feat: Integration of AVM based alz-bicep-accelerator (#111)

* Update readme

* Initial changes for local version of bicep-avm

* Updates to deploy local

* Add logic for networktype and subscription id replacment

* Adding subscription id replacement logic

* Changes for new local config file for bicep-avm

* Final updates for local bicep-avm deployment

* Update error messaging

* All changes requird for working Github implementation for bicep-avm

* Add support for firstwhatif deployment to github

* Initial azure devops files

* Align permissiosn with github

* Update permissions

* Add location replacement logic

* simplify deployment stack names and replacment managment group id

* Update variable checks for network_type

* Update logic for first deployment

* Fix formatting

* Add lint bypass

* Add end-to-tests for bicep-avm

* Add logic to exit for both bicep and bicep avm scripts if error

* Extend retry duration

* Add verbose logging

* jared pedant changes

* fixy mcfixington

* fix e2e test

* save changes

* extract file manipulation and fix templating

* more fixes

* fixes for local

* GitHub throttling

* fix tests

* fix e2e tests

* fixes

* i tests

* fix bug

* fix tf local

* bug fix

* fix templated files

* reverse throttling

* add option for debugging

* bug fix

* fix e2e tests

* soft fail PowerShell module upgrade

* fix  tests

* skip destory for avm bicep

* unique deployment name

* do not use runner groups  in tests until we have a method to delete them

* improve clean up jobs

* loop cleanup

* add time stamp capability

* fix lin endings for linting

* linting

* linting

* fix typo

* engage brain

* fix date format

* randomise location to ensure a retry on a location specific issue can succeed

* typo

* simplify

* remove canada

* specify regions that have aci support and quota

* fix regions list

* fix scripts

* remove eastus

* Add nest MG test

* fix first run check

* fix logic...

* improve clean up script

* lookup sub

* add provider no rbac for what if

* feat: update alz custom roles (#117)

* remove ARM deployment and stacks from TF

* refine roles

* clean up MGs

* add check

* trigger new run

* fix what if perms

* fix type for ps argument

* add tenant role assignment for bicep

* fix local name

* refactor: rename tenant role assignment variables for bicep compatibility

* docs and pipeline fixes

* trigger a new run

* try reverting role def

* attempt to fix bootstrap perms issues

* fix bug

* revert variables

* revert classic bicep perms

* clean role defs

* fix role def cleanup

* typo

* Fix spacing

* revert classic what if change

* stupid mistake...

* fix linting

---------

Co-authored-by: Jared Holgate <jaredholgate@microsoft.com>
Co-authored-by: Jack Tracey <41163455+jtracey93@users.noreply.github.com>

Author: 3 people

.config/ALZ-Powershell.config.json

@@ -26,84 +26,19 @@
                 "release_artifact_name": "starter_modules.zip",
                 "release_artifact_root_path": ".",
                 "release_artifact_config_file": ".config/ALZ-Powershell.config.json"
-
             },
             "bicep": {
+                "url": "https://github.com/Azure/alz-bicep-accelerator",
+                "release_artifact_name": "starter_modules.zip",
+                "release_artifact_root_path": ".",
+                "release_artifact_config_file": ".config/ALZ-Powershell.config.json"
+            },
+            "bicep-classic": {
                 "url": "https://github.com/Azure/ALZ-Bicep",
                 "release_artifact_name": "accelerator.zip",
                 "release_artifact_root_path": ".",
                 "release_artifact_config_file": "accelerator/.config/ALZ-Powershell-Auto.config.json"
             }
         }
-    },
-    "validators": {
-        "auth_scheme": {
-            "Type": "AllowedValues",
-            "Description": "A valid authentication scheme e.g. 'WorkloadIdentityFederation'",
-            "AllowedValues": {
-                "Display": true,
-                "Values": [
-                    "WorkloadIdentityFederation",
-                    "ManagedServiceIdentity"
-                ]
-            }
-        },
-        "azure_subscription_id": {
-            "Type": "Valid",
-            "Description": "A valid subscription id GUID e.g. '12345678-1234-1234-1234-123456789012'",
-            "Valid": "^( {){0,1}[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}(}){0,1}$"
-        },
-        "azure_name": {
-            "Type": "Valid",
-            "Description": "A valid Azure name e.g. 'my-azure-name'",
-            "Valid": "^[a-zA-Z0-9]{2,10}(-[a-zA-Z0-9]{2,10}){0,1}(-[a-zA-Z0-9]{2,10})?$"
-        },
-        "azure_name_section": {
-            "Type": "Valid",
-            "Description": "A valid Azure name with no hyphens and limited length e.g. 'abcd'",
-            "Valid": "^[a-zA-Z0-9]{2,10}$"
-        },
-        "guid": {
-            "Type": "Valid",
-            "Description": "A valid GUID e.g. '12345678-1234-1234-1234-123456789012'",
-            "Valid": "^( {){0,1}[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}(}){0,1}$"
-        },
-        "cidr_range": {
-            "Type": "Valid",
-            "Description": "A valid CIDR range e.g '10.0.0.0/16'",
-            "Valid": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(/(3[0-2]|[1-2][0-9]|[0-9]))$"
-        },
-        "configuration_file_path": {
-            "Type": "Valid",
-            "Description": "A valid yaml or json configuration file path e.g. './my-folder/my-config-file.yaml' or `c:\\my-folder\\my-config-file.yaml`",
-            "Valid": "^.+\\.(yaml|yml|json)$"
-        },
-        "network_type": {
-            "Type": "AllowedValues",
-            "Description": "Networking Type'",
-            "AllowedValues": {
-                "Display": true,
-                "Values": [
-                    "hubNetworking",
-                    "hubNetworkingMultiRegion",
-                    "vwanConnectivity",
-                    "vwanConnectivityMultiRegion",
-                    "none"
-                ]
-            }
-        },
-        "email": {
-            "Type": "Valid",
-            "Description": "A valid email address",
-            "Valid": "^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}$"
-        },
-        "azure_location": {
-            "Type": "AllowedValues",
-            "Description": "An Azure deployment location e.g. 'uksouth'",
-            "AllowedValues": {
-                "Display": false,
-                "Values": [ "This is dynamically populated from Azure" ]
-            }
-        }
     }
 }

.github/linters/.yaml-lint.yml

@@ -4,8 +4,12 @@ extends: default
 ignore: |
   **/bicep/**/ci-template.yaml
   **/bicep/**/cd-template.yaml
+  **/bicep-classic/**/ci-template.yaml
+  **/bicep-classic/**/cd-template.yaml
   *bicep-templates.yaml
   **/bicep/**/cd.yaml
+  **/bicep-classic/**/cd.yaml
+  **/bicep-classic/**/ci.yaml
 
 rules:
   # 500 chars should be enough, but don't fail if a line is longer

.github/tests/cleanup-scripts/cleanup_azure_resouces.ps1

@@ -0,0 +1,105 @@
+# This file can be used to clean up Resource Groups if there has been an issue with the End to End tests.
+# CAUTION: Make sure you are connected to the correct subscription before running this script!
+$managementGroupFilter = "alz-r"
+if($managementGroupFilter -eq "")
+{
+    throw "Please set a management group filter to avoid disaster!"
+}
+$subscriptionFilter = ""
+
+$managementGroups = @(
+    "dac8feee-8768-4fbd-9cf9-9d96d4718018",
+    "alz-accelerator-parent-test"
+)
+
+$subscriptions = @(
+    "6be58818-3390-4c43-a3bb-2666110eeb66",
+    "5331601a-985a-4f45-87d1-6b4156c8acf5",
+    "bceedecb-9f0b-4aa3-9778-1d1fa92f289e",
+    "9ebf45b8-555d-49c6-81fb-d27ca08f7c28",
+    "eac9acf5-0a34-4db8-ae56-cdbcc7e2cf4c",
+    "3a6bdc35-0830-41ac-b323-37a5a030e241",
+    "c4332eb2-f966-47db-aa47-5d71e239d8aa",
+    "0aeefd1c-62c7-4071-91ad-925899603976",
+    "0d754f66-65b4-4f64-97f5-221f0174ad48"
+)
+
+$roleDefinitionsFilter = "Azure Landing Zones"
+
+$subscriptions | ForEach-Object -Parallel {
+    $subscription = $_
+    $subscriptionDetails = az account show --subscription $subscription | ConvertFrom-Json
+    Write-Host "Processing subscription: $subscription - $($subscriptionDetails.name)"
+
+    $resourceGroups = @("")
+    while ($resourceGroups.Count -gt 0) {
+        if($subscriptionFilter -eq "")
+        {
+            $resourceGroups = az group list --subscription $subscription | ConvertFrom-Json
+        }
+        else
+        {
+            $resourceGroups = az group list --subscription $subscription --query "[?contains(name, '$subscriptionFilter')]" | ConvertFrom-Json
+        }
+
+        $resourceGroups | ForEach-Object -Parallel {
+            $subscription = $using:subscription
+            $subscriptionDetails = $using:subscriptionDetails
+            Write-Host "Deleting resource group: $($_.name) in subscription: $subscription - $($subscriptionDetails.name)"
+            az group delete --subscription $subscription --name $_.name --yes
+        } -ThrottleLimit 10
+    }
+} -ThrottleLimit 10
+
+$managementGroups | ForEach-Object -Parallel {
+    $managementGroupFilter = $using:managementGroupFilter
+    $managementGroup = $_
+    Write-Host "Processing management group: $managementGroup"
+
+    $managementGroupDetails = az account management-group show --name $managementGroup --expand | ConvertFrom-Json
+    $childManagementGroups = $managementGroupDetails.children | Where-Object { $_.type -eq "Microsoft.Management/managementGroups" }
+    if($managementGroupFilter -ne "") {
+        $childManagementGroups = $childManagementGroups | Where-Object { $_.name -like "*$managementGroupFilter*" }
+    }
+
+    $childManagementGroups | ForEach-Object -Parallel {
+        $managementGroup = $using:managementGroup
+        $childManagementGroup = $_
+        Write-Host "Deleting management group: $($childManagementGroup.name) under parent: $managementGroup"
+        az account management-group delete --name $childManagementGroup.name
+    } -ThrottleLimit 10
+
+    $roleDefinitionsFilter = $using:roleDefinitionsFilter
+    $subscriptions = $using:subscriptions
+    $roleDefinitions = az role definition list --custom-role-only true --scope "/providers/Microsoft.Management/managementGroups/$managementGroup" --query "[].{name:name,roleName:roleName,id:id,assignableScopes:assignableScopes}" -o json  | ConvertFrom-Json | Where-Object { $_.roleName -like "*$roleDefinitionsFilter*" -and $_.assignableScopes -contains "/providers/Microsoft.Management/managementGroups/$managementGroup" }
+    $roleDefinitions | ForEach-Object -Parallel {
+        $managementGroup = $using:managementGroup
+        $roleDefinition = $_
+
+        $roleAssignments = az role assignment list --role $roleDefinition.name --scope "/providers/Microsoft.Management/managementGroups/$managementGroup" --query "[].{id:id,principalName:principalName,principalId:principalId}" -o json | ConvertFrom-Json
+        $roleAssignments | ForEach-Object -Parallel {
+            $managementGroup = $using:managementGroup
+            $roleDefinition = $using:roleDefinition
+            $roleAssignment = $_
+            Write-Host "Deleting role assignment: $($roleAssignment.id) for role definition: $($roleDefinition.roleName) in management group: $managementGroup"
+            az role assignment delete --ids $roleAssignment.id
+        } -ThrottleLimit 10
+
+        foreach ($subscription in $using:subscriptions) {
+            $subscriptionRoleAssignments = az role assignment list --role $roleDefinition.name --subscription $subscription --query "[].{id:id,principalName:principalName,principalId:principalId}" -o json | ConvertFrom-Json
+            $subscriptionRoleAssignments | ForEach-Object -Parallel {
+                $roleDefinition = $using:roleDefinition
+                $subscription = $using:subscription
+                $roleAssignment = $_
+                Write-Host "Deleting role assignment: $($roleAssignment.id) for role definition: $($roleDefinition.roleName) in subscription: $subscription"
+                az role assignment delete --ids $roleAssignment.id
+            } -ThrottleLimit 10
+        }
+
+        Write-Host "Deleting custom role definition: $($roleDefinition.roleName) in management group: $managementGroup"
+        az role definition delete --name $roleDefinition.name --scope "/providers/Microsoft.Management/managementGroups/$managementGroup"
+
+    } -ThrottleLimit 10
+} -ThrottleLimit 10
+
+Write-Host "Cleanup complete. :)"

.github/tests/cleanup-scripts/cleanup_github-repositories.ps1

@@ -1,15 +1,19 @@
 # This file can be used to clean up GitHub repositories if there has been an issue with the End to End tests.
 # CAUTION: Make sure you are connected to the correct organization before running this script!
-$repos = gh repo list microsoft-azure-landing-zones-cd-tests --json name,owner | ConvertFrom-Json
+$filter = ""
 
-$repos | ForEach-Object -Parallel {
-    $match = "*229*"
-    $repoName = "$($_.owner.login)/$($_.name)"
-    
-    if($repoName -like $match)
+$repos = @("")
+while ($repos.Count -gt 0) {
+    $repos = gh repo list microsoft-azure-landing-zones-cd-tests --json name,owner | ConvertFrom-Json
+    if($filter -ne "")
     {
+        $repos = $repos | Where-Object { $_.name -like "*$filter*" }
+    }
+
+    $repos | ForEach-Object -Parallel {
+        $repoName = "$($_.owner.login)/$($_.name)"
+
         Write-Host "Deleting repo: $repoName"
         gh repo delete $repoName --yes
-    
-    }
-} -ThrottleLimit 10
+    } -ThrottleLimit 10
+}

.github/tests/cleanup-scripts/cleanup_resouce_groups.ps1

@@ -50,6 +50,18 @@ function Invoke-Pipeline {
         }
 
         if($iac -eq "bicep") {
+            $pipelineDispatchBody = @{
+                "resources" = @{
+                    "repositories" = @{
+                        "self" = @{
+                            "refName" = "refs/heads/main"
+                        }
+                    }
+                }
+            } | ConvertTo-Json -Depth 100
+        }
+
+        if($iac -eq "bicep-classic") {
             $pipelineDispatchBody = @{
                 "resources" = @{
                     "repositories" = @{