Updates to allow optional identity resources (Azure#838)
jamasten authored Feb 2, 2024
1 parent 696b001 commit a791803
Showing 5 changed files with 290 additions and 666 deletions.
20 changes: 16 additions & 4 deletions src/bicep/form/mlz.portal.json
Expand Up @@ -100,10 +100,20 @@
"text": "The Identity spoke can be used to house Active Directory and other AuthN and AuthZ solutions."
}
},
{
"name": "deployIdentity",
"type": "Microsoft.Common.CheckBox",
"label": "Deploy identity resources?",
"toolTip": "Check here to create the identity resources.",
"constraints": {
"required": false
}
},
{
"name": "identitySubscriptionId",
"label": "Identity Subscription",
"type": "Microsoft.Common.DropDown",
"visible": "[steps('basics').identitySection.deployIdentity]",
"defaultValue": "",
"toolTip": "Select the Subscription for your Mission Landing Zone Identity network.",
"multiselect": false,
Expand Down Expand Up @@ -195,11 +205,11 @@
"name": "location",
"type": "Microsoft.Common.LocationSelector",
"label": "Location",
"toolTip": "Select the location for the AVD session hosts.",
"toolTip": "Select the deployment location for MLZ.",
"resourceTypes": [
"Microsoft.Compute/virtualMachines"
"Microsoft.Compute/virtualMachines"
]
}
}
]
},
{
Expand Down Expand Up @@ -444,6 +454,7 @@
"name": "identityVirtualNetwork",
"label": "Identity Virtual Network",
"type": "Microsoft.Common.Section",
"visible": "[steps('basics').identitySection.deployIdentity]",
"elements": [
{
"name": "virtualNetworkAddressCidrRange",
Expand Down Expand Up @@ -992,6 +1003,7 @@
"parameters": {
"bastionHostSubnetAddressPrefix": "[steps('remoteAccess').azureBastionSubnetSection.bastionSubnetAddressCidrRange]",
"deployDefender": "[steps('compliance').defenderSection.deployDefender]",
"deployIdentity": "[steps('basics').identitySection.deployIdentity]",
"deployPolicy": "[steps('compliance').policySection.deployPolicy]",
"deployRemoteAccess": "[steps('remoteAccess').remoteAccessSection.deployRemoteAccess]",
"deploySentinel": "[steps('compliance').sentinelSection.deploySentinel]",
Expand All @@ -1004,7 +1016,7 @@
"hubVirtualNetworkAddressPrefix": "[steps('networking').hubVirtualNetwork.virtualNetworkAddressCidrRange]",
"hybridUseBenefit": "[steps('remoteAccess').windowsVmSection.hybridUseBenefit]",
"identitySubnetAddressPrefix": "[steps('networking').identityVirtualNetwork.subnetAddressCidrRange]",
"identitySubscriptionId": "[replace(steps('basics').identitySection.identitySubscriptionId, '/subscriptions/', '')]",
"identitySubscriptionId": "[if(steps('basics').identitySection.deployIdentity, replace(steps('basics').identitySection.identitySubscriptionId, '/subscriptions/', ''), replace(steps('basics').hubSection.hubSubscriptionId, '/subscriptions/', ''))]",
"identityVirtualNetworkAddressPrefix": "[steps('networking').identityVirtualNetwork.virtualNetworkAddressCidrRange]",
"linuxVmAdminPasswordOrKey": "[if(equals(steps('remoteAccess').linuxVmSection.linuxVmAdminPasswordOrKey.authenticationType, 'password'), steps('remoteAccess').linuxVmSection.linuxVmAdminPasswordOrKey.password, steps('remoteAccess').linuxVmSection.linuxVmAdminPasswordOrKey.sshPublicKey)]",
"linuxVmAdminUsername": "[steps('remoteAccess').linuxVmSection.linuxVmAdminUsername]",
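Review bot: The outputs hunk makes `identitySubscriptionId` conditional on `deployIdentity`, but `identitySubnetAddressPrefix` and `identityVirtualNetworkAddressPrefix` are still read unconditionally from the `identityVirtualNetwork` section that this commit hides when the box is unchecked, so the template receives whatever a hidden CIDR field yields rather than a deliberate value; consider the same pattern, e.g. `"identitySubnetAddressPrefix": "[if(steps('basics').identitySection.deployIdentity, steps('networking').identityVirtualNetwork.subnetAddressCidrRange, '')]"`, for both. The new `if()` also silently falls back to the hub subscription for the identity parameters, which an operator cannot see from the form. The checkbox toolTip could say so: `"toolTip": "Check here to create the identity resources. When unchecked, the identity subscription defaults to the hub subscription."`. Whether the Bicep side tolerates an empty prefix when identity is skipped cannot be confirmed from this file.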
62 changes: 39 additions & 23 deletions src/bicep/mlz.bicep
Expand Up @@ -48,6 +48,9 @@ param supportedClouds array = [
'AzureUSGovernment'
]

@description('Choose to deploy the identity resources. The identity resoures are not required if you plan to use cloud identities.')
param deployIdentity bool

// RESOURCE NAMING PARAMETERS

@description('A suffix to use for naming deployments uniquely. It defaults to the Bicep resolution of the "utcNow()" function.')
Expand Down Expand Up @@ -655,26 +658,8 @@ var bastionHostPublicIPAddressAllocationMethod = 'Static'

// SPOKES

var spokes = [
{
name: identityName
subscriptionId: identitySubscriptionId
resourceGroupName: identityResourceGroupName
logStorageAccountName: identityLogStorageAccountName
virtualNetworkName: identityVirtualNetworkName
virtualNetworkAddressPrefix: identityVirtualNetworkAddressPrefix
virtualNetworkDiagnosticsLogs: identityVirtualNetworkDiagnosticsLogs
virtualNetworkDiagnosticsMetrics: identityVirtualNetworkDiagnosticsMetrics
networkSecurityGroupName: identityNetworkSecurityGroupName
networkSecurityGroupRules: identityNetworkSecurityGroupRules
networkSecurityGroupDiagnosticsLogs: identityNetworkSecurityGroupDiagnosticsLogs
networkSecurityGroupDiagnosticsMetrics: identityNetworkSecurityGroupDiagnosticsMetrics
routeTableName: identityRouteTableName
subnetName: identitySubnetName
subnetAddressPrefix: identitySubnetAddressPrefix
subnetPrivateEndpointNetworkPolicies: 'Disabled'
subnetPrivateLinkServiceNetworkPolicies: 'Disabled'
}
var spokes = union(spokesCommon, spokesIdentity)
var spokesCommon = [
{
name: operationsName
subscriptionId: operationsSubscriptionId
Expand Down Expand Up @@ -714,6 +699,27 @@ var spokes = [
subnetPrivateLinkServiceNetworkPolicies: 'Disabled'
}
]
var spokesIdentity = deployIdentity ? [
{
name: identityName
subscriptionId: identitySubscriptionId
resourceGroupName: identityResourceGroupName
logStorageAccountName: identityLogStorageAccountName
virtualNetworkName: identityVirtualNetworkName
virtualNetworkAddressPrefix: identityVirtualNetworkAddressPrefix
virtualNetworkDiagnosticsLogs: identityVirtualNetworkDiagnosticsLogs
virtualNetworkDiagnosticsMetrics: identityVirtualNetworkDiagnosticsMetrics
networkSecurityGroupName: identityNetworkSecurityGroupName
networkSecurityGroupRules: identityNetworkSecurityGroupRules
networkSecurityGroupDiagnosticsLogs: identityNetworkSecurityGroupDiagnosticsLogs
networkSecurityGroupDiagnosticsMetrics: identityNetworkSecurityGroupDiagnosticsMetrics
routeTableName: identityRouteTableName
subnetName: identitySubnetName
subnetAddressPrefix: identitySubnetAddressPrefix
subnetPrivateEndpointNetworkPolicies: 'Disabled'
subnetPrivateLinkServiceNetworkPolicies: 'Disabled'
}
] : []

// TAGS

Expand Down Expand Up @@ -880,9 +886,19 @@ module privateDnsZones './modules/private-dns.bicep' = {
name: 'deploy-private-dns-zones-${deploymentNameSuffix}'
scope: resourceGroup(hubSubscriptionId, hubResourceGroupName)
params: {
vnetName: hubNetwork.outputs.virtualNetworkName
deployIdentity: deployIdentity
deploymentNameSuffix: deploymentNameSuffix
hubVirtualNetworkName: hubNetwork.outputs.virtualNetworkName
hubVirtualNetworkResourceGroupName: hubResourceGroupName
hubVirtualNetworkSubscriptionId: hubSubscriptionId
identityVirtualNetworkName: deployIdentity ? spokes[2].virtualNetworkName : ''
identityVirtualNetworkResourceGroupName: identityResourceGroupName
identityVirtualNetworkSubscriptionId: identitySubscriptionId
tags: tags
}
dependsOn: [
spokeNetworks
]
}

// OPERATIONS CMK DEPENDANCIES
Expand All @@ -897,7 +913,7 @@ module operationsCustomerManagedKeys './core/operations-customer-managed-keys.bi
keyVaultPrivateDnsZoneResourceId: privateDnsZones.outputs.keyvaultDnsPrivateDnsZoneId
location: location
resourcePrefix: resourcePrefix
subnetResourceId: spokeNetworks[1].outputs.subnetResourceId
subnetResourceId: spokeNetworks[0].outputs.subnetResourceId
tags: calculatedTags
userAssignedIdentityName: operationsUserAssignedIdentityName
}
Expand All @@ -921,7 +937,7 @@ module azureMonitor './modules/azure-monitor.bicep' = if (contains(supportedClou
location: location
tags: tags
resourcePrefix: resourcePrefix
subnetResourceId: spokeNetworks[1].outputs.subnetResourceId
subnetResourceId: spokeNetworks[0].outputs.subnetResourceId
}
dependsOn: [
logAnalyticsWorkspace
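Review bot: `identityVirtualNetworkName: deployIdentity ? spokes[2].virtualNetworkName : ''` in the privateDnsZones module depends on `union(spokesCommon, spokesIdentity)` appending identity after exactly two common spokes, which is not visible in this hunk and will break silently if a spoke is added; the same index dependence drives the `spokeNetworks[1]` → `spokeNetworks[0]` edits in the operations CMK and azureMonitor modules. A name-based lookup avoids that, e.g. `identityVirtualNetworkName: deployIdentity ? spokesIdentity[0].virtualNetworkName : ''`. The same params block still passes `identityResourceGroupName` and `identitySubscriptionId` when `deployIdentity` is false; whether private-dns.bicep guards any scope it builds from them on `deployIdentity` cannot be seen here. In the new parameter's @description, `resoures` should read `resources`, and since `param deployIdentity bool` has no default, existing parameter files that do not set it will now fail validation, so a default such as `= true` may be worth considering for compatibility. The privateDnsZones module declaration starts inside the hunk but the spokesCommon array it indexes ends outside it.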