Updated the ARM template so that the application of RBAC works correc…

…tly when re-deploying the same template and specifying a different resource group name for the target resource group or the network watchers resource group.
StratusOn · Mar 27, 2018 · cbe09a0 · cbe09a0
1 parent ac408c0
commit cbe09a0
Showing 1 changed file with 57 additions and 13 deletions.
diff --git a/NetworkWatcherDeployment/azuredeploy.json b/NetworkWatcherDeployment/azuredeploy.json
@@ -46,7 +46,7 @@
       "type": "string",
       "defaultValue": "UDP",
       "metadata": {
-        "description": "The protocol of the packet capture filter. This can be either UDP or TCP."
+        "description": "The protocol of the packet capture filter. This can be UDP, TCP or Any."
       },
       "allowedValues": [
         "TCP",
@@ -101,8 +101,8 @@
     "uniqueSuffix": "[uniqueString(resourceGroup().id, guid(resourceGroup().id, deployment().name))]",
     "logsStorageAccountName": "[concat('logsstorage', variables('uniqueSuffix'))]",
     "applyRbacUrl": "[concat(parameters('artifactsBaseUrl'), '/applyRBAC.json', parameters('artifactsBaseUrlSasToken'))]",
-    "roleAssignmentId": "[guid(resourceGroup().id, deployment().name)]",
-    "networkWatcherRoleAssignmentId": "[guid(resourceGroup().id, concat(deployment().name, 'networkwatcher'))]",
+    "roleAssignmentId": "[guid(resourceGroup().id, deployment().name, parameters('virtualMachinesResourceGroupName'))]",
+    "networkWatcherRoleAssignmentId": "[guid(resourceGroup().id, deployment().name, parameters('networkWatchersResourceGroupName'))]",
     "roleAssignmentsApiVersion": "2016-07-01",
     "msiApiVersion": "2015-08-31-PREVIEW",
     "eventGridApiVersion": "2018-01-01",
@@ -162,51 +162,51 @@
       },
       "SubscriptionId": {
         "Name": "SubscriptionId",
-        "Description": "The subscription id."
+        "Description": "The subscription id. For internal runbook use."
       },
       "TenantId": {
         "Name": "TenantId",
-        "Description": "The MSI tenant id."
+        "Description": "The MSI tenant id. For internal runbook use."
       },
       "MsiGetDefaultTokenEndpoint": {
         "Name": "MsiGetDefaultTokenEndpoint",
-        "Description": "The MSI token endpoint."
+        "Description": "The MSI token endpoint. For internal runbook use."
       },
       "MaxCaptureTimeInMinutes": {
         "Name": "MaxCaptureTimeInMinutes",
         "Description": "The maximum amount of time, in minutes, that a packet capture should run. Default is 300 minutes (5 hours). This value cannot be more than 300 minutes (5 hours)."
       },
       "NetworkWatcherStorageAccountName": {
         "Name": "NetworkWatcherStorageAccountName",
-        "Description": "The name of the Azure Storage Account where the Network Watcher packet capture logs will be written."
+        "Description": "The name of the Azure Storage Account where the Network Watcher packet capture logs will be written. For internal runbook use."
       },
       "NetworkWatcherStorageAccountResourceGroupName": {
         "Name": "NetworkWatcherStorageAccountResourceGroupName",
-        "Description": "The name of the Resource Group that contains the Azure Storage Account where the Network Watcher packet capture logs will be written."
+        "Description": "The name of the Resource Group that contains the Azure Storage Account where the Network Watcher packet capture logs will be written. For internal runbook use."
       },
       "NetworkWatcherResourceGroupName": {
         "Name": "NetworkWatcherResourceGroupName",
         "Description": "The name of the resource group where Network Watcher resources are created for the different regions. The default is typically 'NetworkWatcherRG'."
       },
       "ApplyRbacUrl": {
         "Name": "ApplyRbacUrl",
-        "Description": "The URL of the applyRbac template."
+        "Description": "The URL of the applyRbac template. For internal runbook use."
       },
       "RoleAssignmentsApiVersion": {
         "Name": "RoleAssignmentsApiVersion",
-        "Description": "The RBAC API version."
+        "Description": "The RBAC API version. For internal runbook use."
       },
       "MsiApiVersion": {
         "Name": "MsiApiVersion",
-        "Description": "The API version for MSI."
+        "Description": "The API version for MSI. For internal runbook use."
       },
       "FunctionAppIdentityResourceId": {
         "Name": "FunctionAppIdentityResourceId",
-        "Description": "The Principal Id of the function app."
+        "Description": "The Principal Id of the function app. For internal runbook use."
       },
       "PacketCaptureFilterProtocol": {
         "Name": "PacketCaptureFilterProtocol",
-        "Description": "The protocol of the packet capture filter. This can be either UDP or TCP."
+        "Description": "The protocol of the packet capture filter. This can be UDP, TCP or Any."
       },
       "PacketCaptureFilterRemoteIpAddress": {
         "Name": "PacketCaptureFilterRemoteIpAddress",
@@ -223,6 +223,14 @@
       "PacketCaptureFilterLocalPort": {
         "Name": "PacketCaptureFilterLocalPort",
         "Description": "The local port of the packet capture filter. This can be a single number or a port range. e.g. 1-65535."
+      },
+      "LastTargetResourceGroup": {
+        "Name": "LastTargetResourceGroup",
+        "Description": "The latest name of the resource group where new Storage Accounts whose usage is to be tracked will be created. For internal runbook use."
+      },
+      "LastNetworkWatcherResourceGroupName": {
+        "Name": "LastNetworkWatcherResourceGroupName",
+        "Description": "The latest name of the resource group where Network Watcher resources are created for the different regions. For internal runbook use."
       }
     }
   },
@@ -714,6 +722,42 @@
             "description": "[variables('automationVariables').PacketCaptureFilterLocalPort.Description]"
           }
         },
+        {
+          "name": "[variables('automationVariables').LastTargetResourceGroup.Name]",
+          "type": "variables",
+          "apiVersion": "2015-10-31",
+          "dependsOn": [
+            "[concat('Microsoft.Automation/automationAccounts/', variables('accountName'))]"
+          ],
+          "tags": {
+            "displayName": "LastTargetResourceGroupVariable",
+            "solutionName": "StartNetworkWatcherSolution"
+          },
+          "properties": {
+            "value": "[concat('\"', parameters('virtualMachinesResourceGroupName'), '\"')]",
+            "type": "string",
+            "isEncrypted": true,
+            "description": "[variables('automationVariables').LastTargetResourceGroup.Description]"
+          }
+        },
+        {
+          "name": "[variables('automationVariables').LastNetworkWatcherResourceGroupName.Name]",
+          "type": "variables",
+          "apiVersion": "2015-10-31",
+          "dependsOn": [
+            "[concat('Microsoft.Automation/automationAccounts/', variables('accountName'))]"
+          ],
+          "tags": {
+            "displayName": "LastNetworkWatcherResourceGroupNameVariable",
+            "solutionName": "StartNetworkWatcherSolution"
+          },
+          "properties": {
+            "value": "[concat('\"', parameters('networkWatchersResourceGroupName'), '\"')]",
+            "type": "string",
+            "isEncrypted": true,
+            "description": "[variables('automationVariables').LastNetworkWatcherResourceGroupName.Description]"
+          }
+        },
         {
           "name": "[variables('psModules').AzureRmProfile.Name]",
           "type": "modules",