From 13643b5400174de561fbf28b36561d372e42a154 Mon Sep 17 00:00:00 2001
From: Dany Contreras <78437433+danycontre@users.noreply.github.com>
Date: Mon, 16 Oct 2023 15:36:09 -0500
Subject: [PATCH] updates
---
 workload/arm/deploy-baseline.json | 28 ++++++++-----------
 workload/bicep/deploy-baseline.bicep | 8 +++---
 .../modules/storageAzureFiles/deploy.bicep | 4 +--
 .../script-domainjoinstorage.ps1 | 12 ++++++--
 4 files changed, 26 insertions(+), 26 deletions(-)
diff --git a/workload/arm/deploy-baseline.json b/workload/arm/deploy-baseline.json
index a6299f325..8ef04fc62 100644
--- a/workload/arm/deploy-baseline.json
+++ b/workload/arm/deploy-baseline.json
@@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.17.1.54307", - "templateHash": "11881349639014510533" + "templateHash": "8577237797049463431" }, "name": "AVD Accelerator - Baseline Deployment", "description": "AVD Accelerator - Deployment Baseline"
@@ -12582,9 +12582,7 @@ "identityServiceProvider": { "value": "[parameters('avdIdentityServiceProvider')]" }, - "securityPrincipalIds": { - "value": "[array(parameters('securityPrincipalId'))]" - }, + "securityPrincipalIds": "[if(not(empty(parameters('securityPrincipalId'))), createObject('value', array(parameters('securityPrincipalId'))), createObject('value', createArray()))]", "tags": "[if(parameters('createResourceTags'), createObject('value', union(variables('varCustomResourceTags'), variables('varAvdDefaultTags'))), createObject('value', variables('varAvdDefaultTags')))]", "alaWorkspaceResourceId": "[if(parameters('avdDeployMonitoring'), if(parameters('deployAlaWorkspace'), createObject('value', reference(subscriptionResourceId('Microsoft.Resources/deployments', format('Monitoring-{0}', parameters('time'))), '2022-09-01').outputs.avdAlaWorkspaceResourceId.value), createObject('value', parameters('alaExistingWorkspaceResourceId'))), createObject('value', ''))]", "hostPoolAgentUpdateSchedule": { 
@@ -15062,9 +15060,7 @@ "createStorageDeployment": { "value": "[variables('varCreateStorageDeployment')]" }, - "securityPrincipalIds": { - "value": "[array(parameters('securityPrincipalId'))]" - }, + "securityPrincipalIds": "[if(not(empty(parameters('securityPrincipalId'))), createObject('value', array(parameters('securityPrincipalId'))), createObject('value', createArray()))]", "tags": "[if(parameters('createResourceTags'), createObject('value', union(variables('varCustomResourceTags'), variables('varAvdDefaultTags'))), createObject('value', variables('varAvdDefaultTags')))]" }, "template": { @@ -32104,9 +32100,7 @@ "value": "[variables('varOuStgPath')]" }, "managedIdentityClientId": "[if(variables('varCreateStorageDeployment'), createObject('value', reference(subscriptionResourceId('Microsoft.Resources/deployments', format('Identities-And-RoleAssign-{0}', parameters('time'))), '2022-09-01').outputs.managedIdentityStorageClientId.value), createObject('value', ''))]", - "securityPrincipalName": { - "value": "[parameters('securityPrincipalName')]" - }, + "securityPrincipalName": "[if(not(empty(parameters('securityPrincipalName'))), createObject('value', parameters('securityPrincipalName')), createObject('value', ''))]", "domainJoinUserName": { "value": "[parameters('avdDomainJoinUserName')]" }, @@ -32143,7 +32137,7 @@ "_generator": { "name": "bicep", "version": "0.17.1.54307", - "templateHash": "5936570404205322394" + "templateHash": "1142525422127830618" } }, "parameters": { 
@@ -32340,7 +32334,8 @@ ], "varWrklStoragePrivateEndpointName": "[format('pe-{0}-file', parameters('storageAccountName'))]", "vardirectoryServiceOptions": "[if(equals(parameters('identityServiceProvider'), 'AADDS'), 'AADDS', if(equals(parameters('identityServiceProvider'), 'AAD'), 'AADKERB', 'None'))]", - "varStorageToDomainScriptArgs": "[format('-DscPath {0} -StorageAccountName {1} -StorageAccountRG {2} -StoragePurpose {3} -DomainName {4} -IdentityServiceProvider {5} -AzureCloudEnvironment {6} -SubscriptionId {7} -DomainAdminUserName {8} -CustomOuPath {9} -OUName {10} -ShareName {11} -ClientId {12} -SecurityPrincipalName {13} -StorageAccountFqdn {14} ', parameters('dscAgentPackageLocation'), parameters('storageAccountName'), parameters('storageObjectsRgName'), parameters('storagePurpose'), parameters('identityDomainName'), parameters('identityServiceProvider'), variables('varAzureCloudName'), parameters('workloadSubsId'), parameters('domainJoinUserName'), parameters('storageCustomOuPath'), parameters('ouStgPath'), parameters('fileShareName'), parameters('managedIdentityClientId'), parameters('securityPrincipalName'), parameters('storageAccountFqdn'))]" + "varSecurityPrincipalName": "[if(not(empty(parameters('securityPrincipalName'))), parameters('securityPrincipalName'), 'none')]", + "varStorageToDomainScriptArgs": "[format('-DscPath {0} -StorageAccountName {1} -StorageAccountRG {2} -StoragePurpose {3} -DomainName {4} -IdentityServiceProvider {5} -AzureCloudEnvironment {6} -SubscriptionId {7} -DomainAdminUserName {8} -CustomOuPath {9} -OUName {10} -ShareName {11} -ClientId {12} -SecurityPrincipalName {13} -StorageAccountFqdn {14} ', parameters('dscAgentPackageLocation'), parameters('storageAccountName'), parameters('storageObjectsRgName'), parameters('storagePurpose'), parameters('identityDomainName'), parameters('identityServiceProvider'), variables('varAzureCloudName'), parameters('workloadSubsId'), parameters('domainJoinUserName'), 
parameters('storageCustomOuPath'), parameters('ouStgPath'), parameters('fileShareName'), parameters('managedIdentityClientId'), variables('varSecurityPrincipalName'), parameters('storageAccountFqdn'))]" }, "resources": [ { @@ -36313,9 +36308,7 @@ "value": "[variables('varOuStgPath')]" }, "managedIdentityClientId": "[if(variables('varCreateStorageDeployment'), createObject('value', reference(subscriptionResourceId('Microsoft.Resources/deployments', format('Identities-And-RoleAssign-{0}', parameters('time'))), '2022-09-01').outputs.managedIdentityStorageClientId.value), createObject('value', ''))]", - "securityPrincipalName": { - "value": "[parameters('securityPrincipalName')]" - }, + "securityPrincipalName": "[if(not(empty(parameters('securityPrincipalName'))), createObject('value', parameters('securityPrincipalName')), createObject('value', ''))]", "domainJoinUserName": { "value": "[parameters('avdDomainJoinUserName')]" }, @@ -36352,7 +36345,7 @@ "_generator": { "name": "bicep", "version": "0.17.1.54307", - "templateHash": "5936570404205322394" + "templateHash": "1142525422127830618" } }, "parameters": { 
@@ -36549,7 +36542,8 @@ ], "varWrklStoragePrivateEndpointName": "[format('pe-{0}-file', parameters('storageAccountName'))]", "vardirectoryServiceOptions": "[if(equals(parameters('identityServiceProvider'), 'AADDS'), 'AADDS', if(equals(parameters('identityServiceProvider'), 'AAD'), 'AADKERB', 'None'))]", - "varStorageToDomainScriptArgs": "[format('-DscPath {0} -StorageAccountName {1} -StorageAccountRG {2} -StoragePurpose {3} -DomainName {4} -IdentityServiceProvider {5} -AzureCloudEnvironment {6} -SubscriptionId {7} -DomainAdminUserName {8} -CustomOuPath {9} -OUName {10} -ShareName {11} -ClientId {12} -SecurityPrincipalName {13} -StorageAccountFqdn {14} ', parameters('dscAgentPackageLocation'), parameters('storageAccountName'), parameters('storageObjectsRgName'), parameters('storagePurpose'), parameters('identityDomainName'), parameters('identityServiceProvider'), variables('varAzureCloudName'), parameters('workloadSubsId'), parameters('domainJoinUserName'), parameters('storageCustomOuPath'), parameters('ouStgPath'), parameters('fileShareName'), parameters('managedIdentityClientId'), parameters('securityPrincipalName'), parameters('storageAccountFqdn'))]" + "varSecurityPrincipalName": "[if(not(empty(parameters('securityPrincipalName'))), parameters('securityPrincipalName'), 'none')]", + "varStorageToDomainScriptArgs": "[format('-DscPath {0} -StorageAccountName {1} -StorageAccountRG {2} -StoragePurpose {3} -DomainName {4} -IdentityServiceProvider {5} -AzureCloudEnvironment {6} -SubscriptionId {7} -DomainAdminUserName {8} -CustomOuPath {9} -OUName {10} -ShareName {11} -ClientId {12} -SecurityPrincipalName {13} -StorageAccountFqdn {14} ', parameters('dscAgentPackageLocation'), parameters('storageAccountName'), parameters('storageObjectsRgName'), parameters('storagePurpose'), parameters('identityDomainName'), parameters('identityServiceProvider'), variables('varAzureCloudName'), parameters('workloadSubsId'), parameters('domainJoinUserName'), 
parameters('storageCustomOuPath'), parameters('ouStgPath'), parameters('fileShareName'), parameters('managedIdentityClientId'), variables('varSecurityPrincipalName'), parameters('storageAccountFqdn'))]" }, "resources": [ {
diff --git a/workload/bicep/deploy-baseline.bicep b/workload/bicep/deploy-baseline.bicep
index e3b384b83..5b168ec33 100644
--- a/workload/bicep/deploy-baseline.bicep
+++ b/workload/bicep/deploy-baseline.bicep
@@ -960,7 +960,7 @@ module managementPLane './modules/avdManagementPlane/deploy.bicep' = {
 startVmOnConnect: (avdHostPoolType == 'Pooled') ? avdDeployScalingPlan : avdStartVmOnConnect
 workloadSubsId: avdWorkloadSubsId
 identityServiceProvider: avdIdentityServiceProvider
- securityPrincipalIds: array(securityPrincipalId)
+ securityPrincipalIds: !empty(securityPrincipalId)? array(securityPrincipalId): []
 tags: createResourceTags ? union(varCustomResourceTags, varAvdDefaultTags) : varAvdDefaultTags
 alaWorkspaceResourceId: avdDeployMonitoring ? (deployAlaWorkspace ? monitoringDiagnosticSettings.outputs.avdAlaWorkspaceResourceId : alaExistingWorkspaceResourceId) : ''
 hostPoolAgentUpdateSchedule: varHostPoolAgentUpdateSchedule
@@ -987,7 +987,7 @@ module identity './modules/identity/deploy.bicep' = {
 enableStartVmOnConnect: avdStartVmOnConnect
 identityServiceProvider: avdIdentityServiceProvider
 createStorageDeployment: varCreateStorageDeployment
- securityPrincipalIds: array(securityPrincipalId)
+ securityPrincipalIds: !empty(securityPrincipalId)? array(securityPrincipalId): []
 tags: createResourceTags ? union(varCustomResourceTags, varAvdDefaultTags) : varAvdDefaultTags
 }
 dependsOn: [
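Review bot: The new line `securityPrincipalIds: !empty(securityPrincipalId)? array(securityPrincipalId): []` drops the spaces around `?` and `:` that every neighbouring ternary in the hunk keeps (`startVmOnConnect`, `tags`, `alaWorkspaceResourceId`), and the `@@ -987` hunk below repeats the same form; `securityPrincipalIds: !empty(securityPrincipalId) ? array(securityPrincipalId) : []` in both places would match the file. The reason for the guard is also not obvious to a later reader — without it `array('')` yields `['']`, a single bogus principal id that the identity module would presumably try to assign roles to — so a why-comment above the line, such as `// no principal supplied → pass [] (array('') would be [''])`, documents the intent. Both `module` bodies start and end outside their hunks.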
@@ -1167,7 +1167,7 @@ module fslogixAzureFilesStorage './modules/storageAzureFiles/deploy.bicep' = if
 deployPrivateEndpoint: deployPrivateEndpointKeyvaultStorage
 ouStgPath: varOuStgPath
 managedIdentityClientId: varCreateStorageDeployment ? identity.outputs.managedIdentityStorageClientId : ''
- securityPrincipalName: securityPrincipalName
+ securityPrincipalName: !empty(securityPrincipalName)? securityPrincipalName: ''
 domainJoinUserName: avdDomainJoinUserName
 wrklKvName: varWrklKvName
 serviceObjectsRgName: varServiceObjectsRgName
@@ -1210,7 +1210,7 @@ module msixAzureFilesStorage './modules/storageAzureFiles/deploy.bicep' = if (cr
 deployPrivateEndpoint: deployPrivateEndpointKeyvaultStorage
 ouStgPath: varOuStgPath
 managedIdentityClientId: varCreateStorageDeployment ? identity.outputs.managedIdentityStorageClientId : ''
- securityPrincipalName: securityPrincipalName
+ securityPrincipalName: !empty(securityPrincipalName)? securityPrincipalName: ''
 domainJoinUserName: avdDomainJoinUserName
 wrklKvName: varWrklKvName
 serviceObjectsRgName: varServiceObjectsRgName
diff --git a/workload/bicep/modules/storageAzureFiles/deploy.bicep b/workload/bicep/modules/storageAzureFiles/deploy.bicep
index d499966f1..4d3ff02e9 100644
--- a/workload/bicep/modules/storageAzureFiles/deploy.bicep
+++ b/workload/bicep/modules/storageAzureFiles/deploy.bicep
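Review bot: `securityPrincipalName: !empty(securityPrincipalName)? securityPrincipalName: ''` is a no-op if `securityPrincipalName` is an ordinary non-nullable `string` parameter: an empty value maps to the same empty string and any other value maps to itself, so the line is equivalent to the old `securityPrincipalName: securityPrincipalName`. The parameter declaration is outside the hunk, so if it is declared nullable the guard does something and deserves a one-line comment saying so; otherwise the plain pass-through reads clearer, since the substitution the storage module actually relies on (`'none'`) happens in that module's own `varSecurityPrincipalName` in the next file. The same line appears in the `@@ -1210` hunk, and in both the spacing around `?`/`:` differs from the adjacent `managedIdentityClientId` ternary. Both `module` bodies continue outside the hunks.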
@@ -108,8 +108,8 @@ var varAvdFileShareMetricsDiagnostic = [
 ]
 var varWrklStoragePrivateEndpointName = 'pe-${storageAccountName}-file'
 var vardirectoryServiceOptions = (identityServiceProvider == 'AADDS') ? 'AADDS': (identityServiceProvider == 'AAD') ? 'AADKERB': 'None'
-
-var varStorageToDomainScriptArgs = '-DscPath ${dscAgentPackageLocation} -StorageAccountName ${storageAccountName} -StorageAccountRG ${storageObjectsRgName} -StoragePurpose ${storagePurpose} -DomainName ${identityDomainName} -IdentityServiceProvider ${identityServiceProvider} -AzureCloudEnvironment ${varAzureCloudName} -SubscriptionId ${workloadSubsId} -DomainAdminUserName ${domainJoinUserName} -CustomOuPath ${storageCustomOuPath} -OUName ${ouStgPath} -ShareName ${fileShareName} -ClientId ${managedIdentityClientId} -SecurityPrincipalName ${securityPrincipalName} -StorageAccountFqdn ${storageAccountFqdn} '
+var varSecurityPrincipalName = !empty(securityPrincipalName)? securityPrincipalName : 'none'
+var varStorageToDomainScriptArgs = '-DscPath ${dscAgentPackageLocation} -StorageAccountName ${storageAccountName} -StorageAccountRG ${storageObjectsRgName} -StoragePurpose ${storagePurpose} -DomainName ${identityDomainName} -IdentityServiceProvider ${identityServiceProvider} -AzureCloudEnvironment ${varAzureCloudName} -SubscriptionId ${workloadSubsId} -DomainAdminUserName ${domainJoinUserName} -CustomOuPath ${storageCustomOuPath} -OUName ${ouStgPath} -ShareName ${fileShareName} -ClientId ${managedIdentityClientId} -SecurityPrincipalName ${varSecurityPrincipalName} -StorageAccountFqdn ${storageAccountFqdn} '
 // =========== //
 // Deployments //
 // =========== //
diff --git a/workload/scripts/DSCStorageScripts/script-domainjoinstorage.ps1 b/workload/scripts/DSCStorageScripts/script-domainjoinstorage.ps1
index ca5a954af..d036dae46 100644
--- a/workload/scripts/DSCStorageScripts/script-domainjoinstorage.ps1
+++ b/workload/scripts/DSCStorageScripts/script-domainjoinstorage.ps1
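Review bot: `var varSecurityPrincipalName = !empty(securityPrincipalName)? securityPrincipalName : 'none'` introduces a sentinel string that is an implicit contract with `script-domainjoinstorage.ps1` (which tests `$SecurityPrincipalName -eq 'none'` later in this patch), and neither side documents it. PowerShell's `-eq` on strings is case-insensitive, so a real group literally named `None` or `NONE` would be treated as "not provided" and the share would be left without the AVD group ACL, with only a log line recording the skip. A comment on the new line makes the coupling visible: `// 'none' is the sentinel script-domainjoinstorage.ps1 checks to skip the AD group ACL; change both together`. Separately, the value is interpolated unquoted into `varStorageToDomainScriptArgs`, so a principal name containing spaces would be split into extra arguments; that predates this change, but the new variable is the natural place to validate or quote it.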
@@ -169,10 +169,16 @@ Try {
 icacls ${DriveLetter}: /grant "Creator Owner:(OI)(CI)(IO)(M)"
 icacls ${DriveLetter}: /remove "Authenticated Users"
 icacls ${DriveLetter}: /remove "Builtin\Users"
- # AVD group permissions
- $Group = $DomainName + '\' + $SecurityPrincipalName
- icacls ${DriveLetter}: /grant "${Group}:(M)"
 Write-Log "ACLs set"
+ # AVD group permissions
+ if ($SecurityPrincipalName -eq 'none') {
+ Write-Log "AD group not provided, ACLs for AD group not set"
+ }
+ else {
+ $Group = $DomainName + '\' + $SecurityPrincipalName
+ icacls ${DriveLetter}: /grant "${Group}:(M)"
+ Write-Log "AD group $Group ACLs set"
+ }
 Write-Log "Unmounting drive"
 # Remove-PSDrive -Name $DriveLetter -Force