From 757b9e5f3b2cd021e44eab04938a49e072ed0206 Mon Sep 17 00:00:00 2001 From: Seif Bassem <38246040+sebassem@users.noreply.github.com> Date: Tue, 23 Jul 2024 09:33:13 +0300 Subject: [PATCH 01/24] testing --- .../bicep/mgmt/policyAzureArc.bicep | 30 +++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep b/azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep index a6a0f309ba..4df75b789e 100644 --- a/azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep +++ b/azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep @@ -117,3 +117,33 @@ resource policy_defender_kubernetes 'Microsoft.Authorization/roleAssignments@202 } } +resource tagPolicyAssignemnt 'Microsoft.Authorization/policyAssignments@2024-04-01' = { + name: 'tagPolicyAssignemnt' + scope: resourceGroup() + properties: { + displayName: 'Apply Tag to resource group' + policyDefinitionId: '/providers/Microsoft.Authorization/policyDefinitions/726aca4c-86e9-4b04-b0c5-073027359532' + parameters: { + tagName: { + value: 'Project' + } + tagValue: { + value: 'jumpstart_arcbox_policy' + } + } + } +} + +resource tagIngerit 'Microsoft.Authorization/policyAssignments@2024-04-01' = { + name: 'tagIngerit' + scope: resourceGroup() + properties: { + policyDefinitionId: '/providers/Microsoft.Authorization/policyDefinitions/cd3aa116-8754-49c9-a813-ad46512ece54' + parameters: { + tagName: { + value: 'Project' + } + } + } +} + From da4c16abc13804900694a30f7503b5210226f357 Mon Sep 17 00:00:00 2001 From: Seif Bassem <38246040+sebassem@users.noreply.github.com> Date: Tue, 23 Jul 2024 09:35:03 +0300 Subject: [PATCH 02/24] chore: Add SystemAssigned identity to tagPolicyAssignemnt and tagIngerit resources --- azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep b/azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep index 4df75b789e..f2be387031 100644 
--- a/azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep +++ b/azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep @@ -120,6 +120,9 @@ resource policy_defender_kubernetes 'Microsoft.Authorization/roleAssignments@202 resource tagPolicyAssignemnt 'Microsoft.Authorization/policyAssignments@2024-04-01' = { name: 'tagPolicyAssignemnt' scope: resourceGroup() + identity: { + type: 'SystemAssigned' + } properties: { displayName: 'Apply Tag to resource group' policyDefinitionId: '/providers/Microsoft.Authorization/policyDefinitions/726aca4c-86e9-4b04-b0c5-073027359532' @@ -137,6 +140,9 @@ resource tagPolicyAssignemnt 'Microsoft.Authorization/policyAssignments@2024-04- resource tagIngerit 'Microsoft.Authorization/policyAssignments@2024-04-01' = { name: 'tagIngerit' scope: resourceGroup() + identity: { + type: 'SystemAssigned' + } properties: { policyDefinitionId: '/providers/Microsoft.Authorization/policyDefinitions/cd3aa116-8754-49c9-a813-ad46512ece54' parameters: { From e6ae22b7bbbaaf38cf945e228bcb1a1a7d8875cd Mon Sep 17 00:00:00 2001 From: Seif Bassem <38246040+sebassem@users.noreply.github.com> Date: Tue, 23 Jul 2024 09:35:23 +0300 Subject: [PATCH 03/24] chore: Add SystemAssigned identity to tagPolicyAssignemnt and tagIngerit resources --- azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep b/azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep index f2be387031..5785170124 100644 --- a/azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep +++ b/azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep 
@@ -125,7 +125,7 @@ resource tagPolicyAssignemnt 'Microsoft.Authorization/policyAssignments@2024-04- } properties: { displayName: 'Apply Tag to resource group' - policyDefinitionId: '/providers/Microsoft.Authorization/policyDefinitions/726aca4c-86e9-4b04-b0c5-073027359532' + policyDefinitionId: any('/providers/Microsoft.Authorization/policyDefinitions/726aca4c-86e9-4b04-b0c5-073027359532') parameters: { tagName: { value: 'Project' @@ -144,7 +144,7 @@ resource tagIngerit 'Microsoft.Authorization/policyAssignments@2024-04-01' = { type: 'SystemAssigned' } properties: { - policyDefinitionId: '/providers/Microsoft.Authorization/policyDefinitions/cd3aa116-8754-49c9-a813-ad46512ece54' + policyDefinitionId: any('/providers/Microsoft.Authorization/policyDefinitions/cd3aa116-8754-49c9-a813-ad46512ece54') parameters: { tagName: { value: 'Project' From 8af95fe49dc0dbe1e815142d5f7ebf566a85baae Mon Sep 17 00:00:00 2001 From: Seif Bassem <38246040+sebassem@users.noreply.github.com> Date: Tue, 23 Jul 2024 09:39:50 +0300 Subject: [PATCH 04/24] test --- .../bicep/mgmt/policyAzureArc.bicep | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep b/azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep index 5785170124..5c9c0fdaf7 100644 --- a/azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep +++ b/azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep 
@@ -153,3 +153,21 @@ resource tagIngerit 'Microsoft.Authorization/policyAssignments@2024-04-01' = { } } +resource policy_tagging_resources_rg 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = { + name: guid( tagPolicyAssignemnt.name, any('/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c'),resourceGroup().id) + properties: { + roleDefinitionId: any('/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c') + principalId: tagPolicyAssignemnt.identity.principalId + principalType: 'ServicePrincipal' + } +} + +resource policy_tagging_resources_inherit 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = { + name: guid( tagIngerit.name, any('/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c'),resourceGroup().id) + properties: { + roleDefinitionId: any('/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c') + principalId: tagIngerit.identity.principalId + principalType: 'ServicePrincipal' + } +} + From ac00521004beff53faf22cec43dd12428465bbf3 Mon Sep 17 00:00:00 2001 From: Seif Bassem <38246040+sebassem@users.noreply.github.com> Date: Tue, 23 Jul 2024 09:42:18 +0300 Subject: [PATCH 05/24] test --- azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep | 2 ++ 1 file changed, 2 insertions(+) diff --git a/azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep b/azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep index 5c9c0fdaf7..edb69c8bbe 100644 --- a/azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep +++ b/azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep 
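Review bot: Both role assignments in this hunk hand the tag-policy identities Contributor (`b24988ac-…`) on the whole resource group, which is far more than a Modify-effect tagging policy needs — these identities only ever write tags, and a compromised or misused policy identity with Contributor can change any resource in the group. The built-in Tag Contributor role covers tag writes without access to the resources themselves, so `roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', tagContributorRoleId)` with `tagContributorRoleId` holding that role's GUID is the least-privilege choice; I believe the built-in tag definitions advertise Contributor in their `roleDefinitionIds`, so confirm a remediation task still succeeds with the narrower role before switching. Whichever role is kept, the full role-definition path is spelled out three times here — hoist it into one `var` so the two assignments cannot drift apart.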
@@ -119,6 +119,7 @@ resource policy_defender_kubernetes 'Microsoft.Authorization/roleAssignments@202 resource tagPolicyAssignemnt 'Microsoft.Authorization/policyAssignments@2024-04-01' = { name: 'tagPolicyAssignemnt' + location: resourceGroup().location scope: resourceGroup() identity: { type: 'SystemAssigned' @@ -140,6 +141,7 @@ resource tagPolicyAssignemnt 'Microsoft.Authorization/policyAssignments@2024-04- resource tagIngerit 'Microsoft.Authorization/policyAssignments@2024-04-01' = { name: 'tagIngerit' scope: resourceGroup() + location: resourceGroup().location identity: { type: 'SystemAssigned' } From 35530484232e8667832ef31296f91f9c36252ce2 Mon Sep 17 00:00:00 2001 From: Seif Bassem <38246040+sebassem@users.noreply.github.com> Date: Tue, 23 Jul 2024 10:13:50 +0300 Subject: [PATCH 06/24] testing --- azure_jumpstart_arcbox/bicep/main.bicep | 9 ++ .../bicep/mgmt/mgmtArtifacts.bicep | 9 ++ .../bicep/mgmt/policyAzureArc.bicep | 82 ++++++++----------- 3 files changed, 50 insertions(+), 50 deletions(-) diff --git a/azure_jumpstart_arcbox/bicep/main.bicep b/azure_jumpstart_arcbox/bicep/main.bicep index 17c046a234..3e75d01563 100644 --- a/azure_jumpstart_arcbox/bicep/main.bicep +++ b/azure_jumpstart_arcbox/bicep/main.bicep @@ -63,6 +63,14 @@ param location string = resourceGroup().location @description('The custom location RPO ID. This parameter is only needed when deploying the DataOps flavor.') param customLocationRPOID string = '' +@description('Tags to assign for all ArcBox resources') +param resourceTags array = [ + { + tagName: 'Solution' + tagValue: 'jumpstart_arcbox' + } +] + var templateBaseUrl = 'https://raw.githubusercontent.com/${githubAccount}/azure_arc/${githubBranch}/azure_jumpstart_arcbox/' var aksArcDataClusterName = 'ArcBox-AKS-Data-${guid}' var aksDrArcDataClusterName = 'ArcBox-AKS-DR-Data-${guid}' 
@@ -162,6 +170,7 @@ module mgmtArtifactsAndPolicyDeployment 'mgmt/mgmtArtifacts.bicep' = { deployBastion: deployBastion bastionSku: bastionSku location: location + resourceTags: resourceTags } } diff --git a/azure_jumpstart_arcbox/bicep/mgmt/mgmtArtifacts.bicep b/azure_jumpstart_arcbox/bicep/mgmt/mgmtArtifacts.bicep index 3fb3385610..44e59890c7 100644 --- a/azure_jumpstart_arcbox/bicep/mgmt/mgmtArtifacts.bicep +++ b/azure_jumpstart_arcbox/bicep/mgmt/mgmtArtifacts.bicep @@ -53,6 +53,14 @@ param bastionNetworkSecurityGroupName string = 'ArcBox-Bastion-NSG' @description('DNS Server configuration') param dnsServers array = [] +@description('Tags to assign for all ArcBox resources') +param resourceTags array = [ + { + tagName: 'Solution' + tagValue: 'jumpstart_arcbox' + } +] + var keyVaultName = 'arcbox${uniqueString(resourceGroup().id)}' var security = { @@ -497,6 +505,7 @@ module policyDeployment './policyAzureArc.bicep' = { azureLocation: location logAnalyticsWorkspaceId: workspace.id flavor: flavor + resourceTags: resourceTags } } diff --git a/azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep b/azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep index edb69c8bbe..1df5dc8cf0 100644 --- a/azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep +++ b/azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep @@ -7,6 +7,16 @@ param logAnalyticsWorkspaceId string @description('The flavor of ArcBox you want to deploy. Valid values are: \'Full\', \'ITPro\', \'DevOps\'') param flavor string +@description('Tags to assign for all ArcBox resources') +param resourceTags array = [ + { + tagName: 'Solution' + tagValue: 'jumpstart_arcbox' + } +] + +var tagsRoleDefinitionId = '/providers/Microsoft.Authorization/policyDefinitions/4f9dc7db-30c1-420c-b61a-e1d640128d26' + var policies = [ { name: '(ArcBox) Enable Azure Monitor for Hybrid VMs with AMA' 
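Review bot: `param resourceTags array` is declared with the same literal default in main.bicep, mgmtArtifacts.bicep and policyAzureArc.bicep, but both inner modules receive the value from their caller (`resourceTags: resourceTags` in this hunk), so the two inner defaults are dead code that will silently drift from main.bicep's. Drop the default in the inner modules so a caller cannot forget to pass it, and give the parameter a shape so a malformed entry fails at compile time instead of at the policy-assignment PUT: `param resourceTags { tagName: string, tagValue: string }[]` (needs a Bicep version with user-defined types; otherwise keep `array` and add a `@description` naming the expected keys). An empty array is accepted and just produces no assignments; if ArcBox should always be tagged, add `@minLength(1)`.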
@@ -29,7 +39,7 @@ var policies = [ } } } - { + /*{ name: '(ArcBox) Tag resources' definitionId: '/providers/Microsoft.Authorization/policyDefinitions/4f9dc7db-30c1-420c-b61a-e1d640128d26' flavors: [ @@ -47,7 +57,7 @@ var policies = [ value: 'jumpstart_arcbox' } } - } + }*/ { name: '(ArcBox) Enable Microsoft Defender on Kubernetes clusters' definitionId: '/providers/Microsoft.Authorization/policyDefinitions/708b60a6-d253-4fe0-9114-4be4c00f012c' 
@@ -99,77 +109,49 @@ resource policy_AMA_role_2 'Microsoft.Authorization/roleAssignments@2020-10-01-p } } -resource policy_tagging_resources 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = if (contains(policies[1].flavors, flavor)) { +/*resource policy_tagging_resources 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = if (contains(policies[1].flavors, flavor)) { name: guid( policies[1].name, policies[1].roleDefinition,resourceGroup().id) properties: { roleDefinitionId: any(policies[1].roleDefinition) principalId: contains(policies[1].flavors, flavor)?policies_name[1].identity.principalId:guid('policies_name_id${0}') principalType: 'ServicePrincipal' } -} +}*/ -resource policy_defender_kubernetes 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = if (contains(policies[2].flavors, flavor)) { - name: guid( policies[2].name, policies[2].roleDefinition,resourceGroup().id) +resource policy_defender_kubernetes 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = if (contains(policies[1].flavors, flavor)) { + name: guid( policies[1].name, policies[1].roleDefinition,resourceGroup().id) properties: { - roleDefinitionId: any(policies[2].roleDefinition) - principalId: contains(policies[2].flavors, flavor)?policies_name[2].identity.principalId:guid('policies_name_id${0}') + roleDefinitionId: any(policies[1].roleDefinition) + principalId: contains(policies[1].flavors, flavor)?policies_name[2].identity.principalId:guid('policies_name_id${0}') principalType: 'ServicePrincipal' } } -resource tagPolicyAssignemnt 'Microsoft.Authorization/policyAssignments@2024-04-01' = { - name: 'tagPolicyAssignemnt' - location: resourceGroup().location - scope: resourceGroup() + +resource applyCustomTags 'Microsoft.Authorization/policyAssignments@2021-06-01' = [for (tag,i) in resourceTags: { + name: 'applyTag-${tag[i].tagName}' + location: azureLocation identity: { type: 'SystemAssigned' } properties: { - displayName: 'Apply Tag to resource group' - 
policyDefinitionId: any('/providers/Microsoft.Authorization/policyDefinitions/726aca4c-86e9-4b04-b0c5-073027359532') - parameters: { + policyDefinitionId: any('/providers/Microsoft.Authorization/policyDefinitions/4f9dc7db-30c1-420c-b61a-e1d640128d26') + parameters:{ tagName: { - value: 'Project' + value: tag[i].tagName } tagValue: { - value: 'jumpstart_arcbox_policy' + value: tag[i].tagValue } } } -} - -resource tagIngerit 'Microsoft.Authorization/policyAssignments@2024-04-01' = { - name: 'tagIngerit' - scope: resourceGroup() - location: resourceGroup().location - identity: { - type: 'SystemAssigned' - } - properties: { - policyDefinitionId: any('/providers/Microsoft.Authorization/policyDefinitions/cd3aa116-8754-49c9-a813-ad46512ece54') - parameters: { - tagName: { - value: 'Project' - } - } - } -} - -resource policy_tagging_resources_rg 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = { - name: guid( tagPolicyAssignemnt.name, any('/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c'),resourceGroup().id) - properties: { - roleDefinitionId: any('/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c') - principalId: tagPolicyAssignemnt.identity.principalId - principalType: 'ServicePrincipal' - } -} +}] -resource policy_tagging_resources_inherit 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = { - name: guid( tagIngerit.name, any('/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c'),resourceGroup().id) +resource policy_tagging_resources 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = [for (tag,i) in resourceTags: { + name: guid( tag[i].tagName, tagsRoleDefinitionId,resourceGroup().id) properties: { - roleDefinitionId: 
any('/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c') - principalId: tagIngerit.identity.principalId + roleDefinitionId: any(tagsRoleDefinitionId) + principalId: applyCustomTags[i].identity.principalId principalType: 'ServicePrincipal' } -} - +}] From 4688ce99c7ff49663c1d3d3e260263ac10cb2d5e Mon Sep 17 00:00:00 2001 From: Seif Bassem <38246040+sebassem@users.noreply.github.com> Date: Tue, 23 Jul 2024 10:16:12 +0300 Subject: [PATCH 07/24] test --- azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep b/azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep index 1df5dc8cf0..f86e5be11a 100644 --- a/azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep +++ b/azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep @@ -129,7 +129,7 @@ resource policy_defender_kubernetes 'Microsoft.Authorization/roleAssignments@202 resource applyCustomTags 'Microsoft.Authorization/policyAssignments@2021-06-01' = [for (tag,i) in resourceTags: { - name: 'applyTag-${tag[i].tagName}' + name: 'applyTag-${i}' location: azureLocation identity: { type: 'SystemAssigned' From e870b0535cd634199a77b41580731510b5e4fd42 Mon Sep 17 00:00:00 2001 From: Seif Bassem <38246040+sebassem@users.noreply.github.com> Date: Tue, 23 Jul 2024 10:20:46 +0300 Subject: [PATCH 08/24] test --- azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep b/azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep index f86e5be11a..3a9c056017 100644 --- a/azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep +++ b/azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep 
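Review bot: After the '(ArcBox) Tag resources' entry is commented out, `policy_defender_kubernetes` in this hunk reads `policies[1]` for its condition, name and role but `policies_name[2].identity.principalId` for the principal, so the Defender role is bound to whatever identity sits at index 2 of `policies_name` (presumably a `[for … in policies]` loop defined above the hunk) — an out-of-range index once the array has only two entries. The underlying problem is positional indexing: commenting one entry out shifts every `policies[n]`/`policies_name[n]`, and patches 09–11 and 18–19 of this series are spent chasing those numbers. Declare each assignment's index once, e.g. `var defenderPolicyIndex = 1`, and use it in the condition, `name`, `roleDefinitionId` and `principalId` so the four cannot diverge, and delete the `/* … */` blocks rather than keeping dead definitions in the file. `policies_name` itself is outside this hunk.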
@@ -148,7 +148,7 @@ resource applyCustomTags 'Microsoft.Authorization/policyAssignments@2021-06-01' }] resource policy_tagging_resources 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = [for (tag,i) in resourceTags: { - name: guid( tag[i].tagName, tagsRoleDefinitionId,resourceGroup().id) + name: guid('applyTag-${i}', tagsRoleDefinitionId,resourceGroup().id) properties: { roleDefinitionId: any(tagsRoleDefinitionId) principalId: applyCustomTags[i].identity.principalId From baa14289d8735fb4096b98940ed56c661afa5827 Mon Sep 17 00:00:00 2001 From: Seif Bassem <38246040+sebassem@users.noreply.github.com> Date: Tue, 23 Jul 2024 10:22:00 +0300 Subject: [PATCH 09/24] test --- azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep b/azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep index 3a9c056017..088a4934bc 100644 --- a/azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep +++ b/azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep @@ -101,9 +101,9 @@ resource policy_AMA_role_1 'Microsoft.Authorization/roleAssignments@2020-10-01-p } resource policy_AMA_role_2 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = if (contains(policies[0].flavors, flavor)) { - name: guid( policies[0].name, policies[0].roleDefinition[2],resourceGroup().id) + name: guid( policies[0].name, policies[0].roleDefinition[1],resourceGroup().id) properties: { - roleDefinitionId: any(policies[0].roleDefinition[2]) + roleDefinitionId: any(policies[0].roleDefinition[1]) principalId: contains(policies[0].flavors, flavor)?policies_name[0].identity.principalId:guid('policies_name_id${0}') principalType: 'ServicePrincipal' } From 605a76e76388daf3c0ebe3db31c9ad52a4cdaf87 Mon Sep 17 00:00:00 2001 
From: Seif Bassem <38246040+sebassem@users.noreply.github.com> Date: Tue, 23 Jul 2024 10:23:28 +0300 Subject: [PATCH 10/24] test --- azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep b/azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep index 088a4934bc..b17633b34f 100644 --- a/azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep +++ b/azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep @@ -103,7 +103,7 @@ resource policy_AMA_role_1 'Microsoft.Authorization/roleAssignments@2020-10-01-p resource policy_AMA_role_2 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = if (contains(policies[0].flavors, flavor)) { name: guid( policies[0].name, policies[0].roleDefinition[1],resourceGroup().id) properties: { - roleDefinitionId: any(policies[0].roleDefinition[1]) + roleDefinitionId: any(policies[0].roleDefinition[0]) principalId: contains(policies[0].flavors, flavor)?policies_name[0].identity.principalId:guid('policies_name_id${0}') principalType: 'ServicePrincipal' } @@ -122,7 +122,7 @@ resource policy_defender_kubernetes 'Microsoft.Authorization/roleAssignments@202 name: guid( policies[1].name, policies[1].roleDefinition,resourceGroup().id) properties: { roleDefinitionId: any(policies[1].roleDefinition) - principalId: contains(policies[1].flavors, flavor)?policies_name[2].identity.principalId:guid('policies_name_id${0}') + principalId: contains(policies[1].flavors, flavor)?policies_name[1].identity.principalId:guid('policies_name_id${0}') principalType: 'ServicePrincipal' } } From a3f0425081defb26e093ec9683f75dfb88b9a93a Mon Sep 17 00:00:00 2001 From: Seif Bassem <38246040+sebassem@users.noreply.github.com> Date: Tue, 23 Jul 2024 10:25:00 +0300 Subject: [PATCH 11/24] test --- azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep b/azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep index b17633b34f..3a9c056017 100644 --- a/azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep +++ b/azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep @@ -101,9 +101,9 @@ resource policy_AMA_role_1 'Microsoft.Authorization/roleAssignments@2020-10-01-p } resource policy_AMA_role_2 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = if (contains(policies[0].flavors, flavor)) { - name: guid( policies[0].name, policies[0].roleDefinition[1],resourceGroup().id) + name: guid( policies[0].name, policies[0].roleDefinition[2],resourceGroup().id) properties: { - roleDefinitionId: any(policies[0].roleDefinition[0]) + roleDefinitionId: any(policies[0].roleDefinition[2]) principalId: contains(policies[0].flavors, flavor)?policies_name[0].identity.principalId:guid('policies_name_id${0}') principalType: 'ServicePrincipal' } @@ -122,7 +122,7 @@ resource policy_defender_kubernetes 'Microsoft.Authorization/roleAssignments@202 name: guid( policies[1].name, policies[1].roleDefinition,resourceGroup().id) properties: { roleDefinitionId: any(policies[1].roleDefinition) - principalId: contains(policies[1].flavors, flavor)?policies_name[1].identity.principalId:guid('policies_name_id${0}') + principalId: contains(policies[1].flavors, flavor)?policies_name[2].identity.principalId:guid('policies_name_id${0}') principalType: 'ServicePrincipal' } } From 8b2253c12674fd41c7ecba9f9bfcecc417d82468 Mon Sep 17 00:00:00 2001 From: Seif Bassem <38246040+sebassem@users.noreply.github.com> Date: Tue, 23 Jul 2024 10:26:27 +0300 Subject: [PATCH 12/24] test --- azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep b/azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep index 3a9c056017..6d4a93ade5 100644 
--- a/azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep +++ b/azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep @@ -39,7 +39,7 @@ var policies = [ } } } - /*{ + { name: '(ArcBox) Tag resources' definitionId: '/providers/Microsoft.Authorization/policyDefinitions/4f9dc7db-30c1-420c-b61a-e1d640128d26' flavors: [ @@ -57,7 +57,7 @@ var policies = [ value: 'jumpstart_arcbox' } } - }*/ + } { name: '(ArcBox) Enable Microsoft Defender on Kubernetes clusters' definitionId: '/providers/Microsoft.Authorization/policyDefinitions/708b60a6-d253-4fe0-9114-4be4c00f012c' From a61a943dfaa0283ee50656c354e1b3db0878f083 Mon Sep 17 00:00:00 2001 From: Seif Bassem <38246040+sebassem@users.noreply.github.com> Date: Tue, 23 Jul 2024 10:27:51 +0300 Subject: [PATCH 13/24] test --- azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep b/azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep index 6d4a93ade5..fd00783bd6 100644 --- a/azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep +++ b/azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep @@ -129,7 +129,7 @@ resource policy_defender_kubernetes 'Microsoft.Authorization/roleAssignments@202 resource applyCustomTags 'Microsoft.Authorization/policyAssignments@2021-06-01' = [for (tag,i) in resourceTags: { - name: 'applyTag-${i}' + name: 'applyTag${i}' location: azureLocation identity: { type: 'SystemAssigned' @@ -148,7 +148,7 @@ resource applyCustomTags 'Microsoft.Authorization/policyAssignments@2021-06-01' }] resource policy_tagging_resources 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = [for (tag,i) in resourceTags: { - name: guid('applyTag-${i}', tagsRoleDefinitionId,resourceGroup().id) + name: guid('applyTag${i}', tagsRoleDefinitionId,resourceGroup().id) properties: { roleDefinitionId: any(tagsRoleDefinitionId) principalId: applyCustomTags[i].identity.principalId 
From 52da892201dab1dad35444129697ab356031d15c Mon Sep 17 00:00:00 2001 From: Seif Bassem <38246040+sebassem@users.noreply.github.com> Date: Tue, 23 Jul 2024 11:14:53 +0300 Subject: [PATCH 14/24] test --- azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep b/azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep index fd00783bd6..e4398bd248 100644 --- a/azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep +++ b/azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep @@ -148,7 +148,7 @@ resource applyCustomTags 'Microsoft.Authorization/policyAssignments@2021-06-01' }] resource policy_tagging_resources 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = [for (tag,i) in resourceTags: { - name: guid('applyTag${i}', tagsRoleDefinitionId,resourceGroup().id) + name: guid(applyCustomTags[i].name, tagsRoleDefinitionId,resourceGroup().id) properties: { roleDefinitionId: any(tagsRoleDefinitionId) principalId: applyCustomTags[i].identity.principalId From e0c5679636cfee093ac6c0bc6d2cde3846724ebe Mon Sep 17 00:00:00 2001 From: Seif Bassem <38246040+sebassem@users.noreply.github.com> Date: Tue, 23 Jul 2024 11:18:21 +0300 Subject: [PATCH 15/24] test --- azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep b/azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep index e4398bd248..f974656def 100644 --- a/azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep +++ b/azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep 
@@ -129,7 +129,7 @@ resource policy_defender_kubernetes 'Microsoft.Authorization/roleAssignments@202 resource applyCustomTags 'Microsoft.Authorization/policyAssignments@2021-06-01' = [for (tag,i) in resourceTags: { - name: 'applyTag${i}' + name: 'applyTag-${tag[i].tagName}' location: azureLocation identity: { type: 'SystemAssigned' From fd627b1a0c7c285d60da43e1f85bee98e6da56af Mon Sep 17 00:00:00 2001 From: Seif Bassem <38246040+sebassem@users.noreply.github.com> Date: Tue, 23 Jul 2024 11:19:44 +0300 Subject: [PATCH 16/24] test --- azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep b/azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep index f974656def..b46ad073cd 100644 --- a/azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep +++ b/azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep @@ -129,7 +129,7 @@ resource policy_defender_kubernetes 'Microsoft.Authorization/roleAssignments@202 resource applyCustomTags 'Microsoft.Authorization/policyAssignments@2021-06-01' = [for (tag,i) in resourceTags: { - name: 'applyTag-${tag[i].tagName}' + name: 'applyTag-${tag.tagName}' location: azureLocation identity: { type: 'SystemAssigned' @@ -138,10 +138,10 @@ resource applyCustomTags 'Microsoft.Authorization/policyAssignments@2021-06-01' policyDefinitionId: any('/providers/Microsoft.Authorization/policyDefinitions/4f9dc7db-30c1-420c-b61a-e1d640128d26') parameters:{ tagName: { - value: tag[i].tagName + value: tag.tagName } tagValue: { - value: tag[i].tagValue + value: tag.tagValue } } } From a5f3e2ce80d61b38657de56f30ad69f2c6dc084a Mon Sep 17 00:00:00 2001 From: Seif Bassem <38246040+sebassem@users.noreply.github.com> Date: Tue, 23 Jul 2024 11:21:39 +0300 Subject: [PATCH 17/24] test --- azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
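Review bot: `name: 'applyTag-${tag.tagName}'` turns a caller-supplied tag name into a policy-assignment resource name, and the two have different character rules — tag names allow characters such as `:` and `.` that Microsoft.Authorization resource names reject (and a resource name may not end in a period or space), so a deployment with e.g. `cost:center` fails at PUT time with an opaque naming error; worth checking against the current resource-name rules. Two entries with the same `tagName` also collide on the same resource name. Deriving the name from a hash keeps it valid while the display name stays readable: `name: 'applyTag-${uniqueString(tag.tagName)}'` plus `displayName: 'Apply tag ${tag.tagName}'`; the role-assignment `guid(applyCustomTags[i].name, …)` introduced in patch 14 follows automatically.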
diff --git a/azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep b/azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep index b46ad073cd..05615701d8 100644 --- a/azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep +++ b/azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep @@ -15,7 +15,7 @@ param resourceTags array = [ } ] -var tagsRoleDefinitionId = '/providers/Microsoft.Authorization/policyDefinitions/4f9dc7db-30c1-420c-b61a-e1d640128d26' +param tagsRoleDefinitionId string = '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c' var policies = [ { @@ -150,7 +150,7 @@ resource applyCustomTags 'Microsoft.Authorization/policyAssignments@2021-06-01' resource policy_tagging_resources 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = [for (tag,i) in resourceTags: { name: guid(applyCustomTags[i].name, tagsRoleDefinitionId,resourceGroup().id) properties: { - roleDefinitionId: any(tagsRoleDefinitionId) + roleDefinitionId: tagsRoleDefinitionId principalId: applyCustomTags[i].identity.principalId principalType: 'ServicePrincipal' } From f3b4b9e5a34347bc9e9e0dabfa1152afedca3cfb Mon Sep 17 00:00:00 2001 From: Seif Bassem <38246040+sebassem@users.noreply.github.com> Date: Tue, 23 Jul 2024 11:24:42 +0300 Subject: [PATCH 18/24] test --- azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep b/azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep index 05615701d8..3d2c28dd1b 100644 --- a/azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep +++ b/azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep 
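Review bot: Turning `tagsRoleDefinitionId` from a `var` into a `param` makes the role granted to every tag-policy identity caller-controlled with no `@allowed` guard, so any caller of this module can give those system-assigned identities Owner or User Access Administrator on the resource group simply by overriding a parameter. Nothing visible in the series passes it from mgmtArtifacts.bicep, so keep it internal: `var tagsRoleDefinitionId = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')`, which also replaces the hand-built `/subscriptions/${subscription().subscriptionId}/…` string and removes the need for `any()`. The value itself is Contributor, which is broader than writing tags requires; the built-in Tag Contributor role is the least-privilege choice if remediation of this definition works with it (confirm, since the built-in definition advertises Contributor).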
@@ -118,11 +118,11 @@ resource policy_AMA_role_2 'Microsoft.Authorization/roleAssignments@2020-10-01-p } }*/ -resource policy_defender_kubernetes 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = if (contains(policies[1].flavors, flavor)) { +resource policy_defender_kubernetes 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = if (contains(policies[2].flavors, flavor)) { name: guid( policies[1].name, policies[1].roleDefinition,resourceGroup().id) properties: { - roleDefinitionId: any(policies[1].roleDefinition) - principalId: contains(policies[1].flavors, flavor)?policies_name[2].identity.principalId:guid('policies_name_id${0}') + roleDefinitionId: any(policies[2].roleDefinition) + principalId: contains(policies[2].flavors, flavor)?policies_name[2].identity.principalId:guid('policies_name_id${0}') principalType: 'ServicePrincipal' } } From 8141b0cb2476768106d295888d7cb28e86c79edb Mon Sep 17 00:00:00 2001 From: Seif Bassem <38246040+sebassem@users.noreply.github.com> Date: Tue, 23 Jul 2024 11:27:03 +0300 Subject: [PATCH 19/24] test --- azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep b/azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep index 3d2c28dd1b..06b0c2b63e 100644 --- a/azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep +++ b/azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep @@ -39,7 +39,7 @@ var policies = [ } } } - { + /*{ name: '(ArcBox) Tag resources' definitionId: '/providers/Microsoft.Authorization/policyDefinitions/4f9dc7db-30c1-420c-b61a-e1d640128d26' flavors: [ @@ -57,7 +57,7 @@ var policies = [ value: 'jumpstart_arcbox' } } - } + }*/ { name: '(ArcBox) Enable Microsoft Defender on Kubernetes clusters' definitionId: '/providers/Microsoft.Authorization/policyDefinitions/708b60a6-d253-4fe0-9114-4be4c00f012c' 
@@ -118,11 +118,11 @@ resource policy_AMA_role_2 'Microsoft.Authorization/roleAssignments@2020-10-01-p } }*/ -resource policy_defender_kubernetes 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = if (contains(policies[2].flavors, flavor)) { +resource policy_defender_kubernetes 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = if (contains(policies[1].flavors, flavor)) { name: guid( policies[1].name, policies[1].roleDefinition,resourceGroup().id) properties: { - roleDefinitionId: any(policies[2].roleDefinition) - principalId: contains(policies[2].flavors, flavor)?policies_name[2].identity.principalId:guid('policies_name_id${0}') + roleDefinitionId: any(policies[1].roleDefinition) + principalId: contains(policies[1].flavors, flavor)?policies_name[1].identity.principalId:guid('policies_name_id${0}') principalType: 'ServicePrincipal' } } From ef3af05d711bf40d9bf91519417e7775be5d44ae Mon Sep 17 00:00:00 2001 From: Seif Bassem <38246040+sebassem@users.noreply.github.com> Date: Tue, 23 Jul 2024 11:38:09 +0300 Subject: [PATCH 20/24] test --- .../bicep/clientVm/clientVm.bicep | 4 --- .../bicep/mgmt/mgmtArtifacts.bicep | 27 +++++++++++++++++++ .../bicep/mgmt/policyAzureArc.bicep | 2 +- 3 files changed, 28 insertions(+), 5 deletions(-) diff --git a/azure_jumpstart_arcbox/bicep/clientVm/clientVm.bicep b/azure_jumpstart_arcbox/bicep/clientVm/clientVm.bicep index 19d3e7ed0e..46335ce41d 100644 --- a/azure_jumpstart_arcbox/bicep/clientVm/clientVm.bicep +++ b/azure_jumpstart_arcbox/bicep/clientVm/clientVm.bicep @@ -28,9 +28,6 @@ param location string = resourceGroup().location @description('Resource Id of the subnet in the virtual network') param subnetId string -param resourceTags object = { - Project: 'jumpstart_arcbox' -} param spnAuthority string = environment().authentication.loginEndpoint @description('Your Microsoft Entra tenant Id') 
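Review bot: Removing `param resourceTags` from clientVm.bicep changes the module's interface, and the module call in main.bicep is not in this patch — if main.bicep still passes `resourceTags:` to the client VM module the deployment fails with an unrecognised parameter, so that call has to change in the same commit. The VM previously carried `Project: jumpstart_arcbox` directly, while the policy path introduced in patch 06 defaults to `Solution` / `jumpstart_arcbox`; anything that selects ArcBox resources by the `Project` key (cost views, cleanup scripts, dashboards) silently loses the VM once this lands. If `Project` is still relied on, add `{ tagName: 'Project', tagValue: 'jumpstart_arcbox' }` to the `resourceTags` default, otherwise document the key change in the PR description.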
@@ -158,7 +155,6 @@ resource vmDisk 'Microsoft.Compute/disks@2023-04-02' = {
 resource vm 'Microsoft.Compute/virtualMachines@2022-03-01' = {
 name: vmName
 location: location
- tags: resourceTags
 identity: {
 type: 'SystemAssigned'
 }
diff --git a/azure_jumpstart_arcbox/bicep/mgmt/mgmtArtifacts.bicep b/azure_jumpstart_arcbox/bicep/mgmt/mgmtArtifacts.bicep
index 44e59890c7..4b6562ac14 100644
--- a/azure_jumpstart_arcbox/bicep/mgmt/mgmtArtifacts.bicep
+++ b/azure_jumpstart_arcbox/bicep/mgmt/mgmtArtifacts.bicep
@@ -131,6 +131,9 @@ var dataOpsSubnets = [
 resource arcVirtualNetwork 'Microsoft.Network/virtualNetworks@2022-01-01' = {
 name: virtualNetworkName
 location: location
+ dependsOn: [
+ policyDeployment
+ ]
 properties: {
 addressSpace: {
 addressPrefixes: [
@@ -147,6 +150,9 @@ resource arcVirtualNetwork 'Microsoft.Network/virtualNetworks@2022-01-01' = {
 resource drVirtualNetwork 'Microsoft.Network/virtualNetworks@2022-01-01' = if (flavor == 'DataOps') {
 name: drVirtualNetworkName
 location: location
+ dependsOn: [
+ policyDeployment
+ ]
 properties: {
 addressSpace: {
 addressPrefixes: [
@@ -173,6 +179,9 @@ resource drVirtualNetwork 'Microsoft.Network/virtualNetworks@2022-01-01' = if (f
 resource virtualNetworkName_peering_to_DR_vnet 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2022-01-01' = if (flavor == 'DataOps') {
 parent: arcVirtualNetwork
 name: 'peering-to-DR-vnet'
+ dependsOn: [
+ policyDeployment
+ ]
 properties: {
 allowVirtualNetworkAccess: true
 allowForwardedTraffic: true
@@ -187,6 +196,9 @@ resource virtualNetworkName_peering_to_DR_vnet 'Microsoft.Network/virtualNetwork
 resource drVirtualNetworkName_peering_to_primary_vnet 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2022-01-01' = if (flavor == 'DataOps') {
 parent: drVirtualNetwork
 name: 'peering-to-primary-vnet'
+ dependsOn: [
+ policyDeployment
+ ]
 properties: {
 allowVirtualNetworkAccess: true
 allowForwardedTraffic: true
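Review bot: Removing `tags: resourceTags` from the `vm` resource makes the VM's tags depend entirely on the Modify-effect policy assignment that the same deployment creates a few steps earlier, and a freshly created assignment is not guaranteed to be enforced on the very next PUT, so a first-time deployment can leave the VM untagged until a later evaluation or remediation runs. Keeping the explicit `tags: resourceTags` on the resource alongside the policy is the safer pattern: deploy-time tagging does not depend on policy propagation timing, and the policy still corrects drift afterwards. If the intent is to rely solely on the policy, a comment on the resource saying so would stop the next maintainer from re-adding the property.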
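Review bot: The `dependsOn: [ policyDeployment ]` added to the two peering resources is redundant, because `parent: arcVirtualNetwork` and `parent: drVirtualNetwork` already order them after the vnets, which now carry the same dependency; the explicit entries on arcVirtualNetwork and drVirtualNetwork (and on the NSGs, public IP, bastion host and keyVault module in the next hunks) are the ones doing the work. Since none of these resources reference an output of the module, the reason for the dependency is invisible in the code; a one-line comment on each, `// ordered after the policy module so the tag Modify policy is in place before this resource is created`, documents why it must not be removed. Note that this ordering only waits for the module deployment to finish, not for the assignment to become effective, which is presumably why the tags are also still needed on resources that matter.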
@@ -201,6 +213,9 @@ resource drVirtualNetworkName_peering_to_primary_vnet 'Microsoft.Network/virtual
 resource networkSecurityGroup 'Microsoft.Network/networkSecurityGroups@2022-01-01' = {
 name: networkSecurityGroupName
 location: location
+ dependsOn: [
+ policyDeployment
+ ]
 properties: {
 securityRules: [
 {
@@ -314,6 +329,9 @@ resource networkSecurityGroup 'Microsoft.Network/networkSecurityGroups@2022-01-0
 resource bastionNetworkSecurityGroup 'Microsoft.Network/networkSecurityGroups@2022-01-01' = if (deployBastion == true) {
 name: bastionNetworkSecurityGroupName
 location: location
+ dependsOn: [
+ policyDeployment
+ ]
 properties: {
 securityRules: [
 {
@@ -463,6 +481,9 @@ resource securityGallery 'Microsoft.OperationsManagement/solutions@2015-11-01-pr
 resource publicIpAddress 'Microsoft.Network/publicIPAddresses@2022-01-01' = if (deployBastion == true) {
 name: bastionPublicIpAddressName
 location: location
+ dependsOn: [
+ policyDeployment
+ ]
 properties: {
 publicIPAllocationMethod: 'Static'
 publicIPAddressVersion: 'IPv4'
@@ -476,6 +497,9 @@ resource publicIpAddress 'Microsoft.Network/publicIPAddresses@2022-01-01' = if (
 resource bastionHost 'Microsoft.Network/bastionHosts@2023-11-01' = if (deployBastion == true) {
 name: bastionName
 location: location
+ dependsOn: [
+ policyDeployment
+ ]
 sku: {
 name: bastionSku
 }
@@ -511,6 +535,9 @@ module policyDeployment './policyAzureArc.bicep' = {
 module keyVault 'br/public:avm/res/key-vault/vault:0.5.1' = {
 name: 'keyVaultDeployment'
+ dependsOn: [
+ policyDeployment
+ ]
 params: {
 name: keyVaultName
 enablePurgeProtection: false
diff --git a/azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep b/azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep
index 06b0c2b63e..7e277dbcc4 100644
--- a/azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep
+++ b/azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep
@@ -129,7 +129,7 @@ resource policy_defender_kubernetes 'Microsoft.Authorization/roleAssignments@202
 resource applyCustomTags 'Microsoft.Authorization/policyAssignments@2021-06-01' = [for (tag,i) in resourceTags: {
- name: 'applyTag-${tag.tagName}'
+ name: '(ArcBox) Tag resources-${tag.tagName}'
 location: azureLocation
 identity: {
 type: 'SystemAssigned'
From 8be060fc3320dbaeae6a41114a9c923a12899f09 Mon Sep 17 00:00:00 2001
From: Seif Bassem <38246040+sebassem@users.noreply.github.com>
Date: Tue, 23 Jul 2024 12:17:49 +0300
Subject: [PATCH 21/24] test
---
 azure_jumpstart_arcbox/bicep/main.bicep | 10 ++++------
 .../bicep/mgmt/mgmtArtifacts.bicep | 11 +++++------
 .../bicep/mgmt/policyAzureArc.bicep | 19 ++++++++-----------
 3 files changed, 17 insertions(+), 23 deletions(-)
diff --git a/azure_jumpstart_arcbox/bicep/main.bicep b/azure_jumpstart_arcbox/bicep/main.bicep
index 3e75d01563..d72d116f7d 100644
--- a/azure_jumpstart_arcbox/bicep/main.bicep
+++ b/azure_jumpstart_arcbox/bicep/main.bicep
@@ -64,12 +64,10 @@ param location string = resourceGroup().location
 param customLocationRPOID string = ''
 @description('Tags to assign for all ArcBox resources')
-param resourceTags array = [
- {
- tagName: 'Solution'
- tagValue: 'jumpstart_arcbox'
- }
-]
+param resourceTags object = {
+ Solution: 'jumpstart_arcbox'
+ Name: 'Seif'
+}
 var templateBaseUrl = 'https://raw.githubusercontent.com/${githubAccount}/azure_arc/${githubBranch}/azure_jumpstart_arcbox/'
 var aksArcDataClusterName = 'ArcBox-AKS-Data-${guid}'
diff --git a/azure_jumpstart_arcbox/bicep/mgmt/mgmtArtifacts.bicep b/azure_jumpstart_arcbox/bicep/mgmt/mgmtArtifacts.bicep
index 4b6562ac14..c8c05b4aa4 100644
--- a/azure_jumpstart_arcbox/bicep/mgmt/mgmtArtifacts.bicep
+++ b/azure_jumpstart_arcbox/bicep/mgmt/mgmtArtifacts.bicep
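Review bot: `name: '(ArcBox) Tag resources-${tag.tagName}'` puts a caller-supplied tag key, unbounded and unsanitised, into the policy assignment's resource name, which has its own length and character limits; a long or unusual tag key will fail the deployment with a naming error rather than a clear message, and the name is also the seed for the role-assignment `guid(...)` further down the file, so renaming it here orphans previously deployed role assignments. The human-readable text belongs in `displayName`, with `name` derived from something bounded, e.g. `name: guid(resourceGroup().id, 'tag', tag.tagName)` and `displayName: '(ArcBox) Tag resources - ${tag.tagName}'`. The loop index `i` is unused inside this resource, though it is used by the sibling role-assignment loop that indexes `applyCustomTags[i]`. The loop body continues past the hunk.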
@@ -54,12 +54,9 @@ param bastionNetworkSecurityGroupName string = 'ArcBox-Bastion-NSG'
 param dnsServers array = []
 @description('Tags to assign for all ArcBox resources')
-param resourceTags array = [
- {
- tagName: 'Solution'
- tagValue: 'jumpstart_arcbox'
- }
-]
+param resourceTags object = {
+ Solution: 'jumpstart_arcbox'
+}
 var keyVaultName = 'arcbox${uniqueString(resourceGroup().id)}'
@@ -454,9 +451,11 @@ resource bastionNetworkSecurityGroup 'Microsoft.Network/networkSecurityGroups@20
 }
 }
+
 resource workspace 'Microsoft.OperationalInsights/workspaces@2021-06-01' = {
 name: workspaceName
 location: location
+ tags: resourceTags
 properties: {
 sku: {
 name: sku
diff --git a/azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep b/azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep
index 7e277dbcc4..3168f7d2e3 100644
--- a/azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep
+++ b/azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep
@@ -8,12 +8,9 @@ param logAnalyticsWorkspaceId string
 param flavor string
 @description('Tags to assign for all ArcBox resources')
-param resourceTags array = [
- {
- tagName: 'Solution'
- tagValue: 'jumpstart_arcbox'
- }
-]
+param resourceTags object = {
+ Solution: 'jumpstart_arcbox'
+}
 param tagsRoleDefinitionId string = '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c'
@@ -128,8 +125,8 @@ resource policy_defender_kubernetes 'Microsoft.Authorization/roleAssignments@202
 }
-resource applyCustomTags 'Microsoft.Authorization/policyAssignments@2021-06-01' = [for (tag,i) in resourceTags: {
- name: '(ArcBox) Tag resources-${tag.tagName}'
+resource applyCustomTags 'Microsoft.Authorization/policyAssignments@2021-06-01' = [for (tag,i) in items(resourceTags): {
+ name: '(ArcBox) Tag resources-${tag.key}'
 location: azureLocation
 identity: {
 type: 'SystemAssigned'
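Review bot: The `resourceTags` default `{ Solution: 'jumpstart_arcbox' }` is now repeated in mgmtArtifacts.bicep, policyAzureArc.bicep and main.bicep (and clientVm.bicep in the final commit), while main.bicepparam in the next commit sets `param resourceTags = {}`; four copies of one default will drift, and the empty object in the parameter file means the Solution tag is not applied at all unless the user edits that line. If main.bicep passes `resourceTags` into these modules, the module parameters can be declared as plain `param resourceTags object` with no default so there is a single source of truth, and the `{}` in main.bicepparam deserves a clearer hint than `// Add tags as needed`, for instance `// Empty object disables the tag policy assignments; main.bicep's default is { Solution: 'jumpstart_arcbox' }`. The `@description` on each copy can also note that values must be strings, since the object type does not enforce that.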
@@ -138,16 +135,16 @@ resource applyCustomTags 'Microsoft.Authorization/policyAssignments@2021-06-01'
 policyDefinitionId: any('/providers/Microsoft.Authorization/policyDefinitions/4f9dc7db-30c1-420c-b61a-e1d640128d26')
 parameters:{
 tagName: {
- value: tag.tagName
+ value: tag.key
 }
 tagValue: {
- value: tag.tagValue
+ value: tag.value
 }
 }
 }
 }]
-resource policy_tagging_resources 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = [for (tag,i) in resourceTags: {
+resource policy_tagging_resources 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = [for (tag,i) in items(resourceTags): {
 name: guid(applyCustomTags[i].name, tagsRoleDefinitionId,resourceGroup().id)
 properties: {
 roleDefinitionId: tagsRoleDefinitionId
From 89b3f80b3edb7c9ee524df2b79cefa964ac1080e Mon Sep 17 00:00:00 2001
From: Seif Bassem <38246040+sebassem@users.noreply.github.com>
Date: Tue, 23 Jul 2024 12:32:09 +0300
Subject: [PATCH 22/24] chore: Add resourceTags parameter to main.bicepparam file
---
 azure_jumpstart_arcbox/bicep/main.bicepparam | 2 ++
 .../bicep/mgmt/policyAzureArc.bicep | 28 -------------------
 2 files changed, 2 insertions(+), 28 deletions(-)
diff --git a/azure_jumpstart_arcbox/bicep/main.bicepparam b/azure_jumpstart_arcbox/bicep/main.bicepparam
index d1c0990b34..9db53aff1a 100644
--- a/azure_jumpstart_arcbox/bicep/main.bicepparam
+++ b/azure_jumpstart_arcbox/bicep/main.bicepparam
@@ -15,3 +15,5 @@ param flavor = 'ITPro'
 param deployBastion = false
 param vmAutologon = true
+
+param resourceTags = {} // Add tags as needed
diff --git a/azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep b/azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep
index 3168f7d2e3..78dffa8ac7 100644
--- a/azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep
+++ b/azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep
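Review bot: `value: tag.value` forwards whatever the caller put in the `resourceTags` object straight into the policy's `tagValue` parameter, and because `object` does not constrain member types a numeric or nested value only fails at deployment time with a policy parameter type error; either coerce with `value: string(tag.value)` or, if the Bicep version in use supports user-defined types, declare the parameter as `{ *: string }` so the mistake is caught at compile time. Separately, each assignment's identity is granted `tagsRoleDefinitionId`, whose default in this file is the Contributor role; a tag Modify policy only needs to write tags, so it is worth checking whether a narrower built-in role (Tag Contributor) satisfies the definition's `roleDefinitionIds` and switching the default if it does. The role-assignment loop body continues past the hunk.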
@@ -36,25 +36,6 @@ var policies = [
 }
 }
 }
- /*{
- name: '(ArcBox) Tag resources'
- definitionId: '/providers/Microsoft.Authorization/policyDefinitions/4f9dc7db-30c1-420c-b61a-e1d640128d26'
- flavors: [
- 'Full'
- 'ITPro'
- 'DevOps'
- 'DataOps'
- ]
- roleDefinition: '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c'
- parameters: {
- tagName: {
- value: 'Project'
- }
- tagValue: {
- value: 'jumpstart_arcbox'
- }
- }
- }*/
 {
 name: '(ArcBox) Enable Microsoft Defender on Kubernetes clusters'
 definitionId: '/providers/Microsoft.Authorization/policyDefinitions/708b60a6-d253-4fe0-9114-4be4c00f012c'
@@ -106,15 +87,6 @@ resource policy_AMA_role_2 'Microsoft.Authorization/roleAssignments@2020-10-01-p
 }
 }
-/*resource policy_tagging_resources 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = if (contains(policies[1].flavors, flavor)) {
- name: guid( policies[1].name, policies[1].roleDefinition,resourceGroup().id)
- properties: {
- roleDefinitionId: any(policies[1].roleDefinition)
- principalId: contains(policies[1].flavors, flavor)?policies_name[1].identity.principalId:guid('policies_name_id${0}')
- principalType: 'ServicePrincipal'
- }
-}*/
 resource policy_defender_kubernetes 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = if (contains(policies[1].flavors, flavor)) {
 name: guid( policies[1].name, policies[1].roleDefinition,resourceGroup().id)
 properties: {
From da92a9f1c56af512bcfc6f97471c6a111800f1dc Mon Sep 17 00:00:00 2001
From: Seif Bassem <38246040+sebassem@users.noreply.github.com>
Date: Tue, 23 Jul 2024 12:39:34 +0300
Subject: [PATCH 23/24] remove explicit tags
---
 .../artifacts/dataController.parameters.json | 5 -----
 azure_jumpstart_arcbox/artifacts/installArcAgent.ps1 | 1 -
 azure_jumpstart_arcbox/artifacts/installArcAgentUbuntu.sh | 2 +-
 azure_jumpstart_arcbox/artifacts/installK3s.sh | 2 +-
 azure_jumpstart_arcbox/artifacts/postgreSQL.parameters.json | 5 -----
 azure_jumpstart_arcbox/artifacts/sqlmi.parameters.json | 5 -----
 azure_jumpstart_arcbox/artifacts/sqlmiAD.parameters.json | 5 -----
 7 files changed, 2 insertions(+), 23 deletions(-)
diff --git a/azure_jumpstart_arcbox/artifacts/dataController.parameters.json b/azure_jumpstart_arcbox/artifacts/dataController.parameters.json
index 49d986f54a..28c74384a1 100644
--- a/azure_jumpstart_arcbox/artifacts/dataController.parameters.json
+++ b/azure_jumpstart_arcbox/artifacts/dataController.parameters.json
@@ -32,11 +32,6 @@
 "logAnalyticsPrimaryKey": {
 "value": "logAnalyticsPrimaryKey-stage"
 },
- "resourceTags": {
- "value": {
- "Project": "jumpstart_arcbox"
- }
- },
 "dockerRegistryCredential": {
 "value": "arc-private-registry"
 },
diff --git a/azure_jumpstart_arcbox/artifacts/installArcAgent.ps1 b/azure_jumpstart_arcbox/artifacts/installArcAgent.ps1
index 088ccf0363..32a7492b71 100644
--- a/azure_jumpstart_arcbox/artifacts/installArcAgent.ps1
+++ b/azure_jumpstart_arcbox/artifacts/installArcAgent.ps1
@@ -25,7 +25,6 @@
 --location $Azurelocation `
 --subscription-id $subscriptionId `
 --cloud "AzureCloud" `
- --tags "Project=jumpstart_arcbox" `
 --correlation-id "d009f5dd-dba8-4ac7-bac9-b54ef3a6671a" # Do no change!
 if($LastExitCode -eq 0){Write-Host -ForegroundColor yellow "To view your onboarded server(s), navigate to https://ms.portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.HybridCompute%2Fmachines"}
\ No newline at end of file
diff --git a/azure_jumpstart_arcbox/artifacts/installArcAgentUbuntu.sh b/azure_jumpstart_arcbox/artifacts/installArcAgentUbuntu.sh
index 5f76ddcedf..d211327abe 100644
--- a/azure_jumpstart_arcbox/artifacts/installArcAgentUbuntu.sh
+++ b/azure_jumpstart_arcbox/artifacts/installArcAgentUbuntu.sh
@@ -14,7 +14,7 @@ bash ~/install_linux_azcmagent.sh # 2>/dev/null
 ArcServerResourceName=$(hostname |sed -e "s/\b\(.\)/\u\1/g")
 # Run connect command
-azcmagent connect --access-token $accessToken --resource-group $resourceGroup --tenant-id $tenantId --location $Azurelocation --subscription-id $subscriptionId --resource-name "${ArcServerResourceName}" --cloud "AzureCloud" --tags "Project=jumpstart_arcbox" --correlation-id "d009f5dd-dba8-4ac7-bac9-b54ef3a6671a"
+azcmagent connect --access-token $accessToken --resource-group $resourceGroup --tenant-id $tenantId --location $Azurelocation --subscription-id $subscriptionId --resource-name "${ArcServerResourceName}" --cloud "AzureCloud" --correlation-id "d009f5dd-dba8-4ac7-bac9-b54ef3a6671a"
 # Configure the agent to allow connections on port 22
 azcmagent config set incomingconnections.ports 22
\ No newline at end of file
diff --git a/azure_jumpstart_arcbox/artifacts/installK3s.sh b/azure_jumpstart_arcbox/artifacts/installK3s.sh
index 5cf76b5ff7..7978d7a4ef 100644
--- a/azure_jumpstart_arcbox/artifacts/installK3s.sh
+++ b/azure_jumpstart_arcbox/artifacts/installK3s.sh
@@ -152,7 +152,7 @@ if [[ "$k3sControlPlane" == "true" ]]; then
 workspaceResourceId=$(sudo -u $adminUsername az resource show --resource-group $resourceGroup --name $logAnalyticsWorkspace --resource-type "Microsoft.OperationalInsights/workspaces" --query id -o tsv)
 echo "Log Analytics workspace id $workspaceResourceId"
- sudo -u $adminUsername az connectedk8s connect --name $vmName --resource-group $resourceGroup --location $location --tags 'Project=jumpstart_arcbox'
+ sudo -u $adminUsername az connectedk8s connect --name $vmName --resource-group $resourceGroup --location $location
 echo "Onboarding the k3s cluster to Azure Arc completed"
 # Verify if cluster is connected to Azure Arc successfully
diff --git a/azure_jumpstart_arcbox/artifacts/postgreSQL.parameters.json b/azure_jumpstart_arcbox/artifacts/postgreSQL.parameters.json
index 55e8373957..7521bfc1b2 100644
--- a/azure_jumpstart_arcbox/artifacts/postgreSQL.parameters.json
+++ b/azure_jumpstart_arcbox/artifacts/postgreSQL.parameters.json
@@ -53,11 +53,6 @@
 "logStorageClassName": {
 "value": "logsStorageClassName-stage"
 },
- "resourceTags": {
- "value": {
- "Project": "jumpstart_arcbox"
- }
- },
 "numWorkers": {
 "value": numWorkersStage
 },
diff --git a/azure_jumpstart_arcbox/artifacts/sqlmi.parameters.json b/azure_jumpstart_arcbox/artifacts/sqlmi.parameters.json
index ac7e3e5851..decc45a79b 100644
--- a/azure_jumpstart_arcbox/artifacts/sqlmi.parameters.json
+++ b/azure_jumpstart_arcbox/artifacts/sqlmi.parameters.json
@@ -59,11 +59,6 @@
 "replicas": {
 "value": replicasStage
 },
- "resourceTags": {
- "value": {
- "Project": "jumpstart_arcbox"
- }
- },
 "apiVersion": {
 "value": "2023-01-15-preview"
 },
diff --git a/azure_jumpstart_arcbox/artifacts/sqlmiAD.parameters.json b/azure_jumpstart_arcbox/artifacts/sqlmiAD.parameters.json
index ad30f9d65d..282123b0a9 100644
--- a/azure_jumpstart_arcbox/artifacts/sqlmiAD.parameters.json
+++ b/azure_jumpstart_arcbox/artifacts/sqlmiAD.parameters.json
@@ -59,11 +59,6 @@
 "replicas": {
 "value": replicasStage
 },
- "resourceTags": {
- "value": {
- "Project": "jumpstart_arcbox"
- }
- },
 "apiVersion": {
 "value": "2023-01-15-preview"
 },
From 59c22a18213f84b5bfd3af1001c7fcd6505d7f8a Mon Sep 17 00:00:00 2001
From: Seif Bassem <38246040+sebassem@users.noreply.github.com>
Date: Tue, 23 Jul 2024 12:58:27 +0300
Subject: [PATCH 24/24] Add resourceTags parameter to ArcServersLogonScript.ps1 and Bootstrap.ps1
---
 azure_jumpstart_arcbox/artifacts/ArcServersLogonScript.ps1 | 3 ++-
 azure_jumpstart_arcbox/artifacts/Bootstrap.ps1 | 4 +++-
 azure_jumpstart_arcbox/bicep/clientVm/clientVm.bicep | 7 ++++++-
 azure_jumpstart_arcbox/bicep/main.bicep | 1 -
 4 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/azure_jumpstart_arcbox/artifacts/ArcServersLogonScript.ps1 b/azure_jumpstart_arcbox/artifacts/ArcServersLogonScript.ps1
index 6800d53d9f..cbeb28b061 100644
--- a/azure_jumpstart_arcbox/artifacts/ArcServersLogonScript.ps1
+++ b/azure_jumpstart_arcbox/artifacts/ArcServersLogonScript.ps1
@@ -11,6 +11,7 @@ $tenantId = $env:tenantId
 $subscriptionId = $env:subscriptionId
 $azureLocation = $env:azureLocation
 $resourceGroup = $env:resourceGroup
+$resourceTags = $env:resourceTags
 # Moved VHD storage account details here to keep only in place to prevent duplicates.
 $vhdSourceFolder = "https://jumpstartprodsg.blob.core.windows.net/arcbox/*"
@@ -212,7 +213,7 @@ if ($Env:flavor -ne "DevOps") {
 # Create SQL server extension as policy to auto deployment is disabled
 Write-Host "Installing SQL Server extension on the Arc-enabled Server."
- az connectedmachine extension create --machine-name $SQLvmName --name "WindowsAgent.SqlServer" --resource-group $resourceGroup --type "WindowsAgent.SqlServer" --publisher "Microsoft.AzureData" --settings '{\"LicenseType\":\"Paid\", \"SqlManagement\": {\"IsEnabled\":true}}'
+ az connectedmachine extension create --machine-name $SQLvmName --name "WindowsAgent.SqlServer" --resource-group $resourceGroup --type "WindowsAgent.SqlServer" --publisher "Microsoft.AzureData" --settings '{\"LicenseType\":\"Paid\", \"SqlManagement\": {\"IsEnabled\":true}}' --tags $resourceTags --location $azureLocation --only-show-errors --no-wait
 Write-Host "SQL Server extension installation on the Arc-enabled Server successful."
 $retryCount = 0
diff --git a/azure_jumpstart_arcbox/artifacts/Bootstrap.ps1 b/azure_jumpstart_arcbox/artifacts/Bootstrap.ps1
index 1755812d5e..91d16bccaa 100644
--- a/azure_jumpstart_arcbox/artifacts/Bootstrap.ps1
+++ b/azure_jumpstart_arcbox/artifacts/Bootstrap.ps1
@@ -32,7 +32,8 @@ param (
 [string]$sshPort,
 [string]$vmAutologon,
 [string]$addsDomainName,
- [string]$customLocationRPOID
+ [string]$customLocationRPOID,
+ [object]$resourceTags
 )
 [System.Environment]::SetEnvironmentVariable('adminUsername', $adminUsername, [System.EnvironmentVariableTarget]::Machine)
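Review bot: `--tags $resourceTags` hands `az` one string, but `--tags` takes space-separated `key=value` pairs as separate arguments, and `$resourceTags` is an environment-variable string that Bootstrap.ps1 received from the Bicep template in whatever form the object was serialised, which is not `key=value`; the likely outcomes are an argument-parsing error or a single malformed tag, and because `--only-show-errors` and `--no-wait` are also added, the failure is easy to miss. Normalising once into an array of `key=value` strings and splatting it (`--tags @tagPairs`) is the robust form, with an explicit check when the variable is empty. Also, `--no-wait` returns before provisioning finishes, so the unconditional `Write-Host "... successful."` on the next line no longer reflects the outcome; if the `$retryCount` loop that follows polls the extension state, the message belongs after that loop. The enclosing `if ($Env:flavor -ne "DevOps")` block continues outside the hunk.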
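Review bot: `[object]$resourceTags` is declared among `[string]` parameters, but a script invoked through `powershell.exe -File` only ever receives strings, and the value is immediately stored with `SetEnvironmentVariable`, which stringifies it; `[string]$resourceTags` states what actually happens and avoids suggesting a hashtable is accepted. A brief comment on the parameter, `# space-separated key=value pairs, passed on to az --tags`, would pin the expected format for callers.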
@@ -62,6 +63,7 @@ param (
 [System.Environment]::SetEnvironmentVariable('aksArcClusterName', $aksArcClusterName, [System.EnvironmentVariableTarget]::Machine)
 [System.Environment]::SetEnvironmentVariable('aksdrArcClusterName', $aksdrArcClusterName, [System.EnvironmentVariableTarget]::Machine)
 [System.Environment]::SetEnvironmentVariable('customLocationRPOID', $customLocationRPOID, [System.EnvironmentVariableTarget]::Machine)
+[System.Environment]::SetEnvironmentVariable('resourceTags', $resourceTags, [System.EnvironmentVariableTarget]::Machine)
 [System.Environment]::SetEnvironmentVariable('ArcBoxDir', "C:\ArcBox", [System.EnvironmentVariableTarget]::Machine)
diff --git a/azure_jumpstart_arcbox/bicep/clientVm/clientVm.bicep b/azure_jumpstart_arcbox/bicep/clientVm/clientVm.bicep
index 46335ce41d..3a3cf50c19 100644
--- a/azure_jumpstart_arcbox/bicep/clientVm/clientVm.bicep
+++ b/azure_jumpstart_arcbox/bicep/clientVm/clientVm.bicep
@@ -65,6 +65,11 @@ param workspaceName string
 @description('The base URL used for accessing artifacts and automation artifacts.')
 param templateBaseUrl string
+@description('Tags to assign for all ArcBox resources')
+param resourceTags object = {
+ Solution: 'jumpstart_arcbox'
+}
+
 @description('The flavor of ArcBox you want to deploy. Valid values are: \'Full\', \'ITPro\'')
 @allowed([
 'Full'
@@ -223,7 +228,7 @@ resource vmBootstrap 'Microsoft.Compute/virtualMachines/extensions@2022-03-01' =
 fileUris: [
 uri(templateBaseUrl, 'artifacts/Bootstrap.ps1')
 ]
- commandToExecute: 'powershell.exe -ExecutionPolicy Bypass -File Bootstrap.ps1 -adminUsername ${windowsAdminUsername} -adminPassword ${windowsAdminPassword} -tenantId ${tenantId} -spnAuthority ${spnAuthority} -subscriptionId ${subscription().subscriptionId} -resourceGroup ${resourceGroup().name} -azdataUsername ${azdataUsername} -azdataPassword ${azdataPassword} -acceptEula ${acceptEula} -registryUsername ${registryUsername} -registryPassword ${registryPassword} -arcDcName ${arcDcName} -azureLocation ${location} -mssqlmiName ${mssqlmiName} -POSTGRES_NAME ${postgresName} -POSTGRES_WORKER_NODE_COUNT ${postgresWorkerNodeCount} -POSTGRES_DATASIZE ${postgresDatasize} -POSTGRES_SERVICE_TYPE ${postgresServiceType} -stagingStorageAccountName ${stagingStorageAccountName} -workspaceName ${workspaceName} -templateBaseUrl ${templateBaseUrl} -flavor ${flavor} -k3sArcDataClusterName ${k3sArcDataClusterName} -k3sArcClusterName ${k3sArcClusterName} -aksArcClusterName ${aksArcClusterName} -aksdrArcClusterName ${aksdrArcClusterName} -githubUser ${githubUser} -vmAutologon ${vmAutologon} -rdpPort ${rdpPort} -addsDomainName ${addsDomainName} -customLocationRPOID ${customLocationRPOID}'
+ commandToExecute: 'powershell.exe -ExecutionPolicy Bypass -File Bootstrap.ps1 -adminUsername ${windowsAdminUsername} -adminPassword ${windowsAdminPassword} -tenantId ${tenantId} -spnAuthority ${spnAuthority} -subscriptionId ${subscription().subscriptionId} -resourceGroup ${resourceGroup().name} -azdataUsername ${azdataUsername} -azdataPassword ${azdataPassword} -acceptEula ${acceptEula} -registryUsername ${registryUsername} -registryPassword ${registryPassword} -arcDcName ${arcDcName} -azureLocation ${location} -mssqlmiName ${mssqlmiName} -POSTGRES_NAME ${postgresName} -POSTGRES_WORKER_NODE_COUNT ${postgresWorkerNodeCount} -POSTGRES_DATASIZE ${postgresDatasize} -POSTGRES_SERVICE_TYPE ${postgresServiceType} -stagingStorageAccountName ${stagingStorageAccountName} -workspaceName ${workspaceName} -templateBaseUrl ${templateBaseUrl} -flavor ${flavor} -k3sArcDataClusterName ${k3sArcDataClusterName} -k3sArcClusterName ${k3sArcClusterName} -aksArcClusterName ${aksArcClusterName} -aksdrArcClusterName ${aksdrArcClusterName} -githubUser ${githubUser} -vmAutologon ${vmAutologon} -rdpPort ${rdpPort} -addsDomainName ${addsDomainName} -customLocationRPOID ${customLocationRPOID} -resourceTags ${resourceTags}'
 }
 }
 }
diff --git a/azure_jumpstart_arcbox/bicep/main.bicep b/azure_jumpstart_arcbox/bicep/main.bicep
index d72d116f7d..2972a3af22 100644
--- a/azure_jumpstart_arcbox/bicep/main.bicep
+++ b/azure_jumpstart_arcbox/bicep/main.bicep
@@ -66,7 +66,6 @@ param customLocationRPOID string = ''
 @description('Tags to assign for all ArcBox resources')
 param resourceTags object = {
 Solution: 'jumpstart_arcbox'
- Name: 'Seif'
 }
 var templateBaseUrl = 'https://raw.githubusercontent.com/${githubAccount}/azure_arc/${githubBranch}/azure_jumpstart_arcbox/'
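Review bot: `-resourceTags ${resourceTags}` interpolates an `object`-typed parameter into a string; as far as I recall Bicep only permits string, int and bool inside `${...}`, so this should not compile, and even a `string(resourceTags)` workaround would emit JSON whose quotes and braces are mangled by the cmd/PowerShell command-line parsing that `commandToExecute` goes through, while the consumer in ArcServersLogonScript.ps1 expects `key=value` pairs for `az --tags`. Serialising once in Bicep into a shell-safe form is cleaner, e.g. `var resourceTagsArg = join(map(items(resourceTags), t => '${t.key}=${t.value}'), ' ')` (if the Bicep version in use supports lambdas) and then `-resourceTags "${resourceTagsArg}"` so a multi-tag value survives as one argument. Unrelated to this change but worth confirming: this command line carries `-adminPassword`, `-azdataPassword` and `-registryPassword`, so it must sit under the extension's `protectedSettings` rather than `settings`, which the hunk does not show. The enclosing `vmBootstrap` resource starts outside the hunk, and its `+` line had been wrapped across two lines on the page.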