New Orchestration Module: subPlacementAll (#298)

* module complete and params * typos * docs complete * doc update * telmetry doc update * docs updates elsewhere * update tests * update tours
Azure · Aug 1, 2022 · 29139a6 · 29139a6
1 parent 55e6e6f
commit 29139a6
Show file tree

Hide file tree

Showing 15 changed files with 564 additions and 32 deletions.
diff --git a/.vscode/tours/azurechinacloud-base-validation-pipeline.tour b/.vscode/tours/azurechinacloud-base-validation-pipeline.tour
@@ -107,10 +107,15 @@
       "description": "Validate ALZ hub peered spoke orchestration module deployment. Depends on management groups previously created.\r\n\r\n",
       "line": 182
     },
+    {
+      "file": "tests/pipelines/mc-base-unit-validate.yml",
+      "description": "Validate ALZ subPlacementAll orchestration module deployment. Depends on management groups previously created.\r\n\r\n",
+      "line": 191
+    },
     {
       "file": "tests/pipelines/mc-base-unit-validate.yml",
       "description": "Job to clean up tenant after deploy -> remove management group structure specific to this PR, delete resources in created subscription. ",
-      "line": 190
+      "line": 193
     }
   ]
 }
diff --git a/.vscode/tours/azurecloud-base-validation-pipeline.tour b/.vscode/tours/azurecloud-base-validation-pipeline.tour
@@ -117,10 +117,15 @@
       "description": "Validate ALZ hub peered spoke orchestration module deployment. Depends on management groups previously created.\r\n\r\n",
       "line": 197
     },
+    {
+      "file": "tests/pipelines/mc-base-unit-validate.yml",
+      "description": "Validate ALZ subPlacementAll orchestration module deployment. Depends on management groups previously created.\r\n\r\n",
+      "line": 210
+    },
     {
       "file": "tests/pipelines/base-unit-validate.yml",
       "description": "Job to clean up tenant after deploy -> remove management group structure specific to this PR, delete resources in created subscription. ",
-      "line": 205
+      "line": 212
     }
   ]
 }
diff --git a/docs/wiki/CustomerUsage.md b/docs/wiki/CustomerUsage.md
@@ -24,27 +24,30 @@ module modCustomerUsageAttribution '../../CRML/customerUsageAttribution/cuaIdTen
   params: {}
 }
 ```
+
 ## Module PID Value Mapping
-The following are the unique ID's (also known as PIDs) used in each of the modules.
-
-| Module Name                    | PID                                  |
-| ------------------------------ | ------------------------------------ |
-| customRoleDefinitions          | 032d0904-3d50-45ef-a6c1-baa9d82e23ff |
-| getManagementGroupName         | cff0ca56-5d8c-4594-bf79-5c046809b017 |
-| hubNetworking                  | 2686e846-5fdc-4d4f-b533-16dcb09d6e6c |
-| logging                        | f8087c67-cc41-46b2-994d-66e4b661860d |
-| managementGroups               | 9b7965a0-d77c-41d6-85ef-ec3dfea4845b |
-| policy-definitions             | 2b136786-9881-412e-84ba-f4c2822e1ac9 |
-| policy-assignments             | 78001e36-9738-429c-a343-45cc84e8a527 |
-| alzDefaultPolicyAssignments    | 98cef979-5a6b-403b-83c7-10c8f04ac9a2 |
-| publicIp                       | 3f85b84c-6bad-4c42-86bf-11c233241c22 |
-| resourceGroup                  | b6718c54-b49e-4748-a466-88e3d7c789c8 |
-| roleAssignments                | 59c2ac61-cd36-413b-b999-86a3e0d958fb |
-| spokeNetworking                | 0c428583-f2a1-4448-975c-2d6262fd193a |
-| subscriptionPlacement          | 3dfa9e81-f0cf-4b25-858e-167937fd380b |
-| virtualNetworkPeer             | ab8e3b12-b0fa-40aa-8630-e3f7699e2142 |
-| vwanConnectivity               | 7f94f23b-7a59-4a5c-9a8d-2a253a566f61 |
-| vnetPeeringVwan                | 7b5e6db2-1e8c-4b01-8eee-e1830073a63d |
-| privateDnsZones                | 981733dd-3195-4fda-a4ee-605ab959edb6 |
-| hubSpoke - Orchestration       | 50ad3b1a-f72c-4de4-8293-8a6399991beb |
-| hubPeeredSpoke - Orchestration | 8ea6f19a-d698-4c00-9afb-5c92d4766fd2 |
+
+The following are the unique ID's (also known as PIDs) used in each of the modules:
+
+| Module Name                     | PID                                  |
+| ------------------------------- | ------------------------------------ |
+| customRoleDefinitions           | 032d0904-3d50-45ef-a6c1-baa9d82e23ff |
+| getManagementGroupName          | cff0ca56-5d8c-4594-bf79-5c046809b017 |
+| hubNetworking                   | 2686e846-5fdc-4d4f-b533-16dcb09d6e6c |
+| logging                         | f8087c67-cc41-46b2-994d-66e4b661860d |
+| managementGroups                | 9b7965a0-d77c-41d6-85ef-ec3dfea4845b |
+| policy-definitions              | 2b136786-9881-412e-84ba-f4c2822e1ac9 |
+| policy-assignments              | 78001e36-9738-429c-a343-45cc84e8a527 |
+| alzDefaultPolicyAssignments     | 98cef979-5a6b-403b-83c7-10c8f04ac9a2 |
+| publicIp                        | 3f85b84c-6bad-4c42-86bf-11c233241c22 |
+| resourceGroup                   | b6718c54-b49e-4748-a466-88e3d7c789c8 |
+| roleAssignments                 | 59c2ac61-cd36-413b-b999-86a3e0d958fb |
+| spokeNetworking                 | 0c428583-f2a1-4448-975c-2d6262fd193a |
+| subscriptionPlacement           | 3dfa9e81-f0cf-4b25-858e-167937fd380b |
+| virtualNetworkPeer              | ab8e3b12-b0fa-40aa-8630-e3f7699e2142 |
+| vwanConnectivity                | 7f94f23b-7a59-4a5c-9a8d-2a253a566f61 |
+| vnetPeeringVwan                 | 7b5e6db2-1e8c-4b01-8eee-e1830073a63d |
+| privateDnsZones                 | 981733dd-3195-4fda-a4ee-605ab959edb6 |
+| hubSpoke - Orchestration        | 50ad3b1a-f72c-4de4-8293-8a6399991beb |
+| hubPeeredSpoke - Orchestration  | 8ea6f19a-d698-4c00-9afb-5c92d4766fd2 |
+| SubPlacementAll - Orchestration | bb800623-86ff-4ab4-8901-93c2b70967ae |
diff --git a/docs/wiki/DeploymentFlow.md b/docs/wiki/DeploymentFlow.md
@@ -28,7 +28,7 @@ Modules in this reference implementation must be deployed in the following order
 |   4   | Logging & Sentinel                     | Configures a centrally managed Log Analytics Workspace, Automation Account and Sentinel in the `Logging` subscription.                                                      | Management Groups & Subscription for Log Analytics and Sentinel.       | [infra-as-code/bicep/modules/logging](https://github.com/Azure/ALZ-Bicep/tree/main/infra-as-code/bicep/modules/logging)                                               |
 |   5   | Hub Networking                         | Azure supports two types of hub-and-spoke design, VNet hub and Virtual WAN hub. Creates resources in the `Connectivity` subscription.                                       | Management Groups, Subscription for Hub Networking.                    | [See network topology deployment below](#network-topology-deployment)                                                                                                 |
 |   6   | Role Assignments                       | Creates role assignments using built-in and custom role definitions.                                                                                                        | Management Groups & Subscriptions.                                     | [infra-as-code/bicep/modules/roleAssignments](https://github.com/Azure/ALZ-Bicep/tree/main/infra-as-code/bicep/modules/roleAssignments)                               |
-|   7   | Subscription Placement                 | Moves one or more subscriptions to the target management group.                                                                                                             | Management Groups & Subscriptions.                                     | [infra-as-code/bicep/modules/subscriptionPlacement](https://github.com/Azure/ALZ-Bicep/tree/main/infra-as-code/bicep/modules/subscriptionPlacement)                   |
+|   7   | Subscription Placement                 | Moves one or more subscriptions (based on IDs) to the target Management Groups in your ALZ hierarchy.                                                                       | Management Groups & Subscriptions.                                     | [infra-as-code/bicep/orchestration/subPlacementAll](https://github.com/Azure/ALZ-Bicep/tree/main/infra-as-code/bicep/orchestration/subPlacementAll)                   |
 |   8   | Built-In and Custom Policy Assignments | Creates policy assignments to provide governance at scale.                                                                                                                  | Management Groups, Log Analytics Workspace & Custom Policy Definitions | [infra-as-code/bicep/modules/policy/assignments/alzDefaults](https://github.com/Azure/ALZ-Bicep/tree/main/infra-as-code/bicep/modules/policy/assignments/alzDefaults) |
 |   9   | Spoke Networking                       | Creates Spoke networking infrastructure for workloads with Virtual Network Peering (optional) to support Hub & Spoke network topology or Virtual Hub Connection (optional). | Management Groups, Hub Networking & Subscription for spoke networking  | [See network topology deployment below](#network-topology-deployment)                                                                                                 |
 
@@ -51,9 +51,10 @@ We have some orchestration modules (Bicep files that wrap/call other Bicep modul
 
 The current available orchestration modules are listed below:
 
-| Module         | Description                                                                                                                                                                                                                                                                                                                                                                                                            | Module Documentation                                                                                                                              |
-| -------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------- |
-| hubPeeredSpoke | Creates Spoke networking infrastructure for workloads with Virtual Network Peering (optional) to support Hub & Spoke network topology or Virtual Hub Connection (optional). Also can optionally place Subscription in specified Management Group, create VNet Peering in both directions, create UDR and configure a next hop IP for the default route (`0.0.0.0/0`) ***Review docs of module for more information.*** | [infra-as-code/bicep/orchestration/hubPeeredSpoke](https://github.com/Azure/ALZ-Bicep/tree/main/infra-as-code/bicep/orchestration/hubPeeredSpoke) |
+| Module          | Description                                                                                                                                                                                                                                                                                                                                                                                                            | Module Documentation                                                                                                                                |
+| --------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------- |
+| hubPeeredSpoke  | Creates Spoke networking infrastructure for workloads with Virtual Network Peering (optional) to support Hub & Spoke network topology or Virtual Hub Connection (optional). Also can optionally place Subscription in specified Management Group, create VNet Peering in both directions, create UDR and configure a next hop IP for the default route (`0.0.0.0/0`) ***Review docs of module for more information.*** | [infra-as-code/bicep/orchestration/hubPeeredSpoke](https://github.com/Azure/ALZ-Bicep/tree/main/infra-as-code/bicep/orchestration/hubPeeredSpoke)   |
+| subPlacementAll | Moves Subscription IDs that are passed in via the input parameters to the specified Management Group. Useful to have a single module's parameters that are updated over time and can be tracked in git, etc.                                                                                                                                                                                                           | [infra-as-code/bicep/orchestration/subPlacementAll](https://github.com/Azure/ALZ-Bicep/tree/main/infra-as-code/bicep/orchestration/subPlacementAll) |
 
 > Orchestration modules to deliver the entire ALZ deployment in a single Bicep file are on our backlog and being worked on, stay tuned!
 

diff --git a/infra-as-code/bicep/modules/managementGroups/README.md b/infra-as-code/bicep/modules/managementGroups/README.md
@@ -1,6 +1,6 @@
 # Module:  Management Groups
 
-The Management Groups module deploys a management group hierarchy in a customer's tenant under the `Tenant Root Group`.  This is accomplished through a tenant-scoped Azure Resource Manager (ARM) deployment.  The heirarchy can be modifed by editing `managementGroups.bicep`.  The hierarchy created by the deployment is:
+The Management Groups module deploys a management group hierarchy in a customer's tenant under the `Tenant Root Group`.  This is accomplished through a tenant-scoped Azure Resource Manager (ARM) deployment. The hierarchy can be modified by editing `managementGroups.bicep`.  The hierarchy created by the deployment is:
 
 - Tenant Root Group
   - Top Level Management Group (defined by parameter `parTopLevelManagementGroupPrefix`)

diff --git a/infra-as-code/bicep/modules/subscriptionPlacement/README.md b/infra-as-code/bicep/modules/subscriptionPlacement/README.md
@@ -2,6 +2,8 @@
 
 This module moves one or more subscriptions to be a child of the specified management group. Once the subscription(s) are moved under the management group, Azure Policies assigned to the management group or its parent management group(s) will begin to govern the subscription(s).
 
+> Consider using the `subPlacementAll` orchestration module instead to simplify Subscription placement across your entire Management Group hierarchy in a single module. [infra-as-code/bicep/orchestration/hubPeeredSpoke](https://github.com/Azure/ALZ-Bicep/tree/main/infra-as-code/bicep/orchestration/subPlacementAll)
+
 ## Parameters
 
 The module requires the following required input parameters.