Concurrent role deployment with PowerShell & GitHub Actions (Azure#299)

cds-snc · May 15, 2022 · c078a79 · c078a79
1 parent 31a214a
commit c078a79
Show file tree

Hide file tree

Showing 9 changed files with 38 additions and 8 deletions.
diff --git a/.github/workflows/0-everything.yml b/.github/workflows/0-everything.yml
@@ -63,6 +63,16 @@ jobs:
       - ManagementGroups
 
     name: Roles
+
+    strategy:
+      matrix:
+        roleName:
+          - la-vminsights-readonly
+          - lz-appowner
+          - lz-netops
+          - lz-secops
+          - lz-subowner
+      fail-fast: false
 
     runs-on: ubuntu-latest
     steps:
@@ -79,6 +89,7 @@ jobs:
       run: |
         ./RunWorkflows.ps1 `
           -DeployRoles `
+          -RoleNames '${{ matrix.roleName }}' `
           -EnvironmentName '${{github.event.inputs.environmentName}}' `
           -LoginServicePrincipalJson (ConvertTo-SecureString -String '${{secrets.ALZ_CREDENTIALS}}' -AsPlainText -Force) `
           -GitHubRepo ${env:GITHUB_REPOSITORY} `

diff --git a/.github/workflows/2-roles.yml b/.github/workflows/2-roles.yml
@@ -25,6 +25,17 @@ defaults:
 jobs:
   roles:
     name: Roles
+
+    strategy:
+      matrix:
+        roleName:
+          - la-vminsights-readonly
+          - lz-appowner
+          - lz-netops
+          - lz-secops
+          - lz-subowner
+      fail-fast: false
+
     runs-on: ubuntu-latest
     steps:
 
@@ -40,6 +51,7 @@ jobs:
       run: |
         ./RunWorkflows.ps1 `
           -DeployRoles `
+          -RoleNames '${{ matrix.roleName }}' `
           -EnvironmentName '${{github.event.inputs.environmentName}}' `
           -LoginServicePrincipalJson (ConvertTo-SecureString -String '${{secrets.ALZ_CREDENTIALS}}' -AsPlainText -Force) `
           -GitHubRepo ${env:GITHUB_REPOSITORY} `

diff --git a/roles/la-vminsights-readonly.bicep b/roles/la-vminsights-readonly.bicep
@@ -20,7 +20,7 @@ var roleDescription = 'Read only access to Log Analytics for VM Insights.'
 // Reference:  https://docs.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution
 var telemetry = json(loadTextContent('../config/telemetry.json'))
 module telemetryCustomerUsageAttribution '../azresources/telemetry/customer-usage-attribution-management-group.bicep' = if (telemetry.customerUsageAttribution.enabled) {
-  name: 'pid-${telemetry.customerUsageAttribution.modules.roles}'
+  name: 'pid-${telemetry.customerUsageAttribution.modules.roles}-lavminsightsreadonly'
 }
 
 resource roleDefn 'Microsoft.Authorization/roleDefinitions@2018-01-01-preview' = {

diff --git a/roles/lz-appowner.bicep b/roles/lz-appowner.bicep
@@ -20,7 +20,7 @@ var roleDescription = 'Contributor role granted for application/operations team
 // Reference:  https://docs.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution
 var telemetry = json(loadTextContent('../config/telemetry.json'))
 module telemetryCustomerUsageAttribution '../azresources/telemetry/customer-usage-attribution-management-group.bicep' = if (telemetry.customerUsageAttribution.enabled) {
-  name: 'pid-${telemetry.customerUsageAttribution.modules.roles}'
+  name: 'pid-${telemetry.customerUsageAttribution.modules.roles}-lzappowner'
 }
 
 // Reference:  https://docs.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access

diff --git a/roles/lz-netops.bicep b/roles/lz-netops.bicep
@@ -20,7 +20,7 @@ var roleDescription = 'Platform-wide global connectivity management: virtual net
 // Reference:  https://docs.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution
 var telemetry = json(loadTextContent('../config/telemetry.json'))
 module telemetryCustomerUsageAttribution '../azresources/telemetry/customer-usage-attribution-management-group.bicep' = if (telemetry.customerUsageAttribution.enabled) {
-  name: 'pid-${telemetry.customerUsageAttribution.modules.roles}'
+  name: 'pid-${telemetry.customerUsageAttribution.modules.roles}-lznetops'
 }
 
 // Reference:  https://docs.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access

diff --git a/roles/lz-secops.bicep b/roles/lz-secops.bicep
@@ -20,7 +20,7 @@ var roleDescription = 'Security Administrator role with a horizontal view across
 // Reference:  https://docs.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution
 var telemetry = json(loadTextContent('../config/telemetry.json'))
 module telemetryCustomerUsageAttribution '../azresources/telemetry/customer-usage-attribution-management-group.bicep' = if (telemetry.customerUsageAttribution.enabled) {
-  name: 'pid-${telemetry.customerUsageAttribution.modules.roles}'
+  name: 'pid-${telemetry.customerUsageAttribution.modules.roles}-lzsecops'
 }
 
 // Reference:  https://docs.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access

diff --git a/roles/lz-subowner.bicep b/roles/lz-subowner.bicep
@@ -20,7 +20,7 @@ var roleDescription = 'Delegated role for subscription owner generated from subs
 // Reference:  https://docs.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution
 var telemetry = json(loadTextContent('../config/telemetry.json'))
 module telemetryCustomerUsageAttribution '../azresources/telemetry/customer-usage-attribution-management-group.bicep' = if (telemetry.customerUsageAttribution.enabled) {
-  name: 'pid-${telemetry.customerUsageAttribution.modules.roles}'
+  name: 'pid-${telemetry.customerUsageAttribution.modules.roles}-lzsubowner'
 }
 
 // Reference:  https://docs.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access

diff --git a/scripts/deployments/Functions/Roles.ps1 b/scripts/deployments/Functions/Roles.ps1
@@ -17,6 +17,9 @@ function Set-Roles {
     [Parameter(Mandatory = $true)]
     [String] $RolesDirectory,
 
+    [Parameter(Mandatory = $true)]
+    [string[]] $RoleNames,
+
     [Parameter(Mandatory = $true)]
     [String] $ManagementGroupId
   )
@@ -29,13 +32,15 @@ function Set-Roles {
     assignableMgId = $ManagementGroupId
   }
 
-  foreach ($roleDefinition in Get-ChildItem -Path $RolesDirectory) {
-    Write-Output "Deploying $($roleDefinition.FullName)"
+  foreach ($RoleName in $RoleNames) {
+    $RoleDefinitionFilePath = "$RolesDirectory/$RoleName.bicep"
+
+    Write-Output "Deploying $RoleName ($RoleDefinitionFilePath)"
 
     New-AzManagementGroupDeployment `
       -ManagementGroupId $ManagementGroupId `
       -Location $Context.DeploymentRegion `
-      -TemplateFile $roleDefinition.FullName `
+      -TemplateFile $RoleDefinitionFilePath `
       -TemplateParameterObject $DeploymentParameters
   }
 }
diff --git a/scripts/deployments/RunWorkflows.ps1 b/scripts/deployments/RunWorkflows.ps1
@@ -102,6 +102,7 @@ Param(
   # What to deploy
   [switch]$DeployManagementGroups,
   [switch]$DeployRoles,
+  [string[]]$RoleNames=@('la-vminsights-readonly', 'lz-appowner', 'lz-netops', 'lz-secops', 'lz-subowner'),
   [switch]$DeployLogging,
   [switch]$DeployCustomPolicy,
   [switch]$DeployBuiltinPolicy,
@@ -192,6 +193,7 @@ if ($DeployRoles) {
   Set-Roles `
     -Context $Context `
     -RolesDirectory $Context.RolesDirectory `
+    -RoleNames $RoleNames `
     -ManagementGroupId $Context.TopLevelManagementGroupId
 }