Merge pull request #2622 from sebassem/arcbox_3.0
Arcbox 3.0 - Customize tags
janegilring authored Jul 24, 2024
2 parents edf6d4f + 59c22a1 commit 6e92e2c
Showing 14 changed files with 89 additions and 56 deletions.
3 changes: 2 additions & 1 deletion azure_jumpstart_arcbox/artifacts/ArcServersLogonScript.ps1
Expand Up @@ -11,6 +11,7 @@ $tenantId = $env:tenantId
$subscriptionId = $env:subscriptionId
$azureLocation = $env:azureLocation
$resourceGroup = $env:resourceGroup
$resourceTags = $env:resourceTags

# Moved VHD storage account details here to keep only in place to prevent duplicates.
$vhdSourceFolder = "https://jumpstartprodsg.blob.core.windows.net/arcbox/*"
Expand Down Expand Up @@ -212,7 +213,7 @@ if ($Env:flavor -ne "DevOps") {

# Create SQL server extension as policy to auto deployment is disabled
Write-Host "Installing SQL Server extension on the Arc-enabled Server."
az connectedmachine extension create --machine-name $SQLvmName --name "WindowsAgent.SqlServer" --resource-group $resourceGroup --type "WindowsAgent.SqlServer" --publisher "Microsoft.AzureData" --settings '{\"LicenseType\":\"Paid\", \"SqlManagement\": {\"IsEnabled\":true}}'
az connectedmachine extension create --machine-name $SQLvmName --name "WindowsAgent.SqlServer" --resource-group $resourceGroup --type "WindowsAgent.SqlServer" --publisher "Microsoft.AzureData" --settings '{\"LicenseType\":\"Paid\", \"SqlManagement\": {\"IsEnabled\":true}}' --tags $resourceTags --location $azureLocation --only-show-errors --no-wait
Write-Host "SQL Server extension installation on the Arc-enabled Server successful."

$retryCount = 0
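Review bot: The new `--no-wait` on the `az connectedmachine extension create` call returns before the extension is installed, so the `Write-Host "SQL Server extension installation on the Arc-enabled Server successful."` on the following line reports a success that has not been observed, and `--only-show-errors` hides warnings that would explain a partial result. Either drop `--no-wait` and gate the message on `$LASTEXITCODE -eq 0`, or reword it to `Write-Host "SQL Server extension installation on the Arc-enabled Server has been requested."`. Separately, `--tags` takes space-separated `key=value` pairs, while `$resourceTags` originates as a Bicep object interpolated into a command line (clientVm.bicep) and then copied into a machine environment variable by Bootstrap.ps1; nothing in this change establishes that it arrives in that shape, so it should be verified on a deployed VM. The enclosing `if ($Env:flavor -ne "DevOps")` block starts before the hunk.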
4 changes: 3 additions & 1 deletion azure_jumpstart_arcbox/artifacts/Bootstrap.ps1
Expand Up @@ -32,7 +32,8 @@ param (
[string]$sshPort,
[string]$vmAutologon,
[string]$addsDomainName,
[string]$customLocationRPOID
[string]$customLocationRPOID,
[object]$resourceTags
)

[System.Environment]::SetEnvironmentVariable('adminUsername', $adminUsername, [System.EnvironmentVariableTarget]::Machine)
Expand Down Expand Up @@ -62,6 +63,7 @@ param (
[System.Environment]::SetEnvironmentVariable('aksArcClusterName', $aksArcClusterName, [System.EnvironmentVariableTarget]::Machine)
[System.Environment]::SetEnvironmentVariable('aksdrArcClusterName', $aksdrArcClusterName, [System.EnvironmentVariableTarget]::Machine)
[System.Environment]::SetEnvironmentVariable('customLocationRPOID', $customLocationRPOID, [System.EnvironmentVariableTarget]::Machine)
[System.Environment]::SetEnvironmentVariable('resourceTags', $resourceTags, [System.EnvironmentVariableTarget]::Machine)

[System.Environment]::SetEnvironmentVariable('ArcBoxDir', "C:\ArcBox", [System.EnvironmentVariableTarget]::Machine)

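Review bot: `[object]$resourceTags` on the new parameter line is the only non-string parameter in the `param` block, yet the value only ever arrives as command-line text (the `-resourceTags ${resourceTags}` argument built in clientVm.bicep) and is immediately handed to `SetEnvironmentVariable`, which stores a string. If a real hashtable were ever bound, the implicit conversion would store its type name rather than the tags, so `[string]$resourceTags` matches both its siblings and its actual use. The `param` block begins before the hunk.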
Expand Up @@ -32,11 +32,6 @@
"logAnalyticsPrimaryKey": {
"value": "logAnalyticsPrimaryKey-stage"
},
"resourceTags": {
"value": {
"Project": "jumpstart_arcbox"
}
},
"dockerRegistryCredential": {
"value": "arc-private-registry"
},
1 change: 0 additions & 1 deletion azure_jumpstart_arcbox/artifacts/installArcAgent.ps1
Expand Up @@ -25,7 +25,6 @@
--location $Azurelocation `
--subscription-id $subscriptionId `
--cloud "AzureCloud" `
--tags "Project=jumpstart_arcbox" `
--correlation-id "d009f5dd-dba8-4ac7-bac9-b54ef3a6671a" # Do no change!

if($LastExitCode -eq 0){Write-Host -ForegroundColor yellow "To view your onboarded server(s), navigate to https://ms.portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.HybridCompute%2Fmachines"}
2 changes: 1 addition & 1 deletion azure_jumpstart_arcbox/artifacts/installArcAgentUbuntu.sh
Expand Up @@ -14,7 +14,7 @@ bash ~/install_linux_azcmagent.sh # 2>/dev/null
ArcServerResourceName=$(hostname |sed -e "s/\b\(.\)/\u\1/g")

# Run connect command
azcmagent connect --access-token $accessToken --resource-group $resourceGroup --tenant-id $tenantId --location $Azurelocation --subscription-id $subscriptionId --resource-name "${ArcServerResourceName}" --cloud "AzureCloud" --tags "Project=jumpstart_arcbox" --correlation-id "d009f5dd-dba8-4ac7-bac9-b54ef3a6671a"
azcmagent connect --access-token $accessToken --resource-group $resourceGroup --tenant-id $tenantId --location $Azurelocation --subscription-id $subscriptionId --resource-name "${ArcServerResourceName}" --cloud "AzureCloud" --correlation-id "d009f5dd-dba8-4ac7-bac9-b54ef3a6671a"

# Configure the agent to allow connections on port 22
azcmagent config set incomingconnections.ports 22
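Review bot: The rewritten `azcmagent connect` line still expands `$accessToken`, `$resourceGroup`, `$tenantId`, `$Azurelocation` and `$subscriptionId` unquoted, so any whitespace or glob characters in those values are word-split before reaching the agent; since the line is being rewritten anyway, quoting them (`--access-token "$accessToken" --resource-group "$resourceGroup" ...`) is cheap. The same applies to `$adminUsername`, `$vmName`, `$resourceGroup` and `$location` on the rewritten `az connectedk8s connect` line in installK3s.sh. Note also that the access token is passed as a process argument, which is typically visible in the local process list for the lifetime of the command; a short comment on the line recording that this exposure is an accepted trade-off would help the next reader.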
2 changes: 1 addition & 1 deletion azure_jumpstart_arcbox/artifacts/installK3s.sh
Expand Up @@ -152,7 +152,7 @@ if [[ "$k3sControlPlane" == "true" ]]; then
workspaceResourceId=$(sudo -u $adminUsername az resource show --resource-group $resourceGroup --name $logAnalyticsWorkspace --resource-type "Microsoft.OperationalInsights/workspaces" --query id -o tsv)
echo "Log Analytics workspace id $workspaceResourceId"

sudo -u $adminUsername az connectedk8s connect --name $vmName --resource-group $resourceGroup --location $location --tags 'Project=jumpstart_arcbox'
sudo -u $adminUsername az connectedk8s connect --name $vmName --resource-group $resourceGroup --location $location
echo "Onboarding the k3s cluster to Azure Arc completed"

# Verify if cluster is connected to Azure Arc successfully
5 changes: 0 additions & 5 deletions azure_jumpstart_arcbox/artifacts/postgreSQL.parameters.json
Expand Up @@ -53,11 +53,6 @@
"logStorageClassName": {
"value": "logsStorageClassName-stage"
},
"resourceTags": {
"value": {
"Project": "jumpstart_arcbox"
}
},
"numWorkers": {
"value": numWorkersStage
},
5 changes: 0 additions & 5 deletions azure_jumpstart_arcbox/artifacts/sqlmi.parameters.json
Expand Up @@ -59,11 +59,6 @@
"replicas": {
"value": replicasStage
},
"resourceTags": {
"value": {
"Project": "jumpstart_arcbox"
}
},
"apiVersion": {
"value": "2023-01-15-preview"
},
5 changes: 0 additions & 5 deletions azure_jumpstart_arcbox/artifacts/sqlmiAD.parameters.json
Expand Up @@ -59,11 +59,6 @@
"replicas": {
"value": replicasStage
},
"resourceTags": {
"value": {
"Project": "jumpstart_arcbox"
}
},
"apiVersion": {
"value": "2023-01-15-preview"
},
11 changes: 6 additions & 5 deletions azure_jumpstart_arcbox/bicep/clientVm/clientVm.bicep
Expand Up @@ -28,9 +28,6 @@ param location string = resourceGroup().location
@description('Resource Id of the subnet in the virtual network')
param subnetId string

param resourceTags object = {
Project: 'jumpstart_arcbox'
}
param spnAuthority string = environment().authentication.loginEndpoint

@description('Your Microsoft Entra tenant Id')
Expand Down Expand Up @@ -68,6 +65,11 @@ param workspaceName string
@description('The base URL used for accessing artifacts and automation artifacts.')
param templateBaseUrl string

@description('Tags to assign for all ArcBox resources')
param resourceTags object = {
Solution: 'jumpstart_arcbox'
}

@description('The flavor of ArcBox you want to deploy. Valid values are: \'Full\', \'ITPro\'')
@allowed([
'Full'
Expand Down Expand Up @@ -158,7 +160,6 @@ resource vmDisk 'Microsoft.Compute/disks@2023-04-02' = {
resource vm 'Microsoft.Compute/virtualMachines@2022-03-01' = {
name: vmName
location: location
tags: resourceTags
identity: {
type: 'SystemAssigned'
}
Expand Down Expand Up @@ -227,7 +228,7 @@ resource vmBootstrap 'Microsoft.Compute/virtualMachines/extensions@2022-03-01' =
fileUris: [
uri(templateBaseUrl, 'artifacts/Bootstrap.ps1')
]
commandToExecute: 'powershell.exe -ExecutionPolicy Bypass -File Bootstrap.ps1 -adminUsername ${windowsAdminUsername} -adminPassword ${windowsAdminPassword} -tenantId ${tenantId} -spnAuthority ${spnAuthority} -subscriptionId ${subscription().subscriptionId} -resourceGroup ${resourceGroup().name} -azdataUsername ${azdataUsername} -azdataPassword ${azdataPassword} -acceptEula ${acceptEula} -registryUsername ${registryUsername} -registryPassword ${registryPassword} -arcDcName ${arcDcName} -azureLocation ${location} -mssqlmiName ${mssqlmiName} -POSTGRES_NAME ${postgresName} -POSTGRES_WORKER_NODE_COUNT ${postgresWorkerNodeCount} -POSTGRES_DATASIZE ${postgresDatasize} -POSTGRES_SERVICE_TYPE ${postgresServiceType} -stagingStorageAccountName ${stagingStorageAccountName} -workspaceName ${workspaceName} -templateBaseUrl ${templateBaseUrl} -flavor ${flavor} -k3sArcDataClusterName ${k3sArcDataClusterName} -k3sArcClusterName ${k3sArcClusterName} -aksArcClusterName ${aksArcClusterName} -aksdrArcClusterName ${aksdrArcClusterName} -githubUser ${githubUser} -vmAutologon ${vmAutologon} -rdpPort ${rdpPort} -addsDomainName ${addsDomainName} -customLocationRPOID ${customLocationRPOID}'
commandToExecute: 'powershell.exe -ExecutionPolicy Bypass -File Bootstrap.ps1 -adminUsername ${windowsAdminUsername} -adminPassword ${windowsAdminPassword} -tenantId ${tenantId} -spnAuthority ${spnAuthority} -subscriptionId ${subscription().subscriptionId} -resourceGroup ${resourceGroup().name} -azdataUsername ${azdataUsername} -azdataPassword ${azdataPassword} -acceptEula ${acceptEula} -registryUsername ${registryUsername} -registryPassword ${registryPassword} -arcDcName ${arcDcName} -azureLocation ${location} -mssqlmiName ${mssqlmiName} -POSTGRES_NAME ${postgresName} -POSTGRES_WORKER_NODE_COUNT ${postgresWorkerNodeCount} -POSTGRES_DATASIZE ${postgresDatasize} -POSTGRES_SERVICE_TYPE ${postgresServiceType} -stagingStorageAccountName ${stagingStorageAccountName} -workspaceName ${workspaceName} -templateBaseUrl ${templateBaseUrl} -flavor ${flavor} -k3sArcDataClusterName ${k3sArcDataClusterName} -k3sArcClusterName ${k3sArcClusterName} -aksArcClusterName ${aksArcClusterName} -aksdrArcClusterName ${aksdrArcClusterName} -githubUser ${githubUser} -vmAutologon ${vmAutologon} -rdpPort ${rdpPort} -addsDomainName ${addsDomainName} -customLocationRPOID ${customLocationRPOID} -resourceTags ${resourceTags}'
}
}
}
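Review bot: `-resourceTags ${resourceTags}` at the end of the new `commandToExecute` string interpolates an `object` parameter into a string; Bicep interpolation is defined for string, int and bool values, so this is likely to be rejected at build time, and even if it serialized, the JSON braces and quotes would be mangled by `powershell.exe -File` argument parsing before Bootstrap.ps1 sees them. The shape the value must have is dictated by its final consumer, `az connectedmachine extension create --tags`, which takes space-separated `key=value` pairs, so the serialization should be explicit and quoted — for example `-resourceTags "${join(map(items(resourceTags), t => '${t.key}=${t.value}'), ' ')}"` — with the Bicep version's support for `map`/lambda confirmed first. The default `Solution: 'jumpstart_arcbox'` on the moved param is also repeated verbatim in main.bicep, mgmtArtifacts.bicep and policyAzureArc.bicep; a comment such as `// Keep in sync with main.bicep, which is the source of truth for the default` would reduce drift.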
6 changes: 6 additions & 0 deletions azure_jumpstart_arcbox/bicep/main.bicep
Expand Up @@ -63,6 +63,11 @@ param location string = resourceGroup().location
@description('The custom location RPO ID. This parameter is only needed when deploying the DataOps flavor.')
param customLocationRPOID string = ''

@description('Tags to assign for all ArcBox resources')
param resourceTags object = {
Solution: 'jumpstart_arcbox'
}

var templateBaseUrl = 'https://raw.githubusercontent.com/${githubAccount}/azure_arc/${githubBranch}/azure_jumpstart_arcbox/'
var aksArcDataClusterName = 'ArcBox-AKS-Data-${guid}'
var aksDrArcDataClusterName = 'ArcBox-AKS-DR-Data-${guid}'
Expand Down Expand Up @@ -162,6 +167,7 @@ module mgmtArtifactsAndPolicyDeployment 'mgmt/mgmtArtifacts.bicep' = {
deployBastion: deployBastion
bastionSku: bastionSku
location: location
resourceTags: resourceTags
}
}

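Review bot: The new `resourceTags` parameter is forwarded only to `mgmtArtifactsAndPolicyDeployment` in this section, while clientVm.bicep declares its own `resourceTags` with a hard-coded default; unless the `clientVm` module call (outside this hunk) also passes `resourceTags: resourceTags`, tags customized at deployment time reach the policy assignments but not the value Bootstrap.ps1 writes onto the VM, and the two paths disagree. Worth confirming, and worth a comment on the param: `// Forwarded to every module; module-level defaults exist only for standalone deployment`.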
2 changes: 2 additions & 0 deletions azure_jumpstart_arcbox/bicep/main.bicepparam
Expand Up @@ -15,3 +15,5 @@ param flavor = 'ITPro'
param deployBastion = false

param vmAutologon = true

param resourceTags = {} // Add tags as needed
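Review bot: `param resourceTags = {}` overrides the `Solution: 'jumpstart_arcbox'` default declared in main.bicep with an empty object, and because policyAzureArc.bicep creates one `(ArcBox) Tag resources-*` assignment per entry of `items(resourceTags)`, a deployment from this parameter file ends up with no tagging policy and no `Solution` tag at all. If the intent is to keep the baseline and let users add to it, omit the param here or write `param resourceTags = { Solution: 'jumpstart_arcbox' } // add further tags as needed` so the comment's invitation does not silently drop the default tag.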
35 changes: 35 additions & 0 deletions azure_jumpstart_arcbox/bicep/mgmt/mgmtArtifacts.bicep
Expand Up @@ -53,6 +53,11 @@ param bastionNetworkSecurityGroupName string = 'ArcBox-Bastion-NSG'
@description('DNS Server configuration')
param dnsServers array = []

@description('Tags to assign for all ArcBox resources')
param resourceTags object = {
Solution: 'jumpstart_arcbox'
}

var keyVaultName = 'arcbox${uniqueString(resourceGroup().id)}'

var security = {
Expand Down Expand Up @@ -123,6 +128,9 @@ var dataOpsSubnets = [
resource arcVirtualNetwork 'Microsoft.Network/virtualNetworks@2022-01-01' = {
name: virtualNetworkName
location: location
dependsOn: [
policyDeployment
]
properties: {
addressSpace: {
addressPrefixes: [
Expand All @@ -139,6 +147,9 @@ resource arcVirtualNetwork 'Microsoft.Network/virtualNetworks@2022-01-01' = {
resource drVirtualNetwork 'Microsoft.Network/virtualNetworks@2022-01-01' = if (flavor == 'DataOps') {
name: drVirtualNetworkName
location: location
dependsOn: [
policyDeployment
]
properties: {
addressSpace: {
addressPrefixes: [
Expand All @@ -165,6 +176,9 @@ resource drVirtualNetwork 'Microsoft.Network/virtualNetworks@2022-01-01' = if (f
resource virtualNetworkName_peering_to_DR_vnet 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2022-01-01' = if (flavor == 'DataOps') {
parent: arcVirtualNetwork
name: 'peering-to-DR-vnet'
dependsOn: [
policyDeployment
]
properties: {
allowVirtualNetworkAccess: true
allowForwardedTraffic: true
Expand All @@ -179,6 +193,9 @@ resource virtualNetworkName_peering_to_DR_vnet 'Microsoft.Network/virtualNetwork
resource drVirtualNetworkName_peering_to_primary_vnet 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2022-01-01' = if (flavor == 'DataOps') {
parent: drVirtualNetwork
name: 'peering-to-primary-vnet'
dependsOn: [
policyDeployment
]
properties: {
allowVirtualNetworkAccess: true
allowForwardedTraffic: true
Expand All @@ -193,6 +210,9 @@ resource drVirtualNetworkName_peering_to_primary_vnet 'Microsoft.Network/virtual
resource networkSecurityGroup 'Microsoft.Network/networkSecurityGroups@2022-01-01' = {
name: networkSecurityGroupName
location: location
dependsOn: [
policyDeployment
]
properties: {
securityRules: [
{
Expand Down Expand Up @@ -306,6 +326,9 @@ resource networkSecurityGroup 'Microsoft.Network/networkSecurityGroups@2022-01-0
resource bastionNetworkSecurityGroup 'Microsoft.Network/networkSecurityGroups@2022-01-01' = if (deployBastion == true) {
name: bastionNetworkSecurityGroupName
location: location
dependsOn: [
policyDeployment
]
properties: {
securityRules: [
{
Expand Down Expand Up @@ -428,9 +451,11 @@ resource bastionNetworkSecurityGroup 'Microsoft.Network/networkSecurityGroups@20
}
}


resource workspace 'Microsoft.OperationalInsights/workspaces@2021-06-01' = {
name: workspaceName
location: location
tags: resourceTags
properties: {
sku: {
name: sku
Expand All @@ -455,6 +480,9 @@ resource securityGallery 'Microsoft.OperationsManagement/solutions@2015-11-01-pr
resource publicIpAddress 'Microsoft.Network/publicIPAddresses@2022-01-01' = if (deployBastion == true) {
name: bastionPublicIpAddressName
location: location
dependsOn: [
policyDeployment
]
properties: {
publicIPAllocationMethod: 'Static'
publicIPAddressVersion: 'IPv4'
Expand All @@ -468,6 +496,9 @@ resource publicIpAddress 'Microsoft.Network/publicIPAddresses@2022-01-01' = if (
resource bastionHost 'Microsoft.Network/bastionHosts@2023-11-01' = if (deployBastion == true) {
name: bastionName
location: location
dependsOn: [
policyDeployment
]
sku: {
name: bastionSku
}
Expand Down Expand Up @@ -497,11 +528,15 @@ module policyDeployment './policyAzureArc.bicep' = {
azureLocation: location
logAnalyticsWorkspaceId: workspace.id
flavor: flavor
resourceTags: resourceTags
}
}

module keyVault 'br/public:avm/res/key-vault/vault:0.5.1' = {
name: 'keyVaultDeployment'
dependsOn: [
policyDeployment
]
params: {
name: keyVaultName
enablePurgeProtection: false
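Review bot: The nine new `dependsOn: [ policyDeployment ]` blocks (first on `arcVirtualNetwork`, then `drVirtualNetwork`, both peerings, both NSGs, `publicIpAddress`, `bastionHost` and the `keyVault` module) carry no explanation, and nothing in the diff says why network resources must wait on a policy module. The likely reason — that the tag policy's Modify effect only covers resources created after the assignment and its role assignment exist — is an inference the author should confirm; a comment at the first occurrence such as `// Created after the policy module so the tag-policy Modify effect (and its role assignment) already applies` would record it. `workspace` cannot carry the same `dependsOn` because `policyDeployment` consumes `workspace.id`, which is presumably why it alone gets an explicit `tags: resourceTags`; a one-line comment there would save the next reader the same deduction.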
59 changes: 33 additions & 26 deletions azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep
Expand Up @@ -7,6 +7,13 @@ param logAnalyticsWorkspaceId string
@description('The flavor of ArcBox you want to deploy. Valid values are: \'Full\', \'ITPro\', \'DevOps\'')
param flavor string

@description('Tags to assign for all ArcBox resources')
param resourceTags object = {
Solution: 'jumpstart_arcbox'
}

param tagsRoleDefinitionId string = '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c'

var policies = [
{
name: '(ArcBox) Enable Azure Monitor for Hybrid VMs with AMA'
Expand All @@ -29,25 +36,6 @@ var policies = [
}
}
}
{
name: '(ArcBox) Tag resources'
definitionId: '/providers/Microsoft.Authorization/policyDefinitions/4f9dc7db-30c1-420c-b61a-e1d640128d26'
flavors: [
'Full'
'ITPro'
'DevOps'
'DataOps'
]
roleDefinition: '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c'
parameters: {
tagName: {
value: 'Project'
}
tagValue: {
value: 'jumpstart_arcbox'
}
}
}
{
name: '(ArcBox) Enable Microsoft Defender on Kubernetes clusters'
definitionId: '/providers/Microsoft.Authorization/policyDefinitions/708b60a6-d253-4fe0-9114-4be4c00f012c'
Expand Down Expand Up @@ -99,7 +87,7 @@ resource policy_AMA_role_2 'Microsoft.Authorization/roleAssignments@2020-10-01-p
}
}

resource policy_tagging_resources 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = if (contains(policies[1].flavors, flavor)) {
resource policy_defender_kubernetes 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = if (contains(policies[1].flavors, flavor)) {
name: guid( policies[1].name, policies[1].roleDefinition,resourceGroup().id)
properties: {
roleDefinitionId: any(policies[1].roleDefinition)
Expand All @@ -108,12 +96,31 @@ resource policy_tagging_resources 'Microsoft.Authorization/roleAssignments@2020-
}
}

resource policy_defender_kubernetes 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = if (contains(policies[2].flavors, flavor)) {
name: guid( policies[2].name, policies[2].roleDefinition,resourceGroup().id)

resource applyCustomTags 'Microsoft.Authorization/policyAssignments@2021-06-01' = [for (tag,i) in items(resourceTags): {
name: '(ArcBox) Tag resources-${tag.key}'
location: azureLocation
identity: {
type: 'SystemAssigned'
}
properties: {
roleDefinitionId: any(policies[2].roleDefinition)
principalId: contains(policies[2].flavors, flavor)?policies_name[2].identity.principalId:guid('policies_name_id${0}')
principalType: 'ServicePrincipal'
policyDefinitionId: any('/providers/Microsoft.Authorization/policyDefinitions/4f9dc7db-30c1-420c-b61a-e1d640128d26')
parameters:{
tagName: {
value: tag.key
}
tagValue: {
value: tag.value
}
}
}
}
}]

resource policy_tagging_resources 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = [for (tag,i) in items(resourceTags): {
name: guid(applyCustomTags[i].name, tagsRoleDefinitionId,resourceGroup().id)
properties: {
roleDefinitionId: tagsRoleDefinitionId
principalId: applyCustomTags[i].identity.principalId
principalType: 'ServicePrincipal'
}
}]
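Review bot: `tagsRoleDefinitionId` defaults to the built-in Contributor role (`b24988ac-...`) and the `policy_tagging_resources` loop assigns it at resource-group scope to every per-tag assignment identity, so each tagging identity may modify any resource in the group rather than only its tags; the Modify effect needs tag-write rights only, so a narrower built-in role (Tag Contributor, or whichever role the definition's `roleDefinitionIds` requires — confirm against the built-in definition) should be preferred, and the param should get a `@description('Role granted to the tag-policy identities; keep to the minimum the Modify effect requires')`. `name: '(ArcBox) Tag resources-${tag.key}'` embeds a user-supplied tag key directly in the assignment name, so keys containing spaces or slashes, or long enough to exceed the assignment-name limit, would fail the deployment; `name: guid('(ArcBox) Tag resources', tag.key, resourceGroup().id)` with the readable text moved to `displayName` avoids that. The removal of the array entry and the shift of `policy_defender_kubernetes` from `policies[2]` to `policies[1]` look consistent with each other.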
