Merge pull request #131 from Azure/130-hub-deployment-fails-with-output-issues-when-not-using-ad-authentication

Fix deployment when using Entra ID authentication
vbalbarin authored Oct 29, 2024
2 parents 075def4 + 174ebde commit 18f7377
Showing 4 changed files with 23 additions and 18 deletions.
3 changes: 2 additions & 1 deletion research-hub/deploy.ps1
Expand Up @@ -54,7 +54,7 @@ bicep build-params $TemplateParameterFile --outfile $TemplateParameterJsonFile
# Read the values from the parameters file, to use when generating the $DeploymentName value
$ParameterFileContents = (Get-Content $TemplateParameterJsonFile | ConvertFrom-Json)
$WorkloadName = $ParameterFileContents.parameters.workloadName.value
$ImagingSubscriptionId = $ParameterFileContents.parameters.imageBuildSubscriptionId.value
$ImagingSubscriptionId = $ParameterFileContents.parameters.imageBuildSubscriptionId?.value ?? $TargetSubscriptionId

# Import the Azure subscription management module
Import-Module ..\scripts\PowerShell\Modules\AzSubscriptionManagement.psm1
Expand All @@ -64,6 +64,7 @@ Set-AzContextWrapper -SubscriptionId $ImagingSubscriptionId -Environment $Enviro

# LATER: Run provider and feature registrations in parallel
Register-AzResourceProviderWrapper -ProviderNamespace "Microsoft.Storage"
Register-AzResourceProviderWrapper -ProviderNamespace "Microsoft.Network"
Register-AzResourceProviderWrapper -ProviderNamespace "Microsoft.ContainerInstance" # For image builder

# Determine if a cloud context switch is required
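Review bot: The new `$ImagingSubscriptionId` line relies on the null-conditional member access `?.value`, which only parses on PowerShell 7.1 or later (`??` itself needs 7.0), so on Windows PowerShell 5.1 the script now dies with a parse error unrelated to the missing parameter; if no version gate exists above the visible lines, add `#Requires -Version 7.1` at the top of deploy.ps1. `??` also falls through only on null, so an `imageBuildSubscriptionId` that is present but set to `''` would still reach `Set-AzContextWrapper` as an empty subscription ID; `[string]::IsNullOrWhiteSpace($ImagingSubscriptionId)` before the context switch would close that gap. Because the fallback silently retargets the image-build context and the provider registrations that follow it to `$TargetSubscriptionId` (defined outside this hunk), a short comment such as `# Image build resources land in the target subscription unless imageBuildSubscriptionId is set` would make that visible to whoever reads the deployment log.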
18 changes: 10 additions & 8 deletions research-hub/hub-modules/networking/main.bicep
Expand Up @@ -67,7 +67,9 @@ module avdApplicationSecurityGroupModule 'br/public:avm/res/network/application-
module managementSubnetSecurityRulesModule 'securityRules/managementAndAvdSubnetSecurityRules.bicep' = if (deployManagementSubnet) {
name: take(replace(deploymentNameStructure, '{rtype}', 'sr-mgmt'), 64)
params: {
applicationSecurityGroupId: managementApplicationSecurityGroupModule.outputs.resourceId
applicationSecurityGroupId: deployManagementSubnet
? managementApplicationSecurityGroupModule.outputs.resourceId
: ''
customDnsIPs: customDnsIPs
deploySubnet: deployManagementSubnet
domainControllerIPAddresses: domainControllerIPAddresses
Expand All @@ -79,7 +81,7 @@ module managementSubnetSecurityRulesModule 'securityRules/managementAndAvdSubnet
module avdSubnetSecurityRulesModule 'securityRules/managementAndAvdSubnetSecurityRules.bicep' = if (deployAvdSubnet) {
name: take(replace(deploymentNameStructure, '{rtype}', 'sr-avd'), 64)
params: {
applicationSecurityGroupId: avdApplicationSecurityGroupModule.outputs.resourceId
applicationSecurityGroupId: deployAvdSubnet ? avdApplicationSecurityGroupModule.outputs.resourceId : ''
customDnsIPs: customDnsIPs
deploySubnet: deployAvdSubnet
domainControllerIPAddresses: domainControllerIPAddresses
Expand Down Expand Up @@ -256,7 +258,7 @@ module managementSubnetIPGroupModule '../../../shared-modules/networking/ipGroup
module azureFirewallModule './azureFirewall.bicep' = {
name: take(replace(deploymentNameStructure, '{rtype}', 'azfw'), 64)
params: {
firewallManagementSubnetId: networkModule.outputs.createdSubnets.AzureFirewallManagementSubnet.id
firewallManagementSubnetId: networkModule.outputs.createdSubnets.?AzureFirewallManagementSubnet.id // FW Management subnet is optional
firewallSubnetId: networkModule.outputs.createdSubnets.AzureFirewallSubnet.id
namingStructure: replace(resourceNamingStructure, '{subWorkloadName}', 'firewall')
firewallTier: firewallTier
Expand Down Expand Up @@ -305,7 +307,7 @@ module avdRouteTableModule '../../../shared-modules/networking/rt.bicep' = if (d
azureFirewallModule.outputs.fwPrIp
))

rtName: networkModule.outputs.createdSubnets.AvdSubnet.routeTableName
rtName: networkModule.outputs.createdSubnets.?AvdSubnet.routeTableName
tags: tags
}
}
Expand All @@ -322,7 +324,7 @@ module mgmtRouteTableModule '../../../shared-modules/networking/rt.bicep' = if (
azureFirewallModule.outputs.fwPrIp
))

rtName: networkModule.outputs.createdSubnets.ManagementSubnet.routeTableName
rtName: networkModule.outputs.createdSubnets.?ManagementSubnet.routeTableName
tags: tags
}
}
Expand All @@ -339,7 +341,7 @@ module airlockRouteTableModule '../../../shared-modules/networking/rt.bicep' = i
azureFirewallModule.outputs.fwPrIp
))

rtName: networkModule.outputs.createdSubnets.AirlockSubnet.routeTableName
rtName: networkModule.outputs.createdSubnets.?AirlockSubnet.routeTableName
tags: tags
}
}
Expand All @@ -352,7 +354,7 @@ module bastionModule './bastion.bicep' = if (deployBastion) {
name: take(replace(deploymentNameStructure, '{rtype}', 'bas'), 64)
params: {
location: location
bastionSubnetId: networkModule.outputs.createdSubnets.AzureBastionSubnet.id
bastionSubnetId: networkModule.outputs.createdSubnets.?AzureBastionSubnet.id
namingStructure: replace(resourceNamingStructure, '{subWorkloadName}', 'bas')
tags: tags
}
Expand All @@ -366,7 +368,7 @@ module vpnGatewayModule './vpnGateway.bicep' = if (deployVpn && !useRemoteGatewa
name: take(replace(deploymentNameStructure, '{rtype}', 'vpngw'), 64)
params: {
location: location
gatewaySubnetId: networkModule.outputs.createdSubnets.GatewaySubnet.id
gatewaySubnetId: networkModule.outputs.createdSubnets.?GatewaySubnet.id
namingStructure: replace(resourceNamingStructure, '{subWorkloadName}', 'vpn')
tags: tags
}
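Review bot: The safe-dereference on `bastionSubnetId` and `gatewaySubnetId` turns a missing `AzureBastionSubnet` or `GatewaySubnet` entry from a template error at the call site into a `null` handed to bastion.bicep / vpnGateway.bicep, whose modules are still conditioned only on `deployBastion` and `deployVpn`, so a misconfigured subnet list now fails deeper inside the callee (or, if those params tolerate null, deploys a gateway without its subnet binding) with a far less obvious error. Only `firewallManagementSubnetId` is annotated as genuinely optional; for the others either keep the strict access or fold the missing-subnet case into the module condition, e.g. `if (deployBastion && contains(networkModule.outputs.createdSubnets, 'AzureBastionSubnet'))`, assuming conditions may depend on the network module's outputs in the repository's Bicep version. The two application-security-group fallbacks use `''` while the rest of the file now yields null via `.?`; one convention would make the callees' empty checks predictable. The route-table, bastion and VPN gateway module definitions begin above their hunks.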
10 changes: 6 additions & 4 deletions research-hub/main.bicep
Expand Up @@ -94,7 +94,7 @@ param adOuPath string = ''
* Network configuration parameters for the research hub
*/

@description('The virtual network\'s address space in CIDR notation, e.g. 10.0.0.0/16. The last octet must be 0. The maximum IPv4 CIDR length is 24. The IPv6 CIDR length should be 64.')
@description('The virtual network\'s address space in CIDR notation, e.g. 10.0.0.0/23. The last octet must be 0. The maximum IPv4 CIDR length is 23. The IPv6 (untested) CIDR length should be 64.')
param networkAddressSpace string

@description('Any additional subnets for the hub virtual network. Specify the properties using ARM syntax/naming.')
Expand Down Expand Up @@ -324,6 +324,7 @@ module uamiModule '../shared-modules/security/uami.bicep' = {
}
}

// LATER: Move RBAC to uamiModule
module uamiKvRbacModule '../module-library/roleAssignments/roleAssignment-kv.bicep' = {
name: take(replace(deploymentNameStructure, '{rtype}', 'uami-kv-rbac'), 64)
scope: securityRg
Expand All @@ -348,6 +349,7 @@ module encryptionKeysModule '../shared-modules/security/encryptionKeys.bicep' =

var kvEncryptionKeys = reduce(encryptionKeysModule.outputs.keys, {}, (cur, next) => union(cur, next))

// Determine if any VMs are being deployed in the hub
var deployingVMs = (!researchVmsAreSessionHosts && jumpBoxSessionHostCount > 0) || isAirlockReviewCentralized

// Create a Disk Encryption Set if we're deploying any VMs and we need to use CMK
Expand Down Expand Up @@ -545,9 +547,9 @@ output hubPrivateDnsZonesResourceGroupId string = empty(existingPrivateDnsZonesR
? networkRg.id
: existingPrivateDnsZonesResourceGroupId

output managementVmId string = managementVmModule.outputs.vmId
output managementVmUamiPrincipalId string = managementVmModule.outputs.uamiPrincipalId
output managementVmUamiClientId string = managementVmModule.outputs.uamiClientId
output managementVmId string = logonType == 'ad' ? managementVmModule.outputs.vmId : 'N/A'
output managementVmUamiPrincipalId string = logonType == 'ad' ? managementVmModule.outputs.uamiPrincipalId : 'N/A'
output managementVmUamiClientId string = logonType == 'ad' ? managementVmModule.outputs.uamiClientId : 'N/A'

output imageDefinitionId string = imagingModule.outputs.imageDefinitionId

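Review bot: The three `managementVm*` outputs now emit the literal string `'N/A'` when `logonType` is not `'ad'`, but anything that consumes a principal ID or VM resource ID from these outputs will treat that text as an identifier, so a role assignment or scope built from it fails with an opaque ARM error rather than a clear "no management VM" condition. Prefer an empty string, which the networking module already uses as its not-deployed sentinel and which `empty()` checks catch naturally, e.g. `output managementVmUamiPrincipalId string = logonType == 'ad' ? managementVmModule.outputs.uamiPrincipalId : ''`, or a nullable `string?` output if the repository's Bicep version already permits it. The updated `networkAddressSpace` description, "The maximum IPv4 CIDR length is 23", is ambiguous about direction; "The IPv4 prefix must be /23 or shorter, i.e. at least 512 addresses" states what the sample parameter file enforces.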
10 changes: 5 additions & 5 deletions research-hub/main.sample-aad.bicepparam
Expand Up @@ -16,11 +16,11 @@ param researchVmsAreSessionHosts = true
param addAutoDateCreatedTag = false
param addDateModifiedTag = true

param networkAddressSpace = '10.40.0.0/16'
param customDnsIPs = [
'10.40.6.4'
'10.40.6.5'
]
// Must be /23 or larger
param networkAddressSpace = '10.40.0.0/23'
param customDnsIPs = []

param ipAddressPool = ['10.40.0.0/16']

param enableAvmTelemetry = true

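Review bot: `networkAddressSpace` shrinks to `10.40.0.0/23` while `ipAddressPool` stays `['10.40.0.0/16']`, so the pool, if it is what downstream or spoke allocations are carved from, now contains the hub's own range and can hand out addresses that collide with the hub subnets. If the pool is meant to exclude the hub, point it at the remaining space, e.g. `param ipAddressPool = ['10.40.2.0/23']` or a larger non-overlapping block, and state the relationship in the comment above `networkAddressSpace`. Clearing `customDnsIPs` is consistent with Entra ID-only logon, but a one-line comment such as `// No domain controllers with Entra ID logon; presumably Azure-provided DNS is used` would record why the earlier DC addresses were dropped.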
