Assign VM and Hybrid VM initiatives to Platform MG #435

Merged Nov 28, 2024 (34 commits; changes shown from 30 commits)
7a6e6eb
Testing assignment to Identity MG
Brunoga-MS Nov 18, 2024
aa6af8d
changing UAMI scope
Brunoga-MS Nov 18, 2024
fc8dab7
removing delayCount
Brunoga-MS Nov 18, 2024
c1a40d6
Added connectivity assignment for VM
Brunoga-MS Nov 18, 2024
16c4e0b
removing additional assignment
Brunoga-MS Nov 18, 2024
5a770bb
Added Identity and Connectivity assignments back
Brunoga-MS Nov 18, 2024
c593757
Removing ambaPolicyCompletion references and code
Brunoga-MS Nov 18, 2024
685d13a
Added ending comma removed by mistake
Brunoga-MS Nov 18, 2024
d8701ba
Removed extra comma
Brunoga-MS Nov 18, 2024
48bea8b
Assigning both VMs and Hybrid VMs alerts to Platform
Brunoga-MS Nov 20, 2024
e853cf3
Merge branch 'Azure:main' into Assign_VM_To_Identity
Brunoga-MS Nov 20, 2024
9c7879f
Fixed variable names to see different deployment names
Brunoga-MS Nov 20, 2024
a9fe284
Merge branch 'Assign_VM_To_Identity' of https://github.com/Brunoga-MS…
Brunoga-MS Nov 20, 2024
05ed49f
Added new remediation script that aligns with the naming convention of…
Brunoga-MS Nov 20, 2024
f2cfa8f
Aligned default value for AMBA-ALZ resource group and rebuilding poli…
Brunoga-MS Nov 20, 2024
33a8dcf
Updating policy set definitions' version
Brunoga-MS Nov 20, 2024
9d97538
Updating versions on missing files
Brunoga-MS Nov 20, 2024
1fc4613
moved unused script to a different folder before removing definitely
Brunoga-MS Nov 21, 2024
3dc8790
Merge branch 'Azure:main' into Assign_VM_To_Identity
Brunoga-MS Nov 22, 2024
520b61f
Merge branch 'Azure:main' into Assign_VM_To_Identity
Brunoga-MS Nov 26, 2024
7779ae8
Updating policySetDefinition version on LB
Brunoga-MS Nov 26, 2024
6eba19d
Merge branch 'Assign_VM_To_Identity' of https://github.com/Brunoga-MS…
Brunoga-MS Nov 26, 2024
c3fd5bb
Update templateHash and version in Network policy definition
Brunoga-MS Nov 26, 2024
e7bc645
Updating documentation to align with new assignments
Brunoga-MS Nov 26, 2024
c4915f8
Update version numbers and templateHash in both Recovery Services and…
Brunoga-MS Nov 26, 2024
b8520ec
Reverting maintenance script file
Brunoga-MS Nov 26, 2024
dc76f24
Adding alz-portal template to show Platform MG
Brunoga-MS Nov 26, 2024
77f3180
Merge branch 'Azure:main' into Assign_VM_To_Identity
Brunoga-MS Nov 26, 2024
a0ed04e
Updating BYOnotification page to point to the correct script
Brunoga-MS Nov 26, 2024
ba198f8
added missing variable to remediate policy procedure
Brunoga-MS Nov 26, 2024
b4c6d2e
changed the platform mg param to be required
Brunoga-MS Nov 27, 2024
140986c
fixing wrong platform mg assigned value
Brunoga-MS Nov 27, 2024
951bed7
Fixed issue with the removal deployments
Brunoga-MS Nov 27, 2024
95a0384
put a dependency from policySetDefinition deployment to ensure assign…
Brunoga-MS Nov 27, 2024
Expand Up @@ -60,6 +60,6 @@ Should customers decide to switch, it will be enough to:
- change the values in the parameter file to match one of the three cases previously discussed
- redeploy the ALZ pattern
- run the remediation for both [Notification Assets](https://raw.githubusercontent.com/Azure/azure-monitor-baseline-alerts/main/patterns/alz/policySetDefinitions/Deploy-Notification-Assets.json) and [Alerting-ServiceHealth](https://raw.githubusercontent.com/Azure/azure-monitor-baseline-alerts/main/patterns/alz/policySetDefinitions/Deploy-ServiceHealth-Alerts.json) policy initiatives
- remove notification assets deployed by ALZ patterns using the [**Remove-AMBANotificationAssets.ps1**](https://raw.githubusercontent.com/Azure/azure-monitor-baseline-alerts/main/patterns/alz/scripts/Remove-AMBANotificationAssets.ps1) script (_<b>***</b> only if moving from ALZ notification assets to BYON_)
- remove notification assets deployed by ALZ patterns using the [**Start-AMBA-ALZ-Maintenance.ps1**](https://raw.githubusercontent.com/Azure/azure-monitor-baseline-alerts/main/patterns/alz/scripts/Start-AMBA-ALZ-Maintenance.ps1) script (_<b>***</b> only if moving from ALZ notification assets to BYON_)

The code will reconfigure the Service Health alerts to use either the customer's action groups to the ALZ pattern notification assets according to the selected case.
The code will also reconfigure the Service Health alerts to use either the customer's action groups to the ALZ pattern notification assets according to the selected case.
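Review bot: Both versions of the closing sentence in this hunk read "to use either the customer's action groups to the ALZ pattern notification assets"; the "either ... to" construction should be "either ... or". Since the sentence is being touched anyway, fix it in the same change: "... to use either the customer's action groups or the ALZ pattern notification assets according to the selected case."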
5 changes: 4 additions & 1 deletion docs/content/patterns/alz/deploy/Remediate-Policies.md
Expand Up @@ -43,6 +43,7 @@ For convenience, assuming that the management hierarchy is fully aligned to ALZ,
```powershell
#Modify the following variables to match your environment
$pseudoRootManagementGroup = "The pseudo root management group id parenting the Platform and Landing Zones management groups"
$platformManagementGroup = "The management group id for Platform"
$identityManagementGroup = "The management group id for Identity"
$managementManagementGroup = "The management group id for Management"
$connectivityManagementGroup = "The management group id for Connectivity"
Expand All @@ -53,15 +54,17 @@ $LZManagementGroup="The management group id for Landing Zones"
#Run the following commands to initiate remediation
.\patterns\alz\scripts\Start-AMBARemediation.ps1 -managementGroupName $pseudoRootManagementGroup -policyName Notification-Assets
.\patterns\alz\scripts\Start-AMBARemediation.ps1 -managementGroupName $pseudoRootManagementGroup -policyName Alerting-ServiceHealth
.\patterns\alz\scripts\Start-AMBARemediation.ps1 -managementGroupName $platformManagementGroup -policyName Alerting-HybridVM
.\patterns\alz\scripts\Start-AMBARemediation.ps1 -managementGroupName $platformManagementGroup -policyName Alerting-VM
.\patterns\alz\scripts\Start-AMBARemediation.ps1 -managementGroupName $connectivityManagementGroup -policyName Alerting-Connectivity
.\patterns\alz\scripts\Start-AMBARemediation.ps1 -managementGroupName $identityManagementGroup -policyName Alerting-Identity
.\patterns\alz\scripts\Start-AMBARemediation.ps1 -managementGroupName $managementManagementGroup -policyName Alerting-Management
.\patterns\alz\scripts\Start-AMBARemediation.ps1 -managementGroupName $LZManagementGroup -policyName Alerting-KeyManagement
.\patterns\alz\scripts\Start-AMBARemediation.ps1 -managementGroupName $LZManagementGroup -policyName Alerting-LoadBalancing
.\patterns\alz\scripts\Start-AMBARemediation.ps1 -managementGroupName $LZManagementGroup -policyName Alerting-NetworkChanges
.\patterns\alz\scripts\Start-AMBARemediation.ps1 -managementGroupName $LZManagementGroup -policyName Alerting-RecoveryServices
.\patterns\alz\scripts\Start-AMBARemediation.ps1 -managementGroupName $LZManagementGroup -policyName Alerting-HybridVM
.\patterns\alz\scripts\Start-AMBARemediation.ps1 -managementGroupName $LZManagementGroup -policyName Alerting-Storage
.\patterns\alz\scripts\Start-AMBARemediation.ps1 -managementGroupName $LZManagementGroup -policyName Alerting-HybridVM
.\patterns\alz\scripts\Start-AMBARemediation.ps1 -managementGroupName $LZManagementGroup -policyName Alerting-VM
.\patterns\alz\scripts\Start-AMBARemediation.ps1 -managementGroupName $LZManagementGroup -policyName Alerting-Web
```
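Review bot: Alerting-HybridVM and Alerting-VM now appear twice in this block, once with $platformManagementGroup and once with $LZManagementGroup, and no comment in the script says why. Add a comment above the two Platform lines stating that these initiatives are assigned at both scopes and that each scope needs its own remediation run; otherwise the $LZManagementGroup lines read like leftovers. The $LZManagementGroup Alerting-HybridVM line was also moved from after Alerting-RecoveryServices to after Alerting-Storage, which is reordering unrelated to the Platform change and could be dropped from this diff.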
Expand Down
Binary file not shown.
Binary file not shown.
Binary file modified docs/content/patterns/alz/media/alz-management-groups-single.png
Binary file modified docs/content/patterns/alz/media/alz-management-groups.png
2 changes: 1 addition & 1 deletion patterns/alz/alz-portal.json
Expand Up @@ -274,7 +274,7 @@
"allowedValues": "[map(steps('Configuration').ManagementGroupAPI.value, (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
"required": false
},
"visible": false
"visible": true
},
{
"name": "enableAMBAIdentity",
Expand Down
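Review bot: The control switched to "visible": true keeps "required": false in its constraints two lines above. If this is the Platform management group selector, the new Platform assignments in alzArm.json build their scope from parameters('platformManagementGroup') with no fallback, so an empty selection would reach the template. Set "required" to true here so the portal blocks submission without a value.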
152 changes: 78 additions & 74 deletions patterns/alz/alzArm.json
Expand Up @@ -339,15 +339,6 @@
"description": "Provide the alert processing rule used for monitoring."
}
},
"delayCount": {
"type": "int",
"defaultValue": 1,
"minValue": 1,
"maxValue": 60,
"metadata": {
"description": "Configure the count of empty deployments used to introduce a delay after policy deployment. Used to increase reliability of deployment, but can be reduced when re-deploying to an existing environment."
}
},
"currentDateTimeUtcNow": {
"type": "string",
"defaultValue": "[utcNow()]",
Expand Down Expand Up @@ -560,7 +551,8 @@
"policySetDefinitionsDeploymentName": "[take(concat('amba-PolicySet', variables('deploymentSuffix')), 64)]",
"AMBAConnectivityDeploymentName": "[take(concat('amba-Connectivity', variables('deploymentSuffix')), 64)]",
"AMBAIdentityDeploymentName": "[take(concat('amba-Identity', variables('deploymentSuffix')), 64)]",
"AMBAHybridVMDeploymentName": "[take(concat('amba-HybridVM', variables('deploymentSuffix')), 64)]",
"AMBAHybridVMDeploymentNameLandingZones": "[take(concat('amba-HybridVM-LandingZones', variables('deploymentSuffix')), 64)]",
"AMBAHybridVMDeploymentNamePlatform": "[take(concat('amba-HybridVM-Platform', variables('deploymentSuffix')), 64)]",
"AMBAManagementDeploymentName": "[take(concat('amba-Management', variables('deploymentSuffix')), 64)]",
"AMBAServiceHealthDeploymentName": "[take(concat('amba-ServiceHealth', variables('deploymentSuffix')), 64)]",
"AMBANotificationAssetsDeploymentName": "[take(concat('amba-NotificationAssets', variables('deploymentSuffix')), 64)]",
Expand All @@ -569,7 +561,8 @@
"AMBANetworkChangesDeploymentName": "[take(concat('amba-NetworkChanges', variables('deploymentSuffix')), 64)]",
"AMBARecoveryServicesDeploymentName": "[take(concat('amba-RecoveryServices', variables('deploymentSuffix')), 64)]",
"AMBAStorageDeploymentName": "[take(concat('amba-Storage', variables('deploymentSuffix')), 64)]",
"AMBAVMDeploymentName": "[take(concat('amba-VM', variables('deploymentSuffix')), 64)]",
"AMBAVMDeploymentNameLandingZones": "[take(concat('amba-VM-LandingZones', variables('deploymentSuffix')), 64)]",
"AMBAVMDeploymentNamePlatform": "[take(concat('amba-VM-Platform', variables('deploymentSuffix')), 64)]",
"AMBAWebDeploymentName": "[take(concat('amba-Web', variables('deploymentSuffix')), 64)]",
"pidCuaDeploymentName": "[take(concat('amba-pid-', variables('cuaid'), '-' , uniqueString(deployment().location, parameters('enterpriseScaleCompanyPrefix'), parameters('currentDateTimeUtcNow'))), 64)]",
"pidCuaConnectivityDeploymentName": "[take(concat('amba-pid-Connectivity-', variables('cuaidConnectivity'), '-' , uniqueString(deployment().location, parameters('enterpriseScaleCompanyPrefix'), parameters('currentDateTimeUtcNow'))), 64)]",
Expand Down Expand Up @@ -996,34 +989,6 @@
}
}
},
// MARK: Delay
// Adding delay to ensure policy deployment is completed before policy assignments
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "[concat('amba-PreparingToLaunch', copyIndex())]",
"location": "[deployment().location]",
"scope": "[concat('Microsoft.Management/managementGroups/', parameters('enterpriseScaleCompanyPrefix'))]",
"dependsOn": [
"[variables('deploymentNames').policySetDefinitionsDeploymentName]"
],
"copy": {
"batchSize": 1,
"count": "[parameters('delayCount')]",
"mode": "Serial",
"name": "ambaPolicyCompletion"
},
"properties": {
"mode": "Incremental",
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {},
"resources": [],
"outputs": {}
}
}
},
// MARK: Assign Policies
// Assigning AMBA Connectivity PolicySet to the connectivity management group if condition is true
{
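Review bot: The removed amba-PreparingToLaunch resource was the only visible link between the assignments and the policy set definitions: it depended on policySetDefinitionsDeploymentName, and each assignment depended on it through "ambaPolicyCompletion". The assignment hunks that follow delete that dependsOn entry without adding a replacement, so in the lines shown nothing orders the assignments after the definitions exist. Add "[variables('deploymentNames').policySetDefinitionsDeploymentName]" to the dependsOn of every assignment deployment so ordering is explicit rather than left to timing.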
Expand All @@ -1033,9 +998,6 @@
"name": "[variables('deploymentNames').AMBAConnectivityDeploymentName]",
"scope": "[concat('Microsoft.Management/managementGroups/', parameters('connectivityManagementGroup'))]",
"location": "[deployment().location]",
"dependsOn": [
"ambaPolicyCompletion"
],
"properties": {
"mode": "Incremental",
"templateLink": {
Expand All @@ -1060,9 +1022,6 @@
"name": "[variables('deploymentNames').AMBAIdentityDeploymentName]",
"scope": "[concat('Microsoft.Management/managementGroups/', parameters('identityManagementGroup'))]",
"location": "[deployment().location]",
"dependsOn": [
"ambaPolicyCompletion"
],
"properties": {
"mode": "Incremental",
"templateLink": {
Expand All @@ -1088,7 +1047,6 @@
"scope": "[concat('Microsoft.Management/managementGroups/', parameters('managementManagementGroup'))]",
"location": "[deployment().location]",
"dependsOn": [
"ambaPolicyCompletion",
"[variables('deploymentNames').AMBAUamiRoleAssignmentDeploymentName]"
],
"properties": {
Expand Down Expand Up @@ -1121,9 +1079,6 @@
"name": "[variables('deploymentNames').AMBAServiceHealthDeploymentName]",
"scope": "[concat('Microsoft.Management/managementGroups/', parameters('enterpriseScaleCompanyPrefix'))]",
"location": "[deployment().location]",
"dependsOn": [
"ambaPolicyCompletion"
],
"properties": {
"mode": "Incremental",
"templateLink": {
Expand All @@ -1148,9 +1103,6 @@
"name": "[variables('deploymentNames').AMBANotificationAssetsDeploymentName]",
"scope": "[concat('Microsoft.Management/managementGroups/', parameters('enterpriseScaleCompanyPrefix'))]",
"location": "[deployment().location]",
"dependsOn": [
"ambaPolicyCompletion"
],
"properties": {
"mode": "Incremental",
"templateLink": {
Expand All @@ -1172,11 +1124,10 @@
"condition": "[equals(parameters('enableAMBAHybridVM'), 'Yes')]",
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "[variables('deploymentNames').AMBAHybridVMDeploymentName]",
"name": "[variables('deploymentNames').AMBAHybridVMDeploymentNameLandingZones]",
"scope": "[concat('Microsoft.Management/managementGroups/', parameters('LandingZoneManagementGroup'))]",
"location": "[deployment().location]",
"dependsOn": [
"ambaPolicyCompletion",
"[variables('deploymentNames').AMBAUamiRoleAssignmentDeploymentName]"
],
"properties": {
Expand Down Expand Up @@ -1204,6 +1155,42 @@
}
}
},
// Assigning AMBA HybridVM PolicySet to the Platform management group if condition is true
{
"condition": "[equals(parameters('enableAMBAHybridVM'), 'Yes')]",
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "[variables('deploymentNames').AMBAHybridVMDeploymentNamePlatform]",
"scope": "[concat('Microsoft.Management/managementGroups/', parameters('platformManagementGroup'))]",
"location": "[deployment().location]",
"dependsOn": [
"[variables('deploymentNames').AMBAUamiRoleAssignmentDeploymentName]"
],
"properties": {
"mode": "Incremental",
"templateLink": {
"contentVersion": "1.0.0.0",
"uri": "[variables('deploymentUris').AMBAHybridVMInitiative]"
},
"parameters": {
"topLevelManagementGroupPrefix": {
"value": "[parameters('enterpriseScaleCompanyPrefix')]"
},
"scope": {
"value": "[parameters('platformManagementGroup')]"
},
"uamiScope": {
"value": "[parameters('managementManagementGroup')]"
},
"bringYourOwnUserAssignedManagedIdentity": {
"value": "[parameters('bringYourOwnUserAssignedManagedIdentity')]"
},
"policyAssignmentParameters": {
"value": "[variables('policyAssignmentParametersHybridVM')]"
}
}
}
},
// Assigning AMBA Key Management PolicySet to the Landing Zone management group if condition is true
{
"condition": "[equals(parameters('enableAMBAKeyManagement'), 'Yes')]",
Expand All @@ -1212,9 +1199,6 @@
"name": "[variables('deploymentNames').AMBAKeyManagementDeploymentName]",
"scope": "[concat('Microsoft.Management/managementGroups/', parameters('LandingZoneManagementGroup'))]",
"location": "[deployment().location]",
"dependsOn": [
"ambaPolicyCompletion"
],
"properties": {
"mode": "Incremental",
"templateLink": {
Expand All @@ -1239,9 +1223,6 @@
"name": "[variables('deploymentNames').AMBALoadBalancingDeploymentName]",
"scope": "[concat('Microsoft.Management/managementGroups/', parameters('LandingZoneManagementGroup'))]",
"location": "[deployment().location]",
"dependsOn": [
"ambaPolicyCompletion"
],
"properties": {
"mode": "Incremental",
"templateLink": {
Expand All @@ -1266,9 +1247,6 @@
"name": "[variables('deploymentNames').AMBANetworkChangesDeploymentName]",
"scope": "[concat('Microsoft.Management/managementGroups/', parameters('LandingZoneManagementGroup'))]",
"location": "[deployment().location]",
"dependsOn": [
"ambaPolicyCompletion"
],
"properties": {
"mode": "Incremental",
"templateLink": {
Expand All @@ -1293,9 +1271,6 @@
"name": "[variables('deploymentNames').AMBARecoveryServicesDeploymentName]",
"scope": "[concat('Microsoft.Management/managementGroups/', parameters('LandingZoneManagementGroup'))]",
"location": "[deployment().location]",
"dependsOn": [
"ambaPolicyCompletion"
],
"properties": {
"mode": "Incremental",
"templateLink": {
Expand All @@ -1320,9 +1295,6 @@
"name": "[variables('deploymentNames').AMBAStorageDeploymentName]",
"scope": "[concat('Microsoft.Management/managementGroups/', parameters('LandingZoneManagementGroup'))]",
"location": "[deployment().location]",
"dependsOn": [
"ambaPolicyCompletion"
],
"properties": {
"mode": "Incremental",
"templateLink": {
Expand All @@ -1344,11 +1316,10 @@
"condition": "[equals(parameters('enableAMBAVM'), 'Yes')]",
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "[variables('deploymentNames').AMBAVMDeploymentName]",
"name": "[variables('deploymentNames').AMBAVMDeploymentNameLandingZones]",
"scope": "[concat('Microsoft.Management/managementGroups/', parameters('LandingZoneManagementGroup'))]",
"location": "[deployment().location]",
"dependsOn": [
"ambaPolicyCompletion",
"[variables('deploymentNames').AMBAUamiRoleAssignmentDeploymentName]"
],
"properties": {
Expand Down Expand Up @@ -1376,6 +1347,42 @@
}
}
},
// Assigning AMBA VM PolicySet to the Platform management group if condition is true
{
"condition": "[equals(parameters('enableAMBAVM'), 'Yes')]",
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "[variables('deploymentNames').AMBAVMDeploymentNamePlatform]",
"scope": "[concat('Microsoft.Management/managementGroups/', parameters('platformManagementGroup'))]",
"location": "[deployment().location]",
"dependsOn": [
"[variables('deploymentNames').AMBAUamiRoleAssignmentDeploymentName]"
],
"properties": {
"mode": "Incremental",
"templateLink": {
"contentVersion": "1.0.0.0",
"uri": "[variables('deploymentUris').AMBAVMInitiative]"
},
"parameters": {
"topLevelManagementGroupPrefix": {
"value": "[parameters('enterpriseScaleCompanyPrefix')]"
},
"scope": {
"value": "[parameters('platformManagementGroup')]"
},
"uamiScope": {
"value": "[parameters('managementManagementGroup')]"
},
"bringYourOwnUserAssignedManagedIdentity": {
"value": "[parameters('bringYourOwnUserAssignedManagedIdentity')]"
},
"policyAssignmentParameters": {
"value": "[variables('policyAssignmentParametersVM')]"
}
}
}
},
// Assigning AMBA Web PolicySet to the Landing Zone group if condition is true
{
"condition": "[equals(parameters('enableAMBAWeb'), 'Yes')]",
Expand All @@ -1384,9 +1391,6 @@
"name": "[variables('deploymentNames').AMBAWebDeploymentName]",
"scope": "[concat('Microsoft.Management/managementGroups/', parameters('LandingZoneManagementGroup'))]",
"location": "[deployment().location]",
"dependsOn": [
"ambaPolicyCompletion"
],
"properties": {
"mode": "Incremental",
"templateLink": {
Expand Down