azure / bicep-lz-vending Goto Github PK

Describe the solution you'd like

Thanks for the community update session earlier this week, it was good to see the direction of ALZ and future focus on expanding the offering. I have been using the Vending approach recently and had some feedback from customers to compliment the role assignment with privileged role assignments as part of the deployment.

Describe alternatives you've considered

Follow a similar concept to the role assignment but include Azure AD PIM role assignments.

• optional
• boolean true / false
• pass in an array of objects for role assignments
• applied to the subscription or Resource Group context

Additional context

This approach can address permanent assigned access for "read" type access using role assignments and eligible access for "write" access using Azure AD PIM.

Question

Hi,

I am fairly new to subscription/lz vending and would very much like to try it out as I most likely think that my customer would love to automate the e2e process for the application teams. However, at this point I wonder, is there any easy way to try the concept out?

I tried to follow example 1, which led to the following error message "User is not authorized to create subscriptions on this enrollment account", which made me realize I need an account on the EA side be it an SPN or whatever to allow me to create subscriptions. Is there like a detailed step-by-step guide to follow in order to follow along and get some more insights?
I've found one customer over Medium who achieved to make a nice subscription vending solution, but their articles are mainly on a conceptual level rather than on a detailed level, which I believe is what I am looking for...

What I loved in the ALZ Bicep series where the sessions with real examples - Do you @jtracey93 and the team maybe have in the pipeline to record a session where you provide a real example of subscription vending e2e too?

Thanks!

Describe the solution you'd like

Add budget support for Subscriptions scope

Describe alternatives you've considered

N/A

Additional context

N/A

Describe the solution you'd like

Looked at the ALZ-Bicep Orchestration - hubPeeredSpoke module and it contains route table creation with nexthop to the firewall. Think that should be added in the vending module as well for the corp landing zones.

Additional context

Add any other context or screenshots about the feature request here. 📷

Describe the solution you'd like

Enable service health alerts on provisioned subscriptions to enable better workload reliability through various alerts generated from service health

Describe alternatives you've considered

N/A

Additional context

Add any other context or screenshots about the feature request here. 📷

Upgrade to CARML v0.7.0

Describe the bug

Example 5 is missing from the Wiki 's side bar

Describe the solution you'd like

Enable Telemetry for Bicep LZ Vending using CUA PID method

Also investigate "bitfield" feasibility to track what features have been enabled in the modules

Describe the solution you'd like

Add some of our documentation from enterprise scale, AzOps etc and modifying it. For example the access needed for the SPN to create subscriptions:
https://github.com/Azure/Enterprise-Scale/wiki/Create-Landingzones

Describe the solution you'd like

Add support for linking VNet to existing DDoS plan

Describe the solution you'd like

Add a module to :

• Register the most commonly used resource providers or providers provided by user input
• Register resource providers features provided by user input

Describe alternatives you've considered

N/A

Additional context

Add any other context or screenshots about the feature request here. 📷

Describe the bug

In the subscription resource provider registration logic, it very much looks like there is a bug that ends up causing an error.

The reason is because that output from Invoke-RegisterSubscriptionResourceProviders.ps1 is not existing since this section is not being invoked, as expected since I haven't passed in any features to register on the provider. The main.bicep on the other hand doesn't take this into consideration and will try to emit a non-existing value.

I also might suspect there is an additional bug, as it looks like there is missing a parameter in the script to pass features at all. Looking at the log a unknown parameter is passed to Invoke-RegisterSubscriptionResourceProviders.ps1 with no value and not declared as a parameter in the script either, hence ignored.

To Reproduce

Steps to reproduce the behaviour:

Example configuration that triggers the behaviour:

module sub001 'br/public:lz/sub-vending:1.5.1' = {
  name: 'd-org-001'
  params: {
    subscriptionAliasEnabled: true
    subscriptionBillingScope: subscriptionBillingScope
    subscriptionAliasName: subscriptionAliasName
    subscriptionDisplayName: subscriptionAliasName
    subscriptionTags: {
      example: 'true'
    }
    subscriptionWorkload: 'DevTest'
    subscriptionManagementGroupAssociationEnabled: true
    subscriptionManagementGroupId: 'my-mg'
  }
}

Expected behaviour

No error should be emitted.

Screenshots 📷

Correlation ID

2e19e2fa-54e9-4a37-b415-2b1ca5aa8274

Additional context

If needed, we can schedule a meeting to explain further.

Describe the solution you'd like

The ability to update the Partner ID within the partner information section of a subscription

Additional context

Info and documentation https://learn.microsoft.com/en-us/azure/lighthouse/how-to/partner-earned-credit

Describe the solution you'd like

Add support for custom DNS servers on virtual networks

Describe the bug

I have found the code passes an object over for the routing configuration of the VNET connection despite the values of the routing configuration being empty.

This fails as it should be passing over a null or empty value when routing intent is enabled:

Routing configuration for Connection /subscriptions/<SUBGUID>/resourceGroups/<RESOURCEGROUP>/providers/Microsoft.Network/virtualHubs/<VIRTUALHUB>/hubVirtualNetworkConnections/<VIRTUALNETWORKCONNECTION> conflicts with Routing Intent /subscriptions/<SUBGUID>/resourceGroups/<RESOURCEGROUP>/providers/Microsoft.Network/virtualHubs/<VIRTUALHUB>/routingIntent/hubRoutingIntent. Leave Routing configuration empty to auto-populate.

The VWAN VNET connection is expecting an object for routingConfiguration and in the existing code the following values should not be set when routing intent is enabled:

"virtualNetworkVwanAssociatedRouteTableResourceId": {
        "value": ""
      },
      "virtualNetworkVwanPropagatedRouteTablesResourceIds": {
        "value": []
      },
      "virtualNetworkVwanPropagatedLabels": {
        "value": []
      }

When these values are constructed into the object in the src\self\subResourceWrapper\deploy.bicep file:

associatedRouteTable: {
        id: virtualWanHubConnectionAssociatedRouteTable
      }
      propagatedRouteTables: {
        ids: virtualWanHubConnectionPropogatedRouteTables
        labels: virtualWanHubConnectionPropogatedLabels
        }

It still passes an object and results in the error above.

To get round this is have introduced a boolean parameter for routingIntent and amended the src\self\subResourceWrapper\deploy.bicep as follows:

routingConfiguration: !routingIntent ? { 
      associatedRouteTable: {
        id: virtualWanHubConnectionAssociatedRouteTable
      }
      propagatedRouteTables: {
        ids: virtualWanHubConnectionPropogatedRouteTables
        labels: virtualWanHubConnectionPropogatedLabels
        }
    
    } : {}

Let me know if you want me to create a PR for this - i have not managed to test this code when routing intent is not enabled.

To Reproduce

Steps to reproduce the behaviour:

1. Deploy vWAN with routing intent enabled.
2. Run the example VWAN scenario.

Expected behaviour

The virtual network connection should be routing intent aware

Correlation ID

73196261-75d5-4aa8-a426-aeed9e2a7230

Question/Feedback

is IaaC code for subscription-vending here based on the new AVM ?

in that link : https://learn.microsoft.com/en-us/azure/architecture/landing-zones/subscription-vending

Possible Answers/Solutions?

Just want us to confirm your thinking, let us know any possible answers you've considered and we can confirm 👍

Description

We are trying to create a new subscription using our lz-vending-module CD pipeline, under the "Sandbox" archetype, without a VNET and all of its related configuration/resources. Everything seems to work fine, except our role assignments seems to be completely ignored.

We have used the same pipeline before to create other subscriptions under "Corp" archetype with the only difference being that we provision those with a Spoke VNet peered to our Hub. In those scenarios, the role assignments works just fine.

Also, if I search for "roleAssignments" in the pipeline output, I can find outputs from the subscriptions containing VNets but nothing for the one without a VNet.

I did some troubleshooting in the bicep scripts and I'm guessing that this is the reason of this behaviour (src > self > subResourceWrapper > deploy.bicep):

module createLzRoleAssignments '../../carml/v0.6.0/Microsoft.Authorization/roleAssignments/deploy.bicep' = [for assignment in roleAssignments: if (roleAssignmentEnabled && !empty(roleAssignments)) {
dependsOn: [
createResourceGroupForLzNetworking
]
name: take('${deploymentNames.createLzRoleAssignments}-${uniqueString(assignment.principalId, assignment.definition, assignment.relativeScope)}', 64)
params: {
location: virtualNetworkLocation
principalId: assignment.principalId
roleDefinitionIdOrName: assignment.definition
subscriptionId: subscriptionId
resourceGroupName: (contains(assignment.relativeScope, '/resourceGroups/') ? split(assignment.relativeScope, '/')[2] : '')
enableDefaultTelemetry: enableTelemetryForCarml
}
}]

From what I understand, this means that the role assignments are dependent on the VNet resource group creation. Problem is, we don't provision a VNet or any of its associated resources during deployment, since this is a sandbox subscription. Seems odd that there would have to be a relation between these two things. Is this really the intended behaviour?

To Reproduce

Use the following parameter file to reproduce. Make sure to replace the placeholders.

{
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "subscriptionAliasEnabled": {
            "value": true
        },
        "subscriptionDisplayName": {
            "value": "ALZ Example Dev"
        },
        "subscriptionAliasName": {
            "value": "ALZ-Example-Dev"
        },
        "subscriptionBillingScope": {
            "value": "providers/Microsoft.Billing/billingAccounts/XXXXXXXX/enrollmentAccounts/XXXXXX"
        },
        "subscriptionWorkload": {
            "value": "DevTest"
        },
        "existingSubscriptionId": {
            "value": ""
        },
        "subscriptionManagementGroupAssociationEnabled": {
            "value": true
        },
        "subscriptionManagementGroupId": {
            "value": "lz-sandbox"
        },
        "subscriptionTags": {
            "value": {}
        },
        "virtualNetworkEnabled": {
            "value": false
        },
        "virtualNetworkResourceGroupName": {
            "value": ""
        },
        "virtualNetworkResourceGroupTags": {
            "value": {}
        },
        "virtualNetworkResourceGroupLockEnabled": {
            "value": false
        },
        "virtualNetworkLocation": {
            "value": ""
        },
        "virtualNetworkName": {
            "value": ""
        },
        "virtualNetworkTags": {
            "value": {}
        },
        "virtualNetworkAddressSpace": {
            "value": []
        },
        "virtualNetworkDnsServers": {
            "value": []
        },
        "virtualNetworkDdosPlanId": {
            "value": ""
        },
        "virtualNetworkPeeringEnabled": {
            "value": false
        },
        "hubNetworkResourceId": {
            "value": ""
        },
        "virtualNetworkUseRemoteGateways": {
            "value": false
        },
        "virtualNetworkVwanAssociatedRouteTableResourceId": {
            "value": ""
        },
        "virtualNetworkVwanPropagatedRouteTablesResourceIds": {
            "value": []
        },
        "virtualNetworkVwanPropagatedLabels": {
            "value": []
        },
        "roleAssignmentEnabled": {
            "value": true
        },
        "roleAssignments": {
            "value": [
                {
                    "principalId": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
                    "definition": "/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
                    "relativeScope": ""
                }
            ]
        },
        "disableTelemetry": {
            "value": true
        }
    }
}

Expected behaviour

My expectation is that role assignments should be applied during provisioning, whether I choose to include a VNet or not.

Convert test workflows to use pull_request_target and protect with labels as today tests from forks will not run due to no access to secrets.

Protect jobs with label techniques here and require all workflows to have an approval

Question/Feedback

Sorry if this is a daft question. I wondered how people are handling subnet creation when using this module? - We've leveraged this useful module for customer deployment as part of an internal orchestration module, and defined the subvending vnet as an existing resource to then continue the deployment with workload specific subnets etc

There is a warning in the documentation here around not creating subnets as child resources this way: https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/scenarios-virtual-networks

Is there a better way to do this currently or can the module be developed to support additional subnets?

Possible Answers/Solutions?

Certainly no BiCep expert but optional parameters to define additional subnets, name ,route table, cidr ?

Describe the bug

Example 4 uses the same identifier for the modules twice. The second module should be renamed to for example createSubAndSecondVnet

Describe the solution you'd like

Add this module to the Bicep public module registry - https://github.com/Azure/bicep-registry-modules

Describe alternatives you've considered

N/A

Additional context

N/A

Describe the bug

Management Group ID Example Incorrect

Expected behaviour

A clear and concise description of what you expected to happen without this bug 🙂

Screenshots 📷

If applicable, add screenshots to help explain your problem. Please feel free to blur/cover any sensitive information.

Correlation ID

A correlation ID really helps us investigate your issue further. Please provide one if possible. Details on how to find a correlation ID can be found here: Correlation ID and support

Additional context

Anything else we should know to help us troubleshoot this bug?

Describe the bug

Creating subscriptions without networking resources causes management group placement and sub tags etc. to not be deployed/created

To Reproduce

Steps to reproduce the behaviour:

Below example will create subscription fine, but will not move to corp MG or tag the subscription

targetScope = 'managementGroup'

module sub001 'br/public:lz/sub-vending:1.1.1' = {
  name: 'sub001'
  params: {
    subscriptionAliasEnabled: true
    subscriptionBillingScope: '/providers/Microsoft.Billing/billingAccounts/1234567/enrollmentAccounts/123456'
    subscriptionAliasName: 'sub-test-001'
    subscriptionDisplayName: 'sub-test-001'
    subscriptionTags: {
      example: 'true'
    }
    subscriptionWorkload: 'Production'
    subscriptionManagementGroupAssociationEnabled: true
    subscriptionManagementGroupId: 'corp'
  }
}

Expected behaviour

Above example should tag and move sub to correct MG

Describe the solution you'd like

Provide Reference/Example GitHub Action to Vend LZs (Subs)

Notes:

• Based on a git diff to check for what's changed since last push into main
  • Only do added or modified files
    • Modified files brings the VNET issue to a head and may have to solve here
• Loop through and deploy all parameter files in landingZones folder that have changed or been added and deploy them

Describe the bug

disableTelemetry not being passed into child CARML modules and therefore some telemetry being left enabled

To Reproduce

cc: @AlexanderSehr JFYI

Question/Feedback

I don't see a pattern in the documentation (perhaps it's not obvious), for how I can add some common fixtures in subscriptions that can be used by Application teams. Ex: Resource Group for a KeyVault, Resource Group for Storage Accounts, Recovery Vaults and so on.

In my case the subscriptions already exist and I see there's an example to accommodate adding the networking and peering.

What would I need to do to extend that a bit to include the resources I mentioned above?

Possible Answers/Solutions?

I'd like to follow a recommended pattern so that it doesn't break away too much from the LZ-Vending approach. (I'd like to reuse, leverage the existing automation as much as possible found in the repo.)

Describe the bug

I get this error when using version 1.5.1

{
    "status": "Failed",
    "error": {
        "code": "DeploymentFailed",
        "target": "/providers/Microsoft.Management/managementGroups/xenia-corp/providers/Microsoft.Resources/deployments/shared-services",
        "message": "At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-deployment-operations for usage details.",
        "details": [
            {
                "code": "ResourceDeploymentFailure",
                "target": "/providers/Microsoft.Management/managementGroups/xenia-corp/providers/Microsoft.Resources/deployments/lz-vend-sub-res-create-shared-services-i7ug2kbzlb7vc",
                "message": "The resource write operation failed to complete successfully, because it reached terminal provisioning state 'Failed'.",
                "details": [
                    {
                        "code": "DeploymentOutputEvaluationFailed",
                        "target": "/providers/Microsoft.Management/managementGroups/xenia-corp/providers/Microsoft.Resources/deployments/lz-vend-sub-res-create-shared-services-i7ug2kbzlb7vc",
                        "message": "Unable to evaluate template outputs: 'failedFeatures'. Please see error details and deployment operations. Please see https://aka.ms/arm-common-errors for usage details.",
                        "details": [
                            {
                                "code": "DeploymentOutputEvaluationFailed",
                                "target": "failedFeatures",
                                "message": "The template output 'failedFeatures' is not valid: The language expression property 'failedFeaturesRegistrations' doesn't exist, available properties are 'failedProvidersRegistrations'.."
                            }
                        ]
                    }
                ]
            }
        ]
    }
}

To Reproduce

Steps to reproduce the behaviour:

targetScope = 'managementGroup'

module subscriptionmod 'br/public:lz/sub-vending:1.5.1' = {
  name: '<my-name>'
  params: {
    subscriptionAliasEnabled: true
    subscriptionBillingScope: '<my billing scope>'
    subscriptionAliasName: '<my-name>'
    subscriptionDisplayName: '<my-name>'
    subscriptionWorkload: 'Production'
    subscriptionManagementGroupAssociationEnabled: true
    subscriptionManagementGroupId: '<my-mg>'
  }
}

results in above error

module subscriptionmod 'br/public:lz/sub-vending:1.4.1' = {
  name: '<my-name>'
  params: {
    subscriptionAliasEnabled: true
    subscriptionBillingScope: '<my billing scope>'
    subscriptionAliasName: '<my-name>'
    subscriptionDisplayName: '<my-name>'
    subscriptionWorkload: 'Production'
    subscriptionManagementGroupAssociationEnabled: true
    subscriptionManagementGroupId: '<my-mg>'
  }
}

results in successful deployment

Additional context

I'm happy to try and look into this one myself