diff --git a/quickstarts/microsoft.azurestackhci/upgrade-cluster/azuredeploy.json b/quickstarts/microsoft.azurestackhci/upgrade-cluster/azuredeploy.json
new file mode 100644
index 000000000000..8a9112fdee24
--- /dev/null
+++ b/quickstarts/microsoft.azurestackhci/upgrade-cluster/azuredeploy.json
@@ -0,0 +1,523 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "deploymentMode": {
+ "defaultValue": "Validate",
+ "type": "string",
+ "allowedValues": [
+ "Validate",
+ "Deploy"
+ ],
+ "metadata": {
+ "description": "First must pass Validate prior running Deploy"
+ }
+ },
+ "keyVaultName": {
+ "type": "string",
+ "metadata": {
+ "description": "The KeyVault name used to store the secrets."
+ }
+ },
+ "createNewKeyVault": {
+ "type": "bool",
+ "defaultValue": true,
+ "metadata": {
+ "description": "Set this value as false, if you are re-using a Keyvault"
+ }
+ },
+ "softDeleteRetentionDays": {
+ "type": "int",
+ "defaultValue": 30
+ },
+ "diagnosticStorageAccountName": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the storage account used for KV audit logs"
+ }
+ },
+ "logsRetentionInDays": {
+ "type": "int",
+ "defaultValue": 30,
+ "minValue": 0,
+ "maxValue": 365,
+ "metadata": {
+ "description": "Specifies the number of days that logs are gonna be kept. If you do not want to apply any retention policy and retain data forever, set value to 0."
+ }
+ },
+ "storageAccountType": {
+ "type": "string",
+ "defaultValue": "Standard_LRS",
+ "allowedValues": [
+ "Premium_LRS",
+ "Premium_ZRS",
+ "Standard_GRS",
+ "Standard_GZRS",
+ "Standard_LRS",
+ "Standard_RAGRS",
+ "Standard_RAGZRS",
+ "Standard_ZRS"
+ ],
+ "metadata": {
+ "description": "Storage Account type"
+ }
+ },
+ "clusterName": {
+ "type": "string"
+ // "minLength": 3,
+ // "maxLength": 24
+ },
+ "location": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]"
+ },
+ "tenantId": {
+ "type": "string",
+ "defaultValue": "[subscription().tenantId]"
+ },
+ "AzureStackLCMAdminUsername": {
+ "type": "string",
+ "minLength": 1,
+ "metadata": {
+ "description": "Deployment user username"
+ }
+ },
+ "AzureStackLCMAdminPasssword": {
+ "type": "securestring",
+ "minLength": 1,
+ "metadata": {
+ "description": "Deployment user password"
+ }
+ },
+ "arbDeploymentAppID": {
+ "type": "string",
+ "minLength": 1,
+ "metadata": {
+ "description": "ARB SPN's AppID"
+ }
+ },
+ "arbDeploymentAppSecret": {
+ "type": "securestring",
+ "minLength": 1,
+ "metadata": {
+ "description": "ARB SPN's Password"
+ }
+ },
+ "arbDeploymentSPNObjectID": {
+ "type": "string",
+ "minLength": 1,
+ "metadata": {
+ "description": "ARB SPN's ObjectID"
+ }
+ },
+ "arcNodeResourceIds": {
+ "defaultValue": [],
+ "type": "array",
+ "metadata": {
+ "description": "The arc for server node Ids of the hci cluster"
+ }
+ },
+ // "domainFqdn": {
+ // "defaultValue": "",
+ // "type": "string",
+ // "metadata": {
+ // "description": "The domain name of the Active Directory Domain Services"
+ // }
+ // },
+ // "adouPath": {
+ // "defaultValue": "",
+ // "type": "string",
+ // "metadata": {
+ // "description": "The ADDS OU path"
+ // }
+ // },
+ // "securityLevel": {
+ // "defaultValue": "Recommended",
+ // "type": "string",
+ // "allowedValues": [
+ // "Recommended",
+ // "Customized"
+ // ],
+ // "metadata": {
+ // "description": "The security level data for deploying a hci cluster"
+ // }
+ // },
+ "subnetMask": {
+ "defaultValue": "",
+ "type": "string",
+ "metadata": {
+ "description": "The subnet mask for deploying a hci cluster"
+ }
+ },
+ "defaultGateway": {
+ "defaultValue": "",
+ "type": "string",
+ "metadata": {
+ "description": "The default gateway for deploying a hci cluster"
+ }
+ },
+ "startingIPAddress": {
+ "defaultValue": "",
+ "type": "string",
+ "metadata": {
+ "description": "The starting ip address for deploying a hci cluster"
+ }
+ },
+ "endingIPAddress": {
+ "defaultValue": "",
+ "type": "string",
+ "metadata": {
+ "description": "The ending ip address for deploying a hci cluster"
+ }
+ },
+ "dnsServers": {
+ "defaultValue": [
+ ""
+ ],
+ "type": "array",
+ "metadata": {
+ "description": "The dns servers for deploying a hci cluster"
+ }
+ },
+ "physicalNodesSettings": {
+ "defaultValue": [
+ {
+ "name": "node1",
+ "ipv4Address": "100.69.32.64"
+ },
+ {
+ "name": "node2",
+ "ipv4Address": "100.69.32.65"
+ }
+ ],
+ "type": "array",
+ "metadata": {
+ "description": "The physical nodes settings for deploying a hci cluster"
+ }
+ },
+ "customLocation": {
+ "defaultValue": "",
+ "type": "string",
+ "metadata": {
+ "description": "The custom location for deploying a hci cluster"
+ }
+ }
+ },
+ "variables": {
+ "domainAdminCredentialECEName": "AzureStackLCMUserCredential",
+ "arbDeploymentSpnCredentialECEName": "DefaultARBApplication",
+ "domainAdminSecretName": "[concat( parameters('clusterName'), '-', 'AzureStackLCMUserCredential')]",
+ "arbDeploymentSpnSecretName": "[concat( parameters('clusterName'), '-', 'DefaultARBApplication')]",
+ "storageWitnessNameVar": "WitnessStorageKey",
+ "secretsLocationVar": "[concat('https://',parameters('keyVaultName'), '.vault.azure.net')]",
+ "domainAdminSecretValueVar": "[base64(concat(parameters('AzureStackLCMAdminUsername'),':',parameters('AzureStackLCMAdminPasssword')))]",
+ "arbDeploymentSpnValueVar": "[base64(concat(parameters('arbDeploymentAppID'),':',parameters('arbDeploymentAppSecret')))]",
+ "deploymentSecretsList":[
+ {
+ "secretName": "[variables('domainAdminSecretName')]",
+ "eceSecretName" : "[variables('domainAdminCredentialECEName')]",
+ "secretLocation": "[concat('https://', parameters('keyVaultName'), '.vault.azure.net/secrets/', variables('domainAdminSecretName'))]"
+ },
+ {
+ "secretName": "[variables('arbDeploymentSpnSecretName')]",
+ "eceSecretName" : "[variables('arbDeploymentSpnCredentialECEName')]",
+ "secretLocation": "[concat('https://', parameters('keyVaultName'), '.vault.azure.net/secrets/', variables('arbDeploymentSpnSecretName'))]"
+ }
+ ]
+ },
+ "resources": [
+ // {
+ // "type": "Microsoft.Storage/storageAccounts",
+ // "apiVersion": "2023-01-01",
+ // "name": "[parameters('clusterWitnessStorageAccountName')]",
+ // "location": "[parameters('location')]",
+ // "sku": {
+ // "name": "[parameters('storageAccountType')]",
+ // "tier": "Standard"
+ // },
+ // "kind": "StorageV2",
+ // "properties": {
+ // "supportsHttpsTrafficOnly": true,
+ // "minimumTlsVersion": "TLS1_2"
+ // }
+ // },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2021-04-01",
+ "name": "[concat('MOC-ARB-Role-Assignment',guid(concat('MOCARB-SPN-Subscription-Scope-Role-Assignment',resourceGroup().id,parameters('location'), parameters('arbDeploymentSPNObjectID'))))]",
+ "location": "[parameters('location')]",
+ "subscriptionId": "[subscription().subscriptionId]",
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Authorization/roleAssignments",
+ "apiVersion": "2022-04-01",
+ "name": "[guid(concat('ARB-', parameters('arbDeploymentSPNObjectID')))]",
+ "properties": {
+ "mode": "Incremental",
+ "roleDefinitionId": "[concat(subscription().id, '/providers/Microsoft.Authorization/roleDefinitions/', '7b1f81f9-4196-4058-8aae-762e593270df')]",
+ "principalId": "[parameters('arbDeploymentSPNObjectID')]"
+ }
+ }
+ ]
+ }
+ }
+ },
+ // {
+ // "type": "Microsoft.Authorization/roleAssignments",
+ // "apiVersion": "2022-04-01",
+ // "name": "[guid(concat('HCIRP-',resourceGroup().id, parameters('hciResourceProviderObjectID')))]",
+ // "properties": {
+ // "mode": "Incremental",
+ // "roleDefinitionId": "[concat(subscription().id, '/providers/Microsoft.Authorization/roleDefinitions/', 'f5819b54-e033-4d82-ac66-4fec3cbf3f4c')]",
+ // "principalId": "[parameters('hciResourceProviderObjectID')]",
+ // "scope": "[resourceGroup().id]",
+ // "description": "Azure Connected Machine Resource Manager role assignment to HCI Resource Provider"
+ // }
+ // },
+ {
+ "copy": {
+ "name": "roleAssignmentCopy",
+ "count": "[length(parameters('arcNodeResourceIds'))]"
+ },
+ "type": "Microsoft.Authorization/roleAssignments",
+ "apiVersion": "2022-04-01",
+ "name": "[guid(concat('DMR-', parameters('arcNodeResourceIds')[copyIndex()]))]",
+ "properties": {
+ "mode": "Incremental",
+ "roleDefinitionId": "[concat(subscription().id, '/providers/Microsoft.Authorization/roleDefinitions/', '865ae368-6a45-4bd1-8fbf-0d5151f56fc1')]",
+ "principalId": "[reference(parameters('arcNodeResourceIds')[copyIndex()], '2023-10-03-preview', 'full').identity.principalId]",
+ "scope": "[resourceGroup().id]",
+ "description": "[concat(substring(parameters('arcNodeResourceIds')[copyIndex()],lastIndexOf(parameters('arcNodeResourceIds')[copyIndex()],'/')),'- Azure Stack HCI Device Management Role')]"
+ }
+ },
+ {
+ "copy": {
+ "name": "roleAssignmentCopy",
+ "count": "[length(parameters('arcNodeResourceIds'))]"
+ },
+ "type": "Microsoft.Authorization/roleAssignments",
+ "apiVersion": "2022-04-01",
+ "name": "[guid(concat('KVSU-RoleAssign', parameters('arcNodeResourceIds')[copyIndex()]))]",
+ "properties": {
+ "mode": "Incremental",
+ "roleDefinitionId": "[concat(subscription().id, '/providers/Microsoft.Authorization/roleDefinitions/', '4633458b-17de-408a-b874-0445c86b69e6')]",
+ "principalId": "[reference(parameters('arcNodeResourceIds')[copyIndex()], '2023-10-03-preview', 'full').identity.principalId]",
+ "scope": "[resourceGroup().id]",
+ "description": "[concat(substring(parameters('arcNodeResourceIds')[copyIndex()],lastIndexOf(parameters('arcNodeResourceIds')[copyIndex()],'/')),'- Key Vault Secrets User')]"
+ }
+ },
+ {
+ "copy": {
+ "name": "roleAssignmentCopy",
+ "count": "[length(parameters('arcNodeResourceIds'))]"
+ },
+ "type": "Microsoft.Authorization/roleAssignments",
+ "apiVersion": "2022-04-01",
+ "name": "[guid(concat('INFRAVM-RoleAssign', parameters('arcNodeResourceIds')[copyIndex()]))]",
+ "properties": {
+ "mode": "Incremental",
+ "roleDefinitionId": "[concat(subscription().id, '/providers/Microsoft.Authorization/roleDefinitions/', 'c99c945f8bd14fb1a90301460aae6068')]",
+ "principalId": "[reference(parameters('arcNodeResourceIds')[copyIndex()], '2023-10-03-preview', 'full').identity.principalId]",
+ "scope": "[resourceGroup().id]",
+ "description": "[concat(substring(parameters('arcNodeResourceIds')[copyIndex()],lastIndexOf(parameters('arcNodeResourceIds')[copyIndex()],'/')),'- Azure Stack HCI Connected InfraVMs')]"
+ }
+ },
+ {
+ "type": "Microsoft.Storage/storageAccounts",
+ "apiVersion": "2023-01-01",
+ "name": "[parameters('diagnosticStorageAccountName')]",
+ "location": "[parameters('location')]",
+ "condition": "[parameters('createNewKeyVault')]",
+ "sku": {
+ "name": "[parameters('storageAccountType')]",
+ "tier": "Standard"
+ },
+ "kind": "StorageV2",
+ "properties": {
+ "publicNetworkAccess": "Disabled",
+ "supportsHttpsTrafficOnly": true,
+ "minimumTlsVersion": "TLS1_2",
+ "networkAcls": {
+ "defaultAction": "Deny"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.KeyVault/vaults",
+ "apiVersion": "2021-06-01-preview",
+ "name": "[parameters('keyVaultName')]",
+ "location": "[parameters('location')]",
+ "condition": "[parameters('createNewKeyVault')]",
+ "dependsOn": [
+ // "[resourceId('Microsoft.Storage/storageAccounts', parameters('clusterWitnessStorageAccountName'))]",
+ "[resourceId('Microsoft.Storage/storageAccounts', parameters('diagnosticStorageAccountName'))]"
+ ],
+ "properties": {
+ "enabledForDeployment": true,
+ "enabledForTemplateDeployment": true,
+ "enabledForDiskEncryption": true,
+ "enableSoftDelete": false,
+ "softDeleteRetentionInDays": "[parameters('softDeleteRetentionDays')]",
+ "enableRbacAuthorization": true,
+ "publicNetworkAccess": "Enabled",
+ "accessPolicies": [],
+ "tenantId": "[parameters('tenantId')]",
+ "sku": {
+ "name": "standard",
+ "family": "A"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.KeyVault/vaults/providers/diagnosticsettings",
+ "name": "[concat(parameters('keyVaultName'), '/Microsoft.Insights/service')]",
+ "apiVersion": "2016-09-01",
+ "Location": "[resourceGroup().location]",
+ "condition": "[parameters('createNewKeyVault')]",
+ "dependsOn": [
+ "[concat('Microsoft.KeyVault/vaults/', parameters('keyVaultName'))]",
+ "[concat('Microsoft.Storage/storageAccounts/', parameters('diagnosticStorageAccountName'))]"
+ ],
+ "properties": {
+ "storageAccountId": "[resourceId('Microsoft.Storage/storageAccounts', parameters('diagnosticStorageAccountName'))]",
+ "logs": [
+ {
+ "category": "AuditEvent",
+ "enabled": true,
+ "retentionPolicy": {
+ "enabled": true,
+ "days": "[parameters('LogsRetentionInDays')]"
+ }
+ }
+ ]
+ }
+ },
+ // {
+ // "condition": "[equals(parameters('deploymentMode'), 'Validate')]",
+ // "type": "Microsoft.AzureStackHCI/clusters",
+ // "apiVersion": "[parameters('apiVersion')]",
+ // "name": "[parameters('clusterName')]",
+ // "dependsOn": [
+ // "[resourceId('Microsoft.KeyVault/vaults', parameters('keyVaultName'))]"
+ // ],
+ // "identity": {
+ // "type": "SystemAssigned"
+ // },
+ // "location": "[parameters('location')]",
+ // "properties": {}
+ // },
+ {
+ "type": "Microsoft.KeyVault/vaults/secrets",
+ "apiVersion": "2021-06-01-preview",
+ "name": "[concat(parameters('keyVaultName'), '/', variables('domainAdminSecretName'))]",
+ "dependsOn": [
+ "[resourceId('Microsoft.KeyVault/vaults', parameters('keyVaultName'))]"
+ ],
+ "location": "[parameters('location')]",
+ "scale": null,
+ "properties": {
+ "contentType": "Secret",
+ "value": "[variables('domainAdminSecretValueVar')]",
+ "attributes": {
+ "enabled": true
+ }
+ }
+ },
+ // {
+ // "type": "Microsoft.KeyVault/vaults/secrets",
+ // "apiVersion": "2021-06-01-preview",
+ // "name": "[concat(parameters('keyVaultName'), '/', variables('LocalAdminCredentialSecretName'))]",
+ // "dependsOn": [
+ // "[resourceId('Microsoft.KeyVault/vaults', parameters('keyVaultName'))]"
+ // ],
+ // "location": "[parameters('location')]",
+ // "scale": null,
+ // "properties": {
+ // "contentType": "Secret",
+ // "value": "[variables('localAdminSecretValue')]",
+ // "attributes": {
+ // "enabled": true
+ // }
+ // }
+ // },
+ {
+ "type": "Microsoft.KeyVault/vaults/secrets",
+ "apiVersion": "2021-06-01-preview",
+ "name": "[concat(parameters('keyVaultName'), '/', variables('arbDeploymentSpnSecretName'))]",
+ "dependsOn": [
+ "[resourceId('Microsoft.KeyVault/vaults', parameters('keyVaultName'))]"
+ ],
+ "location": "[parameters('location')]",
+ "scale": null,
+ "properties": {
+ "contentType": "Secret",
+ "value": "[variables('arbDeploymentSpnValueVar')]",
+ "attributes": {
+ "enabled": true
+ }
+ }
+ },
+ {
+ "type": "microsoft.azurestackhci/clusters/deploymentSettings",
+ "apiVersion": "2024-04-01",
+ "name": "[format('{0}/default', parameters('clusterName'))]",
+ "dependsOn": [
+ "[resourceId('Microsoft.KeyVault/vaults', parameters('keyVaultName'))]"
+ ],
+ "properties": {
+ "arcNodeResourceIds": "[parameters('arcNodeResourceIds')]",
+ "deploymentMode": "[parameters('deploymentMode')]",
+ "operationType": "ClusterUpgrade",
+ "deploymentConfiguration": {
+ "version": "10.1.0.0",
+ "scaleUnits": [
+ {
+ "deploymentData": {
+ "observability": {
+ "streamingDataClient": true,
+ "euLocation": true,
+ "episodicDataUpload": true
+ },
+ "cluster": {
+ "name": "[parameters('clusterName')]"
+ },
+ "storage": {
+ //TODO: confirm if this can be hardcoded
+ "configurationMode": "InfraOnly"
+ },
+ "namingPrefix": "HCI001",
+ "domainFqdn": "",
+ "infrastructureNetwork": [
+ {
+ "subnetMask": "[parameters('subnetMask')]",
+ "gateway": "[parameters('defaultGateway')]",
+ "ipPools": [
+ {
+ "startingAddress": "[parameters('startingIPAddress')]",
+ "endingAddress": "[parameters('endingIPAddress')]"
+ }
+ ],
+ "dnsServers": "[parameters('dnsServers')]"
+ }
+ ],
+ "physicalNodes": "[parameters('physicalNodesSettings')]",
+ "adouPath": "",
+ "secrets": "[variables('deploymentSecretsList')]",
+ "optionalServices": {
+ "customLocation": "[parameters('customLocation')]"
+ }
+ }
+ }
+ ]
+ }
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/quickstarts/microsoft.azurestackhci/upgrade-cluster/azuredeploy.parameters.json b/quickstarts/microsoft.azurestackhci/upgrade-cluster/azuredeploy.parameters.json
new file mode 100644
index 000000000000..9884454d253d
--- /dev/null
+++ b/quickstarts/microsoft.azurestackhci/upgrade-cluster/azuredeploy.parameters.json
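Review bot: The `Microsoft.KeyVault/vaults` resource sets `"enableSoftDelete": false` and `"publicNetworkAccess": "Enabled"` with no `networkAcls`, although the two `vaults/secrets` resources further down store the LCM admin credential and the ARB service-principal secret in it. I would set `"enableSoftDelete": true`, add `"enablePurgeProtection": true`, and restrict the vault with a `networkAcls` block (`"defaultAction": "Deny"` plus whatever IP rules or `"bypass": "AzureServices"` the Arc nodes and the deployment actually need), mirroring the deny-by-default setting the diagnostic storage account already has. Passing `softDeleteRetentionInDays` while soft delete is switched off is contradictory and may be rejected by the service, so confirm with a test deployment. The nested `MOC-ARB-Role-Assignment` deployment also grants role `7b1f81f9-4196-4058-8aae-762e593270df` without a `scope`, which its own name describes as subscription scope; a comment saying why resource-group scope is not enough would help whoever audits this later.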
@@ -0,0 +1,93 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "deploymentMode": {
+ "value": "Validate"
+ },
+ "keyVaultName": {
+ "value": "armdeploykv"
+ },
+ "softDeleteRetentionDays": {
+ "value": 30
+ },
+ "diagnosticStorageAccountName": {
+ "value": "partnerdiagsa3"
+ },
+ "logsRetentionInDays": {
+ "value": 30
+ },
+ "storageAccountType": {
+ "value": "Standard_LRS"
+ },
+ "clusterName": {
+ "value": "cluster1"
+ },
+ "location": {
+ "value": "eastus"
+ },
+ "tenantId": {
+ "value": ""
+ },
+ "AzureStackLCMAdminUsername": {
+ "value": "lcmuser"
+ },
+ "AzureStackLCMAdminPasssword": {
+ "value": null
+ },
+ "arbDeploymentAppID": {
+ "value": ""
+ },
+ "arbDeploymentAppSecret": {
+ "value": null
+ },
+ "arbDeploymentSPNObjectID": {
+ "value": ""
+ },
+ "hciResourceProviderObjectID": {
+ "value": ""
+ },
+ "arcNodeResourceIds": {
+ "value": [
+ "/subscriptions/86a43cee-777a-4d3e-b9bc-80d6a9c6c73c/resourceGroups/ARMRG/providers/Microsoft.HybridCompute/machines/vhost1"
+ ]
+ },
+ "domainFqdn": {
+ "value": "s31r1501.masd.stbtest.microsoft.com"
+ },
+ "adouPath": {
+ "value": "OU=HCI002,DC=s31r1501,DC=masd,DC=stbtest,DC=microsoft,DC=com"
+ },
+ "securityLevel": {
+ "value": "Recommended"
+ },
+ "subnetMask": {
+ "value": "255.255.255.0"
+ },
+ "defaultGateway": {
+ "value": "100.69.32.1"
+ },
+ "startingIPAddress": {
+ "value": "100.69.32.21"
+ },
+ "endingIPAddress": {
+ "value": "100.69.32.27"
+ },
+ "dnsServers": {
+ "value": [
+ "100.71.45.125"
+ ]
+ },
+ "physicalNodesSettings": {
+ "value": [
+ {
+ "name": "vhost1",
+ "ipv4Address": "100.69.32.20"
+ }
+ ]
+ },
+ "customLocation": {
+ "value": "mylocation"
+ }
+ }
+}
\ No newline at end of file
diff --git a/quickstarts/microsoft.azurestackhci/upgrade-cluster/metadata.json b/quickstarts/microsoft.azurestackhci/upgrade-cluster/metadata.json
new file mode 100644
index 000000000000..4c3128f7ca03
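Review bot: This parameters file supplies `hciResourceProviderObjectID`, `domainFqdn`, `adouPath` and `securityLevel`, none of which the template in this commit declares (they are commented out there), and Resource Manager normally rejects a deployment whose parameter file names undeclared parameters. Those four entries should be removed, and `"tenantId": { "value": "" }` dropped as well so the template's `[subscription().tenantId]` default is not overridden by an empty string that then flows into the vault's `tenantId`. The sample values also look as if they were copied from a real environment: the subscription GUID in `arcNodeResourceIds`, the `stbtest.microsoft.com` domain and the matching OU path. A published quickstart is safer with obvious placeholders, for example `/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/...` for the node resource id.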
--- /dev/null
+++ b/quickstarts/microsoft.azurestackhci/upgrade-cluster/metadata.json
@@ -0,0 +1,10 @@
+{
+ "$schema": "https://aka.ms/azure-quickstart-templates-metadata-schema#",
+ "type": "QuickStart",
+ "itemDisplayName": "upgrades an Azure Stack HCI 22H2 cluster to 23H2 cluster",
+ "description": "This template upgrades an Azure Stack HCI 22H2 cluster to 23H2 cluster using an ARM template.",
+ "summary": "This template upgrades an Azure Stack HCI 22H2 cluster to 23H2 cluster using an ARM template.",
+ "githubUsername": "troettinger",
+ "validationType": "Manual",
+ "dateUpdated": "2024-09-16"
+}
\ No newline at end of file