-
Notifications
You must be signed in to change notification settings - Fork 518
/
Copy pathbase-unit-validate.yml
247 lines (219 loc) · 15 KB
/
base-unit-validate.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
name: "ALZ-Bicep - Unit Tests - Validate All Modules"
trigger: none
variables:
- group: csu-bicep-environment
- name: ResourceGroupName
value: "rsg-github-pr-$(System.PullRequest.PullRequestNumber)"
- name: ManagementGroupPrefix
value: "PR-$(System.PullRequest.PullRequestNumber)"
- name: TopLevelManagementGroupDisplayName
value: "PR $(System.PullRequest.PullRequestNumber) Azure Landing Zones"
- name: SubscriptionName
value: "sub-unit-test-pr-$(System.PullRequest.PullRequestNumber)"
jobs:
- job: bicep_validate
displayName: Validate Bicep Module Deployments for PR
pool:
vmImage: ubuntu-latest
steps:
- task: AzureCLI@2
displayName: 'Azure CLI Get Federated Token'
inputs:
azureSubscription: azserviceconnection
addSpnToEnvironment: true
scriptType: bash
scriptLocation: inlineScript
inlineScript: |
echo "##vso[task.setvariable variable=ARM_CLIENT_ID]$servicePrincipalId"
echo "##vso[task.setvariable variable=ARM_ID_TOKEN]$idToken"
echo "##vso[task.setvariable variable=ARM_TENANT_ID]$tenantId"
- task: Bash@3
displayName: Login to Azure for Subsequent Tasks
name: git_azlogin
inputs:
targetType: "inline"
script: |
az login --service-principal -u $(ARM_CLIENT_ID) --tenant $(ARM_TENANT_ID) --allow-no-subscriptions --federated-token $(ARM_ID_TOKEN)
- task: Bash@3
displayName: Az CLI Create Subscription for PR
name: create_subscription
inputs:
targetType: "inline"
script: |
subid=$(az deployment tenant create --name "deploy-$(SubscriptionName)" --location $(Location) --template-file infra-as-code/bicep/CRML/subscriptionAlias/subscriptionAlias.bicep --parameters @infra-as-code/bicep/CRML/subscriptionAlias/parameters/subscriptionAlias.parameters.min.json --parameters parSubscriptionBillingScope=$(ALZ-AZURE-SECRET-EA-BILLING-ACCOUNT) parSubscriptionName=$(SubscriptionName) | jq .properties.outputs.outSubscriptionId.value | tr -d '"')
echo $subId
echo "##vso[task.setvariable variable=subscriptionId]$subid"
- task: Bash@3
displayName: Az CLI Refresh subscription list
name: refresh_subscription
inputs:
targetType: "inline"
script: |
az account list --refresh
- task: Bash@3
displayName: Az CLI Create Resource Group for PR
name: create_rsg
inputs:
targetType: "inline"
script: |
az account set --subscription $(subscriptionId)
if [ $(az group exists --name $(ResourceGroupName) ) == false ]; then
sleep 300
fi
az deployment sub create --name "deploy-$(ResourceGroupName)" --template-file infra-as-code/bicep/modules/resourceGroup/resourceGroup.bicep --location $(Location) --parameters parLocation=$(Location) parResourceGroupName=$(ResourceGroupName)
- task: Bash@3
displayName: Az CLI Register Resource Providers for PR
name: register_providers
inputs:
targetType: "inline"
script: |
az account set --subscription $(subscriptionId)
az provider register -n 'Microsoft.Insights'
- task: Bash@3
displayName: Az CLI Deploy Management Groups for PR
name: create_mgs
inputs:
targetType: "inline"
script: |
az deployment tenant create --template-file infra-as-code/bicep/modules/managementGroups/managementGroups.bicep --parameters @infra-as-code/bicep/modules/managementGroups/parameters/managementGroups.parameters.all.json parTopLevelManagementGroupPrefix=$(ManagementGroupPrefix) --location $(Location) --name $(ManagementGroupPrefix)
- task: Bash@3
displayName: Az CLI Validate Custom Role Definitions for PR
name: validate_rbac_roles
inputs:
targetType: "inline"
script: |
az deployment mg validate --template-file infra-as-code/bicep/modules/customRoleDefinitions/customRoleDefinitions.bicep --parameters @infra-as-code/bicep/modules/customRoleDefinitions/parameters/customRoleDefinitions.parameters.all.json parAssignableScopeManagementGroupId=$(ManagementGroupPrefix) --location $(Location) --management-group-id $(ManagementGroupPrefix) --name $(ManagementGroupPrefix)
- task: Bash@3
displayName: Az CLI Validate Custom Policy Definitions for PR
name: validate_policy_defs
inputs:
targetType: "inline"
script: |
az deployment mg validate --template-file infra-as-code/bicep/modules/policy/definitions/customPolicyDefinitions.bicep --parameters @infra-as-code/bicep/modules/policy/definitions/parameters/customPolicyDefinitions.parameters.all.json parTargetManagementGroupId=$(ManagementGroupPrefix) --location $(Location) --management-group-id $(ManagementGroupPrefix) --name $(ManagementGroupPrefix)
- task: Bash@3
displayName: Az CLI Deploy Logging for PR
name: create_logging
inputs:
targetType: "inline"
script: |
az deployment group create --resource-group $(ResourceGroupName) --template-file infra-as-code/bicep/modules/logging/logging.bicep --parameters @infra-as-code/bicep/modules/logging/parameters/logging.parameters.min.json
- task: Bash@3
displayName: Az CLI Validate mgDiagSettingsAll for PR
name: create_mgDiagSettingsAll
inputs:
targetType: "inline"
script: |
az deployment mg validate --template-file infra-as-code/bicep/orchestration/mgDiagSettingsAll/mgDiagSettingsAll.bicep --parameters @infra-as-code/bicep/orchestration/mgDiagSettingsAll/parameters/mgDiagSettingsAll.parameters.min.json parTopLevelManagementGroupPrefix="$(ManagementGroupPrefix)" parLogAnalyticsWorkspaceResourceId="/subscriptions/$(subscriptionId)/resourceGroups/$(ResourceGroupName)/providers/Microsoft.OperationalInsights/workspaces/alz-log-analytics" --location $(Location) --management-group-id $(ManagementGroupPrefix) --name $(ManagementGroupPrefix)
- task: Bash@3
displayName: Az CLI Validate Subscription Placement for PR
name: move_sub
inputs:
targetType: "inline"
script: |
az deployment mg validate --template-file infra-as-code/bicep/modules/subscriptionPlacement/subscriptionPlacement.bicep --parameters @infra-as-code/bicep/modules/subscriptionPlacement/parameters/subscriptionPlacement.parameters.all.json parTargetManagementGroupId=$(ManagementGroupPrefix)-platform-connectivity parSubscriptionIds='["$(subscriptionId)"]' --location $(Location) --management-group-id $(ManagementGroupPrefix) --name $(ManagementGroupPrefix)
- task: Bash@3
displayName: Az CLI Validate Alz Default policy assignments
name: validate_alz_default_policy_assign
inputs:
targetType: "inline"
script: |
az deployment mg validate --template-file infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep --parameters @infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.all.json parTopLevelManagementGroupPrefix=$(ManagementGroupPrefix) --location $(Location) --management-group-id $(ManagementGroupPrefix) --name $(ManagementGroupPrefix)
- task: Bash@3
displayName: Az CLI Validate Hub Networking for PR
name: validate_hub_network
inputs:
targetType: "inline"
script: |
az deployment group validate --resource-group $(ResourceGroupName) --template-file infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep --parameters @infra-as-code/bicep/modules/hubNetworking/parameters/hubNetworking.parameters.all.json --name $(ManagementGroupPrefix)
- task: Bash@3
displayName: Az CLI Validate vWan Networking for PR
name: validate_vwan_network
inputs:
targetType: "inline"
script: |
az deployment group validate --resource-group $(ResourceGroupName) --template-file infra-as-code/bicep/modules/vwanConnectivity/vwanConnectivity.bicep --parameters @infra-as-code/bicep/modules/vwanConnectivity/parameters/vwanConnectivity.parameters.all.json --name $(ManagementGroupPrefix)
- task: Bash@3
displayName: Az CLI Validate Spoke Networking for PR
name: validate_spoke_network
inputs:
targetType: "inline"
script: |
az deployment group validate --resource-group $(ResourceGroupName) --template-file infra-as-code/bicep/modules/spokeNetworking/spokeNetworking.bicep --name $(ManagementGroupPrefix)
- task: Bash@3
displayName: Az CLI Validate vWan Network connection for PR
name: validate_vwan_network_connection
inputs:
targetType: "inline"
script: |
az deployment sub validate --location $(Location) --template-file infra-as-code/bicep/modules/vnetPeeringVwan/vnetPeeringVwan.bicep --parameters @infra-as-code/bicep/modules/vnetPeeringVwan/parameters/vnetPeeringVwan.parameters.all.json parVirtualWanHubResourceId="/subscriptions/$(subscriptionId)/resourceGroups/$(ResourceGroupName)/providers/Microsoft.Network/virtualHubs/alz-vhub-$(Location)" parRemoteVirtualNetworkResourceId="/subscriptions/$(subscriptionId)/resourceGroups/$(ResourceGroupName)/providers/Microsoft.Network/virtualNetworks/vnet-spoke" --name $(ManagementGroupPrefix)
- task: Bash@3
displayName: Az CLI Validate vNet Peer for PR
name: validate_vnet_peer_spoke_2_hub
inputs:
targetType: "inline"
script: |
az deployment group validate --resource-group $(ResourceGroupName) --template-file infra-as-code/bicep/modules/vnetPeering/vnetPeering.bicep --parameters parDestinationVirtualNetworkId="/subscriptions/$(subscriptionId)/resourceGroups/$(ResourceGroupName)/providers/Microsoft.Network/virtualNetworks/alz-hub-$(Location)" parSourceVirtualNetworkName="vnet-spoke" parDestinationVirtualNetworkName="alz-hub-$(Location)" --name $(ManagementGroupPrefix)
- task: Bash@3
displayName: Az CLI Validate Public IP
name: validate_public_ip
inputs:
targetType: "inline"
script: |
az deployment group validate --resource-group $(ResourceGroupName) --template-file infra-as-code/bicep/modules/publicIp/publicIp.bicep --parameters @infra-as-code/bicep/modules/publicIp/parameters/publicIp.parameters.min.json --name $(ManagementGroupPrefix)
- task: Bash@3
displayName: Az CLI Validate Role Assignment to single Management Group
name: validate_role_assign_single_mg
inputs:
targetType: "inline"
script: |
az deployment mg validate --template-file infra-as-code/bicep/modules/roleAssignments/roleAssignmentManagementGroup.bicep --parameters @infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroup.managedIdentity.parameters.all.json --location $(Location) --management-group-id $(ManagementGroupPrefix) --name $(ManagementGroupPrefix)
- task: Bash@3
displayName: Az CLI Validate Role Assignment to multiple Management Groups
name: validate_role_assign_multiple_mg
inputs:
targetType: "inline"
script: |
az deployment mg validate --template-file infra-as-code/bicep/modules/roleAssignments/roleAssignmentManagementGroupMany.bicep --parameters @infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroupMany.managedIdentity.parameters.all.json parManagementGroupIds='("$(ManagementGroupPrefix)-landingzones", "$(ManagementGroupPrefix)-platform")' --location $(Location) --management-group-id $(ManagementGroupPrefix) --name $(ManagementGroupPrefix)
- task: Bash@3
displayName: Az CLI Validate Role Assignment to single subscription
name: validate_role_assign_single_subscription
inputs:
targetType: "inline"
script: |
az deployment sub validate --template-file infra-as-code/bicep/modules/roleAssignments/roleAssignmentSubscription.bicep --parameters @infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscription.managedIdentity.parameters.all.json --location $(Location) --name $(ManagementGroupPrefix)
- task: Bash@3
displayName: Az CLI Validate Role Assignment to multiple subscriptions
name: validate_role_assign_multiple_subscription
inputs:
targetType: "inline"
script: |
az deployment mg validate --template-file infra-as-code/bicep/modules/roleAssignments/roleAssignmentSubscriptionMany.bicep --parameters @infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscriptionMany.managedIdentity.parameters.all.json parSubscriptionIds='("$(subscriptionId)","$(azvalidatesubscription)")' --location $(Location) --management-group-id $(ManagementGroupPrefix) --name $(ManagementGroupPrefix)
- task: Bash@3
displayName: Az CLI Validate hub peered spoke orchestration module
name: validate_hub_peer_spoke
inputs:
targetType: "inline"
script: |
az deployment mg validate --template-file infra-as-code/bicep/orchestration/hubPeeredSpoke/hubPeeredSpoke.bicep --parameters @infra-as-code/bicep/orchestration/hubPeeredSpoke/parameters/hubPeeredSpoke.parameters.all.json parPeeredVnetSubscriptionId="$(subscriptionId)" parHubVirtualNetworkId="/subscriptions/$(subscriptionId)/resourceGroups/$(ResourceGroupName)/providers/Microsoft.Network/virtualNetworks/alz-hub-$(Location)" parTopLevelManagementGroupPrefix="$(ManagementGroupPrefix)" --location $(Location) --management-group-id $(ManagementGroupPrefix) --name $(ManagementGroupPrefix)
- task: Bash@3
displayName: Az CLI Validate subPlacementAll orchestration module
name: validate_sub_placement_all
inputs:
targetType: "inline"
script: |
az deployment mg validate --template-file infra-as-code/bicep/orchestration/subPlacementAll/subPlacementAll.bicep --parameters @infra-as-code/bicep/orchestration/subPlacementAll/parameters/subPlacementAll.parameters.all.json parTopLevelManagementGroupPrefix="$(ManagementGroupPrefix)" parPlatformConnectivityMgSubs='["$(subscriptionId)"]' --location $(Location) --management-group-id $(ManagementGroupPrefix) --name "$(ManagementGroupPrefix)-subPlacement"
- job: bicep_cleanup
dependsOn: bicep_validate
displayName: Cleanup Bicep Validate Deployment for PR
pool:
vmImage: ubuntu-latest
steps:
- task: AzurePowerShell@5
displayName: Az CLI Remove/Cleanup Deployment
inputs:
azureSubscription: "azserviceconnection"
ScriptType: "FilePath"
ScriptPath: ".github/scripts/Wipe-AlzTenant.ps1"
ScriptArguments: '-tenantRootGroupID $(azclitenant) -intermediateRootGroupID "$(ManagementGroupPrefix)" -subscriptionName "$(SubscriptionName)"'
azurePowerShellVersion: "LatestVersion"
pwsh: true