Updates to support ESRI Accelerator (Azure#945)

* Moved files to a new folder * Added files * Renamed folder * Renamed folder * Added required outputs, Compiled bicep changes * Added params * Updated deployment URLs * Updated param descriptions * GitHub Action: Build Bicep to JSON --------- Co-authored-by: github-actions <[email protected]>
ARPA-H · Mar 29, 2024 · dfa7661 · dfa7661
1 parent 2778a07
commit dfa7661
Show file tree

Hide file tree

Showing 55 changed files with 32,707 additions and 177 deletions.
diff --git a/...tivedirectory-domaincontrollers/README.md → ...-directory-domain-services/iaas/README.md b/...tivedirectory-domaincontrollers/README.md → ...-directory-domain-services/iaas/README.md
diff --git a/...rs/activeDirectoryDomainControllers.bicep → ...as/activeDirectoryDomainControllers.bicep b/...rs/activeDirectoryDomainControllers.bicep → ...as/activeDirectoryDomainControllers.bicep
diff --git a/...vedirectory-domaincontrollers/diagram.png → ...irectory-domain-services/iaas/diagram.png b/...vedirectory-domaincontrollers/diagram.png → ...irectory-domain-services/iaas/diagram.png
diff --git a/.../extensions/firstDomainController.ps1.zip → .../extensions/firstDomainController.ps1.zip b/.../extensions/firstDomainController.ps1.zip → .../extensions/firstDomainController.ps1.zip
diff --git a/...extensions/secondDomainController.ps1.zip → ...extensions/secondDomainController.ps1.zip b/...extensions/secondDomainController.ps1.zip → ...extensions/secondDomainController.ps1.zip
diff --git a/...ns/active-directory-domain-services/paas/scripts/Set-EntraDomainServicesPrerequisites.ps1 b/...ns/active-directory-domain-services/paas/scripts/Set-EntraDomainServicesPrerequisites.ps1
@@ -0,0 +1,76 @@
+[CmdletBinding()]
+param(
+
+    [Parameter(Mandatory)]
+    [ValidateSet('China','Global','USGov','USGovDoD','USNat','USSec')]
+    [string]$Environment,
+
+    [Parameter(Mandatory)]
+    [string]$SubscriptionId,
+
+    [Parameter(Mandatory)]
+    [string]$TenantId
+)
+
+# Install the Microsoft Graph module
+if (!$(Get-Module -ListAvailable | Where-Object {$_.Name -eq 'Microsoft.Graph'}))
+{
+    Install-Module -Name 'Microsoft.Graph' -Scope 'CurrentUser'
+}
+
+# Connect to Azure AD
+Connect-MgGraph `
+    -Environment $Environment `
+    -TenantId $TenantId
+
+# Determine the correct application ID for the 'Domain Controller Services' service principal
+$ApplicationId = switch($Environment)
+{
+    Global { '2565bd9d-da50-47d4-8b85-4c97f669dc36' }
+    default { '6ba9a5d4-8456-4118-b521-9c5ca10cdf84' }
+
+}
+# Register the 'Domain Controller Services' service principal to the subscription
+New-MgServicePrincipal `
+    -AppId $ApplicationId
+
+# If the group doesn't exist, create it
+if (!$(Get-MgGroup -Filter "DisplayName eq 'AAD DC Administrators'"))
+{
+  New-MgGroup `
+    -DisplayName "AAD DC Administrators" `
+    -Description "Delegated group to administer Microsoft Entra Domain Services" `
+    -SecurityEnabled:$true `
+    -MailEnabled:$false `
+    -MailNickName "AADDCAdministrators"
+} 
+else 
+{
+  Write-Output "Admin group already exists."
+}
+
+$AzureEnvironment = switch($Environment)
+{
+    China { 'AzureChinaCloud' }
+    Global { 'AzureCloud' }
+    USGov { 'AzureUSGovernment' }
+    USGovDoD { 'AzureUSGovernment' }
+    USNat { 'USNat' }
+    USSec { 'USSec' }
+}
+
+# Install the Az module
+if (!$(Get-Module -ListAvailable | Where-Object {$_.Name -eq 'Az.Resources'}))
+{
+    Install-Module -Name 'Az.Resources' -Scope 'CurrentUser'
+}
+
+# Connect to Azure
+Connect-AzAccount `
+    -Environment $AzureEnvironment `
+    -Tenant $TenantId `
+    -Subscription $SubscriptionId
+
+# Register the 'Microsoft.AAD' provider to the subscription, if not already registered
+Register-AzResourceProvider `
+    -ProviderNamespace 'Microsoft.AAD'
diff --git a/...cep/add-ons/active-directory-domain-services/paas/scripts/Update-NetworkSecurityGroup.ps1 b/...cep/add-ons/active-directory-domain-services/paas/scripts/Update-NetworkSecurityGroup.ps1
@@ -0,0 +1,144 @@
+[CmdletBinding()]
+param (
+    [Parameter()]
+    [string]
+    $Environment,
+
+    [Parameter()]
+    [string]
+    $NetworkSecurityGroupName,
+
+    [Parameter()]
+    [string]
+    $NetworkSecurityGroupResourceGroupName,
+
+    [Parameter()]
+    [string]
+    $SubscriptionId,
+
+    [Parameter()]
+    [string]
+    $TenantId,
+
+    [Parameter()]
+    [string]
+    $UserAssignedIdentityClientId
+)
+
+Connect-AzAccount `
+    -Environment $Environment `
+    -Tenant $TenantId `
+    -Subscription $SubscriptionId `
+    -Identity `
+    -AccountId $UserAssignedIdentityClientId
+
+$Rules = @(
+    [PSCustomObject]@{
+        Access = 'Allow'
+        DestinationAddressPrefix = '*'
+        DestinationPortRange = '5986'
+        Direction = 'Inbound'
+        Name = 'Allow_WinRM_EntraDS'
+        Priority = '300'
+        Protocol = 'TCP'
+        SourceAddressPrefix = 'AzureActiveDirectoryDomainServices'
+        SourcePortRange = '*'
+    },
+    [PSCustomObject]@{
+        Access = 'Allow'
+        DestinationAddressPrefix = 'AzureActiveDirectoryDomainServices'
+        DestinationPortRange = '443'
+        Direction = 'Outbound'
+        Name = 'Allow_HTTPS_EntraDS'
+        Priority = '300'
+        Protocol = 'TCP'
+        SourceAddressPrefix = '*'
+        SourcePortRange = '*'
+    },
+    [PSCustomObject]@{
+        Access = 'Allow'
+        DestinationAddressPrefix = 'AzureMonitor'
+        DestinationPortRange = '443'
+        Direction = 'Outbound'
+        Name = 'Allow_HTTPS_AzureMonitor'
+        Priority = '305'
+        Protocol = 'TCP'
+        SourceAddressPrefix = '*'
+        SourcePortRange = '*'
+    },
+    [PSCustomObject]@{
+        Access = 'Allow'
+        DestinationAddressPrefix = 'Storage'
+        DestinationPortRange = '443'
+        Direction = 'Outbound'
+        Name = 'Allow_HTTPS_Storage'
+        Priority = '310'
+        Protocol = 'TCP'
+        SourceAddressPrefix = '*'
+        SourcePortRange = '*'
+    },
+    [PSCustomObject]@{
+        Access = 'Allow'
+        DestinationAddressPrefix = 'AzureActiveDirectory'
+        DestinationPortRange = '443'
+        Direction = 'Outbound'
+        Name = 'Allow_HTTPS_MicrosoftEntraID'
+        Priority = '315'
+        Protocol = 'TCP'
+        SourceAddressPrefix = '*'
+        SourcePortRange = '*'
+    },
+    [PSCustomObject]@{
+        Access = 'Allow'
+        DestinationAddressPrefix = 'AzureUpdateDelivery'
+        DestinationPortRange = '443'
+        Direction = 'Outbound'
+        Name = 'Allow_HTTPS_AzureUpdateDelivery'
+        Priority = '320'
+        Protocol = 'TCP'
+        SourceAddressPrefix = '*'
+        SourcePortRange = '*'
+    },
+    [PSCustomObject]@{
+        Access = 'Allow'
+        DestinationAddressPrefix = 'AzureFrontDoor.FirstParty'
+        DestinationPortRange = '443'
+        Direction = 'Outbound'
+        Name = 'Allow_HTTPS_AzureFrontDoor'
+        Priority = '325'
+        Protocol = 'TCP'
+        SourceAddressPrefix = '*'
+        SourcePortRange = '*'
+    },
+    [PSCustomObject]@{
+        Access = 'Allow'
+        DestinationAddressPrefix = 'GuestAndHybridManagement'
+        DestinationPortRange = '443'
+        Direction = 'Outbound'
+        Name = 'Allow_HTTPS_GuestAndHybridManagement'
+        Priority = '330'
+        Protocol = 'TCP'
+        SourceAddressPrefix = '*'
+        SourcePortRange = '*'
+    }
+)
+
+$Configuration = Get-AzNetworkSecurityGroup `
+    -ResourceGroupName $NetworkSecurityGroupResourceGroupName `
+    -Name $NetworkSecurityGroupName
+
+foreach ($Rule in $Rules)
+{
+    $Configuration | Add-AzNetworkSecurityRuleConfig `
+        -Name $Rule.Name `
+        -Access $Rule.Access `
+        -Protocol $Rule.Protocol `
+        -Direction $Rule.Direction `
+        -Priority $Rule.Priority `
+        -SourceAddressPrefix $Rule.SourceAddressPrefix `
+        -SourcePortRange $Rule.SourcePortRange `
+        -DestinationPortRange $Rule.DestinationPortRange `
+        -DestinationAddressPrefix $Rule.DestinationAddressPrefix
+}
+
+Set-AzNetworkSecurityGroup -NetworkSecurityGroup $Configuration
diff --git a/src/bicep/add-ons/active-directory-domain-services/paas/solution.bicep b/src/bicep/add-ons/active-directory-domain-services/paas/solution.bicep
@@ -0,0 +1,33 @@
+@description('The domain name for the managed domain.')
+param domainName string
+
+@description('The location of the managed domain.')
+param location string
+
+@description('The resource ID of the subnet for the managed domain.')
+param subnetResourceId string
+
+resource domainServices 'Microsoft.AAD/DomainServices@2022-12-01' = {
+  name: domainName
+  location: location
+  properties: {
+    domainConfigurationType: 'FullySynced'
+    domainName: domainName
+    domainSecuritySettings: {
+      kerberosRc4Encryption: 'Disabled'
+    }
+    filteredSync: 'Disabled'
+    notificationSettings: {
+      notifyGlobalAdmins: 'Enabled'
+      notifyDcAdmins: 'Enabled'
+      additionalRecipients: []
+    }
+    replicaSets: [
+      {
+        subnetId: subnetResourceId
+        location: location
+      }
+    ]
+    sku: 'Standard'
+  }
+}
diff --git a/src/bicep/add-ons/esri-accelerator/modules/domainServices.bicep b/src/bicep/add-ons/esri-accelerator/modules/domainServices.bicep
@@ -0,0 +1,17 @@
+targetScope = 'subscription'
+
+param deploymentNameSuffix string
+param domainName string
+param location string
+param resourceGroupName string
+param subnetResourceId string
+
+module domainServices '../../active-directory-domain-services/paas/solution.bicep' = {
+  name: 'domain-services-${deploymentNameSuffix}'
+  scope: resourceGroup(resourceGroupName)
+  params: {
+    domainName: domainName
+    location: location
+    subnetResourceId: subnetResourceId
+  }
+}