Merge branch 'main' into vidbala/t3workload

Azure · Feb 22, 2022 · 1af7842 · 1af7842
2 parents 61fb904 + 199b986
commit 1af7842
Show file tree

Hide file tree

Showing 14 changed files with 4,005 additions and 26 deletions.
diff --git a/.azure-devops/prbuild/mlz-pr-sbom-pipelines.yml b/.azure-devops/prbuild/mlz-pr-sbom-pipelines.yml
@@ -0,0 +1,125 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
+# disable CI per:
+# https://docs.microsoft.com/en-us/azure/devops/pipelines/repos/github?view=azure-devops&tabs=yaml#disabling-the-ci-trigger
+trigger: none
+
+pr:
+  branches:
+    include:
+    - main
+
+pool:
+  vmImage: ubuntu-latest
+
+jobs:
+- job: shouldGenerateSbom
+  displayName: 'Determine if SBOM needs to be generated'
+  steps:
+  - checkout: self
+
+  - bash: |
+      only_manifest_files=(
+        _manifest/manifest.json
+        _manifest/manifest.json.sha256
+        _manifest/spdx_2.2/manifest.spdx.json
+        _manifest/spdx_2.2/manifest.spdx.json.sha256
+      )
+
+      the_last_diff=( $(git log -1 --no-merges --name-only --pretty="") )
+
+      echo "only manifest files:"
+      echo ${only_manifest_files[*]}
+      echo ""
+
+      echo "the last git diff:"
+      echo ${the_last_diff[*]}
+      echo ""
+
+      BUILD_SBOM=true
+
+      if [[ "${the_last_diff[*]}" == "${only_manifest_files[*]}" ]]; then
+          BUILD_SBOM=false
+          echo "These changes are just the manifest files."
+      fi
+
+      echo "##vso[task.setvariable variable=BUILD_SBOM;isOutput=true]$BUILD_SBOM"
+      echo "BUILD_SBOM is $BUILD_SBOM"
+    name: determineSbom
+    displayName: 'Determine if SBOM needs to be built'
+
+- job: generateSbom
+  dependsOn: shouldGenerateSbom
+  condition: eq(dependencies.shouldGenerateSbom.outputs['determineSbom.BUILD_SBOM'], 'true')
+  displayName: 'Generate SBOM'
+  steps:
+  - checkout: self
+    persistCredentials: true
+
+  - bash: |
+      if [[ "$(Build.Reason)" == "Manual" ]]; then
+        SOURCE_BRANCH=$(Build.SourceBranch)
+      elif [[ "$(Build.Reason)" == "PullRequest" ]]; then
+        SOURCE_BRANCH=$(System.PullRequest.SourceBranch)
+      else
+        echo "This pipeline can only be invoked manually or on PR."
+        echo "Exiting."
+        exit 1
+      fi
+      echo "The source branch is $SOURCE_BRANCH"
+      echo "##vso[task.setvariable variable=SOURCE_BRANCH;]$SOURCE_BRANCH"
+    displayName: 'Determine the branch name'
+
+  - bash: |
+      cd $(Build.SourcesDirectory)
+      rm -rf _manifest
+    displayName: 'Remove previous _manifest contents'
+
+  - bash: |
+      cd $(Build.SourcesDirectory)
+      cp -r .git $(Build.ArtifactStagingDirectory)
+      rm -rf .git
+    displayName: 'Temporarily move .git so it is not a part of the SBOM'
+
+  - task: AzureArtifacts.manifest-generator-task.manifest-generator-task.ManifestGeneratorTask@0
+    displayName: 'Generate SBOM'
+    inputs:
+      BuildComponentPath: '$(Build.SourcesDirectory)'
+      BuildDropPath: '$(Build.SourcesDirectory)'
+      PackageName: 'Mission LZ'
+      PackageVersion: '$(Build.BuildNumber)'
+      Verbosity: Verbose
+
+  - bash: |
+      cd $(Build.SourcesDirectory)
+      cat _manifest/manifest.json | jq . > temp.json \
+        && mv temp.json _manifest/manifest.json \
+        && rm -f temp.json
+      cat _manifest/spdx_2.2/manifest.spdx.json | jq . > temp.json \
+        && mv temp.json _manifest/spdx_2.2/manifest.spdx.json \
+        && rm -f temp.json
+    displayName: 'Pretty Print SBOM'
+
+  - bash: |
+      cd $(Build.ArtifactStagingDirectory)
+      cp -r .git $(Build.SourcesDirectory)
+      rm -rf .git
+    displayName: 'Restore .git so we can commit back to the source branch'
+
+  - bash: |
+      git config --global user.email "$BUILD_REQUESTEDFOREMAIL"
+      git config --global user.name "$BUILD_REQUESTEDFOR"
+      git checkout -t origin $(SOURCE_BRANCH)
+      git add '_manifest/*'
+      git status
+      git commit -m "Update Software Bill of Materials (SBOM)"
+      git push --set-upstream origin HEAD:$(SOURCE_BRANCH)
+    displayName: 'Commit SBOM changes back to source branch'
+
+  - task: PublishBuildArtifacts@1
+    displayName: 'Publish SBOM as Build Artifact'
+    inputs:
+      PathtoPublish: '$(Build.SourcesDirectory)/_manifest'
+      ArtifactName: 'drop'
+      publishLocation: 'Container'
diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile
@@ -16,6 +16,9 @@ ARG TFLINT_AZURERM=0.14.0
 # Azure CLI version
 ARG AZURE_CLI_VERSION=2.31.0-1~focal
 
+# Bicep version
+ARG BICEP_VERSION=v0.4.1272
+
 # Update distro (software-properties-common installs the add-apt-repository command)
 RUN apt-get update \
     && apt-get -y install --no-install-recommends apt-utils software-properties-common 2>&1 \
@@ -89,7 +92,7 @@ RUN AZ_REPO=$(lsb_release -cs) \
 RUN apt-get update && apt-get install -y azure-cli=${AZURE_CLI_VERSION}
 
 # Install Bicep
-RUN curl -Lo /usr/local/bin/bicep https://github.com/Azure/bicep/releases/latest/download/bicep-linux-x64 \
+RUN curl -Lo /usr/local/bin/bicep https://github.com/Azure/bicep/releases/download/${BICEP_VERSION}/bicep-linux-x64 \
     && chmod +x /usr/local/bin/bicep
 
 # Clean up

diff --git a/.github/workflows/validate-build-bicep.yml b/.github/workflows/validate-build-bicep.yml
@@ -2,12 +2,14 @@
 # Licensed under the MIT License.
 
 name: validate-build-bicep
-on: 
+on:
   pull_request:
     branches: [main]
-    paths: 
+    paths:
     - 'src/bicep/**'
     - '!src/bicep/**.md'
+env:
+  BICEP_VERSION: 'v0.4.1272'
 jobs:
   validate-build:
     runs-on: ubuntu-latest
@@ -18,6 +20,8 @@ jobs:
       - run: |
           git config user.name github-actions
           git config user.email [email protected]
+          az bicep install --version "$BICEP_VERSION"
+          az bicep version
           az bicep build --file src/bicep/mlz.bicep --outfile src/bicep/mlz.json
           if [[ $(git status --porcelain) ]]; then
             git add src/bicep/mlz.json

diff --git a/README.md b/README.md
@@ -61,12 +61,12 @@ You must have [Owner RBAC permissions](https://docs.microsoft.com/en-us/azure/ro
     cd missionlz
     ```
 
-1. Deploy Mission Landing Zone with the [`az deployment sub create`](https://docs.microsoft.com/en-us/cli/azure/deployment/sub?view=azure-cli-latest#az_deployment_sub_create) command. For a quickstart test deployment into the current AZ CLI subscription we suggest setting these parameters:
+1. Deploy Mission Landing Zone with the [`az deployment sub create`](https://docs.microsoft.com/en-us/cli/azure/deployment/sub?view=azure-cli-latest#az_deployment_sub_create) command. For a quickstart, we suggest a test deployment into the current AZ CLI subscription setting these parameters:
 
     - `--name`: (optional) The deployment name, which is visible in the Azure Portal under Subscription/Deployments.
     - `--location`: (required) The Azure region to store the deployment metadata.
     - `--template-file`: (required) The file path to the `mlz.bicep` template.
-    - `--parameters resourcePrefix=<value>`: (required) The `resourcePrefix` Bicep parameter is used to generate names for your resources. It is the only required parameter in the Bicep file. You can set it to any alphanumeric value that is between 3-10 characters. You can omit this parameter and the `az deployment sub create` command will prompt you to enter a value.
+    - `--parameters resourcePrefix=<value>`: (required) The `resourcePrefix` Bicep parameter is used to generate names for your resources. It is the only required parameter in the Bicep file. You can set it to any alphanumeric value (without whitespace) that is between 3-10 characters. You can omit this parameter and the `az deployment sub create` command will prompt you to enter a value.
 
     Here's an example: