Add infra part one

ahelland · Jan 22, 2024 · 853b310 · 853b310
1 parent 71b961a
commit 853b310
Show file tree

Hide file tree

Showing 60 changed files with 4,034 additions and 0 deletions.
diff --git a/infra/.vscode/tasks.json b/infra/.vscode/tasks.json
@@ -0,0 +1,14 @@
+{
+    "version": "2.0.0",
+    "tasks": [
+      {
+        "label": "Publish modules to container registry",
+        "type": "shell",
+        "command": "./tasks/publish_modules.ps1",
+        "presentation": {
+          "reveal": "always",
+          "panel": "dedicated"
+        }
+      }
+    ]
+  }
diff --git a/infra/devCenter/main.bicep b/infra/devCenter/main.bicep
@@ -0,0 +1,78 @@
+targetScope = 'subscription'
+
+param location string
+
+@description('Tags retrieved from parameter file.')
+param resourceTags object = {}
+@description('Name of DevBox definition.')
+param definitionName string = 'DevBox-8-32'
+@description('DevBox definition SKU.')
+param definitionSKU string = 'general_i_8c32gb256ssd_v2'
+@description('DevBox definition storage type.')
+param definitionStorageType string = 'ssd_256gb'
+
+resource rg_devc 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+  name: 'rg-eshop-devcenter'
+  location: location
+  tags: resourceTags
+}
+
+resource rg_vnet 'Microsoft.Resources/resourceGroups@2021-04-01' existing = {
+  name: 'rg-eshop-vnet'
+}
+
+param vnetName string = 'eshop-vnet-weu'
+resource vnet 'Microsoft.Network/virtualNetworks@2023-06-01' existing = {
+  scope: rg_vnet
+  name: vnetName
+}
+
+module devCenter '../modules/devcenters/devcenter/main.bicep' = {
+  scope: rg_devc
+  name: 'eshop-devcenter'
+  params: {
+    location: location
+    devCenterName: 'eshop-devCenter'
+    definitionName: definitionName
+    definitionSKU: definitionSKU
+    definitionStorageType: definitionStorageType
+    image: 'microsoftvisualstudio_visualstudioplustools_vs-2022-ent-general-win11-m365-gen2'
+    networkConnectionId: networkConnection.outputs.id    
+  }
+}
+
+module devProject '../modules/devcenters/project/main.bicep' = {
+  scope: rg_devc
+  name: 'eshop-devProject'
+  params: {
+    devBoxDefinitionName: definitionName
+    devCenterId: devCenter.outputs.devCenterId
+    devPoolName: 'eshop-devBoxPool'
+    location: location
+    networkConnectionName: devCenter.outputs.devCenterAttachedNetwork
+    projectName: 'eshop-devProject'
+    deploymentTargetId: subscription().id
+  }
+}
+
+//Add permissions for the dev environment identity to modify the vnet
+var networkContributorRole = resourceId('Microsoft.Authorization/roleAssignments','4d97b98b-1d4f-4787-a291-c67834d212e7')
+resource networkRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+  name: guid(rg_devc.id,devCenter.name,networkContributorRole)
+  properties: {
+    principalId: devProject.outputs.devEnvironmentManagedId
+    roleDefinitionId: networkContributorRole
+    principalType: 'ServicePrincipal'
+  }
+}
+
+//Connect the Dev Center to the custom vnet
+module networkConnection '../modules/devcenters/network-connection/main.bicep' = {
+  scope: rg_devc
+  name: 'eshop-devcenter-network-connection'
+  params: {
+    connectionName: 'eshop-devcenter-network-connection'
+    location: location
+    snetId: vnet.properties.subnets[0].id
+  }
+}
diff --git a/infra/devCenter/main.bicepparam b/infra/devCenter/main.bicepparam
@@ -0,0 +1,8 @@
+using './main.bicep'
+
+param resourceTags = {
+    IaC: 'Bicep'
+    Source: 'GitHub'  
+}
+
+param location = 'westeurope'
diff --git a/infra/level-2/main.bicep b/infra/level-2/main.bicep
@@ -0,0 +1,75 @@
+targetScope = 'subscription'
+
+@description('Azure region to deploy resources into.')
+param location string
+@description('Tags retrieved from parameter file.')
+param resourceTags object = {}
+
+resource rg_vnet 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+  name: 'rg-eshop-vnet'
+  location: location
+  tags: resourceTags
+}
+
+resource rg_dns 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+  name: 'rg-eshop-dns'
+  location: location
+  tags: resourceTags
+}
+
+param vnetName string = 'eshop-vnet-weu'
+module vnet 'br/public:network/virtual-network:1.1.3' = {
+  scope: rg_vnet
+  name: 'eshop-vnet-weu'
+  params: {
+    name: vnetName
+    location: location    
+    addressPrefixes: [
+      '10.1.0.0/16'
+    ]
+    subnets: [
+      {
+        name: 'snet-devbox-01'
+        addressPrefix: '10.1.1.0/24'
+        privateEndpointNetworkPolicies: 'Enabled'
+      }
+      {
+        name: 'snet-cae-01'
+        addressPrefix: '10.1.2.0/24'
+        privateEndpointNetworkPolicies: 'Enabled'
+        delegations: [
+          {            
+            name: 'Microsoft.App.environments'
+            properties: {
+              serviceName: 'Microsoft.App/environments'
+            }
+            type: 'Microsoft.Network/virtualNetworks/subnets/delegations'
+          }
+        ]
+      }
+      {
+        name: 'snet-pe-01'
+        addressPrefix: '10.1.3.0/24'
+        privateEndpointNetworkPolicies: 'Enabled'
+      }    
+    ]
+  }
+}
+
+//We import the vnet just created to be able to read the properties
+resource vnet_import 'Microsoft.Network/virtualNetworks@2023-06-01' existing = {
+  scope: rg_vnet
+  name: vnetName
+}
+//Private endpoint DNS
+module dnsZoneACR '../modules/network/private-dns-zone/main.bicep' = {
+  scope: rg_dns
+  name: 'eshop-private-dns-acr'
+  params: {
+    resourceTags: resourceTags
+    registrationEnabled: false
+    vnetId: vnet_import.id
+    vnetName: vnetName
+    zoneName: 'privatelink.azurecr.io'
+  }
+}
diff --git a/infra/level-2/main.bicepparam b/infra/level-2/main.bicepparam
@@ -0,0 +1,8 @@
+using './main.bicep'
+
+param resourceTags = {            
+  IaC: 'Bicep'
+  Source: 'GitHub'
+}
+
+param location = 'westeurope'
diff --git a/infra/level-3/acr-pe-endpoints.bicep b/infra/level-3/acr-pe-endpoints.bicep
@@ -0,0 +1,45 @@
+//Private Endpoints specifically for ACR
+
+@description('Specifies the location for resources.')
+param location string = resourceGroup().location
+@description('Tags retrieved from parameter file.')
+param resourceTags object = {}
+@description('Name of the Private Endpoint.')
+param peName string
+@description('String array - "foo, bar"')
+param serviceConnectionGroupIds string
+@description('Subnet to attach private endpoint to.')
+param snetId string?
+@description('The connection id for the private link service.')
+param serviceConnectionId string
+
+resource pe 'Microsoft.Network/privateEndpoints@2022-09-01' = {
+  name: peName
+  location: location
+  tags: resourceTags
+  properties: {
+    manualPrivateLinkServiceConnections: []
+    ipConfigurations: []
+    subnet: {
+      id: snetId
+    }
+    privateLinkServiceConnections: [
+      {
+         name: peName
+         properties: {
+          privateLinkServiceId: serviceConnectionId
+          groupIds: [serviceConnectionGroupIds]
+         }        
+      }
+    ]
+  }
+}
+
+@description('IP Address of root Private Endpoint')
+output ip_0 string = pe.properties.customDnsConfigs[0].ipAddresses[0]
+@description('IP Address of region-specific Private Endpoint')
+output ip_1 string = pe.properties.customDnsConfigs[1].ipAddresses[0]
+@description('FQDN (public zone) of root Private Endpoint')
+output fqdn_0 string = pe.properties.customDnsConfigs[0].fqdn
+@description('FQDN (public zone) of region-specific Private Endpoint')
+output fqdn_1 string = pe.properties.customDnsConfigs[1].fqdn
diff --git a/infra/level-3/main.bicep b/infra/level-3/main.bicep
@@ -0,0 +1,128 @@
+targetScope = 'subscription'
+
+@description('Azure region to deploy resources into.')
+param location string
+@description('Tags retrieved from parameter file.')
+param resourceTags object = {}
+
+resource rg_vnet 'Microsoft.Resources/resourceGroups@2021-04-01' existing = {
+  name: 'rg-eshop-vnet'
+}
+
+resource rg_dns 'Microsoft.Resources/resourceGroups@2021-04-01' existing = {
+  name: 'rg-eshop-dns'
+}
+
+resource rg_cae 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+  name: 'rg-eshop-cae'
+  location: location
+  tags: resourceTags
+}
+
+param vnetName string = 'eshop-vnet-weu'
+resource vnet 'Microsoft.Network/virtualNetworks@2023-06-01' existing = {
+  scope: rg_vnet
+  name: vnetName
+}
+
+resource rg_acr 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+  name: 'rg-eshop-acr'  
+  location: location
+  tags: resourceTags
+}
+
+param subId string = subscription().id
+param acrName string = 'acr${uniqueString(subId)}'
+//Private Endpoints require Premium SKU
+param acrSku string = 'Premium'
+param acrManagedIdentity string = 'SystemAssigned'
+
+module containerRegistry '../modules/containers/container-registry/main.bicep' = {
+  scope: rg_acr
+  name: acrName
+  params: {
+    resourceTags: resourceTags
+    acrName: acrName
+    acrSku: acrSku
+    adminUserEnabled: false
+    anonymousPullEnabled: false 
+    location: location
+    managedIdentity: acrManagedIdentity
+    publicNetworkAccess: 'Disabled'
+  }
+}
+
+//Private endpoints (two required for ACR)
+module peAcr 'acr-pe-endpoints.bicep' = {
+  scope: rg_acr
+  name: 'pe-acr'
+  params: {
+    resourceTags: resourceTags
+    location: location
+    peName: 'pe-acr'
+    serviceConnectionGroupIds: 'registry'
+    serviceConnectionId: containerRegistry.outputs.id
+    snetId: '${vnet.id}/subnets/snet-pe-01'
+  }
+}
+
+module acr_dns_pe_0 '../modules/network/private-dns-record-a/main.bicep' = {
+  scope: rg_dns
+  name: 'dns-a-acr-region'
+  params: {
+    ipAddress: peAcr.outputs.ip_0
+    recordName: '${containerRegistry.outputs.acrName}.${location}.data'
+    zone: 'privatelink.azurecr.io'
+  }
+}
+
+module acr_dns_pe_1 '../modules/network/private-dns-record-a/main.bicep' = {
+  scope: rg_dns
+  name: 'dns-a-acr-root'
+  params: {
+    ipAddress: peAcr.outputs.ip_1
+    recordName: containerRegistry.outputs.acrName
+    zone: 'privatelink.azurecr.io'
+  }
+}
+
+module containerenvironment '../modules/containers/container-environment/main.bicep' = {
+  scope: rg_cae
+  name: 'eshop-cae-01'
+  params: {
+    location: location
+    environmentName: 'eshop-cae-01'
+    snetId: '${vnet.id}/subnets/snet-cae-01'
+  }
+}
+
+module dnsZone '../modules/network/private-dns-zone/main.bicep' = {
+  scope: rg_cae
+  name: '${containerenvironment.name}-dns'
+  params: {
+    resourceTags: resourceTags
+    registrationEnabled: false
+    zoneName: containerenvironment.outputs.defaultDomain
+    vnetName: 'cae'
+    vnetId: vnet.id
+  }
+}
+
+module userMiCAE '../modules/identity/user-managed-identity/main.bicep' = {
+  scope: rg_cae
+  name: 'eshop-cae-user-mi'
+  params: {
+    location: location
+    miname: 'eshop-cae-user-mi'
+  }
+}
+
+module acrRole '../modules/identity/role-assignment-rg/main.bicep' = {
+  scope: rg_acr
+  name: 'eshop-cae-mi-acr-role'
+  params: {
+    principalId: userMiCAE.outputs.managedIdentityPrincipal
+    principalType: 'ServicePrincipal'
+    roleName: 'AcrPull'
+  }
+}
diff --git a/infra/level-3/main.bicepparam b/infra/level-3/main.bicepparam
@@ -0,0 +1,8 @@
+using './main.bicep'
+
+param resourceTags = {            
+  IaC: 'Bicep'
+  Source: 'GitHub'
+}
+
+param location = 'westeurope'