chore: deploy to new Dev tenant (#432)
* chore: deploy test resources * pr-fix: use linux vm * pr-fix: missing backtick * pr-fix: use parameter secret * pr-fix: gen password * pr-fix: gen password * pr-fix: remove location param * pr-fix: add missing params * pr-fix: server name * pr-fix: app service name * pr-fix: correct plan * pr-fix: sql db sku * pr-fix: sql db basic max bytes * pr-fix: use ex max size * pr-fix: change sku * pr-fix: change sku * pr-fix: change server name * pr-fix: update min capacity * pr-fix: update min capacity * pr-fix: update min capacity * pr-fix: update min capacity * pr-fix: correct basic max size * pr-fix: pass in az service connection * pr-fix: expose test variables * pr-fix: add quotes to condition * pr-fix: correct var name * pr-fix: correct arg name * pr-fix: correct appsettings name * pr-fix: use correct role assignments * pr-fix: use correct password * pr-fix: add certificate permissions to built-in logic apps service principal * pr-fix: add role permissions access * pr-fix: correct authz * pr-fix: correct sql param name * pr-fix: use access policies * pr-fix: use correct access token * pr-fix: use correct key perm * pr-fix: sql firewalls * pr-fix: correct sql * pr-fix: correct sql * pr-fix: correct sql * pr-fix: correct ad * pr-fix: secret name * pr-fix: secret name * pr-fix: secret name * pr-fix: logging * pr-fix: tenant id * pr-fix: sql * pr-fix: sql * pr-fix: sql * pr-fix: sql * pr-fix: sql * pr-fix: use server instance * pr-fix: sql instance + connect graph * pr-fix: sql instance var * pr-fix: assign values ourselves * pr-fix: secure string * pr-fix: secure string * pr-fix: secure string * pr-fix: apim rest permissions? * pr-fix: activate all tests * pr-fix: remove commented-out sql tasks * pr-fix: skip both apim tests * temp: re-activate apim tests * Update Arcus.Scripting.DevOps.tests.ps1 * pr-fix: remove update ps tasks
1 parent
92f804a
commit b7446c6
Showing
14 changed files
with
390 additions
and
40 deletions.
@@ -0,0 +1,78 @@ | ||
name: Arcus Scripting - Deploy test resources | ||
|
||
trigger: none | ||
pr: none | ||
|
||
parameters: | ||
- name: azureServiceConnection | ||
displayName: 'Azure service connection' | ||
type: string | ||
default: 'Azure Codit-Arcus Service Principal' | ||
- name: resourceGroupName | ||
displayName: 'Resource group name' | ||
default: arcus-scripting-dev-we-rg | ||
|
||
variables: | ||
- template: ./variables/build.yml | ||
- template: ./variables/test.yml | ||
|
||
stages: | ||
- stage: Deploy | ||
jobs: | ||
- job: DeployBicep | ||
displayName: 'Deploy test resources' | ||
pool: | ||
vmImage: '$(Vm.Linux.Image)' | ||
steps: | ||
- task: AzureCLI@2 | ||
env: | ||
SYSTEM_ACCESSTOKEN: $(System.AccessToken) | ||
inputs: | ||
azureSubscription: '${{ parameters.azureServiceConnection }}' | ||
addSpnToEnvironment: true | ||
scriptType: 'pscore' | ||
scriptLocation: 'inlineScript' | ||
inlineScript: | | ||
az deployment sub create ` | ||
--location westeurope ` | ||
--template-file ./build/templates/deploy-resource-group.bicep ` | ||
--parameters resourceGroupName=$env:ARCUS_SCRIPTING_RESOURCEGROUP_NAME ` | ||
--parameters location=westeurope | ||
$objectId = (az ad sp show --id $env:servicePrincipalId | ConvertFrom-Json).id | ||
$symbols = '!@#$%^&*=(),.?'.ToCharArray() | ||
$characterList = 'a'..'z' + 'A'..'Z' + '0'..'9' + $symbols | ||
function Gen-Password { | ||
param($length) | ||
do { | ||
$password = "" | ||
for ($i = 0; $i -lt $length; $i++) { | ||
$randomIndex = [System.Security.Cryptography.RandomNumberGenerator]::GetInt32(0, $characterList.Length) | ||
$password += $characterList[$randomIndex] | ||
} | ||
$hasLowerChar = $password -cmatch '[a-z]' | ||
$hasUpperChar = $password -cmatch '[A-Z]' | ||
$hasDigit = $password -match '[0-9]' | ||
$hasSymbol = $password.IndexOfAny($symbols) -ne -1 | ||
} | ||
until (($hasLowerChar + $hasUpperChar + $hasDigit + $hasSymbol) -ge 3) | ||
$password | ||
} | ||
$sqlAdminPassword = Gen-Password 14 | ||
az deployment group create ` | ||
--resource-group $env:ARCUS_SCRIPTING_RESOURCEGROUP_NAME ` | ||
--template-file ./build/templates/deploy-test-resources.bicep ` | ||
--parameters location=westeurope ` | ||
--parameters keyVaultName=$env:ARCUS_SCRIPTING_KEYVAULT_NAME ` | ||
--parameters storageAccountName=$env:ARCUS_SCRIPTING_STORAGEACCOUNT_NAME ` | ||
--parameters appServiceName=$env:ARCUS_SCRIPTING_APPSERVICE_NAME ` | ||
--parameters sqlServerName=$env:ARCUS_SCRIPTING_SQL_SERVERNAME ` | ||
--parameters sqlDatabaseName=$env:ARCUS_SCRIPTING_SQL_DATABASENAME ` | ||
--parameters sqlAdminUserName=$env:ARCUS_SCRIPTING_SQL_USERNAME ` | ||
--parameters sqlAdminPassword=$sqlAdminPassword ` | ||
--parameters sqlAdminPassword_secretName=$env:ARCUS_SCRIPTING_SQL_PASSWORD_SECRETNAME ` | ||
--parameters integrationAccountName=$env:ARCUS_SCRIPTING_INTEGRATIONACCOUNT_NAME ` | ||
--parameters servicePrincipal_objectId=$objectId |
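Review bot: `$sqlAdminPassword` (produced by the `Gen-Password 14` call) is kept as an ordinary PowerShell variable and handed to `az deployment group create` as a plain command-line argument, so nothing stops it from showing up in agent process listings or in the step log if the `az` invocation is ever echoed; registering it as a secret immediately after generation, `Write-Host "##vso[task.setvariable variable=sqlAdminPassword;issecret=true]$sqlAdminPassword"`, makes the agent mask the value in subsequent log output. The `@secure()` decorator on the Bicep side only protects the value once it reaches the deployment, not on the way there. `SYSTEM_ACCESSTOKEN` is exported to the step via `env:` but nothing in the inline script reads it, so that entry can be dropped unless a later change needs it. This rendering shows 74 lines for a hunk declared as 78 additions, so a few lines (presumably blank ones inside `inlineScript`) may be missing from this view.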
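--- /dev/null
+++ b/build/templates/deploy-resource-group.bicep
@@ -0,0 +1,15 @@
+// Define the name of the resource group.
+param resourceGroupName string
+
+// Define the location for the deployment of the components.
+param location string
+
+targetScope='subscription'
+
+module resourceGroup 'br/public:avm/res/resources/resource-group:0.2.3' = {
+name: 'resourceGroupDeployment'
+params: {
+name: resourceGroupName
+location: location
+}
+}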
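Review bot: The parameter comments on `resourceGroupName` and `location` are plain `//` lines, so they do not surface in Bicep tooling or in deployment parameter help; converting them to `@description('Name of the resource group to create.')` and `@description('Azure region in which the resource group is created.')` decorators keeps the same information where consumers of the template see it. The symbolic name `resourceGroup` chosen for the module also coincides with the built-in `resourceGroup()` function name, which is confusing to readers even where the compiler accepts it; a name such as `resourceGroupModule` avoids that.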
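--- /dev/null
+++ b/build/templates/deploy-test-resources.bicep
@@ -0,0 +1,155 @@
+// Define the location for the deployment of the components.
+param location string
+
+// Define the name of the storage account that will be created.
+param storageAccountName string
+
+// Define the name of the Azure Functions app service that will be created.
+param appServiceName string
+
+// Define the name of the Azure SQL server instance that will be created.
+param sqlServerName string
+
+// Define the username of the administrator login for the Azure SQL server instance.
+param sqlAdminUserName string
+
+// Define the password of the administrator login for the Azure SQL server instance.
+@secure()
+param sqlAdminPassword string
+
+// Define the Azure Key vault secret name of the administrator login password for the Azure SQL server instance.
+param sqlAdminPassword_secretName string
+
+// Define the name of the Azure SQL database that will be created within the Azure SQL server instance.
+param sqlDatabaseName string
+
+// Define the name of the integration account that will be created.
+param integrationAccountName string
+
+// Define the name of the Key Vault.
+param keyVaultName string
+
+// Define the Service Principal ID that needs access full access to the deployed resource group.
+param servicePrincipal_objectId string
+
+module storageAccount 'br/public:avm/res/storage/storage-account:0.9.1' = {
+name: 'storageAccountDeployment'
+params: {
+name: storageAccountName
+location: location
+allowBlobPublicAccess: true
+publicNetworkAccess: 'Enabled'
+networkAcls: {
+bypass: 'AzureServices'
+defaultAction: 'Allow'
+ipRules: []
+virtualNetworkRules: []
+}
+roleAssignments: [
+{
+principalId: servicePrincipal_objectId
+roleDefinitionIdOrName: 'Storage Blob Data Contributor'
+}
+{
+principalId: servicePrincipal_objectId
+roleDefinitionIdOrName: 'Storage Table Data Contributor'
+}
+]
+}
+}
+
+module serverfarm 'br/public:avm/res/web/serverfarm:0.2.2' = {
+name: 'serverfarmDeployment'
+params: {
+name: '${appServiceName}-plan'
+skuCapacity: 2
+skuName: 'Y1'
+location: location
+}
+}
+
+module functionApp 'br/public:avm/res/web/site:0.3.9' = {
+name: 'functionAppDeployment'
+params: {
+kind: 'functionapp'
+name: appServiceName
+serverFarmResourceId: serverfarm.outputs.resourceId
+location: location
+enableTelemetry: false
+siteConfig: {
+alwaysOn: false
+}
+}
+}
+
+module sqlServer 'br/public:avm/res/sql/server:0.4.1' = {
+name: 'sqlServerDeployment'
+params: {
+name: sqlServerName
+location: location
+administratorLogin: sqlAdminUserName
+administratorLoginPassword: sqlAdminPassword
+enableTelemetry: false
+publicNetworkAccess: 'Enabled'
+restrictOutboundNetworkAccess: 'Disabled'
+auditSettings: {
+state: 'Disabled'
+}
+databases: [
+{
+name: sqlDatabaseName
+skuName: 'Basic'
+skuTier: 'Basic'
+maxSizeBytes: 2147483648
+}
+]
+}
+}
+
+resource integrationAccount 'Microsoft.Logic/integrationAccounts@2019-05-01' = {
+name: integrationAccountName
+location: location
+properties: {
+state: 'Enabled'
+}
+sku: {
+name: 'Free'
+}
+}
+
+module vault 'br/public:avm/res/key-vault/vault:0.6.1' = {
+name: 'vaultDeployment'
+params: {
+name: keyVaultName
+location: location
+enableRbacAuthorization: false
+sku: 'standard'
+accessPolicies: [
+{
+objectId: servicePrincipal_objectId
+permissions: {
+secrets: [
+'get', 'list', 'set', 'delete'
+]
+keys: [
+'get', 'list', 'create', 'delete'
+]
+}
+}
+{
+objectId: '0d926a02-88dc-4279-8265-fbcd8178ecb0' // (built-in) Azure Logic Apps service principal
+permissions: {
+keys: [
+'list', 'get', 'decrypt', 'sign'
+]
+}
+}
+]
+secrets: [
+{
+name: sqlAdminPassword_secretName
+value: sqlAdminPassword
+}
+]
+}
+}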
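Review bot: The storage account in `module storageAccount` is deployed with `allowBlobPublicAccess: true`, `publicNetworkAccess: 'Enabled'` and `networkAcls.defaultAction: 'Allow'`, which lets any container in it later be switched to anonymous read; unless a test depends on anonymous blob access, `allowBlobPublicAccess: false` is the safer default for a shared dev tenant, and if it is needed a comment naming the test that requires it would make the intent explicit. The same holds for `module sqlServer`, where `publicNetworkAccess: 'Enabled'` together with `auditSettings.state: 'Disabled'` leaves the public endpoint reachable with no audit trail; the commit description mentions SQL firewall work, but nothing in this file narrows access, so presumably that lives elsewhere. The hard-coded `objectId: '0d926a02-88dc-4279-8265-fbcd8178ecb0'` in the vault access policy is a service principal object ID, which is tenant-specific even for first-party Microsoft applications; since this commit targets a new tenant, resolving it in the pipeline the way `servicePrincipal_objectId` already is (via `az ad sp show`) and passing it in as a parameter would be more robust than a literal. The comment on `servicePrincipal_objectId` reads "needs access full access"; `// Define the object ID of the service principal that needs full access to the deployed resources.` fixes the wording.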