PowerShell deployment scripts #271

Merged
merged 31 commits into from
Apr 29, 2022
607074a
PS scaffolding for deploying MGs, Roles and Logging
SenthuranSivananthan Apr 28, 2022
d57270f
Add todo marker
SenthuranSivananthan Apr 28, 2022
77560c7
Update config path
SenthuranSivananthan Apr 28, 2022
761e0e2
Scaffolding for Policy
SenthuranSivananthan Apr 28, 2022
c968bce
Scaffolding for Hub with NVA
SenthuranSivananthan Apr 28, 2022
e1f8b1b
Add subscription move step
SenthuranSivananthan Apr 28, 2022
eebddc3
Fix path
SenthuranSivananthan Apr 28, 2022
d844122
Scaffolding for deploying AzFW Policy
SenthuranSivananthan Apr 28, 2022
cc8a3ea
Scaffolding for Hub + AzFW
SenthuranSivananthan Apr 28, 2022
3d32bbc
Refactor: Set environment context to preload configuration as global …
SenthuranSivananthan Apr 28, 2022
cb051b6
Scaffolding for subscriptions
SenthuranSivananthan Apr 28, 2022
e7bd21b
Ensure we enable Private DNS Zone & DDOS Standard policy assignments …
SenthuranSivananthan Apr 28, 2022
15f532b
Rename folder: helpers -> functions
SenthuranSivananthan Apr 28, 2022
8f97571
Add #requires
SenthuranSivananthan Apr 28, 2022
5802687
Ensure parameters are mandatory
SenthuranSivananthan Apr 28, 2022
dcefcd9
Wrap in function
SenthuranSivananthan Apr 28, 2022
16b851e
Spacing
SenthuranSivananthan Apr 28, 2022
c5db814
Wrap in function
SenthuranSivananthan Apr 28, 2022
0a67189
Refactor as functions
SenthuranSivananthan Apr 28, 2022
5dc0b15
Refactor
SenthuranSivananthan Apr 29, 2022
d058b88
Create MGs
SenthuranSivananthan Apr 29, 2022
825f730
Create roles
SenthuranSivananthan Apr 29, 2022
d293223
Be explicit on region
SenthuranSivananthan Apr 29, 2022
23c0185
Create logging
SenthuranSivananthan Apr 29, 2022
dfd1432
Retrieve LAW information from Azure
SenthuranSivananthan Apr 29, 2022
062340c
Create policy definitions
SenthuranSivananthan Apr 29, 2022
d81878b
Create policies & policy sets
SenthuranSivananthan Apr 29, 2022
954aa92
Ensure context is to the logging subscription
SenthuranSivananthan Apr 29, 2022
57c6c26
Create Hub Networking with NVA
SenthuranSivananthan Apr 29, 2022
36add77
Create Hub Networking with Azure Firewall
SenthuranSivananthan Apr 29, 2022
2a8e081
Update notes
SenthuranSivananthan Apr 29, 2022
4 changes: 2 additions & 2 deletions config/variables/CanadaESLZ-main.yml
Expand Up @@ -58,7 +58,7 @@ variables:
}

# Logging
var-logging-region: $(deploymentRegion)
var-logging-region: canadacentral
var-logging-managementGroupId: pubsecPlatformManagement
var-logging-subscriptionId: bc0a4f9f-07fa-4284-b1bd-fbad38578d3a
var-logging-configurationFileName: logging.parameters.json
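Review bot: pinning `var-logging-region` to the literal `canadacentral` creates a second copy of the region, because `EnvironmentContext.ps1` in this same PR also hardcodes `DeploymentRegion = "canadacentral"` under a `# TODO: Retrieve from common.yml`, and the two can now drift independently. The literal is needed here: the new PowerShell path loads this file straight through `ConvertFrom-Yaml` with no pipeline macro expansion, so `$(deploymentRegion)` would reach `Set-Logging -Region $Context.Variables['var-logging-region']` as a raw string. Consider resolving the region once in `New-EnvironmentContext` and having the per-service variables default to it, so only one place needs changing.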
Expand All @@ -67,7 +67,7 @@ variables:
var-logging-diagnosticSettingsforNetworkSecurityGroupsStoragePrefix: pubsecnsg

# Hub Networking
var-hubnetwork-region: $(deploymentRegion)
var-hubnetwork-region: canadacentral
var-hubnetwork-managementGroupId: pubsecPlatformConnectivity
var-hubnetwork-subscriptionId: ed7f4eed-9010-4227-b115-2a5e37728f27

174 changes: 174 additions & 0 deletions scripts/deployments/E2E.ps1
@@ -0,0 +1,174 @@
#Requires -Modules Az, powershell-yaml

. ".\Functions\EnvironmentContext.ps1"
. ".\Functions\ManagementGroups.ps1"
. ".\Functions\Roles.ps1"
. ".\Functions\Logging.ps1"
. ".\Functions\Policy.ps1"
. ".\Functions\HubNetworkWithNVA.ps1"
. ".\Functions\HubNetworkWithAzureFirewall.ps1"
. ".\Functions\Subscriptions.ps1"

$EnvironmentName = "CanadaESLZ-main"
$WorkingDirectory = Resolve-Path "../.."

# Replace the Tenant ID with the GUID for your Azure Active Directory instance.
# It can be found through https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview
$AzureADTenantId = "343ddfdb-bef5-46d9-99cf-ed67d5948783"

$Features = @{
# Prompt to login to Azure AD and set the context for Azure deployments
PromptForLogin = $false

# Resource Organization
DeployManagementGroups = $false

# Access Control
DeployRoles = $false

# Logging
DeployLogging = $false

# Guardrail & Compliance
DeployPolicy = $false

# Hub Networking - With Network Virtual Appliance
DeployHubNetworkWithNVA = $false

# Hub Networking - With Azure Firewall
DeployHubNetworkWithAzureFirewall = $false
}

Write-Output "Features configured for deployment:"
$Features

# Az Login
if ($Features.PromptForLogin) {
Connect-AzAccount `
-UseDeviceAuthentication `
-TenantId $AzureADTenantId
}

# Set Azure Landing Zones Context
$Context = New-EnvironmentContext -Environment $EnvironmentName -WorkingDirectory $WorkingDirectory

# Deploy Management Groups
if ($Features.DeployManagementGroups) {
Set-ManagementGroups `
-Context $Context `
-ManagementGroupHierarchy $Context.ManagementGroupHierarchy
}

# Deploy Roles
if ($Features.DeployRoles) {
Set-Roles `
-Context $Context `
-RolesDirectory $Context.RolesDirectory `
-ManagementGroupId $Context.TopLevelManagementGroupId
}

# Deploy Logging
if ($Features.DeployLogging) {
Set-Logging `
-Region $Context.Variables['var-logging-region'] `
-ManagementGroupId $Context.Variables['var-logging-managementGroupId'] `
-SubscriptionId $Context.Variables['var-logging-subscriptionId'] `
-ConfigurationFilePath "$($Context.LoggingDirectory)/$($Context.Variables['var-logging-configurationFileName'])"
}

# Deploy Policy
if ($Features.DeployPolicy) {
# Get Logging information using logging config file
$LoggingConfiguration = Get-LoggingConfiguration `
-ConfigurationFilePath "$($Context.LoggingDirectory)/$($Context.Variables['var-logging-configurationFileName'])" `
-SubscriptionId $Context.Variables['var-logging-subscriptionId']

# Custom Policy Definitions
Set-Policy-Definitions `
-PolicyDefinitionsDirectory $Context.PolicyCustomDefinitionDirectory `
-ManagementGroupId $Context.TopLevelManagementGroupId

# Custom Policy Set Definitions
Set-PolicySet-Defintions `
-Context $Context `
-PolicySetDefinitionsDirectory $Context.PolicySetCustomDefinitionDirectory `
-ManagementGroupId $Context.TopLevelManagementGroupId `
-PolicySetDefinitionNames $('AKS', 'DefenderForCloud', 'LogAnalytics', 'Network', 'DNSPrivateEndpoints', 'Tags')

# Built In Policy Set Assignments
Set-PolicySet-Assignments `
-Context $Context `
-PolicySetAssignmentsDirectory $Context.PolicySetBuiltInAssignmentsDirectory `
-PolicySetAssignmentManagementGroupId $Context.TopLevelManagementGroupId `
-PolicySetAssignmentNames $('asb', 'nist80053r4', 'nist80053r5', 'pbmm', 'cis-msft-130', 'fedramp-moderate', 'hitrust-hipaa', 'location') `
-LogAnalyticsWorkspaceResourceGroupName $LoggingConfiguration.ResourceGroupName `
-LogAnalyticsWorkspaceResourceId $LoggingConfiguration.LogAnalyticsWorkspaceResourceId `
-LogAnalyticsWorkspaceId $LoggingConfiguration.LogAnalyticsWorkspaceId `
-LogAnalyticsWorkspaceRetentionInDays $LoggingConfiguration.LogRetentionInDays

# Custom Policy Sets Assignments
Set-PolicySet-Assignments `
-Context $Context `
-PolicySetAssignmentsDirectory $Context.PolicySetCustomAssignmentsDirectory `
-PolicySetAssignmentManagementGroupId $Context.TopLevelManagementGroupId `
-PolicySetAssignmentNames $('AKS', 'DefenderForCloud', 'LogAnalytics', 'Network', 'Tags') `
-LogAnalyticsWorkspaceResourceGroupName $LoggingConfiguration.ResourceGroupName `
-LogAnalyticsWorkspaceResourceId $LoggingConfiguration.LogAnalyticsWorkspaceResourceId `
-LogAnalyticsWorkspaceId $LoggingConfiguration.LogAnalyticsWorkspaceId `
-LogAnalyticsWorkspaceRetentionInDays $LoggingConfiguration.LogRetentionInDays
}

# Deploy Hub Networking with NVA
if ($Features.DeployHubNetworkWithNVA) {
# Get Logging information using logging config file
$LoggingConfiguration = Get-LoggingConfiguration `
-ConfigurationFilePath "$($Context.LoggingDirectory)/$($Context.Variables['var-logging-configurationFileName'])" `
-SubscriptionId $Context.Variables['var-logging-subscriptionId']

Set-HubNetwork-With-NVA `
-Context $Context `
-Region $Context.Variables['var-hubnetwork-region'] `
-ManagementGroupId $Context.Variables['var-hubnetwork-managementGroupId'] `
-SubscriptionId $Context.Variables['var-hubnetwork-subscriptionId'] `
-ConfigurationFilePath "$($Context.NetworkingDirectory)/$($Context.Variables['var-hubnetwork-nva-configurationFileName'])" `
-LogAnalyticsWorkspaceResourceId $LoggingConfiguration.LogAnalyticsWorkspaceResourceId
}

# Hub Networking with Azure Firewall
if ($Features.DeployHubNetworkWithAzureFirewall) {
# Get Logging information using logging config file
$LoggingConfiguration = Get-LoggingConfiguration `
-ConfigurationFilePath "$($Context.LoggingDirectory)/$($Context.Variables['var-logging-configurationFileName'])" `
-SubscriptionId $Context.Variables['var-logging-subscriptionId']

# Create Azure Firewall Policy
Set-AzureFirewallPolicy `
-Region $Context.Variables['var-hubnetwork-region'] `
-SubscriptionId $Context.Variables['var-hubnetwork-subscriptionId'] `
-ConfigurationFilePath "$($Context.NetworkingDirectory)/$($Context.Variables['var-hubnetwork-azfwPolicy-configurationFileName'])"

# Retrieve Azure Firewall Policy
$AzureFirewallPolicyConfiguration = Get-AzureFirewallPolicy `
-SubscriptionId $Context.Variables['var-hubnetwork-subscriptionId'] `
-ConfigurationFilePath "$($Context.NetworkingDirectory)/$($Context.Variables['var-hubnetwork-azfwPolicy-configurationFileName'])"

# Create Hub Networking with Azure Firewall
Set-HubNetwork-With-AzureFirewall `
-Context $Context `
-Region $Context.Variables['var-hubnetwork-region'] `
-ManagementGroupId $Context.Variables['var-hubnetwork-managementGroupId'] `
-SubscriptionId $Context.Variables['var-hubnetwork-subscriptionId'] `
-ConfigurationFilePath "$($Context.NetworkingDirectory)/$($Context.Variables['var-hubnetwork-azfw-configurationFileName'])" `
-AzureFirewallPolicyResourceId $AzureFirewallPolicyConfiguration.AzureFirewallPolicyResourceId `
-LogAnalyticsWorkspaceResourceId $LoggingConfiguration.LogAnalyticsWorkspaceResourceId
}

<#

# Subscriptions
Set-Subscriptions `
-Region "canadacentral" `
-SubscriptionIds $("4f9", "ec6") `
-LogAnalyticsWorkspaceResourceId $LoggingConfiguration.LogAnalyticsWorkspaceResourceId

#>
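Review bot: with `PromptForLogin = $false` (the default in `$Features`) the script deploys into whatever Az context is already cached and never checks that it belongs to `$AzureADTenantId`, so management groups, custom roles and policy-set assignments at `$Context.TopLevelManagementGroupId` will land in the wrong tenant if the operator last ran `Connect-AzAccount` elsewhere. Add a guard right after the login block, e.g. `if ((Get-AzContext).Tenant.Id -ne $AzureADTenantId) { throw "Az context is not in tenant $AzureADTenantId" }`. Related: the tenant GUID is committed as a literal with a "Replace the Tenant ID" comment; it belongs in a `param()` block or in the environment YAML next to the subscription IDs rather than edited in place. Smaller points: `Resolve-Path "../.."` and the dot-sourced `.\Functions\*.ps1` resolve against the caller's current directory, not the script's, so the script only works when invoked from `scripts/deployments` (use `$PSScriptRoot` for both); `Get-LoggingConfiguration` is invoked three times with identical arguments and can be hoisted above the feature blocks; `Set-PolicySet-Defintions` is misspelled and must match the name exported by `Policy.ps1`; the commented-out `Set-Subscriptions` call carries placeholder IDs `"4f9"` and `"ec6"` and reads `$LoggingConfiguration`, which is only set inside the feature blocks, so either wire it into `$Features` with a real `Get-LoggingConfiguration` call or drop it until it is ready.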
48 changes: 48 additions & 0 deletions scripts/deployments/Functions/EnvironmentContext.ps1
@@ -0,0 +1,48 @@
#Requires -Modules powershell-yaml

Import-Module powershell-yaml

function New-EnvironmentContext {
param (
[Parameter(Mandatory = $true)]
[string] $WorkingDirectory,

[Parameter(Mandatory = $true)]
[string] $Environment
)

$EnvironmentConfigurationYamlFilePath = "$WorkingDirectory/config/variables/$Environment.yml"

# Load main environment variables file as YAML
$EnvironmentConfiguration = Get-Content $EnvironmentConfigurationYamlFilePath | ConvertFrom-Yaml
$Variables = $EnvironmentConfiguration.variables

# Retrieve the management group hierarchy variable as JSON
$ManagementGroupHierarchy = $Variables['var-managementgroup-hierarchy'] | ConvertFrom-Json

$PolicyDirectory = "$WorkingDirectory/policy"

# Create a new context object
return [PSCustomObject]@{
WorkingDirectory = $WorkingDirectory

RolesDirectory = "$WorkingDirectory/roles"

PolicyCustomDefinitionDirectory = "$PolicyDirectory/custom/definitions/policy"
PolicySetCustomDefinitionDirectory = "$PolicyDirectory/custom/definitions/policyset"
PolicySetCustomAssignmentsDirectory = "$PolicyDirectory/custom/assignments"
PolicySetBuiltInAssignmentsDirectory = "$PolicyDirectory/builtin/assignments"

LoggingDirectory = "$WorkingDirectory/config/logging/$Environment"
NetworkingDirectory = "$WorkingDirectory/config/networking/$Environment"

Variables = $Variables
ManagementGroupHierarchy = $ManagementGroupHierarchy

# Identify the top level management group (the first child underneath Tenant Root Group)
TopLevelManagementGroupId = $ManagementGroupHierarchy.children[0].id

# TODO: Retrieve from common.yml
DeploymentRegion = "canadacentral"
}
}
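Review bot: `New-EnvironmentContext` does no validation of the inputs it turns into deployment scope. `TopLevelManagementGroupId = $ManagementGroupHierarchy.children[0].id` assumes `var-managementgroup-hierarchy` is present, is valid JSON and has at least one child; if any of that fails the value is `$null` and every `Set-Roles`, `Set-Policy-Definitions` and `Set-PolicySet-Assignments` call in `E2E.ps1` receives an empty `-ManagementGroupId`. A mistyped `$Environment` likewise surfaces only as a `Get-Content` error on the YAML path. Suggest `if (-not (Test-Path $EnvironmentConfigurationYamlFilePath)) { throw ... }` before loading, and a `throw` when `$ManagementGroupHierarchy.children` is empty, so the failure is explicit and nothing downstream runs with a null scope. Also, `DeploymentRegion = "canadacentral"` is hardcoded under a TODO while `CanadaESLZ-main.yml` in this PR now carries the same literal in `var-logging-region` and `var-hubnetwork-region`; pick one source for the region so the context object and the YAML cannot disagree.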