Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Added AVD #844

Merged
merged 1 commit into from
Feb 7, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 0 additions & 1 deletion src/bicep/add-ons/AVD/README.md

This file was deleted.

21 changes: 21 additions & 0 deletions src/bicep/add-ons/azureVirtualDesktop/LICENSE
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
MIT License

Copyright (c) 2023 Jason Masten

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
32 changes: 32 additions & 0 deletions src/bicep/add-ons/azureVirtualDesktop/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,32 @@
# Azure Virtual Desktop Solution

[**Home**](./README.md) | [**Features**](./docs/features.md) | [**Design**](./docs/design.md) | [**Prerequisites**](./docs/prerequisites.md) | [**Troubleshooting**](./docs/troubleshooting.md)

This Azure Virtual Desktop (AVD) solution will deploy a fully operational [stamp](https://learn.microsoft.com/azure/architecture/patterns/deployment-stamp) in an Azure subscription adhereing to the [Zero Trust principles](https://learn.microsoft.com/security/zero-trust/azure-infrastructure-avd). Many of the [common features](./docs/features.md) used with AVD have been automated in this solution for your convenience. Be sure to complete the necessary [prerequisites](./docs/prerequisites.md) and to review the parameter descriptions to the understand the consequences of your selections.

## Deployment Options

> [!WARNING]
> Failure to complete the [prerequisites](./docs/prerequisites.md) will result in an unsuccessful deployment.

### Azure Portal

[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#blade/Microsoft_Azure_CreateUIDef/CustomDeploymentBlade/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fjamasten%2FAzureVirtualDesktop%2Fmain%2Fsolution.json/uiFormDefinitionUri/https%3A%2F%2Fraw.githubusercontent.com%2Fjamasten%2FAzureVirtualDesktop%2Fmain%2FuiDefinition.json)
[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#blade/Microsoft_Azure_CreateUIDef/CustomDeploymentBlade/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fjamasten%2FAzureVirtualDesktop%2Fmain%2Fsolution.json/uiFormDefinitionUri/https%3A%2F%2Fraw.githubusercontent.com%2Fjamasten%2FAzureVirtualDesktop%2Fmain%2FuiDefinition.json)

### PowerShell

````powershell
New-AzDeployment `
-Location '<Azure location>' `
-TemplateFile 'https://raw.githubusercontent.com/jamasten/AzureVirtualDesktop/main/solution.json' `
-Verbose
````

### Azure CLI

````cli
az deployment sub create \
--location '<Azure location>' \
--template-uri 'https://raw.githubusercontent.com/jamasten/AzureVirtualDesktop/main/solution.json'
````
260 changes: 260 additions & 0 deletions src/bicep/add-ons/azureVirtualDesktop/artifacts/Get-Validations.ps1
Original file line number Diff line number Diff line change
@@ -0,0 +1,260 @@
[Cmdletbinding()]
Param(
[parameter(Mandatory)]
[string]
$ActiveDirectorySolution,

[parameter(Mandatory)]
[int]
$CpuCountMax,

[parameter(Mandatory)]
[int]
$CpuCountMin,

[parameter(Mandatory)]
[string]
$DomainName,

[parameter(Mandatory)]
[string]
$Environment,

[parameter(Mandatory)]
[string]
$ImageDefinitionResourceId,

[parameter(Mandatory)]
[string]
$Location,

[parameter(Mandatory)]
[int]
$SessionHostCount,

[parameter(Mandatory)]
[string]
$StorageService,

[parameter(Mandatory)]
[string]
$SubscriptionId,

[parameter(Mandatory)]
[string]
$TenantId,

[parameter(Mandatory)]
[string]
$UserAssignedIdentityClientId,

[parameter(Mandatory)]
[string]
$VirtualMachineSize,

[parameter(Mandatory)]
[string]
$VirtualNetworkName,

[parameter(Mandatory)]
[string]
$VirtualNetworkResourceGroupName,

[parameter(Mandatory)]
[string]
$WorkspaceNamePrefix,

[parameter(Mandatory)]
[string]
$WorkspaceResourceGroupName
)

function Write-Log
{
param(
[parameter(Mandatory)]
[string]$Message,

[parameter(Mandatory)]
[string]$Type
)
$Path = 'C:\cse.txt'
if(!(Test-Path -Path $Path))
{
New-Item -Path 'C:\' -Name 'cse.txt' | Out-Null
}
$Timestamp = Get-Date -Format 'MM/dd/yyyy HH:mm:ss.ff'
$Entry = '[' + $Timestamp + '] [' + $Type + '] ' + $Message
$Entry | Out-File -FilePath $Path -Append
}

$ErrorActionPreference = 'Stop'
$WarningPreference = 'SilentlyContinue'

try
{
Connect-AzAccount -Environment $Environment -Tenant $TenantId -Subscription $SubscriptionId -Identity -AccountId $UserAssignedIdentityClientId | Out-Null
$Sku = Get-AzComputeResourceSku -Location $Location | Where-Object {$_.ResourceType -eq "virtualMachines" -and $_.Name -eq $VirtualMachineSize}

##############################################################
# Accelerated Networking Validation
##############################################################
$AcceleratedNetworking = ($Sku.capabilities | Where-Object {$_.name -eq "AcceleratedNetworkingEnabled"}).value
Write-Log -Message "Accelerated Networking Validation Succeeded" -Type 'INFO'

##############################################################
# Availability Zone Validation
##############################################################
$AvailabilityZones = $Sku.locationInfo.zones | Sort-Object
Write-Log -Message "Availability Zone Validation Succeeded" -Type 'INFO'

##############################################################
# Azure NetApp Files Validation
##############################################################
if($StorageService -eq 'AzureNetAppFiles')
{
$Vnet = Get-AzVirtualNetwork -Name $VirtualNetworkName -ResourceGroupName $VirtualNetworkResourceGroupName
$DnsServers = $Vnet.DhcpOptions.DnsServers -join ','
$SubnetId = ($Vnet.Subnets | Where-Object {$_.Delegations[0].ServiceName -eq "Microsoft.NetApp/volumes"}).Id
if($null -eq $SubnetId -or $SubnetId -eq "")
{
Write-Error -Exception "INVALID AZURE NETAPP FILES CONFIGURATION: A dedicated subnet must be delegated to the ANF resource provider."
}
$DeployAnfAd = "true"
$Accounts = Get-AzResource -ResourceType "Microsoft.NetApp/netAppAccounts" | Where-Object {$_.Location -eq $Location}
if($Accounts.Count -gt 0)
{
$AnfAdCounter = 0
foreach($Account in $Accounts)
{
$Params = @{
ResourceGroupName = $Account.ResourceGroupName
ResourceProviderName = 'Microsoft.NetApp'
ResourceType = 'netAppAccounts'
Name = $Account.Name
ApiVersion = '2023-07-01'
Method = 'GET'
}
$AD = ((Invoke-AzRestMethod @Params).Content | ConvertFrom-Json).properties.activeDirectories.activeDirectoryId
if($AD)
{
$AnfAdCounter++
}
}
if($AnfAdCounter -gt 0)
{
$DeployAnfAd = "false"
}
}
Write-Log -Message "Azure NetApp Files Validation Succeeded" -Type 'INFO'
}

##############################################################
# Disk SKU Validation
##############################################################
if(($Sku.capabilities | Where-Object {$_.name -eq "PremiumIO"}).value -eq $false)
{
Write-Error -Exception "INVALID DISK SKU: The selected VM Size does not support the Premium SKU for managed disks."
}
Write-Log -Message "Disk SKU Validation Succeeded" -Type 'INFO'

##############################################################
# Hyper-V Generation Validation
##############################################################
if(($Sku.capabilities | Where-Object {$_.name -eq "HyperVGenerations"}).value -notlike "*2")
{
Write-Error -Exception "INVALID HYPER-V GENERATION: The selected VM size does not support the selected Image Sku."
}
Write-Log -Message "Hyper-V Generation Validation Succeeded" -Type 'INFO'

##############################################################
# Kerberos Encryption Validation
##############################################################
if($ActiveDirectorySolution -eq 'MicrosoftEntraDomainServices')
{
$KerberosRc4Encryption = (Get-AzResource -Name $DomainName -ExpandProperties).Properties.domainSecuritySettings.kerberosRc4Encryption
if($KerberosRc4Encryption -eq "Enabled")
{
Write-Error -Exception "INVALID KERBEROS ENCRYPTION: The Kerberos Encryption on Azure AD DS does not match your Kerberos Encyrption selection."
}
Write-Log -Message "Kerberos Encryption Validation Succeeded" -Type 'INFO'
}

##############################################################
# Trusted Launch Validation
##############################################################
# Validates the VM Size does not have Trusted Launch disabled and has Hyper-V Generation enabled
# https://learn.microsoft.com/azure/virtual-machines/trusted-launch-faq?tabs=PowerShell#how-can-i-find-vm-sizes-that-support-trusted-launch
$TrustedLaunchDisabled = $Sku.Capabilities | Where-Object {$_.Name -eq "TrustedLaunchDisabled"} | Select-Object -ExpandProperty Value
$HyperVGeneration = $Sku.Capabilities | Where-Object {$_.Name -eq "HyperVGenerations"} | Select-Object -ExpandProperty Value

if($TrustedLaunchDisabled -or $HyperVGeneration -eq "V1")
{
Write-Error -Exception "INVALID TRUSTED LAUNCH: The selected VM Size does not support Trusted Launch."
}

# Validates the custom image if applicable
# https://learn.microsoft.com/en-us/azure/virtual-machines/trusted-launch-faq?tabs=PowerShell#how-can-i-validate-if-os-image-supports-trusted-launch
if($ImageDefinitionResourceId -ne 'NotApplicable')
{
$ImageDefinition = Get-AzGalleryImageDefinition -ResourceId $ImageDefinitionResourceId
$SecurityType = ($ImageDefinition.Features | Where-Object {$_.Name -eq 'SecurityType'}).Value
$HyperVGeneration = $ImageDefinition.HyperVGeneration
if($SecurityType -notlike "*TrustedLaunch*" -or $HyperVGeneration -notlike "*V2*")
{
Write-Error -Exception "INVALID TRUSTED LAUNCH: The selected Image Definition does not support Trusted Launch."
}
}
Write-Log -Message "Trusted Launch Validation Succeeded" -Type 'INFO'


##############################################################
# vCPU Count Validation
##############################################################
# Recommended minimum vCPU is 4 for multisession hosts and 2 for single session hosts.
# Recommended maximum vCPU is 32 for multisession hosts and 128 for single session hosts.
# https://learn.microsoft.com/windows-server/remote/remote-desktop-services/virtual-machine-recs
$vCPUs = [int]($Sku.capabilities | Where-Object {$_.name -eq "vCPUs"}).value
if($vCPUs -lt $CpuCountMin -or $vCPUs -gt $CpuCountMax)
{
Write-Error -Exception "INVALID VCPU COUNT: The selected VM Size does not contain the appropriate amount of vCPUs for Azure Virtual Desktop. https://learn.microsoft.com/windows-server/remote/remote-desktop-services/virtual-machine-recs"
}
Write-Log -Message "vCPU Count Validation Succeeded" -Type 'INFO'

##############################################################
# vCPU Quota Validation
##############################################################
$RequestedCores = $vCPUs * $SessionHostCount
$Family = (Get-AzComputeResourceSku -Location $Location | Where-Object {$_.Name -eq $VirtualMachineSize}).Family
$CpuData = Get-AzVMUsage -Location $Location | Where-Object {$_.Name.Value -eq $Family}
$AvailableCores = $CpuData.Limit - $CpuData.CurrentValue; $RequestedCores = $vCPUs * $SessionHostCount
if($RequestedCores -gt $AvailableCores)
{
Write-Error -Exception "INSUFFICIENT CORE QUOTA: The selected VM size, $VirtualMachineSize, does not have adequate core quota in the selected location."
}
Write-Log -Message "vCPU Quota Validation Succeeded" -Type 'INFO'

##############################################################
# AVD Workspace Validation
##############################################################
$Workspace = Get-AzResource -ResourceGroupName $WorkspaceResourceGroupName -ResourceName $($WorkspaceNamePrefix + '-feed')
Write-Log -Message "Existing Workspace Validation Succeeded" -Type 'INFO'

Disconnect-AzAccount | Out-Null

$Output = [pscustomobject][ordered]@{
acceleratedNetworking = $AcceleratedNetworking.ToLower()
anfDnsServers = if($StorageService -eq "AzureNetAppFiles"){$DnsServers}else{"NotApplicable"}
anfSubnetId = if($StorageService -eq "AzureNetAppFiles"){$SubnetId}else{"NotApplicable"}
anfActiveDirectory = if($StorageService -eq "AzureNetAppFiles"){$DeployAnfAd}else{"false"}
availabilityZones = $AvailabilityZones
existingWorkspace = if($Workspace){"true"}else{"false"}
}
$JsonOutput = $Output | ConvertTo-Json
return $JsonOutput
}
catch
{
Write-Log -Message $_ -Type 'ERROR'
throw
}
Original file line number Diff line number Diff line change
@@ -0,0 +1,43 @@
[Cmdletbinding()]
Param(
[parameter(Mandatory)]
[string]
$Installer
)

function Write-Log
{
param(
[parameter(Mandatory)]
[string]$Message,

[parameter(Mandatory)]
[string]$Type
)
$Path = 'C:\cse.txt'
if(!(Test-Path -Path $Path))
{
New-Item -Path 'C:\' -Name 'cse.txt' | Out-Null
}
$Timestamp = Get-Date -Format 'MM/dd/yyyy HH:mm:ss.ff'
$Entry = '[' + $Timestamp + '] [' + $Type + '] ' + $Message
$Entry | Out-File -FilePath $Path -Append
}

$ErrorActionPreference = 'Stop'
$WarningPreference = 'SilentlyContinue'

try
{
Start-Process -FilePath 'msiexec.exe' -ArgumentList "/i $Installer /quiet /qn /norestart /passive" -Wait -Passthru | Out-Null
Write-Log -Message 'Installed Azure PowerShell AZ Module' -Type 'INFO'
$Output = [pscustomobject][ordered]@{
installer = $Installer
}
$Output | ConvertTo-Json
}
catch
{
Write-Log -Message $_ -Type 'ERROR'
throw
}
Loading
Loading