Swap individual policy assignments to alzDefaultPolicyAssignments m…

…odule in E2E tests (#183) * Update file to new path * Update tests/pipelines/bicep-build-to-validate.yml Co-authored-by: Jack Tracey <[email protected]> * Update tests/pipelines/bicep-build-to-validate.yml Co-authored-by: Jack Tracey <[email protected]> * Add script to loop retries * decrease wait time for script * add throw on threshold met * fix unused param * Update .github/scripts/Set-AlzDefaultPolicyAssignment.ps1 Co-authored-by: Jack Tracey <[email protected]> * Update .github/scripts/Set-AlzDefaultPolicyAssignment.ps1 Co-authored-by: Jack Tracey <[email protected]> * Update tests/pipelines/bicep-build-to-validate.yml Co-authored-by: Jack Tracey <[email protected]> * Include policyAssignmentManagementGroup.bicep * fix displayname on pwsh task * trigger pipeline * handle string * remove quotes around subscriptionId * Include quotes in array * remove E2E trigger * re-include trigger * Remove trigger again Co-authored-by: Jack Tracey <[email protected]>
Azure · Mar 24, 2022 · afad38e · afad38e
1 parent f38bff3
commit afad38e
Show file tree

Hide file tree

Showing 2 changed files with 50 additions and 14 deletions.
diff --git a/.github/scripts/Set-AlzDefaultPolicyAssignment.ps1 b/.github/scripts/Set-AlzDefaultPolicyAssignment.ps1
@@ -0,0 +1,32 @@
+
+param (
+    #Added this back into parameters as error occurs if multiple tenants are found when using Get-AzTenant
+    [Parameter(Mandatory = $true)] [string] $ManagementGroupId,
+    [Parameter(Mandatory = $true)] [string] $parLocation,
+    [Parameter(Mandatory = $true)] [string] $templateFile,
+    [Parameter(Mandatory = $true)] [string] $parameterFile,
+    [Parameter(Mandatory = $true)] [string] $parTopLevelManagementGroupPrefix,
+    [Parameter(Mandatory = $true)] [string] $parLogAnalyticsWorkSpaceAndAutomationAccountLocation,
+    [Parameter(Mandatory = $true)] [string] $parLogAnalyticsWorkspaceResourceID,
+    [Parameter(Mandatory = $true)] [string] $parDdosProtectionPlanId
+)
+$state = 'fail'
+$i = 0
+$err.clear
+while ($i -lt 4 -and $state -eq 'fail') {
+    $ErrorActionPreference = "Stop"
+    Try {
+        New-AzManagementGroupDeployment -Managementgroupid $ManagementGroupId -Location $parLocation -TemplateFile $templateFile -TemplateParameterFile $parameterFile -parTopLevelManagementGroupPrefix $parTopLevelManagementGroupPrefix -parLogAnalyticsWorkSpaceAndAutomationAccountLocation $parLogAnalyticsWorkSpaceAndAutomationAccountLocation -parLogAnalyticsWorkspaceResourceID $parLogAnalyticsWorkspaceResourceID -parDdosProtectionPlanId $parDdosProtectionPlanId
+        $state = 'success'
+    }
+    Catch {
+        $i++
+        Write-Output "ALZ Default Policy Assignments module failed to deploy with $error"
+        Write-Output "Iteration number $i"
+        Write-Output "Will retry in 30 seconds"
+        Start-Sleep -Seconds 30
+    }
+}
+If ($state -eq 'fail') {
+    Throw "ALZ Default Policy Assignments module failed to deploy after $i attempts"
+}
diff --git a/tests/pipelines/bicep-build-to-validate.yml b/tests/pipelines/bicep-build-to-validate.yml
@@ -29,9 +29,10 @@ jobs:
           git_diff2=$(git diff --name-only HEAD^ HEAD infra-as-code/bicep/modules/customRoleDefinitions/customRoleDefinitions.bicep)
           git_diff3=$(git diff --name-only HEAD^ HEAD infra-as-code/bicep/modules/policy/definitions/custom-policy-definitions.bicep)
           git_diff4=$(git diff --name-only HEAD^ HEAD infra-as-code/bicep/modules/policy/assignments/policyAssignmentManagementGroup.bicep)
-          git_diff5=$(git diff --name-only HEAD^ HEAD infra-as-code/bicep/modules/subscriptionPlacement/subscriptionPlacement.bicep)
-          git_diff6=$(git diff --name-only HEAD^ HEAD infra-as-code/bicep/modules/roleAssignments/roleAssignmentManagementGroup.bicep)
-          if [[ $git_diff1 != '' ]] || [[ $git_diff2 != '' ]] || [[ $git_diff3 != '' ]] || [[ $git_diff4 != '' ]] || [[ $git_diff5 != '' ]] || [[ $git_diff6 != '' ]]
+          git_diff5=$(git diff --name-only HEAD^ HEAD infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep)
+          git_diff6=$(git diff --name-only HEAD^ HEAD infra-as-code/bicep/modules/subscriptionPlacement/subscriptionPlacement.bicep)
+          git_diff7=$(git diff --name-only HEAD^ HEAD infra-as-code/bicep/modules/roleAssignments/roleAssignmentManagementGroup.bicep)
+          if [[ $git_diff1 != '' ]] || [[ $git_diff2 != '' ]] || [[ $git_diff3 != '' ]] || [[ $git_diff4 != '' ]] || [[ $git_diff5 != '' ]] || [[ $git_diff6 != '' ]] || [[ $git_diff7 != '' ]]
             then echo "##vso[task.setvariable variable=gitManagementOutput]setmgmt"
           fi
           echo 
@@ -88,7 +89,7 @@ jobs:
     inputs:
       targetType: 'inline'
       script: |
-        subid=$(az deployment tenant create --name "deploy-$(SubscriptionName)" --location $(Location) --template-file infra-as-code/bicep/CRML/subscriptionAlias/subscriptionAlias.bicep --parameters @infra-as-code/bicep/CRML/subscriptionAlias/subscriptionAlias.parameters.example.json --parameters parSubscriptionBillingScope=$(ALZ-AZURE-SECRET-EA-BILLING-ACCOUNT) parSubscriptionName=$(SubscriptionName) | jq .properties.outputs.outSubscriptionId.value)
+        subid=$(az deployment tenant create --name "deploy-$(SubscriptionName)" --location $(Location) --template-file infra-as-code/bicep/CRML/subscriptionAlias/subscriptionAlias.bicep --parameters @infra-as-code/bicep/CRML/subscriptionAlias/subscriptionAlias.parameters.example.json --parameters parSubscriptionBillingScope=$(ALZ-AZURE-SECRET-EA-BILLING-ACCOUNT) parSubscriptionName=$(SubscriptionName) | jq .properties.outputs.outSubscriptionId.value | tr -d '"')
         echo $subId
         echo "##vso[task.setvariable variable=subscriptionId]$subid"
         echo "##vso[task.setvariable variable=IsDeployed;isoutput=true]$subid"
@@ -151,23 +152,26 @@ jobs:
       script: |
         az deployment group create --resource-group $(ResourceGroupName) --template-file infra-as-code/bicep/modules/logging/logging.bicep --parameters @infra-as-code/bicep/modules/logging/logging.parameters.example.json
 
-  - task: Bash@3    
-    displayName: Az CLI Policy Assignment DINE for PR
-    name: create_policy_assignment_dine
-    condition: and(ne(variables['gitManagementOUTPUT'], ''), ne(variables['subscriptionId'], ''))
-    inputs:
-      targetType: 'inline'
-      script: |
-        az deployment mg create --template-file infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep --parameters @infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.parameters.example.json parTopLevelManagementGroupPrefix=$(ManagementGroupPrefix) parLogAnalyticsWorkSpaceAndAutomationAccountLocation=$(Location) parLogAnalyticsWorkspaceResourceID="/subscriptions/$(subscriptionId)/resourceGroups/$(ResourceGroupName)/providers/Microsoft.OperationalInsights/workspaces/alz-log-analytics" parDdosProtectionPlanId="/subscriptions/$(subscriptionId)/resourceGroups/$(ResourceGroupName)/providers/Microsoft.Network/ddosProtectionPlans/alz-Ddos-Plan" --location $(Location) --management-group-id "$(ManagementGroupPrefix)-platform"
-
   - task: Bash@3    
     displayName: Az CLI Subscription Placement for PR
     name: move_sub
     condition: and(or(ne(variables['gitManagementOUTPUT'], ''), ne(variables['gitLoggingOUTPUT'], ''), ne(variables['gitSpokeOUTPUT'], ''), ne(variables['gitHubOUTPUT'], ''), ne(variables['gitVwanOUTPUT'], '')), ne(variables['subscriptionId'], ''))
     inputs:
       targetType: 'inline'
       script: |
-        az deployment mg create --template-file infra-as-code/bicep/modules/subscriptionPlacement/subscriptionPlacement.bicep --parameters @infra-as-code/bicep/modules/subscriptionPlacement/subscriptionPlacement.parameters.example.json parTargetManagementGroupId=$(ManagementGroupPrefix)-platform-connectivity parSubscriptionIds='[$(subscriptionId)]' --location $(Location) --management-group-id $(ManagementGroupPrefix)
+        az deployment mg create --template-file infra-as-code/bicep/modules/subscriptionPlacement/subscriptionPlacement.bicep --parameters @infra-as-code/bicep/modules/subscriptionPlacement/subscriptionPlacement.parameters.example.json parTargetManagementGroupId=$(ManagementGroupPrefix)-platform-connectivity parSubscriptionIds='["$(subscriptionId)"]' --location $(Location) --management-group-id $(ManagementGroupPrefix)
+
+  - task: AzurePowerShell@5
+    displayName: Az PwSh alzDefaultPolicyAssignments for PR
+    name: alz_default_policy_assignments
+    condition: and(ne(variables['gitManagementOUTPUT'], ''), ne(variables['subscriptionId'], ''))
+    inputs:
+      azureSubscription: 'azserviceconnection'
+      ScriptType: 'FilePath'
+      ScriptPath: '.github/scripts/Set-AlzDefaultPolicyAssignment.ps1'
+      ScriptArguments: '-ManagementGroupId "$(ManagementGroupPrefix)-platform" -parLocation $(Location) -templateFile ./infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep -parameterFile .\infra-as-code\bicep\modules\policy\assignments\alzDefaults\alzDefaultPolicyAssignments.parameters.example.json -parTopLevelManagementGroupPrefix $(ManagementGroupPrefix) -parLogAnalyticsWorkSpaceAndAutomationAccountLocation $(Location) -parLogAnalyticsWorkspaceResourceID "/subscriptions/$(subscriptionId)/resourceGroups/$(ResourceGroupName)/providers/Microsoft.OperationalInsights/workspaces/alz-log-analytics" -parDdosProtectionPlanId "/subscriptions/$(subscriptionId)/resourceGroups/$(ResourceGroupName)/providers/Microsoft.Network/ddosProtectionPlans/alz-Ddos-Plan"'
+      azurePowerShellVersion: 'LatestVersion'
+      pwsh: true
 
   - task: Bash@3    
     displayName: Az CLI Deploy Hub Networking for PR