feat: merge scenarios #192

Merged
merged 42 commits into from
Nov 29, 2023
Merged
25563a1
feat: ASE shared modules (CARML)
thotheod Oct 17, 2023
f091c7b
feat: fixed spoke subnets
thotheod Oct 17, 2023
94dbdcd
doc: changes for deployAseV3
thotheod Oct 17, 2023
fb0c644
fix: typo
thotheod Oct 17, 2023
b5d16bd
doc: settings
thotheod Oct 17, 2023
1925a95
fix
thotheod Oct 17, 2023
4c0f5ad
fx
thotheod Oct 17, 2023
b4b55ae
feat: asp merged - test 1
thotheod Oct 17, 2023
ad5dbce
fix: nsg
thotheod Oct 17, 2023
f967ded
fix zone redundant
thotheod Oct 18, 2023
5f7cb31
fix: private DNS Zone
thotheod Oct 18, 2023
fc1204d
feat: merged scenarios BICEP
thotheod Oct 18, 2023
8031859
feat: portal deployment
thotheod Oct 18, 2023
0b39bcc
fix
thotheod Oct 18, 2023
daa1718
feat: deployAse Merged
thotheod Oct 20, 2023
1321bae
fix
thotheod Oct 20, 2023
9f072c8
Removed (most of) ASEV3 scenario
thotheod Oct 24, 2023
0ecc7d4
test actions
thotheod Oct 30, 2023
c03f2b1
action test
thotheod Oct 30, 2023
4e535d1
get latest from main (#193)
thotheod Oct 30, 2023
a278b44
test
thotheod Nov 1, 2023
8cf9c3a
there is Scenario 2
thotheod Nov 1, 2023
8dab768
fix: fix depedencies
thotheod Nov 2, 2023
501c761
depedency and conditional logic fix
thotheod Nov 2, 2023
5b2b255
ARM sync
thotheod Nov 2, 2023
0a067a6
Updated main readme
JinLee794 Nov 13, 2023
341986a
Merge branch 'main' into feature/merge-scenarios
thotheod Nov 14, 2023
50df878
ok
thotheod Nov 14, 2023
8eec99f
allow non-AZ ASE
thotheod Nov 14, 2023
6d37a2e
sync ARM
thotheod Nov 14, 2023
bc2a52a
fix: zone redundant or not support for ASE
thotheod Nov 14, 2023
0325b3e
Documentation cleanup, Adding ISSUE_TEMPLATES for bugs and features, …
JinLee794 Nov 14, 2023
882819f
sync json
thotheod Nov 15, 2023
9ff1858
Merge branch 'feature/merge-scenarios' of https://github.com/Azure/ap…
thotheod Nov 15, 2023
aa14ac4
fix: dependency error
thotheod Nov 15, 2023
3e5ef73
fix typo in condition
thotheod Nov 15, 2023
51735ff
test ASE Private DNS Zone Dependency
thotheod Nov 15, 2023
19b74b4
fix dependencies
thotheod Nov 15, 2023
1ab97fb
fix
thotheod Nov 15, 2023
6ea2ba1
ASE Private DNS Zone must be in same scope as ASE
thotheod Nov 15, 2023
aaa44dd
test
thotheod Nov 15, 2023
540a34b
fix outputs
thotheod Nov 16, 2023
feat: fixed spoke subnets
- added NSGs
thotheod committed Oct 17, 2023

commit f091c7b9980ec8b61668d6c322ffad73d31788d7
63 changes: 54 additions & 9 deletions scenarios/secure-baseline-multitenant/bicep/deploy.spoke.bicep
@@ -98,6 +98,8 @@ var resourceNames = {
snetAppSvc: 'snet-appSvc-${naming.virtualNetwork.name}-spoke'
snetDevOps: 'snet-devOps-${naming.virtualNetwork.name}-spoke'
snetPe: 'snet-pe-${naming.virtualNetwork.name}-spoke'
pepNsg: take('${naming.networkSecurityGroup.name}-pep', 80)
aseNsg: take('${naming.networkSecurityGroup.name}-ase', 80)
appSvcUserAssignedManagedIdentity: take('${naming.userAssignedManagedIdentity.name}-appSvc', 128)
vmJumpHostUserAssignedManagedIdentity: take('${naming.userAssignedManagedIdentity.name}-vmJumpHost', 128)
keyvault: naming.keyVault.nameUnique
@@ -134,21 +136,18 @@ var subnets = [
name: resourceNames.snetAppSvc
properties: {
addressPrefix: subnetSpokeAppSvcAddressSpace
privateEndpointNetworkPolicies: 'Enabled'
privateEndpointNetworkPolicies: !(deployAseV3) ? 'Enabled' : 'Disabled'
delegations: [
{
name: 'delegation'
properties: {
serviceName: 'Microsoft.Web/serverfarms'
serviceName: !(deployAseV3) ? 'Microsoft.Web/serverfarms' : 'Microsoft.Web/hostingEnvironments'
}
}
]
// networkSecurityGroup: {
// id: nsgAca.outputs.nsgID
// }
// routeTable: {
// id: !empty(firewallInternalIp) && (enableEgressLockdown) ? routeTableToFirewall.outputs.resourceId : ''
// }
networkSecurityGroup: {
id: !(deployAseV3) ? nsgPep.outputs.nsgId : nsgAse.outputs.nsgId
}
routeTable: !empty(firewallInternalIp) && (enableEgressLockdown) ? {
id: routeTableToFirewall.outputs.resourceId
} : null
@@ -160,13 +159,19 @@ var subnets = [
addressPrefix: subnetSpokeDevOpsAddressSpace
privateEndpointNetworkPolicies: 'Enabled'
}
networkSecurityGroup: {
id: nsgPep.outputs.nsgId
}
}
{
name: resourceNames.snetPe
properties: {
addressPrefix: subnetSpokePrivateEndpointAddressSpace
privateEndpointNetworkPolicies: 'Disabled'
}
networkSecurityGroup: {
id: nsgPep.outputs.nsgId
}
}
]

@@ -212,6 +217,46 @@ module routeTableToFirewall '../../shared/bicep/network/udr.bicep' = if (!empty(
}
}

@description('NSG Rules for the private enpoint subnet.')
module nsgPep '../../shared/bicep/network/nsg.bicep' = {
name: take('nsgPep-${deployment().name}', 64)
params: {
name: resourceNames.pepNsg
location: location
tags: tags
securityRules: []
diagnosticWorkspaceId: logAnalyticsWs.outputs.logAnalyticsWsId
}
}

@description('NSG Rules for the private enpoint subnet.')
module nsgAse '../../shared/bicep/network/nsg.bicep' = {
name: take('nsgAse-${deployment().name}', 64)
params: {
name: resourceNames.aseNsg
location: location
tags: tags
securityRules: [
{
name: 'SSL_WEB_443'
properties: {
direction: 'Inbound'
access: 'Allow'
protocol: 'Tcp'
sourceAddressPrefix: '*'
sourcePortRange: '*'
destinationAddressPrefix: '*'
destinationPortRange: '443'
priority: 100
}
}
]
diagnosticWorkspaceId: logAnalyticsWs.outputs.logAnalyticsWsId
}
}



resource snetAppSvc 'Microsoft.Network/virtualNetworks/subnets@2022-07-01' existing = {
name: '${vnetSpoke.outputs.vnetName}/${resourceNames.snetAppSvc}'
}
@@ -227,7 +272,7 @@ resource snetPe 'Microsoft.Network/virtualNetworks/subnets@2022-07-01' existing
module logAnalyticsWs '../../shared/bicep/log-analytics-ws.bicep' = {
name: 'logAnalyticsWs-Deployment'
params: {
name: resourceNames.logAnalyticsWs
name: resourceNames.logAnalticsWs
location: location
tags: tags
}
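Review bot: The `SSL_WEB_443` rule in the nsgAse module (fourth hunk) allows inbound TCP/443 from `sourceAddressPrefix: '*'` to every address in the ASE subnet, which is broader than an internal ASE normally needs; if web traffic only reaches the environment from inside the VNet or the peered hub, `sourceAddressPrefix: 'VirtualNetwork'` (or the ingress subnet's prefix) expresses that intent and leaves the default DenyAllInbound rule covering everything else. The `@description` on nsgAse is copied from nsgPep and says "private enpoint subnet"; `@description('NSG rules for the ASE subnet.')` would match what it configures (and fix the typo, which nsgPep's description shares). In the last hunk the resourceNames key changes between `logAnalyticsWs` and `logAnalticsWs`; whichever spelling the resourceNames object (outside this section) actually declares, the other fails at compile time, so it is worth confirming which side is the fix.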
2 changes: 1 addition & 1 deletion scenarios/secure-baseline-multitenant/bicep/main.bicep
@@ -30,7 +30,7 @@ param subnetHubBastionAddressSpace string = '10.242.0.64/26'
@description('CIDR of the SPOKE vnet i.e. 192.168.0.0/24')
param vnetSpokeAddressSpace string = '10.240.0.0/20'

@description('CIDR of the subnet that will hold the app services plan')
@description('CIDR of the subnet that will hold the app services plan. ATTENTION: ASEv3 needs a /24 network')
param subnetSpokeAppSvcAddressSpace string = '10.240.0.0/26'

@description('CIDR of the subnet that will hold devOps agents etc ')
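Review bot: The new description says ASEv3 needs a /24, but the default for `subnetSpokeAppSvcAddressSpace` stays at `10.240.0.0/26` and nothing ties the two together, so a deployment that enables the ASE path with the default value only fails at ARM deployment time. Bicep cannot express a conditional default size here, but the description could at least spell out the consequence, e.g. `@description('CIDR of the subnet that will hold the app services plan. ATTENTION: ASEv3 needs a /24 network; the default /26 is only valid for the non-ASE deployment')`. The parameter that selects the ASE deployment is not visible in this section, so I am assuming it lives elsewhere in main.bicep.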
@@ -61,7 +61,7 @@
"vnetSpokeAddressSpace": {
"value": "10.240.0.0/20"
},
//CIDR of the subnet that will hold the app services plan
//CIDR of the subnet that will hold the app services plan. ATTENTION: ASEv3 needs a /24 network
"subnetSpokeAppSvcAddressSpace": {
"value": "10.240.0.0/26"
},
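--- a/scenarios/shared/bicep/network/nsg.bicep
+++ b/scenarios/shared/bicep/network/nsg.bicep
@@ -0,0 +1,99 @@
+// ------------------
+// PARAMETERS
+// ------------------
+
+@description('Name of the Network Security Group. Alphanumerics, underscores, periods, and hyphens. Start with alphanumeric. End alphanumeric or underscore. ')
+@maxLength(80)
+param name string
+
+@description('Azure Region where the resource will be deployed in')
+param location string
+
+@description('key-value pairs as tags, to identify the resource')
+param tags object
+
+@description('Optional. Array of Security Rules to deploy to the Network Security Group. When not provided, an NSG including only the built-in roles will be deployed.')
+param securityRules array = []
+
+@description('Optional. When enabled, flows created from Network Security Group connections will be re-evaluated when rules are updates. Initial enablement will trigger re-evaluation. Network Security Group connection flushing is not available in all regions.')
+param flushConnection bool = false
+
+@description('Optional. Resource ID of the diagnostic storage account.')
+param diagnosticStorageAccountId string = ''
+
+@description('Optional. Resource ID of the diagnostic log analytics workspace.')
+param diagnosticWorkspaceId string = ''
+
+@description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
+param diagnosticEventHubAuthorizationRuleId string = ''
+
+@description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.')
+param diagnosticEventHubName string = ''
+
+@description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource.')
+@allowed([
+'allLogs'
+'NetworkSecurityGroupEvent'
+'NetworkSecurityGroupRuleCounter'
+])
+param diagnosticLogCategoriesToEnable array = [
+'allLogs'
+]
+
+@description('Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to "<resourceName>-diagnosticSettings".')
+param diagnosticSettingsName string = ''
+
+
+// ------------------
+// VARIABLES
+// ------------------
+
+var diagnosticsLogsSpecified = [for category in filter(diagnosticLogCategoriesToEnable, item => item != 'allLogs'): {
+category: category
+enabled: true
+}]
+
+var diagnosticsLogs = contains(diagnosticLogCategoriesToEnable, 'allLogs') ? [
+{
+categoryGroup: 'allLogs'
+enabled: true
+}
+] : diagnosticsLogsSpecified
+
+
+// ------------------
+// RESOURCES
+// ------------------
+
+resource networkSecurityGroup 'Microsoft.Network/networkSecurityGroups@2022-07-01' = {
+name: name
+location: location
+tags: tags
+properties: {
+flushConnection: flushConnection
+securityRules: securityRules
+}
+}
+
+
+resource networkSecurityGroup_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = if (!empty(diagnosticStorageAccountId) || !empty(diagnosticWorkspaceId) || !empty(diagnosticEventHubAuthorizationRuleId) || !empty(diagnosticEventHubName)) {
+name: !empty(diagnosticSettingsName) ? diagnosticSettingsName : '${name}-diagnosticSettings'
+properties: {
+storageAccountId: !empty(diagnosticStorageAccountId) ? diagnosticStorageAccountId : null
+workspaceId: !empty(diagnosticWorkspaceId) ? diagnosticWorkspaceId : null
+eventHubAuthorizationRuleId: !empty(diagnosticEventHubAuthorizationRuleId) ? diagnosticEventHubAuthorizationRuleId : null
+eventHubName: !empty(diagnosticEventHubName) ? diagnosticEventHubName : null
+logs: diagnosticsLogs
+}
+scope: networkSecurityGroup
+}
+
+// ------------------
+// OUTPUTS
+// ------------------
+
+@description('Resource id of the newly created Network Security Group')
+output nsgId string = networkSecurityGroup.id
+
+@description('Resource name of the newly created Network Security Group')
+output nsgName string = networkSecurityGroup.name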