Ppha 417: Create infra as code for hub resources

This is an update to the Bicep code to deploy the foundation in hub subscription for Terraform to take over the rest of the deployment.

This will update:

The Managed DevOps Pool (with ADO Org integration) necessary to run the ADO Terraform deployment pipelines inside the private network.
The Compute Gallary to store the AVD images

Author: mrlockstar

infrastructure/bootstrap/environments/live/hub.bicepparam

@@ -5,4 +5,4 @@ param vnetAddressPrefixes = [
   '10.21.0.0/16'
 ]
 param devopsSubnetAddressPrefix = '10.21.1.0/24'
-param devopsInfrastructureId = ''
+//param devopsInfrastructureId = ''

infrastructure/bootstrap/environments/nonlive/hub.bicepparam

@@ -5,4 +5,6 @@ param vnetAddressPrefixes = [
   '10.11.0.0/16'
 ]
 param devopsSubnetAddressPrefix = '10.11.1.0/24'
-param devopsInfrastructureId = ''
+param privateEndpointSubnetAddressPrefix = '10.11.2.0/24'
+param enableSoftDelete = true
+// param devopsInfrastructureId = ''

infrastructure/bootstrap/environments/nonlive/variables.sh

@@ -1,3 +1,3 @@
-AZURE_SUBSCRIPTION="Digital Screening DToS - Sandbox"
+AZURE_SUBSCRIPTION="Lung Cancer Risk Check - Non-live hub"
 BOOTSTRAP=hub
 HUB_TYPE=nonlive

infrastructure/bootstrap/hub.bicep

@@ -17,24 +17,50 @@
 
 targetScope = 'subscription'
 
+// param devopsInfrastructureId string
 param devopsSubnetAddressPrefix string
+param privateEndpointSubnetAddressPrefix string
 // param enableSoftDelete bool
 param hubType string // live / nonlive
 param region string = 'uksouth'
 param regionShortName string = 'uks'
 param vnetAddressPrefixes array
+param enableSoftDelete bool
 
-// var keyVaultName = 'kv-lungcs-${envConfig}-inf'
 
+// removed when generalised
+var appShortName = 'lungcs'
+
+var devCenterSuffix = substring(uniqueString(subscription().id), 0, 3)
+var devCenterName = 'devc-hub-${hubType}-${regionShortName}-${devCenterSuffix}'
 var devopsSubnetName = 'sn-hub-${hubType}-${regionShortName}-devops'
-var devCenterName = 'devc-hub-${hubType}-${regionShortName}'
 var devCenterProjectName = 'prj-hub-${hubType}-${regionShortName}'
 var poolName = 'private-pool-hub-${hubType}-${regionShortName}'
 var resourceGroupName = 'rg-hub-${hubType}-${regionShortName}-bootstrap'
 var virtualNetworkName = 'vnet-hub-${hubType}-${regionShortName}'
+var managedIdentityRGName = 'rg-mi-${hubType}-${regionShortName}'
+var miHub = 'mi-hub-${hubType}-${regionShortName}'
+var privateDNSZoneRGName = 'rg-hub-${hubType}-${regionShortName}-private-dns-zones'
+var keyVaultName = 'kv-${appShortName}-${hubType}-inf'
+var privateEndpointSubnetName = 'sn-hub-${hubType}-${regionShortName}-private-endpoint'
+var storageAccountName = 'sa${appShortName}${regionShortName}state'
+var computeGalleryName = '${appShortName}_hub_compute_gallery'
+
+var miADOtoAZname = 'mi-${appShortName}-${hubType}-adotoaz-${regionShortName}'
+var miGHtoADOname = 'mi-${appShortName}-${hubType}-ghtoado-${regionShortName}'
+
+
+// See: https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
+var roleID = {
+  CDNContributor: 'ec156ff8-a8d1-4d15-830c-5b80698ca432'
+  kvSecretsUser: '4633458b-17de-408a-b874-0445c86b69e6'
+  networkContributor: '4d97b98b-1d4f-4787-a291-c67834d212e7'
+  rbacAdmin: 'f58310d9-a9f6-439a-9e8d-f62e7b41a168'
+  reader: 'acdd72a7-3385-48ef-bd42-f606fba81ae7'
+  contributor: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
+  storageBlobDataContributor: 'ba92f5b4-2d11-453d-a403-e96b0029c9fe'
+}
 
-// var miADOtoAZname = 'mi-${appShortName}-${envConfig}-adotoaz-uks'
-// var miGHtoADOname = 'mi-${appShortName}-${envConfig}-ghtoado-uks'
 
 resource bootstrapRG 'Microsoft.Resources/resourceGroups@2025-04-01' = {
   name: resourceGroupName
@@ -54,7 +80,8 @@ module virtualNetwork 'modules/virtualNetwork.bicep' = {
 module managedDevopsPool 'modules/managedDevopsPool.bicep' = {
   scope: bootstrapRG
   params: {
-    adoOrg: 'nhse-pps-1'
+    //adoOrg: 'nhse-pps-1'
+    adoOrg: 'nhse-dtos'
     agentProfileMaxAgentLifetime: '00.04:00:00'
     devCenterName: devCenterName
     devCenterProjectName: devCenterProjectName
@@ -64,3 +91,182 @@ module managedDevopsPool 'modules/managedDevopsPool.bicep' = {
     virtualNetworkName: virtualNetwork.outputs.name
   }
 }
+
+@description('Retrieve existing managed identity resource group')
+resource managedIdentityRG 'Microsoft.Resources/resourceGroups@2024-11-01' = {
+  name: managedIdentityRGName
+  location: region
+}
+
+@description('Retrieve existing private DNS zone resource group')
+resource privateDNSZoneRG 'Microsoft.Resources/resourceGroups@2024-11-01' = {
+  name: privateDNSZoneRGName
+  location: region
+}
+
+@description('Create the managed identity assumed by Azure devops to connect to Azure')
+module managedIdentiyHub 'modules/managedIdentity.bicep' = {
+  scope: managedIdentityRG
+  params: {
+    name: miHub
+    region: region
+  }
+}
+
+@description('Storage Deployment')
+module terraformStateStorageAccount 'modules/storage.bicep' = {
+  scope: bootstrapRG
+  params: {
+    storageLocation: region
+    storageName: storageAccountName
+    enableSoftDelete: true
+    miPrincipalID: managedIdentiyHub.outputs.miPrincipalID
+    miName: miHub
+  }
+}
+
+@description('Create private endpoint and register DNS')
+module storageAccountPrivateEndpoint 'modules/privateEndpoint.bicep' = {
+  scope: bootstrapRG
+  params: {
+    hub: hubType
+    region: region
+    name: storageAccountName
+    vnetName: virtualNetwork.outputs.name
+    virtualNetworkName: virtualNetwork.outputs.name
+    privateEndpointSubnetName: privateEndpointSubnetName
+    privateEndpointSubnetAddressPrefix: privateEndpointSubnetAddressPrefix
+    RGName: bootstrapRG.name
+    resourceServiceType: 'storage'
+    resourceID: terraformStateStorageAccount.outputs.storageAccountID
+    privateDNSZoneID: storagePrivateDNSZone.outputs.privateDNSZoneID
+  }
+}
+
+@description('Retrieve storage private DNS zone')
+module storagePrivateDNSZone 'modules/dns.bicep' = {
+  scope: privateDNSZoneRG
+  params: {
+    resourceServiceType: 'storage'
+    vnetId: virtualNetwork.outputs.id
+    location: region
+  }
+}
+
+@description('Create the managed identity assumed by Azure devops to connect to Azure')
+module managedIdentiyADOtoAZ 'modules/managedIdentity.bicep' = {
+  scope: managedIdentityRG
+  params: {
+    name: miADOtoAZname
+    region: region
+  }
+}
+
+@description('Let the managed identity configure vnet peering and DNS records')
+resource networkContributorAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+  name: guid(subscription().subscriptionId, hubType, 'networkContributor')
+  properties: {
+    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleID.networkContributor)
+    principalId: managedIdentiyADOtoAZ.outputs.miPrincipalID
+    description: '${miADOtoAZname} Network Contributor access to subscription'
+  }
+}
+
+@description('Let the managed identity assign RBAC roles (required for Azure Virtual Desktop)')
+resource userAccessAdministratorAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+  name: guid(subscription().subscriptionId, hubType, 'UserAccessAdministrator')
+  properties: {
+    roleDefinitionId: subscriptionResourceId(
+      'Microsoft.Authorization/roleDefinitions',
+      roleID.rbacAdmin
+    )
+    principalId: managedIdentiyADOtoAZ.outputs.miPrincipalID
+    description: '${miADOtoAZname} User Access Administrator access to subscription'
+  }
+}
+
+@description('Let the managed identity configure Front door and its resources')
+resource CDNContributorAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+  name: guid(subscription().subscriptionId, hubType, 'CDNContributor')
+  properties: {
+    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleID.CDNContributor)
+    principalId: managedIdentiyADOtoAZ.outputs.miPrincipalID
+    description: '${miADOtoAZname} CDN Contributor access to subscription'
+  }
+}
+
+@description('Let the managed identity deploy terraform on the subscription')
+resource TerraformContributorAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+  name: guid(subscription().subscriptionId, hubType, 'TerraformContributor')
+  properties: {
+    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleID.contributor)
+    principalId: managedIdentiyADOtoAZ.outputs.miPrincipalID
+    description: '${miADOtoAZname} Terraform Contributor access to subscription'
+  }
+}
+
+@description('Let the managed identity strore blobs in storage account')
+resource StorageAccountBlobContributorAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+  name: guid(subscription().subscriptionId, hubType, 'StorageAccountBlobContributorAssignment')
+  properties: {
+    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleID.storageBlobDataContributor)
+    principalId: managedIdentiyADOtoAZ.outputs.miPrincipalID
+    description: '${miADOtoAZname} Storage Account Blob Contributor access to subscription'
+  }
+}
+
+@description('Create the managed identity assumed by Github actions to trigger Azure devops pipelines')
+module managedIdentiyGHtoADO 'modules/managedIdentity.bicep' = {
+  scope: managedIdentityRG
+  params: {
+    name: miGHtoADOname
+    fedCredProperties: {
+      audiences: [ 'api://AzureADTokenExchange' ]
+      issuer: 'https://token.actions.githubusercontent.com'
+      subject: 'repo:NHSDigital/dtos-manage-breast-screening:environment:${hubType}'
+    }
+    region: region
+  }
+}
+
+@description('Let the GHtoADO managed identity access a subscription')
+resource readerAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+  name: guid(subscription().subscriptionId, hubType, 'reader')
+  properties: {
+    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleID.reader)
+    principalId: managedIdentiyGHtoADO.outputs.miPrincipalID
+    description: '${miGHtoADOname} Reader access to subscription'
+  }
+}
+
+@description('Deploy the Key Vault for storing secrets')
+module keyVaultModule 'modules/keyVault.bicep' = {
+  name: 'keyVaultDeployment'
+  scope: resourceGroup(resourceGroupName)
+  params: {
+    enableSoftDelete : enableSoftDelete
+    keyVaultName: keyVaultName
+    miName: miADOtoAZname
+    miPrincipalId: managedIdentiyADOtoAZ.outputs.miPrincipalID
+    region: region
+  }
+}
+
+@description('Retrieve key vault private DNS zone')
+module keyVaultPrivateDNSZone 'modules/dns.bicep' = {
+  scope: privateDNSZoneRG
+  params: {
+    resourceServiceType: 'keyVault'
+    vnetId: virtualNetwork.outputs.id
+    location: region
+  }
+}
+
+
+module computeGallery 'modules/computeGallery.bicep' = {
+  scope: resourceGroup(resourceGroupName)
+  params: {
+    galleryName: computeGalleryName
+    location: region
+  }
+}

infrastructure/bootstrap/main.bicep

@@ -59,7 +59,7 @@ module managedIdentiyADOtoAZ 'modules/managedIdentity.bicep' = {
   }
 }
 
-// Create the managed identity assumed by Github actions to trigger Azure devops pipelines
+// Create the managed identity assumed by GitHub actions to trigger Azure devops pipelines
 module managedIdentiyGHtoADO 'modules/managedIdentity.bicep' = {
   scope: managedIdentityRG
   params: {

infrastructure/bootstrap/modules/computeGallery.bicep

@@ -0,0 +1,18 @@
+targetScope = 'resourceGroup'
+
+@description('Name of the Azure Compute Gallery')
+param galleryName string
+
+@description('Location for the gallery')
+param location string
+
+resource computeGallery 'Microsoft.Compute/galleries@2023-07-03' = {
+  name: galleryName
+  location: location
+  properties: {
+    description: ''
+    softDeletePolicy: {
+      isSoftDeleteEnabled: false
+    }
+  }
+}

infrastructure/bootstrap/modules/dns.bicep

@@ -1,4 +1,10 @@
+targetScope = 'resourceGroup'
+
 param resourceServiceType string
+param vnetId string
+
+// location inside the resource — it just needs to exist so ARM can stamp it onto the nested deployment.
+param location string = 'uksouth'
 
 var dnsZoneName = {
   storage: 'privatelink.blob.${environment().suffixes.storage}'
@@ -7,8 +13,21 @@ var dnsZoneName = {
 }
 
 // Retrieve the private DNS zone for storage accounts
-resource privateDNSZone 'Microsoft.Network/privateDnsZones@2024-06-01' existing = {
+resource privateDNSZone 'Microsoft.Network/privateDnsZones@2024-06-01' = {
   name: dnsZoneName[resourceServiceType]
+  location: 'global'
+}
+
+resource vnetLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2024-06-01' = {
+  name: '${last(split(vnetId, '/'))}-link'
+  parent: privateDNSZone
+  location: 'global'
+  properties: {
+    virtualNetwork: {
+      id: vnetId
+    }
+    registrationEnabled: false
+  }
 }
 
 output privateDNSZoneID string = privateDNSZone.id

infrastructure/bootstrap/modules/managedDevopsPool.bicep

@@ -13,7 +13,8 @@ param devopsSubnetAddressPrefix string
 param virtualNetworkName string
 
 param fabricProfileSkuName string = 'Standard_D2ads_v5'
-param poolSize int = 2
+
+param poolSize int = 1
 param location string = 'uksouth'
 
 

infrastructure/bootstrap/modules/privateEndpoint.bicep

@@ -4,10 +4,11 @@ param privateDNSZoneID string
 param name string
 param resourceID string
 param resourceServiceType string
-
-var RGName = 'rg-hub-${hub}-uks-hub-networking'
-var vnetName = 'VNET-${toUpper(hub)}-UKS-HUB'
-var subnetName = 'SN-${toUpper(hub)}-UKS-HUB-pep'
+param RGName string
+param vnetName string
+param privateEndpointSubnetName string
+param virtualNetworkName string
+param privateEndpointSubnetAddressPrefix string
 
 var groupID = {
   storage: 'blob'
@@ -27,18 +28,28 @@ resource vnet 'Microsoft.Network/virtualNetworks@2024-01-01' existing = {
 }
 
 // Retrieve the existing Subnet within the vnet
-resource subnet 'Microsoft.Network/virtualNetworks/subnets@2024-01-01' existing = {
-  parent: vnet
-  name: subnetName
+// resource subnet 'Microsoft.Network/virtualNetworks/subnets@2024-01-01' = {
+//   parent: vnet
+//   name: subnetName
+//   region: region
+// }
+
+resource privateEndpointSubnet 'Microsoft.Network/virtualNetworks/subnets@2025-01-01' = {
+  name: '${virtualNetworkName}/${privateEndpointSubnetName}'
+  properties: {
+    addressPrefix: privateEndpointSubnetAddressPrefix
+    privateEndpointNetworkPolicies: 'Disabled'
+  }
 }
 
+
 // Create the private endpoint for the storage account
 resource privateEndpoint 'Microsoft.Network/privateEndpoints@2024-01-01' = {
   name: '${name}-pep'
   location: region
   properties: {
     subnet: {
-      id: subnet.id
+      id: privateEndpointSubnet.id
     }
     privateLinkServiceConnections: [
       {

infrastructure/bootstrap/modules/virtualNetwork.bicep

@@ -14,3 +14,4 @@ resource virtualNetwork 'Microsoft.Network/virtualNetworks@2025-01-01' = {
 }
 
 output name string = virtualNetwork.name
+output id string = virtualNetwork.id