Arcbox 3.0 - Customize tags

azure_jumpstart_arcbox/artifacts/ArcServersLogonScript.ps1

@@ -11,6 +11,7 @@ $tenantId = $env:tenantId
 $subscriptionId = $env:subscriptionId
 $azureLocation = $env:azureLocation
 $resourceGroup = $env:resourceGroup
+$resourceTags = $env:resourceTags
 
 # Moved VHD storage account details here to keep only in place to prevent duplicates.
 $vhdSourceFolder = "https://jumpstartprodsg.blob.core.windows.net/arcbox/*"
@@ -212,7 +213,7 @@ if ($Env:flavor -ne "DevOps") {
 
     # Create SQL server extension as policy to auto deployment is disabled
     Write-Host "Installing SQL Server extension on the Arc-enabled Server."
-    az connectedmachine extension create --machine-name $SQLvmName --name "WindowsAgent.SqlServer" --resource-group $resourceGroup --type "WindowsAgent.SqlServer" --publisher "Microsoft.AzureData" --settings '{\"LicenseType\":\"Paid\", \"SqlManagement\": {\"IsEnabled\":true}}'
+    az connectedmachine extension create --machine-name $SQLvmName --name "WindowsAgent.SqlServer" --resource-group $resourceGroup --type "WindowsAgent.SqlServer" --publisher "Microsoft.AzureData" --settings '{\"LicenseType\":\"Paid\", \"SqlManagement\": {\"IsEnabled\":true}}' --tags $resourceTags --location $azureLocation --only-show-errors --no-wait
     Write-Host "SQL Server extension installation on the Arc-enabled Server successful."
 
     $retryCount = 0

azure_jumpstart_arcbox/artifacts/Bootstrap.ps1

@@ -32,7 +32,8 @@ param (
     [string]$sshPort,
     [string]$vmAutologon,
     [string]$addsDomainName,
-    [string]$customLocationRPOID
+    [string]$customLocationRPOID,
+    [object]$resourceTags
 )
 
 [System.Environment]::SetEnvironmentVariable('adminUsername', $adminUsername, [System.EnvironmentVariableTarget]::Machine)
@@ -62,6 +63,7 @@ param (
 [System.Environment]::SetEnvironmentVariable('aksArcClusterName', $aksArcClusterName, [System.EnvironmentVariableTarget]::Machine)
 [System.Environment]::SetEnvironmentVariable('aksdrArcClusterName', $aksdrArcClusterName, [System.EnvironmentVariableTarget]::Machine)
 [System.Environment]::SetEnvironmentVariable('customLocationRPOID', $customLocationRPOID, [System.EnvironmentVariableTarget]::Machine)
+[System.Environment]::SetEnvironmentVariable('resourceTags', $resourceTags, [System.EnvironmentVariableTarget]::Machine)
 
 [System.Environment]::SetEnvironmentVariable('ArcBoxDir', "C:\ArcBox", [System.EnvironmentVariableTarget]::Machine)
 

azure_jumpstart_arcbox/artifacts/dataController.parameters.json

@@ -32,11 +32,6 @@
       "logAnalyticsPrimaryKey": {
         "value": "logAnalyticsPrimaryKey-stage"
       },
-      "resourceTags": {
-        "value": {
-          "Project": "jumpstart_arcbox"
-        }
-      },
       "dockerRegistryCredential": {
         "value": "arc-private-registry"
       },

azure_jumpstart_arcbox/artifacts/installArcAgent.ps1

@@ -25,7 +25,6 @@
  --location $Azurelocation `
  --subscription-id $subscriptionId `
  --cloud "AzureCloud" `
- --tags "Project=jumpstart_arcbox" `
  --correlation-id "d009f5dd-dba8-4ac7-bac9-b54ef3a6671a" # Do no change!
 
  if($LastExitCode -eq 0){Write-Host -ForegroundColor yellow "To view your onboarded server(s), navigate to https://ms.portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.HybridCompute%2Fmachines"}

azure_jumpstart_arcbox/artifacts/installArcAgentUbuntu.sh

@@ -14,7 +14,7 @@ bash ~/install_linux_azcmagent.sh # 2>/dev/null
 ArcServerResourceName=$(hostname |sed -e "s/\b\(.\)/\u\1/g")
 
 # Run connect command
-azcmagent connect --access-token $accessToken --resource-group $resourceGroup --tenant-id $tenantId --location $Azurelocation --subscription-id $subscriptionId --resource-name "${ArcServerResourceName}" --cloud "AzureCloud" --tags "Project=jumpstart_arcbox" --correlation-id "d009f5dd-dba8-4ac7-bac9-b54ef3a6671a"
+azcmagent connect --access-token $accessToken --resource-group $resourceGroup --tenant-id $tenantId --location $Azurelocation --subscription-id $subscriptionId --resource-name "${ArcServerResourceName}" --cloud "AzureCloud" --correlation-id "d009f5dd-dba8-4ac7-bac9-b54ef3a6671a"
 
 # Configure the agent to allow connections on port 22
 azcmagent config set incomingconnections.ports 22

azure_jumpstart_arcbox/artifacts/installK3s.sh

@@ -152,7 +152,7 @@ if [[ "$k3sControlPlane" == "true" ]]; then
     workspaceResourceId=$(sudo -u $adminUsername az resource show --resource-group $resourceGroup --name $logAnalyticsWorkspace --resource-type "Microsoft.OperationalInsights/workspaces" --query id -o tsv)
     echo "Log Analytics workspace id $workspaceResourceId"
 
-    sudo -u $adminUsername az connectedk8s connect --name $vmName --resource-group $resourceGroup --location $location --tags 'Project=jumpstart_arcbox'
+    sudo -u $adminUsername az connectedk8s connect --name $vmName --resource-group $resourceGroup --location $location
     echo "Onboarding the k3s cluster to Azure Arc completed"
 
     # Verify if cluster is connected to Azure Arc successfully

azure_jumpstart_arcbox/artifacts/postgreSQL.parameters.json

@@ -53,11 +53,6 @@
         "logStorageClassName": {
             "value": "logsStorageClassName-stage"
         },
-        "resourceTags": {
-            "value": {
-                "Project": "jumpstart_arcbox"
-            }
-        },
         "numWorkers": {
             "value": numWorkersStage
         },

azure_jumpstart_arcbox/artifacts/sqlmi.parameters.json

@@ -59,11 +59,6 @@
         "replicas": {
             "value": replicasStage
         },
-        "resourceTags": {
-            "value": {
-                "Project": "jumpstart_arcbox"
-            }
-        },
         "apiVersion": {
             "value": "2023-01-15-preview"
         },

azure_jumpstart_arcbox/artifacts/sqlmiAD.parameters.json

@@ -59,11 +59,6 @@
         "replicas": {
             "value": replicasStage
         },
-        "resourceTags": {
-            "value": {
-                "Project": "jumpstart_arcbox"
-            }
-        },
         "apiVersion": {
             "value": "2023-01-15-preview"
         },

azure_jumpstart_arcbox/bicep/clientVm/clientVm.bicep

@@ -28,9 +28,6 @@ param location string = resourceGroup().location
 @description('Resource Id of the subnet in the virtual network')
 param subnetId string
 
-param resourceTags object = {
-  Project: 'jumpstart_arcbox'
-}
 param spnAuthority string = environment().authentication.loginEndpoint
 
 @description('Your Microsoft Entra tenant Id')
@@ -68,6 +65,11 @@ param workspaceName string
 @description('The base URL used for accessing artifacts and automation artifacts.')
 param templateBaseUrl string
 
+@description('Tags to assign for all ArcBox resources')
+param resourceTags object = {
+  Solution: 'jumpstart_arcbox'
+}
+
 @description('The flavor of ArcBox you want to deploy. Valid values are: \'Full\', \'ITPro\'')
 @allowed([
   'Full'
@@ -158,7 +160,6 @@ resource vmDisk 'Microsoft.Compute/disks@2023-04-02' = {
 resource vm 'Microsoft.Compute/virtualMachines@2022-03-01' = {
   name: vmName
   location: location
-  tags: resourceTags
   identity: {
     type: 'SystemAssigned'
   }
@@ -227,7 +228,7 @@ resource vmBootstrap 'Microsoft.Compute/virtualMachines/extensions@2022-03-01' =
       fileUris: [
         uri(templateBaseUrl, 'artifacts/Bootstrap.ps1')
       ]
-      commandToExecute: 'powershell.exe -ExecutionPolicy Bypass -File Bootstrap.ps1 -adminUsername ${windowsAdminUsername} -adminPassword ${windowsAdminPassword} -tenantId ${tenantId} -spnAuthority ${spnAuthority} -subscriptionId ${subscription().subscriptionId} -resourceGroup ${resourceGroup().name} -azdataUsername ${azdataUsername} -azdataPassword ${azdataPassword} -acceptEula ${acceptEula} -registryUsername ${registryUsername} -registryPassword ${registryPassword} -arcDcName ${arcDcName} -azureLocation ${location} -mssqlmiName ${mssqlmiName} -POSTGRES_NAME ${postgresName} -POSTGRES_WORKER_NODE_COUNT ${postgresWorkerNodeCount} -POSTGRES_DATASIZE ${postgresDatasize} -POSTGRES_SERVICE_TYPE ${postgresServiceType} -stagingStorageAccountName ${stagingStorageAccountName} -workspaceName ${workspaceName} -templateBaseUrl ${templateBaseUrl} -flavor ${flavor} -k3sArcDataClusterName ${k3sArcDataClusterName} -k3sArcClusterName ${k3sArcClusterName} -aksArcClusterName ${aksArcClusterName} -aksdrArcClusterName ${aksdrArcClusterName} -githubUser ${githubUser} -vmAutologon ${vmAutologon} -rdpPort ${rdpPort} -addsDomainName ${addsDomainName} -customLocationRPOID ${customLocationRPOID}'
+      commandToExecute: 'powershell.exe -ExecutionPolicy Bypass -File Bootstrap.ps1 -adminUsername ${windowsAdminUsername} -adminPassword ${windowsAdminPassword} -tenantId ${tenantId} -spnAuthority ${spnAuthority} -subscriptionId ${subscription().subscriptionId} -resourceGroup ${resourceGroup().name} -azdataUsername ${azdataUsername} -azdataPassword ${azdataPassword} -acceptEula ${acceptEula} -registryUsername ${registryUsername} -registryPassword ${registryPassword} -arcDcName ${arcDcName} -azureLocation ${location} -mssqlmiName ${mssqlmiName} -POSTGRES_NAME ${postgresName} -POSTGRES_WORKER_NODE_COUNT ${postgresWorkerNodeCount} -POSTGRES_DATASIZE ${postgresDatasize} -POSTGRES_SERVICE_TYPE ${postgresServiceType} -stagingStorageAccountName ${stagingStorageAccountName} -workspaceName ${workspaceName} -templateBaseUrl ${templateBaseUrl} -flavor ${flavor} -k3sArcDataClusterName ${k3sArcDataClusterName} -k3sArcClusterName ${k3sArcClusterName} -aksArcClusterName ${aksArcClusterName} -aksdrArcClusterName ${aksdrArcClusterName} -githubUser ${githubUser} -vmAutologon ${vmAutologon} -rdpPort ${rdpPort} -addsDomainName ${addsDomainName} -customLocationRPOID ${customLocationRPOID} -resourceTags ${resourceTags}'
     }
   }
 }

azure_jumpstart_arcbox/bicep/main.bicep

@@ -63,6 +63,11 @@ param location string = resourceGroup().location
 @description('The custom location RPO ID. This parameter is only needed when deploying the DataOps flavor.')
 param customLocationRPOID string = ''
 
+@description('Tags to assign for all ArcBox resources')
+param resourceTags object = {
+  Solution: 'jumpstart_arcbox'
+}
+
 var templateBaseUrl = 'https://raw.githubusercontent.com/${githubAccount}/azure_arc/${githubBranch}/azure_jumpstart_arcbox/'
 var aksArcDataClusterName = 'ArcBox-AKS-Data-${guid}'
 var aksDrArcDataClusterName = 'ArcBox-AKS-DR-Data-${guid}'
@@ -162,6 +167,7 @@ module mgmtArtifactsAndPolicyDeployment 'mgmt/mgmtArtifacts.bicep' = {
     deployBastion: deployBastion
     bastionSku: bastionSku
     location: location
+    resourceTags: resourceTags
   }
 }
 

azure_jumpstart_arcbox/bicep/main.bicepparam

@@ -15,3 +15,5 @@ param flavor = 'ITPro'
 param deployBastion = false
 
 param vmAutologon = true
+
+param resourceTags = {} // Add tags as needed

azure_jumpstart_arcbox/bicep/mgmt/mgmtArtifacts.bicep

@@ -53,6 +53,11 @@ param bastionNetworkSecurityGroupName string = 'ArcBox-Bastion-NSG'
 @description('DNS Server configuration')
 param dnsServers array = []
 
+@description('Tags to assign for all ArcBox resources')
+param resourceTags object = {
+  Solution: 'jumpstart_arcbox'
+}
+
 var keyVaultName = 'arcbox${uniqueString(resourceGroup().id)}'
 
 var security = {
@@ -123,6 +128,9 @@ var dataOpsSubnets = [
 resource arcVirtualNetwork 'Microsoft.Network/virtualNetworks@2022-01-01' = {
   name: virtualNetworkName
   location: location
+  dependsOn: [
+    policyDeployment
+  ]
   properties: {
     addressSpace: {
       addressPrefixes: [
@@ -139,6 +147,9 @@ resource arcVirtualNetwork 'Microsoft.Network/virtualNetworks@2022-01-01' = {
 resource drVirtualNetwork 'Microsoft.Network/virtualNetworks@2022-01-01' = if (flavor == 'DataOps') {
   name: drVirtualNetworkName
   location: location
+  dependsOn: [
+    policyDeployment
+  ]
   properties: {
     addressSpace: {
       addressPrefixes: [
@@ -165,6 +176,9 @@ resource drVirtualNetwork 'Microsoft.Network/virtualNetworks@2022-01-01' = if (f
 resource virtualNetworkName_peering_to_DR_vnet 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2022-01-01' = if (flavor == 'DataOps') {
   parent: arcVirtualNetwork
   name: 'peering-to-DR-vnet'
+  dependsOn: [
+    policyDeployment
+  ]
   properties: {
     allowVirtualNetworkAccess: true
     allowForwardedTraffic: true
@@ -179,6 +193,9 @@ resource virtualNetworkName_peering_to_DR_vnet 'Microsoft.Network/virtualNetwork
 resource drVirtualNetworkName_peering_to_primary_vnet 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2022-01-01' = if (flavor == 'DataOps') {
   parent: drVirtualNetwork
   name: 'peering-to-primary-vnet'
+  dependsOn: [
+    policyDeployment
+  ]
   properties: {
     allowVirtualNetworkAccess: true
     allowForwardedTraffic: true
@@ -193,6 +210,9 @@ resource drVirtualNetworkName_peering_to_primary_vnet 'Microsoft.Network/virtual
 resource networkSecurityGroup 'Microsoft.Network/networkSecurityGroups@2022-01-01' = {
   name: networkSecurityGroupName
   location: location
+  dependsOn: [
+    policyDeployment
+  ]
   properties: {
     securityRules: [
       {
@@ -306,6 +326,9 @@ resource networkSecurityGroup 'Microsoft.Network/networkSecurityGroups@2022-01-0
 resource bastionNetworkSecurityGroup 'Microsoft.Network/networkSecurityGroups@2022-01-01' = if (deployBastion == true) {
   name: bastionNetworkSecurityGroupName
   location: location
+  dependsOn: [
+    policyDeployment
+  ]
   properties: {
     securityRules: [
       {
@@ -428,9 +451,11 @@ resource bastionNetworkSecurityGroup 'Microsoft.Network/networkSecurityGroups@20
   }
 }
 
+
 resource workspace 'Microsoft.OperationalInsights/workspaces@2021-06-01' = {
   name: workspaceName
   location: location
+  tags: resourceTags
   properties: {
     sku: {
       name: sku
@@ -455,6 +480,9 @@ resource securityGallery 'Microsoft.OperationsManagement/solutions@2015-11-01-pr
 resource publicIpAddress 'Microsoft.Network/publicIPAddresses@2022-01-01' = if (deployBastion == true) {
   name: bastionPublicIpAddressName
   location: location
+  dependsOn: [
+    policyDeployment
+  ]
   properties: {
     publicIPAllocationMethod: 'Static'
     publicIPAddressVersion: 'IPv4'
@@ -468,6 +496,9 @@ resource publicIpAddress 'Microsoft.Network/publicIPAddresses@2022-01-01' = if (
 resource bastionHost 'Microsoft.Network/bastionHosts@2023-11-01' = if (deployBastion == true) {
   name: bastionName
   location: location
+  dependsOn: [
+    policyDeployment
+  ]
   sku: {
     name: bastionSku
   }
@@ -497,11 +528,15 @@ module policyDeployment './policyAzureArc.bicep' = {
     azureLocation: location
     logAnalyticsWorkspaceId: workspace.id
     flavor: flavor
+    resourceTags: resourceTags
   }
 }
 
 module keyVault 'br/public:avm/res/key-vault/vault:0.5.1' = {
   name: 'keyVaultDeployment'
+  dependsOn: [
+    policyDeployment
+  ]
   params: {
     name: keyVaultName
     enablePurgeProtection: false

azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep

@@ -7,6 +7,13 @@ param logAnalyticsWorkspaceId string
 @description('The flavor of ArcBox you want to deploy. Valid values are: \'Full\', \'ITPro\', \'DevOps\'')
 param flavor string
 
+@description('Tags to assign for all ArcBox resources')
+param resourceTags object = {
+  Solution: 'jumpstart_arcbox'
+}
+
+param tagsRoleDefinitionId string = '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c'
+
 var policies = [
   {
     name: '(ArcBox) Enable Azure Monitor for Hybrid VMs with AMA'
@@ -29,25 +36,6 @@ var policies = [
       }
     }
   }
-  {
-    name: '(ArcBox) Tag resources'
-    definitionId: '/providers/Microsoft.Authorization/policyDefinitions/4f9dc7db-30c1-420c-b61a-e1d640128d26'
-    flavors: [
-      'Full'
-      'ITPro'
-      'DevOps'
-      'DataOps'
-    ]
-    roleDefinition: '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c'
-    parameters: {
-      tagName: {
-        value: 'Project'
-      }
-      tagValue: {
-        value: 'jumpstart_arcbox'
-      }
-    }
-  }
   {
     name: '(ArcBox) Enable Microsoft Defender on Kubernetes clusters'
     definitionId: '/providers/Microsoft.Authorization/policyDefinitions/708b60a6-d253-4fe0-9114-4be4c00f012c'
@@ -99,7 +87,7 @@ resource policy_AMA_role_2 'Microsoft.Authorization/roleAssignments@2020-10-01-p
   }
 }
 
-resource policy_tagging_resources 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = if (contains(policies[1].flavors, flavor)) {
+resource policy_defender_kubernetes 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = if (contains(policies[1].flavors, flavor)) {
   name: guid( policies[1].name, policies[1].roleDefinition,resourceGroup().id)
   properties: {
     roleDefinitionId: any(policies[1].roleDefinition)
@@ -108,12 +96,31 @@ resource policy_tagging_resources 'Microsoft.Authorization/roleAssignments@2020-
   }
 }
 
-resource policy_defender_kubernetes 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = if (contains(policies[2].flavors, flavor)) {
-  name: guid( policies[2].name, policies[2].roleDefinition,resourceGroup().id)
+
+resource applyCustomTags 'Microsoft.Authorization/policyAssignments@2021-06-01' = [for (tag,i) in items(resourceTags): {
+  name: '(ArcBox) Tag resources-${tag.key}'
+  location: azureLocation
+  identity: {
+    type: 'SystemAssigned'
+  }
   properties: {
-    roleDefinitionId: any(policies[2].roleDefinition)
-    principalId: contains(policies[2].flavors, flavor)?policies_name[2].identity.principalId:guid('policies_name_id${0}')
-    principalType: 'ServicePrincipal'
+    policyDefinitionId: any('/providers/Microsoft.Authorization/policyDefinitions/4f9dc7db-30c1-420c-b61a-e1d640128d26')
+    parameters:{
+      tagName: {
+        value: tag.key
+      }
+      tagValue: {
+        value: tag.value
+      }
+    }
   }
-}
+}]
 
+resource policy_tagging_resources 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = [for (tag,i) in items(resourceTags): {
+  name: guid(applyCustomTags[i].name, tagsRoleDefinitionId,resourceGroup().id)
+  properties: {
+    roleDefinitionId: tagsRoleDefinitionId
+    principalId: applyCustomTags[i].identity.principalId
+    principalType: 'ServicePrincipal'
+  }
+}]