diff --git a/.github/workflows/dockerimage.yml b/.github/workflows/dockerimage.yml index 45518af..ef8f6b1 100644 --- a/.github/workflows/dockerimage.yml +++ b/.github/workflows/dockerimage.yml @@ -16,15 +16,17 @@ jobs: ADMIN_USER_NAME: ${{ secrets.ADMIN_USER_NAME }} ADMIN_USER_PWD: ${{ secrets.ADMIN_USER_PWD }} DOMAIN_ADMIN_USERNAME: ${{ secrets.DOMAIN_ADMIN_USERNAME }} - DOMAIN_ADMIN_USER_PWD: ${{ secrets.DOMAIN_ADMIN_USER_PWD }} - ORGANIZATION_NAME : "MSSK" - AZURE_LOCATION : "USGov Arizona" + DOMAIN_ADMIN_USER_PWD: "Random" + ORGANIZATION_NAME : "jvgovm" + AZURE_LOCATION : "USGov Virginia" AZURE_ENVIRONMENT_NAME : "AzureUSGovernment" TENANT_ID : ${{ secrets.TENANT_ID }} SUBSCRIPTION_ID : ${{ secrets.SUBSCRIPTION_ID }} KEYVAULT_MANAGEMENT_USER_ID : ${{ secrets.KEYVAULT_MANAGEMENT_USER_ID }} AZURE_DISCOVERY_URL : "https://management.azure.com/metadata/endpoints?api-version=2019-05-01" ADMIN_USER_SSH : ${{ secrets.ADMIN_USER_SSH }} + AZURE_SENTINEL : "true" + test: "true" runs-on: ubuntu-latest steps: diff --git a/Config/toolkit.subscription.json b/Config/toolkit.subscription.json index 5997428..37b57ce 100644 --- a/Config/toolkit.subscription.json +++ b/Config/toolkit.subscription.json @@ -1,6 +1,6 @@ { - "Comments": "ToolKit for creating a new Virtual Data Center", - "TenantId": "000000-000-0000-0000", + "Comments": "Cleaned up from deployment", + "TenantId": "00000-0000000-000000-0000-0", "SubscriptionId": "000000-000-0000-0000", - "Location": "USGov Arizona" + "Location": "DUMMYVALUE" } diff --git a/Environments/MS-VDI/parameters.json b/Environments/MS-VDI/parameters.json index 792b67e..42a2ac5 100644 --- a/Environments/MS-VDI/parameters.json +++ b/Environments/MS-VDI/parameters.json 
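Review bot: `test: "true"` on the last added line of the workflow hunk has no consumer anywhere in this commit and reads as a leftover debug flag; if something does read it, a comment naming that consumer belongs above it, otherwise it should go. The same hunk swaps `${{ secrets.DOMAIN_ADMIN_USER_PWD }}` for the literal `"Random"` and changes `ORGANIZATION_NAME` and `AZURE_LOCATION` to values that look specific to one deployment, so a comment such as `# "Random" makes Pre_req_script.ps1 generate the domain admin password at run time` would record why a password field no longer references a secret. Style: `AZURE_SENTINEL : "true"` follows the file's existing space-before-colon form while `test: "true"` does not.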
@@ -222,11 +222,11 @@ "Comments": "Creating an object so we can use a secretsobject parameter type in our ARM template", "Secrets": [ { - "secretName": "admin-user", + "secretName": "vm-admin-user", "secretValue": "env(ADMIN_USER_NAME)" }, { - "secretName": "admin-user-pswd", + "secretName": "vm-admin-password", "secretValue": "env(ADMIN_USER_PWD)" } ] diff --git a/Environments/SharedServices/orchestration.json b/Environments/SharedServices/orchestration.json index b864501..7b470af 100644 --- a/Environments/SharedServices/orchestration.json +++ b/Environments/SharedServices/orchestration.json @@ -60,6 +60,9 @@ }, "location": { "value": "${Parameters.ModuleConfigurationParameters.LogAnalytics.Location}" + }, + "azureSentinel": { + "value": "${Parameters.AzureSentinel}" } } } @@ -834,7 +837,7 @@ "keyVault": { "id": "reference(KeyVault.keyVaultResourceId)" }, - "secretName": "${Parameters.ModuleConfigurationParameters.KeyVault.SecretsObject.Secrets[0].secretName}" + "secretName": "${Parameters.ModuleConfigurationParameters.KeyVault.SecretsObject.Secrets[1].secretName}" } }, "storageBlobUrl": { @@ -947,7 +950,7 @@ "keyVault": { "id": "reference(KeyVault.keyVaultResourceId)" }, - "secretName": "${Parameters.ModuleConfigurationParameters.KeyVault.SecretsObject.Secrets[2].secretName}" + "secretName": "${Parameters.ModuleConfigurationParameters.KeyVault.SecretsObject.Secrets[4].secretName}" } }, "storageBlobUrl": { diff --git a/Environments/SharedServices/parameters.json b/Environments/SharedServices/parameters.json index 146157b..60579bf 100644 --- a/Environments/SharedServices/parameters.json +++ b/Environments/SharedServices/parameters.json @@ -8,6 +8,7 @@ "Location": "env(AZURE_LOCATION)", "EnvironmentName": "env(AZURE_ENVIRONMENT_NAME)", "StorageBlobUrl": "env(AZURE_STORAGE_BLOB_URL)", + "AzureSentinel": "env(AZURE_SENTINEL)", "ModuleConfigurationParameters": { "OnPremisesInformation": { "InstanceName": "${Parameters.InstanceName}", 
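Review bot: The `Secrets[1]` and `Secrets[4]` references in the two later orchestration.json hunks couple this file to the element order of the Secrets array in SharedServices/parameters.json, which this same commit reorders and grows by two entries; nothing checks that an index still names the intended secret, so a later insertion in the middle of that array would silently point a VM at the wrong password with no deployment-time error. A `"Comments"` entry next to each reference naming the secret it expects, e.g. `"Comments": "Secrets[1] must be vm-admin-password"`, would make the coupling visible to whoever edits either file. `Secrets[4]` refers to an element that is outside every hunk shown in this commit, so I could not confirm it resolves to the intended secret.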
@@ -741,11 +742,19 @@ "Comments": "Creating an object so we can use a secretsobject parameter type in our ARM template", "Secrets": [ { - "secretName": "admin-user", + "secretName": "vm-admin-user", + "secretValue": "env(ADMIN_USER_NAME)" + }, + { + "secretName": "vm-admin-password", "secretValue": "env(ADMIN_USER_PWD)" }, { - "secretName": "env(DOMAIN_ADMIN_USERNAME)", + "secretName": "domain-admin-user", + "secretValue": "env(DOMAIN_ADMIN_USERNAME)" + }, + { + "secretName": "domain-admin-password", "secretValue": "env(DOMAIN_ADMIN_USER_PWD)" }, { @@ -768,7 +777,7 @@ "ArtifactsStorageAccount": "file(../_Common/artifactsStorageAccount.json)", "Jumpbox": { "ResourceGroup": "${Parameters.InstanceName}-jumpbox-rg", - "AdminUsername": "${Parameters.ModuleConfigurationParameters.KeyVault.SecretsObject.Secrets[0].secretName}", + "AdminUsername": "env(ADMIN_USER_NAME)", "SubnetName": "${Parameters.ModuleConfigurationParameters.VirtualNetwork.Subnets[0].name}", "StorageBlobUrl": "${Parameters.StorageBlobUrl}", "Windows": { @@ -821,7 +830,7 @@ "keyVault": { "id": "reference(KeyVault.keyVaultResourceId)" }, - "secretName": "${Parameters.ModuleConfigurationParameters.KeyVault.SecretsObject.Secrets[1].secretName}" + "secretName": "${Parameters.ModuleConfigurationParameters.KeyVault.SecretsObject.Secrets[3].secretName}" }, "VMSize": "Standard_DS3_v2", "OSImage": { 
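Review bot: The Secrets array rewritten in the @@ -741 hunk is now consumed by position from several places — `Secrets[3]` in the @@ -821 hunk, `Secrets[1]` in the @@ -842 hunk of this file, and `Secrets[1]`/`Secrets[4]` in orchestration.json — and because this commit both renames and inserts entries, every one of those indices had to change in lockstep; a future edit that misses one will deploy a VM with the wrong password secret and nothing will fail loudly. The file already uses `"Comments"` keys, so one on the SecretsObject stating that order is load-bearing and listing the consumers is the minimal guard, e.g. `"Comments": "Order matters: [0] vm-admin-user, [1] vm-admin-password, [2] domain-admin-user, [3] domain-admin-password; referenced by index from Jumpbox, ActiveDirectory and orchestration.json"`. The array continues past the end of the hunk, so the entries at index 4 and beyond are not visible here.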
@@ -842,12 +851,12 @@ "ResourceGroup": "${Parameters.ModuleConfigurationParameters.ActiveDirectory.ResourceGroup}", "Comments": "Windows VM name cannot exceed 13 characters. Additionally, Make sure that AddsIPAddressStart and ActiveDirectory.PrimaryDomainControllerIP are in the same subnet address prefix and they don't overlap", "StorageBlobUrl": "${Parameters.StorageBlobUrl}", - "AdminUsername": "${Parameters.ModuleConfigurationParameters.KeyVault.SecretsObject.Secrets[0].secretName}", + "AdminUsername": "env(ADMIN_USER_NAME)", "AdminPassword": { "keyVault": { "id": "reference(KeyVault.keyVaultResourceId)" }, - "secretName": "${Parameters.ModuleConfigurationParameters.KeyVault.SecretsObject.Secrets[0].secretName}" + "secretName": "${Parameters.ModuleConfigurationParameters.KeyVault.SecretsObject.Secrets[1].secretName}" }, "Kek": { "Name": "AddsKey", diff --git a/Environments/SharedServices/readme.md b/Environments/SharedServices/readme.md index 919ffdc..8497d30 100644 --- a/Environments/SharedServices/readme.md +++ b/Environments/SharedServices/readme.md @@ -85,6 +85,7 @@ $ENV:ADMIN_USER_NAME = "[VM_ADMIN_USER_NAME]" $ENV:ADMIN_USER_PWD = "[VM_ADMIN_USER_PASSWORD]" $ENV:AZURE_DISCOVERY_URL = "https://management.azure.com/metadata/endpoints?api-version=2019-05-01" $ENV:ADMIN_USER_SSH = "[SSH_KEY]" +$ENV:AZURE_SENTINEL = "[BOOLEAN]" ``` **NOTE:** Examples to setting the env variables 
@@ -114,12 +115,20 @@ $ENV:ADMIN_USER_SSH = "[SSH_KEY]" - Domain user name - will be used for AD deployment and not yet included in current deployment - "[DOMAIN_ADMIN_USER_PASSWORD]" - Domain user password - will be used for AD deployment and not yet included in current deployment. Follow the [guidelines](https://docs.microsoft.com/en-us/azure/virtual-machines/windows/faq#what-are-the-password-requirements-when-creating-a-vm) for setting the password. + - UPDATE: If the deployment admin wants a random password for the Domain Admin account please set the value to "" + - Ex. $ENV:DOMAIN_ADMIN_USER_PWD="" - "[VM_ADMIN_USER_NAME]" - VM log in username - "[VM_ADMIN_USER_PASSWORD]" - VM user password. Follow the [guidelines](https://docs.microsoft.com/en-us/azure/virtual-machines/windows/faq#what-are-the-password-requirements-when-creating-a-vm) for setting the password. + - UPDATE: If the deployment admin wants a random password for the VM Admin account please set the value to "" + - Ex. $ENV:ADMIN_USER_PWD="" - "[SSH_KEY]" - Needs to be a valid public ssh rsa key for SSH to linux box +- "[BOOLEAN] + - This value needs to be "True" or "False" + - "True" will deploy Azure Sentinel to the Shared Services Environment + - "False" will NOT deploy Azure Sentinel To use the above script: @@ -131,6 +140,7 @@ To use the above script: #### Pre-req script ##### This script will ensure that the configuration files are updated with your environment variables. +##### This script has the functionality for creating random passwords for the VM's ``` PowerShell ./Orchestration/OrchestrationService/Pre_req_script.ps1 diff --git a/Environments/_Common/subscriptions.json b/Environments/_Common/subscriptions.json index fb6d0b5..b2aa1ff 100644 --- a/Environments/_Common/subscriptions.json +++ b/Environments/_Common/subscriptions.json 
@@ -1,38 +1,38 @@ { - "Comments": "ToolKit for Jack", - "VDCVDI": { - "Comments": "Microsoft VDC with VDI environment subscription and tenant information", - "TenantId": "000000-000-0000-0000", - "SubscriptionId": "000000-000-0000-0000" - }, - "OnPremises": { - "Comments": "Simulated On-Premises subscription and tenant information", - "TenantId": "000000-000-0000-0000", - "SubscriptionId": "000000-000-0000-0000" - }, - "SharedServices": { - "Comments": "Shared services subscription and tenant information", - "TenantId": "000000-000-0000-0000", - "SubscriptionId": "000000-000-0000-0000" - }, - "AKS": { - "Comments": "Shared services subscription and tenant information", - "TenantId": "000000-000-0000-0000", - "SubscriptionId": "000000-000-0000-0000" - }, - "ASE_SQLDB": { - "Comments": "Workload subscription and tenant information", - "TenantId": "000000-000-0000-0000", - "SubscriptionId": "00000000-0000-0000-0000-000000000000" - }, - "NTier_IaaS": { - "Comments": "Workload subscription and tenant information", - "TenantId": "000000-000-0000-0000", - "SubscriptionId": "000000-000-0000-0000" - }, - "Artifacts": { - "Comments": "Subscription and tenant information where the Artifacts Storage Account will reside", - "TenantId": "000000-000-0000-0000", - "SubscriptionId": "000000-000-0000-0000" - } + "Comments": "ToolKit for VDC Deployment", + "VDCVDI": { + "Comments": "Microsoft VDC with VDI environment subscription and tenant information", + "TenantId": "000000-000-0000-0000", + "SubscriptionId": "000000-000-0000-0000" + }, + "OnPremises": { + "Comments": "Simulated On-Premises subscription and tenant information", + "TenantId": "000000-000-0000-0000", + "SubscriptionId": "000000-000-0000-0000" + }, + "SharedServices": { + "Comments": "Shared services subscription and tenant information", + "TenantId": "000000-000-0000-0000", + "SubscriptionId": "000000-000-0000-0000" + }, + "AKS": { + "Comments": "Shared services subscription and tenant information", + "TenantId": 
"000000-000-0000-0000", + "SubscriptionId": "000000-000-0000-0000" + }, + "ASE_SQLDB": { + "Comments": "Workload subscription and tenant information", + "TenantId": "000000-000-0000-0000", + "SubscriptionId": "00000000-0000-0000-0000-000000000000" + }, + "NTier_IaaS": { + "Comments": "Workload subscription and tenant information", + "TenantId": "000000-000-0000-0000", + "SubscriptionId": "000000-000-0000-0000" + }, + "Artifacts": { + "Comments": "Subscription and tenant information where the Artifacts Storage Account will reside", + "TenantId": "000000-000-0000-0000", + "SubscriptionId": "000000-000-0000-0000" + } } diff --git a/Modules/LogAnalytics/deploy.json b/Modules/LogAnalytics/deploy.json index 3f77a58..9bb01d4 100644 --- a/Modules/LogAnalytics/deploy.json +++ b/Modules/LogAnalytics/deploy.json @@ -87,10 +87,21 @@ "metadata": { "description": "Optional. Automation Account resource identifier, value used to create a LinkedService between Log Analytics and an Automation Account." } + }, + "azureSentinel": { + "type": "string", + "defaultValue": "false", + "metadata": { + "description": "Install Azure Sentinel as part of the Log Analytics Workspace." + } + } }, "variables": { "logAnalyticsSearchVersion": 1, + "azureSentinelSolutionName": "[concat('SecurityInsights', '(', parameters('logAnalyticsWorkspaceName'), ')')]", + "product": "OMSGallery/SecurityInsights", + "publisher": "Microsoft", "solutions": [ { "name": "[concat('Updates', '(', parameters('logAnalyticsWorkspaceName'), ')')]", 
@@ -1095,6 +1106,25 @@ "properties": { "level": "CannotDelete" } + }, + { + "type": "Microsoft.OperationsManagement/solutions", + "apiVersion": "2015-11-01-preview", + "name": "[variables('azureSentinelSolutionName')]", + "condition": "[bool(parameters('azureSentinel'))]", + "location": "[parameters('location')]", + "plan": { + "name": "[variables('azureSentinelSolutionName')]", + "promotionCode": "", + "product": "[variables('product')]", + "publisher": "[variables('publisher')]" + }, + "dependsOn": [ + "[resourceId('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "properties": { + "workspaceResourceId": "[resourceId('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + } } ], "outputs": { diff --git a/Modules/NetworkSecurityGroups/Scripts/enable.flow.logs.ps1 b/Modules/NetworkSecurityGroups/Scripts/enable.flow.logs.ps1 index dfac5e1..3dea00f 100644 --- a/Modules/NetworkSecurityGroups/Scripts/enable.flow.logs.ps1 +++ b/Modules/NetworkSecurityGroups/Scripts/enable.flow.logs.ps1 @@ -39,7 +39,7 @@ try { else { Write-Host "No subscription switching is required." } - + $NetworkWatcherRegion = $NetworkWatcherRegion.Replace(' ', '').ToLower() $registered = Get-AzResourceProvider -ProviderNamespace Microsoft.Insights diff --git a/Orchestration/OrchestrationService/ModuleConfigurationDeployment.ps1 b/Orchestration/OrchestrationService/ModuleConfigurationDeployment.ps1 index fa49da0..c5b168c 100644 --- a/Orchestration/OrchestrationService/ModuleConfigurationDeployment.ps1 +++ b/Orchestration/OrchestrationService/ModuleConfigurationDeployment.ps1 
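Review bot: The `condition` on the new SecurityInsights solution only governs creation; in an incremental deployment, re-running with `azureSentinel` set to `"false"` leaves an already-installed solution (and its ingestion billing) in place rather than removing it, which an operator flipping the flag off will not expect. That is worth stating in the parameter's metadata description, e.g. `"description": "... Setting this back to 'false' does not uninstall an existing Sentinel solution."`. The `dependsOn` entry and `properties.workspaceResourceId` repeat the same `resourceId(...)` expression; a single `workspaceResourceId` variable would keep the two from drifting apart.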
@@ -66,13 +66,6 @@ $ENV:VDC_TOOLKIT_SUBSCRIPTION = (Get-Content .\Config\toolkit.subscription.json Write-Debug "AZURE_STORAGE_BLOB_URL: $ENV:AZURE_STORAGE_BLOB_URL" Write-Debug "AzureManagementUrl: $AzureManagementUrl" - -# Get the config files -$ENV:VDC_SUBSCRIPTIONS = (Get-Content ./Environments/_Common/subscriptions.json -Raw) -$ENV:VDC_TOOLKIT_SUBSCRIPTION = (Get-Content ./Config/toolkit.subscription.json -Raw) -#Write-Debug "ToolkitJSON: $ENV:VDC_SUBSCRIPTIONS" -#Write-Debug "SubscriptionJson: $ENV:VDC_TOOLKIT_SUBSCRIPTION" - Function Start-Deployment { [CmdletBinding()] param ( diff --git a/Orchestration/OrchestrationService/Pre_req_script.ps1 b/Orchestration/OrchestrationService/Pre_req_script.ps1 index c8fb714..b491e15 100644 --- a/Orchestration/OrchestrationService/Pre_req_script.ps1 +++ b/Orchestration/OrchestrationService/Pre_req_script.ps1 
@@ -26,3 +26,34 @@ $onprem = (Get-Content -Path .\Environments\_Common\subscriptions.json) | Conver $onprem.OnPremises.SubscriptionId = $ENV:SUBSCRIPTION_ID $onprem.OnPremises.TenantId = $ENV:TENANT_ID $onprem | ConvertTo-Json | Set-Content -Path .\Environments\_Common\subscriptions.json + + +#### Check if random passwords are needed or if passwords are provided for the VM admin accounts and the Active Directory Account + +# Random Password Function +function Get-RandomPassword { + $Alphabets = 'a,b,c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z' + $numbers = 0..9 + $specialCharacters = '~,!,@,#,$,%,^,&,*,(,),?,\,/,_,-,=,+' + $array = @() + $counter= Get-Random -Minimum 5 -Maximum 7 + $array += $Alphabets.Split(',') | Get-Random -Count $counter + $array[0] = $array[0].ToUpper() + $array[-1] = $array[-1].ToUpper() + $array += $numbers | Get-Random -Count $counter + $array += $specialCharacters.Split(',') | Get-Random -Count $counter + $password = ($array | Get-Random -Count $array.Count) -join "" + + return $password #| ConvertTo-SecureString -AsPlainText -Force +} + +### Check the VM password +if (($null -eq $ENV:ADMIN_USER_PWD) -or ("" -eq $ENV:ADMIN_USER_PWD) -or ("Random" -eq $ENV:ADMIN_USER_PWD) ) { + $ENV:ADMIN_USER_PWD = Get-RandomPassword +} + +### Check the Active Directory (Domain Password) +if (($null -eq $ENV:DOMAIN_ADMIN_USER_PWD) -or ("" -eq $ENV:DOMAIN_ADMIN_USER_PWD) -or ("Random" -eq $ENV:DOMAIN_ADMIN_USER_PWD) ) { + $ENV:DOMAIN_ADMIN_USER_PWD = Get-RandomPassword +} + diff --git a/entrypoint1.ps1 b/entrypoint1.ps1 index 7f0ae6b..90aa7a0 100644 --- a/entrypoint1.ps1 +++ b/entrypoint1.ps1 
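Review bot: `Get-RandomPassword` can emit `\` (and other shell-significant specials) into a value that the rest of this commit substitutes through `env(ADMIN_USER_PWD)` and `env(DOMAIN_ADMIN_USER_PWD)` into JSON parameter files; unless that substitution escapes, a backslash produces invalid JSON and the deployment fails, or worse a transformed value is stored that differs from what the VM received. The construction is also fixed in shape — equal counts of letters, digits and specials with no repeats inside a class, first and last letter uppercased — and whether `Get-Random` is cryptographically seeded depends on the PowerShell version, so for a credential `System.Security.Cryptography.RandomNumberGenerator` is the unambiguous choice. Because the generated value is never shown to the operator, the Key Vault secret written from the same env var is presumably its only record; a comment above the two `if` blocks such as `# the generated value is only recoverable from the Key Vault secret populated from this env var` makes that explicit, and if this runs under GitHub Actions an `::add-mask::` line for the value would keep later steps from echoing it into the log. The rewrite below keeps the name and parameterless call while fixing the character set and randomness source.

```powershell
function Get-RandomPassword {
    # Character classes. '\' and '$' are left out because they need escaping in JSON
    # and in PowerShell double-quoted strings, which is where this value ends up.
    $lower   = 'abcdefghijklmnopqrstuvwxyz'
    $upper   = $lower.ToUpper()
    $digits  = '0123456789'
    $special = '~!@#%^&*()?_-=+'
    $all     = $lower + $upper + $digits + $special
    $length  = 20

    # Cryptographic source; GetInt32 needs PowerShell 7 / .NET Core 3.0 or later.
    $rng  = [System.Security.Cryptography.RandomNumberGenerator]
    $pick = { param($set) $set[$rng::GetInt32($set.Length)] }

    # One character from each class so Azure's complexity rule is always met,
    # then fill the remainder from the union.
    $chars = @((& $pick $lower), (& $pick $upper), (& $pick $digits), (& $pick $special))
    while ($chars.Count -lt $length) { $chars += (& $pick $all) }

    # Fisher-Yates shuffle so the guaranteed characters are not always first.
    for ($i = $chars.Count - 1; $i -gt 0; $i--) {
        $j = $rng::GetInt32($i + 1)
        $chars[$i], $chars[$j] = $chars[$j], $chars[$i]
    }
    return -join $chars
}

# … unchanged: ADMIN_USER_PWD / DOMAIN_ADMIN_USER_PWD checks …
```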
@@ -24,12 +24,13 @@ Write-Host "Starting the script for deploying your Shared Services" Write-Host "The deployment was succesfull if: Exit code $LASTEXITCODE == 0" -Verbose -Write-Host "Starting the script for deploying MS-VDI" -./Orchestration/OrchestrationService/ModuleConfigurationDeployment.ps1 -DefinitionPath ./Environments/MS-VDI/definition.json - -Write-Host "The deployment was succesfull if: Exit code $LASTEXITCODE == 0" -Verbose +## Enter the main script for teardown shared services +Write-Host "Starting the script for tearing down Shared Services" +./Orchestration/OrchestrationService/ModuleConfigurationDeployment.ps1 -TearDownEnvironment -DefinitionPath ./Environments/SharedServices/definition.json ## Run the cleanup script so that no values are retained in code for the config files Write-Host "Executing the cleanup script" -./Orchestration/OrchestrationService/Cleanup_Script.ps1 \ No newline at end of file +./Orchestration/OrchestrationService/Cleanup_Script.ps1 + +Write-Host "The deployment was succesfull if: Exit code $LASTEXITCODE == 0" -Verbose diff --git a/vdc b/vdc deleted file mode 160000 index 8b8ecd3..0000000 --- a/vdc +++ /dev/null @@ -1 +0,0 @@ -Subproject commit 8b8ecd33efc8364fd8c4d0629b28cb867e985ae7
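Review bot: The `Write-Host "The deployment was succesfull if: Exit code $LASTEXITCODE == 0"` line moved to the end of the file now reports the exit code of `Cleanup_Script.ps1`, not of the deployment or teardown it describes, and nothing prevents the teardown from running after a failed deployment. Capturing the code right after each orchestration call, `$deployExit = $LASTEXITCODE`, and bailing with `if ($deployExit -ne 0) { exit $deployExit }` before the teardown keeps the message truthful and avoids destroying a half-built environment before anyone can inspect it. Deploying Shared Services and tearing it down in the same run reads like a CI smoke test; a header comment saying so would explain why an entrypoint destroys what it just built.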