Initial Open Source Release (Azure#6)

.gitignore

@@ -0,0 +1,5 @@
+experiments/*
+**/*.swp
+.vscode/*
+/*.sh
+/*.ps1

.pipelines/README.md

@@ -0,0 +1,58 @@
+# Azure Pipelines
+
+## Disclaimer
+
+Copyright (c) Microsoft Corporation.
+
+Licensed under the MIT license.
+
+THIS CODE AND INFORMATION ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
+
+## Pipeline definitions
+
+The following top-level pipelines are present in the `.pipelines/` repository folder:
+
+| # | Pipeline | File | CI Name
+| :---: | ---------- | ---------- | ----------
+| 1 | Management Groups | `management-groups.yml` | management-groups-ci
+| 2 | Platform Logging | `platform-logging.yml` | platform-logging-ci
+| 3 | Policy | `policy.yml` | policy-ci
+| 4 | Roles | `roles.yml` | roles-ci
+| 5 | Networking | `platform-connectivity-hub-nva.yml` | platform-connectivity-hub-nva-ci
+| 6 | Subscription | `subscription.yml` | subscription-ci
+
+These pipelines need to be run in the order specified. For example, the `Policy` pipeline is dependent on resources deployed by the `Platform Logging` pipeline. Think of it as a layered approach; once the layer is deployed, it only requires re-running if some configuration at that layer changes.
+
+In the default implementation, the `Management Groups`, `Platform Logging`, `Policy`, and `Roles` pipelines are run automatically (trigger) whenever a related code change is detected on the `main` branch. The `Networking` and `Subscription` pipelines do not run automatically (no trigger). This behavior can be changed by modifying the corresponding YAML pipeline definition files.
+
+In the default implementation, the `Roles` and `Platform Logging` pipelines are run automatically after a successful run of the `Management Groups` pipeline, and the `Policy` pipeline is run automatically after a successful run of the `Platform Logging` pipeline. Again, this behavior can be changed by modifying the corresponding YAML pipeline definition files.
+
+The top-level pipeline definitions are implemented in a modular way, using nested YAML templates defined in the `.pipelines/templates/jobs/` and `.pipelines/templates/steps/` paths.
+
+## Pipeline configuration
+
+The top-level pipelines use configuration values from these locations:
+
+- environment related configuration values are stored in the `config/variables/` path.
+- subscription related configuration values are stored in the `config/subscriptions/` path.
+
+Additional information on configuration files is available here:
+
+- [Environment configuration files](../config/variables/README.md)
+- [Subscription configuration files](../config/subscriptions/README.md)
+
+## Additional pipelines
+
+In addition to the top-level pipelines mentioned previously, there are several other pipeline definitions in the `./pipelines` path that may be useful.
+
+### Check Bicep files
+
+The `checks-bicep-compile.yml` pipeline can be used to configure a `Build Validation` branch policy in your repository and validate any Bicep code changes by compiling all Bicep files with built-in linting.
+
+### Manual approval
+
+The `demo-approval.yml` pipeline demonstrates how to implement a manual approval gate/check in your pipeline definition.
+
+### Linting source files
+
+The `linters.yml` pipeline demonstrates using the GitHub SuperLinter project to run a linting process on many common source code file types.

.pipelines/checks-bicep-compile.yml

@@ -0,0 +1,39 @@
+# ----------------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT license.
+#
+# THIS CODE AND INFORMATION ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, 
+# EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES 
+# OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
+# ----------------------------------------------------------------------------------
+
+trigger: none
+
+pool:
+  vmImage: ubuntu-latest
+
+stages:
+
+- stage: CheckBicepCompileStage
+  displayName: Checks - Bicep Compile Stage
+
+  jobs:
+
+  - deployment: CheckBicepCompileJob
+    displayName: Checks - Bicep Compile Job
+    environment: ${{ variables['Build.SourceBranchName'] }}
+    strategy:
+      runOnce:
+        deploy:
+          steps:
+          - checkout: self
+
+          - task: Bash@3
+            displayName: Compile all bicep templates
+            name: CompileBiceps
+            inputs:
+              targetType: 'inline'
+              script: |
+                find . -type f -name '*.bicep' | xargs -tn1 az bicep build -f 
+              
+              workingDirectory: ${{ variables['Build.SourcesDirectory'] }}

.pipelines/demo-approval.yml

@@ -0,0 +1,71 @@
+# ----------------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT license.
+#
+# THIS CODE AND INFORMATION ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, 
+# EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES 
+# OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
+# ----------------------------------------------------------------------------------
+
+# To setup a CI trigger so this pipeline is automatically run on new commits:
+#   1. Remove the 'none' keyword after the 'trigger:' statement in the line below
+#   2. Uncomment the indented lines following the 'trigger:' statement
+trigger: none
+  # batch: true
+  # branches:
+  #   include:
+  #     - main
+  # paths:
+  #   include:
+  #     - config/*
+
+variables:
+- name: devops-org-name
+  value: ${{ replace(replace(variables['System.CollectionUri'], 'https://dev.azure.com/' , ''), '/', '') }}
+- name: variable-template-file
+  value: ${{ variables['devops-org-name'] }}-${{ variables['Build.SourceBranchName'] }}.yml
+- template: ../config/variables/common.yml
+- template: ../config/variables/${{ variables['variable-template-file'] }}
+
+pool:
+  vmImage: $[ variables.vmImage ]
+
+stages:
+
+- stage: DemoApprovalStage
+  displayName: Demo Approval Stage
+
+  jobs:
+
+  # - job: WaitForApproval
+  #   displayName: Wait For Approval
+  #   pool: server
+  #   timeoutInMinutes: 2
+  #   steps:
+  #     - task: ManualValidation@0
+  #       timeoutInMinutes: 2
+  #       inputs:
+  #         notifyUsers: |
+  #           alzcanadapubsec@microsoft.com
+  #           doic-release-approvers@microsoft.onmicrosoft.com
+  #         instructions: 'Review release and resume or reject'
+  #         onTimeout: 'reject'
+
+  # - job: DemoApprovalJob
+  #   displayName: Demo Approval Job
+  #   dependsOn: WaitForApproval
+  #   steps:
+  #     - script: |
+  #         echo "Demonstrating manual approval workflow"
+
+  - deployment: DemoApprovalJob2
+    displayName: Demo Approval Job 2
+    environment: ${{ variables['Build.SourceBranchName'] }}
+    strategy:
+      runOnce:
+        deploy:
+          steps:
+            - checkout: self
+            - script: |
+                echo "Demonstrating manual approval workflow for environment: $(var-environmentName)"
+                ls -al $(System.DefaultWorkingDirectory)

.pipelines/linters.yml

@@ -0,0 +1,54 @@
+# ----------------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT license.
+#
+# THIS CODE AND INFORMATION ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, 
+# EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES 
+# OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
+# ----------------------------------------------------------------------------------
+
+#
+# GitHub Super Linter : https://github.com/github/super-linter
+# 
+
+# To setup a CI trigger so this pipeline is automatically run on new commits:
+#   1. Remove the 'none' keyword after the 'trigger:' statement in the line below
+#   2. Uncomment the indented lines following the 'trigger:' statement
+trigger: none
+  # batch: true
+  # branches:
+  #   include:
+  #     - main
+  # paths:
+  #   include:
+  #     - azresources/*
+  #     - config/*
+  #     - landingzones/*
+  #     - .pipelines/*
+
+variables:
+- name: devops-org-name
+  value: ${{ replace(replace(variables['System.CollectionUri'], 'https://dev.azure.com/' , ''), '/', '') }}
+- name: variable-template-file
+  value: ${{ variables['devops-org-name'] }}-${{ variables['Build.SourceBranchName'] }}.yml
+- template: ../config/variables/common.yml
+- template: ../config/variables/${{ variables['variable-template-file'] }}
+
+pool:
+  vmImage: $[ variables.vmImage ]
+
+stages:
+
+- stage: LinterStage
+  displayName: Linter Stage
+
+  jobs:
+
+  - job: LinterJob
+    displayName: Linter Job
+
+    steps:
+
+    - template: ./templates/steps/run-linter.yml
+      parameters:
+        validationTypes: 'ARM JSON YAML'

.pipelines/management-groups.yml

@@ -0,0 +1,57 @@
+# ----------------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT license.
+#
+# THIS CODE AND INFORMATION ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, 
+# EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES 
+# OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
+# ----------------------------------------------------------------------------------
+
+trigger: 
+  batch: true
+  branches:
+    include:
+     - main
+  paths:
+    include:
+      - management-groups
+      - .pipelines/management-groups.yml
+      - .pipelines/templates/steps/deploy-management-groups.yml
+
+variables:
+- name: devops-org-name
+  value: ${{ replace(replace(variables['System.CollectionUri'], 'https://dev.azure.com/' , ''), '/', '') }}
+- name: variable-template-file
+  value: ${{ variables['devops-org-name'] }}-${{ variables['Build.SourceBranchName'] }}.yml
+- template: ../config/variables/common.yml
+- template: ../config/variables/${{ variables['variable-template-file'] }}
+
+pool:
+  vmImage: $[ variables.vmImage ]
+
+stages:
+
+- stage: DeployManagementGroupsStage
+  displayName: Deploy Management Groups Stage
+
+  jobs:
+
+  - deployment: DeployManagementGroupsJob
+    displayName: Deploy Management Groups Job
+    environment: ${{ variables['Build.SourceBranchName'] }}
+    strategy:
+      runOnce:
+        deploy:
+          steps:
+          - checkout: self
+
+          - template: templates/steps/show-variables.yml
+            parameters:
+              json: ${{ convertToJson(variables) }}
+
+          - template: templates/steps/deploy-management-groups.yml
+            parameters:
+              description: 'Create/Update Management Groups'
+              templateFile: structure.bicep
+              deployOperation: ${{ variables['deployOperation'] }}
+              workingDir: $(System.DefaultWorkingDirectory)/management-groups

.pipelines/platform-connectivity-hub-azfw-policy.yml

@@ -0,0 +1,44 @@
+# ----------------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT license.
+#
+# THIS CODE AND INFORMATION ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, 
+# EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES 
+# OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
+# ----------------------------------------------------------------------------------
+
+trigger: none
+
+variables:
+- name: devops-org-name
+  value: ${{ replace(replace(variables['System.CollectionUri'], 'https://dev.azure.com/' , ''), '/', '') }}
+- name: variable-template-file
+  value: ${{ variables['devops-org-name'] }}-${{ variables['Build.SourceBranchName'] }}.yml
+- template: ../config/variables/common.yml
+- template: ../config/variables/${{ variables['variable-template-file'] }}
+
+pool:
+  vmImage: $[ variables.vmImage ]
+
+stages:
+
+- stage: DeployAzureFirewallPolicyStage
+  displayName: Deploy Azure Firewall Policy Stage
+
+  jobs:
+
+  - deployment: DeployAzureFirewallPolicyJob
+    displayName: Deploy Azure Firewall Policy Job
+    environment: ${{ variables['Build.SourceBranchName'] }}
+    strategy:
+      runOnce:
+        deploy:
+          steps:
+          - checkout: self
+
+          - template: templates/steps/deploy-platform-connectivity-hub-azfw-policy.yml
+            parameters:
+              description: 'Deploy Azure Firewall Policy'
+              templateFile: main-azfw-policy.bicep
+              deployOperation: ${{ variables['deployOperation'] }}
+              workingDir: $(System.DefaultWorkingDirectory)/landingzones

.pipelines/platform-connectivity-hub-azfw.yml

@@ -0,0 +1,60 @@
+# ----------------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT license.
+#
+# THIS CODE AND INFORMATION ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, 
+# EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES 
+# OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
+# ----------------------------------------------------------------------------------
+
+trigger: none
+  # batch: true
+  # branches:
+  #   include:
+  #     - main
+  # paths:
+  #   include:
+  #     - landingzones/lz-platform-connectivity-hub-azfw
+  #     - .pipelines/platform-connectivity-hub-azfw.yml  
+  #     - .pipelines/templates/steps/deploy-platform-connectivity-hub-azfw.yml
+
+variables:
+- name: devops-org-name
+  value: ${{ replace(replace(variables['System.CollectionUri'], 'https://dev.azure.com/' , ''), '/', '') }}
+- name: variable-template-file
+  value: ${{ variables['devops-org-name'] }}-${{ variables['Build.SourceBranchName'] }}.yml
+- template: ../config/variables/common.yml
+- template: ../config/variables/${{ variables['variable-template-file'] }}
+
+pool:
+  vmImage: $[ variables.vmImage ]
+
+stages:
+
+- stage: DeployNetworkingStage
+  displayName: Deploy Networking Stage
+
+  jobs:
+
+  - deployment: DeployNetworkingJob
+    displayName: Deploy Networking Job
+    environment: ${{ variables['Build.SourceBranchName'] }}
+    strategy:
+      runOnce:
+        deploy:
+          steps:
+          - checkout: self
+
+          - template: templates/steps/load-log-analytics-vars.yml
+
+          - template: templates/steps/show-variables.yml
+            parameters:
+              json: ${{ convertToJson(variables) }}
+
+          - template: templates/steps/deploy-platform-connectivity-hub-azfw.yml
+            parameters:
+              description: 'Deploy Networking'
+              moveTemplate: move-subscription.bicep
+              templateFile: main.bicep
+              deployOperation: ${{ variables['deployOperation'] }}
+              workingDir: $(System.DefaultWorkingDirectory)/landingzones