/*********************************
  Azure Automation Account 
**********************************/ 

//This code is provided "as is", without warranty of any kind, express or implied. No support will be provided.
//Bicep module to deploy a new Automation Account and all the child resources 
//Configurable role assignments using parameter values and can assign to different RG scopes 


/********************************* 
  parameters 
*********************************/ 

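//Automation account parameters
@sys.description('The name of the Automation Account to deploy')
param automationAccountName string
@sys.description('The specified location to deploy accounts. Allows only limited regions')
@allowed([
  'australiasoutheast'
  'australiaeast'
])
param location string
//No default is declared, so every deployment has to choose explicitly. The value is passed
//unchanged to the account's publicNetworkAccess property; false keeps the account's
//non-ARM endpoints (webhook / agent) off the public internet.
@sys.description('Controls if we want to allow outside traffic. Currently set as public allowed')
param publicNetworkAccess bool

//Runtime Environment params
@sys.description('The name of the runtime environment to create')
param runtimeName string
//Each entry is read as an object with the properties name, contentLinkUri, packageVersion
//and runtimeEnvPackageName. The URIs decide what code is loaded into the runtime
//environment, so keep them to trusted sources and pinned versions.
@sys.description('An array of packages with URI links to PS Gallery')
param runtimeEnvironmentPackageList array
@sys.description('The RG where the automation account that has the runtime environment is')
param automationAccountRgName string

//Automation Account Variable params
@sys.description('Name of the Automation Account Variable')
param aaVariableName string
//Stored with string() in an Automation variable that does not set isEncrypted,
//so this list must not carry secrets.
@sys.description('List of Resource groups with Logic apps')
param aaVariablesList array

//Runbook source params
//The runbook resource in this file builds its publishContentLink URI from these five values as
//<devopsOrg>/_git/<repository>?version=GB<scriptBranch>&path=<runBookFolderName>/<scriptName>.
//They were referenced without being declared, which stops the template from compiling.
//Whoever controls these values controls the script the runbook publishes.
@sys.description('Base URL that precedes /_git/ in the runbook content link')
param devopsOrg string
@sys.description('Name of the git repository that holds the runbook script')
param repository string
@sys.description('Branch the runbook script is read from (appended to the GB version prefix)')
param scriptBranch string
@sys.description('Folder in the repository that contains the runbook script')
param runBookFolderName string
@sys.description('File name of the runbook script')
param scriptName string

//Role assignment params
//Each entry is read as an object with roleDefinitionName and roleDefinitionId.
//Nothing in this template restricts which roles can be passed in; keep the list to
//the minimum the runbooks need.
@sys.description('Roles to be applied to the Automation Account')
param automationAccountRoles array

//Existing resource groups
//Each entry is read as an object with resourceGroupName and roleAssignments.
//Every resource group listed here receives role assignments for this account,
//so review additions the same way as any other access grant.
@sys.description('The roles applied to allow runbook to trigger on specific resource group(s)')
param resourceGroupRoles array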
 
/********************************* 
  optional parameters 
*********************************/ 

/********************************* 
  resources 
*********************************/ 
 

//Deploys the automation account resource
//The account is created with a system-assigned managed identity; the role assignment
//resource in this file grants roles to that identity's principalId.
resource automationAccount 'Microsoft.Automation/automationAccounts@2024-10-23' = {
  name: automationAccountName
  location: location
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    //Taken straight from the parameter. true leaves the account reachable from public
    //networks; false requires private connectivity to be set up for anything that calls it.
    publicNetworkAccess: publicNetworkAccess
    //NOTE(review): disableLocalAuth is not set here - confirm whether key-based (local)
    //authentication is meant to stay enabled on this account.
    sku: {
      name: 'Basic'
    }
  }
}

//Resource to deploy the Runtime environment for automation accounts
//This allows a more automated way of managing non-standard packages required for runbook cmdlets
//The environment is a child of the automation account declared above and runs PowerShell 7.2.
resource RuntimeEnvironment 'Microsoft.Automation/automationAccounts/runtimeEnvironments@2024-10-23' = {
  name: runtimeName
  location: location
  parent: automationAccount
  properties: {
    //The Az default package is pinned to one exact version, so the module set does not
    //change between deployments; raising it is a deliberate edit to this file.
    defaultPackages: {
      az: '11.2.0'
    }
    runtime: {
      language: 'PowerShell'
      version: '7.2'
    }
  }
}

 
//Adds the non-standard packages to the Runtime Environment, one module deployment per
//entry of runtimeEnvironmentPackageList (for example MS Graph modules).
//Versions can be changed and further packages added through the parameter file;
//see the sample param file for the expected entry format.
//Each entry supplies name (used as the deployment name), contentLinkUri, packageVersion
//and runtimeEnvPackageName.
//NOTE(review): the module file is not shown here - presumably it imports the package from
//contentLinkUri. Whatever those URIs serve ends up available to runbooks, so they should
//point at trusted sources and at a fixed version rather than a "latest" link.

module RuntimeEnvironmentPackages 'automation-account-runtime-package-module-v1.bicep' = [
  for pkg in runtimeEnvironmentPackageList: {
    name: pkg.name
    scope: resourceGroup(automationAccountRgName)
    //The module is handed the environment only by name, so the ordering has to be explicit.
    dependsOn: [
      RuntimeEnvironment
    ]
    params: {
      automationAccountName: automationAccountName
      automationAccountRuntimeEnv: runtimeName
      runtimeEnvPackageName: pkg.runtimeEnvPackageName
      packageVersion: pkg.packageVersion
      contentLinkUri: pkg.contentLinkUri
    }
  }
]


//Pick up the script from the Azure DevOps repository and publish it as the content of the
//Automation Account runbook 'DeployRunbook' (PowerShell, progress logging on, verbose off).
//The content URI is assembled from devopsOrg, repository, scriptBranch, runBookFolderName
//and scriptName; these must be declared as parameters or variables of this template.
//The 'GB' prefix in the version query selects a branch, so the published content is whatever
//that branch holds at deployment time, and publishContentLink sets no contentHash, so the
//downloaded script is not compared against an expected hash.
//NOTE(review): consider referencing a fixed commit or tag and supplying contentHash, so the
//script that gets published is the one that was reviewed.
//NOTE(review): the URI carries no credential - confirm the Automation service can actually
//read this repository location, and that making it readable does not expose the repository.
resource runbook 'Microsoft.Automation/automationAccounts/runbooks@2024-10-23' = {
  name: 'DeployRunbook'
  location: location
  parent: automationAccount
  properties: {
    runbookType: 'PowerShell'
    logVerbose: false
    logProgress: true
    description: 'Test deploy Runbook'
    publishContentLink: {
      uri: '${devopsOrg}/_git/${repository}?version=GB${scriptBranch}&path=${runBookFolderName}/${scriptName}'
    }
  }
}
//Stores aaVariablesList in an Automation variable named aaVariableName on the account.
//string() turns the array into a single string value for the variable.
//isEncrypted is not set on this variable, so treat the value as readable by anyone who can
//read the account's variables and keep secrets out of it.
resource automationAccountVariables 'Microsoft.Automation/automationAccounts/variables@2024-10-23' = {
  name: aaVariableName
  parent: automationAccount
  properties: {
    value: string(aaVariablesList)
  }
}

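//Role assignments for the Automation account
//Grants every role listed in automationAccountRoles to the account's system-assigned
//identity, scoped to the Automation Account resource itself.
//The roles come entirely from the parameter; this resource applies whatever it is given.
resource roleAssignmentsAutomationAccount 'Microsoft.Authorization/roleAssignments@2022-04-01' = [
  for role in automationAccountRoles: {
    //The name has to sit on the same line as its key; a line break after 'name:' does not parse.
    //guid() makes the name deterministic, so a redeployment addresses the same assignment.
    //NOTE(review): the seed holds only the role and the account name, so two accounts with the
    //same name would derive the same GUID. The seed is left unchanged here because changing it
    //would rename assignments that already exist.
    name: guid('${role.roleDefinitionName}-${role.roleDefinitionId}-${automationAccountName}')
    scope: automationAccount
    properties: {
      principalId: automationAccount.identity.principalId
      //NOTE(review): presumably a full role definition resource ID - verify against the param file.
      roleDefinitionId: role.roleDefinitionId
      //The principal is the managed identity created together with the account in this deployment.
      principalType: 'ServicePrincipal'
    }
  }
]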

//Role assignments on other resource groups, needed so the runbook can manipulate logic apps.
//A module is used because these assignments target a scope other than the one the
//Automation Account is deployed into; one module deployment runs per resourceGroupRoles entry.
//See the sample payload for how to lay out the JSON params for a different resource group.
//Each listed resource group receives the entry's roleAssignments, so the parameter file is
//where least privilege is enforced - this template applies whatever it is given.
//NOTE(review): roleAssignments is also handed to the module as roleDefinitionArray, which
//suggests an array; confirm that interpolating it into the guid() seed behaves as intended.
//NOTE(review): the module is not shown here - confirm which parameter type it declares for
//assignedResource, since the whole resource symbol is passed to it.
module roleAssignmentRG1 '../Common/role-assignment-module.v1.bicep' = [
  for rgEntry in resourceGroupRoles: {
    name: guid('${rgEntry.resourceGroupName}-${rgEntry.roleAssignments}-${automationAccountName}')
    scope: resourceGroup(rgEntry.resourceGroupName)
    params: {
      azureResourceName: automationAccountName
      assignedResource: automationAccount
      resourceGroupName: rgEntry.resourceGroupName
      roleDefinitionArray: rgEntry.roleAssignments
    }
  }
]


/********************************* 
  output 
*********************************/ 
