cds-snc
diff --git a/‎.github/CODEOWNERS‎
Lines changed: 1 addition & 1 deletion b/‎.github/CODEOWNERS‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/0-everything.yml‎
Lines changed: 33 additions & 0 deletions b/‎.github/workflows/0-everything.yml‎
Lines changed: 33 additions & 0 deletions
diff --git a/‎.github/workflows/6-identity.yml‎
Lines changed: 46 additions & 0 deletions b/‎.github/workflows/6-identity.yml‎
Lines changed: 46 additions & 0 deletions
diff --git a/‎.github/workflows/7-subscriptions.yml‎
Lines changed: 84 additions & 0 deletions b/‎.github/workflows/7-subscriptions.yml‎
Lines changed: 84 additions & 0 deletions
diff --git a/‎.github/workflows/README.md‎
Lines changed: 2 additions & 1 deletion b/‎.github/workflows/README.md‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎.github/workflows/consistency-check.yml‎
Lines changed: 9 additions & 0 deletions b/‎.github/workflows/consistency-check.yml‎
Lines changed: 9 additions & 0 deletions
diff --git a/‎.github/workflows/pull-request-check.yml‎
Lines changed: 9 additions & 0 deletions b/‎.github/workflows/pull-request-check.yml‎
Lines changed: 9 additions & 0 deletions
diff --git a/‎.pipelines/platform-identity.yml‎
Lines changed: 64 additions & 0 deletions b/‎.pipelines/platform-identity.yml‎
Lines changed: 64 additions & 0 deletions
diff --git a/‎.pipelines/policy.yml‎
Lines changed: 1 addition & 1 deletion b/‎.pipelines/policy.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.pipelines/templates/steps/deploy-platform-identity.yml‎
Lines changed: 83 additions & 0 deletions b/‎.pipelines/templates/steps/deploy-platform-identity.yml‎
Lines changed: 83 additions & 0 deletions
@@ -1,2 +1,2 @@
 # These owners will be the default owners for everything in the repo.
-*           @hudua @SenthuranSivananthan @skeeler @kevinevans @bawillis
+*           @hudua @SenthuranSivananthan @skeeler @Tredell
@@ -20,6 +20,11 @@ on:
           - "HubNetworkWithNVA"
           - "HubNetworkWithAzureFirewall"
         default: "HubNetworkWithAzureFirewall"
+      deployIdentity:
+        type: boolean
+        description: "Deploy Identity Subscription"
+        required: true
+        default: false
       subscriptionIds:
         type: string
         description: Subscription ID(s) (optional), e.g. "abcd", "1234"
@@ -306,6 +311,34 @@ jobs:
           -NvaUsername (ConvertTo-SecureString -String '${{secrets.NVA_USERNAME}}' -AsPlainText -Force) `
           -NvaPassword (ConvertTo-SecureString -String '${{secrets.NVA_PASSWORD}} '-AsPlainText -Force)
 
+  identity:
+    name: Identity
+    if: github.event.inputs.deployIdentity == 'true'
+
+    needs:
+      - Logging
+      - HubNetworking
+
+    runs-on: ubuntu-latest
+    
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v3
+
+    - name: Configure PowerShell modules
+      run: |
+        Install-Module Az -Force
+        Install-Module powershell-yaml -Force
+
+    - name: Deploy Identity
+      run: |
+        ./RunWorkflows.ps1 `
+          -DeployIdentity `
+          -EnvironmentName '${{github.event.inputs.environmentName}}' `
+          -LoginServicePrincipalJson (ConvertTo-SecureString -String '${{secrets.ALZ_CREDENTIALS}}' -AsPlainText -Force) `
+          -GitHubRepo ${env:GITHUB_REPOSITORY} `
+          -GitHubRef ${env:GITHUB_REF}
+
   SubscriptionMatrix:
     if: github.event.inputs.subscriptionIds != ''
 
 
@@ -0,0 +1,46 @@
+# ----------------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT license.
+#
+# THIS CODE AND INFORMATION ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, 
+# EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES 
+# OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
+# ----------------------------------------------------------------------------------
+
+name: 6 - Identity
+
+on:
+  workflow_dispatch:
+    inputs:
+      environmentName:
+        type: string
+        description: Environment name (optional), e.g. CanadaESLZ-main
+        required: false
+
+defaults:
+  run:
+    shell: pwsh
+    working-directory: scripts/deployments
+
+jobs:
+  identity:
+    name: Identity
+    runs-on: ubuntu-latest
+    steps:
+
+    - name: Checkout
+      uses: actions/checkout@v3
+
+    - name: Configure PowerShell modules
+      run: |
+        Install-Module Az -Force
+        Install-Module powershell-yaml -Force
+
+    - name: Deploy Identity
+      run: |
+        ./RunWorkflows.ps1 `
+          -DeployIdentity `
+          -EnvironmentName '${{github.event.inputs.environmentName}}' `
+          -LoginServicePrincipalJson (ConvertTo-SecureString -String '${{secrets.ALZ_CREDENTIALS}}' -AsPlainText -Force) `
+          -GitHubRepo ${env:GITHUB_REPOSITORY} `
+          -GitHubRef ${env:GITHUB_REF}
@@ -0,0 +1,84 @@
+# ----------------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT license.
+#
+# THIS CODE AND INFORMATION ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, 
+# EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES 
+# OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
+# ----------------------------------------------------------------------------------
+
+
+name: 7 - Subscriptions
+
+on:
+  workflow_dispatch:
+    inputs:
+      subscriptionIds:
+        type: string
+        description: Subscription ID(s), e.g. "abcd", "1234"
+        required: true
+      environmentName:
+        type: string
+        description: Environment name (optional), e.g. CanadaESLZ-main
+        required: false
+
+defaults:
+  run:
+    shell: pwsh
+    working-directory: scripts/deployments
+
+jobs:
+  SubscriptionMatrix:
+    if: github.event.inputs.subscriptionIds != ''
+
+    name: Create subscription deployment(s) as matrix
+    
+    runs-on: ubuntu-latest
+    
+    outputs:
+      matrix: ${{ steps.set-matrix.outputs.matrix }}
+    
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - id: set-matrix
+        run: |
+          $SubscriptionIdJsonObject = @{
+              SubscriptionId = ${{github.event.inputs.subscriptionIds}} -Split ","
+          }
+
+          $SubscriptionIdJson = $SubscriptionIdJsonObject | ConvertTo-Json -Compress
+
+          Write-Output "::set-output name=matrix::$SubscriptionIdJson"
+
+  Subscriptions:
+    if: github.event.inputs.subscriptionIds != ''
+    needs:
+      - SubscriptionMatrix
+
+    name: Subscriptions
+
+    runs-on: ubuntu-latest
+
+    strategy:
+      matrix: ${{fromJSON(needs.SubscriptionMatrix.outputs.matrix)}}
+      fail-fast: false
+
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v3
+
+    - name: Configure PowerShell modules
+      run: |
+        Install-Module Az -Force
+        Install-Module powershell-yaml -Force
+
+    - name: Deploy Subscription
+      run: |
+        ./RunWorkflows.ps1 `
+          -DeploySubscriptionIds '${{ matrix.subscriptionId }}' `
+          -EnvironmentName '${{github.event.inputs.environmentName}}' `
+          -LoginServicePrincipalJson (ConvertTo-SecureString -String '${{secrets.ALZ_CREDENTIALS}}' -AsPlainText -Force) `
+          -GitHubRepo ${env:GITHUB_REPOSITORY} `
+          -GitHubRef ${env:GITHUB_REF}
@@ -22,7 +22,8 @@ The following workflows are present in the `.github/workflows` repository folder
 | 5 | Azure Firewall Policy (required for Hub Networking with Azure Firewall) | `5-azure-firewall-policy.yml`
 | 5 | Hub Networking with Azure Firewall | `5-hub-network-with-azure-firewall.yml`
 | 5 | Hub Networking with NVA | `5-hub-network-with-nva.yml`
-| 6 | Subscriptions | `6-subscriptions.yml`
+| 6 | Identity | `6-identity.yml`
+| 7 | Subscriptions | `7-subscriptions.yml`
 
 With the exception of the `Everything` workflow, all other workflows need to be run in the order specified. For example, the `Policy` workflow is dependent on resources deployed by the `Logging` workflow. Think of it as a layered approach; once the layer is deployed, it only requires re-running if some configuration at that layer changes.
 
 
@@ -9,6 +9,7 @@ env:
   SCHEMA_FOLDER: schemas/latest/landingzones
   LOGGING_PATH_FROM_ROOT: config/logging
   NETWORKING_PATH_FROM_ROOT: config/networking
+  IDENTITY_PATH_FROM_ROOT: config/identity
   SUBSCRIPTIONS_PATH_FROM_ROOT: config/subscriptions
 
 jobs:
@@ -82,6 +83,14 @@ jobs:
               Get-Content -Raw $_ | Test-Json -SchemaFile $HubNetworkWithNVASchemaFile
           }
 
+          $IdentityFileFilter="*.json"
+          $IdentitySchemaFile="${{env.SCHEMA_FOLDER}}/lz-platform-identity.json"
+
+          Get-ChildItem -Recurse -Filter $IdentityFileFilter -Path "${{env.IDENTITY_PATH_FROM_ROOT}}" | ForEach-Object {
+              Write-Host "Validating: $_ with $IdentitySchemaFile"
+              Get-Content -Raw $_ | Test-Json -SchemaFile $IdentitySchemaFile
+          }
+
           $GenericSubscriptionFileFilter="*generic-subscription*.json"
           $GenericSubscriptionSchemaFile="${{env.SCHEMA_FOLDER}}/lz-generic-subscription.json"
 
 
@@ -12,6 +12,7 @@ env:
   SCHEMA_FOLDER: schemas/latest/landingzones
   LOGGING_PATH_FROM_ROOT: config/logging
   NETWORKING_PATH_FROM_ROOT: config/networking
+  IDENTITY_PATH_FROM_ROOT: config/identity
   SUBSCRIPTIONS_PATH_FROM_ROOT: config/subscriptions
 
 jobs:
@@ -84,6 +85,14 @@ jobs:
               Write-Host "Validating: $_ with $HubNetworkWithNVASchemaFile"
               Get-Content -Raw $_ | Test-Json -SchemaFile $HubNetworkWithNVASchemaFile
           }
+
+          $IdentityFileFilter="*.json"
+          $IdentitySchemaFile="${{env.SCHEMA_FOLDER}}/lz-platform-identity.json"
+
+          Get-ChildItem -Recurse -Filter $IdentityFileFilter -Path "${{env.IDENTITY_PATH_FROM_ROOT}}" | ForEach-Object {
+              Write-Host "Validating: $_ with $IdentitySchemaFile"
+              Get-Content -Raw $_ | Test-Json -SchemaFile $IdentitySchemaFile
+          }
           
           $GenericSubscriptionFileFilter="*generic-subscription*.json"
           $GenericSubscriptionSchemaFile="${{env.SCHEMA_FOLDER}}/lz-generic-subscription.json"
 
@@ -0,0 +1,64 @@
+# ----------------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT license.
+#
+# THIS CODE AND INFORMATION ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, 
+# EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES 
+# OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
+# ----------------------------------------------------------------------------------
+
+trigger: none
+
+pr: none
+
+variables:
+- name: devops-org-name
+  value: ${{ replace(replace(variables['System.CollectionUri'], 'https://dev.azure.com/' , ''), '/', '') }}
+- name: logging-config-directory
+  value: $(System.DefaultWorkingDirectory)/$(loggingPathFromRoot)/${{ variables['devops-org-name'] }}-${{ variables['Build.SourceBranchName'] }}
+- name: identity-config-directory
+  value: $(System.DefaultWorkingDirectory)/$(identityPathFromRoot)/${{ variables['devops-org-name'] }}-${{ variables['Build.SourceBranchName'] }}
+- name: variable-template-file
+  value: ${{ variables['devops-org-name'] }}-${{ variables['Build.SourceBranchName'] }}.yml
+- template: ../config/variables/common.yml
+- template: ../config/variables/${{ variables['variable-template-file'] }}
+
+
+pool:
+  vmImage: $[ variables.vmImage ]
+  
+stages:
+
+- stage: DeployNetworkingStage
+  displayName: Deploy Networking Stage
+
+  jobs:
+
+  - deployment: DeployIdentityJob
+    displayName: Deploy Identity Job
+    environment: ${{ variables['Build.SourceBranchName'] }}
+    strategy:
+      runOnce:
+        deploy:
+          steps:
+          - checkout: self
+
+          - template: templates/steps/load-variables.yml
+
+          - template: templates/steps/load-log-analytics-vars.yml
+            parameters:
+              logAnalyticsSubscriptionId: $(var-logging-subscriptionId)
+              logAnalyticsConfigurationFile: ${{ variables['logging-config-directory'] }}/$(var-logging-configurationFileName)
+
+          - template: templates/steps/show-variables.yml
+            parameters:
+              json: ${{ convertToJson(variables) }}
+
+          - template: templates/steps/deploy-platform-identity.yml
+            parameters:
+              workingDir: $(System.DefaultWorkingDirectory)/landingzones
+              deployOperation: ${{ variables['deployOperation'] }}
+              identityManagementGroupId: $(var-identity-managementGroupId)
+              identitySubscriptionId: $(var-identity-subscriptionId)
+              identityRegion: $(var-identity-region)
+              identityConfigurationPath: ${{ variables['identity-config-directory'] }}/$(var-identity-configurationFileName)
@@ -96,7 +96,7 @@ stages:
     - template: templates/steps/define-policyset.yml
       parameters:
         description: 'Define Policy Set'
-        deployTemplates: [AKS, DefenderForCloud, LogAnalytics, Network, DNSPrivateEndpoints, Tags]
+        deployTemplates: [AKS, DefenderForCloud, DNSPrivateEndpoints, LogAnalytics, Network, Tags]
         deployOperation: ${{ variables['deployOperation'] }}
         workingDir: $(System.DefaultWorkingDirectory)/policy/custom/definitions/policyset
 
 
@@ -0,0 +1,83 @@
+# ----------------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT license.
+#
+# THIS CODE AND INFORMATION ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, 
+# EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES 
+# OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
+# ----------------------------------------------------------------------------------
+
+parameters:
+  - name: workingDir
+    type: string
+  - name: deployOperation
+    type: string
+    default: create
+    values:
+      - create
+      - what-if
+  - name: identityManagementGroupId
+    type: string
+  - name: identitySubscriptionId
+    type: string
+  - name: identityRegion
+    type: string
+  - name: identityConfigurationPath
+    type: string
+
+steps:
+
+- task: PowerShell@2
+  displayName: Validate identity Parameters
+  inputs:
+    targetType: 'inline'
+    script: |
+      $schemaFile="$(Build.SourcesDirectory)/schemas/latest/landingzones/lz-platform-identity.json"
+
+      Write-Host "Parameters File: ${{ parameters.identityConfigurationPath }}"
+      Write-Host "Schema File: ${schemaFile}"
+
+      Get-Content -Raw "${{ parameters.identityConfigurationPath }}" | Test-Json -SchemaFile "${schemaFile}"
+
+- template: ./move-subscription.yml
+  parameters:
+    managementGroup: ${{ parameters.identityManagementGroupId }}
+    subscriptionGuid: ${{ parameters.identitySubscriptionId }}
+    subscriptionLocation: ${{ parameters.identityRegion }}
+    templateDirectory: $(Build.SourcesDirectory)/landingzones/utils/mg-move
+    templateFile: move-subscription.bicep
+    workingDir: ${{ parameters.workingDir }}/utils/mg-move
+
+- task: AzureCLI@2
+  displayName: Configure Identity LZ
+  inputs:
+    azureSubscription: $(serviceConnection)
+    scriptType: 'bash'
+    scriptLocation: 'inlineScript'
+    inlineScript: |
+      $(var-bashPreInjectScript)
+
+      # Check if the log analytics workspace id is provided in the parameters json.
+      # If present, then do no change it.  Otherwise add it to the json parameter file.
+      LOG_ANALYTICS_WORKSPACE_RESOURCE_ID_IN_PARAMETERS=`jq -r .parameters.logAnalyticsWorkspaceResourceId.value ${{ parameters.identityConfigurationPath }}`   
+
+      if [[ $LOG_ANALYTICS_WORKSPACE_RESOURCE_ID_IN_PARAMETERS != null && "$LOG_ANALYTICS_WORKSPACE_RESOURCE_ID_IN_PARAMETERS" != "" ]];
+      then
+        echo "Log Analytics Workspace Resource ID is set in ${{ parameters.identityConfigurationPath }} to $LOG_ANALYTICS_WORKSPACE_RESOURCE_ID_IN_PARAMETERS"
+      else
+        echo "Log Analytics Workspace Resource ID is not set in ${{ parameters.identityConfigurationPath }}.  Updating ${{ parameters.identityConfigurationPath }} with $(var-logging-logAnalyticsWorkspaceResourceId)"
+
+        # use jq to update the json parameter file
+        echo "$( jq '.parameters.logAnalyticsWorkspaceResourceId.value = "$(var-logging-logAnalyticsWorkspaceResourceId)"' ${{ parameters.identityConfigurationPath }} )" > ${{ parameters.identityConfigurationPath }}
+      fi
+
+      echo "Deploying main.bicep using ${{ parameters.deployOperation}} operation using ${{ parameters.identityConfigurationPath  }}..."
+      
+      az deployment sub ${{ parameters.deployOperation }} \
+      --location ${{ parameters.identityRegion }} \
+      --subscription ${{ parameters.identitySubscriptionId }} \
+      --template-file main.bicep \
+      --parameters @${{ parameters.identityConfigurationPath }}
+          
+      $(var-bashPostInjectScript)
+    workingDirectory: '${{ parameters.workingDir }}/lz-platform-identity'
Original file line number	Diff line number	Diff line change
`@@ -1,2 +1,2 @@`
`1`	`1`	`# These owners will be the default owners for everything in the repo.`
`2`		`-* @hudua @SenthuranSivananthan @skeeler @kevinevans @bawillis`
	`2`	`+* @hudua @SenthuranSivananthan @skeeler @Tredell`