From 7407de03082ca2e409772c6895c7697c7d78db5d Mon Sep 17 00:00:00 2001 
From: Jason Masten Date: Sat, 20 Jan 2024 23:53:03 -0500 Subject: [PATCH 01/28] Added storage pvt endpoints & customer managed keys, Fixed idempotency --- src/bicep/core/hub-diagnostics.bicep | 58 + src/bicep/core/hub-network.bicep | 304 +- src/bicep/core/hub-storage.bicep | 31 + .../operations-customer-managed-keys.bicep | 31 + src/bicep/core/remote-access.bicep | 83 +- src/bicep/core/spoke-diagnostics.bicep | 30 + src/bicep/core/spoke-network.bicep | 79 +- src/bicep/core/spoke-storage.bicep | 31 + src/bicep/form/mlz.portal.json | 4 +- src/bicep/mlz.bicep | 419 +- src/bicep/mlz.json | 9034 ++++++++--------- src/bicep/modules/bastion-host.bicep | 28 +- src/bicep/modules/firewall-diagnostics.bicep | 27 + src/bicep/modules/firewall.bicep | 75 +- src/bicep/modules/key-vault.bicep | 99 + src/bicep/modules/linux-virtual-machine.bicep | 38 +- src/bicep/modules/network-interface.bicep | 1 - .../network-security-group-diagnostics.bicep | 26 + .../modules/network-security-group.bicep | 22 +- src/bicep/modules/network-watcher.bicep | 10 + src/bicep/modules/private-dns.bicep | 1 + .../public-ip-address-diagnostics.bicep | 25 + src/bicep/modules/public-ip-address.bicep | 29 +- src/bicep/modules/route-table.bicep | 7 +- src/bicep/modules/storage-account.bicep | 85 +- .../modules/user-assigned-identity.bicep | 21 + .../modules/virtual-network-diagnostics.bicep | 25 + src/bicep/modules/virtual-network.bicep | 25 +- .../modules/windows-virtual-machine.bicep | 15 +- 29 files changed, 5192 insertions(+), 5471 deletions(-) create mode 100644 src/bicep/core/hub-diagnostics.bicep create mode 100644 src/bicep/core/hub-storage.bicep create mode 100644 src/bicep/core/operations-customer-managed-keys.bicep create mode 100644 src/bicep/core/spoke-diagnostics.bicep create mode 100644 src/bicep/core/spoke-storage.bicep create mode 100644 src/bicep/modules/firewall-diagnostics.bicep create mode 100644 src/bicep/modules/key-vault.bicep create mode 100644 
src/bicep/modules/network-security-group-diagnostics.bicep create mode 100644 src/bicep/modules/network-watcher.bicep create mode 100644 src/bicep/modules/public-ip-address-diagnostics.bicep create mode 100644 src/bicep/modules/user-assigned-identity.bicep create mode 100644 src/bicep/modules/virtual-network-diagnostics.bicep diff --git a/src/bicep/core/hub-diagnostics.bicep b/src/bicep/core/hub-diagnostics.bicep new file mode 100644 index 000000000..40ed0359e --- /dev/null +++ b/src/bicep/core/hub-diagnostics.bicep 
@@ -0,0 +1,58 @@
+param firewallDiagnosticsLogs array
+param firewallDiagnosticsMetrics array
+param firewallName string
+param hubStorageAccountResourceId string
+param logAnalyticsWorkspaceResourceId string
+param networkSecurityGroupDiagnosticsLogs array
+param networkSecurityGroupDiagnosticsMetrics array
+param networkSecurityGroupName string
+param publicIPAddressDiagnosticsLogs array
+param publicIPAddressDiagnosticsMetrics array
+param publicIPAddressNames array
+param virtualNetworkDiagnosticsLogs array
+param virtualNetworkDiagnosticsMetrics array
+param virtualNetworkName string
+
+module networkSecurityGroupDiagnostics '../modules/network-security-group-diagnostics.bicep' = {
+ name: 'networkSecurityGroupDiagnostics'
+ params: {
+ logAnalyticsWorkspaceResourceId: logAnalyticsWorkspaceResourceId
+ logs: networkSecurityGroupDiagnosticsLogs
+ logStorageAccountResourceId: hubStorageAccountResourceId
+ metrics: networkSecurityGroupDiagnosticsMetrics
+ name: networkSecurityGroupName
+ }
+}
+
+module virtualNetworkDiagnostics '../modules/virtual-network-diagnostics.bicep' = {
+ name: 'virtualNetworkDiagnostics'
+ params: {
+ logAnalyticsWorkspaceResourceId: logAnalyticsWorkspaceResourceId
+ logs: virtualNetworkDiagnosticsLogs
+ logStorageAccountResourceId: hubStorageAccountResourceId
+ metrics: virtualNetworkDiagnosticsMetrics
+ name: virtualNetworkName
+ }
+}
+
+module publicIpAddressDiagnostics '../modules/public-ip-address-diagnostics.bicep' = [for publicIPAddressName in publicIPAddressNames: {
+ name: 'publicIPAddressDiagnostics_${publicIPAddressName}'
+ params: {
+ hubStorageAccountResourceId: hubStorageAccountResourceId
+ logAnalyticsWorkspaceResourceId: logAnalyticsWorkspaceResourceId
+ name: publicIPAddressName
+ publicIPAddressDiagnosticsLogs: publicIPAddressDiagnosticsLogs
+ publicIPAddressDiagnosticsMetrics: publicIPAddressDiagnosticsMetrics
+ }
+}]
+
+module firewallDiagnostics '../modules/firewall-diagnostics.bicep' = {
+ name: 
'firewallDiagnostics'
+ params: {
+ logAnalyticsWorkspaceResourceId: logAnalyticsWorkspaceResourceId
+ logs: firewallDiagnosticsLogs
+ logStorageAccountResourceId: hubStorageAccountResourceId
+ metrics: firewallDiagnosticsMetrics
+ name: firewallName
+ }
+}
diff --git a/src/bicep/core/hub-network.bicep b/src/bicep/core/hub-network.bicep
index 1360d5c4f..3ffb56514 100644
--- a/src/bicep/core/hub-network.bicep
+++ b/src/bicep/core/hub-network.bicep
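Review bot: The new hub-diagnostics.bicep has no `@description` decorators on any of its fourteen parameters and omits the `/* Copyright (c) Microsoft Corporation. Licensed under the MIT License. */` header that hub-storage.bicep and operations-customer-managed-keys.bicep in this same patch carry; spoke-diagnostics.bicep has the same omission. The `publicIpAddressDiagnostics` module call is also the odd one out in its parameter naming (`hubStorageAccountResourceId`, `publicIPAddressDiagnosticsLogs`, `publicIPAddressDiagnosticsMetrics`) while the NSG, VNet and firewall modules all take `logStorageAccountResourceId`, `logs` and `metrics`; aligning the public-ip-address-diagnostics module's interface with the other three would make the four calls interchangeable. The per-item deployment name `'publicIPAddressDiagnostics_${publicIPAddressName}'` inherits the full public IP name, so if the naming convention can produce long names this may approach the deployment-name length limit — worth a check, as that file is not in this patch.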
@@ -3,248 +3,194 @@ Copyright (c) Microsoft Corporation. Licensed under the MIT License. */ -param location string = resourceGroup().location -param tags object = {} - -param logStorageAccountName string -param logStorageSkuName string -param vNetDnsServers array = [] - -param logAnalyticsWorkspaceResourceId string - -param virtualNetworkName string -param virtualNetworkAddressPrefix string -param virtualNetworkDiagnosticsLogs array -param virtualNetworkDiagnosticsMetrics array - -param networkSecurityGroupName string -param networkSecurityGroupRules array -param networkSecurityGroupDiagnosticsLogs array -param networkSecurityGroupDiagnosticsMetrics array - -param subnetName string -param subnetAddressPrefix string -param subnetServiceEndpoints array - -param routeTableName string = '${subnetName}-routetable' -param routeTableRouteName string = 'default_route' -param routeTableRouteAddressPrefix string = '0.0.0.0/0' -param routeTableRouteNextHopType string = 'VirtualAppliance' - -param firewallName string -param firewallSkuTier string -param firewallPolicyName string - -param enableProxy bool = false -param dnsServers array = [] - -param firewallSupernetIPAddress string - -@allowed([ - 'Alert' - 'Deny' - 'Off' -]) -param firewallThreatIntelMode string - +param bastionHostSubnetAddressPrefix string +param deployRemoteAccess bool +param dnsServers array +param enableProxy bool +param firewallClientIpConfigurationName string +param firewallClientPrivateIpAddress string +param firewallClientPublicIPAddressAvailabilityZones array +param firewallClientPublicIPAddressName string +param firewallClientPublicIPAddressSkuName string +param firewallClientPublicIpAllocationMethod string +param firewallClientSubnetAddressPrefix string +param firewallClientSubnetName string @allowed([ 'Alert' 'Deny' 'Off' ]) param firewallIntrusionDetectionMode string -param firewallDiagnosticsLogs array -param firewallDiagnosticsMetrics array -param firewallClientIpConfigurationName string 
-param firewallClientSubnetName string -param firewallClientSubnetAddressPrefix string -param firewallClientSubnetServiceEndpoints array -param firewallClientPublicIPAddressName string -param firewallClientPublicIPAddressSkuName string -param firewallClientPublicIpAllocationMethod string -param firewallClientPublicIPAddressAvailabilityZones array param firewallManagementIpConfigurationName string -param firewallManagementSubnetName string -param firewallManagementSubnetAddressPrefix string -param firewallManagementSubnetServiceEndpoints array +param firewallManagementPublicIPAddressAvailabilityZones array param firewallManagementPublicIPAddressName string param firewallManagementPublicIPAddressSkuName string param firewallManagementPublicIpAllocationMethod string -param firewallManagementPublicIPAddressAvailabilityZones array - -param publicIPAddressDiagnosticsLogs array -param publicIPAddressDiagnosticsMetrics array - -module logStorage '../modules/storage-account.bicep' = { - name: 'logStorage' - params: { - storageAccountName: logStorageAccountName - location: location - skuName: logStorageSkuName - tags: tags +param firewallManagementSubnetAddressPrefix string +param firewallManagementSubnetName string +param firewallName string +param firewallPolicyName string +param firewallSkuTier string +param firewallSupernetIPAddress string +@allowed([ + 'Alert' + 'Deny' + 'Off' +]) +param firewallThreatIntelMode string +param location string +param networkSecurityGroupName string +param networkSecurityGroupRules array +param networkWatcherName string +param routeTableName string = '${subnetName}-routetable' +param routeTableRouteAddressPrefix string = '0.0.0.0/0' +param routeTableRouteName string = 'default_route' +param routeTableRouteNextHopType string = 'VirtualAppliance' +param subnetAddressPrefix string +param subnetName string +param tags object +param virtualNetworkAddressPrefix string +param virtualNetworkName string +param vNetDnsServers array + +var subnets = 
union(subnetsCommon, subnetsBastion) +var subnetsBastion = deployRemoteAccess ? [ + { + name: 'AzureBastionSubnet' + properties: { + addressPrefix: bastionHostSubnetAddressPrefix + } } -} +] : [] +var subnetsCommon = [ + { + name: 'AzureFirewallSubnet' + properties: { + addressPrefix: firewallClientSubnetAddressPrefix + } + } + { + name: 'AzureFirewallManagementSubnet' + properties: { + addressPrefix: firewallManagementSubnetAddressPrefix + } + } + { + name: subnetName + properties: { + addressPrefix: subnetAddressPrefix + networkSecurityGroup: { + id: networkSecurityGroup.outputs.id + } + privateEndpointNetworkPolicies: 'Disabled' + privateLinkServiceNetworkPolicies: 'Disabled' + routeTable: { + id: routeTable.outputs.id + } + } + } +] module networkSecurityGroup '../modules/network-security-group.bicep' = { name: 'networkSecurityGroup' params: { - name: networkSecurityGroupName location: location - tags: tags - + name: networkSecurityGroupName securityRules: networkSecurityGroupRules - - logAnalyticsWorkspaceResourceId: logAnalyticsWorkspaceResourceId - logStorageAccountResourceId: logStorage.outputs.id - - logs: networkSecurityGroupDiagnosticsLogs - metrics: networkSecurityGroupDiagnosticsMetrics + tags: tags } } -module virtualNetwork '../modules/virtual-network.bicep' = { - name: 'virtualNetwork' +module routeTable '../modules/route-table.bicep' = { + name: 'routeTable' params: { - name: virtualNetworkName location: location + name: routeTableName + routeAddressPrefix: routeTableRouteAddressPrefix + routeName: routeTableRouteName + routeNextHopIpAddress: firewallClientPrivateIpAddress + routeNextHopType: routeTableRouteNextHopType tags: tags - - addressPrefix: virtualNetworkAddressPrefix - vNetDnsServers: vNetDnsServers - - subnets: [ - { - name: firewallClientSubnetName - properties: { - addressPrefix: firewallClientSubnetAddressPrefix - serviceEndpoints: firewallClientSubnetServiceEndpoints - } - } - { - name: firewallManagementSubnetName - properties: { - 
addressPrefix: firewallManagementSubnetAddressPrefix - serviceEndpoints: firewallManagementSubnetServiceEndpoints - } - } - ] - - logAnalyticsWorkspaceResourceId: logAnalyticsWorkspaceResourceId - logStorageAccountResourceId: logStorage.outputs.id - - logs: virtualNetworkDiagnosticsLogs - metrics: virtualNetworkDiagnosticsMetrics } } -module routeTable '../modules/route-table.bicep' = { - name: 'routeTable' +module networkWatcher '../modules/network-watcher.bicep' = { + name: 'networkWatcher' params: { - name: routeTableName location: location + name: networkWatcherName tags: tags - - routeName: routeTableRouteName - routeAddressPrefix: routeTableRouteAddressPrefix - routeNextHopIpAddress: firewall.outputs.privateIPAddress - routeNextHopType: routeTableRouteNextHopType } } -resource subnet 'Microsoft.Network/virtualNetworks/subnets@2021-02-01' = { - name: '${virtualNetworkName}/${subnetName}' - properties: { - addressPrefix: subnetAddressPrefix - networkSecurityGroup: { - id: networkSecurityGroup.outputs.id - } - routeTable: { - id: routeTable.outputs.id - } - serviceEndpoints: subnetServiceEndpoints - privateEndpointNetworkPolicies: 'Disabled' - privateLinkServiceNetworkPolicies: 'Enabled' +module virtualNetwork '../modules/virtual-network.bicep' = { + name: 'virtualNetwork' + params: { + addressPrefix: virtualNetworkAddressPrefix + location: location + name: virtualNetworkName + subnets: subnets + tags: tags + vNetDnsServers: vNetDnsServers } dependsOn: [ - virtualNetwork - firewall + networkWatcher ] } module firewallClientPublicIPAddress '../modules/public-ip-address.bicep' = { name: 'firewallClientPublicIPAddress' params: { - name: firewallClientPublicIPAddressName + availabilityZones: firewallClientPublicIPAddressAvailabilityZones location: location - tags: tags - - skuName: firewallClientPublicIPAddressSkuName + name: firewallClientPublicIPAddressName publicIpAllocationMethod: firewallClientPublicIpAllocationMethod - availabilityZones: 
firewallClientPublicIPAddressAvailabilityZones - - logAnalyticsWorkspaceResourceId: logAnalyticsWorkspaceResourceId - logStorageAccountResourceId: logStorage.outputs.id - - logs: publicIPAddressDiagnosticsLogs - metrics: publicIPAddressDiagnosticsMetrics + skuName: firewallClientPublicIPAddressSkuName + tags: tags } } module firewallManagementPublicIPAddress '../modules/public-ip-address.bicep' = { name: 'firewallManagementPublicIPAddress' params: { - name: firewallManagementPublicIPAddressName + availabilityZones: firewallManagementPublicIPAddressAvailabilityZones location: location - tags: tags - - skuName: firewallManagementPublicIPAddressSkuName + name: firewallManagementPublicIPAddressName publicIpAllocationMethod: firewallManagementPublicIpAllocationMethod - availabilityZones: firewallManagementPublicIPAddressAvailabilityZones - - logAnalyticsWorkspaceResourceId: logAnalyticsWorkspaceResourceId - logStorageAccountResourceId: logStorage.outputs.id - - logs: publicIPAddressDiagnosticsLogs - metrics: publicIPAddressDiagnosticsMetrics + skuName: firewallManagementPublicIPAddressSkuName + tags: tags } } module firewall '../modules/firewall.bicep' = { name: 'firewall' params: { - name: firewallName - location: location - tags: tags - - skuTier: firewallSkuTier - - firewallPolicyName: firewallPolicyName - threatIntelMode: firewallThreatIntelMode - intrusionDetectionMode: firewallIntrusionDetectionMode clientIpConfigurationName: firewallClientIpConfigurationName - clientIpConfigurationSubnetResourceId: '${virtualNetwork.outputs.id}/subnets/${firewallClientSubnetName}' clientIpConfigurationPublicIPAddressResourceId: firewallClientPublicIPAddress.outputs.id - firewallSupernetIPAddress: firewallSupernetIPAddress - enableProxy: enableProxy + clientIpConfigurationSubnetResourceId: '${virtualNetwork.outputs.id}/subnets/${firewallClientSubnetName}' dnsServers: dnsServers - + enableProxy: enableProxy + firewallPolicyName: firewallPolicyName + firewallSupernetIPAddress: 
firewallSupernetIPAddress + intrusionDetectionMode: firewallIntrusionDetectionMode + location: location managementIpConfigurationName: firewallManagementIpConfigurationName - managementIpConfigurationSubnetResourceId: '${virtualNetwork.outputs.id}/subnets/${firewallManagementSubnetName}' managementIpConfigurationPublicIPAddressResourceId: firewallManagementPublicIPAddress.outputs.id - - logAnalyticsWorkspaceResourceId: logAnalyticsWorkspaceResourceId - logStorageAccountResourceId: logStorage.outputs.id - - logs: firewallDiagnosticsLogs - metrics: firewallDiagnosticsMetrics + managementIpConfigurationSubnetResourceId: '${virtualNetwork.outputs.id}/subnets/${firewallManagementSubnetName}' + name: firewallName + skuTier: firewallSkuTier + tags: tags + threatIntelMode: firewallThreatIntelMode } } -output virtualNetworkName string = virtualNetwork.outputs.name -output virtualNetworkResourceId string = virtualNetwork.outputs.id -output subnetName string = subnet.name -output subnetAddressPrefix string = subnet.properties.addressPrefix -output subnetResourceId string = subnet.id +output bastionHostSubnetResourceId string = deployRemoteAccess ? virtualNetwork.outputs.subnets[3].id : '' +output firewallName string = firewall.outputs.name +output firewallPrivateIPAddress string = firewall.outputs.privateIPAddress output networkSecurityGroupName string = networkSecurityGroup.outputs.name output networkSecurityGroupResourceId string = networkSecurityGroup.outputs.id -output firewallPrivateIPAddress string = firewall.outputs.privateIPAddress +output subnetAddressPrefix string = virtualNetwork.outputs.subnets[2].properties.addressPrefix +output subnetName string = virtualNetwork.outputs.subnets[2].name +output subnetResourceId string = virtualNetwork.outputs.subnets[2].id +output virtualNetworkName string = virtualNetwork.outputs.name +output virtualNetworkResourceId string = virtualNetwork.outputs.id 
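Review bot: `subnetsCommon` hard-codes the subnet names `'AzureFirewallSubnet'` and `'AzureFirewallManagementSubnet'`, yet the firewall module still builds `clientIpConfigurationSubnetResourceId` and `managementIpConfigurationSubnetResourceId` from the `firewallClientSubnetName` and `firewallManagementSubnetName` parameters, so any caller value other than those two literals yields a subnet resource id that does not exist in the VNet; either use the parameters in `subnetsCommon` (`name: firewallClientSubnetName`, `name: firewallManagementSubnetName`) or pin them with `@allowed`. The outputs select subnets by position (`subnets[2]`, `subnets[3]`), which silently returns the wrong subnet if `subnetsCommon` or `subnetsBastion` is ever reordered; a lookup by name would be safer. Separately, the hub subnet's `privateLinkServiceNetworkPolicies` changes from `'Enabled'` to `'Disabled'`, which turns off NSG evaluation for Private Link Service traffic on that subnet; the commit message does not mention it, so confirm it is intended rather than a copy of the private endpoint setting. Finally, the default route now targets the `firewallClientPrivateIpAddress` parameter instead of `firewall.outputs.privateIPAddress`, and nothing here verifies the two agree; a mismatch would send `0.0.0.0/0` to a non-firewall next hop, so at least document the assumption on the parameter, e.g. `@description('Must equal the private IP Azure Firewall receives in the AzureFirewallSubnet; the hub default route points here.')`.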
diff --git a/src/bicep/core/hub-storage.bicep b/src/bicep/core/hub-storage.bicep
new file mode 100644
index 000000000..9526d0d37
--- /dev/null
+++ b/src/bicep/core/hub-storage.bicep
@@ -0,0 +1,31 @@
+/*
+Copyright (c) Microsoft Corporation.
+Licensed under the MIT License.
+*/
+
+param azureBlobsPrivateDnsZoneResourceId string
+param keyVaultUri string
+param logStorageAccountName string
+param logStorageSkuName string
+param location string
+param storageEncryptionKeyName string
+param subnetResourceId string
+param tags object
+param userAssignedIdentityResourceId string
+
+module storageAccount '../modules/storage-account.bicep' = {
+ name: 'storage'
+ params: {
+ azureBlobsPrivateDnsZoneResourceId: azureBlobsPrivateDnsZoneResourceId
+ userAssignedIdentityResourceId: userAssignedIdentityResourceId
+ keyVaultUri: keyVaultUri
+ location: location
+ skuName: logStorageSkuName
+ storageAccountName: logStorageAccountName
+ storageEncryptionKeyName: storageEncryptionKeyName
+ subnetResourceId: subnetResourceId
+ tags: tags
+ }
+}
+
+output storageAccountResourceId string = storageAccount.outputs.id
diff --git a/src/bicep/core/operations-customer-managed-keys.bicep b/src/bicep/core/operations-customer-managed-keys.bicep
new file mode 100644
index 000000000..9e8907523
--- /dev/null
+++ b/src/bicep/core/operations-customer-managed-keys.bicep
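Review bot: hub-storage.bicep exposes the account as `output storageAccountResourceId`, while the otherwise identical spoke-storage.bicep in this patch exposes it as `output ResourceId` (PascalCase, and a different name), so the caller has to special-case the two; pick one name, e.g. `output storageAccountResourceId string = storageAccount.outputs.id`, in both files. Within the `storageAccount` module call here, `userAssignedIdentityResourceId` is placed before `keyVaultUri`, breaking the alphabetical ordering the rest of this commit adopts, and the spoke-storage call is not ordered at all. Both files also lack `@description` decorators on the parameters, which matters most for `keyVaultUri`, `storageEncryptionKeyName` and `userAssignedIdentityResourceId`, since a reader cannot otherwise tell that these together configure customer-managed-key encryption for the log storage account.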
@@ -0,0 +1,31 @@
+/*
+Copyright (c) Microsoft Corporation.
+Licensed under the MIT License.
+*/
+
+param keyVaultName string
+param location string
+param tags object
+param userAssignedIdentityName string
+
+module keyVault '../modules/key-vault.bicep' = {
+ name: 'keyVault'
+ params: {
+ keyVaultName: keyVaultName
+ location: location
+ tags: tags
+ }
+}
+
+module userAssignedIdentity '../modules/user-assigned-identity.bicep' = {
+ name: 'userAssignedIdentity'
+ params: {
+ location: location
+ name: userAssignedIdentityName
+ tags: tags
+ }
+}
+
+output keyVaultUri string = keyVault.outputs.keyVaultUri
+output storageKeyName string = keyVault.outputs.storageKeyName
+output userAssignedIdentityResourceId string = userAssignedIdentity.outputs.resourceId
diff --git a/src/bicep/core/remote-access.bicep b/src/bicep/core/remote-access.bicep
index 3fdcf3e77..50d3290e4 100644
--- a/src/bicep/core/remote-access.bicep
+++ b/src/bicep/core/remote-access.bicep
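Review bot: The user-assigned identity is created next to the key vault, but nothing in this template connects the two: the `keyVault` module receives only `keyVaultName`, `location` and `tags`, and the identity's principal id is never passed anywhere, so no key permission (access policy or a role such as Key Vault Crypto Service Encryption User on the vault) is granted here. Unless key-vault.bicep grants it internally — that file is new in this patch but not shown — the storage accounts that consume `keyVaultUri`/`storageKeyName`/`userAssignedIdentityResourceId` will fail their customer-managed-key configuration at deploy time with a key access error. Passing the identity's principal id into the key-vault module (e.g. `<PRINCIPAL_ID_OUTPUT>` from user-assigned-identity.bicep, if it exposes one) and assigning the role there keeps the grant scoped to wrap/unwrap on that vault rather than requiring a broader assignment elsewhere. A `@description` on `userAssignedIdentityName` stating that this identity is the one storage accounts use to reach the encryption key would also help the next reader.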
@@ -3,81 +3,66 @@ Copyright (c) Microsoft Corporation. Licensed under the MIT License. */ -param location string -param tags object = {} - -param hubVirtualNetworkName string -param hubSubnetResourceId string -param hubNetworkSecurityGroupResourceId string - +param bastionHostIPConfigurationName string param bastionHostName string -param bastionHostSubnetAddressPrefix string -param bastionHostPublicIPAddressName string -param bastionHostPublicIPAddressSkuName string param bastionHostPublicIPAddressAllocationMethod string param bastionHostPublicIPAddressAvailabilityZones array -param bastionHostIPConfigurationName string - -param linuxNetworkInterfaceName string +param bastionHostPublicIPAddressName string +param bastionHostPublicIPAddressSkuName string +param bastionHostSubnetResourceId string +param hubNetworkSecurityGroupResourceId string +param hubSubnetResourceId string param linuxNetworkInterfaceIpConfigurationName string +param linuxNetworkInterfaceName string param linuxNetworkInterfacePrivateIPAddressAllocationMethod string - -param linuxVmName string -param linuxVmSize string -param linuxVmOsDiskCreateOption string -param linuxVmOsDiskType string -param linuxVmImagePublisher string -param linuxVmImageOffer string -param linuxVmImageSku string -param linuxVmImageVersion string +@secure() +@minLength(12) +param linuxVmAdminPasswordOrKey string param linuxVmAdminUsername string @allowed([ 'sshPublicKey' 'password' ]) param linuxVmAuthenticationType string -@secure() -@minLength(12) -param linuxVmAdminPasswordOrKey string - -param windowsNetworkInterfaceName string +param linuxVmImageOffer string +param linuxVmImagePublisher string +param linuxVmImageSku string +param linuxVmImageVersion string +param linuxVmName string +param linuxVmOsDiskCreateOption string +param linuxVmOsDiskType string +param linuxVmSize string +param location string +param logAnalyticsWorkspaceId string +param tags object param windowsNetworkInterfaceIpConfigurationName string +param 
windowsNetworkInterfaceName string param windowsNetworkInterfacePrivateIPAddressAllocationMethod string - -param windowsVmName string -param windowsVmSize string -param windowsVmAdminUsername string @secure() @minLength(12) param windowsVmAdminPassword string -param windowsVmPublisher string +param windowsVmAdminUsername string +param windowsVmCreateOption string +param windowsVmName string param windowsVmOffer string +param windowsVmPublisher string +param windowsVmSize string param windowsVmSku string -param windowsVmVersion string -param windowsVmCreateOption string param windowsVmStorageAccountType string - -param logAnalyticsWorkspaceId string - -resource hubVirtualNetwork 'Microsoft.Network/virtualNetworks@2021-02-01' existing = { - name: hubVirtualNetworkName -} +param windowsVmVersion string module bastionHost '../modules/bastion-host.bicep' = { name: 'remoteAccess-bastionHost' - params: { - name: bastionHostName + bastionHostSubnetResourceId: bastionHostSubnetResourceId + ipConfigurationName: bastionHostIPConfigurationName location: location - tags: tags - - virtualNetworkName: hubVirtualNetwork.name - subnetAddressPrefix: bastionHostSubnetAddressPrefix - publicIPAddressName: bastionHostPublicIPAddressName - publicIPAddressSkuName: bastionHostPublicIPAddressSkuName + name: bastionHostName publicIPAddressAllocationMethod: bastionHostPublicIPAddressAllocationMethod publicIPAddressAvailabilityZones: bastionHostPublicIPAddressAvailabilityZones - ipConfigurationName: bastionHostIPConfigurationName + publicIPAddressName: bastionHostPublicIPAddressName + publicIPAddressSkuName: bastionHostPublicIPAddressSkuName + tags: tags } } diff --git a/src/bicep/core/spoke-diagnostics.bicep b/src/bicep/core/spoke-diagnostics.bicep new file mode 100644 index 000000000..d1ab9d7e6 --- /dev/null +++ b/src/bicep/core/spoke-diagnostics.bicep 
@@ -0,0 +1,30 @@
+param hubStorageAccountResourceId string
+param logAnalyticsWorkspaceResourceId string
+param networkSecurityGroupDiagnosticsLogs array
+param networkSecurityGroupDiagnosticsMetrics array
+param networkSecurityGroupName string
+param virtualNetworkDiagnosticsLogs array
+param virtualNetworkDiagnosticsMetrics array
+param virtualNetworkName string
+
+module networkSecurityGroupDiagnostics '../modules/network-security-group-diagnostics.bicep' = {
+ name: 'networkSecurityGroupDiagnostics'
+ params: {
+ logAnalyticsWorkspaceResourceId: logAnalyticsWorkspaceResourceId
+ logs: networkSecurityGroupDiagnosticsLogs
+ logStorageAccountResourceId: hubStorageAccountResourceId
+ metrics: networkSecurityGroupDiagnosticsMetrics
+ name: networkSecurityGroupName
+ }
+}
+
+module virtualNetworkDiagnostics '../modules/virtual-network-diagnostics.bicep' = {
+ name: 'virtualNetworkDiagnostics'
+ params: {
+ logAnalyticsWorkspaceResourceId: logAnalyticsWorkspaceResourceId
+ logs: virtualNetworkDiagnosticsLogs
+ logStorageAccountResourceId: hubStorageAccountResourceId
+ metrics: virtualNetworkDiagnosticsMetrics
+ name: virtualNetworkName
+ }
+}
diff --git a/src/bicep/core/spoke-network.bicep b/src/bicep/core/spoke-network.bicep
index 25ea25b4c..0e9dc4851 100644
--- a/src/bicep/core/spoke-network.bicep
+++ b/src/bicep/core/spoke-network.bicep
@@ -3,92 +3,52 @@ Copyright (c) Microsoft Corporation. Licensed under the MIT License. */ -param location string = resourceGroup().location -param tags object = {} - -param logStorageAccountName string -param logStorageSkuName string - -param logAnalyticsWorkspaceResourceId string - -param firewallPrivateIPAddress string - -param virtualNetworkName string -param virtualNetworkAddressPrefix string -param virtualNetworkDiagnosticsLogs array -param virtualNetworkDiagnosticsMetrics array -param vNetDnsServers array - +param location string param networkSecurityGroupName string param networkSecurityGroupRules array - -param networkSecurityGroupDiagnosticsLogs array -param networkSecurityGroupDiagnosticsMetrics array - -param subnetName string -param subnetAddressPrefix string -param subnetServiceEndpoints array - param routeTableName string = '${subnetName}-routetable' param routeTableRouteName string = 'default_route' param routeTableRouteAddressPrefix string = '0.0.0.0/0' -param routeTableRouteNextHopIpAddress string = firewallPrivateIPAddress +param routeTableRouteNextHopIpAddress string param routeTableRouteNextHopType string = 'VirtualAppliance' - +param subnetAddressPrefix string +param subnetName string param subnetPrivateEndpointNetworkPolicies string param subnetPrivateLinkServiceNetworkPolicies string - -module logStorage '../modules/storage-account.bicep' = { - name: 'logStorage' - params: { - storageAccountName: logStorageAccountName - location: location - skuName: logStorageSkuName - tags: tags - } -} +param tags object +param virtualNetworkAddressPrefix string +param virtualNetworkName string +param vNetDnsServers array module networkSecurityGroup '../modules/network-security-group.bicep' = { name: 'networkSecurityGroup' params: { - name: networkSecurityGroupName location: location - tags: tags - + name: networkSecurityGroupName securityRules: networkSecurityGroupRules - - logAnalyticsWorkspaceResourceId: logAnalyticsWorkspaceResourceId - 
logStorageAccountResourceId: logStorage.outputs.id - - logs: networkSecurityGroupDiagnosticsLogs - metrics: networkSecurityGroupDiagnosticsMetrics + tags: tags } } module routeTable '../modules/route-table.bicep' = { name: 'routeTable' params: { - name: routeTableName location: location - tags: tags - - routeName: routeTableRouteName + name: routeTableName routeAddressPrefix: routeTableRouteAddressPrefix + routeName: routeTableRouteName routeNextHopIpAddress: routeTableRouteNextHopIpAddress routeNextHopType: routeTableRouteNextHopType + tags: tags } } module virtualNetwork '../modules/virtual-network.bicep' = { name: 'virtualNetwork' params: { - name: virtualNetworkName - location: location - tags: tags - addressPrefix: virtualNetworkAddressPrefix - vNetDnsServers: vNetDnsServers - + location: location + name: virtualNetworkName subnets: [ { name: subnetName @@ -100,18 +60,13 @@ module virtualNetwork '../modules/virtual-network.bicep' = { routeTable: { id: routeTable.outputs.id } - serviceEndpoints: subnetServiceEndpoints privateEndpointNetworkPolicies: subnetPrivateEndpointNetworkPolicies privateLinkServiceNetworkPolicies: subnetPrivateLinkServiceNetworkPolicies } } ] - - logAnalyticsWorkspaceResourceId: logAnalyticsWorkspaceResourceId - logStorageAccountResourceId: logStorage.outputs.id - - logs: virtualNetworkDiagnosticsLogs - metrics: virtualNetworkDiagnosticsMetrics + tags: tags + vNetDnsServers: vNetDnsServers } } diff --git a/src/bicep/core/spoke-storage.bicep b/src/bicep/core/spoke-storage.bicep new file mode 100644 index 000000000..720fadad8 --- /dev/null +++ b/src/bicep/core/spoke-storage.bicep 
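Review bot: The NSG and VNet diagnostic settings (`logAnalyticsWorkspaceResourceId`, `logStorageAccountResourceId`, `logs`, `metrics`) are removed from both module calls in spoke-network.bicep without a replacement in this file, so a spoke deployed from this template alone no longer has flow or diagnostic logging; coverage now depends on the caller also deploying spoke-diagnostics.bicep for every spoke, and the wiring in mlz.bicep is not part of this patch, so I could not confirm it. A header comment making that dependency explicit, e.g. `// NSG and VNet diagnostics are deployed separately by spoke-diagnostics.bicep once the hub log storage account exists`, would stop the next reader from assuming logging is configured here. Dropping `serviceEndpoints: subnetServiceEndpoints` (second hunk of this file) also means the `Microsoft.Storage` path now rests solely on the private endpoint, so storage-account.bicep should keep public network access disabled for that split to hold — worth verifying since that module is changed elsewhere in the patch.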
@@ -0,0 +1,31 @@
+/*
+Copyright (c) Microsoft Corporation.
+Licensed under the MIT License.
+*/
+
+param azureBlobsPrivateDnsZoneResourceId string
+param keyVaultUri string
+param location string
+param logStorageAccountName string
+param logStorageSkuName string
+param storageEncryptionKeyName string
+param subnetResourceId string
+param tags object
+param userAssignedIdentityResourceId string
+
+module storageAccount '../modules/storage-account.bicep' = {
+ name: 'storage'
+ params: {
+ storageAccountName: logStorageAccountName
+ location: location
+ skuName: logStorageSkuName
+ tags: tags
+ azureBlobsPrivateDnsZoneResourceId: azureBlobsPrivateDnsZoneResourceId
+ keyVaultUri: keyVaultUri
+ storageEncryptionKeyName: storageEncryptionKeyName
+ subnetResourceId: subnetResourceId
+ userAssignedIdentityResourceId: userAssignedIdentityResourceId
+ }
+}
+
+output ResourceId string = storageAccount.outputs.id
diff --git a/src/bicep/form/mlz.portal.json b/src/bicep/form/mlz.portal.json
index 59624478e..5ef323f75 100644
--- a/src/bicep/form/mlz.portal.json
+++ b/src/bicep/form/mlz.portal.json
@@ -217,8 +217,8 @@
 "required": true,
 "validations": [
 {
- "regex": "^[a-z0-9]{1,10}$",
- "message": "The prefix must be between 1-10 lowercase characters and numbers."
+ "regex": "^[a-z][a-z0-9]{1,9}$",
+ "message": "The prefix must contain alphanumeric characters, begin with a letter, letters must be lowercase, and not exceed 10 characters."
 }
 ]
 }
diff --git a/src/bicep/mlz.bicep b/src/bicep/mlz.bicep
index 041685c48..7e478652e 100644
--- a/src/bicep/mlz.bicep
+++ b/src/bicep/mlz.bicep
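Review bot: The new regex `^[a-z][a-z0-9]{1,9}$` requires at least two characters (a leading letter plus one to nine more), but the accompanying message states only a maximum of 10 and the previous pattern accepted a single character, so a one-letter prefix that used to pass now fails with a message that does not explain why. If the minimum is meant to stay at 1, use `"regex": "^[a-z][a-z0-9]{0,9}$"`; if two is intended, say so, e.g. `"message": "The prefix must be 2-10 characters, lowercase letters and numbers only, and begin with a letter."`. The same constraint should be mirrored on the `resourcePrefix` parameter in mlz.bicep (`@minLength`/`@maxLength` plus a lowercase check) so deployments that bypass the portal form are validated too; that parameter declaration is not in this patch, so I could not check whether it already is.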
@@ -117,7 +117,7 @@ param firewallIntrusionDetectionMode string = 'Alert' param enableProxy bool = true @description('''['168.63.129.16'] The Azure Firewall DNS Proxy will forward all DNS traffic. When this value is set to true, you must provide a value for "servers". This should be a comma separated list of IP addresses to forward DNS traffic''') -param dnsServers array = ['168.63.129.16'] +param dnsServers array = [ '168.63.129.16' ] @description('An array of Firewall Diagnostic Logs categories to collect. See "https://docs.microsoft.com/en-us/azure/firewall/firewall-diagnostics#enable-diagnostic-logging-through-the-azure-portal" for valid values.') param firewallDiagnosticsLogs array = [ 
@@ -143,15 +143,9 @@ param firewallDiagnosticsMetrics array = [ } ] -@description('An array of Service Endpoints to enable for the Azure Firewall Client Subnet. See https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview for valid settings.') -param firewallClientSubnetServiceEndpoints array = [] - @description('An array of Azure Firewall Public IP Address Availability Zones. It defaults to empty, or "No-Zone", because Availability Zones are not available in every cloud. See https://docs.microsoft.com/en-us/azure/virtual-network/ip-services/public-ip-addresses#sku for valid settings.') param firewallClientPublicIPAddressAvailabilityZones array = [] -@description('An array of Service Endpoints to enable for the Azure Firewall Management Subnet. See https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview for valid settings.') -param firewallManagementSubnetServiceEndpoints array = [] - @description('An array of Azure Firewall Public IP Address Availability Zones. It defaults to empty, or "No-Zone", because Availability Zones are not available in every cloud. See https://docs.microsoft.com/en-us/azure/virtual-network/ip-services/public-ip-addresses#sku for valid settings.') param firewallManagementPublicIPAddressAvailabilityZones array = [] 
@@ -208,13 +202,6 @@ param hubNetworkSecurityGroupDiagnosticsLogs array = [ @description('An array of Network Security Group Metrics to apply to enable for the Hub Virtual Network. See https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/diagnostic-settings?tabs=CMD#metrics for valid settings.') param hubNetworkSecurityGroupDiagnosticsMetrics array = [] -@description('An array of Service Endpoints to enable for the Hub subnet. See https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview for valid settings.') -param hubSubnetServiceEndpoints array = [ - { - service: 'Microsoft.Storage' - } -] - // IDENTITY PARAMETERS @description('An array of Network Diagnostic Logs to enable for the Identity Virtual Network. See https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/diagnostic-settings?tabs=CMD#logs for valid settings.') @@ -265,13 +252,6 @@ param identityNetworkSecurityGroupDiagnosticsLogs array = [ @description('An array of Network Security Group Metrics to apply to enable for the Identity Virtual Network. See https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/diagnostic-settings?tabs=CMD#metrics for valid settings.') param identityNetworkSecurityGroupDiagnosticsMetrics array = [] -@description('An array of Service Endpoints to enable for the Identity subnet. See https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview for valid settings.') -param identitySubnetServiceEndpoints array = [ - { - service: 'Microsoft.Storage' - } -] - // OPERATIONS PARAMETERS @description('An array of Network Diagnostic Logs to enable for the Operations Virtual Network. See https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/diagnostic-settings?tabs=CMD#logs for valid settings.') 
@@ -322,13 +302,6 @@ param operationsNetworkSecurityGroupDiagnosticsLogs array = [ @description('An array of Network Security Group Diagnostic Metrics to enable for the Operations Virtual Network. See https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/diagnostic-settings?tabs=CMD#metrics for valid settings.') param operationsNetworkSecurityGroupDiagnosticsMetrics array = [] -@description('An array of Service Endpoints to enable for the Operations subnet. See https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview for valid settings.') -param operationsSubnetServiceEndpoints array = [ - { - service: 'Microsoft.Storage' - } -] - // SHARED SERVICES PARAMETERS @description('An array of Network Diagnostic Logs to enable for the SharedServices Virtual Network. See https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/diagnostic-settings?tabs=CMD#logs for valid settings.') @@ -379,13 +352,6 @@ param sharedServicesNetworkSecurityGroupDiagnosticsLogs array = [ @description('An array of Network Security Group Diagnostic Metrics to enable for the SharedServices Virtual Network. See https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/diagnostic-settings?tabs=CMD#metrics for valid settings.') param sharedServicesNetworkSecurityGroupDiagnosticsMetrics array = [] -@description('An array of Service Endpoints to enable for the SharedServices subnet. See https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview for valid settings.') -param sharedServicesSubnetServiceEndpoints array = [ - { - service: 'Microsoft.Storage' - } -] - // LOGGING PARAMETERS @description('When set to "true", enables Microsoft Sentinel within the Log Analytics Workspace created in this deployment. It defaults to "false".') 
@@ -568,14 +534,17 @@ var namingConvention = '${toLower(resourcePrefix)}-${resourceToken}-${nameToken} var bastionHostNamingConvention = replace(namingConvention, resourceToken, 'bas') var firewallNamingConvention = replace(namingConvention, resourceToken, 'afw') var firewallPolicyNamingConvention = replace(namingConvention, resourceToken, 'afwp') +var keyVaultNamingConvention = replace(namingConvention, resourceToken, 'kv') var ipConfigurationNamingConvention = replace(namingConvention, resourceToken, 'ipconf') var logAnalyticsWorkspaceNamingConvention = replace(namingConvention, resourceToken, 'log') var networkInterfaceNamingConvention = replace(namingConvention, resourceToken, 'nic') var networkSecurityGroupNamingConvention = replace(namingConvention, resourceToken, 'nsg') +var networkWatcherNamingConvention = replace(namingConvention, resourceToken, 'nw') var publicIpAddressNamingConvention = replace(namingConvention, resourceToken, 'pip') var resourceGroupNamingConvention = replace(namingConvention, resourceToken, 'rg') var storageAccountNamingConvention = toLower('${resourcePrefix}st${nameToken}unique_storage_token') var subnetNamingConvention = replace(namingConvention, resourceToken, 'snet') +var userAssignedIdentityNamingConvention = replace(namingConvention, resourceToken, 'uaid') var virtualMachineNamingConvention = replace(namingConvention, resourceToken, 'vm') var virtualNetworkNamingConvention = replace(namingConvention, resourceToken, 'vnet') 
@@ -583,13 +552,14 @@ var virtualNetworkNamingConvention = replace(namingConvention, resourceToken, 'v var hubName = 'hub' var hubShortName = 'hub' -var hubResourceGroupName = replace(resourceGroupNamingConvention, nameToken, hubName) +var hubLogStorageAccountName = take(hubLogStorageAccountUniqueName, 23) var hubLogStorageAccountShortName = replace(storageAccountNamingConvention, nameToken, hubShortName) var hubLogStorageAccountUniqueName = replace(hubLogStorageAccountShortName, 'unique_storage_token', uniqueString(resourcePrefix, resourceSuffix, hubSubscriptionId)) -var hubLogStorageAccountName = take(hubLogStorageAccountUniqueName, 23) -var hubVirtualNetworkName = replace(virtualNetworkNamingConvention, nameToken, hubName) +var hubNetworkWatcherName = replace(networkWatcherNamingConvention, nameToken, hubName) var hubNetworkSecurityGroupName = replace(networkSecurityGroupNamingConvention, nameToken, hubName) +var hubResourceGroupName = replace(resourceGroupNamingConvention, nameToken, hubName) var hubSubnetName = replace(subnetNamingConvention, nameToken, hubName) +var hubVirtualNetworkName = replace(virtualNetworkNamingConvention, nameToken, hubName) // IDENTITY NAMES @@ -607,6 +577,7 @@ var identitySubnetName = replace(subnetNamingConvention, nameToken, identityName var operationsName = 'operations' var operationsShortName = 'ops' +var operationsKeyVaultName = replace(keyVaultNamingConvention, nameToken, operationsName) var operationsResourceGroupName = replace(resourceGroupNamingConvention, nameToken, operationsName) var operationsLogStorageAccountShortName = replace(storageAccountNamingConvention, nameToken, operationsShortName) var operationsLogStorageAccountUniqueName = replace(operationsLogStorageAccountShortName, 'unique_storage_token', uniqueString(resourcePrefix, resourceSuffix, operationsSubscriptionId)) 
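Review bot: `operationsKeyVaultName` can exceed the 24-character maximum for Key Vault names: `keyVaultNamingConvention` (preceding hunk) starts with `${toLower(resourcePrefix)}-kv-${nameToken}`, and a 10-character `resourcePrefix` (the maximum mlz.json allows) plus the 10-character `operationsName` already yields 24 characters before whatever the convention appends after the name token. Key Vault names are also globally unique because they become a DNS label, so the collision risk the storage names mitigate with `uniqueString` applies here too. The storage names in this same hunk are truncated with `take(..., 23)`; do the equivalent for the vault, e.g. `var operationsKeyVaultName = take('${replace(keyVaultNamingConvention, nameToken, operationsShortName)}-${uniqueString(resourcePrefix, resourceSuffix, operationsSubscriptionId)}', 24)`, which also uses the short `ops` token like the storage account does.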
@@ -614,6 +585,7 @@ var operationsLogStorageAccountName = take(operationsLogStorageAccountUniqueName var operationsVirtualNetworkName = replace(virtualNetworkNamingConvention, nameToken, operationsName) var operationsNetworkSecurityGroupName = replace(networkSecurityGroupNamingConvention, nameToken, operationsName) var operationsSubnetName = replace(subnetNamingConvention, nameToken, operationsName) +var operationsUserAssignedIdentityName = replace(userAssignedIdentityNamingConvention, nameToken, operationsName) // SHARED SERVICES NAMES @@ -642,6 +614,8 @@ var firewallManagementPublicIPAddressName = replace(publicIpAddressNamingConvent // FIREWALL VALUES +var firewallClientUsableIpAddresses = [for i in range(0, 4): cidrHost(firewallClientSubnetAddressPrefix, i)] +var firewallClientPrivateIpAddress = firewallClientUsableIpAddresses[3] var firewallPublicIpAddressSkuName = 'Standard' var firewallPublicIpAddressAllocationMethod = 'Static' @@ -680,9 +654,8 @@ var spokes = [ networkSecurityGroupDiagnosticsMetrics: identityNetworkSecurityGroupDiagnosticsMetrics subnetName: identitySubnetName subnetAddressPrefix: identitySubnetAddressPrefix - subnetServiceEndpoints: identitySubnetServiceEndpoints - subnetPrivateEndpointNetworkPolicies: 'Enabled' - subnetPrivateLinkServiceNetworkPolicies: 'Enabled' + subnetPrivateEndpointNetworkPolicies: 'Disabled' + subnetPrivateLinkServiceNetworkPolicies: 'Disabled' } { name: operationsName @@ -699,7 +672,6 @@ var spokes = [ networkSecurityGroupDiagnosticsMetrics: operationsNetworkSecurityGroupDiagnosticsMetrics subnetName: operationsSubnetName subnetAddressPrefix: operationsSubnetAddressPrefix - subnetServiceEndpoints: operationsSubnetServiceEndpoints subnetPrivateEndpointNetworkPolicies: 'Disabled' subnetPrivateLinkServiceNetworkPolicies: 'Disabled' } 
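Review bot: `firewallClientPrivateIpAddress` is now a prediction rather than the address Azure actually assigned, and nothing in the template records why index 3 is the right one. Azure reserves the first four addresses of every subnet (.0–.3) and `cidrHost` numbers usable hosts from 0 (index 0 is .1), so index 3 is the .4 address the firewall receives as the first resource in its dedicated `AzureFirewallSubnet`; the four-element `firewallClientUsableIpAddresses` array adds nothing to that. Collapse it to `var firewallClientPrivateIpAddress = cidrHost(firewallClientSubnetAddressPrefix, 3) // Azure reserves .0-.3; the firewall takes the first usable address (.4). Predicted here to avoid the vnet->firewall->vnet DNS cycle.` so the next maintainer knows the hub DNS setting and every spoke default route depend on this assumption holding.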
@@ -718,9 +690,8 @@ var spokes = [ networkSecurityGroupDiagnosticsMetrics: sharedServicesNetworkSecurityGroupDiagnosticsMetrics subnetName: sharedServicesSubnetName subnetAddressPrefix: sharedServicesSubnetAddressPrefix - subnetServiceEndpoints: sharedServicesSubnetServiceEndpoints - subnetPrivateEndpointNetworkPolicies: 'Enabled' - subnetPrivateLinkServiceNetworkPolicies: 'Enabled' + subnetPrivateEndpointNetworkPolicies: 'Disabled' + subnetPrivateLinkServiceNetworkPolicies: 'Disabled' } ] 
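Review bot: Flipping `subnetPrivateEndpointNetworkPolicies` and `subnetPrivateLinkServiceNetworkPolicies` to `'Disabled'` for the sharedServices spoke (and identity in the preceding hunk) turns off NSG and route-table enforcement for the private endpoints this patch places in those subnets, so the `networkSecurityGroupRules` deployed alongside them no longer filter traffic to the log storage private endpoints. `Disabled` was once required to create a private endpoint, but NSG support for private endpoints is generally available and `'Enabled'` is what the old code had. Unless a target cloud still lacks that support, keep `subnetPrivateEndpointNetworkPolicies: 'Enabled'`; the PrivateLinkService setting only matters for a subnet that hosts a Private Link service, which nothing in this hunk does, so it can stay at whatever the platform default is. If the downgrade is deliberate for a specific cloud, say so in a comment on these two properties.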
@@ -789,117 +760,46 @@ module hubNetwork './core/hub-network.bicep' = { name: 'deploy-vnet-hub-${deploymentNameSuffix}' scope: resourceGroup(hubSubscriptionId, hubResourceGroupName) params: { - location: location - tags: calculatedTags - - logStorageAccountName: hubLogStorageAccountName - logStorageSkuName: logStorageSkuName - logAnalyticsWorkspaceResourceId: logAnalyticsWorkspace.outputs.id - - virtualNetworkName: hubVirtualNetworkName - virtualNetworkAddressPrefix: hubVirtualNetworkAddressPrefix - virtualNetworkDiagnosticsLogs: hubVirtualNetworkDiagnosticsLogs - virtualNetworkDiagnosticsMetrics: hubVirtualNetworkDiagnosticsMetrics - - networkSecurityGroupName: hubNetworkSecurityGroupName - networkSecurityGroupRules: hubNetworkSecurityGroupRules - networkSecurityGroupDiagnosticsLogs: hubNetworkSecurityGroupDiagnosticsLogs - networkSecurityGroupDiagnosticsMetrics: hubNetworkSecurityGroupDiagnosticsMetrics - - subnetName: hubSubnetName - subnetAddressPrefix: hubSubnetAddressPrefix - subnetServiceEndpoints: hubSubnetServiceEndpoints - - firewallName: firewallName - firewallSkuTier: firewallSkuTier - firewallPolicyName: firewallPolicyName - firewallThreatIntelMode: firewallThreatIntelMode - firewallIntrusionDetectionMode: firewallIntrusionDetectionMode - firewallDiagnosticsLogs: firewallDiagnosticsLogs - firewallDiagnosticsMetrics: firewallDiagnosticsMetrics + bastionHostSubnetAddressPrefix: bastionHostSubnetAddressPrefix + deployRemoteAccess: deployRemoteAccess + dnsServers: dnsServers + enableProxy: enableProxy firewallClientIpConfigurationName: firewallClientIpConfigurationName - firewallClientSubnetName: 'AzureFirewallSubnet' // this must be 'AzureFirewallSubnet' - firewallClientSubnetAddressPrefix: firewallClientSubnetAddressPrefix - firewallClientSubnetServiceEndpoints: firewallClientSubnetServiceEndpoints + firewallClientPrivateIpAddress: firewallClientPrivateIpAddress + firewallClientPublicIPAddressAvailabilityZones: 
firewallClientPublicIPAddressAvailabilityZones firewallClientPublicIPAddressName: firewallClientPublicIPAddressName firewallClientPublicIPAddressSkuName: firewallPublicIpAddressSkuName firewallClientPublicIpAllocationMethod: firewallPublicIpAddressAllocationMethod - firewallClientPublicIPAddressAvailabilityZones: firewallClientPublicIPAddressAvailabilityZones + firewallClientSubnetAddressPrefix: firewallClientSubnetAddressPrefix + firewallClientSubnetName: 'AzureFirewallSubnet' // this must be 'AzureFirewallSubnet' + firewallIntrusionDetectionMode: firewallIntrusionDetectionMode firewallManagementIpConfigurationName: firewallManagementIpConfigurationName - firewallManagementSubnetName: 'AzureFirewallManagementSubnet' // this must be 'AzureFirewallManagementSubnet' - firewallManagementSubnetAddressPrefix: firewallManagementSubnetAddressPrefix - firewallManagementSubnetServiceEndpoints: firewallManagementSubnetServiceEndpoints + firewallManagementPublicIPAddressAvailabilityZones: firewallManagementPublicIPAddressAvailabilityZones firewallManagementPublicIPAddressName: firewallManagementPublicIPAddressName firewallManagementPublicIPAddressSkuName: firewallPublicIpAddressSkuName firewallManagementPublicIpAllocationMethod: firewallPublicIpAddressAllocationMethod - firewallManagementPublicIPAddressAvailabilityZones: firewallManagementPublicIPAddressAvailabilityZones + firewallManagementSubnetAddressPrefix: firewallManagementSubnetAddressPrefix + firewallManagementSubnetName: 'AzureFirewallManagementSubnet' // this must be 'AzureFirewallManagementSubnet' + firewallName: firewallName + firewallPolicyName: firewallPolicyName + firewallSkuTier: firewallSkuTier firewallSupernetIPAddress: firewallSupernetIPAddress - - publicIPAddressDiagnosticsLogs: publicIPAddressDiagnosticsLogs - publicIPAddressDiagnosticsMetrics: publicIPAddressDiagnosticsMetrics - enableProxy: enableProxy - dnsServers: dnsServers - } -} - -module hubNetworkDNS './core/hub-network.bicep' = { - name: 
'deploy-vnet-hub-DNS-${deploymentNameSuffix}' - scope: resourceGroup(hubSubscriptionId, hubResourceGroupName) - params: { + firewallThreatIntelMode: firewallThreatIntelMode location: location - tags: calculatedTags - - logStorageAccountName: hubLogStorageAccountName - logStorageSkuName: logStorageSkuName - logAnalyticsWorkspaceResourceId: logAnalyticsWorkspace.outputs.id - - virtualNetworkName: hubVirtualNetworkName - virtualNetworkAddressPrefix: hubVirtualNetworkAddressPrefix - virtualNetworkDiagnosticsLogs: hubVirtualNetworkDiagnosticsLogs - virtualNetworkDiagnosticsMetrics: hubVirtualNetworkDiagnosticsMetrics - networkSecurityGroupName: hubNetworkSecurityGroupName networkSecurityGroupRules: hubNetworkSecurityGroupRules - networkSecurityGroupDiagnosticsLogs: hubNetworkSecurityGroupDiagnosticsLogs - networkSecurityGroupDiagnosticsMetrics: hubNetworkSecurityGroupDiagnosticsMetrics - - subnetName: hubSubnetName + networkWatcherName: hubNetworkWatcherName subnetAddressPrefix: hubSubnetAddressPrefix - subnetServiceEndpoints: hubSubnetServiceEndpoints - - firewallName: firewallName - firewallSkuTier: firewallSkuTier - firewallPolicyName: firewallPolicyName - firewallThreatIntelMode: firewallThreatIntelMode - firewallIntrusionDetectionMode: firewallIntrusionDetectionMode - firewallDiagnosticsLogs: firewallDiagnosticsLogs - firewallDiagnosticsMetrics: firewallDiagnosticsMetrics - firewallClientIpConfigurationName: firewallClientIpConfigurationName - firewallClientSubnetName: 'AzureFirewallSubnet' // this must be 'AzureFirewallSubnet' - firewallClientSubnetAddressPrefix: firewallClientSubnetAddressPrefix - firewallClientSubnetServiceEndpoints: firewallClientSubnetServiceEndpoints - firewallClientPublicIPAddressName: firewallClientPublicIPAddressName - firewallClientPublicIPAddressSkuName: firewallPublicIpAddressSkuName - firewallClientPublicIpAllocationMethod: firewallPublicIpAddressAllocationMethod - firewallClientPublicIPAddressAvailabilityZones: 
firewallClientPublicIPAddressAvailabilityZones - firewallManagementIpConfigurationName: firewallManagementIpConfigurationName - firewallManagementSubnetName: 'AzureFirewallManagementSubnet' // this must be 'AzureFirewallManagementSubnet' - firewallManagementSubnetAddressPrefix: firewallManagementSubnetAddressPrefix - firewallManagementSubnetServiceEndpoints: firewallManagementSubnetServiceEndpoints - firewallManagementPublicIPAddressName: firewallManagementPublicIPAddressName - firewallManagementPublicIPAddressSkuName: firewallPublicIpAddressSkuName - firewallManagementPublicIpAllocationMethod: firewallPublicIpAddressAllocationMethod - firewallManagementPublicIPAddressAvailabilityZones: firewallManagementPublicIPAddressAvailabilityZones - firewallSupernetIPAddress: firewallSupernetIPAddress - vNetDnsServers: [hubNetwork.outputs.firewallPrivateIPAddress] - - publicIPAddressDiagnosticsLogs: publicIPAddressDiagnosticsLogs - publicIPAddressDiagnosticsMetrics: publicIPAddressDiagnosticsMetrics - enableProxy: enableProxy - dnsServers: dnsServers + subnetName: hubSubnetName + tags: calculatedTags + virtualNetworkAddressPrefix: hubVirtualNetworkAddressPrefix + virtualNetworkName: hubVirtualNetworkName + vNetDnsServers: [ + firewallClientPrivateIpAddress + ] } dependsOn: [ - hubNetwork + hubResourceGroup ] } 
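Review bot: `vNetDnsServers: [ firewallClientPrivateIpAddress ]` points the hub VNet at the firewall's DNS proxy unconditionally, while `enableProxy` is passed separately on the same call; if hub-network.bicep does not gate on it, a deployment with `enableProxy: false` leaves the hub VNet (and, via the spokes, everything behind it) with a DNS server that is not listening, a failure that only surfaces at the first name lookup rather than at deploy time. Consider `vNetDnsServers: enableProxy ? [ firewallClientPrivateIpAddress ] : []` here (an empty list falls back to Azure-provided DNS), or have the module enforce the same rule. The predicted address also deserves a one-line comment at this call site noting that it stands in for the firewall's `firewallPrivateIPAddress` output because reading that output would recreate the VNet→firewall→VNet cycle the removed `hubNetworkDNS` module worked around.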
@@ -908,33 +808,21 @@ module spokeNetworks './core/spoke-network.bicep' = [for spoke in spokes: { scope: resourceGroup(spoke.subscriptionId, spoke.resourceGroupName) params: { location: location - tags: calculatedTags - - logStorageAccountName: spoke.logStorageAccountName - logStorageSkuName: logStorageSkuName - - logAnalyticsWorkspaceResourceId: logAnalyticsWorkspace.outputs.id - - firewallPrivateIPAddress: hubNetwork.outputs.firewallPrivateIPAddress - vNetDnsServers: [hubNetwork.outputs.firewallPrivateIPAddress] - - virtualNetworkName: spoke.virtualNetworkName - virtualNetworkAddressPrefix: spoke.virtualNetworkAddressPrefix - virtualNetworkDiagnosticsLogs: spoke.virtualNetworkDiagnosticsLogs - virtualNetworkDiagnosticsMetrics: spoke.virtualNetworkDiagnosticsMetrics - networkSecurityGroupName: spoke.networkSecurityGroupName networkSecurityGroupRules: spoke.networkSecurityGroupRules - networkSecurityGroupDiagnosticsLogs: spoke.networkSecurityGroupDiagnosticsLogs - networkSecurityGroupDiagnosticsMetrics: spoke.networkSecurityGroupDiagnosticsMetrics - - subnetName: spoke.subnetName + routeTableRouteNextHopIpAddress: firewallClientPrivateIpAddress subnetAddressPrefix: spoke.subnetAddressPrefix - subnetServiceEndpoints: spoke.subnetServiceEndpoints - + subnetName: spoke.subnetName subnetPrivateEndpointNetworkPolicies: spoke.subnetPrivateEndpointNetworkPolicies subnetPrivateLinkServiceNetworkPolicies: spoke.subnetPrivateLinkServiceNetworkPolicies + tags: calculatedTags + virtualNetworkAddressPrefix: spoke.virtualNetworkAddressPrefix + virtualNetworkName: spoke.virtualNetworkName + vNetDnsServers: [ hubNetwork.outputs.firewallPrivateIPAddress ] } + dependsOn: [ + spokeResourceGroups + ] }] // VIRTUAL NETWORK PEERINGS 
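Review bot: The spoke module now takes the firewall address from two different sources: `routeTableRouteNextHopIpAddress: firewallClientPrivateIpAddress` (the predicted `cidrHost` value) and `vNetDnsServers: [ hubNetwork.outputs.firewallPrivateIPAddress ]` (the address the firewall actually received). If the prediction is ever wrong, spokes would resolve DNS through the real firewall while forcing all egress to a next hop that does not exist — a silent blackhole that is hard to diagnose. Because `spokeNetworks` already depends on `hubNetwork` through that output there is no cycle to avoid here, so use the real value for both: `routeTableRouteNextHopIpAddress: hubNetwork.outputs.firewallPrivateIPAddress`. The explicit `dependsOn: [ spokeResourceGroups ]` is warranted since the resource group is only referenced by name in `scope`.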
@@ -964,46 +852,112 @@ module spokeVirtualNetworkPeerings './core/spoke-network-peering.bicep' = [for ( } }] -// POLICY ASSIGNMENTS +// PRIVATE DNS -module hubPolicyAssignment './modules/policy-assignment.bicep' = if (deployPolicy) { - name: 'assign-policy-hub-${deploymentNameSuffix}' +module privateDnsZones './modules/private-dns.bicep' = { + name: 'azure-private-dns' scope: resourceGroup(hubSubscriptionId, hubResourceGroupName) params: { - builtInAssignment: policy - logAnalyticsWorkspaceName: logAnalyticsWorkspace.outputs.name - logAnalyticsWorkspaceResourceGroupName: logAnalyticsWorkspace.outputs.resourceGroupName - operationsSubscriptionId: operationsSubscriptionId + vnetName: hubNetwork.outputs.virtualNetworkName + tags: tags + } +} + +// OPERATIONS CMK DEPENDANCIES + +module operationsCustomerManagedKeys './core/operations-customer-managed-keys.bicep' = { + name: 'deploy-cmk-ops-${deploymentNameSuffix}' + scope: resourceGroup(operationsSubscriptionId, operationsResourceGroupName) + params: { + keyVaultName: operationsKeyVaultName location: location + tags: calculatedTags + userAssignedIdentityName: operationsUserAssignedIdentityName } + dependsOn: [ + spokeNetworks + ] } -module spokePolicyAssignments './modules/policy-assignment.bicep' = [for spoke in spokes: if (deployPolicy) { - name: 'assign-policy-${spoke.name}-${deploymentNameSuffix}' +// HUB LOGGING STORAGE + +module hubStorage './core/hub-storage.bicep' = { + name: 'deploy-log-storage-hub-${deploymentNameSuffix}' + scope: resourceGroup(hubSubscriptionId, hubResourceGroupName) + params: { + azureBlobsPrivateDnsZoneResourceId: privateDnsZones.outputs.blobPrivateDnsZoneId + keyVaultUri: operationsCustomerManagedKeys.outputs.keyVaultUri + location: location + logStorageAccountName: hubLogStorageAccountName + logStorageSkuName: logStorageSkuName + storageEncryptionKeyName: operationsCustomerManagedKeys.outputs.storageKeyName + subnetResourceId: hubNetwork.outputs.subnetResourceId + tags: calculatedTags + 
userAssignedIdentityResourceId: operationsCustomerManagedKeys.outputs.userAssignedIdentityResourceId + } +} + +// SPOKE LOGGING STORAGE + +module spokeStorage './core/spoke-storage.bicep' = [for (spoke, i) in spokes: { + name: 'deploy-log-storage-${spoke.name}-${deploymentNameSuffix}' scope: resourceGroup(spoke.subscriptionId, spoke.resourceGroupName) params: { - builtInAssignment: policy - logAnalyticsWorkspaceName: logAnalyticsWorkspace.outputs.name - logAnalyticsWorkspaceResourceGroupName: logAnalyticsWorkspace.outputs.resourceGroupName - operationsSubscriptionId: operationsSubscriptionId + azureBlobsPrivateDnsZoneResourceId: privateDnsZones.outputs.blobPrivateDnsZoneId + keyVaultUri: operationsCustomerManagedKeys.outputs.keyVaultUri location: location + logStorageAccountName: spoke.logStorageAccountName + logStorageSkuName: logStorageSkuName + storageEncryptionKeyName: operationsCustomerManagedKeys.outputs.storageKeyName + subnetResourceId: spokeNetworks[i].outputs.subnetResourceId + tags: tags + userAssignedIdentityResourceId: operationsCustomerManagedKeys.outputs.userAssignedIdentityResourceId } }] -// PRIVATE DNS +// HUB DIAGONSTIC LOGGING -module azurePrivateDns './modules/private-dns.bicep' = { - name: 'azure-private-dns' +module hubDiagnostics 'core/hub-diagnostics.bicep' = { scope: resourceGroup(hubSubscriptionId, hubResourceGroupName) + name: 'deploy-diagnostic-logging-hub-${deploymentNameSuffix}' params: { - vnetName: hubNetwork.outputs.virtualNetworkName - tags: tags + firewallDiagnosticsLogs: firewallDiagnosticsLogs + firewallDiagnosticsMetrics: firewallDiagnosticsMetrics + firewallName: hubNetwork.outputs.firewallName + hubStorageAccountResourceId: hubStorage.outputs.storageAccountResourceId + logAnalyticsWorkspaceResourceId: logAnalyticsWorkspace.outputs.id + networkSecurityGroupDiagnosticsLogs: hubNetworkSecurityGroupDiagnosticsLogs + networkSecurityGroupDiagnosticsMetrics: hubNetworkSecurityGroupDiagnosticsMetrics + networkSecurityGroupName: 
hubNetworkSecurityGroupName + publicIPAddressDiagnosticsLogs: publicIPAddressDiagnosticsLogs + publicIPAddressDiagnosticsMetrics: publicIPAddressDiagnosticsMetrics + publicIPAddressNames: [ + firewallClientPublicIPAddressName + firewallManagementPublicIPAddressName + ] + virtualNetworkDiagnosticsLogs: hubVirtualNetworkDiagnosticsLogs + virtualNetworkDiagnosticsMetrics: hubVirtualNetworkDiagnosticsMetrics + virtualNetworkName: hubNetwork.outputs.virtualNetworkName } - dependsOn: [ - hubNetwork - ] } +// SPOKE DIAGONSTIC LOGGING + +module spokeDiagnostics 'core/spoke-diagnostics.bicep' = [for (spoke, i) in spokes: { + scope: resourceGroup(spoke.subscriptionId, spoke.resourceGroupName) + name: 'deploy-diagnostic-logging-${spoke.name}-${deploymentNameSuffix}' + params: { + hubStorageAccountResourceId: spokeStorage[i].outputs.ResourceId + logAnalyticsWorkspaceResourceId: logAnalyticsWorkspace.outputs.id + networkSecurityGroupDiagnosticsLogs: spoke.NetworkSecurityGroupDiagnosticsLogs + networkSecurityGroupDiagnosticsMetrics: spoke.NetworkSecurityGroupDiagnosticsMetrics + networkSecurityGroupName: spokeNetworks[i].outputs.networkSecurityGroupName + virtualNetworkDiagnosticsLogs: spoke.VirtualNetworkDiagnosticsLogs + virtualNetworkDiagnosticsMetrics: spoke.VirtualNetworkDiagnosticsMetrics + virtualNetworkName: spokeNetworks[i].outputs.virtualNetworkName + } +}] + // CENTRAL LOGGING module hubSubscriptionActivityLogging './modules/central-logging.bicep' = { 
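Review bot: The Key Vault that holds the customer-managed key for every log storage account is created by `operationsCustomerManagedKeys` with only name, location, tags and identity inputs, so nothing in this template pins the controls Storage CMK depends on — soft delete with purge protection (a purged key makes all retained diagnostic logs unreadable) and restricted network access, which matters more now that the storage accounts themselves are reachable only through private endpoints. If key-vault.bicep hard-codes those settings, a comment on this call saying so would help reviewers; otherwise expose them as parameters and pass them here. Two smaller inconsistencies in the same hunk: `hubStorage` gets `tags: calculatedTags` while `spokeStorage` gets `tags: tags`, and `spokeDiagnostics` reads `spokeStorage[i].outputs.ResourceId` and `spoke.NetworkSecurityGroupDiagnosticsLogs` with capitalized names although the spokes array defines them lowercase (`networkSecurityGroupDiagnosticsLogs`) and the hub output is `storageAccountResourceId` — ARM property lookup is case-insensitive so this probably deploys, but align the names with the surrounding code.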
@@ -1026,17 +980,17 @@ module azureMonitorPrivateLink './modules/private-link.bicep' = if (contains(sup logAnalyticsWorkspaceResourceId: logAnalyticsWorkspace.outputs.id privateEndpointSubnetName: operationsSubnetName privateEndpointVnetName: operationsVirtualNetworkName - monitorPrivateDnsZoneId: azurePrivateDns.outputs.monitorPrivateDnsZoneId - omsPrivateDnsZoneId: azurePrivateDns.outputs.omsPrivateDnsZoneId - odsPrivateDnsZoneId: azurePrivateDns.outputs.odsPrivateDnsZoneId - agentsvcPrivateDnsZoneId: azurePrivateDns.outputs.agentsvcPrivateDnsZoneId + monitorPrivateDnsZoneId: privateDnsZones.outputs.monitorPrivateDnsZoneId + omsPrivateDnsZoneId: privateDnsZones.outputs.omsPrivateDnsZoneId + odsPrivateDnsZoneId: privateDnsZones.outputs.odsPrivateDnsZoneId + agentsvcPrivateDnsZoneId: privateDnsZones.outputs.agentsvcPrivateDnsZoneId location: location tags: tags } dependsOn: [ logAnalyticsWorkspace + privateDnsZones spokeNetworks - azurePrivateDns ] } 
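Review bot: The `dependsOn` list duplicates dependencies Bicep already infers: `privateDnsZones` and `logAnalyticsWorkspace` are referenced through `.outputs` in the params block, so listing them is redundant and trips the `no-unnecessary-dependson` linter rule. Only `spokeNetworks` is a genuine explicit dependency, because the subnet and VNet are passed by name (`privateEndpointSubnetName`, `privateEndpointVnetName`) rather than by output. Trim it to `dependsOn: [ spokeNetworks ]`.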
@@ -1060,11 +1014,36 @@ module logAnalyticsDiagnosticLogging './modules/log-analytics-diagnostic-logging logAnalyticsWorkspaceName: logAnalyticsWorkspace.outputs.name } dependsOn: [ - hubNetwork - spokeNetworks + spokeStorage ] } +// POLICY ASSIGNMENTS + +module hubPolicyAssignment './modules/policy-assignment.bicep' = if (deployPolicy) { + name: 'assign-policy-hub-${deploymentNameSuffix}' + scope: resourceGroup(hubSubscriptionId, hubResourceGroupName) + params: { + builtInAssignment: policy + logAnalyticsWorkspaceName: logAnalyticsWorkspace.outputs.name + logAnalyticsWorkspaceResourceGroupName: logAnalyticsWorkspace.outputs.resourceGroupName + operationsSubscriptionId: operationsSubscriptionId + location: location + } +} + +module spokePolicyAssignments './modules/policy-assignment.bicep' = [for spoke in spokes: if (deployPolicy) { + name: 'assign-policy-${spoke.name}-${deploymentNameSuffix}' + scope: resourceGroup(spoke.subscriptionId, spoke.resourceGroupName) + params: { + builtInAssignment: policy + logAnalyticsWorkspaceName: logAnalyticsWorkspace.outputs.name + logAnalyticsWorkspaceResourceGroupName: logAnalyticsWorkspace.outputs.resourceGroupName + operationsSubscriptionId: operationsSubscriptionId + location: location + } +}] + // Microsoft Defender for Cloud module hubDefender './modules/defender.bicep' = if (deployDefender) { 
@@ -1092,58 +1071,50 @@ module spokeDefender './modules/defender.bicep' = [for spoke in spokes: if ((dep module remoteAccess './core/remote-access.bicep' = if (deployRemoteAccess) { name: 'deploy-remote-access-${deploymentNameSuffix}' scope: resourceGroup(hubSubscriptionId, hubResourceGroupName) - params: { - location: location - - hubVirtualNetworkName: hubNetwork.outputs.virtualNetworkName - hubSubnetResourceId: hubNetwork.outputs.subnetResourceId - hubNetworkSecurityGroupResourceId: hubNetwork.outputs.networkSecurityGroupResourceId - + bastionHostIPConfigurationName: bastionHostIPConfigurationName bastionHostName: bastionHostName - bastionHostSubnetAddressPrefix: bastionHostSubnetAddressPrefix - bastionHostPublicIPAddressName: bastionHostPublicIPAddressName - bastionHostPublicIPAddressSkuName: bastionHostPublicIPAddressSkuName bastionHostPublicIPAddressAllocationMethod: bastionHostPublicIPAddressAllocationMethod bastionHostPublicIPAddressAvailabilityZones: bastionHostPublicIPAddressAvailabilityZones - bastionHostIPConfigurationName: bastionHostIPConfigurationName - - linuxNetworkInterfaceName: linuxNetworkInterfaceName + bastionHostPublicIPAddressName: bastionHostPublicIPAddressName + bastionHostPublicIPAddressSkuName: bastionHostPublicIPAddressSkuName + bastionHostSubnetResourceId: hubNetwork.outputs.bastionHostSubnetResourceId + hubNetworkSecurityGroupResourceId: hubNetwork.outputs.networkSecurityGroupResourceId + hubSubnetResourceId: hubNetwork.outputs.subnetResourceId linuxNetworkInterfaceIpConfigurationName: linuxNetworkInterfaceIpConfigurationName + linuxNetworkInterfaceName: linuxNetworkInterfaceName linuxNetworkInterfacePrivateIPAddressAllocationMethod: linuxNetworkInterfacePrivateIPAddressAllocationMethod - - linuxVmName: linuxVmName - linuxVmSize: linuxVmSize - linuxVmOsDiskCreateOption: linuxVmOsDiskCreateOption - linuxVmOsDiskType: linuxVmOsDiskType - linuxVmImagePublisher: linuxVmImagePublisher + linuxVmAdminPasswordOrKey: linuxVmAdminPasswordOrKey 
+ linuxVmAdminUsername: linuxVmAdminUsername + linuxVmAuthenticationType: linuxVmAuthenticationType linuxVmImageOffer: linuxVmImageOffer + linuxVmImagePublisher: linuxVmImagePublisher linuxVmImageSku: linuxVmImageSku linuxVmImageVersion: linuxVmImageVersion - linuxVmAdminUsername: linuxVmAdminUsername - linuxVmAuthenticationType: linuxVmAuthenticationType - linuxVmAdminPasswordOrKey: linuxVmAdminPasswordOrKey - - windowsNetworkInterfaceName: windowsNetworkInterfaceName + linuxVmName: linuxVmName + linuxVmOsDiskCreateOption: linuxVmOsDiskCreateOption + linuxVmOsDiskType: linuxVmOsDiskType + linuxVmSize: linuxVmSize + location: location + logAnalyticsWorkspaceId: logAnalyticsWorkspace.outputs.id + tags: tags windowsNetworkInterfaceIpConfigurationName: windowsNetworkInterfaceIpConfigurationName + windowsNetworkInterfaceName: windowsNetworkInterfaceName windowsNetworkInterfacePrivateIPAddressAllocationMethod: windowsNetworkInterfacePrivateIPAddressAllocationMethod - - windowsVmName: windowsVmName - windowsVmSize: windowsVmSize - windowsVmAdminUsername: windowsVmAdminUsername windowsVmAdminPassword: windowsVmAdminPassword - windowsVmPublisher: windowsVmPublisher + windowsVmAdminUsername: windowsVmAdminUsername + windowsVmCreateOption: windowsVmCreateOption + windowsVmName: windowsVmName windowsVmOffer: windowsVmOffer + windowsVmPublisher: windowsVmPublisher + windowsVmSize: windowsVmSize windowsVmSku: windowsVmSku - windowsVmVersion: windowsVmVersion - windowsVmCreateOption: windowsVmCreateOption windowsVmStorageAccountType: windowsVmStorageAccountType - - logAnalyticsWorkspaceId: logAnalyticsWorkspace.outputs.id + windowsVmVersion: windowsVmVersion } dependsOn: [ azureMonitorPrivateLink - hubNetworkDNS + //hubNetworkDNS ] } diff --git a/src/bicep/mlz.json b/src/bicep/mlz.json index 68bfca091..17daef7f4 100644 --- a/src/bicep/mlz.json +++ b/src/bicep/mlz.json 
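Review bot: `//hubNetworkDNS` in `dependsOn` is dead code: the `hubNetworkDNS` module is deleted by this patch, and a commented-out symbol inside a dependency list only invites someone to uncomment a name that no longer exists. The ordering it used to provide (deploy Bastion and the jump VMs only after the hub VNet's DNS points at the firewall) now holds anyway, since `hubNetwork` sets `vNetDnsServers` at creation and this module consumes `hubNetwork.outputs.*`. Remove the line, and consider `tags: calculatedTags` to match the `hubNetwork` call, since `tags: tags` here bypasses whatever `calculatedTags` adds to the user-supplied set.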
@@ -4,27 +4,27 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.10.61.36676", - "templateHash": "2822344535003118565" + "version": "0.24.24.22086", + "templateHash": "7750568451689560969" } }, "parameters": { "resourcePrefix": { "type": "string", + "minLength": 3, + "maxLength": 10, "metadata": { "description": "A prefix, 3-10 alphanumeric characters without whitespace, used to prefix resources and generate uniqueness for resources with globally unique naming requirements like Storage Accounts and Log Analytics Workspaces" - }, - "maxLength": 10, - "minLength": 3 + } }, "resourceSuffix": { "type": "string", "defaultValue": "mlz", + "minLength": 3, + "maxLength": 6, "metadata": { "description": "A suffix, 3 to 6 characters in length, to append to resource names (e.g. \"dev\", \"test\", \"prod\", \"mlz\"). It defaults to \"mlz\"." - }, - "maxLength": 6, - "minLength": 3 + } }, "hubSubscriptionId": { "type": "string", 
@@ -158,37 +158,37 @@ "firewallSkuTier": { "type": "string", "defaultValue": "Premium", - "metadata": { - "description": "[Standard/Premium] The SKU for Azure Firewall. It defaults to \"Premium\"." - }, "allowedValues": [ "Standard", "Premium" - ] + ], + "metadata": { + "description": "[Standard/Premium] The SKU for Azure Firewall. It defaults to \"Premium\"." + } }, "firewallThreatIntelMode": { "type": "string", "defaultValue": "Alert", - "metadata": { - "description": "[Alert/Deny/Off] The Azure Firewall Threat Intelligence Rule triggered logging behavior. Valid values are \"Alert\", \"Deny\", or \"Off\". The default value is \"Alert\"." - }, "allowedValues": [ "Alert", "Deny", "Off" - ] + ], + "metadata": { + "description": "[Alert/Deny/Off] The Azure Firewall Threat Intelligence Rule triggered logging behavior. Valid values are \"Alert\", \"Deny\", or \"Off\". The default value is \"Alert\"." + } }, "firewallIntrusionDetectionMode": { "type": "string", "defaultValue": "Alert", - "metadata": { - "description": "[Alert/Deny/Off] The Azure Firewall Intrusion Detection mode. Valid values are \"Alert\", \"Deny\", or \"Off\". The default value is \"Alert\"." - }, "allowedValues": [ "Alert", "Deny", "Off" - ] + ], + "metadata": { + "description": "[Alert/Deny/Off] The Azure Firewall Intrusion Detection mode. Valid values are \"Alert\", \"Deny\", or \"Off\". The default value is \"Alert\"." + } }, "enableProxy": { "type": "bool", 
@@ -238,13 +238,6 @@ "description": "An array of Firewall Diagnostic Metrics categories to collect. See \"https://docs.microsoft.com/en-us/azure/firewall/firewall-diagnostics#enable-diagnostic-logging-through-the-azure-portal\" for valid values." } }, - "firewallClientSubnetServiceEndpoints": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "An array of Service Endpoints to enable for the Azure Firewall Client Subnet. See https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview for valid settings." - } - }, "firewallClientPublicIPAddressAvailabilityZones": { "type": "array", "defaultValue": [], @@ -252,13 +245,6 @@ "description": "An array of Azure Firewall Public IP Address Availability Zones. It defaults to empty, or \"No-Zone\", because Availability Zones are not available in every cloud. See https://docs.microsoft.com/en-us/azure/virtual-network/ip-services/public-ip-addresses#sku for valid settings." } }, - "firewallManagementSubnetServiceEndpoints": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "An array of Service Endpoints to enable for the Azure Firewall Management Subnet. See https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview for valid settings." - } - }, "firewallManagementPublicIPAddressAvailabilityZones": { "type": "array", "defaultValue": [], 
@@ -349,17 +335,6 @@ "description": "An array of Network Security Group Metrics to apply to enable for the Hub Virtual Network. See https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/diagnostic-settings?tabs=CMD#metrics for valid settings." } }, - "hubSubnetServiceEndpoints": { - "type": "array", - "defaultValue": [ - { - "service": "Microsoft.Storage" - } - ], - "metadata": { - "description": "An array of Service Endpoints to enable for the Hub subnet. See https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview for valid settings." - } - }, "identityVirtualNetworkDiagnosticsLogs": { "type": "array", "defaultValue": [], @@ -428,17 +403,6 @@ "description": "An array of Network Security Group Metrics to apply to enable for the Identity Virtual Network. See https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/diagnostic-settings?tabs=CMD#metrics for valid settings." } }, - "identitySubnetServiceEndpoints": { - "type": "array", - "defaultValue": [ - { - "service": "Microsoft.Storage" - } - ], - "metadata": { - "description": "An array of Service Endpoints to enable for the Identity subnet. See https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview for valid settings." - } - }, "operationsVirtualNetworkDiagnosticsLogs": { "type": "array", "defaultValue": [], 
@@ -507,17 +471,6 @@ "description": "An array of Network Security Group Diagnostic Metrics to enable for the Operations Virtual Network. See https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/diagnostic-settings?tabs=CMD#metrics for valid settings." } }, - "operationsSubnetServiceEndpoints": { - "type": "array", - "defaultValue": [ - { - "service": "Microsoft.Storage" - } - ], - "metadata": { - "description": "An array of Service Endpoints to enable for the Operations subnet. See https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview for valid settings." - } - }, "sharedServicesVirtualNetworkDiagnosticsLogs": { "type": "array", "defaultValue": [], @@ -586,17 +539,6 @@ "description": "An array of Network Security Group Diagnostic Metrics to enable for the SharedServices Virtual Network. See https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/diagnostic-settings?tabs=CMD#metrics for valid settings." } }, - "sharedServicesSubnetServiceEndpoints": { - "type": "array", - "defaultValue": [ - { - "service": "Microsoft.Storage" - } - ], - "metadata": { - "description": "An array of Service Endpoints to enable for the SharedServices subnet. See https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview for valid settings." - } - }, "deploySentinel": { "type": "bool", "defaultValue": false, @@ -621,9 +563,6 @@ "logAnalyticsWorkspaceSkuName": { "type": "string", "defaultValue": "PerGB2018", - "metadata": { - "description": "[Free/Standard/Premium/PerNode/PerGB2018/Standalone] The SKU for the Log Analytics Workspace. It defaults to \"PerGB2018\". See https://docs.microsoft.com/en-us/azure/azure-monitor/logs/resource-manager-workspace for valid settings." - }, "allowedValues": [ "Free", "Standard", 
@@ -631,7 +570,10 @@ "PerNode", "PerGB2018", "Standalone" - ] + ], + "metadata": { + "description": "[Free/Standard/Premium/PerNode/PerGB2018/Standalone] The SKU for the Log Analytics Workspace. It defaults to \"PerGB2018\". See https://docs.microsoft.com/en-us/azure/azure-monitor/logs/resource-manager-workspace for valid settings." + } }, "logStorageSkuName": { "type": "string", @@ -671,16 +613,16 @@ "linuxVmAuthenticationType": { "type": "string", "defaultValue": "password", - "metadata": { - "description": "[sshPublicKey/password] The authentication type for the Linux Virtual Machine to Azure Bastion remote into. It defaults to \"password\"." - }, "allowedValues": [ "sshPublicKey", "password" - ] + ], + "metadata": { + "description": "[sshPublicKey/password] The authentication type for the Linux Virtual Machine to Azure Bastion remote into. It defaults to \"password\"." + } }, "linuxVmAdminPasswordOrKey": { - "type": "secureString", + "type": "securestring", "defaultValue": "[if(parameters('deployRemoteAccess'), '', newGuid())]", "minLength": 12, "metadata": { @@ -739,13 +681,13 @@ "linuxNetworkInterfacePrivateIPAddressAllocationMethod": { "type": "string", "defaultValue": "Dynamic", - "metadata": { - "description": "[Static/Dynamic] The public IP Address allocation method for the Linux virtual machine. It defaults to \"Dynamic\"." - }, "allowedValues": [ "Static", "Dynamic" - ] + ], + "metadata": { + "description": "[Static/Dynamic] The public IP Address allocation method for the Linux virtual machine. It defaults to \"Dynamic\"." + } }, "windowsVmAdminUsername": { "type": "string", @@ -755,7 +697,7 @@ } }, "windowsVmAdminPassword": { - "type": "secureString", + "type": "securestring", "defaultValue": "[if(parameters('deployRemoteAccess'), '', newGuid())]", "minLength": 12, "metadata": { 
@@ -814,13 +756,13 @@ "windowsNetworkInterfacePrivateIPAddressAllocationMethod": { "type": "string", "defaultValue": "Dynamic", - "metadata": { - "description": "[Static/Dynamic] The public IP Address allocation method for the Windows virtual machine. It defaults to \"Dynamic\"." - }, "allowedValues": [ "Static", "Dynamic" - ] + ], + "metadata": { + "description": "[Static/Dynamic] The public IP Address allocation method for the Windows virtual machine. It defaults to \"Dynamic\"." + } }, "deployPolicy": { "type": "bool", @@ -832,15 +774,15 @@ "policy": { "type": "string", "defaultValue": "NISTRev4", - "metadata": { - "description": "[NISTRev4/NISTRev5/IL5/CMMC] Built-in policy assignments to assign, it defaults to \"NISTRev4\". IL5 is only available for AzureUsGovernment and will switch to NISTRev4 if tried in AzureCloud." - }, "allowedValues": [ "NISTRev4", "NISTRev5", "IL5", "CMMC" - ] + ], + "metadata": { + "description": "[NISTRev4/NISTRev5/IL5/CMMC] Built-in policy assignments to assign, it defaults to \"NISTRev4\". IL5 is only available for AzureUsGovernment and will switch to NISTRev4 if tried in AzureCloud." + } }, "deployDefender": { "type": "bool", @@ -852,13 +794,13 @@ "defenderSkuTier": { "type": "string", "defaultValue": "Standard", - "metadata": { - "description": "[Standard/Free] The SKU for Defender. It defaults to \"Standard\"." - }, "allowedValues": [ "Standard", "Free" - ] + ], + "metadata": { + "description": "[Standard/Free] The SKU for Defender. It defaults to \"Standard\"." + } }, "emailSecurityContact": { "type": "string", 
@@ -869,31 +811,42 @@ } }, "variables": { + "copy": [ + { + "name": "firewallClientUsableIpAddresses", + "count": "[length(range(0, 4))]", + "input": "[cidrHost(parameters('firewallClientSubnetAddressPrefix'), range(0, 4)[copyIndex('firewallClientUsableIpAddresses')])]" + } + ], "resourceToken": "resource_token", "nameToken": "name_token", "namingConvention": "[format('{0}-{1}-{2}-{3}', toLower(parameters('resourcePrefix')), variables('resourceToken'), variables('nameToken'), toLower(parameters('resourceSuffix')))]", "bastionHostNamingConvention": "[replace(variables('namingConvention'), variables('resourceToken'), 'bas')]", "firewallNamingConvention": "[replace(variables('namingConvention'), variables('resourceToken'), 'afw')]", "firewallPolicyNamingConvention": "[replace(variables('namingConvention'), variables('resourceToken'), 'afwp')]", + "keyVaultNamingConvention": "[replace(variables('namingConvention'), variables('resourceToken'), 'kv')]", "ipConfigurationNamingConvention": "[replace(variables('namingConvention'), variables('resourceToken'), 'ipconf')]", "logAnalyticsWorkspaceNamingConvention": "[replace(variables('namingConvention'), variables('resourceToken'), 'log')]", "networkInterfaceNamingConvention": "[replace(variables('namingConvention'), variables('resourceToken'), 'nic')]", "networkSecurityGroupNamingConvention": "[replace(variables('namingConvention'), variables('resourceToken'), 'nsg')]", + "networkWatcherNamingConvention": "[replace(variables('namingConvention'), variables('resourceToken'), 'nw')]", "publicIpAddressNamingConvention": "[replace(variables('namingConvention'), variables('resourceToken'), 'pip')]", "resourceGroupNamingConvention": "[replace(variables('namingConvention'), variables('resourceToken'), 'rg')]", "storageAccountNamingConvention": "[toLower(format('{0}st{1}unique_storage_token', parameters('resourcePrefix'), variables('nameToken')))]", "subnetNamingConvention": "[replace(variables('namingConvention'), 
variables('resourceToken'), 'snet')]", + "userAssignedIdentityNamingConvention": "[replace(variables('namingConvention'), variables('resourceToken'), 'uaid')]", "virtualMachineNamingConvention": "[replace(variables('namingConvention'), variables('resourceToken'), 'vm')]", "virtualNetworkNamingConvention": "[replace(variables('namingConvention'), variables('resourceToken'), 'vnet')]", "hubName": "hub", "hubShortName": "hub", - "hubResourceGroupName": "[replace(variables('resourceGroupNamingConvention'), variables('nameToken'), variables('hubName'))]", + "hubLogStorageAccountName": "[take(variables('hubLogStorageAccountUniqueName'), 23)]", "hubLogStorageAccountShortName": "[replace(variables('storageAccountNamingConvention'), variables('nameToken'), variables('hubShortName'))]", "hubLogStorageAccountUniqueName": "[replace(variables('hubLogStorageAccountShortName'), 'unique_storage_token', uniqueString(parameters('resourcePrefix'), parameters('resourceSuffix'), parameters('hubSubscriptionId')))]", - "hubLogStorageAccountName": "[take(variables('hubLogStorageAccountUniqueName'), 23)]", - "hubVirtualNetworkName": "[replace(variables('virtualNetworkNamingConvention'), variables('nameToken'), variables('hubName'))]", + "hubNetworkWatcherName": "[replace(variables('networkWatcherNamingConvention'), variables('nameToken'), variables('hubName'))]", "hubNetworkSecurityGroupName": "[replace(variables('networkSecurityGroupNamingConvention'), variables('nameToken'), variables('hubName'))]", + "hubResourceGroupName": "[replace(variables('resourceGroupNamingConvention'), variables('nameToken'), variables('hubName'))]", "hubSubnetName": "[replace(variables('subnetNamingConvention'), variables('nameToken'), variables('hubName'))]", + "hubVirtualNetworkName": "[replace(variables('virtualNetworkNamingConvention'), variables('nameToken'), variables('hubName'))]", "identityName": "identity", "identityShortName": "id", "identityResourceGroupName": 
"[replace(variables('resourceGroupNamingConvention'), variables('nameToken'), variables('identityName'))]", @@ -905,6 +858,7 @@ "identitySubnetName": "[replace(variables('subnetNamingConvention'), variables('nameToken'), variables('identityName'))]", "operationsName": "operations", "operationsShortName": "ops", + "operationsKeyVaultName": "[replace(variables('keyVaultNamingConvention'), variables('nameToken'), variables('operationsName'))]", "operationsResourceGroupName": "[replace(variables('resourceGroupNamingConvention'), variables('nameToken'), variables('operationsName'))]", "operationsLogStorageAccountShortName": "[replace(variables('storageAccountNamingConvention'), variables('nameToken'), variables('operationsShortName'))]", "operationsLogStorageAccountUniqueName": "[replace(variables('operationsLogStorageAccountShortName'), 'unique_storage_token', uniqueString(parameters('resourcePrefix'), parameters('resourceSuffix'), parameters('operationsSubscriptionId')))]", @@ -912,6 +866,7 @@ "operationsVirtualNetworkName": "[replace(variables('virtualNetworkNamingConvention'), variables('nameToken'), variables('operationsName'))]", "operationsNetworkSecurityGroupName": "[replace(variables('networkSecurityGroupNamingConvention'), variables('nameToken'), variables('operationsName'))]", "operationsSubnetName": "[replace(variables('subnetNamingConvention'), variables('nameToken'), variables('operationsName'))]", + "operationsUserAssignedIdentityName": "[replace(variables('userAssignedIdentityNamingConvention'), variables('nameToken'), variables('operationsName'))]", "sharedServicesName": "sharedServices", "sharedServicesShortName": "svcs", "sharedServicesResourceGroupName": "[replace(variables('resourceGroupNamingConvention'), variables('nameToken'), variables('sharedServicesName'))]", 
@@ -928,6 +883,7 @@ "firewallClientPublicIPAddressName": "[replace(variables('publicIpAddressNamingConvention'), variables('nameToken'), 'afw-client')]", "firewallManagementIpConfigurationName": "[replace(variables('ipConfigurationNamingConvention'), variables('nameToken'), 'afw-mgmt')]", "firewallManagementPublicIPAddressName": "[replace(variables('publicIpAddressNamingConvention'), variables('nameToken'), 'afw-mgmt')]", + "firewallClientPrivateIpAddress": "[variables('firewallClientUsableIpAddresses')[3]]", "firewallPublicIpAddressSkuName": "Standard", "firewallPublicIpAddressAllocationMethod": "Static", "bastionHostName": "[replace(variables('bastionHostNamingConvention'), variables('nameToken'), variables('hubName'))]", @@ -957,9 +913,8 @@ "networkSecurityGroupDiagnosticsMetrics": "[parameters('identityNetworkSecurityGroupDiagnosticsMetrics')]", "subnetName": "[variables('identitySubnetName')]", "subnetAddressPrefix": "[parameters('identitySubnetAddressPrefix')]", - "subnetServiceEndpoints": "[parameters('identitySubnetServiceEndpoints')]", - "subnetPrivateEndpointNetworkPolicies": "Enabled", - "subnetPrivateLinkServiceNetworkPolicies": "Enabled" + "subnetPrivateEndpointNetworkPolicies": "Disabled", + "subnetPrivateLinkServiceNetworkPolicies": "Disabled" }, { "name": "[variables('operationsName')]", @@ -976,7 +931,6 @@ "networkSecurityGroupDiagnosticsMetrics": "[parameters('operationsNetworkSecurityGroupDiagnosticsMetrics')]", "subnetName": "[variables('operationsSubnetName')]", "subnetAddressPrefix": "[parameters('operationsSubnetAddressPrefix')]", - "subnetServiceEndpoints": "[parameters('operationsSubnetServiceEndpoints')]", "subnetPrivateEndpointNetworkPolicies": "Disabled", "subnetPrivateLinkServiceNetworkPolicies": "Disabled" }, 
@@ -995,9 +949,8 @@ "networkSecurityGroupDiagnosticsMetrics": "[parameters('sharedServicesNetworkSecurityGroupDiagnosticsMetrics')]", "subnetName": "[variables('sharedServicesSubnetName')]", "subnetAddressPrefix": "[parameters('sharedServicesSubnetAddressPrefix')]", - "subnetServiceEndpoints": "[parameters('sharedServicesSubnetServiceEndpoints')]", - "subnetPrivateEndpointNetworkPolicies": "Enabled", - "subnetPrivateLinkServiceNetworkPolicies": "Enabled" + "subnetPrivateEndpointNetworkPolicies": "Disabled", + "subnetPrivateLinkServiceNetworkPolicies": "Disabled" } ], "defaultTags": { @@ -1010,7 +963,7 @@ "resources": [ { "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", + "apiVersion": "2022-09-01", "name": "[format('deploy-rg-hub-{0}', parameters('deploymentNameSuffix'))]", "subscriptionId": "[parameters('hubSubscriptionId')]", "location": "[deployment().location]", @@ -1036,8 +989,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.10.61.36676", - "templateHash": "18346155787391352255" + "version": "0.24.24.22086", + "templateHash": "7140967460139920692" } }, "parameters": { @@ -1088,7 +1041,7 @@ "count": "[length(variables('spokes'))]" }, "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", + "apiVersion": "2022-09-01", "name": "[format('deploy-rg-{0}-{1}', variables('spokes')[copyIndex()].name, parameters('deploymentNameSuffix'))]", "subscriptionId": "[variables('spokes')[copyIndex()].subscriptionId]", "location": "[deployment().location]", @@ -1114,8 +1067,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.10.61.36676", - "templateHash": "18346155787391352255" + "version": "0.24.24.22086", + "templateHash": "7140967460139920692" } }, "parameters": { 
@@ -1162,7 +1115,7 @@ }, { "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", + "apiVersion": "2022-09-01", "name": "[format('deploy-laws-{0}', parameters('deploymentNameSuffix'))]", "subscriptionId": "[parameters('operationsSubscriptionId')]", "resourceGroup": "[variables('operationsResourceGroupName')]", @@ -1200,8 +1153,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.10.61.36676", - "templateHash": "4363803513381780626" + "version": "0.24.24.22086", + "templateHash": "9947295372567029530" } }, "parameters": { @@ -1316,11 +1269,11 @@ } }, { - "condition": "[variables('solutions')[copyIndex()].deploy]", "copy": { "name": "logAnalyticsSolutions", "count": "[length(variables('solutions'))]" }, + "condition": "[variables('solutions')[copyIndex()].deploy]", "type": "Microsoft.OperationsManagement/solutions", "apiVersion": "2015-11-01-preview", "name": "[format('{0}({1})', variables('solutions')[copyIndex()].name, parameters('name'))]", @@ -1374,7 +1327,7 @@ }, { "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", + "apiVersion": "2022-09-01", "name": "[format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix'))]", "subscriptionId": "[parameters('hubSubscriptionId')]", "resourceGroup": "[variables('hubResourceGroupName')]", 
@@ -1384,86 +1337,26 @@ }, "mode": "Incremental", "parameters": { - "location": { - "value": "[parameters('location')]" - }, - "tags": { - "value": "[variables('calculatedTags')]" - }, - "logStorageAccountName": { - "value": "[variables('hubLogStorageAccountName')]" - }, - "logStorageSkuName": { - "value": "[parameters('logStorageSkuName')]" - }, - "logAnalyticsWorkspaceResourceId": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix')))).outputs.id.value]" - }, - "virtualNetworkName": { - "value": "[variables('hubVirtualNetworkName')]" - }, - "virtualNetworkAddressPrefix": { - "value": "[parameters('hubVirtualNetworkAddressPrefix')]" - }, - "virtualNetworkDiagnosticsLogs": { - "value": "[parameters('hubVirtualNetworkDiagnosticsLogs')]" - }, - "virtualNetworkDiagnosticsMetrics": { - "value": "[parameters('hubVirtualNetworkDiagnosticsMetrics')]" - }, - "networkSecurityGroupName": { - "value": "[variables('hubNetworkSecurityGroupName')]" - }, - "networkSecurityGroupRules": { - "value": "[parameters('hubNetworkSecurityGroupRules')]" - }, - "networkSecurityGroupDiagnosticsLogs": { - "value": "[parameters('hubNetworkSecurityGroupDiagnosticsLogs')]" - }, - "networkSecurityGroupDiagnosticsMetrics": { - "value": "[parameters('hubNetworkSecurityGroupDiagnosticsMetrics')]" - }, - "subnetName": { - "value": "[variables('hubSubnetName')]" - }, - "subnetAddressPrefix": { - "value": "[parameters('hubSubnetAddressPrefix')]" - }, - "subnetServiceEndpoints": { - "value": "[parameters('hubSubnetServiceEndpoints')]" - }, - "firewallName": { - "value": "[variables('firewallName')]" - }, - "firewallSkuTier": { - "value": "[parameters('firewallSkuTier')]" - }, - "firewallPolicyName": { - "value": "[variables('firewallPolicyName')]" - }, - "firewallThreatIntelMode": { - 
"value": "[parameters('firewallThreatIntelMode')]" + "bastionHostSubnetAddressPrefix": { + "value": "[parameters('bastionHostSubnetAddressPrefix')]" }, - "firewallIntrusionDetectionMode": { - "value": "[parameters('firewallIntrusionDetectionMode')]" + "deployRemoteAccess": { + "value": "[parameters('deployRemoteAccess')]" }, - "firewallDiagnosticsLogs": { - "value": "[parameters('firewallDiagnosticsLogs')]" + "dnsServers": { + "value": "[parameters('dnsServers')]" }, - "firewallDiagnosticsMetrics": { - "value": "[parameters('firewallDiagnosticsMetrics')]" + "enableProxy": { + "value": "[parameters('enableProxy')]" }, "firewallClientIpConfigurationName": { "value": "[variables('firewallClientIpConfigurationName')]" }, - "firewallClientSubnetName": { - "value": "AzureFirewallSubnet" - }, - "firewallClientSubnetAddressPrefix": { - "value": "[parameters('firewallClientSubnetAddressPrefix')]" + "firewallClientPrivateIpAddress": { + "value": "[variables('firewallClientPrivateIpAddress')]" }, - "firewallClientSubnetServiceEndpoints": { - "value": "[parameters('firewallClientSubnetServiceEndpoints')]" + "firewallClientPublicIPAddressAvailabilityZones": { + "value": "[parameters('firewallClientPublicIPAddressAvailabilityZones')]" }, "firewallClientPublicIPAddressName": { "value": "[variables('firewallClientPublicIPAddressName')]" 
@@ -1474,20 +1367,20 @@ "firewallClientPublicIpAllocationMethod": { "value": "[variables('firewallPublicIpAddressAllocationMethod')]" }, - "firewallClientPublicIPAddressAvailabilityZones": { - "value": "[parameters('firewallClientPublicIPAddressAvailabilityZones')]" + "firewallClientSubnetAddressPrefix": { + "value": "[parameters('firewallClientSubnetAddressPrefix')]" }, - "firewallManagementIpConfigurationName": { - "value": "[variables('firewallManagementIpConfigurationName')]" + "firewallClientSubnetName": { + "value": "AzureFirewallSubnet" }, - "firewallManagementSubnetName": { - "value": "AzureFirewallManagementSubnet" + "firewallIntrusionDetectionMode": { + "value": "[parameters('firewallIntrusionDetectionMode')]" }, - "firewallManagementSubnetAddressPrefix": { - "value": "[parameters('firewallManagementSubnetAddressPrefix')]" + "firewallManagementIpConfigurationName": { + "value": "[variables('firewallManagementIpConfigurationName')]" }, - "firewallManagementSubnetServiceEndpoints": { - "value": "[parameters('firewallManagementSubnetServiceEndpoints')]" + "firewallManagementPublicIPAddressAvailabilityZones": { + "value": "[parameters('firewallManagementPublicIPAddressAvailabilityZones')]" }, "firewallManagementPublicIPAddressName": { "value": "[variables('firewallManagementPublicIPAddressName')]" 
@@ -1498,23 +1391,58 @@ "firewallManagementPublicIpAllocationMethod": { "value": "[variables('firewallPublicIpAddressAllocationMethod')]" }, - "firewallManagementPublicIPAddressAvailabilityZones": { - "value": "[parameters('firewallManagementPublicIPAddressAvailabilityZones')]" + "firewallManagementSubnetAddressPrefix": { + "value": "[parameters('firewallManagementSubnetAddressPrefix')]" + }, + "firewallManagementSubnetName": { + "value": "AzureFirewallManagementSubnet" + }, + "firewallName": { + "value": "[variables('firewallName')]" + }, + "firewallPolicyName": { + "value": "[variables('firewallPolicyName')]" + }, + "firewallSkuTier": { + "value": "[parameters('firewallSkuTier')]" }, "firewallSupernetIPAddress": { "value": "[parameters('firewallSupernetIPAddress')]" }, - "publicIPAddressDiagnosticsLogs": { - "value": "[parameters('publicIPAddressDiagnosticsLogs')]" + "firewallThreatIntelMode": { + "value": "[parameters('firewallThreatIntelMode')]" }, - "publicIPAddressDiagnosticsMetrics": { - "value": "[parameters('publicIPAddressDiagnosticsMetrics')]" + "location": { + "value": "[parameters('location')]" }, - "enableProxy": { - "value": "[parameters('enableProxy')]" + "networkSecurityGroupName": { + "value": "[variables('hubNetworkSecurityGroupName')]" }, - "dnsServers": { - "value": "[parameters('dnsServers')]" + "networkSecurityGroupRules": { + "value": "[parameters('hubNetworkSecurityGroupRules')]" + }, + "networkWatcherName": { + "value": "[variables('hubNetworkWatcherName')]" + }, + "subnetAddressPrefix": { + "value": "[parameters('hubSubnetAddressPrefix')]" + }, + "subnetName": { + "value": "[variables('hubSubnetName')]" + }, + "tags": { + "value": "[variables('calculatedTags')]" + }, + "virtualNetworkAddressPrefix": { + "value": "[parameters('hubVirtualNetworkAddressPrefix')]" + }, + "virtualNetworkName": { + "value": "[variables('hubVirtualNetworkName')]" + }, + "vNetDnsServers": { + "value": [ + "[variables('firewallClientPrivateIpAddress')]" + ] } }, 
"template": { 
@@ -1523,97 +1451,84 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.10.61.36676", - "templateHash": "1557820237271279412" + "version": "0.24.24.22086", + "templateHash": "1909314089015819241" } }, "parameters": { - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]" - }, - "tags": { - "type": "object", - "defaultValue": {} - }, - "logStorageAccountName": { + "bastionHostSubnetAddressPrefix": { "type": "string" }, - "logStorageSkuName": { - "type": "string" + "deployRemoteAccess": { + "type": "bool" }, - "vNetDnsServers": { - "type": "array", - "defaultValue": [] + "dnsServers": { + "type": "array" }, - "logAnalyticsWorkspaceResourceId": { - "type": "string" + "enableProxy": { + "type": "bool" }, - "virtualNetworkName": { + "firewallClientIpConfigurationName": { "type": "string" }, - "virtualNetworkAddressPrefix": { + "firewallClientPrivateIpAddress": { "type": "string" }, - "virtualNetworkDiagnosticsLogs": { - "type": "array" - }, - "virtualNetworkDiagnosticsMetrics": { + "firewallClientPublicIPAddressAvailabilityZones": { "type": "array" }, - "networkSecurityGroupName": { + "firewallClientPublicIPAddressName": { "type": "string" }, - "networkSecurityGroupRules": { - "type": "array" + "firewallClientPublicIPAddressSkuName": { + "type": "string" }, - "networkSecurityGroupDiagnosticsLogs": { - "type": "array" + "firewallClientPublicIpAllocationMethod": { + "type": "string" }, - "networkSecurityGroupDiagnosticsMetrics": { - "type": "array" + "firewallClientSubnetAddressPrefix": { + "type": "string" }, - "subnetName": { + "firewallClientSubnetName": { "type": "string" }, - "subnetAddressPrefix": { + "firewallIntrusionDetectionMode": { + "type": "string", + "allowedValues": [ + "Alert", + "Deny", + "Off" + ] + }, + "firewallManagementIpConfigurationName": { "type": "string" }, - "subnetServiceEndpoints": { + "firewallManagementPublicIPAddressAvailabilityZones": { "type": "array" }, - "routeTableName": { - "type": "string", 
- "defaultValue": "[format('{0}-routetable', parameters('subnetName'))]" + "firewallManagementPublicIPAddressName": { + "type": "string" }, - "routeTableRouteName": { - "type": "string", - "defaultValue": "default_route" + "firewallManagementPublicIPAddressSkuName": { + "type": "string" }, - "routeTableRouteAddressPrefix": { - "type": "string", - "defaultValue": "0.0.0.0/0" + "firewallManagementPublicIpAllocationMethod": { + "type": "string" }, - "routeTableRouteNextHopType": { - "type": "string", - "defaultValue": "VirtualAppliance" + "firewallManagementSubnetAddressPrefix": { + "type": "string" }, - "firewallName": { + "firewallManagementSubnetName": { "type": "string" }, - "firewallSkuTier": { + "firewallName": { "type": "string" }, "firewallPolicyName": { "type": "string" }, - "enableProxy": { - "type": "bool", - "defaultValue": false - }, - "dnsServers": { - "type": "array", - "defaultValue": [] + "firewallSkuTier": { + "type": "string" }, "firewallSupernetIPAddress": { "type": "string" 
@@ -1626,117 +1541,75 @@ "Off" ] }, - "firewallIntrusionDetectionMode": { - "type": "string", - "allowedValues": [ - "Alert", - "Deny", - "Off" - ] - }, - "firewallDiagnosticsLogs": { - "type": "array" - }, - "firewallDiagnosticsMetrics": { - "type": "array" - }, - "firewallClientIpConfigurationName": { - "type": "string" - }, - "firewallClientSubnetName": { + "location": { "type": "string" }, - "firewallClientSubnetAddressPrefix": { + "networkSecurityGroupName": { "type": "string" }, - "firewallClientSubnetServiceEndpoints": { + "networkSecurityGroupRules": { "type": "array" }, - "firewallClientPublicIPAddressName": { + "networkWatcherName": { "type": "string" }, - "firewallClientPublicIPAddressSkuName": { - "type": "string" + "routeTableName": { + "type": "string", + "defaultValue": "[format('{0}-routetable', parameters('subnetName'))]" }, - "firewallClientPublicIpAllocationMethod": { - "type": "string" + "routeTableRouteAddressPrefix": { + "type": "string", + "defaultValue": "0.0.0.0/0" }, - "firewallClientPublicIPAddressAvailabilityZones": { - "type": "array" + "routeTableRouteName": { + "type": "string", + "defaultValue": "default_route" }, - "firewallManagementIpConfigurationName": { - "type": "string" + "routeTableRouteNextHopType": { + "type": "string", + "defaultValue": "VirtualAppliance" }, - "firewallManagementSubnetName": { + "subnetAddressPrefix": { "type": "string" }, - "firewallManagementSubnetAddressPrefix": { + "subnetName": { "type": "string" }, - "firewallManagementSubnetServiceEndpoints": { - "type": "array" - }, - "firewallManagementPublicIPAddressName": { - "type": "string" + "tags": { + "type": "object" }, - "firewallManagementPublicIPAddressSkuName": { + "virtualNetworkAddressPrefix": { "type": "string" }, - "firewallManagementPublicIpAllocationMethod": { + "virtualNetworkName": { "type": "string" }, - "firewallManagementPublicIPAddressAvailabilityZones": { - "type": "array" - }, - "publicIPAddressDiagnosticsLogs": { - "type": "array" - }, - 
"publicIPAddressDiagnosticsMetrics": { + "vNetDnsServers": { "type": "array" } }, + "variables": { + "subnetsBastion": "[if(parameters('deployRemoteAccess'), createArray(createObject('name', 'AzureBastionSubnet', 'properties', createObject('addressPrefix', parameters('bastionHostSubnetAddressPrefix')))), createArray())]" + }, "resources": [ - { - "type": "Microsoft.Network/virtualNetworks/subnets", - "apiVersion": "2021-02-01", - "name": "[format('{0}/{1}', parameters('virtualNetworkName'), parameters('subnetName'))]", - "properties": { - "addressPrefix": "[parameters('subnetAddressPrefix')]", - "networkSecurityGroup": { - "id": "[reference(resourceId('Microsoft.Resources/deployments', 'networkSecurityGroup')).outputs.id.value]" - }, - "routeTable": { - "id": "[reference(resourceId('Microsoft.Resources/deployments', 'routeTable')).outputs.id.value]" - }, - "serviceEndpoints": "[parameters('subnetServiceEndpoints')]", - "privateEndpointNetworkPolicies": "Disabled", - "privateLinkServiceNetworkPolicies": "Enabled" - }, - "dependsOn": [ - "[resourceId('Microsoft.Resources/deployments', 'firewall')]", - "[resourceId('Microsoft.Resources/deployments', 'networkSecurityGroup')]", - "[resourceId('Microsoft.Resources/deployments', 'routeTable')]", - "[resourceId('Microsoft.Resources/deployments', 'virtualNetwork')]" - ] - }, { "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "logStorage", + "apiVersion": "2022-09-01", + "name": "networkSecurityGroup", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { - "storageAccountName": { - "value": "[parameters('logStorageAccountName')]" - }, "location": { "value": "[parameters('location')]" }, - "skuName": { - "value": "[parameters('logStorageSkuName')]" + "name": { + "value": "[parameters('networkSecurityGroupName')]" + }, + "securityRules": { + "value": "[parameters('networkSecurityGroupRules')]" }, "tags": { "value": "[parameters('tags')]" 
@@ -1748,63 +1621,44 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.10.61.36676", - "templateHash": "4435843471246172620" + "version": "0.24.24.22086", + "templateHash": "14964080576155541488" } }, "parameters": { - "storageAccountName": { - "type": "string" - }, "location": { "type": "string" }, - "skuName": { + "name": { "type": "string" }, + "securityRules": { + "type": "array" + }, "tags": { - "type": "object", - "defaultValue": {} + "type": "object" } }, "resources": [ { - "type": "Microsoft.Storage/storageAccounts", - "apiVersion": "2021-01-01", - "name": "[parameters('storageAccountName')]", + "type": "Microsoft.Network/networkSecurityGroups", + "apiVersion": "2021-02-01", + "name": "[parameters('name')]", "location": "[parameters('location')]", - "kind": "StorageV2", - "sku": { - "name": "[parameters('skuName')]" - }, "tags": "[parameters('tags')]", "properties": { - "minimumTlsVersion": "TLS1_2", - "encryption": { - "keySource": "Microsoft.Storage", - "requireInfrastructureEncryption": true, - "services": { - "blob": { - "enabled": true - }, - "file": { - "enabled": true - }, - "queue": { - "enabled": true - }, - "table": { - "enabled": true - } - } - } + "securityRules": "[parameters('securityRules')]" } } ], "outputs": { "id": { "type": "string", - "value": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]" + "value": "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('name'))]" + }, + "name": { + "type": "string", + "value": "[parameters('name')]" } } } 
@@ -1812,37 +1666,34 @@ }, { "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "networkSecurityGroup", + "apiVersion": "2022-09-01", + "name": "routeTable", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { - "name": { - "value": "[parameters('networkSecurityGroupName')]" - }, "location": { "value": "[parameters('location')]" }, - "tags": { - "value": "[parameters('tags')]" + "name": { + "value": "[parameters('routeTableName')]" }, - "securityRules": { - "value": "[parameters('networkSecurityGroupRules')]" + "routeAddressPrefix": { + "value": "[parameters('routeTableRouteAddressPrefix')]" }, - "logAnalyticsWorkspaceResourceId": { - "value": "[parameters('logAnalyticsWorkspaceResourceId')]" + "routeName": { + "value": "[parameters('routeTableRouteName')]" }, - "logStorageAccountResourceId": { - "value": "[reference(resourceId('Microsoft.Resources/deployments', 'logStorage')).outputs.id.value]" + "routeNextHopIpAddress": { + "value": "[parameters('firewallClientPrivateIpAddress')]" }, - "logs": { - "value": "[parameters('networkSecurityGroupDiagnosticsLogs')]" + "routeNextHopType": { + "value": "[parameters('routeTableRouteNextHopType')]" }, - "metrics": { - "value": "[parameters('networkSecurityGroupDiagnosticsMetrics')]" + "tags": { + "value": "[parameters('tags')]" } }, "template": { 
@@ -1851,68 +1702,58 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.10.61.36676", - "templateHash": "7894763285242421186" + "version": "0.24.24.22086", + "templateHash": "3954150695911654455" } }, "parameters": { - "name": { - "type": "string" - }, "location": { "type": "string" }, - "tags": { - "type": "object", - "defaultValue": {} + "name": { + "type": "string" }, - "securityRules": { - "type": "array" + "routeAddressPrefix": { + "type": "string" }, - "logStorageAccountResourceId": { + "routeName": { "type": "string" }, - "logAnalyticsWorkspaceResourceId": { + "routeNextHopIpAddress": { "type": "string" }, - "logs": { - "type": "array" + "routeNextHopType": { + "type": "string" }, - "metrics": { - "type": "array" + "tags": { + "type": "object" } }, "resources": [ { - "type": "Microsoft.Network/networkSecurityGroups", + "type": "Microsoft.Network/routeTables", "apiVersion": "2021-02-01", "name": "[parameters('name')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", "properties": { - "securityRules": "[parameters('securityRules')]" + "routes": [ + { + "name": "[parameters('routeName')]", + "properties": { + "addressPrefix": "[parameters('routeAddressPrefix')]", + "nextHopIpAddress": "[parameters('routeNextHopIpAddress')]", + "nextHopType": "[parameters('routeNextHopType')]" + } + } + ] } - }, - { - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2017-05-01-preview", - "scope": "[format('Microsoft.Network/networkSecurityGroups/{0}', parameters('name'))]", - "name": "[format('{0}-diagnostics', parameters('name'))]", - "properties": { - "storageAccountId": "[parameters('logStorageAccountResourceId')]", - "workspaceId": "[parameters('logAnalyticsWorkspaceResourceId')]", - "logs": "[parameters('logs')]", - "metrics": "[parameters('metrics')]" - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('name'))]" - ] } ], "outputs": { "id": { "type": "string", - "value": 
"[resourceId('Microsoft.Network/networkSecurityGroups', parameters('name'))]" + "value": "[resourceId('Microsoft.Network/routeTables', parameters('name'))]" }, "name": { "type": "string", 
@@ -1920,65 +1761,89 @@ } } } - }, - "dependsOn": [ - "[resourceId('Microsoft.Resources/deployments', 'logStorage')]" - ] + } }, { "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "virtualNetwork", + "apiVersion": "2022-09-01", + "name": "networkWatcher", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { - "name": { - "value": "[parameters('virtualNetworkName')]" - }, "location": { "value": "[parameters('location')]" }, + "name": { + "value": "[parameters('networkWatcherName')]" + }, "tags": { "value": "[parameters('tags')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.24.24.22086", + "templateHash": "14546557041983787127" + } + }, + "parameters": { + "location": { + "type": "string" + }, + "name": { + "type": "string" + }, + "tags": { + "type": "object" + } }, + "resources": [ + { + "type": "Microsoft.Network/networkWatchers", + "apiVersion": "2021-02-01", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "tags": "[parameters('tags')]", + "properties": {} + } + ] + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "virtualNetwork", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { "addressPrefix": { "value": "[parameters('virtualNetworkAddressPrefix')]" }, - "vNetDnsServers": { - "value": "[parameters('vNetDnsServers')]" - }, - "subnets": { - "value": [ - { - "name": "[parameters('firewallClientSubnetName')]", - "properties": { - "addressPrefix": "[parameters('firewallClientSubnetAddressPrefix')]", - "serviceEndpoints": "[parameters('firewallClientSubnetServiceEndpoints')]" - } - }, - { - "name": "[parameters('firewallManagementSubnetName')]", - 
"properties": { - "addressPrefix": "[parameters('firewallManagementSubnetAddressPrefix')]", - "serviceEndpoints": "[parameters('firewallManagementSubnetServiceEndpoints')]" - } - } - ] + "location": { + "value": "[parameters('location')]" }, - "logAnalyticsWorkspaceResourceId": { - "value": "[parameters('logAnalyticsWorkspaceResourceId')]" + "name": { + "value": "[parameters('virtualNetworkName')]" }, - "logStorageAccountResourceId": { - "value": "[reference(resourceId('Microsoft.Resources/deployments', 'logStorage')).outputs.id.value]" + "subnets": { + "value": "[union(createArray(createObject('name', 'AzureFirewallSubnet', 'properties', createObject('addressPrefix', parameters('firewallClientSubnetAddressPrefix'))), createObject('name', 'AzureFirewallManagementSubnet', 'properties', createObject('addressPrefix', parameters('firewallManagementSubnetAddressPrefix'))), createObject('name', parameters('subnetName'), 'properties', createObject('addressPrefix', parameters('subnetAddressPrefix'), 'networkSecurityGroup', createObject('id', reference(resourceId('Microsoft.Resources/deployments', 'networkSecurityGroup'), '2022-09-01').outputs.id.value), 'privateEndpointNetworkPolicies', 'Disabled', 'privateLinkServiceNetworkPolicies', 'Disabled', 'routeTable', createObject('id', reference(resourceId('Microsoft.Resources/deployments', 'routeTable'), '2022-09-01').outputs.id.value)))), variables('subnetsBastion'))]" }, - "logs": { - "value": "[parameters('virtualNetworkDiagnosticsLogs')]" + "tags": { + "value": "[parameters('tags')]" }, - "metrics": { - "value": "[parameters('virtualNetworkDiagnosticsMetrics')]" + "vNetDnsServers": { + "value": "[parameters('vNetDnsServers')]" } }, "template": { 
@@ -1987,41 +1852,27 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.10.61.36676", - "templateHash": "16443263514490560792" + "version": "0.24.24.22086", + "templateHash": "12638783015880972122" } }, "parameters": { - "name": { - "type": "string" - }, - "location": { - "type": "string" - }, - "tags": { - "type": "object", - "defaultValue": {} - }, "addressPrefix": { "type": "string" }, - "vNetDnsServers": { - "type": "array", - "defaultValue": [] - }, - "logAnalyticsWorkspaceResourceId": { + "location": { "type": "string" }, - "logStorageAccountResourceId": { + "name": { "type": "string" }, "subnets": { "type": "array" }, - "logs": { - "type": "array" + "tags": { + "type": "object" }, - "metrics": { + "vNetDnsServers": { "type": "array" } }, @@ -2041,21 +1892,6 @@ "subnets": "[parameters('subnets')]", "dhcpOptions": "[if(not(equals(parameters('vNetDnsServers'), null())), createObject('dnsServers', parameters('vNetDnsServers')), null())]" } - }, - { - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2017-05-01-preview", - "scope": "[format('Microsoft.Network/virtualNetworks/{0}', parameters('name'))]", - "name": "[format('{0}-diagnostics', parameters('name'))]", - "properties": { - "storageAccountId": "[parameters('logStorageAccountResourceId')]", - "workspaceId": "[parameters('logAnalyticsWorkspaceResourceId')]", - "logs": "[parameters('logs')]", - "metrics": "[parameters('metrics')]" - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/virtualNetworks', parameters('name'))]" - ] } ], "outputs": { 
@@ -2069,49 +1905,48 @@ }, "subnets": { "type": "array", - "value": "[reference(resourceId('Microsoft.Network/virtualNetworks', parameters('name'))).subnets]" + "value": "[reference(resourceId('Microsoft.Network/virtualNetworks', parameters('name')), '2021-02-01').subnets]" }, "addressPrefix": { "type": "string", - "value": "[reference(resourceId('Microsoft.Network/virtualNetworks', parameters('name'))).addressSpace.addressPrefixes[0]]" + "value": "[reference(resourceId('Microsoft.Network/virtualNetworks', parameters('name')), '2021-02-01').addressSpace.addressPrefixes[0]]" } } } }, "dependsOn": [ - "[resourceId('Microsoft.Resources/deployments', 'logStorage')]" + "[resourceId('Microsoft.Resources/deployments', 'networkSecurityGroup')]", + "[resourceId('Microsoft.Resources/deployments', 'networkWatcher')]", + "[resourceId('Microsoft.Resources/deployments', 'routeTable')]" ] }, { "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "routeTable", + "apiVersion": "2022-09-01", + "name": "firewallClientPublicIPAddress", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { - "name": { - "value": "[parameters('routeTableName')]" + "availabilityZones": { + "value": "[parameters('firewallClientPublicIPAddressAvailabilityZones')]" }, "location": { "value": "[parameters('location')]" }, - "tags": { - "value": "[parameters('tags')]" - }, - "routeName": { - "value": "[parameters('routeTableRouteName')]" + "name": { + "value": "[parameters('firewallClientPublicIPAddressName')]" }, - "routeAddressPrefix": { - "value": "[parameters('routeTableRouteAddressPrefix')]" + "publicIpAllocationMethod": { + "value": "[parameters('firewallClientPublicIpAllocationMethod')]" }, - "routeNextHopIpAddress": { - "value": "[reference(resourceId('Microsoft.Resources/deployments', 'firewall')).outputs.privateIPAddress.value]" + "skuName": { + "value": "[parameters('firewallClientPublicIPAddressSkuName')]" }, - 
"routeNextHopType": { - "value": "[parameters('routeTableRouteNextHopType')]" + "tags": { + "value": "[parameters('tags')]" } }, "template": { 
@@ -2120,110 +1955,82 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.10.61.36676", - "templateHash": "8332169477119932515" + "version": "0.24.24.22086", + "templateHash": "6027084282099740925" } }, "parameters": { - "name": { - "type": "string" + "availabilityZones": { + "type": "array" }, "location": { "type": "string" }, - "tags": { - "type": "object", - "defaultValue": {} - }, - "routeName": { + "name": { "type": "string" }, - "routeAddressPrefix": { + "publicIpAllocationMethod": { "type": "string" }, - "routeNextHopIpAddress": { + "skuName": { "type": "string" }, - "routeNextHopType": { - "type": "string" + "tags": { + "type": "object" } }, "resources": [ { - "type": "Microsoft.Network/routeTables", + "type": "Microsoft.Network/publicIPAddresses", "apiVersion": "2021-02-01", "name": "[parameters('name')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", + "sku": { + "name": "[parameters('skuName')]" + }, "properties": { - "routes": [ - { - "name": "[parameters('routeName')]", - "properties": { - "addressPrefix": "[parameters('routeAddressPrefix')]", - "nextHopIpAddress": "[parameters('routeNextHopIpAddress')]", - "nextHopType": "[parameters('routeNextHopType')]" - } - } - ] - } + "publicIPAllocationMethod": "[parameters('publicIpAllocationMethod')]" + }, + "zones": "[parameters('availabilityZones')]" } ], "outputs": { "id": { "type": "string", - "value": "[resourceId('Microsoft.Network/routeTables', parameters('name'))]" - }, - "name": { - "type": "string", - "value": "[parameters('name')]" + "value": "[resourceId('Microsoft.Network/publicIPAddresses', parameters('name'))]" } } } - }, - "dependsOn": [ - "[resourceId('Microsoft.Resources/deployments', 'firewall')]" - ] + } }, { "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "firewallClientPublicIPAddress", + "apiVersion": "2022-09-01", + "name": "firewallManagementPublicIPAddress", "properties": { "expressionEvaluationOptions": { 
"scope": "inner" }, "mode": "Incremental", "parameters": { - "name": { - "value": "[parameters('firewallClientPublicIPAddressName')]" + "availabilityZones": { + "value": "[parameters('firewallManagementPublicIPAddressAvailabilityZones')]" }, "location": { "value": "[parameters('location')]" }, - "tags": { - "value": "[parameters('tags')]" - }, - "skuName": { - "value": "[parameters('firewallClientPublicIPAddressSkuName')]" + "name": { + "value": "[parameters('firewallManagementPublicIPAddressName')]" }, "publicIpAllocationMethod": { - "value": "[parameters('firewallClientPublicIpAllocationMethod')]" - }, - "availabilityZones": { - "value": "[parameters('firewallClientPublicIPAddressAvailabilityZones')]" - }, - "logAnalyticsWorkspaceResourceId": { - "value": "[parameters('logAnalyticsWorkspaceResourceId')]" - }, - "logStorageAccountResourceId": { - "value": "[reference(resourceId('Microsoft.Resources/deployments', 'logStorage')).outputs.id.value]" + "value": "[parameters('firewallManagementPublicIpAllocationMethod')]" }, - "logs": { - "value": "[parameters('publicIPAddressDiagnosticsLogs')]" + "skuName": { + "value": "[parameters('firewallManagementPublicIPAddressSkuName')]" }, - "metrics": { - "value": "[parameters('publicIPAddressDiagnosticsMetrics')]" + "tags": { + "value": "[parameters('tags')]" } }, "template": { 
@@ -2232,41 +2039,28 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.10.61.36676", - "templateHash": "18439825222758045392" + "version": "0.24.24.22086", + "templateHash": "6027084282099740925" } }, "parameters": { - "name": { - "type": "string" + "availabilityZones": { + "type": "array" }, "location": { "type": "string" }, - "tags": { - "type": "object", - "defaultValue": {} - }, - "skuName": { + "name": { "type": "string" }, "publicIpAllocationMethod": { "type": "string" }, - "availabilityZones": { - "type": "array" - }, - "logStorageAccountResourceId": { - "type": "string" - }, - "logAnalyticsWorkspaceResourceId": { + "skuName": { "type": "string" }, - "logs": { - "type": "array" - }, - "metrics": { - "type": "array" + "tags": { + "type": "object" } }, "resources": [ @@ -2283,21 +2077,6 @@ "publicIPAllocationMethod": "[parameters('publicIpAllocationMethod')]" }, "zones": "[parameters('availabilityZones')]" - }, - { - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2017-05-01-preview", - "scope": "[format('Microsoft.Network/publicIPAddresses/{0}', parameters('name'))]", - "name": "[format('{0}-diagnostics', parameters('name'))]", - "properties": { - "storageAccountId": "[parameters('logStorageAccountResourceId')]", - "workspaceId": "[parameters('logAnalyticsWorkspaceResourceId')]", - "logs": "[parameters('logs')]", - "metrics": "[parameters('metrics')]" - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/publicIPAddresses', parameters('name'))]" - ] } ], "outputs": { 
@@ -2307,50 +2086,65 @@ } } } - }, - "dependsOn": [ - "[resourceId('Microsoft.Resources/deployments', 'logStorage')]" - ] + } }, { "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "firewallManagementPublicIPAddress", + "apiVersion": "2022-09-01", + "name": "firewall", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { - "name": { - "value": "[parameters('firewallManagementPublicIPAddressName')]" + "clientIpConfigurationName": { + "value": "[parameters('firewallClientIpConfigurationName')]" + }, + "clientIpConfigurationPublicIPAddressResourceId": { + "value": "[reference(resourceId('Microsoft.Resources/deployments', 'firewallClientPublicIPAddress'), '2022-09-01').outputs.id.value]" + }, + "clientIpConfigurationSubnetResourceId": { + "value": "[format('{0}/subnets/{1}', reference(resourceId('Microsoft.Resources/deployments', 'virtualNetwork'), '2022-09-01').outputs.id.value, parameters('firewallClientSubnetName'))]" + }, + "dnsServers": { + "value": "[parameters('dnsServers')]" + }, + "enableProxy": { + "value": "[parameters('enableProxy')]" + }, + "firewallPolicyName": { + "value": "[parameters('firewallPolicyName')]" + }, + "firewallSupernetIPAddress": { + "value": "[parameters('firewallSupernetIPAddress')]" + }, + "intrusionDetectionMode": { + "value": "[parameters('firewallIntrusionDetectionMode')]" }, "location": { "value": "[parameters('location')]" }, - "tags": { - "value": "[parameters('tags')]" - }, - "skuName": { - "value": "[parameters('firewallManagementPublicIPAddressSkuName')]" + "managementIpConfigurationName": { + "value": "[parameters('firewallManagementIpConfigurationName')]" }, - "publicIpAllocationMethod": { - "value": "[parameters('firewallManagementPublicIpAllocationMethod')]" + "managementIpConfigurationPublicIPAddressResourceId": { + "value": "[reference(resourceId('Microsoft.Resources/deployments', 'firewallManagementPublicIPAddress'), 
'2022-09-01').outputs.id.value]" }, - "availabilityZones": { - "value": "[parameters('firewallManagementPublicIPAddressAvailabilityZones')]" + "managementIpConfigurationSubnetResourceId": { + "value": "[format('{0}/subnets/{1}', reference(resourceId('Microsoft.Resources/deployments', 'virtualNetwork'), '2022-09-01').outputs.id.value, parameters('firewallManagementSubnetName'))]" }, - "logAnalyticsWorkspaceResourceId": { - "value": "[parameters('logAnalyticsWorkspaceResourceId')]" + "name": { + "value": "[parameters('firewallName')]" }, - "logStorageAccountResourceId": { - "value": "[reference(resourceId('Microsoft.Resources/deployments', 'logStorage')).outputs.id.value]" + "skuTier": { + "value": "[parameters('firewallSkuTier')]" }, - "logs": { - "value": "[parameters('publicIPAddressDiagnosticsLogs')]" + "tags": { + "value": "[parameters('tags')]" }, - "metrics": { - "value": "[parameters('publicIPAddressDiagnosticsMetrics')]" + "threatIntelMode": { + "value": "[parameters('firewallThreatIntelMode')]" } }, "template": { 
@@ -2359,319 +2153,149 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.10.61.36676", - "templateHash": "18439825222758045392" + "version": "0.24.24.22086", + "templateHash": "11702995579311223719" } }, "parameters": { - "name": { + "clientIpConfigurationName": { "type": "string" }, - "location": { + "clientIpConfigurationSubnetResourceId": { "type": "string" }, - "tags": { - "type": "object", - "defaultValue": {} + "clientIpConfigurationPublicIPAddressResourceId": { + "type": "string" }, - "skuName": { + "dnsServers": { + "type": "array" + }, + "enableProxy": { + "type": "bool" + }, + "firewallPolicyName": { "type": "string" }, - "publicIpAllocationMethod": { + "firewallSupernetIPAddress": { "type": "string" }, - "availabilityZones": { - "type": "array" + "intrusionDetectionMode": { + "type": "string", + "allowedValues": [ + "Alert", + "Deny", + "Off" + ] }, - "logStorageAccountResourceId": { + "location": { "type": "string" }, - "logAnalyticsWorkspaceResourceId": { + "managementIpConfigurationName": { "type": "string" }, - "logs": { - "type": "array" + "managementIpConfigurationSubnetResourceId": { + "type": "string" }, - "metrics": { - "type": "array" + "managementIpConfigurationPublicIPAddressResourceId": { + "type": "string" + }, + "name": { + "type": "string" + }, + "skuTier": { + "type": "string", + "allowedValues": [ + "Standard", + "Premium" + ] + }, + "tags": { + "type": "object", + "defaultValue": {} + }, + "threatIntelMode": { + "type": "string", + "allowedValues": [ + "Alert", + "Deny", + "Off" + ] + } + }, + "variables": { + "intrusionDetectionObject": { + "mode": "[parameters('intrusionDetectionMode')]" } }, "resources": [ { - "type": "Microsoft.Network/publicIPAddresses", + "type": "Microsoft.Network/firewallPolicies", "apiVersion": "2021-02-01", - "name": "[parameters('name')]", + "name": "[parameters('firewallPolicyName')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", - "sku": { - "name": 
"[parameters('skuName')]" - }, "properties": { - "publicIPAllocationMethod": "[parameters('publicIpAllocationMethod')]" - }, - "zones": "[parameters('availabilityZones')]" + "threatIntelMode": "[parameters('threatIntelMode')]", + "intrusionDetection": "[if(equals(parameters('skuTier'), 'Premium'), variables('intrusionDetectionObject'), null())]", + "sku": { + "tier": "[parameters('skuTier')]" + }, + "dnsSettings": { + "enableProxy": "[parameters('enableProxy')]", + "servers": "[parameters('dnsServers')]" + } + } }, { - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2017-05-01-preview", - "scope": "[format('Microsoft.Network/publicIPAddresses/{0}', parameters('name'))]", - "name": "[format('{0}-diagnostics', parameters('name'))]", + "type": "Microsoft.Network/firewallPolicies/ruleCollectionGroups", + "apiVersion": "2021-02-01", + "name": "[format('{0}/{1}', parameters('firewallPolicyName'), 'DefaultApplicationRuleCollectionGroup')]", "properties": { - "storageAccountId": "[parameters('logStorageAccountResourceId')]", - "workspaceId": "[parameters('logAnalyticsWorkspaceResourceId')]", - "logs": "[parameters('logs')]", - "metrics": "[parameters('metrics')]" + "priority": 300, + "ruleCollections": [ + { + "ruleCollectionType": "FirewallPolicyFilterRuleCollection", + "action": { + "type": "Allow" + }, + "rules": [ + { + "ruleType": "ApplicationRule", + "name": "msftauth", + "protocols": [ + { + "protocolType": "Https", + "port": 443 + } + ], + "fqdnTags": [], + "webCategories": [], + "targetFqdns": [ + "aadcdn.msftauth.net", + "aadcdn.msauth.net" + ], + "targetUrls": [], + "terminateTLS": false, + "sourceAddresses": [ + "*" + ], + "destinationAddresses": [], + "sourceIpGroups": [] + } + ], + "name": "AzureAuth", + "priority": 110 + } + ] }, "dependsOn": [ - "[resourceId('Microsoft.Network/publicIPAddresses', parameters('name'))]" - ] - } - ], - "outputs": { - "id": { - "type": "string", - "value": "[resourceId('Microsoft.Network/publicIPAddresses', 
parameters('name'))]" - } - } - } - }, - "dependsOn": [ - "[resourceId('Microsoft.Resources/deployments', 'logStorage')]" - ] - }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "firewall", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[parameters('firewallName')]" - }, - "location": { - "value": "[parameters('location')]" - }, - "tags": { - "value": "[parameters('tags')]" - }, - "skuTier": { - "value": "[parameters('firewallSkuTier')]" - }, - "firewallPolicyName": { - "value": "[parameters('firewallPolicyName')]" - }, - "threatIntelMode": { - "value": "[parameters('firewallThreatIntelMode')]" - }, - "intrusionDetectionMode": { - "value": "[parameters('firewallIntrusionDetectionMode')]" - }, - "clientIpConfigurationName": { - "value": "[parameters('firewallClientIpConfigurationName')]" - }, - "clientIpConfigurationSubnetResourceId": { - "value": "[format('{0}/subnets/{1}', reference(resourceId('Microsoft.Resources/deployments', 'virtualNetwork')).outputs.id.value, parameters('firewallClientSubnetName'))]" - }, - "clientIpConfigurationPublicIPAddressResourceId": { - "value": "[reference(resourceId('Microsoft.Resources/deployments', 'firewallClientPublicIPAddress')).outputs.id.value]" - }, - "firewallSupernetIPAddress": { - "value": "[parameters('firewallSupernetIPAddress')]" - }, - "enableProxy": { - "value": "[parameters('enableProxy')]" - }, - "dnsServers": { - "value": "[parameters('dnsServers')]" - }, - "managementIpConfigurationName": { - "value": "[parameters('firewallManagementIpConfigurationName')]" - }, - "managementIpConfigurationSubnetResourceId": { - "value": "[format('{0}/subnets/{1}', reference(resourceId('Microsoft.Resources/deployments', 'virtualNetwork')).outputs.id.value, parameters('firewallManagementSubnetName'))]" - }, - "managementIpConfigurationPublicIPAddressResourceId": { - "value": 
"[reference(resourceId('Microsoft.Resources/deployments', 'firewallManagementPublicIPAddress')).outputs.id.value]" - }, - "logAnalyticsWorkspaceResourceId": { - "value": "[parameters('logAnalyticsWorkspaceResourceId')]" - }, - "logStorageAccountResourceId": { - "value": "[reference(resourceId('Microsoft.Resources/deployments', 'logStorage')).outputs.id.value]" - }, - "logs": { - "value": "[parameters('firewallDiagnosticsLogs')]" - }, - "metrics": { - "value": "[parameters('firewallDiagnosticsMetrics')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.10.61.36676", - "templateHash": "3970955170518833761" - } - }, - "parameters": { - "name": { - "type": "string" - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]" - }, - "tags": { - "type": "object", - "defaultValue": {} - }, - "skuTier": { - "type": "string", - "allowedValues": [ - "Standard", - "Premium" - ] - }, - "threatIntelMode": { - "type": "string", - "allowedValues": [ - "Alert", - "Deny", - "Off" - ] - }, - "intrusionDetectionMode": { - "type": "string", - "allowedValues": [ - "Alert", - "Deny", - "Off" - ] - }, - "enableProxy": { - "type": "bool" - }, - "dnsServers": { - "type": "array" - }, - "clientIpConfigurationName": { - "type": "string" - }, - "clientIpConfigurationSubnetResourceId": { - "type": "string" - }, - "clientIpConfigurationPublicIPAddressResourceId": { - "type": "string" - }, - "managementIpConfigurationName": { - "type": "string" - }, - "managementIpConfigurationSubnetResourceId": { - "type": "string" - }, - "managementIpConfigurationPublicIPAddressResourceId": { - "type": "string" - }, - "firewallPolicyName": { - "type": "string" - }, - "firewallSupernetIPAddress": { - "type": "string" - }, - "logStorageAccountResourceId": { - "type": "string" - }, - "logAnalyticsWorkspaceResourceId": 
{ - "type": "string" - }, - "logs": { - "type": "array" - }, - "metrics": { - "type": "array" - } - }, - "variables": { - "intrusionDetectionObject": { - "mode": "[parameters('intrusionDetectionMode')]" - } - }, - "resources": [ - { - "type": "Microsoft.Network/firewallPolicies", - "apiVersion": "2021-02-01", - "name": "[parameters('firewallPolicyName')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "threatIntelMode": "[parameters('threatIntelMode')]", - "intrusionDetection": "[if(equals(parameters('skuTier'), 'Premium'), variables('intrusionDetectionObject'), null())]", - "sku": { - "tier": "[parameters('skuTier')]" - }, - "dnsSettings": { - "enableProxy": "[parameters('enableProxy')]", - "servers": "[parameters('dnsServers')]" - } - } - }, - { - "type": "Microsoft.Network/firewallPolicies/ruleCollectionGroups", - "apiVersion": "2021-02-01", - "name": "[format('{0}/DefaultApplicationRuleCollectionGroup', parameters('firewallPolicyName'))]", - "properties": { - "priority": 300, - "ruleCollections": [ - { - "ruleCollectionType": "FirewallPolicyFilterRuleCollection", - "action": { - "type": "Allow" - }, - "rules": [ - { - "ruleType": "ApplicationRule", - "name": "msftauth", - "protocols": [ - { - "protocolType": "Https", - "port": 443 - } - ], - "fqdnTags": [], - "webCategories": [], - "targetFqdns": [ - "aadcdn.msftauth.net", - "aadcdn.msauth.net" - ], - "targetUrls": [], - "terminateTLS": false, - "sourceAddresses": [ - "*" - ], - "destinationAddresses": [], - "sourceIpGroups": [] - } - ], - "name": "AzureAuth", - "priority": 110 - } - ] - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/firewallPolicies', parameters('firewallPolicyName'))]" + "[resourceId('Microsoft.Network/firewallPolicies', parameters('firewallPolicyName'))]" ] }, { "type": "Microsoft.Network/firewallPolicies/ruleCollectionGroups", "apiVersion": "2021-02-01", - "name": "[format('{0}/DefaultNetworkRuleCollectionGroup', 
parameters('firewallPolicyName'))]", + "name": "[format('{0}/{1}', parameters('firewallPolicyName'), 'DefaultNetworkRuleCollectionGroup')]", "properties": { "priority": 200, "ruleCollections": [ @@ -2736,7 +2360,7 @@ ] }, "dependsOn": [ - "[resourceId('Microsoft.Network/firewallPolicies/ruleCollectionGroups', split(format('{0}/DefaultApplicationRuleCollectionGroup', parameters('firewallPolicyName')), '/')[0], split(format('{0}/DefaultApplicationRuleCollectionGroup', parameters('firewallPolicyName')), '/')[1])]", + "[resourceId('Microsoft.Network/firewallPolicies/ruleCollectionGroups', parameters('firewallPolicyName'), 'DefaultApplicationRuleCollectionGroup')]", "[resourceId('Microsoft.Network/firewallPolicies', parameters('firewallPolicyName'))]" ] }, 
@@ -2779,31 +2403,20 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/firewallPolicies/ruleCollectionGroups', split(format('{0}/DefaultApplicationRuleCollectionGroup', parameters('firewallPolicyName')), '/')[0], split(format('{0}/DefaultApplicationRuleCollectionGroup', parameters('firewallPolicyName')), '/')[1])]", - "[resourceId('Microsoft.Network/firewallPolicies/ruleCollectionGroups', split(format('{0}/DefaultNetworkRuleCollectionGroup', parameters('firewallPolicyName')), '/')[0], split(format('{0}/DefaultNetworkRuleCollectionGroup', parameters('firewallPolicyName')), '/')[1])]", + "[resourceId('Microsoft.Network/firewallPolicies/ruleCollectionGroups', parameters('firewallPolicyName'), 'DefaultApplicationRuleCollectionGroup')]", + "[resourceId('Microsoft.Network/firewallPolicies/ruleCollectionGroups', parameters('firewallPolicyName'), 'DefaultNetworkRuleCollectionGroup')]", "[resourceId('Microsoft.Network/firewallPolicies', parameters('firewallPolicyName'))]" ] - }, - { - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2017-05-01-preview", - "scope": "[format('Microsoft.Network/azureFirewalls/{0}', parameters('name'))]", - "name": "[format('{0}-diagnostics', parameters('name'))]", - "properties": { - "storageAccountId": "[parameters('logStorageAccountResourceId')]", - "workspaceId": "[parameters('logAnalyticsWorkspaceResourceId')]", - "logs": "[parameters('logs')]", - "metrics": "[parameters('metrics')]" - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/azureFirewalls', parameters('name'))]" - ] } ], "outputs": { + "name": { + "type": "string", + "value": "[parameters('name')]" + }, "privateIPAddress": { "type": "string", - "value": "[reference(resourceId('Microsoft.Network/azureFirewalls', parameters('name'))).ipConfigurations[0].properties.privateIPAddress]" + "value": "[reference(resourceId('Microsoft.Network/azureFirewalls', parameters('name')), '2021-02-01').ipConfigurations[0].properties.privateIPAddress]" } } } 
@@ -2811,57 +2424,68 @@ "dependsOn": [ "[resourceId('Microsoft.Resources/deployments', 'firewallClientPublicIPAddress')]", "[resourceId('Microsoft.Resources/deployments', 'firewallManagementPublicIPAddress')]", - "[resourceId('Microsoft.Resources/deployments', 'logStorage')]", "[resourceId('Microsoft.Resources/deployments', 'virtualNetwork')]" ] } ], "outputs": { - "virtualNetworkName": { + "bastionHostSubnetResourceId": { "type": "string", - "value": "[reference(resourceId('Microsoft.Resources/deployments', 'virtualNetwork')).outputs.name.value]" + "value": "[if(parameters('deployRemoteAccess'), reference(resourceId('Microsoft.Resources/deployments', 'virtualNetwork'), '2022-09-01').outputs.subnets.value[3].id, '')]" }, - "virtualNetworkResourceId": { + "firewallName": { "type": "string", - "value": "[reference(resourceId('Microsoft.Resources/deployments', 'virtualNetwork')).outputs.id.value]" + "value": "[reference(resourceId('Microsoft.Resources/deployments', 'firewall'), '2022-09-01').outputs.name.value]" }, - "subnetName": { + "firewallPrivateIPAddress": { "type": "string", - "value": "[format('{0}/{1}', parameters('virtualNetworkName'), parameters('subnetName'))]" + "value": "[reference(resourceId('Microsoft.Resources/deployments', 'firewall'), '2022-09-01').outputs.privateIPAddress.value]" }, - "subnetAddressPrefix": { + "networkSecurityGroupName": { "type": "string", - "value": "[reference(resourceId('Microsoft.Network/virtualNetworks/subnets', split(format('{0}/{1}', parameters('virtualNetworkName'), parameters('subnetName')), '/')[0], split(format('{0}/{1}', parameters('virtualNetworkName'), parameters('subnetName')), '/')[1])).addressPrefix]" + "value": "[reference(resourceId('Microsoft.Resources/deployments', 'networkSecurityGroup'), '2022-09-01').outputs.name.value]" }, - "subnetResourceId": { + "networkSecurityGroupResourceId": { "type": "string", - "value": "[resourceId('Microsoft.Network/virtualNetworks/subnets', split(format('{0}/{1}', 
parameters('virtualNetworkName'), parameters('subnetName')), '/')[0], split(format('{0}/{1}', parameters('virtualNetworkName'), parameters('subnetName')), '/')[1])]" + "value": "[reference(resourceId('Microsoft.Resources/deployments', 'networkSecurityGroup'), '2022-09-01').outputs.id.value]" }, - "networkSecurityGroupName": { + "subnetAddressPrefix": { "type": "string", - "value": "[reference(resourceId('Microsoft.Resources/deployments', 'networkSecurityGroup')).outputs.name.value]" + "value": "[reference(resourceId('Microsoft.Resources/deployments', 'virtualNetwork'), '2022-09-01').outputs.subnets.value[2].properties.addressPrefix]" }, - "networkSecurityGroupResourceId": { + "subnetName": { "type": "string", - "value": "[reference(resourceId('Microsoft.Resources/deployments', 'networkSecurityGroup')).outputs.id.value]" + "value": "[reference(resourceId('Microsoft.Resources/deployments', 'virtualNetwork'), '2022-09-01').outputs.subnets.value[2].name]" }, - "firewallPrivateIPAddress": { + "subnetResourceId": { "type": "string", - "value": "[reference(resourceId('Microsoft.Resources/deployments', 'firewall')).outputs.privateIPAddress.value]" + "value": "[reference(resourceId('Microsoft.Resources/deployments', 'virtualNetwork'), '2022-09-01').outputs.subnets.value[2].id]" + }, + "virtualNetworkName": { + "type": "string", + "value": "[reference(resourceId('Microsoft.Resources/deployments', 'virtualNetwork'), '2022-09-01').outputs.name.value]" + }, + "virtualNetworkResourceId": { + "type": "string", + "value": "[reference(resourceId('Microsoft.Resources/deployments', 'virtualNetwork'), '2022-09-01').outputs.id.value]" } } } }, "dependsOn": [ - "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix')))]" + "[subscriptionResourceId(parameters('hubSubscriptionId'), 
'Microsoft.Resources/deployments', format('deploy-rg-hub-{0}', parameters('deploymentNameSuffix')))]" ] }, { + "copy": { + "name": "spokeNetworks", + "count": "[length(variables('spokes'))]" + }, "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "[format('deploy-vnet-hub-DNS-{0}', parameters('deploymentNameSuffix'))]", - "subscriptionId": "[parameters('hubSubscriptionId')]", - "resourceGroup": "[variables('hubResourceGroupName')]", + "apiVersion": "2022-09-01", + "name": "[format('deploy-vnet-{0}-{1}', variables('spokes')[copyIndex()].name, parameters('deploymentNameSuffix'))]", + "subscriptionId": "[variables('spokes')[copyIndex()].subscriptionId]", + "resourceGroup": "[variables('spokes')[copyIndex()].resourceGroupName]", "properties": { "expressionEvaluationOptions": { "scope": "inner" 
@@ -2871,139 +2495,40 @@ "location": { "value": "[parameters('location')]" }, - "tags": { - "value": "[variables('calculatedTags')]" - }, - "logStorageAccountName": { - "value": "[variables('hubLogStorageAccountName')]" - }, - "logStorageSkuName": { - "value": "[parameters('logStorageSkuName')]" - }, - "logAnalyticsWorkspaceResourceId": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix')))).outputs.id.value]" - }, - "virtualNetworkName": { - "value": "[variables('hubVirtualNetworkName')]" - }, - "virtualNetworkAddressPrefix": { - "value": "[parameters('hubVirtualNetworkAddressPrefix')]" - }, - "virtualNetworkDiagnosticsLogs": { - "value": "[parameters('hubVirtualNetworkDiagnosticsLogs')]" - }, - "virtualNetworkDiagnosticsMetrics": { - "value": "[parameters('hubVirtualNetworkDiagnosticsMetrics')]" - }, "networkSecurityGroupName": { - "value": "[variables('hubNetworkSecurityGroupName')]" + "value": "[variables('spokes')[copyIndex()].networkSecurityGroupName]" }, "networkSecurityGroupRules": { - "value": "[parameters('hubNetworkSecurityGroupRules')]" - }, - "networkSecurityGroupDiagnosticsLogs": { - "value": "[parameters('hubNetworkSecurityGroupDiagnosticsLogs')]" - }, - "networkSecurityGroupDiagnosticsMetrics": { - "value": "[parameters('hubNetworkSecurityGroupDiagnosticsMetrics')]" + "value": "[variables('spokes')[copyIndex()].networkSecurityGroupRules]" }, - "subnetName": { - "value": "[variables('hubSubnetName')]" + "routeTableRouteNextHopIpAddress": { + "value": "[variables('firewallClientPrivateIpAddress')]" }, "subnetAddressPrefix": { - "value": "[parameters('hubSubnetAddressPrefix')]" - }, - "subnetServiceEndpoints": { - "value": "[parameters('hubSubnetServiceEndpoints')]" - }, - "firewallName": { - "value": "[variables('firewallName')]" - }, - 
"firewallSkuTier": { - "value": "[parameters('firewallSkuTier')]" - }, - "firewallPolicyName": { - "value": "[variables('firewallPolicyName')]" - }, - "firewallThreatIntelMode": { - "value": "[parameters('firewallThreatIntelMode')]" - }, - "firewallIntrusionDetectionMode": { - "value": "[parameters('firewallIntrusionDetectionMode')]" - }, - "firewallDiagnosticsLogs": { - "value": "[parameters('firewallDiagnosticsLogs')]" - }, - "firewallDiagnosticsMetrics": { - "value": "[parameters('firewallDiagnosticsMetrics')]" - }, - "firewallClientIpConfigurationName": { - "value": "[variables('firewallClientIpConfigurationName')]" - }, - "firewallClientSubnetName": { - "value": "AzureFirewallSubnet" - }, - "firewallClientSubnetAddressPrefix": { - "value": "[parameters('firewallClientSubnetAddressPrefix')]" - }, - "firewallClientSubnetServiceEndpoints": { - "value": "[parameters('firewallClientSubnetServiceEndpoints')]" - }, - "firewallClientPublicIPAddressName": { - "value": "[variables('firewallClientPublicIPAddressName')]" - }, - "firewallClientPublicIPAddressSkuName": { - "value": "[variables('firewallPublicIpAddressSkuName')]" - }, - "firewallClientPublicIpAllocationMethod": { - "value": "[variables('firewallPublicIpAddressAllocationMethod')]" - }, - "firewallClientPublicIPAddressAvailabilityZones": { - "value": "[parameters('firewallClientPublicIPAddressAvailabilityZones')]" - }, - "firewallManagementIpConfigurationName": { - "value": "[variables('firewallManagementIpConfigurationName')]" - }, - "firewallManagementSubnetName": { - "value": "AzureFirewallManagementSubnet" - }, - "firewallManagementSubnetAddressPrefix": { - "value": "[parameters('firewallManagementSubnetAddressPrefix')]" + "value": "[variables('spokes')[copyIndex()].subnetAddressPrefix]" }, - "firewallManagementSubnetServiceEndpoints": { - "value": "[parameters('firewallManagementSubnetServiceEndpoints')]" + "subnetName": { + "value": "[variables('spokes')[copyIndex()].subnetName]" }, - 
"firewallManagementPublicIPAddressName": { - "value": "[variables('firewallManagementPublicIPAddressName')]" + "subnetPrivateEndpointNetworkPolicies": { + "value": "[variables('spokes')[copyIndex()].subnetPrivateEndpointNetworkPolicies]" }, - "firewallManagementPublicIPAddressSkuName": { - "value": "[variables('firewallPublicIpAddressSkuName')]" + "subnetPrivateLinkServiceNetworkPolicies": { + "value": "[variables('spokes')[copyIndex()].subnetPrivateLinkServiceNetworkPolicies]" }, - "firewallManagementPublicIpAllocationMethod": { - "value": "[variables('firewallPublicIpAddressAllocationMethod')]" + "tags": { + "value": "[variables('calculatedTags')]" }, - "firewallManagementPublicIPAddressAvailabilityZones": { - "value": "[parameters('firewallManagementPublicIPAddressAvailabilityZones')]" + "virtualNetworkAddressPrefix": { + "value": "[variables('spokes')[copyIndex()].virtualNetworkAddressPrefix]" }, - "firewallSupernetIPAddress": { - "value": "[parameters('firewallSupernetIPAddress')]" + "virtualNetworkName": { + "value": "[variables('spokes')[copyIndex()].virtualNetworkName]" }, "vNetDnsServers": { "value": [ - "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix')))).outputs.firewallPrivateIPAddress.value]" + "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.firewallPrivateIPAddress.value]" ] - }, - "publicIPAddressDiagnosticsLogs": { - "value": "[parameters('publicIPAddressDiagnosticsLogs')]" - }, - "publicIPAddressDiagnosticsMetrics": { - "value": "[parameters('publicIPAddressDiagnosticsMetrics')]" - }, - "enableProxy": { - "value": 
"[parameters('enableProxy')]" - }, - "dnsServers": { - "value": "[parameters('dnsServers')]" } }, "template": { @@ -3012,65 +2537,20 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.10.61.36676", - "templateHash": "1557820237271279412" + "version": "0.24.24.22086", + "templateHash": "9071918703658960835" } }, "parameters": { "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]" - }, - "tags": { - "type": "object", - "defaultValue": {} - }, - "logStorageAccountName": { - "type": "string" - }, - "logStorageSkuName": { - "type": "string" - }, - "vNetDnsServers": { - "type": "array", - "defaultValue": [] - }, - "logAnalyticsWorkspaceResourceId": { - "type": "string" - }, - "virtualNetworkName": { - "type": "string" - }, - "virtualNetworkAddressPrefix": { "type": "string" }, - "virtualNetworkDiagnosticsLogs": { - "type": "array" - }, - "virtualNetworkDiagnosticsMetrics": { - "type": "array" - }, "networkSecurityGroupName": { "type": "string" }, "networkSecurityGroupRules": { "type": "array" }, - "networkSecurityGroupDiagnosticsLogs": { - "type": "array" - }, - "networkSecurityGroupDiagnosticsMetrics": { - "type": "array" - }, - "subnetName": { - "type": "string" - }, - "subnetAddressPrefix": { - "type": "string" - }, - "subnetServiceEndpoints": { - "type": "array" - }, "routeTableName": { "type": "string", "defaultValue": "[format('{0}-routetable', parameters('subnetName'))]" 
@@ -3083,149 +2563,57 @@ "type": "string", "defaultValue": "0.0.0.0/0" }, + "routeTableRouteNextHopIpAddress": { + "type": "string" + }, "routeTableRouteNextHopType": { "type": "string", "defaultValue": "VirtualAppliance" }, - "firewallName": { - "type": "string" - }, - "firewallSkuTier": { - "type": "string" - }, - "firewallPolicyName": { - "type": "string" - }, - "enableProxy": { - "type": "bool", - "defaultValue": false - }, - "dnsServers": { - "type": "array", - "defaultValue": [] - }, - "firewallSupernetIPAddress": { + "subnetAddressPrefix": { "type": "string" }, - "firewallThreatIntelMode": { - "type": "string", - "allowedValues": [ - "Alert", - "Deny", - "Off" - ] - }, - "firewallIntrusionDetectionMode": { - "type": "string", - "allowedValues": [ - "Alert", - "Deny", - "Off" - ] - }, - "firewallDiagnosticsLogs": { - "type": "array" - }, - "firewallDiagnosticsMetrics": { - "type": "array" - }, - "firewallClientIpConfigurationName": { + "subnetName": { "type": "string" }, - "firewallClientSubnetName": { + "subnetPrivateEndpointNetworkPolicies": { "type": "string" }, - "firewallClientSubnetAddressPrefix": { + "subnetPrivateLinkServiceNetworkPolicies": { "type": "string" }, - "firewallClientSubnetServiceEndpoints": { - "type": "array" - }, - "firewallClientPublicIPAddressName": { - "type": "string" + "tags": { + "type": "object" }, - "firewallClientPublicIPAddressSkuName": { + "virtualNetworkAddressPrefix": { "type": "string" }, - "firewallClientPublicIpAllocationMethod": { + "virtualNetworkName": { "type": "string" }, - "firewallClientPublicIPAddressAvailabilityZones": { - "type": "array" - }, - "firewallManagementIpConfigurationName": { - "type": "string" - }, - "firewallManagementSubnetName": { - "type": "string" - }, - "firewallManagementSubnetAddressPrefix": { - "type": "string" - }, - "firewallManagementSubnetServiceEndpoints": { - "type": "array" - }, - "firewallManagementPublicIPAddressName": { - "type": "string" - }, - 
"firewallManagementPublicIPAddressSkuName": { - "type": "string" - }, - "firewallManagementPublicIpAllocationMethod": { - "type": "string" - }, - "firewallManagementPublicIPAddressAvailabilityZones": { - "type": "array" - }, - "publicIPAddressDiagnosticsLogs": { - "type": "array" - }, - "publicIPAddressDiagnosticsMetrics": { + "vNetDnsServers": { "type": "array" } }, "resources": [ - { - "type": "Microsoft.Network/virtualNetworks/subnets", - "apiVersion": "2021-02-01", - "name": "[format('{0}/{1}', parameters('virtualNetworkName'), parameters('subnetName'))]", - "properties": { - "addressPrefix": "[parameters('subnetAddressPrefix')]", - "networkSecurityGroup": { - "id": "[reference(resourceId('Microsoft.Resources/deployments', 'networkSecurityGroup')).outputs.id.value]" - }, - "routeTable": { - "id": "[reference(resourceId('Microsoft.Resources/deployments', 'routeTable')).outputs.id.value]" - }, - "serviceEndpoints": "[parameters('subnetServiceEndpoints')]", - "privateEndpointNetworkPolicies": "Disabled", - "privateLinkServiceNetworkPolicies": "Enabled" - }, - "dependsOn": [ - "[resourceId('Microsoft.Resources/deployments', 'firewall')]", - "[resourceId('Microsoft.Resources/deployments', 'networkSecurityGroup')]", - "[resourceId('Microsoft.Resources/deployments', 'routeTable')]", - "[resourceId('Microsoft.Resources/deployments', 'virtualNetwork')]" - ] - }, { "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "logStorage", + "apiVersion": "2022-09-01", + "name": "networkSecurityGroup", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { - "storageAccountName": { - "value": "[parameters('logStorageAccountName')]" - }, "location": { "value": "[parameters('location')]" }, - "skuName": { - "value": "[parameters('logStorageSkuName')]" + "name": { + "value": "[parameters('networkSecurityGroupName')]" + }, + "securityRules": { + "value": "[parameters('networkSecurityGroupRules')]" }, 
"tags": { "value": "[parameters('tags')]" @@ -3237,63 +2625,44 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.10.61.36676", - "templateHash": "4435843471246172620" + "version": "0.24.24.22086", + "templateHash": "14964080576155541488" } }, "parameters": { - "storageAccountName": { - "type": "string" - }, "location": { "type": "string" }, - "skuName": { + "name": { "type": "string" }, + "securityRules": { + "type": "array" + }, "tags": { - "type": "object", - "defaultValue": {} + "type": "object" } }, "resources": [ { - "type": "Microsoft.Storage/storageAccounts", - "apiVersion": "2021-01-01", - "name": "[parameters('storageAccountName')]", + "type": "Microsoft.Network/networkSecurityGroups", + "apiVersion": "2021-02-01", + "name": "[parameters('name')]", "location": "[parameters('location')]", - "kind": "StorageV2", - "sku": { - "name": "[parameters('skuName')]" - }, "tags": "[parameters('tags')]", "properties": { - "minimumTlsVersion": "TLS1_2", - "encryption": { - "keySource": "Microsoft.Storage", - "requireInfrastructureEncryption": true, - "services": { - "blob": { - "enabled": true - }, - "file": { - "enabled": true - }, - "queue": { - "enabled": true - }, - "table": { - "enabled": true - } - } - } + "securityRules": "[parameters('securityRules')]" } } ], "outputs": { "id": { "type": "string", - "value": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]" + "value": "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('name'))]" + }, + "name": { + "type": "string", + "value": "[parameters('name')]" } } } 
@@ -3301,37 +2670,34 @@ }, { "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "networkSecurityGroup", + "apiVersion": "2022-09-01", + "name": "routeTable", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { - "name": { - "value": "[parameters('networkSecurityGroupName')]" - }, "location": { "value": "[parameters('location')]" }, - "tags": { - "value": "[parameters('tags')]" + "name": { + "value": "[parameters('routeTableName')]" }, - "securityRules": { - "value": "[parameters('networkSecurityGroupRules')]" + "routeAddressPrefix": { + "value": "[parameters('routeTableRouteAddressPrefix')]" }, - "logAnalyticsWorkspaceResourceId": { - "value": "[parameters('logAnalyticsWorkspaceResourceId')]" + "routeName": { + "value": "[parameters('routeTableRouteName')]" }, - "logStorageAccountResourceId": { - "value": "[reference(resourceId('Microsoft.Resources/deployments', 'logStorage')).outputs.id.value]" + "routeNextHopIpAddress": { + "value": "[parameters('routeTableRouteNextHopIpAddress')]" }, - "logs": { - "value": "[parameters('networkSecurityGroupDiagnosticsLogs')]" + "routeNextHopType": { + "value": "[parameters('routeTableRouteNextHopType')]" }, - "metrics": { - "value": "[parameters('networkSecurityGroupDiagnosticsMetrics')]" + "tags": { + "value": "[parameters('tags')]" } }, "template": { 
@@ -3340,68 +2706,58 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.10.61.36676", - "templateHash": "7894763285242421186" + "version": "0.24.24.22086", + "templateHash": "3954150695911654455" } }, "parameters": { - "name": { - "type": "string" - }, "location": { "type": "string" }, - "tags": { - "type": "object", - "defaultValue": {} + "name": { + "type": "string" }, - "securityRules": { - "type": "array" + "routeAddressPrefix": { + "type": "string" }, - "logStorageAccountResourceId": { + "routeName": { "type": "string" }, - "logAnalyticsWorkspaceResourceId": { + "routeNextHopIpAddress": { "type": "string" }, - "logs": { - "type": "array" + "routeNextHopType": { + "type": "string" }, - "metrics": { - "type": "array" + "tags": { + "type": "object" } }, "resources": [ { - "type": "Microsoft.Network/networkSecurityGroups", + "type": "Microsoft.Network/routeTables", "apiVersion": "2021-02-01", "name": "[parameters('name')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", "properties": { - "securityRules": "[parameters('securityRules')]" + "routes": [ + { + "name": "[parameters('routeName')]", + "properties": { + "addressPrefix": "[parameters('routeAddressPrefix')]", + "nextHopIpAddress": "[parameters('routeNextHopIpAddress')]", + "nextHopType": "[parameters('routeNextHopType')]" + } + } + ] } - }, - { - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2017-05-01-preview", - "scope": "[format('Microsoft.Network/networkSecurityGroups/{0}', parameters('name'))]", - "name": "[format('{0}-diagnostics', parameters('name'))]", - "properties": { - "storageAccountId": "[parameters('logStorageAccountResourceId')]", - "workspaceId": "[parameters('logAnalyticsWorkspaceResourceId')]", - "logs": "[parameters('logs')]", - "metrics": "[parameters('metrics')]" - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('name'))]" - ] } ], "outputs": { "id": { "type": "string", - "value": 
"[resourceId('Microsoft.Network/networkSecurityGroups', parameters('name'))]" + "value": "[resourceId('Microsoft.Network/routeTables', parameters('name'))]" }, "name": { "type": "string", @@ -3409,14 +2765,11 @@ } } } - }, - "dependsOn": [ - "[resourceId('Microsoft.Resources/deployments', 'logStorage')]" - ] + } }, { "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", + "apiVersion": "2022-09-01", "name": "virtualNetwork", "properties": { "expressionEvaluationOptions": { 
@@ -3424,50 +2777,38 @@ }, "mode": "Incremental", "parameters": { - "name": { - "value": "[parameters('virtualNetworkName')]" + "addressPrefix": { + "value": "[parameters('virtualNetworkAddressPrefix')]" }, "location": { "value": "[parameters('location')]" }, - "tags": { - "value": "[parameters('tags')]" - }, - "addressPrefix": { - "value": "[parameters('virtualNetworkAddressPrefix')]" - }, - "vNetDnsServers": { - "value": "[parameters('vNetDnsServers')]" + "name": { + "value": "[parameters('virtualNetworkName')]" }, "subnets": { "value": [ { - "name": "[parameters('firewallClientSubnetName')]", - "properties": { - "addressPrefix": "[parameters('firewallClientSubnetAddressPrefix')]", - "serviceEndpoints": "[parameters('firewallClientSubnetServiceEndpoints')]" - } - }, - { - "name": "[parameters('firewallManagementSubnetName')]", + "name": "[parameters('subnetName')]", "properties": { - "addressPrefix": "[parameters('firewallManagementSubnetAddressPrefix')]", - "serviceEndpoints": "[parameters('firewallManagementSubnetServiceEndpoints')]" + "addressPrefix": "[parameters('subnetAddressPrefix')]", + "networkSecurityGroup": { + "id": "[reference(resourceId('Microsoft.Resources/deployments', 'networkSecurityGroup'), '2022-09-01').outputs.id.value]" + }, + "routeTable": { + "id": "[reference(resourceId('Microsoft.Resources/deployments', 'routeTable'), '2022-09-01').outputs.id.value]" + }, + "privateEndpointNetworkPolicies": "[parameters('subnetPrivateEndpointNetworkPolicies')]", + "privateLinkServiceNetworkPolicies": "[parameters('subnetPrivateLinkServiceNetworkPolicies')]" } } ] }, - "logAnalyticsWorkspaceResourceId": { - "value": "[parameters('logAnalyticsWorkspaceResourceId')]" - }, - "logStorageAccountResourceId": { - "value": "[reference(resourceId('Microsoft.Resources/deployments', 'logStorage')).outputs.id.value]" - }, - "logs": { - "value": "[parameters('virtualNetworkDiagnosticsLogs')]" + "tags": { + "value": "[parameters('tags')]" }, - "metrics": { - "value": 
"[parameters('virtualNetworkDiagnosticsMetrics')]" + "vNetDnsServers": { + "value": "[parameters('vNetDnsServers')]" } }, "template": { @@ -3476,41 +2817,27 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.10.61.36676", - "templateHash": "16443263514490560792" + "version": "0.24.24.22086", + "templateHash": "12638783015880972122" } }, "parameters": { - "name": { - "type": "string" - }, - "location": { - "type": "string" - }, - "tags": { - "type": "object", - "defaultValue": {} - }, "addressPrefix": { "type": "string" }, - "vNetDnsServers": { - "type": "array", - "defaultValue": [] - }, - "logAnalyticsWorkspaceResourceId": { + "location": { "type": "string" }, - "logStorageAccountResourceId": { + "name": { "type": "string" }, "subnets": { "type": "array" }, - "logs": { - "type": "array" + "tags": { + "type": "object" }, - "metrics": { + "vNetDnsServers": { "type": "array" } }, @@ -3530,21 +2857,6 @@ "subnets": "[parameters('subnets')]", "dhcpOptions": "[if(not(equals(parameters('vNetDnsServers'), null())), createObject('dnsServers', parameters('vNetDnsServers')), null())]" } - }, - { - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2017-05-01-preview", - "scope": "[format('Microsoft.Network/virtualNetworks/{0}', parameters('name'))]", - "name": "[format('{0}-diagnostics', parameters('name'))]", - "properties": { - "storageAccountId": "[parameters('logStorageAccountResourceId')]", - "workspaceId": "[parameters('logAnalyticsWorkspaceResourceId')]", - "logs": "[parameters('logs')]", - "metrics": "[parameters('metrics')]" - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/virtualNetworks', parameters('name'))]" - ] } ], "outputs": { 
@@ -3558,23 +2870,114 @@ }, "subnets": { "type": "array", - "value": "[reference(resourceId('Microsoft.Network/virtualNetworks', parameters('name'))).subnets]" + "value": "[reference(resourceId('Microsoft.Network/virtualNetworks', parameters('name')), '2021-02-01').subnets]" }, "addressPrefix": { "type": "string", - "value": "[reference(resourceId('Microsoft.Network/virtualNetworks', parameters('name'))).addressSpace.addressPrefixes[0]]" + "value": "[reference(resourceId('Microsoft.Network/virtualNetworks', parameters('name')), '2021-02-01').addressSpace.addressPrefixes[0]]" } } } }, "dependsOn": [ - "[resourceId('Microsoft.Resources/deployments', 'logStorage')]" + "[resourceId('Microsoft.Resources/deployments', 'networkSecurityGroup')]", + "[resourceId('Microsoft.Resources/deployments', 'routeTable')]" ] + } + ], + "outputs": { + "virtualNetworkName": { + "type": "string", + "value": "[reference(resourceId('Microsoft.Resources/deployments', 'virtualNetwork'), '2022-09-01').outputs.name.value]" }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "routeTable", + "virtualNetworkResourceId": { + "type": "string", + "value": "[reference(resourceId('Microsoft.Resources/deployments', 'virtualNetwork'), '2022-09-01').outputs.id.value]" + }, + "virtualNetworkAddressPrefix": { + "type": "string", + "value": "[reference(resourceId('Microsoft.Resources/deployments', 'virtualNetwork'), '2022-09-01').outputs.addressPrefix.value]" + }, + "subnetName": { + "type": "string", + "value": "[reference(resourceId('Microsoft.Resources/deployments', 'virtualNetwork'), '2022-09-01').outputs.subnets.value[0].name]" + }, + "subnetAddressPrefix": { + "type": "string", + "value": "[reference(resourceId('Microsoft.Resources/deployments', 'virtualNetwork'), '2022-09-01').outputs.subnets.value[0].properties.addressPrefix]" + }, + "subnetResourceId": { + "type": "string", + "value": "[reference(resourceId('Microsoft.Resources/deployments', 
'virtualNetwork'), '2022-09-01').outputs.subnets.value[0].id]" + }, + "networkSecurityGroupName": { + "type": "string", + "value": "[reference(resourceId('Microsoft.Resources/deployments', 'networkSecurityGroup'), '2022-09-01').outputs.name.value]" + }, + "networkSecurityGroupResourceId": { + "type": "string", + "value": "[reference(resourceId('Microsoft.Resources/deployments', 'networkSecurityGroup'), '2022-09-01').outputs.id.value]" + } + } + } + }, + "dependsOn": [ + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix')))]", + "spokeResourceGroups" + ] + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('deploy-vnet-peerings-hub-{0}', parameters('deploymentNameSuffix'))]", + "subscriptionId": "[parameters('hubSubscriptionId')]", + "resourceGroup": "[variables('hubResourceGroupName')]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "hubVirtualNetworkName": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.virtualNetworkName.value]" + }, + "spokes": { + "copy": [ + { + "name": "value", + "count": "[length(variables('spokes'))]", + "input": "[createObject('type', variables('spokes')[copyIndex('value')].name, 'virtualNetworkName', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', variables('spokes')[copyIndex('value')].subscriptionId, variables('spokes')[copyIndex('value')].resourceGroupName), 'Microsoft.Resources/deployments', format('deploy-vnet-{0}-{1}', 
variables('spokes')[copyIndex('value')].name, parameters('deploymentNameSuffix'))), '2022-09-01').outputs.virtualNetworkName.value, 'virtualNetworkResourceId', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', variables('spokes')[copyIndex('value')].subscriptionId, variables('spokes')[copyIndex('value')].resourceGroupName), 'Microsoft.Resources/deployments', format('deploy-vnet-{0}-{1}', variables('spokes')[copyIndex('value')].name, parameters('deploymentNameSuffix'))), '2022-09-01').outputs.virtualNetworkResourceId.value)]" + } + ] + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.24.24.22086", + "templateHash": "9588462177817329290" + } + }, + "parameters": { + "hubVirtualNetworkName": { + "type": "string" + }, + "spokes": { + "type": "array" + } + }, + "resources": [ + { + "copy": { + "name": "hubToSpokePeering", + "count": "[length(parameters('spokes'))]" + }, + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('hub-to-{0}-vnet-peering', parameters('spokes')[copyIndex()].type)]", "properties": { "expressionEvaluationOptions": { "scope": "inner" 
@@ -3582,25 +2985,10 @@ "mode": "Incremental", "parameters": { "name": { - "value": "[parameters('routeTableName')]" - }, - "location": { - "value": "[parameters('location')]" - }, - "tags": { - "value": "[parameters('tags')]" - }, - "routeName": { - "value": "[parameters('routeTableRouteName')]" - }, - "routeAddressPrefix": { - "value": "[parameters('routeTableRouteAddressPrefix')]" - }, - "routeNextHopIpAddress": { - "value": "[reference(resourceId('Microsoft.Resources/deployments', 'firewall')).outputs.privateIPAddress.value]" + "value": "[format('{0}/to-{1}', parameters('hubVirtualNetworkName'), parameters('spokes')[copyIndex()].virtualNetworkName)]" }, - "routeNextHopType": { - "value": "[parameters('routeTableRouteNextHopType')]" + "remoteVirtualNetworkResourceId": { + "value": "[parameters('spokes')[copyIndex()].virtualNetworkResourceId]" } }, "template": { 
@@ -3609,75 +2997,107 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.10.61.36676", - "templateHash": "8332169477119932515" + "version": "0.24.24.22086", + "templateHash": "9853575474833495545" } }, "parameters": { "name": { "type": "string" }, - "location": { - "type": "string" - }, - "tags": { - "type": "object", - "defaultValue": {} - }, - "routeName": { - "type": "string" - }, - "routeAddressPrefix": { - "type": "string" - }, - "routeNextHopIpAddress": { - "type": "string" - }, - "routeNextHopType": { + "remoteVirtualNetworkResourceId": { "type": "string" } }, "resources": [ { - "type": "Microsoft.Network/routeTables", + "type": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings", "apiVersion": "2021-02-01", "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", "properties": { - "routes": [ - { - "name": "[parameters('routeName')]", - "properties": { - "addressPrefix": "[parameters('routeAddressPrefix')]", - "nextHopIpAddress": "[parameters('routeNextHopIpAddress')]", - "nextHopType": "[parameters('routeNextHopType')]" - } - } - ] + "allowForwardedTraffic": true, + "remoteVirtualNetwork": { + "id": "[parameters('remoteVirtualNetworkResourceId')]" + } } } - ], - "outputs": { - "id": { - "type": "string", - "value": "[resourceId('Microsoft.Network/routeTables', parameters('name'))]" - }, - "name": { - "type": "string", - "value": "[parameters('name')]" - } - } + ] } - }, - "dependsOn": [ - "[resourceId('Microsoft.Resources/deployments', 'firewall')]" - ] + } + } + ] + } + }, + "dependsOn": [ + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix')))]", + "spokeNetworks" + ] + }, + { + "copy": { + "name": "spokeVirtualNetworkPeerings", + "count": "[length(variables('spokes'))]" + }, + "type": 
"Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('deploy-vnet-peerings-{0}-{1}', variables('spokes')[copyIndex()].name, parameters('deploymentNameSuffix'))]", + "subscriptionId": "[variables('spokes')[copyIndex()].subscriptionId]", + "location": "[deployment().location]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "spokeName": { + "value": "[variables('spokes')[copyIndex()].name]" + }, + "spokeResourceGroupName": { + "value": "[variables('spokes')[copyIndex()].resourceGroupName]" + }, + "spokeVirtualNetworkName": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', variables('spokes')[copyIndex()].subscriptionId, variables('spokes')[copyIndex()].resourceGroupName), 'Microsoft.Resources/deployments', format('deploy-vnet-{0}-{1}', variables('spokes')[copyIndex()].name, parameters('deploymentNameSuffix'))), '2022-09-01').outputs.virtualNetworkName.value]" + }, + "hubVirtualNetworkName": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.virtualNetworkName.value]" + }, + "hubVirtualNetworkResourceId": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.virtualNetworkResourceId.value]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.24.24.22086", + "templateHash": 
"1352997920612289656" + } + }, + "parameters": { + "spokeName": { + "type": "string" + }, + "spokeResourceGroupName": { + "type": "string" + }, + "spokeVirtualNetworkName": { + "type": "string" + }, + "hubVirtualNetworkName": { + "type": "string" }, + "hubVirtualNetworkResourceId": { + "type": "string" + } + }, + "resources": [ { "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "firewallClientPublicIPAddress", + "apiVersion": "2022-09-01", + "name": "[format('{0}-to-hub-vnet-peering', parameters('spokeName'))]", + "resourceGroup": "[parameters('spokeResourceGroupName')]", "properties": { "expressionEvaluationOptions": { "scope": "inner" @@ -3685,34 +3105,10 @@ "mode": "Incremental", "parameters": { "name": { - "value": "[parameters('firewallClientPublicIPAddressName')]" - }, - "location": { - "value": "[parameters('location')]" - }, - "tags": { - "value": "[parameters('tags')]" - }, - "skuName": { - "value": "[parameters('firewallClientPublicIPAddressSkuName')]" - }, - "publicIpAllocationMethod": { - "value": "[parameters('firewallClientPublicIpAllocationMethod')]" - }, - "availabilityZones": { - "value": "[parameters('firewallClientPublicIPAddressAvailabilityZones')]" - }, - "logAnalyticsWorkspaceResourceId": { - "value": "[parameters('logAnalyticsWorkspaceResourceId')]" - }, - "logStorageAccountResourceId": { - "value": "[reference(resourceId('Microsoft.Resources/deployments', 'logStorage')).outputs.id.value]" - }, - "logs": { - "value": "[parameters('publicIPAddressDiagnosticsLogs')]" + "value": "[format('{0}/to-{1}', parameters('spokeVirtualNetworkName'), parameters('hubVirtualNetworkName'))]" }, - "metrics": { - "value": "[parameters('publicIPAddressDiagnosticsMetrics')]" + "remoteVirtualNetworkResourceId": { + "value": "[parameters('hubVirtualNetworkResourceId')]" } }, "template": { 
@@ -3721,2947 +3117,2935 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.10.61.36676", - "templateHash": "18439825222758045392" + "version": "0.24.24.22086", + "templateHash": "9853575474833495545" } }, "parameters": { "name": { "type": "string" }, - "location": { - "type": "string" - }, - "tags": { - "type": "object", - "defaultValue": {} - }, - "skuName": { - "type": "string" - }, - "publicIpAllocationMethod": { + "remoteVirtualNetworkResourceId": { "type": "string" - }, - "availabilityZones": { - "type": "array" - }, - "logStorageAccountResourceId": { - "type": "string" - }, - "logAnalyticsWorkspaceResourceId": { - "type": "string" - }, - "logs": { - "type": "array" - }, - "metrics": { - "type": "array" } }, "resources": [ { - "type": "Microsoft.Network/publicIPAddresses", + "type": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings", "apiVersion": "2021-02-01", "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "sku": { - "name": "[parameters('skuName')]" - }, - "properties": { - "publicIPAllocationMethod": "[parameters('publicIpAllocationMethod')]" - }, - "zones": "[parameters('availabilityZones')]" - }, - { - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2017-05-01-preview", - "scope": "[format('Microsoft.Network/publicIPAddresses/{0}', parameters('name'))]", - "name": "[format('{0}-diagnostics', parameters('name'))]", "properties": { - "storageAccountId": "[parameters('logStorageAccountResourceId')]", - "workspaceId": "[parameters('logAnalyticsWorkspaceResourceId')]", - "logs": "[parameters('logs')]", - "metrics": "[parameters('metrics')]" - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/publicIPAddresses', parameters('name'))]" - ] - } - ], - "outputs": { - "id": { - "type": "string", - "value": "[resourceId('Microsoft.Network/publicIPAddresses', parameters('name'))]" + "allowForwardedTraffic": true, + "remoteVirtualNetwork": { + "id": 
"[parameters('remoteVirtualNetworkResourceId')]" + } + } } - } + ] } - }, - "dependsOn": [ - "[resourceId('Microsoft.Resources/deployments', 'logStorage')]" - ] + } + } + ] + } + }, + "dependsOn": [ + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix')))]", + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', variables('spokes')[copyIndex()].subscriptionId, variables('spokes')[copyIndex()].resourceGroupName), 'Microsoft.Resources/deployments', format('deploy-vnet-{0}-{1}', variables('spokes')[copyIndex()].name, parameters('deploymentNameSuffix')))]" + ] + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "azure-private-dns", + "subscriptionId": "[parameters('hubSubscriptionId')]", + "resourceGroup": "[variables('hubResourceGroupName')]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "vnetName": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.virtualNetworkName.value]" + }, + "tags": { + "value": "[parameters('tags')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.24.24.22086", + "templateHash": "15825906422669965879" + } + }, + "parameters": { + "vnetName": { + "type": "string", + "metadata": { + "description": "The name of the virtual network the private dns zones will be connected to" + } }, - { - "type": "Microsoft.Resources/deployments", 
- "apiVersion": "2020-10-01", - "name": "firewallManagementPublicIPAddress", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[parameters('firewallManagementPublicIPAddressName')]" - }, - "location": { - "value": "[parameters('location')]" - }, - "tags": { - "value": "[parameters('tags')]" - }, - "skuName": { - "value": "[parameters('firewallManagementPublicIPAddressSkuName')]" - }, - "publicIpAllocationMethod": { - "value": "[parameters('firewallManagementPublicIpAllocationMethod')]" - }, - "availabilityZones": { - "value": "[parameters('firewallManagementPublicIPAddressAvailabilityZones')]" - }, - "logAnalyticsWorkspaceResourceId": { - "value": "[parameters('logAnalyticsWorkspaceResourceId')]" - }, - "logStorageAccountResourceId": { - "value": "[reference(resourceId('Microsoft.Resources/deployments', 'logStorage')).outputs.id.value]" - }, - "logs": { - "value": "[parameters('publicIPAddressDiagnosticsLogs')]" - }, - "metrics": { - "value": "[parameters('publicIPAddressDiagnosticsMetrics')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.10.61.36676", - "templateHash": "18439825222758045392" - } - }, - "parameters": { - "name": { - "type": "string" - }, - "location": { - "type": "string" - }, - "tags": { - "type": "object", - "defaultValue": {} - }, - "skuName": { - "type": "string" - }, - "publicIpAllocationMethod": { - "type": "string" - }, - "availabilityZones": { - "type": "array" - }, - "logStorageAccountResourceId": { - "type": "string" - }, - "logAnalyticsWorkspaceResourceId": { - "type": "string" - }, - "logs": { - "type": "array" - }, - "metrics": { - "type": "array" - } - }, - "resources": [ - { - "type": "Microsoft.Network/publicIPAddresses", - "apiVersion": "2021-02-01", - "name": 
"[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "sku": { - "name": "[parameters('skuName')]" - }, - "properties": { - "publicIPAllocationMethod": "[parameters('publicIpAllocationMethod')]" - }, - "zones": "[parameters('availabilityZones')]" - }, - { - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2017-05-01-preview", - "scope": "[format('Microsoft.Network/publicIPAddresses/{0}', parameters('name'))]", - "name": "[format('{0}-diagnostics', parameters('name'))]", - "properties": { - "storageAccountId": "[parameters('logStorageAccountResourceId')]", - "workspaceId": "[parameters('logAnalyticsWorkspaceResourceId')]", - "logs": "[parameters('logs')]", - "metrics": "[parameters('metrics')]" - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/publicIPAddresses', parameters('name'))]" - ] - } - ], - "outputs": { - "id": { - "type": "string", - "value": "[resourceId('Microsoft.Network/publicIPAddresses', parameters('name'))]" - } - } - } - }, - "dependsOn": [ - "[resourceId('Microsoft.Resources/deployments', 'logStorage')]" - ] + "vnetResourceGroup": { + "type": "string", + "defaultValue": "[resourceGroup().name]", + "metadata": { + "description": "The name of the the resource group where the virtual network exists" + } }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "firewall", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" + "vnetSubscriptionId": { + "type": "string", + "defaultValue": "[subscription().subscriptionId]", + "metadata": { + "description": "The subscription id of the subscription the virtual network exists in" + } + }, + "tags": { + "type": "object", + "metadata": { + "description": "The tags that will be associated to the resources" + } + } + }, + "variables": { + "copy": [ + { + "name": "privatelink_backup_names", + "count": "[length(items(variables('locations')))]", + "input": 
"[format('privatelink.backup.{0}.{1}', items(variables('locations'))[copyIndex('privatelink_backup_names')].value.recoveryServicesGeo, variables('cloudSuffix'))]" + } + ], + "$fxv#0": { + "AzureChina": { + "chinaeast": { + "abbreviation": "cne", + "recoveryServicesGeo": "sha", + "timeDifference": "+8:00", + "timeZone": "China Standard Time" }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[parameters('firewallName')]" - }, - "location": { - "value": "[parameters('location')]" - }, - "tags": { - "value": "[parameters('tags')]" - }, - "skuTier": { - "value": "[parameters('firewallSkuTier')]" - }, - "firewallPolicyName": { - "value": "[parameters('firewallPolicyName')]" - }, - "threatIntelMode": { - "value": "[parameters('firewallThreatIntelMode')]" - }, - "intrusionDetectionMode": { - "value": "[parameters('firewallIntrusionDetectionMode')]" - }, - "clientIpConfigurationName": { - "value": "[parameters('firewallClientIpConfigurationName')]" - }, - "clientIpConfigurationSubnetResourceId": { - "value": "[format('{0}/subnets/{1}', reference(resourceId('Microsoft.Resources/deployments', 'virtualNetwork')).outputs.id.value, parameters('firewallClientSubnetName'))]" - }, - "clientIpConfigurationPublicIPAddressResourceId": { - "value": "[reference(resourceId('Microsoft.Resources/deployments', 'firewallClientPublicIPAddress')).outputs.id.value]" - }, - "firewallSupernetIPAddress": { - "value": "[parameters('firewallSupernetIPAddress')]" - }, - "enableProxy": { - "value": "[parameters('enableProxy')]" - }, - "dnsServers": { - "value": "[parameters('dnsServers')]" - }, - "managementIpConfigurationName": { - "value": "[parameters('firewallManagementIpConfigurationName')]" - }, - "managementIpConfigurationSubnetResourceId": { - "value": "[format('{0}/subnets/{1}', reference(resourceId('Microsoft.Resources/deployments', 'virtualNetwork')).outputs.id.value, parameters('firewallManagementSubnetName'))]" - }, - 
"managementIpConfigurationPublicIPAddressResourceId": { - "value": "[reference(resourceId('Microsoft.Resources/deployments', 'firewallManagementPublicIPAddress')).outputs.id.value]" - }, - "logAnalyticsWorkspaceResourceId": { - "value": "[parameters('logAnalyticsWorkspaceResourceId')]" - }, - "logStorageAccountResourceId": { - "value": "[reference(resourceId('Microsoft.Resources/deployments', 'logStorage')).outputs.id.value]" - }, - "logs": { - "value": "[parameters('firewallDiagnosticsLogs')]" - }, - "metrics": { - "value": "[parameters('firewallDiagnosticsMetrics')]" - } + "chinaeast2": { + "abbreviation": "cne2", + "recoveryServicesGeo": "sha2", + "timeDifference": "+8:00", + "timeZone": "China Standard Time" }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.10.61.36676", - "templateHash": "3970955170518833761" - } - }, - "parameters": { - "name": { - "type": "string" - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]" - }, - "tags": { - "type": "object", - "defaultValue": {} - }, - "skuTier": { - "type": "string", - "allowedValues": [ - "Standard", - "Premium" - ] - }, - "threatIntelMode": { - "type": "string", - "allowedValues": [ - "Alert", - "Deny", - "Off" - ] - }, - "intrusionDetectionMode": { - "type": "string", - "allowedValues": [ - "Alert", - "Deny", - "Off" - ] - }, - "enableProxy": { - "type": "bool" - }, - "dnsServers": { - "type": "array" - }, - "clientIpConfigurationName": { - "type": "string" - }, - "clientIpConfigurationSubnetResourceId": { - "type": "string" - }, - "clientIpConfigurationPublicIPAddressResourceId": { - "type": "string" - }, - "managementIpConfigurationName": { - "type": "string" - }, - "managementIpConfigurationSubnetResourceId": { - "type": "string" - }, - "managementIpConfigurationPublicIPAddressResourceId": { - "type": "string" 
- }, - "firewallPolicyName": { - "type": "string" - }, - "firewallSupernetIPAddress": { - "type": "string" - }, - "logStorageAccountResourceId": { - "type": "string" - }, - "logAnalyticsWorkspaceResourceId": { - "type": "string" - }, - "logs": { - "type": "array" - }, - "metrics": { - "type": "array" - } - }, - "variables": { - "intrusionDetectionObject": { - "mode": "[parameters('intrusionDetectionMode')]" - } - }, - "resources": [ - { - "type": "Microsoft.Network/firewallPolicies", - "apiVersion": "2021-02-01", - "name": "[parameters('firewallPolicyName')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "threatIntelMode": "[parameters('threatIntelMode')]", - "intrusionDetection": "[if(equals(parameters('skuTier'), 'Premium'), variables('intrusionDetectionObject'), null())]", - "sku": { - "tier": "[parameters('skuTier')]" - }, - "dnsSettings": { - "enableProxy": "[parameters('enableProxy')]", - "servers": "[parameters('dnsServers')]" - } - } - }, - { - "type": "Microsoft.Network/firewallPolicies/ruleCollectionGroups", - "apiVersion": "2021-02-01", - "name": "[format('{0}/DefaultApplicationRuleCollectionGroup', parameters('firewallPolicyName'))]", - "properties": { - "priority": 300, - "ruleCollections": [ - { - "ruleCollectionType": "FirewallPolicyFilterRuleCollection", - "action": { - "type": "Allow" - }, - "rules": [ - { - "ruleType": "ApplicationRule", - "name": "msftauth", - "protocols": [ - { - "protocolType": "Https", - "port": 443 - } - ], - "fqdnTags": [], - "webCategories": [], - "targetFqdns": [ - "aadcdn.msftauth.net", - "aadcdn.msauth.net" - ], - "targetUrls": [], - "terminateTLS": false, - "sourceAddresses": [ - "*" - ], - "destinationAddresses": [], - "sourceIpGroups": [] - } - ], - "name": "AzureAuth", - "priority": 110 - } - ] - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/firewallPolicies', parameters('firewallPolicyName'))]" - ] - }, - { - "type": 
"Microsoft.Network/firewallPolicies/ruleCollectionGroups", - "apiVersion": "2021-02-01", - "name": "[format('{0}/DefaultNetworkRuleCollectionGroup', parameters('firewallPolicyName'))]", - "properties": { - "priority": 200, - "ruleCollections": [ - { - "ruleCollectionType": "FirewallPolicyFilterRuleCollection", - "action": { - "type": "Allow" - }, - "rules": [ - { - "ruleType": "NetworkRule", - "name": "AzureCloud", - "ipProtocols": [ - "Any" - ], - "sourceAddresses": [ - "*" - ], - "sourceIpGroups": [], - "destinationAddresses": [ - "AzureCloud" - ], - "destinationIpGroups": [], - "destinationFqdns": [], - "destinationPorts": [ - "*" - ] - } - ], - "name": "AllowAzureCloud", - "priority": 100 - }, - { - "ruleCollectionType": "FirewallPolicyFilterRuleCollection", - "action": { - "type": "Allow" - }, - "rules": [ - { - "ruleType": "NetworkRule", - "name": "AllSpokeTraffic", - "ipProtocols": [ - "Any" - ], - "sourceAddresses": [ - "[parameters('firewallSupernetIPAddress')]" - ], - "sourceIpGroups": [], - "destinationAddresses": [ - "*" - ], - "destinationIpGroups": [], - "destinationFqdns": [], - "destinationPorts": [ - "*" - ] - } - ], - "name": "AllowTrafficBetweenSpokes", - "priority": 200 - } - ] - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/firewallPolicies/ruleCollectionGroups', split(format('{0}/DefaultApplicationRuleCollectionGroup', parameters('firewallPolicyName')), '/')[0], split(format('{0}/DefaultApplicationRuleCollectionGroup', parameters('firewallPolicyName')), '/')[1])]", - "[resourceId('Microsoft.Network/firewallPolicies', parameters('firewallPolicyName'))]" - ] - }, - { - "type": "Microsoft.Network/azureFirewalls", - "apiVersion": "2021-02-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "ipConfigurations": [ - { - "name": "[parameters('clientIpConfigurationName')]", - "properties": { - "subnet": { - "id": 
"[parameters('clientIpConfigurationSubnetResourceId')]" - }, - "publicIPAddress": { - "id": "[parameters('clientIpConfigurationPublicIPAddressResourceId')]" - } - } - } - ], - "managementIpConfiguration": { - "name": "[parameters('managementIpConfigurationName')]", - "properties": { - "subnet": { - "id": "[parameters('managementIpConfigurationSubnetResourceId')]" - }, - "publicIPAddress": { - "id": "[parameters('managementIpConfigurationPublicIPAddressResourceId')]" - } - } - }, - "firewallPolicy": { - "id": "[resourceId('Microsoft.Network/firewallPolicies', parameters('firewallPolicyName'))]" - }, - "sku": { - "tier": "[parameters('skuTier')]" - } - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/firewallPolicies/ruleCollectionGroups', split(format('{0}/DefaultApplicationRuleCollectionGroup', parameters('firewallPolicyName')), '/')[0], split(format('{0}/DefaultApplicationRuleCollectionGroup', parameters('firewallPolicyName')), '/')[1])]", - "[resourceId('Microsoft.Network/firewallPolicies/ruleCollectionGroups', split(format('{0}/DefaultNetworkRuleCollectionGroup', parameters('firewallPolicyName')), '/')[0], split(format('{0}/DefaultNetworkRuleCollectionGroup', parameters('firewallPolicyName')), '/')[1])]", - "[resourceId('Microsoft.Network/firewallPolicies', parameters('firewallPolicyName'))]" - ] - }, - { - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2017-05-01-preview", - "scope": "[format('Microsoft.Network/azureFirewalls/{0}', parameters('name'))]", - "name": "[format('{0}-diagnostics', parameters('name'))]", - "properties": { - "storageAccountId": "[parameters('logStorageAccountResourceId')]", - "workspaceId": "[parameters('logAnalyticsWorkspaceResourceId')]", - "logs": "[parameters('logs')]", - "metrics": "[parameters('metrics')]" - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/azureFirewalls', parameters('name'))]" - ] - } - ], - "outputs": { - "privateIPAddress": { - "type": "string", - "value": 
"[reference(resourceId('Microsoft.Network/azureFirewalls', parameters('name'))).ipConfigurations[0].properties.privateIPAddress]" - } - } + "chinanorth": { + "abbreviation": "cnn", + "recoveryServicesGeo": "bjb", + "timeDifference": "+8:00", + "timeZone": "China Standard Time" + }, + "chinanorth2": { + "abbreviation": "cnn2", + "recoveryServicesGeo": "bjb2", + "timeDifference": "+8:00", + "timeZone": "China Standard Time" } }, - "dependsOn": [ - "[resourceId('Microsoft.Resources/deployments', 'firewallClientPublicIPAddress')]", - "[resourceId('Microsoft.Resources/deployments', 'firewallManagementPublicIPAddress')]", - "[resourceId('Microsoft.Resources/deployments', 'logStorage')]", - "[resourceId('Microsoft.Resources/deployments', 'virtualNetwork')]" - ] - } - ], - "outputs": { - "virtualNetworkName": { - "type": "string", - "value": "[reference(resourceId('Microsoft.Resources/deployments', 'virtualNetwork')).outputs.name.value]" - }, - "virtualNetworkResourceId": { - "type": "string", - "value": "[reference(resourceId('Microsoft.Resources/deployments', 'virtualNetwork')).outputs.id.value]" - }, - "subnetName": { - "type": "string", - "value": "[format('{0}/{1}', parameters('virtualNetworkName'), parameters('subnetName'))]" - }, - "subnetAddressPrefix": { - "type": "string", - "value": "[reference(resourceId('Microsoft.Network/virtualNetworks/subnets', split(format('{0}/{1}', parameters('virtualNetworkName'), parameters('subnetName')), '/')[0], split(format('{0}/{1}', parameters('virtualNetworkName'), parameters('subnetName')), '/')[1])).addressPrefix]" - }, - "subnetResourceId": { - "type": "string", - "value": "[resourceId('Microsoft.Network/virtualNetworks/subnets', split(format('{0}/{1}', parameters('virtualNetworkName'), parameters('subnetName')), '/')[0], split(format('{0}/{1}', parameters('virtualNetworkName'), parameters('subnetName')), '/')[1])]" - }, - "networkSecurityGroupName": { - "type": "string", - "value": 
"[reference(resourceId('Microsoft.Resources/deployments', 'networkSecurityGroup')).outputs.name.value]" - }, - "networkSecurityGroupResourceId": { - "type": "string", - "value": "[reference(resourceId('Microsoft.Resources/deployments', 'networkSecurityGroup')).outputs.id.value]" - }, - "firewallPrivateIPAddress": { - "type": "string", - "value": "[reference(resourceId('Microsoft.Resources/deployments', 'firewall')).outputs.privateIPAddress.value]" - } - } - } - }, - "dependsOn": [ - "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix')))]", - "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix')))]" - ] - }, - { - "copy": { - "name": "spokeNetworks", - "count": "[length(variables('spokes'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "[format('deploy-vnet-{0}-{1}', variables('spokes')[copyIndex()].name, parameters('deploymentNameSuffix'))]", - "subscriptionId": "[variables('spokes')[copyIndex()].subscriptionId]", - "resourceGroup": "[variables('spokes')[copyIndex()].resourceGroupName]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "location": { - "value": "[parameters('location')]" - }, - "tags": { - "value": "[variables('calculatedTags')]" - }, - "logStorageAccountName": { - "value": "[variables('spokes')[copyIndex()].logStorageAccountName]" - }, - "logStorageSkuName": { - "value": "[parameters('logStorageSkuName')]" - }, - "logAnalyticsWorkspaceResourceId": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', 
parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix')))).outputs.id.value]" - }, - "firewallPrivateIPAddress": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix')))).outputs.firewallPrivateIPAddress.value]" - }, - "vNetDnsServers": { - "value": [ - "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix')))).outputs.firewallPrivateIPAddress.value]" - ] - }, - "virtualNetworkName": { - "value": "[variables('spokes')[copyIndex()].virtualNetworkName]" - }, - "virtualNetworkAddressPrefix": { - "value": "[variables('spokes')[copyIndex()].virtualNetworkAddressPrefix]" - }, - "virtualNetworkDiagnosticsLogs": { - "value": "[variables('spokes')[copyIndex()].virtualNetworkDiagnosticsLogs]" - }, - "virtualNetworkDiagnosticsMetrics": { - "value": "[variables('spokes')[copyIndex()].virtualNetworkDiagnosticsMetrics]" - }, - "networkSecurityGroupName": { - "value": "[variables('spokes')[copyIndex()].networkSecurityGroupName]" - }, - "networkSecurityGroupRules": { - "value": "[variables('spokes')[copyIndex()].networkSecurityGroupRules]" - }, - "networkSecurityGroupDiagnosticsLogs": { - "value": "[variables('spokes')[copyIndex()].networkSecurityGroupDiagnosticsLogs]" - }, - "networkSecurityGroupDiagnosticsMetrics": { - "value": "[variables('spokes')[copyIndex()].networkSecurityGroupDiagnosticsMetrics]" - }, - "subnetName": { - "value": "[variables('spokes')[copyIndex()].subnetName]" - }, - "subnetAddressPrefix": { - "value": 
"[variables('spokes')[copyIndex()].subnetAddressPrefix]" - }, - "subnetServiceEndpoints": { - "value": "[variables('spokes')[copyIndex()].subnetServiceEndpoints]" - }, - "subnetPrivateEndpointNetworkPolicies": { - "value": "[variables('spokes')[copyIndex()].subnetPrivateEndpointNetworkPolicies]" - }, - "subnetPrivateLinkServiceNetworkPolicies": { - "value": "[variables('spokes')[copyIndex()].subnetPrivateLinkServiceNetworkPolicies]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.10.61.36676", - "templateHash": "6504783739414137516" - } - }, - "parameters": { - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]" - }, - "tags": { - "type": "object", - "defaultValue": {} - }, - "logStorageAccountName": { - "type": "string" - }, - "logStorageSkuName": { - "type": "string" - }, - "logAnalyticsWorkspaceResourceId": { - "type": "string" - }, - "firewallPrivateIPAddress": { - "type": "string" - }, - "virtualNetworkName": { - "type": "string" - }, - "virtualNetworkAddressPrefix": { - "type": "string" - }, - "virtualNetworkDiagnosticsLogs": { - "type": "array" - }, - "virtualNetworkDiagnosticsMetrics": { - "type": "array" - }, - "vNetDnsServers": { - "type": "array" - }, - "networkSecurityGroupName": { - "type": "string" - }, - "networkSecurityGroupRules": { - "type": "array" - }, - "networkSecurityGroupDiagnosticsLogs": { - "type": "array" - }, - "networkSecurityGroupDiagnosticsMetrics": { - "type": "array" - }, - "subnetName": { - "type": "string" - }, - "subnetAddressPrefix": { - "type": "string" - }, - "subnetServiceEndpoints": { - "type": "array" - }, - "routeTableName": { - "type": "string", - "defaultValue": "[format('{0}-routetable', parameters('subnetName'))]" - }, - "routeTableRouteName": { - "type": "string", - "defaultValue": "default_route" - }, - 
"routeTableRouteAddressPrefix": { - "type": "string", - "defaultValue": "0.0.0.0/0" - }, - "routeTableRouteNextHopIpAddress": { - "type": "string", - "defaultValue": "[parameters('firewallPrivateIPAddress')]" - }, - "routeTableRouteNextHopType": { - "type": "string", - "defaultValue": "VirtualAppliance" - }, - "subnetPrivateEndpointNetworkPolicies": { - "type": "string" - }, - "subnetPrivateLinkServiceNetworkPolicies": { - "type": "string" - } - }, - "resources": [ - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "logStorage", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" + "AzureCloud": { + "australiacentral": { + "abbreviation": "auc", + "recoveryServicesGeo": "acl", + "timeDifference": "+10:00", + "timeZone": "AUS Eastern Standard Time" + }, + "australiacentral2": { + "abbreviation": "auc2", + "recoveryServicesGeo": "acl2", + "timeDifference": "+10:00", + "timeZone": "AUS Eastern Standard Time" + }, + "australiaeast": { + "abbreviation": "aue", + "recoveryServicesGeo": "ae", + "timeDifference": "+10:00", + "timeZone": "AUS Eastern Standard Time" + }, + "australiasoutheast": { + "abbreviation": "ause", + "recoveryServicesGeo": "ase", + "timeDifference": "+10:00", + "timeZone": "AUS Eastern Standard Time" + }, + "brazilsouth": { + "abbreviation": "brs", + "recoveryServicesGeo": "brs", + "timeDifference": "-3:00", + "timeZone": "E. South America Standard Time" + }, + "brazilsoutheast": { + "abbreviation": "brse", + "recoveryServicesGeo": "bse", + "timeDifference": "-3:00", + "timeZone": "E. 
South America Standard Time" + }, + "canadacentral": { + "abbreviation": "cac", + "recoveryServicesGeo": "cnc", + "timeDifference": "-5:00", + "timeZone": "Eastern Standard Time" + }, + "canadaeast": { + "abbreviation": "cae", + "recoveryServicesGeo": "cne", + "timeDifference": "-5:00", + "timeZone": "Eastern Standard Time" + }, + "centralindia": { + "abbreviation": "inc", + "recoveryServicesGeo": "inc", + "timeDifference": "+5:30", + "timeZone": "India Standard Time" + }, + "centralus": { + "abbreviation": "usc", + "recoveryServicesGeo": "cus", + "timeDifference": "-6:00", + "timeZone": "Central Standard Time" + }, + "eastasia": { + "abbreviation": "ase", + "recoveryServicesGeo": "ea", + "timeDifference": "+8:00", + "timeZone": "China Standard Time" + }, + "eastus": { + "abbreviation": "use", + "recoveryServicesGeo": "eus", + "timeDifference": "-5:00", + "timeZone": "Eastern Standard Time" + }, + "eastus2": { + "abbreviation": "use2", + "recoveryServicesGeo": "eus2", + "timeDifference": "-5:00", + "timeZone": "Eastern Standard Time" + }, + "francecentral": { + "abbreviation": "frc", + "recoveryServicesGeo": "frc", + "timeDifference": "+1:00", + "timeZone": "Central Europe Standard Time" + }, + "francesouth": { + "abbreviation": "frs", + "recoveryServicesGeo": "frs", + "timeDifference": "+1:00", + "timeZone": "Central Europe Standard Time" + }, + "germanynorth": { + "abbreviation": "den", + "recoveryServicesGeo": "gn", + "timeDifference": "+1:00", + "timeZone": "Central Europe Standard Time" + }, + "germanywestcentral": { + "abbreviation": "dewc", + "recoveryServicesGeo": "gwc", + "timeDifference": "+1:00", + "timeZone": "Central Europe Standard Time" + }, + "israelcentral": { + "abbreviation": "ilc", + "recoveryServicesGeo": "ilc", + "timeDifference": "+2:00", + "timeZone": "Israel Standard Time" + }, + "italynorth": { + "abbreviation": "itn", + "recoveryServicesGeo": "itn", + "timeDifference": "+1:00", + "timeZone": "Central Europe Standard Time" + }, + 
"japaneast": { + "abbreviation": "jpe", + "recoveryServicesGeo": "jpe", + "timeDifference": "+9:00", + "timeZone": "Tokyo Standard Time" + }, + "japanwest": { + "abbreviation": "jpw", + "recoveryServicesGeo": "jpw", + "timeDifference": "+9:00", + "timeZone": "Tokyo Standard Time" + }, + "jioindiacentral": { + "abbreviation": "injc", + "recoveryServicesGeo": "jic", + "timeDifference": "+5:30", + "timeZone": "India Standard Time" + }, + "jioindiawest": { + "abbreviation": "injw", + "recoveryServicesGeo": "jiw", + "timeDifference": "+5:30", + "timeZone": "India Standard Time" + }, + "koreacentral": { + "abbreviation": "krc", + "recoveryServicesGeo": "krc", + "timeDifference": "+9:00", + "timeZone": "Korea Standard Time" + }, + "koreasouth": { + "abbreviation": "krs", + "recoveryServicesGeo": "krs", + "timeDifference": "+9:00", + "timeZone": "Korea Standard Time" + }, + "northcentralus": { + "abbreviation": "usnc", + "recoveryServicesGeo": "ncus", + "timeDifference": "-6:00", + "timeZone": "Central Standard Time" + }, + "northeurope": { + "abbreviation": "eun", + "recoveryServicesGeo": "ne", + "timeDifference": "0:00", + "timeZone": "GMT Standard Time" + }, + "norwayeast": { + "abbreviation": "noe", + "recoveryServicesGeo": "nwe", + "timeDifference": "+1:00", + "timeZone": "Central Europe Standard Time" + }, + "norwaywest": { + "abbreviation": "now", + "recoveryServicesGeo": "nww", + "timeDifference": "+1:00", + "timeZone": "Central Europe Standard Time" + }, + "polandcentral": { + "abbreviation": "plc", + "recoveryServicesGeo": "plc", + "timeDifference": "+1:00", + "timeZone": "Central Europe Standard Time" }, - "mode": "Incremental", - "parameters": { - "storageAccountName": { - "value": "[parameters('logStorageAccountName')]" - }, - "location": { - "value": "[parameters('location')]" - }, - "skuName": { - "value": "[parameters('logStorageSkuName')]" - }, - "tags": { - "value": "[parameters('tags')]" - } + "qatarcentral": { + "abbreviation": "qac", + 
"recoveryServicesGeo": "qac", + "timeDifference": "+3:00", + "timeZone": "Arabian Standard Time" }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.10.61.36676", - "templateHash": "4435843471246172620" - } - }, - "parameters": { - "storageAccountName": { - "type": "string" - }, - "location": { - "type": "string" - }, - "skuName": { - "type": "string" - }, - "tags": { - "type": "object", - "defaultValue": {} - } - }, - "resources": [ - { - "type": "Microsoft.Storage/storageAccounts", - "apiVersion": "2021-01-01", - "name": "[parameters('storageAccountName')]", - "location": "[parameters('location')]", - "kind": "StorageV2", - "sku": { - "name": "[parameters('skuName')]" - }, - "tags": "[parameters('tags')]", - "properties": { - "minimumTlsVersion": "TLS1_2", - "encryption": { - "keySource": "Microsoft.Storage", - "requireInfrastructureEncryption": true, - "services": { - "blob": { - "enabled": true - }, - "file": { - "enabled": true - }, - "queue": { - "enabled": true - }, - "table": { - "enabled": true - } - } - } - } - } - ], - "outputs": { - "id": { - "type": "string", - "value": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]" - } - } - } - } - }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "networkSecurityGroup", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" + "southafricanorth": { + "abbreviation": "zan", + "recoveryServicesGeo": "san", + "timeDifference": "+2:00", + "timeZone": "South Africa Standard Time" }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[parameters('networkSecurityGroupName')]" - }, - "location": { - "value": "[parameters('location')]" - }, - "tags": { - "value": "[parameters('tags')]" - }, - "securityRules": { - "value": 
"[parameters('networkSecurityGroupRules')]" - }, - "logAnalyticsWorkspaceResourceId": { - "value": "[parameters('logAnalyticsWorkspaceResourceId')]" - }, - "logStorageAccountResourceId": { - "value": "[reference(resourceId('Microsoft.Resources/deployments', 'logStorage')).outputs.id.value]" - }, - "logs": { - "value": "[parameters('networkSecurityGroupDiagnosticsLogs')]" - }, - "metrics": { - "value": "[parameters('networkSecurityGroupDiagnosticsMetrics')]" - } + "southafricawest": { + "abbreviation": "zaw", + "recoveryServicesGeo": "saw", + "timeDifference": "+2:00", + "timeZone": "South Africa Standard Time" }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.10.61.36676", - "templateHash": "7894763285242421186" - } - }, - "parameters": { - "name": { - "type": "string" - }, - "location": { - "type": "string" - }, - "tags": { - "type": "object", - "defaultValue": {} - }, - "securityRules": { - "type": "array" - }, - "logStorageAccountResourceId": { - "type": "string" - }, - "logAnalyticsWorkspaceResourceId": { - "type": "string" - }, - "logs": { - "type": "array" - }, - "metrics": { - "type": "array" - } - }, - "resources": [ - { - "type": "Microsoft.Network/networkSecurityGroups", - "apiVersion": "2021-02-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "securityRules": "[parameters('securityRules')]" - } - }, - { - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2017-05-01-preview", - "scope": "[format('Microsoft.Network/networkSecurityGroups/{0}', parameters('name'))]", - "name": "[format('{0}-diagnostics', parameters('name'))]", - "properties": { - "storageAccountId": "[parameters('logStorageAccountResourceId')]", - "workspaceId": "[parameters('logAnalyticsWorkspaceResourceId')]", - "logs": 
"[parameters('logs')]", - "metrics": "[parameters('metrics')]" - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('name'))]" - ] - } - ], - "outputs": { - "id": { - "type": "string", - "value": "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('name'))]" - }, - "name": { - "type": "string", - "value": "[parameters('name')]" - } - } - } - }, - "dependsOn": [ - "[resourceId('Microsoft.Resources/deployments', 'logStorage')]" - ] - }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "routeTable", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" + "southcentralus": { + "abbreviation": "ussc", + "recoveryServicesGeo": "scus", + "timeDifference": "-6:00", + "timeZone": "Central Standard Time" + }, + "southeastasia": { + "abbreviation": "asse", + "recoveryServicesGeo": "sea", + "timeDifference": "+8:00", + "timeZone": "Singapore Standard Time" + }, + "southindia": { + "abbreviation": "ins", + "recoveryServicesGeo": "ins", + "timeDifference": "+5:30", + "timeZone": "India Standard Time" + }, + "swedencentral": { + "abbreviation": "sec", + "recoveryServicesGeo": "sdc", + "timeDifference": "+1:00", + "timeZone": "Central Europe Standard Time" + }, + "switzerlandnorth": { + "abbreviation": "chn", + "recoveryServicesGeo": "szn", + "timeDifference": "+1:00", + "timeZone": "Central Europe Standard Time" + }, + "switzerlandwest": { + "abbreviation": "chw", + "recoveryServicesGeo": "szw", + "timeDifference": "+1:00", + "timeZone": "Central Europe Standard Time" + }, + "uaecentral": { + "abbreviation": "aec", + "recoveryServicesGeo": "uac", + "timeDifference": "+3:00", + "timeZone": "Arabian Standard Time" + }, + "uaenorth": { + "abbreviation": "aen", + "recoveryServicesGeo": "uan", + "timeDifference": "+3:00", + "timeZone": "Arabian Standard Time" + }, + "uksouth": { + "abbreviation": "uks", + "recoveryServicesGeo": "uks", + "timeDifference": "0:00", + "timeZone": 
"GMT Standard Time" }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[parameters('routeTableName')]" - }, - "location": { - "value": "[parameters('location')]" - }, - "tags": { - "value": "[parameters('tags')]" - }, - "routeName": { - "value": "[parameters('routeTableRouteName')]" - }, - "routeAddressPrefix": { - "value": "[parameters('routeTableRouteAddressPrefix')]" - }, - "routeNextHopIpAddress": { - "value": "[parameters('routeTableRouteNextHopIpAddress')]" - }, - "routeNextHopType": { - "value": "[parameters('routeTableRouteNextHopType')]" - } + "ukwest": { + "abbreviation": "ukw", + "recoveryServicesGeo": "ukw", + "timeDifference": "0:00", + "timeZone": "GMT Standard Time" }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.10.61.36676", - "templateHash": "8332169477119932515" - } - }, - "parameters": { - "name": { - "type": "string" - }, - "location": { - "type": "string" - }, - "tags": { - "type": "object", - "defaultValue": {} - }, - "routeName": { - "type": "string" - }, - "routeAddressPrefix": { - "type": "string" - }, - "routeNextHopIpAddress": { - "type": "string" - }, - "routeNextHopType": { - "type": "string" - } - }, - "resources": [ - { - "type": "Microsoft.Network/routeTables", - "apiVersion": "2021-02-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "routes": [ - { - "name": "[parameters('routeName')]", - "properties": { - "addressPrefix": "[parameters('routeAddressPrefix')]", - "nextHopIpAddress": "[parameters('routeNextHopIpAddress')]", - "nextHopType": "[parameters('routeNextHopType')]" - } - } - ] - } - } - ], - "outputs": { - "id": { - "type": "string", - "value": "[resourceId('Microsoft.Network/routeTables', parameters('name'))]" - }, - "name": { - "type": "string", - 
"value": "[parameters('name')]" - } - } - } - } - }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "virtualNetwork", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" + "westcentralus": { + "abbreviation": "uswc", + "recoveryServicesGeo": "wcus", + "timeDifference": "-7:00", + "timeZone": "Mountain Standard Time" }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[parameters('virtualNetworkName')]" - }, - "location": { - "value": "[parameters('location')]" - }, - "tags": { - "value": "[parameters('tags')]" - }, - "addressPrefix": { - "value": "[parameters('virtualNetworkAddressPrefix')]" - }, - "vNetDnsServers": { - "value": "[parameters('vNetDnsServers')]" - }, - "subnets": { - "value": [ - { - "name": "[parameters('subnetName')]", - "properties": { - "addressPrefix": "[parameters('subnetAddressPrefix')]", - "networkSecurityGroup": { - "id": "[reference(resourceId('Microsoft.Resources/deployments', 'networkSecurityGroup')).outputs.id.value]" - }, - "routeTable": { - "id": "[reference(resourceId('Microsoft.Resources/deployments', 'routeTable')).outputs.id.value]" - }, - "serviceEndpoints": "[parameters('subnetServiceEndpoints')]", - "privateEndpointNetworkPolicies": "[parameters('subnetPrivateEndpointNetworkPolicies')]", - "privateLinkServiceNetworkPolicies": "[parameters('subnetPrivateLinkServiceNetworkPolicies')]" - } - } - ] - }, - "logAnalyticsWorkspaceResourceId": { - "value": "[parameters('logAnalyticsWorkspaceResourceId')]" - }, - "logStorageAccountResourceId": { - "value": "[reference(resourceId('Microsoft.Resources/deployments', 'logStorage')).outputs.id.value]" - }, - "logs": { - "value": "[parameters('virtualNetworkDiagnosticsLogs')]" - }, - "metrics": { - "value": "[parameters('virtualNetworkDiagnosticsMetrics')]" - } + "westeurope": { + "abbreviation": "euw", + "recoveryServicesGeo": "we", + "timeDifference": "+1:00", + "timeZone": "Central Europe Standard Time" }, - 
"template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.10.61.36676", - "templateHash": "16443263514490560792" - } - }, - "parameters": { - "name": { - "type": "string" - }, - "location": { - "type": "string" - }, - "tags": { - "type": "object", - "defaultValue": {} - }, - "addressPrefix": { - "type": "string" - }, - "vNetDnsServers": { - "type": "array", - "defaultValue": [] - }, - "logAnalyticsWorkspaceResourceId": { - "type": "string" - }, - "logStorageAccountResourceId": { - "type": "string" - }, - "subnets": { - "type": "array" - }, - "logs": { - "type": "array" - }, - "metrics": { - "type": "array" - } - }, - "resources": [ - { - "type": "Microsoft.Network/virtualNetworks", - "apiVersion": "2021-02-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "addressSpace": { - "addressPrefixes": [ - "[parameters('addressPrefix')]" - ] - }, - "subnets": "[parameters('subnets')]", - "dhcpOptions": "[if(not(equals(parameters('vNetDnsServers'), null())), createObject('dnsServers', parameters('vNetDnsServers')), null())]" - } - }, - { - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2017-05-01-preview", - "scope": "[format('Microsoft.Network/virtualNetworks/{0}', parameters('name'))]", - "name": "[format('{0}-diagnostics', parameters('name'))]", - "properties": { - "storageAccountId": "[parameters('logStorageAccountResourceId')]", - "workspaceId": "[parameters('logAnalyticsWorkspaceResourceId')]", - "logs": "[parameters('logs')]", - "metrics": "[parameters('metrics')]" - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/virtualNetworks', parameters('name'))]" - ] - } - ], - "outputs": { - "name": { - "type": "string", - "value": "[parameters('name')]" - }, - "id": { - "type": "string", - "value": 
"[resourceId('Microsoft.Network/virtualNetworks', parameters('name'))]" - }, - "subnets": { - "type": "array", - "value": "[reference(resourceId('Microsoft.Network/virtualNetworks', parameters('name'))).subnets]" - }, - "addressPrefix": { - "type": "string", - "value": "[reference(resourceId('Microsoft.Network/virtualNetworks', parameters('name'))).addressSpace.addressPrefixes[0]]" - } - } + "westindia": { + "abbreviation": "inw", + "recoveryServicesGeo": "inw", + "timeDifference": "+5:30", + "timeZone": "India Standard Time" + }, + "westus": { + "abbreviation": "usw", + "recoveryServicesGeo": "wus", + "timeDifference": "-8:00", + "timeZone": "Pacific Standard Time" + }, + "westus2": { + "abbreviation": "usw2", + "recoveryServicesGeo": "wus2", + "timeDifference": "-8:00", + "timeZone": "Pacific Standard Time" + }, + "westus3": { + "abbreviation": "usw3", + "recoveryServicesGeo": "wus3", + "timeDifference": "-7:00", + "timeZone": "Mountain Standard Time" } }, - "dependsOn": [ - "[resourceId('Microsoft.Resources/deployments', 'logStorage')]", - "[resourceId('Microsoft.Resources/deployments', 'networkSecurityGroup')]", - "[resourceId('Microsoft.Resources/deployments', 'routeTable')]" - ] - } - ], - "outputs": { - "virtualNetworkName": { - "type": "string", - "value": "[reference(resourceId('Microsoft.Resources/deployments', 'virtualNetwork')).outputs.name.value]" - }, - "virtualNetworkResourceId": { - "type": "string", - "value": "[reference(resourceId('Microsoft.Resources/deployments', 'virtualNetwork')).outputs.id.value]" - }, - "virtualNetworkAddressPrefix": { - "type": "string", - "value": "[reference(resourceId('Microsoft.Resources/deployments', 'virtualNetwork')).outputs.addressPrefix.value]" - }, - "subnetName": { - "type": "string", - "value": "[reference(resourceId('Microsoft.Resources/deployments', 'virtualNetwork')).outputs.subnets.value[0].name]" - }, - "subnetAddressPrefix": { - "type": "string", - "value": 
"[reference(resourceId('Microsoft.Resources/deployments', 'virtualNetwork')).outputs.subnets.value[0].properties.addressPrefix]" - }, - "subnetResourceId": { - "type": "string", - "value": "[reference(resourceId('Microsoft.Resources/deployments', 'virtualNetwork')).outputs.subnets.value[0].id]" - }, - "networkSecurityGroupName": { - "type": "string", - "value": "[reference(resourceId('Microsoft.Resources/deployments', 'networkSecurityGroup')).outputs.name.value]" - }, - "networkSecurityGroupResourceId": { - "type": "string", - "value": "[reference(resourceId('Microsoft.Resources/deployments', 'networkSecurityGroup')).outputs.id.value]" - } - } - } - }, - "dependsOn": [ - "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix')))]", - "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix')))]" - ] - }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "[format('deploy-vnet-peerings-hub-{0}', parameters('deploymentNameSuffix'))]", - "subscriptionId": "[parameters('hubSubscriptionId')]", - "resourceGroup": "[variables('hubResourceGroupName')]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "hubVirtualNetworkName": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix')))).outputs.virtualNetworkName.value]" - }, - "spokes": { - "copy": [ - { - "name": "value", - "count": 
"[length(variables('spokes'))]", - "input": "[createObject('type', variables('spokes')[copyIndex('value')].name, 'virtualNetworkName', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', variables('spokes')[copyIndex('value')].subscriptionId, variables('spokes')[copyIndex('value')].resourceGroupName), 'Microsoft.Resources/deployments', format('deploy-vnet-{0}-{1}', variables('spokes')[copyIndex('value')].name, parameters('deploymentNameSuffix')))).outputs.virtualNetworkName.value, 'virtualNetworkResourceId', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', variables('spokes')[copyIndex('value')].subscriptionId, variables('spokes')[copyIndex('value')].resourceGroupName), 'Microsoft.Resources/deployments', format('deploy-vnet-{0}-{1}', variables('spokes')[copyIndex('value')].name, parameters('deploymentNameSuffix')))).outputs.virtualNetworkResourceId.value)]" - } - ] - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.10.61.36676", - "templateHash": "15629689242937002521" - } - }, - "parameters": { - "hubVirtualNetworkName": { - "type": "string" - }, - "spokes": { - "type": "array" - } - }, - "resources": [ - { - "copy": { - "name": "hubToSpokePeering", - "count": "[length(parameters('spokes'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "[format('hub-to-{0}-vnet-peering', parameters('spokes')[copyIndex()].type)]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" + "AzureUSGovernment": { + "usdodcentral": { + "abbreviation": "dodc", + "recoveryServicesGeo": "udc", + "timeDifference": "-6:00", + "timeZone": "Central Standard Time" }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[format('{0}/to-{1}', parameters('hubVirtualNetworkName'), 
parameters('spokes')[copyIndex()].virtualNetworkName)]" - }, - "remoteVirtualNetworkResourceId": { - "value": "[parameters('spokes')[copyIndex()].virtualNetworkResourceId]" - } + "usdodeast": { + "abbreviation": "dode", + "recoveryServicesGeo": "ude", + "timeDifference": "-5:00", + "timeZone": "Eastern Standard Time" }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.10.61.36676", - "templateHash": "18419282456813263047" - } - }, - "parameters": { - "name": { - "type": "string" - }, - "remoteVirtualNetworkResourceId": { - "type": "string" - } - }, - "resources": [ - { - "type": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings", - "apiVersion": "2021-02-01", - "name": "[parameters('name')]", - "properties": { - "allowForwardedTraffic": true, - "remoteVirtualNetwork": { - "id": "[parameters('remoteVirtualNetworkResourceId')]" - } - } - } - ] + "usgovarizona": { + "abbreviation": "az", + "recoveryServicesGeo": "uga", + "timeDifference": "-7:00", + "timeZone": "Mountain Standard Time" + }, + "usgovtexas": { + "abbreviation": "tx", + "recoveryServicesGeo": "ugt", + "timeDifference": "-6:00", + "timeZone": "Central Standard Time" + }, + "usgovvirginia": { + "abbreviation": "va", + "recoveryServicesGeo": "ugv", + "timeDifference": "-5:00", + "timeZone": "Eastern Standard Time" } - } - } - ] - } - }, - "dependsOn": [ - "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix')))]", - "spokeNetworks" - ] - }, - { - "copy": { - "name": "spokeVirtualNetworkPeerings", - "count": "[length(variables('spokes'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": 
"[format('deploy-vnet-peerings-{0}-{1}', variables('spokes')[copyIndex()].name, parameters('deploymentNameSuffix'))]", - "subscriptionId": "[variables('spokes')[copyIndex()].subscriptionId]", - "location": "[deployment().location]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "spokeName": { - "value": "[variables('spokes')[copyIndex()].name]" - }, - "spokeResourceGroupName": { - "value": "[variables('spokes')[copyIndex()].resourceGroupName]" - }, - "spokeVirtualNetworkName": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', variables('spokes')[copyIndex()].subscriptionId, variables('spokes')[copyIndex()].resourceGroupName), 'Microsoft.Resources/deployments', format('deploy-vnet-{0}-{1}', variables('spokes')[copyIndex()].name, parameters('deploymentNameSuffix')))).outputs.virtualNetworkName.value]" - }, - "hubVirtualNetworkName": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix')))).outputs.virtualNetworkName.value]" - }, - "hubVirtualNetworkResourceId": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix')))).outputs.virtualNetworkResourceId.value]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.10.61.36676", - "templateHash": "2611495743947239031" - } - }, - "parameters": { - "spokeName": { - "type": "string" - }, - "spokeResourceGroupName": { - 
"type": "string" - }, - "spokeVirtualNetworkName": { - "type": "string" - }, - "hubVirtualNetworkName": { - "type": "string" - }, - "hubVirtualNetworkResourceId": { - "type": "string" - } - }, - "resources": [ - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "[format('{0}-to-hub-vnet-peering', parameters('spokeName'))]", - "resourceGroup": "[parameters('spokeResourceGroupName')]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" + }, + "USNat": { + "usnateast": { + "abbreviation": "east", + "recoveryServicesGeo": "exe", + "timeDifference": "-5:00", + "timeZone": "Eastern Standard Time" }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[format('{0}/to-{1}', parameters('spokeVirtualNetworkName'), parameters('hubVirtualNetworkName'))]" - }, - "remoteVirtualNetworkResourceId": { - "value": "[parameters('hubVirtualNetworkResourceId')]" - } + "usnatwest": { + "abbreviation": "west", + "recoveryServicesGeo": "exw", + "timeDifference": "-8:00", + "timeZone": "Pacific Standard Time" + } + }, + "USSec": { + "usseceast": { + "abbreviation": "east", + "recoveryServicesGeo": "rxe", + "timeDifference": "-5:00", + "timeZone": "Eastern Standard Time" }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.10.61.36676", - "templateHash": "18419282456813263047" - } - }, - "parameters": { - "name": { - "type": "string" - }, - "remoteVirtualNetworkResourceId": { - "type": "string" - } - }, - "resources": [ - { - "type": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings", - "apiVersion": "2021-02-01", - "name": "[parameters('name')]", - "properties": { - "allowForwardedTraffic": true, - "remoteVirtualNetwork": { - "id": "[parameters('remoteVirtualNetworkResourceId')]" - } - } - } - ] + "ussecwest": { + "abbreviation": "west", + 
"recoveryServicesGeo": "rxw", + "timeDifference": "-8:00", + "timeZone": "Pacific Standard Time" } } - } - ] - } - }, - "dependsOn": [ - "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix')))]", - "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', variables('spokes')[copyIndex()].subscriptionId, variables('spokes')[copyIndex()].resourceGroupName), 'Microsoft.Resources/deployments', format('deploy-vnet-{0}-{1}', variables('spokes')[copyIndex()].name, parameters('deploymentNameSuffix')))]" - ] - }, - { - "condition": "[parameters('deployPolicy')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "[format('assign-policy-hub-{0}', parameters('deploymentNameSuffix'))]", - "subscriptionId": "[parameters('hubSubscriptionId')]", - "resourceGroup": "[variables('hubResourceGroupName')]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "builtInAssignment": { - "value": "[parameters('policy')]" - }, - "logAnalyticsWorkspaceName": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix')))).outputs.name.value]" - }, - "logAnalyticsWorkspaceResourceGroupName": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix')))).outputs.resourceGroupName.value]" - }, - "operationsSubscriptionId": { - "value": "[parameters('operationsSubscriptionId')]" - }, - 
"location": { - "value": "[parameters('location')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.10.61.36676", - "templateHash": "3765055138598353912" - } + }, + "cloudSuffix": "[replace(replace(environment().resourceManager, 'https://management.', ''), '/', '')]", + "automationSuffix": "[replace(environment().suffixes.storage, 'core.windows.', '')]", + "locations": "[variables('$fxv#0')[environment().name]]", + "privatelink_agentsvc_azure_automation_name": "[format('privatelink.agentsvc.azure-automation.{0}', variables('automationSuffix'))]", + "privatelink_azure_automation_name": "[format('privatelink.azure-automation.{0}', variables('automationSuffix'))]", + "privatelink_avd_name": "[format('privatelink.wvd.{0}', variables('cloudSuffix'))]", + "privatelink_avd_global_name": "[format('privatelink-global.wvd.{0}', variables('cloudSuffix'))]", + "privatelink_file_name": "[format('privatelink.file.{0}', environment().suffixes.storage)]", + "privatelink_queue_name": "[format('privatelink.queue.{0}', environment().suffixes.storage)]", + "privatelink_table_name": "[format('privatelink.table.{0}', environment().suffixes.storage)]", + "privatelink_blob_name": "[format('privatelink.blob.{0}', environment().suffixes.storage)]", + "privatelink_keyvaultDns_name": "[replace(format('privatelink{0}', environment().suffixes.keyvaultDns), 'vault', 'vaultcore')]", + "privatelink_monitor_name": "[format('privatelink.monitor.{0}', variables('cloudSuffix'))]", + "privatelink_ods_opinsights_name": "[format('privatelink.ods.opinsights.{0}', variables('cloudSuffix'))]", + "privatelink_oms_opinsights_name": "[format('privatelink.oms.opinsights.{0}', variables('cloudSuffix'))]" }, - "parameters": { - "builtInAssignment": { - "type": "string", - "defaultValue": "NISTRev4", - "metadata": { - "description": 
"[NISTRev4/NISTRev5/IL5/CMMC] Built-in policy assignments to assign, default is NISTRev4. IL5 is only available for AzureUsGovernment and will switch to NISTRev4 if tried in AzureCloud." - }, - "allowedValues": [ - "NISTRev4", - "NISTRev5", - "IL5", - "CMMC" - ] + "resources": [ + { + "type": "Microsoft.Network/privateDnsZones", + "apiVersion": "2018-09-01", + "name": "[variables('privatelink_avd_name')]", + "location": "global", + "tags": "[parameters('tags')]" }, - "logAnalyticsWorkspaceName": { - "type": "string" + { + "type": "Microsoft.Network/privateDnsZones", + "apiVersion": "2018-09-01", + "name": "[variables('privatelink_avd_global_name')]", + "location": "global", + "tags": "[parameters('tags')]" }, - "logAnalyticsWorkspaceResourceGroupName": { - "type": "string" + { + "copy": { + "name": "privateDnsZone_backup_rsv", + "count": "[length(variables('privatelink_backup_names'))]" + }, + "condition": "[not(contains(variables('privatelink_backup_names')[copyIndex()], '..'))]", + "type": "Microsoft.Network/privateDnsZones", + "apiVersion": "2018-09-01", + "name": "[variables('privatelink_backup_names')[copyIndex()]]", + "location": "global", + "tags": "[parameters('tags')]" }, - "operationsSubscriptionId": { - "type": "string" + { + "type": "Microsoft.Network/privateDnsZones", + "apiVersion": "2018-09-01", + "name": "[variables('privatelink_file_name')]", + "location": "global", + "tags": "[parameters('tags')]" }, - "deployRemediation": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Starts a policy remediation for the VM Agent policies in hub RG. Set to false by default since this is time consuming in deployment." 
- } + { + "type": "Microsoft.Network/privateDnsZones", + "apiVersion": "2018-09-01", + "name": "[variables('privatelink_queue_name')]", + "location": "global", + "tags": "[parameters('tags')]" }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "The location of this resource" - } - } - }, - "variables": { - "$fxv#0": " {\n \"listOfMembersToExcludeFromWindowsVMAdministratorsGroup\": \n {\n \"value\": \"admin\"\n },\n \"listOfMembersToIncludeInWindowsVMAdministratorsGroup\": \n {\n \"value\": \"azureuser\"\n },\n \"logAnalyticsWorkspaceIdforVMReporting\": \n {\n \"value\": \"\"\n },\n \"IncludeArcMachines\": \n {\n \"value\": \"true\"\n },\n \"MinimumTLSVersion-5752e6d6-1206-46d8-8ab1-ecc2f71a8112\": \n {\n \"value\": \"1.2\"\n },\n \"NotAvailableMachineState-bed48b13-6647-468e-aa2f-1af1d3f4dd40\": \n {\n \"value\": \"Compliant\"\n },\n \"requiredRetentionDays\": \n {\n \"value\": \"365\"\n },\n \"resourceGroupName-b6e2945c-0b7b-40f5-9233-7a5323b5cdc6\": \n {\n \"value\": \"NetworkWatcherRG\"\n }\n }", - "$fxv#1": " {\n \"IncludeArcMachines\": \n {\n \"value\": \"true\"\n },\n \"MinimumTLSVersion-5752e6d6-1206-46d8-8ab1-ecc2f71a8112\": \n {\n \"value\": \"1.2\"\n },\n \"NotAvailableMachineState-bed48b13-6647-468e-aa2f-1af1d3f4dd40\": \n {\n \"value\": \"Compliant\"\n },\n \"requiredRetentionDays\": \n {\n \"value\": \"365\"\n },\n \"resourceGroupName-b6e2945c-0b7b-40f5-9233-7a5323b5cdc6\": \n {\n \"value\": \"NetworkWatcherRG\"\n }\n }", - "$fxv#2": "{\n \"IncludeArcMachines\" : { \n \"value\" : \"false\"\n },\n \"NotAvailableMachineState-bed48b13-6647-468e-aa2f-1af1d3f4dd40\" : { \n \"value\" : \"Compliant\"\n },\n \"MinimumTLSVersionForWindowsServers\" : { \n \"value\" : \"1.2\"\n },\n \"requiredRetentionDays\" : { \n \"value\" : \"365\"\n },\n \"effect-febd0533-8e55-448f-b837-bd0e06f16469\" : { \n \"value\" : \"audit\"\n },\n \"allowedContainerImagesRegex-febd0533-8e55-448f-b837-bd0e06f16469\" : { 
\n \"value\" : \"^(.+){0}$\"\n },\n \"effect-95edb821-ddaf-4404-9732-666045e056b4\" : { \n \"value\" : \"audit\"\n },\n \"effect-440b515e-a580-421e-abeb-b159a61ddcbc\" : { \n \"value\" : \"audit\"\n },\n \"effect-233a2a17-77ca-4fb1-9b6b-69223d272a44\" : { \n \"value\" : \"audit\"\n },\n \"effect-e345eecc-fa47-480f-9e88-67dcc122b164\" : { \n \"value\" : \"audit\"\n },\n \"cpuLimit-e345eecc-fa47-480f-9e88-67dcc122b164\" : { \n \"value\" : \"0\"\n },\n \"memoryLimit-e345eecc-fa47-480f-9e88-67dcc122b164\" : { \n \"value\" : \"0\"\n },\n \"effect-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \n \"value\" : \"audit\"\n },\n \"runAsUserRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \n \"value\" : \"MustRunAsNonRoot\"\n },\n \"runAsGroupRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \n \"value\" : \"RunAsAny\"\n },\n \"supplementalGroupsRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \n \"value\" : \"RunAsAny\"\n },\n \"fsGroupRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \n \"value\" : \"RunAsAny\"\n },\n \"effect-1c6e92c9-99f0-4e55-9cf2-0c234dc48f99\" : { \n \"value\" : \"audit\"\n },\n \"effect-47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8\" : { \n \"value\" : \"audit\"\n },\n \"effect-df49d893-a74c-421d-bc95-c663042e5b80\" : { \n \"value\" : \"audit\"\n },\n \"effect-1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\" : { \n \"value\" : \"audit\"\n },\n \"effect-c26596ff-4d70-4e6a-9a30-c2506bd2f80c\" : { \n \"value\" : \"audit\"\n },\n \"effect-511f5417-5d12-434d-ab2e-816901e72a5e\" : { \n \"value\" : \"audit\"\n },\n \"effect-82985f06-dc18-4a48-bc1c-b9f4f0098cfe\" : { \n \"value\" : \"audit\"\n },\n \"effect-098fc59e-46c7-4d99-9b16-64990e543d75\" : { \n \"value\" : \"audit\"\n },\n \"NetworkWatcherResourceGroupName\" : { \n \"value\" : \"NetworkWatcherRG\"\n },\n \"setting-a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9\" : { \n \"value\" : \"enabled\"\n },\n \"aadAuthenticationInServiceFabricMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"effect-71ef260a-8f18-47b7-abcb-62d0673d94dc\" : { 
\n \"value\" : \"Audit\"\n },\n \"effect-055aa869-bc98-4af8-bafc-23f1ab6ffe2c\" : { \n \"value\" : \"Audit\"\n },\n \"effect-564feb30-bf6a-4854-b4bb-0d2d2d1e6c66\" : { \n \"value\" : \"Audit\"\n },\n \"effect-862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb\" : { \n \"value\" : \"Audit\"\n },\n \"effect-d9da03a1-f3c3-412a-9709-947156872263\" : { \n \"value\" : \"Audit\"\n },\n \"effect-617c02be-7f02-4efd-8836-3180d47b6c68\" : { \n \"value\" : \"Audit\"\n },\n \"effect-0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d\" : { \n \"value\" : \"Audit\"\n },\n \"effect-ec068d99-e9c7-401f-8cef-5bdde4e6ccf1\" : { \n \"value\" : \"Audit\"\n },\n \"effect-c349d81b-9985-44ae-a8da-ff98d108ede8\" : { \n \"value\" : \"Audit\"\n },\n \"effect-3657f5a0-770e-44a3-b44e-9431ba1e9735\" : { \n \"value\" : \"Audit\"\n },\n \"effect-b4ac1030-89c5-4697-8e00-28b5ba6a8811\" : { \n \"value\" : \"audit\"\n },\n \"effect-ea0dfaed-95fb-448c-934e-d6e713ce393d\" : { \n \"value\" : \"audit\"\n },\n \"effect-4733ea7b-a883-42fe-8cac-97454c2a9e4a\" : { \n \"value\" : \"Audit\"\n },\n \"effect-f4b53539-8df9-40e4-86c6-6b607703bd4e\" : { \n \"value\" : \"Audit\"\n },\n \"effect-41425d9f-d1a5-499a-9932-f8ed8453932c\" : { \n \"value\" : \"Audit\"\n },\n \"effect-fc4d8e41-e223-45ea-9bf5-eada37891d87\" : { \n \"value\" : \"Audit\"\n },\n \"effect-86efb160-8de7-451d-bc08-5d475b0aadae\" : { \n \"value\" : \"Audit\"\n },\n \"effect-4ec52d6d-beb7-40c4-9a9e-fe753254690e\" : { \n \"value\" : \"Audit\"\n },\n \"effect-64d314f6-6062-4780-a861-c23e8951bee5\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1fd32ebd-e4c3-4e13-a54a-d7422d4d95f6\" : { \n \"value\" : \"Audit\"\n },\n \"effect-fa298e57-9444-42ba-bf04-86e8470e32c7\" : { \n \"value\" : \"audit\"\n },\n \"effect-67121cc7-ff39-4ab8-b7e3-95b84dab487d\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1f905d99-2ab7-462c-a6b0-f709acca6c8f\" : { \n \"value\" : \"audit\"\n },\n 
\"effect-5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\" : { \n \"value\" : \"Audit\"\n },\n \"effect-ba769a63-b8cc-4b2d-abf6-ac33c7204be8\" : { \n \"value\" : \"Audit\"\n },\n \"effect-81e74cea-30fd-40d5-802f-d72103c2aaaa\" : { \n \"value\" : \"Audit\"\n },\n \"effect-0aa61e00-0a01-4a3c-9945-e93cffedf0e6\" : { \n \"value\" : \"Audit\"\n },\n \"effect-47031206-ce96-41f8-861b-6a915f3de284\" : { \n \"value\" : \"Audit\"\n },\n \"effect-87ba29ef-1ab3-4d82-b763-87fcd4f531f7\" : { \n \"value\" : \"audit\"\n },\n \"effect-51522a96-0869-4791-82f3-981000c2c67f\" : { \n \"value\" : \"audit\"\n },\n \"effect-b5ec538c-daa0-4006-8596-35468b9148e8\" : { \n \"value\" : \"Audit\"\n },\n \"effect-56a5ee18-2ae6-4810-86f7-18e39ce5629b\" : { \n \"value\" : \"Audit\"\n },\n \"effect-2e94d99a-8a36-4563-bc77-810d8893b671\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1fafeaf6-7927-4059-a50a-8eb2a7a6f2b5\" : { \n \"value\" : \"Audit\"\n },\n \"effect-99e9ccd8-3db9-4592-b0d1-14b1715a4d8a\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1f68a601-6e6d-4e42-babf-3f643a047ea2\" : { \n \"value\" : \"audit\"\n },\n \"effect-f7d52b2d-e161-4dfa-a82b-55e564167385\" : { \n \"value\" : \"Audit\"\n },\n \"effect-7d7be79c-23ba-4033-84dd-45e2a5ccdd67\" : { \n \"value\" : \"Audit\"\n },\n \"effect-ca91455f-eace-4f96-be59-e6e2c35b4816\" : { \n \"value\" : \"Audit\"\n },\n \"effect-702dd420-7fcc-42c5-afe8-4026edd20fe0\" : { \n \"value\" : \"Audit\"\n },\n \"diagnosticsLogsInRedisCacheMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"secureTransferToStorageAccountMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"effect-d0793b48-0edc-4296-a390-4c75d1bdfd71\" : { \n \"value\" : \"Audit\"\n },\n \"effect-7d092e0a-7acd-40d2-a975-dca21cae48c4\" : { \n \"value\" : \"Audit\"\n },\n \"effect-2a1a9cdf-e04d-429a-8416-3bfb72a1b26f\" : { \n \"value\" : \"Audit\"\n },\n \"disableUnrestrictedNetworkToStorageAccountMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"effect-55615ac9-af46-4a59-874e-391cc3dfb490\" : 
{ \n \"value\" : \"Audit\"\n },\n \"effect-1b8ca024-1d5c-4dec-8995-b1a932b41780\" : { \n \"value\" : \"Audit\"\n },\n \"effect-037eea7a-bd0a-46c5-9a66-03aea78705d3\" : { \n \"value\" : \"Audit\"\n },\n \"effect-53503636-bcc9-4748-9663-5348217f160f\" : { \n \"value\" : \"Audit\"\n },\n \"effect-40cec1dd-a100-4920-b15b-3024fe8901ab\" : { \n \"value\" : \"Audit\"\n },\n \"effect-0725b4dd-7e76-479c-a735-68e7ee23d5ca\" : { \n \"value\" : \"Audit\"\n },\n \"effect-a049bf77-880b-470f-ba6d-9f21c530cf83\" : { \n \"value\" : \"Audit\"\n },\n \"effect-ee980b6d-0eca-4501-8d54-f6290fd512c3\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1d84d5fb-01f6-4d12-ba4f-4a26081d403d\" : { \n \"value\" : \"Audit\"\n },\n \"effect-37e0d2fe-28a5-43d6-a273-67d37d1f5606\" : { \n \"value\" : \"Audit\"\n },\n \"identityDesignateMoreThanOneOwnerMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"diskEncryptionMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"emailNotificationToSubscriptionOwnerHighSeverityAlertsEnabledEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"functionAppDisableRemoteDebuggingMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"sqlDbEncryptionMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"vulnerabilityAssessmentOnManagedInstanceMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensurePHPVersionLatestForAPIAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"aadAuthenticationInSqlServerMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"vmssEndpointProtectionMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"vmssOsVulnerabilitiesMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"adaptiveApplicationControlsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"geoRedundantBackupShouldBeEnabledForAzureDatabaseForPostgreSQLEffect\" : { \n \"value\" : \"Audit\"\n },\n \"ensureJavaVersionLatestForWebAppEffect\" : { 
\n \"value\" : \"AuditIfNotExists\"\n },\n \"identityDesignateLessThanOwnersMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"securityContactEmailAddressForSubscriptionEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"webAppRestrictCORSAccessMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityRemoveExternalAccountWithWritePermissionsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityRemoveExternalAccountWithReadPermissionsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityRemoveDeprecatedAccountMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"functionAppEnforceHttpsMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"ensurePythonVersionLatestForWebAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensurePythonVersionLatestForFunctionAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensurePHPVersionLatestForWebAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensurePythonVersionLatestForAPIAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"geoRedundantBackupShouldBeEnabledForAzureDatabaseForMySQLEffect\" : { \n \"value\" : \"Audit\"\n },\n \"systemUpdatesMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensureJavaVersionLatestForAPIAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensureHTTPVersionLatestForWebAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"apiAppRequireLatestTlsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityEnableMFAForWritePermissionsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensureHTTPVersionLatestForAPIAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensureJavaVersionLatestForFunctionAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"nextGenerationFirewallMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"useRbacRulesMonitoringEffect\" : { \n \"value\" 
: \"Audit\"\n },\n \"webAppEnforceHttpsMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"sqlServerAuditingMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"vnetEnableDDoSProtectionMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityEnableMFAForOwnerPermissionsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"sqlServerAdvancedDataSecurityMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"sqlManagedInstanceAdvancedDataSecurityMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"endpointProtectionMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"jitNetworkAccessMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"apiAppEnforceHttpsMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"geoRedundantStorageShouldBeEnabledForStorageAccountsEffect\" : { \n \"value\" : \"Audit\"\n },\n \"vmssSystemUpdatesMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"webAppDisableRemoteDebuggingMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"longtermGeoRedundantBackupEnabledAzureSQLDatabasesEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"systemConfigurationsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensureHTTPVersionLatestForFunctionAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityEnableMFAForReadPermissionsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"containerBenchmarkMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"apiAppDisableRemoteDebuggingMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"vulnerabilityAssessmentOnServerMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"webAppRequireLatestTlsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n 
\"identityRemoveExternalAccountWithOwnerPermissionsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"functionAppRequireLatestTlsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"kubernetesServiceVersionUpToDateMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"sqlDbVulnerabilityAssesmentMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"membersToIncludeInLocalAdministratorsGroup\" : { \n \"value\" : \"\"\n },\n \"membersToExcludeInLocalAdministratorsGroup\" : { \n \"value\" : \"\"\n },\n \"logAnalyticsWorkspaceIDForVMAgents\" : { \n \"value\" : \"\"\n },\n \"PHPLatestVersionForAppServices\" : { \n \"value\" : \"7.4\"\n },\n \"JavaLatestVersionForAppServices\" : { \n \"value\" : \"11\"\n },\n \"WindowsPythonLatestVersionForAppServices\" : { \n \"value\" : \"3.6\"\n },\n \"LinuxPythonLatestVersionForAppServices\" : { \n \"value\" : \"3.9\"\n },\n \"ensureDotNetFrameworkLatestForFunctionAppEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"sqlManagedInstanceAdvancedDataSecurityEmailsMonitoringEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"vulnerabilityAssessmentMonitoringEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"ensureDotNetFrameworkLatestForWebAppEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"sqlServerAdvancedDataSecurityEmailsMonitoringEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"microsoftIaaSAntimalwareExtensionShouldBeDeployedOnWindowsServersEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"securityCenterStandardPricingTierShouldBeSelectedEffect\" : { \n \"value\" : \"Audit\"\n },\n \"theLogAnalyticsAgentShouldBeInstalledOnVirtualMachinesEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"ensurePHPVersionLatestForFunctionAppEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"sqlManagedInstanceAdvancedDataSecurityEmailAdminsMonitoringEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"securityContactPhoneNumberShouldBeProvidedForSubscriptionEffect\" : { \n \"value\" : \"Disabled\"\n },\n 
\"threatDetectionTypesOnManagedInstanceMonitoringEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"ensureDotNetFrameworkLatestForAPIAppEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"sqlServerAdvancedDataSecurityEmailAdminsMonitoringEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"threatDetectionTypesOnServerMonitoringEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"theLogAnalyticsAgentShouldBeInstalledOnVirtualMachineScaleSetsEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n }\n}", - "$fxv#3": "{\n \"logAnalyticsWorkspaceId-f47b5582-33ec-4c5c-87c0-b010a6b2e917\" : { \n \"value\" : \"\"\n },\n \"effect-09024ccc-0c5f-475e-9457-b7c0d9ed487b\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"MembersToExclude-69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f\" :{\n \"value\": \"\"\n },\n \"MembersToInclude-30f71ea1-ac77-4f26-9fc5-2d926bbd4ba7\": {\n \"value\": \"\"\n },\n \"effect-0961003e-5a0a-4549-abde-af6a37f2724d\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-0b15565f-aa9e-48ba-8619-45960f2c314d\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-0e60b895-3786-45da-8377-9c6b4b6ac5f9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-17k78e20-9358-41c9-923c-fb736d382a12\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"PHPLatestVersion\" : { \n \"value\" : \"7.3\"\n },\n \"effect-22bee202-a82f-4305-9a2a-6d7f44d4dedb\" : { \n \"value\" : \"Audit\"\n },\n \"effect-26a828e1-e88f-464e-bbb3-c134a282b9de\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-34c877ad-507e-4c82-993e-3452a6e0ad3c\" : { \n \"value\" : \"Audit\"\n },\n \"effect-3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-404c3081-a854-4457-ae30-26a93ef643f9\" : { \n \"value\" : \"Audit\"\n },\n \"effect-47a6b606-51aa-4496-8bb7-64b11cf66adc\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-496223c3-ad65-4ecd-878a-bae78737e9ed\" : { \n 
\"value\" : \"AuditIfNotExists\"\n },\n \"JavaLatestVersion\" : { \n \"value\" : \"11\"\n },\n \"effect-4f11b553-d42e-4e3a-89be-32ca364cad4c\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-5c607a2e-c700-4744-8254-d77e7c9eb5e4\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-5f76cf89-fbf2-47fd-a3f4-b891fa780b60\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-6b1cbf55-e8b6-442f-ba4c-7246b6381474\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab\" : { \n \"value\" : \"Audit\"\n },\n \"effect-7008174a-fd10-4ef0-817e-fc820a951d73\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"LinuxPythonLatestVersion\" : { \n \"value\" : \"3.8\"\n },\n \"effect-7238174a-fd10-4ef0-817e-fc820a951d73\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-7261b898-8a84-4db8-9e04-18527132abb3\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-74c3584d-afae-46f7-a20a-6f8adba71a16\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-86b3d65f-7626-441e-b690-81a8b71cff60\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-88999f4c-376a-45c8-bcb3-4058f713cf39\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-8c122334-9d20-4eb8-89ea-ac9a705b74ae\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-9297c21d-2ed6-4474-b48f-163f75654ce3\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-991310cd-e9f3-47bc-b7b6-f57b557d07db\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-9b597639-28e4-48eb-b506-56b05d366257\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-9daedab3-fb2d-461e-b861-71790eead4f6\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-a4af4a39-4135-47fb-b175-47fbdf85311d\" 
: { \n \"value\" : \"Audit\"\n },\n \"effect-a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"setting-a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9\" : { \n \"value\" : \"enabled\"\n },\n \"effect-a70ca396-0a34-413a-88e1-b956c1e683be\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-aa633080-8b72-40c4-a2d7-d00c03e80bed\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-af6cd1bd-1635-48cb-bde7-5b15693900b9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"resourceGroupName-b6e2945c-0b7b-40f5-9233-7a5323b5cdc6\" : { \n \"value\" : \"NetworkWatcherRG\"\n },\n \"effect-b7ddfbdc-1260-477d-91fd-98bd9be789a6\" : { \n \"value\" : \"Audit\"\n },\n \"effect-c3f317a7-a95c-4547-b7e7-11017ebdf2fe\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-cb510bfd-1cba-4d9f-a230-cb0976f4bb71\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-e2c1c086-2d84-4019-bff3-c44ccd95113c\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-e3576e28-8b17-4677-84c3-db2990658d64\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-e8cbc669-f12d-49eb-93e7-9273119e9933\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-e9c8d085-d9cc-4b17-9cdc-059f1f01f19e\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-ebb62a0c-3560-49e1-89ed-27e074e9f8ad\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-efbde977-ba53-4479-b8e9-10b957924fbf\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-f6de0be7-9a8a-4b8a-b349-43cf02d22f7c\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-f8456c1c-aa66-4dfb-861a-25d127b775c9\" : { \n \"value\" : 
\"AuditIfNotExists\"\n },\n \"effect-f9d614c5-c173-4d56-95a7-b4437057d193\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-fb893a29-21bb-418c-a157-e99480ec364c\" : { \n \"value\" : \"Audit\"\n },\n \"effect-feedbf84-6b99-488c-acc2-71c829aa5ffc\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-3b980d31-7904-4bb7-8575-5665739a8052\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-6e2593d9-add6-4083-9c9b-4b7d2188c899\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-12430be1-6cc8-4527-a9a8-e3d38f250096\" : { \n \"value\" : \"Audit\"\n },\n \"modeRequirement-12430be1-6cc8-4527-a9a8-e3d38f250096\" : { \n \"value\" : \"Detection\"\n },\n \"effect-425bea59-a659-4cbb-8d31-34499bd030b8\" : { \n \"value\" : \"Audit\"\n },\n \"modeRequirement-425bea59-a659-4cbb-8d31-34499bd030b8\" : { \n \"value\" : \"Detection\"\n },\n \"effect-564feb30-bf6a-4854-b4bb-0d2d2d1e6c66\" : { \n \"value\" : \"Audit\"\n },\n \"effect-055aa869-bc98-4af8-bafc-23f1ab6ffe2c\" : { \n \"value\" : \"Audit\"\n },\n \"effect-013e242c-8828-4970-87b3-ab247555486d\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-d38fc420-0735-4ef3-ac11-c806f651a570\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-a1181c5f-672a-477a-979a-7d58aa086233\" : { \n \"value\" : \"Audit\"\n },\n \"effect-308fbb08-4ab8-4e67-9b29-592e93fb94fa\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-4da35fc9-c9e7-4960-aec9-797fe7d9051d\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-523b5cd1-3e23-492f-a539-13118b6d1e3a\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-7fe3b40f-802b-4cdd-8bd4-fd799c948cc2\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-c25d9a16-bc35-4e15-a7e5-9db606bf9ed4\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-b0f33259-77d7-4c9e-aac6-3aabcfae693c\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n 
\"effect-037eea7a-bd0a-46c5-9a66-03aea78705d3\" : { \n \"value\" : \"Audit\"\n },\n \"effect-0725b4dd-7e76-479c-a735-68e7ee23d5ca\" : { \n \"value\" : \"Audit\"\n },\n \"effect-0820b7b9-23aa-4725-a1ce-ae4558f718e5\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-2c89a2e5-7285-40fe-afe0-ae8654b92fab\" : { \n \"value\" : \"Audit\"\n },\n \"effect-358c20a6-3f9e-4f0e-97ff-c6ce485e2aac\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-5744710e-cc2f-4ee8-8809-3b11e89f4bc9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-ac4a19c2-fa67-49b4-8ae5-0b2e78c49457\" : { \n \"value\" : \"Audit\"\n },\n \"effect-c9d007d0-c057-4772-b18c-01e546713bcd\" : { \n \"value\" : \"Audit\"\n },\n \"effect-d0793b48-0edc-4296-a390-4c75d1bdfd71\" : { \n \"value\" : \"Audit\"\n },\n \"effect-e372f825-a257-4fb8-9175-797a8a8627d6\" : { \n \"value\" : \"Audit\"\n },\n \"effect-d158790f-bfb0-486c-8631-2dc6b4e8e6af\" : { \n \"value\" : \"Audit\"\n },\n \"effect-e802a67a-daf5-4436-9ea6-f6d821dd0c5d\" : { \n \"value\" : \"Audit\"\n },\n \"effect-a451c1ef-c6ca-483d-87ed-f49761e3ffb5\" : { \n \"value\" : \"Audit\"\n },\n \"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftSql-servers-firewallRules-delete\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftNetwork-networkSecurityGroups-delete\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftClassicNetwork-networkSecurityGroups-delete\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftNetwork-networkSecurityGroups-securityRules-delete\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftClassicNetwork-networkSecurityGroups-securityRules-delete\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-ae89ebca-1c92-4898-ac2c-9f63decb045c\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n 
\"effect-d26f7642-7545-4e18-9b75-8c9bbdee3a9a\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-1a4e592a-6a6e-44a5-9814-e36264ca96e7\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-7796937f-307b-4598-941c-67d3a05ebfe7\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-c5447c04-a4d7-4ba8-a263-c9ee321a6858\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-41388f1c-2db0-4c25-95b2-35d7f5ccbfa9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-b02aacc0-b073-424e-8298-42b22829ee0a\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-0ec47710-77ff-4a3d-9181-6aa50af424d0\" : { \n \"value\" : \"Audit\"\n },\n \"effect-48af4db5-9b8b-401c-8e74-076be876a430\" : { \n \"value\" : \"Audit\"\n },\n \"effect-82339799-d096-41ae-8538-b108becf0970\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1b7aa243-30e4-4c9e-bca8-d0d3022b634a\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-bb91dfba-c30d-4263-9add-9c2384e659a6\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-e71308d3-144b-4262-b144-efdc3cc90517\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-2bdd0062-9d75-436e-89df-487dd8e4b3c7\" : { \n \"value\" : \"Disabled\"\n },\n \"effect-4733ea7b-a883-42fe-8cac-97454c2a9e4a\" : { \n \"value\" : \"Audit\"\n },\n \"effect-67121cc7-ff39-4ab8-b7e3-95b84dab487d\" : { \n \"value\" : \"Audit\"\n },\n \"effect-6fac406b-40ca-413b-bf8e-0bf964659c25\" : { \n \"value\" : \"Audit\"\n },\n \"effect-81e74cea-30fd-40d5-802f-d72103c2aaaa\" : { \n \"value\" : \"Audit\"\n },\n \"effect-c349d81b-9985-44ae-a8da-ff98d108ede8\" : { \n \"value\" : \"Audit\"\n },\n \"effect-f4b53539-8df9-40e4-86c6-6b607703bd4e\" : { \n \"value\" : \"Audit\"\n },\n \"effect-ec068d99-e9c7-401f-8cef-5bdde4e6ccf1\" : { \n \"value\" : \"Audit\"\n },\n 
\"effect-048248b0-55cd-46da-b1ff-39efd52db260\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-0d134df8-db83-46fb-ad72-fe0c9428c8dd\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-2c89a2e5-7285-40fe-afe0-ae8654b92fb2\" : { \n \"value\" : \"Audit\"\n },\n \"effect-3657f5a0-770e-44a3-b44e-9431ba1e9735\" : { \n \"value\" : \"Audit\"\n },\n \"effect-5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\" : { \n \"value\" : \"Audit\"\n },\n \"effect-617c02be-7f02-4efd-8836-3180d47b6c68\" : { \n \"value\" : \"Audit\"\n },\n \"effect-7d7be79c-23ba-4033-84dd-45e2a5ccdd67\" : { \n \"value\" : \"Audit\"\n },\n \"effect-87ba29ef-1ab3-4d82-b763-87fcd4f531f7\" : { \n \"value\" : \"audit\"\n },\n \"effect-f7d52b2d-e161-4dfa-a82b-55e564167385\" : { \n \"value\" : \"Audit\"\n },\n \"effect-c43e4a30-77cb-48ab-a4dd-93f175c63b57\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1f314764-cb73-4fc9-b863-8eca98ac36e9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-123a3936-f020-408a-ba0c-47873faf1534\" : { \n \"value\" : \"AuditIfNotExists\"\n }\n}\n", - "modifiedAssignment": "[if(and(equals(toLower(environment().name), toLower('AzureCloud')), equals(toLower(parameters('builtInAssignment')), toLower('IL5'))), 'NISTRev4', parameters('builtInAssignment'))]", - "assignmentName": "[format('{0} {1}', variables('modifiedAssignment'), resourceGroup().name)]", - "agentVmssAssignmentName": "[format('Deploy VMSS Agents {0}', resourceGroup().name)]", - "agentVmAssignmentName": "[format('Deploy VM Agents {0}', resourceGroup().name)]", - "contributorRoleDefinitionId": "[resourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "lawsReaderRoleDefinitionId": "[resourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]" - }, - "resources": [ 
{ - "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2020-09-01", - "name": "[variables('assignmentName')]", - "location": "[parameters('location')]", - "properties": { - "policyDefinitionId": "[createObject('NISTRev4', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f', 'parameters', json(replace(variables('$fxv#0'), '', extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))))), 'NISTRev5', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f', 'parameters', json(variables('$fxv#1'))), 'IL5', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/f9a961fa-3241-4b20-adc4-bbf8ad9d7197', 'parameters', json(replace(variables('$fxv#2'), '', extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))))), 'CMMC', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/b5629c75-5c77-4422-87b9-2509e680f8de', 'parameters', json(replace(variables('$fxv#3'), '', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName')), '2021-06-01').customerId))))[variables('modifiedAssignment')].id]", - "parameters": "[createObject('NISTRev4', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f', 'parameters', json(replace(variables('$fxv#0'), '', 
extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))))), 'NISTRev5', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f', 'parameters', json(variables('$fxv#1'))), 'IL5', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/f9a961fa-3241-4b20-adc4-bbf8ad9d7197', 'parameters', json(replace(variables('$fxv#2'), '', extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))))), 'CMMC', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/b5629c75-5c77-4422-87b9-2509e680f8de', 'parameters', json(replace(variables('$fxv#3'), '', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName')), '2021-06-01').customerId))))[variables('modifiedAssignment')].parameters]" - }, - "identity": { - "type": "SystemAssigned" - } + "type": "Microsoft.Network/privateDnsZones", + "apiVersion": "2018-09-01", + "name": "[variables('privatelink_table_name')]", + "location": "global", + "tags": "[parameters('tags')]" }, { - "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2020-09-01", - "name": "[variables('agentVmssAssignmentName')]", - "location": "[parameters('location')]", - "properties": { - "policyDefinitionId": "[tenantResourceId('Microsoft.Authorization/policySetDefinitions', '75714362-cae7-409e-9b99-a8e5075b7fad')]", - "parameters": { - "logAnalytics_1": { - "value": 
"[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))]" - } - } - }, - "identity": { - "type": "SystemAssigned" - } + "type": "Microsoft.Network/privateDnsZones", + "apiVersion": "2018-09-01", + "name": "[variables('privatelink_keyvaultDns_name')]", + "location": "global", + "tags": "[parameters('tags')]" }, { - "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2020-09-01", - "name": "[variables('agentVmAssignmentName')]", - "location": "[parameters('location')]", - "properties": { - "policyDefinitionId": "[tenantResourceId('Microsoft.Authorization/policySetDefinitions', '55f3eceb-5573-4f18-9695-226972c6d74a')]", - "parameters": { - "logAnalytics_1": { - "value": "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))]" - } - } - }, - "identity": { - "type": "SystemAssigned" - } + "type": "Microsoft.Network/privateDnsZones", + "apiVersion": "2018-09-01", + "name": "[variables('privatelink_monitor_name')]", + "location": "global", + "tags": "[parameters('tags')]" }, { - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2020-04-01-preview", - "name": "[guid(variables('contributorRoleDefinitionId'), variables('assignmentName'))]", - "properties": { - "roleDefinitionId": "[variables('contributorRoleDefinitionId')]", - "principalId": "[if(empty(variables('modifiedAssignment')), '', reference(resourceId('Microsoft.Authorization/policyAssignments', variables('assignmentName')), '2020-09-01', 'full').identity.principalId)]", - "principalType": "ServicePrincipal" - }, - "dependsOn": [ - "[resourceId('Microsoft.Authorization/policyAssignments', 
variables('assignmentName'))]" - ] + "type": "Microsoft.Network/privateDnsZones", + "apiVersion": "2018-09-01", + "name": "[variables('privatelink_oms_opinsights_name')]", + "location": "global", + "tags": "[parameters('tags')]" + }, + { + "type": "Microsoft.Network/privateDnsZones", + "apiVersion": "2018-09-01", + "name": "[variables('privatelink_ods_opinsights_name')]", + "location": "global", + "tags": "[parameters('tags')]" }, { - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2020-04-01-preview", - "name": "[guid(variables('contributorRoleDefinitionId'), variables('agentVmssAssignmentName'))]", - "properties": { - "roleDefinitionId": "[variables('contributorRoleDefinitionId')]", - "principalId": "[reference(resourceId('Microsoft.Authorization/policyAssignments', variables('agentVmssAssignmentName')), '2020-09-01', 'full').identity.principalId]", - "principalType": "ServicePrincipal" - }, - "dependsOn": [ - "[resourceId('Microsoft.Authorization/policyAssignments', variables('agentVmssAssignmentName'))]" - ] + "type": "Microsoft.Network/privateDnsZones", + "apiVersion": "2018-09-01", + "name": "[variables('privatelink_agentsvc_azure_automation_name')]", + "location": "global", + "tags": "[parameters('tags')]" }, { - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2020-04-01-preview", - "name": "[guid(variables('contributorRoleDefinitionId'), variables('agentVmAssignmentName'))]", - "properties": { - "roleDefinitionId": "[variables('contributorRoleDefinitionId')]", - "principalId": "[reference(resourceId('Microsoft.Authorization/policyAssignments', variables('agentVmAssignmentName')), '2020-09-01', 'full').identity.principalId]", - "principalType": "ServicePrincipal" - }, - "dependsOn": [ - "[resourceId('Microsoft.Authorization/policyAssignments', variables('agentVmAssignmentName'))]" - ] + "type": "Microsoft.Network/privateDnsZones", + "apiVersion": "2018-09-01", + "name": 
"[variables('privatelink_azure_automation_name')]", + "location": "global", + "tags": "[parameters('tags')]" }, { - "condition": "[parameters('deployRemediation')]", - "type": "Microsoft.PolicyInsights/remediations", - "apiVersion": "2019-07-01", - "name": "VM-Agent-Policy-Remediation", - "properties": { - "policyAssignmentId": "[resourceId('Microsoft.Authorization/policyAssignments', variables('agentVmAssignmentName'))]", - "resourceDiscoveryMode": "ReEvaluateCompliance" - }, - "dependsOn": [ - "[resourceId('Microsoft.Authorization/policyAssignments', variables('agentVmAssignmentName'))]" - ] + "type": "Microsoft.Network/privateDnsZones", + "apiVersion": "2018-09-01", + "name": "[variables('privatelink_blob_name')]", + "location": "global", + "tags": "[parameters('tags')]" }, { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "[format('Assign-Laws-Role-Policy-{0}', resourceGroup().name)]", - "subscriptionId": "[parameters('operationsSubscriptionId')]", - "resourceGroup": "[parameters('logAnalyticsWorkspaceResourceGroupName')]", + "type": "Microsoft.Network/privateDnsZones/virtualNetworkLinks", + "apiVersion": "2018-09-01", + "name": "[format('{0}/{1}', variables('privatelink_avd_name'), format('{0}-link', variables('privatelink_avd_name')))]", + "location": "global", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "targetResourceId": { - "value": "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))]" - }, - "roleDefinitionId": { - "value": "[variables('lawsReaderRoleDefinitionId')]" - }, - "principalId": { - "value": "[reference(resourceId('Microsoft.Authorization/policyAssignments', variables('agentVmAssignmentName')), '2020-09-01', 'full').identity.principalId]" 
- } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.10.61.36676", - "templateHash": "15761836246481461949" - } - }, - "parameters": { - "targetResourceId": { - "type": "string" - }, - "roleDefinitionId": { - "type": "string" - }, - "principalId": { - "type": "string" - }, - "principalType": { - "type": "string", - "defaultValue": "ServicePrincipal", - "allowedValues": [ - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ] - }, - "description": { - "type": "string", - "defaultValue": "" - } - }, - "resources": [ - { - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2020-04-01-preview", - "name": "[guid(parameters('targetResourceId'), parameters('roleDefinitionId'), parameters('principalId'))]", - "properties": { - "principalId": "[parameters('principalId')]", - "principalType": "[parameters('principalType')]", - "roleDefinitionId": "[parameters('roleDefinitionId')]", - "description": "[parameters('description')]" - } - } - ] + "registrationEnabled": false, + "virtualNetwork": { + "id": "[resourceId(parameters('vnetSubscriptionId'), parameters('vnetResourceGroup'), 'Microsoft.Network/virtualNetworks', parameters('vnetName'))]" } }, "dependsOn": [ - "[resourceId('Microsoft.Authorization/policyAssignments', variables('agentVmAssignmentName'))]" - ] - } - ] - } - }, - "dependsOn": [ - "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix')))]" - ] - }, - { - "condition": "[parameters('deployPolicy')]", - "copy": { - "name": "spokePolicyAssignments", - "count": "[length(variables('spokes'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": 
"[format('assign-policy-{0}-{1}', variables('spokes')[copyIndex()].name, parameters('deploymentNameSuffix'))]", - "subscriptionId": "[variables('spokes')[copyIndex()].subscriptionId]", - "resourceGroup": "[variables('spokes')[copyIndex()].resourceGroupName]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "builtInAssignment": { - "value": "[parameters('policy')]" - }, - "logAnalyticsWorkspaceName": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix')))).outputs.name.value]" - }, - "logAnalyticsWorkspaceResourceGroupName": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix')))).outputs.resourceGroupName.value]" - }, - "operationsSubscriptionId": { - "value": "[parameters('operationsSubscriptionId')]" - }, - "location": { - "value": "[parameters('location')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.10.61.36676", - "templateHash": "3765055138598353912" - } - }, - "parameters": { - "builtInAssignment": { - "type": "string", - "defaultValue": "NISTRev4", - "metadata": { - "description": "[NISTRev4/NISTRev5/IL5/CMMC] Built-in policy assignments to assign, default is NISTRev4. IL5 is only available for AzureUsGovernment and will switch to NISTRev4 if tried in AzureCloud." 
- }, - "allowedValues": [ - "NISTRev4", - "NISTRev5", - "IL5", - "CMMC" + "[resourceId('Microsoft.Network/privateDnsZones', variables('privatelink_avd_name'))]" ] }, - "logAnalyticsWorkspaceName": { - "type": "string" - }, - "logAnalyticsWorkspaceResourceGroupName": { - "type": "string" - }, - "operationsSubscriptionId": { - "type": "string" - }, - "deployRemediation": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Starts a policy remediation for the VM Agent policies in hub RG. Set to false by default since this is time consuming in deployment." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "The location of this resource" - } - } - }, - "variables": { - "$fxv#0": " {\n \"listOfMembersToExcludeFromWindowsVMAdministratorsGroup\": \n {\n \"value\": \"admin\"\n },\n \"listOfMembersToIncludeInWindowsVMAdministratorsGroup\": \n {\n \"value\": \"azureuser\"\n },\n \"logAnalyticsWorkspaceIdforVMReporting\": \n {\n \"value\": \"\"\n },\n \"IncludeArcMachines\": \n {\n \"value\": \"true\"\n },\n \"MinimumTLSVersion-5752e6d6-1206-46d8-8ab1-ecc2f71a8112\": \n {\n \"value\": \"1.2\"\n },\n \"NotAvailableMachineState-bed48b13-6647-468e-aa2f-1af1d3f4dd40\": \n {\n \"value\": \"Compliant\"\n },\n \"requiredRetentionDays\": \n {\n \"value\": \"365\"\n },\n \"resourceGroupName-b6e2945c-0b7b-40f5-9233-7a5323b5cdc6\": \n {\n \"value\": \"NetworkWatcherRG\"\n }\n }", - "$fxv#1": " {\n \"IncludeArcMachines\": \n {\n \"value\": \"true\"\n },\n \"MinimumTLSVersion-5752e6d6-1206-46d8-8ab1-ecc2f71a8112\": \n {\n \"value\": \"1.2\"\n },\n \"NotAvailableMachineState-bed48b13-6647-468e-aa2f-1af1d3f4dd40\": \n {\n \"value\": \"Compliant\"\n },\n \"requiredRetentionDays\": \n {\n \"value\": \"365\"\n },\n \"resourceGroupName-b6e2945c-0b7b-40f5-9233-7a5323b5cdc6\": \n {\n \"value\": \"NetworkWatcherRG\"\n }\n }", - "$fxv#2": "{\n \"IncludeArcMachines\" : { \n \"value\" : \"false\"\n 
},\n \"NotAvailableMachineState-bed48b13-6647-468e-aa2f-1af1d3f4dd40\" : { \n \"value\" : \"Compliant\"\n },\n \"MinimumTLSVersionForWindowsServers\" : { \n \"value\" : \"1.2\"\n },\n \"requiredRetentionDays\" : { \n \"value\" : \"365\"\n },\n \"effect-febd0533-8e55-448f-b837-bd0e06f16469\" : { \n \"value\" : \"audit\"\n },\n \"allowedContainerImagesRegex-febd0533-8e55-448f-b837-bd0e06f16469\" : { \n \"value\" : \"^(.+){0}$\"\n },\n \"effect-95edb821-ddaf-4404-9732-666045e056b4\" : { \n \"value\" : \"audit\"\n },\n \"effect-440b515e-a580-421e-abeb-b159a61ddcbc\" : { \n \"value\" : \"audit\"\n },\n \"effect-233a2a17-77ca-4fb1-9b6b-69223d272a44\" : { \n \"value\" : \"audit\"\n },\n \"effect-e345eecc-fa47-480f-9e88-67dcc122b164\" : { \n \"value\" : \"audit\"\n },\n \"cpuLimit-e345eecc-fa47-480f-9e88-67dcc122b164\" : { \n \"value\" : \"0\"\n },\n \"memoryLimit-e345eecc-fa47-480f-9e88-67dcc122b164\" : { \n \"value\" : \"0\"\n },\n \"effect-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \n \"value\" : \"audit\"\n },\n \"runAsUserRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \n \"value\" : \"MustRunAsNonRoot\"\n },\n \"runAsGroupRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \n \"value\" : \"RunAsAny\"\n },\n \"supplementalGroupsRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \n \"value\" : \"RunAsAny\"\n },\n \"fsGroupRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \n \"value\" : \"RunAsAny\"\n },\n \"effect-1c6e92c9-99f0-4e55-9cf2-0c234dc48f99\" : { \n \"value\" : \"audit\"\n },\n \"effect-47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8\" : { \n \"value\" : \"audit\"\n },\n \"effect-df49d893-a74c-421d-bc95-c663042e5b80\" : { \n \"value\" : \"audit\"\n },\n \"effect-1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\" : { \n \"value\" : \"audit\"\n },\n \"effect-c26596ff-4d70-4e6a-9a30-c2506bd2f80c\" : { \n \"value\" : \"audit\"\n },\n \"effect-511f5417-5d12-434d-ab2e-816901e72a5e\" : { \n \"value\" : \"audit\"\n },\n \"effect-82985f06-dc18-4a48-bc1c-b9f4f0098cfe\" : { \n \"value\" : \"audit\"\n 
},\n \"effect-098fc59e-46c7-4d99-9b16-64990e543d75\" : { \n \"value\" : \"audit\"\n },\n \"NetworkWatcherResourceGroupName\" : { \n \"value\" : \"NetworkWatcherRG\"\n },\n \"setting-a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9\" : { \n \"value\" : \"enabled\"\n },\n \"aadAuthenticationInServiceFabricMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"effect-71ef260a-8f18-47b7-abcb-62d0673d94dc\" : { \n \"value\" : \"Audit\"\n },\n \"effect-055aa869-bc98-4af8-bafc-23f1ab6ffe2c\" : { \n \"value\" : \"Audit\"\n },\n \"effect-564feb30-bf6a-4854-b4bb-0d2d2d1e6c66\" : { \n \"value\" : \"Audit\"\n },\n \"effect-862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb\" : { \n \"value\" : \"Audit\"\n },\n \"effect-d9da03a1-f3c3-412a-9709-947156872263\" : { \n \"value\" : \"Audit\"\n },\n \"effect-617c02be-7f02-4efd-8836-3180d47b6c68\" : { \n \"value\" : \"Audit\"\n },\n \"effect-0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d\" : { \n \"value\" : \"Audit\"\n },\n \"effect-ec068d99-e9c7-401f-8cef-5bdde4e6ccf1\" : { \n \"value\" : \"Audit\"\n },\n \"effect-c349d81b-9985-44ae-a8da-ff98d108ede8\" : { \n \"value\" : \"Audit\"\n },\n \"effect-3657f5a0-770e-44a3-b44e-9431ba1e9735\" : { \n \"value\" : \"Audit\"\n },\n \"effect-b4ac1030-89c5-4697-8e00-28b5ba6a8811\" : { \n \"value\" : \"audit\"\n },\n \"effect-ea0dfaed-95fb-448c-934e-d6e713ce393d\" : { \n \"value\" : \"audit\"\n },\n \"effect-4733ea7b-a883-42fe-8cac-97454c2a9e4a\" : { \n \"value\" : \"Audit\"\n },\n \"effect-f4b53539-8df9-40e4-86c6-6b607703bd4e\" : { \n \"value\" : \"Audit\"\n },\n \"effect-41425d9f-d1a5-499a-9932-f8ed8453932c\" : { \n \"value\" : \"Audit\"\n },\n \"effect-fc4d8e41-e223-45ea-9bf5-eada37891d87\" : { \n \"value\" : \"Audit\"\n },\n \"effect-86efb160-8de7-451d-bc08-5d475b0aadae\" : { \n \"value\" : \"Audit\"\n },\n \"effect-4ec52d6d-beb7-40c4-9a9e-fe753254690e\" : { \n \"value\" : \"Audit\"\n },\n \"effect-64d314f6-6062-4780-a861-c23e8951bee5\" : { \n 
\"value\" : \"Audit\"\n },\n \"effect-1fd32ebd-e4c3-4e13-a54a-d7422d4d95f6\" : { \n \"value\" : \"Audit\"\n },\n \"effect-fa298e57-9444-42ba-bf04-86e8470e32c7\" : { \n \"value\" : \"audit\"\n },\n \"effect-67121cc7-ff39-4ab8-b7e3-95b84dab487d\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1f905d99-2ab7-462c-a6b0-f709acca6c8f\" : { \n \"value\" : \"audit\"\n },\n \"effect-5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\" : { \n \"value\" : \"Audit\"\n },\n \"effect-ba769a63-b8cc-4b2d-abf6-ac33c7204be8\" : { \n \"value\" : \"Audit\"\n },\n \"effect-81e74cea-30fd-40d5-802f-d72103c2aaaa\" : { \n \"value\" : \"Audit\"\n },\n \"effect-0aa61e00-0a01-4a3c-9945-e93cffedf0e6\" : { \n \"value\" : \"Audit\"\n },\n \"effect-47031206-ce96-41f8-861b-6a915f3de284\" : { \n \"value\" : \"Audit\"\n },\n \"effect-87ba29ef-1ab3-4d82-b763-87fcd4f531f7\" : { \n \"value\" : \"audit\"\n },\n \"effect-51522a96-0869-4791-82f3-981000c2c67f\" : { \n \"value\" : \"audit\"\n },\n \"effect-b5ec538c-daa0-4006-8596-35468b9148e8\" : { \n \"value\" : \"Audit\"\n },\n \"effect-56a5ee18-2ae6-4810-86f7-18e39ce5629b\" : { \n \"value\" : \"Audit\"\n },\n \"effect-2e94d99a-8a36-4563-bc77-810d8893b671\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1fafeaf6-7927-4059-a50a-8eb2a7a6f2b5\" : { \n \"value\" : \"Audit\"\n },\n \"effect-99e9ccd8-3db9-4592-b0d1-14b1715a4d8a\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1f68a601-6e6d-4e42-babf-3f643a047ea2\" : { \n \"value\" : \"audit\"\n },\n \"effect-f7d52b2d-e161-4dfa-a82b-55e564167385\" : { \n \"value\" : \"Audit\"\n },\n \"effect-7d7be79c-23ba-4033-84dd-45e2a5ccdd67\" : { \n \"value\" : \"Audit\"\n },\n \"effect-ca91455f-eace-4f96-be59-e6e2c35b4816\" : { \n \"value\" : \"Audit\"\n },\n \"effect-702dd420-7fcc-42c5-afe8-4026edd20fe0\" : { \n \"value\" : \"Audit\"\n },\n \"diagnosticsLogsInRedisCacheMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"secureTransferToStorageAccountMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n 
\"effect-d0793b48-0edc-4296-a390-4c75d1bdfd71\" : { \n \"value\" : \"Audit\"\n },\n \"effect-7d092e0a-7acd-40d2-a975-dca21cae48c4\" : { \n \"value\" : \"Audit\"\n },\n \"effect-2a1a9cdf-e04d-429a-8416-3bfb72a1b26f\" : { \n \"value\" : \"Audit\"\n },\n \"disableUnrestrictedNetworkToStorageAccountMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"effect-55615ac9-af46-4a59-874e-391cc3dfb490\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1b8ca024-1d5c-4dec-8995-b1a932b41780\" : { \n \"value\" : \"Audit\"\n },\n \"effect-037eea7a-bd0a-46c5-9a66-03aea78705d3\" : { \n \"value\" : \"Audit\"\n },\n \"effect-53503636-bcc9-4748-9663-5348217f160f\" : { \n \"value\" : \"Audit\"\n },\n \"effect-40cec1dd-a100-4920-b15b-3024fe8901ab\" : { \n \"value\" : \"Audit\"\n },\n \"effect-0725b4dd-7e76-479c-a735-68e7ee23d5ca\" : { \n \"value\" : \"Audit\"\n },\n \"effect-a049bf77-880b-470f-ba6d-9f21c530cf83\" : { \n \"value\" : \"Audit\"\n },\n \"effect-ee980b6d-0eca-4501-8d54-f6290fd512c3\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1d84d5fb-01f6-4d12-ba4f-4a26081d403d\" : { \n \"value\" : \"Audit\"\n },\n \"effect-37e0d2fe-28a5-43d6-a273-67d37d1f5606\" : { \n \"value\" : \"Audit\"\n },\n \"identityDesignateMoreThanOneOwnerMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"diskEncryptionMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"emailNotificationToSubscriptionOwnerHighSeverityAlertsEnabledEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"functionAppDisableRemoteDebuggingMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"sqlDbEncryptionMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"vulnerabilityAssessmentOnManagedInstanceMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensurePHPVersionLatestForAPIAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"aadAuthenticationInSqlServerMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n 
\"vmssEndpointProtectionMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"vmssOsVulnerabilitiesMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"adaptiveApplicationControlsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"geoRedundantBackupShouldBeEnabledForAzureDatabaseForPostgreSQLEffect\" : { \n \"value\" : \"Audit\"\n },\n \"ensureJavaVersionLatestForWebAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityDesignateLessThanOwnersMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"securityContactEmailAddressForSubscriptionEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"webAppRestrictCORSAccessMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityRemoveExternalAccountWithWritePermissionsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityRemoveExternalAccountWithReadPermissionsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityRemoveDeprecatedAccountMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"functionAppEnforceHttpsMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"ensurePythonVersionLatestForWebAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensurePythonVersionLatestForFunctionAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensurePHPVersionLatestForWebAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensurePythonVersionLatestForAPIAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"geoRedundantBackupShouldBeEnabledForAzureDatabaseForMySQLEffect\" : { \n \"value\" : \"Audit\"\n },\n \"systemUpdatesMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensureJavaVersionLatestForAPIAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensureHTTPVersionLatestForWebAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"apiAppRequireLatestTlsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n 
},\n \"identityEnableMFAForWritePermissionsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensureHTTPVersionLatestForAPIAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensureJavaVersionLatestForFunctionAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"nextGenerationFirewallMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"useRbacRulesMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"webAppEnforceHttpsMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"sqlServerAuditingMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"vnetEnableDDoSProtectionMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityEnableMFAForOwnerPermissionsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"sqlServerAdvancedDataSecurityMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"sqlManagedInstanceAdvancedDataSecurityMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"endpointProtectionMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"jitNetworkAccessMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"apiAppEnforceHttpsMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"geoRedundantStorageShouldBeEnabledForStorageAccountsEffect\" : { \n \"value\" : \"Audit\"\n },\n \"vmssSystemUpdatesMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"webAppDisableRemoteDebuggingMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"longtermGeoRedundantBackupEnabledAzureSQLDatabasesEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"systemConfigurationsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensureHTTPVersionLatestForFunctionAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityEnableMFAForReadPermissionsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"containerBenchmarkMonitoringEffect\" : { \n \"value\" : 
\"AuditIfNotExists\"\n },\n \"apiAppDisableRemoteDebuggingMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"vulnerabilityAssessmentOnServerMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"webAppRequireLatestTlsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityRemoveExternalAccountWithOwnerPermissionsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"functionAppRequireLatestTlsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"kubernetesServiceVersionUpToDateMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"sqlDbVulnerabilityAssesmentMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"membersToIncludeInLocalAdministratorsGroup\" : { \n \"value\" : \"\"\n },\n \"membersToExcludeInLocalAdministratorsGroup\" : { \n \"value\" : \"\"\n },\n \"logAnalyticsWorkspaceIDForVMAgents\" : { \n \"value\" : \"\"\n },\n \"PHPLatestVersionForAppServices\" : { \n \"value\" : \"7.4\"\n },\n \"JavaLatestVersionForAppServices\" : { \n \"value\" : \"11\"\n },\n \"WindowsPythonLatestVersionForAppServices\" : { \n \"value\" : \"3.6\"\n },\n \"LinuxPythonLatestVersionForAppServices\" : { \n \"value\" : \"3.9\"\n },\n \"ensureDotNetFrameworkLatestForFunctionAppEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"sqlManagedInstanceAdvancedDataSecurityEmailsMonitoringEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"vulnerabilityAssessmentMonitoringEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"ensureDotNetFrameworkLatestForWebAppEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"sqlServerAdvancedDataSecurityEmailsMonitoringEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"microsoftIaaSAntimalwareExtensionShouldBeDeployedOnWindowsServersEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"securityCenterStandardPricingTierShouldBeSelectedEffect\" : { \n \"value\" 
: \"Audit\"\n },\n \"theLogAnalyticsAgentShouldBeInstalledOnVirtualMachinesEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"ensurePHPVersionLatestForFunctionAppEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"sqlManagedInstanceAdvancedDataSecurityEmailAdminsMonitoringEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"securityContactPhoneNumberShouldBeProvidedForSubscriptionEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"threatDetectionTypesOnManagedInstanceMonitoringEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"ensureDotNetFrameworkLatestForAPIAppEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"sqlServerAdvancedDataSecurityEmailAdminsMonitoringEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"threatDetectionTypesOnServerMonitoringEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"theLogAnalyticsAgentShouldBeInstalledOnVirtualMachineScaleSetsEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n }\n}", - "$fxv#3": "{\n \"logAnalyticsWorkspaceId-f47b5582-33ec-4c5c-87c0-b010a6b2e917\" : { \n \"value\" : \"\"\n },\n \"effect-09024ccc-0c5f-475e-9457-b7c0d9ed487b\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"MembersToExclude-69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f\" :{\n \"value\": \"\"\n },\n \"MembersToInclude-30f71ea1-ac77-4f26-9fc5-2d926bbd4ba7\": {\n \"value\": \"\"\n },\n \"effect-0961003e-5a0a-4549-abde-af6a37f2724d\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-0b15565f-aa9e-48ba-8619-45960f2c314d\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-0e60b895-3786-45da-8377-9c6b4b6ac5f9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-17k78e20-9358-41c9-923c-fb736d382a12\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"PHPLatestVersion\" : { \n \"value\" : \"7.3\"\n },\n \"effect-22bee202-a82f-4305-9a2a-6d7f44d4dedb\" : { \n \"value\" : \"Audit\"\n },\n \"effect-26a828e1-e88f-464e-bbb3-c134a282b9de\" : { \n \"value\" : 
\"AuditIfNotExists\"\n },\n \"effect-34c877ad-507e-4c82-993e-3452a6e0ad3c\" : { \n \"value\" : \"Audit\"\n },\n \"effect-3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-404c3081-a854-4457-ae30-26a93ef643f9\" : { \n \"value\" : \"Audit\"\n },\n \"effect-47a6b606-51aa-4496-8bb7-64b11cf66adc\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-496223c3-ad65-4ecd-878a-bae78737e9ed\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"JavaLatestVersion\" : { \n \"value\" : \"11\"\n },\n \"effect-4f11b553-d42e-4e3a-89be-32ca364cad4c\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-5c607a2e-c700-4744-8254-d77e7c9eb5e4\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-5f76cf89-fbf2-47fd-a3f4-b891fa780b60\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-6b1cbf55-e8b6-442f-ba4c-7246b6381474\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab\" : { \n \"value\" : \"Audit\"\n },\n \"effect-7008174a-fd10-4ef0-817e-fc820a951d73\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"LinuxPythonLatestVersion\" : { \n \"value\" : \"3.8\"\n },\n \"effect-7238174a-fd10-4ef0-817e-fc820a951d73\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-7261b898-8a84-4db8-9e04-18527132abb3\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-74c3584d-afae-46f7-a20a-6f8adba71a16\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-86b3d65f-7626-441e-b690-81a8b71cff60\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-88999f4c-376a-45c8-bcb3-4058f713cf39\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-8c122334-9d20-4eb8-89ea-ac9a705b74ae\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-9297c21d-2ed6-4474-b48f-163f75654ce3\" : { \n \"value\" : 
\"AuditIfNotExists\"\n },\n \"effect-991310cd-e9f3-47bc-b7b6-f57b557d07db\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-9b597639-28e4-48eb-b506-56b05d366257\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-9daedab3-fb2d-461e-b861-71790eead4f6\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-a4af4a39-4135-47fb-b175-47fbdf85311d\" : { \n \"value\" : \"Audit\"\n },\n \"effect-a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"setting-a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9\" : { \n \"value\" : \"enabled\"\n },\n \"effect-a70ca396-0a34-413a-88e1-b956c1e683be\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-aa633080-8b72-40c4-a2d7-d00c03e80bed\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-af6cd1bd-1635-48cb-bde7-5b15693900b9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"resourceGroupName-b6e2945c-0b7b-40f5-9233-7a5323b5cdc6\" : { \n \"value\" : \"NetworkWatcherRG\"\n },\n \"effect-b7ddfbdc-1260-477d-91fd-98bd9be789a6\" : { \n \"value\" : \"Audit\"\n },\n \"effect-c3f317a7-a95c-4547-b7e7-11017ebdf2fe\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-cb510bfd-1cba-4d9f-a230-cb0976f4bb71\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-e2c1c086-2d84-4019-bff3-c44ccd95113c\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-e3576e28-8b17-4677-84c3-db2990658d64\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-e8cbc669-f12d-49eb-93e7-9273119e9933\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-e9c8d085-d9cc-4b17-9cdc-059f1f01f19e\" : { \n \"value\" : \"AuditIfNotExists\"\n 
},\n \"effect-ebb62a0c-3560-49e1-89ed-27e074e9f8ad\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-efbde977-ba53-4479-b8e9-10b957924fbf\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-f6de0be7-9a8a-4b8a-b349-43cf02d22f7c\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-f8456c1c-aa66-4dfb-861a-25d127b775c9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-f9d614c5-c173-4d56-95a7-b4437057d193\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-fb893a29-21bb-418c-a157-e99480ec364c\" : { \n \"value\" : \"Audit\"\n },\n \"effect-feedbf84-6b99-488c-acc2-71c829aa5ffc\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-3b980d31-7904-4bb7-8575-5665739a8052\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-6e2593d9-add6-4083-9c9b-4b7d2188c899\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-12430be1-6cc8-4527-a9a8-e3d38f250096\" : { \n \"value\" : \"Audit\"\n },\n \"modeRequirement-12430be1-6cc8-4527-a9a8-e3d38f250096\" : { \n \"value\" : \"Detection\"\n },\n \"effect-425bea59-a659-4cbb-8d31-34499bd030b8\" : { \n \"value\" : \"Audit\"\n },\n \"modeRequirement-425bea59-a659-4cbb-8d31-34499bd030b8\" : { \n \"value\" : \"Detection\"\n },\n \"effect-564feb30-bf6a-4854-b4bb-0d2d2d1e6c66\" : { \n \"value\" : \"Audit\"\n },\n \"effect-055aa869-bc98-4af8-bafc-23f1ab6ffe2c\" : { \n \"value\" : \"Audit\"\n },\n \"effect-013e242c-8828-4970-87b3-ab247555486d\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-d38fc420-0735-4ef3-ac11-c806f651a570\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-a1181c5f-672a-477a-979a-7d58aa086233\" : { \n \"value\" : \"Audit\"\n },\n \"effect-308fbb08-4ab8-4e67-9b29-592e93fb94fa\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-4da35fc9-c9e7-4960-aec9-797fe7d9051d\" : { \n 
\"value\" : \"AuditIfNotExists\"\n },\n \"effect-523b5cd1-3e23-492f-a539-13118b6d1e3a\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-7fe3b40f-802b-4cdd-8bd4-fd799c948cc2\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-c25d9a16-bc35-4e15-a7e5-9db606bf9ed4\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-b0f33259-77d7-4c9e-aac6-3aabcfae693c\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-037eea7a-bd0a-46c5-9a66-03aea78705d3\" : { \n \"value\" : \"Audit\"\n },\n \"effect-0725b4dd-7e76-479c-a735-68e7ee23d5ca\" : { \n \"value\" : \"Audit\"\n },\n \"effect-0820b7b9-23aa-4725-a1ce-ae4558f718e5\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-2c89a2e5-7285-40fe-afe0-ae8654b92fab\" : { \n \"value\" : \"Audit\"\n },\n \"effect-358c20a6-3f9e-4f0e-97ff-c6ce485e2aac\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-5744710e-cc2f-4ee8-8809-3b11e89f4bc9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-ac4a19c2-fa67-49b4-8ae5-0b2e78c49457\" : { \n \"value\" : \"Audit\"\n },\n \"effect-c9d007d0-c057-4772-b18c-01e546713bcd\" : { \n \"value\" : \"Audit\"\n },\n \"effect-d0793b48-0edc-4296-a390-4c75d1bdfd71\" : { \n \"value\" : \"Audit\"\n },\n \"effect-e372f825-a257-4fb8-9175-797a8a8627d6\" : { \n \"value\" : \"Audit\"\n },\n \"effect-d158790f-bfb0-486c-8631-2dc6b4e8e6af\" : { \n \"value\" : \"Audit\"\n },\n \"effect-e802a67a-daf5-4436-9ea6-f6d821dd0c5d\" : { \n \"value\" : \"Audit\"\n },\n \"effect-a451c1ef-c6ca-483d-87ed-f49761e3ffb5\" : { \n \"value\" : \"Audit\"\n },\n \"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftSql-servers-firewallRules-delete\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftNetwork-networkSecurityGroups-delete\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftClassicNetwork-networkSecurityGroups-delete\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n 
\"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftNetwork-networkSecurityGroups-securityRules-delete\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftClassicNetwork-networkSecurityGroups-securityRules-delete\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-ae89ebca-1c92-4898-ac2c-9f63decb045c\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-d26f7642-7545-4e18-9b75-8c9bbdee3a9a\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-1a4e592a-6a6e-44a5-9814-e36264ca96e7\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-7796937f-307b-4598-941c-67d3a05ebfe7\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-c5447c04-a4d7-4ba8-a263-c9ee321a6858\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-41388f1c-2db0-4c25-95b2-35d7f5ccbfa9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-b02aacc0-b073-424e-8298-42b22829ee0a\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-0ec47710-77ff-4a3d-9181-6aa50af424d0\" : { \n \"value\" : \"Audit\"\n },\n \"effect-48af4db5-9b8b-401c-8e74-076be876a430\" : { \n \"value\" : \"Audit\"\n },\n \"effect-82339799-d096-41ae-8538-b108becf0970\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1b7aa243-30e4-4c9e-bca8-d0d3022b634a\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-bb91dfba-c30d-4263-9add-9c2384e659a6\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-e71308d3-144b-4262-b144-efdc3cc90517\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-2bdd0062-9d75-436e-89df-487dd8e4b3c7\" : { \n \"value\" : \"Disabled\"\n },\n \"effect-4733ea7b-a883-42fe-8cac-97454c2a9e4a\" : { \n \"value\" : \"Audit\"\n },\n \"effect-67121cc7-ff39-4ab8-b7e3-95b84dab487d\" : { \n \"value\" : \"Audit\"\n },\n 
\"effect-6fac406b-40ca-413b-bf8e-0bf964659c25\" : { \n \"value\" : \"Audit\"\n },\n \"effect-81e74cea-30fd-40d5-802f-d72103c2aaaa\" : { \n \"value\" : \"Audit\"\n },\n \"effect-c349d81b-9985-44ae-a8da-ff98d108ede8\" : { \n \"value\" : \"Audit\"\n },\n \"effect-f4b53539-8df9-40e4-86c6-6b607703bd4e\" : { \n \"value\" : \"Audit\"\n },\n \"effect-ec068d99-e9c7-401f-8cef-5bdde4e6ccf1\" : { \n \"value\" : \"Audit\"\n },\n \"effect-048248b0-55cd-46da-b1ff-39efd52db260\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-0d134df8-db83-46fb-ad72-fe0c9428c8dd\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-2c89a2e5-7285-40fe-afe0-ae8654b92fb2\" : { \n \"value\" : \"Audit\"\n },\n \"effect-3657f5a0-770e-44a3-b44e-9431ba1e9735\" : { \n \"value\" : \"Audit\"\n },\n \"effect-5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\" : { \n \"value\" : \"Audit\"\n },\n \"effect-617c02be-7f02-4efd-8836-3180d47b6c68\" : { \n \"value\" : \"Audit\"\n },\n \"effect-7d7be79c-23ba-4033-84dd-45e2a5ccdd67\" : { \n \"value\" : \"Audit\"\n },\n \"effect-87ba29ef-1ab3-4d82-b763-87fcd4f531f7\" : { \n \"value\" : \"audit\"\n },\n \"effect-f7d52b2d-e161-4dfa-a82b-55e564167385\" : { \n \"value\" : \"Audit\"\n },\n \"effect-c43e4a30-77cb-48ab-a4dd-93f175c63b57\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1f314764-cb73-4fc9-b863-8eca98ac36e9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-123a3936-f020-408a-ba0c-47873faf1534\" : { \n \"value\" : \"AuditIfNotExists\"\n }\n}\n", - "modifiedAssignment": "[if(and(equals(toLower(environment().name), toLower('AzureCloud')), equals(toLower(parameters('builtInAssignment')), toLower('IL5'))), 'NISTRev4', parameters('builtInAssignment'))]", - "assignmentName": "[format('{0} {1}', variables('modifiedAssignment'), resourceGroup().name)]", - "agentVmssAssignmentName": 
"[format('Deploy VMSS Agents {0}', resourceGroup().name)]", - "agentVmAssignmentName": "[format('Deploy VM Agents {0}', resourceGroup().name)]", - "contributorRoleDefinitionId": "[resourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "lawsReaderRoleDefinitionId": "[resourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]" - }, - "resources": [ { - "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2020-09-01", - "name": "[variables('assignmentName')]", - "location": "[parameters('location')]", + "type": "Microsoft.Network/privateDnsZones/virtualNetworkLinks", + "apiVersion": "2018-09-01", + "name": "[format('{0}/{1}', variables('privatelink_file_name'), format('{0}-link', variables('privatelink_file_name')))]", + "location": "global", "properties": { - "policyDefinitionId": "[createObject('NISTRev4', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f', 'parameters', json(replace(variables('$fxv#0'), '', extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))))), 'NISTRev5', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f', 'parameters', json(variables('$fxv#1'))), 'IL5', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/f9a961fa-3241-4b20-adc4-bbf8ad9d7197', 'parameters', json(replace(variables('$fxv#2'), '', extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))))), 'CMMC', createObject('id', 
'/providers/Microsoft.Authorization/policySetDefinitions/b5629c75-5c77-4422-87b9-2509e680f8de', 'parameters', json(replace(variables('$fxv#3'), '', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName')), '2021-06-01').customerId))))[variables('modifiedAssignment')].id]", - "parameters": "[createObject('NISTRev4', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f', 'parameters', json(replace(variables('$fxv#0'), '', extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))))), 'NISTRev5', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f', 'parameters', json(variables('$fxv#1'))), 'IL5', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/f9a961fa-3241-4b20-adc4-bbf8ad9d7197', 'parameters', json(replace(variables('$fxv#2'), '', extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))))), 'CMMC', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/b5629c75-5c77-4422-87b9-2509e680f8de', 'parameters', json(replace(variables('$fxv#3'), '', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName')), 
'2021-06-01').customerId))))[variables('modifiedAssignment')].parameters]" + "registrationEnabled": false, + "virtualNetwork": { + "id": "[resourceId(parameters('vnetSubscriptionId'), parameters('vnetResourceGroup'), 'Microsoft.Network/virtualNetworks', parameters('vnetName'))]" + } }, - "identity": { - "type": "SystemAssigned" - } + "dependsOn": [ + "[resourceId('Microsoft.Network/privateDnsZones', variables('privatelink_file_name'))]" + ] }, { - "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2020-09-01", - "name": "[variables('agentVmssAssignmentName')]", - "location": "[parameters('location')]", + "type": "Microsoft.Network/privateDnsZones/virtualNetworkLinks", + "apiVersion": "2018-09-01", + "name": "[format('{0}/{1}', variables('privatelink_table_name'), format('{0}-link', variables('privatelink_table_name')))]", + "location": "global", "properties": { - "policyDefinitionId": "[tenantResourceId('Microsoft.Authorization/policySetDefinitions', '75714362-cae7-409e-9b99-a8e5075b7fad')]", - "parameters": { - "logAnalytics_1": { - "value": "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))]" - } + "registrationEnabled": false, + "virtualNetwork": { + "id": "[resourceId(parameters('vnetSubscriptionId'), parameters('vnetResourceGroup'), 'Microsoft.Network/virtualNetworks', parameters('vnetName'))]" } }, - "identity": { - "type": "SystemAssigned" - } + "dependsOn": [ + "[resourceId('Microsoft.Network/privateDnsZones', variables('privatelink_table_name'))]" + ] }, { - "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2020-09-01", - "name": "[variables('agentVmAssignmentName')]", - "location": "[parameters('location')]", + "type": "Microsoft.Network/privateDnsZones/virtualNetworkLinks", + "apiVersion": "2018-09-01", + "name": 
"[format('{0}/{1}', variables('privatelink_keyvaultDns_name'), format('{0}-link', variables('privatelink_keyvaultDns_name')))]", + "location": "global", "properties": { - "policyDefinitionId": "[tenantResourceId('Microsoft.Authorization/policySetDefinitions', '55f3eceb-5573-4f18-9695-226972c6d74a')]", - "parameters": { - "logAnalytics_1": { - "value": "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))]" - } + "registrationEnabled": false, + "virtualNetwork": { + "id": "[resourceId(parameters('vnetSubscriptionId'), parameters('vnetResourceGroup'), 'Microsoft.Network/virtualNetworks', parameters('vnetName'))]" } }, - "identity": { - "type": "SystemAssigned" - } + "dependsOn": [ + "[resourceId('Microsoft.Network/privateDnsZones', variables('privatelink_keyvaultDns_name'))]" + ] }, { - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2020-04-01-preview", - "name": "[guid(variables('contributorRoleDefinitionId'), variables('assignmentName'))]", + "type": "Microsoft.Network/privateDnsZones/virtualNetworkLinks", + "apiVersion": "2018-09-01", + "name": "[format('{0}/{1}', variables('privatelink_queue_name'), format('{0}-link', variables('privatelink_queue_name')))]", + "location": "global", "properties": { - "roleDefinitionId": "[variables('contributorRoleDefinitionId')]", - "principalId": "[if(empty(variables('modifiedAssignment')), '', reference(resourceId('Microsoft.Authorization/policyAssignments', variables('assignmentName')), '2020-09-01', 'full').identity.principalId)]", - "principalType": "ServicePrincipal" + "registrationEnabled": false, + "virtualNetwork": { + "id": "[resourceId(parameters('vnetSubscriptionId'), parameters('vnetResourceGroup'), 'Microsoft.Network/virtualNetworks', parameters('vnetName'))]" + } }, "dependsOn": [ - 
"[resourceId('Microsoft.Authorization/policyAssignments', variables('assignmentName'))]" + "[resourceId('Microsoft.Network/privateDnsZones', variables('privatelink_queue_name'))]" ] }, { - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2020-04-01-preview", - "name": "[guid(variables('contributorRoleDefinitionId'), variables('agentVmssAssignmentName'))]", + "copy": { + "name": "virtualNetworkLink_backup_rsv", + "count": "[length(variables('privatelink_backup_names'))]" + }, + "type": "Microsoft.Network/privateDnsZones/virtualNetworkLinks", + "apiVersion": "2018-09-01", + "name": "[format('{0}/{1}', variables('privatelink_backup_names')[copyIndex()], format('{0}-link', variables('privatelink_backup_names')[copyIndex()]))]", + "location": "global", "properties": { - "roleDefinitionId": "[variables('contributorRoleDefinitionId')]", - "principalId": "[reference(resourceId('Microsoft.Authorization/policyAssignments', variables('agentVmssAssignmentName')), '2020-09-01', 'full').identity.principalId]", - "principalType": "ServicePrincipal" + "registrationEnabled": false, + "virtualNetwork": { + "id": "[resourceId(parameters('vnetSubscriptionId'), parameters('vnetResourceGroup'), 'Microsoft.Network/virtualNetworks', parameters('vnetName'))]" + } }, "dependsOn": [ - "[resourceId('Microsoft.Authorization/policyAssignments', variables('agentVmssAssignmentName'))]" + "[resourceId('Microsoft.Network/privateDnsZones', variables('privatelink_backup_names')[copyIndex()])]" ] }, { - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2020-04-01-preview", - "name": "[guid(variables('contributorRoleDefinitionId'), variables('agentVmAssignmentName'))]", + "type": "Microsoft.Network/privateDnsZones/virtualNetworkLinks", + "apiVersion": "2018-09-01", + "name": "[format('{0}/{1}', variables('privatelink_avd_global_name'), format('{0}-link', variables('privatelink_avd_global_name')))]", + "location": "global", "properties": { - "roleDefinitionId": 
"[variables('contributorRoleDefinitionId')]", - "principalId": "[reference(resourceId('Microsoft.Authorization/policyAssignments', variables('agentVmAssignmentName')), '2020-09-01', 'full').identity.principalId]", - "principalType": "ServicePrincipal" + "registrationEnabled": false, + "virtualNetwork": { + "id": "[resourceId(parameters('vnetSubscriptionId'), parameters('vnetResourceGroup'), 'Microsoft.Network/virtualNetworks', parameters('vnetName'))]" + } }, "dependsOn": [ - "[resourceId('Microsoft.Authorization/policyAssignments', variables('agentVmAssignmentName'))]" + "[resourceId('Microsoft.Network/privateDnsZones', variables('privatelink_avd_global_name'))]" ] }, { - "condition": "[parameters('deployRemediation')]", - "type": "Microsoft.PolicyInsights/remediations", - "apiVersion": "2019-07-01", - "name": "VM-Agent-Policy-Remediation", + "type": "Microsoft.Network/privateDnsZones/virtualNetworkLinks", + "apiVersion": "2018-09-01", + "name": "[format('{0}/{1}', variables('privatelink_monitor_name'), format('{0}-link', variables('privatelink_monitor_name')))]", + "location": "global", "properties": { - "policyAssignmentId": "[resourceId('Microsoft.Authorization/policyAssignments', variables('agentVmAssignmentName'))]", - "resourceDiscoveryMode": "ReEvaluateCompliance" + "registrationEnabled": false, + "virtualNetwork": { + "id": "[resourceId(parameters('vnetSubscriptionId'), parameters('vnetResourceGroup'), 'Microsoft.Network/virtualNetworks', parameters('vnetName'))]" + } }, "dependsOn": [ - "[resourceId('Microsoft.Authorization/policyAssignments', variables('agentVmAssignmentName'))]" + "[resourceId('Microsoft.Network/privateDnsZones', variables('privatelink_monitor_name'))]" ] }, { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "[format('Assign-Laws-Role-Policy-{0}', resourceGroup().name)]", - "subscriptionId": "[parameters('operationsSubscriptionId')]", - "resourceGroup": 
"[parameters('logAnalyticsWorkspaceResourceGroupName')]", + "type": "Microsoft.Network/privateDnsZones/virtualNetworkLinks", + "apiVersion": "2018-09-01", + "name": "[format('{0}/{1}', variables('privatelink_oms_opinsights_name'), format('{0}-link', variables('privatelink_oms_opinsights_name')))]", + "location": "global", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "targetResourceId": { - "value": "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))]" - }, - "roleDefinitionId": { - "value": "[variables('lawsReaderRoleDefinitionId')]" - }, - "principalId": { - "value": "[reference(resourceId('Microsoft.Authorization/policyAssignments', variables('agentVmAssignmentName')), '2020-09-01', 'full').identity.principalId]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.10.61.36676", - "templateHash": "15761836246481461949" - } - }, - "parameters": { - "targetResourceId": { - "type": "string" - }, - "roleDefinitionId": { - "type": "string" - }, - "principalId": { - "type": "string" - }, - "principalType": { - "type": "string", - "defaultValue": "ServicePrincipal", - "allowedValues": [ - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ] - }, - "description": { - "type": "string", - "defaultValue": "" - } - }, - "resources": [ - { - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2020-04-01-preview", - "name": "[guid(parameters('targetResourceId'), parameters('roleDefinitionId'), parameters('principalId'))]", - "properties": { - "principalId": "[parameters('principalId')]", - "principalType": 
"[parameters('principalType')]", - "roleDefinitionId": "[parameters('roleDefinitionId')]", - "description": "[parameters('description')]" - } - } - ] + "registrationEnabled": false, + "virtualNetwork": { + "id": "[resourceId(parameters('vnetSubscriptionId'), parameters('vnetResourceGroup'), 'Microsoft.Network/virtualNetworks', parameters('vnetName'))]" } }, "dependsOn": [ - "[resourceId('Microsoft.Authorization/policyAssignments', variables('agentVmAssignmentName'))]" + "[resourceId('Microsoft.Network/privateDnsZones', variables('privatelink_oms_opinsights_name'))]" ] - } - ] - } - }, - "dependsOn": [ - "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix')))]" - ] - }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "azure-private-dns", - "subscriptionId": "[parameters('hubSubscriptionId')]", - "resourceGroup": "[variables('hubResourceGroupName')]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "vnetName": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix')))).outputs.virtualNetworkName.value]" - }, - "tags": { - "value": "[parameters('tags')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.10.61.36676", - "templateHash": "15092561807650368974" - } - }, - "parameters": { - "vnetName": { - "type": "string", - "metadata": { - "description": "The name of the virtual network the private 
dns zones will be connected to" - } - }, - "vnetResourceGroup": { - "type": "string", - "defaultValue": "[resourceGroup().name]", - "metadata": { - "description": "The name of the the resource group where the virtual network exists" - } - }, - "vnetSubscriptionId": { - "type": "string", - "defaultValue": "[subscription().subscriptionId]", - "metadata": { - "description": "The subscription id of the subscription the virtual network exists in" - } }, - "tags": { - "type": "object", - "metadata": { - "description": "The tags that will be associated to the resources" - } - } - }, - "variables": { - "$fxv#0": { - "AzureChina": { - "chinaeast": { - "abbreviation": "cne", - "recoveryServicesGeo": "sha", - "timeDifference": "+8:00", - "timeZone": "China Standard Time" - }, - "chinaeast2": { - "abbreviation": "cne2", - "recoveryServicesGeo": "sha2", - "timeDifference": "+8:00", - "timeZone": "China Standard Time" - }, - "chinanorth": { - "abbreviation": "cnn", - "recoveryServicesGeo": "bjb", - "timeDifference": "+8:00", - "timeZone": "China Standard Time" - }, - "chinanorth2": { - "abbreviation": "cnn2", - "recoveryServicesGeo": "bjb2", - "timeDifference": "+8:00", - "timeZone": "China Standard Time" + { + "type": "Microsoft.Network/privateDnsZones/virtualNetworkLinks", + "apiVersion": "2018-09-01", + "name": "[format('{0}/{1}', variables('privatelink_ods_opinsights_name'), format('{0}-link', variables('privatelink_ods_opinsights_name')))]", + "location": "global", + "properties": { + "registrationEnabled": false, + "virtualNetwork": { + "id": "[resourceId(parameters('vnetSubscriptionId'), parameters('vnetResourceGroup'), 'Microsoft.Network/virtualNetworks', parameters('vnetName'))]" } }, - "AzureCloud": { - "australiacentral": { - "abbreviation": "auc", - "recoveryServicesGeo": "acl", - "timeDifference": "+10:00", - "timeZone": "AUS Eastern Standard Time" - }, - "australiacentral2": { - "abbreviation": "auc2", - "recoveryServicesGeo": "acl2", - "timeDifference": "+10:00", 
- "timeZone": "AUS Eastern Standard Time" - }, - "australiaeast": { - "abbreviation": "aue", - "recoveryServicesGeo": "ae", - "timeDifference": "+10:00", - "timeZone": "AUS Eastern Standard Time" - }, - "australiasoutheast": { - "abbreviation": "ause", - "recoveryServicesGeo": "ase", - "timeDifference": "+10:00", - "timeZone": "AUS Eastern Standard Time" - }, - "brazilsouth": { - "abbreviation": "brs", - "recoveryServicesGeo": "brs", - "timeDifference": "-3:00", - "timeZone": "E. South America Standard Time" - }, - "brazilsoutheast": { - "abbreviation": "brse", - "recoveryServicesGeo": "bse", - "timeDifference": "-3:00", - "timeZone": "E. South America Standard Time" - }, - "canadacentral": { - "abbreviation": "cac", - "recoveryServicesGeo": "cnc", - "timeDifference": "-5:00", - "timeZone": "Eastern Standard Time" - }, - "canadaeast": { - "abbreviation": "cae", - "recoveryServicesGeo": "cne", - "timeDifference": "-5:00", - "timeZone": "Eastern Standard Time" - }, - "centralindia": { - "abbreviation": "inc", - "recoveryServicesGeo": "inc", - "timeDifference": "+5:30", - "timeZone": "India Standard Time" - }, - "centralus": { - "abbreviation": "usc", - "recoveryServicesGeo": "cus", - "timeDifference": "-6:00", - "timeZone": "Central Standard Time" - }, - "eastasia": { - "abbreviation": "ase", - "recoveryServicesGeo": "ea", - "timeDifference": "+8:00", - "timeZone": "China Standard Time" - }, - "eastus": { - "abbreviation": "use", - "recoveryServicesGeo": "eus", - "timeDifference": "-5:00", - "timeZone": "Eastern Standard Time" - }, - "eastus2": { - "abbreviation": "use2", - "recoveryServicesGeo": "eus2", - "timeDifference": "-5:00", - "timeZone": "Eastern Standard Time" - }, - "francecentral": { - "abbreviation": "frc", - "recoveryServicesGeo": "frc", - "timeDifference": "+1:00", - "timeZone": "Central Europe Standard Time" - }, - "francesouth": { - "abbreviation": "frs", - "recoveryServicesGeo": "frs", - "timeDifference": "+1:00", - "timeZone": "Central Europe 
Standard Time" - }, - "germanynorth": { - "abbreviation": "den", - "recoveryServicesGeo": "gn", - "timeDifference": "+1:00", - "timeZone": "Central Europe Standard Time" - }, - "germanywestcentral": { - "abbreviation": "dewc", - "recoveryServicesGeo": "gwc", - "timeDifference": "+1:00", - "timeZone": "Central Europe Standard Time" - }, - "israelcentral": { - "abbreviation": "ilc", - "recoveryServicesGeo": "ilc", - "timeDifference": "+2:00", - "timeZone": "Israel Standard Time" - }, - "italynorth": { - "abbreviation": "itn", - "recoveryServicesGeo": "itn", - "timeDifference": "+1:00", - "timeZone": "Central Europe Standard Time" - }, - "japaneast": { - "abbreviation": "jpe", - "recoveryServicesGeo": "jpe", - "timeDifference": "+9:00", - "timeZone": "Tokyo Standard Time" - }, - "japanwest": { - "abbreviation": "jpw", - "recoveryServicesGeo": "jpw", - "timeDifference": "+9:00", - "timeZone": "Tokyo Standard Time" - }, - "jioindiacentral": { - "abbreviation": "injc", - "recoveryServicesGeo": "jic", - "timeDifference": "+5:30", - "timeZone": "India Standard Time" - }, - "jioindiawest": { - "abbreviation": "injw", - "recoveryServicesGeo": "jiw", - "timeDifference": "+5:30", - "timeZone": "India Standard Time" - }, - "koreacentral": { - "abbreviation": "krc", - "recoveryServicesGeo": "krc", - "timeDifference": "+9:00", - "timeZone": "Korea Standard Time" - }, - "koreasouth": { - "abbreviation": "krs", - "recoveryServicesGeo": "krs", - "timeDifference": "+9:00", - "timeZone": "Korea Standard Time" - }, - "northcentralus": { - "abbreviation": "usnc", - "recoveryServicesGeo": "ncus", - "timeDifference": "-6:00", - "timeZone": "Central Standard Time" - }, - "northeurope": { - "abbreviation": "eun", - "recoveryServicesGeo": "ne", - "timeDifference": "0:00", - "timeZone": "GMT Standard Time" - }, - "norwayeast": { - "abbreviation": "noe", - "recoveryServicesGeo": "nwe", - "timeDifference": "+1:00", - "timeZone": "Central Europe Standard Time" - }, - "norwaywest": { - 
"abbreviation": "now", - "recoveryServicesGeo": "nww", - "timeDifference": "+1:00", - "timeZone": "Central Europe Standard Time" - }, - "polandcentral": { - "abbreviation": "plc", - "recoveryServicesGeo": "plc", - "timeDifference": "+1:00", - "timeZone": "Central Europe Standard Time" - }, - "qatarcentral": { - "abbreviation": "qac", - "recoveryServicesGeo": "qac", - "timeDifference": "+3:00", - "timeZone": "Arabian Standard Time" - }, - "southafricanorth": { - "abbreviation": "zan", - "recoveryServicesGeo": "san", - "timeDifference": "+2:00", - "timeZone": "South Africa Standard Time" - }, - "southafricawest": { - "abbreviation": "zaw", - "recoveryServicesGeo": "saw", - "timeDifference": "+2:00", - "timeZone": "South Africa Standard Time" - }, - "southcentralus": { - "abbreviation": "ussc", - "recoveryServicesGeo": "scus", - "timeDifference": "-6:00", - "timeZone": "Central Standard Time" - }, - "southeastasia": { - "abbreviation": "asse", - "recoveryServicesGeo": "sea", - "timeDifference": "+8:00", - "timeZone": "Singapore Standard Time" - }, - "southindia": { - "abbreviation": "ins", - "recoveryServicesGeo": "ins", - "timeDifference": "+5:30", - "timeZone": "India Standard Time" - }, - "swedencentral": { - "abbreviation": "sec", - "recoveryServicesGeo": "sdc", - "timeDifference": "+1:00", - "timeZone": "Central Europe Standard Time" - }, - "switzerlandnorth": { - "abbreviation": "chn", - "recoveryServicesGeo": "szn", - "timeDifference": "+1:00", - "timeZone": "Central Europe Standard Time" - }, - "switzerlandwest": { - "abbreviation": "chw", - "recoveryServicesGeo": "szw", - "timeDifference": "+1:00", - "timeZone": "Central Europe Standard Time" + "dependsOn": [ + "[resourceId('Microsoft.Network/privateDnsZones', variables('privatelink_ods_opinsights_name'))]" + ] + }, + { + "type": "Microsoft.Network/privateDnsZones/virtualNetworkLinks", + "apiVersion": "2018-09-01", + "name": "[format('{0}/{1}', variables('privatelink_agentsvc_azure_automation_name'), 
format('{0}-link', variables('privatelink_agentsvc_azure_automation_name')))]", + "location": "global", + "properties": { + "registrationEnabled": false, + "virtualNetwork": { + "id": "[resourceId(parameters('vnetSubscriptionId'), parameters('vnetResourceGroup'), 'Microsoft.Network/virtualNetworks', parameters('vnetName'))]" + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Network/privateDnsZones', variables('privatelink_agentsvc_azure_automation_name'))]" + ] + }, + { + "type": "Microsoft.Network/privateDnsZones/virtualNetworkLinks", + "apiVersion": "2018-09-01", + "name": "[format('{0}/{1}', variables('privatelink_azure_automation_name'), format('{0}-link', variables('privatelink_azure_automation_name')))]", + "location": "global", + "properties": { + "registrationEnabled": false, + "virtualNetwork": { + "id": "[resourceId(parameters('vnetSubscriptionId'), parameters('vnetResourceGroup'), 'Microsoft.Network/virtualNetworks', parameters('vnetName'))]" + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Network/privateDnsZones', variables('privatelink_azure_automation_name'))]" + ] + }, + { + "type": "Microsoft.Network/privateDnsZones/virtualNetworkLinks", + "apiVersion": "2018-09-01", + "name": "[format('{0}/{1}', variables('privatelink_blob_name'), format('{0}-link', variables('privatelink_blob_name')))]", + "location": "global", + "properties": { + "registrationEnabled": false, + "virtualNetwork": { + "id": "[resourceId(parameters('vnetSubscriptionId'), parameters('vnetResourceGroup'), 'Microsoft.Network/virtualNetworks', parameters('vnetName'))]" + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Network/privateDnsZones', variables('privatelink_blob_name'))]" + ] + } + ], + "outputs": { + "agentsvcPrivateDnsZoneId": { + "type": "string", + "value": "[resourceId('Microsoft.Network/privateDnsZones', variables('privatelink_agentsvc_azure_automation_name'))]" + }, + "automationPrivateDnsZoneId": { + "type": "string", + "value": 
"[resourceId('Microsoft.Network/privateDnsZones', variables('privatelink_azure_automation_name'))]" + }, + "avdGlobalPrivateDnsZoneId": { + "type": "string", + "value": "[resourceId('Microsoft.Network/privateDnsZones', variables('privatelink_avd_global_name'))]" + }, + "avdPrivateDnsZoneId": { + "type": "string", + "value": "[resourceId('Microsoft.Network/privateDnsZones', variables('privatelink_avd_name'))]" + }, + "backupPrivateDnsZoneIds": { + "type": "array", + "copy": { + "count": "[length(variables('privatelink_backup_names'))]", + "input": "[resourceId('Microsoft.Network/privateDnsZones', variables('privatelink_backup_names')[copyIndex()])]" + } + }, + "blobPrivateDnsZoneId": { + "type": "string", + "value": "[resourceId('Microsoft.Network/privateDnsZones', variables('privatelink_blob_name'))]" + }, + "filePrivateDnsZoneId": { + "type": "string", + "value": "[resourceId('Microsoft.Network/privateDnsZones', variables('privatelink_file_name'))]" + }, + "keyvaultDnsPrivateDnsZoneId": { + "type": "string", + "value": "[resourceId('Microsoft.Network/privateDnsZones', variables('privatelink_keyvaultDns_name'))]" + }, + "monitorPrivateDnsZoneId": { + "type": "string", + "value": "[resourceId('Microsoft.Network/privateDnsZones', variables('privatelink_monitor_name'))]" + }, + "odsPrivateDnsZoneId": { + "type": "string", + "value": "[resourceId('Microsoft.Network/privateDnsZones', variables('privatelink_ods_opinsights_name'))]" + }, + "omsPrivateDnsZoneId": { + "type": "string", + "value": "[resourceId('Microsoft.Network/privateDnsZones', variables('privatelink_oms_opinsights_name'))]" + }, + "queuePrivateDnsZoneId": { + "type": "string", + "value": "[resourceId('Microsoft.Network/privateDnsZones', variables('privatelink_queue_name'))]" + }, + "storagePrivateDnsZoneId": { + "type": "string", + "value": "[resourceId('Microsoft.Network/privateDnsZones', variables('privatelink_blob_name'))]" + }, + "tablePrivateDnsZoneId": { + "type": "string", + "value": 
"[resourceId('Microsoft.Network/privateDnsZones', variables('privatelink_table_name'))]" + } + } + } + }, + "dependsOn": [ + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix')))]" + ] + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('deploy-cmk-ops-{0}', parameters('deploymentNameSuffix'))]", + "subscriptionId": "[parameters('operationsSubscriptionId')]", + "resourceGroup": "[variables('operationsResourceGroupName')]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "keyVaultName": { + "value": "[variables('operationsKeyVaultName')]" + }, + "location": { + "value": "[parameters('location')]" + }, + "tags": { + "value": "[variables('calculatedTags')]" + }, + "userAssignedIdentityName": { + "value": "[variables('operationsUserAssignedIdentityName')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.24.24.22086", + "templateHash": "17165778028720193930" + } + }, + "parameters": { + "keyVaultName": { + "type": "string" + }, + "location": { + "type": "string" + }, + "tags": { + "type": "object" + }, + "userAssignedIdentityName": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "keyVault", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" }, - "uaecentral": { - "abbreviation": "aec", - "recoveryServicesGeo": "uac", - "timeDifference": "+3:00", - "timeZone": "Arabian Standard Time" + "mode": "Incremental", + "parameters": { + "keyVaultName": { + "value": "[parameters('keyVaultName')]" + 
}, + "location": { + "value": "[parameters('location')]" + }, + "tags": { + "value": "[parameters('tags')]" + } }, - "uaenorth": { - "abbreviation": "aen", - "recoveryServicesGeo": "uan", - "timeDifference": "+3:00", - "timeZone": "Arabian Standard Time" + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.24.24.22086", + "templateHash": "14987883252195967823" + } + }, + "parameters": { + "diskEncryptionKeyExpirationInDays": { + "type": "int", + "defaultValue": 30 + }, + "keyVaultName": { + "type": "string" + }, + "location": { + "type": "string" + }, + "tags": { + "type": "object" + } + }, + "resources": [ + { + "type": "Microsoft.KeyVault/vaults", + "apiVersion": "2022-07-01", + "name": "[parameters('keyVaultName')]", + "location": "[parameters('location')]", + "tags": "[if(contains(parameters('tags'), 'Microsoft.KeyVault/vaults'), parameters('tags')['Microsoft.KeyVault/vaults'], createObject())]", + "properties": { + "enabledForDeployment": false, + "enabledForDiskEncryption": true, + "enabledForTemplateDeployment": false, + "enablePurgeProtection": true, + "enableRbacAuthorization": true, + "enableSoftDelete": true, + "sku": { + "family": "A", + "name": "standard" + }, + "softDeleteRetentionInDays": 7, + "tenantId": "[subscription().tenantId]" + } + }, + { + "type": "Microsoft.KeyVault/vaults/keys", + "apiVersion": "2022-07-01", + "name": "[format('{0}/{1}', parameters('keyVaultName'), 'DiskEncryptionKey')]", + "properties": { + "attributes": { + "enabled": true + }, + "keySize": 4096, + "kty": "RSA", + "rotationPolicy": { + "attributes": { + "expiryTime": "[format('P{0}D', string(parameters('diskEncryptionKeyExpirationInDays')))]" + }, + "lifetimeActions": [ + { + "action": { + "type": "Notify" + }, + "trigger": { + "timeBeforeExpiry": "P10D" + } + }, + { + "action": { + "type": "Rotate" + }, + 
"trigger": { + "timeAfterCreate": "[format('P{0}D', string(sub(parameters('diskEncryptionKeyExpirationInDays'), 7)))]" + } + } + ] + } + }, + "dependsOn": [ + "[resourceId('Microsoft.KeyVault/vaults', parameters('keyVaultName'))]" + ] + }, + { + "type": "Microsoft.KeyVault/vaults/keys", + "apiVersion": "2022-07-01", + "name": "[format('{0}/{1}', parameters('keyVaultName'), 'StorageEncryptionKey')]", + "properties": { + "attributes": { + "enabled": true + }, + "keySize": 4096, + "kty": "RSA", + "rotationPolicy": { + "attributes": { + "expiryTime": "[format('P{0}D', string(parameters('diskEncryptionKeyExpirationInDays')))]" + }, + "lifetimeActions": [ + { + "action": { + "type": "Notify" + }, + "trigger": { + "timeBeforeExpiry": "P10D" + } + }, + { + "action": { + "type": "Rotate" + }, + "trigger": { + "timeAfterCreate": "[format('P{0}D', string(sub(parameters('diskEncryptionKeyExpirationInDays'), 7)))]" + } + } + ] + } + }, + "dependsOn": [ + "[resourceId('Microsoft.KeyVault/vaults', parameters('keyVaultName'))]" + ] + } + ], + "outputs": { + "keyUriWithVersion": { + "type": "string", + "value": "[reference(resourceId('Microsoft.KeyVault/vaults/keys', parameters('keyVaultName'), 'DiskEncryptionKey'), '2022-07-01').keyUriWithVersion]" + }, + "keyVaultResourceId": { + "type": "string", + "value": "[resourceId('Microsoft.KeyVault/vaults', parameters('keyVaultName'))]" + }, + "keyVaultUri": { + "type": "string", + "value": "[reference(resourceId('Microsoft.KeyVault/vaults', parameters('keyVaultName')), '2022-07-01').vaultUri]" + }, + "storageKeyName": { + "type": "string", + "value": "StorageEncryptionKey" + } + } + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "userAssignedIdentity", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" }, - "uksouth": { - "abbreviation": "uks", - "recoveryServicesGeo": "uks", - "timeDifference": "0:00", - "timeZone": "GMT Standard Time" + "mode": "Incremental", + 
"parameters": { + "location": { + "value": "[parameters('location')]" + }, + "name": { + "value": "[parameters('userAssignedIdentityName')]" + }, + "tags": { + "value": "[parameters('tags')]" + } }, - "ukwest": { - "abbreviation": "ukw", - "recoveryServicesGeo": "ukw", - "timeDifference": "0:00", - "timeZone": "GMT Standard Time" + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.24.24.22086", + "templateHash": "10179940749207677256" + } + }, + "parameters": { + "location": { + "type": "string" + }, + "name": { + "type": "string" + }, + "tags": { + "type": "object" + } + }, + "resources": [ + { + "type": "Microsoft.ManagedIdentity/userAssignedIdentities", + "apiVersion": "2018-11-30", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "tags": "[parameters('tags')]" + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "roleAssignmentEncryption", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "principalId": { + "value": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('name')), '2018-11-30').principalId]" + }, + "principalType": { + "value": "ServicePrincipal" + }, + "roleDefinitionId": { + "value": "[resourceId('Microsoft.Authorization/roleDefinitions', 'e147488a-f6f5-4113-8e2d-b22465e65bf6')]" + }, + "targetResourceId": { + "value": "[resourceGroup().id]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.24.24.22086", + "templateHash": "8686326864657481429" + } + }, + "parameters": { + "targetResourceId": { + "type": "string" + }, + "roleDefinitionId": { + 
"type": "string" + }, + "principalId": { + "type": "string" + }, + "principalType": { + "type": "string", + "defaultValue": "ServicePrincipal", + "allowedValues": [ + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ] + }, + "description": { + "type": "string", + "defaultValue": "" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2020-04-01-preview", + "name": "[guid(parameters('targetResourceId'), parameters('roleDefinitionId'), parameters('principalId'))]", + "properties": { + "principalId": "[parameters('principalId')]", + "principalType": "[parameters('principalType')]", + "roleDefinitionId": "[parameters('roleDefinitionId')]", + "description": "[parameters('description')]" + } + } + ] + } + }, + "dependsOn": [ + "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('name'))]" + ] + } + ], + "outputs": { + "resourceId": { + "type": "string", + "value": "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('name'))]" + } + } + } + } + } + ], + "outputs": { + "keyVaultUri": { + "type": "string", + "value": "[reference(resourceId('Microsoft.Resources/deployments', 'keyVault'), '2022-09-01').outputs.keyVaultUri.value]" + }, + "storageKeyName": { + "type": "string", + "value": "[reference(resourceId('Microsoft.Resources/deployments', 'keyVault'), '2022-09-01').outputs.storageKeyName.value]" + }, + "userAssignedIdentityResourceId": { + "type": "string", + "value": "[reference(resourceId('Microsoft.Resources/deployments', 'userAssignedIdentity'), '2022-09-01').outputs.resourceId.value]" + } + } + } + }, + "dependsOn": [ + "spokeNetworks" + ] + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('deploy-log-storage-hub-{0}', parameters('deploymentNameSuffix'))]", + "subscriptionId": "[parameters('hubSubscriptionId')]", + "resourceGroup": "[variables('hubResourceGroupName')]", + "properties": { + 
"expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "azureBlobsPrivateDnsZoneResourceId": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', 'azure-private-dns'), '2022-09-01').outputs.blobPrivateDnsZoneId.value]" + }, + "keyVaultUri": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-cmk-ops-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.keyVaultUri.value]" + }, + "location": { + "value": "[parameters('location')]" + }, + "logStorageAccountName": { + "value": "[variables('hubLogStorageAccountName')]" + }, + "logStorageSkuName": { + "value": "[parameters('logStorageSkuName')]" + }, + "storageEncryptionKeyName": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-cmk-ops-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.storageKeyName.value]" + }, + "subnetResourceId": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.subnetResourceId.value]" + }, + "tags": { + "value": "[variables('calculatedTags')]" + }, + "userAssignedIdentityResourceId": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', 
format('deploy-cmk-ops-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.userAssignedIdentityResourceId.value]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.24.24.22086", + "templateHash": "14124653364128132696" + } + }, + "parameters": { + "azureBlobsPrivateDnsZoneResourceId": { + "type": "string" + }, + "keyVaultUri": { + "type": "string" + }, + "logStorageAccountName": { + "type": "string" + }, + "logStorageSkuName": { + "type": "string" + }, + "location": { + "type": "string" + }, + "storageEncryptionKeyName": { + "type": "string" + }, + "subnetResourceId": { + "type": "string" + }, + "tags": { + "type": "object" + }, + "userAssignedIdentityResourceId": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "storage", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" }, - "westcentralus": { - "abbreviation": "uswc", - "recoveryServicesGeo": "wcus", - "timeDifference": "-7:00", - "timeZone": "Mountain Standard Time" + "mode": "Incremental", + "parameters": { + "azureBlobsPrivateDnsZoneResourceId": { + "value": "[parameters('azureBlobsPrivateDnsZoneResourceId')]" + }, + "userAssignedIdentityResourceId": { + "value": "[parameters('userAssignedIdentityResourceId')]" + }, + "keyVaultUri": { + "value": "[parameters('keyVaultUri')]" + }, + "location": { + "value": "[parameters('location')]" + }, + "skuName": { + "value": "[parameters('logStorageSkuName')]" + }, + "storageAccountName": { + "value": "[parameters('logStorageAccountName')]" + }, + "storageEncryptionKeyName": { + "value": "[parameters('storageEncryptionKeyName')]" + }, + "subnetResourceId": { + "value": "[parameters('subnetResourceId')]" + }, + "tags": { + "value": "[parameters('tags')]" + } }, - "westeurope": { - 
"abbreviation": "euw", - "recoveryServicesGeo": "we", - "timeDifference": "+1:00", - "timeZone": "Central Europe Standard Time" + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.24.24.22086", + "templateHash": "13226692994420197356" + } + }, + "parameters": { + "azureBlobsPrivateDnsZoneResourceId": { + "type": "string" + }, + "keyVaultUri": { + "type": "string" + }, + "location": { + "type": "string" + }, + "skuName": { + "type": "string" + }, + "storageAccountName": { + "type": "string" + }, + "storageEncryptionKeyName": { + "type": "string" + }, + "subnetResourceId": { + "type": "string" + }, + "tags": { + "type": "object" + }, + "userAssignedIdentityResourceId": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.Storage/storageAccounts", + "apiVersion": "2023-01-01", + "name": "[parameters('storageAccountName')]", + "location": "[parameters('location')]", + "identity": { + "type": "UserAssigned", + "userAssignedIdentities": { + "[format('{0}', parameters('userAssignedIdentityResourceId'))]": {} + } + }, + "kind": "StorageV2", + "sku": { + "name": "[parameters('skuName')]" + }, + "tags": "[parameters('tags')]", + "properties": { + "accessTier": "Hot", + "allowBlobPublicAccess": false, + "allowCrossTenantReplication": false, + "allowedCopyScope": "PrivateLink", + "allowSharedKeyAccess": true, + "defaultToOAuthAuthentication": false, + "dnsEndpointType": "Standard", + "encryption": { + "identity": { + "userAssignedIdentity": "[parameters('userAssignedIdentityResourceId')]" + }, + "keySource": "Microsoft.KeyVault", + "keyvaultproperties": { + "keyvaulturi": "[parameters('keyVaultUri')]", + "keyname": "[parameters('storageEncryptionKeyName')]" + }, + "requireInfrastructureEncryption": true, + "services": { + "blob": { + "keyType": "Account", + "enabled": true + }, + "file": { + 
"keyType": "Account", + "enabled": true + }, + "queue": { + "keyType": "Account", + "enabled": true + }, + "table": { + "keyType": "Account", + "enabled": true + } + } + }, + "minimumTlsVersion": "TLS1_2", + "networkAcls": { + "bypass": "AzureServices", + "virtualNetworkRules": [], + "ipRules": [], + "defaultAction": "Deny" + }, + "publicNetworkAccess": "Disabled", + "supportsHttpsTrafficOnly": true + } + }, + { + "type": "Microsoft.Network/privateEndpoints", + "apiVersion": "2020-05-01", + "name": "[format('pe-{0}', parameters('storageAccountName'))]", + "location": "[parameters('location')]", + "tags": "[parameters('tags')]", + "properties": { + "subnet": { + "id": "[parameters('subnetResourceId')]" + }, + "privateLinkServiceConnections": [ + { + "name": "[format('pe-{0}_{1}', parameters('storageAccountName'), guid(resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))))]", + "properties": { + "privateLinkServiceId": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]", + "groupIds": [ + "blob" + ] + } + } + ] + }, + "dependsOn": [ + "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]" + ] + }, + { + "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", + "apiVersion": "2021-08-01", + "name": "[format('{0}/{1}', format('pe-{0}', parameters('storageAccountName')), parameters('storageAccountName'))]", + "properties": { + "privateDnsZoneConfigs": [ + { + "name": "ipconfig1", + "properties": { + "privateDnsZoneId": "[parameters('azureBlobsPrivateDnsZoneResourceId')]" + } + } + ] + }, + "dependsOn": [ + "[resourceId('Microsoft.Network/privateEndpoints', format('pe-{0}', parameters('storageAccountName')))]" + ] + } + ], + "outputs": { + "id": { + "type": "string", + "value": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]" + } + } + } + } + } + ], + "outputs": { + "storageAccountResourceId": { + "type": "string", + "value": 
"[reference(resourceId('Microsoft.Resources/deployments', 'storage'), '2022-09-01').outputs.id.value]" + } + } + } + }, + "dependsOn": [ + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix')))]", + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-cmk-ops-{0}', parameters('deploymentNameSuffix')))]", + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', 'azure-private-dns')]" + ] + }, + { + "copy": { + "name": "spokeStorage", + "count": "[length(variables('spokes'))]" + }, + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('deploy-log-storage-{0}-{1}', variables('spokes')[copyIndex()].name, parameters('deploymentNameSuffix'))]", + "subscriptionId": "[variables('spokes')[copyIndex()].subscriptionId]", + "resourceGroup": "[variables('spokes')[copyIndex()].resourceGroupName]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "azureBlobsPrivateDnsZoneResourceId": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', 'azure-private-dns'), '2022-09-01').outputs.blobPrivateDnsZoneId.value]" + }, + "keyVaultUri": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-cmk-ops-{0}', 
parameters('deploymentNameSuffix'))), '2022-09-01').outputs.keyVaultUri.value]" + }, + "location": { + "value": "[parameters('location')]" + }, + "logStorageAccountName": { + "value": "[variables('spokes')[copyIndex()].logStorageAccountName]" + }, + "logStorageSkuName": { + "value": "[parameters('logStorageSkuName')]" + }, + "storageEncryptionKeyName": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-cmk-ops-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.storageKeyName.value]" + }, + "subnetResourceId": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', variables('spokes')[copyIndex()].subscriptionId, variables('spokes')[copyIndex()].resourceGroupName), 'Microsoft.Resources/deployments', format('deploy-vnet-{0}-{1}', variables('spokes')[copyIndex()].name, parameters('deploymentNameSuffix'))), '2022-09-01').outputs.subnetResourceId.value]" + }, + "tags": { + "value": "[parameters('tags')]" + }, + "userAssignedIdentityResourceId": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-cmk-ops-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.userAssignedIdentityResourceId.value]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.24.24.22086", + "templateHash": "17590283376492382893" + } + }, + "parameters": { + "azureBlobsPrivateDnsZoneResourceId": { + "type": "string" + }, + "keyVaultUri": { + "type": "string" + }, + "location": { + "type": "string" + }, + "logStorageAccountName": 
{ + "type": "string" + }, + "logStorageSkuName": { + "type": "string" + }, + "storageEncryptionKeyName": { + "type": "string" + }, + "subnetResourceId": { + "type": "string" + }, + "tags": { + "type": "object" + }, + "userAssignedIdentityResourceId": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "storage", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" }, - "westindia": { - "abbreviation": "inw", - "recoveryServicesGeo": "inw", - "timeDifference": "+5:30", - "timeZone": "India Standard Time" + "mode": "Incremental", + "parameters": { + "storageAccountName": { + "value": "[parameters('logStorageAccountName')]" + }, + "location": { + "value": "[parameters('location')]" + }, + "skuName": { + "value": "[parameters('logStorageSkuName')]" + }, + "tags": { + "value": "[parameters('tags')]" + }, + "azureBlobsPrivateDnsZoneResourceId": { + "value": "[parameters('azureBlobsPrivateDnsZoneResourceId')]" + }, + "keyVaultUri": { + "value": "[parameters('keyVaultUri')]" + }, + "storageEncryptionKeyName": { + "value": "[parameters('storageEncryptionKeyName')]" + }, + "subnetResourceId": { + "value": "[parameters('subnetResourceId')]" + }, + "userAssignedIdentityResourceId": { + "value": "[parameters('userAssignedIdentityResourceId')]" + } }, - "westus": { - "abbreviation": "usw", - "recoveryServicesGeo": "wus", - "timeDifference": "-8:00", - "timeZone": "Pacific Standard Time" + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.24.24.22086", + "templateHash": "13226692994420197356" + } + }, + "parameters": { + "azureBlobsPrivateDnsZoneResourceId": { + "type": "string" + }, + "keyVaultUri": { + "type": "string" + }, + "location": { + "type": "string" + }, + "skuName": { + "type": "string" + }, + 
"storageAccountName": { + "type": "string" + }, + "storageEncryptionKeyName": { + "type": "string" + }, + "subnetResourceId": { + "type": "string" + }, + "tags": { + "type": "object" + }, + "userAssignedIdentityResourceId": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.Storage/storageAccounts", + "apiVersion": "2023-01-01", + "name": "[parameters('storageAccountName')]", + "location": "[parameters('location')]", + "identity": { + "type": "UserAssigned", + "userAssignedIdentities": { + "[format('{0}', parameters('userAssignedIdentityResourceId'))]": {} + } + }, + "kind": "StorageV2", + "sku": { + "name": "[parameters('skuName')]" + }, + "tags": "[parameters('tags')]", + "properties": { + "accessTier": "Hot", + "allowBlobPublicAccess": false, + "allowCrossTenantReplication": false, + "allowedCopyScope": "PrivateLink", + "allowSharedKeyAccess": true, + "defaultToOAuthAuthentication": false, + "dnsEndpointType": "Standard", + "encryption": { + "identity": { + "userAssignedIdentity": "[parameters('userAssignedIdentityResourceId')]" + }, + "keySource": "Microsoft.KeyVault", + "keyvaultproperties": { + "keyvaulturi": "[parameters('keyVaultUri')]", + "keyname": "[parameters('storageEncryptionKeyName')]" + }, + "requireInfrastructureEncryption": true, + "services": { + "blob": { + "keyType": "Account", + "enabled": true + }, + "file": { + "keyType": "Account", + "enabled": true + }, + "queue": { + "keyType": "Account", + "enabled": true + }, + "table": { + "keyType": "Account", + "enabled": true + } + } + }, + "minimumTlsVersion": "TLS1_2", + "networkAcls": { + "bypass": "AzureServices", + "virtualNetworkRules": [], + "ipRules": [], + "defaultAction": "Deny" + }, + "publicNetworkAccess": "Disabled", + "supportsHttpsTrafficOnly": true + } + }, + { + "type": "Microsoft.Network/privateEndpoints", + "apiVersion": "2020-05-01", + "name": "[format('pe-{0}', parameters('storageAccountName'))]", + "location": "[parameters('location')]", + "tags": 
"[parameters('tags')]", + "properties": { + "subnet": { + "id": "[parameters('subnetResourceId')]" + }, + "privateLinkServiceConnections": [ + { + "name": "[format('pe-{0}_{1}', parameters('storageAccountName'), guid(resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))))]", + "properties": { + "privateLinkServiceId": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]", + "groupIds": [ + "blob" + ] + } + } + ] + }, + "dependsOn": [ + "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]" + ] + }, + { + "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", + "apiVersion": "2021-08-01", + "name": "[format('{0}/{1}', format('pe-{0}', parameters('storageAccountName')), parameters('storageAccountName'))]", + "properties": { + "privateDnsZoneConfigs": [ + { + "name": "ipconfig1", + "properties": { + "privateDnsZoneId": "[parameters('azureBlobsPrivateDnsZoneResourceId')]" + } + } + ] + }, + "dependsOn": [ + "[resourceId('Microsoft.Network/privateEndpoints', format('pe-{0}', parameters('storageAccountName')))]" + ] + } + ], + "outputs": { + "id": { + "type": "string", + "value": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]" + } + } + } + } + } + ], + "outputs": { + "ResourceId": { + "type": "string", + "value": "[reference(resourceId('Microsoft.Resources/deployments', 'storage'), '2022-09-01').outputs.id.value]" + } + } + } + }, + "dependsOn": [ + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-cmk-ops-{0}', parameters('deploymentNameSuffix')))]", + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', 'azure-private-dns')]", + 
"[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', variables('spokes')[copyIndex()].subscriptionId, variables('spokes')[copyIndex()].resourceGroupName), 'Microsoft.Resources/deployments', format('deploy-vnet-{0}-{1}', variables('spokes')[copyIndex()].name, parameters('deploymentNameSuffix')))]" + ] + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('deploy-diagnostic-logging-hub-{0}', parameters('deploymentNameSuffix'))]", + "subscriptionId": "[parameters('hubSubscriptionId')]", + "resourceGroup": "[variables('hubResourceGroupName')]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "firewallDiagnosticsLogs": { + "value": "[parameters('firewallDiagnosticsLogs')]" + }, + "firewallDiagnosticsMetrics": { + "value": "[parameters('firewallDiagnosticsMetrics')]" + }, + "firewallName": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.firewallName.value]" + }, + "hubStorageAccountResourceId": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-log-storage-hub-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.storageAccountResourceId.value]" + }, + "logAnalyticsWorkspaceResourceId": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.id.value]" + }, + 
"networkSecurityGroupDiagnosticsLogs": { + "value": "[parameters('hubNetworkSecurityGroupDiagnosticsLogs')]" + }, + "networkSecurityGroupDiagnosticsMetrics": { + "value": "[parameters('hubNetworkSecurityGroupDiagnosticsMetrics')]" + }, + "networkSecurityGroupName": { + "value": "[variables('hubNetworkSecurityGroupName')]" + }, + "publicIPAddressDiagnosticsLogs": { + "value": "[parameters('publicIPAddressDiagnosticsLogs')]" + }, + "publicIPAddressDiagnosticsMetrics": { + "value": "[parameters('publicIPAddressDiagnosticsMetrics')]" + }, + "publicIPAddressNames": { + "value": [ + "[variables('firewallClientPublicIPAddressName')]", + "[variables('firewallManagementPublicIPAddressName')]" + ] + }, + "virtualNetworkDiagnosticsLogs": { + "value": "[parameters('hubVirtualNetworkDiagnosticsLogs')]" + }, + "virtualNetworkDiagnosticsMetrics": { + "value": "[parameters('hubVirtualNetworkDiagnosticsMetrics')]" + }, + "virtualNetworkName": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.virtualNetworkName.value]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.24.24.22086", + "templateHash": "5804157384629948286" + } + }, + "parameters": { + "firewallDiagnosticsLogs": { + "type": "array" + }, + "firewallDiagnosticsMetrics": { + "type": "array" + }, + "firewallName": { + "type": "string" + }, + "hubStorageAccountResourceId": { + "type": "string" + }, + "logAnalyticsWorkspaceResourceId": { + "type": "string" + }, + "networkSecurityGroupDiagnosticsLogs": { + "type": "array" + }, + "networkSecurityGroupDiagnosticsMetrics": { + "type": "array" + }, + "networkSecurityGroupName": { 
+ "type": "string" + }, + "publicIPAddressDiagnosticsLogs": { + "type": "array" + }, + "publicIPAddressDiagnosticsMetrics": { + "type": "array" + }, + "publicIPAddressNames": { + "type": "array" + }, + "virtualNetworkDiagnosticsLogs": { + "type": "array" + }, + "virtualNetworkDiagnosticsMetrics": { + "type": "array" + }, + "virtualNetworkName": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "networkSecurityGroupDiagnostics", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" }, - "westus2": { - "abbreviation": "usw2", - "recoveryServicesGeo": "wus2", - "timeDifference": "-8:00", - "timeZone": "Pacific Standard Time" + "mode": "Incremental", + "parameters": { + "logAnalyticsWorkspaceResourceId": { + "value": "[parameters('logAnalyticsWorkspaceResourceId')]" + }, + "logs": { + "value": "[parameters('networkSecurityGroupDiagnosticsLogs')]" + }, + "logStorageAccountResourceId": { + "value": "[parameters('hubStorageAccountResourceId')]" + }, + "metrics": { + "value": "[parameters('networkSecurityGroupDiagnosticsMetrics')]" + }, + "name": { + "value": "[parameters('networkSecurityGroupName')]" + } }, - "westus3": { - "abbreviation": "usw3", - "recoveryServicesGeo": "wus3", - "timeDifference": "-7:00", - "timeZone": "Mountain Standard Time" + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.24.24.22086", + "templateHash": "7786315125053139576" + } + }, + "parameters": { + "name": { + "type": "string" + }, + "logAnalyticsWorkspaceResourceId": { + "type": "string" + }, + "logs": { + "type": "array" + }, + "logStorageAccountResourceId": { + "type": "string" + }, + "metrics": { + "type": "array" + } + }, + "resources": [ + { + "type": "Microsoft.Insights/diagnosticSettings", + "apiVersion": 
"2017-05-01-preview", + "scope": "[format('Microsoft.Network/networkSecurityGroups/{0}', parameters('name'))]", + "name": "[format('{0}-diagnostics', parameters('name'))]", + "properties": { + "storageAccountId": "[parameters('logStorageAccountResourceId')]", + "workspaceId": "[parameters('logAnalyticsWorkspaceResourceId')]", + "logs": "[parameters('logs')]", + "metrics": "[parameters('metrics')]" + } + } + ] } - }, - "AzureUSGovernment": { - "usdodcentral": { - "abbreviation": "dodc", - "recoveryServicesGeo": "udc", - "timeDifference": "-6:00", - "timeZone": "Central Standard Time" - }, - "usdodeast": { - "abbreviation": "dode", - "recoveryServicesGeo": "ude", - "timeDifference": "-5:00", - "timeZone": "Eastern Standard Time" - }, - "usgovarizona": { - "abbreviation": "az", - "recoveryServicesGeo": "uga", - "timeDifference": "-7:00", - "timeZone": "Mountain Standard Time" - }, - "usgovtexas": { - "abbreviation": "tx", - "recoveryServicesGeo": "ugt", - "timeDifference": "-6:00", - "timeZone": "Central Standard Time" + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "virtualNetworkDiagnostics", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" }, - "usgovvirginia": { - "abbreviation": "va", - "recoveryServicesGeo": "ugv", - "timeDifference": "-5:00", - "timeZone": "Eastern Standard Time" - } - }, - "USNat": { - "usnateast": { - "abbreviation": "east", - "recoveryServicesGeo": "exe", - "timeDifference": "-5:00", - "timeZone": "Eastern Standard Time" + "mode": "Incremental", + "parameters": { + "logAnalyticsWorkspaceResourceId": { + "value": "[parameters('logAnalyticsWorkspaceResourceId')]" + }, + "logs": { + "value": "[parameters('virtualNetworkDiagnosticsLogs')]" + }, + "logStorageAccountResourceId": { + "value": "[parameters('hubStorageAccountResourceId')]" + }, + "metrics": { + "value": "[parameters('virtualNetworkDiagnosticsMetrics')]" + }, + "name": { + "value": 
"[parameters('virtualNetworkName')]" + } }, - "usnatwest": { - "abbreviation": "west", - "recoveryServicesGeo": "exw", - "timeDifference": "-8:00", - "timeZone": "Pacific Standard Time" + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.24.24.22086", + "templateHash": "15623637455522175927" + } + }, + "parameters": { + "logAnalyticsWorkspaceResourceId": { + "type": "string" + }, + "logs": { + "type": "array" + }, + "logStorageAccountResourceId": { + "type": "string" + }, + "metrics": { + "type": "array" + }, + "name": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.Insights/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "scope": "[format('Microsoft.Network/virtualNetworks/{0}', parameters('name'))]", + "name": "[format('{0}-diagnostics', parameters('name'))]", + "properties": { + "storageAccountId": "[parameters('logStorageAccountResourceId')]", + "workspaceId": "[parameters('logAnalyticsWorkspaceResourceId')]", + "logs": "[parameters('logs')]", + "metrics": "[parameters('metrics')]" + } + } + ] } + } + }, + { + "copy": { + "name": "publicIpAddressDiagnostics", + "count": "[length(parameters('publicIPAddressNames'))]" }, - "USSec": { - "usseceast": { - "abbreviation": "east", - "recoveryServicesGeo": "rxe", - "timeDifference": "-5:00", - "timeZone": "Eastern Standard Time" + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('publicIPAddressDiagnostics_{0}', parameters('publicIPAddressNames')[copyIndex()])]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" }, - "ussecwest": { - "abbreviation": "west", - "recoveryServicesGeo": "rxw", - "timeDifference": "-8:00", - "timeZone": "Pacific Standard Time" + "mode": "Incremental", + "parameters": { + "hubStorageAccountResourceId": { + "value": 
"[parameters('hubStorageAccountResourceId')]" + }, + "logAnalyticsWorkspaceResourceId": { + "value": "[parameters('logAnalyticsWorkspaceResourceId')]" + }, + "name": { + "value": "[parameters('publicIPAddressNames')[copyIndex()]]" + }, + "publicIPAddressDiagnosticsLogs": { + "value": "[parameters('publicIPAddressDiagnosticsLogs')]" + }, + "publicIPAddressDiagnosticsMetrics": { + "value": "[parameters('publicIPAddressDiagnosticsMetrics')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.24.24.22086", + "templateHash": "8851210835492653728" + } + }, + "parameters": { + "hubStorageAccountResourceId": { + "type": "string" + }, + "logAnalyticsWorkspaceResourceId": { + "type": "string" + }, + "name": { + "type": "string" + }, + "publicIPAddressDiagnosticsLogs": { + "type": "array" + }, + "publicIPAddressDiagnosticsMetrics": { + "type": "array" + } + }, + "resources": [ + { + "type": "Microsoft.Insights/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "scope": "[format('Microsoft.Network/publicIPAddresses/{0}', parameters('name'))]", + "name": "[format('{0}-diagnostics', parameters('name'))]", + "properties": { + "storageAccountId": "[parameters('hubStorageAccountResourceId')]", + "workspaceId": "[parameters('logAnalyticsWorkspaceResourceId')]", + "logs": "[parameters('publicIPAddressDiagnosticsLogs')]", + "metrics": "[parameters('publicIPAddressDiagnosticsMetrics')]" + } + } + ] } } }, - "copy": [ - { - "name": "privatelink_backup_names", - "count": "[length(items(variables('locations')))]", - "input": "[format('privatelink.backup.{0}.{1}', items(variables('locations'))[copyIndex('privatelink_backup_names')].value.recoveryServicesGeo, variables('cloudSuffix'))]" + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "firewallDiagnostics", + "properties": { 
+ "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "logAnalyticsWorkspaceResourceId": { + "value": "[parameters('logAnalyticsWorkspaceResourceId')]" + }, + "logs": { + "value": "[parameters('firewallDiagnosticsLogs')]" + }, + "logStorageAccountResourceId": { + "value": "[parameters('hubStorageAccountResourceId')]" + }, + "metrics": { + "value": "[parameters('firewallDiagnosticsMetrics')]" + }, + "name": { + "value": "[parameters('firewallName')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.24.24.22086", + "templateHash": "9632306168160596389" + } + }, + "parameters": { + "logAnalyticsWorkspaceResourceId": { + "type": "string" + }, + "logs": { + "type": "array" + }, + "logStorageAccountResourceId": { + "type": "string" + }, + "metrics": { + "type": "array" + }, + "name": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.Insights/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "scope": "[format('Microsoft.Network/azureFirewalls/{0}', parameters('name'))]", + "name": "[format('{0}-diagnostics', parameters('name'))]", + "properties": { + "storageAccountId": "[parameters('logStorageAccountResourceId')]", + "workspaceId": "[parameters('logAnalyticsWorkspaceResourceId')]", + "logs": "[parameters('logs')]", + "metrics": "[parameters('metrics')]" + } + } + ], + "outputs": { + "privateIPAddress": { + "type": "string", + "value": "[reference(resourceId('Microsoft.Network/azureFirewalls', parameters('name')), '2021-02-01').ipConfigurations[0].properties.privateIPAddress]" + } + } + } } - ], - "cloudSuffix": "[replace(replace(environment().resourceManager, 'https://management.', ''), '/', '')]", - "automationSuffix": "[replace(environment().suffixes.storage, 'core.windows.', '')]", - "locations": 
"[variables('$fxv#0')[environment().name]]", - "privatelink_agentsvc_azure_automation_name": "[format('privatelink.agentsvc.azure-automation.{0}', variables('automationSuffix'))]", - "privatelink_azure_automation_name": "[format('privatelink.azure-automation.{0}', variables('automationSuffix'))]", - "privatelink_avd_name": "[format('privatelink.wvd.{0}', variables('cloudSuffix'))]", - "privatelink_avd_global_name": "[format('privatelink-global.wvd.{0}', variables('cloudSuffix'))]", - "privatelink_file_name": "[format('privatelink.file.{0}', environment().suffixes.storage)]", - "privatelink_queue_name": "[format('privatelink.queue.{0}', environment().suffixes.storage)]", - "privatelink_table_name": "[format('privatelink.table.{0}', environment().suffixes.storage)]", - "privatelink_blob_name": "[format('privatelink.blob.{0}', environment().suffixes.storage)]", - "privatelink_keyvaultDns_name": "[replace(format('privatelink{0}', environment().suffixes.keyvaultDns), 'vault', 'vaultcore')]", - "privatelink_monitor_name": "[format('privatelink.monitor.{0}', variables('cloudSuffix'))]", - "privatelink_ods_opinsights_name": "[format('privatelink.ods.opinsights.{0}', variables('cloudSuffix'))]", - "privatelink_oms_opinsights_name": "[format('privatelink.oms.opinsights.{0}', variables('cloudSuffix'))]" + } + ] + } + }, + "dependsOn": [ + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix')))]", + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-log-storage-hub-{0}', parameters('deploymentNameSuffix')))]", + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), 
variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix')))]" + ] + }, + { + "copy": { + "name": "spokeDiagnostics", + "count": "[length(variables('spokes'))]" + }, + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('deploy-diagnostic-logging-{0}-{1}', variables('spokes')[copyIndex()].name, parameters('deploymentNameSuffix'))]", + "subscriptionId": "[variables('spokes')[copyIndex()].subscriptionId]", + "resourceGroup": "[variables('spokes')[copyIndex()].resourceGroupName]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "hubStorageAccountResourceId": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', variables('spokes')[copyIndex()].subscriptionId, variables('spokes')[copyIndex()].resourceGroupName), 'Microsoft.Resources/deployments', format('deploy-log-storage-{0}-{1}', variables('spokes')[copyIndex()].name, parameters('deploymentNameSuffix'))), '2022-09-01').outputs.ResourceId.value]" }, - "resources": [ - { - "type": "Microsoft.Network/privateDnsZones", - "apiVersion": "2018-09-01", - "name": "[variables('privatelink_avd_name')]", - "location": "global", - "tags": "[parameters('tags')]" + "logAnalyticsWorkspaceResourceId": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.id.value]" + }, + "networkSecurityGroupDiagnosticsLogs": { + "value": "[variables('spokes')[copyIndex()].NetworkSecurityGroupDiagnosticsLogs]" + }, + "networkSecurityGroupDiagnosticsMetrics": { + "value": "[variables('spokes')[copyIndex()].NetworkSecurityGroupDiagnosticsMetrics]" + }, + "networkSecurityGroupName": { 
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', variables('spokes')[copyIndex()].subscriptionId, variables('spokes')[copyIndex()].resourceGroupName), 'Microsoft.Resources/deployments', format('deploy-vnet-{0}-{1}', variables('spokes')[copyIndex()].name, parameters('deploymentNameSuffix'))), '2022-09-01').outputs.networkSecurityGroupName.value]" + }, + "virtualNetworkDiagnosticsLogs": { + "value": "[variables('spokes')[copyIndex()].VirtualNetworkDiagnosticsLogs]" + }, + "virtualNetworkDiagnosticsMetrics": { + "value": "[variables('spokes')[copyIndex()].VirtualNetworkDiagnosticsMetrics]" + }, + "virtualNetworkName": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', variables('spokes')[copyIndex()].subscriptionId, variables('spokes')[copyIndex()].resourceGroupName), 'Microsoft.Resources/deployments', format('deploy-vnet-{0}-{1}', variables('spokes')[copyIndex()].name, parameters('deploymentNameSuffix'))), '2022-09-01').outputs.virtualNetworkName.value]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.24.24.22086", + "templateHash": "1181334419264940080" + } + }, + "parameters": { + "hubStorageAccountResourceId": { + "type": "string" }, - { - "type": "Microsoft.Network/privateDnsZones", - "apiVersion": "2018-09-01", - "name": "[variables('privatelink_avd_global_name')]", - "location": "global", - "tags": "[parameters('tags')]" + "logAnalyticsWorkspaceResourceId": { + "type": "string" }, - { - "condition": "[not(contains(variables('privatelink_backup_names')[copyIndex()], '..'))]", - "copy": { - "name": "privateDnsZone_backup_rsv", - "count": "[length(variables('privatelink_backup_names'))]" - }, - "type": "Microsoft.Network/privateDnsZones", - "apiVersion": "2018-09-01", - "name": 
"[variables('privatelink_backup_names')[copyIndex()]]", - "location": "global", - "tags": "[parameters('tags')]" + "networkSecurityGroupDiagnosticsLogs": { + "type": "array" }, - { - "type": "Microsoft.Network/privateDnsZones", - "apiVersion": "2018-09-01", - "name": "[variables('privatelink_file_name')]", - "location": "global", - "tags": "[parameters('tags')]" + "networkSecurityGroupDiagnosticsMetrics": { + "type": "array" }, - { - "type": "Microsoft.Network/privateDnsZones", - "apiVersion": "2018-09-01", - "name": "[variables('privatelink_queue_name')]", - "location": "global", - "tags": "[parameters('tags')]" + "networkSecurityGroupName": { + "type": "string" }, - { - "type": "Microsoft.Network/privateDnsZones", - "apiVersion": "2018-09-01", - "name": "[variables('privatelink_table_name')]", - "location": "global", - "tags": "[parameters('tags')]" + "virtualNetworkDiagnosticsLogs": { + "type": "array" }, - { - "type": "Microsoft.Network/privateDnsZones", - "apiVersion": "2018-09-01", - "name": "[variables('privatelink_keyvaultDns_name')]", - "location": "global", - "tags": "[parameters('tags')]" + "virtualNetworkDiagnosticsMetrics": { + "type": "array" }, + "virtualNetworkName": { + "type": "string" + } + }, + "resources": [ { - "type": "Microsoft.Network/privateDnsZones", - "apiVersion": "2018-09-01", - "name": "[variables('privatelink_monitor_name')]", - "location": "global", - "tags": "[parameters('tags')]" + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "networkSecurityGroupDiagnostics", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "logAnalyticsWorkspaceResourceId": { + "value": "[parameters('logAnalyticsWorkspaceResourceId')]" + }, + "logs": { + "value": "[parameters('networkSecurityGroupDiagnosticsLogs')]" + }, + "logStorageAccountResourceId": { + "value": "[parameters('hubStorageAccountResourceId')]" + }, + "metrics": { + "value": 
"[parameters('networkSecurityGroupDiagnosticsMetrics')]" + }, + "name": { + "value": "[parameters('networkSecurityGroupName')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.24.24.22086", + "templateHash": "7786315125053139576" + } + }, + "parameters": { + "name": { + "type": "string" + }, + "logAnalyticsWorkspaceResourceId": { + "type": "string" + }, + "logs": { + "type": "array" + }, + "logStorageAccountResourceId": { + "type": "string" + }, + "metrics": { + "type": "array" + } + }, + "resources": [ + { + "type": "Microsoft.Insights/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "scope": "[format('Microsoft.Network/networkSecurityGroups/{0}', parameters('name'))]", + "name": "[format('{0}-diagnostics', parameters('name'))]", + "properties": { + "storageAccountId": "[parameters('logStorageAccountResourceId')]", + "workspaceId": "[parameters('logAnalyticsWorkspaceResourceId')]", + "logs": "[parameters('logs')]", + "metrics": "[parameters('metrics')]" + } + } + ] + } + } }, { - "type": "Microsoft.Network/privateDnsZones", - "apiVersion": "2018-09-01", - "name": "[variables('privatelink_oms_opinsights_name')]", - "location": "global", - "tags": "[parameters('tags')]" + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "virtualNetworkDiagnostics", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "logAnalyticsWorkspaceResourceId": { + "value": "[parameters('logAnalyticsWorkspaceResourceId')]" + }, + "logs": { + "value": "[parameters('virtualNetworkDiagnosticsLogs')]" + }, + "logStorageAccountResourceId": { + "value": "[parameters('hubStorageAccountResourceId')]" + }, + "metrics": { + "value": "[parameters('virtualNetworkDiagnosticsMetrics')]" + }, + "name": { + "value": 
"[parameters('virtualNetworkName')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.24.24.22086", + "templateHash": "15623637455522175927" + } + }, + "parameters": { + "logAnalyticsWorkspaceResourceId": { + "type": "string" + }, + "logs": { + "type": "array" + }, + "logStorageAccountResourceId": { + "type": "string" + }, + "metrics": { + "type": "array" + }, + "name": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.Insights/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "scope": "[format('Microsoft.Network/virtualNetworks/{0}', parameters('name'))]", + "name": "[format('{0}-diagnostics', parameters('name'))]", + "properties": { + "storageAccountId": "[parameters('logStorageAccountResourceId')]", + "workspaceId": "[parameters('logAnalyticsWorkspaceResourceId')]", + "logs": "[parameters('logs')]", + "metrics": "[parameters('metrics')]" + } + } + ] + } + } + } + ] + } + }, + "dependsOn": [ + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix')))]", + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', variables('spokes')[copyIndex()].subscriptionId, variables('spokes')[copyIndex()].resourceGroupName), 'Microsoft.Resources/deployments', format('deploy-vnet-{0}-{1}', variables('spokes')[copyIndex()].name, parameters('deploymentNameSuffix')))]", + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', variables('spokes')[copyIndex()].subscriptionId, variables('spokes')[copyIndex()].resourceGroupName), 'Microsoft.Resources/deployments', format('deploy-vnet-{0}-{1}', variables('spokes')[copyIndex()].name, 
parameters('deploymentNameSuffix')))]", + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', variables('spokes')[copyIndex()].subscriptionId, variables('spokes')[copyIndex()].resourceGroupName), 'Microsoft.Resources/deployments', format('deploy-log-storage-{0}-{1}', variables('spokes')[copyIndex()].name, parameters('deploymentNameSuffix')))]" + ] + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('activity-logs-hub-{0}', parameters('deploymentNameSuffix'))]", + "subscriptionId": "[parameters('hubSubscriptionId')]", + "location": "[deployment().location]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "diagnosticSettingName": { + "value": "[format('log-hub-sub-activity-to-{0}', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.name.value)]" + }, + "logAnalyticsWorkspaceId": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.id.value]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.24.24.22086", + "templateHash": "3850477028148266020" + } + }, + "parameters": { + "diagnosticSettingName": { + "type": "string" }, - { - "type": "Microsoft.Network/privateDnsZones", - "apiVersion": "2018-09-01", - "name": "[variables('privatelink_ods_opinsights_name')]", - "location": 
"global", - "tags": "[parameters('tags')]" + "logAnalyticsWorkspaceId": { + "type": "string" }, + "supportedClouds": { + "type": "array", + "defaultValue": [ + "AzureCloud", + "AzureUSGovernment" + ] + } + }, + "resources": [ { - "type": "Microsoft.Network/privateDnsZones", - "apiVersion": "2018-09-01", - "name": "[variables('privatelink_agentsvc_azure_automation_name')]", - "location": "global", - "tags": "[parameters('tags')]" + "condition": "[contains(parameters('supportedClouds'), environment().name)]", + "type": "Microsoft.Insights/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[parameters('diagnosticSettingName')]", + "properties": { + "workspaceId": "[parameters('logAnalyticsWorkspaceId')]", + "logs": [ + { + "category": "Administrative", + "enabled": true + }, + { + "category": "Security", + "enabled": true + }, + { + "category": "ServiceHealth", + "enabled": true + }, + { + "category": "Alert", + "enabled": true + }, + { + "category": "Recommendation", + "enabled": true + }, + { + "category": "Policy", + "enabled": true + }, + { + "category": "Autoscale", + "enabled": true + }, + { + "category": "ResourceHealth", + "enabled": true + } + ] + } + } + ] + } + }, + "dependsOn": [ + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix')))]", + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix')))]" + ] + }, + { + "condition": "[contains(parameters('supportedClouds'), environment().name)]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "azure-monitor-private-link", + "subscriptionId": "[parameters('operationsSubscriptionId')]", 
+ "resourceGroup": "[variables('operationsResourceGroupName')]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "logAnalyticsWorkspaceName": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.name.value]" + }, + "logAnalyticsWorkspaceResourceId": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.id.value]" + }, + "privateEndpointSubnetName": { + "value": "[variables('operationsSubnetName')]" + }, + "privateEndpointVnetName": { + "value": "[variables('operationsVirtualNetworkName')]" + }, + "monitorPrivateDnsZoneId": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', 'azure-private-dns'), '2022-09-01').outputs.monitorPrivateDnsZoneId.value]" + }, + "omsPrivateDnsZoneId": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', 'azure-private-dns'), '2022-09-01').outputs.omsPrivateDnsZoneId.value]" + }, + "odsPrivateDnsZoneId": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', 'azure-private-dns'), '2022-09-01').outputs.odsPrivateDnsZoneId.value]" + }, + "agentsvcPrivateDnsZoneId": { + 
"value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', 'azure-private-dns'), '2022-09-01').outputs.agentsvcPrivateDnsZoneId.value]" + }, + "location": { + "value": "[parameters('location')]" + }, + "tags": { + "value": "[parameters('tags')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.24.24.22086", + "templateHash": "8401513239082999873" + } + }, + "parameters": { + "logAnalyticsWorkspaceName": { + "type": "string", + "metadata": { + "description": "The name of the resource the private endpoint is being created for" + } }, - { - "type": "Microsoft.Network/privateDnsZones", - "apiVersion": "2018-09-01", - "name": "[variables('privatelink_azure_automation_name')]", - "location": "global", - "tags": "[parameters('tags')]" + "logAnalyticsWorkspaceResourceId": { + "type": "string", + "metadata": { + "description": "The resource id of the resoure the private endpoint is being created for" + } }, - { - "type": "Microsoft.Network/privateDnsZones", - "apiVersion": "2018-09-01", - "name": "[variables('privatelink_blob_name')]", - "location": "global", - "tags": "[parameters('tags')]" + "privateEndpointSubnetName": { + "type": "string", + "metadata": { + "description": "The name of the subnet in the virtual network where the private endpoint will be placed" + } }, - { - "type": "Microsoft.Network/privateDnsZones/virtualNetworkLinks", - "apiVersion": "2018-09-01", - "name": "[format('{0}/{1}', variables('privatelink_avd_name'), format('{0}-link', variables('privatelink_avd_name')))]", - "location": "global", - "properties": { - "registrationEnabled": false, - "virtualNetwork": { - "id": "[resourceId(parameters('vnetSubscriptionId'), parameters('vnetResourceGroup'), 
'Microsoft.Network/virtualNetworks', parameters('vnetName'))]" - } - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/privateDnsZones', variables('privatelink_avd_name'))]" - ] + "privateEndpointVnetName": { + "type": "string", + "metadata": { + "description": "The name of the virtual network where the private endpoint will be placed" + } }, - { - "type": "Microsoft.Network/privateDnsZones/virtualNetworkLinks", - "apiVersion": "2018-09-01", - "name": "[format('{0}/{1}', variables('privatelink_file_name'), format('{0}-link', variables('privatelink_file_name')))]", - "location": "global", - "properties": { - "registrationEnabled": false, - "virtualNetwork": { - "id": "[resourceId(parameters('vnetSubscriptionId'), parameters('vnetResourceGroup'), 'Microsoft.Network/virtualNetworks', parameters('vnetName'))]" - } - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/privateDnsZones', variables('privatelink_file_name'))]" - ] + "tags": { + "type": "object", + "metadata": { + "description": "The tags that will be associated to the VM" + } }, - { - "type": "Microsoft.Network/privateDnsZones/virtualNetworkLinks", - "apiVersion": "2018-09-01", - "name": "[format('{0}/{1}', variables('privatelink_table_name'), format('{0}-link', variables('privatelink_table_name')))]", - "location": "global", - "properties": { - "registrationEnabled": false, - "virtualNetwork": { - "id": "[resourceId(parameters('vnetSubscriptionId'), parameters('vnetResourceGroup'), 'Microsoft.Network/virtualNetworks', parameters('vnetName'))]" - } - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/privateDnsZones', variables('privatelink_table_name'))]" - ] + "uniqueData": { + "type": "string", + "defaultValue": "[substring(uniqueString(subscription().subscriptionId, deployment().name), 0, 8)]", + "metadata": { + "description": "Data used to append to resources to ensure uniqueness" + } }, - { - "type": "Microsoft.Network/privateDnsZones/virtualNetworkLinks", - "apiVersion": "2018-09-01", - 
"name": "[format('{0}/{1}', variables('privatelink_keyvaultDns_name'), format('{0}-link', variables('privatelink_keyvaultDns_name')))]", - "location": "global", - "properties": { - "registrationEnabled": false, - "virtualNetwork": { - "id": "[resourceId(parameters('vnetSubscriptionId'), parameters('vnetResourceGroup'), 'Microsoft.Network/virtualNetworks', parameters('vnetName'))]" - } - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/privateDnsZones', variables('privatelink_keyvaultDns_name'))]" - ] + "vnetResourceGroup": { + "type": "string", + "defaultValue": "[resourceGroup().name]", + "metadata": { + "description": "The name of the the resource group where the virtual network exists" + } }, - { - "type": "Microsoft.Network/privateDnsZones/virtualNetworkLinks", - "apiVersion": "2018-09-01", - "name": "[format('{0}/{1}', variables('privatelink_queue_name'), format('{0}-link', variables('privatelink_queue_name')))]", - "location": "global", - "properties": { - "registrationEnabled": false, - "virtualNetwork": { - "id": "[resourceId(parameters('vnetSubscriptionId'), parameters('vnetResourceGroup'), 'Microsoft.Network/virtualNetworks', parameters('vnetName'))]" - } - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/privateDnsZones', variables('privatelink_queue_name'))]" - ] + "vnetSubscriptionId": { + "type": "string", + "defaultValue": "[subscription().subscriptionId]", + "metadata": { + "description": "The subscription id of the subscription the virtual network exists in" + } }, - { - "copy": { - "name": "virtualNetworkLink_backup_rsv", - "count": "[length(variables('privatelink_backup_names'))]" - }, - "type": "Microsoft.Network/privateDnsZones/virtualNetworkLinks", - "apiVersion": "2018-09-01", - "name": "[format('{0}/{1}', variables('privatelink_backup_names')[copyIndex()], format('{0}-link', variables('privatelink_backup_names')[copyIndex()]))]", - "location": "global", - "properties": { - "registrationEnabled": false, - "virtualNetwork": { - "id": 
"[resourceId(parameters('vnetSubscriptionId'), parameters('vnetResourceGroup'), 'Microsoft.Network/virtualNetworks', parameters('vnetName'))]" - } - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/privateDnsZones', variables('privatelink_backup_names')[copyIndex()])]" - ] + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The location of this resource" + } }, - { - "type": "Microsoft.Network/privateDnsZones/virtualNetworkLinks", - "apiVersion": "2018-09-01", - "name": "[format('{0}/{1}', variables('privatelink_avd_global_name'), format('{0}-link', variables('privatelink_avd_global_name')))]", - "location": "global", - "properties": { - "registrationEnabled": false, - "virtualNetwork": { - "id": "[resourceId(parameters('vnetSubscriptionId'), parameters('vnetResourceGroup'), 'Microsoft.Network/virtualNetworks', parameters('vnetName'))]" - } - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/privateDnsZones', variables('privatelink_avd_global_name'))]" - ] + "monitorPrivateDnsZoneId": { + "type": "string", + "metadata": { + "description": "Azure Monitor Private DNS Zone resource id" + } }, - { - "type": "Microsoft.Network/privateDnsZones/virtualNetworkLinks", - "apiVersion": "2018-09-01", - "name": "[format('{0}/{1}', variables('privatelink_monitor_name'), format('{0}-link', variables('privatelink_monitor_name')))]", - "location": "global", - "properties": { - "registrationEnabled": false, - "virtualNetwork": { - "id": "[resourceId(parameters('vnetSubscriptionId'), parameters('vnetResourceGroup'), 'Microsoft.Network/virtualNetworks', parameters('vnetName'))]" - } - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/privateDnsZones', variables('privatelink_monitor_name'))]" - ] + "omsPrivateDnsZoneId": { + "type": "string", + "metadata": { + "description": "OMS Private DNS Zone resource id" + } }, - { - "type": "Microsoft.Network/privateDnsZones/virtualNetworkLinks", - "apiVersion": 
"2018-09-01", - "name": "[format('{0}/{1}', variables('privatelink_oms_opinsights_name'), format('{0}-link', variables('privatelink_oms_opinsights_name')))]", - "location": "global", - "properties": { - "registrationEnabled": false, - "virtualNetwork": { - "id": "[resourceId(parameters('vnetSubscriptionId'), parameters('vnetResourceGroup'), 'Microsoft.Network/virtualNetworks', parameters('vnetName'))]" - } - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/privateDnsZones', variables('privatelink_oms_opinsights_name'))]" - ] + "odsPrivateDnsZoneId": { + "type": "string", + "metadata": { + "description": "ODS Private DNS Zone resource id" + } }, + "agentsvcPrivateDnsZoneId": { + "type": "string", + "metadata": { + "description": "Agentsvc Private DNS Zone resource id" + } + } + }, + "variables": { + "privateLinkConnectionName": "[take(format('plconn{0}{1}', parameters('logAnalyticsWorkspaceName'), parameters('uniqueData')), 80)]", + "privateLinkEndpointName": "[take(format('pe{0}{1}', parameters('logAnalyticsWorkspaceName'), parameters('uniqueData')), 80)]", + "privateLinkScopeName": "[take(format('plscope{0}{1}', parameters('logAnalyticsWorkspaceName'), parameters('uniqueData')), 80)]", + "privateLinkScopeResourceName": "[take(format('plscres{0}{1}', parameters('logAnalyticsWorkspaceName'), parameters('uniqueData')), 80)]" + }, + "resources": [ { - "type": "Microsoft.Network/privateDnsZones/virtualNetworkLinks", - "apiVersion": "2018-09-01", - "name": "[format('{0}/{1}', variables('privatelink_ods_opinsights_name'), format('{0}-link', variables('privatelink_ods_opinsights_name')))]", + "type": "microsoft.insights/privateLinkScopes", + "apiVersion": "2019-10-17-preview", + "name": "[variables('privateLinkScopeName')]", "location": "global", - "properties": { - "registrationEnabled": false, - "virtualNetwork": { - "id": "[resourceId(parameters('vnetSubscriptionId'), parameters('vnetResourceGroup'), 'Microsoft.Network/virtualNetworks', parameters('vnetName'))]" - 
} - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/privateDnsZones', variables('privatelink_ods_opinsights_name'))]" - ] + "properties": {} }, { - "type": "Microsoft.Network/privateDnsZones/virtualNetworkLinks", - "apiVersion": "2018-09-01", - "name": "[format('{0}/{1}', variables('privatelink_agentsvc_azure_automation_name'), format('{0}-link', variables('privatelink_agentsvc_azure_automation_name')))]", - "location": "global", + "type": "Microsoft.Insights/privateLinkScopes/scopedResources", + "apiVersion": "2019-10-17-preview", + "name": "[format('{0}/{1}', variables('privateLinkScopeName'), variables('privateLinkScopeResourceName'))]", "properties": { - "registrationEnabled": false, - "virtualNetwork": { - "id": "[resourceId(parameters('vnetSubscriptionId'), parameters('vnetResourceGroup'), 'Microsoft.Network/virtualNetworks', parameters('vnetName'))]" - } + "linkedResourceId": "[parameters('logAnalyticsWorkspaceResourceId')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateDnsZones', variables('privatelink_agentsvc_azure_automation_name'))]" + "[resourceId('microsoft.insights/privateLinkScopes', variables('privateLinkScopeName'))]" ] }, { - "type": "Microsoft.Network/privateDnsZones/virtualNetworkLinks", - "apiVersion": "2018-09-01", - "name": "[format('{0}/{1}', variables('privatelink_azure_automation_name'), format('{0}-link', variables('privatelink_azure_automation_name')))]", - "location": "global", + "type": "Microsoft.Network/privateEndpoints", + "apiVersion": "2020-07-01", + "name": "[variables('privateLinkEndpointName')]", + "location": "[parameters('location')]", + "tags": "[parameters('tags')]", "properties": { - "registrationEnabled": false, - "virtualNetwork": { - "id": "[resourceId(parameters('vnetSubscriptionId'), parameters('vnetResourceGroup'), 'Microsoft.Network/virtualNetworks', parameters('vnetName'))]" - } + "subnet": { + "id": "[resourceId(parameters('vnetSubscriptionId'), parameters('vnetResourceGroup'), 
'Microsoft.Network/virtualNetworks/subnets', parameters('privateEndpointVnetName'), parameters('privateEndpointSubnetName'))]" + }, + "privateLinkServiceConnections": [ + { + "name": "[variables('privateLinkConnectionName')]", + "properties": { + "privateLinkServiceId": "[resourceId('microsoft.insights/privateLinkScopes', variables('privateLinkScopeName'))]", + "groupIds": [ + "azuremonitor" + ] + } + } + ] }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateDnsZones', variables('privatelink_azure_automation_name'))]" + "[resourceId('microsoft.insights/privateLinkScopes', variables('privateLinkScopeName'))]", + "[resourceId('Microsoft.Insights/privateLinkScopes/scopedResources', split(format('{0}/{1}', variables('privateLinkScopeName'), variables('privateLinkScopeResourceName')), '/')[0], split(format('{0}/{1}', variables('privateLinkScopeName'), variables('privateLinkScopeResourceName')), '/')[1])]" ] }, { - "type": "Microsoft.Network/privateDnsZones/virtualNetworkLinks", - "apiVersion": "2018-09-01", - "name": "[format('{0}/{1}', variables('privatelink_blob_name'), format('{0}-link', variables('privatelink_blob_name')))]", - "location": "global", + "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", + "apiVersion": "2020-07-01", + "name": "[format('{0}/{1}', variables('privateLinkEndpointName'), variables('privateLinkEndpointName'))]", "properties": { - "registrationEnabled": false, - "virtualNetwork": { - "id": "[resourceId(parameters('vnetSubscriptionId'), parameters('vnetResourceGroup'), 'Microsoft.Network/virtualNetworks', parameters('vnetName'))]" - } + "privateDnsZoneConfigs": [ + { + "name": "monitor", + "properties": { + "privateDnsZoneId": "[parameters('monitorPrivateDnsZoneId')]" + } + }, + { + "name": "oms", + "properties": { + "privateDnsZoneId": "[parameters('omsPrivateDnsZoneId')]" + } + }, + { + "name": "ods", + "properties": { + "privateDnsZoneId": "[parameters('odsPrivateDnsZoneId')]" + } + }, + { + "name": "agentsvc", + 
"properties": { + "privateDnsZoneId": "[parameters('agentsvcPrivateDnsZoneId')]" + } + } + ] }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateDnsZones', variables('privatelink_blob_name'))]" + "[resourceId('Microsoft.Network/privateEndpoints', variables('privateLinkEndpointName'))]" ] } - ], - "outputs": { - "agentsvcPrivateDnsZoneId": { - "type": "string", - "value": "[resourceId('Microsoft.Network/privateDnsZones', variables('privatelink_agentsvc_azure_automation_name'))]" - }, - "automationPrivateDnsZoneId": { - "type": "string", - "value": "[resourceId('Microsoft.Network/privateDnsZones', variables('privatelink_azure_automation_name'))]" - }, - "avdGlobalPrivateDnsZoneId": { - "type": "string", - "value": "[resourceId('Microsoft.Network/privateDnsZones', variables('privatelink_avd_global_name'))]" + ] + } + }, + "dependsOn": [ + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix')))]", + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', 'azure-private-dns')]", + "spokeNetworks" + ] + }, + { + "copy": { + "name": "spokeSubscriptionActivityLogging", + "count": "[length(variables('spokes'))]" + }, + "condition": "[not(equals(variables('spokes')[copyIndex()].subscriptionId, parameters('hubSubscriptionId')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('activity-logs-{0}-{1}', variables('spokes')[copyIndex()].name, parameters('deploymentNameSuffix'))]", + "subscriptionId": "[variables('spokes')[copyIndex()].subscriptionId]", + "location": "[deployment().location]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + 
"diagnosticSettingName": { + "value": "[format('log-{0}-sub-activity-to-{1}', variables('spokes')[copyIndex()].name, reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.name.value)]" + }, + "logAnalyticsWorkspaceId": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.id.value]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.24.24.22086", + "templateHash": "3850477028148266020" + } + }, + "parameters": { + "diagnosticSettingName": { + "type": "string" }, - "avdPrivateDnsZoneId": { - "type": "string", - "value": "[resourceId('Microsoft.Network/privateDnsZones', variables('privatelink_avd_name'))]" + "logAnalyticsWorkspaceId": { + "type": "string" }, - "backupPrivateDnsZoneIds": { + "supportedClouds": { "type": "array", - "copy": { - "count": "[length(variables('privatelink_backup_names'))]", - "input": "[resourceId('Microsoft.Network/privateDnsZones', variables('privatelink_backup_names')[copyIndex()])]" + "defaultValue": [ + "AzureCloud", + "AzureUSGovernment" + ] + } + }, + "resources": [ + { + "condition": "[contains(parameters('supportedClouds'), environment().name)]", + "type": "Microsoft.Insights/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[parameters('diagnosticSettingName')]", + "properties": { + "workspaceId": "[parameters('logAnalyticsWorkspaceId')]", + "logs": [ + { + "category": 
"Administrative", + "enabled": true + }, + { + "category": "Security", + "enabled": true + }, + { + "category": "ServiceHealth", + "enabled": true + }, + { + "category": "Alert", + "enabled": true + }, + { + "category": "Recommendation", + "enabled": true + }, + { + "category": "Policy", + "enabled": true + }, + { + "category": "Autoscale", + "enabled": true + }, + { + "category": "ResourceHealth", + "enabled": true + } + ] } - }, - "filePrivateDnsZoneId": { - "type": "string", - "value": "[resourceId('Microsoft.Network/privateDnsZones', variables('privatelink_file_name'))]" - }, - "keyvaultDnsPrivateDnsZoneId": { - "type": "string", - "value": "[resourceId('Microsoft.Network/privateDnsZones', variables('privatelink_keyvaultDns_name'))]" - }, - "monitorPrivateDnsZoneId": { - "type": "string", - "value": "[resourceId('Microsoft.Network/privateDnsZones', variables('privatelink_monitor_name'))]" - }, - "odsPrivateDnsZoneId": { - "type": "string", - "value": "[resourceId('Microsoft.Network/privateDnsZones', variables('privatelink_ods_opinsights_name'))]" - }, - "omsPrivateDnsZoneId": { - "type": "string", - "value": "[resourceId('Microsoft.Network/privateDnsZones', variables('privatelink_oms_opinsights_name'))]" - }, - "queuePrivateDnsZoneId": { - "type": "string", - "value": "[resourceId('Microsoft.Network/privateDnsZones', variables('privatelink_queue_name'))]" - }, - "storagePrivateDnsZoneId": { - "type": "string", - "value": "[resourceId('Microsoft.Network/privateDnsZones', variables('privatelink_blob_name'))]" - }, - "tablePrivateDnsZoneId": { - "type": "string", - "value": "[resourceId('Microsoft.Network/privateDnsZones', variables('privatelink_table_name'))]" } - } + ] } }, "dependsOn": [ - "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix')))]" + 
"[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix')))]", + "spokeNetworks" ] }, { "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "[format('activity-logs-hub-{0}', parameters('deploymentNameSuffix'))]", - "subscriptionId": "[parameters('hubSubscriptionId')]", - "location": "[deployment().location]", + "apiVersion": "2022-09-01", + "name": "[format('deploy-diagnostic-logging-{0}', parameters('deploymentNameSuffix'))]", + "subscriptionId": "[parameters('operationsSubscriptionId')]", + "resourceGroup": "[variables('operationsResourceGroupName')]", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { - "diagnosticSettingName": { - "value": "[format('log-hub-sub-activity-to-{0}', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix')))).outputs.name.value)]" + "diagnosticStorageAccountName": { + "value": "[variables('operationsLogStorageAccountName')]" }, - "logAnalyticsWorkspaceId": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix')))).outputs.id.value]" + "logAnalyticsWorkspaceName": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix'))), 
'2022-09-01').outputs.name.value]" } }, "template": { - "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", - "version": "0.10.61.36676", - "templateHash": "4564752438272570911" + "version": "0.24.24.22086", + "templateHash": "6866155279282592403" } }, "parameters": { - "diagnosticSettingName": { + "diagnosticStorageAccountName": { "type": "string" }, - "logAnalyticsWorkspaceId": { + "logAnalyticsWorkspaceName": { "type": "string" }, "supportedClouds": { @@ -6677,40 +6061,20 @@ "condition": "[contains(parameters('supportedClouds'), environment().name)]", "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2017-05-01-preview", - "name": "[parameters('diagnosticSettingName')]", + "scope": "[format('Microsoft.OperationalInsights/workspaces/{0}', parameters('logAnalyticsWorkspaceName'))]", + "name": "enable-log-analytics-diagnostics", "properties": { - "workspaceId": "[parameters('logAnalyticsWorkspaceId')]", + "workspaceId": "[resourceId('Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))]", + "storageAccountId": "[resourceId('Microsoft.Storage/storageAccounts', parameters('diagnosticStorageAccountName'))]", "logs": [ { - "category": "Administrative", - "enabled": true - }, - { - "category": "Security", - "enabled": true - }, - { - "category": "ServiceHealth", - "enabled": true - }, - { - "category": "Alert", - "enabled": true - }, - { - "category": "Recommendation", - "enabled": true - }, - { - "category": "Policy", - "enabled": true - }, - { - "category": "Autoscale", + "category": "Audit", "enabled": true - }, + } + ], + "metrics": [ { - "category": "ResourceHealth", + "category": "AllMetrics", "enabled": true } ] 
@@ -6720,52 +6084,37 @@ } }, "dependsOn": [ - "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix')))]", - "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix')))]" + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix')))]", + "spokeStorage" ] }, { - "condition": "[contains(parameters('supportedClouds'), environment().name)]", + "condition": "[parameters('deployPolicy')]", "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "azure-monitor-private-link", - "subscriptionId": "[parameters('operationsSubscriptionId')]", - "resourceGroup": "[variables('operationsResourceGroupName')]", + "apiVersion": "2022-09-01", + "name": "[format('assign-policy-hub-{0}', parameters('deploymentNameSuffix'))]", + "subscriptionId": "[parameters('hubSubscriptionId')]", + "resourceGroup": "[variables('hubResourceGroupName')]", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { - "logAnalyticsWorkspaceName": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix')))).outputs.name.value]" - }, - "logAnalyticsWorkspaceResourceId": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', 
parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix')))).outputs.id.value]" - }, - "privateEndpointSubnetName": { - "value": "[variables('operationsSubnetName')]" - }, - "privateEndpointVnetName": { - "value": "[variables('operationsVirtualNetworkName')]" - }, - "monitorPrivateDnsZoneId": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', 'azure-private-dns')).outputs.monitorPrivateDnsZoneId.value]" + "builtInAssignment": { + "value": "[parameters('policy')]" }, - "omsPrivateDnsZoneId": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', 'azure-private-dns')).outputs.omsPrivateDnsZoneId.value]" + "logAnalyticsWorkspaceName": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.name.value]" }, - "odsPrivateDnsZoneId": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', 'azure-private-dns')).outputs.odsPrivateDnsZoneId.value]" + "logAnalyticsWorkspaceResourceGroupName": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix'))), 
'2022-09-01').outputs.resourceGroupName.value]" }, - "agentsvcPrivateDnsZoneId": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', 'azure-private-dns')).outputs.agentsvcPrivateDnsZoneId.value]" + "operationsSubscriptionId": { + "value": "[parameters('operationsSubscriptionId')]" }, "location": { "value": "[parameters('location')]" - }, - "tags": { - "value": "[parameters('tags')]" } }, "template": { 
@@ -6774,60 +6123,38 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.10.61.36676", - "templateHash": "10271763324309057378" + "version": "0.24.24.22086", + "templateHash": "16693295535307781768" } }, "parameters": { - "logAnalyticsWorkspaceName": { - "type": "string", - "metadata": { - "description": "The name of the resource the private endpoint is being created for" - } - }, - "logAnalyticsWorkspaceResourceId": { - "type": "string", - "metadata": { - "description": "The resource id of the resoure the private endpoint is being created for" - } - }, - "privateEndpointSubnetName": { - "type": "string", - "metadata": { - "description": "The name of the subnet in the virtual network where the private endpoint will be placed" - } - }, - "privateEndpointVnetName": { + "builtInAssignment": { "type": "string", + "defaultValue": "NISTRev4", + "allowedValues": [ + "NISTRev4", + "NISTRev5", + "IL5", + "CMMC" + ], "metadata": { - "description": "The name of the virtual network where the private endpoint will be placed" + "description": "[NISTRev4/NISTRev5/IL5/CMMC] Built-in policy assignments to assign, default is NISTRev4. IL5 is only available for AzureUsGovernment and will switch to NISTRev4 if tried in AzureCloud." 
} }, - "tags": { - "type": "object", - "metadata": { - "description": "The tags that will be associated to the VM" - } + "logAnalyticsWorkspaceName": { + "type": "string" }, - "uniqueData": { - "type": "string", - "defaultValue": "[substring(uniqueString(subscription().subscriptionId, deployment().name), 0, 8)]", - "metadata": { - "description": "Data used to append to resources to ensure uniqueness" - } + "logAnalyticsWorkspaceResourceGroupName": { + "type": "string" }, - "vnetResourceGroup": { - "type": "string", - "defaultValue": "[resourceGroup().name]", - "metadata": { - "description": "The name of the the resource group where the virtual network exists" - } + "operationsSubscriptionId": { + "type": "string" }, - "vnetSubscriptionId": { - "type": "string", - "defaultValue": "[subscription().subscriptionId]", + "deployRemediation": { + "type": "bool", + "defaultValue": false, "metadata": { - "description": "The subscription id of the subscription the virtual network exists in" + "description": "Starts a policy remediation for the VM Agent policies in hub RG. Set to false by default since this is time consuming in deployment." } }, "location": { 
@@ -6836,247 +6163,234 @@ "metadata": { "description": "The location of this resource" } - }, - "monitorPrivateDnsZoneId": { - "type": "string", - "metadata": { - "description": "Azure Monitor Private DNS Zone resource id" + } + }, + "variables": { + "$fxv#0": " {\r\n \"listOfMembersToExcludeFromWindowsVMAdministratorsGroup\": \r\n {\r\n \"value\": \"admin\"\r\n },\r\n \"listOfMembersToIncludeInWindowsVMAdministratorsGroup\": \r\n {\r\n \"value\": \"azureuser\"\r\n },\r\n \"logAnalyticsWorkspaceIdforVMReporting\": \r\n {\r\n \"value\": \"\"\r\n },\r\n \"IncludeArcMachines\": \r\n {\r\n \"value\": \"true\"\r\n },\r\n \"MinimumTLSVersion-5752e6d6-1206-46d8-8ab1-ecc2f71a8112\": \r\n {\r\n \"value\": \"1.2\"\r\n },\r\n \"NotAvailableMachineState-bed48b13-6647-468e-aa2f-1af1d3f4dd40\": \r\n {\r\n \"value\": \"Compliant\"\r\n },\r\n \"requiredRetentionDays\": \r\n {\r\n \"value\": \"365\"\r\n },\r\n \"resourceGroupName-b6e2945c-0b7b-40f5-9233-7a5323b5cdc6\": \r\n {\r\n \"value\": \"NetworkWatcherRG\"\r\n }\r\n }", + "$fxv#1": " {\r\n \"IncludeArcMachines\": \r\n {\r\n \"value\": \"true\"\r\n },\r\n \"MinimumTLSVersion-5752e6d6-1206-46d8-8ab1-ecc2f71a8112\": \r\n {\r\n \"value\": \"1.2\"\r\n },\r\n \"NotAvailableMachineState-bed48b13-6647-468e-aa2f-1af1d3f4dd40\": \r\n {\r\n \"value\": \"Compliant\"\r\n },\r\n \"requiredRetentionDays\": \r\n {\r\n \"value\": \"365\"\r\n },\r\n \"resourceGroupName-b6e2945c-0b7b-40f5-9233-7a5323b5cdc6\": \r\n {\r\n \"value\": \"NetworkWatcherRG\"\r\n }\r\n }", + "$fxv#2": "{\r\n \"IncludeArcMachines\" : { \r\n \"value\" : \"false\"\r\n },\r\n \"NotAvailableMachineState-bed48b13-6647-468e-aa2f-1af1d3f4dd40\" : { \r\n \"value\" : \"Compliant\"\r\n },\r\n \"MinimumTLSVersionForWindowsServers\" : { \r\n \"value\" : \"1.2\"\r\n },\r\n \"requiredRetentionDays\" : { \r\n \"value\" : \"365\"\r\n },\r\n \"effect-febd0533-8e55-448f-b837-bd0e06f16469\" : { \r\n \"value\" : \"audit\"\r\n },\r\n 
\"allowedContainerImagesRegex-febd0533-8e55-448f-b837-bd0e06f16469\" : { \r\n \"value\" : \"^(.+){0}$\"\r\n },\r\n \"effect-95edb821-ddaf-4404-9732-666045e056b4\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-440b515e-a580-421e-abeb-b159a61ddcbc\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-233a2a17-77ca-4fb1-9b6b-69223d272a44\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-e345eecc-fa47-480f-9e88-67dcc122b164\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"cpuLimit-e345eecc-fa47-480f-9e88-67dcc122b164\" : { \r\n \"value\" : \"0\"\r\n },\r\n \"memoryLimit-e345eecc-fa47-480f-9e88-67dcc122b164\" : { \r\n \"value\" : \"0\"\r\n },\r\n \"effect-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"runAsUserRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \r\n \"value\" : \"MustRunAsNonRoot\"\r\n },\r\n \"runAsGroupRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \r\n \"value\" : \"RunAsAny\"\r\n },\r\n \"supplementalGroupsRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \r\n \"value\" : \"RunAsAny\"\r\n },\r\n \"fsGroupRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \r\n \"value\" : \"RunAsAny\"\r\n },\r\n \"effect-1c6e92c9-99f0-4e55-9cf2-0c234dc48f99\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-df49d893-a74c-421d-bc95-c663042e5b80\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-c26596ff-4d70-4e6a-9a30-c2506bd2f80c\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-511f5417-5d12-434d-ab2e-816901e72a5e\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-82985f06-dc18-4a48-bc1c-b9f4f0098cfe\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-098fc59e-46c7-4d99-9b16-64990e543d75\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"NetworkWatcherResourceGroupName\" : { \r\n \"value\" : \"NetworkWatcherRG\"\r\n },\r\n 
\"setting-a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9\" : { \r\n \"value\" : \"enabled\"\r\n },\r\n \"aadAuthenticationInServiceFabricMonitoringEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-71ef260a-8f18-47b7-abcb-62d0673d94dc\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-055aa869-bc98-4af8-bafc-23f1ab6ffe2c\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-564feb30-bf6a-4854-b4bb-0d2d2d1e6c66\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-d9da03a1-f3c3-412a-9709-947156872263\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-617c02be-7f02-4efd-8836-3180d47b6c68\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-ec068d99-e9c7-401f-8cef-5bdde4e6ccf1\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-c349d81b-9985-44ae-a8da-ff98d108ede8\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-3657f5a0-770e-44a3-b44e-9431ba1e9735\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-b4ac1030-89c5-4697-8e00-28b5ba6a8811\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-ea0dfaed-95fb-448c-934e-d6e713ce393d\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-4733ea7b-a883-42fe-8cac-97454c2a9e4a\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-f4b53539-8df9-40e4-86c6-6b607703bd4e\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-41425d9f-d1a5-499a-9932-f8ed8453932c\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-fc4d8e41-e223-45ea-9bf5-eada37891d87\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-86efb160-8de7-451d-bc08-5d475b0aadae\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-4ec52d6d-beb7-40c4-9a9e-fe753254690e\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-64d314f6-6062-4780-a861-c23e8951bee5\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n 
\"effect-1fd32ebd-e4c3-4e13-a54a-d7422d4d95f6\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-fa298e57-9444-42ba-bf04-86e8470e32c7\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-67121cc7-ff39-4ab8-b7e3-95b84dab487d\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-1f905d99-2ab7-462c-a6b0-f709acca6c8f\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-ba769a63-b8cc-4b2d-abf6-ac33c7204be8\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-81e74cea-30fd-40d5-802f-d72103c2aaaa\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-0aa61e00-0a01-4a3c-9945-e93cffedf0e6\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-47031206-ce96-41f8-861b-6a915f3de284\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-87ba29ef-1ab3-4d82-b763-87fcd4f531f7\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-51522a96-0869-4791-82f3-981000c2c67f\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-b5ec538c-daa0-4006-8596-35468b9148e8\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-56a5ee18-2ae6-4810-86f7-18e39ce5629b\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-2e94d99a-8a36-4563-bc77-810d8893b671\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-1fafeaf6-7927-4059-a50a-8eb2a7a6f2b5\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-99e9ccd8-3db9-4592-b0d1-14b1715a4d8a\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-1f68a601-6e6d-4e42-babf-3f643a047ea2\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-f7d52b2d-e161-4dfa-a82b-55e564167385\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-7d7be79c-23ba-4033-84dd-45e2a5ccdd67\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-ca91455f-eace-4f96-be59-e6e2c35b4816\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-702dd420-7fcc-42c5-afe8-4026edd20fe0\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"diagnosticsLogsInRedisCacheMonitoringEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n 
\"secureTransferToStorageAccountMonitoringEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-d0793b48-0edc-4296-a390-4c75d1bdfd71\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-7d092e0a-7acd-40d2-a975-dca21cae48c4\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-2a1a9cdf-e04d-429a-8416-3bfb72a1b26f\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"disableUnrestrictedNetworkToStorageAccountMonitoringEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-55615ac9-af46-4a59-874e-391cc3dfb490\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-1b8ca024-1d5c-4dec-8995-b1a932b41780\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-037eea7a-bd0a-46c5-9a66-03aea78705d3\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-53503636-bcc9-4748-9663-5348217f160f\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-40cec1dd-a100-4920-b15b-3024fe8901ab\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-0725b4dd-7e76-479c-a735-68e7ee23d5ca\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-a049bf77-880b-470f-ba6d-9f21c530cf83\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-ee980b6d-0eca-4501-8d54-f6290fd512c3\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-1d84d5fb-01f6-4d12-ba4f-4a26081d403d\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-37e0d2fe-28a5-43d6-a273-67d37d1f5606\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"identityDesignateMoreThanOneOwnerMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"diskEncryptionMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"emailNotificationToSubscriptionOwnerHighSeverityAlertsEnabledEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"functionAppDisableRemoteDebuggingMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"sqlDbEncryptionMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"vulnerabilityAssessmentOnManagedInstanceMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n 
\"ensurePHPVersionLatestForAPIAppEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"aadAuthenticationInSqlServerMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"vmssEndpointProtectionMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"vmssOsVulnerabilitiesMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"adaptiveApplicationControlsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"geoRedundantBackupShouldBeEnabledForAzureDatabaseForPostgreSQLEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"ensureJavaVersionLatestForWebAppEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"identityDesignateLessThanOwnersMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"securityContactEmailAddressForSubscriptionEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"webAppRestrictCORSAccessMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"identityRemoveExternalAccountWithWritePermissionsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"identityRemoveExternalAccountWithReadPermissionsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"identityRemoveDeprecatedAccountMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"functionAppEnforceHttpsMonitoringEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"ensurePythonVersionLatestForWebAppEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"ensurePythonVersionLatestForFunctionAppEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"ensurePHPVersionLatestForWebAppEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"ensurePythonVersionLatestForAPIAppEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"geoRedundantBackupShouldBeEnabledForAzureDatabaseForMySQLEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"systemUpdatesMonitoringEffect\" : { \r\n 
\"value\" : \"AuditIfNotExists\"\r\n },\r\n \"ensureJavaVersionLatestForAPIAppEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"ensureHTTPVersionLatestForWebAppEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"apiAppRequireLatestTlsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"identityEnableMFAForWritePermissionsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"ensureHTTPVersionLatestForAPIAppEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"ensureJavaVersionLatestForFunctionAppEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"nextGenerationFirewallMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"useRbacRulesMonitoringEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"webAppEnforceHttpsMonitoringEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"sqlServerAuditingMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"vnetEnableDDoSProtectionMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"identityEnableMFAForOwnerPermissionsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"sqlServerAdvancedDataSecurityMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"sqlManagedInstanceAdvancedDataSecurityMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"endpointProtectionMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"jitNetworkAccessMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"apiAppEnforceHttpsMonitoringEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"geoRedundantStorageShouldBeEnabledForStorageAccountsEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"vmssSystemUpdatesMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"webAppDisableRemoteDebuggingMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n 
\"longtermGeoRedundantBackupEnabledAzureSQLDatabasesEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"systemConfigurationsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"ensureHTTPVersionLatestForFunctionAppEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"identityEnableMFAForReadPermissionsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"containerBenchmarkMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"apiAppDisableRemoteDebuggingMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"vulnerabilityAssessmentOnServerMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"webAppRequireLatestTlsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"identityRemoveExternalAccountWithOwnerPermissionsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"functionAppRequireLatestTlsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"kubernetesServiceVersionUpToDateMonitoringEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"sqlDbVulnerabilityAssesmentMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"membersToIncludeInLocalAdministratorsGroup\" : { \r\n \"value\" : \"\"\r\n },\r\n \"membersToExcludeInLocalAdministratorsGroup\" : { \r\n \"value\" : \"\"\r\n },\r\n \"logAnalyticsWorkspaceIDForVMAgents\" : { \r\n \"value\" : \"\"\r\n },\r\n \"PHPLatestVersionForAppServices\" : { \r\n \"value\" : \"7.4\"\r\n },\r\n \"JavaLatestVersionForAppServices\" : { \r\n \"value\" : \"11\"\r\n },\r\n \"WindowsPythonLatestVersionForAppServices\" : { \r\n \"value\" : \"3.6\"\r\n },\r\n \"LinuxPythonLatestVersionForAppServices\" : { \r\n \"value\" : \"3.9\"\r\n },\r\n \"ensureDotNetFrameworkLatestForFunctionAppEffect\" : { \r\n \"value\" : 
\"Disabled\"\r\n },\r\n \"sqlManagedInstanceAdvancedDataSecurityEmailsMonitoringEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"vulnerabilityAssessmentMonitoringEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"ensureDotNetFrameworkLatestForWebAppEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"sqlServerAdvancedDataSecurityEmailsMonitoringEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"microsoftIaaSAntimalwareExtensionShouldBeDeployedOnWindowsServersEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"securityCenterStandardPricingTierShouldBeSelectedEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"theLogAnalyticsAgentShouldBeInstalledOnVirtualMachinesEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"ensurePHPVersionLatestForFunctionAppEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"sqlManagedInstanceAdvancedDataSecurityEmailAdminsMonitoringEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"securityContactPhoneNumberShouldBeProvidedForSubscriptionEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"threatDetectionTypesOnManagedInstanceMonitoringEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"ensureDotNetFrameworkLatestForAPIAppEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"sqlServerAdvancedDataSecurityEmailAdminsMonitoringEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"threatDetectionTypesOnServerMonitoringEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"theLogAnalyticsAgentShouldBeInstalledOnVirtualMachineScaleSetsEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n }\r\n}", + "$fxv#3": "{\r\n \"logAnalyticsWorkspaceId-f47b5582-33ec-4c5c-87c0-b010a6b2e917\" : { \r\n \"value\" : \"\"\r\n },\r\n \"effect-09024ccc-0c5f-475e-9457-b7c0d9ed487b\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"MembersToExclude-69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f\" :{\r\n \"value\": \"\"\r\n },\r\n \"MembersToInclude-30f71ea1-ac77-4f26-9fc5-2d926bbd4ba7\": {\r\n \"value\": \"\"\r\n },\r\n 
\"effect-0961003e-5a0a-4549-abde-af6a37f2724d\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-0b15565f-aa9e-48ba-8619-45960f2c314d\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-0e60b895-3786-45da-8377-9c6b4b6ac5f9\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-17k78e20-9358-41c9-923c-fb736d382a12\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"PHPLatestVersion\" : { \r\n \"value\" : \"7.3\"\r\n },\r\n \"effect-22bee202-a82f-4305-9a2a-6d7f44d4dedb\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-26a828e1-e88f-464e-bbb3-c134a282b9de\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-34c877ad-507e-4c82-993e-3452a6e0ad3c\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-404c3081-a854-4457-ae30-26a93ef643f9\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-47a6b606-51aa-4496-8bb7-64b11cf66adc\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-496223c3-ad65-4ecd-878a-bae78737e9ed\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"JavaLatestVersion\" : { \r\n \"value\" : \"11\"\r\n },\r\n \"effect-4f11b553-d42e-4e3a-89be-32ca364cad4c\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-5c607a2e-c700-4744-8254-d77e7c9eb5e4\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-5f76cf89-fbf2-47fd-a3f4-b891fa780b60\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-6b1cbf55-e8b6-442f-ba4c-7246b6381474\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-7008174a-fd10-4ef0-817e-fc820a951d73\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n 
\"LinuxPythonLatestVersion\" : { \r\n \"value\" : \"3.8\"\r\n },\r\n \"effect-7238174a-fd10-4ef0-817e-fc820a951d73\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-7261b898-8a84-4db8-9e04-18527132abb3\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-74c3584d-afae-46f7-a20a-6f8adba71a16\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-86b3d65f-7626-441e-b690-81a8b71cff60\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-88999f4c-376a-45c8-bcb3-4058f713cf39\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-8c122334-9d20-4eb8-89ea-ac9a705b74ae\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-9297c21d-2ed6-4474-b48f-163f75654ce3\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-991310cd-e9f3-47bc-b7b6-f57b557d07db\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-9b597639-28e4-48eb-b506-56b05d366257\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-9daedab3-fb2d-461e-b861-71790eead4f6\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-a4af4a39-4135-47fb-b175-47fbdf85311d\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"setting-a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9\" : { \r\n \"value\" : \"enabled\"\r\n },\r\n \"effect-a70ca396-0a34-413a-88e1-b956c1e683be\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-aa633080-8b72-40c4-a2d7-d00c03e80bed\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n 
\"effect-af6cd1bd-1635-48cb-bde7-5b15693900b9\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"resourceGroupName-b6e2945c-0b7b-40f5-9233-7a5323b5cdc6\" : { \r\n \"value\" : \"NetworkWatcherRG\"\r\n },\r\n \"effect-b7ddfbdc-1260-477d-91fd-98bd9be789a6\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-c3f317a7-a95c-4547-b7e7-11017ebdf2fe\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-cb510bfd-1cba-4d9f-a230-cb0976f4bb71\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-e2c1c086-2d84-4019-bff3-c44ccd95113c\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-e3576e28-8b17-4677-84c3-db2990658d64\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-e8cbc669-f12d-49eb-93e7-9273119e9933\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-e9c8d085-d9cc-4b17-9cdc-059f1f01f19e\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-ebb62a0c-3560-49e1-89ed-27e074e9f8ad\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-efbde977-ba53-4479-b8e9-10b957924fbf\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-f6de0be7-9a8a-4b8a-b349-43cf02d22f7c\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-f8456c1c-aa66-4dfb-861a-25d127b775c9\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-f9d614c5-c173-4d56-95a7-b4437057d193\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-fb893a29-21bb-418c-a157-e99480ec364c\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-feedbf84-6b99-488c-acc2-71c829aa5ffc\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-3b980d31-7904-4bb7-8575-5665739a8052\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-6e2593d9-add6-4083-9c9b-4b7d2188c899\" : { \r\n \"value\" : 
\"AuditIfNotExists\"\r\n },\r\n \"effect-b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-12430be1-6cc8-4527-a9a8-e3d38f250096\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"modeRequirement-12430be1-6cc8-4527-a9a8-e3d38f250096\" : { \r\n \"value\" : \"Detection\"\r\n },\r\n \"effect-425bea59-a659-4cbb-8d31-34499bd030b8\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"modeRequirement-425bea59-a659-4cbb-8d31-34499bd030b8\" : { \r\n \"value\" : \"Detection\"\r\n },\r\n \"effect-564feb30-bf6a-4854-b4bb-0d2d2d1e6c66\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-055aa869-bc98-4af8-bafc-23f1ab6ffe2c\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-013e242c-8828-4970-87b3-ab247555486d\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-d38fc420-0735-4ef3-ac11-c806f651a570\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-a1181c5f-672a-477a-979a-7d58aa086233\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-308fbb08-4ab8-4e67-9b29-592e93fb94fa\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-4da35fc9-c9e7-4960-aec9-797fe7d9051d\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-523b5cd1-3e23-492f-a539-13118b6d1e3a\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-7fe3b40f-802b-4cdd-8bd4-fd799c948cc2\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-c25d9a16-bc35-4e15-a7e5-9db606bf9ed4\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-b0f33259-77d7-4c9e-aac6-3aabcfae693c\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-037eea7a-bd0a-46c5-9a66-03aea78705d3\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-0725b4dd-7e76-479c-a735-68e7ee23d5ca\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-0820b7b9-23aa-4725-a1ce-ae4558f718e5\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-2c89a2e5-7285-40fe-afe0-ae8654b92fab\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n 
\"effect-358c20a6-3f9e-4f0e-97ff-c6ce485e2aac\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-5744710e-cc2f-4ee8-8809-3b11e89f4bc9\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-ac4a19c2-fa67-49b4-8ae5-0b2e78c49457\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-c9d007d0-c057-4772-b18c-01e546713bcd\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-d0793b48-0edc-4296-a390-4c75d1bdfd71\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-e372f825-a257-4fb8-9175-797a8a8627d6\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-d158790f-bfb0-486c-8631-2dc6b4e8e6af\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-e802a67a-daf5-4436-9ea6-f6d821dd0c5d\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-a451c1ef-c6ca-483d-87ed-f49761e3ffb5\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftSql-servers-firewallRules-delete\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftNetwork-networkSecurityGroups-delete\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftClassicNetwork-networkSecurityGroups-delete\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftNetwork-networkSecurityGroups-securityRules-delete\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftClassicNetwork-networkSecurityGroups-securityRules-delete\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-ae89ebca-1c92-4898-ac2c-9f63decb045c\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-d26f7642-7545-4e18-9b75-8c9bbdee3a9a\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-1a4e592a-6a6e-44a5-9814-e36264ca96e7\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-7796937f-307b-4598-941c-67d3a05ebfe7\" : { \r\n \"value\" : 
\"AuditIfNotExists\"\r\n },\r\n \"effect-c5447c04-a4d7-4ba8-a263-c9ee321a6858\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-41388f1c-2db0-4c25-95b2-35d7f5ccbfa9\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-b02aacc0-b073-424e-8298-42b22829ee0a\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-0ec47710-77ff-4a3d-9181-6aa50af424d0\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-48af4db5-9b8b-401c-8e74-076be876a430\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-82339799-d096-41ae-8538-b108becf0970\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-1b7aa243-30e4-4c9e-bca8-d0d3022b634a\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-bb91dfba-c30d-4263-9add-9c2384e659a6\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-e71308d3-144b-4262-b144-efdc3cc90517\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-2bdd0062-9d75-436e-89df-487dd8e4b3c7\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"effect-4733ea7b-a883-42fe-8cac-97454c2a9e4a\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-67121cc7-ff39-4ab8-b7e3-95b84dab487d\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-6fac406b-40ca-413b-bf8e-0bf964659c25\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-81e74cea-30fd-40d5-802f-d72103c2aaaa\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-c349d81b-9985-44ae-a8da-ff98d108ede8\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-f4b53539-8df9-40e4-86c6-6b607703bd4e\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-ec068d99-e9c7-401f-8cef-5bdde4e6ccf1\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-048248b0-55cd-46da-b1ff-39efd52db260\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-0d134df8-db83-46fb-ad72-fe0c9428c8dd\" : { \r\n 
\"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-2c89a2e5-7285-40fe-afe0-ae8654b92fb2\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-3657f5a0-770e-44a3-b44e-9431ba1e9735\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-617c02be-7f02-4efd-8836-3180d47b6c68\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-7d7be79c-23ba-4033-84dd-45e2a5ccdd67\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-87ba29ef-1ab3-4d82-b763-87fcd4f531f7\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-f7d52b2d-e161-4dfa-a82b-55e564167385\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-c43e4a30-77cb-48ab-a4dd-93f175c63b57\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-1f314764-cb73-4fc9-b863-8eca98ac36e9\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-123a3936-f020-408a-ba0c-47873faf1534\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n }\r\n}\r\n", + "modifiedAssignment": "[if(and(equals(toLower(environment().name), toLower('AzureCloud')), equals(toLower(parameters('builtInAssignment')), toLower('IL5'))), 'NISTRev4', parameters('builtInAssignment'))]", + "assignmentName": "[format('{0} {1}', variables('modifiedAssignment'), resourceGroup().name)]", + "agentVmssAssignmentName": "[format('Deploy VMSS Agents {0}', resourceGroup().name)]", + "agentVmAssignmentName": "[format('Deploy VM Agents {0}', resourceGroup().name)]", + "contributorRoleDefinitionId": "[resourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "lawsReaderRoleDefinitionId": "[resourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]" + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyAssignments", + 
"apiVersion": "2020-09-01", + "name": "[variables('assignmentName')]", + "location": "[parameters('location')]", + "properties": { + "policyDefinitionId": "[createObject('NISTRev4', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f', 'parameters', json(replace(variables('$fxv#0'), '', extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))))), 'NISTRev5', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f', 'parameters', json(variables('$fxv#1'))), 'IL5', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/f9a961fa-3241-4b20-adc4-bbf8ad9d7197', 'parameters', json(replace(variables('$fxv#2'), '', extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))))), 'CMMC', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/b5629c75-5c77-4422-87b9-2509e680f8de', 'parameters', json(replace(variables('$fxv#3'), '', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName')), '2021-06-01').customerId))))[variables('modifiedAssignment')].id]", + "parameters": "[createObject('NISTRev4', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f', 'parameters', json(replace(variables('$fxv#0'), '', extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', 
parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))))), 'NISTRev5', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f', 'parameters', json(variables('$fxv#1'))), 'IL5', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/f9a961fa-3241-4b20-adc4-bbf8ad9d7197', 'parameters', json(replace(variables('$fxv#2'), '', extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))))), 'CMMC', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/b5629c75-5c77-4422-87b9-2509e680f8de', 'parameters', json(replace(variables('$fxv#3'), '', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName')), '2021-06-01').customerId))))[variables('modifiedAssignment')].parameters]" + }, + "identity": { + "type": "SystemAssigned" } }, - "omsPrivateDnsZoneId": { - "type": "string", - "metadata": { - "description": "OMS Private DNS Zone resource id" + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2020-09-01", + "name": "[variables('agentVmssAssignmentName')]", + "location": "[parameters('location')]", + "properties": { + "policyDefinitionId": "[tenantResourceId('Microsoft.Authorization/policySetDefinitions', '75714362-cae7-409e-9b99-a8e5075b7fad')]", + "parameters": { + "logAnalytics_1": { + "value": "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), 
parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))]" + } + } + }, + "identity": { + "type": "SystemAssigned" } }, - "odsPrivateDnsZoneId": { - "type": "string", - "metadata": { - "description": "ODS Private DNS Zone resource id" + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2020-09-01", + "name": "[variables('agentVmAssignmentName')]", + "location": "[parameters('location')]", + "properties": { + "policyDefinitionId": "[tenantResourceId('Microsoft.Authorization/policySetDefinitions', '55f3eceb-5573-4f18-9695-226972c6d74a')]", + "parameters": { + "logAnalytics_1": { + "value": "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))]" + } + } + }, + "identity": { + "type": "SystemAssigned" } }, - "agentsvcPrivateDnsZoneId": { - "type": "string", - "metadata": { - "description": "Agentsvc Private DNS Zone resource id" - } - } - }, - "variables": { - "privateLinkConnectionName": "[take(format('plconn{0}{1}', parameters('logAnalyticsWorkspaceName'), parameters('uniqueData')), 80)]", - "privateLinkEndpointName": "[take(format('pe{0}{1}', parameters('logAnalyticsWorkspaceName'), parameters('uniqueData')), 80)]", - "privateLinkScopeName": "[take(format('plscope{0}{1}', parameters('logAnalyticsWorkspaceName'), parameters('uniqueData')), 80)]", - "privateLinkScopeResourceName": "[take(format('plscres{0}{1}', parameters('logAnalyticsWorkspaceName'), parameters('uniqueData')), 80)]" - }, - "resources": [ { - "type": "microsoft.insights/privateLinkScopes", - "apiVersion": "2019-10-17-preview", - "name": "[variables('privateLinkScopeName')]", - "location": "global", - "properties": {} + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": 
"2020-04-01-preview", + "name": "[guid(variables('contributorRoleDefinitionId'), variables('assignmentName'))]", + "properties": { + "roleDefinitionId": "[variables('contributorRoleDefinitionId')]", + "principalId": "[if(empty(variables('modifiedAssignment')), '', reference(resourceId('Microsoft.Authorization/policyAssignments', variables('assignmentName')), '2020-09-01', 'full').identity.principalId)]", + "principalType": "ServicePrincipal" + }, + "dependsOn": [ + "[resourceId('Microsoft.Authorization/policyAssignments', variables('assignmentName'))]" + ] + }, + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2020-04-01-preview", + "name": "[guid(variables('contributorRoleDefinitionId'), variables('agentVmssAssignmentName'))]", + "properties": { + "roleDefinitionId": "[variables('contributorRoleDefinitionId')]", + "principalId": "[reference(resourceId('Microsoft.Authorization/policyAssignments', variables('agentVmssAssignmentName')), '2020-09-01', 'full').identity.principalId]", + "principalType": "ServicePrincipal" + }, + "dependsOn": [ + "[resourceId('Microsoft.Authorization/policyAssignments', variables('agentVmssAssignmentName'))]" + ] }, { - "type": "Microsoft.Insights/privateLinkScopes/scopedResources", - "apiVersion": "2019-10-17-preview", - "name": "[format('{0}/{1}', variables('privateLinkScopeName'), variables('privateLinkScopeResourceName'))]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2020-04-01-preview", + "name": "[guid(variables('contributorRoleDefinitionId'), variables('agentVmAssignmentName'))]", "properties": { - "linkedResourceId": "[parameters('logAnalyticsWorkspaceResourceId')]" + "roleDefinitionId": "[variables('contributorRoleDefinitionId')]", + "principalId": "[reference(resourceId('Microsoft.Authorization/policyAssignments', variables('agentVmAssignmentName')), '2020-09-01', 'full').identity.principalId]", + "principalType": "ServicePrincipal" }, "dependsOn": [ - 
"[resourceId('microsoft.insights/privateLinkScopes', variables('privateLinkScopeName'))]" + "[resourceId('Microsoft.Authorization/policyAssignments', variables('agentVmAssignmentName'))]" ] }, { - "type": "Microsoft.Network/privateEndpoints", - "apiVersion": "2020-07-01", - "name": "[variables('privateLinkEndpointName')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", + "condition": "[parameters('deployRemediation')]", + "type": "Microsoft.PolicyInsights/remediations", + "apiVersion": "2019-07-01", + "name": "VM-Agent-Policy-Remediation", "properties": { - "subnet": { - "id": "[resourceId(parameters('vnetSubscriptionId'), parameters('vnetResourceGroup'), 'Microsoft.Network/virtualNetworks/subnets', parameters('privateEndpointVnetName'), parameters('privateEndpointSubnetName'))]" - }, - "privateLinkServiceConnections": [ - { - "name": "[variables('privateLinkConnectionName')]", - "properties": { - "privateLinkServiceId": "[resourceId('microsoft.insights/privateLinkScopes', variables('privateLinkScopeName'))]", - "groupIds": [ - "azuremonitor" - ] - } - } - ] + "policyAssignmentId": "[resourceId('Microsoft.Authorization/policyAssignments', variables('agentVmAssignmentName'))]", + "resourceDiscoveryMode": "ReEvaluateCompliance" }, "dependsOn": [ - "[resourceId('microsoft.insights/privateLinkScopes', variables('privateLinkScopeName'))]", - "[resourceId('Microsoft.Insights/privateLinkScopes/scopedResources', split(format('{0}/{1}', variables('privateLinkScopeName'), variables('privateLinkScopeResourceName')), '/')[0], split(format('{0}/{1}', variables('privateLinkScopeName'), variables('privateLinkScopeResourceName')), '/')[1])]" + "[resourceId('Microsoft.Authorization/policyAssignments', variables('agentVmAssignmentName'))]" ] }, { - "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", - "apiVersion": "2020-07-01", - "name": "[format('{0}/{1}', variables('privateLinkEndpointName'), variables('privateLinkEndpointName'))]", + 
"type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('Assign-Laws-Role-Policy-{0}', resourceGroup().name)]", + "subscriptionId": "[parameters('operationsSubscriptionId')]", + "resourceGroup": "[parameters('logAnalyticsWorkspaceResourceGroupName')]", "properties": { - "privateDnsZoneConfigs": [ - { - "name": "monitor", - "properties": { - "privateDnsZoneId": "[parameters('monitorPrivateDnsZoneId')]" - } + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "targetResourceId": { + "value": "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))]" }, - { - "name": "oms", - "properties": { - "privateDnsZoneId": "[parameters('omsPrivateDnsZoneId')]" + "roleDefinitionId": { + "value": "[variables('lawsReaderRoleDefinitionId')]" + }, + "principalId": { + "value": "[reference(resourceId('Microsoft.Authorization/policyAssignments', variables('agentVmAssignmentName')), '2020-09-01', 'full').identity.principalId]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.24.24.22086", + "templateHash": "8686326864657481429" } }, - { - "name": "ods", - "properties": { - "privateDnsZoneId": "[parameters('odsPrivateDnsZoneId')]" + "parameters": { + "targetResourceId": { + "type": "string" + }, + "roleDefinitionId": { + "type": "string" + }, + "principalId": { + "type": "string" + }, + "principalType": { + "type": "string", + "defaultValue": "ServicePrincipal", + "allowedValues": [ + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ] + }, + "description": { + "type": "string", + "defaultValue": "" } }, - { - "name": "agentsvc", - 
"properties": { - "privateDnsZoneId": "[parameters('agentsvcPrivateDnsZoneId')]" + "resources": [ + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2020-04-01-preview", + "name": "[guid(parameters('targetResourceId'), parameters('roleDefinitionId'), parameters('principalId'))]", + "properties": { + "principalId": "[parameters('principalId')]", + "principalType": "[parameters('principalType')]", + "roleDefinitionId": "[parameters('roleDefinitionId')]", + "description": "[parameters('description')]" + } } - } - ] + ] + } }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', variables('privateLinkEndpointName'))]" + "[resourceId('Microsoft.Authorization/policyAssignments', variables('agentVmAssignmentName'))]" ] } ] } }, "dependsOn": [ - "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', 'azure-private-dns')]", - "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix')))]", - "spokeNetworks" + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix')))]" ] }, { - "condition": "[not(equals(variables('spokes')[copyIndex()].subscriptionId, parameters('hubSubscriptionId')))]", "copy": { - "name": "spokeSubscriptionActivityLogging", + "name": "spokePolicyAssignments", "count": "[length(variables('spokes'))]" }, + "condition": "[parameters('deployPolicy')]", "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "[format('activity-logs-{0}-{1}', variables('spokes')[copyIndex()].name, 
parameters('deploymentNameSuffix'))]", + "apiVersion": "2022-09-01", + "name": "[format('assign-policy-{0}-{1}', variables('spokes')[copyIndex()].name, parameters('deploymentNameSuffix'))]", "subscriptionId": "[variables('spokes')[copyIndex()].subscriptionId]", - "location": "[deployment().location]", + "resourceGroup": "[variables('spokes')[copyIndex()].resourceGroupName]", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { - "diagnosticSettingName": { - "value": "[format('log-{0}-sub-activity-to-{1}', variables('spokes')[copyIndex()].name, reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix')))).outputs.name.value)]" + "builtInAssignment": { + "value": "[parameters('policy')]" }, - "logAnalyticsWorkspaceId": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix')))).outputs.id.value]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.10.61.36676", - "templateHash": "4564752438272570911" - } + "logAnalyticsWorkspaceName": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.name.value]" }, - "parameters": { - "diagnosticSettingName": { - "type": "string" - }, - 
"logAnalyticsWorkspaceId": { - "type": "string" - }, - "supportedClouds": { - "type": "array", - "defaultValue": [ - "AzureCloud", - "AzureUSGovernment" - ] - } + "logAnalyticsWorkspaceResourceGroupName": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.resourceGroupName.value]" }, - "resources": [ - { - "condition": "[contains(parameters('supportedClouds'), environment().name)]", - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2017-05-01-preview", - "name": "[parameters('diagnosticSettingName')]", - "properties": { - "workspaceId": "[parameters('logAnalyticsWorkspaceId')]", - "logs": [ - { - "category": "Administrative", - "enabled": true - }, - { - "category": "Security", - "enabled": true - }, - { - "category": "ServiceHealth", - "enabled": true - }, - { - "category": "Alert", - "enabled": true - }, - { - "category": "Recommendation", - "enabled": true - }, - { - "category": "Policy", - "enabled": true - }, - { - "category": "Autoscale", - "enabled": true - }, - { - "category": "ResourceHealth", - "enabled": true - } - ] - } - } - ] - } - }, - "dependsOn": [ - "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix')))]", - "spokeNetworks" - ] - }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "[format('deploy-diagnostic-logging-{0}', parameters('deploymentNameSuffix'))]", - "subscriptionId": "[parameters('operationsSubscriptionId')]", - "resourceGroup": "[variables('operationsResourceGroupName')]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" 
- }, - "mode": "Incremental", - "parameters": { - "diagnosticStorageAccountName": { - "value": "[variables('operationsLogStorageAccountName')]" + "operationsSubscriptionId": { + "value": "[parameters('operationsSubscriptionId')]" }, - "logAnalyticsWorkspaceName": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix')))).outputs.name.value]" + "location": { + "value": "[parameters('location')]" } }, "template": { 
@@ -7085,62 +6399,247 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.10.61.36676", - "templateHash": "5252752072010358356" + "version": "0.24.24.22086", + "templateHash": "16693295535307781768" } }, "parameters": { - "diagnosticStorageAccountName": { + "builtInAssignment": { + "type": "string", + "defaultValue": "NISTRev4", + "allowedValues": [ + "NISTRev4", + "NISTRev5", + "IL5", + "CMMC" + ], + "metadata": { + "description": "[NISTRev4/NISTRev5/IL5/CMMC] Built-in policy assignments to assign, default is NISTRev4. IL5 is only available for AzureUsGovernment and will switch to NISTRev4 if tried in AzureCloud." + } + }, + "logAnalyticsWorkspaceName": { + "type": "string" + }, + "logAnalyticsWorkspaceResourceGroupName": { "type": "string" }, - "logAnalyticsWorkspaceName": { + "operationsSubscriptionId": { "type": "string" }, - "supportedClouds": { - "type": "array", - "defaultValue": [ - "AzureCloud", - "AzureUSGovernment" - ] + "deployRemediation": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Starts a policy remediation for the VM Agent policies in hub RG. Set to false by default since this is time consuming in deployment." 
+ } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The location of this resource" + } } }, + "variables": { + "$fxv#0": " {\r\n \"listOfMembersToExcludeFromWindowsVMAdministratorsGroup\": \r\n {\r\n \"value\": \"admin\"\r\n },\r\n \"listOfMembersToIncludeInWindowsVMAdministratorsGroup\": \r\n {\r\n \"value\": \"azureuser\"\r\n },\r\n \"logAnalyticsWorkspaceIdforVMReporting\": \r\n {\r\n \"value\": \"\"\r\n },\r\n \"IncludeArcMachines\": \r\n {\r\n \"value\": \"true\"\r\n },\r\n \"MinimumTLSVersion-5752e6d6-1206-46d8-8ab1-ecc2f71a8112\": \r\n {\r\n \"value\": \"1.2\"\r\n },\r\n \"NotAvailableMachineState-bed48b13-6647-468e-aa2f-1af1d3f4dd40\": \r\n {\r\n \"value\": \"Compliant\"\r\n },\r\n \"requiredRetentionDays\": \r\n {\r\n \"value\": \"365\"\r\n },\r\n \"resourceGroupName-b6e2945c-0b7b-40f5-9233-7a5323b5cdc6\": \r\n {\r\n \"value\": \"NetworkWatcherRG\"\r\n }\r\n }", + "$fxv#1": " {\r\n \"IncludeArcMachines\": \r\n {\r\n \"value\": \"true\"\r\n },\r\n \"MinimumTLSVersion-5752e6d6-1206-46d8-8ab1-ecc2f71a8112\": \r\n {\r\n \"value\": \"1.2\"\r\n },\r\n \"NotAvailableMachineState-bed48b13-6647-468e-aa2f-1af1d3f4dd40\": \r\n {\r\n \"value\": \"Compliant\"\r\n },\r\n \"requiredRetentionDays\": \r\n {\r\n \"value\": \"365\"\r\n },\r\n \"resourceGroupName-b6e2945c-0b7b-40f5-9233-7a5323b5cdc6\": \r\n {\r\n \"value\": \"NetworkWatcherRG\"\r\n }\r\n }", + "$fxv#2": "{\r\n \"IncludeArcMachines\" : { \r\n \"value\" : \"false\"\r\n },\r\n \"NotAvailableMachineState-bed48b13-6647-468e-aa2f-1af1d3f4dd40\" : { \r\n \"value\" : \"Compliant\"\r\n },\r\n \"MinimumTLSVersionForWindowsServers\" : { \r\n \"value\" : \"1.2\"\r\n },\r\n \"requiredRetentionDays\" : { \r\n \"value\" : \"365\"\r\n },\r\n \"effect-febd0533-8e55-448f-b837-bd0e06f16469\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"allowedContainerImagesRegex-febd0533-8e55-448f-b837-bd0e06f16469\" : { \r\n \"value\" : \"^(.+){0}$\"\r\n },\r\n 
\"effect-95edb821-ddaf-4404-9732-666045e056b4\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-440b515e-a580-421e-abeb-b159a61ddcbc\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-233a2a17-77ca-4fb1-9b6b-69223d272a44\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-e345eecc-fa47-480f-9e88-67dcc122b164\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"cpuLimit-e345eecc-fa47-480f-9e88-67dcc122b164\" : { \r\n \"value\" : \"0\"\r\n },\r\n \"memoryLimit-e345eecc-fa47-480f-9e88-67dcc122b164\" : { \r\n \"value\" : \"0\"\r\n },\r\n \"effect-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"runAsUserRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \r\n \"value\" : \"MustRunAsNonRoot\"\r\n },\r\n \"runAsGroupRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \r\n \"value\" : \"RunAsAny\"\r\n },\r\n \"supplementalGroupsRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \r\n \"value\" : \"RunAsAny\"\r\n },\r\n \"fsGroupRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \r\n \"value\" : \"RunAsAny\"\r\n },\r\n \"effect-1c6e92c9-99f0-4e55-9cf2-0c234dc48f99\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-df49d893-a74c-421d-bc95-c663042e5b80\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-c26596ff-4d70-4e6a-9a30-c2506bd2f80c\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-511f5417-5d12-434d-ab2e-816901e72a5e\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-82985f06-dc18-4a48-bc1c-b9f4f0098cfe\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-098fc59e-46c7-4d99-9b16-64990e543d75\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"NetworkWatcherResourceGroupName\" : { \r\n \"value\" : \"NetworkWatcherRG\"\r\n },\r\n \"setting-a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9\" : { \r\n \"value\" : \"enabled\"\r\n },\r\n \"aadAuthenticationInServiceFabricMonitoringEffect\" 
: { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-71ef260a-8f18-47b7-abcb-62d0673d94dc\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-055aa869-bc98-4af8-bafc-23f1ab6ffe2c\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-564feb30-bf6a-4854-b4bb-0d2d2d1e6c66\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-d9da03a1-f3c3-412a-9709-947156872263\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-617c02be-7f02-4efd-8836-3180d47b6c68\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-ec068d99-e9c7-401f-8cef-5bdde4e6ccf1\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-c349d81b-9985-44ae-a8da-ff98d108ede8\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-3657f5a0-770e-44a3-b44e-9431ba1e9735\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-b4ac1030-89c5-4697-8e00-28b5ba6a8811\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-ea0dfaed-95fb-448c-934e-d6e713ce393d\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-4733ea7b-a883-42fe-8cac-97454c2a9e4a\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-f4b53539-8df9-40e4-86c6-6b607703bd4e\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-41425d9f-d1a5-499a-9932-f8ed8453932c\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-fc4d8e41-e223-45ea-9bf5-eada37891d87\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-86efb160-8de7-451d-bc08-5d475b0aadae\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-4ec52d6d-beb7-40c4-9a9e-fe753254690e\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-64d314f6-6062-4780-a861-c23e8951bee5\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-1fd32ebd-e4c3-4e13-a54a-d7422d4d95f6\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-fa298e57-9444-42ba-bf04-86e8470e32c7\" : { \r\n \"value\" 
: \"audit\"\r\n },\r\n \"effect-67121cc7-ff39-4ab8-b7e3-95b84dab487d\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-1f905d99-2ab7-462c-a6b0-f709acca6c8f\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-ba769a63-b8cc-4b2d-abf6-ac33c7204be8\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-81e74cea-30fd-40d5-802f-d72103c2aaaa\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-0aa61e00-0a01-4a3c-9945-e93cffedf0e6\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-47031206-ce96-41f8-861b-6a915f3de284\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-87ba29ef-1ab3-4d82-b763-87fcd4f531f7\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-51522a96-0869-4791-82f3-981000c2c67f\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-b5ec538c-daa0-4006-8596-35468b9148e8\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-56a5ee18-2ae6-4810-86f7-18e39ce5629b\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-2e94d99a-8a36-4563-bc77-810d8893b671\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-1fafeaf6-7927-4059-a50a-8eb2a7a6f2b5\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-99e9ccd8-3db9-4592-b0d1-14b1715a4d8a\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-1f68a601-6e6d-4e42-babf-3f643a047ea2\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-f7d52b2d-e161-4dfa-a82b-55e564167385\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-7d7be79c-23ba-4033-84dd-45e2a5ccdd67\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-ca91455f-eace-4f96-be59-e6e2c35b4816\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-702dd420-7fcc-42c5-afe8-4026edd20fe0\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"diagnosticsLogsInRedisCacheMonitoringEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"secureTransferToStorageAccountMonitoringEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-d0793b48-0edc-4296-a390-4c75d1bdfd71\" : { \r\n \"value\" : \"Audit\"\r\n 
},\r\n \"effect-7d092e0a-7acd-40d2-a975-dca21cae48c4\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-2a1a9cdf-e04d-429a-8416-3bfb72a1b26f\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"disableUnrestrictedNetworkToStorageAccountMonitoringEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-55615ac9-af46-4a59-874e-391cc3dfb490\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-1b8ca024-1d5c-4dec-8995-b1a932b41780\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-037eea7a-bd0a-46c5-9a66-03aea78705d3\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-53503636-bcc9-4748-9663-5348217f160f\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-40cec1dd-a100-4920-b15b-3024fe8901ab\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-0725b4dd-7e76-479c-a735-68e7ee23d5ca\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-a049bf77-880b-470f-ba6d-9f21c530cf83\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-ee980b6d-0eca-4501-8d54-f6290fd512c3\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-1d84d5fb-01f6-4d12-ba4f-4a26081d403d\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-37e0d2fe-28a5-43d6-a273-67d37d1f5606\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"identityDesignateMoreThanOneOwnerMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"diskEncryptionMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"emailNotificationToSubscriptionOwnerHighSeverityAlertsEnabledEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"functionAppDisableRemoteDebuggingMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"sqlDbEncryptionMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"vulnerabilityAssessmentOnManagedInstanceMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"ensurePHPVersionLatestForAPIAppEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"aadAuthenticationInSqlServerMonitoringEffect\" : { \r\n \"value\" : 
\"AuditIfNotExists\"\r\n },\r\n \"vmssEndpointProtectionMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"vmssOsVulnerabilitiesMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"adaptiveApplicationControlsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"geoRedundantBackupShouldBeEnabledForAzureDatabaseForPostgreSQLEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"ensureJavaVersionLatestForWebAppEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"identityDesignateLessThanOwnersMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"securityContactEmailAddressForSubscriptionEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"webAppRestrictCORSAccessMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"identityRemoveExternalAccountWithWritePermissionsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"identityRemoveExternalAccountWithReadPermissionsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"identityRemoveDeprecatedAccountMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"functionAppEnforceHttpsMonitoringEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"ensurePythonVersionLatestForWebAppEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"ensurePythonVersionLatestForFunctionAppEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"ensurePHPVersionLatestForWebAppEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"ensurePythonVersionLatestForAPIAppEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"geoRedundantBackupShouldBeEnabledForAzureDatabaseForMySQLEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"systemUpdatesMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"ensureJavaVersionLatestForAPIAppEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n 
\"ensureHTTPVersionLatestForWebAppEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"apiAppRequireLatestTlsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"identityEnableMFAForWritePermissionsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"ensureHTTPVersionLatestForAPIAppEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"ensureJavaVersionLatestForFunctionAppEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"nextGenerationFirewallMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"useRbacRulesMonitoringEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"webAppEnforceHttpsMonitoringEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"sqlServerAuditingMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"vnetEnableDDoSProtectionMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"identityEnableMFAForOwnerPermissionsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"sqlServerAdvancedDataSecurityMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"sqlManagedInstanceAdvancedDataSecurityMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"endpointProtectionMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"jitNetworkAccessMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"apiAppEnforceHttpsMonitoringEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"geoRedundantStorageShouldBeEnabledForStorageAccountsEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"vmssSystemUpdatesMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"webAppDisableRemoteDebuggingMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"longtermGeoRedundantBackupEnabledAzureSQLDatabasesEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"systemConfigurationsMonitoringEffect\" : { \r\n \"value\" 
: \"AuditIfNotExists\"\r\n },\r\n \"ensureHTTPVersionLatestForFunctionAppEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"identityEnableMFAForReadPermissionsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"containerBenchmarkMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"apiAppDisableRemoteDebuggingMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"vulnerabilityAssessmentOnServerMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"webAppRequireLatestTlsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"identityRemoveExternalAccountWithOwnerPermissionsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"functionAppRequireLatestTlsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"kubernetesServiceVersionUpToDateMonitoringEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"sqlDbVulnerabilityAssesmentMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"membersToIncludeInLocalAdministratorsGroup\" : { \r\n \"value\" : \"\"\r\n },\r\n \"membersToExcludeInLocalAdministratorsGroup\" : { \r\n \"value\" : \"\"\r\n },\r\n \"logAnalyticsWorkspaceIDForVMAgents\" : { \r\n \"value\" : \"\"\r\n },\r\n \"PHPLatestVersionForAppServices\" : { \r\n \"value\" : \"7.4\"\r\n },\r\n \"JavaLatestVersionForAppServices\" : { \r\n \"value\" : \"11\"\r\n },\r\n \"WindowsPythonLatestVersionForAppServices\" : { \r\n \"value\" : \"3.6\"\r\n },\r\n \"LinuxPythonLatestVersionForAppServices\" : { \r\n \"value\" : \"3.9\"\r\n },\r\n \"ensureDotNetFrameworkLatestForFunctionAppEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"sqlManagedInstanceAdvancedDataSecurityEmailsMonitoringEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"vulnerabilityAssessmentMonitoringEffect\" : 
{ \r\n \"value\" : \"Disabled\"\r\n },\r\n \"ensureDotNetFrameworkLatestForWebAppEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"sqlServerAdvancedDataSecurityEmailsMonitoringEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"microsoftIaaSAntimalwareExtensionShouldBeDeployedOnWindowsServersEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"securityCenterStandardPricingTierShouldBeSelectedEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"theLogAnalyticsAgentShouldBeInstalledOnVirtualMachinesEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"ensurePHPVersionLatestForFunctionAppEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"sqlManagedInstanceAdvancedDataSecurityEmailAdminsMonitoringEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"securityContactPhoneNumberShouldBeProvidedForSubscriptionEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"threatDetectionTypesOnManagedInstanceMonitoringEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"ensureDotNetFrameworkLatestForAPIAppEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"sqlServerAdvancedDataSecurityEmailAdminsMonitoringEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"threatDetectionTypesOnServerMonitoringEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"theLogAnalyticsAgentShouldBeInstalledOnVirtualMachineScaleSetsEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n }\r\n}", + "$fxv#3": "{\r\n \"logAnalyticsWorkspaceId-f47b5582-33ec-4c5c-87c0-b010a6b2e917\" : { \r\n \"value\" : \"\"\r\n },\r\n \"effect-09024ccc-0c5f-475e-9457-b7c0d9ed487b\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"MembersToExclude-69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f\" :{\r\n \"value\": \"\"\r\n },\r\n \"MembersToInclude-30f71ea1-ac77-4f26-9fc5-2d926bbd4ba7\": {\r\n \"value\": \"\"\r\n },\r\n \"effect-0961003e-5a0a-4549-abde-af6a37f2724d\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-0b15565f-aa9e-48ba-8619-45960f2c314d\" : { \r\n \"value\" : 
\"AuditIfNotExists\"\r\n },\r\n \"effect-0e60b895-3786-45da-8377-9c6b4b6ac5f9\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-17k78e20-9358-41c9-923c-fb736d382a12\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"PHPLatestVersion\" : { \r\n \"value\" : \"7.3\"\r\n },\r\n \"effect-22bee202-a82f-4305-9a2a-6d7f44d4dedb\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-26a828e1-e88f-464e-bbb3-c134a282b9de\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-34c877ad-507e-4c82-993e-3452a6e0ad3c\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-404c3081-a854-4457-ae30-26a93ef643f9\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-47a6b606-51aa-4496-8bb7-64b11cf66adc\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-496223c3-ad65-4ecd-878a-bae78737e9ed\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"JavaLatestVersion\" : { \r\n \"value\" : \"11\"\r\n },\r\n \"effect-4f11b553-d42e-4e3a-89be-32ca364cad4c\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-5c607a2e-c700-4744-8254-d77e7c9eb5e4\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-5f76cf89-fbf2-47fd-a3f4-b891fa780b60\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-6b1cbf55-e8b6-442f-ba4c-7246b6381474\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-7008174a-fd10-4ef0-817e-fc820a951d73\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"LinuxPythonLatestVersion\" : { \r\n \"value\" : \"3.8\"\r\n },\r\n \"effect-7238174a-fd10-4ef0-817e-fc820a951d73\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n 
\"effect-7261b898-8a84-4db8-9e04-18527132abb3\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-74c3584d-afae-46f7-a20a-6f8adba71a16\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-86b3d65f-7626-441e-b690-81a8b71cff60\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-88999f4c-376a-45c8-bcb3-4058f713cf39\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-8c122334-9d20-4eb8-89ea-ac9a705b74ae\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-9297c21d-2ed6-4474-b48f-163f75654ce3\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-991310cd-e9f3-47bc-b7b6-f57b557d07db\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-9b597639-28e4-48eb-b506-56b05d366257\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-9daedab3-fb2d-461e-b861-71790eead4f6\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-a4af4a39-4135-47fb-b175-47fbdf85311d\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"setting-a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9\" : { \r\n \"value\" : \"enabled\"\r\n },\r\n \"effect-a70ca396-0a34-413a-88e1-b956c1e683be\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-aa633080-8b72-40c4-a2d7-d00c03e80bed\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-af6cd1bd-1635-48cb-bde7-5b15693900b9\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"resourceGroupName-b6e2945c-0b7b-40f5-9233-7a5323b5cdc6\" : { \r\n \"value\" : 
\"NetworkWatcherRG\"\r\n },\r\n \"effect-b7ddfbdc-1260-477d-91fd-98bd9be789a6\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-c3f317a7-a95c-4547-b7e7-11017ebdf2fe\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-cb510bfd-1cba-4d9f-a230-cb0976f4bb71\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-e2c1c086-2d84-4019-bff3-c44ccd95113c\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-e3576e28-8b17-4677-84c3-db2990658d64\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-e8cbc669-f12d-49eb-93e7-9273119e9933\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-e9c8d085-d9cc-4b17-9cdc-059f1f01f19e\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-ebb62a0c-3560-49e1-89ed-27e074e9f8ad\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-efbde977-ba53-4479-b8e9-10b957924fbf\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-f6de0be7-9a8a-4b8a-b349-43cf02d22f7c\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-f8456c1c-aa66-4dfb-861a-25d127b775c9\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-f9d614c5-c173-4d56-95a7-b4437057d193\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-fb893a29-21bb-418c-a157-e99480ec364c\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-feedbf84-6b99-488c-acc2-71c829aa5ffc\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-3b980d31-7904-4bb7-8575-5665739a8052\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-6e2593d9-add6-4083-9c9b-4b7d2188c899\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-12430be1-6cc8-4527-a9a8-e3d38f250096\" : { \r\n \"value\" : 
\"Audit\"\r\n },\r\n \"modeRequirement-12430be1-6cc8-4527-a9a8-e3d38f250096\" : { \r\n \"value\" : \"Detection\"\r\n },\r\n \"effect-425bea59-a659-4cbb-8d31-34499bd030b8\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"modeRequirement-425bea59-a659-4cbb-8d31-34499bd030b8\" : { \r\n \"value\" : \"Detection\"\r\n },\r\n \"effect-564feb30-bf6a-4854-b4bb-0d2d2d1e6c66\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-055aa869-bc98-4af8-bafc-23f1ab6ffe2c\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-013e242c-8828-4970-87b3-ab247555486d\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-d38fc420-0735-4ef3-ac11-c806f651a570\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-a1181c5f-672a-477a-979a-7d58aa086233\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-308fbb08-4ab8-4e67-9b29-592e93fb94fa\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-4da35fc9-c9e7-4960-aec9-797fe7d9051d\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-523b5cd1-3e23-492f-a539-13118b6d1e3a\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-7fe3b40f-802b-4cdd-8bd4-fd799c948cc2\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-c25d9a16-bc35-4e15-a7e5-9db606bf9ed4\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-b0f33259-77d7-4c9e-aac6-3aabcfae693c\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-037eea7a-bd0a-46c5-9a66-03aea78705d3\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-0725b4dd-7e76-479c-a735-68e7ee23d5ca\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-0820b7b9-23aa-4725-a1ce-ae4558f718e5\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-2c89a2e5-7285-40fe-afe0-ae8654b92fab\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-358c20a6-3f9e-4f0e-97ff-c6ce485e2aac\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-5744710e-cc2f-4ee8-8809-3b11e89f4bc9\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n 
\"effect-ac4a19c2-fa67-49b4-8ae5-0b2e78c49457\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-c9d007d0-c057-4772-b18c-01e546713bcd\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-d0793b48-0edc-4296-a390-4c75d1bdfd71\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-e372f825-a257-4fb8-9175-797a8a8627d6\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-d158790f-bfb0-486c-8631-2dc6b4e8e6af\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-e802a67a-daf5-4436-9ea6-f6d821dd0c5d\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-a451c1ef-c6ca-483d-87ed-f49761e3ffb5\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftSql-servers-firewallRules-delete\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftNetwork-networkSecurityGroups-delete\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftClassicNetwork-networkSecurityGroups-delete\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftNetwork-networkSecurityGroups-securityRules-delete\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftClassicNetwork-networkSecurityGroups-securityRules-delete\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-ae89ebca-1c92-4898-ac2c-9f63decb045c\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-d26f7642-7545-4e18-9b75-8c9bbdee3a9a\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-1a4e592a-6a6e-44a5-9814-e36264ca96e7\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-7796937f-307b-4598-941c-67d3a05ebfe7\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-c5447c04-a4d7-4ba8-a263-c9ee321a6858\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-41388f1c-2db0-4c25-95b2-35d7f5ccbfa9\" : { \r\n \"value\" : 
\"AuditIfNotExists\"\r\n },\r\n \"effect-b02aacc0-b073-424e-8298-42b22829ee0a\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-0ec47710-77ff-4a3d-9181-6aa50af424d0\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-48af4db5-9b8b-401c-8e74-076be876a430\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-82339799-d096-41ae-8538-b108becf0970\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-1b7aa243-30e4-4c9e-bca8-d0d3022b634a\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-bb91dfba-c30d-4263-9add-9c2384e659a6\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-e71308d3-144b-4262-b144-efdc3cc90517\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-2bdd0062-9d75-436e-89df-487dd8e4b3c7\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"effect-4733ea7b-a883-42fe-8cac-97454c2a9e4a\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-67121cc7-ff39-4ab8-b7e3-95b84dab487d\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-6fac406b-40ca-413b-bf8e-0bf964659c25\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-81e74cea-30fd-40d5-802f-d72103c2aaaa\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-c349d81b-9985-44ae-a8da-ff98d108ede8\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-f4b53539-8df9-40e4-86c6-6b607703bd4e\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-ec068d99-e9c7-401f-8cef-5bdde4e6ccf1\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-048248b0-55cd-46da-b1ff-39efd52db260\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-0d134df8-db83-46fb-ad72-fe0c9428c8dd\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-2c89a2e5-7285-40fe-afe0-ae8654b92fb2\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-3657f5a0-770e-44a3-b44e-9431ba1e9735\" : { \r\n \"value\" : 
\"Audit\"\r\n },\r\n \"effect-5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-617c02be-7f02-4efd-8836-3180d47b6c68\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-7d7be79c-23ba-4033-84dd-45e2a5ccdd67\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-87ba29ef-1ab3-4d82-b763-87fcd4f531f7\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-f7d52b2d-e161-4dfa-a82b-55e564167385\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-c43e4a30-77cb-48ab-a4dd-93f175c63b57\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-1f314764-cb73-4fc9-b863-8eca98ac36e9\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-123a3936-f020-408a-ba0c-47873faf1534\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n }\r\n}\r\n", + "modifiedAssignment": "[if(and(equals(toLower(environment().name), toLower('AzureCloud')), equals(toLower(parameters('builtInAssignment')), toLower('IL5'))), 'NISTRev4', parameters('builtInAssignment'))]", + "assignmentName": "[format('{0} {1}', variables('modifiedAssignment'), resourceGroup().name)]", + "agentVmssAssignmentName": "[format('Deploy VMSS Agents {0}', resourceGroup().name)]", + "agentVmAssignmentName": "[format('Deploy VM Agents {0}', resourceGroup().name)]", + "contributorRoleDefinitionId": "[resourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "lawsReaderRoleDefinitionId": "[resourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]" + }, "resources": [ { - "condition": "[contains(parameters('supportedClouds'), environment().name)]", - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2017-05-01-preview", - "scope": "[format('Microsoft.OperationalInsights/workspaces/{0}', 
parameters('logAnalyticsWorkspaceName'))]", - "name": "enable-log-analytics-diagnostics", + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2020-09-01", + "name": "[variables('assignmentName')]", + "location": "[parameters('location')]", "properties": { - "workspaceId": "[resourceId('Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))]", - "storageAccountId": "[resourceId('Microsoft.Storage/storageAccounts', parameters('diagnosticStorageAccountName'))]", - "logs": [ - { - "category": "Audit", - "enabled": true + "policyDefinitionId": "[createObject('NISTRev4', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f', 'parameters', json(replace(variables('$fxv#0'), '', extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))))), 'NISTRev5', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f', 'parameters', json(variables('$fxv#1'))), 'IL5', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/f9a961fa-3241-4b20-adc4-bbf8ad9d7197', 'parameters', json(replace(variables('$fxv#2'), '', extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))))), 'CMMC', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/b5629c75-5c77-4422-87b9-2509e680f8de', 'parameters', json(replace(variables('$fxv#3'), '', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 
'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName')), '2021-06-01').customerId))))[variables('modifiedAssignment')].id]", + "parameters": "[createObject('NISTRev4', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f', 'parameters', json(replace(variables('$fxv#0'), '', extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))))), 'NISTRev5', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f', 'parameters', json(variables('$fxv#1'))), 'IL5', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/f9a961fa-3241-4b20-adc4-bbf8ad9d7197', 'parameters', json(replace(variables('$fxv#2'), '', extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))))), 'CMMC', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/b5629c75-5c77-4422-87b9-2509e680f8de', 'parameters', json(replace(variables('$fxv#3'), '', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName')), '2021-06-01').customerId))))[variables('modifiedAssignment')].parameters]" + }, + "identity": { + "type": "SystemAssigned" + } + }, + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2020-09-01", + "name": "[variables('agentVmssAssignmentName')]", + "location": "[parameters('location')]", + "properties": { + 
"policyDefinitionId": "[tenantResourceId('Microsoft.Authorization/policySetDefinitions', '75714362-cae7-409e-9b99-a8e5075b7fad')]", + "parameters": { + "logAnalytics_1": { + "value": "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))]" } - ], - "metrics": [ - { - "category": "AllMetrics", - "enabled": true + } + }, + "identity": { + "type": "SystemAssigned" + } + }, + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2020-09-01", + "name": "[variables('agentVmAssignmentName')]", + "location": "[parameters('location')]", + "properties": { + "policyDefinitionId": "[tenantResourceId('Microsoft.Authorization/policySetDefinitions', '55f3eceb-5573-4f18-9695-226972c6d74a')]", + "parameters": { + "logAnalytics_1": { + "value": "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))]" } - ] + } + }, + "identity": { + "type": "SystemAssigned" } + }, + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2020-04-01-preview", + "name": "[guid(variables('contributorRoleDefinitionId'), variables('assignmentName'))]", + "properties": { + "roleDefinitionId": "[variables('contributorRoleDefinitionId')]", + "principalId": "[if(empty(variables('modifiedAssignment')), '', reference(resourceId('Microsoft.Authorization/policyAssignments', variables('assignmentName')), '2020-09-01', 'full').identity.principalId)]", + "principalType": "ServicePrincipal" + }, + "dependsOn": [ + "[resourceId('Microsoft.Authorization/policyAssignments', variables('assignmentName'))]" + ] + }, + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": 
"2020-04-01-preview", + "name": "[guid(variables('contributorRoleDefinitionId'), variables('agentVmssAssignmentName'))]", + "properties": { + "roleDefinitionId": "[variables('contributorRoleDefinitionId')]", + "principalId": "[reference(resourceId('Microsoft.Authorization/policyAssignments', variables('agentVmssAssignmentName')), '2020-09-01', 'full').identity.principalId]", + "principalType": "ServicePrincipal" + }, + "dependsOn": [ + "[resourceId('Microsoft.Authorization/policyAssignments', variables('agentVmssAssignmentName'))]" + ] + }, + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2020-04-01-preview", + "name": "[guid(variables('contributorRoleDefinitionId'), variables('agentVmAssignmentName'))]", + "properties": { + "roleDefinitionId": "[variables('contributorRoleDefinitionId')]", + "principalId": "[reference(resourceId('Microsoft.Authorization/policyAssignments', variables('agentVmAssignmentName')), '2020-09-01', 'full').identity.principalId]", + "principalType": "ServicePrincipal" + }, + "dependsOn": [ + "[resourceId('Microsoft.Authorization/policyAssignments', variables('agentVmAssignmentName'))]" + ] + }, + { + "condition": "[parameters('deployRemediation')]", + "type": "Microsoft.PolicyInsights/remediations", + "apiVersion": "2019-07-01", + "name": "VM-Agent-Policy-Remediation", + "properties": { + "policyAssignmentId": "[resourceId('Microsoft.Authorization/policyAssignments', variables('agentVmAssignmentName'))]", + "resourceDiscoveryMode": "ReEvaluateCompliance" + }, + "dependsOn": [ + "[resourceId('Microsoft.Authorization/policyAssignments', variables('agentVmAssignmentName'))]" + ] + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('Assign-Laws-Role-Policy-{0}', resourceGroup().name)]", + "subscriptionId": "[parameters('operationsSubscriptionId')]", + "resourceGroup": "[parameters('logAnalyticsWorkspaceResourceGroupName')]", + "properties": { + 
"expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "targetResourceId": { + "value": "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))]" + }, + "roleDefinitionId": { + "value": "[variables('lawsReaderRoleDefinitionId')]" + }, + "principalId": { + "value": "[reference(resourceId('Microsoft.Authorization/policyAssignments', variables('agentVmAssignmentName')), '2020-09-01', 'full').identity.principalId]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.24.24.22086", + "templateHash": "8686326864657481429" + } + }, + "parameters": { + "targetResourceId": { + "type": "string" + }, + "roleDefinitionId": { + "type": "string" + }, + "principalId": { + "type": "string" + }, + "principalType": { + "type": "string", + "defaultValue": "ServicePrincipal", + "allowedValues": [ + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ] + }, + "description": { + "type": "string", + "defaultValue": "" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2020-04-01-preview", + "name": "[guid(parameters('targetResourceId'), parameters('roleDefinitionId'), parameters('principalId'))]", + "properties": { + "principalId": "[parameters('principalId')]", + "principalType": "[parameters('principalType')]", + "roleDefinitionId": "[parameters('roleDefinitionId')]", + "description": "[parameters('description')]" + } + } + ] + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Authorization/policyAssignments', variables('agentVmAssignmentName'))]" + ] } ] } }, "dependsOn": [ - 
"[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix')))]", - "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix')))]", - "spokeNetworks" + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix')))]" ] }, { "condition": "[parameters('deployDefender')]", "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", + "apiVersion": "2022-09-01", "name": "[format('set-hub-sub-defender-{0}', parameters('deploymentNameSuffix'))]", "subscriptionId": "[parameters('hubSubscriptionId')]", "location": "[deployment().location]", @@ -7151,7 +6650,7 @@ "mode": "Incremental", "parameters": { "logAnalyticsWorkspaceId": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix')))).outputs.id.value]" + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.id.value]" }, "emailSecurityContact": { "value": "[parameters('emailSecurityContact')]" 
@@ -7166,8 +6665,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.10.61.36676", - "templateHash": "9863600299947422102" + "version": "0.24.24.22086", + "templateHash": "17349871984393503749" } }, "parameters": { @@ -7285,13 +6784,13 @@ ] }, { - "condition": "[and(parameters('deployDefender'), not(equals(variables('spokes')[copyIndex()].subscriptionId, parameters('hubSubscriptionId'))))]", "copy": { "name": "spokeDefender", "count": "[length(variables('spokes'))]" }, + "condition": "[and(parameters('deployDefender'), not(equals(variables('spokes')[copyIndex()].subscriptionId, parameters('hubSubscriptionId'))))]", "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", + "apiVersion": "2022-09-01", "name": "[format('set-{0}-sub-defender', variables('spokes')[copyIndex()].name)]", "subscriptionId": "[variables('spokes')[copyIndex()].subscriptionId]", "location": "[deployment().location]", @@ -7302,7 +6801,7 @@ "mode": "Incremental", "parameters": { "logAnalyticsWorkspaceId": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix')))).outputs.id.value]" + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.id.value]" }, "emailSecurityContact": { "value": "[parameters('emailSecurityContact')]" @@ -7317,8 +6816,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.10.61.36676", - "templateHash": "9863600299947422102" + "version": "0.24.24.22086", + "templateHash": "17349871984393503749" } }, "parameters": { 
@@ -7438,7 +6937,7 @@ { "condition": "[parameters('deployRemoteAccess')]", "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", + "apiVersion": "2022-09-01", "name": "[format('deploy-remote-access-{0}', parameters('deploymentNameSuffix'))]", "subscriptionId": "[parameters('hubSubscriptionId')]", "resourceGroup": "[variables('hubResourceGroupName')]", 
@@ -7448,23 +6947,17 @@ }, "mode": "Incremental", "parameters": { - "location": { - "value": "[parameters('location')]" - }, - "hubVirtualNetworkName": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix')))).outputs.virtualNetworkName.value]" - }, - "hubSubnetResourceId": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix')))).outputs.subnetResourceId.value]" - }, - "hubNetworkSecurityGroupResourceId": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix')))).outputs.networkSecurityGroupResourceId.value]" + "bastionHostIPConfigurationName": { + "value": "[variables('bastionHostIPConfigurationName')]" }, "bastionHostName": { "value": "[variables('bastionHostName')]" }, - "bastionHostSubnetAddressPrefix": { - "value": "[parameters('bastionHostSubnetAddressPrefix')]" + "bastionHostPublicIPAddressAllocationMethod": { + "value": "[variables('bastionHostPublicIPAddressAllocationMethod')]" + }, + "bastionHostPublicIPAddressAvailabilityZones": { + "value": "[parameters('bastionHostPublicIPAddressAvailabilityZones')]" }, "bastionHostPublicIPAddressName": { "value": "[variables('bastionHostPublicIPAddressName')]" 
@@ -7472,98 +6965,104 @@ "bastionHostPublicIPAddressSkuName": { "value": "[variables('bastionHostPublicIPAddressSkuName')]" }, - "bastionHostPublicIPAddressAllocationMethod": { - "value": "[variables('bastionHostPublicIPAddressAllocationMethod')]" - }, - "bastionHostPublicIPAddressAvailabilityZones": { - "value": "[parameters('bastionHostPublicIPAddressAvailabilityZones')]" + "bastionHostSubnetResourceId": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.bastionHostSubnetResourceId.value]" }, - "bastionHostIPConfigurationName": { - "value": "[variables('bastionHostIPConfigurationName')]" + "hubNetworkSecurityGroupResourceId": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.networkSecurityGroupResourceId.value]" }, - "linuxNetworkInterfaceName": { - "value": "[variables('linuxNetworkInterfaceName')]" + "hubSubnetResourceId": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.subnetResourceId.value]" }, "linuxNetworkInterfaceIpConfigurationName": { "value": "[variables('linuxNetworkInterfaceIpConfigurationName')]" }, + "linuxNetworkInterfaceName": { + "value": "[variables('linuxNetworkInterfaceName')]" + }, "linuxNetworkInterfacePrivateIPAddressAllocationMethod": { "value": "[parameters('linuxNetworkInterfacePrivateIPAddressAllocationMethod')]" }, - "linuxVmName": { - 
"value": "[variables('linuxVmName')]" - }, - "linuxVmSize": { - "value": "[parameters('linuxVmSize')]" - }, - "linuxVmOsDiskCreateOption": { - "value": "[parameters('linuxVmOsDiskCreateOption')]" + "linuxVmAdminPasswordOrKey": { + "value": "[parameters('linuxVmAdminPasswordOrKey')]" }, - "linuxVmOsDiskType": { - "value": "[parameters('linuxVmOsDiskType')]" + "linuxVmAdminUsername": { + "value": "[parameters('linuxVmAdminUsername')]" }, - "linuxVmImagePublisher": { - "value": "[parameters('linuxVmImagePublisher')]" + "linuxVmAuthenticationType": { + "value": "[parameters('linuxVmAuthenticationType')]" }, "linuxVmImageOffer": { "value": "[parameters('linuxVmImageOffer')]" }, + "linuxVmImagePublisher": { + "value": "[parameters('linuxVmImagePublisher')]" + }, "linuxVmImageSku": { "value": "[parameters('linuxVmImageSku')]" }, "linuxVmImageVersion": { "value": "[parameters('linuxVmImageVersion')]" }, - "linuxVmAdminUsername": { - "value": "[parameters('linuxVmAdminUsername')]" + "linuxVmName": { + "value": "[variables('linuxVmName')]" }, - "linuxVmAuthenticationType": { - "value": "[parameters('linuxVmAuthenticationType')]" + "linuxVmOsDiskCreateOption": { + "value": "[parameters('linuxVmOsDiskCreateOption')]" }, - "linuxVmAdminPasswordOrKey": { - "value": "[parameters('linuxVmAdminPasswordOrKey')]" + "linuxVmOsDiskType": { + "value": "[parameters('linuxVmOsDiskType')]" }, - "windowsNetworkInterfaceName": { - "value": "[variables('windowsNetworkInterfaceName')]" + "linuxVmSize": { + "value": "[parameters('linuxVmSize')]" + }, + "location": { + "value": "[parameters('location')]" + }, + "logAnalyticsWorkspaceId": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.id.value]" + }, + "tags": { + "value": "[parameters('tags')]" }, 
"windowsNetworkInterfaceIpConfigurationName": { "value": "[variables('windowsNetworkInterfaceIpConfigurationName')]" }, + "windowsNetworkInterfaceName": { + "value": "[variables('windowsNetworkInterfaceName')]" + }, "windowsNetworkInterfacePrivateIPAddressAllocationMethod": { "value": "[parameters('windowsNetworkInterfacePrivateIPAddressAllocationMethod')]" }, - "windowsVmName": { - "value": "[variables('windowsVmName')]" - }, - "windowsVmSize": { - "value": "[parameters('windowsVmSize')]" + "windowsVmAdminPassword": { + "value": "[parameters('windowsVmAdminPassword')]" }, "windowsVmAdminUsername": { "value": "[parameters('windowsVmAdminUsername')]" }, - "windowsVmAdminPassword": { - "value": "[parameters('windowsVmAdminPassword')]" + "windowsVmCreateOption": { + "value": "[parameters('windowsVmCreateOption')]" }, - "windowsVmPublisher": { - "value": "[parameters('windowsVmPublisher')]" + "windowsVmName": { + "value": "[variables('windowsVmName')]" }, "windowsVmOffer": { "value": "[parameters('windowsVmOffer')]" }, - "windowsVmSku": { - "value": "[parameters('windowsVmSku')]" + "windowsVmPublisher": { + "value": "[parameters('windowsVmPublisher')]" }, - "windowsVmVersion": { - "value": "[parameters('windowsVmVersion')]" + "windowsVmSize": { + "value": "[parameters('windowsVmSize')]" }, - "windowsVmCreateOption": { - "value": "[parameters('windowsVmCreateOption')]" + "windowsVmSku": { + "value": "[parameters('windowsVmSku')]" }, "windowsVmStorageAccountType": { "value": "[parameters('windowsVmStorageAccountType')]" }, - "logAnalyticsWorkspaceId": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix')))).outputs.id.value]" + "windowsVmVersion": { + "value": "[parameters('windowsVmVersion')]" } }, "template": { 
@@ -7572,73 +7071,65 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.10.61.36676", - "templateHash": "12263908493790666338" + "version": "0.24.24.22086", + "templateHash": "2948298183799059014" } }, "parameters": { - "location": { - "type": "string" - }, - "tags": { - "type": "object", - "defaultValue": {} - }, - "hubVirtualNetworkName": { - "type": "string" - }, - "hubSubnetResourceId": { - "type": "string" - }, - "hubNetworkSecurityGroupResourceId": { + "bastionHostIPConfigurationName": { "type": "string" }, "bastionHostName": { "type": "string" }, - "bastionHostSubnetAddressPrefix": { + "bastionHostPublicIPAddressAllocationMethod": { "type": "string" }, + "bastionHostPublicIPAddressAvailabilityZones": { + "type": "array" + }, "bastionHostPublicIPAddressName": { "type": "string" }, "bastionHostPublicIPAddressSkuName": { "type": "string" }, - "bastionHostPublicIPAddressAllocationMethod": { + "bastionHostSubnetResourceId": { "type": "string" }, - "bastionHostPublicIPAddressAvailabilityZones": { - "type": "array" - }, - "bastionHostIPConfigurationName": { + "hubNetworkSecurityGroupResourceId": { "type": "string" }, - "linuxNetworkInterfaceName": { + "hubSubnetResourceId": { "type": "string" }, "linuxNetworkInterfaceIpConfigurationName": { "type": "string" }, - "linuxNetworkInterfacePrivateIPAddressAllocationMethod": { + "linuxNetworkInterfaceName": { "type": "string" }, - "linuxVmName": { + "linuxNetworkInterfacePrivateIPAddressAllocationMethod": { "type": "string" }, - "linuxVmSize": { - "type": "string" + "linuxVmAdminPasswordOrKey": { + "type": "securestring", + "minLength": 12 }, - "linuxVmOsDiskCreateOption": { + "linuxVmAdminUsername": { "type": "string" }, - "linuxVmOsDiskType": { - "type": "string" + "linuxVmAuthenticationType": { + "type": "string", + "allowedValues": [ + "sshPublicKey", + "password" + ] }, - "linuxVmImagePublisher": { + "linuxVmImageOffer": { "type": "string" }, - "linuxVmImageOffer": { + "linuxVmImagePublisher": { 
"type": "string" }, "linuxVmImageSku": { @@ -7647,68 +7138,72 @@ "linuxVmImageVersion": { "type": "string" }, - "linuxVmAdminUsername": { + "linuxVmName": { "type": "string" }, - "linuxVmAuthenticationType": { - "type": "string", - "allowedValues": [ - "sshPublicKey", - "password" - ] + "linuxVmOsDiskCreateOption": { + "type": "string" }, - "linuxVmAdminPasswordOrKey": { - "type": "secureString", - "minLength": 12 + "linuxVmOsDiskType": { + "type": "string" }, - "windowsNetworkInterfaceName": { + "linuxVmSize": { "type": "string" }, - "windowsNetworkInterfaceIpConfigurationName": { + "location": { "type": "string" }, - "windowsNetworkInterfacePrivateIPAddressAllocationMethod": { + "logAnalyticsWorkspaceId": { "type": "string" }, - "windowsVmName": { + "tags": { + "type": "object" + }, + "windowsNetworkInterfaceIpConfigurationName": { "type": "string" }, - "windowsVmSize": { + "windowsNetworkInterfaceName": { "type": "string" }, - "windowsVmAdminUsername": { + "windowsNetworkInterfacePrivateIPAddressAllocationMethod": { "type": "string" }, "windowsVmAdminPassword": { - "type": "secureString", + "type": "securestring", "minLength": 12 }, - "windowsVmPublisher": { + "windowsVmAdminUsername": { + "type": "string" + }, + "windowsVmCreateOption": { + "type": "string" + }, + "windowsVmName": { "type": "string" }, "windowsVmOffer": { "type": "string" }, - "windowsVmSku": { + "windowsVmPublisher": { "type": "string" }, - "windowsVmVersion": { + "windowsVmSize": { "type": "string" }, - "windowsVmCreateOption": { + "windowsVmSku": { "type": "string" }, "windowsVmStorageAccountType": { "type": "string" }, - "logAnalyticsWorkspaceId": { + "windowsVmVersion": { "type": "string" } }, "resources": [ { "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", + "apiVersion": "2022-09-01", "name": "remoteAccess-bastionHost", "properties": { "expressionEvaluationOptions": { 
@@ -7716,20 +7211,23 @@ }, "mode": "Incremental", "parameters": { - "name": { - "value": "[parameters('bastionHostName')]" + "bastionHostSubnetResourceId": { + "value": "[parameters('bastionHostSubnetResourceId')]" + }, + "ipConfigurationName": { + "value": "[parameters('bastionHostIPConfigurationName')]" }, "location": { "value": "[parameters('location')]" }, - "tags": { - "value": "[parameters('tags')]" + "name": { + "value": "[parameters('bastionHostName')]" }, - "virtualNetworkName": { - "value": "[parameters('hubVirtualNetworkName')]" + "publicIPAddressAllocationMethod": { + "value": "[parameters('bastionHostPublicIPAddressAllocationMethod')]" }, - "subnetAddressPrefix": { - "value": "[parameters('bastionHostSubnetAddressPrefix')]" + "publicIPAddressAvailabilityZones": { + "value": "[parameters('bastionHostPublicIPAddressAvailabilityZones')]" }, "publicIPAddressName": { "value": "[parameters('bastionHostPublicIPAddressName')]" @@ -7737,14 +7235,8 @@ "publicIPAddressSkuName": { "value": "[parameters('bastionHostPublicIPAddressSkuName')]" }, - "publicIPAddressAllocationMethod": { - "value": "[parameters('bastionHostPublicIPAddressAllocationMethod')]" - }, - "publicIPAddressAvailabilityZones": { - "value": "[parameters('bastionHostPublicIPAddressAvailabilityZones')]" - }, - "ipConfigurationName": { - "value": "[parameters('bastionHostIPConfigurationName')]" + "tags": { + "value": "[parameters('tags')]" } }, "template": { 
@@ -7753,31 +7245,21 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.10.61.36676", - "templateHash": "9188768803513020911" + "version": "0.24.24.22086", + "templateHash": "11993026043185066546" } }, "parameters": { - "name": { - "type": "string" - }, - "location": { - "type": "string" - }, - "tags": { - "type": "object", - "defaultValue": {} - }, - "virtualNetworkName": { + "bastionHostSubnetResourceId": { "type": "string" }, - "subnetAddressPrefix": { + "ipConfigurationName": { "type": "string" }, - "publicIPAddressName": { + "location": { "type": "string" }, - "publicIPAddressSkuName": { + "name": { "type": "string" }, "publicIPAddressAllocationMethod": { @@ -7786,13 +7268,16 @@ "publicIPAddressAvailabilityZones": { "type": "array" }, - "ipConfigurationName": { + "publicIPAddressName": { + "type": "string" + }, + "publicIPAddressSkuName": { "type": "string" + }, + "tags": { + "type": "object" } }, - "variables": { - "subnetName": "AzureBastionSubnet" - }, "resources": [ { "type": "Microsoft.Network/publicIPAddresses", @@ -7808,14 +7293,6 @@ }, "zones": "[parameters('publicIPAddressAvailabilityZones')]" }, - { - "type": "Microsoft.Network/virtualNetworks/subnets", - "apiVersion": "2021-02-01", - "name": "[format('{0}/{1}', parameters('virtualNetworkName'), variables('subnetName'))]", - "properties": { - "addressPrefix": "[parameters('subnetAddressPrefix')]" - } - }, { "type": "Microsoft.Network/bastionHosts", "apiVersion": "2021-02-01", 
@@ -7828,7 +7305,7 @@ "name": "[parameters('ipConfigurationName')]", "properties": { "subnet": { - "id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', split(format('{0}/{1}', parameters('virtualNetworkName'), variables('subnetName')), '/')[0], split(format('{0}/{1}', parameters('virtualNetworkName'), variables('subnetName')), '/')[1])]" + "id": "[parameters('bastionHostSubnetResourceId')]" }, "publicIPAddress": { "id": "[resourceId('Microsoft.Network/publicIPAddresses', parameters('publicIPAddressName'))]" @@ -7838,8 +7315,7 @@ ] }, "dependsOn": [ - "[resourceId('Microsoft.Network/publicIPAddresses', parameters('publicIPAddressName'))]", - "[resourceId('Microsoft.Network/virtualNetworks/subnets', split(format('{0}/{1}', parameters('virtualNetworkName'), variables('subnetName')), '/')[0], split(format('{0}/{1}', parameters('virtualNetworkName'), variables('subnetName')), '/')[1])]" + "[resourceId('Microsoft.Network/publicIPAddresses', parameters('publicIPAddressName'))]" ] } ] @@ -7848,7 +7324,7 @@ }, { "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", + "apiVersion": "2022-09-01", "name": "remoteAccess-linuxNetworkInterface", "properties": { "expressionEvaluationOptions": { @@ -7884,8 +7360,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.10.61.36676", - "templateHash": "11989297668424739974" + "version": "0.24.24.22086", + "templateHash": "16624262267285514706" } }, "parameters": { @@ -7952,7 +7428,7 @@ }, { "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", + "apiVersion": "2022-09-01", "name": "remoteAccess-linuxVirtualMachine", "properties": { "expressionEvaluationOptions": { 
@@ -8000,7 +7476,7 @@ "value": "[parameters('linuxVmAdminPasswordOrKey')]" }, "networkInterfaceName": { - "value": "[reference(resourceId('Microsoft.Resources/deployments', 'remoteAccess-linuxNetworkInterface')).outputs.name.value]" + "value": "[reference(resourceId('Microsoft.Resources/deployments', 'remoteAccess-linuxNetworkInterface'), '2022-09-01').outputs.name.value]" }, "logAnalyticsWorkspaceId": { "value": "[parameters('logAnalyticsWorkspaceId')]" @@ -8012,25 +7488,32 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.10.61.36676", - "templateHash": "13732851487663219597" + "version": "0.24.24.22086", + "templateHash": "11466857937583591261" } }, "parameters": { - "name": { + "adminPasswordOrKey": { + "type": "securestring", + "minLength": 12 + }, + "adminUsername": { "type": "string" }, + "authenticationType": { + "type": "string", + "allowedValues": [ + "sshPublicKey", + "password" + ] + }, "location": { "type": "string" }, - "tags": { - "type": "object", - "defaultValue": {} - }, - "networkInterfaceName": { + "name": { "type": "string" }, - "vmSize": { + "networkInterfaceName": { "type": "string" }, "osDiskCreateOption": { @@ -8039,32 +7522,24 @@ "osDiskType": { "type": "string" }, - "vmImagePublisher": { - "type": "string" + "tags": { + "type": "object" }, "vmImageOffer": { "type": "string" }, + "vmImagePublisher": { + "type": "string" + }, "vmImageSku": { "type": "string" }, "vmImageVersion": { "type": "string" }, - "adminUsername": { + "vmSize": { "type": "string" }, - "authenticationType": { - "type": "string", - "allowedValues": [ - "sshPublicKey", - "password" - ] - }, - "adminPasswordOrKey": { - "type": "secureString", - "minLength": 12 - }, "logAnalyticsWorkspaceId": { "type": "string" } 
@@ -8125,7 +7600,7 @@ { "type": "Microsoft.Compute/virtualMachines/extensions", "apiVersion": "2020-06-01", - "name": "[format('{0}/Microsoft.Azure.NetworkWatcher', parameters('name'))]", + "name": "[format('{0}/{1}', parameters('name'), 'Microsoft.Azure.NetworkWatcher')]", "location": "[parameters('location')]", "properties": { "publisher": "Microsoft.Azure.NetworkWatcher", @@ -8156,7 +7631,7 @@ { "type": "Microsoft.Compute/virtualMachines/extensions", "apiVersion": "2020-06-01", - "name": "[format('{0}/OMSExtension', parameters('name'))]", + "name": "[format('{0}/{1}', parameters('name'), 'OMSExtension')]", "location": "[parameters('location')]", "properties": { "publisher": "Microsoft.EnterpriseCloud.Monitoring", @@ -8171,14 +7646,14 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Compute/virtualMachines/extensions', split(format('{0}/Microsoft.Azure.NetworkWatcher', parameters('name')), '/')[0], split(format('{0}/Microsoft.Azure.NetworkWatcher', parameters('name')), '/')[1])]", + "[resourceId('Microsoft.Compute/virtualMachines/extensions', parameters('name'), 'Microsoft.Azure.NetworkWatcher')]", "[resourceId('Microsoft.Compute/virtualMachines', parameters('name'))]" ] }, { "type": "Microsoft.Compute/virtualMachines/extensions", "apiVersion": "2020-06-01", - "name": "[format('{0}/DependencyAgentLinux', parameters('name'))]", + "name": "[format('{0}/{1}', parameters('name'), 'DependencyAgentLinux')]", "location": "[parameters('location')]", "properties": { "publisher": "Microsoft.Azure.Monitoring.DependencyAgent", @@ -8187,7 +7662,7 @@ "autoUpgradeMinorVersion": true }, "dependsOn": [ - "[resourceId('Microsoft.Compute/virtualMachines/extensions', split(format('{0}/OMSExtension', parameters('name')), '/')[0], split(format('{0}/OMSExtension', parameters('name')), '/')[1])]", + "[resourceId('Microsoft.Compute/virtualMachines/extensions', parameters('name'), 'OMSExtension')]", "[resourceId('Microsoft.Compute/virtualMachines', parameters('name'))]" ] } 
@@ -8210,7 +7685,7 @@ }, { "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", + "apiVersion": "2022-09-01", "name": "remoteAccess-windowsNetworkInterface", "properties": { "expressionEvaluationOptions": { @@ -8246,8 +7721,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.10.61.36676", - "templateHash": "11989297668424739974" + "version": "0.24.24.22086", + "templateHash": "16624262267285514706" } }, "parameters": { @@ -8314,7 +7789,7 @@ }, { "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", + "apiVersion": "2022-09-01", "name": "remoteAccess-windowsVirtualMachine", "properties": { "expressionEvaluationOptions": { @@ -8359,7 +7834,7 @@ "value": "[parameters('windowsVmStorageAccountType')]" }, "networkInterfaceName": { - "value": "[reference(resourceId('Microsoft.Resources/deployments', 'remoteAccess-windowsNetworkInterface')).outputs.name.value]" + "value": "[reference(resourceId('Microsoft.Resources/deployments', 'remoteAccess-windowsNetworkInterface'), '2022-09-01').outputs.name.value]" }, "logAnalyticsWorkspaceId": { "value": "[parameters('logAnalyticsWorkspaceId')]" @@ -8371,8 +7846,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.10.61.36676", - "templateHash": "3741703278800278886" + "version": "0.24.24.22086", + "templateHash": "8202416321533561618" } }, "parameters": { @@ -8396,7 +7871,7 @@ "type": "string" }, "adminPassword": { - "type": "secureString", + "type": "securestring", "minLength": 12 }, "publisher": { @@ -8473,7 +7948,7 @@ { "type": "Microsoft.Compute/virtualMachines/extensions", "apiVersion": "2021-04-01", - "name": "[format('{0}/DependencyAgentWindows', parameters('name'))]", + "name": "[format('{0}/{1}', parameters('name'), 'DependencyAgentWindows')]", "location": "[parameters('location')]", "properties": { "publisher": "Microsoft.Azure.Monitoring.DependencyAgent", 
@@ -8488,7 +7963,7 @@ { "type": "Microsoft.Compute/virtualMachines/extensions", "apiVersion": "2021-04-01", - "name": "[format('{0}/AzurePolicyforWindows', parameters('name'))]", + "name": "[format('{0}/{1}', parameters('name'), 'AzurePolicyforWindows')]", "location": "[parameters('location')]", "properties": { "publisher": "Microsoft.GuestConfiguration", @@ -8504,7 +7979,7 @@ { "type": "Microsoft.Compute/virtualMachines/extensions", "apiVersion": "2021-04-01", - "name": "[format('{0}/MMAExtension', parameters('name'))]", + "name": "[format('{0}/{1}', parameters('name'), 'MMAExtension')]", "location": "[parameters('location')]", "properties": { "publisher": "Microsoft.EnterpriseCloud.Monitoring", @@ -8525,7 +8000,7 @@ { "type": "Microsoft.Compute/virtualMachines/extensions", "apiVersion": "2020-06-01", - "name": "[format('{0}/Microsoft.Azure.NetworkWatcher', parameters('name'))]", + "name": "[format('{0}/{1}', parameters('name'), 'Microsoft.Azure.NetworkWatcher')]", "location": "[parameters('location')]", "properties": { "publisher": "Microsoft.Azure.NetworkWatcher", 
@@ -8549,7 +8024,6 @@ "dependsOn": [ "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', 'azure-monitor-private-link')]", "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix')))]", - "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-DNS-{0}', parameters('deploymentNameSuffix')))]", "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix')))]" ] } 
@@ -8561,21 +8035,21 @@ }, "firewallPrivateIPAddress": { "type": "string", - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix')))).outputs.firewallPrivateIPAddress.value]" + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.firewallPrivateIPAddress.value]" }, "hub": { "type": "object", "value": { "subscriptionId": "[parameters('hubSubscriptionId')]", - "resourceGroupName": "[reference(subscriptionResourceId(parameters('hubSubscriptionId'), 'Microsoft.Resources/deployments', format('deploy-rg-hub-{0}', parameters('deploymentNameSuffix')))).outputs.name.value]", - "resourceGroupResourceId": "[reference(subscriptionResourceId(parameters('hubSubscriptionId'), 'Microsoft.Resources/deployments', format('deploy-rg-hub-{0}', parameters('deploymentNameSuffix')))).outputs.id.value]", - "virtualNetworkName": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix')))).outputs.virtualNetworkName.value]", - "virtualNetworkResourceId": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix')))).outputs.virtualNetworkResourceId.value]", - "subnetName": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), 
variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix')))).outputs.subnetName.value]", - "subnetResourceId": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix')))).outputs.subnetResourceId.value]", - "subnetAddressPrefix": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix')))).outputs.subnetAddressPrefix.value]", - "networkSecurityGroupName": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix')))).outputs.networkSecurityGroupName.value]", - "networkSecurityGroupResourceId": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix')))).outputs.networkSecurityGroupResourceId.value]" + "resourceGroupName": "[reference(subscriptionResourceId(parameters('hubSubscriptionId'), 'Microsoft.Resources/deployments', format('deploy-rg-hub-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.name.value]", + "resourceGroupResourceId": "[reference(subscriptionResourceId(parameters('hubSubscriptionId'), 'Microsoft.Resources/deployments', format('deploy-rg-hub-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.id.value]", + "virtualNetworkName": 
"[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.virtualNetworkName.value]", + "virtualNetworkResourceId": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.virtualNetworkResourceId.value]", + "subnetName": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.subnetName.value]", + "subnetResourceId": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.subnetResourceId.value]", + "subnetAddressPrefix": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.subnetAddressPrefix.value]", + "networkSecurityGroupName": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.networkSecurityGroupName.value]", + "networkSecurityGroupResourceId": 
"[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.networkSecurityGroupResourceId.value]" } }, "deployDefender": { @@ -8588,11 +8062,11 @@ }, "logAnalyticsWorkspaceName": { "type": "string", - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix')))).outputs.name.value]" + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.name.value]" }, "logAnalyticsWorkspaceResourceId": { "type": "string", - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix')))).outputs.id.value]" + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.id.value]" }, "diagnosticStorageAccountName": { "type": "string", 
@@ -8613,15 +8087,15 @@ "input": { "name": "[variables('spokes')[copyIndex()].name]", "subscriptionId": "[variables('spokes')[copyIndex()].subscriptionId]", - "resourceGroupName": "[reference(subscriptionResourceId(variables('spokes')[copyIndex()].subscriptionId, 'Microsoft.Resources/deployments', format('deploy-rg-{0}-{1}', variables('spokes')[copyIndex()].name, parameters('deploymentNameSuffix')))).outputs.name.value]", - "resourceGroupId": "[reference(subscriptionResourceId(variables('spokes')[copyIndex()].subscriptionId, 'Microsoft.Resources/deployments', format('deploy-rg-{0}-{1}', variables('spokes')[copyIndex()].name, parameters('deploymentNameSuffix')))).outputs.id.value]", - "virtualNetworkName": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', variables('spokes')[copyIndex()].subscriptionId, variables('spokes')[copyIndex()].resourceGroupName), 'Microsoft.Resources/deployments', format('deploy-vnet-{0}-{1}', variables('spokes')[copyIndex()].name, parameters('deploymentNameSuffix')))).outputs.virtualNetworkName.value]", - "virtualNetworkResourceId": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', variables('spokes')[copyIndex()].subscriptionId, variables('spokes')[copyIndex()].resourceGroupName), 'Microsoft.Resources/deployments', format('deploy-vnet-{0}-{1}', variables('spokes')[copyIndex()].name, parameters('deploymentNameSuffix')))).outputs.virtualNetworkResourceId.value]", - "subnetName": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', variables('spokes')[copyIndex()].subscriptionId, variables('spokes')[copyIndex()].resourceGroupName), 'Microsoft.Resources/deployments', format('deploy-vnet-{0}-{1}', variables('spokes')[copyIndex()].name, parameters('deploymentNameSuffix')))).outputs.subnetName.value]", - "subnetResourceId": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', variables('spokes')[copyIndex()].subscriptionId, 
variables('spokes')[copyIndex()].resourceGroupName), 'Microsoft.Resources/deployments', format('deploy-vnet-{0}-{1}', variables('spokes')[copyIndex()].name, parameters('deploymentNameSuffix')))).outputs.subnetResourceId.value]", - "subnetAddressPrefix": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', variables('spokes')[copyIndex()].subscriptionId, variables('spokes')[copyIndex()].resourceGroupName), 'Microsoft.Resources/deployments', format('deploy-vnet-{0}-{1}', variables('spokes')[copyIndex()].name, parameters('deploymentNameSuffix')))).outputs.subnetAddressPrefix.value]", - "networkSecurityGroupName": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', variables('spokes')[copyIndex()].subscriptionId, variables('spokes')[copyIndex()].resourceGroupName), 'Microsoft.Resources/deployments', format('deploy-vnet-{0}-{1}', variables('spokes')[copyIndex()].name, parameters('deploymentNameSuffix')))).outputs.networkSecurityGroupName.value]", - "networkSecurityGroupResourceId": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', variables('spokes')[copyIndex()].subscriptionId, variables('spokes')[copyIndex()].resourceGroupName), 'Microsoft.Resources/deployments', format('deploy-vnet-{0}-{1}', variables('spokes')[copyIndex()].name, parameters('deploymentNameSuffix')))).outputs.networkSecurityGroupResourceId.value]" + "resourceGroupName": "[reference(subscriptionResourceId(variables('spokes')[copyIndex()].subscriptionId, 'Microsoft.Resources/deployments', format('deploy-rg-{0}-{1}', variables('spokes')[copyIndex()].name, parameters('deploymentNameSuffix'))), '2022-09-01').outputs.name.value]", + "resourceGroupId": "[reference(subscriptionResourceId(variables('spokes')[copyIndex()].subscriptionId, 'Microsoft.Resources/deployments', format('deploy-rg-{0}-{1}', variables('spokes')[copyIndex()].name, parameters('deploymentNameSuffix'))), '2022-09-01').outputs.id.value]", + 
"virtualNetworkName": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', variables('spokes')[copyIndex()].subscriptionId, variables('spokes')[copyIndex()].resourceGroupName), 'Microsoft.Resources/deployments', format('deploy-vnet-{0}-{1}', variables('spokes')[copyIndex()].name, parameters('deploymentNameSuffix'))), '2022-09-01').outputs.virtualNetworkName.value]", + "virtualNetworkResourceId": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', variables('spokes')[copyIndex()].subscriptionId, variables('spokes')[copyIndex()].resourceGroupName), 'Microsoft.Resources/deployments', format('deploy-vnet-{0}-{1}', variables('spokes')[copyIndex()].name, parameters('deploymentNameSuffix'))), '2022-09-01').outputs.virtualNetworkResourceId.value]", + "subnetName": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', variables('spokes')[copyIndex()].subscriptionId, variables('spokes')[copyIndex()].resourceGroupName), 'Microsoft.Resources/deployments', format('deploy-vnet-{0}-{1}', variables('spokes')[copyIndex()].name, parameters('deploymentNameSuffix'))), '2022-09-01').outputs.subnetName.value]", + "subnetResourceId": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', variables('spokes')[copyIndex()].subscriptionId, variables('spokes')[copyIndex()].resourceGroupName), 'Microsoft.Resources/deployments', format('deploy-vnet-{0}-{1}', variables('spokes')[copyIndex()].name, parameters('deploymentNameSuffix'))), '2022-09-01').outputs.subnetResourceId.value]", + "subnetAddressPrefix": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', variables('spokes')[copyIndex()].subscriptionId, variables('spokes')[copyIndex()].resourceGroupName), 'Microsoft.Resources/deployments', format('deploy-vnet-{0}-{1}', variables('spokes')[copyIndex()].name, parameters('deploymentNameSuffix'))), '2022-09-01').outputs.subnetAddressPrefix.value]", + 
"networkSecurityGroupName": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', variables('spokes')[copyIndex()].subscriptionId, variables('spokes')[copyIndex()].resourceGroupName), 'Microsoft.Resources/deployments', format('deploy-vnet-{0}-{1}', variables('spokes')[copyIndex()].name, parameters('deploymentNameSuffix'))), '2022-09-01').outputs.networkSecurityGroupName.value]", + "networkSecurityGroupResourceId": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', variables('spokes')[copyIndex()].subscriptionId, variables('spokes')[copyIndex()].resourceGroupName), 'Microsoft.Resources/deployments', format('deploy-vnet-{0}-{1}', variables('spokes')[copyIndex()].name, parameters('deploymentNameSuffix'))), '2022-09-01').outputs.networkSecurityGroupResourceId.value]" } } } diff --git a/src/bicep/modules/bastion-host.bicep b/src/bicep/modules/bastion-host.bicep index dbc110f19..b4916690f 100644 --- a/src/bicep/modules/bastion-host.bicep +++ b/src/bicep/modules/bastion-host.bicep @@ -3,21 +3,15 @@ Copyright (c) Microsoft Corporation. Licensed under the MIT License. */ -param name string +param bastionHostSubnetResourceId string +param ipConfigurationName string param location string -param tags object = {} - -param virtualNetworkName string - -var subnetName = 'AzureBastionSubnet' // The subnet name for Azure Bastion Hosts must be 'AzureBastionSubnet' -param subnetAddressPrefix string - -param publicIPAddressName string -param publicIPAddressSkuName string +param name string param publicIPAddressAllocationMethod string param publicIPAddressAvailabilityZones array - -param ipConfigurationName string +param publicIPAddressName string +param publicIPAddressSkuName string +param tags object resource publicIPAddress 'Microsoft.Network/publicIPAddresses@2021-02-01' = { name: publicIPAddressName 
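Review bot: `bastionHostSubnetResourceId` replaces the subnet this module used to create, but the constraint that travelled with the deleted `var subnetName = 'AzureBastionSubnet'` comment — Bastion only accepts a subnet with that exact name — is now undocumented on the new parameter, which the third hunk of this file passes straight into `subnet.id`. A `@description('Resource ID of the hub subnet named AzureBastionSubnet; Azure Bastion rejects any other subnet name')` decorator on it would keep that requirement visible to callers. `tags` also loses its `= {}` default here while firewall.bicep in this same commit keeps one, so callers must now always pass it; worth saying in a description or restoring the default for consistency.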
@@ -35,14 +29,6 @@ resource publicIPAddress 'Microsoft.Network/publicIPAddresses@2021-02-01' = { zones: publicIPAddressAvailabilityZones } -resource subnet 'Microsoft.Network/virtualNetworks/subnets@2021-02-01' = { - name: '${virtualNetworkName}/${subnetName}' - - properties: { - addressPrefix: subnetAddressPrefix - } -} - resource bastionHost 'Microsoft.Network/bastionHosts@2021-02-01' = { name: name location: location @@ -54,7 +40,7 @@ resource bastionHost 'Microsoft.Network/bastionHosts@2021-02-01' = { name: ipConfigurationName properties: { subnet: { - id: subnet.id + id: bastionHostSubnetResourceId } publicIPAddress: { id: publicIPAddress.id diff --git a/src/bicep/modules/firewall-diagnostics.bicep b/src/bicep/modules/firewall-diagnostics.bicep new file mode 100644 index 000000000..77c45b69d --- /dev/null +++ b/src/bicep/modules/firewall-diagnostics.bicep @@ -0,0 +1,27 @@ +/* +Copyright (c) Microsoft Corporation. +Licensed under the MIT License. +*/ + +param logAnalyticsWorkspaceResourceId string +param logs array +param logStorageAccountResourceId string +param metrics array +param name string + +resource firewall 'Microsoft.Network/azureFirewalls@2021-02-01' existing = { + name: name +} + +resource diagnostics 'Microsoft.Insights/diagnosticSettings@2017-05-01-preview' = { + scope: firewall + name: '${firewall.name}-diagnostics' + properties: { + storageAccountId: logStorageAccountResourceId + workspaceId: logAnalyticsWorkspaceResourceId + logs: logs + metrics: metrics + } +} + +output privateIPAddress string = firewall.properties.ipConfigurations[0].properties.privateIPAddress diff --git a/src/bicep/modules/firewall.bicep b/src/bicep/modules/firewall.bicep index 9c7a5c40e..3b97c3a91 100644 --- a/src/bicep/modules/firewall.bicep +++ b/src/bicep/modules/firewall.bicep 
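Review bot: The new firewall-diagnostics module ends with `output privateIPAddress string = firewall.properties.ipConfigurations[0].properties.privateIPAddress`, which duplicates the output that firewall.bicep keeps and has nothing to do with diagnostic settings; if a caller genuinely reads it from here, a comment such as `// exposed for callers that only reference this module` would explain it, otherwise it is better dropped so the firewall's address has one source of truth. None of the five params carry a `@description`, and `name` in particular is the name of an already-deployed firewall resolved through `existing`, which the bare `param name string` does not convey. Both `storageAccountId` and `workspaceId` are passed unconditionally, so callers presumably always supply both resource IDs — worth confirming rather than assuming an empty string is tolerated.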
@@ -3,17 +3,30 @@ Copyright (c) Microsoft Corporation. Licensed under the MIT License. */ - +param clientIpConfigurationName string +param clientIpConfigurationSubnetResourceId string +param clientIpConfigurationPublicIPAddressResourceId string +param dnsServers array +param enableProxy bool +param firewallPolicyName string +param firewallSupernetIPAddress string +@allowed([ + 'Alert' + 'Deny' + 'Off' +]) +param intrusionDetectionMode string +param location string +param managementIpConfigurationName string +param managementIpConfigurationSubnetResourceId string +param managementIpConfigurationPublicIPAddressResourceId string param name string -param location string = resourceGroup().location -param tags object = {} - @allowed([ 'Standard' 'Premium' ]) param skuTier string - +param tags object = {} @allowed([ 'Alert' 'Deny' @@ -21,40 +34,10 @@ param skuTier string ]) param threatIntelMode string -@allowed([ - 'Alert' - 'Deny' - 'Off' -]) -param intrusionDetectionMode string - -//DNS Proxy Settings -param enableProxy bool -param dnsServers array - -param clientIpConfigurationName string -param clientIpConfigurationSubnetResourceId string -param clientIpConfigurationPublicIPAddressResourceId string - -param managementIpConfigurationName string -param managementIpConfigurationSubnetResourceId string -param managementIpConfigurationPublicIPAddressResourceId string - -param firewallPolicyName string - -param firewallSupernetIPAddress string - -param logStorageAccountResourceId string -param logAnalyticsWorkspaceResourceId string - -param logs array -param metrics array - var intrusionDetectionObject = { mode: intrusionDetectionMode } - resource firewallPolicy 'Microsoft.Network/firewallPolicies@2021-02-01' = { name: firewallPolicyName location: location 
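Review bot: The alphabetical reorder in the first hunk drops the `//DNS Proxy Settings` comment that grouped `enableProxy` and `dnsServers` (removed in the second hunk on this line), so those two params, like `firewallSupernetIPAddress`, now have no explanation at all. A `@description('Enable the firewall DNS proxy so network rules can use FQDNs')` on `enableProxy` and `@description('DNS servers the firewall proxy forwards to')` on `dnsServers` would restore what the comment carried, and `firewallSupernetIPAddress` deserves the same treatment. `param tags object = {}` keeps its default here while bastion-host.bicep in this commit makes `tags` mandatory; the two modules should agree on one convention.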
@@ -73,10 +56,8 @@ resource firewallPolicy 'Microsoft.Network/firewallPolicies@2021-02-01' = { } resource firewallAppRuleCollectionGroup 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2021-02-01' = { - name: '${firewallPolicyName}/DefaultApplicationRuleCollectionGroup' - dependsOn: [ - firewallPolicy - ] + parent: firewallPolicy + name: 'DefaultApplicationRuleCollectionGroup' properties: { priority: 300 ruleCollections: [ @@ -118,9 +99,9 @@ resource firewallAppRuleCollectionGroup 'Microsoft.Network/firewallPolicies/rule } resource firewallNetworkRuleCollectionGroup 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2021-02-01' = { - name: '${firewallPolicyName}/DefaultNetworkRuleCollectionGroup' + parent: firewallPolicy + name: 'DefaultNetworkRuleCollectionGroup' dependsOn: [ - firewallPolicy firewallAppRuleCollectionGroup ] properties: { @@ -230,15 +211,5 @@ resource firewall 'Microsoft.Network/azureFirewalls@2021-02-01' = { } } -resource diagnostics 'Microsoft.Insights/diagnosticSettings@2017-05-01-preview' = { - scope: firewall - name: '${firewall.name}-diagnostics' - properties: { - storageAccountId: logStorageAccountResourceId - workspaceId: logAnalyticsWorkspaceResourceId - logs: logs - metrics: metrics - } -} - +output name string = firewall.name output privateIPAddress string = firewall.properties.ipConfigurations[0].properties.privateIPAddress diff --git a/src/bicep/modules/key-vault.bicep b/src/bicep/modules/key-vault.bicep new file mode 100644 index 000000000..63828972c --- /dev/null +++ b/src/bicep/modules/key-vault.bicep 
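Review bot: `firewallNetworkRuleCollectionGroup` keeps an explicit `dependsOn: [ firewallAppRuleCollectionGroup ]` after the switch to `parent: firewallPolicy`, and with the policy dependency now implicit the remaining entry reads like a leftover rather than a deliberate ordering. Presumably it serialises the two rule collection groups because the policy does not accept concurrent writes; a comment such as `// rule collection groups on the same policy must be deployed one at a time` above the `dependsOn` would stop a future cleanup from removing it. The body of firewallNetworkRuleCollectionGroup continues outside the hunk.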
@@ -0,0 +1,99 @@ +param diskEncryptionKeyExpirationInDays int = 30 +param keyVaultName string +param location string +param tags object + +resource vault 'Microsoft.KeyVault/vaults@2022-07-01' = { + name: keyVaultName + location: location + tags: contains(tags, 'Microsoft.KeyVault/vaults') ? tags['Microsoft.KeyVault/vaults'] : {} + properties: { + enabledForDeployment: false + enabledForDiskEncryption: true + enabledForTemplateDeployment: false + enablePurgeProtection: true + enableRbacAuthorization: true + enableSoftDelete: true + sku: { + family: 'A' + name: 'standard' + } + softDeleteRetentionInDays: 7 + tenantId: subscription().tenantId + } +} + +resource key_disks 'Microsoft.KeyVault/vaults/keys@2022-07-01' = { + parent: vault + name: 'DiskEncryptionKey' + properties: { + attributes: { + enabled: true + } + keySize: 4096 + kty: 'RSA' + rotationPolicy: { + attributes: { + expiryTime: 'P${string(diskEncryptionKeyExpirationInDays)}D' + } + lifetimeActions: [ + { + action: { + type: 'Notify' + } + trigger: { + timeBeforeExpiry: 'P10D' + } + } + { + action: { + type: 'Rotate' + } + trigger: { + timeAfterCreate: 'P${string(diskEncryptionKeyExpirationInDays - 7)}D' + } + } + ] + } + } +} + +resource key_storageAccounts 'Microsoft.KeyVault/vaults/keys@2022-07-01' = { + parent: vault + name: 'StorageEncryptionKey' + properties: { + attributes: { + enabled: true + } + keySize: 4096 + kty: 'RSA' + rotationPolicy: { + attributes: { + expiryTime: 'P${string(diskEncryptionKeyExpirationInDays)}D' + } + lifetimeActions: [ + { + action: { + type: 'Notify' + } + trigger: { + timeBeforeExpiry: 'P10D' + } + } + { + action: { + type: 'Rotate' + } + trigger: { + timeAfterCreate: 'P${string(diskEncryptionKeyExpirationInDays - 7)}D' + } + } + ] + } + } +} + +output keyUriWithVersion string = key_disks.properties.keyUriWithVersion +output keyVaultResourceId string = vault.id +output keyVaultUri string = vault.properties.vaultUri +output storageKeyName string = key_storageAccounts.name 
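Review bot: The rotation trigger `timeAfterCreate: 'P${string(diskEncryptionKeyExpirationInDays - 7)}D'` in both key resources yields a zero or negative ISO 8601 duration whenever the parameter is 7 or lower, and the `timeBeforeExpiry: 'P10D'` notification falls before creation when it is under 10, yet the parameter has no bound; add a floor such as `@minValue(11)` above `param diskEncryptionKeyExpirationInDays int = 30` (or whatever minimum the rotation-policy API enforces, which should be confirmed). The vault is created with RBAC, soft delete and purge protection but without `publicNetworkAccess` or `networkAcls`, so it remains reachable from any network while the storage accounts whose keys it holds are private-endpoint only; confirm that exposure is intended, since restricting it would need a vault private endpoint or a trusted-services bypass for the storage encryption path to keep working. Both keys also share the disk-named expiry parameter, so either a separate parameter for the storage key or a comment like `// storage key reuses the disk key expiry window` on key_storageAccounts would make that coupling visible.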
diff --git a/src/bicep/modules/linux-virtual-machine.bicep b/src/bicep/modules/linux-virtual-machine.bicep index ebf2c1c81..d6efd0777 100644 --- a/src/bicep/modules/linux-virtual-machine.bicep +++ b/src/bicep/modules/linux-virtual-machine.bicep @@ -3,28 +3,26 @@ Copyright (c) Microsoft Corporation. Licensed under the MIT License. */ -param name string +@secure() +@minLength(12) +param adminPasswordOrKey string +param adminUsername string +@allowed([ + 'sshPublicKey' + 'password' +]) +param authenticationType string param location string -param tags object = {} - +param name string param networkInterfaceName string - -param vmSize string param osDiskCreateOption string param osDiskType string -param vmImagePublisher string +param tags object param vmImageOffer string +param vmImagePublisher string param vmImageSku string param vmImageVersion string -param adminUsername string -@allowed([ - 'sshPublicKey' - 'password' -]) -param authenticationType string -@secure() -@minLength(12) -param adminPasswordOrKey string +param vmSize string var linuxConfiguration = { disablePasswordAuthentication: true @@ -47,7 +45,6 @@ resource virtualMachine 'Microsoft.Compute/virtualMachines@2020-06-01' = { name: name location: location tags: tags - properties: { hardwareProfile: { vmSize: vmSize @@ -83,7 +80,8 @@ resource virtualMachine 'Microsoft.Compute/virtualMachines@2020-06-01' = { } resource networkWatcher 'Microsoft.Compute/virtualMachines/extensions@2020-06-01' = { - name: '${virtualMachine.name}/Microsoft.Azure.NetworkWatcher' + parent: virtualMachine + name: 'Microsoft.Azure.NetworkWatcher' location: location properties: { publisher: 'Microsoft.Azure.NetworkWatcher' 
@@ -109,7 +107,8 @@ resource policyExtension 'Microsoft.Compute/virtualMachines/extensions@2020-12-0 } resource omsExtension 'Microsoft.Compute/virtualMachines/extensions@2020-06-01' = { - name: '${virtualMachine.name}/OMSExtension' + parent: virtualMachine + name: 'OMSExtension' location: location properties: { publisher: 'Microsoft.EnterpriseCloud.Monitoring' @@ -129,7 +128,8 @@ resource omsExtension 'Microsoft.Compute/virtualMachines/extensions@2020-06-01' } resource dependencyAgent 'Microsoft.Compute/virtualMachines/extensions@2020-06-01' = { - name: '${virtualMachine.name}/DependencyAgentLinux' + parent: virtualMachine + name: 'DependencyAgentLinux' location: location properties: { publisher: 'Microsoft.Azure.Monitoring.DependencyAgent' diff --git a/src/bicep/modules/network-interface.bicep b/src/bicep/modules/network-interface.bicep index e90e65ba0..21f90e0cd 100644 --- a/src/bicep/modules/network-interface.bicep +++ b/src/bicep/modules/network-interface.bicep @@ -16,7 +16,6 @@ resource networkInterface 'Microsoft.Network/networkInterfaces@2021-02-01' = { name: name location: location tags: tags - properties: { ipConfigurations: [ { diff --git a/src/bicep/modules/network-security-group-diagnostics.bicep b/src/bicep/modules/network-security-group-diagnostics.bicep new file mode 100644 index 000000000..1fff4d97c --- /dev/null +++ b/src/bicep/modules/network-security-group-diagnostics.bicep 
@@ -0,0 +1,26 @@ +/* +Copyright (c) Microsoft Corporation. +Licensed under the MIT License. +*/ + +param name string + +param logAnalyticsWorkspaceResourceId string +param logs array +param logStorageAccountResourceId string +param metrics array + +resource networkSecurityGroup 'Microsoft.Network/networkSecurityGroups@2021-02-01' existing = { + name: name +} + +resource diagnostics 'Microsoft.Insights/diagnosticSettings@2017-05-01-preview' = { + scope: networkSecurityGroup + name: '${networkSecurityGroup.name}-diagnostics' + properties: { + storageAccountId: logStorageAccountResourceId + workspaceId: logAnalyticsWorkspaceResourceId + logs: logs + metrics: metrics + } +} diff --git a/src/bicep/modules/network-security-group.bicep b/src/bicep/modules/network-security-group.bicep index ef2b7af59..695fcf489 100644 --- a/src/bicep/modules/network-security-group.bicep +++ b/src/bicep/modules/network-security-group.bicep @@ -3,17 +3,10 @@ Copyright (c) Microsoft Corporation. Licensed under the MIT License. */ -param name string param location string -param tags object = {} - +param name string param securityRules array - -param logStorageAccountResourceId string -param logAnalyticsWorkspaceResourceId string - -param logs array -param metrics array +param tags object resource networkSecurityGroup 'Microsoft.Network/networkSecurityGroups@2021-02-01' = { name: name @@ -25,16 +18,5 @@ resource networkSecurityGroup 'Microsoft.Network/networkSecurityGroups@2021-02-0 } } -resource diagnostics 'Microsoft.Insights/diagnosticSettings@2017-05-01-preview' = { - scope: networkSecurityGroup - name: '${networkSecurityGroup.name}-diagnostics' - properties: { - storageAccountId: logStorageAccountResourceId - workspaceId: logAnalyticsWorkspaceResourceId - logs: logs - metrics: metrics - } -} - output id string = networkSecurityGroup.id output name string = networkSecurityGroup.name 
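Review bot: The three new diagnostics modules name the same inputs differently: network-security-group-diagnostics.bicep and virtual-network-diagnostics.bicep use `logStorageAccountResourceId`, `logs` and `metrics`, while public-ip-address-diagnostics.bicep uses `hubStorageAccountResourceId`, `publicIPAddressDiagnosticsLogs` and `publicIPAddressDiagnosticsMetrics` for identical settings; settling on one set keeps callers from miswiring them. All three resolve their target with `existing = { name: name }` and no `scope`, so they only work when the module is deployed into the resource group that owns the NSG, public IP or virtual network; a comment on the existing resource, e.g. `// deploy this module into the resource group that owns the NSG`, would make that constraint explicit. The network-security-group.bicep hunks below also drop the `{}` default on `tags`, making it a required input for every caller.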
diff --git a/src/bicep/modules/network-watcher.bicep b/src/bicep/modules/network-watcher.bicep
new file mode 100644
index 000000000..e6eaef11a
--- /dev/null
+++ b/src/bicep/modules/network-watcher.bicep
@@ -0,0 +1,10 @@
+param location string
+param name string
+param tags object
+
+resource networkWatcher 'Microsoft.Network/networkWatchers@2021-02-01' = {
+ name: name
+ location: location
+ tags: tags
+ properties: {}
+}
diff --git a/src/bicep/modules/private-dns.bicep b/src/bicep/modules/private-dns.bicep
index 258b5c57d..77a5e5003 100644
--- a/src/bicep/modules/private-dns.bicep
+++ b/src/bicep/modules/private-dns.bicep
@@ -282,6 +282,7 @@ output automationPrivateDnsZoneId string = privateDnsZone_azure_automation.id
 output avdGlobalPrivateDnsZoneId string = privateDnsZone_avd_global.id
 output avdPrivateDnsZoneId string = privateDnsZone_avd.id
 output backupPrivateDnsZoneIds array = [for (name, i) in privatelink_backup_names: privateDnsZone_backup_rsv[i].id]
+output blobPrivateDnsZoneId string = privateDnsZone_blob.id
 output filePrivateDnsZoneId string = privateDnsZone_file.id
 output keyvaultDnsPrivateDnsZoneId string = privateDnsZone_keyvaultDns.id
 output monitorPrivateDnsZoneId string = privateDnsZone_monitor.id
diff --git a/src/bicep/modules/public-ip-address-diagnostics.bicep b/src/bicep/modules/public-ip-address-diagnostics.bicep
new file mode 100644
index 000000000..ca84868b7
--- /dev/null
+++ b/src/bicep/modules/public-ip-address-diagnostics.bicep
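Review bot: Azure permits one Network Watcher per region per subscription and auto-provisions one when virtual networks are created, so declaring `Microsoft.Network/networkWatchers` under a caller-chosen `name` is likely to fail or collide on subscriptions where the regional watcher already exists, which works against the idempotency goal of this series. Either gate the resource on a parameter that the caller sets when it knows the watcher is absent, or document the expectation with a comment such as `// assumes no Network Watcher exists yet in this region; Azure allows only one per region per subscription`. The file also lacks the Copyright/MIT header the other new modules carry.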
@@ -0,0 +1,25 @@ +/* +Copyright (c) Microsoft Corporation. +Licensed under the MIT License. +*/ + +param hubStorageAccountResourceId string +param logAnalyticsWorkspaceResourceId string +param name string +param publicIPAddressDiagnosticsLogs array +param publicIPAddressDiagnosticsMetrics array + +resource publicIPAddress 'Microsoft.Network/publicIPAddresses@2021-02-01' existing = { + name: name +} + +resource publicIpAddressDiagnostics 'Microsoft.Insights/diagnosticSettings@2017-05-01-preview' = { + scope: publicIPAddress + name: '${publicIPAddress.name}-diagnostics' + properties: { + storageAccountId: hubStorageAccountResourceId + workspaceId: logAnalyticsWorkspaceResourceId + logs: publicIPAddressDiagnosticsLogs + metrics: publicIPAddressDiagnosticsMetrics + } +} diff --git a/src/bicep/modules/public-ip-address.bicep b/src/bicep/modules/public-ip-address.bicep index f1cddda7c..cd81e6088 100644 --- a/src/bicep/modules/public-ip-address.bicep +++ b/src/bicep/modules/public-ip-address.bicep 
@@ -3,45 +3,24 @@ Copyright (c) Microsoft Corporation. Licensed under the MIT License. */ -param name string +param availabilityZones array param location string -param tags object = {} - -param skuName string +param name string param publicIpAllocationMethod string -param availabilityZones array - -param logStorageAccountResourceId string -param logAnalyticsWorkspaceResourceId string - -param logs array -param metrics array +param skuName string +param tags object resource publicIPAddress 'Microsoft.Network/publicIPAddresses@2021-02-01' = { name: name location: location tags: tags - sku: { name: skuName } - properties: { publicIPAllocationMethod: publicIpAllocationMethod } - zones: availabilityZones } -resource diagnostics 'Microsoft.Insights/diagnosticSettings@2017-05-01-preview' = { - scope: publicIPAddress - name: '${publicIPAddress.name}-diagnostics' - properties: { - storageAccountId: logStorageAccountResourceId - workspaceId: logAnalyticsWorkspaceResourceId - logs: logs - metrics: metrics - } -} - output id string = publicIPAddress.id diff --git a/src/bicep/modules/route-table.bicep b/src/bicep/modules/route-table.bicep index d1a4306ee..1aa64b243 100644 --- a/src/bicep/modules/route-table.bicep +++ b/src/bicep/modules/route-table.bicep @@ -3,14 +3,13 @@ Copyright (c) Microsoft Corporation. Licensed under the MIT License. */ -param name string param location string -param tags object = {} - -param routeName string +param name string param routeAddressPrefix string +param routeName string param routeNextHopIpAddress string param routeNextHopType string +param tags object resource routeTable 'Microsoft.Network/routeTables@2021-02-01' = { name: name diff --git a/src/bicep/modules/storage-account.bicep b/src/bicep/modules/storage-account.bicep index a8324ca2f..c2c7bf813 100644 --- a/src/bicep/modules/storage-account.bicep +++ b/src/bicep/modules/storage-account.bicep 
@@ -3,39 +3,114 @@ Copyright (c) Microsoft Corporation. Licensed under the MIT License. */ -param storageAccountName string +param azureBlobsPrivateDnsZoneResourceId string +param keyVaultUri string param location string param skuName string -param tags object = {} +param storageAccountName string +param storageEncryptionKeyName string +param subnetResourceId string +param tags object +param userAssignedIdentityResourceId string -resource storageAccount 'Microsoft.Storage/storageAccounts@2021-01-01' = { +resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' = { name: storageAccountName location: location + identity: { + type: 'UserAssigned' + userAssignedIdentities: { + '${userAssignedIdentityResourceId}': {} + } + } kind: 'StorageV2' sku: { name: skuName } tags: tags properties: { - minimumTlsVersion: 'TLS1_2' + accessTier: 'Hot' + allowBlobPublicAccess: false + allowCrossTenantReplication: false + allowedCopyScope: 'PrivateLink' + allowSharedKeyAccess: true + defaultToOAuthAuthentication: false + dnsEndpointType: 'Standard' encryption: { - keySource: 'Microsoft.Storage' + identity: { + userAssignedIdentity: userAssignedIdentityResourceId + } + keySource: 'Microsoft.KeyVault' + keyvaultproperties: { + keyvaulturi: keyVaultUri + keyname: storageEncryptionKeyName + } requireInfrastructureEncryption: true services: { blob: { + keyType: 'Account' enabled: true } file: { + keyType: 'Account' enabled: true } queue: { + keyType: 'Account' enabled: true } table: { + keyType: 'Account' enabled: true } } } + minimumTlsVersion: 'TLS1_2' + networkAcls: { + bypass: 'AzureServices' + virtualNetworkRules: [] + ipRules: [] + defaultAction: 'Deny' + } + publicNetworkAccess: 'Disabled' + supportsHttpsTrafficOnly: true + } +} + +resource privateEndpoint 'Microsoft.Network/privateEndpoints@2020-05-01' = { + name: 'pe-${storageAccountName}' + location: location + tags: tags + properties: { + subnet: { + id: subnetResourceId + } + privateLinkServiceConnections: [ + { + 
name: 'pe-${storageAccountName}_${guid(storageAccount.id)}' + properties: { + privateLinkServiceId: storageAccount.id + groupIds: [ + 'blob' + ] + } + } + ] } } + +resource privateDnsZoneGroups 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2021-08-01' = { + parent: privateEndpoint + name: storageAccountName + properties: { + privateDnsZoneConfigs: [ + { + name: 'ipconfig1' + properties: { + privateDnsZoneId: azureBlobsPrivateDnsZoneResourceId + } + } + ] + } +} + output id string = storageAccount.id diff --git a/src/bicep/modules/user-assigned-identity.bicep b/src/bicep/modules/user-assigned-identity.bicep new file mode 100644 index 000000000..2e4692b7c --- /dev/null +++ b/src/bicep/modules/user-assigned-identity.bicep @@ -0,0 +1,21 @@ +param location string +param name string +param tags object + +resource userAssignedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: name + location: location + tags: tags +} + +module roleAssignment 'role-assignment.bicep' = { + name: 'roleAssignmentEncryption' + params: { + principalId: userAssignedIdentity.properties.principalId + principalType: 'ServicePrincipal' + roleDefinitionId: resourceId('Microsoft.Authorization/roleDefinitions', 'e147488a-f6f5-4113-8e2d-b22465e65bf6') // Key Vault Crypto Service Encryption User + targetResourceId: resourceGroup().id + } +} + +output resourceId string = userAssignedIdentity.id diff --git a/src/bicep/modules/virtual-network-diagnostics.bicep b/src/bicep/modules/virtual-network-diagnostics.bicep new file mode 100644 index 000000000..8c48743d9 --- /dev/null +++ b/src/bicep/modules/virtual-network-diagnostics.bicep 
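Review bot: `allowSharedKeyAccess: true` together with `defaultToOAuthAuthentication: false` leaves account-key authentication enabled on a log storage account that the rest of the hunk locks down with `publicNetworkAccess: 'Disabled'`, `defaultAction: 'Deny'` and a customer-managed key; unless a consumer that cannot use Entra ID authentication is known (a diagnostic-settings archive path may be one, which should be confirmed), `allowSharedKeyAccess: false` and `defaultToOAuthAuthentication: true` close the remaining credential path, and if the key is needed the reason belongs in a comment on that line. Only the `blob` sub-resource gets a private endpoint while blob, file, queue and table services are all enabled; with public access disabled the other three are unreachable, which is fine if nothing uses them, but a comment saying so would keep the next reader from adding endpoints by accident. The endpoint uses `privateEndpoints@2020-05-01` while its DNS zone group uses `2021-08-01`; one API version for both avoids the older schema. The storageAccount resource begins on the preceding hunk line.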
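Review bot: The `roleAssignment` module grants Key Vault Crypto Service Encryption User at `targetResourceId: resourceGroup().id`, which is wider than the single vault this identity exists to unwrap keys from; passing the key vault resource id in as a parameter and scoping the assignment to it keeps the grant at least privilege. The nested deployment name `'roleAssignmentEncryption'` is a fixed string, so deploying user-assigned-identity.bicep twice into one resource group would collide on that name; deriving it from `name`, e.g. `name: 'roleAssignment-${name}'`, avoids that. What role-assignment.bicep does with `principalType` and `targetResourceId` cannot be checked here since it is outside the diff.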
@@ -0,0 +1,25 @@ +/* +Copyright (c) Microsoft Corporation. +Licensed under the MIT License. +*/ + +param logAnalyticsWorkspaceResourceId string +param logs array +param logStorageAccountResourceId string +param metrics array +param name string + +resource virtualNetwork 'Microsoft.Network/virtualNetworks@2021-02-01' existing = { + name: name +} + +resource diagnostics 'Microsoft.Insights/diagnosticSettings@2017-05-01-preview' = { + scope: virtualNetwork + name: '${virtualNetwork.name}-diagnostics' + properties: { + storageAccountId: logStorageAccountResourceId + workspaceId: logAnalyticsWorkspaceResourceId + logs: logs + metrics: metrics + } +} diff --git a/src/bicep/modules/virtual-network.bicep b/src/bicep/modules/virtual-network.bicep index afe38843d..cd2f38f1e 100644 --- a/src/bicep/modules/virtual-network.bicep +++ b/src/bicep/modules/virtual-network.bicep @@ -3,18 +3,12 @@ Copyright (c) Microsoft Corporation. Licensed under the MIT License. */ -param name string -param location string -param tags object = {} - param addressPrefix string -param vNetDnsServers array = [] -param logAnalyticsWorkspaceResourceId string -param logStorageAccountResourceId string +param location string +param name string param subnets array - -param logs array -param metrics array +param tags object +param vNetDnsServers array resource virtualNetwork 'Microsoft.Network/virtualNetworks@2021-02-01' = { name: name @@ -34,17 +28,6 @@ resource virtualNetwork 'Microsoft.Network/virtualNetworks@2021-02-01' = { } } -resource diagnostics 'Microsoft.Insights/diagnosticSettings@2017-05-01-preview' = { - scope: virtualNetwork - name: '${virtualNetwork.name}-diagnostics' - properties: { - storageAccountId: logStorageAccountResourceId - workspaceId: logAnalyticsWorkspaceResourceId - logs: logs - metrics: metrics - } -} - output name string = virtualNetwork.name output id string = virtualNetwork.id output subnets array = virtualNetwork.properties.subnets 
diff --git a/src/bicep/modules/windows-virtual-machine.bicep b/src/bicep/modules/windows-virtual-machine.bicep index a9a2fbfed..2fe6cccb4 100644 --- a/src/bicep/modules/windows-virtual-machine.bicep +++ b/src/bicep/modules/windows-virtual-machine.bicep @@ -6,9 +6,7 @@ Licensed under the MIT License. param name string param location string param tags object = {} - param networkInterfaceName string - param size string param adminUsername string @secure() @@ -32,7 +30,6 @@ resource windowsVirtualMachine 'Microsoft.Compute/virtualMachines@2021-04-01' = name: name location: location tags: tags - properties: { availabilitySet: ((availabilitySet != {}) ? availabilitySet : null) hardwareProfile: { @@ -69,7 +66,8 @@ resource windowsVirtualMachine 'Microsoft.Compute/virtualMachines@2021-04-01' = } resource dependencyAgent 'Microsoft.Compute/virtualMachines/extensions@2021-04-01' = { - name: '${windowsVirtualMachine.name}/DependencyAgentWindows' + parent: windowsVirtualMachine + name: 'DependencyAgentWindows' location: location properties: { publisher: 'Microsoft.Azure.Monitoring.DependencyAgent' @@ -80,7 +78,8 @@ resource dependencyAgent 'Microsoft.Compute/virtualMachines/extensions@2021-04-0 } resource policyExtension 'Microsoft.Compute/virtualMachines/extensions@2021-04-01' = { - name: '${windowsVirtualMachine.name}/AzurePolicyforWindows' + parent: windowsVirtualMachine + name: 'AzurePolicyforWindows' location: location properties: { publisher: 'Microsoft.GuestConfiguration' @@ -92,7 +91,8 @@ resource policyExtension 'Microsoft.Compute/virtualMachines/extensions@2021-04-0 } resource mmaExtension 'Microsoft.Compute/virtualMachines/extensions@2021-04-01' = { - name: '${windowsVirtualMachine.name}/MMAExtension' + parent: windowsVirtualMachine + name: 'MMAExtension' location: location properties: { publisher: 'Microsoft.EnterpriseCloud.Monitoring' 
@@ -109,7 +109,8 @@ resource mmaExtension 'Microsoft.Compute/virtualMachines/extensions@2021-04-01' } resource networkWatcher 'Microsoft.Compute/virtualMachines/extensions@2020-06-01' = { - name: '${windowsVirtualMachine.name}/Microsoft.Azure.NetworkWatcher' + parent: windowsVirtualMachine + name: 'Microsoft.Azure.NetworkWatcher' location: location properties: { publisher: 'Microsoft.Azure.NetworkWatcher' From e6df34a86d04e5f7d4dfbb732523e30ee9fbc6a2 Mon Sep 17 00:00:00 2001 From: Jason Masten Date: Sun, 21 Jan 2024 00:03:38 -0500 Subject: [PATCH 02/28] Fixed pvt endpoint names --- src/bicep/core/hub-storage.bicep | 2 + src/bicep/core/spoke-storage.bicep | 10 ++-- src/bicep/mlz.bicep | 2 + src/bicep/mlz.json | 70 +++++++++++++++++-------- src/bicep/modules/storage-account.bicep | 5 +- 5 files changed, 60 insertions(+), 29 deletions(-) diff --git a/src/bicep/core/hub-storage.bicep b/src/bicep/core/hub-storage.bicep index 9526d0d37..a864eec31 100644 --- a/src/bicep/core/hub-storage.bicep +++ b/src/bicep/core/hub-storage.bicep @@ -8,6 +8,7 @@ param keyVaultUri string param logStorageAccountName string param logStorageSkuName string param location string +param resourcePrefix string param storageEncryptionKeyName string param subnetResourceId string param tags object @@ -20,6 +21,7 @@ module storageAccount '../modules/storage-account.bicep' = { userAssignedIdentityResourceId: userAssignedIdentityResourceId keyVaultUri: keyVaultUri location: location + resourcePrefix: resourcePrefix skuName: logStorageSkuName storageAccountName: logStorageAccountName storageEncryptionKeyName: storageEncryptionKeyName diff --git a/src/bicep/core/spoke-storage.bicep b/src/bicep/core/spoke-storage.bicep index 720fadad8..37b65d9ef 100644 --- a/src/bicep/core/spoke-storage.bicep +++ b/src/bicep/core/spoke-storage.bicep 
@@ -8,6 +8,7 @@ param keyVaultUri string param location string param logStorageAccountName string param logStorageSkuName string +param resourcePrefix string param storageEncryptionKeyName string param subnetResourceId string param tags object @@ -16,14 +17,15 @@ param userAssignedIdentityResourceId string module storageAccount '../modules/storage-account.bicep' = { name: 'storage' params: { - storageAccountName: logStorageAccountName - location: location - skuName: logStorageSkuName - tags: tags azureBlobsPrivateDnsZoneResourceId: azureBlobsPrivateDnsZoneResourceId keyVaultUri: keyVaultUri + location: location + resourcePrefix: resourcePrefix + skuName: logStorageSkuName + storageAccountName: logStorageAccountName storageEncryptionKeyName: storageEncryptionKeyName subnetResourceId: subnetResourceId + tags: tags userAssignedIdentityResourceId: userAssignedIdentityResourceId } } diff --git a/src/bicep/mlz.bicep b/src/bicep/mlz.bicep index 7e478652e..edda0ce69 100644 --- a/src/bicep/mlz.bicep +++ b/src/bicep/mlz.bicep @@ -890,6 +890,7 @@ module hubStorage './core/hub-storage.bicep' = { location: location logStorageAccountName: hubLogStorageAccountName logStorageSkuName: logStorageSkuName + resourcePrefix: resourcePrefix storageEncryptionKeyName: operationsCustomerManagedKeys.outputs.storageKeyName subnetResourceId: hubNetwork.outputs.subnetResourceId tags: calculatedTags @@ -908,6 +909,7 @@ module spokeStorage './core/spoke-storage.bicep' = [for (spoke, i) in spokes: { location: location logStorageAccountName: spoke.logStorageAccountName logStorageSkuName: logStorageSkuName + resourcePrefix: resourcePrefix storageEncryptionKeyName: operationsCustomerManagedKeys.outputs.storageKeyName subnetResourceId: spokeNetworks[i].outputs.subnetResourceId tags: tags diff --git a/src/bicep/mlz.json b/src/bicep/mlz.json index 17daef7f4..9c5e8c52d 100644 --- a/src/bicep/mlz.json +++ b/src/bicep/mlz.json 
@@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.24.24.22086", - "templateHash": "7750568451689560969" + "templateHash": "16958536441744639775" } }, "parameters": { @@ -4381,6 +4381,9 @@ "logStorageSkuName": { "value": "[parameters('logStorageSkuName')]" }, + "resourcePrefix": { + "value": "[parameters('resourcePrefix')]" + }, "storageEncryptionKeyName": { "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-cmk-ops-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.storageKeyName.value]" }, @@ -4401,7 +4404,7 @@ "_generator": { "name": "bicep", "version": "0.24.24.22086", - "templateHash": "14124653364128132696" + "templateHash": "11462674206164110982" } }, "parameters": { @@ -4420,6 +4423,9 @@ "location": { "type": "string" }, + "resourcePrefix": { + "type": "string" + }, "storageEncryptionKeyName": { "type": "string" }, @@ -4456,6 +4462,9 @@ "location": { "value": "[parameters('location')]" }, + "resourcePrefix": { + "value": "[parameters('resourcePrefix')]" + }, "skuName": { "value": "[parameters('logStorageSkuName')]" }, @@ -4479,7 +4488,7 @@ "_generator": { "name": "bicep", "version": "0.24.24.22086", - "templateHash": "13226692994420197356" + "templateHash": "1520789956270360080" } }, "parameters": { @@ -4492,6 +4501,9 @@ "location": { "type": "string" }, + "resourcePrefix": { + "type": "string" + }, "skuName": { "type": "string" }, @@ -4579,7 +4591,7 @@ { "type": "Microsoft.Network/privateEndpoints", "apiVersion": "2020-05-01", - "name": "[format('pe-{0}', parameters('storageAccountName'))]", + "name": "[format('{0}-blob', replace(parameters('storageAccountName'), parameters('resourcePrefix'), format('{0}-pe', parameters('resourcePrefix'))))]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", "properties": { 
@@ -4588,7 +4600,7 @@ }, "privateLinkServiceConnections": [ { - "name": "[format('pe-{0}_{1}', parameters('storageAccountName'), guid(resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))))]", + "name": "[format('{0}-blob_{1}', replace(parameters('storageAccountName'), parameters('resourcePrefix'), format('{0}-pe', parameters('resourcePrefix'))), guid(resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))))]", "properties": { "privateLinkServiceId": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]", "groupIds": [ @@ -4605,7 +4617,7 @@ { "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", "apiVersion": "2021-08-01", - "name": "[format('{0}/{1}', format('pe-{0}', parameters('storageAccountName')), parameters('storageAccountName'))]", + "name": "[format('{0}/{1}', format('{0}-blob', replace(parameters('storageAccountName'), parameters('resourcePrefix'), format('{0}-pe', parameters('resourcePrefix')))), parameters('storageAccountName'))]", "properties": { "privateDnsZoneConfigs": [ { @@ -4617,7 +4629,7 @@ ] }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', format('pe-{0}', parameters('storageAccountName')))]" + "[resourceId('Microsoft.Network/privateEndpoints', format('{0}-blob', replace(parameters('storageAccountName'), parameters('resourcePrefix'), format('{0}-pe', parameters('resourcePrefix')))))]" ] } ], @@ -4676,6 +4688,9 @@ "logStorageSkuName": { "value": "[parameters('logStorageSkuName')]" }, + "resourcePrefix": { + "value": "[parameters('resourcePrefix')]" + }, "storageEncryptionKeyName": { "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-cmk-ops-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.storageKeyName.value]" }, 
@@ -4696,7 +4711,7 @@ "_generator": { "name": "bicep", "version": "0.24.24.22086", - "templateHash": "17590283376492382893" + "templateHash": "6757591555111592544" } }, "parameters": { @@ -4715,6 +4730,9 @@ "logStorageSkuName": { "type": "string" }, + "resourcePrefix": { + "type": "string" + }, "storageEncryptionKeyName": { "type": "string" }, @@ -4739,23 +4757,23 @@ }, "mode": "Incremental", "parameters": { - "storageAccountName": { - "value": "[parameters('logStorageAccountName')]" + "azureBlobsPrivateDnsZoneResourceId": { + "value": "[parameters('azureBlobsPrivateDnsZoneResourceId')]" + }, + "keyVaultUri": { + "value": "[parameters('keyVaultUri')]" }, "location": { "value": "[parameters('location')]" }, + "resourcePrefix": { + "value": "[parameters('resourcePrefix')]" + }, "skuName": { "value": "[parameters('logStorageSkuName')]" }, - "tags": { - "value": "[parameters('tags')]" - }, - "azureBlobsPrivateDnsZoneResourceId": { - "value": "[parameters('azureBlobsPrivateDnsZoneResourceId')]" - }, - "keyVaultUri": { - "value": "[parameters('keyVaultUri')]" + "storageAccountName": { + "value": "[parameters('logStorageAccountName')]" }, "storageEncryptionKeyName": { "value": "[parameters('storageEncryptionKeyName')]" @@ -4763,6 +4781,9 @@ "subnetResourceId": { "value": "[parameters('subnetResourceId')]" }, + "tags": { + "value": "[parameters('tags')]" + }, "userAssignedIdentityResourceId": { "value": "[parameters('userAssignedIdentityResourceId')]" } @@ -4774,7 +4795,7 @@ "_generator": { "name": "bicep", "version": "0.24.24.22086", - "templateHash": "13226692994420197356" + "templateHash": "1520789956270360080" } }, "parameters": { @@ -4787,6 +4808,9 @@ "location": { "type": "string" }, + "resourcePrefix": { + "type": "string" + }, "skuName": { "type": "string" }, 
@@ -4874,7 +4898,7 @@ { "type": "Microsoft.Network/privateEndpoints", "apiVersion": "2020-05-01", - "name": "[format('pe-{0}', parameters('storageAccountName'))]", + "name": "[format('{0}-blob', replace(parameters('storageAccountName'), parameters('resourcePrefix'), format('{0}-pe', parameters('resourcePrefix'))))]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", "properties": { @@ -4883,7 +4907,7 @@ }, "privateLinkServiceConnections": [ { - "name": "[format('pe-{0}_{1}', parameters('storageAccountName'), guid(resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))))]", + "name": "[format('{0}-blob_{1}', replace(parameters('storageAccountName'), parameters('resourcePrefix'), format('{0}-pe', parameters('resourcePrefix'))), guid(resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))))]", "properties": { "privateLinkServiceId": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]", "groupIds": [ @@ -4900,7 +4924,7 @@ { "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", "apiVersion": "2021-08-01", - "name": "[format('{0}/{1}', format('pe-{0}', parameters('storageAccountName')), parameters('storageAccountName'))]", + "name": "[format('{0}/{1}', format('{0}-blob', replace(parameters('storageAccountName'), parameters('resourcePrefix'), format('{0}-pe', parameters('resourcePrefix')))), parameters('storageAccountName'))]", "properties": { "privateDnsZoneConfigs": [ { @@ -4912,7 +4936,7 @@ ] }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', format('pe-{0}', parameters('storageAccountName')))]" + "[resourceId('Microsoft.Network/privateEndpoints', format('{0}-blob', replace(parameters('storageAccountName'), parameters('resourcePrefix'), format('{0}-pe', parameters('resourcePrefix')))))]" ] } ], diff --git a/src/bicep/modules/storage-account.bicep b/src/bicep/modules/storage-account.bicep index c2c7bf813..91bda4415 100644 
--- a/src/bicep/modules/storage-account.bicep +++ b/src/bicep/modules/storage-account.bicep @@ -6,6 +6,7 @@ Licensed under the MIT License. param azureBlobsPrivateDnsZoneResourceId string param keyVaultUri string param location string +param resourcePrefix string param skuName string param storageAccountName string param storageEncryptionKeyName string @@ -77,7 +78,7 @@ resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' = { } resource privateEndpoint 'Microsoft.Network/privateEndpoints@2020-05-01' = { - name: 'pe-${storageAccountName}' + name: '${replace(storageAccountName, resourcePrefix, '${resourcePrefix}-pe')}-blob' location: location tags: tags properties: { @@ -86,7 +87,7 @@ resource privateEndpoint 'Microsoft.Network/privateEndpoints@2020-05-01' = { } privateLinkServiceConnections: [ { - name: 'pe-${storageAccountName}_${guid(storageAccount.id)}' + name: '${replace(storageAccountName, resourcePrefix, '${resourcePrefix}-pe')}-blob_${guid(storageAccount.id)}' properties: { privateLinkServiceId: storageAccount.id groupIds: [ From 9dd2f25e9723c1975cdf11841850468b06ea7390 Mon Sep 17 00:00:00 2001 From: Jason Masten Date: Sun, 21 Jan 2024 08:44:43 -0500 Subject: [PATCH 03/28] Fixed storage pvt endpoint name --- src/bicep/mlz.json | 26 ++++++++++++------------- src/bicep/modules/storage-account.bicep | 4 ++-- 2 files changed, 15 insertions(+), 15 deletions(-) diff --git a/src/bicep/mlz.json b/src/bicep/mlz.json index 9c5e8c52d..b157c13ea 100644 --- a/src/bicep/mlz.json +++ b/src/bicep/mlz.json @@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.24.24.22086", - "templateHash": "16958536441744639775" + "templateHash": "14718053459101585776" } }, "parameters": { @@ -4404,7 +4404,7 @@ "_generator": { "name": "bicep", "version": "0.24.24.22086", - "templateHash": "11462674206164110982" + "templateHash": "5510129619512917487" } }, "parameters": { 
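Review bot: `replace(storageAccountName, resourcePrefix, '${resourcePrefix}-pe')` is a case-sensitive substring replacement, and storage account names are lowercase alphanumeric only, so when `resourcePrefix` contains uppercase letters or hyphens, or the account name was built without the literal prefix, the replace is a no-op and the endpoint is simply named `<storageAccountName>-blob`; confirm how the callers in hub-storage.bicep and spoke-storage.bicep build `storageAccountName`, or compose the endpoint name from `resourcePrefix` directly instead of rewriting the account name. The same expression appears twice in this hunk (the endpoint name and the connection name), so a single `var privateEndpointName = ...` declared once and referenced in both places would keep them from drifting. The privateEndpoint resource continues past the end of the hunk.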
@@ -4488,7 +4488,7 @@ "_generator": { "name": "bicep", "version": "0.24.24.22086", - "templateHash": "1520789956270360080" + "templateHash": "4946922031441593051" } }, "parameters": { @@ -4591,7 +4591,7 @@ { "type": "Microsoft.Network/privateEndpoints", "apiVersion": "2020-05-01", - "name": "[format('{0}-blob', replace(parameters('storageAccountName'), parameters('resourcePrefix'), format('{0}-pe', parameters('resourcePrefix'))))]", + "name": "[format('{0}-blob', replace(parameters('storageAccountName'), parameters('resourcePrefix'), format('{0}-pe-', parameters('resourcePrefix'))))]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", "properties": { @@ -4600,7 +4600,7 @@ }, "privateLinkServiceConnections": [ { - "name": "[format('{0}-blob_{1}', replace(parameters('storageAccountName'), parameters('resourcePrefix'), format('{0}-pe', parameters('resourcePrefix'))), guid(resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))))]", + "name": "[format('{0}-blob_{1}', replace(parameters('storageAccountName'), parameters('resourcePrefix'), format('{0}-pe-', parameters('resourcePrefix'))), guid(resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))))]", "properties": { "privateLinkServiceId": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]", "groupIds": [ @@ -4617,7 +4617,7 @@ { "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", "apiVersion": "2021-08-01", - "name": "[format('{0}/{1}', format('{0}-blob', replace(parameters('storageAccountName'), parameters('resourcePrefix'), format('{0}-pe', parameters('resourcePrefix')))), parameters('storageAccountName'))]", + "name": "[format('{0}/{1}', format('{0}-blob', replace(parameters('storageAccountName'), parameters('resourcePrefix'), format('{0}-pe-', parameters('resourcePrefix')))), parameters('storageAccountName'))]", "properties": { "privateDnsZoneConfigs": [ { 
@@ -4629,7 +4629,7 @@ ] }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', format('{0}-blob', replace(parameters('storageAccountName'), parameters('resourcePrefix'), format('{0}-pe', parameters('resourcePrefix')))))]" + "[resourceId('Microsoft.Network/privateEndpoints', format('{0}-blob', replace(parameters('storageAccountName'), parameters('resourcePrefix'), format('{0}-pe-', parameters('resourcePrefix')))))]" ] } ], @@ -4711,7 +4711,7 @@ "_generator": { "name": "bicep", "version": "0.24.24.22086", - "templateHash": "6757591555111592544" + "templateHash": "17374882761460444084" } }, "parameters": { @@ -4795,7 +4795,7 @@ "_generator": { "name": "bicep", "version": "0.24.24.22086", - "templateHash": "1520789956270360080" + "templateHash": "4946922031441593051" } }, "parameters": { @@ -4898,7 +4898,7 @@ { "type": "Microsoft.Network/privateEndpoints", "apiVersion": "2020-05-01", - "name": "[format('{0}-blob', replace(parameters('storageAccountName'), parameters('resourcePrefix'), format('{0}-pe', parameters('resourcePrefix'))))]", + "name": "[format('{0}-blob', replace(parameters('storageAccountName'), parameters('resourcePrefix'), format('{0}-pe-', parameters('resourcePrefix'))))]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", "properties": { 
@@ -4907,7 +4907,7 @@ }, "privateLinkServiceConnections": [ { - "name": "[format('{0}-blob_{1}', replace(parameters('storageAccountName'), parameters('resourcePrefix'), format('{0}-pe', parameters('resourcePrefix'))), guid(resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))))]", + "name": "[format('{0}-blob_{1}', replace(parameters('storageAccountName'), parameters('resourcePrefix'), format('{0}-pe-', parameters('resourcePrefix'))), guid(resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))))]", "properties": { "privateLinkServiceId": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]", "groupIds": [ @@ -4924,7 +4924,7 @@ { "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", "apiVersion": "2021-08-01", - "name": "[format('{0}/{1}', format('{0}-blob', replace(parameters('storageAccountName'), parameters('resourcePrefix'), format('{0}-pe', parameters('resourcePrefix')))), parameters('storageAccountName'))]", + "name": "[format('{0}/{1}', format('{0}-blob', replace(parameters('storageAccountName'), parameters('resourcePrefix'), format('{0}-pe-', parameters('resourcePrefix')))), parameters('storageAccountName'))]", "properties": { "privateDnsZoneConfigs": [ { @@ -4936,7 +4936,7 @@ ] }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', format('{0}-blob', replace(parameters('storageAccountName'), parameters('resourcePrefix'), format('{0}-pe', parameters('resourcePrefix')))))]" + "[resourceId('Microsoft.Network/privateEndpoints', format('{0}-blob', replace(parameters('storageAccountName'), parameters('resourcePrefix'), format('{0}-pe-', parameters('resourcePrefix')))))]" ] } ], diff --git a/src/bicep/modules/storage-account.bicep b/src/bicep/modules/storage-account.bicep index 91bda4415..47b109706 100644 --- a/src/bicep/modules/storage-account.bicep +++ b/src/bicep/modules/storage-account.bicep 
@@ -78,7 +78,7 @@ resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' = { } resource privateEndpoint 'Microsoft.Network/privateEndpoints@2020-05-01' = { - name: '${replace(storageAccountName, resourcePrefix, '${resourcePrefix}-pe')}-blob' + name: '${replace(storageAccountName, resourcePrefix, '${resourcePrefix}-pe-')}-blob' location: location tags: tags properties: { @@ -87,7 +87,7 @@ resource privateEndpoint 'Microsoft.Network/privateEndpoints@2020-05-01' = { } privateLinkServiceConnections: [ { - name: '${replace(storageAccountName, resourcePrefix, '${resourcePrefix}-pe')}-blob_${guid(storageAccount.id)}' + name: '${replace(storageAccountName, resourcePrefix, '${resourcePrefix}-pe-')}-blob_${guid(storageAccount.id)}' properties: { privateLinkServiceId: storageAccount.id groupIds: [ From 2a010437933a8f59fbecc41053792841ca9a8abc Mon Sep 17 00:00:00 2001 From: Jason Masten Date: Sun, 21 Jan 2024 09:05:17 -0500 Subject: [PATCH 04/28] Added pvt endpoint for key vault --- .../operations-customer-managed-keys.bicep | 6 ++ src/bicep/mlz.bicep | 3 + src/bicep/mlz.json | 93 ++++++++++++++++++- src/bicep/modules/key-vault.bicep | 46 +++++++++ 4 files changed, 145 insertions(+), 3 deletions(-) diff --git a/src/bicep/core/operations-customer-managed-keys.bicep b/src/bicep/core/operations-customer-managed-keys.bicep index 9e8907523..e9d69a56e 100644 --- a/src/bicep/core/operations-customer-managed-keys.bicep +++ b/src/bicep/core/operations-customer-managed-keys.bicep @@ -4,7 +4,10 @@ Licensed under the MIT License. */ param keyVaultName string +param keyVaultPrivateDnsZoneResourceId string param location string +param resourcePrefix string +param subnetResourceId string param tags object param userAssignedIdentityName string 
@@ -12,7 +15,10 @@ module keyVault '../modules/key-vault.bicep' = { name: 'keyVault' params: { keyVaultName: keyVaultName + keyVaultPrivateDnsZoneResourceId: keyVaultPrivateDnsZoneResourceId location: location + resourcePrefix: resourcePrefix + subnetResourceId: subnetResourceId tags: tags } } diff --git a/src/bicep/mlz.bicep b/src/bicep/mlz.bicep index edda0ce69..e6a4fb3a5 100644 --- a/src/bicep/mlz.bicep +++ b/src/bicep/mlz.bicep @@ -873,6 +873,9 @@ module operationsCustomerManagedKeys './core/operations-customer-managed-keys.bi location: location tags: calculatedTags userAssignedIdentityName: operationsUserAssignedIdentityName + keyVaultPrivateDnsZoneResourceId: privateDnsZones.outputs.keyvaultDnsPrivateDnsZoneId + resourcePrefix: resourcePrefix + subnetResourceId: spokeNetworks[1].outputs.subnetResourceId } dependsOn: [ spokeNetworks diff --git a/src/bicep/mlz.json b/src/bicep/mlz.json index b157c13ea..68f8d5d13 100644 --- a/src/bicep/mlz.json +++ b/src/bicep/mlz.json @@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.24.24.22086", - "templateHash": "14718053459101585776" + "templateHash": "8925990070387210835" } }, "parameters": { 
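Review bot: `subnetResourceId: spokeNetworks[1].outputs.subnetResourceId` ties the key vault private endpoint to whichever spoke is second in the module loop, and nothing in this hunk says that is the operations spoke (the compiled template resolves it to `variables('spokes')[1]`). If the spokes array is reordered the endpoint lands in another VNet and the vault, now firewalled to `Deny`, becomes unreachable from operations. Prefer resolving the operations spoke by name, or at least annotate the call: `// spokeNetworks[1] is the operations spoke; keep in sync with the spokes variable`.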
@@ -4005,6 +4005,15 @@ }, "userAssignedIdentityName": { "value": "[variables('operationsUserAssignedIdentityName')]" + }, + "keyVaultPrivateDnsZoneResourceId": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', 'azure-private-dns'), '2022-09-01').outputs.keyvaultDnsPrivateDnsZoneId.value]" + }, + "resourcePrefix": { + "value": "[parameters('resourcePrefix')]" + }, + "subnetResourceId": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', variables('spokes')[1].subscriptionId, variables('spokes')[1].resourceGroupName), 'Microsoft.Resources/deployments', format('deploy-vnet-{0}-{1}', variables('spokes')[1].name, parameters('deploymentNameSuffix'))), '2022-09-01').outputs.subnetResourceId.value]" } }, "template": { @@ -4014,16 +4023,25 @@ "_generator": { "name": "bicep", "version": "0.24.24.22086", - "templateHash": "17165778028720193930" + "templateHash": "14463858223926181103" } }, "parameters": { "keyVaultName": { "type": "string" }, + "keyVaultPrivateDnsZoneResourceId": { + "type": "string" + }, "location": { "type": "string" }, + "resourcePrefix": { + "type": "string" + }, + "subnetResourceId": { + "type": "string" + }, "tags": { "type": "object" }, @@ -4045,9 +4063,18 @@ "keyVaultName": { "value": "[parameters('keyVaultName')]" }, + "keyVaultPrivateDnsZoneResourceId": { + "value": "[parameters('keyVaultPrivateDnsZoneResourceId')]" + }, "location": { "value": "[parameters('location')]" }, + "resourcePrefix": { + "value": "[parameters('resourcePrefix')]" + }, + "subnetResourceId": { + "value": "[parameters('subnetResourceId')]" + }, "tags": { "value": "[parameters('tags')]" } @@ -4059,7 +4086,7 @@ "_generator": { "name": "bicep", "version": "0.24.24.22086", - "templateHash": "14987883252195967823" + "templateHash": "17786330016094382581" } }, "parameters": { 
@@ -4070,9 +4097,18 @@ "keyVaultName": { "type": "string" }, + "keyVaultPrivateDnsZoneResourceId": { + "type": "string" + }, "location": { "type": "string" }, + "resourcePrefix": { + "type": "string" + }, + "subnetResourceId": { + "type": "string" + }, "tags": { "type": "object" } @@ -4091,6 +4127,12 @@ "enablePurgeProtection": true, "enableRbacAuthorization": true, "enableSoftDelete": true, + "networkAcls": { + "bypass": "AzureServices", + "virtualNetworkRules": [], + "ipRules": [], + "defaultAction": "Deny" + }, "sku": { "family": "A", "name": "standard" 
@@ -4099,6 +4141,50 @@ "tenantId": "[subscription().tenantId]" } }, + { + "type": "Microsoft.Network/privateEndpoints", + "apiVersion": "2020-05-01", + "name": "[replace(parameters('keyVaultName'), parameters('resourcePrefix'), format('{0}-pe-', parameters('resourcePrefix')))]", + "location": "[parameters('location')]", + "tags": "[parameters('tags')]", + "properties": { + "subnet": { + "id": "[parameters('subnetResourceId')]" + }, + "privateLinkServiceConnections": [ + { + "name": "[replace(parameters('keyVaultName'), parameters('resourcePrefix'), format('{0}-nic-', parameters('resourcePrefix')))]", + "properties": { + "privateLinkServiceId": "[resourceId('Microsoft.KeyVault/vaults', parameters('keyVaultName'))]", + "groupIds": [ + "vault" + ] + } + } + ] + }, + "dependsOn": [ + "[resourceId('Microsoft.KeyVault/vaults', parameters('keyVaultName'))]" + ] + }, + { + "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", + "apiVersion": "2021-08-01", + "name": "[format('{0}/{1}', replace(parameters('keyVaultName'), parameters('resourcePrefix'), format('{0}-pe-', parameters('resourcePrefix'))), parameters('keyVaultName'))]", + "properties": { + "privateDnsZoneConfigs": [ + { + "name": "ipconfig1", + "properties": { + "privateDnsZoneId": "[parameters('keyVaultPrivateDnsZoneResourceId')]" + } + } + ] + }, + "dependsOn": [ + "[resourceId('Microsoft.Network/privateEndpoints', replace(parameters('keyVaultName'), parameters('resourcePrefix'), format('{0}-pe-', parameters('resourcePrefix'))))]" + ] + }, { "type": "Microsoft.KeyVault/vaults/keys", "apiVersion": "2022-07-01", @@ -4351,6 +4437,7 @@ } }, "dependsOn": [ + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', 'azure-private-dns')]", "spokeNetworks" ] }, diff --git a/src/bicep/modules/key-vault.bicep b/src/bicep/modules/key-vault.bicep index 63828972c..a2908dbf0 100644 
--- a/src/bicep/modules/key-vault.bicep +++ b/src/bicep/modules/key-vault.bicep @@ -1,6 +1,9 @@ param diskEncryptionKeyExpirationInDays int = 30 param keyVaultName string +param keyVaultPrivateDnsZoneResourceId string param location string +param resourcePrefix string +param subnetResourceId string param tags object resource vault 'Microsoft.KeyVault/vaults@2022-07-01' = { @@ -14,6 +17,12 @@ resource vault 'Microsoft.KeyVault/vaults@2022-07-01' = { enablePurgeProtection: true enableRbacAuthorization: true enableSoftDelete: true + networkAcls: { + bypass: 'AzureServices' + virtualNetworkRules: [] + ipRules: [] + defaultAction: 'Deny' + } sku: { family: 'A' name: 'standard' @@ -23,6 +32,43 @@ resource vault 'Microsoft.KeyVault/vaults@2022-07-01' = { } } +resource privateEndpoint 'Microsoft.Network/privateEndpoints@2020-05-01' = { + name: replace(keyVaultName, resourcePrefix, '${resourcePrefix}-pe-') + location: location + tags: tags + properties: { + subnet: { + id: subnetResourceId + } + privateLinkServiceConnections: [ + { + name: replace(keyVaultName, resourcePrefix, '${resourcePrefix}-nic-') + properties: { + privateLinkServiceId: vault.id + groupIds: [ + 'vault' + ] + } + } + ] + } +} + +resource privateDnsZoneGroups 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2021-08-01' = { + parent: privateEndpoint + name: keyVaultName + properties: { + privateDnsZoneConfigs: [ + { + name: 'ipconfig1' + properties: { + privateDnsZoneId: keyVaultPrivateDnsZoneResourceId + } + } + ] + } +} + resource key_disks 'Microsoft.KeyVault/vaults/keys@2022-07-01' = { parent: vault name: 'DiskEncryptionKey' From c837a91f9daef848a1d073a12dfd2ab3a1ebff8b Mon Sep 17 00:00:00 2001 From: Jason Masten Date: Sun, 21 Jan 2024 09:06:12 -0500 Subject: [PATCH 05/28] Updated nic name for storage pvt endpoint --- src/bicep/mlz.json | 14 +++++++------- src/bicep/modules/storage-account.bicep | 2 +- 2 files changed, 8 insertions(+), 8 deletions(-) 
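Review bot: The new `networkAcls` block sets `defaultAction: 'Deny'` but leaves `publicNetworkAccess` at its default, so the vault's public endpoint stays enabled and any later edit that adds an `ipRules` or `virtualNetworkRules` entry re-exposes it; since a private endpoint is now provisioned, add `publicNetworkAccess: 'Disabled'` next to `networkAcls` so the public path is closed regardless of ACL contents (trusted-service traffic still passes under `bypass: 'AzureServices'`). Two smaller points: the endpoint uses `Microsoft.Network/privateEndpoints@2020-05-01` while the zone group uses `2021-08-01`, and the DNS config `name: 'ipconfig1'` is misleading for a zone config — a name like `'privatelink-vaultcore'` reads better. As with the storage module, `replace(keyVaultName, resourcePrefix, ...)` is case-sensitive, so it only renames correctly when `resourcePrefix` is passed in the same case the naming convention lowercased it to.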
diff --git a/src/bicep/mlz.json b/src/bicep/mlz.json index 68f8d5d13..864f832dd 100644 --- a/src/bicep/mlz.json +++ b/src/bicep/mlz.json @@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.24.24.22086", - "templateHash": "8925990070387210835" + "templateHash": "9972767709466004443" } }, "parameters": { @@ -4491,7 +4491,7 @@ "_generator": { "name": "bicep", "version": "0.24.24.22086", - "templateHash": "5510129619512917487" + "templateHash": "10734217835166840924" } }, "parameters": { @@ -4575,7 +4575,7 @@ "_generator": { "name": "bicep", "version": "0.24.24.22086", - "templateHash": "4946922031441593051" + "templateHash": "9704332619171498618" } }, "parameters": { @@ -4687,7 +4687,7 @@ }, "privateLinkServiceConnections": [ { - "name": "[format('{0}-blob_{1}', replace(parameters('storageAccountName'), parameters('resourcePrefix'), format('{0}-pe-', parameters('resourcePrefix'))), guid(resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))))]", + "name": "[format('{0}-blob', replace(parameters('storageAccountName'), parameters('resourcePrefix'), format('{0}-nic-', parameters('resourcePrefix'))))]", "properties": { "privateLinkServiceId": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]", "groupIds": [ @@ -4798,7 +4798,7 @@ "_generator": { "name": "bicep", "version": "0.24.24.22086", - "templateHash": "17374882761460444084" + "templateHash": "2099731221487572818" } }, "parameters": { @@ -4882,7 +4882,7 @@ "_generator": { "name": "bicep", "version": "0.24.24.22086", - "templateHash": "4946922031441593051" + "templateHash": "9704332619171498618" } }, "parameters": { 
@@ -4994,7 +4994,7 @@ }, "privateLinkServiceConnections": [ { - "name": "[format('{0}-blob_{1}', replace(parameters('storageAccountName'), parameters('resourcePrefix'), format('{0}-pe-', parameters('resourcePrefix'))), guid(resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))))]", + "name": "[format('{0}-blob', replace(parameters('storageAccountName'), parameters('resourcePrefix'), format('{0}-nic-', parameters('resourcePrefix'))))]", "properties": { "privateLinkServiceId": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]", "groupIds": [ diff --git a/src/bicep/modules/storage-account.bicep b/src/bicep/modules/storage-account.bicep index 47b109706..0ffd32394 100644 --- a/src/bicep/modules/storage-account.bicep +++ b/src/bicep/modules/storage-account.bicep @@ -87,7 +87,7 @@ resource privateEndpoint 'Microsoft.Network/privateEndpoints@2020-05-01' = { } privateLinkServiceConnections: [ { - name: '${replace(storageAccountName, resourcePrefix, '${resourcePrefix}-pe-')}-blob_${guid(storageAccount.id)}' + name: '${replace(storageAccountName, resourcePrefix, '${resourcePrefix}-nic-')}-blob' properties: { privateLinkServiceId: storageAccount.id groupIds: [ From 9f0b40d0054e0fcaabcb7f31139b2c7f3b3ba2ad Mon Sep 17 00:00:00 2001 From: Jason Masten Date: Sun, 21 Jan 2024 16:40:33 -0500 Subject: [PATCH 06/28] Added CMK for VMs, Fixed VM settings --- .../operations-customer-managed-keys.bicep | 19 +- src/bicep/core/remote-access.bicep | 64 +- src/bicep/form/mlz.portal.json | 68 ++- src/bicep/mlz.bicep | 24 +- src/bicep/mlz.json | 563 ++++++++++++++---- src/bicep/modules/disk-encryption-set.bicep | 42 ++ src/bicep/modules/linux-virtual-machine.bicep | 63 +- .../modules/windows-virtual-machine.bicep | 80 ++- 8 files changed, 688 insertions(+), 235 deletions(-) create mode 100644 src/bicep/modules/disk-encryption-set.bicep 
diff --git a/src/bicep/core/operations-customer-managed-keys.bicep b/src/bicep/core/operations-customer-managed-keys.bicep index e9d69a56e..d4a7fcd7b 100644 --- a/src/bicep/core/operations-customer-managed-keys.bicep +++ b/src/bicep/core/operations-customer-managed-keys.bicep @@ -3,6 +3,8 @@ Copyright (c) Microsoft Corporation. Licensed under the MIT License. */ +param diskEncryptionSetName string +param deploymentNameSuffix string param keyVaultName string param keyVaultPrivateDnsZoneResourceId string param location string @@ -12,7 +14,7 @@ param tags object param userAssignedIdentityName string module keyVault '../modules/key-vault.bicep' = { - name: 'keyVault' + name: 'deploy-key-vault-${deploymentNameSuffix}' params: { keyVaultName: keyVaultName keyVaultPrivateDnsZoneResourceId: keyVaultPrivateDnsZoneResourceId @@ -23,8 +25,20 @@ module keyVault '../modules/key-vault.bicep' = { } } +module diskEncryptionSet '../modules/disk-encryption-set.bicep' = { + name: 'deploy-disk-encryption-set_${deploymentNameSuffix}' + params: { + deploymentNameSuffix: deploymentNameSuffix + diskEncryptionSetName: diskEncryptionSetName + keyUrl: keyVault.outputs.keyUriWithVersion + keyVaultResourceId: keyVault.outputs.keyVaultResourceId + location: location + tags: contains(tags, 'Microsoft.Compute/diskEncryptionSets') ? tags['Microsoft.Compute/diskEncryptionSets'] : {} + } +} + module userAssignedIdentity '../modules/user-assigned-identity.bicep' = { - name: 'userAssignedIdentity' + name: 'deploy-user-assigned-identity-${deploymentNameSuffix}' params: { location: location name: userAssignedIdentityName @@ -32,6 +46,7 @@ module userAssignedIdentity '../modules/user-assigned-identity.bicep' = { } } +output diskEncryptionSetResourceId string = diskEncryptionSet.outputs.resourceId output keyVaultUri string = keyVault.outputs.keyVaultUri output storageKeyName string = keyVault.outputs.storageKeyName output userAssignedIdentityResourceId string = userAssignedIdentity.outputs.resourceId 
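Review bot: The disk encryption set is bound to `keyUrl: keyVault.outputs.keyUriWithVersion`, which pins it to one key version; unless the new disk-encryption-set module (not in this chunk) sets `rotationToLatestKeyVersionEnabled: true`, a rotated key is never picked up and the VM disks keep encrypting under the old version. Either enable that flag in the module or pass the versionless key URI, and say which in a comment at the call site, e.g. `// versioned key URL: DES follows rotation only if rotationToLatestKeyVersionEnabled is set`. Two style points: `'deploy-disk-encryption-set_${deploymentNameSuffix}'` uses an underscore where the sibling deployments use `-`, and the tag selection `contains(tags, 'Microsoft.Compute/diskEncryptionSets') ? ... : {}` implies a per-resource-type tag map while `keyVault` and `userAssignedIdentity` receive `tags` unchanged — confirm which shape the caller passes so the vault and identity are not tagged with the whole map.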
diff --git a/src/bicep/core/remote-access.bicep b/src/bicep/core/remote-access.bicep index 50d3290e4..a40ad4b25 100644 --- a/src/bicep/core/remote-access.bicep +++ b/src/bicep/core/remote-access.bicep @@ -10,8 +10,11 @@ param bastionHostPublicIPAddressAvailabilityZones array param bastionHostPublicIPAddressName string param bastionHostPublicIPAddressSkuName string param bastionHostSubnetResourceId string +param diskEncryptionSetResourceId string param hubNetworkSecurityGroupResourceId string param hubSubnetResourceId string +param hybridUseBenefit bool +param linuxDiskName string param linuxNetworkInterfaceIpConfigurationName string param linuxNetworkInterfaceName string param linuxNetworkInterfacePrivateIPAddressAllocationMethod string @@ -35,6 +38,7 @@ param linuxVmSize string param location string param logAnalyticsWorkspaceId string param tags object +param windowsDiskName string param windowsNetworkInterfaceIpConfigurationName string param windowsNetworkInterfaceName string param windowsNetworkInterfacePrivateIPAddressAllocationMethod string 
@@ -69,70 +73,72 @@ module bastionHost '../modules/bastion-host.bicep' = { module linuxNetworkInterface '../modules/network-interface.bicep' = { name: 'remoteAccess-linuxNetworkInterface' params: { - name: linuxNetworkInterfaceName - location: location - tags: tags - ipConfigurationName: linuxNetworkInterfaceIpConfigurationName + location: location + name: linuxNetworkInterfaceName networkSecurityGroupId: hubNetworkSecurityGroupResourceId privateIPAddressAllocationMethod: linuxNetworkInterfacePrivateIPAddressAllocationMethod subnetId: hubSubnetResourceId + tags: tags } } module linuxVirtualMachine '../modules/linux-virtual-machine.bicep' = { name: 'remoteAccess-linuxVirtualMachine' params: { - name: linuxVmName + adminPasswordOrKey: linuxVmAdminPasswordOrKey + adminUsername: linuxVmAdminUsername + authenticationType: linuxVmAuthenticationType + diskEncryptionSetResourceId: diskEncryptionSetResourceId + diskName: linuxDiskName + hybridUseBenefit: hybridUseBenefit location: location - tags: tags - - vmSize: linuxVmSize + logAnalyticsWorkspaceId: logAnalyticsWorkspaceId + name: linuxVmName + networkInterfaceName: linuxNetworkInterface.outputs.name osDiskCreateOption: linuxVmOsDiskCreateOption osDiskType: linuxVmOsDiskType - vmImagePublisher: linuxVmImagePublisher + tags: tags vmImageOffer: linuxVmImageOffer + vmImagePublisher: linuxVmImagePublisher vmImageSku: linuxVmImageSku vmImageVersion: linuxVmImageVersion - adminUsername: linuxVmAdminUsername - authenticationType: linuxVmAuthenticationType - adminPasswordOrKey: linuxVmAdminPasswordOrKey - networkInterfaceName: linuxNetworkInterface.outputs.name - logAnalyticsWorkspaceId: logAnalyticsWorkspaceId + vmSize: linuxVmSize } } module windowsNetworkInterface '../modules/network-interface.bicep' = { name: 'remoteAccess-windowsNetworkInterface' params: { - name: windowsNetworkInterfaceName - location: location - tags: tags - ipConfigurationName: windowsNetworkInterfaceIpConfigurationName + location: location + name: 
windowsNetworkInterfaceName networkSecurityGroupId: hubNetworkSecurityGroupResourceId privateIPAddressAllocationMethod: windowsNetworkInterfacePrivateIPAddressAllocationMethod subnetId: hubSubnetResourceId + tags: tags } } module windowsVirtualMachine '../modules/windows-virtual-machine.bicep' = { name: 'remoteAccess-windowsVirtualMachine' params: { - name: windowsVmName - location: location - tags: tags - - size: windowsVmSize - adminUsername: windowsVmAdminUsername adminPassword: windowsVmAdminPassword - publisher: windowsVmPublisher + adminUsername: windowsVmAdminUsername + createOption: windowsVmCreateOption + diskEncryptionSetResourceId: diskEncryptionSetResourceId + diskName: windowsDiskName + hybridUseBenefit: hybridUseBenefit + location: location + logAnalyticsWorkspaceId: logAnalyticsWorkspaceId + name: windowsVmName + networkInterfaceName: windowsNetworkInterface.outputs.name offer: windowsVmOffer + publisher: windowsVmPublisher + size: windowsVmSize sku: windowsVmSku - version: windowsVmVersion - createOption: windowsVmCreateOption storageAccountType: windowsVmStorageAccountType - networkInterfaceName: windowsNetworkInterface.outputs.name - logAnalyticsWorkspaceId: logAnalyticsWorkspaceId + tags: tags + version: windowsVmVersion } } diff --git a/src/bicep/form/mlz.portal.json b/src/bicep/form/mlz.portal.json index 5ef323f75..ac4966c8c 100644 --- a/src/bicep/form/mlz.portal.json +++ b/src/bicep/form/mlz.portal.json @@ -858,6 +858,23 @@ } ] }, + { + "name": "hybridUseBenefit", + "label": "Hybrid Use Benefit", + "type": "Microsoft.Common.Section", + "visible": "[steps('remoteAccess').remoteAccessSection.deployRemoteAccess]", + "elements": [ + { + "name": "enable", + "type": "Microsoft.Common.CheckBox", + "label": "Enable Hybrid Use Benefit?", + "toolTip": "Check here to enable the Hybrid Use Benefit on your virtual machines.", + "constraints": { + "required": false + } + } + ] + }, { "name": "windowsVmSection", "label": "Windows Virtual Machine", 
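Review bot: `hybridUseBenefit: hybridUseBenefit` is now forwarded to `linuxVirtualMachine` as well as `windowsVirtualMachine`, while the parameter is described in mlz.bicep as a discount for an on-premises Windows Server license. The Linux module is outside this chunk; if it maps the flag to `licenseType: 'Windows_Server'` the deployment is rejected for a Linux image, and if it maps to `RHEL_BYOS`/`SLES_BYOS` that is a different entitlement from the one the single portal checkbox describes. Either split the parameter into `windowsHybridUseBenefit`/`linuxHybridUseBenefit`, or document why one flag is safe for both at the call: `// hybridUseBenefit drives licenseType on both VMs; confirm the Linux module's mapping`.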
@@ -981,37 +998,38 @@ "location": "[steps('basics').locationSection.location.name]", "subscriptionId": "[steps('basics').hubSection.hubSubscriptionId]", "parameters": { - "resourcePrefix": "[steps('basics').namingSection.resourcePrefix]", - "resourceSuffix": "[steps('basics').namingSection.resourceSuffix]", - "hubSubscriptionId": "[replace(steps('basics').hubSection.hubSubscriptionId, '/subscriptions/', '')]", - "identitySubscriptionId": "[replace(steps('basics').identitySection.identitySubscriptionId, '/subscriptions/', '')]", - "operationsSubscriptionId": "[replace(steps('basics').operationsSection.operationsSubscriptionId, '/subscriptions/', '')]", - "sharedServicesSubscriptionId": "[replace(steps('basics').sharedServicesSection.sharedServicesSubscriptionId, '/subscriptions/', '')]", - "location": "[steps('basics').locationSection.location.name]", - "firewallSupernetIPAddress": "[steps('networking').hubVirtualNetwork.superNetworkAddressCidrRange]", - "tags": "[if(not(contains(steps('tags').tagsByResource, 'MissionLandingZone')), parse('{}'), first(map(parse(concat('[', string(steps('tags').tagsByResource), ']')), (item) => item.MissionLandingZone)))]", - "hubVirtualNetworkAddressPrefix": "[steps('networking').hubVirtualNetwork.virtualNetworkAddressCidrRange]", - "hubSubnetAddressPrefix": "[steps('networking').hubVirtualNetwork.subnetAddressCidrRange]", + "bastionHostSubnetAddressPrefix": "[steps('remoteAccess').azureBastionSubnetSection.bastionSubnetAddressCidrRange]", + "deployDefender": "[steps('compliance').defenderSection.deployDefender]", + "deployPolicy": "[steps('compliance').policySection.deployPolicy]", + "deployRemoteAccess": "[steps('remoteAccess').remoteAccessSection.deployRemoteAccess]", + "deploySentinel": "[steps('compliance').sentinelSection.deploySentinel]", + "emailSecurityContact": "[steps('compliance').defenderSection.emailSecurityContact]", "firewallClientSubnetAddressPrefix": 
"[steps('networking').hubVirtualNetwork.firewallClientSubnetAddressCidrRange]", "firewallManagementSubnetAddressPrefix": "[steps('networking').hubVirtualNetwork.firewallManagementSubnetAddressCidrRange]", - "identityVirtualNetworkAddressPrefix": "[steps('networking').identityVirtualNetwork.virtualNetworkAddressCidrRange]", + "firewallSupernetIPAddress": "[steps('networking').hubVirtualNetwork.superNetworkAddressCidrRange]", + "hubSubnetAddressPrefix": "[steps('networking').hubVirtualNetwork.subnetAddressCidrRange]", + "hubSubscriptionId": "[replace(steps('basics').hubSection.hubSubscriptionId, '/subscriptions/', '')]", + "hubVirtualNetworkAddressPrefix": "[steps('networking').hubVirtualNetwork.virtualNetworkAddressCidrRange]", + "hybridUseBenefit": "[steps('remoteAccess').hybridUseBenefit.enable]", "identitySubnetAddressPrefix": "[steps('networking').identityVirtualNetwork.subnetAddressCidrRange]", - "operationsVirtualNetworkAddressPrefix": "[steps('networking').operationsVirtualNetwork.virtualNetworkAddressCidrRange]", + "identitySubscriptionId": "[replace(steps('basics').identitySection.identitySubscriptionId, '/subscriptions/', '')]", + "identityVirtualNetworkAddressPrefix": "[steps('networking').identityVirtualNetwork.virtualNetworkAddressCidrRange]", + "linuxVmAdminPasswordOrKey": "[if(equals(steps('remoteAccess').linuxVmSection.linuxVmAdminPasswordOrKey.authenticationType, 'password'), steps('remoteAccess').linuxVmSection.linuxVmAdminPasswordOrKey.password, steps('remoteAccess').linuxVmSection.linuxVmAdminPasswordOrKey.sshPublicKey)]", + "linuxVmAdminUsername": "[steps('remoteAccess').linuxVmSection.linuxVmAdminUsername]", + "linuxVmAuthenticationType": "password", + "location": "[steps('basics').locationSection.location.name]", "operationsSubnetAddressPrefix": "[steps('networking').operationsVirtualNetwork.subnetAddressCidrRange]", - "sharedServicesVirtualNetworkAddressPrefix": 
"[steps('networking').sharedServicesVirtualNetwork.virtualNetworkAddressCidrRange]", - "sharedServicesSubnetAddressPrefix": "[steps('networking').sharedServicesVirtualNetwork.subnetAddressCidrRange]", - "deploySentinel": "[steps('compliance').sentinelSection.deploySentinel]", - "deployPolicy": "[steps('compliance').policySection.deployPolicy]", + "operationsSubscriptionId": "[replace(steps('basics').operationsSection.operationsSubscriptionId, '/subscriptions/', '')]", + "operationsVirtualNetworkAddressPrefix": "[steps('networking').operationsVirtualNetwork.virtualNetworkAddressCidrRange]", "policy": "[steps('compliance').policySection.policy]", - "deployDefender": "[steps('compliance').defenderSection.deployDefender]", - "emailSecurityContact": "[steps('compliance').defenderSection.emailSecurityContact]", - "deployRemoteAccess": "[steps('remoteAccess').remoteAccessSection.deployRemoteAccess]", - "bastionHostSubnetAddressPrefix": "[steps('remoteAccess').azureBastionSubnetSection.bastionSubnetAddressCidrRange]", - "windowsVmAdminUsername": "[steps('remoteAccess').windowsVmSection.windowsVmAdminUsername]", + "resourcePrefix": "[steps('basics').namingSection.resourcePrefix]", + "resourceSuffix": "[steps('basics').namingSection.resourceSuffix]", + "sharedServicesSubnetAddressPrefix": "[steps('networking').sharedServicesVirtualNetwork.subnetAddressCidrRange]", + "sharedServicesSubscriptionId": "[replace(steps('basics').sharedServicesSection.sharedServicesSubscriptionId, '/subscriptions/', '')]", + "sharedServicesVirtualNetworkAddressPrefix": "[steps('networking').sharedServicesVirtualNetwork.virtualNetworkAddressCidrRange]", + "tags": "[if(not(contains(steps('tags').tagsByResource, 'MissionLandingZone')), parse('{}'), first(map(parse(concat('[', string(steps('tags').tagsByResource), ']')), (item) => item.MissionLandingZone)))]", "windowsVmAdminPassword": "[steps('remoteAccess').windowsVmSection.windowsVmAdminPassword.password]", - "linuxVmAdminUsername": 
"[steps('remoteAccess').linuxVmSection.linuxVmAdminUsername]", - "linuxVmAuthenticationType": "password", - "linuxVmAdminPasswordOrKey": "[if(equals(steps('remoteAccess').linuxVmSection.linuxVmAdminPasswordOrKey.authenticationType, 'password'), steps('remoteAccess').linuxVmSection.linuxVmAdminPasswordOrKey.password, steps('remoteAccess').linuxVmSection.linuxVmAdminPasswordOrKey.sshPublicKey)]" + "windowsVmAdminUsername": "[steps('remoteAccess').windowsVmSection.windowsVmAdminUsername]" } } } diff --git a/src/bicep/mlz.bicep b/src/bicep/mlz.bicep index e6a4fb3a5..1914cfc09 100644 --- a/src/bicep/mlz.bicep +++ b/src/bicep/mlz.bicep @@ -388,6 +388,9 @@ param bastionHostSubnetAddressPrefix string = '10.0.100.160/27' @description('The Azure Bastion Public IP Address Availability Zones. It defaults to "No-Zone" because Availability Zones are not available in every cloud. See https://docs.microsoft.com/en-us/azure/virtual-network/ip-services/public-ip-addresses#sku for valid settings.') param bastionHostPublicIPAddressAvailabilityZones array = [] +@description('The hybrid use benefit provides a discount on virtual machines when a customer has an on-premises Windows Server license with Software Assurance.') +param hybridUseBenefit bool = false + // LINUX VIRTUAL MACHINE PARAMETERS @description('The administrator username for the Linux Virtual Machine to Azure Bastion remote into. It defaults to "azureuser".') 
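Review bot: `"linuxVmAuthenticationType": "password"` is still hard-coded even though `linuxVmAdminPasswordOrKey` switches on `linuxVmAdminPasswordOrKey.authenticationType` and forwards the SSH public key when the user chooses key auth; the template then receives a public key labelled as a password, so the key path either fails validation or produces a VM with a nonsense password. Wire the real selection through: `"linuxVmAuthenticationType": "[steps('remoteAccess').linuxVmSection.linuxVmAdminPasswordOrKey.authenticationType]"`, assuming the Bicep parameter accepts the same `password`/`sshPublicKey` values the control emits. The line predates this commit but is rewritten on the new side here, so it is worth fixing while the outputs block is being reordered.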
@@ -532,6 +535,8 @@ var namingConvention = '${toLower(resourcePrefix)}-${resourceToken}-${nameToken} // RESOURCE NAME CONVENTIONS WITH ABBREVIATIONS var bastionHostNamingConvention = replace(namingConvention, resourceToken, 'bas') +var diskEncryptionSetNamingConvention = replace(namingConvention, resourceToken, 'des') +var diskNamingConvention = replace(namingConvention, resourceToken, 'disk') var firewallNamingConvention = replace(namingConvention, resourceToken, 'afw') var firewallPolicyNamingConvention = replace(namingConvention, resourceToken, 'afwp') var keyVaultNamingConvention = replace(namingConvention, resourceToken, 'kv') @@ -577,7 +582,8 @@ var identitySubnetName = replace(subnetNamingConvention, nameToken, identityName var operationsName = 'operations' var operationsShortName = 'ops' -var operationsKeyVaultName = replace(keyVaultNamingConvention, nameToken, operationsName) +var operationsDiskEncryptionSetName = replace(diskEncryptionSetNamingConvention, nameToken, operationsName) +var operationsKeyVaultName = replace(keyVaultNamingConvention, nameToken, operationsShortName) var operationsResourceGroupName = replace(resourceGroupNamingConvention, nameToken, operationsName) var operationsLogStorageAccountShortName = replace(storageAccountNamingConvention, nameToken, operationsShortName) var operationsLogStorageAccountUniqueName = replace(operationsLogStorageAccountShortName, 'unique_storage_token', uniqueString(resourcePrefix, resourceSuffix, operationsSubscriptionId)) 
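Review bot: Renaming `operationsKeyVaultName` from the `operations` token to `operationsShortName` changes the operations vault's name, and since Key Vault names are global and cannot be renamed in place, an existing environment redeployed with this template gets a second vault rather than the idempotent update the commit message aims for. The new vault is the one the DES (`deploy-disk-encryption-set_*`) and the `storageKeyName` output bind to, so anything already encrypted under keys in the old vault needs a documented re-key or cut-over step, and I cannot see one in this PR. If the shortening is required (presumably to stay within the 24-character vault-name limit), say so next to the variable, e.g. `// 'ops' keeps the vault name within the 24-char limit; changing it is a breaking rename for existing deployments`.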
@@ -619,14 +625,16 @@ var firewallClientPrivateIpAddress = firewallClientUsableIpAddresses[3] var firewallPublicIpAddressSkuName = 'Standard' var firewallPublicIpAddressAllocationMethod = 'Static' -// BASTION NAMES +// REMOTE ACCESS NAMES var bastionHostName = replace(bastionHostNamingConvention, nameToken, hubName) var bastionHostPublicIPAddressName = replace(publicIpAddressNamingConvention, nameToken, 'bas') var bastionHostIPConfigurationName = replace(ipConfigurationNamingConvention, nameToken, 'bas') +var linuxDiskName = replace(diskNamingConvention, nameToken, 'bas-linux') var linuxNetworkInterfaceName = replace(networkInterfaceNamingConvention, nameToken, 'bas-linux') var linuxNetworkInterfaceIpConfigurationName = replace(ipConfigurationNamingConvention, nameToken, 'bas-linux') var linuxVmName = replace(virtualMachineNamingConvention, nameToken, 'bas-linux') +var windowsDiskName = replace(diskNamingConvention, nameToken, 'bas-windows') var windowsNetworkInterfaceName = replace(networkInterfaceNamingConvention, nameToken, 'bas-windows') var windowsNetworkInterfaceIpConfigurationName = replace(ipConfigurationNamingConvention, nameToken, 'bas-windows') var windowsVmName = replace(virtualMachineNamingConvention, nameToken, 'bas-windows') 
@@ -869,13 +877,15 @@ module operationsCustomerManagedKeys './core/operations-customer-managed-keys.bi name: 'deploy-cmk-ops-${deploymentNameSuffix}' scope: resourceGroup(operationsSubscriptionId, operationsResourceGroupName) params: { + deploymentNameSuffix: deploymentNameSuffix + diskEncryptionSetName: operationsDiskEncryptionSetName keyVaultName: operationsKeyVaultName - location: location - tags: calculatedTags - userAssignedIdentityName: operationsUserAssignedIdentityName keyVaultPrivateDnsZoneResourceId: privateDnsZones.outputs.keyvaultDnsPrivateDnsZoneId + location: location resourcePrefix: resourcePrefix subnetResourceId: spokeNetworks[1].outputs.subnetResourceId + tags: calculatedTags + userAssignedIdentityName: operationsUserAssignedIdentityName } dependsOn: [ spokeNetworks @@ -1116,6 +1126,10 @@ module remoteAccess './core/remote-access.bicep' = if (deployRemoteAccess) { windowsVmSku: windowsVmSku windowsVmStorageAccountType: windowsVmStorageAccountType windowsVmVersion: windowsVmVersion + diskEncryptionSetResourceId: operationsCustomerManagedKeys.outputs.diskEncryptionSetResourceId + hybridUseBenefit: hybridUseBenefit + linuxDiskName: linuxDiskName + windowsDiskName: windowsDiskName } dependsOn: [ azureMonitorPrivateLink diff --git a/src/bicep/mlz.json b/src/bicep/mlz.json index 864f832dd..71b525a2b 100644 --- a/src/bicep/mlz.json +++ b/src/bicep/mlz.json @@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.24.24.22086", - "templateHash": "9972767709466004443" + "templateHash": "5491266495088901132" } }, "parameters": { 
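Review bot: `diskEncryptionSetResourceId: operationsCustomerManagedKeys.outputs.diskEncryptionSetResourceId` hands a DES that lives in the operations subscription and resource group to the remote-access VMs, which are deployed into the hub. A disk can only use a DES in its own region (satisfied here because both share `location`), but I am not certain cross-subscription use is accepted when `hubSubscriptionId` and `operationsSubscriptionId` differ; please confirm against a multi-subscription deployment, since a failure only surfaces when `deployRemoteAccess` is true. A comment on the wiring would also help operators, e.g. `// hub VM OS disks are encrypted with the operations key vault's key via the ops DES`, so it is clear which vault's access controls govern those disks.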
@@ -603,6 +603,13 @@ "description": "The Azure Bastion Public IP Address Availability Zones. It defaults to \"No-Zone\" because Availability Zones are not available in every cloud. See https://docs.microsoft.com/en-us/azure/virtual-network/ip-services/public-ip-addresses#sku for valid settings." } }, + "hybridUseBenefit": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "The hybrid use benefit provides a discount on virtual machines when a customer has an on-premises Windows Server license with Software Assurance." + } + }, "linuxVmAdminUsername": { "type": "string", "defaultValue": "azureuser", @@ -822,6 +829,8 @@ "nameToken": "name_token", "namingConvention": "[format('{0}-{1}-{2}-{3}', toLower(parameters('resourcePrefix')), variables('resourceToken'), variables('nameToken'), toLower(parameters('resourceSuffix')))]", "bastionHostNamingConvention": "[replace(variables('namingConvention'), variables('resourceToken'), 'bas')]", + "diskEncryptionSetNamingConvention": "[replace(variables('namingConvention'), variables('resourceToken'), 'des')]", + "diskNamingConvention": "[replace(variables('namingConvention'), variables('resourceToken'), 'disk')]", "firewallNamingConvention": "[replace(variables('namingConvention'), variables('resourceToken'), 'afw')]", "firewallPolicyNamingConvention": "[replace(variables('namingConvention'), variables('resourceToken'), 'afwp')]", "keyVaultNamingConvention": "[replace(variables('namingConvention'), variables('resourceToken'), 'kv')]", 
@@ -858,7 +867,8 @@ "identitySubnetName": "[replace(variables('subnetNamingConvention'), variables('nameToken'), variables('identityName'))]", "operationsName": "operations", "operationsShortName": "ops", - "operationsKeyVaultName": "[replace(variables('keyVaultNamingConvention'), variables('nameToken'), variables('operationsName'))]", + "operationsDiskEncryptionSetName": "[replace(variables('diskEncryptionSetNamingConvention'), variables('nameToken'), variables('operationsName'))]", + "operationsKeyVaultName": "[replace(variables('keyVaultNamingConvention'), variables('nameToken'), variables('operationsShortName'))]", "operationsResourceGroupName": "[replace(variables('resourceGroupNamingConvention'), variables('nameToken'), variables('operationsName'))]", "operationsLogStorageAccountShortName": "[replace(variables('storageAccountNamingConvention'), variables('nameToken'), variables('operationsShortName'))]", "operationsLogStorageAccountUniqueName": "[replace(variables('operationsLogStorageAccountShortName'), 'unique_storage_token', uniqueString(parameters('resourcePrefix'), parameters('resourceSuffix'), parameters('operationsSubscriptionId')))]", 
@@ -889,9 +899,11 @@ "bastionHostName": "[replace(variables('bastionHostNamingConvention'), variables('nameToken'), variables('hubName'))]", "bastionHostPublicIPAddressName": "[replace(variables('publicIpAddressNamingConvention'), variables('nameToken'), 'bas')]", "bastionHostIPConfigurationName": "[replace(variables('ipConfigurationNamingConvention'), variables('nameToken'), 'bas')]", + "linuxDiskName": "[replace(variables('diskNamingConvention'), variables('nameToken'), 'bas-linux')]", "linuxNetworkInterfaceName": "[replace(variables('networkInterfaceNamingConvention'), variables('nameToken'), 'bas-linux')]", "linuxNetworkInterfaceIpConfigurationName": "[replace(variables('ipConfigurationNamingConvention'), variables('nameToken'), 'bas-linux')]", "linuxVmName": "[replace(variables('virtualMachineNamingConvention'), variables('nameToken'), 'bas-linux')]", + "windowsDiskName": "[replace(variables('diskNamingConvention'), variables('nameToken'), 'bas-windows')]", "windowsNetworkInterfaceName": "[replace(variables('networkInterfaceNamingConvention'), variables('nameToken'), 'bas-windows')]", "windowsNetworkInterfaceIpConfigurationName": "[replace(variables('ipConfigurationNamingConvention'), variables('nameToken'), 'bas-windows')]", "windowsVmName": "[replace(variables('virtualMachineNamingConvention'), variables('nameToken'), 'bas-windows')]", 
@@ -3994,26 +4006,32 @@ }, "mode": "Incremental", "parameters": { - "keyVaultName": { - "value": "[variables('operationsKeyVaultName')]" + "deploymentNameSuffix": { + "value": "[parameters('deploymentNameSuffix')]" }, - "location": { - "value": "[parameters('location')]" + "diskEncryptionSetName": { + "value": "[variables('operationsDiskEncryptionSetName')]" }, - "tags": { - "value": "[variables('calculatedTags')]" - }, - "userAssignedIdentityName": { - "value": "[variables('operationsUserAssignedIdentityName')]" + "keyVaultName": { + "value": "[variables('operationsKeyVaultName')]" }, "keyVaultPrivateDnsZoneResourceId": { "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', 'azure-private-dns'), '2022-09-01').outputs.keyvaultDnsPrivateDnsZoneId.value]" }, + "location": { + "value": "[parameters('location')]" + }, "resourcePrefix": { "value": "[parameters('resourcePrefix')]" }, "subnetResourceId": { "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', variables('spokes')[1].subscriptionId, variables('spokes')[1].resourceGroupName), 'Microsoft.Resources/deployments', format('deploy-vnet-{0}-{1}', variables('spokes')[1].name, parameters('deploymentNameSuffix'))), '2022-09-01').outputs.subnetResourceId.value]" + }, + "tags": { + "value": "[variables('calculatedTags')]" + }, + "userAssignedIdentityName": { + "value": "[variables('operationsUserAssignedIdentityName')]" } }, "template": { @@ -4023,10 +4041,16 @@ "_generator": { "name": "bicep", "version": "0.24.24.22086", - "templateHash": "14463858223926181103" + "templateHash": "152028927580700612" } }, "parameters": { + "diskEncryptionSetName": { + "type": "string" + }, + "deploymentNameSuffix": { + "type": "string" + }, "keyVaultName": { "type": "string" }, 
@@ -4053,7 +4077,7 @@ { "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", - "name": "keyVault", + "name": "[format('deploy-key-vault-{0}', parameters('deploymentNameSuffix'))]", "properties": { "expressionEvaluationOptions": { "scope": "inner" 
@@ -4286,7 +4310,175 @@ { "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", - "name": "userAssignedIdentity", + "name": "[format('deploy-disk-encryption-set_{0}', parameters('deploymentNameSuffix'))]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "deploymentNameSuffix": { + "value": "[parameters('deploymentNameSuffix')]" + }, + "diskEncryptionSetName": { + "value": "[parameters('diskEncryptionSetName')]" + }, + "keyUrl": { + "value": "[reference(resourceId('Microsoft.Resources/deployments', format('deploy-key-vault-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.keyUriWithVersion.value]" + }, + "keyVaultResourceId": { + "value": "[reference(resourceId('Microsoft.Resources/deployments', format('deploy-key-vault-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.keyVaultResourceId.value]" + }, + "location": { + "value": "[parameters('location')]" + }, + "tags": "[if(contains(parameters('tags'), 'Microsoft.Compute/diskEncryptionSets'), createObject('value', parameters('tags')['Microsoft.Compute/diskEncryptionSets']), createObject('value', createObject()))]" + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.24.24.22086", + "templateHash": "10434464295768923462" + } + }, + "parameters": { + "deploymentNameSuffix": { + "type": "string" + }, + "diskEncryptionSetName": { + "type": "string" + }, + "keyUrl": { + "type": "string" + }, + "keyVaultResourceId": { + "type": "string" + }, + "location": { + "type": "string" + }, + "tags": { + "type": "object" + } + }, + "resources": [ + { + "type": "Microsoft.Compute/diskEncryptionSets", + "apiVersion": "2023-04-02", + "name": "[parameters('diskEncryptionSetName')]", + "location": "[parameters('location')]", + "tags": 
"[parameters('tags')]", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "activeKey": { + "sourceVault": { + "id": "[parameters('keyVaultResourceId')]" + }, + "keyUrl": "[parameters('keyUrl')]" + }, + "encryptionType": "EncryptionAtRestWithPlatformAndCustomerKeys", + "rotationToLatestKeyVersionEnabled": true + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('assign-role-disk-encryption-set-ops-{0}', parameters('deploymentNameSuffix'))]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "principalId": { + "value": "[reference(resourceId('Microsoft.Compute/diskEncryptionSets', parameters('diskEncryptionSetName')), '2023-04-02', 'full').identity.principalId]" + }, + "principalType": { + "value": "ServicePrincipal" + }, + "roleDefinitionId": { + "value": "e147488a-f6f5-4113-8e2d-b22465e65bf6" + }, + "targetResourceId": { + "value": "[resourceGroup().id]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.24.24.22086", + "templateHash": "8686326864657481429" + } + }, + "parameters": { + "targetResourceId": { + "type": "string" + }, + "roleDefinitionId": { + "type": "string" + }, + "principalId": { + "type": "string" + }, + "principalType": { + "type": "string", + "defaultValue": "ServicePrincipal", + "allowedValues": [ + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ] + }, + "description": { + "type": "string", + "defaultValue": "" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2020-04-01-preview", + "name": "[guid(parameters('targetResourceId'), parameters('roleDefinitionId'), parameters('principalId'))]", + "properties": { + "principalId": "[parameters('principalId')]", + "principalType": 
"[parameters('principalType')]", + "roleDefinitionId": "[parameters('roleDefinitionId')]", + "description": "[parameters('description')]" + } + } + ] + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Compute/diskEncryptionSets', parameters('diskEncryptionSetName'))]" + ] + } + ], + "outputs": { + "resourceId": { + "type": "string", + "value": "[resourceId('Microsoft.Compute/diskEncryptionSets', parameters('diskEncryptionSetName'))]" + } + } + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', format('deploy-key-vault-{0}', parameters('deploymentNameSuffix')))]" + ] + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('deploy-user-assigned-identity-{0}', parameters('deploymentNameSuffix'))]", "properties": { "expressionEvaluationOptions": { "scope": "inner" 
@@ -4421,17 +4613,21 @@ } ], "outputs": { + "diskEncryptionSetResourceId": { + "type": "string", + "value": "[reference(resourceId('Microsoft.Resources/deployments', format('deploy-disk-encryption-set_{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.resourceId.value]" + }, "keyVaultUri": { "type": "string", - "value": "[reference(resourceId('Microsoft.Resources/deployments', 'keyVault'), '2022-09-01').outputs.keyVaultUri.value]" + "value": "[reference(resourceId('Microsoft.Resources/deployments', format('deploy-key-vault-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.keyVaultUri.value]" }, "storageKeyName": { "type": "string", - "value": "[reference(resourceId('Microsoft.Resources/deployments', 'keyVault'), '2022-09-01').outputs.storageKeyName.value]" + "value": "[reference(resourceId('Microsoft.Resources/deployments', format('deploy-key-vault-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.storageKeyName.value]" }, "userAssignedIdentityResourceId": { "type": "string", - "value": "[reference(resourceId('Microsoft.Resources/deployments', 'userAssignedIdentity'), '2022-09-01').outputs.resourceId.value]" + "value": "[reference(resourceId('Microsoft.Resources/deployments', format('deploy-user-assigned-identity-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.resourceId.value]" } } } 
@@ -7174,6 +7370,18 @@ }, "windowsVmVersion": { "value": "[parameters('windowsVmVersion')]" + }, + "diskEncryptionSetResourceId": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-cmk-ops-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.diskEncryptionSetResourceId.value]" + }, + "hybridUseBenefit": { + "value": "[parameters('hybridUseBenefit')]" + }, + "linuxDiskName": { + "value": "[variables('linuxDiskName')]" + }, + "windowsDiskName": { + "value": "[variables('windowsDiskName')]" } }, "template": { @@ -7183,7 +7391,7 @@ "_generator": { "name": "bicep", "version": "0.24.24.22086", - "templateHash": "2948298183799059014" + "templateHash": "8181077966537772080" } }, "parameters": { @@ -7208,12 +7416,21 @@ "bastionHostSubnetResourceId": { "type": "string" }, + "diskEncryptionSetResourceId": { + "type": "string" + }, "hubNetworkSecurityGroupResourceId": { "type": "string" }, "hubSubnetResourceId": { "type": "string" }, + "hybridUseBenefit": { + "type": "bool" + }, + "linuxDiskName": { + "type": "string" + }, "linuxNetworkInterfaceIpConfigurationName": { "type": "string" }, @@ -7270,6 +7487,9 @@ "tags": { "type": "object" }, + "windowsDiskName": { + "type": "string" + }, "windowsNetworkInterfaceIpConfigurationName": { "type": "string" }, 
@@ -7443,17 +7663,14 @@ }, "mode": "Incremental", "parameters": { - "name": { - "value": "[parameters('linuxNetworkInterfaceName')]" + "ipConfigurationName": { + "value": "[parameters('linuxNetworkInterfaceIpConfigurationName')]" }, "location": { "value": "[parameters('location')]" }, - "tags": { - "value": "[parameters('tags')]" - }, - "ipConfigurationName": { - "value": "[parameters('linuxNetworkInterfaceIpConfigurationName')]" + "name": { + "value": "[parameters('linuxNetworkInterfaceName')]" }, "networkSecurityGroupId": { "value": "[parameters('hubNetworkSecurityGroupResourceId')]" @@ -7463,6 +7680,9 @@ }, "subnetId": { "value": "[parameters('hubSubnetResourceId')]" + }, + "tags": { + "value": "[parameters('tags')]" } }, "template": { @@ -7547,17 +7767,35 @@ }, "mode": "Incremental", "parameters": { - "name": { - "value": "[parameters('linuxVmName')]" + "adminPasswordOrKey": { + "value": "[parameters('linuxVmAdminPasswordOrKey')]" + }, + "adminUsername": { + "value": "[parameters('linuxVmAdminUsername')]" + }, + "authenticationType": { + "value": "[parameters('linuxVmAuthenticationType')]" + }, + "diskEncryptionSetResourceId": { + "value": "[parameters('diskEncryptionSetResourceId')]" + }, + "diskName": { + "value": "[parameters('linuxDiskName')]" + }, + "hybridUseBenefit": { + "value": "[parameters('hybridUseBenefit')]" }, "location": { "value": "[parameters('location')]" }, - "tags": { - "value": "[parameters('tags')]" + "logAnalyticsWorkspaceId": { + "value": "[parameters('logAnalyticsWorkspaceId')]" }, - "vmSize": { - "value": "[parameters('linuxVmSize')]" + "name": { + "value": "[parameters('linuxVmName')]" + }, + "networkInterfaceName": { + "value": "[reference(resourceId('Microsoft.Resources/deployments', 'remoteAccess-linuxNetworkInterface'), '2022-09-01').outputs.name.value]" }, "osDiskCreateOption": { "value": "[parameters('linuxVmOsDiskCreateOption')]" 
@@ -7565,32 +7803,23 @@ "osDiskType": { "value": "[parameters('linuxVmOsDiskType')]" }, - "vmImagePublisher": { - "value": "[parameters('linuxVmImagePublisher')]" + "tags": { + "value": "[parameters('tags')]" }, "vmImageOffer": { "value": "[parameters('linuxVmImageOffer')]" }, + "vmImagePublisher": { + "value": "[parameters('linuxVmImagePublisher')]" + }, "vmImageSku": { "value": "[parameters('linuxVmImageSku')]" }, "vmImageVersion": { "value": "[parameters('linuxVmImageVersion')]" }, - "adminUsername": { - "value": "[parameters('linuxVmAdminUsername')]" - }, - "authenticationType": { - "value": "[parameters('linuxVmAuthenticationType')]" - }, - "adminPasswordOrKey": { - "value": "[parameters('linuxVmAdminPasswordOrKey')]" - }, - "networkInterfaceName": { - "value": "[reference(resourceId('Microsoft.Resources/deployments', 'remoteAccess-linuxNetworkInterface'), '2022-09-01').outputs.name.value]" - }, - "logAnalyticsWorkspaceId": { - "value": "[parameters('logAnalyticsWorkspaceId')]" + "vmSize": { + "value": "[parameters('linuxVmSize')]" } }, "template": { @@ -7600,7 +7829,7 @@ "_generator": { "name": "bicep", "version": "0.24.24.22086", - "templateHash": "11466857937583591261" + "templateHash": "15673259361514742625" } }, "parameters": { @@ -7618,6 +7847,15 @@ "password" ] }, + "diskEncryptionSetResourceId": { + "type": "string" + }, + "diskName": { + "type": "string" + }, + "hybridUseBenefit": { + "type": "bool" + }, "location": { "type": "string" }, 
@@ -7671,20 +7909,56 @@ "resources": [ { "type": "Microsoft.Compute/virtualMachines", - "apiVersion": "2020-06-01", + "apiVersion": "2021-04-01", "name": "[parameters('name')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", "properties": { + "diagnosticsProfile": { + "bootDiagnostics": { + "enabled": false + } + }, "hardwareProfile": { "vmSize": "[parameters('vmSize')]" }, + "networkProfile": { + "networkInterfaces": [ + { + "id": "[resourceId('Microsoft.Network/networkInterfaces', parameters('networkInterfaceName'))]", + "properties": { + "deleteOption": "Delete" + } + } + ] + }, + "osProfile": { + "computerName": "[parameters('name')]", + "adminUsername": "[parameters('adminUsername')]", + "adminPassword": "[parameters('adminPasswordOrKey')]", + "linuxConfiguration": "[if(equals(parameters('authenticationType'), 'password'), null(), variables('linuxConfiguration'))]" + }, + "securityProfile": { + "uefiSettings": { + "secureBootEnabled": true, + "vTpmEnabled": true + }, + "securityType": "trustedLaunch", + "encryptionAtHost": true + }, "storageProfile": { "osDisk": { + "caching": "ReadWrite", "createOption": "[parameters('osDiskCreateOption')]", + "deleteOption": "Delete", "managedDisk": { + "diskEncryptionSet": { + "id": "[parameters('diskEncryptionSetResourceId')]" + }, "storageAccountType": "[parameters('osDiskType')]" - } + }, + "name": "[parameters('diskName')]", + "osType": "Linux" }, "imageReference": { "publisher": "[parameters('vmImagePublisher')]", 
@@ -7693,24 +7967,12 @@ "version": "[parameters('vmImageVersion')]" } }, - "networkProfile": { - "networkInterfaces": [ - { - "id": "[resourceId('Microsoft.Network/networkInterfaces', parameters('networkInterfaceName'))]" - } - ] - }, - "osProfile": { - "computerName": "[parameters('name')]", - "adminUsername": "[parameters('adminUsername')]", - "adminPassword": "[parameters('adminPasswordOrKey')]", - "linuxConfiguration": "[if(equals(parameters('authenticationType'), 'password'), null(), variables('linuxConfiguration'))]" - } + "licenseType": "[if(parameters('hybridUseBenefit'), 'Windows_Server', null())]" } }, { "type": "Microsoft.Compute/virtualMachines/extensions", - "apiVersion": "2020-06-01", + "apiVersion": "2021-04-01", "name": "[format('{0}/{1}', parameters('name'), 'Microsoft.Azure.NetworkWatcher')]", "location": "[parameters('location')]", "properties": { @@ -7725,7 +7987,7 @@ }, { "type": "Microsoft.Compute/virtualMachines/extensions", - "apiVersion": "2020-12-01", + "apiVersion": "2021-04-01", "name": "[format('{0}/{1}', parameters('name'), 'AzurePolicyforLinux')]", "location": "[parameters('location')]", "properties": { @@ -7741,7 +8003,7 @@ }, { "type": "Microsoft.Compute/virtualMachines/extensions", - "apiVersion": "2020-06-01", + "apiVersion": "2021-04-01", "name": "[format('{0}/{1}', parameters('name'), 'OMSExtension')]", "location": "[parameters('location')]", "properties": { @@ -7763,7 +8025,7 @@ }, { "type": "Microsoft.Compute/virtualMachines/extensions", - "apiVersion": "2020-06-01", + "apiVersion": "2021-04-01", "name": "[format('{0}/{1}', parameters('name'), 'DependencyAgentLinux')]", "location": "[parameters('location')]", "properties": { 
@@ -7804,17 +8066,14 @@ }, "mode": "Incremental", "parameters": { - "name": { - "value": "[parameters('windowsNetworkInterfaceName')]" + "ipConfigurationName": { + "value": "[parameters('windowsNetworkInterfaceIpConfigurationName')]" }, "location": { "value": "[parameters('location')]" }, - "tags": { - "value": "[parameters('tags')]" - }, - "ipConfigurationName": { - "value": "[parameters('windowsNetworkInterfaceIpConfigurationName')]" + "name": { + "value": "[parameters('windowsNetworkInterfaceName')]" }, "networkSecurityGroupId": { "value": "[parameters('hubNetworkSecurityGroupResourceId')]" @@ -7824,6 +8083,9 @@ }, "subnetId": { "value": "[parameters('hubSubnetResourceId')]" + }, + "tags": { + "value": "[parameters('tags')]" } }, "template": { 
@@ -7908,47 +8170,56 @@ }, "mode": "Incremental", "parameters": { - "name": { - "value": "[parameters('windowsVmName')]" + "adminPassword": { + "value": "[parameters('windowsVmAdminPassword')]" + }, + "adminUsername": { + "value": "[parameters('windowsVmAdminUsername')]" + }, + "createOption": { + "value": "[parameters('windowsVmCreateOption')]" + }, + "diskEncryptionSetResourceId": { + "value": "[parameters('diskEncryptionSetResourceId')]" + }, + "diskName": { + "value": "[parameters('windowsDiskName')]" + }, + "hybridUseBenefit": { + "value": "[parameters('hybridUseBenefit')]" }, "location": { "value": "[parameters('location')]" }, - "tags": { - "value": "[parameters('tags')]" + "logAnalyticsWorkspaceId": { + "value": "[parameters('logAnalyticsWorkspaceId')]" }, - "size": { - "value": "[parameters('windowsVmSize')]" + "name": { + "value": "[parameters('windowsVmName')]" }, - "adminUsername": { - "value": "[parameters('windowsVmAdminUsername')]" + "networkInterfaceName": { + "value": "[reference(resourceId('Microsoft.Resources/deployments', 'remoteAccess-windowsNetworkInterface'), '2022-09-01').outputs.name.value]" }, - "adminPassword": { - "value": "[parameters('windowsVmAdminPassword')]" + "offer": { + "value": "[parameters('windowsVmOffer')]" }, "publisher": { "value": "[parameters('windowsVmPublisher')]" }, - "offer": { - "value": "[parameters('windowsVmOffer')]" + "size": { + "value": "[parameters('windowsVmSize')]" }, "sku": { "value": "[parameters('windowsVmSku')]" }, - "version": { - "value": "[parameters('windowsVmVersion')]" - }, - "createOption": { - "value": "[parameters('windowsVmCreateOption')]" - }, "storageAccountType": { "value": "[parameters('windowsVmStorageAccountType')]" }, - "networkInterfaceName": { - "value": "[reference(resourceId('Microsoft.Resources/deployments', 'remoteAccess-windowsNetworkInterface'), '2022-09-01').outputs.name.value]" + "tags": { + "value": "[parameters('tags')]" }, - "logAnalyticsWorkspaceId": { - "value": 
"[parameters('logAnalyticsWorkspaceId')]" + "version": { + "value": "[parameters('windowsVmVersion')]" } }, "template": { @@ -7958,61 +8229,66 @@ "_generator": { "name": "bicep", "version": "0.24.24.22086", - "templateHash": "8202416321533561618" + "templateHash": "14439588153238255023" } }, "parameters": { - "name": { + "adminPassword": { + "type": "securestring", + "minLength": 12 + }, + "adminUsername": { "type": "string" }, - "location": { + "createOption": { "type": "string" }, - "tags": { - "type": "object", - "defaultValue": {} + "dataDisks": { + "type": "array", + "defaultValue": [] }, - "networkInterfaceName": { + "diskEncryptionSetResourceId": { "type": "string" }, - "size": { + "diskName": { "type": "string" }, - "adminUsername": { + "hybridUseBenefit": { + "type": "bool" + }, + "location": { "type": "string" }, - "adminPassword": { - "type": "securestring", - "minLength": 12 + "logAnalyticsWorkspaceId": { + "type": "string" }, - "publisher": { + "name": { "type": "string" }, - "offer": { + "networkInterfaceName": { "type": "string" }, - "sku": { + "offer": { "type": "string" }, - "version": { + "publisher": { "type": "string" }, - "createOption": { + "size": { "type": "string" }, - "storageAccountType": { + "sku": { "type": "string" }, - "logAnalyticsWorkspaceId": { + "storageAccountType": { "type": "string" }, - "availabilitySet": { + "tags": { "type": "object", "defaultValue": {} }, - "dataDisks": { - "type": "array", - "defaultValue": [] + "version": { + "type": "string" } }, "resources": [ 
@@ -8022,16 +8298,41 @@ "name": "[parameters('name')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", + "identity": { + "type": "SystemAssigned" + }, "properties": { - "availabilitySet": "[if(not(equals(parameters('availabilitySet'), createObject())), parameters('availabilitySet'), null())]", + "diagnosticsProfile": { + "bootDiagnostics": { + "enabled": false + } + }, "hardwareProfile": { "vmSize": "[parameters('size')]" }, + "networkProfile": { + "networkInterfaces": [ + { + "id": "[resourceId('Microsoft.Network/networkInterfaces', parameters('networkInterfaceName'))]", + "properties": { + "deleteOption": "Delete" + } + } + ] + }, "osProfile": { "computerName": "[take(parameters('name'), 15)]", "adminUsername": "[parameters('adminUsername')]", "adminPassword": "[parameters('adminPassword')]" }, + "securityProfile": { + "uefiSettings": { + "secureBootEnabled": true, + "vTpmEnabled": true + }, + "securityType": "trustedLaunch", + "encryptionAtHost": true + }, "storageProfile": { "imageReference": { "publisher": "[parameters('publisher')]", @@ -8040,20 +8341,21 @@ "version": "[parameters('version')]" }, "osDisk": { + "caching": "ReadWrite", "createOption": "[parameters('createOption')]", + "deleteOption": "Delete", "managedDisk": { + "diskEncryptionSet": { + "id": "[parameters('diskEncryptionSetResourceId')]" + }, "storageAccountType": "[parameters('storageAccountType')]" - } + }, + "name": "[parameters('diskName')]", + "osType": "Windows" }, "dataDisks": "[parameters('dataDisks')]" }, - "networkProfile": { - "networkInterfaces": [ - { - "id": "[resourceId('Microsoft.Network/networkInterfaces', parameters('networkInterfaceName'))]" - } - ] - } + "licenseType": "[if(parameters('hybridUseBenefit'), 'Windows_Server', null())]" } }, { 
@@ -8110,7 +8412,7 @@ }, { "type": "Microsoft.Compute/virtualMachines/extensions", - "apiVersion": "2020-06-01", + "apiVersion": "2021-04-01", "name": "[format('{0}/{1}', parameters('name'), 'Microsoft.Azure.NetworkWatcher')]", "location": "[parameters('location')]", "properties": { @@ -8135,7 +8437,8 @@ "dependsOn": [ "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', 'azure-monitor-private-link')]", "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix')))]", - "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix')))]" + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix')))]", + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-cmk-ops-{0}', parameters('deploymentNameSuffix')))]" ] } ], diff --git a/src/bicep/modules/disk-encryption-set.bicep b/src/bicep/modules/disk-encryption-set.bicep new file mode 100644 index 000000000..0c567501f --- /dev/null +++ b/src/bicep/modules/disk-encryption-set.bicep 
@@ -0,0 +1,42 @@
+/*
+Copyright (c) Microsoft Corporation.
+Licensed under the MIT License.
+*/
+
+param deploymentNameSuffix string
+param diskEncryptionSetName string
+param keyUrl string
+param keyVaultResourceId string
+param location string
+param tags object
+
+resource diskEncryptionSet 'Microsoft.Compute/diskEncryptionSets@2023-04-02' = {
+ name: diskEncryptionSetName
+ location: location
+ tags: tags
+ identity: {
+ type: 'SystemAssigned'
+ }
+ properties: {
+ activeKey: {
+ sourceVault: {
+ id: keyVaultResourceId
+ }
+ keyUrl: keyUrl
+ }
+ encryptionType: 'EncryptionAtRestWithPlatformAndCustomerKeys'
+ rotationToLatestKeyVersionEnabled: true
+ }
+}
+
+module roleAssignment 'role-assignment.bicep' = {
+ name: 'assign-role-disk-encryption-set-ops-${deploymentNameSuffix}'
+ params: {
+ principalId: diskEncryptionSet.identity.principalId
+ principalType: 'ServicePrincipal'
+ roleDefinitionId: 'e147488a-f6f5-4113-8e2d-b22465e65bf6' // Key Vault Crypto Service Encryption User
+ targetResourceId: resourceGroup().id
+ }
+}
+
+output resourceId string = diskEncryptionSet.id
diff --git a/src/bicep/modules/linux-virtual-machine.bicep b/src/bicep/modules/linux-virtual-machine.bicep
index d6efd0777..b8b644ab4 100644
--- a/src/bicep/modules/linux-virtual-machine.bicep
+++ b/src/bicep/modules/linux-virtual-machine.bicep
@@ -12,6 +12,9 @@ param adminUsername string
 'password'
 ])
 param authenticationType string
+param diskEncryptionSetResourceId string
+param diskName string
+param hybridUseBenefit bool
 param location string
 param name string
 param networkInterfaceName string
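Review bot: The role assignment in the new disk-encryption-set module grants Key Vault Crypto Service Encryption User at `targetResourceId: resourceGroup().id`, i.e. on the entire resource group rather than on the vault the encryption set actually reads its key from; the module already receives `keyVaultResourceId`, so the grant can be scoped to `targetResourceId: keyVaultResourceId` (assuming role-assignment.bicep accepts a vault-scoped target, which is not visible here). A group-scoped grant would also not cover the vault at all if it sits in a different resource group from the encryption set. Separately, `rotationToLatestKeyVersionEnabled: true` is documented to require a versionless `keyUrl`; a comment on the parameter such as `// versionless key identifier (no /<version> suffix) so auto-rotation can follow new key versions` would save the next caller a failed deployment.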
@@ -41,20 +44,56 @@ resource networkInterface 'Microsoft.Network/networkInterfaces@2021-02-01' exist
 name: networkInterfaceName
 }
 
-resource virtualMachine 'Microsoft.Compute/virtualMachines@2020-06-01' = {
+resource virtualMachine 'Microsoft.Compute/virtualMachines@2021-04-01' = {
 name: name
 location: location
 tags: tags
 properties: {
+ diagnosticsProfile: {
+ bootDiagnostics: {
+ enabled: false
+ }
+ }
 hardwareProfile: {
 vmSize: vmSize
 }
+ networkProfile: {
+ networkInterfaces: [
+ {
+ id: networkInterface.id
+ properties: {
+ deleteOption: 'Delete'
+ }
+ }
+ ]
+ }
+ osProfile: {
+ computerName: name
+ adminUsername: adminUsername
+ adminPassword: adminPasswordOrKey
+ linuxConfiguration: ((authenticationType == 'password') ? null : linuxConfiguration)
+ }
+ securityProfile: {
+ uefiSettings: {
+ secureBootEnabled: true
+ vTpmEnabled: true
+ }
+ securityType: 'trustedLaunch'
+ encryptionAtHost: true
+ }
 storageProfile: {
 osDisk: {
+ caching: 'ReadWrite'
 createOption: osDiskCreateOption
+ deleteOption: 'Delete'
 managedDisk: {
+ diskEncryptionSet: {
+ id: diskEncryptionSetResourceId
+ }
 storageAccountType: osDiskType
 }
+ name: diskName
+ osType: 'Linux'
 }
 imageReference: {
 publisher: vmImagePublisher
@@ -63,23 +102,11 @@ resource virtualMachine 'Microsoft.Compute/virtualMachines@2020-06-01' = {
 version: vmImageVersion
 }
 }
- networkProfile: {
- networkInterfaces: [
- {
- id: networkInterface.id
- }
- ]
- }
- osProfile: {
- computerName: name
- adminUsername: adminUsername
- adminPassword: adminPasswordOrKey
- linuxConfiguration: ((authenticationType == 'password') ? null : linuxConfiguration)
- }
+ licenseType: hybridUseBenefit ? 'Windows_Server' : null
 }
 }
 
-resource networkWatcher 'Microsoft.Compute/virtualMachines/extensions@2020-06-01' = {
+resource networkWatcher 'Microsoft.Compute/virtualMachines/extensions@2021-04-01' = {
 parent: virtualMachine
 name: 'Microsoft.Azure.NetworkWatcher'
 location: location
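Review bot: `licenseType: hybridUseBenefit ? 'Windows_Server' : null` is applied to a Linux VM (`osType: 'Linux'` a few lines above); `Windows_Server` is the Windows Hybrid Benefit value, so a deployment with `hybridUseBenefit` set to true will very likely be rejected by the Compute RP rather than silently ignored (the Linux equivalents are distribution-specific, e.g. `RHEL_BYOS`/`SLES_BYOS`). Unless a Linux licence type is intended, drop the line, or keep the parameter for interface parity and set `licenseType: null`, with a comment saying Hybrid Benefit is Windows-only here. This resource also gets no `identity` block, unlike the Windows module in the same patch, so no system-assigned identity is available to the extensions or for Key Vault access; confirm that asymmetry is deliberate. The networkWatcher extension at the end of the hunk continues outside it.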
@@ -93,7 +120,7 @@ resource networkWatcher 'Microsoft.Compute/virtualMachines/extensions@2020-06-01
 ]
 }
 
-resource policyExtension 'Microsoft.Compute/virtualMachines/extensions@2020-12-01' = {
+resource policyExtension 'Microsoft.Compute/virtualMachines/extensions@2021-04-01' = {
 parent: virtualMachine
 name: 'AzurePolicyforLinux'
 location: location
@@ -106,7 +133,7 @@ resource policyExtension 'Microsoft.Compute/virtualMachines/extensions@2020-12-0
 }
 }
 
-resource omsExtension 'Microsoft.Compute/virtualMachines/extensions@2020-06-01' = {
+resource omsExtension 'Microsoft.Compute/virtualMachines/extensions@2021-04-01' = {
 parent: virtualMachine
 name: 'OMSExtension'
 location: location
@@ -127,7 +154,7 @@ resource omsExtension 'Microsoft.Compute/virtualMachines/extensions@2020-06-01'
 ]
 }
 
-resource dependencyAgent 'Microsoft.Compute/virtualMachines/extensions@2020-06-01' = {
+resource dependencyAgent 'Microsoft.Compute/virtualMachines/extensions@2021-04-01' = {
 parent: virtualMachine
 name: 'DependencyAgentLinux'
 location: location
diff --git a/src/bicep/modules/windows-virtual-machine.bicep b/src/bicep/modules/windows-virtual-machine.bicep
index 2fe6cccb4..05c5725b5 100644
--- a/src/bicep/modules/windows-virtual-machine.bicep
+++ b/src/bicep/modules/windows-virtual-machine.bicep
@@ -3,43 +3,70 @@ Copyright (c) Microsoft Corporation.
 Licensed under the MIT License.
 */
 
-param name string
-param location string
-param tags object = {}
-param networkInterfaceName string
-param size string
-param adminUsername string
 @secure()
 @minLength(12)
 param adminPassword string
-param publisher string
+param adminUsername string
+param createOption string
+param dataDisks array = []
+param diskEncryptionSetResourceId string
+param diskName string
+param hybridUseBenefit bool
+param location string
+param logAnalyticsWorkspaceId string
+param name string
+param networkInterfaceName string
 param offer string
+param publisher string
+param size string
 param sku string
-param version string
-param createOption string
 param storageAccountType string
-param logAnalyticsWorkspaceId string
-param availabilitySet object = {}
-param dataDisks array = []
+param tags object = {}
+param version string
 
 resource networkInterface 'Microsoft.Network/networkInterfaces@2021-02-01' existing = {
 name: networkInterfaceName
 }
 
-resource windowsVirtualMachine 'Microsoft.Compute/virtualMachines@2021-04-01' = {
+resource virtualMachine 'Microsoft.Compute/virtualMachines@2021-04-01' = {
 name: name
 location: location
 tags: tags
+ identity: {
+ type: 'SystemAssigned'
+ }
 properties: {
- availabilitySet: ((availabilitySet != {}) ? availabilitySet : null)
+ diagnosticsProfile: {
+ bootDiagnostics: {
+ enabled: false
+ }
+ }
 hardwareProfile: {
 vmSize: size
 }
+ networkProfile: {
+ networkInterfaces: [
+ {
+ id: networkInterface.id
+ properties: {
+ deleteOption: 'Delete'
+ }
+ }
+ ]
+ }
 osProfile: {
 computerName: take(name, 15)
 adminUsername: adminUsername
 adminPassword: adminPassword
 }
+ securityProfile: {
+ uefiSettings: {
+ secureBootEnabled: true
+ vTpmEnabled: true
+ }
+ securityType: 'trustedLaunch'
+ encryptionAtHost: true
+ }
 storageProfile: {
 imageReference: {
 publisher: publisher
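Review bot: `securityType: 'trustedLaunch'` with Secure Boot and vTPM is only accepted on Generation 2 images, yet `publisher`/`offer`/`sku` remain unconstrained caller inputs, so a Gen1 SKU will fail at deployment time with an unhelpful RP error; at minimum document it on the parameter, e.g. `// must be a Gen2 image SKU — required by securityType: trustedLaunch`, or add an `@allowed` list if the callers are known. `encryptionAtHost: true` likewise depends on the `Microsoft.Compute/EncryptionAtHost` feature being registered on the target subscription, which this template cannot do for the caller and which deserves a comment beside the property. Disabling boot diagnostics (`bootDiagnostics: { enabled: false }`) removes the serial log and screenshot that incident responders rely on when a VM will not boot or looks tampered with; if the goal is only to avoid an unmanaged diagnostics storage account, managed boot diagnostics (enabled with no `storageUri`) preserves that evidence without one. The storageProfile and the rest of the resource continue outside the hunk.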
@@ -48,25 +75,26 @@ resource windowsVirtualMachine 'Microsoft.Compute/virtualMachines@2021-04-01' =
 version: version
 }
 osDisk: {
+ caching: 'ReadWrite'
 createOption: createOption
+ deleteOption: 'Delete'
 managedDisk: {
+ diskEncryptionSet: {
+ id: diskEncryptionSetResourceId
+ }
 storageAccountType: storageAccountType
 }
+ name: diskName
+ osType: 'Windows'
 }
 dataDisks: dataDisks
 }
- networkProfile: {
- networkInterfaces: [
- {
- id: networkInterface.id
- }
- ]
- }
+ licenseType: hybridUseBenefit ? 'Windows_Server' : null
 }
 }
 
 resource dependencyAgent 'Microsoft.Compute/virtualMachines/extensions@2021-04-01' = {
- parent: windowsVirtualMachine
+ parent: virtualMachine
 name: 'DependencyAgentWindows'
 location: location
 properties: {
@@ -78,7 +106,7 @@ resource dependencyAgent 'Microsoft.Compute/virtualMachines/extensions@2021-04-0
 }
 
 resource policyExtension 'Microsoft.Compute/virtualMachines/extensions@2021-04-01' = {
- parent: windowsVirtualMachine
+ parent: virtualMachine
 name: 'AzurePolicyforWindows'
 location: location
 properties: {
@@ -91,7 +119,7 @@ resource policyExtension 'Microsoft.Compute/virtualMachines/extensions@2021-04-0
 }
 
 resource mmaExtension 'Microsoft.Compute/virtualMachines/extensions@2021-04-01' = {
- parent: windowsVirtualMachine
+ parent: virtualMachine
 name: 'MMAExtension'
 location: location
 properties: {
@@ -108,8 +136,8 @@ resource mmaExtension 'Microsoft.Compute/virtualMachines/extensions@2021-04-01'
 }
 }
 
-resource networkWatcher 'Microsoft.Compute/virtualMachines/extensions@2020-06-01' = {
- parent: windowsVirtualMachine
+resource networkWatcher 'Microsoft.Compute/virtualMachines/extensions@2021-04-01' = {
+ parent: virtualMachine
 name: 'Microsoft.Azure.NetworkWatcher'
 location: location
 properties: {
From 068d6e9a1fcb337c73390e3fd2fe4fe7d2c0a047 Mon Sep 17 00:00:00 2001
From: Jason Masten
Date: Sun, 21 Jan 2024 18:41:49 -0500
Subject: [PATCH 07/28] Added pvt endpoints for table storage
---
 src/bicep/core/hub-storage.bicep | 6 +-
 src/bicep/core/spoke-storage.bicep | 6 +-
 src/bicep/mlz.bicep | 6 +-
 src/bicep/mlz.json | 102 ++++++++++++++++++------
 src/bicep/modules/storage-account.bicep | 24 +++---
 5 files changed, 104 insertions(+), 40 deletions(-)
diff --git a/src/bicep/core/hub-storage.bicep b/src/bicep/core/hub-storage.bicep
index a864eec31..5c3ee7015 100644
--- a/src/bicep/core/hub-storage.bicep
+++ b/src/bicep/core/hub-storage.bicep
@@ -3,7 +3,7 @@ Copyright (c) Microsoft Corporation.
 Licensed under the MIT License.
 */
 
-param azureBlobsPrivateDnsZoneResourceId string
+param blobsPrivateDnsZoneResourceId string
 param keyVaultUri string
 param logStorageAccountName string
 param logStorageSkuName string
@@ -11,13 +11,14 @@ param location string
 param resourcePrefix string
 param storageEncryptionKeyName string
 param subnetResourceId string
+param tablesPrivateDnsZoneResourceId string
 param tags object
 param userAssignedIdentityResourceId string
 
 module storageAccount '../modules/storage-account.bicep' = {
 name: 'storage'
 params: {
- azureBlobsPrivateDnsZoneResourceId: azureBlobsPrivateDnsZoneResourceId
+ blobsPrivateDnsZoneResourceId: blobsPrivateDnsZoneResourceId
 userAssignedIdentityResourceId: userAssignedIdentityResourceId
 keyVaultUri: keyVaultUri
 location: location
@@ -26,6 +27,7 @@ module storageAccount '../modules/storage-account.bicep' = {
 storageAccountName: logStorageAccountName
 storageEncryptionKeyName: storageEncryptionKeyName
 subnetResourceId: subnetResourceId
+ tablesPrivateDnsZoneResourceId: tablesPrivateDnsZoneResourceId
 tags: tags
 }
 }
diff --git a/src/bicep/core/spoke-storage.bicep b/src/bicep/core/spoke-storage.bicep
index 37b65d9ef..a3851e9e2 100644
--- a/src/bicep/core/spoke-storage.bicep
+++ b/src/bicep/core/spoke-storage.bicep
@@ -3,7 +3,7 @@ Copyright (c) Microsoft Corporation.
 Licensed under the MIT License.
 */
 
-param azureBlobsPrivateDnsZoneResourceId string
+param blobsPrivateDnsZoneResourceId string
 param keyVaultUri string
 param location string
 param logStorageAccountName string
@@ -11,13 +11,14 @@ param logStorageSkuName string
 param resourcePrefix string
 param storageEncryptionKeyName string
 param subnetResourceId string
+param tablesPrivateDnsZoneResourceId string
 param tags object
 param userAssignedIdentityResourceId string
 
 module storageAccount '../modules/storage-account.bicep' = {
 name: 'storage'
 params: {
- azureBlobsPrivateDnsZoneResourceId: azureBlobsPrivateDnsZoneResourceId
+ blobsPrivateDnsZoneResourceId: blobsPrivateDnsZoneResourceId
 keyVaultUri: keyVaultUri
 location: location
 resourcePrefix: resourcePrefix
@@ -25,6 +26,7 @@ module storageAccount '../modules/storage-account.bicep' = {
 storageAccountName: logStorageAccountName
 storageEncryptionKeyName: storageEncryptionKeyName
 subnetResourceId: subnetResourceId
+ tablesPrivateDnsZoneResourceId: tablesPrivateDnsZoneResourceId
 tags: tags
 userAssignedIdentityResourceId: userAssignedIdentityResourceId
 }
diff --git a/src/bicep/mlz.bicep b/src/bicep/mlz.bicep
index 1914cfc09..9660dfa51 100644
--- a/src/bicep/mlz.bicep
+++ b/src/bicep/mlz.bicep
@@ -898,7 +898,7 @@ module hubStorage './core/hub-storage.bicep' = {
 name: 'deploy-log-storage-hub-${deploymentNameSuffix}'
 scope: resourceGroup(hubSubscriptionId, hubResourceGroupName)
 params: {
- azureBlobsPrivateDnsZoneResourceId: privateDnsZones.outputs.blobPrivateDnsZoneId
+ blobsPrivateDnsZoneResourceId: privateDnsZones.outputs.blobPrivateDnsZoneId
 keyVaultUri: operationsCustomerManagedKeys.outputs.keyVaultUri
 location: location
 logStorageAccountName: hubLogStorageAccountName
@@ -906,6 +906,7 @@ module hubStorage './core/hub-storage.bicep' = { resourcePrefix: resourcePrefix storageEncryptionKeyName: operationsCustomerManagedKeys.outputs.storageKeyName subnetResourceId: hubNetwork.outputs.subnetResourceId + tablesPrivateDnsZoneResourceId: privateDnsZones.outputs.tablePrivateDnsZoneId tags: calculatedTags userAssignedIdentityResourceId: operationsCustomerManagedKeys.outputs.userAssignedIdentityResourceId } @@ -917,7 +918,7 @@ module spokeStorage './core/spoke-storage.bicep' = [for (spoke, i) in spokes: { name: 'deploy-log-storage-${spoke.name}-${deploymentNameSuffix}' scope: resourceGroup(spoke.subscriptionId, spoke.resourceGroupName) params: { - azureBlobsPrivateDnsZoneResourceId: privateDnsZones.outputs.blobPrivateDnsZoneId + blobsPrivateDnsZoneResourceId: privateDnsZones.outputs.blobPrivateDnsZoneId keyVaultUri: operationsCustomerManagedKeys.outputs.keyVaultUri location: location logStorageAccountName: spoke.logStorageAccountName @@ -925,6 +926,7 @@ module spokeStorage './core/spoke-storage.bicep' = [for (spoke, i) in spokes: { resourcePrefix: resourcePrefix storageEncryptionKeyName: operationsCustomerManagedKeys.outputs.storageKeyName subnetResourceId: spokeNetworks[i].outputs.subnetResourceId + tablesPrivateDnsZoneResourceId: privateDnsZones.outputs.tablePrivateDnsZoneId tags: tags userAssignedIdentityResourceId: operationsCustomerManagedKeys.outputs.userAssignedIdentityResourceId } diff --git a/src/bicep/mlz.json b/src/bicep/mlz.json index 71b525a2b..acc96d409 100644 --- a/src/bicep/mlz.json +++ b/src/bicep/mlz.json @@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.24.24.22086", - "templateHash": "5491266495088901132" + "templateHash": "8889267249540517056" } }, "parameters": { 
@@ -4649,7 +4649,7 @@ }, "mode": "Incremental", "parameters": { - "azureBlobsPrivateDnsZoneResourceId": { + "blobsPrivateDnsZoneResourceId": { "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', 'azure-private-dns'), '2022-09-01').outputs.blobPrivateDnsZoneId.value]" }, "keyVaultUri": { @@ -4673,6 +4673,9 @@ "subnetResourceId": { "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.subnetResourceId.value]" }, + "tablesPrivateDnsZoneResourceId": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', 'azure-private-dns'), '2022-09-01').outputs.tablePrivateDnsZoneId.value]" + }, "tags": { "value": "[variables('calculatedTags')]" }, @@ -4687,11 +4690,11 @@ "_generator": { "name": "bicep", "version": "0.24.24.22086", - "templateHash": "10734217835166840924" + "templateHash": "16562264313481397415" } }, "parameters": { - "azureBlobsPrivateDnsZoneResourceId": { + "blobsPrivateDnsZoneResourceId": { "type": "string" }, "keyVaultUri": { @@ -4715,6 +4718,9 @@ "subnetResourceId": { "type": "string" }, + "tablesPrivateDnsZoneResourceId": { + "type": "string" + }, "tags": { "type": "object" }, @@ -4733,8 +4739,8 @@ }, "mode": "Incremental", "parameters": { - "azureBlobsPrivateDnsZoneResourceId": { - "value": "[parameters('azureBlobsPrivateDnsZoneResourceId')]" + "blobsPrivateDnsZoneResourceId": { + "value": "[parameters('blobsPrivateDnsZoneResourceId')]" }, "userAssignedIdentityResourceId": { "value": "[parameters('userAssignedIdentityResourceId')]" 
@@ -4760,6 +4766,9 @@ "subnetResourceId": { "value": "[parameters('subnetResourceId')]" }, + "tablesPrivateDnsZoneResourceId": { + "value": "[parameters('tablesPrivateDnsZoneResourceId')]" + }, "tags": { "value": "[parameters('tags')]" } @@ -4771,11 +4780,11 @@ "_generator": { "name": "bicep", "version": "0.24.24.22086", - "templateHash": "9704332619171498618" + "templateHash": "9753044048835183070" } }, "parameters": { - "azureBlobsPrivateDnsZoneResourceId": { + "blobsPrivateDnsZoneResourceId": { "type": "string" }, "keyVaultUri": { @@ -4799,6 +4808,9 @@ "subnetResourceId": { "type": "string" }, + "tablesPrivateDnsZoneResourceId": { + "type": "string" + }, "tags": { "type": "object" }, @@ -4806,6 +4818,12 @@ "type": "string" } }, + "variables": { + "zones": [ + "[parameters('blobsPrivateDnsZoneResourceId')]", + "[parameters('tablesPrivateDnsZoneResourceId')]" + ] + }, "resources": [ { "type": "Microsoft.Storage/storageAccounts", @@ -4872,9 +4890,13 @@ } }, { + "copy": { + "name": "privateEndpoints", + "count": "[length(variables('zones'))]" + }, "type": "Microsoft.Network/privateEndpoints", "apiVersion": "2020-05-01", - "name": "[format('{0}-blob', replace(parameters('storageAccountName'), parameters('resourcePrefix'), format('{0}-pe-', parameters('resourcePrefix'))))]", + "name": "[format('{0}-{1}', replace(parameters('storageAccountName'), parameters('resourcePrefix'), format('{0}-pe-', parameters('resourcePrefix'))), split(split(variables('zones')[copyIndex()], '/')[8], '.')[1])]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", "properties": { 
@@ -4883,7 +4905,7 @@ }, "privateLinkServiceConnections": [ { - "name": "[format('{0}-blob', replace(parameters('storageAccountName'), parameters('resourcePrefix'), format('{0}-nic-', parameters('resourcePrefix'))))]", + "name": "[format('{0}-{1}', replace(parameters('storageAccountName'), parameters('resourcePrefix'), format('{0}-nic-', parameters('resourcePrefix'))), split(split(variables('zones')[copyIndex()], '/')[8], '.')[1])]", "properties": { "privateLinkServiceId": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]", "groupIds": [ @@ -4898,21 +4920,25 @@ ] }, { + "copy": { + "name": "privateDnsZoneGroups", + "count": "[length(variables('zones'))]" + }, "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", "apiVersion": "2021-08-01", - "name": "[format('{0}/{1}', format('{0}-blob', replace(parameters('storageAccountName'), parameters('resourcePrefix'), format('{0}-pe-', parameters('resourcePrefix')))), parameters('storageAccountName'))]", + "name": "[format('{0}/{1}', format('{0}-{1}', replace(parameters('storageAccountName'), parameters('resourcePrefix'), format('{0}-pe-', parameters('resourcePrefix'))), split(split(variables('zones')[copyIndex()], '/')[8], '.')[1]), parameters('storageAccountName'))]", "properties": { "privateDnsZoneConfigs": [ { "name": "ipconfig1", "properties": { - "privateDnsZoneId": "[parameters('azureBlobsPrivateDnsZoneResourceId')]" + "privateDnsZoneId": "[variables('zones')[copyIndex()]]" } } ] }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', format('{0}-blob', replace(parameters('storageAccountName'), parameters('resourcePrefix'), format('{0}-pe-', parameters('resourcePrefix')))))]" + "[resourceId('Microsoft.Network/privateEndpoints', format('{0}-{1}', replace(parameters('storageAccountName'), parameters('resourcePrefix'), format('{0}-pe-', parameters('resourcePrefix'))), split(split(variables('zones')[copyIndex()], '/')[8], '.')[1]))]" ] } ], 
@@ -4956,7 +4982,7 @@ }, "mode": "Incremental", "parameters": { - "azureBlobsPrivateDnsZoneResourceId": { + "blobsPrivateDnsZoneResourceId": { "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', 'azure-private-dns'), '2022-09-01').outputs.blobPrivateDnsZoneId.value]" }, "keyVaultUri": { @@ -4980,6 +5006,9 @@ "subnetResourceId": { "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', variables('spokes')[copyIndex()].subscriptionId, variables('spokes')[copyIndex()].resourceGroupName), 'Microsoft.Resources/deployments', format('deploy-vnet-{0}-{1}', variables('spokes')[copyIndex()].name, parameters('deploymentNameSuffix'))), '2022-09-01').outputs.subnetResourceId.value]" }, + "tablesPrivateDnsZoneResourceId": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', 'azure-private-dns'), '2022-09-01').outputs.tablePrivateDnsZoneId.value]" + }, "tags": { "value": "[parameters('tags')]" }, @@ -4994,11 +5023,11 @@ "_generator": { "name": "bicep", "version": "0.24.24.22086", - "templateHash": "2099731221487572818" + "templateHash": "8173689652147359226" } }, "parameters": { - "azureBlobsPrivateDnsZoneResourceId": { + "blobsPrivateDnsZoneResourceId": { "type": "string" }, "keyVaultUri": { @@ -5022,6 +5051,9 @@ "subnetResourceId": { "type": "string" }, + "tablesPrivateDnsZoneResourceId": { + "type": "string" + }, "tags": { "type": "object" }, @@ -5040,8 +5072,8 @@ }, "mode": "Incremental", "parameters": { - "azureBlobsPrivateDnsZoneResourceId": { - "value": "[parameters('azureBlobsPrivateDnsZoneResourceId')]" + "blobsPrivateDnsZoneResourceId": { + "value": "[parameters('blobsPrivateDnsZoneResourceId')]" }, "keyVaultUri": { "value": "[parameters('keyVaultUri')]" 
@@ -5064,6 +5096,9 @@ "subnetResourceId": { "value": "[parameters('subnetResourceId')]" }, + "tablesPrivateDnsZoneResourceId": { + "value": "[parameters('tablesPrivateDnsZoneResourceId')]" + }, "tags": { "value": "[parameters('tags')]" }, @@ -5078,11 +5113,11 @@ "_generator": { "name": "bicep", "version": "0.24.24.22086", - "templateHash": "9704332619171498618" + "templateHash": "9753044048835183070" } }, "parameters": { - "azureBlobsPrivateDnsZoneResourceId": { + "blobsPrivateDnsZoneResourceId": { "type": "string" }, "keyVaultUri": { @@ -5106,6 +5141,9 @@ "subnetResourceId": { "type": "string" }, + "tablesPrivateDnsZoneResourceId": { + "type": "string" + }, "tags": { "type": "object" }, @@ -5113,6 +5151,12 @@ "type": "string" } }, + "variables": { + "zones": [ + "[parameters('blobsPrivateDnsZoneResourceId')]", + "[parameters('tablesPrivateDnsZoneResourceId')]" + ] + }, "resources": [ { "type": "Microsoft.Storage/storageAccounts", @@ -5179,9 +5223,13 @@ } }, { + "copy": { + "name": "privateEndpoints", + "count": "[length(variables('zones'))]" + }, "type": "Microsoft.Network/privateEndpoints", "apiVersion": "2020-05-01", - "name": "[format('{0}-blob', replace(parameters('storageAccountName'), parameters('resourcePrefix'), format('{0}-pe-', parameters('resourcePrefix'))))]", + "name": "[format('{0}-{1}', replace(parameters('storageAccountName'), parameters('resourcePrefix'), format('{0}-pe-', parameters('resourcePrefix'))), split(split(variables('zones')[copyIndex()], '/')[8], '.')[1])]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", "properties": { 
@@ -5190,7 +5238,7 @@ }, "privateLinkServiceConnections": [ { - "name": "[format('{0}-blob', replace(parameters('storageAccountName'), parameters('resourcePrefix'), format('{0}-nic-', parameters('resourcePrefix'))))]", + "name": "[format('{0}-{1}', replace(parameters('storageAccountName'), parameters('resourcePrefix'), format('{0}-nic-', parameters('resourcePrefix'))), split(split(variables('zones')[copyIndex()], '/')[8], '.')[1])]", "properties": { "privateLinkServiceId": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]", "groupIds": [ @@ -5205,21 +5253,25 @@ ] }, { + "copy": { + "name": "privateDnsZoneGroups", + "count": "[length(variables('zones'))]" + }, "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", "apiVersion": "2021-08-01", - "name": "[format('{0}/{1}', format('{0}-blob', replace(parameters('storageAccountName'), parameters('resourcePrefix'), format('{0}-pe-', parameters('resourcePrefix')))), parameters('storageAccountName'))]", + "name": "[format('{0}/{1}', format('{0}-{1}', replace(parameters('storageAccountName'), parameters('resourcePrefix'), format('{0}-pe-', parameters('resourcePrefix'))), split(split(variables('zones')[copyIndex()], '/')[8], '.')[1]), parameters('storageAccountName'))]", "properties": { "privateDnsZoneConfigs": [ { "name": "ipconfig1", "properties": { - "privateDnsZoneId": "[parameters('azureBlobsPrivateDnsZoneResourceId')]" + "privateDnsZoneId": "[variables('zones')[copyIndex()]]" } } ] }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', format('{0}-blob', replace(parameters('storageAccountName'), parameters('resourcePrefix'), format('{0}-pe-', parameters('resourcePrefix')))))]" + "[resourceId('Microsoft.Network/privateEndpoints', format('{0}-{1}', replace(parameters('storageAccountName'), parameters('resourcePrefix'), format('{0}-pe-', parameters('resourcePrefix'))), split(split(variables('zones')[copyIndex()], '/')[8], '.')[1]))]" ] } ], 
diff --git a/src/bicep/modules/storage-account.bicep b/src/bicep/modules/storage-account.bicep
index 0ffd32394..be4f4719b 100644
--- a/src/bicep/modules/storage-account.bicep
+++ b/src/bicep/modules/storage-account.bicep
@@ -3,7 +3,7 @@ Copyright (c) Microsoft Corporation.
 Licensed under the MIT License.
 */
 
-param azureBlobsPrivateDnsZoneResourceId string
+param blobsPrivateDnsZoneResourceId string
 param keyVaultUri string
 param location string
 param resourcePrefix string
@@ -11,9 +11,15 @@ param skuName string
 param storageAccountName string
 param storageEncryptionKeyName string
 param subnetResourceId string
+param tablesPrivateDnsZoneResourceId string
 param tags object
 param userAssignedIdentityResourceId string
 
+var zones = [
+ blobsPrivateDnsZoneResourceId
+ tablesPrivateDnsZoneResourceId
+]
+
 resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' = {
 name: storageAccountName
 location: location
@@ -77,8 +83,8 @@ resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' = {
 }
 }
 
-resource privateEndpoint 'Microsoft.Network/privateEndpoints@2020-05-01' = {
- name: '${replace(storageAccountName, resourcePrefix, '${resourcePrefix}-pe-')}-blob'
+resource privateEndpoints 'Microsoft.Network/privateEndpoints@2020-05-01' = [for (zone, i) in zones: {
+ name: '${replace(storageAccountName, resourcePrefix, '${resourcePrefix}-pe-')}-${split(split(zone, '/')[8], '.')[1]}'
 location: location
 tags: tags
 properties: {
@@ -87,7 +93,7 @@ resource privateEndpoint 'Microsoft.Network/privateEndpoints@2020-05-01' = {
 }
 privateLinkServiceConnections: [
 {
- name: '${replace(storageAccountName, resourcePrefix, '${resourcePrefix}-nic-')}-blob'
+ name: '${replace(storageAccountName, resourcePrefix, '${resourcePrefix}-nic-')}-${split(split(zone, '/')[8], '.')[1]}'
 properties: {
 privateLinkServiceId: storageAccount.id
 groupIds: [
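Review bot: The private endpoint and its `privateLinkServiceConnections` entry are now emitted once per zone, but the `groupIds` element (the line right after `groupIds: [`, which falls between this hunk and the next and is therefore unchanged by the patch) still holds the single sub-resource the old `-blob` endpoint used, presumably `'blob'`. If that is the case, the second endpoint exposes the blob sub-resource under the `privatelink.table...` zone, so table clients resolve to an IP that does not serve table traffic; the group id has to be derived the same way as the name, e.g. `groupIds: [ split(split(zone, '/')[8], '.')[1] ]`. The repeated `split(split(zone, '/')[8], '.')[1]` also silently assumes a canonical nine-segment resource ID and a `privatelink.<service>.` zone name; an array of `{ zoneId, groupId }` objects in place of `zones` would make both the endpoint name and the sub-resource explicit and keep them from drifting apart. The resource body continues outside the hunk.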
@@ -97,21 +103,21 @@ resource privateEndpoint 'Microsoft.Network/privateEndpoints@2020-05-01' = { } ] } -} +}] -resource privateDnsZoneGroups 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2021-08-01' = { - parent: privateEndpoint +resource privateDnsZoneGroups 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2021-08-01' = [for (zone, i) in zones: { + parent: privateEndpoints[i] name: storageAccountName properties: { privateDnsZoneConfigs: [ { name: 'ipconfig1' properties: { - privateDnsZoneId: azureBlobsPrivateDnsZoneResourceId + privateDnsZoneId: zone } } ] } -} +}] output id string = storageAccount.id From c84f4b77ebea1fc8b34db1a89de46c2cd55243d9 Mon Sep 17 00:00:00 2001 From: Jason Masten Date: Sun, 21 Jan 2024 18:50:36 -0500 Subject: [PATCH 08/28] Fixed deployment name --- src/bicep/mlz.bicep | 2 +- src/bicep/mlz.json | 30 +++++++++++++++--------------- 2 files changed, 16 insertions(+), 16 deletions(-) diff --git a/src/bicep/mlz.bicep b/src/bicep/mlz.bicep index 9660dfa51..276c1245b 100644 --- a/src/bicep/mlz.bicep +++ b/src/bicep/mlz.bicep @@ -863,7 +863,7 @@ module spokeVirtualNetworkPeerings './core/spoke-network-peering.bicep' = [for ( // PRIVATE DNS module privateDnsZones './modules/private-dns.bicep' = { - name: 'azure-private-dns' + name: 'deploy-private-dns-zones-${deploymentNameSuffix}' scope: resourceGroup(hubSubscriptionId, hubResourceGroupName) params: { vnetName: hubNetwork.outputs.virtualNetworkName diff --git a/src/bicep/mlz.json b/src/bicep/mlz.json index acc96d409..de52aa8f8 100644 --- a/src/bicep/mlz.json +++ b/src/bicep/mlz.json @@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.24.24.22086", - "templateHash": "8889267249540517056" + "templateHash": "9525560853532155756" } }, "parameters": { 
@@ -3168,7 +3168,7 @@ { "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", - "name": "azure-private-dns", + "name": "[format('deploy-private-dns-zones-{0}', parameters('deploymentNameSuffix'))]", "subscriptionId": "[parameters('hubSubscriptionId')]", "resourceGroup": "[variables('hubResourceGroupName')]", "properties": { @@ -4016,7 +4016,7 @@ "value": "[variables('operationsKeyVaultName')]" }, "keyVaultPrivateDnsZoneResourceId": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', 'azure-private-dns'), '2022-09-01').outputs.keyvaultDnsPrivateDnsZoneId.value]" + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-private-dns-zones-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.keyvaultDnsPrivateDnsZoneId.value]" }, "location": { "value": "[parameters('location')]" @@ -4633,7 +4633,7 @@ } }, "dependsOn": [ - "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', 'azure-private-dns')]", + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-private-dns-zones-{0}', parameters('deploymentNameSuffix')))]", "spokeNetworks" ] }, 
@@ -4650,7 +4650,7 @@ "mode": "Incremental", "parameters": { "blobsPrivateDnsZoneResourceId": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', 'azure-private-dns'), '2022-09-01').outputs.blobPrivateDnsZoneId.value]" + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-private-dns-zones-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.blobPrivateDnsZoneId.value]" }, "keyVaultUri": { "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-cmk-ops-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.keyVaultUri.value]" 
@@ -4674,7 +4674,7 @@ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.subnetResourceId.value]" }, "tablesPrivateDnsZoneResourceId": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', 'azure-private-dns'), '2022-09-01').outputs.tablePrivateDnsZoneId.value]" + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-private-dns-zones-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.tablePrivateDnsZoneId.value]" }, "tags": { "value": "[variables('calculatedTags')]" 
@@ -4963,7 +4963,7 @@ "dependsOn": [ "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix')))]", "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-cmk-ops-{0}', parameters('deploymentNameSuffix')))]", - "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', 'azure-private-dns')]" + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-private-dns-zones-{0}', parameters('deploymentNameSuffix')))]" ] }, { 
@@ -4983,7 +4983,7 @@ "mode": "Incremental", "parameters": { "blobsPrivateDnsZoneResourceId": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', 'azure-private-dns'), '2022-09-01').outputs.blobPrivateDnsZoneId.value]" + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-private-dns-zones-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.blobPrivateDnsZoneId.value]" }, "keyVaultUri": { "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-cmk-ops-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.keyVaultUri.value]" 
@@ -5007,7 +5007,7 @@ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', variables('spokes')[copyIndex()].subscriptionId, variables('spokes')[copyIndex()].resourceGroupName), 'Microsoft.Resources/deployments', format('deploy-vnet-{0}-{1}', variables('spokes')[copyIndex()].name, parameters('deploymentNameSuffix'))), '2022-09-01').outputs.subnetResourceId.value]" }, "tablesPrivateDnsZoneResourceId": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', 'azure-private-dns'), '2022-09-01').outputs.tablePrivateDnsZoneId.value]" + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-private-dns-zones-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.tablePrivateDnsZoneId.value]" }, "tags": { "value": "[parameters('tags')]" 
@@ -5295,7 +5295,7 @@ }, "dependsOn": [ "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-cmk-ops-{0}', parameters('deploymentNameSuffix')))]", - "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', 'azure-private-dns')]", + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-private-dns-zones-{0}', parameters('deploymentNameSuffix')))]", "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', variables('spokes')[copyIndex()].subscriptionId, variables('spokes')[copyIndex()].resourceGroupName), 'Microsoft.Resources/deployments', format('deploy-vnet-{0}-{1}', variables('spokes')[copyIndex()].name, parameters('deploymentNameSuffix')))]" ] }, 
@@ -6061,16 +6061,16 @@ "value": "[variables('operationsVirtualNetworkName')]" }, "monitorPrivateDnsZoneId": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', 'azure-private-dns'), '2022-09-01').outputs.monitorPrivateDnsZoneId.value]" + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-private-dns-zones-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.monitorPrivateDnsZoneId.value]" }, "omsPrivateDnsZoneId": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', 'azure-private-dns'), '2022-09-01').outputs.omsPrivateDnsZoneId.value]" + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-private-dns-zones-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.omsPrivateDnsZoneId.value]" }, "odsPrivateDnsZoneId": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', 'azure-private-dns'), '2022-09-01').outputs.odsPrivateDnsZoneId.value]" + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-private-dns-zones-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.odsPrivateDnsZoneId.value]" }, "agentsvcPrivateDnsZoneId": { - "value": 
"[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', 'azure-private-dns'), '2022-09-01').outputs.agentsvcPrivateDnsZoneId.value]" + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-private-dns-zones-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.agentsvcPrivateDnsZoneId.value]" }, "location": { "value": "[parameters('location')]" @@ -6266,7 +6266,7 @@ }, "dependsOn": [ "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix')))]", - "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', 'azure-private-dns')]", + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-private-dns-zones-{0}', parameters('deploymentNameSuffix')))]", "spokeNetworks" ] }, From 7b19729727fc10d10120ee3f0265f316a3d906a1 Mon Sep 17 00:00:00 2001 From: Jason Masten Date: Sun, 21 Jan 2024 18:52:59 -0500 Subject: [PATCH 09/28] Fixed deployment name --- src/bicep/mlz.bicep | 2 +- src/bicep/mlz.json | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/src/bicep/mlz.bicep b/src/bicep/mlz.bicep index 276c1245b..49148756d 100644 --- a/src/bicep/mlz.bicep +++ b/src/bicep/mlz.bicep 
@@ -990,7 +990,7 @@ module hubSubscriptionActivityLogging './modules/central-logging.bicep' = {
 }
 module azureMonitorPrivateLink './modules/private-link.bicep' = if (contains(supportedClouds, environment().name)) {
- name: 'azure-monitor-private-link'
+ name: 'deploy-azure-monitor-private-link-${deploymentNameSuffix}'
 scope: resourceGroup(operationsSubscriptionId, operationsResourceGroupName)
 params: {
 logAnalyticsWorkspaceName: logAnalyticsWorkspace.outputs.name
diff --git a/src/bicep/mlz.json b/src/bicep/mlz.json
index de52aa8f8..fbb14ea5d 100644
--- a/src/bicep/mlz.json
+++ b/src/bicep/mlz.json
@@ -5,7 +5,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.24.24.22086",
- "templateHash": "9525560853532155756"
+ "templateHash": "11802488858058743522"
 }
 },
 "parameters": {
@@ -6039,7 +6039,7 @@
 "condition": "[contains(parameters('supportedClouds'), environment().name)]",
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2022-09-01",
- "name": "azure-monitor-private-link",
+ "name": "[format('deploy-azure-monitor-private-link-{0}', parameters('deploymentNameSuffix'))]",
 "subscriptionId": "[parameters('operationsSubscriptionId')]",
 "resourceGroup": "[variables('operationsResourceGroupName')]",
 "properties": {
@@ -8487,7 +8487,7 @@ } }, "dependsOn": [ - "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', 'azure-monitor-private-link')]", + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-azure-monitor-private-link-{0}', parameters('deploymentNameSuffix')))]", "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix')))]", "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix')))]", "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-cmk-ops-{0}', parameters('deploymentNameSuffix')))]" From 1e4c6c63c4af7bbfbb145c3e90e9c565b5b611a8 Mon Sep 17 00:00:00 2001 From: Jason Masten Date: Sun, 21 Jan 2024 18:54:03 -0500 Subject: [PATCH 10/28] Removed comment --- src/bicep/mlz.bicep | 1 - 1 file changed, 1 deletion(-) diff --git a/src/bicep/mlz.bicep b/src/bicep/mlz.bicep index 49148756d..bbe235b0b 100644 --- a/src/bicep/mlz.bicep +++ b/src/bicep/mlz.bicep @@ -1135,7 +1135,6 @@ module remoteAccess './core/remote-access.bicep' = if (deployRemoteAccess) { } dependsOn: [ azureMonitorPrivateLink - //hubNetworkDNS ] } From 2253191fc2a0137cd9aa5654e29d5a19801cee13 Mon Sep 17 00:00:00 2001 
From: Jason Masten
Date: Sun, 21 Jan 2024 18:56:43 -0500
Subject: [PATCH 11/28] Fixed role assignment for DES
---
 src/bicep/mlz.json | 8 ++++----
 src/bicep/modules/disk-encryption-set.bicep | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/src/bicep/mlz.json b/src/bicep/mlz.json
index fbb14ea5d..cd3c011f1 100644
--- a/src/bicep/mlz.json
+++ b/src/bicep/mlz.json
@@ -5,7 +5,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.24.24.22086",
- "templateHash": "11802488858058743522"
+ "templateHash": "16553787041595370535"
 }
 },
 "parameters": {
@@ -4041,7 +4041,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.24.24.22086",
- "templateHash": "152028927580700612"
+ "templateHash": "16150908492534844813"
 }
 },
 "parameters": {
@@ -4341,7 +4341,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.24.24.22086",
- "templateHash": "10434464295768923462"
+ "templateHash": "168612721220957252"
 }
 },
 "parameters": {
@@ -4402,7 +4402,7 @@
 "value": "ServicePrincipal"
 },
 "roleDefinitionId": {
- "value": "e147488a-f6f5-4113-8e2d-b22465e65bf6"
+ "value": "[resourceId('Microsoft.Authorization/roleDefinitions', 'e147488a-f6f5-4113-8e2d-b22465e65bf6')]"
 },
 "targetResourceId": {
 "value": "[resourceGroup().id]"
diff --git a/src/bicep/modules/disk-encryption-set.bicep b/src/bicep/modules/disk-encryption-set.bicep
index 0c567501f..085cad3b3 100644
--- a/src/bicep/modules/disk-encryption-set.bicep
+++ b/src/bicep/modules/disk-encryption-set.bicep
@@ -34,7 +34,7 @@ module roleAssignment 'role-assignment.bicep' = {
 params: {
 principalId: diskEncryptionSet.identity.principalId
 principalType: 'ServicePrincipal'
- roleDefinitionId: 'e147488a-f6f5-4113-8e2d-b22465e65bf6' // Key Vault Crypto Service Encryption User
+ roleDefinitionId: resourceId('Microsoft.Authorization/roleDefinitions','e147488a-f6f5-4113-8e2d-b22465e65bf6') // Key Vault Crypto Service Encryption User
 targetResourceId: resourceGroup().id
 }
 }
From 03d645ca4e20f1d13bdb3459f3432449756d054e Mon Sep 17 00:00:00 2001
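Review bot: The role assignment is still scoped to the whole resource group (`targetResourceId: resourceGroup().id`), so the disk encryption set's identity receives Key Vault Crypto Service Encryption User on every key vault that is, or later lands, in that group rather than only on the vault holding its key; the switch to a full role-definition resource ID is correct, but least privilege would scope the assignment to the key vault (or the key) the DES actually uses. The vault's resource ID is not visible in this hunk, so this assumes the module already has it or can take it as a parameter. If resource-group scope is deliberate, a comment such as `// resource-group scope is intentional: the DES key vault is created in this group` would record that decision for the next reader. The enclosing `roleAssignment` module starts before this hunk.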
From: Jason Masten
Date: Sun, 21 Jan 2024 19:38:50 -0500
Subject: [PATCH 12/28] Fixed hybrid use benefit for linux vm
---
 src/bicep/core/remote-access.bicep | 1 -
 src/bicep/mlz.json | 14 ++++----------
 src/bicep/modules/linux-virtual-machine.bicep | 3 +--
 3 files changed, 5 insertions(+), 13 deletions(-)
diff --git a/src/bicep/core/remote-access.bicep b/src/bicep/core/remote-access.bicep
index a40ad4b25..349870266 100644
--- a/src/bicep/core/remote-access.bicep
+++ b/src/bicep/core/remote-access.bicep
@@ -91,7 +91,6 @@ module linuxVirtualMachine '../modules/linux-virtual-machine.bicep' = {
 authenticationType: linuxVmAuthenticationType
 diskEncryptionSetResourceId: diskEncryptionSetResourceId
 diskName: linuxDiskName
- hybridUseBenefit: hybridUseBenefit
 location: location
 logAnalyticsWorkspaceId: logAnalyticsWorkspaceId
 name: linuxVmName
diff --git a/src/bicep/mlz.json b/src/bicep/mlz.json
index cd3c011f1..de2105434 100644
--- a/src/bicep/mlz.json
+++ b/src/bicep/mlz.json
@@ -5,7 +5,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.24.24.22086",
- "templateHash": "16553787041595370535"
+ "templateHash": "10148461992192012808"
 }
 },
 "parameters": {
@@ -7443,7 +7443,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.24.24.22086",
- "templateHash": "8181077966537772080"
+ "templateHash": "16121888738065093211"
 }
 },
 "parameters": {
@@ -7834,9 +7834,6 @@
 "diskName": {
 "value": "[parameters('linuxDiskName')]"
 },
- "hybridUseBenefit": {
- "value": "[parameters('hybridUseBenefit')]"
- },
 "location": {
 "value": "[parameters('location')]"
 },
@@ -7881,7 +7878,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.24.24.22086",
- "templateHash": "15673259361514742625"
+ "templateHash": "14884645693106953752"
 }
 },
 "parameters": {
@@ -7905,9 +7902,6 @@
 "diskName": {
 "type": "string"
 },
- "hybridUseBenefit": {
- "type": "bool"
- },
 "location": {
 "type": "string"
 },
@@ -8019,7 +8013,7 @@
 "version": "[parameters('vmImageVersion')]"
 }
 },
- "licenseType": "[if(parameters('hybridUseBenefit'), 'Windows_Server', null())]"
+ "licenseType": null
 }
 },
 {
diff --git a/src/bicep/modules/linux-virtual-machine.bicep b/src/bicep/modules/linux-virtual-machine.bicep
index b8b644ab4..4e742ff01 100644
--- a/src/bicep/modules/linux-virtual-machine.bicep
+++ b/src/bicep/modules/linux-virtual-machine.bicep
@@ -14,7 +14,6 @@ param adminUsername string
 param authenticationType string
 param diskEncryptionSetResourceId string
 param diskName string
-param hybridUseBenefit bool
 param location string
 param name string
 param networkInterfaceName string
@@ -102,7 +101,7 @@ resource virtualMachine 'Microsoft.Compute/virtualMachines@2021-04-01' = {
 version: vmImageVersion
 }
 }
- licenseType: hybridUseBenefit ? 'Windows_Server' : null
+ licenseType: null
 }
 }
From 4e6b22187a936fa87a5e5115eca6d2afec9b414c Mon Sep 17 00:00:00 2001
From: Jason Masten
Date: Sun, 21 Jan 2024 21:31:45 -0500
Subject: [PATCH 13/28] Updated images to G2 for trusted launch support
---
 src/bicep/mlz.bicep | 4 ++--
 src/bicep/mlz.json | 6 +++---
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/src/bicep/mlz.bicep b/src/bicep/mlz.bicep
index bbe235b0b..828cdf5a3 100644
--- a/src/bicep/mlz.bicep
+++ b/src/bicep/mlz.bicep
@@ -424,7 +424,7 @@ param linuxVmImagePublisher string = 'Canonical'
 param linuxVmImageOffer string = 'UbuntuServer'
 @description('The image SKU of the Linux Virtual Machine to Azure Bastion remote into. It defaults to "18.04-LTS".')
-param linuxVmImageSku string = '18.04-LTS'
+param linuxVmImageSku string = '18_04-lts-gen2'
 @description('The image version of the Linux Virtual Machine to Azure Bastion remote into. It defaults to "latest".')
 param linuxVmImageVersion string = 'latest'
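Review bot: With `hybridUseBenefit` removed, `licenseType: null` in the -102 hunk is a constant that the compiled template still emits as `"licenseType": null` (see the mlz.json hunk above); dropping the property altogether reads cleaner than hard-coding null, assuming the Compute provider treats an absent and a null `licenseType` the same, which I believe it does but cannot confirm from this diff. The parameter removal in the -14 hunk is consistent with that. The enclosing `virtualMachine` resource starts before the -102 hunk.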
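Review bot: The `@description` on `linuxVmImageSku` still says it defaults to "18.04-LTS" while the default is now '18_04-lts-gen2', so the parameter help text (and the generated metadata in mlz.json in the same commit) is stale; update it to `@description('The image SKU of the Linux Virtual Machine to Azure Bastion remote into. It defaults to "18_04-lts-gen2".')`. The same mismatch applies to `windowsVmSku` in the -456 hunk below, whose description should read `It defaults to "2019-datacenter-gensecond".`. A short comment on why the Gen2 SKUs were chosen (the commit subject says trusted launch) would also help, e.g. `// Gen2 image: required for trusted launch`.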
@@ -456,7 +456,7 @@ param windowsVmPublisher string = 'MicrosoftWindowsServer'
 param windowsVmOffer string = 'WindowsServer'
 @description('The SKU of the Windows Virtual Machine to Azure Bastion remote into. It defaults to "2019-datacenter".')
-param windowsVmSku string = '2019-datacenter'
+param windowsVmSku string = '2019-datacenter-gensecond'
 @description('The version of the Windows Virtual Machine to Azure Bastion remote into. It defaults to "latest".')
 param windowsVmVersion string = 'latest'
diff --git a/src/bicep/mlz.json b/src/bicep/mlz.json
index de2105434..848f1daae 100644
--- a/src/bicep/mlz.json
+++ b/src/bicep/mlz.json
@@ -5,7 +5,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.24.24.22086",
- "templateHash": "10148461992192012808"
+ "templateHash": "8799805699963881561"
 }
 },
 "parameters": {
@@ -673,7 +673,7 @@
 },
 "linuxVmImageSku": {
 "type": "string",
- "defaultValue": "18.04-LTS",
+ "defaultValue": "18_04-lts-gen2",
 "metadata": {
 "description": "The image SKU of the Linux Virtual Machine to Azure Bastion remote into. It defaults to \"18.04-LTS\"."
 }
@@ -734,7 +734,7 @@
 },
 "windowsVmSku": {
 "type": "string",
- "defaultValue": "2019-datacenter",
+ "defaultValue": "2019-datacenter-gensecond",
 "metadata": {
 "description": "The SKU of the Windows Virtual Machine to Azure Bastion remote into. It defaults to \"2019-datacenter\"."
 }
From 2145edb8715656164ecb49122361aa43acf484f5 Mon Sep 17 00:00:00 2001
From: Jason Masten
Date: Sun, 21 Jan 2024 23:08:02 -0500
Subject: [PATCH 14/28] Updated API version, Organized code
---
 src/bicep/modules/linux-virtual-machine.bicep | 28 +++++++++----------
 1 file changed, 14 insertions(+), 14 deletions(-)
diff --git a/src/bicep/modules/linux-virtual-machine.bicep b/src/bicep/modules/linux-virtual-machine.bicep
index 4e742ff01..ae7e5f795 100644
--- a/src/bicep/modules/linux-virtual-machine.bicep
+++ b/src/bicep/modules/linux-virtual-machine.bicep
@@ -105,6 +105,19 @@ resource virtualMachine 'Microsoft.Compute/virtualMachines@2021-04-01' = {
 }
 }
+resource policyExtension 'Microsoft.Compute/virtualMachines/extensions@2021-04-01' = {
+ parent: virtualMachine
+ name: 'AzurePolicyforLinux'
+ location: location
+ properties: {
+ publisher: 'Microsoft.GuestConfiguration'
+ type: 'ConfigurationforLinux'
+ typeHandlerVersion: '1.0'
+ autoUpgradeMinorVersion: true
+ enableAutomaticUpgrade: true
+ }
+}
+
 resource networkWatcher 'Microsoft.Compute/virtualMachines/extensions@2021-04-01' = {
 parent: virtualMachine
 name: 'Microsoft.Azure.NetworkWatcher'
@@ -119,20 +132,7 @@ resource networkWatcher 'Microsoft.Compute/virtualMachines/extensions@2021-04-01
 ]
 }
-resource policyExtension 'Microsoft.Compute/virtualMachines/extensions@2021-04-01' = {
- parent: virtualMachine
- name: 'AzurePolicyforLinux'
- location: location
- properties: {
- publisher: 'Microsoft.GuestConfiguration'
- type: 'ConfigurationforLinux'
- typeHandlerVersion: '1.0'
- autoUpgradeMinorVersion: true
- enableAutomaticUpgrade: true
- }
-}
-
-resource omsExtension 'Microsoft.Compute/virtualMachines/extensions@2021-04-01' = {
+resource omsExtension 'Microsoft.Compute/virtualMachines/extensions@2020-06-01' = {
 parent: virtualMachine
 name: 'OMSExtension'
 location: location
From e05e2e70040e5cbffbf68347030658bf142b0ae8 Mon Sep 17 00:00:00 2001
From: Jason Masten
Date: Sun, 21 Jan 2024 23:08:26 -0500
Subject: [PATCH 15/28] Fixed group ID for pvt endpoint
---
 src/bicep/modules/storage-account.bicep | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/bicep/modules/storage-account.bicep b/src/bicep/modules/storage-account.bicep
index be4f4719b..c1fe9754d 100644
--- a/src/bicep/modules/storage-account.bicep
+++ b/src/bicep/modules/storage-account.bicep
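Review bot: The `omsExtension` API version in the second hunk (-119) moves backwards from 2021-04-01 to 2020-06-01 while the two sibling extensions stay on 2021-04-01 and the commit subject says "Updated API version"; if the older version is deliberate, a short comment on the resource line would save the next reader a bisect, e.g. `// 2020-06-01 pinned on purpose: <reason>`, otherwise align it with the other extensions. Moving `policyExtension` ahead of `networkWatcher` in the first hunk only changes declaration order and is fine as written. As far as I know the OMSExtension (Log Analytics agent) has a published retirement in favor of the Azure Monitor agent, so its continued use is worth tracking separately; I cannot tell the project's agent strategy from this diff.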
@@ -97,7 +97,7 @@ resource privateEndpoints 'Microsoft.Network/privateEndpoints@2020-05-01' = [for
 properties: {
 privateLinkServiceId: storageAccount.id
 groupIds: [
- 'blob'
+ split(split(zone, '/')[8], '.')[1]
 ]
 }
 }
From 18c87d556409210e7e4182bb35554bda6c786308 Mon Sep 17 00:00:00 2001
From: Jason Masten
Date: Sun, 21 Jan 2024 23:08:38 -0500
Subject: [PATCH 16/28] Compiled bicep changes
---
 src/bicep/mlz.json | 42 +++++++++++++++++++++---------------------
 1 file changed, 21 insertions(+), 21 deletions(-)
diff --git a/src/bicep/mlz.json b/src/bicep/mlz.json
index 848f1daae..8096fc655 100644
--- a/src/bicep/mlz.json
+++ b/src/bicep/mlz.json
@@ -5,7 +5,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.24.24.22086",
- "templateHash": "8799805699963881561"
+ "templateHash": "10319856952736988147"
 }
 },
 "parameters": {
@@ -4690,7 +4690,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.24.24.22086",
- "templateHash": "16562264313481397415"
+ "templateHash": "6330010367702999075"
 }
 },
 "parameters": {
@@ -4780,7 +4780,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.24.24.22086",
- "templateHash": "9753044048835183070"
+ "templateHash": "8153769194575738814"
 }
 },
 "parameters": {
@@ -4909,7 +4909,7 @@
 "properties": {
 "privateLinkServiceId": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]",
 "groupIds": [
- "blob"
+ "[split(split(variables('zones')[copyIndex()], '/')[8], '.')[1]]"
 ]
 }
 }
@@ -5023,7 +5023,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.24.24.22086",
- "templateHash": "8173689652147359226"
+ "templateHash": "15353088112920784086"
 }
 },
 "parameters": {
@@ -5113,7 +5113,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.24.24.22086",
- "templateHash": "9753044048835183070"
+ "templateHash": "8153769194575738814"
 }
 },
 "parameters": {
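Review bot: `split(split(zone, '/')[8], '.')[1]` derives the private-endpoint group ID from the DNS zone's resource ID and the same expression already builds the endpoint name, so it is now duplicated inside `privateEndpoints` (and duplicated again for the NIC and connection names in a later commit); a single array var keeps the copies from drifting: `var groupIds = [for zone in zones: split(split(zone, '/')[8], '.')[1]]` with `groupIds[i]` used in the loop. The expression also silently assumes every element of `zones` is a full resource ID (segment 8 is the zone name, e.g. privatelink.blob.core.windows.net) — a bare zone name would fail with an opaque index error at deploy time, so the `zones` parameter description should state that it takes resource IDs; that declaration is outside this hunk. The enclosing `privateEndpoints` resource starts before this hunk.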
@@ -5242,7 +5242,7 @@ "properties": { "privateLinkServiceId": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]", "groupIds": [ - "blob" + "[split(split(variables('zones')[copyIndex()], '/')[8], '.')[1]]" ] } } @@ -7443,7 +7443,7 @@ "_generator": { "name": "bicep", "version": "0.24.24.22086", - "templateHash": "16121888738065093211" + "templateHash": "13146069844365146864" } }, "parameters": { @@ -7878,7 +7878,7 @@ "_generator": { "name": "bicep", "version": "0.24.24.22086", - "templateHash": "14884645693106953752" + "templateHash": "11340554190693694553" } }, "parameters": { 
@@ -8019,37 +8019,37 @@ { "type": "Microsoft.Compute/virtualMachines/extensions", "apiVersion": "2021-04-01", - "name": "[format('{0}/{1}', parameters('name'), 'Microsoft.Azure.NetworkWatcher')]", + "name": "[format('{0}/{1}', parameters('name'), 'AzurePolicyforLinux')]", "location": "[parameters('location')]", "properties": { - "publisher": "Microsoft.Azure.NetworkWatcher", - "type": "NetworkWatcherAgentLinux", - "typeHandlerVersion": "1.4" + "publisher": "Microsoft.GuestConfiguration", + "type": "ConfigurationforLinux", + "typeHandlerVersion": "1.0", + "autoUpgradeMinorVersion": true, + "enableAutomaticUpgrade": true }, "dependsOn": [ - "[resourceId('Microsoft.Compute/virtualMachines/extensions', parameters('name'), 'AzurePolicyforLinux')]", "[resourceId('Microsoft.Compute/virtualMachines', parameters('name'))]" ] }, { "type": "Microsoft.Compute/virtualMachines/extensions", "apiVersion": "2021-04-01", - "name": "[format('{0}/{1}', parameters('name'), 'AzurePolicyforLinux')]", + "name": "[format('{0}/{1}', parameters('name'), 'Microsoft.Azure.NetworkWatcher')]", "location": "[parameters('location')]", "properties": { - "publisher": "Microsoft.GuestConfiguration", - "type": "ConfigurationforLinux", - "typeHandlerVersion": "1.0", - "autoUpgradeMinorVersion": true, - "enableAutomaticUpgrade": true + "publisher": "Microsoft.Azure.NetworkWatcher", + "type": "NetworkWatcherAgentLinux", + "typeHandlerVersion": "1.4" }, "dependsOn": [ + "[resourceId('Microsoft.Compute/virtualMachines/extensions', parameters('name'), 'AzurePolicyforLinux')]", "[resourceId('Microsoft.Compute/virtualMachines', parameters('name'))]" ] }, { "type": "Microsoft.Compute/virtualMachines/extensions", - "apiVersion": "2021-04-01", + "apiVersion": "2020-06-01", "name": "[format('{0}/{1}', parameters('name'), 'OMSExtension')]", "location": "[parameters('location')]", "properties": { From fb6006a4bfc6ad9c8960562154a7f87a24bc2a43 Mon Sep 17 00:00:00 2001 
From: Jason Masten
Date: Sun, 21 Jan 2024 23:42:09 -0500
Subject: [PATCH 17/28] Updated API version, Added custom name for the NIC
---
 src/bicep/modules/storage-account.bicep | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/src/bicep/modules/storage-account.bicep b/src/bicep/modules/storage-account.bicep
index c1fe9754d..315e2c74f 100644
--- a/src/bicep/modules/storage-account.bicep
+++ b/src/bicep/modules/storage-account.bicep
@@ -83,14 +83,12 @@ resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' = {
 }
 }
-resource privateEndpoints 'Microsoft.Network/privateEndpoints@2020-05-01' = [for (zone, i) in zones: {
+resource privateEndpoints 'Microsoft.Network/privateEndpoints@2023-04-01' = [for (zone, i) in zones: {
 name: '${replace(storageAccountName, resourcePrefix, '${resourcePrefix}-pe-')}-${split(split(zone, '/')[8], '.')[1]}'
 location: location
 tags: tags
 properties: {
- subnet: {
- id: subnetResourceId
- }
+ customNetworkInterfaceName: '${replace(storageAccountName, resourcePrefix, '${resourcePrefix}-nic-')}-${split(split(zone, '/')[8], '.')[1]}'
 privateLinkServiceConnections: [
 {
 name: '${replace(storageAccountName, resourcePrefix, '${resourcePrefix}-nic-')}-${split(split(zone, '/')[8], '.')[1]}'
@@ -102,6 +100,9 @@ resource privateEndpoints 'Microsoft.Network/privateEndpoints@2020-05-01' = [for
 }
 }
 ]
+ subnet: {
+ id: subnetResourceId
+ }
 }
 }]
From 3bab61365b945fa5953f034302f873f2f09c066f Mon Sep 17 00:00:00 2001
From: Jason Masten
Date: Sun, 21 Jan 2024 23:42:49 -0500
Subject: [PATCH 18/28] Added location abbreviation to naming convention
---
 src/bicep/mlz.bicep | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/bicep/mlz.bicep b/src/bicep/mlz.bicep
index 828cdf5a3..5a9b539d6 100644
--- a/src/bicep/mlz.bicep
+++ b/src/bicep/mlz.bicep
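Review bot: `customNetworkInterfaceName` and the `privateLinkServiceConnections[0].name` in the first hunk (-83) now resolve to the identical `-nic-` string, so the connection and the NIC carry the same name, which makes the two objects hard to tell apart in the portal and in activity logs; giving the connection its own token, e.g. `'${replace(storageAccountName, resourcePrefix, '${resourcePrefix}-plsc-')}-${split(split(zone, '/')[8], '.')[1]}'`, keeps them distinct. Moving `subnet` below the connections in the second hunk is a pure reordering and is fine. The `privateEndpoints` resource continues past the first hunk and the second hunk ends at its closing `}]`.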
@@ -514,9 +514,11 @@ param emailSecurityContact string = ''
 */
+var locations = (loadJsonContent('data/locations.json'))[environment().name]
+var locationAbbreviation = locations[location].abbreviation
 var resourceToken = 'resource_token'
 var nameToken = 'name_token'
-var namingConvention = '${toLower(resourcePrefix)}-${resourceToken}-${nameToken}-${toLower(resourceSuffix)}'
+var namingConvention = '${toLower(resourcePrefix)}-${resourceToken}-${nameToken}-${toLower(resourceSuffix)}-${locationAbbreviation}'
 /*
From 49df646db762dfc5c277d4d600159720d0836a53 Mon Sep 17 00:00:00 2001
From: Jason Masten
Date: Sun, 21 Jan 2024 23:43:01 -0500
Subject: [PATCH 19/28] Compiled bicep changes
---
 src/bicep/mlz.json | 420 +++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 404 insertions(+), 16 deletions(-)
diff --git a/src/bicep/mlz.json b/src/bicep/mlz.json
index 8096fc655..6543bef7e 100644
--- a/src/bicep/mlz.json
+++ b/src/bicep/mlz.json
@@ -5,7 +5,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.24.24.22086",
- "templateHash": "10319856952736988147"
+ "templateHash": "9786233197329383717"
 }
 },
 "parameters": {
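Review bot: `locations[location].abbreviation` fails with a generic property-lookup error when `location` is not a key under the current `environment().name` in data/locations.json, and the keys that file uses are lowercase ARM region names (see the `$fxv#0` data in the next commit), so a mixed-case value would miss; unless the `location` param is already constrained, `locations[toLower(location)].abbreviation` plus a comment like `// keys in data/locations.json are lowercase ARM region names` would make the failure mode clearer. Appending `-${locationAbbreviation}` also lengthens every name derived from `namingConvention`, which matters for resource types with short name limits, and it renames every resource of an existing deployment, so redeploying over an environment created before this commit would create new resources beside the old ones instead of updating them in place. The consumers of `namingConvention` are outside this hunk, so I cannot confirm either effect from the diff.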
@@ -825,9 +825,395 @@ "input": "[cidrHost(parameters('firewallClientSubnetAddressPrefix'), range(0, 4)[copyIndex('firewallClientUsableIpAddresses')])]" } ], + "$fxv#0": { + "AzureChina": { + "chinaeast": { + "abbreviation": "cne", + "recoveryServicesGeo": "sha", + "timeDifference": "+8:00", + "timeZone": "China Standard Time" + }, + "chinaeast2": { + "abbreviation": "cne2", + "recoveryServicesGeo": "sha2", + "timeDifference": "+8:00", + "timeZone": "China Standard Time" + }, + "chinanorth": { + "abbreviation": "cnn", + "recoveryServicesGeo": "bjb", + "timeDifference": "+8:00", + "timeZone": "China Standard Time" + }, + "chinanorth2": { + "abbreviation": "cnn2", + "recoveryServicesGeo": "bjb2", + "timeDifference": "+8:00", + "timeZone": "China Standard Time" + } + }, + "AzureCloud": { + "australiacentral": { + "abbreviation": "auc", + "recoveryServicesGeo": "acl", + "timeDifference": "+10:00", + "timeZone": "AUS Eastern Standard Time" + }, + "australiacentral2": { + "abbreviation": "auc2", + "recoveryServicesGeo": "acl2", + "timeDifference": "+10:00", + "timeZone": "AUS Eastern Standard Time" + }, + "australiaeast": { + "abbreviation": "aue", + "recoveryServicesGeo": "ae", + "timeDifference": "+10:00", + "timeZone": "AUS Eastern Standard Time" + }, + "australiasoutheast": { + "abbreviation": "ause", + "recoveryServicesGeo": "ase", + "timeDifference": "+10:00", + "timeZone": "AUS Eastern Standard Time" + }, + "brazilsouth": { + "abbreviation": "brs", + "recoveryServicesGeo": "brs", + "timeDifference": "-3:00", + "timeZone": "E. South America Standard Time" + }, + "brazilsoutheast": { + "abbreviation": "brse", + "recoveryServicesGeo": "bse", + "timeDifference": "-3:00", + "timeZone": "E. 
South America Standard Time" + }, + "canadacentral": { + "abbreviation": "cac", + "recoveryServicesGeo": "cnc", + "timeDifference": "-5:00", + "timeZone": "Eastern Standard Time" + }, + "canadaeast": { + "abbreviation": "cae", + "recoveryServicesGeo": "cne", + "timeDifference": "-5:00", + "timeZone": "Eastern Standard Time" + }, + "centralindia": { + "abbreviation": "inc", + "recoveryServicesGeo": "inc", + "timeDifference": "+5:30", + "timeZone": "India Standard Time" + }, + "centralus": { + "abbreviation": "usc", + "recoveryServicesGeo": "cus", + "timeDifference": "-6:00", + "timeZone": "Central Standard Time" + }, + "eastasia": { + "abbreviation": "ase", + "recoveryServicesGeo": "ea", + "timeDifference": "+8:00", + "timeZone": "China Standard Time" + }, + "eastus": { + "abbreviation": "use", + "recoveryServicesGeo": "eus", + "timeDifference": "-5:00", + "timeZone": "Eastern Standard Time" + }, + "eastus2": { + "abbreviation": "use2", + "recoveryServicesGeo": "eus2", + "timeDifference": "-5:00", + "timeZone": "Eastern Standard Time" + }, + "francecentral": { + "abbreviation": "frc", + "recoveryServicesGeo": "frc", + "timeDifference": "+1:00", + "timeZone": "Central Europe Standard Time" + }, + "francesouth": { + "abbreviation": "frs", + "recoveryServicesGeo": "frs", + "timeDifference": "+1:00", + "timeZone": "Central Europe Standard Time" + }, + "germanynorth": { + "abbreviation": "den", + "recoveryServicesGeo": "gn", + "timeDifference": "+1:00", + "timeZone": "Central Europe Standard Time" + }, + "germanywestcentral": { + "abbreviation": "dewc", + "recoveryServicesGeo": "gwc", + "timeDifference": "+1:00", + "timeZone": "Central Europe Standard Time" + }, + "israelcentral": { + "abbreviation": "ilc", + "recoveryServicesGeo": "ilc", + "timeDifference": "+2:00", + "timeZone": "Israel Standard Time" + }, + "italynorth": { + "abbreviation": "itn", + "recoveryServicesGeo": "itn", + "timeDifference": "+1:00", + "timeZone": "Central Europe Standard Time" + }, + 
"japaneast": { + "abbreviation": "jpe", + "recoveryServicesGeo": "jpe", + "timeDifference": "+9:00", + "timeZone": "Tokyo Standard Time" + }, + "japanwest": { + "abbreviation": "jpw", + "recoveryServicesGeo": "jpw", + "timeDifference": "+9:00", + "timeZone": "Tokyo Standard Time" + }, + "jioindiacentral": { + "abbreviation": "injc", + "recoveryServicesGeo": "jic", + "timeDifference": "+5:30", + "timeZone": "India Standard Time" + }, + "jioindiawest": { + "abbreviation": "injw", + "recoveryServicesGeo": "jiw", + "timeDifference": "+5:30", + "timeZone": "India Standard Time" + }, + "koreacentral": { + "abbreviation": "krc", + "recoveryServicesGeo": "krc", + "timeDifference": "+9:00", + "timeZone": "Korea Standard Time" + }, + "koreasouth": { + "abbreviation": "krs", + "recoveryServicesGeo": "krs", + "timeDifference": "+9:00", + "timeZone": "Korea Standard Time" + }, + "northcentralus": { + "abbreviation": "usnc", + "recoveryServicesGeo": "ncus", + "timeDifference": "-6:00", + "timeZone": "Central Standard Time" + }, + "northeurope": { + "abbreviation": "eun", + "recoveryServicesGeo": "ne", + "timeDifference": "0:00", + "timeZone": "GMT Standard Time" + }, + "norwayeast": { + "abbreviation": "noe", + "recoveryServicesGeo": "nwe", + "timeDifference": "+1:00", + "timeZone": "Central Europe Standard Time" + }, + "norwaywest": { + "abbreviation": "now", + "recoveryServicesGeo": "nww", + "timeDifference": "+1:00", + "timeZone": "Central Europe Standard Time" + }, + "polandcentral": { + "abbreviation": "plc", + "recoveryServicesGeo": "plc", + "timeDifference": "+1:00", + "timeZone": "Central Europe Standard Time" + }, + "qatarcentral": { + "abbreviation": "qac", + "recoveryServicesGeo": "qac", + "timeDifference": "+3:00", + "timeZone": "Arabian Standard Time" + }, + "southafricanorth": { + "abbreviation": "zan", + "recoveryServicesGeo": "san", + "timeDifference": "+2:00", + "timeZone": "South Africa Standard Time" + }, + "southafricawest": { + "abbreviation": "zaw", + 
"recoveryServicesGeo": "saw", + "timeDifference": "+2:00", + "timeZone": "South Africa Standard Time" + }, + "southcentralus": { + "abbreviation": "ussc", + "recoveryServicesGeo": "scus", + "timeDifference": "-6:00", + "timeZone": "Central Standard Time" + }, + "southeastasia": { + "abbreviation": "asse", + "recoveryServicesGeo": "sea", + "timeDifference": "+8:00", + "timeZone": "Singapore Standard Time" + }, + "southindia": { + "abbreviation": "ins", + "recoveryServicesGeo": "ins", + "timeDifference": "+5:30", + "timeZone": "India Standard Time" + }, + "swedencentral": { + "abbreviation": "sec", + "recoveryServicesGeo": "sdc", + "timeDifference": "+1:00", + "timeZone": "Central Europe Standard Time" + }, + "switzerlandnorth": { + "abbreviation": "chn", + "recoveryServicesGeo": "szn", + "timeDifference": "+1:00", + "timeZone": "Central Europe Standard Time" + }, + "switzerlandwest": { + "abbreviation": "chw", + "recoveryServicesGeo": "szw", + "timeDifference": "+1:00", + "timeZone": "Central Europe Standard Time" + }, + "uaecentral": { + "abbreviation": "aec", + "recoveryServicesGeo": "uac", + "timeDifference": "+3:00", + "timeZone": "Arabian Standard Time" + }, + "uaenorth": { + "abbreviation": "aen", + "recoveryServicesGeo": "uan", + "timeDifference": "+3:00", + "timeZone": "Arabian Standard Time" + }, + "uksouth": { + "abbreviation": "uks", + "recoveryServicesGeo": "uks", + "timeDifference": "0:00", + "timeZone": "GMT Standard Time" + }, + "ukwest": { + "abbreviation": "ukw", + "recoveryServicesGeo": "ukw", + "timeDifference": "0:00", + "timeZone": "GMT Standard Time" + }, + "westcentralus": { + "abbreviation": "uswc", + "recoveryServicesGeo": "wcus", + "timeDifference": "-7:00", + "timeZone": "Mountain Standard Time" + }, + "westeurope": { + "abbreviation": "euw", + "recoveryServicesGeo": "we", + "timeDifference": "+1:00", + "timeZone": "Central Europe Standard Time" + }, + "westindia": { + "abbreviation": "inw", + "recoveryServicesGeo": "inw", + 
"timeDifference": "+5:30", + "timeZone": "India Standard Time" + }, + "westus": { + "abbreviation": "usw", + "recoveryServicesGeo": "wus", + "timeDifference": "-8:00", + "timeZone": "Pacific Standard Time" + }, + "westus2": { + "abbreviation": "usw2", + "recoveryServicesGeo": "wus2", + "timeDifference": "-8:00", + "timeZone": "Pacific Standard Time" + }, + "westus3": { + "abbreviation": "usw3", + "recoveryServicesGeo": "wus3", + "timeDifference": "-7:00", + "timeZone": "Mountain Standard Time" + } + }, + "AzureUSGovernment": { + "usdodcentral": { + "abbreviation": "dodc", + "recoveryServicesGeo": "udc", + "timeDifference": "-6:00", + "timeZone": "Central Standard Time" + }, + "usdodeast": { + "abbreviation": "dode", + "recoveryServicesGeo": "ude", + "timeDifference": "-5:00", + "timeZone": "Eastern Standard Time" + }, + "usgovarizona": { + "abbreviation": "az", + "recoveryServicesGeo": "uga", + "timeDifference": "-7:00", + "timeZone": "Mountain Standard Time" + }, + "usgovtexas": { + "abbreviation": "tx", + "recoveryServicesGeo": "ugt", + "timeDifference": "-6:00", + "timeZone": "Central Standard Time" + }, + "usgovvirginia": { + "abbreviation": "va", + "recoveryServicesGeo": "ugv", + "timeDifference": "-5:00", + "timeZone": "Eastern Standard Time" + } + }, + "USNat": { + "usnateast": { + "abbreviation": "east", + "recoveryServicesGeo": "exe", + "timeDifference": "-5:00", + "timeZone": "Eastern Standard Time" + }, + "usnatwest": { + "abbreviation": "west", + "recoveryServicesGeo": "exw", + "timeDifference": "-8:00", + "timeZone": "Pacific Standard Time" + } + }, + "USSec": { + "usseceast": { + "abbreviation": "east", + "recoveryServicesGeo": "rxe", + "timeDifference": "-5:00", + "timeZone": "Eastern Standard Time" + }, + "ussecwest": { + "abbreviation": "west", + "recoveryServicesGeo": "rxw", + "timeDifference": "-8:00", + "timeZone": "Pacific Standard Time" + } + } + }, + "locations": "[variables('$fxv#0')[environment().name]]", + "locationAbbreviation": 
"[variables('locations')[parameters('location')].abbreviation]", "resourceToken": "resource_token", "nameToken": "name_token", - "namingConvention": "[format('{0}-{1}-{2}-{3}', toLower(parameters('resourcePrefix')), variables('resourceToken'), variables('nameToken'), toLower(parameters('resourceSuffix')))]", + "namingConvention": "[format('{0}-{1}-{2}-{3}-{4}', toLower(parameters('resourcePrefix')), variables('resourceToken'), variables('nameToken'), toLower(parameters('resourceSuffix')), variables('locationAbbreviation'))]", "bastionHostNamingConvention": "[replace(variables('namingConvention'), variables('resourceToken'), 'bas')]", "diskEncryptionSetNamingConvention": "[replace(variables('namingConvention'), variables('resourceToken'), 'des')]", "diskNamingConvention": "[replace(variables('namingConvention'), variables('resourceToken'), 'disk')]", @@ -4690,7 +5076,7 @@ "_generator": { "name": "bicep", "version": "0.24.24.22086", - "templateHash": "6330010367702999075" + "templateHash": "3711120774165826362" } }, "parameters": { @@ -4780,7 +5166,7 @@ "_generator": { "name": "bicep", "version": "0.24.24.22086", - "templateHash": "8153769194575738814" + "templateHash": "234191582863282012" } }, "parameters": { 
@@ -4895,14 +5281,12 @@ "count": "[length(variables('zones'))]" }, "type": "Microsoft.Network/privateEndpoints", - "apiVersion": "2020-05-01", + "apiVersion": "2023-04-01", "name": "[format('{0}-{1}', replace(parameters('storageAccountName'), parameters('resourcePrefix'), format('{0}-pe-', parameters('resourcePrefix'))), split(split(variables('zones')[copyIndex()], '/')[8], '.')[1])]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", "properties": { - "subnet": { - "id": "[parameters('subnetResourceId')]" - }, + "customNetworkInterfaceName": "[format('{0}-{1}', replace(parameters('storageAccountName'), parameters('resourcePrefix'), format('{0}-nic-', parameters('resourcePrefix'))), split(split(variables('zones')[copyIndex()], '/')[8], '.')[1])]", "privateLinkServiceConnections": [ { "name": "[format('{0}-{1}', replace(parameters('storageAccountName'), parameters('resourcePrefix'), format('{0}-nic-', parameters('resourcePrefix'))), split(split(variables('zones')[copyIndex()], '/')[8], '.')[1])]", @@ -4913,7 +5297,10 @@ ] } } - ] + ], + "subnet": { + "id": "[parameters('subnetResourceId')]" + } }, "dependsOn": [ "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]" @@ -5023,7 +5410,7 @@ "_generator": { "name": "bicep", "version": "0.24.24.22086", - "templateHash": "15353088112920784086" + "templateHash": "6037549614709568341" } }, "parameters": { @@ -5113,7 +5500,7 @@ "_generator": { "name": "bicep", "version": "0.24.24.22086", - "templateHash": "8153769194575738814" + "templateHash": "234191582863282012" } }, "parameters": { 
@@ -5228,14 +5615,12 @@ "count": "[length(variables('zones'))]" }, "type": "Microsoft.Network/privateEndpoints", - "apiVersion": "2020-05-01", + "apiVersion": "2023-04-01", "name": "[format('{0}-{1}', replace(parameters('storageAccountName'), parameters('resourcePrefix'), format('{0}-pe-', parameters('resourcePrefix'))), split(split(variables('zones')[copyIndex()], '/')[8], '.')[1])]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", "properties": { - "subnet": { - "id": "[parameters('subnetResourceId')]" - }, + "customNetworkInterfaceName": "[format('{0}-{1}', replace(parameters('storageAccountName'), parameters('resourcePrefix'), format('{0}-nic-', parameters('resourcePrefix'))), split(split(variables('zones')[copyIndex()], '/')[8], '.')[1])]", "privateLinkServiceConnections": [ { "name": "[format('{0}-{1}', replace(parameters('storageAccountName'), parameters('resourcePrefix'), format('{0}-nic-', parameters('resourcePrefix'))), split(split(variables('zones')[copyIndex()], '/')[8], '.')[1])]", @@ -5246,7 +5631,10 @@ ] } } - ] + ], + "subnet": { + "id": "[parameters('subnetResourceId')]" + } }, "dependsOn": [ "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]" From 024cc886660948f0e9c7363bef642ad30bc20269 Mon Sep 17 00:00:00 2001 From: Jason Masten Date: Sun, 21 Jan 2024 23:52:30 -0500 Subject: [PATCH 20/28] Fixed pvt endpoint & NIC name --- src/bicep/mlz.json | 25 +++++++++++++------------ src/bicep/modules/key-vault.bicep | 13 +++++++------ 2 files changed, 20 insertions(+), 18 deletions(-) diff --git a/src/bicep/mlz.json b/src/bicep/mlz.json index 6543bef7e..0a1e548a5 100644 --- a/src/bicep/mlz.json +++ b/src/bicep/mlz.json @@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.24.24.22086", - "templateHash": "9786233197329383717" + "templateHash": "10941512818639211433" } }, "parameters": { 
@@ -4427,7 +4427,7 @@ "_generator": { "name": "bicep", "version": "0.24.24.22086", - "templateHash": "16150908492534844813" + "templateHash": "12054782223447234085" } }, "parameters": { @@ -4496,7 +4496,7 @@ "_generator": { "name": "bicep", "version": "0.24.24.22086", - "templateHash": "17786330016094382581" + "templateHash": "11779575706720375217" } }, "parameters": { @@ -4553,17 +4553,15 @@ }, { "type": "Microsoft.Network/privateEndpoints", - "apiVersion": "2020-05-01", - "name": "[replace(parameters('keyVaultName'), parameters('resourcePrefix'), format('{0}-pe-', parameters('resourcePrefix')))]", + "apiVersion": "2023-04-01", + "name": "[replace(parameters('keyVaultName'), parameters('resourcePrefix'), format('{0}-pe', parameters('resourcePrefix')))]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", "properties": { - "subnet": { - "id": "[parameters('subnetResourceId')]" - }, + "customNetworkInterfaceName": "[replace(parameters('keyVaultName'), parameters('resourcePrefix'), format('{0}-nic', parameters('resourcePrefix')))]", "privateLinkServiceConnections": [ { - "name": "[replace(parameters('keyVaultName'), parameters('resourcePrefix'), format('{0}-nic-', parameters('resourcePrefix')))]", + "name": "[replace(parameters('keyVaultName'), parameters('resourcePrefix'), format('{0}-nic', parameters('resourcePrefix')))]", "properties": { "privateLinkServiceId": "[resourceId('Microsoft.KeyVault/vaults', parameters('keyVaultName'))]", "groupIds": [ @@ -4571,7 +4569,10 @@ ] } } - ] + ], + "subnet": { + "id": "[parameters('subnetResourceId')]" + } }, "dependsOn": [ "[resourceId('Microsoft.KeyVault/vaults', parameters('keyVaultName'))]" 
@@ -4580,7 +4581,7 @@ { "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", "apiVersion": "2021-08-01", - "name": "[format('{0}/{1}', replace(parameters('keyVaultName'), parameters('resourcePrefix'), format('{0}-pe-', parameters('resourcePrefix'))), parameters('keyVaultName'))]", + "name": "[format('{0}/{1}', replace(parameters('keyVaultName'), parameters('resourcePrefix'), format('{0}-pe', parameters('resourcePrefix'))), parameters('keyVaultName'))]", "properties": { "privateDnsZoneConfigs": [ { @@ -4592,7 +4593,7 @@ ] }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', replace(parameters('keyVaultName'), parameters('resourcePrefix'), format('{0}-pe-', parameters('resourcePrefix'))))]" + "[resourceId('Microsoft.Network/privateEndpoints', replace(parameters('keyVaultName'), parameters('resourcePrefix'), format('{0}-pe', parameters('resourcePrefix'))))]" ] }, { diff --git a/src/bicep/modules/key-vault.bicep b/src/bicep/modules/key-vault.bicep index a2908dbf0..65e51d777 100644 --- a/src/bicep/modules/key-vault.bicep +++ b/src/bicep/modules/key-vault.bicep @@ -32,17 +32,15 @@ resource vault 'Microsoft.KeyVault/vaults@2022-07-01' = { } } -resource privateEndpoint 'Microsoft.Network/privateEndpoints@2020-05-01' = { - name: replace(keyVaultName, resourcePrefix, '${resourcePrefix}-pe-') +resource privateEndpoint 'Microsoft.Network/privateEndpoints@2023-04-01' = { + name: replace(keyVaultName, resourcePrefix, '${resourcePrefix}-pe') location: location tags: tags properties: { - subnet: { - id: subnetResourceId - } + customNetworkInterfaceName: replace(keyVaultName, resourcePrefix, '${resourcePrefix}-nic') privateLinkServiceConnections: [ { - name: replace(keyVaultName, resourcePrefix, '${resourcePrefix}-nic-') + name: replace(keyVaultName, resourcePrefix, '${resourcePrefix}-nic') properties: { privateLinkServiceId: vault.id groupIds: [ 
@@ -51,6 +49,9 @@ resource privateEndpoint 'Microsoft.Network/privateEndpoints@2020-05-01' = { } } ] + subnet: { + id: subnetResourceId + } } } From feac9f7dcc03b0eccf8bd85ae57e710bf8af7e82 Mon Sep 17 00:00:00 2001 From: Jason Masten Date: Mon, 22 Jan 2024 00:04:36 -0500 Subject: [PATCH 21/28] Added guest attestation for trusted launch --- src/bicep/mlz.json | 66 +++++++++++++++++-- src/bicep/modules/linux-virtual-machine.bicep | 26 ++++++++ .../modules/windows-virtual-machine.bicep | 26 ++++++++ 3 files changed, 114 insertions(+), 4 deletions(-) diff --git a/src/bicep/mlz.json b/src/bicep/mlz.json index 0a1e548a5..86869db76 100644 --- a/src/bicep/mlz.json +++ b/src/bicep/mlz.json @@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.24.24.22086", - "templateHash": "10941512818639211433" + "templateHash": "13130523633992801856" } }, "parameters": { @@ -7832,7 +7832,7 @@ "_generator": { "name": "bicep", "version": "0.24.24.22086", - "templateHash": "13146069844365146864" + "templateHash": "5778706831016165290" } }, "parameters": { @@ -8267,7 +8267,7 @@ "_generator": { "name": "bicep", "version": "0.24.24.22086", - "templateHash": "11340554190693694553" + "templateHash": "13448922027561695966" } }, "parameters": { 
@@ -8405,6 +8405,35 @@ "licenseType": null } }, + { + "type": "Microsoft.Compute/virtualMachines/extensions", + "apiVersion": "2021-03-01", + "name": "[format('{0}/{1}', parameters('name'), 'GuestAttestation')]", + "location": "[parameters('location')]", + "properties": { + "publisher": "Microsoft.Azure.Security.LinuxAttestation", + "type": "GuestAttestation", + "typeHandlerVersion": "1.0", + "autoUpgradeMinorVersion": true, + "settings": { + "AttestationConfig": { + "MaaSettings": { + "maaEndpoint": "", + "maaTenantName": "GuestAttestation" + }, + "AscSettings": { + "ascReportingEndpoint": "", + "ascReportingFrequency": "" + }, + "useCustomToken": "false", + "disableAlerts": "false" + } + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Compute/virtualMachines', parameters('name'))]" + ] + }, { "type": "Microsoft.Compute/virtualMachines/extensions", "apiVersion": "2021-04-01", @@ -8664,7 +8693,7 @@ "_generator": { "name": "bicep", "version": "0.24.24.22086", - "templateHash": "14439588153238255023" + "templateHash": "5793129099305307535" } }, "parameters": { 
@@ -8793,6 +8822,35 @@ "licenseType": "[if(parameters('hybridUseBenefit'), 'Windows_Server', null())]" } }, + { + "type": "Microsoft.Compute/virtualMachines/extensions", + "apiVersion": "2021-03-01", + "name": "[format('{0}/{1}', parameters('name'), 'GuestAttestation')]", + "location": "[parameters('location')]", + "properties": { + "publisher": "Microsoft.Azure.Security.WindowsAttestation", + "type": "GuestAttestation", + "typeHandlerVersion": "1.0", + "autoUpgradeMinorVersion": true, + "settings": { + "AttestationConfig": { + "MaaSettings": { + "maaEndpoint": "", + "maaTenantName": "GuestAttestation" + }, + "AscSettings": { + "ascReportingEndpoint": "", + "ascReportingFrequency": "" + }, + "useCustomToken": "false", + "disableAlerts": "false" + } + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Compute/virtualMachines', parameters('name'))]" + ] + }, { "type": "Microsoft.Compute/virtualMachines/extensions", "apiVersion": "2021-04-01", diff --git a/src/bicep/modules/linux-virtual-machine.bicep b/src/bicep/modules/linux-virtual-machine.bicep index ae7e5f795..94007d118 100644 --- a/src/bicep/modules/linux-virtual-machine.bicep +++ b/src/bicep/modules/linux-virtual-machine.bicep 
@@ -105,6 +105,32 @@ resource virtualMachine 'Microsoft.Compute/virtualMachines@2021-04-01' = { } } +resource guestAttestationExtension 'Microsoft.Compute/virtualMachines/extensions@2021-03-01' = { + parent: virtualMachine + name: 'GuestAttestation' + location: location + properties: { + publisher: 'Microsoft.Azure.Security.LinuxAttestation' + type: 'GuestAttestation' + typeHandlerVersion: '1.0' + autoUpgradeMinorVersion: true + settings: { + AttestationConfig: { + MaaSettings: { + maaEndpoint: '' + maaTenantName: 'GuestAttestation' + } + AscSettings: { + ascReportingEndpoint: '' + ascReportingFrequency: '' + } + useCustomToken: 'false' + disableAlerts: 'false' + } + } + } +} + resource policyExtension 'Microsoft.Compute/virtualMachines/extensions@2021-04-01' = { parent: virtualMachine name: 'AzurePolicyforLinux' diff --git a/src/bicep/modules/windows-virtual-machine.bicep b/src/bicep/modules/windows-virtual-machine.bicep index 05c5725b5..09a220438 100644 --- a/src/bicep/modules/windows-virtual-machine.bicep +++ b/src/bicep/modules/windows-virtual-machine.bicep @@ -93,6 +93,32 @@ resource virtualMachine 'Microsoft.Compute/virtualMachines@2021-04-01' = { } } +resource guestAttestationExtension 'Microsoft.Compute/virtualMachines/extensions@2021-03-01' = { + parent: virtualMachine + name: 'GuestAttestation' + location: location + properties: { + publisher: 'Microsoft.Azure.Security.WindowsAttestation' + type: 'GuestAttestation' + typeHandlerVersion: '1.0' + autoUpgradeMinorVersion: true + settings: { + AttestationConfig: { + MaaSettings: { + maaEndpoint: '' + maaTenantName: 'GuestAttestation' + } + AscSettings: { + ascReportingEndpoint: '' + ascReportingFrequency: '' + } + useCustomToken: 'false' + disableAlerts: 'false' + } + } + } +} + resource dependencyAgent 'Microsoft.Compute/virtualMachines/extensions@2021-04-01' = { parent: virtualMachine name: 'DependencyAgentWindows' From 615f7a02d9ac3dbaed8b2fa21519948c176f159c Mon Sep 17 00:00:00 2001 
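Review bot: `guestAttestationExtension` in linux-virtual-machine.bicep (and its twin in windows-virtual-machine.bicep in the same hunk) is deployed unconditionally, but as far as I know the Guest Attestation extension only installs on a Trusted Launch VM with Secure Boot and vTPM enabled; the VM's `securityProfile` is outside this hunk, so if it is ever parameterized the extension needs a matching condition, e.g. `resource guestAttestationExtension '...' = if (securityType == 'TrustedLaunch') {`. `maaEndpoint: ''` and `ascReportingEndpoint: ''` leave the attestation and reporting endpoints at the extension defaults; because this template targets sovereign clouds (the locations table in PATCH 19 lists AzureUSGovernment, USNat and USSec), a comment recording that the default regional attestation provider is relied on and that availability in those clouds was verified would help the next maintainer. The extension also pins `@2021-03-01` while the neighbouring `policyExtension` uses `@2021-04-01`; aligning the API versions is a small consistency fix.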
From: Jason Masten Date: Mon, 22 Jan 2024 08:58:40 -0500 Subject: [PATCH 22/28] Fixed resource naming --- src/bicep/core/hub-network.bicep | 2 +- src/bicep/core/spoke-network.bicep | 2 +- src/bicep/mlz.bicep | 36 ++++-- src/bicep/mlz.json | 184 +++++++++++---------------- src/bicep/modules/private-link.bicep | 84 ++++-------- 5 files changed, 121 insertions(+), 187 deletions(-) diff --git a/src/bicep/core/hub-network.bicep b/src/bicep/core/hub-network.bicep index 3ffb56514..b3f2dbfb2 100644 --- a/src/bicep/core/hub-network.bicep +++ b/src/bicep/core/hub-network.bicep @@ -42,7 +42,7 @@ param location string param networkSecurityGroupName string param networkSecurityGroupRules array param networkWatcherName string -param routeTableName string = '${subnetName}-routetable' +param routeTableName string param routeTableRouteAddressPrefix string = '0.0.0.0/0' param routeTableRouteName string = 'default_route' param routeTableRouteNextHopType string = 'VirtualAppliance' diff --git a/src/bicep/core/spoke-network.bicep b/src/bicep/core/spoke-network.bicep index 0e9dc4851..dfe013e28 100644 --- a/src/bicep/core/spoke-network.bicep +++ b/src/bicep/core/spoke-network.bicep @@ -6,7 +6,7 @@ Licensed under the MIT License. param location string param networkSecurityGroupName string param networkSecurityGroupRules array -param routeTableName string = '${subnetName}-routetable' +param routeTableName string param routeTableRouteName string = 'default_route' param routeTableRouteAddressPrefix string = '0.0.0.0/0' param routeTableRouteNextHopIpAddress string diff --git a/src/bicep/mlz.bicep b/src/bicep/mlz.bicep index 5a9b539d6..240b5a7df 100644 --- a/src/bicep/mlz.bicep +++ b/src/bicep/mlz.bicep 
@@ -549,7 +549,8 @@ var networkSecurityGroupNamingConvention = replace(namingConvention, resourceTok var networkWatcherNamingConvention = replace(namingConvention, resourceToken, 'nw') var publicIpAddressNamingConvention = replace(namingConvention, resourceToken, 'pip') var resourceGroupNamingConvention = replace(namingConvention, resourceToken, 'rg') -var storageAccountNamingConvention = toLower('${resourcePrefix}st${nameToken}unique_storage_token') +var routeTableNamingConvention = replace(namingConvention, resourceToken, 'rt') +var storageAccountNamingConvention = toLower('${replace(replace(namingConvention, resourceToken, 'st'), '-', '')}unique_storage_token') var subnetNamingConvention = replace(namingConvention, resourceToken, 'snet') var userAssignedIdentityNamingConvention = replace(namingConvention, resourceToken, 'uaid') var virtualMachineNamingConvention = replace(namingConvention, resourceToken, 'vm') 
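Review bot: The new `storageAccountNamingConvention` grows with the location abbreviation and with whatever `resourcePrefix`/`resourceSuffix` the caller supplies, and the `take(…, 24)` applied in the following hunks (hub, identity, operations, sharedServices) truncates from the right, so the `uniqueString(...)` characters are the first to be dropped; with a long prefix or suffix the deterministic part can consume most of the 24 characters and the unique portion shrinks, making global storage-account name collisions more likely. Consider truncating the deterministic part instead and keeping the 13-character `uniqueString` intact, e.g. `var hubLogStorageAccountName = '${take(replace(hubLogStorageAccountShortName, 'unique_storage_token', ''), 11)}${uniqueString(resourcePrefix, resourceSuffix, hubSubscriptionId)}'`. `replace(..., '-', '')` removes hyphens only; unless `resourceSuffix` is constrained elsewhere, other characters that are invalid in a storage account name (underscores, for instance) would still pass through.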
@@ -559,12 +560,13 @@ var virtualNetworkNamingConvention = replace(namingConvention, resourceToken, 'v var hubName = 'hub' var hubShortName = 'hub' -var hubLogStorageAccountName = take(hubLogStorageAccountUniqueName, 23) +var hubLogStorageAccountName = take(hubLogStorageAccountUniqueName, 24) var hubLogStorageAccountShortName = replace(storageAccountNamingConvention, nameToken, hubShortName) var hubLogStorageAccountUniqueName = replace(hubLogStorageAccountShortName, 'unique_storage_token', uniqueString(resourcePrefix, resourceSuffix, hubSubscriptionId)) var hubNetworkWatcherName = replace(networkWatcherNamingConvention, nameToken, hubName) var hubNetworkSecurityGroupName = replace(networkSecurityGroupNamingConvention, nameToken, hubName) var hubResourceGroupName = replace(resourceGroupNamingConvention, nameToken, hubName) +var hubRouteTableName = replace(routeTableNamingConvention, nameToken, hubName) var hubSubnetName = replace(subnetNamingConvention, nameToken, hubName) var hubVirtualNetworkName = replace(virtualNetworkNamingConvention, nameToken, hubName) 
@@ -572,13 +574,14 @@ var hubVirtualNetworkName = replace(virtualNetworkNamingConvention, nameToken, h var identityName = 'identity' var identityShortName = 'id' -var identityResourceGroupName = replace(resourceGroupNamingConvention, nameToken, identityName) +var identityLogStorageAccountName = take(identityLogStorageAccountUniqueName, 24) var identityLogStorageAccountShortName = replace(storageAccountNamingConvention, nameToken, identityShortName) var identityLogStorageAccountUniqueName = replace(identityLogStorageAccountShortName, 'unique_storage_token', uniqueString(resourcePrefix, resourceSuffix, identitySubscriptionId)) -var identityLogStorageAccountName = take(identityLogStorageAccountUniqueName, 23) -var identityVirtualNetworkName = replace(virtualNetworkNamingConvention, nameToken, identityName) var identityNetworkSecurityGroupName = replace(networkSecurityGroupNamingConvention, nameToken, identityName) +var identityResourceGroupName = replace(resourceGroupNamingConvention, nameToken, identityName) +var identityRouteTableName = replace(routeTableNamingConvention, nameToken, identityName) var identitySubnetName = replace(subnetNamingConvention, nameToken, identityName) +var identityVirtualNetworkName = replace(virtualNetworkNamingConvention, nameToken, identityName) // OPERATIONS NAMES 
@@ -586,26 +589,28 @@ var operationsName = 'operations' var operationsShortName = 'ops' var operationsDiskEncryptionSetName = replace(diskEncryptionSetNamingConvention, nameToken, operationsName) var operationsKeyVaultName = replace(keyVaultNamingConvention, nameToken, operationsShortName) -var operationsResourceGroupName = replace(resourceGroupNamingConvention, nameToken, operationsName) +var operationsLogStorageAccountName = take(operationsLogStorageAccountUniqueName, 24) var operationsLogStorageAccountShortName = replace(storageAccountNamingConvention, nameToken, operationsShortName) var operationsLogStorageAccountUniqueName = replace(operationsLogStorageAccountShortName, 'unique_storage_token', uniqueString(resourcePrefix, resourceSuffix, operationsSubscriptionId)) -var operationsLogStorageAccountName = take(operationsLogStorageAccountUniqueName, 23) -var operationsVirtualNetworkName = replace(virtualNetworkNamingConvention, nameToken, operationsName) var operationsNetworkSecurityGroupName = replace(networkSecurityGroupNamingConvention, nameToken, operationsName) +var operationsResourceGroupName = replace(resourceGroupNamingConvention, nameToken, operationsName) +var operationsRouteTableName = replace(routeTableNamingConvention, nameToken, operationsName) var operationsSubnetName = replace(subnetNamingConvention, nameToken, operationsName) var operationsUserAssignedIdentityName = replace(userAssignedIdentityNamingConvention, nameToken, operationsName) +var operationsVirtualNetworkName = replace(virtualNetworkNamingConvention, nameToken, operationsName) // SHARED SERVICES NAMES var sharedServicesName = 'sharedServices' var sharedServicesShortName = 'svcs' -var sharedServicesResourceGroupName = replace(resourceGroupNamingConvention, nameToken, sharedServicesName) +var sharedServicesLogStorageAccountName = take(sharedServicesLogStorageAccountUniqueName, 24) var sharedServicesLogStorageAccountShortName = replace(storageAccountNamingConvention, nameToken, 
sharedServicesShortName) var sharedServicesLogStorageAccountUniqueName = replace(sharedServicesLogStorageAccountShortName, 'unique_storage_token', uniqueString(resourcePrefix, resourceSuffix, sharedServicesSubscriptionId)) -var sharedServicesLogStorageAccountName = take(sharedServicesLogStorageAccountUniqueName, 23) -var sharedServicesVirtualNetworkName = replace(virtualNetworkNamingConvention, nameToken, sharedServicesName) var sharedServicesNetworkSecurityGroupName = replace(networkSecurityGroupNamingConvention, nameToken, sharedServicesName) +var sharedServicesResourceGroupName = replace(resourceGroupNamingConvention, nameToken, sharedServicesName) +var sharedServicesRouteTableName = replace(routeTableNamingConvention, nameToken, sharedServicesName) var sharedServicesSubnetName = replace(subnetNamingConvention, nameToken, sharedServicesName) +var sharedServicesVirtualNetworkName = replace(virtualNetworkNamingConvention, nameToken, sharedServicesName) // LOG ANALYTICS NAMES @@ -662,6 +667,7 @@ var spokes = [ networkSecurityGroupRules: identityNetworkSecurityGroupRules networkSecurityGroupDiagnosticsLogs: identityNetworkSecurityGroupDiagnosticsLogs networkSecurityGroupDiagnosticsMetrics: identityNetworkSecurityGroupDiagnosticsMetrics + routeTableName: identityRouteTableName subnetName: identitySubnetName subnetAddressPrefix: identitySubnetAddressPrefix subnetPrivateEndpointNetworkPolicies: 'Disabled' @@ -680,6 +686,7 @@ var spokes = [ networkSecurityGroupRules: operationsNetworkSecurityGroupRules networkSecurityGroupDiagnosticsLogs: operationsNetworkSecurityGroupDiagnosticsLogs networkSecurityGroupDiagnosticsMetrics: operationsNetworkSecurityGroupDiagnosticsMetrics + routeTableName: operationsRouteTableName subnetName: operationsSubnetName subnetAddressPrefix: operationsSubnetAddressPrefix subnetPrivateEndpointNetworkPolicies: 'Disabled' 
@@ -698,6 +705,7 @@ var spokes = [ networkSecurityGroupRules: sharedServicesNetworkSecurityGroupRules networkSecurityGroupDiagnosticsLogs: sharedServicesNetworkSecurityGroupDiagnosticsLogs networkSecurityGroupDiagnosticsMetrics: sharedServicesNetworkSecurityGroupDiagnosticsMetrics + routeTableName: sharedServicesRouteTableName subnetName: sharedServicesSubnetName subnetAddressPrefix: sharedServicesSubnetAddressPrefix subnetPrivateEndpointNetworkPolicies: 'Disabled' @@ -799,6 +807,7 @@ module hubNetwork './core/hub-network.bicep' = { networkSecurityGroupName: hubNetworkSecurityGroupName networkSecurityGroupRules: hubNetworkSecurityGroupRules networkWatcherName: hubNetworkWatcherName + routeTableName: hubRouteTableName subnetAddressPrefix: hubSubnetAddressPrefix subnetName: hubSubnetName tags: calculatedTags @@ -820,6 +829,7 @@ module spokeNetworks './core/spoke-network.bicep' = [for spoke in spokes: { location: location networkSecurityGroupName: spoke.networkSecurityGroupName networkSecurityGroupRules: spoke.networkSecurityGroupRules + routeTableName: spoke.routeTableName routeTableRouteNextHopIpAddress: firewallClientPrivateIpAddress subnetAddressPrefix: spoke.subnetAddressPrefix subnetName: spoke.subnetName 
@@ -997,14 +1007,14 @@ module azureMonitorPrivateLink './modules/private-link.bicep' = if (contains(sup params: { logAnalyticsWorkspaceName: logAnalyticsWorkspace.outputs.name logAnalyticsWorkspaceResourceId: logAnalyticsWorkspace.outputs.id - privateEndpointSubnetName: operationsSubnetName - privateEndpointVnetName: operationsVirtualNetworkName monitorPrivateDnsZoneId: privateDnsZones.outputs.monitorPrivateDnsZoneId omsPrivateDnsZoneId: privateDnsZones.outputs.omsPrivateDnsZoneId odsPrivateDnsZoneId: privateDnsZones.outputs.odsPrivateDnsZoneId agentsvcPrivateDnsZoneId: privateDnsZones.outputs.agentsvcPrivateDnsZoneId location: location tags: tags + resourcePrefix: resourcePrefix + subnetResourceId: spokeNetworks[1].outputs.subnetResourceId } dependsOn: [ logAnalyticsWorkspace diff --git a/src/bicep/mlz.json b/src/bicep/mlz.json index 86869db76..721b75912 100644 --- a/src/bicep/mlz.json +++ b/src/bicep/mlz.json @@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.24.24.22086", - "templateHash": "13130523633992801856" + "templateHash": "4808476122647380464" } }, "parameters": { 
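Review bot: `subnetResourceId: spokeNetworks[1].outputs.subnetResourceId` pins the Azure Monitor private endpoint to whichever spoke happens to be second in the `spokes` array (operations, judging by the `@@ -680` hunk above), replacing the explicit `operationsSubnetName`/`operationsVirtualNetworkName` inputs the hunk removes. If the array order ever changes, the endpoint silently lands in another spoke's subnet and the private DNS zone group would publish the workspace's private addresses there. A comment documenting the coupling would help, e.g. `// spokes[1] is the operations spoke; the AMPLS endpoint must sit next to the Log Analytics workspace`, or the index could be derived from the spoke name instead of hard-coded. The module's `dependsOn` block continues past the hunk.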
@@ -1227,51 +1227,56 @@ "networkWatcherNamingConvention": "[replace(variables('namingConvention'), variables('resourceToken'), 'nw')]", "publicIpAddressNamingConvention": "[replace(variables('namingConvention'), variables('resourceToken'), 'pip')]", "resourceGroupNamingConvention": "[replace(variables('namingConvention'), variables('resourceToken'), 'rg')]", - "storageAccountNamingConvention": "[toLower(format('{0}st{1}unique_storage_token', parameters('resourcePrefix'), variables('nameToken')))]", + "routeTableNamingConvention": "[replace(variables('namingConvention'), variables('resourceToken'), 'rt')]", + "storageAccountNamingConvention": "[toLower(format('{0}unique_storage_token', replace(replace(variables('namingConvention'), variables('resourceToken'), 'st'), '-', '')))]", "subnetNamingConvention": "[replace(variables('namingConvention'), variables('resourceToken'), 'snet')]", "userAssignedIdentityNamingConvention": "[replace(variables('namingConvention'), variables('resourceToken'), 'uaid')]", "virtualMachineNamingConvention": "[replace(variables('namingConvention'), variables('resourceToken'), 'vm')]", "virtualNetworkNamingConvention": "[replace(variables('namingConvention'), variables('resourceToken'), 'vnet')]", "hubName": "hub", "hubShortName": "hub", - "hubLogStorageAccountName": "[take(variables('hubLogStorageAccountUniqueName'), 23)]", + "hubLogStorageAccountName": "[take(variables('hubLogStorageAccountUniqueName'), 24)]", "hubLogStorageAccountShortName": "[replace(variables('storageAccountNamingConvention'), variables('nameToken'), variables('hubShortName'))]", "hubLogStorageAccountUniqueName": "[replace(variables('hubLogStorageAccountShortName'), 'unique_storage_token', uniqueString(parameters('resourcePrefix'), parameters('resourceSuffix'), parameters('hubSubscriptionId')))]", "hubNetworkWatcherName": "[replace(variables('networkWatcherNamingConvention'), variables('nameToken'), variables('hubName'))]", "hubNetworkSecurityGroupName": 
"[replace(variables('networkSecurityGroupNamingConvention'), variables('nameToken'), variables('hubName'))]", "hubResourceGroupName": "[replace(variables('resourceGroupNamingConvention'), variables('nameToken'), variables('hubName'))]", + "hubRouteTableName": "[replace(variables('routeTableNamingConvention'), variables('nameToken'), variables('hubName'))]", "hubSubnetName": "[replace(variables('subnetNamingConvention'), variables('nameToken'), variables('hubName'))]", "hubVirtualNetworkName": "[replace(variables('virtualNetworkNamingConvention'), variables('nameToken'), variables('hubName'))]", "identityName": "identity", "identityShortName": "id", - "identityResourceGroupName": "[replace(variables('resourceGroupNamingConvention'), variables('nameToken'), variables('identityName'))]", + "identityLogStorageAccountName": "[take(variables('identityLogStorageAccountUniqueName'), 24)]", "identityLogStorageAccountShortName": "[replace(variables('storageAccountNamingConvention'), variables('nameToken'), variables('identityShortName'))]", "identityLogStorageAccountUniqueName": "[replace(variables('identityLogStorageAccountShortName'), 'unique_storage_token', uniqueString(parameters('resourcePrefix'), parameters('resourceSuffix'), parameters('identitySubscriptionId')))]", - "identityLogStorageAccountName": "[take(variables('identityLogStorageAccountUniqueName'), 23)]", - "identityVirtualNetworkName": "[replace(variables('virtualNetworkNamingConvention'), variables('nameToken'), variables('identityName'))]", "identityNetworkSecurityGroupName": "[replace(variables('networkSecurityGroupNamingConvention'), variables('nameToken'), variables('identityName'))]", + "identityResourceGroupName": "[replace(variables('resourceGroupNamingConvention'), variables('nameToken'), variables('identityName'))]", + "identityRouteTableName": "[replace(variables('routeTableNamingConvention'), variables('nameToken'), variables('identityName'))]", "identitySubnetName": 
"[replace(variables('subnetNamingConvention'), variables('nameToken'), variables('identityName'))]", + "identityVirtualNetworkName": "[replace(variables('virtualNetworkNamingConvention'), variables('nameToken'), variables('identityName'))]", "operationsName": "operations", "operationsShortName": "ops", "operationsDiskEncryptionSetName": "[replace(variables('diskEncryptionSetNamingConvention'), variables('nameToken'), variables('operationsName'))]", "operationsKeyVaultName": "[replace(variables('keyVaultNamingConvention'), variables('nameToken'), variables('operationsShortName'))]", - "operationsResourceGroupName": "[replace(variables('resourceGroupNamingConvention'), variables('nameToken'), variables('operationsName'))]", + "operationsLogStorageAccountName": "[take(variables('operationsLogStorageAccountUniqueName'), 24)]", "operationsLogStorageAccountShortName": "[replace(variables('storageAccountNamingConvention'), variables('nameToken'), variables('operationsShortName'))]", "operationsLogStorageAccountUniqueName": "[replace(variables('operationsLogStorageAccountShortName'), 'unique_storage_token', uniqueString(parameters('resourcePrefix'), parameters('resourceSuffix'), parameters('operationsSubscriptionId')))]", - "operationsLogStorageAccountName": "[take(variables('operationsLogStorageAccountUniqueName'), 23)]", - "operationsVirtualNetworkName": "[replace(variables('virtualNetworkNamingConvention'), variables('nameToken'), variables('operationsName'))]", "operationsNetworkSecurityGroupName": "[replace(variables('networkSecurityGroupNamingConvention'), variables('nameToken'), variables('operationsName'))]", + "operationsResourceGroupName": "[replace(variables('resourceGroupNamingConvention'), variables('nameToken'), variables('operationsName'))]", + "operationsRouteTableName": "[replace(variables('routeTableNamingConvention'), variables('nameToken'), variables('operationsName'))]", "operationsSubnetName": "[replace(variables('subnetNamingConvention'), 
variables('nameToken'), variables('operationsName'))]", "operationsUserAssignedIdentityName": "[replace(variables('userAssignedIdentityNamingConvention'), variables('nameToken'), variables('operationsName'))]", + "operationsVirtualNetworkName": "[replace(variables('virtualNetworkNamingConvention'), variables('nameToken'), variables('operationsName'))]", "sharedServicesName": "sharedServices", "sharedServicesShortName": "svcs", - "sharedServicesResourceGroupName": "[replace(variables('resourceGroupNamingConvention'), variables('nameToken'), variables('sharedServicesName'))]", + "sharedServicesLogStorageAccountName": "[take(variables('sharedServicesLogStorageAccountUniqueName'), 24)]", "sharedServicesLogStorageAccountShortName": "[replace(variables('storageAccountNamingConvention'), variables('nameToken'), variables('sharedServicesShortName'))]", "sharedServicesLogStorageAccountUniqueName": "[replace(variables('sharedServicesLogStorageAccountShortName'), 'unique_storage_token', uniqueString(parameters('resourcePrefix'), parameters('resourceSuffix'), parameters('sharedServicesSubscriptionId')))]", - "sharedServicesLogStorageAccountName": "[take(variables('sharedServicesLogStorageAccountUniqueName'), 23)]", - "sharedServicesVirtualNetworkName": "[replace(variables('virtualNetworkNamingConvention'), variables('nameToken'), variables('sharedServicesName'))]", "sharedServicesNetworkSecurityGroupName": "[replace(variables('networkSecurityGroupNamingConvention'), variables('nameToken'), variables('sharedServicesName'))]", + "sharedServicesResourceGroupName": "[replace(variables('resourceGroupNamingConvention'), variables('nameToken'), variables('sharedServicesName'))]", + "sharedServicesRouteTableName": "[replace(variables('routeTableNamingConvention'), variables('nameToken'), variables('sharedServicesName'))]", "sharedServicesSubnetName": "[replace(variables('subnetNamingConvention'), variables('nameToken'), variables('sharedServicesName'))]", + 
"sharedServicesVirtualNetworkName": "[replace(variables('virtualNetworkNamingConvention'), variables('nameToken'), variables('sharedServicesName'))]", "logAnalyticsWorkspaceName": "[replace(variables('logAnalyticsWorkspaceNamingConvention'), variables('nameToken'), variables('operationsName'))]", "firewallName": "[replace(variables('firewallNamingConvention'), variables('nameToken'), variables('hubName'))]", "firewallPolicyName": "[replace(variables('firewallPolicyNamingConvention'), variables('nameToken'), variables('hubName'))]", @@ -1309,6 +1314,7 @@ "networkSecurityGroupRules": "[parameters('identityNetworkSecurityGroupRules')]", "networkSecurityGroupDiagnosticsLogs": "[parameters('identityNetworkSecurityGroupDiagnosticsLogs')]", "networkSecurityGroupDiagnosticsMetrics": "[parameters('identityNetworkSecurityGroupDiagnosticsMetrics')]", + "routeTableName": "[variables('identityRouteTableName')]", "subnetName": "[variables('identitySubnetName')]", "subnetAddressPrefix": "[parameters('identitySubnetAddressPrefix')]", "subnetPrivateEndpointNetworkPolicies": "Disabled", @@ -1327,6 +1333,7 @@ "networkSecurityGroupRules": "[parameters('operationsNetworkSecurityGroupRules')]", "networkSecurityGroupDiagnosticsLogs": "[parameters('operationsNetworkSecurityGroupDiagnosticsLogs')]", "networkSecurityGroupDiagnosticsMetrics": "[parameters('operationsNetworkSecurityGroupDiagnosticsMetrics')]", + "routeTableName": "[variables('operationsRouteTableName')]", "subnetName": "[variables('operationsSubnetName')]", "subnetAddressPrefix": "[parameters('operationsSubnetAddressPrefix')]", "subnetPrivateEndpointNetworkPolicies": "Disabled", 
@@ -1345,6 +1352,7 @@ "networkSecurityGroupRules": "[parameters('sharedServicesNetworkSecurityGroupRules')]", "networkSecurityGroupDiagnosticsLogs": "[parameters('sharedServicesNetworkSecurityGroupDiagnosticsLogs')]", "networkSecurityGroupDiagnosticsMetrics": "[parameters('sharedServicesNetworkSecurityGroupDiagnosticsMetrics')]", + "routeTableName": "[variables('sharedServicesRouteTableName')]", "subnetName": "[variables('sharedServicesSubnetName')]", "subnetAddressPrefix": "[parameters('sharedServicesSubnetAddressPrefix')]", "subnetPrivateEndpointNetworkPolicies": "Disabled", @@ -1822,6 +1830,9 @@ "networkWatcherName": { "value": "[variables('hubNetworkWatcherName')]" }, + "routeTableName": { + "value": "[variables('hubRouteTableName')]" + }, "subnetAddressPrefix": { "value": "[parameters('hubSubnetAddressPrefix')]" }, @@ -1850,7 +1861,7 @@ "_generator": { "name": "bicep", "version": "0.24.24.22086", - "templateHash": "1909314089015819241" + "templateHash": "15296079850903192633" } }, "parameters": { @@ -1952,8 +1963,7 @@ "type": "string" }, "routeTableName": { - "type": "string", - "defaultValue": "[format('{0}-routetable', parameters('subnetName'))]" + "type": "string" }, "routeTableRouteAddressPrefix": { "type": "string", @@ -2899,6 +2909,9 @@ "networkSecurityGroupRules": { "value": "[variables('spokes')[copyIndex()].networkSecurityGroupRules]" }, + "routeTableName": { + "value": "[variables('spokes')[copyIndex()].routeTableName]" + }, "routeTableRouteNextHopIpAddress": { "value": "[variables('firewallClientPrivateIpAddress')]" }, @@ -2936,7 +2949,7 @@ "_generator": { "name": "bicep", "version": "0.24.24.22086", - "templateHash": "9071918703658960835" + "templateHash": "9456730802221898162" } }, "parameters": { @@ -2950,8 +2963,7 @@ "type": "array" }, "routeTableName": { - "type": "string", - "defaultValue": "[format('{0}-routetable', parameters('subnetName'))]" + "type": "string" }, "routeTableRouteName": { "type": "string", 
@@ -6443,12 +6455,6 @@ "logAnalyticsWorkspaceResourceId": { "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.id.value]" }, - "privateEndpointSubnetName": { - "value": "[variables('operationsSubnetName')]" - }, - "privateEndpointVnetName": { - "value": "[variables('operationsVirtualNetworkName')]" - }, "monitorPrivateDnsZoneId": { "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-private-dns-zones-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.monitorPrivateDnsZoneId.value]" }, @@ -6466,6 +6472,12 @@ }, "tags": { "value": "[parameters('tags')]" + }, + "resourcePrefix": { + "value": "[parameters('resourcePrefix')]" + }, + "subnetResourceId": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', variables('spokes')[1].subscriptionId, variables('spokes')[1].resourceGroupName), 'Microsoft.Resources/deployments', format('deploy-vnet-{0}-{1}', variables('spokes')[1].name, parameters('deploymentNameSuffix'))), '2022-09-01').outputs.subnetResourceId.value]" } }, "template": { 
@@ -6475,98 +6487,46 @@ "_generator": { "name": "bicep", "version": "0.24.24.22086", - "templateHash": "8401513239082999873" + "templateHash": "1496252344531989324" } }, "parameters": { - "logAnalyticsWorkspaceName": { - "type": "string", - "metadata": { - "description": "The name of the resource the private endpoint is being created for" - } - }, - "logAnalyticsWorkspaceResourceId": { - "type": "string", - "metadata": { - "description": "The resource id of the resoure the private endpoint is being created for" - } - }, - "privateEndpointSubnetName": { - "type": "string", - "metadata": { - "description": "The name of the subnet in the virtual network where the private endpoint will be placed" - } - }, - "privateEndpointVnetName": { - "type": "string", - "metadata": { - "description": "The name of the virtual network where the private endpoint will be placed" - } - }, - "tags": { - "type": "object", - "metadata": { - "description": "The tags that will be associated to the VM" - } - }, - "uniqueData": { - "type": "string", - "defaultValue": "[substring(uniqueString(subscription().subscriptionId, deployment().name), 0, 8)]", - "metadata": { - "description": "Data used to append to resources to ensure uniqueness" - } + "agentsvcPrivateDnsZoneId": { + "type": "string" }, - "vnetResourceGroup": { + "location": { "type": "string", - "defaultValue": "[resourceGroup().name]", - "metadata": { - "description": "The name of the the resource group where the virtual network exists" - } + "defaultValue": "[resourceGroup().location]" }, - "vnetSubscriptionId": { - "type": "string", - "defaultValue": "[subscription().subscriptionId]", - "metadata": { - "description": "The subscription id of the subscription the virtual network exists in" - } + "logAnalyticsWorkspaceName": { + "type": "string" }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "The location of this resource" - } + "logAnalyticsWorkspaceResourceId": 
{ + "type": "string" }, "monitorPrivateDnsZoneId": { - "type": "string", - "metadata": { - "description": "Azure Monitor Private DNS Zone resource id" - } + "type": "string" + }, + "odsPrivateDnsZoneId": { + "type": "string" }, "omsPrivateDnsZoneId": { - "type": "string", - "metadata": { - "description": "OMS Private DNS Zone resource id" - } + "type": "string" }, - "odsPrivateDnsZoneId": { - "type": "string", - "metadata": { - "description": "ODS Private DNS Zone resource id" - } + "resourcePrefix": { + "type": "string" }, - "agentsvcPrivateDnsZoneId": { - "type": "string", - "metadata": { - "description": "Agentsvc Private DNS Zone resource id" - } + "subnetResourceId": { + "type": "string" + }, + "tags": { + "type": "object" } }, "variables": { - "privateLinkConnectionName": "[take(format('plconn{0}{1}', parameters('logAnalyticsWorkspaceName'), parameters('uniqueData')), 80)]", - "privateLinkEndpointName": "[take(format('pe{0}{1}', parameters('logAnalyticsWorkspaceName'), parameters('uniqueData')), 80)]", - "privateLinkScopeName": "[take(format('plscope{0}{1}', parameters('logAnalyticsWorkspaceName'), parameters('uniqueData')), 80)]", - "privateLinkScopeResourceName": "[take(format('plscres{0}{1}', parameters('logAnalyticsWorkspaceName'), parameters('uniqueData')), 80)]" + "privateEndpointName": "[replace(parameters('logAnalyticsWorkspaceName'), parameters('resourcePrefix'), format('{0}-pe', parameters('resourcePrefix')))]", + "privateEndpointNetworkInterfaceName": "[replace(parameters('logAnalyticsWorkspaceName'), parameters('resourcePrefix'), format('{0}-nic', parameters('resourcePrefix')))]", + "privateLinkScopeName": "[replace(parameters('logAnalyticsWorkspaceName'), parameters('resourcePrefix'), format('{0}-pls', parameters('resourcePrefix')))]" }, "resources": [ { 
@@ -6579,7 +6539,7 @@ { "type": "Microsoft.Insights/privateLinkScopes/scopedResources", "apiVersion": "2019-10-17-preview", - "name": "[format('{0}/{1}', variables('privateLinkScopeName'), variables('privateLinkScopeResourceName'))]", + "name": "[format('{0}/{1}', variables('privateLinkScopeName'), parameters('logAnalyticsWorkspaceName'))]", "properties": { "linkedResourceId": "[parameters('logAnalyticsWorkspaceResourceId')]" }, @@ -6589,17 +6549,15 @@ }, { "type": "Microsoft.Network/privateEndpoints", - "apiVersion": "2020-07-01", - "name": "[variables('privateLinkEndpointName')]", + "apiVersion": "2023-04-01", + "name": "[variables('privateEndpointName')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", "properties": { - "subnet": { - "id": "[resourceId(parameters('vnetSubscriptionId'), parameters('vnetResourceGroup'), 'Microsoft.Network/virtualNetworks/subnets', parameters('privateEndpointVnetName'), parameters('privateEndpointSubnetName'))]" - }, + "customNetworkInterfaceName": "[variables('privateEndpointNetworkInterfaceName')]", "privateLinkServiceConnections": [ { - "name": "[variables('privateLinkConnectionName')]", + "name": "[variables('privateEndpointNetworkInterfaceName')]", "properties": { "privateLinkServiceId": "[resourceId('microsoft.insights/privateLinkScopes', variables('privateLinkScopeName'))]", "groupIds": [ 
@@ -6607,17 +6565,19 @@ ] } } - ] + ], + "subnet": { + "id": "[parameters('subnetResourceId')]" + } }, "dependsOn": [ - "[resourceId('microsoft.insights/privateLinkScopes', variables('privateLinkScopeName'))]", - "[resourceId('Microsoft.Insights/privateLinkScopes/scopedResources', split(format('{0}/{1}', variables('privateLinkScopeName'), variables('privateLinkScopeResourceName')), '/')[0], split(format('{0}/{1}', variables('privateLinkScopeName'), variables('privateLinkScopeResourceName')), '/')[1])]" + "[resourceId('microsoft.insights/privateLinkScopes', variables('privateLinkScopeName'))]" ] }, { "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", "apiVersion": "2020-07-01", - "name": "[format('{0}/{1}', variables('privateLinkEndpointName'), variables('privateLinkEndpointName'))]", + "name": "[format('{0}/{1}', variables('privateEndpointName'), variables('privateEndpointName'))]", "properties": { "privateDnsZoneConfigs": [ { @@ -6647,7 +6607,7 @@ ] }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', variables('privateLinkEndpointName'))]" + "[resourceId('Microsoft.Network/privateEndpoints', variables('privateEndpointName'))]" ] } ] diff --git a/src/bicep/modules/private-link.bicep b/src/bicep/modules/private-link.bicep index 183bae98e..3e319a1b8 100644 --- a/src/bicep/modules/private-link.bicep +++ b/src/bicep/modules/private-link.bicep 
@@ -3,95 +3,62 @@ Copyright (c) Microsoft Corporation. Licensed under the MIT License. */ -@description('The name of the resource the private endpoint is being created for') +param agentsvcPrivateDnsZoneId string +param location string = resourceGroup().location param logAnalyticsWorkspaceName string - -@description('The resource id of the resoure the private endpoint is being created for') param logAnalyticsWorkspaceResourceId string - -@description('The name of the subnet in the virtual network where the private endpoint will be placed') -param privateEndpointSubnetName string - -@description('The name of the virtual network where the private endpoint will be placed') -param privateEndpointVnetName string - -@description('The tags that will be associated to the VM') -param tags object - -@description('Data used to append to resources to ensure uniqueness') -param uniqueData string = substring(uniqueString(subscription().subscriptionId, deployment().name), 0, 8) - -@description('The name of the the resource group where the virtual network exists') -param vnetResourceGroup string = resourceGroup().name - -@description('The subscription id of the subscription the virtual network exists in') -param vnetSubscriptionId string = subscription().subscriptionId - -@description('The location of this resource') -param location string = resourceGroup().location - -@description('Azure Monitor Private DNS Zone resource id') param monitorPrivateDnsZoneId string - -@description('OMS Private DNS Zone resource id') -param omsPrivateDnsZoneId string - -@description('ODS Private DNS Zone resource id') param odsPrivateDnsZoneId string +param omsPrivateDnsZoneId string +param resourcePrefix string +param subnetResourceId string +param tags object -@description('Agentsvc Private DNS Zone resource id') -param agentsvcPrivateDnsZoneId string - -var privateLinkConnectionName = take('plconn${logAnalyticsWorkspaceName}${uniqueData}', 80) -var privateLinkEndpointName = 
take('pe${logAnalyticsWorkspaceName}${uniqueData}', 80) -var privateLinkScopeName = take('plscope${logAnalyticsWorkspaceName}${uniqueData}', 80) -var privateLinkScopeResourceName = take('plscres${logAnalyticsWorkspaceName}${uniqueData}', 80) +var privateEndpointName = replace(logAnalyticsWorkspaceName, resourcePrefix, '${resourcePrefix}-pe') +var privateEndpointNetworkInterfaceName = replace(logAnalyticsWorkspaceName, resourcePrefix, '${resourcePrefix}-nic') +var privateLinkScopeName = replace(logAnalyticsWorkspaceName, resourcePrefix, '${resourcePrefix}-pls') -resource globalPrivateLinkScope 'microsoft.insights/privateLinkScopes@2019-10-17-preview' = { +resource privateLinkScope 'microsoft.insights/privateLinkScopes@2019-10-17-preview' = { name: privateLinkScopeName location: 'global' properties: {} } -resource logAnalyticsWorkspacePrivateLinkScope 'microsoft.insights/privateLinkScopes/scopedResources@2019-10-17-preview' = { - name: '${privateLinkScopeName}/${privateLinkScopeResourceName}' +resource scopedResource 'microsoft.insights/privateLinkScopes/scopedResources@2019-10-17-preview' = { + parent: privateLinkScope + name: logAnalyticsWorkspaceName properties: { linkedResourceId: logAnalyticsWorkspaceResourceId } - dependsOn: [ - globalPrivateLinkScope - ] } -resource subnetPrivateEndpoint 'Microsoft.Network/privateEndpoints@2020-07-01' = { - name: privateLinkEndpointName +resource privateEndpoint 'Microsoft.Network/privateEndpoints@2023-04-01' = { + name: privateEndpointName location: location tags: tags properties: { - subnet: { - id: resourceId(vnetSubscriptionId, vnetResourceGroup, 'Microsoft.Network/virtualNetworks/subnets', privateEndpointVnetName, privateEndpointSubnetName) - } + customNetworkInterfaceName: privateEndpointNetworkInterfaceName privateLinkServiceConnections: [ { - name: privateLinkConnectionName + name: privateEndpointNetworkInterfaceName properties: { - privateLinkServiceId: globalPrivateLinkScope.id + privateLinkServiceId: 
privateLinkScope.id groupIds: [ 'azuremonitor' ] } } ] + subnet: { + id: subnetResourceId + } } - dependsOn: [ - logAnalyticsWorkspacePrivateLinkScope - ] } -resource dnsZonePrivateLinkEndpoint 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2020-07-01' = { - name: privateLinkEndpointName - parent: subnetPrivateEndpoint +resource privateDnsZoneGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2020-07-01' = { + name: privateEndpointName + parent: privateEndpoint properties: { privateDnsZoneConfigs: [ { @@ -120,8 +87,5 @@ resource dnsZonePrivateLinkEndpoint 'Microsoft.Network/privateEndpoints/privateD } ] } - dependsOn: [ - subnetPrivateEndpoint - ] } From 7ff1e1cde916c6a589c0cf977d5fe55ee3e0942a Mon Sep 17 00:00:00 2001 From: Jason Masten Date: Mon, 22 Jan 2024 11:35:02 -0500 Subject: [PATCH 23/28] Added settings, Updated API versions --- src/bicep/modules/private-link.bicep | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/src/bicep/modules/private-link.bicep b/src/bicep/modules/private-link.bicep index 3e319a1b8..c73648466 100644 --- a/src/bicep/modules/private-link.bicep +++ b/src/bicep/modules/private-link.bicep 
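Review bot: Every `@description(...)` on the module's parameters is dropped in this hunk, so `subnetResourceId`, `resourcePrefix` and the four DNS zone ids now arrive undocumented; please restore descriptions, for instance `@description('Resource id of the subnet the Azure Monitor private endpoint is placed in')` on `subnetResourceId` and `@description('Prefix that is swapped for the -pe/-nic/-pls variants when deriving resource names')` on `resourcePrefix`. The new `replace(logAnalyticsWorkspaceName, resourcePrefix, ...)` derivations also assume the prefix occurs exactly once in the workspace name: if it is absent, all three variables collapse to the workspace name itself, and if it occurs twice every occurrence is rewritten, so a comment stating that assumption (or a `@minLength(1)` on `resourcePrefix`) would make the contract explicit. Reusing `privateEndpointNetworkInterfaceName` as the `privateLinkServiceConnections` entry name is a readability nit; a dedicated variable would make the intent clearer.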
@@ -18,13 +18,18 @@ var privateEndpointName = replace(logAnalyticsWorkspaceName, resourcePrefix, '${ var privateEndpointNetworkInterfaceName = replace(logAnalyticsWorkspaceName, resourcePrefix, '${resourcePrefix}-nic') var privateLinkScopeName = replace(logAnalyticsWorkspaceName, resourcePrefix, '${resourcePrefix}-pls') -resource privateLinkScope 'microsoft.insights/privateLinkScopes@2019-10-17-preview' = { +resource privateLinkScope 'microsoft.insights/privateLinkScopes@2021-09-01' = { name: privateLinkScopeName location: 'global' - properties: {} + properties: { + accessModeSettings: { + ingestionAccessMode: 'Private' + queryAccessMode: 'Private' + } + } } -resource scopedResource 'microsoft.insights/privateLinkScopes/scopedResources@2019-10-17-preview' = { +resource scopedResource 'Microsoft.Insights/privateLinkScopes/scopedResources@2021-09-01' = { parent: privateLinkScope name: logAnalyticsWorkspaceName properties: { @@ -55,8 +60,7 @@ resource privateEndpoint 'Microsoft.Network/privateEndpoints@2023-04-01' = { } } - -resource privateDnsZoneGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2020-07-01' = { +resource privateDnsZoneGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2023-04-01' = { name: privateEndpointName parent: privateEndpoint properties: { @@ -88,4 +92,3 @@ resource privateDnsZoneGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneG ] } } - From 7b3570a6fc198189b013f1257ffd09350b548d85 Mon Sep 17 00:00:00 2001 From: Jason Masten Date: Mon, 22 Jan 2024 11:35:17 -0500 Subject: [PATCH 24/28] Fixed network access --- src/bicep/modules/key-vault.bicep | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/src/bicep/modules/key-vault.bicep b/src/bicep/modules/key-vault.bicep index 65e51d777..e86482f32 100644 --- a/src/bicep/modules/key-vault.bicep +++ b/src/bicep/modules/key-vault.bicep 
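Review bot: The new `accessModeSettings` block is the security-relevant part of this hunk and deserves a comment, since `Private`/`Private` confines clients that reach Azure Monitor through this scope's private endpoint to the workspaces linked to the scope, e.g. `// Private/Private: traffic through this AMPLS endpoint is confined to the scoped workspace; no other Azure Monitor resources are reachable from it`. As far as I can tell this does not by itself block public ingestion or queries against the workspace, which is governed by the workspace's own `publicNetworkAccessForIngestion`/`publicNetworkAccessForQuery` settings and is not set in this module, so the comment should say which side is enforced here. The api-version bumps look fine.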
@@ -19,10 +19,11 @@ resource vault 'Microsoft.KeyVault/vaults@2022-07-01' = { enableSoftDelete: true networkAcls: { bypass: 'AzureServices' - virtualNetworkRules: [] - ipRules: [] defaultAction: 'Deny' + ipRules: [] + virtualNetworkRules: [] } + publicNetworkAccess: 'Disabled' sku: { family: 'A' name: 'standard' From f5861c3fc0e2b4ad3c6a9367a85ce558ab2fc2b7 Mon Sep 17 00:00:00 2001 From: Jason Masten Date: Mon, 22 Jan 2024 11:35:32 -0500 Subject: [PATCH 25/28] Compiled bicep changes --- src/bicep/mlz.json | 26 ++++++++++++++++---------- 1 file changed, 16 insertions(+), 10 deletions(-) diff --git a/src/bicep/mlz.json b/src/bicep/mlz.json index 721b75912..dffe3f070 100644 --- a/src/bicep/mlz.json +++ b/src/bicep/mlz.json @@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.24.24.22086", - "templateHash": "4808476122647380464" + "templateHash": "16684754708957299071" } }, "parameters": { @@ -4439,7 +4439,7 @@ "_generator": { "name": "bicep", "version": "0.24.24.22086", - "templateHash": "12054782223447234085" + "templateHash": "15205511176758446611" } }, "parameters": { @@ -4508,7 +4508,7 @@ "_generator": { "name": "bicep", "version": "0.24.24.22086", - "templateHash": "11779575706720375217" + "templateHash": "8627782382405074284" } }, "parameters": { @@ -4551,10 +4551,11 @@ "enableSoftDelete": true, "networkAcls": { "bypass": "AzureServices", - "virtualNetworkRules": [], + "defaultAction": "Deny", "ipRules": [], - "defaultAction": "Deny" + "virtualNetworkRules": [] }, + "publicNetworkAccess": "Disabled", "sku": { "family": "A", "name": "standard" @@ -6487,7 +6488,7 @@ "_generator": { "name": "bicep", "version": "0.24.24.22086", - "templateHash": "1496252344531989324" + "templateHash": "2378480114537074668" } }, "parameters": { 
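Review bot: `publicNetworkAccess: 'Disabled'` is added unconditionally, but nothing in this hunk provisions a private endpoint or the vault's privatelink DNS zone, so after this change only trusted services admitted by `bypass: 'AzureServices'` (for example a disk encryption set) and the ARM control plane can reach the vault; a data-plane client such as a VM extension reading a secret will presumably fail until a private endpoint exists. If the endpoint is created elsewhere in the series, a pointer comment would help, e.g. `// data-plane access is private-endpoint only; see the key vault private endpoint module` (adjusted to the actual module name); if not, consider exposing the setting as a parameter that defaults to `'Disabled'`. The `resource vault` declaration begins before the hunk.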
@@ -6531,14 +6532,19 @@ "resources": [ { "type": "microsoft.insights/privateLinkScopes", - "apiVersion": "2019-10-17-preview", + "apiVersion": "2021-09-01", "name": "[variables('privateLinkScopeName')]", "location": "global", - "properties": {} + "properties": { + "accessModeSettings": { + "ingestionAccessMode": "Private", + "queryAccessMode": "Private" + } + } }, { "type": "Microsoft.Insights/privateLinkScopes/scopedResources", - "apiVersion": "2019-10-17-preview", + "apiVersion": "2021-09-01", "name": "[format('{0}/{1}', variables('privateLinkScopeName'), parameters('logAnalyticsWorkspaceName'))]", "properties": { "linkedResourceId": "[parameters('logAnalyticsWorkspaceResourceId')]" @@ -6576,7 +6582,7 @@ }, { "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", - "apiVersion": "2020-07-01", + "apiVersion": "2023-04-01", "name": "[format('{0}/{1}', variables('privateEndpointName'), variables('privateEndpointName'))]", "properties": { "privateDnsZoneConfigs": [ From 74e393f5e50370c9494e956f9ac4f3913747d046 Mon Sep 17 00:00:00 2001 From: Jason Masten Date: Mon, 22 Jan 2024 12:05:03 -0500 Subject: [PATCH 26/28] Added dependency --- src/bicep/mlz.json | 7 ++++--- src/bicep/modules/private-link.bicep | 3 +++ 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/src/bicep/mlz.json b/src/bicep/mlz.json index dffe3f070..f685f547d 100644 --- a/src/bicep/mlz.json +++ b/src/bicep/mlz.json @@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.24.24.22086", - "templateHash": "16684754708957299071" + "templateHash": "16320808462178016270" } }, "parameters": { @@ -6488,7 +6488,7 @@ "_generator": { "name": "bicep", "version": "0.24.24.22086", - "templateHash": "2378480114537074668" + "templateHash": "8449324246862763859" } }, "parameters": { 
@@ -6577,7 +6577,8 @@ } }, "dependsOn": [ - "[resourceId('microsoft.insights/privateLinkScopes', variables('privateLinkScopeName'))]" + "[resourceId('microsoft.insights/privateLinkScopes', variables('privateLinkScopeName'))]", + "[resourceId('Microsoft.Insights/privateLinkScopes/scopedResources', variables('privateLinkScopeName'), parameters('logAnalyticsWorkspaceName'))]" ] }, { diff --git a/src/bicep/modules/private-link.bicep b/src/bicep/modules/private-link.bicep index c73648466..f1f4adfad 100644 --- a/src/bicep/modules/private-link.bicep +++ b/src/bicep/modules/private-link.bicep @@ -58,6 +58,9 @@ resource privateEndpoint 'Microsoft.Network/privateEndpoints@2023-04-01' = { id: subnetResourceId } } + dependsOn: [ + scopedResource + ] } resource privateDnsZoneGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2023-04-01' = { From bf431ce652daf7757d9bc7c41c0675cf9c11fc2b Mon Sep 17 00:00:00 2001 From: Jason Masten Date: Mon, 22 Jan 2024 12:14:20 -0500 Subject: [PATCH 27/28] Moved hybrid use benefit input --- src/bicep/form/mlz.portal.json | 28 ++++++++++------------------ 1 file changed, 10 insertions(+), 18 deletions(-) diff --git a/src/bicep/form/mlz.portal.json b/src/bicep/form/mlz.portal.json index ac4966c8c..ad5c6b0eb 100644 --- a/src/bicep/form/mlz.portal.json +++ b/src/bicep/form/mlz.portal.json @@ -858,23 +858,6 @@ } ] }, - { - "name": "hybridUseBenefit", - "label": "Hybrid Use Benefit", - "type": "Microsoft.Common.Section", - "visible": "[steps('remoteAccess').remoteAccessSection.deployRemoteAccess]", - "elements": [ - { - "name": "enable", - "type": "Microsoft.Common.CheckBox", - "label": "Enable Hybrid Use Benefit?", - "toolTip": "Check here to enable the Hybrid Use Benefit on your virtual machines.", - "constraints": { - "required": false - } - } - ] - }, { "name": "windowsVmSection", "label": "Windows Virtual Machine", 
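Review bot: The new `dependsOn: [ scopedResource ]` on privateEndpoint carries no explanation, and the ordering against the scope itself is already implicit (the compiled template in this series references the scope by resourceId from the endpoint), so a reader will wonder why the scoped resource specifically must come first. Presumably it is so the workspace is already linked to the scope when the endpoint and its DNS zone group are created, so the private zone records cover the workspace endpoints rather than an empty scope; if that is the reason, a comment such as `// link the workspace to the scope before the endpoint exists so the DNS zone group records include it` should accompany the dependsOn. The privateEndpoint resource begins outside the hunk.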
@@ -919,6 +902,15 @@ "options": { "hideConfirmation": false } + }, + { + "name": "hybridUseBenefit", + "type": "Microsoft.Common.CheckBox", + "label": "Enable Hybrid Use Benefit?", + "toolTip": "Check here to enable the Hybrid Use Benefit on your virtual machines.", + "constraints": { + "required": false + } } ] }, @@ -1010,7 +1002,7 @@ "hubSubnetAddressPrefix": "[steps('networking').hubVirtualNetwork.subnetAddressCidrRange]", "hubSubscriptionId": "[replace(steps('basics').hubSection.hubSubscriptionId, '/subscriptions/', '')]", "hubVirtualNetworkAddressPrefix": "[steps('networking').hubVirtualNetwork.virtualNetworkAddressCidrRange]", - "hybridUseBenefit": "[steps('remoteAccess').hybridUseBenefit.enable]", + "hybridUseBenefit": "[steps('remoteAccess').windowsVmSection.hybridUseBenefit]", "identitySubnetAddressPrefix": "[steps('networking').identityVirtualNetwork.subnetAddressCidrRange]", "identitySubscriptionId": "[replace(steps('basics').identitySection.identitySubscriptionId, '/subscriptions/', '')]", "identityVirtualNetworkAddressPrefix": "[steps('networking').identityVirtualNetwork.virtualNetworkAddressCidrRange]", From bcb9fb24070998ab635883afe0dacf4fece3f15b Mon Sep 17 00:00:00 2001 From: Jason Masten Date: Mon, 22 Jan 2024 12:45:21 -0500 Subject: [PATCH 28/28] Updated names for Azure Monitor deployment --- src/bicep/mlz.bicep | 162 +- src/bicep/mlz.json | 6146 +++++++++-------- ...private-link.bicep => azure-monitor.bicep} | 0 3 files changed, 3159 insertions(+), 3149 deletions(-) rename src/bicep/modules/{private-link.bicep => azure-monitor.bicep} (100%) diff --git a/src/bicep/mlz.bicep b/src/bicep/mlz.bicep index 240b5a7df..2563b71cd 100644 --- a/src/bicep/mlz.bicep +++ b/src/bicep/mlz.bicep 
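Review bot: The relocated `hybridUseBenefit` checkbox drops the `visible` condition the removed section carried (`[steps('remoteAccess').remoteAccessSection.deployRemoteAccess]`), so unless windowsVmSection is itself gated on that value the option is now shown even when no remote-access VMs are deployed. If the section carries the condition outside the hunk this is fine; otherwise add the same `"visible"` expression to the new element so the form matches the deployment it drives. The enclosing section begins outside the hunk.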
@@ -904,6 +904,85 @@ module operationsCustomerManagedKeys './core/operations-customer-managed-keys.bi ] } +// AZURE MONITOR + +module azureMonitor './modules/azure-monitor.bicep' = if (contains(supportedClouds, environment().name)) { + name: 'deploy-azure-monitor-${deploymentNameSuffix}' + scope: resourceGroup(operationsSubscriptionId, operationsResourceGroupName) + params: { + logAnalyticsWorkspaceName: logAnalyticsWorkspace.outputs.name + logAnalyticsWorkspaceResourceId: logAnalyticsWorkspace.outputs.id + monitorPrivateDnsZoneId: privateDnsZones.outputs.monitorPrivateDnsZoneId + omsPrivateDnsZoneId: privateDnsZones.outputs.omsPrivateDnsZoneId + odsPrivateDnsZoneId: privateDnsZones.outputs.odsPrivateDnsZoneId + agentsvcPrivateDnsZoneId: privateDnsZones.outputs.agentsvcPrivateDnsZoneId + location: location + tags: tags + resourcePrefix: resourcePrefix + subnetResourceId: spokeNetworks[1].outputs.subnetResourceId + } + dependsOn: [ + logAnalyticsWorkspace + privateDnsZones + spokeNetworks + ] +} + +// REMOTE ACCESS + +module remoteAccess './core/remote-access.bicep' = if (deployRemoteAccess) { + name: 'deploy-remote-access-${deploymentNameSuffix}' + scope: resourceGroup(hubSubscriptionId, hubResourceGroupName) + params: { + bastionHostIPConfigurationName: bastionHostIPConfigurationName + bastionHostName: bastionHostName + bastionHostPublicIPAddressAllocationMethod: bastionHostPublicIPAddressAllocationMethod + bastionHostPublicIPAddressAvailabilityZones: bastionHostPublicIPAddressAvailabilityZones + bastionHostPublicIPAddressName: bastionHostPublicIPAddressName + bastionHostPublicIPAddressSkuName: bastionHostPublicIPAddressSkuName + bastionHostSubnetResourceId: hubNetwork.outputs.bastionHostSubnetResourceId + hubNetworkSecurityGroupResourceId: hubNetwork.outputs.networkSecurityGroupResourceId + hubSubnetResourceId: hubNetwork.outputs.subnetResourceId + linuxNetworkInterfaceIpConfigurationName: linuxNetworkInterfaceIpConfigurationName + linuxNetworkInterfaceName: 
linuxNetworkInterfaceName + linuxNetworkInterfacePrivateIPAddressAllocationMethod: linuxNetworkInterfacePrivateIPAddressAllocationMethod + linuxVmAdminPasswordOrKey: linuxVmAdminPasswordOrKey + linuxVmAdminUsername: linuxVmAdminUsername + linuxVmAuthenticationType: linuxVmAuthenticationType + linuxVmImageOffer: linuxVmImageOffer + linuxVmImagePublisher: linuxVmImagePublisher + linuxVmImageSku: linuxVmImageSku + linuxVmImageVersion: linuxVmImageVersion + linuxVmName: linuxVmName + linuxVmOsDiskCreateOption: linuxVmOsDiskCreateOption + linuxVmOsDiskType: linuxVmOsDiskType + linuxVmSize: linuxVmSize + location: location + logAnalyticsWorkspaceId: logAnalyticsWorkspace.outputs.id + tags: tags + windowsNetworkInterfaceIpConfigurationName: windowsNetworkInterfaceIpConfigurationName + windowsNetworkInterfaceName: windowsNetworkInterfaceName + windowsNetworkInterfacePrivateIPAddressAllocationMethod: windowsNetworkInterfacePrivateIPAddressAllocationMethod + windowsVmAdminPassword: windowsVmAdminPassword + windowsVmAdminUsername: windowsVmAdminUsername + windowsVmCreateOption: windowsVmCreateOption + windowsVmName: windowsVmName + windowsVmOffer: windowsVmOffer + windowsVmPublisher: windowsVmPublisher + windowsVmSize: windowsVmSize + windowsVmSku: windowsVmSku + windowsVmStorageAccountType: windowsVmStorageAccountType + windowsVmVersion: windowsVmVersion + diskEncryptionSetResourceId: operationsCustomerManagedKeys.outputs.diskEncryptionSetResourceId + hybridUseBenefit: hybridUseBenefit + linuxDiskName: linuxDiskName + windowsDiskName: windowsDiskName + } + dependsOn: [ + azureMonitor + ] +} + // HUB LOGGING STORAGE module hubStorage './core/hub-storage.bicep' = { @@ -922,6 +1001,9 @@ module hubStorage './core/hub-storage.bicep' = { tags: calculatedTags userAssignedIdentityResourceId: operationsCustomerManagedKeys.outputs.userAssignedIdentityResourceId } + dependsOn: [ + remoteAccess + ] } // SPOKE LOGGING STORAGE 
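Review bot: `subnetResourceId: spokeNetworks[1].outputs.subnetResourceId` in the azureMonitor module picks a spoke by bare index, so the Log Analytics private endpoint silently lands in whichever spoke is second if the spokes array is ever reordered, while the module's scope is pinned to the operations resource group by name; a comment such as `// spokeNetworks[1] is the operations spoke, matching this module's scope` or a lookup by spoke name would make that coupling explicit. The relocated remoteAccess module is unchanged apart from its new `dependsOn: [ azureMonitor ]`, which points at a module conditioned on `contains(supportedClouds, environment().name)`; Bicep tolerates a dependency on a module whose condition is false, but a comment stating why the VMs and bastion must wait for the Azure Monitor private link (presumably so their diagnostic agents only ever resolve the private endpoints) would help the next reader.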
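Review bot: The new `dependsOn: [ remoteAccess ]` on hubStorage, and the identical one on spokeStorage in the next hunk, serialize the logging storage accounts after the bastion and jump VMs without saying why. If hub-diagnostics and spoke-diagnostics consume these storage accounts, as their names suggest, the network diagnostic settings are now applied only after the remote-access resources are already reachable, which widens the window before their traffic is logged; if the ordering exists for a throttling or idempotency reason, record it in a comment such as `// ordered after remoteAccess because ...`, otherwise consider dropping the dependency so log sinks are provisioned first. The hubStorage module begins outside the hunk.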
@@ -942,6 +1024,9 @@ module spokeStorage './core/spoke-storage.bicep' = [for (spoke, i) in spokes: { tags: tags userAssignedIdentityResourceId: operationsCustomerManagedKeys.outputs.userAssignedIdentityResourceId } + dependsOn: [ + remoteAccess + ] }] // HUB DIAGONSTIC LOGGING @@ -1001,28 +1086,6 @@ module hubSubscriptionActivityLogging './modules/central-logging.bicep' = { ] } -module azureMonitorPrivateLink './modules/private-link.bicep' = if (contains(supportedClouds, environment().name)) { - name: 'deploy-azure-monitor-private-link-${deploymentNameSuffix}' - scope: resourceGroup(operationsSubscriptionId, operationsResourceGroupName) - params: { - logAnalyticsWorkspaceName: logAnalyticsWorkspace.outputs.name - logAnalyticsWorkspaceResourceId: logAnalyticsWorkspace.outputs.id - monitorPrivateDnsZoneId: privateDnsZones.outputs.monitorPrivateDnsZoneId - omsPrivateDnsZoneId: privateDnsZones.outputs.omsPrivateDnsZoneId - odsPrivateDnsZoneId: privateDnsZones.outputs.odsPrivateDnsZoneId - agentsvcPrivateDnsZoneId: privateDnsZones.outputs.agentsvcPrivateDnsZoneId - location: location - tags: tags - resourcePrefix: resourcePrefix - subnetResourceId: spokeNetworks[1].outputs.subnetResourceId - } - dependsOn: [ - logAnalyticsWorkspace - privateDnsZones - spokeNetworks - ] -} - module spokeSubscriptionActivityLogging './modules/central-logging.bicep' = [for spoke in spokes: if (spoke.subscriptionId != hubSubscriptionId) { name: 'activity-logs-${spoke.name}-${deploymentNameSuffix}' scope: subscription(spoke.subscriptionId) 
@@ -1095,61 +1158,6 @@ module spokeDefender './modules/defender.bicep' = [for spoke in spokes: if ((dep } }] -// REMOTE ACCESS - -module remoteAccess './core/remote-access.bicep' = if (deployRemoteAccess) { - name: 'deploy-remote-access-${deploymentNameSuffix}' - scope: resourceGroup(hubSubscriptionId, hubResourceGroupName) - params: { - bastionHostIPConfigurationName: bastionHostIPConfigurationName - bastionHostName: bastionHostName - bastionHostPublicIPAddressAllocationMethod: bastionHostPublicIPAddressAllocationMethod - bastionHostPublicIPAddressAvailabilityZones: bastionHostPublicIPAddressAvailabilityZones - bastionHostPublicIPAddressName: bastionHostPublicIPAddressName - bastionHostPublicIPAddressSkuName: bastionHostPublicIPAddressSkuName - bastionHostSubnetResourceId: hubNetwork.outputs.bastionHostSubnetResourceId - hubNetworkSecurityGroupResourceId: hubNetwork.outputs.networkSecurityGroupResourceId - hubSubnetResourceId: hubNetwork.outputs.subnetResourceId - linuxNetworkInterfaceIpConfigurationName: linuxNetworkInterfaceIpConfigurationName - linuxNetworkInterfaceName: linuxNetworkInterfaceName - linuxNetworkInterfacePrivateIPAddressAllocationMethod: linuxNetworkInterfacePrivateIPAddressAllocationMethod - linuxVmAdminPasswordOrKey: linuxVmAdminPasswordOrKey - linuxVmAdminUsername: linuxVmAdminUsername - linuxVmAuthenticationType: linuxVmAuthenticationType - linuxVmImageOffer: linuxVmImageOffer - linuxVmImagePublisher: linuxVmImagePublisher - linuxVmImageSku: linuxVmImageSku - linuxVmImageVersion: linuxVmImageVersion - linuxVmName: linuxVmName - linuxVmOsDiskCreateOption: linuxVmOsDiskCreateOption - linuxVmOsDiskType: linuxVmOsDiskType - linuxVmSize: linuxVmSize - location: location - logAnalyticsWorkspaceId: logAnalyticsWorkspace.outputs.id - tags: tags - windowsNetworkInterfaceIpConfigurationName: windowsNetworkInterfaceIpConfigurationName - windowsNetworkInterfaceName: windowsNetworkInterfaceName - windowsNetworkInterfacePrivateIPAddressAllocationMethod: 
windowsNetworkInterfacePrivateIPAddressAllocationMethod - windowsVmAdminPassword: windowsVmAdminPassword - windowsVmAdminUsername: windowsVmAdminUsername - windowsVmCreateOption: windowsVmCreateOption - windowsVmName: windowsVmName - windowsVmOffer: windowsVmOffer - windowsVmPublisher: windowsVmPublisher - windowsVmSize: windowsVmSize - windowsVmSku: windowsVmSku - windowsVmStorageAccountType: windowsVmStorageAccountType - windowsVmVersion: windowsVmVersion - diskEncryptionSetResourceId: operationsCustomerManagedKeys.outputs.diskEncryptionSetResourceId - hybridUseBenefit: hybridUseBenefit - linuxDiskName: linuxDiskName - windowsDiskName: windowsDiskName - } - dependsOn: [ - azureMonitorPrivateLink - ] -} - /* OUTPUTS diff --git a/src/bicep/mlz.json b/src/bicep/mlz.json index f685f547d..594714dc7 100644 --- a/src/bicep/mlz.json +++ b/src/bicep/mlz.json @@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.24.24.22086", - "templateHash": "16320808462178016270" + "templateHash": "14049943017147962936" } }, "parameters": { 
@@ -5038,49 +5038,47 @@ ] }, { + "condition": "[contains(parameters('supportedClouds'), environment().name)]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", - "name": "[format('deploy-log-storage-hub-{0}', parameters('deploymentNameSuffix'))]", - "subscriptionId": "[parameters('hubSubscriptionId')]", - "resourceGroup": "[variables('hubResourceGroupName')]", + "name": "[format('deploy-azure-monitor-{0}', parameters('deploymentNameSuffix'))]", + "subscriptionId": "[parameters('operationsSubscriptionId')]", + "resourceGroup": "[variables('operationsResourceGroupName')]", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { - "blobsPrivateDnsZoneResourceId": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-private-dns-zones-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.blobPrivateDnsZoneId.value]" + "logAnalyticsWorkspaceName": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.name.value]" }, - "keyVaultUri": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-cmk-ops-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.keyVaultUri.value]" + "logAnalyticsWorkspaceResourceId": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', 
format('deploy-laws-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.id.value]" + }, + "monitorPrivateDnsZoneId": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-private-dns-zones-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.monitorPrivateDnsZoneId.value]" + }, + "omsPrivateDnsZoneId": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-private-dns-zones-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.omsPrivateDnsZoneId.value]" + }, + "odsPrivateDnsZoneId": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-private-dns-zones-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.odsPrivateDnsZoneId.value]" + }, + "agentsvcPrivateDnsZoneId": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-private-dns-zones-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.agentsvcPrivateDnsZoneId.value]" }, "location": { "value": "[parameters('location')]" }, - "logStorageAccountName": { - "value": "[variables('hubLogStorageAccountName')]" - }, - "logStorageSkuName": { - "value": "[parameters('logStorageSkuName')]" + "tags": { + "value": "[parameters('tags')]" }, "resourcePrefix": { "value": "[parameters('resourcePrefix')]" }, - "storageEncryptionKeyName": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', 
parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-cmk-ops-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.storageKeyName.value]" - }, "subnetResourceId": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.subnetResourceId.value]" - }, - "tablesPrivateDnsZoneResourceId": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-private-dns-zones-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.tablePrivateDnsZoneId.value]" - }, - "tags": { - "value": "[variables('calculatedTags')]" - }, - "userAssignedIdentityResourceId": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-cmk-ops-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.userAssignedIdentityResourceId.value]" + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', variables('spokes')[1].subscriptionId, variables('spokes')[1].resourceGroupName), 'Microsoft.Resources/deployments', format('deploy-vnet-{0}-{1}', variables('spokes')[1].name, parameters('deploymentNameSuffix'))), '2022-09-01').outputs.subnetResourceId.value]" } }, "template": { 
@@ -5090,375 +5088,431 @@ "_generator": { "name": "bicep", "version": "0.24.24.22086", - "templateHash": "3711120774165826362" + "templateHash": "8449324246862763859" } }, "parameters": { - "blobsPrivateDnsZoneResourceId": { + "agentsvcPrivateDnsZoneId": { "type": "string" }, - "keyVaultUri": { - "type": "string" + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]" }, - "logStorageAccountName": { + "logAnalyticsWorkspaceName": { "type": "string" }, - "logStorageSkuName": { + "logAnalyticsWorkspaceResourceId": { "type": "string" }, - "location": { + "monitorPrivateDnsZoneId": { "type": "string" }, - "resourcePrefix": { + "odsPrivateDnsZoneId": { "type": "string" }, - "storageEncryptionKeyName": { + "omsPrivateDnsZoneId": { "type": "string" }, - "subnetResourceId": { + "resourcePrefix": { "type": "string" }, - "tablesPrivateDnsZoneResourceId": { + "subnetResourceId": { "type": "string" }, "tags": { "type": "object" - }, - "userAssignedIdentityResourceId": { - "type": "string" } }, + "variables": { + "privateEndpointName": "[replace(parameters('logAnalyticsWorkspaceName'), parameters('resourcePrefix'), format('{0}-pe', parameters('resourcePrefix')))]", + "privateEndpointNetworkInterfaceName": "[replace(parameters('logAnalyticsWorkspaceName'), parameters('resourcePrefix'), format('{0}-nic', parameters('resourcePrefix')))]", + "privateLinkScopeName": "[replace(parameters('logAnalyticsWorkspaceName'), parameters('resourcePrefix'), format('{0}-pls', parameters('resourcePrefix')))]" + }, "resources": [ { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "storage", + "type": "microsoft.insights/privateLinkScopes", + "apiVersion": "2021-09-01", + "name": "[variables('privateLinkScopeName')]", + "location": "global", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "blobsPrivateDnsZoneResourceId": { - "value": 
"[parameters('blobsPrivateDnsZoneResourceId')]" - }, - "userAssignedIdentityResourceId": { - "value": "[parameters('userAssignedIdentityResourceId')]" - }, - "keyVaultUri": { - "value": "[parameters('keyVaultUri')]" - }, - "location": { - "value": "[parameters('location')]" - }, - "resourcePrefix": { - "value": "[parameters('resourcePrefix')]" - }, - "skuName": { - "value": "[parameters('logStorageSkuName')]" - }, - "storageAccountName": { - "value": "[parameters('logStorageAccountName')]" - }, - "storageEncryptionKeyName": { - "value": "[parameters('storageEncryptionKeyName')]" - }, - "subnetResourceId": { - "value": "[parameters('subnetResourceId')]" - }, - "tablesPrivateDnsZoneResourceId": { - "value": "[parameters('tablesPrivateDnsZoneResourceId')]" - }, - "tags": { - "value": "[parameters('tags')]" + "accessModeSettings": { + "ingestionAccessMode": "Private", + "queryAccessMode": "Private" + } + } + }, + { + "type": "Microsoft.Insights/privateLinkScopes/scopedResources", + "apiVersion": "2021-09-01", + "name": "[format('{0}/{1}', variables('privateLinkScopeName'), parameters('logAnalyticsWorkspaceName'))]", + "properties": { + "linkedResourceId": "[parameters('logAnalyticsWorkspaceResourceId')]" + }, + "dependsOn": [ + "[resourceId('microsoft.insights/privateLinkScopes', variables('privateLinkScopeName'))]" + ] + }, + { + "type": "Microsoft.Network/privateEndpoints", + "apiVersion": "2023-04-01", + "name": "[variables('privateEndpointName')]", + "location": "[parameters('location')]", + "tags": "[parameters('tags')]", + "properties": { + "customNetworkInterfaceName": "[variables('privateEndpointNetworkInterfaceName')]", + "privateLinkServiceConnections": [ + { + "name": "[variables('privateEndpointNetworkInterfaceName')]", + "properties": { + "privateLinkServiceId": "[resourceId('microsoft.insights/privateLinkScopes', variables('privateLinkScopeName'))]", + "groupIds": [ + "azuremonitor" + ] + } } - }, - "template": { - "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "234191582863282012" + ], + "subnet": { + "id": "[parameters('subnetResourceId')]" + } + }, + "dependsOn": [ + "[resourceId('microsoft.insights/privateLinkScopes', variables('privateLinkScopeName'))]", + "[resourceId('Microsoft.Insights/privateLinkScopes/scopedResources', variables('privateLinkScopeName'), parameters('logAnalyticsWorkspaceName'))]" + ] + }, + { + "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", + "apiVersion": "2023-04-01", + "name": "[format('{0}/{1}', variables('privateEndpointName'), variables('privateEndpointName'))]", + "properties": { + "privateDnsZoneConfigs": [ + { + "name": "monitor", + "properties": { + "privateDnsZoneId": "[parameters('monitorPrivateDnsZoneId')]" } }, - "parameters": { - "blobsPrivateDnsZoneResourceId": { - "type": "string" - }, - "keyVaultUri": { - "type": "string" - }, - "location": { - "type": "string" - }, - "resourcePrefix": { - "type": "string" - }, - "skuName": { - "type": "string" - }, - "storageAccountName": { - "type": "string" - }, - "storageEncryptionKeyName": { - "type": "string" - }, - "subnetResourceId": { - "type": "string" - }, - "tablesPrivateDnsZoneResourceId": { - "type": "string" - }, - "tags": { - "type": "object" - }, - "userAssignedIdentityResourceId": { - "type": "string" + { + "name": "oms", + "properties": { + "privateDnsZoneId": "[parameters('omsPrivateDnsZoneId')]" } }, - "variables": { - "zones": [ - "[parameters('blobsPrivateDnsZoneResourceId')]", - "[parameters('tablesPrivateDnsZoneResourceId')]" - ] + { + "name": "ods", + "properties": { + "privateDnsZoneId": "[parameters('odsPrivateDnsZoneId')]" + } }, - "resources": [ - { - "type": "Microsoft.Storage/storageAccounts", - "apiVersion": "2023-01-01", - "name": "[parameters('storageAccountName')]", - "location": 
"[parameters('location')]", - "identity": { - "type": "UserAssigned", - "userAssignedIdentities": { - "[format('{0}', parameters('userAssignedIdentityResourceId'))]": {} - } - }, - "kind": "StorageV2", - "sku": { - "name": "[parameters('skuName')]" - }, - "tags": "[parameters('tags')]", - "properties": { - "accessTier": "Hot", - "allowBlobPublicAccess": false, - "allowCrossTenantReplication": false, - "allowedCopyScope": "PrivateLink", - "allowSharedKeyAccess": true, - "defaultToOAuthAuthentication": false, - "dnsEndpointType": "Standard", - "encryption": { - "identity": { - "userAssignedIdentity": "[parameters('userAssignedIdentityResourceId')]" - }, - "keySource": "Microsoft.KeyVault", - "keyvaultproperties": { - "keyvaulturi": "[parameters('keyVaultUri')]", - "keyname": "[parameters('storageEncryptionKeyName')]" - }, - "requireInfrastructureEncryption": true, - "services": { - "blob": { - "keyType": "Account", - "enabled": true - }, - "file": { - "keyType": "Account", - "enabled": true - }, - "queue": { - "keyType": "Account", - "enabled": true - }, - "table": { - "keyType": "Account", - "enabled": true - } - } - }, - "minimumTlsVersion": "TLS1_2", - "networkAcls": { - "bypass": "AzureServices", - "virtualNetworkRules": [], - "ipRules": [], - "defaultAction": "Deny" - }, - "publicNetworkAccess": "Disabled", - "supportsHttpsTrafficOnly": true - } - }, - { - "copy": { - "name": "privateEndpoints", - "count": "[length(variables('zones'))]" - }, - "type": "Microsoft.Network/privateEndpoints", - "apiVersion": "2023-04-01", - "name": "[format('{0}-{1}', replace(parameters('storageAccountName'), parameters('resourcePrefix'), format('{0}-pe-', parameters('resourcePrefix'))), split(split(variables('zones')[copyIndex()], '/')[8], '.')[1])]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "customNetworkInterfaceName": "[format('{0}-{1}', replace(parameters('storageAccountName'), parameters('resourcePrefix'), 
format('{0}-nic-', parameters('resourcePrefix'))), split(split(variables('zones')[copyIndex()], '/')[8], '.')[1])]", - "privateLinkServiceConnections": [ - { - "name": "[format('{0}-{1}', replace(parameters('storageAccountName'), parameters('resourcePrefix'), format('{0}-nic-', parameters('resourcePrefix'))), split(split(variables('zones')[copyIndex()], '/')[8], '.')[1])]", - "properties": { - "privateLinkServiceId": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]", - "groupIds": [ - "[split(split(variables('zones')[copyIndex()], '/')[8], '.')[1]]" - ] - } - } - ], - "subnet": { - "id": "[parameters('subnetResourceId')]" - } - }, - "dependsOn": [ - "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]" - ] - }, - { - "copy": { - "name": "privateDnsZoneGroups", - "count": "[length(variables('zones'))]" - }, - "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", - "apiVersion": "2021-08-01", - "name": "[format('{0}/{1}', format('{0}-{1}', replace(parameters('storageAccountName'), parameters('resourcePrefix'), format('{0}-pe-', parameters('resourcePrefix'))), split(split(variables('zones')[copyIndex()], '/')[8], '.')[1]), parameters('storageAccountName'))]", - "properties": { - "privateDnsZoneConfigs": [ - { - "name": "ipconfig1", - "properties": { - "privateDnsZoneId": "[variables('zones')[copyIndex()]]" - } - } - ] - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', format('{0}-{1}', replace(parameters('storageAccountName'), parameters('resourcePrefix'), format('{0}-pe-', parameters('resourcePrefix'))), split(split(variables('zones')[copyIndex()], '/')[8], '.')[1]))]" - ] - } - ], - "outputs": { - "id": { - "type": "string", - "value": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]" + { + "name": "agentsvc", + "properties": { + "privateDnsZoneId": "[parameters('agentsvcPrivateDnsZoneId')]" } } - } - } - } - ], - "outputs": { 
- "storageAccountResourceId": { - "type": "string", - "value": "[reference(resourceId('Microsoft.Resources/deployments', 'storage'), '2022-09-01').outputs.id.value]" + ] + }, + "dependsOn": [ + "[resourceId('Microsoft.Network/privateEndpoints', variables('privateEndpointName'))]" + ] } - } + ] } }, "dependsOn": [ - "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix')))]", - "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-cmk-ops-{0}', parameters('deploymentNameSuffix')))]", - "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-private-dns-zones-{0}', parameters('deploymentNameSuffix')))]" + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix')))]", + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-private-dns-zones-{0}', parameters('deploymentNameSuffix')))]", + "spokeNetworks" ] }, { - "copy": { - "name": "spokeStorage", - "count": "[length(variables('spokes'))]" - }, + "condition": "[parameters('deployRemoteAccess')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", - "name": "[format('deploy-log-storage-{0}-{1}', variables('spokes')[copyIndex()].name, parameters('deploymentNameSuffix'))]", - "subscriptionId": 
"[variables('spokes')[copyIndex()].subscriptionId]", - "resourceGroup": "[variables('spokes')[copyIndex()].resourceGroupName]", + "name": "[format('deploy-remote-access-{0}', parameters('deploymentNameSuffix'))]", + "subscriptionId": "[parameters('hubSubscriptionId')]", + "resourceGroup": "[variables('hubResourceGroupName')]", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { - "blobsPrivateDnsZoneResourceId": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-private-dns-zones-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.blobPrivateDnsZoneId.value]" + "bastionHostIPConfigurationName": { + "value": "[variables('bastionHostIPConfigurationName')]" }, - "keyVaultUri": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-cmk-ops-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.keyVaultUri.value]" + "bastionHostName": { + "value": "[variables('bastionHostName')]" }, - "location": { - "value": "[parameters('location')]" + "bastionHostPublicIPAddressAllocationMethod": { + "value": "[variables('bastionHostPublicIPAddressAllocationMethod')]" }, - "logStorageAccountName": { - "value": "[variables('spokes')[copyIndex()].logStorageAccountName]" + "bastionHostPublicIPAddressAvailabilityZones": { + "value": "[parameters('bastionHostPublicIPAddressAvailabilityZones')]" }, - "logStorageSkuName": { - "value": "[parameters('logStorageSkuName')]" + "bastionHostPublicIPAddressName": { + "value": "[variables('bastionHostPublicIPAddressName')]" }, - "resourcePrefix": { - "value": "[parameters('resourcePrefix')]" + "bastionHostPublicIPAddressSkuName": { + "value": 
"[variables('bastionHostPublicIPAddressSkuName')]" }, - "storageEncryptionKeyName": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-cmk-ops-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.storageKeyName.value]" + "bastionHostSubnetResourceId": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.bastionHostSubnetResourceId.value]" }, - "subnetResourceId": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', variables('spokes')[copyIndex()].subscriptionId, variables('spokes')[copyIndex()].resourceGroupName), 'Microsoft.Resources/deployments', format('deploy-vnet-{0}-{1}', variables('spokes')[copyIndex()].name, parameters('deploymentNameSuffix'))), '2022-09-01').outputs.subnetResourceId.value]" + "hubNetworkSecurityGroupResourceId": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.networkSecurityGroupResourceId.value]" }, - "tablesPrivateDnsZoneResourceId": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-private-dns-zones-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.tablePrivateDnsZoneId.value]" + "hubSubnetResourceId": { + "value": 
"[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.subnetResourceId.value]" + }, + "linuxNetworkInterfaceIpConfigurationName": { + "value": "[variables('linuxNetworkInterfaceIpConfigurationName')]" + }, + "linuxNetworkInterfaceName": { + "value": "[variables('linuxNetworkInterfaceName')]" + }, + "linuxNetworkInterfacePrivateIPAddressAllocationMethod": { + "value": "[parameters('linuxNetworkInterfacePrivateIPAddressAllocationMethod')]" + }, + "linuxVmAdminPasswordOrKey": { + "value": "[parameters('linuxVmAdminPasswordOrKey')]" + }, + "linuxVmAdminUsername": { + "value": "[parameters('linuxVmAdminUsername')]" + }, + "linuxVmAuthenticationType": { + "value": "[parameters('linuxVmAuthenticationType')]" + }, + "linuxVmImageOffer": { + "value": "[parameters('linuxVmImageOffer')]" + }, + "linuxVmImagePublisher": { + "value": "[parameters('linuxVmImagePublisher')]" + }, + "linuxVmImageSku": { + "value": "[parameters('linuxVmImageSku')]" + }, + "linuxVmImageVersion": { + "value": "[parameters('linuxVmImageVersion')]" + }, + "linuxVmName": { + "value": "[variables('linuxVmName')]" + }, + "linuxVmOsDiskCreateOption": { + "value": "[parameters('linuxVmOsDiskCreateOption')]" + }, + "linuxVmOsDiskType": { + "value": "[parameters('linuxVmOsDiskType')]" + }, + "linuxVmSize": { + "value": "[parameters('linuxVmSize')]" + }, + "location": { + "value": "[parameters('location')]" + }, + "logAnalyticsWorkspaceId": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.id.value]" }, "tags": { "value": "[parameters('tags')]" }, - 
"userAssignedIdentityResourceId": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-cmk-ops-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.userAssignedIdentityResourceId.value]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "6037549614709568341" - } + "windowsNetworkInterfaceIpConfigurationName": { + "value": "[variables('windowsNetworkInterfaceIpConfigurationName')]" }, - "parameters": { - "blobsPrivateDnsZoneResourceId": { - "type": "string" - }, - "keyVaultUri": { - "type": "string" - }, - "location": { - "type": "string" - }, - "logStorageAccountName": { - "type": "string" - }, - "logStorageSkuName": { - "type": "string" - }, - "resourcePrefix": { - "type": "string" - }, - "storageEncryptionKeyName": { - "type": "string" - }, - "subnetResourceId": { + "windowsNetworkInterfaceName": { + "value": "[variables('windowsNetworkInterfaceName')]" + }, + "windowsNetworkInterfacePrivateIPAddressAllocationMethod": { + "value": "[parameters('windowsNetworkInterfacePrivateIPAddressAllocationMethod')]" + }, + "windowsVmAdminPassword": { + "value": "[parameters('windowsVmAdminPassword')]" + }, + "windowsVmAdminUsername": { + "value": "[parameters('windowsVmAdminUsername')]" + }, + "windowsVmCreateOption": { + "value": "[parameters('windowsVmCreateOption')]" + }, + "windowsVmName": { + "value": "[variables('windowsVmName')]" + }, + "windowsVmOffer": { + "value": "[parameters('windowsVmOffer')]" + }, + "windowsVmPublisher": { + "value": "[parameters('windowsVmPublisher')]" + }, + "windowsVmSize": { + "value": "[parameters('windowsVmSize')]" + }, + "windowsVmSku": { + "value": 
"[parameters('windowsVmSku')]" + }, + "windowsVmStorageAccountType": { + "value": "[parameters('windowsVmStorageAccountType')]" + }, + "windowsVmVersion": { + "value": "[parameters('windowsVmVersion')]" + }, + "diskEncryptionSetResourceId": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-cmk-ops-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.diskEncryptionSetResourceId.value]" + }, + "hybridUseBenefit": { + "value": "[parameters('hybridUseBenefit')]" + }, + "linuxDiskName": { + "value": "[variables('linuxDiskName')]" + }, + "windowsDiskName": { + "value": "[variables('windowsDiskName')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.24.24.22086", + "templateHash": "5778706831016165290" + } + }, + "parameters": { + "bastionHostIPConfigurationName": { "type": "string" }, - "tablesPrivateDnsZoneResourceId": { + "bastionHostName": { + "type": "string" + }, + "bastionHostPublicIPAddressAllocationMethod": { + "type": "string" + }, + "bastionHostPublicIPAddressAvailabilityZones": { + "type": "array" + }, + "bastionHostPublicIPAddressName": { + "type": "string" + }, + "bastionHostPublicIPAddressSkuName": { + "type": "string" + }, + "bastionHostSubnetResourceId": { + "type": "string" + }, + "diskEncryptionSetResourceId": { + "type": "string" + }, + "hubNetworkSecurityGroupResourceId": { + "type": "string" + }, + "hubSubnetResourceId": { + "type": "string" + }, + "hybridUseBenefit": { + "type": "bool" + }, + "linuxDiskName": { + "type": "string" + }, + "linuxNetworkInterfaceIpConfigurationName": { + "type": "string" + }, + "linuxNetworkInterfaceName": { + "type": "string" + }, + 
"linuxNetworkInterfacePrivateIPAddressAllocationMethod": { + "type": "string" + }, + "linuxVmAdminPasswordOrKey": { + "type": "securestring", + "minLength": 12 + }, + "linuxVmAdminUsername": { + "type": "string" + }, + "linuxVmAuthenticationType": { + "type": "string", + "allowedValues": [ + "sshPublicKey", + "password" + ] + }, + "linuxVmImageOffer": { + "type": "string" + }, + "linuxVmImagePublisher": { + "type": "string" + }, + "linuxVmImageSku": { + "type": "string" + }, + "linuxVmImageVersion": { + "type": "string" + }, + "linuxVmName": { + "type": "string" + }, + "linuxVmOsDiskCreateOption": { + "type": "string" + }, + "linuxVmOsDiskType": { + "type": "string" + }, + "linuxVmSize": { + "type": "string" + }, + "location": { + "type": "string" + }, + "logAnalyticsWorkspaceId": { "type": "string" }, "tags": { "type": "object" }, - "userAssignedIdentityResourceId": { + "windowsDiskName": { + "type": "string" + }, + "windowsNetworkInterfaceIpConfigurationName": { + "type": "string" + }, + "windowsNetworkInterfaceName": { + "type": "string" + }, + "windowsNetworkInterfacePrivateIPAddressAllocationMethod": { + "type": "string" + }, + "windowsVmAdminPassword": { + "type": "securestring", + "minLength": 12 + }, + "windowsVmAdminUsername": { + "type": "string" + }, + "windowsVmCreateOption": { + "type": "string" + }, + "windowsVmName": { + "type": "string" + }, + "windowsVmOffer": { + "type": "string" + }, + "windowsVmPublisher": { + "type": "string" + }, + "windowsVmSize": { + "type": "string" + }, + "windowsVmSku": { + "type": "string" + }, + "windowsVmStorageAccountType": { + "type": "string" + }, + "windowsVmVersion": { "type": "string" } }, 
@@ -5466,45 +5520,39 @@ { "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", - "name": "storage", + "name": "remoteAccess-bastionHost", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { - "blobsPrivateDnsZoneResourceId": { - "value": "[parameters('blobsPrivateDnsZoneResourceId')]" + "bastionHostSubnetResourceId": { + "value": "[parameters('bastionHostSubnetResourceId')]" }, - "keyVaultUri": { - "value": "[parameters('keyVaultUri')]" + "ipConfigurationName": { + "value": "[parameters('bastionHostIPConfigurationName')]" }, "location": { "value": "[parameters('location')]" }, - "resourcePrefix": { - "value": "[parameters('resourcePrefix')]" - }, - "skuName": { - "value": "[parameters('logStorageSkuName')]" + "name": { + "value": "[parameters('bastionHostName')]" }, - "storageAccountName": { - "value": "[parameters('logStorageAccountName')]" + "publicIPAddressAllocationMethod": { + "value": "[parameters('bastionHostPublicIPAddressAllocationMethod')]" }, - "storageEncryptionKeyName": { - "value": "[parameters('storageEncryptionKeyName')]" + "publicIPAddressAvailabilityZones": { + "value": "[parameters('bastionHostPublicIPAddressAvailabilityZones')]" }, - "subnetResourceId": { - "value": "[parameters('subnetResourceId')]" + "publicIPAddressName": { + "value": "[parameters('bastionHostPublicIPAddressName')]" }, - "tablesPrivateDnsZoneResourceId": { - "value": "[parameters('tablesPrivateDnsZoneResourceId')]" + "publicIPAddressSkuName": { + "value": "[parameters('bastionHostPublicIPAddressSkuName')]" }, "tags": { "value": "[parameters('tags')]" - }, - "userAssignedIdentityResourceId": { - "value": "[parameters('userAssignedIdentityResourceId')]" } }, "template": { 
@@ -5514,330 +5562,246 @@ "_generator": { "name": "bicep", "version": "0.24.24.22086", - "templateHash": "234191582863282012" + "templateHash": "11993026043185066546" } }, "parameters": { - "blobsPrivateDnsZoneResourceId": { + "bastionHostSubnetResourceId": { "type": "string" }, - "keyVaultUri": { + "ipConfigurationName": { "type": "string" }, "location": { "type": "string" }, - "resourcePrefix": { - "type": "string" - }, - "skuName": { + "name": { "type": "string" }, - "storageAccountName": { + "publicIPAddressAllocationMethod": { "type": "string" }, - "storageEncryptionKeyName": { - "type": "string" + "publicIPAddressAvailabilityZones": { + "type": "array" }, - "subnetResourceId": { + "publicIPAddressName": { "type": "string" }, - "tablesPrivateDnsZoneResourceId": { + "publicIPAddressSkuName": { "type": "string" }, "tags": { "type": "object" - }, - "userAssignedIdentityResourceId": { - "type": "string" } }, - "variables": { - "zones": [ - "[parameters('blobsPrivateDnsZoneResourceId')]", - "[parameters('tablesPrivateDnsZoneResourceId')]" - ] - }, "resources": [ { - "type": "Microsoft.Storage/storageAccounts", - "apiVersion": "2023-01-01", - "name": "[parameters('storageAccountName')]", + "type": "Microsoft.Network/publicIPAddresses", + "apiVersion": "2021-02-01", + "name": "[parameters('publicIPAddressName')]", "location": "[parameters('location')]", - "identity": { - "type": "UserAssigned", - "userAssignedIdentities": { - "[format('{0}', parameters('userAssignedIdentityResourceId'))]": {} - } - }, - "kind": "StorageV2", + "tags": "[parameters('tags')]", "sku": { - "name": "[parameters('skuName')]" + "name": "[parameters('publicIPAddressSkuName')]" }, - "tags": "[parameters('tags')]", "properties": { - "accessTier": "Hot", - "allowBlobPublicAccess": false, - "allowCrossTenantReplication": false, - "allowedCopyScope": "PrivateLink", - "allowSharedKeyAccess": true, - "defaultToOAuthAuthentication": false, - "dnsEndpointType": "Standard", - "encryption": { - 
"identity": { - "userAssignedIdentity": "[parameters('userAssignedIdentityResourceId')]" - }, - "keySource": "Microsoft.KeyVault", - "keyvaultproperties": { - "keyvaulturi": "[parameters('keyVaultUri')]", - "keyname": "[parameters('storageEncryptionKeyName')]" - }, - "requireInfrastructureEncryption": true, - "services": { - "blob": { - "keyType": "Account", - "enabled": true - }, - "file": { - "keyType": "Account", - "enabled": true - }, - "queue": { - "keyType": "Account", - "enabled": true - }, - "table": { - "keyType": "Account", - "enabled": true - } - } - }, - "minimumTlsVersion": "TLS1_2", - "networkAcls": { - "bypass": "AzureServices", - "virtualNetworkRules": [], - "ipRules": [], - "defaultAction": "Deny" - }, - "publicNetworkAccess": "Disabled", - "supportsHttpsTrafficOnly": true - } + "publicIPAllocationMethod": "[parameters('publicIPAddressAllocationMethod')]" + }, + "zones": "[parameters('publicIPAddressAvailabilityZones')]" }, { - "copy": { - "name": "privateEndpoints", - "count": "[length(variables('zones'))]" - }, - "type": "Microsoft.Network/privateEndpoints", - "apiVersion": "2023-04-01", - "name": "[format('{0}-{1}', replace(parameters('storageAccountName'), parameters('resourcePrefix'), format('{0}-pe-', parameters('resourcePrefix'))), split(split(variables('zones')[copyIndex()], '/')[8], '.')[1])]", + "type": "Microsoft.Network/bastionHosts", + "apiVersion": "2021-02-01", + "name": "[parameters('name')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", "properties": { - "customNetworkInterfaceName": "[format('{0}-{1}', replace(parameters('storageAccountName'), parameters('resourcePrefix'), format('{0}-nic-', parameters('resourcePrefix'))), split(split(variables('zones')[copyIndex()], '/')[8], '.')[1])]", - "privateLinkServiceConnections": [ + "ipConfigurations": [ { - "name": "[format('{0}-{1}', replace(parameters('storageAccountName'), parameters('resourcePrefix'), format('{0}-nic-', parameters('resourcePrefix'))), 
split(split(variables('zones')[copyIndex()], '/')[8], '.')[1])]", + "name": "[parameters('ipConfigurationName')]", "properties": { - "privateLinkServiceId": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]", - "groupIds": [ - "[split(split(variables('zones')[copyIndex()], '/')[8], '.')[1]]" - ] + "subnet": { + "id": "[parameters('bastionHostSubnetResourceId')]" + }, + "publicIPAddress": { + "id": "[resourceId('Microsoft.Network/publicIPAddresses', parameters('publicIPAddressName'))]" + } } } - ], - "subnet": { - "id": "[parameters('subnetResourceId')]" - } + ] }, "dependsOn": [ - "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]" + "[resourceId('Microsoft.Network/publicIPAddresses', parameters('publicIPAddressName'))]" ] + } + ] + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "remoteAccess-linuxNetworkInterface", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "ipConfigurationName": { + "value": "[parameters('linuxNetworkInterfaceIpConfigurationName')]" + }, + "location": { + "value": "[parameters('location')]" + }, + "name": { + "value": "[parameters('linuxNetworkInterfaceName')]" + }, + "networkSecurityGroupId": { + "value": "[parameters('hubNetworkSecurityGroupResourceId')]" + }, + "privateIPAddressAllocationMethod": { + "value": "[parameters('linuxNetworkInterfacePrivateIPAddressAllocationMethod')]" + }, + "subnetId": { + "value": "[parameters('hubSubnetResourceId')]" + }, + "tags": { + "value": "[parameters('tags')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.24.24.22086", + "templateHash": "16624262267285514706" + } + }, + "parameters": { + "name": { + "type": "string" + }, + "location": { 
+ "type": "string" + }, + "tags": { + "type": "object", + "defaultValue": {} + }, + "ipConfigurationName": { + "type": "string" + }, + "subnetId": { + "type": "string" + }, + "networkSecurityGroupId": { + "type": "string" }, + "privateIPAddressAllocationMethod": { + "type": "string" + } + }, + "resources": [ { - "copy": { - "name": "privateDnsZoneGroups", - "count": "[length(variables('zones'))]" - }, - "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", - "apiVersion": "2021-08-01", - "name": "[format('{0}/{1}', format('{0}-{1}', replace(parameters('storageAccountName'), parameters('resourcePrefix'), format('{0}-pe-', parameters('resourcePrefix'))), split(split(variables('zones')[copyIndex()], '/')[8], '.')[1]), parameters('storageAccountName'))]", + "type": "Microsoft.Network/networkInterfaces", + "apiVersion": "2021-02-01", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "tags": "[parameters('tags')]", "properties": { - "privateDnsZoneConfigs": [ + "ipConfigurations": [ { - "name": "ipconfig1", + "name": "[parameters('ipConfigurationName')]", "properties": { - "privateDnsZoneId": "[variables('zones')[copyIndex()]]" + "subnet": { + "id": "[parameters('subnetId')]" + }, + "privateIPAllocationMethod": "[parameters('privateIPAddressAllocationMethod')]" } } - ] - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', format('{0}-{1}', replace(parameters('storageAccountName'), parameters('resourcePrefix'), format('{0}-pe-', parameters('resourcePrefix'))), split(split(variables('zones')[copyIndex()], '/')[8], '.')[1]))]" - ] + ], + "networkSecurityGroup": { + "id": "[parameters('networkSecurityGroupId')]" + } + } } ], "outputs": { "id": { "type": "string", - "value": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]" + "value": "[resourceId('Microsoft.Network/networkInterfaces', parameters('name'))]" + }, + "name": { + "type": "string", + "value": "[parameters('name')]" } 
} } } - } - ], - "outputs": { - "ResourceId": { - "type": "string", - "value": "[reference(resourceId('Microsoft.Resources/deployments', 'storage'), '2022-09-01').outputs.id.value]" - } - } - } - }, - "dependsOn": [ - "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-cmk-ops-{0}', parameters('deploymentNameSuffix')))]", - "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-private-dns-zones-{0}', parameters('deploymentNameSuffix')))]", - "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', variables('spokes')[copyIndex()].subscriptionId, variables('spokes')[copyIndex()].resourceGroupName), 'Microsoft.Resources/deployments', format('deploy-vnet-{0}-{1}', variables('spokes')[copyIndex()].name, parameters('deploymentNameSuffix')))]" - ] - }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('deploy-diagnostic-logging-hub-{0}', parameters('deploymentNameSuffix'))]", - "subscriptionId": "[parameters('hubSubscriptionId')]", - "resourceGroup": "[variables('hubResourceGroupName')]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "firewallDiagnosticsLogs": { - "value": "[parameters('firewallDiagnosticsLogs')]" - }, - "firewallDiagnosticsMetrics": { - "value": "[parameters('firewallDiagnosticsMetrics')]" - }, - "firewallName": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.firewallName.value]" - }, - 
"hubStorageAccountResourceId": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-log-storage-hub-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.storageAccountResourceId.value]" - }, - "logAnalyticsWorkspaceResourceId": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.id.value]" - }, - "networkSecurityGroupDiagnosticsLogs": { - "value": "[parameters('hubNetworkSecurityGroupDiagnosticsLogs')]" - }, - "networkSecurityGroupDiagnosticsMetrics": { - "value": "[parameters('hubNetworkSecurityGroupDiagnosticsMetrics')]" - }, - "networkSecurityGroupName": { - "value": "[variables('hubNetworkSecurityGroupName')]" - }, - "publicIPAddressDiagnosticsLogs": { - "value": "[parameters('publicIPAddressDiagnosticsLogs')]" - }, - "publicIPAddressDiagnosticsMetrics": { - "value": "[parameters('publicIPAddressDiagnosticsMetrics')]" - }, - "publicIPAddressNames": { - "value": [ - "[variables('firewallClientPublicIPAddressName')]", - "[variables('firewallManagementPublicIPAddressName')]" - ] - }, - "virtualNetworkDiagnosticsLogs": { - "value": "[parameters('hubVirtualNetworkDiagnosticsLogs')]" - }, - "virtualNetworkDiagnosticsMetrics": { - "value": "[parameters('hubVirtualNetworkDiagnosticsMetrics')]" - }, - "virtualNetworkName": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.virtualNetworkName.value]" - } - }, - "template": { - 
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "5804157384629948286" - } - }, - "parameters": { - "firewallDiagnosticsLogs": { - "type": "array" - }, - "firewallDiagnosticsMetrics": { - "type": "array" - }, - "firewallName": { - "type": "string" - }, - "hubStorageAccountResourceId": { - "type": "string" - }, - "logAnalyticsWorkspaceResourceId": { - "type": "string" - }, - "networkSecurityGroupDiagnosticsLogs": { - "type": "array" - }, - "networkSecurityGroupDiagnosticsMetrics": { - "type": "array" - }, - "networkSecurityGroupName": { - "type": "string" - }, - "publicIPAddressDiagnosticsLogs": { - "type": "array" - }, - "publicIPAddressDiagnosticsMetrics": { - "type": "array" - }, - "publicIPAddressNames": { - "type": "array" - }, - "virtualNetworkDiagnosticsLogs": { - "type": "array" }, - "virtualNetworkDiagnosticsMetrics": { - "type": "array" - }, - "virtualNetworkName": { - "type": "string" - } - }, - "resources": [ { "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", - "name": "networkSecurityGroupDiagnostics", + "name": "remoteAccess-linuxVirtualMachine", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { - "logAnalyticsWorkspaceResourceId": { - "value": "[parameters('logAnalyticsWorkspaceResourceId')]" + "adminPasswordOrKey": { + "value": "[parameters('linuxVmAdminPasswordOrKey')]" }, - "logs": { - "value": "[parameters('networkSecurityGroupDiagnosticsLogs')]" + "adminUsername": { + "value": "[parameters('linuxVmAdminUsername')]" }, - "logStorageAccountResourceId": { - "value": "[parameters('hubStorageAccountResourceId')]" + "authenticationType": { + "value": "[parameters('linuxVmAuthenticationType')]" }, - "metrics": { - "value": "[parameters('networkSecurityGroupDiagnosticsMetrics')]" + 
"diskEncryptionSetResourceId": { + "value": "[parameters('diskEncryptionSetResourceId')]" + }, + "diskName": { + "value": "[parameters('linuxDiskName')]" + }, + "location": { + "value": "[parameters('location')]" + }, + "logAnalyticsWorkspaceId": { + "value": "[parameters('logAnalyticsWorkspaceId')]" }, "name": { - "value": "[parameters('networkSecurityGroupName')]" + "value": "[parameters('linuxVmName')]" + }, + "networkInterfaceName": { + "value": "[reference(resourceId('Microsoft.Resources/deployments', 'remoteAccess-linuxNetworkInterface'), '2022-09-01').outputs.name.value]" + }, + "osDiskCreateOption": { + "value": "[parameters('linuxVmOsDiskCreateOption')]" + }, + "osDiskType": { + "value": "[parameters('linuxVmOsDiskType')]" + }, + "tags": { + "value": "[parameters('tags')]" + }, + "vmImageOffer": { + "value": "[parameters('linuxVmImageOffer')]" + }, + "vmImagePublisher": { + "value": "[parameters('linuxVmImagePublisher')]" + }, + "vmImageSku": { + "value": "[parameters('linuxVmImageSku')]" + }, + "vmImageVersion": { + "value": "[parameters('linuxVmImageVersion')]" + }, + "vmSize": { + "value": "[parameters('linuxVmSize')]" } }, "template": { 
@@ -5847,141 +5811,289 @@ "_generator": { "name": "bicep", "version": "0.24.24.22086", - "templateHash": "7786315125053139576" + "templateHash": "13448922027561695966" } }, "parameters": { + "adminPasswordOrKey": { + "type": "securestring", + "minLength": 12 + }, + "adminUsername": { + "type": "string" + }, + "authenticationType": { + "type": "string", + "allowedValues": [ + "sshPublicKey", + "password" + ] + }, + "diskEncryptionSetResourceId": { + "type": "string" + }, + "diskName": { + "type": "string" + }, + "location": { + "type": "string" + }, "name": { "type": "string" }, - "logAnalyticsWorkspaceResourceId": { + "networkInterfaceName": { "type": "string" }, - "logs": { - "type": "array" + "osDiskCreateOption": { + "type": "string" }, - "logStorageAccountResourceId": { + "osDiskType": { "type": "string" }, - "metrics": { - "type": "array" - } - }, - "resources": [ - { - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2017-05-01-preview", - "scope": "[format('Microsoft.Network/networkSecurityGroups/{0}', parameters('name'))]", - "name": "[format('{0}-diagnostics', parameters('name'))]", - "properties": { - "storageAccountId": "[parameters('logStorageAccountResourceId')]", - "workspaceId": "[parameters('logAnalyticsWorkspaceResourceId')]", - "logs": "[parameters('logs')]", - "metrics": "[parameters('metrics')]" - } - } - ] - } - } - }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "virtualNetworkDiagnostics", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "logAnalyticsWorkspaceResourceId": { - "value": "[parameters('logAnalyticsWorkspaceResourceId')]" - }, - "logs": { - "value": "[parameters('virtualNetworkDiagnosticsLogs')]" - }, - "logStorageAccountResourceId": { - "value": "[parameters('hubStorageAccountResourceId')]" - }, - "metrics": { - "value": "[parameters('virtualNetworkDiagnosticsMetrics')]" - }, - "name": { - "value": 
"[parameters('virtualNetworkName')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "15623637455522175927" - } - }, - "parameters": { - "logAnalyticsWorkspaceResourceId": { + "tags": { + "type": "object" + }, + "vmImageOffer": { "type": "string" }, - "logs": { - "type": "array" + "vmImagePublisher": { + "type": "string" }, - "logStorageAccountResourceId": { + "vmImageSku": { "type": "string" }, - "metrics": { - "type": "array" + "vmImageVersion": { + "type": "string" }, - "name": { + "vmSize": { "type": "string" + }, + "logAnalyticsWorkspaceId": { + "type": "string" + } + }, + "variables": { + "linuxConfiguration": { + "disablePasswordAuthentication": true, + "ssh": { + "publicKeys": [ + { + "path": "[format('/home/{0}/.ssh/authorized_keys', parameters('adminUsername'))]", + "keyData": "[parameters('adminPasswordOrKey')]" + } + ] + } } }, "resources": [ { - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2017-05-01-preview", - "scope": "[format('Microsoft.Network/virtualNetworks/{0}', parameters('name'))]", - "name": "[format('{0}-diagnostics', parameters('name'))]", + "type": "Microsoft.Compute/virtualMachines", + "apiVersion": "2021-04-01", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "tags": "[parameters('tags')]", "properties": { - "storageAccountId": "[parameters('logStorageAccountResourceId')]", - "workspaceId": "[parameters('logAnalyticsWorkspaceResourceId')]", - "logs": "[parameters('logs')]", - "metrics": "[parameters('metrics')]" + "diagnosticsProfile": { + "bootDiagnostics": { + "enabled": false + } + }, + "hardwareProfile": { + "vmSize": "[parameters('vmSize')]" + }, + "networkProfile": { + "networkInterfaces": [ + { + "id": "[resourceId('Microsoft.Network/networkInterfaces', 
parameters('networkInterfaceName'))]", + "properties": { + "deleteOption": "Delete" + } + } + ] + }, + "osProfile": { + "computerName": "[parameters('name')]", + "adminUsername": "[parameters('adminUsername')]", + "adminPassword": "[parameters('adminPasswordOrKey')]", + "linuxConfiguration": "[if(equals(parameters('authenticationType'), 'password'), null(), variables('linuxConfiguration'))]" + }, + "securityProfile": { + "uefiSettings": { + "secureBootEnabled": true, + "vTpmEnabled": true + }, + "securityType": "trustedLaunch", + "encryptionAtHost": true + }, + "storageProfile": { + "osDisk": { + "caching": "ReadWrite", + "createOption": "[parameters('osDiskCreateOption')]", + "deleteOption": "Delete", + "managedDisk": { + "diskEncryptionSet": { + "id": "[parameters('diskEncryptionSetResourceId')]" + }, + "storageAccountType": "[parameters('osDiskType')]" + }, + "name": "[parameters('diskName')]", + "osType": "Linux" + }, + "imageReference": { + "publisher": "[parameters('vmImagePublisher')]", + "offer": "[parameters('vmImageOffer')]", + "sku": "[parameters('vmImageSku')]", + "version": "[parameters('vmImageVersion')]" + } + }, + "licenseType": null } + }, + { + "type": "Microsoft.Compute/virtualMachines/extensions", + "apiVersion": "2021-03-01", + "name": "[format('{0}/{1}', parameters('name'), 'GuestAttestation')]", + "location": "[parameters('location')]", + "properties": { + "publisher": "Microsoft.Azure.Security.LinuxAttestation", + "type": "GuestAttestation", + "typeHandlerVersion": "1.0", + "autoUpgradeMinorVersion": true, + "settings": { + "AttestationConfig": { + "MaaSettings": { + "maaEndpoint": "", + "maaTenantName": "GuestAttestation" + }, + "AscSettings": { + "ascReportingEndpoint": "", + "ascReportingFrequency": "" + }, + "useCustomToken": "false", + "disableAlerts": "false" + } + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Compute/virtualMachines', parameters('name'))]" + ] + }, + { + "type": "Microsoft.Compute/virtualMachines/extensions", + 
"apiVersion": "2021-04-01", + "name": "[format('{0}/{1}', parameters('name'), 'AzurePolicyforLinux')]", + "location": "[parameters('location')]", + "properties": { + "publisher": "Microsoft.GuestConfiguration", + "type": "ConfigurationforLinux", + "typeHandlerVersion": "1.0", + "autoUpgradeMinorVersion": true, + "enableAutomaticUpgrade": true + }, + "dependsOn": [ + "[resourceId('Microsoft.Compute/virtualMachines', parameters('name'))]" + ] + }, + { + "type": "Microsoft.Compute/virtualMachines/extensions", + "apiVersion": "2021-04-01", + "name": "[format('{0}/{1}', parameters('name'), 'Microsoft.Azure.NetworkWatcher')]", + "location": "[parameters('location')]", + "properties": { + "publisher": "Microsoft.Azure.NetworkWatcher", + "type": "NetworkWatcherAgentLinux", + "typeHandlerVersion": "1.4" + }, + "dependsOn": [ + "[resourceId('Microsoft.Compute/virtualMachines/extensions', parameters('name'), 'AzurePolicyforLinux')]", + "[resourceId('Microsoft.Compute/virtualMachines', parameters('name'))]" + ] + }, + { + "type": "Microsoft.Compute/virtualMachines/extensions", + "apiVersion": "2020-06-01", + "name": "[format('{0}/{1}', parameters('name'), 'OMSExtension')]", + "location": "[parameters('location')]", + "properties": { + "publisher": "Microsoft.EnterpriseCloud.Monitoring", + "type": "OmsAgentForLinux", + "typeHandlerVersion": "1.13", + "settings": { + "workspaceId": "[reference(parameters('logAnalyticsWorkspaceId'), '2015-11-01-preview').customerId]", + "stopOnMultipleConnections": true + }, + "protectedSettings": { + "workspaceKey": "[listKeys(parameters('logAnalyticsWorkspaceId'), '2015-11-01-preview').primarySharedKey]" + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Compute/virtualMachines/extensions', parameters('name'), 'Microsoft.Azure.NetworkWatcher')]", + "[resourceId('Microsoft.Compute/virtualMachines', parameters('name'))]" + ] + }, + { + "type": "Microsoft.Compute/virtualMachines/extensions", + "apiVersion": "2021-04-01", + "name": 
"[format('{0}/{1}', parameters('name'), 'DependencyAgentLinux')]", + "location": "[parameters('location')]", + "properties": { + "publisher": "Microsoft.Azure.Monitoring.DependencyAgent", + "type": "DependencyAgentLinux", + "typeHandlerVersion": "9.5", + "autoUpgradeMinorVersion": true + }, + "dependsOn": [ + "[resourceId('Microsoft.Compute/virtualMachines/extensions', parameters('name'), 'OMSExtension')]", + "[resourceId('Microsoft.Compute/virtualMachines', parameters('name'))]" + ] } - ] + ], + "outputs": { + "adminUsername": { + "type": "string", + "value": "[parameters('adminUsername')]" + }, + "authenticationType": { + "type": "string", + "value": "[parameters('authenticationType')]" + } + } } - } + }, + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', 'remoteAccess-linuxNetworkInterface')]" + ] }, { - "copy": { - "name": "publicIpAddressDiagnostics", - "count": "[length(parameters('publicIPAddressNames'))]" - }, "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", - "name": "[format('publicIPAddressDiagnostics_{0}', parameters('publicIPAddressNames')[copyIndex()])]", + "name": "remoteAccess-windowsNetworkInterface", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { - "hubStorageAccountResourceId": { - "value": "[parameters('hubStorageAccountResourceId')]" + "ipConfigurationName": { + "value": "[parameters('windowsNetworkInterfaceIpConfigurationName')]" }, - "logAnalyticsWorkspaceResourceId": { - "value": "[parameters('logAnalyticsWorkspaceResourceId')]" + "location": { + "value": "[parameters('location')]" }, "name": { - "value": "[parameters('publicIPAddressNames')[copyIndex()]]" + "value": "[parameters('windowsNetworkInterfaceName')]" }, - "publicIPAddressDiagnosticsLogs": { - "value": "[parameters('publicIPAddressDiagnosticsLogs')]" + "networkSecurityGroupId": { + "value": "[parameters('hubNetworkSecurityGroupResourceId')]" }, - "publicIPAddressDiagnosticsMetrics": 
{ - "value": "[parameters('publicIPAddressDiagnosticsMetrics')]" + "privateIPAddressAllocationMethod": { + "value": "[parameters('windowsNetworkInterfacePrivateIPAddressAllocationMethod')]" + }, + "subnetId": { + "value": "[parameters('hubSubnetResourceId')]" + }, + "tags": { + "value": "[parameters('tags')]" } }, "template": { 
@@ -5991,230 +6103,131 @@ "_generator": { "name": "bicep", "version": "0.24.24.22086", - "templateHash": "8851210835492653728" + "templateHash": "16624262267285514706" } }, "parameters": { - "hubStorageAccountResourceId": { + "name": { "type": "string" }, - "logAnalyticsWorkspaceResourceId": { + "location": { "type": "string" }, - "name": { + "tags": { + "type": "object", + "defaultValue": {} + }, + "ipConfigurationName": { "type": "string" }, - "publicIPAddressDiagnosticsLogs": { - "type": "array" + "subnetId": { + "type": "string" }, - "publicIPAddressDiagnosticsMetrics": { - "type": "array" + "networkSecurityGroupId": { + "type": "string" + }, + "privateIPAddressAllocationMethod": { + "type": "string" } }, "resources": [ { - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2017-05-01-preview", - "scope": "[format('Microsoft.Network/publicIPAddresses/{0}', parameters('name'))]", - "name": "[format('{0}-diagnostics', parameters('name'))]", + "type": "Microsoft.Network/networkInterfaces", + "apiVersion": "2021-02-01", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "tags": "[parameters('tags')]", "properties": { - "storageAccountId": "[parameters('hubStorageAccountResourceId')]", - "workspaceId": "[parameters('logAnalyticsWorkspaceResourceId')]", - "logs": "[parameters('publicIPAddressDiagnosticsLogs')]", - "metrics": "[parameters('publicIPAddressDiagnosticsMetrics')]" - } - } - ] - } - } - }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "firewallDiagnostics", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "logAnalyticsWorkspaceResourceId": { - "value": "[parameters('logAnalyticsWorkspaceResourceId')]" - }, - "logs": { - "value": "[parameters('firewallDiagnosticsLogs')]" - }, - "logStorageAccountResourceId": { - "value": "[parameters('hubStorageAccountResourceId')]" - }, - "metrics": { - "value": 
"[parameters('firewallDiagnosticsMetrics')]" - }, - "name": { - "value": "[parameters('firewallName')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "9632306168160596389" - } - }, - "parameters": { - "logAnalyticsWorkspaceResourceId": { - "type": "string" - }, - "logs": { - "type": "array" - }, - "logStorageAccountResourceId": { - "type": "string" - }, - "metrics": { - "type": "array" - }, - "name": { - "type": "string" - } - }, - "resources": [ - { - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2017-05-01-preview", - "scope": "[format('Microsoft.Network/azureFirewalls/{0}', parameters('name'))]", - "name": "[format('{0}-diagnostics', parameters('name'))]", - "properties": { - "storageAccountId": "[parameters('logStorageAccountResourceId')]", - "workspaceId": "[parameters('logAnalyticsWorkspaceResourceId')]", - "logs": "[parameters('logs')]", - "metrics": "[parameters('metrics')]" + "ipConfigurations": [ + { + "name": "[parameters('ipConfigurationName')]", + "properties": { + "subnet": { + "id": "[parameters('subnetId')]" + }, + "privateIPAllocationMethod": "[parameters('privateIPAddressAllocationMethod')]" + } + } + ], + "networkSecurityGroup": { + "id": "[parameters('networkSecurityGroupId')]" + } } } ], "outputs": { - "privateIPAddress": { + "id": { "type": "string", - "value": "[reference(resourceId('Microsoft.Network/azureFirewalls', parameters('name')), '2021-02-01').ipConfigurations[0].properties.privateIPAddress]" + "value": "[resourceId('Microsoft.Network/networkInterfaces', parameters('name'))]" + }, + "name": { + "type": "string", + "value": "[parameters('name')]" } } } } - } - ] - } - }, - "dependsOn": [ - "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), 
variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix')))]", - "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-log-storage-hub-{0}', parameters('deploymentNameSuffix')))]", - "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix')))]" - ] - }, - { - "copy": { - "name": "spokeDiagnostics", - "count": "[length(variables('spokes'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('deploy-diagnostic-logging-{0}-{1}', variables('spokes')[copyIndex()].name, parameters('deploymentNameSuffix'))]", - "subscriptionId": "[variables('spokes')[copyIndex()].subscriptionId]", - "resourceGroup": "[variables('spokes')[copyIndex()].resourceGroupName]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "hubStorageAccountResourceId": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', variables('spokes')[copyIndex()].subscriptionId, variables('spokes')[copyIndex()].resourceGroupName), 'Microsoft.Resources/deployments', format('deploy-log-storage-{0}-{1}', variables('spokes')[copyIndex()].name, parameters('deploymentNameSuffix'))), '2022-09-01').outputs.ResourceId.value]" - }, - "logAnalyticsWorkspaceResourceId": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.id.value]" - 
}, - "networkSecurityGroupDiagnosticsLogs": { - "value": "[variables('spokes')[copyIndex()].NetworkSecurityGroupDiagnosticsLogs]" - }, - "networkSecurityGroupDiagnosticsMetrics": { - "value": "[variables('spokes')[copyIndex()].NetworkSecurityGroupDiagnosticsMetrics]" - }, - "networkSecurityGroupName": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', variables('spokes')[copyIndex()].subscriptionId, variables('spokes')[copyIndex()].resourceGroupName), 'Microsoft.Resources/deployments', format('deploy-vnet-{0}-{1}', variables('spokes')[copyIndex()].name, parameters('deploymentNameSuffix'))), '2022-09-01').outputs.networkSecurityGroupName.value]" - }, - "virtualNetworkDiagnosticsLogs": { - "value": "[variables('spokes')[copyIndex()].VirtualNetworkDiagnosticsLogs]" - }, - "virtualNetworkDiagnosticsMetrics": { - "value": "[variables('spokes')[copyIndex()].VirtualNetworkDiagnosticsMetrics]" - }, - "virtualNetworkName": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', variables('spokes')[copyIndex()].subscriptionId, variables('spokes')[copyIndex()].resourceGroupName), 'Microsoft.Resources/deployments', format('deploy-vnet-{0}-{1}', variables('spokes')[copyIndex()].name, parameters('deploymentNameSuffix'))), '2022-09-01').outputs.virtualNetworkName.value]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "1181334419264940080" - } - }, - "parameters": { - "hubStorageAccountResourceId": { - "type": "string" - }, - "logAnalyticsWorkspaceResourceId": { - "type": "string" - }, - "networkSecurityGroupDiagnosticsLogs": { - "type": "array" - }, - "networkSecurityGroupDiagnosticsMetrics": { - "type": "array" - }, - "networkSecurityGroupName": { - "type": "string" }, - 
"virtualNetworkDiagnosticsLogs": { - "type": "array" - }, - "virtualNetworkDiagnosticsMetrics": { - "type": "array" - }, - "virtualNetworkName": { - "type": "string" - } - }, - "resources": [ { "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", - "name": "networkSecurityGroupDiagnostics", + "name": "remoteAccess-windowsVirtualMachine", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { - "logAnalyticsWorkspaceResourceId": { - "value": "[parameters('logAnalyticsWorkspaceResourceId')]" + "adminPassword": { + "value": "[parameters('windowsVmAdminPassword')]" }, - "logs": { - "value": "[parameters('networkSecurityGroupDiagnosticsLogs')]" + "adminUsername": { + "value": "[parameters('windowsVmAdminUsername')]" }, - "logStorageAccountResourceId": { - "value": "[parameters('hubStorageAccountResourceId')]" + "createOption": { + "value": "[parameters('windowsVmCreateOption')]" }, - "metrics": { - "value": "[parameters('networkSecurityGroupDiagnosticsMetrics')]" + "diskEncryptionSetResourceId": { + "value": "[parameters('diskEncryptionSetResourceId')]" + }, + "diskName": { + "value": "[parameters('windowsDiskName')]" + }, + "hybridUseBenefit": { + "value": "[parameters('hybridUseBenefit')]" + }, + "location": { + "value": "[parameters('location')]" + }, + "logAnalyticsWorkspaceId": { + "value": "[parameters('logAnalyticsWorkspaceId')]" }, "name": { - "value": "[parameters('networkSecurityGroupName')]" + "value": "[parameters('windowsVmName')]" + }, + "networkInterfaceName": { + "value": "[reference(resourceId('Microsoft.Resources/deployments', 'remoteAccess-windowsNetworkInterface'), '2022-09-01').outputs.name.value]" + }, + "offer": { + "value": "[parameters('windowsVmOffer')]" + }, + "publisher": { + "value": "[parameters('windowsVmPublisher')]" + }, + "size": { + "value": "[parameters('windowsVmSize')]" + }, + "sku": { + "value": "[parameters('windowsVmSku')]" + }, + "storageAccountType": { + 
"value": "[parameters('windowsVmStorageAccountType')]" + }, + "tags": { + "value": "[parameters('tags')]" + }, + "version": { + "value": "[parameters('windowsVmVersion')]" } }, "template": { 
@@ -6224,261 +6237,291 @@ "_generator": { "name": "bicep", "version": "0.24.24.22086", - "templateHash": "7786315125053139576" + "templateHash": "5793129099305307535" } }, "parameters": { - "name": { + "adminPassword": { + "type": "securestring", + "minLength": 12 + }, + "adminUsername": { "type": "string" }, - "logAnalyticsWorkspaceResourceId": { + "createOption": { "type": "string" }, - "logs": { - "type": "array" + "dataDisks": { + "type": "array", + "defaultValue": [] }, - "logStorageAccountResourceId": { + "diskEncryptionSetResourceId": { "type": "string" }, - "metrics": { - "type": "array" - } - }, - "resources": [ - { - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2017-05-01-preview", - "scope": "[format('Microsoft.Network/networkSecurityGroups/{0}', parameters('name'))]", - "name": "[format('{0}-diagnostics', parameters('name'))]", - "properties": { - "storageAccountId": "[parameters('logStorageAccountResourceId')]", - "workspaceId": "[parameters('logAnalyticsWorkspaceResourceId')]", - "logs": "[parameters('logs')]", - "metrics": "[parameters('metrics')]" - } - } - ] - } - } - }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "virtualNetworkDiagnostics", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "logAnalyticsWorkspaceResourceId": { - "value": "[parameters('logAnalyticsWorkspaceResourceId')]" - }, - "logs": { - "value": "[parameters('virtualNetworkDiagnosticsLogs')]" - }, - "logStorageAccountResourceId": { - "value": "[parameters('hubStorageAccountResourceId')]" - }, - "metrics": { - "value": "[parameters('virtualNetworkDiagnosticsMetrics')]" - }, - "name": { - "value": "[parameters('virtualNetworkName')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - 
"version": "0.24.24.22086", - "templateHash": "15623637455522175927" - } - }, - "parameters": { - "logAnalyticsWorkspaceResourceId": { + "diskName": { "type": "string" }, - "logs": { - "type": "array" + "hybridUseBenefit": { + "type": "bool" }, - "logStorageAccountResourceId": { + "location": { "type": "string" }, - "metrics": { - "type": "array" + "logAnalyticsWorkspaceId": { + "type": "string" }, "name": { "type": "string" + }, + "networkInterfaceName": { + "type": "string" + }, + "offer": { + "type": "string" + }, + "publisher": { + "type": "string" + }, + "size": { + "type": "string" + }, + "sku": { + "type": "string" + }, + "storageAccountType": { + "type": "string" + }, + "tags": { + "type": "object", + "defaultValue": {} + }, + "version": { + "type": "string" } }, "resources": [ { - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2017-05-01-preview", - "scope": "[format('Microsoft.Network/virtualNetworks/{0}', parameters('name'))]", - "name": "[format('{0}-diagnostics', parameters('name'))]", + "type": "Microsoft.Compute/virtualMachines", + "apiVersion": "2021-04-01", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "tags": "[parameters('tags')]", + "identity": { + "type": "SystemAssigned" + }, "properties": { - "storageAccountId": "[parameters('logStorageAccountResourceId')]", - "workspaceId": "[parameters('logAnalyticsWorkspaceResourceId')]", - "logs": "[parameters('logs')]", - "metrics": "[parameters('metrics')]" + "diagnosticsProfile": { + "bootDiagnostics": { + "enabled": false + } + }, + "hardwareProfile": { + "vmSize": "[parameters('size')]" + }, + "networkProfile": { + "networkInterfaces": [ + { + "id": "[resourceId('Microsoft.Network/networkInterfaces', parameters('networkInterfaceName'))]", + "properties": { + "deleteOption": "Delete" + } + } + ] + }, + "osProfile": { + "computerName": "[take(parameters('name'), 15)]", + "adminUsername": "[parameters('adminUsername')]", + "adminPassword": 
"[parameters('adminPassword')]" + }, + "securityProfile": { + "uefiSettings": { + "secureBootEnabled": true, + "vTpmEnabled": true + }, + "securityType": "trustedLaunch", + "encryptionAtHost": true + }, + "storageProfile": { + "imageReference": { + "publisher": "[parameters('publisher')]", + "offer": "[parameters('offer')]", + "sku": "[parameters('sku')]", + "version": "[parameters('version')]" + }, + "osDisk": { + "caching": "ReadWrite", + "createOption": "[parameters('createOption')]", + "deleteOption": "Delete", + "managedDisk": { + "diskEncryptionSet": { + "id": "[parameters('diskEncryptionSetResourceId')]" + }, + "storageAccountType": "[parameters('storageAccountType')]" + }, + "name": "[parameters('diskName')]", + "osType": "Windows" + }, + "dataDisks": "[parameters('dataDisks')]" + }, + "licenseType": "[if(parameters('hybridUseBenefit'), 'Windows_Server', null())]" } + }, + { + "type": "Microsoft.Compute/virtualMachines/extensions", + "apiVersion": "2021-03-01", + "name": "[format('{0}/{1}', parameters('name'), 'GuestAttestation')]", + "location": "[parameters('location')]", + "properties": { + "publisher": "Microsoft.Azure.Security.WindowsAttestation", + "type": "GuestAttestation", + "typeHandlerVersion": "1.0", + "autoUpgradeMinorVersion": true, + "settings": { + "AttestationConfig": { + "MaaSettings": { + "maaEndpoint": "", + "maaTenantName": "GuestAttestation" + }, + "AscSettings": { + "ascReportingEndpoint": "", + "ascReportingFrequency": "" + }, + "useCustomToken": "false", + "disableAlerts": "false" + } + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Compute/virtualMachines', parameters('name'))]" + ] + }, + { + "type": "Microsoft.Compute/virtualMachines/extensions", + "apiVersion": "2021-04-01", + "name": "[format('{0}/{1}', parameters('name'), 'DependencyAgentWindows')]", + "location": "[parameters('location')]", + "properties": { + "publisher": "Microsoft.Azure.Monitoring.DependencyAgent", + "type": "DependencyAgentWindows", + 
"typeHandlerVersion": "9.5", + "autoUpgradeMinorVersion": true + }, + "dependsOn": [ + "[resourceId('Microsoft.Compute/virtualMachines', parameters('name'))]" + ] + }, + { + "type": "Microsoft.Compute/virtualMachines/extensions", + "apiVersion": "2021-04-01", + "name": "[format('{0}/{1}', parameters('name'), 'AzurePolicyforWindows')]", + "location": "[parameters('location')]", + "properties": { + "publisher": "Microsoft.GuestConfiguration", + "type": "ConfigurationforWindows", + "typeHandlerVersion": "1.0", + "autoUpgradeMinorVersion": true, + "enableAutomaticUpgrade": true + }, + "dependsOn": [ + "[resourceId('Microsoft.Compute/virtualMachines', parameters('name'))]" + ] + }, + { + "type": "Microsoft.Compute/virtualMachines/extensions", + "apiVersion": "2021-04-01", + "name": "[format('{0}/{1}', parameters('name'), 'MMAExtension')]", + "location": "[parameters('location')]", + "properties": { + "publisher": "Microsoft.EnterpriseCloud.Monitoring", + "type": "MicrosoftMonitoringAgent", + "typeHandlerVersion": "1.0", + "settings": { + "workspaceId": "[reference(parameters('logAnalyticsWorkspaceId'), '2015-11-01-preview').customerId]", + "stopOnMultipleConnections": true + }, + "protectedSettings": { + "workspaceKey": "[listKeys(parameters('logAnalyticsWorkspaceId'), '2015-11-01-preview').primarySharedKey]" + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Compute/virtualMachines', parameters('name'))]" + ] + }, + { + "type": "Microsoft.Compute/virtualMachines/extensions", + "apiVersion": "2021-04-01", + "name": "[format('{0}/{1}', parameters('name'), 'Microsoft.Azure.NetworkWatcher')]", + "location": "[parameters('location')]", + "properties": { + "publisher": "Microsoft.Azure.NetworkWatcher", + "type": "NetworkWatcherAgentWindows", + "typeHandlerVersion": "1.4" + }, + "dependsOn": [ + "[resourceId('Microsoft.Compute/virtualMachines', parameters('name'))]" + ] } ] } - } + }, + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', 
'remoteAccess-windowsNetworkInterface')]" + ] } ] } }, "dependsOn": [ + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-azure-monitor-{0}', parameters('deploymentNameSuffix')))]", + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix')))]", "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix')))]", - "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', variables('spokes')[copyIndex()].subscriptionId, variables('spokes')[copyIndex()].resourceGroupName), 'Microsoft.Resources/deployments', format('deploy-vnet-{0}-{1}', variables('spokes')[copyIndex()].name, parameters('deploymentNameSuffix')))]", - "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', variables('spokes')[copyIndex()].subscriptionId, variables('spokes')[copyIndex()].resourceGroupName), 'Microsoft.Resources/deployments', format('deploy-vnet-{0}-{1}', variables('spokes')[copyIndex()].name, parameters('deploymentNameSuffix')))]", - "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', variables('spokes')[copyIndex()].subscriptionId, variables('spokes')[copyIndex()].resourceGroupName), 'Microsoft.Resources/deployments', format('deploy-log-storage-{0}-{1}', variables('spokes')[copyIndex()].name, parameters('deploymentNameSuffix')))]" + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', 
format('deploy-cmk-ops-{0}', parameters('deploymentNameSuffix')))]" ] }, { "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", - "name": "[format('activity-logs-hub-{0}', parameters('deploymentNameSuffix'))]", + "name": "[format('deploy-log-storage-hub-{0}', parameters('deploymentNameSuffix'))]", "subscriptionId": "[parameters('hubSubscriptionId')]", - "location": "[deployment().location]", + "resourceGroup": "[variables('hubResourceGroupName')]", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { - "diagnosticSettingName": { - "value": "[format('log-hub-sub-activity-to-{0}', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.name.value)]" - }, - "logAnalyticsWorkspaceId": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.id.value]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "3850477028148266020" - } + "blobsPrivateDnsZoneResourceId": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-private-dns-zones-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.blobPrivateDnsZoneId.value]" }, - "parameters": { - "diagnosticSettingName": { - 
"type": "string" - }, - "logAnalyticsWorkspaceId": { - "type": "string" - }, - "supportedClouds": { - "type": "array", - "defaultValue": [ - "AzureCloud", - "AzureUSGovernment" - ] - } + "keyVaultUri": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-cmk-ops-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.keyVaultUri.value]" }, - "resources": [ - { - "condition": "[contains(parameters('supportedClouds'), environment().name)]", - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2017-05-01-preview", - "name": "[parameters('diagnosticSettingName')]", - "properties": { - "workspaceId": "[parameters('logAnalyticsWorkspaceId')]", - "logs": [ - { - "category": "Administrative", - "enabled": true - }, - { - "category": "Security", - "enabled": true - }, - { - "category": "ServiceHealth", - "enabled": true - }, - { - "category": "Alert", - "enabled": true - }, - { - "category": "Recommendation", - "enabled": true - }, - { - "category": "Policy", - "enabled": true - }, - { - "category": "Autoscale", - "enabled": true - }, - { - "category": "ResourceHealth", - "enabled": true - } - ] - } - } - ] - } - }, - "dependsOn": [ - "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix')))]", - "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix')))]" - ] - }, - { - "condition": "[contains(parameters('supportedClouds'), environment().name)]", - "type": "Microsoft.Resources/deployments", - "apiVersion": 
"2022-09-01", - "name": "[format('deploy-azure-monitor-private-link-{0}', parameters('deploymentNameSuffix'))]", - "subscriptionId": "[parameters('operationsSubscriptionId')]", - "resourceGroup": "[variables('operationsResourceGroupName')]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "logAnalyticsWorkspaceName": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.name.value]" + "location": { + "value": "[parameters('location')]" }, - "logAnalyticsWorkspaceResourceId": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.id.value]" + "logStorageAccountName": { + "value": "[variables('hubLogStorageAccountName')]" }, - "monitorPrivateDnsZoneId": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-private-dns-zones-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.monitorPrivateDnsZoneId.value]" + "logStorageSkuName": { + "value": "[parameters('logStorageSkuName')]" }, - "omsPrivateDnsZoneId": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-private-dns-zones-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.omsPrivateDnsZoneId.value]" + "resourcePrefix": { + 
"value": "[parameters('resourcePrefix')]" }, - "odsPrivateDnsZoneId": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-private-dns-zones-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.odsPrivateDnsZoneId.value]" + "storageEncryptionKeyName": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-cmk-ops-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.storageKeyName.value]" }, - "agentsvcPrivateDnsZoneId": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-private-dns-zones-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.agentsvcPrivateDnsZoneId.value]" + "subnetResourceId": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.subnetResourceId.value]" }, - "location": { - "value": "[parameters('location')]" + "tablesPrivateDnsZoneResourceId": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-private-dns-zones-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.tablePrivateDnsZoneId.value]" }, "tags": { - "value": "[parameters('tags')]" - }, - "resourcePrefix": { - "value": "[parameters('resourcePrefix')]" + "value": 
"[variables('calculatedTags')]" }, - "subnetResourceId": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', variables('spokes')[1].subscriptionId, variables('spokes')[1].resourceGroupName), 'Microsoft.Resources/deployments', format('deploy-vnet-{0}-{1}', variables('spokes')[1].name, parameters('deploymentNameSuffix'))), '2022-09-01').outputs.subnetResourceId.value]" + "userAssignedIdentityResourceId": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-cmk-ops-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.userAssignedIdentityResourceId.value]" } }, "template": { 
@@ -6488,348 +6531,332 @@ "_generator": { "name": "bicep", "version": "0.24.24.22086", - "templateHash": "8449324246862763859" + "templateHash": "3711120774165826362" } }, "parameters": { - "agentsvcPrivateDnsZoneId": { + "blobsPrivateDnsZoneResourceId": { "type": "string" }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]" - }, - "logAnalyticsWorkspaceName": { + "keyVaultUri": { "type": "string" }, - "logAnalyticsWorkspaceResourceId": { + "logStorageAccountName": { "type": "string" }, - "monitorPrivateDnsZoneId": { + "logStorageSkuName": { "type": "string" }, - "odsPrivateDnsZoneId": { + "location": { "type": "string" }, - "omsPrivateDnsZoneId": { + "resourcePrefix": { "type": "string" }, - "resourcePrefix": { + "storageEncryptionKeyName": { "type": "string" }, "subnetResourceId": { "type": "string" }, + "tablesPrivateDnsZoneResourceId": { + "type": "string" + }, "tags": { "type": "object" + }, + "userAssignedIdentityResourceId": { + "type": "string" } }, - "variables": { - "privateEndpointName": "[replace(parameters('logAnalyticsWorkspaceName'), parameters('resourcePrefix'), format('{0}-pe', parameters('resourcePrefix')))]", - "privateEndpointNetworkInterfaceName": "[replace(parameters('logAnalyticsWorkspaceName'), parameters('resourcePrefix'), format('{0}-nic', parameters('resourcePrefix')))]", - "privateLinkScopeName": "[replace(parameters('logAnalyticsWorkspaceName'), parameters('resourcePrefix'), format('{0}-pls', parameters('resourcePrefix')))]" - }, "resources": [ { - "type": "microsoft.insights/privateLinkScopes", - "apiVersion": "2021-09-01", - "name": "[variables('privateLinkScopeName')]", - "location": "global", - "properties": { - "accessModeSettings": { - "ingestionAccessMode": "Private", - "queryAccessMode": "Private" - } - } - }, - { - "type": "Microsoft.Insights/privateLinkScopes/scopedResources", - "apiVersion": "2021-09-01", - "name": "[format('{0}/{1}', variables('privateLinkScopeName'), 
parameters('logAnalyticsWorkspaceName'))]", - "properties": { - "linkedResourceId": "[parameters('logAnalyticsWorkspaceResourceId')]" - }, - "dependsOn": [ - "[resourceId('microsoft.insights/privateLinkScopes', variables('privateLinkScopeName'))]" - ] - }, - { - "type": "Microsoft.Network/privateEndpoints", - "apiVersion": "2023-04-01", - "name": "[variables('privateEndpointName')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "customNetworkInterfaceName": "[variables('privateEndpointNetworkInterfaceName')]", - "privateLinkServiceConnections": [ - { - "name": "[variables('privateEndpointNetworkInterfaceName')]", - "properties": { - "privateLinkServiceId": "[resourceId('microsoft.insights/privateLinkScopes', variables('privateLinkScopeName'))]", - "groupIds": [ - "azuremonitor" - ] - } - } - ], - "subnet": { - "id": "[parameters('subnetResourceId')]" - } - }, - "dependsOn": [ - "[resourceId('microsoft.insights/privateLinkScopes', variables('privateLinkScopeName'))]", - "[resourceId('Microsoft.Insights/privateLinkScopes/scopedResources', variables('privateLinkScopeName'), parameters('logAnalyticsWorkspaceName'))]" - ] - }, - { - "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", - "apiVersion": "2023-04-01", - "name": "[format('{0}/{1}', variables('privateEndpointName'), variables('privateEndpointName'))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "storage", "properties": { - "privateDnsZoneConfigs": [ - { - "name": "monitor", - "properties": { - "privateDnsZoneId": "[parameters('monitorPrivateDnsZoneId')]" - } + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "blobsPrivateDnsZoneResourceId": { + "value": "[parameters('blobsPrivateDnsZoneResourceId')]" }, - { - "name": "oms", - "properties": { - "privateDnsZoneId": "[parameters('omsPrivateDnsZoneId')]" - } + "userAssignedIdentityResourceId": { + "value": 
"[parameters('userAssignedIdentityResourceId')]" }, - { - "name": "ods", - "properties": { - "privateDnsZoneId": "[parameters('odsPrivateDnsZoneId')]" - } + "keyVaultUri": { + "value": "[parameters('keyVaultUri')]" }, - { - "name": "agentsvc", - "properties": { - "privateDnsZoneId": "[parameters('agentsvcPrivateDnsZoneId')]" + "location": { + "value": "[parameters('location')]" + }, + "resourcePrefix": { + "value": "[parameters('resourcePrefix')]" + }, + "skuName": { + "value": "[parameters('logStorageSkuName')]" + }, + "storageAccountName": { + "value": "[parameters('logStorageAccountName')]" + }, + "storageEncryptionKeyName": { + "value": "[parameters('storageEncryptionKeyName')]" + }, + "subnetResourceId": { + "value": "[parameters('subnetResourceId')]" + }, + "tablesPrivateDnsZoneResourceId": { + "value": "[parameters('tablesPrivateDnsZoneResourceId')]" + }, + "tags": { + "value": "[parameters('tags')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.24.24.22086", + "templateHash": "234191582863282012" + } + }, + "parameters": { + "blobsPrivateDnsZoneResourceId": { + "type": "string" + }, + "keyVaultUri": { + "type": "string" + }, + "location": { + "type": "string" + }, + "resourcePrefix": { + "type": "string" + }, + "skuName": { + "type": "string" + }, + "storageAccountName": { + "type": "string" + }, + "storageEncryptionKeyName": { + "type": "string" + }, + "subnetResourceId": { + "type": "string" + }, + "tablesPrivateDnsZoneResourceId": { + "type": "string" + }, + "tags": { + "type": "object" + }, + "userAssignedIdentityResourceId": { + "type": "string" + } + }, + "variables": { + "zones": [ + "[parameters('blobsPrivateDnsZoneResourceId')]", + "[parameters('tablesPrivateDnsZoneResourceId')]" + ] + }, + "resources": [ + { + "type": "Microsoft.Storage/storageAccounts", + "apiVersion": 
"2023-01-01", + "name": "[parameters('storageAccountName')]", + "location": "[parameters('location')]", + "identity": { + "type": "UserAssigned", + "userAssignedIdentities": { + "[format('{0}', parameters('userAssignedIdentityResourceId'))]": {} + } + }, + "kind": "StorageV2", + "sku": { + "name": "[parameters('skuName')]" + }, + "tags": "[parameters('tags')]", + "properties": { + "accessTier": "Hot", + "allowBlobPublicAccess": false, + "allowCrossTenantReplication": false, + "allowedCopyScope": "PrivateLink", + "allowSharedKeyAccess": true, + "defaultToOAuthAuthentication": false, + "dnsEndpointType": "Standard", + "encryption": { + "identity": { + "userAssignedIdentity": "[parameters('userAssignedIdentityResourceId')]" + }, + "keySource": "Microsoft.KeyVault", + "keyvaultproperties": { + "keyvaulturi": "[parameters('keyVaultUri')]", + "keyname": "[parameters('storageEncryptionKeyName')]" + }, + "requireInfrastructureEncryption": true, + "services": { + "blob": { + "keyType": "Account", + "enabled": true + }, + "file": { + "keyType": "Account", + "enabled": true + }, + "queue": { + "keyType": "Account", + "enabled": true + }, + "table": { + "keyType": "Account", + "enabled": true + } + } + }, + "minimumTlsVersion": "TLS1_2", + "networkAcls": { + "bypass": "AzureServices", + "virtualNetworkRules": [], + "ipRules": [], + "defaultAction": "Deny" + }, + "publicNetworkAccess": "Disabled", + "supportsHttpsTrafficOnly": true + } + }, + { + "copy": { + "name": "privateEndpoints", + "count": "[length(variables('zones'))]" + }, + "type": "Microsoft.Network/privateEndpoints", + "apiVersion": "2023-04-01", + "name": "[format('{0}-{1}', replace(parameters('storageAccountName'), parameters('resourcePrefix'), format('{0}-pe-', parameters('resourcePrefix'))), split(split(variables('zones')[copyIndex()], '/')[8], '.')[1])]", + "location": "[parameters('location')]", + "tags": "[parameters('tags')]", + "properties": { + "customNetworkInterfaceName": "[format('{0}-{1}', 
replace(parameters('storageAccountName'), parameters('resourcePrefix'), format('{0}-nic-', parameters('resourcePrefix'))), split(split(variables('zones')[copyIndex()], '/')[8], '.')[1])]", + "privateLinkServiceConnections": [ + { + "name": "[format('{0}-{1}', replace(parameters('storageAccountName'), parameters('resourcePrefix'), format('{0}-nic-', parameters('resourcePrefix'))), split(split(variables('zones')[copyIndex()], '/')[8], '.')[1])]", + "properties": { + "privateLinkServiceId": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]", + "groupIds": [ + "[split(split(variables('zones')[copyIndex()], '/')[8], '.')[1]]" + ] + } + } + ], + "subnet": { + "id": "[parameters('subnetResourceId')]" + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]" + ] + }, + { + "copy": { + "name": "privateDnsZoneGroups", + "count": "[length(variables('zones'))]" + }, + "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", + "apiVersion": "2021-08-01", + "name": "[format('{0}/{1}', format('{0}-{1}', replace(parameters('storageAccountName'), parameters('resourcePrefix'), format('{0}-pe-', parameters('resourcePrefix'))), split(split(variables('zones')[copyIndex()], '/')[8], '.')[1]), parameters('storageAccountName'))]", + "properties": { + "privateDnsZoneConfigs": [ + { + "name": "ipconfig1", + "properties": { + "privateDnsZoneId": "[variables('zones')[copyIndex()]]" + } + } + ] + }, + "dependsOn": [ + "[resourceId('Microsoft.Network/privateEndpoints', format('{0}-{1}', replace(parameters('storageAccountName'), parameters('resourcePrefix'), format('{0}-pe-', parameters('resourcePrefix'))), split(split(variables('zones')[copyIndex()], '/')[8], '.')[1]))]" + ] + } + ], + "outputs": { + "id": { + "type": "string", + "value": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]" } } - ] - }, - "dependsOn": [ - 
"[resourceId('Microsoft.Network/privateEndpoints', variables('privateEndpointName'))]" - ] + } + } } - ] + ], + "outputs": { + "storageAccountResourceId": { + "type": "string", + "value": "[reference(resourceId('Microsoft.Resources/deployments', 'storage'), '2022-09-01').outputs.id.value]" + } + } } }, "dependsOn": [ - "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix')))]", + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix')))]", + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-cmk-ops-{0}', parameters('deploymentNameSuffix')))]", "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-private-dns-zones-{0}', parameters('deploymentNameSuffix')))]", - "spokeNetworks" + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-remote-access-{0}', parameters('deploymentNameSuffix')))]" ] }, { "copy": { - "name": "spokeSubscriptionActivityLogging", + "name": "spokeStorage", "count": "[length(variables('spokes'))]" }, - "condition": "[not(equals(variables('spokes')[copyIndex()].subscriptionId, parameters('hubSubscriptionId')))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", - "name": "[format('activity-logs-{0}-{1}', 
variables('spokes')[copyIndex()].name, parameters('deploymentNameSuffix'))]", + "name": "[format('deploy-log-storage-{0}-{1}', variables('spokes')[copyIndex()].name, parameters('deploymentNameSuffix'))]", "subscriptionId": "[variables('spokes')[copyIndex()].subscriptionId]", - "location": "[deployment().location]", + "resourceGroup": "[variables('spokes')[copyIndex()].resourceGroupName]", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { - "diagnosticSettingName": { - "value": "[format('log-{0}-sub-activity-to-{1}', variables('spokes')[copyIndex()].name, reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.name.value)]" + "blobsPrivateDnsZoneResourceId": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-private-dns-zones-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.blobPrivateDnsZoneId.value]" }, - "logAnalyticsWorkspaceId": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.id.value]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "3850477028148266020" - } + "keyVaultUri": { + "value": 
"[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-cmk-ops-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.keyVaultUri.value]" }, - "parameters": { - "diagnosticSettingName": { - "type": "string" - }, - "logAnalyticsWorkspaceId": { - "type": "string" - }, - "supportedClouds": { - "type": "array", - "defaultValue": [ - "AzureCloud", - "AzureUSGovernment" - ] - } + "location": { + "value": "[parameters('location')]" }, - "resources": [ - { - "condition": "[contains(parameters('supportedClouds'), environment().name)]", - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2017-05-01-preview", - "name": "[parameters('diagnosticSettingName')]", - "properties": { - "workspaceId": "[parameters('logAnalyticsWorkspaceId')]", - "logs": [ - { - "category": "Administrative", - "enabled": true - }, - { - "category": "Security", - "enabled": true - }, - { - "category": "ServiceHealth", - "enabled": true - }, - { - "category": "Alert", - "enabled": true - }, - { - "category": "Recommendation", - "enabled": true - }, - { - "category": "Policy", - "enabled": true - }, - { - "category": "Autoscale", - "enabled": true - }, - { - "category": "ResourceHealth", - "enabled": true - } - ] - } - } - ] - } - }, - "dependsOn": [ - "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix')))]", - "spokeNetworks" - ] - }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('deploy-diagnostic-logging-{0}', parameters('deploymentNameSuffix'))]", - "subscriptionId": "[parameters('operationsSubscriptionId')]", - "resourceGroup": "[variables('operationsResourceGroupName')]", - 
"properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "diagnosticStorageAccountName": { - "value": "[variables('operationsLogStorageAccountName')]" + "logStorageAccountName": { + "value": "[variables('spokes')[copyIndex()].logStorageAccountName]" }, - "logAnalyticsWorkspaceName": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.name.value]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "6866155279282592403" - } + "logStorageSkuName": { + "value": "[parameters('logStorageSkuName')]" }, - "parameters": { - "diagnosticStorageAccountName": { - "type": "string" - }, - "logAnalyticsWorkspaceName": { - "type": "string" - }, - "supportedClouds": { - "type": "array", - "defaultValue": [ - "AzureCloud", - "AzureUSGovernment" - ] - } + "resourcePrefix": { + "value": "[parameters('resourcePrefix')]" }, - "resources": [ - { - "condition": "[contains(parameters('supportedClouds'), environment().name)]", - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2017-05-01-preview", - "scope": "[format('Microsoft.OperationalInsights/workspaces/{0}', parameters('logAnalyticsWorkspaceName'))]", - "name": "enable-log-analytics-diagnostics", - "properties": { - "workspaceId": "[resourceId('Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))]", - "storageAccountId": "[resourceId('Microsoft.Storage/storageAccounts', parameters('diagnosticStorageAccountName'))]", - "logs": [ - { - "category": "Audit", - "enabled": true - } - ], - 
"metrics": [ - { - "category": "AllMetrics", - "enabled": true - } - ] - } - } - ] - } - }, - "dependsOn": [ - "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix')))]", - "spokeStorage" - ] - }, - { - "condition": "[parameters('deployPolicy')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('assign-policy-hub-{0}', parameters('deploymentNameSuffix'))]", - "subscriptionId": "[parameters('hubSubscriptionId')]", - "resourceGroup": "[variables('hubResourceGroupName')]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "builtInAssignment": { - "value": "[parameters('policy')]" + "storageEncryptionKeyName": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-cmk-ops-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.storageKeyName.value]" }, - "logAnalyticsWorkspaceName": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.name.value]" + "subnetResourceId": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', variables('spokes')[copyIndex()].subscriptionId, variables('spokes')[copyIndex()].resourceGroupName), 'Microsoft.Resources/deployments', format('deploy-vnet-{0}-{1}', variables('spokes')[copyIndex()].name, parameters('deploymentNameSuffix'))), '2022-09-01').outputs.subnetResourceId.value]" 
}, - "logAnalyticsWorkspaceResourceGroupName": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.resourceGroupName.value]" + "tablesPrivateDnsZoneResourceId": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-private-dns-zones-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.tablePrivateDnsZoneId.value]" }, - "operationsSubscriptionId": { - "value": "[parameters('operationsSubscriptionId')]" + "tags": { + "value": "[parameters('tags')]" }, - "location": { - "value": "[parameters('location')]" + "userAssignedIdentityResourceId": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-cmk-ops-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.userAssignedIdentityResourceId.value]" } }, "template": { 
@@ -6839,179 +6866,87 @@ "_generator": { "name": "bicep", "version": "0.24.24.22086", - "templateHash": "16693295535307781768" + "templateHash": "6037549614709568341" } }, "parameters": { - "builtInAssignment": { - "type": "string", - "defaultValue": "NISTRev4", - "allowedValues": [ - "NISTRev4", - "NISTRev5", - "IL5", - "CMMC" - ], - "metadata": { - "description": "[NISTRev4/NISTRev5/IL5/CMMC] Built-in policy assignments to assign, default is NISTRev4. IL5 is only available for AzureUsGovernment and will switch to NISTRev4 if tried in AzureCloud." - } + "blobsPrivateDnsZoneResourceId": { + "type": "string" }, - "logAnalyticsWorkspaceName": { + "keyVaultUri": { "type": "string" }, - "logAnalyticsWorkspaceResourceGroupName": { + "location": { "type": "string" }, - "operationsSubscriptionId": { + "logStorageAccountName": { "type": "string" }, - "deployRemediation": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Starts a policy remediation for the VM Agent policies in hub RG. Set to false by default since this is time consuming in deployment." 
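Review bot: The new log storage account in the nested "storage" template keeps `"allowSharedKeyAccess": true` and `"defaultToOAuthAuthentication": false`, so anyone holding the account keys (or listKeys permission) bypasses the RBAC, private-endpoint and CMK controls the same hunk adds; for a log archive this should be `"allowSharedKeyAccess": false,` and `"defaultToOAuthAuthentication": true,` unless a consumer of this account (e.g. the diagnostic-settings sinks elsewhere in this template) is confirmed to require Shared Key, in which case the exception deserves a comment. Since mlz.json is `bicep build` output (see the `_generator` metadata), the change belongs in src/bicep/modules/storage-account.bicep in this same commit, with the JSON regenerated. A smaller note: the private endpoint `groupIds` value is recovered by parsing the DNS zone resource ID (`split(split(zone, '/')[8], '.')[1]`), which quietly couples endpoint correctness to the `privatelink.<group>.` naming of whatever zone IDs are passed in; passing the group name explicitly alongside each zone would make a mismatch fail at validation rather than produce a misconfigured endpoint. The enclosing spokeStorage deployment continues past the end of this hunk.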
- } + "logStorageSkuName": { + "type": "string" }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "The location of this resource" - } + "resourcePrefix": { + "type": "string" + }, + "storageEncryptionKeyName": { + "type": "string" + }, + "subnetResourceId": { + "type": "string" + }, + "tablesPrivateDnsZoneResourceId": { + "type": "string" + }, + "tags": { + "type": "object" + }, + "userAssignedIdentityResourceId": { + "type": "string" } }, - "variables": { - "$fxv#0": " {\r\n \"listOfMembersToExcludeFromWindowsVMAdministratorsGroup\": \r\n {\r\n \"value\": \"admin\"\r\n },\r\n \"listOfMembersToIncludeInWindowsVMAdministratorsGroup\": \r\n {\r\n \"value\": \"azureuser\"\r\n },\r\n \"logAnalyticsWorkspaceIdforVMReporting\": \r\n {\r\n \"value\": \"\"\r\n },\r\n \"IncludeArcMachines\": \r\n {\r\n \"value\": \"true\"\r\n },\r\n \"MinimumTLSVersion-5752e6d6-1206-46d8-8ab1-ecc2f71a8112\": \r\n {\r\n \"value\": \"1.2\"\r\n },\r\n \"NotAvailableMachineState-bed48b13-6647-468e-aa2f-1af1d3f4dd40\": \r\n {\r\n \"value\": \"Compliant\"\r\n },\r\n \"requiredRetentionDays\": \r\n {\r\n \"value\": \"365\"\r\n },\r\n \"resourceGroupName-b6e2945c-0b7b-40f5-9233-7a5323b5cdc6\": \r\n {\r\n \"value\": \"NetworkWatcherRG\"\r\n }\r\n }", - "$fxv#1": " {\r\n \"IncludeArcMachines\": \r\n {\r\n \"value\": \"true\"\r\n },\r\n \"MinimumTLSVersion-5752e6d6-1206-46d8-8ab1-ecc2f71a8112\": \r\n {\r\n \"value\": \"1.2\"\r\n },\r\n \"NotAvailableMachineState-bed48b13-6647-468e-aa2f-1af1d3f4dd40\": \r\n {\r\n \"value\": \"Compliant\"\r\n },\r\n \"requiredRetentionDays\": \r\n {\r\n \"value\": \"365\"\r\n },\r\n \"resourceGroupName-b6e2945c-0b7b-40f5-9233-7a5323b5cdc6\": \r\n {\r\n \"value\": \"NetworkWatcherRG\"\r\n }\r\n }", - "$fxv#2": "{\r\n \"IncludeArcMachines\" : { \r\n \"value\" : \"false\"\r\n },\r\n \"NotAvailableMachineState-bed48b13-6647-468e-aa2f-1af1d3f4dd40\" : { \r\n \"value\" : \"Compliant\"\r\n },\r\n 
\"MinimumTLSVersionForWindowsServers\" : { \r\n \"value\" : \"1.2\"\r\n },\r\n \"requiredRetentionDays\" : { \r\n \"value\" : \"365\"\r\n },\r\n \"effect-febd0533-8e55-448f-b837-bd0e06f16469\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"allowedContainerImagesRegex-febd0533-8e55-448f-b837-bd0e06f16469\" : { \r\n \"value\" : \"^(.+){0}$\"\r\n },\r\n \"effect-95edb821-ddaf-4404-9732-666045e056b4\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-440b515e-a580-421e-abeb-b159a61ddcbc\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-233a2a17-77ca-4fb1-9b6b-69223d272a44\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-e345eecc-fa47-480f-9e88-67dcc122b164\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"cpuLimit-e345eecc-fa47-480f-9e88-67dcc122b164\" : { \r\n \"value\" : \"0\"\r\n },\r\n \"memoryLimit-e345eecc-fa47-480f-9e88-67dcc122b164\" : { \r\n \"value\" : \"0\"\r\n },\r\n \"effect-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"runAsUserRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \r\n \"value\" : \"MustRunAsNonRoot\"\r\n },\r\n \"runAsGroupRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \r\n \"value\" : \"RunAsAny\"\r\n },\r\n \"supplementalGroupsRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \r\n \"value\" : \"RunAsAny\"\r\n },\r\n \"fsGroupRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \r\n \"value\" : \"RunAsAny\"\r\n },\r\n \"effect-1c6e92c9-99f0-4e55-9cf2-0c234dc48f99\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-df49d893-a74c-421d-bc95-c663042e5b80\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-c26596ff-4d70-4e6a-9a30-c2506bd2f80c\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-511f5417-5d12-434d-ab2e-816901e72a5e\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-82985f06-dc18-4a48-bc1c-b9f4f0098cfe\" : { \r\n 
\"value\" : \"audit\"\r\n },\r\n \"effect-098fc59e-46c7-4d99-9b16-64990e543d75\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"NetworkWatcherResourceGroupName\" : { \r\n \"value\" : \"NetworkWatcherRG\"\r\n },\r\n \"setting-a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9\" : { \r\n \"value\" : \"enabled\"\r\n },\r\n \"aadAuthenticationInServiceFabricMonitoringEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-71ef260a-8f18-47b7-abcb-62d0673d94dc\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-055aa869-bc98-4af8-bafc-23f1ab6ffe2c\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-564feb30-bf6a-4854-b4bb-0d2d2d1e6c66\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-d9da03a1-f3c3-412a-9709-947156872263\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-617c02be-7f02-4efd-8836-3180d47b6c68\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-ec068d99-e9c7-401f-8cef-5bdde4e6ccf1\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-c349d81b-9985-44ae-a8da-ff98d108ede8\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-3657f5a0-770e-44a3-b44e-9431ba1e9735\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-b4ac1030-89c5-4697-8e00-28b5ba6a8811\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-ea0dfaed-95fb-448c-934e-d6e713ce393d\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-4733ea7b-a883-42fe-8cac-97454c2a9e4a\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-f4b53539-8df9-40e4-86c6-6b607703bd4e\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-41425d9f-d1a5-499a-9932-f8ed8453932c\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-fc4d8e41-e223-45ea-9bf5-eada37891d87\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-86efb160-8de7-451d-bc08-5d475b0aadae\" : { \r\n \"value\" : 
\"Audit\"\r\n },\r\n \"effect-4ec52d6d-beb7-40c4-9a9e-fe753254690e\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-64d314f6-6062-4780-a861-c23e8951bee5\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-1fd32ebd-e4c3-4e13-a54a-d7422d4d95f6\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-fa298e57-9444-42ba-bf04-86e8470e32c7\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-67121cc7-ff39-4ab8-b7e3-95b84dab487d\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-1f905d99-2ab7-462c-a6b0-f709acca6c8f\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-ba769a63-b8cc-4b2d-abf6-ac33c7204be8\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-81e74cea-30fd-40d5-802f-d72103c2aaaa\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-0aa61e00-0a01-4a3c-9945-e93cffedf0e6\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-47031206-ce96-41f8-861b-6a915f3de284\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-87ba29ef-1ab3-4d82-b763-87fcd4f531f7\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-51522a96-0869-4791-82f3-981000c2c67f\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-b5ec538c-daa0-4006-8596-35468b9148e8\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-56a5ee18-2ae6-4810-86f7-18e39ce5629b\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-2e94d99a-8a36-4563-bc77-810d8893b671\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-1fafeaf6-7927-4059-a50a-8eb2a7a6f2b5\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-99e9ccd8-3db9-4592-b0d1-14b1715a4d8a\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-1f68a601-6e6d-4e42-babf-3f643a047ea2\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-f7d52b2d-e161-4dfa-a82b-55e564167385\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-7d7be79c-23ba-4033-84dd-45e2a5ccdd67\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-ca91455f-eace-4f96-be59-e6e2c35b4816\" : { \r\n \"value\" : \"Audit\"\r\n 
},\r\n \"effect-702dd420-7fcc-42c5-afe8-4026edd20fe0\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"diagnosticsLogsInRedisCacheMonitoringEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"secureTransferToStorageAccountMonitoringEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-d0793b48-0edc-4296-a390-4c75d1bdfd71\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-7d092e0a-7acd-40d2-a975-dca21cae48c4\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-2a1a9cdf-e04d-429a-8416-3bfb72a1b26f\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"disableUnrestrictedNetworkToStorageAccountMonitoringEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-55615ac9-af46-4a59-874e-391cc3dfb490\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-1b8ca024-1d5c-4dec-8995-b1a932b41780\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-037eea7a-bd0a-46c5-9a66-03aea78705d3\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-53503636-bcc9-4748-9663-5348217f160f\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-40cec1dd-a100-4920-b15b-3024fe8901ab\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-0725b4dd-7e76-479c-a735-68e7ee23d5ca\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-a049bf77-880b-470f-ba6d-9f21c530cf83\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-ee980b6d-0eca-4501-8d54-f6290fd512c3\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-1d84d5fb-01f6-4d12-ba4f-4a26081d403d\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-37e0d2fe-28a5-43d6-a273-67d37d1f5606\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"identityDesignateMoreThanOneOwnerMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"diskEncryptionMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"emailNotificationToSubscriptionOwnerHighSeverityAlertsEnabledEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"functionAppDisableRemoteDebuggingMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n 
\"sqlDbEncryptionMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"vulnerabilityAssessmentOnManagedInstanceMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"ensurePHPVersionLatestForAPIAppEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"aadAuthenticationInSqlServerMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"vmssEndpointProtectionMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"vmssOsVulnerabilitiesMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"adaptiveApplicationControlsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"geoRedundantBackupShouldBeEnabledForAzureDatabaseForPostgreSQLEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"ensureJavaVersionLatestForWebAppEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"identityDesignateLessThanOwnersMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"securityContactEmailAddressForSubscriptionEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"webAppRestrictCORSAccessMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"identityRemoveExternalAccountWithWritePermissionsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"identityRemoveExternalAccountWithReadPermissionsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"identityRemoveDeprecatedAccountMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"functionAppEnforceHttpsMonitoringEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"ensurePythonVersionLatestForWebAppEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"ensurePythonVersionLatestForFunctionAppEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"ensurePHPVersionLatestForWebAppEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"ensurePythonVersionLatestForAPIAppEffect\" : { \r\n 
\"value\" : \"AuditIfNotExists\"\r\n },\r\n \"geoRedundantBackupShouldBeEnabledForAzureDatabaseForMySQLEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"systemUpdatesMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"ensureJavaVersionLatestForAPIAppEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"ensureHTTPVersionLatestForWebAppEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"apiAppRequireLatestTlsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"identityEnableMFAForWritePermissionsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"ensureHTTPVersionLatestForAPIAppEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"ensureJavaVersionLatestForFunctionAppEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"nextGenerationFirewallMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"useRbacRulesMonitoringEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"webAppEnforceHttpsMonitoringEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"sqlServerAuditingMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"vnetEnableDDoSProtectionMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"identityEnableMFAForOwnerPermissionsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"sqlServerAdvancedDataSecurityMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"sqlManagedInstanceAdvancedDataSecurityMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"endpointProtectionMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"jitNetworkAccessMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"apiAppEnforceHttpsMonitoringEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"geoRedundantStorageShouldBeEnabledForStorageAccountsEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n 
\"vmssSystemUpdatesMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"webAppDisableRemoteDebuggingMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"longtermGeoRedundantBackupEnabledAzureSQLDatabasesEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"systemConfigurationsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"ensureHTTPVersionLatestForFunctionAppEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"identityEnableMFAForReadPermissionsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"containerBenchmarkMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"apiAppDisableRemoteDebuggingMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"vulnerabilityAssessmentOnServerMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"webAppRequireLatestTlsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"identityRemoveExternalAccountWithOwnerPermissionsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"functionAppRequireLatestTlsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"kubernetesServiceVersionUpToDateMonitoringEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"sqlDbVulnerabilityAssesmentMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"membersToIncludeInLocalAdministratorsGroup\" : { \r\n \"value\" : \"\"\r\n },\r\n \"membersToExcludeInLocalAdministratorsGroup\" : { \r\n \"value\" : \"\"\r\n },\r\n \"logAnalyticsWorkspaceIDForVMAgents\" : { \r\n \"value\" : \"\"\r\n },\r\n \"PHPLatestVersionForAppServices\" : { \r\n \"value\" : \"7.4\"\r\n },\r\n \"JavaLatestVersionForAppServices\" : { \r\n \"value\" : \"11\"\r\n },\r\n \"WindowsPythonLatestVersionForAppServices\" : { \r\n 
\"value\" : \"3.6\"\r\n },\r\n \"LinuxPythonLatestVersionForAppServices\" : { \r\n \"value\" : \"3.9\"\r\n },\r\n \"ensureDotNetFrameworkLatestForFunctionAppEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"sqlManagedInstanceAdvancedDataSecurityEmailsMonitoringEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"vulnerabilityAssessmentMonitoringEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"ensureDotNetFrameworkLatestForWebAppEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"sqlServerAdvancedDataSecurityEmailsMonitoringEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"microsoftIaaSAntimalwareExtensionShouldBeDeployedOnWindowsServersEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"securityCenterStandardPricingTierShouldBeSelectedEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"theLogAnalyticsAgentShouldBeInstalledOnVirtualMachinesEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"ensurePHPVersionLatestForFunctionAppEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"sqlManagedInstanceAdvancedDataSecurityEmailAdminsMonitoringEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"securityContactPhoneNumberShouldBeProvidedForSubscriptionEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"threatDetectionTypesOnManagedInstanceMonitoringEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"ensureDotNetFrameworkLatestForAPIAppEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"sqlServerAdvancedDataSecurityEmailAdminsMonitoringEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"threatDetectionTypesOnServerMonitoringEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"theLogAnalyticsAgentShouldBeInstalledOnVirtualMachineScaleSetsEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n }\r\n}", - "$fxv#3": "{\r\n \"logAnalyticsWorkspaceId-f47b5582-33ec-4c5c-87c0-b010a6b2e917\" : { \r\n \"value\" : \"\"\r\n },\r\n \"effect-09024ccc-0c5f-475e-9457-b7c0d9ed487b\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n 
},\r\n \"MembersToExclude-69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f\" :{\r\n \"value\": \"\"\r\n },\r\n \"MembersToInclude-30f71ea1-ac77-4f26-9fc5-2d926bbd4ba7\": {\r\n \"value\": \"\"\r\n },\r\n \"effect-0961003e-5a0a-4549-abde-af6a37f2724d\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-0b15565f-aa9e-48ba-8619-45960f2c314d\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-0e60b895-3786-45da-8377-9c6b4b6ac5f9\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-17k78e20-9358-41c9-923c-fb736d382a12\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"PHPLatestVersion\" : { \r\n \"value\" : \"7.3\"\r\n },\r\n \"effect-22bee202-a82f-4305-9a2a-6d7f44d4dedb\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-26a828e1-e88f-464e-bbb3-c134a282b9de\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-34c877ad-507e-4c82-993e-3452a6e0ad3c\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-404c3081-a854-4457-ae30-26a93ef643f9\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-47a6b606-51aa-4496-8bb7-64b11cf66adc\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-496223c3-ad65-4ecd-878a-bae78737e9ed\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"JavaLatestVersion\" : { \r\n \"value\" : \"11\"\r\n },\r\n \"effect-4f11b553-d42e-4e3a-89be-32ca364cad4c\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-5c607a2e-c700-4744-8254-d77e7c9eb5e4\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-5f76cf89-fbf2-47fd-a3f4-b891fa780b60\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-6b1cbf55-e8b6-442f-ba4c-7246b6381474\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n 
\"effect-6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-7008174a-fd10-4ef0-817e-fc820a951d73\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"LinuxPythonLatestVersion\" : { \r\n \"value\" : \"3.8\"\r\n },\r\n \"effect-7238174a-fd10-4ef0-817e-fc820a951d73\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-7261b898-8a84-4db8-9e04-18527132abb3\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-74c3584d-afae-46f7-a20a-6f8adba71a16\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-86b3d65f-7626-441e-b690-81a8b71cff60\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-88999f4c-376a-45c8-bcb3-4058f713cf39\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-8c122334-9d20-4eb8-89ea-ac9a705b74ae\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-9297c21d-2ed6-4474-b48f-163f75654ce3\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-991310cd-e9f3-47bc-b7b6-f57b557d07db\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-9b597639-28e4-48eb-b506-56b05d366257\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-9daedab3-fb2d-461e-b861-71790eead4f6\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-a4af4a39-4135-47fb-b175-47fbdf85311d\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"setting-a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9\" : { \r\n \"value\" : \"enabled\"\r\n },\r\n \"effect-a70ca396-0a34-413a-88e1-b956c1e683be\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-aa633080-8b72-40c4-a2d7-d00c03e80bed\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n 
\"effect-abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-af6cd1bd-1635-48cb-bde7-5b15693900b9\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"resourceGroupName-b6e2945c-0b7b-40f5-9233-7a5323b5cdc6\" : { \r\n \"value\" : \"NetworkWatcherRG\"\r\n },\r\n \"effect-b7ddfbdc-1260-477d-91fd-98bd9be789a6\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-c3f317a7-a95c-4547-b7e7-11017ebdf2fe\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-cb510bfd-1cba-4d9f-a230-cb0976f4bb71\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-e2c1c086-2d84-4019-bff3-c44ccd95113c\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-e3576e28-8b17-4677-84c3-db2990658d64\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-e8cbc669-f12d-49eb-93e7-9273119e9933\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-e9c8d085-d9cc-4b17-9cdc-059f1f01f19e\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-ebb62a0c-3560-49e1-89ed-27e074e9f8ad\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-efbde977-ba53-4479-b8e9-10b957924fbf\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-f6de0be7-9a8a-4b8a-b349-43cf02d22f7c\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-f8456c1c-aa66-4dfb-861a-25d127b775c9\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-f9d614c5-c173-4d56-95a7-b4437057d193\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-fb893a29-21bb-418c-a157-e99480ec364c\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-feedbf84-6b99-488c-acc2-71c829aa5ffc\" : { \r\n \"value\" : 
\"AuditIfNotExists\"\r\n },\r\n \"effect-3b980d31-7904-4bb7-8575-5665739a8052\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-6e2593d9-add6-4083-9c9b-4b7d2188c899\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-12430be1-6cc8-4527-a9a8-e3d38f250096\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"modeRequirement-12430be1-6cc8-4527-a9a8-e3d38f250096\" : { \r\n \"value\" : \"Detection\"\r\n },\r\n \"effect-425bea59-a659-4cbb-8d31-34499bd030b8\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"modeRequirement-425bea59-a659-4cbb-8d31-34499bd030b8\" : { \r\n \"value\" : \"Detection\"\r\n },\r\n \"effect-564feb30-bf6a-4854-b4bb-0d2d2d1e6c66\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-055aa869-bc98-4af8-bafc-23f1ab6ffe2c\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-013e242c-8828-4970-87b3-ab247555486d\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-d38fc420-0735-4ef3-ac11-c806f651a570\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-a1181c5f-672a-477a-979a-7d58aa086233\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-308fbb08-4ab8-4e67-9b29-592e93fb94fa\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-4da35fc9-c9e7-4960-aec9-797fe7d9051d\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-523b5cd1-3e23-492f-a539-13118b6d1e3a\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-7fe3b40f-802b-4cdd-8bd4-fd799c948cc2\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-c25d9a16-bc35-4e15-a7e5-9db606bf9ed4\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-b0f33259-77d7-4c9e-aac6-3aabcfae693c\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-037eea7a-bd0a-46c5-9a66-03aea78705d3\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-0725b4dd-7e76-479c-a735-68e7ee23d5ca\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n 
\"effect-0820b7b9-23aa-4725-a1ce-ae4558f718e5\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-2c89a2e5-7285-40fe-afe0-ae8654b92fab\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-358c20a6-3f9e-4f0e-97ff-c6ce485e2aac\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-5744710e-cc2f-4ee8-8809-3b11e89f4bc9\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-ac4a19c2-fa67-49b4-8ae5-0b2e78c49457\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-c9d007d0-c057-4772-b18c-01e546713bcd\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-d0793b48-0edc-4296-a390-4c75d1bdfd71\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-e372f825-a257-4fb8-9175-797a8a8627d6\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-d158790f-bfb0-486c-8631-2dc6b4e8e6af\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-e802a67a-daf5-4436-9ea6-f6d821dd0c5d\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-a451c1ef-c6ca-483d-87ed-f49761e3ffb5\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftSql-servers-firewallRules-delete\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftNetwork-networkSecurityGroups-delete\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftClassicNetwork-networkSecurityGroups-delete\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftNetwork-networkSecurityGroups-securityRules-delete\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftClassicNetwork-networkSecurityGroups-securityRules-delete\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-ae89ebca-1c92-4898-ac2c-9f63decb045c\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-d26f7642-7545-4e18-9b75-8c9bbdee3a9a\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n 
\"effect-1a4e592a-6a6e-44a5-9814-e36264ca96e7\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-7796937f-307b-4598-941c-67d3a05ebfe7\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-c5447c04-a4d7-4ba8-a263-c9ee321a6858\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-41388f1c-2db0-4c25-95b2-35d7f5ccbfa9\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-b02aacc0-b073-424e-8298-42b22829ee0a\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-0ec47710-77ff-4a3d-9181-6aa50af424d0\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-48af4db5-9b8b-401c-8e74-076be876a430\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-82339799-d096-41ae-8538-b108becf0970\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-1b7aa243-30e4-4c9e-bca8-d0d3022b634a\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-bb91dfba-c30d-4263-9add-9c2384e659a6\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-e71308d3-144b-4262-b144-efdc3cc90517\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-2bdd0062-9d75-436e-89df-487dd8e4b3c7\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"effect-4733ea7b-a883-42fe-8cac-97454c2a9e4a\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-67121cc7-ff39-4ab8-b7e3-95b84dab487d\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-6fac406b-40ca-413b-bf8e-0bf964659c25\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-81e74cea-30fd-40d5-802f-d72103c2aaaa\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-c349d81b-9985-44ae-a8da-ff98d108ede8\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-f4b53539-8df9-40e4-86c6-6b607703bd4e\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-ec068d99-e9c7-401f-8cef-5bdde4e6ccf1\" : { \r\n \"value\" : \"Audit\"\r\n 
},\r\n \"effect-048248b0-55cd-46da-b1ff-39efd52db260\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-0d134df8-db83-46fb-ad72-fe0c9428c8dd\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-2c89a2e5-7285-40fe-afe0-ae8654b92fb2\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-3657f5a0-770e-44a3-b44e-9431ba1e9735\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-617c02be-7f02-4efd-8836-3180d47b6c68\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-7d7be79c-23ba-4033-84dd-45e2a5ccdd67\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-87ba29ef-1ab3-4d82-b763-87fcd4f531f7\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-f7d52b2d-e161-4dfa-a82b-55e564167385\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-c43e4a30-77cb-48ab-a4dd-93f175c63b57\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-1f314764-cb73-4fc9-b863-8eca98ac36e9\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-123a3936-f020-408a-ba0c-47873faf1534\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n }\r\n}\r\n", - "modifiedAssignment": "[if(and(equals(toLower(environment().name), toLower('AzureCloud')), equals(toLower(parameters('builtInAssignment')), toLower('IL5'))), 'NISTRev4', parameters('builtInAssignment'))]", - "assignmentName": "[format('{0} {1}', variables('modifiedAssignment'), resourceGroup().name)]", - "agentVmssAssignmentName": "[format('Deploy VMSS Agents {0}', resourceGroup().name)]", - "agentVmAssignmentName": "[format('Deploy VM Agents {0}', resourceGroup().name)]", - "contributorRoleDefinitionId": "[resourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "lawsReaderRoleDefinitionId": 
"[resourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]" - }, "resources": [ { - "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2020-09-01", - "name": "[variables('assignmentName')]", - "location": "[parameters('location')]", - "properties": { - "policyDefinitionId": "[createObject('NISTRev4', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f', 'parameters', json(replace(variables('$fxv#0'), '', extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))))), 'NISTRev5', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f', 'parameters', json(variables('$fxv#1'))), 'IL5', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/f9a961fa-3241-4b20-adc4-bbf8ad9d7197', 'parameters', json(replace(variables('$fxv#2'), '', extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))))), 'CMMC', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/b5629c75-5c77-4422-87b9-2509e680f8de', 'parameters', json(replace(variables('$fxv#3'), '', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName')), '2021-06-01').customerId))))[variables('modifiedAssignment')].id]", - "parameters": "[createObject('NISTRev4', createObject('id', 
'/providers/Microsoft.Authorization/policySetDefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f', 'parameters', json(replace(variables('$fxv#0'), '', extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))))), 'NISTRev5', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f', 'parameters', json(variables('$fxv#1'))), 'IL5', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/f9a961fa-3241-4b20-adc4-bbf8ad9d7197', 'parameters', json(replace(variables('$fxv#2'), '', extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))))), 'CMMC', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/b5629c75-5c77-4422-87b9-2509e680f8de', 'parameters', json(replace(variables('$fxv#3'), '', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName')), '2021-06-01').customerId))))[variables('modifiedAssignment')].parameters]" - }, - "identity": { - "type": "SystemAssigned" - } - }, - { - "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2020-09-01", - "name": "[variables('agentVmssAssignmentName')]", - "location": "[parameters('location')]", - "properties": { - "policyDefinitionId": "[tenantResourceId('Microsoft.Authorization/policySetDefinitions', '75714362-cae7-409e-9b99-a8e5075b7fad')]", - "parameters": { - "logAnalytics_1": { - "value": 
"[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))]" - } - } - }, - "identity": { - "type": "SystemAssigned" - } - }, - { - "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2020-09-01", - "name": "[variables('agentVmAssignmentName')]", - "location": "[parameters('location')]", - "properties": { - "policyDefinitionId": "[tenantResourceId('Microsoft.Authorization/policySetDefinitions', '55f3eceb-5573-4f18-9695-226972c6d74a')]", - "parameters": { - "logAnalytics_1": { - "value": "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))]" - } - } - }, - "identity": { - "type": "SystemAssigned" - } - }, - { - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2020-04-01-preview", - "name": "[guid(variables('contributorRoleDefinitionId'), variables('assignmentName'))]", - "properties": { - "roleDefinitionId": "[variables('contributorRoleDefinitionId')]", - "principalId": "[if(empty(variables('modifiedAssignment')), '', reference(resourceId('Microsoft.Authorization/policyAssignments', variables('assignmentName')), '2020-09-01', 'full').identity.principalId)]", - "principalType": "ServicePrincipal" - }, - "dependsOn": [ - "[resourceId('Microsoft.Authorization/policyAssignments', variables('assignmentName'))]" - ] - }, - { - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2020-04-01-preview", - "name": "[guid(variables('contributorRoleDefinitionId'), variables('agentVmssAssignmentName'))]", - "properties": { - "roleDefinitionId": "[variables('contributorRoleDefinitionId')]", - "principalId": 
"[reference(resourceId('Microsoft.Authorization/policyAssignments', variables('agentVmssAssignmentName')), '2020-09-01', 'full').identity.principalId]", - "principalType": "ServicePrincipal" - }, - "dependsOn": [ - "[resourceId('Microsoft.Authorization/policyAssignments', variables('agentVmssAssignmentName'))]" - ] - }, - { - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2020-04-01-preview", - "name": "[guid(variables('contributorRoleDefinitionId'), variables('agentVmAssignmentName'))]", - "properties": { - "roleDefinitionId": "[variables('contributorRoleDefinitionId')]", - "principalId": "[reference(resourceId('Microsoft.Authorization/policyAssignments', variables('agentVmAssignmentName')), '2020-09-01', 'full').identity.principalId]", - "principalType": "ServicePrincipal" - }, - "dependsOn": [ - "[resourceId('Microsoft.Authorization/policyAssignments', variables('agentVmAssignmentName'))]" - ] - }, - { - "condition": "[parameters('deployRemediation')]", - "type": "Microsoft.PolicyInsights/remediations", - "apiVersion": "2019-07-01", - "name": "VM-Agent-Policy-Remediation", - "properties": { - "policyAssignmentId": "[resourceId('Microsoft.Authorization/policyAssignments', variables('agentVmAssignmentName'))]", - "resourceDiscoveryMode": "ReEvaluateCompliance" - }, - "dependsOn": [ - "[resourceId('Microsoft.Authorization/policyAssignments', variables('agentVmAssignmentName'))]" - ] - }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('Assign-Laws-Role-Policy-{0}', resourceGroup().name)]", - "subscriptionId": "[parameters('operationsSubscriptionId')]", - "resourceGroup": "[parameters('logAnalyticsWorkspaceResourceGroupName')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "storage", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { - "targetResourceId": { - "value": 
"[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))]" + "blobsPrivateDnsZoneResourceId": { + "value": "[parameters('blobsPrivateDnsZoneResourceId')]" }, - "roleDefinitionId": { - "value": "[variables('lawsReaderRoleDefinitionId')]" + "keyVaultUri": { + "value": "[parameters('keyVaultUri')]" }, - "principalId": { - "value": "[reference(resourceId('Microsoft.Authorization/policyAssignments', variables('agentVmAssignmentName')), '2020-09-01', 'full').identity.principalId]" + "location": { + "value": "[parameters('location')]" + }, + "resourcePrefix": { + "value": "[parameters('resourcePrefix')]" + }, + "skuName": { + "value": "[parameters('logStorageSkuName')]" + }, + "storageAccountName": { + "value": "[parameters('logStorageAccountName')]" + }, + "storageEncryptionKeyName": { + "value": "[parameters('storageEncryptionKeyName')]" + }, + "subnetResourceId": { + "value": "[parameters('subnetResourceId')]" + }, + "tablesPrivateDnsZoneResourceId": { + "value": "[parameters('tablesPrivateDnsZoneResourceId')]" + }, + "tags": { + "value": "[parameters('tags')]" + }, + "userAssignedIdentityResourceId": { + "value": "[parameters('userAssignedIdentityResourceId')]" } }, "template": { 
@@ -7021,91 +6956,250 @@ "_generator": { "name": "bicep", "version": "0.24.24.22086", - "templateHash": "8686326864657481429" + "templateHash": "234191582863282012" } }, "parameters": { - "targetResourceId": { + "blobsPrivateDnsZoneResourceId": { "type": "string" }, - "roleDefinitionId": { + "keyVaultUri": { "type": "string" }, - "principalId": { + "location": { "type": "string" }, - "principalType": { - "type": "string", - "defaultValue": "ServicePrincipal", - "allowedValues": [ - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ] + "resourcePrefix": { + "type": "string" }, - "description": { - "type": "string", - "defaultValue": "" + "skuName": { + "type": "string" + }, + "storageAccountName": { + "type": "string" + }, + "storageEncryptionKeyName": { + "type": "string" + }, + "subnetResourceId": { + "type": "string" + }, + "tablesPrivateDnsZoneResourceId": { + "type": "string" + }, + "tags": { + "type": "object" + }, + "userAssignedIdentityResourceId": { + "type": "string" } }, + "variables": { + "zones": [ + "[parameters('blobsPrivateDnsZoneResourceId')]", + "[parameters('tablesPrivateDnsZoneResourceId')]" + ] + }, "resources": [ { - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2020-04-01-preview", - "name": "[guid(parameters('targetResourceId'), parameters('roleDefinitionId'), parameters('principalId'))]", + "type": "Microsoft.Storage/storageAccounts", + "apiVersion": "2023-01-01", + "name": "[parameters('storageAccountName')]", + "location": "[parameters('location')]", + "identity": { + "type": "UserAssigned", + "userAssignedIdentities": { + "[format('{0}', parameters('userAssignedIdentityResourceId'))]": {} + } + }, + "kind": "StorageV2", + "sku": { + "name": "[parameters('skuName')]" + }, + "tags": "[parameters('tags')]", "properties": { - "principalId": "[parameters('principalId')]", - "principalType": "[parameters('principalType')]", - "roleDefinitionId": "[parameters('roleDefinitionId')]", - "description": 
"[parameters('description')]" + "accessTier": "Hot", + "allowBlobPublicAccess": false, + "allowCrossTenantReplication": false, + "allowedCopyScope": "PrivateLink", + "allowSharedKeyAccess": true, + "defaultToOAuthAuthentication": false, + "dnsEndpointType": "Standard", + "encryption": { + "identity": { + "userAssignedIdentity": "[parameters('userAssignedIdentityResourceId')]" + }, + "keySource": "Microsoft.KeyVault", + "keyvaultproperties": { + "keyvaulturi": "[parameters('keyVaultUri')]", + "keyname": "[parameters('storageEncryptionKeyName')]" + }, + "requireInfrastructureEncryption": true, + "services": { + "blob": { + "keyType": "Account", + "enabled": true + }, + "file": { + "keyType": "Account", + "enabled": true + }, + "queue": { + "keyType": "Account", + "enabled": true + }, + "table": { + "keyType": "Account", + "enabled": true + } + } + }, + "minimumTlsVersion": "TLS1_2", + "networkAcls": { + "bypass": "AzureServices", + "virtualNetworkRules": [], + "ipRules": [], + "defaultAction": "Deny" + }, + "publicNetworkAccess": "Disabled", + "supportsHttpsTrafficOnly": true } - } - ] - } - }, - "dependsOn": [ - "[resourceId('Microsoft.Authorization/policyAssignments', variables('agentVmAssignmentName'))]" - ] - } - ] - } - }, - "dependsOn": [ - "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix')))]" - ] - }, - { - "copy": { - "name": "spokePolicyAssignments", - "count": "[length(variables('spokes'))]" + }, + { + "copy": { + "name": "privateEndpoints", + "count": "[length(variables('zones'))]" + }, + "type": "Microsoft.Network/privateEndpoints", + "apiVersion": "2023-04-01", + "name": "[format('{0}-{1}', replace(parameters('storageAccountName'), parameters('resourcePrefix'), format('{0}-pe-', parameters('resourcePrefix'))), split(split(variables('zones')[copyIndex()], 
'/')[8], '.')[1])]", + "location": "[parameters('location')]", + "tags": "[parameters('tags')]", + "properties": { + "customNetworkInterfaceName": "[format('{0}-{1}', replace(parameters('storageAccountName'), parameters('resourcePrefix'), format('{0}-nic-', parameters('resourcePrefix'))), split(split(variables('zones')[copyIndex()], '/')[8], '.')[1])]", + "privateLinkServiceConnections": [ + { + "name": "[format('{0}-{1}', replace(parameters('storageAccountName'), parameters('resourcePrefix'), format('{0}-nic-', parameters('resourcePrefix'))), split(split(variables('zones')[copyIndex()], '/')[8], '.')[1])]", + "properties": { + "privateLinkServiceId": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]", + "groupIds": [ + "[split(split(variables('zones')[copyIndex()], '/')[8], '.')[1]]" + ] + } + } + ], + "subnet": { + "id": "[parameters('subnetResourceId')]" + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]" + ] + }, + { + "copy": { + "name": "privateDnsZoneGroups", + "count": "[length(variables('zones'))]" + }, + "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", + "apiVersion": "2021-08-01", + "name": "[format('{0}/{1}', format('{0}-{1}', replace(parameters('storageAccountName'), parameters('resourcePrefix'), format('{0}-pe-', parameters('resourcePrefix'))), split(split(variables('zones')[copyIndex()], '/')[8], '.')[1]), parameters('storageAccountName'))]", + "properties": { + "privateDnsZoneConfigs": [ + { + "name": "ipconfig1", + "properties": { + "privateDnsZoneId": "[variables('zones')[copyIndex()]]" + } + } + ] + }, + "dependsOn": [ + "[resourceId('Microsoft.Network/privateEndpoints', format('{0}-{1}', replace(parameters('storageAccountName'), parameters('resourcePrefix'), format('{0}-pe-', parameters('resourcePrefix'))), split(split(variables('zones')[copyIndex()], '/')[8], '.')[1]))]" + ] + } + ], + "outputs": { + "id": { + "type": "string", + 
"value": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]" + } + } + } + } + } + ], + "outputs": { + "ResourceId": { + "type": "string", + "value": "[reference(resourceId('Microsoft.Resources/deployments', 'storage'), '2022-09-01').outputs.id.value]" + } + } + } }, - "condition": "[parameters('deployPolicy')]", + "dependsOn": [ + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-cmk-ops-{0}', parameters('deploymentNameSuffix')))]", + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-private-dns-zones-{0}', parameters('deploymentNameSuffix')))]", + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-remote-access-{0}', parameters('deploymentNameSuffix')))]", + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', variables('spokes')[copyIndex()].subscriptionId, variables('spokes')[copyIndex()].resourceGroupName), 'Microsoft.Resources/deployments', format('deploy-vnet-{0}-{1}', variables('spokes')[copyIndex()].name, parameters('deploymentNameSuffix')))]" + ] + }, + { "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", - "name": "[format('assign-policy-{0}-{1}', variables('spokes')[copyIndex()].name, parameters('deploymentNameSuffix'))]", - "subscriptionId": "[variables('spokes')[copyIndex()].subscriptionId]", - "resourceGroup": "[variables('spokes')[copyIndex()].resourceGroupName]", + "name": "[format('deploy-diagnostic-logging-hub-{0}', parameters('deploymentNameSuffix'))]", + "subscriptionId": "[parameters('hubSubscriptionId')]", + "resourceGroup": 
"[variables('hubResourceGroupName')]", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { - "builtInAssignment": { - "value": "[parameters('policy')]" + "firewallDiagnosticsLogs": { + "value": "[parameters('firewallDiagnosticsLogs')]" }, - "logAnalyticsWorkspaceName": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.name.value]" + "firewallDiagnosticsMetrics": { + "value": "[parameters('firewallDiagnosticsMetrics')]" }, - "logAnalyticsWorkspaceResourceGroupName": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.resourceGroupName.value]" + "firewallName": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.firewallName.value]" }, - "operationsSubscriptionId": { - "value": "[parameters('operationsSubscriptionId')]" + "hubStorageAccountResourceId": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-log-storage-hub-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.storageAccountResourceId.value]" }, - "location": { - "value": "[parameters('location')]" + "logAnalyticsWorkspaceResourceId": { + "value": 
"[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.id.value]" + }, + "networkSecurityGroupDiagnosticsLogs": { + "value": "[parameters('hubNetworkSecurityGroupDiagnosticsLogs')]" + }, + "networkSecurityGroupDiagnosticsMetrics": { + "value": "[parameters('hubNetworkSecurityGroupDiagnosticsMetrics')]" + }, + "networkSecurityGroupName": { + "value": "[variables('hubNetworkSecurityGroupName')]" + }, + "publicIPAddressDiagnosticsLogs": { + "value": "[parameters('publicIPAddressDiagnosticsLogs')]" + }, + "publicIPAddressDiagnosticsMetrics": { + "value": "[parameters('publicIPAddressDiagnosticsMetrics')]" + }, + "publicIPAddressNames": { + "value": [ + "[variables('firewallClientPublicIPAddressName')]", + "[variables('firewallManagementPublicIPAddressName')]" + ] + }, + "virtualNetworkDiagnosticsLogs": { + "value": "[parameters('hubVirtualNetworkDiagnosticsLogs')]" + }, + "virtualNetworkDiagnosticsMetrics": { + "value": "[parameters('hubVirtualNetworkDiagnosticsMetrics')]" + }, + "virtualNetworkName": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.virtualNetworkName.value]" } }, "template": { 
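Review bot: The new `Microsoft.Storage/storageAccounts` resource in this hunk sets `"allowSharedKeyAccess": true` and `"defaultToOAuthAuthentication": false`, so the account keys remain a usable bearer credential even though the account is otherwise locked down (CMK, `publicNetworkAccess` Disabled, `defaultAction` Deny, private endpoints only). If the diagnostic-settings path that archives to this log storage account can write with identity-based auth, the lines should become `"allowSharedKeyAccess": false,` and `"defaultToOAuthAuthentication": true,`; if shared-key access is genuinely required by that path, a comment in the source module saying so would save the next reviewer the same question. The `_generator` metadata shows this JSON is bicep-compiled output, so the change belongs in the bicep storage-account module this was built from, not here. The `split(split(variables('zones')[copyIndex()], '/')[8], '.')[1]` expression used for the private-endpoint `groupIds` and names derives the sub-resource from the DNS zone name's second label, which silently produces a wrong group if a zone with a different naming pattern is ever passed in; an explicit allowed-values list or a comment documenting the assumed `privatelink.<group>.` form would make that contract visible.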
@@ -7115,179 +7209,222 @@ "_generator": { "name": "bicep", "version": "0.24.24.22086", - "templateHash": "16693295535307781768" + "templateHash": "5804157384629948286" } }, "parameters": { - "builtInAssignment": { - "type": "string", - "defaultValue": "NISTRev4", - "allowedValues": [ - "NISTRev4", - "NISTRev5", - "IL5", - "CMMC" - ], - "metadata": { - "description": "[NISTRev4/NISTRev5/IL5/CMMC] Built-in policy assignments to assign, default is NISTRev4. IL5 is only available for AzureUsGovernment and will switch to NISTRev4 if tried in AzureCloud." - } + "firewallDiagnosticsLogs": { + "type": "array" }, - "logAnalyticsWorkspaceName": { + "firewallDiagnosticsMetrics": { + "type": "array" + }, + "firewallName": { "type": "string" }, - "logAnalyticsWorkspaceResourceGroupName": { + "hubStorageAccountResourceId": { "type": "string" }, - "operationsSubscriptionId": { + "logAnalyticsWorkspaceResourceId": { "type": "string" }, - "deployRemediation": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Starts a policy remediation for the VM Agent policies in hub RG. Set to false by default since this is time consuming in deployment." 
- } + "networkSecurityGroupDiagnosticsLogs": { + "type": "array" }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "The location of this resource" - } + "networkSecurityGroupDiagnosticsMetrics": { + "type": "array" + }, + "networkSecurityGroupName": { + "type": "string" + }, + "publicIPAddressDiagnosticsLogs": { + "type": "array" + }, + "publicIPAddressDiagnosticsMetrics": { + "type": "array" + }, + "publicIPAddressNames": { + "type": "array" + }, + "virtualNetworkDiagnosticsLogs": { + "type": "array" + }, + "virtualNetworkDiagnosticsMetrics": { + "type": "array" + }, + "virtualNetworkName": { + "type": "string" } }, - "variables": { - "$fxv#0": " {\r\n \"listOfMembersToExcludeFromWindowsVMAdministratorsGroup\": \r\n {\r\n \"value\": \"admin\"\r\n },\r\n \"listOfMembersToIncludeInWindowsVMAdministratorsGroup\": \r\n {\r\n \"value\": \"azureuser\"\r\n },\r\n \"logAnalyticsWorkspaceIdforVMReporting\": \r\n {\r\n \"value\": \"\"\r\n },\r\n \"IncludeArcMachines\": \r\n {\r\n \"value\": \"true\"\r\n },\r\n \"MinimumTLSVersion-5752e6d6-1206-46d8-8ab1-ecc2f71a8112\": \r\n {\r\n \"value\": \"1.2\"\r\n },\r\n \"NotAvailableMachineState-bed48b13-6647-468e-aa2f-1af1d3f4dd40\": \r\n {\r\n \"value\": \"Compliant\"\r\n },\r\n \"requiredRetentionDays\": \r\n {\r\n \"value\": \"365\"\r\n },\r\n \"resourceGroupName-b6e2945c-0b7b-40f5-9233-7a5323b5cdc6\": \r\n {\r\n \"value\": \"NetworkWatcherRG\"\r\n }\r\n }", - "$fxv#1": " {\r\n \"IncludeArcMachines\": \r\n {\r\n \"value\": \"true\"\r\n },\r\n \"MinimumTLSVersion-5752e6d6-1206-46d8-8ab1-ecc2f71a8112\": \r\n {\r\n \"value\": \"1.2\"\r\n },\r\n \"NotAvailableMachineState-bed48b13-6647-468e-aa2f-1af1d3f4dd40\": \r\n {\r\n \"value\": \"Compliant\"\r\n },\r\n \"requiredRetentionDays\": \r\n {\r\n \"value\": \"365\"\r\n },\r\n \"resourceGroupName-b6e2945c-0b7b-40f5-9233-7a5323b5cdc6\": \r\n {\r\n \"value\": \"NetworkWatcherRG\"\r\n }\r\n }", - "$fxv#2": "{\r\n 
\"IncludeArcMachines\" : { \r\n \"value\" : \"false\"\r\n },\r\n \"NotAvailableMachineState-bed48b13-6647-468e-aa2f-1af1d3f4dd40\" : { \r\n \"value\" : \"Compliant\"\r\n },\r\n \"MinimumTLSVersionForWindowsServers\" : { \r\n \"value\" : \"1.2\"\r\n },\r\n \"requiredRetentionDays\" : { \r\n \"value\" : \"365\"\r\n },\r\n \"effect-febd0533-8e55-448f-b837-bd0e06f16469\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"allowedContainerImagesRegex-febd0533-8e55-448f-b837-bd0e06f16469\" : { \r\n \"value\" : \"^(.+){0}$\"\r\n },\r\n \"effect-95edb821-ddaf-4404-9732-666045e056b4\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-440b515e-a580-421e-abeb-b159a61ddcbc\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-233a2a17-77ca-4fb1-9b6b-69223d272a44\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-e345eecc-fa47-480f-9e88-67dcc122b164\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"cpuLimit-e345eecc-fa47-480f-9e88-67dcc122b164\" : { \r\n \"value\" : \"0\"\r\n },\r\n \"memoryLimit-e345eecc-fa47-480f-9e88-67dcc122b164\" : { \r\n \"value\" : \"0\"\r\n },\r\n \"effect-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"runAsUserRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \r\n \"value\" : \"MustRunAsNonRoot\"\r\n },\r\n \"runAsGroupRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \r\n \"value\" : \"RunAsAny\"\r\n },\r\n \"supplementalGroupsRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \r\n \"value\" : \"RunAsAny\"\r\n },\r\n \"fsGroupRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \r\n \"value\" : \"RunAsAny\"\r\n },\r\n \"effect-1c6e92c9-99f0-4e55-9cf2-0c234dc48f99\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-df49d893-a74c-421d-bc95-c663042e5b80\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-c26596ff-4d70-4e6a-9a30-c2506bd2f80c\" : { \r\n \"value\" 
: \"audit\"\r\n },\r\n \"effect-511f5417-5d12-434d-ab2e-816901e72a5e\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-82985f06-dc18-4a48-bc1c-b9f4f0098cfe\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-098fc59e-46c7-4d99-9b16-64990e543d75\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"NetworkWatcherResourceGroupName\" : { \r\n \"value\" : \"NetworkWatcherRG\"\r\n },\r\n \"setting-a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9\" : { \r\n \"value\" : \"enabled\"\r\n },\r\n \"aadAuthenticationInServiceFabricMonitoringEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-71ef260a-8f18-47b7-abcb-62d0673d94dc\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-055aa869-bc98-4af8-bafc-23f1ab6ffe2c\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-564feb30-bf6a-4854-b4bb-0d2d2d1e6c66\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-d9da03a1-f3c3-412a-9709-947156872263\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-617c02be-7f02-4efd-8836-3180d47b6c68\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-ec068d99-e9c7-401f-8cef-5bdde4e6ccf1\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-c349d81b-9985-44ae-a8da-ff98d108ede8\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-3657f5a0-770e-44a3-b44e-9431ba1e9735\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-b4ac1030-89c5-4697-8e00-28b5ba6a8811\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-ea0dfaed-95fb-448c-934e-d6e713ce393d\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-4733ea7b-a883-42fe-8cac-97454c2a9e4a\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-f4b53539-8df9-40e4-86c6-6b607703bd4e\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-41425d9f-d1a5-499a-9932-f8ed8453932c\" : { \r\n \"value\" : 
\"Audit\"\r\n },\r\n \"effect-fc4d8e41-e223-45ea-9bf5-eada37891d87\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-86efb160-8de7-451d-bc08-5d475b0aadae\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-4ec52d6d-beb7-40c4-9a9e-fe753254690e\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-64d314f6-6062-4780-a861-c23e8951bee5\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-1fd32ebd-e4c3-4e13-a54a-d7422d4d95f6\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-fa298e57-9444-42ba-bf04-86e8470e32c7\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-67121cc7-ff39-4ab8-b7e3-95b84dab487d\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-1f905d99-2ab7-462c-a6b0-f709acca6c8f\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-ba769a63-b8cc-4b2d-abf6-ac33c7204be8\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-81e74cea-30fd-40d5-802f-d72103c2aaaa\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-0aa61e00-0a01-4a3c-9945-e93cffedf0e6\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-47031206-ce96-41f8-861b-6a915f3de284\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-87ba29ef-1ab3-4d82-b763-87fcd4f531f7\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-51522a96-0869-4791-82f3-981000c2c67f\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-b5ec538c-daa0-4006-8596-35468b9148e8\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-56a5ee18-2ae6-4810-86f7-18e39ce5629b\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-2e94d99a-8a36-4563-bc77-810d8893b671\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-1fafeaf6-7927-4059-a50a-8eb2a7a6f2b5\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-99e9ccd8-3db9-4592-b0d1-14b1715a4d8a\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-1f68a601-6e6d-4e42-babf-3f643a047ea2\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-f7d52b2d-e161-4dfa-a82b-55e564167385\" : { \r\n \"value\" : \"Audit\"\r\n 
},\r\n \"effect-7d7be79c-23ba-4033-84dd-45e2a5ccdd67\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-ca91455f-eace-4f96-be59-e6e2c35b4816\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-702dd420-7fcc-42c5-afe8-4026edd20fe0\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"diagnosticsLogsInRedisCacheMonitoringEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"secureTransferToStorageAccountMonitoringEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-d0793b48-0edc-4296-a390-4c75d1bdfd71\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-7d092e0a-7acd-40d2-a975-dca21cae48c4\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-2a1a9cdf-e04d-429a-8416-3bfb72a1b26f\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"disableUnrestrictedNetworkToStorageAccountMonitoringEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-55615ac9-af46-4a59-874e-391cc3dfb490\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-1b8ca024-1d5c-4dec-8995-b1a932b41780\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-037eea7a-bd0a-46c5-9a66-03aea78705d3\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-53503636-bcc9-4748-9663-5348217f160f\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-40cec1dd-a100-4920-b15b-3024fe8901ab\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-0725b4dd-7e76-479c-a735-68e7ee23d5ca\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-a049bf77-880b-470f-ba6d-9f21c530cf83\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-ee980b6d-0eca-4501-8d54-f6290fd512c3\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-1d84d5fb-01f6-4d12-ba4f-4a26081d403d\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-37e0d2fe-28a5-43d6-a273-67d37d1f5606\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"identityDesignateMoreThanOneOwnerMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"diskEncryptionMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n 
\"emailNotificationToSubscriptionOwnerHighSeverityAlertsEnabledEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"functionAppDisableRemoteDebuggingMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"sqlDbEncryptionMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"vulnerabilityAssessmentOnManagedInstanceMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"ensurePHPVersionLatestForAPIAppEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"aadAuthenticationInSqlServerMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"vmssEndpointProtectionMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"vmssOsVulnerabilitiesMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"adaptiveApplicationControlsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"geoRedundantBackupShouldBeEnabledForAzureDatabaseForPostgreSQLEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"ensureJavaVersionLatestForWebAppEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"identityDesignateLessThanOwnersMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"securityContactEmailAddressForSubscriptionEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"webAppRestrictCORSAccessMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"identityRemoveExternalAccountWithWritePermissionsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"identityRemoveExternalAccountWithReadPermissionsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"identityRemoveDeprecatedAccountMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"functionAppEnforceHttpsMonitoringEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"ensurePythonVersionLatestForWebAppEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n 
\"ensurePythonVersionLatestForFunctionAppEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"ensurePHPVersionLatestForWebAppEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"ensurePythonVersionLatestForAPIAppEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"geoRedundantBackupShouldBeEnabledForAzureDatabaseForMySQLEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"systemUpdatesMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"ensureJavaVersionLatestForAPIAppEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"ensureHTTPVersionLatestForWebAppEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"apiAppRequireLatestTlsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"identityEnableMFAForWritePermissionsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"ensureHTTPVersionLatestForAPIAppEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"ensureJavaVersionLatestForFunctionAppEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"nextGenerationFirewallMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"useRbacRulesMonitoringEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"webAppEnforceHttpsMonitoringEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"sqlServerAuditingMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"vnetEnableDDoSProtectionMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"identityEnableMFAForOwnerPermissionsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"sqlServerAdvancedDataSecurityMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"sqlManagedInstanceAdvancedDataSecurityMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"endpointProtectionMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"jitNetworkAccessMonitoringEffect\" : { \r\n 
\"value\" : \"AuditIfNotExists\"\r\n },\r\n \"apiAppEnforceHttpsMonitoringEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"geoRedundantStorageShouldBeEnabledForStorageAccountsEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"vmssSystemUpdatesMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"webAppDisableRemoteDebuggingMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"longtermGeoRedundantBackupEnabledAzureSQLDatabasesEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"systemConfigurationsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"ensureHTTPVersionLatestForFunctionAppEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"identityEnableMFAForReadPermissionsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"containerBenchmarkMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"apiAppDisableRemoteDebuggingMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"vulnerabilityAssessmentOnServerMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"webAppRequireLatestTlsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"identityRemoveExternalAccountWithOwnerPermissionsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"functionAppRequireLatestTlsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"kubernetesServiceVersionUpToDateMonitoringEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"sqlDbVulnerabilityAssesmentMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"membersToIncludeInLocalAdministratorsGroup\" : { \r\n \"value\" : \"\"\r\n },\r\n \"membersToExcludeInLocalAdministratorsGroup\" : { \r\n \"value\" : \"\"\r\n },\r\n \"logAnalyticsWorkspaceIDForVMAgents\" : { \r\n 
\"value\" : \"\"\r\n },\r\n \"PHPLatestVersionForAppServices\" : { \r\n \"value\" : \"7.4\"\r\n },\r\n \"JavaLatestVersionForAppServices\" : { \r\n \"value\" : \"11\"\r\n },\r\n \"WindowsPythonLatestVersionForAppServices\" : { \r\n \"value\" : \"3.6\"\r\n },\r\n \"LinuxPythonLatestVersionForAppServices\" : { \r\n \"value\" : \"3.9\"\r\n },\r\n \"ensureDotNetFrameworkLatestForFunctionAppEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"sqlManagedInstanceAdvancedDataSecurityEmailsMonitoringEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"vulnerabilityAssessmentMonitoringEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"ensureDotNetFrameworkLatestForWebAppEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"sqlServerAdvancedDataSecurityEmailsMonitoringEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"microsoftIaaSAntimalwareExtensionShouldBeDeployedOnWindowsServersEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"securityCenterStandardPricingTierShouldBeSelectedEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"theLogAnalyticsAgentShouldBeInstalledOnVirtualMachinesEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"ensurePHPVersionLatestForFunctionAppEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"sqlManagedInstanceAdvancedDataSecurityEmailAdminsMonitoringEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"securityContactPhoneNumberShouldBeProvidedForSubscriptionEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"threatDetectionTypesOnManagedInstanceMonitoringEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"ensureDotNetFrameworkLatestForAPIAppEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"sqlServerAdvancedDataSecurityEmailAdminsMonitoringEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"threatDetectionTypesOnServerMonitoringEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"theLogAnalyticsAgentShouldBeInstalledOnVirtualMachineScaleSetsEffect\" : { \r\n \"value\" : 
\"AuditIfNotExists\"\r\n }\r\n}", - "$fxv#3": "{\r\n \"logAnalyticsWorkspaceId-f47b5582-33ec-4c5c-87c0-b010a6b2e917\" : { \r\n \"value\" : \"\"\r\n },\r\n \"effect-09024ccc-0c5f-475e-9457-b7c0d9ed487b\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"MembersToExclude-69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f\" :{\r\n \"value\": \"\"\r\n },\r\n \"MembersToInclude-30f71ea1-ac77-4f26-9fc5-2d926bbd4ba7\": {\r\n \"value\": \"\"\r\n },\r\n \"effect-0961003e-5a0a-4549-abde-af6a37f2724d\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-0b15565f-aa9e-48ba-8619-45960f2c314d\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-0e60b895-3786-45da-8377-9c6b4b6ac5f9\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-17k78e20-9358-41c9-923c-fb736d382a12\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"PHPLatestVersion\" : { \r\n \"value\" : \"7.3\"\r\n },\r\n \"effect-22bee202-a82f-4305-9a2a-6d7f44d4dedb\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-26a828e1-e88f-464e-bbb3-c134a282b9de\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-34c877ad-507e-4c82-993e-3452a6e0ad3c\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-404c3081-a854-4457-ae30-26a93ef643f9\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-47a6b606-51aa-4496-8bb7-64b11cf66adc\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-496223c3-ad65-4ecd-878a-bae78737e9ed\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"JavaLatestVersion\" : { \r\n \"value\" : \"11\"\r\n },\r\n \"effect-4f11b553-d42e-4e3a-89be-32ca364cad4c\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-5c607a2e-c700-4744-8254-d77e7c9eb5e4\" : { \r\n 
\"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-5f76cf89-fbf2-47fd-a3f4-b891fa780b60\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-6b1cbf55-e8b6-442f-ba4c-7246b6381474\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-7008174a-fd10-4ef0-817e-fc820a951d73\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"LinuxPythonLatestVersion\" : { \r\n \"value\" : \"3.8\"\r\n },\r\n \"effect-7238174a-fd10-4ef0-817e-fc820a951d73\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-7261b898-8a84-4db8-9e04-18527132abb3\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-74c3584d-afae-46f7-a20a-6f8adba71a16\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-86b3d65f-7626-441e-b690-81a8b71cff60\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-88999f4c-376a-45c8-bcb3-4058f713cf39\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-8c122334-9d20-4eb8-89ea-ac9a705b74ae\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-9297c21d-2ed6-4474-b48f-163f75654ce3\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-991310cd-e9f3-47bc-b7b6-f57b557d07db\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-9b597639-28e4-48eb-b506-56b05d366257\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-9daedab3-fb2d-461e-b861-71790eead4f6\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-a4af4a39-4135-47fb-b175-47fbdf85311d\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"setting-a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9\" : { \r\n \"value\" : \"enabled\"\r\n 
},\r\n \"effect-a70ca396-0a34-413a-88e1-b956c1e683be\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-aa633080-8b72-40c4-a2d7-d00c03e80bed\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-af6cd1bd-1635-48cb-bde7-5b15693900b9\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"resourceGroupName-b6e2945c-0b7b-40f5-9233-7a5323b5cdc6\" : { \r\n \"value\" : \"NetworkWatcherRG\"\r\n },\r\n \"effect-b7ddfbdc-1260-477d-91fd-98bd9be789a6\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-c3f317a7-a95c-4547-b7e7-11017ebdf2fe\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-cb510bfd-1cba-4d9f-a230-cb0976f4bb71\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-e2c1c086-2d84-4019-bff3-c44ccd95113c\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-e3576e28-8b17-4677-84c3-db2990658d64\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-e8cbc669-f12d-49eb-93e7-9273119e9933\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-e9c8d085-d9cc-4b17-9cdc-059f1f01f19e\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-ebb62a0c-3560-49e1-89ed-27e074e9f8ad\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-efbde977-ba53-4479-b8e9-10b957924fbf\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-f6de0be7-9a8a-4b8a-b349-43cf02d22f7c\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-f8456c1c-aa66-4dfb-861a-25d127b775c9\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-f9d614c5-c173-4d56-95a7-b4437057d193\" : { \r\n \"value\" : 
\"AuditIfNotExists\"\r\n },\r\n \"effect-fb893a29-21bb-418c-a157-e99480ec364c\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-feedbf84-6b99-488c-acc2-71c829aa5ffc\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-3b980d31-7904-4bb7-8575-5665739a8052\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-6e2593d9-add6-4083-9c9b-4b7d2188c899\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-12430be1-6cc8-4527-a9a8-e3d38f250096\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"modeRequirement-12430be1-6cc8-4527-a9a8-e3d38f250096\" : { \r\n \"value\" : \"Detection\"\r\n },\r\n \"effect-425bea59-a659-4cbb-8d31-34499bd030b8\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"modeRequirement-425bea59-a659-4cbb-8d31-34499bd030b8\" : { \r\n \"value\" : \"Detection\"\r\n },\r\n \"effect-564feb30-bf6a-4854-b4bb-0d2d2d1e6c66\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-055aa869-bc98-4af8-bafc-23f1ab6ffe2c\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-013e242c-8828-4970-87b3-ab247555486d\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-d38fc420-0735-4ef3-ac11-c806f651a570\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-a1181c5f-672a-477a-979a-7d58aa086233\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-308fbb08-4ab8-4e67-9b29-592e93fb94fa\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-4da35fc9-c9e7-4960-aec9-797fe7d9051d\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-523b5cd1-3e23-492f-a539-13118b6d1e3a\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-7fe3b40f-802b-4cdd-8bd4-fd799c948cc2\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-c25d9a16-bc35-4e15-a7e5-9db606bf9ed4\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-b0f33259-77d7-4c9e-aac6-3aabcfae693c\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n 
\"effect-037eea7a-bd0a-46c5-9a66-03aea78705d3\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-0725b4dd-7e76-479c-a735-68e7ee23d5ca\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-0820b7b9-23aa-4725-a1ce-ae4558f718e5\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-2c89a2e5-7285-40fe-afe0-ae8654b92fab\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-358c20a6-3f9e-4f0e-97ff-c6ce485e2aac\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-5744710e-cc2f-4ee8-8809-3b11e89f4bc9\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-ac4a19c2-fa67-49b4-8ae5-0b2e78c49457\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-c9d007d0-c057-4772-b18c-01e546713bcd\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-d0793b48-0edc-4296-a390-4c75d1bdfd71\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-e372f825-a257-4fb8-9175-797a8a8627d6\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-d158790f-bfb0-486c-8631-2dc6b4e8e6af\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-e802a67a-daf5-4436-9ea6-f6d821dd0c5d\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-a451c1ef-c6ca-483d-87ed-f49761e3ffb5\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftSql-servers-firewallRules-delete\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftNetwork-networkSecurityGroups-delete\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftClassicNetwork-networkSecurityGroups-delete\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftNetwork-networkSecurityGroups-securityRules-delete\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftClassicNetwork-networkSecurityGroups-securityRules-delete\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n 
\"effect-ae89ebca-1c92-4898-ac2c-9f63decb045c\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-d26f7642-7545-4e18-9b75-8c9bbdee3a9a\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-1a4e592a-6a6e-44a5-9814-e36264ca96e7\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-7796937f-307b-4598-941c-67d3a05ebfe7\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-c5447c04-a4d7-4ba8-a263-c9ee321a6858\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-41388f1c-2db0-4c25-95b2-35d7f5ccbfa9\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-b02aacc0-b073-424e-8298-42b22829ee0a\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-0ec47710-77ff-4a3d-9181-6aa50af424d0\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-48af4db5-9b8b-401c-8e74-076be876a430\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-82339799-d096-41ae-8538-b108becf0970\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-1b7aa243-30e4-4c9e-bca8-d0d3022b634a\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-bb91dfba-c30d-4263-9add-9c2384e659a6\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-e71308d3-144b-4262-b144-efdc3cc90517\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-2bdd0062-9d75-436e-89df-487dd8e4b3c7\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"effect-4733ea7b-a883-42fe-8cac-97454c2a9e4a\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-67121cc7-ff39-4ab8-b7e3-95b84dab487d\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-6fac406b-40ca-413b-bf8e-0bf964659c25\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-81e74cea-30fd-40d5-802f-d72103c2aaaa\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-c349d81b-9985-44ae-a8da-ff98d108ede8\" : { \r\n 
\"value\" : \"Audit\"\r\n },\r\n \"effect-f4b53539-8df9-40e4-86c6-6b607703bd4e\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-ec068d99-e9c7-401f-8cef-5bdde4e6ccf1\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-048248b0-55cd-46da-b1ff-39efd52db260\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-0d134df8-db83-46fb-ad72-fe0c9428c8dd\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-2c89a2e5-7285-40fe-afe0-ae8654b92fb2\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-3657f5a0-770e-44a3-b44e-9431ba1e9735\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-617c02be-7f02-4efd-8836-3180d47b6c68\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-7d7be79c-23ba-4033-84dd-45e2a5ccdd67\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-87ba29ef-1ab3-4d82-b763-87fcd4f531f7\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-f7d52b2d-e161-4dfa-a82b-55e564167385\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-c43e4a30-77cb-48ab-a4dd-93f175c63b57\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-1f314764-cb73-4fc9-b863-8eca98ac36e9\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-123a3936-f020-408a-ba0c-47873faf1534\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n }\r\n}\r\n", - "modifiedAssignment": "[if(and(equals(toLower(environment().name), toLower('AzureCloud')), equals(toLower(parameters('builtInAssignment')), toLower('IL5'))), 'NISTRev4', parameters('builtInAssignment'))]", - "assignmentName": "[format('{0} {1}', variables('modifiedAssignment'), resourceGroup().name)]", - "agentVmssAssignmentName": "[format('Deploy VMSS Agents {0}', resourceGroup().name)]", - "agentVmAssignmentName": "[format('Deploy VM Agents {0}', 
resourceGroup().name)]", - "contributorRoleDefinitionId": "[resourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "lawsReaderRoleDefinitionId": "[resourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]" - }, "resources": [ { - "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2020-09-01", - "name": "[variables('assignmentName')]", - "location": "[parameters('location')]", - "properties": { - "policyDefinitionId": "[createObject('NISTRev4', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f', 'parameters', json(replace(variables('$fxv#0'), '', extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))))), 'NISTRev5', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f', 'parameters', json(variables('$fxv#1'))), 'IL5', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/f9a961fa-3241-4b20-adc4-bbf8ad9d7197', 'parameters', json(replace(variables('$fxv#2'), '', extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))))), 'CMMC', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/b5629c75-5c77-4422-87b9-2509e680f8de', 'parameters', json(replace(variables('$fxv#3'), '', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName')), 
'2021-06-01').customerId))))[variables('modifiedAssignment')].id]", - "parameters": "[createObject('NISTRev4', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f', 'parameters', json(replace(variables('$fxv#0'), '', extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))))), 'NISTRev5', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f', 'parameters', json(variables('$fxv#1'))), 'IL5', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/f9a961fa-3241-4b20-adc4-bbf8ad9d7197', 'parameters', json(replace(variables('$fxv#2'), '', extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))))), 'CMMC', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/b5629c75-5c77-4422-87b9-2509e680f8de', 'parameters', json(replace(variables('$fxv#3'), '', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName')), '2021-06-01').customerId))))[variables('modifiedAssignment')].parameters]" - }, - "identity": { - "type": "SystemAssigned" - } - }, - { - "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2020-09-01", - "name": "[variables('agentVmssAssignmentName')]", - "location": "[parameters('location')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "networkSecurityGroupDiagnostics", 
"properties": { - "policyDefinitionId": "[tenantResourceId('Microsoft.Authorization/policySetDefinitions', '75714362-cae7-409e-9b99-a8e5075b7fad')]", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", "parameters": { - "logAnalytics_1": { - "value": "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))]" + "logAnalyticsWorkspaceResourceId": { + "value": "[parameters('logAnalyticsWorkspaceResourceId')]" + }, + "logs": { + "value": "[parameters('networkSecurityGroupDiagnosticsLogs')]" + }, + "logStorageAccountResourceId": { + "value": "[parameters('hubStorageAccountResourceId')]" + }, + "metrics": { + "value": "[parameters('networkSecurityGroupDiagnosticsMetrics')]" + }, + "name": { + "value": "[parameters('networkSecurityGroupName')]" } - } - }, - "identity": { - "type": "SystemAssigned" + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.24.24.22086", + "templateHash": "7786315125053139576" + } + }, + "parameters": { + "name": { + "type": "string" + }, + "logAnalyticsWorkspaceResourceId": { + "type": "string" + }, + "logs": { + "type": "array" + }, + "logStorageAccountResourceId": { + "type": "string" + }, + "metrics": { + "type": "array" + } + }, + "resources": [ + { + "type": "Microsoft.Insights/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "scope": "[format('Microsoft.Network/networkSecurityGroups/{0}', parameters('name'))]", + "name": "[format('{0}-diagnostics', parameters('name'))]", + "properties": { + "storageAccountId": "[parameters('logStorageAccountResourceId')]", + "workspaceId": "[parameters('logAnalyticsWorkspaceResourceId')]", + "logs": 
"[parameters('logs')]", + "metrics": "[parameters('metrics')]" + } + } + ] + } } }, { - "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2020-09-01", - "name": "[variables('agentVmAssignmentName')]", - "location": "[parameters('location')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "virtualNetworkDiagnostics", "properties": { - "policyDefinitionId": "[tenantResourceId('Microsoft.Authorization/policySetDefinitions', '55f3eceb-5573-4f18-9695-226972c6d74a')]", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", "parameters": { - "logAnalytics_1": { - "value": "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))]" + "logAnalyticsWorkspaceResourceId": { + "value": "[parameters('logAnalyticsWorkspaceResourceId')]" + }, + "logs": { + "value": "[parameters('virtualNetworkDiagnosticsLogs')]" + }, + "logStorageAccountResourceId": { + "value": "[parameters('hubStorageAccountResourceId')]" + }, + "metrics": { + "value": "[parameters('virtualNetworkDiagnosticsMetrics')]" + }, + "name": { + "value": "[parameters('virtualNetworkName')]" } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.24.24.22086", + "templateHash": "15623637455522175927" + } + }, + "parameters": { + "logAnalyticsWorkspaceResourceId": { + "type": "string" + }, + "logs": { + "type": "array" + }, + "logStorageAccountResourceId": { + "type": "string" + }, + "metrics": { + "type": "array" + }, + "name": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.Insights/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "scope": 
"[format('Microsoft.Network/virtualNetworks/{0}', parameters('name'))]", + "name": "[format('{0}-diagnostics', parameters('name'))]", + "properties": { + "storageAccountId": "[parameters('logStorageAccountResourceId')]", + "workspaceId": "[parameters('logAnalyticsWorkspaceResourceId')]", + "logs": "[parameters('logs')]", + "metrics": "[parameters('metrics')]" + } + } + ] } - }, - "identity": { - "type": "SystemAssigned" } }, { - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2020-04-01-preview", - "name": "[guid(variables('contributorRoleDefinitionId'), variables('assignmentName'))]", - "properties": { - "roleDefinitionId": "[variables('contributorRoleDefinitionId')]", - "principalId": "[if(empty(variables('modifiedAssignment')), '', reference(resourceId('Microsoft.Authorization/policyAssignments', variables('assignmentName')), '2020-09-01', 'full').identity.principalId)]", - "principalType": "ServicePrincipal" - }, - "dependsOn": [ - "[resourceId('Microsoft.Authorization/policyAssignments', variables('assignmentName'))]" - ] - }, - { - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2020-04-01-preview", - "name": "[guid(variables('contributorRoleDefinitionId'), variables('agentVmssAssignmentName'))]", - "properties": { - "roleDefinitionId": "[variables('contributorRoleDefinitionId')]", - "principalId": "[reference(resourceId('Microsoft.Authorization/policyAssignments', variables('agentVmssAssignmentName')), '2020-09-01', 'full').identity.principalId]", - "principalType": "ServicePrincipal" - }, - "dependsOn": [ - "[resourceId('Microsoft.Authorization/policyAssignments', variables('agentVmssAssignmentName'))]" - ] - }, - { - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2020-04-01-preview", - "name": "[guid(variables('contributorRoleDefinitionId'), variables('agentVmAssignmentName'))]", - "properties": { - "roleDefinitionId": "[variables('contributorRoleDefinitionId')]", - "principalId": 
"[reference(resourceId('Microsoft.Authorization/policyAssignments', variables('agentVmAssignmentName')), '2020-09-01', 'full').identity.principalId]", - "principalType": "ServicePrincipal" - }, - "dependsOn": [ - "[resourceId('Microsoft.Authorization/policyAssignments', variables('agentVmAssignmentName'))]" - ] - }, - { - "condition": "[parameters('deployRemediation')]", - "type": "Microsoft.PolicyInsights/remediations", - "apiVersion": "2019-07-01", - "name": "VM-Agent-Policy-Remediation", - "properties": { - "policyAssignmentId": "[resourceId('Microsoft.Authorization/policyAssignments', variables('agentVmAssignmentName'))]", - "resourceDiscoveryMode": "ReEvaluateCompliance" + "copy": { + "name": "publicIpAddressDiagnostics", + "count": "[length(parameters('publicIPAddressNames'))]" }, - "dependsOn": [ - "[resourceId('Microsoft.Authorization/policyAssignments', variables('agentVmAssignmentName'))]" - ] - }, - { "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", - "name": "[format('Assign-Laws-Role-Policy-{0}', resourceGroup().name)]", - "subscriptionId": "[parameters('operationsSubscriptionId')]", - "resourceGroup": "[parameters('logAnalyticsWorkspaceResourceGroupName')]", + "name": "[format('publicIPAddressDiagnostics_{0}', parameters('publicIPAddressNames')[copyIndex()])]", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { - "targetResourceId": { - "value": "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))]" + "hubStorageAccountResourceId": { + "value": "[parameters('hubStorageAccountResourceId')]" }, - "roleDefinitionId": { - "value": "[variables('lawsReaderRoleDefinitionId')]" + "logAnalyticsWorkspaceResourceId": { + "value": "[parameters('logAnalyticsWorkspaceResourceId')]" }, - 
"principalId": { - "value": "[reference(resourceId('Microsoft.Authorization/policyAssignments', variables('agentVmAssignmentName')), '2020-09-01', 'full').identity.principalId]" + "name": { + "value": "[parameters('publicIPAddressNames')[copyIndex()]]" + }, + "publicIPAddressDiagnosticsLogs": { + "value": "[parameters('publicIPAddressDiagnosticsLogs')]" + }, + "publicIPAddressDiagnosticsMetrics": { + "value": "[parameters('publicIPAddressDiagnosticsMetrics')]" } }, "template": { 
@@ -7297,934 +7434,838 @@ "_generator": { "name": "bicep", "version": "0.24.24.22086", - "templateHash": "8686326864657481429" + "templateHash": "8851210835492653728" } }, "parameters": { - "targetResourceId": { + "hubStorageAccountResourceId": { "type": "string" }, - "roleDefinitionId": { + "logAnalyticsWorkspaceResourceId": { "type": "string" }, - "principalId": { + "name": { "type": "string" }, - "principalType": { - "type": "string", - "defaultValue": "ServicePrincipal", - "allowedValues": [ - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ] + "publicIPAddressDiagnosticsLogs": { + "type": "array" }, - "description": { - "type": "string", - "defaultValue": "" + "publicIPAddressDiagnosticsMetrics": { + "type": "array" } }, "resources": [ { - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2020-04-01-preview", - "name": "[guid(parameters('targetResourceId'), parameters('roleDefinitionId'), parameters('principalId'))]", + "type": "Microsoft.Insights/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "scope": "[format('Microsoft.Network/publicIPAddresses/{0}', parameters('name'))]", + "name": "[format('{0}-diagnostics', parameters('name'))]", "properties": { - "principalId": "[parameters('principalId')]", - "principalType": "[parameters('principalType')]", - "roleDefinitionId": "[parameters('roleDefinitionId')]", - "description": "[parameters('description')]" + "storageAccountId": "[parameters('hubStorageAccountResourceId')]", + "workspaceId": "[parameters('logAnalyticsWorkspaceResourceId')]", + "logs": "[parameters('publicIPAddressDiagnosticsLogs')]", + "metrics": "[parameters('publicIPAddressDiagnosticsMetrics')]" } } ] } - }, - "dependsOn": [ - "[resourceId('Microsoft.Authorization/policyAssignments', variables('agentVmAssignmentName'))]" - ] - } - ] - } - }, - "dependsOn": [ - "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), 
variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix')))]" - ] - }, - { - "condition": "[parameters('deployDefender')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('set-hub-sub-defender-{0}', parameters('deploymentNameSuffix'))]", - "subscriptionId": "[parameters('hubSubscriptionId')]", - "location": "[deployment().location]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "logAnalyticsWorkspaceId": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.id.value]" - }, - "emailSecurityContact": { - "value": "[parameters('emailSecurityContact')]" - }, - "defenderSkuTier": { - "value": "[parameters('defenderSkuTier')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "17349871984393503749" - } - }, - "parameters": { - "bundle": { - "type": "array", - "defaultValue": "[if(equals(environment().name, 'AzureCloud'), createArray('Api', 'AppServices', 'Arm', 'CloudPosture', 'Containers', 'CosmosDbs', 'KeyVaults', 'OpenSourceRelationalDatabases', 'SqlServers', 'SqlServerVirtualMachines', 'StorageAccounts', 'VirtualMachines'), if(equals(environment().name, 'AzureUSGovernment'), createArray('Arm', 'Containers', 'OpenSourceRelationalDatabases', 'SqlServers', 'SqlServerVirtualMachines', 'StorageAccounts', 'VirtualMachines'), createArray()))]" - }, - "enableAutoProvisioning": { - "type": "bool", - "defaultValue": true, - 
"metadata": { - "description": "Turn automatic deployment by Defender of the MMA (OMS VM extension) on or off" - } - }, - "logAnalyticsWorkspaceId": { - "type": "string", - "metadata": { - "description": "Specify the ID of your custom Log Analytics workspace to collect Defender data." - } - }, - "emailSecurityContact": { - "type": "string", - "metadata": { - "description": "Email address of the contact, in the form of john@doe.com" - } - }, - "policySetDescription": { - "type": "string", - "defaultValue": "The Microsoft Cloud Security Benchmark initiative represents the policies and controls implementing security recommendations defined in Microsoft Cloud Security Benchmark v2, see https://aka.ms/azsecbm. This also serves as the Microsoft Defender for Cloud default policy initiative. You can directly assign this initiative, or manage its policies and compliance results within Microsoft Defender.", - "metadata": { - "description": "Policy Initiative description field" - } - }, - "defenderSkuTier": { - "type": "string", - "defaultValue": "Standard", - "metadata": { - "description": "[Standard/Free] The SKU for Defender. It defaults to \"Standard\"." 
- } - } - }, - "variables": { - "autoProvisioning": "[if(parameters('enableAutoProvisioning'), 'On', 'Off')]" - }, - "resources": [ - { - "copy": { - "name": "defenderPricing", - "count": "[length(parameters('bundle'))]", - "mode": "serial", - "batchSize": 1 - }, - "type": "Microsoft.Security/pricings", - "apiVersion": "2023-01-01", - "name": "[parameters('bundle')[copyIndex()]]", - "properties": { - "pricingTier": "[parameters('defenderSkuTier')]" - } - }, - { - "type": "Microsoft.Security/autoProvisioningSettings", - "apiVersion": "2019-01-01", - "name": "default", - "properties": { - "autoProvision": "[variables('autoProvisioning')]" - } - }, - { - "type": "Microsoft.Security/workspaceSettings", - "apiVersion": "2019-01-01", - "name": "default", - "properties": { - "workspaceId": "[parameters('logAnalyticsWorkspaceId')]", - "scope": "[subscription().id]" } }, { - "condition": "[not(empty(parameters('emailSecurityContact')))]", - "type": "Microsoft.Security/securityContacts", - "apiVersion": "2020-01-01-preview", - "name": "default", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "firewallDiagnostics", "properties": { - "notificationsByRole": { - "roles": [ - "AccountAdmin", - "Contributor", - "Owner", - "ServiceAdmin" - ], - "state": "On" + "expressionEvaluationOptions": { + "scope": "inner" }, - "alertNotifications": { - "state": "On" + "mode": "Incremental", + "parameters": { + "logAnalyticsWorkspaceResourceId": { + "value": "[parameters('logAnalyticsWorkspaceResourceId')]" + }, + "logs": { + "value": "[parameters('firewallDiagnosticsLogs')]" + }, + "logStorageAccountResourceId": { + "value": "[parameters('hubStorageAccountResourceId')]" + }, + "metrics": { + "value": "[parameters('firewallDiagnosticsMetrics')]" + }, + "name": { + "value": "[parameters('firewallName')]" + } }, - "emails": "[parameters('emailSecurityContact')]" - } - }, - { - "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2022-06-01", 
- "name": "Microsoft Cloud Security Benchmark", - "properties": { - "displayName": "Defender Default", - "description": "[parameters('policySetDescription')]", - "enforcementMode": "DoNotEnforce", - "parameters": {}, - "policyDefinitionId": "[tenantResourceId('Microsoft.Authorization/policySetDefinitions', '1f3afdf9-d0c9-4c3d-847f-89da613e70a8')]" + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.24.24.22086", + "templateHash": "9632306168160596389" + } + }, + "parameters": { + "logAnalyticsWorkspaceResourceId": { + "type": "string" + }, + "logs": { + "type": "array" + }, + "logStorageAccountResourceId": { + "type": "string" + }, + "metrics": { + "type": "array" + }, + "name": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.Insights/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "scope": "[format('Microsoft.Network/azureFirewalls/{0}', parameters('name'))]", + "name": "[format('{0}-diagnostics', parameters('name'))]", + "properties": { + "storageAccountId": "[parameters('logStorageAccountResourceId')]", + "workspaceId": "[parameters('logAnalyticsWorkspaceResourceId')]", + "logs": "[parameters('logs')]", + "metrics": "[parameters('metrics')]" + } + } + ], + "outputs": { + "privateIPAddress": { + "type": "string", + "value": "[reference(resourceId('Microsoft.Network/azureFirewalls', parameters('name')), '2021-02-01').ipConfigurations[0].properties.privateIPAddress]" + } + } + } } } ] } }, "dependsOn": [ + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix')))]", + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), 
variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-log-storage-hub-{0}', parameters('deploymentNameSuffix')))]", "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix')))]" ] }, { "copy": { - "name": "spokeDefender", + "name": "spokeDiagnostics", "count": "[length(variables('spokes'))]" }, - "condition": "[and(parameters('deployDefender'), not(equals(variables('spokes')[copyIndex()].subscriptionId, parameters('hubSubscriptionId'))))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", - "name": "[format('set-{0}-sub-defender', variables('spokes')[copyIndex()].name)]", + "name": "[format('deploy-diagnostic-logging-{0}-{1}', variables('spokes')[copyIndex()].name, parameters('deploymentNameSuffix'))]", "subscriptionId": "[variables('spokes')[copyIndex()].subscriptionId]", - "location": "[deployment().location]", + "resourceGroup": "[variables('spokes')[copyIndex()].resourceGroupName]", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { - "logAnalyticsWorkspaceId": { + "hubStorageAccountResourceId": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', variables('spokes')[copyIndex()].subscriptionId, variables('spokes')[copyIndex()].resourceGroupName), 'Microsoft.Resources/deployments', format('deploy-log-storage-{0}-{1}', variables('spokes')[copyIndex()].name, parameters('deploymentNameSuffix'))), '2022-09-01').outputs.ResourceId.value]" + }, + "logAnalyticsWorkspaceResourceId": { "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', 
parameters('deploymentNameSuffix'))), '2022-09-01').outputs.id.value]" }, - "emailSecurityContact": { - "value": "[parameters('emailSecurityContact')]" + "networkSecurityGroupDiagnosticsLogs": { + "value": "[variables('spokes')[copyIndex()].NetworkSecurityGroupDiagnosticsLogs]" }, - "defenderSkuTier": { - "value": "[parameters('defenderSkuTier')]" + "networkSecurityGroupDiagnosticsMetrics": { + "value": "[variables('spokes')[copyIndex()].NetworkSecurityGroupDiagnosticsMetrics]" + }, + "networkSecurityGroupName": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', variables('spokes')[copyIndex()].subscriptionId, variables('spokes')[copyIndex()].resourceGroupName), 'Microsoft.Resources/deployments', format('deploy-vnet-{0}-{1}', variables('spokes')[copyIndex()].name, parameters('deploymentNameSuffix'))), '2022-09-01').outputs.networkSecurityGroupName.value]" + }, + "virtualNetworkDiagnosticsLogs": { + "value": "[variables('spokes')[copyIndex()].VirtualNetworkDiagnosticsLogs]" + }, + "virtualNetworkDiagnosticsMetrics": { + "value": "[variables('spokes')[copyIndex()].VirtualNetworkDiagnosticsMetrics]" + }, + "virtualNetworkName": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', variables('spokes')[copyIndex()].subscriptionId, variables('spokes')[copyIndex()].resourceGroupName), 'Microsoft.Resources/deployments', format('deploy-vnet-{0}-{1}', variables('spokes')[copyIndex()].name, parameters('deploymentNameSuffix'))), '2022-09-01').outputs.virtualNetworkName.value]" } }, "template": { - "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.24.24.22086", - "templateHash": "17349871984393503749" + "templateHash": "1181334419264940080" } }, "parameters": { 
- "bundle": { - "type": "array", - "defaultValue": "[if(equals(environment().name, 'AzureCloud'), createArray('Api', 'AppServices', 'Arm', 'CloudPosture', 'Containers', 'CosmosDbs', 'KeyVaults', 'OpenSourceRelationalDatabases', 'SqlServers', 'SqlServerVirtualMachines', 'StorageAccounts', 'VirtualMachines'), if(equals(environment().name, 'AzureUSGovernment'), createArray('Arm', 'Containers', 'OpenSourceRelationalDatabases', 'SqlServers', 'SqlServerVirtualMachines', 'StorageAccounts', 'VirtualMachines'), createArray()))]" + "hubStorageAccountResourceId": { + "type": "string" }, - "enableAutoProvisioning": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Turn automatic deployment by Defender of the MMA (OMS VM extension) on or off" - } + "logAnalyticsWorkspaceResourceId": { + "type": "string" }, - "logAnalyticsWorkspaceId": { - "type": "string", - "metadata": { - "description": "Specify the ID of your custom Log Analytics workspace to collect Defender data." - } + "networkSecurityGroupDiagnosticsLogs": { + "type": "array" }, - "emailSecurityContact": { - "type": "string", - "metadata": { - "description": "Email address of the contact, in the form of john@doe.com" - } + "networkSecurityGroupDiagnosticsMetrics": { + "type": "array" }, - "policySetDescription": { - "type": "string", - "defaultValue": "The Microsoft Cloud Security Benchmark initiative represents the policies and controls implementing security recommendations defined in Microsoft Cloud Security Benchmark v2, see https://aka.ms/azsecbm. This also serves as the Microsoft Defender for Cloud default policy initiative. 
You can directly assign this initiative, or manage its policies and compliance results within Microsoft Defender.", - "metadata": { - "description": "Policy Initiative description field" - } + "networkSecurityGroupName": { + "type": "string" }, - "defenderSkuTier": { - "type": "string", - "defaultValue": "Standard", - "metadata": { - "description": "[Standard/Free] The SKU for Defender. It defaults to \"Standard\"." - } + "virtualNetworkDiagnosticsLogs": { + "type": "array" + }, + "virtualNetworkDiagnosticsMetrics": { + "type": "array" + }, + "virtualNetworkName": { + "type": "string" } }, - "variables": { - "autoProvisioning": "[if(parameters('enableAutoProvisioning'), 'On', 'Off')]" - }, "resources": [ { - "copy": { - "name": "defenderPricing", - "count": "[length(parameters('bundle'))]", - "mode": "serial", - "batchSize": 1 - }, - "type": "Microsoft.Security/pricings", - "apiVersion": "2023-01-01", - "name": "[parameters('bundle')[copyIndex()]]", - "properties": { - "pricingTier": "[parameters('defenderSkuTier')]" - } - }, - { - "type": "Microsoft.Security/autoProvisioningSettings", - "apiVersion": "2019-01-01", - "name": "default", - "properties": { - "autoProvision": "[variables('autoProvisioning')]" - } - }, - { - "type": "Microsoft.Security/workspaceSettings", - "apiVersion": "2019-01-01", - "name": "default", - "properties": { - "workspaceId": "[parameters('logAnalyticsWorkspaceId')]", - "scope": "[subscription().id]" - } - }, - { - "condition": "[not(empty(parameters('emailSecurityContact')))]", - "type": "Microsoft.Security/securityContacts", - "apiVersion": "2020-01-01-preview", - "name": "default", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "networkSecurityGroupDiagnostics", "properties": { - "notificationsByRole": { - "roles": [ - "AccountAdmin", - "Contributor", - "Owner", - "ServiceAdmin" - ], - "state": "On" + "expressionEvaluationOptions": { + "scope": "inner" }, - "alertNotifications": { - "state": "On" + 
"mode": "Incremental", + "parameters": { + "logAnalyticsWorkspaceResourceId": { + "value": "[parameters('logAnalyticsWorkspaceResourceId')]" + }, + "logs": { + "value": "[parameters('networkSecurityGroupDiagnosticsLogs')]" + }, + "logStorageAccountResourceId": { + "value": "[parameters('hubStorageAccountResourceId')]" + }, + "metrics": { + "value": "[parameters('networkSecurityGroupDiagnosticsMetrics')]" + }, + "name": { + "value": "[parameters('networkSecurityGroupName')]" + } }, - "emails": "[parameters('emailSecurityContact')]" + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.24.24.22086", + "templateHash": "7786315125053139576" + } + }, + "parameters": { + "name": { + "type": "string" + }, + "logAnalyticsWorkspaceResourceId": { + "type": "string" + }, + "logs": { + "type": "array" + }, + "logStorageAccountResourceId": { + "type": "string" + }, + "metrics": { + "type": "array" + } + }, + "resources": [ + { + "type": "Microsoft.Insights/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "scope": "[format('Microsoft.Network/networkSecurityGroups/{0}', parameters('name'))]", + "name": "[format('{0}-diagnostics', parameters('name'))]", + "properties": { + "storageAccountId": "[parameters('logStorageAccountResourceId')]", + "workspaceId": "[parameters('logAnalyticsWorkspaceResourceId')]", + "logs": "[parameters('logs')]", + "metrics": "[parameters('metrics')]" + } + } + ] + } } }, { - "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2022-06-01", - "name": "Microsoft Cloud Security Benchmark", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "virtualNetworkDiagnostics", "properties": { - "displayName": "Defender Default", - "description": "[parameters('policySetDescription')]", - "enforcementMode": "DoNotEnforce", - "parameters": {}, - 
"policyDefinitionId": "[tenantResourceId('Microsoft.Authorization/policySetDefinitions', '1f3afdf9-d0c9-4c3d-847f-89da613e70a8')]" + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "logAnalyticsWorkspaceResourceId": { + "value": "[parameters('logAnalyticsWorkspaceResourceId')]" + }, + "logs": { + "value": "[parameters('virtualNetworkDiagnosticsLogs')]" + }, + "logStorageAccountResourceId": { + "value": "[parameters('hubStorageAccountResourceId')]" + }, + "metrics": { + "value": "[parameters('virtualNetworkDiagnosticsMetrics')]" + }, + "name": { + "value": "[parameters('virtualNetworkName')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.24.24.22086", + "templateHash": "15623637455522175927" + } + }, + "parameters": { + "logAnalyticsWorkspaceResourceId": { + "type": "string" + }, + "logs": { + "type": "array" + }, + "logStorageAccountResourceId": { + "type": "string" + }, + "metrics": { + "type": "array" + }, + "name": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.Insights/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "scope": "[format('Microsoft.Network/virtualNetworks/{0}', parameters('name'))]", + "name": "[format('{0}-diagnostics', parameters('name'))]", + "properties": { + "storageAccountId": "[parameters('logStorageAccountResourceId')]", + "workspaceId": "[parameters('logAnalyticsWorkspaceResourceId')]", + "logs": "[parameters('logs')]", + "metrics": "[parameters('metrics')]" + } + } + ] + } } } ] } }, "dependsOn": [ - "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix')))]" + 
"[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix')))]", + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', variables('spokes')[copyIndex()].subscriptionId, variables('spokes')[copyIndex()].resourceGroupName), 'Microsoft.Resources/deployments', format('deploy-vnet-{0}-{1}', variables('spokes')[copyIndex()].name, parameters('deploymentNameSuffix')))]", + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', variables('spokes')[copyIndex()].subscriptionId, variables('spokes')[copyIndex()].resourceGroupName), 'Microsoft.Resources/deployments', format('deploy-vnet-{0}-{1}', variables('spokes')[copyIndex()].name, parameters('deploymentNameSuffix')))]", + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', variables('spokes')[copyIndex()].subscriptionId, variables('spokes')[copyIndex()].resourceGroupName), 'Microsoft.Resources/deployments', format('deploy-log-storage-{0}-{1}', variables('spokes')[copyIndex()].name, parameters('deploymentNameSuffix')))]" ] }, { - "condition": "[parameters('deployRemoteAccess')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", - "name": "[format('deploy-remote-access-{0}', parameters('deploymentNameSuffix'))]", + "name": "[format('activity-logs-hub-{0}', parameters('deploymentNameSuffix'))]", "subscriptionId": "[parameters('hubSubscriptionId')]", - "resourceGroup": "[variables('hubResourceGroupName')]", + "location": "[deployment().location]", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { - "bastionHostIPConfigurationName": { - "value": "[variables('bastionHostIPConfigurationName')]" - }, - "bastionHostName": { - "value": "[variables('bastionHostName')]" + "diagnosticSettingName": { + "value": 
"[format('log-hub-sub-activity-to-{0}', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.name.value)]" }, - "bastionHostPublicIPAddressAllocationMethod": { - "value": "[variables('bastionHostPublicIPAddressAllocationMethod')]" + "logAnalyticsWorkspaceId": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.id.value]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.24.24.22086", + "templateHash": "3850477028148266020" + } }, - "bastionHostPublicIPAddressAvailabilityZones": { - "value": "[parameters('bastionHostPublicIPAddressAvailabilityZones')]" + "parameters": { + "diagnosticSettingName": { + "type": "string" + }, + "logAnalyticsWorkspaceId": { + "type": "string" + }, + "supportedClouds": { + "type": "array", + "defaultValue": [ + "AzureCloud", + "AzureUSGovernment" + ] + } }, - "bastionHostPublicIPAddressName": { - "value": "[variables('bastionHostPublicIPAddressName')]" - }, - "bastionHostPublicIPAddressSkuName": { - "value": "[variables('bastionHostPublicIPAddressSkuName')]" - }, - "bastionHostSubnetResourceId": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix'))), 
'2022-09-01').outputs.bastionHostSubnetResourceId.value]" - }, - "hubNetworkSecurityGroupResourceId": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.networkSecurityGroupResourceId.value]" - }, - "hubSubnetResourceId": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.subnetResourceId.value]" - }, - "linuxNetworkInterfaceIpConfigurationName": { - "value": "[variables('linuxNetworkInterfaceIpConfigurationName')]" - }, - "linuxNetworkInterfaceName": { - "value": "[variables('linuxNetworkInterfaceName')]" - }, - "linuxNetworkInterfacePrivateIPAddressAllocationMethod": { - "value": "[parameters('linuxNetworkInterfacePrivateIPAddressAllocationMethod')]" - }, - "linuxVmAdminPasswordOrKey": { - "value": "[parameters('linuxVmAdminPasswordOrKey')]" - }, - "linuxVmAdminUsername": { - "value": "[parameters('linuxVmAdminUsername')]" - }, - "linuxVmAuthenticationType": { - "value": "[parameters('linuxVmAuthenticationType')]" - }, - "linuxVmImageOffer": { - "value": "[parameters('linuxVmImageOffer')]" - }, - "linuxVmImagePublisher": { - "value": "[parameters('linuxVmImagePublisher')]" - }, - "linuxVmImageSku": { - "value": "[parameters('linuxVmImageSku')]" - }, - "linuxVmImageVersion": { - "value": "[parameters('linuxVmImageVersion')]" - }, - "linuxVmName": { - "value": "[variables('linuxVmName')]" - }, - "linuxVmOsDiskCreateOption": { - "value": "[parameters('linuxVmOsDiskCreateOption')]" - }, - "linuxVmOsDiskType": { - "value": "[parameters('linuxVmOsDiskType')]" - }, - "linuxVmSize": { - "value": 
"[parameters('linuxVmSize')]" - }, - "location": { - "value": "[parameters('location')]" + "resources": [ + { + "condition": "[contains(parameters('supportedClouds'), environment().name)]", + "type": "Microsoft.Insights/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[parameters('diagnosticSettingName')]", + "properties": { + "workspaceId": "[parameters('logAnalyticsWorkspaceId')]", + "logs": [ + { + "category": "Administrative", + "enabled": true + }, + { + "category": "Security", + "enabled": true + }, + { + "category": "ServiceHealth", + "enabled": true + }, + { + "category": "Alert", + "enabled": true + }, + { + "category": "Recommendation", + "enabled": true + }, + { + "category": "Policy", + "enabled": true + }, + { + "category": "Autoscale", + "enabled": true + }, + { + "category": "ResourceHealth", + "enabled": true + } + ] + } + } + ] + } + }, + "dependsOn": [ + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix')))]", + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix')))]" + ] + }, + { + "copy": { + "name": "spokeSubscriptionActivityLogging", + "count": "[length(variables('spokes'))]" + }, + "condition": "[not(equals(variables('spokes')[copyIndex()].subscriptionId, parameters('hubSubscriptionId')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('activity-logs-{0}-{1}', variables('spokes')[copyIndex()].name, parameters('deploymentNameSuffix'))]", + "subscriptionId": "[variables('spokes')[copyIndex()].subscriptionId]", + "location": "[deployment().location]", + "properties": { + "expressionEvaluationOptions": 
{ + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "diagnosticSettingName": { + "value": "[format('log-{0}-sub-activity-to-{1}', variables('spokes')[copyIndex()].name, reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.name.value)]" }, "logAnalyticsWorkspaceId": { "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.id.value]" - }, - "tags": { - "value": "[parameters('tags')]" - }, - "windowsNetworkInterfaceIpConfigurationName": { - "value": "[variables('windowsNetworkInterfaceIpConfigurationName')]" - }, - "windowsNetworkInterfaceName": { - "value": "[variables('windowsNetworkInterfaceName')]" - }, - "windowsNetworkInterfacePrivateIPAddressAllocationMethod": { - "value": "[parameters('windowsNetworkInterfacePrivateIPAddressAllocationMethod')]" - }, - "windowsVmAdminPassword": { - "value": "[parameters('windowsVmAdminPassword')]" - }, - "windowsVmAdminUsername": { - "value": "[parameters('windowsVmAdminUsername')]" - }, - "windowsVmCreateOption": { - "value": "[parameters('windowsVmCreateOption')]" - }, - "windowsVmName": { - "value": "[variables('windowsVmName')]" - }, - "windowsVmOffer": { - "value": "[parameters('windowsVmOffer')]" - }, - "windowsVmPublisher": { - "value": "[parameters('windowsVmPublisher')]" - }, - "windowsVmSize": { - "value": "[parameters('windowsVmSize')]" - }, - "windowsVmSku": { - "value": "[parameters('windowsVmSku')]" - }, - "windowsVmStorageAccountType": { - "value": "[parameters('windowsVmStorageAccountType')]" - }, - "windowsVmVersion": { - "value": 
"[parameters('windowsVmVersion')]" - }, - "diskEncryptionSetResourceId": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-cmk-ops-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.diskEncryptionSetResourceId.value]" - }, - "hybridUseBenefit": { - "value": "[parameters('hybridUseBenefit')]" - }, - "linuxDiskName": { - "value": "[variables('linuxDiskName')]" - }, - "windowsDiskName": { - "value": "[variables('windowsDiskName')]" } }, "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.24.24.22086", - "templateHash": "5778706831016165290" + "templateHash": "3850477028148266020" } }, "parameters": { - "bastionHostIPConfigurationName": { - "type": "string" - }, - "bastionHostName": { - "type": "string" - }, - "bastionHostPublicIPAddressAllocationMethod": { - "type": "string" - }, - "bastionHostPublicIPAddressAvailabilityZones": { - "type": "array" - }, - "bastionHostPublicIPAddressName": { - "type": "string" - }, - "bastionHostPublicIPAddressSkuName": { - "type": "string" - }, - "bastionHostSubnetResourceId": { - "type": "string" - }, - "diskEncryptionSetResourceId": { - "type": "string" - }, - "hubNetworkSecurityGroupResourceId": { - "type": "string" - }, - "hubSubnetResourceId": { - "type": "string" - }, - "hybridUseBenefit": { - "type": "bool" - }, - "linuxDiskName": { - "type": "string" - }, - "linuxNetworkInterfaceIpConfigurationName": { - "type": "string" - }, - "linuxNetworkInterfaceName": { - "type": "string" - }, - "linuxNetworkInterfacePrivateIPAddressAllocationMethod": { + "diagnosticSettingName": { "type": "string" }, 
- "linuxVmAdminPasswordOrKey": { - "type": "securestring", - "minLength": 12 - }, - "linuxVmAdminUsername": { + "logAnalyticsWorkspaceId": { "type": "string" }, - "linuxVmAuthenticationType": { - "type": "string", - "allowedValues": [ - "sshPublicKey", - "password" + "supportedClouds": { + "type": "array", + "defaultValue": [ + "AzureCloud", + "AzureUSGovernment" ] - }, - "linuxVmImageOffer": { - "type": "string" - }, - "linuxVmImagePublisher": { - "type": "string" - }, - "linuxVmImageSku": { - "type": "string" - }, - "linuxVmImageVersion": { - "type": "string" - }, - "linuxVmName": { - "type": "string" - }, - "linuxVmOsDiskCreateOption": { - "type": "string" - }, - "linuxVmOsDiskType": { - "type": "string" - }, - "linuxVmSize": { - "type": "string" - }, - "location": { - "type": "string" - }, - "logAnalyticsWorkspaceId": { - "type": "string" - }, - "tags": { - "type": "object" - }, - "windowsDiskName": { - "type": "string" - }, - "windowsNetworkInterfaceIpConfigurationName": { - "type": "string" - }, - "windowsNetworkInterfaceName": { - "type": "string" - }, - "windowsNetworkInterfacePrivateIPAddressAllocationMethod": { - "type": "string" - }, - "windowsVmAdminPassword": { - "type": "securestring", - "minLength": 12 - }, - "windowsVmAdminUsername": { - "type": "string" - }, - "windowsVmCreateOption": { - "type": "string" - }, - "windowsVmName": { - "type": "string" - }, - "windowsVmOffer": { - "type": "string" - }, - "windowsVmPublisher": { - "type": "string" - }, - "windowsVmSize": { - "type": "string" - }, - "windowsVmSku": { - "type": "string" - }, - "windowsVmStorageAccountType": { - "type": "string" - }, - "windowsVmVersion": { - "type": "string" } }, "resources": [ { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "remoteAccess-bastionHost", + "condition": "[contains(parameters('supportedClouds'), environment().name)]", + "type": "Microsoft.Insights/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": 
"[parameters('diagnosticSettingName')]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "bastionHostSubnetResourceId": { - "value": "[parameters('bastionHostSubnetResourceId')]" - }, - "ipConfigurationName": { - "value": "[parameters('bastionHostIPConfigurationName')]" + "workspaceId": "[parameters('logAnalyticsWorkspaceId')]", + "logs": [ + { + "category": "Administrative", + "enabled": true }, - "location": { - "value": "[parameters('location')]" + { + "category": "Security", + "enabled": true }, - "name": { - "value": "[parameters('bastionHostName')]" + { + "category": "ServiceHealth", + "enabled": true }, - "publicIPAddressAllocationMethod": { - "value": "[parameters('bastionHostPublicIPAddressAllocationMethod')]" + { + "category": "Alert", + "enabled": true }, - "publicIPAddressAvailabilityZones": { - "value": "[parameters('bastionHostPublicIPAddressAvailabilityZones')]" + { + "category": "Recommendation", + "enabled": true }, - "publicIPAddressName": { - "value": "[parameters('bastionHostPublicIPAddressName')]" + { + "category": "Policy", + "enabled": true }, - "publicIPAddressSkuName": { - "value": "[parameters('bastionHostPublicIPAddressSkuName')]" + { + "category": "Autoscale", + "enabled": true }, - "tags": { - "value": "[parameters('tags')]" + { + "category": "ResourceHealth", + "enabled": true } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "11993026043185066546" - } - }, - "parameters": { - "bastionHostSubnetResourceId": { - "type": "string" - }, - "ipConfigurationName": { - "type": "string" - }, - "location": { - "type": "string" - }, - "name": { - "type": "string" - }, - "publicIPAddressAllocationMethod": { - "type": "string" - }, - "publicIPAddressAvailabilityZones": { - "type": 
"array" - }, - "publicIPAddressName": { - "type": "string" - }, - "publicIPAddressSkuName": { - "type": "string" - }, - "tags": { - "type": "object" - } - }, - "resources": [ - { - "type": "Microsoft.Network/publicIPAddresses", - "apiVersion": "2021-02-01", - "name": "[parameters('publicIPAddressName')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "sku": { - "name": "[parameters('publicIPAddressSkuName')]" - }, - "properties": { - "publicIPAllocationMethod": "[parameters('publicIPAddressAllocationMethod')]" - }, - "zones": "[parameters('publicIPAddressAvailabilityZones')]" - }, - { - "type": "Microsoft.Network/bastionHosts", - "apiVersion": "2021-02-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "ipConfigurations": [ - { - "name": "[parameters('ipConfigurationName')]", - "properties": { - "subnet": { - "id": "[parameters('bastionHostSubnetResourceId')]" - }, - "publicIPAddress": { - "id": "[resourceId('Microsoft.Network/publicIPAddresses', parameters('publicIPAddressName'))]" - } - } - } - ] - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/publicIPAddresses', parameters('publicIPAddressName'))]" - ] - } - ] - } + ] } + } + ] + } + }, + "dependsOn": [ + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix')))]", + "spokeNetworks" + ] + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('deploy-diagnostic-logging-{0}', parameters('deploymentNameSuffix'))]", + "subscriptionId": "[parameters('operationsSubscriptionId')]", + "resourceGroup": "[variables('operationsResourceGroupName')]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": 
{ + "diagnosticStorageAccountName": { + "value": "[variables('operationsLogStorageAccountName')]" + }, + "logAnalyticsWorkspaceName": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.name.value]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.24.24.22086", + "templateHash": "6866155279282592403" + } + }, + "parameters": { + "diagnosticStorageAccountName": { + "type": "string" }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "remoteAccess-linuxNetworkInterface", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "ipConfigurationName": { - "value": "[parameters('linuxNetworkInterfaceIpConfigurationName')]" - }, - "location": { - "value": "[parameters('location')]" - }, - "name": { - "value": "[parameters('linuxNetworkInterfaceName')]" - }, - "networkSecurityGroupId": { - "value": "[parameters('hubNetworkSecurityGroupResourceId')]" - }, - "privateIPAddressAllocationMethod": { - "value": "[parameters('linuxNetworkInterfacePrivateIPAddressAllocationMethod')]" - }, - "subnetId": { - "value": "[parameters('hubSubnetResourceId')]" - }, - "tags": { - "value": "[parameters('tags')]" + "logAnalyticsWorkspaceName": { + "type": "string" + }, + "supportedClouds": { + "type": "array", + "defaultValue": [ + "AzureCloud", + "AzureUSGovernment" + ] + } + }, + "resources": [ + { + "condition": "[contains(parameters('supportedClouds'), environment().name)]", + "type": "Microsoft.Insights/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "scope": 
"[format('Microsoft.OperationalInsights/workspaces/{0}', parameters('logAnalyticsWorkspaceName'))]", + "name": "enable-log-analytics-diagnostics", + "properties": { + "workspaceId": "[resourceId('Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))]", + "storageAccountId": "[resourceId('Microsoft.Storage/storageAccounts', parameters('diagnosticStorageAccountName'))]", + "logs": [ + { + "category": "Audit", + "enabled": true } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "16624262267285514706" - } - }, - "parameters": { - "name": { - "type": "string" - }, - "location": { - "type": "string" - }, - "tags": { - "type": "object", - "defaultValue": {} - }, - "ipConfigurationName": { - "type": "string" - }, - "subnetId": { - "type": "string" - }, - "networkSecurityGroupId": { - "type": "string" - }, - "privateIPAddressAllocationMethod": { - "type": "string" - } - }, - "resources": [ - { - "type": "Microsoft.Network/networkInterfaces", - "apiVersion": "2021-02-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "ipConfigurations": [ - { - "name": "[parameters('ipConfigurationName')]", - "properties": { - "subnet": { - "id": "[parameters('subnetId')]" - }, - "privateIPAllocationMethod": "[parameters('privateIPAddressAllocationMethod')]" - } - } - ], - "networkSecurityGroup": { - "id": "[parameters('networkSecurityGroupId')]" - } - } - } - ], - "outputs": { - "id": { - "type": "string", - "value": "[resourceId('Microsoft.Network/networkInterfaces', parameters('name'))]" - }, - "name": { - "type": "string", - "value": "[parameters('name')]" - } + ], + "metrics": [ + { + "category": "AllMetrics", + "enabled": true } - } + ] + } + } + ] + } + }, + "dependsOn": [ + 
"[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix')))]", + "spokeStorage" + ] + }, + { + "condition": "[parameters('deployPolicy')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('assign-policy-hub-{0}', parameters('deploymentNameSuffix'))]", + "subscriptionId": "[parameters('hubSubscriptionId')]", + "resourceGroup": "[variables('hubResourceGroupName')]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "builtInAssignment": { + "value": "[parameters('policy')]" + }, + "logAnalyticsWorkspaceName": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.name.value]" + }, + "logAnalyticsWorkspaceResourceGroupName": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.resourceGroupName.value]" + }, + "operationsSubscriptionId": { + "value": "[parameters('operationsSubscriptionId')]" + }, + "location": { + "value": "[parameters('location')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.24.24.22086", + "templateHash": "16693295535307781768" + } + }, + "parameters": { + "builtInAssignment": { + "type": 
"string", + "defaultValue": "NISTRev4", + "allowedValues": [ + "NISTRev4", + "NISTRev5", + "IL5", + "CMMC" + ], + "metadata": { + "description": "[NISTRev4/NISTRev5/IL5/CMMC] Built-in policy assignments to assign, default is NISTRev4. IL5 is only available for AzureUsGovernment and will switch to NISTRev4 if tried in AzureCloud." + } + }, + "logAnalyticsWorkspaceName": { + "type": "string" + }, + "logAnalyticsWorkspaceResourceGroupName": { + "type": "string" + }, + "operationsSubscriptionId": { + "type": "string" + }, + "deployRemediation": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Starts a policy remediation for the VM Agent policies in hub RG. Set to false by default since this is time consuming in deployment." } }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The location of this resource" + } + } + }, + "variables": { + "$fxv#0": " {\r\n \"listOfMembersToExcludeFromWindowsVMAdministratorsGroup\": \r\n {\r\n \"value\": \"admin\"\r\n },\r\n \"listOfMembersToIncludeInWindowsVMAdministratorsGroup\": \r\n {\r\n \"value\": \"azureuser\"\r\n },\r\n \"logAnalyticsWorkspaceIdforVMReporting\": \r\n {\r\n \"value\": \"\"\r\n },\r\n \"IncludeArcMachines\": \r\n {\r\n \"value\": \"true\"\r\n },\r\n \"MinimumTLSVersion-5752e6d6-1206-46d8-8ab1-ecc2f71a8112\": \r\n {\r\n \"value\": \"1.2\"\r\n },\r\n \"NotAvailableMachineState-bed48b13-6647-468e-aa2f-1af1d3f4dd40\": \r\n {\r\n \"value\": \"Compliant\"\r\n },\r\n \"requiredRetentionDays\": \r\n {\r\n \"value\": \"365\"\r\n },\r\n \"resourceGroupName-b6e2945c-0b7b-40f5-9233-7a5323b5cdc6\": \r\n {\r\n \"value\": \"NetworkWatcherRG\"\r\n }\r\n }", + "$fxv#1": " {\r\n \"IncludeArcMachines\": \r\n {\r\n \"value\": \"true\"\r\n },\r\n \"MinimumTLSVersion-5752e6d6-1206-46d8-8ab1-ecc2f71a8112\": \r\n {\r\n \"value\": \"1.2\"\r\n },\r\n \"NotAvailableMachineState-bed48b13-6647-468e-aa2f-1af1d3f4dd40\": \r\n {\r\n \"value\": 
\"Compliant\"\r\n },\r\n \"requiredRetentionDays\": \r\n {\r\n \"value\": \"365\"\r\n },\r\n \"resourceGroupName-b6e2945c-0b7b-40f5-9233-7a5323b5cdc6\": \r\n {\r\n \"value\": \"NetworkWatcherRG\"\r\n }\r\n }", + "$fxv#2": "{\r\n \"IncludeArcMachines\" : { \r\n \"value\" : \"false\"\r\n },\r\n \"NotAvailableMachineState-bed48b13-6647-468e-aa2f-1af1d3f4dd40\" : { \r\n \"value\" : \"Compliant\"\r\n },\r\n \"MinimumTLSVersionForWindowsServers\" : { \r\n \"value\" : \"1.2\"\r\n },\r\n \"requiredRetentionDays\" : { \r\n \"value\" : \"365\"\r\n },\r\n \"effect-febd0533-8e55-448f-b837-bd0e06f16469\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"allowedContainerImagesRegex-febd0533-8e55-448f-b837-bd0e06f16469\" : { \r\n \"value\" : \"^(.+){0}$\"\r\n },\r\n \"effect-95edb821-ddaf-4404-9732-666045e056b4\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-440b515e-a580-421e-abeb-b159a61ddcbc\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-233a2a17-77ca-4fb1-9b6b-69223d272a44\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-e345eecc-fa47-480f-9e88-67dcc122b164\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"cpuLimit-e345eecc-fa47-480f-9e88-67dcc122b164\" : { \r\n \"value\" : \"0\"\r\n },\r\n \"memoryLimit-e345eecc-fa47-480f-9e88-67dcc122b164\" : { \r\n \"value\" : \"0\"\r\n },\r\n \"effect-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"runAsUserRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \r\n \"value\" : \"MustRunAsNonRoot\"\r\n },\r\n \"runAsGroupRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \r\n \"value\" : \"RunAsAny\"\r\n },\r\n \"supplementalGroupsRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \r\n \"value\" : \"RunAsAny\"\r\n },\r\n \"fsGroupRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \r\n \"value\" : \"RunAsAny\"\r\n },\r\n \"effect-1c6e92c9-99f0-4e55-9cf2-0c234dc48f99\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8\" : { \r\n \"value\" : \"audit\"\r\n },\r\n 
\"effect-df49d893-a74c-421d-bc95-c663042e5b80\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-c26596ff-4d70-4e6a-9a30-c2506bd2f80c\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-511f5417-5d12-434d-ab2e-816901e72a5e\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-82985f06-dc18-4a48-bc1c-b9f4f0098cfe\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-098fc59e-46c7-4d99-9b16-64990e543d75\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"NetworkWatcherResourceGroupName\" : { \r\n \"value\" : \"NetworkWatcherRG\"\r\n },\r\n \"setting-a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9\" : { \r\n \"value\" : \"enabled\"\r\n },\r\n \"aadAuthenticationInServiceFabricMonitoringEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-71ef260a-8f18-47b7-abcb-62d0673d94dc\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-055aa869-bc98-4af8-bafc-23f1ab6ffe2c\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-564feb30-bf6a-4854-b4bb-0d2d2d1e6c66\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-d9da03a1-f3c3-412a-9709-947156872263\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-617c02be-7f02-4efd-8836-3180d47b6c68\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-ec068d99-e9c7-401f-8cef-5bdde4e6ccf1\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-c349d81b-9985-44ae-a8da-ff98d108ede8\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-3657f5a0-770e-44a3-b44e-9431ba1e9735\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-b4ac1030-89c5-4697-8e00-28b5ba6a8811\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-ea0dfaed-95fb-448c-934e-d6e713ce393d\" : { \r\n \"value\" : \"audit\"\r\n },\r\n 
\"effect-4733ea7b-a883-42fe-8cac-97454c2a9e4a\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-f4b53539-8df9-40e4-86c6-6b607703bd4e\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-41425d9f-d1a5-499a-9932-f8ed8453932c\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-fc4d8e41-e223-45ea-9bf5-eada37891d87\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-86efb160-8de7-451d-bc08-5d475b0aadae\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-4ec52d6d-beb7-40c4-9a9e-fe753254690e\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-64d314f6-6062-4780-a861-c23e8951bee5\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-1fd32ebd-e4c3-4e13-a54a-d7422d4d95f6\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-fa298e57-9444-42ba-bf04-86e8470e32c7\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-67121cc7-ff39-4ab8-b7e3-95b84dab487d\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-1f905d99-2ab7-462c-a6b0-f709acca6c8f\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-ba769a63-b8cc-4b2d-abf6-ac33c7204be8\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-81e74cea-30fd-40d5-802f-d72103c2aaaa\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-0aa61e00-0a01-4a3c-9945-e93cffedf0e6\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-47031206-ce96-41f8-861b-6a915f3de284\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-87ba29ef-1ab3-4d82-b763-87fcd4f531f7\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-51522a96-0869-4791-82f3-981000c2c67f\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-b5ec538c-daa0-4006-8596-35468b9148e8\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-56a5ee18-2ae6-4810-86f7-18e39ce5629b\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-2e94d99a-8a36-4563-bc77-810d8893b671\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-1fafeaf6-7927-4059-a50a-8eb2a7a6f2b5\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n 
\"effect-99e9ccd8-3db9-4592-b0d1-14b1715a4d8a\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-1f68a601-6e6d-4e42-babf-3f643a047ea2\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-f7d52b2d-e161-4dfa-a82b-55e564167385\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-7d7be79c-23ba-4033-84dd-45e2a5ccdd67\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-ca91455f-eace-4f96-be59-e6e2c35b4816\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-702dd420-7fcc-42c5-afe8-4026edd20fe0\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"diagnosticsLogsInRedisCacheMonitoringEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"secureTransferToStorageAccountMonitoringEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-d0793b48-0edc-4296-a390-4c75d1bdfd71\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-7d092e0a-7acd-40d2-a975-dca21cae48c4\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-2a1a9cdf-e04d-429a-8416-3bfb72a1b26f\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"disableUnrestrictedNetworkToStorageAccountMonitoringEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-55615ac9-af46-4a59-874e-391cc3dfb490\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-1b8ca024-1d5c-4dec-8995-b1a932b41780\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-037eea7a-bd0a-46c5-9a66-03aea78705d3\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-53503636-bcc9-4748-9663-5348217f160f\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-40cec1dd-a100-4920-b15b-3024fe8901ab\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-0725b4dd-7e76-479c-a735-68e7ee23d5ca\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-a049bf77-880b-470f-ba6d-9f21c530cf83\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-ee980b6d-0eca-4501-8d54-f6290fd512c3\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-1d84d5fb-01f6-4d12-ba4f-4a26081d403d\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-37e0d2fe-28a5-43d6-a273-67d37d1f5606\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n 
\"identityDesignateMoreThanOneOwnerMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"diskEncryptionMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"emailNotificationToSubscriptionOwnerHighSeverityAlertsEnabledEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"functionAppDisableRemoteDebuggingMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"sqlDbEncryptionMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"vulnerabilityAssessmentOnManagedInstanceMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"ensurePHPVersionLatestForAPIAppEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"aadAuthenticationInSqlServerMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"vmssEndpointProtectionMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"vmssOsVulnerabilitiesMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"adaptiveApplicationControlsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"geoRedundantBackupShouldBeEnabledForAzureDatabaseForPostgreSQLEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"ensureJavaVersionLatestForWebAppEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"identityDesignateLessThanOwnersMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"securityContactEmailAddressForSubscriptionEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"webAppRestrictCORSAccessMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"identityRemoveExternalAccountWithWritePermissionsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"identityRemoveExternalAccountWithReadPermissionsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"identityRemoveDeprecatedAccountMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n 
\"functionAppEnforceHttpsMonitoringEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"ensurePythonVersionLatestForWebAppEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"ensurePythonVersionLatestForFunctionAppEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"ensurePHPVersionLatestForWebAppEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"ensurePythonVersionLatestForAPIAppEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"geoRedundantBackupShouldBeEnabledForAzureDatabaseForMySQLEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"systemUpdatesMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"ensureJavaVersionLatestForAPIAppEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"ensureHTTPVersionLatestForWebAppEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"apiAppRequireLatestTlsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"identityEnableMFAForWritePermissionsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"ensureHTTPVersionLatestForAPIAppEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"ensureJavaVersionLatestForFunctionAppEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"nextGenerationFirewallMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"useRbacRulesMonitoringEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"webAppEnforceHttpsMonitoringEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"sqlServerAuditingMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"vnetEnableDDoSProtectionMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"identityEnableMFAForOwnerPermissionsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"sqlServerAdvancedDataSecurityMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"sqlManagedInstanceAdvancedDataSecurityMonitoringEffect\" : { \r\n 
\"value\" : \"AuditIfNotExists\"\r\n },\r\n \"endpointProtectionMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"jitNetworkAccessMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"apiAppEnforceHttpsMonitoringEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"geoRedundantStorageShouldBeEnabledForStorageAccountsEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"vmssSystemUpdatesMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"webAppDisableRemoteDebuggingMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"longtermGeoRedundantBackupEnabledAzureSQLDatabasesEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"systemConfigurationsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"ensureHTTPVersionLatestForFunctionAppEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"identityEnableMFAForReadPermissionsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"containerBenchmarkMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"apiAppDisableRemoteDebuggingMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"vulnerabilityAssessmentOnServerMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"webAppRequireLatestTlsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"identityRemoveExternalAccountWithOwnerPermissionsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"functionAppRequireLatestTlsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"kubernetesServiceVersionUpToDateMonitoringEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"sqlDbVulnerabilityAssesmentMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n 
\"membersToIncludeInLocalAdministratorsGroup\" : { \r\n \"value\" : \"\"\r\n },\r\n \"membersToExcludeInLocalAdministratorsGroup\" : { \r\n \"value\" : \"\"\r\n },\r\n \"logAnalyticsWorkspaceIDForVMAgents\" : { \r\n \"value\" : \"\"\r\n },\r\n \"PHPLatestVersionForAppServices\" : { \r\n \"value\" : \"7.4\"\r\n },\r\n \"JavaLatestVersionForAppServices\" : { \r\n \"value\" : \"11\"\r\n },\r\n \"WindowsPythonLatestVersionForAppServices\" : { \r\n \"value\" : \"3.6\"\r\n },\r\n \"LinuxPythonLatestVersionForAppServices\" : { \r\n \"value\" : \"3.9\"\r\n },\r\n \"ensureDotNetFrameworkLatestForFunctionAppEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"sqlManagedInstanceAdvancedDataSecurityEmailsMonitoringEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"vulnerabilityAssessmentMonitoringEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"ensureDotNetFrameworkLatestForWebAppEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"sqlServerAdvancedDataSecurityEmailsMonitoringEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"microsoftIaaSAntimalwareExtensionShouldBeDeployedOnWindowsServersEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"securityCenterStandardPricingTierShouldBeSelectedEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"theLogAnalyticsAgentShouldBeInstalledOnVirtualMachinesEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"ensurePHPVersionLatestForFunctionAppEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"sqlManagedInstanceAdvancedDataSecurityEmailAdminsMonitoringEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"securityContactPhoneNumberShouldBeProvidedForSubscriptionEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"threatDetectionTypesOnManagedInstanceMonitoringEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"ensureDotNetFrameworkLatestForAPIAppEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"sqlServerAdvancedDataSecurityEmailAdminsMonitoringEffect\" : { \r\n \"value\" : \"Disabled\"\r\n 
},\r\n \"threatDetectionTypesOnServerMonitoringEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"theLogAnalyticsAgentShouldBeInstalledOnVirtualMachineScaleSetsEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n }\r\n}", + "$fxv#3": "{\r\n \"logAnalyticsWorkspaceId-f47b5582-33ec-4c5c-87c0-b010a6b2e917\" : { \r\n \"value\" : \"\"\r\n },\r\n \"effect-09024ccc-0c5f-475e-9457-b7c0d9ed487b\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"MembersToExclude-69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f\" :{\r\n \"value\": \"\"\r\n },\r\n \"MembersToInclude-30f71ea1-ac77-4f26-9fc5-2d926bbd4ba7\": {\r\n \"value\": \"\"\r\n },\r\n \"effect-0961003e-5a0a-4549-abde-af6a37f2724d\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-0b15565f-aa9e-48ba-8619-45960f2c314d\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-0e60b895-3786-45da-8377-9c6b4b6ac5f9\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-17k78e20-9358-41c9-923c-fb736d382a12\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"PHPLatestVersion\" : { \r\n \"value\" : \"7.3\"\r\n },\r\n \"effect-22bee202-a82f-4305-9a2a-6d7f44d4dedb\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-26a828e1-e88f-464e-bbb3-c134a282b9de\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-34c877ad-507e-4c82-993e-3452a6e0ad3c\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-404c3081-a854-4457-ae30-26a93ef643f9\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-47a6b606-51aa-4496-8bb7-64b11cf66adc\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-496223c3-ad65-4ecd-878a-bae78737e9ed\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"JavaLatestVersion\" : { \r\n \"value\" : \"11\"\r\n },\r\n \"effect-4f11b553-d42e-4e3a-89be-32ca364cad4c\" : { \r\n 
\"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-5c607a2e-c700-4744-8254-d77e7c9eb5e4\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-5f76cf89-fbf2-47fd-a3f4-b891fa780b60\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-6b1cbf55-e8b6-442f-ba4c-7246b6381474\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-7008174a-fd10-4ef0-817e-fc820a951d73\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"LinuxPythonLatestVersion\" : { \r\n \"value\" : \"3.8\"\r\n },\r\n \"effect-7238174a-fd10-4ef0-817e-fc820a951d73\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-7261b898-8a84-4db8-9e04-18527132abb3\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-74c3584d-afae-46f7-a20a-6f8adba71a16\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-86b3d65f-7626-441e-b690-81a8b71cff60\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-88999f4c-376a-45c8-bcb3-4058f713cf39\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-8c122334-9d20-4eb8-89ea-ac9a705b74ae\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-9297c21d-2ed6-4474-b48f-163f75654ce3\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-991310cd-e9f3-47bc-b7b6-f57b557d07db\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-9b597639-28e4-48eb-b506-56b05d366257\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-9daedab3-fb2d-461e-b861-71790eead4f6\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-a4af4a39-4135-47fb-b175-47fbdf85311d\" : { \r\n \"value\" : 
\"Audit\"\r\n },\r\n \"effect-a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"setting-a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9\" : { \r\n \"value\" : \"enabled\"\r\n },\r\n \"effect-a70ca396-0a34-413a-88e1-b956c1e683be\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-aa633080-8b72-40c4-a2d7-d00c03e80bed\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-af6cd1bd-1635-48cb-bde7-5b15693900b9\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"resourceGroupName-b6e2945c-0b7b-40f5-9233-7a5323b5cdc6\" : { \r\n \"value\" : \"NetworkWatcherRG\"\r\n },\r\n \"effect-b7ddfbdc-1260-477d-91fd-98bd9be789a6\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-c3f317a7-a95c-4547-b7e7-11017ebdf2fe\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-cb510bfd-1cba-4d9f-a230-cb0976f4bb71\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-e2c1c086-2d84-4019-bff3-c44ccd95113c\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-e3576e28-8b17-4677-84c3-db2990658d64\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-e8cbc669-f12d-49eb-93e7-9273119e9933\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-e9c8d085-d9cc-4b17-9cdc-059f1f01f19e\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-ebb62a0c-3560-49e1-89ed-27e074e9f8ad\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-efbde977-ba53-4479-b8e9-10b957924fbf\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-f6de0be7-9a8a-4b8a-b349-43cf02d22f7c\" : { \r\n \"value\" 
: \"AuditIfNotExists\"\r\n },\r\n \"effect-f8456c1c-aa66-4dfb-861a-25d127b775c9\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-f9d614c5-c173-4d56-95a7-b4437057d193\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-fb893a29-21bb-418c-a157-e99480ec364c\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-feedbf84-6b99-488c-acc2-71c829aa5ffc\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-3b980d31-7904-4bb7-8575-5665739a8052\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-6e2593d9-add6-4083-9c9b-4b7d2188c899\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-12430be1-6cc8-4527-a9a8-e3d38f250096\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"modeRequirement-12430be1-6cc8-4527-a9a8-e3d38f250096\" : { \r\n \"value\" : \"Detection\"\r\n },\r\n \"effect-425bea59-a659-4cbb-8d31-34499bd030b8\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"modeRequirement-425bea59-a659-4cbb-8d31-34499bd030b8\" : { \r\n \"value\" : \"Detection\"\r\n },\r\n \"effect-564feb30-bf6a-4854-b4bb-0d2d2d1e6c66\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-055aa869-bc98-4af8-bafc-23f1ab6ffe2c\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-013e242c-8828-4970-87b3-ab247555486d\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-d38fc420-0735-4ef3-ac11-c806f651a570\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-a1181c5f-672a-477a-979a-7d58aa086233\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-308fbb08-4ab8-4e67-9b29-592e93fb94fa\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-4da35fc9-c9e7-4960-aec9-797fe7d9051d\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-523b5cd1-3e23-492f-a539-13118b6d1e3a\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-7fe3b40f-802b-4cdd-8bd4-fd799c948cc2\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n 
\"effect-c25d9a16-bc35-4e15-a7e5-9db606bf9ed4\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-b0f33259-77d7-4c9e-aac6-3aabcfae693c\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-037eea7a-bd0a-46c5-9a66-03aea78705d3\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-0725b4dd-7e76-479c-a735-68e7ee23d5ca\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-0820b7b9-23aa-4725-a1ce-ae4558f718e5\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-2c89a2e5-7285-40fe-afe0-ae8654b92fab\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-358c20a6-3f9e-4f0e-97ff-c6ce485e2aac\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-5744710e-cc2f-4ee8-8809-3b11e89f4bc9\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-ac4a19c2-fa67-49b4-8ae5-0b2e78c49457\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-c9d007d0-c057-4772-b18c-01e546713bcd\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-d0793b48-0edc-4296-a390-4c75d1bdfd71\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-e372f825-a257-4fb8-9175-797a8a8627d6\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-d158790f-bfb0-486c-8631-2dc6b4e8e6af\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-e802a67a-daf5-4436-9ea6-f6d821dd0c5d\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-a451c1ef-c6ca-483d-87ed-f49761e3ffb5\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftSql-servers-firewallRules-delete\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftNetwork-networkSecurityGroups-delete\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftClassicNetwork-networkSecurityGroups-delete\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftNetwork-networkSecurityGroups-securityRules-delete\" : { \r\n \"value\" : 
\"AuditIfNotExists\"\r\n },\r\n \"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftClassicNetwork-networkSecurityGroups-securityRules-delete\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-ae89ebca-1c92-4898-ac2c-9f63decb045c\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-d26f7642-7545-4e18-9b75-8c9bbdee3a9a\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-1a4e592a-6a6e-44a5-9814-e36264ca96e7\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-7796937f-307b-4598-941c-67d3a05ebfe7\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-c5447c04-a4d7-4ba8-a263-c9ee321a6858\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-41388f1c-2db0-4c25-95b2-35d7f5ccbfa9\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-b02aacc0-b073-424e-8298-42b22829ee0a\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-0ec47710-77ff-4a3d-9181-6aa50af424d0\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-48af4db5-9b8b-401c-8e74-076be876a430\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-82339799-d096-41ae-8538-b108becf0970\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-1b7aa243-30e4-4c9e-bca8-d0d3022b634a\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-bb91dfba-c30d-4263-9add-9c2384e659a6\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-e71308d3-144b-4262-b144-efdc3cc90517\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-2bdd0062-9d75-436e-89df-487dd8e4b3c7\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"effect-4733ea7b-a883-42fe-8cac-97454c2a9e4a\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-67121cc7-ff39-4ab8-b7e3-95b84dab487d\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n 
\"effect-6fac406b-40ca-413b-bf8e-0bf964659c25\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-81e74cea-30fd-40d5-802f-d72103c2aaaa\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-c349d81b-9985-44ae-a8da-ff98d108ede8\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-f4b53539-8df9-40e4-86c6-6b607703bd4e\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-ec068d99-e9c7-401f-8cef-5bdde4e6ccf1\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-048248b0-55cd-46da-b1ff-39efd52db260\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-0d134df8-db83-46fb-ad72-fe0c9428c8dd\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-2c89a2e5-7285-40fe-afe0-ae8654b92fb2\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-3657f5a0-770e-44a3-b44e-9431ba1e9735\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-617c02be-7f02-4efd-8836-3180d47b6c68\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-7d7be79c-23ba-4033-84dd-45e2a5ccdd67\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-87ba29ef-1ab3-4d82-b763-87fcd4f531f7\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-f7d52b2d-e161-4dfa-a82b-55e564167385\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-c43e4a30-77cb-48ab-a4dd-93f175c63b57\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-1f314764-cb73-4fc9-b863-8eca98ac36e9\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-123a3936-f020-408a-ba0c-47873faf1534\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n }\r\n}\r\n", + "modifiedAssignment": "[if(and(equals(toLower(environment().name), toLower('AzureCloud')), equals(toLower(parameters('builtInAssignment')), toLower('IL5'))), 'NISTRev4', parameters('builtInAssignment'))]", + "assignmentName": 
"[format('{0} {1}', variables('modifiedAssignment'), resourceGroup().name)]", + "agentVmssAssignmentName": "[format('Deploy VMSS Agents {0}', resourceGroup().name)]", + "agentVmAssignmentName": "[format('Deploy VM Agents {0}', resourceGroup().name)]", + "contributorRoleDefinitionId": "[resourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "lawsReaderRoleDefinitionId": "[resourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]" + }, + "resources": [ { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "remoteAccess-linuxVirtualMachine", + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2020-09-01", + "name": "[variables('assignmentName')]", + "location": "[parameters('location')]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", + "policyDefinitionId": "[createObject('NISTRev4', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f', 'parameters', json(replace(variables('$fxv#0'), '', extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))))), 'NISTRev5', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f', 'parameters', json(variables('$fxv#1'))), 'IL5', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/f9a961fa-3241-4b20-adc4-bbf8ad9d7197', 'parameters', json(replace(variables('$fxv#2'), '', extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))))), 
'CMMC', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/b5629c75-5c77-4422-87b9-2509e680f8de', 'parameters', json(replace(variables('$fxv#3'), '', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName')), '2021-06-01').customerId))))[variables('modifiedAssignment')].id]", + "parameters": "[createObject('NISTRev4', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f', 'parameters', json(replace(variables('$fxv#0'), '', extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))))), 'NISTRev5', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f', 'parameters', json(variables('$fxv#1'))), 'IL5', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/f9a961fa-3241-4b20-adc4-bbf8ad9d7197', 'parameters', json(replace(variables('$fxv#2'), '', extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))))), 'CMMC', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/b5629c75-5c77-4422-87b9-2509e680f8de', 'parameters', json(replace(variables('$fxv#3'), '', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName')), 
'2021-06-01').customerId))))[variables('modifiedAssignment')].parameters]" + }, + "identity": { + "type": "SystemAssigned" + } + }, + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2020-09-01", + "name": "[variables('agentVmssAssignmentName')]", + "location": "[parameters('location')]", + "properties": { + "policyDefinitionId": "[tenantResourceId('Microsoft.Authorization/policySetDefinitions', '75714362-cae7-409e-9b99-a8e5075b7fad')]", "parameters": { - "adminPasswordOrKey": { - "value": "[parameters('linuxVmAdminPasswordOrKey')]" - }, - "adminUsername": { - "value": "[parameters('linuxVmAdminUsername')]" - }, - "authenticationType": { - "value": "[parameters('linuxVmAuthenticationType')]" - }, - "diskEncryptionSetResourceId": { - "value": "[parameters('diskEncryptionSetResourceId')]" - }, - "diskName": { - "value": "[parameters('linuxDiskName')]" - }, - "location": { - "value": "[parameters('location')]" - }, - "logAnalyticsWorkspaceId": { - "value": "[parameters('logAnalyticsWorkspaceId')]" - }, - "name": { - "value": "[parameters('linuxVmName')]" - }, - "networkInterfaceName": { - "value": "[reference(resourceId('Microsoft.Resources/deployments', 'remoteAccess-linuxNetworkInterface'), '2022-09-01').outputs.name.value]" - }, - "osDiskCreateOption": { - "value": "[parameters('linuxVmOsDiskCreateOption')]" - }, - "osDiskType": { - "value": "[parameters('linuxVmOsDiskType')]" - }, - "tags": { - "value": "[parameters('tags')]" - }, - "vmImageOffer": { - "value": "[parameters('linuxVmImageOffer')]" - }, - "vmImagePublisher": { - "value": "[parameters('linuxVmImagePublisher')]" - }, - "vmImageSku": { - "value": "[parameters('linuxVmImageSku')]" + "logAnalytics_1": { + "value": "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))]" + } + } + }, + 
"identity": { + "type": "SystemAssigned" + } + }, + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2020-09-01", + "name": "[variables('agentVmAssignmentName')]", + "location": "[parameters('location')]", + "properties": { + "policyDefinitionId": "[tenantResourceId('Microsoft.Authorization/policySetDefinitions', '55f3eceb-5573-4f18-9695-226972c6d74a')]", + "parameters": { + "logAnalytics_1": { + "value": "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))]" + } + } + }, + "identity": { + "type": "SystemAssigned" + } + }, + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2020-04-01-preview", + "name": "[guid(variables('contributorRoleDefinitionId'), variables('assignmentName'))]", + "properties": { + "roleDefinitionId": "[variables('contributorRoleDefinitionId')]", + "principalId": "[if(empty(variables('modifiedAssignment')), '', reference(resourceId('Microsoft.Authorization/policyAssignments', variables('assignmentName')), '2020-09-01', 'full').identity.principalId)]", + "principalType": "ServicePrincipal" + }, + "dependsOn": [ + "[resourceId('Microsoft.Authorization/policyAssignments', variables('assignmentName'))]" + ] + }, + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2020-04-01-preview", + "name": "[guid(variables('contributorRoleDefinitionId'), variables('agentVmssAssignmentName'))]", + "properties": { + "roleDefinitionId": "[variables('contributorRoleDefinitionId')]", + "principalId": "[reference(resourceId('Microsoft.Authorization/policyAssignments', variables('agentVmssAssignmentName')), '2020-09-01', 'full').identity.principalId]", + "principalType": "ServicePrincipal" + }, + "dependsOn": [ + "[resourceId('Microsoft.Authorization/policyAssignments', 
variables('agentVmssAssignmentName'))]" + ] + }, + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2020-04-01-preview", + "name": "[guid(variables('contributorRoleDefinitionId'), variables('agentVmAssignmentName'))]", + "properties": { + "roleDefinitionId": "[variables('contributorRoleDefinitionId')]", + "principalId": "[reference(resourceId('Microsoft.Authorization/policyAssignments', variables('agentVmAssignmentName')), '2020-09-01', 'full').identity.principalId]", + "principalType": "ServicePrincipal" + }, + "dependsOn": [ + "[resourceId('Microsoft.Authorization/policyAssignments', variables('agentVmAssignmentName'))]" + ] + }, + { + "condition": "[parameters('deployRemediation')]", + "type": "Microsoft.PolicyInsights/remediations", + "apiVersion": "2019-07-01", + "name": "VM-Agent-Policy-Remediation", + "properties": { + "policyAssignmentId": "[resourceId('Microsoft.Authorization/policyAssignments', variables('agentVmAssignmentName'))]", + "resourceDiscoveryMode": "ReEvaluateCompliance" + }, + "dependsOn": [ + "[resourceId('Microsoft.Authorization/policyAssignments', variables('agentVmAssignmentName'))]" + ] + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('Assign-Laws-Role-Policy-{0}', resourceGroup().name)]", + "subscriptionId": "[parameters('operationsSubscriptionId')]", + "resourceGroup": "[parameters('logAnalyticsWorkspaceResourceGroupName')]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "targetResourceId": { + "value": "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))]" }, - "vmImageVersion": { - "value": "[parameters('linuxVmImageVersion')]" + "roleDefinitionId": { + "value": 
"[variables('lawsReaderRoleDefinitionId')]" }, - "vmSize": { - "value": "[parameters('linuxVmSize')]" + "principalId": { + "value": "[reference(resourceId('Microsoft.Authorization/policyAssignments', variables('agentVmAssignmentName')), '2020-09-01', 'full').identity.principalId]" } }, "template": { 
@@ -8234,423 +8275,273 @@ "_generator": { "name": "bicep", "version": "0.24.24.22086", - "templateHash": "13448922027561695966" + "templateHash": "8686326864657481429" } }, "parameters": { - "adminPasswordOrKey": { - "type": "securestring", - "minLength": 12 - }, - "adminUsername": { - "type": "string" - }, - "authenticationType": { - "type": "string", - "allowedValues": [ - "sshPublicKey", - "password" - ] - }, - "diskEncryptionSetResourceId": { - "type": "string" - }, - "diskName": { - "type": "string" - }, - "location": { - "type": "string" - }, - "name": { - "type": "string" - }, - "networkInterfaceName": { - "type": "string" - }, - "osDiskCreateOption": { - "type": "string" - }, - "osDiskType": { - "type": "string" - }, - "tags": { - "type": "object" - }, - "vmImageOffer": { - "type": "string" - }, - "vmImagePublisher": { + "targetResourceId": { "type": "string" }, - "vmImageSku": { + "roleDefinitionId": { "type": "string" }, - "vmImageVersion": { + "principalId": { "type": "string" }, - "vmSize": { - "type": "string" + "principalType": { + "type": "string", + "defaultValue": "ServicePrincipal", + "allowedValues": [ + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ] }, - "logAnalyticsWorkspaceId": { - "type": "string" - } - }, - "variables": { - "linuxConfiguration": { - "disablePasswordAuthentication": true, - "ssh": { - "publicKeys": [ - { - "path": "[format('/home/{0}/.ssh/authorized_keys', parameters('adminUsername'))]", - "keyData": "[parameters('adminPasswordOrKey')]" - } - ] - } + "description": { + "type": "string", + "defaultValue": "" } }, "resources": [ { - "type": "Microsoft.Compute/virtualMachines", - "apiVersion": "2021-04-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2020-04-01-preview", + "name": "[guid(parameters('targetResourceId'), parameters('roleDefinitionId'), parameters('principalId'))]", 
"properties": { - "diagnosticsProfile": { - "bootDiagnostics": { - "enabled": false - } - }, - "hardwareProfile": { - "vmSize": "[parameters('vmSize')]" - }, - "networkProfile": { - "networkInterfaces": [ - { - "id": "[resourceId('Microsoft.Network/networkInterfaces', parameters('networkInterfaceName'))]", - "properties": { - "deleteOption": "Delete" - } - } - ] - }, - "osProfile": { - "computerName": "[parameters('name')]", - "adminUsername": "[parameters('adminUsername')]", - "adminPassword": "[parameters('adminPasswordOrKey')]", - "linuxConfiguration": "[if(equals(parameters('authenticationType'), 'password'), null(), variables('linuxConfiguration'))]" - }, - "securityProfile": { - "uefiSettings": { - "secureBootEnabled": true, - "vTpmEnabled": true - }, - "securityType": "trustedLaunch", - "encryptionAtHost": true - }, - "storageProfile": { - "osDisk": { - "caching": "ReadWrite", - "createOption": "[parameters('osDiskCreateOption')]", - "deleteOption": "Delete", - "managedDisk": { - "diskEncryptionSet": { - "id": "[parameters('diskEncryptionSetResourceId')]" - }, - "storageAccountType": "[parameters('osDiskType')]" - }, - "name": "[parameters('diskName')]", - "osType": "Linux" - }, - "imageReference": { - "publisher": "[parameters('vmImagePublisher')]", - "offer": "[parameters('vmImageOffer')]", - "sku": "[parameters('vmImageSku')]", - "version": "[parameters('vmImageVersion')]" - } - }, - "licenseType": null + "principalId": "[parameters('principalId')]", + "principalType": "[parameters('principalType')]", + "roleDefinitionId": "[parameters('roleDefinitionId')]", + "description": "[parameters('description')]" } - }, - { - "type": "Microsoft.Compute/virtualMachines/extensions", - "apiVersion": "2021-03-01", - "name": "[format('{0}/{1}', parameters('name'), 'GuestAttestation')]", - "location": "[parameters('location')]", - "properties": { - "publisher": "Microsoft.Azure.Security.LinuxAttestation", - "type": "GuestAttestation", - "typeHandlerVersion": "1.0", - 
"autoUpgradeMinorVersion": true, - "settings": { - "AttestationConfig": { - "MaaSettings": { - "maaEndpoint": "", - "maaTenantName": "GuestAttestation" - }, - "AscSettings": { - "ascReportingEndpoint": "", - "ascReportingFrequency": "" - }, - "useCustomToken": "false", - "disableAlerts": "false" - } - } - }, - "dependsOn": [ - "[resourceId('Microsoft.Compute/virtualMachines', parameters('name'))]" - ] - }, - { - "type": "Microsoft.Compute/virtualMachines/extensions", - "apiVersion": "2021-04-01", - "name": "[format('{0}/{1}', parameters('name'), 'AzurePolicyforLinux')]", - "location": "[parameters('location')]", - "properties": { - "publisher": "Microsoft.GuestConfiguration", - "type": "ConfigurationforLinux", - "typeHandlerVersion": "1.0", - "autoUpgradeMinorVersion": true, - "enableAutomaticUpgrade": true - }, - "dependsOn": [ - "[resourceId('Microsoft.Compute/virtualMachines', parameters('name'))]" - ] - }, - { - "type": "Microsoft.Compute/virtualMachines/extensions", - "apiVersion": "2021-04-01", - "name": "[format('{0}/{1}', parameters('name'), 'Microsoft.Azure.NetworkWatcher')]", - "location": "[parameters('location')]", - "properties": { - "publisher": "Microsoft.Azure.NetworkWatcher", - "type": "NetworkWatcherAgentLinux", - "typeHandlerVersion": "1.4" - }, - "dependsOn": [ - "[resourceId('Microsoft.Compute/virtualMachines/extensions', parameters('name'), 'AzurePolicyforLinux')]", - "[resourceId('Microsoft.Compute/virtualMachines', parameters('name'))]" - ] - }, - { - "type": "Microsoft.Compute/virtualMachines/extensions", - "apiVersion": "2020-06-01", - "name": "[format('{0}/{1}', parameters('name'), 'OMSExtension')]", - "location": "[parameters('location')]", - "properties": { - "publisher": "Microsoft.EnterpriseCloud.Monitoring", - "type": "OmsAgentForLinux", - "typeHandlerVersion": "1.13", - "settings": { - "workspaceId": "[reference(parameters('logAnalyticsWorkspaceId'), '2015-11-01-preview').customerId]", - "stopOnMultipleConnections": true - }, - 
"protectedSettings": { - "workspaceKey": "[listKeys(parameters('logAnalyticsWorkspaceId'), '2015-11-01-preview').primarySharedKey]" - } - }, - "dependsOn": [ - "[resourceId('Microsoft.Compute/virtualMachines/extensions', parameters('name'), 'Microsoft.Azure.NetworkWatcher')]", - "[resourceId('Microsoft.Compute/virtualMachines', parameters('name'))]" - ] - }, - { - "type": "Microsoft.Compute/virtualMachines/extensions", - "apiVersion": "2021-04-01", - "name": "[format('{0}/{1}', parameters('name'), 'DependencyAgentLinux')]", - "location": "[parameters('location')]", - "properties": { - "publisher": "Microsoft.Azure.Monitoring.DependencyAgent", - "type": "DependencyAgentLinux", - "typeHandlerVersion": "9.5", - "autoUpgradeMinorVersion": true - }, - "dependsOn": [ - "[resourceId('Microsoft.Compute/virtualMachines/extensions', parameters('name'), 'OMSExtension')]", - "[resourceId('Microsoft.Compute/virtualMachines', parameters('name'))]" - ] - } - ], - "outputs": { - "adminUsername": { - "type": "string", - "value": "[parameters('adminUsername')]" - }, - "authenticationType": { - "type": "string", - "value": "[parameters('authenticationType')]" } - } + ] } }, "dependsOn": [ - "[resourceId('Microsoft.Resources/deployments', 'remoteAccess-linuxNetworkInterface')]" + "[resourceId('Microsoft.Authorization/policyAssignments', variables('agentVmAssignmentName'))]" ] + } + ] + } + }, + "dependsOn": [ + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix')))]" + ] + }, + { + "copy": { + "name": "spokePolicyAssignments", + "count": "[length(variables('spokes'))]" + }, + "condition": "[parameters('deployPolicy')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('assign-policy-{0}-{1}', variables('spokes')[copyIndex()].name, 
parameters('deploymentNameSuffix'))]", + "subscriptionId": "[variables('spokes')[copyIndex()].subscriptionId]", + "resourceGroup": "[variables('spokes')[copyIndex()].resourceGroupName]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "builtInAssignment": { + "value": "[parameters('policy')]" + }, + "logAnalyticsWorkspaceName": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.name.value]" + }, + "logAnalyticsWorkspaceResourceGroupName": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.resourceGroupName.value]" + }, + "operationsSubscriptionId": { + "value": "[parameters('operationsSubscriptionId')]" + }, + "location": { + "value": "[parameters('location')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.24.24.22086", + "templateHash": "16693295535307781768" + } + }, + "parameters": { + "builtInAssignment": { + "type": "string", + "defaultValue": "NISTRev4", + "allowedValues": [ + "NISTRev4", + "NISTRev5", + "IL5", + "CMMC" + ], + "metadata": { + "description": "[NISTRev4/NISTRev5/IL5/CMMC] Built-in policy assignments to assign, default is NISTRev4. IL5 is only available for AzureUsGovernment and will switch to NISTRev4 if tried in AzureCloud." 
+ } + }, + "logAnalyticsWorkspaceName": { + "type": "string" + }, + "logAnalyticsWorkspaceResourceGroupName": { + "type": "string" + }, + "operationsSubscriptionId": { + "type": "string" }, + "deployRemediation": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Starts a policy remediation for the VM Agent policies in hub RG. Set to false by default since this is time consuming in deployment." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The location of this resource" + } + } + }, + "variables": { + "$fxv#0": " {\r\n \"listOfMembersToExcludeFromWindowsVMAdministratorsGroup\": \r\n {\r\n \"value\": \"admin\"\r\n },\r\n \"listOfMembersToIncludeInWindowsVMAdministratorsGroup\": \r\n {\r\n \"value\": \"azureuser\"\r\n },\r\n \"logAnalyticsWorkspaceIdforVMReporting\": \r\n {\r\n \"value\": \"\"\r\n },\r\n \"IncludeArcMachines\": \r\n {\r\n \"value\": \"true\"\r\n },\r\n \"MinimumTLSVersion-5752e6d6-1206-46d8-8ab1-ecc2f71a8112\": \r\n {\r\n \"value\": \"1.2\"\r\n },\r\n \"NotAvailableMachineState-bed48b13-6647-468e-aa2f-1af1d3f4dd40\": \r\n {\r\n \"value\": \"Compliant\"\r\n },\r\n \"requiredRetentionDays\": \r\n {\r\n \"value\": \"365\"\r\n },\r\n \"resourceGroupName-b6e2945c-0b7b-40f5-9233-7a5323b5cdc6\": \r\n {\r\n \"value\": \"NetworkWatcherRG\"\r\n }\r\n }", + "$fxv#1": " {\r\n \"IncludeArcMachines\": \r\n {\r\n \"value\": \"true\"\r\n },\r\n \"MinimumTLSVersion-5752e6d6-1206-46d8-8ab1-ecc2f71a8112\": \r\n {\r\n \"value\": \"1.2\"\r\n },\r\n \"NotAvailableMachineState-bed48b13-6647-468e-aa2f-1af1d3f4dd40\": \r\n {\r\n \"value\": \"Compliant\"\r\n },\r\n \"requiredRetentionDays\": \r\n {\r\n \"value\": \"365\"\r\n },\r\n \"resourceGroupName-b6e2945c-0b7b-40f5-9233-7a5323b5cdc6\": \r\n {\r\n \"value\": \"NetworkWatcherRG\"\r\n }\r\n }", + "$fxv#2": "{\r\n \"IncludeArcMachines\" : { \r\n \"value\" : \"false\"\r\n },\r\n 
\"NotAvailableMachineState-bed48b13-6647-468e-aa2f-1af1d3f4dd40\" : { \r\n \"value\" : \"Compliant\"\r\n },\r\n \"MinimumTLSVersionForWindowsServers\" : { \r\n \"value\" : \"1.2\"\r\n },\r\n \"requiredRetentionDays\" : { \r\n \"value\" : \"365\"\r\n },\r\n \"effect-febd0533-8e55-448f-b837-bd0e06f16469\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"allowedContainerImagesRegex-febd0533-8e55-448f-b837-bd0e06f16469\" : { \r\n \"value\" : \"^(.+){0}$\"\r\n },\r\n \"effect-95edb821-ddaf-4404-9732-666045e056b4\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-440b515e-a580-421e-abeb-b159a61ddcbc\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-233a2a17-77ca-4fb1-9b6b-69223d272a44\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-e345eecc-fa47-480f-9e88-67dcc122b164\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"cpuLimit-e345eecc-fa47-480f-9e88-67dcc122b164\" : { \r\n \"value\" : \"0\"\r\n },\r\n \"memoryLimit-e345eecc-fa47-480f-9e88-67dcc122b164\" : { \r\n \"value\" : \"0\"\r\n },\r\n \"effect-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"runAsUserRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \r\n \"value\" : \"MustRunAsNonRoot\"\r\n },\r\n \"runAsGroupRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \r\n \"value\" : \"RunAsAny\"\r\n },\r\n \"supplementalGroupsRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \r\n \"value\" : \"RunAsAny\"\r\n },\r\n \"fsGroupRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \r\n \"value\" : \"RunAsAny\"\r\n },\r\n \"effect-1c6e92c9-99f0-4e55-9cf2-0c234dc48f99\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-df49d893-a74c-421d-bc95-c663042e5b80\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-c26596ff-4d70-4e6a-9a30-c2506bd2f80c\" : { \r\n \"value\" : \"audit\"\r\n },\r\n 
\"effect-511f5417-5d12-434d-ab2e-816901e72a5e\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-82985f06-dc18-4a48-bc1c-b9f4f0098cfe\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-098fc59e-46c7-4d99-9b16-64990e543d75\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"NetworkWatcherResourceGroupName\" : { \r\n \"value\" : \"NetworkWatcherRG\"\r\n },\r\n \"setting-a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9\" : { \r\n \"value\" : \"enabled\"\r\n },\r\n \"aadAuthenticationInServiceFabricMonitoringEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-71ef260a-8f18-47b7-abcb-62d0673d94dc\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-055aa869-bc98-4af8-bafc-23f1ab6ffe2c\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-564feb30-bf6a-4854-b4bb-0d2d2d1e6c66\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-d9da03a1-f3c3-412a-9709-947156872263\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-617c02be-7f02-4efd-8836-3180d47b6c68\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-ec068d99-e9c7-401f-8cef-5bdde4e6ccf1\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-c349d81b-9985-44ae-a8da-ff98d108ede8\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-3657f5a0-770e-44a3-b44e-9431ba1e9735\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-b4ac1030-89c5-4697-8e00-28b5ba6a8811\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-ea0dfaed-95fb-448c-934e-d6e713ce393d\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-4733ea7b-a883-42fe-8cac-97454c2a9e4a\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-f4b53539-8df9-40e4-86c6-6b607703bd4e\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-41425d9f-d1a5-499a-9932-f8ed8453932c\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n 
\"effect-fc4d8e41-e223-45ea-9bf5-eada37891d87\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-86efb160-8de7-451d-bc08-5d475b0aadae\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-4ec52d6d-beb7-40c4-9a9e-fe753254690e\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-64d314f6-6062-4780-a861-c23e8951bee5\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-1fd32ebd-e4c3-4e13-a54a-d7422d4d95f6\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-fa298e57-9444-42ba-bf04-86e8470e32c7\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-67121cc7-ff39-4ab8-b7e3-95b84dab487d\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-1f905d99-2ab7-462c-a6b0-f709acca6c8f\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-ba769a63-b8cc-4b2d-abf6-ac33c7204be8\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-81e74cea-30fd-40d5-802f-d72103c2aaaa\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-0aa61e00-0a01-4a3c-9945-e93cffedf0e6\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-47031206-ce96-41f8-861b-6a915f3de284\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-87ba29ef-1ab3-4d82-b763-87fcd4f531f7\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-51522a96-0869-4791-82f3-981000c2c67f\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-b5ec538c-daa0-4006-8596-35468b9148e8\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-56a5ee18-2ae6-4810-86f7-18e39ce5629b\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-2e94d99a-8a36-4563-bc77-810d8893b671\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-1fafeaf6-7927-4059-a50a-8eb2a7a6f2b5\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-99e9ccd8-3db9-4592-b0d1-14b1715a4d8a\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-1f68a601-6e6d-4e42-babf-3f643a047ea2\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-f7d52b2d-e161-4dfa-a82b-55e564167385\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n 
\"effect-7d7be79c-23ba-4033-84dd-45e2a5ccdd67\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-ca91455f-eace-4f96-be59-e6e2c35b4816\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-702dd420-7fcc-42c5-afe8-4026edd20fe0\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"diagnosticsLogsInRedisCacheMonitoringEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"secureTransferToStorageAccountMonitoringEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-d0793b48-0edc-4296-a390-4c75d1bdfd71\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-7d092e0a-7acd-40d2-a975-dca21cae48c4\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-2a1a9cdf-e04d-429a-8416-3bfb72a1b26f\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"disableUnrestrictedNetworkToStorageAccountMonitoringEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-55615ac9-af46-4a59-874e-391cc3dfb490\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-1b8ca024-1d5c-4dec-8995-b1a932b41780\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-037eea7a-bd0a-46c5-9a66-03aea78705d3\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-53503636-bcc9-4748-9663-5348217f160f\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-40cec1dd-a100-4920-b15b-3024fe8901ab\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-0725b4dd-7e76-479c-a735-68e7ee23d5ca\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-a049bf77-880b-470f-ba6d-9f21c530cf83\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-ee980b6d-0eca-4501-8d54-f6290fd512c3\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-1d84d5fb-01f6-4d12-ba4f-4a26081d403d\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-37e0d2fe-28a5-43d6-a273-67d37d1f5606\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"identityDesignateMoreThanOneOwnerMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"diskEncryptionMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"emailNotificationToSubscriptionOwnerHighSeverityAlertsEnabledEffect\" : { 
\r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"functionAppDisableRemoteDebuggingMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"sqlDbEncryptionMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"vulnerabilityAssessmentOnManagedInstanceMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"ensurePHPVersionLatestForAPIAppEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"aadAuthenticationInSqlServerMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"vmssEndpointProtectionMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"vmssOsVulnerabilitiesMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"adaptiveApplicationControlsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"geoRedundantBackupShouldBeEnabledForAzureDatabaseForPostgreSQLEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"ensureJavaVersionLatestForWebAppEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"identityDesignateLessThanOwnersMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"securityContactEmailAddressForSubscriptionEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"webAppRestrictCORSAccessMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"identityRemoveExternalAccountWithWritePermissionsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"identityRemoveExternalAccountWithReadPermissionsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"identityRemoveDeprecatedAccountMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"functionAppEnforceHttpsMonitoringEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"ensurePythonVersionLatestForWebAppEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"ensurePythonVersionLatestForFunctionAppEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n 
},\r\n \"ensurePHPVersionLatestForWebAppEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"ensurePythonVersionLatestForAPIAppEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"geoRedundantBackupShouldBeEnabledForAzureDatabaseForMySQLEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"systemUpdatesMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"ensureJavaVersionLatestForAPIAppEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"ensureHTTPVersionLatestForWebAppEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"apiAppRequireLatestTlsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"identityEnableMFAForWritePermissionsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"ensureHTTPVersionLatestForAPIAppEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"ensureJavaVersionLatestForFunctionAppEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"nextGenerationFirewallMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"useRbacRulesMonitoringEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"webAppEnforceHttpsMonitoringEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"sqlServerAuditingMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"vnetEnableDDoSProtectionMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"identityEnableMFAForOwnerPermissionsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"sqlServerAdvancedDataSecurityMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"sqlManagedInstanceAdvancedDataSecurityMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"endpointProtectionMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"jitNetworkAccessMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"apiAppEnforceHttpsMonitoringEffect\" : { \r\n \"value\" : 
\"Audit\"\r\n },\r\n \"geoRedundantStorageShouldBeEnabledForStorageAccountsEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"vmssSystemUpdatesMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"webAppDisableRemoteDebuggingMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"longtermGeoRedundantBackupEnabledAzureSQLDatabasesEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"systemConfigurationsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"ensureHTTPVersionLatestForFunctionAppEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"identityEnableMFAForReadPermissionsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"containerBenchmarkMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"apiAppDisableRemoteDebuggingMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"vulnerabilityAssessmentOnServerMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"webAppRequireLatestTlsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"identityRemoveExternalAccountWithOwnerPermissionsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"functionAppRequireLatestTlsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"kubernetesServiceVersionUpToDateMonitoringEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"sqlDbVulnerabilityAssesmentMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"membersToIncludeInLocalAdministratorsGroup\" : { \r\n \"value\" : \"\"\r\n },\r\n \"membersToExcludeInLocalAdministratorsGroup\" : { \r\n \"value\" : \"\"\r\n },\r\n \"logAnalyticsWorkspaceIDForVMAgents\" : { \r\n \"value\" : \"\"\r\n },\r\n \"PHPLatestVersionForAppServices\" : { \r\n \"value\" : \"7.4\"\r\n },\r\n 
\"JavaLatestVersionForAppServices\" : { \r\n \"value\" : \"11\"\r\n },\r\n \"WindowsPythonLatestVersionForAppServices\" : { \r\n \"value\" : \"3.6\"\r\n },\r\n \"LinuxPythonLatestVersionForAppServices\" : { \r\n \"value\" : \"3.9\"\r\n },\r\n \"ensureDotNetFrameworkLatestForFunctionAppEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"sqlManagedInstanceAdvancedDataSecurityEmailsMonitoringEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"vulnerabilityAssessmentMonitoringEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"ensureDotNetFrameworkLatestForWebAppEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"sqlServerAdvancedDataSecurityEmailsMonitoringEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"microsoftIaaSAntimalwareExtensionShouldBeDeployedOnWindowsServersEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"securityCenterStandardPricingTierShouldBeSelectedEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"theLogAnalyticsAgentShouldBeInstalledOnVirtualMachinesEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"ensurePHPVersionLatestForFunctionAppEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"sqlManagedInstanceAdvancedDataSecurityEmailAdminsMonitoringEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"securityContactPhoneNumberShouldBeProvidedForSubscriptionEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"threatDetectionTypesOnManagedInstanceMonitoringEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"ensureDotNetFrameworkLatestForAPIAppEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"sqlServerAdvancedDataSecurityEmailAdminsMonitoringEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"threatDetectionTypesOnServerMonitoringEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"theLogAnalyticsAgentShouldBeInstalledOnVirtualMachineScaleSetsEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n }\r\n}", + "$fxv#3": "{\r\n \"logAnalyticsWorkspaceId-f47b5582-33ec-4c5c-87c0-b010a6b2e917\" : { 
\r\n \"value\" : \"\"\r\n },\r\n \"effect-09024ccc-0c5f-475e-9457-b7c0d9ed487b\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"MembersToExclude-69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f\" :{\r\n \"value\": \"\"\r\n },\r\n \"MembersToInclude-30f71ea1-ac77-4f26-9fc5-2d926bbd4ba7\": {\r\n \"value\": \"\"\r\n },\r\n \"effect-0961003e-5a0a-4549-abde-af6a37f2724d\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-0b15565f-aa9e-48ba-8619-45960f2c314d\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-0e60b895-3786-45da-8377-9c6b4b6ac5f9\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-17k78e20-9358-41c9-923c-fb736d382a12\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"PHPLatestVersion\" : { \r\n \"value\" : \"7.3\"\r\n },\r\n \"effect-22bee202-a82f-4305-9a2a-6d7f44d4dedb\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-26a828e1-e88f-464e-bbb3-c134a282b9de\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-34c877ad-507e-4c82-993e-3452a6e0ad3c\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-404c3081-a854-4457-ae30-26a93ef643f9\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-47a6b606-51aa-4496-8bb7-64b11cf66adc\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-496223c3-ad65-4ecd-878a-bae78737e9ed\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"JavaLatestVersion\" : { \r\n \"value\" : \"11\"\r\n },\r\n \"effect-4f11b553-d42e-4e3a-89be-32ca364cad4c\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-5c607a2e-c700-4744-8254-d77e7c9eb5e4\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-5f76cf89-fbf2-47fd-a3f4-b891fa780b60\" : { \r\n \"value\" : 
\"AuditIfNotExists\"\r\n },\r\n \"effect-6b1cbf55-e8b6-442f-ba4c-7246b6381474\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-7008174a-fd10-4ef0-817e-fc820a951d73\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"LinuxPythonLatestVersion\" : { \r\n \"value\" : \"3.8\"\r\n },\r\n \"effect-7238174a-fd10-4ef0-817e-fc820a951d73\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-7261b898-8a84-4db8-9e04-18527132abb3\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-74c3584d-afae-46f7-a20a-6f8adba71a16\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-86b3d65f-7626-441e-b690-81a8b71cff60\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-88999f4c-376a-45c8-bcb3-4058f713cf39\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-8c122334-9d20-4eb8-89ea-ac9a705b74ae\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-9297c21d-2ed6-4474-b48f-163f75654ce3\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-991310cd-e9f3-47bc-b7b6-f57b557d07db\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-9b597639-28e4-48eb-b506-56b05d366257\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-9daedab3-fb2d-461e-b861-71790eead4f6\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-a4af4a39-4135-47fb-b175-47fbdf85311d\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"setting-a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9\" : { \r\n \"value\" : \"enabled\"\r\n },\r\n \"effect-a70ca396-0a34-413a-88e1-b956c1e683be\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n 
\"effect-aa633080-8b72-40c4-a2d7-d00c03e80bed\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-af6cd1bd-1635-48cb-bde7-5b15693900b9\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"resourceGroupName-b6e2945c-0b7b-40f5-9233-7a5323b5cdc6\" : { \r\n \"value\" : \"NetworkWatcherRG\"\r\n },\r\n \"effect-b7ddfbdc-1260-477d-91fd-98bd9be789a6\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-c3f317a7-a95c-4547-b7e7-11017ebdf2fe\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-cb510bfd-1cba-4d9f-a230-cb0976f4bb71\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-e2c1c086-2d84-4019-bff3-c44ccd95113c\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-e3576e28-8b17-4677-84c3-db2990658d64\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-e8cbc669-f12d-49eb-93e7-9273119e9933\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-e9c8d085-d9cc-4b17-9cdc-059f1f01f19e\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-ebb62a0c-3560-49e1-89ed-27e074e9f8ad\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-efbde977-ba53-4479-b8e9-10b957924fbf\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-f6de0be7-9a8a-4b8a-b349-43cf02d22f7c\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-f8456c1c-aa66-4dfb-861a-25d127b775c9\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-f9d614c5-c173-4d56-95a7-b4437057d193\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-fb893a29-21bb-418c-a157-e99480ec364c\" : { \r\n \"value\" : 
\"Audit\"\r\n },\r\n \"effect-feedbf84-6b99-488c-acc2-71c829aa5ffc\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-3b980d31-7904-4bb7-8575-5665739a8052\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-6e2593d9-add6-4083-9c9b-4b7d2188c899\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-12430be1-6cc8-4527-a9a8-e3d38f250096\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"modeRequirement-12430be1-6cc8-4527-a9a8-e3d38f250096\" : { \r\n \"value\" : \"Detection\"\r\n },\r\n \"effect-425bea59-a659-4cbb-8d31-34499bd030b8\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"modeRequirement-425bea59-a659-4cbb-8d31-34499bd030b8\" : { \r\n \"value\" : \"Detection\"\r\n },\r\n \"effect-564feb30-bf6a-4854-b4bb-0d2d2d1e6c66\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-055aa869-bc98-4af8-bafc-23f1ab6ffe2c\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-013e242c-8828-4970-87b3-ab247555486d\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-d38fc420-0735-4ef3-ac11-c806f651a570\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-a1181c5f-672a-477a-979a-7d58aa086233\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-308fbb08-4ab8-4e67-9b29-592e93fb94fa\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-4da35fc9-c9e7-4960-aec9-797fe7d9051d\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-523b5cd1-3e23-492f-a539-13118b6d1e3a\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-7fe3b40f-802b-4cdd-8bd4-fd799c948cc2\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-c25d9a16-bc35-4e15-a7e5-9db606bf9ed4\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-b0f33259-77d7-4c9e-aac6-3aabcfae693c\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-037eea7a-bd0a-46c5-9a66-03aea78705d3\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n 
\"effect-0725b4dd-7e76-479c-a735-68e7ee23d5ca\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-0820b7b9-23aa-4725-a1ce-ae4558f718e5\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-2c89a2e5-7285-40fe-afe0-ae8654b92fab\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-358c20a6-3f9e-4f0e-97ff-c6ce485e2aac\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-5744710e-cc2f-4ee8-8809-3b11e89f4bc9\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-ac4a19c2-fa67-49b4-8ae5-0b2e78c49457\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-c9d007d0-c057-4772-b18c-01e546713bcd\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-d0793b48-0edc-4296-a390-4c75d1bdfd71\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-e372f825-a257-4fb8-9175-797a8a8627d6\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-d158790f-bfb0-486c-8631-2dc6b4e8e6af\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-e802a67a-daf5-4436-9ea6-f6d821dd0c5d\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-a451c1ef-c6ca-483d-87ed-f49761e3ffb5\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftSql-servers-firewallRules-delete\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftNetwork-networkSecurityGroups-delete\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftClassicNetwork-networkSecurityGroups-delete\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftNetwork-networkSecurityGroups-securityRules-delete\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftClassicNetwork-networkSecurityGroups-securityRules-delete\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-ae89ebca-1c92-4898-ac2c-9f63decb045c\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n 
\"effect-d26f7642-7545-4e18-9b75-8c9bbdee3a9a\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-1a4e592a-6a6e-44a5-9814-e36264ca96e7\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-7796937f-307b-4598-941c-67d3a05ebfe7\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-c5447c04-a4d7-4ba8-a263-c9ee321a6858\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-41388f1c-2db0-4c25-95b2-35d7f5ccbfa9\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-b02aacc0-b073-424e-8298-42b22829ee0a\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-0ec47710-77ff-4a3d-9181-6aa50af424d0\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-48af4db5-9b8b-401c-8e74-076be876a430\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-82339799-d096-41ae-8538-b108becf0970\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-1b7aa243-30e4-4c9e-bca8-d0d3022b634a\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-bb91dfba-c30d-4263-9add-9c2384e659a6\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-e71308d3-144b-4262-b144-efdc3cc90517\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-2bdd0062-9d75-436e-89df-487dd8e4b3c7\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"effect-4733ea7b-a883-42fe-8cac-97454c2a9e4a\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-67121cc7-ff39-4ab8-b7e3-95b84dab487d\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-6fac406b-40ca-413b-bf8e-0bf964659c25\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-81e74cea-30fd-40d5-802f-d72103c2aaaa\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-c349d81b-9985-44ae-a8da-ff98d108ede8\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-f4b53539-8df9-40e4-86c6-6b607703bd4e\" : { \r\n \"value\" : 
\"Audit\"\r\n },\r\n \"effect-ec068d99-e9c7-401f-8cef-5bdde4e6ccf1\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-048248b0-55cd-46da-b1ff-39efd52db260\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-0d134df8-db83-46fb-ad72-fe0c9428c8dd\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-2c89a2e5-7285-40fe-afe0-ae8654b92fb2\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-3657f5a0-770e-44a3-b44e-9431ba1e9735\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-617c02be-7f02-4efd-8836-3180d47b6c68\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-7d7be79c-23ba-4033-84dd-45e2a5ccdd67\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-87ba29ef-1ab3-4d82-b763-87fcd4f531f7\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-f7d52b2d-e161-4dfa-a82b-55e564167385\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-c43e4a30-77cb-48ab-a4dd-93f175c63b57\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-1f314764-cb73-4fc9-b863-8eca98ac36e9\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-123a3936-f020-408a-ba0c-47873faf1534\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n }\r\n}\r\n", + "modifiedAssignment": "[if(and(equals(toLower(environment().name), toLower('AzureCloud')), equals(toLower(parameters('builtInAssignment')), toLower('IL5'))), 'NISTRev4', parameters('builtInAssignment'))]", + "assignmentName": "[format('{0} {1}', variables('modifiedAssignment'), resourceGroup().name)]", + "agentVmssAssignmentName": "[format('Deploy VMSS Agents {0}', resourceGroup().name)]", + "agentVmAssignmentName": "[format('Deploy VM Agents {0}', resourceGroup().name)]", + "contributorRoleDefinitionId": 
"[resourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "lawsReaderRoleDefinitionId": "[resourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]" + }, + "resources": [ { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "remoteAccess-windowsNetworkInterface", + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2020-09-01", + "name": "[variables('assignmentName')]", + "location": "[parameters('location')]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "ipConfigurationName": { - "value": "[parameters('windowsNetworkInterfaceIpConfigurationName')]" - }, - "location": { - "value": "[parameters('location')]" - }, - "name": { - "value": "[parameters('windowsNetworkInterfaceName')]" - }, - "networkSecurityGroupId": { - "value": "[parameters('hubNetworkSecurityGroupResourceId')]" - }, - "privateIPAddressAllocationMethod": { - "value": "[parameters('windowsNetworkInterfacePrivateIPAddressAllocationMethod')]" - }, - "subnetId": { - "value": "[parameters('hubSubnetResourceId')]" - }, - "tags": { - "value": "[parameters('tags')]" + "policyDefinitionId": "[createObject('NISTRev4', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f', 'parameters', json(replace(variables('$fxv#0'), '', extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))))), 'NISTRev5', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f', 'parameters', json(variables('$fxv#1'))), 'IL5', createObject('id', 
'/providers/Microsoft.Authorization/policySetDefinitions/f9a961fa-3241-4b20-adc4-bbf8ad9d7197', 'parameters', json(replace(variables('$fxv#2'), '', extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))))), 'CMMC', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/b5629c75-5c77-4422-87b9-2509e680f8de', 'parameters', json(replace(variables('$fxv#3'), '', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName')), '2021-06-01').customerId))))[variables('modifiedAssignment')].id]", + "parameters": "[createObject('NISTRev4', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f', 'parameters', json(replace(variables('$fxv#0'), '', extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))))), 'NISTRev5', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f', 'parameters', json(variables('$fxv#1'))), 'IL5', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/f9a961fa-3241-4b20-adc4-bbf8ad9d7197', 'parameters', json(replace(variables('$fxv#2'), '', extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))))), 'CMMC', createObject('id', 
'/providers/Microsoft.Authorization/policySetDefinitions/b5629c75-5c77-4422-87b9-2509e680f8de', 'parameters', json(replace(variables('$fxv#3'), '', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName')), '2021-06-01').customerId))))[variables('modifiedAssignment')].parameters]" + }, + "identity": { + "type": "SystemAssigned" + } + }, + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2020-09-01", + "name": "[variables('agentVmssAssignmentName')]", + "location": "[parameters('location')]", + "properties": { + "policyDefinitionId": "[tenantResourceId('Microsoft.Authorization/policySetDefinitions', '75714362-cae7-409e-9b99-a8e5075b7fad')]", + "parameters": { + "logAnalytics_1": { + "value": "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))]" } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "16624262267285514706" - } - }, - "parameters": { - "name": { - "type": "string" - }, - "location": { - "type": "string" - }, - "tags": { - "type": "object", - "defaultValue": {} - }, - "ipConfigurationName": { - "type": "string" - }, - "subnetId": { - "type": "string" - }, - "networkSecurityGroupId": { - "type": "string" - }, - "privateIPAddressAllocationMethod": { - "type": "string" - } - }, - "resources": [ - { - "type": "Microsoft.Network/networkInterfaces", - "apiVersion": "2021-02-01", - "name": "[parameters('name')]", - "location": 
"[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "ipConfigurations": [ - { - "name": "[parameters('ipConfigurationName')]", - "properties": { - "subnet": { - "id": "[parameters('subnetId')]" - }, - "privateIPAllocationMethod": "[parameters('privateIPAddressAllocationMethod')]" - } - } - ], - "networkSecurityGroup": { - "id": "[parameters('networkSecurityGroupId')]" - } - } - } - ], - "outputs": { - "id": { - "type": "string", - "value": "[resourceId('Microsoft.Network/networkInterfaces', parameters('name'))]" - }, - "name": { - "type": "string", - "value": "[parameters('name')]" - } + } + }, + "identity": { + "type": "SystemAssigned" + } + }, + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2020-09-01", + "name": "[variables('agentVmAssignmentName')]", + "location": "[parameters('location')]", + "properties": { + "policyDefinitionId": "[tenantResourceId('Microsoft.Authorization/policySetDefinitions', '55f3eceb-5573-4f18-9695-226972c6d74a')]", + "parameters": { + "logAnalytics_1": { + "value": "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))]" } } + }, + "identity": { + "type": "SystemAssigned" } }, + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2020-04-01-preview", + "name": "[guid(variables('contributorRoleDefinitionId'), variables('assignmentName'))]", + "properties": { + "roleDefinitionId": "[variables('contributorRoleDefinitionId')]", + "principalId": "[if(empty(variables('modifiedAssignment')), '', reference(resourceId('Microsoft.Authorization/policyAssignments', variables('assignmentName')), '2020-09-01', 'full').identity.principalId)]", + "principalType": "ServicePrincipal" + }, + "dependsOn": [ + "[resourceId('Microsoft.Authorization/policyAssignments', 
variables('assignmentName'))]" + ] + }, + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2020-04-01-preview", + "name": "[guid(variables('contributorRoleDefinitionId'), variables('agentVmssAssignmentName'))]", + "properties": { + "roleDefinitionId": "[variables('contributorRoleDefinitionId')]", + "principalId": "[reference(resourceId('Microsoft.Authorization/policyAssignments', variables('agentVmssAssignmentName')), '2020-09-01', 'full').identity.principalId]", + "principalType": "ServicePrincipal" + }, + "dependsOn": [ + "[resourceId('Microsoft.Authorization/policyAssignments', variables('agentVmssAssignmentName'))]" + ] + }, + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2020-04-01-preview", + "name": "[guid(variables('contributorRoleDefinitionId'), variables('agentVmAssignmentName'))]", + "properties": { + "roleDefinitionId": "[variables('contributorRoleDefinitionId')]", + "principalId": "[reference(resourceId('Microsoft.Authorization/policyAssignments', variables('agentVmAssignmentName')), '2020-09-01', 'full').identity.principalId]", + "principalType": "ServicePrincipal" + }, + "dependsOn": [ + "[resourceId('Microsoft.Authorization/policyAssignments', variables('agentVmAssignmentName'))]" + ] + }, + { + "condition": "[parameters('deployRemediation')]", + "type": "Microsoft.PolicyInsights/remediations", + "apiVersion": "2019-07-01", + "name": "VM-Agent-Policy-Remediation", + "properties": { + "policyAssignmentId": "[resourceId('Microsoft.Authorization/policyAssignments', variables('agentVmAssignmentName'))]", + "resourceDiscoveryMode": "ReEvaluateCompliance" + }, + "dependsOn": [ + "[resourceId('Microsoft.Authorization/policyAssignments', variables('agentVmAssignmentName'))]" + ] + }, { "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", - "name": "remoteAccess-windowsVirtualMachine", + "name": "[format('Assign-Laws-Role-Policy-{0}', resourceGroup().name)]", + "subscriptionId": 
"[parameters('operationsSubscriptionId')]", + "resourceGroup": "[parameters('logAnalyticsWorkspaceResourceGroupName')]", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { - "adminPassword": { - "value": "[parameters('windowsVmAdminPassword')]" - }, - "adminUsername": { - "value": "[parameters('windowsVmAdminUsername')]" - }, - "createOption": { - "value": "[parameters('windowsVmCreateOption')]" - }, - "diskEncryptionSetResourceId": { - "value": "[parameters('diskEncryptionSetResourceId')]" - }, - "diskName": { - "value": "[parameters('windowsDiskName')]" - }, - "hybridUseBenefit": { - "value": "[parameters('hybridUseBenefit')]" - }, - "location": { - "value": "[parameters('location')]" - }, - "logAnalyticsWorkspaceId": { - "value": "[parameters('logAnalyticsWorkspaceId')]" - }, - "name": { - "value": "[parameters('windowsVmName')]" - }, - "networkInterfaceName": { - "value": "[reference(resourceId('Microsoft.Resources/deployments', 'remoteAccess-windowsNetworkInterface'), '2022-09-01').outputs.name.value]" - }, - "offer": { - "value": "[parameters('windowsVmOffer')]" - }, - "publisher": { - "value": "[parameters('windowsVmPublisher')]" - }, - "size": { - "value": "[parameters('windowsVmSize')]" - }, - "sku": { - "value": "[parameters('windowsVmSku')]" - }, - "storageAccountType": { - "value": "[parameters('windowsVmStorageAccountType')]" + "targetResourceId": { + "value": "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))]" }, - "tags": { - "value": "[parameters('tags')]" + "roleDefinitionId": { + "value": "[variables('lawsReaderRoleDefinitionId')]" }, - "version": { - "value": "[parameters('windowsVmVersion')]" + "principalId": { + "value": "[reference(resourceId('Microsoft.Authorization/policyAssignments', 
variables('agentVmAssignmentName')), '2020-09-01', 'full').identity.principalId]" } }, "template": { 
@@ -8660,245 +8551,356 @@ "_generator": { "name": "bicep", "version": "0.24.24.22086", - "templateHash": "5793129099305307535" + "templateHash": "8686326864657481429" } }, "parameters": { - "adminPassword": { - "type": "securestring", - "minLength": 12 - }, - "adminUsername": { + "targetResourceId": { "type": "string" }, - "createOption": { + "roleDefinitionId": { "type": "string" }, - "dataDisks": { - "type": "array", - "defaultValue": [] - }, - "diskEncryptionSetResourceId": { + "principalId": { "type": "string" }, - "diskName": { - "type": "string" + "principalType": { + "type": "string", + "defaultValue": "ServicePrincipal", + "allowedValues": [ + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ] }, - "hybridUseBenefit": { - "type": "bool" - }, - "location": { - "type": "string" - }, - "logAnalyticsWorkspaceId": { - "type": "string" - }, - "name": { - "type": "string" - }, - "networkInterfaceName": { - "type": "string" - }, - "offer": { - "type": "string" - }, - "publisher": { - "type": "string" - }, - "size": { - "type": "string" - }, - "sku": { - "type": "string" - }, - "storageAccountType": { - "type": "string" - }, - "tags": { - "type": "object", - "defaultValue": {} - }, - "version": { - "type": "string" + "description": { + "type": "string", + "defaultValue": "" } }, "resources": [ { - "type": "Microsoft.Compute/virtualMachines", - "apiVersion": "2021-04-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "identity": { - "type": "SystemAssigned" - }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2020-04-01-preview", + "name": "[guid(parameters('targetResourceId'), parameters('roleDefinitionId'), parameters('principalId'))]", "properties": { - "diagnosticsProfile": { - "bootDiagnostics": { - "enabled": false - } - }, - "hardwareProfile": { - "vmSize": "[parameters('size')]" - }, - "networkProfile": { - "networkInterfaces": [ - { - "id": 
"[resourceId('Microsoft.Network/networkInterfaces', parameters('networkInterfaceName'))]", - "properties": { - "deleteOption": "Delete" - } - } - ] - }, - "osProfile": { - "computerName": "[take(parameters('name'), 15)]", - "adminUsername": "[parameters('adminUsername')]", - "adminPassword": "[parameters('adminPassword')]" - }, - "securityProfile": { - "uefiSettings": { - "secureBootEnabled": true, - "vTpmEnabled": true - }, - "securityType": "trustedLaunch", - "encryptionAtHost": true - }, - "storageProfile": { - "imageReference": { - "publisher": "[parameters('publisher')]", - "offer": "[parameters('offer')]", - "sku": "[parameters('sku')]", - "version": "[parameters('version')]" - }, - "osDisk": { - "caching": "ReadWrite", - "createOption": "[parameters('createOption')]", - "deleteOption": "Delete", - "managedDisk": { - "diskEncryptionSet": { - "id": "[parameters('diskEncryptionSetResourceId')]" - }, - "storageAccountType": "[parameters('storageAccountType')]" - }, - "name": "[parameters('diskName')]", - "osType": "Windows" - }, - "dataDisks": "[parameters('dataDisks')]" - }, - "licenseType": "[if(parameters('hybridUseBenefit'), 'Windows_Server', null())]" + "principalId": "[parameters('principalId')]", + "principalType": "[parameters('principalType')]", + "roleDefinitionId": "[parameters('roleDefinitionId')]", + "description": "[parameters('description')]" } - }, - { - "type": "Microsoft.Compute/virtualMachines/extensions", - "apiVersion": "2021-03-01", - "name": "[format('{0}/{1}', parameters('name'), 'GuestAttestation')]", - "location": "[parameters('location')]", - "properties": { - "publisher": "Microsoft.Azure.Security.WindowsAttestation", - "type": "GuestAttestation", - "typeHandlerVersion": "1.0", - "autoUpgradeMinorVersion": true, - "settings": { - "AttestationConfig": { - "MaaSettings": { - "maaEndpoint": "", - "maaTenantName": "GuestAttestation" - }, - "AscSettings": { - "ascReportingEndpoint": "", - "ascReportingFrequency": "" - }, - 
"useCustomToken": "false", - "disableAlerts": "false" - } - } - }, - "dependsOn": [ - "[resourceId('Microsoft.Compute/virtualMachines', parameters('name'))]" - ] - }, - { - "type": "Microsoft.Compute/virtualMachines/extensions", - "apiVersion": "2021-04-01", - "name": "[format('{0}/{1}', parameters('name'), 'DependencyAgentWindows')]", - "location": "[parameters('location')]", - "properties": { - "publisher": "Microsoft.Azure.Monitoring.DependencyAgent", - "type": "DependencyAgentWindows", - "typeHandlerVersion": "9.5", - "autoUpgradeMinorVersion": true - }, - "dependsOn": [ - "[resourceId('Microsoft.Compute/virtualMachines', parameters('name'))]" - ] - }, - { - "type": "Microsoft.Compute/virtualMachines/extensions", - "apiVersion": "2021-04-01", - "name": "[format('{0}/{1}', parameters('name'), 'AzurePolicyforWindows')]", - "location": "[parameters('location')]", - "properties": { - "publisher": "Microsoft.GuestConfiguration", - "type": "ConfigurationforWindows", - "typeHandlerVersion": "1.0", - "autoUpgradeMinorVersion": true, - "enableAutomaticUpgrade": true - }, - "dependsOn": [ - "[resourceId('Microsoft.Compute/virtualMachines', parameters('name'))]" - ] - }, - { - "type": "Microsoft.Compute/virtualMachines/extensions", - "apiVersion": "2021-04-01", - "name": "[format('{0}/{1}', parameters('name'), 'MMAExtension')]", - "location": "[parameters('location')]", - "properties": { - "publisher": "Microsoft.EnterpriseCloud.Monitoring", - "type": "MicrosoftMonitoringAgent", - "typeHandlerVersion": "1.0", - "settings": { - "workspaceId": "[reference(parameters('logAnalyticsWorkspaceId'), '2015-11-01-preview').customerId]", - "stopOnMultipleConnections": true - }, - "protectedSettings": { - "workspaceKey": "[listKeys(parameters('logAnalyticsWorkspaceId'), '2015-11-01-preview').primarySharedKey]" - } - }, - "dependsOn": [ - "[resourceId('Microsoft.Compute/virtualMachines', parameters('name'))]" - ] - }, - { - "type": "Microsoft.Compute/virtualMachines/extensions", - 
"apiVersion": "2021-04-01", - "name": "[format('{0}/{1}', parameters('name'), 'Microsoft.Azure.NetworkWatcher')]", - "location": "[parameters('location')]", - "properties": { - "publisher": "Microsoft.Azure.NetworkWatcher", - "type": "NetworkWatcherAgentWindows", - "typeHandlerVersion": "1.4" - }, - "dependsOn": [ - "[resourceId('Microsoft.Compute/virtualMachines', parameters('name'))]" - ] } ] } }, "dependsOn": [ - "[resourceId('Microsoft.Resources/deployments', 'remoteAccess-windowsNetworkInterface')]" + "[resourceId('Microsoft.Authorization/policyAssignments', variables('agentVmAssignmentName'))]" ] } ] } }, "dependsOn": [ - "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-azure-monitor-private-link-{0}', parameters('deploymentNameSuffix')))]", - "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix')))]", - "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix')))]", - "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-cmk-ops-{0}', parameters('deploymentNameSuffix')))]" + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix')))]" + ] + }, + { + "condition": "[parameters('deployDefender')]", + "type": 
"Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('set-hub-sub-defender-{0}', parameters('deploymentNameSuffix'))]", + "subscriptionId": "[parameters('hubSubscriptionId')]", + "location": "[deployment().location]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "logAnalyticsWorkspaceId": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.id.value]" + }, + "emailSecurityContact": { + "value": "[parameters('emailSecurityContact')]" + }, + "defenderSkuTier": { + "value": "[parameters('defenderSkuTier')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.24.24.22086", + "templateHash": "17349871984393503749" + } + }, + "parameters": { + "bundle": { + "type": "array", + "defaultValue": "[if(equals(environment().name, 'AzureCloud'), createArray('Api', 'AppServices', 'Arm', 'CloudPosture', 'Containers', 'CosmosDbs', 'KeyVaults', 'OpenSourceRelationalDatabases', 'SqlServers', 'SqlServerVirtualMachines', 'StorageAccounts', 'VirtualMachines'), if(equals(environment().name, 'AzureUSGovernment'), createArray('Arm', 'Containers', 'OpenSourceRelationalDatabases', 'SqlServers', 'SqlServerVirtualMachines', 'StorageAccounts', 'VirtualMachines'), createArray()))]" + }, + "enableAutoProvisioning": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Turn automatic deployment by Defender of the MMA (OMS VM extension) on or off" + } + }, + "logAnalyticsWorkspaceId": { + "type": "string", + "metadata": { + "description": "Specify the 
ID of your custom Log Analytics workspace to collect Defender data." + } + }, + "emailSecurityContact": { + "type": "string", + "metadata": { + "description": "Email address of the contact, in the form of john@doe.com" + } + }, + "policySetDescription": { + "type": "string", + "defaultValue": "The Microsoft Cloud Security Benchmark initiative represents the policies and controls implementing security recommendations defined in Microsoft Cloud Security Benchmark v2, see https://aka.ms/azsecbm. This also serves as the Microsoft Defender for Cloud default policy initiative. You can directly assign this initiative, or manage its policies and compliance results within Microsoft Defender.", + "metadata": { + "description": "Policy Initiative description field" + } + }, + "defenderSkuTier": { + "type": "string", + "defaultValue": "Standard", + "metadata": { + "description": "[Standard/Free] The SKU for Defender. It defaults to \"Standard\"." + } + } + }, + "variables": { + "autoProvisioning": "[if(parameters('enableAutoProvisioning'), 'On', 'Off')]" + }, + "resources": [ + { + "copy": { + "name": "defenderPricing", + "count": "[length(parameters('bundle'))]", + "mode": "serial", + "batchSize": 1 + }, + "type": "Microsoft.Security/pricings", + "apiVersion": "2023-01-01", + "name": "[parameters('bundle')[copyIndex()]]", + "properties": { + "pricingTier": "[parameters('defenderSkuTier')]" + } + }, + { + "type": "Microsoft.Security/autoProvisioningSettings", + "apiVersion": "2019-01-01", + "name": "default", + "properties": { + "autoProvision": "[variables('autoProvisioning')]" + } + }, + { + "type": "Microsoft.Security/workspaceSettings", + "apiVersion": "2019-01-01", + "name": "default", + "properties": { + "workspaceId": "[parameters('logAnalyticsWorkspaceId')]", + "scope": "[subscription().id]" + } + }, + { + "condition": "[not(empty(parameters('emailSecurityContact')))]", + "type": "Microsoft.Security/securityContacts", + "apiVersion": "2020-01-01-preview", + "name": 
"default", + "properties": { + "notificationsByRole": { + "roles": [ + "AccountAdmin", + "Contributor", + "Owner", + "ServiceAdmin" + ], + "state": "On" + }, + "alertNotifications": { + "state": "On" + }, + "emails": "[parameters('emailSecurityContact')]" + } + }, + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2022-06-01", + "name": "Microsoft Cloud Security Benchmark", + "properties": { + "displayName": "Defender Default", + "description": "[parameters('policySetDescription')]", + "enforcementMode": "DoNotEnforce", + "parameters": {}, + "policyDefinitionId": "[tenantResourceId('Microsoft.Authorization/policySetDefinitions', '1f3afdf9-d0c9-4c3d-847f-89da613e70a8')]" + } + } + ] + } + }, + "dependsOn": [ + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix')))]" + ] + }, + { + "copy": { + "name": "spokeDefender", + "count": "[length(variables('spokes'))]" + }, + "condition": "[and(parameters('deployDefender'), not(equals(variables('spokes')[copyIndex()].subscriptionId, parameters('hubSubscriptionId'))))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('set-{0}-sub-defender', variables('spokes')[copyIndex()].name)]", + "subscriptionId": "[variables('spokes')[copyIndex()].subscriptionId]", + "location": "[deployment().location]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "logAnalyticsWorkspaceId": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.id.value]" + }, + 
"emailSecurityContact": { + "value": "[parameters('emailSecurityContact')]" + }, + "defenderSkuTier": { + "value": "[parameters('defenderSkuTier')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.24.24.22086", + "templateHash": "17349871984393503749" + } + }, + "parameters": { + "bundle": { + "type": "array", + "defaultValue": "[if(equals(environment().name, 'AzureCloud'), createArray('Api', 'AppServices', 'Arm', 'CloudPosture', 'Containers', 'CosmosDbs', 'KeyVaults', 'OpenSourceRelationalDatabases', 'SqlServers', 'SqlServerVirtualMachines', 'StorageAccounts', 'VirtualMachines'), if(equals(environment().name, 'AzureUSGovernment'), createArray('Arm', 'Containers', 'OpenSourceRelationalDatabases', 'SqlServers', 'SqlServerVirtualMachines', 'StorageAccounts', 'VirtualMachines'), createArray()))]" + }, + "enableAutoProvisioning": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Turn automatic deployment by Defender of the MMA (OMS VM extension) on or off" + } + }, + "logAnalyticsWorkspaceId": { + "type": "string", + "metadata": { + "description": "Specify the ID of your custom Log Analytics workspace to collect Defender data." + } + }, + "emailSecurityContact": { + "type": "string", + "metadata": { + "description": "Email address of the contact, in the form of john@doe.com" + } + }, + "policySetDescription": { + "type": "string", + "defaultValue": "The Microsoft Cloud Security Benchmark initiative represents the policies and controls implementing security recommendations defined in Microsoft Cloud Security Benchmark v2, see https://aka.ms/azsecbm. This also serves as the Microsoft Defender for Cloud default policy initiative. 
You can directly assign this initiative, or manage its policies and compliance results within Microsoft Defender.", + "metadata": { + "description": "Policy Initiative description field" + } + }, + "defenderSkuTier": { + "type": "string", + "defaultValue": "Standard", + "metadata": { + "description": "[Standard/Free] The SKU for Defender. It defaults to \"Standard\"." + } + } + }, + "variables": { + "autoProvisioning": "[if(parameters('enableAutoProvisioning'), 'On', 'Off')]" + }, + "resources": [ + { + "copy": { + "name": "defenderPricing", + "count": "[length(parameters('bundle'))]", + "mode": "serial", + "batchSize": 1 + }, + "type": "Microsoft.Security/pricings", + "apiVersion": "2023-01-01", + "name": "[parameters('bundle')[copyIndex()]]", + "properties": { + "pricingTier": "[parameters('defenderSkuTier')]" + } + }, + { + "type": "Microsoft.Security/autoProvisioningSettings", + "apiVersion": "2019-01-01", + "name": "default", + "properties": { + "autoProvision": "[variables('autoProvisioning')]" + } + }, + { + "type": "Microsoft.Security/workspaceSettings", + "apiVersion": "2019-01-01", + "name": "default", + "properties": { + "workspaceId": "[parameters('logAnalyticsWorkspaceId')]", + "scope": "[subscription().id]" + } + }, + { + "condition": "[not(empty(parameters('emailSecurityContact')))]", + "type": "Microsoft.Security/securityContacts", + "apiVersion": "2020-01-01-preview", + "name": "default", + "properties": { + "notificationsByRole": { + "roles": [ + "AccountAdmin", + "Contributor", + "Owner", + "ServiceAdmin" + ], + "state": "On" + }, + "alertNotifications": { + "state": "On" + }, + "emails": "[parameters('emailSecurityContact')]" + } + }, + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2022-06-01", + "name": "Microsoft Cloud Security Benchmark", + "properties": { + "displayName": "Defender Default", + "description": "[parameters('policySetDescription')]", + "enforcementMode": "DoNotEnforce", + "parameters": {}, + 
"policyDefinitionId": "[tenantResourceId('Microsoft.Authorization/policySetDefinitions', '1f3afdf9-d0c9-4c3d-847f-89da613e70a8')]" + } + } + ] + } + }, + "dependsOn": [ + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix')))]" ] } ], diff --git a/src/bicep/modules/private-link.bicep b/src/bicep/modules/azure-monitor.bicep similarity index 100% rename from src/bicep/modules/private-link.bicep rename to src/bicep/modules/azure-monitor.bicep