From 2625c7dd83cf8c848a73946363f6cdf19c03f9cd Mon Sep 17 00:00:00 2001 From: AlexanderSehr Date: Fri, 27 Dec 2024 11:09:24 +0100 Subject: [PATCH] Update to latest --- .../azure-image-builder/README.md | 47 ++++++++++++++----- .../azure-image-builder/main.bicep | 16 +++---- .../azure-image-builder/main.json | 18 +++---- .../tests/e2e/deployAll.linux/main.test.bicep | 1 + .../e2e/deployAll.windows/main.test.bicep | 1 + .../deployOnlyAssetsAndImage/main.test.bicep | 1 + .../tests/e2e/deployOnlyBase/main.test.bicep | 1 + .../tests/e2e/deployOnlyImage/main.test.bicep | 1 + 8 files changed, 58 insertions(+), 28 deletions(-) diff --git a/avm/ptn/virtual-machine-images/azure-image-builder/README.md b/avm/ptn/virtual-machine-images/azure-image-builder/README.md index 3ba3a6d99a..d7f74975c5 100644 --- a/avm/ptn/virtual-machine-images/azure-image-builder/README.md +++ b/avm/ptn/virtual-machine-images/azure-image-builder/README.md @@ -249,6 +249,7 @@ module azureImageBuilder 'br/public:avm/ptn/virtual-machine-images/azure-image-b // Non-required parameters assetsStorageAccountContainerName: '' assetsStorageAccountName: '' + customAIBRoleDefinitionName: 'Custom Azure Image Builder Image Definition (apvmiaibal - )' deploymentsToPerform: '' imageTemplateCustomizationSteps: [ { @@ -336,6 +337,9 @@ module azureImageBuilder 'br/public:avm/ptn/virtual-machine-images/azure-image-b "assetsStorageAccountName": { "value": "" }, + "customAIBRoleDefinitionName": { + "value": "Custom Azure Image Builder Image Definition (apvmiaibal - )" + }, "deploymentsToPerform": { "value": "" }, @@ -419,6 +423,7 @@ param imageTemplateImageSource = { // Non-required parameters param assetsStorageAccountContainerName = '' param assetsStorageAccountName = '' +param customAIBRoleDefinitionName = 'Custom Azure Image Builder Image Definition (apvmiaibal - )' param deploymentsToPerform = '' param imageTemplateCustomizationSteps = [ { 
@@ -496,6 +501,7 @@ module azureImageBuilder 'br/public:avm/ptn/virtual-machine-images/azure-image-b // Non-required parameters assetsStorageAccountContainerName: '' assetsStorageAccountName: '' + customAIBRoleDefinitionName: 'Custom Azure Image Builder Image Definition (apvmiaibaw - )' deploymentsToPerform: '' imageTemplateCustomizationSteps: [ { @@ -584,6 +590,9 @@ module azureImageBuilder 'br/public:avm/ptn/virtual-machine-images/azure-image-b "assetsStorageAccountName": { "value": "" }, + "customAIBRoleDefinitionName": { + "value": "Custom Azure Image Builder Image Definition (apvmiaibaw - )" + }, "deploymentsToPerform": { "value": "" }, @@ -670,6 +679,7 @@ param imageTemplateImageSource = { // Non-required parameters param assetsStorageAccountContainerName = '' param assetsStorageAccountName = '' +param customAIBRoleDefinitionName = 'Custom Azure Image Builder Image Definition (apvmiaibaw - )' param deploymentsToPerform = '' param imageTemplateCustomizationSteps = [ { @@ -736,6 +746,7 @@ module azureImageBuilder 'br/public:avm/ptn/virtual-machine-images/azure-image-b // Non-required parameters assetsStorageAccountContainerName: '' assetsStorageAccountName: '' + customAIBRoleDefinitionName: 'Custom Azure Image Builder Image Definition (apvmiaiboaai - )' deploymentScriptManagedIdentityName: '' deploymentScriptStorageAccountName: '' deploymentScriptSubnetName: '' @@ -801,6 +812,9 @@ module azureImageBuilder 'br/public:avm/ptn/virtual-machine-images/azure-image-b "assetsStorageAccountName": { "value": "" }, + "customAIBRoleDefinitionName": { + "value": "Custom Azure Image Builder Image Definition (apvmiaiboaai - )" + }, "deploymentScriptManagedIdentityName": { "value": "" }, 
@@ -876,6 +890,7 @@ param imageTemplateImageSource = { // Non-required parameters param assetsStorageAccountContainerName = '' param assetsStorageAccountName = '' +param customAIBRoleDefinitionName = 'Custom Azure Image Builder Image Definition (apvmiaiboaai - )' param deploymentScriptManagedIdentityName = '' param deploymentScriptStorageAccountName = '' param deploymentScriptSubnetName = '' @@ -942,6 +957,7 @@ module azureImageBuilder 'br/public:avm/ptn/virtual-machine-images/azure-image-b } // Non-required parameters assetsStorageAccountName: 'stapvmiaibob' + customAIBRoleDefinitionName: 'Custom Azure Image Builder Image Definition (apvmiaibob - )' deploymentsToPerform: 'Only base' imageManagedIdentityName: 'msi-it-apvmiaibob' location: '' @@ -997,6 +1013,9 @@ module azureImageBuilder 'br/public:avm/ptn/virtual-machine-images/azure-image-b "assetsStorageAccountName": { "value": "stapvmiaibob" }, + "customAIBRoleDefinitionName": { + "value": "Custom Azure Image Builder Image Definition (apvmiaibob - )" + }, "deploymentsToPerform": { "value": "Only base" }, @@ -1048,6 +1067,7 @@ param imageTemplateImageSource = { } // Non-required parameters param assetsStorageAccountName = 'stapvmiaibob' +param customAIBRoleDefinitionName = 'Custom Azure Image Builder Image Definition (apvmiaibob - )' param deploymentsToPerform = 'Only base' param imageManagedIdentityName = 'msi-it-apvmiaibob' param location = '' @@ -1082,6 +1102,7 @@ module azureImageBuilder 'br/public:avm/ptn/virtual-machine-images/azure-image-b version: 'latest' } // Non-required parameters + customAIBRoleDefinitionName: 'Custom Azure Image Builder Image Definition (apvmiaiboi - )' deploymentScriptManagedIdentityName: '' deploymentScriptStorageAccountName: '' deploymentScriptSubnetName: '' 
@@ -1135,6 +1156,9 @@ module azureImageBuilder 'br/public:avm/ptn/virtual-machine-images/azure-image-b } }, // Non-required parameters + "customAIBRoleDefinitionName": { + "value": "Custom Azure Image Builder Image Definition (apvmiaiboi - )" + }, "deploymentScriptManagedIdentityName": { "value": "" }, @@ -1200,6 +1224,7 @@ param imageTemplateImageSource = { version: 'latest' } // Non-required parameters +param customAIBRoleDefinitionName = 'Custom Azure Image Builder Image Definition (apvmiaiboi - )' param deploymentScriptManagedIdentityName = '' param deploymentScriptStorageAccountName = '' param deploymentScriptSubnetName = '' 
@@ -1237,10 +1262,10 @@ param virtualNetworkName = '' | Parameter | Type | Description | | :-- | :-- | :-- | -| [`aibRoleDefinitionName`](#parameter-aibroledefinitionname) | string | Then name of the AIB role definition to create. | | [`assetsStorageAccountContainerName`](#parameter-assetsstorageaccountcontainername) | string | The name of container in the Storage Account. | | [`assetsStorageAccountName`](#parameter-assetsstorageaccountname) | string | The name of the storage account. Only needed if you want to upload scripts to be used during image baking. | -| [`deployAndUseCustomRoleDefinition`](#parameter-deployandusecustomroledefinition) | bool | Define whether or not to deploy a custom, least priviledge, role for the Azure Image Builder on a subscription level and apply it to the deployed managed identities on the resource group level. If set to false, the Contributor role is applied instead. | +| [`customAIBRoleDefinitionName`](#parameter-customaibroledefinitionname) | string | Then name of the AIB role definition to create. | +| [`deployAndUseCustomAIBRoleDefinition`](#parameter-deployandusecustomaibroledefinition) | bool | Define whether or not to deploy a custom, least priviledge, role for the Azure Image Builder on a subscription level and apply it to the deployed managed identities on the resource group level. If set to false, the Contributor role is applied instead. | | [`deploymentScriptManagedIdentityName`](#parameter-deploymentscriptmanagedidentityname) | string | The name of the Managed Identity used by deployment scripts. | | [`deploymentScriptStorageAccountName`](#parameter-deploymentscriptstorageaccountname) | string | The name of the storage account. | | [`deploymentScriptSubnetName`](#parameter-deploymentscriptsubnetname) | string | The name of the Image Template Virtual Network Subnet to create. | 
@@ -1593,14 +1618,6 @@ The image source to use for the Image Template. - Required: Yes - Type: object -### Parameter: `aibRoleDefinitionName` - -Then name of the AIB role definition to create. - -- Required: No -- Type: string -- Default: `'Custom Azure Image Builder Image Definition'` - ### Parameter: `assetsStorageAccountContainerName` The name of container in the Storage Account. @@ -1616,7 +1633,15 @@ The name of the storage account. Only needed if you want to upload scripts to be - Required: No - Type: string -### Parameter: `deployAndUseCustomRoleDefinition` +### Parameter: `customAIBRoleDefinitionName` + +Then name of the AIB role definition to create. + +- Required: No +- Type: string +- Default: `'Custom Azure Image Builder Image Definition'` + +### Parameter: `deployAndUseCustomAIBRoleDefinition` Define whether or not to deploy a custom, least priviledge, role for the Azure Image Builder on a subscription level and apply it to the deployed managed identities on the resource group level. If set to false, the Contributor role is applied instead. diff --git a/avm/ptn/virtual-machine-images/azure-image-builder/main.bicep b/avm/ptn/virtual-machine-images/azure-image-builder/main.bicep index c5c9ee9fd7..ab584bed6e 100644 --- a/avm/ptn/virtual-machine-images/azure-image-builder/main.bicep +++ b/avm/ptn/virtual-machine-images/azure-image-builder/main.bicep 
@@ -32,10 +32,10 @@ param deploymentScriptManagedIdentityName string = 'msi-ds' param imageManagedIdentityName string = 'msi-aib' @description('Optional. Then name of the AIB role definition to create.') -param aibRoleDefinitionName string = 'Custom Azure Image Builder Image Definition' +param customAIBRoleDefinitionName string = 'Custom Azure Image Builder Image Definition' @description('Optional. Define whether or not to deploy a custom, least priviledge, role for the Azure Image Builder on a subscription level and apply it to the deployed managed identities on the resource group level. If set to false, the Contributor role is applied instead.') -param deployAndUseCustomRoleDefinition bool = true +param deployAndUseCustomAIBRoleDefinition bool = true // Azure Compute Gallery Parameters @description('Required. The name of the Azure Compute Gallery.') @@ -182,10 +182,10 @@ module imageMSI 'br/public:avm/res/managed-identity/user-assigned-identity:0.4.0 } // Custom role -resource aibRoleDefinition 'Microsoft.Authorization/roleDefinitions@2022-04-01' = if (deployAndUseCustomRoleDefinition) { - name: guid(subscription().id, aibRoleDefinitionName) +resource aibRoleDefinition 'Microsoft.Authorization/roleDefinitions@2022-04-01' = if (deployAndUseCustomAIBRoleDefinition) { + name: guid(subscription().id, customAIBRoleDefinitionName) properties: { - roleName: aibRoleDefinitionName + roleName: customAIBRoleDefinitionName description: 'Image Builder access to create & access resources for the image build.' type: 'customRole' permissions: [ 
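Review bot: Renaming `aibRoleDefinitionName` and `deployAndUseCustomRoleDefinition` at the top of the hunk drops two public parameters of the module with no deprecation shim, so any consumer that passes the old names through the `br/public:avm/ptn/virtual-machine-images/azure-image-builder` reference fails validation on the next published version; unless a version bump is part of this change elsewhere (not visible here), it should be called out as a breaking interface change. The `@description` strings carried over on the renamed lines still read `Then name of the AIB role definition to create.` and `least priviledge`, and the README hunks above repeat the same text, so the fix belongs on these two lines: `@description('Optional. The name of the custom AIB role definition to create. It is deployed at subscription scope, so it must be unique per subscription.')` and `least privilege`.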
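Review bot: `name: guid(subscription().id, customAIBRoleDefinitionName)` makes the identity of the subscription-scoped role definition a pure function of the name, so two deployments in the same subscription that keep the default `Custom Azure Image Builder Image Definition` both target one resource and the later deployment rewrites it (its permissions and assignable scopes continue past the end of the hunk). The per-test suffix added in the e2e tests suggests this is exactly the collision being worked around, but nothing in the module says so to callers. A comment on the resource line would make the contract visible: `// Subscription-scoped and keyed on the role name: deployments that share a name share (and overwrite) one definition`.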
@@ -216,7 +216,7 @@ resource aibRoleDefinition 'Microsoft.Authorization/roleDefinitions@2022-04-01' } // MSI RG contributor assignment -resource contributorRole 'Microsoft.Authorization/roleDefinitions@2022-04-01' existing = if (!deployAndUseCustomRoleDefinition) { +resource contributorRole 'Microsoft.Authorization/roleDefinitions@2022-04-01' existing = if (!deployAndUseCustomAIBRoleDefinition) { name: 'b24988ac-6180-42a0-ab88-20f7382dd24c' // Contributor scope: tenant() } @@ -228,7 +228,7 @@ module imageMSI_rg_rbac 'modules/msi_rbac.bicep' = if (deploymentsToPerform == ' msiResourceId: (deploymentsToPerform == 'All' || deploymentsToPerform == 'Only base') ? imageMSI.outputs.resourceId : '' - roleDefinitionId: deployAndUseCustomRoleDefinition ? aibRoleDefinition.id : contributorRole.id + roleDefinitionId: deployAndUseCustomAIBRoleDefinition ? aibRoleDefinition.id : contributorRole.id } } module imageMSI_aib_rg_rbac 'modules/msi_rbac.bicep' = if ((deploymentsToPerform == 'All' || deploymentsToPerform == 'Only base') && !empty(imageTemplateResourceGroupName)) { @@ -239,7 +239,7 @@ module imageMSI_aib_rg_rbac 'modules/msi_rbac.bicep' = if ((deploymentsToPerform msiResourceId: (deploymentsToPerform == 'All' || deploymentsToPerform == 'Only base') ? imageMSI.outputs.resourceId : '' - roleDefinitionId: deployAndUseCustomRoleDefinition ? aibRoleDefinition.id : contributorRole.id + roleDefinitionId: deployAndUseCustomAIBRoleDefinition ? aibRoleDefinition.id : contributorRole.id } } diff --git a/avm/ptn/virtual-machine-images/azure-image-builder/main.json b/avm/ptn/virtual-machine-images/azure-image-builder/main.json index ec5d7006ad..317e1ff522 100644 --- a/avm/ptn/virtual-machine-images/azure-image-builder/main.json +++ b/avm/ptn/virtual-machine-images/azure-image-builder/main.json 
@@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.32.4.45862", - "templateHash": "11227891723786387080" + "templateHash": "11778294758856890530" }, "name": "Custom Images using Azure Image Builder", "description": "This module provides you with a packaged solution to create custom images using the Azure Image Builder service publishing to an Azure Compute Gallery.", @@ -327,14 +327,14 @@ "description": "Optional. The name of the Managed Identity used by the Azure Image Builder." } }, - "aibRoleDefinitionName": { + "customAIBRoleDefinitionName": { "type": "string", "defaultValue": "Custom Azure Image Builder Image Definition", "metadata": { "description": "Optional. Then name of the AIB role definition to create." } }, - "deployAndUseCustomRoleDefinition": { + "deployAndUseCustomAIBRoleDefinition": { "type": "bool", "defaultValue": true, "metadata": { @@ -555,12 +555,12 @@ "location": "[parameters('location')]" }, "aibRoleDefinition": { - "condition": "[parameters('deployAndUseCustomRoleDefinition')]", + "condition": "[parameters('deployAndUseCustomAIBRoleDefinition')]", "type": "Microsoft.Authorization/roleDefinitions", "apiVersion": "2022-04-01", - "name": "[guid(subscription().id, parameters('aibRoleDefinitionName'))]", + "name": "[guid(subscription().id, parameters('customAIBRoleDefinitionName'))]", "properties": { - "roleName": "[parameters('aibRoleDefinitionName')]", + "roleName": "[parameters('customAIBRoleDefinitionName')]", "description": "Image Builder access to create & access resources for the image build.", "type": "customRole", "permissions": [ @@ -585,7 +585,7 @@ } }, "contributorRole": { - "condition": "[not(parameters('deployAndUseCustomRoleDefinition'))]", + "condition": "[not(parameters('deployAndUseCustomAIBRoleDefinition'))]", "existing": true, "type": "Microsoft.Authorization/roleDefinitions", "apiVersion": "2022-04-01", 
@@ -1560,7 +1560,7 @@ "mode": "Incremental", "parameters": { "msiResourceId": "[if(or(equals(parameters('deploymentsToPerform'), 'All'), equals(parameters('deploymentsToPerform'), 'Only base')), createObject('value', reference('imageMSI').outputs.resourceId.value), createObject('value', ''))]", - "roleDefinitionId": "[if(parameters('deployAndUseCustomRoleDefinition'), createObject('value', subscriptionResourceId('Microsoft.Authorization/roleDefinitions', guid(subscription().id, parameters('aibRoleDefinitionName')))), createObject('value', tenantResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')))]" + "roleDefinitionId": "[if(parameters('deployAndUseCustomAIBRoleDefinition'), createObject('value', subscriptionResourceId('Microsoft.Authorization/roleDefinitions', guid(subscription().id, parameters('customAIBRoleDefinitionName')))), createObject('value', tenantResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')))]" }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", 
@@ -1619,7 +1619,7 @@ "mode": "Incremental", "parameters": { "msiResourceId": "[if(or(equals(parameters('deploymentsToPerform'), 'All'), equals(parameters('deploymentsToPerform'), 'Only base')), createObject('value', reference('imageMSI').outputs.resourceId.value), createObject('value', ''))]", - "roleDefinitionId": "[if(parameters('deployAndUseCustomRoleDefinition'), createObject('value', subscriptionResourceId('Microsoft.Authorization/roleDefinitions', guid(subscription().id, parameters('aibRoleDefinitionName')))), createObject('value', tenantResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')))]" + "roleDefinitionId": "[if(parameters('deployAndUseCustomAIBRoleDefinition'), createObject('value', subscriptionResourceId('Microsoft.Authorization/roleDefinitions', guid(subscription().id, parameters('customAIBRoleDefinitionName')))), createObject('value', tenantResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')))]" }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", diff --git a/avm/ptn/virtual-machine-images/azure-image-builder/tests/e2e/deployAll.linux/main.test.bicep b/avm/ptn/virtual-machine-images/azure-image-builder/tests/e2e/deployAll.linux/main.test.bicep index bde0e0847c..d4975023c2 100644 --- a/avm/ptn/virtual-machine-images/azure-image-builder/tests/e2e/deployAll.linux/main.test.bicep +++ b/avm/ptn/virtual-machine-images/azure-image-builder/tests/e2e/deployAll.linux/main.test.bicep 
@@ -37,6 +37,7 @@ module testDeployment '../../../main.bicep' = [
 deploymentsToPerform: iteration == 'init' ? 'All' : 'Only base' // Restricting to only infra on re-run as we don't want to back 2 images but only test idempotency
 resourceGroupName: resourceGroupName
 location: resourceLocation
+ customAIBRoleDefinitionName: 'Custom Azure Image Builder Image Definition (${serviceShort} - ${namePrefix})'
 assetsStorageAccountName: assetsStorageAccountName
 assetsStorageAccountContainerName: assetsStorageAccountContainerName
 computeGalleryName: 'gal${namePrefix}${serviceShort}'
diff --git a/avm/ptn/virtual-machine-images/azure-image-builder/tests/e2e/deployAll.windows/main.test.bicep b/avm/ptn/virtual-machine-images/azure-image-builder/tests/e2e/deployAll.windows/main.test.bicep
index fbe43ca616..8259dd2665 100644
--- a/avm/ptn/virtual-machine-images/azure-image-builder/tests/e2e/deployAll.windows/main.test.bicep
+++ b/avm/ptn/virtual-machine-images/azure-image-builder/tests/e2e/deployAll.windows/main.test.bicep
@@ -38,6 +38,7 @@ module testDeployment '../../../main.bicep' = [
 resourceGroupName: resourceGroupName
 imageTemplateResourceGroupName: '' // Setting to empty as a custom staging resource group currently fails the creation of a windows image for an unknown reason
 location: resourceLocation
+ customAIBRoleDefinitionName: 'Custom Azure Image Builder Image Definition (${serviceShort} - ${namePrefix})'
 assetsStorageAccountName: assetsStorageAccountName
 assetsStorageAccountContainerName: assetsStorageAccountContainerName
 computeGalleryName: 'gal${namePrefix}${serviceShort}'
diff --git a/avm/ptn/virtual-machine-images/azure-image-builder/tests/e2e/deployOnlyAssetsAndImage/main.test.bicep b/avm/ptn/virtual-machine-images/azure-image-builder/tests/e2e/deployOnlyAssetsAndImage/main.test.bicep
index 849d005a0e..a489539a01 100644
--- a/avm/ptn/virtual-machine-images/azure-image-builder/tests/e2e/deployOnlyAssetsAndImage/main.test.bicep
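Review bot: None of the e2e tests exercises the Contributor fallback: each of the five test hunks adds only `customAIBRoleDefinitionName` and leaves `deployAndUseCustomAIBRoleDefinition` at its default of `true`, so the `contributorRole` branch renamed in main.bicep is never deployed by a test; the same applies to the deployAll.windows, deployOnlyAssetsAndImage, deployOnlyBase and deployOnlyImage hunks below. Setting `deployAndUseCustomAIBRoleDefinition: false` in one of the tests that performs the MSI role assignment (deployAll.* or deployOnlyBase, going by the `'All' || 'Only base'` conditions in main.bicep) would cover both role paths. The suffixed role name appears to exist so that parallel test runs in one subscription do not collide on the subscription-scoped role definition; a short inline comment, `// Suffixed so parallel test runs in the same subscription do not share one role definition`, would keep the next maintainer from simplifying it back to the default.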
+++ b/avm/ptn/virtual-machine-images/azure-image-builder/tests/e2e/deployOnlyAssetsAndImage/main.test.bicep
@@ -54,6 +54,7 @@ module testDeployment '../../../main.bicep' = {
 deploymentsToPerform: 'Only assets & image'
 resourceGroupName: nestedDependencies.outputs.resourceGroupName
 location: resourceLocation
+ customAIBRoleDefinitionName: 'Custom Azure Image Builder Image Definition (${serviceShort} - ${namePrefix})'
 computeGalleryName: nestedDependencies.outputs.computeGalleryName
 computeGalleryImageDefinitionName: nestedDependencies.outputs.computeGalleryImageDefinitions[0].name
 computeGalleryImageDefinitions: nestedDependencies.outputs.computeGalleryImageDefinitions
diff --git a/avm/ptn/virtual-machine-images/azure-image-builder/tests/e2e/deployOnlyBase/main.test.bicep b/avm/ptn/virtual-machine-images/azure-image-builder/tests/e2e/deployOnlyBase/main.test.bicep
index 720941b1e9..ad7aabefea 100644
--- a/avm/ptn/virtual-machine-images/azure-image-builder/tests/e2e/deployOnlyBase/main.test.bicep
+++ b/avm/ptn/virtual-machine-images/azure-image-builder/tests/e2e/deployOnlyBase/main.test.bicep
@@ -33,6 +33,7 @@ module testDeployment '../../../main.bicep' = [
 deploymentsToPerform: 'Only base'
 resourceGroupName: resourceGroupName
 location: resourceLocation
+ customAIBRoleDefinitionName: 'Custom Azure Image Builder Image Definition (${serviceShort} - ${namePrefix})'
 assetsStorageAccountName: 'st${namePrefix}${serviceShort}'
 imageManagedIdentityName: 'msi-it-${namePrefix}-${serviceShort}'
 computeGalleryName: 'gal${namePrefix}${serviceShort}'
diff --git a/avm/ptn/virtual-machine-images/azure-image-builder/tests/e2e/deployOnlyImage/main.test.bicep b/avm/ptn/virtual-machine-images/azure-image-builder/tests/e2e/deployOnlyImage/main.test.bicep
index c777fa31da..3b68f371fe 100644
--- a/avm/ptn/virtual-machine-images/azure-image-builder/tests/e2e/deployOnlyImage/main.test.bicep
+++ b/avm/ptn/virtual-machine-images/azure-image-builder/tests/e2e/deployOnlyImage/main.test.bicep
@@ -59,6 +59,7 @@ module testDeployment '../../../main.bicep' = {
 deploymentsToPerform: 'Only image'
 resourceGroupName: nestedDependencies.outputs.resourceGroupName
 location: resourceLocation
+ customAIBRoleDefinitionName: 'Custom Azure Image Builder Image Definition (${serviceShort} - ${namePrefix})'
 computeGalleryName: nestedDependencies.outputs.computeGalleryName
 computeGalleryImageDefinitions: nestedDependencies.outputs.computeGalleryImageDefinitions
 computeGalleryImageDefinitionName: nestedDependencies.outputs.computeGalleryImageDefinitions[0].name