Azure vWAN custom template | Added managed identity support
chkp-natanelm committed Feb 2, 2025
1 parent 8d32b55 commit c23004b
Showing 3 changed files with 177 additions and 2 deletions.
@@ -0,0 +1,31 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"managed_identity_name": {
"type": "string"
},
"managed_identity_principal_id": {
"type": "string"
},
"role_definition_id": {
"type": "string"
},
"deploymentTime": {
"type": "string",
"defaultValue": "[utcNow()]"
}
},
"resources": [
{
"type": "Microsoft.Authorization/roleAssignments",
"apiVersion": "2022-04-01",
"name": "[guid(parameters('deploymentTime'), resourceGroup().id, 'managed_app_public_ip_join_role')]",
"properties": {
"roleDefinitionId": "[parameters('role_definition_id')]",
"principalType": "ServicePrincipal",
"principalId": "[parameters('managed_identity_principal_id')]"
}
}
]
}
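--- /dev/null
+++ b/azure/templates/nestedtemplates/vwan-reader-role-assignment.json
@@ -0,0 +1,32 @@
+{
+"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+"contentVersion": "1.0.0.0",
+"parameters": {
+"hubId": {
+"type": "string"
+},
+"managed_identity_name": {
+"type": "string"
+},
+"managed_identity_principal_id": {
+"type": "string"
+},
+"deploymentTime": {
+"type": "string",
+"defaultValue": "[utcNow()]"
+}
+},
+"resources": [
+{
+"type": "Microsoft.Authorization/roleAssignments",
+"apiVersion": "2022-04-01",
+"name": "[guid(parameters('deploymentTime'), resourceGroup().id, 'managed_app_reader_role')]",
+"scope": "[parameters('hubId')]",
+"properties": {
+"roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]",
+"principalType": "ServicePrincipal",
+"principalId": "[parameters('managed_identity_principal_id')]"
+}
+}
+]
+}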
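Review bot: The role assignment name on the `"name": "[guid(parameters('deploymentTime'), resourceGroup().id, 'managed_app_reader_role')]"` line is seeded from `deploymentTime`, which defaults to `utcNow()`, so every run of the outer deployment computes a new GUID for the same (principal, Reader, hub) tuple; a re-run is therefore not idempotent and, as far as I can tell from Azure RBAC behaviour, is likely to fail with a RoleAssignmentExists conflict instead of updating in place. Derive the name from the inputs that actually define the assignment, e.g. `"name": "[guid(parameters('hubId'), parameters('managed_identity_principal_id'), 'managed_app_reader_role')]"`, and drop the `deploymentTime` parameter once nothing else uses it. `managed_identity_name` is declared but never referenced by the resource; remove it or give its `metadata.description` a note that it is informational only. Scoping the built-in Reader role to `hubId` rather than the whole resource group is the right least-privilege choice; a `"metadata": {"description": "Resource id of the Virtual WAN hub; the identity receives Reader on this hub only"}` on `hubId` would make that intent explicit to whoever maintains the template next.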
116 changes: 114 additions & 2 deletions azure/templates/vwan-managed-app/mainTemplate.json
Expand Up @@ -185,14 +185,117 @@
"description": "The resource id of the public IP"
},
"defaultValue": ""
},
"deploymentTime": {
"type": "string",
"defaultValue": "[utcNow()]"
}
},
"variables": {
"managedResourceGroupId": "[concat(subscription().id, '/resourceGroups/', parameters('managedResourceGroupName'))]"
"managedResourceGroupId": "[concat(subscription().id, '/resourceGroups/', parameters('managedResourceGroupName'))]",
"_artifactsLocation": "https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/azure/templates/",
"managed_identity_name": "[concat(resourceGroup().name, '-managed_app_identity')]",
"public_ip_resource_group":"[if(equals(parameters('publicIPIngress'), 'yes'), if(equals(parameters('createNewIPIngress'), 'yes'), resourceGroup().name, split(parameters('ipIngressExistingResourceId'), '/')[4]),'')]"
},
"resources": [
{
"type": "Microsoft.ManagedIdentity/userAssignedIdentities",
"apiVersion": "2023-01-31",
"name": "[variables('managed_identity_name')]",
"location": "[resourceGroup().location]"
},
{
"condition": "[equals(parameters('publicIPIngress'), 'yes')]",
"type": "Microsoft.Authorization/roleDefinitions",
"apiVersion": "2022-04-01",
"name": "[guid(parameters('deploymentTime') , resourceGroup().name, 'PublicIPAddressJoinActionRole')]",
"properties": {
"roleName": "[guid(parameters('deploymentTime'), resourceGroup().name, 'PublicIPAddressJoinActionRole')]",
"description": "Custom role for allowing public IP address join action",
"permissions": [
{
"actions": [
"Microsoft.Network/publicIPAddresses/join/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"assignableScopes": [
"[subscription().id]", "[resourceGroup().id]"
]
}
},
{
"type": "Microsoft.Resources/deployments",
"dependsOn": [
"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', variables('managed_identity_name'))]"
],
"name": "reader_role_assignment",
"apiVersion": "2021-04-01",
"resourceGroup": "[split(parameters('hubId'), '/')[4]]",
"subscriptionId": "[subscription().subscriptionId]",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "[uri(variables('_artifactsLocation'), concat('nestedtemplates/vwan-reader-role-assignment', '.json'))]",
"contentVersion": "1.0.0.0"
},
"parameters": {
"managed_identity_name": {
"value": "[variables('managed_identity_name')]"
},
"hubId": {
"value": "[parameters('hubId')]"
},
"managed_identity_principal_id": {
"value": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', variables('managed_identity_name')), '2023-01-31', 'full').properties.principalId]"
},
"deploymentTime": {
"value": "[parameters('deploymentTime')]"
}
}
}
},
{
"condition": "[equals(parameters('publicIPIngress'), 'yes')]",
"type": "Microsoft.Resources/deployments",
"dependsOn": [
"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', variables('managed_identity_name'))]",
"[resourceId('Microsoft.Authorization/roleDefinitions', guid(parameters('deploymentTime'), resourceGroup().name, 'PublicIPAddressJoinActionRole'))]"
],
"name": "public_ip_join_permission_assignment",
"apiVersion": "2021-04-01",
"resourceGroup": "[variables('public_ip_resource_group')]",
"subscriptionId": "[subscription().subscriptionId]",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "[uri(variables('_artifactsLocation'), concat('nestedtemplates/vwan-public-ip-join-permission-assignment', '.json'))]",
"contentVersion": "1.0.0.0"
},
"parameters": {
"managed_identity_name": {
"value": "[variables('managed_identity_name')]"
},
"managed_identity_principal_id": {
"value": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', variables('managed_identity_name')), '2023-01-31', 'full').properties.principalId]"
},
"role_definition_id": {
"value": "[resourceId('Microsoft.Authorization/roleDefinitions', guid(parameters('deploymentTime'), resourceGroup().name, 'PublicIPAddressJoinActionRole'))]"
},
"deploymentTime": {
"value": "[parameters('deploymentTime')]"
}
}
}
},
{
"type": "Microsoft.Solutions/applications",
"dependsOn": [
"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', variables('managed_identity_name'))]"
],
"apiVersion": "2021-07-01",
"name": "[parameters('applicationResourceName')]",
"location": "[resourceGroup().location]",
Expand All @@ -201,7 +304,13 @@
"name": "vwan-app",
"product": "cp-vwan-managed-app",
"publisher": "checkpoint",
"version": "1.0.16"
"version": "1.0.21"
},
"identity": {
"type": "UserAssigned",
"userAssignedIdentities": {
"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', variables('managed_identity_name'))]": {}
}
},
"properties": {
"managedResourceGroupId": "[variables('managedResourceGroupId')]",
Expand Down Expand Up @@ -277,6 +386,9 @@
},
"ipIngressExistingResourceId": {
"value": "[parameters('ipIngressExistingResourceId')]"
},
"templateName": {
"value": "wan_custom_template"
}
}
}
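Review bot: The custom role definition in the first hunk is named and `roleName`d with `guid(parameters('deploymentTime'), ...)`, where `deploymentTime` defaults to `utcNow()`, so each deployment mints a new subscription-level custom role that is never cleaned up, and its `assignableScopes` list `"[subscription().id]"` even though the only assignment made with it (the `public_ip_join_permission_assignment` nested deployment) lands in `variables('public_ip_resource_group')`. Make the name deterministic so a redeploy into the same resource group updates the existing role, give it a human-readable `roleName`, and restrict `assignableScopes` to the resource group that actually receives the assignment; the same `guid(...)` expression must then be substituted at the two `resourceId('Microsoft.Authorization/roleDefinitions', ...)` references in `dependsOn` and `role_definition_id`, and `description`/`permissions` stay as they are. Separately, `_artifactsLocation` points the two `templateLink` URIs at the `master` branch of the public repository, so the role-assignment templates executed with the deployer's RBAC rights are fetched unpinned at deployment time; pin to a release tag or commit SHA (or inline the nested templates) so the deployed content cannot change underneath a published managed-app version. The enclosing `resources` array and the `Microsoft.Solutions/applications` resource continue outside the hunks.

```json
"name": "[guid(subscription().id, resourceGroup().name, 'PublicIPAddressJoinActionRole')]",
"properties": {
  "roleName": "[concat(resourceGroup().name, '-PublicIPAddressJoinAction')]",
  "assignableScopes": [
    "[concat(subscription().id, '/resourceGroups/', variables('public_ip_resource_group'))]"
  ]
}
```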