

Added parameters to deploy Bastion, Windows and Linux VMs separately. (
…Azure#1020)

* Added parameters to deploy Bastion, Windows and Linux VMs separately.

* Added a conditional statement: if deployVirtualMachine is false, the param is given an empty string

* GitHub Action: Build Bicep to JSON

* Fixed spacing

---------

Co-authored-by: Jason Masten <[email protected]>
Co-authored-by: github-actions <[email protected]>
3 people authored May 3, 2024
1 parent 58d83fa commit 9d5ed93
Showing 6 changed files with 222 additions and 151 deletions.
77 changes: 50 additions & 27 deletions src/bicep/form/mlz.portal.json
Expand Up @@ -981,27 +981,27 @@
"options": {
"text": "Enabling remote access is optional, but recommended."
}
},
{
"name": "deployRemoteAccess",
"type": "Microsoft.Common.CheckBox",
"label": "Remotely access the network?",
"toolTip": "Check here to create an Azure Bastion Host and virtual machines to remotely access the network.",
"constraints": {
"required": false
}
}
]
},
{
"name": "azureBastionSubnetSection",
"label": "Azure Bastion Subnet",
"name": "azureBastionSection",
"label": "Azure Bastion",
"type": "Microsoft.Common.Section",
"visible": "[steps('remoteAccess').remoteAccessSection.deployRemoteAccess]",
"elements": [
{
"name": "deployBastion",
"type": "Microsoft.Common.CheckBox",
"label": "Deploy Bastion?",
"toolTip": "Check here to deploy Bastion.",
"constraints": {
"required": false
}
},
{
"name": "remoteAccessSubnetTextBlock",
"type": "Microsoft.Common.TextBlock",
"visible": "[steps('remoteAccess').azureBastionSection.deployBastion]",
"options": {
"text": "Specify a CIDR range for the Azure Bastion Host subnet within the Hub Virtual Network range. It must be of size /26 or larger."
}
Expand All @@ -1010,7 +1010,7 @@
"name": "bastionSubnetAddressCidrRange",
"label": "Azure Bastion Subnet CIDR Range",
"type": "Microsoft.Common.TextBox",
"visible": "[steps('remoteAccess').remoteAccessSection.deployRemoteAccess]",
"visible": "[steps('remoteAccess').azureBastionSection.deployBastion]",
"defaultValue": "10.0.128.192/26",
"toolTip": "[concat('Specify a CIDR range for the Azure Bastion Host subnet within the Hub Virtual Network range: ', steps('networking').hubVirtualNetwork.virtualNetworkAddressCidrRange, '. It must be of size /26 or larger.')]",
"constraints": {
Expand All @@ -1021,19 +1021,19 @@
"message": "Invalid CIDR range. The address prefix must be in the range [24,26]."
},
{
"isValid": "[if(greaterOrEquals(last(split(steps('networking').hubVirtualNetwork.virtualNetworkAddressCidrRange, '/')), 8), equals(last(take(split(first(split(steps('networking').hubVirtualNetwork.virtualNetworkAddressCidrRange, '/')), '.'), 1)), last(take(split(first(split(steps('remoteAccess').azureBastionSubnetSection.bastionSubnetAddressCidrRange, '/')), '.'), 1))), true)]",
"isValid": "[if(greaterOrEquals(last(split(steps('networking').hubVirtualNetwork.virtualNetworkAddressCidrRange, '/')), 8), equals(last(take(split(first(split(steps('networking').hubVirtualNetwork.virtualNetworkAddressCidrRange, '/')), '.'), 1)), last(take(split(first(split(steps('remoteAccess').azureBastionSection.bastionSubnetAddressCidrRange, '/')), '.'), 1))), true)]",
"message": "[concat('First octet not within the Hub virtual network CIDR range: ', steps('networking').hubVirtualNetwork.virtualNetworkAddressCidrRange)]"
},
{
"isValid": "[if(greaterOrEquals(last(split(steps('networking').hubVirtualNetwork.virtualNetworkAddressCidrRange, '/')), 16), equals(last(take(split(first(split(steps('networking').hubVirtualNetwork.virtualNetworkAddressCidrRange, '/')), '.'), 2)), last(take(split(first(split(steps('remoteAccess').azureBastionSubnetSection.bastionSubnetAddressCidrRange, '/')), '.'), 2))), true)]",
"isValid": "[if(greaterOrEquals(last(split(steps('networking').hubVirtualNetwork.virtualNetworkAddressCidrRange, '/')), 16), equals(last(take(split(first(split(steps('networking').hubVirtualNetwork.virtualNetworkAddressCidrRange, '/')), '.'), 2)), last(take(split(first(split(steps('remoteAccess').azureBastionSection.bastionSubnetAddressCidrRange, '/')), '.'), 2))), true)]",
"message": "[concat('Second octet not within the Hub virtual network CIDR range: ', steps('networking').hubVirtualNetwork.virtualNetworkAddressCidrRange)]"
},
{
"isValid": "[if(greaterOrEquals(last(split(steps('networking').hubVirtualNetwork.virtualNetworkAddressCidrRange, '/')), 24), equals(last(take(split(first(split(steps('networking').hubVirtualNetwork.virtualNetworkAddressCidrRange, '/')), '.'), 3)), last(take(split(first(split(steps('remoteAccess').azureBastionSubnetSection.bastionSubnetAddressCidrRange, '/')), '.'), 3))), true)]",
"isValid": "[if(greaterOrEquals(last(split(steps('networking').hubVirtualNetwork.virtualNetworkAddressCidrRange, '/')), 24), equals(last(take(split(first(split(steps('networking').hubVirtualNetwork.virtualNetworkAddressCidrRange, '/')), '.'), 3)), last(take(split(first(split(steps('remoteAccess').azureBastionSection.bastionSubnetAddressCidrRange, '/')), '.'), 3))), true)]",
"message": "[concat('Third octet not within the Hub virtual network CIDR range: ', steps('networking').hubVirtualNetwork.virtualNetworkAddressCidrRange)]"
},
{
"isValid": "[lessOrEquals(last(split(steps('networking').hubVirtualNetwork.virtualNetworkAddressCidrRange, '/')), last(split(steps('remoteAccess').azureBastionSubnetSection.bastionSubnetAddressCidrRange, '/')))]",
"isValid": "[lessOrEquals(last(split(steps('networking').hubVirtualNetwork.virtualNetworkAddressCidrRange, '/')), last(split(steps('remoteAccess').azureBastionSection.bastionSubnetAddressCidrRange, '/')))]",
"message": "[concat('Subnet mask not within the Hub virtual network CIDR range: ', steps('networking').hubVirtualNetwork.virtualNetworkAddressCidrRange)]"
}
]
Expand All @@ -1045,11 +1045,20 @@
"name": "windowsVmSection",
"label": "Windows Virtual Machine",
"type": "Microsoft.Common.Section",
"visible": "[steps('remoteAccess').remoteAccessSection.deployRemoteAccess]",
"elements": [
{
"name": "deployWindowsVirtualMachine",
"type": "Microsoft.Common.CheckBox",
"label": "Deploy Windows Virtual Machine?",
"toolTip": "Check here to deploy Windows Virtual Machine.",
"constraints": {
"required": false
}
},
{
"name": "windowsVmDescriptionTextblock",
"type": "Microsoft.Common.TextBlock",
"visible": "[steps('remoteAccess').windowsVmSection.deployWindowsVirtualMachine]",
"options": {
"text": "Provide an administrator username and password for the Windows virtual machine."
}
Expand All @@ -1066,7 +1075,7 @@
"validationMessage": "Only alphanumeric characters are allowed, and the value must be 1-30 characters long."
},
"osPlatform": "Windows",
"visible": true
"visible": "[steps('remoteAccess').windowsVmSection.deployWindowsVirtualMachine]"
},
{
"name": "windowsVmAdminPassword",
Expand All @@ -1084,7 +1093,8 @@
},
"options": {
"hideConfirmation": false
}
},
"visible": "[steps('remoteAccess').windowsVmSection.deployWindowsVirtualMachine]"
},
{
"name": "hybridUseBenefit",
Expand All @@ -1093,22 +1103,32 @@
"toolTip": "Check here to enable the Hybrid Use Benefit on your virtual machines.",
"constraints": {
"required": false
}
},
"visible": "[steps('remoteAccess').windowsVmSection.deployWindowsVirtualMachine]"
}
]
},
{
"name": "linuxVmSection",
"label": "Linux Virtual Machine",
"type": "Microsoft.Common.Section",
"visible": "[steps('remoteAccess').remoteAccessSection.deployRemoteAccess]",
"elements": [
{
"name": "deployLinuxVirtualMachine",
"type": "Microsoft.Common.CheckBox",
"label": "Deploy Linux Virtual Machine?",
"toolTip": "Check here to deploy Linux Virtual Machine.",
"constraints": {
"required": false
}
},
{
"name": "linuxVmDescriptionTextblock",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Provide an administrator username and password for the Linux virtual machine."
}
},
"visible": "[steps('remoteAccess').linuxVmSection.deployLinuxVirtualMachine]"
},
{
"name": "linuxVmAdminUsername",
Expand All @@ -1122,7 +1142,7 @@
"validationMessage": "Only alphanumeric characters are allowed, and the value must be 1-30 characters long."
},
"osPlatform": "Linux",
"visible": true
"visible": "[steps('remoteAccess').linuxVmSection.deployLinuxVirtualMachine]"
},
{
"name": "linuxVmAdminPasswordOrKey",
Expand All @@ -1139,7 +1159,8 @@
},
"options": {
"hideConfirmation": false
}
},
"visible": "[steps('remoteAccess').linuxVmSection.deployLinuxVirtualMachine]"
}
]
}
Expand Down Expand Up @@ -1186,13 +1207,15 @@
"location": "[steps('basics').locationSection.location.name]",
"subscriptionId": "[steps('basics').hubSection.hubSubscriptionId]",
"parameters": {
"bastionHostSubnetAddressPrefix": "[steps('remoteAccess').azureBastionSubnetSection.bastionSubnetAddressCidrRange]",
"bastionHostSubnetAddressPrefix": "[steps('remoteAccess').azureBastionSection.bastionSubnetAddressCidrRange]",
"defenderSkuTier": "[if(steps('compliance').defenderSection.deployDefender, 'Standard', 'Free')]",
"deployDefenderPlans": "[steps('compliance').defenderSection.deployDefenderPlans]",
"deployIdentity": "[steps('basics').identitySection.deployIdentity]",
"deployLinuxVirtualMachine": "[steps('remoteAccess').linuxVmSection.deployLinuxVirtualMachine]",
"deployWindowsVirtualMachine": "[steps('remoteAccess').windowsVmSection.deployWindowsVirtualMachine]",
"deployNetworkWatcher": "[empty(filter(steps('networking').networkWatchersApi.value, (item) => equals(item.location, steps('basics').locationSection.location.name)))]",
"deployPolicy": "[steps('compliance').policySection.deployPolicy]",
"deployRemoteAccess": "[steps('remoteAccess').remoteAccessSection.deployRemoteAccess]",
"deployBastion": "[steps('remoteAccess').azureBastionSection.deployBastion]",
"deploySentinel": "[steps('compliance').sentinelSection.deploySentinel]",
"emailSecurityContact": "[steps('compliance').defenderSection.emailSecurityContact]",
"firewallClientSubnetAddressPrefix": "[steps('networking').hubVirtualNetwork.firewallClientSubnetAddressCidrRange]",
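Review bot: The new `visible` property is placed inconsistently between the two description text blocks: `windowsVmDescriptionTextblock` carries it before `options`, while `linuxVmDescriptionTextblock` in the fourth hunk appends it after `options`; putting `"visible": "[steps('remoteAccess').linuxVmSection.deployLinuxVirtualMachine]",` directly after `"type"` in the Linux element keeps both elements the same shape. In the last hunk the added `deployLinuxVirtualMachine`, `deployWindowsVirtualMachine` and `deployBastion` outputs are inserted out of the alphabetical order the rest of the `parameters` map follows; `deployBastion` belongs before `deployDefenderPlans` and `deployWindowsVirtualMachine` after `deploySentinel`. The `parameters` object and the section `elements` arrays continue outside the hunks.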
22 changes: 15 additions & 7 deletions src/bicep/mlz.bicep
Expand Up @@ -323,8 +323,14 @@ param logStorageSkuName string = 'Standard_GRS'

// REMOTE ACCESS PARAMETERS

@description('When set to "true", provisions Azure Bastion Host and virtual machine jumpboxes. It defaults to "false".')
param deployRemoteAccess bool = false
@description('When set to "true", provisions Azure Bastion Host only. It defaults to "false".')
param deployBastion bool = false

@description('When set to "true", provisions Windows Virtual Machine Host only. It defaults to "false".')
param deployWindowsVirtualMachine bool = false

@description('When set to "true", provisions Linux Virtual Machine Host only. It defaults to "false".')
param deployLinuxVirtualMachine bool = false

@description('The CIDR Subnet Address Prefix for the Azure Bastion Subnet. It must be in the Hub Virtual Network space "hubVirtualNetworkAddressPrefix" parameter value. It must be /27 or larger.')
param bastionHostSubnetAddressPrefix string = '10.0.128.192/26'
Expand All @@ -350,7 +356,7 @@ param linuxVmAuthenticationType string = 'password'
@description('The administrator password or public SSH key for the Linux Virtual Machine to Azure Bastion remote into. See https://docs.microsoft.com/en-us/azure/virtual-machines/linux/faq#what-are-the-password-requirements-when-creating-a-vm- for password requirements.')
@secure()
@minLength(12)
param linuxVmAdminPasswordOrKey string = deployRemoteAccess ? '' : newGuid()
param linuxVmAdminPasswordOrKey string = deployLinuxVirtualMachine ? '' : newGuid()

@description('The size of the Linux Virtual Machine to Azure Bastion remote into. It defaults to "Standard_B2s".')
param linuxVmSize string = 'Standard_B2s'
Expand Down Expand Up @@ -388,7 +394,7 @@ param windowsVmAdminUsername string = 'azureuser'
@description('The administrator password the Windows Virtual Machine to Azure Bastion remote into. It must be > 12 characters in length. See https://docs.microsoft.com/en-us/azure/virtual-machines/windows/faq#what-are-the-password-requirements-when-creating-a-vm- for password requirements.')
@secure()
@minLength(12)
param windowsVmAdminPassword string = deployRemoteAccess ? '' : newGuid()
param windowsVmAdminPassword string = deployWindowsVirtualMachine ? '' : newGuid()

@description('The size of the Windows Virtual Machine to Azure Bastion remote into. It defaults to "Standard_DS1_v2".')
param windowsVmSize string = 'Standard_DS1_v2'
Expand Down Expand Up @@ -558,7 +564,7 @@ module networking 'modules/networking.bicep' = {
deployIdentity: deployIdentity
deploymentNameSuffix: deploymentNameSuffix
deployNetworkWatcher: deployNetworkWatcher
deployRemoteAccess: deployRemoteAccess
deployBastion: deployBastion
dnsServers: dnsServers
enableProxy: enableProxy
firewallSettings: {
Expand Down Expand Up @@ -626,14 +632,16 @@ module monitoring 'modules/monitoring.bicep' = {

// REMOTE ACCESS

module remoteAccess 'modules/remote-access.bicep' =
if (deployRemoteAccess) {
module remoteAccess 'modules/remote-access.bicep' = {
name: 'deploy-remote-access-${deploymentNameSuffix}'
params: {
bastionHostPublicIPAddressAllocationMethod: 'Static'
bastionHostPublicIPAddressAvailabilityZones: bastionHostPublicIPAddressAvailabilityZones
bastionHostPublicIPAddressSkuName: 'Standard'
bastionHostSubnetResourceId: networking.outputs.bastionHostSubnetResourceId
deployBastion: deployBastion
deployLinuxVirtualMachine: deployLinuxVirtualMachine
deployWindowsVirtualMachine: deployWindowsVirtualMachine
diskEncryptionSetResourceId: customerManagedKeys.outputs.diskEncryptionSetResourceId
hubNetworkSecurityGroupResourceId: networking.outputs.hubNetworkSecurityGroupResourceId
hubProperties: first(filter(logic.outputs.networks, network => network.name == 'hub'))
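Review bot: Dropping the `if (deployRemoteAccess)` guard in the last hunk makes the `remoteAccess` module deploy unconditionally, so its `bastionHostSubnetResourceId` and `diskEncryptionSetResourceId` inputs are now read from the `networking` and `customerManagedKeys` outputs even when all three new flags are false. If the networking module only creates the Bastion subnet when `deployBastion` is true (it now receives that flag in the fourth hunk), the subnet output may be empty in that case and the module deployment fails where it was previously skipped. Keeping the module conditional on any of the new flags preserves the old behaviour: `module remoteAccess 'modules/remote-access.bicep' = if (deployBastion || deployWindowsVirtualMachine || deployLinuxVirtualMachine) {`. The new `@description` text 'provisions Windows Virtual Machine Host only' would read more clearly as 'provisions only the Windows jumpbox virtual machine' (likewise for Linux). The module's `params` block continues outside the hunk.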

0 comments on commit 9d5ed93
