Identity Archetype

.github/workflows/0-everything.yml

@@ -20,6 +20,11 @@ on:
           - "HubNetworkWithNVA"
           - "HubNetworkWithAzureFirewall"
         default: "HubNetworkWithAzureFirewall"
+      deployIdentity:
+        type: boolean
+        description: "Deploy Identity Subscription"
+        required: true
+        default: false
       subscriptionIds:
         type: string
         description: Subscription ID(s) (optional), e.g. "abcd", "1234"
@@ -306,6 +311,34 @@ jobs:
           -NvaUsername (ConvertTo-SecureString -String '${{secrets.NVA_USERNAME}}' -AsPlainText -Force) `
           -NvaPassword (ConvertTo-SecureString -String '${{secrets.NVA_PASSWORD}} '-AsPlainText -Force)
 
+  identity:
+    name: Identity
+    if: github.event.inputs.deployIdentity == 'true'
+
+    needs:
+      - Logging
+      - HubNetworking
+
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v3
+
+    - name: Configure PowerShell modules
+      run: |
+        Install-Module Az -Force
+        Install-Module powershell-yaml -Force
+
+    - name: Deploy Identity
+      run: |
+        ./RunWorkflows.ps1 `
+          -DeployIdentity `
+          -EnvironmentName '${{github.event.inputs.environmentName}}' `
+          -LoginServicePrincipalJson (ConvertTo-SecureString -String '${{secrets.ALZ_CREDENTIALS}}' -AsPlainText -Force) `
+          -GitHubRepo ${env:GITHUB_REPOSITORY} `
+          -GitHubRef ${env:GITHUB_REF}
+
   SubscriptionMatrix:
     if: github.event.inputs.subscriptionIds != ''
 

.github/workflows/6-identity.yml

@@ -0,0 +1,46 @@
+# ----------------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT license.
+#
+# THIS CODE AND INFORMATION ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, 
+# EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES 
+# OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
+# ----------------------------------------------------------------------------------
+
+name: 6 - Identity
+
+on:
+  workflow_dispatch:
+    inputs:
+      environmentName:
+        type: string
+        description: Environment name (optional), e.g. CanadaESLZ-main
+        required: false
+
+defaults:
+  run:
+    shell: pwsh
+    working-directory: scripts/deployments
+
+jobs:
+  identity:
+    name: Identity
+    runs-on: ubuntu-latest
+    steps:
+
+    - name: Checkout
+      uses: actions/checkout@v3
+
+    - name: Configure PowerShell modules
+      run: |
+        Install-Module Az -Force
+        Install-Module powershell-yaml -Force
+
+    - name: Deploy Identity
+      run: |
+        ./RunWorkflows.ps1 `
+          -DeployIdentity `
+          -EnvironmentName '${{github.event.inputs.environmentName}}' `
+          -LoginServicePrincipalJson (ConvertTo-SecureString -String '${{secrets.ALZ_CREDENTIALS}}' -AsPlainText -Force) `
+          -GitHubRepo ${env:GITHUB_REPOSITORY} `
+          -GitHubRef ${env:GITHUB_REF}

.github/workflows/README.md

@@ -22,7 +22,8 @@ The following workflows are present in the `.github/workflows` repository folder
 | 5 | Azure Firewall Policy (required for Hub Networking with Azure Firewall) | `5-azure-firewall-policy.yml`
 | 5 | Hub Networking with Azure Firewall | `5-hub-network-with-azure-firewall.yml`
 | 5 | Hub Networking with NVA | `5-hub-network-with-nva.yml`
-| 6 | Subscriptions | `6-subscriptions.yml`
+| 6 | Identity | `6-identity.yml`
+| 7 | Subscriptions | `7-subscriptions.yml`
 
 With the exception of the `Everything` workflow, all other workflows need to be run in the order specified. For example, the `Policy` workflow is dependent on resources deployed by the `Logging` workflow. Think of it as a layered approach; once the layer is deployed, it only requires re-running if some configuration at that layer changes.
 

.github/workflows/consistency-check.yml

@@ -9,6 +9,7 @@ env:
   SCHEMA_FOLDER: schemas/latest/landingzones
   LOGGING_PATH_FROM_ROOT: config/logging
   NETWORKING_PATH_FROM_ROOT: config/networking
+  IDENTITY_PATH_FROM_ROOT: config/identity
   SUBSCRIPTIONS_PATH_FROM_ROOT: config/subscriptions
 
 jobs:
@@ -82,6 +83,14 @@ jobs:
               Get-Content -Raw $_ | Test-Json -SchemaFile $HubNetworkWithNVASchemaFile
           }
 
+          $IdentityFileFilter="*.json"
+          $IdentitySchemaFile="${{env.SCHEMA_FOLDER}}/lz-platform-identity.json"
+
+          Get-ChildItem -Recurse -Filter $IdentityFileFilter -Path "${{env.IDENTITY_PATH_FROM_ROOT}}" | ForEach-Object {
+              Write-Host "Validating: $_ with $IdentitySchemaFile"
+              Get-Content -Raw $_ | Test-Json -SchemaFile $IdentitySchemaFile
+          }
+
           $GenericSubscriptionFileFilter="*generic-subscription*.json"
           $GenericSubscriptionSchemaFile="${{env.SCHEMA_FOLDER}}/lz-generic-subscription.json"
 

.github/workflows/pull-request-check.yml

@@ -12,6 +12,7 @@ env:
   SCHEMA_FOLDER: schemas/latest/landingzones
   LOGGING_PATH_FROM_ROOT: config/logging
   NETWORKING_PATH_FROM_ROOT: config/networking
+  IDENTITY_PATH_FROM_ROOT: config/identity
   SUBSCRIPTIONS_PATH_FROM_ROOT: config/subscriptions
 
 jobs:
@@ -84,6 +85,14 @@ jobs:
               Write-Host "Validating: $_ with $HubNetworkWithNVASchemaFile"
               Get-Content -Raw $_ | Test-Json -SchemaFile $HubNetworkWithNVASchemaFile
           }
+
+          $IdentityFileFilter="*.json"
+          $IdentitySchemaFile="${{env.SCHEMA_FOLDER}}/lz-platform-identity.json"
+
+          Get-ChildItem -Recurse -Filter $IdentityFileFilter -Path "${{env.IDENTITY_PATH_FROM_ROOT}}" | ForEach-Object {
+              Write-Host "Validating: $_ with $IdentitySchemaFile"
+              Get-Content -Raw $_ | Test-Json -SchemaFile $IdentitySchemaFile
+          }
 
           $GenericSubscriptionFileFilter="*generic-subscription*.json"
           $GenericSubscriptionSchemaFile="${{env.SCHEMA_FOLDER}}/lz-generic-subscription.json"

.pipelines/platform-identity.yml

@@ -0,0 +1,64 @@
+# ----------------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT license.
+#
+# THIS CODE AND INFORMATION ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, 
+# EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES 
+# OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
+# ----------------------------------------------------------------------------------
+
+trigger: none
+
+pr: none
+
+variables:
+- name: devops-org-name
+  value: ${{ replace(replace(variables['System.CollectionUri'], 'https://dev.azure.com/' , ''), '/', '') }}
+- name: logging-config-directory
+  value: $(System.DefaultWorkingDirectory)/$(loggingPathFromRoot)/${{ variables['devops-org-name'] }}-${{ variables['Build.SourceBranchName'] }}
+- name: identity-config-directory
+  value: $(System.DefaultWorkingDirectory)/$(identityPathFromRoot)/${{ variables['devops-org-name'] }}-${{ variables['Build.SourceBranchName'] }}
+- name: variable-template-file
+  value: ${{ variables['devops-org-name'] }}-${{ variables['Build.SourceBranchName'] }}.yml
+- template: ../config/variables/common.yml
+- template: ../config/variables/${{ variables['variable-template-file'] }}
+
+
+pool:
+  vmImage: $[ variables.vmImage ]
+
+stages:
+
+- stage: DeployNetworkingStage
+  displayName: Deploy Networking Stage
+
+  jobs:
+
+  - deployment: DeployIdentityJob
+    displayName: Deploy Identity Job
+    environment: ${{ variables['Build.SourceBranchName'] }}
+    strategy:
+      runOnce:
+        deploy:
+          steps:
+          - checkout: self
+
+          - template: templates/steps/load-variables.yml
+
+          - template: templates/steps/load-log-analytics-vars.yml
+            parameters:
+              logAnalyticsSubscriptionId: $(var-logging-subscriptionId)
+              logAnalyticsConfigurationFile: ${{ variables['logging-config-directory'] }}/$(var-logging-configurationFileName)
+
+          - template: templates/steps/show-variables.yml
+            parameters:
+              json: ${{ convertToJson(variables) }}
+
+          - template: templates/steps/deploy-platform-identity.yml
+            parameters:
+              workingDir: $(System.DefaultWorkingDirectory)/landingzones
+              deployOperation: ${{ variables['deployOperation'] }}
+              identityManagementGroupId: $(var-identity-managementGroupId)
+              identitySubscriptionId: $(var-identity-subscriptionId)
+              identityRegion: $(var-identity-region)
+              identityConfigurationPath: ${{ variables['identity-config-directory'] }}/$(var-identity-configurationFileName)

.pipelines/policy.yml

@@ -96,7 +96,7 @@ stages:
     - template: templates/steps/define-policyset.yml
       parameters:
         description: 'Define Policy Set'
-        deployTemplates: [AKS, DefenderForCloud, LogAnalytics, Network, DNSPrivateEndpoints, Tags]
+        deployTemplates: [AKS, DefenderForCloud, DNSPrivateEndpoints, LogAnalytics, Network, Tags]
         deployOperation: ${{ variables['deployOperation'] }}
         workingDir: $(System.DefaultWorkingDirectory)/policy/custom/definitions/policyset
 

.pipelines/templates/steps/deploy-platform-identity.yml

@@ -0,0 +1,83 @@
+# ----------------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT license.
+#
+# THIS CODE AND INFORMATION ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, 
+# EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES 
+# OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
+# ----------------------------------------------------------------------------------
+
+parameters:
+  - name: workingDir
+    type: string
+  - name: deployOperation
+    type: string
+    default: create
+    values:
+      - create
+      - what-if
+  - name: identityManagementGroupId
+    type: string
+  - name: identitySubscriptionId
+    type: string
+  - name: identityRegion
+    type: string
+  - name: identityConfigurationPath
+    type: string
+
+steps:
+
+- task: PowerShell@2
+  displayName: Validate identity Parameters
+  inputs:
+    targetType: 'inline'
+    script: |
+      $schemaFile="$(Build.SourcesDirectory)/schemas/latest/landingzones/lz-platform-identity.json"
+
+      Write-Host "Parameters File: ${{ parameters.identityConfigurationPath }}"
+      Write-Host "Schema File: ${schemaFile}"
+
+      Get-Content -Raw "${{ parameters.identityConfigurationPath }}" | Test-Json -SchemaFile "${schemaFile}"
+
+- template: ./move-subscription.yml
+  parameters:
+    managementGroup: ${{ parameters.identityManagementGroupId }}
+    subscriptionGuid: ${{ parameters.identitySubscriptionId }}
+    subscriptionLocation: ${{ parameters.identityRegion }}
+    templateDirectory: $(Build.SourcesDirectory)/landingzones/utils/mg-move
+    templateFile: move-subscription.bicep
+    workingDir: ${{ parameters.workingDir }}/utils/mg-move
+
+- task: AzureCLI@2
+  displayName: Configure Identity LZ
+  inputs:
+    azureSubscription: $(serviceConnection)
+    scriptType: 'bash'
+    scriptLocation: 'inlineScript'
+    inlineScript: |
+      $(var-bashPreInjectScript)
+
+      # Check if the log analytics workspace id is provided in the parameters json.
+      # If present, then do no change it.  Otherwise add it to the json parameter file.
+      LOG_ANALYTICS_WORKSPACE_RESOURCE_ID_IN_PARAMETERS=`jq -r .parameters.logAnalyticsWorkspaceResourceId.value ${{ parameters.identityConfigurationPath }}`   
+
+      if [[ $LOG_ANALYTICS_WORKSPACE_RESOURCE_ID_IN_PARAMETERS != null && "$LOG_ANALYTICS_WORKSPACE_RESOURCE_ID_IN_PARAMETERS" != "" ]];
+      then
+        echo "Log Analytics Workspace Resource ID is set in ${{ parameters.identityConfigurationPath }} to $LOG_ANALYTICS_WORKSPACE_RESOURCE_ID_IN_PARAMETERS"
+      else
+        echo "Log Analytics Workspace Resource ID is not set in ${{ parameters.identityConfigurationPath }}.  Updating ${{ parameters.identityConfigurationPath }} with $(var-logging-logAnalyticsWorkspaceResourceId)"
+
+        # use jq to update the json parameter file
+        echo "$( jq '.parameters.logAnalyticsWorkspaceResourceId.value = "$(var-logging-logAnalyticsWorkspaceResourceId)"' ${{ parameters.identityConfigurationPath }} )" > ${{ parameters.identityConfigurationPath }}
+      fi
+
+      echo "Deploying main.bicep using ${{ parameters.deployOperation}} operation using ${{ parameters.identityConfigurationPath  }}..."
+
+      az deployment sub ${{ parameters.deployOperation }} \
+      --location ${{ parameters.identityRegion }} \
+      --subscription ${{ parameters.identitySubscriptionId }} \
+      --template-file main.bicep \
+      --parameters @${{ parameters.identityConfigurationPath }}
+
+      $(var-bashPostInjectScript)
+    workingDirectory: '${{ parameters.workingDir }}/lz-platform-identity'

.pipelines/templates/steps/show-variables.yml

@@ -70,4 +70,10 @@ steps:
       echo
       printenv -0 | grep -zi '^var-hubnetwork-nva-' | xargs -0 -L 1 echo
 
+      echo
+      echo
+      echo "IDENTITY"
+      echo
+      printenv -0 | grep -zi '^var-identity-' | xargs -0 -L 1 echo
+
       $(var-bashPostInjectScript)

azresources/network/dns-forwarding-ruleset.bicep

@@ -0,0 +1,57 @@
+// ----------------------------------------------------------------------------------
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
+//
+// THIS CODE AND INFORMATION ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, 
+// EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES 
+// OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
+// ----------------------------------------------------------------------------------
+
+param name string
+param location string = resourceGroup().location
+
+@description('Outbound endpoint id')
+param outEndpointId string
+
+param forwardingRuleSet array
+
+param linkRuleSetToVnet bool = false
+param linkName string = ''
+param vnetId string = '' 
+
+
+
+resource ruleset 'Microsoft.Network/dnsForwardingRulesets@2022-07-01' = {
+  name: name
+  location: location
+  properties: {
+    dnsResolverOutboundEndpoints: [
+      {
+        id: outEndpointId
+      }
+    ]
+  }
+}
+
+resource fwRule 'Microsoft.Network/dnsForwardingRulesets/forwardingRules@2022-07-01' = [for rule in forwardingRuleSet: {
+  name: rule.name
+  parent: ruleset
+  properties: {
+    forwardingRuleState: rule.state
+    domainName: endsWith(rule.domain, '.') ? rule.domain : '${rule.domain}.' //Adding a '.' at the end of the domain name if it is not present
+    targetDnsServers: rule.targetDnsServers
+  }
+}]
+
+
+module dnsResolverLinkVnet 'dnsresolver-vnet-link.bicep'= if(linkRuleSetToVnet){
+  name:'deploy-private-dns-resolver-vnet-link'
+  params:{
+    forwardingRulesetName: ruleset.name
+    linkName: linkName
+    vnetId: vnetId
+  }
+}
+
+output ruleSetName string = ruleset.name
+