feat: Hub infrastructure bootstrap bicep

Author: patrickmoore-nc

.gitleaksignore

@@ -11,3 +11,15 @@ infrastructure/terraform/resource_group_init/main.bicep:generic-api-key:32
 infrastructure/terraform/resource_group_init/main.bicep:generic-api-key:33
 infrastructure/terraform/resource_group_init/storage.bicep:generic-api-key:59
 infrastructure/terraform/resource_group_init/keyVault.bicep:generic-api-key:10
+infrastructure/bootstrap/core.bicep:generic-api-key:10
+infrastructure/bootstrap/core.bicep:generic-api-key:11
+infrastructure/bootstrap/core.bicep:generic-api-key:12
+infrastructure/bootstrap/core.bicep:generic-api-key:13
+infrastructure/bootstrap/core.bicep:generic-api-key:14
+infrastructure/bootstrap/main.bicep:generic-api-key:29
+infrastructure/bootstrap/main.bicep:generic-api-key:30
+infrastructure/bootstrap/main.bicep:generic-api-key:31
+infrastructure/bootstrap/main.bicep:generic-api-key:32
+infrastructure/bootstrap/main.bicep:generic-api-key:33
+infrastructure/bootstrap/modules/storage.bicep:generic-api-key:59
+infrastructure/bootstrap/modules/keyVault.bicep:generic-api-key:10

…terraform/resource_group_init/core.bicep infrastructure/bootstrap/core.bicepinfrastructure/terraform/resource_group_init/core.bicep renamed to infrastructure/bootstrap/core.bicep infrastructure/terraform/resource_group_init/core.bicep renamed to infrastructure/bootstrap/core.bicep

@@ -0,0 +1,8 @@
+using '../../hub.bicep'
+
+param hubType = 'live'
+param vnetAddressPrefixes = [
+  '10.21.0.0/16'
+]
+param devopsSubnetAddressPrefix = '10.21.1.0/24'
+param devopsInfrastructureId = ''

infrastructure/bootstrap/environments/live/hub.bicepparam

@@ -0,0 +1,3 @@
+AZURE_SUBSCRIPTION="name"
+BOOTSTRAP=hub
+HUB_TYPE=live

infrastructure/bootstrap/environments/live/variables.sh

@@ -0,0 +1,8 @@
+using '../../hub.bicep'
+
+param hubType = 'nonlive'
+param vnetAddressPrefixes = [
+  '10.11.0.0/16'
+]
+param devopsSubnetAddressPrefix = '10.11.1.0/24'
+param devopsInfrastructureId = ''

infrastructure/bootstrap/environments/nonlive/hub.bicepparam

@@ -0,0 +1,3 @@
+AZURE_SUBSCRIPTION="Digital Screening DToS - Sandbox"
+BOOTSTRAP=hub
+HUB_TYPE=nonlive

infrastructure/bootstrap/environments/nonlive/variables.sh

@@ -0,0 +1,66 @@
+/*
+  Root Bicep file for deploying Hub subscription bootstrap resources needed for Terraform to continue:
+    - Private VNet
+    - Managed DevOps Pool (for VNet-integrated ADO build agents)
+    - Managed Identity for Terraform
+    - Blob Storage Account with Container, Private Endpoint, and public access disabled
+    - Private DNS for Storage Account Private Endpoint
+
+  Subscription pre-requisites:
+    - az provider register --namespace 'Microsoft.DevOpsInfrastructure'
+    - az provider register --namespace 'Microsoft.DevCenter'
+
+  Run once, deployment of the Managed DevOps Pool will fail.
+  Manually Grant 'Reader' and 'Network Contributor' RBAC roles to the Service Principal 'DevopsInfrastructure' on the VNet resource.
+  Re-run, it will succeed. This cannot be automated in Bicep, the object ID (which needs to be resolved from the appId) will be considered invalid, even though it's fine using az cli.
+*/
+
+targetScope = 'subscription'
+
+param devopsSubnetAddressPrefix string
+// param enableSoftDelete bool
+param hubType string // live / nonlive
+param region string = 'uksouth'
+param regionShortName string = 'uks'
+param vnetAddressPrefixes array
+
+// var keyVaultName = 'kv-lungcs-${envConfig}-inf'
+
+var devopsSubnetName = 'sn-hub-${hubType}-${regionShortName}-devops'
+var devCenterName = 'devc-hub-${hubType}-${regionShortName}'
+var devCenterProjectName = 'prj-hub-${hubType}-${regionShortName}'
+var poolName = 'private-pool-hub-${hubType}-${regionShortName}'
+var resourceGroupName = 'rg-hub-${hubType}-${regionShortName}-bootstrap'
+var virtualNetworkName = 'vnet-hub-${hubType}-${regionShortName}'
+
+// var miADOtoAZname = 'mi-${appShortName}-${envConfig}-adotoaz-uks'
+// var miGHtoADOname = 'mi-${appShortName}-${envConfig}-ghtoado-uks'
+
+resource bootstrapRG 'Microsoft.Resources/resourceGroups@2025-04-01' = {
+  name: resourceGroupName
+  location: region
+}
+
+@description('Virtual Network Deployment')
+module virtualNetwork 'modules/virtualNetwork.bicep' = {
+  scope: bootstrapRG
+  params: {
+    name: virtualNetworkName
+    addressPrefixes: vnetAddressPrefixes
+  }
+}
+
+@description('Managed DevOps Pool Deployment')
+module managedDevopsPool 'modules/managedDevopsPool.bicep' = {
+  scope: bootstrapRG
+  params: {
+    adoOrg: 'nhse-pps-1'
+    agentProfileMaxAgentLifetime: '00.04:00:00'
+    devCenterName: devCenterName
+    devCenterProjectName: devCenterProjectName
+    devopsSubnetName: devopsSubnetName
+    devopsSubnetAddressPrefix: devopsSubnetAddressPrefix
+    poolName: poolName
+    virtualNetworkName: virtualNetwork.outputs.name
+  }
+}

infrastructure/bootstrap/hub.bicep

@@ -51,7 +51,7 @@ resource managedIdentityRG 'Microsoft.Resources/resourceGroups@2024-11-01' exist
 }
 
 // Create the managed identity assumed by Azure devops to connect to Azure
-module managedIdentiyADOtoAZ 'managedIdentity.bicep' = {
+module managedIdentiyADOtoAZ 'modules/managedIdentity.bicep' = {
   scope: managedIdentityRG
   params: {
     name: miADOtoAZname
@@ -60,7 +60,7 @@ module managedIdentiyADOtoAZ 'managedIdentity.bicep' = {
 }
 
 // Create the managed identity assumed by Github actions to trigger Azure devops pipelines
-module managedIdentiyGHtoADO 'managedIdentity.bicep' = {
+module managedIdentiyGHtoADO 'modules/managedIdentity.bicep' = {
   scope: managedIdentityRG
   params: {
     name: miGHtoADOname
@@ -84,7 +84,7 @@ resource readerAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' =
 }
 
 // Create the storage account, blob service and container
-module terraformStateStorageAccount 'storage.bicep' = {
+module terraformStateStorageAccount 'modules/storage.bicep' = {
   scope: storageAccountRG
   params: {
     storageLocation: region
@@ -96,23 +96,23 @@ module terraformStateStorageAccount 'storage.bicep' = {
 }
 
 // Retrieve storage private DNS zone
-module storagePrivateDNSZone 'dns.bicep' = {
+module storagePrivateDNSZone 'modules/dns.bicep' = {
   scope: privateDNSZoneRG
   params: {
     resourceServiceType: 'storage'
   }
 }
 
 // Retrieve key vault private DNS zone
-module keyVaultPrivateDNSZone 'dns.bicep' = {
+module keyVaultPrivateDNSZone 'modules/dns.bicep' = {
   scope: privateDNSZoneRG
   params: {
     resourceServiceType: 'keyVault'
   }
 }
 
 // Create private endpoint and register DNS
-module storageAccountPrivateEndpoint 'privateEndpoint.bicep' = {
+module storageAccountPrivateEndpoint 'modules/privateEndpoint.bicep' = {
   scope: privateEndpointResourceGroup
   params: {
     hub: hubMap[envConfig]
@@ -141,7 +141,7 @@ resource infraRG 'Microsoft.Resources/resourceGroups@2024-11-01' = {
 }
 
 // Private endpoint for infra key vault
-module kvPrivateEndpoint 'privateEndpoint.bicep' = {
+module kvPrivateEndpoint 'modules/privateEndpoint.bicep' = {
   scope: resourceGroup(infraResourceGroupName)
   params: {
     hub: hubMap[envConfig]
@@ -154,7 +154,7 @@ module kvPrivateEndpoint 'privateEndpoint.bicep' = {
 }
 
 // Use a module to deploy Key Vault into the infra RG
-module keyVaultModule 'keyVault.bicep' = {
+module keyVaultModule 'modules/keyVault.bicep' = {
   name: 'keyVaultDeployment'
   scope: resourceGroup(infraResourceGroupName)
   params: {

…terraform/resource_group_init/main.bicep infrastructure/bootstrap/main.bicepinfrastructure/terraform/resource_group_init/main.bicep renamed to infrastructure/bootstrap/main.bicep infrastructure/terraform/resource_group_init/main.bicep renamed to infrastructure/bootstrap/main.bicep

@@ -1,4 +1,3 @@
-
 param enableSoftDelete bool
 param keyVaultName string
 param miPrincipalId string