From 0a067a679c95715a2eeb1cb30240cd2a017b4401 Mon Sep 17 00:00:00 2001 From: Jin Lee Date: Sun, 12 Nov 2023 18:39:09 -0600 Subject: [PATCH] Updated main readme --- .gitignore | 2 +- README.md | 85 +++++++++++++++++++----- shared/agentsetup.ps1 | 149 ------------------------------------------ 3 files changed, 69 insertions(+), 167 deletions(-) delete mode 100644 shared/agentsetup.ps1 diff --git a/.gitignore b/.gitignore index dbca554e..91f49915 100644 --- a/.gitignore +++ b/.gitignore @@ -43,7 +43,7 @@ override.tf.json # Ignore CLI configuration files .terraformrc terraform.rc -shared/agentsetup.ps1 +# shared/agentsetup.ps1 .vscode/tasks.json .vscode/launch.json .vscode/launch.json diff --git a/README.md b/README.md index 8132f1b4..525018c0 100644 --- a/README.md +++ b/README.md @@ -1,8 +1,9 @@ # App Service Landing Zone Accelerator -This repository encompasses both enterprise architecture guidelines and a reference implementation for deploying Azure App Service solutions in multi-tenant and App Service Environment scenarios. It includes best practices, considerations and deployable artifacts for implementing a common reference architecture. +This repository provides both enterprise architecture guidelines and a reference implementation for deploying Azure App Service solutions in multi-tenant and App Service Environment scenarios. It includes best practices, considerations, and deployable artifacts for implementing a common reference architecture. + +Visit [EnterpriseScale-AppService](https://aka.ms/EnterpriseScale-AppService) for more information. -[aka.ms/EnterpriseScale-AppService](https://aka.ms/EnterpriseScale-AppService) ![image](/docs/Images/home-page.gif) @@ -18,43 +19,90 @@ The enterprise architecture is broken down into six different design areas, wher | Security, Governance, and Compliance|[Design Considerations](/docs/Design-Areas/security-governance-compliance.md#design-considerations)|[Design Recommendations](/docs/Design-Areas/security-governance-compliance.md#design-recommendations)| | Application Automation and DevOps|[Design Considerations](/docs/Design-Areas/automation-devops.md#design-considerations)|[Design Recommendations](/docs/Design-Areas/automation-devops.md#design-recommendations)| -## Enterprise-Scale Reference Implementation - -In this repo you will find reference implementations with supporting Infrastructure as Code templates. More reference implementations will be added as they become available. ## Next Steps to implement the Azure App Service Landing Zone Accelerator ### Step 1. Reference implementations -:arrow_forward: [App Service Secure Baseline](scenarios/secure-baseline-multitenant/README.md) +:arrow_forward: [App Service Secure Baseline Multi-Tenant](scenarios/secure-baseline-multitenant/README.md) -For configuring the GitHub Actions pipelines, please refer to the [GitHub Actions](docs/github-actions.md) documentation. +> **Note** + Currently, the App Service Secure Baseline Multi-Tenant is the only reference implementation available. However, both the Terraform and Bicep configuration files have feature flags available to accommodate additional scenarios. More reference input files will be provided to accommodate additional reference implementations in the future. ### Step 2. Configure and test the deployment on your own environment With the selected reference implementation, you can now choose between `Bicep` or `Terraform` to deploy the scenario's infrastructure. -#### Deploying Bicep +#### Deploy to Azure via Portal + +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#view/Microsoft_Azure_CreateUIDef/CustomDeploymentBlade/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fazure%2Fappservice-landing-zone-accelerator%2Fmain%2Fscenarios%2Fsecure-baseline-multitenant%2Fazure-resource-manager%2Fmain.json/uiFormDefinitionUri/https%3A%2F%2Fraw.githubusercontent.com%2Fazure%2Fappservice-landing-zone-accelerator%2Fmain%2Fscenarios%2Fsecure-baseline-multitenant%2Fazure-resource-manager%2Fmain-portal-ux.json) + +#### Deploy with Bicep + +For additional information, view the Bicep README [here](scenarios/secure-baseline-multitenant/bicep/README.md). + +The Bicep configuration files are located in the [scenarios/secure-baseline-multitenant/bicep](scenarios/secure-baseline-multitenant/bicep/) directory. + +Before deploying the Bicep IaC artifacts, you need to review and customize the values of the parameters in the [main.parameters.jsonc](scenarios/secure-baseline-multitenant/bicep/main.parameters.jsonc) file. + +> **Note** + Azure Developer CLI (azd) is also supported as a deployment method. Since azd CLI does not support parameter files with *jsonc* extension, we provide a simple json parameter file (which does not contain inline comments) + +The expandable table below summarizes the available parameters and the possible values that can be set. -#### Deploying Terraform +
+

Bicep Configuration Parameters Table

 + +| Name | Description | Example | +|------|-------------|---------| +|workloadName|A suffix that will be used to name the resources in a pattern similar to ` - ` . Must be up to 10 characters long, alphanumeric with dashes|app-svc-01| +|location|Azure region where the resources will be deployed in|northeurope| +|environment|Required. The name of the environment (e.g. "dev", "test", "prod", "preprod", "staging", "uat", "dr", "qa"). Up to 8 characters long.|dev| +|deployAseV3|Optional, default is false. Set to true if you want to deploy ASE v3 instead of Multitenant App Service Plan.|false| +|vnetHubResourceId|If empty, then a new hub will be created. If you select not to deploy a new Hub resource group, set the resource id of the Hub Virtual Network that you want to peer to. In that case, no new hub will be created and a peering will be created between the new spoke and and existing hub vnet|/subscriptions// resourceGroups//providers/ Microsoft.Network/virtualNetworks/| +|firewallInternalIp|If you select to create a new Hub, the UDR for locking the egress traffic will be created as well, no matter what value you set to that variable. However, if you select to connect to an existing hub, then you need to provide the internal IP of the azure firewal so that the deployment can create the UDR for locking down egress traffic. If not given, no UDR will be created|| +|vnetHubAddressSpace|If you deploy a new hub, you need to set the appropriate CIDR of the newly created Hub virtual network|10.242.0.0/20| +|subnetHubFirewallAddressSpace|CIDR of the subnet that will host the azure Firewall|10.242.0.0/26| +|subnetHubBastionAddressSpace|CIDR of the subnet that will host the Bastion Service|10.242.0.64/26| +|vnetSpokeAddressSpace|CIDR of the spoke vnet that will hold the app services plan and the rest supporting services (and their private endpoints)|10.240.0.0/20| +|subnetSpokeAppSvcAddressSpace|CIDR of the subnet that will hold the app services plan. ATTENTION: If you deploy ASEv3 this CIDR should be x.x.x.x/24 |10.240.0.0/26 (*USE 10.240.0.0/24 if deployAseV3=true*)| +|subnetSpokeDevOpsAddressSpace|CIDR of the subnet that will hold devOps agents etc|10.240.10.128/26| +|subnetSpokePrivateEndpointAddressSpace|CIDR of the subnet that will hold the private endpoints of the supporting services|10.240.11.0/24| +|webAppPlanSku|Defines the name, tier, size, family and capacity of the App Service Plan. Plans ending to _AZ, are deplying at least three instances in three Availability Zones. select one from: 'S1', 'S2', 'S3', 'P1V3', 'P2V3', 'P3V3', 'P1V3_AZ', 'P2V3_AZ', 'EP1', 'EP2', 'EP3', 'ASE_I1V2_AZ', 'ASE_I2V2_AZ', 'ASE_I3V2_AZ' || +|webAppBaseOs|The OS for the App service plan. Two options available: Windows or Linux|| +|resourceTags|Resource tags that we might need to add to all resources (i.e. Environment, Cost center, application name etc)|"resourceTags": {
"value": {
"deployment": "bicep",
"key1": "value1"
}
} | +|enableEgressLockdown|Feature Flag: te (or not) a UDR for the App Service Subnet, to route all egress traffic through Hub Azure Firewall| +|deployRedis|Feature Flag: Deploy (or not) a redis cache | +|deployAzureSql|Feature Flag: Deploy (or not) an Azure SQL with default database| +|deployAppConfig|Feature Flag: Deploy (or not) an Azure app configuration| +|deployJumpHost|Feature Flag: Deploy (or not) an Azure virtual machine (to be used as jumphost)| +|autoApproveAfdPrivateEndpoint|Default value: true. Set to true if you want to auto approve the Private Endpoint of the AFD Premium. See details [regarding approving the App Service private endpoint connection from Front Door](#approve-the-app-service-private-endpoint-connection-from-front-door-in-the-azure-portal) | false +|sqlServerAdministrators|The Azure Active Directory (AAD) administrator group used for SQL Server authentication. The Azure AD group must be created before running deployment. This has three values that need to be filled, as shown below
**login**: the name of the AAD Group
**sid**: the object id of the AAD Group
**tenantId**: The tenantId of the AAD || + +
+ +#### Deploy with Terraform 1. Ensure you are logged in to Azure CLI and have selected the correct subscription. 1. Navigate to the Terraform deployment directory (same directory as the `main.tf` file). - [scenarios/secure-baseline-multitenant/terraform/hub](scenarios/secure-baseline-multitenant/terraform/hub/) - [scenarios/secure-baseline-multitenant/terraform/spoke](scenarios/secure-baseline-multitenant/terraform/spoke/) -1. Familiarize yourself with the deployment files: + > **Note** + > The GitHub Action deployments for Terraform `hub` and `spoke` are currently separated due to the amount of time both components take to deploy. It is advised to use a self-hosted agent to ensure the deployment does not timeout. +2. Familiarize yourself with the deployment files: - `main.tf` - Contains the Terraform provider configurations for the selected deployment/module. Note the `backend "azurerm" {}` block as this configures your [Terraform deployment's remote state](https://developer.hashicorp.com/terraform/language/settings/backends/azurerm). Also contains the resource group definitions to host the deployed resources. - `_locals.tf` - Contains the local variable declarations as well as custom logic to support naming and tagging conventions across each module. - `variables.tf` - Contains the input variable declarations for the selected deployment/module. - `outputs.tf` - Contains the output variable declarations for the selected deployment/module. - other `.tf` files - Contains groupings of resources for organizational purposes. - `Parameters/uat.tfvars` - Reference input parameter file for the UAT environment. -1. Navigate to the Terraform deployment directory (same directory as the `main.tf` file). -1. Run `terraform init` to initialize the deployment. -1. Run `terraform plan -var-file="Parameters/uat.tfvars"` to review the deployment plan. -1. Run `terraform apply -var-file="Parameters/uat.tfvars"` to deploy the resources. +3. Navigate to the Terraform deployment directory (same directory as the `main.tf` file). +4. Run `terraform init` to initialize the deployment. +5. Run `terraform plan -var-file="Parameters/uat.tfvars"` to review the deployment plan. +6. Run `terraform apply -var-file="Parameters/uat.tfvars"` to deploy the resources. ### Step 3. Configure GitHub Actions + GitHub Actions pipelines are located in the [`.github/workflows`](.github/workflows/) directory with templates stored in the [`.github/actions`](.github/actions/) directory.i 1. Create an Azure AD Service Principal for OIDC Authentication @@ -67,14 +115,16 @@ GitHub Actions pipelines are located in the [`.github/workflows`](.github/workfl | `AZURE_CLIENT_ID` | GUID value for the Client ID of the service principal to authenticate with | `00000000-0000-0000-0000-000000000000` | | `AZURE_SUBSCRIPTION_ID` | GUID value for the Subscription ID to deploy resources to | `00000000-0000-0000-0000-000000000000` | | `AZURE_TENANT_ID` | GUID value for the Tenant ID of the service principal to authenticate with | `00000000-0000-0000-0000-000000000000` | - | `AZURE_TF_STATE_RESOURCE_GROUP_NAME` | Optional override value to configure the remote state resource group name | `rg-terraform-state` | - | `AZURE_TF_STATE_STORAGE_ACCOUNT_NAME` | Optional override value to configure the remote state storage account name | `tfstate` | - | `AZURE_TF_STATE_STORAGE_CONTAINER_NAME` | Optional override value to configure the remote state storage container name | `tfstate` | + | `AZURE_TF_STATE_RESOURCE_GROUP_NAME` | [**Optional**] override value to configure the remote state resource group name | `rg-terraform-state` | + | `AZURE_TF_STATE_STORAGE_ACCOUNT_NAME` | [**Optional**] override value to configure the remote state storage account name | `tfstate` | + | `AZURE_TF_STATE_STORAGE_CONTAINER_NAME` | [**Optional**] override value to configure the remote state storage container name | `tfstate` | | `ACCOUNT_NAME` | | `https://dev.azure.com/ORGNAME` OR `github.com/ORGUSERNAME` OR `none` | | `PAT` | Personal Access Token for the DevOps VM to leverage on provisioning the pipeline agent | `asdf1234567` | --- + ### App Patterns + Looking for developer-focused reference implementation? Check out Reliable Web Patterns for App Service. :arrow_forward: [Reliable web app pattern for .NET](https://github.com/Azure/reliable-web-app-pattern-dotnet) @@ -86,6 +136,7 @@ Looking for developer-focused reference implementation? Check out Reliable Web P Please leverage issues if you have any feedback or request on how we can improve on this repository. --- + ## Data Collection The software may collect information about you and your use of the software and send it to Microsoft. Microsoft may use this information to provide services and improve our products and services. You may turn off the telemetry as described in the repository. There are also some features in the software that may enable you and Microsoft to collect data from users of your applications. If you use these features, you must comply with applicable law, including providing appropriate notices to users of your applications together with a copy of Microsoft's privacy statement. Our privacy statement is located at https://go.microsoft.com/fwlink/?LinkId=521839. You can learn more about data collection and use in the help documentation and our privacy statement. Your use of the software operates as your consent to these practices. diff --git a/shared/agentsetup.ps1 b/shared/agentsetup.ps1 deleted file mode 100644 index 5fcdfd30..00000000 --- a/shared/agentsetup.ps1 +++ /dev/null @@ -1,149 +0,0 @@ -param ( - [string]$URL, - [string]$PAT, - [string]$POOL, - [string]$AGENT, - [string]$AGENTTYPE -) - - -function setupazdevops{ - param( - [string]$URL, - [string]$PAT, - [string]$POOL, - [string]$AGENT - ) - - Write-Host "About to setup Azure DevOps Agent" - Start-Transcript - Write-Host "start" - - $azagentdir="c:\agent" - - #test if an old installation exists, if so, delete the folder - if (test-path $azagentdir) - { - set-location $azagentdir - $servicename=(Get-Content .service) - Stop-Service $servicename -ErrorAction SilentlyContinue - set-location 'c:\' - Remove-Item -Path $azagentdir -Force -Confirm:$false -Recurse - } - - #create a new folder - new-item -ItemType Directory -Force -Path $azagentdir - set-location $azagentdir - $global:ProgressPreference = 'SilentlyContinue' - $env:VSTS_AGENT_HTTPTRACE = $true - - #github requires tls 1.2 - [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 - - $ProgressPreference = 'SilentlyContinue' - #get the latest build agent version - $wr = Invoke-WebRequest https://api.github.com/repos/Microsoft/azure-pipelines-agent/releases/latest -UseBasicParsing - $tag = ($wr | ConvertFrom-Json)[0].tag_name - $tag = $tag.Substring(1) - - write-host "$tag is the latest version" - #build the url - $download = "https://vstsagentpackage.azureedge.net/agent/$tag/vsts-agent-win-x64-$tag.zip" - - #download the agent - Invoke-WebRequest $download -Out agent.zip - - #expand the zip - Expand-Archive -Path agent.zip -DestinationPath $PWD - - Write-Output "--unattended --url $URL --auth pat --token "$PAT" --pool $POOL --agent $AGENT --acceptTeeEula --runAsService" - #run the config script of the build agent - .\config.cmd --unattended --url $URL --auth pat --token "$PAT" --pool $POOL --agent $AGENT --acceptTeeEula --runAsService --replace - - #exit - Stop-Transcript - exit 0 -} - -function setupghrunner { - param( - - [string]$URL, - [string]$PAT, - [string]$POOL, - [string]$AGENT - ) - - Start-Transcript - - Write-Host "About to setup GitHub Runner" - $ghrunnerdirectory="c:\actions-runner" - - -#test if an old installation exists, if so, delete the folder -if (test-path $ghrunnerdirectory) -{ - set-location $ghrunnerdirectory - $servicename=(Get-Content .service) - Stop-Service $servicename -ErrorAction SilentlyContinue - set-location 'c:\' - Remove-Item -Path $ghrunnerdirectory -Force -Confirm:$false -Recurse -} - -#create a new folder -new-item -ItemType Directory -Force -Path $ghrunnerdirectory -set-location $ghrunnerdirectory -$global:ProgressPreference = 'SilentlyContinue' -$env:VSTS_AGENT_HTTPTRACE = $true - -#github requires tls 1.2 -[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 - -$ProgressPreference = 'SilentlyContinue' -#get the latest build agent version -$wr = Invoke-WebRequest https://api.github.com/repos/actions/runner/releases/latest -UseBasicParsing -$tag = ($wr | ConvertFrom-Json)[0].tag_name -$tag = $tag.Substring(1) - -write-host "$tag is the latest version" -#build the url - -$download = "https://github.com/actions/runner/releases/download/v$tag/actions-runner-win-x64-$tag.zip" - -#download the agent -Invoke-WebRequest $download -Out ghactionsrunner.zip - -#expand the zip -Expand-Archive -Path ghactionsrunner.zip -DestinationPath $PWD - - -#run the config script of the build agent -set-location $ghrunnerdirectory -.\config.cmd --unattended --url $URL --token "$PAT" --runnergroup $POOL --replace --runasservice --replace - - - -#exit -Stop-Transcript -exit 0 - -} - - - -Write-Output $URL -Write-Output $PAT -Write-Output $POOL -Write-Output $AGENT -Write-Output $AGENTTYPE - -if ($AGENTTYPE.ToLower() -eq "azuredevops") -{ - setupazdevops -URL $URL -PAT $PAT -POOL $POOL -AGENT $AGENT -} - -else - { - setupghrunner -URL $URL -PAT $PAT -POOL $POOL -AGENT $AGENT -} -