diff --git a/docs/content/patterns/alz/Known-Issues.md b/docs/content/patterns/alz/Known-Issues.md
index 2d37e7547..ce1586fc1 100644
--- a/docs/content/patterns/alz/Known-Issues.md
+++ b/docs/content/patterns/alz/Known-Issues.md
@@ -39,3 +39,34 @@ When a role or a role assignement is removed, some orphaned object can still app
 2. Select the management group (corresponding to the value entered for the *enterpriseScaleCompanyPrefix* during the deployment) were AMBA deployment was targeted to
 3. Select ***Access control (IAM)***
 4. Under the ***Contributor*** role, select all records named ***Identity not found*** entry and click ***Remove***
+
+## Failed to deploy to a different location
+
+### Error includes
+
+*Error: Code=InvalidDeploymentLocation; Message=Invalid deployment location 'westeurope'. The deployment 'ALZARM' already exists in location 'uksouth'.*
+
+### Cause
+
+A deployment has been performed using one region (i.e. 'uksouth') in the command line. A subsequent cleanup is performed to allow a second deploy against a different region (i.e. 'westeurope'). Deployment entries still exists from the previous operation, so a region conflict is detected blocking you to run another deployment using a different region.
+
+### Resolution
+
+To resolve this issue, follow the steps below:
+
+1. Navigate to ***Management Groups***
+2. Select the management group (corresponding to the value entered for the *enterpriseScaleCompanyPrefix* during the deployment) were AMBA deployment was targeted to
+3. Click ***Deployment***
+4. Select all the deployment instances related to AMBA and click ***Delete***.
+
+{{< hint type=Important >}}
+To recognize the deployment names belonging to AMBA, select those whose names start with:
+
+1. amba-
+2. pid-
+3. alzArm
+4. preparingToLaunch
+
+If you deployed AMBA just one time, you have 14 deployment instances
+
+{{< /hint >}}
diff --git a/patterns/alz/alzArm.json b/patterns/alz/alzArm.json
index 595dac9cc..bcea29419 100644
--- a/patterns/alz/alzArm.json
+++ b/patterns/alz/alzArm.json
@@ -4,9 +4,8 @@
 "parameters": {
 "enterpriseScaleCompanyPrefix": {
 "type": "string",
- "maxLength": 10,
 "metadata": {
- "description": "Provide a prefix (max 10 characters, unique at tenant-scope) for the Management Group hierarchy and other resources created as part of Enterprise-scale."
+ "description": "Provide a prefix (unique at tenant-scope) for the Management Group hierarchy and other resources created as part of Enterprise-scale."
 }
 },
 "telemetryOptOut": {
diff --git a/patterns/alz/policyAssignments/DINE-ConnectivityAssignment.json b/patterns/alz/policyAssignments/DINE-ConnectivityAssignment.json
index 1ddaa15fa..10ddcde9f 100644
--- a/patterns/alz/policyAssignments/DINE-ConnectivityAssignment.json
+++ b/patterns/alz/policyAssignments/DINE-ConnectivityAssignment.json
@@ -79,7 +79,8 @@
 "properties": {
 "principalType": "ServicePrincipal",
 "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacContributor'))]",
- "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').ambaConnectivity), '2019-09-01', 'Full' ).identity.principalId)]"
+ "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').ambaConnectivity), '2019-09-01', 'Full' ).identity.principalId)]",
+ "description": "_deployed_by_amba"
 }
 }
 ],
diff --git a/patterns/alz/policyAssignments/DINE-IdentityAssignment.json b/patterns/alz/policyAssignments/DINE-IdentityAssignment.json
index 021fedf6a..7a82cb368 100644
--- a/patterns/alz/policyAssignments/DINE-IdentityAssignment.json
+++ b/patterns/alz/policyAssignments/DINE-IdentityAssignment.json
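Review bot: `enterpriseScaleCompanyPrefix` is left with no length bound at all once `"maxLength": 10` is dropped in patterns/alz/alzArm.json, and the same removal is made for `topLevelManagementGroupPrefix` in patterns/alz/templates/policies.bicep and its generated policies.json. The description says the value is used for the Management Group hierarchy and other resource names, so an over-long prefix would presumably now fail late inside the deployment instead of at parameter validation. If 10 was too tight, I would replace it with the real upper bound rather than none, e.g. `"maxLength": <MAX_PREFIX_LENGTH>,` (placeholder, the correct value is not on this page), and keep that limit stated in the description text.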
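Review bot: The new `"description": "_deployed_by_amba"` on this Contributor role assignment is the value Start-AMBACleanup.ps1 matches on, and the literal is now hand-copied into five templates: DINE-ConnectivityAssignment.json here, plus DINE-IdentityAssignment.json, DINE-LandingZoneAssignment.json, DINE-ManagementAssignment.json and DINE-ServiceHealthAssignment.json. Because the script moves to an exact `-eq` comparison in the same commit, a typo or later edit in any one copy would make the cleanup skip that managed identity's Contributor grant and leave it in place. Consider defining the marker once per template as a variable and referencing it, `"description": "[variables('<MARKER_VARIABLE>')]"` (placeholder name), and confirm that the roleAssignments `apiVersion`, which is outside the hunk, is one that accepts `description`. Role assignments created by earlier deployments presumably carry no description, so they may still need the manual removal described in Known-Issues.md.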
@@ -79,7 +79,8 @@
 "properties": {
 "principalType": "ServicePrincipal",
 "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacContributor'))]",
- "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').ambaIdentity), '2019-09-01', 'Full' ).identity.principalId)]"
+ "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').ambaIdentity), '2019-09-01', 'Full' ).identity.principalId)]",
+ "description": "_deployed_by_amba"
 }
 }
 ],
diff --git a/patterns/alz/policyAssignments/DINE-LandingZoneAssignment.json b/patterns/alz/policyAssignments/DINE-LandingZoneAssignment.json
index 6bc53cb51..80f0fe588 100644
--- a/patterns/alz/policyAssignments/DINE-LandingZoneAssignment.json
+++ b/patterns/alz/policyAssignments/DINE-LandingZoneAssignment.json
@@ -79,7 +79,8 @@
 "properties": {
 "principalType": "ServicePrincipal",
 "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacContributor'))]",
- "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').ambaLandingZone), '2019-09-01', 'Full' ).identity.principalId)]"
+ "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').ambaLandingZone), '2019-09-01', 'Full' ).identity.principalId)]",
+ "description": "_deployed_by_amba"
 }
 }
 ],
diff --git a/patterns/alz/policyAssignments/DINE-ManagementAssignment.json b/patterns/alz/policyAssignments/DINE-ManagementAssignment.json
index b9ec7fde9..8c6d323ca 100644
--- a/patterns/alz/policyAssignments/DINE-ManagementAssignment.json
+++ b/patterns/alz/policyAssignments/DINE-ManagementAssignment.json
@@ -79,7 +79,8 @@
 "properties": {
 "principalType": "ServicePrincipal",
 "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacContributor'))]",
- "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').ambaManagement), '2019-09-01', 'Full' ).identity.principalId)]"
+ "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').ambaManagement), '2019-09-01', 'Full' ).identity.principalId)]",
+ "description": "_deployed_by_amba"
 }
 }
 ],
diff --git a/patterns/alz/policyAssignments/DINE-ServiceHealthAssignment.json b/patterns/alz/policyAssignments/DINE-ServiceHealthAssignment.json
index 4d83f4f86..7eac98b3d 100644
--- a/patterns/alz/policyAssignments/DINE-ServiceHealthAssignment.json
+++ b/patterns/alz/policyAssignments/DINE-ServiceHealthAssignment.json
@@ -79,7 +79,8 @@
 "properties": {
 "principalType": "ServicePrincipal",
 "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacContributor'))]",
- "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').ambaServiceHealth), '2019-09-01', 'Full' ).identity.principalId)]"
+ "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').ambaServiceHealth), '2019-09-01', 'Full' ).identity.principalId)]",
+ "description": "_deployed_by_amba"
 }
 }
 ],
diff --git a/patterns/alz/policyDefinitions/policies.json b/patterns/alz/policyDefinitions/policies.json
index 3f4c15c78..cf4c3333a 100644
--- a/patterns/alz/policyDefinitions/policies.json
+++ b/patterns/alz/policyDefinitions/policies.json
@@ -5,16 +5,15 @@ "_generator": { "name": "bicep", "version": "0.19.5.34762", - "templateHash": "14194738762871678875" + "templateHash": "6797539924020692135" } }, "parameters": { "topLevelManagementGroupPrefix": { "type": "string", "defaultValue": "alz", - "maxLength": 10, "metadata": { - "description": "Provide a prefix (max 10 characters, unique at tenant-scope) for the Management Group hierarchy and other resources created as part of an Azure landing zone. DEFAULT VALUE = \"alz\"", + "description": "Provide a prefix (unique at tenant-scope) for the Management Group hierarchy and other resources created as part of an Azure landing zone. DEFAULT VALUE = \"alz\"", "message": "The JSON version of this file is programatically generated from Bicep. PLEASE DO NOT UPDATE MANUALLY!!" } }, diff --git a/patterns/alz/scripts/Start-AMBACleanup.ps1 b/patterns/alz/scripts/Start-AMBACleanup.ps1 index d0952aa34..7496b58d5 100644 --- a/patterns/alz/scripts/Start-AMBACleanup.ps1 +++ b/patterns/alz/scripts/Start-AMBACleanup.ps1 @@ -135,7 +135,7 @@ ForEach ($identity in $policyAssignmentIdentities) { ForEach ($roleAssignment in $identityRoleAssignments) { - If ($roleAssignment.Description -like '*_deployed_by_amba*') { + If ($roleAssignment.Description -eq '_deployed_by_amba') { $roleAssignments += $roleAssignment } } diff --git a/patterns/alz/templates/policies.bicep b/patterns/alz/templates/policies.bicep index c19f26df7..1a227c655 100644 --- a/patterns/alz/templates/policies.bicep +++ b/patterns/alz/templates/policies.bicep 
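Review bot: The exact comparison `$roleAssignment.Description -eq '_deployed_by_amba'` in Start-AMBACleanup.ps1 has no comment tying it to the templates that set the value, and nothing reports the role assignments it skips. The literal has to stay identical to the `"description"` added in the five policyAssignments/DINE-*Assignment.json files, so I would add `# Marker must equal the "description" set on the role assignments in policyAssignments/DINE-*Assignment.json` above the `If`. Since the description is free text and assignments created before this commit presumably have none, a `Write-Verbose` message in an `Else` branch for each skipped assignment would let an operator see which grants for these policy identities the cleanup left in place. The enclosing `ForEach` loops begin outside the hunk.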
@@ -1,8 +1,7 @@ targetScope = 'managementGroup' @metadata({ message: 'The JSON version of this file is programatically generated from Bicep. PLEASE DO NOT UPDATE MANUALLY!!' }) -@description('Provide a prefix (max 10 characters, unique at tenant-scope) for the Management Group hierarchy and other resources created as part of an Azure landing zone. DEFAULT VALUE = "alz"') -@maxLength(10) +@description('Provide a prefix (unique at tenant-scope) for the Management Group hierarchy and other resources created as part of an Azure landing zone. DEFAULT VALUE = "alz"') param topLevelManagementGroupPrefix string = 'alz' @description('Optionally set the deployment location for policies with Deploy If Not Exists effect. DEFAULT VALUE = "deployment().location"')