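// ---------------------------------------------------------------------------
// Parameters
// ---------------------------------------------------------------------------

// Storage account holding the customizer script. It is not created by this
// template; its name is only passed to the SAS-token and role-assignment modules.
@description('Name of the existing storage account that contains the customizer script.')
param storageaccountName string

@description('Blob container (in storageaccountName) that contains the customizer script.')
param container string

@description('Resource group of the storage account for customizer script')
param storageaccountRG string

@description('The Azure region where resources in the template should be deployed.')
param location string = resourceGroup().location

@description('location for image definition')
param image_location string = 'eastus2'

// The trailing '?' makes the SAS token that customizerScriptUri appends (with no
// separator) become the URL query string.
// NOTE(review): assumes the SAS module output has no leading '?' — confirm in get-sas-token.bicep.
@description('The name of the customizer script which will be executed during image build.')
param customizerScriptName string = '/s/scripts/runScript.ps1?'

// NOTE: shares its default with imageGalleryName; pass an explicit value if the
// identity and the gallery must have distinct names.
@description('Name of the user-assigned managed identity used by Azure Image Builder template, and for triggering the Azure Image Builder build at the end of the deployment')
param templateIdentityName string = substring('ImageGallery_${guid(resourceGroup().id)}', 0, 21)

// Used as the name of the custom role definition created by AIBCustomRoleDefinition.
@description('Name of the custom role definition created for the Azure Image Builder managed identity.')
param templateIdentityRoleDefinitionName string = guid(resourceGroup().id)

@description('Name of the new Azure Image Gallery resource.')
param imageGalleryName string = substring('ImageGallery_${guid(resourceGroup().id)}', 0, 21)

@description('Detailed image information to set for the custom image produced by the Azure Image Builder build.')
param imageDefinitionProperties object = {
  name: 'Win2019_AzureWindowsBaseline_Definition'
  publisher: 'AzureWindowsBaseline'
  offer: 'WindowsServer'
  sku: '2019-Datacenter'
}

@description('Name of the template to create in Azure Image Builder.')
param imageTemplateName string = 'Win2019_AzureWindowsBaseline_${deployment().name}'

@description('Name of the custom image to create and distribute using Azure Image Builder.')
param runOutputName string = 'Win2019_AzureWindowsBaseline_CustomImage'

@description('List the regions in Azure where you would like to replicate the custom image after it is created.')
param replicationRegions array = [
  'canadacentral'
  'eastus2'
]

// A fresh value on every deployment forces the image-build step to re-run.
@description('A unique string generated for each deployment, to make sure the script is always run.')
param forceUpdateTag string = newGuid()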
// ---------------------------------------------------------------------------
// Variables
// ---------------------------------------------------------------------------

// Commented-out alternative that builds the URL with uri(); not in effect.
//var customizerScriptUri = uri('${GetSASToken.outputs.ContainerBlobEndpoint}${customizerScriptName}', '${GetSASToken.outputs.myContainerUploadSAS}')
// Download URL of the customizer script: blob endpoint + script path + SAS token.
// The three parts are concatenated with no separator, so customizerScriptName is
// expected to end in '?' (its default does) for the SAS to become the query string.
// NOTE(review): the output name suggests an upload (write) SAS is used for what is
// only a download; a read-only SAS would be least privilege — confirm in get-sas-token.bicep.
// NOTE(review): this value is passed into the image template resource; if the SAS module
// output is not declared @secure(), the token is also recorded in deployment history.
var customizerScriptUri = '${GetSASToken.outputs.ContainerBlobEndpoint}${customizerScriptName}${GetSASToken.outputs.myContainerUploadSAS}'
// Deterministic role-assignment names derived from the principal, the scope and (for
// the RG assignment) the role definition, so redeployments are idempotent.
var AIBIdentityRoleAssignmentName = guid(AIBIdentity.outputs.identityId, resourceGroup().id, AIBCustomRoleDefinition.outputs.AIBCustomRoleDefinitionId)
var AIBIdentityRoleAssignNametoSA = guid(AIBIdentity.outputs.identityId, resourceGroup().id)
// Built-in "Storage Blob Data Reader" role: read-only data-plane access, enough to fetch the script.
var StorageBlobReaderRoleID = '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1'
// Obtain the blob endpoint and a SAS token for the container that holds the
// customization script. Both outputs are consumed by customizerScriptUri.
module GetSASToken 'bicep-modules/get-sas-token.bicep' = {
  name: 'get-SAS-Token'
  params: {
    container: container
    storageaccountRG: storageaccountRG
    storageaccountName: storageaccountName
  }
}
// Custom role definition for Azure Image Builder. The permissions it grants are
// defined in aib-custom-role.bicep (not visible here); only its name is set from this file.
module AIBCustomRoleDefinition 'bicep-modules/aib-custom-role.bicep' = {
  name: 'deploy-AIBCustomRoleDefinition'
  params: {
    name: templateIdentityRoleDefinitionName
  }
}
// User-assigned managed identity under which Azure Image Builder runs the build.
// Its identityId and identityPrincipalId outputs feed the role assignments below.
module AIBIdentity 'bicep-modules/user-assigned-identity.bicep' = {
  name: 'deploy-AIB-Identity'
  params: {
    name: templateIdentityName
  }
}
// Grant the AIB identity the custom role at the scope of this resource group.
// The scope is the whole resource group, so the custom role's permissions apply
// to every resource in it, not only to the image-builder resources.
module AIBRoleAssignment 'bicep-modules/aib-role-assignment-to-sp.bicep' = {
  name: 'Grant-AIB-identity-access-to-RG'
  params: {
    scope: resourceGroup().id
    PrincipalID: AIBIdentity.outputs.identityPrincipalId
    RoleDefinitionID: AIBCustomRoleDefinition.outputs.AIBCustomRoleDefinitionId
    templateIdentityRoleAssignmentName: AIBIdentityRoleAssignmentName
  }
}
// Grant the AIB identity read-only blob access (built-in Storage Blob Data Reader)
// on the storage account that holds the customization script. The storage account
// may live in another resource group, hence the explicit module scope.
module AIBRoleAssignmentoStorage 'bicep-modules/aib-role-assignment-sa.bicep' = {
  name: 'Grant-AIB-identity-toCxSA'
  scope: resourceGroup(storageaccountRG)
  params: {
    storageaccountName: storageaccountName
    PrincipalID: AIBIdentity.outputs.identityPrincipalId
    RoleDefinitionID: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', StorageBlobReaderRoleID)
    templateIdentityRoleAssignmentName: AIBIdentityRoleAssignNametoSA
  }
}
// Shared Image Gallery (Azure Compute Gallery) that will hold the image definition.
module sig 'bicep-modules/sig.bicep' = {
  name: 'deploy-Shared-Image-Gallery'
  params: {
    location: location
    SIGName: imageGalleryName
  }
}
// Image definition inside the gallery. The gallery is referenced by name rather
// than by output, so the dependency on the sig module has to be stated explicitly.
module imageDefinition 'bicep-modules/imageDefinition.bicep' = {
  name: 'deploy-Image-definition'
  dependsOn: [
    sig
  ]
  params: {
    location: location
    SIGname: imageGalleryName
    imageDefinitionProperties: imageDefinitionProperties
  }
}
// Azure Image Builder template for the Windows Server 2019 baseline image.
// customizerScriptUri carries the SAS token into the template resource, so anyone
// able to read that resource (or this deployment) can read the token.
module WindowsServer2019_AzureBaseline 'bicep-modules/images/WindowsServer2019-AzureBaseline.bicep' = {
  name: 'create-image-definition-WinServ2019'
  params: {
    location: image_location
    imageTemplateName: imageTemplateName
    imageDefinitionID: imageDefinition.outputs.imageDefinitionID
    AIBIdentityID: AIBIdentity.outputs.identityId
    customizerScriptUri: customizerScriptUri
    runOutputName: runOutputName
    replicationRegions: replicationRegions
  }
}
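// Trigger the Azure Image Builder build of the template created above.
// forceUpdateTag changes on every deployment so the build step always re-runs.
module imageBuild 'bicep-modules/aib-image-build.bicep' = {
  name: 'build-image'
  params: {
    location: image_location
    AIBIdentity: AIBIdentity.outputs.identityId
    imageTemplateName: imageTemplateName
    forceUpdateTag: forceUpdateTag
  }
  // Both role assignments must exist before the build starts: the RG assignment for
  // the build itself, and the storage assignment in case the customizer script is
  // fetched with the identity rather than the SAS token (ordering only, no cycle).
  dependsOn: [
    WindowsServer2019_AzureBaseline
    AIBRoleAssignment
    AIBRoleAssignmentoStorage
  ]
}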
// Outputs: where to find the image template that was built. No secrets are
// exposed here — the SAS token stays inside the module parameters.
output ImageTemplateName string = imageTemplateName
output ImageTemplateRG string = resourceGroup().name