@JanVidarElven
Created April 5, 2024 19:22
Deploy or Destroy Copilot for Security Capacity with Bicep and DevOps Pipelines
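# Azure DevOps pipeline: creates or updates the subscription-scope deployment stack
# with deploySecureCapacityUnit=true, so the Bicep template provisions the capacity.
name: CD-$(rev:r)-Deploy-Security-Copilot-$(Date:dd.MM.yyyy) # build numbering format

# No CI trigger: the pipeline runs only on the schedule below or when queued manually.
trigger: none

schedules:
  - cron: "0 7 * * 1-5" # 07:00 Monday-Friday; Azure DevOps evaluates cron schedules in UTC
    displayName: Morning weekdays
    branches:
      include:
        - main
    always: true # run even when main has no new commits

parameters:
  # Service connection used by the AzureCLI task. The identity behind it needs enough
  # rights to manage deployment stacks and resource groups in the target subscription;
  # keep its role assignment scoped to that subscription only.
  - name: azureServiceConnection
    type: string
    default: serviceconn-<your-wif-connection>
  # Free-text value that can be overridden when the run is queued; it is handed to the
  # script through an environment variable, never pasted into the script text.
  - name: azureSubscriptionTarget
    type: string
    default: '<your-sub-name-or-id>'
  - name: deploySecureCapacityUnit
    type: boolean
    default: true

pool:
  vmImage: windows-latest

variables:
  - name: deploymentDefaultLocation
    value: westeurope
  - name: deploymentBicepTemplate
    value: .\SecurityCopilot-Bicep\main.bicep
  # The destroy pipeline must use exactly the same stack name, otherwise it operates
  # on a different stack and the capacity keeps running.
  - name: deploymentStackName
    value: stack-scu-yourorg-we

jobs:
  - job:
    steps:
      - task: AzureCLI@2
        displayName: 'Deploy Security Copilot Compute Unit'
        inputs:
          azureSubscription: '${{ parameters.azureServiceConnection }}'
          scriptType: pscore
          scriptLocation: inlineScript
          inlineScript: |
            az --version
            az account set --subscription $env:TARGET_SUBSCRIPTION
            # The task only reports the exit code of the last command, so stop here
            # instead of running the stack operation against the connection's default subscription.
            if ($LASTEXITCODE -ne 0) { throw "Could not select the target subscription; aborting before any stack operation." }
            # --deny-settings-mode none: no deny assignments protect the managed resources
            #   from changes made outside the stack.
            # --action-on-unmanage deleteResources: resources that drop out of the template
            #   are deleted on the next run.
            az stack sub create `
              --location $(deploymentDefaultLocation) `
              --name "$(deploymentStackName)" `
              --template-file $(deploymentBicepTemplate) `
              --parameters deploySecureCapacityUnit=${{ parameters.deploySecureCapacityUnit }} `
              --deny-settings-mode none `
              --action-on-unmanage deleteResources
        env:
          # Template expressions are expanded into the script before it runs; passing the
          # string parameter as an environment variable keeps a crafted value from being
          # interpreted as PowerShell.
          TARGET_SUBSCRIPTION: '${{ parameters.azureSubscriptionTarget }}'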
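# Azure DevOps pipeline: re-applies the same deployment stack with
# deploySecureCapacityUnit=false. The capacity module then drops out of the template and
# --action-on-unmanage deleteResources removes the capacity that the stack was managing.
name: CD-$(rev:r)-Destroy-Security-Copilot-$(Date:dd.MM.yyyy) # build numbering format

# No CI trigger: the pipeline runs only on the schedule below or when queued manually.
trigger: none

schedules:
  - cron: "0 14 * * 1-5" # 14:00 Monday-Friday; Azure DevOps evaluates cron schedules in UTC
    displayName: Afternoon weekdays
    branches:
      include:
        - main
    always: true # run even when main has no new commits

parameters:
  # Service connection used by the AzureCLI task. This run deletes resources, so keep the
  # identity's role assignment scoped to the one subscription it has to manage.
  - name: azureServiceConnection
    type: string
    default: serviceconn-<your-wif-connection>
  # Free-text value that can be overridden when the run is queued; it is handed to the
  # script through an environment variable, never pasted into the script text.
  - name: azureSubscriptionTarget
    type: string
    default: '<your-sub-name-or-id>'
  - name: deploySecureCapacityUnit
    type: boolean
    default: false

pool:
  vmImage: windows-latest

variables:
  - name: deploymentDefaultLocation
    value: westeurope
  - name: deploymentBicepTemplate
    value: .\SecurityCopilot-Bicep\main.bicep
  # Must be identical to the stack name used by the deploy pipeline; with a different
  # name this run would act on another stack and leave the capacity in place.
  - name: deploymentStackName
    value: stack-scu-yourorg-we

jobs:
  - job:
    steps:
      - task: AzureCLI@2
        displayName: 'Destroy Security Copilot Compute Unit'
        inputs:
          azureSubscription: '${{ parameters.azureServiceConnection }}'
          scriptType: pscore
          scriptLocation: inlineScript
          inlineScript: |
            az --version
            az account set --subscription $env:TARGET_SUBSCRIPTION
            # The task only reports the exit code of the last command, so stop here
            # instead of deleting resources in the connection's default subscription.
            if ($LASTEXITCODE -ne 0) { throw "Could not select the target subscription; aborting before any stack operation." }
            # --deny-settings-mode none: no deny assignments protect the managed resources
            #   from changes made outside the stack.
            # --action-on-unmanage deleteResources: this is what removes the capacity once
            #   the module is no longer part of the template.
            az stack sub create `
              --location $(deploymentDefaultLocation) `
              --name "$(deploymentStackName)" `
              --template-file $(deploymentBicepTemplate) `
              --parameters deploySecureCapacityUnit=${{ parameters.deploySecureCapacityUnit }} `
              --deny-settings-mode none `
              --action-on-unmanage deleteResources
        env:
          # Template expressions are expanded into the script before it runs; passing the
          # string parameter as an environment variable keeps a crafted value from being
          # interpreted as PowerShell.
          TARGET_SUBSCRIPTION: '${{ parameters.azureSubscriptionTarget }}'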
// Subscription-scope entry template: always creates the resource group and, when
// deploySecureCapacityUnit is true, deploys the capacity module into it.
targetScope = 'subscription'

// Environment label (dev, test, prod...); it ends up in the Environment and Application tags.
param environment string = 'dev'
param applicationName string = 'security-copilot'
param location string = 'westeurope'
param resourceGroupName string = 'rg-sec-copilot-scu-we'
param capacityName string = 'scu-<yourorg>-we'
param capacityGeo string = 'EU'

// Capacity sizing, plus the switch the pipelines flip to provision or remove the capacity.
param defaultNumberOfUnits int = 1
param deploySecureCapacityUnit bool = true

// Tag set shared by the resource group and the capacity.
var commonTags = {
  Environment: environment
  Application: '${applicationName}-${environment}'
  Dataclassification: 'Confidential'
  Costcenter: 'AI'
  Criticality: 'Normal'
  Service: 'Security Copilot'
  Deploymenttype: 'Bicep'
  Owner: 'Jan Vidar Elven'
  Business: 'Elven'
}

// The resource group is unconditional, so it stays in the template when the capacity is switched off.
resource capacityGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
  name: resourceGroupName
  location: location
  tags: commonTags
}

// Conditional module: when the flag is false the capacity is simply not part of the
// template. Cross-geo prompt evaluation is pinned to 'NotAllowed' here.
module capacity 'secure-capacity/secure-compute-unit.bicep' = if (deploySecureCapacityUnit) {
  name: capacityName
  scope: capacityGroup
  params: {
    capacityName: capacityName
    geo: capacityGeo
    crossGeoCompute: 'NotAllowed'
    numberOfUnits: defaultNumberOfUnits
    resourceTags: commonTags
  }
}
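// Secure Compute Unit - Bicep module
// Created by - Jan Vidar Elven
// Deploys one Microsoft.SecurityCopilot/capacities resource into the resource group
// chosen by the caller.

@description('The name of the Security Copilot Capacity. It has to be unique.')
param capacityName string

@description('A list of tags to apply to the resources')
param resourceTags object

@description('Number of Secure Compute Units.')
@allowed([
  1
  2
  3
])
param numberOfUnits int

// Data-residency switch: 'NotAllowed' keeps prompt evaluation inside the selected geo.
@description('If Prompts are allowed to cross default region for performance reasons.')
@allowed([
  'NotAllowed'
  'Allowed'
])
param crossGeoCompute string

@description('Prompt evaluation region. Allowed values are EU, ANZ, US, UK.')
@allowed([
  'EU'
  'ANZ'
  'US'
  'UK'
])
param geo string

// Azure region used for the capacity resource in each geo. Every value accepted by the
// geo parameter must have an entry here.
var locationMap = {
  EU: 'westeurope'
  ANZ: 'australiaeast'
  US: 'eastus'
  UK: 'uksouth'
}

// geo is restricted by @allowed to the keys of locationMap, so a direct lookup is enough;
// the previous fallback to 'defaultlocation' was unreachable and is not a usable region name.
var location = locationMap[geo]

resource Copilot 'Microsoft.SecurityCopilot/capacities@2023-12-01-preview' = {
  name: capacityName
  location: location
  properties: {
    numberOfUnits: numberOfUnits
    crossGeoCompute: crossGeoCompute
    geo: geo
  }
  tags: resourceTags
}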