Merge pull request #15 from Brunoga-MS/main

Fixes to remove old assignment and 10 char limit
Azure · Sep 27, 2023 · bd020cf · bd020cf
2 parents 85f7dfb + 1dcdf6b
commit bd020cf
Show file tree

Hide file tree

Showing 10 changed files with 46 additions and 13 deletions.
diff --git a/docs/content/patterns/alz/Known-Issues.md b/docs/content/patterns/alz/Known-Issues.md
@@ -39,3 +39,34 @@ When a role or a role assignement is removed, some orphaned object can still app
 2. Select the management group (corresponding to the value entered for the *enterpriseScaleCompanyPrefix* during the deployment) were AMBA deployment was targeted to
 3. Select ***Access control (IAM)***
 4. Under the ***Contributor*** role, select all records named ***Identity not found*** entry and click ***Remove***
+
+## Failed to deploy to a different location
+
+### Error includes
+
+*Error: Code=InvalidDeploymentLocation; Message=Invalid deployment location 'westeurope'. The deployment 'ALZARM' already exists in location 'uksouth'.*
+
+### Cause
+
+A deployment has been performed using one region (i.e. 'uksouth') in the command line. A subsequent cleanup is performed to allow a second deploy against a different region (i.e. 'westeurope'). Deployment entries still exists from the previous operation, so a region conflict is detected blocking you to run another deployment using a different region.
+
+### Resolution
+
+To resolve this issue, follow the steps below:
+
+1. Navigate to ***Management Groups***
+2. Select the management group (corresponding to the value entered for the *enterpriseScaleCompanyPrefix* during the deployment) were AMBA deployment was targeted to
+3. Click ***Deployment***
+4. Select all the deployment instances related to AMBA and click ***Delete***.
+
+{{< hint type=Important >}}
+To recognize the deployment names belonging to AMBA, select those whose names start with:
+
+1. amba-
+2. pid-
+3. alzArm
+4. preparingToLaunch
+
+If you deployed AMBA just one time, you have 14 deployment instances
+
+{{< /hint >}}
diff --git a/patterns/alz/alzArm.json b/patterns/alz/alzArm.json
@@ -4,9 +4,8 @@
     "parameters": {
         "enterpriseScaleCompanyPrefix": {
             "type": "string",
-            "maxLength": 10,
             "metadata": {
-                "description": "Provide a prefix (max 10 characters, unique at tenant-scope) for the Management Group hierarchy and other resources created as part of Enterprise-scale."
+                "description": "Provide a prefix (unique at tenant-scope) for the Management Group hierarchy and other resources created as part of Enterprise-scale."
             }
         },
         "telemetryOptOut": {

diff --git a/patterns/alz/policyAssignments/DINE-ConnectivityAssignment.json b/patterns/alz/policyAssignments/DINE-ConnectivityAssignment.json
@@ -79,7 +79,8 @@
             "properties": {
                 "principalType": "ServicePrincipal",
                 "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacContributor'))]",
-                "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').ambaConnectivity), '2019-09-01', 'Full' ).identity.principalId)]"
+                "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').ambaConnectivity), '2019-09-01', 'Full' ).identity.principalId)]",
+                "description": "_deployed_by_amba"
             }
         }
     ],

diff --git a/patterns/alz/policyAssignments/DINE-IdentityAssignment.json b/patterns/alz/policyAssignments/DINE-IdentityAssignment.json
@@ -79,7 +79,8 @@
             "properties": {
                 "principalType": "ServicePrincipal",
                 "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacContributor'))]",
-                "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').ambaIdentity), '2019-09-01', 'Full' ).identity.principalId)]"
+                "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').ambaIdentity), '2019-09-01', 'Full' ).identity.principalId)]",
+                "description": "_deployed_by_amba"
             }
         }
     ],

diff --git a/patterns/alz/policyAssignments/DINE-LandingZoneAssignment.json b/patterns/alz/policyAssignments/DINE-LandingZoneAssignment.json
@@ -79,7 +79,8 @@
             "properties": {
                 "principalType": "ServicePrincipal",
                 "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacContributor'))]",
-                "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').ambaLandingZone), '2019-09-01', 'Full' ).identity.principalId)]"
+                "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').ambaLandingZone), '2019-09-01', 'Full' ).identity.principalId)]",
+                "description": "_deployed_by_amba"
             }
         }
     ],

diff --git a/patterns/alz/policyAssignments/DINE-ManagementAssignment.json b/patterns/alz/policyAssignments/DINE-ManagementAssignment.json
@@ -79,7 +79,8 @@
             "properties": {
                 "principalType": "ServicePrincipal",
                 "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacContributor'))]",
-                "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').ambaManagement), '2019-09-01', 'Full' ).identity.principalId)]"
+                "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').ambaManagement), '2019-09-01', 'Full' ).identity.principalId)]",
+                "description": "_deployed_by_amba"
             }
         }
     ],

diff --git a/patterns/alz/policyAssignments/DINE-ServiceHealthAssignment.json b/patterns/alz/policyAssignments/DINE-ServiceHealthAssignment.json
@@ -79,7 +79,8 @@
             "properties": {
                 "principalType": "ServicePrincipal",
                 "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacContributor'))]",
-                "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').ambaServiceHealth), '2019-09-01', 'Full' ).identity.principalId)]"
+                "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').ambaServiceHealth), '2019-09-01', 'Full' ).identity.principalId)]",
+                "description": "_deployed_by_amba"
             }
         }
     ],

diff --git a/patterns/alz/policyDefinitions/policies.json b/patterns/alz/policyDefinitions/policies.json
@@ -5,16 +5,15 @@
     "_generator": {
       "name": "bicep",
       "version": "0.19.5.34762",
-      "templateHash": "14194738762871678875"
+      "templateHash": "6797539924020692135"
     }
   },
   "parameters": {
     "topLevelManagementGroupPrefix": {
       "type": "string",
       "defaultValue": "alz",
-      "maxLength": 10,
       "metadata": {
-        "description": "Provide a prefix (max 10 characters, unique at tenant-scope) for the Management Group hierarchy and other resources created as part of an Azure landing zone. DEFAULT VALUE = \"alz\"",
+        "description": "Provide a prefix (unique at tenant-scope) for the Management Group hierarchy and other resources created as part of an Azure landing zone. DEFAULT VALUE = \"alz\"",
         "message": "The JSON version of this file is programatically generated from Bicep. PLEASE DO NOT UPDATE MANUALLY!!"
       }
     },

diff --git a/patterns/alz/scripts/Start-AMBACleanup.ps1 b/patterns/alz/scripts/Start-AMBACleanup.ps1
@@ -135,7 +135,7 @@ ForEach ($identity in $policyAssignmentIdentities) {
 
     ForEach ($roleAssignment in $identityRoleAssignments) {
 
-        If ($roleAssignment.Description -like '*_deployed_by_amba*') {
+        If ($roleAssignment.Description -eq '_deployed_by_amba') {
             $roleAssignments += $roleAssignment
         }
     }

diff --git a/patterns/alz/templates/policies.bicep b/patterns/alz/templates/policies.bicep
@@ -1,8 +1,7 @@
 targetScope = 'managementGroup'
 
 @metadata({ message: 'The JSON version of this file is programatically generated from Bicep. PLEASE DO NOT UPDATE MANUALLY!!' })
-@description('Provide a prefix (max 10 characters, unique at tenant-scope) for the Management Group hierarchy and other resources created as part of an Azure landing zone. DEFAULT VALUE = "alz"')
-@maxLength(10)
+@description('Provide a prefix (unique at tenant-scope) for the Management Group hierarchy and other resources created as part of an Azure landing zone. DEFAULT VALUE = "alz"')
 param topLevelManagementGroupPrefix string = 'alz'
 
 @description('Optionally set the deployment location for policies with Deploy If Not Exists effect. DEFAULT VALUE = "deployment().location"')