Subscription resource providers registration (#52)

* add rp registration

* typo

* update readme

* wording

* update guid to ds resources

* update cleanup workflow

* updates

* update output

* testing

* testing

* update tests

* update naming

* update naming

* update guid

* adding params

* check for empty providers array

* update cleanup

* add output message

* update readme

* adding default value

* update outputs

* update subscription parameter

* testing emty array

* testing

* add dependsOn for vnet for VHC

* Update main.bicep

Co-authored-by: Jack Tracey <[email protected]>

* Update main.bicep

Co-authored-by: Jack Tracey <[email protected]>

* pr comments

* updates

* revert testing

* unregister features

* update tests

* auto create docs

* add lock param

* add lock

* remove locks

* conditional loop fix

* trailing white space

* testing

* testing

* Apply suggestions from code review

* Update module-tests.yml

* add more error handling

* add logic for registering providers

* testing

* switch to write-host

* testing

* testing

* revert write-host

* update pester tests

* update features statuses

* readme updates

* enhance tests for rbac consistency

* typo on version number

* adding additional feature in examples

* add wording around empty array

* revert version update to 1.4.1

* test typo

* testing

* update version

* linting

* bump version

* linting

* try again

* minor fix

* testing

* testing

* testing

* testing

* testing

* testing

* increase wait

* testing

* testing

---------

Co-authored-by: Jack Tracey <[email protected]>
Co-authored-by: Jack Tracey <[email protected]>

.github/workflows/module-tests.yml

@@ -59,7 +59,7 @@ jobs:
               }
             }
             New-AzManagementGroupDeployment @inputObject -Whatif
-          azPSVersion: "latest"
+          azPSVersion: "10.4.1"
 
       - name: Vend Subscriptions & Networking Scenarios (Deploy)
         id: vend
@@ -80,7 +80,7 @@ jobs:
             $bicepDeployment = New-AzManagementGroupDeployment @inputObject
             $outputValue = $bicepDeployment.Outputs.createdSubId.Value
             "SUBID=$outputValue" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
-          azPSVersion: "latest"
+          azPSVersion: "10.4.1"
 
       - name: Pester Tests
         id: pester
@@ -103,23 +103,36 @@ jobs:
             }
             $result = Invoke-Pester -Configuration $pesterConfiguration
             exit $result.FailedCount
-          azPSVersion: "latest"
+          azPSVersion: "10.4.1"
 
       - name: Cleanup Vended Subscription & Networking Scenarios
         id: cleanup-vend
+        if: always()
         uses: azure/powershell@v1
         with:
           inlineScript: |
             # Resource Group Names
+            $subId = "${{ env.SUBID }}"
             $rsgHsName = "rsg-${{ env.ARM_LOCATION }}-net-hs-pr-${{ env.GH_PR_NUMBER }}"
             $rsgVwanName = "rsg-${{ env.ARM_LOCATION }}-net-vwan-pr-${{ env.GH_PR_NUMBER }}"
             $rsgNetworkWatcherName = "NetworkWatcherRG"
+            $guid = $subId.substring(0,8)
+            $rsgDeploymentScriptName = "rsg-${{ env.ARM_LOCATION }}-ds-pr-${{ env.GH_PR_NUMBER }}-$guid"
+            $allRoleAssignmentsSub = Get-AzRoleAssignment -Scope "/subscriptions/$subId" -ErrorAction SilentlyContinue
+            $rbacIdentitiyNotFoundToCleanupContributor = $allRoleAssignmentsSub | Where-Object { $_.ObjectType -eq "Unknown" -and $_.RoleDefinitionName -eq "Contributor" }
 
             Write-Host "Cleanup Vended Subscription Resources & Resource Groups..." -ForegroundColor Yellow
             Select-AzSubscription -SubscriptionId "${{ env.SUBID }}"
             Remove-AzResourceGroup -Name $rsgHsName -Force
             Remove-AzResourceGroup -Name $rsgVwanName -Force
             Remove-AzResourceGroup -Name $rsgNetworkWatcherName -Force
+            Remove-AzResourceGroup -Name $rsgDeploymentScriptName -Force
+
+            Write-Host "Cleanup registered resource providers and features..." -ForegroundColor Yellow
+            Unregister-AzProviderFeature -FeatureName "ArcServerPrivateLinkPreview" -ProviderNamespace "Microsoft.HybridCompute"
+            Unregister-AzProviderFeature -FeatureName "AzureServicesVm" -ProviderNamespace "Microsoft.AVS"
+            Unregister-AzResourceProvider -ProviderNamespace "Microsoft.HybridCompute"
+            Unregister-AzResourceProvider -ProviderNamespace "Microsoft.AVS"
 
             Write-Host "Cleanup Hub Subscription Resources..." -ForegroundColor Yellow
             Select-AzSubscription -SubscriptionId "${{ env.SUB_HUB_ID }}"
@@ -130,4 +143,10 @@ jobs:
             $hubVnetPeering = Get-AzVirtualNetworkPeering -ResourceGroupName "rsg-blzv-perm-hubs-001" -VirtualNetworkName "vnet-uksouth-hub-blzv" -Name *
             Remove-AzVirtualNetworkPeering -ResourceGroupName "rsg-blzv-perm-hubs-001" -VirtualNetworkName "vnet-uksouth-hub-blzv" -Name "$($hubVnetPeering.Name)" -Force
             Write-Host "Cleanup Hub Subscription Resources... Complete!" -ForegroundColor Green
-          azPSVersion: "latest"
+
+            Write-Host "Cleanup Unknown Contributor RBAC Assignments on Sub Scope..." -ForegroundColor Yellow
+            foreach ($assignment in $rbacIdentitiyNotFoundToCleanupContributor) {
+              Remove-AzRoleAssignment -objectId $assignment.ObjectId -Scope $assignment.Scope -RoleDefinitionName $assignment.RoleDefinitionName
+            }
+            Write-Host "Cleanup Unknown Contributor RBAC Assignments on Sub Scope... Complete!" -ForegroundColor Green
+          azPSVersion: "10.4.1"

README.md

@@ -21,11 +21,12 @@ This is currently split logically into the following capabilities:
 - Networking - deploy a Virtual Network with, optional:
   - Hub & spoke connectivity (peering to a hub Virtual Network)
   - Virtual WAN connectivity (peering to a Virtual Hub via a Virtual Hub Connection)
-      - Including support for connections to Virtual WAN Hubs with Routing Intent configured
+    - Including support for connections to Virtual WAN Hubs with Routing Intent configured
   - Link to existing DDoS Network Protection Plan
   - Specify Custom DNS Servers
 - Role assignments
 - Tags
+- Resource providers and resource providers features registration
 
 > When creating Virtual Network peerings, be aware of the [limit of peerings per Virtual Network.](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=%2Fazure%2Fvirtual-network%2Ftoc.json#azure-resource-manager-virtual-networking-limits)
 

docs/wiki/Example-5-Hub-and-Spoke-With-RP-registration.md

@@ -0,0 +1,188 @@
+<!-- markdownlint-disable MD041 -->
+## Example 5 - Landing Zone (Subscription) with a spoke Virtual Network peered to a Hub Virtual Network and resource providers and features registration
+
+### Bicep Module Registry
+
+Here is a simple example Bicep file for deploying a landing zone (Subscription) with a spoke Virtual Network peered to a Hub Virtual Network, resource providers and features registration using the [Bicep Module Registry](https://github.com/Azure/bicep-registry-modules):
+
+> A resoure group gets created in the subscription with the format "rsg-<location>-ds-<xxxx>" hosting a deployment script and a user-assigned managed identity. This resource group needs to be manually deleted if not needed after the resource providers features registration process.
+>
+> The resource providers registration process is asynchronous as it might take extended periods of time to register.
+> After a preview feature is registered in your subscription, you'll see one of two states: Registered or Pending.
+>
+>- For a preview feature that doesn't require approval, the state is Registered.
+>- If a preview feature requires approval, the registration state is Pending. You must request approval from the Azure service offering the preview feature. Usually, you request access through a support ticket.
+
+```bicep
+targetScope = 'managementGroup'
+
+@description('Specifies the location for resources.')
+param location string = 'uksouth'
+
+module sub003 'br/public:lz/sub-vending:1.4.1' = {
+  name: 'sub-bicep-lz-vending-example-001'
+  params: {
+    subscriptionAliasEnabled: true
+    subscriptionBillingScope: '/providers/Microsoft.Billing/billingAccounts/1234567/enrollmentAccounts/123456'
+    subscriptionAliasName: 'sub-bicep-lz-vending-example-001'
+    subscriptionDisplayName: 'sub-bicep-lz-vending-example-001'
+    subscriptionTags: {
+      test: 'true'
+    }
+    subscriptionWorkload: 'Production'
+    subscriptionManagementGroupAssociationEnabled: true
+    subscriptionManagementGroupId: 'alz-landingzones-corp'
+    virtualNetworkEnabled: true
+    virtualNetworkLocation: location
+    virtualNetworkResourceGroupName: 'rsg-${location}-net-001'
+    virtualNetworkName: 'vnet-${location}-001'
+    virtualNetworkAddressSpace: [
+      '10.0.0.0/16'
+    ]
+    virtualNetworkResourceGroupLockEnabled: false
+    virtualNetworkPeeringEnabled: true
+    hubNetworkResourceId: '/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/rsg-uks-net-hub-001/providers/Microsoft.Network/virtualNetworks/vnet-uks-hub-001'
+    resourceProviders : {
+      'Microsoft.Compute' : ['InGuestHotPatchVMPreview']
+      'Microsoft.AVS'     : ['AzureServicesVm','ArcAutomatedOnboarding']
+    }
+  }
+}
+```
+
+### ARM JSON Parameter File
+
+Here is a simple example parameter file for deploying a landing zone (Subscription) with a spoke Virtual Network peered to a Hub Virtual Network, resource providers and features registration:
+
+```json
+{
+  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
+  "contentVersion": "1.0.0.0",
+  "parameters": {
+    "subscriptionAliasEnabled": {
+      "value": true
+    },
+    "subscriptionDisplayName": {
+      "value": "sub-bicep-lz-vending-example-001"
+    },
+    "subscriptionAliasName": {
+      "value": "sub-bicep-lz-vending-example-001"
+    },
+    "subscriptionBillingScope": {
+      "value": "providers/Microsoft.Billing/billingAccounts/1234567/enrollmentAccounts/123456"
+    },
+    "subscriptionWorkload": {
+      "value": "Production"
+    },
+    "existingSubscriptionId": {
+      "value": ""
+    },
+    "subscriptionManagementGroupAssociationEnabled": {
+      "value": true
+    },
+    "subscriptionManagementGroupId": {
+      "value": "alz-landingzones-corp"
+    },
+    "subscriptionTags": {
+      "value": {
+        "Cost-Center": "ABC123",
+        "Usage": "Example"
+      }
+    },
+    "virtualNetworkEnabled": {
+      "value": true
+    },
+    "virtualNetworkResourceGroupName": {
+      "value": "rg-networking-001"
+    },
+    "virtualNetworkResourceGroupTags": {
+      "value": {
+        "Cost-Center": "ABC123",
+        "Usage": "Example",
+        "Managed-By": "Platform Team"
+      }
+    },
+    "virtualNetworkResourceGroupLockEnabled": {
+      "value": true
+    },
+    "virtualNetworkLocation": {
+      "value": "uksouth"
+    },
+    "virtualNetworkName": {
+      "value": "vnet-example-001"
+    },
+    "virtualNetworkTags": {
+      "value": {
+        "Cost-Center": "ABC123",
+        "Usage": "Example",
+        "Managed-By": "Platform Team"
+      }
+    },
+    "virtualNetworkAddressSpace": {
+      "value": [
+        "10.0.0.0/16"
+      ]
+    },
+    "virtualNetworkDnsServers": {
+      "value": [
+        "10.4.1.4",
+        "10.2.1.5"
+      ]
+    },
+    "virtualNetworkDdosPlanId": {
+      "value": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/rg-hub-network-001/providers/Microsoft.Network/ddosProtectionPlans/ddos-001"
+    },
+    "virtualNetworkPeeringEnabled": {
+      "value": true
+    },
+    "hubNetworkResourceId": {
+      "value": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/rg-hub-network-001/providers/Microsoft.Network/virtualNetworks/vnet-hub-001"
+    },
+    "virtualNetworkUseRemoteGateways": {
+      "value": true
+    },
+    "virtualNetworkVwanAssociatedRouteTableResourceId": {
+      "value": ""
+    },
+    "virtualNetworkVwanPropagatedRouteTablesResourceIds": {
+      "value": []
+    },
+    "virtualNetworkVwanPropagatedLabels": {
+      "value": []
+    },
+    "roleAssignmentEnabled": {
+      "value": true
+    },
+    "roleAssignments": {
+      "value": [
+        {
+          "principalId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
+          "definition": "Contributor",
+          "relativeScope": ""
+        },
+        {
+          "principalId": "yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy",
+          "definition": "/providers/Microsoft.Authorization/roleDefinitions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
+          "relativeScope": ""
+        },
+        {
+          "principalId": "zzzzzzzz-zzzz-zzzz-zzzz-zzzzzzzzzzzz",
+          "definition": "Reader",
+          "relativeScope": "/resourceGroups/rg-networking-001"
+        }
+      ]
+    },
+    "resourceProviders":{
+      "value":{
+        "Microsoft.Compute": ["InGuestHotPatchVMPreview"],
+        "Microsoft.AVS" : ["AzureServicesVm","ArcAutomatedOnboarding"]
+      }
+    },
+    "disableTelemetry": {
+      "value": false
+    }
+  }
+}
+```
+
+Back to [Examples](Examples)

docs/wiki/Examples.md

@@ -5,9 +5,10 @@ Here are some example configurations that demonstrate the module usage.
 
 | Example                                                                                           | Description                                                                                                              |
 | ------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------ |
-| [Hub & Spoke](Example-1-Hub-and-Spoke)                                                            | Example of how to create a landing zone (Subscription) with with a spoke Virtual Network peered to a Hub Virtual Network |
+| [Hub & Spoke](Example-1-Hub-and-Spoke)                                                            | Example of how to create a landing zone (Subscription) with a spoke Virtual Network peered to a Hub Virtual Network |
 | [Virtual WAN](Example-2-Virtual-WAN)                                                              | Example of how to create a landing zone (Subscription) with a spoke Virtual Network connected to a Virtual WAN Hub       |
 | [Use with existing subscriptions](Example-3-Use-With-Existing-Subscriptions)                      | Example of how to use this module with existing landing zone Subscriptions                                               |
 | [Multiple Virtual Networks in Single Subscription](Example-4-Multiple-VNets-In-Same-Subscription) | Example of how to create a landing zone (Subscription) with multiple spoke Virtual Networks                              |
+| [Hub & Spoke with resource providers and resource providers features registration](Example-5-Hub-and-Spoke-With-RP-registration) | Example of how to create a landing zone (Subscription) with a spoke Virtual Network peered to a Hub Virtual Network, register resource providers and resource providers features                              |
 
 Before deploying, review the [Consumer Guide](https://github.com/azure/bicep-lz-vending/wiki/consumerguide) for guidance on how to consume this module.