Azure / bicep-lz-vending
Bicep module & pipelines to deploy landing zone subscriptions
License: MIT License
Thanks for the community update session earlier this week; it was good to see the direction of ALZ and the future focus on expanding the offering. I have been using the Vending approach recently and had some feedback from customers to complement the role assignment with privileged role assignments as part of the deployment.
Follow a similar concept to the role assignment but include Azure AD PIM role assignments.
This approach can address permanently assigned access for "read" type access using role assignments and eligible access for "write" access using Azure AD PIM.
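The split described above, as an added example (not code from the original post or from the bicep-lz-vending module): a standing Reader assignment next to a PIM-eligible Contributor assignment, both at subscription scope. Parameter names, the group principal type and the one-year eligibility are assumptions chosen for the example; the two role definition GUIDs are the well-known built-in IDs.

```bicep
// Added example, not part of the sub-vending module: standing "read" access as a
// normal role assignment, "write" access as a PIM eligibility that must be activated.
// Parameter names and the Group principal type are assumptions for this example.
targetScope = 'subscription'

@description('Object ID of the group that gets standing, permanent read access.')
param readerPrincipalId string

@description('Object ID of the group that becomes eligible (not active) for write access.')
param writerPrincipalId string

@description('ISO 8601 duration of the eligibility before it must be renewed.')
param eligibilityDuration string = 'P365D'

// utcNow() is only allowed as a parameter default, so the start time comes in this way.
param eligibilityStart string = utcNow()

// Built-in role definition IDs; these are fixed across all tenants.
var readerRoleId = 'acdd72a7-3385-48ef-bd42-f606fba81ae7'
var contributorRoleId = 'b24988ac-6180-42a0-ab88-20f7382dd24c'

// Standing read access: a plain role assignment, active immediately and permanently.
resource readerAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(subscription().id, readerPrincipalId, readerRoleId)
  properties: {
    principalId: readerPrincipalId
    principalType: 'Group' // must match the object behind readerPrincipalId
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', readerRoleId)
  }
}

// Write access is eligible only: nothing is granted until the principal activates
// the role through PIM, so the standing blast radius of the subscription stays at read.
resource writerEligibility 'Microsoft.Authorization/roleEligibilityScheduleRequests@2020-10-01' = {
  name: guid(subscription().id, writerPrincipalId, contributorRoleId, 'eligible')
  properties: {
    principalId: writerPrincipalId
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', contributorRoleId)
    requestType: 'AdminAssign'
    justification: 'Eligible write access vended with the landing zone'
    scheduleInfo: {
      startDateTime: eligibilityStart
      expiration: {
        type: 'AfterDuration'
        duration: eligibilityDuration
      }
    }
  }
}
```

Two things to check before wiring this into a vending pipeline: the deploying identity needs Owner or User Access Administrator at the target scope for both resources, and a schedule request is a one-shot request rather than a managed resource, so removing it from the template does not revoke the eligibility; revocation is a further request with requestType 'AdminRemove'.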
Hi,
I am fairly new to subscription/LZ vending and would very much like to try it out, as I think my customer would most likely love to automate the e2e process for the application teams. However, at this point I wonder, is there any easy way to try the concept out?
I tried to follow example 1, which led to the following error message: "User is not authorized to create subscriptions on this enrollment account". That made me realize I need an account on the EA side, be it an SPN or whatever, to allow me to create subscriptions. Is there a detailed step-by-step guide to follow along with and get some more insights?
I've found one customer on Medium who managed to make a nice subscription vending solution, but their articles are mainly on a conceptual level rather than on a detailed level, which I believe is what I am looking for...
What I loved in the ALZ Bicep series were the sessions with real examples. Do you @jtracey93 and the team maybe have in the pipeline to record a session where you provide a real example of subscription vending e2e too?
Thanks!
Add budget support for Subscriptions scope
Looked at the ALZ-Bicep Orchestration hubPeeredSpoke module, and it contains route table creation with next hop to the firewall. I think that should be added in the vending module as well for the corp landing zones.
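What "route table creation with next hop to the firewall" looks like in Bicep, as an added example (not the hubPeeredSpoke module's code and not part of the original request): a route table that sends all spoke egress to the hub firewall, attached to one workload subnet of an existing spoke VNet. The parameter names, the API version and the subnet being declared as a child of an existing VNet are assumptions made for the example.

```bicep
// Added example, not the hubPeeredSpoke or sub-vending module code: force spoke egress
// through the hub firewall. Parameter names and defaults are assumptions for the example.
targetScope = 'resourceGroup'

param location string = resourceGroup().location
param spokeVnetName string
param subnetName string
param subnetAddressPrefix string

@description('Private IP of the hub firewall (e.g. Azure Firewall) that all spoke traffic must traverse.')
param firewallPrivateIp string

resource spokeVnet 'Microsoft.Network/virtualNetworks@2023-04-01' existing = {
  name: spokeVnetName
}

resource rtToFirewall 'Microsoft.Network/routeTables@2023-04-01' = {
  name: 'rt-${spokeVnetName}-to-fw'
  location: location
  properties: {
    // Drop routes learned over BGP from the hub gateway: otherwise a more specific
    // learned route can quietly steer traffic around the firewall.
    disableBgpRoutePropagation: true
    routes: [
      {
        name: 'default-via-firewall'
        properties: {
          addressPrefix: '0.0.0.0/0'
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: firewallPrivateIp
        }
      }
    ]
  }
}

// The route table only takes effect once a subnet references it.
resource workloadSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-04-01' = {
  parent: spokeVnet
  name: subnetName
  properties: {
    addressPrefix: subnetAddressPrefix
    routeTable: {
      id: rtToFirewall.id
    }
  }
}
```

The default route covers internet-bound traffic; hub-to-spoke and spoke-to-spoke paths still need the firewall to be the next hop on the hub side, which is outside this snippet. Declaring the subnet as a child of an `existing` VNet works for a one-off deployment, but whether a later redeploy of the VNet by the vending module preserves it depends on how that module declares the VNet's subnets property, so check that before relying on it.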
Enable service health alerts on provisioned subscriptions to enable better workload reliability through various alerts generated from service health
Upgrade to CARML v0.7.0
Example 5 is missing from the Wiki's sidebar
Enable Telemetry for Bicep LZ Vending using CUA PID method
Also investigate "bitfield" feasibility to track what features have been enabled in the modules
Add some of our documentation from Enterprise-Scale, AzOps etc. and modify it. For example, the access needed for the SPN to create subscriptions:
https://github.com/Azure/Enterprise-Scale/wiki/Create-Landingzones
Add support for linking VNet to existing DDoS plan
Add a module to :
In the subscription resource provider registration logic, it very much looks like there is a bug that ends up causing an error.
The reason is that the output from Invoke-RegisterSubscriptionResourceProviders.ps1 does not exist, since this section is not invoked (as expected, since I haven't passed in any features to register on the provider). The main.bicep, on the other hand, doesn't take this into consideration and will try to emit a non-existent value.
Lines 705 to 706 in 4e411ef
I also suspect there is an additional bug, as it looks like a parameter to pass features is missing from the script entirely. Looking at the log, an unknown parameter is passed to Invoke-RegisterSubscriptionResourceProviders.ps1 with no value, and it is not declared as a parameter in the script either, hence ignored.
Steps to reproduce the behaviour:
Example configuration that triggers the behaviour:
targetScope = 'managementGroup'

// Parameters referenced by the module call below, declared so the snippet compiles as-is
param subscriptionBillingScope string
param subscriptionAliasName string

module sub001 'br/public:lz/sub-vending:1.5.1' = {
  name: 'd-org-001'
  params: {
    subscriptionAliasEnabled: true
    subscriptionBillingScope: subscriptionBillingScope
    subscriptionAliasName: subscriptionAliasName
    subscriptionDisplayName: subscriptionAliasName
    subscriptionTags: {
      example: 'true'
    }
    subscriptionWorkload: 'DevTest'
    subscriptionManagementGroupAssociationEnabled: true
    subscriptionManagementGroupId: 'my-mg'
  }
}
No error should be emitted.
2e19e2fa-54e9-4a37-b415-2b1ca5aa8274
If needed, we can schedule a meeting to explain further.
The ability to update the Partner ID within the partner information section of a subscription
Info and documentation https://learn.microsoft.com/en-us/azure/lighthouse/how-to/partner-earned-credit
Add support for custom DNS servers on virtual networks
I have found the code passes an object over for the routing configuration of the VNET connection despite the values of the routing configuration being empty.
This fails as it should be passing over a null or empty value when routing intent is enabled:
Routing configuration for Connection /subscriptions/<SUBGUID>/resourceGroups/<RESOURCEGROUP>/providers/Microsoft.Network/virtualHubs/<VIRTUALHUB>/hubVirtualNetworkConnections/<VIRTUALNETWORKCONNECTION> conflicts with Routing Intent /subscriptions/<SUBGUID>/resourceGroups/<RESOURCEGROUP>/providers/Microsoft.Network/virtualHubs/<VIRTUALHUB>/routingIntent/hubRoutingIntent. Leave Routing configuration empty to auto-populate.
The VWAN VNET connection is expecting an object for routingConfiguration and in the existing code the following values should not be set when routing intent is enabled:
"virtualNetworkVwanAssociatedRouteTableResourceId": {
  "value": ""
},
"virtualNetworkVwanPropagatedRouteTablesResourceIds": {
  "value": []
},
"virtualNetworkVwanPropagatedLabels": {
  "value": []
}
When these values are constructed into the object in the src\self\subResourceWrapper\deploy.bicep file:
associatedRouteTable: {
  id: virtualWanHubConnectionAssociatedRouteTable
}
propagatedRouteTables: {
  ids: virtualWanHubConnectionPropogatedRouteTables
  labels: virtualWanHubConnectionPropogatedLabels
}
It still passes an object and results in the error above.
To get round this I have introduced a boolean parameter for routingIntent and amended the src\self\subResourceWrapper\deploy.bicep as follows:
routingConfiguration: !routingIntent ? {
  associatedRouteTable: {
    id: virtualWanHubConnectionAssociatedRouteTable
  }
  propagatedRouteTables: {
    ids: virtualWanHubConnectionPropogatedRouteTables
    labels: virtualWanHubConnectionPropogatedLabels
  }
} : {}
Let me know if you want me to create a PR for this. I have not managed to test this code when routing intent is not enabled.
Steps to reproduce the behaviour:
The virtual network connection should be routing intent aware
73196261-75d5-4aa8-a426-aeed9e2a7230
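The routing-intent-aware connection the report above asks for, as an added, stand-alone example (not the module's subResourceWrapper code and not the reporter's patch): a vWAN hub virtual network connection whose routingConfiguration is populated only when routing intent is off. Parameter names, the API version and the defaults pointing at the hub's defaultRouteTable are assumptions for this example.

```bicep
// Added example, not the sub-vending module's code: hub VNet connection that sends no
// routing configuration at all when routing intent owns the hub's routing.
// Parameter names and defaults are assumptions for this example.
targetScope = 'resourceGroup'

param hubName string
param connectionName string
param spokeVnetResourceId string

@description('True when the hub uses routing intent; the connection must then leave routingConfiguration empty.')
param routingIntentEnabled bool

// Only used when routing intent is disabled; the hub default route table is the usual choice.
param associatedRouteTableResourceId string = resourceId('Microsoft.Network/virtualHubs/hubRouteTables', hubName, 'defaultRouteTable')
param propagatedRouteTableResourceIds array = [
  resourceId('Microsoft.Network/virtualHubs/hubRouteTables', hubName, 'defaultRouteTable')
]
param propagatedLabels array = [
  'default'
]

// The API wants SubResource objects, not bare resource ID strings.
var propagatedRouteTableIds = [for id in propagatedRouteTableResourceIds: {
  id: id
}]

resource hub 'Microsoft.Network/virtualHubs@2023-04-01' existing = {
  name: hubName
}

resource spokeConnection 'Microsoft.Network/virtualHubs/hubVirtualNetworkConnections@2023-04-01' = {
  parent: hub
  name: connectionName
  properties: {
    remoteVirtualNetwork: {
      id: spokeVnetResourceId
    }
    // With routing intent the service auto-populates this block. Sending an object of
    // empty values is still "a routing configuration" and is rejected as a conflict with
    // hubRoutingIntent, so the whole block is switched on the flag, not its fields.
    routingConfiguration: routingIntentEnabled ? {} : {
      associatedRouteTable: {
        id: associatedRouteTableResourceId
      }
      propagatedRouteTables: {
        ids: propagatedRouteTableIds
        labels: propagatedLabels
      }
    }
  }
}
```

The empty object on the routing-intent branch is what the report above found the service accepts; the key point is that the decision is made on the flag rather than on whether the route table strings happen to be empty, because an empty string still serializes as an `id` property and triggers the conflict.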
Is the IaC code for subscription vending here based on the new AVM?
In that link: https://learn.microsoft.com/en-us/azure/architecture/landing-zones/subscription-vending
We are trying to create a new subscription using our lz-vending-module CD pipeline, under the "Sandbox" archetype, without a VNet and all of its related configuration/resources. Everything seems to work fine, except that our role assignments seem to be completely ignored.
We have used the same pipeline before to create other subscriptions under the "Corp" archetype, with the only difference being that we provision those with a Spoke VNet peered to our Hub. In those scenarios, the role assignments work just fine.
Also, if I search for "roleAssignments" in the pipeline output, I can find outputs from the subscriptions containing VNets but nothing for the one without a VNet.
I did some troubleshooting in the Bicep scripts and I'm guessing that this is the reason for this behaviour (src > self > subResourceWrapper > deploy.bicep):
module createLzRoleAssignments '../../carml/v0.6.0/Microsoft.Authorization/roleAssignments/deploy.bicep' = [for assignment in roleAssignments: if (roleAssignmentEnabled && !empty(roleAssignments)) {
  dependsOn: [
    createResourceGroupForLzNetworking
  ]
  name: take('${deploymentNames.createLzRoleAssignments}-${uniqueString(assignment.principalId, assignment.definition, assignment.relativeScope)}', 64)
  params: {
    location: virtualNetworkLocation
    principalId: assignment.principalId
    roleDefinitionIdOrName: assignment.definition
    subscriptionId: subscriptionId
    resourceGroupName: (contains(assignment.relativeScope, '/resourceGroups/') ? split(assignment.relativeScope, '/')[2] : '')
    enableDefaultTelemetry: enableTelemetryForCarml
  }
}]
From what I understand, this means that the role assignments are dependent on the VNet resource group creation. Problem is, we don't provision a VNet or any of its associated resources during deployment, since this is a sandbox subscription. Seems odd that there would have to be a relation between these two things. Is this really the intended behaviour?
Use the following parameter file to reproduce. Make sure to replace the placeholders.
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "subscriptionAliasEnabled": {
      "value": true
    },
    "subscriptionDisplayName": {
      "value": "ALZ Example Dev"
    },
    "subscriptionAliasName": {
      "value": "ALZ-Example-Dev"
    },
    "subscriptionBillingScope": {
      "value": "providers/Microsoft.Billing/billingAccounts/XXXXXXXX/enrollmentAccounts/XXXXXX"
    },
    "subscriptionWorkload": {
      "value": "DevTest"
    },
    "existingSubscriptionId": {
      "value": ""
    },
    "subscriptionManagementGroupAssociationEnabled": {
      "value": true
    },
    "subscriptionManagementGroupId": {
      "value": "lz-sandbox"
    },
    "subscriptionTags": {
      "value": {}
    },
    "virtualNetworkEnabled": {
      "value": false
    },
    "virtualNetworkResourceGroupName": {
      "value": ""
    },
    "virtualNetworkResourceGroupTags": {
      "value": {}
    },
    "virtualNetworkResourceGroupLockEnabled": {
      "value": false
    },
    "virtualNetworkLocation": {
      "value": ""
    },
    "virtualNetworkName": {
      "value": ""
    },
    "virtualNetworkTags": {
      "value": {}
    },
    "virtualNetworkAddressSpace": {
      "value": []
    },
    "virtualNetworkDnsServers": {
      "value": []
    },
    "virtualNetworkDdosPlanId": {
      "value": ""
    },
    "virtualNetworkPeeringEnabled": {
      "value": false
    },
    "hubNetworkResourceId": {
      "value": ""
    },
    "virtualNetworkUseRemoteGateways": {
      "value": false
    },
    "virtualNetworkVwanAssociatedRouteTableResourceId": {
      "value": ""
    },
    "virtualNetworkVwanPropagatedRouteTablesResourceIds": {
      "value": []
    },
    "virtualNetworkVwanPropagatedLabels": {
      "value": []
    },
    "roleAssignmentEnabled": {
      "value": true
    },
    "roleAssignments": {
      "value": [
        {
          "principalId": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
          "definition": "/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
          "relativeScope": ""
        }
      ]
    },
    "disableTelemetry": {
      "value": true
    }
  }
}
My expectation is that role assignments should be applied during provisioning, whether I choose to include a VNet or not.
Convert test workflows to use pull_request_target and protect with labels, as today tests from forks will not run due to no access to secrets.
Protect jobs with label techniques here and require all workflows to have an approval.
Sorry if this is a daft question. I wondered how people are handling subnet creation when using this module? We've leveraged this useful module for a customer deployment as part of an internal orchestration module, and defined the sub-vending VNet as an existing resource to then continue the deployment with workload-specific subnets etc.
There is a warning in the documentation here around not creating subnets as child resources this way: https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/scenarios-virtual-networks
Is there a better way to do this currently, or can the module be developed to support additional subnets?
Certainly no Bicep expert, but optional parameters to define additional subnets: name, route table, CIDR?
Example 4 uses the same identifier for the modules twice. The second module should be renamed to for example createSubAndSecondVnet
Add this module to the Bicep public module registry - https://github.com/Azure/bicep-registry-modules
Management Group ID Example Incorrect
Creating subscriptions without networking resources causes management group placement and sub tags etc. to not be deployed/created
Steps to reproduce the behaviour:
The below example will create the subscription fine, but will not move it to the corp MG or tag the subscription:
targetScope = 'managementGroup'

module sub001 'br/public:lz/sub-vending:1.1.1' = {
  name: 'sub001'
  params: {
    subscriptionAliasEnabled: true
    subscriptionBillingScope: '/providers/Microsoft.Billing/billingAccounts/1234567/enrollmentAccounts/123456'
    subscriptionAliasName: 'sub-test-001'
    subscriptionDisplayName: 'sub-test-001'
    subscriptionTags: {
      example: 'true'
    }
    subscriptionWorkload: 'Production'
    subscriptionManagementGroupAssociationEnabled: true
    subscriptionManagementGroupId: 'corp'
  }
}
The above example should tag the sub and move it to the correct MG.
Provide Reference/Example GitHub Action to Vend LZs (Subs)
Notes:
main
landingZones folder that have changed or been added and deploy them
disableTelemetry not being passed into child CARML modules and therefore some telemetry being left enabled
cc: @AlexanderSehr JFYI
I don't see a pattern in the documentation (perhaps it's not obvious), for how I can add some common fixtures in subscriptions that can be used by Application teams. Ex: Resource Group for a KeyVault, Resource Group for Storage Accounts, Recovery Vaults and so on.
In my case the subscriptions already exist and I see there's an example to accommodate adding the networking and peering.
What would I need to do to extend that a bit to include the resources I mentioned above?
I'd like to follow a recommended pattern so that it doesn't break away too much from the LZ-Vending approach. (I'd like to reuse, leverage the existing automation as much as possible found in the repo.)
I get this error when using version 1.5.1
{
  "status": "Failed",
  "error": {
    "code": "DeploymentFailed",
    "target": "/providers/Microsoft.Management/managementGroups/xenia-corp/providers/Microsoft.Resources/deployments/shared-services",
    "message": "At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-deployment-operations for usage details.",
    "details": [
      {
        "code": "ResourceDeploymentFailure",
        "target": "/providers/Microsoft.Management/managementGroups/xenia-corp/providers/Microsoft.Resources/deployments/lz-vend-sub-res-create-shared-services-i7ug2kbzlb7vc",
        "message": "The resource write operation failed to complete successfully, because it reached terminal provisioning state 'Failed'.",
        "details": [
          {
            "code": "DeploymentOutputEvaluationFailed",
            "target": "/providers/Microsoft.Management/managementGroups/xenia-corp/providers/Microsoft.Resources/deployments/lz-vend-sub-res-create-shared-services-i7ug2kbzlb7vc",
            "message": "Unable to evaluate template outputs: 'failedFeatures'. Please see error details and deployment operations. Please see https://aka.ms/arm-common-errors for usage details.",
            "details": [
              {
                "code": "DeploymentOutputEvaluationFailed",
                "target": "failedFeatures",
                "message": "The template output 'failedFeatures' is not valid: The language expression property 'failedFeaturesRegistrations' doesn't exist, available properties are 'failedProvidersRegistrations'.."
              }
            ]
          }
        ]
      }
    ]
  }
}
Steps to reproduce the behaviour:
targetScope = 'managementGroup'

module subscriptionmod 'br/public:lz/sub-vending:1.5.1' = {
  name: '<my-name>'
  params: {
    subscriptionAliasEnabled: true
    subscriptionBillingScope: '<my billing scope>'
    subscriptionAliasName: '<my-name>'
    subscriptionDisplayName: '<my-name>'
    subscriptionWorkload: 'Production'
    subscriptionManagementGroupAssociationEnabled: true
    subscriptionManagementGroupId: '<my-mg>'
  }
}
results in the above error, while
module subscriptionmod 'br/public:lz/sub-vending:1.4.1' = {
  name: '<my-name>'
  params: {
    subscriptionAliasEnabled: true
    subscriptionBillingScope: '<my billing scope>'
    subscriptionAliasName: '<my-name>'
    subscriptionDisplayName: '<my-name>'
    subscriptionWorkload: 'Production'
    subscriptionManagementGroupAssociationEnabled: true
    subscriptionManagementGroupId: '<my-mg>'
  }
}
results in a successful deployment.
I'm happy to try and look into this one myself