feat: avm bicep (#121)

* feat: avm bicep

* Fix role assignment check in cleanup script

* make replacements dynamic for bicep

* fix duplicate entries

* max allowed is 10

* Decrease retry attempts

* Fix order of installation

* Add deployment cleanup

* Adjust cleanup logic to happen before deployment

* improve bicep templating

* fix escaping

* fix file name

* linting

* add  default value capability with double pipe syntax

* remove test output

* fix e2e test

---------

Co-authored-by: Zach Trocinski <ztrocinski@outlook.com>

Author: jaredfholgate

.config/ALZ-Powershell.config.json

@@ -27,6 +27,12 @@
                 "release_artifact_root_path": ".",
                 "release_artifact_config_file": ".config/ALZ-Powershell.config.json"
             },
+            "bicep": {
+                "url": "https://github.com/Azure/alz-bicep-accelerator",
+                "release_artifact_name": "starter_modules.zip",
+                "release_artifact_root_path": ".",
+                "release_artifact_config_file": ".config/ALZ-Powershell.config.json"
+            },
             "bicep-classic": {
                 "url": "https://github.com/Azure/ALZ-Bicep",
                 "release_artifact_name": "accelerator.zip",

.github/tests/cleanup-scripts/cleanup_azure_resouces.ps1

@@ -1,5 +1,15 @@
 # This file can be used to clean up Resource Groups if there has been an issue with the End to End tests.
 # CAUTION: Make sure you are connected to the correct subscription before running this script!
+
+# Check for and install the resource-graph extension if not already installed
+$installedExtensions = az extension list --query "[].name" -o tsv
+if ($installedExtensions -notcontains "resource-graph") {
+    Write-Host "Installing Azure CLI resource-graph extension..."
+    az extension add --name resource-graph
+} else {
+    Write-Host "Azure CLI resource-graph extension is already installed."
+}
+
 $managementGroupFilter = "alz-r"
 if($managementGroupFilter -eq "")
 {
@@ -70,13 +80,15 @@ $managementGroups | ForEach-Object -Parallel {
     } -ThrottleLimit 10
 
     $roleDefinitionsFilter = $using:roleDefinitionsFilter
-    $subscriptions = $using:subscriptions
+
     $roleDefinitions = az role definition list --custom-role-only true --scope "/providers/Microsoft.Management/managementGroups/$managementGroup" --query "[].{name:name,roleName:roleName,id:id,assignableScopes:assignableScopes}" -o json  | ConvertFrom-Json | Where-Object { $_.roleName -like "*$roleDefinitionsFilter*" -and $_.assignableScopes -contains "/providers/Microsoft.Management/managementGroups/$managementGroup" }
     $roleDefinitions | ForEach-Object -Parallel {
         $managementGroup = $using:managementGroup
         $roleDefinition = $_
 
-        $roleAssignments = az role assignment list --role $roleDefinition.name --scope "/providers/Microsoft.Management/managementGroups/$managementGroup" --query "[].{id:id,principalName:principalName,principalId:principalId}" -o json | ConvertFrom-Json
+        Write-Host "$($roleDefinition.roleName) - $($managementGroup): Querying role assignments using Resource Graph for role definition $($roleDefinition.name)"
+        $query = "authorizationresources | where type == 'microsoft.authorization/roleassignments' | where properties.roleDefinitionId == '/providers/Microsoft.Authorization/RoleDefinitions/$($roleDefinition.name)' | order by ['name'] asc"
+        $roleAssignments = az graph query -q $query --query "data[].{id:id,principalId:properties.principalId}" -o json | ConvertFrom-Json
         $roleAssignments | ForEach-Object -Parallel {
             $managementGroup = $using:managementGroup
             $roleDefinition = $using:roleDefinition
@@ -85,19 +97,14 @@ $managementGroups | ForEach-Object -Parallel {
             az role assignment delete --ids $roleAssignment.id
         } -ThrottleLimit 10
 
-        foreach ($subscription in $using:subscriptions) {
-            $subscriptionRoleAssignments = az role assignment list --role $roleDefinition.name --subscription $subscription --query "[].{id:id,principalName:principalName,principalId:principalId}" -o json | ConvertFrom-Json
-            $subscriptionRoleAssignments | ForEach-Object -Parallel {
-                $roleDefinition = $using:roleDefinition
-                $subscription = $using:subscription
-                $roleAssignment = $_
-                Write-Host "Deleting role assignment: $($roleAssignment.id) for role definition: $($roleDefinition.roleName) in subscription: $subscription"
-                az role assignment delete --ids $roleAssignment.id
-            } -ThrottleLimit 10
-        }
-
         Write-Host "Deleting custom role definition: $($roleDefinition.roleName) in management group: $managementGroup"
-        az role definition delete --name $roleDefinition.name --scope "/providers/Microsoft.Management/managementGroups/$managementGroup"
+        $result = az role definition delete --name $roleDefinition.name --scope "/providers/Microsoft.Management/managementGroups/$managementGroup" 2>&1
+        if($result -like "*ERROR*")
+        {
+            Write-Warning "Role definition $($roleDefinition.roleName) in management group: $managementGroup could not be deleted...$([Environment]::NewLine)$result"
+        } else {
+            Write-Host "Role definition $($roleDefinition.roleName) in management group: $managementGroup deleted successfully."
+        }
 
     } -ThrottleLimit 10
 } -ThrottleLimit 10

.github/workflows/end-to-end-test.yml

@@ -310,6 +310,10 @@ jobs:
           if($infrastructureAsCode -eq "bicep") {
             $Inputs["network_type"] = "none"
             $Inputs["intermediate_root_management_group_id"] = "alz-$uniqueId"
+            $Inputs["management_group_id_prefix"] = ""
+            $Inputs["management_group_id_postfix"] = ""
+            $Inputs["management_group_name_prefix"] = ""
+            $Inputs["management_group_name_postfix"] = ""
           }
 
           $json = ConvertTo-Json $Inputs -Depth 100

alz/azuredevops/main.tf

@@ -116,8 +116,6 @@ module "file_manipulation" {
   cd_template_file_name                  = local.cd_template_file_name
   pipeline_target_folder_name            = local.target_folder_name
   bicep_parameters_file_path             = var.bicep_parameters_file_path
-  subscription_ids                       = var.subscription_ids
-  root_parent_management_group_id        = var.root_parent_management_group_id
   agent_pool_or_runner_configuration     = local.agent_pool_or_runner_configuration
   pipeline_files_directory_path          = local.pipeline_files_directory_path
   pipeline_template_files_directory_path = local.pipeline_template_files_directory_path

alz/azuredevops/pipelines/bicep/templates/cd-template.yaml

@@ -50,6 +50,10 @@ stages:
                   parameters:
                     parametersFileName: $(PARAMETERS_FILE_NAME)
 
+                - template: ./helpers/bicep-installer.yaml
+                  parameters:
+                    serviceConnection: '${service_connection_name_plan}'
+
                 - task: AzurePowerShell@5
                   displayName: 'Check for First Deployment'
                   inputs:
@@ -74,10 +78,6 @@ stages:
 
                       Write-Host "##vso[task.setvariable variable=FIRST_DEPLOYMENT;]$firstDeployment"
 
-                - template: ./helpers/bicep-installer.yaml
-                  parameters:
-                    serviceConnection: '${service_connection_name_plan}'
-
 %{ for script_file in script_files ~}
                 - $${{ if eq(parameters['${script_file.name}'], true) }}:
                   - template: ./helpers/bicep-deploy.yaml

alz/azuredevops/pipelines/bicep/templates/ci-template.yaml

@@ -66,6 +66,10 @@ stages:
                   parameters:
                     parametersFileName: $(PARAMETERS_FILE_NAME)
 
+                - template: ./helpers/bicep-installer.yaml
+                  parameters:
+                    serviceConnection: '${service_connection_name_plan}'
+
                 - task: AzurePowerShell@5
                   displayName: 'Check for First Deployment'
                   inputs:
@@ -90,10 +94,6 @@ stages:
 
                       Write-Host "##vso[task.setvariable variable=FIRST_DEPLOYMENT;]$firstDeployment"
 
-                - template: ./helpers/bicep-installer.yaml
-                  parameters:
-                    serviceConnection: '${service_connection_name_plan}'
-
 %{ for script_file in script_files ~}
                 - template: ./helpers/bicep-deploy.yaml
                   parameters:

alz/azuredevops/pipelines/bicep/templates/helpers/bicep-deploy.yaml

@@ -31,13 +31,14 @@ parameters:
 steps:
   - task: AzurePowerShell@5
     displayName: '$${{ parameters.displayName }}'
+    retryCountOnTaskFailure: 10
     inputs:
       azureSubscription: $${{ parameters.serviceConnection }}
       azurePowerShellVersion: 'LatestVersion'
       pwsh: true
       ScriptType: 'InlineScript'
       Inline: |
-        $deploymentType = "$${{ parameters.deploymentType }}"
+       $deploymentType = "$${{ parameters.deploymentType }}"
         $whatIfEnabled = [System.Convert]::ToBoolean("$${{ parameters.whatIfEnabled }}")
 
         # Check if we should skip what-if for first deployment
@@ -56,6 +57,17 @@ steps:
           exit 0
         }
 
+        # Check if this is a retry attempt and clean up previous deployments
+        $isRetry = $env:AGENT_JOBATTEMPT -and [int]$env:AGENT_JOBATTEMPT -gt 1
+        if ($isRetry) {
+          Write-Host ""
+          Write-Host "================================================" -ForegroundColor Yellow
+          Write-Host "⚠ Retry Attempt Detected (Attempt #$($env:AGENT_JOBATTEMPT))" -ForegroundColor Yellow
+          Write-Host "================================================" -ForegroundColor Yellow
+          Write-Host "Cleaning up previous failed deployment..." -ForegroundColor Yellow
+          Write-Host ""
+        }
+
         # Generate deployment name without timestamp for consistent deployment stack names
         $deploymentPrefix = "alz"
 
@@ -165,7 +177,6 @@ steps:
             Write-Error "What-If validation failed: $($_.Exception.Message)"
             throw
           }
-
         } else {
           # Deployment Stack mode - actual deployment
           $stackParameters = @{
@@ -178,82 +189,79 @@ steps:
             Verbose               = $true
           }
 
-          $retryCount = 0
-          $retryMax = 20
-          $initialRetryDelay = 20
-          $retryDelayIncrement = 10
-          $finalSuccess = $false
+          $result = $null
 
-          while ($retryCount -lt $retryMax) {
-            if ($retryCount -gt 0) {
-              $retryDelay = $initialRetryDelay + ($retryCount * $retryDelayIncrement)
-              Write-Host "Retrying deployment stack after $retryDelay seconds..." -ForegroundColor Yellow
-              Start-Sleep -Seconds $retryDelay
-              Write-Host "Retry attempt $retryCount" -ForegroundColor Yellow
-            }
-
-            $result = $null
+          try {
+            switch ($deploymentType) {
+              "managementGroup" {
+                $targetManagementGroupId = "$${{ parameters.managementGroupId }}"
+                if ([string]::IsNullOrWhiteSpace($targetManagementGroupId)) {
+                  $targetManagementGroupId = (Get-AzContext).Tenant.TenantId
+                }
 
-            try {
-              switch ($deploymentType) {
-                "managementGroup" {
-                  $targetManagementGroupId = "$${{ parameters.managementGroupId }}"
-                  if ([string]::IsNullOrWhiteSpace($targetManagementGroupId)) {
-                    $targetManagementGroupId = (Get-AzContext).Tenant.TenantId
+                # Clean up all deployments before each deployment to avoid quota issues
+                try {
+                  Write-Host "Cleaning up existing deployments in management group..." -ForegroundColor Cyan
+                  $allDeployments = Get-AzManagementGroupDeployment -ManagementGroupId $targetManagementGroupId -ErrorAction SilentlyContinue
+                  if ($allDeployments -and $allDeployments.Count -gt 0) {
+                    Write-Host "Found $($allDeployments.Count) deployment(s) to clean up" -ForegroundColor Yellow
+                    $batchSize = 200
+                    for ($i = 0; $i -lt $allDeployments.Count; $i += $batchSize) {
+                      $batch = $allDeployments | Select-Object -Skip $i -First $batchSize
+                      Write-Host "  Deleting batch of $($batch.Count) deployments..." -ForegroundColor Gray
+                      $batch | ForEach-Object -Parallel {
+                        Remove-AzManagementGroupDeployment -ManagementGroupId $using:targetManagementGroupId -Name $_.DeploymentName -ErrorAction SilentlyContinue
+                      } -ThrottleLimit 100
+                    }
+                    Write-Host "✓ All deployments cleaned up" -ForegroundColor Green
+                  } else {
+                    Write-Host "No deployments to clean up" -ForegroundColor Green
                   }
-
-                  Write-Host "Creating Management Group Deployment Stack: $deploymentName" -ForegroundColor Cyan
-                  $result = New-AzManagementGroupDeploymentStack @stackParameters -ManagementGroupId $targetManagementGroupId -Location "$${{ parameters.location }}"
+                } catch {
+                  Write-Warning "Could not clean up deployments: $($_.Exception.Message)"
                 }
-                "subscription" {
-                  if (-not [string]::IsNullOrWhiteSpace("$${{ parameters.subscriptionId }}")) {
-                    Write-Host "Setting subscription context to: $${{ parameters.subscriptionId }}" -ForegroundColor Cyan
-                    Select-AzSubscription -SubscriptionId "$${{ parameters.subscriptionId }}" | Out-Null
-                  }
 
-                  Write-Host "Creating Subscription Deployment Stack: $deploymentName" -ForegroundColor Cyan
-                  $result = New-AzSubscriptionDeploymentStack @stackParameters -Location "$${{ parameters.location }}"
+                Write-Host "Creating Management Group Deployment Stack: $deploymentName" -ForegroundColor Cyan
+                $result = New-AzManagementGroupDeploymentStack @stackParameters -ManagementGroupId $targetManagementGroupId -Location "$${{ parameters.location }}"
+              }
+              "subscription" {
+                if (-not [string]::IsNullOrWhiteSpace("$${{ parameters.subscriptionId }}")) {
+                  Write-Host "Setting subscription context to: $${{ parameters.subscriptionId }}" -ForegroundColor Cyan
+                  Select-AzSubscription -SubscriptionId "$${{ parameters.subscriptionId }}" | Out-Null
                 }
-                "resourceGroup" {
-                  if (-not [string]::IsNullOrWhiteSpace("$${{ parameters.subscriptionId }}")) {
-                    Write-Host "Setting subscription context to: $${{ parameters.subscriptionId }}" -ForegroundColor Cyan
-                    Select-AzSubscription -SubscriptionId "$${{ parameters.subscriptionId }}" | Out-Null
-                  }
 
-                  Write-Host "Creating Resource Group Deployment Stack: $deploymentName" -ForegroundColor Cyan
-                  $result = New-AzResourceGroupDeploymentStack @stackParameters -ResourceGroupName "$${{ parameters.resourceGroupName }}"
-                }
-                default {
-                  Write-Error "Invalid deployment type: $deploymentType"
-                  throw "Invalid deployment type: $deploymentType"
-                }
+                Write-Host "Creating Subscription Deployment Stack: $deploymentName" -ForegroundColor Cyan
+                $result = New-AzSubscriptionDeploymentStack @stackParameters -Location "$${{ parameters.location }}"
               }
+              "resourceGroup" {
+                if (-not [string]::IsNullOrWhiteSpace("$${{ parameters.subscriptionId }}")) {
+                  Write-Host "Setting subscription context to: $${{ parameters.subscriptionId }}" -ForegroundColor Cyan
+                  Select-AzSubscription -SubscriptionId "$${{ parameters.subscriptionId }}" | Out-Null
+                }
 
-              if ($result.ProvisioningState -eq "Succeeded") {
-                $finalSuccess = $true
-                Write-Host ""
-                Write-Host "================================================" -ForegroundColor Green
-                Write-Host "✓ Deployment Stack Succeeded: $deploymentName" -ForegroundColor Green
-                Write-Host "================================================" -ForegroundColor Green
-                Write-Host ""
-                break
-              } else {
-                Write-Warning "Deployment stack finished with state: $($result.ProvisioningState)"
-                $retryCount++
+                Write-Host "Creating Resource Group Deployment Stack: $deploymentName" -ForegroundColor Cyan
+                $result = New-AzResourceGroupDeploymentStack @stackParameters -ResourceGroupName "$${{ parameters.resourceGroupName }}"
               }
-            } catch {
-              Write-Warning "Deployment stack failed with error: $($_.Exception.Message)"
-              $retryCount++
-
-              if ($retryCount -ge $retryMax) {
-                Write-Error "Deployment stack failed after $retryMax attempts"
-                throw
+              default {
+                Write-Error "Invalid deployment type: $deploymentType"
+                throw "Invalid deployment type: $deploymentType"
               }
             }
-          }
 
-          if (-not $finalSuccess) {
-            Write-Error "Deployment stack did not succeed after $retryMax attempts"
-            throw "Deployment stack did not succeed after $retryMax attempts"
+            if ($result.ProvisioningState -eq "Succeeded") {
+              $finalSuccess = $true
+              Write-Host ""
+              Write-Host "================================================" -ForegroundColor Green
+              Write-Host "✓ Deployment Stack Succeeded: $deploymentName" -ForegroundColor Green
+              Write-Host "================================================" -ForegroundColor Green
+              Write-Host ""
+              break
+            } else {
+              Write-Error "Deployment stack finished with state: $($result.ProvisioningState)"
+              exit 1
+            }
+          } catch {
+            Write-Error "Deployment stack failed with error: $($_.Exception.Message)"
+            exit 1
           }
         }

alz/azuredevops/variables.tf

@@ -615,7 +615,7 @@ variable "bicep_parameters_file_path" {
     This JSON file specifies configuration values for Azure Landing Zones resources.
   EOT
   type        = string
-  default     = "parameters.json"
+  default     = "template-parameters.json"
 }
 
 variable "custom_role_definitions_terraform" {