From 53ce8988ae729f6494162c52a2bba73a00431ae8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Evil=C3=A1zaro=20Alves?=
Date: Tue, 5 Aug 2025 06:09:08 -0500
Subject: [PATCH 1/4] Fix Connectivity Managed network

---
 src/connectivity/connectivity.bicep | 10 +++++-----
 src/connectivity/vnet.bicep | 2 +-
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/src/connectivity/connectivity.bicep b/src/connectivity/connectivity.bicep
index 267acec7..10d37bfc 100644
--- a/src/connectivity/connectivity.bicep
+++ b/src/connectivity/connectivity.bicep
@@ -10,7 +10,7 @@ param logAnalyticsId string
 @description('Azure region for resource deployment')
 param location string
 
-var rgCreate = (projectNetwork.create && projectNetwork.virtualNetworkType == 'Unmanaged')
+var netConectCreate = (projectNetwork.create && projectNetwork.virtualNetworkType == 'Unmanaged') || (!projectNetwork.create && projectNetwork.virtualNetworkType == 'Unmanaged')
 
 module Rg 'resourceGroup.bicep' = {
   name: 'projectNetworkRg-${uniqueString(projectNetwork.name, location)}'
@@ -19,13 +19,15 @@ module Rg 'resourceGroup.bicep' = {
     name: projectNetwork.resourceGroupName
     location: location
     tags: projectNetwork.tags
-    create: rgCreate
+    create: netConectCreate
   }
 }
 
+var rgName = (netConectCreate) ? projectNetwork.resourceGroupName : resourceGroup().name
+
 module virtualNetwork 'vnet.bicep' = {
   name: 'virtualNetwork-${uniqueString(projectNetwork.name, location)}'
-  scope: resourceGroup(projectNetwork.resourceGroupName)
+  scope: resourceGroup(rgName)
   params: {
     logAnalyticsId: logAnalyticsId
     location: location
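Review bot: The right-hand side of the new `netConectCreate` expression reduces to `projectNetwork.virtualNetworkType == 'Unmanaged'`, because `(A && B) || (!A && B)` is just `B`; the two-clause form hides that `projectNetwork.create` no longer has any effect on this value. I would write it as `var netConectCreate = projectNetwork.virtualNetworkType == 'Unmanaged'`. Since the following hunk feeds this value into the Rg module's `create` parameter, where the removed `rgCreate` still required `projectNetwork.create`, please confirm that asking `resourceGroup.bicep` to create the group is intended for the `create: false` (existing network) case too; the old guard would have skipped it there, and what `create: true` does to an already existing group depends on that module, which is outside this patch.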
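Review bot: `virtualNetwork` is now scoped to `resourceGroup(rgName)`, but a plain string scope creates no implicit dependency on the `Rg` module, so when `Rg` genuinely has to create the group the nested deployment can be submitted before that group exists. Unless the array closed by the `]` at the top of the @@ -44 hunk (presumably this module's `dependsOn`, which lies outside this hunk) already lists `Rg`, add `dependsOn: [Rg]` to the module. The parentheses in `var rgName = (netConectCreate) ? …` are unnecessary; `var rgName = netConectCreate ? projectNetwork.resourceGroupName : resourceGroup().name` reads cleaner.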
@@ -44,8 +46,6 @@ module virtualNetwork 'vnet.bicep' = {
   ]
 }
 
-var netConectCreate = (projectNetwork.create && projectNetwork.virtualNetworkType == 'Unmanaged') || (!projectNetwork.create && projectNetwork.virtualNetworkType == 'Unmanaged')
-
 @description('Network Connection resource for DevCenter')
 module networkConnection './networkConnection.bicep' = if (netConectCreate) {
   name: 'netconn-${uniqueString(projectNetwork.name,resourceGroup().id)}'
diff --git a/src/connectivity/vnet.bicep b/src/connectivity/vnet.bicep
index b16ac445..b22cf12c 100644
--- a/src/connectivity/vnet.bicep
+++ b/src/connectivity/vnet.bicep
@@ -57,7 +57,7 @@ resource virtualNetwork 'Microsoft.Network/virtualNetworks@2024-07-01' = if (set
 @description('Reference to existing Virtual Network')
 resource existingVirtualNetwork 'Microsoft.Network/virtualNetworks@2024-07-01' existing = if (!settings.create && settings.virtualNetworkType == 'Unmanaged') {
   name: settings.name
-  scope: resourceGroup()
+  scope: resourceGroup(settings.resourceGroupName)
 }
 
 @description('Log Analytics Diagnostic Settings')

From 6fd4b4319366b4353c224c720554c9cd303d2267 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Evil=C3=A1zaro=20Alves?=
Date: Tue, 5 Aug 2025 06:40:52 -0500
Subject: [PATCH 2/4] Fix netconn deployment name

---
 src/connectivity/connectivity.bicep | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/connectivity/connectivity.bicep b/src/connectivity/connectivity.bicep
index 10d37bfc..6dc1b82e 100644
--- a/src/connectivity/connectivity.bicep
+++ b/src/connectivity/connectivity.bicep
@@ -10,6 +10,8 @@ param logAnalyticsId string
 @description('Azure region for resource deployment')
 param location string
 
+param dateTime string = utcNow('yyyy-MM-ddTHH:mm:ssZ')
+
 var netConectCreate = (projectNetwork.create && projectNetwork.virtualNetworkType == 'Unmanaged') || (!projectNetwork.create && projectNetwork.virtualNetworkType == 'Unmanaged')
 
 module Rg 'resourceGroup.bicep' = {
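Review bot: `param dateTime` is the only parameter in view without a `@description` decorator, while `location` directly above it carries one; add `@description('Deployment timestamp used to make nested deployment names unique per run; leave at the default')`. The format string also differs from the `utcNow('yyyyMMdd-HHmmss')` that the next patch adds to infra/main.bicep, and here the value only ever passes through `uniqueString(…)`, so the ISO-style punctuation buys nothing; one format in both files would be more consistent. The same missing description applies to the `dateTime` parameter added to infra/main.bicep.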
@@ -26,7 +28,7 @@ module Rg 'resourceGroup.bicep' = {
 var rgName = (netConectCreate) ? projectNetwork.resourceGroupName : resourceGroup().name
 
 module virtualNetwork 'vnet.bicep' = {
-  name: 'virtualNetwork-${uniqueString(projectNetwork.name, location)}'
+  name: 'virtualNetwork-${uniqueString(projectNetwork.name, resourceGroup().id, dateTime)}'
   scope: resourceGroup(rgName)
   params: {
     logAnalyticsId: logAnalyticsId
@@ -48,7 +50,7 @@ module virtualNetwork 'vnet.bicep' = {
 
 @description('Network Connection resource for DevCenter')
 module networkConnection './networkConnection.bicep' = if (netConectCreate) {
-  name: 'netconn-${uniqueString(projectNetwork.name,resourceGroup().id)}'
+  name: 'netconn-${uniqueString(projectNetwork.name,resourceGroup().id,dateTime)}'
   scope: resourceGroup()
   params: {
     devCenterName: devCenterName

From a3935ac5b4af871aa85b2b4645ff39a5c710fbb9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Evil=C3=A1zaro=20Alves?=
Date: Tue, 5 Aug 2025 06:48:46 -0500
Subject: [PATCH 3/4] Add DateTime to Deployment names

---
 infra/main.bicep | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/infra/main.bicep b/infra/main.bicep
index c88d9cac..af2017aa 100644
--- a/infra/main.bicep
+++ b/infra/main.bicep
@@ -31,6 +31,8 @@ param secretValue string
 @maxLength(10)
 param environmentName string
 
+param dateTime string = utcNow('yyyyMMdd-HHmmss')
+
 // Load configuration from YAML
 @description('Landing Zone resource organization')
 var landingZones = loadYamlContent('settings/resourceOrganization/azureResources.yaml')
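Review bot: Folding `dateTime` into the `virtualNetwork` deployment name means every run creates a fresh nested deployment instead of updating the previous one, so the resource group's deployment history grows by one entry per run; the same applies to the `netconn` name in the @@ -48 hunk and to the three module names in infra/main.bicep in the next patch. That is a legitimate way around a conflicting in-progress deployment, but it spreads the audit trail of a single module across ever-changing names, and ARM's per-resource-group cap on deployments (with automatic pruning of the oldest) then decides what stays visible. If a per-run name is required, a comment on the `dateTime` parameter saying why would help the next reader; otherwise keep the stable name and let ARM update the existing deployment.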
@@ -94,7 +96,7 @@ output WORKLOAD_AZURE_RESOURCE_GROUP_NAME string = workloadRg.name
 // Module deployments with improved names and organization
 @description('Log Analytics Workspace for centralized monitoring')
 module monitoring '../src/management/logAnalytics.bicep' = {
-  name: 'monitoring-logAnalytics-deployment-${environmentName}'
+  name: 'monitoring-logAnalytics-deployment-${environmentName}-${dateTime}'
   scope: resourceGroup(monitoringRgName)
   params: {
     name: 'logAnalytics'
@@ -112,7 +114,7 @@ output AZURE_LOG_ANALYTICS_WORKSPACE_NAME string = monitoring.outputs.AZURE_LOG_
 
 @description('Security components including Key Vault')
 module security '../src/security/security.bicep' = {
-  name: 'security-keyvault-deployment-${environmentName}'
+  name: 'security-keyvault-deployment-${environmentName}-${dateTime}'
   scope: resourceGroup(securityRgName)
   params: {
     secretValue: secretValue
@@ -135,7 +137,7 @@ output AZURE_KEY_VAULT_ENDPOINT string = security.outputs.AZURE_KEY_VAULT_ENDPOI
 
 @description('DevCenter workload deployment')
 module workload '../src/workload/workload.bicep' = {
-  name: 'workload-devcenter-deployment-${environmentName}'
+  name: 'workload-devcenter-deployment-${environmentName}-${dateTime}'
   scope: resourceGroup(workloadRgName)
   params: {
     logAnalyticsId: monitoring.outputs.AZURE_LOG_ANALYTICS_WORKSPACE_ID

From 98d62af61a0257470205ef5b1d0ca5c1abfe920d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Evil=C3=A1zaro=20Alves?=
Date: Tue, 5 Aug 2025 06:57:16 -0500
Subject: [PATCH 4/4] update Documentation

---
 infra/settings/workload/devcenter.yaml | 42 ++++++++++++++++----------
 1 file changed, 26 insertions(+), 16 deletions(-)

diff --git a/infra/settings/workload/devcenter.yaml b/infra/settings/workload/devcenter.yaml
index d946b8eb..83851154 100644
--- a/infra/settings/workload/devcenter.yaml
+++ b/infra/settings/workload/devcenter.yaml
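Review bot: `dateTime` is a caller-settable parameter spliced verbatim into the deployment name, and with `environmentName` at its `@maxLength(10)` limit `monitoring-logAnalytics-deployment-${environmentName}-${dateTime}` is already 61 characters against the 64-character deployment-name limit, so an override longer than the 15-character default fails validation. Constrain it where the value enters, e.g. `@maxLength(15)` alongside a `@description` on the parameter declared in the previous hunk, rather than leaving each module name to discover the limit; the `security` (@@ -112) and `workload` (@@ -135) names have the same exposure with a little more headroom.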
@@ -24,9 +24,13 @@ identity:
 
   # Role assignments section - defines permissions for Dev Center operation
   roleAssignments:
+    # Dev Center role assignments
+    # These roles control who can manage the Dev Center and its projects
+    # Best practice: Assign roles based on team responsibilities
+    # The following roles follow the principle of least privilege and best practices described in https://learn.microsoft.com/en-us/azure/dev-box/concept-dev-box-deployment-guide#organizational-roles-and-responsibilities guidance.
     devCenter:
       - id: "b24988ac-6180-42a0-ab88-20f7382dd24c"
-        name: "Contributor"
+        name: "Contributor" # Azure Contributor role for Dev Center management
         scope: "Subscription"
       - id: "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9"
         name: "User Access Administrator"
@@ -42,7 +46,7 @@ identity:
 
       # Dev Manager role - for users who manage Dev Box deployments
       # These users can configure Dev Box definitions but typically don't use Dev Boxes
       - type: DevManager
-        azureADGroupId: "5a1d1455-e771-4c19-aa03-fb4a08418f22"
+        azureADGroupId: "5a1d1455-e771-4c19-aa03-fb4a08418f22" # Azure AD group ID for Dev Managers. You must create this group in Azure AD and replace the , the default value in this example is "Platform Engineering Team"
         azureADGroupName: "Platform Engineering Team"
         # RBAC roles assigned to Dev Managers
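Review bot: The new comment above `devCenter:` states that these roles follow the principle of least privilege, but the assignment immediately below it grants the built-in Contributor role at `Subscription` scope and the next entry is User Access Administrator (its scope falls outside the hunk), a combination that allows managing every resource in the subscription and granting roles to any principal. Either narrow the statement to what the example actually does, e.g. `# NOTE: this example grants Contributor and User Access Administrator at subscription scope; scope them to the Dev Center and project resource groups for a least-privilege setup`, or change the example scope so the comment is true. Readers who copy this file as-is will otherwise take a subscription-wide assignment as the recommended baseline.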
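Review bot: The new trailing comment on `azureADGroupId` contains a broken sentence, `replace the , the default value in this example is`, and the same fragment is repeated on the `azureADGroupId` line of the @@ -104 hunk; the `create: true` comment in the @@ -67 hunk also has a doubled word, `the the accelerator`. Suggested wording for this line: `# Object ID of the Azure AD group for Dev Managers. Create the group and replace this example ID; the matching example group name is "Platform Engineering Team"`. A comment this long is also easier to read on its own line above the key than trailing a 36-character GUID.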
@@ -67,31 +71,31 @@ catalogs:
 # Best practice: Create environments that match your SDLC stages (dev, test, prod)
 environmentTypes:
   - name: "dev"
-    deploymentTargetId: "" # Empty for default subscription target
+    deploymentTargetId: "" # Empty for default subscription target. If you want to deploy to a specific target, provide the target ID here.
   - name: "staging"
-    deploymentTargetId: "" # Empty for default subscription target
+    deploymentTargetId: "" # Empty for default subscription target. If you want to deploy to a specific target, provide the target ID here.
   - name: "UAT"
-    deploymentTargetId: "" # Empty for default subscription target
+    deploymentTargetId: "" # Empty for default subscription target. If you want to deploy to a specific target, provide the target ID here.
 
 # Projects section - defines distinct projects within the Dev Center
 # Each project has its own Dev Box configurations, catalogs, and permissions
 # Best practice: Create separate projects for different teams or workstreams
 projects:
   # Identity Provider project - for authentication/authorization services
-  - name: "identityProvider"
-    description: "Identity Provider project."
+  - name: "identityProvider" # Name of the project
+    description: "Identity Provider project." # Project description
     network:
-      name: identityProvider
-      create: true
-      resourceGroupName: "identityProvider-connectivity-RG"
-      virtualNetworkType: Managed
-      addressPrefixes:
+      name: identityProvider # Name of the virtual network
+      create: true # Set this parameter to true to create the network. If its value is false, the the accelerator will connect to an existing network.
+      resourceGroupName: "identityProvider-connectivity-RG" # Resource group for network. If the create parameter is set to false, the resource group must already exist.
+      virtualNetworkType: Managed # Managed network type is recommended for Dev Center projects to ensure proper connectivity and security
+      addressPrefixes: # Address space for the virtual network. This should be a unique CIDR block that does not overlap with other networks in your Azure subscription. If the create parameter is set to true, the accelerator will create the network with this address space.
         - 10.0.0.0/16
       subnets:
-        - name: identityProvider-subnet
+        - name: identityProvider-subnet # Subnet name. If the create parameter is set to true, the accelerator will create the subnet with this name and address prefix. If its value is false, the subnet must already exist.
           properties:
-            addressPrefix: 10.0.1.0/24
+            addressPrefix: 10.0.1.0/24 # Subnet address range. If the create parameter is set to true, the accelerator will create the subnet with this address range. If its value is false, the subnet must already exist.
     tags:
       environment: dev
       division: Platforms
@@ -104,9 +108,15 @@ projects:
     # Project identity configuration - controls project-level security
     identity:
       type: SystemAssigned
+      # Role assignments for the Project
+      # These roles control who can manage the project and its resources
+      # You must create the corresponding Azure AD groups and assign users to them
+      # The default values in this example are "Identity Provider Engineers"
+      # You can customize these values based on your organization's requirements
+      # The following roles follow the principle of least privilege and best practices described in https://learn.microsoft.com/en-us/azure/dev-box/concept-dev-box-deployment-guide#organizational-roles-and-responsibilities guidance.
       roleAssignments:
-        - azureADGroupId: "67a29bc3-f25c-4599-9cb1-4da19507e8ee"
-          azureADGroupName: "Identity Provider Engineers"
+        - azureADGroupId: "67a29bc3-f25c-4599-9cb1-4da19507e8ee" # Azure AD group ID for Identity Provider Engineers. You must create this group in Azure AD and replace the , the default value in this example is "Identity Provider Engineers"
+          azureADGroupName: "Identity Provider Engineers" # Azure AD group name
           azureRBACRoles:
             - name: "Contributor"
               id: "b24988ac-6180-42a0-ab88-20f7382dd24c"