* Initial commit for On-Premise Archetype

* Corrected depends-on for pipeline

* Moving ArtifactsStorageAccount module to the top and adding an ADO task for uploading scripts required for AD module

* Added a dependency to upload scripts for AD module

* Added a separate stage for uploading artifacts.

* Invalid dependency removed

* Importing Az.Storage Module before executing other commands.

* Printing out modules path

* Remove Artifacts storage from test

* Minor change to UploadScripts module

* Minor change

* Minor Change to update PSModulePath

* Testing

* Minor path fix

* Minor changes to file path regex to be non-greedy

* Pipeline fixed by reordering Artifacts storage and scripts upload to Artifacts storage

* Minor updates

* Moved the Installation of the PowerShell modules one folder up

* Point-to-Site VPN added to On-Premise Archetype

* Cleaned up the scripts for VPN Root Cert creation

* Finalized Script

* Modularization of Virtual Machine templates (#101)

* initial commit

* moved parameters file outside of the module

* initial commit of new Jumpbox design

* added encryption task

* removed unnecessary parameters

* initial implementation of encryption using kek

* fixed output storage from custom script

* Added format data disks DSC

* added adds dsc that excludes disk formatting

* removed dsc folder

* added policy and rbac tests

* removed 0 file

* updated template static test

* updated ad and adds templates

* updated non-extended shared services environment

* updated display names

* added enable key vault service endpoint task

* fix validate dependency

* fixed task name

* fixed module definition reference

* fixed azure firewall api version

* fixed pipeline and added new environment variable

* updated azure firewall api version

* fixed key vault access policy

* updated parameters comment

* updated zones copy loop

* updated zones condition

* fixed parameters.json error

* removed double quote encoding

* added string array to zones

* updated description name

* updated output reference to lowercase

* enabled debug on AD encryption

* enabled debug on AD encryption

* moved enabling service endpoint of Key Vault after VM deployment

* disabled validation stage

* enabled pipelines

* added SQL Analytics solution

* removed unneeded parameter

* added disk verification before formatting a disk

* updated DSC code

* removed data jumpbox datadisk

* added drive letter parameter to adds

* added workaround to prevent storage initialization multiple times

* added get public IP ps1

* removed finally block

* updated get ip ps1 path

* updated network rules copy loop

* removed networkacls from initial key vault deployment

* explicit set of ps1 argument

* updated initialize file

* fixed return type

* fixed return type from getSasToken function

* added ashashtable to convert from json cmdlet

* added networkAcls with IP whitelisting

* added test-jsoncontent to helper

* added debug

* updated storage account details cache value

* removed debug flag

* updated set variable syntax

* fixed variable name

* added -Compress to JSON string creation

* updated default action on kv networkacls

* added global variable

* updated variable name

* Update pipeline.yml for Azure Pipelines

* moved org name as env variable

* update pipeline

* Update pipeline.yml for Azure Pipelines

* added additional logging info

* temp reduced validation tasks

* fixed dependency

* removed global variable from pipeline

* enabled debug on deployment

* enabled debug

* moved similar tasks into same job

* updated shared services extended pipeline

* removed write-host

* enabled multi-stage jobs

* added env variables

* updated variable set

* removed comments from inline script

* updated pipeline, pass variable between jobs

* added missing environment variable retrieval

* removed unnecessary write-host

* added vnet dependency

* updated job output dependency name

* added multi-job variable

* updated modules path of shared services onprem extension

* fixed parameters

* removed active directory reference

* added Virtual Network dependency

* added spn access policy

* moved dns server as a separate task

* removed additional api calls

* removed duplicate

* added logic for more than one resource id

* Added exponential backoff logic (#103)

* output az graph query

* Update pipeline.yml for Azure Pipelines

* Restore pipeline stages

* added exponential backoff

* added exponential backoff

* added debug function

* Exception handling functions added to Helper (#102)

* Applied the changes

* Minor changes to the exception

* Cleanup

* Cleaned up one of the functions

* minor change

* Merged the Exponential backoff logic with Get exception

* Fix for excluding resource ids from file path parse logic

* fixed - expression syntax

* updated required parameter

* removed dns server task

* enhanced error message details

* updated adds vm name

* added exception analyzer to ARM REST API call

* fixed Get-Exception cmdlet invocation

* added comments to set-context cmdlet

* Added KeyVault service point

* Updated the Archetype to include the new Active Directory Module and new Virtual Machine Module.

* Updated the On-Premise Pipeline

* Minor updates to the pipeline yml file

* Added missing dependency

* Minor update

* More updates to dependencies

* enable pip only if specified

* Minor update to enable Pip in VGW

* Minor update to VGW

* Changed casing on labvm files (#106)

* Error parser logic fixed (#108)

* Initial commit for On-Premise Archetype

* Corrected depends-on for pipeline

* Moving ArtifactsStorageAccount module to the top and adding an ADO task for uploading scripts required for AD module

* Added a dependency to upload scripts for AD module

* Added a separate stage for uploading artifacts.

* Invalid dependency removed

* Importing Az.Storage Module before executing other commands.

* Printing out modules path

* Remove Artifacts storage from test

* Minor change to UploadScripts module

* Minor change

* Minor Change to update PSModulePath

* Testing

* Minor path fix

* Minor changes to file path regex to be non-greedy

* Pipeline fixed by reordering Artifacts storage and scripts upload to Artifacts storage

* Minor updates

* Moved the Installation of the PowerShell modules one folder up

* Point-to-Site VPN added to On-Premise Archetype

* Cleaned up the scripts for VPN Root Cert creation

* Finalized Script

* Added KeyVault service point

* Updated the Archetype to include the new Active Directory Module and new Virtual Machine Module.

* Updated the On-Premise Pipeline

* Minor updates to the pipeline yml file

* Added missing dependency

* Minor update

* More updates to dependencies

* enable pip only if specified

* Minor update to enable Pip in VGW

* Minor update to VGW

* Pipeline yml fixes

* Typo fix

* Access policies added to KeyVault to App and User.

* Pipeline yml updated with feedback from today's review
Kungumaraj Nachimuthu 2019-08-23 22:21:47 -07:00 committed by Jorge Cotillo
Parent 409770cc0b
Commit 51b3710985
24 changed files: 1522 additions and 15 deletions

View file

@ -64,9 +64,9 @@
{
"type": "shell",
"inline": [
"pwsh -Command \"Save-Module -Name Az -LiteralPath /opt/microsoft/powershell/6/Modules/az_1.6.0 -RequiredVersion 1.6.0 -Force\" ",
"pwsh -Command \"Save-Module -Name Pester -LiteralPath /opt/microsoft/powershell/6/Modules/pester -RequiredVersion 4.3.1 -Force\" ",
"pwsh -Command \"Save-Module -Name Az.ResourceGraph -LiteralPath /opt/microsoft/powershell/6/Modules/az_resourcegraph_0.7.3 -RequiredVersion 0.7.3 -Force\" "
"pwsh -Command \"Save-Module -Name Az -LiteralPath /opt/microsoft/powershell/6/Modules -RequiredVersion 1.6.0 -Force\" ",
"pwsh -Command \"Save-Module -Name Pester -LiteralPath /opt/microsoft/powershell/6/Modules -RequiredVersion 4.3.1 -Force\" ",
"pwsh -Command \"Save-Module -Name Az.ResourceGraph -LiteralPath /opt/microsoft/powershell/6/Modules -RequiredVersion 0.7.3 -Force\" "
],
"execute_command": "sudo sh -c '{{ .Vars }} {{ .Path }}'"
},
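Review bot: writing the three Save-Module calls directly to /opt/microsoft/powershell/6/Modules is the right fix, since Save-Module itself creates a `<ModuleName>/<Version>` folder beneath the path it is given; the previous `az_1.6.0`, `pester` and `az_resourcegraph_0.7.3` subfolders produced a nested layout that module auto-loading does not resolve. Two things to tighten in the same hunk: the commands run as root via `sudo sh -c` and pull from whichever repository the image has registered (PowerShell Gallery by default) with no `-Repository` argument, so add `-Repository PSGallery` (or an internal mirror) to make the source explicit, and consider recording the saved module hashes in the image build so a changed package is noticed. `-RequiredVersion` already pins the versions, which should stay.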

View file

@ -0,0 +1,5 @@
{
"Subscriptions": "env(VDC_SUBSCRIPTIONS)",
"Parameters": "file(./parameters.json)",
"Orchestration": "file(./orchestration.json)"
}

View file

@ -0,0 +1,426 @@
{
"ModuleConfigurationsPath": "../../Modules",
"ModuleConfigurations": [
{
"Name": "DiagnosticStorageAccount",
"ModuleDefinitionName": "StorageAccounts",
"ResourceGroupName": "${Parameters.ModuleConfigurationParameters.DiagnosticStorageAccount.ResourceGroup}",
"Comments": "Storage Account that is used for ...",
"Version": "2.0",
"Policies": {
"Comments": "Optional - If no object is specified, no Policies deployment will occur",
"OverrideParameters": {
"effect": {
"value": "${Parameters.ModuleConfigurationParameters.DiagnosticStorageAccount.Policies.Effect}"
},
"resourceGroup": {
"value": "${Parameters.ModuleConfigurationParameters.DiagnosticStorageAccount.ResourceGroup}"
},
"resourceGroupLocation": {
"value": "${Parameters.ModuleConfigurationParameters.DiagnosticStorageAccount.Location}"
}
}
},
"Deployment": {
"Comments": "We need the 'update' module instance to lock this resource after the Virtual Network got created",
"TemplatePath": "../../Modules/StorageAccounts/2.0/deploy.json",
"OverrideParameters": {
"storageAccountName": {
"value": "${Parameters.ModuleConfigurationParameters.DiagnosticStorageAccount.Name}"
},
"storageAccountSku": {
"value": "${Parameters.ModuleConfigurationParameters.DiagnosticStorageAccount.Sku}"
},
"location": {
"value": "${Parameters.ModuleConfigurationParameters.DiagnosticStorageAccount.Location}"
}
}
}
},
{
"Name": "LogAnalytics",
"ModuleDefinitionName": "LogAnalytics",
"ResourceGroupName": "${Parameters.ModuleConfigurationParameters.LogAnalytics.ResourceGroup}",
"DependsOn": [
"DiagnosticStorageAccount"
],
"Deployment": {
"OverrideParameters": {
"logAnalyticsWorkspaceName": {
"value": "${Parameters.ModuleConfigurationParameters.LogAnalytics.Name}"
},
"diagnosticStorageAccountName": {
"value": "reference(DiagnosticStorageAccount.storageAccountName)"
},
"diagnosticStorageAccountId": {
"value": "reference(DiagnosticStorageAccount.storageAccountResourceId)"
},
"diagnosticStorageAccountAccessKey": {
"value": "reference(DiagnosticStorageAccount.storageAccountAccessKey)"
},
"location": {
"value": "${Parameters.ModuleConfigurationParameters.LogAnalytics.Location}"
}
}
}
},
{
"Name": "OnPremisesNSG",
"ModuleDefinitionName": "NetworkSecurityGroups",
"ResourceGroupName": "${Parameters.ModuleConfigurationParameters.Network.ResourceGroup}",
"DependsOn": [
"DiagnosticStorageAccount", "LogAnalytics"
],
"Deployment": {
"OverrideParameters": {
"workspaceId": {
"value": "reference(LogAnalytics.logAnalyticsWorkspaceResourceId)"
},
"diagnosticStorageAccountId": {
"value": "reference(DiagnosticStorageAccount.storageAccountResourceId)"
},
"networkSecurityGroupName": {
"value": "${Parameters.ModuleConfigurationParameters.Network.NetworkSecurityGroups[0].Name}"
},
"networkSecurityGroupSecurityRules": {
"value": "${Parameters.ModuleConfigurationParameters.Network.NetworkSecurityGroups[0].Rules}"
}
}
}
},
{
"Name": "DomainControllerASG",
"ModuleDefinitionName": "ApplicationSecurityGroups",
"ResourceGroupName": "${Parameters.ModuleConfigurationParameters.ApplicationSecurityGroups.ResourceGroup}",
"DependsOn": [],
"Deployment": {
"OverrideParameters": {
"applicationSecurityGroupName": {
"value": "${Parameters.ModuleConfigurationParameters.ApplicationSecurityGroups.DomainController.Name}"
}
}
}
},
{
"Name": "VirtualNetwork",
"ModuleDefinitionName": "VirtualNetwork",
"ResourceGroupName": "${Parameters.ModuleConfigurationParameters.Network.ResourceGroup}",
"DependsOn": [
"OnPremisesNSG"
],
"Deployment": {
"OverrideParameters": {
"vnetName": {
"value": "${Parameters.ModuleConfigurationParameters.Network.Name}"
},
"vnetAddressPrefixes": {
"value": "${Parameters.ModuleConfigurationParameters.Network.AddressPrefix}"
},
"subnets": {
"value": "${Parameters.ModuleConfigurationParameters.Network.Subnets}"
},
"enableDdosProtection": {
"value": "${Parameters.ModuleConfigurationParameters.Network.EnableDdosProtection}"
},
"enableVmProtection": {
"value": "${Parameters.ModuleConfigurationParameters.Network.EnableVmProtection}"
}
}
}
},
{
"Name": "KeyVault",
"ModuleDefinitionName": "KeyVault",
"ResourceGroupName": "${Parameters.ModuleConfigurationParameters.KeyVault.ResourceGroup}",
"DependsOn":[
"DiagnosticStorageAccount",
"LogAnalytics"
],
"Deployment": {
"OverrideParameters": {
"keyVaultName": {
"value": "${Parameters.ModuleConfigurationParameters.KeyVault.Name}"
},
"accessPolicies": {
"value": "${Parameters.ModuleConfigurationParameters.KeyVault.AccessPolicies}"
},
"secretsObject": {
"value": {
"secrets": "${Parameters.ModuleConfigurationParameters.KeyVault.SecretsObject.Secrets}"
}
},
"enableVaultForDeployment": {
"value": "${Parameters.ModuleConfigurationParameters.KeyVault.EnableVaultForDeployment}"
},
"enableVaultForDiskEncryption": {
"value": "${Parameters.ModuleConfigurationParameters.KeyVault.EnableVaultForDiskEncryption}"
},
"enableVaultForTemplateDeployment": {
"value": "${Parameters.ModuleConfigurationParameters.KeyVault.EnableVaultForTemplateDeployment}"
},
"vaultSku": {
"value": "${Parameters.ModuleConfigurationParameters.KeyVault.Sku}"
},
"diagnosticStorageAccountId": {
"value": "reference(DiagnosticStorageAccount.storageAccountResourceId)"
},
"workspaceId": {
"value": "reference(LogAnalytics.logAnalyticsWorkspaceResourceId)"
},
"vNetId": {
"value": "reference(VirtualNetwork.vNetResourceId)"
},
"networkAcls": {
"value": {
"bypass": "AzureServices",
"defaultAction": "Allow",
"virtualNetworkRules": [],
"ipRules": []
}
}
}
}
},
{
"Name": "CreateRootCertificate",
"Comments": "Create Root Certificate",
"DependsOn": [
"KeyVault"
],
"Script": {
"Command": "../../Modules/VirtualNetworkGateway/2.0/Scripts/virtual.network.gateway.rootcert.ps1",
"Arguments" : {
"TenantId": "${Subscriptions.OnPremises.TenantId}",
"ServicePrincipal_ID": "env(SCRIPT_EXECUTION_SP_ID)",
"ServicePrincipal_Secret": "env(SCRIPT_EXECUTION_SP_KEY)",
"KeyVaultName" : "${Parameters.ModuleConfigurationParameters.KeyVault.Name}",
"KeyName" : "CACert",
"BashScriptPath": "../../Modules/VirtualNetworkGateway/2.0/Scripts/virtual.network.gateway.rootcert.sh"
}
}
},
{
"Name": "VirtualNetworkGateway",
"ModuleDefinitionName": "VirtualNetworkGateway",
"ResourceGroupName": "${Parameters.ModuleConfigurationParameters.Network.ResourceGroup}",
"DependsOn": [
"CreateRootCertificate",
"VirtualNetwork"
],
"Deployment": {
"OverrideParameters": {
"virtualNetworkGatewayName": {
"value": "${Parameters.ModuleConfigurationParameters.Network.VirtualGateway.Name}"
},
"virtualNetworkGatewayType": {
"value": "${Parameters.ModuleConfigurationParameters.Network.VirtualGateway.GatewayType}"
},
"virtualNetworkGatewaySku": {
"value": "${Parameters.ModuleConfigurationParameters.Network.VirtualGateway.GatewaySku}"
},
"vpnType": {
"value": "${Parameters.ModuleConfigurationParameters.Network.VirtualGateway.VpnType}"
},
"vNetId": {
"value": "reference(VirtualNetwork.vNetResourceId)"
},
"vpnClientAddressPoolPrefix": {
"value": "10.10.8.0/24"
},
"clientRootCertData": "${Parameters.ModuleConfigurationParameters.Network.VirtualGateway.VpnClientConfiguration.VpnClientRootCertificateData}",
"clientRevokedCertThumbprint": {
"value": "${Parameters.ModuleConfigurationParameters.Network.VirtualGateway.VpnClientConfiguration.VpnClientRevokedCertificateThumbprint}"
}
}
}
},
{
"Name": "EnableServiceEndpointOnKeyVault",
"ModuleDefinitionName": "KeyVault",
"Updates": "KeyVault",
"ResourceGroupName": "${Parameters.ModuleConfigurationParameters.KeyVault.ResourceGroup}",
"DependsOn": [
"VirtualNetworkGateway"
],
"Deployment": {
"OverrideParameters": {
"networkAcls": {
"value": "${Parameters.ModuleConfigurationParameters.KeyVault.NetworkAcls}"
},
"vNetId": {
"value": "reference(VirtualNetwork.vNetResourceId)"
}
}
}
},
{
"Name": "ArtifactsStorageAccount",
"Subscription": "Artifacts",
"ModuleDefinitionName": "StorageAccounts",
"ResourceGroupName": "${Parameters.ModuleConfigurationParameters.ArtifactsStorageAccount.ResourceGroup}",
"DependsOn": [],
"Comments": "Storage Account that is used for ...",
"Policies": {
"Comments": "Optional - If no object is specified, no Policies deployment will occur",
"OverrideParameters": {
"effect": {
"value": "${Parameters.ModuleConfigurationParameters.ArtifactsStorageAccount.Policies.Effect}"
},
"resourceGroup": {
"value": "${Parameters.ModuleConfigurationParameters.ArtifactsStorageAccount.ResourceGroup}"
},
"resourceGroupLocation": {
"value": "${Parameters.ModuleConfigurationParameters.ArtifactsStorageAccount.Location}"
}
}
},
"Deployment": {
"OverrideParameters": {
"storageAccountName": {
"value": "${Parameters.ModuleConfigurationParameters.ArtifactsStorageAccount.Name}"
},
"storageAccountSku": {
"value": "${Parameters.ModuleConfigurationParameters.ArtifactsStorageAccount.Sku}"
}
}
}
},
{
"Name": "UploadScriptsToArtifactsStorage",
"Comments": "Upload Scripts to Artifacts Storage",
"DependsOn": [
"ArtifactsStorageAccount"
],
"Script": {
"Command": "Write-Host 'Adding Scripts...'; Import-Module -Name Az.Storage; $ctx = New-AzStorageContext -StorageAccountName reference(ArtifactsStorageAccount.storageAccountName) -SasToken '?reference(ArtifactsStorageAccount.storageAccountSasToken)'; New-AzRmStorageContainer -Name scripts -ResourceGroupName reference(ArtifactsStorageAccount.storageAccountResourceGroup) -StorageAccountName reference(ArtifactsStorageAccount.storageAccountName); Get-ChildItem -LiteralPath '../../Scripts/Windows' -File -Recurse | % { Set-AzStorageBlobContent -Context $ctx -Container scripts -Force -File $($_.FullName) -Blob Windows/$($_.Name)}",
"Arguments" : {
}
}
},
{
"Name": "ActiveDirectoryVM",
"ModuleDefinitionName": "VirtualMachines",
"ResourceGroupName": "${Parameters.ModuleConfigurationParameters.ActiveDirectory.ResourceGroup}",
"DependsOn": [
"VirtualNetwork",
"DiagnosticStorageAccount",
"LogAnalytics",
"KeyVault",
"ArtifactsStorageAccount"
],
"Comments": "Creates Active Directory Domain Services VMs",
"Deployment": {
"OverrideParameters": {
"virtualMachineName": {
"value": "${Parameters.ModuleConfigurationParameters.ActiveDirectory.Name}"
},
"virtualMachineSize": {
"value": "${Parameters.ModuleConfigurationParameters.ActiveDirectory.VMSize}"
},
"virtualMachineOSImage": {
"value": "${Parameters.ModuleConfigurationParameters.ActiveDirectory.OSImage}"
},
"virtualMachineOSType": {
"value": "${Parameters.ModuleConfigurationParameters.ActiveDirectory.OSType}"
},
"workspaceId": {
"value": "reference(LogAnalytics.logAnalyticsWorkspaceId)"
},
"logAnalyticsWorkspaceId": {
"value": "reference(LogAnalytics.logAnalyticsWorkspaceResourceId)"
},
"logAnalyticsWorkspacePrimarySharedKey": {
"value": "reference(LogAnalytics.logAnalyticsPrimarySharedKey)"
},
"diagnosticsStorageAccountId": {
"value": "reference(DiagnosticStorageAccount.storageAccountResourceId)"
},
"diagnosticsStorageAccountName": {
"value": "reference(DiagnosticStorageAccount.storageAccountName)"
},
"diagnosticsStorageAccountSasToken": {
"value": "reference(DiagnosticStorageAccount.storageAccountSasToken)"
},
"artifactsStorageAccountKey": {
"value": "reference(ArtifactsStorageAccount.storageAccountAccessKey)"
},
"artifactsStorageAccountName": {
"value": "reference(ArtifactsStorageAccount.storageAccountName)"
},
"artifactsStorageAccountSasKey": {
"value": "reference(ArtifactsStorageAccount.storageAccountSasToken)"
},
"vNetId": {
"value": "reference(VirtualNetwork.vNetResourceId)"
},
"subnetName": {
"value": "${Parameters.ModuleConfigurationParameters.ActiveDirectory.SubnetName}"
},
"vmIPAddress": {
"value": "${Parameters.ModuleConfigurationParameters.ActiveDirectory.PrimaryDomainControllerIP}"
},
"applicationSecurityGroupId": {
"value": "reference(DomainControllerASG.applicationSecurityGroupResourceId)"
},
"adminUsername": {
"value": "${Parameters.ModuleConfigurationParameters.ActiveDirectory.DomainAdminUsername}"
},
"adminPassword": {
"reference": "${Parameters.ModuleConfigurationParameters.ActiveDirectory.DomainAdminPassword}"
},
"virtualMachineDataDisks": {
"value": [
{
"size": 127,
"driveLetter": "F",
"diskId": 2
}
]
}
}
}
},
{
"Name": "InstallActiveDirectory",
"ModuleDefinitionName": "ActiveDirectory",
"ResourceGroupName": "${Parameters.ModuleConfigurationParameters.ActiveDirectory.ResourceGroup}",
"DependsOn": [
"ActiveDirectoryVM"
],
"Deployment": {
"OverrideParameters": {
"virtualMachineName": {
"value": "${Parameters.ModuleConfigurationParameters.ActiveDirectory.Name}"
},
"artifactsStorageAccountKey": {
"value": "reference(ArtifactsStorageAccount.storageAccountAccessKey)"
},
"artifactsStorageAccountName": {
"value": "reference(ArtifactsStorageAccount.storageAccountName)"
},
"artifactsStorageAccountSasKey": {
"value": "reference(ArtifactsStorageAccount.storageAccountSasToken)"
},
"adIpAddress": {
"value": "${Parameters.ModuleConfigurationParameters.ActiveDirectory.PrimaryDomainControllerIP}"
},
"cloudZone": {
"value": "${Parameters.ModuleConfigurationParameters.ActiveDirectory.CloudZone}"
},
"domainName": {
"value": "${Parameters.ModuleConfigurationParameters.ActiveDirectory.DomainName}"
},
"adSitename": {
"value": "${Parameters.ModuleConfigurationParameters.ActiveDirectory.ADSitename}"
},
"domainAdminUsername": {
"value": "${Parameters.ModuleConfigurationParameters.ActiveDirectory.DomainAdminUsername}"
},
"domainAdminPassword": {
"reference": "${Parameters.ModuleConfigurationParameters.ActiveDirectory.DomainAdminPassword}"
}
}
}
}
]
}
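Review bot: the `KeyVault` entry deploys the vault with `"defaultAction": "Allow"` and empty `virtualNetworkRules`/`ipRules`, and only `EnableServiceEndpointOnKeyVault` (after `VirtualNetworkGateway`) tightens it, so the DomainAdminPassword secret and the CACert key sit in a vault reachable from any network for the whole interval in between. The commit message says the endpoint is enabled "after VM deployment", but `EnableServiceEndpointOnKeyVault` lists only `VirtualNetworkGateway` in `DependsOn`, while `ActiveDirectoryVM` and `InstallActiveDirectory` depend on `KeyVault` and not on the update, so if independent entries run concurrently the order is not guaranteed either way; encode the intended order in `DependsOn` and say in `Comments` why the vault has to start open. Two smaller points: `clientRootCertData` is the only override parameter passed as a bare value instead of a `{ "value": ... }` object (it only works because the referenced parameter already carries a `reference` object), and the `UploadScriptsToArtifactsStorage` inline script uploads with `-Recurse` but names blobs `Windows/$($_.Name)`, which drops subfolder names, so same-named files in different folders overwrite each other.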

View file

@ -0,0 +1,234 @@
{
"Organization": "file(../_Common/organizationName.txt)",
"DeploymentName": "onprem",
"InstanceName": "${Parameters.Organization}-${Parameters.DeploymentName}",
"Subscription": "OnPremises",
"Location": "West US 2",
"TenantId": "${Subscriptions.OnPremises.TenantId}",
"ModuleConfigurationParameters": {
"DeploymentUserId": "env(Deployment_User_Id)",
"DeploymentAppId": "env(Deployment_App_Id)",
"SharedServices": {
"DeploymentName": "shrdsvcs"
},
"DiagnosticStorageAccount": {
"Name": "${Parameters.Organization}${Parameters.DeploymentName}diag01",
"ResourceGroup": "${Parameters.InstanceName}-diagnostics-rg",
"Location": "${Parameters.Location}",
"Sku": "Standard_GRS",
"NetworkAcls": {
"bypass": "AzureServices",
"defaultAction": "Deny",
"virtualNetworkRules": [
{
"subnet": "${Parameters.ModuleConfigurationParameters.Network.Subnets[0].Name}"
}
],
"ipRules": []
},
"Policies": {
"Effect": "Audit"
}
},
"LogAnalytics": {
"Name": "${Parameters.InstanceName}-la",
"Comments": "Log Analytics and Diagnostic Storage Account must be deployed in the same region",
"ResourceGroup": "${Parameters.InstanceName}-diagnostics-rg",
"Location": "${Parameters.ModuleConfigurationParameters.DiagnosticStorageAccount.Location}",
"ListOfAllowedRegions": [
"Australia Central",
"Australia East",
"Australia Southeast",
"Canada Central",
"Central India",
"Central US",
"East Asia",
"East US",
"East US 2",
"France Central",
"Japan East",
"Korea Central",
"North Europe",
"South Central US",
"Southeast Asia",
"UK South",
"West Europe",
"West US",
"West US 2"
]
},
"KeyVault": {
"Name": "${Parameters.InstanceName}-kv",
"ResourceGroup": "${Parameters.InstanceName}-keyvault-rg",
"Sku": "Premium",
"EnableVaultForDeployment": true,
"EnableVaultForDiskEncryption": true,
"EnableVaultForTemplateDeployment": true,
"AccessPolicies": [
{
"tenantId": "${Parameters.TenantId}",
"objectId": "${Parameters.ModuleConfigurationParameters.DeploymentUserId}",
"permissions": {
"certificates": [
"All"
],
"keys": [
"All"
],
"secrets": [
"All"
]
}
},
{
"tenantId": "${Parameters.TenantId}",
"objectId": "${Parameters.ModuleConfigurationParameters.DeploymentAppId}",
"permissions": {
"certificates": [
"All"
],
"keys": [
"All"
],
"secrets": [
"All"
]
}
}
],
"SecretsObject": {
"Comments": "Creating an object so we can use a secretsobject parameter type in our ARM template",
"Secrets": [
{
"secretName": "DomainAdminPassword",
"secretValue": "P@ssword2019$123"
}
]
},
"NetworkAcls": {
"bypass": "AzureServices",
"defaultAction": "Deny",
"virtualNetworkRules": [
{
"subnet": "${Parameters.ModuleConfigurationParameters.Network.Subnets[0].Name}"
}
],
"ipRules": []
}
},
"ArtifactsStorageAccount": "file(../_Common/artifactsStorageAccount.json)",
"ActiveDirectory": {
"Name": "primary-ad",
"VMSize": "Standard_DS3_v2",
"OSImage": {
"offer": "WindowsServer",
"publisher": "MicrosoftWindowsServer",
"sku": "2016-Datacenter"
},
"OSType": "Windows",
"SubnetName": "${Parameters.ModuleConfigurationParameters.Network.Subnets[0].name}",
"ResourceGroup": "${Parameters.InstanceName}-ad-rg",
"ADSitename": "Cloud-Site",
"CloudZone": "contosocloud.com",
"DomainAdminUsername": "contoso",
"DomainAdminPassword": {
"keyVault": {
"id": "reference(KeyVault.keyVaultResourceId)"
},
"secretName": "${Parameters.ModuleConfigurationParameters.KeyVault.SecretsObject.Secrets[0].secretName}"
},
"DomainName": "contoso.com",
"PrimaryDomainControllerIP": "192.168.1.4"
},
"ApplicationSecurityGroups": {
"ResourceGroup": "${Parameters.ModuleConfigurationParameters.Network.ResourceGroup}",
"DomainController": {
"Name": "dc-asg"
}
},
"Network": {
"Name": "${Parameters.InstanceName}-vnet",
"ResourceGroup": "${Parameters.InstanceName}-network-rg",
"AddressPrefix": [ "192.168.1.0/27" ],
"VirtualGateway": {
"Name": "${Parameters.InstanceName}-vgw",
"GatewayType": "vpn",
"GatewaySku": "VpnGw1",
"VpnType": "RouteBased",
"VpnClientConfiguration": {
"VpnClientRootCertificateData": {
"reference": {
"keyVault": {
"id": "reference(KeyVault.keyVaultResourceId)"
},
"secretName": "CACert"
}
},
"VpnClientRevokedCertificateThumbprint": ""
}
},
"ApplicationSecurityGroups": [],
"NetworkSecurityGroups": [
{
"Name": "default",
"Rules": [
{
"name": "allow-rdp",
"properties": {
"access": "Allow",
"destinationAddressPrefixes": [],
"destinationPortRange": "3389",
"destinationPortRanges": [],
"destinationAddressPrefix": "VirtualNetwork",
"direction": "Inbound",
"priority": 100,
"protocol": "*",
"sourcePortRange": "*",
"sourcePortRanges": [],
"sourceAddressPrefix": "VirtualNetwork",
"destinationApplicationSecurityGroups": [],
"sourceApplicationSecurityGroups": []
}
}
]
}
],
"UserDefinedRoutes": [],
"Subnets": [
{
"name": "default",
"addressPrefix": "192.168.1.0/28",
"networkSecurityGroupName": "default",
"routeTableName": "",
"serviceEndpoints": [
{
"service": "Microsoft.EventHub"
},
{
"service": "Microsoft.Sql"
},
{
"service": "Microsoft.Storage"
},
{
"service": "Microsoft.KeyVault"
}
]
},
{
"name": "GatewaySubnet",
"addressPrefix": "192.168.1.16/28",
"networkSecurityGroupName": "",
"routeTableName": "",
"serviceEndpoints": ""
}
],
"EnableDdosProtection": true,
"EnableVmProtection": false,
"DnsServers": [
"${Parameters.ModuleConfigurationParameters.ActiveDirectory.PrimaryDomainControllerIP}",
"168.63.129.16"
]
}
}
}
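Review bot: `SecretsObject.Secrets[0].secretValue` commits the domain admin password in plaintext (`"P@ssword2019$123"`) to the repository, while the pipeline already passes `DOMAIN_ADMIN_USER_PWD` from the variable group; use the same `env(...)` form as `DeploymentUserId` and `DeploymentAppId`, for example `"secretValue": "env(DOMAIN_ADMIN_USER_PWD)"`, and rotate the value now that it has been pushed. Two more points: the `DiagnosticStorageAccount` and `KeyVault` network rules reference `Network.Subnets[0].Name`, whereas the subnet objects and `ActiveDirectory.SubnetName` use lowercase `name`, so one of the two spellings will not resolve if the expression lookup is case-sensitive; and both access policies grant `All` on certificates, keys and secrets to the deployment user and the deployment app, which is broader than what the deployment needs.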

View file

@ -0,0 +1,634 @@
# VDC Starter pipeline
# Start with a minimal pipeline that you can customize to build and deploy your code.
# Add steps that build, run tests, deploy, and more:
# https://aka.ms/yaml
# Set variables once
variables:
- group: VDC_SECRETS_Copy
trigger:
- master
stages:
- stage: Validate
jobs:
- job: SetupValidationResourceGroup
pool:
name: 'vdc-self-hosted'
steps:
- task: AzurePowerShell@4
displayName: "Setup Validation Resource Group"
inputs:
azureSubscription: 'Kunachim Azure SC'
ScriptType: 'FilePath'
ScriptPath: 'Orchestration/OrchestrationService/ValidationResourceGroupSetup.ps1'
ScriptArguments: '-ResourceGroupName vdc-validation-rg -SetupResourceGroup'
azurePowerShellVersion: 'LatestVersion'
- job: StorageAccounts
pool:
name: 'vdc-self-hosted'
dependsOn: SetupValidationResourceGroup
steps:
- task: PowerShell@2
displayName: "Pester Tests for Module - Storage Accounts"
inputs:
targetType: 'inline'
script: '# Write your powershell commands here.
Invoke-Pester -Script "./Modules/StorageAccounts/2.0/Tests";
# Use the environment variables input below to pass secret variables to this script.'
pwsh: true
- task: AzurePowerShell@4
displayName: "ARM Validation - Diagnostic Storage Account"
inputs:
azureSubscription: 'Kunachim Azure SC'
ScriptType: 'FilePath'
ScriptPath: 'Orchestration/OrchestrationService/ModuleConfigurationDeployment.ps1'
ScriptArguments: '-DefinitionPath "Environments/On-Premise/definition.json" -ModuleConfigurationName "DiagnosticStorageAccount" -Validate'
azurePowerShellVersion: 'LatestVersion'
env:
VDC_SUBSCRIPTIONS: $(VDC_SUBSCRIPTIONS)
VDC_TOOLKIT_SUBSCRIPTION: $(VDC_TOOLKIT_SUBSCRIPTION)
DEPLOYMENT_USER_ID: $(DEPLOYMENT_USER_ID)
ADMIN_USER_PWD: $(ADMIN_USER_PWD)
DOMAIN_ADMIN_USER_PWD: $(DOMAIN_ADMIN_USER_PWD)
TENANT_ID: $(TENANT_ID)
- task: AzurePowerShell@4
displayName: "ARM Validation - Artifacts Storage Account"
inputs:
azureSubscription: 'Kunachim Azure SC'
ScriptType: 'FilePath'
ScriptPath: 'Orchestration/OrchestrationService/ModuleConfigurationDeployment.ps1'
ScriptArguments: '-DefinitionPath "Environments/On-Premise/definition.json" -ModuleConfigurationName "ArtifactsStorageAccount" -Validate'
azurePowerShellVersion: 'LatestVersion'
env:
VDC_SUBSCRIPTIONS: $(VDC_SUBSCRIPTIONS)
VDC_TOOLKIT_SUBSCRIPTION: $(VDC_TOOLKIT_SUBSCRIPTION)
DEPLOYMENT_USER_ID: $(DEPLOYMENT_USER_ID)
ADMIN_USER_PWD: $(ADMIN_USER_PWD)
DOMAIN_ADMIN_USER_PWD: $(DOMAIN_ADMIN_USER_PWD)
TENANT_ID: $(TENANT_ID)
- job: LogAnalytics
pool:
name: 'vdc-self-hosted'
dependsOn: [ SetupValidationResourceGroup, StorageAccounts ]
variables:
BOOTSTRAP_INITIALIZED: $[dependencies.StorageAccounts.outputs['bootstratInitializedOutput.BOOTSTRAP_INITIALIZED']]
steps:
- task: PowerShell@2
displayName: "Pester Tests for Module - Log Analytics"
inputs:
targetType: 'inline'
script: '# Write your powershell commands here.
Invoke-Pester -Script "./Modules/LogAnalytics/2.0/Tests";
# Use the environment variables input below to pass secret variables to this script.'
pwsh: true
- task: AzurePowerShell@4
displayName: "ARM Validation - Log Analytics"
inputs:
azureSubscription: 'Kunachim Azure SC'
ScriptType: 'FilePath'
ScriptPath: 'Orchestration/OrchestrationService/ModuleConfigurationDeployment.ps1'
ScriptArguments: '-DefinitionPath "Environments/On-Premise/definition.json" -ModuleConfigurationName "LogAnalytics" -Validate'
azurePowerShellVersion: 'LatestVersion'
env:
VDC_SUBSCRIPTIONS: $(VDC_SUBSCRIPTIONS)
VDC_TOOLKIT_SUBSCRIPTION: $(VDC_TOOLKIT_SUBSCRIPTION)
DEPLOYMENT_USER_ID: $(DEPLOYMENT_USER_ID)
ADMIN_USER_PWD: $(ADMIN_USER_PWD)
DOMAIN_ADMIN_USER_PWD: $(DOMAIN_ADMIN_USER_PWD)
TENANT_ID: $(TENANT_ID)
- job: NetworkSecurityGroups
pool:
name: 'vdc-self-hosted'
dependsOn: [ SetupValidationResourceGroup, StorageAccounts ]
variables:
BOOTSTRAP_INITIALIZED: $[dependencies.StorageAccounts.outputs['bootstratInitializedOutput.BOOTSTRAP_INITIALIZED']]
steps:
- task: PowerShell@2
displayName: "Pester Tests for Module - Network Security Groups"
inputs:
targetType: 'inline'
script: '# Write your powershell commands here.
Invoke-Pester -Script "./Modules/NetworkSecurityGroups/2.0/Tests";
# Use the environment variables input below to pass secret variables to this script.'
pwsh: true
- task: AzurePowerShell@4
displayName: "ARM Validation - On-Premises NSG"
inputs:
azureSubscription: 'Kunachim Azure SC'
ScriptType: 'FilePath'
ScriptPath: 'Orchestration/OrchestrationService/ModuleConfigurationDeployment.ps1'
ScriptArguments: '-DefinitionPath "Environments/On-Premise/definition.json" -ModuleConfigurationName "OnPremisesNSG" -Validate'
azurePowerShellVersion: 'LatestVersion'
env:
VDC_SUBSCRIPTIONS: $(VDC_SUBSCRIPTIONS)
VDC_TOOLKIT_SUBSCRIPTION: $(VDC_TOOLKIT_SUBSCRIPTION)
DEPLOYMENT_USER_ID: $(DEPLOYMENT_USER_ID)
ADMIN_USER_PWD: $(ADMIN_USER_PWD)
DOMAIN_ADMIN_USER_PWD: $(DOMAIN_ADMIN_USER_PWD)
TENANT_ID: $(TENANT_ID)
- job: ApplicationSecurityGroups
pool:
name: 'vdc-self-hosted'
dependsOn: [ SetupValidationResourceGroup, StorageAccounts ]
variables:
BOOTSTRAP_INITIALIZED: $[dependencies.StorageAccounts.outputs['bootstratInitializedOutput.BOOTSTRAP_INITIALIZED']]
steps:
- task: PowerShell@2
displayName: "Pester Tests for Module - Application Security Groups"
inputs:
targetType: 'inline'
script: '# Write your powershell commands here.
Invoke-Pester -Script "./Modules/ApplicationSecurityGroups/2.0/Tests";
# Use the environment variables input below to pass secret variables to this script.'
pwsh: true
- task: AzurePowerShell@4
displayName: "ARM Validation - Domain Controller ASG"
inputs:
azureSubscription: 'Kunachim Azure SC'
ScriptType: 'FilePath'
ScriptPath: 'Orchestration/OrchestrationService/ModuleConfigurationDeployment.ps1'
ScriptArguments: '-DefinitionPath "Environments/On-Premise/definition.json" -ModuleConfigurationName "DomainControllerASG" -Validate'
azurePowerShellVersion: 'LatestVersion'
env:
VDC_SUBSCRIPTIONS: $(VDC_SUBSCRIPTIONS)
VDC_TOOLKIT_SUBSCRIPTION: $(VDC_TOOLKIT_SUBSCRIPTION)
DEPLOYMENT_USER_ID: $(DEPLOYMENT_USER_ID)
ADMIN_USER_PWD: $(ADMIN_USER_PWD)
DOMAIN_ADMIN_USER_PWD: $(DOMAIN_ADMIN_USER_PWD)
TENANT_ID: $(TENANT_ID)
- job: VirtualNetwork
pool:
name: 'vdc-self-hosted'
dependsOn: [ SetupValidationResourceGroup, StorageAccounts ]
variables:
BOOTSTRAP_INITIALIZED: $[dependencies.StorageAccounts.outputs['bootstratInitializedOutput.BOOTSTRAP_INITIALIZED']]
steps:
- task: PowerShell@2
displayName: "Pester Tests for Module - Virtual NetWork"
inputs:
targetType: 'inline'
script: '# Write your powershell commands here.
Invoke-Pester -Script "./Modules/VirtualNetwork/2.0/Tests";
# Use the environment variables input below to pass secret variables to this script.'
pwsh: true
- task: AzurePowerShell@4
displayName: "ARM Validation - Virtual Network"
inputs:
azureSubscription: 'Kunachim Azure SC'
ScriptType: 'FilePath'
ScriptPath: 'Orchestration/OrchestrationService/ModuleConfigurationDeployment.ps1'
ScriptArguments: '-DefinitionPath "Environments/On-Premise/definition.json" -ModuleConfigurationName "VirtualNetwork" -Validate'
azurePowerShellVersion: 'LatestVersion'
env:
VDC_SUBSCRIPTIONS: $(VDC_SUBSCRIPTIONS)
VDC_TOOLKIT_SUBSCRIPTION: $(VDC_TOOLKIT_SUBSCRIPTION)
DEPLOYMENT_USER_ID: $(DEPLOYMENT_USER_ID)
ADMIN_USER_PWD: $(ADMIN_USER_PWD)
DOMAIN_ADMIN_USER_PWD: $(DOMAIN_ADMIN_USER_PWD)
TENANT_ID: $(TENANT_ID)
- job: VirtualNetworkGateway
pool:
name: 'vdc-self-hosted'
dependsOn: [ SetupValidationResourceGroup, StorageAccounts ]
variables:
BOOTSTRAP_INITIALIZED: $[dependencies.StorageAccounts.outputs['bootstratInitializedOutput.BOOTSTRAP_INITIALIZED']]
steps:
- task: PowerShell@2
displayName: "Pester Tests for Module - Virtual Network Gateway"
inputs:
targetType: 'inline'
script: '# Write your powershell commands here.
Invoke-Pester -Script "./Modules/VirtualNetworkGateway/2.0/Tests";
# Use the environment variables input below to pass secret variables to this script.'
pwsh: true
- task: AzurePowerShell@4
displayName: "ARM Validation - Virtual Network Gateway"
inputs:
azureSubscription: 'Kunachim Azure SC'
ScriptType: 'FilePath'
ScriptPath: 'Orchestration/OrchestrationService/ModuleConfigurationDeployment.ps1'
ScriptArguments: '-DefinitionPath "Environments/On-Premise/definition.json" -ModuleConfigurationName "VirtualNetworkGateway" -Validate'
azurePowerShellVersion: 'LatestVersion'
env:
VDC_SUBSCRIPTIONS: $(VDC_SUBSCRIPTIONS)
VDC_TOOLKIT_SUBSCRIPTION: $(VDC_TOOLKIT_SUBSCRIPTION)
DEPLOYMENT_USER_ID: $(DEPLOYMENT_USER_ID)
ADMIN_USER_PWD: $(ADMIN_USER_PWD)
DOMAIN_ADMIN_USER_PWD: $(DOMAIN_ADMIN_USER_PWD)
TENANT_ID: $(TENANT_ID)
- job: KeyVault
pool:
name: 'vdc-self-hosted'
dependsOn: [ SetupValidationResourceGroup, StorageAccounts ]
variables:
BOOTSTRAP_INITIALIZED: $[dependencies.StorageAccounts.outputs['bootstratInitializedOutput.BOOTSTRAP_INITIALIZED']]
steps:
- task: PowerShell@2
displayName: "Pester Tests for Module - Key Vault"
inputs:
targetType: 'inline'
script: '# Write your powershell commands here.
Invoke-Pester -Script "./Modules/KeyVault/2.0/Tests";
# Use the environment variables input below to pass secret variables to this script.'
pwsh: true
- task: AzurePowerShell@4
displayName: "ARM Validation - Key Vault"
inputs:
azureSubscription: 'Kunachim Azure SC'
ScriptType: 'FilePath'
ScriptPath: 'Orchestration/OrchestrationService/ModuleConfigurationDeployment.ps1'
ScriptArguments: '-DefinitionPath "Environments/On-Premise/definition.json" -ModuleConfigurationName "KeyVault" -Validate'
azurePowerShellVersion: 'LatestVersion'
env:
VDC_SUBSCRIPTIONS: $(VDC_SUBSCRIPTIONS)
VDC_TOOLKIT_SUBSCRIPTION: $(VDC_TOOLKIT_SUBSCRIPTION)
DEPLOYMENT_USER_ID: $(DEPLOYMENT_USER_ID)
ADMIN_USER_PWD: $(ADMIN_USER_PWD)
DOMAIN_ADMIN_USER_PWD: $(DOMAIN_ADMIN_USER_PWD)
TENANT_ID: $(TENANT_ID)
- task: AzurePowerShell@4
displayName: "ARM Validation - Enable Service Endpoint On Key Vault"
inputs:
azureSubscription: 'Kunachim Azure SC'
ScriptType: 'FilePath'
ScriptPath: 'Orchestration/OrchestrationService/ModuleConfigurationDeployment.ps1'
ScriptArguments: '-DefinitionPath "Environments/On-Premise/definition.json" -ModuleConfigurationName "EnableServiceEndpointOnKeyVault" -Validate'
azurePowerShellVersion: 'LatestVersion'
env:
VDC_SUBSCRIPTIONS: $(VDC_SUBSCRIPTIONS)
VDC_TOOLKIT_SUBSCRIPTION: $(VDC_TOOLKIT_SUBSCRIPTION)
DEPLOYMENT_USER_ID: $(DEPLOYMENT_USER_ID)
ADMIN_USER_PWD: $(ADMIN_USER_PWD)
DOMAIN_ADMIN_USER_PWD: $(DOMAIN_ADMIN_USER_PWD)
TENANT_ID: $(TENANT_ID)
- job: ActiveDirectory
pool:
name: 'vdc-self-hosted'
dependsOn: [ SetupValidationResourceGroup, StorageAccounts ]
variables:
BOOTSTRAP_INITIALIZED: $[dependencies.StorageAccounts.outputs['bootstratInitializedOutput.BOOTSTRAP_INITIALIZED']]
steps:
- task: PowerShell@2
displayName: "Pester Tests for Module - Active Directory"
inputs:
targetType: 'inline'
script: '# Write your powershell commands here.
Invoke-Pester -Script "./Modules/ActiveDirectory/2.0/Tests";
# Use the environment variables input below to pass secret variables to this script.'
pwsh: true
- task: AzurePowerShell@4
displayName: "ARM Validation - Active Directory VM"
inputs:
azureSubscription: 'Kunachim Azure SC'
ScriptType: 'FilePath'
ScriptPath: 'Orchestration/OrchestrationService/ModuleConfigurationDeployment.ps1'
ScriptArguments: '-DefinitionPath "Environments/On-Premise/definition.json" -ModuleConfigurationName "ActiveDirectoryVM" -Validate'
azurePowerShellVersion: 'LatestVersion'
env:
VDC_SUBSCRIPTIONS: $(VDC_SUBSCRIPTIONS)
VDC_TOOLKIT_SUBSCRIPTION: $(VDC_TOOLKIT_SUBSCRIPTION)
DEPLOYMENT_USER_ID: $(DEPLOYMENT_USER_ID)
ADMIN_USER_PWD: $(ADMIN_USER_PWD)
DOMAIN_ADMIN_USER_PWD: $(DOMAIN_ADMIN_USER_PWD)
TENANT_ID: $(TENANT_ID)
- task: AzurePowerShell@4
displayName: "ARM Validation - Install Active Directory"
inputs:
azureSubscription: 'Kunachim Azure SC'
ScriptType: 'FilePath'
ScriptPath: 'Orchestration/OrchestrationService/ModuleConfigurationDeployment.ps1'
ScriptArguments: '-DefinitionPath "Environments/On-Premise/definition.json" -ModuleConfigurationName "InstallActiveDirectory" -Validate'
azurePowerShellVersion: 'LatestVersion'
env:
VDC_SUBSCRIPTIONS: $(VDC_SUBSCRIPTIONS)
VDC_TOOLKIT_SUBSCRIPTION: $(VDC_TOOLKIT_SUBSCRIPTION)
DEPLOYMENT_USER_ID: $(DEPLOYMENT_USER_ID)
ADMIN_USER_PWD: $(ADMIN_USER_PWD)
DOMAIN_ADMIN_USER_PWD: $(DOMAIN_ADMIN_USER_PWD)
TENANT_ID: $(TENANT_ID)
- job: TearDownValidationResourceGroup
pool:
name: 'vdc-self-hosted'
dependsOn: [ StorageAccounts, LogAnalytics, NetworkSecurityGroups, ApplicationSecurityGroups, VirtualNetwork, VirtualNetworkGateway, ActiveDirectory ]
steps:
- task: AzurePowerShell@4
displayName: "Teardown Validation Resource Group"
inputs:
azureSubscription: 'Kunachim Azure SC'
ScriptType: 'FilePath'
ScriptPath: 'Orchestration/OrchestrationService/ValidationResourceGroupSetup.ps1'
ScriptArguments: '-TearDownResourceGroup'
azurePowerShellVersion: 'LatestVersion'
- stage: Deploy
jobs:
- job: DiagnosticStorageAccount
timeoutInMinutes: 0
pool:
name: 'vdc-self-hosted'
steps:
- task: AzurePowerShell@4
displayName: "Diagnostic Storage Account"
inputs:
azureSubscription: 'Kunachim Azure SC'
ScriptType: 'FilePath'
ScriptPath: 'Orchestration/OrchestrationService/ModuleConfigurationDeployment.ps1'
ScriptArguments: '-DefinitionPath "Environments/On-Premise/definition.json" -ModuleConfigurationName "DiagnosticStorageAccount"'
azurePowerShellVersion: 'LatestVersion'
env:
VDC_SUBSCRIPTIONS: $(VDC_SUBSCRIPTIONS)
VDC_TOOLKIT_SUBSCRIPTION: $(VDC_TOOLKIT_SUBSCRIPTION)
DEPLOYMENT_USER_ID: $(DEPLOYMENT_USER_ID)
ADMIN_USER_PWD: $(ADMIN_USER_PWD)
DOMAIN_ADMIN_USER_PWD: $(DOMAIN_ADMIN_USER_PWD)
TENANT_ID: $(TENANT_ID)
- job: LogAnalytics
timeoutInMinutes: 0
pool:
name: 'vdc-self-hosted'
dependsOn: DiagnosticStorageAccount
variables:
BOOTSTRAP_INITIALIZED: $[dependencies.DiagnosticStorageAccount.outputs['bootstratInitializedOutput.BOOTSTRAP_INITIALIZED']]
steps:
- task: AzurePowerShell@4
displayName: "Log Analytics"
inputs:
azureSubscription: 'Kunachim Azure SC'
ScriptType: 'FilePath'
ScriptPath: 'Orchestration/OrchestrationService/ModuleConfigurationDeployment.ps1'
ScriptArguments: '-DefinitionPath "Environments/On-Premise/definition.json" -ModuleConfigurationName "LogAnalytics"'
azurePowerShellVersion: 'LatestVersion'
env:
VDC_SUBSCRIPTIONS: $(VDC_SUBSCRIPTIONS)
VDC_TOOLKIT_SUBSCRIPTION: $(VDC_TOOLKIT_SUBSCRIPTION)
DEPLOYMENT_USER_ID: $(DEPLOYMENT_USER_ID)
ADMIN_USER_PWD: $(ADMIN_USER_PWD)
DOMAIN_ADMIN_USER_PWD: $(DOMAIN_ADMIN_USER_PWD)
TENANT_ID: $(TENANT_ID)
- job: OnPremisesNSG
timeoutInMinutes: 0
pool:
name: 'vdc-self-hosted'
dependsOn: [ LogAnalytics, DiagnosticStorageAccount ]
variables:
BOOTSTRAP_INITIALIZED: $[dependencies.DiagnosticStorageAccount.outputs['bootstratInitializedOutput.BOOTSTRAP_INITIALIZED']]
steps:
- task: AzurePowerShell@4
displayName: "Network Security Group"
inputs:
azureSubscription: 'Kunachim Azure SC'
ScriptType: 'FilePath'
ScriptPath: 'Orchestration/OrchestrationService/ModuleConfigurationDeployment.ps1'
ScriptArguments: '-DefinitionPath "Environments/On-Premise/definition.json" -ModuleConfigurationName "OnPremisesNSG"'
azurePowerShellVersion: 'LatestVersion'
env:
VDC_SUBSCRIPTIONS: $(VDC_SUBSCRIPTIONS)
VDC_TOOLKIT_SUBSCRIPTION: $(VDC_TOOLKIT_SUBSCRIPTION)
DEPLOYMENT_USER_ID: $(DEPLOYMENT_USER_ID)
ADMIN_USER_PWD: $(ADMIN_USER_PWD)
DOMAIN_ADMIN_USER_PWD: $(DOMAIN_ADMIN_USER_PWD)
TENANT_ID: $(TENANT_ID)
- job: DomainControllerASG
timeoutInMinutes: 0
pool:
name: 'vdc-self-hosted'
variables:
BOOTSTRAP_INITIALIZED: $[dependencies.DiagnosticStorageAccount.outputs['bootstratInitializedOutput.BOOTSTRAP_INITIALIZED']]
dependsOn: DiagnosticStorageAccount
steps:
- task: AzurePowerShell@4
displayName: "Application Security Group"
inputs:
azureSubscription: 'Kunachim Azure SC'
ScriptType: 'FilePath'
ScriptPath: 'Orchestration/OrchestrationService/ModuleConfigurationDeployment.ps1'
ScriptArguments: '-DefinitionPath "Environments/On-Premise/definition.json" -ModuleConfigurationName "DomainControllerASG"'
azurePowerShellVersion: 'LatestVersion'
env:
VDC_SUBSCRIPTIONS: $(VDC_SUBSCRIPTIONS)
VDC_TOOLKIT_SUBSCRIPTION: $(VDC_TOOLKIT_SUBSCRIPTION)
DEPLOYMENT_USER_ID: $(DEPLOYMENT_USER_ID)
ADMIN_USER_PWD: $(ADMIN_USER_PWD)
DOMAIN_ADMIN_USER_PWD: $(DOMAIN_ADMIN_USER_PWD)
TENANT_ID: $(TENANT_ID)
- job: VirtualNetwork
timeoutInMinutes: 0
pool:
name: 'vdc-self-hosted'
dependsOn: [ OnPremisesNSG, DiagnosticStorageAccount ]
variables:
BOOTSTRAP_INITIALIZED: $[dependencies.DiagnosticStorageAccount.outputs['bootstratInitializedOutput.BOOTSTRAP_INITIALIZED']]
steps:
- task: AzurePowerShell@4
displayName: "Virtual Network"
inputs:
azureSubscription: 'Kunachim Azure SC'
ScriptType: 'FilePath'
ScriptPath: 'Orchestration/OrchestrationService/ModuleConfigurationDeployment.ps1'
ScriptArguments: '-DefinitionPath "Environments/On-Premise/definition.json" -ModuleConfigurationName "VirtualNetwork"'
azurePowerShellVersion: 'LatestVersion'
env:
VDC_SUBSCRIPTIONS: $(VDC_SUBSCRIPTIONS)
VDC_TOOLKIT_SUBSCRIPTION: $(VDC_TOOLKIT_SUBSCRIPTION)
DEPLOYMENT_USER_ID: $(DEPLOYMENT_USER_ID)
ADMIN_USER_PWD: $(ADMIN_USER_PWD)
DOMAIN_ADMIN_USER_PWD: $(DOMAIN_ADMIN_USER_PWD)
TENANT_ID: $(TENANT_ID)
- job: KeyVault
timeoutInMinutes: 0
pool:
name: 'vdc-self-hosted'
dependsOn: [ DiagnosticStorageAccount, LogAnalytics, DiagnosticStorageAccount ]
variables:
BOOTSTRAP_INITIALIZED: $[dependencies.DiagnosticStorageAccount.outputs['bootstratInitializedOutput.BOOTSTRAP_INITIALIZED']]
steps:
- task: AzurePowerShell@4
displayName: "Key Vault"
inputs:
azureSubscription: 'Kunachim Azure SC'
ScriptType: 'FilePath'
ScriptPath: 'Orchestration/OrchestrationService/ModuleConfigurationDeployment.ps1'
ScriptArguments: '-DefinitionPath "Environments/On-Premise/definition.json" -ModuleConfigurationName "KeyVault"'
azurePowerShellVersion: 'LatestVersion'
env:
VDC_SUBSCRIPTIONS: $(VDC_SUBSCRIPTIONS)
VDC_TOOLKIT_SUBSCRIPTION: $(VDC_TOOLKIT_SUBSCRIPTION)
DEPLOYMENT_USER_ID: $(DEPLOYMENT_USER_ID)
ADMIN_USER_PWD: $(ADMIN_USER_PWD)
DOMAIN_ADMIN_USER_PWD: $(DOMAIN_ADMIN_USER_PWD)
TENANT_ID: $(TENANT_ID)
- job: CreateRootCertificate
timeoutInMinutes: 0
pool:
name: 'vdc-self-hosted'
dependsOn: [ KeyVault, DiagnosticStorageAccount ]
variables:
BOOTSTRAP_INITIALIZED: $[dependencies.DiagnosticStorageAccount.outputs['bootstratInitializedOutput.BOOTSTRAP_INITIALIZED']]
steps:
- task: AzurePowerShell@4
displayName: "Create Root Certificate"
inputs:
azureSubscription: 'Kunachim Azure SC'
ScriptType: 'FilePath'
ScriptPath: 'Orchestration/OrchestrationService/ModuleConfigurationDeployment.ps1'
ScriptArguments: '-DefinitionPath "Environments/On-Premise/definition.json" -ModuleConfigurationName "CreateRootCertificate"'
azurePowerShellVersion: 'LatestVersion'
env:
VDC_SUBSCRIPTIONS: $(VDC_SUBSCRIPTIONS)
VDC_TOOLKIT_SUBSCRIPTION: $(VDC_TOOLKIT_SUBSCRIPTION)
DEPLOYMENT_USER_ID: $(DEPLOYMENT_USER_ID)
ADMIN_USER_PWD: $(ADMIN_USER_PWD)
DOMAIN_ADMIN_USER_PWD: $(DOMAIN_ADMIN_USER_PWD)
TENANT_ID: $(TENANT_ID)
- job: VirtualNetworkGateway
timeoutInMinutes: 0
pool:
name: 'vdc-self-hosted'
dependsOn: [ VirtualNetwork, CreateRootCertificate, DiagnosticStorageAccount ]
variables:
BOOTSTRAP_INITIALIZED: $[dependencies.DiagnosticStorageAccount.outputs['bootstratInitializedOutput.BOOTSTRAP_INITIALIZED']]
steps:
- task: AzurePowerShell@4
displayName: "Virtual Network Gateway"
inputs:
azureSubscription: 'Kunachim Azure SC'
ScriptType: 'FilePath'
ScriptPath: 'Orchestration/OrchestrationService/ModuleConfigurationDeployment.ps1'
ScriptArguments: '-DefinitionPath "Environments/On-Premise/definition.json" -ModuleConfigurationName "VirtualNetworkGateway"'
azurePowerShellVersion: 'LatestVersion'
env:
VDC_SUBSCRIPTIONS: $(VDC_SUBSCRIPTIONS)
VDC_TOOLKIT_SUBSCRIPTION: $(VDC_TOOLKIT_SUBSCRIPTION)
DEPLOYMENT_USER_ID: $(DEPLOYMENT_USER_ID)
ADMIN_USER_PWD: $(ADMIN_USER_PWD)
DOMAIN_ADMIN_USER_PWD: $(DOMAIN_ADMIN_USER_PWD)
TENANT_ID: $(TENANT_ID)
- job: EnableServiceEndpointOnKeyVault
timeoutInMinutes: 0
pool:
name: 'vdc-self-hosted'
dependsOn: [ VirtualNetworkGateway, DiagnosticStorageAccount ]
variables:
BOOTSTRAP_INITIALIZED: $[dependencies.DiagnosticStorageAccount.outputs['bootstratInitializedOutput.BOOTSTRAP_INITIALIZED']]
steps:
- task: AzurePowerShell@4
displayName: "Key Vault"
inputs:
azureSubscription: 'Kunachim Azure SC'
ScriptType: 'FilePath'
ScriptPath: 'Orchestration/OrchestrationService/ModuleConfigurationDeployment.ps1'
ScriptArguments: '-DefinitionPath "Environments/On-Premise/definition.json" -ModuleConfigurationName "EnableServiceEndpointOnKeyVault"'
azurePowerShellVersion: 'LatestVersion'
env:
VDC_SUBSCRIPTIONS: $(VDC_SUBSCRIPTIONS)
VDC_TOOLKIT_SUBSCRIPTION: $(VDC_TOOLKIT_SUBSCRIPTION)
DEPLOYMENT_USER_ID: $(DEPLOYMENT_USER_ID)
ADMIN_USER_PWD: $(ADMIN_USER_PWD)
DOMAIN_ADMIN_USER_PWD: $(DOMAIN_ADMIN_USER_PWD)
TENANT_ID: $(TENANT_ID)
- job: ArtifactsStorageAccount
timeoutInMinutes: 0
pool:
name: 'vdc-self-hosted'
variables:
BOOTSTRAP_INITIALIZED: $[dependencies.DiagnosticStorageAccount.outputs['bootstratInitializedOutput.BOOTSTRAP_INITIALIZED']]
dependsOn: DiagnosticStorageAccount
steps:
- task: AzurePowerShell@4
displayName: "Artifacts Storage Account"
inputs:
azureSubscription: 'Kunachim Azure SC'
ScriptType: 'FilePath'
ScriptPath: 'Orchestration/OrchestrationService/ModuleConfigurationDeployment.ps1'
ScriptArguments: '-DefinitionPath "Environments/On-Premise/definition.json" -ModuleConfigurationName "ArtifactsStorageAccount"'
azurePowerShellVersion: 'LatestVersion'
env:
VDC_SUBSCRIPTIONS: $(VDC_SUBSCRIPTIONS)
VDC_TOOLKIT_SUBSCRIPTION: $(VDC_TOOLKIT_SUBSCRIPTION)
DEPLOYMENT_USER_ID: $(DEPLOYMENT_USER_ID)
ADMIN_USER_PWD: $(ADMIN_USER_PWD)
DOMAIN_ADMIN_USER_PWD: $(DOMAIN_ADMIN_USER_PWD)
TENANT_ID: $(TENANT_ID)
- job: UploadScriptsToArtifactsStorage
timeoutInMinutes: 0
pool:
name: 'vdc-self-hosted'
dependsOn: [ ArtifactsStorageAccount, DiagnosticStorageAccount ]
variables:
BOOTSTRAP_INITIALIZED: $[dependencies.DiagnosticStorageAccount.outputs['bootstratInitializedOutput.BOOTSTRAP_INITIALIZED']]
steps:
- task: AzurePowerShell@4
displayName: "Upload Scripts To Artifacts Storage"
inputs:
azureSubscription: 'Kunachim Azure SC'
ScriptType: 'FilePath'
ScriptPath: 'Orchestration/OrchestrationService/ModuleConfigurationDeployment.ps1'
ScriptArguments: '-DefinitionPath "Environments/On-Premise/definition.json" -ModuleConfigurationName "UploadScriptsToArtifactsStorage"'
azurePowerShellVersion: 'LatestVersion'
env:
VDC_SUBSCRIPTIONS: $(VDC_SUBSCRIPTIONS)
VDC_TOOLKIT_SUBSCRIPTION: $(VDC_TOOLKIT_SUBSCRIPTION)
DEPLOYMENT_USER_ID: $(DEPLOYMENT_USER_ID)
ADMIN_USER_PWD: $(ADMIN_USER_PWD)
DOMAIN_ADMIN_USER_PWD: $(DOMAIN_ADMIN_USER_PWD)
TENANT_ID: $(TENANT_ID)
- job: ActiveDirectoryVM
timeoutInMinutes: 0
pool:
name: 'vdc-self-hosted'
dependsOn: [ VirtualNetwork, DiagnosticStorageAccount, LogAnalytics, KeyVault, ArtifactsStorageAccount ]
variables:
BOOTSTRAP_INITIALIZED: $[dependencies.DiagnosticStorageAccount.outputs['bootstratInitializedOutput.BOOTSTRAP_INITIALIZED']]
steps:
- task: AzurePowerShell@4
displayName: "Active Directory VM"
inputs:
azureSubscription: 'Kunachim Azure SC'
ScriptType: 'FilePath'
ScriptPath: 'Orchestration/OrchestrationService/ModuleConfigurationDeployment.ps1'
ScriptArguments: '-DefinitionPath "Environments/On-Premise/definition.json" -ModuleConfigurationName "ActiveDirectoryVM"'
azurePowerShellVersion: 'LatestVersion'
env:
VDC_SUBSCRIPTIONS: $(VDC_SUBSCRIPTIONS)
VDC_TOOLKIT_SUBSCRIPTION: $(VDC_TOOLKIT_SUBSCRIPTION)
DEPLOYMENT_USER_ID: $(DEPLOYMENT_USER_ID)
ADMIN_USER_PWD: $(ADMIN_USER_PWD)
DOMAIN_ADMIN_USER_PWD: $(DOMAIN_ADMIN_USER_PWD)
TENANT_ID: $(TENANT_ID)
- job: InstallActiveDirectory
timeoutInMinutes: 0
pool:
name: 'vdc-self-hosted'
dependsOn: [ ActiveDirectoryVM, DiagnosticStorageAccount ]
variables:
BOOTSTRAP_INITIALIZED: $[dependencies.DiagnosticStorageAccount.outputs['bootstratInitializedOutput.BOOTSTRAP_INITIALIZED']]
steps:
- task: AzurePowerShell@4
displayName: "Install Active Directory"
inputs:
azureSubscription: 'Kunachim Azure SC'
ScriptType: 'FilePath'
ScriptPath: 'Orchestration/OrchestrationService/ModuleConfigurationDeployment.ps1'
ScriptArguments: '-DefinitionPath "Environments/On-Premise/definition.json" -ModuleConfigurationName "InstallActiveDirectory"'
azurePowerShellVersion: 'LatestVersion'
env:
VDC_SUBSCRIPTIONS: $(VDC_SUBSCRIPTIONS)
VDC_TOOLKIT_SUBSCRIPTION: $(VDC_TOOLKIT_SUBSCRIPTION)
DEPLOYMENT_USER_ID: $(DEPLOYMENT_USER_ID)
ADMIN_USER_PWD: $(ADMIN_USER_PWD)
DOMAIN_ADMIN_USER_PWD: $(DOMAIN_ADMIN_USER_PWD)
TENANT_ID: $(TENANT_ID)
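Review bot: `TearDownValidationResourceGroup` (the `dependsOn` list in the Validate stage) omits the `KeyVault` job, so the validation resource group can be torn down while the "ARM Validation - Key Vault" and "Enable Service Endpoint On Key Vault" tasks are still running; add `KeyVault` to that list. The Deploy stage has two related dependency slips: the `KeyVault` job lists `DiagnosticStorageAccount` twice in `dependsOn`, and `ActiveDirectoryVM` depends on `ArtifactsStorageAccount` but not on `UploadScriptsToArtifactsStorage`, so the VM can be provisioned before the scripts it fetches from that account have been uploaded. Note also that `CreateRootCertificate`, `ArtifactsStorageAccount` and `UploadScriptsToArtifactsStorage` are deployed without a matching job in the Validate stage. Finally, `ADMIN_USER_PWD`, `DOMAIN_ADMIN_USER_PWD` and the other secret variables are mapped into the `env` of every job, including Log Analytics and the NSG/ASG deployments; map each secret only into the jobs whose module configuration references it, and drop the leftover `# Write your powershell commands here.` template comments from the inline Pester steps.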

View file

@ -1,5 +1,5 @@
{
"Name": "${Parameters.Organization}cstmartfcts01",
"Name": "${Parameters.Organization}cstmartfcts11",
"ResourceGroup": "${Parameters.InstanceName}-artifacts-rg",
"Sku": "Standard_GRS",
"Location": "${Parameters.Location}",

Modules/ActiveDirectory/2.0/Policy/git_placeholder.md Normal file → Executable file
View file

Modules/ActiveDirectory/2.0/RBAC/git_placeholder.md Normal file → Executable file
View file

Modules/ActiveDirectory/2.0/Scripts/git_placeholder.md Normal file → Executable file
View file

Modules/ActiveDirectory/2.0/Tests/module.tests.ps1 Normal file → Executable file
View file

Modules/ActiveDirectory/2.0/deploy.json Normal file → Executable file
View file

Modules/ActiveDirectory/2.0/readme.md Normal file → Executable file
View file

View file

View file

@ -0,0 +1,61 @@
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"virtualMachineName": {
"value": "adds"
},
"virtualMachineSize": {
"value": "Standard_DS2_v2"
},
"virtualMachineOSImage": {
"value": {
"offer": "WindowsServer",
"publisher": "MicrosoftWindowsServer",
"sku": "2016-Datacenter"
}
},
"virtualMachineOSType": {
"value": "Windows"
},
"workspaceId": {
"value": "00000000-0000-0000-0000-000000000000"
},
"logAnalyticsWorkspaceId": {
"value": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/resourceGroup/providers/Microsoft.OperationalInsights/workspaces/contoso-example"
},
"logAnalyticsWorkspacePrimarySharedKey": {
"value": ""
},
"diagnosticsStorageAccountId": {
"value": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/resourceGroup/providers/Microsoft.Storage/storageAccounts/contosostrgexmpl"
},
"diagnosticsStorageAccountName": {
"value": "contoso-diag-storage"
},
"diagnosticsStorageAccountSasToken": {
"value": ""
},
"artifactsStorageAccountName": {
"value": "vdcstorage"
},
"artifactsStorageAccountKey": {
"value": ""
},
"artifactsStorageAccountSasKey": {
"value": ""
},
"vNetId": {
"value": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/resourceGroup/providers/Microsoft.Network/virtualNetworks/contoso-vnet-example"
},
"subnetName": {
"value": "sharedsvcs"
},
"adminUsername": {
"value": "contoso"
},
"adminPassword": {
"value": "password"
}
}
}
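Review bot: `adminPassword` is committed as the literal `"password"` and the storage keys and SAS tokens as empty strings; even as placeholders in a test parameters file this is the pattern that ends with a real value being filled in and pushed. For the secret-valued parameters use an ARM Key Vault reference (`"adminPassword": { "reference": { "keyVault": { "id": "<vault resource id>" }, "secretName": "<secret name>" } }`) or leave them to the orchestration to inject at deploy time, so the checked-in file never carries a usable credential. Also, `"diagnosticsStorageAccountName": "contoso-diag-storage"` is not a valid storage account name (no hyphens allowed) and does not match the `contosostrgexmpl` account in `diagnosticsStorageAccountId` two entries above.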

View file

@ -378,7 +378,7 @@
{
"name": "dataDisks",
"count": "[length(parameters('virtualMachineDataDisks'))]",
"input":
"input":
{
"lun": "[copyIndex('dataDisks')]",
"name": "[replace(toLower(substring(concat(parameters('virtualMachineName'), copyIndex('vmLoop', parameters('virtualMachineOffset')), '-dsk', copyindex('dataDisks', parameters('virtualMachineOffset')), '-', replace(concat(variables('uniqueString'), variables('uniqueString')), '-', '')), 0, 30)), '-', '')]",
@ -1800,7 +1800,6 @@
}
]
},
{
"type": "Microsoft.Compute/virtualMachines/extensions",
"name": "[concat(parameters('virtualMachineName'), copyIndex(parameters('virtualMachineOffset')), '/', variables('DSCExtensionName'))]",
@ -1893,4 +1892,4 @@
}
}
}
}
}

View file

View file

@ -0,0 +1,23 @@
[CmdletBinding()]
param(
[Parameter(Mandatory=$true)]
[string]$CertData,
[Parameter(Mandatory=$true)]
[string]$Password
)
$certPath = "Cert:\CurrentUser\My";
$CertData > C:\certs\rootCert.cer;
$file = ( Get-ChildItem -Path C:\certs\rootCert.cer );
$file | Import-Certificate -CertStoreLocation $certPath;
if($null -eq $clientCert) {
New-SelfSignedCertificate -Type Custom -DnsName ContosoClient -KeySpec Signature `
-Subject "CN=VPN Client" -KeyExportPolicy Exportable `
-HashAlgorithm sha256 -KeyLength 2048 `
-CertStoreLocation $certPath `
-Signer $rootCert -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2");
}
$rootCert = (Get-ChildItem -Path $certPath) | Where-Object { $_.Subject -eq "CN=VPN CA" };
$clientCert = (Get-ChildItem -Path $certPath) | Where-Object { $_.Subject -eq "CN=VPN Client" };
$mypwd = ConvertTo-SecureString -String $Password -Force -AsPlainText;
Export-PfxCertificate -Cert $clientCert -FilePath c:\certs\clientCert.pfx -Password $mypwd;
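Review bot: `$rootCert` and `$clientCert` are only assigned on the last lines of the script (the two `Where-Object { $_.Subject -eq ... }` lookups), yet both are used earlier: `if($null -eq $clientCert)` is therefore always true and `-Signer $rootCert` passes `$null`, so the client certificate is never chained to the imported root. Move the two `Get-ChildItem` lookups to directly after `Import-Certificate`, and re-read `$clientCert` after `New-SelfSignedCertificate` so `Export-PfxCertificate` exports the certificate that was just created. Smaller points: `$CertData > C:\certs\rootCert.cer` assumes `C:\certs` exists and, under Windows PowerShell, writes UTF-16, which `Import-Certificate` may not parse; `New-Item -ItemType Directory -Force C:\certs` followed by `Set-Content -Encoding ascii` is safer. `-DnsName ContosoClient` looks like a sample value and should be parameterized or dropped.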

View file

@ -0,0 +1,8 @@
CERT_DATA=$1
PASSWORD=$2
# Use a default value of "client" for USERNAME
USERNAME="client"
$CERT_DATA > ~/pki/caCert.pem
ipsec pki --gen --outform pem > ~/pki/"${USERNAME}Key.pem"
ipsec pki --pub --in ~/pki/"${USERNAME}Key.pem" | ipsec pki --issue --cacert ~/pki/caCert.pem --cakey ~/pki/caKey.pem --dn "CN=${USERNAME}" --san "${USERNAME}" --flag clientAuth --outform pem > ~/pki/"${USERNAME}Cert.pem"
openssl pkcs12 -in ~/pki/"${USERNAME}Cert.pem" -inkey ~/pki/"${USERNAME}Key.pem" -certfile ~/pki/caCert.pem -export -out ~/pki/"${USERNAME}.p12" -password "pass:${PASSWORD}"
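Review bot: `$CERT_DATA > ~/pki/caCert.pem` executes the certificate data as a command instead of writing it (the PowerShell `$CertData > file` idiom does not carry over to bash); it needs to be `printf '%s' "$CERT_DATA" > ...`. Because the companion root-certificate script stores the CA as base64-encoded DER (`openssl x509 -outform der | base64 -w0`), the value must also go through `base64 -d` before `ipsec pki --issue --cacert` can read it, and `--cakey ~/pki/caKey.pem` assumes the CA private key is on the same machine, which is only true on the agent that generated it. Add `#!/usr/bin/env bash` and `set -euo pipefail` so a failed step does not leave a half-written `.p12`, and quote `"$CERT_DATA"`, `"$PASSWORD"` and the other expansions.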

View file

@ -0,0 +1,44 @@
[CmdletBinding()]
param(
[Parameter(Mandatory=$true)]
[string]$TenantId,
[Parameter(Mandatory=$true)]
[string]$ServicePrincipal_ID,
[Parameter(Mandatory=$true)]
[string]$ServicePrincipal_Secret,
[Parameter(Mandatory=$true)]
[string]$KeyVaultName,
[Parameter(Mandatory=$true)]
[string]$KeyName,
[Parameter(Mandatory=$true)]
[string]$BashScriptPath
)
Import-Module -Name Az
if($Env:OS -like "*windows*" -or $IsWindows -eq $true) {
$keyExists = Get-AzKeyVaultSecret -VaultName $KeyVaultName -Name $KeyName
if($null -ne $keyExists) {
Write-Host "Generating Root Cert for Windows";
$certPath = "Cert:\CurrentUser\My";
$rootCert = Get-ChildItem -Path $certPath | Where-Object { $_.Subject -eq "CN=VPN CA" };
if($null -eq $rootCert) {
$rootCert = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
-Subject "CN=VPN CA" -KeyExportPolicy Exportable `
-HashAlgorithm sha256 -KeyLength 2048 `
-CertStoreLocation $certPath -KeyUsageProperty Sign -KeyUsage CertSign;
}
$rootCertPublicKey = $rootCert.GetPublicKeyString();
Export-Certificate -Cert $rootCert.PSPath -FilePath C:\certs\rootCert.cer
$rootCertPublicKey = $rootCert.GetRawCertDataString();
$rootCertPublicKey = [Convert]::ToBase64String($rootCertPublicKey);
$secureString = ConvertTo-SecureString -String $rootCertPublicKey -AsPlainText -Force;
Set-AzKeyVaultSecret -VaultName $KeyVaultName -Name $KeyName -SecretValue $secureString;
}
}
else {
Write-Host "Generating Root Cert for Linux";
Get-Location | Write-Host;
bash -c "$BashScriptPath $TenantId $ServicePrincipal_ID $ServicePrincipal_Secret $KeyVaultName $KeyName";
}
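Review bot: the guard `if($null -ne $keyExists)` is inverted: the root certificate is generated and written to Key Vault only when the secret already exists, so on a fresh environment (the case this job exists for) the Windows branch does nothing. `$null -eq $keyExists` is presumably intended, or drop the check and let `Set-AzKeyVaultSecret` add a new version. Second, `[Convert]::ToBase64String($rootCert.GetRawCertDataString())` will not run: `GetRawCertDataString()` returns a hex string and `ToBase64String` takes a byte array; use `[Convert]::ToBase64String($rootCert.RawData)`, which is also exactly the `PublicCertData` format the gateway template consumes. The earlier `$rootCertPublicKey = $rootCert.GetPublicKeyString()` is dead and can go, and `Export-Certificate` assumes `C:\certs` exists. Finally, `$ServicePrincipal_Secret` is handed to the bash script on its command line, where it is visible to any process listing on the agent; pass it through an environment variable instead.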

View file

@ -0,0 +1,16 @@
TENANT=$1
SP_USERNAME=$2
SP_PASSWORD=$3
KEY_VAULT_NAME=$4
KEY_VAULT_SECRET_NAME=$5
apt-get update
apt-get install -y strongswan strongswan-pki
mkdir -p ~/pki/{cacerts,certs,private}
chmod 700 ~/pki
ipsec pki --gen --outform pem > ~/pki/caKey.pem
ipsec pki --self --in ~/pki/caKey.pem --dn "CN=VPN CA" --ca --outform pem > ~/pki/caCert.pem
KEY=$(openssl x509 -in ~/pki/caCert.pem -outform der | base64 -w0)
# Store the base64 encoded public key of the rootCert as KeyVault secret
az login --service-principal --username $SP_USERNAME --password $SP_PASSWORD --tenant $TENANT
az keyvault secret set --vault-name $KEY_VAULT_NAME --name $KEY_VAULT_SECRET_NAME --value $KEY
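Review bot: only the CA certificate (`KEY=$(openssl x509 ... | base64 -w0)`) reaches Key Vault; `~/pki/caKey.pem`, the CA private key, stays in the agent user's home directory protected by nothing more than `chmod 700`. Once the agent is rebuilt no further client certificates can be issued, and until then anyone who can run as that account can mint VPN client certificates. Store the key as a Key Vault secret next to the certificate (or issue the CA from Key Vault) and remove it from the agent. Also: `apt-get` needs root, so the script silently fails on a non-root agent; `$SP_PASSWORD` and `$KEY` are unquoted and break on special characters, and the secret appears in the process list for the `az login` call; and without `set -euo pipefail` a failed `ipsec pki --self` still uploads an empty `KEY`.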

View file

@ -45,13 +45,62 @@
"metadata": {
"description": "Optional. ASN value"
}
},
"vpnClientAddressPoolPrefix": {
"type": "string",
"metadata": {
"description": "The IP address range from which VPN clients will receive an IP address when connected. Range specified must not overlap with on-premise network."
}
},
"clientRootCertData": {
"type": "string",
"metadata": {
"description": "Client root certificate data used to authenticate VPN clients."
}
},
"clientRevokedCertThumbprint": {
"type": "string",
"metadata": {
"description": "Thumbprint of the revoked certificate. This would revoke VPN client certificates matching this thumbprint from connecting to the VNet."
}
},
"enablePip": {
"type": "bool",
"defaultValue": false,
"metadata": {
"description": "Optional. Value to specify if BGP is enabled or not"
}
}
},
"variables": {
"gatewayPipName": "[concat(parameters('virtualNetworkGatewayName'), '-pip')]",
"gatewayPipResourceName": "[concat('Microsoft.Network/publicIpAddresses/',variables('gatewayPipName'))]",
"gatewaySubnetId": "[concat(parameters('vNetId'), '/subnets/GatewaySubnet')]",
"gatewayPipId": "[resourceId('Microsoft.Network/publicIPAddresses', variables('gatewayPipName'))]"
"gatewayPipId": "[resourceId('Microsoft.Network/publicIPAddresses', variables('gatewayPipName'))]",
"gatewayPip": {
"id": "[variables('gatewayPipId')]"
},
"vpnClientRootCertificates": [{
"name": "RootCert1",
"properties": {
"PublicCertData": "[parameters('clientRootCertData')]"
}
}],
"vpmClientRevokedCertificates": [{
"name": "RevokedCert1",
"properties": {
"Thumbprint": "[parameters('clientRevokedCertThumbprint')]"
}
}],
"vpnClientConfiguration": {
"vpnClientAddressPool": {
"addressPrefixes": [
"[parameters('vpnClientAddressPoolPrefix')]"
]
},
"vpnClientRootCertificates": "[if(empty(parameters('clientRootCertData')), json('null'), variables('vpnClientRootCertificates'))]",
"vpnClientRevokedCertificates": "[if(empty(parameters('clientRevokedCertThumbprint')), json('null'), variables('vpmClientRevokedCertificates'))]"
}
},
"resources": [
{
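Review bot: `vpnClientAddressPoolPrefix`, `clientRootCertData` and `clientRevokedCertThumbprint` are declared as required `string` parameters with no `defaultValue`, yet the new variables and the `vpnClientConfiguration` guard treat them as optional via `empty(...)`; every existing caller of this module that does not use point-to-site will now fail with a missing-parameter error. Add `"defaultValue": ""` to all three and prefix their descriptions with `Optional.` like the neighbouring parameters. Two copy-paste slips in the same hunk: `enablePip` carries the BGP description (`"Value to specify if BGP is enabled or not"`), and the revoked-certificate variable is spelled `vpmClientRevokedCertificates`.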
@ -80,9 +129,7 @@
"subnet": {
"id": "[variables('gatewaySubnetId')]"
},
"publicIPAddress": {
"id": "[variables('gatewayPipId')]"
}
"publicIPAddress": "[variables('gatewayPip')]"
},
"name": "vNetGatewayConfig"
}
@ -96,7 +143,8 @@
"tier": "[parameters('virtualNetworkGatewaySku')]"
},
"gatewayType": "[parameters('virtualNetworkGatewayType')]",
"vpnType": "[parameters('vpnType')]"
"vpnType": "[parameters('vpnType')]",
"vpnClientConfiguration": "[if(empty(parameters('vpnClientAddressPoolPrefix')), json('null'), variables('vpnClientConfiguration'))]"
}
}
],
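Review bot: the guard on `vpnClientConfiguration` keys only on `vpnClientAddressPoolPrefix`, so a caller who sets the address pool but leaves `clientRootCertData` empty gets a point-to-site configuration whose `vpnClientRootCertificates` is `null`, leaving the gateway no way to authenticate clients. Either require the root certificate whenever the pool is set (fail at validation) or fold `empty(parameters('clientRootCertData'))` into the same `if(...)`. Also, the revoked-certificate list is a single fixed `RevokedCert1` entry, so more than one revoked thumbprint cannot be expressed; an array parameter would be the natural shape.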

View file

@ -16,6 +16,15 @@
},
"vNetId": {
"value": "subscriptions/0000000000/resourceGroups/resourceGroup"
},
"vpnClientAddressPoolPrefix": {
"value": "10.10.8.0/24"
},
"clientRootCertData": {
"value": "certData"
},
"clientRevokedCertThumbprint": {
"value": "thumbprint"
}
}
}
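Review bot: `"certData"` and `"thumbprint"` are not syntactically valid values for a base64 certificate blob or a SHA-1 thumbprint, so the module's ARM validation with this parameters file exercises a gateway configuration the resource provider is likely to reject rather than the `empty()` path the template was given. Use `""` for both (taking the null branch) or a clearly test-only certificate generated for the test fixture, and note in the file which of the two the test is meant to cover.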

View file

@ -402,7 +402,7 @@ Class ConfigurationBuilder {
# "TemplatePath": "modules/2.0/deploy.json",
# "TemplatePath": "modules.json",
# TODO: Include the above two cases
$pathExtractionRegex = "[`"\']([\.\/]+.*[.]?)[`"\']";
$pathExtractionRegex = "[`"\']([\.\/]+.*?[.]?)[`"\']";
# Check if the path matches the regex pattern specified,
# extract and return the path
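Review bot: the non-greedy `.*?` fixes the case where two quoted paths sit on one line, but it makes the trailing `[.]?` dead: a lazy `.*?` stops at the first closing quote, so the optional `[.]` never has anything left to match and can be dropped. The TODO above still applies: `[\.\/]+` requires the path to start with `.` or `/`, so `"modules/2.0/deploy.json"` and `"modules.json"` are still not captured; either widen the leading class or add a test case documenting that those forms are unsupported.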

View file

@ -192,8 +192,8 @@ Class CustomScriptExecution {
# there is no way to verify the order in bash.
# We are only converting the hashtable to an
# array
$arguments.Keys | ForEach-Object {
$argumentName = $_;
$arguments.GetEnumerator() | Sort-Object -Property Name | Select-Object -Property Name | ForEach-Object {
$argumentName = $_.Name;
$orderedArguments += $arguments[$argumentName];
}
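Review bot: `Sort-Object -Property Name` makes the positional order passed to the bash script alphabetical (and case-insensitive), not the order in which the arguments were declared in the module configuration. The bash scripts added in this commit read `$1..$5` positionally (`TENANT`, `SP_USERNAME`, `SP_PASSWORD`, ...), so whether they receive the right values now depends on the argument names happening to sort into that order. Document that contract next to this code, or preserve declaration order by building `$arguments` as an `[ordered]` hashtable when the configuration is parsed. The comment above (`We are only converting the hashtable to an array`) no longer describes what the loop does and should mention the sort.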