From 51b3710985e49669e9de14a8c751b3e1fa4a7092 Mon Sep 17 00:00:00 2001
From: Kungumaraj Nachimuthu
Date: Fri, 23 Aug 2019 22:21:47 -0700
Subject: [PATCH] Kunachim/on prem v2 (#100)

* Initial commit for On-Premise Archetype
* Corrected depends-on for pipeline
* Moving ArtifactsStorageAccount module to the top and adding an ADO task for uploading scripts required for AD module
* Added a dependency to upload scripts for AD module
* Added a separate stage for uploading artifacts.
* Invalid dependency removed
* Importing Az.Storage Module before executing other commands.
* Printing out modules path
* Remove Artifacts storage from test
* Minor change to UploadScripts module
* Minor change
* Minor Change to update PSModulePath
* Testing
* Minor path fix
* Minor changes to file path regex to be non-greedy
* Pipeline fixed with reorder Artifacts storage and scripts upload to Artifacts storage
* Minor updates
* Moved the Installation of the PowerShell modules one folder up
* Point-to-Site VPN added to On-Premise Archetype
* Cleaned up the scripts for VPN Root Cert creation
* Finalized Script
* Modularization of Virtual Machine templates (#101)
* initial commit
* moved parameters file outside of the module
* initial commit of new Jumpbox design
* added encryption task
* removed unnecessary parameters
* initial implementation of encryption using kek
* fixed output storage from custom script
* Added format data disks DSC
* added adds dsc that excludes disk formatting
* removed dsc folder
* added policy and rbac tests
* removed 0 file
* updated template static test
* updated ad and adds templates
* updated non-extended shared services environment
* updated display names
* added enable key vault service endpoint task
* fix validate dependency
* fixed task name
* fixed module definition reference
* fixed azure firewall api version
* fixed pipeline and added new environment variable
* updated azure firewall api version
* fixed key vault access policy
* updated parameters comment
* updated zones copy loop
* updated zones condition
* fixed parameters.json error
* removed double quote encoding
* added string array to zones
* updated description name
* updated output reference to lowercase
* enabled debug on AD encryption
* enabled debug on AD encryption
* moved enabling service endpoint of Key Vault after VM deployment
* disabled validation stage
* enabled pipelines
* added SQL Analytics solution
* removed unneeded parameter
* added disk verification before formatting a disk
* updated DSC code
* removed data jumpbox datadisk
* added drive letter parameter to adds
* added workaround to prevent storage initialization multiple times
* added get public IP ps1
* removed finally block
* updated get ip ps1 path
* updated network rules copy loop
* removed networkacls from initial key vault deployment
* explicit set of ps1 argument
* updated initialize file
* fixed return type
* fixed return type from getSasToken function
* added ashashtable to convert from json cmdlet
* added networkAcls with IP whitelisting
* added test-jsoncontent to helper
* added debug
* updated storage account details cache value
* removed debug flag
* updated set variable syntax
* fixed variable name
* added -Compress to JSON string creation
* updated default action on kv networkacls
* added global variable
* updated variable name
* Update pipeline.yml for Azure Pipelines
* moved org name as env variable
* update pipeline
* Update pipeline.yml for Azure Pipelines
* added additional logging info
* temp reduced validation tasks
* fixed dependency
* removed global variable from pipeline
* enabled debug on deployment
* enabled debug
* moved similar tasks into same job
* updated shared services extended pipeline
* removed write-host
* enabled multi-stage jobs
* added env variables
* updated variable set
* removed comments from inline script
* updated pipeline, pass variable between jobs
* added missing environment variable retrieval
* removed unnecessary write-host
* added vnet dependency
* updated job output dependency name
* added multi-job variable
* updated modules path of shared services onprem extension
* fixed parameters
* removed active directory reference
* added Virtual Network dependency
* added spn access policy
* moved dns server as a separate task
* removed additional api calls
* removed duplicate
* added logic for more than one resource id
* Added exponential backoff logic (#103)
* output az graph query
* Update pipeline.yml for Azure Pipelines
* Restore pipeline stages
* added exponential backoff
* added exponential backoff
* added debug function
* Exception handling functions added to Helper (#102)
* Applied the changes
* Minor changes to the exception
* Cleanup
* Cleaned up one of the functions
* minor change
* Merged the Exponential backoff logic with Get exception
* Fix for excluding resource ids from file path parse logic
* fixed - expression syntax
* updated required parameter
* removed dns server task
* enhanced error message details
* updated adds vm name
* added exception analyzer to ARM REST API call
* fixed Get-Exception cmdlet invocation
* added comments to set-context cmdlet
* Added KeyVault service point
* Updated the Archetype to include the new Active Directory Module and new Virtual Machine Module.
* Updated the On-Premise Pipeline
* Minor updates to the pipeline yml file
* Added missing dependency
* Minor update
* More updates to dependencies
* enable pip only if specified
* Minor update to enable Pip in VGW
* Minor update to VGW
* Changed casing on labvm files (#106)
* Error parser logic fixed (#108)
* Initial commit for On-Premise Archetype
* Corrected depends-on for pipeline
* Moving ArtifactsStorageAccount module to the top and adding an ADO task for uploading scripts required for AD module
* Added a dependency to upload scripts for AD module
* Added a separate stage for uploading artifacts.
* Invalid dependency removed
* Importing Az.Storage Module before executing other commands.
* Printing out modules path
* Remove Artifacts storage from test
* Minor change to UploadScripts module
* Minor change
* Minor Change to update PSModulePath
* Testing
* Minor path fix
* Minor changes to file path regex to be non-greedy
* Pipeline fixed with reorder Artifacts storage and scripts upload to Artifacts storage
* Minor updates
* Moved the Installation of the PowerShell modules one folder up
* Point-to-Site VPN added to On-Premise Archetype
* Cleaned up the scripts for VPN Root Cert creation
* Finalized Script
* Added KeyVault service point
* Updated the Archetype to include the new Active Directory Module and new Virtual Machine Module.
* Updated the On-Premise Pipeline
* Minor updates to the pipeline yml file
* Added missing dependency
* Minor update
* More updates to dependencies
* enable pip only if specified
* Minor update to enable Pip in VGW
* Minor update to VGW
* Pipeline yml fixes
* Typo fix
* Access policies added to KeyVault to App and User.
* Pipeline yml updated with feedback from today's review
---
 Agent/Linux/ubuntu-1804.json                  |   6 +-
 Environments/On-Premise/definition.json       |   5 +
 Environments/On-Premise/orchestration.json    | 426 ++++++++++++
 Environments/On-Premise/parameters.json       | 234 +++++++
 Environments/On-Premise/pipeline.yml          | 634 ++++++++++++++++++
 .../_Common/artifactsStorageAccount.json      |   2 +-
 .../2.0/Policy/git_placeholder.md             |   0
 .../2.0/RBAC/git_placeholder.md               |   0
 .../2.0/Scripts/git_placeholder.md            |   0
 .../2.0/Tests/module.tests.ps1                |   0
 Modules/ActiveDirectory/2.0/deploy.json       |   0
 Modules/ActiveDirectory/2.0/readme.md         |   0
 .../2.0/Tests/linux.parameters.json           |   0
 ...n~8d27775b63b177a0a232b2555f41a903bee8779b |  61 ++
 Modules/VirtualMachines/2.0/deploy.json       |   5 +-
 .../2.0/Scripts/git_placeholder.md            |   0
 .../virtual.network.gateway.clientcert.ps1    |  23 +
 .../virtual.network.gateway.clientcert.sh     |   8 +
 .../virtual.network.gateway.rootcert.ps1      |  44 ++
 .../virtual.network.gateway.rootcert.sh       |  16 +
 Modules/VirtualNetworkGateway/2.0/deploy.json |  58 +-
 .../VirtualNetworkGateway/2.0/parameters.json |   9 +
 .../ConfigurationBuilder.ps1                  |   2 +-
 .../CustomScriptExecution.ps1                 |   4 +-
 24 files changed, 1522 insertions(+), 15 deletions(-)
 create mode 100644 Environments/On-Premise/definition.json
 create mode 100644 Environments/On-Premise/orchestration.json
 create mode 100644 Environments/On-Premise/parameters.json
 create mode 100644 Environments/On-Premise/pipeline.yml
 mode change 100644 => 100755 Modules/ActiveDirectory/2.0/Policy/git_placeholder.md
 mode change 100644 => 100755 Modules/ActiveDirectory/2.0/RBAC/git_placeholder.md
 mode change 100644 => 100755 Modules/ActiveDirectory/2.0/Scripts/git_placeholder.md
 mode change 100644 => 100755 Modules/ActiveDirectory/2.0/Tests/module.tests.ps1
 mode change 100644 => 100755 Modules/ActiveDirectory/2.0/deploy.json
 mode change 100644 => 100755 Modules/ActiveDirectory/2.0/readme.md
 mode change 100644 => 100755 Modules/VirtualMachines/2.0/Tests/linux.parameters.json
 create mode 100755 Modules/VirtualMachines/2.0/Tests/windows.parameters.json~8d27775b63b177a0a232b2555f41a903bee8779b
 delete mode 100644 Modules/VirtualNetworkGateway/2.0/Scripts/git_placeholder.md
 create mode 100644 Modules/VirtualNetworkGateway/2.0/Scripts/virtual.network.gateway.clientcert.ps1
 create mode 100755 Modules/VirtualNetworkGateway/2.0/Scripts/virtual.network.gateway.clientcert.sh
 create mode 100644 Modules/VirtualNetworkGateway/2.0/Scripts/virtual.network.gateway.rootcert.ps1
 create mode 100755 Modules/VirtualNetworkGateway/2.0/Scripts/virtual.network.gateway.rootcert.sh

diff --git a/Agent/Linux/ubuntu-1804.json b/Agent/Linux/ubuntu-1804.json
index 142ae1a..83499a6 100644
--- a/Agent/Linux/ubuntu-1804.json
+++ b/Agent/Linux/ubuntu-1804.json
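Review bot: The file list includes `create mode 100755 Modules/VirtualMachines/2.0/Tests/windows.parameters.json~8d27775b63b177a0a232b2555f41a903bee8779b`, which by its `~<sha>` suffix is a merge or editor backup copy rather than a real test parameter file; drop it from the commit (and add the pattern to .gitignore) before it starts being picked up by the Pester tests that glob the Tests folders. The seven `mode change 100644 => 100755` entries on `deploy.json`, `readme.md`, `git_placeholder.md`, `module.tests.ps1` and `linux.parameters.json` set the executable bit on files nothing executes; that usually comes from a checkout on a Windows-mounted filesystem, and `git config core.fileMode false` on that clone plus reverting the modes keeps the noise out of future diffs.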
@@ -64,9 +64,9 @@ { "type": "shell", "inline": [ - "pwsh -Command \"Save-Module -Name Az -LiteralPath /opt/microsoft/powershell/6/Modules/az_1.6.0 -RequiredVersion 1.6.0 -Force\" ", - "pwsh -Command \"Save-Module -Name Pester -LiteralPath /opt/microsoft/powershell/6/Modules/pester -RequiredVersion 4.3.1 -Force\" ", - "pwsh -Command \"Save-Module -Name Az.ResourceGraph -LiteralPath /opt/microsoft/powershell/6/Modules/az_resourcegraph_0.7.3 -RequiredVersion 0.7.3 -Force\" " + "pwsh -Command \"Save-Module -Name Az -LiteralPath /opt/microsoft/powershell/6/Modules -RequiredVersion 1.6.0 -Force\" ", + "pwsh -Command \"Save-Module -Name Pester -LiteralPath /opt/microsoft/powershell/6/Modules -RequiredVersion 4.3.1 -Force\" ", + "pwsh -Command \"Save-Module -Name Az.ResourceGraph -LiteralPath /opt/microsoft/powershell/6/Modules -RequiredVersion 0.7.3 -Force\" " ], "execute_command": "sudo sh -c '{{ .Vars }} {{ .Path }}'" }, diff --git a/Environments/On-Premise/definition.json b/Environments/On-Premise/definition.json new file mode 100644 index 0000000..dba4af8 --- /dev/null +++ b/Environments/On-Premise/definition.json @@ -0,0 +1,5 @@ +{ + "Subscriptions": "env(VDC_SUBSCRIPTIONS)", + "Parameters": "file(./parameters.json)", + "Orchestration": "file(./orchestration.json)" +} \ No newline at end of file diff --git a/Environments/On-Premise/orchestration.json b/Environments/On-Premise/orchestration.json new file mode 100644 index 0000000..32d534b --- /dev/null +++ b/Environments/On-Premise/orchestration.json 
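Review bot: In the Agent/Linux/ubuntu-1804.json hunk the three `Save-Module` calls pin exact versions (`Az` 1.6.0, `Pester` 4.3.1, `Az.ResourceGraph` 0.7.3), which is the right thing for a build-agent image, but none of them names a `-Repository`, so the request is served by whichever repository registered on the image answers first; add `-Repository PSGallery` to each line so that an extra registered feed on a future agent image cannot substitute a same-named module. Replacing the per-module folders (`az_1.6.0`, `pester`, `az_resourcegraph_0.7.3`) with the bare `/opt/microsoft/powershell/6/Modules` is the correct fix, because `Save-Module` itself creates the `<Name>/<Version>` layout underneath the path and only that layout is resolved through `PSModulePath`; a one-line comment on the step saying so would stop the next person from reintroducing the subfolders.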
@@ -0,0 +1,426 @@ +{ + "ModuleConfigurationsPath": "../../Modules", + "ModuleConfigurations": [ + { + "Name": "DiagnosticStorageAccount", + "ModuleDefinitionName": "StorageAccounts", + "ResourceGroupName": "${Parameters.ModuleConfigurationParameters.DiagnosticStorageAccount.ResourceGroup}", + "Comments": "Storage Account that is used for ...", + "Version": "2.0", + "Policies": { + "Comments": "Optional - If no object is specified, no Policies deployment will occur", + "OverrideParameters": { + "effect": { + "value": "${Parameters.ModuleConfigurationParameters.DiagnosticStorageAccount.Policies.Effect}" + }, + "resourceGroup": { + "value": "${Parameters.ModuleConfigurationParameters.DiagnosticStorageAccount.ResourceGroup}" + }, + "resourceGroupLocation": { + "value": "${Parameters.ModuleConfigurationParameters.DiagnosticStorageAccount.Location}" + } + } + }, + "Deployment": { + "Comments": "We need the 'update' module instance to lock this resource after the Virtual Network got created", + "TemplatePath": "../../Modules/StorageAccounts/2.0/deploy.json", + "OverrideParameters": { + "storageAccountName": { + "value": "${Parameters.ModuleConfigurationParameters.DiagnosticStorageAccount.Name}" + }, + "storageAccountSku": { + "value": "${Parameters.ModuleConfigurationParameters.DiagnosticStorageAccount.Sku}" + }, + "location": { + "value": "${Parameters.ModuleConfigurationParameters.DiagnosticStorageAccount.Location}" + } + } + } + }, + { + "Name": "LogAnalytics", + "ModuleDefinitionName": "LogAnalytics", + "ResourceGroupName": "${Parameters.ModuleConfigurationParameters.LogAnalytics.ResourceGroup}", + "DependsOn": [ + "DiagnosticStorageAccount" + ], + "Deployment": { + "OverrideParameters": { + "logAnalyticsWorkspaceName": { + "value": "${Parameters.ModuleConfigurationParameters.LogAnalytics.Name}" + }, + "diagnosticStorageAccountName": { + "value": "reference(DiagnosticStorageAccount.storageAccountName)" + }, + "diagnosticStorageAccountId": { + "value": 
"reference(DiagnosticStorageAccount.storageAccountResourceId)" + }, + "diagnosticStorageAccountAccessKey": { + "value": "reference(DiagnosticStorageAccount.storageAccountAccessKey)" + }, + "location": { + "value": "${Parameters.ModuleConfigurationParameters.LogAnalytics.Location}" + } + } + } + }, + { + "Name": "OnPremisesNSG", + "ModuleDefinitionName": "NetworkSecurityGroups", + "ResourceGroupName": "${Parameters.ModuleConfigurationParameters.Network.ResourceGroup}", + "DependsOn": [ + "DiagnosticStorageAccount", "LogAnalytics" + ], + "Deployment": { + "OverrideParameters": { + "workspaceId": { + "value": "reference(LogAnalytics.logAnalyticsWorkspaceResourceId)" + }, + "diagnosticStorageAccountId": { + "value": "reference(DiagnosticStorageAccount.storageAccountResourceId)" + }, + "networkSecurityGroupName": { + "value": "${Parameters.ModuleConfigurationParameters.Network.NetworkSecurityGroups[0].Name}" + }, + "networkSecurityGroupSecurityRules": { + "value": "${Parameters.ModuleConfigurationParameters.Network.NetworkSecurityGroups[0].Rules}" + } + } + } + }, + { + "Name": "DomainControllerASG", + "ModuleDefinitionName": "ApplicationSecurityGroups", + "ResourceGroupName": "${Parameters.ModuleConfigurationParameters.ApplicationSecurityGroups.ResourceGroup}", + "DependsOn": [], + "Deployment": { + "OverrideParameters": { + "applicationSecurityGroupName": { + "value": "${Parameters.ModuleConfigurationParameters.ApplicationSecurityGroups.DomainController.Name}" + } + } + } + }, + { + "Name": "VirtualNetwork", + "ModuleDefinitionName": "VirtualNetwork", + "ResourceGroupName": "${Parameters.ModuleConfigurationParameters.Network.ResourceGroup}", + "DependsOn": [ + "OnPremisesNSG" + ], + "Deployment": { + "OverrideParameters": { + "vnetName": { + "value": "${Parameters.ModuleConfigurationParameters.Network.Name}" + }, + "vnetAddressPrefixes": { + "value": "${Parameters.ModuleConfigurationParameters.Network.AddressPrefix}" + }, + "subnets": { + "value": 
"${Parameters.ModuleConfigurationParameters.Network.Subnets}" + }, + "enableDdosProtection": { + "value": "${Parameters.ModuleConfigurationParameters.Network.EnableDdosProtection}" + }, + "enableVmProtection": { + "value": "${Parameters.ModuleConfigurationParameters.Network.EnableVmProtection}" + } + } + } + }, + { + "Name": "KeyVault", + "ModuleDefinitionName": "KeyVault", + "ResourceGroupName": "${Parameters.ModuleConfigurationParameters.KeyVault.ResourceGroup}", + "DependsOn":[ + "DiagnosticStorageAccount", + "LogAnalytics" + ], + "Deployment": { + "OverrideParameters": { + "keyVaultName": { + "value": "${Parameters.ModuleConfigurationParameters.KeyVault.Name}" + }, + "accessPolicies": { + "value": "${Parameters.ModuleConfigurationParameters.KeyVault.AccessPolicies}" + }, + "secretsObject": { + "value": { + "secrets": "${Parameters.ModuleConfigurationParameters.KeyVault.SecretsObject.Secrets}" + } + }, + "enableVaultForDeployment": { + "value": "${Parameters.ModuleConfigurationParameters.KeyVault.EnableVaultForDeployment}" + }, + "enableVaultForDiskEncryption": { + "value": "${Parameters.ModuleConfigurationParameters.KeyVault.EnableVaultForDiskEncryption}" + }, + "enableVaultForTemplateDeployment": { + "value": "${Parameters.ModuleConfigurationParameters.KeyVault.EnableVaultForTemplateDeployment}" + }, + "vaultSku": { + "value": "${Parameters.ModuleConfigurationParameters.KeyVault.Sku}" + }, + "diagnosticStorageAccountId": { + "value": "reference(DiagnosticStorageAccount.storageAccountResourceId)" + }, + "workspaceId": { + "value": "reference(LogAnalytics.logAnalyticsWorkspaceResourceId)" + }, + "vNetId": { + "value": "reference(VirtualNetwork.vNetResourceId)" + }, + "networkAcls": { + "value": { + "bypass": "AzureServices", + "defaultAction": "Allow", + "virtualNetworkRules": [], + "ipRules": [] + } + } + } + } + }, + { + "Name": "CreateRootCertificate", + "Comments": "Create Root Certificate", + "DependsOn": [ + "KeyVault" + ], + "Script": { + "Command": 
"../../Modules/VirtualNetworkGateway/2.0/Scripts/virtual.network.gateway.rootcert.ps1", + "Arguments" : { + "TenantId": "${Subscriptions.OnPremises.TenantId}", + "ServicePrincipal_ID": "env(SCRIPT_EXECUTION_SP_ID)", + "ServicePrincipal_Secret": "env(SCRIPT_EXECUTION_SP_KEY)", + "KeyVaultName" : "${Parameters.ModuleConfigurationParameters.KeyVault.Name}", + "KeyName" : "CACert", + "BashScriptPath": "../../Modules/VirtualNetworkGateway/2.0/Scripts/virtual.network.gateway.rootcert.sh" + } + } + }, + { + "Name": "VirtualNetworkGateway", + "ModuleDefinitionName": "VirtualNetworkGateway", + "ResourceGroupName": "${Parameters.ModuleConfigurationParameters.Network.ResourceGroup}", + "DependsOn": [ + "CreateRootCertificate", + "VirtualNetwork" + ], + "Deployment": { + "OverrideParameters": { + "virtualNetworkGatewayName": { + "value": "${Parameters.ModuleConfigurationParameters.Network.VirtualGateway.Name}" + }, + "virtualNetworkGatewayType": { + "value": "${Parameters.ModuleConfigurationParameters.Network.VirtualGateway.GatewayType}" + }, + "virtualNetworkGatewaySku": { + "value": "${Parameters.ModuleConfigurationParameters.Network.VirtualGateway.GatewaySku}" + }, + "vpnType": { + "value": "${Parameters.ModuleConfigurationParameters.Network.VirtualGateway.VpnType}" + }, + "vNetId": { + "value": "reference(VirtualNetwork.vNetResourceId)" + }, + "vpnClientAddressPoolPrefix": { + "value": "10.10.8.0/24" + }, + "clientRootCertData": "${Parameters.ModuleConfigurationParameters.Network.VirtualGateway.VpnClientConfiguration.VpnClientRootCertificateData}", + "clientRevokedCertThumbprint": { + "value": "${Parameters.ModuleConfigurationParameters.Network.VirtualGateway.VpnClientConfiguration.VpnClientRevokedCertificateThumbprint}" + } + } + } + }, + { + "Name": "EnableServiceEndpointOnKeyVault", + "ModuleDefinitionName": "KeyVault", + "Updates": "KeyVault", + "ResourceGroupName": "${Parameters.ModuleConfigurationParameters.KeyVault.ResourceGroup}", + "DependsOn": [ + 
"VirtualNetworkGateway" + ], + "Deployment": { + "OverrideParameters": { + "networkAcls": { + "value": "${Parameters.ModuleConfigurationParameters.KeyVault.NetworkAcls}" + }, + "vNetId": { + "value": "reference(VirtualNetwork.vNetResourceId)" + } + } + } + }, + { + "Name": "ArtifactsStorageAccount", + "Subscription": "Artifacts", + "ModuleDefinitionName": "StorageAccounts", + "ResourceGroupName": "${Parameters.ModuleConfigurationParameters.ArtifactsStorageAccount.ResourceGroup}", + "DependsOn": [], + "Comments": "Storage Account that is used for ...", + "Policies": { + "Comments": "Optional - If no object is specified, no Policies deployment will occur", + "OverrideParameters": { + "effect": { + "value": "${Parameters.ModuleConfigurationParameters.ArtifactsStorageAccount.Policies.Effect}" + }, + "resourceGroup": { + "value": "${Parameters.ModuleConfigurationParameters.ArtifactsStorageAccount.ResourceGroup}" + }, + "resourceGroupLocation": { + "value": "${Parameters.ModuleConfigurationParameters.ArtifactsStorageAccount.Location}" + } + } + }, + "Deployment": { + "OverrideParameters": { + "storageAccountName": { + "value": "${Parameters.ModuleConfigurationParameters.ArtifactsStorageAccount.Name}" + }, + "storageAccountSku": { + "value": "${Parameters.ModuleConfigurationParameters.ArtifactsStorageAccount.Sku}" + } + } + } + }, + { + "Name": "UploadScriptsToArtifactsStorage", + "Comments": "Upload Scripts to Artifacts Storage", + "DependsOn": [ + "ArtifactsStorageAccount" + ], + "Script": { + "Command": "Write-Host 'Adding Scripts...'; Import-Module -Name Az.Storage; $ctx = New-AzStorageContext -StorageAccountName reference(ArtifactsStorageAccount.storageAccountName) -SasToken '?reference(ArtifactsStorageAccount.storageAccountSasToken)'; New-AzRmStorageContainer -Name scripts -ResourceGroupName reference(ArtifactsStorageAccount.storageAccountResourceGroup) -StorageAccountName reference(ArtifactsStorageAccount.storageAccountName); Get-ChildItem -LiteralPath 
'../../Scripts/Windows' -File -Recurse | % { Set-AzStorageBlobContent -Context $ctx -Container scripts -Force -File $($_.FullName) -Blob Windows/$($_.Name)}", + "Arguments" : { + } + } + }, + { + "Name": "ActiveDirectoryVM", + "ModuleDefinitionName": "VirtualMachines", + "ResourceGroupName": "${Parameters.ModuleConfigurationParameters.ActiveDirectory.ResourceGroup}", + "DependsOn": [ + "VirtualNetwork", + "DiagnosticStorageAccount", + "LogAnalytics", + "KeyVault", + "ArtifactsStorageAccount" + ], + "Comments": "Creates Active Directory Domain Services VMs", + "Deployment": { + "OverrideParameters": { + "virtualMachineName": { + "value": "${Parameters.ModuleConfigurationParameters.ActiveDirectory.Name}" + }, + "virtualMachineSize": { + "value": "${Parameters.ModuleConfigurationParameters.ActiveDirectory.VMSize}" + }, + "virtualMachineOSImage": { + "value": "${Parameters.ModuleConfigurationParameters.ActiveDirectory.OSImage}" + }, + "virtualMachineOSType": { + "value": "${Parameters.ModuleConfigurationParameters.ActiveDirectory.OSType}" + }, + "workspaceId": { + "value": "reference(LogAnalytics.logAnalyticsWorkspaceId)" + }, + "logAnalyticsWorkspaceId": { + "value": "reference(LogAnalytics.logAnalyticsWorkspaceResourceId)" + }, + "logAnalyticsWorkspacePrimarySharedKey": { + "value": "reference(LogAnalytics.logAnalyticsPrimarySharedKey)" + }, + "diagnosticsStorageAccountId": { + "value": "reference(DiagnosticStorageAccount.storageAccountResourceId)" + }, + "diagnosticsStorageAccountName": { + "value": "reference(DiagnosticStorageAccount.storageAccountName)" + }, + "diagnosticsStorageAccountSasToken": { + "value": "reference(DiagnosticStorageAccount.storageAccountSasToken)" + }, + "artifactsStorageAccountKey": { + "value": "reference(ArtifactsStorageAccount.storageAccountAccessKey)" + }, + "artifactsStorageAccountName": { + "value": "reference(ArtifactsStorageAccount.storageAccountName)" + }, + "artifactsStorageAccountSasKey": { + "value": 
"reference(ArtifactsStorageAccount.storageAccountSasToken)" + }, + "vNetId": { + "value": "reference(VirtualNetwork.vNetResourceId)" + }, + "subnetName": { + "value": "${Parameters.ModuleConfigurationParameters.ActiveDirectory.SubnetName}" + }, + "vmIPAddress": { + "value": "${Parameters.ModuleConfigurationParameters.ActiveDirectory.PrimaryDomainControllerIP}" + }, + "applicationSecurityGroupId": { + "value": "reference(DomainControllerASG.applicationSecurityGroupResourceId)" + }, + "adminUsername": { + "value": "${Parameters.ModuleConfigurationParameters.ActiveDirectory.DomainAdminUsername}" + }, + "adminPassword": { + "reference": "${Parameters.ModuleConfigurationParameters.ActiveDirectory.DomainAdminPassword}" + }, + "virtualMachineDataDisks": { + "value": [ + { + "size": 127, + "driveLetter": "F", + "diskId": 2 + } + ] + } + } + } + }, + { + "Name": "InstallActiveDirectory", + "ModuleDefinitionName": "ActiveDirectory", + "ResourceGroupName": "${Parameters.ModuleConfigurationParameters.ActiveDirectory.ResourceGroup}", + "DependsOn": [ + "ActiveDirectoryVM" + ], + "Deployment": { + "OverrideParameters": { + "virtualMachineName": { + "value": "${Parameters.ModuleConfigurationParameters.ActiveDirectory.Name}" + }, + "artifactsStorageAccountKey": { + "value": "reference(ArtifactsStorageAccount.storageAccountAccessKey)" + }, + "artifactsStorageAccountName": { + "value": "reference(ArtifactsStorageAccount.storageAccountName)" + }, + "artifactsStorageAccountSasKey": { + "value": "reference(ArtifactsStorageAccount.storageAccountSasToken)" + }, + "adIpAddress": { + "value": "${Parameters.ModuleConfigurationParameters.ActiveDirectory.PrimaryDomainControllerIP}" + }, + "cloudZone": { + "value": "${Parameters.ModuleConfigurationParameters.ActiveDirectory.CloudZone}" + }, + "domainName": { + "value": "${Parameters.ModuleConfigurationParameters.ActiveDirectory.DomainName}" + }, + "adSitename": { + "value": 
"${Parameters.ModuleConfigurationParameters.ActiveDirectory.ADSitename}" + }, + "domainAdminUsername": { + "value": "${Parameters.ModuleConfigurationParameters.ActiveDirectory.DomainAdminUsername}" + }, + "domainAdminPassword": { + "reference": "${Parameters.ModuleConfigurationParameters.ActiveDirectory.DomainAdminPassword}" + } + } + } + } + ] +} \ No newline at end of file diff --git a/Environments/On-Premise/parameters.json b/Environments/On-Premise/parameters.json new file mode 100644 index 0000000..87eef46 --- /dev/null +++ b/Environments/On-Premise/parameters.json 
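Review bot: In Environments/On-Premise/orchestration.json the `KeyVault` instance is created with `"defaultAction": "Allow"` and empty `virtualNetworkRules`/`ipRules`, and the only thing that tightens it is `EnableServiceEndpointOnKeyVault`, whose sole `DependsOn` is `VirtualNetworkGateway`; a VPN gateway takes tens of minutes to provision, so the vault, which by then already holds `DomainAdminPassword` and the `CACert` written by `CreateRootCertificate`, is reachable from any network for that whole window. Make the update depend on `VirtualNetwork` (plus `CreateRootCertificate` if that script needs public access), or create the vault with `Deny` and the agent's address in `ipRules` from the start. Two dependency gaps: `KeyVault` passes `reference(VirtualNetwork.vNetResourceId)` as `vNetId` but lists only `DiagnosticStorageAccount` and `LogAnalytics`, and `ActiveDirectoryVM` passes `reference(DomainControllerASG.applicationSecurityGroupResourceId)` without depending on `DomainControllerASG`; unless the orchestrator derives ordering from `reference()` (nothing in this patch says it does), add both. `CreateRootCertificate` receives `env(SCRIPT_EXECUTION_SP_KEY)` as a plain `ServicePrincipal_Secret` argument and `UploadScriptsToArtifactsStorage` splices the account SAS token into an inline command string; both land in process arguments and, with the pipeline's debug flags on, in the build log, so pass them through the environment or a SecureString parameter instead. Also confirm that the rootcert script, which is given `"KeyName": "CACert"`, stores the certificate as a secret, since the gateway's `VpnClientRootCertificateData` reads it through a Key Vault `secretName` reference and ARM cannot resolve a key there. Minor: `vpnClientAddressPoolPrefix` is the one hard-coded value (`10.10.8.0/24`) in an otherwise parameterised file, and the two `"Storage Account that is used for ..."` comments and the "We need the 'update' module instance to lock this resource" comment on `DiagnosticStorageAccount` (which has no update instance here) are leftover placeholders.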
@@ -0,0 +1,234 @@ +{ + "Organization": "file(../_Common/organizationName.txt)", + "DeploymentName": "onprem", + "InstanceName": "${Parameters.Organization}-${Parameters.DeploymentName}", + "Subscription": "OnPremises", + "Location": "West US 2", + "TenantId": "${Subscriptions.OnPremises.TenantId}", + "ModuleConfigurationParameters": { + "DeploymentUserId": "env(Deployment_User_Id)", + "DeploymentAppId": "env(Deployment_App_Id)", + "SharedServices": { + "DeploymentName": "shrdsvcs" + }, + "DiagnosticStorageAccount": { + "Name": "${Parameters.Organization}${Parameters.DeploymentName}diag01", + "ResourceGroup": "${Parameters.InstanceName}-diagnostics-rg", + "Location": "${Parameters.Location}", + "Sku": "Standard_GRS", + "NetworkAcls": { + "bypass": "AzureServices", + "defaultAction": "Deny", + "virtualNetworkRules": [ + { + "subnet": "${Parameters.ModuleConfigurationParameters.Network.Subnets[0].Name}" + } + ], + "ipRules": [] + }, + "Policies": { + "Effect": "Audit" + } + }, + "LogAnalytics": { + "Name": "${Parameters.InstanceName}-la", + "Comments": "Log Analytics and Diagnostic Storage Account must be deployed in the same region", + "ResourceGroup": "${Parameters.InstanceName}-diagnostics-rg", + "Location": "${Parameters.ModuleConfigurationParameters.DiagnosticStorageAccount.Location}", + "ListOfAllowedRegions": [ + "Australia Central", + "Australia East", + "Australia Southeast", + "Canada Central", + "Central India", + "Central US", + "East Asia", + "East US", + "East US 2", + "France Central", + "Japan East", + "Korea Central", + "North Europe", + "South Central US", + "Southeast Asia", + "UK South", + "West Europe", + "West US", + "West US 2" + ] + }, + "KeyVault": { + "Name": "${Parameters.InstanceName}-kv", + "ResourceGroup": "${Parameters.InstanceName}-keyvault-rg", + "Sku": "Premium", + "EnableVaultForDeployment": true, + "EnableVaultForDiskEncryption": true, + "EnableVaultForTemplateDeployment": true, + "AccessPolicies": [ + { + "tenantId": 
"${Parameters.TenantId}", + "objectId": "${Parameters.ModuleConfigurationParameters.DeploymentUserId}", + "permissions": { + "certificates": [ + "All" + ], + "keys": [ + "All" + ], + "secrets": [ + "All" + ] + } + }, + { + "tenantId": "${Parameters.TenantId}", + "objectId": "${Parameters.ModuleConfigurationParameters.DeploymentAppId}", + "permissions": { + "certificates": [ + "All" + ], + "keys": [ + "All" + ], + "secrets": [ + "All" + ] + } + } + ], + "SecretsObject": { + "Comments": "Creating an object so we can use a secretsobject parameter type in our ARM template", + "Secrets": [ + { + "secretName": "DomainAdminPassword", + "secretValue": "P@ssword2019$123" + } + ] + }, + "NetworkAcls": { + "bypass": "AzureServices", + "defaultAction": "Deny", + "virtualNetworkRules": [ + { + "subnet": "${Parameters.ModuleConfigurationParameters.Network.Subnets[0].Name}" + } + ], + "ipRules": [] + } + }, + "ArtifactsStorageAccount": "file(../_Common/artifactsStorageAccount.json)", + "ActiveDirectory": { + "Name": "primary-ad", + "VMSize": "Standard_DS3_v2", + "OSImage": { + "offer": "WindowsServer", + "publisher": "MicrosoftWindowsServer", + "sku": "2016-Datacenter" + }, + "OSType": "Windows", + "SubnetName": "${Parameters.ModuleConfigurationParameters.Network.Subnets[0].name}", + "ResourceGroup": "${Parameters.InstanceName}-ad-rg", + "ADSitename": "Cloud-Site", + "CloudZone": "contosocloud.com", + "DomainAdminUsername": "contoso", + "DomainAdminPassword": { + "keyVault": { + "id": "reference(KeyVault.keyVaultResourceId)" + }, + "secretName": "${Parameters.ModuleConfigurationParameters.KeyVault.SecretsObject.Secrets[0].secretName}" + }, + "DomainName": "contoso.com", + "PrimaryDomainControllerIP": "192.168.1.4" + }, + "ApplicationSecurityGroups": { + "ResourceGroup": "${Parameters.ModuleConfigurationParameters.Network.ResourceGroup}", + "DomainController": { + "Name": "dc-asg" + } + }, + "Network": { + "Name": "${Parameters.InstanceName}-vnet", + "ResourceGroup": 
"${Parameters.InstanceName}-network-rg", + "AddressPrefix": [ "192.168.1.0/27" ], + "VirtualGateway": { + "Name": "${Parameters.InstanceName}-vgw", + "GatewayType": "vpn", + "GatewaySku": "VpnGw1", + "VpnType": "RouteBased", + "VpnClientConfiguration": { + "VpnClientRootCertificateData": { + "reference": { + "keyVault": { + "id": "reference(KeyVault.keyVaultResourceId)" + }, + "secretName": "CACert" + } + }, + "VpnClientRevokedCertificateThumbprint": "" + } + }, + "ApplicationSecurityGroups": [], + "NetworkSecurityGroups": [ + { + "Name": "default", + "Rules": [ + { + "name": "allow-rdp", + "properties": { + "access": "Allow", + "destinationAddressPrefixes": [], + "destinationPortRange": "3389", + "destinationPortRanges": [], + "destinationAddressPrefix": "VirtualNetwork", + "direction": "Inbound", + "priority": 100, + "protocol": "*", + "sourcePortRange": "*", + "sourcePortRanges": [], + "sourceAddressPrefix": "VirtualNetwork", + "destinationApplicationSecurityGroups": [], + "sourceApplicationSecurityGroups": [] + } + } + ] + } + ], + "UserDefinedRoutes": [], + "Subnets": [ + { + "name": "default", + "addressPrefix": "192.168.1.0/28", + "networkSecurityGroupName": "default", + "routeTableName": "", + "serviceEndpoints": [ + { + "service": "Microsoft.EventHub" + }, + { + "service": "Microsoft.Sql" + }, + { + "service": "Microsoft.Storage" + }, + { + "service": "Microsoft.KeyVault" + } + ] + }, + { + "name": "GatewaySubnet", + "addressPrefix": "192.168.1.16/28", + "networkSecurityGroupName": "", + "routeTableName": "", + "serviceEndpoints": "" + } + ], + "EnableDdosProtection": true, + "EnableVmProtection": false, + "DnsServers": [ + "${Parameters.ModuleConfigurationParameters.ActiveDirectory.PrimaryDomainControllerIP}", + "168.63.129.16" + ] + } + } +} \ No newline at end of file diff --git a/Environments/On-Premise/pipeline.yml b/Environments/On-Premise/pipeline.yml new file mode 100644 index 0000000..b625970 --- /dev/null 
+++ b/Environments/On-Premise/pipeline.yml 
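Review bot: In Environments/On-Premise/parameters.json, `"secretValue": "P@ssword2019$123"` commits the domain administrator password in clear text, and it is the very value `ActiveDirectory.DomainAdminPassword` later reads back from the vault; the file already uses the `env(...)` form for `Deployment_User_Id`, and the pipeline exports `DOMAIN_ADMIN_USER_PWD`, so change this to `"secretValue": "env(DOMAIN_ADMIN_USER_PWD)"` and treat the committed value as rotated. The two `AccessPolicies` entries grant `All` on certificates, keys and secrets to both the deployment user and the deployment app, while the orchestration only needs to set and read secrets (and the rootcert script to write `CACert`); scope the permissions to what is used, especially for the app identity that runs unattended. The `NetworkAcls.virtualNetworkRules` entries on both `DiagnosticStorageAccount` and `KeyVault` use `Subnets[0].Name`, but the subnet objects define lowercase `name`, which `ActiveDirectory.SubnetName` uses correctly; if the substitution is case-sensitive the rule resolves to an empty subnet and the `Deny` default cuts off the very subnet it was meant to allow, so make the three references consistent. `env(Deployment_User_Id)` and `env(Deployment_App_Id)` do not match the `DEPLOYMENT_USER_ID` the pipeline exports, and environment variable names are case-sensitive on the Linux self-hosted agent this repo builds; nothing in the env blocks visible in this patch sets an app id at all, so the second access policy gets an empty `objectId`. Minor: the `allow-rdp` rule opens `3389` with `"protocol": "*"`; RDP is TCP, so restrict it.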
@@ -0,0 +1,634 @@ +# VDC Starter pipeline +# Start with a minimal pipeline that you can customize to build and deploy your code. +# Add steps that build, run tests, deploy, and more: +# https://aka.ms/yaml +# Set variables once +variables: +- group: VDC_SECRETS_Copy +trigger: +- master +stages: +- stage: Validate + jobs: + - job: SetupValidationResourceGroup + pool: + name: 'vdc-self-hosted' + steps: + - task: AzurePowerShell@4 + displayName: "Setup Validation Resource Group" + inputs: + azureSubscription: 'Kunachim Azure SC' + ScriptType: 'FilePath' + ScriptPath: 'Orchestration/OrchestrationService/ValidationResourceGroupSetup.ps1' + ScriptArguments: '-ResourceGroupName vdc-validation-rg -SetupResourceGroup' + azurePowerShellVersion: 'LatestVersion' + - job: StorageAccounts + pool: + name: 'vdc-self-hosted' + dependsOn: SetupValidationResourceGroup + steps: + - task: PowerShell@2 + displayName: "Pester Tests for Module - Storage Accounts" + inputs: + targetType: 'inline' + script: '# Write your powershell commands here. + + Invoke-Pester -Script "./Modules/StorageAccounts/2.0/Tests"; + + # Use the environment variables input below to pass secret variables to this script.' 
+ pwsh: true + - task: AzurePowerShell@4 + displayName: "ARM Validation - Diagnostic Storage Account" + inputs: + azureSubscription: 'Kunachim Azure SC' + ScriptType: 'FilePath' + ScriptPath: 'Orchestration/OrchestrationService/ModuleConfigurationDeployment.ps1' + ScriptArguments: '-DefinitionPath "Environments/On-Premise/definition.json" -ModuleConfigurationName "DiagnosticStorageAccount" -Validate' + azurePowerShellVersion: 'LatestVersion' + env: + VDC_SUBSCRIPTIONS: $(VDC_SUBSCRIPTIONS) + VDC_TOOLKIT_SUBSCRIPTION: $(VDC_TOOLKIT_SUBSCRIPTION) + DEPLOYMENT_USER_ID: $(DEPLOYMENT_USER_ID) + ADMIN_USER_PWD: $(ADMIN_USER_PWD) + DOMAIN_ADMIN_USER_PWD: $(DOMAIN_ADMIN_USER_PWD) + TENANT_ID: $(TENANT_ID) + - task: AzurePowerShell@4 + displayName: "ARM Validation - Artifacts Storage Account" + inputs: + azureSubscription: 'Kunachim Azure SC' + ScriptType: 'FilePath' + ScriptPath: 'Orchestration/OrchestrationService/ModuleConfigurationDeployment.ps1' + ScriptArguments: '-DefinitionPath "Environments/On-Premise/definition.json" -ModuleConfigurationName "ArtifactsStorageAccount" -Validate' + azurePowerShellVersion: 'LatestVersion' + env: + VDC_SUBSCRIPTIONS: $(VDC_SUBSCRIPTIONS) + VDC_TOOLKIT_SUBSCRIPTION: $(VDC_TOOLKIT_SUBSCRIPTION) + DEPLOYMENT_USER_ID: $(DEPLOYMENT_USER_ID) + ADMIN_USER_PWD: $(ADMIN_USER_PWD) + DOMAIN_ADMIN_USER_PWD: $(DOMAIN_ADMIN_USER_PWD) + TENANT_ID: $(TENANT_ID) + - job: LogAnalytics + pool: + name: 'vdc-self-hosted' + dependsOn: [ SetupValidationResourceGroup, StorageAccounts ] + variables: + BOOTSTRAP_INITIALIZED: $[dependencies.StorageAccounts.outputs['bootstratInitializedOutput.BOOTSTRAP_INITIALIZED']] + steps: + - task: PowerShell@2 + displayName: "Pester Tests for Module - Log Analytics" + inputs: + targetType: 'inline' + script: '# Write your powershell commands here. + + Invoke-Pester -Script "./Modules/LogAnalytics/2.0/Tests"; + + # Use the environment variables input below to pass secret variables to this script.' 
+ pwsh: true + - task: AzurePowerShell@4 + displayName: "ARM Validation - Log Analytics" + inputs: + azureSubscription: 'Kunachim Azure SC' + ScriptType: 'FilePath' + ScriptPath: 'Orchestration/OrchestrationService/ModuleConfigurationDeployment.ps1' + ScriptArguments: '-DefinitionPath "Environments/On-Premise/definition.json" -ModuleConfigurationName "LogAnalytics" -Validate' + azurePowerShellVersion: 'LatestVersion' + env: + VDC_SUBSCRIPTIONS: $(VDC_SUBSCRIPTIONS) + VDC_TOOLKIT_SUBSCRIPTION: $(VDC_TOOLKIT_SUBSCRIPTION) + DEPLOYMENT_USER_ID: $(DEPLOYMENT_USER_ID) + ADMIN_USER_PWD: $(ADMIN_USER_PWD) + DOMAIN_ADMIN_USER_PWD: $(DOMAIN_ADMIN_USER_PWD) + TENANT_ID: $(TENANT_ID) + - job: NetworkSecurityGroups + pool: + name: 'vdc-self-hosted' + dependsOn: [ SetupValidationResourceGroup, StorageAccounts ] + variables: + BOOTSTRAP_INITIALIZED: $[dependencies.StorageAccounts.outputs['bootstratInitializedOutput.BOOTSTRAP_INITIALIZED']] + steps: + - task: PowerShell@2 + displayName: "Pester Tests for Module - Network Security Groups" + inputs: + targetType: 'inline' + script: '# Write your powershell commands here. + + Invoke-Pester -Script "./Modules/NetworkSecurityGroups/2.0/Tests"; + + # Use the environment variables input below to pass secret variables to this script.' 
+ pwsh: true + - task: AzurePowerShell@4 + displayName: "ARM Validation - On-Premises NSG" + inputs: + azureSubscription: 'Kunachim Azure SC' + ScriptType: 'FilePath' + ScriptPath: 'Orchestration/OrchestrationService/ModuleConfigurationDeployment.ps1' + ScriptArguments: '-DefinitionPath "Environments/On-Premise/definition.json" -ModuleConfigurationName "OnPremisesNSG" -Validate' + azurePowerShellVersion: 'LatestVersion' + env: + VDC_SUBSCRIPTIONS: $(VDC_SUBSCRIPTIONS) + VDC_TOOLKIT_SUBSCRIPTION: $(VDC_TOOLKIT_SUBSCRIPTION) + DEPLOYMENT_USER_ID: $(DEPLOYMENT_USER_ID) + ADMIN_USER_PWD: $(ADMIN_USER_PWD) + DOMAIN_ADMIN_USER_PWD: $(DOMAIN_ADMIN_USER_PWD) + TENANT_ID: $(TENANT_ID) + - job: ApplicationSecurityGroups + pool: + name: 'vdc-self-hosted' + dependsOn: [ SetupValidationResourceGroup, StorageAccounts ] + variables: + BOOTSTRAP_INITIALIZED: $[dependencies.StorageAccounts.outputs['bootstratInitializedOutput.BOOTSTRAP_INITIALIZED']] + steps: + - task: PowerShell@2 + displayName: "Pester Tests for Module - Application Security Groups" + inputs: + targetType: 'inline' + script: '# Write your powershell commands here. + + Invoke-Pester -Script "./Modules/ApplicationSecurityGroups/2.0/Tests"; + + # Use the environment variables input below to pass secret variables to this script.' 
+ pwsh: true + - task: AzurePowerShell@4 + displayName: "ARM Validation - Domain Controller ASG" + inputs: + azureSubscription: 'Kunachim Azure SC' + ScriptType: 'FilePath' + ScriptPath: 'Orchestration/OrchestrationService/ModuleConfigurationDeployment.ps1' + ScriptArguments: '-DefinitionPath "Environments/On-Premise/definition.json" -ModuleConfigurationName "DomainControllerASG" -Validate' + azurePowerShellVersion: 'LatestVersion' + env: + VDC_SUBSCRIPTIONS: $(VDC_SUBSCRIPTIONS) + VDC_TOOLKIT_SUBSCRIPTION: $(VDC_TOOLKIT_SUBSCRIPTION) + DEPLOYMENT_USER_ID: $(DEPLOYMENT_USER_ID) + ADMIN_USER_PWD: $(ADMIN_USER_PWD) + DOMAIN_ADMIN_USER_PWD: $(DOMAIN_ADMIN_USER_PWD) + TENANT_ID: $(TENANT_ID) + - job: VirtualNetwork + pool: + name: 'vdc-self-hosted' + dependsOn: [ SetupValidationResourceGroup, StorageAccounts ] + variables: + BOOTSTRAP_INITIALIZED: $[dependencies.StorageAccounts.outputs['bootstratInitializedOutput.BOOTSTRAP_INITIALIZED']] + steps: + - task: PowerShell@2 + displayName: "Pester Tests for Module - Virtual NetWork" + inputs: + targetType: 'inline' + script: '# Write your powershell commands here. + + Invoke-Pester -Script "./Modules/VirtualNetwork/2.0/Tests"; + + # Use the environment variables input below to pass secret variables to this script.' 
+ pwsh: true + - task: AzurePowerShell@4 + displayName: "ARM Validation - Virtual Network" + inputs: + azureSubscription: 'Kunachim Azure SC' + ScriptType: 'FilePath' + ScriptPath: 'Orchestration/OrchestrationService/ModuleConfigurationDeployment.ps1' + ScriptArguments: '-DefinitionPath "Environments/On-Premise/definition.json" -ModuleConfigurationName "VirtualNetwork" -Validate' + azurePowerShellVersion: 'LatestVersion' + env: + VDC_SUBSCRIPTIONS: $(VDC_SUBSCRIPTIONS) + VDC_TOOLKIT_SUBSCRIPTION: $(VDC_TOOLKIT_SUBSCRIPTION) + DEPLOYMENT_USER_ID: $(DEPLOYMENT_USER_ID) + ADMIN_USER_PWD: $(ADMIN_USER_PWD) + DOMAIN_ADMIN_USER_PWD: $(DOMAIN_ADMIN_USER_PWD) + TENANT_ID: $(TENANT_ID) + - job: VirtualNetworkGateway + pool: + name: 'vdc-self-hosted' + dependsOn: [ SetupValidationResourceGroup, StorageAccounts ] + variables: + BOOTSTRAP_INITIALIZED: $[dependencies.StorageAccounts.outputs['bootstratInitializedOutput.BOOTSTRAP_INITIALIZED']] + steps: + - task: PowerShell@2 + displayName: "Pester Tests for Module - Virtual Network Gateway" + inputs: + targetType: 'inline' + script: '# Write your powershell commands here. + + Invoke-Pester -Script "./Modules/VirtualNetworkGateway/2.0/Tests"; + + # Use the environment variables input below to pass secret variables to this script.' 
+ pwsh: true + - task: AzurePowerShell@4 + displayName: "ARM Validation - Virtual Network Gateway" + inputs: + azureSubscription: 'Kunachim Azure SC' + ScriptType: 'FilePath' + ScriptPath: 'Orchestration/OrchestrationService/ModuleConfigurationDeployment.ps1' + ScriptArguments: '-DefinitionPath "Environments/On-Premise/definition.json" -ModuleConfigurationName "VirtualNetworkGateway" -Validate' + azurePowerShellVersion: 'LatestVersion' + env: + VDC_SUBSCRIPTIONS: $(VDC_SUBSCRIPTIONS) + VDC_TOOLKIT_SUBSCRIPTION: $(VDC_TOOLKIT_SUBSCRIPTION) + DEPLOYMENT_USER_ID: $(DEPLOYMENT_USER_ID) + ADMIN_USER_PWD: $(ADMIN_USER_PWD) + DOMAIN_ADMIN_USER_PWD: $(DOMAIN_ADMIN_USER_PWD) + TENANT_ID: $(TENANT_ID) + - job: KeyVault + pool: + name: 'vdc-self-hosted' + dependsOn: [ SetupValidationResourceGroup, StorageAccounts ] + variables: + BOOTSTRAP_INITIALIZED: $[dependencies.StorageAccounts.outputs['bootstratInitializedOutput.BOOTSTRAP_INITIALIZED']] + steps: + - task: PowerShell@2 + displayName: "Pester Tests for Module - Key Vault" + inputs: + targetType: 'inline' + script: '# Write your powershell commands here. + + Invoke-Pester -Script "./Modules/KeyVault/2.0/Tests"; + + # Use the environment variables input below to pass secret variables to this script.' 
+ pwsh: true + - task: AzurePowerShell@4 + displayName: "ARM Validation - Key Vault" + inputs: + azureSubscription: 'Kunachim Azure SC' + ScriptType: 'FilePath' + ScriptPath: 'Orchestration/OrchestrationService/ModuleConfigurationDeployment.ps1' + ScriptArguments: '-DefinitionPath "Environments/On-Premise/definition.json" -ModuleConfigurationName "KeyVault" -Validate' + azurePowerShellVersion: 'LatestVersion' + env: + VDC_SUBSCRIPTIONS: $(VDC_SUBSCRIPTIONS) + VDC_TOOLKIT_SUBSCRIPTION: $(VDC_TOOLKIT_SUBSCRIPTION) + DEPLOYMENT_USER_ID: $(DEPLOYMENT_USER_ID) + ADMIN_USER_PWD: $(ADMIN_USER_PWD) + DOMAIN_ADMIN_USER_PWD: $(DOMAIN_ADMIN_USER_PWD) + TENANT_ID: $(TENANT_ID) + - task: AzurePowerShell@4 + displayName: "ARM Validation - Enable Service Endpoint On Key Vault" + inputs: + azureSubscription: 'Kunachim Azure SC' + ScriptType: 'FilePath' + ScriptPath: 'Orchestration/OrchestrationService/ModuleConfigurationDeployment.ps1' + ScriptArguments: '-DefinitionPath "Environments/On-Premise/definition.json" -ModuleConfigurationName "EnableServiceEndpointOnKeyVault" -Validate' + azurePowerShellVersion: 'LatestVersion' + env: + VDC_SUBSCRIPTIONS: $(VDC_SUBSCRIPTIONS) + VDC_TOOLKIT_SUBSCRIPTION: $(VDC_TOOLKIT_SUBSCRIPTION) + DEPLOYMENT_USER_ID: $(DEPLOYMENT_USER_ID) + ADMIN_USER_PWD: $(ADMIN_USER_PWD) + DOMAIN_ADMIN_USER_PWD: $(DOMAIN_ADMIN_USER_PWD) + TENANT_ID: $(TENANT_ID) + - job: ActiveDirectory + pool: + name: 'vdc-self-hosted' + dependsOn: [ SetupValidationResourceGroup, StorageAccounts ] + variables: + BOOTSTRAP_INITIALIZED: $[dependencies.StorageAccounts.outputs['bootstratInitializedOutput.BOOTSTRAP_INITIALIZED']] + steps: + - task: PowerShell@2 + displayName: "Pester Tests for Module - Active Directory" + inputs: + targetType: 'inline' + script: '# Write your powershell commands here. + + Invoke-Pester -Script "./Modules/ActiveDirectory/2.0/Tests"; + + # Use the environment variables input below to pass secret variables to this script.' 
+ pwsh: true + - task: AzurePowerShell@4 + displayName: "ARM Validation - Active Directory VM" + inputs: + azureSubscription: 'Kunachim Azure SC' + ScriptType: 'FilePath' + ScriptPath: 'Orchestration/OrchestrationService/ModuleConfigurationDeployment.ps1' + ScriptArguments: '-DefinitionPath "Environments/On-Premise/definition.json" -ModuleConfigurationName "ActiveDirectoryVM" -Validate' + azurePowerShellVersion: 'LatestVersion' + env: + VDC_SUBSCRIPTIONS: $(VDC_SUBSCRIPTIONS) + VDC_TOOLKIT_SUBSCRIPTION: $(VDC_TOOLKIT_SUBSCRIPTION) + DEPLOYMENT_USER_ID: $(DEPLOYMENT_USER_ID) + ADMIN_USER_PWD: $(ADMIN_USER_PWD) + DOMAIN_ADMIN_USER_PWD: $(DOMAIN_ADMIN_USER_PWD) + TENANT_ID: $(TENANT_ID) + - task: AzurePowerShell@4 + displayName: "ARM Validation - Install Active Directory" + inputs: + azureSubscription: 'Kunachim Azure SC' + ScriptType: 'FilePath' + ScriptPath: 'Orchestration/OrchestrationService/ModuleConfigurationDeployment.ps1' + ScriptArguments: '-DefinitionPath "Environments/On-Premise/definition.json" -ModuleConfigurationName "InstallActiveDirectory" -Validate' + azurePowerShellVersion: 'LatestVersion' + env: + VDC_SUBSCRIPTIONS: $(VDC_SUBSCRIPTIONS) + VDC_TOOLKIT_SUBSCRIPTION: $(VDC_TOOLKIT_SUBSCRIPTION) + DEPLOYMENT_USER_ID: $(DEPLOYMENT_USER_ID) + ADMIN_USER_PWD: $(ADMIN_USER_PWD) + DOMAIN_ADMIN_USER_PWD: $(DOMAIN_ADMIN_USER_PWD) + TENANT_ID: $(TENANT_ID) + - job: TearDownValidationResourceGroup + pool: + name: 'vdc-self-hosted' + dependsOn: [ StorageAccounts, LogAnalytics, NetworkSecurityGroups, ApplicationSecurityGroups, VirtualNetwork, VirtualNetworkGateway, ActiveDirectory ] + steps: + - task: AzurePowerShell@4 + displayName: "Teardown Validation Resource Group" + inputs: + azureSubscription: 'Kunachim Azure SC' + ScriptType: 'FilePath' + ScriptPath: 'Orchestration/OrchestrationService/ValidationResourceGroupSetup.ps1' + ScriptArguments: '-TearDownResourceGroup' + azurePowerShellVersion: 'LatestVersion' +- stage: Deploy + jobs: + - job: 
DiagnosticStorageAccount + timeoutInMinutes: 0 + pool: + name: 'vdc-self-hosted' + steps: + - task: AzurePowerShell@4 + displayName: "Diagnostic Storage Account" + inputs: + azureSubscription: 'Kunachim Azure SC' + ScriptType: 'FilePath' + ScriptPath: 'Orchestration/OrchestrationService/ModuleConfigurationDeployment.ps1' + ScriptArguments: '-DefinitionPath "Environments/On-Premise/definition.json" -ModuleConfigurationName "DiagnosticStorageAccount"' + azurePowerShellVersion: 'LatestVersion' + env: + VDC_SUBSCRIPTIONS: $(VDC_SUBSCRIPTIONS) + VDC_TOOLKIT_SUBSCRIPTION: $(VDC_TOOLKIT_SUBSCRIPTION) + DEPLOYMENT_USER_ID: $(DEPLOYMENT_USER_ID) + ADMIN_USER_PWD: $(ADMIN_USER_PWD) + DOMAIN_ADMIN_USER_PWD: $(DOMAIN_ADMIN_USER_PWD) + TENANT_ID: $(TENANT_ID) + - job: LogAnalytics + timeoutInMinutes: 0 + pool: + name: 'vdc-self-hosted' + dependsOn: DiagnosticStorageAccount + variables: + BOOTSTRAP_INITIALIZED: $[dependencies.DiagnosticStorageAccount.outputs['bootstratInitializedOutput.BOOTSTRAP_INITIALIZED']] + steps: + - task: AzurePowerShell@4 + displayName: "Log Analytics" + inputs: + azureSubscription: 'Kunachim Azure SC' + ScriptType: 'FilePath' + ScriptPath: 'Orchestration/OrchestrationService/ModuleConfigurationDeployment.ps1' + ScriptArguments: '-DefinitionPath "Environments/On-Premise/definition.json" -ModuleConfigurationName "LogAnalytics"' + azurePowerShellVersion: 'LatestVersion' + env: + VDC_SUBSCRIPTIONS: $(VDC_SUBSCRIPTIONS) + VDC_TOOLKIT_SUBSCRIPTION: $(VDC_TOOLKIT_SUBSCRIPTION) + DEPLOYMENT_USER_ID: $(DEPLOYMENT_USER_ID) + ADMIN_USER_PWD: $(ADMIN_USER_PWD) + DOMAIN_ADMIN_USER_PWD: $(DOMAIN_ADMIN_USER_PWD) + TENANT_ID: $(TENANT_ID) + - job: OnPremisesNSG + timeoutInMinutes: 0 + pool: + name: 'vdc-self-hosted' + dependsOn: [ LogAnalytics, DiagnosticStorageAccount ] + variables: + BOOTSTRAP_INITIALIZED: $[dependencies.DiagnosticStorageAccount.outputs['bootstratInitializedOutput.BOOTSTRAP_INITIALIZED']] + steps: + - task: AzurePowerShell@4 + displayName: "Network 
Security Group" + inputs: + azureSubscription: 'Kunachim Azure SC' + ScriptType: 'FilePath' + ScriptPath: 'Orchestration/OrchestrationService/ModuleConfigurationDeployment.ps1' + ScriptArguments: '-DefinitionPath "Environments/On-Premise/definition.json" -ModuleConfigurationName "OnPremisesNSG"' + azurePowerShellVersion: 'LatestVersion' + env: + VDC_SUBSCRIPTIONS: $(VDC_SUBSCRIPTIONS) + VDC_TOOLKIT_SUBSCRIPTION: $(VDC_TOOLKIT_SUBSCRIPTION) + DEPLOYMENT_USER_ID: $(DEPLOYMENT_USER_ID) + ADMIN_USER_PWD: $(ADMIN_USER_PWD) + DOMAIN_ADMIN_USER_PWD: $(DOMAIN_ADMIN_USER_PWD) + TENANT_ID: $(TENANT_ID) + - job: DomainControllerASG + timeoutInMinutes: 0 + pool: + name: 'vdc-self-hosted' + variables: + BOOTSTRAP_INITIALIZED: $[dependencies.DiagnosticStorageAccount.outputs['bootstratInitializedOutput.BOOTSTRAP_INITIALIZED']] + dependsOn: DiagnosticStorageAccount + steps: + - task: AzurePowerShell@4 + displayName: "Application Security Group" + inputs: + azureSubscription: 'Kunachim Azure SC' + ScriptType: 'FilePath' + ScriptPath: 'Orchestration/OrchestrationService/ModuleConfigurationDeployment.ps1' + ScriptArguments: '-DefinitionPath "Environments/On-Premise/definition.json" -ModuleConfigurationName "DomainControllerASG"' + azurePowerShellVersion: 'LatestVersion' + env: + VDC_SUBSCRIPTIONS: $(VDC_SUBSCRIPTIONS) + VDC_TOOLKIT_SUBSCRIPTION: $(VDC_TOOLKIT_SUBSCRIPTION) + DEPLOYMENT_USER_ID: $(DEPLOYMENT_USER_ID) + ADMIN_USER_PWD: $(ADMIN_USER_PWD) + DOMAIN_ADMIN_USER_PWD: $(DOMAIN_ADMIN_USER_PWD) + TENANT_ID: $(TENANT_ID) + - job: VirtualNetwork + timeoutInMinutes: 0 + pool: + name: 'vdc-self-hosted' + dependsOn: [ OnPremisesNSG, DiagnosticStorageAccount ] + variables: + BOOTSTRAP_INITIALIZED: $[dependencies.DiagnosticStorageAccount.outputs['bootstratInitializedOutput.BOOTSTRAP_INITIALIZED']] + steps: + - task: AzurePowerShell@4 + displayName: "Virtual Network" + inputs: + azureSubscription: 'Kunachim Azure SC' + ScriptType: 'FilePath' + ScriptPath: 
'Orchestration/OrchestrationService/ModuleConfigurationDeployment.ps1' + ScriptArguments: '-DefinitionPath "Environments/On-Premise/definition.json" -ModuleConfigurationName "VirtualNetwork"' + azurePowerShellVersion: 'LatestVersion' + env: + VDC_SUBSCRIPTIONS: $(VDC_SUBSCRIPTIONS) + VDC_TOOLKIT_SUBSCRIPTION: $(VDC_TOOLKIT_SUBSCRIPTION) + DEPLOYMENT_USER_ID: $(DEPLOYMENT_USER_ID) + ADMIN_USER_PWD: $(ADMIN_USER_PWD) + DOMAIN_ADMIN_USER_PWD: $(DOMAIN_ADMIN_USER_PWD) + TENANT_ID: $(TENANT_ID) + - job: KeyVault + timeoutInMinutes: 0 + pool: + name: 'vdc-self-hosted' + dependsOn: [ DiagnosticStorageAccount, LogAnalytics, DiagnosticStorageAccount ] + variables: + BOOTSTRAP_INITIALIZED: $[dependencies.DiagnosticStorageAccount.outputs['bootstratInitializedOutput.BOOTSTRAP_INITIALIZED']] + steps: + - task: AzurePowerShell@4 + displayName: "Key Vault" + inputs: + azureSubscription: 'Kunachim Azure SC' + ScriptType: 'FilePath' + ScriptPath: 'Orchestration/OrchestrationService/ModuleConfigurationDeployment.ps1' + ScriptArguments: '-DefinitionPath "Environments/On-Premise/definition.json" -ModuleConfigurationName "KeyVault"' + azurePowerShellVersion: 'LatestVersion' + env: + VDC_SUBSCRIPTIONS: $(VDC_SUBSCRIPTIONS) + VDC_TOOLKIT_SUBSCRIPTION: $(VDC_TOOLKIT_SUBSCRIPTION) + DEPLOYMENT_USER_ID: $(DEPLOYMENT_USER_ID) + ADMIN_USER_PWD: $(ADMIN_USER_PWD) + DOMAIN_ADMIN_USER_PWD: $(DOMAIN_ADMIN_USER_PWD) + TENANT_ID: $(TENANT_ID) + - job: CreateRootCertificate + timeoutInMinutes: 0 + pool: + name: 'vdc-self-hosted' + dependsOn: [ KeyVault, DiagnosticStorageAccount ] + variables: + BOOTSTRAP_INITIALIZED: $[dependencies.DiagnosticStorageAccount.outputs['bootstratInitializedOutput.BOOTSTRAP_INITIALIZED']] + steps: + - task: AzurePowerShell@4 + displayName: "Create Root Certificate" + inputs: + azureSubscription: 'Kunachim Azure SC' + ScriptType: 'FilePath' + ScriptPath: 'Orchestration/OrchestrationService/ModuleConfigurationDeployment.ps1' + ScriptArguments: '-DefinitionPath 
"Environments/On-Premise/definition.json" -ModuleConfigurationName "CreateRootCertificate"' + azurePowerShellVersion: 'LatestVersion' + env: + VDC_SUBSCRIPTIONS: $(VDC_SUBSCRIPTIONS) + VDC_TOOLKIT_SUBSCRIPTION: $(VDC_TOOLKIT_SUBSCRIPTION) + DEPLOYMENT_USER_ID: $(DEPLOYMENT_USER_ID) + ADMIN_USER_PWD: $(ADMIN_USER_PWD) + DOMAIN_ADMIN_USER_PWD: $(DOMAIN_ADMIN_USER_PWD) + TENANT_ID: $(TENANT_ID) + - job: VirtualNetworkGateway + timeoutInMinutes: 0 + pool: + name: 'vdc-self-hosted' + dependsOn: [ VirtualNetwork, CreateRootCertificate, DiagnosticStorageAccount ] + variables: + BOOTSTRAP_INITIALIZED: $[dependencies.DiagnosticStorageAccount.outputs['bootstratInitializedOutput.BOOTSTRAP_INITIALIZED']] + steps: + - task: AzurePowerShell@4 + displayName: "Virtual Network Gateway" + inputs: + azureSubscription: 'Kunachim Azure SC' + ScriptType: 'FilePath' + ScriptPath: 'Orchestration/OrchestrationService/ModuleConfigurationDeployment.ps1' + ScriptArguments: '-DefinitionPath "Environments/On-Premise/definition.json" -ModuleConfigurationName "VirtualNetworkGateway"' + azurePowerShellVersion: 'LatestVersion' + env: + VDC_SUBSCRIPTIONS: $(VDC_SUBSCRIPTIONS) + VDC_TOOLKIT_SUBSCRIPTION: $(VDC_TOOLKIT_SUBSCRIPTION) + DEPLOYMENT_USER_ID: $(DEPLOYMENT_USER_ID) + ADMIN_USER_PWD: $(ADMIN_USER_PWD) + DOMAIN_ADMIN_USER_PWD: $(DOMAIN_ADMIN_USER_PWD) + TENANT_ID: $(TENANT_ID) + - job: EnableServiceEndpointOnKeyVault + timeoutInMinutes: 0 + pool: + name: 'vdc-self-hosted' + dependsOn: [ VirtualNetworkGateway, DiagnosticStorageAccount ] + variables: + BOOTSTRAP_INITIALIZED: $[dependencies.DiagnosticStorageAccount.outputs['bootstratInitializedOutput.BOOTSTRAP_INITIALIZED']] + steps: + - task: AzurePowerShell@4 + displayName: "Key Vault" + inputs: + azureSubscription: 'Kunachim Azure SC' + ScriptType: 'FilePath' + ScriptPath: 'Orchestration/OrchestrationService/ModuleConfigurationDeployment.ps1' + ScriptArguments: '-DefinitionPath "Environments/On-Premise/definition.json" 
-ModuleConfigurationName "EnableServiceEndpointOnKeyVault"' + azurePowerShellVersion: 'LatestVersion' + env: + VDC_SUBSCRIPTIONS: $(VDC_SUBSCRIPTIONS) + VDC_TOOLKIT_SUBSCRIPTION: $(VDC_TOOLKIT_SUBSCRIPTION) + DEPLOYMENT_USER_ID: $(DEPLOYMENT_USER_ID) + ADMIN_USER_PWD: $(ADMIN_USER_PWD) + DOMAIN_ADMIN_USER_PWD: $(DOMAIN_ADMIN_USER_PWD) + TENANT_ID: $(TENANT_ID) + - job: ArtifactsStorageAccount + timeoutInMinutes: 0 + pool: + name: 'vdc-self-hosted' + variables: + BOOTSTRAP_INITIALIZED: $[dependencies.DiagnosticStorageAccount.outputs['bootstratInitializedOutput.BOOTSTRAP_INITIALIZED']] + dependsOn: DiagnosticStorageAccount + steps: + - task: AzurePowerShell@4 + displayName: "Artifacts Storage Account" + inputs: + azureSubscription: 'Kunachim Azure SC' + ScriptType: 'FilePath' + ScriptPath: 'Orchestration/OrchestrationService/ModuleConfigurationDeployment.ps1' + ScriptArguments: '-DefinitionPath "Environments/On-Premise/definition.json" -ModuleConfigurationName "ArtifactsStorageAccount"' + azurePowerShellVersion: 'LatestVersion' + env: + VDC_SUBSCRIPTIONS: $(VDC_SUBSCRIPTIONS) + VDC_TOOLKIT_SUBSCRIPTION: $(VDC_TOOLKIT_SUBSCRIPTION) + DEPLOYMENT_USER_ID: $(DEPLOYMENT_USER_ID) + ADMIN_USER_PWD: $(ADMIN_USER_PWD) + DOMAIN_ADMIN_USER_PWD: $(DOMAIN_ADMIN_USER_PWD) + TENANT_ID: $(TENANT_ID) + - job: UploadScriptsToArtifactsStorage + timeoutInMinutes: 0 + pool: + name: 'vdc-self-hosted' + dependsOn: [ ArtifactsStorageAccount, DiagnosticStorageAccount ] + variables: + BOOTSTRAP_INITIALIZED: $[dependencies.DiagnosticStorageAccount.outputs['bootstratInitializedOutput.BOOTSTRAP_INITIALIZED']] + steps: + - task: AzurePowerShell@4 + displayName: "Upload Scripts To Artifacts Storage" + inputs: + azureSubscription: 'Kunachim Azure SC' + ScriptType: 'FilePath' + ScriptPath: 'Orchestration/OrchestrationService/ModuleConfigurationDeployment.ps1' + ScriptArguments: '-DefinitionPath "Environments/On-Premise/definition.json" -ModuleConfigurationName "UploadScriptsToArtifactsStorage"' + 
azurePowerShellVersion: 'LatestVersion' + env: + VDC_SUBSCRIPTIONS: $(VDC_SUBSCRIPTIONS) + VDC_TOOLKIT_SUBSCRIPTION: $(VDC_TOOLKIT_SUBSCRIPTION) + DEPLOYMENT_USER_ID: $(DEPLOYMENT_USER_ID) + ADMIN_USER_PWD: $(ADMIN_USER_PWD) + DOMAIN_ADMIN_USER_PWD: $(DOMAIN_ADMIN_USER_PWD) + TENANT_ID: $(TENANT_ID) + - job: ActiveDirectoryVM + timeoutInMinutes: 0 + pool: + name: 'vdc-self-hosted' + dependsOn: [ VirtualNetwork, DiagnosticStorageAccount, LogAnalytics, KeyVault, ArtifactsStorageAccount ] + variables: + BOOTSTRAP_INITIALIZED: $[dependencies.DiagnosticStorageAccount.outputs['bootstratInitializedOutput.BOOTSTRAP_INITIALIZED']] + steps: + - task: AzurePowerShell@4 + displayName: "Active Directory VM" + inputs: + azureSubscription: 'Kunachim Azure SC' + ScriptType: 'FilePath' + ScriptPath: 'Orchestration/OrchestrationService/ModuleConfigurationDeployment.ps1' + ScriptArguments: '-DefinitionPath "Environments/On-Premise/definition.json" -ModuleConfigurationName "ActiveDirectoryVM"' + azurePowerShellVersion: 'LatestVersion' + env: + VDC_SUBSCRIPTIONS: $(VDC_SUBSCRIPTIONS) + VDC_TOOLKIT_SUBSCRIPTION: $(VDC_TOOLKIT_SUBSCRIPTION) + DEPLOYMENT_USER_ID: $(DEPLOYMENT_USER_ID) + ADMIN_USER_PWD: $(ADMIN_USER_PWD) + DOMAIN_ADMIN_USER_PWD: $(DOMAIN_ADMIN_USER_PWD) + TENANT_ID: $(TENANT_ID) + - job: InstallActiveDirectory + timeoutInMinutes: 0 + pool: + name: 'vdc-self-hosted' + dependsOn: [ ActiveDirectoryVM, DiagnosticStorageAccount ] + variables: + BOOTSTRAP_INITIALIZED: $[dependencies.DiagnosticStorageAccount.outputs['bootstratInitializedOutput.BOOTSTRAP_INITIALIZED']] + steps: + - task: AzurePowerShell@4 + displayName: "Install Active Directory" + inputs: + azureSubscription: 'Kunachim Azure SC' + ScriptType: 'FilePath' + ScriptPath: 'Orchestration/OrchestrationService/ModuleConfigurationDeployment.ps1' + ScriptArguments: '-DefinitionPath "Environments/On-Premise/definition.json" -ModuleConfigurationName "InstallActiveDirectory"' + azurePowerShellVersion: 'LatestVersion' + env: + 
VDC_SUBSCRIPTIONS: $(VDC_SUBSCRIPTIONS) + VDC_TOOLKIT_SUBSCRIPTION: $(VDC_TOOLKIT_SUBSCRIPTION) + DEPLOYMENT_USER_ID: $(DEPLOYMENT_USER_ID) + ADMIN_USER_PWD: $(ADMIN_USER_PWD) + DOMAIN_ADMIN_USER_PWD: $(DOMAIN_ADMIN_USER_PWD) + TENANT_ID: $(TENANT_ID) \ No newline at end of file diff --git a/Environments/_Common/artifactsStorageAccount.json b/Environments/_Common/artifactsStorageAccount.json index 7bcfddf..aefb756 100644 --- a/Environments/_Common/artifactsStorageAccount.json +++ b/Environments/_Common/artifactsStorageAccount.json @@ -1,5 +1,5 @@ { - "Name": "${Parameters.Organization}cstmartfcts01", + "Name": "${Parameters.Organization}cstmartfcts11", "ResourceGroup": "${Parameters.InstanceName}-artifacts-rg", "Sku": "Standard_GRS", "Location": "${Parameters.Location}", diff --git a/Modules/ActiveDirectory/2.0/Policy/git_placeholder.md b/Modules/ActiveDirectory/2.0/Policy/git_placeholder.md old mode 100644 new mode 100755 diff --git a/Modules/ActiveDirectory/2.0/RBAC/git_placeholder.md b/Modules/ActiveDirectory/2.0/RBAC/git_placeholder.md old mode 100644 new mode 100755 diff --git a/Modules/ActiveDirectory/2.0/Scripts/git_placeholder.md b/Modules/ActiveDirectory/2.0/Scripts/git_placeholder.md old mode 100644 new mode 100755 diff --git a/Modules/ActiveDirectory/2.0/Tests/module.tests.ps1 b/Modules/ActiveDirectory/2.0/Tests/module.tests.ps1 old mode 100644 new mode 100755 diff --git a/Modules/ActiveDirectory/2.0/deploy.json b/Modules/ActiveDirectory/2.0/deploy.json old mode 100644 new mode 100755 diff --git a/Modules/ActiveDirectory/2.0/readme.md b/Modules/ActiveDirectory/2.0/readme.md old mode 100644 new mode 100755 diff --git a/Modules/VirtualMachines/2.0/Tests/linux.parameters.json b/Modules/VirtualMachines/2.0/Tests/linux.parameters.json old mode 100644 new mode 100755 
diff --git a/Modules/VirtualMachines/2.0/Tests/windows.parameters.json~8d27775b63b177a0a232b2555f41a903bee8779b b/Modules/VirtualMachines/2.0/Tests/windows.parameters.json~8d27775b63b177a0a232b2555f41a903bee8779b new file mode 100755 index 0000000..91f8069 --- /dev/null +++ b/Modules/VirtualMachines/2.0/Tests/windows.parameters.json~8d27775b63b177a0a232b2555f41a903bee8779b 
@@ -0,0 +1,61 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "virtualMachineName": { + "value": "adds" + }, + "virtualMachineSize": { + "value": "Standard_DS2_v2" + }, + "virtualMachineOSImage": { + "value": { + "offer": "WindowsServer", + "publisher": "MicrosoftWindowsServer", + "sku": "2016-Datacenter" + } + }, + "virtualMachineOSType": { + "value": "Windows" + }, + "workspaceId": { + "value": "00000000-0000-0000-0000-000000000000" + }, + "logAnalyticsWorkspaceId": { + "value": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/resourceGroup/providers/Microsoft.OperationalInsights/workspaces/contoso-example" + }, + "logAnalyticsWorkspacePrimarySharedKey": { + "value": "" + }, + "diagnosticsStorageAccountId": { + "value": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/resourceGroup/providers/Microsoft.Storage/storageAccounts/contosostrgexmpl" + }, + "diagnosticsStorageAccountName": { + "value": "contoso-diag-storage" + }, + "diagnosticsStorageAccountSasToken": { + "value": "" + }, + "artifactsStorageAccountName": { + "value": "vdcstorage" + }, + "artifactsStorageAccountKey": { + "value": "" + }, + "artifactsStorageAccountSasKey": { + "value": "" + }, + "vNetId": { + "value": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/resourceGroup/providers/Microsoft.Network/virtualNetworks/contoso-vnet-example" + }, + "subnetName": { + "value": "sharedsvcs" + }, + "adminUsername": { + "value": "contoso" + }, + "adminPassword": { + "value": "password" + } + } +} \ No newline at end of file diff --git a/Modules/VirtualMachines/2.0/deploy.json b/Modules/VirtualMachines/2.0/deploy.json index 7cd24c7..6bf8dc1 100644 --- a/Modules/VirtualMachines/2.0/deploy.json +++ b/Modules/VirtualMachines/2.0/deploy.json 
@@ -378,7 +378,7 @@ { "name": "dataDisks", "count": "[length(parameters('virtualMachineDataDisks'))]", - "input": + "input": { "lun": "[copyIndex('dataDisks')]", "name": "[replace(toLower(substring(concat(parameters('virtualMachineName'), copyIndex('vmLoop', parameters('virtualMachineOffset')), '-dsk', copyindex('dataDisks', parameters('virtualMachineOffset')), '-', replace(concat(variables('uniqueString'), variables('uniqueString')), '-', '')), 0, 30)), '-', '')]", @@ -1800,7 +1800,6 @@ } ] }, - { "type": "Microsoft.Compute/virtualMachines/extensions", "name": "[concat(parameters('virtualMachineName'), copyIndex(parameters('virtualMachineOffset')), '/', variables('DSCExtensionName'))]", @@ -1893,4 +1892,4 @@ } } } -} \ No newline at end of file +} diff --git a/Modules/VirtualNetworkGateway/2.0/Scripts/git_placeholder.md b/Modules/VirtualNetworkGateway/2.0/Scripts/git_placeholder.md deleted file mode 100644 index e69de29..0000000 diff --git a/Modules/VirtualNetworkGateway/2.0/Scripts/virtual.network.gateway.clientcert.ps1 b/Modules/VirtualNetworkGateway/2.0/Scripts/virtual.network.gateway.clientcert.ps1 new file mode 100644 index 0000000..c7427fc --- /dev/null +++ b/Modules/VirtualNetworkGateway/2.0/Scripts/virtual.network.gateway.clientcert.ps1 
@@ -0,0 +1,23 @@ +[CmdletBinding()] +param( + [Parameter(Mandatory=$true)] + [string]$CertData, + [Parameter(Mandatory=$true)] + [string]$Password +) + +$certPath = "Cert:\CurrentUser\My"; +$CertData > C:\certs\rootCert.cer; +$file = ( Get-ChildItem -Path C:\certs\rootCert.cer ); +$file | Import-Certificate -CertStoreLocation $certPath; +if($null -eq $clientCert) { + New-SelfSignedCertificate -Type Custom -DnsName ContosoClient -KeySpec Signature ` + -Subject "CN=VPN Client" -KeyExportPolicy Exportable ` + -HashAlgorithm sha256 -KeyLength 2048 ` + -CertStoreLocation $certPath ` + -Signer $rootCert -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2"); +} +$rootCert = (Get-ChildItem -Path $certPath) | Where-Object { $_.Subject -eq "CN=VPN CA" }; +$clientCert = (Get-ChildItem -Path $certPath) | Where-Object { $_.Subject -eq "CN=VPN Client" }; +$mypwd = ConvertTo-SecureString -String $Password -Force -AsPlainText; +Export-PfxCertificate -Cert $clientCert -FilePath c:\certs\clientCert.pfx -Password $mypwd; \ No newline at end of file diff --git a/Modules/VirtualNetworkGateway/2.0/Scripts/virtual.network.gateway.clientcert.sh b/Modules/VirtualNetworkGateway/2.0/Scripts/virtual.network.gateway.clientcert.sh new file mode 100755 index 0000000..bf94720 --- /dev/null +++ b/Modules/VirtualNetworkGateway/2.0/Scripts/virtual.network.gateway.clientcert.sh @@ -0,0 +1,8 @@ +CERT_DATA=$1 +PASSWORD=$2 +# Use a default value of "client" for USERNAME +USERNAME="client" +$CERT_DATA > ~/pki/caCert.pem +ipsec pki --gen --outform pem > ~/pki/"${USERNAME}Key.pem" +ipsec pki --pub --in ~/pki/"${USERNAME}Key.pem" | ipsec pki --issue --cacert ~/pki/caCert.pem --cakey ~/pki/caKey.pem --dn "CN=${USERNAME}" --san "${USERNAME}" --flag clientAuth --outform pem > ~/pki/"${USERNAME}Cert.pem" +openssl pkcs12 -in ~/pki/"${USERNAME}Cert.pem" -inkey ~/pki/"${USERNAME}Key.pem" -certfile ~/pki/caCert.pem -export -out ~/pki/"${USERNAME}.p12" -password "pass:${PASSWORD}" \ No newline at end of file 
diff --git a/Modules/VirtualNetworkGateway/2.0/Scripts/virtual.network.gateway.rootcert.ps1 b/Modules/VirtualNetworkGateway/2.0/Scripts/virtual.network.gateway.rootcert.ps1 new file mode 100644 index 0000000..f2f852a --- /dev/null +++ b/Modules/VirtualNetworkGateway/2.0/Scripts/virtual.network.gateway.rootcert.ps1 
@@ -0,0 +1,44 @@ +[CmdletBinding()] +param( + [Parameter(Mandatory=$true)] + [string]$TenantId, + [Parameter(Mandatory=$true)] + [string]$ServicePrincipal_ID, + [Parameter(Mandatory=$true)] + [string]$ServicePrincipal_Secret, + [Parameter(Mandatory=$true)] + [string]$KeyVaultName, + [Parameter(Mandatory=$true)] + [string]$KeyName, + [Parameter(Mandatory=$true)] + [string]$BashScriptPath +) + +Import-Module -Name Az + +if($Env:OS -like "*windows*" -or $IsWindows -eq $true) { + $keyExists = Get-AzKeyVaultSecret -VaultName $KeyVaultName -Name $KeyName + + if($null -ne $keyExists) { + Write-Host "Generating Root Cert for Windows"; + $certPath = "Cert:\CurrentUser\My"; + $rootCert = Get-ChildItem -Path $certPath | Where-Object { $_.Subject -eq "CN=VPN CA" }; + if($null -eq $rootCert) { + $rootCert = New-SelfSignedCertificate -Type Custom -KeySpec Signature ` + -Subject "CN=VPN CA" -KeyExportPolicy Exportable ` + -HashAlgorithm sha256 -KeyLength 2048 ` + -CertStoreLocation $certPath -KeyUsageProperty Sign -KeyUsage CertSign; + } + $rootCertPublicKey = $rootCert.GetPublicKeyString(); + Export-Certificate -Cert $rootCert.PSPath -FilePath C:\certs\rootCert.cer + $rootCertPublicKey = $rootCert.GetRawCertDataString(); + $rootCertPublicKey = [Convert]::ToBase64String($rootCertPublicKey); + $secureString = ConvertTo-SecureString -String $rootCertPublicKey -AsPlainText -Force; + Set-AzKeyVaultSecret -VaultName $KeyVaultName -Name $KeyName -SecretValue $secureString; + } +} +else { + Write-Host "Generating Root Cert for Linux"; + Get-Location | Write-Host; + bash -c "$BashScriptPath $TenantId $ServicePrincipal_ID $ServicePrincipal_Secret $KeyVaultName $KeyName"; +} \ No newline at end of file diff --git a/Modules/VirtualNetworkGateway/2.0/Scripts/virtual.network.gateway.rootcert.sh b/Modules/VirtualNetworkGateway/2.0/Scripts/virtual.network.gateway.rootcert.sh new file mode 100755 index 0000000..16e8bcc --- /dev/null 
+++ b/Modules/VirtualNetworkGateway/2.0/Scripts/virtual.network.gateway.rootcert.sh @@ -0,0 +1,16 @@ +TENANT=$1 +SP_USERNAME=$2 +SP_PASSWORD=$3 +KEY_VAULT_NAME=$4 +KEY_VAULT_SECRET_NAME=$5 + +apt-get update +apt-get install -y strongswan strongswan-pki +mkdir -p ~/pki/{cacerts,certs,private} +chmod 700 ~/pki +ipsec pki --gen --outform pem > ~/pki/caKey.pem +ipsec pki --self --in ~/pki/caKey.pem --dn "CN=VPN CA" --ca --outform pem > ~/pki/caCert.pem +KEY=$(openssl x509 -in ~/pki/caCert.pem -outform der | base64 -w0) +# Store the base64 encoded public key of the rootCert as KeyVault secret +az login --service-principal --username $SP_USERNAME --password $SP_PASSWORD --tenant $TENANT +az keyvault secret set --vault-name $KEY_VAULT_NAME --name $KEY_VAULT_SECRET_NAME --value $KEY \ No newline at end of file diff --git a/Modules/VirtualNetworkGateway/2.0/deploy.json b/Modules/VirtualNetworkGateway/2.0/deploy.json index 69aaf5a..590a4fc 100644 --- a/Modules/VirtualNetworkGateway/2.0/deploy.json +++ b/Modules/VirtualNetworkGateway/2.0/deploy.json 
@@ -45,13 +45,62 @@ "metadata": { "description": "Optional. ASN value" } + }, + "vpnClientAddressPoolPrefix": { + "type": "string", + "metadata": { + "description": "The IP address range from which VPN clients will receive an IP address when connected. Range specified must not overlap with on-premise network." + } + }, + "clientRootCertData": { + "type": "string", + "metadata": { + "description": "Client root certificate data used to authenticate VPN clients." + } + }, + "clientRevokedCertThumbprint": { + "type": "string", + "metadata": { + "description": "Thumbprint of the revoked certificate. This would revoke VPN client certificates matching this thumbprint from connecting to the VNet." + } + }, + "enablePip": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Value to specify if BGP is enabled or not" + } } }, "variables": { "gatewayPipName": "[concat(parameters('virtualNetworkGatewayName'), '-pip')]", "gatewayPipResourceName": "[concat('Microsoft.Network/publicIpAddresses/',variables('gatewayPipName'))]", "gatewaySubnetId": "[concat(parameters('vNetId'), '/subnets/GatewaySubnet')]", - "gatewayPipId": "[resourceId('Microsoft.Network/publicIPAddresses', variables('gatewayPipName'))]" + "gatewayPipId": "[resourceId('Microsoft.Network/publicIPAddresses', variables('gatewayPipName'))]", + "gatewayPip": { + "id": "[variables('gatewayPipId')]" + }, + "vpnClientRootCertificates": [{ + "name": "RootCert1", + "properties": { + "PublicCertData": "[parameters('clientRootCertData')]" + } + }], + "vpmClientRevokedCertificates": [{ + "name": "RevokedCert1", + "properties": { + "Thumbprint": "[parameters('clientRevokedCertThumbprint')]" + } + }], + "vpnClientConfiguration": { + "vpnClientAddressPool": { + "addressPrefixes": [ + "[parameters('vpnClientAddressPoolPrefix')]" + ] + }, + "vpnClientRootCertificates": "[if(empty(parameters('clientRootCertData')), json('null'), variables('vpnClientRootCertificates'))]", + 
"vpnClientRevokedCertificates": "[if(empty(parameters('clientRevokedCertThumbprint')), json('null'), variables('vpmClientRevokedCertificates'))]" + } }, "resources": [ { @@ -80,9 +129,7 @@ "subnet": { "id": "[variables('gatewaySubnetId')]" }, - "publicIPAddress": { - "id": "[variables('gatewayPipId')]" - } + "publicIPAddress": "[variables('gatewayPip')]" }, "name": "vNetGatewayConfig" } @@ -96,7 +143,8 @@ "tier": "[parameters('virtualNetworkGatewaySku')]" }, "gatewayType": "[parameters('virtualNetworkGatewayType')]", - "vpnType": "[parameters('vpnType')]" + "vpnType": "[parameters('vpnType')]", + "vpnClientConfiguration": "[if(empty(parameters('vpnClientAddressPoolPrefix')), json('null'), variables('vpnClientConfiguration'))]" } } ], diff --git a/Modules/VirtualNetworkGateway/2.0/parameters.json b/Modules/VirtualNetworkGateway/2.0/parameters.json index 4275708..8b37c12 100644 --- a/Modules/VirtualNetworkGateway/2.0/parameters.json +++ b/Modules/VirtualNetworkGateway/2.0/parameters.json @@ -16,6 +16,15 @@ }, "vNetId": { "value": "subscriptions/0000000000/resourceGroups/resourceGroup" + }, + "vpnClientAddressPoolPrefix": { + "value": "10.10.8.0/24" + }, + "clientRootCertData": { + "value": "certData" + }, + "clientRevokedCertThumbprint": { + "value": "thumbprint" } } } \ No newline at end of file diff --git a/Orchestration/OrchestrationService/ConfigurationBuilder.ps1 b/Orchestration/OrchestrationService/ConfigurationBuilder.ps1 index 164c22d..a623c11 100644 --- a/Orchestration/OrchestrationService/ConfigurationBuilder.ps1 +++ b/Orchestration/OrchestrationService/ConfigurationBuilder.ps1 @@ -402,7 +402,7 @@ Class ConfigurationBuilder { # "TemplatePath": "modules/2.0/deploy.json", # "TemplatePath": "modules.json", # TODO: Include the above two cases - $pathExtractionRegex = "[`"\']([\.\/]+.*[.]?)[`"\']"; + $pathExtractionRegex = "[`"\']([\.\/]+.*?[.]?)[`"\']"; # Check if the path matches the regex pattern specified, # extract and return the path 
diff --git a/Orchestration/OrchestrationService/CustomScriptExecution.ps1 b/Orchestration/OrchestrationService/CustomScriptExecution.ps1 index 8f9258b..18df830 100644 --- a/Orchestration/OrchestrationService/CustomScriptExecution.ps1 +++ b/Orchestration/OrchestrationService/CustomScriptExecution.ps1 @@ -192,8 +192,8 @@ Class CustomScriptExecution { # there is no way to verify the order in bash. # We are only converting the hashtable to an # array - $arguments.Keys | ForEach-Object { - $argumentName = $_; + $arguments.GetEnumerator() | Sort-Object -Property Name | Select-Object -Property Name | ForEach-Object { + $argumentName = $_.Name; $orderedArguments += $arguments[$argumentName]; }
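Review bot: in the Windows branch of Modules/VirtualNetworkGateway/2.0/Scripts/virtual.network.gateway.rootcert.ps1, `$rootCertPublicKey = $rootCert.GetRawCertDataString();` yields a hex string, so the next line `[Convert]::ToBase64String($rootCertPublicKey)` will throw because it expects a byte array; use `[Convert]::ToBase64String($rootCert.RawData)` and drop the earlier `$rootCert.GetPublicKeyString()` assignment, which is overwritten before it is used. Two smaller points in the same hunk: the guard `if($null -ne $keyExists)` only generates and stores the certificate when the Key Vault secret already exists, which is the opposite of the Linux branch (it always generates), so confirm which behaviour is intended; and `Export-Certificate -FilePath C:\certs\rootCert.cer` assumes `C:\certs` exists. The Linux branch hands `$ServicePrincipal_Secret` to `bash -c` on the command line, where it is visible in the process list of the agent; passing it through an environment variable would keep it out of `ps` output. The script also accepts `TenantId`/`ServicePrincipal_*` but the Windows branch never calls `Connect-AzAccount`, so it silently depends on an existing Az context.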
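Review bot: Modules/VirtualNetworkGateway/2.0/Scripts/virtual.network.gateway.rootcert.sh has no shebang and no `set -e`, so if `ipsec pki --gen` or the `openssl x509` pipeline fails, `KEY` is empty and an empty secret is still written to Key Vault; add `#!/bin/bash` and `set -euo pipefail` at the top. The CA private key is generated into `~/pki/caKey.pem` and left on the agent while only the DER certificate is uploaded, which means the key needed to issue client certificates is lost when the agent is recycled; either upload it to a Key Vault secret as well or document that this is a throwaway CA. `az login --service-principal ... --password $SP_PASSWORD` exposes the secret in the process list; `az login` accepts the password from an environment variable via `--password "$SP_PASSWORD"` only if quoted, and the credentials should be quoted in any case. Minor: the comment says "public key of the rootCert" but the value stored is the whole base64 DER certificate, which is what `PublicCertData` in deploy.json expects.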
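Review bot: in the first deploy.json hunk (`@@ -45,13 +45,62 @@`), the new `enablePip` parameter carries the description "Optional. Value to specify if BGP is enabled or not", copied from the BGP parameter, and is not referenced anywhere in the variables or resources added in this patch (`gatewayPip` always embeds `gatewayPipId`); fix the description and either wire the parameter up or drop it. `clientRootCertData`, `clientRevokedCertThumbprint` and `vpnClientAddressPoolPrefix` have no `defaultValue`, so they become mandatory for every deployment even though the template guards on `empty(parameters(...))` to make them optional; add `"defaultValue": ""` to each. Typo: `vpmClientRevokedCertificates` (used consistently, so it works, but rename to `vpnClientRevokedCertificates` for clarity).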
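Review bot: in the parameters.json hunk, the placeholder values `"certData"` and `"thumbprint"` are not valid base64 DER certificate data or a SHA-1 thumbprint, so any deployment driven by this file (as opposed to a static template test) will fail validation on `vpnClientRootCertificates`; if this file only feeds the static tests, a comment saying so would avoid the surprise, otherwise leave the two values empty so the `empty(...)` guards in deploy.json apply.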
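Review bot: in the ConfigurationBuilder.ps1 hunk, once `.*` becomes lazy (`.*?`) the trailing `[.]?` can never consume anything, because the lazy group stops at the first closing quote and the optional dot then matches empty; drop it, or express the intent directly with a negated class such as `[`"\']([\.\/][^`"\']*)[`"\']`. Note the pattern still requires the path to begin with `.` or `/`, so the two `TemplatePath` forms listed in the `TODO` comment just above (`modules/2.0/deploy.json`, `modules.json`) remain unmatched by this change.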
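Review bot: in the CustomScriptExecution.ps1 hunk, sorting on `Name` means positional arguments are now passed to the script in alphabetical order of their hashtable keys rather than in insertion order, so callers must choose key names that sort into the position the script expects (the five positional parameters of rootcert.sh, for example); the comment above the loop still says the order cannot be verified and should state this convention. `Select-Object -Property Name` is redundant since `$_.Name` is read directly, and `$_.Value` would avoid the second lookup `$arguments[$argumentName]`.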