Remove MSI references and CI / CD files #152

Merged (3 commits), Jun 11, 2024
49 changes: 25 additions & 24 deletions .github/workflows/release.yml
@@ -1,41 +1,42 @@
---
name: Release

on:
release:
types: [ created ]
types: [created]
workflow_dispatch:
pull_request:
branches:
- main

permissions:
contents: write
contents: write

jobs:
release:
name: Generate Release
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4

- name: Zip and Tar
run: |
cd templates
tar -cvzf ../starter_modules.tar.gz .
zip -r ../starter_modules.zip .

- name: Upload Artifacts
uses: actions/upload-artifact@v4
with:
name: starter_modules
path: |
starter_modules.tar.gz
starter_modules.zip
- uses: actions/checkout@v4

- name: Release
uses: softprops/action-gh-release@v2
if: startsWith(github.ref, 'refs/tags/')
with:
files: |
./starter_modules.tar.gz
./starter_modules.zip
- name: Zip and Tar
run: |
cd templates
tar -cvzf ../starter_modules.tar.gz .
zip -r ../starter_modules.zip .

- name: Upload Artifacts
uses: actions/upload-artifact@v4
with:
name: starter_modules
path: |
starter_modules.tar.gz
starter_modules.zip

- name: Release
uses: softprops/action-gh-release@v2
if: startsWith(github.ref, 'refs/tags/')
with:
files: |
./starter_modules.tar.gz
./starter_modules.zip
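Review bot: `permissions: contents: write` is still declared at the workflow level, so it is also granted to the `pull_request` and `workflow_dispatch` runs, which never reach the `Release` step (that step is gated by `if: startsWith(github.ref, 'refs/tags/')`). Only the `release` job needs to write, so set `permissions: contents: read` at the top and move `contents: write` under `jobs.release.permissions`; a PR-triggered run then gets a read-only token. Since this hunk only re-indents the file and changes `[ created ]` to `[created]`, it is also a good moment to pin `actions/checkout@v4`, `actions/upload-artifact@v4` and `softprops/action-gh-release@v2` to commit SHAs (tag in a trailing comment) rather than mutable tags, so the published `starter_modules.tar.gz` / `starter_modules.zip` are built by a known action revision.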
38 changes: 2 additions & 36 deletions docs/wiki/Home.md
Expand Up @@ -23,14 +23,12 @@ The accelerator follows a 3 phase approach:

![Azure landing zone accelerator process][alz_accelerator_overview]

The components of the environment are similar, but differ depending on your choice of VCS and authentication:
The components of the environment are similar, but differ depending on your choice of VCS:

![Components][components]

### GitHub

We only support federated credentials for GitHub as a best practice.

- Azure:
- Resource Group for State
- Storage Account and Container for State
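Review bot: deleting `We only support federated credentials for GitHub as a best practice.` removes the only sentence on this page that says how the GitHub workflows authenticate to Azure, while the component list below it still contains `Customised OIDC Token Subject for governed Actions`, which a reader now has nothing to relate to. Since this PR makes federated credentials the only option on both platforms, replace the sentence rather than dropping it, e.g. `Authentication to Azure uses workload identity federation (OIDC) for both GitHub and Azure DevOps.`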
Expand All @@ -54,9 +52,7 @@ We only support federated credentials for GitHub as a best practice.
- Customised OIDC Token Subject for governed Actions
- [Optional] Runner Group

### Azure DevOps with Workload identity federation (WIF / OIDC)

This is the recommended authentication method for Azure DevOps.
### Azure DevOps

- Azure:
- Resource Group for State
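Review bot: collapsing `### Azure DevOps with Workload identity federation (WIF / OIDC)` and `This is the recommended authentication method for Azure DevOps.` to a bare `### Azure DevOps` loses the statement of the authentication model along with the qualifier that is no longer needed. "Recommended" is the wrong word once there is no alternative, but the page should still say what the service connections use; keep a one-line replacement under the heading, e.g. `The service connections use Workload identity federation (WIF / OIDC).`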
Expand All @@ -83,36 +79,6 @@ This is the recommended authentication method for Azure DevOps.
- Group and Members for Apply Approval
- [Optional] Agent Pool

### Azure DevOps with Managed identity and self-hosted agents

We include this option as Workload identity federation (WIF) is still in preview, but it will be removed once WIF is generally available to simplify the accelerator and promote best practice.

- Azure:
- Resource Group for State
- Storage Account and Container for State
- Resource Group for Identity
- User Assigned Managed Identities (UAMI) for Plan and Apply
- Permissions for the UAMI on state storage container, subscriptions and management groups
- Resource Group for Agents
- Container Instances with UAMI hosting Azure DevOps Agents
- [Optional] Virtual network, subnets, private DNS zone and private endpoint.

- Azure DevOps
- Project (can be supplied or created)
- Repository for the Module
- Repository for the Pipeline Templates
- Starter Terraform module with tfvars
- Branch policy
- Pipeline for Continuous Integration
- Pipeline for Continuous Delivery
- Environment for Plan
- Environment for Apply
- Variable Group for Backend
- Service Connections with Managed identity for Plan and Apply
- Service Connection Approvals, Template Validation and Concurrency Control
- Group and Members for Apply Approval
- Agent Pools for Plan and Apply

### Local File System

This outputs the ALZ module files to the file system, so you can apply them manually or with your own VCS / automation.
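Review bot: the removed section recorded why the managed-identity path existed (`Workload identity federation (WIF) is still in preview`) and that it would go away once WIF is generally available, but the PR removes it without recording that anywhere. Anyone who bootstrapped with `ManagedServiceIdentity` (`Service Connections with Managed identity for Plan and Apply`, `Agent Pools for Plan and Apply`, `Container Instances with UAMI hosting Azure DevOps Agents`) will re-run the accelerator and find the option gone with no explanation. Add a short note here or in the release notes stating that the option was removed (and that the reason is WIF reaching GA, if that is the case) and what an existing MSI deployment should do: re-bootstrap with WIF and then remove the old `Permissions for the UAMI on state storage container, subscriptions and management groups`, otherwise the orphaned user-assigned identities keep their role assignments on the management groups.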
5 changes: 2 additions & 3 deletions docs/wiki/[User-Guide]-Quick-Start-Phase-2-Azure-DevOps.md
Expand Up @@ -16,10 +16,9 @@
1. `azure_devops_use_organisation_legacy_url`: If you have not migrated to the modern url (still using `https://<organization_name>.visualstudio.com`) for your Azure DevOps organisation, then set this to `true`. This is ignored if you supply an fqdn to `version_control_system_organization`.
1. `azure_devops_create_project`: If you have an existing project you want to use rather than creating a new one, select `true`. We recommend creating a new project to ensure it is isolated by a strong security boundary.
1. `azure_devops_project_name`: Enter the name of the Azure DevOps project to create or the name of an existing project if you set `azure_devops_create_project` to `false`.
1. `azure_devops_authentication_scheme`: Enter the authentication scheme that your pipeline will use to authenticate to Azure. `WorkloadIdentityFederation` uses OpenId Connect and is the recommended approach. `ManagedServiceIdentity` requires the deployment of self-hosted agents are part of the bootstrap setup.
1. `use_self_hosted_agents`: This controls if you want to deploy self-hosted agents. If you are using `ManagedServiceIdentity` for `azure_devops_authentication_scheme`, then you will need to deploy self-hosted agents as part of the bootstrap, so this setting will have no effect. This will default to `true`.
1. `use_self_hosted_agents`: This controls if you want to deploy self-hosted agents. This will default to `true`.
1. `azure_devops_agents_personal_access_token`: Enter the Azure DevOps PAT you generated in a previous step specifically for the self-hosted agents. This only applies if you have `use_self_hosted_agents` set to `true`. This defaults to `""`.
1. `use_private_networking`: This controls whether private networking is deployed for your self-hosted agents and storage account. This only applies if you have `use_self_hosted_agents` set to `true` or `azure_devops_authentication_scheme` is set to `ManagedServiceIdentity`. This defaults to `true`.
1. `use_private_networking`: This controls whether private networking is deployed for your self-hosted agents and storage account. This only applies if you have `use_self_hosted_agents` set to `true`. This defaults to `true`.
1. `allow_storage_access_from_my_ip`: This controls whether to allow access to the storage account from your IP address. This is only needed for trouble shooting. This only applies if you have `use_private_networking` set to `true`. This defaults to `false`.
1. `apply_approvers`: This is a list of service principal names (SPN) of people you wish to be in the group that approves apply of the Azure landing zone module. This is a comma-separated list like `[email protected],[email protected],[email protected]`. You may need to check what the SPN is prior to filling this out as it can vary based on identity provider.
1. You will now see a green message telling you that the next section is specific to the starter module you choose. Navigate to the documentation for the relevant starter module to get details of the specific inputs.
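Review bot: with the `azure_devops_authentication_scheme` item deleted, this quick start no longer tells the reader which authentication the pipelines use; that item carried the page's only mention of `WorkloadIdentityFederation` and OpenID Connect. Fold one sentence into the remaining text (the step introduction or the `use_self_hosted_agents` item) so the reader still learns that the service connections are federated and that the PAT entered in `azure_devops_agents_personal_access_token` is only for registering self-hosted agents, not for authenticating the pipelines to Azure. The simplified `use_self_hosted_agents` and `use_private_networking` wording is otherwise correct.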
4 changes: 2 additions & 2 deletions docs/wiki/[User-Guide]-Quick-Start-Phase-2-GitHub.md
Expand Up @@ -13,9 +13,9 @@
1. `service_name`: This is used to build up the names of your Azure and GitHub resources, for example `rg-<service_name>-mgmt-uksouth-001`. We recommend using `alz` for this.
1. `environment_name`: This is used to build up the names of your Azure and GitHub resources, for example `rg-alz-<environment_name>-uksouth-001`. We recommend using `mgmt` for this.
1. `postfix_number`: This is used to build up the names of your Azure and GitHub resources, for example `rg-alz-mgmt-uksouth-<postfix_number>`. We recommend using `1` for this.
1. `use_self_hosted_agents`: This controls if you want to deploy self-hosted runners. If you are using `ManagedServiceIdentity` for `azure_devops_authentication_scheme`, then you will need to deploy self-hosted runners as part of the bootstrap, so this setting will have no effect. This will default to `true`.
1. `use_self_hosted_agents`: This controls if you want to deploy self-hosted runners. This will default to `true`.
1. `github_runners_personal_access_token`: Enter the GitHub PAT you generated in a previous step specifically for the self-hosted runners. This only applies if you have `use_self_hosted_agents` set to `true`. This defaults to `""`.
1. `use_private_networking`: This controls whether private networking is deployed for your self-hosted runners and storage account. This only applies if you have `use_self_hosted_agents` set to `true` or `azure_devops_authentication_scheme` is set to `ManagedServiceIdentity`. This defaults to `true`.
1. `use_private_networking`: This controls whether private networking is deployed for your self-hosted runners and storage account. This only applies if you have `use_self_hosted_agents` set to `true`. This defaults to `true`.
1. `use_runner_group`: This controls whether to use a Runner Group for self hosted agents. This only applies if `use_self_hosted_agents` is `true` and your GitHub Organization is part of a licensed GitHub Enterprise. This defaults to `true`.
1. `allow_storage_access_from_my_ip`: This controls whether to allow access to the storage account from your IP address. This is only needed for trouble shooting. This only applies if you have `use_private_networking` set to `true`. This defaults to `false`.
1. `apply_approvers`: This is a list of service principal names (SPN) of people you wish to be in the group that approves apply of the Azure landing zone module. This is a comma-separated list like `[email protected],[email protected],[email protected]`. You may need to check what the SPN is prior to filling this out as it can vary based on identity provider.
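Review bot: the deleted `ManagedServiceIdentity` clauses referred to `azure_devops_authentication_scheme`, an Azure DevOps-only input that never applied to the GitHub path, so removing them here fixes a copy-paste leftover rather than documenting a behaviour change. Two things worth doing in the same list: `use_runner_group` still says `self hosted agents` where every other item on this page says runners; and `use_private_networking` would be clearer if it said why it only applies when `use_self_hosted_agents` is `true`, namely that GitHub-hosted runners have no route to a private endpoint on the storage account, so enabling private networking without self-hosted runners would lock the workflows out of the state backend.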
1 change: 0 additions & 1 deletion docs/wiki/[User-Guide]-Starter-Module-Complete.md
Expand Up @@ -213,7 +213,6 @@ postfix_number: "1"
azure_devops_use_organisation_legacy_url: "false"
azure_devops_create_project: "true"
azure_devops_project_name: "alz-demo"
azure_devops_authentication_scheme: "WorkloadIdentityFederation"
version_control_system_use_separate_repository_for_templates: "true"
use_self_hosted_agents: "true"
use_private_networking: "true"
5 changes: 0 additions & 5 deletions docs/wiki/examples/powershell-inputs/inputs-azure-devops.yaml
Expand Up @@ -58,11 +58,6 @@ azure_devops_create_project: "true"
# The name of the Azure DevOps project to use or create for the deployment
azure_devops_project_name: "<project name>"

# The authentication scheme to use for the Azure DevOps Pipelines
# (A valid authentication scheme e.g. 'WorkloadIdentityFederation')
# [allowed: WorkloadIdentityFederation ManagedServiceIdentity]
azure_devops_authentication_scheme: "WorkloadIdentityFederation"

# Controls whether to use self-hosted agents for the pipelines
use_self_hosted_agents: "true"
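Review bot: removing the `azure_devops_authentication_scheme` block from the example inputs file is right, but check what the bootstrap does with an existing inputs YAML that still contains the key. If unknown keys are rejected, every user who copied this example before #152 gets a hard failure on their next run with no hint that the key was retired; if they are silently ignored, a user who had set `ManagedServiceIdentity` is switched to WIF without noticing, with the consequences for their existing agent pools and service connections described elsewhere in this PR. Either way the removed key should be named in the release notes, and a one-line comment here saying that the pipelines always use Workload identity federation would carry the information the deleted `[allowed: WorkloadIdentityFederation ManagedServiceIdentity]` comment used to.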

27 changes: 0 additions & 27 deletions templates/ci_cd/azuredevops/cd.yaml

This file was deleted.

14 changes: 0 additions & 14 deletions templates/ci_cd/azuredevops/ci.yaml

This file was deleted.

92 changes: 0 additions & 92 deletions templates/ci_cd/azuredevops/templates/cd.yaml

This file was deleted.

46 changes: 0 additions & 46 deletions templates/ci_cd/azuredevops/templates/ci.yaml

This file was deleted.
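Review bot: these four deletions remove the whole `templates/ci_cd/azuredevops/` tree (`ci.yaml`, `cd.yaml` and the `templates/ci.yaml` / `templates/cd.yaml` beneath them), and the release workflow in this same PR builds `starter_modules.tar.gz` and `starter_modules.zip` with `cd templates` followed by `tar` / `zip` of `.`, so the next tagged release ships with no Azure DevOps pipeline definitions at all. Nothing in the diff shows where the Azure DevOps pipelines now come from; confirm before merge that they are generated elsewhere and that dropping them from the published archive is intended, otherwise a consumer of the release artifact gets a starter that can no longer stand up the Azure DevOps CI / CD path.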
