update github workflow for Deploy Enterprise Landing Zone Hub & Spoke Infrastructure #160

Open
wants to merge 82 commits into
base: main
82 commits
becf30b
Update 1-deploy-infrastructure.yml
iamaliyousefi Oct 24, 2024
3908f5c
Update 1-deploy-infrastructure.yml
iamaliyousefi Oct 24, 2024
d42ca4e
Update 1-deploy-infrastructure.yml
iamaliyousefi Oct 24, 2024
9262d95
Update 1-deploy-infrastructure.yml
iamaliyousefi Oct 24, 2024
e673cbc
Update 1-deploy-infrastructure.yml
iamaliyousefi Oct 24, 2024
2aef71b
Update 1-deploy-infrastructure.yml
iamaliyousefi Oct 24, 2024
627e177
Update 1-deploy-infrastructure.yml
iamaliyousefi Oct 31, 2024
8d21ac3
Update 1-deploy-infrastructure.yml
iamaliyousefi Oct 31, 2024
208049a
Update 1-deploy-infrastructure.yml
iamaliyousefi Oct 31, 2024
d6fe25e
Update 1-deploy-infrastructure.yml
iamaliyousefi Nov 21, 2024
4bb7e29
update to use azure/arm-deploy@v2
iamaliyousefi Nov 21, 2024
47dacbb
Update 1-deploy-infrastructure.yml
iamaliyousefi Nov 21, 2024
d00f815
Update 1-deploy-infrastructure.yml
iamaliyousefi Nov 21, 2024
aed3aec
Change PascalCase for 4 parameters to camelCase
iamaliyousefi Nov 22, 2024
e57bf78
azure/CLI@v2
iamaliyousefi Nov 22, 2024
025500b
Fix git actions
iamaliyousefi Nov 22, 2024
bb600c8
Fix git actions
iamaliyousefi Nov 22, 2024
dff2840
ESLZ-HUB
iamaliyousefi Nov 22, 2024
0c137d5
Update parameters-main.json
iamaliyousefi Nov 22, 2024
7e84d92
comment out Create User Defined Route
iamaliyousefi Nov 25, 2024
9a89ca0
delete dnsServers lines
iamaliyousefi Nov 25, 2024
881b05a
remove dnsServers parameter
iamaliyousefi Nov 25, 2024
e20b635
Replace AKS-LZA-SPOKE with ESLZ-SPOKE-AKS
iamaliyousefi Nov 26, 2024
6bae1d4
replace AKS-LZA-SPOKE with ESLZ-SPOKE-AKS
iamaliyousefi Nov 26, 2024
5d88a6c
replace AKS-LZA-SPOKE with ESLZ-SPOKE-AKS
iamaliyousefi Nov 26, 2024
3696485
Replace AKS-LZA-SPOKE with ESLZ-SPOKE-AKS
iamaliyousefi Nov 26, 2024
783b4b7
Replace AKS-LZA-SPOKE with ESLZ-SPOKE-AKS
iamaliyousefi Nov 26, 2024
d5fb494
Remove the UDR block
iamaliyousefi Nov 28, 2024
c95c842
make names consistent
iamaliyousefi Nov 29, 2024
396a469
make hub and spoke name consistent
iamaliyousefi Nov 29, 2024
9eb40f8
Use consistent names for hub and spoke
iamaliyousefi Nov 29, 2024
96fbce1
Use consistent names for hub and spoke
iamaliyousefi Nov 29, 2024
75f4f42
Use consistent names for hub and spoke
iamaliyousefi Nov 29, 2024
ca36193
Use consistent names for hub and spoke
iamaliyousefi Nov 29, 2024
badd6d8
Use consistent names for hub and spoke
iamaliyousefi Nov 29, 2024
a5541cc
Use consistent names for hub and spoke
iamaliyousefi Nov 29, 2024
5a06461
Use consistent names for hub and spoke
iamaliyousefi Nov 29, 2024
d5d7062
update rg AVM
iamaliyousefi Dec 6, 2024
6636c89
update rg name
iamaliyousefi Dec 6, 2024
7609864
change rg
iamaliyousefi Dec 6, 2024
df2f80a
change spoke rg name
iamaliyousefi Dec 6, 2024
b813adf
fix vnetHUBRGName parameter
iamaliyousefi Dec 6, 2024
c737d14
fix rgHubName parameter
iamaliyousefi Dec 6, 2024
c133aeb
correct the rgspoke name
iamaliyousefi Dec 6, 2024
18e0bf3
Corr
iamaliyousefi Dec 6, 2024
bc85d44
correct the rgspoke name
iamaliyousefi Dec 6, 2024
79d06c6
Update modules versions in main.bicep
iamaliyousefi Dec 7, 2024
35cc677
Update modules versions in main.bicep
iamaliyousefi Dec 7, 2024
79975e8
Update modules versions in main.bicep
iamaliyousefi Dec 7, 2024
82a5b73
Update modules versions in main.bicep
iamaliyousefi Dec 7, 2024
e6906c2
Update bastion-host module param
iamaliyousefi Dec 7, 2024
791fb5e
Update availabilityZones param for PIP
iamaliyousefi Dec 7, 2024
61139ff
Update availability zone values
iamaliyousefi Dec 7, 2024
a2ca7e6
Add remoteVirtualNetworkResourceId to VNET peering
iamaliyousefi Dec 7, 2024
a9871ca
Replace remoteVirtualNetworkId with remoteVirtualNetworkResourceId
iamaliyousefi Dec 7, 2024
7ba49f1
Update route table
iamaliyousefi Dec 7, 2024
f6f8a39
Update route table
iamaliyousefi Dec 7, 2024
13744b7
Update the route table
iamaliyousefi Dec 7, 2024
1d6dc2d
primaryAgentPoolProfiles instead of primaryAgentPoolProfile
iamaliyousefi Dec 7, 2024
32278c9
monitoringWorkspaceResourceId rather than monitoringWorkspaceId
iamaliyousefi Dec 7, 2024
40188ba
primaryAgentPoolProfiles rather than primaryAgentPoolProfile
iamaliyousefi Dec 7, 2024
7279024
fix availabilityZones default as it should be of type int
iamaliyousefi Dec 7, 2024
51ff6c4
kubeletIdentityObjectId rather than kubeletidentityObjectId
iamaliyousefi Dec 7, 2024
ac81dcb
aksClusterName rather than clusterName
iamaliyousefi Dec 7, 2024
1a20bd0
Error: ERROR: unrecognized template parameter 'aksuseraccessprincipal…
iamaliyousefi Dec 7, 2024
9abfcde
remove aksuseraccessprincipalId parameter
iamaliyousefi Dec 7, 2024
253db69
fix yaml syntax
iamaliyousefi Dec 7, 2024
014249b
update userAssignedIdentities to a recent version
iamaliyousefi Dec 7, 2024
4a21c63
Update AKS_VERSION to a recent version
iamaliyousefi Dec 7, 2024
1d4bafd
add akslaWorkspaceName parameter
iamaliyousefi Dec 9, 2024
c401513
Add aksadminaccessprincipalId as an env variable
iamaliyousefi Dec 9, 2024
3d0a6fe
remove aksadminaccessprincipalId parameter in favor of an env variable
iamaliyousefi Dec 9, 2024
1c7e44c
add aksuseraccessprincipalId param
iamaliyousefi Dec 9, 2024
0790034
Remove appGatewayName parameter
iamaliyousefi Dec 9, 2024
7950d84
change MaxGracefulTerminationSec to int
iamaliyousefi Dec 9, 2024
a962f0d
change BalanceSimilarNodeGroups to bool
iamaliyousefi Dec 9, 2024
da6d35a
Update param types
iamaliyousefi Dec 9, 2024
b81ddb2
remove aksuseraccessprincipalId and aksadminaccessprincipalId
iamaliyousefi Dec 9, 2024
d17dcb2
Update main.bicep
iamaliyousefi Dec 9, 2024
e8848b6
Update LOG_ANALYTICS_WORKSPACE_NAME value to akslaworkspace
iamaliyousefi Dec 9, 2024
283f6b3
contoso rather than constoso
iamaliyousefi Dec 9, 2024
da11dc7
Merge branch 'Azure:main' into main
iamaliyousefi Dec 9, 2024
86 changes: 38 additions & 48 deletions .github/workflows/1-deploy-infrastructure.yml
Expand Up @@ -14,12 +14,12 @@ on:
env:
BICEP_ROOT_PATH: Scenarios/AKS-Secure-Baseline-PrivateCluster/Bicep/
DEPLOYMENT_LOCATION: westus2
HUB_RESOURCE_GROUP: ESLZ-HUB
SPOKE_RESOURCE_GROUP: ESLZ-SPOKE
HUB_RESOURCE_GROUP: ESLZ-HUB-RG
SPOKE_RESOURCE_GROUP: ESLZ-SPOKE-RG
MANAGED_RESOURCE_GROUP: eslzakscluster-aksInfraRG
FIREWALL_NAME: AZFW
CLUSTER_NAME: eslzakscluster
LOG_ANALYTICS_WORKSPACE_NAME: eslzlaworkspace
LOG_ANALYTICS_WORKSPACE_NAME: akslaworkspace
vmSize: Standard_D4d_v5
RUNNER_VM_NAME: runner
SPOKE_VNET_NAME: VNet-SPOKE
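Review bot: renaming the groups to ESLZ-HUB-RG / ESLZ-SPOKE-RG means the "Remove previous resources" step (`az group delete -n ${{ env.HUB_RESOURCE_GROUP }} -y`) will no longer find groups that earlier runs created under ESLZ-HUB / ESLZ-SPOKE, so the first DELETE_EXISTING_RESOURCES run after this merges leaves those (and their bill) behind; delete the old groups once by hand or carry the old names in the cleanup list for one release. Also double-check that the same names are what 03-Network-Hub and 04-Network-LZ parameters-main.json carry (several commits in this PR touch rgHubName / vnetHUBRGName), because the deployments are subscription-scoped and a mismatch silently produces a second set of groups rather than an error.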
Expand All @@ -33,7 +33,7 @@ env:
SPOKE_SUBNET_NAME: servicespe
AKS_SUBNET_CIDR: 10.1.1.0/24
APP_GATEWAY_PIP_NAME: APPGW-PIP
PRIVATE_DNS_NAME: constoso.internal
PRIVATE_DNS_NAME: contoso.internal

AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
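Review bot: the PRIVATE_DNS_NAME fix (constoso.internal to contoso.internal) changes the zone that "Create Custom DNS" creates and links, but nothing removes a `constoso.internal` zone left by an earlier run unless DELETE_EXISTING_RESOURCES is set. Since the hub link is created with `--registration-enabled true`, and a VNet can hold an auto-registration link to only one private zone, a hub VNet still registration-linked to the old zone will make the new link fail. Worth a line in the PR description that existing environments need a DELETE_EXISTING_RESOURCES run.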
Expand All @@ -46,32 +46,34 @@ env:
jobs:
deploy_infrastructure:
runs-on: ubuntu-latest
environment: production
name: 'Deploy Infrastructure'
steps:

- name: Azure Login
uses: Azure/login@v1
uses: Azure/login@v2
if: ${{ env.AZURE_CLIENT_ID != '' && env.AZURE_TENANT_ID != '' && env.AZURE_SUBSCRIPTION_ID != ''}}
with:
client-id: ${{ env.AZURE_CLIENT_ID }}
tenant-id: ${{ env.AZURE_TENANT_ID }}
subscription-id: ${{ env.AZURE_SUBSCRIPTION_ID }}

- name: Remove previous resources
uses: Azure/CLI@v1
uses: azure/cli@v2
if: ${{ inputs.DELETE_EXISTING_RESOURCES }}
continue-on-error: true
with:
azcliversion: latest
inlineScript: |



az group delete -n ${{ env.HUB_RESOURCE_GROUP }} -y
az group delete -n ${{ env.SPOKE_RESOURCE_GROUP }} -y
az deployment sub delete -n ESLZ-HUB-AKS
az deployment sub delete -n ESLZ-HUB
az deployment sub delete -n ESLZ-AKS-HUB-UDR
az deployment sub delete -n ESLZ-HUB-VM
az deployment sub delete -n ESLZ-HUB-RUNNER
az deployment sub delete -n ESLZ-SPOKE-AKS
az deployment sub delete -n ESLZ-SPOKE
az deployment sub delete -n ESLZ-SPOKE-AKS-SUPPORTING
az deployment sub delete -n ESLZ-SPOKE-AKS-UDRNSG
az deployment sub delete -n ESLZ-AKS-CLUSTER
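Review bot: adding `environment: production` changes the subject claim in the GitHub OIDC token from `repo:<owner>/<repo>:ref:refs/heads/main` to `repo:<owner>/<repo>:environment:production`, so the federated credential on the Entra app behind AZURE_CLIENT_ID has to be updated (and the `production` environment has to exist in repo settings) or `Azure/login@v2` will fail on the first run; it is also the right place to require reviewers before a job that can `az group delete` the hub and spoke. Separately, the deployment names changed (ESLZ-HUB-AKS to ESLZ-HUB, ESLZ-SPOKE-AKS to ESLZ-SPOKE) but, as rendered here, the cleanup list only deletes the new names, so subscription-scope deployment records from earlier runs stay around; harmless, but note that `continue-on-error: true` on this step also swallows a failed `az group delete`, after which the following `arm-deploy` steps run against a half-deleted group.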
Expand All @@ -91,20 +93,20 @@ jobs:
uses: actions/checkout@main

- name: Update Variables in IaC Templates
uses: Azure/CLI@v1
uses: azure/cli@v2
with:
azcliversion: latest
inlineScript: |

cd $GITHUB_WORKSPACE/Scenarios/AKS-Secure-Baseline-PrivateCluster/Bicep/03-Network-Hub/modules/VM
cd $GITHUB_WORKSPACE/Scenarios/AKS-Secure-Baseline-PrivateCluster/Bicep/03-Network-Hub/
find . -type f -exec sed -i 's/_OWNER_/${{ env.OWNER }}/g' {} +
find . -type f -exec sed -i 's/_REPO_/${{ env.REPO }}/g' {} +

- name: Create ESLZ Hub
if: ${{ env.AZURE_SUBSCRIPTION_ID != '' }}
uses: azure/arm-deploy@v1
uses: azure/arm-deploy@v2
with:
deploymentName: ESLZ-HUB-AKS
deploymentName: ESLZ-HUB
scope: subscription
region: ${{ env.DEPLOYMENT_LOCATION }}
subscriptionId: ${{ env.AZURE_SUBSCRIPTION_ID }}
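Review bot: widening the `cd` from `03-Network-Hub/modules/VM` to all of `03-Network-Hub/` makes `find . -type f -exec sed -i ...` rewrite every Bicep and parameter file under the hub folder, not just the runner VM module; confirm `_OWNER_` / `_REPO_` appear nowhere else, because sed rewrites any match without complaint. The values are also spliced into the shell text by the expressions engine (`'s/_OWNER_/${{ env.OWNER }}/g'`), which is the standard workflow script-injection pattern if OWNER or REPO can ever come from `inputs` or event payload; safer to pass them as step `env:` and use `$OWNER` / `$REPO` inside the script. And `actions/checkout@main` in the unchanged context above should be pinned to a release tag or SHA like the other actions this PR bumps.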
Expand All @@ -114,7 +116,7 @@ jobs:
failOnStdErr: false

- name: Get CIDR of VM Subnet
uses: Azure/CLI@v1
uses: azure/cli@v2
with:
azcliversion: latest
inlineScript: |
Expand All @@ -123,7 +125,7 @@ jobs:
echo 'VM_SUBNET_CIDR='$VM_SUBNET_CIDR >> $GITHUB_ENV

- name: Update Firewall to allow VMs out
uses: Azure/CLI@v1
uses: azure/cli@v2
with:
azcliversion: latest
inlineScript: |
Expand All @@ -135,7 +137,7 @@ jobs:

- name: Create Jumpbox VM
if: ${{ env.AZURE_SUBSCRIPTION_ID != '' && env.VM_PW != '' }}
uses: azure/arm-deploy@v1
uses: azure/arm-deploy@v2
with:
deploymentName: ESLZ-HUB-VM
template: ${{ env.BICEP_ROOT_PATH }}03-Network-Hub/deploy-vm.bicep
Expand All @@ -148,7 +150,7 @@ jobs:

- name: Create GitHub Runner VM
if: ${{ env.AZURE_SUBSCRIPTION_ID != '' && env.VM_PW != '' && env.VM_PW != '' && env.GH_TOKEN != '' }}
uses: azure/arm-deploy@v1
uses: azure/arm-deploy@v2
with:
deploymentName: ESLZ-HUB-RUNNER
template: ${{ env.BICEP_ROOT_PATH }}03-Network-Hub/deploy-runner.bicep
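Review bot: the `if:` on this step tests `env.VM_PW != ''` twice; if the second check was meant to be a different secret, that guard is missing, otherwise drop the duplicate. Since GH_TOKEN is passed into the runner VM deployment, make sure deploy-runner.bicep declares that parameter `@secure()`: plain ARM parameters are kept in the deployment history and readable by anyone with read access on the subscription deployment.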
Expand Down Expand Up @@ -177,23 +179,10 @@ jobs:
# STORAGE_ACCOUNT_NAME=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 24 | head -n 1)
echo 'STORAGE_ACCOUNT_NAME=s'$(uuidgen) | sed 's/-//g' | cut -c 1-45 >> $GITHUB_ENV

- name: Create User Defined Route
if: ${{ env.AZURE_SUBSCRIPTION_ID != '' }}
uses: azure/arm-deploy@v1
with:
deploymentName: ESLZ-AKS-HUB-UDR
template: ${{ env.BICEP_ROOT_PATH }}03-Network-Hub/updateUDR.bicep
parameters: ${{ env.BICEP_ROOT_PATH }}03-Network-Hub/parameters-updateUDR.json
scope: subscription
region: ${{ env.DEPLOYMENT_LOCATION }}
subscriptionId: ${{ env.AZURE_SUBSCRIPTION_ID }}
resourceGroupName: ${{ env.HUB_RESOURCE_GROUP }}
failOnStdErr: false

- name: Create Spoke
uses: azure/arm-deploy@v1
uses: azure/arm-deploy@v2
with:
deploymentName: ESLZ-SPOKE-AKS
deploymentName: ESLZ-SPOKE
template: ${{ env.BICEP_ROOT_PATH }}04-Network-LZ/main.bicep
parameters: ${{ env.BICEP_ROOT_PATH }}04-Network-LZ/parameters-main.json
scope: subscription
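Review bot: with the "Create User Defined Route" step (updateUDR.bicep) removed, this workflow no longer deploys the hub-side route that forced spoke traffic through the firewall; the only route-table wiring still visible in this diff is the `az network vnet subnet update ... --route-table` calls under "Configure AKS Subnet". Please confirm in the PR description that 04-Network-LZ/main.bicep (touched by the "Update route table" commits) now creates the 0.0.0.0/0 route to the firewall for the AKS subnet; otherwise the private cluster's egress bypasses AZFW and the "Update Firewall to allow AKS out" rules never see that traffic. Minor: the STORAGE_ACCOUNT_NAME line only yields a valid 24-character name because `cut -c 1-45` runs over the whole `KEY=value` string and `STORAGE_ACCOUNT_NAME=s` happens to be 22 characters long; trim the value before echoing it (e.g. `s$(uuidgen | tr -d - | cut -c 1-23)`) so the length does not depend on the key name.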
Expand All @@ -203,7 +192,7 @@ jobs:
failOnStdErr: false

- name: Create AKS Supporting Resources in Spoke
uses: azure/arm-deploy@v1
uses: azure/arm-deploy@v2
with:
deploymentName: ESLZ-SPOKE-AKS-SUPPORTING
template: ${{ env.BICEP_ROOT_PATH }}05-AKS-supporting/main.bicep
Expand All @@ -215,35 +204,35 @@ jobs:
failOnStdErr: false

- name: Set Environment Variables
uses: Azure/CLI@v1
uses: azure/cli@v2
with:
azcliversion: latest
inlineScript: |

RUNNER_MANAGED_IDENTITY_PRINCIPAL_ID="$(az resource list -n ${{ env.RUNNER_VM_NAME }} --query [*].identity.principalId --out tsv)"
echo 'RUNNER_MANAGED_IDENTITY_PRINCIPAL_ID='$RUNNER_MANAGED_IDENTITY_PRINCIPAL_ID >> $GITHUB_ENV

AKS_VERSION='1.26'
AKS_VERSION='1.30'
echo 'AKS_VERSION='$AKS_VERSION >> $GITHUB_ENV

- name: Azure Log out
if: ${{ env.AZURE_CLIENT_ID != '' && env.AZURE_TENANT_ID != '' && env.AZURE_SUBSCRIPTION_ID != ''}}
uses: azure/CLI@v1
uses: azure/cli@v2
with:
inlineScript: |

az logout

- name: Azure Login
uses: Azure/login@v1
uses: Azure/login@v2
if: ${{ env.AZURE_CLIENT_ID != '' && env.AZURE_TENANT_ID != '' && env.AZURE_SUBSCRIPTION_ID != ''}}
with:
client-id: ${{ env.AZURE_CLIENT_ID }}
tenant-id: ${{ env.AZURE_TENANT_ID }}
subscription-id: ${{ env.AZURE_SUBSCRIPTION_ID }}

- name: Configure AKS Subnet
uses: azure/CLI@v1
uses: azure/cli@v2
with:
inlineScript: |

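Review bot: pinning `AKS_VERSION='1.30'` in the script will start failing "Deploy AKS in Spoke" once 1.30 is retired in westus2, exactly as '1.26' did; since the cluster is moved to `--auto-upgrade-channel stable` later anyway, resolve the version at run time from `az aks get-versions -l ${{ env.DEPLOYMENT_LOCATION }}` instead of hard-coding it. Also, `az resource list -n ${{ env.RUNNER_VM_NAME }} --query [*].identity.principalId` is not scoped to a resource group or type, so any other resource named `runner` in the subscription that carries an identity is returned too, and a multi-line value lands in GITHUB_ENV and breaks the later role assignment; add `--resource-group ${{ env.HUB_RESOURCE_GROUP }} --resource-type Microsoft.Compute/virtualMachines`.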
Expand All @@ -260,19 +249,20 @@ jobs:
az network vnet subnet update --vnet-name ${{ env.SPOKE_VNET_NAME }} --name ${{ env.APP_GW_SUBNET }} --resource-group ${{ env.SPOKE_RESOURCE_GROUP }} --route-table ${{ env.APP_GW_ROUTE_TABLE }} --network-security-group ${{ env.APP_GW_NSG }}

- name: Deploy AKS in Spoke
uses: azure/arm-deploy@v1
uses: azure/arm-deploy@v2
with:
deploymentName: ESLZ-AKS-CLUSTER
template: ${{ env.BICEP_ROOT_PATH }}06-AKS-cluster/main.bicep
parameters: ${{ env.BICEP_ROOT_PATH }}06-AKS-cluster/parameters-main.json clusterName=${{ env.CLUSTER_NAME }} acrName=${{ env.ACR_NAME }} keyvaultName=${{ env.KEYVAULT_NAME }} kubernetesVersion=${{ env.AKS_VERSION }} networkPlugin=azure aksuseraccessprincipalId=${{ env.RUNNER_MANAGED_IDENTITY_PRINCIPAL_ID }} aksadminaccessprincipalId=${{ env.RUNNER_MANAGED_IDENTITY_PRINCIPAL_ID }} akslaWorkspaceName=${{ env.LOG_ANALYTICS_WORKSPACE_NAME }}
parameters: ${{ env.BICEP_ROOT_PATH }}06-AKS-cluster/parameters-main.json aksClusterName=${{ env.CLUSTER_NAME }} acrName=${{ env.ACR_NAME }} keyvaultName=${{ env.KEYVAULT_NAME }} kubernetesVersion=${{ env.AKS_VERSION }} networkPlugin=azure akslaWorkspaceName=${{ env.LOG_ANALYTICS_WORKSPACE_NAME }}
# parameters: ${{ env.BICEP_ROOT_PATH }}06-AKS-cluster/parameters-main.json aksClusterName=${{ env.CLUSTER_NAME }} acrName=${{ env.ACR_NAME }} keyvaultName=${{ env.KEYVAULT_NAME }} kubernetesVersion=${{ env.AKS_VERSION }} networkPlugin=azure aksuseraccessprincipalId=${{ env.RUNNER_MANAGED_IDENTITY_PRINCIPAL_ID }} aksadminaccessprincipalId=${{ env.RUNNER_MANAGED_IDENTITY_PRINCIPAL_ID }} akslaWorkspaceName=${{ env.LOG_ANALYTICS_WORKSPACE_NAME }}
scope: subscription
region: ${{ env.DEPLOYMENT_LOCATION }}
subscriptionId: ${{ env.AZURE_SUBSCRIPTION_ID }}
resourceGroupName: ${{ env.SPOKE_RESOURCE_GROUP }}
failOnStdErr: false

- name: Set AKS Environment Variables
uses: Azure/CLI@v1
uses: azure/cli@v2
with:
azcliversion: latest
inlineScript: |
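Review bot: dropping `aksuseraccessprincipalId` / `aksadminaccessprincipalId` from the AKS deployment removes the template-level grant of cluster access to the runner VM's managed identity; the later "Assign Permissions to GitHub Runner VM's Managed identity" step is now the only place that grants it, so please confirm its role assignments cover what the template used to do, and that 06-AKS-cluster/main.bicep no longer declares those parameters (per the "remove aksuseraccessprincipalId and aksadminaccessprincipalId" commit), since arm-deploy rejects unknown parameters as the "unrecognized template parameter" commit shows. The commented-out `# parameters:` line repeating the old call should be deleted rather than left in the workflow; git history keeps it.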
Expand All @@ -293,15 +283,15 @@ jobs:
echo 'SUBNET_ID='$SUBNET_ID >> $GITHUB_ENV

- name: Enable AKS Auto-Upgrade
uses: Azure/CLI@v1
uses: azure/cli@v2
with:
azcliversion: latest
inlineScript: |

az aks update --resource-group ${{ env.SPOKE_RESOURCE_GROUP }} --name ${{ env.CLUSTER_NAME }} --auto-upgrade-channel stable

- name: Assign Permissions to GitHub Runner VM's Managed identity
uses: Azure/CLI@v1
uses: azure/cli@v2
if: ${{ env.AKS_ID != '' && env.RUNNER_MANAGED_IDENTITY_PRINCIPAL_ID != '' && env.AZURE_SUBSCRIPTION_ID != '' }}
with:
azcliversion: latest
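Review bot: `--auto-upgrade-channel stable` only governs the Kubernetes control plane and node pool versions; node OS image patching is set separately with `--node-os-upgrade-channel` on `az aks update`, which belongs next to this call in a baseline that calls itself secure. The `if:` guard on the permissions step is right, but it skips silently when AKS_ID is empty (for instance when the "Set AKS Environment Variables" lookup returned nothing), so consider failing the job explicitly in that case rather than finishing green with no permissions assigned.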
Expand All @@ -320,7 +310,7 @@ jobs:
az keyvault set-policy --name ${{ env.KEYVAULT_NAME }} --object-id ${{ env.RUNNER_MANAGED_IDENTITY_PRINCIPAL_ID }} --secret-permissions set --resource-group ${{ env.SPOKE_RESOURCE_GROUP }}

- name: Create Custom DNS
uses: Azure/CLI@v1
uses: azure/cli@v2
with:
azcliversion: latest
inlineScript: |
Expand All @@ -332,7 +322,7 @@ jobs:
az network private-dns link vnet create --resource-group ${{ env.HUB_RESOURCE_GROUP }} --name ${{ env.PRIVATE_DNS_NAME }}-link-hub --zone ${{ env.PRIVATE_DNS_NAME }} --virtual-network ${{ env.HUB_VNET_NAME }} --registration-enabled true

- name: Update Firewall to allow AKS out
uses: Azure/CLI@v1
uses: azure/cli@v2
with:
azcliversion: latest
inlineScript: |
Expand All @@ -344,23 +334,23 @@ jobs:
az network firewall application-rule create --collection-name 'aks-egress' --name 'Allow-HTTPS' --target-fqdns '*' --firewall-name ${{ env.FIREWALL_NAME }} --protocols Https=443 --resource-group ${{ env.HUB_RESOURCE_GROUP }} --source-addresses '${{ env.AKS_SUBNET_CIDR }}' --priority 350 --action Allow

- name: Cap Log Analytics Workspace Ingress to save $
uses: Azure/CLI@v1
uses: azure/cli@v2
with:
azcliversion: latest
inlineScript: |

az monitor log-analytics workspace update --resource-group ${{ env.SPOKE_RESOURCE_GROUP }} --workspace-name ${{ env.LOG_ANALYTICS_WORKSPACE_NAME }} --quota 5

- name: Enable Auto-Scaler on Default Node Pool to save $
uses: Azure/CLI@v1
uses: azure/cli@v2
with:
azcliversion: latest
inlineScript: |

az aks nodepool update --resource-group ${{ env.SPOKE_RESOURCE_GROUP }} --name defaultpool --cluster-name ${{ env.CLUSTER_NAME }} --enable-cluster-autoscaler --min-count 2 --max-count 5

- name: Log out
uses: azure/CLI@v1
uses: azure/cli@v2
with:
inlineScript: |

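Review bot: `--target-fqdns '*'` with `--action Allow` at priority 350 lets the whole AKS subnet reach any host on 443, which turns the hub firewall into a logging proxy rather than an egress control for the private cluster and undercuts the reason the spoke is routed through AZFW at all. Use the `AzureKubernetesService` FQDN tag (`--fqdn-tags AzureKubernetesService` on an application rule) for the cluster's required endpoints plus explicit rules for the ACR and Log Analytics endpoints this deployment actually uses, and keep any bootstrap-only wildcard out of the baseline. Minor: the 5 GB/day Log Analytics cap drops audit and container logs for the rest of the day once it is hit, so document that "to save $" is a lab cost guard, not a production setting.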