diff --git a/.github/actions/templates/avm-validateModuleDeployment/action.yml b/.github/actions/templates/avm-validateModuleDeployment/action.yml
index f73968f350..715a2f642b 100644
--- a/.github/actions/templates/avm-validateModuleDeployment/action.yml
+++ b/.github/actions/templates/avm-validateModuleDeployment/action.yml
@@ -208,6 +208,7 @@ runs:
 AdditionalParameters = @{}
 }
 
+ # Add custom parameters as needed
 if($moduleTemplatePossibleParameters -contains 'resourceLocation') {
 $functionInput.AdditionalParameters += @{
 resourceLocation = '${{ steps.get-resource-location.outputs.resourceLocation }}'
@@ -219,6 +220,24 @@ runs:
 }
 }
 
+ # Fetch & add custom secrets, if any
+ # -----------------------------------
+ $keyVaultName = "${{ env.CI_KEY_VAULT_NAME }}"
+ if(-not [String]::IsNullOrEmpty($keyVaultName)) {
+ # Note: This action requires at least 'Key Vault Secrets User' permissions
+ $customKeyVaultSecrets = Get-AzKeyVaultSecret -VaultName $keyVaultName | Where-Object { $_.Name -match '^CI-.+' }
+
+ foreach($customSecret in $customKeyVaultSecrets) {
+ $formattedName = $customSecret.Name -replace '^CI-' # e.g. 'CI-mySecret' -> 'mySecret'
+ if($moduleTemplatePossibleParameters -contains $formattedName) {
+ Write-Verbose ('Setting value for parameter [{0}]' -f $formattedName) -Verbose
+ $functionInput.AdditionalParameters += @{
+ $formattedName = (Get-AzKeyVaultSecret -VaultName $keyVaultName -Name $customSecret.Name).SecretValue
+ }
+ }
+ }
+ }
+
 Write-Verbose 'Invoke task with' -Verbose
 Write-Verbose ($functionInput | ConvertTo-Json | Out-String) -Verbose
 
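Review bot: The key written into `$functionInput.AdditionalParameters` in the hunk at line 220 is the secret name with its prefix stripped, not the template's own parameter spelling, so a secret named `CI-BackupManagementServiceEnterpriseApplicationObjectId` is passed as `BackupManagementServiceEnterpriseApplicationObjectId` while the template declares `backupManagementServiceEnterpriseApplicationObjectId`; PowerShell's `-contains` and ARM parameter names are case-insensitive so this works, but taking the matched entry from `$moduleTemplatePossibleParameters` (e.g. `$templateParamName = $moduleTemplatePossibleParameters | Where-Object { $_ -ieq $formattedName } | Select-Object -First 1`) would keep the deployment input identical to the template. The listing call also returns disabled secrets, and the per-name fetch on the following lines would presumably fail for those rather than skip them; filtering with `Where-Object { $_.Enabled -and $_.Name -match '^CI-.+' }` makes the loop tolerant of that. The same block is repeated verbatim in the hunk at line 299 of this file, so a fix applies to both. Reading the vault name as `$env:CI_KEY_VAULT_NAME` instead of interpolating `${{ env.CI_KEY_VAULT_NAME }}` into the script body would follow GitHub's guidance to keep expression values out of inline scripts, for both copies.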
@@ -280,6 +299,24 @@ runs:
 }
 }
 
+ # Fetch & add custom secrets, if any
+ # -----------------------------------
+ $keyVaultName = "${{ env.CI_KEY_VAULT_NAME }}"
+ if(-not [String]::IsNullOrEmpty($keyVaultName)) {
+ # Note: This action requires at least 'Key Vault Secrets User' permissions
+ $customKeyVaultSecrets = Get-AzKeyVaultSecret -VaultName $keyVaultName | Where-Object { $_.Name -match '^CI-.+' }
+
+ foreach($customSecret in $customKeyVaultSecrets) {
+ $formattedName = $customSecret.Name -replace '^CI-' # e.g. 'CI-mySecret' -> 'mySecret'
+ if($moduleTemplatePossibleParameters -contains $formattedName) {
+ Write-Verbose ('Setting value for parameter [{0}]' -f $formattedName) -Verbose
+ $functionInput.AdditionalParameters += @{
+ $formattedName = (Get-AzKeyVaultSecret -VaultName $keyVaultName -Name $customSecret.Name).SecretValue
+ }
+ }
+ }
+ }
+
 Write-Verbose 'Invoke task with' -Verbose
 Write-Verbose ($functionInput | ConvertTo-Json | Out-String) -Verbose
 
diff --git a/.github/workflows/avm.template.module.yml b/.github/workflows/avm.template.module.yml
index efb117c5f6..55bbbc0abd 100644
--- a/.github/workflows/avm.template.module.yml
+++ b/.github/workflows/avm.template.module.yml
@@ -25,6 +25,7 @@ env:
 ARM_MGMTGROUP_ID: "${{ secrets.ARM_MGMTGROUP_ID }}"
 ARM_TENANT_ID: "${{ secrets.ARM_TENANT_ID }}"
 TOKEN_NAMEPREFIX: "${{ secrets.TOKEN_NAMEPREFIX }}"
+ CI_KEY_VAULT_NAME: "${{ vars.CI_KEY_VAULT_NAME }}"
 
 jobs:
 #########################
diff --git a/avm/res/compute/virtual-machine/tests/e2e/linux.max/main.test.bicep b/avm/res/compute/virtual-machine/tests/e2e/linux.max/main.test.bicep
index d52c494855..248bc72f56 100644
--- a/avm/res/compute/virtual-machine/tests/e2e/linux.max/main.test.bicep
+++ b/avm/res/compute/virtual-machine/tests/e2e/linux.max/main.test.bicep
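Review bot: The new `CI_KEY_VAULT_NAME` entry in the `env:` hunk is the only place the variable is declared, yet nothing states that it is optional or what the action does with it, unlike the surrounding secret-backed entries whose names are self-explanatory. A one-line comment above it would spare the next maintainer a trip into the action template: `# Optional. Configuration variable naming the Key Vault whose 'CI-' prefixed secrets are mapped onto matching test-template parameters; leave unset to skip the lookup`.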
@@ -20,6 +20,10 @@ param serviceShort string = 'cvmlinmax'
 @description('Optional. A token to inject into the name of each resource.')
 param namePrefix string = '#_namePrefix_#'
 
+@description('Required. The object id of the Backup Management Service Enterprise Application. This value is tenant-specific and must be stored in the CI Key Vault in a secret named \'CI-BackupManagementServiceEnterpriseApplicationObjectId\'.')
+@secure()
+param backupManagementServiceEnterpriseApplicationObjectId string
+
 // ============ //
 // Dependencies //
 // ============ //
@@ -47,7 +51,7 @@ module nestedDependencies 'dependencies.bicep' = {
 sshDeploymentScriptName: 'dep-${namePrefix}-ds-${serviceShort}'
 sshKeyName: 'dep-${namePrefix}-ssh-${serviceShort}'
 dcrName: 'dep-${namePrefix}-dcr-${serviceShort}'
- backupManagementServiceApplicationObjectId: 'be766fc3-eac4-4627-b8f5-298e35c8aea4' // Tenant-specific Backup Management Service Enterprise Application Object Id
+ backupManagementServiceApplicationObjectId: backupManagementServiceEnterpriseApplicationObjectId
 logAnalyticsWorkspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
 }
 }
diff --git a/avm/res/compute/virtual-machine/tests/e2e/waf-aligned/main.test.bicep b/avm/res/compute/virtual-machine/tests/e2e/waf-aligned/main.test.bicep
index e12caa5c22..c2c0f9afa4 100644
--- a/avm/res/compute/virtual-machine/tests/e2e/waf-aligned/main.test.bicep
+++ b/avm/res/compute/virtual-machine/tests/e2e/waf-aligned/main.test.bicep
@@ -24,6 +24,10 @@ param password string = newGuid()
 @description('Optional. A token to inject into the name of each resource.')
 param namePrefix string = '#_namePrefix_#'
 
+@description('Required. The object id of the Backup Management Service Enterprise Application. This value is tenant-specific and must be stored in the CI Key Vault in a secret named \'CI-BackupManagementServiceEnterpriseApplicationObjectId\'.')
+@secure()
+param backupManagementServiceEnterpriseApplicationObjectId string
+
 // ============ //
 // Dependencies //
 // ============ //
@@ -50,7 +54,7 @@ module nestedDependencies 'dependencies.bicep' = {
 storageAccountName: 'dep${namePrefix}sa${serviceShort}01'
 storageUploadDeploymentScriptName: 'dep-${namePrefix}-sads-${serviceShort}'
 proximityPlacementGroupName: 'dep-${namePrefix}-ppg-${serviceShort}'
- backupManagementServiceApplicationObjectId: 'be766fc3-eac4-4627-b8f5-298e35c8aea4' // Tenant-specific Backup Management Service Enterprise Application Object Id
+ backupManagementServiceApplicationObjectId: backupManagementServiceEnterpriseApplicationObjectId
 dcrName: 'dep-${namePrefix}-dcr-${serviceShort}'
 logAnalyticsWorkspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
 }
diff --git a/avm/res/compute/virtual-machine/tests/e2e/windows.max/main.test.bicep b/avm/res/compute/virtual-machine/tests/e2e/windows.max/main.test.bicep
index 62a7fd077f..ef5aef28f6 100644
--- a/avm/res/compute/virtual-machine/tests/e2e/windows.max/main.test.bicep
+++ b/avm/res/compute/virtual-machine/tests/e2e/windows.max/main.test.bicep
@@ -24,6 +24,10 @@ param password string = newGuid()
 @description('Optional. A token to inject into the name of each resource.')
 param namePrefix string = '#_namePrefix_#'
 
+@description('Required. The object id of the Backup Management Service Enterprise Application. This value is tenant-specific and must be stored in the CI Key Vault in a secret named \'CI-BackupManagementServiceEnterpriseApplicationObjectId\'.')
+@secure()
+param backupManagementServiceEnterpriseApplicationObjectId string
+
 // ============ //
 // Dependencies //
 // ============ //
@@ -49,7 +53,7 @@ module nestedDependencies 'dependencies.bicep' = {
 storageAccountName: 'dep${namePrefix}sa${serviceShort}01'
 storageUploadDeploymentScriptName: 'dep-${namePrefix}-sads-${serviceShort}'
 proximityPlacementGroupName: 'dep-${namePrefix}-ppg-${serviceShort}'
- backupManagementServiceApplicationObjectId: 'be766fc3-eac4-4627-b8f5-298e35c8aea4' // Tenant-specific Backup Management Service Enterprise Application Object Id
+ backupManagementServiceApplicationObjectId: backupManagementServiceEnterpriseApplicationObjectId
 dcrName: 'dep-${namePrefix}-dcr-${serviceShort}'
 logAnalyticsWorkspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
 }
diff --git a/avm/res/databricks/workspace/tests/e2e/max/main.test.bicep b/avm/res/databricks/workspace/tests/e2e/max/main.test.bicep
index da9e093759..7f696b9c29 100644
--- a/avm/res/databricks/workspace/tests/e2e/max/main.test.bicep
+++ b/avm/res/databricks/workspace/tests/e2e/max/main.test.bicep
@@ -23,6 +23,10 @@ param baseTime string = utcNow('u')
 @description('Optional. A token to inject into the name of each resource.')
 param namePrefix string = '#_namePrefix_#'
 
+@description('Required. The object id of the AzureDatabricks Enterprise Application. This value is tenant-specific and must be stored in the CI Key Vault in a secret named \'CI-AzureDatabricksEnterpriseApplicationObjectId\'.')
+@secure()
+param azureDatabricksEnterpriseApplicationObjectId string
+
 // ============ //
 // Dependencies //
 // ============ //
@@ -47,7 +51,7 @@ module nestedDependencies 'dependencies.bicep' = {
 storageAccountName: 'dep${namePrefix}sa${serviceShort}'
 virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
 networkSecurityGroupName: 'dep-${namePrefix}-nsg-${serviceShort}'
- databricksApplicationObjectId: '711330f9-cfad-4b10-a462-d82faa92027d' // Tenant-specific 'AzureDatabricks' Enterprise Application Object Id
+ databricksApplicationObjectId: azureDatabricksEnterpriseApplicationObjectId
 keyVaultDiskName: 'dep-${namePrefix}-kve-${serviceShort}-${substring(uniqueString(baseTime), 0, 3)}' // Adding base time to make the name unique as purge protection must be enabled (but may not be longer than 24 characters total)
 keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}-${substring(uniqueString(baseTime), 0, 3)}'
 
diff --git a/avm/res/databricks/workspace/tests/e2e/waf-aligned/main.test.bicep b/avm/res/databricks/workspace/tests/e2e/waf-aligned/main.test.bicep
index 5211c6b795..b841659c89 100644
--- a/avm/res/databricks/workspace/tests/e2e/waf-aligned/main.test.bicep
+++ b/avm/res/databricks/workspace/tests/e2e/waf-aligned/main.test.bicep
@@ -23,6 +23,10 @@ param baseTime string = utcNow('u')
 @description('Optional. A token to inject into the name of each resource.')
 param namePrefix string = '#_namePrefix_#'
 
+@description('Required. The object id of the AzureDatabricks Enterprise Application. This value is tenant-specific and must be stored in the CI Key Vault in a secret named \'CI-AzureDatabricksEnterpriseApplicationObjectId\'.')
+@secure()
+param azureDatabricksEnterpriseApplicationObjectId string
+
 // ============ //
 // Dependencies //
 // ============ //
@@ -47,7 +51,7 @@ module nestedDependencies 'dependencies.bicep' = {
 storageAccountName: 'dep${namePrefix}sa${serviceShort}'
 virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
 networkSecurityGroupName: 'dep-${namePrefix}-nsg-${serviceShort}'
- databricksApplicationObjectId: '711330f9-cfad-4b10-a462-d82faa92027d' // Tenant-specific 'AzureDatabricks' Enterprise Application Object Id
+ databricksApplicationObjectId: azureDatabricksEnterpriseApplicationObjectId
 keyVaultDiskName: 'dep-${namePrefix}-kve-${serviceShort}-${substring(uniqueString(baseTime), 0, 3)}' // Adding base time to make the name unique as purge protection must be enabled (but may not be longer than 24 characters total)
 keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}-${substring(uniqueString(baseTime), 0, 3)}'
 
diff --git a/avm/res/managed-services/registration-definition/README.md b/avm/res/managed-services/registration-definition/README.md
index 51a35a1643..8802eff657 100644
--- a/avm/res/managed-services/registration-definition/README.md
+++ b/avm/res/managed-services/registration-definition/README.md
@@ -62,7 +62,7 @@ module registrationDefinition 'br/public:avm/res/managed-services/registration-d
 roleDefinitionId: '91c1777a-f3dc-4fae-b103-61d183457e46'
 }
 ]
- managedByTenantId: '449fbe1d-9c99-4509-9014-4fd5cf25b014'
+ managedByTenantId: ''
 name: 'Component Validation - msrdmin Subscription assignment'
 registrationDescription: 'Managed by Lighthouse'
 // Non-required parameters
@@ -97,7 +97,7 @@ module registrationDefinition 'br/public:avm/res/managed-services/registration-d
 ]
 },
 "managedByTenantId": {
- "value": "449fbe1d-9c99-4509-9014-4fd5cf25b014"
+ "value": ""
 },
 "name": {
 "value": "Component Validation - msrdmin Subscription assignment"
@@ -149,7 +149,7 @@ module registrationDefinition 'br/public:avm/res/managed-services/registration-d
 roleDefinitionId: '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9'
 }
 ]
- managedByTenantId: '449fbe1d-9c99-4509-9014-4fd5cf25b014'
+ managedByTenantId: ''
 name: 'Component Validation - msrdmax Subscription assignment'
 registrationDescription: 'Managed by Lighthouse'
 // Non-required parameters
@@ -194,7 +194,7 @@ module registrationDefinition 'br/public:avm/res/managed-services/registration-d
 ]
 },
 "managedByTenantId": {
- "value": "449fbe1d-9c99-4509-9014-4fd5cf25b014"
+ "value": ""
 },
 "name": {
 "value": "Component Validation - msrdmax Subscription assignment"
@@ -240,7 +240,7 @@ module registrationDefinition 'br/public:avm/res/managed-services/registration-d
 roleDefinitionId: '91c1777a-f3dc-4fae-b103-61d183457e46'
 }
 ]
- managedByTenantId: '449fbe1d-9c99-4509-9014-4fd5cf25b014'
+ managedByTenantId: ''
 name: 'Component Validation - msrdrg Subscription assignment'
 registrationDescription: 'Managed by Lighthouse'
 // Non-required parameters
@@ -277,7 +277,7 @@ module registrationDefinition 'br/public:avm/res/managed-services/registration-d
 ]
 },
 "managedByTenantId": {
- "value": "449fbe1d-9c99-4509-9014-4fd5cf25b014"
+ "value": ""
 },
 "name": {
 "value": "Component Validation - msrdrg Subscription assignment"
@@ -326,7 +326,7 @@ module registrationDefinition 'br/public:avm/res/managed-services/registration-d
 roleDefinitionId: '91c1777a-f3dc-4fae-b103-61d183457e46'
 }
 ]
- managedByTenantId: '449fbe1d-9c99-4509-9014-4fd5cf25b014'
+ managedByTenantId: ''
 name: 'Component Validation - msrdwaf Subscription assignment'
 registrationDescription: 'Managed by Lighthouse'
 // Non-required parameters
@@ -362,7 +362,7 @@ module registrationDefinition 'br/public:avm/res/managed-services/registration-d
 ]
 },
 "managedByTenantId": {
- "value": "449fbe1d-9c99-4509-9014-4fd5cf25b014"
+ "value": ""
 },
 "name": {
 "value": "Component Validation - msrdwaf Subscription assignment"
diff --git a/avm/res/managed-services/registration-definition/tests/e2e/defaults/main.test.bicep b/avm/res/managed-services/registration-definition/tests/e2e/defaults/main.test.bicep
index 0c64dc087e..49c66084b1 100644
--- a/avm/res/managed-services/registration-definition/tests/e2e/defaults/main.test.bicep
+++ b/avm/res/managed-services/registration-definition/tests/e2e/defaults/main.test.bicep
@@ -16,6 +16,10 @@ param resourceLocation string = deployment().location
 @description('Optional. A token to inject into the name of each resource.')
 param namePrefix string = '#_namePrefix_#'
 
+@description('Required. The tenant Id of the lighthouse tenant. This value is tenant-specific and must be stored in the CI Key Vault in a secret named \'CI-LighthouseManagedByTenantId\'.')
+@secure()
+param lighthouseManagedByTenantId string
+
 // ============== //
 // Test Execution //
 // ============== //
@@ -38,7 +42,7 @@ module testDeployment '../../../main.bicep' = [
 roleDefinitionId: '91c1777a-f3dc-4fae-b103-61d183457e46'
 }
 ]
- managedByTenantId: '449fbe1d-9c99-4509-9014-4fd5cf25b014'
+ managedByTenantId: lighthouseManagedByTenantId
 }
 }
 ]
diff --git a/avm/res/managed-services/registration-definition/tests/e2e/max/main.test.bicep b/avm/res/managed-services/registration-definition/tests/e2e/max/main.test.bicep
index 17fdc6a502..774e4d5165 100644
--- a/avm/res/managed-services/registration-definition/tests/e2e/max/main.test.bicep
+++ b/avm/res/managed-services/registration-definition/tests/e2e/max/main.test.bicep
@@ -16,6 +16,10 @@ param resourceLocation string = deployment().location
 @description('Optional. A token to inject into the name of each resource.')
 param namePrefix string = '#_namePrefix_#'
 
+@description('Required. The tenant Id of the lighthouse tenant. This value is tenant-specific and must be stored in the CI Key Vault in a secret named \'CI-LighthouseManagedByTenantId\'.')
+@secure()
+param lighthouseManagedByTenantId string
+
 // ============== //
 // Test Execution //
 // ============== //
@@ -48,7 +52,7 @@ module testDeployment '../../../main.bicep' = [
 roleDefinitionId: '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9' // User Access Administrator
 }
 ]
- managedByTenantId: '449fbe1d-9c99-4509-9014-4fd5cf25b014'
+ managedByTenantId: lighthouseManagedByTenantId
 }
 }
 ]
diff --git a/avm/res/managed-services/registration-definition/tests/e2e/rg/main.test.bicep b/avm/res/managed-services/registration-definition/tests/e2e/rg/main.test.bicep
index 710d6a08ce..0779dc39e3 100644
--- a/avm/res/managed-services/registration-definition/tests/e2e/rg/main.test.bicep
+++ b/avm/res/managed-services/registration-definition/tests/e2e/rg/main.test.bicep
@@ -20,6 +20,10 @@ param resourceLocation string = deployment().location
 @description('Optional. A token to inject into the name of each resource.')
 param namePrefix string = '#_namePrefix_#'
 
+@description('Required. The tenant Id of the lighthouse tenant. This value is tenant-specific and must be stored in the CI Key Vault in a secret named \'CI-LighthouseManagedByTenantId\'.')
+@secure()
+param lighthouseManagedByTenantId string
+
 // ============ //
 // Dependencies //
 // ============ //
@@ -61,7 +65,7 @@ module testDeployment '../../../main.bicep' = [
 roleDefinitionId: '91c1777a-f3dc-4fae-b103-61d183457e46'
 }
 ]
- managedByTenantId: '449fbe1d-9c99-4509-9014-4fd5cf25b014'
+ managedByTenantId: lighthouseManagedByTenantId
 }
 }
 ]
diff --git a/avm/res/managed-services/registration-definition/tests/e2e/waf-aligned/main.test.bicep b/avm/res/managed-services/registration-definition/tests/e2e/waf-aligned/main.test.bicep
index add8fba41d..b69547f748 100644
--- a/avm/res/managed-services/registration-definition/tests/e2e/waf-aligned/main.test.bicep
+++ b/avm/res/managed-services/registration-definition/tests/e2e/waf-aligned/main.test.bicep
@@ -20,6 +20,10 @@ param resourceLocation string = deployment().location
 @description('Optional. A token to inject into the name of each resource.')
 param namePrefix string = '#_namePrefix_#'
 
+@description('Required. The tenant Id of the lighthouse tenant. This value is tenant-specific and must be stored in the CI Key Vault in a secret named \'CI-LighthouseManagedByTenantId\'.')
+@secure()
+param lighthouseManagedByTenantId string
+
 // ============ //
 // Dependencies //
 // ============ //
@@ -54,7 +58,7 @@ module testDeployment '../../../main.bicep' = [
 roleDefinitionId: '91c1777a-f3dc-4fae-b103-61d183457e46'
 }
 ]
- managedByTenantId: '449fbe1d-9c99-4509-9014-4fd5cf25b014'
+ managedByTenantId: lighthouseManagedByTenantId
 }
 }
 ]