Correct wiring of the subscriptions-ci pipeline and prompt for NVA firewall username & password #285

Merged
merged 82 commits into from
May 10, 2022
0d5d94f
ocag148 yaml config
skeeler Jan 27, 2022
744cd37
generic subscription config
skeeler Jan 27, 2022
aa13e56
Merge branch 'main' of https://github.com/Azure/CanadaPubSecALZ
skeeler Jan 27, 2022
051e0f9
Merge branch 'main' of https://github.com/Azure/CanadaPubSecALZ
skeeler Feb 9, 2022
ec52e52
Merge branch 'main' of https://github.com/Azure/CanadaPubSecALZ
skeeler Feb 12, 2022
9bd97ef
Merge branch 'main' of https://github.com/Azure/CanadaPubSecALZ
skeeler Feb 18, 2022
74bcc0e
Merge branch 'main' of https://github.com/Azure/CanadaPubSecALZ
skeeler Feb 23, 2022
861e280
Merge branch 'main' of https://github.com/Azure/CanadaPubSecALZ
skeeler Feb 23, 2022
4ba23af
Merge branch 'main' of https://github.com/Azure/CanadaPubSecALZ
skeeler Feb 28, 2022
fec04b2
Fix Show Variables error on missing variables
skeeler Feb 28, 2022
836783e
Merge branch 'main' of https://github.com/Azure/CanadaPubSecALZ
skeeler Feb 28, 2022
199c814
test config
skeeler Feb 28, 2022
e7b251d
test config
skeeler Feb 28, 2022
9a448d0
Merge branch 'main' of https://github.com/Azure/CanadaPubSecALZ
skeeler Mar 3, 2022
6a99754
Merge branch 'main' of https://github.com/Azure/CanadaPubSecALZ
skeeler Mar 5, 2022
ba0e29a
Merge branch 'main' of https://github.com/Azure/CanadaPubSecALZ
skeeler Mar 5, 2022
faf9b45
Merge branch 'main' of https://github.com/Azure/CanadaPubSecALZ
skeeler Mar 12, 2022
4b0b8fe
Add UAT, remove QA from config
skeeler Mar 23, 2022
041ace6
add main branch config for my AzDO org
skeeler Mar 23, 2022
8a5ed9a
Merge branch 'main' of https://github.com/Azure/CanadaPubSecALZ
skeeler Mar 24, 2022
ffb3397
remove branch config
skeeler Mar 24, 2022
06c573c
test alternate mgmt group hierarchy
skeeler Mar 25, 2022
6a1391b
Updated management-groups.yml
Mar 25, 2022
611a169
Merge branch 'main' of https://dev.azure.com/ocag148outlook/CanadaPub…
skeeler Mar 25, 2022
61a9042
revert trigger condition [skip ci]
skeeler Mar 26, 2022
84a8b73
Merge branch 'main' of https://github.com/Azure/CanadaPubSecALZ
skeeler Mar 31, 2022
f1c8e1f
Merge branch 'main' of https://github.com/Azure/CanadaPubSecALZ
skeeler Apr 5, 2022
1bd3201
Merge branch 'main' of https://github.com/Azure/CanadaPubSecALZ
skeeler Apr 5, 2022
aacd233
Merge branch 'main' of https://github.com/Azure/CanadaPubSecALZ
skeeler Apr 11, 2022
6d443a6
Merge branch 'main' of https://github.com/Azure/CanadaPubSecALZ
skeeler Apr 11, 2022
4180451
Merge branch 'main' of https://github.com/Azure/CanadaPubSecALZ
skeeler Apr 12, 2022
1310fe1
Merge branch 'main' of https://github.com/Azure/CanadaPubSecALZ
skeeler Apr 13, 2022
0a4578a
update with new logging configuration
skeeler Apr 14, 2022
0af1d47
Merge branch 'main' of https://github.com/Azure/CanadaPubSecALZ
skeeler Apr 20, 2022
e5f81be
Merge branch 'main' of https://github.com/Azure/CanadaPubSecALZ
skeeler Apr 25, 2022
ab861cd
Merge branch 'main' of https://github.com/Azure/CanadaPubSecALZ
skeeler Apr 27, 2022
76db5fc
Merge branch 'main' of https://github.com/Azure/CanadaPubSecALZ
skeeler Apr 29, 2022
83e60db
Merge branch 'main' of https://github.com/Azure/CanadaPubSecALZ
skeeler Apr 30, 2022
6f3e109
Merge branch 'main' of https://github.com/Azure/CanadaPubSecALZ
skeeler May 3, 2022
6824cb3
Update CODEOWNERS
skeeler May 9, 2022
0062d67
add test config from stash
skeeler May 9, 2022
0558bfc
main implementation
skeeler May 9, 2022
606b68c
fix quoting issue
skeeler May 9, 2022
8b00238
reverse conditional
skeeler May 9, 2022
94a6159
revert CODEOWNERS so changes don't get back into upstream
skeeler May 9, 2022
c9dcb6f
fix subscription ids quoting
skeeler May 9, 2022
df419f2
Merge branch 'Azure:main' into skeeler
skeeler May 9, 2022
c4a71e2
Delete logging.parameters.json
skeeler May 9, 2022
dc48245
Delete azure-firewall-policy.parameters.json
skeeler May 9, 2022
a5a542a
Delete hub-network.parameters.json
skeeler May 9, 2022
f66a16c
Delete aef2d8e7-284e-4855-942b-6afc0469d1d5_generic-subscription_cana…
skeeler May 9, 2022
eb72fb0
Delete b30af792-1ec0-4a75-be1d-9aa4163ac626_generic-subscription_cana…
skeeler May 9, 2022
c8b2e7a
Delete CanadaPubSecALZ-skeeler-actions.yml
skeeler May 9, 2022
c450119
Delete hub-network.parameters.json
skeeler May 9, 2022
85dfa97
Merge branch 'main' of https://github.com/Azure/CanadaPubSecALZ
skeeler May 9, 2022
f8e7578
Merge remote-tracking branch 'azure/main' into skeeler
skeeler May 9, 2022
b1bedda
test configuration
skeeler May 9, 2022
247834e
test param passing
skeeler May 9, 2022
f64308d
test params
skeeler May 9, 2022
110a0f8
fix name
skeeler May 9, 2022
7c23d97
fix
skeeler May 9, 2022
bf5ecb1
testing
skeeler May 9, 2022
e91152a
fix DeploySubscriptionIds parameter eval
skeeler May 10, 2022
cf244c2
fix environment name quoting
skeeler May 10, 2022
3625a30
Merge branch 'Azure:main' into skeeler
skeeler May 10, 2022
2969e7f
Delete CanadaPubSecALZ-skeeler-actions.yml
skeeler May 10, 2022
f79db7b
Delete b30af792-1ec0-4a75-be1d-9aa4163ac626_generic-subscription_cana…
skeeler May 10, 2022
329bcdb
Delete aef2d8e7-284e-4855-942b-6afc0469d1d5_generic-subscription_cana…
skeeler May 10, 2022
087efea
Delete hub-network.parameters.json
skeeler May 10, 2022
a936347
Delete logging.parameters.json
skeeler May 10, 2022
2b98854
Delete azure-firewall-policy.parameters.json
skeeler May 10, 2022
60f227d
Delete hub-network.parameters.json
skeeler May 10, 2022
f253886
Merge remote-tracking branch 'azure/main' into skeeler
skeeler May 10, 2022
bf9e9be
Merge remote-tracking branch 'azure/main' into skeeler
skeeler May 10, 2022
780db2c
Merge branch 'skeeler' of https://github.com/devopsincanada/CanadaPub…
skeeler May 10, 2022
f6354df
Merge branch 'main' of https://github.com/Azure/CanadaPubSecALZ
skeeler May 10, 2022
5653582
test config
skeeler May 10, 2022
0d1378a
onboarding scripts updates
skeeler May 10, 2022
06e2160
Merge branch 'skeeler' of https://github.com/devopsincanada/CanadaPub…
skeeler May 10, 2022
1ea4a6c
remove local test configs
skeeler May 10, 2022
77c3400
Merge branch 'skeeler' of https://github.com/devopsincanada/CanadaPub…
skeeler May 10, 2022
2b20950
remove local test configs
skeeler May 10, 2022
10 changes: 7 additions & 3 deletions .pipelines/README.md
Expand Up @@ -18,12 +18,16 @@ The following top-level pipelines are present in the `.pipelines/` repository fo
| 2 | Platform Logging | `platform-logging.yml` | platform-logging-ci
| 3 | Policy | `policy.yml` | policy-ci
| 4 | Roles | `roles.yml` | roles-ci
| 5 | Networking | `platform-connectivity-hub-nva.yml` | platform-connectivity-hub-nva-ci
| 6 | Subscription | `subscription.yml` | subscription-ci
| 5a | Networking (NVA) | `platform-connectivity-hub-nva.yml` | platform-connectivity-hub-nva-ci
| 5b | Networking (Azure Firewall) | `platform-connectivity-hub-azfw-policy.yml` | platform-connectivity-hub-azfw-policy-ci
| 5b | Networking (Azure Firewall) | `platform-connectivity-hub-azfw.yml` | platform-connectivity-hub-azfw-ci
| 6 | Subscriptions | `subscriptions.yml` | subscriptions-ci

These pipelines need to be run in the order specified. For example, the `Policy` pipeline is dependent on resources deployed by the `Platform Logging` pipeline. Think of it as a layered approach; once the layer is deployed, it only requires re-running if some configuration at that layer changes.

In the default implementation, the `Management Groups`, `Platform Logging`, `Policy`, and `Roles` pipelines are run automatically (trigger) whenever a related code change is detected on the `main` branch. The `Networking` and `Subscription` pipelines do not run automatically (no trigger). This behavior can be changed by modifying the corresponding YAML pipeline definition files.
There are two distinct `Networking` pipelines, each deploys the hub side of a hub & spoke network topology. The `Networking (NVA)` option is intended for environments with a Network Virtual Appliance, and the `Networking (Azure Firewall)` option is intended for environments using Azure Firewall.

In the default implementation, the `Management Groups`, `Platform Logging`, `Policy`, and `Roles` pipelines are run automatically (trigger) whenever a related code change is detected on the `main` branch. The `Networking` and `Subscriptions` pipelines do not run automatically (no trigger). This behavior can be changed by modifying the corresponding YAML pipeline definition files.

In the default implementation, the `Roles` and `Platform Logging` pipelines are run automatically after a successful run of the `Management Groups` pipeline, and the `Policy` pipeline is run automatically after a successful run of the `Platform Logging` pipeline. Again, this behavior can be changed by modifying the corresponding YAML pipeline definition files.

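Review bot: the new table has two rows numbered `5b` (`platform-connectivity-hub-azfw-policy.yml` and `platform-connectivity-hub-azfw.yml`), which is a problem because the paragraph right below says "These pipelines need to be run in the order specified"; make the intended order explicit, for example `5b` for the policy pipeline and `5c` for the firewall pipeline, or state in the new Networking paragraph which of the two runs first. In that same paragraph, "each deploys the hub side" should read "each of which deploys the hub side".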
16 changes: 8 additions & 8 deletions docs/archetypes/authoring-guide.md
Expand Up @@ -116,12 +116,12 @@ Each archetype is intended to be self-contained and provides all deployment temp

6. Create a JSON Schema definition for the archetype. Consider using a tool such as [JSON to Jsonschema](https://jsonformatter.org/json-to-jsonschema) to generate the initial schema definition that you customize. For all common features, you must reference the existing definitions for the types. See example: [schemas/latest/landingzones/lz-generic-subscription.json](../../schemas/latest/landingzones/lz-generic-subscription.json)

7. Verify archetype deployment through `subscription-ci` Azure DevOps Pipeline. More information on the pipeline can be found in [Azure DevOps Onboarding Guide](../onboarding/ado.md#step-8--configure-subscription-archetypes).
7. Verify archetype deployment through `subscriptions-ci` Azure DevOps Pipeline. More information on the pipeline can be found in [Azure DevOps Onboarding Guide](../onboarding/ado.md#step-8--configure-subscription-archetypes).

- Create a subscription JSON Parameters file per [deployment instructions](#deployment-instructions).
- Run the pipeline by providing the subscription guid

`subscription-ci` pipeline will automatically identify the archetype, the subscription and region based on the file name. The JSON Schema is located by the archetype name and used for pre-deployment verification.
`subscriptions-ci` pipeline will automatically identify the archetype, the subscription and region based on the file name. The JSON Schema is located by the archetype name and used for pre-deployment verification.

Once verifications are complete, the pipeline will move the subscription to the target management group (based on the folder structure) and execute `main.bicep`.

Expand Down Expand Up @@ -175,7 +175,7 @@ An archetype can deploy & configure any number of Azure services. For consisten
- **Subscription Tags** - configures subscription tags
- **Resource Tags** - configures tags on resource groups

> **Log Analytics Workspace integration**: `main.bicep` must accept an input parameter named `logAnalyticsWorkspaceResourceId`. This parameter is automatically set by `subscription-ci` Pipeline based on the environment configuration. This parameter is used to link Microsoft Defender for Cloud to Log Analytics Workspace.
> **Log Analytics Workspace integration**: `main.bicep` must accept an input parameter named `logAnalyticsWorkspaceResourceId`. This parameter is automatically set by `subscriptions-ci` Pipeline based on the environment configuration. This parameter is used to link Microsoft Defender for Cloud to Log Analytics Workspace.

Input parameters for common features are:

Expand Down Expand Up @@ -276,7 +276,7 @@ As a result, we could either

- have Azure deploy the archetype and fail on invalid inputs. An administrator would have to deploy multiple times to fix all errors; or

- attempt to detect invalid inputs as a pre-check in our `subscription-ci` pipeline.
- attempt to detect invalid inputs as a pre-check in our `subscriptions-ci` pipeline.

We chose to check the input parameters prior to deployment to identify misconfigurations faster. Validations are performed using JSON Schema definitions. These definitions are located in [schemas/latest/landingzones](../../schemas/latest/landingzones) folder.

Expand Down Expand Up @@ -341,7 +341,7 @@ These parameter files are located in [config/subscription](../../config/subscrip

Immediate subfolder defines the environment which is based on Azure DevOps Organization (i.e. `CanadaESLZ`) & Git branch name (i.e. `main`), for example the subfolder will be called `CanadaESLZ-main`. You can have many environments based on Git branch names such as `CanadaESLZ-feature-1`, `CanadaESLZ-dev`, etc.

ARM parameter files are used by `subscription-ci` Azure DevOps Pipeline when configuring subscriptions with Azure resources. The pipeline will detect environment, management group, subscription, deployment location and deployment parameters using the folder hierarchy, file name and file content.
ARM parameter files are used by `subscriptions-ci` Azure DevOps Pipeline when configuring subscriptions with Azure resources. The pipeline will detect environment, management group, subscription, deployment location and deployment parameters using the folder hierarchy, file name and file content.

For example when the file path is:

Expand Down Expand Up @@ -395,7 +395,7 @@ There are two approaches for achieving uniquness:

In this approach, you must ensure all management group ids are unique yourself.

The `subscription-ci` management group detection logic is built to accommodate both scenarios.
The `subscriptions-ci` management group detection logic is built to accommodate both scenarios.

**To support approach #1:**

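Review bot: the context line carried in this hunk's header still reads "There are two approaches for achieving uniquness:"; since the rename already touches this section, fix the typo to "uniqueness" in the same change.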
Expand All @@ -408,7 +408,7 @@ The `subscription-ci` management group detection logic is built to accommodate b
- DevTest
```

- `subscription-ci` will then take the folder structure and concatenate it to create the management group id. In this example `DevTest` management group id will be `pubsecLandingZonesDevTest`.
- `subscriptions-ci` will then take the folder structure and concatenate it to create the management group id. In this example `DevTest` management group id will be `pubsecLandingZonesDevTest`.

**To support approach #2:**

Expand All @@ -421,4 +421,4 @@ The `subscription-ci` management group detection logic is built to accommodate b
- DevTest
```

- `subscription-ci` will then take the folder name as the structure (since there aren't any sub folders). In this example `DevTest` management group id will be `DevTest`.
- `subscriptions-ci` will then take the folder name as the structure (since there aren't any sub folders). In this example `DevTest` management group id will be `DevTest`.
2 changes: 1 addition & 1 deletion docs/architecture.md
Expand Up @@ -556,7 +556,7 @@ Use the [Azure DevOps Pipelines](onboarding/azure-devops-pipelines.md) onboardin
| Platform – Hub Networking using NVAs | platform-connectivity-hub-nva.yml | platform-connectivity-hub-nva-ci | Configures Hub Networking with Fortigate Firewalls. | spn-azure-platform-ops | None |
| Platform – Hub Networking with Azure Firewall - Firewall Policy | platform-connectivity-hub-azfw-policy.yml | platform-connectivity-hub-azfw-policy-ci | Configures Azure Firewall Policy. A policy contains firewall rules and firewall configuration such as enabling DNS Proxy. Firewall policies can be updated independently of Azure Firewall. | spn-azure-platform-ops | None |
| Platform – Hub Networking with Azure Firewall | platform-connectivity-hub-azfw.yml | platform-connectivity-hub-azfw-ci | Configures Hub Networking with Azure Firewall. | spn-azure-platform-ops | None |
| Subscriptions | subscription.yml | subscription-ci | Configures a new subscription based on the archetype defined in the configuration file name. | spn-azure-platform-ops | None |
| Subscriptions | subscriptions.yml | subscriptions-ci | Configures a new subscription based on the archetype defined in the configuration file name. | spn-azure-platform-ops | None |
| Pull Request Validation | pull-request-check.yml | pull-request-validation-ci | Checks for breaking changes to Bicep templates & parameter schemas prior to merging the change to main branch. This pipeline must be configured as a check for the `main` branch. | spn-azure-platform-ops | None |

### 9.4 Release Process
6 changes: 3 additions & 3 deletions docs/onboarding/azure-devops-pipelines.md
Expand Up @@ -1500,7 +1500,7 @@ In order to configure audit stream for Azure Monitor, identify the following inf
5. Select Existing Azure Pipeline YAML file
6. Identify the pipeline in `.pipelines/subscriptions.yml`.
7. Save the pipeline (don't run it yet)
8. Rename the pipeline to `subscription-ci`
8. Rename the pipeline to `subscriptions-ci`

2. Create a subscription configuration file (JSON)

Expand All @@ -1525,9 +1525,9 @@ In order to configure audit stream for Azure Monitor, identify the following inf
3. Run the subscription pipeline

1. In Azure DevOps, go to Pipelines
2. Select the `subscription-ci` pipeline and run it.
2. Select the `subscriptions-ci` pipeline and run it.

> The `subscription-ci` pipeline YAML is configured, by default, to **not** run automatically; you can change this if desired.
> The `subscriptions-ci` pipeline YAML is configured, by default, to **not** run automatically; you can change this if desired.

3. In the Run Pipelines dialog window, enter the first 4 digits of your new subscription configuration file name (4 is usually enough of the GUID to uniquely identify the subscription) between the square brackets in the `subscriptions` parameter field. For example: `[802e]`.

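Review bot: step 3 only shows the single-subscription form `[802e]` for the `subscriptions` parameter, yet the parameter is plural and uses list brackets, and this PR's commits "fix subscription ids quoting" and "fix DeploySubscriptionIds parameter eval" changed how that value is parsed; document the multi-value syntax here (separator, whether each id needs quotes, whether whitespace is tolerated) so a user does not have to read the YAML to find out.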
5 changes: 2 additions & 3 deletions docs/onboarding/azure-devops-scripts.md
Expand Up @@ -227,7 +227,6 @@ Next, edit the newly created file, using the guidance in the following table.
| DEVOPS_SE_NAME | Azure DevOps service endpoint name. | spn-azure-platform-ops
| DEVOPS_SE_TEMPLATE | File name for the generated Azure DevOps service endpoint template JSON file. | service-endpoint.AzDevOpsOrg.json
| DEVOPS_VARIABLES_GROUP_NAME | Azure DevOps variable group name. Leave this set to `firewall-secrets` as the YAML pipeline for networking is hard-coded to use this value. | firewall-secrets
| DEVOPS_VARIABLES_VALUES | Specify values for the NVA firewall username and password in format `key=value key=value`. Replace `YourUsername` and `YourPassword` in the example with your values. DO NOT commit changes that include username and password plaintext values to your repository. | var-hubnetwork-nva-fwUsername=YourUserName var-hubnetwork-nva-fwPassword=YourPassword
| DEVOPS_VARIABLES_ARE_SECRET | Indicates whether variables in the variable group are marked as secret. Possible values are `true` or `false`. Recommend using `true` unless you plan to reconfigure your variable group to use another secure source such as KeyVault. | true
| DEVOPS_OUTPUT_DIR | Name of temporary folder for generated files. | .\output

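Review bot: with the `DEVOPS_VARIABLES_VALUES` row removed, this table no longer tells the reader where the NVA username and password come from; add a sentence (here or in the `create-variable-group.bat` section) stating that the script now prompts for them interactively and that the typed input is echoed on screen, and keep the "do not commit plaintext credentials" guidance somewhere in this guide, since the remaining `DEVOPS_VARIABLES_ARE_SECRET` row still refers to those values.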
Expand Down Expand Up @@ -261,7 +260,7 @@ Run the `create-pipelines.bat` script to create the landing zone pipelines:
- platform-connectivity-hub-nva-ci
- platform-connectivity-hub-azfw-ci
- platform-connectivity-hub-azfw-policy-ci
- subscription-ci
- subscriptions-ci

If you would rather perform these steps manually, detailed guidance is available in the following sections of the [Azure DevOps Pipelines Onboarding Guide](./azure-devops-pipelines.md):

Expand Down Expand Up @@ -296,7 +295,7 @@ Detailed guidance on these configuration requirements is available in the [Azure

### Run pipelines

Run the `run-pipelines.bat` script to interactively run individual landing zone pipelines. Note that at present time the `subscription-ci` pipeline is not included in the list of runnable pipelines as the script requires additional work to enable that capability.
Run the `run-pipelines.bat` script to interactively run individual landing zone pipelines. Note that at present time the `subscriptions-ci` pipeline is not included in the list of runnable pipelines as the script requires additional work to enable that capability.

### Clear environment variables used by scripts

2 changes: 1 addition & 1 deletion scripts/onboarding/create-pipelines.bat
Expand Up @@ -22,7 +22,7 @@ choice /C YN /M "Do you want to proceed?"
if errorlevel 2 exit /b 0

REM Process all pipeline definitions
for %%N in (management-groups roles platform-logging policy platform-connectivity-hub-nva platform-connectivity-hub-azfw platform-connectivity-hub-azfw-policy subscription) do (
for %%N in (management-groups roles platform-logging policy platform-connectivity-hub-nva platform-connectivity-hub-azfw platform-connectivity-hub-azfw-policy subscriptions) do (

REM Check for pipeline existence
set FOUND=
31 changes: 24 additions & 7 deletions scripts/onboarding/create-variable-group.bat
Expand Up @@ -14,7 +14,6 @@ echo.
echo DevOps Organization: %DEVOPS_ORG%
echo DevOps Project: %DEVOPS_PROJECT_NAME%
echo DevOps Variable Group: %DEVOPS_VARIABLES_GROUP_NAME%
echo DevOps Variables: %DEVOPS_VARIABLES_VALUES%
echo DevOps Variables are Secret: %DEVOPS_VARIABLES_ARE_SECRET%
echo.
choice /C YN /M "Do you want to proceed?"
Expand All @@ -33,8 +32,18 @@ if defined ID (
)

REM Create the variable group
echo Creating variable group [%DEVOPS_VARIABLES_GROUP_NAME%] with variables: %DEVOPS_VARIABLES_VALUES%...
call az pipelines variable-group create --name %DEVOPS_VARIABLES_GROUP_NAME% --authorize true --query "[?name=='%DEVOPS_VARIABLES_GROUP_NAME%'].id | [0]" -o tsv --org %DEVOPS_ORG% --project %DEVOPS_PROJECT_NAME% --variables %DEVOPS_VARIABLES_VALUES%
echo Enter NVA username and password to set variables in DevOps variable group [%DEVOPS_VARIABLES_GROUP_NAME%]
echo.
echo **********************************************************************
echo CAUTION: your input is not masked, i.e. it will be visible on-screen
echo **********************************************************************
echo.
set /P NVA_USERNAME=Enter the user name for the NVA firewall:
set /P NVA_PASSWORD=Enter the password for the NVA firewall:
echo.

echo Creating variable group [%DEVOPS_VARIABLES_GROUP_NAME%]...
call az pipelines variable-group create --name %DEVOPS_VARIABLES_GROUP_NAME% --authorize true --query "[?name=='%DEVOPS_VARIABLES_GROUP_NAME%'].id | [0]" -o tsv --org %DEVOPS_ORG% --project %DEVOPS_PROJECT_NAME% --variables var-hubnetwork-nva-fwUsername=%NVA_USERNAME% var-hubnetwork-nva-fwPassword=%NVA_PASSWORD%
echo.
echo Variable group [%DEVOPS_VARIABLES_GROUP_NAME%] has been created.
echo.
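Review bot: the password read by `set /P NVA_PASSWORD=...` is placed unquoted on the `az` command line, so a value containing a space or a cmd metacharacter (`&`, `|`, `^`, `%`, `!`) will either break the call or be reinterpreted; quote the arguments as `"var-hubnetwork-nva-fwUsername=%NVA_USERNAME%" "var-hubnetwork-nva-fwPassword=%NVA_PASSWORD%"`. Two smaller points on the same prompt: `set /P` leaves the variable unchanged when the user just presses Enter, so add an `if not defined NVA_PASSWORD` guard before the `az` call, and unless the script already runs under `setlocal`, `NVA_USERNAME` and `NVA_PASSWORD` stay defined in the caller's cmd session after it exits, so clear them (`set "NVA_PASSWORD="`) once the group is created. The on-screen banner is honest about the lack of masking; if masked input is wanted, delegating the prompt to PowerShell's `Read-Host -AsSecureString` is the usual workaround from a batch file.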
Expand All @@ -43,9 +52,17 @@ echo.
echo RECOMMENDED that you use the Azure DevOps portal to restrict access to this
echo variable group to only the `platform-connectivity-hub-nva` pipeline.
echo.
echo RECOMMENDED that you DO NOT commit to your repository any changes made
echo to this file that include a plaintext username or password.
echo.

REM Set variables as secret in Azure DevOps if requested
if "%DEVOPS_VARIABLES_ARE_SECRET%" == "true" call update-variable-group.bat true
if "%DEVOPS_VARIABLES_ARE_SECRET%" == "true" (
echo.
echo Setting variables in Azure DevOps variable group [%DEVOPS_VARIABLES_GROUP_NAME%] as secret...
echo.
call update-variable-group.bat true
) else (
echo.
echo **************************************************************************
echo WARNING: NVA firewall variables are not marked as secret in Azure DevOps
echo **************************************************************************
echo.
)
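Review bot: the credentials are first written as ordinary (readable) variables by `az pipelines variable-group create --variables ...` and only converted to secret afterwards by `update-variable-group.bat true`, and only when `DEVOPS_VARIABLES_ARE_SECRET` is `true`; that leaves a window where the password is visible to anyone who can view the group, and the `else` branch leaves it readable permanently behind a warning that is easy to miss. Consider creating the group with just the username and then adding the password with `az pipelines variable-group variable create --group-id <id> --name var-hubnetwork-nva-fwPassword --value %NVA_PASSWORD% --secret true`, so the value is never stored unmasked, and make the non-secret path require an explicit confirmation rather than a post-hoc warning. Dropping the "DO NOT commit ... plaintext" lines is fine now that the file no longer carries values.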
4 changes: 0 additions & 4 deletions scripts/onboarding/set-variables.DevOpsOrgName.bat
Expand Up @@ -47,10 +47,6 @@ set DEVOPS_SE_TEMPLATE=service-endpoint.DEVOPS-ORG-NAME.json
REM Do not change this value (hard-coded in YAML pipeline definition)
set DEVOPS_VARIABLES_GROUP_NAME=firewall-secrets

REM Variables is a space-delimited key=value string. Provide values for
REM 'var-hubnetwork-nva-fwUsername' and 'var-hubnetwork-nva-fwPassword'.
set DEVOPS_VARIABLES_VALUES=var-hubnetwork-nva-fwUsername=YourUserName var-hubnetwork-nva-fwPassword=YourPassword

REM Are variables in the firewall-secrets group marked as secret? 'true' or 'false'.
set DEVOPS_VARIABLES_ARE_SECRET=true

4 changes: 0 additions & 4 deletions scripts/onboarding/set-variables.ocag148outlook.bat
Expand Up @@ -47,10 +47,6 @@ set DEVOPS_SE_TEMPLATE=service-endpoint.ocag148outlook.json
REM Do not change this value (hard-coded in YAML pipeline definition)
set DEVOPS_VARIABLES_GROUP_NAME=firewall-secrets

REM Variables is a space-delimited key=value string. Provide values for
REM 'var-hubnetwork-nva-fwUsername' and 'var-hubnetwork-nva-fwPassword'.
set DEVOPS_VARIABLES_VALUES=var-hubnetwork-nva-fwUsername=YourUserName var-hubnetwork-nva-fwPassword=YourPassword

REM Are variables in the firewall-secrets group marked as secret? 'true' or 'false'.
set DEVOPS_VARIABLES_ARE_SECRET=true

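Review bot: `set-variables.ocag148outlook.bat` looks like a per-organization copy of the `set-variables.DevOpsOrgName.bat` template (the org name matches the `dev.azure.com/ocag148outlook` remote in the commit list, and two commits in this PR are titled "remove local test configs"); confirm it is meant to ship in the upstream repository, and otherwise drop it or add a `.gitignore` pattern for `set-variables.<org>.bat` copies so a future local copy holding real values cannot be committed by accident.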