From 69403f3b229ba8a163cd65a6be9c672ec4580913 Mon Sep 17 00:00:00 2001 From: Sven Aelterman <17446043+SvenAelterman@users.noreply.github.com> Date: Thu, 19 Dec 2024 10:03:16 -0500 Subject: [PATCH] Add support for creating custom static routes (#726) * Automated update for ARM templates * Add support for specifying custom static routes Some automatic Bicep linting * Update deploy.bicep --------- Co-authored-by: SvenAelterman Co-authored-by: Dany Contreras <78437433+danycontre@users.noreply.github.com> --- workload/bicep/deploy-baseline.bicep | 47 ++++++++++++++----- .../bicep/modules/networking/deploy.bicep | 8 +++- 2 files changed, 41 insertions(+), 14 deletions(-) diff --git a/workload/bicep/deploy-baseline.bicep b/workload/bicep/deploy-baseline.bicep index 6bccdb811..d2fd62950 100644 --- a/workload/bicep/deploy-baseline.bicep +++ b/workload/bicep/deploy-baseline.bicep @@ -27,10 +27,10 @@ param deploymentEnvironment string = 'Dev' param diskEncryptionKeyExpirationInDays int = 60 @sys.description('Required. Location where to deploy compute services.') -param avdSessionHostLocation string +param avdSessionHostLocation string @sys.description('Required. Location where to deploy AVD management plane.') -param avdManagementPlaneLocation string +param avdManagementPlaneLocation string @sys.description('AVD workload subscription ID, multiple subscriptions scenario. (Default: "")') param avdWorkloadSubsId string = '' @@ -107,7 +107,7 @@ param hostPoolPublicNetworkAccess string = 'Enabled' ]) @sys.description('Default to Enabled. Enables or Disables public network access on the workspace.') param workspacePublicNetworkAccess string = 'Enabled' - + @allowed([ 'Automatic' 'Direct' @@ -511,6 +511,9 @@ param enableKvPurgeProtection bool = true @sys.description('Deploys anti malware extension on session hosts. (Default: true)') param deployAntiMalwareExt bool = true +@sys.description('Additional customer-provided static routes to be added to the route tables.') +param customStaticRoutes array = [] + // =========== // // Variable declaration // // =========== // @@ -1093,7 +1096,9 @@ module networking './modules/networking/deploy.bicep' = if (createAvdVnet || cre createVnet: createAvdVnet deployAsg: (avdDeploySessionHosts || createAvdFslogixDeployment || varCreateMsixDeployment) ? true : false existingAvdSubnetResourceId: existingVnetAvdSubnetResourceId - createPrivateDnsZones: (deployPrivateEndpointKeyvaultStorage || deployAvdPrivateLinkService) ? createPrivateDnsZones : false + createPrivateDnsZones: (deployPrivateEndpointKeyvaultStorage || deployAvdPrivateLinkService) + ? createPrivateDnsZones + : false applicationSecurityGroupName: varApplicationSecurityGroupName computeObjectsRgName: varComputeObjectsRgName networkObjectsRgName: varNetworkObjectsRgName @@ -1125,6 +1130,7 @@ module networking './modules/networking/deploy.bicep' = if (createAvdVnet || cre ? monitoringDiagnosticSettings.outputs.avdAlaWorkspaceResourceId : alaExistingWorkspaceResourceId) : '' + customStaticRoutes: customStaticRoutes } dependsOn: [ baselineNetworkResourceGroup @@ -1152,7 +1158,9 @@ module managementPLane './modules/avdManagementPlane/deploy.bicep' = { preferredAppGroupType: (hostPoolPreferredAppGroupType == 'RemoteApp') ? 'RailApplications' : 'Desktop' deployScalingPlan: varDeployScalingPlan scalingPlanExclusionTag: varScalingPlanExclusionTag - scalingPlanSchedules: (avdHostPoolType == 'Pooled') ? varPooledScalingPlanSchedules : varPersonalScalingPlanSchedules + scalingPlanSchedules: (avdHostPoolType == 'Pooled') + ? varPooledScalingPlanSchedules + : varPersonalScalingPlanSchedules scalingPlanName: varScalingPlanName hostPoolMaxSessions: hostPoolMaxSessions personalAssignType: avdPersonalAssignType @@ -1172,9 +1180,19 @@ module managementPLane './modules/avdManagementPlane/deploy.bicep' = { deployAvdPrivateLinkService: deployAvdPrivateLinkService hostPoolPublicNetworkAccess: hostPoolPublicNetworkAccess workspacePublicNetworkAccess: workspacePublicNetworkAccess - privateEndpointSubnetResourceId: createAvdVnet ? '${networking.outputs.virtualNetworkResourceId}/subnets/${varVnetPrivateEndpointSubnetName}' : existingVnetPrivateEndpointSubnetResourceId - avdVnetPrivateDnsZoneDiscoveryResourceId: deployAvdPrivateLinkService ? (createPrivateDnsZones ? networking.outputs.avdDnsDiscoveryZoneResourceId : avdVnetPrivateDnsZoneDiscoveryResourceId) : '' - avdVnetPrivateDnsZoneConnectionResourceId: deployAvdPrivateLinkService ? (createPrivateDnsZones ? networking.outputs.avdDnsConnectionZoneResourceId : avdVnetPrivateDnsZoneConnectionResourceId) : '' + privateEndpointSubnetResourceId: createAvdVnet + ? '${networking.outputs.virtualNetworkResourceId}/subnets/${varVnetPrivateEndpointSubnetName}' + : existingVnetPrivateEndpointSubnetResourceId + avdVnetPrivateDnsZoneDiscoveryResourceId: deployAvdPrivateLinkService + ? (createPrivateDnsZones + ? networking.outputs.avdDnsDiscoveryZoneResourceId + : avdVnetPrivateDnsZoneDiscoveryResourceId) + : '' + avdVnetPrivateDnsZoneConnectionResourceId: deployAvdPrivateLinkService + ? (createPrivateDnsZones + ? networking.outputs.avdDnsConnectionZoneResourceId + : avdVnetPrivateDnsZoneConnectionResourceId) + : '' privateEndpointConnectionName: varPrivateEndPointConnectionName privateEndpointDiscoveryName: varPrivateEndPointDiscoveryName privateEndpointWorkspaceName: varPrivateEndPointWorkspaceName @@ -1267,7 +1285,8 @@ module wrklKeyVault '../../avm/1.0.0/res/key-vault/vault/main.bicep' = { ipRules: [] } : {} - privateEndpoints: deployPrivateEndpointKeyvaultStorage? [ + privateEndpoints: deployPrivateEndpointKeyvaultStorage + ? [ { name: varWrklKvPrivateEndpointName subnetResourceId: createAvdVnet @@ -1275,12 +1294,14 @@ module wrklKeyVault '../../avm/1.0.0/res/key-vault/vault/main.bicep' = { : existingVnetPrivateEndpointSubnetResourceId customNetworkInterfaceName: 'nic-01-${varWrklKvPrivateEndpointName}' service: 'vault' - privateDnsZoneGroupName: createPrivateDnsZones ? split(networking.outputs.keyVaultDnsZoneResourceId, '/')[8] : split(avdVnetPrivateDnsZoneKeyvaultId, '/')[8] + privateDnsZoneGroupName: createPrivateDnsZones + ? split(networking.outputs.keyVaultDnsZoneResourceId, '/')[8] + : split(avdVnetPrivateDnsZoneKeyvaultId, '/')[8] privateDnsZoneResourceIds: [ - createPrivateDnsZones ? networking.outputs.keyVaultDnsZoneResourceId : avdVnetPrivateDnsZoneKeyvaultId + createPrivateDnsZones ? networking.outputs.keyVaultDnsZoneResourceId : avdVnetPrivateDnsZoneKeyvaultId ] } - ] + ] : [] secrets: (avdIdentityServiceProvider != 'EntraID') ? [ @@ -1483,7 +1504,7 @@ module msixAzureFilesStorage './modules/storageAzureFiles/deploy.bicep' = if (va } // VMSS Flex -module vmScaleSetFlex './modules/avdSessionHosts/.bicep/vmScaleSet.bicep' = if (avdDeploySessionHosts && deployVmssFlex) { +module vmScaleSetFlex './modules/avdSessionHosts/.bicep/vmScaleSet.bicep' = if (avdDeploySessionHosts && deployVmssFlex) { name: 'AVD-VMSS-Flex-${time}' scope: resourceGroup('${avdWorkloadSubsId}', '${varComputeObjectsRgName}') params: { diff --git a/workload/bicep/modules/networking/deploy.bicep b/workload/bicep/modules/networking/deploy.bicep index 20231bc81..eb3aa6b55 100644 --- a/workload/bicep/modules/networking/deploy.bicep +++ b/workload/bicep/modules/networking/deploy.bicep @@ -103,6 +103,9 @@ param alaWorkspaceResourceId string @sys.description('Do not modify, used to set unique value for resource deployment') param time string = utcNow() +@sys.description('Additional customer-provided static routes to be added to the route tables.') +param customStaticRoutes array = [] + // =========== // // Variable declaration // // =========== // @@ -153,7 +156,7 @@ var varWindowsActivationKMSPrefixesNsg = (varAzureCloudName == 'AzureCloud') ] : [] // https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/windows/custom-routes-enable-kms-activation#solution -var varStaticRoutes = (varAzureCloudName == 'AzureCloud') +var varDefaultStaticRoutes = (varAzureCloudName == 'AzureCloud') ? [ { name: 'AVDServiceTraffic' @@ -283,6 +286,9 @@ var varStaticRoutes = (varAzureCloudName == 'AzureCloud') } ] : [] + +var varStaticRoutes = union(varDefaultStaticRoutes, customStaticRoutes) + var privateDnsZoneNames = { AutomationAgentService: 'privatelink.agentsvc.azure-automation.${privateDnsZoneSuffixes_AzureAutomation[environment().name]}' Automation: 'privatelink.azure-automation.${privateDnsZoneSuffixes_AzureAutomation[environment().name]}'