Automation Account Example (#663)

2022-02-24 13:23:39 -05:00 · 2022-02-24 13:23:39 -05:00 · a0a0caeaed
--- a/_manifest/manifest.json
+++ b/_manifest/manifest.json
--- a/_manifest/manifest.json.sha256
+++ b/_manifest/manifest.json.sha256
--- a/_manifest/spdx_2.2/manifest.spdx.json
+++ b/_manifest/spdx_2.2/manifest.spdx.json
--- a/_manifest/spdx_2.2/manifest.spdx.json.sha256
+++ b/_manifest/spdx_2.2/manifest.spdx.json.sha256
--- a/src/bicep/examples/automationAccount/README.md
+++ b/src/bicep/examples/automationAccount/README.md
@ -0,0 +1,61 @@
+# Azure Automation Account Example
+
+This example deploys an MLZ compatible Azure Automation account, with diagnostic logs pointed to the MLZ Log Analytics Workspace (LAWS) instance.
+
+Read on to understand what this example does, and when you're ready, collect all of the pre-requisites, then deploy the example.
+
+## What this example does
+
+### Deploys an Azure Automation Account
+
+The docs on Azure Automation (Automation Accounts): <https://docs.microsoft.com/en-us/azure/automation/>.  
+
+## Prerequisites
+
+1. A Mission LZ deployment (a deployment of mlz.bicep)
+2. The outputs from a deployment of mlz.bicep (./src/bicep/examples/deploymentVariables.json).  
+3. PowerShell Runbook for your MLZ deployment
+
+See below for information on how to create the appropriate deployment variables file for use with this template.
+
+### Template Parameters
+
+Template Parameters Name | Description
+-----------------------| -----------
+automationAcctName | The name of automation account.  If not specified, the name will default to the MLZ default naming pattern.  
+targetResourceGroup | The name of the resource group where the automation account will be deployed.   If not specified, the resource group name will default to the shared services MLZ resource group name and subscription.
+
+### Generate MLZ Variable File (deploymentVariables.json)
+
+For instructions on generating 'deploymentVariables.json' using both Azure PowerShell and Azure CLI, please see the [README at the root of the examples folder](../README.md).
+
+Place the resulting 'deploymentVariables.json' file within the ./src/bicep/examples folder.
+
+### Deploying Azure Automation
+
+Connect to the appropriate Azure Environment and set appropriate context, see getting started with Azure PowerShell for help if needed.  The commands below assume you are deploying in Azure Commercial and show the entire process from deploying MLZ and then adding an automation account to the operations resource group.
+
+```PowerShell
+cd .\src\bicep
+Connect-AzAccount
+New-AzSubscriptionDeployment -Name contoso -TemplateFile .\mlz.bicep -resourcePrefix 'contoso' -Location 'eastus'
+cd .\examples
+(Get-AzSubscriptionDeployment -Name contoso).outputs | ConvertTo-Json | Out-File -FilePath .\deploymentVariables.json
+cd .\automationAccount
+New-AzSubscriptionDeployment -DeploymentName deployAzureAUtomationt -TemplateFile .\automationAccount.bicep -Location 'eastus'
+```
+
+```Azure CLI
+az login
+cd src/bicep
+az deployment sub create -n contoso -f mlz.bicep -l eastus --parameters resourcePrefix=contoso
+cd examples
+az deployment sub show -n contoso --query properties.outputs > ./deploymentVariables.json
+cd automationAccount
+az deployment sub create -n deployAzureAutomation -f automationAccount.bicep -l eastus
+```
+
+### References
+
+* [Azure Automation Documentation](https://docs.microsoft.com/en-us/azure/automation/)
+* [Azure Automation Examples](https://github.com/azureautomation/)
--- a/src/bicep/examples/automationAccount/automationAccount.bicep
+++ b/src/bicep/examples/automationAccount/automationAccount.bicep
@ -0,0 +1,49 @@
+/*
+Deploys an automation account with modules/runbook/diagnostic logs
+Makes use of example azure automation bicep: https://github.com/Azure/bicep/tree/main/docs/examples/301/automation-account-import-runbooks-and-modules
+*/
+targetScope = 'subscription'
+
+param mlzDeploymentVariables object = json(loadTextContent('../deploymentVariables.json'))
+
+@description('The name of the automation account which will be created.  If unchanged or not specified, the MLZ resource prefix + "-aAc" will be utilized.')
+param automationAcctName string = '${mlzDeploymentVariables.mlzResourcePrefix.Value}-aAc'
+
+@description('The name of the resource group in which the automation account will be deployed. If unchanged or not specified, the MLZ operations resource group is used.')
+param targetResourceGroup string = '${mlzDeploymentVariables.spokes.Value[1].resourceGroupName}'
+
+@description('The location of the RG to deploy the Automation Account to')
+param location string = deployment().location
+
+@description('A string dictionary of tags to add to deployed resources. See https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json#arm-templates for valid settings.')
+param tags object = {}
+var defaultTags = {
+  'DeploymentType': 'MissionLandingZoneARM'
+}
+var calculatedTags = union(tags, defaultTags)
+
+var targetSubscriptionId_Var = targetResourceGroup == '${mlzDeploymentVariables.spokes.Value[1].resourceGroupName}' ? '${mlzDeploymentVariables.spokes.Value[1].subscriptionId}' : subscription().subscriptionId
+
+
+resource targetAAResourceGroup 'Microsoft.Resources/resourceGroups@2020-10-01' existing = {
+  name: targetResourceGroup
+}
+
+module automationAccount './modules/automationAccount.bicep' = {
+  scope: resourceGroup(targetSubscriptionId_Var, targetAAResourceGroup.name)
+  name: automationAcctName
+  params: {
+    name: automationAcctName
+    tags: calculatedTags
+    location: location
+    enableDiagnostics: true
+    diagnosticStorageAccountName: '${mlzDeploymentVariables.diagnosticStorageAccountName.Value}'
+    diagnosticStorageAccountResourceGroup: '${mlzDeploymentVariables.spokes.Value[1].resourceGroupName}'
+    logAnalyticsResourceGroup: '${mlzDeploymentVariables.spokes.Value[1].resourceGroupName}'
+    logAnalyticsWorkspaceName: '${mlzDeploymentVariables.logAnalyticsWorkspaceName.Value}'
+    logAnalyticsSubscriptionId: '${mlzDeploymentVariables.spokes.Value[1].subscriptionId}'
+  }
+}
+
+output tags object = calculatedTags
+output systemIdentityPrincipalId string = automationAccount.outputs.systemIdentityPrincipalId
--- a/src/bicep/examples/automationAccount/modules/automationAccount.bicep
+++ b/src/bicep/examples/automationAccount/modules/automationAccount.bicep
@ -0,0 +1,137 @@
+@description('Location of the automation account')
+param location string = resourceGroup().location
+
+@description('Automation account name')
+param name string
+
+@description('Automation account sku')
+@allowed([
+  'Free'
+  'Basic'
+])
+param sku string = 'Basic'
+
+@description('Modules to import into automation account')
+@metadata({
+  name: 'Module name'
+  version: 'Module version or specify latest to get the latest version'
+  uri: 'Module package uri, e.g. https://www.powershellgallery.com/api/v2/package'
+})
+param modules array = []
+
+@description('Runbooks to import into automation account')
+@metadata({
+  runbookName: 'Runbook name'
+  runbookUri: 'Runbook URI'
+  runbookType: 'Runbook type: Graph, Graph PowerShell, Graph PowerShellWorkflow, PowerShell, PowerShell Workflow, Script'
+  logProgress: 'Enable progress logs'
+  logVerbose: 'Enable verbose logs'
+})
+param runbooks array = []
+
+@description('Enable delete lock')
+param enableDeleteLock bool = false
+
+@description('Enable diagnostic logs')
+param enableDiagnostics bool = false
+
+@description('Storage account name. Only required if enableDiagnostics is set to true.')
+param diagnosticStorageAccountName string = ''
+
+@description('Storage account resource group. Only required if enableDiagnostics is set to true.')
+param diagnosticStorageAccountResourceGroup string = ''
+
+@description('Log analytics workspace name. Only required if enableDiagnostics is set to true.')
+param logAnalyticsWorkspaceName string = ''
+
+@description('Log analytics workspace resource group. Only required if enableDiagnostics is set to true.')
+param logAnalyticsResourceGroup string = ''
+
+@description('Log analytics workspace subscription id (if differs from current subscription). Only required if enableDiagnostics is set to true.')
+param logAnalyticsSubscriptionId string = subscription().subscriptionId
+
+@description('Tags for created resources')
+param tags object = {}
+
+var lockName = '${automationAccount.name}-lck'
+var diagnosticsName = '${automationAccount.name}-dgs'
+
+resource automationAccount 'Microsoft.Automation/automationAccounts@2020-01-13-preview' = {
+  name: name
+  location: location
+  tags: tags
+  identity: {
+    type: 'SystemAssigned'
+  }
+  properties: {
+    sku: {
+      name: sku
+    }
+  }
+}
+
+resource automationAccountModules 'Microsoft.Automation/automationAccounts/modules@2020-01-13-preview' = [for module in modules: {
+  parent: automationAccount
+  name: module.name
+  tags: tags
+  properties: {
+    contentLink: {
+      uri: module.version == 'latest' ? '${module.uri}/${module.name}' : '${module.uri}/${module.name}/${module.version}'
+      version: module.version == 'latest' ? null : module.version
+    }
+  }
+}]
+
+resource runbook 'Microsoft.Automation/automationAccounts/runbooks@2019-06-01' = [for runbook in runbooks: {
+  parent: automationAccount
+  name: runbook.runbookName
+  location: location
+  tags: tags
+  properties: {
+    runbookType: runbook.runbookType
+    logProgress: runbook.logProgress
+    logVerbose: runbook.logVerbose
+    publishContentLink: {
+      uri: runbook.runbookUri
+    }
+  }
+}]
+
+resource lock 'Microsoft.Authorization/locks@2016-09-01' = if (enableDeleteLock) {
+  scope: automationAccount
+  name: lockName
+  properties: {
+    level: 'CanNotDelete'
+  }
+}
+
+resource diagnostics 'microsoft.insights/diagnosticSettings@2017-05-01-preview' = if (enableDiagnostics) {
+  scope: automationAccount
+  name: diagnosticsName
+  properties: {
+    workspaceId: resourceId(logAnalyticsSubscriptionId, logAnalyticsResourceGroup, 'Microsoft.OperationalInsights/workspaces', logAnalyticsWorkspaceName)
+    storageAccountId: resourceId(diagnosticStorageAccountResourceGroup, 'Microsoft.Storage/storageAccounts', diagnosticStorageAccountName)
+    logs: [
+      {
+        category: 'JobLogs'
+        enabled: true
+      }
+      {
+        category: 'JobStreams'
+        enabled: true
+      }
+      {
+        category: 'DscNodeStatus'
+        enabled: true
+      }
+    ]
+    metrics: [
+      {
+        category: 'AllMetrics'
+        enabled: true
+      }
+    ]
+  }
+}
+
+output systemIdentityPrincipalId string = automationAccount.identity.principalId
--- a/src/bicep/mlz.bicep
+++ b/src/bicep/mlz.bicep
@ -1052,6 +1052,8 @@ output logAnalyticsWorkspaceName string = logAnalyticsWorkspace.outputs.name

 output logAnalyticsWorkspaceResourceId string = logAnalyticsWorkspace.outputs.id

+output diagnosticStorageAccountName string = operationsLogStorageAccountName
+
 output spokes array = [for (spoke, i) in spokes: {
  name: spoke.name
  subscriptionId: spoke.subscriptionId
--- a/src/bicep/mlz.json
+++ b/src/bicep/mlz.json
@ -5,7 +5,7 @@
    "_generator": {
      "name": "bicep",
      "version": "0.4.1272.37030",
-      "templateHash": "11789394257827199745"
+      "templateHash": "13300226497891805183"
    }
  },
  "parameters": {
@ -6133,6 +6133,10 @@
      "type": "string",
      "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix')))).outputs.id.value]"
    },
+    "diagnosticStorageAccountName": {
+      "type": "string",
+      "value": "[variables('operationsLogStorageAccountName')]"
+    },
    "spokes": {
      "type": "array",
      "copy": {