Modified Shared Services environment & added new MS-VDI environment - In support for this new environment changes have been made to support all Azure environments (#163)

* Update dockerimage.yml

* Removed build.yml file

* Run toolkit container

* update

* fix

* mm

* bb

* nn

* qq

* ww

* ee

* rr

* pp

* aa

* Added storageblobURL to resources

* Added StorageblobURL to resources and env variable

* added storageblobURL

* added storageblobURL

* Commented out the Azure Provider feature Bastion

* added condition for resources gov vs com

* changed old GUID for Az Policy

* New change for gov. But need to adjust for com

* changed linux agent version number

* 1

* 2

* 3

* 4

* added logic for the ethernet

* added the ADDS module back after fixing script

* Updated modules IIS, SQLServerAlwaysOn,VM Scale sets for storagebloburl

* 5

* 6

* 7

* aa

* jj

* Update

* ll

* ll

* mm

* vv

* cv

* df

* Added logic for the NSG flow logs com vs gov

* changes to merge conflicts

* fixed conflict merge

* ee

* bnm

* yh

* vv

* sd

* bn

* xx

* vb

* tt

* ss

* zz

* remove sub ids

* aa

* updates

* ff

* updates

* tt

* updates

* mm

* rr

* Added info Azure cli to remove legal hold & other misc updates

* Fix typos

* Moved env variables for toolkit & subscription in the code

* ss

* kk

* Adding Az.Accounts to dockerfile

* cc

* ii

* ll

* yy

* vv

* cc

* ee

* Added all azure regions to AzureBastion module

* nn

* gg

* tt

* dd

* Adding install module in the code itself

* jk

* Added condition to connect to azure & install modules for dev ops

* qaz

* wsx

* bb

* Commented env variables in debug

* ff

* HUB vnet module

* changed MSVDI to connect to shrd svcs hub

* dummy values for config files

* changed para for msvdi with shrd svcs

* do not need to lowercase regions so commented out

* added variables to file so don't need to input

* new prereq script. Not necessary to run

* readme for shared services

* updated readme

* Update

* edc

* Topological path for DevOps pipeline

* test

* Update

* Running individual modules

* Updates

* updated comments

* new modules

* Create dockflow.yml

* Updates to SharedServices & MS-VDI readme

* qq

* Added more info on password restrictions

* Update

* 56

* 985

* 12

* 67

* 45

* 12

* 678

* 12

* 456

* tt

* 12

* 12

* 1q23

* 125

* 343

* 25

* 345

* 2134

* 12

* 2

* 454

* 124

* 312

* 12

* 23

* 34

* mylife

* q3

* 12

* 24

* q1234

* 696

* qw23

* q12e4

* w5

* 213

* 2198

* qw

* 255

* 89876

* 447

* 3242

* 89

* 43234

* 2342342

* q4eq3214

* 87

* 323

* 2345

* 123456

* New version of code for github action

* updates to files

* updated av set info

* 789234

* 234143

* 24223412342

* Teardown test

* Copied workflow from Jack's branch

* new changes

* update to readme in shrdsvcs

* new document for github actions

* 234

* adding changes to script for cleanup

* update readme

* update readme

* sdf

* 235

* 123

* 2345

* new changes to readme

* new changes to readme

* readme

* readme

* readmeupdate

* readme

* red

* read

* readme

* 1234

* readme

* 7897894

* update readme shrd svcs

* 345

* new changes to readme

* removed the cleanup and added to different script

* new change to clean up script

* Updates to shared services readme

* update

* 234

* Added passing parameters for subscription & tenant to parameters.json for shared services

* update for networkwatcher

* removed statement in av sets

* Test GH Actions

* Test GH Actions

* Update

* Update

* Cleared values

* Update

* changes to dockerfile version.

* Update

* Update readme

* Update README.md

* Updates to docs - added SPN info

Co-authored-by: jvalley19 <52843322+jvalley19@users.noreply.github.com>
This commit is contained in:
RKSelvi 2020-04-30 09:37:04 -04:00 committed by GitHub
Parent 5a1c0a8415
Commit 8b8ecd33ef
No known key found for this signature
GPG key ID: 4AEE18F83AFDEB23
43 changed files: 1493 additions and 122 deletions

.github/workflows/README.md  Vendored  Normal file

@ -0,0 +1,56 @@
# Getting started with GitHub Actions and the VDC toolkit
#### GitHub Actions are apart of an automation workflow that can integrate with your CI/CD pipeline. Developers can build, test and deploy upon code pushes and pulls to GitHub.
##### To Learn more about GitHub actions visit the [GitHub Action Documentation](https://help.GitHub.com/en/actions)
## GitHub Actions with the VDC toolkit quickstart
### The GitHub action in this repository will create the [Shared Services](../../Environments/SharedServices) Environment and the [MS-VDI](../../Environments/MS-VDI) environment all from a "push" to the GitHub repository.
#### To change the environment being deployed you will need to manipulate the "entrypoint.ps1" file in the root directory.
### Get started on setting up the action below:
1. #### Ensure you have the latest code when setting up your action pipeline
- ##### Files you need before proceeding with your actions
- 'dockerfile' in your root repository
- 'action.yml' in your root repository
- 'entrypoint.ps1' in your root repository
- 'dockerimage.yml' under the "vdc/.GitHub/workflows" directory
2. Create Service Pricipal
Follow for creating the service principal and note the object id and password during creation. The service principal will require owner permissions.
- [Create SPN via PowerShell for password based authentication](https://docs.microsoft.com/en-us/powershell/azure/create-azure-service-principal-azureps?view=azps-3.8.0#password-based-authentication)
- [Create SPN via Azure Cli](https://docs.microsoft.com/en-us/cli/azure/create-an-azure-service-principal-azure-cli?view=azure-cli-latest)
- [Verify & add roles/permissions](https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal)
3. #### You will also need to setup your GitHub secrets for the pipeline to use
- ##### You will need the following secrets
- SERVICE_PRINCIPAL
- SERVICE_PRINCIPAL_PASS
- DEVOPS_SERVICE_PRINCIPAL_USER_ID
- ADMIN_USER_NAME
- ADMIN_USER_PWD
- DOMAIN_ADMIN_USERNAME
- DOMAIN_ADMIN_USER_PWD
- TENANT_ID
- SUBSCRIPTION_ID
- KEYVAULT_MANAGEMENT_USER_ID
- ADMIN_USER_SSH
- ##### To add these secrets in your GitHub repository navigate to
- "Settings" -> "Secrets"
- Then add each secret value with exactly the corresponding name above
- For more information visit the GitHub link for adding new [Secrets](https://help.GitHub.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets).
- *You do not need* "" around your secret values. Enter them with raw data.
3. #### In your dockerimage.yml file you will need to change the following values that suit your need
- ORGANIZATION_NAME
- AZURE_LOCATION
- Update "uses" to your GitHub repo name.
- uses: [YOUR_GITHUB_NAME]/vdc@master
- Please keep the AZURE_DISCOVERY_URL as is
4. #### Once you have all these changes and updated your GitHub secrets you can push the changes to your repository.
5. #### Upon the "push" you will kick off an action which will deploy the shared services and ms-vdi resources.
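Review bot: step 2 ("Create Service Pricipal") has lost the object of its first sentence: "Follow for creating the service principal and note the object id and password during creation" no longer says what to follow, so rewrite it as "Follow one of the guides below to create the service principal, and note the object id and password during creation", and fix "Pricipal" in the heading. The numbering also repeats step 3 twice (secrets, then dockerimage.yml), so the list should run 1 to 6. Since the page states the service principal needs owner permissions and then lists eleven secrets including ADMIN_USER_PWD, DOMAIN_ADMIN_USER_PWD and ADMIN_USER_SSH, it would help to add one sentence saying the Owner assignment is expected at subscription scope and that the SPN password belongs only in the GitHub encrypted secret, never in dockerimage.yml or parameters.json. The instruction "uses: [YOUR_GITHUB_NAME]/vdc@master" should recommend a release tag or commit SHA rather than a branch, since whatever that ref resolves to runs with every secret above. Minor: "apart of" should be "a part of", and the #### / ##### headings are being used for body sentences and list items; plain paragraphs and "-" bullets would render more cleanly.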

.github/workflows/dockerimage.yml  Vendored  Normal file

@ -0,0 +1,35 @@
name: Docker Image CI - MSVDI
on:
push:
branches: [ master ]
pull_request:
branches: [ master ]
jobs:
build:
env:
SERVICE_PRINCIPAL: ${{ secrets.SERVICE_PRINCIPAL }}
SERVICE_PRINCIPAL_PASS: ${{ secrets.SERVICE_PRINCIPAL_PASS }}
DEVOPS_SERVICE_PRINCIPAL_USER_ID: ${{ secrets.DEVOPS_SERVICE_PRINCIPAL_USER_ID }}
ADMIN_USER_NAME: ${{ secrets.ADMIN_USER_NAME }}
ADMIN_USER_PWD: ${{ secrets.ADMIN_USER_PWD }}
DOMAIN_ADMIN_USERNAME: ${{ secrets.DOMAIN_ADMIN_USERNAME }}
DOMAIN_ADMIN_USER_PWD: ${{ secrets.DOMAIN_ADMIN_USER_PWD }}
ORGANIZATION_NAME : "MSSK"
AZURE_LOCATION : "USGov Arizona"
AZURE_ENVIRONMENT_NAME : "AzureUSGovernment"
TENANT_ID : ${{ secrets.TENANT_ID }}
SUBSCRIPTION_ID : ${{ secrets.SUBSCRIPTION_ID }}
KEYVAULT_MANAGEMENT_USER_ID : ${{ secrets.KEYVAULT_MANAGEMENT_USER_ID }}
AZURE_DISCOVERY_URL : "https://management.azure.com/metadata/endpoints?api-version=2019-05-01"
ADMIN_USER_SSH : ${{ secrets.ADMIN_USER_SSH }}
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Build the Docker image & Deploy
id : hello
uses: rkselvi/vdc@master
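Review bot: `uses: rkselvi/vdc@master` in the last step pulls the action from a personal fork at a mutable branch, so whoever controls that fork decides what runs with every secret declared in `env`; point it at this repository's own action and pin it to a commit SHA or release tag. The `pull_request` trigger on master is also a problem for a job that deploys Azure resources: a pull request would start the deployment (or fail noisily when a fork-originated run receives no secrets); keep the deploy job on `push` (or `workflow_dispatch`) and give pull requests a build-only job. Declaring all secrets at job level also hands them to `actions/checkout@v2`; move the `env` block onto the deploy step so only the step that needs them sees them. Smaller points: `id : hello` is a placeholder, and `AZURE_DISCOVERY_URL` is the commercial `management.azure.com` endpoint while `AZURE_ENVIRONMENT_NAME` is `AzureUSGovernment`; the workflows README says to keep it as is, so a one-line comment here explaining that this discovery endpoint serves all clouds would save the next reader the same question.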

View file

@ -14,7 +14,7 @@
},
"ValidationResourceGroup": {
"Name": "vdc-custom-rg",
"Location": "West US",
"Location": "env(azure_location)",
"Tags": {
"Policy": "Exempt"
}
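Review bot: `"Location": "env(azure_location)"` uses a lowercase variable name while every other place in this change sets and reads `AZURE_LOCATION` (the workflow `env` block, the `$ENV:AZURE_LOCATION` example in the README, `env(AZURE_LOCATION)` in parameters.json). Environment variables are case-sensitive on the Linux container the workflow runs in, so unless the toolkit's `env()` resolver normalizes case this resolves to an empty location; use `env(AZURE_LOCATION)` for consistency.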

View file

@ -1,6 +1,6 @@
{
"Comments": "Toolkit subscription and tenant information",
"TenantId": "00000000-0000-0000-0000-000000000000",
"SubscriptionId": "00000000-0000-0000-0000-000000000000",
"Location": "West US 2"
}
"Comments": "ToolKit for creating a new Virtual Data Center",
"TenantId": "000000-000-0000-0000",
"SubscriptionId": "000000-000-0000-0000",
"Location": "USGov Arizona"
}
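Review bot: the new placeholder values `"000000-000-0000-0000"` for TenantId and SubscriptionId are not GUID-shaped, unlike the `00000000-0000-0000-0000-000000000000` form they replace and the form the README examples still use; keep the all-zero GUID so a reader pasting a real id has the right shape to compare against and any GUID validation in the toolkit is not tripped by the sample file. Changing the sample `Location` from "West US 2" to "USGov Arizona" also makes the committed default a Government-cloud setting while the root README example in this same commit still shows "West US 2" and "AzureCloud"; pick one default and say in the `Comments` field that the location must belong to the cloud named by AZURE_ENVIRONMENT_NAME.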

View file

@ -84,7 +84,11 @@ Strictly speaking, you do not need a service principal for the purpose of this q
You can reuse your user object id in place of the service principal object id.
However, if you want to deploy using Azure DevOps you will need to create the service principal.
Follow [these instructions](https://docs.microsoft.com/azure/active-directory/develop/howto-create-service-principal-portal) for creating the service principal and note the object id during creation. The service principal will require owner permissions.
Follow for creating the service principal and note the object id during creation. The service principal will require owner permissions.
- [Create SPN via PowerShell for password based authentication](https://docs.microsoft.com/en-us/powershell/azure/create-azure-service-principal-azureps?view=azps-3.8.0#password-based-authentication)
- [Create SPN via Azure Cli](https://docs.microsoft.com/en-us/cli/azure/create-an-azure-service-principal-azure-cli?view=azure-cli-latest)
- [Create SPN via Portal](https://docs.microsoft.com/azure/active-directory/develop/howto-create-service-principal-portal)
- [Verify & add roles/permissions](https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal)
### Setting the configuration
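Review bot: replacing "Follow [these instructions](...) for creating the service principal" with "Follow for creating the service principal" leaves a sentence with no object, since the link it carried now lives in the new "Create SPN via Portal" bullet; rewrite the line as "Follow one of the guides below to create the service principal, and note the object id (and the password, for password-based authentication) during creation." The retained "will require owner permissions" would also benefit from naming the scope (the target subscription) so readers do not assign Owner at tenant or management-group level.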
@ -119,7 +123,10 @@ $ENV:VDC_TOOLKIT_SUBSCRIPTION = (Get-Content .\Config\toolkit.subscription.json
$ENV:ORGANIZATION_NAME = "contoso"
$ENV:TENANT_ID = "00000000-0000-0000-0000-000000000000"
$ENV:SUBSCRIPTION_ID = "00000000-0000-0000-0000-000000000000"
$ENV:AZURE_ENVIRONMENT_NAME = "AzureCloud"
$ENV:AZURE_LOCATION = "West US 2"
$ENV:AZURE_DISCOVERY_URL = "https://management.azure.com/metadata/endpoints?api-version=2019-05-01"
$ENV:KEYVAULT_MANAGEMENT_USER_ID = "00000000-0000-0000-0000-000000000000"
$ENV:DEVOPS_SERVICE_PRINCIPAL_USER_ID = "00000000-0000-0000-0000-000000000000"
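Review bot: the three new variables are shown with commercial-cloud values (`AzureCloud`, `West US 2`) but nothing says what else is accepted, while the rest of this commit defaults to `AzureUSGovernment` and `USGov Arizona`; add a sentence listing the valid `AZURE_ENVIRONMENT_NAME` values and stating that `AZURE_LOCATION` must be a region of that cloud. The same sentence should say that `AZURE_DISCOVERY_URL` stays at the `management.azure.com` metadata endpoint for every cloud (the workflows README already says "keep the AZURE_DISCOVERY_URL as is"); readers setting up a Government deployment will otherwise assume it needs a Government host too.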

View file

@ -0,0 +1,5 @@
{
"Subscriptions": "env(VDC_SUBSCRIPTIONS)",
"Parameters": "file(./parameters.json)",
"Orchestration": "file(./orchestration.json)"
}

View file

@ -0,0 +1,349 @@
{
"ModuleConfigurationsPath": "../../Modules",
"ModuleConfigurations": [
{
"Name": "VirtualNetworkSPOKE",
"ModuleDefinitionName": "VirtualNetwork",
"ResourceGroupName": "${Parameters.ModuleConfigurationParameters.VirtualNetworkSPOKE.ResourceGroup}",
"DependsOn": [
"DiagnosticStorageAccount"
],
"Deployment": {
"OverrideParameters": {
"vnetName": {
"value": "${Parameters.ModuleConfigurationParameters.VirtualNetworkSPOKE.Name}"
},
"vnetAddressPrefixes": {
"value": "${Parameters.ModuleConfigurationParameters.VirtualNetworkSPOKE.AddressPrefixes}"
},
"subnets": {
"value": "${Parameters.ModuleConfigurationParameters.VirtualNetworkSPOKE.Subnets}"
},
"enableDdosProtection": {
"value": "${Parameters.ModuleConfigurationParameters.VirtualNetworkSPOKE.EnableDdosProtection}"
},
"enableVmProtection": {
"value": "${Parameters.ModuleConfigurationParameters.VirtualNetworkSPOKE.EnableVmProtection}"
}
}
}
},
{
"Name": "VirtualNetworkPeeringHub",
"ModuleDefinitionName": "VirtualNetworkPeering",
"ResourceGroupName": "${Parameters.ModuleConfigurationParameters.SharedServices.VirtualNetworkHUB.ResourceGroupName}",
"DependsOn": [
"VirtualNetworkHUB",
"VirtualNetworkSPOKE"
],
"Deployment": {
"OverrideParameters": {
"localVnetName": {
"value": "${Parameters.ModuleConfigurationParameters.SharedServices.VirtualNetworkHUB.Name}"
},
"peeringName": {
"value": "${Parameters.ModuleConfigurationParameters.VirtualNetworkPeering.LocalPeering.Name}"
},
"remoteVirtualNetworkId": {
"value": "${Parameters.ModuleConfigurationParameters.SharedServices.VirtualNetworkSPOKE.Id}"
},
"useRemoteGateways": {
"value": false
}
}
}
},
{
"Name": "VirtualNetworkPeeringSPOKE",
"ModuleDefinitionName": "VirtualNetworkPeering",
"ResourceGroupName": "${Parameters.ModuleConfigurationParameters.VirtualNetworkSPOKE.ResourceGroup}",
"DependsOn": [
"VirtualNetworkSPOKE",
"VirtualNetworkHUB"
],
"Deployment": {
"OverrideParameters": {
"localVnetName": {
"value": "${Parameters.ModuleConfigurationParameters.VirtualNetworkSPOKE.Name}"
},
"peeringName": {
"value": "${Parameters.ModuleConfigurationParameters.VirtualNetworkPeering.LocalPeering.Name}"
},
"remoteVirtualNetworkId": {
"value": "${Parameters.ModuleConfigurationParameters.SharedServices.VirtualNetworkHUB.Id}"
},
"useRemoteGateways": {
"value": false
}
}
}
},
{
"Name": "DiagnosticStorageAccount",
"ModuleDefinitionName": "StorageAccounts",
"ResourceGroupName": "${Parameters.ModuleConfigurationParameters.DiagnosticStorageAccount.ResourceGroup}",
"Comments": "Storage Account that is used for ...",
"Policies": {
"Comments": "Optional - If no object is specified, no Policies deployment will occur",
"OverrideParameters": {
"effect": {
"value": "${Parameters.ModuleConfigurationParameters.DiagnosticStorageAccount.Policies.Effect}"
},
"resourceGroup": {
"value": "${Parameters.ModuleConfigurationParameters.DiagnosticStorageAccount.ResourceGroup}"
},
"resourceGroupLocation": {
"value": "${Parameters.ModuleConfigurationParameters.DiagnosticStorageAccount.Location}"
}
}
},
"Deployment": {
"Comments": "We need the 'update' module instance to lock this resource after the Virtual Network got created",
"TemplatePath": "../../Modules/StorageAccounts/deploy.json",
"OverrideParameters": {
"storageAccountName": {
"value": "${Parameters.ModuleConfigurationParameters.DiagnosticStorageAccount.Name}"
},
"storageAccountSku": {
"value": "${Parameters.ModuleConfigurationParameters.DiagnosticStorageAccount.Sku}"
},
"location": {
"value": "${Parameters.ModuleConfigurationParameters.DiagnosticStorageAccount.Location}"
}
}
}
},
{
"Name": "EnableServiceEndpointOnDiagnosticStorageAccount",
"ModuleDefinitionName": "StorageAccounts",
"Updates": "DiagnosticStorageAccount",
"Comments": "Enables Service endpoint on the Storage Account",
"DependsOn": [
"DiagnosticStorageAccount",
"VirtualNetworkSPOKE"
],
"Deployment": {
"OverrideParameters": {
"networkAcls": {
"value": "${Parameters.ModuleConfigurationParameters.DiagnosticStorageAccount.NetworkAcls}"
},
"vNetId": {
"value": "reference(VirtualNetworkSPOKE.vNetResourceId)"
}
}
}
},
{
"Name": "LogAnalytics",
"ModuleDefinitionName": "LogAnalytics",
"ResourceGroupName": "${Parameters.ModuleConfigurationParameters.LogAnalytics.ResourceGroup}",
"DependsOn": [
"DiagnosticStorageAccount"
],
"Deployment": {
"OverrideParameters": {
"logAnalyticsWorkspaceName": {
"value": "${Parameters.ModuleConfigurationParameters.LogAnalytics.Name}"
},
"diagnosticStorageAccountName": {
"value": "reference(DiagnosticStorageAccount.storageAccountName)"
},
"diagnosticStorageAccountId": {
"value": "reference(DiagnosticStorageAccount.storageAccountResourceId)"
},
"diagnosticStorageAccountAccessKey": {
"value": "reference(DiagnosticStorageAccount.storageAccountAccessKey)"
},
"location": {
"value": "${Parameters.ModuleConfigurationParameters.LogAnalytics.Location}"
}
}
}
},
{
"Name": "KeyVault",
"ModuleDefinitionName": "KeyVault",
"ResourceGroupName": "${Parameters.ModuleConfigurationParameters.KeyVault.ResourceGroup}",
"DependsOn":[
"DiagnosticStorageAccount",
"LogAnalytics",
"VirtualNetworkSPOKE"
],
"Deployment": {
"OverrideParameters": {
"keyVaultName": {
"value": "${Parameters.ModuleConfigurationParameters.KeyVault.Name}"
},
"accessPolicies": {
"value": "${Parameters.ModuleConfigurationParameters.KeyVault.AccessPolicies}"
},
"secretsObject": {
"value": {
"secrets": "${Parameters.ModuleConfigurationParameters.KeyVault.SecretsObject.Secrets}"
}
},
"enableVaultForDeployment": {
"value": "${Parameters.ModuleConfigurationParameters.KeyVault.EnableVaultForDeployment}"
},
"enableVaultForDiskEncryption": {
"value": "${Parameters.ModuleConfigurationParameters.KeyVault.EnableVaultForDiskEncryption}"
},
"enableVaultForTemplateDeployment": {
"value": "${Parameters.ModuleConfigurationParameters.KeyVault.EnableVaultForTemplateDeployment}"
},
"vaultSku": {
"value": "${Parameters.ModuleConfigurationParameters.KeyVault.Sku}"
},
"diagnosticStorageAccountId": {
"value": "reference(DiagnosticStorageAccount.storageAccountResourceId)"
},
"workspaceId": {
"value": "reference(LogAnalytics.logAnalyticsWorkspaceResourceId)"
},
"vNetId": {
"value": "reference(VirtualNetworkSPOKE.vNetResourceId)"
},
"networkAcls": {
"value": {
"bypass": "AzureServices",
"defaultAction": "Allow",
"virtualNetworkRules": [],
"ipRules": []
}
}
}
}
},
{
"Name": "ArtifactsStorageAccount",
"Subscription": "Artifacts",
"ModuleDefinitionName": "StorageAccounts",
"ResourceGroupName": "${Parameters.ModuleConfigurationParameters.ArtifactsStorageAccount.ResourceGroup}",
"DependsOn": [],
"Comments": "Storage Account that is used for ...",
"Policies": {
"Comments": "Optional - If no object is specified, no Policies deployment will occur",
"OverrideParameters": {
"effect": {
"value": "${Parameters.ModuleConfigurationParameters.ArtifactsStorageAccount.Policies.Effect}"
},
"resourceGroup": {
"value": "${Parameters.ModuleConfigurationParameters.ArtifactsStorageAccount.ResourceGroup}"
},
"resourceGroupLocation": {
"value": "${Parameters.ModuleConfigurationParameters.ArtifactsStorageAccount.Location}"
}
}
},
"Deployment": {
"OverrideParameters": {
"storageAccountName": {
"value": "${Parameters.ModuleConfigurationParameters.ArtifactsStorageAccount.Name}"
},
"storageAccountSku": {
"value": "${Parameters.ModuleConfigurationParameters.ArtifactsStorageAccount.Sku}"
},
"location": {
"value": "${Parameters.ModuleConfigurationParameters.ArtifactsStorageAccount.Location}"
}
}
}
},
{
"Name": "JumpboxASG",
"ModuleDefinitionName": "ApplicationSecurityGroups",
"ResourceGroupName": "${Parameters.ModuleConfigurationParameters.ApplicationSecurityGroups.ResourceGroup}",
"DependsOn": [],
"Deployment": {
"OverrideParameters": {
"applicationSecurityGroupName": {
"value": "${Parameters.ModuleConfigurationParameters.ApplicationSecurityGroups.Jumpbox.Name}"
}
}
}
},
{
"Name": "WindowsVM",
"ModuleDefinitionName": "VirtualMachines",
"ResourceGroupName": "${Parameters.ModuleConfigurationParameters.Jumpbox.ResourceGroup}",
"DependsOn": [
"VirtualNetworkSPOKE",
"DiagnosticStorageAccount",
"LogAnalytics",
"KeyVault",
"ArtifactsStorageAccount",
"JumpboxASG"
],
"Comments": "Creates Windows Jumpbox",
"Deployment": {
"OverrideParameters": {
"virtualMachineName": {
"value": "${Parameters.ModuleConfigurationParameters.Jumpbox.Windows.Name}"
},
"virtualMachineSize": {
"value": "${Parameters.ModuleConfigurationParameters.Jumpbox.Windows.VMSize}"
},
"virtualMachineOSImage": {
"value": "${Parameters.ModuleConfigurationParameters.Jumpbox.Windows.OSImage}"
},
"virtualMachineOSType": {
"value": "${Parameters.ModuleConfigurationParameters.Jumpbox.Windows.OSType}"
},
"virtualMachineCount": {
"value": "${Parameters.ModuleConfigurationParameters.Jumpbox.Windows.VMCount}"
},
"workspaceId": {
"value": "reference(LogAnalytics.logAnalyticsWorkspaceId)"
},
"logAnalyticsWorkspaceId": {
"value": "reference(LogAnalytics.logAnalyticsWorkspaceResourceId)"
},
"logAnalyticsWorkspacePrimarySharedKey": {
"value": "reference(LogAnalytics.logAnalyticsPrimarySharedKey)"
},
"diagnosticStorageAccountId": {
"value": "reference(DiagnosticStorageAccount.storageAccountResourceId)"
},
"diagnosticStorageAccountName": {
"value": "reference(DiagnosticStorageAccount.storageAccountName)"
},
"diagnosticStorageAccountSasToken": {
"value": "reference(DiagnosticStorageAccount.storageAccountSasToken)"
},
"artifactsStorageAccountKey": {
"value": "reference(ArtifactsStorageAccount.storageAccountAccessKey)"
},
"artifactsStorageAccountName": {
"value": "reference(ArtifactsStorageAccount.storageAccountName)"
},
"artifactsStorageAccountSasKey": {
"value": "reference(ArtifactsStorageAccount.storageAccountSasToken)"
},
"vNetId": {
"value": "reference(VirtualNetworkSPOKE.vNetResourceId)"
},
"subnetName": {
"value": "${Parameters.ModuleConfigurationParameters.Jumpbox.SubnetName}"
},
"applicationSecurityGroupId": {
"value": "reference(JumpboxASG.applicationSecurityGroupResourceId)"
},
"adminUsername": {
"value": "${Parameters.ModuleConfigurationParameters.Jumpbox.AdminUsername}"
},
"adminPassword": {
"reference": {
"keyVault": {
"id": "reference(KeyVault.keyVaultResourceId)"
},
"secretName": "${Parameters.ModuleConfigurationParameters.KeyVault.SecretsObject.Secrets[1].secretName}"
}
},
"storageBlobUrl": {
"value": "${Parameters.ModuleConfigurationParameters.Jumpbox.StorageBlobUrl}"
}
}
}
}
]
}
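Review bot: the `KeyVault` module hard-codes `"networkAcls"` to `"defaultAction": "Allow"` with empty `virtualNetworkRules` and `ipRules`, so the vault holding `admin-user-pswd` is reachable from any network, even though the DiagnosticStorageAccount in this same file takes its ACLs from parameters (`${Parameters.ModuleConfigurationParameters.DiagnosticStorageAccount.NetworkAcls}`, which is `Deny` plus the spoke subnet) and parameters.json already defines a `KeyVault.NetworkAcls` block with `Deny` that nothing reads; wire the override to that parameter so the vault is restricted to the spoke subnet with `bypass: AzureServices`. `VirtualNetworkPeeringHub` and `VirtualNetworkPeeringSPOKE` both list `VirtualNetworkHUB` in `DependsOn`, but no module configuration of that name exists in this orchestration (the hub is built by the Shared Services definition); either drop that entry or document how a dependency on another definition is resolved. The two `"Comments": "Storage Account that is used for ..."` entries are unfinished, and `"TemplatePath": "../../Modules/StorageAccounts/deploy.json"` on DiagnosticStorageAccount duplicates what `ModuleConfigurationsPath` already resolves. The `EnableServiceEndpointOnDiagnosticStorageAccount` update step correctly waits for both the account and the spoke VNet before applying the `Deny` ACL.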

View file

@ -0,0 +1,271 @@
{
"Organization": "env(ORGANIZATION_NAME)",
"DeploymentName": "vdcvdi",
"InstanceName": "${Parameters.Organization}-${Parameters.DeploymentName}",
"Subscription": "VDCVDI",
"Location": "env(AZURE_LOCATION)",
"StorageBlobUrl": "env(AZURE_STORAGE_BLOB_URL)",
"ModuleConfigurationParameters": {
"SharedServices": {
"DeploymentName": "shrdsvcs",
"ActiveDirectory": {
"VmIpAddressStart": [ "172.0.0.10" ]
},
"VirtualNetworkHUB": {
"Id": "/subscriptions/${Subscriptions.SharedServices.SubscriptionId}/resourceGroups/${Parameters.ModuleConfigurationParameters.SharedServices.VirtualNetworkHUB.ResourceGroupName}/providers/Microsoft.Network/virtualNetworks/${Parameters.ModuleConfigurationParameters.SharedServices.VirtualNetworkHUB.Name}",
"Name": "${Parameters.Organization}-shrdsvcs-vnet",
"ResourceGroupName": "${Parameters.organization}-shrdsvcs-network-rg",
"AddressPrefix": "172.0.0.0/16",
"NetworkVirtualAppliance": {
"AzureFirewall": {
"Name": "${Parameters.Organization}-${Parameters.ModuleConfigurationParameters.SharedServices.DeploymentName}-azfw"
}
}
},
"VirtualNetworkSPOKE": {
"Id": "/subscriptions/${Subscriptions.VDCVDI.SubscriptionId}/resourceGroups/${Parameters.ModuleConfigurationParameters.SharedServices.VirtualNetworkSPOKE.ResourceGroupName}/providers/Microsoft.Network/virtualNetworks/${Parameters.ModuleConfigurationParameters.SharedServices.VirtualNetworkSPOKE.Name}",
"Name": "${Parameters.InstanceName}-SPOKE",
"ResourceGroupName": "${Parameters.InstanceName}-spokenetwork-rg",
"AddressPrefixes": "172.50.0.0/16",
"NetworkVirtualAppliance": {
"AzureFirewall": {
"Name": "${Parameters.Organization}-${Parameters.ModuleConfigurationParameters.SharedServices.DeploymentName}-spazfw"
}
}
}
},
"OnPremisesInformation": {
"InstanceName": "${Parameters.InstanceName}",
"Comments": "This InstanceName is a temporal value, this value is used in artifactsStorageAccount.json, the idea is to have a global set of services and this name should point to the InstanceName (deployment name) of the global services archetype"
},
"KeyVaultManagementUserId": "env(KEYVAULT_MANAGEMENT_USER_ID)",
"DevOpsServicePrincipalId": "env(DEVOPS_SERVICE_PRINCIPAL_USER_ID)",
"VirtualNetworkSPOKE": {
"Name": "${Parameters.InstanceName}-SPOKE",
"ResourceGroup": "${Parameters.InstanceName}-spokenetwork-rg",
"AddressPrefixes": [ "172.50.0.0/16" ],
"EnableDdosProtection": false,
"EnableVmProtection": false,
"Subnets": [
{
"name": "spokeshrdsvcs",
"addressPrefix": "172.50.1.0/28",
"networkSecurityGroupName": "",
"routeTableName": "",
"serviceEndpoints": [
{
"service": "Microsoft.EventHub"
},
{
"service": "Microsoft.Sql"
},
{
"service": "Microsoft.Storage"
},
{
"service": "Microsoft.KeyVault"
}
]
},
{
"name": "GatewaySubnet",
"addressPrefix": "172.50.2.0/28",
"networkSecurityGroupName": "",
"routeTableName": "",
"serviceEndpoints": []
},
{
"name": "AccessLayerSubnet",
"addressPrefix": "172.50.3.0/28",
"networkSecurityGroupName": "",
"routeTableName": "",
"serviceEndpoints": []
}
,
{
"name": "ResourceLayerSubnet",
"addressPrefix": "172.50.4.0/28",
"networkSecurityGroupName": "",
"routeTableName": "",
"serviceEndpoints": []
},
{
"name": "ControlLayerSubnet",
"addressPrefix": "172.50.5.0/28",
"networkSecurityGroupName": "",
"routeTableName": "",
"serviceEndpoints": []
}
],
"DnsServers": [
"${Parameters.ModuleConfigurationParameters.SharedServices.ActiveDirectory.VmIpAddressStart}"
]
},
"VirtualNetworkPeering": {
"LocalPeering": {
"Name": "${Parameters.DeploymentName}-to-sharedsvcs"
}
},
"ApplicationSecurityGroups": {
"ResourceGroup": "${Parameters.ModuleConfigurationParameters.VirtualNetworkSPOKE.ResourceGroup}",
"Jumpbox": {
"Name": "jumpbox-asg"
},
"DomainController": {
"Name": "dc-asg"
}
},
"NetworkSecurityGroups": {
"ResourceGroup": "${Parameters.ModuleConfigurationParameters.SharedServices.VirtualNetworkHUB.ResourceGroupName}",
"Comments": "Virtual Network (TCP and UDP) to Application Security Group rules are required for DNS resolution",
"SharedServices": {
"Name": "${Parameters.DeploymentName}-nsg",
"Rules": [
{
}
]
}
},
"DiagnosticStorageAccount": {
"Name": "${Parameters.Organization}${Parameters.DeploymentName}diag01",
"ResourceGroup": "${Parameters.InstanceName}-diagnostics-rg",
"Location": "${Parameters.Location}",
"Sku": "Standard_GRS",
"NetworkAcls": {
"bypass": "AzureServices",
"defaultAction": "Deny",
"virtualNetworkRules": [
{
"subnet": "${Parameters.ModuleConfigurationParameters.VirtualNetworkSPOKE.Subnets[0].Name}"
}
],
"ipRules": []
},
"Policies": {
"Effect": "Audit"
}
},
"LogAnalytics": {
"Name": "${Parameters.InstanceName}-la",
"Comments": "Log Analytics and Diagnostic Storage Account must be deployed in the same region",
"ResourceGroup": "${Parameters.InstanceName}-diagnostics-rg",
"Location": "${Parameters.ModuleConfigurationParameters.DiagnosticStorageAccount.Location}",
"ListOfAllowedRegions": [
"Australia Central",
"Australia East",
"Australia Southeast",
"Canada Central",
"Central India",
"Central US",
"East Asia",
"East US",
"East US 2",
"France Central",
"Japan East",
"Korea Central",
"North Europe",
"South Central US",
"Southeast Asia",
"UK South",
"West Europe",
"West US",
"West US 2",
"USGov Virginia",
"USGov Iowa",
"USGov Arizona",
"USGov Texas",
"USDoD Central",
"USDoD East"
]
},
"KeyVault": {
"Name": "${Parameters.InstanceName}-kv",
"ResourceGroup": "${Parameters.InstanceName}-keyvault-rg",
"Sku": "Premium",
"EnableVaultForDeployment": true,
"EnableVaultForDiskEncryption": true,
"EnableVaultForTemplateDeployment": true,
"AccessPolicies": [
{
"tenantId": "${Parameters.TenantId}",
"objectId": "${Parameters.ModuleConfigurationParameters.KeyVaultManagementUserId}",
"permissions": {
"certificates": [
"All"
],
"keys": [
"All"
],
"secrets": [
"All"
]
}
},
{
"tenantId": "${Parameters.TenantId}",
"objectId": "${Parameters.ModuleConfigurationParameters.DevOpsServicePrincipalId}",
"permissions": {
"certificates": [
"All"
],
"keys": [
"All"
],
"secrets": [
"All"
]
}
}
],
"SecretsObject": {
"Comments": "Creating an object so we can use a secretsobject parameter type in our ARM template",
"Secrets": [
{
"secretName": "admin-user",
"secretValue": "env(ADMIN_USER_NAME)"
},
{
"secretName": "admin-user-pswd",
"secretValue": "env(ADMIN_USER_PWD)"
}
]
},
"NetworkAcls": {
"bypass": "AzureServices",
"defaultAction": "Deny",
"virtualNetworkRules": [
{
"subnet": "${Parameters.ModuleConfigurationParameters.VirtualNetworkSPOKE.Subnets[0].Name}"
}
],
"ipRules": []
}
},
"ArtifactsStorageAccount": "file(../_Common/artifactsStorageAccount.json)",
"Jumpbox": {
"ResourceGroup": "${Parameters.InstanceName}-jumpbox-rg",
"AdminUsername": "${Parameters.ModuleConfigurationParameters.KeyVault.SecretsObject.Secrets[0].secretName}",
"SubnetName": "${Parameters.ModuleConfigurationParameters.VirtualNetworkSPOKE.Subnets[0].name}",
"StorageBlobUrl": "${Parameters.StorageBlobUrl}",
"Windows": {
"Comments": "Windows VM name cannot exceed 13 characters",
"Name": "win-jb-vm",
"VMCount": 1,
"OSType": "Windows",
"VMSize": "Standard_DS2_v2",
"OSImage": {
"offer": "WindowsServer",
"publisher": "MicrosoftWindowsServer",
"sku": "2016-Datacenter"
},
"Kek": {
"Name": "WindowsJumpboxKey",
"Comments": "Destination can be HSM or Software. Use HSM to create Production keys.",
"Destination": "HSM"
}
}
}
}
}
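Review bot: token references are inconsistent in case: `Subnets[0].Name` in the DiagnosticStorageAccount and KeyVault `virtualNetworkRules` versus the lowercase `name` key the subnet objects actually use (and `Subnets[0].name` for `Jumpbox.SubnetName`), and `${Parameters.organization}` in `VirtualNetworkHUB.ResourceGroupName` versus `${Parameters.Organization}` everywhere else; if resolution is case-sensitive the storage and vault network rules carry an empty subnet and the hub resource-group name is wrong, so normalize to `.name` and `Parameters.Organization`. `NetworkSecurityGroups.SharedServices.Rules` contains a single empty object `{}`, which is either a rule that was never filled in or should be `[]`. Both KeyVault access policies grant `All` on certificates, keys and secrets, to the management user and to the DevOps service principal alike; the pipeline only needs to write and read the two secrets (`admin-user`, `admin-user-pswd`), so scope the service principal's policy to `secrets: [get, list, set]` and leave key and certificate permissions off unless disk encryption keys are created by it. `KeyVault.NetworkAcls` is defined here with `defaultAction: Deny` but orchestration.json never references it (the KeyVault module hard-codes Allow), so it is currently dead configuration. Minor: the stray `,` on its own line before `ResourceLayerSubnet`, and the `OnPremisesInformation` comment still describes `InstanceName` as a temporary value.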

View file

@ -0,0 +1,82 @@
# **To deploy Azure Virtual Datacenter for VDI**
MS-VDI environment has Azure resources that are dependent on "Shared Services". This follows HUB and SPOKE model, with "Shared Services" as HUB and "MS-VDI" as SPOKE.
**If [Shared Services](../../Environments/SharedServices) are not yet deployed, please deploy Shared Services before deploying [MS-VDI](../../Environments/MS-VDI) archetypes provided in the toolkit.**
## Setting the Environmental variables
All the settings for Environmental variables for Shared Services will be reused for MS-VDI deployment. First set up, deploy Shared Services and continue for MS-VDI
## Setting the Parameters
Any application specific parameters updates should be done in the [parameters.json](../../Environments/MS-VDI/parameters.json) file such as IP address, subnet names, subnet range, secrets etc.
## Deploying the MS-VDI environment
1. Return to the running Docker container from earlier in the quickstart.
1. If you have not already done so, run `Connect-AzAccount -Tenant "[TENANT_ID]" -SubscriptionId "[SUBSCRIPTION_ID]" -EnvironmentName "[AZURE_ENVIRONMENT]"` to login and set an Azure context.
1. To deploy the entire MS-VDI environment, you can run a single command:
``` PowerShell
./Orchestration/OrchestrationService/ModuleConfigurationDeployment.ps1 -DefinitionPath ./Environments/MS-VDI/definition.json
```
The toolkit will begin deploying the constituent modules and the status will be sent to the terminal.
Open the [Azure portal](https://portal.azure.us) and you can check the status of the invididual deployments. Azure portal link will be based on azure environment.
## Deploying individual modules
If you prefer you can deploy the constituent modules for MS-VDI individually.
The following is the series of commands to execute.
``` PowerShell
.\Orchestration\OrchestrationService\ModuleConfigurationDeployment.ps1 -DefinitionPath .\Environments\MS-VDI\definition.json -ModuleConfigurationName "VirtualNetworkSPOKE"
.\Orchestration\OrchestrationService\ModuleConfigurationDeployment.ps1 -DefinitionPath .\Environments\MS-VDI\definition.json -ModuleConfigurationName "VirtualNetworkPeeringHub"
.\Orchestration\OrchestrationService\ModuleConfigurationDeployment.ps1 -DefinitionPath .\Environments\MS-VDI\definition.json -ModuleConfigurationName "VirtualNetworkPeeringSpoke"
.\Orchestration\OrchestrationService\ModuleConfigurationDeployment.ps1 -DefinitionPath .\Environments\MS-VDI\definition.json -ModuleConfigurationName "DiagnosticStorageAccount"
.\Orchestration\OrchestrationService\ModuleConfigurationDeployment.ps1 -DefinitionPath .\Environments\MS-VDI\definition.json -ModuleConfigurationName "EnableServiceEndpointOnDiagnosticStorageAccount"
.\Orchestration\OrchestrationService\ModuleConfigurationDeployment.ps1 -DefinitionPath .\Environments\MS-VDI\definition.json -ModuleConfigurationName "LogAnalytics"
.\Orchestration\OrchestrationService\ModuleConfigurationDeployment.ps1 -DefinitionPath .\Environments\MS-VDI\definition.json -ModuleConfigurationName "KeyVault"
.\Orchestration\OrchestrationService\ModuleConfigurationDeployment.ps1 -DefinitionPath .\Environments\MS-VDI\definition.json -ModuleConfigurationName "ArtifactsStorageAccount"
.\Orchestration\OrchestrationService\ModuleConfigurationDeployment.ps1 -DefinitionPath .\Environments\MS-VDI\definition.json -ModuleConfigurationName "UploadScriptsToArtifactsStorage"
.\Orchestration\OrchestrationService\ModuleConfigurationDeployment.ps1 -DefinitionPath .\Environments\MS-VDI\definition.json -ModuleConfigurationName "JumpboxASG"
.\Orchestration\OrchestrationService\ModuleConfigurationDeployment.ps1 -DefinitionPath .\Environments\MS-VDI\definition.json -ModuleConfigurationName "WindowsVM"
```
**NOTE:**
1. If deployment reports, unable to find deployment storage account, it could be that PowerShell is not connected to Azure.
2. Open a new PowerShell/Docker instance if there was any changes to files in Environments folder
### **Teardown the environment**
``` PowerShell
./Orchestration/OrchestrationService/ModuleConfigurationDeployment.ps1 -TearDownEnvironment -DefinitionPath ./Environments/MS-VDI/definition.json
```
Note: This is the same command you used to deploy except that you include ` -TearDownEnvironment`.
It uses the same configuration, so if you change the configuration the tear down may not execute as expected.
### **Remove vdc-toolkit-rg**
Teardown removes only the resources deployed from VDC toolkit orchestration but do not actually remove the resource group (vdc-toolkit-rg) and storage accounts created by VDC toolkit deployment.
vdc-toolkit-rg
Use the Azure Cli to remove the resource group and the storage accounts. Find the storage account name from the vdc-toolkit-rg resource group.
``` AzureCli
az account set --subscription [SUBSCRIPTION_ID]
az storage container legal-hold clear --resource-group vdc-toolkit-rg --account-name [STORAGE_ACCOUNT_NAME] --container-name deployments --tags audit
az storage container legal-hold clear --resource-group vdc-toolkit-rg --account-name [STORAGE_ACCOUNT_NAME] --container-name audit --tags audit
```
### **Remove KeyVault**
For safety reasons, the key vault will not be deleted. Instead, it will be set to a _removed_ state. This means that the name is still considered in use. To fully delete the key vault, use:
``` PowerShell
Get-AzKeyVault -InRemovedState | ? { Write-Host "Removing vault: $($_.VaultName)"; Remove-AzKeyVault -InRemovedState -VaultName $_.VaultName -Location $_.Location -Force }
```
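Review bot: the "Remove vdc-toolkit-rg" block never removes anything; both `az storage container legal-hold clear` commands only lift the legal hold on the `deployments` and `audit` containers, so after running them the resource group and storage accounts are still there even though the sentence above promises removal. Either append the actual delete once the holds are cleared (`az group delete --name vdc-toolkit-rg --yes`) or retitle the section, and say explicitly that clearing the hold on the `audit` container discards the deployment audit trail that the hold exists to protect. The "Remove KeyVault" one-liner over-reaches in the other direction: `Get-AzKeyVault -InRemovedState | ? { ... Remove-AzKeyVault ... }` purges every soft-deleted vault in the current subscription, not just the toolkit's, and uses `?` (Where-Object) where `%` (ForEach-Object) is meant; filter on `VaultName` before purging. Also "invididual" should be "individual".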

View file

@ -423,6 +423,9 @@
},
"domainAdminPassword": {
"reference": "${Parameters.ModuleConfigurationParameters.ActiveDirectory.DomainAdminPassword}"
},
"storageBlobUrl": {
"value": "${Parameters.ModuleConfigurationParameters.Jumpbox.StorageBlobUrl}"
}
}
}
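Review bot: `storageBlobUrl` here reads `${Parameters.ModuleConfigurationParameters.Jumpbox.StorageBlobUrl}` while the adjacent `domainAdminPassword` reads from `ActiveDirectory.*`, so an Active Directory override block takes its storage endpoint from the Jumpbox section. The parameters file that follows in this change (`"Subscription": "OnPremises"`) adds `"StorageBlobUrl": "${Parameters.StorageBlobUrl}"` inside the ActiveDirectory block next to `ADSitename`, so reference `ActiveDirectory.StorageBlobUrl` here; otherwise the value is whatever the Jumpbox section happens to define, or nothing.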

View file

@ -4,6 +4,7 @@
"InstanceName": "${Parameters.Organization}-${Parameters.DeploymentName}",
"Subscription": "OnPremises",
"Location": "West US",
"StorageBlobUrl": "env(AZURE_STORAGE_BLOB_URL)",
"ModuleConfigurationParameters": {
"KeyVaultManagementUserId": "env(KEYVAULT_MANAGEMENT_USER_ID)",
"DevOpsServicePrincipalId": "env(DEVOPS_SERVICE_PRINCIPAL_USER_ID)",
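Review bot: `"StorageBlobUrl": "env(AZURE_STORAGE_BLOB_URL)"` introduces an environment variable that the Shared Services README added in this same change never sets: its env-var script defines `AZURE_DISCOVERY_URL` (hardcoded to the commercial `management.azure.com` endpoint) but has no `AZURE_STORAGE_BLOB_URL` line, so on a fresh container this resolves to empty and every `https://<account>.blob.<suffix>/...` the templates build is malformed. Add the variable to the README script with its two expected values (`core.windows.net` for AzureCloud, `core.usgovcloudapi.net` for AzureUSGovernment, the suffix this change adds to the firewall list) and, since the value is a DNS suffix rather than a URL, consider naming it accordingly. `"Location": "West US"` also stays hardcoded in this file while the Shared Services parameters file in this change switches to `env(AZURE_LOCATION)`, so a Government deployment of this environment fails on region.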
@ -133,6 +134,7 @@
"ResourceGroup": "${Parameters.InstanceName}-ad-rg",
"ADSitename": "Cloud-Site",
"CloudZone": "contosocloud.com",
"StorageBlobUrl": "${Parameters.StorageBlobUrl}",
"DomainAdminUsername": "env(DOMAIN_ADMIN_USERNAME)",
"DomainAdminPassword": {
"keyVault": {

View file

@ -74,6 +74,9 @@
"OverrideParameters": {
"workspaceId": {
"value": "reference(LogAnalytics.logAnalyticsWorkspaceResourceId)"
},
"environmentName": {
"value": "${Parameters.EnvironmentName}"
}
}
}
@ -207,7 +210,8 @@
"DiagnosticStorageAccountId": "reference(DiagnosticStorageAccount.storageAccountResourceId)",
"WorkspaceId": "reference(LogAnalytics.logAnalyticsWorkspaceId)",
"LogAnalyticsWorkspaceId": "reference(LogAnalytics.logAnalyticsWorkspaceResourceId)",
"WorkspaceRegion": "${Parameters.ModuleConfigurationParameters.LogAnalytics.Location}"
"WorkspaceRegion": "${Parameters.ModuleConfigurationParameters.LogAnalytics.Location}",
"environmentName": "${Parameters.EnvironmentName}"
}
}
},
@ -252,7 +256,8 @@
"DiagnosticStorageAccountId": "reference(DiagnosticStorageAccount.storageAccountResourceId)",
"WorkspaceId": "reference(LogAnalytics.logAnalyticsWorkspaceId)",
"LogAnalyticsWorkspaceId": "reference(LogAnalytics.logAnalyticsWorkspaceResourceId)",
"WorkspaceRegion": "${Parameters.ModuleConfigurationParameters.LogAnalytics.Location}"
"WorkspaceRegion": "${Parameters.ModuleConfigurationParameters.LogAnalytics.Location}",
"environmentName": "${Parameters.EnvironmentName}"
}
}
},
@ -621,6 +626,9 @@
},
"adminPassword": {
"reference": "${Parameters.ModuleConfigurationParameters.ActiveDirectory.DomainAdminPassword}"
},
"storageBlobUrl": {
"value": "${Parameters.ModuleConfigurationParameters.Jumpbox.StorageBlobUrl}"
}
}
}
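Review bot: this hunk and the two at -825 and -935 take `storageBlobUrl` from `Jumpbox.StorageBlobUrl` even though the password two lines above comes from `ActiveDirectory`, while the hunks at -693, -1048 and -1129 take it from the same section as their password (`ActiveDirectory`, `ActiveDirectoryDomainServices`). If each section is meant to carry its own `StorageBlobUrl` (the Shared Services parameters file in this change adds one to the Jumpbox, ActiveDirectory and `adds-vm` blocks), reference the owning section consistently; if they are always identical, drop the per-section copies and reference the top-level `${Parameters.StorageBlobUrl}` directly, which removes three places that can drift apart.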
@ -693,6 +701,9 @@
},
"domainAdminPassword": {
"reference": "${Parameters.ModuleConfigurationParameters.ActiveDirectory.DomainAdminPassword}"
},
"storageBlobUrl": {
"value": "${Parameters.ModuleConfigurationParameters.ActiveDirectory.StorageBlobUrl}"
}
}
}
@ -825,6 +836,9 @@
},
"secretName": "${Parameters.ModuleConfigurationParameters.KeyVault.SecretsObject.Secrets[0].secretName}"
}
},
"storageBlobUrl": {
"value": "${Parameters.ModuleConfigurationParameters.Jumpbox.StorageBlobUrl}"
}
}
}
@ -935,6 +949,9 @@
},
"secretName": "${Parameters.ModuleConfigurationParameters.KeyVault.SecretsObject.Secrets[2].secretName}"
}
},
"storageBlobUrl": {
"value": "${Parameters.ModuleConfigurationParameters.Jumpbox.StorageBlobUrl}"
}
}
}
@ -1048,6 +1065,9 @@
},
"adminPassword": {
"reference": "${Parameters.ModuleConfigurationParameters.ActiveDirectoryDomainServices.AdminPassword}"
},
"storageBlobUrl": {
"value": "${Parameters.ModuleConfigurationParameters.ActiveDirectoryDomainServices.StorageBlobUrl}"
}
}
}
@ -1092,6 +1112,7 @@
"EncryptActiveDirectoryDomainServices"
],
"Comments": "Installs Active Directory Domain Services",
"Deployment": {
"OverrideParameters": {
"virtualMachineName": {
@ -1129,6 +1150,9 @@
},
"domainAdminPassword": {
"reference": "${Parameters.ModuleConfigurationParameters.ActiveDirectoryDomainServices.DomainAdminPassword}"
},
"storageBlobUrl": {
"value": "${Parameters.ModuleConfigurationParameters.ActiveDirectoryDomainServices.StorageBlobUrl}"
}
}
}

View file

@ -3,7 +3,11 @@
"DeploymentName": "shrdsvcs",
"InstanceName": "${Parameters.Organization}-${Parameters.DeploymentName}",
"Subscription": "SharedServices",
"Location": "West US",
"SubscriptionId": "env(SUBSCRIPTION_ID)",
"TenantId": "env(TENANT_ID)",
"Location": "env(AZURE_LOCATION)",
"EnvironmentName": "env(AZURE_ENVIRONMENT_NAME)",
"StorageBlobUrl": "env(AZURE_STORAGE_BLOB_URL)",
"ModuleConfigurationParameters": {
"OnPremisesInformation": {
"InstanceName": "${Parameters.InstanceName}",
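Review bot: `"SubscriptionId": "env(SUBSCRIPTION_ID)"` and `"TenantId": "env(TENANT_ID)"` now sit beside `"Subscription": "SharedServices"`, which still names the `SharedServices` entry (placeholder ids) in the subscription file rewritten further down in this change, and nothing states which source wins when they disagree. Document the precedence, or remove the `Subscription` lookup for this environment, so that a stale entry in that file cannot route a deployment into a different tenant or subscription than the operator exported in the shell.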
@ -55,7 +59,13 @@
"UK South",
"West Europe",
"West US",
"West US 2"
"West US 2",
"USGov Virginia",
"USGov Iowa",
"USGov Arizona",
"USGov Texas",
"USDoD Central",
"USDoD East"
]
},
"AutomationAccounts": {
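Review bot: the same six Government region strings are appended by hand to five separate `allowedValues` lists in this change (here, the `AutomationAccounts` and `AzureBastion` blocks below, and the AutomationAccounts, AzureBastion and Log Analytics templates), and each list already has its own ordering and omissions (`East US` is missing from the Bastion list, `West US`/`West US 2` are ordered differently). Keep one shared region list, or validate the location at deploy time with `Get-AzLocation` instead of hand-maintained lists; a region that is listed but where the service is not offered still fails at deployment, so the lists buy little validation for the maintenance cost.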
@ -83,7 +93,13 @@
"West Central US",
"West Europe",
"West US 2",
"West US"
"West US",
"USGov Virginia",
"USGov Iowa",
"USGov Arizona",
"USGov Texas",
"USDoD Central",
"USDoD East"
]
},
"AzureBastion": {
@ -96,7 +112,13 @@
"West Europe",
"South Central US",
"Australia East",
"Japan East"
"Japan East",
"USGov Virginia",
"USGov Iowa",
"USGov Arizona",
"USGov Texas",
"USDoD Central",
"USDoD East"
]
},
"ApplicationSecurityGroups": {
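Review bot: adding `USGov Virginia` through `USDoD East` to the `AzureBastion` region list contradicts the Bastion pre-req script modified in this same commit, whose new comment says `Azure Government does not have this feature`. If Bastion cannot be deployed in Government, the module should be skipped there (a `condition` on the environment name, as the AzureSecurityCenter template in this change does for its pricing tiers) rather than offered as a region choice that fails at deploy time; if it can, the script comment is wrong and should be fixed instead.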
@ -748,6 +770,7 @@
"ResourceGroup": "${Parameters.InstanceName}-jumpbox-rg",
"AdminUsername": "${Parameters.ModuleConfigurationParameters.KeyVault.SecretsObject.Secrets[0].secretName}",
"SubnetName": "${Parameters.ModuleConfigurationParameters.VirtualNetwork.Subnets[0].name}",
"StorageBlobUrl": "${Parameters.StorageBlobUrl}",
"Windows": {
"Comments": "Windows VM name cannot exceed 13 characters",
"Name": "win-jb-vm",
@ -790,6 +813,7 @@
"Comments": "Windows VM name cannot exceed 13 characters.",
"PrimaryDomainControllerIP": "172.0.0.10",
"DomainName": "contoso.com",
"StorageBlobUrl": "${Parameters.StorageBlobUrl}",
"ADSitename": "Cloud-Site",
"CloudZone": "contosocloud.com",
"DomainAdminUsername": "env(DOMAIN_ADMIN_USERNAME)",
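Review bot: not introduced by this hunk but visible in its context, `"PrimaryDomainControllerIP": "172.0.0.10"` is not a private address: RFC 1918 reserves 172.16.0.0/12, and 172.0.0.0/24 lies in publicly routable space, so a spoke that routes that prefix to the hub black-holes real Internet destinations and the sample invites copying a non-private range into production. Pick an address inside 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16 that also satisfies the `AddsIPAddressStart` note in the `adds-vm` block below.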
@ -817,6 +841,7 @@
"Name": "adds-vm",
"ResourceGroup": "${Parameters.ModuleConfigurationParameters.ActiveDirectory.ResourceGroup}",
"Comments": "Windows VM name cannot exceed 13 characters. Additionally, Make sure that AddsIPAddressStart and ActiveDirectory.PrimaryDomainControllerIP are in the same subnet address prefix and they don't overlap",
"StorageBlobUrl": "${Parameters.StorageBlobUrl}",
"AdminUsername": "${Parameters.ModuleConfigurationParameters.KeyVault.SecretsObject.Secrets[0].secretName}",
"AdminPassword": {
"keyVault": {

View file

@ -0,0 +1,222 @@
# **To deploy Azure Virtual Datacenter for Shared Services**
Deployment steps for [SharedServices](../../Environments/SharedServices) archetypes provided in the toolkit.
The documentation applies to manually building and running the docker instance. For github action setup click
[GitHub Action for VDC](../../.github/workflows/README.md)
### Clone the repository
These steps assume that the `git` command is on your path.
1. Open a terminal window
2. Navigate to a folder where you want to store the source for the toolkit. For, e.g. `c:\git`, navigate to that folder.
3. Run `git clone https://github.com/RKSelvi/vdc.git`. This will clone the GitHub repository in a folder named `vdc`.
4. Run `cd vdc` to change directory in the source folder.
5. Run `git checkout master` to switch to the branch with the current in-development version of the toolkit.
### Build the Docker image
1. Ensure that the [Docker daemon](https://docs.docker.com/config/daemon/) is running. If you are new to Docker, the easiest way to do this is to install [Docker Desktop](https://www.docker.com/products/docker-desktop).
1. Open a terminal window
1. Navigate to the folder where you cloned the repository. _The rest of the quickstart assumes that this path is `C:\git\vdc\`_
1. Run `docker build . -t vdc:latest` to build the image.
### Run the toolkit container
After the image finishing building, you can run it using:
`docker run -it --entrypoint="pwsh" --rm -v C:\git\vdc\Config:/usr/src/app/Config -v C:\git\vdc\Environments:/usr/src/app/Environments -v C:\git\vdc\Modules:/usr/src/app/Modules vdc:latest`
A few things to note:
- You don't need to build the image every time you want to run the container. You'll only need to rebuild it if there are changes to the source (primarily changes in the `Orchestration` folder).
- The `docker run` command above will map volumes in the container to volumes on the host machine. This will allow you to directly modify files in these directories (`Config`,`Environments`, and `Modules`).
When the container starts, you will see the prompt
`PS /usr/src/app>`
## Configure the toolkit
To configure the toolkit for this quickstart, we will need to collect the following information.
You'll need:
- A subscription for the toolkit to use for logging and tracking deployment.
- The associated tenant id of the Azure Active Directory associated with those subscriptions.
- The object id of the user account that you'll use to run the deployment.
- The object id of a [service principal](https://docs.microsoft.com/azure/active-directory/develop/howto-create-service-principal-portal) that Azure DevOps can use for deployment. This is only for CI/CD pipeline
- An organization name for generating a prefix for naming resources.
- The desired username and password for the Active Directory domain admin that will be created. Active Directory is not deployed now.
- The desired password of the Windows jumpbox.
- The [public ssh key](https://docs.microsoft.com/azure/virtual-machines/linux/mac-create-ssh-keys) for accessing the Linux jumpbox.
Note: You can use a single subscription. You'll just need to provide the same subscription id in multiple locations in the configuration.
### Collecting user object id and tentant id
You can get your user object id and tenant id in the portal or by using command line utitilies.
Using Azure PowerShell:
1. Run `Connect-AzAccount -Tenant "[TENANT_ID]" -SubscriptionId "[SUBSCRIPTION_ID]" -EnvironmentName "[AZURE_ENVIRONMENT]"` to login and set an Azure context. For Azure Commercial environment "AzureCloud" & for Azure Government "AzureUSGovernment"
2. Run `Get-AzContext | % { Get-AzADUser -UserPrincipalName $($_.Account.Id) } | select Id` to get the user object id.
3. Run `Get-AzContext | select Tenant` to get the tenant id.
#### Environmental variables
The toolkit uses environmental variables instead of configuration files to help avoid the accidental inclusion of secrets into your source control. In the context of a CI/CD pipeline, these values would be retrieved from a key vault. For GitHub Actions workflow this will be coming from GitHub Secrets.
Set these environmental variables by substituting the actual values in the script below.
Copy and paste this script into PowerShell to execute it.
Note: The first two variables are set with the content of the configuration files we just modified. The path will not resolve correctly unless you are in `/usr/src/app` directory.
```PowerShell
$ENV:ORGANIZATION_NAME = "[ORGANIZATION_NAME]"
$ENV:AZURE_ENVIRONMENT_NAME = "[AZURE_ENVIRONMENT]"
$ENV:AZURE_LOCATION = "[AZURE_REGION]"
$ENV:TENANT_ID = "[TENANT_ID]"
$ENV:SUBSCRIPTION_ID = "[SUBSCRIPTION_ID]"
$ENV:KEYVAULT_MANAGEMENT_USER_ID = "[KEY_VAULT_MANAGEMENT_USER_ID]"
$ENV:DEVOPS_SERVICE_PRINCIPAL_USER_ID = "[SERVICE_PRINCIPAL_USER_ID]"
$ENV:DOMAIN_ADMIN_USERNAME = "[DOMAIN_ADMIN_USER_NAME]"
$ENV:DOMAIN_ADMIN_USER_PWD = "[DOMAIN_ADMIN_USER_PASSWORD]"
$ENV:ADMIN_USER_NAME = "[VM_ADMIN_USER_NAME]"
$ENV:ADMIN_USER_PWD = "[VM_ADMIN_USER_PASSWORD]"
$ENV:AZURE_DISCOVERY_URL = "https://management.azure.com/metadata/endpoints?api-version=2019-05-01"
$ENV:ADMIN_USER_SSH = "[SSH_KEY]"
```
**NOTE:** Examples to setting the env variables
- "[ORGANIZATION_NAME]"
- Abbreviation of your org (for e.g. contoso) with **NO SPACES**
- Must be 10 characters or less
- "[AZURE_ENVIRONMENT]"
- For Azure Commercial
- "AzureCloud"
- For Azure Government
- "AzureUSGovernment"
- "[AZURE_REGION]" - Depending on the Azure Enviroment, provide Azure regions. For e.g.
- Azure public cloud
- "East US"
- "East US 2"
- Azure Government
- "USGov Virginia"
- "USGov Iowa"
- "[KEY_VAULT_MANAGEMENT_USER_ID]"
- User's GUID from AAD deploying the VDC toolkit
- "[SERVICE_PRINCIPAL_USER_ID]"
- Used by CI/CD (not yet implemented). Can be same as KEY_VAULT_MANAGEMENT_USER_ID
- "[TENANT_ID]" - Tenant's GUID
- "[SUBSCRIPTION_ID]" - Subscription's GUID
- "[DOMAIN_ADMIN_USER_NAME]"
- Domain user name - will be used for AD deployment and not yet included in current deployment
- "[DOMAIN_ADMIN_USER_PASSWORD]"
- Domain user password - will be used for AD deployment and not yet included in current deployment. Follow the [guidelines](https://docs.microsoft.com/en-us/azure/virtual-machines/windows/faq#what-are-the-password-requirements-when-creating-a-vm) for setting the password.
- "[VM_ADMIN_USER_NAME]"
- VM log in username
- "[VM_ADMIN_USER_PASSWORD]"
- VM user password. Follow the [guidelines](https://docs.microsoft.com/en-us/azure/virtual-machines/windows/faq#what-are-the-password-requirements-when-creating-a-vm) for setting the password.
- "[SSH_KEY]"
- Needs to be a valid public ssh rsa key for SSH to linux box
To use the above script:
1. Return to the running Docker container from earlier in the quickstart.
2. Confirm that you are in the `/usr/src/app` directory.
3. Make a copy of the above script and replace the necessary values.
4. Copy the script into the clipboard and paste it in the terminal.
5. Verify that the enviromental variables are set by running `env` to view the current values.
#### Pre-req script
##### This script will ensure that the configuration files are updated with your environment variables.
``` PowerShell
./Orchestration/OrchestrationService/Pre_req_script.ps1
```
**You will need to run the cleanup script after you are done deploying the modules to ensure your secret values are not passed into the GitHub repository.**
#### Parameters
Any application specific parameters updates should be done in the [parameters.json](../../Environments/SharedServices/parameters.json) file such as IP address, subnet names, subnet range, secrets etc.
## Deploying the Shared Services environment
1. Return to the running Docker container from earlier in the quickstart.
1. If you have not already done so, run `Connect-AzAccount -Tenant "[TENANT_ID]" -SubscriptionId "[SUBSCRIPTION_ID]" -EnvironmentName "[AZURE_ENVIRONMENT]"` to login and set an Azure context.
1. To deploy the entire Shared Services environment, you can run a single command:
``` PowerShell
./Orchestration/OrchestrationService/ModuleConfigurationDeployment.ps1 -DefinitionPath ./Environments/SharedServices/definition.json
```
The toolkit will begin deploying the constituent modules and the status will be sent to the terminal.
Open the [Azure portal](https://portal.azure.us) and you can check the status of the invididual deployments. Azure portal link will be based on azure environment.
## Deploying individual modules
If you prefer you can deploy the constituent modules for Shared Services individually.
The following is the series of commands to execute.
``` PowerShell
.\Orchestration\OrchestrationService\ModuleConfigurationDeployment.ps1 -DefinitionPath .\Environments\SharedServices\definition.json -ModuleConfigurationName "AzureFirewall"
.\Orchestration\OrchestrationService\ModuleConfigurationDeployment.ps1 -DefinitionPath .\Environments\SharedServices\definition.json -ModuleConfigurationName "VirtualNetwork"
.\Orchestration\OrchestrationService\ModuleConfigurationDeployment.ps1 -DefinitionPath .\Environments\SharedServices\definition.json -ModuleConfigurationName "AzureSecurityCenter"
.\Orchestration\OrchestrationService\ModuleConfigurationDeployment.ps1 -DefinitionPath .\Environments\SharedServices\definition.json -ModuleConfigurationName "NISTControls"
.\Orchestration\OrchestrationService\ModuleConfigurationDeployment.ps1 -DefinitionPath .\Environments\SharedServices\definition.json -ModuleConfigurationName "AutomationAccounts"
.\Orchestration\OrchestrationService\ModuleConfigurationDeployment.ps1 -DefinitionPath .\Environments\SharedServices\definition.json -ModuleConfigurationName "DomainControllerASG"
.\Orchestration\OrchestrationService\ModuleConfigurationDeployment.ps1 -DefinitionPath .\Environments\SharedServices\definition.json -ModuleConfigurationName "DiagnosticStorageAccount"
.\Orchestration\OrchestrationService\ModuleConfigurationDeployment.ps1 -DefinitionPath .\Environments\SharedServices\definition.json -ModuleConfigurationName "EnableServiceEndpointOnDiagnosticStorageAccount"
.\Orchestration\OrchestrationService\ModuleConfigurationDeployment.ps1 -DefinitionPath .\Environments\SharedServices\definition.json -ModuleConfigurationName "LogAnalytics"
.\Orchestration\OrchestrationService\ModuleConfigurationDeployment.ps1 -DefinitionPath .\Environments\SharedServices\definition.json -ModuleConfigurationName "KeyVault"
.\Orchestration\OrchestrationService\ModuleConfigurationDeployment.ps1 -DefinitionPath .\Environments\SharedServices\definition.json -ModuleConfigurationName "ArtifactsStorageAccount"
.\Orchestration\OrchestrationService\ModuleConfigurationDeployment.ps1 -DefinitionPath .\Environments\SharedServices\definition.json -ModuleConfigurationName "UploadScriptsToArtifactsStorage"
.\Orchestration\OrchestrationService\ModuleConfigurationDeployment.ps1 -DefinitionPath .\Environments\SharedServices\definition.json -ModuleConfigurationName "JumpboxASG"
.\Orchestration\OrchestrationService\ModuleConfigurationDeployment.ps1 -DefinitionPath .\Environments\SharedServices\definition.json -ModuleConfigurationName "SharedServicesNSG"
```
**NOTE:**
1. If deployment reports, unable to find deployment storage account, it could be that PowerShell is not connected to Azure.
2. Open a new PowerShell/Docker instance if there were any changes to files in Environments folder
### **Teardown the environment**
``` PowerShell
./Orchestration/OrchestrationService/ModuleConfigurationDeployment.ps1 -TearDownEnvironment -DefinitionPath ./Environments/SharedServices/definition.json
```
Note: This is the same command you used to deploy except that you include ` -TearDownEnvironment`.
It uses the same configuration, so if you change the configuration the tear down may not execute as expected.
### Cleanup script
#### This script will make sure all the environment variable values are not stored in your configuration files. Please run this after you are done deploying the modules. Usually you will run this script when you are about to exit your container.
``` PowerShell
./Orchestration/OrchestrationService/Cleanup_Script.ps1
```
### **Remove vdc-toolkit-rg**
Teardown removes only the resources deployed from VDC toolkit orchestration but do not actually remove the resource group (vdc-toolkit-rg) and storage accounts created by VDC toolkit deployment.
vdc-toolkit-rg
Use the Azure Cli to remove the resource group and the storage accounts. Find the storage account name from the vdc-toolkit-rg resource group.
``` AzureCli
az account set --subscription [SUBSCRIPTION_ID]
az storage container legal-hold clear --resource-group vdc-toolkit-rg --account-name [STORAGE_ACCOUNT_NAME] --container-name deployments --tags audit
az storage container legal-hold clear --resource-group vdc-toolkit-rg --account-name [STORAGE_ACCOUNT_NAME] --container-name audit --tags audit
```
### **Remove KeyVault**
For safety reasons, the key vault will not be deleted. Instead, it will be set to a _removed_ state. This means that the name is still considered in use. To fully delete the key vault, use:
``` PowerShell
Get-AzKeyVault -InRemovedState | ? { Write-Host "Removing vault: $($_.VaultName)"; Remove-AzKeyVault -InRemovedState -VaultName $_.VaultName -Location $_.Location -Force }
```
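Review bot: the `Pre_req_script.ps1` step ("This script will ensure that the configuration files are updated with your environment variables") undoes the protection this README claims a few paragraphs earlier ("uses environmental variables instead of configuration files to help avoid the accidental inclusion of secrets into your source control"): it writes `DOMAIN_ADMIN_USER_PWD`, `ADMIN_USER_PWD` and `ADMIN_USER_SSH` into files under `Environments`, which the `docker run` command bind-mounts from `C:\git\vdc\Environments` on the host, so the secrets land in the working tree of the clone, and the only safeguard is the bold reminder to run `Cleanup_Script.ps1` before leaving the container. Since the parameters files in this change already resolve `env(...)` at deploy time, state why the pre-req step is needed at all, and if it stays, have it write to a git-ignored copy rather than the tracked files. Further fixes for this file: the env-var script omits `AZURE_STORAGE_BLOB_URL`, which the parameters files read, and hardcodes `AZURE_DISCOVERY_URL` to the commercial endpoint although the text supports `AzureUSGovernment`; the portal link is the Government portal (`portal.azure.us`) for both environments; "Can be same as KEY_VAULT_MANAGEMENT_USER_ID" puts the pipeline identity's Key Vault access policy on a human user's object id; the note "The first two variables are set with the content of the configuration files we just modified" no longer matches the script that follows it; and typos: "finishing building", "tentant", "utitilies", "Enviroment", "enviromental", "invididual".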

View file

@ -1058,6 +1058,9 @@
},
"domainAdminPassword": {
"reference": "${Parameters.ModuleConfigurationParameters.ActiveDirectoryDomainServices.DomainAdminPassword}"
},
"storageBlobUrl": {
"value": "${Parameters.ModuleConfigurationParameters.Jumpbox.StorageBlobUrl}"
}
}
}
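Review bot: `storageBlobUrl` is read from `Jumpbox.StorageBlobUrl` while `domainAdminPassword` two lines above reads from `ActiveDirectoryDomainServices`; the `adds-vm` block in the parameters file that follows gets its own `"StorageBlobUrl": "${Parameters.StorageBlobUrl}"` in this same change, so reference `ActiveDirectoryDomainServices.StorageBlobUrl` here, or drop the per-section copies and use the top-level value.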

View file

@ -4,6 +4,7 @@
"InstanceName": "${Parameters.Organization}-${Parameters.DeploymentName}",
"Subscription": "SharedServices",
"Location": "West US",
"StorageBlobUrl": "env(AZURE_STORAGE_BLOB_URL)",
"ModuleConfigurationParameters": {
"KeyVaultManagementUserId": "env(KEYVAULT_MANAGEMENT_USER_ID)",
"DevOpsServicePrincipalId": "env(DEVOPS_SERVICE_PRINCIPAL_USER_ID)",
@ -682,7 +683,8 @@
"*.download.opensuse.org",
"download.opensuse.org",
"*.monitoring.azure.com",
"monitoring.azure.com"
"monitoring.azure.com",
"core.usgovcloudapi.net"
]
}
]
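Review bot: `"core.usgovcloudapi.net"` as a target FQDN matches only that exact name; the URLs the templates in this change build are `https://<account>.blob.core.usgovcloudapi.net/scripts/...`, which this entry does not cover, so the DSC and CustomScript downloads from behind the firewall are still blocked in Government. The neighbouring entries use the pair `"*.monitoring.azure.com"` / `"monitoring.azure.com"`, but mirroring that with `"*.core.usgovcloudapi.net"` opens egress to every storage account in the Government cloud, which is a ready-made exfiltration path out of the hub. Allow only the specific account FQDNs (the artifacts account and the diagnostics account under `.blob.core.usgovcloudapi.net`), or reach them over a service endpoint so the firewall rule can stay narrow.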
@ -876,6 +878,7 @@
"Name": "adds-vm",
"ResourceGroup": "${Parameters.InstanceName}-adds-rg",
"Comments": "Windows VM name cannot exceed 13 characters. Additionally, Make sure that AddsIPAddressStart and ActiveDirectory.PrimaryDomainControllerIP are in the same subnet address prefix and they don't overlap",
"StorageBlobUrl": "${Parameters.StorageBlobUrl}",
"AdminUsername": "${Parameters.ModuleConfigurationParameters.KeyVault.SecretsObject.Secrets[0].secretName}",
"AdminPassword": {
"keyVault": {

View file

@ -1,33 +1,38 @@
{
"Comments": "Dashes are not supported as part of a Subscription name",
"OnPremises": {
"Comments": "Simulated On-Premises subscription and tenant information",
"TenantId": "00000000-0000-0000-0000-000000000000",
"SubscriptionId": "00000000-0000-0000-0000-000000000000"
},
"SharedServices": {
"Comments": "Shared services subscription and tenant information",
"TenantId": "00000000-0000-0000-0000-000000000000",
"SubscriptionId": "00000000-0000-0000-0000-000000000000"
},
"AKS": {
"Comments": "Shared services subscription and tenant information",
"TenantId": "00000000-0000-0000-0000-000000000000",
"SubscriptionId": "00000000-0000-0000-0000-000000000000"
},
"ASE_SQLDB": {
"Comments": "Workload subscription and tenant information",
"TenantId": "00000000-0000-0000-0000-000000000000",
"SubscriptionId": "00000000-0000-0000-0000-000000000000"
},
"NTier_IaaS": {
"Comments": "Workload subscription and tenant information",
"TenantId": "00000000000000000000000",
"SubscriptionId": "00000000000000000000000"
},
"Artifacts": {
"Comments": "Subscription and tenant information where the Artifacts Storage Account will reside",
"TenantId": "00000000-0000-0000-0000-000000000000",
"SubscriptionId": "00000000-0000-0000-0000-000000000000"
}
}
"Comments": "ToolKit for Jack",
"VDCVDI": {
"Comments": "Microsoft VDC with VDI environment subscription and tenant information",
"TenantId": "000000-000-0000-0000",
"SubscriptionId": "000000-000-0000-0000"
},
"OnPremises": {
"Comments": "Simulated On-Premises subscription and tenant information",
"TenantId": "000000-000-0000-0000",
"SubscriptionId": "000000-000-0000-0000"
},
"SharedServices": {
"Comments": "Shared services subscription and tenant information",
"TenantId": "000000-000-0000-0000",
"SubscriptionId": "000000-000-0000-0000"
},
"AKS": {
"Comments": "Shared services subscription and tenant information",
"TenantId": "000000-000-0000-0000",
"SubscriptionId": "000000-000-0000-0000"
},
"ASE_SQLDB": {
"Comments": "Workload subscription and tenant information",
"TenantId": "000000-000-0000-0000",
"SubscriptionId": "00000000-0000-0000-0000-000000000000"
},
"NTier_IaaS": {
"Comments": "Workload subscription and tenant information",
"TenantId": "000000-000-0000-0000",
"SubscriptionId": "000000-000-0000-0000"
},
"Artifacts": {
"Comments": "Subscription and tenant information where the Artifacts Storage Account will reside",
"TenantId": "000000-000-0000-0000",
"SubscriptionId": "000000-000-0000-0000"
}
}
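Review bot: the new placeholder `"000000-000-0000-0000"` is not a GUID (a GUID is five hex groups of 8-4-4-4-12), and the file now mixes it with the canonical `00000000-0000-0000-0000-000000000000` that `ASE_SQLDB.SubscriptionId` kept; use the canonical form everywhere so a forgotten placeholder fails GUID validation cleanly instead of with an obscure ARM error. Drop `"Comments": "ToolKit for Jack"`, a personal note in a shared config file, and fix the `AKS` comment that still says "Shared services subscription". Since the Shared Services parameters file in this change now takes `SubscriptionId`/`TenantId` from environment variables, state in the top-level comment which source takes precedence over this file.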

View file

@ -84,6 +84,13 @@
"metadata": {
"description": "Optional. Location for all resources."
}
},
"storageBlobUrl": {
"type": "string",
"defaultValue": "core.windows.net",
"metadata": {
"description": "Required. BLOB Storage URL based on Azure Environment."
}
}
},
"variables": {
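Review bot: the metadata says `Required.` but the parameter has `"defaultValue": "core.windows.net"`, which makes it optional and means a Government deployment that forgets to pass it silently targets commercial storage and fails only when the VM tries to download; either drop the default so the omission is a validation error, or label it `Optional.` and keep the commercial default deliberately. The description also calls the value a URL while it is a DNS suffix consumed by `concat('https://', ..., '.blob.', parameters('storageBlobUrl'), '/', ...)`; say so and list the two expected values.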
@ -107,7 +114,7 @@
"autoUpgradeMinorVersion": true,
"settings": {
"configuration": {
"url": "[concat('https://', parameters('artifactsStorageAccountName'), '.blob.core.windows.net/scripts/Windows/newADDomain.zip?', parameters('artifactsStorageAccountSasKey'))]",
"url": "[concat('https://', parameters('artifactsStorageAccountName'), '.blob.', parameters('storageBlobUrl'), '/', 'scripts/Windows/newADDomain.zip?', parameters('artifactsStorageAccountSasKey'))]",
"script": "newDomain.ps1",
"function": "NewDomain"
},
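Review bot: unrelated to the suffix swap but visible in the changed line, the DSC extension's `configuration.url` embeds `parameters('artifactsStorageAccountSasKey')` in `settings`, which is stored in clear on the extension resource and readable by anyone with read access to the VM; the DSC extension provides `protectedSettings.configurationUrlSasToken` for exactly this token, so keep the URL in `settings` without the query string and move the SAS into `protectedSettings`. While touching these lines, the separate `'/'` concat argument can be folded into the following literal (`'/scripts/Windows/...'`) as the IIS template in this change already does.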
@ -148,7 +155,7 @@
"autoUpgradeMinorVersion": true,
"settings": {
"fileUris": [
"[concat('https://', parameters('artifactsStorageAccountName'), '.blob.core.windows.net/scripts/Windows/new-dns-zone.ps1')]"
"[concat('https://', parameters('artifactsStorageAccountName'), '.blob.', parameters('storageBlobUrl'), '/', 'scripts/Windows/new-dns-zone.ps1')]"
]
},
"protectedSettings": {
@ -198,7 +205,7 @@
"autoUpgradeMinorVersion": true,
"settings": {
"fileUris": [
"[concat('https://', parameters('artifactsStorageAccountName'), '.blob.core.windows.net/scripts/Windows/create-new-cloud-ad-site.ps1')]"
"[concat('https://', parameters('artifactsStorageAccountName'), '.blob.', parameters('storageBlobUrl'), '/', 'scripts/Windows/create-new-cloud-ad-site.ps1')]"
]
},
"protectedSettings": {

View file

@ -90,6 +90,13 @@
"metadata": {
"description": "Optional. Location for all resources."
}
},
"storageBlobUrl": {
"type": "string",
"defaultValue": "core.windows.net",
"metadata": {
"description": "Required. BLOB Storage URL based on Azure Environment."
}
}
},
"variables": {
@ -122,7 +129,7 @@
"autoUpgradeMinorVersion": true,
"settings": {
"configuration": {
"url": "[concat('https://', parameters('artifactsStorageAccountName'), '.blob.core.windows.net/scripts/Windows/install_ADDS_No_Disk_Format.zip')]",
"url": "[concat('https://', parameters('artifactsStorageAccountName'), '.blob.', parameters('storageBlobUrl'), '/', 'scripts/Windows/install_ADDS_No_Disk_Format.zip')]",
"script": "azure.ps1",
"function": "CreateDomainController"
},
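Review bot: this `configuration.url` for `install_ADDS_No_Disk_Format.zip` carries no SAS token at all, whereas the Active Directory template in this change appends `artifactsStorageAccountSasKey` to `newADDomain.zip`; the two can only both work if the `scripts` container is anonymously readable, in which case the SAS in the other template is pointless, or it is not, in which case this download fails. The IIS template below follows this no-SAS pattern too. Decide which it is, and if the container is private pass the token through `protectedSettings.configurationUrlSasToken` in every template rather than on the URL.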
@ -167,7 +174,7 @@
"autoUpgradeMinorVersion": true,
"settings": {
"fileUris": [
"[concat('https://', parameters('artifactsStorageAccountName'), '.blob.core.windows.net/scripts/Windows/reboot_vm_async.ps1')]"
"[concat('https://', parameters('artifactsStorageAccountName'), '.blob.', parameters('storageBlobUrl'), '/', 'scripts/Windows/reboot_vm_async.ps1')]"
]
},
"protectedSettings": {

View file

@ -29,7 +29,13 @@
"West Central US",
"West Europe",
"West US 2",
"West US"
"West US",
"USGov Virginia",
"USGov Iowa",
"USGov Arizona",
"USGov Texas",
"USDoD Central",
"USDoD East"
],
"metadata": {
"description": "Required. Specifies the region for your Automation Account"

View file

@ -1,12 +1,17 @@
$installed = Get-AzProviderFeature -ProviderNamespace Microsoft.Network | Where-Object -Property "FeatureName" -EQ "AllowBastionHost"
## Azure Government does not have this feature so it will always send the script into an infinite loop
#$installed = Get-AzProviderFeature -ProviderNamespace Microsoft.Network | Where-Object -Property "FeatureName" -EQ "AllowBastionHost"
# I am adding the Microsoft.Network provider here instead of the bastion.
$installed = Get-AzResourceProvider -ProviderNamespace Microsoft.Network
if ($null -eq $installed) {
Register-AzProviderFeature -FeatureName AllowBastionHost -ProviderNamespace Microsoft.Network
# Register-AzProviderFeature -FeatureName AllowBastionHost -ProviderNamespace Microsoft.Network
Register-AzResourceProvider -ProviderNamespace Microsoft.Network
}
While ($null -eq $installed) {
$installed = Get-AzProviderFeature -ProviderNamespace Microsoft.Network | Where-Object -Property "FeatureName" -EQ "AllowBastionHost"
#$installed = Get-AzProviderFeature -ProviderNamespace Microsoft.Network | Where-Object -Property "FeatureName" -EQ "AllowBastionHost"
$installed = Get-AzResourceProvider -ProviderNamespace Microsoft.Network
$isInstalled = $null -ne $installed
Write-Host "Is installed: $isInstalled"
Start-Sleep -Seconds 20
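Review bot: replacing the `AllowBastionHost` feature check with `Get-AzResourceProvider -ProviderNamespace Microsoft.Network` breaks the wait loop: `Get-AzResourceProvider` returns the provider objects whether or not the namespace is registered (their `RegistrationState` property says which), so `$null -eq $installed` is false on the first call, `Register-AzResourceProvider` never runs, and the `While` loop exits at once printing `Is installed: True` for an unregistered provider. Test the state instead, e.g. `$installed = Get-AzResourceProvider -ProviderNamespace Microsoft.Network | Where-Object RegistrationState -eq 'Registered'`, keep the registration call, and replace the first-person `I am adding ...` comment with a neutral note on why the feature flag is skipped in Government; the commented-out lines can go, git keeps the history.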

View file

@ -39,12 +39,31 @@
"type": "string",
"defaultValue": "[resourceGroup().location]",
"allowedValues": [
"West US",
"East US",
"West Europe",
"South Central US",
"Australia Central",
"Australia East",
"Japan East"
"Australia Southeast",
"Brazil South",
"Canada Central",
"Central India",
"East US",
"East US 2",
"France Central",
"Japan East",
"Korea Central",
"North Europe",
"South Central US",
"Southeast Asia",
"UK South",
"West Central US",
"West Europe",
"West US 2",
"West US",
"USGov Virginia",
"USGov Iowa",
"USGov Arizona",
"USGov Texas",
"USDoD Central",
"USDoD East"
],
"metadata": {
"description": "Optional. Location for Azure Bastion, is currently limited to a small subset of regions."
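Review bot: `metadata.description` (`currently limited to a small subset of regions`) no longer matches a list of 27 entries, and the six Government entries contradict the Bastion pre-req script in this same change (`Azure Government does not have this feature`). Either drop `allowedValues` and validate the location at deploy time, or keep the list and record in the description when it was last checked, so the text and the list cannot drift apart again; and resolve the Government question one way or the other before both the list and the script ship.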

View file

@ -18,6 +18,13 @@
"metadata": {
"description": "Optional. Turns automatic deployment of a Log Analytics workspace"
}
},
"environmentName": {
"type": "string",
"defaultValue": "AzureCloud",
"metadata":{
"description": "This will determine if Azure Security Center is setup with Government or Commercial pricing tiers."
}
}
},
"variables": {
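Review bot: `environmentName` drives the `condition` on the `AppServices` and `StorageAccounts` pricing resources below but has no `allowedValues`, so any string except exactly `AzureCloud`, including the empty string the definition passes when `AZURE_ENVIRONMENT_NAME` is unset, silently disables those two Security Center tiers instead of failing. Add `"allowedValues": ["AzureCloud", "AzureUSGovernment"]`, reword the description to name the environments rather than "Government or Commercial pricing tiers", and add the space after `"metadata":` for consistency with the surrounding parameters.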
@ -44,6 +51,7 @@
}
},
{
"condition": "[equals(parameters('environmentName'), 'AzureCloud')]",
"type": "Microsoft.Security/pricings",
"apiVersion": "2018-06-01",
"name": "AppServices",
@ -66,6 +74,7 @@
}
},
{
"condition": "[equals(parameters('environmentName'), 'AzureCloud')]",
"type": "Microsoft.Security/pricings",
"apiVersion": "2018-06-01",
"name": "StorageAccounts",

View file

@ -50,6 +50,13 @@
"metadata": {
"description": "Optional. Location for all resources."
}
},
"storageBlobUrl": {
"type": "string",
"defaultValue": "core.windows.net",
"metadata": {
"description": "Required. BLOB Storage URL based on Azure Environment."
}
}
},
"variables": {
@ -76,7 +83,7 @@
"autoUpgradeMinorVersion": true,
"settings": {
"configuration": {
"url": "[concat('https://', parameters('artifactsStorageAccountName'), '.blob.core.windows.net/scripts/Windows/iisaspnet.zip')]",
"url": "[concat('https://', parameters('artifactsStorageAccountName'), '.blob.', parameters('storageBlobUrl'), '/scripts/Windows/iisaspnet.zip')]",
"script": "iisaspnet.ps1",
"function": "IISASPNET"
}
@ -99,7 +106,7 @@
"autoUpgradeMinorVersion": true,
"settings": {
"configuration": {
"url": "[concat('https://', parameters('artifactsStorageAccountName'), '.blob.core.windows.net/scripts/Windows/iisaspnet.zip')]",
"url": "[concat('https://', parameters('artifactsStorageAccountName'), '.blob.', parameters('storageBlobUrl'), '/scripts/Windows/iisaspnet.zip')]",
"script": "iisaspnet.ps1",
"function": "IISASPNET"
}


@ -51,7 +51,13 @@
"UK South",
"West Europe",
"West US",
"West US 2"
"West US 2",
"USGov Virginia",
"USGov Iowa",
"USGov Arizona",
"USGov Texas",
"USDoD Central",
"USDoD East"
],
"metadata": {
"description": "Required. Region used when establishing the workspace"


@ -24,8 +24,9 @@
},
"location": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Required. Location used as part of the Policy assignment."
"description": "Optional. Location of the Storage Account."
}
},
"listOfResourceTypesWithDiagnosticLogsEnabled": {
@ -805,13 +806,13 @@
}
},
{
"name": "[guid('08e6af2d-db70-460a-bfe9-d5bd474ba9d6')]",
"name": "[guid('f6de0be7-9a8a-4b8a-b349-43cf02d22f7c')]",
"type": "Microsoft.Authorization/policyAssignments",
"apiVersion": "2018-05-01",
"location": "[parameters('location')]",
"properties": {
"displayName": "Network Security Group Rules for Internet facing virtual machines should be hardened",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6",
"displayName": "Internet-facing virtual machines should be protected with Network Security Groups",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c",
"scope": "[subscription().id]",
"notScopes": [],
"parameters": {


@ -6,7 +6,7 @@
"value": "/subscriptions/000000000/resourcegroups/rg/"
},
"location": {
"value": "West US"
"value": ""
}
}
}
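Review bot: an empty string for location will fail at deployment unless the orchestration always overrides it, and the network watcher parameters file in this same commit takes a different approach ("[parameters('location')]"). Pick one convention for parameter files that should inherit the archetype location and apply it to both, so a missing override does not surface as an obscure ARM validation error.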


@ -20,7 +20,10 @@
$LogAnalyticsWorkspaceId,
[Parameter(Mandatory=$true)]
[string]
$WorkspaceRegion
$WorkspaceRegion,
[Parameter(Mandatory=$true)]
[string]
$environmentName
)
try {
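Review bot: $environmentName is added as a Mandatory parameter but nothing in the rest of this diff reads it, so every caller now has to supply a value that is never used. Either consume it (for example to pick the flow-log storage suffix) or leave it out until it is needed.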
@ -37,7 +40,6 @@ try {
Write-Host "No subscription switching is required."
}
$WorkspaceRegion = $WorkspaceRegion.Replace(' ', '').ToLower()
$NetworkWatcherRegion = $NetworkWatcherRegion.Replace(' ', '').ToLower()
$registered = Get-AzResourceProvider -ProviderNamespace Microsoft.Insights
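Review bot: one of the two region normalization lines (strip spaces, lower-case) is removed here, so $WorkspaceRegion and $NetworkWatcherRegion are no longer treated the same way. The watcher lookup below builds the name "NetworkWatcher_$NetworkWatcherRegion", and the watcher Azure creates by default is named with the lower-cased, space-free region (NetworkWatcher_westus), so a value passed as "West US" will not match; keep the normalization for the watcher region or document that callers must pass the short form.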
@ -55,8 +57,18 @@ try {
Write-Host "Registration complete"
$NW = Get-AzNetworkWatcher -ResourceGroupName NetworkWatcherRg -Name "NetworkWatcher_$NetworkWatcherRegion"
$NW = Get-AzNetworkWatcher -ResourceGroupName NetworkWatcherRg -Name "NetworkWatcher_$NetworkWatcherRegion" -ErrorAction SilentlyContinue
if ($null -eq $NW) {
$NWRG = Get-AzResourceGroup -Name NetworkWatcherRG -ErrorAction SilentlyContinue
if ($null -eq $NWRG) {
$NWRG = New-AzResourceGroup -Name NetworkWatcherRG -Location $NetworkwatcherRegion
}
$NW = New-AzNetworkWatcher -ResourceGroupName NetworkWatcherRG -Location $NetworkWatcherRegion -Name "NetworkWatcher_$NetworkWatcherRegion"
}
#Configure Version 2 FLow Logs with Traffic Analytics Configured
Set-AzNetworkWatcherConfigFlowLog -EnableRetention $true -RetentionInDays 365 -NetworkWatcher $NW -TargetResourceId $NetworkSecurityGroupId -StorageAccountId $DiagnosticStorageAccountId -EnableFlowLog $true -FormatType Json -FormatVersion 2 -EnableTrafficAnalytics -WorkspaceResourceId $LogAnalyticsWorkspaceId -WorkspaceGUID $WorkspaceId -WorkspaceLocation $WorkspaceRegion | Out-Null
}
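Review bot: the fallback creates a new Network Watcher whenever the name lookup returns nothing, but Azure allows only one Network Watcher per region per subscription, so if the lookup missed because of a naming mismatch (see the region normalization above) New-AzNetworkWatcher will fail with a conflict instead of reusing the existing watcher. Safer to query by location (Get-AzNetworkWatcher | Where-Object Location -eq $NetworkWatcherRegion) before creating one. The Set-AzNetworkWatcherConfigFlowLog call is also left unwrapped; with -ErrorAction Stop inside the try block a failure to enable flow logs would actually be reported rather than logged as "Registration complete".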


@ -102,6 +102,13 @@
"metadata": {
"description": "Optional. Location for all resources."
}
},
"storageBlobUrl": {
"type": "string",
"defaultValue": "core.windows.net",
"metadata": {
"description": "Required. BLOB Storage URL based on Azure Environment."
}
}
},
"variables": {
@ -135,7 +142,7 @@
"autoUpgradeMinorVersion": true,
"settings": {
"fileUris": [
"[concat('https://', parameters('artifactsStorageAccountName'), '.blob.core.windows.net/scripts/Windows/PrepareSQLServer_Install_Modules.ps1')]"
"[concat('https://', parameters('artifactsStorageAccountName'), '.blob.', parameters('storageBlobUrl'), '/scripts/Windows/PrepareSQLServer_Install_Modules.ps1')]"
]
},
"protectedSettings": {
@ -182,7 +189,7 @@
"autoUpgradeMinorVersion": true,
"settings": {
"configuration": {
"url": "[concat('https://', parameters('artifactsStorageAccountName'), '.blob.core.windows.net/scripts/Windows/PrepareSQLServer.ps1.zip')]",
"url": "[concat('https://', parameters('artifactsStorageAccountName'), '.blob.', parameters('storageBlobUrl'), '/scripts/Windows/PrepareSQLServer.ps1.zip')]",
"script": "PrepareSqlServer.ps1",
"function": "SqlServerPrepareDsc"
},
@ -191,7 +198,7 @@
"ClusterName": "[parameters('clusterName')]",
"ClusterOwnerNode": "[concat(parameters('virtualMachineName'), '1')]",
"ClusterIP": "[parameters('sqlServerILB_IPAddress')]",
"witnessStorageBlobEndPoint": "[concat('https://', parameters('cloudWitnessStorageAccountName'), '.blob.core.windows.net')]",
"witnessStorageBlobEndPoint": "[concat('https://', parameters('cloudWitnessStorageAccountName'), '.blob.', parameters('storageBlobUrl'))]",
"witnessStorageAccountKey": "[listkeys(resourceId('Microsoft.Storage/storageAccounts', parameters('cloudWitnessStorageAccountKey')), '2016-12-01').keys[0].value]"
}
},
@ -252,7 +259,7 @@
"autoUpgradeMinorVersion": true,
"settings": {
"fileUris": [
"[concat('https://', parameters('artifactsStorageAccountName'), '.blob.core.windows.net/scripts/Windows/sleep.ps1')]"
"[concat('https://', parameters('artifactsStorageAccountName'), '.blob.', parameters('storageBlobUrl'), '/scripts/Windows/sleep.ps1')]"
]
},
"protectedSettings": {
@ -304,7 +311,7 @@
"autoUpgradeMinorVersion": true,
"settings": {
"configuration": {
"url": "[concat('https://', parameters('artifactsStorageAccountName'), '.blob.core.windows.net/scripts/Windows/PrepareSQLServer.ps1.zip')]",
"url": "[concat('https://', parameters('artifactsStorageAccountName'), '.blob.', parameters('storageBlobUrl'), '/scripts/Windows/PrepareSQLServer.ps1.zip')]",
"script": "PrepareSqlServer.ps1",
"function": "SqlServerPrepareDsc"
},
@ -313,7 +320,7 @@
"ClusterName": "[parameters('clusterName')]",
"ClusterOwnerNode": "[concat(parameters('virtualMachineName'), '1')]",
"ClusterIP": "[parameters('sqlServerILB_IPAddress')]",
"witnessStorageBlobEndPoint": "[concat('https://', parameters('cloudWitnessStorageAccountName'), '.blob.core.windows.net')]",
"witnessStorageBlobEndPoint": "[concat('https://', parameters('cloudWitnessStorageAccountName'), '.blob.', parameters('storageBlobUrl'))]",
"witnessStorageAccountKey": "[listkeys(resourceId('Microsoft.Storage/storageAccounts', parameters('cloudWitnessStorageAccountKey')), '2016-12-01').keys[0].value]"
}
},
@ -374,7 +381,7 @@
"autoUpgradeMinorVersion": true,
"settings": {
"configuration": {
"url": "[concat('https://', parameters('artifactsStorageAccountName'), '.blob.core.windows.net/scripts/Windows/CreateHADB.ps1.zip')]",
"url": "[concat('https://', parameters('artifactsStorageAccountName'), '.blob.', parameters('storageBlobUrl'), '/scripts/Windows/CreateHADB.ps1.zip')]",
"script": "agdb.ps1",
"function": "SQLServerDBDsc"
},
@ -383,7 +390,7 @@
"ClusterName": "[parameters('clusterName')]",
"ClusterOwnerNode": "[concat(parameters('virtualMachineName'), '1')]",
"ClusterIP": "[parameters('sqlServerILB_IPAddress')]",
"witnessStorageBlobEndPoint": "[concat('https://', parameters('cloudWitnessStorageAccountName'), '.blob.core.windows.net')]",
"witnessStorageBlobEndPoint": "[concat('https://', parameters('cloudWitnessStorageAccountName'), '.blob.', parameters('storageBlobUrl'))]",
"witnessStorageAccountKey": "[listkeys(resourceId('Microsoft.Storage/storageAccounts', parameters('cloudWitnessStorageAccountKey')), '2016-12-01').keys[0].value]"
}
},


@ -9,7 +9,7 @@
"value": "NetworkWatcherRG"
},
"resourceGroupLocation": {
"value": "West US"
"value": "[parameters('location')]"
}
}
}


@ -198,6 +198,13 @@
"metadata": {
"description": "Optional. Location for all resources."
}
},
"storageBlobUrl": {
"type": "string",
"defaultValue": "core.windows.net",
"metadata": {
"description": "Required. BLOB Storage URL based on Azure Environment."
}
}
},
"variables": {
@ -318,7 +325,7 @@
"diagnosticsProfile": {
"bootDiagnostics": {
"enabled": true,
"storageUri": "[concat('https://', parameters('diagnosticStorageAccountName'), '.blob.core.windows.net/')]"
"storageUri": "[concat('https://', parameters('diagnosticStorageAccountName'), '.blob.', parameters('storageBlobUrl'))]"
}
},
"extensionProfile": {
@ -639,7 +646,7 @@
"protectedSettings": {
"storageAccountName": "[parameters('diagnosticStorageAccountName')]",
"storageAccountSasToken": "[parameters('diagnosticStorageAccountSasToken')]",
"storageAccountEndPoint": "https://core.windows.net"
"storageAccountEndPoint": "[concat('https://', parameters('storageBlobUrl'))]"
}
}
},
@ -661,7 +668,7 @@
"autoUpgradeMinorVersion": true,
"settings": {
"configuration": {
"url": "[concat('https://', parameters('artifactsStorageAccountName'), '.blob.core.windows.net/scripts/Windows/formatDataDisks.zip')]",
"url": "[concat('https://', parameters('artifactsStorageAccountName'), '.blob.', parameters('storageBlobUrl'), '/scripts/Windows/formatDataDisks.zip')]",
"script": "formatDisk.ps1",
"function": "FormatDisk"
},


@ -225,6 +225,13 @@
"metadata": {
"description": "Optional. AD domain name. If joinToDomain is set to true, this value becomes required."
}
},
"storageBlobUrl": {
"type": "string",
"defaultValue": "core.windows.net",
"metadata": {
"description": "Required. BLOB Storage URL based on Azure Environment."
}
}
},
"variables": {
@ -536,7 +543,7 @@
"diagnosticsProfile": {
"bootDiagnostics": {
"enabled": true,
"storageUri": "[concat('https://', parameters('diagnosticStorageAccountName'), '.blob.core.windows.net/')]"
"storageUri": "[concat('https://', parameters('diagnosticStorageAccountName'), '.blob.', parameters('storageBlobUrl'), '/')]"
}
}
},
@ -629,7 +636,7 @@
"autoUpgradeMinorVersion": true,
"settings": {
"configuration": {
"url": "[concat('https://', parameters('artifactsStorageAccountName'), '.blob.core.windows.net/scripts/Windows/formatDataDisks.zip')]",
"url": "[concat('https://', parameters('artifactsStorageAccountName'), '.blob.', parameters('storageBlobUrl'), '/scripts/Windows/formatDataDisks.zip')]",
"script": "formatDisk.ps1",
"function": "FormatDisk"
},
@ -931,7 +938,7 @@
"protectedSettings": {
"storageAccountName": "[parameters('diagnosticStorageAccountName')]",
"storageAccountSasToken": "[parameters('diagnosticStorageAccountSasToken')]",
"storageAccountEndPoint": "https://core.windows.net"
"storageAccountEndPoint": "[concat('https://', parameters('storageBlobUrl'))]"
}
}
},
@ -967,7 +974,7 @@
"autoUpgradeMinorVersion": true,
"settings": {
"fileUris": [
"[concat('https://', parameters('artifactsStorageAccountName'), '.blob.core.windows.net/scripts/Windows/enable-local-policy-settings.ps1')]"
"[concat('https://', parameters('artifactsStorageAccountName'), '.blob.', parameters('storageBlobUrl'), '/scripts/Windows/enable-local-policy-settings.ps1')]"
]
},
"protectedSettings": {
@ -1144,7 +1151,7 @@
"properties": {
"publisher": "Microsoft.EnterpriseCloud.Monitoring",
"type": "OmsAgentForLinux",
"typeHandlerVersion": "1.7",
"typeHandlerVersion": "1.8",
"settings": {
"workspaceId": "[parameters('workspaceId')]"
},
@ -1871,7 +1878,7 @@
},
"protectedSettings": {
"storageAccountName": "[parameters('diagnosticStorageAccountName')]",
"storageAccountEndPoint": "https://core.windows.net/",
"storageAccountEndPoint": "[concat('https://', parameters('storageBlobUrl'), '/')]",
"storageAccountSasToken": "[parameters('diagnosticStorageAccountSasToken')]"
}
}
@ -2067,6 +2074,13 @@
"metadata": {
"description": "The resource identifier of the VMs provisioned."
}
},
"AzureEnvUrl": {
"type": "string",
"value": "parameters('storageBlobUrl')",
"metadata": {
"description": "Checking the incoming storageBlobUrl."
}
}
}
}
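Review bot: the AzureEnvUrl output value is the literal string "parameters('storageBlobUrl')" because it is missing the surrounding brackets; it should be "[parameters('storageBlobUrl')]" to emit the parameter value. If this output only exists for debugging ("Checking the incoming storageBlobUrl"), consider removing it before merge.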


@ -490,4 +490,18 @@ Function Format-FilePathSpecificToOS () {
return `
Join-Path @arguments;
}
}
}
Function Get-AzureApiUrl() {
[CmdletBinding()]
param(
[Parameter(Mandatory=$true)]
[string]
$AzureEnvironment = "AzureCloud",
[Parameter(Mandatory=$true)]
[string]
$AzureDiscoveryUrl
)
return ( Invoke-RestMethod -Uri $AzureDiscoveryUrl -Method Get -ContentType "application/json" ) | where { $_.name -eq $AzureEnvironment }
}
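Review bot: $AzureEnvironment is both Mandatory=$true and given a default of "AzureCloud"; PowerShell ignores the default for mandatory parameters, so either drop Mandatory or drop the default. The function also returns $null when no environment matches and fetches from whatever $AzureDiscoveryUrl contains; suggest `throw` on an empty result and a check that the URL is https (and ideally the known Azure metadata endpoint) before calling Invoke-RestMethod, and replace the `where` alias with Where-Object in script code.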


@ -1,20 +1,26 @@
Import-Module "$($rootPath)/../Common/Helper.psd1" -Force;
Class AzureResourceManagerDeploymentService: IDeploymentService {
[string] $armResourceGroupDeploymentUri = "https://management.azure.com/subscriptions/{0}/resourcegroups/{1}/providers/Microsoft.Resources/deployments/{2}?api-version=2019-05-10";
[string] $armSubscriptionDeploymentUri = "https://management.azure.com/subscriptions/{0}/providers/Microsoft.Resources/deployments/{1}?api-version=2019-05-10"
[string] $armResourceGroupValidationUri = "https://management.azure.com/subscriptions/{0}/resourcegroups/{1}/providers/Microsoft.Resources/deployments/{2}/validate?api-version=2019-05-10";
[string] $armSubscriptionValidationUri = "https://management.azure.com/subscriptions/{0}/providers/Microsoft.Resources/deployments/{1}/validate?api-version=2019-05-10"
[string] $armResourceGroupDeploymentUri = ""
[string] $armSubscriptionDeploymentUri = ""
[string] $armResourceGroupValidationUri = ""
[string] $armSubscriptionValidationUri = ""
[bool] $isSubscriptionDeployment = $false;
[bool] $isSubscriptionDeployment = $false;
[hashtable] ExecuteDeployment([string] $tenantId, `
[string] $subscriptionId, `
[string] $resourceGroupName, `
[string] $deploymentTemplate, `
[string] $deploymentParameters, `
[string] $location) {
[string] $location,
[string] $azureManagementUrl) {
try {
# set the URL's from Discovery REST API call
$this.SetAzureEnvironmentBasedManagementUrls($azureManagementUrl);
# call arm deployment
$deployment = `
$this.InvokeARMOperation(
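Review bot: ExecuteDeployment gains an $azureManagementUrl parameter, so the IDeploymentService interface (and any other class implementing it) must be updated to the new signature as well; the diff does not show that change. Emptying the four URI fields also means any method that uses them before SetAzureEnvironmentBasedManagementUrls runs will build a request against "" rather than management.azure.com.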
@ -754,4 +760,23 @@ Class AzureResourceManagerDeploymentService: IDeploymentService {
throw $_;
}
}
hidden [void] SetAzureEnvironmentBasedManagementUrls([string] $mngtUrl)
{
if(![string]::IsNullOrEmpty($mngtUrl)) {
$this.armResourceGroupDeploymentUri = $mngtUrl + "/subscriptions/{0}/resourcegroups/{1}/providers/Microsoft.Resources/deployments/{2}?api-version=2019-05-10";
$this.armSubscriptionDeploymentUri = $mngtUrl + "/subscriptions/{0}/providers/Microsoft.Resources/deployments/{1}?api-version=2019-05-10";
$this.armResourceGroupValidationUri = $mngtUrl + "/subscriptions/{0}/resourcegroups/{1}/providers/Microsoft.Resources/deployments/{2}/validate?api-version=2019-05-10";
$this.armSubscriptionValidationUri = $mngtUrl + "/subscriptions/{0}/providers/Microsoft.Resources/deployments/{1}/validate?api-version=2019-05-10";
}
else
{
$this.armResourceGroupDeploymentUri = "https://management.azure.com/subscriptions/{0}/resourcegroups/{1}/providers/Microsoft.Resources/deployments/{2}?api-version=2019-05-10";
$this.armSubscriptionDeploymentUri = "https://management.azure.com/subscriptions/{0}/providers/Microsoft.Resources/deployments/{1}?api-version=2019-05-10";
$this.armResourceGroupValidationUri = "https://management.azure.com/subscriptions/{0}/resourcegroups/{1}/providers/Microsoft.Resources/deployments/{2}/validate?api-version=2019-05-10";
$this.armSubscriptionValidationUri = "https://management.azure.com/subscriptions/{0}/providers/Microsoft.Resources/deployments/{1}/validate?api-version=2019-05-10";
}
Write-Debug "Management URL: $mngtUrl";
}
}
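Review bot: the URL templates are duplicated between the two branches; defaulting $mngtUrl to "https://management.azure.com" when it is empty and building the four URIs once removes the repetition. Also trim a trailing "/" from $mngtUrl (`$mngtUrl.TrimEnd('/')`), since the value comes from the discovery endpoint's audiences list, whose entries typically end with "/", which would produce "https://management.azure.com//subscriptions/...".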


@ -0,0 +1,24 @@
$var = (Get-Content -Path .\Config\toolkit.subscription.json) | ConvertFrom-Json
$var.Comments = "Cleaned up from deployment"
$var.SubscriptionId = "000000-000-0000-0000"
$var.TenantId = "00000-0000000-000000-0000-0"
$var.Location = "DUMMYVALUE"
$var | ConvertTo-Json | Set-Content -Path .\Config\toolkit.subscription.json
##### Replace values with environment variables for the subscription.json file
$vdc = (Get-Content -Path .\Environments\_Common\subscriptions.json) | ConvertFrom-Json
$vdc.VDCVDI.SubscriptionId = "000000-000-0000-0000"
$vdc.VDCVDI.TenantId = "000000-000-0000-0000"
$vdc | ConvertTo-Json | Set-Content -Path .\Environments\_Common\subscriptions.json
$SS = (Get-Content -Path .\Environments\_Common\subscriptions.json) | ConvertFrom-Json
$SS.SharedServices.SubscriptionId = "000000-000-0000-0000"
$SS.SharedServices.TenantId ="000000-000-0000-0000"
$SS | ConvertTo-Json | Set-Content -Path .\Environments\_Common\subscriptions.json
$arti = (Get-Content -Path .\Environments\_Common\subscriptions.json) | ConvertFrom-Json
$arti.Artifacts.SubscriptionId = "000000-000-0000-0000"
$arti.Artifacts.TenantId = "000000-000-0000-0000"
$arti | ConvertTo-Json | Set-Content -Path .\Environments\_Common\subscriptions.json
$onprem = (Get-Content -Path .\Environments\_Common\subscriptions.json) | ConvertFrom-Json
$onprem.OnPremises.SubscriptionId = "000000-000-0000-0000"
$onprem.OnPremises.TenantId = "000000-000-0000-0000"
$onprem | ConvertTo-Json | Set-Content -Path .\Environments\_Common\subscriptions.json
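Review bot: ConvertTo-Json defaults to -Depth 2, so any object nested deeper than two levels in subscriptions.json is written back as a flattened string; pass `-Depth 100` on every ConvertTo-Json call here. The file is also read and rewritten four times in a row; load it once, set the four SubscriptionId/TenantId pairs, and write it once.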


@ -55,6 +55,24 @@ $defaultModuleConfigurationsFolderName = "Modules";
$defaultTemplateFileName = "deploy.json";
$defaultParametersFileName = "parameters.json";
# Get/Set the BLOB Storage & Management URL based on Azure Environment
$discUrlResponse = Get-AzureApiUrl -AzureEnvironment $ENV:AZURE_ENVIRONMENT_NAME -AzureDiscoveryUrl $ENV:AZURE_DISCOVERY_URL
$ENV:AZURE_STORAGE_BLOB_URL = $discUrlResponse.suffixes.storage
$AzureManagementUrl = $discUrlResponse.authentication.audiences[1]
Write-Debug "AZURE_STORAGE_BLOB_URL: $ENV:AZURE_STORAGE_BLOB_URL"
Write-Debug "AzureManagementUrl: $AzureManagementUrl"
$ENV:VDC_SUBSCRIPTIONS = (Get-Content .\Environments\_Common\subscriptions.json -Raw)
$ENV:VDC_TOOLKIT_SUBSCRIPTION = (Get-Content .\Config\toolkit.subscription.json -Raw)
Write-Debug "AZURE_STORAGE_BLOB_URL: $ENV:AZURE_STORAGE_BLOB_URL"
Write-Debug "AzureManagementUrl: $AzureManagementUrl"
# Get the config files
$ENV:VDC_SUBSCRIPTIONS = (Get-Content ./Environments/_Common/subscriptions.json -Raw)
$ENV:VDC_TOOLKIT_SUBSCRIPTION = (Get-Content ./Config/toolkit.subscription.json -Raw)
#Write-Debug "ToolkitJSON: $ENV:VDC_SUBSCRIPTIONS"
#Write-Debug "SubscriptionJson: $ENV:VDC_TOOLKIT_SUBSCRIPTION"
Function Start-Deployment {
[CmdletBinding()]
param (
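Review bot: `$discUrlResponse.authentication.audiences[1]` depends on the order of the audiences array; the discovery response carries a `resourceManager` property for exactly this purpose, so `$discUrlResponse.resourceManager` is the stable choice. If Get-AzureApiUrl returns $null (AZURE_ENVIRONMENT_NAME or AZURE_DISCOVERY_URL unset), the storage suffix becomes empty and the management URL falls back to the public cloud, which silently misroutes a Government deployment; fail fast here instead. The Write-Debug lines and the VDC_SUBSCRIPTIONS/VDC_TOOLKIT_SUBSCRIPTION reads are also duplicated in this hunk (once with `.\` and once with `./` paths); keep one copy.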
@ -130,18 +148,18 @@ Function Start-Deployment {
$ModuleConfigurationName = `
$moduleConfiguration.Name;
$subscriptionInformation = $null;
$subscriptionInformation = `
Get-SubscriptionInformation `
-ArchetypeInstanceJson $archetypeInstanceJson `
-SubscriptionName $archetypeInstanceJson.Parameters.Subscription `
-ModuleConfiguration $moduleConfiguration `
-Mode @{ "False" = "deploy"; "True" = "validate"; }[$Validate.ToString()];
if ($null -eq $subscriptionInformation) {
throw "Subscription: $($archetypeInstanceJson.Parameters.Subscription) not found";
}
$subscriptionInformation = $null;
$subscriptionInformation = `
Get-SubscriptionInformation `
-ArchetypeInstanceJson $archetypeInstanceJson `
-SubscriptionName $archetypeInstanceJson.Parameters.Subscription `
-ModuleConfiguration $moduleConfiguration `
-Mode @{ "False" = "deploy"; "True" = "validate"; }[$Validate.ToString()];
if ($null -eq $subscriptionInformation) {
throw "Subscription: $($archetypeInstanceJson.Parameters.Subscription) not found";
}
# Let's get the current subscription context
$sub = Get-AzContext | Select-Object Subscription
@ -331,7 +349,8 @@ Function Start-Deployment {
-ModuleConfiguration $moduleConfiguration.Policies `
-ArchetypeInstanceName $ArchetypeInstanceName `
-Location $location `
-Validate:$($Validate.IsPresent);
-Validate:$($Validate.IsPresent) `
-AzureManagementUrl $AzureManagementUrl;
Write-Debug "Deployment complete, Resource state is: $(ConvertTo-Json -Compress $policyResourceState)";
}
else {
@ -392,7 +411,8 @@ Function Start-Deployment {
-ModuleConfiguration $moduleConfiguration.RBAC `
-ArchetypeInstanceName $ArchetypeInstanceName `
-Location $location `
-Validate:$($Validate.IsPresent);
-Validate:$($Validate.IsPresent) `
-AzureManagementUrl $AzureManagementUrl;
Write-Debug "Deployment complete, Resource state is: $(ConvertTo-Json -Compress $rbacResourceState)";
}
else {
@ -413,7 +433,8 @@ Function Start-Deployment {
-ModuleConfiguration $moduleConfiguration.Deployment `
-ArchetypeInstanceName $ArchetypeInstanceName `
-Location $location `
-Validate:$($Validate.IsPresent);
-Validate:$($Validate.IsPresent) `
-AzureManagementUrl $AzureManagementUrl;
Write-Debug "Deployment complete, Resource state is: $(ConvertTo-Json -Compress $resourceState)";
}
}
@ -745,7 +766,7 @@ Function Start-Init {
$global:customScriptExecution = `
$factory.GetInstance('CustomScriptExecution');
# Contruct the archetype instance object only if it is not already
# cached
$archetypeInstanceJson = `
@ -764,6 +785,9 @@ Function Start-Init {
$location = $archetypeInstanceJson.Parameters.Location
}
Write-Debug ($archetypeInstanceJson.Orchestration.ModuleConfigurations.Deployment.OverrideParameters[10].storageBlobUrl | Format-Table | Out-String)
Write-Debug ($archetypeInstanceJson.Parameters | Format-Table | Out-String)
# Retrieve the Archetype instance name if not already passed
# to this function
$archetypeInstanceName = `
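Review bot: the Write-Debug indexes OverrideParameters[10] by position, which throws or prints the wrong module as soon as the module list changes; look the entry up by name or drop this debugging line before merge.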
@ -802,12 +826,12 @@ Function Get-AllModules {
$topologicalSortRootPath = `
Join-Path $rootPath -ChildPath 'TopologicalSort';
# Adding Out-Null to prevent outputs from the Invoke-Command from being added to
# Adding Out-Null to prevent outputs from the Invoke-Command from being added to
Invoke-Command -ScriptBlock { dotnet build $topologicalSortRootPath --configuration Release --output ./ } | Out-Null
$topologicalSortAssemblyPath = `
Join-Path $topologicalSortRootPath "TopologicalSort.dll"
$topologicalSortAssemblyPath = Join-Path $topologicalSortRootPath "TopologicalSort.dll"
Add-Type -Path $topologicalSortAssemblyPath
@ -1510,7 +1534,7 @@ Function Get-AuditStorageInformation {
StorageAccountName = ''
LocalPath = ''
};
if ($ToolkitConfigurationJson.Configuration.Audit -and
$ToolkitConfigurationJson.Configuration.Audit.StorageType.ToLower() -eq "storageaccount"){
@ -2180,7 +2204,9 @@ Function New-AzureResourceManagerDeployment {
$Location,
[Parameter(Mandatory=$true)]
[switch]
$Validate
$Validate,
[string]
$AzureManagementUrl
)
try {
@ -2216,7 +2242,8 @@ Function New-AzureResourceManagerDeployment {
$ResourceGroupName,
$DeploymentTemplate,
$DeploymentParameters,
$Location);
$Location,
$AzureManagementUrl);
}
}
catch {
@ -3172,3 +3199,5 @@ if (![string]::IsNullOrEmpty($DefinitionPath)) {
}
}
}


@ -0,0 +1,28 @@
##### Replace values with environment variables for the toolkit.subscription.json file
$var = (Get-Content -Path .\Config\toolkit.subscription.json) | ConvertFrom-Json
$var.Comments = "ToolKit for creating a new Virtual Data Center"
$var.SubscriptionId = $ENV:SUBSCRIPTION_ID
$var.TenantId = $ENV:TENANT_ID
$var.Location = $ENV:AZURE_LOCATION
$var | ConvertTo-Json | Set-Content -Path .\Config\toolkit.subscription.json
##### Replace values with environment variables for the subscription.json file
$vdc = (Get-Content -Path .\Environments\_Common\subscriptions.json) | ConvertFrom-Json
$vdc.VDCVDI.SubscriptionId = $ENV:SUBSCRIPTION_ID
$vdc.VDCVDI.TenantId = $ENV:TENANT_ID
$vdc | ConvertTo-Json | Set-Content -Path .\Environments\_Common\subscriptions.json
$SS = (Get-Content -Path .\Environments\_Common\subscriptions.json) | ConvertFrom-Json
$SS.SharedServices.SubscriptionId = $ENV:SUBSCRIPTION_ID
$SS.SharedServices.TenantId = $ENV:TENANT_ID
$SS | ConvertTo-Json | Set-Content -Path .\Environments\_Common\subscriptions.json
$arti = (Get-Content -Path .\Environments\_Common\subscriptions.json) | ConvertFrom-Json
$arti.Artifacts.SubscriptionId = $ENV:SUBSCRIPTION_ID
$arti.Artifacts.TenantId = $ENV:TENANT_ID
$arti | ConvertTo-Json | Set-Content -Path .\Environments\_Common\subscriptions.json
$onprem = (Get-Content -Path .\Environments\_Common\subscriptions.json) | ConvertFrom-Json
$onprem.OnPremises.SubscriptionId = $ENV:SUBSCRIPTION_ID
$onprem.OnPremises.TenantId = $ENV:TENANT_ID
$onprem | ConvertTo-Json | Set-Content -Path .\Environments\_Common\subscriptions.json
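Review bot: nothing checks that $ENV:SUBSCRIPTION_ID, $ENV:TENANT_ID and $ENV:AZURE_LOCATION are set, so an unset variable writes null into the config files and the failure surfaces later inside the deployment; validate them at the top and throw. As in the cleanup script, ConvertTo-Json needs `-Depth 100` to avoid flattening nested objects, and the file can be loaded and written once instead of four times.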


@ -22,3 +22,4 @@ Here's what is included:
- [Modules](./Modules) Modules are the building blocks for the reference architectures. An indvidual module is an Azure Reousrce Manager template for deploying a single resource or a set of closely related resources. These modules are structured in a way to facilitate passing outputs to subsequent deployments.
- [Orchestration](./Orchestration) This folder contains the scripts for the toolkit. The primary entry point is `Orchestration\OrchestrationService\ModuleConfigurationDeployment.ps1`. This script is used for local deployments and by the sample Azure DevOps pipelines.
- [Scripts](./Scripts) These are additional assets that are used when deploying some of the environments.
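Review bot: while touching this section, the Modules bullet misspells "individual" ("indvidual") and "Resource" ("Reousrce").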

Binary data
Scripts/Windows/install_ADDS_No_Disk_Format.zip

Binary file not shown.

action.yml Normal file

@ -0,0 +1,11 @@
name: 'Build and deploy the VDC toolkit'
description: 'Builds toolkit for VDC.'
author: 'Jack '
runs:
using: 'docker'
image: 'dockerfile'
branding:
color: red
icon: flag
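Review bot: `image: 'dockerfile'` must match the Dockerfile's exact filename, and the runner's filesystem is case-sensitive, so verify the casing of the file in the repository. The author value 'Jack ' carries a trailing space.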


@ -1,4 +1,4 @@
FROM ubuntu
FROM ubuntu:18.04
WORKDIR /usr/src/app
COPY . ./
RUN apt-get update \
@ -11,6 +11,7 @@ RUN apt-get update \
&& pwsh -Command "Install-Module -Name Az -Force" \
&& pwsh -Command "Install-Module -Name Pester -Force" \
&& pwsh -Command "Install-Module -Name Az.ResourceGraph -Force" \
&& pwsh -Command "Install-Module -Name Az.Accounts -Force" \
&& export VER="1.4.1" \
&& wget -q https://releases.hashicorp.com/packer/${VER}/packer_${VER}_linux_amd64.zip \
&& unzip packer_${VER}_linux_amd64.zip \
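Review bot: Install-Module -Name Az.Accounts is redundant, since Az already depends on and installs Az.Accounts on the line above; the extra call only adds build time.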
@ -24,4 +25,8 @@ RUN apt-get update \
&& apt-get install azure-cli \
&& apt-get install -y dotnet-sdk-2.2 \
&& dotnet build Orchestration/OrchestrationService/TopologicalSort/TopologicalSort.csproj --configuration Release
ENTRYPOINT [ "pwsh" ]
RUN chmod 755 /usr/src/app
COPY entrypoint1.ps1 /usr/src/app/entrypoint1.ps1
ENTRYPOINT [ "pwsh", "-c", "./entrypoint1.ps1" ]
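Review bot: `COPY . ./` earlier in the file already copies entrypoint1.ps1 into /usr/src/app, so the second COPY is redundant, and `chmod 755` on the directory does not change the script's mode (it is not needed anyway because pwsh is invoked explicitly). Prefer `ENTRYPOINT ["pwsh", "-File", "./entrypoint1.ps1"]` over `-c` so the script's exit code is propagated to the container.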

entrypoint1.ps1 Normal file

@ -0,0 +1,35 @@
#!/usr/src/app
$null = Find-Module -Name Az | Install-Module -Force
$null = Install-Module Az.ResourceGraph -Force
$null = Install-Module -Name Az.Accounts -Force
$null = Install-Module -Name Pester -Force
$secpasswd = ConvertTo-SecureString $env:SERVICE_PRINCIPAL_PASS -AsPlainText -Force
$Credential = New-Object System.Management.Automation.PSCredential ($env:SERVICE_PRINCIPAL, $secpasswd)
Connect-AzAccount -ServicePrincipal -Credential $Credential -Tenant $env:TENANT_ID -Subscription $env:SUBSCRIPTION_ID -EnvironmentName $env:AZURE_ENVIRONMENT_NAME
Write-Host "Welcome to the Virtual Datacenter tool kit"
## Execute the Pre-req script for adding Sub ID, Tenant ID, and Location to the configuration files
Write-Host "Executing the pre-req script in the config files"
./Orchestration/OrchestrationService/Pre_req_script.ps1
## Add a quick sleep to make sure the config files are updated before entering the main script
Start-Sleep -s 5
## Enter the main script for deploying shared services
Write-Host "Starting the script for deploying your Shared Services"
./Orchestration/OrchestrationService/ModuleConfigurationDeployment.ps1 -DefinitionPath ./Environments/SharedServices/definition.json
Write-Host "The deployment was succesfull if: Exit code $LASTEXITCODE == 0" -Verbose
Write-Host "Starting the script for deploying MS-VDI"
./Orchestration/OrchestrationService/ModuleConfigurationDeployment.ps1 -DefinitionPath ./Environments/MS-VDI/definition.json
Write-Host "The deployment was succesfull if: Exit code $LASTEXITCODE == 0" -Verbose
## Run the cleanup script so that no values are retained in code for the config files
Write-Host "Executing the cleanup script"
./Orchestration/OrchestrationService/Cleanup_Script.ps1
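Review bot: `$LASTEXITCODE` is only set by native executables, not by invoking a .ps1 script, so the "succesfull if: Exit code ... == 0" messages do not reflect the deployment result; wrap each call in try/catch with `$ErrorActionPreference = 'Stop'` (or check `$?`) and stop before the MS-VDI deployment when Shared Services failed. Put Cleanup_Script.ps1 in a `finally` block so the subscription and tenant IDs are scrubbed from the config files even on failure. The `#!/usr/src/app` line names a directory rather than an interpreter and can go, the runtime Install-Module calls duplicate what the Dockerfile already installs and make every run depend on the PowerShell Gallery, and `Write-Host -Verbose` has no effect ("succesfull" is also misspelled).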