diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json
index ff628c325..e93623970 100644
--- a/eslzArm/eslzArm.json
+++ b/eslzArm/eslzArm.json
@@ -1697,7 +1697,7 @@
 "roleDefinitions": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/roleDefinitions/customRoleDefinitions.json')]",
 "policyDefinitions": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyDefinitions/policies.json')]",
 "initiativeDefinitions": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyDefinitions/initiatives.json')]",
- "preRequisites": "[uri(deployment().properties.templateLink.uri, 'prerequisites/deployPrerequisites1.json')]",
+ "preRequisites": "[uri(deployment().properties.templateLink.uri, 'prerequisites/deployPrerequisites.json')]",
 "avnmConnectivityHub": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/avnmConfiguration.json')]",
 "avnmPolicy": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/avnmPolicy.json')]",
 "vnetConnectivityHub": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/hubspoke-connectivity.json')]",
diff --git a/eslzArm/prerequisites/deployPrerequisites.json b/eslzArm/prerequisites/deployPrerequisites.json
index 61435ea80..ca6cf4923 100644
--- a/eslzArm/prerequisites/deployPrerequisites.json
+++ b/eslzArm/prerequisites/deployPrerequisites.json
@@ -1,204 +1,252 @@
 {
- "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- "resourceGroupName": {
- "type": "string",
- "defaultValue": "rg-alz-prereqs",
- "metadata": {
- "description": "The resource group name where the AVNM resources will be created"
- }
- },
- "location": {
- "type": "string",
- "minLength": 6,
- "metadata": {
- "description": "The location of this AVNM instance. All resources will be deployed to this region."
- }
- },
- "eslzRootName": {
- "type": "string",
- "metadata": {
- "description": "The name of the Enterprise Scale Landing Zone root resource."
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "resourceGroupName": {
+ "type": "string",
+ "defaultValue": "rg-alz-prereqs",
+ "metadata": {
+ "description": "The resource group name where the AVNM resources will be created"
+ }
+ },
+ "location": {
+ "type": "string",
+ "minLength": 6,
+ "metadata": {
+ "description": "The location of this AVNM instance. All resources will be deployed to this region."
+ }
+ },
+ "eslzRootName": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the Enterprise Scale Landing Zone root resource."
+ }
+ },
+ "managementSubscriptionId": {
+ "type": "string",
+ "metadata": {
+ "description": "The subscription ID of the management subscription."
+ }
 }
- }
- },
- "resources": [
- {
- "type": "Microsoft.Resources/resourceGroups",
- "apiVersion": "2022-09-01",
- "name": "[parameters('resourceGroupName')]",
- "location": "[parameters('location')]"
 },
- {
- "type": "Microsoft.Resources/deployments",
- "apiVersion": "2022-09-01",
- "name": "alz-prerequisites-uai",
- "resourceGroup": "[parameters('resourceGroupName')]",
- "properties": {
- "expressionEvaluationOptions": {
- "scope": "inner"
- },
- "mode": "Incremental",
- "parameters": {
- "location": {
- "value": "[parameters('location')]"
- },
- "eslzRootName": {
- "value": "[parameters('eslzRootName')]"
- }
- },
- "template": {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- "location": {
- "type": "string"
- },
- "eslzRootName": {
- "type": "string"
- }
- },
- "variables": {},
- "resources": [
- {
- "type": "Microsoft.ManagedIdentity/userAssignedIdentities",
- "apiVersion": "2022-01-31-preview",
- "name": "[format('uai-prereq-{0}', parameters('location'))]",
- "location": "[parameters('location')]",
- "metadata": {
- "description": "This user assigned identity is used by the Deployment Script resource to interact with Azure resources."
- }
- },
- {
- "type": "Microsoft.Authorization/roleAssignments",
- "apiVersion": "2022-04-01",
- "name": "[guid(resourceGroup().id, format('uai-prereq-{0}', parameters('location')))]",
- "properties": {
- "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]",
- "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-prereq-{0}', parameters('location'))), '2022-01-31-preview').principalId]",
- "principalType": "ServicePrincipal"
- },
- "dependsOn": [
- "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-prereq-{0}', parameters('location')))]"
- ],
- "metadata": {
- "description": "This role assignment grants the user assigned identity the Contributor role on the resource group."
- }
- }
- ],
- "outputs": {
- "userAssignedIdentityId": {
- "type": "string",
- "value": "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-prereq-{0}', parameters('location')))]"
- }
+ "resources": [
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2022-09-01",
+ "name": "alz-prerequisites-001",
+ "location": "[parameters('location')]",
+ "subscriptionId": "[parameters('managementSubscriptionId')]",
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.Resources/resourceGroups",
+ "apiVersion": "2022-09-01",
+ "name": "[parameters('resourceGroupName')]",
+ "location": "[parameters('location')]"
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2022-09-01",
+ "name": "alz-prerequisites-uai",
+ "resourceGroup": "[parameters('resourceGroupName')]",
+ "dependsOn": [
+ "[format('/subscriptions/{0}/resourceGroups/{1}', parameters('managementSubscriptionId'), parameters('resourceGroupName'))]"
+ ],
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "location": {
+ "value": "[parameters('location')]"
+ },
+ "managementSubscriptionId": {
+ "value": "[parameters('managementSubscriptionId')]"
+ },
+ "resourceGroupName": {
+ "value": "[parameters('resourceGroupName')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "location": {
+ "type": "string"
+ },
+ "managementSubscriptionId": {
+ "type": "string"
+ },
+ "resourceGroupName": {
+ "type": "string"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.ManagedIdentity/userAssignedIdentities",
+ "apiVersion": "2023-07-31-preview",
+ "name": "uai-alz-prereq",
+ "location": "[parameters('location')]"
+ }
+ ],
+ "outputs": {
+ "userAssignedIdentityId": {
+ "type": "string",
+ "value": "[resourceId(parameters('managementSubscriptionId'),parameters('resourceGroupName'),'Microsoft.ManagedIdentity/userAssignedIdentities', 'uai-alz-prereq')]"
+ }
+ }
+ }
+ }
+ }
+ ]
 }
 }
 },
- "dependsOn": [
- "[subscriptionResourceId('Microsoft.Resources/resourceGroups', parameters('resourceGroupName'))]"
- ]
- },
- {
- "type": "Microsoft.Resources/deployments",
- "apiVersion": "2022-09-01",
- "name": "[format('ds-{0}-prereqs', parameters('location'))]",
- "resourceGroup": "[parameters('resourceGroupName')]",
- "properties": {
- "expressionEvaluationOptions": {
- "scope": "inner"
+ {
+ "type": "Microsoft.Authorization/roleAssignments",
+ "apiVersion": "2022-04-01",
+ "name": "[guid(format('alz-prerequisites-{0}-{1}', parameters('eslzRootName'), parameters('location')))]",
+ "location": "[parameters('location')]",
+ "properties": {
+ "roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
+ "principalId": "[reference(resourceId(parameters('managementSubscriptionId'),parameters('resourceGroupName'),'Microsoft.ManagedIdentity/userAssignedIdentities', 'uai-alz-prereq'), '2023-07-31-preview').principalId]",
+ "principalType": "ServicePrincipal"
 },
- "mode": "Incremental",
- "parameters": {
- "location": {
- "value": "[parameters('location')]"
- },
- "userAssignedIdentityId": {
- "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('resourceGroupName')), 'Microsoft.Resources/deployments', 'alz-prerequisites-uai'), '2022-09-01').outputs.userAssignedIdentityId.value]"
- },
- "eslzRootName": {
- "value": "[parameters('eslzRootName')]"
+ "dependsOn": [
+ "alz-prerequisites-001",
+ "[format('/subscriptions/{0}/resourceGroups/{1}', parameters('managementSubscriptionId'), parameters('resourceGroupName'))]"
+ ]
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2022-09-01",
+ "name": "alz-prerequisites-003",
+ "location": "[parameters('location')]",
+ "subscriptionId": "[parameters('managementSubscriptionId')]",
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2022-09-01",
+ "name": "alz-prereq-ds",
+ "resourceGroup": "[parameters('resourceGroupName')]",
+ "dependsOn": [],
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "location": {
+ "value": "[parameters('location')]"
+ },
+ "eslzRootName": {
+ "value": "[parameters('eslzRootName')]"
+ },
+ "managementSubscriptionId": {
+ "value": "[parameters('managementSubscriptionId')]"
+ },
+ "resourceGroupName": {
+ "value": "[parameters('resourceGroupName')]"
+ }
+ },
+ "template": {
+ "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string" + }, + "eslzRootName":{ + "type": "string" + }, + "managementSubscriptionId": { + "type": "string" + }, + "resourceGroupName": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.Resources/deploymentScripts", + "apiVersion": "2020-10-01", + "name": "alz-prereq-deploymentscript", + "location": "[parameters('location')]", + "kind": "AzurePowerShell", + "identity": { + "type": "UserAssigned", + "userAssignedIdentities": { + "[resourceId(parameters('managementSubscriptionId'),parameters('resourceGroupName'),'Microsoft.ManagedIdentity/userAssignedIdentities', 'uai-alz-prereq')]": {} + } + }, + "properties": { + "azPowerShellVersion": "12.3", + "retentionInterval": "PT1H", + "timeout": "PT2H", + "arguments": "[format('-eslzRootName \"{0}\"', parameters('eslzRootName'))]", + "scriptContent": " + param( + [Parameter(Mandatory=$true, HelpMessage=\"Enter the ESLZ root name.\")] + [string] + $eslzRootName + ) + + #API call to register the Microsoft.Network provider against intermediate resource group for AVNM + Invoke-AzRestMethod -Method POST -Uri \"https://management.azure.com/providers/Microsoft.Management/managementGroups/$eslzRootName/providers/Microsoft.Network/register?api-version=2021-04-01\" + + #Sleep for XX minutes to wait for Management Groups to load to cache before assignments + Start-Sleep -Duration (New-TimeSpan -Minutes 10) + + $result = \"\" + $count = 0 + + do { + $result = Invoke-AzRestMethod -Method POST -Uri \"https://management.azure.com/providers/Microsoft.Management/managementGroups/$eslzRootName/providers/Microsoft.Network/register?api-version=2021-04-01\" + $count++ + Start-Sleep -Seconds 30 + Write-Host 'MG RP Register - Status Code: ' $result.StatusCode ' Count: ' $count + } while ($result.StatusCode -ne 200 -and $count -lt 10) + + #Register all resource providers 
+ $subs = Search-AzGraph -Query \"ResourceContainers | where type =~ 'microsoft.resources/subscriptions'\" -ManagementGroup $eslzRootName + $rps = @('Microsoft.Insights','Microsoft.AlertsManagement','Microsoft.OperationalInsights','Microsoft.OperationsManagement','Microsoft.Automation','Microsoft.AlertsManagement','Microsoft.Security','Microsoft.Network','Microsoft.EventGrid','Microsoft.ManagedIdentity','Microsoft.GuestConfiguration','Microsoft.Advisor','Microsoft.PolicyInsights') + + foreach ($sub in $subs) { + Select-AzSubscription -SubscriptionId $sub.id + Write-Host 'Registering resource providers for subscription: ' $sub.id + Get-AzResourceProvider -ProviderNamespace $rps | where {$_.RegistrationState -ne \"Registered\"} | Register-AzResourceProvider + } + " + }, + "metadata": { + "description": "Create a Deployment Script resource to perform the prerequisites." + } + } + ], + "outputs": {} + } + } + } + ] } }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "location": { - "type": "string" - }, - "eslzRootName":{ - "type": "string" - }, - "userAssignedIdentityId": { - "type": "string" - } - }, - "resources": [ - { - "type": "Microsoft.Resources/deploymentScripts", - "apiVersion": "2020-10-01", - "name": "alz-prereq-deploymentscript", - "location": "[parameters('location')]", - "kind": "AzurePowerShell", - "identity": { - "type": "UserAssigned", - "userAssignedIdentities": { - "[format('{0}', parameters('userAssignedIdentityId'))]": {} - } - }, - "properties": { - "azPowerShellVersion": "12.3", - "retentionInterval": "PT1H", - "timeout": "PT2H", - "arguments": "[format('-eslzRootName \"{0}\"', parameters('eslzRootName'))]", - "scriptContent": " - param( - [Parameter(Mandatory=$true, HelpMessage=\"Enter the ESLZ root name.\")] - [string] - $eslzRootName - ) - - #API call to register the Microsoft.Network provider against intermediate resource group 
for AVNM - Invoke-AzRestMethod -Method POST -Uri \"https://management.azure.com/providers/Microsoft.Management/managementGroups/$eslzRootName/providers/Microsoft.Network/register?api-version=2021-04-01\" - - #Sleep for XX minutes to wait for Management Groups to load to cache before assignments - Start-Sleep -Duration (New-TimeSpan -Minutes 10) - - $result = \"\" - $count = 0 - - do { - $result = Invoke-AzRestMethod -Method POST -Uri \"https://management.azure.com/providers/Microsoft.Management/managementGroups/$eslzRootName/providers/Microsoft.Network/register?api-version=2021-04-01\" - $count++ - Start-Sleep -Seconds 30 - Write-Host 'MG RP Register - Status Code: ' $result.StatusCode ' Count: ' $count - } while ($result.StatusCode -ne 200 -and $count -lt 10) - - #Register all resource providers - $subs = Search-AzGraph -Query \"ResourceContainers | where type =~ 'microsoft.resources/subscriptions'\" -ManagementGroup $eslzRootName - $rps = @('Microsoft.Insights','Microsoft.AlertsManagement','Microsoft.OperationalInsights','Microsoft.OperationsManagement','Microsoft.Automation','Microsoft.AlertsManagement','Microsoft.Security','Microsoft.Network','Microsoft.EventGrid','Microsoft.ManagedIdentity','Microsoft.GuestConfiguration','Microsoft.Advisor','Microsoft.PolicyInsights') - - foreach ($sub in $subs) { - Select-AzSubscription -SubscriptionId $sub.id - Write-Host 'Registering resource providers for subscription: ' $sub.id - Get-AzResourceProvider -ProviderNamespace $rps | where {$_.RegistrationState -ne \"Registered\"} | Register-AzResourceProvider - } - " - }, - "metadata": { - "description": "Create a Deployment Script resource to perform the prerequisites." 
- }
- }
- ],
- "outputs": {}
- }
- },
- "dependsOn": [
- "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('resourceGroupName')), 'Microsoft.Resources/deployments', 'alz-prerequisites-uai')]",
- "[subscriptionResourceId('Microsoft.Resources/resourceGroups', parameters('resourceGroupName'))]"
- ]
- }
- ],
- "outputs": {}
-}
\ No newline at end of file
+ "dependsOn": [
+ "alz-prerequisites-001",
+ "[guid(format('alz-prerequisites-002-{0}', parameters('location')))]",
+ "[format('/subscriptions/{0}/resourceGroups/{1}', parameters('managementSubscriptionId'), parameters('resourceGroupName'))]"
+ ]
+ }
+ ],
+ "outputs": {}
+ }
\ No newline at end of file
diff --git a/eslzArm/prerequisites/deployPrerequisites1.json b/eslzArm/prerequisites/deployPrerequisites1.json
deleted file mode 100644
index b5a1b97d6..000000000
--- a/eslzArm/prerequisites/deployPrerequisites1.json
+++ /dev/null
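Review bot: The `dependsOn` of `alz-prerequisites-003` (the last lines of the hunk) still names the role assignment by its old identifier, `[guid(format('alz-prerequisites-002-{0}', parameters('location')))]`, which is what the deleted `deployPrerequisites1.json` used, while the role assignment in this file is now named `[guid(format('alz-prerequisites-{0}-{1}', parameters('eslzRootName'), parameters('location')))]`. A dependsOn entry that matches no resource in the template is, as far as I know, rejected at validation, and if it were tolerated the deployment script would start before the identity has its role, so its per-subscription `Register-AzResourceProvider` calls would fail on authorization; the entry should read `"[guid(format('alz-prerequisites-{0}-{1}', parameters('eslzRootName'), parameters('location')))]"`. The `/subscriptions/{0}/resourceGroups/{1}` entries in the two management-group-scope `dependsOn` arrays name a resource group that is only declared inside the nested subscription deployment, so they likely have the same problem, and depending on `alz-prerequisites-001` already orders them. Separately, the Contributor assignment (`b24988ac-6180-42a0-ab88-20f7382dd24c`) is now made at the management-group deployment scope instead of on the resource group as before, and it is a standing grant that survives the script's `PT1H` retention, so the user-assigned identity remains an MG-wide Contributor; a custom role limited to the register actions and reads the script performs, or a documented removal step after the prerequisites run, would match least privilege.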
@@ -1,250 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "resourceGroupName": { - "type": "string", - "defaultValue": "rg-alz-prereqs", - "metadata": { - "description": "The resource group name where the AVNM resources will be created" - } - }, - "location": { - "type": "string", - "minLength": 6, - "metadata": { - "description": "The location of this AVNM instance. All resources will be deployed to this region." - } - }, - "eslzRootName": { - "type": "string", - "metadata": { - "description": "The name of the Enterprise Scale Landing Zone root resource." - } - }, - "managementSubscriptionId": { - "type": "string", - "metadata": { - "description": "The subscription ID of the management subscription." - } - } - }, - "resources": [ - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "alz-prerequisites-001", - "location": "[parameters('location')]", - "subscriptionId": "[parameters('managementSubscriptionId')]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [ - { - "type": "Microsoft.Resources/resourceGroups", - "apiVersion": "2022-09-01", - "name": "[parameters('resourceGroupName')]", - "location": "[parameters('location')]" - }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "alz-prerequisites-uai", - "resourceGroup": "[parameters('resourceGroupName')]", - "dependsOn": [ - "[format('/subscriptions/{0}/resourceGroups/{1}', parameters('managementSubscriptionId'), parameters('resourceGroupName'))]" - ], - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "location": { - "value": "[parameters('location')]" - }, - 
"managementSubscriptionId": { - "value": "[parameters('managementSubscriptionId')]" - }, - "resourceGroupName": { - "value": "[parameters('resourceGroupName')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "location": { - "type": "string" - }, - "managementSubscriptionId": { - "type": "string" - }, - "resourceGroupName": { - "type": "string" - } - }, - "variables": {}, - "resources": [ - { - "type": "Microsoft.ManagedIdentity/userAssignedIdentities", - "apiVersion": "2023-07-31-preview", - "name": "uai-alz-prereq", - "location": "[parameters('location')]" - } - ], - "outputs": { - "userAssignedIdentityId": { - "type": "string", - "value": "[resourceId(parameters('managementSubscriptionId'),parameters('resourceGroupName'),'Microsoft.ManagedIdentity/userAssignedIdentities', 'uai-alz-prereq')]" - } - } - } - } - } - ] - } - } - }, - { - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "name": "[guid(format('alz-prerequisites-002-{0}', parameters('location')))]", - "location": "[parameters('location')]", - "properties": { - "roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c", - "principalId": "[reference(resourceId(parameters('managementSubscriptionId'),parameters('resourceGroupName'),'Microsoft.ManagedIdentity/userAssignedIdentities', 'uai-alz-prereq'), '2023-07-31-preview').principalId]", - "principalType": "ServicePrincipal" - }, - "dependsOn": [ - "alz-prerequisites-001" - ] - }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "alz-prerequisites-003", - "location": "[parameters('location')]", - "subscriptionId": "[parameters('managementSubscriptionId')]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": 
"https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [ - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "alz-prereq-ds", - "resourceGroup": "[parameters('resourceGroupName')]", - "dependsOn": [], - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "location": { - "value": "[parameters('location')]" - }, - "eslzRootName": { - "value": "[parameters('eslzRootName')]" - }, - "managementSubscriptionId": { - "value": "[parameters('managementSubscriptionId')]" - }, - "resourceGroupName": { - "value": "[parameters('resourceGroupName')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "location": { - "type": "string" - }, - "eslzRootName":{ - "type": "string" - }, - "managementSubscriptionId": { - "type": "string" - }, - "resourceGroupName": { - "type": "string" - } - }, - "resources": [ - { - "type": "Microsoft.Resources/deploymentScripts", - "apiVersion": "2020-10-01", - "name": "alz-prereq-deploymentscript", - "location": "[parameters('location')]", - "kind": "AzurePowerShell", - "identity": { - "type": "UserAssigned", - "userAssignedIdentities": { - "[resourceId(parameters('managementSubscriptionId'),parameters('resourceGroupName'),'Microsoft.ManagedIdentity/userAssignedIdentities', 'uai-alz-prereq')]": {} - } - }, - "properties": { - "azPowerShellVersion": "12.3", - "retentionInterval": "PT1H", - "timeout": "PT2H", - "arguments": "[format('-eslzRootName \"{0}\"', parameters('eslzRootName'))]", - "scriptContent": " - param( - [Parameter(Mandatory=$true, HelpMessage=\"Enter the ESLZ root name.\")] - [string] - $eslzRootName - ) - - #API call to register the Microsoft.Network provider against intermediate resource group for AVNM - Invoke-AzRestMethod 
-Method POST -Uri \"https://management.azure.com/providers/Microsoft.Management/managementGroups/$eslzRootName/providers/Microsoft.Network/register?api-version=2021-04-01\" - - #Sleep for XX minutes to wait for Management Groups to load to cache before assignments - Start-Sleep -Duration (New-TimeSpan -Minutes 10) - - $result = \"\" - $count = 0 - - do { - $result = Invoke-AzRestMethod -Method POST -Uri \"https://management.azure.com/providers/Microsoft.Management/managementGroups/$eslzRootName/providers/Microsoft.Network/register?api-version=2021-04-01\" - $count++ - Start-Sleep -Seconds 30 - Write-Host 'MG RP Register - Status Code: ' $result.StatusCode ' Count: ' $count - } while ($result.StatusCode -ne 200 -and $count -lt 10) - - #Register all resource providers - $subs = Search-AzGraph -Query \"ResourceContainers | where type =~ 'microsoft.resources/subscriptions'\" -ManagementGroup $eslzRootName - $rps = @('Microsoft.Insights','Microsoft.AlertsManagement','Microsoft.OperationalInsights','Microsoft.OperationsManagement','Microsoft.Automation','Microsoft.AlertsManagement','Microsoft.Security','Microsoft.Network','Microsoft.EventGrid','Microsoft.ManagedIdentity','Microsoft.GuestConfiguration','Microsoft.Advisor','Microsoft.PolicyInsights') - - foreach ($sub in $subs) { - Select-AzSubscription -SubscriptionId $sub.id - Write-Host 'Registering resource providers for subscription: ' $sub.id - Get-AzResourceProvider -ProviderNamespace $rps | where {$_.RegistrationState -ne \"Registered\"} | Register-AzResourceProvider - } - " - }, - "metadata": { - "description": "Create a Deployment Script resource to perform the prerequisites." - } - } - ], - "outputs": {} - } - } - } - ] - } - }, - "dependsOn": [ - "alz-prerequisites-001", - "[guid(format('alz-prerequisites-002-{0}', parameters('location')))]" - ] - } - ], - "outputs": {} - } \ No newline at end of file 
diff --git a/eslzArm/prerequisites/deployPrerequisites2.json b/eslzArm/prerequisites/deployPrerequisites2.json
new file mode 100644
index 000000000..61435ea80
--- /dev/null
+++ b/eslzArm/prerequisites/deployPrerequisites2.json
@@ -0,0 +1,204 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "resourceGroupName": {
+ "type": "string",
+ "defaultValue": "rg-alz-prereqs",
+ "metadata": {
+ "description": "The resource group name where the AVNM resources will be created"
+ }
+ },
+ "location": {
+ "type": "string",
+ "minLength": 6,
+ "metadata": {
+ "description": "The location of this AVNM instance. All resources will be deployed to this region."
+ }
+ },
+ "eslzRootName": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the Enterprise Scale Landing Zone root resource."
+ }
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Resources/resourceGroups",
+ "apiVersion": "2022-09-01",
+ "name": "[parameters('resourceGroupName')]",
+ "location": "[parameters('location')]"
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2022-09-01",
+ "name": "alz-prerequisites-uai",
+ "resourceGroup": "[parameters('resourceGroupName')]",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "location": {
+ "value": "[parameters('location')]"
+ },
+ "eslzRootName": {
+ "value": "[parameters('eslzRootName')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "location": {
+ "type": "string"
+ },
+ "eslzRootName": {
+ "type": "string"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.ManagedIdentity/userAssignedIdentities",
+ "apiVersion": "2022-01-31-preview",
+ "name": "[format('uai-prereq-{0}', parameters('location'))]",
+ "location": "[parameters('location')]",
+ "metadata": {
+ "description": "This user assigned identity is used by the Deployment Script resource to interact with Azure resources."
+ }
+ },
+ {
+ "type": "Microsoft.Authorization/roleAssignments",
+ "apiVersion": "2022-04-01",
+ "name": "[guid(resourceGroup().id, format('uai-prereq-{0}', parameters('location')))]",
+ "properties": {
+ "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]",
+ "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-prereq-{0}', parameters('location'))), '2022-01-31-preview').principalId]",
+ "principalType": "ServicePrincipal"
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-prereq-{0}', parameters('location')))]"
+ ],
+ "metadata": {
+ "description": "This role assignment grants the user assigned identity the Contributor role on the resource group."
+ }
+ }
+ ],
+ "outputs": {
+ "userAssignedIdentityId": {
+ "type": "string",
+ "value": "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-prereq-{0}', parameters('location')))]"
+ }
+ }
+ }
+ },
+ "dependsOn": [
+ "[subscriptionResourceId('Microsoft.Resources/resourceGroups', parameters('resourceGroupName'))]"
+ ]
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2022-09-01",
+ "name": "[format('ds-{0}-prereqs', parameters('location'))]",
+ "resourceGroup": "[parameters('resourceGroupName')]",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "location": {
+ "value": "[parameters('location')]"
+ },
+ "userAssignedIdentityId": {
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('resourceGroupName')), 'Microsoft.Resources/deployments', 'alz-prerequisites-uai'), '2022-09-01').outputs.userAssignedIdentityId.value]"
+ },
+ "eslzRootName": {
+ "value": "[parameters('eslzRootName')]"
+ }
+ },
+ "template": {
+ "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string" + }, + "eslzRootName":{ + "type": "string" + }, + "userAssignedIdentityId": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.Resources/deploymentScripts", + "apiVersion": "2020-10-01", + "name": "alz-prereq-deploymentscript", + "location": "[parameters('location')]", + "kind": "AzurePowerShell", + "identity": { + "type": "UserAssigned", + "userAssignedIdentities": { + "[format('{0}', parameters('userAssignedIdentityId'))]": {} + } + }, + "properties": { + "azPowerShellVersion": "12.3", + "retentionInterval": "PT1H", + "timeout": "PT2H", + "arguments": "[format('-eslzRootName \"{0}\"', parameters('eslzRootName'))]", + "scriptContent": " + param( + [Parameter(Mandatory=$true, HelpMessage=\"Enter the ESLZ root name.\")] + [string] + $eslzRootName + ) + + #API call to register the Microsoft.Network provider against intermediate resource group for AVNM + Invoke-AzRestMethod -Method POST -Uri \"https://management.azure.com/providers/Microsoft.Management/managementGroups/$eslzRootName/providers/Microsoft.Network/register?api-version=2021-04-01\" + + #Sleep for XX minutes to wait for Management Groups to load to cache before assignments + Start-Sleep -Duration (New-TimeSpan -Minutes 10) + + $result = \"\" + $count = 0 + + do { + $result = Invoke-AzRestMethod -Method POST -Uri \"https://management.azure.com/providers/Microsoft.Management/managementGroups/$eslzRootName/providers/Microsoft.Network/register?api-version=2021-04-01\" + $count++ + Start-Sleep -Seconds 30 + Write-Host 'MG RP Register - Status Code: ' $result.StatusCode ' Count: ' $count + } while ($result.StatusCode -ne 200 -and $count -lt 10) + + #Register all resource providers + $subs = Search-AzGraph -Query \"ResourceContainers | where type =~ 'microsoft.resources/subscriptions'\" -ManagementGroup $eslzRootName + $rps = 
@('Microsoft.Insights','Microsoft.AlertsManagement','Microsoft.OperationalInsights','Microsoft.OperationsManagement','Microsoft.Automation','Microsoft.AlertsManagement','Microsoft.Security','Microsoft.Network','Microsoft.EventGrid','Microsoft.ManagedIdentity','Microsoft.GuestConfiguration','Microsoft.Advisor','Microsoft.PolicyInsights') + + foreach ($sub in $subs) { + Select-AzSubscription -SubscriptionId $sub.id + Write-Host 'Registering resource providers for subscription: ' $sub.id + Get-AzResourceProvider -ProviderNamespace $rps | where {$_.RegistrationState -ne \"Registered\"} | Register-AzResourceProvider + } + " + }, + "metadata": { + "description": "Create a Deployment Script resource to perform the prerequisites." + } + } + ], + "outputs": {} + } + }, + "dependsOn": [ + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('resourceGroupName')), 'Microsoft.Resources/deployments', 'alz-prerequisites-uai')]", + "[subscriptionResourceId('Microsoft.Resources/resourceGroups', parameters('resourceGroupName'))]" + ] + } + ], + "outputs": {} +} \ No newline at end of file diff --git a/eslzArm/subscriptionTemplates/avnmPolicy.json b/eslzArm/subscriptionTemplates/avnmPolicy.json index 9100d75b6..8e7bcde1c 100644 --- a/eslzArm/subscriptionTemplates/avnmPolicy.json +++ b/eslzArm/subscriptionTemplates/avnmPolicy.json 
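Review bot: `deployPrerequisites2.json` is added as blob `61435ea80`, the same blob that `deployPrerequisites.json` had before this change (`index 61435ea80..ca6cf4923`), and nothing in the diff references the new path; `eslzArm.json` now points `preRequisites` at `deployPrerequisites.json`. If this subscription-scope copy is kept on purpose, a top-level entry such as `"metadata": { "description": "Subscription-scope variant of deployPrerequisites.json; not referenced by eslzArm.json" }` would tell the next maintainer why two near-duplicate prerequisite templates exist, since they already differ in identity name, API versions and role-assignment scope. Otherwise the file should be dropped rather than carried as an unreferenced copy, not least because the embedded PowerShell prerequisites script would then have to be fixed in two places.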
@@ -73,6 +73,19 @@
 "metadata": {
 "description": "Assigns above policy for dynamic group membership"
 }
+ },
+ {
+ "type": "Microsoft.Authorization/roleAssignments",
+ "apiVersion": "2019-04-01-preview",
+ "name": "role-AVNM-NetworkGroup",
+ "dependsOn": [
+ "[uniqueString(variables('networkGroupId'))]"
+ ],
+ "properties": {
+ "principalType": "ServicePrincipal",
+ "roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7",
+ "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', uniqueString(variables('networkGroupId'))), '2019-09-01', 'Full' ).identity.principalId)]"
+ }
 }
 ],