From 53364b65526a8eacafa153f05e77698eee0f2372 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=B4mulo=20Farias?=
Date: Thu, 4 Apr 2024 10:44:57 +0200
Subject: [PATCH 01/33] Add Lint ARM Templates step
---
 .github/workflows/arm-template-lint.yml | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)
 create mode 100644 .github/workflows/arm-template-lint.yml
diff --git a/.github/workflows/arm-template-lint.yml b/.github/workflows/arm-template-lint.yml
new file mode 100644
index 0000000000..7582acf96f
--- /dev/null
+++ b/.github/workflows/arm-template-lint.yml
@@ -0,0 +1,23 @@
+name: Lint ARM Templates
+
+on:
+ pull_request:
+ paths:
+ - ./deploy/azure/*.json
+ push:
+ branches: [ main ]
+ paths:
+ - ./deploy/azure/*.json
+
+jobs:
+ lint-arm-ttk:
+ name: Lint ARM templates
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - uses: microsoft/action-armttk@v1
+ with:
+ github_token: ${{ secrets.github_token }}
+ # Change reviewdog reporter if you need [github-pr-check,github-check,github-pr-review].
+ reporter: github-pr-review
+ glob_pattern: "./deploy/azure/*.json"
From 0d4adf63fa59538f6cf0ab0f9a8ad98f8d6b461f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=B4mulo=20Farias?=
Date: Thu, 4 Apr 2024 10:49:03 +0200
Subject: [PATCH 02/33] Update template to force check
---
 deploy/azure/ARM-for-organization-account.json | 1 +
 1 file changed, 1 insertion(+)
diff --git a/deploy/azure/ARM-for-organization-account.json b/deploy/azure/ARM-for-organization-account.json
index 45653fb226..358aa82b6a 100644
--- a/deploy/azure/ARM-for-organization-account.json
+++ b/deploy/azure/ARM-for-organization-account.json
@@ -2,6 +2,7 @@
 "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
 "contentVersion": "1.0.0.0",
 "parameters": {
+ "ResourceGroupName": {
 "type": "string",
 "defaultValue": "[concat('cloudbeat-resource-group-', dateTimeToEpoch(utcNow('u')))]",
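Review bot: The two `uses:` lines reference mutable tags (`actions/checkout@v2`, `microsoft/action-armttk@v1`) and the workflow declares no `permissions:` block, so whatever the repository's default `GITHUB_TOKEN` scope is gets handed to a third-party action that posts review comments. Pin both actions to a full commit SHA (tag in a trailing comment) and declare the minimum explicitly at workflow or job level, e.g. `permissions:` / `  contents: read` / `  pull-requests: write`; `@v2` of checkout also runs on a Node runtime GitHub has since deprecated, so `@v4` is the current major to pin from. On `pull_request` runs from forks the token is read-only regardless, so the `github-pr-review` reporter will not be able to post for external contributors — worth a comment next to `reporter:` saying so.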
From a4611c314f918dee0319400f6634c5b3db272db4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=B4mulo=20Farias?=
Date: Thu, 4 Apr 2024 10:51:02 +0200
Subject: [PATCH 03/33] Comment paths to check it's working
---
 .github/workflows/arm-template-lint.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/arm-template-lint.yml b/.github/workflows/arm-template-lint.yml
index 7582acf96f..326c46317c 100644
--- a/.github/workflows/arm-template-lint.yml
+++ b/.github/workflows/arm-template-lint.yml
@@ -2,12 +2,12 @@ name: Lint ARM Templates
 on:
 pull_request:
- paths:
- - ./deploy/azure/*.json
+# paths:
+# - ./deploy/azure/*.json
 push:
 branches: [ main ]
- paths:
- - ./deploy/azure/*.json
+# paths:
+# - ./deploy/azure/*.json
 jobs:
 lint-arm-ttk:
From ff6df4f1bd4f3c2096d7460cfafb0560a2925316 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=B4mulo=20Farias?=
Date: Thu, 4 Apr 2024 10:57:22 +0200
Subject: [PATCH 04/33] Specificy workdir
---
 .github/workflows/arm-template-lint.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/arm-template-lint.yml b/.github/workflows/arm-template-lint.yml
index 326c46317c..30a31448e6 100644
--- a/.github/workflows/arm-template-lint.yml
+++ b/.github/workflows/arm-template-lint.yml
@@ -20,4 +20,5 @@ jobs:
 github_token: ${{ secrets.github_token }}
 # Change reviewdog reporter if you need [github-pr-check,github-check,github-pr-review].
 reporter: github-pr-review
- glob_pattern: "./deploy/azure/*.json"
+ workdir: "./deploy/azure/"
+ glob_pattern: "*.json"
From b3e9027160f1b974f05b06bbfbdb9c986b1e1bda Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=B4mulo=20Farias?=
Date: Thu, 4 Apr 2024 12:13:35 +0200
Subject: [PATCH 05/33] Copy files to another dir
---
 .github/workflows/arm-template-lint.yml | 21 ++++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/arm-template-lint.yml b/.github/workflows/arm-template-lint.yml
index 30a31448e6..2d7042325f 100644
--- a/.github/workflows/arm-template-lint.yml
+++ b/.github/workflows/arm-template-lint.yml
@@ -15,10 +15,25 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v2
+ # Copy files to its own folder because it's what the official ARM-TTK action expects
+ # Docs https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/test-toolkit#test-parameters
+ - name: copy-files
+ working-directory: ./deploy/azure
+ run: |
+ mkdir ARM-for-organization-account
+ cp ARM-for-organization-account.json ARM-for-organization-account/azuredeploy.json
+
+ mkdir ARM-for-single-account
+ cp ARM-for-single-account.json ARM-for-single-account/azuredeploy.json
+
+ - uses: microsoft/action-armttk@v1
+ with:
+ github_token: ${{ secrets.github_token }}
+ workdir: "./deploy/azure/ARM-for-organization-account"
+ glob_pattern: "*.json"
+
 - uses: microsoft/action-armttk@v1
 with:
 github_token: ${{ secrets.github_token }}
- # Change reviewdog reporter if you need [github-pr-check,github-check,github-pr-review].
- reporter: github-pr-review
- workdir: "./deploy/azure/"
+ workdir: "./deploy/azure/ARM-for-single-account"
 glob_pattern: "*.json"
From 6eb2cac279483b5d4ee4e64a0e5d55e1a251c3a0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=B4mulo=20Farias?=
Date: Thu, 4 Apr 2024 12:20:28 +0200
Subject: [PATCH 06/33] Add matrix
---
 .github/workflows/arm-template-lint.yml | 22 ++++++++--------------
 1 file changed, 8 insertions(+), 14 deletions(-)
diff --git a/.github/workflows/arm-template-lint.yml b/.github/workflows/arm-template-lint.yml
index 2d7042325f..578173d0e1 100644
--- a/.github/workflows/arm-template-lint.yml
+++ b/.github/workflows/arm-template-lint.yml
@@ -13,27 +13,21 @@ jobs:
 lint-arm-ttk:
 name: Lint ARM templates
 runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ template: [ "ARM-for-organization-account", "ARM-for-single-account" ]
 steps:
 - uses: actions/checkout@v2
 # Copy files to its own folder because it's what the official ARM-TTK action expects
 # Docs https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/test-toolkit#test-parameters
- - name: copy-files
+ - name: copy file
 working-directory: ./deploy/azure
 run: |
- mkdir ARM-for-organization-account
- cp ARM-for-organization-account.json ARM-for-organization-account/azuredeploy.json
-
- mkdir ARM-for-single-account
- cp ARM-for-single-account.json ARM-for-single-account/azuredeploy.json
-
- - uses: microsoft/action-armttk@v1
- with:
- github_token: ${{ secrets.github_token }}
- workdir: "./deploy/azure/ARM-for-organization-account"
- glob_pattern: "*.json"
+ mkdir ${{ matrix.template }}
+ cp ${{ matrix.template }}.json ${{ matrix.template }}/azuredeploy.json
 - uses: microsoft/action-armttk@v1
+ name: lint ${{ matrix.template }}
 with:
 github_token: ${{ secrets.github_token }}
- workdir: "./deploy/azure/ARM-for-single-account"
- glob_pattern: "*.json"
+ workdir: "./deploy/azure/${{ matrix.template }}"
From 7478d75055cd3f4524ee1866471dacde72d54046 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=B4mulo=20Farias?=
Date: Thu, 4 Apr 2024 12:23:32 +0200
Subject: [PATCH 07/33] Bring path back
---
 .github/workflows/arm-template-lint.yml | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/arm-template-lint.yml b/.github/workflows/arm-template-lint.yml
index 578173d0e1..6c3e5405cf 100644
--- a/.github/workflows/arm-template-lint.yml
+++ b/.github/workflows/arm-template-lint.yml
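Review bot: The new `template:` matrix lists only the two production templates, while the same `deploy/azure` directory also holds `ARM-for-organization-account.dev.json` and `ARM-for-single-account.dev.json` (edited later in this series), so those variants are never copied or linted; if they are meant to stay deployable, add `"ARM-for-organization-account.dev"` and `"ARM-for-single-account.dev"` to the list — the `cp ${{ matrix.template }}.json` line already works with that naming. Separately, `mkdir ${{ matrix.template }}` and the `cp` line interpolate a workflow expression straight into the shell script; the values come from this literal list so there is no injection path today, but the conventional, future-proof form is to expose the value on the step as `env:` / `  TEMPLATE: ${{ matrix.template }}` and use `"$TEMPLATE"` inside `run:`, so a later switch to a computed matrix cannot turn this into a shell-injection sink.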
@@ -2,16 +2,15 @@ name: Lint ARM Templates
 on:
 pull_request:
-# paths:
-# - ./deploy/azure/*.json
+ paths:
+ - ./deploy/azure/*.json
 push:
 branches: [ main ]
-# paths:
-# - ./deploy/azure/*.json
+ paths:
+ - ./deploy/azure/*.json
 jobs:
 lint-arm-ttk:
- name: Lint ARM templates
 runs-on: ubuntu-latest
 strategy:
 matrix:
From bc2740519153d15d8c85bd8f09eeee5ec6a603f4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=B4mulo=20Farias?=
Date: Thu, 4 Apr 2024 12:26:59 +0200
Subject: [PATCH 08/33] Fix paths
---
 .github/workflows/arm-template-lint.yml | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/arm-template-lint.yml b/.github/workflows/arm-template-lint.yml
index 6c3e5405cf..e34c9e6ef0 100644
--- a/.github/workflows/arm-template-lint.yml
+++ b/.github/workflows/arm-template-lint.yml
@@ -3,11 +3,12 @@ name: Lint ARM Templates
 on:
 pull_request:
 paths:
- - ./deploy/azure/*.json
+ - "deploy/azure/*.json"
 push:
- branches: [ main ]
+ branches:
+ - main
 paths:
- - ./deploy/azure/*.json
+ - "deploy/azure/*.json"
 jobs:
 lint-arm-ttk:
From a0c38ee200c95cdc31f7e5bc8f1e5b534736ee09 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=B4mulo=20Farias?=
Date: Thu, 4 Apr 2024 12:28:00 +0200
Subject: [PATCH 09/33] Remove any changes to see if doesn't trigger
---
 .github/workflows/arm-template-lint.yml | 3 ++-
 deploy/azure/ARM-for-organization-account.json | 1 -
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/arm-template-lint.yml b/.github/workflows/arm-template-lint.yml
index e34c9e6ef0..e41b9395c6 100644
--- a/.github/workflows/arm-template-lint.yml
+++ b/.github/workflows/arm-template-lint.yml
@@ -1,4 +1,4 @@
-name: Lint ARM Templates
+name: ARM Templates
 on:
 pull_request:
@@ -12,6 +12,7 @@ on:
 jobs:
 lint-arm-ttk:
+ name: Lint
 runs-on: ubuntu-latest
 strategy:
 matrix:
diff --git a/deploy/azure/ARM-for-organization-account.json b/deploy/azure/ARM-for-organization-account.json
index 358aa82b6a..45653fb226 100644
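Review bot: Both `paths:` filters on the `pull_request` and `push` triggers cover only `deploy/azure/*.json`, so a change to the workflow itself — like every commit in this series — does not run it, and the lint is silently skipped on exactly the PRs most likely to break it; add `- ".github/workflows/arm-template-lint.yml"` under each `paths:` list. Without that, a commit that regresses the workflow shows a green check simply because nothing ran.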
--- a/deploy/azure/ARM-for-organization-account.json +++ b/deploy/azure/ARM-for-organization-account.json @@ -2,7 +2,6 @@ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", "contentVersion": "1.0.0.0", "parameters": { - "ResourceGroupName": { "type": "string", "defaultValue": "[concat('cloudbeat-resource-group-', dateTimeToEpoch(utcNow('u')))]", From 27092a31e6ddec5c57d3d7f4abf1337df8114fe4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?R=C3=B4mulo=20Farias?= Date: Thu, 4 Apr 2024 13:08:15 +0200 Subject: [PATCH 10/33] Fix all linting issues from organizational template --- .../ARM-for-organization-account.dev.json | 71 +++++++------- .../azure/ARM-for-organization-account.json | 96 +++++++++++-------- 2 files changed, 87 insertions(+), 80 deletions(-) diff --git a/deploy/azure/ARM-for-organization-account.dev.json b/deploy/azure/ARM-for-organization-account.dev.json index 411c5b5b23..f08db1973d 100644 --- a/deploy/azure/ARM-for-organization-account.dev.json +++ b/deploy/azure/ARM-for-organization-account.dev.json @@ -41,6 +41,13 @@ "description": "The enrollment token of elastic-agent" } }, + "DeploymentLocation": { + "type": "string", + "defaultValue": "[deployment().location]", + "metadata": { + "description": "Deployment location" + } + }, "PublicKeyDevOnly": { "type": "string", "metadata": { @@ -49,8 +56,8 @@ } }, "variables": { - "resourceGroupDeployment": "[concat('resource-group-deployment-', deployment().location)]", - "roleAssignmentDeployment": "[concat('role-assignment-deployment-', deployment().location)]", + "resourceGroupDeployment": "[concat('resource-group-deployment-', parameters('DeploymentLocation'))]", + "roleAssignmentDeployment": "[concat('role-assignment-deployment-', parameters('DeploymentLocation'))]", "roleGUID": "[guid(parameters('SubscriptionId'))]" }, "resources": [ 
@@ -58,7 +65,7 @@ "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", "name": "[variables('resourceGroupDeployment')]", - "location": "[deployment().location]", + "location": "[parameters('DeploymentLocation')]", "subscriptionId": "[parameters('SubscriptionId')]", "properties": { "expressionEvaluationOptions": { @@ -70,7 +77,7 @@ "value": "[parameters('ResourceGroupName')]" }, "Location": { - "value": "[deployment().location]" + "value": "[parameters('DeploymentLocation')]" } }, "template": { @@ -99,7 +106,7 @@ "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", "name": "[variables('roleAssignmentDeployment')]", - "location": "[deployment().location]", + "location": "[parameters('DeploymentLocation')]", "properties": { "expressionEvaluationOptions": { "scope": "inner" @@ -143,7 +150,7 @@ "name": "[guid(parameters('ManagementGroupID'), parameters('SubscriptionId'), parameters('ResourceGroupName'), deployment().name, 'securityaudit')]", "properties": { "roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7", - "principalId": "[reference(resourceId(parameters('SubscriptionId'), parameters('ResourceGroupName'), 'Microsoft.Compute/virtualMachines', 'cloudbeatVM'), '2019-07-01', 'Full').identity.principalId]", + "principalId": "[reference(resourceId(parameters('SubscriptionId'), parameters('ResourceGroupName'), 'Microsoft.Compute/virtualMachines', 'cloudbeatVM'), '2023-09-01', 'Full').identity.principalId]", "principalType": "ServicePrincipal" } }, 
@@ -153,7 +160,7 @@ "name": "[guid(parameters('SubscriptionId'), parameters('ResourceGroupName'), deployment().name, 'additional-role')]", "properties": { "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', parameters('AdditionalRoleGUID'))]", - "principalId": "[reference(resourceId(parameters('SubscriptionId'), parameters('ResourceGroupName'), 'Microsoft.Compute/virtualMachines', 'cloudbeatVM'), '2019-07-01', 'Full').identity.principalId]", + "principalId": "[reference(resourceId(parameters('SubscriptionId'), parameters('ResourceGroupName'), 'Microsoft.Compute/virtualMachines', 'cloudbeatVM'), '2023-09-01', 'Full').identity.principalId]", "principalType": "ServicePrincipal" } } @@ -192,15 +199,15 @@ "resources": [ { "type": "Microsoft.Compute/virtualMachines", - "apiVersion": "2021-04-01", + "apiVersion": "2023-09-01", "name": "cloudbeatVM", - "location": "[resourceGroup().location]", + "location": "[parameters('ResourceGroupLocation')]", "dependsOn": [ "cloudbeatNic" ], "properties": { "hardwareProfile": { - "vmSize": "Standard_DS2_v2" + "vmSize": "[parameters('VMSize')]" }, "storageProfile": { "osDisk": { @@ -218,7 +225,7 @@ }, "osProfile": { "computerName": "cloudbeatVM", - "adminUsername": "cloudbeat", + "adminUsername": "[parameters('AdminUsername')]", "linuxConfiguration": { "disablePasswordAuthentication": true, "ssh": { @@ -245,9 +252,9 @@ }, { "type": "Microsoft.Network/virtualNetworks", - "apiVersion": "2021-04-01", + "apiVersion": "2023-06-01", "name": "cloudbeatVNet", - "location": "[resourceGroup().location]", + "location": "[parameters('ResourceGroupLocation')]", "properties": { "addressSpace": { "addressPrefixes": [ 
@@ -272,9 +279,9 @@ }, { "type": "Microsoft.Network/networkInterfaces", - "apiVersion": "2021-04-01", + "apiVersion": "2023-06-01", "name": "cloudbeatNic", - "location": "[resourceGroup().location]", + "location": "[parameters('ResourceGroupLocation')]", "dependsOn": [ "cloudbeatVNet", "[resourceId('Microsoft.Network/publicIPAddresses', 'cloudbeatPublicIPDevOnly')]" @@ -295,24 +302,6 @@ ] } }, - { - "type": "Microsoft.Compute/virtualMachines/extensions", - "apiVersion": "2021-04-01", - "name": "cloudbeatVM/EnableMSIExtension", - "location": "[resourceGroup().location]", - "dependsOn": [ - "cloudbeatVM" - ], - "properties": { - "publisher": "Microsoft.ManagedIdentity", - "type": "ManagedIdentityExtensionForLinux", - "typeHandlerVersion": "1.0", - "autoUpgradeMinorVersion": true, - "settings": { - "port": 50342 - } - } - }, { "type": "Microsoft.Authorization/roleDefinitions", "apiVersion": "2022-04-01", @@ -330,10 +319,7 @@ "Microsoft.Web/sites/*/read", "Microsoft.Web/sites/config/Read", "Microsoft.Web/sites/config/list/Action" - ], - "dataActions": [], - "notActions": [], - "notDataActions": [] + ] } ], "roleName": "cloudbeatVM additional permissions", @@ -419,14 +405,21 @@ }, "ElasticAgentVersion": { "type": "string" + }, + "ResourceGroupLocation": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Resource Group Location" + } } }, "resources": [ { "type": "Microsoft.Compute/virtualMachines/extensions", - "apiVersion": "2021-04-01", + "apiVersion": "2023-09-01", "name": "cloudbeatVM/customScriptExtension", - "location": "[resourceGroup().location]", + "location": "[parameters('ResourceGroupLocation')]", "properties": { "publisher": "Microsoft.Azure.Extensions", "type": "CustomScript", diff --git a/deploy/azure/ARM-for-organization-account.json b/deploy/azure/ARM-for-organization-account.json index 45653fb226..50884b4e9f 100644 --- a/deploy/azure/ARM-for-organization-account.json 
+++ b/deploy/azure/ARM-for-organization-account.json @@ -40,11 +40,18 @@ "metadata": { "description": "The enrollment token of elastic-agent" } + }, + "DeploymentLocation": { + "type": "string", + "defaultValue": "[deployment().location]", + "metadata": { + "description": "Deployment location" + } } }, "variables": { - "resourceGroupDeployment": "[concat('resource-group-deployment-', deployment().location)]", - "roleAssignmentDeployment": "[concat('role-assignment-deployment-', deployment().location)]", + "resourceGroupDeployment": "[concat('resource-group-deployment-', parameters('DeploymentLocation'))]", + "roleAssignmentDeployment": "[concat('role-assignment-deployment-', parameters('DeploymentLocation'))]", "roleGUID": "[guid(parameters('SubscriptionId'))]" }, "resources": [ @@ -52,7 +59,7 @@ "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", "name": "[variables('resourceGroupDeployment')]", - "location": "[deployment().location]", + "location": "[parameters('DeploymentLocation')]", "subscriptionId": "[parameters('SubscriptionId')]", "properties": { "expressionEvaluationOptions": { @@ -64,7 +71,7 @@ "value": "[parameters('ResourceGroupName')]" }, "Location": { - "value": "[deployment().location]" + "value": "[parameters('DeploymentLocation')]" } }, "template": { @@ -93,7 +100,7 @@ "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", "name": "[variables('roleAssignmentDeployment')]", - "location": "[deployment().location]", + "location": "[parameters('DeploymentLocation')]", "properties": { "expressionEvaluationOptions": { "scope": "inner" 
@@ -137,7 +144,7 @@ "name": "[guid(parameters('ManagementGroupID'), parameters('SubscriptionId'), parameters('ResourceGroupName'), deployment().name, 'securityaudit')]", "properties": { "roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7", - "principalId": "[reference(resourceId(parameters('SubscriptionId'), parameters('ResourceGroupName'), 'Microsoft.Compute/virtualMachines', 'cloudbeatVM'), '2019-07-01', 'Full').identity.principalId]", + "principalId": "[reference(resourceId(parameters('SubscriptionId'), parameters('ResourceGroupName'), 'Microsoft.Compute/virtualMachines', 'cloudbeatVM'), '2023-09-01', 'Full').identity.principalId]", "principalType": "ServicePrincipal" } }, @@ -147,7 +154,7 @@ "name": "[guid(parameters('SubscriptionId'), parameters('ResourceGroupName'), deployment().name, 'additional-role')]", "properties": { "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', parameters('AdditionalRoleGUID'))]", - "principalId": "[reference(resourceId(parameters('SubscriptionId'), parameters('ResourceGroupName'), 'Microsoft.Compute/virtualMachines', 'cloudbeatVM'), '2019-07-01', 'Full').identity.principalId]", + "principalId": "[reference(resourceId(parameters('SubscriptionId'), parameters('ResourceGroupName'), 'Microsoft.Compute/virtualMachines', 'cloudbeatVM'), '2023-09-01', 'Full').identity.principalId]", "principalType": "ServicePrincipal" } } 
@@ -199,21 +206,42 @@ }, "SubscriptionId": { "type": "string" + }, + "AdminUsername": { + "type": "string", + "defaultValue": "cloudbeat", + "metadata": { + "description": "Admin username for the OS profile (Don't change)" + } + }, + "ResourceGroupLocation": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Resource Group Location" + } + }, + "VMSize": { + "type": "string", + "defaultValue": "Standard_DS2_v2", + "metadata": { + "description": "Size of the VM to be deployed" + } } }, "resources": [ { "type": "Microsoft.Compute/virtualMachines", - "apiVersion": "2021-04-01", + "apiVersion": "2023-09-01", "name": "cloudbeatVM", - "location": "[resourceGroup().location]", + "location": "[parameters('ResourceGroupLocation')]", "dependsOn": [ "cloudbeatNic", "cloudbeatGenerateKeypair" ], "properties": { "hardwareProfile": { - "vmSize": "Standard_DS2_v2" + "vmSize": "[parameters('VMSize')]" }, "storageProfile": { "osDisk": { @@ -231,7 +259,7 @@ }, "osProfile": { "computerName": "cloudbeatVM", - "adminUsername": "cloudbeat", + "adminUsername": "[parameters('AdminUsername')]", "linuxConfiguration": { "disablePasswordAuthentication": true, "ssh": { @@ -258,9 +286,9 @@ }, { "type": "Microsoft.Network/virtualNetworks", - "apiVersion": "2021-04-01", + "apiVersion": "2023-06-01", "name": "cloudbeatVNet", - "location": "[resourceGroup().location]", + "location": "[parameters('ResourceGroupLocation')]", "properties": { "addressSpace": { "addressPrefixes": [ @@ -279,9 +307,9 @@ }, { "type": "Microsoft.Network/networkInterfaces", - "apiVersion": "2021-04-01", + "apiVersion": "2023-06-01", "name": "cloudbeatNic", - "location": "[resourceGroup().location]", + "location": "[parameters('ResourceGroupLocation')]", "dependsOn": [ "cloudbeatVNet" ], 
@@ -298,29 +326,11 @@ ] } }, - { - "type": "Microsoft.Compute/virtualMachines/extensions", - "apiVersion": "2021-04-01", - "name": "cloudbeatVM/EnableMSIExtension", - "location": "[resourceGroup().location]", - "dependsOn": [ - "cloudbeatVM" - ], - "properties": { - "publisher": "Microsoft.ManagedIdentity", - "type": "ManagedIdentityExtensionForLinux", - "typeHandlerVersion": "1.0", - "autoUpgradeMinorVersion": true, - "settings": { - "port": 50342 - } - } - }, { "type": "Microsoft.Resources/deploymentScripts", - "apiVersion": "2020-10-01", + "apiVersion": "2023-08-01", "name": "cloudbeatGenerateKeypair", - "location": "[resourceGroup().location]", + "location": "[parameters('ResourceGroupLocation')]", "kind": "AzureCLI", "properties": { "azCliVersion": "2.51.0", @@ -347,10 +357,7 @@ "Microsoft.Web/sites/*/read", "Microsoft.Web/sites/config/Read", "Microsoft.Web/sites/config/list/Action" - ], - "dataActions": [], - "notActions": [], - "notDataActions": [] + ] } ], "roleName": "cloudbeatVM additional permissions", @@ -404,14 +411,21 @@ }, "ElasticAgentVersion": { "type": "string" + }, + "ResourceGroupLocation": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Resource Group Location" + } } }, "resources": [ { "type": "Microsoft.Compute/virtualMachines/extensions", - "apiVersion": "2021-04-01", + "apiVersion": "2023-09-01", "name": "cloudbeatVM/customScriptExtension", - "location": "[resourceGroup().location]", + "location": "[parameters('ResourceGroupLocation')]", "properties": { "publisher": "Microsoft.Azure.Extensions", "type": "CustomScript", From 50aa79ae1d8f5f39ca402731689514f087a023fe Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?R=C3=B4mulo=20Farias?= Date: Thu, 4 Apr 2024 13:22:34 +0200 Subject: [PATCH 11/33] Fix all linting issues from single template --- .github/workflows/arm-template-lint.yml | 1 + deploy/azure/ARM-for-single-account.dev.json | 63 ++++++++--------- deploy/azure/ARM-for-single-account.json | 74 ++++++++++---------- 3 files changed, 66 insertions(+), 72 deletions(-) diff --git a/.github/workflows/arm-template-lint.yml b/.github/workflows/arm-template-lint.yml index e41b9395c6..8291b96346 100644 --- a/.github/workflows/arm-template-lint.yml +++ b/.github/workflows/arm-template-lint.yml @@ -15,6 +15,7 @@ jobs: name: Lint runs-on: ubuntu-latest strategy: + fail-fast: false matrix: template: [ "ARM-for-organization-account", "ARM-for-single-account" ] steps: diff --git a/deploy/azure/ARM-for-single-account.dev.json b/deploy/azure/ARM-for-single-account.dev.json index 00fe94de29..607bd21e52 100644 --- a/deploy/azure/ARM-for-single-account.dev.json +++ b/deploy/azure/ARM-for-single-account.dev.json @@ -28,6 +28,13 @@ "description": "The enrollment token of elastic-agent" } }, + "ResourceGroupLocation": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Resource Group location" + } + }, "PublicKeyDevOnly": { "type": "string", "metadata": { @@ -44,7 +51,7 @@ "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", "name": "[variables('roleAssignmentDeployment')]", - "location": "[resourceGroup().location]", + "location": "[parameters('ResourceGroupLocation')]", "subscriptionId": "[subscription().subscriptionId]", "properties": { "expressionEvaluationOptions": { 
@@ -77,7 +84,7 @@ "name": "[guid(subscription().id, parameters('ResourceGroupName'), deployment().name, 'securityaudit')]", "properties": { "roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7", - "principalId": "[reference(resourceId(subscription().subscriptionId, parameters('ResourceGroupName'), 'Microsoft.Compute/virtualMachines', 'cloudbeatVM'), '2019-07-01', 'Full').identity.principalId]", + "principalId": "[reference('Microsoft.Compute/virtualMachines', 'cloudbeatVM'), '2023-09-01', 'Full').identity.principalId]", "principalType": "ServicePrincipal" } }, @@ -87,7 +94,7 @@ "name": "[guid(subscription().id, parameters('ResourceGroupName'), deployment().name, 'additional-role')]", "properties": { "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', parameters('AdditionalRoleGUID'))]", - "principalId": "[reference(resourceId(subscription().subscriptionId, parameters('ResourceGroupName'), 'Microsoft.Compute/virtualMachines', 'cloudbeatVM'), '2019-07-01', 'Full').identity.principalId]", + "principalId": "[reference(resourceId('Microsoft.Compute/virtualMachines', 'cloudbeatVM'), '2023-09-01', 'Full').identity.principalId]", "principalType": "ServicePrincipal" } } @@ -123,15 +130,15 @@ "resources": [ { "type": "Microsoft.Compute/virtualMachines", - "apiVersion": "2021-04-01", + "apiVersion": "2023-09-01", "name": "cloudbeatVM", - "location": "[resourceGroup().location]", + "location": "[parameters('ResourceGroupLocation')]", "dependsOn": [ "cloudbeatNic" ], "properties": { "hardwareProfile": { - "vmSize": "Standard_DS2_v2" + "vmSize": "[parameters('VMSize'))]" }, "storageProfile": { "osDisk": { 
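Review bot: The new `principalId` value in the `securityaudit` role assignment, `[reference('Microsoft.Compute/virtualMachines', 'cloudbeatVM'), '2023-09-01', 'Full').identity.principalId]`, is syntactically broken — the `resourceId(` call was dropped but its closing parenthesis kept, so the expression has an unmatched `)` and the deployment is rejected at template validation. The `additional-role` assignment in the next hunk (`@@ -87,7 +94,7 @@`) has the intended form, `[reference(resourceId('Microsoft.Compute/virtualMachines', 'cloudbeatVM'), '2023-09-01', 'Full').identity.principalId]`; use the same here. The identical broken expression is added to `ARM-for-single-account.json` at `@@ -71,7 +78,7 @@`. Note that this `.dev.json` file is not in the lint job's matrix, so ARM-TTK never sees it, and that dropping the subscription and resource-group arguments from `resourceId` changes the scope it resolves against inside this nested deployment — presumably fine if the VM is deployed in the same scope, but worth confirming with a test deployment.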
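Review bot: `"vmSize": "[parameters('VMSize'))]"` in the `cloudbeatVM` resource has one `)` too many; it should read `"vmSize": "[parameters('VMSize')]"`. Beyond the typo, none of the hunks for this file declare a `VMSize` parameter (only `ResourceGroupLocation` is added at `@@ -28,6 +28,13 @@`), so unless it already exists in an unchanged part of the nested template the reference is undefined as well — the organization templates in the previous patch declare it with `"defaultValue": "Standard_DS2_v2"`. The same extra parenthesis appears in `ARM-for-single-account.json` at `@@ -118,21 +125,28 @@`, which does declare `VMSize`.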
@@ -145,11 +152,18 @@ "offer": "0001-com-ubuntu-server-jammy", "sku": "22_04-lts-gen2", "version": "latest" + }, + "AdminUsername": { + "type": "string", + "defaultValue": "cloudbeat", + "metadata": { + "description": "Admin username for the OS profile (Don't change)" + } } }, "osProfile": { "computerName": "cloudbeatVM", - "adminUsername": "cloudbeat", + "adminUsername": "[parameters('AdminUsername')]", "linuxConfiguration": { "disablePasswordAuthentication": true, "ssh": { @@ -176,9 +190,9 @@ }, { "type": "Microsoft.Network/virtualNetworks", - "apiVersion": "2021-04-01", + "apiVersion": "2023-06-01", "name": "cloudbeatVNet", - "location": "[resourceGroup().location]", + "location": "[parameters('ResourceGroupLocation')]", "properties": { "addressSpace": { "addressPrefixes": [ @@ -203,9 +217,9 @@ }, { "type": "Microsoft.Network/networkInterfaces", - "apiVersion": "2021-04-01", + "apiVersion": "2023-06-01", "name": "cloudbeatNic", - "location": "[resourceGroup().location]", + "location": "[parameters('ResourceGroupLocation')]", "dependsOn": [ "cloudbeatVNet", "[resourceId('Microsoft.Network/publicIPAddresses', 'cloudbeatPublicIPDevOnly')]" @@ -226,24 +240,6 @@ ] } }, - { - "type": "Microsoft.Compute/virtualMachines/extensions", - "apiVersion": "2021-04-01", - "name": "cloudbeatVM/EnableMSIExtension", - "location": "[resourceGroup().location]", - "dependsOn": [ - "cloudbeatVM" - ], - "properties": { - "publisher": "Microsoft.ManagedIdentity", - "type": "ManagedIdentityExtensionForLinux", - "typeHandlerVersion": "1.0", - "autoUpgradeMinorVersion": true, - "settings": { - "port": 50342 - } - } - }, { "type": "Microsoft.Authorization/roleDefinitions", "apiVersion": "2022-04-01", @@ -260,10 +256,7 @@ "Microsoft.Web/sites/*/read", "Microsoft.Web/sites/config/Read", "Microsoft.Web/sites/config/list/Action" - ], - "dataActions": [], - "notActions": [], - "notDataActions": [] + ] } ], "roleName": "cloudbeatVM additional permissions", 
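Review bot: The `AdminUsername` parameter declaration is inserted inside the `cloudbeatVM` resource's `storageProfile` object, as a sibling of `imageReference`, instead of under the nested template's `parameters`; as placed it is an unknown property on the VM resource, and `[parameters('AdminUsername')]` on the `adminUsername` line a few lines below resolves nothing, so the deployment fails validation. Move the block (`"AdminUsername": { "type": "string", "defaultValue": "cloudbeat", ... }`) next to the other parameters, as the organization templates in the previous patch do beside `ResourceGroupLocation` and `VMSize`. `ARM-for-single-account.json` has the same misplacement at `@@ -146,11 +160,18 @@`.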
@@ -349,9 +342,9 @@ "resources": [ { "type": "Microsoft.Compute/virtualMachines/extensions", - "apiVersion": "2021-04-01", + "apiVersion": "2023-09-01", "name": "cloudbeatVM/customScriptExtension", - "location": "[resourceGroup().location]", + "location": "[parameters('ResourceGroupLocation')]", "properties": { "publisher": "Microsoft.Azure.Extensions", "type": "CustomScript", diff --git a/deploy/azure/ARM-for-single-account.json b/deploy/azure/ARM-for-single-account.json index 6bd1ad3ae7..0a78ed6693 100644 --- a/deploy/azure/ARM-for-single-account.json +++ b/deploy/azure/ARM-for-single-account.json @@ -27,6 +27,13 @@ "metadata": { "description": "The enrollment token of elastic-agent" } + }, + "ResourceGroupLocation": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Resource Group location" + } } }, "variables": { @@ -38,7 +45,7 @@ "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", "name": "[variables('roleAssignmentDeployment')]", - "location": "[resourceGroup().location]", + "location": "[parameters('ResourceGroupLocation')]", "subscriptionId": "[subscription().subscriptionId]", "properties": { "expressionEvaluationOptions": { @@ -71,7 +78,7 @@ "name": "[guid(subscription().id, parameters('ResourceGroupName'), deployment().name, 'securityaudit')]", "properties": { "roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7", - "principalId": "[reference(resourceId(subscription().subscriptionId, parameters('ResourceGroupName'), 'Microsoft.Compute/virtualMachines', 'cloudbeatVM'), '2019-07-01', 'Full').identity.principalId]", + "principalId": "[reference('Microsoft.Compute/virtualMachines', 'cloudbeatVM'), '2023-09-01', 'Full').identity.principalId]", "principalType": "ServicePrincipal" } }, 
@@ -81,7 +88,7 @@ "name": "[guid(subscription().id, parameters('ResourceGroupName'), deployment().name, 'additional-role')]", "properties": { "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', parameters('AdditionalRoleGUID'))]", - "principalId": "[reference(resourceId(subscription().subscriptionId, parameters('ResourceGroupName'), 'Microsoft.Compute/virtualMachines', 'cloudbeatVM'), '2019-07-01', 'Full').identity.principalId]", + "principalId": "[reference(resourceId('Microsoft.Compute/virtualMachines', 'cloudbeatVM'), '2023-09-01', 'Full').identity.principalId]", "principalType": "ServicePrincipal" } } @@ -118,21 +125,28 @@ }, "AdditionalRoleGUID": { "type": "string" + }, + "VMSize": { + "type": "string", + "defaultValue": "Standard_DS2_v2", + "metadata": { + "description": "VM Size" + } } }, "resources": [ { "type": "Microsoft.Compute/virtualMachines", - "apiVersion": "2021-04-01", + "apiVersion": "2023-09-01", "name": "cloudbeatVM", - "location": "[resourceGroup().location]", + "location": "[parameters('ResourceGroupLocation')]", "dependsOn": [ "cloudbeatNic", "cloudbeatGenerateKeypair" ], "properties": { "hardwareProfile": { - "vmSize": "Standard_DS2_v2" + "vmSize": "[parameters('VMSize'))]" }, "storageProfile": { "osDisk": { @@ -146,11 +160,18 @@ "offer": "0001-com-ubuntu-server-jammy", "sku": "22_04-lts-gen2", "version": "latest" + }, + "AdminUsername": { + "type": "string", + "defaultValue": "cloudbeat", + "metadata": { + "description": "Admin username for the OS profile (Don't change)" + } } }, "osProfile": { "computerName": "cloudbeatVM", - "adminUsername": "cloudbeat", + "adminUsername": "[parameters('AdminUsername')]", "linuxConfiguration": { "disablePasswordAuthentication": true, "ssh": { 
@@ -177,9 +198,9 @@ }, { "type": "Microsoft.Network/virtualNetworks", - "apiVersion": "2021-04-01", + "apiVersion": "2023-06-01", "name": "cloudbeatVNet", - "location": "[resourceGroup().location]", + "location": "[parameters('ResourceGroupLocation')]", "properties": { "addressSpace": { "addressPrefixes": [ @@ -198,9 +219,9 @@ }, { "type": "Microsoft.Network/networkInterfaces", - "apiVersion": "2021-04-01", + "apiVersion": "2023-06-01", "name": "cloudbeatNic", - "location": "[resourceGroup().location]", + "location": "[parameters('ResourceGroupLocation')]", "dependsOn": [ "cloudbeatVNet" ], @@ -217,29 +238,11 @@ ] } }, - { - "type": "Microsoft.Compute/virtualMachines/extensions", - "apiVersion": "2021-04-01", - "name": "cloudbeatVM/EnableMSIExtension", - "location": "[resourceGroup().location]", - "dependsOn": [ - "cloudbeatVM" - ], - "properties": { - "publisher": "Microsoft.ManagedIdentity", - "type": "ManagedIdentityExtensionForLinux", - "typeHandlerVersion": "1.0", - "autoUpgradeMinorVersion": true, - "settings": { - "port": 50342 - } - } - }, { "type": "Microsoft.Resources/deploymentScripts", - "apiVersion": "2020-10-01", + "apiVersion": "2023-08-01", "name": "cloudbeatGenerateKeypair", - "location": "[resourceGroup().location]", + "location": "[parameters('ResourceGroupLocation')]", "kind": "AzureCLI", "properties": { "azCliVersion": "2.51.0", @@ -265,10 +268,7 @@ "Microsoft.Web/sites/*/read", "Microsoft.Web/sites/config/Read", "Microsoft.Web/sites/config/list/Action" - ], - "dataActions": [], - "notActions": [], - "notDataActions": [] + ] } ], "roleName": "cloudbeatVM additional permissions", 
@@ -322,9 +322,9 @@ "resources": [ { "type": "Microsoft.Compute/virtualMachines/extensions", - "apiVersion": "2021-04-01", + "apiVersion": "2023-09-01", "name": "cloudbeatVM/customScriptExtension", - "location": "[resourceGroup().location]", + "location": "[parameters('ResourceGroupLocation')]", "properties": { "publisher": "Microsoft.Azure.Extensions", "type": "CustomScript", From c1a9777cd781a52e9b6824716a59ef257e70f372 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?R=C3=B4mulo=20Farias?= Date: Fri, 5 Apr 2024 10:36:10 +0200 Subject: [PATCH 12/33] Bring back MSI Extension --- .github/workflows/arm-template-lint.yml | 4 ++++ .../ARM-for-organization-account.dev.json | 18 ++++++++++++++++++ deploy/azure/ARM-for-organization-account.json | 18 ++++++++++++++++++ deploy/azure/ARM-for-single-account.dev.json | 18 ++++++++++++++++++ deploy/azure/ARM-for-single-account.json | 18 ++++++++++++++++++ 5 files changed, 76 insertions(+) diff --git a/.github/workflows/arm-template-lint.yml b/.github/workflows/arm-template-lint.yml index 8291b96346..f375ddd6c0 100644 --- a/.github/workflows/arm-template-lint.yml +++ b/.github/workflows/arm-template-lint.yml @@ -20,6 +20,10 @@ jobs: template: [ "ARM-for-organization-account", "ARM-for-single-account" ] steps: - uses: actions/checkout@v2 + + - name: remove unwanted rules + run: ls ~/ + # Copy files to its own folder because it's what the official ARM-TTK action expects # Docs https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/test-toolkit#test-parameters - name: copy file diff --git a/deploy/azure/ARM-for-organization-account.dev.json b/deploy/azure/ARM-for-organization-account.dev.json index f08db1973d..4813515835 100644 --- a/deploy/azure/ARM-for-organization-account.dev.json +++ b/deploy/azure/ARM-for-organization-account.dev.json 
@@ -302,6 +302,24 @@ ] } }, + { + "type": "Microsoft.Compute/virtualMachines/extensions", + "apiVersion": "2023-09-01", + "name": "cloudbeatVM/EnableMSIExtension", + "location": "[parameters('ResourceGroupLocation')]", + "dependsOn": [ + "cloudbeatVM" + ], + "properties": { + "publisher": "Microsoft.ManagedIdentity", + "type": "ManagedIdentityExtensionForLinux", + "typeHandlerVersion": "1.0", + "autoUpgradeMinorVersion": true, + "settings": { + "port": 50342 + } + } + }, { "type": "Microsoft.Authorization/roleDefinitions", "apiVersion": "2022-04-01", diff --git a/deploy/azure/ARM-for-organization-account.json b/deploy/azure/ARM-for-organization-account.json index 50884b4e9f..11def31842 100644 --- a/deploy/azure/ARM-for-organization-account.json +++ b/deploy/azure/ARM-for-organization-account.json @@ -326,6 +326,24 @@ ] } }, + { + "type": "Microsoft.Compute/virtualMachines/extensions", + "apiVersion": "2023-09-01", + "name": "cloudbeatVM/EnableMSIExtension", + "location": "[parameters('ResourceGroupLocation')]", + "dependsOn": [ + "cloudbeatVM" + ], + "properties": { + "publisher": "Microsoft.ManagedIdentity", + "type": "ManagedIdentityExtensionForLinux", + "typeHandlerVersion": "1.0", + "autoUpgradeMinorVersion": true, + "settings": { + "port": 50342 + } + } + }, { "type": "Microsoft.Resources/deploymentScripts", "apiVersion": "2023-08-01", diff --git a/deploy/azure/ARM-for-single-account.dev.json b/deploy/azure/ARM-for-single-account.dev.json index 607bd21e52..91cb53b32d 100644 --- a/deploy/azure/ARM-for-single-account.dev.json +++ b/deploy/azure/ARM-for-single-account.dev.json 
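Review bot: Both hunks on this line (and the two single-account hunks in the same commit, `@@ -240,6 +240,24 @@` and `@@ -238,6 +238,24 @@`) reinstate the `Microsoft.ManagedIdentity/ManagedIdentityExtensionForLinux` extension with `"port": 50342`, a component the series itself describes as deprecated: the workflow comment added in PATCH 17 quotes the Azure CLI release note "[BREAKING CHANGE] Do not use VM 'ManagedIdentityExtension' for MSI support", and PATCH 15 has to delete arm-ttk's `ManagedIdentityExtension-must-not-be-used.test.ps1` to get the linter past it. The role assignments in these templates read `.identity.principalId` from the VM resource, so the VM appears to carry a system-assigned identity already; on such a VM the managed-identity token endpoint is served by the platform's instance metadata service without any extension, which is presumably why PATCH 31 removes the resource again and why the "no alternative was found" justification in PATCH 17 does not hold. Dropping this commit and the rule deletion from the series keeps the linter rule intact and avoids shipping an intermediate revision that adds this extension to every deployed VM.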
@@ -240,6 +240,24 @@ ] } }, + { + "type": "Microsoft.Compute/virtualMachines/extensions", + "apiVersion": "2023-09-01", + "name": "cloudbeatVM/EnableMSIExtension", + "location": "[parameters('ResourceGroupLocation')]", + "dependsOn": [ + "cloudbeatVM" + ], + "properties": { + "publisher": "Microsoft.ManagedIdentity", + "type": "ManagedIdentityExtensionForLinux", + "typeHandlerVersion": "1.0", + "autoUpgradeMinorVersion": true, + "settings": { + "port": 50342 + } + } + }, { "type": "Microsoft.Authorization/roleDefinitions", "apiVersion": "2022-04-01", diff --git a/deploy/azure/ARM-for-single-account.json b/deploy/azure/ARM-for-single-account.json index 0a78ed6693..563728cca0 100644 --- a/deploy/azure/ARM-for-single-account.json +++ b/deploy/azure/ARM-for-single-account.json @@ -238,6 +238,24 @@ ] } }, + { + "type": "Microsoft.Compute/virtualMachines/extensions", + "apiVersion": "2023-09-01", + "name": "cloudbeatVM/EnableMSIExtension", + "location": "[parameters('ResourceGroupLocation')]", + "dependsOn": [ + "cloudbeatVM" + ], + "properties": { + "publisher": "Microsoft.ManagedIdentity", + "type": "ManagedIdentityExtensionForLinux", + "typeHandlerVersion": "1.0", + "autoUpgradeMinorVersion": true, + "settings": { + "port": 50342 + } + } + }, { "type": "Microsoft.Resources/deploymentScripts", "apiVersion": "2023-08-01", From b7753527ec4c209eb454fdb4400131f8df662343 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?R=C3=B4mulo=20Farias?= Date: Fri, 5 Apr 2024 10:44:56 +0200 Subject: [PATCH 13/33] Add reasoning to remove files --- .github/workflows/arm-template-lint.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/arm-template-lint.yml b/.github/workflows/arm-template-lint.yml index f375ddd6c0..1b82790ec5 100644 --- a/.github/workflows/arm-template-lint.yml +++ b/.github/workflows/arm-template-lint.yml 
@@ -21,6 +21,8 @@ jobs: steps: - uses: actions/checkout@v2 + # The only way to skip lint checks is by deleting files + # https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/test-toolkit#customize-tests - name: remove unwanted rules run: ls ~/ From 55de72e0fd86eb5df30c88dd723611e1b0fe93ce Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?R=C3=B4mulo=20Farias?= Date: Fri, 5 Apr 2024 11:30:03 +0200 Subject: [PATCH 14/33] List arm-ttk files --- .github/workflows/arm-template-lint.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/arm-template-lint.yml b/.github/workflows/arm-template-lint.yml index 1b82790ec5..5c3ca31802 100644 --- a/.github/workflows/arm-template-lint.yml +++ b/.github/workflows/arm-template-lint.yml @@ -24,7 +24,7 @@ jobs: # The only way to skip lint checks is by deleting files # https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/test-toolkit#customize-tests - name: remove unwanted rules - run: ls ~/ + run: ls ./arm-ttk/arm-ttk/ # Copy files to its own folder because it's what the official ARM-TTK action expects # Docs https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/test-toolkit#test-parameters From af9bc800ca0d798a099524fb7d016e19b61f1da4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?R=C3=B4mulo=20Farias?= Date: Fri, 5 Apr 2024 11:39:40 +0200 Subject: [PATCH 15/33] Ditch ARM TTK Action and implement ourselves --- .github/workflows/arm-template-lint.yml | 49 ++++++++++++++++++------- 1 file changed, 35 insertions(+), 14 deletions(-) diff --git a/.github/workflows/arm-template-lint.yml b/.github/workflows/arm-template-lint.yml index 5c3ca31802..fe657ff2a6 100644 --- a/.github/workflows/arm-template-lint.yml +++ b/.github/workflows/arm-template-lint.yml 
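Review bot: The comment added in `@@ -21,6 +21,8 @@`, `# The only way to skip lint checks is by deleting files`, is contradicted by the series itself: PATCH 15 passes `-Skip Secure-Params-In-Nested-Deployments` to `Test-AzTemplate`, so the toolkit does offer a per-test skip and deleting `.ps1` files is not the only option. If deletion is kept because the official action gives no way to pass `-Skip`, say exactly that: `# The official action exposes no skip option; once we invoke arm-ttk ourselves, Test-AzTemplate -Skip handles per-test skips`. The step it annotates, `remove unwanted rules`, still runs only `ls` (`ls ~/` here, `ls ./arm-ttk/arm-ttk/` in PATCH 14), so the name does not describe what the step does; these exploratory commits belong squashed into PATCH 15, which replaces them.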
@@ -17,25 +17,46 @@ jobs: strategy: fail-fast: false matrix: - template: [ "ARM-for-organization-account", "ARM-for-single-account" ] + template: [ "ARM-for-organization-account.json", "ARM-for-single-account.json" ] steps: - uses: actions/checkout@v2 # The only way to skip lint checks is by deleting files # https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/test-toolkit#customize-tests - - name: remove unwanted rules - run: ls ./arm-ttk/arm-ttk/ +# - name: remove unwanted rules +# run: ls ./arm-ttk/arm-ttk/ - # Copy files to its own folder because it's what the official ARM-TTK action expects - # Docs https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/test-toolkit#test-parameters - - name: copy file +# # Copy files to its own folder because it's what the official ARM-TTK action expects +# # Docs https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/test-toolkit#test-parameters +# - name: copy file +# working-directory: ./deploy/azure +# run: | +# mkdir ${{ matrix.template }} +# cp ${{ matrix.template }}.json ${{ matrix.template }}/azuredeploy.json + + # Based on https://github.com/microsoft/action-armttk/blob/main/action.yml#L56 + # + # Not used the official MS ARM TTK Action because we need to ignore some rules + # which must be done by deleting `.ps1` files https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/test-toolkit#customize-tests + # The ARM TTK Action didn't give us such flexibility + - name: Run ARM-TTK ${{ matrix.template }} working-directory: ./deploy/azure + shell: pwsh run: | - mkdir ${{ matrix.template }} - cp ${{ matrix.template }}.json ${{ matrix.template }}/azuredeploy.json - - - uses: microsoft/action-armttk@v1 - name: lint ${{ matrix.template }} - with: - github_token: ${{ secrets.github_token }} - workdir: "./deploy/azure/${{ matrix.template }}" + Install-Module -Name Pester -RequiredVersion 4.10.1 -Force + Import-Module -Name Pester -RequiredVersion 4.10.1 
-Force + Invoke-WebRequest -Uri 'aka.ms/arm-ttk-latest' -OutFile arm-template-toolkit.zip + Expand-Archive -LiteralPath arm-template-toolkit.zip -DestinationPath arm-ttk + + # Delete Unwanted rules + Remove-Item ./arm-ttk/arm-ttk/testcases/deploymentTemplate/ManagedIdentityExtension-must-not-be-used.test.ps1 + + Import-Module ./arm-ttk/arm-ttk/arm-ttk.psd1 + echo "Test-AzTemplate -TemplateF ${{ matrix.template }} -Pester -Skip Secure-Params-In-Nested-Deployments" | Out-File -FilePath ./armttk.ps1 + Invoke-Pester -Script ./armttk.ps1 -EnableExit -OutputFormat NUnitXml -OutputFile ./armttk.xml + +# - uses: microsoft/action-armttk@v1 +# name: lint ${{ matrix.template }} +# with: +# github_token: ${{ secrets.github_token }} +# workdir: "./deploy/azure/${{ matrix.template }}" From 75bcf8e1225b540a855305bccec8c725f03906b7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?R=C3=B4mulo=20Farias?= Date: Fri, 5 Apr 2024 11:41:09 +0200 Subject: [PATCH 16/33] Fix typo --- .github/workflows/arm-template-lint.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/arm-template-lint.yml b/.github/workflows/arm-template-lint.yml index fe657ff2a6..23552ce762 100644 --- a/.github/workflows/arm-template-lint.yml +++ b/.github/workflows/arm-template-lint.yml @@ -52,7 +52,7 @@ jobs: Remove-Item ./arm-ttk/arm-ttk/testcases/deploymentTemplate/ManagedIdentityExtension-must-not-be-used.test.ps1 Import-Module ./arm-ttk/arm-ttk/arm-ttk.psd1 - echo "Test-AzTemplate -TemplateF ${{ matrix.template }} -Pester -Skip Secure-Params-In-Nested-Deployments" | Out-File -FilePath ./armttk.ps1 + echo "Test-AzTemplate -TemplatePath ${{ matrix.template }} -Pester -Skip Secure-Params-In-Nested-Deployments" | Out-File -FilePath ./armttk.ps1 Invoke-Pester -Script ./armttk.ps1 -EnableExit -OutputFormat NUnitXml -OutputFile ./armttk.xml # - uses: microsoft/action-armttk@v1 From 8caa1db10e08cc635c5e86dc55272a6dde83e87a Mon Sep 17 00:00:00 2001 
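Review bot: The `Run ARM-TTK` step in `@@ -17,25 +17,46 @@` fetches the linter with `Invoke-WebRequest -Uri 'aka.ms/arm-ttk-latest'`, unzips it and executes it through `Import-Module` with no version pin and no integrity check, so whatever the redirector serves on a given day runs inside the job with the repository checked out; the Pester install two lines above is pinned to `4.10.1`, and the toolkit should be pinned the same way. Download a specific arm-ttk release archive instead of `-latest` and verify it before importing, e.g. `if ((Get-FileHash arm-template-toolkit.zip -Algorithm SHA256).Hash -ne '<EXPECTED_SHA256>') { throw 'arm-ttk checksum mismatch' }` (placeholder hash). The URI also lacks a scheme; PowerShell presumably falls back to `http://` for the first hop, so write `https://aka.ms/arm-ttk-latest` explicitly until the pin lands. `-Skip Secure-Params-In-Nested-Deployments` disables the arm-ttk test that flags secure values flowing into outer-scope nested deployments, yet the comment block added in PATCH 17 documents only the deleted `ManagedIdentityExtension` rule; add one comment line stating why that test is safe to skip for these templates (for instance, that no `securestring` parameters are passed to the nested deployments, if that is the case).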
From: =?UTF-8?q?R=C3=B4mulo=20Farias?= Date: Fri, 5 Apr 2024 11:49:54 +0200 Subject: [PATCH 17/33] Add comment over ignored rules --- .github/workflows/arm-template-lint.yml | 27 ++++++++----------------- 1 file changed, 8 insertions(+), 19 deletions(-) diff --git a/.github/workflows/arm-template-lint.yml b/.github/workflows/arm-template-lint.yml index 23552ce762..de6149b350 100644 --- a/.github/workflows/arm-template-lint.yml +++ b/.github/workflows/arm-template-lint.yml @@ -21,19 +21,6 @@ jobs: steps: - uses: actions/checkout@v2 - # The only way to skip lint checks is by deleting files - # https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/test-toolkit#customize-tests -# - name: remove unwanted rules -# run: ls ./arm-ttk/arm-ttk/ - -# # Copy files to its own folder because it's what the official ARM-TTK action expects -# # Docs https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/test-toolkit#test-parameters -# - name: copy file -# working-directory: ./deploy/azure -# run: | -# mkdir ${{ matrix.template }} -# cp ${{ matrix.template }}.json ${{ matrix.template }}/azuredeploy.json - # Based on https://github.com/microsoft/action-armttk/blob/main/action.yml#L56 # # Not used the official MS ARM TTK Action because we need to ignore some rules 
@@ -43,20 +30,22 @@ jobs: working-directory: ./deploy/azure shell: pwsh run: | + # Install Dependencies Install-Module -Name Pester -RequiredVersion 4.10.1 -Force Import-Module -Name Pester -RequiredVersion 4.10.1 -Force Invoke-WebRequest -Uri 'aka.ms/arm-ttk-latest' -OutFile arm-template-toolkit.zip Expand-Archive -LiteralPath arm-template-toolkit.zip -DestinationPath arm-ttk # Delete Unwanted rules + + # Deleting ManagedIdentityExtension-must-not-be-used.test.ps1 + # Under VMs release notes of May 7, 2018 https://learn.microsoft.com/en-us/cli/azure/release-notes-azure-cli#vm-27 + # ManagedIdentityExtension is not recommended to be used anymore ([BREAKING CHANGE] Do not use VM 'ManagedIdentityExtension' for MSI support) + # But no alternative was found and even it's possible to find official MS docs using ManagedIdentityExtension for MSI still + # Therefore, let's just skip this rule Remove-Item ./arm-ttk/arm-ttk/testcases/deploymentTemplate/ManagedIdentityExtension-must-not-be-used.test.ps1 + # Load and run test Import-Module ./arm-ttk/arm-ttk/arm-ttk.psd1 echo "Test-AzTemplate -TemplatePath ${{ matrix.template }} -Pester -Skip Secure-Params-In-Nested-Deployments" | Out-File -FilePath ./armttk.ps1 Invoke-Pester -Script ./armttk.ps1 -EnableExit -OutputFormat NUnitXml -OutputFile ./armttk.xml - -# - uses: microsoft/action-armttk@v1 -# name: lint ${{ matrix.template }} -# with: -# github_token: ${{ secrets.github_token }} -# workdir: "./deploy/azure/${{ matrix.template }}" From c495e55d7969ddf2b99b43dc86357fbb4df325ca Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?R=C3=B4mulo=20Farias?= Date: Fri, 5 Apr 2024 15:33:54 +0200 Subject: [PATCH 18/33] Fix resourceGroup location --- deploy/azure/ARM-for-organization-account.dev.json | 2 +- deploy/azure/ARM-for-organization-account.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/deploy/azure/ARM-for-organization-account.dev.json b/deploy/azure/ARM-for-organization-account.dev.json index 4813515835..b8bff35162 100644 --- a/deploy/azure/ARM-for-organization-account.dev.json +++ b/deploy/azure/ARM-for-organization-account.dev.json @@ -96,7 +96,7 @@ "type": "Microsoft.Resources/resourceGroups", "apiVersion": "2022-09-01", "name": "[parameters('ResourceGroupName')]", - "location": "[parameters('Location')]" + "location": "[parameters('DeploymentLocation')]" } ] } diff --git a/deploy/azure/ARM-for-organization-account.json b/deploy/azure/ARM-for-organization-account.json index 11def31842..78cd541fa1 100644 --- a/deploy/azure/ARM-for-organization-account.json +++ b/deploy/azure/ARM-for-organization-account.json @@ -90,7 +90,7 @@ "type": "Microsoft.Resources/resourceGroups", "apiVersion": "2022-09-01", "name": "[parameters('ResourceGroupName')]", - "location": "[parameters('Location')]" + "location": "[parameters('DeploymentLocation')]" } ] } From 2b0d0829f60f5fb35d04785e54603a15023a5c9e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?R=C3=B4mulo=20Farias?= Date: Fri, 5 Apr 2024 15:39:56 +0200 Subject: [PATCH 19/33] Add parameter on nested deployment --- deploy/azure/ARM-for-single-account.json | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/deploy/azure/ARM-for-single-account.json b/deploy/azure/ARM-for-single-account.json index 563728cca0..34a59df5d5 100644 --- a/deploy/azure/ARM-for-single-account.json +++ b/deploy/azure/ARM-for-single-account.json @@ -132,6 +132,10 @@ "metadata": { "description": "VM Size" } + }, + "ResourceGroupLocation": { + "type": "string", + "defaultValue": "[resourceGroup().location]" } }, "resources": [ From bfb1d0505e5a6f32e969dd40c9250ca9b9594d73 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?R=C3=B4mulo=20Farias?= Date: Mon, 22 Apr 2024 12:33:47 +0200 Subject: [PATCH 20/33] Fix github action version --- .github/workflows/arm-template-lint.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
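Review bot: In `@@ -96,7 +96,7 @@` and `@@ -90,7 +90,7 @@` the inner resource-group template now reads `parameters('DeploymentLocation')`, but the inner template's parameter is still declared as `Location` and the outer deployment still passes `Location` (the following commits show both), so this revision fails template validation. PATCH 21 renames the passed value, PATCH 22 adds an out-of-place `"type": "string"` to the parameter *value* object, PATCH 23 deletes both declarations and PATCH 24 finally declares and passes `DeploymentLocation`; those five commits are one change and should be squashed into a single commit that renames the parameter in all three places at once. The `ResourceGroupLocation` parameter added in `@@ -132,6 +132,10 @@` defaults to `[resourceGroup().location]`, which is fine inside a nested deployment that evaluates expressions in the inner scope (confirm `expressionEvaluationOptions.scope` is `inner`, which is outside this hunk); give it a `metadata.description` such as `"description": "Location for resources in the resource group; defaults to the group's own location"` so its difference from `DeploymentLocation` is documented.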
diff --git a/.github/workflows/arm-template-lint.yml b/.github/workflows/arm-template-lint.yml index de6149b350..04367e7984 100644 --- a/.github/workflows/arm-template-lint.yml +++ b/.github/workflows/arm-template-lint.yml @@ -19,7 +19,7 @@ jobs: matrix: template: [ "ARM-for-organization-account.json", "ARM-for-single-account.json" ] steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v4 # Based on https://github.com/microsoft/action-armttk/blob/main/action.yml#L56 # From c12def97c598ed26f4c3b51136f67f945465ed14 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?R=C3=B4mulo=20Farias?= Date: Mon, 22 Apr 2024 12:37:42 +0200 Subject: [PATCH 21/33] Fix location parameter --- deploy/azure/ARM-for-organization-account.dev.json | 2 +- deploy/azure/ARM-for-organization-account.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/deploy/azure/ARM-for-organization-account.dev.json b/deploy/azure/ARM-for-organization-account.dev.json index b8bff35162..cea2113a47 100644 --- a/deploy/azure/ARM-for-organization-account.dev.json +++ b/deploy/azure/ARM-for-organization-account.dev.json @@ -76,7 +76,7 @@ "ResourceGroupName": { "value": "[parameters('ResourceGroupName')]" }, - "Location": { + "DeploymentLocation": { "value": "[parameters('DeploymentLocation')]" } }, diff --git a/deploy/azure/ARM-for-organization-account.json b/deploy/azure/ARM-for-organization-account.json index 78cd541fa1..c7e1ea8cf8 100644 --- a/deploy/azure/ARM-for-organization-account.json +++ b/deploy/azure/ARM-for-organization-account.json @@ -70,7 +70,7 @@ "ResourceGroupName": { "value": "[parameters('ResourceGroupName')]" }, - "Location": { + "DeploymentLocation": { "value": "[parameters('DeploymentLocation')]" } }, From deb1d9ffe07cf406a13bd6023e37e5b22f975294 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?R=C3=B4mulo=20Farias?= Date: Mon, 22 Apr 2024 13:36:45 +0200 Subject: [PATCH 22/33] Fix location parameter --- deploy/azure/ARM-for-organization-account.dev.json | 3 ++- deploy/azure/ARM-for-organization-account.json | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/deploy/azure/ARM-for-organization-account.dev.json b/deploy/azure/ARM-for-organization-account.dev.json index cea2113a47..be76a212c5 100644 --- a/deploy/azure/ARM-for-organization-account.dev.json +++ b/deploy/azure/ARM-for-organization-account.dev.json @@ -77,7 +77,8 @@ "value": "[parameters('ResourceGroupName')]" }, "DeploymentLocation": { - "value": "[parameters('DeploymentLocation')]" + "value": "[parameters('DeploymentLocation')]", + "type": "string" } }, "template": { diff --git a/deploy/azure/ARM-for-organization-account.json b/deploy/azure/ARM-for-organization-account.json index c7e1ea8cf8..a7d8f7864c 100644 --- a/deploy/azure/ARM-for-organization-account.json +++ b/deploy/azure/ARM-for-organization-account.json @@ -71,7 +71,8 @@ "value": "[parameters('ResourceGroupName')]" }, "DeploymentLocation": { - "value": "[parameters('DeploymentLocation')]" + "value": "[parameters('DeploymentLocation')]", + "type": "string" } }, "template": { From fbc847b7ab3bc55309df835b130bdb19116a189b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?R=C3=B4mulo=20Farias?= Date: Mon, 22 Apr 2024 13:40:55 +0200 Subject: [PATCH 23/33] Fix Location Parameter --- deploy/azure/ARM-for-organization-account.dev.json | 7 ------- deploy/azure/ARM-for-organization-account.json | 7 ------- 2 files changed, 14 deletions(-) diff --git a/deploy/azure/ARM-for-organization-account.dev.json b/deploy/azure/ARM-for-organization-account.dev.json index be76a212c5..445ff799b5 100644 --- a/deploy/azure/ARM-for-organization-account.dev.json +++ b/deploy/azure/ARM-for-organization-account.dev.json 
@@ -75,10 +75,6 @@ "parameters": { "ResourceGroupName": { "value": "[parameters('ResourceGroupName')]" - }, - "DeploymentLocation": { - "value": "[parameters('DeploymentLocation')]", - "type": "string" } }, "template": { @@ -87,9 +83,6 @@ "parameters": { "ResourceGroupName": { "type": "string" - }, - "Location": { - "type": "string" } }, "resources": [ diff --git a/deploy/azure/ARM-for-organization-account.json b/deploy/azure/ARM-for-organization-account.json index a7d8f7864c..d3e5ad507c 100644 --- a/deploy/azure/ARM-for-organization-account.json +++ b/deploy/azure/ARM-for-organization-account.json @@ -69,10 +69,6 @@ "parameters": { "ResourceGroupName": { "value": "[parameters('ResourceGroupName')]" - }, - "DeploymentLocation": { - "value": "[parameters('DeploymentLocation')]", - "type": "string" } }, "template": { @@ -81,9 +77,6 @@ "parameters": { "ResourceGroupName": { "type": "string" - }, - "Location": { - "type": "string" } }, "resources": [ From 6313fff3a1d6cb651e75b8c0c3bb0b32436aa5a6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?R=C3=B4mulo=20Farias?= Date: Mon, 22 Apr 2024 14:04:00 +0200 Subject: [PATCH 24/33] Fix Location Parameter --- deploy/azure/ARM-for-organization-account.dev.json | 6 ++++++ deploy/azure/ARM-for-organization-account.json | 6 ++++++ 2 files changed, 12 insertions(+) diff --git a/deploy/azure/ARM-for-organization-account.dev.json b/deploy/azure/ARM-for-organization-account.dev.json index 445ff799b5..028fe3a9ed 100644 --- a/deploy/azure/ARM-for-organization-account.dev.json +++ b/deploy/azure/ARM-for-organization-account.dev.json @@ -75,6 +75,9 @@ "parameters": { "ResourceGroupName": { "value": "[parameters('ResourceGroupName')]" + }, + "DeploymentLocation": { + "value": "[parameters('DeploymentLocation')]" } }, "template": { @@ -83,6 +86,9 @@ "parameters": { "ResourceGroupName": { "type": "string" + }, + "DeploymentLocation": { + "type": "string" } }, "resources": [ 
diff --git a/deploy/azure/ARM-for-organization-account.json b/deploy/azure/ARM-for-organization-account.json index d3e5ad507c..7a7b9fe0f7 100644 --- a/deploy/azure/ARM-for-organization-account.json +++ b/deploy/azure/ARM-for-organization-account.json @@ -69,6 +69,9 @@ "parameters": { "ResourceGroupName": { "value": "[parameters('ResourceGroupName')]" + }, + "DeploymentLocation": { + "value": "[parameters('DeploymentLocation')]" } }, "template": { @@ -77,6 +80,9 @@ "parameters": { "ResourceGroupName": { "type": "string" + }, + "DeploymentLocation": { + "type": "string" } }, "resources": [ From bc437c73a87adcb228b59bf572ff137e7d18208c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?R=C3=B4mulo=20Farias?= Date: Mon, 22 Apr 2024 14:10:21 +0200 Subject: [PATCH 25/33] Fix uneven parenthesis --- deploy/azure/ARM-for-single-account.dev.json | 4 ++-- deploy/azure/ARM-for-single-account.json | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/deploy/azure/ARM-for-single-account.dev.json b/deploy/azure/ARM-for-single-account.dev.json index 91cb53b32d..16848a5917 100644 --- a/deploy/azure/ARM-for-single-account.dev.json +++ b/deploy/azure/ARM-for-single-account.dev.json @@ -84,7 +84,7 @@ "name": "[guid(subscription().id, parameters('ResourceGroupName'), deployment().name, 'securityaudit')]", "properties": { "roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7", - "principalId": "[reference('Microsoft.Compute/virtualMachines', 'cloudbeatVM'), '2023-09-01', 'Full').identity.principalId]", + "principalId": "[reference('Microsoft.Compute/virtualMachines', 'cloudbeatVM', '2023-09-01', 'Full').identity.principalId]", "principalType": "ServicePrincipal" } }, 
@@ -94,7 +94,7 @@ "name": "[guid(subscription().id, parameters('ResourceGroupName'), deployment().name, 'additional-role')]", "properties": { "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', parameters('AdditionalRoleGUID'))]", - "principalId": "[reference(resourceId('Microsoft.Compute/virtualMachines', 'cloudbeatVM'), '2023-09-01', 'Full').identity.principalId]", + "principalId": "[reference(resourceId('Microsoft.Compute/virtualMachines', 'cloudbeatVM', '2023-09-01', 'Full').identity.principalId]", "principalType": "ServicePrincipal" } } diff --git a/deploy/azure/ARM-for-single-account.json b/deploy/azure/ARM-for-single-account.json index 34a59df5d5..ad4a50c600 100644 --- a/deploy/azure/ARM-for-single-account.json +++ b/deploy/azure/ARM-for-single-account.json @@ -78,7 +78,7 @@ "name": "[guid(subscription().id, parameters('ResourceGroupName'), deployment().name, 'securityaudit')]", "properties": { "roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7", - "principalId": "[reference('Microsoft.Compute/virtualMachines', 'cloudbeatVM'), '2023-09-01', 'Full').identity.principalId]", + "principalId": "[reference('Microsoft.Compute/virtualMachines', 'cloudbeatVM', '2023-09-01', 'Full').identity.principalId]", "principalType": "ServicePrincipal" } }, @@ -88,7 +88,7 @@ "name": "[guid(subscription().id, parameters('ResourceGroupName'), deployment().name, 'additional-role')]", "properties": { "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', parameters('AdditionalRoleGUID'))]", - "principalId": "[reference(resourceId('Microsoft.Compute/virtualMachines', 'cloudbeatVM'), '2023-09-01', 'Full').identity.principalId]", + "principalId": "[reference(resourceId('Microsoft.Compute/virtualMachines', 'cloudbeatVM', '2023-09-01', 'Full').identity.principalId]", "principalType": "ServicePrincipal" } } 
From 3d515f154921c6b9023bcd9dc7238c3d9d513c30 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?R=C3=B4mulo=20Farias?= Date: Mon, 22 Apr 2024 14:16:11 +0200 Subject: [PATCH 26/33] Fix uneven parenthesis --- deploy/azure/ARM-for-single-account.dev.json | 4 ++-- deploy/azure/ARM-for-single-account.json | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/deploy/azure/ARM-for-single-account.dev.json b/deploy/azure/ARM-for-single-account.dev.json index 16848a5917..8dfbfc1e73 100644 --- a/deploy/azure/ARM-for-single-account.dev.json +++ b/deploy/azure/ARM-for-single-account.dev.json @@ -84,7 +84,7 @@ "name": "[guid(subscription().id, parameters('ResourceGroupName'), deployment().name, 'securityaudit')]", "properties": { "roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7", - "principalId": "[reference('Microsoft.Compute/virtualMachines', 'cloudbeatVM', '2023-09-01', 'Full').identity.principalId]", + "principalId": "[reference(resourceId('Microsoft.Compute/virtualMachines', 'cloudbeatVM'), '2023-09-01', 'Full').identity.principalId]", "principalType": "ServicePrincipal" } }, @@ -94,7 +94,7 @@ "name": "[guid(subscription().id, parameters('ResourceGroupName'), deployment().name, 'additional-role')]", "properties": { "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', parameters('AdditionalRoleGUID'))]", - "principalId": "[reference(resourceId('Microsoft.Compute/virtualMachines', 'cloudbeatVM', '2023-09-01', 'Full').identity.principalId]", + "principalId": "[reference(resourceId('Microsoft.Compute/virtualMachines', 'cloudbeatVM'), '2023-09-01', 'Full').identity.principalId]", "principalType": "ServicePrincipal" } } diff --git a/deploy/azure/ARM-for-single-account.json b/deploy/azure/ARM-for-single-account.json index ad4a50c600..7b85ca3ba1 100644 --- a/deploy/azure/ARM-for-single-account.json +++ b/deploy/azure/ARM-for-single-account.json 
@@ -78,7 +78,7 @@ "name": "[guid(subscription().id, parameters('ResourceGroupName'), deployment().name, 'securityaudit')]", "properties": { "roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7", - "principalId": "[reference('Microsoft.Compute/virtualMachines', 'cloudbeatVM', '2023-09-01', 'Full').identity.principalId]", + "principalId": "[reference(resourceId('Microsoft.Compute/virtualMachines', 'cloudbeatVM'), '2023-09-01', 'Full').identity.principalId]", "principalType": "ServicePrincipal" } }, @@ -88,7 +88,7 @@ "name": "[guid(subscription().id, parameters('ResourceGroupName'), deployment().name, 'additional-role')]", "properties": { "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', parameters('AdditionalRoleGUID'))]", - "principalId": "[reference(resourceId('Microsoft.Compute/virtualMachines', 'cloudbeatVM', '2023-09-01', 'Full').identity.principalId]", + "principalId": "[reference(resourceId('Microsoft.Compute/virtualMachines', 'cloudbeatVM'), '2023-09-01', 'Full').identity.principalId]", "principalType": "ServicePrincipal" } } From 9b5532a51d3c4075a6c8984de11d6215f08f78d5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?R=C3=B4mulo=20Farias?= Date: Mon, 22 Apr 2024 14:21:48 +0200 Subject: [PATCH 27/33] Fix uneven parenthesis --- deploy/azure/ARM-for-single-account.dev.json | 2 +- deploy/azure/ARM-for-single-account.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/deploy/azure/ARM-for-single-account.dev.json b/deploy/azure/ARM-for-single-account.dev.json index 8dfbfc1e73..1c0f6cb103 100644 --- a/deploy/azure/ARM-for-single-account.dev.json +++ b/deploy/azure/ARM-for-single-account.dev.json @@ -138,7 +138,7 @@ ], "properties": { "hardwareProfile": { - "vmSize": "[parameters('VMSize'))]" + "vmSize": "[parameters('VMSize')]" }, "storageProfile": { "osDisk": { 
diff --git a/deploy/azure/ARM-for-single-account.json b/deploy/azure/ARM-for-single-account.json index 7b85ca3ba1..a29bddd034 100644 --- a/deploy/azure/ARM-for-single-account.json +++ b/deploy/azure/ARM-for-single-account.json @@ -150,7 +150,7 @@ ], "properties": { "hardwareProfile": { - "vmSize": "[parameters('VMSize'))]" + "vmSize": "[parameters('VMSize')]" }, "storageProfile": { "osDisk": { From 6fc065cd6760d84b795fdfc7ccea64a2fff89754 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?R=C3=B4mulo=20Farias?= Date: Mon, 22 Apr 2024 14:25:35 +0200 Subject: [PATCH 28/33] Fix uneven parenthesis --- deploy/azure/ARM-for-single-account.dev.json | 6 ++++++ deploy/azure/ARM-for-single-account.json | 6 ++++++ 2 files changed, 12 insertions(+) diff --git a/deploy/azure/ARM-for-single-account.dev.json b/deploy/azure/ARM-for-single-account.dev.json index 1c0f6cb103..a1497cbe02 100644 --- a/deploy/azure/ARM-for-single-account.dev.json +++ b/deploy/azure/ARM-for-single-account.dev.json @@ -338,6 +338,9 @@ }, "ElasticAgentVersion": { "value": "[parameters('ElasticAgentVersion')]" + }, + "ResourceGroupLocation": { + "value": "[parameters('ResourceGroupLocation')]" } }, "template": { @@ -355,6 +358,9 @@ }, "ElasticAgentVersion": { "type": "string" + }, + "ResourceGroupLocation": { + "type": "string" } }, "resources": [ diff --git a/deploy/azure/ARM-for-single-account.json b/deploy/azure/ARM-for-single-account.json index a29bddd034..81c60ede27 100644 --- a/deploy/azure/ARM-for-single-account.json +++ b/deploy/azure/ARM-for-single-account.json @@ -322,6 +322,9 @@ }, "ElasticAgentVersion": { "value": "[parameters('ElasticAgentVersion')]" + }, + "ResourceGroupLocation": { + "value": "[parameters('ResourceGroupLocation')]" } }, "template": { @@ -339,6 +342,9 @@ }, "ElasticAgentVersion": { "type": "string" + }, + "ResourceGroupLocation": { + "type": "string" } }, "resources": [ From 9e164794be68884dc207855fdf04927e4a7ce729 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?R=C3=B4mulo=20Farias?= Date: Mon, 22 Apr 2024 14:32:23 +0200 Subject: [PATCH 29/33] Add AdminUsername a value --- deploy/azure/ARM-for-single-account.dev.json | 7 +++++++ deploy/azure/ARM-for-single-account.json | 7 +++++++ 2 files changed, 14 insertions(+) diff --git a/deploy/azure/ARM-for-single-account.dev.json b/deploy/azure/ARM-for-single-account.dev.json index a1497cbe02..78f48d8e6c 100644 --- a/deploy/azure/ARM-for-single-account.dev.json +++ b/deploy/azure/ARM-for-single-account.dev.json @@ -35,6 +35,13 @@ "description": "Resource Group location" } }, + "AdminUsername": { + "type": "string", + "defaultValue": "cloudbeat", + "metadata": { + "description": "Admin username for the OS profile of the VM (Don't change)" + } + }, "PublicKeyDevOnly": { "type": "string", "metadata": { diff --git a/deploy/azure/ARM-for-single-account.json b/deploy/azure/ARM-for-single-account.json index 81c60ede27..b6181a5003 100644 --- a/deploy/azure/ARM-for-single-account.json +++ b/deploy/azure/ARM-for-single-account.json @@ -34,6 +34,13 @@ "metadata": { "description": "Resource Group location" } + }, + "AdminUsername": { + "type": "string", + "defaultValue": "cloudbeat", + "metadata": { + "description": "Admin username for the OS profile of the VM (Don't change)" + } } }, "variables": { From 6a669a83af0312fb7c82ee527c6396d2d708e2c8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?R=C3=B4mulo=20Farias?= Date: Mon, 22 Apr 2024 14:38:21 +0200 Subject: [PATCH 30/33] Add AdminUsername a value --- deploy/azure/ARM-for-single-account.dev.json | 14 ------------- deploy/azure/ARM-for-single-account.json | 21 +++++++------------- 2 files changed, 7 insertions(+), 28 deletions(-) diff --git a/deploy/azure/ARM-for-single-account.dev.json b/deploy/azure/ARM-for-single-account.dev.json index 78f48d8e6c..9a72597e63 100644 --- a/deploy/azure/ARM-for-single-account.dev.json +++ b/deploy/azure/ARM-for-single-account.dev.json 
@@ -35,13 +35,6 @@ "description": "Resource Group location" } }, - "AdminUsername": { - "type": "string", - "defaultValue": "cloudbeat", - "metadata": { - "description": "Admin username for the OS profile of the VM (Don't change)" - } - }, "PublicKeyDevOnly": { "type": "string", "metadata": { @@ -159,13 +152,6 @@ "offer": "0001-com-ubuntu-server-jammy", "sku": "22_04-lts-gen2", "version": "latest" - }, - "AdminUsername": { - "type": "string", - "defaultValue": "cloudbeat", - "metadata": { - "description": "Admin username for the OS profile (Don't change)" - } } }, "osProfile": { diff --git a/deploy/azure/ARM-for-single-account.json b/deploy/azure/ARM-for-single-account.json index b6181a5003..92d5a07e20 100644 --- a/deploy/azure/ARM-for-single-account.json +++ b/deploy/azure/ARM-for-single-account.json @@ -34,13 +34,6 @@ "metadata": { "description": "Resource Group location" } - }, - "AdminUsername": { - "type": "string", - "defaultValue": "cloudbeat", - "metadata": { - "description": "Admin username for the OS profile of the VM (Don't change)" - } } }, "variables": { @@ -143,6 +136,13 @@ "ResourceGroupLocation": { "type": "string", "defaultValue": "[resourceGroup().location]" + }, + "AdminUsername": { + "type": "string", + "defaultValue": "cloudbeat", + "metadata": { + "description": "Admin username for the OS profile (Don't change)" + } } }, "resources": [ @@ -171,13 +171,6 @@ "offer": "0001-com-ubuntu-server-jammy", "sku": "22_04-lts-gen2", "version": "latest" - }, - "AdminUsername": { - "type": "string", - "defaultValue": "cloudbeat", - "metadata": { - "description": "Admin username for the OS profile (Don't change)" - } } }, "osProfile": { From d7558661eb3a8605860c4b29595c7ab59992ffa8 Mon Sep 17 00:00:00 2001 
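Review bot: The dev template receives only deletions in this commit (diffstat `14 ------------`), while `ARM-for-single-account.json` gets `AdminUsername` re-added inside the nested template's `parameters`; if the nested template in `ARM-for-single-account.dev.json` does not already declare it, any `parameters('AdminUsername')` reference in its `osProfile` (which starts outside the hunk, so this is inferred) will be unresolved at deployment time. A parameter whose description says `(Don't change)` is also better expressed as a variable: replace the nested `AdminUsername` parameter with `"variables": { "adminUsername": "cloudbeat" }` and reference `[variables('adminUsername')]` in `osProfile`, so the VM login name is fixed by the template rather than by convention and cannot be overridden by a caller.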
From: =?UTF-8?q?R=C3=B4mulo=20Farias?= Date: Tue, 23 Apr 2024 13:11:05 +0200 Subject: [PATCH 31/33] Remove deprecated VM extension --- .github/workflows/arm-template-lint.yml | 12 +--------- .../ARM-for-organization-account.dev.json | 24 +++---------------- .../azure/ARM-for-organization-account.json | 24 +++---------------- deploy/azure/ARM-for-single-account.dev.json | 20 +--------------- deploy/azure/ARM-for-single-account.json | 20 +--------------- 5 files changed, 9 insertions(+), 91 deletions(-) diff --git a/.github/workflows/arm-template-lint.yml b/.github/workflows/arm-template-lint.yml index 04367e7984..0eb78b9ce1 100644 --- a/.github/workflows/arm-template-lint.yml +++ b/.github/workflows/arm-template-lint.yml @@ -23,8 +23,7 @@ jobs: # Based on https://github.com/microsoft/action-armttk/blob/main/action.yml#L56 # - # Not used the official MS ARM TTK Action because we need to ignore some rules - # which must be done by deleting `.ps1` files https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/test-toolkit#customize-tests + # Not used the official MS ARM TTK Action because we don't follow the standard file naming convertion # The ARM TTK Action didn't give us such flexibility - name: Run ARM-TTK ${{ matrix.template }} working-directory: ./deploy/azure 
@@ -36,15 +35,6 @@ jobs: Invoke-WebRequest -Uri 'aka.ms/arm-ttk-latest' -OutFile arm-template-toolkit.zip Expand-Archive -LiteralPath arm-template-toolkit.zip -DestinationPath arm-ttk - # Delete Unwanted rules - - # Deleting ManagedIdentityExtension-must-not-be-used.test.ps1 - # Under VMs release notes of May 7, 2018 https://learn.microsoft.com/en-us/cli/azure/release-notes-azure-cli#vm-27 - # ManagedIdentityExtension is not recommended to be used anymore ([BREAKING CHANGE] Do not use VM 'ManagedIdentityExtension' for MSI support) - # But no alternative was found and even it's possible to find official MS docs using ManagedIdentityExtension for MSI still - # Therefore, let's just skip this rule - Remove-Item ./arm-ttk/arm-ttk/testcases/deploymentTemplate/ManagedIdentityExtension-must-not-be-used.test.ps1 - # Load and run test Import-Module ./arm-ttk/arm-ttk/arm-ttk.psd1 echo "Test-AzTemplate -TemplatePath ${{ matrix.template }} -Pester -Skip Secure-Params-In-Nested-Deployments" | Out-File -FilePath ./armttk.ps1 diff --git a/deploy/azure/ARM-for-organization-account.dev.json b/deploy/azure/ARM-for-organization-account.dev.json index 028fe3a9ed..2af2fb8ef7 100644 --- a/deploy/azure/ARM-for-organization-account.dev.json +++ b/deploy/azure/ARM-for-organization-account.dev.json @@ -58,7 +58,7 @@ "variables": { "resourceGroupDeployment": "[concat('resource-group-deployment-', parameters('DeploymentLocation'))]", "roleAssignmentDeployment": "[concat('role-assignment-deployment-', parameters('DeploymentLocation'))]", - "roleGUID": "[guid(parameters('SubscriptionId'))]" + "roleGUID": "[guid(parameters('SubscriptionId'), parameters('ResourceGroupName'))]" }, "resources": [ { 
@@ -302,24 +302,6 @@ ] } }, - { - "type": "Microsoft.Compute/virtualMachines/extensions", - "apiVersion": "2023-09-01", - "name": "cloudbeatVM/EnableMSIExtension", - "location": "[parameters('ResourceGroupLocation')]", - "dependsOn": [ - "cloudbeatVM" - ], - "properties": { - "publisher": "Microsoft.ManagedIdentity", - "type": "ManagedIdentityExtensionForLinux", - "typeHandlerVersion": "1.0", - "autoUpgradeMinorVersion": true, - "settings": { - "port": 50342 - } - } - }, { "type": "Microsoft.Authorization/roleDefinitions", "apiVersion": "2022-04-01", @@ -330,7 +312,7 @@ "[concat('/subscriptions/', parameters('SubscriptionId'))]", "[concat('/subscriptions/', parameters('SubscriptionId'), '/resourcegroups/', parameters('ResourceGroupName'))]" ], - "description": "Additional read permissions for cloudbeatVM", + "description": "Additional read permissions for cloudbeatVM (edit)", "permissions": [ { "actions": [ @@ -340,7 +322,7 @@ ] } ], - "roleName": "cloudbeatVM additional permissions", + "roleName": "[concat('cloudbeatVM additional permissions ', parameters('ResourceGroupName'))]", "type": "CustomRole" } }, diff --git a/deploy/azure/ARM-for-organization-account.json b/deploy/azure/ARM-for-organization-account.json index 7a7b9fe0f7..f1970d85b9 100644 --- a/deploy/azure/ARM-for-organization-account.json +++ b/deploy/azure/ARM-for-organization-account.json @@ -52,7 +52,7 @@ "variables": { "resourceGroupDeployment": "[concat('resource-group-deployment-', parameters('DeploymentLocation'))]", "roleAssignmentDeployment": "[concat('role-assignment-deployment-', parameters('DeploymentLocation'))]", - "roleGUID": "[guid(parameters('SubscriptionId'))]" + "roleGUID": "[guid(parameters('SubscriptionId'), parameters('ResourceGroupName'))]" }, "resources": [ { 
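Review bot: Keying `roleGUID` and `roleName` on `ResourceGroupName` makes the custom role definition unique per deployment, but nothing here removes it when the resource group goes away; its `assignableScopes` still cover the whole subscription, and with the timestamp-based default resource group name every redeploy would leave another orphaned `cloudbeatVM additional permissions <rg>` role behind. Whether the definition is created at subscription scope is inferred from `assignableScopes`, since the resource's scope is outside the hunk. Consider recording the cleanup expectation in the role's metadata, e.g. `"description": "Additional read permissions for cloudbeatVM; delete this custom role together with its resource group"`, or keep the role name stable and vary only the assignment.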
@@ -326,24 +326,6 @@ ] } }, - { - "type": "Microsoft.Compute/virtualMachines/extensions", - "apiVersion": "2023-09-01", - "name": "cloudbeatVM/EnableMSIExtension", - "location": "[parameters('ResourceGroupLocation')]", - "dependsOn": [ - "cloudbeatVM" - ], - "properties": { - "publisher": "Microsoft.ManagedIdentity", - "type": "ManagedIdentityExtensionForLinux", - "typeHandlerVersion": "1.0", - "autoUpgradeMinorVersion": true, - "settings": { - "port": 50342 - } - } - }, { "type": "Microsoft.Resources/deploymentScripts", "apiVersion": "2023-08-01", @@ -368,7 +350,7 @@ "[concat('/subscriptions/', parameters('SubscriptionId'))]", "[concat('/subscriptions/', parameters('SubscriptionId'), '/resourcegroups/', parameters('ResourceGroupName'))]" ], - "description": "Additional read permissions for cloudbeatVM", + "description": "Additional read permissions for cloudbeatVM (edit)", "permissions": [ { "actions": [ @@ -378,7 +360,7 @@ ] } ], - "roleName": "cloudbeatVM additional permissions", + "roleName": "[concat('cloudbeatVM additional permissions ', parameters('ResourceGroupName'))]", "type": "CustomRole" } } diff --git a/deploy/azure/ARM-for-single-account.dev.json b/deploy/azure/ARM-for-single-account.dev.json index 9a72597e63..85c8414d12 100644 --- a/deploy/azure/ARM-for-single-account.dev.json +++ b/deploy/azure/ARM-for-single-account.dev.json @@ -51,8 +51,8 @@ "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", "name": "[variables('roleAssignmentDeployment')]", - "location": "[parameters('ResourceGroupLocation')]", "subscriptionId": "[subscription().subscriptionId]", + "resourceGroup": "[resourceGroup().name]", "properties": { "expressionEvaluationOptions": { "scope": "inner" 
@@ -233,24 +233,6 @@ ] } }, - { - "type": "Microsoft.Compute/virtualMachines/extensions", - "apiVersion": "2023-09-01", - "name": "cloudbeatVM/EnableMSIExtension", - "location": "[parameters('ResourceGroupLocation')]", - "dependsOn": [ - "cloudbeatVM" - ], - "properties": { - "publisher": "Microsoft.ManagedIdentity", - "type": "ManagedIdentityExtensionForLinux", - "typeHandlerVersion": "1.0", - "autoUpgradeMinorVersion": true, - "settings": { - "port": 50342 - } - } - }, { "type": "Microsoft.Authorization/roleDefinitions", "apiVersion": "2022-04-01", diff --git a/deploy/azure/ARM-for-single-account.json b/deploy/azure/ARM-for-single-account.json index 92d5a07e20..8a72fa9d53 100644 --- a/deploy/azure/ARM-for-single-account.json +++ b/deploy/azure/ARM-for-single-account.json @@ -45,8 +45,8 @@ "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", "name": "[variables('roleAssignmentDeployment')]", - "location": "[parameters('ResourceGroupLocation')]", "subscriptionId": "[subscription().subscriptionId]", + "resourceGroup": "[resourceGroup().name]", "properties": { "expressionEvaluationOptions": { "scope": "inner" @@ -242,24 +242,6 @@ ] } }, - { - "type": "Microsoft.Compute/virtualMachines/extensions", - "apiVersion": "2023-09-01", - "name": "cloudbeatVM/EnableMSIExtension", - "location": "[parameters('ResourceGroupLocation')]", - "dependsOn": [ - "cloudbeatVM" - ], - "properties": { - "publisher": "Microsoft.ManagedIdentity", - "type": "ManagedIdentityExtensionForLinux", - "typeHandlerVersion": "1.0", - "autoUpgradeMinorVersion": true, - "settings": { - "port": 50342 - } - } - }, { "type": "Microsoft.Resources/deploymentScripts", "apiVersion": "2023-08-01", From 485e02c3953eb150ebdd062c3180f694f9fe9199 Mon Sep 17 00:00:00 2001 
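Review bot: Removing `ManagedIdentityExtensionForLinux` also removes the local token listener on port 50342 that the extension exposed, so the agent on `cloudbeatVM` must obtain tokens through the platform identity endpoint instead; the VM's `identity` block and the role assignment's principal reference are outside the hunk, so confirm `"identity": { "type": "SystemAssigned" }` is still present on the VM resource and that the role assignment still resolves its `principalId` from it. Since ARM JSON has no comments, a short `metadata` note on the VM resource such as `"description": "Managed identity is used via the platform endpoint; the legacy MSI VM extension is intentionally not deployed"` would keep the extension from being re-added later.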
From: =?UTF-8?q?R=C3=B4mulo=20Farias?= Date: Tue, 23 Apr 2024 13:14:16 +0200 Subject: [PATCH 32/33] Use official gh action --- .github/workflows/arm-template-lint.yml | 27 ++++++++++--------------- 1 file changed, 11 insertions(+), 16 deletions(-) diff --git a/.github/workflows/arm-template-lint.yml b/.github/workflows/arm-template-lint.yml index 0eb78b9ce1..8ccc7fb519 100644 --- a/.github/workflows/arm-template-lint.yml +++ b/.github/workflows/arm-template-lint.yml 
@@ -17,25 +17,20 @@ jobs: strategy: fail-fast: false matrix: - template: [ "ARM-for-organization-account.json", "ARM-for-single-account.json" ] + template: [ "ARM-for-organization-account", "ARM-for-single-account" ] steps: - uses: actions/checkout@v4 - # Based on https://github.com/microsoft/action-armttk/blob/main/action.yml#L56 - # - # Not used the official MS ARM TTK Action because we don't follow the standard file naming convertion - # The ARM TTK Action didn't give us such flexibility - - name: Run ARM-TTK ${{ matrix.template }} + # Copy files to its own folder because it's what the official ARM-TTK action expects + # Docs https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/test-toolkit#test-parameters + - name: copy file working-directory: ./deploy/azure - shell: pwsh run: | - # Install Dependencies - Install-Module -Name Pester -RequiredVersion 4.10.1 -Force - Import-Module -Name Pester -RequiredVersion 4.10.1 -Force - Invoke-WebRequest -Uri 'aka.ms/arm-ttk-latest' -OutFile arm-template-toolkit.zip - Expand-Archive -LiteralPath arm-template-toolkit.zip -DestinationPath arm-ttk + mkdir ${{ matrix.template }} + cp ${{ matrix.template }}.json ${{ matrix.template }}/azuredeploy.json - # Load and run test - Import-Module ./arm-ttk/arm-ttk/arm-ttk.psd1 - echo "Test-AzTemplate -TemplatePath ${{ matrix.template }} -Pester -Skip Secure-Params-In-Nested-Deployments" | Out-File -FilePath ./armttk.ps1 - Invoke-Pester -Script ./armttk.ps1 -EnableExit -OutputFormat NUnitXml -OutputFile ./armttk.xml + - uses: microsoft/action-armttk@v1 + name: lint ${{ matrix.template }} + with: + github_token: ${{ secrets.github_token }} + workdir: "./deploy/azure/${{ matrix.template }}" From e45fda311e1495a987d8a2f842bbafcec9f219ac Mon Sep 17 00:00:00 2001 
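Review bot: `microsoft/action-armttk@v1` and `actions/checkout@v4` are referenced by mutable tags while the job hands `${{ secrets.github_token }}` to the action; pin both to a full commit SHA (`uses: microsoft/action-armttk@<full-sha> # v1`) so a moved tag cannot swap the code that receives the token. Replacing the hand-rolled invocation also drops `-Skip Secure-Params-In-Nested-Deployments` and the explicit `reporter:`, so the official action will now run that rule against the nested deployments in these templates and report through whatever its default reporter is; if that is intended, say so in the comment above the step, otherwise add `reporter:` back. The job's `permissions:` block, if any, is above the hunk; the token should be scoped to what the reporter needs to post results on the pull request and nothing more.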
From: =?UTF-8?q?R=C3=B4mulo=20Farias?= Date: Tue, 23 Apr 2024 13:18:07 +0200 Subject: [PATCH 33/33] Remove unnecessary edit --- deploy/azure/ARM-for-organization-account.dev.json | 2 +- deploy/azure/ARM-for-organization-account.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/deploy/azure/ARM-for-organization-account.dev.json b/deploy/azure/ARM-for-organization-account.dev.json index 2af2fb8ef7..f61d33924f 100644 --- a/deploy/azure/ARM-for-organization-account.dev.json +++ b/deploy/azure/ARM-for-organization-account.dev.json @@ -312,7 +312,7 @@ "[concat('/subscriptions/', parameters('SubscriptionId'))]", "[concat('/subscriptions/', parameters('SubscriptionId'), '/resourcegroups/', parameters('ResourceGroupName'))]" ], - "description": "Additional read permissions for cloudbeatVM (edit)", + "description": "Additional read permissions for cloudbeatVM", "permissions": [ { "actions": [ diff --git a/deploy/azure/ARM-for-organization-account.json b/deploy/azure/ARM-for-organization-account.json index f1970d85b9..ef56bec54a 100644 --- a/deploy/azure/ARM-for-organization-account.json +++ b/deploy/azure/ARM-for-organization-account.json @@ -350,7 +350,7 @@ "[concat('/subscriptions/', parameters('SubscriptionId'))]", "[concat('/subscriptions/', parameters('SubscriptionId'), '/resourcegroups/', parameters('ResourceGroupName'))]" ], - "description": "Additional read permissions for cloudbeatVM (edit)", + "description": "Additional read permissions for cloudbeatVM", "permissions": [ { "actions": [