diff --git a/.github/linters/.eslintrc.yml b/.github/linters/.eslintrc.yml new file mode 100644 index 000000000..e8c576c87 --- /dev/null +++ b/.github/linters/.eslintrc.yml @@ -0,0 +1,73 @@ +--- +############################# +############################# +## JavaScript Linter rules ## +############################# +############################# + +############ +# Env Vars # +############ +env: + browser: true + es6: true + jest: true + +############### +# Global Vars # +############### +globals: + Atomics: readonly + SharedArrayBuffer: readonly + +############### +# Parser vars # +############### +parser: "@typescript-eslint/parser" +parserOptions: + ecmaVersion: 2018 + sourceType: module + +########### +# Plugins # +########### +plugins: + - "@typescript-eslint" + +######### +# Rules # +######### +rules: { } + +############################## +# Overrides for JSON parsing # +############################## +overrides: + # JSON files + - files: + - "*.json" + extends: + - plugin:jsonc/recommended-with-json + parser: jsonc-eslint-parser + parserOptions: + jsonSyntax: JSONC + rules: + "jsonc/no-comments": "warn" + + # JSONC files + - files: + - "*.jsonc" + extends: + - plugin:jsonc/recommended-with-jsonc + parser: jsonc-eslint-parser + parserOptions: + jsonSyntax: JSONC + + # JSON5 files + - files: + - "*.json5" + extends: + - plugin:jsonc/recommended-with-json5 + parser: jsonc-eslint-parser + parserOptions: + jsonSyntax: JSON5 diff --git a/.github/linters/.markdown-lint.yml b/.github/linters/.markdown-lint.yml index 764e93077..d51b179c9 100644 --- a/.github/linters/.markdown-lint.yml +++ b/.github/linters/.markdown-lint.yml @@ -32,4 +32,4 @@ MD036: false # Emphasis used instead of a heading ################# # Rules by tags # ################# -blank_lines: false # Error on blank lines \ No newline at end of file +blank_lines: false # Error on blank lines 
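Review bot: The top-level configuration in the new `.eslintrc.yml` turns on no rules: `rules: { }` is empty and there is no top-level `extends`, so for JavaScript and TypeScript files this lint step can only report parse errors. Only the `*.json`, `*.jsonc` and `*.json5` overrides extend a rule set. If the linter is meant to act as a gate, add a baseline such as `extends: [eslint:recommended]` above `rules:`; if it is intentionally a JSON-only check, say so in a comment under the `# Rules #` banner. The `*.json` override also sets `jsonSyntax: JSONC` and lowers `jsonc/no-comments` to `warn`, so comments in strict `.json` files pass with a warning only; if that is deliberate, a one-line comment saying why would help.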
diff --git a/.github/scripts/EnterpriseScaleLibraryTools/EnterpriseScaleLibraryTools.psm1 b/.github/scripts/EnterpriseScaleLibraryTools/EnterpriseScaleLibraryTools.psm1 index f479a6a41..d333a7431 100644 --- a/.github/scripts/EnterpriseScaleLibraryTools/EnterpriseScaleLibraryTools.psm1 +++ b/.github/scripts/EnterpriseScaleLibraryTools/EnterpriseScaleLibraryTools.psm1 @@ -502,7 +502,7 @@ class ArmTemplateResource : ESLTBase { [Object] ToTemplateFile() { if ($this.type -eq "Microsoft.Authorization/policyAssignments") { $this.properties.scope = "`${current_scope_resource_id}" - $this.properties.policyDefinitionId = "`${varTargetManagementGroupResourceID}/" + $this.properties.policyDefinitionId = "`${varTargetManagementGroupResourceId}/" $this.location = "`${default_location}" } if ($this.type -eq "Microsoft.Authorization/policyDefinitions") { @@ -513,7 +513,7 @@ class ArmTemplateResource : ESLTBase { foreach ($policyDefinition in $this.properties.policyDefinitions) { $regexMatches = [ArmTemplateResource]::regexExtractProviderId.Matches($policyDefinition.policyDefinitionId) if ($regexMatches.Index -gt 0) { - $policyDefinition.policyDefinitionId = "`${varTargetManagementGroupResourceID}$($regexMatches.Value)" + $policyDefinition.policyDefinitionId = "`${varTargetManagementGroupResourceId}$($regexMatches.Value)" } else { $policyDefinition.policyDefinitionId = $regexMatches.Value diff --git a/.github/scripts/Invoke-PolicyToBicep-China.ps1 b/.github/scripts/Invoke-PolicyToBicep-China.ps1 index dc397a7e1..2c57e45eb 100644 --- a/.github/scripts/Invoke-PolicyToBicep-China.ps1 +++ b/.github/scripts/Invoke-PolicyToBicep-China.ps1 
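Review bot: Renaming the placeholder to `${varTargetManagementGroupResourceId}` in both hunks of `ToTemplateFile()` changes a literal token that other files have to match, and neither the consumer nor the already-generated library files are visible in these hunks. If the downstream substitution is a case-sensitive string replace, any file still carrying `${varTargetManagementGroupResourceID}` would keep an unresolved `policyDefinitionId`, and the assignment would reference no definition; please confirm the matching replace and the regenerated files are part of this commit. A comment above the first assignment, for example `# Placeholder token substituted downstream; keep the spelling in sync with the consumer`, would make the coupling visible. `ToTemplateFile()` continues outside both hunks.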
@@ -96,9 +96,9 @@ Get-ChildItem -Recurse -Path "./infra-as-code/bicep/modules/policy/definitions/l if (($policySetDefinitionsOutputForBicep.Count) -ne 0) { $policySetDefinitionsOutputForBicep.Keys | Sort-Object | ForEach-Object { $definitionReferenceId = $_ - $definitionID = $($policySetDefinitionsOutputForBicep[$_]) + $definitionId = $($policySetDefinitionsOutputForBicep[$_]) # Add nested array of objects to each Policy Set/Initiative Definition in the Bicep variable - Add-Content -Path "./infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/_mc_policySetDefinitionsBicepInput.txt" -Encoding "utf8" -Value "`t`t{`r`n`t`t`tdefinitionReferenceID: '$definitionReferenceId'`r`n`t`t`tdefinitionID: '$definitionID'`r`n`t`t`tdefinitionParameters: json(loadTextContent('lib/china/policy_set_definitions/$parametersFileName')).$definitionReferenceId.parameters`r`n`t`t}" + Add-Content -Path "./infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/_mc_policySetDefinitionsBicepInput.txt" -Encoding "utf8" -Value "`t`t{`r`n`t`t`tdefinitionReferenceId: '$definitionReferenceId'`r`n`t`t`tdefinitionId: '$definitionId'`r`n`t`t`tdefinitionParameters: json(loadTextContent('lib/china/policy_set_definitions/$parametersFileName')).$definitionReferenceId.parameters`r`n`t`t}" } } 
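Review bot: The `-Value` string on the new `Add-Content` line interpolates `$definitionReferenceId` and `$definitionId` straight into Bicep source with no escaping or validation, once inside single-quoted literals and once as the bare property accessor `.$definitionReferenceId.parameters`. These values are presumably read from the policy set library JSON, so an ID containing `'`, a space or a hyphen would produce invalid or altered Bicep in the generated input file. Escape quotes before writing (`$definitionReferenceId.Replace("'", "\'")`) and emit the accessor in bracket form, `)['$definitionReferenceId'].parameters`, or reject IDs that do not match an allow-list pattern. The same line appears in the `Invoke-PolicyToBicep.ps1` hunk at `@@ -96,9 +96,9 @@`; the enclosing `ForEach-Object` block starts outside the hunk.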
@@ -128,7 +128,7 @@ Get-ChildItem -Recurse -Path "./infra-as-code/bicep/modules/policy/assignments/l $policyAssignmentNameNoHyphens = $policyAssignmentName.replace("-","") Write-Information "==> Adding '$policyAssignmentName' to '$PWD/_policyAssignmentsBicepInput.txt'" -InformationAction Continue - Add-Content -Path "./infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/_policyAssignmentsBicepInput.txt" -Encoding "utf8" -Value "var varPolicyAssignment$policyAssignmentNameNoHyphens = {`r`n`tdefinitionID: '$policyAssignmentDefinitionID'`r`n`tlibDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/$fileName'))`r`n}`r`n" + Add-Content -Path "./infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/_policyAssignmentsBicepInput.txt" -Encoding "utf8" -Value "var varPolicyAssignment$policyAssignmentNameNoHyphens = {`r`n`tdefinitionId: '$policyAssignmentDefinitionID'`r`n`tlibDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/$fileName'))`r`n}`r`n" } $policyAssignmentCount = Get-ChildItem -Recurse -Path "./infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments" -Filter "*.json" | Measure-Object diff --git a/.github/scripts/Invoke-PolicyToBicep.ps1 b/.github/scripts/Invoke-PolicyToBicep.ps1 index 60f2ce23a..5ca46aa4d 100644 --- a/.github/scripts/Invoke-PolicyToBicep.ps1 +++ b/.github/scripts/Invoke-PolicyToBicep.ps1 
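Review bot: The emitted property is now `definitionId`, but its value still comes from `$policyAssignmentDefinitionID`, which keeps the `ID` casing the rest of this commit removes. PowerShell variable names are case-insensitive, so behaviour is unchanged, but for consistency rename it to `$policyAssignmentDefinitionId` here and where it is assigned (outside this hunk). The `Write-Information` line just above reports `$PWD/_policyAssignmentsBicepInput.txt` while the file is written under `./infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/`, so the log names a path that is not the one touched. Both points apply equally to the `Invoke-PolicyToBicep.ps1` hunk at `@@ -128,7 +128,7 @@`.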
@@ -96,9 +96,9 @@ Get-ChildItem -Recurse -Path "./infra-as-code/bicep/modules/policy/definitions/l if (($policySetDefinitionsOutputForBicep.Count) -ne 0) { $policySetDefinitionsOutputForBicep.Keys | Sort-Object | ForEach-Object { $definitionReferenceId = $_ - $definitionID = $($policySetDefinitionsOutputForBicep[$_]) + $definitionId = $($policySetDefinitionsOutputForBicep[$_]) # Add nested array of objects to each Policy Set/Initiative Definition in the Bicep variable - Add-Content -Path "./infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/_policySetDefinitionsBicepInput.txt" -Encoding "utf8" -Value "`t`t{`r`n`t`t`tdefinitionReferenceID: '$definitionReferenceId'`r`n`t`t`tdefinitionID: '$definitionID'`r`n`t`t`tdefinitionParameters: json(loadTextContent('lib/policy_set_definitions/$parametersFileName')).$definitionReferenceId.parameters`r`n`t`t}" + Add-Content -Path "./infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/_policySetDefinitionsBicepInput.txt" -Encoding "utf8" -Value "`t`t{`r`n`t`t`tdefinitionReferenceId: '$definitionReferenceId'`r`n`t`t`tdefinitionId: '$definitionId'`r`n`t`t`tdefinitionParameters: json(loadTextContent('lib/policy_set_definitions/$parametersFileName')).$definitionReferenceId.parameters`r`n`t`t}" } } 
@@ -128,7 +128,7 @@ Get-ChildItem -Recurse -Path "./infra-as-code/bicep/modules/policy/assignments/l $policyAssignmentNameNoHyphens = $policyAssignmentName.replace("-","") Write-Information "==> Adding '$policyAssignmentName' to '$PWD/_policyAssignmentsBicepInput.txt'" -InformationAction Continue - Add-Content -Path "./infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/_policyAssignmentsBicepInput.txt" -Encoding "utf8" -Value "var varPolicyAssignment$policyAssignmentNameNoHyphens = {`r`n`tdefinitionID: '$policyAssignmentDefinitionID'`r`n`tlibDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/$fileName'))`r`n}`r`n" + Add-Content -Path "./infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/_policyAssignmentsBicepInput.txt" -Encoding "utf8" -Value "var varPolicyAssignment$policyAssignmentNameNoHyphens = {`r`n`tdefinitionId: '$policyAssignmentDefinitionID'`r`n`tlibDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/$fileName'))`r`n}`r`n" } $policyAssignmentCount = Get-ChildItem -Recurse -Path "./infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments" -Filter "*.json" | Measure-Object diff --git a/.github/workflows/bicep-build-to-validate.yml b/.github/workflows/bicep-build-to-validate.yml index 2ea2d3f6f..28406cdf2 100644 --- a/.github/workflows/bicep-build-to-validate.yml +++ b/.github/workflows/bicep-build-to-validate.yml @@ -22,7 +22,7 @@ jobs: - name: Bicep Build & Lint All Modules shell: pwsh run: | - Get-ChildItem -Recurse -Filter '*.bicep' -Exclude 'callModuleFromACR.example.bicep','orch-hubSpoke.bicep' | ForEach-Object { + Get-ChildItem -Recurse -Filter '*.bicep' -Exclude 'callModuleFromACR.example.bicep','orchHubSpoke.bicep' | ForEach-Object { Write-Information "==> Attempting Bicep Build For File: $_" -InformationAction Continue $output = bicep build $_.FullName 2>&1 if ($LastExitCode -ne 0) 
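Review bot: `-Exclude` on the changed `Get-ChildItem` line matches on leaf name at any depth, so any file called `orchHubSpoke.bicep` or `callModuleFromACR.example.bicep` anywhere in the repository skips the build and lint step. The list also has to be edited by hand whenever a file is renamed, as in this commit. Add a `#` comment above the `Get-ChildItem` line stating why each file is excluded, and consider logging the skipped files so that a template dropped from validation is visible in the run output. The `if ($LastExitCode -ne 0)` block continues outside the hunk.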
diff --git a/docs/wiki/Contributing.md b/docs/wiki/Contributing.md index aba72289f..ef6e5caf0 100644 --- a/docs/wiki/Contributing.md +++ b/docs/wiki/Contributing.md @@ -70,13 +70,15 @@ Throughout the development of Bicep code you should follow the [Bicep Best Pract ### Bicep Code Styling -- Camel Casing must be used for all elements: +- Strict `camelCasing` must be used for all elements: - Symbolic names for: - Parameters - Variables - Resource - Modules - Outputs +- All `par` and `out` values in Bicep templates should include full product name instead of `camelCased` abbreviation, for example: `parExpressRouteGwName` instead of `parErGwName` +- Services with "Azure" in the name are abbreviated "Az", for example: `parAzBastionName` instead of `parAzureBastionName` - Use [parameter decorators](https://docs.microsoft.com/azure/azure-resource-manager/bicep/parameters#decorators) to ensure integrity of user inputs are complete and therefore enable successful deployment - Only use the [`@secure()` parameter decorator](https://docs.microsoft.com/azure/azure-resource-manager/bicep/parameters#secure-parameters) for inputs. Never for outputs as this is not stored securely and will be stored/shown as plain-text! - Comments should be provided where additional information/description of what is happening is required, except when a decorator like `@description('Example description')` is providing adequate coverage 
@@ -233,4 +235,11 @@ To author Bicep modules that are in-line with the requirements for this project, } ``` - - The Bicep module file & parameters file, complete with default values. + - The Bicep module file + - A `parameters` folder that will contain the parameters files for the module + - Parameters `...all.json` and `...min.json` files based on file naming convention below + - Parameter files should be named according to the convention: `..parameters..json` +   - `` denotes the current module (and scope when necessary), for example: `roleAssignmentManagementGroup` +   - `` denotes a set of parameters with similar characteristics, for example: `securityGroup` +   - `parameters` constant to denote the file as a parameters file +   - `.json` denotes whether a parameter file contains all possible parameters or only minimum necessary for deployment diff --git a/docs/wiki/PipelinesADO.md b/docs/wiki/PipelinesADO.md index edbb5dc48..119349752 100644 --- a/docs/wiki/PipelinesADO.md +++ b/docs/wiki/PipelinesADO.md @@ -57,8 +57,8 @@ jobs: scriptLocation: 'inlineScript' inlineScript: | az deployment mg create \ - --template-file infra-as-code/bicep/modules/policy/definitions/custom-policy-definitions.bicep \ - --parameters @infra-as-code/bicep/modules/policy/definitions/custom-policy-definitions.parameters.example.json \ + --template-file infra-as-code/bicep/modules/policy/definitions/customPolicyDefinitions.bicep \ + --parameters @infra-as-code/bicep/modules/policy/definitions/parameters/customPolicyDefinitions.parameters.all.json \ --location $(Location) \ --management-group-id $(ManagementGroupPrefix) \ --name create_policy_defs-$(RunNumber) 
@@ -73,7 +73,7 @@ jobs: inlineScript: | az deployment mg create \ --template-file infra-as-code/bicep/modules/customRoleDefinitions/customRoleDefinitions.bicep \ - --parameters @infra-as-code/bicep/modules/customRoleDefinitions/customRoleDefinitions.parameters.example.json \ + --parameters @infra-as-code/bicep/modules/customRoleDefinitions/parameters/customRoleDefinitions.parameters.all.json \ --location $(Location) \ --management-group-id $(ManagementGroupPrefix) \ --name create_rbac_roles-$(RunNumber) @@ -105,7 +105,7 @@ jobs: az deployment group create \ --resource-group $(LoggingResourceGroupName) \ --template-file infra-as-code/bicep/modules/logging/logging.bicep \ - --parameters @infra-as-code/bicep/modules/logging/logging.parameters.example.json \ + --parameters @infra-as-code/bicep/modules/logging/parameters/logging.parameters.all.json \ --name create_logging-$(RunNumber) - task: AzureCLI@2 @@ -135,7 +135,7 @@ jobs: az deployment group create \ --resource-group $(HubNetworkResourceGroupName) \ --template-file infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep \ - --parameters @infra-as-code/bicep/modules/hubNetworking/hubNetworking.parameters.example.json \ + --parameters @infra-as-code/bicep/modules/hubNetworking/parameters/hubNetworking.parameters.all.json \ --name create_hub_network-$(RunNumber) - task: AzureCLI@2 @@ -148,7 +148,7 @@ jobs: inlineScript: | az deployment mg create \ --template-file infra-as-code/bicep/modules/roleAssignments/roleAssignmentManagementGroup.bicep \ - --parameters @infra-as-code/bicep/modules/roleAssignments/roleAssignmentManagementGroup.parameters.service-principal.example.json \ + --parameters @infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroup.servicePrincipal.parameters.all.json \ --location $(Location) \ --management-group-id $(RoleAssignmentManagementGroupId) \ --name create_role_assignment-$(RunNumber) 
@@ -163,7 +163,7 @@ jobs: inlineScript: | az deployment mg create \ --template-file infra-as-code/bicep/modules/subscriptionPlacement/subscriptionPlacement.bicep \ - --parameters @infra-as-code/bicep/modules/subscriptionPlacement/subscriptionPlacement.parameters.example.json \ + --parameters @infra-as-code/bicep/modules/subscriptionPlacement/parameters/subscriptionPlacement.parameters.all.json \ --location $(Location) \ --management-group-id $(ManagementGroupPrefix) \ --name create_subscription_placement-$(RunNumber) @@ -178,7 +178,7 @@ jobs: inlineScript: | az deployment mg create \ --template-file infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep \ - --parameters @infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.parameters.example.json \ + --parameters @infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.all.json \ --location $(Location) \ --management-group-id $(ManagementGroupPrefix) \ --name create_policy_assignments-$(RunNumber) @@ -210,6 +210,6 @@ jobs: az deployment group create \ --resource-group $(SpokeNetworkResourceGroupName) \ --template-file infra-as-code/bicep/modules/spokeNetworking/spokeNetworking.bicep \ - --parameters @infra-as-code/bicep/modules/spokeNetworking/spokeNetworking.parameters.example.json \ + --parameters @infra-as-code/bicep/modules/spokeNetworking/parameters/spokeNetworking.parameters.all.json \ --name create_spoke_network-$(RunNumber) ``` \ No newline at end of file diff --git a/docs/wiki/PipelinesGitHub.md b/docs/wiki/PipelinesGitHub.md index 6de080926..ad0fd6e9b 100644 --- a/docs/wiki/PipelinesGitHub.md +++ b/docs/wiki/PipelinesGitHub.md 
@@ -55,8 +55,8 @@ jobs: scope: managementgroup managementGroupId: ${{ env.ManagementGroupPrefix }} region: ${{ env.Location }} - template: infra-as-code/bicep/modules/policy/definitions/custom-policy-definitions.bicep - parameters: infra-as-code/bicep/modules/policy/definitions/custom-policy-definitions.parameters.example.json + template: infra-as-code/bicep/modules/policy/definitions/customPolicyDefinitions.bicep + parameters: infra-as-code/bicep/modules/policy/definitions/parameters/customPolicyDefinitions.parameters.all.json deploymentName: create_policy_defs-${{ env.runNumber }} failOnStdErr: false @@ -68,7 +68,7 @@ jobs: managementGroupId: ${{ env.ManagementGroupPrefix }} region: ${{ env.Location }} template: infra-as-code/bicep/modules/customRoleDefinitions/customRoleDefinitions.bicep - parameters: infra-as-code/bicep/modules/customRoleDefinitions/customRoleDefinitions.parameters.example.json + parameters: infra-as-code/bicep/modules/customRoleDefinitions/parameters/customRoleDefinitions.parameters.all.json deploymentName: create_rbac_roles-${{ env.runNumber }} failOnStdErr: false @@ -91,7 +91,7 @@ jobs: subscriptionId: ${{ env.LoggingSubId }} resourceGroupName: ${{ env.LoggingResourceGroupName }} template: infra-as-code/bicep/modules/logging/logging.bicep - parameters: infra-as-code/bicep/modules/logging/logging.parameters.example.json + parameters: infra-as-code/bicep/modules/logging/parameters/logging.parameters.all.json deploymentName: create_logging-${{ env.runNumber }} failOnStdErr: false @@ -114,7 +114,7 @@ jobs: subscriptionId: ${{ env.HubNetworkSubId }} resourceGroupName: ${{ env.HubNetworkResourceGroupName }} template: infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep - parameters: infra-as-code/bicep/modules/hubNetworking/hubNetworking.parameters.example.json + parameters: infra-as-code/bicep/modules/hubNetworking/parameters/hubNetworking.parameters.all.json deploymentName: create_hub_network-${{ env.runNumber }} failOnStdErr: false 
@@ -126,7 +126,7 @@ jobs: managementGroupId: ${{ env.RoleAssignmentManagementGroupId }} region: ${{ env.Location }} template: infra-as-code/bicep/modules/roleAssignments/roleAssignmentManagementGroup.bicep - parameters: infra-as-code/bicep/modules/roleAssignments/roleAssignmentManagementGroup.parameters.service-principal.example.json + parameters: infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroup.servicePrincipal.parameters.all.json deploymentName: create_role_assignment-${{ env.runNumber }} failOnStdErr: false @@ -138,7 +138,7 @@ jobs: managementGroupId: ${{ env.ManagementGroupPrefix }} region: ${{ env.Location }} template: infra-as-code/bicep/modules/subscriptionPlacement/subscriptionPlacement.bicep - parameters: infra-as-code/bicep/modules/subscriptionPlacement/subscriptionPlacement.parameters.example.json + parameters: infra-as-code/bicep/modules/subscriptionPlacement/parameters/subscriptionPlacement.parameters.all.json deploymentName: create_subscription_placement-${{ env.runNumber }} failOnStdErr: false @@ -150,7 +150,7 @@ jobs: managementGroupId: ${{ env.ManagementGroupPrefix }} region: ${{ env.Location }} template: infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep - parameters: infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.parameters.example.json + parameters: infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.all.json deploymentName: create_policy_assignments-${{ env.runNumber }} failOnStdErr: false 
@@ -173,7 +173,7 @@ jobs: subscriptionId: ${{ env.SpokeNetworkSubId }} resourceGroupName: ${{ env.SpokeNetworkResourceGroupName }} template: infra-as-code/bicep/modules/spokeNetworking/spokeNetworking.bicep - parameters: infra-as-code/bicep/modules/spokeNetworking/spokeNetworking.parameters.example.json + parameters: infra-as-code/bicep/modules/spokeNetworking/parameters/spokeNetworking.parameters.all.json deploymentName: create_spoke_network-${{ env.runNumber }} failOnStdErr: false ``` \ No newline at end of file diff --git a/infra-as-code/bicep/CRML/containerRegistry/README.md b/infra-as-code/bicep/CRML/containerRegistry/README.md index fd546e215..f363c1960 100644 --- a/infra-as-code/bicep/CRML/containerRegistry/README.md +++ b/infra-as-code/bicep/CRML/containerRegistry/README.md @@ -42,7 +42,7 @@ az group create --location eastus2 \ az deployment group create \ --resource-group Bicep_Acr \ --template-file infra-as-code/bicep/CRML/containerRegistry/containerRegistry.bicep \ - --parameters @infra-as-code/bicep/CRML/containerRegistry/containerRegistry.parameters.example.json + --parameters @infra-as-code/bicep/CRML/containerRegistry/parameters/containerRegistry.parameters.all.json ``` ### PowerShell @@ -53,7 +53,7 @@ New-AzResourceGroup -Name 'Bicep_ACR' ` New-AzResourceGroupDeployment ` -TemplateFile infra-as-code/bicep/CRML/containerRegistry/containerRegistry.bicep ` - -TemplateParameterFile infra-as-code/bicep/CRML/containerRegistry/containerRegistry.parameters.example.json + -TemplateParameterFile infra-as-code/bicep/CRML/containerRegistry/parameters/containerRegistry.parameters.all.json ``` ## Bicep Visualizer 
diff --git a/infra-as-code/bicep/CRML/containerRegistry/containerRegistry.parameters.example.json b/infra-as-code/bicep/CRML/containerRegistry/parameters/containerRegistry.parameters.all.json similarity index 100% rename from infra-as-code/bicep/CRML/containerRegistry/containerRegistry.parameters.example.json rename to infra-as-code/bicep/CRML/containerRegistry/parameters/containerRegistry.parameters.all.json diff --git a/infra-as-code/bicep/CRML/subscriptionAlias/README.md b/infra-as-code/bicep/CRML/subscriptionAlias/README.md index e70770fd1..24200fca2 100644 --- a/infra-as-code/bicep/CRML/subscriptionAlias/README.md +++ b/infra-as-code/bicep/CRML/subscriptionAlias/README.md @@ -41,7 +41,7 @@ In this example, the Subscription is created upon an EA Account through a tenant ```bash az deployment tenant create \ --template-file infra-as-code/bicep/CRML/subscriptionAlias/subscriptionAlias.bicep \ - --parameters @infra-as-code/bicep/CRML/subscriptionAlias/parameters/subscriptionAlias.parameters.minimum.example.json \ + --parameters @infra-as-code/bicep/CRML/subscriptionAlias/parameters/subscriptionAlias.parameters.all.json \ --location eastus ``` @@ -50,7 +50,7 @@ az deployment tenant create \ ```powershell New-AzTenantDeployment ` -TemplateFile infra-as-code/bicep/CRML/subscriptionAlias/subscriptionAlias.bicep ` - -TemplateParameterFile infra-as-code/bicep/CRML/subscriptionAlias/parameters/subscriptionAlias.parameters.minimum.example.json ` + -TemplateParameterFile infra-as-code/bicep/CRML/subscriptionAlias/parameters/subscriptionAlias.parameters.all.json ` -Location eastus ``` 
diff --git a/infra-as-code/bicep/CRML/subscriptionAlias/parameters/subscriptionAlias.parameters.example.json b/infra-as-code/bicep/CRML/subscriptionAlias/parameters/subscriptionAlias.parameters.all.json
similarity index 100%
rename from infra-as-code/bicep/CRML/subscriptionAlias/parameters/subscriptionAlias.parameters.example.json
rename to infra-as-code/bicep/CRML/subscriptionAlias/parameters/subscriptionAlias.parameters.all.json
diff --git a/infra-as-code/bicep/CRML/subscriptionAlias/parameters/subscriptionAlias.parameters.minimum.example.json b/infra-as-code/bicep/CRML/subscriptionAlias/parameters/subscriptionAlias.parameters.min.json
similarity index 100%
rename from infra-as-code/bicep/CRML/subscriptionAlias/parameters/subscriptionAlias.parameters.minimum.example.json
rename to infra-as-code/bicep/CRML/subscriptionAlias/parameters/subscriptionAlias.parameters.min.json
diff --git a/infra-as-code/bicep/modules/customRoleDefinitions/README.md b/infra-as-code/bicep/modules/customRoleDefinitions/README.md
index fa72f6f1b..3aed7d069 100644
--- a/infra-as-code/bicep/modules/customRoleDefinitions/README.md
+++ b/infra-as-code/bicep/modules/customRoleDefinitions/README.md
@@ -37,12 +37,12 @@ There are two different sets of deployment; one for deploying to Azure global re | Azure Cloud | Bicep template | Input parameters file | | -------------- | ------------------------------ | ------------------------------------------------- | - | Global regions | customRoleDefinitions.bicep | custom-policy-definitions.parameters.example.json | - | China regions | mc-customRoleDefinitions.bicep | custom-policy-definitions.parameters.example.json | + | Global regions | customRoleDefinitions.bicep | parameters/customRoleDefinitions.parameters.all.json | + | China regions | mc-customRoleDefinitions.bicep | parameters/customRoleDefinitions.parameters.all.json | In this example, the custom roles will be deployed to the `alz` management group (the intermediate root management group). -Input parameter file `customRoleDefinitions.parameters.example.json` defines the assignable scope for the roles. In this case, it will be the same management group (i.e. `alz`) as the one specified for the deployment operation. There is no change in the input parameter file for different Azure clouds because there is no change to the intermediate root management group. +Input parameter file `parameters/customRoleDefinitions.parameters.all.json` defines the assignable scope for the roles. In this case, it will be the same management group (i.e. `alz`) as the one specified for the deployment operation. There is no change in the input parameter file for different Azure clouds because there is no change to the intermediate root management group. > For the examples below we assume you have downloaded or cloned the Git repo as-is and are in the root of the repository as your selected directory in your terminal of choice. 
@@ -51,7 +51,7 @@ Input parameter file `customRoleDefinitions.parameters.example.json` defines the # For Azure global regions az deployment mg create \ --template-file infra-as-code/bicep/modules/customRoleDefinitions/customRoleDefinitions.bicep \ - --parameters @infra-as-code/bicep/modules/customRoleDefinitions/customRoleDefinitions.parameters.example.json \ + --parameters @infra-as-code/bicep/modules/customRoleDefinitions/parameters/customRoleDefinitions.parameters.all.json \ --location eastus \ --management-group-id alz ``` @@ -60,7 +60,7 @@ OR # For Azure China regions az deployment mg create \ --template-file infra-as-code/bicep/modules/customRoleDefinitions/mc-customRoleDefinitions.bicep \ - --parameters @infra-as-code/bicep/modules/customRoleDefinitions/customRoleDefinitions.parameters.example.json \ + --parameters @infra-as-code/bicep/modules/customRoleDefinitions/parameters/customRoleDefinitions.parameters.all.json \ --location chinaeast2 \ --management-group-id alz ``` @@ -71,7 +71,7 @@ az deployment mg create \ # For Azure global regions New-AzManagementGroupDeployment ` -TemplateFile infra-as-code/bicep/modules/customRoleDefinitions/customRoleDefinitions.bicep ` - -TemplateParameterFile infra-as-code/bicep/modules/customRoleDefinitions/customRoleDefinitions.parameters.example.json ` + -TemplateParameterFile infra-as-code/bicep/modules/customRoleDefinitions/parameters/customRoleDefinitions.parameters.all.json ` -Location eastus ` -ManagementGroupId alz ``` @@ -80,7 +80,7 @@ OR # For Azure China regions New-AzManagementGroupDeployment ` -TemplateFile infra-as-code/bicep/modules/customRoleDefinitions/mc-customRoleDefinitions.bicep ` - -TemplateParameterFile infra-as-code/bicep/modules/customRoleDefinitions/customRoleDefinitions.parameters.example.json ` + -TemplateParameterFile infra-as-code/bicep/modules/customRoleDefinitions/parameters/customRoleDefinitions.parameters.all.json ` -Location chinaeast2 ` -ManagementGroupId alz ``` 
diff --git a/infra-as-code/bicep/modules/customRoleDefinitions/customRoleDefinitions.bicep b/infra-as-code/bicep/modules/customRoleDefinitions/customRoleDefinitions.bicep index 5e7fbb1da..240f4ecde 100644 --- a/infra-as-code/bicep/modules/customRoleDefinitions/customRoleDefinitions.bicep +++ b/infra-as-code/bicep/modules/customRoleDefinitions/customRoleDefinitions.bicep @@ -9,28 +9,28 @@ param parTelemetryOptOut bool = false // Customer Usage Attribution Id var varCuaid = '032d0904-3d50-45ef-a6c1-baa9d82e23ff' -module modRolesSubscriptionOwnerRole 'definitions/caf-subscription-owner-role.bicep' = { +module modRolesSubscriptionOwnerRole 'definitions/cafSubscriptionOwnerRole.bicep' = { name: 'deploy-subscription-owner-role' params: { parAssignableScopeManagementGroupId: parAssignableScopeManagementGroupId } } -module modRolesApplicationOwnerRole 'definitions/caf-application-owner-role.bicep' = { +module modRolesApplicationOwnerRole 'definitions/cafApplicationOwnerRole.bicep' = { name: 'deploy-application-owner-role' params: { parAssignableScopeManagementGroupId: parAssignableScopeManagementGroupId } } -module modRolesNetworkManagementRole 'definitions/caf-network-management-role.bicep' = { +module modRolesNetworkManagementRole 'definitions/cafNetworkManagementRole.bicep' = { name: 'deploy-network-management-role' params: { parAssignableScopeManagementGroupId: parAssignableScopeManagementGroupId } } -module modRolesSecurityOperationsRole 'definitions/caf-security-operations-role.bicep' = { +module modRolesSecurityOperationsRole 'definitions/cafSecurityOperationsRole.bicep' = { name: 'deploy-security-operations-role' params: { parAssignableScopeManagementGroupId: parAssignableScopeManagementGroupId 
diff --git a/infra-as-code/bicep/modules/customRoleDefinitions/definitions/caf-application-owner-role.bicep b/infra-as-code/bicep/modules/customRoleDefinitions/definitions/cafApplicationOwnerRole.bicep
similarity index 100%
rename from infra-as-code/bicep/modules/customRoleDefinitions/definitions/caf-application-owner-role.bicep
rename to infra-as-code/bicep/modules/customRoleDefinitions/definitions/cafApplicationOwnerRole.bicep
diff --git a/infra-as-code/bicep/modules/customRoleDefinitions/definitions/caf-network-management-role.bicep b/infra-as-code/bicep/modules/customRoleDefinitions/definitions/cafNetworkManagementRole.bicep
similarity index 100%
rename from infra-as-code/bicep/modules/customRoleDefinitions/definitions/caf-network-management-role.bicep
rename to infra-as-code/bicep/modules/customRoleDefinitions/definitions/cafNetworkManagementRole.bicep
diff --git a/infra-as-code/bicep/modules/customRoleDefinitions/definitions/caf-security-operations-role.bicep b/infra-as-code/bicep/modules/customRoleDefinitions/definitions/cafSecurityOperationsRole.bicep
similarity index 100%
rename from infra-as-code/bicep/modules/customRoleDefinitions/definitions/caf-security-operations-role.bicep
rename to infra-as-code/bicep/modules/customRoleDefinitions/definitions/cafSecurityOperationsRole.bicep
diff --git a/infra-as-code/bicep/modules/customRoleDefinitions/definitions/caf-subscription-owner-role.bicep b/infra-as-code/bicep/modules/customRoleDefinitions/definitions/cafSubscriptionOwnerRole.bicep
similarity index 100%
rename from infra-as-code/bicep/modules/customRoleDefinitions/definitions/caf-subscription-owner-role.bicep
rename to infra-as-code/bicep/modules/customRoleDefinitions/definitions/cafSubscriptionOwnerRole.bicep
diff --git a/infra-as-code/bicep/modules/customRoleDefinitions/definitions/china/mc-caf-network-management-role.bicep b/infra-as-code/bicep/modules/customRoleDefinitions/definitions/china/mc-cafNetworkManagementRole.bicep
similarity index 100%
rename from infra-as-code/bicep/modules/customRoleDefinitions/definitions/china/mc-caf-network-management-role.bicep
rename to infra-as-code/bicep/modules/customRoleDefinitions/definitions/china/mc-cafNetworkManagementRole.bicep
diff --git a/infra-as-code/bicep/modules/customRoleDefinitions/definitions/china/mc-caf-security-operations-role.bicep b/infra-as-code/bicep/modules/customRoleDefinitions/definitions/china/mc-cafSecurityOperationsRole.bicep
similarity index 100%
rename from infra-as-code/bicep/modules/customRoleDefinitions/definitions/china/mc-caf-security-operations-role.bicep
rename to infra-as-code/bicep/modules/customRoleDefinitions/definitions/china/mc-cafSecurityOperationsRole.bicep
diff --git a/infra-as-code/bicep/modules/customRoleDefinitions/mc-customRoleDefinitions.bicep b/infra-as-code/bicep/modules/customRoleDefinitions/mc-customRoleDefinitions.bicep
index 47713abfc..0172691aa 100644
--- a/infra-as-code/bicep/modules/customRoleDefinitions/mc-customRoleDefinitions.bicep
+++ b/infra-as-code/bicep/modules/customRoleDefinitions/mc-customRoleDefinitions.bicep
@@ -3,34 +3,47 @@ targetScope = 'managementGroup' @description('The management group scope to which the role can be assigned. This management group ID will be used for the assignableScopes property in the role definition.') param parAssignableScopeManagementGroupId string = 'alz' -module modRolesSubscriptionOwnerRole 'definitions/caf-subscription-owner-role.bicep' = { +@description('Set Parameter to true to Opt-out of deployment telemetry') +param parTelemetryOptOut bool = false + +// Customer Usage Attribution Id +var varCuaid = '032d0904-3d50-45ef-a6c1-baa9d82e23ff' + +module modRolesSubscriptionOwnerRole 'definitions/cafSubscriptionOwnerRole.bicep' = { name: 'deploy-subscription-owner-role' params: { parAssignableScopeManagementGroupId: parAssignableScopeManagementGroupId } } -module modRolesApplicationOwnerRole 'definitions/caf-application-owner-role.bicep' = { +module modRolesApplicationOwnerRole 'definitions/cafApplicationOwnerRole.bicep' = { name: 'deploy-application-owner-role' params: { parAssignableScopeManagementGroupId: parAssignableScopeManagementGroupId } } -module modRolesNetworkManagementRole 'definitions/china/mc-caf-network-management-role.bicep' = { +module modRolesNetworkManagementRole 'definitions/china/mc-cafNetworkManagementRole.bicep' = { name: 'deploy-network-management-role' params: { parAssignableScopeManagementGroupId: parAssignableScopeManagementGroupId } } -module modRolesSecurityOperationsRole 'definitions/china/mc-caf-security-operations-role.bicep' = { +module modRolesSecurityOperationsRole 'definitions/china/mc-cafSecurityOperationsRole.bicep' = { name: 'deploy-security-operations-role' params: { parAssignableScopeManagementGroupId: parAssignableScopeManagementGroupId } } +// Optional Deployment for Customer Usage Attribution +module modCustomerUsageAttribution '../../CRML/customerUsageAttribution/cuaIdManagementGroup.bicep' = if (!parTelemetryOptOut) { + #disable-next-line no-loc-expr-outside-params //Only to ensure telemetry data 
is stored in same location as deployment. See https://github.com/Azure/ALZ-Bicep/wiki/FAQ#why-are-some-linter-rules-disabled-via-the-disable-next-line-bicep-function for more information + name: 'pid-${varCuaid}-${uniqueString(deployment().location)}' + params: {} +} + output outRolesSubscriptionOwnerRoleId string = modRolesSubscriptionOwnerRole.outputs.outRoleDefinitionId output outRolesApplicationOwnerRoleId string = modRolesApplicationOwnerRole.outputs.outRoleDefinitionId output outRolesNetworkManagementRoleId string = modRolesNetworkManagementRole.outputs.outRoleDefinitionId diff --git a/infra-as-code/bicep/modules/customRoleDefinitions/customRoleDefinitions.parameters.example.json b/infra-as-code/bicep/modules/customRoleDefinitions/parameters/customRoleDefinitions.parameters.all.json similarity index 100% rename from infra-as-code/bicep/modules/customRoleDefinitions/customRoleDefinitions.parameters.example.json rename to infra-as-code/bicep/modules/customRoleDefinitions/parameters/customRoleDefinitions.parameters.all.json diff --git a/infra-as-code/bicep/modules/customRoleDefinitions/parameters/customRoleDefinitions.parameters.min.json b/infra-as-code/bicep/modules/customRoleDefinitions/parameters/customRoleDefinitions.parameters.min.json new file mode 100644 index 000000000..c0c35c39e --- /dev/null +++ b/infra-as-code/bicep/modules/customRoleDefinitions/parameters/customRoleDefinitions.parameters.min.json @@ -0,0 +1,12 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "parAssignableScopeManagementGroupId": { + "value": "alz" + }, + "parTelemetryOptOut": { + "value": false + } + } +} \ No newline at end of file diff --git a/infra-as-code/bicep/modules/hubNetworking/README.md b/infra-as-code/bicep/modules/hubNetworking/README.md index 9942ec487..5d9674881 100644 --- a/infra-as-code/bicep/modules/hubNetworking/README.md 
+++ b/infra-as-code/bicep/modules/hubNetworking/README.md 
@@ -19,33 +19,44 @@ The module requires the following inputs: | Parameter | Type | Default | Description | Requirement | Example | | --------------------------------- | ------ | ---------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------- | ---------------------------------------------- | | parLocation | string | `resourceGroup().location` | The Azure Region to deploy the resources into | None | `eastus` | - | parBastionEnabled | bool | true | Switch to enable deployment of Bastion Service | None | true | + | parAzBastionEnabled | bool | true | Switch to enable deployment of Bastion Service | None | true | | parDdosEnabled | bool | true | Switch to enable deployment of distributed denial of service attacks service | None | true | - | parAzureFirewallEnabled | bool | true | Switch to enable deployment of Azure Firewall | None | true | + | parAzFirewallEnabled | bool | true | Switch to enable deployment of Azure Firewall | None | true | | parPrivateDnsZonesEnabled | bool | true | Switch to enable deployment of Azure Private DNS Zones | None | true | | parPrivateDnsZonesResourceGroup | string | `resourceGroup().name` | Target Resource Group Name for Azure Private DNS Zones | 1-90 char | `Hub_PrivateDNS_POC` - Must already be present | - | parPrivateDnsZones | array | See example parameters file [`hubNetworking.parameters.json`](hubNetworking.parameters.example.json) | Array of DNS 
Zones to provision in Hub Virtual Network. Default: All known Azure Private DNS Zones except for: `privatelink.batch.azure.com`, `privatelink.azmk8s.io` and `privatelink.siterecovery.windowsazure.com` as these are region specific and `privatelink.{dnsPrefix}.database.windows.net` as the DNS Prefix is individual, which you can add to the parameters file with the required region and DNS Prefix in the zone name that you wish to deploy for. For more details on private DNS Zones please refer to the above link. | None | See Default | + | parPrivateDnsZones | array | See example parameters file [`parameters/hubNetworking.parameters.all.json`](parameters/hubNetworking.parameters.all.json) | Array of DNS Zones to provision in Hub Virtual Network. Default: All known Azure Private DNS Zones except for: `privatelink.batch.azure.com`, `privatelink.azmk8s.io` and `privatelink.siterecovery.windowsazure.com` as these are region specific and `privatelink.{dnsPrefix}.database.windows.net` as the DNS Prefix is individual, which you can add to the parameters file with the required region and DNS Prefix in the zone name that you wish to deploy for. For more details on private DNS Zones please refer to the above link. | None | See Default | | parCompanyPrefix | string | alz | Prefix value which will be pre-appended to all resource names | 1-10 char | alz | - | parDdosPlanName | string | ${parCompanyPrefix}-ddos-plan | Name which will be associated with distributed denial of service protection plan | 1-80 char | alz-ddos-plan | - | parBastionName | string | ${parCompanyPrefix}-bastion | Name which will be associated with Bastion Service. 
| 1-80 char | alz-bastion | - | parBastionSku | string | Standard | SKU or Tier of Bastion Service to deploy | Standard or Basic | Standard | - | parPublicIPSku | string | Standard | SKU or Tier of Public IP to deploy | Standard or Basic | Standard | + | parDdosPlanName | string | `${parCompanyPrefix}-ddos-plan` | Name which will be associated with distributed denial of service protection plan | 1-80 char | alz-ddos-plan | + | parAzBastionName | string | `${parCompanyPrefix}-bastion` | Name which will be associated with Bastion Service. | 1-80 char | alz-bastion | + | parAzBastionSku | string | Standard | SKU or Tier of Bastion Service to deploy | Standard or Basic | Standard | + | parPublicIpSku | string | Standard | SKU or Tier of Public IP to deploy | Standard or Basic | Standard | | parTags | object | Empty Array [] | List of tags (Key Value Pairs) to be applied to resources | None | environment: 'development' | | parHubNetworkAddressPrefix | string | 10.10.0.0/16 | CIDR range for Hub Network | CIDR Notation | 10.10.0.0/16 | | parHubNetworkName | string | `${parCompanyPrefix}-hub-${parLocation}` | Name prefix for Virtual Network. Prefix will be appended with the region. | 2-50 char | alz-hub-eastus | - | parAzureFirewallName | string | `${parCompanyPrefix}-azfw-${parLocation}` | Name associated with Azure Firewall | 1-80 char | alz-azfw-eastus | - | parFirewallPoliciesName | string | `${parCompanyPrefix}-azfwpolicy-${resourceGroup().location}` | Name associated with Azure Firewall Policy | 1-80 char | alz-azfwpolicy-eastus | - | parAzureFirewallTier | string | Standard | Tier associated with the Firewall to be deployed. | Standard or Premium | Premium | - | parAzureFirewallAvailabilityZones | array | Empty Array [] | Availability Zones to deploy the Azure Firewall across. Region must support Availability Zones to use. If it does not then leave empty. 
| None | `['1']` or `['1' ,'2', '3']` | + | parAzFirewallName | string | `${parCompanyPrefix}-azfw-${parLocation}` | Name associated with Azure Firewall | 1-80 char | alz-azfw-eastus | + | parAzFirewallPoliciesName | string | `${parCompanyPrefix}-azfwpolicy-${resourceGroup().location}` | Name associated with Azure Firewall Policy | 1-80 char | alz-azfwpolicy-eastus | + | parAzFirewallTier | string | Standard | Tier associated with the Firewall to be deployed. | Standard or Premium | Premium | + | parAzFirewallAvailabilityZones | array | Empty Array [] | Availability Zones to deploy the Azure Firewall across. Region must support Availability Zones to use. If it does not then leave empty. | None | `['1']` or `['1' ,'2', '3']` | | parHubRouteTableName | string | `${parCompanyPrefix}-hub-routetable` | Name of route table to be associated with Hub Network | 1-80 char | alz-hub-routetable | - | parVpnGatewayConfig | object | See example parameters file [`hubNetworking.parameters.json`](hubNetworking.parameters.example.json) | Configuration for VPN virtual network gateway to be deployed. If a VPN virtual network gateway is not desired an empty object should be used as the input parameter in the parameter file, i.e. "parVpnGatewayConfig": {"value": {} }''' | None | See Default | - | parExpressRouteGatewayConfig | object | See example parameters file [`hubNetworking.parameters.json`](hubNetworking.parameters.example.json) | Configuration for ExpressRoute virtual network gateway to be deployed. If a ExpressRoute virtual network gateway is not desired an empty object should be used as the input parameter in the parameter file, i.e. 
"parExpressRouteGatewayConfig": {"value": {} }''' | None | See Default | - | parSubnets | array | See example parameters file [`hubNetworking.parameters.json`](hubNetworking.parameters.example.json) | Array of objects to provide for a dynamic set of subnets | Must provide array of objects | See Default | - | parDNSServerIPArray | array | Empty Array [] | Array of DNS Server IP addresses for VNet. | None | `['10.10.1.4', '10.10.2.4']` | - | parNetworkDNSEnableProxy | bool | true | Switch which enables DNS Proxy to be enabled on the Azure Firewall | None | true | - | parDisableBGPRoutePropagation | bool | false | Switch which allows BGP Propagation to be disabled on the route tables | None | false | + | parVpnGatewayConfig | object | See example parameters file [`parameters/hubNetworking.parameters.all.json`](parameters/hubNetworking.parameters.all.json) | Configuration for VPN virtual network gateway to be deployed. If a VPN virtual network gateway is not desired an empty object should be used as the input parameter in the parameter file, i.e. "parVpnGatewayConfig": {"value": {} }''' | None | See Default | + | parExpressRouteGatewayConfig | object | See example parameters file [`parameters/hubNetworking.parameters.all.json`](parameters/hubNetworking.parameters.all.json) | Configuration for ExpressRoute virtual network gateway to be deployed. If a ExpressRoute virtual network gateway is not desired an empty object should be used as the input parameter in the parameter file, i.e. "parExpressRouteGatewayConfig": {"value": {} }''' | None | See Default | + | parSubnets | array | See example parameters file [`parameters/hubNetworking.parameters.all.json`](parameters/hubNetworking.parameters.all.json) | Array of objects to provide for a dynamic set of subnets | Must provide array of objects | See Default | + | parDnsServerIps | array | Empty Array [] | Array of DNS Server IP addresses for VNet. 
| None | `['10.10.1.4', '10.10.2.4']` | + | parAzFirewallDnsProxyEnabled | bool | true | Switch which enables DNS Proxy to be enabled on the Azure Firewall | None | true | + | parDisableBgpRoutePropagation | bool | false | Switch which allows BGP Propagation to be disabled on the route tables | None | false | | parTelemetryOptOut | bool | false | Set Parameter to true to Opt-out of deployment telemetry | None | false | +> NOTE: When deploying using the `parameters/hubNetworking.parameters.all.json` you must update the `parPrivateDnsZones` parameter by replacing the `xxxxxx` placeholders with the deployment region. Failure to do so will cause these services to be unreachable over private endpoints. +> For example, if deploying to East US the following zone entries: +> - `privatelink.xxxxxx.azmk8s.io` +> - `privatelink.xxxxxx.backup.windowsazure.com` +> - `privatelink.xxxxxx.batch.azure.com` +> +> Will become: +> - `privatelink.eastus.azmk8s.io` +> - `privatelink.eastus.backup.windowsazure.com` +> - `privatelink.eastus.batch.azure.com` + ## Outputs 
@@ -53,8 +64,8 @@ The module will generate the following outputs: | Output | Type | Example | | ------------------------- | ------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| outAzureFirewallPrivateIP | string | 192.168.100.1 | -| outAzureFirewallName | string | MyAzureFirewall | +| outAzFirewallPrivateIp | string | 192.168.100.1 | +| outAzFirewallName | string | MyAzureFirewall | | outDdosPlanResourceId | string | /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/HUB_Networking_POC/providers/Microsoft.Network/ddosProtectionPlans/alz-ddos-plan | | outPrivateDnsZones | array | `["name": "privatelink.azurecr.io", "id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/net-lz-spk-eastus-rg/providers/Microsoft.Network/privateDnsZones/privatelink.azurecr.io"]` | @@ -69,8 +80,8 @@ There are two different sets of input parameters; one for deploying to Azure glo | Azure Cloud | Bicep template | Input parameters file | | -------------- | ------------------- | ---------------------------------------- | - | Global regions | hubNetworking.bicep | hubNetworking.parameters.example.json | - | China regions | hubNetworking.bicep | mc-hubNetworking.parameters.example.json | + | Global regions | hubNetworking.bicep | parameters/hubNetworking.parameters.all.json | + | China regions | hubNetworking.bicep | parameters/mc-hubNetworking.parameters.all.json | > For the examples below we assume you have downloaded or cloned the Git repo as-is and are in the root of the repository as your selected directory in your terminal of choice. 
@@ -87,7 +98,7 @@ az group create --location eastus \ az deployment group create \ --resource-group HUB_Networking_POC \ --template-file infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep \ - --parameters @infra-as-code/bicep/modules/hubNetworking/hubNetworking.parameters.example.json + --parameters @infra-as-code/bicep/modules/hubNetworking/parameters/hubNetworking.parameters.all.json ``` OR ```bash @@ -102,7 +113,7 @@ az group create --location chinaeast2 \ az deployment group create \ --resource-group HUB_Networking_POC \ --template-file infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep \ - --parameters @infra-as-code/bicep/modules/hubNetworking/mc-hubNetworking.parameters.example.json + --parameters @infra-as-code/bicep/modules/hubNetworking/parameters/mc-hubNetworking.parameters.all.json ``` ### PowerShell @@ -119,7 +130,7 @@ New-AzResourceGroup -Name 'Hub_Networking_POC' ` New-AzResourceGroupDeployment ` -TemplateFile infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep ` - -TemplateParameterFile infra-as-code/bicep/modules/hubNetworking/hubNetworking.parameters.example.json ` + -TemplateParameterFile infra-as-code/bicep/modules/hubNetworking/parameters/hubNetworking.parameters.all.json ` -ResourceGroupName 'Hub_Networking_POC' ``` OR 
@@ -135,10 +146,16 @@ New-AzResourceGroup -Name 'Hub_Networking_POC' ` New-AzResourceGroupDeployment ` -TemplateFile infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep ` - -TemplateParameterFile infra-as-code/bicep/modules/hubNetworking/mc-hubNetworking.parameters.example.json ` + -TemplateParameterFile infra-as-code/bicep/modules/hubNetworking/parameters/mc-hubNetworking.parameters.all.json ` -ResourceGroupName 'Hub_Networking_POC' ``` +## Example Output in Azure global regions + +![Example Deployment Output](media/exampleDeploymentOutput.png "Example Deployment Output in Azure global regions") + +## Example Output in Azure China regions +![Example Deployment Output](media/mc-exampleDeploymentOutput.png "Example Deployment Output in Azure China") ## Bicep Visualizer -![Bicep Visualizer](media/hubNetworkingBicepVisualizer.png "Bicep Visualizer") +![Bicep Visualizer](media/bicepVisualizer.png "Bicep Visualizer") diff --git a/infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep b/infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep index f98245335..6faedc2d6 100644 --- a/infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep +++ b/infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep 
@@ -27,45 +27,45 @@ param parSubnets array = [ ] @description('Array of DNS Server IP addresses for VNet. Default: Empty Array') -param parDNSServerIPArray array = [] +param parDnsServerIps array = [] @description('Public IP Address SKU. Default: Standard') @allowed([ 'Basic' 'Standard' ]) -param parPublicIPSku string = 'Standard' +param parPublicIpSku string = 'Standard' -@description('Switch which allows Bastion deployment to be disabled. Default: true') -param parBastionEnabled bool = true +@description('Switch to enable/disable Azure Bastion deployment. Default: true') +param parAzBastionEnabled bool = true @description('Name Associated with Bastion Service: Default: {parCompanyPrefix}-bastion') -param parBastionName string = '${parCompanyPrefix}-bastion' +param parAzBastionName string = '${parCompanyPrefix}-bastion' @description('Azure Bastion SKU or Tier to deploy. Currently two options exist Basic and Standard. Default: Standard') -param parBastionSku string = 'Standard' +param parAzBastionSku string = 'Standard' -@description('Switch which allows DDOS deployment to be disabled. Default: true') +@description('Switch to enable/disable DDoS Standard deployment. Default: true') param parDdosEnabled bool = true -@description('DDOS Plan Name. Default: {parCompanyPrefix}-ddos-plan') +@description('DDoS Plan Name. Default: {parCompanyPrefix}-ddos-plan') param parDdosPlanName string = '${parCompanyPrefix}-ddos-plan' -@description('Switch which allows Azure Firewall deployment to be disabled. Default: true') -param parAzureFirewallEnabled bool = true +@description('Switch to enable/disable Azure Firewall deployment. Default: true') +param parAzFirewallEnabled bool = true @description('Azure Firewall Name. Default: {parCompanyPrefix}-azure-firewall ') -param parAzureFirewallName string = '${parCompanyPrefix}-azfw-${parLocation}' +param parAzFirewallName string = '${parCompanyPrefix}-azfw-${parLocation}' @description('Azure Firewall Policies Name. 
Default: {parCompanyPrefix}-fwpol-{parLocation}') -param parFirewallPoliciesName string = '${parCompanyPrefix}-azfwpolicy-${parLocation}' +param parAzFirewallPoliciesName string = '${parCompanyPrefix}-azfwpolicy-${parLocation}' @description('Azure Firewall Tier associated with the Firewall to deploy. Default: Standard ') @allowed([ 'Standard' 'Premium' ]) -param parAzureFirewallTier string = 'Standard' +param parAzFirewallTier string = 'Standard' @allowed([ '1' @@ -73,18 +73,18 @@ param parAzureFirewallTier string = 'Standard' '3' ]) @description('Availability Zones to deploy the Azure Firewall across. Region must support Availability Zones to use. If it does not then leave empty.') -param parAzureFirewallAvailabilityZones array = [] +param parAzFirewallAvailabilityZones array = [] -@description('Switch which enables DNS Proxy to be enabled on the Azure Firewall. Default: true') -param parNetworkDNSEnableProxy bool = true +@description('Switch to enable/disable Azure Firewall DNS Proxy. Default: true') +param parAzFirewallDnsProxyEnabled bool = true @description('Name of Route table to create for the default route of Hub. Default: {parCompanyPrefix}-hub-routetable') param parHubRouteTableName string = '${parCompanyPrefix}-hub-routetable' -@description('Switch which allows BGP Propagation to be disabled on the route tables: Default: false') -param parDisableBGPRoutePropagation bool = false +@description('Switch to enable/disable BGP Propagation on route table. Default: false') +param parDisableBgpRoutePropagation bool = false -@description('Switch which allows and deploys Private DNS Zones. Default: true') +@description('Switch to enable/disable Private DNS Zones deployment. Default: true') param parPrivateDnsZonesEnabled bool = true @description('Resource Group Name for Private DNS Zones. Default: same resource group') 
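Review bot: `parAzBastionSku` is still a free-form string even though its description names exactly two valid values, while `parPublicIpSku` and `parAzFirewallTier` in the same hunk are constrained with `@allowed`. An `@allowed` decorator listing `'Basic'` and `'Standard'` above `param parAzBastionSku string = 'Standard'` would reject a mistyped SKU at template validation instead of partway through a hub deployment. Two descriptions in this hunk also disagree with the defaults they sit on: `parAzFirewallName` documents `{parCompanyPrefix}-azure-firewall` but defaults to `${parCompanyPrefix}-azfw-${parLocation}`, and `parAzFirewallPoliciesName` documents `-fwpol-` but defaults to `-azfwpolicy-`.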
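Review bot: The reworded description on `parDisableBgpRoutePropagation`, "Switch to enable/disable BGP Propagation on route table", no longer says which value does what, and this parameter is inverted relative to the other `...Enabled` switches in the hunk: `true` turns propagation off. I would write it as `@description('Set to true to disable BGP route propagation on the hub route table. Default: false')`. The value feeds `disableBgpRoutePropagation` on the route table that carries the `0.0.0.0/0` route to the firewall, so with the default `false` any more specific prefixes learned over the gateway would presumably be preferred over that route; the description is the place to tell operators this.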
@@ -153,9 +153,9 @@ param parPrivateDnsZones array = [ }''') param parVpnGatewayConfig object = { name: '${parCompanyPrefix}-Vpn-Gateway' - gatewaytype: 'Vpn' + gatewayType: 'Vpn' sku: 'VpnGw1' - vpntype: 'RouteBased' + vpnType: 'RouteBased' generation: 'Generation1' enableBgp: false activeActive: false @@ -176,9 +176,9 @@ param parVpnGatewayConfig object = { }''') param parExpressRouteGatewayConfig object = { name: '${parCompanyPrefix}-ExpressRoute-Gateway' - gatewaytype: 'ExpressRoute' + gatewayType: 'ExpressRoute' sku: 'ErGw1AZ' - vpntype: 'RouteBased' + vpnType: 'RouteBased' vpnGatewayGeneration: 'None' enableBgp: false activeActive: false @@ -206,13 +206,13 @@ var varSubnetProperties = [for subnet in parSubnets: { } }] -var varVpnGWConfig = ((!empty(parVpnGatewayConfig)) ? parVpnGatewayConfig : json('{"name": "noconfigVpn"}')) +var varVpnGwConfig = ((!empty(parVpnGatewayConfig)) ? parVpnGatewayConfig : json('{"name": "noconfigVpn"}')) -var varErGWConfig = ((!empty(parExpressRouteGatewayConfig)) ? parExpressRouteGatewayConfig : json('{"name": "noconfigEr"}')) +var varErGwConfig = ((!empty(parExpressRouteGatewayConfig)) ? parExpressRouteGatewayConfig : json('{"name": "noconfigEr"}')) var varGwConfig = [ - varVpnGWConfig - varErGWConfig + varVpnGwConfig + varErGwConfig ] // Customer Usage Attribution Id @@ -225,7 +225,7 @@ resource resDdosProtectionPlan 'Microsoft.Network/ddosProtectionPlans@2021-02-01 } //DDos Protection plan will only be enabled if parDdosEnabled is true. -resource resHubVirtualNetwork 'Microsoft.Network/virtualNetworks@2021-02-01' = { +resource resHubVnet 'Microsoft.Network/virtualNetworks@2021-02-01' = { name: parHubNetworkName location: parLocation tags: parTags @@ -236,7 +236,7 @@ resource resHubVirtualNetwork 'Microsoft.Network/virtualNetworks@2021-02-01' = { ] } dhcpOptions: { - dnsServers: parDNSServerIPArray + dnsServers: parDnsServerIps } subnets: varSubnetProperties enableDdosProtection: parDdosEnabled 
@@ -246,17 +246,17 @@ resource resHubVirtualNetwork 'Microsoft.Network/virtualNetworks@2021-02-01' = { } } -module modBastionPublicIP '../publicIp/publicIp.bicep' = if (parBastionEnabled) { +module modBastionPublicIp '../publicIp/publicIp.bicep' = if (parAzBastionEnabled) { name: 'deploy-Bastion-Public-IP' params: { parLocation: parLocation - parPublicIPName: '${parBastionName}-PublicIP' - parPublicIPSku: { - name: parPublicIPSku + parPublicIpName: '${parAzBastionName}-PublicIp' + parPublicIpSku: { + name: parPublicIpSku } - parPublicIPProperties: { - publicIPAddressVersion: 'IPv4' - publicIPAllocationMethod: 'Static' + parPublicIpProperties: { + publicIpAddressVersion: 'IPv4' + publicIpAllocationMethod: 'Static' } parTags: parTags parTelemetryOptOut: parTelemetryOptOut @@ -264,19 +264,19 @@ module modBastionPublicIP '../publicIp/publicIp.bicep' = if (parBastionEnabled) } resource resBastionSubnetRef 'Microsoft.Network/virtualNetworks/subnets@2021-02-01' existing = { - parent: resHubVirtualNetwork + parent: resHubVnet name: 'AzureBastionSubnet' } // AzureBastionSubnet is required to deploy Bastion service. This subnet must exist in the parsubnets array if you enable Bastion Service. // There is a minimum subnet requirement of /27 prefix. // If you are deploying standard this needs to be larger. https://docs.microsoft.com/en-us/azure/bastion/configuration-settings#subnet -resource resBastion 'Microsoft.Network/bastionHosts@2021-02-01' = if (parBastionEnabled) { +resource resBastion 'Microsoft.Network/bastionHosts@2021-02-01' = if (parAzBastionEnabled) { location: parLocation - name: parBastionName + name: parAzBastionName tags: parTags sku: { - name: parBastionSku + name: parAzBastionSku } properties: { dnsName: uniqueString(resourceGroup().id) 
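Review bot: The keys inside `parPublicIpProperties` were renamed along with the project's own identifiers, but `publicIPAddressVersion` and `publicIPAllocationMethod` are property names from the public IP resource schema, not names this repository owns. The object goes to `../publicIp/publicIp.bicep`, which is not in this hunk; if it is forwarded as the resource's `properties`, as the name suggests, the new spelling only works while the resource provider matches property names case-insensitively, and Bicep cannot check keys inside an untyped object. I would keep the schema casing, `publicIPAddressVersion: 'IPv4'` and `publicIPAllocationMethod: 'Static'`, as the file still does for `publicIPAddress` and `privateIPAddress`. The same rename appears in the `modGatewayPublicIp` and `modAzureFirewallPublicIp` hunks below.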
@@ -288,7 +288,7 @@ resource resBastion 'Microsoft.Network/bastionHosts@2021-02-01' = if (parBastion id: resBastionSubnetRef.id } publicIPAddress: { - id: parBastionEnabled ? modBastionPublicIP.outputs.outPublicIPID : '' + id: parAzBastionEnabled ? modBastionPublicIp.outputs.outPublicIpId : '' } } } @@ -297,21 +297,21 @@ resource resBastion 'Microsoft.Network/bastionHosts@2021-02-01' = if (parBastion } resource resGatewaySubnetRef 'Microsoft.Network/virtualNetworks/subnets@2021-02-01' existing = { - parent: resHubVirtualNetwork + parent: resHubVnet name: 'GatewaySubnet' } -module modGatewayPublicIP '../publicIp/publicIp.bicep' = [for (gateway, i) in varGwConfig: if ((gateway.name != 'noconfigVpn') && (gateway.name != 'noconfigEr')) { +module modGatewayPublicIp '../publicIp/publicIp.bicep' = [for (gateway, i) in varGwConfig: if ((gateway.name != 'noconfigVpn') && (gateway.name != 'noconfigEr')) { name: 'deploy-Gateway-Public-IP-${i}' params: { parLocation: parLocation - parPublicIPName: '${gateway.name}-PublicIP' - parPublicIPProperties: { - publicIPAddressVersion: 'IPv4' - publicIPAllocationMethod: 'Static' + parPublicIpName: '${gateway.name}-PublicIp' + parPublicIpProperties: { + publicIpAddressVersion: 'IPv4' + publicIpAllocationMethod: 'Static' } - parPublicIPSku: { - name: parPublicIPSku + parPublicIpSku: { + name: parPublicIpSku } parTags: parTags parTelemetryOptOut: parTelemetryOptOut 
@@ -331,18 +331,18 @@ resource resGateway 'Microsoft.Network/virtualNetworkGateways@2021-02-01' = [for bgpSettings: (gateway.enableBgp) ? gateway.bgpSettings : null gatewayType: gateway.gatewayType vpnGatewayGeneration: (gateway.gatewayType == 'VPN') ? gateway.generation : 'None' - vpnType: gateway.vpntype + vpnType: gateway.vpnType sku: { name: gateway.sku tier: gateway.sku } ipConfigurations: [ { - id: resHubVirtualNetwork.id + id: resHubVnet.id name: 'vnetGatewayConfig' properties: { publicIPAddress: { - id: (((gateway.name != 'noconfigVpn') && (gateway.name != 'noconfigEr')) ? modGatewayPublicIP[i].outputs.outPublicIPID : 'na') + id: (((gateway.name != 'noconfigVpn') && (gateway.name != 'noconfigEr')) ? modGatewayPublicIp[i].outputs.outPublicIpId : 'na') } subnet: { id: resGatewaySubnetRef.id 
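Review bot: The unchanged line `vpnGatewayGeneration: (gateway.gatewayType == 'VPN') ? gateway.generation : 'None'` compares against `'VPN'`, but the default `parVpnGatewayConfig` that this commit touches sets `gatewayType: 'Vpn'`. Bicep's `==` is case-sensitive for strings, so with the default configuration the condition is false and the gateway is submitted with generation `'None'`, ignoring `generation: 'Generation1'`. The case-insensitive operator fixes it: `vpnGatewayGeneration: (gateway.gatewayType =~ 'Vpn') ? gateway.generation : 'None'`. The `resGateway` loop starts and ends outside this hunk, so the name filter on the loop is not visible here.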
@@ -354,49 +354,49 @@ resource resGateway 'Microsoft.Network/virtualNetworkGateways@2021-02-01' = [for }] resource resAzureFirewallSubnetRef 'Microsoft.Network/virtualNetworks/subnets@2021-02-01' existing = { - parent: resHubVirtualNetwork + parent: resHubVnet name: 'AzureFirewallSubnet' } -module modAzureFirewallPublicIP '../publicIp/publicIp.bicep' = if (parAzureFirewallEnabled) { +module modAzureFirewallPublicIp '../publicIp/publicIp.bicep' = if (parAzFirewallEnabled) { name: 'deploy-Firewall-Public-IP' params: { parLocation: parLocation - parAvailabilityZones: parAzureFirewallAvailabilityZones - parPublicIPName: '${parAzureFirewallName}-PublicIP' - parPublicIPProperties: { - publicIPAddressVersion: 'IPv4' - publicIPAllocationMethod: 'Static' + parAvailabilityZones: parAzFirewallAvailabilityZones + parPublicIpName: '${parAzFirewallName}-PublicIp' + parPublicIpProperties: { + publicIpAddressVersion: 'IPv4' + publicIpAllocationMethod: 'Static' } - parPublicIPSku: { - name: parPublicIPSku + parPublicIpSku: { + name: parPublicIpSku } parTags: parTags parTelemetryOptOut: parTelemetryOptOut } } -resource resFirewallPolicies 'Microsoft.Network/firewallPolicies@2021-05-01' = if (parAzureFirewallEnabled) { - name: parFirewallPoliciesName +resource resFirewallPolicies 'Microsoft.Network/firewallPolicies@2021-05-01' = if (parAzFirewallEnabled) { + name: parAzFirewallPoliciesName location: parLocation tags: parTags properties: { dnsSettings: { - enableProxy: parNetworkDNSEnableProxy + enableProxy: parAzFirewallDnsProxyEnabled } sku: { - tier: parAzureFirewallTier + tier: parAzFirewallTier } } } // AzureFirewallSubnet is required to deploy Azure Firewall . This subnet must exist in the parsubnets array if you deploy. // There is a minimum subnet requirement of /26 prefix. 
-resource resAzureFirewall 'Microsoft.Network/azureFirewalls@2021-05-01' = if (parAzureFirewallEnabled) { - name: parAzureFirewallName +resource resAzureFirewall 'Microsoft.Network/azureFirewalls@2021-05-01' = if (parAzFirewallEnabled) { + name: parAzFirewallName location: parLocation tags: parTags - zones: (!empty(parAzureFirewallAvailabilityZones) ? parAzureFirewallAvailabilityZones : json('null')) + zones: (!empty(parAzFirewallAvailabilityZones) ? parAzFirewallAvailabilityZones : json('null')) properties: { ipConfigurations: [ { @@ -406,14 +406,14 @@ resource resAzureFirewall 'Microsoft.Network/azureFirewalls@2021-05-01' = if (pa id: resAzureFirewallSubnetRef.id } publicIPAddress: { - id: parAzureFirewallEnabled ? modAzureFirewallPublicIP.outputs.outPublicIPID : '' + id: parAzFirewallEnabled ? modAzureFirewallPublicIp.outputs.outPublicIpId : '' } } } ] sku: { name: 'AZFW_VNet' - tier: parAzureFirewallTier + tier: parAzFirewallTier } firewallPolicy: { id: resFirewallPolicies.id @@ -422,7 +422,7 @@ resource resAzureFirewall 'Microsoft.Network/azureFirewalls@2021-05-01' = if (pa } //If Azure Firewall is enabled we will deploy a RouteTable to redirect Traffic to the Firewall. -resource resHubRouteTable 'Microsoft.Network/routeTables@2021-02-01' = if (parAzureFirewallEnabled) { +resource resHubRouteTable 'Microsoft.Network/routeTables@2021-02-01' = if (parAzFirewallEnabled) { name: parHubRouteTableName location: parLocation tags: parTags 
@@ -433,11 +433,11 @@ resource resHubRouteTable 'Microsoft.Network/routeTables@2021-02-01' = if (parAz properties: { addressPrefix: '0.0.0.0/0' nextHopType: 'VirtualAppliance' - nextHopIpAddress: parAzureFirewallEnabled ? resAzureFirewall.properties.ipConfigurations[0].properties.privateIPAddress : '' + nextHopIpAddress: parAzFirewallEnabled ? resAzureFirewall.properties.ipConfigurations[0].properties.privateIPAddress : '' } } ] - disableBgpRoutePropagation: parDisableBGPRoutePropagation + disableBgpRoutePropagation: parDisableBgpRoutePropagation } } @@ -447,7 +447,7 @@ module modPrivateDnsZones '../privateDnsZones/privateDnsZones.bicep' = if (parPr params: { parLocation: parLocation parTags: parTags - parVirtualNetworkIdToLink: resHubVirtualNetwork.id + parVirtualNetworkIdToLink: resHubVnet.id parPrivateDnsZones: parPrivateDnsZones } } 
@@ -460,13 +460,13 @@ module modCustomerUsageAttribution '../../CRML/customerUsageAttribution/cuaIdRes } //If Azure Firewall is enabled we will deploy a RouteTable to redirect Traffic to the Firewall. -output outAzureFirewallPrivateIP string = parAzureFirewallEnabled ? resAzureFirewall.properties.ipConfigurations[0].properties.privateIPAddress : '' +output outAzFirewallPrivateIp string = parAzFirewallEnabled ? resAzureFirewall.properties.ipConfigurations[0].properties.privateIPAddress : '' //If Azure Firewall is enabled we will deploy a RouteTable to redirect Traffic to the Firewall. -output outAzureFirewallName string = parAzureFirewallEnabled ? parAzureFirewallName : '' +output outAzFirewallName string = parAzFirewallEnabled ? parAzFirewallName : '' output outPrivateDnsZones array = (parPrivateDnsZonesEnabled ? modPrivateDnsZones.outputs.outPrivateDnsZones : []) -output outDdosPlanResourceID string = resDdosProtectionPlan.id -output outHubVirtualNetworkName string = resHubVirtualNetwork.name -output outHubVirtualNetworkID string = resHubVirtualNetwork.id +output outDdosPlanResourceId string = resDdosProtectionPlan.id +output outHubVirtualNetworkName string = resHubVnet.name +output outHubVirtualNetworkId string = resHubVnet.id diff --git a/infra-as-code/bicep/modules/hubNetworking/mc-hubNetworking.parameters.example.json b/infra-as-code/bicep/modules/hubNetworking/mc-hubNetworking.parameters.example.json deleted file mode 100644 index 1b46df4f5..000000000 --- a/infra-as-code/bicep/modules/hubNetworking/mc-hubNetworking.parameters.example.json +++ /dev/null 
@@ -1,160 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "parLocation": { - "value": "chinaeast2 " - }, - "parCompanyPrefix": { - "value": "alz" - }, - "parHubNetworkName": { - "value": "alz-hub-chinaeast2" - }, - "parHubNetworkAddressPrefix": { - "value": "10.20.0.0/16" - }, - "parSubnets": { - "value": [ - { - "name": "AzureBastionSubnet", - "ipAddressRange": "10.20.0.0/24" - }, - { - "name": "GatewaySubnet", - "ipAddressRange": "10.20.254.0/24" - }, - { - "name": "AzureFirewallSubnet", - "ipAddressRange": "10.20.255.0/24" - } - ] - }, - "parDNSServerIPArray": { - "value": [] - }, - "parPublicIPSku": { - "value": "Standard" - }, - "parBastionEnabled": { - "value": true - }, - "parBastionName": { - "value": "alz-bastion" - }, - "parBastionSku": { - "value": "Standard" - }, - "parDdosEnabled": { - "value": false - }, - "parDdosPlanName": { - "value": "alz-ddos-plan" - }, - "parAzureFirewallEnabled": { - "value": true - }, - "parAzureFirewallName": { - "value": "alz-azfw-chinaeast2" - }, - "parAzureFirewallTier": { - "value": "Standard" - }, - "parAzureFirewallAvailabilityZones": { - "value": [] - }, - "parNetworkDNSEnableProxy": { - "value": true - }, - "parHubRouteTableName": { - "value": "alz-hub-routetable" - }, - "parDisableBGPRoutePropagation": { - "value": false - }, - "parPrivateDnsZonesEnabled": { - "value": true - }, - "parPrivateDnsZones": { - "value": [ - "privatelink.azure-automation.cn", - "privatelink.database.chinacloudapi.cn", - "privatelink.blob.core.chinacloudapi.cn", - "privatelink.table.core.chinacloudapi.cn", - "privatelink.queue.core.chinacloudapi.cn", - "privatelink.file.core.chinacloudapi.cn", - "privatelink.web.core.chinacloudapi.cn", - "privatelink.dfs.core.chinacloudapi.cn", - "privatelink.documents.azure.cn", - "privatelink.mongo.cosmos.azure.cn", - "privatelink.cassandra.cosmos.azure.cn", - 
"privatelink.gremlin.cosmos.azure.cn", - "privatelink.table.cosmos.azure.cn", - "privatelink.postgres.database.chinacloudapi.cn", - "privatelink.mysql.database.chinacloudapi.cn", - "privatelink.mariadb.database.chinacloudapi.cn", - "privatelink.vaultcore.azure.cn", - "privatelink.servicebus.chinacloudapi.cn", - "privatelink.azure-devices.cn", - "privatelink.eventgrid.azure.cn", - "privatelink.chinacloudsites.cn", - "privatelink.api.ml.azure.cn", - "privatelink.notebooks.chinacloudapi.cn", - "privatelink.signalr.azure.cn", - "privatelink.azurehdinsight.cn", - "privatelink.afs.azure.cn", - "privatelink.datafactory.azure.cn", - "privatelink.adf.azure.cn", - "privatelink.redis.cache.chinacloudapi.cn" - ] - }, - "parVpnGatewayConfig": { - "value": { - "name": "alz-Vpn-Gateway", - "gatewaytype": "Vpn", - "sku": "VpnGw1", - "vpntype": "RouteBased", - "generation": "Generation1", - "enableBgp": false, - "activeActive": false, - "enableBgpRouteTranslationForNat": false, - "enableDnsForwarding": false, - "asn": "65515", - "bgpPeeringAddress": "", - "bgpsettings": { - "asn": "65515", - "bgpPeeringAddress": "", - "peerWeight": "5" - } - } - }, - "parExpressRouteGatewayConfig": { - "value": { - "name": "alz-ExpressRoute-Gateway", - "gatewaytype": "ExpressRoute", - "sku": "Standard", - "vpntype": "RouteBased", - "generation": "None", - "enableBgp": false, - "activeActive": false, - "enableBgpRouteTranslationForNat": false, - "enableDnsForwarding": false, - "asn": "65515", - "bgpPeeringAddress": "", - "bgpsettings": { - "asn": "65515", - "bgpPeeringAddress": "", - "peerWeight": "5" - } - } - }, - "parTags": { - "value": { - "Environment": "POC" - } - }, - "parTelemetryOptOut": { - "value": false - } - } -} \ No newline at end of file 
diff --git a/infra-as-code/bicep/modules/hubNetworking/media/hubNetworkingBicepVisualizer.png b/infra-as-code/bicep/modules/hubNetworking/media/bicepVisualizer.png
similarity index 100%
rename from infra-as-code/bicep/modules/hubNetworking/media/hubNetworkingBicepVisualizer.png
rename to infra-as-code/bicep/modules/hubNetworking/media/bicepVisualizer.png
diff --git a/infra-as-code/bicep/modules/hubNetworking/media/hubNetworkExampleDeploymentOutput.png b/infra-as-code/bicep/modules/hubNetworking/media/exampleDeploymentOutput.png
similarity index 100%
rename from infra-as-code/bicep/modules/hubNetworking/media/hubNetworkExampleDeploymentOutput.png
rename to infra-as-code/bicep/modules/hubNetworking/media/exampleDeploymentOutput.png
diff --git a/infra-as-code/bicep/modules/hubNetworking/media/mc-hubNetworkExampleDeploymentOutput.png b/infra-as-code/bicep/modules/hubNetworking/media/mc-exampleDeploymentOutput.png
old mode 100755
new mode 100644
similarity index 100%
rename from infra-as-code/bicep/modules/hubNetworking/media/mc-hubNetworkExampleDeploymentOutput.png
rename to infra-as-code/bicep/modules/hubNetworking/media/mc-exampleDeploymentOutput.png
diff --git a/infra-as-code/bicep/modules/hubNetworking/hubNetworking.parameters.example.json b/infra-as-code/bicep/modules/hubNetworking/parameters/hubNetworking.parameters.all.json
similarity index 83%
rename from infra-as-code/bicep/modules/hubNetworking/hubNetworking.parameters.example.json
rename to infra-as-code/bicep/modules/hubNetworking/parameters/hubNetworking.parameters.all.json
index 7cb1a6314..5d29208b0 100644
--- a/infra-as-code/bicep/modules/hubNetworking/hubNetworking.parameters.example.json
+++ b/infra-as-code/bicep/modules/hubNetworking/parameters/hubNetworking.parameters.all.json
@@ -30,19 +30,19 @@
 }
 ]
 },
- "parDNSServerIPArray": {
+ "parDnsServerIps": {
 "value": []
 },
- "parPublicIPSku": {
+ "parPublicIpSku": {
 "value": "Standard"
 },
- "parBastionEnabled": {
+ "parAzBastionEnabled": {
 "value": true
 },
- "parBastionName": {
+ "parAzBastionName": {
 "value": "alz-bastion"
 },
- "parBastionSku": {
+ "parAzBastionSku": {
 "value": "Standard"
 },
 "parDdosEnabled": {
@@ -51,25 +51,28 @@
 "parDdosPlanName": {
 "value": "alz-ddos-plan"
 },
- "parAzureFirewallEnabled": {
+ "parAzFirewallEnabled": {
 "value": true
 },
- "parAzureFirewallName": {
+ "parAzFirewallName": {
 "value": "alz-azfw-eastus"
 },
- "parAzureFirewallTier": {
+ "parAzFirewallPoliciesName": {
+ "value": "alz-azfwpolicy-eastus"
+ },
+ "parAzFirewallTier": {
 "value": "Standard"
 },
- "parAzureFirewallAvailabilityZones": {
+ "parAzFirewallAvailabilityZones": {
 "value": []
 },
- "parNetworkDNSEnableProxy": {
+ "parAzFirewallDnsProxyEnabled": {
 "value": true
 },
 "parHubRouteTableName": {
 "value": "alz-hub-routetable"
 },
- "parDisableBGPRoutePropagation": {
+ "parDisableBgpRoutePropagation": {
 "value": false
 },
 "parPrivateDnsZonesEnabled": {
@@ -125,15 +128,18 @@
 "privatelink.azurehdinsight.net",
 "privatelink.media.azure.net",
 "privatelink.his.arc.azure.com",
- "privatelink.guestconfiguration.azure.com"
+ "privatelink.guestconfiguration.azure.com",
+ "privatelink.xxxxxx.azmk8s.io", // Replace xxxxxx with target region (i.e. eastus)
+ "privatelink.xxxxxx.backup.windowsazure.com", // Replace xxxxxx with target region (i.e. eastus)
+ "privatelink.xxxxxx.batch.azure.com" // Replace xxxxxx with target region (i.e. eastus),
 ]
 },
 "parVpnGatewayConfig": {
 "value": {
 "name": "alz-Vpn-Gateway",
- "gatewaytype": "Vpn",
+ "gatewayType": "Vpn",
 "sku": "VpnGw1",
- "vpntype": "RouteBased",
+ "vpnType": "RouteBased",
 "generation": "Generation1",
 "enableBgp": false,
 "activeActive": false,
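Review bot: The three added `privatelink.xxxxxx.*` entries in the last hunk put `//` comments and placeholder zone names into a `.json` parameters file. A strict JSON parser rejects the comments, and the ESLint override this same commit adds for `*.json` sets `"jsonc/no-comments": "warn"`, so the file will at least be flagged; whether the deployment tooling tolerates them should be confirmed. If the file is deployed as-is and the module creates one zone per entry (not visible here), zones named literally `privatelink.xxxxxx.azmk8s.io` would be created and private endpoints in the real region would not resolve through them. I would drop the inline comments, keep the entries as plain strings such as `"privatelink.xxxxxx.batch.azure.com"`, and state the replacement step in the module README, or build the regional names from `parLocation` in the Bicep.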
@@ -151,9 +157,9 @@
 "parExpressRouteGatewayConfig": {
 "value": {
 "name": "alz-ExpressRoute-Gateway",
- "gatewaytype": "ExpressRoute",
+ "gatewayType": "ExpressRoute",
 "sku": "ErGw1AZ",
- "vpntype": "RouteBased",
+ "vpnType": "RouteBased",
 "generation": "None",
 "enableBgp": false,
 "activeActive": false,
diff --git a/infra-as-code/bicep/modules/hubNetworking/parameters/hubNetworking.parameters.min.json b/infra-as-code/bicep/modules/hubNetworking/parameters/hubNetworking.parameters.min.json
new file mode 100644
index 000000000..cb8f7bde8
--- /dev/null
+++ b/infra-as-code/bicep/modules/hubNetworking/parameters/hubNetworking.parameters.min.json
@@ -0,0 +1,101 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "parHubNetworkAddressPrefix": { + "value": "10.20.0.0/16" + }, + "parSubnets": { + "value": [ + { + "name": "AzureBastionSubnet", + "ipAddressRange": "10.20.0.0/24" + }, + { + "name": "GatewaySubnet", + "ipAddressRange": "10.20.254.0/24" + }, + { + "name": "AzureFirewallSubnet", + "ipAddressRange": "10.20.255.0/24" + } + ] + }, + "parDnsServerIps": { + "value": [] + }, + "parPublicIpSku": { + "value": "Standard" + }, + "parAzBastionEnabled": { + "value": true + }, + "parAzBastionSku": { + "value": "Standard" + }, + "parDdosEnabled": { + "value": true + }, + "parAzFirewallEnabled": { + "value": true + }, + "parAzFirewallTier": { + "value": "Standard" + }, + "parAzFirewallAvailabilityZones": { + "value": [] + }, + "parAzFirewallDnsProxyEnabled": { + "value": true + }, + "parDisableBgpRoutePropagation": { + "value": false + }, + "parPrivateDnsZonesEnabled": { + "value": true + }, + "parVpnGatewayConfig": { + "value": { + "name": "alz-Vpn-Gateway", + "gatewayType": "Vpn", + "sku": "VpnGw1", + "vpnType": "RouteBased", + "generation": "Generation1", + "enableBgp": false, + "activeActive": false, + "enableBgpRouteTranslationForNat": false, + "enableDnsForwarding": false, + "asn": "65515", + "bgpPeeringAddress": "", + "bgpsettings": { + "asn": "65515", + "bgpPeeringAddress": "", + "peerWeight": "5" + } + } + }, + "parExpressRouteGatewayConfig": { + "value": { + "name": "alz-ExpressRoute-Gateway", + "gatewayType": "ExpressRoute", + "sku": "ErGw1AZ", + "vpnType": "RouteBased", + "generation": "None", + "enableBgp": false, + "activeActive": false, + "enableBgpRouteTranslationForNat": false, + "enableDnsForwarding": false, + "asn": "65515", + "bgpPeeringAddress": "", + "bgpsettings": { + "asn": "65515", + "bgpPeeringAddress": "", + "peerWeight": "5" + } + } + }, + "parTelemetryOptOut": { + "value": false + } + 
} +} \ No newline at end of file diff --git a/infra-as-code/bicep/modules/hubNetworking/parameters/mc-hubNetworking.parameters.all.json b/infra-as-code/bicep/modules/hubNetworking/parameters/mc-hubNetworking.parameters.all.json new file mode 100644 index 000000000..4d5ccb6c2 --- /dev/null +++ b/infra-as-code/bicep/modules/hubNetworking/parameters/mc-hubNetworking.parameters.all.json 
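Review bot: In the new hubNetworking.parameters.min.json the `"bgpsettings"` key under `parVpnGatewayConfig` and `parExpressRouteGatewayConfig` stays all-lowercase, while this commit renames the sibling keys to `gatewayType` and `vpnType`. The same applies to the new mc-hubNetworking.parameters.all.json and mc-hubNetworking.parameters.min.json. Which spelling hubNetworking.bicep reads is not visible here, so confirm it before changing the key to `"bgpSettings": {` in the template and the parameter files together. `asn` and `bgpPeeringAddress` are also given both at the top level of each config and inside `bgpsettings`; a one-line README note on which pair is used would avoid the two drifting apart.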
@@ -0,0 +1,163 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "parLocation": { + "value": "chinaeast2" + }, + "parCompanyPrefix": { + "value": "alz" + }, + "parHubNetworkName": { + "value": "alz-hub-chinaeast2" + }, + "parHubNetworkAddressPrefix": { + "value": "10.20.0.0/16" + }, + "parSubnets": { + "value": [ + { + "name": "AzureBastionSubnet", + "ipAddressRange": "10.20.0.0/24" + }, + { + "name": "GatewaySubnet", + "ipAddressRange": "10.20.254.0/24" + }, + { + "name": "AzureFirewallSubnet", + "ipAddressRange": "10.20.255.0/24" + } + ] + }, + "parDnsServerIps": { + "value": [] + }, + "parPublicIpSku": { + "value": "Standard" + }, + "parAzBastionEnabled": { + "value": true + }, + "parAzBastionName": { + "value": "alz-bastion" + }, + "parAzBastionSku": { + "value": "Standard" + }, + "parDdosEnabled": { + "value": false + }, + "parDdosPlanName": { + "value": "alz-ddos-plan" + }, + "parAzFirewallEnabled": { + "value": true + }, + "parAzFirewallName": { + "value": "alz-azfw-chinaeast2" + }, + "parAzFirewallPoliciesName": { + "value": "alz-azfwpolicy-chinaeast2" + }, + "parAzFirewallTier": { + "value": "Standard" + }, + "parAzFirewallAvailabilityZones": { + "value": [] + }, + "parAzFirewallDnsProxyEnabled": { + "value": true + }, + "parHubRouteTableName": { + "value": "alz-hub-routetable" + }, + "parDisableBgpRoutePropagation": { + "value": false + }, + "parPrivateDnsZonesEnabled": { + "value": true + }, + "parPrivateDnsZones": { + "value": [ + "privatelink.azure-automation.cn", + "privatelink.database.chinacloudapi.cn", + "privatelink.blob.core.chinacloudapi.cn", + "privatelink.table.core.chinacloudapi.cn", + "privatelink.queue.core.chinacloudapi.cn", + "privatelink.file.core.chinacloudapi.cn", + "privatelink.web.core.chinacloudapi.cn", + "privatelink.dfs.core.chinacloudapi.cn", + "privatelink.documents.azure.cn", + "privatelink.mongo.cosmos.azure.cn", + 
"privatelink.cassandra.cosmos.azure.cn", + "privatelink.gremlin.cosmos.azure.cn", + "privatelink.table.cosmos.azure.cn", + "privatelink.postgres.database.chinacloudapi.cn", + "privatelink.mysql.database.chinacloudapi.cn", + "privatelink.mariadb.database.chinacloudapi.cn", + "privatelink.vaultcore.azure.cn", + "privatelink.servicebus.chinacloudapi.cn", + "privatelink.azure-devices.cn", + "privatelink.eventgrid.azure.cn", + "privatelink.chinacloudsites.cn", + "privatelink.api.ml.azure.cn", + "privatelink.notebooks.chinacloudapi.cn", + "privatelink.signalr.azure.cn", + "privatelink.azurehdinsight.cn", + "privatelink.afs.azure.cn", + "privatelink.datafactory.azure.cn", + "privatelink.adf.azure.cn", + "privatelink.redis.cache.chinacloudapi.cn" + ] + }, + "parVpnGatewayConfig": { + "value": { + "name": "alz-Vpn-Gateway", + "gatewayType": "Vpn", + "sku": "VpnGw1", + "vpnType": "RouteBased", + "generation": "Generation1", + "enableBgp": false, + "activeActive": false, + "enableBgpRouteTranslationForNat": false, + "enableDnsForwarding": false, + "asn": "65515", + "bgpPeeringAddress": "", + "bgpsettings": { + "asn": "65515", + "bgpPeeringAddress": "", + "peerWeight": "5" + } + } + }, + "parExpressRouteGatewayConfig": { + "value": { + "name": "alz-ExpressRoute-Gateway", + "gatewayType": "ExpressRoute", + "sku": "Standard", + "vpnType": "RouteBased", + "generation": "None", + "enableBgp": false, + "activeActive": false, + "enableBgpRouteTranslationForNat": false, + "enableDnsForwarding": false, + "asn": "65515", + "bgpPeeringAddress": "", + "bgpsettings": { + "asn": "65515", + "bgpPeeringAddress": "", + "peerWeight": "5" + } + } + }, + "parTags": { + "value": { + "Environment": "POC" + } + }, + "parTelemetryOptOut": { + "value": false + } + } + } \ No newline at end of file 
diff --git a/infra-as-code/bicep/modules/hubNetworking/parameters/mc-hubNetworking.parameters.min.json b/infra-as-code/bicep/modules/hubNetworking/parameters/mc-hubNetworking.parameters.min.json
new file mode 100644
index 000000000..bd8c18688
--- /dev/null
+++ b/infra-as-code/bicep/modules/hubNetworking/parameters/mc-hubNetworking.parameters.min.json
@@ -0,0 +1,137 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "parLocation": { + "value": "chinaeast2" + }, + "parHubNetworkAddressPrefix": { + "value": "10.20.0.0/16" + }, + "parSubnets": { + "value": [ + { + "name": "AzureBastionSubnet", + "ipAddressRange": "10.20.0.0/24" + }, + { + "name": "GatewaySubnet", + "ipAddressRange": "10.20.254.0/24" + }, + { + "name": "AzureFirewallSubnet", + "ipAddressRange": "10.20.255.0/24" + } + ] + }, + "parDnsServerIps": { + "value": [] + }, + "parPublicIpSku": { + "value": "Standard" + }, + "parAzBastionEnabled": { + "value": true + }, + "parAzBastionSku": { + "value": "Standard" + }, + "parDdosEnabled": { + "value": false + }, + "parAzFirewallEnabled": { + "value": true + }, + "parAzFirewallTier": { + "value": "Standard" + }, + "parAzFirewallAvailabilityZones": { + "value": [] + }, + "parAzFirewallDnsProxyEnabled": { + "value": true + }, + "parDisableBgpRoutePropagation": { + "value": false + }, + "parPrivateDnsZonesEnabled": { + "value": true + }, + "parPrivateDnsZones": { + "value": [ + "privatelink.azure-automation.cn", + "privatelink.database.chinacloudapi.cn", + "privatelink.blob.core.chinacloudapi.cn", + "privatelink.table.core.chinacloudapi.cn", + "privatelink.queue.core.chinacloudapi.cn", + "privatelink.file.core.chinacloudapi.cn", + "privatelink.web.core.chinacloudapi.cn", + "privatelink.dfs.core.chinacloudapi.cn", + "privatelink.documents.azure.cn", + "privatelink.mongo.cosmos.azure.cn", + "privatelink.cassandra.cosmos.azure.cn", + "privatelink.gremlin.cosmos.azure.cn", + "privatelink.table.cosmos.azure.cn", + "privatelink.postgres.database.chinacloudapi.cn", + "privatelink.mysql.database.chinacloudapi.cn", + "privatelink.mariadb.database.chinacloudapi.cn", + "privatelink.vaultcore.azure.cn", + "privatelink.servicebus.chinacloudapi.cn", + "privatelink.azure-devices.cn", + "privatelink.eventgrid.azure.cn", + 
"privatelink.chinacloudsites.cn", + "privatelink.api.ml.azure.cn", + "privatelink.notebooks.chinacloudapi.cn", + "privatelink.signalr.azure.cn", + "privatelink.azurehdinsight.cn", + "privatelink.afs.azure.cn", + "privatelink.datafactory.azure.cn", + "privatelink.adf.azure.cn", + "privatelink.redis.cache.chinacloudapi.cn" + ] + }, + "parVpnGatewayConfig": { + "value": { + "name": "alz-Vpn-Gateway", + "gatewayType": "Vpn", + "sku": "VpnGw1", + "vpnType": "RouteBased", + "generation": "Generation1", + "enableBgp": false, + "activeActive": false, + "enableBgpRouteTranslationForNat": false, + "enableDnsForwarding": false, + "asn": "65515", + "bgpPeeringAddress": "", + "bgpsettings": { + "asn": "65515", + "bgpPeeringAddress": "", + "peerWeight": "5" + } + } + }, + "parExpressRouteGatewayConfig": { + "value": { + "name": "alz-ExpressRoute-Gateway", + "gatewayType": "ExpressRoute", + "sku": "Standard", + "vpnType": "RouteBased", + "generation": "None", + "enableBgp": false, + "activeActive": false, + "enableBgpRouteTranslationForNat": false, + "enableDnsForwarding": false, + "asn": "65515", + "bgpPeeringAddress": "", + "bgpsettings": { + "asn": "65515", + "bgpPeeringAddress": "", + "peerWeight": "5" + } + } + }, + "parTelemetryOptOut": { + "value": false + } + } + } \ No newline at end of file diff --git a/infra-as-code/bicep/modules/logging/README.md b/infra-as-code/bicep/modules/logging/README.md index 809f88fbf..201ca645d 100644 --- a/infra-as-code/bicep/modules/logging/README.md +++ b/infra-as-code/bicep/modules/logging/README.md 
@@ -52,13 +52,13 @@ The module will generate the following outputs: ## Deployment -In this example, a Log Analytics Workspace and Automation Account will be deployed to the resource group `alz-logging`. The inputs for this module are defined in `logging.parameters.example.json`. +In this example, a Log Analytics Workspace and Automation Account will be deployed to the resource group `alz-logging`. The inputs for this module are defined in `logging.parameters.all.json`. There are separate input parameters files depending on which Azure cloud you are deploying because this module deploys resources into an existing resource group under the specified region. There is no change to the Bicep template file. | Azure Cloud | Bicep template | Input parameters file | | -------------- | -------------- | ---------------------------------- | -| Global regions | logging.bicep | logging.parameters.example.json | -| China regions | logging.bicep | mc-logging.parameters.example.json | +| Global regions | logging.bicep | parameters/logging.parameters.all.json | +| China regions | logging.bicep | parameters/mc-logging.parameters.all.json | > For the examples below we assume you have downloaded or cloned the Git repo as-is and are in the root of the repository as your selected directory in your terminal of choice. > If the deployment failed due an error that your alz-log-analytics/Automation resource of type 'Microsoft.OperationalInsights/workspaces/linkedServices' was not found, please retry the deployment step and it would succeed. @@ -78,7 +78,7 @@ az group create \ # Deploy Module az deployment group create \ --template-file infra-as-code/bicep/modules/logging/logging.bicep \ - --parameters @infra-as-code/bicep/modules/logging/logging.parameters.example.json \ + --parameters @infra-as-code/bicep/modules/logging/parameters/logging.parameters.all.json \ --resource-group alz-logging ``` OR 
@@ -96,7 +96,7 @@ az group create \ # Deploy Module az deployment group create \ --template-file infra-as-code/bicep/modules/logging/logging.bicep \ - --parameters @infra-as-code/bicep/modules/logging/mc-logging.parameters.example.json \ + --parameters @infra-as-code/bicep/modules/logging/parameters/mc-logging.parameters.all.json \ --resource-group alz-logging ``` @@ -116,7 +116,7 @@ New-AzResourceGroup ` New-AzResourceGroupDeployment ` -TemplateFile infra-as-code/bicep/modules/logging/logging.bicep ` - -TemplateParameterFile infra-as-code/bicep/modules/logging/logging.parameters.example.json ` + -TemplateParameterFile infra-as-code/bicep/modules/logging/parameters/logging.parameters.all.json ` -ResourceGroup alz-logging ``` OR @@ -134,7 +134,7 @@ New-AzResourceGroup ` New-AzResourceGroupDeployment ` -TemplateFile infra-as-code/bicep/modules/logging/logging.bicep ` - -TemplateParameterFile infra-as-code/bicep/modules/logging/mc-logging.parameters.example.json ` + -TemplateParameterFile infra-as-code/bicep/modules/logging/parameters/mc-logging.parameters.all.json ` -ResourceGroup alz-logging ``` diff --git a/infra-as-code/bicep/modules/logging/logging.bicep b/infra-as-code/bicep/modules/logging/logging.bicep index 07e988e36..11730795f 100644 --- a/infra-as-code/bicep/modules/logging/logging.bicep +++ b/infra-as-code/bicep/modules/logging/logging.bicep @@ -22,7 +22,6 @@ param parLogAnalyticsWorkspaceSkuName string = 'PerGB2018' @description('Number of days of log retention for Log Analytics Workspace. - DEFAULT VALUE: 365') param parLogAnalyticsWorkspaceLogRetentionInDays int = 365 - @allowed([ 'AgentHealthAssessment' 'AntiMalware' 
diff --git a/infra-as-code/bicep/modules/logging/logging.parameters.example.json b/infra-as-code/bicep/modules/logging/parameters/logging.parameters.all.json
similarity index 100%
rename from infra-as-code/bicep/modules/logging/logging.parameters.example.json
rename to infra-as-code/bicep/modules/logging/parameters/logging.parameters.all.json
diff --git a/infra-as-code/bicep/modules/logging/parameters/logging.parameters.min.json b/infra-as-code/bicep/modules/logging/parameters/logging.parameters.min.json
new file mode 100644
index 000000000..887819dcf
--- /dev/null
+++ b/infra-as-code/bicep/modules/logging/parameters/logging.parameters.min.json
@@ -0,0 +1,32 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "parLogAnalyticsWorkspaceLogRetentionInDays": {
+ "value": 365
+ },
+ "parLogAnalyticsWorkspaceLocation": {
+ "value": "eastus"
+ },
+ "parLogAnalyticsWorkspaceSolutions": {
+ "value": [
+ "AgentHealthAssessment",
+ "AntiMalware",
+ "AzureActivity",
+ "ChangeTracking",
+ "Security",
+ "SecurityInsights",
+ "ServiceMap",
+ "SQLAssessment",
+ "Updates",
+ "VMInsights"
+ ]
+ },
+ "parAutomationAccountLocation": {
+ "value": "eastus2"
+ },
+ "parTelemetryOptOut": {
+ "value": false
+ }
+ }
+}
\ No newline at end of file
diff --git a/infra-as-code/bicep/modules/logging/mc-logging.parameters.example.json b/infra-as-code/bicep/modules/logging/parameters/mc-logging.parameters.all.json
similarity index 94%
rename from infra-as-code/bicep/modules/logging/mc-logging.parameters.example.json
rename to infra-as-code/bicep/modules/logging/parameters/mc-logging.parameters.all.json
index d0b1cebc9..bbaa410a5 100644
--- a/infra-as-code/bicep/modules/logging/mc-logging.parameters.example.json
+++ b/infra-as-code/bicep/modules/logging/parameters/mc-logging.parameters.all.json
@@ -38,6 +38,9 @@
 "value": {
 "Environment": "POC"
 }
+ },
+ "parTelemetryOptOut": {
+ "value": false
 }
 }
 }
\ No newline at end of file
diff --git a/infra-as-code/bicep/modules/logging/parameters/mc-logging.parameters.min.json b/infra-as-code/bicep/modules/logging/parameters/mc-logging.parameters.min.json
new file mode 100644
index 000000000..b9d350025
--- /dev/null
+++ b/infra-as-code/bicep/modules/logging/parameters/mc-logging.parameters.min.json
@@ -0,0 +1,32 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "parLogAnalyticsWorkspaceLocation": {
+ "value": "chinaeast2"
+ },
+ "parLogAnalyticsWorkspaceLogRetentionInDays": {
+ "value": 365
+ },
+ "parLogAnalyticsWorkspaceSolutions": {
+ "value": [
+ "AgentHealthAssessment",
+ "AntiMalware",
+ "AzureActivity",
+ "ChangeTracking",
+ "Security",
+ "SecurityInsights",
+ "ServiceMap",
+ "SQLAssessment",
+ "Updates",
+ "VMInsights"
+ ]
+ },
+ "parAutomationAccountLocation": {
+ "value": "chinaeast2"
+ },
+ "parTelemetryOptOut": {
+ "value": false
+ }
+ }
+}
\ No newline at end of file
diff --git a/infra-as-code/bicep/modules/managementGroups/README.md b/infra-as-code/bicep/modules/managementGroups/README.md
index 05b255818..97f0ec15e 100644
--- a/infra-as-code/bicep/modules/managementGroups/README.md
+++ b/infra-as-code/bicep/modules/managementGroups/README.md
@@ -28,28 +28,28 @@ The module requires the following inputs: The module will generate the following outputs: -| Output | Type | Example | -| ----------------------------- | ------ | -------------------------------------------------------------------------- | -| outTopLevelMGId | string | /providers/Microsoft.Management/managementGroups/alz | -| outPlatformMGId | string | /providers/Microsoft.Management/managementGroups/alz-platform | -| outPlatformManagementMGId | string | /providers/Microsoft.Management/managementGroups/alz-platform-management | -| outPlatformConnectivityMGId | string | /providers/Microsoft.Management/managementGroups/alz-platform-connectivity | -| outPlatformIdentityMGId | string | /providers/Microsoft.Management/managementGroups/alz-platform-identity | -| outLandingZonesMGId | string | /providers/Microsoft.Management/managementGroups/alz-landingzones | -| outLandingZonesCorpMGId | string | /providers/Microsoft.Management/managementGroups/alz-landingzones-corp | -| outLandingZonesOnlineMGId | string | /providers/Microsoft.Management/managementGroups/alz-landingzones-online | -| outSandboxMGId | string | /providers/Microsoft.Management/managementGroups/alz-sandbox | -| outDecommissionedMGId | string | /providers/Microsoft.Management/managementGroups/alz-decommissioned | -| outTopLevelMGName | string | alz | -| outPlatformMGName | string | alz-platform | -| outPlatformManagementMGName | string | alz-platform-management | -| outPlatformConnectivityMGName | string | alz-platform-connectivity | -| outPlatformIdentityMGName | string | alz-platform-identity | -| outLandingZonesMGName | string | alz-landingzones | -| outLandingZonesCorpMGName | string | alz-landingzones-corp | -| outLandingZonesOnlineMGName | string | alz-landingzones-online | -| outSandboxMGName | string | alz-sandbox | -| outDecommissionedMGName | string | alz-decommissioned | +| Output | Type | Example | +| ------------------------------------------ | ------ | 
-------------------------------------------------------------------------- | +| outTopLevelManagementGroupId | string | /providers/Microsoft.Management/managementGroups/alz | +| outPlatformManagementGroupId | string | /providers/Microsoft.Management/managementGroups/alz-platform | +| outPlatformManagementManagementGroupId | string | /providers/Microsoft.Management/managementGroups/alz-platform-management | +| outPlatformConnectivityManagementGroupId | string | /providers/Microsoft.Management/managementGroups/alz-platform-connectivity | +| outPlatformIdentityManagementGroupId | string | /providers/Microsoft.Management/managementGroups/alz-platform-identity | +| outLandingZonesManagementGroupId | string | /providers/Microsoft.Management/managementGroups/alz-landingzones | +| outLandingZonesCorpManagementGroupId | string | /providers/Microsoft.Management/managementGroups/alz-landingzones-corp | +| outLandingZonesOnlineManagementGroupId | string | /providers/Microsoft.Management/managementGroups/alz-landingzones-online | +| outSandboxManagementGroupId | string | /providers/Microsoft.Management/managementGroups/alz-sandbox | +| outDecommissionedManagementGroupId | string | /providers/Microsoft.Management/managementGroups/alz-decommissioned | +| outTopLevelManagementGroupName | string | alz | +| outPlatformManagementGroupName | string | alz-platform | +| outPlatformManagementManagementGroupName | string | alz-platform-management | +| outPlatformConnectivityManagementGroupName | string | alz-platform-connectivity | +| outPlatformIdentityManagementGroupName | string | alz-platform-identity | +| outLandingZonesManagementGroupName | string | alz-landingzones | +| outLandingZonesCorpManagementGroupName | string | alz-landingzones-corp | +| outLandingZonesOnlineManagementGroupName | string | alz-landingzones-online | +| outSandboxManagementGroupName | string | alz-sandbox | +| outDecommissionedManagementGroupName | string | alz-decommissioned | ## Deployment 
@@ -62,7 +62,7 @@ In this example, the management groups are created at the `Tenant Root Group` th # For Azure global regions az deployment tenant create \ --template-file infra-as-code/bicep/modules/managementGroups/managementGroups.bicep \ - --parameters @infra-as-code/bicep/modules/managementGroups/managementGroups.parameters.example.json \ + --parameters @infra-as-code/bicep/modules/managementGroups/parameters/managementGroups.parameters.all.json \ --location eastus ``` OR @@ -70,7 +70,7 @@ OR # For Azure China regions az deployment tenant create \ --template-file infra-as-code/bicep/modules/managementGroups/managementGroups.bicep \ - --parameters @infra-as-code/bicep/modules/managementGroups/managementGroups.parameters.example.json \ + --parameters @infra-as-code/bicep/modules/managementGroups/parameters/managementGroups.parameters.all.json \ --location chinaeast2 ``` @@ -80,7 +80,7 @@ az deployment tenant create \ # For Azure global regions New-AzTenantDeployment ` -TemplateFile infra-as-code/bicep/modules/managementGroups/managementGroups.bicep ` - -TemplateParameterFile infra-as-code/bicep/modules/managementGroups/managementGroups.parameters.example.json ` + -TemplateParameterFile infra-as-code/bicep/modules/managementGroups/parameters/managementGroups.parameters.all.json ` -Location eastus ``` OR @@ -88,7 +88,7 @@ OR # For Azure China regions New-AzTenantDeployment ` -TemplateFile infra-as-code/bicep/modules/managementGroups/managementGroups.bicep ` - -TemplateParameterFile infra-as-code/bicep/modules/managementGroups/managementGroups.parameters.example.json ` + -TemplateParameterFile infra-as-code/bicep/modules/managementGroups/parameters/managementGroups.parameters.all.json ` -Location chinaeast2 ``` diff --git a/infra-as-code/bicep/modules/managementGroups/managementGroups.bicep b/infra-as-code/bicep/modules/managementGroups/managementGroups.bicep index 8e9a943aa..4a2c72bda 100644 --- a/infra-as-code/bicep/modules/managementGroups/managementGroups.bicep 
+++ b/infra-as-code/bicep/modules/managementGroups/managementGroups.bicep @@ -13,50 +13,50 @@ param parTopLevelManagementGroupDisplayName string = 'Azure Landing Zones' param parTelemetryOptOut bool = false // Platform and Child Management Groups -var varPlatformMG = { +var varPlatformMg = { name: '${parTopLevelManagementGroupPrefix}-platform' displayName: 'Platform' } -var varPlatformManagementMG = { +var varPlatformManagementMg = { name: '${parTopLevelManagementGroupPrefix}-platform-management' displayName: 'Management' } -var varPlatformConnectivityMG = { +var varPlatformConnectivityMg = { name: '${parTopLevelManagementGroupPrefix}-platform-connectivity' displayName: 'Connectivity' } -var varPlatformIdentityMG = { +var varPlatformIdentityMg = { name: '${parTopLevelManagementGroupPrefix}-platform-identity' displayName: 'Identity' } // Landing Zones & Child Management Groups -var varLandingZoneMG = { +var varLandingZoneMg = { name: '${parTopLevelManagementGroupPrefix}-landingzones' displayName: 'Landing Zones' } -var varLandingZoneCorpMG = { +var varLandingZoneCorpMg = { name: '${parTopLevelManagementGroupPrefix}-landingzones-corp' displayName: 'Corp' } -var varLandingZoneOnlineMG = { +var varLandingZoneOnlineMg = { name: '${parTopLevelManagementGroupPrefix}-landingzones-online' displayName: 'Online' } // Sandbox Management Group -var varSandboxManagementGroup = { +var varSandboxMg = { name: '${parTopLevelManagementGroupPrefix}-sandbox' displayName: 'Sandbox' } // Decomissioned Management Group -var varDecommissionedManagementGroup = { +var varDecommissionedMg = { name: '${parTopLevelManagementGroupPrefix}-decommissioned' displayName: 'Decommissioned' } 
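Review bot: The renamed variables keep a singular/plural mismatch with the resources that consume them. `varLandingZoneMg`, `varLandingZoneCorpMg` and `varLandingZoneOnlineMg` in this hunk feed `resLandingZonesMg`, `resLandingZonesCorpMg` and `resLandingZonesOnlineMg` in the `@@ -73,111` hunk. Since the change is standardising names, I would align them in the same pass, e.g. `var varLandingZonesMg = {`. The context comment above `varDecommissionedMg` could also be corrected to `// Decommissioned Management Group`.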
@@ -65,7 +65,7 @@ var varDecommissionedManagementGroup = { var varCuaid = '9b7965a0-d77c-41d6-85ef-ec3dfea4845b' // Level 1 -resource resTopLevelMG 'Microsoft.Management/managementGroups@2021-04-01' = { +resource resTopLevelMg 'Microsoft.Management/managementGroups@2021-04-01' = { name: parTopLevelManagementGroupPrefix properties: { displayName: parTopLevelManagementGroupDisplayName 
@@ -73,111 +73,111 @@ resource resTopLevelMG 'Microsoft.Management/managementGroups@2021-04-01' = { } // Level 2 -resource resPlatformMG 'Microsoft.Management/managementGroups@2021-04-01' = { - name: varPlatformMG.name +resource resPlatformMg 'Microsoft.Management/managementGroups@2021-04-01' = { + name: varPlatformMg.name properties: { - displayName: varPlatformMG.displayName + displayName: varPlatformMg.displayName details: { parent: { - id: resTopLevelMG.id + id: resTopLevelMg.id } } } } -resource resLandingZonesMG 'Microsoft.Management/managementGroups@2021-04-01' = { - name: varLandingZoneMG.name +resource resLandingZonesMg 'Microsoft.Management/managementGroups@2021-04-01' = { + name: varLandingZoneMg.name properties: { - displayName: varLandingZoneMG.displayName + displayName: varLandingZoneMg.displayName details: { parent: { - id: resTopLevelMG.id + id: resTopLevelMg.id } } } } -resource resSandboxMG 'Microsoft.Management/managementGroups@2021-04-01' = { - name: varSandboxManagementGroup.name +resource resSandboxMg 'Microsoft.Management/managementGroups@2021-04-01' = { + name: varSandboxMg.name properties: { - displayName: varSandboxManagementGroup.displayName + displayName: varSandboxMg.displayName details: { parent: { - id: resTopLevelMG.id + id: resTopLevelMg.id } } } } -resource resDecommissionedMG 'Microsoft.Management/managementGroups@2021-04-01' = { - name: varDecommissionedManagementGroup.name +resource resDecommissionedMg 'Microsoft.Management/managementGroups@2021-04-01' = { + name: varDecommissionedMg.name properties: { - displayName: varDecommissionedManagementGroup.displayName + displayName: varDecommissionedMg.displayName details: { parent: { - id: resTopLevelMG.id + id: resTopLevelMg.id } } } } // Level 3 - Child Management Groups under Platform MG -resource resPlatformManagementMG 'Microsoft.Management/managementGroups@2021-04-01' = { - name: varPlatformManagementMG.name +resource resPlatformManagementMg 
'Microsoft.Management/managementGroups@2021-04-01' = { + name: varPlatformManagementMg.name properties: { - displayName: varPlatformManagementMG.displayName + displayName: varPlatformManagementMg.displayName details: { parent: { - id: resPlatformMG.id + id: resPlatformMg.id } } } } -resource resPlatformConnectivityMG 'Microsoft.Management/managementGroups@2021-04-01' = { - name: varPlatformConnectivityMG.name +resource resPlatformConnectivityMg 'Microsoft.Management/managementGroups@2021-04-01' = { + name: varPlatformConnectivityMg.name properties: { - displayName: varPlatformConnectivityMG.displayName + displayName: varPlatformConnectivityMg.displayName details: { parent: { - id: resPlatformMG.id + id: resPlatformMg.id } } } } -resource resPlatformIdentityMG 'Microsoft.Management/managementGroups@2021-04-01' = { - name: varPlatformIdentityMG.name +resource resPlatformIdentityMg 'Microsoft.Management/managementGroups@2021-04-01' = { + name: varPlatformIdentityMg.name properties: { - displayName: varPlatformIdentityMG.displayName + displayName: varPlatformIdentityMg.displayName details: { parent: { - id: resPlatformMG.id + id: resPlatformMg.id } } } } // Level 3 - Child Management Groups under Landing Zones MG -resource resLandingZonesCorpMG 'Microsoft.Management/managementGroups@2021-04-01' = { - name: varLandingZoneCorpMG.name +resource resLandingZonesCorpMg 'Microsoft.Management/managementGroups@2021-04-01' = { + name: varLandingZoneCorpMg.name properties: { - displayName: varLandingZoneCorpMG.displayName + displayName: varLandingZoneCorpMg.displayName details: { parent: { - id: resLandingZonesMG.id + id: resLandingZonesMg.id } } } } -resource resLandingZonesOnlineMG 'Microsoft.Management/managementGroups@2021-04-01' = { - name: varLandingZoneOnlineMG.name +resource resLandingZonesOnlineMg 'Microsoft.Management/managementGroups@2021-04-01' = { + name: varLandingZoneOnlineMg.name properties: { - displayName: varLandingZoneOnlineMG.displayName + displayName: 
varLandingZoneOnlineMg.displayName details: { parent: { - id: resLandingZonesMG.id + id: resLandingZonesMg.id } } } 
@@ -191,33 +191,33 @@ module modCustomerUsageAttribution '../../CRML/customerUsageAttribution/cuaIdTen } // Output Management Group IDs -output outTopLevelMGId string = resTopLevelMG.id +output outTopLevelManagementGroupId string = resTopLevelMg.id -output outPlatformMGId string = resPlatformMG.id -output outPlatformManagementMGId string = resPlatformManagementMG.id -output outPlatformConnectivityMGId string = resPlatformConnectivityMG.id -output outPlatformIdentityMGId string = resPlatformIdentityMG.id +output outPlatformManagementGroupId string = resPlatformMg.id +output outPlatformManagementManagementGroupId string = resPlatformManagementMg.id +output outPlatformConnectivityManagementGroupId string = resPlatformConnectivityMg.id +output outPlatformIdentityManagementGroupId string = resPlatformIdentityMg.id -output outLandingZonesMGId string = resLandingZonesMG.id -output outLandingZonesCorpMGId string = resLandingZonesCorpMG.id -output outLandingZonesOnlineMGId string = resLandingZonesOnlineMG.id +output outLandingZonesManagementGroupId string = resLandingZonesMg.id +output outLandingZonesCorpManagementGroupId string = resLandingZonesCorpMg.id +output outLandingZonesOnlineManagementGroupId string = resLandingZonesOnlineMg.id -output outSandboxMGId string = resSandboxMG.id +output outSandboxManagementGroupId string = resSandboxMg.id -output outDecommissionedMGId string = resDecommissionedMG.id +output outDecommissionedManagementGroupId string = resDecommissionedMg.id // Output Management Group Names -output outTopLevelMGName string = resTopLevelMG.name +output outTopLevelManagementGroupName string = resTopLevelMg.name -output outPlatformMGName string = resPlatformMG.name -output outPlatformManagementMGName string = resPlatformManagementMG.name -output outPlatformConnectivityMGName string = resPlatformConnectivityMG.name -output outPlatformIdentityMGName string = resPlatformIdentityMG.name +output outPlatformManagementGroupName string = resPlatformMg.name +output 
outPlatformManagementManagementGroupName string = resPlatformManagementMg.name +output outPlatformConnectivityManagementGroupName string = resPlatformConnectivityMg.name +output outPlatformIdentityManagementGroupName string = resPlatformIdentityMg.name -output outLandingZonesMGName string = resLandingZonesMG.name -output outLandingZonesCorpMGName string = resLandingZonesCorpMG.name -output outLandingZonesOnlineMGName string = resLandingZonesOnlineMG.name +output outLandingZonesManagementGroupName string = resLandingZonesMg.name +output outLandingZonesCorpManagementGroupName string = resLandingZonesCorpMg.name +output outLandingZonesOnlineManagementGroupName string = resLandingZonesOnlineMg.name -output outSandboxMGName string = resSandboxMG.name +output outSandboxManagementGroupName string = resSandboxMg.name -output outDecommissionedMGName string = resDecommissionedMG.name +output outDecommissionedManagementGroupName string = resDecommissionedMg.name diff --git a/infra-as-code/bicep/modules/managementGroups/managementGroups.parameters.example.json b/infra-as-code/bicep/modules/managementGroups/parameters/managementGroups.parameters.all.json similarity index 100% rename from infra-as-code/bicep/modules/managementGroups/managementGroups.parameters.example.json rename to infra-as-code/bicep/modules/managementGroups/parameters/managementGroups.parameters.all.json diff --git a/infra-as-code/bicep/modules/managementGroups/parameters/managementGroups.parameters.min.json b/infra-as-code/bicep/modules/managementGroups/parameters/managementGroups.parameters.min.json new file mode 100644 index 000000000..04dfd1df2 --- /dev/null +++ b/infra-as-code/bicep/modules/managementGroups/parameters/managementGroups.parameters.min.json @@ -0,0 +1,9 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "parTelemetryOptOut": { + "value": false + } + } +} \ No newline at end of file 
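Review bot: The output renames in the `@@ -191,33` hunk change the module's external contract. Anything that still reads `outTopLevelMGId`, `outPlatformMGId` or the other old names from this module's outputs will no longer resolve them. The callers are not visible in this part of the diff, so please confirm that every orchestration template and pipeline referencing these outputs is updated in the same change. These IDs look like the values later used as management group scopes, so a half-migrated caller should fail at validation rather than pick up a stale value. I would also mark the block, e.g. `// BREAKING: outputs renamed from out<Name>MGId/out<Name>MGName to out<Name>ManagementGroupId/out<Name>ManagementGroupName`.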
diff --git a/infra-as-code/bicep/modules/policy/assignments/README.md b/infra-as-code/bicep/modules/policy/assignments/README.md index 671d60b68..48ce053e0 100644 --- a/infra-as-code/bicep/modules/policy/assignments/README.md +++ b/infra-as-code/bicep/modules/policy/assignments/README.md 
@@ -18,16 +18,16 @@ The module requires the following inputs: | parPolicyAssignmentName | The name of the policy assignment. | Mandatory input. Can only be a maximum of 24 characters in length as per: [Naming rules and restrictions for Azure resources](https://docs.microsoft.com/azure/azure-resource-manager/management/resource-name-rules#microsoftauthorization) | `Deny-Public-IP` | None | | parPolicyAssignmentDisplayName | The display name of the policy assignment | Mandatory input | `Deny the creation of Public IPs` | None | | parPolicyAssignmentDescription | The description of the policy assignment | Mandatory input | `This policy denies creation of Public IPs under the assigned scope.` | None | - | parPolicyAssignmentDefinitionID | The policy definition ID (full resource ID) for the policy to be assigned. | Mandatory input | `/providers/Microsoft.Authorization/policyDefinitions/9d0a794f-1444-4c96-9534-e35fc8c39c91` (built-in) or `/providers/Microsoft.Management/managementgroups/alz/providers/Microsoft.Authorization/policyDefinitions/Deny-Public-IP` (custom) | None | + | parPolicyAssignmentDefinitionId | The policy definition ID (full resource ID) for the policy to be assigned. | Mandatory input | `/providers/Microsoft.Authorization/policyDefinitions/9d0a794f-1444-4c96-9534-e35fc8c39c91` (built-in) or `/providers/Microsoft.Management/managementgroups/alz/providers/Microsoft.Authorization/policyDefinitions/Deny-Public-IP` (custom) | None | | parPolicyAssignmentParameters | An object containing the parameter values for the policy to be assigned. | Mandatory input | `{"value":{"emailSecurityContact":{"value":"security_contact@replace_me"}}}` | `{}` | | parPolicyAssignmentParameterOverrides | An object containing parameter values that override those provided to parPolicyAssignmentParameters, usually via a JSON file and json(loadTextContent(FILE_PATH)). 
This is only useful when wanting to take values from a source like a JSON file for the majority of the parameters but override specific parameter inputs from other sources or hardcoded. If duplicate parameters exist between parPolicyAssignmentParameters & parPolicyAssignmentParameterOverrides, inputs provided to parPolicyAssignmentParameterOverrides will win. | Not mandatory | `{"value":{"emailSecurityContact":{"value":"different_contact@replace_me"}}}` | `{}` | | parPolicyAssignmentNonComplianceMessages | An array containing object/s for the non-compliance messages for the policy to be assigned. See [Non-compliance messages](https://docs.microsoft.com/azure/governance/policy/concepts/assignment-structure#non-compliance-messages) for more details on use. | Mandatory input | `[{"message":"Default message"}]` | `[]` | | parPolicyAssignmentNotScopes | An array containing a list of scope Resource IDs to be excluded for the policy assignment. | Mandatory input | `["/providers/Microsoft.Management/managementgroups/alz","/providers/Microsoft.Management/managementgroups/alz-sandbox"]` | `[]` | | parPolicyAssignmentEnforcementMode | The enforcement mode for the policy assignment. See [Enforcement Mode](https://aka.ms/EnforcementMode) for more details on use. | Not mandatory. Will only allow values of `Default` or `DoNotEnforce` | `Default` | `Default` | | parPolicyAssignmentIdentityType | The type of identity to be created and associated with the policy assignment. Only required for `Modify` and `DeployIfNotExists` policy effects | Not mandatory. Will only allow values of `None` or `SystemAssigned` | `None` | - | parPolicyAssignmentIdentityRoleAssignmentsAdditionalMGs | An array containing a list of additional Management Group IDs (as the Management Group deployed to is included automatically) that the System-assigned Managed Identity, associated to the policy assignment, will be assigned to additionally. 
| Not mandatory | `["alz","alz-sandbox"]` | `[]` | + | parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs | An array containing a list of additional Management Group IDs (as the Management Group deployed to is included automatically) that the System-assigned Managed Identity, associated to the policy assignment, will be assigned to additionally. | Not mandatory | `["alz","alz-sandbox"]` | `[]` | | parPolicyAssignmentIdentityRoleAssignmentsSubs | An array containing a list of Subscription IDs that the System-assigned Managed Identity associated to the policy assignment will be assigned to in addition to the Management Group the policy is deployed/assigned to. | Not mandatory | `["d4417fe6-3370-48e2-ab38-c7b926526fe7","fbec3ec1-292a-4207-831c-bd62fdb7b468"]` | `[]` | - | parPolicyAssignmentIdentityRoleDefinitionIDs | An array containing a list of RBAC role definition IDs to be assigned to the Managed Identity that is created and associated with the policy assignment. Only required for `Modify` and `DeployIfNotExists` policy effects | Not mandatory. But required for a `Modify` and `DeployIfNotExists` policy effect assignment. | `alz` | `[]` | + | parPolicyAssignmentIdentityRoleDefinitionIds | An array containing a list of RBAC role definition IDs to be assigned to the Managed Identity that is created and associated with the policy assignment. Only required for `Modify` and `DeployIfNotExists` policy effects | Not mandatory. But required for a `Modify` and `DeployIfNotExists` policy effect assignment. | `alz` | `[]` | | parTelemetryOptOut | Set Parameter to true to Opt-out of deployment telemetry | Mandatory input, default: `false` | `false` | `false` | 
@@ -49,7 +49,7 @@ In this example, the `Deny-PublicIP` custom policy definition will be deployed/a # For Azure global regions az deployment mg create \ --template-file infra-as-code/bicep/modules/policy/assignments/policyAssignmentManagementGroup.bicep \ - --parameters @infra-as-code/bicep/modules/policy/assignments/policyAssignmentManagementGroup.parameters.example-deny.json \ + --parameters @infra-as-code/bicep/modules/policy/assignments/parameters/policyAssignmentManagementGroup.deny.parameters.all.json \ --location eastus \ --management-group-id alz-landingzones ``` @@ -58,7 +58,7 @@ OR # For Azure China regions az deployment mg create \ --template-file infra-as-code/bicep/modules/policy/assignments/policyAssignmentManagementGroup.bicep \ - --parameters @infra-as-code/bicep/modules/policy/assignments/policyAssignmentManagementGroup.parameters.example-deny.json \ + --parameters @infra-as-code/bicep/modules/policy/assignments/parameters/policyAssignmentManagementGroup.deny.parameters.all.json \ --location chinaeast2 \ --management-group-id alz-landingzones ``` @@ -69,7 +69,7 @@ az deployment mg create \ # For Azure global regions New-AzManagementGroupDeployment ` -TemplateFile infra-as-code/bicep/modules/policy/assignments/policyAssignmentManagementGroup.bicep ` - -TemplateParameterFile infra-as-code/bicep/modules/policy/assignments/policyAssignmentManagementGroup.parameters.example-deny.json ` + -TemplateParameterFile infra-as-code/bicep/modules/policy/assignments/parameters/policyAssignmentManagementGroup.deny.parameters.all.json ` -Location eastus ` -ManagementGroupId 'alz-landingzones' ``` 
@@ -78,7 +78,7 @@ OR # For Azure China regions New-AzManagementGroupDeployment ` -TemplateFile infra-as-code/bicep/modules/policy/assignments/policyAssignmentManagementGroup.bicep ` - -TemplateParameterFile infra-as-code/bicep/modules/policy/assignments/policyAssignmentManagementGroup.parameters.example-deny.json ` + -TemplateParameterFile infra-as-code/bicep/modules/policy/assignments/parameters/policyAssignmentManagementGroup.deny.parameters.all.json ` -Location chinaeast2 ` -ManagementGroupId 'alz-landingzones' ``` 
@@ -89,18 +89,18 @@ There are two different sets of input parameters files; one for deploying to Azu | Azure Cloud | Bicep template | Input parameters file | | -------------- | ------------------------------------- | --------------------------------------------------------------- | - | Global regions | policyAssignmentManagementGroup.bicep | policyAssignmentManagementGroup.parameters.example-dine.json | - | China regions | policyAssignmentManagementGroup.bicep | mc-policyAssignmentManagementGroup.parameters.example-dine.json | + | Global regions | policyAssignmentManagementGroup.bicep | parameters/policyAssignmentManagementGroup.dine.parameters.all.json | + | China regions | policyAssignmentManagementGroup.bicep | parameters/mc-policyAssignmentManagementGroup.dine.parameters.all.json | -In this example, the `Deploy-MDFC-Config` custom policy definition will be deployed/assigned to the `alz-landingzones` management group (intermediate root management group). And the managed identity associated with the policy will also be assigned to the `alz-platform` management group, as defined in the parameter file: `policyAssignmentManagementGroup.parameters.example-dine.json` or `mc-policyAssignmentManagementGroup.parameters.example-dine.json` +In this example, the `Deploy-MDFC-Config` custom policy definition will be deployed/assigned to the `alz-landingzones` management group (intermediate root management group). 
And the managed identity associated with the policy will also be assigned to the `alz-platform` management group, as defined in the parameter file: `parameters/policyAssignmentManagementGroup.dine.parameters.all.json` or `parameters/mc-policyAssignmentManagementGroup.dine.parameters.all.json` #### Azure CLI - DINE ```bash # For Azure global regions az deployment mg create \ --template-file infra-as-code/bicep/modules/policy/assignments/policyAssignmentManagementGroup.bicep \ - --parameters @infra-as-code/bicep/modules/policy/assignments/policyAssignmentManagementGroup.parameters.example-dine.json \ + --parameters @infra-as-code/bicep/modules/policy/assignments/parameters/policyAssignmentManagementGroup.dine.parameters.all.json \ --location eastus \ --management-group-id alz-landingzones ``` @@ -109,7 +109,7 @@ OR # For Azure China regions az deployment mg create \ --template-file infra-as-code/bicep/modules/policy/assignments/policyAssignmentManagementGroup.bicep \ - --parameters @infra-as-code/bicep/modules/policy/assignments/mc-policyAssignmentManagementGroup.parameters.example-dine.json \ + --parameters @infra-as-code/bicep/modules/policy/assignments/parameters/mc-policyAssignmentManagementGroup.dine.parameters.all.json \ --location chinaeast2 \ --management-group-id alz-landingzones ``` @@ -120,7 +120,7 @@ az deployment mg create \ # For Azure global regions New-AzManagementGroupDeployment ` -TemplateFile infra-as-code/bicep/modules/policy/assignments/policyAssignmentManagementGroup.bicep ` - -TemplateParameterFile infra-as-code/bicep/modules/policy/assignments/policyAssignmentManagementGroup.parameters.example-dine.json ` + -TemplateParameterFile infra-as-code/bicep/modules/policy/assignments/parameters/policyAssignmentManagementGroup.dine.parameters.all.json ` -Location eastus ` -ManagementGroupId 'alz-landingzones' ``` 
@@ -129,7 +129,7 @@ OR # For Azure China regions New-AzManagementGroupDeployment ` -TemplateFile infra-as-code/bicep/modules/policy/assignments/policyAssignmentManagementGroup.bicep ` - -TemplateParameterFile infra-as-code/bicep/modules/policy/assignments/mc-policyAssignmentManagementGroup.parameters.example-dine.json ` + -TemplateParameterFile infra-as-code/bicep/modules/policy/assignments/parameters/mc-policyAssignmentManagementGroup.dine.parameters.all.json ` -Location chinaeast2 ` -ManagementGroupId 'alz-landingzones' ``` diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/README.md b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/README.md index 43b6c7834..8a17b51c3 100644 --- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/README.md +++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/README.md 
@@ -14,10 +14,10 @@ The module requires the following inputs: | ---------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------- | ----------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------- | | parTopLevelManagementGroupPrefix | Prefix for the management group hierarchy. | Yes | `alz` | `alz` | | parLogAnalyticsWorkSpaceAndAutomationAccountLocation | The region where the Log Analytics Workspace & Automation Account are deployed. | Yes | `eastus` | `eastus` | - | parLogAnalyticsWorkspaceResourceID | Log Analytics Workspace Resource ID | Yes | `/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/alz-logging/providers/Microsoft.OperationalInsights/workspaces/alz-log-analytics` | None | + | parLogAnalyticsWorkspaceResourceId | Log Analytics Workspace Resource ID | Yes | `/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/alz-logging/providers/Microsoft.OperationalInsights/workspaces/alz-log-analytics` | None | | parLogAnalyticsWorkspaceLogRetentionInDays | Number of days of log retention for Log Analytics Workspace | Yes | `365` | `365` | | parAutomationAccountName | Automation Account name | Yes | `alz-automation-account` | `alz-automation-account` | - | parMSDFCEmailSecurityContact | An e-mail address that you want Microsoft Defender for Cloud alerts to be sent to. | Yes | `security_contact@replace_me.com` | `security_contact@replace_me.com` | + | parMsDefenderForCloudEmailSecurityContact | An e-mail address that you want Microsoft Defender for Cloud alerts to be sent to. 
| Yes | `security_contact@replace_me.com` | `security_contact@replace_me.com` | | parDdosProtectionPlanId | ID of the DDoS Protection Plan which will be applied to the Virtual Networks. If left empty, the policy Enable-DDoS-VNET will not be assigned at connectivity or landing zone Management Groups to avoid VNET deployment issues. | Yes | `/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/Hub_Networking_POC/providers/Microsoft.Network/ddosProtectionPlans/alz-ddos-plan` | (empty string) | | parTelemetryOptOut | Set Parameter to true to Opt-out of deployment telemetry | Yes | `false` | `false` | @@ -39,7 +39,7 @@ The module does not generate any outputs. # For Azure global regions az deployment mg create \ --template-file infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep \ - --parameters @infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.parameters.example.json \ + --parameters @infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.all.json \ --location eastus \ --management-group-id alz ``` @@ -48,7 +48,7 @@ OR # For Azure China regions az deployment mg create \ --template-file infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep \ - --parameters @infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.parameters.example.json \ + --parameters @infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.all.json \ --location chinaeast2 \ --management-group-id alz ``` 
@@ -59,7 +59,7 @@ az deployment mg create \ # For Azure global regions New-AzManagementGroupDeployment ` -TemplateFile infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep ` - -TemplateParameterFile infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.parameters.example.json ` + -TemplateParameterFile infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.all.json ` -Location eastus ` -ManagementGroupId alz ``` @@ -68,7 +68,7 @@ OR # For Azure China regions New-AzManagementGroupDeployment ` -TemplateFile infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep ` - -TemplateParameterFile infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.parameters.example.json ` + -TemplateParameterFile infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.all.json ` -Location chinaeast2 ` -ManagementGroupId alz ``` diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep index f9062ffad..7fafafeb1 100644 --- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep +++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep @@ -7,7 +7,7 @@ param parTopLevelManagementGroupPrefix string = 'alz' param parLogAnalyticsWorkSpaceAndAutomationAccountLocation string = 'eastus' @description('Log Analytics Workspace Resource ID. - DEFAULT VALUE: Empty String ') -param parLogAnalyticsWorkspaceResourceID string = '' +param parLogAnalyticsWorkspaceResourceId string = '' @description('Number of days of log retention for Log Analytics Workspace. - DEFAULT VALUE: 365') param parLogAnalyticsWorkspaceLogRetentionInDays string = '365' 
@@ -16,7 +16,7 @@ param parLogAnalyticsWorkspaceLogRetentionInDays string = '365' param parAutomationAccountName string = 'alz-automation-account' @description('An e-mail address that you want Microsoft Defender for Cloud alerts to be sent to.') -param parMSDFCEmailSecurityContact string = 'security_contact@replace_me.com' +param parMsDefenderForCloudEmailSecurityContact string = 'security_contact@replace_me.com' @description('ID of the DdosProtectionPlan which will be applied to the Virtual Networks. If left empty, the policy Enable-DDoS-VNET will not be assigned at connectivity or landing zone Management Groups to avoid VNET deployment issues. Default: Empty String') param parDdosProtectionPlanId string = '' @@ -24,9 +24,9 @@ param parDdosProtectionPlanId string = '' @description('Set Parameter to true to Opt-out of deployment telemetry') param parTelemetryOptOut bool = false -var varLogAnalyticsWorkspaceName = split(parLogAnalyticsWorkspaceResourceID, '/')[8] +var varLogAnalyticsWorkspaceName = split(parLogAnalyticsWorkspaceResourceId, '/')[8] -var varLogAnalyticsWorkspaceResourceGroupName = split(parLogAnalyticsWorkspaceResourceID, '/')[4] +var varLogAnalyticsWorkspaceResourceGroupName = split(parLogAnalyticsWorkspaceResourceId, '/')[4] // Customer Usage Attribution Id var varCuaid = '98cef979-5a6b-403b-83c7-10c8f04ac9a2' 
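Review bot: In the `@@ -16,7` hunk the renamed `parMsDefenderForCloudEmailSecurityContact` still defaults to `'security_contact@replace_me.com'`. A deployment that omits the parameter therefore succeeds with a placeholder address at a domain the deployer does not control. How the value is consumed is outside this hunk, but the description says it is where Microsoft Defender for Cloud alerts are sent, so a forgotten override would route security notifications away from the owning team. I would drop the default so the value has to be supplied: `param parMsDefenderForCloudEmailSecurityContact string`.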
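Review bot: In the `@@ -24,9` hunk, `split(parLogAnalyticsWorkspaceResourceId, '/')[8]` and `[4]` index into the parameter unconditionally, while its declaration in the `@@ -7,7` hunk keeps `= ''` as the default. With the default the split yields a single element, so both indexes are out of range and the deployment fails with an index error instead of a clear message. An ID without the leading slash would shift the segments and silently produce the wrong workspace and resource group names. Either make the parameter mandatory by removing the default, or constrain it with `@minLength(1)` above `param parLogAnalyticsWorkspaceResourceId string`, and add `// expects /subscriptions/<id>/resourceGroups/<rg>/providers/Microsoft.OperationalInsights/workspaces/<name>` above the two `split` lines.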
@@ -40,171 +40,171 @@ var varDeploymentNameWrappers = { } var varModuleDeploymentNames = { - modPolicyAssignmentIntRootDeployMDFCConfig: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployMDFCConfig-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) + modPolicyAssignmentIntRootDeployMdfcConfig: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployMDFCConfig-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) modPolicyAssignmentIntRootDeployAzActivityLog: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployAzActivityLog-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) - modPolicyAssignmentIntRootDeployASCMonitoring: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployASCMonitoring-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) + modPolicyAssignmentIntRootDeployAscMonitoring: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployASCMonitoring-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) modPolicyAssignmentIntRootDeployResourceDiag: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployResoruceDiag-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) - modPolicyAssignmentIntRootDeployVMMonitoring: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployVMMonitoring-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) - modPolicyAssignmentIntRootDeployVMSSMonitoring: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployVMSSMonitoring-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) - modPolicyAssignmentConnEnableDDoSVNET: take('${varDeploymentNameWrappers.basePrefix}-polAssi-enableDDoSVNET-conn-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) - modPolicyAssignmentIdentDenyPublicIP: 
take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyPublicIP-ident-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) - modPolicyAssignmentIdentDenyRDPFromInternet: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyRDPFromInet-ident-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) - modPolicyAssignmentIdentDenySubnetWithoutNSG: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denySubnetNoNSG-ident-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) - modPolicyAssignmentIdentDeployVMBackup: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployVMBackup-ident-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) + modPolicyAssignmentIntRootDeployVmMonitoring: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployVMMonitoring-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) + modPolicyAssignmentIntRootDeployVmssMonitoring: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployVMSSMonitoring-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) + modPolicyAssignmentConnEnableDdosVnet: take('${varDeploymentNameWrappers.basePrefix}-polAssi-enableDDoSVNET-conn-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) + modPolicyAssignmentIdentDenyPublicIp: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyPublicIP-ident-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) + modPolicyAssignmentIdentDenyRdpFromInternet: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyRDPFromInet-ident-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) + modPolicyAssignmentIdentDenySubnetWithoutNsg: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denySubnetNoNSG-ident-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) + modPolicyAssignmentIdentDeployVmBackup: 
take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployVMBackup-ident-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) modPolicyAssignmentMgmtDeployLogAnalytics: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployLAW-mgmt-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) - modPolicyAssignmentLZsDenyIPForwarding: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyIPForward-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) - modPolicyAssignmentLZsDenyPublicIP: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyPublicIP-corp-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) - modPolicyAssignmentLZsDenyRDPFromInternet: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyRDPFromInet-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) - modPolicyAssignmentLZsDenySubnetWithoutNSG: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denySubnetNoNSG-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) - modPolicyAssignmentLZsDeployVMBackup: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployVMBackup-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) - modPolicyAssignmentLZsEnableDDoSVNET: take('${varDeploymentNameWrappers.basePrefix}-polAssi-enableDDoSVNET-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) - modPolicyAssignmentLZsDenyStorageHttp: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyStorageHttp-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) - modPolicyAssignmentLZsDeployAKSPolicy: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployAKSPolicy-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) - modPolicyAssignmentLZsDenyPrivEscalationAKS: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyPrivEscAKS-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) - 
modPolicyAssignmentLZsDenyPrivContainersAKS: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyPrivConAKS-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) - modPolicyAssignmentLZsEnforceAKSHTTPS: take('${varDeploymentNameWrappers.basePrefix}-polAssi-enforceAKSHTTPS-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) - modPolicyAssignmentLZsEnforceTLSSSL: take('${varDeploymentNameWrappers.basePrefix}-polAssi-enforceTLSSSL-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) - modPolicyAssignmentLZsDeploySQLDBAuditing: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deploySQLDBAudit-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) - modPolicyAssignmentLZsDeploySQLThreat: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deploySQLThreat-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) - modPolicyAssignmentLZsDenyPublicEndpoints: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyPublicEndpoints-corp-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) - modPolicyAssignmentLZsDeployPrivateDNSZones: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployPrivateDNS-corp-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) - modPolicyAssignmentLZsDenyDataBPip: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyDataBPip-corp-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) - modPolicyAssignmentLZsDenyDataBSku: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyDataBSku-corp-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) - modPolicyAssignmentLZsDenyDataBVnet: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyDataBVnet-corp-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) + modPolicyAssignmentLzsDenyIpForwarding: 
take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyIPForward-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) + modPolicyAssignmentLzsDenyPublicIp: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyPublicIP-corp-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) + modPolicyAssignmentLzsDenyRdpFromInternet: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyRDPFromInet-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) + modPolicyAssignmentLzsDenySubnetWithoutNsg: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denySubnetNoNSG-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) + modPolicyAssignmentLzsDeployVmBackup: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployVMBackup-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) + modPolicyAssignmentLzsEnableDdosVnet: take('${varDeploymentNameWrappers.basePrefix}-polAssi-enableDDoSVNET-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) + modPolicyAssignmentLzsDenyStorageHttp: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyStorageHttp-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) + modPolicyAssignmentLzsDeployAksPolicy: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployAKSPolicy-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) + modPolicyAssignmentLzsDenyPrivEscalationAks: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyPrivEscAKS-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) + modPolicyAssignmentLzsDenyPrivContainersAks: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyPrivConAKS-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) + modPolicyAssignmentLzsEnforceAksHttps: take('${varDeploymentNameWrappers.basePrefix}-polAssi-enforceAKSHTTPS-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) + 
modPolicyAssignmentLzsEnforceTlsSsl: take('${varDeploymentNameWrappers.basePrefix}-polAssi-enforceTLSSSL-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) + modPolicyAssignmentLzsDeploySqlDbAuditing: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deploySQLDBAudit-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) + modPolicyAssignmentLzsDeploySqlThreat: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deploySQLThreat-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) + modPolicyAssignmentLzsDenyPublicEndpoints: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyPublicEndpoints-corp-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) + modPolicyAssignmentLzsDeployPrivateDnsZones: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployPrivateDNS-corp-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) + modPolicyAssignmentLzsDenyDataBPip: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyDataBPip-corp-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) + modPolicyAssignmentLzsDenyDataBSku: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyDataBSku-corp-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) + modPolicyAssignmentLzsDenyDataBVnet: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyDataBVnet-corp-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) } // Policy Assignments Modules Variables var varPolicyAssignmentDenyDataBPip = { - definitionID: '${varTopLevelManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deny-Databricks-NoPublicIp' + definitionId: '${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Databricks-NoPublicIp' libDefinition: json(loadTextContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_databricks_public_ip.tmpl.json')) } var 
varPolicyAssignmentDenyDataBSku = { - definitionID: '${varTopLevelManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deny-Databricks-Sku' + definitionId: '${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Databricks-Sku' libDefinition: json(loadTextContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_databricks_sku.tmpl.json')) } var varPolicyAssignmentDenyDataBVnet = { - definitionID: '${varTopLevelManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deny-Databricks-VirtualNetwork' + definitionId: '${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Databricks-VirtualNetwork' libDefinition: json(loadTextContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_databricks_vnet.tmpl.json')) } -var varPolicyAssignmentEnforceAKSHTTPS = { - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d' +var varPolicyAssignmentEnforceAksHttps = { + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d' libDefinition: json(loadTextContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_http_ingress_aks.tmpl.json')) } -var varPolicyAssignmentDenyIPForwarding = { - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900' +var varPolicyAssignmentDenyIpForwarding = { + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900' libDefinition: json(loadTextContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_ip_forwarding.tmpl.json')) } -var varPolicyAssignmentDenyPrivContainersAKS = { - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4' +var 
varPolicyAssignmentDenyPrivContainersAks = { + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4' libDefinition: json(loadTextContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_priv_containers_aks.tmpl.json')) } -var varPolicyAssignmentDenyPrivEscalationAKS = { - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99' +var varPolicyAssignmentDenyPrivEscalationAks = { + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99' libDefinition: json(loadTextContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_priv_escalation_aks.tmpl.json')) } var varPolicyAssignmentDenyPublicEndpoints = { - definitionID: '${varTopLevelManagementGroupResourceID}/providers/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints' + definitionId: '${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints' libDefinition: json(loadTextContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_public_endpoints.tmpl.json')) } -var varPolicyAssignmentDenyPublicIP = { - definitionID: '${varTopLevelManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicIP' +var varPolicyAssignmentDenyPublicIp = { + definitionId: '${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicIP' libDefinition: json(loadTextContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_public_ip.tmpl.json')) } -var varPolicyAssignmentDenyRDPFromInternet = { - definitionID: '${varTopLevelManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deny-RDP-From-Internet' +var varPolicyAssignmentDenyRdpFromInternet = { + definitionId: 
'${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-RDP-From-Internet' libDefinition: json(loadTextContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_rdp_from_internet.tmpl.json')) } -var varPolicyAssignmentDenyStoragehttp = { - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9' +var varPolicyAssignmentDenyStorageHttp = { + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9' libDefinition: json(loadTextContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_storage_http.tmpl.json')) } var varPolicyAssignmentDenySubnetWithoutNsg = { - definitionID: '${varTopLevelManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg' + definitionId: '${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg' libDefinition: json(loadTextContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_subnet_without_nsg.tmpl.json')) } -var varPolicyAssignmentDeployAKSPolicy = { - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7' +var varPolicyAssignmentDeployAksPolicy = { + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7' libDefinition: json(loadTextContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_aks_policy.tmpl.json')) } -var varPolicyAssignmentDeployASCMonitoring = { - definitionID: '/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8' +var varPolicyAssignmentDeployAscMonitoring = { + definitionId: '/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8' libDefinition: 
json(loadTextContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_asc_monitoring.tmpl.json')) } var varPolicyAssignmentDeployAzActivityLog = { - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/2465583e-4e78-4c15-b6be-a36cbc7c8b0f' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/2465583e-4e78-4c15-b6be-a36cbc7c8b0f' libDefinition: json(loadTextContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_azactivity_log.tmpl.json')) } var varPolicyAssignmentDeployLogAnalytics = { - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/8e3e61b3-0b32-22d5-4edf-55f87fdb5955' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/8e3e61b3-0b32-22d5-4edf-55f87fdb5955' libDefinition: json(loadTextContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_log_analytics.tmpl.json')) } -var varPolicyAssignmentDeployMDFCConfig = { - definitionID: '${varTopLevelManagementGroupResourceID}/providers/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config' +var varPolicyAssignmentDeployMdfcConfig = { + definitionId: '${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config' libDefinition: json(loadTextContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_mdfc_config.tmpl.json')) } var varPolicyAssignmentDeployResourceDiag = { - definitionID: '${varTopLevelManagementGroupResourceID}/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Diagnostics-LogAnalytics' + definitionId: '${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Diagnostics-LogAnalytics' libDefinition: json(loadTextContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_resource_diag.tmpl.json')) } -var varPolicyAssignmentDeploySQLDBAuditing = { - definitionID: 
'/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9' +var varPolicyAssignmentDeploySqlDbAuditing = { + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9' libDefinition: json(loadTextContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_sql_db_auditing.tmpl.json')) } -var varPolicyAssignmentDeploySQLThreat = { - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/36d49e87-48c4-4f2e-beed-ba4ed02b71f5' +var varPolicyAssignmentDeploySqlThreat = { + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/36d49e87-48c4-4f2e-beed-ba4ed02b71f5' libDefinition: json(loadTextContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_sql_threat.tmpl.json')) } -var varPolicyAssignmentDeployVMBackup = { - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86' +var varPolicyAssignmentDeployVmBackup = { + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86' libDefinition: json(loadTextContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_backup.tmpl.json')) } -var varPolicyAssignmentDeployVMMonitoring = { - definitionID: '/providers/Microsoft.Authorization/policySetDefinitions/55f3eceb-5573-4f18-9695-226972c6d74a' +var varPolicyAssignmentDeployVmMonitoring = { + definitionId: '/providers/Microsoft.Authorization/policySetDefinitions/55f3eceb-5573-4f18-9695-226972c6d74a' libDefinition: json(loadTextContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_monitoring.tmpl.json')) } -var varPolicyAssignmentDeployVMSSMonitoring = { - definitionID: '/providers/Microsoft.Authorization/policySetDefinitions/75714362-cae7-409e-9b99-a8e5075b7fad' +var varPolicyAssignmentDeployVmssMonitoring = { + definitionId: 
'/providers/Microsoft.Authorization/policySetDefinitions/75714362-cae7-409e-9b99-a8e5075b7fad' libDefinition: json(loadTextContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vmss_monitoring.tmpl.json')) } -var varPolicyAssignmentEnableDDoSVNET = { - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d' +var varPolicyAssignmentEnableDdosVnet = { + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d' libDefinition: json(loadTextContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_enable_ddos_vnet.tmpl.json')) } -var varPolicyAssignmentEnforceTLSSSL = { - definitionID: '${varTopLevelManagementGroupResourceID}/providers/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit' +var varPolicyAssignmentEnforceTlsSsl = { + definitionId: '${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit' libDefinition: json(loadTextContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_tls_ssl.tmpl.json')) } // RBAC Role Definitions Variables - Used For Policy Assignments -var varRBACRoleDefinitionIDs = { +var varRbacRoleDefinitionIds = { owner: '8e3af657-a8ff-443c-a75c-2fe8c4bcb635' contributor: 'b24988ac-6180-42a0-ab88-20f7382dd24c' networkContributor: '4d97b98b-1d4f-4787-a291-c67834d212e7' @@ -212,7 +212,7 @@ var varRBACRoleDefinitionIDs = { } // Managment Groups Varaibles - Used For Policy Assignments -var varManagementGroupIDs = { +var varManagementGroupIds = { intRoot: parTopLevelManagementGroupPrefix platform: '${parTopLevelManagementGroupPrefix}-platform' platformManagement: '${parTopLevelManagementGroupPrefix}-platform-management' 
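Review bot: The `definitionId` values that point at built-in policies are bare GUIDs, for example in `varPolicyAssignmentEnforceAksHttps` and `varPolicyAssignmentDenyIpForwarding`, and nothing in the hunk says which policy each GUID refers to. Each one is paired by hand with a separately loaded `libDefinition` template. As far as this hunk shows, a mistyped GUID would still deploy under the name and description taken from the template file, so the assignment would look correct while enforcing a different policy. A one-line comment above each entry, such as `// Built-in policy: <display name>, checked against the policy catalogue`, would let a reviewer verify the pairing. The same applies to the role GUIDs in `varRbacRoleDefinitionIds`, whose definition continues past the end of this hunk.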
@@ -225,7 +225,7 @@ var varManagementGroupIDs = { sandbox: '${parTopLevelManagementGroupPrefix}-sandbox' } -var varTopLevelManagementGroupResourceID = '/providers/Microsoft.Management/managementGroups/${varManagementGroupIDs.intRoot}' +var varTopLevelManagementGroupResourceId = '/providers/Microsoft.Management/managementGroups/${varManagementGroupIds.intRoot}' // **Scope** targetScope = 'managementGroup' 
@@ -239,53 +239,53 @@ module modCustomerUsageAttribution '../../../../CRML/customerUsageAttribution/cu // Modules - Policy Assignments - Intermediate Root Management Group // Module - Policy Assignment - Deploy-MDFC-Config -module modPolicyAssignmentIntRootDeployMDFCConfig '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { - scope: managementGroup(varManagementGroupIDs.intRoot) - name: varModuleDeploymentNames.modPolicyAssignmentIntRootDeployMDFCConfig +module modPolicyAssignmentIntRootDeployMdfcConfig '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { + scope: managementGroup(varManagementGroupIds.intRoot) + name: varModuleDeploymentNames.modPolicyAssignmentIntRootDeployMdfcConfig params: { - parPolicyAssignmentDefinitionID: varPolicyAssignmentDeployMDFCConfig.definitionID - parPolicyAssignmentName: varPolicyAssignmentDeployMDFCConfig.libDefinition.name - parPolicyAssignmentDisplayName: varPolicyAssignmentDeployMDFCConfig.libDefinition.properties.displayName - parPolicyAssignmentDescription: varPolicyAssignmentDeployMDFCConfig.libDefinition.properties.description - parPolicyAssignmentParameters: varPolicyAssignmentDeployMDFCConfig.libDefinition.properties.parameters + parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployMdfcConfig.definitionId + parPolicyAssignmentName: varPolicyAssignmentDeployMdfcConfig.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentDeployMdfcConfig.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentDeployMdfcConfig.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentDeployMdfcConfig.libDefinition.properties.parameters parPolicyAssignmentParameterOverrides: { emailSecurityContact: { - value: parMSDFCEmailSecurityContact + value: parMsDefenderForCloudEmailSecurityContact } ascExportResourceGroupLocation: { value: parLogAnalyticsWorkSpaceAndAutomationAccountLocation } logAnalytics: { - value: 
parLogAnalyticsWorkspaceResourceID + value: parLogAnalyticsWorkspaceResourceId } } - parPolicyAssignmentIdentityType: varPolicyAssignmentDeployMDFCConfig.libDefinition.identity.type - parPolicyAssignmentIdentityRoleDefinitionIDs: [ - varRBACRoleDefinitionIDs.owner + parPolicyAssignmentIdentityType: varPolicyAssignmentDeployMdfcConfig.libDefinition.identity.type + parPolicyAssignmentIdentityRoleDefinitionIds: [ + varRbacRoleDefinitionIds.owner ] - parPolicyAssignmentEnforcementMode: varPolicyAssignmentDeployMDFCConfig.libDefinition.properties.enforcementMode + parPolicyAssignmentEnforcementMode: varPolicyAssignmentDeployMdfcConfig.libDefinition.properties.enforcementMode parTelemetryOptOut: parTelemetryOptOut } } // Module - Policy Assignment - Deploy-AzActivity-Log module modPolicyAssignmentIntRootDeployAzActivityLog '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { - scope: managementGroup(varManagementGroupIDs.intRoot) + scope: managementGroup(varManagementGroupIds.intRoot) name: varModuleDeploymentNames.modPolicyAssignmentIntRootDeployAzActivityLog params: { - parPolicyAssignmentDefinitionID: varPolicyAssignmentDeployAzActivityLog.definitionID + parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployAzActivityLog.definitionId parPolicyAssignmentName: varPolicyAssignmentDeployAzActivityLog.libDefinition.name parPolicyAssignmentDisplayName: varPolicyAssignmentDeployAzActivityLog.libDefinition.properties.displayName parPolicyAssignmentDescription: varPolicyAssignmentDeployAzActivityLog.libDefinition.properties.description parPolicyAssignmentParameters: varPolicyAssignmentDeployAzActivityLog.libDefinition.properties.parameters parPolicyAssignmentParameterOverrides: { logAnalytics: { - value: parLogAnalyticsWorkspaceResourceID + value: parLogAnalyticsWorkspaceResourceId } } parPolicyAssignmentIdentityType: varPolicyAssignmentDeployAzActivityLog.libDefinition.identity.type - parPolicyAssignmentIdentityRoleDefinitionIDs: [ - 
varRBACRoleDefinitionIDs.owner + parPolicyAssignmentIdentityRoleDefinitionIds: [ + varRbacRoleDefinitionIds.owner ] parPolicyAssignmentEnforcementMode: varPolicyAssignmentDeployAzActivityLog.libDefinition.properties.enforcementMode parTelemetryOptOut: parTelemetryOptOut 
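Review bot: Both assignments in this hunk pass `varRbacRoleDefinitionIds.owner` in `parPolicyAssignmentIdentityRoleDefinitionIds` with `scope: managementGroup(varManagementGroupIds.intRoot)`, and the file does not explain why Owner is needed. If the module grants that role to the assignment's managed identity at that scope, which the called `policyAssignmentManagementGroup.bicep` would confirm, the identity holds Owner over the whole hierarchy below the intermediate root. I would add a comment on each list, for example `// Owner at intRoot is required by this policy's roleDefinitionIds; confirm before narrowing`. It is also worth checking whether the Deploy-AzActivity-Log assignment can work with a narrower role. The body of `modPolicyAssignmentIntRootDeployAzActivityLog` continues past the end of this hunk.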
@@ -293,91 +293,91 @@ module modPolicyAssignmentIntRootDeployAzActivityLog '../../../policy/assignment } // Module - Policy Assignment - Deploy-ASC-Monitoring -module modPolicyAssignmentIntRootDeployASCMonitoring '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { +module modPolicyAssignmentIntRootDeployAscMonitoring '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { // dependsOn: [ // modCustomPolicyDefinitions // ] - scope: managementGroup(varManagementGroupIDs.intRoot) - name: varModuleDeploymentNames.modPolicyAssignmentIntRootDeployASCMonitoring + scope: managementGroup(varManagementGroupIds.intRoot) + name: varModuleDeploymentNames.modPolicyAssignmentIntRootDeployAscMonitoring params: { - parPolicyAssignmentDefinitionID: varPolicyAssignmentDeployASCMonitoring.definitionID - parPolicyAssignmentName: varPolicyAssignmentDeployASCMonitoring.libDefinition.name - parPolicyAssignmentDisplayName: varPolicyAssignmentDeployASCMonitoring.libDefinition.properties.displayName - parPolicyAssignmentDescription: varPolicyAssignmentDeployASCMonitoring.libDefinition.properties.description - parPolicyAssignmentParameters: varPolicyAssignmentDeployASCMonitoring.libDefinition.properties.parameters - parPolicyAssignmentIdentityType: varPolicyAssignmentDeployASCMonitoring.libDefinition.identity.type - parPolicyAssignmentEnforcementMode: varPolicyAssignmentDeployASCMonitoring.libDefinition.properties.enforcementMode + parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployAscMonitoring.definitionId + parPolicyAssignmentName: varPolicyAssignmentDeployAscMonitoring.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentDeployAscMonitoring.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentDeployAscMonitoring.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentDeployAscMonitoring.libDefinition.properties.parameters + parPolicyAssignmentIdentityType: 
varPolicyAssignmentDeployAscMonitoring.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: varPolicyAssignmentDeployAscMonitoring.libDefinition.properties.enforcementMode parTelemetryOptOut: parTelemetryOptOut } } // // Module - Policy Assignment - Deploy-Resource-Diag module modPolicyAssignmentIntRootDeployResourceDiag '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { - scope: managementGroup(varManagementGroupIDs.intRoot) + scope: managementGroup(varManagementGroupIds.intRoot) name: varModuleDeploymentNames.modPolicyAssignmentIntRootDeployResourceDiag params: { - parPolicyAssignmentDefinitionID: varPolicyAssignmentDeployResourceDiag.definitionID + parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployResourceDiag.definitionId parPolicyAssignmentName: varPolicyAssignmentDeployResourceDiag.libDefinition.name parPolicyAssignmentDisplayName: varPolicyAssignmentDeployResourceDiag.libDefinition.properties.displayName parPolicyAssignmentDescription: varPolicyAssignmentDeployResourceDiag.libDefinition.properties.description parPolicyAssignmentParameters: varPolicyAssignmentDeployResourceDiag.libDefinition.properties.parameters parPolicyAssignmentParameterOverrides: { logAnalytics: { - value: parLogAnalyticsWorkspaceResourceID + value: parLogAnalyticsWorkspaceResourceId } } parPolicyAssignmentIdentityType: varPolicyAssignmentDeployResourceDiag.libDefinition.identity.type parPolicyAssignmentEnforcementMode: varPolicyAssignmentDeployResourceDiag.libDefinition.properties.enforcementMode - parPolicyAssignmentIdentityRoleDefinitionIDs: [ - varRBACRoleDefinitionIDs.owner + parPolicyAssignmentIdentityRoleDefinitionIds: [ + varRbacRoleDefinitionIds.owner ] parTelemetryOptOut: parTelemetryOptOut } } // Module - Policy Assignment - Deploy-VM-Monitoring -module modPolicyAssignmentIntRootDeployVMMonitoring '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { - scope: managementGroup(varManagementGroupIDs.intRoot) - name: 
varModuleDeploymentNames.modPolicyAssignmentIntRootDeployVMMonitoring +module modPolicyAssignmentIntRootDeployVmMonitoring '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { + scope: managementGroup(varManagementGroupIds.intRoot) + name: varModuleDeploymentNames.modPolicyAssignmentIntRootDeployVmMonitoring params: { - parPolicyAssignmentDefinitionID: varPolicyAssignmentDeployVMMonitoring.definitionID - parPolicyAssignmentName: varPolicyAssignmentDeployVMMonitoring.libDefinition.name - parPolicyAssignmentDisplayName: varPolicyAssignmentDeployVMMonitoring.libDefinition.properties.displayName - parPolicyAssignmentDescription: varPolicyAssignmentDeployVMMonitoring.libDefinition.properties.description - parPolicyAssignmentParameters: varPolicyAssignmentDeployVMMonitoring.libDefinition.properties.parameters + parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployVmMonitoring.definitionId + parPolicyAssignmentName: varPolicyAssignmentDeployVmMonitoring.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentDeployVmMonitoring.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentDeployVmMonitoring.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentDeployVmMonitoring.libDefinition.properties.parameters parPolicyAssignmentParameterOverrides: { logAnalytics_1: { - value: parLogAnalyticsWorkspaceResourceID + value: parLogAnalyticsWorkspaceResourceId } } - parPolicyAssignmentIdentityType: varPolicyAssignmentDeployVMMonitoring.libDefinition.identity.type - parPolicyAssignmentEnforcementMode: varPolicyAssignmentDeployVMMonitoring.libDefinition.properties.enforcementMode - parPolicyAssignmentIdentityRoleDefinitionIDs: [ - varRBACRoleDefinitionIDs.owner + parPolicyAssignmentIdentityType: varPolicyAssignmentDeployVmMonitoring.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: varPolicyAssignmentDeployVmMonitoring.libDefinition.properties.enforcementMode 
+ parPolicyAssignmentIdentityRoleDefinitionIds: [ + varRbacRoleDefinitionIds.owner ] parTelemetryOptOut: parTelemetryOptOut } } // Module - Policy Assignment - Deploy-VMSS-Monitoring -module modPolicyAssignmentIntRootDeployVMSSMonitoring '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { - scope: managementGroup(varManagementGroupIDs.intRoot) - name: varModuleDeploymentNames.modPolicyAssignmentIntRootDeployVMSSMonitoring +module modPolicyAssignmentIntRootDeployVmssMonitoring '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { + scope: managementGroup(varManagementGroupIds.intRoot) + name: varModuleDeploymentNames.modPolicyAssignmentIntRootDeployVmssMonitoring params: { - parPolicyAssignmentDefinitionID: varPolicyAssignmentDeployVMSSMonitoring.definitionID - parPolicyAssignmentName: varPolicyAssignmentDeployVMSSMonitoring.libDefinition.name - parPolicyAssignmentDisplayName: varPolicyAssignmentDeployVMSSMonitoring.libDefinition.properties.displayName - parPolicyAssignmentDescription: varPolicyAssignmentDeployVMSSMonitoring.libDefinition.properties.description - parPolicyAssignmentParameters: varPolicyAssignmentDeployVMSSMonitoring.libDefinition.properties.parameters + parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployVmssMonitoring.definitionId + parPolicyAssignmentName: varPolicyAssignmentDeployVmssMonitoring.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentDeployVmssMonitoring.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentDeployVmssMonitoring.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentDeployVmssMonitoring.libDefinition.properties.parameters parPolicyAssignmentParameterOverrides: { logAnalytics_1: { - value: parLogAnalyticsWorkspaceResourceID + value: parLogAnalyticsWorkspaceResourceId } } - parPolicyAssignmentIdentityType: varPolicyAssignmentDeployVMSSMonitoring.libDefinition.identity.type - 
parPolicyAssignmentEnforcementMode: varPolicyAssignmentDeployVMSSMonitoring.libDefinition.properties.enforcementMode - parPolicyAssignmentIdentityRoleDefinitionIDs: [ - varRBACRoleDefinitionIDs.owner + parPolicyAssignmentIdentityType: varPolicyAssignmentDeployVmssMonitoring.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: varPolicyAssignmentDeployVmssMonitoring.libDefinition.properties.enforcementMode + parPolicyAssignmentIdentityRoleDefinitionIds: [ + varRbacRoleDefinitionIds.owner ] parTelemetryOptOut: parTelemetryOptOut } 
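Review bot: The policy-assignment identities for Deploy-Resource-Diag, Deploy-VM-Monitoring and Deploy-VMSS-Monitoring are still given `varRbacRoleDefinitionIds.owner` at the `intRoot` management group scope, and the rename is a natural point to revisit that grant. Owner at that scope carries role-assignment rights over everything beneath it, so a misused remediation identity would have a very wide reach. Whether the roles named in each policy definition's `roleDefinitionIds` are narrower is not visible in this hunk. If Owner is genuinely required, a comment above each array, such as `// Owner is required by the policy definition's roleDefinitionIds (confirm before narrowing)`, would record the reason. The same Owner grant appears in the Deploy-VM-Backup and Deploy-Log-Analytics hunks further down.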
@@ -385,24 +385,24 @@ module modPolicyAssignmentIntRootDeployVMSSMonitoring '../../../policy/assignmen // // Modules - Policy Assignments - Connectivity Management Group // Module - Policy Assignment - Enable-DDoS-VNET -module modPolicyAssignmentConnEnableDDoSVNET '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!empty(parDdosProtectionPlanId)) { - scope: managementGroup(varManagementGroupIDs.platformConnectivity) - name: varModuleDeploymentNames.modPolicyAssignmentConnEnableDDoSVNET +module modPolicyAssignmentConnEnableDdosVnet '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!empty(parDdosProtectionPlanId)) { + scope: managementGroup(varManagementGroupIds.platformConnectivity) + name: varModuleDeploymentNames.modPolicyAssignmentConnEnableDdosVnet params: { - parPolicyAssignmentDefinitionID: varPolicyAssignmentEnableDDoSVNET.definitionID - parPolicyAssignmentName: varPolicyAssignmentEnableDDoSVNET.libDefinition.name - parPolicyAssignmentDisplayName: varPolicyAssignmentEnableDDoSVNET.libDefinition.properties.displayName - parPolicyAssignmentDescription: varPolicyAssignmentEnableDDoSVNET.libDefinition.properties.description - parPolicyAssignmentParameters: varPolicyAssignmentEnableDDoSVNET.libDefinition.properties.parameters + parPolicyAssignmentDefinitionId: varPolicyAssignmentEnableDdosVnet.definitionId + parPolicyAssignmentName: varPolicyAssignmentEnableDdosVnet.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentEnableDdosVnet.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentEnableDdosVnet.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentEnableDdosVnet.libDefinition.properties.parameters parPolicyAssignmentParameterOverrides: { ddosPlan: { value: parDdosProtectionPlanId } } - parPolicyAssignmentIdentityType: varPolicyAssignmentEnableDDoSVNET.libDefinition.identity.type - parPolicyAssignmentEnforcementMode: 
varPolicyAssignmentEnableDDoSVNET.libDefinition.properties.enforcementMode - parPolicyAssignmentIdentityRoleDefinitionIDs: [ - varRBACRoleDefinitionIDs.networkContributor + parPolicyAssignmentIdentityType: varPolicyAssignmentEnableDdosVnet.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: varPolicyAssignmentEnableDdosVnet.libDefinition.properties.enforcementMode + parPolicyAssignmentIdentityRoleDefinitionIds: [ + varRbacRoleDefinitionIds.networkContributor ] parTelemetryOptOut: parTelemetryOptOut } 
@@ -410,43 +410,43 @@ module modPolicyAssignmentConnEnableDDoSVNET '../../../policy/assignments/policy // Modules - Policy Assignments - Identity Management Group // Module - Policy Assignment - Deny-Public-IP -module modPolicyAssignmentIdentDenyPublicIP '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { - scope: managementGroup(varManagementGroupIDs.platformIdentity) - name: varModuleDeploymentNames.modPolicyAssignmentIdentDenyPublicIP +module modPolicyAssignmentIdentDenyPublicIp '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { + scope: managementGroup(varManagementGroupIds.platformIdentity) + name: varModuleDeploymentNames.modPolicyAssignmentIdentDenyPublicIp params: { - parPolicyAssignmentDefinitionID: varPolicyAssignmentDenyPublicIP.definitionID - parPolicyAssignmentName: varPolicyAssignmentDenyPublicIP.libDefinition.name - parPolicyAssignmentDisplayName: varPolicyAssignmentDenyPublicIP.libDefinition.properties.displayName - parPolicyAssignmentDescription: varPolicyAssignmentDenyPublicIP.libDefinition.properties.description - parPolicyAssignmentParameters: varPolicyAssignmentDenyPublicIP.libDefinition.properties.parameters - parPolicyAssignmentIdentityType: varPolicyAssignmentDenyPublicIP.libDefinition.identity.type - parPolicyAssignmentEnforcementMode: varPolicyAssignmentDenyPublicIP.libDefinition.properties.enforcementMode + parPolicyAssignmentDefinitionId: varPolicyAssignmentDenyPublicIp.definitionId + parPolicyAssignmentName: varPolicyAssignmentDenyPublicIp.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentDenyPublicIp.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentDenyPublicIp.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentDenyPublicIp.libDefinition.properties.parameters + parPolicyAssignmentIdentityType: varPolicyAssignmentDenyPublicIp.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: 
varPolicyAssignmentDenyPublicIp.libDefinition.properties.enforcementMode parTelemetryOptOut: parTelemetryOptOut } } // Module - Policy Assignment - Deny-RDP-From-Internet -module modPolicyAssignmentIdentDenyRDPFromInternet '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { - scope: managementGroup(varManagementGroupIDs.platformIdentity) - name: varModuleDeploymentNames.modPolicyAssignmentIdentDenyRDPFromInternet +module modPolicyAssignmentIdentDenyRdpFromInternet '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { + scope: managementGroup(varManagementGroupIds.platformIdentity) + name: varModuleDeploymentNames.modPolicyAssignmentIdentDenyRdpFromInternet params: { - parPolicyAssignmentDefinitionID: varPolicyAssignmentDenyRDPFromInternet.definitionID - parPolicyAssignmentName: varPolicyAssignmentDenyRDPFromInternet.libDefinition.name - parPolicyAssignmentDisplayName: varPolicyAssignmentDenyRDPFromInternet.libDefinition.properties.displayName - parPolicyAssignmentDescription: varPolicyAssignmentDenyRDPFromInternet.libDefinition.properties.description - parPolicyAssignmentParameters: varPolicyAssignmentDenyRDPFromInternet.libDefinition.properties.parameters - parPolicyAssignmentIdentityType: varPolicyAssignmentDenyRDPFromInternet.libDefinition.identity.type - parPolicyAssignmentEnforcementMode: varPolicyAssignmentDenyRDPFromInternet.libDefinition.properties.enforcementMode + parPolicyAssignmentDefinitionId: varPolicyAssignmentDenyRdpFromInternet.definitionId + parPolicyAssignmentName: varPolicyAssignmentDenyRdpFromInternet.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentDenyRdpFromInternet.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentDenyRdpFromInternet.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentDenyRdpFromInternet.libDefinition.properties.parameters + parPolicyAssignmentIdentityType: 
varPolicyAssignmentDenyRdpFromInternet.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: varPolicyAssignmentDenyRdpFromInternet.libDefinition.properties.enforcementMode parTelemetryOptOut: parTelemetryOptOut } } // Module - Policy Assignment - Deny-Subnet-Without-Nsg -module modPolicyAssignmentIdentDenySubnetWithoutNSG '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { - scope: managementGroup(varManagementGroupIDs.platformIdentity) - name: varModuleDeploymentNames.modPolicyAssignmentIdentDenySubnetWithoutNSG +module modPolicyAssignmentIdentDenySubnetWithoutNsg '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { + scope: managementGroup(varManagementGroupIds.platformIdentity) + name: varModuleDeploymentNames.modPolicyAssignmentIdentDenySubnetWithoutNsg params: { - parPolicyAssignmentDefinitionID: varPolicyAssignmentDenySubnetWithoutNsg.definitionID + parPolicyAssignmentDefinitionId: varPolicyAssignmentDenySubnetWithoutNsg.definitionId parPolicyAssignmentName: varPolicyAssignmentDenySubnetWithoutNsg.libDefinition.name parPolicyAssignmentDisplayName: varPolicyAssignmentDenySubnetWithoutNsg.libDefinition.properties.displayName parPolicyAssignmentDescription: varPolicyAssignmentDenySubnetWithoutNsg.libDefinition.properties.description 
@@ -458,19 +458,19 @@ module modPolicyAssignmentIdentDenySubnetWithoutNSG '../../../policy/assignments } // Module - Policy Assignment - Deploy-VM-Backup -module modPolicyAssignmentIdentDeployVMBackup '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { - scope: managementGroup(varManagementGroupIDs.platformIdentity) - name: varModuleDeploymentNames.modPolicyAssignmentIdentDeployVMBackup +module modPolicyAssignmentIdentDeployVmBackup '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { + scope: managementGroup(varManagementGroupIds.platformIdentity) + name: varModuleDeploymentNames.modPolicyAssignmentIdentDeployVmBackup params: { - parPolicyAssignmentDefinitionID: varPolicyAssignmentDeployVMBackup.definitionID - parPolicyAssignmentName: varPolicyAssignmentDeployVMBackup.libDefinition.name - parPolicyAssignmentDisplayName: varPolicyAssignmentDeployVMBackup.libDefinition.properties.displayName - parPolicyAssignmentDescription: varPolicyAssignmentDeployVMBackup.libDefinition.properties.description - parPolicyAssignmentParameters: varPolicyAssignmentDeployVMBackup.libDefinition.properties.parameters - parPolicyAssignmentIdentityType: varPolicyAssignmentDeployVMBackup.libDefinition.identity.type - parPolicyAssignmentEnforcementMode: varPolicyAssignmentDeployVMBackup.libDefinition.properties.enforcementMode - parPolicyAssignmentIdentityRoleDefinitionIDs: [ - varRBACRoleDefinitionIDs.owner + parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployVmBackup.definitionId + parPolicyAssignmentName: varPolicyAssignmentDeployVmBackup.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentDeployVmBackup.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentDeployVmBackup.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentDeployVmBackup.libDefinition.properties.parameters + parPolicyAssignmentIdentityType: 
varPolicyAssignmentDeployVmBackup.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: varPolicyAssignmentDeployVmBackup.libDefinition.properties.enforcementMode + parPolicyAssignmentIdentityRoleDefinitionIds: [ + varRbacRoleDefinitionIds.owner ] parTelemetryOptOut: parTelemetryOptOut } @@ -479,10 +479,10 @@ module modPolicyAssignmentIdentDeployVMBackup '../../../policy/assignments/polic // Modules - Policy Assignments - Management Management Group // Module - Policy Assignment - Deploy-Log-Analytics module modPolicyAssignmentMgmtDeployLogAnalytics '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { - scope: managementGroup(varManagementGroupIDs.platformManagement) + scope: managementGroup(varManagementGroupIds.platformManagement) name: varModuleDeploymentNames.modPolicyAssignmentMgmtDeployLogAnalytics params: { - parPolicyAssignmentDefinitionID: varPolicyAssignmentDeployLogAnalytics.definitionID + parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployLogAnalytics.definitionId parPolicyAssignmentName: varPolicyAssignmentDeployLogAnalytics.libDefinition.name parPolicyAssignmentDisplayName: varPolicyAssignmentDeployLogAnalytics.libDefinition.properties.displayName parPolicyAssignmentDescription: varPolicyAssignmentDeployLogAnalytics.libDefinition.properties.description @@ -509,8 +509,8 @@ module modPolicyAssignmentMgmtDeployLogAnalytics '../../../policy/assignments/po } parPolicyAssignmentIdentityType: varPolicyAssignmentDeployLogAnalytics.libDefinition.identity.type parPolicyAssignmentEnforcementMode: varPolicyAssignmentDeployLogAnalytics.libDefinition.properties.enforcementMode - parPolicyAssignmentIdentityRoleDefinitionIDs: [ - varRBACRoleDefinitionIDs.owner + parPolicyAssignmentIdentityRoleDefinitionIds: [ + varRbacRoleDefinitionIds.owner ] parTelemetryOptOut: parTelemetryOptOut } 
@@ -518,43 +518,43 @@ module modPolicyAssignmentMgmtDeployLogAnalytics '../../../policy/assignments/po // Modules - Policy Assignments - Landing Zones Management Group // Module - Policy Assignment - Deny-IP-Forwarding -module modPolicyAssignmentLZsDenyIPForwarding '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { - scope: managementGroup(varManagementGroupIDs.landingZones) - name: varModuleDeploymentNames.modPolicyAssignmentLZsDenyIPForwarding +module modPolicyAssignmentLzsDenyIpForwarding '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { + scope: managementGroup(varManagementGroupIds.landingZones) + name: varModuleDeploymentNames.modPolicyAssignmentLzsDenyIpForwarding params: { - parPolicyAssignmentDefinitionID: varPolicyAssignmentDenyIPForwarding.definitionID - parPolicyAssignmentName: varPolicyAssignmentDenyIPForwarding.libDefinition.name - parPolicyAssignmentDisplayName: varPolicyAssignmentDenyIPForwarding.libDefinition.properties.displayName - parPolicyAssignmentDescription: varPolicyAssignmentDenyIPForwarding.libDefinition.properties.description - parPolicyAssignmentParameters: varPolicyAssignmentDenyIPForwarding.libDefinition.properties.parameters - parPolicyAssignmentIdentityType: varPolicyAssignmentDenyIPForwarding.libDefinition.identity.type - parPolicyAssignmentEnforcementMode: varPolicyAssignmentDenyIPForwarding.libDefinition.properties.enforcementMode + parPolicyAssignmentDefinitionId: varPolicyAssignmentDenyIpForwarding.definitionId + parPolicyAssignmentName: varPolicyAssignmentDenyIpForwarding.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentDenyIpForwarding.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentDenyIpForwarding.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentDenyIpForwarding.libDefinition.properties.parameters + parPolicyAssignmentIdentityType: 
varPolicyAssignmentDenyIpForwarding.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: varPolicyAssignmentDenyIpForwarding.libDefinition.properties.enforcementMode parTelemetryOptOut: parTelemetryOptOut } } // Module - Policy Assignment - Deny-RDP-From-Internet -module modPolicyAssignmentLZstDenyRDPFromInternet '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { - scope: managementGroup(varManagementGroupIDs.landingZones) - name: varModuleDeploymentNames.modPolicyAssignmentLZsDenyRDPFromInternet +module modPolicyAssignmentLzsDenyRdpFromInternet '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { + scope: managementGroup(varManagementGroupIds.landingZones) + name: varModuleDeploymentNames.modPolicyAssignmentLzsDenyRdpFromInternet params: { - parPolicyAssignmentDefinitionID: varPolicyAssignmentDenyRDPFromInternet.definitionID - parPolicyAssignmentName: varPolicyAssignmentDenyRDPFromInternet.libDefinition.name - parPolicyAssignmentDisplayName: varPolicyAssignmentDenyRDPFromInternet.libDefinition.properties.displayName - parPolicyAssignmentDescription: varPolicyAssignmentDenyRDPFromInternet.libDefinition.properties.description - parPolicyAssignmentParameters: varPolicyAssignmentDenyRDPFromInternet.libDefinition.properties.parameters - parPolicyAssignmentIdentityType: varPolicyAssignmentDenyRDPFromInternet.libDefinition.identity.type - parPolicyAssignmentEnforcementMode: varPolicyAssignmentDenyRDPFromInternet.libDefinition.properties.enforcementMode + parPolicyAssignmentDefinitionId: varPolicyAssignmentDenyRdpFromInternet.definitionId + parPolicyAssignmentName: varPolicyAssignmentDenyRdpFromInternet.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentDenyRdpFromInternet.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentDenyRdpFromInternet.libDefinition.properties.description + parPolicyAssignmentParameters: 
varPolicyAssignmentDenyRdpFromInternet.libDefinition.properties.parameters + parPolicyAssignmentIdentityType: varPolicyAssignmentDenyRdpFromInternet.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: varPolicyAssignmentDenyRdpFromInternet.libDefinition.properties.enforcementMode parTelemetryOptOut: parTelemetryOptOut } } // Module - Policy Assignment - Deny-Subnet-Without-Nsg -module modPolicyAssignmentLZsDenySubnetWithoutNSG '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { - scope: managementGroup(varManagementGroupIDs.landingZones) - name: varModuleDeploymentNames.modPolicyAssignmentLZsDenySubnetWithoutNSG +module modPolicyAssignmentLzsDenySubnetWithoutNsg '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { + scope: managementGroup(varManagementGroupIds.landingZones) + name: varModuleDeploymentNames.modPolicyAssignmentLzsDenySubnetWithoutNsg params: { - parPolicyAssignmentDefinitionID: varPolicyAssignmentDenySubnetWithoutNsg.definitionID + parPolicyAssignmentDefinitionId: varPolicyAssignmentDenySubnetWithoutNsg.definitionId parPolicyAssignmentName: varPolicyAssignmentDenySubnetWithoutNsg.libDefinition.name parPolicyAssignmentDisplayName: varPolicyAssignmentDenySubnetWithoutNsg.libDefinition.properties.displayName parPolicyAssignmentDescription: varPolicyAssignmentDenySubnetWithoutNsg.libDefinition.properties.description 
@@ -566,180 +566,180 @@ module modPolicyAssignmentLZsDenySubnetWithoutNSG '../../../policy/assignments/p } // Module - Policy Assignment - Deploy-VM-Backup -module modPolicyAssignmentLZsDeployVMBackup '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { - scope: managementGroup(varManagementGroupIDs.landingZones) - name: varModuleDeploymentNames.modPolicyAssignmentLZsDeployVMBackup +module modPolicyAssignmentLzsDeployVmBackup '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { + scope: managementGroup(varManagementGroupIds.landingZones) + name: varModuleDeploymentNames.modPolicyAssignmentLzsDeployVmBackup params: { - parPolicyAssignmentDefinitionID: varPolicyAssignmentDeployVMBackup.definitionID - parPolicyAssignmentName: varPolicyAssignmentDeployVMBackup.libDefinition.name - parPolicyAssignmentDisplayName: varPolicyAssignmentDeployVMBackup.libDefinition.properties.displayName - parPolicyAssignmentDescription: varPolicyAssignmentDeployVMBackup.libDefinition.properties.description - parPolicyAssignmentParameters: varPolicyAssignmentDeployVMBackup.libDefinition.properties.parameters - parPolicyAssignmentIdentityType: varPolicyAssignmentDeployVMBackup.libDefinition.identity.type - parPolicyAssignmentEnforcementMode: varPolicyAssignmentDeployVMBackup.libDefinition.properties.enforcementMode - parPolicyAssignmentIdentityRoleDefinitionIDs: [ - varRBACRoleDefinitionIDs.owner + parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployVmBackup.definitionId + parPolicyAssignmentName: varPolicyAssignmentDeployVmBackup.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentDeployVmBackup.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentDeployVmBackup.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentDeployVmBackup.libDefinition.properties.parameters + parPolicyAssignmentIdentityType: 
varPolicyAssignmentDeployVmBackup.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: varPolicyAssignmentDeployVmBackup.libDefinition.properties.enforcementMode + parPolicyAssignmentIdentityRoleDefinitionIds: [ + varRbacRoleDefinitionIds.owner ] parTelemetryOptOut: parTelemetryOptOut } } // Module - Policy Assignment - Enable-DDoS-VNET -module modPolicyAssignmentLZsEnableDDoSVNET '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!empty(parDdosProtectionPlanId)) { - scope: managementGroup(varManagementGroupIDs.landingZones) - name: varModuleDeploymentNames.modPolicyAssignmentLZsEnableDDoSVNET +module modPolicyAssignmentLzsEnableDdosVnet '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!empty(parDdosProtectionPlanId)) { + scope: managementGroup(varManagementGroupIds.landingZones) + name: varModuleDeploymentNames.modPolicyAssignmentLzsEnableDdosVnet params: { - parPolicyAssignmentDefinitionID: varPolicyAssignmentEnableDDoSVNET.definitionID - parPolicyAssignmentName: varPolicyAssignmentEnableDDoSVNET.libDefinition.name - parPolicyAssignmentDisplayName: varPolicyAssignmentEnableDDoSVNET.libDefinition.properties.displayName - parPolicyAssignmentDescription: varPolicyAssignmentEnableDDoSVNET.libDefinition.properties.description - parPolicyAssignmentParameters: varPolicyAssignmentEnableDDoSVNET.libDefinition.properties.parameters + parPolicyAssignmentDefinitionId: varPolicyAssignmentEnableDdosVnet.definitionId + parPolicyAssignmentName: varPolicyAssignmentEnableDdosVnet.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentEnableDdosVnet.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentEnableDdosVnet.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentEnableDdosVnet.libDefinition.properties.parameters parPolicyAssignmentParameterOverrides: { ddosPlan: { value: parDdosProtectionPlanId } } - 
parPolicyAssignmentIdentityType: varPolicyAssignmentEnableDDoSVNET.libDefinition.identity.type - parPolicyAssignmentEnforcementMode: varPolicyAssignmentEnableDDoSVNET.libDefinition.properties.enforcementMode - parPolicyAssignmentIdentityRoleDefinitionIDs: [ - varRBACRoleDefinitionIDs.networkContributor + parPolicyAssignmentIdentityType: varPolicyAssignmentEnableDdosVnet.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: varPolicyAssignmentEnableDdosVnet.libDefinition.properties.enforcementMode + parPolicyAssignmentIdentityRoleDefinitionIds: [ + varRbacRoleDefinitionIds.networkContributor ] parTelemetryOptOut: parTelemetryOptOut } } // Module - Policy Assignment - Deny-Storage-http -module modPolicyAssignmentLZsDenyStorageHttp '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { - scope: managementGroup(varManagementGroupIDs.landingZones) - name: varModuleDeploymentNames.modPolicyAssignmentLZsDenyStorageHttp +module modPolicyAssignmentLzsDenyStorageHttp '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { + scope: managementGroup(varManagementGroupIds.landingZones) + name: varModuleDeploymentNames.modPolicyAssignmentLzsDenyStorageHttp params: { - parPolicyAssignmentDefinitionID: varPolicyAssignmentDenyStoragehttp.definitionID - parPolicyAssignmentName: varPolicyAssignmentDenyStoragehttp.libDefinition.name - parPolicyAssignmentDisplayName: varPolicyAssignmentDenyStoragehttp.libDefinition.properties.displayName - parPolicyAssignmentDescription: varPolicyAssignmentDenyStoragehttp.libDefinition.properties.description - parPolicyAssignmentParameters: varPolicyAssignmentDenyStoragehttp.libDefinition.properties.parameters - parPolicyAssignmentIdentityType: varPolicyAssignmentDenyStoragehttp.libDefinition.identity.type - parPolicyAssignmentEnforcementMode: varPolicyAssignmentDenyStoragehttp.libDefinition.properties.enforcementMode + parPolicyAssignmentDefinitionId: varPolicyAssignmentDenyStorageHttp.definitionId + 
parPolicyAssignmentName: varPolicyAssignmentDenyStorageHttp.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentDenyStorageHttp.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentDenyStorageHttp.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentDenyStorageHttp.libDefinition.properties.parameters + parPolicyAssignmentIdentityType: varPolicyAssignmentDenyStorageHttp.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: varPolicyAssignmentDenyStorageHttp.libDefinition.properties.enforcementMode parTelemetryOptOut: parTelemetryOptOut } } // Module - Policy Assignment - Deploy-AKS-Policy -module modPolicyAssignmentLZsDeployAKSPolicy '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { - scope: managementGroup(varManagementGroupIDs.landingZones) - name: varModuleDeploymentNames.modPolicyAssignmentLZsDeployAKSPolicy +module modPolicyAssignmentLzsDeployAksPolicy '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { + scope: managementGroup(varManagementGroupIds.landingZones) + name: varModuleDeploymentNames.modPolicyAssignmentLzsDeployAksPolicy params: { - parPolicyAssignmentDefinitionID: varPolicyAssignmentDeployAKSPolicy.definitionID - parPolicyAssignmentName: varPolicyAssignmentDeployAKSPolicy.libDefinition.name - parPolicyAssignmentDisplayName: varPolicyAssignmentDeployAKSPolicy.libDefinition.properties.displayName - parPolicyAssignmentDescription: varPolicyAssignmentDeployAKSPolicy.libDefinition.properties.description - parPolicyAssignmentParameters: varPolicyAssignmentDeployAKSPolicy.libDefinition.properties.parameters - parPolicyAssignmentIdentityType: varPolicyAssignmentDeployAKSPolicy.libDefinition.identity.type - parPolicyAssignmentEnforcementMode: varPolicyAssignmentDeployAKSPolicy.libDefinition.properties.enforcementMode - parPolicyAssignmentIdentityRoleDefinitionIDs: [ - varRBACRoleDefinitionIDs.aksContributor + 
parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployAksPolicy.definitionId + parPolicyAssignmentName: varPolicyAssignmentDeployAksPolicy.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentDeployAksPolicy.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentDeployAksPolicy.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentDeployAksPolicy.libDefinition.properties.parameters + parPolicyAssignmentIdentityType: varPolicyAssignmentDeployAksPolicy.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: varPolicyAssignmentDeployAksPolicy.libDefinition.properties.enforcementMode + parPolicyAssignmentIdentityRoleDefinitionIds: [ + varRbacRoleDefinitionIds.aksContributor ] parTelemetryOptOut: parTelemetryOptOut } } // Module - Policy Assignment - Deny-Priv-Escalation-AKS -module modPolicyAssignmentLZsDenyPrivEscalationAKS '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { - scope: managementGroup(varManagementGroupIDs.landingZones) - name: varModuleDeploymentNames.modPolicyAssignmentLZsDenyPrivEscalationAKS +module modPolicyAssignmentLzsDenyPrivEscalationAks '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { + scope: managementGroup(varManagementGroupIds.landingZones) + name: varModuleDeploymentNames.modPolicyAssignmentLzsDenyPrivEscalationAks params: { - parPolicyAssignmentDefinitionID: varPolicyAssignmentDenyPrivEscalationAKS.definitionID - parPolicyAssignmentName: varPolicyAssignmentDenyPrivEscalationAKS.libDefinition.name - parPolicyAssignmentDisplayName: varPolicyAssignmentDenyPrivEscalationAKS.libDefinition.properties.displayName - parPolicyAssignmentDescription: varPolicyAssignmentDenyPrivEscalationAKS.libDefinition.properties.description - parPolicyAssignmentParameters: varPolicyAssignmentDenyPrivEscalationAKS.libDefinition.properties.parameters - parPolicyAssignmentIdentityType: 
varPolicyAssignmentDenyPrivEscalationAKS.libDefinition.identity.type - parPolicyAssignmentEnforcementMode: varPolicyAssignmentDenyPrivEscalationAKS.libDefinition.properties.enforcementMode + parPolicyAssignmentDefinitionId: varPolicyAssignmentDenyPrivEscalationAks.definitionId + parPolicyAssignmentName: varPolicyAssignmentDenyPrivEscalationAks.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentDenyPrivEscalationAks.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentDenyPrivEscalationAks.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentDenyPrivEscalationAks.libDefinition.properties.parameters + parPolicyAssignmentIdentityType: varPolicyAssignmentDenyPrivEscalationAks.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: varPolicyAssignmentDenyPrivEscalationAks.libDefinition.properties.enforcementMode parTelemetryOptOut: parTelemetryOptOut } } // Module - Policy Assignment - Deny-Priv-Containers-AKS -module modPolicyAssignmentLZsDenyPrivContainersAKS '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { - scope: managementGroup(varManagementGroupIDs.landingZones) - name: varModuleDeploymentNames.modPolicyAssignmentLZsDenyPrivContainersAKS +module modPolicyAssignmentLzsDenyPrivContainersAks '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { + scope: managementGroup(varManagementGroupIds.landingZones) + name: varModuleDeploymentNames.modPolicyAssignmentLzsDenyPrivContainersAks params: { - parPolicyAssignmentDefinitionID: varPolicyAssignmentDenyPrivContainersAKS.definitionID - parPolicyAssignmentName: varPolicyAssignmentDenyPrivContainersAKS.libDefinition.name - parPolicyAssignmentDisplayName: varPolicyAssignmentDenyPrivContainersAKS.libDefinition.properties.displayName - parPolicyAssignmentDescription: varPolicyAssignmentDenyPrivContainersAKS.libDefinition.properties.description - parPolicyAssignmentParameters: 
varPolicyAssignmentDenyPrivContainersAKS.libDefinition.properties.parameters - parPolicyAssignmentIdentityType: varPolicyAssignmentDenyPrivContainersAKS.libDefinition.identity.type - parPolicyAssignmentEnforcementMode: varPolicyAssignmentDenyPrivContainersAKS.libDefinition.properties.enforcementMode + parPolicyAssignmentDefinitionId: varPolicyAssignmentDenyPrivContainersAks.definitionId + parPolicyAssignmentName: varPolicyAssignmentDenyPrivContainersAks.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentDenyPrivContainersAks.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentDenyPrivContainersAks.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentDenyPrivContainersAks.libDefinition.properties.parameters + parPolicyAssignmentIdentityType: varPolicyAssignmentDenyPrivContainersAks.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: varPolicyAssignmentDenyPrivContainersAks.libDefinition.properties.enforcementMode parTelemetryOptOut: parTelemetryOptOut } } // Module - Policy Assignment - Enforce-AKS-HTTPS -module modPolicyAssignmentLZsEnforceAKSHTTPS '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { - scope: managementGroup(varManagementGroupIDs.landingZones) - name: varModuleDeploymentNames.modPolicyAssignmentLZsEnforceAKSHTTPS +module modPolicyAssignmentLzsEnforceAksHttps '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { + scope: managementGroup(varManagementGroupIds.landingZones) + name: varModuleDeploymentNames.modPolicyAssignmentLzsEnforceAksHttps params: { - parPolicyAssignmentDefinitionID: varPolicyAssignmentEnforceAKSHTTPS.definitionID - parPolicyAssignmentName: varPolicyAssignmentEnforceAKSHTTPS.libDefinition.name - parPolicyAssignmentDisplayName: varPolicyAssignmentEnforceAKSHTTPS.libDefinition.properties.displayName - parPolicyAssignmentDescription: 
varPolicyAssignmentEnforceAKSHTTPS.libDefinition.properties.description - parPolicyAssignmentParameters: varPolicyAssignmentEnforceAKSHTTPS.libDefinition.properties.parameters - parPolicyAssignmentIdentityType: varPolicyAssignmentEnforceAKSHTTPS.libDefinition.identity.type - parPolicyAssignmentEnforcementMode: varPolicyAssignmentEnforceAKSHTTPS.libDefinition.properties.enforcementMode + parPolicyAssignmentDefinitionId: varPolicyAssignmentEnforceAksHttps.definitionId + parPolicyAssignmentName: varPolicyAssignmentEnforceAksHttps.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentEnforceAksHttps.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentEnforceAksHttps.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentEnforceAksHttps.libDefinition.properties.parameters + parPolicyAssignmentIdentityType: varPolicyAssignmentEnforceAksHttps.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: varPolicyAssignmentEnforceAksHttps.libDefinition.properties.enforcementMode parTelemetryOptOut: parTelemetryOptOut } } // Module - Policy Assignment - Enforce-TLS-SSL -module modPolicyAssignmentLZsEnforceTLSSSL '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { - scope: managementGroup(varManagementGroupIDs.landingZones) - name: varModuleDeploymentNames.modPolicyAssignmentLZsEnforceTLSSSL +module modPolicyAssignmentLzsEnforceTlsSsl '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { + scope: managementGroup(varManagementGroupIds.landingZones) + name: varModuleDeploymentNames.modPolicyAssignmentLzsEnforceTlsSsl params: { - parPolicyAssignmentDefinitionID: varPolicyAssignmentEnforceTLSSSL.definitionID - parPolicyAssignmentName: varPolicyAssignmentEnforceTLSSSL.libDefinition.name - parPolicyAssignmentDisplayName: varPolicyAssignmentEnforceTLSSSL.libDefinition.properties.displayName - parPolicyAssignmentDescription: 
varPolicyAssignmentEnforceTLSSSL.libDefinition.properties.description - parPolicyAssignmentParameters: varPolicyAssignmentEnforceTLSSSL.libDefinition.properties.parameters - parPolicyAssignmentIdentityType: varPolicyAssignmentEnforceTLSSSL.libDefinition.identity.type - parPolicyAssignmentEnforcementMode: varPolicyAssignmentEnforceTLSSSL.libDefinition.properties.enforcementMode + parPolicyAssignmentDefinitionId: varPolicyAssignmentEnforceTlsSsl.definitionId + parPolicyAssignmentName: varPolicyAssignmentEnforceTlsSsl.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentEnforceTlsSsl.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentEnforceTlsSsl.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentEnforceTlsSsl.libDefinition.properties.parameters + parPolicyAssignmentIdentityType: varPolicyAssignmentEnforceTlsSsl.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: varPolicyAssignmentEnforceTlsSsl.libDefinition.properties.enforcementMode parTelemetryOptOut: parTelemetryOptOut } } // Module - Policy Assignment - Deploy-SQL-DB-Auditing -module modPolicyAssignmentLZsDeploySQLDBAuditing '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { - scope: managementGroup(varManagementGroupIDs.landingZones) - name: varModuleDeploymentNames.modPolicyAssignmentLZsDeploySQLDBAuditing +module modPolicyAssignmentLzsDeploySqlDbAuditing '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { + scope: managementGroup(varManagementGroupIds.landingZones) + name: varModuleDeploymentNames.modPolicyAssignmentLzsDeploySqlDbAuditing params: { - parPolicyAssignmentDefinitionID: varPolicyAssignmentDeploySQLDBAuditing.definitionID - parPolicyAssignmentName: varPolicyAssignmentDeploySQLDBAuditing.libDefinition.name - parPolicyAssignmentDisplayName: varPolicyAssignmentDeploySQLDBAuditing.libDefinition.properties.displayName - parPolicyAssignmentDescription: 
varPolicyAssignmentDeploySQLDBAuditing.libDefinition.properties.description - parPolicyAssignmentParameters: varPolicyAssignmentDeploySQLDBAuditing.libDefinition.properties.parameters - parPolicyAssignmentIdentityType: varPolicyAssignmentDeploySQLDBAuditing.libDefinition.identity.type - parPolicyAssignmentEnforcementMode: varPolicyAssignmentDeploySQLDBAuditing.libDefinition.properties.enforcementMode - parPolicyAssignmentIdentityRoleDefinitionIDs: [ - varRBACRoleDefinitionIDs.owner + parPolicyAssignmentDefinitionId: varPolicyAssignmentDeploySqlDbAuditing.definitionId + parPolicyAssignmentName: varPolicyAssignmentDeploySqlDbAuditing.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentDeploySqlDbAuditing.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentDeploySqlDbAuditing.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentDeploySqlDbAuditing.libDefinition.properties.parameters + parPolicyAssignmentIdentityType: varPolicyAssignmentDeploySqlDbAuditing.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: varPolicyAssignmentDeploySqlDbAuditing.libDefinition.properties.enforcementMode + parPolicyAssignmentIdentityRoleDefinitionIds: [ + varRbacRoleDefinitionIds.owner ] parTelemetryOptOut: parTelemetryOptOut } } // Module - Policy Assignment - Deploy-SQL-Threat -module modPolicyAssignmentLZsDeploySQLThreat '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { - scope: managementGroup(varManagementGroupIDs.landingZones) - name: varModuleDeploymentNames.modPolicyAssignmentLZsDeploySQLThreat +module modPolicyAssignmentLzsDeploySqlThreat '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { + scope: managementGroup(varManagementGroupIds.landingZones) + name: varModuleDeploymentNames.modPolicyAssignmentLzsDeploySqlThreat params: { - parPolicyAssignmentDefinitionID: varPolicyAssignmentDeploySQLThreat.definitionID - 
parPolicyAssignmentName: varPolicyAssignmentDeploySQLThreat.libDefinition.name - parPolicyAssignmentDisplayName: varPolicyAssignmentDeploySQLThreat.libDefinition.properties.displayName - parPolicyAssignmentDescription: varPolicyAssignmentDeploySQLThreat.libDefinition.properties.description - parPolicyAssignmentParameters: varPolicyAssignmentDeploySQLThreat.libDefinition.properties.parameters - parPolicyAssignmentIdentityType: varPolicyAssignmentDeploySQLThreat.libDefinition.identity.type - parPolicyAssignmentEnforcementMode: varPolicyAssignmentDeploySQLThreat.libDefinition.properties.enforcementMode - parPolicyAssignmentIdentityRoleDefinitionIDs: [ - varRBACRoleDefinitionIDs.owner + parPolicyAssignmentDefinitionId: varPolicyAssignmentDeploySqlThreat.definitionId + parPolicyAssignmentName: varPolicyAssignmentDeploySqlThreat.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentDeploySqlThreat.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentDeploySqlThreat.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentDeploySqlThreat.libDefinition.properties.parameters + parPolicyAssignmentIdentityType: varPolicyAssignmentDeploySqlThreat.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: varPolicyAssignmentDeploySqlThreat.libDefinition.properties.enforcementMode + parPolicyAssignmentIdentityRoleDefinitionIds: [ + varRbacRoleDefinitionIds.owner ] parTelemetryOptOut: parTelemetryOptOut } 
@@ -747,11 +747,11 @@ module modPolicyAssignmentLZsDeploySQLThreat '../../../policy/assignments/policy // Modules - Policy Assignments - Corp Management Group // Module - Policy Assignment - Deny-Public-Endpoints -module modPolicyAssignmentLZsDenyPublicEndpoints '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { - scope: managementGroup(varManagementGroupIDs.landingZonesCorp) - name: varModuleDeploymentNames.modPolicyAssignmentLZsDenyPublicEndpoints +module modPolicyAssignmentLzsDenyPublicEndpoints '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { + scope: managementGroup(varManagementGroupIds.landingZonesCorp) + name: varModuleDeploymentNames.modPolicyAssignmentLzsDenyPublicEndpoints params: { - parPolicyAssignmentDefinitionID: varPolicyAssignmentDenyPublicEndpoints.definitionID + parPolicyAssignmentDefinitionId: varPolicyAssignmentDenyPublicEndpoints.definitionId parPolicyAssignmentName: varPolicyAssignmentDenyPublicEndpoints.libDefinition.name parPolicyAssignmentDisplayName: varPolicyAssignmentDenyPublicEndpoints.libDefinition.properties.displayName parPolicyAssignmentDescription: varPolicyAssignmentDenyPublicEndpoints.libDefinition.properties.description 
@@ -763,27 +763,27 @@ module modPolicyAssignmentLZsDenyPublicEndpoints '../../../policy/assignments/po } // Module - Policy Assignment - Deny-Public-IP -module modPolicyAssignmentLZsDenyPublicIP '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { - scope: managementGroup(varManagementGroupIDs.landingZonesCorp) - name: varModuleDeploymentNames.modPolicyAssignmentLZsDenyPublicIP +module modPolicyAssignmentLzsDenyPublicIp '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { + scope: managementGroup(varManagementGroupIds.landingZonesCorp) + name: varModuleDeploymentNames.modPolicyAssignmentLzsDenyPublicIp params: { - parPolicyAssignmentDefinitionID: varPolicyAssignmentDenyPublicIP.definitionID - parPolicyAssignmentName: varPolicyAssignmentDenyPublicIP.libDefinition.name - parPolicyAssignmentDisplayName: varPolicyAssignmentDenyPublicIP.libDefinition.properties.displayName - parPolicyAssignmentDescription: varPolicyAssignmentDenyPublicIP.libDefinition.properties.description - parPolicyAssignmentParameters: varPolicyAssignmentDenyPublicIP.libDefinition.properties.parameters - parPolicyAssignmentIdentityType: varPolicyAssignmentDenyPublicIP.libDefinition.identity.type - parPolicyAssignmentEnforcementMode: varPolicyAssignmentDenyPublicIP.libDefinition.properties.enforcementMode + parPolicyAssignmentDefinitionId: varPolicyAssignmentDenyPublicIp.definitionId + parPolicyAssignmentName: varPolicyAssignmentDenyPublicIp.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentDenyPublicIp.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentDenyPublicIp.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentDenyPublicIp.libDefinition.properties.parameters + parPolicyAssignmentIdentityType: varPolicyAssignmentDenyPublicIp.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: varPolicyAssignmentDenyPublicIp.libDefinition.properties.enforcementMode 
parTelemetryOptOut: parTelemetryOptOut } } // Module - Policy Assignment - Deny-DataB-Pip -module modPolicyAssignmentLZsDenyDataBPip '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { - scope: managementGroup(varManagementGroupIDs.landingZonesCorp) - name: varModuleDeploymentNames.modPolicyAssignmentLZsDenyDataBPip +module modPolicyAssignmentLzsDenyDataBPip '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { + scope: managementGroup(varManagementGroupIds.landingZonesCorp) + name: varModuleDeploymentNames.modPolicyAssignmentLzsDenyDataBPip params: { - parPolicyAssignmentDefinitionID: varPolicyAssignmentDenyDataBPip.definitionID + parPolicyAssignmentDefinitionId: varPolicyAssignmentDenyDataBPip.definitionId parPolicyAssignmentName: varPolicyAssignmentDenyDataBPip.libDefinition.name parPolicyAssignmentDisplayName: varPolicyAssignmentDenyDataBPip.libDefinition.properties.displayName parPolicyAssignmentDescription: varPolicyAssignmentDenyDataBPip.libDefinition.properties.description 
@@ -795,11 +795,11 @@ module modPolicyAssignmentLZsDenyDataBPip '../../../policy/assignments/policyAss } // Module - Policy Assignment - Deny-DataB-Sku -module modPolicyAssignmentLZsDenyDataBSku '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { - scope: managementGroup(varManagementGroupIDs.landingZonesCorp) - name: varModuleDeploymentNames.modPolicyAssignmentLZsDenyDataBSku +module modPolicyAssignmentLzsDenyDataBSku '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { + scope: managementGroup(varManagementGroupIds.landingZonesCorp) + name: varModuleDeploymentNames.modPolicyAssignmentLzsDenyDataBSku params: { - parPolicyAssignmentDefinitionID: varPolicyAssignmentDenyDataBSku.definitionID + parPolicyAssignmentDefinitionId: varPolicyAssignmentDenyDataBSku.definitionId parPolicyAssignmentName: varPolicyAssignmentDenyDataBSku.libDefinition.name parPolicyAssignmentDisplayName: varPolicyAssignmentDenyDataBSku.libDefinition.properties.displayName parPolicyAssignmentDescription: varPolicyAssignmentDenyDataBSku.libDefinition.properties.description 
@@ -811,11 +811,11 @@ module modPolicyAssignmentLZsDenyDataBSku '../../../policy/assignments/policyAss } // Module - Policy Assignment - Deny-DataB-Vnet -module modPolicyAssignmentLZsDenyDataBVnet '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { - scope: managementGroup(varManagementGroupIDs.landingZonesCorp) - name: varModuleDeploymentNames.modPolicyAssignmentLZsDenyDataBVnet +module modPolicyAssignmentLzsDenyDataBVnet '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { + scope: managementGroup(varManagementGroupIds.landingZonesCorp) + name: varModuleDeploymentNames.modPolicyAssignmentLzsDenyDataBVnet params: { - parPolicyAssignmentDefinitionID: varPolicyAssignmentDenyDataBVnet.definitionID + parPolicyAssignmentDefinitionId: varPolicyAssignmentDenyDataBVnet.definitionId parPolicyAssignmentName: varPolicyAssignmentDenyDataBVnet.libDefinition.name parPolicyAssignmentDisplayName: varPolicyAssignmentDenyDataBVnet.libDefinition.properties.displayName parPolicyAssignmentDescription: varPolicyAssignmentDenyDataBVnet.libDefinition.properties.description diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.parameters.example.json b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.all.json similarity index 91% rename from infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.parameters.example.json rename to infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.all.json index 1c2b936d4..38449d2d7 100644 --- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.parameters.example.json +++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.all.json 
@@ -8,7 +8,7 @@ "parLogAnalyticsWorkSpaceAndAutomationAccountLocation": { "value": "eastus" }, - "parLogAnalyticsWorkspaceResourceID": { + "parLogAnalyticsWorkspaceResourceId": { "value": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/alz-logging/providers/Microsoft.OperationalInsights/workspaces/alz-log-analytics" }, "parLogAnalyticsWorkspaceLogRetentionInDays": { @@ -17,7 +17,7 @@ "parAutomationAccountName": { "value": "alz-automation-account" }, - "parMSDFCEmailSecurityContact": { + "parMsDefenderForCloudEmailSecurityContact": { "value": "security_contact@replace_me.com" }, "parDdosProtectionPlanId": { diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.min.json b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.min.json new file mode 100644 index 000000000..38449d2d7 --- /dev/null +++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.min.json 
@@ -0,0 +1,30 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "parTopLevelManagementGroupPrefix": {
+ "value": "alz"
+ },
+ "parLogAnalyticsWorkSpaceAndAutomationAccountLocation": {
+ "value": "eastus"
+ },
+ "parLogAnalyticsWorkspaceResourceId": {
+ "value": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/alz-logging/providers/Microsoft.OperationalInsights/workspaces/alz-log-analytics"
+ },
+ "parLogAnalyticsWorkspaceLogRetentionInDays": {
+ "value": "365"
+ },
+ "parAutomationAccountName": {
+ "value": "alz-automation-account"
+ },
+ "parMsDefenderForCloudEmailSecurityContact": {
+ "value": "security_contact@replace_me.com"
+ },
+ "parDdosProtectionPlanId": {
+ "value": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/Hub_Networking_POC/providers/Microsoft.Network/ddosProtectionPlans/alz-ddos-plan"
+ },
+ "parTelemetryOptOut": {
+ "value": false
+ }
+ }
+}
\ No newline at end of file
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/README.md b/infra-as-code/bicep/modules/policy/assignments/lib/README.md
index e2d1dbf26..ccaf90f48 100644
--- a/infra-as-code/bicep/modules/policy/assignments/lib/README.md
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/README.md
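Review bot: The new `alzDefaultPolicyAssignments.parameters.min.json` carries the same blob id (`38449d2d7`) as the renamed `alzDefaultPolicyAssignments.parameters.all.json`, so the "min" file is a byte-for-byte copy rather than a reduced parameter set. If a minimal file is intended, it should keep only the parameters that have no default in the Bicep module; which ones those are is not visible in this diff. Both files also ship placeholder values (`security_contact@replace_me.com` and the all-`x` subscription ids), and deploying them unedited would presumably route Defender for Cloud notifications to a mailbox nobody reads. A pre-deployment check that rejects values containing `replace_me` or `xxxxxxxx-` would catch that. The file also ends without a trailing newline.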
@@ -8,7 +8,7 @@ This directory contains the default policy assignments we make as part of the Az For example: ```bicep -var varPolicyAssignmentDenyPublicIP = json(loadTextContent('infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_public_ip.tmpl.json')) +var varPolicyAssignmentDenyPublicIp = json(loadTextContent('infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_public_ip.tmpl.json')) ``` Or you can use the export available in `_policyAssignmentsBicepInput.txt` to copy and paste into a variable to then use to assign policies but manage their properties from the JSON files, like below: @@ -17,13 +17,13 @@ Or you can use the export available in `_policyAssignmentsBicepInput.txt` to cop targetScope = 'tenant' @description('The management group scope to which the policy assignments are to be created at. DEFAULT VALUE = "alz"') -param parTargetManagementGroupID string = 'alz' +param parTargetManagementGroupId string = 'alz' -var varTargetManagementGroupResourceID = tenantResourceId('Microsoft.Management/managementGroups', parTargetManagementGroupID) +var varTargetManagementGroupResourceId = tenantResourceId('Microsoft.Management/managementGroups', parTargetManagementGroupId) -var varPolicyAssignmentDenyPublicIP = { +var varPolicyAssignmentDenyPublicIp = { name: 'Deny-Public-IP' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicIP' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicIP' libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_public_ip.tmpl.json')) } 
@@ -31,10 +31,10 @@ module modPolicyAssignmentDenyPublicIP '../../policyAssignments/policyAssignment name: 'PolicyAssignmentDenyPublicIP' scope: managementGroup('alz') params: { - parPolicyAssignmentDefinitionID: varPolicyAssignmentDenyPublicIP.definitionID - parPolicyAssignmentDescription: varPolicyAssignmentDenyPublicIP.libDefinition.properties.description - parPolicyAssignmentDisplayName: varPolicyAssignmentDenyPublicIP.libDefinition.properties.displayName - parPolicyAssignmentName: varPolicyAssignmentDenyPublicIP.libDefinition.name + parPolicyAssignmentDefinitionId: varPolicyAssignmentDenyPublicIp.definitionId + parPolicyAssignmentDescription: varPolicyAssignmentDenyPublicIp.libDefinition.properties.description + parPolicyAssignmentDisplayName: varPolicyAssignmentDenyPublicIp.libDefinition.properties.displayName + parPolicyAssignmentName: varPolicyAssignmentDenyPublicIp.libDefinition.name } } ``` diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/_policyAssignmentsBicepInput.txt b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/_policyAssignmentsBicepInput.txt index 9aa83b81e..675682648 100644 --- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/_policyAssignmentsBicepInput.txt +++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/_policyAssignmentsBicepInput.txt 
@@ -1,170 +1,170 @@ var varPolicyAssignmentDenyAppGWWithoutWAF = { - definitionID: '${modManagementGroups.outputs.outTopLevelMGId}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppGW-Without-WAF' + definitionId: '${modManagementGroups.outputs.outTopLevelManagementGroupId}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppGW-Without-WAF' libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_appgw_without_waf.tmpl.json')) } - + var varPolicyAssignmentDenyDataBPip = { - definitionID: '${modManagementGroups.outputs.outTopLevelMGId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Databricks-NoPublicIp' + definitionId: '${modManagementGroups.outputs.outTopLevelManagementGroupId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Databricks-NoPublicIp' libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_databricks_public_ip.tmpl.json')) } - + var varPolicyAssignmentDenyDataBSku = { - definitionID: '${modManagementGroups.outputs.outTopLevelMGId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Databricks-Sku' + definitionId: '${modManagementGroups.outputs.outTopLevelManagementGroupId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Databricks-Sku' libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_databricks_sku.tmpl.json')) } - + var varPolicyAssignmentDenyDataBVnet = { - definitionID: '${modManagementGroups.outputs.outTopLevelMGId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Databricks-VirtualNetwork' + definitionId: '${modManagementGroups.outputs.outTopLevelManagementGroupId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Databricks-VirtualNetwork' libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_databricks_vnet.tmpl.json')) } - + var 
varPolicyAssignmentEnforceAKSHTTPS = { - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d' libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_http_ingress_aks.tmpl.json')) } - + var varPolicyAssignmentDenyIPForwarding = { - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900' libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_ip_forwarding.tmpl.json')) } - + var varPolicyAssignmentDenyPrivContainersAKS = { - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4' libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_priv_containers_aks.tmpl.json')) } - + var varPolicyAssignmentDenyPrivEscalationAKS = { - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99' libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_priv_escalation_aks.tmpl.json')) } - + var varPolicyAssignmentDenyPublicEndpoints = { - definitionID: '${modManagementGroups.outputs.outTopLevelMGId}/providers/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints' + definitionId: '${modManagementGroups.outputs.outTopLevelManagementGroupId}/providers/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints' 
libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_public_endpoints.tmpl.json')) } - + var varPolicyAssignmentDenyPublicIP = { - definitionID: '${modManagementGroups.outputs.outTopLevelMGId}/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicIP' + definitionId: '${modManagementGroups.outputs.outTopLevelManagementGroupId}/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicIP' libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_public_ip.tmpl.json')) } - + var varPolicyAssignmentDenyRDPFromInternet = { - definitionID: '${modManagementGroups.outputs.outTopLevelMGId}/providers/Microsoft.Authorization/policyDefinitions/Deny-RDP-From-Internet' + definitionId: '${modManagementGroups.outputs.outTopLevelManagementGroupId}/providers/Microsoft.Authorization/policyDefinitions/Deny-RDP-From-Internet' libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_rdp_from_internet.tmpl.json')) } - + var varPolicyAssignmentDenyResourceLocations = { - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c' libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_resource_locations.tmpl.json')) } - + var varPolicyAssignmentDenyResourceTypes = { - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749' libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_resource_types.tmpl.json')) } - + var varPolicyAssignmentDenyRSGLocations = { - definitionID: 
'/providers/Microsoft.Authorization/policyDefinitions/e765b5de-1225-4ba3-bd56-1ac6695af988' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/e765b5de-1225-4ba3-bd56-1ac6695af988' libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_rsg_locations.tmpl.json')) } - + var varPolicyAssignmentDenyStoragehttp = { - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9' libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_storage_http.tmpl.json')) } - + var varPolicyAssignmentDenySubnetWithoutNsg = { - definitionID: '${modManagementGroups.outputs.outTopLevelMGId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg' + definitionId: '${modManagementGroups.outputs.outTopLevelManagementGroupId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg' libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_subnet_without_nsg.tmpl.json')) } - + var varPolicyAssignmentDenySubnetWithoutUdr = { - definitionID: '${modManagementGroups.outputs.outTopLevelMGId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Udr' + definitionId: '${modManagementGroups.outputs.outTopLevelManagementGroupId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Udr' libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_subnet_without_udr.tmpl.json')) } - + var varPolicyAssignmentDeployAKSPolicy = { - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7' 
libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_aks_policy.tmpl.json')) } - + var varPolicyAssignmentDeployASCMonitoring = { - definitionID: '/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8' + definitionId: '/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8' libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_asc_monitoring.tmpl.json')) } - + var varPolicyAssignmentDeployAzActivityLog = { - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/2465583e-4e78-4c15-b6be-a36cbc7c8b0f' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/2465583e-4e78-4c15-b6be-a36cbc7c8b0f' libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_azactivity_log.tmpl.json')) } - + var varPolicyAssignmentDeployLogAnalytics = { - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/8e3e61b3-0b32-22d5-4edf-55f87fdb5955' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/8e3e61b3-0b32-22d5-4edf-55f87fdb5955' libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_log_analytics.tmpl.json')) } - + var varPolicyAssignmentDeployLXArcMonitoring = { - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/9d2b61b4-1d14-4a63-be30-d4498e7ad2cf' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/9d2b61b4-1d14-4a63-be30-d4498e7ad2cf' libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_lx_arc_monitoring.tmpl.json')) } - + var varPolicyAssignmentDeployMDFCConfig = { - definitionID: '${modManagementGroups.outputs.outTopLevelMGId}/providers/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config' + definitionId: 
'${modManagementGroups.outputs.outTopLevelManagementGroupId}/providers/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config' libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_mdfc_config.tmpl.json')) } - + var varPolicyAssignmentDeployPrivateDNSZones = { - definitionID: '${modManagementGroups.outputs.outTopLevelMGId}/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones' + definitionId: '${modManagementGroups.outputs.outTopLevelManagementGroupId}/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones' libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_private_dns_zones.tmpl.json')) } - + var varPolicyAssignmentDeployResourceDiag = { - definitionID: '${modManagementGroups.outputs.outTopLevelMGId}/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Diagnostics-LogAnalytics' + definitionId: '${modManagementGroups.outputs.outTopLevelManagementGroupId}/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Diagnostics-LogAnalytics' libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_resource_diag.tmpl.json')) } - + var varPolicyAssignmentDeploySQLDBAuditing = { - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9' libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_sql_db_auditing.tmpl.json')) } - + var varPolicyAssignmentDeploySQLSecurity = { - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f' libDefinition: 
json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_sql_security.tmpl.json')) } - + var varPolicyAssignmentDeploySQLThreat = { - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/36d49e87-48c4-4f2e-beed-ba4ed02b71f5' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/36d49e87-48c4-4f2e-beed-ba4ed02b71f5' libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_sql_threat.tmpl.json')) } - + var varPolicyAssignmentDeployVMBackup = { - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86' libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_backup.tmpl.json')) } - + var varPolicyAssignmentDeployVMMonitoring = { - definitionID: '/providers/Microsoft.Authorization/policySetDefinitions/55f3eceb-5573-4f18-9695-226972c6d74a' + definitionId: '/providers/Microsoft.Authorization/policySetDefinitions/55f3eceb-5573-4f18-9695-226972c6d74a' libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_monitoring.tmpl.json')) } - + var varPolicyAssignmentDeployVMSSMonitoring = { - definitionID: '/providers/Microsoft.Authorization/policySetDefinitions/75714362-cae7-409e-9b99-a8e5075b7fad' + definitionId: '/providers/Microsoft.Authorization/policySetDefinitions/75714362-cae7-409e-9b99-a8e5075b7fad' libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vmss_monitoring.tmpl.json')) } - + var varPolicyAssignmentDeployWSArcMonitoring = { - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/69af7d4a-7b18-4044-93a9-2651498ef203' + definitionId: 
'/providers/Microsoft.Authorization/policyDefinitions/69af7d4a-7b18-4044-93a9-2651498ef203' libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_ws_arc_monitoring.tmpl.json')) } - + var varPolicyAssignmentEnableDDoSVNET = { - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d' libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_enable_ddos_vnet.tmpl.json')) } - + var varPolicyAssignmentEnforceTLSSSL = { - definitionID: '${modManagementGroups.outputs.outTopLevelMGId}/providers/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit' + definitionId: '${modManagementGroups.outputs.outTopLevelManagementGroupId}/providers/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit' libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_tls_ssl.tmpl.json')) } - + diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_appgw_without_waf.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_appgw_without_waf.tmpl.json index 51d876afc..09a758de0 100644 --- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_appgw_without_waf.tmpl.json +++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_appgw_without_waf.tmpl.json 
@@ -11,7 +11,7 @@ "value": "deny" } }, - "policyDefinitionId": "${modManagementGroups.outputs.outTopLevelMGId}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppGW-Without-WAF", + "policyDefinitionId": "${modManagementGroups.outputs.outTopLevelManagementGroupId}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppGW-Without-WAF", "scope": null, "enforcementMode": "Default" }, diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_databricks_public_ip.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_databricks_public_ip.tmpl.json index b42572af9..7a52dd388 100644 --- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_databricks_public_ip.tmpl.json +++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_databricks_public_ip.tmpl.json @@ -11,7 +11,7 @@ "value": "Deny" } }, - "policyDefinitionId": "${modManagementGroups.outputs.outTopLevelMGId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Databricks-NoPublicIp", + "policyDefinitionId": "${modManagementGroups.outputs.outTopLevelManagementGroupId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Databricks-NoPublicIp", "scope": null, "enforcementMode": "Default" }, diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_databricks_sku.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_databricks_sku.tmpl.json index 3feb3fa11..37b27724a 100644 --- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_databricks_sku.tmpl.json +++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_databricks_sku.tmpl.json 
@@ -11,7 +11,7 @@ "value": "Deny" } }, - "policyDefinitionId": "${modManagementGroups.outputs.outTopLevelMGId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Databricks-Sku", + "policyDefinitionId": "${modManagementGroups.outputs.outTopLevelManagementGroupId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Databricks-Sku", "scope": null, "enforcementMode": "Default" }, diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_databricks_vnet.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_databricks_vnet.tmpl.json index ea59de248..7a907de28 100644 --- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_databricks_vnet.tmpl.json +++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_databricks_vnet.tmpl.json @@ -11,7 +11,7 @@ "value": "Deny" } }, - "policyDefinitionId": "${modManagementGroups.outputs.outTopLevelMGId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Databricks-VirtualNetwork", + "policyDefinitionId": "${modManagementGroups.outputs.outTopLevelManagementGroupId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Databricks-VirtualNetwork", "scope": null, "enforcementMode": "Default" }, diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_public_endpoints.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_public_endpoints.tmpl.json index 54ff4c37d..f86f0b558 100644 --- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_public_endpoints.tmpl.json +++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_public_endpoints.tmpl.json 
@@ -7,7 +7,7 @@ "displayName": "Public network access should be disabled for PaaS services", "notScopes": [], "parameters": {}, - "policyDefinitionId": "${modManagementGroups.outputs.outTopLevelMGId}/providers/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints", + "policyDefinitionId": "${modManagementGroups.outputs.outTopLevelManagementGroupId}/providers/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints", "scope": null, "enforcementMode": "Default" }, diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_public_ip.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_public_ip.tmpl.json index d3cda6189..9b2188ff0 100644 --- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_public_ip.tmpl.json +++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_public_ip.tmpl.json @@ -11,7 +11,7 @@ "value": "Deny" } }, - "policyDefinitionId": "${modManagementGroups.outputs.outTopLevelMGId}/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicIP", + "policyDefinitionId": "${modManagementGroups.outputs.outTopLevelManagementGroupId}/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicIP", "scope": null, "enforcementMode": "Default" }, diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_rdp_from_internet.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_rdp_from_internet.tmpl.json index b3218f79d..c94836899 100644 --- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_rdp_from_internet.tmpl.json +++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_rdp_from_internet.tmpl.json 
@@ -11,7 +11,7 @@ "value": "Deny" } }, - "policyDefinitionId": "${modManagementGroups.outputs.outTopLevelMGId}/providers/Microsoft.Authorization/policyDefinitions/Deny-RDP-From-Internet", + "policyDefinitionId": "${modManagementGroups.outputs.outTopLevelManagementGroupId}/providers/Microsoft.Authorization/policyDefinitions/Deny-RDP-From-Internet", "scope": null, "enforcementMode": "Default" }, diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_subnet_without_nsg.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_subnet_without_nsg.tmpl.json index 1caa90b39..7e8e5a127 100644 --- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_subnet_without_nsg.tmpl.json +++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_subnet_without_nsg.tmpl.json @@ -11,7 +11,7 @@ "value": "Deny" } }, - "policyDefinitionId": "${modManagementGroups.outputs.outTopLevelMGId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg", + "policyDefinitionId": "${modManagementGroups.outputs.outTopLevelManagementGroupId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg", "scope": null, "enforcementMode": "Default" }, diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_subnet_without_udr.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_subnet_without_udr.tmpl.json index 609a19095..382e086ed 100644 --- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_subnet_without_udr.tmpl.json +++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_subnet_without_udr.tmpl.json 
@@ -11,7 +11,7 @@ "value": "Deny" } }, - "policyDefinitionId": "${modManagementGroups.outputs.outTopLevelMGId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Udr", + "policyDefinitionId": "${modManagementGroups.outputs.outTopLevelManagementGroupId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Udr", "scope": null, "enforcementMode": "Default" }, diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_mdfc_config.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_mdfc_config.tmpl.json index be6d7771c..9204537a6 100644 --- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_mdfc_config.tmpl.json +++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_mdfc_config.tmpl.json @@ -50,7 +50,7 @@ "value": "DeployIfNotExists" } }, - "policyDefinitionId": "${modManagementGroups.outputs.outTopLevelMGId}/providers/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config", + "policyDefinitionId": "${modManagementGroups.outputs.outTopLevelManagementGroupId}/providers/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config", "scope": null, "enforcementMode": "Default" }, diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_private_dns_zones.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_private_dns_zones.tmpl.json index f2ac12f7e..d36d791f9 100644 --- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_private_dns_zones.tmpl.json +++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_private_dns_zones.tmpl.json 
@@ -71,7 +71,7 @@ "value": "${private_dns_zone_prefix}privatelink.search.windows.net" } }, - "policyDefinitionId": "${modManagementGroups.outputs.outTopLevelMGId}/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones", + "policyDefinitionId": "${modManagementGroups.outputs.outTopLevelManagementGroupId}/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones", "scope": null, "enforcementMode": "Default" }, diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_resource_diag.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_resource_diag.tmpl.json index e441e2a55..d06e194fc 100644 --- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_resource_diag.tmpl.json +++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_resource_diag.tmpl.json @@ -11,7 +11,7 @@ "value": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/${parTopLevelManagementGroupPrefix}-mgmt/providers/Microsoft.OperationalInsights/workspaces/${parTopLevelManagementGroupPrefix}-la" } }, - "policyDefinitionId": "${modManagementGroups.outputs.outTopLevelMGId}/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Diagnostics-LogAnalytics", + "policyDefinitionId": "${modManagementGroups.outputs.outTopLevelManagementGroupId}/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Diagnostics-LogAnalytics", "scope": null, "enforcementMode": "Default" }, diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_tls_ssl.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_tls_ssl.tmpl.json index 2b91e3b63..f6d16678c 100644 
--- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_tls_ssl.tmpl.json +++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_tls_ssl.tmpl.json @@ -7,7 +7,7 @@ "displayName": "Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit", "notScopes": [], "parameters": {}, - "policyDefinitionId": "${modManagementGroups.outputs.outTopLevelMGId}/providers/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit", + "policyDefinitionId": "${modManagementGroups.outputs.outTopLevelManagementGroupId}/providers/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit", "scope": null, "enforcementMode": "Default" }, diff --git a/infra-as-code/bicep/modules/policy/assignments/mc-policyAssignmentManagementGroup.parameters.example-dine.json b/infra-as-code/bicep/modules/policy/assignments/parameters/mc-policyAssignmentManagementGroup.dine.parameters.all.json similarity index 86% rename from infra-as-code/bicep/modules/policy/assignments/mc-policyAssignmentManagementGroup.parameters.example-dine.json rename to infra-as-code/bicep/modules/policy/assignments/parameters/mc-policyAssignmentManagementGroup.dine.parameters.all.json index c09179d78..dbd0dcd68 100644 --- a/infra-as-code/bicep/modules/policy/assignments/mc-policyAssignmentManagementGroup.parameters.example-dine.json +++ b/infra-as-code/bicep/modules/policy/assignments/parameters/mc-policyAssignmentManagementGroup.dine.parameters.all.json @@ -11,7 +11,7 @@ "parPolicyAssignmentDescription": { "value": "Deploy Microsoft Defender for Cloud and Security Contacts" }, - "parPolicyAssignmentDefinitionID": { + "parPolicyAssignmentDefinitionId": { "value": "/providers/Microsoft.Management/managementGroups/alz/providers/Microsoft.Authorization/policySetDefinitions/Deploy-ASCDF-Config" }, "parPolicyAssignmentParameters": { 
@@ -36,6 +36,9 @@ } } }, + "parPolicyAssignmentParameterOverrides": { + "value": {} + }, "parPolicyAssignmentNonComplianceMessages": { "value": [] }, @@ -48,7 +51,7 @@ "parPolicyAssignmentIdentityType": { "value": "SystemAssigned" }, - "parPolicyAssignmentIdentityRoleAssignmentsAdditionalMGs": { + "parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs": { "value": [ "alz-platform" ] @@ -56,10 +59,13 @@ "parPolicyAssignmentIdentityRoleAssignmentsSubs": { "value": [] }, - "parPolicyAssignmentIdentityRoleDefinitionIDs": { + "parPolicyAssignmentIdentityRoleDefinitionIds": { "value": [ "8e3af657-a8ff-443c-a75c-2fe8c4bcb635" ] + }, + "parTelemetryOptOut": { + "value": false } } } \ No newline at end of file diff --git a/infra-as-code/bicep/modules/policy/assignments/parameters/mc-policyAssignmentManagementGroup.dine.parameters.min.json b/infra-as-code/bicep/modules/policy/assignments/parameters/mc-policyAssignmentManagementGroup.dine.parameters.min.json new file mode 100644 index 000000000..9a4f27e29 --- /dev/null +++ b/infra-as-code/bicep/modules/policy/assignments/parameters/mc-policyAssignmentManagementGroup.dine.parameters.min.json 
@@ -0,0 +1,49 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "parPolicyAssignmentName": {
+ "value": "Deploy-ASCDF-Config"
+ },
+ "parPolicyAssignmentDisplayName": {
+ "value": "Deploy Microsoft Defender for Cloud configuration"
+ },
+ "parPolicyAssignmentDescription": {
+ "value": "Deploy Microsoft Defender for Cloud and Security Contacts"
+ },
+ "parPolicyAssignmentDefinitionId": {
+ "value": "/providers/Microsoft.Management/managementGroups/alz/providers/Microsoft.Authorization/policySetDefinitions/Deploy-ASCDF-Config"
+ },
+ "parPolicyAssignmentParameters": {
+ "value": {
+ "emailSecurityContact": {
+ "value": "security_contact@replace_me"
+ },
+ "logAnalytics": {
+ "value": "alz-log-analytics"
+ },
+ "ascExportResourceGroupName": {
+ "value": "alz-asc-export"
+ },
+ "ascExportResourceGroupLocation": {
+ "value": "${parDefaultRegion}"
+ },
+ "enableAscForServers": {
+ "value": "Disabled"
+ },
+ "enableAscForSql": {
+ "value": "Disabled"
+ }
+ }
+ },
+ "parPolicyAssignmentNonComplianceMessages": {
+ "value": []
+ },
+ "parPolicyAssignmentNotScopes": {
+ "value": []
+ },
+ "parTelemetryOptOut": {
+ "value": false
+ }
+ }
+}
\ No newline at end of file
diff --git a/infra-as-code/bicep/modules/policy/assignments/policyAssignmentManagementGroup.parameters.example-deny.json b/infra-as-code/bicep/modules/policy/assignments/parameters/policyAssignmentManagementGroup.deny.parameters.all.json
similarity index 89%
rename from infra-as-code/bicep/modules/policy/assignments/policyAssignmentManagementGroup.parameters.example-deny.json
rename to infra-as-code/bicep/modules/policy/assignments/parameters/policyAssignmentManagementGroup.deny.parameters.all.json
index a28624518..475e38c9e 100644
--- a/infra-as-code/bicep/modules/policy/assignments/policyAssignmentManagementGroup.parameters.example-deny.json
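Review bot: This minimal DINE example omits `parPolicyAssignmentIdentityType` and `parPolicyAssignmentIdentityRoleDefinitionIds`, which policyAssignmentManagementGroup.bicep in this same diff defaults to `'None'` and `[]`. Deployed as written, the `Deploy-ASCDF-Config` assignment would get no managed identity and no role assignment, so its deploy-if-not-exists effects presumably cannot remediate and the Defender for Cloud settings stay undeployed without any deployment error. For the DINE variants the minimum set should include `"parPolicyAssignmentIdentityType": { "value": "SystemAssigned" }` and the role definition list. The same applies to policyAssignmentManagementGroup.dine.parameters.min.json further down, and both files ship `security_contact@replace_me`, which should be called out in the README as a value that must be replaced before deployment.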
+++ b/infra-as-code/bicep/modules/policy/assignments/parameters/policyAssignmentManagementGroup.deny.parameters.all.json
@@ -11,7 +11,7 @@
 "parPolicyAssignmentDescription": {
 "value": "This policy denies creation of Public IPs under the assigned scope."
 },
- "parPolicyAssignmentDefinitionID": {
+ "parPolicyAssignmentDefinitionId": {
 "value": "/providers/Microsoft.Management/managementGroups/alz/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicIP"
 },
 "parPolicyAssignmentParameters": {
@@ -32,13 +32,13 @@
 "parPolicyAssignmentIdentityType": {
 "value": "None"
 },
- "parPolicyAssignmentIdentityRoleAssignmentsAdditionalMGs": {
+ "parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs": {
 "value": []
 },
 "parPolicyAssignmentIdentityRoleAssignmentsSubs": {
 "value": []
 },
- "parPolicyAssignmentIdentityRoleDefinitionIDs": {
+ "parPolicyAssignmentIdentityRoleDefinitionIds": {
 "value": []
 },
 "parTelemetryOptOut": {
diff --git a/infra-as-code/bicep/modules/policy/assignments/parameters/policyAssignmentManagementGroup.deny.parameters.min.json b/infra-as-code/bicep/modules/policy/assignments/parameters/policyAssignmentManagementGroup.deny.parameters.min.json
new file mode 100644
index 000000000..6025094e5
--- /dev/null
+++ b/infra-as-code/bicep/modules/policy/assignments/parameters/policyAssignmentManagementGroup.deny.parameters.min.json
@@ -0,0 +1,30 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "parPolicyAssignmentName": {
+ "value": "Deny-PublicIP"
+ },
+ "parPolicyAssignmentDisplayName": {
+ "value": "Deny the creation of public IP"
+ },
+ "parPolicyAssignmentDescription": {
+ "value": "This policy denies creation of Public IPs under the assigned scope."
+ },
+ "parPolicyAssignmentDefinitionId": {
+ "value": "/providers/Microsoft.Management/managementGroups/alz/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicIP"
+ },
+ "parPolicyAssignmentParameters": {
+ "value": {}
+ },
+ "parPolicyAssignmentNonComplianceMessages": {
+ "value": []
+ },
+ "parPolicyAssignmentNotScopes": {
+ "value": []
+ },
+ "parTelemetryOptOut": {
+ "value": false
+ }
+ }
+}
\ No newline at end of file
diff --git a/infra-as-code/bicep/modules/policy/assignments/policyAssignmentManagementGroup.parameters.example-dine.json b/infra-as-code/bicep/modules/policy/assignments/parameters/policyAssignmentManagementGroup.dine.parameters.all.json
similarity index 94%
rename from infra-as-code/bicep/modules/policy/assignments/policyAssignmentManagementGroup.parameters.example-dine.json
rename to infra-as-code/bicep/modules/policy/assignments/parameters/policyAssignmentManagementGroup.dine.parameters.all.json
index bbdb84285..f9e527474 100644
--- a/infra-as-code/bicep/modules/policy/assignments/policyAssignmentManagementGroup.parameters.example-dine.json
+++ b/infra-as-code/bicep/modules/policy/assignments/parameters/policyAssignmentManagementGroup.dine.parameters.all.json
@@ -11,7 +11,7 @@
 "parPolicyAssignmentDescription": {
 "value": "Deploy Microsoft Defender for Cloud configuration and Security Contacts"
 },
- "parPolicyAssignmentDefinitionID": {
+ "parPolicyAssignmentDefinitionId": {
 "value": "/providers/Microsoft.Management/managementGroups/alz/providers/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config"
 },
 "parPolicyAssignmentParameters": {
@@ -75,7 +75,7 @@
 "parPolicyAssignmentIdentityType": {
 "value": "SystemAssigned"
 },
- "parPolicyAssignmentIdentityRoleAssignmentsAdditionalMGs": {
+ "parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs": {
 "value": [
 "alz-platform"
 ]
@@ -83,7 +83,7 @@
 "parPolicyAssignmentIdentityRoleAssignmentsSubs": {
 "value": []
 },
- "parPolicyAssignmentIdentityRoleDefinitionIDs": {
+ "parPolicyAssignmentIdentityRoleDefinitionIds": {
 "value": [
 "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
 ]
diff --git a/infra-as-code/bicep/modules/policy/assignments/parameters/policyAssignmentManagementGroup.dine.parameters.min.json b/infra-as-code/bicep/modules/policy/assignments/parameters/policyAssignmentManagementGroup.dine.parameters.min.json
new file mode 100644
index 000000000..fc8572a5d
--- /dev/null
+++ b/infra-as-code/bicep/modules/policy/assignments/parameters/policyAssignmentManagementGroup.dine.parameters.min.json
@@ -0,0 +1,73 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "parPolicyAssignmentName": {
+ "value": "Deploy-MDFC-Config"
+ },
+ "parPolicyAssignmentDisplayName": {
+ "value": "Deploy Microsoft Defender for Cloud configuration"
+ },
+ "parPolicyAssignmentDescription": {
+ "value": "Deploy Microsoft Defender for Cloud configuration and Security Contacts"
+ },
+ "parPolicyAssignmentDefinitionId": {
+ "value": "/providers/Microsoft.Management/managementGroups/alz/providers/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config"
+ },
+ "parPolicyAssignmentParameters": {
+ "value": {
+ "emailSecurityContact": {
+ "value": "security_contact@replace_me"
+ },
+ "logAnalytics": {
+ "value": "alz-la"
+ },
+ "ascExportResourceGroupName": {
+ "value": "alz-asc-export"
+ },
+ "ascExportResourceGroupLocation": {
+ "value": "${parDefaultRegion}"
+ },
+ "enableAscForServers": {
+ "value": "DeployIfNotExists"
+ },
+ "enableAscForSql": {
+ "value": "Disabled"
+ },
+ "enableAscForAppServices": {
+ "value": "DeployIfNotExists"
+ },
+ "enableAscForStorage": {
+ "value": "DeployIfNotExists"
+ },
+ "enableAscForContainers": {
+ "value": "DeployIfNotExists"
+ },
+ "enableAscForKeyVault": {
+ "value": "DeployIfNotExists"
+ },
+ "enableAscForSqlOnVm": {
+ "value": "Disabled"
+ },
+ "enableAscForArm": {
+ "value": "DeployIfNotExists"
+ },
+ "enableAscForDns": {
+ "value": "DeployIfNotExists"
+ },
+ "enableAscForOssDb": {
+ "value": "Disabled"
+ }
+ }
+ },
+ "parPolicyAssignmentNonComplianceMessages": {
+ "value": []
+ },
+ "parPolicyAssignmentNotScopes": {
+ "value": []
+ },
+ "parTelemetryOptOut": {
+ "value": false
+ }
+ }
+}
\ No newline at end of file
diff --git a/infra-as-code/bicep/modules/policy/assignments/policyAssignmentManagementGroup.bicep b/infra-as-code/bicep/modules/policy/assignments/policyAssignmentManagementGroup.bicep
index a37b5f728..ed9753f36 100644
--- a/infra-as-code/bicep/modules/policy/assignments/policyAssignmentManagementGroup.bicep +++ b/infra-as-code/bicep/modules/policy/assignments/policyAssignmentManagementGroup.bicep @@ -12,7 +12,7 @@ param parPolicyAssignmentDisplayName string param parPolicyAssignmentDescription string @description('The policy definition ID for the policy to be assigned. e.g. "/providers/Microsoft.Authorization/policyDefinitions/9d0a794f-1444-4c96-9534-e35fc8c39c91" or "/providers/Microsoft.Management/managementgroups/alz/providers/Microsoft.Authorization/policyDefinitions/Deny-Public-IP"') -param parPolicyAssignmentDefinitionID string +param parPolicyAssignmentDefinitionId string @description('An object containing the parameter values for the policy to be assigned. DEFAULT VALUE = {}') param parPolicyAssignmentParameters object = {} 
@@ -41,13 +41,13 @@ param parPolicyAssignmentEnforcementMode string = 'Default' param parPolicyAssignmentIdentityType string = 'None' @description('An array containing a list of additional Management Group IDs (as the Management Group deployed to is included automatically) that the System-assigned Managed Identity, associated to the policy assignment, will be assigned to additionally. e.g. [\'alz\', \'alz-sandbox\' ]. DEFAULT VALUE = [ ]') -param parPolicyAssignmentIdentityRoleAssignmentsAdditionalMGs array = [] +param parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs array = [] @description('An array containing a list of Subscription IDs that the System-assigned Managed Identity associated to the policy assignment will be assigned to in addition to the Management Group the policy is deployed/assigned to. e.g. [\'8200b669-cbc6-4e6c-b6d8-f4797f924074\', \'7d58dc5d-93dc-43cd-94fc-57da2e74af0d\' ]. DEFAULT VALUE = []') param parPolicyAssignmentIdentityRoleAssignmentsSubs array = [] @description('An array containing a list of RBAC role definition IDs to be assigned to the Managed Identity that is created and associated with the policy assignment. Only required for Modify and DeployIfNotExists policy effects. e.g. [\'/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\']. DEFAULT VALUE = []') -param parPolicyAssignmentIdentityRoleDefinitionIDs array = [] +param parPolicyAssignmentIdentityRoleDefinitionIds array = [] @description('Set Parameter to true to Opt-out of deployment telemetry') param parTelemetryOptOut bool = false 
@@ -56,7 +56,7 @@ var varPolicyAssignmentParametersMerged = union(parPolicyAssignmentParameters, p var varPolicyIdentity = parPolicyAssignmentIdentityType == 'SystemAssigned' ? 'SystemAssigned' : 'None' -var varPolicyAssignmentIdentityRoleAssignmentsMGsConverged = parPolicyAssignmentIdentityType == 'SystemAssigned' ? union(parPolicyAssignmentIdentityRoleAssignmentsAdditionalMGs, (array(managementGroup().name))) : [] +var varPolicyAssignmentIdentityRoleAssignmentsMgsConverged = parPolicyAssignmentIdentityType == 'SystemAssigned' ? union(parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs, (array(managementGroup().name))) : [] // Customer Usage Attribution Id var varCuaid = '78001e36-9738-429c-a343-45cc84e8a527' @@ -66,7 +66,7 @@ resource resPolicyAssignment 'Microsoft.Authorization/policyAssignments@2020-09- properties: { displayName: parPolicyAssignmentDisplayName description: parPolicyAssignmentDescription - policyDefinitionId: parPolicyAssignmentDefinitionID + policyDefinitionId: parPolicyAssignmentDefinitionId parameters: varPolicyAssignmentParametersMerged nonComplianceMessages: parPolicyAssignmentNonComplianceMessages notScopes: parPolicyAssignmentNotScopes 
@@ -80,10 +80,10 @@ resource resPolicyAssignment 'Microsoft.Authorization/policyAssignments@2020-09- } // Handle Managed Identity RBAC Assignments to Management Group scopes based on parameter inputs, if they are not empty and a policy assignment with an identity is required. -module modPolicyIdentityRoleAssignmentMGsMany '../../roleAssignments/roleAssignmentManagementGroupMany.bicep' = [for roles in parPolicyAssignmentIdentityRoleDefinitionIDs: if ((varPolicyIdentity == 'SystemAssigned') && !empty(parPolicyAssignmentIdentityRoleDefinitionIDs)) { +module modPolicyIdentityRoleAssignmentMgsMany '../../roleAssignments/roleAssignmentManagementGroupMany.bicep' = [for roles in parPolicyAssignmentIdentityRoleDefinitionIds: if ((varPolicyIdentity == 'SystemAssigned') && !empty(parPolicyAssignmentIdentityRoleDefinitionIds)) { name: 'rbac-assign-mg-policy-${parPolicyAssignmentName}-${uniqueString(parPolicyAssignmentName, roles)}' params: { - parManagementGroupIds: varPolicyAssignmentIdentityRoleAssignmentsMGsConverged + parManagementGroupIds: varPolicyAssignmentIdentityRoleAssignmentsMgsConverged parAssigneeObjectId: resPolicyAssignment.identity.principalId parAssigneePrincipalType: 'ServicePrincipal' parRoleDefinitionId: roles 
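Review bot: The `!empty(parPolicyAssignmentIdentityRoleDefinitionIds)` term in the loop filter of `modPolicyIdentityRoleAssignmentMgsMany` can never be false, because the filter is evaluated once per element of that same array; `if (varPolicyIdentity == 'SystemAssigned')` expresses the whole condition. The following hunk's `modPolicyIdentityRoleAssignmentSubsMany` carries the same redundant term. What the code does not surface is the opposite case: `SystemAssigned` with an empty role list creates an identity that holds no role, so a comment such as `// NOTE: an empty parPolicyAssignmentIdentityRoleDefinitionIds leaves the identity without permissions` above the module would help whoever reads a failed remediation later. Both module bodies continue outside their hunks.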
@@ -91,7 +91,7 @@ module modPolicyIdentityRoleAssignmentMGsMany '../../roleAssignments/roleAssignm }] // Handle Managed Identity RBAC Assignments to Subscription scopes based on parameter inputs, if they are not empty and a policy assignment with an identity is required. -module modPolicyIdentityRoleAssignmentSubsMany '../../roleAssignments/roleAssignmentSubscriptionMany.bicep' = [for roles in parPolicyAssignmentIdentityRoleDefinitionIDs: if ((varPolicyIdentity == 'SystemAssigned') && !empty(parPolicyAssignmentIdentityRoleDefinitionIDs) && !empty(parPolicyAssignmentIdentityRoleAssignmentsSubs)) { +module modPolicyIdentityRoleAssignmentSubsMany '../../roleAssignments/roleAssignmentSubscriptionMany.bicep' = [for roles in parPolicyAssignmentIdentityRoleDefinitionIds: if ((varPolicyIdentity == 'SystemAssigned') && !empty(parPolicyAssignmentIdentityRoleDefinitionIds) && !empty(parPolicyAssignmentIdentityRoleAssignmentsSubs)) { name: 'rbac-assign-sub-policy-${parPolicyAssignmentName}-${uniqueString(parPolicyAssignmentName, roles)}' params: { parSubscriptionIds: parPolicyAssignmentIdentityRoleAssignmentsSubs diff --git a/infra-as-code/bicep/modules/policy/definitions/README.md b/infra-as-code/bicep/modules/policy/definitions/README.md index 3258a2f88..17b50e1a0 100644 --- a/infra-as-code/bicep/modules/policy/definitions/README.md +++ b/infra-as-code/bicep/modules/policy/definitions/README.md 
@@ -18,7 +18,7 @@ The module requires the following inputs: | Parameter | Description | Requirement | Example | | -------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------- | ------- | - | parTargetManagementGroupID | The management group scope to which the the policy definitions will be stored/deployed to. This management group must already exist before deploying this bicep module. | Mandatory input | `alz` | + | parTargetManagementGroupId | The management group scope to which the the policy definitions will be stored/deployed to. This management group must already exist before deploying this bicep module. | Mandatory input | `alz` | | parTelemetryOptOut | Set Parameter to true to Opt-out of deployment telemetry | Mandatory input, default: `false` | `false` | ## Outputs 
@@ -31,12 +31,12 @@ There are two different sets of deployment; one for deploying to Azure global re | Azure Cloud | Bicep template | Input parameters file | | -------------- | ---------------------------------- | ------------------------------------------------- | - | Global regions | custom-policy-definitions.bicep | custom-policy-definitions.parameters.example.json | - | China regions | mc-custom-policy-definitions.bicep | custom-policy-definitions.parameters.example.json | + | Global regions | customPolicyDefinitions.bicep | parameters/customPolicyDefinitions.parameters.all.json | + | China regions | mc-customPolicyDefinitions.bicep | parameters/customPolicyDefinitions.parameters.all.json | In this example, the custom policy definitions and policy set definitions will be deployed to the `alz` management group (the intermediate root management group). -The input parameter file `custom-policy-definitions.parameters.example.json` defines the target management group to which the custom policy definitions will be deployed to. In this case, it will be the same management group (i.e. `alz`) as the one specified for the deployment operation. There is no change in the input parameter file for different Azure clouds because there is no change to the intermediate root management group. +The input parameter file `parameters/customPolicyDefinitions.parameters.all.json` defines the target management group to which the custom policy definitions will be deployed to. In this case, it will be the same management group (i.e. `alz`) as the one specified for the deployment operation. There is no change in the input parameter file for different Azure clouds because there is no change to the intermediate root management group. > For the examples below we assume you have downloaded or cloned the Git repo as-is and are in the root of the repository as your selected directory in your terminal of choice. 
> If the deployment provisioning state has failed due to policy definitions could not be found, this is often due to a known replication delay. Please re-run the deployment step below, and the deployment should succeed. @@ -46,8 +46,8 @@ The input parameter file `custom-policy-definitions.parameters.example.json` def ```bash # For Azure global regions az deployment mg create \ - --template-file infra-as-code/bicep/modules/policy/definitions/custom-policy-definitions.bicep \ - --parameters @infra-as-code/bicep/modules/policy/definitions/custom-policy-definitions.parameters.example.json \ + --template-file infra-as-code/bicep/modules/policy/definitions/customPolicyDefinitions.bicep \ + --parameters @infra-as-code/bicep/modules/policy/definitions/parameters/customPolicyDefinitions.parameters.all.json \ --location eastus \ --management-group-id alz ``` @@ -55,8 +55,8 @@ OR ```bash # For Azure China regions az deployment mg create \ - --template-file infra-as-code/bicep/modules/policy/definitions/mc-custom-policy-definitions.bicep \ - --parameters @infra-as-code/bicep/modules/policy/definitions/custom-policy-definitions.parameters.example.json \ + --template-file infra-as-code/bicep/modules/policy/definitions/mc-customPolicyDefinitions.bicep \ + --parameters @infra-as-code/bicep/modules/policy/definitions/parameters/customPolicyDefinitions.parameters.all.json \ --location chinaeast2 \ --management-group-id alz ``` 
@@ -66,8 +66,8 @@ az deployment mg create \ ```powershell # For Azure global regions New-AzManagementGroupDeployment ` - -TemplateFile infra-as-code/bicep/modules/policy/definitions/custom-policy-definitions.bicep ` - -TemplateParameterFile infra-as-code/bicep/modules/policy/definitions/custom-policy-definitions.parameters.example.json ` + -TemplateFile infra-as-code/bicep/modules/policy/definitions/customPolicyDefinitions.bicep ` + -TemplateParameterFile infra-as-code/bicep/modules/policy/definitions/parameters/customPolicyDefinitions.parameters.all.json ` -Location eastus ` -ManagementGroupId alz ``` @@ -75,14 +75,14 @@ OR ```powershell # For Azure China regions New-AzManagementGroupDeployment ` - -TemplateFile infra-as-code/bicep/modules/policy/definitions/mc-custom-policy-definitions.bicep ` - -TemplateParameterFile infra-as-code/bicep/modules/policy/definitions/custom-policy-definitions.parameters.example.json ` + -TemplateFile infra-as-code/bicep/modules/policy/definitions/mc-customPolicyDefinitions.bicep ` + -TemplateParameterFile infra-as-code/bicep/modules/policy/definitions/parameters/customPolicyDefinitions.parameters.all.json ` -Location chinaeast2 ` -ManagementGroupId alz ``` -![Example Deployment Output](media/example-deployment-output.png "Example Deployment Output") +![Example Deployment Output](media/exampleDeploymentOutput.png "Example Deployment Output") ## Bicep Visualizer -![Bicep Visualizer](media/bicep-visualizer.png "Bicep Visualizer") +![Bicep Visualizer](media/bicepVisualizer.png "Bicep Visualizer") diff --git a/infra-as-code/bicep/modules/policy/definitions/custom-policy-definitions.bicep b/infra-as-code/bicep/modules/policy/definitions/customPolicyDefinitions.bicep similarity index 77% rename from infra-as-code/bicep/modules/policy/definitions/custom-policy-definitions.bicep rename to infra-as-code/bicep/modules/policy/definitions/customPolicyDefinitions.bicep index eea6caca4..dc026ea4c 100644 
--- a/infra-as-code/bicep/modules/policy/definitions/custom-policy-definitions.bicep +++ b/infra-as-code/bicep/modules/policy/definitions/customPolicyDefinitions.bicep @@ -1,12 +1,12 @@ targetScope = 'managementGroup' @description('The management group scope to which the policy definitions are to be created at. DEFAULT VALUE = "alz"') -param parTargetManagementGroupID string = 'alz' +param parTargetManagementGroupId string = 'alz' @description('Set Parameter to true to Opt-out of deployment telemetry') param parTelemetryOptOut bool = false -var varTargetManagementGroupResourceID = tenantResourceId('Microsoft.Management/managementGroups', parTargetManagementGroupID) +var varTargetManagementGroupResourceId = tenantResourceId('Microsoft.Management/managementGroups', parTargetManagementGroupId) // This variable contains a number of objects that load in the custom Azure Policy Defintions that are provided as part of the ESLZ/ALZ reference implementation - this is automatically created in the file 'infra-as-code\bicep\modules\policy\lib\policy_definitions\_policyDefinitionsBicepInput.txt' via a GitHub action, that runs on a daily schedule, and is then manually copied into this variable. var varCustomPolicyDefinitionsArray = [ 
@@ -431,53 +431,53 @@ var varCustomPolicySetDefinitionsArray = [
 libSetDefinition: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deny_publicpaasendpoints.json'))
 libSetChildDefinitions: [
 {
- definitionReferenceID: 'ACRDenyPaasPublicIP'
- definitionID: '/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f'
+ definitionReferenceId: 'ACRDenyPaasPublicIP'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f'
 definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deny_publicpaasendpoints.parameters.json')).ACRDenyPaasPublicIP.parameters
 }
 {
- definitionReferenceID: 'AFSDenyPaasPublicIP'
- definitionID: '/providers/Microsoft.Authorization/policyDefinitions/21a8cd35-125e-4d13-b82d-2e19b7208bb7'
+ definitionReferenceId: 'AFSDenyPaasPublicIP'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/21a8cd35-125e-4d13-b82d-2e19b7208bb7'
 definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deny_publicpaasendpoints.parameters.json')).AFSDenyPaasPublicIP.parameters
 }
 {
- definitionReferenceID: 'AKSDenyPaasPublicIP'
- definitionID: '/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8'
+ definitionReferenceId: 'AKSDenyPaasPublicIP'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8'
 definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deny_publicpaasendpoints.parameters.json')).AKSDenyPaasPublicIP.parameters
 }
 {
- definitionReferenceID: 'BatchDenyPublicIP'
- definitionID: '/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488'
+ definitionReferenceId: 'BatchDenyPublicIP'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488'
 definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deny_publicpaasendpoints.parameters.json')).BatchDenyPublicIP.parameters
 }
 {
- definitionReferenceID: 'CosmosDenyPaasPublicIP'
- definitionID: '/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a'
+ definitionReferenceId: 'CosmosDenyPaasPublicIP'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a'
 definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deny_publicpaasendpoints.parameters.json')).CosmosDenyPaasPublicIP.parameters
 }
 {
- definitionReferenceID: 'KeyVaultDenyPaasPublicIP'
- definitionID: '/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490'
+ definitionReferenceId: 'KeyVaultDenyPaasPublicIP'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490'
 definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deny_publicpaasendpoints.parameters.json')).KeyVaultDenyPaasPublicIP.parameters
 }
 {
- definitionReferenceID: 'MySQLFlexDenyPublicIP'
- definitionID: '/providers/Microsoft.Authorization/policyDefinitions/c9299215-ae47-4f50-9c54-8a392f68a052'
+ definitionReferenceId: 'MySQLFlexDenyPublicIP'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c9299215-ae47-4f50-9c54-8a392f68a052'
 definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deny_publicpaasendpoints.parameters.json')).MySQLFlexDenyPublicIP.parameters
 }
 {
- definitionReferenceID: 'PostgreSQLFlexDenyPublicIP'
- definitionID: '/providers/Microsoft.Authorization/policyDefinitions/5e1de0e3-42cb-4ebc-a86d-61d0c619ca48'
+ definitionReferenceId: 'PostgreSQLFlexDenyPublicIP'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/5e1de0e3-42cb-4ebc-a86d-61d0c619ca48'
 definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deny_publicpaasendpoints.parameters.json')).PostgreSQLFlexDenyPublicIP.parameters
 }
 {
- definitionReferenceID: 'SqlServerDenyPaasPublicIP'
- definitionID: '/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780'
+ definitionReferenceId: 'SqlServerDenyPaasPublicIP'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780'
 definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deny_publicpaasendpoints.parameters.json')).SqlServerDenyPaasPublicIP.parameters
 }
 {
- definitionReferenceID: 'StorageDenyPaasPublicIP'
- definitionID: '/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c'
+ definitionReferenceId: 'StorageDenyPaasPublicIP'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c'
 definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deny_publicpaasendpoints.parameters.json')).StorageDenyPaasPublicIP.parameters
 }
 ]
@@ -487,313 +487,313 @@ var varCustomPolicySetDefinitionsArray = [ libSetDefinition: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.json')) libSetChildDefinitions: [ { - definitionReferenceID: 'ACIDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI' + definitionReferenceId: 'ACIDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).ACIDeployDiagnosticLogDeployLogAnalytics.parameters } { - definitionReferenceID: 'ACRDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR' + definitionReferenceId: 'ACRDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).ACRDeployDiagnosticLogDeployLogAnalytics.parameters } { - definitionReferenceID: 'AKSDeployDiagnosticLogDeployLogAnalytics' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8' + definitionReferenceId: 'AKSDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).AKSDeployDiagnosticLogDeployLogAnalytics.parameters } { - 
definitionReferenceID: 'AnalysisServiceDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService' + definitionReferenceId: 'AnalysisServiceDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).AnalysisServiceDeployDiagnosticLogDeployLogAnalytics.parameters } { - definitionReferenceID: 'APIforFHIRDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR' + definitionReferenceId: 'APIforFHIRDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).APIforFHIRDeployDiagnosticLogDeployLogAnalytics.parameters } { - definitionReferenceID: 'APIMgmtDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt' + definitionReferenceId: 'APIMgmtDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).APIMgmtDeployDiagnosticLogDeployLogAnalytics.parameters } { - definitionReferenceID: 'ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics' 
- definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway' + definitionReferenceId: 'ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics.parameters } { - definitionReferenceID: 'AppServiceDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm' + definitionReferenceId: 'AppServiceDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).AppServiceDeployDiagnosticLogDeployLogAnalytics.parameters } { - definitionReferenceID: 'AppServiceWebappDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website' + definitionReferenceId: 'AppServiceWebappDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).AppServiceWebappDeployDiagnosticLogDeployLogAnalytics.parameters } { - definitionReferenceID: 'AutomationDeployDiagnosticLogDeployLogAnalytics' - definitionID: 
'${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA' + definitionReferenceId: 'AutomationDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).AutomationDeployDiagnosticLogDeployLogAnalytics.parameters } { - definitionReferenceID: 'BatchDeployDiagnosticLogDeployLogAnalytics' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5' + definitionReferenceId: 'BatchDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).BatchDeployDiagnosticLogDeployLogAnalytics.parameters } { - definitionReferenceID: 'CDNEndpointsDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints' + definitionReferenceId: 'CDNEndpointsDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).CDNEndpointsDeployDiagnosticLogDeployLogAnalytics.parameters } { - definitionReferenceID: 'CognitiveServicesDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices' + definitionReferenceId: 
'CognitiveServicesDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).CognitiveServicesDeployDiagnosticLogDeployLogAnalytics.parameters } { - definitionReferenceID: 'CosmosDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB' + definitionReferenceId: 'CosmosDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).CosmosDeployDiagnosticLogDeployLogAnalytics.parameters } { - definitionReferenceID: 'DatabricksDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks' + definitionReferenceId: 'DatabricksDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).DatabricksDeployDiagnosticLogDeployLogAnalytics.parameters } { - definitionReferenceID: 'DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster' + definitionReferenceId: 'DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics' + 
definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics.parameters } { - definitionReferenceID: 'DataFactoryDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory' + definitionReferenceId: 'DataFactoryDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).DataFactoryDeployDiagnosticLogDeployLogAnalytics.parameters } { - definitionReferenceID: 'DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics' + definitionReferenceId: 'DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics.parameters } { - definitionReferenceID: 'DataLakeStoreDeployDiagnosticLogDeployLogAnalytics' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03' + definitionReferenceId: 'DataLakeStoreDeployDiagnosticLogDeployLogAnalytics' + definitionId: 
'/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).DataLakeStoreDeployDiagnosticLogDeployLogAnalytics.parameters } { - definitionReferenceID: 'EventGridSubDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub' + definitionReferenceId: 'EventGridSubDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).EventGridSubDeployDiagnosticLogDeployLogAnalytics.parameters } { - definitionReferenceID: 'EventGridTopicDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic' + definitionReferenceId: 'EventGridTopicDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).EventGridTopicDeployDiagnosticLogDeployLogAnalytics.parameters } { - definitionReferenceID: 'EventHubDeployDiagnosticLogDeployLogAnalytics' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579' + definitionReferenceId: 'EventHubDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579' definitionParameters: 
json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).EventHubDeployDiagnosticLogDeployLogAnalytics.parameters } { - definitionReferenceID: 'EventSystemTopicDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic' + definitionReferenceId: 'EventSystemTopicDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).EventSystemTopicDeployDiagnosticLogDeployLogAnalytics.parameters } { - definitionReferenceID: 'ExpressRouteDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute' + definitionReferenceId: 'ExpressRouteDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).ExpressRouteDeployDiagnosticLogDeployLogAnalytics.parameters } { - definitionReferenceID: 'FirewallDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall' + definitionReferenceId: 'FirewallDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall' definitionParameters: 
json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).FirewallDeployDiagnosticLogDeployLogAnalytics.parameters } { - definitionReferenceID: 'FrontDoorDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor' + definitionReferenceId: 'FrontDoorDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).FrontDoorDeployDiagnosticLogDeployLogAnalytics.parameters } { - definitionReferenceID: 'FunctionAppDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function' + definitionReferenceId: 'FunctionAppDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).FunctionAppDeployDiagnosticLogDeployLogAnalytics.parameters } { - definitionReferenceID: 'HDInsightDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight' + definitionReferenceId: 'HDInsightDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight' definitionParameters: 
json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).HDInsightDeployDiagnosticLogDeployLogAnalytics.parameters } { - definitionReferenceID: 'IotHubDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub' + definitionReferenceId: 'IotHubDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).IotHubDeployDiagnosticLogDeployLogAnalytics.parameters } { - definitionReferenceID: 'KeyVaultDeployDiagnosticLogDeployLogAnalytics' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47' + definitionReferenceId: 'KeyVaultDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).KeyVaultDeployDiagnosticLogDeployLogAnalytics.parameters } { - definitionReferenceID: 'LoadBalancerDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer' + definitionReferenceId: 'LoadBalancerDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer' definitionParameters: 
json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).LoadBalancerDeployDiagnosticLogDeployLogAnalytics.parameters } { - definitionReferenceID: 'LogicAppsISEDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE' + definitionReferenceId: 'LogicAppsISEDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).LogicAppsISEDeployDiagnosticLogDeployLogAnalytics.parameters } { - definitionReferenceID: 'LogicAppsWFDeployDiagnosticLogDeployLogAnalytics' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721' + definitionReferenceId: 'LogicAppsWFDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).LogicAppsWFDeployDiagnosticLogDeployLogAnalytics.parameters } { - definitionReferenceID: 'MariaDBDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB' + definitionReferenceId: 'MariaDBDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB' definitionParameters: 
json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).MariaDBDeployDiagnosticLogDeployLogAnalytics.parameters } { - definitionReferenceID: 'MediaServiceDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService' + definitionReferenceId: 'MediaServiceDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).MediaServiceDeployDiagnosticLogDeployLogAnalytics.parameters } { - definitionReferenceID: 'MlWorkspaceDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace' + definitionReferenceId: 'MlWorkspaceDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).MlWorkspaceDeployDiagnosticLogDeployLogAnalytics.parameters } { - definitionReferenceID: 'MySQLDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL' + definitionReferenceId: 'MySQLDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL' definitionParameters: 
json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).MySQLDeployDiagnosticLogDeployLogAnalytics.parameters } { - definitionReferenceID: 'NetworkNICDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC' + definitionReferenceId: 'NetworkNICDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).NetworkNICDeployDiagnosticLogDeployLogAnalytics.parameters } { - definitionReferenceID: 'NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648' + definitionReferenceId: 'NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics.parameters } { - definitionReferenceID: 'NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups' + definitionReferenceId: 'NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups' definitionParameters: 
json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics.parameters } { - definitionReferenceID: 'PostgreSQLDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL' + definitionReferenceId: 'PostgreSQLDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).PostgreSQLDeployDiagnosticLogDeployLogAnalytics.parameters } { - definitionReferenceID: 'PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded' + definitionReferenceId: 'PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics.parameters } { - definitionReferenceID: 'RecoveryVaultDeployDiagnosticLogDeployLogAnalytics' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3' + definitionReferenceId: 'RecoveryVaultDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3' definitionParameters: 
json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).RecoveryVaultDeployDiagnosticLogDeployLogAnalytics.parameters } { - definitionReferenceID: 'RedisCacheDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache' + definitionReferenceId: 'RedisCacheDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).RedisCacheDeployDiagnosticLogDeployLogAnalytics.parameters } { - definitionReferenceID: 'RelayDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay' + definitionReferenceId: 'RelayDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).RelayDeployDiagnosticLogDeployLogAnalytics.parameters } { - definitionReferenceID: 'SearchServicesDeployDiagnosticLogDeployLogAnalytics' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d' + definitionReferenceId: 'SearchServicesDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d' definitionParameters: 
json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).SearchServicesDeployDiagnosticLogDeployLogAnalytics.parameters } { - definitionReferenceID: 'ServiceBusDeployDiagnosticLogDeployLogAnalytics' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e' + definitionReferenceId: 'ServiceBusDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).ServiceBusDeployDiagnosticLogDeployLogAnalytics.parameters } { - definitionReferenceID: 'SignalRDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR' + definitionReferenceId: 'SignalRDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).SignalRDeployDiagnosticLogDeployLogAnalytics.parameters } { - definitionReferenceID: 'SQLDatabaseDeployDiagnosticLogDeployLogAnalytics' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84' + definitionReferenceId: 'SQLDatabaseDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).SQLDatabaseDeployDiagnosticLogDeployLogAnalytics.parameters } { - definitionReferenceID: 
'SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools' + definitionReferenceId: 'SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics.parameters } { - definitionReferenceID: 'SQLMDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI' + definitionReferenceId: 'SQLMDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).SQLMDeployDiagnosticLogDeployLogAnalytics.parameters } { - definitionReferenceID: 'StorageAccountDeployDiagnosticLogDeployLogAnalytics' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/6f8f98a4-f108-47cb-8e98-91a0d85cd474' + definitionReferenceId: 'StorageAccountDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/6f8f98a4-f108-47cb-8e98-91a0d85cd474' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).StorageAccountDeployDiagnosticLogDeployLogAnalytics.parameters } { - definitionReferenceID: 'StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics' - definitionID: 
'/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673' + definitionReferenceId: 'StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics.parameters } { - definitionReferenceID: 'TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights' + definitionReferenceId: 'TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics.parameters } { - definitionReferenceID: 'TrafficManagerDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager' + definitionReferenceId: 'TrafficManagerDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).TrafficManagerDeployDiagnosticLogDeployLogAnalytics.parameters } { - definitionReferenceID: 'VirtualMachinesDeployDiagnosticLogDeployLogAnalytics' - definitionID: 
'${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM' + definitionReferenceId: 'VirtualMachinesDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).VirtualMachinesDeployDiagnosticLogDeployLogAnalytics.parameters } { - definitionReferenceID: 'VirtualNetworkDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork' + definitionReferenceId: 'VirtualNetworkDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).VirtualNetworkDeployDiagnosticLogDeployLogAnalytics.parameters } { - definitionReferenceID: 'VMSSDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS' + definitionReferenceId: 'VMSSDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).VMSSDeployDiagnosticLogDeployLogAnalytics.parameters } { - definitionReferenceID: 'VNetGWDeployDiagnosticLogDeployLogAnalytics' - definitionID: 
'${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW' + definitionReferenceId: 'VNetGWDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).VNetGWDeployDiagnosticLogDeployLogAnalytics.parameters } { - definitionReferenceID: 'WVDAppGroupDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup' + definitionReferenceId: 'WVDAppGroupDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).WVDAppGroupDeployDiagnosticLogDeployLogAnalytics.parameters } { - definitionReferenceID: 'WVDHostPoolsDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools' + definitionReferenceId: 'WVDHostPoolsDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).WVDHostPoolsDeployDiagnosticLogDeployLogAnalytics.parameters } { - definitionReferenceID: 'WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics' - definitionID: 
'${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace' + definitionReferenceId: 'WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics.parameters } ] 
@@ -803,63 +803,63 @@ var varCustomPolicySetDefinitionsArray = [
 libSetDefinition: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_mdfc_config.json'))
 libSetChildDefinitions: [
 {
- definitionReferenceID: 'ascExport'
- definitionID: '/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9'
+ definitionReferenceId: 'ascExport'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9'
 definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_mdfc_config.parameters.json')).ascExport.parameters
 }
 {
- definitionReferenceID: 'defenderForAppServices'
- definitionID: '/providers/Microsoft.Authorization/policyDefinitions/b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d'
+ definitionReferenceId: 'defenderForAppServices'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d'
 definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_mdfc_config.parameters.json')).defenderForAppServices.parameters
 }
 {
- definitionReferenceID: 'defenderForArm'
- definitionID: '/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9'
+ definitionReferenceId: 'defenderForArm'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9'
 definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_mdfc_config.parameters.json')).defenderForArm.parameters
 }
 {
- definitionReferenceID: 'defenderforContainers'
- definitionID: '/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f'
+ definitionReferenceId: 'defenderforContainers'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f'
 definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_mdfc_config.parameters.json')).defenderforContainers.parameters
 }
 {
- definitionReferenceID: 'defenderForDns'
- definitionID: '/providers/Microsoft.Authorization/policyDefinitions/2370a3c1-4a25-4283-a91a-c9c1a145fb2f'
+ definitionReferenceId: 'defenderForDns'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/2370a3c1-4a25-4283-a91a-c9c1a145fb2f'
 definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_mdfc_config.parameters.json')).defenderForDns.parameters
 }
 {
- definitionReferenceID: 'defenderForKeyVaults'
- definitionID: '/providers/Microsoft.Authorization/policyDefinitions/1f725891-01c0-420a-9059-4fa46cb770b7'
+ definitionReferenceId: 'defenderForKeyVaults'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1f725891-01c0-420a-9059-4fa46cb770b7'
 definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_mdfc_config.parameters.json')).defenderForKeyVaults.parameters
 }
 {
- definitionReferenceID: 'defenderForOssDb'
- definitionID: '/providers/Microsoft.Authorization/policyDefinitions/44433aa3-7ec2-4002-93ea-65c65ff0310a'
+ definitionReferenceId: 'defenderForOssDb'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/44433aa3-7ec2-4002-93ea-65c65ff0310a'
 definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_mdfc_config.parameters.json')).defenderForOssDb.parameters
 }
 {
- definitionReferenceID: 'defenderForSqlPaas'
- definitionID: '/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491'
+ definitionReferenceId: 'defenderForSqlPaas'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491'
 definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_mdfc_config.parameters.json')).defenderForSqlPaas.parameters
 }
 {
- definitionReferenceID: 'defenderForSqlServerVirtualMachines'
- definitionID: '/providers/Microsoft.Authorization/policyDefinitions/50ea7265-7d8c-429e-9a7d-ca1f410191c3'
+ definitionReferenceId: 'defenderForSqlServerVirtualMachines'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/50ea7265-7d8c-429e-9a7d-ca1f410191c3'
 definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_mdfc_config.parameters.json')).defenderForSqlServerVirtualMachines.parameters
 }
 {
- definitionReferenceID: 'defenderForStorageAccounts'
- definitionID: '/providers/Microsoft.Authorization/policyDefinitions/74c30959-af11-47b3-9ed2-a26e03f427a3'
+ definitionReferenceId: 'defenderForStorageAccounts'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/74c30959-af11-47b3-9ed2-a26e03f427a3'
 definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_mdfc_config.parameters.json')).defenderForStorageAccounts.parameters
 }
 {
- definitionReferenceID: 'defenderForVM'
- definitionID: '/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222'
+ definitionReferenceId: 'defenderForVM'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222'
 definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_mdfc_config.parameters.json')).defenderForVM.parameters
 }
 {
- definitionReferenceID: 'securityEmailContact'
- definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts'
+ definitionReferenceId: 'securityEmailContact'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts'
 definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_mdfc_config.parameters.json')).securityEmailContact.parameters
 }
 ]
@@ -869,103 +869,103 @@ var varCustomPolicySetDefinitionsArray = [
 libSetDefinition: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_private_dns_zones.json'))
 libSetChildDefinitions: [
 {
- definitionReferenceID: 'DINE-Private-DNS-Azure-ACR'
- definitionID: '/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32'
+ definitionReferenceId: 'DINE-Private-DNS-Azure-ACR'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32'
 definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_private_dns_zones.parameters.json'))['DINE-Private-DNS-Azure-ACR'].parameters
 }
 {
- definitionReferenceID: 'DINE-Private-DNS-Azure-App'
- definitionID: '/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df'
+ definitionReferenceId: 'DINE-Private-DNS-Azure-App'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df'
 definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_private_dns_zones.parameters.json'))['DINE-Private-DNS-Azure-App'].parameters
 }
 {
- definitionReferenceID: 'DINE-Private-DNS-Azure-AppServices'
- definitionID: '/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452'
+ definitionReferenceId: 'DINE-Private-DNS-Azure-AppServices'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452'
 definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_private_dns_zones.parameters.json'))['DINE-Private-DNS-Azure-AppServices'].parameters
 }
 {
- definitionReferenceID: 'DINE-Private-DNS-Azure-Batch'
- definitionID: '/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8'
+ definitionReferenceId: 'DINE-Private-DNS-Azure-Batch'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8'
 definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_private_dns_zones.parameters.json'))['DINE-Private-DNS-Azure-Batch'].parameters
 }
 {
- definitionReferenceID: 'DINE-Private-DNS-Azure-CognitiveSearch'
- definitionID: '/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009'
+ definitionReferenceId: 'DINE-Private-DNS-Azure-CognitiveSearch'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009'
 definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_private_dns_zones.parameters.json'))['DINE-Private-DNS-Azure-CognitiveSearch'].parameters
 }
 {
- definitionReferenceID: 'DINE-Private-DNS-Azure-CognitiveServices'
- definitionID: '/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091'
+ definitionReferenceId: 'DINE-Private-DNS-Azure-CognitiveServices'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091'
 definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_private_dns_zones.parameters.json'))['DINE-Private-DNS-Azure-CognitiveServices'].parameters
 }
 {
- definitionReferenceID: 'DINE-Private-DNS-Azure-DiskAccess'
- definitionID: '/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a'
+ definitionReferenceId: 'DINE-Private-DNS-Azure-DiskAccess'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a'
 definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_private_dns_zones.parameters.json'))['DINE-Private-DNS-Azure-DiskAccess'].parameters
 }
 {
- definitionReferenceID: 'DINE-Private-DNS-Azure-EventGridDomains'
- definitionID: '/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d'
+ definitionReferenceId: 'DINE-Private-DNS-Azure-EventGridDomains'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d'
 definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_private_dns_zones.parameters.json'))['DINE-Private-DNS-Azure-EventGridDomains'].parameters
 }
 {
- definitionReferenceID: 'DINE-Private-DNS-Azure-EventGridTopics'
- definitionID: '/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483'
+ definitionReferenceId: 'DINE-Private-DNS-Azure-EventGridTopics'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483'
 definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_private_dns_zones.parameters.json'))['DINE-Private-DNS-Azure-EventGridTopics'].parameters
 }
 {
- definitionReferenceID: 'DINE-Private-DNS-Azure-EventHubNamespace'
- definitionID: '/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6'
+ definitionReferenceId: 'DINE-Private-DNS-Azure-EventHubNamespace'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6'
 definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_private_dns_zones.parameters.json'))['DINE-Private-DNS-Azure-EventHubNamespace'].parameters
 }
 {
- definitionReferenceID: 'DINE-Private-DNS-Azure-File-Sync'
- definitionID: '/providers/Microsoft.Authorization/policyDefinitions/06695360-db88-47f6-b976-7500d4297475'
+ definitionReferenceId: 'DINE-Private-DNS-Azure-File-Sync'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/06695360-db88-47f6-b976-7500d4297475'
 definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_private_dns_zones.parameters.json'))['DINE-Private-DNS-Azure-File-Sync'].parameters
 }
 {
- definitionReferenceID: 'DINE-Private-DNS-Azure-IoT'
- definitionID: '/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8'
+ definitionReferenceId: 'DINE-Private-DNS-Azure-IoT'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8'
 definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_private_dns_zones.parameters.json'))['DINE-Private-DNS-Azure-IoT'].parameters
 }
 {
- definitionReferenceID: 'DINE-Private-DNS-Azure-IoTHubs'
- definitionID: '/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02'
+ definitionReferenceId: 'DINE-Private-DNS-Azure-IoTHubs'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02'
 definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_private_dns_zones.parameters.json'))['DINE-Private-DNS-Azure-IoTHubs'].parameters
 }
 {
- definitionReferenceID: 'DINE-Private-DNS-Azure-KeyVault'
- definitionID: '/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01d4'
+ definitionReferenceId: 'DINE-Private-DNS-Azure-KeyVault'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01d4'
 definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_private_dns_zones.parameters.json'))['DINE-Private-DNS-Azure-KeyVault'].parameters
 }
 {
- definitionReferenceID: 'DINE-Private-DNS-Azure-MachineLearningWorkspace'
- definitionID: '/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb'
+ definitionReferenceId: 'DINE-Private-DNS-Azure-MachineLearningWorkspace'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb'
 definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_private_dns_zones.parameters.json'))['DINE-Private-DNS-Azure-MachineLearningWorkspace'].parameters
 }
 {
- definitionReferenceID: 'DINE-Private-DNS-Azure-RedisCache'
- definitionID: '/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2'
+ definitionReferenceId: 'DINE-Private-DNS-Azure-RedisCache'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2'
 definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_private_dns_zones.parameters.json'))['DINE-Private-DNS-Azure-RedisCache'].parameters
 }
 {
- definitionReferenceID: 'DINE-Private-DNS-Azure-ServiceBusNamespace'
- definitionID: '/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564'
+ definitionReferenceId: 'DINE-Private-DNS-Azure-ServiceBusNamespace'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564'
 definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_private_dns_zones.parameters.json'))['DINE-Private-DNS-Azure-ServiceBusNamespace'].parameters
 }
 {
- definitionReferenceID: 'DINE-Private-DNS-Azure-SignalR'
- definitionID: '/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e'
+ definitionReferenceId: 'DINE-Private-DNS-Azure-SignalR'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e'
 definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_private_dns_zones.parameters.json'))['DINE-Private-DNS-Azure-SignalR'].parameters
 }
 {
- definitionReferenceID: 'DINE-Private-DNS-Azure-Site-Recovery'
- definitionID: '/providers/Microsoft.Authorization/policyDefinitions/942bd215-1a66-44be-af65-6a1c0318dbe2'
+ definitionReferenceId: 'DINE-Private-DNS-Azure-Site-Recovery'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/942bd215-1a66-44be-af65-6a1c0318dbe2'
 definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_private_dns_zones.parameters.json'))['DINE-Private-DNS-Azure-Site-Recovery'].parameters
 }
 {
- definitionReferenceID: 'DINE-Private-DNS-Azure-Web'
- definitionID: '/providers/Microsoft.Authorization/policyDefinitions/0b026355-49cb-467b-8ac4-f777874e175a'
+ definitionReferenceId: 'DINE-Private-DNS-Azure-Web'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/0b026355-49cb-467b-8ac4-f777874e175a'
 definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_private_dns_zones.parameters.json'))['DINE-Private-DNS-Azure-Web'].parameters
 }
 ]
@@ -975,23 +975,23 @@ var varCustomPolicySetDefinitionsArray = [
 libSetDefinition: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_sql_security.json'))
 libSetChildDefinitions: [
 {
- definitionReferenceID: 'SqlDbAuditingSettingsDeploySqlSecurity'
- definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-AuditingSettings'
+ definitionReferenceId: 'SqlDbAuditingSettingsDeploySqlSecurity'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-AuditingSettings'
 definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_sql_security.parameters.json')).SqlDbAuditingSettingsDeploySqlSecurity.parameters
 }
 {
- definitionReferenceID: 'SqlDbSecurityAlertPoliciesDeploySqlSecurity'
- definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-SecurityAlertPolicies'
+ definitionReferenceId: 'SqlDbSecurityAlertPoliciesDeploySqlSecurity'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-SecurityAlertPolicies'
 definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_sql_security.parameters.json')).SqlDbSecurityAlertPoliciesDeploySqlSecurity.parameters
 }
 {
- definitionReferenceID: 'SqlDbTdeDeploySqlSecurity'
- definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-Tde'
+ definitionReferenceId: 'SqlDbTdeDeploySqlSecurity'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-Tde'
 definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_sql_security.parameters.json')).SqlDbTdeDeploySqlSecurity.parameters
 }
 {
- definitionReferenceID: 'SqlDbVulnerabilityAssessmentsDeploySqlSecurity'
- definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments'
+ definitionReferenceId: 'SqlDbVulnerabilityAssessmentsDeploySqlSecurity'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments'
 definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_sql_security.parameters.json')).SqlDbVulnerabilityAssessmentsDeploySqlSecurity.parameters
 }
 ]
@@ -1001,78 +1001,78 @@ var varCustomPolicySetDefinitionsArray = [
 libSetDefinition: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_enforce_encryption_cmk.json'))
 libSetChildDefinitions: [
 {
- definitionReferenceID: 'ACRCmkDeny'
- definitionID: '/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580'
+ definitionReferenceId: 'ACRCmkDeny'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580'
 definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_enforce_encryption_cmk.parameters.json')).ACRCmkDeny.parameters
 }
 {
- definitionReferenceID: 'AksCmkDeny'
- definitionID: '/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67'
+ definitionReferenceId: 'AksCmkDeny'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67'
 definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_enforce_encryption_cmk.parameters.json')).AksCmkDeny.parameters
 }
 {
- definitionReferenceID: 'AzureBatchCMKEffect'
- definitionID: '/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a'
+ definitionReferenceId: 'AzureBatchCMKEffect'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a'
 definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_enforce_encryption_cmk.parameters.json')).AzureBatchCMKEffect.parameters
 }
 {
- definitionReferenceID: 'CognitiveServicesCMK'
- definitionID: '/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d'
+ definitionReferenceId: 'CognitiveServicesCMK'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d'
 definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_enforce_encryption_cmk.parameters.json')).CognitiveServicesCMK.parameters
 }
 {
- definitionReferenceID: 'CosmosCMKEffect'
- definitionID: '/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f'
+ definitionReferenceId: 'CosmosCMKEffect'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f'
 definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_enforce_encryption_cmk.parameters.json')).CosmosCMKEffect.parameters
 }
 {
- definitionReferenceID: 'DataBoxCMKEffect'
- definitionID: '/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae'
+ definitionReferenceId: 'DataBoxCMKEffect'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae'
 definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_enforce_encryption_cmk.parameters.json')).DataBoxCMKEffect.parameters
 }
 {
- definitionReferenceID: 'EncryptedVMDisksEffect'
- definitionID: '/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d'
+ definitionReferenceId: 'EncryptedVMDisksEffect'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d'
 definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_enforce_encryption_cmk.parameters.json')).EncryptedVMDisksEffect.parameters
 }
 {
- definitionReferenceID: 'HealthcareAPIsCMKEffect'
- definitionID: '/providers/Microsoft.Authorization/policyDefinitions/051cba44-2429-45b9-9649-46cec11c7119'
+ definitionReferenceId: 'HealthcareAPIsCMKEffect'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/051cba44-2429-45b9-9649-46cec11c7119'
 definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_enforce_encryption_cmk.parameters.json')).HealthcareAPIsCMKEffect.parameters
 }
 {
- definitionReferenceID: 'MySQLCMKEffect'
- definitionID: '/providers/Microsoft.Authorization/policyDefinitions/83cef61d-dbd1-4b20-a4fc-5fbc7da10833'
+ definitionReferenceId: 'MySQLCMKEffect'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/83cef61d-dbd1-4b20-a4fc-5fbc7da10833'
 definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_enforce_encryption_cmk.parameters.json')).MySQLCMKEffect.parameters
 }
 {
- definitionReferenceID: 'PostgreSQLCMKEffect'
- definitionID: '/providers/Microsoft.Authorization/policyDefinitions/18adea5e-f416-4d0f-8aa8-d24321e3e274'
+ definitionReferenceId: 'PostgreSQLCMKEffect'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/18adea5e-f416-4d0f-8aa8-d24321e3e274'
 definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_enforce_encryption_cmk.parameters.json')).PostgreSQLCMKEffect.parameters
 }
 {
- definitionReferenceID: 'SqlServerTDECMKEffect'
- definitionID: '/providers/Microsoft.Authorization/policyDefinitions/0d134df8-db83-46fb-ad72-fe0c9428c8dd'
+ definitionReferenceId: 'SqlServerTDECMKEffect'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/0d134df8-db83-46fb-ad72-fe0c9428c8dd'
 definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_enforce_encryption_cmk.parameters.json')).SqlServerTDECMKEffect.parameters
 }
 {
- definitionReferenceID: 'StorageCMKEffect'
- definitionID: '/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25'
+ definitionReferenceId: 'StorageCMKEffect'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25'
 definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_enforce_encryption_cmk.parameters.json')).StorageCMKEffect.parameters
 }
 {
- definitionReferenceID: 'StreamAnalyticsCMKEffect'
- definitionID: '/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7'
+ definitionReferenceId: 'StreamAnalyticsCMKEffect'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7'
 definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_enforce_encryption_cmk.parameters.json')).StreamAnalyticsCMKEffect.parameters
 }
 {
- definitionReferenceID: 'SynapseWorkspaceCMKEffect'
- definitionID: '/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385'
+ definitionReferenceId: 'SynapseWorkspaceCMKEffect'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385'
 definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_enforce_encryption_cmk.parameters.json')).SynapseWorkspaceCMKEffect.parameters
 }
 {
- definitionReferenceID: 'WorkspaceCMK'
- definitionID: '/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8'
+ definitionReferenceId: 'WorkspaceCMK'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8'
 definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_enforce_encryption_cmk.parameters.json')).WorkspaceCMK.parameters
 }
 ]
@@ -1082,113 +1082,113 @@ var varCustomPolicySetDefinitionsArray = [ libSetDefinition: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_enforce_encrypttransit.json')) libSetChildDefinitions: [ { - definitionReferenceID: 'AKSIngressHttpsOnlyEffect' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d' + definitionReferenceId: 'AKSIngressHttpsOnlyEffect' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_enforce_encrypttransit.parameters.json')).AKSIngressHttpsOnlyEffect.parameters } { - definitionReferenceID: 'APIAppServiceHttpsEffect' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http' + definitionReferenceId: 'APIAppServiceHttpsEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_enforce_encrypttransit.parameters.json')).APIAppServiceHttpsEffect.parameters } { - definitionReferenceID: 'APIAppServiceLatestTlsEffect' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e' + definitionReferenceId: 'APIAppServiceLatestTlsEffect' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_enforce_encrypttransit.parameters.json')).APIAppServiceLatestTlsEffect.parameters } { - definitionReferenceID: 'AppServiceHttpEffect' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly' + definitionReferenceId: 
'AppServiceHttpEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_enforce_encrypttransit.parameters.json')).AppServiceHttpEffect.parameters } { - definitionReferenceID: 'AppServiceminTlsVersion' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS' + definitionReferenceId: 'AppServiceminTlsVersion' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_enforce_encrypttransit.parameters.json')).AppServiceminTlsVersion.parameters } { - definitionReferenceID: 'FunctionLatestTlsEffect' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193' + definitionReferenceId: 'FunctionLatestTlsEffect' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_enforce_encrypttransit.parameters.json')).FunctionLatestTlsEffect.parameters } { - definitionReferenceID: 'FunctionServiceHttpsEffect' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http' + definitionReferenceId: 'FunctionServiceHttpsEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_enforce_encrypttransit.parameters.json')).FunctionServiceHttpsEffect.parameters } { - definitionReferenceID: 
'MySQLEnableSSLDeployEffect' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement' + definitionReferenceId: 'MySQLEnableSSLDeployEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_enforce_encrypttransit.parameters.json')).MySQLEnableSSLDeployEffect.parameters } { - definitionReferenceID: 'MySQLEnableSSLEffect' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http' + definitionReferenceId: 'MySQLEnableSSLEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_enforce_encrypttransit.parameters.json')).MySQLEnableSSLEffect.parameters } { - definitionReferenceID: 'PostgreSQLEnableSSLDeployEffect' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement' + definitionReferenceId: 'PostgreSQLEnableSSLDeployEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_enforce_encrypttransit.parameters.json')).PostgreSQLEnableSSLDeployEffect.parameters } { - definitionReferenceID: 'PostgreSQLEnableSSLEffect' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http' + definitionReferenceId: 'PostgreSQLEnableSSLEffect' + definitionId: 
'${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_enforce_encrypttransit.parameters.json')).PostgreSQLEnableSSLEffect.parameters } { - definitionReferenceID: 'RedisDenyhttps' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http' + definitionReferenceId: 'RedisDenyhttps' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_enforce_encrypttransit.parameters.json')).RedisDenyhttps.parameters } { - definitionReferenceID: 'RedisdisableNonSslPort' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort' + definitionReferenceId: 'RedisdisableNonSslPort' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_enforce_encrypttransit.parameters.json')).RedisdisableNonSslPort.parameters } { - definitionReferenceID: 'RedisTLSDeployEffect' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement' + definitionReferenceId: 'RedisTLSDeployEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_enforce_encrypttransit.parameters.json')).RedisTLSDeployEffect.parameters } { - definitionReferenceID: 'SQLManagedInstanceTLSDeployEffect' - definitionID: 
'${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS' + definitionReferenceId: 'SQLManagedInstanceTLSDeployEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_enforce_encrypttransit.parameters.json')).SQLManagedInstanceTLSDeployEffect.parameters } { - definitionReferenceID: 'SQLManagedInstanceTLSEffect' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS' + definitionReferenceId: 'SQLManagedInstanceTLSEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_enforce_encrypttransit.parameters.json')).SQLManagedInstanceTLSEffect.parameters } { - definitionReferenceID: 'SQLServerTLSDeployEffect' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS' + definitionReferenceId: 'SQLServerTLSDeployEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_enforce_encrypttransit.parameters.json')).SQLServerTLSDeployEffect.parameters } { - definitionReferenceID: 'SQLServerTLSEffect' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS' + definitionReferenceId: 'SQLServerTLSEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS' definitionParameters: 
json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_enforce_encrypttransit.parameters.json')).SQLServerTLSEffect.parameters } { - definitionReferenceID: 'StorageDeployHttpsEnabledEffect' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement' + definitionReferenceId: 'StorageDeployHttpsEnabledEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_enforce_encrypttransit.parameters.json')).StorageDeployHttpsEnabledEffect.parameters } { - definitionReferenceID: 'StorageHttpsEnabledEffect' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-minTLS' + definitionReferenceId: 'StorageHttpsEnabledEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-minTLS' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_enforce_encrypttransit.parameters.json')).StorageHttpsEnabledEffect.parameters } { - definitionReferenceID: 'WebAppServiceHttpsEffect' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http' + definitionReferenceId: 'WebAppServiceHttpsEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_enforce_encrypttransit.parameters.json')).WebAppServiceHttpsEffect.parameters } { - definitionReferenceID: 'WebAppServiceLatestTlsEffect' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b' + 
definitionReferenceId: 'WebAppServiceLatestTlsEffect' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_enforce_encrypttransit.parameters.json')).WebAppServiceLatestTlsEffect.parameters } ] @@ -1223,8 +1223,8 @@ resource resPolicySetDefinitions 'Microsoft.Authorization/policySetDefinitions@2 parameters: policySet.libSetDefinition.properties.parameters policyType: policySet.libSetDefinition.properties.policyType policyDefinitions: [for policySetDef in policySet.libSetChildDefinitions: { - policyDefinitionReferenceId: policySetDef.definitionReferenceID - policyDefinitionId: policySetDef.definitionID + policyDefinitionReferenceId: policySetDef.definitionReferenceId + policyDefinitionId: policySetDef.definitionId parameters: policySetDef.definitionParameters }] policyDefinitionGroups: policySet.libSetDefinition.properties.policyDefinitionGroups diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/_mc_policySetDefinitionsBicepInput.txt b/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/_mc_policySetDefinitionsBicepInput.txt index 409df7485..a73189b1c 100644 --- a/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/_mc_policySetDefinitionsBicepInput.txt +++ b/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/_mc_policySetDefinitionsBicepInput.txt 
@@ -1,712 +1,712 @@ { name: 'Deny-PublicPaaSEndpoints' libSetDefinition: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deny_publicpaasendpoints.json')) - libSetChildDefinitions: [ + libSetChildDefinitions: [ { - definitionReferenceID: 'ACRDenyPaasPublicIP' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f' + definitionReferenceId: 'ACRDenyPaasPublicIP' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deny_publicpaasendpoints.parameters.json')).ACRDenyPaasPublicIP.parameters - } + } { - definitionReferenceID: 'AFSDenyPaasPublicIP' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deny-AFSPaasPublicIP' + definitionReferenceId: 'AFSDenyPaasPublicIP' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-AFSPaasPublicIP' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deny_publicpaasendpoints.parameters.json')).AFSDenyPaasPublicIP.parameters - } + } { - definitionReferenceID: 'AKSDenyPaasPublicIP' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8' + definitionReferenceId: 'AKSDenyPaasPublicIP' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deny_publicpaasendpoints.parameters.json')).AKSDenyPaasPublicIP.parameters - } + } { - definitionReferenceID: 'BatchDenyPublicIP' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488' + definitionReferenceId: 'BatchDenyPublicIP' + 
definitionId: '/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deny_publicpaasendpoints.parameters.json')).BatchDenyPublicIP.parameters - } + } { - definitionReferenceID: 'CosmosDenyPaasPublicIP' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a' + definitionReferenceId: 'CosmosDenyPaasPublicIP' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deny_publicpaasendpoints.parameters.json')).CosmosDenyPaasPublicIP.parameters - } + } { - definitionReferenceID: 'KeyVaultDenyPaasPublicIP' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deny-KeyVaultPaasPublicIP' + definitionReferenceId: 'KeyVaultDenyPaasPublicIP' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-KeyVaultPaasPublicIP' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deny_publicpaasendpoints.parameters.json')).KeyVaultDenyPaasPublicIP.parameters - } + } { - definitionReferenceID: 'SqlServerDenyPaasPublicIP' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780' + definitionReferenceId: 'SqlServerDenyPaasPublicIP' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deny_publicpaasendpoints.parameters.json')).SqlServerDenyPaasPublicIP.parameters - } + } { - definitionReferenceID: 'StorageDenyPaasPublicIP' - definitionID: 
'/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c' + definitionReferenceId: 'StorageDenyPaasPublicIP' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deny_publicpaasendpoints.parameters.json')).StorageDenyPaasPublicIP.parameters - } + } ] -} +} { name: 'Deploy-ASCDF-Config' libSetDefinition: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_ascdf_config.json')) - libSetChildDefinitions: [ + libSetChildDefinitions: [ { - definitionReferenceID: 'ascExport' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9' + definitionReferenceId: 'ascExport' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_ascdf_config.parameters.json')).ascExport.parameters - } + } { - definitionReferenceID: 'defenderForSqlPaas' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491' + definitionReferenceId: 'defenderForSqlPaas' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_ascdf_config.parameters.json')).defenderForSqlPaas.parameters - } + } { - definitionReferenceID: 'defenderForVM' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222' + definitionReferenceId: 'defenderForVM' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222' definitionParameters: 
json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_ascdf_config.parameters.json')).defenderForVM.parameters - } + } { - definitionReferenceID: 'securityEmailContact' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts' + definitionReferenceId: 'securityEmailContact' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_ascdf_config.parameters.json')).securityEmailContact.parameters - } + } ] -} +} { name: 'Deploy-Diagnostics-LogAnalytics' libSetDefinition: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.json')) - libSetChildDefinitions: [ + libSetChildDefinitions: [ { - definitionReferenceID: 'ACIDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI' + definitionReferenceId: 'ACIDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).ACIDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'ACRDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR' + definitionReferenceId: 'ACRDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR' definitionParameters: 
json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).ACRDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'AKSDeployDiagnosticLogDeployLogAnalytics' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8' + definitionReferenceId: 'AKSDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).AKSDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'AnalysisServiceDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService' + definitionReferenceId: 'AnalysisServiceDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).AnalysisServiceDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'APIforFHIRDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR' + definitionReferenceId: 'APIforFHIRDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR' definitionParameters: 
json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).APIforFHIRDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'APIMgmtDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt' + definitionReferenceId: 'APIMgmtDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).APIMgmtDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway' + definitionReferenceId: 'ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'AppServiceDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm' + definitionReferenceId: 'AppServiceDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm' definitionParameters: 
json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).AppServiceDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'AppServiceWebappDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website' + definitionReferenceId: 'AppServiceWebappDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).AppServiceWebappDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'AutomationDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA' + definitionReferenceId: 'AutomationDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).AutomationDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'BatchDeployDiagnosticLogDeployLogAnalytics' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5' + definitionReferenceId: 'BatchDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5' definitionParameters: 
json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).BatchDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'CDNEndpointsDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints' + definitionReferenceId: 'CDNEndpointsDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).CDNEndpointsDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'CognitiveServicesDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices' + definitionReferenceId: 'CognitiveServicesDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).CognitiveServicesDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'CosmosDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB' + definitionReferenceId: 'CosmosDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB' definitionParameters: 
json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).CosmosDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'DatabricksDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks' + definitionReferenceId: 'DatabricksDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).DatabricksDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster' + definitionReferenceId: 'DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'DataFactoryDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory' + definitionReferenceId: 'DataFactoryDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory' definitionParameters: 
json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).DataFactoryDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics' + definitionReferenceId: 'DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'DataLakeStoreDeployDiagnosticLogDeployLogAnalytics' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03' + definitionReferenceId: 'DataLakeStoreDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).DataLakeStoreDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'EventGridSubDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub' + definitionReferenceId: 'EventGridSubDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub' definitionParameters: 
json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).EventGridSubDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'EventGridTopicDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic' + definitionReferenceId: 'EventGridTopicDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).EventGridTopicDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'EventHubDeployDiagnosticLogDeployLogAnalytics' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579' + definitionReferenceId: 'EventHubDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).EventHubDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'EventSystemTopicDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic' + definitionReferenceId: 'EventSystemTopicDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic' definitionParameters: 
json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).EventSystemTopicDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'ExpressRouteDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute' + definitionReferenceId: 'ExpressRouteDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).ExpressRouteDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'FirewallDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall' + definitionReferenceId: 'FirewallDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).FirewallDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'FrontDoorDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor' + definitionReferenceId: 'FrontDoorDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor' definitionParameters: 
json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).FrontDoorDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'FunctionAppDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function' + definitionReferenceId: 'FunctionAppDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).FunctionAppDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'HDInsightDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight' + definitionReferenceId: 'HDInsightDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).HDInsightDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'IotHubDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub' + definitionReferenceId: 'IotHubDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub' definitionParameters: 
json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).IotHubDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'KeyVaultDeployDiagnosticLogDeployLogAnalytics' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47' + definitionReferenceId: 'KeyVaultDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).KeyVaultDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'LoadBalancerDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer' + definitionReferenceId: 'LoadBalancerDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).LoadBalancerDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'LogicAppsISEDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE' + definitionReferenceId: 'LogicAppsISEDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE' definitionParameters: 
json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).LogicAppsISEDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'LogicAppsWFDeployDiagnosticLogDeployLogAnalytics' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721' + definitionReferenceId: 'LogicAppsWFDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).LogicAppsWFDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'MariaDBDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB' + definitionReferenceId: 'MariaDBDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).MariaDBDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'MediaServiceDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService' + definitionReferenceId: 'MediaServiceDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService' definitionParameters: 
json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).MediaServiceDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'MlWorkspaceDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace' + definitionReferenceId: 'MlWorkspaceDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).MlWorkspaceDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'MySQLDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL' + definitionReferenceId: 'MySQLDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).MySQLDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'NetworkNICDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC' + definitionReferenceId: 'NetworkNICDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC' definitionParameters: 
json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).NetworkNICDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648' + definitionReferenceId: 'NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups' + definitionReferenceId: 'NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'PostgreSQLDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL' + definitionReferenceId: 'PostgreSQLDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL' definitionParameters: 
json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).PostgreSQLDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded' + definitionReferenceId: 'PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'RecoveryVaultDeployDiagnosticLogDeployLogAnalytics' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3' + definitionReferenceId: 'RecoveryVaultDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).RecoveryVaultDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'RedisCacheDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache' + definitionReferenceId: 'RedisCacheDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache' definitionParameters: 
json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).RedisCacheDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'RelayDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay' + definitionReferenceId: 'RelayDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).RelayDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'SearchServicesDeployDiagnosticLogDeployLogAnalytics' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d' + definitionReferenceId: 'SearchServicesDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).SearchServicesDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'ServiceBusDeployDiagnosticLogDeployLogAnalytics' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e' + definitionReferenceId: 'ServiceBusDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e' definitionParameters: 
json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).ServiceBusDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'SignalRDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR' + definitionReferenceId: 'SignalRDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).SignalRDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'SQLDatabaseDeployDiagnosticLogDeployLogAnalytics' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84' + definitionReferenceId: 'SQLDatabaseDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).SQLDatabaseDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools' + definitionReferenceId: 'SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools' definitionParameters: 
json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'SQLMDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI' + definitionReferenceId: 'SQLMDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).SQLMDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'StorageAccountDeployDiagnosticLogDeployLogAnalytics' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/6f8f98a4-f108-47cb-8e98-91a0d85cd474' + definitionReferenceId: 'StorageAccountDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/6f8f98a4-f108-47cb-8e98-91a0d85cd474' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).StorageAccountDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673' + definitionReferenceId: 'StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673' definitionParameters: 
json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights' + definitionReferenceId: 'TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'TrafficManagerDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager' + definitionReferenceId: 'TrafficManagerDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).TrafficManagerDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'VirtualMachinesDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM' + definitionReferenceId: 'VirtualMachinesDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM' 
definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).VirtualMachinesDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'VirtualNetworkDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork' + definitionReferenceId: 'VirtualNetworkDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).VirtualNetworkDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'VMSSDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS' + definitionReferenceId: 'VMSSDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).VMSSDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'VNetGWDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW' + definitionReferenceId: 'VNetGWDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW' definitionParameters: 
json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).VNetGWDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'WVDAppGroupDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup' + definitionReferenceId: 'WVDAppGroupDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).WVDAppGroupDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'WVDHostPoolsDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools' + definitionReferenceId: 'WVDHostPoolsDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).WVDHostPoolsDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace' + definitionReferenceId: 'WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace' definitionParameters: 
json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics.parameters - } + } ] -} +} { name: 'Deploy-Private-DNS-Zones' libSetDefinition: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.json')) - libSetChildDefinitions: [ + libSetChildDefinitions: [ { - definitionReferenceID: 'Deploy-Private-DNS-Azure-File-Sync' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Private-DNS-Azure-File-Sync' + definitionReferenceId: 'Deploy-Private-DNS-Azure-File-Sync' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Private-DNS-Azure-File-Sync' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json')).Deploy-Private-DNS-Azure-File-Sync.parameters - } + } { - definitionReferenceID: 'Deploy-Private-DNS-Azure-KeyVault' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Private-DNS-Azure-KeyVault' + definitionReferenceId: 'Deploy-Private-DNS-Azure-KeyVault' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Private-DNS-Azure-KeyVault' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json')).Deploy-Private-DNS-Azure-KeyVault.parameters - } + } { - definitionReferenceID: 'Deploy-Private-DNS-Azure-Web' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Private-DNS-Azure-Web' + definitionReferenceId: 'Deploy-Private-DNS-Azure-Web' + definitionId: 
'${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Private-DNS-Azure-Web' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json')).Deploy-Private-DNS-Azure-Web.parameters - } + } { - definitionReferenceID: 'DINE-Private-DNS-Azure-ACR' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32' + definitionReferenceId: 'DINE-Private-DNS-Azure-ACR' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json')).DINE-Private-DNS-Azure-ACR.parameters - } + } { - definitionReferenceID: 'DINE-Private-DNS-Azure-App' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df' + definitionReferenceId: 'DINE-Private-DNS-Azure-App' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json')).DINE-Private-DNS-Azure-App.parameters - } + } { - definitionReferenceID: 'DINE-Private-DNS-Azure-AppServices' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452' + definitionReferenceId: 'DINE-Private-DNS-Azure-AppServices' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json')).DINE-Private-DNS-Azure-AppServices.parameters - } + } { - definitionReferenceID: 'DINE-Private-DNS-Azure-Batch' - definitionID: 
'/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8' + definitionReferenceId: 'DINE-Private-DNS-Azure-Batch' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json')).DINE-Private-DNS-Azure-Batch.parameters - } + } { - definitionReferenceID: 'DINE-Private-DNS-Azure-CognitiveSearch' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009' + definitionReferenceId: 'DINE-Private-DNS-Azure-CognitiveSearch' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json')).DINE-Private-DNS-Azure-CognitiveSearch.parameters - } + } { - definitionReferenceID: 'DINE-Private-DNS-Azure-CognitiveServices' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091' + definitionReferenceId: 'DINE-Private-DNS-Azure-CognitiveServices' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json')).DINE-Private-DNS-Azure-CognitiveServices.parameters - } + } { - definitionReferenceID: 'DINE-Private-DNS-Azure-DiskAccess' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a' + definitionReferenceId: 'DINE-Private-DNS-Azure-DiskAccess' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a' definitionParameters: 
json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json')).DINE-Private-DNS-Azure-DiskAccess.parameters - } + } { - definitionReferenceID: 'DINE-Private-DNS-Azure-EventGridDomains' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d' + definitionReferenceId: 'DINE-Private-DNS-Azure-EventGridDomains' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json')).DINE-Private-DNS-Azure-EventGridDomains.parameters - } + } { - definitionReferenceID: 'DINE-Private-DNS-Azure-EventGridTopics' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483' + definitionReferenceId: 'DINE-Private-DNS-Azure-EventGridTopics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json')).DINE-Private-DNS-Azure-EventGridTopics.parameters - } + } { - definitionReferenceID: 'DINE-Private-DNS-Azure-EventHubNamespace' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6' + definitionReferenceId: 'DINE-Private-DNS-Azure-EventHubNamespace' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json')).DINE-Private-DNS-Azure-EventHubNamespace.parameters - } + } { - definitionReferenceID: 'DINE-Private-DNS-Azure-IoT' - definitionID: 
'/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8' + definitionReferenceId: 'DINE-Private-DNS-Azure-IoT' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json')).DINE-Private-DNS-Azure-IoT.parameters - } + } { - definitionReferenceID: 'DINE-Private-DNS-Azure-IoTHubs' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02' + definitionReferenceId: 'DINE-Private-DNS-Azure-IoTHubs' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json')).DINE-Private-DNS-Azure-IoTHubs.parameters - } + } { - definitionReferenceID: 'DINE-Private-DNS-Azure-MachineLearningWorkspace' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb' + definitionReferenceId: 'DINE-Private-DNS-Azure-MachineLearningWorkspace' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json')).DINE-Private-DNS-Azure-MachineLearningWorkspace.parameters - } + } { - definitionReferenceID: 'DINE-Private-DNS-Azure-RedisCache' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2' + definitionReferenceId: 'DINE-Private-DNS-Azure-RedisCache' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2' definitionParameters: 
json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json')).DINE-Private-DNS-Azure-RedisCache.parameters - } + } { - definitionReferenceID: 'DINE-Private-DNS-Azure-ServiceBusNamespace' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564' + definitionReferenceId: 'DINE-Private-DNS-Azure-ServiceBusNamespace' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json')).DINE-Private-DNS-Azure-ServiceBusNamespace.parameters - } + } { - definitionReferenceID: 'DINE-Private-DNS-Azure-SignalR' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e' + definitionReferenceId: 'DINE-Private-DNS-Azure-SignalR' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json')).DINE-Private-DNS-Azure-SignalR.parameters - } + } { - definitionReferenceID: 'DINE-Private-DNS-Azure-Site-Recovery' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/942bd215-1a66-44be-af65-6a1c0318dbe2' + definitionReferenceId: 'DINE-Private-DNS-Azure-Site-Recovery' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/942bd215-1a66-44be-af65-6a1c0318dbe2' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json')).DINE-Private-DNS-Azure-Site-Recovery.parameters - } + } ] -} +} { name: 'Deploy-Sql-Security' libSetDefinition: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_sql_security.json')) 
- libSetChildDefinitions: [ + libSetChildDefinitions: [ { - definitionReferenceID: 'SqlDbAuditingSettingsDeploySqlSecurity' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-AuditingSettings' + definitionReferenceId: 'SqlDbAuditingSettingsDeploySqlSecurity' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-AuditingSettings' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_sql_security.parameters.json')).SqlDbAuditingSettingsDeploySqlSecurity.parameters - } + } { - definitionReferenceID: 'SqlDbSecurityAlertPoliciesDeploySqlSecurity' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-SecurityAlertPolicies' + definitionReferenceId: 'SqlDbSecurityAlertPoliciesDeploySqlSecurity' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-SecurityAlertPolicies' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_sql_security.parameters.json')).SqlDbSecurityAlertPoliciesDeploySqlSecurity.parameters - } + } { - definitionReferenceID: 'SqlDbTdeDeploySqlSecurity' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-Tde' + definitionReferenceId: 'SqlDbTdeDeploySqlSecurity' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-Tde' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_sql_security.parameters.json')).SqlDbTdeDeploySqlSecurity.parameters - } + } { - definitionReferenceID: 'SqlDbVulnerabilityAssessmentsDeploySqlSecurity' - definitionID: 
'${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments' + definitionReferenceId: 'SqlDbVulnerabilityAssessmentsDeploySqlSecurity' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_sql_security.parameters.json')).SqlDbVulnerabilityAssessmentsDeploySqlSecurity.parameters - } + } ] -} +} { name: 'Enforce-Encryption-CMK' libSetDefinition: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encryption_cmk.json')) - libSetChildDefinitions: [ + libSetChildDefinitions: [ { - definitionReferenceID: 'ACRCmkDeny' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580' + definitionReferenceId: 'ACRCmkDeny' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encryption_cmk.parameters.json')).ACRCmkDeny.parameters - } + } { - definitionReferenceID: 'AksCmkDeny' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67' + definitionReferenceId: 'AksCmkDeny' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encryption_cmk.parameters.json')).AksCmkDeny.parameters - } + } { - definitionReferenceID: 'AzureBatchCMKEffect' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a' + definitionReferenceId: 'AzureBatchCMKEffect' + definitionId: 
'/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encryption_cmk.parameters.json')).AzureBatchCMKEffect.parameters - } + } { - definitionReferenceID: 'CognitiveServicesCMK' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d' + definitionReferenceId: 'CognitiveServicesCMK' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encryption_cmk.parameters.json')).CognitiveServicesCMK.parameters - } + } { - definitionReferenceID: 'CosmosCMKEffect' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f' + definitionReferenceId: 'CosmosCMKEffect' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encryption_cmk.parameters.json')).CosmosCMKEffect.parameters - } + } { - definitionReferenceID: 'DataBoxCMKEffect' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae' + definitionReferenceId: 'DataBoxCMKEffect' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encryption_cmk.parameters.json')).DataBoxCMKEffect.parameters - } + } { - definitionReferenceID: 'EncryptedVMDisksEffect' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d' + definitionReferenceId: 'EncryptedVMDisksEffect' + definitionId: 
'/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encryption_cmk.parameters.json')).EncryptedVMDisksEffect.parameters - } + } { - definitionReferenceID: 'MySQLCMKEffect' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQLCMKEffect' + definitionReferenceId: 'MySQLCMKEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQLCMKEffect' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encryption_cmk.parameters.json')).MySQLCMKEffect.parameters - } + } { - definitionReferenceID: 'PostgreSQLCMKEffect' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQLCMKEffect' + definitionReferenceId: 'PostgreSQLCMKEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQLCMKEffect' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encryption_cmk.parameters.json')).PostgreSQLCMKEffect.parameters - } + } { - definitionReferenceID: 'SqlServerTDECMKEffect' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/0d134df8-db83-46fb-ad72-fe0c9428c8dd' + definitionReferenceId: 'SqlServerTDECMKEffect' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/0d134df8-db83-46fb-ad72-fe0c9428c8dd' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encryption_cmk.parameters.json')).SqlServerTDECMKEffect.parameters - } + } { - definitionReferenceID: 'StorageCMKEffect' - definitionID: 
'/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25' + definitionReferenceId: 'StorageCMKEffect' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encryption_cmk.parameters.json')).StorageCMKEffect.parameters - } + } { - definitionReferenceID: 'StreamAnalyticsCMKEffect' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7' + definitionReferenceId: 'StreamAnalyticsCMKEffect' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encryption_cmk.parameters.json')).StreamAnalyticsCMKEffect.parameters - } + } { - definitionReferenceID: 'SynapseWorkspaceCMKEffect' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385' + definitionReferenceId: 'SynapseWorkspaceCMKEffect' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encryption_cmk.parameters.json')).SynapseWorkspaceCMKEffect.parameters - } + } { - definitionReferenceID: 'WorkspaceCMK' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8' + definitionReferenceId: 'WorkspaceCMK' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encryption_cmk.parameters.json')).WorkspaceCMK.parameters - } + } ] -} +} { name: 'Enforce-EncryptTransit' libSetDefinition: 
json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.json')) - libSetChildDefinitions: [ + libSetChildDefinitions: [ { - definitionReferenceID: 'AKSIngressHttpsOnlyEffect' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d' + definitionReferenceId: 'AKSIngressHttpsOnlyEffect' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).AKSIngressHttpsOnlyEffect.parameters - } + } { - definitionReferenceID: 'APIAppServiceHttpsEffect' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http' + definitionReferenceId: 'APIAppServiceHttpsEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).APIAppServiceHttpsEffect.parameters - } + } { - definitionReferenceID: 'APIAppServiceLatestTlsEffect' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e' + definitionReferenceId: 'APIAppServiceLatestTlsEffect' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).APIAppServiceLatestTlsEffect.parameters - } + } { - definitionReferenceID: 'AppServiceHttpEffect' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly' + definitionReferenceId: 
'AppServiceHttpEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).AppServiceHttpEffect.parameters - } + } { - definitionReferenceID: 'AppServiceminTlsVersion' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS' + definitionReferenceId: 'AppServiceminTlsVersion' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).AppServiceminTlsVersion.parameters - } + } { - definitionReferenceID: 'FunctionLatestTlsEffect' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193' + definitionReferenceId: 'FunctionLatestTlsEffect' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).FunctionLatestTlsEffect.parameters - } + } { - definitionReferenceID: 'FunctionServiceHttpsEffect' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http' + definitionReferenceId: 'FunctionServiceHttpsEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).FunctionServiceHttpsEffect.parameters - 
} + } { - definitionReferenceID: 'MySQLEnableSSLDeployEffect' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement' + definitionReferenceId: 'MySQLEnableSSLDeployEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).MySQLEnableSSLDeployEffect.parameters - } + } { - definitionReferenceID: 'MySQLEnableSSLEffect' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http' + definitionReferenceId: 'MySQLEnableSSLEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).MySQLEnableSSLEffect.parameters - } + } { - definitionReferenceID: 'PostgreSQLEnableSSLDeployEffect' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement' + definitionReferenceId: 'PostgreSQLEnableSSLDeployEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).PostgreSQLEnableSSLDeployEffect.parameters - } + } { - definitionReferenceID: 'PostgreSQLEnableSSLEffect' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http' + definitionReferenceId: 'PostgreSQLEnableSSLEffect' + definitionId: 
'${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).PostgreSQLEnableSSLEffect.parameters - } + } { - definitionReferenceID: 'RedisDenyhttps' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http' + definitionReferenceId: 'RedisDenyhttps' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).RedisDenyhttps.parameters - } + } { - definitionReferenceID: 'RedisdisableNonSslPort' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort' + definitionReferenceId: 'RedisdisableNonSslPort' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).RedisdisableNonSslPort.parameters - } + } { - definitionReferenceID: 'RedisTLSDeployEffect' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement' + definitionReferenceId: 'RedisTLSDeployEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).RedisTLSDeployEffect.parameters - } + } { - definitionReferenceID: 
'SQLManagedInstanceTLSDeployEffect' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS' + definitionReferenceId: 'SQLManagedInstanceTLSDeployEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).SQLManagedInstanceTLSDeployEffect.parameters - } + } { - definitionReferenceID: 'SQLManagedInstanceTLSEffect' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS' + definitionReferenceId: 'SQLManagedInstanceTLSEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).SQLManagedInstanceTLSEffect.parameters - } + } { - definitionReferenceID: 'SQLServerTLSDeployEffect' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS' + definitionReferenceId: 'SQLServerTLSDeployEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).SQLServerTLSDeployEffect.parameters - } + } { - definitionReferenceID: 'SQLServerTLSEffect' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS' + definitionReferenceId: 'SQLServerTLSEffect' + definitionId: 
'${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).SQLServerTLSEffect.parameters - } + } { - definitionReferenceID: 'StorageDeployHttpsEnabledEffect' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement' + definitionReferenceId: 'StorageDeployHttpsEnabledEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).StorageDeployHttpsEnabledEffect.parameters - } + } { - definitionReferenceID: 'StorageHttpsEnabledEffect' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-minTLS' + definitionReferenceId: 'StorageHttpsEnabledEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-minTLS' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).StorageHttpsEnabledEffect.parameters - } + } { - definitionReferenceID: 'WebAppServiceHttpsEffect' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http' + definitionReferenceId: 'WebAppServiceHttpsEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http' definitionParameters: 
json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).WebAppServiceHttpsEffect.parameters - } + } { - definitionReferenceID: 'WebAppServiceLatestTlsEffect' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b' + definitionReferenceId: 'WebAppServiceLatestTlsEffect' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).WebAppServiceLatestTlsEffect.parameters - } + } ] -} +} diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_deny_publicpaasendpoints.json b/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_deny_publicpaasendpoints.json index 2109f76cd..b607ecc64 100644 --- a/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_deny_publicpaasendpoints.json +++ b/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_deny_publicpaasendpoints.json @@ -127,7 +127,7 @@ }, { "policyDefinitionReferenceId": "KeyVaultDenyPaasPublicIP", - "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deny-KeyVaultPaasPublicIP", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-KeyVaultPaasPublicIP", "parameters": { "effect": { "value": "[[parameters('KeyVaultPublicIpDenyEffect')]" 
@@ -177,7 +177,7 @@
 },
 {
 "policyDefinitionReferenceId": "AFSDenyPaasPublicIP",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deny-AFSPaasPublicIP",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-AFSPaasPublicIP",
 "parameters": {
 "effect": {
 "value": "[[parameters('AFSPublicIpDenyEffect')]"
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_ascdf_config.json b/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_ascdf_config.json
index 304705fcd..92d65a169 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_ascdf_config.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_ascdf_config.json
@@ -79,7 +79,7 @@
 },
 {
 "policyDefinitionReferenceId": "securityEmailContact",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts",
 "parameters": {
 "emailSecurityContact": {
 "value": "[[parameters('emailSecurityContact')]"
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.json b/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.json
index 64a44eea1..48e1ddadd 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.json
@@ -777,7 +777,7 @@
 },
 {
 "policyDefinitionReferenceId": "WVDAppGroupDeployDiagnosticLogDeployLogAnalytics",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup",
 "parameters": {
 "logAnalytics": {
 "value": "[[parameters('logAnalytics')]"
@@ -793,7 +793,7 @@
 },
 {
 "policyDefinitionReferenceId": "WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace",
 "parameters": {
 "logAnalytics": {
 "value": "[[parameters('logAnalytics')]"
@@ -809,7 +809,7 @@
 },
 {
 "policyDefinitionReferenceId": "WVDHostPoolsDeployDiagnosticLogDeployLogAnalytics",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools",
 "parameters": {
 "logAnalytics": {
 "value": "[[parameters('logAnalytics')]"
@@ -825,7 +825,7 @@
 },
 {
 "policyDefinitionReferenceId": "ACIDeployDiagnosticLogDeployLogAnalytics",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI",
 "parameters": {
 "logAnalytics": {
 "value": "[[parameters('logAnalytics')]"
@@ -841,7 +841,7 @@
 },
 {
 "policyDefinitionReferenceId": "ACRDeployDiagnosticLogDeployLogAnalytics",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR",
 "parameters": {
 "logAnalytics": {
 "value": "[[parameters('logAnalytics')]"
@@ -873,7 +873,7 @@
 },
 {
 "policyDefinitionReferenceId": "AnalysisServiceDeployDiagnosticLogDeployLogAnalytics",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService",
 "parameters": {
 "logAnalytics": {
 "value": "[[parameters('logAnalytics')]"
@@ -889,7 +889,7 @@
 },
 {
 "policyDefinitionReferenceId": "APIforFHIRDeployDiagnosticLogDeployLogAnalytics",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR",
 "parameters": {
 "logAnalytics": {
 "value": "[[parameters('logAnalytics')]"
@@ -905,7 +905,7 @@
 },
 {
 "policyDefinitionReferenceId": "APIMgmtDeployDiagnosticLogDeployLogAnalytics",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt",
 "parameters": {
 "logAnalytics": {
 "value": "[[parameters('logAnalytics')]"
@@ -921,7 +921,7 @@
 },
 {
 "policyDefinitionReferenceId": "ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway",
 "parameters": {
 "logAnalytics": {
 "value": "[[parameters('logAnalytics')]"
@@ -937,7 +937,7 @@
 },
 {
 "policyDefinitionReferenceId": "AutomationDeployDiagnosticLogDeployLogAnalytics",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA",
 "parameters": {
 "logAnalytics": {
 "value": "[[parameters('logAnalytics')]"
@@ -969,7 +969,7 @@
 },
 {
 "policyDefinitionReferenceId": "CDNEndpointsDeployDiagnosticLogDeployLogAnalytics",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints",
 "parameters": {
 "logAnalytics": {
 "value": "[[parameters('logAnalytics')]"
@@ -985,7 +985,7 @@
 },
 {
 "policyDefinitionReferenceId": "CognitiveServicesDeployDiagnosticLogDeployLogAnalytics",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices",
 "parameters": {
 "logAnalytics": {
 "value": "[[parameters('logAnalytics')]"
@@ -1001,7 +1001,7 @@
 },
 {
 "policyDefinitionReferenceId": "CosmosDeployDiagnosticLogDeployLogAnalytics",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB",
 "parameters": {
 "logAnalytics": {
 "value": "[[parameters('logAnalytics')]"
@@ -1017,7 +1017,7 @@
 },
 {
 "policyDefinitionReferenceId": "DatabricksDeployDiagnosticLogDeployLogAnalytics",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks",
 "parameters": {
 "logAnalytics": {
 "value": "[[parameters('logAnalytics')]"
@@ -1033,7 +1033,7 @@
 },
 {
 "policyDefinitionReferenceId": "DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster",
 "parameters": {
 "logAnalytics": {
 "value": "[[parameters('logAnalytics')]"
@@ -1049,7 +1049,7 @@
 },
 {
 "policyDefinitionReferenceId": "DataFactoryDeployDiagnosticLogDeployLogAnalytics",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory",
 "parameters": {
 "logAnalytics": {
 "value": "[[parameters('logAnalytics')]"
@@ -1081,7 +1081,7 @@
 },
 {
 "policyDefinitionReferenceId": "DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics",
 "parameters": {
 "logAnalytics": {
 "value": "[[parameters('logAnalytics')]"
@@ -1097,7 +1097,7 @@
 },
 {
 "policyDefinitionReferenceId": "EventGridSubDeployDiagnosticLogDeployLogAnalytics",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub",
 "parameters": {
 "logAnalytics": {
 "value": "[[parameters('logAnalytics')]"
@@ -1113,7 +1113,7 @@
 },
 {
 "policyDefinitionReferenceId": "EventGridTopicDeployDiagnosticLogDeployLogAnalytics",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic",
 "parameters": {
 "logAnalytics": {
 "value": "[[parameters('logAnalytics')]"
@@ -1145,7 +1145,7 @@
 },
 {
 "policyDefinitionReferenceId": "EventSystemTopicDeployDiagnosticLogDeployLogAnalytics",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic",
 "parameters": {
 "logAnalytics": {
 "value": "[[parameters('logAnalytics')]"
@@ -1161,7 +1161,7 @@
 },
 {
 "policyDefinitionReferenceId": "ExpressRouteDeployDiagnosticLogDeployLogAnalytics",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute",
 "parameters": {
 "logAnalytics": {
 "value": "[[parameters('logAnalytics')]"
@@ -1177,7 +1177,7 @@
 },
 {
 "policyDefinitionReferenceId": "FirewallDeployDiagnosticLogDeployLogAnalytics",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall",
 "parameters": {
 "logAnalytics": {
 "value": "[[parameters('logAnalytics')]"
@@ -1193,7 +1193,7 @@
 },
 {
 "policyDefinitionReferenceId": "FrontDoorDeployDiagnosticLogDeployLogAnalytics",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor",
 "parameters": {
 "logAnalytics": {
 "value": "[[parameters('logAnalytics')]"
@@ -1209,7 +1209,7 @@
 },
 {
 "policyDefinitionReferenceId": "FunctionAppDeployDiagnosticLogDeployLogAnalytics",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function",
 "parameters": {
 "logAnalytics": {
 "value": "[[parameters('logAnalytics')]"
@@ -1225,7 +1225,7 @@
 },
 {
 "policyDefinitionReferenceId": "HDInsightDeployDiagnosticLogDeployLogAnalytics",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight",
 "parameters": {
 "logAnalytics": {
 "value": "[[parameters('logAnalytics')]"
@@ -1241,7 +1241,7 @@
 },
 {
 "policyDefinitionReferenceId": "IotHubDeployDiagnosticLogDeployLogAnalytics",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub",
 "parameters": {
 "logAnalytics": {
 "value": "[[parameters('logAnalytics')]"
@@ -1273,7 +1273,7 @@
 },
 {
 "policyDefinitionReferenceId": "LoadBalancerDeployDiagnosticLogDeployLogAnalytics",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer",
 "parameters": {
 "logAnalytics": {
 "value": "[[parameters('logAnalytics')]"
@@ -1289,7 +1289,7 @@
 },
 {
 "policyDefinitionReferenceId": "LogicAppsISEDeployDiagnosticLogDeployLogAnalytics",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE",
 "parameters": {
 "logAnalytics": {
 "value": "[[parameters('logAnalytics')]"
@@ -1321,7 +1321,7 @@
 },
 {
 "policyDefinitionReferenceId": "MariaDBDeployDiagnosticLogDeployLogAnalytics",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB",
 "parameters": {
 "logAnalytics": {
 "value": "[[parameters('logAnalytics')]"
@@ -1337,7 +1337,7 @@
 },
 {
 "policyDefinitionReferenceId": "MediaServiceDeployDiagnosticLogDeployLogAnalytics",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService",
 "parameters": {
 "logAnalytics": {
 "value": "[[parameters('logAnalytics')]"
@@ -1353,7 +1353,7 @@
 },
 {
 "policyDefinitionReferenceId": "MlWorkspaceDeployDiagnosticLogDeployLogAnalytics",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace",
 "parameters": {
 "logAnalytics": {
 "value": "[[parameters('logAnalytics')]"
@@ -1369,7 +1369,7 @@
 },
 {
 "policyDefinitionReferenceId": "MySQLDeployDiagnosticLogDeployLogAnalytics",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL",
 "parameters": {
 "logAnalytics": {
 "value": "[[parameters('logAnalytics')]"
@@ -1385,7 +1385,7 @@
 },
 {
 "policyDefinitionReferenceId": "NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups",
 "parameters": {
 "logAnalytics": {
 "value": "[[parameters('logAnalytics')]"
@@ -1401,7 +1401,7 @@
 },
 {
 "policyDefinitionReferenceId": "NetworkNICDeployDiagnosticLogDeployLogAnalytics",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC",
 "parameters": {
 "logAnalytics": {
 "value": "[[parameters('logAnalytics')]"
@@ -1417,7 +1417,7 @@
 },
 {
 "policyDefinitionReferenceId": "PostgreSQLDeployDiagnosticLogDeployLogAnalytics",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL",
 "parameters": {
 "logAnalytics": {
 "value": "[[parameters('logAnalytics')]"
@@ -1433,7 +1433,7 @@
 },
 {
 "policyDefinitionReferenceId": "PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded",
 "parameters": {
 "logAnalytics": {
 "value": "[[parameters('logAnalytics')]"
@@ -1481,7 +1481,7 @@
 },
 {
 "policyDefinitionReferenceId": "RedisCacheDeployDiagnosticLogDeployLogAnalytics",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache",
 "parameters": {
 "logAnalytics": {
 "value": "[[parameters('logAnalytics')]"
@@ -1497,7 +1497,7 @@
 },
 {
 "policyDefinitionReferenceId": "RelayDeployDiagnosticLogDeployLogAnalytics",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay",
 "parameters": {
 "logAnalytics": {
 "value": "[[parameters('logAnalytics')]"
@@ -1545,7 +1545,7 @@
 },
 {
 "policyDefinitionReferenceId": "SignalRDeployDiagnosticLogDeployLogAnalytics",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR",
 "parameters": {
 "logAnalytics": {
 "value": "[[parameters('logAnalytics')]"
@@ -1577,7 +1577,7 @@
 },
 {
 "policyDefinitionReferenceId": "SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools",
 "parameters": {
 "logAnalytics": {
 "value": "[[parameters('logAnalytics')]"
@@ -1593,7 +1593,7 @@
 },
 {
 "policyDefinitionReferenceId": "SQLMDeployDiagnosticLogDeployLogAnalytics",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI",
 "parameters": {
 "logAnalytics": {
 "value": "[[parameters('logAnalytics')]"
@@ -1625,7 +1625,7 @@
 },
 {
 "policyDefinitionReferenceId": "TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights",
 "parameters": {
 "logAnalytics": {
 "value": "[[parameters('logAnalytics')]"
@@ -1641,7 +1641,7 @@
 },
 {
 "policyDefinitionReferenceId": "TrafficManagerDeployDiagnosticLogDeployLogAnalytics",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager",
 "parameters": {
 "logAnalytics": {
 "value": "[[parameters('logAnalytics')]"
@@ -1657,7 +1657,7 @@
 },
 {
 "policyDefinitionReferenceId": "VirtualNetworkDeployDiagnosticLogDeployLogAnalytics",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork",
 "parameters": {
 "logAnalytics": {
 "value": "[[parameters('logAnalytics')]"
@@ -1673,7 +1673,7 @@
 },
 {
 "policyDefinitionReferenceId": "VirtualMachinesDeployDiagnosticLogDeployLogAnalytics",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM",
 "parameters": {
 "logAnalytics": {
 "value": "[[parameters('logAnalytics')]"
@@ -1689,7 +1689,7 @@
 },
 {
 "policyDefinitionReferenceId": "VMSSDeployDiagnosticLogDeployLogAnalytics",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS",
 "parameters": {
 "logAnalytics": {
 "value": "[[parameters('logAnalytics')]"
@@ -1705,7 +1705,7 @@
 },
 {
 "policyDefinitionReferenceId": "VNetGWDeployDiagnosticLogDeployLogAnalytics",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW",
 "parameters": {
 "logAnalytics": {
 "value": "[[parameters('logAnalytics')]"
@@ -1721,7 +1721,7 @@
 },
 {
 "policyDefinitionReferenceId": "AppServiceDeployDiagnosticLogDeployLogAnalytics",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm",
 "parameters": {
 "logAnalytics": {
 "value": "[[parameters('logAnalytics')]"
@@ -1737,7 +1737,7 @@
 },
 {
 "policyDefinitionReferenceId": "AppServiceWebappDeployDiagnosticLogDeployLogAnalytics",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website",
 "parameters": {
 "logAnalytics": {
 "value": "[[parameters('logAnalytics')]"
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.json b/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.json
index 2695e208f..c43720088 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.json
@@ -200,7 +200,7 @@
 "policyDefinitions": [
 {
 "policyDefinitionReferenceId": "Deploy-Private-DNS-Azure-File-Sync",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Private-DNS-Azure-File-Sync",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Private-DNS-Azure-File-Sync",
 "parameters": {
 "privateDnsZoneId": {
 "value": "[[parameters('azureFileprivateDnsZoneId')]"
@@ -213,7 +213,7 @@
 },
 {
 "policyDefinitionReferenceId": "Deploy-Private-DNS-Azure-Web",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Private-DNS-Azure-Web",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Private-DNS-Azure-Web",
 "parameters": {
 "privateDnsZoneId": {
 "value": "[[parameters('azureWebPrivateDnsZoneId')]"
@@ -278,7 +278,7 @@
 },
 {
 "policyDefinitionReferenceId": "Deploy-Private-DNS-Azure-KeyVault",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Private-DNS-Azure-KeyVault",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Private-DNS-Azure-KeyVault",
 "parameters": {
 "privateDnsZoneId": {
 "value": "[[parameters('azureKeyVaultPrivateDnsZoneId')]"
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_sql_security.json b/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_sql_security.json
index a87cebcf0..0b98e01f6 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_sql_security.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_sql_security.json
@@ -78,7 +78,7 @@
 "policyDefinitions": [
 {
 "policyDefinitionReferenceId": "SqlDbTdeDeploySqlSecurity",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-Tde",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-Tde",
 "parameters": {
 "effect": {
 "value": "[[parameters('SqlDbTdeDeploySqlSecurityEffect')]"
@@ -88,7 +88,7 @@
 },
 {
 "policyDefinitionReferenceId": "SqlDbSecurityAlertPoliciesDeploySqlSecurity",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-SecurityAlertPolicies",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-SecurityAlertPolicies",
 "parameters": {
 "effect": {
 "value": "[[parameters('SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect')]"
@@ -98,7 +98,7 @@
 },
 {
 "policyDefinitionReferenceId": "SqlDbAuditingSettingsDeploySqlSecurity",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-AuditingSettings",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-AuditingSettings",
 "parameters": {
 "effect": {
 "value": "[[parameters('SqlDbAuditingSettingsDeploySqlSecurityEffect')]"
@@ -108,7 +108,7 @@
 },
 {
 "policyDefinitionReferenceId": "SqlDbVulnerabilityAssessmentsDeploySqlSecurity",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments",
 "parameters": {
 "effect": {
 "value": "[[parameters('SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect')]"
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encryption_cmk.json b/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encryption_cmk.json
index c97d65e9e..4d1f870dc 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encryption_cmk.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encryption_cmk.json
@@ -283,7 +283,7 @@
 },
 {
 "policyDefinitionReferenceId": "MySQLCMKEffect",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQLCMKEffect",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQLCMKEffect",
 "parameters": {
 "effect": {
 "value": "[[parameters('MySQLCMKEffect')]"
@@ -293,7 +293,7 @@
 },
 {
 "policyDefinitionReferenceId": "PostgreSQLCMKEffect",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQLCMKEffect",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQLCMKEffect",
 "parameters": {
 "effect": {
 "value": "[[parameters('PostgreSQLCMKEffect')]"
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.json b/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.json
index 09216ffe7..aa6f52584 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.json
@@ -371,7 +371,7 @@
 "policyDefinitions": [
 {
 "policyDefinitionReferenceId": "AppServiceHttpEffect",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly",
 "parameters": {
 "effect": {
 "value": "[[parameters('AppServiceHttpEffect')]"
@@ -381,7 +381,7 @@
 },
 {
 "policyDefinitionReferenceId": "AppServiceminTlsVersion",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS",
 "parameters": {
 "effect": {
 "value": "[[parameters('AppServiceTlsVersionEffect')]"
@@ -424,7 +424,7 @@
 },
 {
 "policyDefinitionReferenceId": "APIAppServiceHttpsEffect",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http",
 "parameters": {
 "effect": {
 "value": "[[parameters('APIAppServiceHttpsEffect')]"
@@ -434,7 +434,7 @@
 },
 {
 "policyDefinitionReferenceId": "FunctionServiceHttpsEffect",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http",
 "parameters": {
 "effect": {
 "value": "[[parameters('FunctionServiceHttpsEffect')]"
@@ -444,7 +444,7 @@
 },
 {
 "policyDefinitionReferenceId": "WebAppServiceHttpsEffect",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http",
 "parameters": {
 "effect": {
 "value": "[[parameters('WebAppServiceHttpsEffect')]"
@@ -464,7 +464,7 @@
 },
 {
 "policyDefinitionReferenceId": "MySQLEnableSSLDeployEffect",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement",
 "parameters": {
 "effect": {
 "value": "[[parameters('MySQLEnableSSLDeployEffect')]"
@@ -477,7 +477,7 @@
 },
 {
 "policyDefinitionReferenceId": "MySQLEnableSSLEffect",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http",
 "parameters": {
 "effect": {
 "value": "[[parameters('MySQLEnableSSLEffect')]"
@@ -490,7 +490,7 @@
 },
 {
 "policyDefinitionReferenceId": "PostgreSQLEnableSSLDeployEffect",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement",
 "parameters": {
 "effect": {
 "value": "[[parameters('PostgreSQLEnableSSLDeployEffect')]"
@@ -503,7 +503,7 @@
 },
 {
 "policyDefinitionReferenceId": "PostgreSQLEnableSSLEffect",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http",
 "parameters": {
 "effect": {
 "value": "[[parameters('PostgreSQLEnableSSLEffect')]"
@@ -516,7 +516,7 @@
 },
 {
 "policyDefinitionReferenceId": "RedisTLSDeployEffect",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement",
 "parameters": {
 "effect": {
 "value": "[[parameters('RedisTLSDeployEffect')]"
@@ -529,7 +529,7 @@
 },
 {
 "policyDefinitionReferenceId": "RedisdisableNonSslPort",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort",
 "parameters": {
 "effect": {
 "value": "[[parameters('RedisTLSDeployEffect')]"
@@ -539,7 +539,7 @@
 },
 {
 "policyDefinitionReferenceId": "RedisDenyhttps",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http",
 "parameters": {
 "effect": {
 "value": "[[parameters('RedisTLSEffect')]"
@@ -552,7 +552,7 @@
 },
 {
 "policyDefinitionReferenceId": "SQLManagedInstanceTLSDeployEffect",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS",
 "parameters": {
 "effect": {
 "value": "[[parameters('SQLManagedInstanceTLSDeployEffect')]"
@@ -565,7 +565,7 @@
 },
 {
 "policyDefinitionReferenceId": "SQLManagedInstanceTLSEffect",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS",
 "parameters": {
 "effect": {
 "value": "[[parameters('SQLManagedInstanceTLSEffect')]"
@@ -578,7 +578,7 @@
 },
 {
 "policyDefinitionReferenceId": "SQLServerTLSDeployEffect",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS",
 "parameters": {
 "effect": {
 "value": "[[parameters('SQLServerTLSDeployEffect')]"
@@ -591,7 +591,7 @@
 },
 {
 "policyDefinitionReferenceId": "SQLServerTLSEffect",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS",
 "parameters": {
 "effect": {
 "value": "[[parameters('SQLServerTLSEffect')]"
@@ -604,7 +604,7 @@
 },
 {
 "policyDefinitionReferenceId": "StorageHttpsEnabledEffect",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-minTLS",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-minTLS",
 "parameters": {
 "effect": {
 "value": "[[parameters('StorageHttpsEnabledEffect')]"
@@ -617,7 +617,7 @@
 },
 {
 "policyDefinitionReferenceId": "StorageDeployHttpsEnabledEffect",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement",
 "parameters": {
 "effect": {
 "value": "[[parameters('StorageDeployHttpsEnabledEffect')]"
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/_policySetDefinitionsBicepInput.txt b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/_policySetDefinitionsBicepInput.txt
index d649160bc..5a3e6b870 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/_policySetDefinitionsBicepInput.txt
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/_policySetDefinitionsBicepInput.txt
@@ -1,767 +1,767 @@ { name: 'Deny-PublicPaaSEndpoints' libSetDefinition: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deny_publicpaasendpoints.json')) - libSetChildDefinitions: [ + libSetChildDefinitions: [ { - definitionReferenceID: 'ACRDenyPaasPublicIP' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f' + definitionReferenceId: 'ACRDenyPaasPublicIP' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deny_publicpaasendpoints.parameters.json')).ACRDenyPaasPublicIP.parameters - } + } { - definitionReferenceID: 'AFSDenyPaasPublicIP' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/21a8cd35-125e-4d13-b82d-2e19b7208bb7' + definitionReferenceId: 'AFSDenyPaasPublicIP' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/21a8cd35-125e-4d13-b82d-2e19b7208bb7' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deny_publicpaasendpoints.parameters.json')).AFSDenyPaasPublicIP.parameters - } + } { - definitionReferenceID: 'AKSDenyPaasPublicIP' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8' + definitionReferenceId: 'AKSDenyPaasPublicIP' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deny_publicpaasendpoints.parameters.json')).AKSDenyPaasPublicIP.parameters - } + } { - definitionReferenceID: 'BatchDenyPublicIP' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488' + definitionReferenceId: 'BatchDenyPublicIP' + definitionId: 
'/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deny_publicpaasendpoints.parameters.json')).BatchDenyPublicIP.parameters - } + } { - definitionReferenceID: 'CosmosDenyPaasPublicIP' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a' + definitionReferenceId: 'CosmosDenyPaasPublicIP' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deny_publicpaasendpoints.parameters.json')).CosmosDenyPaasPublicIP.parameters - } + } { - definitionReferenceID: 'KeyVaultDenyPaasPublicIP' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490' + definitionReferenceId: 'KeyVaultDenyPaasPublicIP' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deny_publicpaasendpoints.parameters.json')).KeyVaultDenyPaasPublicIP.parameters - } + } { - definitionReferenceID: 'MySQLFlexDenyPublicIP' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/c9299215-ae47-4f50-9c54-8a392f68a052' + definitionReferenceId: 'MySQLFlexDenyPublicIP' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c9299215-ae47-4f50-9c54-8a392f68a052' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deny_publicpaasendpoints.parameters.json')).MySQLFlexDenyPublicIP.parameters - } + } { - definitionReferenceID: 'PostgreSQLFlexDenyPublicIP' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/5e1de0e3-42cb-4ebc-a86d-61d0c619ca48' + definitionReferenceId: 'PostgreSQLFlexDenyPublicIP' + 
definitionId: '/providers/Microsoft.Authorization/policyDefinitions/5e1de0e3-42cb-4ebc-a86d-61d0c619ca48' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deny_publicpaasendpoints.parameters.json')).PostgreSQLFlexDenyPublicIP.parameters - } + } { - definitionReferenceID: 'SqlServerDenyPaasPublicIP' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780' + definitionReferenceId: 'SqlServerDenyPaasPublicIP' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deny_publicpaasendpoints.parameters.json')).SqlServerDenyPaasPublicIP.parameters - } + } { - definitionReferenceID: 'StorageDenyPaasPublicIP' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c' + definitionReferenceId: 'StorageDenyPaasPublicIP' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deny_publicpaasendpoints.parameters.json')).StorageDenyPaasPublicIP.parameters - } + } ] -} +} { name: 'Deploy-Diagnostics-LogAnalytics' libSetDefinition: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.json')) - libSetChildDefinitions: [ + libSetChildDefinitions: [ { - definitionReferenceID: 'ACIDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI' + definitionReferenceId: 'ACIDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI' definitionParameters: 
json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).ACIDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'ACRDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR' + definitionReferenceId: 'ACRDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).ACRDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'AKSDeployDiagnosticLogDeployLogAnalytics' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8' + definitionReferenceId: 'AKSDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).AKSDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'AnalysisServiceDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService' + definitionReferenceId: 'AnalysisServiceDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService' definitionParameters: 
json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).AnalysisServiceDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'APIforFHIRDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR' + definitionReferenceId: 'APIforFHIRDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).APIforFHIRDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'APIMgmtDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt' + definitionReferenceId: 'APIMgmtDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).APIMgmtDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway' + definitionReferenceId: 'ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway' definitionParameters: 
json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'AppServiceDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm' + definitionReferenceId: 'AppServiceDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).AppServiceDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'AppServiceWebappDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website' + definitionReferenceId: 'AppServiceWebappDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).AppServiceWebappDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'AutomationDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA' + definitionReferenceId: 'AutomationDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA' definitionParameters: 
json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).AutomationDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'BatchDeployDiagnosticLogDeployLogAnalytics' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5' + definitionReferenceId: 'BatchDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).BatchDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'CDNEndpointsDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints' + definitionReferenceId: 'CDNEndpointsDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).CDNEndpointsDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'CognitiveServicesDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices' + definitionReferenceId: 'CognitiveServicesDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices' definitionParameters: 
json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).CognitiveServicesDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'CosmosDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB' + definitionReferenceId: 'CosmosDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).CosmosDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'DatabricksDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks' + definitionReferenceId: 'DatabricksDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).DatabricksDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster' + definitionReferenceId: 'DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster' definitionParameters: 
json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'DataFactoryDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory' + definitionReferenceId: 'DataFactoryDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).DataFactoryDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics' + definitionReferenceId: 'DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'DataLakeStoreDeployDiagnosticLogDeployLogAnalytics' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03' + definitionReferenceId: 'DataLakeStoreDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03' definitionParameters: 
json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).DataLakeStoreDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'EventGridSubDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub' + definitionReferenceId: 'EventGridSubDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).EventGridSubDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'EventGridTopicDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic' + definitionReferenceId: 'EventGridTopicDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).EventGridTopicDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'EventHubDeployDiagnosticLogDeployLogAnalytics' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579' + definitionReferenceId: 'EventHubDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579' definitionParameters: 
json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).EventHubDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'EventSystemTopicDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic' + definitionReferenceId: 'EventSystemTopicDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).EventSystemTopicDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'ExpressRouteDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute' + definitionReferenceId: 'ExpressRouteDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).ExpressRouteDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'FirewallDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall' + definitionReferenceId: 'FirewallDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall' definitionParameters: 
json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).FirewallDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'FrontDoorDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor' + definitionReferenceId: 'FrontDoorDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).FrontDoorDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'FunctionAppDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function' + definitionReferenceId: 'FunctionAppDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).FunctionAppDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'HDInsightDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight' + definitionReferenceId: 'HDInsightDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight' definitionParameters: 
json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).HDInsightDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'IotHubDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub' + definitionReferenceId: 'IotHubDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).IotHubDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'KeyVaultDeployDiagnosticLogDeployLogAnalytics' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47' + definitionReferenceId: 'KeyVaultDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).KeyVaultDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'LoadBalancerDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer' + definitionReferenceId: 'LoadBalancerDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer' definitionParameters: 
json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).LoadBalancerDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'LogicAppsISEDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE' + definitionReferenceId: 'LogicAppsISEDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).LogicAppsISEDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'LogicAppsWFDeployDiagnosticLogDeployLogAnalytics' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721' + definitionReferenceId: 'LogicAppsWFDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).LogicAppsWFDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'MariaDBDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB' + definitionReferenceId: 'MariaDBDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB' definitionParameters: 
json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).MariaDBDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'MediaServiceDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService' + definitionReferenceId: 'MediaServiceDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).MediaServiceDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'MlWorkspaceDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace' + definitionReferenceId: 'MlWorkspaceDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).MlWorkspaceDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'MySQLDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL' + definitionReferenceId: 'MySQLDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL' definitionParameters: 
json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).MySQLDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'NetworkNICDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC' + definitionReferenceId: 'NetworkNICDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).NetworkNICDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648' + definitionReferenceId: 'NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups' + definitionReferenceId: 'NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups' definitionParameters: 
json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'PostgreSQLDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL' + definitionReferenceId: 'PostgreSQLDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).PostgreSQLDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded' + definitionReferenceId: 'PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'RecoveryVaultDeployDiagnosticLogDeployLogAnalytics' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3' + definitionReferenceId: 'RecoveryVaultDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3' definitionParameters: 
json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).RecoveryVaultDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'RedisCacheDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache' + definitionReferenceId: 'RedisCacheDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).RedisCacheDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'RelayDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay' + definitionReferenceId: 'RelayDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).RelayDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'SearchServicesDeployDiagnosticLogDeployLogAnalytics' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d' + definitionReferenceId: 'SearchServicesDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d' definitionParameters: 
json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).SearchServicesDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'ServiceBusDeployDiagnosticLogDeployLogAnalytics' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e' + definitionReferenceId: 'ServiceBusDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).ServiceBusDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'SignalRDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR' + definitionReferenceId: 'SignalRDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).SignalRDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'SQLDatabaseDeployDiagnosticLogDeployLogAnalytics' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84' + definitionReferenceId: 'SQLDatabaseDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).SQLDatabaseDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - 
definitionReferenceID: 'SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools' + definitionReferenceId: 'SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'SQLMDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI' + definitionReferenceId: 'SQLMDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).SQLMDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'StorageAccountDeployDiagnosticLogDeployLogAnalytics' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/6f8f98a4-f108-47cb-8e98-91a0d85cd474' + definitionReferenceId: 'StorageAccountDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/6f8f98a4-f108-47cb-8e98-91a0d85cd474' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).StorageAccountDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics' - definitionID: 
'/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673' + definitionReferenceId: 'StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights' + definitionReferenceId: 'TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'TrafficManagerDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager' + definitionReferenceId: 'TrafficManagerDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).TrafficManagerDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'VirtualMachinesDeployDiagnosticLogDeployLogAnalytics' - definitionID: 
'${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM' + definitionReferenceId: 'VirtualMachinesDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).VirtualMachinesDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'VirtualNetworkDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork' + definitionReferenceId: 'VirtualNetworkDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).VirtualNetworkDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'VMSSDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS' + definitionReferenceId: 'VMSSDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).VMSSDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'VNetGWDeployDiagnosticLogDeployLogAnalytics' - definitionID: 
'${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW' + definitionReferenceId: 'VNetGWDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).VNetGWDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'WVDAppGroupDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup' + definitionReferenceId: 'WVDAppGroupDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).WVDAppGroupDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'WVDHostPoolsDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools' + definitionReferenceId: 'WVDHostPoolsDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).WVDHostPoolsDeployDiagnosticLogDeployLogAnalytics.parameters - } + } { - definitionReferenceID: 'WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics' - definitionID: 
'${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace' + definitionReferenceId: 'WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics.parameters - } + } ] -} +} { name: 'Deploy-MDFC-Config' libSetDefinition: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_mdfc_config.json')) - libSetChildDefinitions: [ + libSetChildDefinitions: [ { - definitionReferenceID: 'ascExport' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9' + definitionReferenceId: 'ascExport' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_mdfc_config.parameters.json')).ascExport.parameters - } + } { - definitionReferenceID: 'defenderForAppServices' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d' + definitionReferenceId: 'defenderForAppServices' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_mdfc_config.parameters.json')).defenderForAppServices.parameters - } + } { - definitionReferenceID: 'defenderForArm' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9' + definitionReferenceId: 'defenderForArm' + definitionId: 
'/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_mdfc_config.parameters.json')).defenderForArm.parameters - } + } { - definitionReferenceID: 'defenderforContainers' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f' + definitionReferenceId: 'defenderforContainers' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_mdfc_config.parameters.json')).defenderforContainers.parameters - } + } { - definitionReferenceID: 'defenderForDns' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/2370a3c1-4a25-4283-a91a-c9c1a145fb2f' + definitionReferenceId: 'defenderForDns' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/2370a3c1-4a25-4283-a91a-c9c1a145fb2f' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_mdfc_config.parameters.json')).defenderForDns.parameters - } + } { - definitionReferenceID: 'defenderForKeyVaults' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/1f725891-01c0-420a-9059-4fa46cb770b7' + definitionReferenceId: 'defenderForKeyVaults' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1f725891-01c0-420a-9059-4fa46cb770b7' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_mdfc_config.parameters.json')).defenderForKeyVaults.parameters - } + } { - definitionReferenceID: 'defenderForOssDb' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/44433aa3-7ec2-4002-93ea-65c65ff0310a' + definitionReferenceId: 'defenderForOssDb' + definitionId: 
'/providers/Microsoft.Authorization/policyDefinitions/44433aa3-7ec2-4002-93ea-65c65ff0310a' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_mdfc_config.parameters.json')).defenderForOssDb.parameters - } + } { - definitionReferenceID: 'defenderForSqlPaas' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491' + definitionReferenceId: 'defenderForSqlPaas' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_mdfc_config.parameters.json')).defenderForSqlPaas.parameters - } + } { - definitionReferenceID: 'defenderForSqlServerVirtualMachines' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/50ea7265-7d8c-429e-9a7d-ca1f410191c3' + definitionReferenceId: 'defenderForSqlServerVirtualMachines' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/50ea7265-7d8c-429e-9a7d-ca1f410191c3' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_mdfc_config.parameters.json')).defenderForSqlServerVirtualMachines.parameters - } + } { - definitionReferenceID: 'defenderForStorageAccounts' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/74c30959-af11-47b3-9ed2-a26e03f427a3' + definitionReferenceId: 'defenderForStorageAccounts' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/74c30959-af11-47b3-9ed2-a26e03f427a3' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_mdfc_config.parameters.json')).defenderForStorageAccounts.parameters - } + } { - definitionReferenceID: 'defenderForVM' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222' + definitionReferenceId: 'defenderForVM' + definitionId: 
'/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_mdfc_config.parameters.json')).defenderForVM.parameters - } + } { - definitionReferenceID: 'securityEmailContact' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts' + definitionReferenceId: 'securityEmailContact' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_mdfc_config.parameters.json')).securityEmailContact.parameters - } + } ] -} +} { name: 'Deploy-Private-DNS-Zones' libSetDefinition: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_private_dns_zones.json')) - libSetChildDefinitions: [ + libSetChildDefinitions: [ { - definitionReferenceID: 'DINE-Private-DNS-Azure-ACR' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32' + definitionReferenceId: 'DINE-Private-DNS-Azure-ACR' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_private_dns_zones.parameters.json')).DINE-Private-DNS-Azure-ACR.parameters - } + } { - definitionReferenceID: 'DINE-Private-DNS-Azure-App' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df' + definitionReferenceId: 'DINE-Private-DNS-Azure-App' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df' definitionParameters: 
json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_private_dns_zones.parameters.json')).DINE-Private-DNS-Azure-App.parameters - } + } { - definitionReferenceID: 'DINE-Private-DNS-Azure-AppServices' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452' + definitionReferenceId: 'DINE-Private-DNS-Azure-AppServices' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_private_dns_zones.parameters.json')).DINE-Private-DNS-Azure-AppServices.parameters - } + } { - definitionReferenceID: 'DINE-Private-DNS-Azure-Batch' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8' + definitionReferenceId: 'DINE-Private-DNS-Azure-Batch' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_private_dns_zones.parameters.json')).DINE-Private-DNS-Azure-Batch.parameters - } + } { - definitionReferenceID: 'DINE-Private-DNS-Azure-CognitiveSearch' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009' + definitionReferenceId: 'DINE-Private-DNS-Azure-CognitiveSearch' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_private_dns_zones.parameters.json')).DINE-Private-DNS-Azure-CognitiveSearch.parameters - } + } { - definitionReferenceID: 'DINE-Private-DNS-Azure-CognitiveServices' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091' + definitionReferenceId: 
'DINE-Private-DNS-Azure-CognitiveServices' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_private_dns_zones.parameters.json')).DINE-Private-DNS-Azure-CognitiveServices.parameters - } + } { - definitionReferenceID: 'DINE-Private-DNS-Azure-DiskAccess' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a' + definitionReferenceId: 'DINE-Private-DNS-Azure-DiskAccess' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_private_dns_zones.parameters.json')).DINE-Private-DNS-Azure-DiskAccess.parameters - } + } { - definitionReferenceID: 'DINE-Private-DNS-Azure-EventGridDomains' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d' + definitionReferenceId: 'DINE-Private-DNS-Azure-EventGridDomains' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_private_dns_zones.parameters.json')).DINE-Private-DNS-Azure-EventGridDomains.parameters - } + } { - definitionReferenceID: 'DINE-Private-DNS-Azure-EventGridTopics' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483' + definitionReferenceId: 'DINE-Private-DNS-Azure-EventGridTopics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_private_dns_zones.parameters.json')).DINE-Private-DNS-Azure-EventGridTopics.parameters - } + } { - 
definitionReferenceID: 'DINE-Private-DNS-Azure-EventHubNamespace' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6' + definitionReferenceId: 'DINE-Private-DNS-Azure-EventHubNamespace' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_private_dns_zones.parameters.json')).DINE-Private-DNS-Azure-EventHubNamespace.parameters - } + } { - definitionReferenceID: 'DINE-Private-DNS-Azure-File-Sync' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/06695360-db88-47f6-b976-7500d4297475' + definitionReferenceId: 'DINE-Private-DNS-Azure-File-Sync' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/06695360-db88-47f6-b976-7500d4297475' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_private_dns_zones.parameters.json')).DINE-Private-DNS-Azure-File-Sync.parameters - } + } { - definitionReferenceID: 'DINE-Private-DNS-Azure-IoT' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8' + definitionReferenceId: 'DINE-Private-DNS-Azure-IoT' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_private_dns_zones.parameters.json')).DINE-Private-DNS-Azure-IoT.parameters - } + } { - definitionReferenceID: 'DINE-Private-DNS-Azure-IoTHubs' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02' + definitionReferenceId: 'DINE-Private-DNS-Azure-IoTHubs' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02' definitionParameters: 
json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_private_dns_zones.parameters.json')).DINE-Private-DNS-Azure-IoTHubs.parameters - } + } { - definitionReferenceID: 'DINE-Private-DNS-Azure-KeyVault' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01d4' + definitionReferenceId: 'DINE-Private-DNS-Azure-KeyVault' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01d4' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_private_dns_zones.parameters.json')).DINE-Private-DNS-Azure-KeyVault.parameters - } + } { - definitionReferenceID: 'DINE-Private-DNS-Azure-MachineLearningWorkspace' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb' + definitionReferenceId: 'DINE-Private-DNS-Azure-MachineLearningWorkspace' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_private_dns_zones.parameters.json')).DINE-Private-DNS-Azure-MachineLearningWorkspace.parameters - } + } { - definitionReferenceID: 'DINE-Private-DNS-Azure-RedisCache' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2' + definitionReferenceId: 'DINE-Private-DNS-Azure-RedisCache' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_private_dns_zones.parameters.json')).DINE-Private-DNS-Azure-RedisCache.parameters - } + } { - definitionReferenceID: 'DINE-Private-DNS-Azure-ServiceBusNamespace' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564' + 
definitionReferenceId: 'DINE-Private-DNS-Azure-ServiceBusNamespace' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_private_dns_zones.parameters.json')).DINE-Private-DNS-Azure-ServiceBusNamespace.parameters - } + } { - definitionReferenceID: 'DINE-Private-DNS-Azure-SignalR' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e' + definitionReferenceId: 'DINE-Private-DNS-Azure-SignalR' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_private_dns_zones.parameters.json')).DINE-Private-DNS-Azure-SignalR.parameters - } + } { - definitionReferenceID: 'DINE-Private-DNS-Azure-Site-Recovery' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/942bd215-1a66-44be-af65-6a1c0318dbe2' + definitionReferenceId: 'DINE-Private-DNS-Azure-Site-Recovery' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/942bd215-1a66-44be-af65-6a1c0318dbe2' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_private_dns_zones.parameters.json')).DINE-Private-DNS-Azure-Site-Recovery.parameters - } + } { - definitionReferenceID: 'DINE-Private-DNS-Azure-Web' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/0b026355-49cb-467b-8ac4-f777874e175a' + definitionReferenceId: 'DINE-Private-DNS-Azure-Web' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/0b026355-49cb-467b-8ac4-f777874e175a' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_private_dns_zones.parameters.json')).DINE-Private-DNS-Azure-Web.parameters - } + } ] -} +} { name: 'Deploy-Sql-Security' 
libSetDefinition: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_sql_security.json')) - libSetChildDefinitions: [ + libSetChildDefinitions: [ { - definitionReferenceID: 'SqlDbAuditingSettingsDeploySqlSecurity' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-AuditingSettings' + definitionReferenceId: 'SqlDbAuditingSettingsDeploySqlSecurity' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-AuditingSettings' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_sql_security.parameters.json')).SqlDbAuditingSettingsDeploySqlSecurity.parameters - } + } { - definitionReferenceID: 'SqlDbSecurityAlertPoliciesDeploySqlSecurity' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-SecurityAlertPolicies' + definitionReferenceId: 'SqlDbSecurityAlertPoliciesDeploySqlSecurity' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-SecurityAlertPolicies' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_sql_security.parameters.json')).SqlDbSecurityAlertPoliciesDeploySqlSecurity.parameters - } + } { - definitionReferenceID: 'SqlDbTdeDeploySqlSecurity' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-Tde' + definitionReferenceId: 'SqlDbTdeDeploySqlSecurity' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-Tde' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_sql_security.parameters.json')).SqlDbTdeDeploySqlSecurity.parameters - } + } { - definitionReferenceID: 
'SqlDbVulnerabilityAssessmentsDeploySqlSecurity' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments' + definitionReferenceId: 'SqlDbVulnerabilityAssessmentsDeploySqlSecurity' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_sql_security.parameters.json')).SqlDbVulnerabilityAssessmentsDeploySqlSecurity.parameters - } + } ] -} +} { name: 'Enforce-Encryption-CMK' libSetDefinition: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_enforce_encryption_cmk.json')) - libSetChildDefinitions: [ + libSetChildDefinitions: [ { - definitionReferenceID: 'ACRCmkDeny' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580' + definitionReferenceId: 'ACRCmkDeny' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_enforce_encryption_cmk.parameters.json')).ACRCmkDeny.parameters - } + } { - definitionReferenceID: 'AksCmkDeny' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67' + definitionReferenceId: 'AksCmkDeny' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_enforce_encryption_cmk.parameters.json')).AksCmkDeny.parameters - } + } { - definitionReferenceID: 'AzureBatchCMKEffect' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a' + definitionReferenceId: 'AzureBatchCMKEffect' + definitionId: 
'/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_enforce_encryption_cmk.parameters.json')).AzureBatchCMKEffect.parameters - } + } { - definitionReferenceID: 'CognitiveServicesCMK' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d' + definitionReferenceId: 'CognitiveServicesCMK' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_enforce_encryption_cmk.parameters.json')).CognitiveServicesCMK.parameters - } + } { - definitionReferenceID: 'CosmosCMKEffect' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f' + definitionReferenceId: 'CosmosCMKEffect' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_enforce_encryption_cmk.parameters.json')).CosmosCMKEffect.parameters - } + } { - definitionReferenceID: 'DataBoxCMKEffect' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae' + definitionReferenceId: 'DataBoxCMKEffect' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_enforce_encryption_cmk.parameters.json')).DataBoxCMKEffect.parameters - } + } { - definitionReferenceID: 'EncryptedVMDisksEffect' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d' + definitionReferenceId: 'EncryptedVMDisksEffect' + definitionId: 
'/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_enforce_encryption_cmk.parameters.json')).EncryptedVMDisksEffect.parameters - } + } { - definitionReferenceID: 'HealthcareAPIsCMKEffect' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/051cba44-2429-45b9-9649-46cec11c7119' + definitionReferenceId: 'HealthcareAPIsCMKEffect' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/051cba44-2429-45b9-9649-46cec11c7119' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_enforce_encryption_cmk.parameters.json')).HealthcareAPIsCMKEffect.parameters - } + } { - definitionReferenceID: 'MySQLCMKEffect' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/83cef61d-dbd1-4b20-a4fc-5fbc7da10833' + definitionReferenceId: 'MySQLCMKEffect' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/83cef61d-dbd1-4b20-a4fc-5fbc7da10833' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_enforce_encryption_cmk.parameters.json')).MySQLCMKEffect.parameters - } + } { - definitionReferenceID: 'PostgreSQLCMKEffect' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/18adea5e-f416-4d0f-8aa8-d24321e3e274' + definitionReferenceId: 'PostgreSQLCMKEffect' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/18adea5e-f416-4d0f-8aa8-d24321e3e274' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_enforce_encryption_cmk.parameters.json')).PostgreSQLCMKEffect.parameters - } + } { - definitionReferenceID: 'SqlServerTDECMKEffect' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/0d134df8-db83-46fb-ad72-fe0c9428c8dd' + definitionReferenceId: 'SqlServerTDECMKEffect' + definitionId: 
'/providers/Microsoft.Authorization/policyDefinitions/0d134df8-db83-46fb-ad72-fe0c9428c8dd' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_enforce_encryption_cmk.parameters.json')).SqlServerTDECMKEffect.parameters - } + } { - definitionReferenceID: 'StorageCMKEffect' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25' + definitionReferenceId: 'StorageCMKEffect' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_enforce_encryption_cmk.parameters.json')).StorageCMKEffect.parameters - } + } { - definitionReferenceID: 'StreamAnalyticsCMKEffect' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7' + definitionReferenceId: 'StreamAnalyticsCMKEffect' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_enforce_encryption_cmk.parameters.json')).StreamAnalyticsCMKEffect.parameters - } + } { - definitionReferenceID: 'SynapseWorkspaceCMKEffect' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385' + definitionReferenceId: 'SynapseWorkspaceCMKEffect' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_enforce_encryption_cmk.parameters.json')).SynapseWorkspaceCMKEffect.parameters - } + } { - definitionReferenceID: 'WorkspaceCMK' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8' + definitionReferenceId: 'WorkspaceCMK' + definitionId: 
'/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_enforce_encryption_cmk.parameters.json')).WorkspaceCMK.parameters - } + } ] -} +} { name: 'Enforce-EncryptTransit' libSetDefinition: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_enforce_encrypttransit.json')) - libSetChildDefinitions: [ + libSetChildDefinitions: [ { - definitionReferenceID: 'AKSIngressHttpsOnlyEffect' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d' + definitionReferenceId: 'AKSIngressHttpsOnlyEffect' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_enforce_encrypttransit.parameters.json')).AKSIngressHttpsOnlyEffect.parameters - } + } { - definitionReferenceID: 'APIAppServiceHttpsEffect' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http' + definitionReferenceId: 'APIAppServiceHttpsEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_enforce_encrypttransit.parameters.json')).APIAppServiceHttpsEffect.parameters - } + } { - definitionReferenceID: 'APIAppServiceLatestTlsEffect' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e' + definitionReferenceId: 'APIAppServiceLatestTlsEffect' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e' definitionParameters: 
json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_enforce_encrypttransit.parameters.json')).APIAppServiceLatestTlsEffect.parameters - } + } { - definitionReferenceID: 'AppServiceHttpEffect' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly' + definitionReferenceId: 'AppServiceHttpEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_enforce_encrypttransit.parameters.json')).AppServiceHttpEffect.parameters - } + } { - definitionReferenceID: 'AppServiceminTlsVersion' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS' + definitionReferenceId: 'AppServiceminTlsVersion' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_enforce_encrypttransit.parameters.json')).AppServiceminTlsVersion.parameters - } + } { - definitionReferenceID: 'FunctionLatestTlsEffect' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193' + definitionReferenceId: 'FunctionLatestTlsEffect' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_enforce_encrypttransit.parameters.json')).FunctionLatestTlsEffect.parameters - } + } { - definitionReferenceID: 'FunctionServiceHttpsEffect' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http' + definitionReferenceId: 
'FunctionServiceHttpsEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_enforce_encrypttransit.parameters.json')).FunctionServiceHttpsEffect.parameters - } + } { - definitionReferenceID: 'MySQLEnableSSLDeployEffect' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement' + definitionReferenceId: 'MySQLEnableSSLDeployEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_enforce_encrypttransit.parameters.json')).MySQLEnableSSLDeployEffect.parameters - } + } { - definitionReferenceID: 'MySQLEnableSSLEffect' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http' + definitionReferenceId: 'MySQLEnableSSLEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_enforce_encrypttransit.parameters.json')).MySQLEnableSSLEffect.parameters - } + } { - definitionReferenceID: 'PostgreSQLEnableSSLDeployEffect' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement' + definitionReferenceId: 'PostgreSQLEnableSSLDeployEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement' definitionParameters: 
json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_enforce_encrypttransit.parameters.json')).PostgreSQLEnableSSLDeployEffect.parameters - } + } { - definitionReferenceID: 'PostgreSQLEnableSSLEffect' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http' + definitionReferenceId: 'PostgreSQLEnableSSLEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_enforce_encrypttransit.parameters.json')).PostgreSQLEnableSSLEffect.parameters - } + } { - definitionReferenceID: 'RedisDenyhttps' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http' + definitionReferenceId: 'RedisDenyhttps' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_enforce_encrypttransit.parameters.json')).RedisDenyhttps.parameters - } + } { - definitionReferenceID: 'RedisdisableNonSslPort' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort' + definitionReferenceId: 'RedisdisableNonSslPort' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_enforce_encrypttransit.parameters.json')).RedisdisableNonSslPort.parameters - } + } { - definitionReferenceID: 'RedisTLSDeployEffect' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement' + definitionReferenceId: 
'RedisTLSDeployEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_enforce_encrypttransit.parameters.json')).RedisTLSDeployEffect.parameters - } + } { - definitionReferenceID: 'SQLManagedInstanceTLSDeployEffect' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS' + definitionReferenceId: 'SQLManagedInstanceTLSDeployEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_enforce_encrypttransit.parameters.json')).SQLManagedInstanceTLSDeployEffect.parameters - } + } { - definitionReferenceID: 'SQLManagedInstanceTLSEffect' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS' + definitionReferenceId: 'SQLManagedInstanceTLSEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_enforce_encrypttransit.parameters.json')).SQLManagedInstanceTLSEffect.parameters - } + } { - definitionReferenceID: 'SQLServerTLSDeployEffect' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS' + definitionReferenceId: 'SQLServerTLSDeployEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_enforce_encrypttransit.parameters.json')).SQLServerTLSDeployEffect.parameters - } + } { 
- definitionReferenceID: 'SQLServerTLSEffect' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS' + definitionReferenceId: 'SQLServerTLSEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_enforce_encrypttransit.parameters.json')).SQLServerTLSEffect.parameters - } + } { - definitionReferenceID: 'StorageDeployHttpsEnabledEffect' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement' + definitionReferenceId: 'StorageDeployHttpsEnabledEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_enforce_encrypttransit.parameters.json')).StorageDeployHttpsEnabledEffect.parameters - } + } { - definitionReferenceID: 'StorageHttpsEnabledEffect' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-minTLS' + definitionReferenceId: 'StorageHttpsEnabledEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-minTLS' definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_enforce_encrypttransit.parameters.json')).StorageHttpsEnabledEffect.parameters - } + } { - definitionReferenceID: 'WebAppServiceHttpsEffect' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http' + definitionReferenceId: 'WebAppServiceHttpsEffect' + definitionId: 
'${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http'
 definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_enforce_encrypttransit.parameters.json')).WebAppServiceHttpsEffect.parameters
- }
+ }
 {
- definitionReferenceID: 'WebAppServiceLatestTlsEffect'
- definitionID: '/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b'
+ definitionReferenceId: 'WebAppServiceLatestTlsEffect'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b'
 definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_enforce_encrypttransit.parameters.json')).WebAppServiceLatestTlsEffect.parameters
- }
+ }
 ]
-}
+}
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.json
index 64a44eea1..48e1ddadd 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.json
@@ -777,7 +777,7 @@
 },
 {
 "policyDefinitionReferenceId": "WVDAppGroupDeployDiagnosticLogDeployLogAnalytics",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup",
 "parameters": {
 "logAnalytics": {
 "value": "[[parameters('logAnalytics')]"
@@ -793,7 +793,7 @@
 },
 {
 "policyDefinitionReferenceId": "WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace",
 "parameters": {
 "logAnalytics": {
 "value": "[[parameters('logAnalytics')]"
@@ -809,7 +809,7 @@
 },
 {
 "policyDefinitionReferenceId": "WVDHostPoolsDeployDiagnosticLogDeployLogAnalytics",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools",
 "parameters": {
 "logAnalytics": {
 "value": "[[parameters('logAnalytics')]"
@@ -825,7 +825,7 @@
 },
 {
 "policyDefinitionReferenceId": "ACIDeployDiagnosticLogDeployLogAnalytics",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI",
 "parameters": {
 "logAnalytics": {
 "value": "[[parameters('logAnalytics')]"
@@ -841,7 +841,7 @@
 },
 {
 "policyDefinitionReferenceId": "ACRDeployDiagnosticLogDeployLogAnalytics",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR",
 "parameters": {
 "logAnalytics": {
 "value": "[[parameters('logAnalytics')]"
@@ -873,7 +873,7 @@
 },
 {
 "policyDefinitionReferenceId": "AnalysisServiceDeployDiagnosticLogDeployLogAnalytics",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService",
 "parameters": {
 "logAnalytics": {
 "value": "[[parameters('logAnalytics')]"
@@ -889,7 +889,7 @@
 },
 {
 "policyDefinitionReferenceId": "APIforFHIRDeployDiagnosticLogDeployLogAnalytics",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR",
 "parameters": {
 "logAnalytics": {
 "value": "[[parameters('logAnalytics')]"
@@ -905,7 +905,7 @@
 },
 {
 "policyDefinitionReferenceId": "APIMgmtDeployDiagnosticLogDeployLogAnalytics",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt",
 "parameters": {
 "logAnalytics": {
 "value": "[[parameters('logAnalytics')]"
@@ -921,7 +921,7 @@
 },
 {
 "policyDefinitionReferenceId": "ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway",
 "parameters": {
 "logAnalytics": {
 "value": "[[parameters('logAnalytics')]"
@@ -937,7 +937,7 @@
 },
 {
 "policyDefinitionReferenceId": "AutomationDeployDiagnosticLogDeployLogAnalytics",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA",
 "parameters": {
 "logAnalytics": {
 "value": "[[parameters('logAnalytics')]"
@@ -969,7 +969,7 @@
 },
 {
 "policyDefinitionReferenceId": "CDNEndpointsDeployDiagnosticLogDeployLogAnalytics",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints",
 "parameters": {
 "logAnalytics": {
 "value": "[[parameters('logAnalytics')]"
@@ -985,7 +985,7 @@
 },
 {
 "policyDefinitionReferenceId": "CognitiveServicesDeployDiagnosticLogDeployLogAnalytics",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices",
 "parameters": {
 "logAnalytics": {
 "value": "[[parameters('logAnalytics')]"
@@ -1001,7 +1001,7 @@
 },
 {
 "policyDefinitionReferenceId": "CosmosDeployDiagnosticLogDeployLogAnalytics",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB",
 "parameters": {
 "logAnalytics": {
 "value": "[[parameters('logAnalytics')]"
@@ -1017,7 +1017,7 @@
 },
 {
 "policyDefinitionReferenceId": "DatabricksDeployDiagnosticLogDeployLogAnalytics",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks",
 "parameters": {
 "logAnalytics": {
 "value": "[[parameters('logAnalytics')]"
@@ -1033,7 +1033,7 @@
 },
 {
 "policyDefinitionReferenceId": "DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster",
 "parameters": {
 "logAnalytics": {
 "value": "[[parameters('logAnalytics')]"
@@ -1049,7 +1049,7 @@
 },
 {
 "policyDefinitionReferenceId": "DataFactoryDeployDiagnosticLogDeployLogAnalytics",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory",
 "parameters": {
 "logAnalytics": {
 "value": "[[parameters('logAnalytics')]"
@@ -1081,7 +1081,7 @@
 },
 {
 "policyDefinitionReferenceId": "DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics",
 "parameters": {
 "logAnalytics": {
 "value": "[[parameters('logAnalytics')]"
@@ -1097,7 +1097,7 @@
 },
 {
 "policyDefinitionReferenceId": "EventGridSubDeployDiagnosticLogDeployLogAnalytics",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub",
 "parameters": {
 "logAnalytics": {
 "value": "[[parameters('logAnalytics')]"
@@ -1113,7 +1113,7 @@
 },
 {
 "policyDefinitionReferenceId": "EventGridTopicDeployDiagnosticLogDeployLogAnalytics",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic",
 "parameters": {
 "logAnalytics": {
 "value": "[[parameters('logAnalytics')]"
@@ -1145,7 +1145,7 @@
 },
 {
 "policyDefinitionReferenceId": "EventSystemTopicDeployDiagnosticLogDeployLogAnalytics",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic",
 "parameters": {
 "logAnalytics": {
 "value": "[[parameters('logAnalytics')]"
@@ -1161,7 +1161,7 @@
 },
 {
 "policyDefinitionReferenceId": "ExpressRouteDeployDiagnosticLogDeployLogAnalytics",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute",
 "parameters": {
 "logAnalytics": {
 "value": "[[parameters('logAnalytics')]"
@@ -1177,7 +1177,7 @@
 },
 {
 "policyDefinitionReferenceId": "FirewallDeployDiagnosticLogDeployLogAnalytics",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall",
 "parameters": {
 "logAnalytics": {
 "value": "[[parameters('logAnalytics')]"
@@ -1193,7 +1193,7 @@
 },
 {
 "policyDefinitionReferenceId": "FrontDoorDeployDiagnosticLogDeployLogAnalytics",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor",
 "parameters": {
 "logAnalytics": {
 "value": "[[parameters('logAnalytics')]"
@@ -1209,7 +1209,7 @@
 },
 {
 "policyDefinitionReferenceId": "FunctionAppDeployDiagnosticLogDeployLogAnalytics",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function",
 "parameters": {
 "logAnalytics": {
 "value": "[[parameters('logAnalytics')]"
@@ -1225,7 +1225,7 @@
 },
 {
 "policyDefinitionReferenceId": "HDInsightDeployDiagnosticLogDeployLogAnalytics",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight",
 "parameters": {
 "logAnalytics": {
 "value": "[[parameters('logAnalytics')]"
@@ -1241,7 +1241,7 @@
 },
 {
 "policyDefinitionReferenceId": "IotHubDeployDiagnosticLogDeployLogAnalytics",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub",
 "parameters": {
 "logAnalytics": {
 "value": "[[parameters('logAnalytics')]"
@@ -1273,7 +1273,7 @@
 },
 {
 "policyDefinitionReferenceId": "LoadBalancerDeployDiagnosticLogDeployLogAnalytics",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer",
 "parameters": {
 "logAnalytics": {
 "value": "[[parameters('logAnalytics')]"
@@ -1289,7 +1289,7 @@
 },
 {
 "policyDefinitionReferenceId": "LogicAppsISEDeployDiagnosticLogDeployLogAnalytics",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE",
 "parameters": {
 "logAnalytics": {
 "value": "[[parameters('logAnalytics')]"
@@ -1321,7 +1321,7 @@
 },
 {
 "policyDefinitionReferenceId": "MariaDBDeployDiagnosticLogDeployLogAnalytics",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB",
 "parameters": {
 "logAnalytics": {
 "value": "[[parameters('logAnalytics')]"
@@ -1337,7 +1337,7 @@
 },
 {
 "policyDefinitionReferenceId": "MediaServiceDeployDiagnosticLogDeployLogAnalytics",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService",
 "parameters": {
 "logAnalytics": {
 "value": "[[parameters('logAnalytics')]"
@@ -1353,7 +1353,7 @@
 },
 {
 "policyDefinitionReferenceId": "MlWorkspaceDeployDiagnosticLogDeployLogAnalytics",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace",
 "parameters": {
 "logAnalytics": {
 "value": "[[parameters('logAnalytics')]"
@@ -1369,7 +1369,7 @@
 },
 {
 "policyDefinitionReferenceId": "MySQLDeployDiagnosticLogDeployLogAnalytics",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL",
 "parameters": {
 "logAnalytics": {
 "value": "[[parameters('logAnalytics')]"
@@ -1385,7 +1385,7 @@
 },
 {
 "policyDefinitionReferenceId": "NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups",
 "parameters": {
 "logAnalytics": {
 "value": "[[parameters('logAnalytics')]"
@@ -1401,7 +1401,7 @@
 },
 {
 "policyDefinitionReferenceId": "NetworkNICDeployDiagnosticLogDeployLogAnalytics",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC",
 "parameters": {
 "logAnalytics": {
 "value": "[[parameters('logAnalytics')]"
@@ -1417,7 +1417,7 @@
 },
 {
 "policyDefinitionReferenceId": "PostgreSQLDeployDiagnosticLogDeployLogAnalytics",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL",
 "parameters": {
 "logAnalytics": {
 "value": "[[parameters('logAnalytics')]"
@@ -1433,7 +1433,7 @@
 },
 {
 "policyDefinitionReferenceId": "PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded",
 "parameters": {
 "logAnalytics": {
 "value": "[[parameters('logAnalytics')]"
@@ -1481,7 +1481,7 @@
 },
 {
 "policyDefinitionReferenceId": "RedisCacheDeployDiagnosticLogDeployLogAnalytics",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache",
 "parameters": {
 "logAnalytics": {
 "value": "[[parameters('logAnalytics')]"
@@ -1497,7 +1497,7 @@
 },
 {
 "policyDefinitionReferenceId": "RelayDeployDiagnosticLogDeployLogAnalytics",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay",
 "parameters": {
 "logAnalytics": {
 "value": "[[parameters('logAnalytics')]"
@@ -1545,7 +1545,7 @@
 },
 {
 "policyDefinitionReferenceId": "SignalRDeployDiagnosticLogDeployLogAnalytics",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR",
 "parameters": {
 "logAnalytics": {
 "value": "[[parameters('logAnalytics')]"
@@ -1577,7 +1577,7 @@
 },
 {
 "policyDefinitionReferenceId": "SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools",
 "parameters": {
 "logAnalytics": {
 "value": "[[parameters('logAnalytics')]"
@@ -1593,7 +1593,7 @@
 },
 {
 "policyDefinitionReferenceId": "SQLMDeployDiagnosticLogDeployLogAnalytics",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI",
 "parameters": {
 "logAnalytics": {
 "value": "[[parameters('logAnalytics')]"
@@ -1625,7 +1625,7 @@
 },
 {
 "policyDefinitionReferenceId": "TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights",
 "parameters": {
 "logAnalytics": {
 "value": "[[parameters('logAnalytics')]"
@@ -1641,7 +1641,7 @@
 },
 {
 "policyDefinitionReferenceId": "TrafficManagerDeployDiagnosticLogDeployLogAnalytics",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager",
 "parameters": {
 "logAnalytics": {
 "value": "[[parameters('logAnalytics')]"
@@ -1657,7 +1657,7 @@
 },
 {
 "policyDefinitionReferenceId": "VirtualNetworkDeployDiagnosticLogDeployLogAnalytics",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork",
 "parameters": {
 "logAnalytics": {
 "value": "[[parameters('logAnalytics')]"
@@ -1673,7 +1673,7 @@
 },
 {
 "policyDefinitionReferenceId": "VirtualMachinesDeployDiagnosticLogDeployLogAnalytics",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM",
 "parameters": {
 "logAnalytics": {
 "value": "[[parameters('logAnalytics')]"
@@ -1689,7 +1689,7 @@
 },
 {
 "policyDefinitionReferenceId": "VMSSDeployDiagnosticLogDeployLogAnalytics",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS",
 "parameters": {
 "logAnalytics": {
 "value": "[[parameters('logAnalytics')]"
@@ -1705,7 +1705,7 @@
 },
 {
 "policyDefinitionReferenceId": "VNetGWDeployDiagnosticLogDeployLogAnalytics",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW",
 "parameters": {
 "logAnalytics": {
 "value": "[[parameters('logAnalytics')]"
@@ -1721,7 +1721,7 @@
 },
 {
 "policyDefinitionReferenceId": "AppServiceDeployDiagnosticLogDeployLogAnalytics",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm",
 "parameters": {
 "logAnalytics": {
 "value": "[[parameters('logAnalytics')]"
@@ -1737,7 +1737,7 @@
 },
 {
 "policyDefinitionReferenceId": "AppServiceWebappDeployDiagnosticLogDeployLogAnalytics",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website",
 "parameters": {
 "logAnalytics": {
 "value": "[[parameters('logAnalytics')]"
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_deploy_mdfc_config.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_deploy_mdfc_config.json
index 61bae4446..e50218ca5 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_deploy_mdfc_config.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_deploy_mdfc_config.json
@@ -215,7 +215,7 @@
 },
 {
 "policyDefinitionReferenceId": "securityEmailContact",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts",
 "parameters": {
 "emailSecurityContact": {
 "value": "[[parameters('emailSecurityContact')]"
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_deploy_sql_security.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_deploy_sql_security.json
index a87cebcf0..0b98e01f6 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_deploy_sql_security.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_deploy_sql_security.json
@@ -78,7 +78,7 @@
 "policyDefinitions": [
 {
 "policyDefinitionReferenceId": "SqlDbTdeDeploySqlSecurity",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-Tde",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-Tde",
 "parameters": {
 "effect": {
 "value": "[[parameters('SqlDbTdeDeploySqlSecurityEffect')]"
@@ -88,7 +88,7 @@
 },
 {
 "policyDefinitionReferenceId": "SqlDbSecurityAlertPoliciesDeploySqlSecurity",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-SecurityAlertPolicies",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-SecurityAlertPolicies",
 "parameters": {
 "effect": {
 "value": "[[parameters('SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect')]"
@@ -98,7 +98,7 @@
 },
 {
 "policyDefinitionReferenceId": "SqlDbAuditingSettingsDeploySqlSecurity",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-AuditingSettings",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-AuditingSettings",
 "parameters": {
 "effect": {
 "value": "[[parameters('SqlDbAuditingSettingsDeploySqlSecurityEffect')]"
@@ -108,7 +108,7 @@
 },
 {
 "policyDefinitionReferenceId": "SqlDbVulnerabilityAssessmentsDeploySqlSecurity",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments",
 "parameters": {
 "effect": {
 "value": "[[parameters('SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect')]"
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_enforce_encrypttransit.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_enforce_encrypttransit.json
index 09216ffe7..aa6f52584 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_enforce_encrypttransit.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_enforce_encrypttransit.json
@@ -371,7 +371,7 @@
 "policyDefinitions": [
 {
 "policyDefinitionReferenceId": "AppServiceHttpEffect",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly",
 "parameters": {
 "effect": {
 "value": "[[parameters('AppServiceHttpEffect')]"
@@ -381,7 +381,7 @@
 },
 {
 "policyDefinitionReferenceId": "AppServiceminTlsVersion",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS",
 "parameters": {
 "effect": {
 "value": "[[parameters('AppServiceTlsVersionEffect')]"
@@ -424,7 +424,7 @@
 },
 {
 "policyDefinitionReferenceId": "APIAppServiceHttpsEffect",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http",
 "parameters": {
 "effect": {
 "value": "[[parameters('APIAppServiceHttpsEffect')]"
@@ -434,7 +434,7 @@
 },
 {
 "policyDefinitionReferenceId": "FunctionServiceHttpsEffect",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http",
 "parameters": {
 "effect": {
 "value": "[[parameters('FunctionServiceHttpsEffect')]"
@@ -444,7 +444,7 @@
 },
 {
 "policyDefinitionReferenceId": "WebAppServiceHttpsEffect",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http",
 "parameters": {
 "effect": {
 "value": "[[parameters('WebAppServiceHttpsEffect')]"
@@ -464,7 +464,7 @@
 },
 {
 "policyDefinitionReferenceId": "MySQLEnableSSLDeployEffect",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement",
 "parameters": {
 "effect": {
 "value": "[[parameters('MySQLEnableSSLDeployEffect')]"
@@ -477,7 +477,7 @@
 },
 {
 "policyDefinitionReferenceId": "MySQLEnableSSLEffect",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http",
 "parameters": {
 "effect": {
 "value": "[[parameters('MySQLEnableSSLEffect')]"
@@ -490,7 +490,7 @@
 },
 {
 "policyDefinitionReferenceId": "PostgreSQLEnableSSLDeployEffect",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement",
 "parameters": {
 "effect": {
 "value": "[[parameters('PostgreSQLEnableSSLDeployEffect')]"
@@ -503,7 +503,7 @@
 },
 {
 "policyDefinitionReferenceId": "PostgreSQLEnableSSLEffect",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http",
 "parameters": {
 "effect": {
 "value": "[[parameters('PostgreSQLEnableSSLEffect')]"
@@ -516,7 +516,7 @@
 },
 {
 "policyDefinitionReferenceId": "RedisTLSDeployEffect",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement",
 "parameters": {
 "effect": {
 "value": "[[parameters('RedisTLSDeployEffect')]"
@@ -529,7 +529,7 @@
 },
 {
 "policyDefinitionReferenceId": "RedisdisableNonSslPort",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort",
 "parameters": {
 "effect": {
 "value": "[[parameters('RedisTLSDeployEffect')]"
@@ -539,7 +539,7 @@
 },
 {
 "policyDefinitionReferenceId": "RedisDenyhttps",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http",
 "parameters": {
 "effect": {
 "value": "[[parameters('RedisTLSEffect')]"
@@ -552,7 +552,7 @@
 },
 {
 "policyDefinitionReferenceId": "SQLManagedInstanceTLSDeployEffect",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS",
 "parameters": {
 "effect": {
 "value": "[[parameters('SQLManagedInstanceTLSDeployEffect')]"
@@ -565,7 +565,7 @@
 },
 {
 "policyDefinitionReferenceId": "SQLManagedInstanceTLSEffect",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS",
 "parameters": {
 "effect": {
 "value": "[[parameters('SQLManagedInstanceTLSEffect')]"
@@ -578,7 +578,7 @@
 },
 {
 "policyDefinitionReferenceId": "SQLServerTLSDeployEffect",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS",
 "parameters": {
 "effect": {
 "value": "[[parameters('SQLServerTLSDeployEffect')]"
@@ -591,7 +591,7 @@
 },
 {
 "policyDefinitionReferenceId": "SQLServerTLSEffect",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS",
 "parameters": {
 "effect": {
 "value": "[[parameters('SQLServerTLSEffect')]"
@@ -604,7 +604,7 @@
 },
 {
 "policyDefinitionReferenceId": "StorageHttpsEnabledEffect",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-minTLS",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-minTLS",
 "parameters": {
 "effect": {
 "value": "[[parameters('StorageHttpsEnabledEffect')]"
@@ -617,7 +617,7 @@
 },
 {
 "policyDefinitionReferenceId": "StorageDeployHttpsEnabledEffect",
- "policyDefinitionId": "${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement",
 "parameters": {
 "effect": {
 "value": "[[parameters('StorageDeployHttpsEnabledEffect')]"
diff --git a/infra-as-code/bicep/modules/policy/definitions/mc-custom-policy-definitions.bicep b/infra-as-code/bicep/modules/policy/definitions/mc-customPolicyDefinitions.bicep
similarity index 78%
rename from infra-as-code/bicep/modules/policy/definitions/mc-custom-policy-definitions.bicep
rename to infra-as-code/bicep/modules/policy/definitions/mc-customPolicyDefinitions.bicep
index 45dbed100..91d8f4ef8 100644
--- a/infra-as-code/bicep/modules/policy/definitions/mc-custom-policy-definitions.bicep
+++ b/infra-as-code/bicep/modules/policy/definitions/mc-customPolicyDefinitions.bicep
@@ -1,9 +1,12 @@ targetScope = 'managementGroup' @description('The management group scope to which the policy definitions are to be created at. DEFAULT VALUE = "alz"') -param parTargetManagementGroupID string = 'alz' +param parTargetManagementGroupId string = 'alz' -var varTargetManagementGroupResourceID = tenantResourceId('Microsoft.Management/managementGroups', parTargetManagementGroupID) +@description('Set Parameter to true to Opt-out of deployment telemetry') +param parTelemetryOptOut bool = false + +var varTargetManagementGroupResourceId = tenantResourceId('Microsoft.Management/managementGroups', parTargetManagementGroupId) // This variable contains a number of objects that load in the custom Azure Policy Defintions that are provided as part of the ESLZ/ALZ reference implementation - this is automatically created in the file 'infra-as-code\bicep\modules\policy\lib\policy_definitions\_policyDefinitionsBicepInput.txt' via a GitHub action, that runs on a daily schedule, and is then manually copied into this variable. var varCustomPolicyDefinitionsArray = [ 
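Review bot: The description added for `parTelemetryOptOut` does not state its default, while the description directly above it spells out `DEFAULT VALUE = "alz"`. Because the default of `false` leaves deployment telemetry switched on, I would make that explicit, e.g. `@description('Set to true to opt out of deployment telemetry. DEFAULT VALUE = false')`. The resource that consumes this parameter is outside the hunk, so it is not visible here whether the telemetry deployment is actually gated on it. Separately, the rename of the public parameter `parTargetManagementGroupID` to `parTargetManagementGroupId` may break callers or parameter files that still use the old spelling, so it is worth a line in the release notes.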
@@ -404,43 +407,43 @@ var varCustomPolicySetDefinitionsArray = [ libSetDefinition: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deny_publicpaasendpoints.json')) libSetChildDefinitions: [ { - definitionReferenceID: 'ACRDenyPaasPublicIP' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f' + definitionReferenceId: 'ACRDenyPaasPublicIP' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deny_publicpaasendpoints.parameters.json')).ACRDenyPaasPublicIP.parameters } { - definitionReferenceID: 'AFSDenyPaasPublicIP' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deny-AFSPaasPublicIP' + definitionReferenceId: 'AFSDenyPaasPublicIP' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-AFSPaasPublicIP' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deny_publicpaasendpoints.parameters.json')).AFSDenyPaasPublicIP.parameters } { - definitionReferenceID: 'AKSDenyPaasPublicIP' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8' + definitionReferenceId: 'AKSDenyPaasPublicIP' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deny_publicpaasendpoints.parameters.json')).AKSDenyPaasPublicIP.parameters } { - definitionReferenceID: 'BatchDenyPublicIP' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488' + definitionReferenceId: 'BatchDenyPublicIP' + definitionId: 
'/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deny_publicpaasendpoints.parameters.json')).BatchDenyPublicIP.parameters } { - definitionReferenceID: 'CosmosDenyPaasPublicIP' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a' + definitionReferenceId: 'CosmosDenyPaasPublicIP' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deny_publicpaasendpoints.parameters.json')).CosmosDenyPaasPublicIP.parameters } { - definitionReferenceID: 'KeyVaultDenyPaasPublicIP' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deny-KeyVaultPaasPublicIP' + definitionReferenceId: 'KeyVaultDenyPaasPublicIP' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-KeyVaultPaasPublicIP' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deny_publicpaasendpoints.parameters.json')).KeyVaultDenyPaasPublicIP.parameters } { - definitionReferenceID: 'SqlServerDenyPaasPublicIP' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780' + definitionReferenceId: 'SqlServerDenyPaasPublicIP' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deny_publicpaasendpoints.parameters.json')).SqlServerDenyPaasPublicIP.parameters } { - definitionReferenceID: 'StorageDenyPaasPublicIP' - definitionID: 
'/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c' + definitionReferenceId: 'StorageDenyPaasPublicIP' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deny_publicpaasendpoints.parameters.json')).StorageDenyPaasPublicIP.parameters } ] 
@@ -450,23 +453,23 @@ var varCustomPolicySetDefinitionsArray = [
 libSetDefinition: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_ascdf_config.json'))
 libSetChildDefinitions: [
 {
- definitionReferenceID: 'ascExport'
- definitionID: '/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9'
+ definitionReferenceId: 'ascExport'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9'
 definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_ascdf_config.parameters.json')).ascExport.parameters
 }
 {
- definitionReferenceID: 'defenderForSqlPaas'
- definitionID: '/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491'
+ definitionReferenceId: 'defenderForSqlPaas'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491'
 definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_ascdf_config.parameters.json')).defenderForSqlPaas.parameters
 }
 {
- definitionReferenceID: 'defenderForVM'
- definitionID: '/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222'
+ definitionReferenceId: 'defenderForVM'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222'
 definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_ascdf_config.parameters.json')).defenderForVM.parameters
 }
 {
- definitionReferenceID: 'securityEmailContact'
- definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts'
+ definitionReferenceId: 'securityEmailContact'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts'
 definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_ascdf_config.parameters.json')).securityEmailContact.parameters
 }
 ]
@@ -476,313 +479,313 @@ var varCustomPolicySetDefinitionsArray = [
 libSetDefinition: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.json'))
 libSetChildDefinitions: [
 {
- definitionReferenceID: 'ACIDeployDiagnosticLogDeployLogAnalytics'
- definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI'
+ definitionReferenceId: 'ACIDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI'
 definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).ACIDeployDiagnosticLogDeployLogAnalytics.parameters
 }
 {
- definitionReferenceID: 'ACRDeployDiagnosticLogDeployLogAnalytics'
- definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR'
+ definitionReferenceId: 'ACRDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR'
 definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).ACRDeployDiagnosticLogDeployLogAnalytics.parameters
 }
 {
- definitionReferenceID: 'AKSDeployDiagnosticLogDeployLogAnalytics'
- definitionID: '/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8'
+ definitionReferenceId: 'AKSDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8'
 definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).AKSDeployDiagnosticLogDeployLogAnalytics.parameters
 }
 {
- definitionReferenceID: 'AnalysisServiceDeployDiagnosticLogDeployLogAnalytics'
- definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService'
+ definitionReferenceId: 'AnalysisServiceDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService'
 definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).AnalysisServiceDeployDiagnosticLogDeployLogAnalytics.parameters
 }
 {
- definitionReferenceID: 'APIforFHIRDeployDiagnosticLogDeployLogAnalytics'
- definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR'
+ definitionReferenceId: 'APIforFHIRDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR'
 definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).APIforFHIRDeployDiagnosticLogDeployLogAnalytics.parameters
 }
 {
- definitionReferenceID: 'APIMgmtDeployDiagnosticLogDeployLogAnalytics'
- definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt'
+ definitionReferenceId: 'APIMgmtDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt'
 definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).APIMgmtDeployDiagnosticLogDeployLogAnalytics.parameters
 }
 {
- definitionReferenceID: 'ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics'
- definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway'
+ definitionReferenceId: 'ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway'
 definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics.parameters
 }
 {
- definitionReferenceID: 'AppServiceDeployDiagnosticLogDeployLogAnalytics'
- definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm'
+ definitionReferenceId: 'AppServiceDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm'
 definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).AppServiceDeployDiagnosticLogDeployLogAnalytics.parameters
 }
 {
- definitionReferenceID: 'AppServiceWebappDeployDiagnosticLogDeployLogAnalytics'
- definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website'
+ definitionReferenceId: 'AppServiceWebappDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website'
 definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).AppServiceWebappDeployDiagnosticLogDeployLogAnalytics.parameters
 }
 {
- definitionReferenceID: 'AutomationDeployDiagnosticLogDeployLogAnalytics'
- definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA'
+ definitionReferenceId: 'AutomationDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA'
 definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).AutomationDeployDiagnosticLogDeployLogAnalytics.parameters
 }
 {
- definitionReferenceID: 'BatchDeployDiagnosticLogDeployLogAnalytics'
- definitionID: '/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5'
+ definitionReferenceId: 'BatchDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5'
 definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).BatchDeployDiagnosticLogDeployLogAnalytics.parameters
 }
 {
- definitionReferenceID: 'CDNEndpointsDeployDiagnosticLogDeployLogAnalytics'
- definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints'
+ definitionReferenceId: 'CDNEndpointsDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints'
 definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).CDNEndpointsDeployDiagnosticLogDeployLogAnalytics.parameters
 }
 {
- definitionReferenceID: 'CognitiveServicesDeployDiagnosticLogDeployLogAnalytics'
- definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices'
+ definitionReferenceId: 'CognitiveServicesDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices'
 definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).CognitiveServicesDeployDiagnosticLogDeployLogAnalytics.parameters
 }
 {
- definitionReferenceID: 'CosmosDeployDiagnosticLogDeployLogAnalytics'
- definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB'
+ definitionReferenceId: 'CosmosDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB'
 definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).CosmosDeployDiagnosticLogDeployLogAnalytics.parameters
 }
 {
- definitionReferenceID: 'DatabricksDeployDiagnosticLogDeployLogAnalytics'
- definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks'
+ definitionReferenceId: 'DatabricksDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks'
 definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).DatabricksDeployDiagnosticLogDeployLogAnalytics.parameters
 }
 {
- definitionReferenceID: 'DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics'
- definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster'
+ definitionReferenceId: 'DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster'
 definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics.parameters
 }
 {
- definitionReferenceID: 'DataFactoryDeployDiagnosticLogDeployLogAnalytics'
- definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory'
+ definitionReferenceId: 'DataFactoryDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory'
 definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).DataFactoryDeployDiagnosticLogDeployLogAnalytics.parameters
 }
 {
- definitionReferenceID: 'DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics'
- definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics'
+ definitionReferenceId: 'DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics'
 definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics.parameters
 }
 {
- definitionReferenceID: 'DataLakeStoreDeployDiagnosticLogDeployLogAnalytics'
- definitionID: '/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03'
+ definitionReferenceId: 'DataLakeStoreDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03'
 definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).DataLakeStoreDeployDiagnosticLogDeployLogAnalytics.parameters
 }
 {
- definitionReferenceID: 'EventGridSubDeployDiagnosticLogDeployLogAnalytics'
- definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub'
+ definitionReferenceId: 'EventGridSubDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub'
 definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).EventGridSubDeployDiagnosticLogDeployLogAnalytics.parameters
 }
 {
- definitionReferenceID: 'EventGridTopicDeployDiagnosticLogDeployLogAnalytics'
- definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic'
+ definitionReferenceId: 'EventGridTopicDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic'
 definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).EventGridTopicDeployDiagnosticLogDeployLogAnalytics.parameters
 }
 {
- definitionReferenceID: 'EventHubDeployDiagnosticLogDeployLogAnalytics'
- definitionID: '/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579'
+ definitionReferenceId: 'EventHubDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579'
 definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).EventHubDeployDiagnosticLogDeployLogAnalytics.parameters
 }
 {
- definitionReferenceID: 'EventSystemTopicDeployDiagnosticLogDeployLogAnalytics'
- definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic'
+ definitionReferenceId: 'EventSystemTopicDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic'
 definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).EventSystemTopicDeployDiagnosticLogDeployLogAnalytics.parameters
 }
 {
- definitionReferenceID: 'ExpressRouteDeployDiagnosticLogDeployLogAnalytics'
- definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute'
+ definitionReferenceId: 'ExpressRouteDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute'
 definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).ExpressRouteDeployDiagnosticLogDeployLogAnalytics.parameters
 }
 {
- definitionReferenceID: 'FirewallDeployDiagnosticLogDeployLogAnalytics'
- definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall'
+ definitionReferenceId: 'FirewallDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall'
 definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).FirewallDeployDiagnosticLogDeployLogAnalytics.parameters
 }
 {
- definitionReferenceID: 'FrontDoorDeployDiagnosticLogDeployLogAnalytics'
- definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor'
+ definitionReferenceId: 'FrontDoorDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor'
 definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).FrontDoorDeployDiagnosticLogDeployLogAnalytics.parameters
 }
 {
- definitionReferenceID: 'FunctionAppDeployDiagnosticLogDeployLogAnalytics'
- definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function'
+ definitionReferenceId: 'FunctionAppDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function'
 definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).FunctionAppDeployDiagnosticLogDeployLogAnalytics.parameters
 }
 {
- definitionReferenceID: 'HDInsightDeployDiagnosticLogDeployLogAnalytics'
- definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight'
+ definitionReferenceId: 'HDInsightDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight'
 definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).HDInsightDeployDiagnosticLogDeployLogAnalytics.parameters
 }
 {
- definitionReferenceID: 'IotHubDeployDiagnosticLogDeployLogAnalytics'
- definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub'
+ definitionReferenceId: 'IotHubDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub'
 definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).IotHubDeployDiagnosticLogDeployLogAnalytics.parameters
 }
 {
- definitionReferenceID: 'KeyVaultDeployDiagnosticLogDeployLogAnalytics'
- definitionID: '/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47'
+ definitionReferenceId: 'KeyVaultDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47'
 definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).KeyVaultDeployDiagnosticLogDeployLogAnalytics.parameters
 }
 {
- definitionReferenceID: 'LoadBalancerDeployDiagnosticLogDeployLogAnalytics'
- definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer'
+ definitionReferenceId: 'LoadBalancerDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer'
 definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).LoadBalancerDeployDiagnosticLogDeployLogAnalytics.parameters
 }
 {
- definitionReferenceID: 'LogicAppsISEDeployDiagnosticLogDeployLogAnalytics'
- definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE'
+ definitionReferenceId: 'LogicAppsISEDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE'
 definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).LogicAppsISEDeployDiagnosticLogDeployLogAnalytics.parameters
 }
 {
- definitionReferenceID: 'LogicAppsWFDeployDiagnosticLogDeployLogAnalytics'
- definitionID: '/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721'
+ definitionReferenceId: 'LogicAppsWFDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721'
 definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).LogicAppsWFDeployDiagnosticLogDeployLogAnalytics.parameters
 }
 {
- definitionReferenceID: 'MariaDBDeployDiagnosticLogDeployLogAnalytics'
- definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB'
+ definitionReferenceId: 'MariaDBDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB'
 definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).MariaDBDeployDiagnosticLogDeployLogAnalytics.parameters
 }
 {
- definitionReferenceID: 'MediaServiceDeployDiagnosticLogDeployLogAnalytics'
- definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService'
+ definitionReferenceId: 'MediaServiceDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService'
 definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).MediaServiceDeployDiagnosticLogDeployLogAnalytics.parameters
 }
 {
- definitionReferenceID: 'MlWorkspaceDeployDiagnosticLogDeployLogAnalytics'
- definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace'
+ definitionReferenceId: 'MlWorkspaceDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace'
 definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).MlWorkspaceDeployDiagnosticLogDeployLogAnalytics.parameters
 }
 {
- definitionReferenceID: 'MySQLDeployDiagnosticLogDeployLogAnalytics'
- definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL'
+ definitionReferenceId: 'MySQLDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL'
 definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).MySQLDeployDiagnosticLogDeployLogAnalytics.parameters
 }
 {
- definitionReferenceID: 'NetworkNICDeployDiagnosticLogDeployLogAnalytics'
- definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC'
+ definitionReferenceId: 'NetworkNICDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC'
 definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).NetworkNICDeployDiagnosticLogDeployLogAnalytics.parameters
 }
 {
- definitionReferenceID: 'NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics'
- definitionID: '/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648'
+ definitionReferenceId: 'NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648'
 definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics.parameters
 }
 {
- definitionReferenceID: 'NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics'
- definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups'
+ definitionReferenceId: 'NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups'
 definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics.parameters
 }
 {
- definitionReferenceID: 'PostgreSQLDeployDiagnosticLogDeployLogAnalytics'
- definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL'
+ definitionReferenceId: 'PostgreSQLDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL'
 definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).PostgreSQLDeployDiagnosticLogDeployLogAnalytics.parameters
 }
 {
- definitionReferenceID: 'PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics'
- definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded'
+ definitionReferenceId: 'PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded'
 definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics.parameters
 }
 {
- definitionReferenceID: 'RecoveryVaultDeployDiagnosticLogDeployLogAnalytics'
- definitionID: '/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3'
+ definitionReferenceId: 'RecoveryVaultDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3'
 definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).RecoveryVaultDeployDiagnosticLogDeployLogAnalytics.parameters
 }
 {
- definitionReferenceID: 'RedisCacheDeployDiagnosticLogDeployLogAnalytics'
- definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache'
+ definitionReferenceId: 'RedisCacheDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache'
 definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).RedisCacheDeployDiagnosticLogDeployLogAnalytics.parameters
 }
 {
- definitionReferenceID: 'RelayDeployDiagnosticLogDeployLogAnalytics'
- definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay'
+ definitionReferenceId: 'RelayDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay'
 definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).RelayDeployDiagnosticLogDeployLogAnalytics.parameters
 }
 {
- definitionReferenceID: 'SearchServicesDeployDiagnosticLogDeployLogAnalytics'
- definitionID: '/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d'
+ definitionReferenceId: 'SearchServicesDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d'
 definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).SearchServicesDeployDiagnosticLogDeployLogAnalytics.parameters
 }
 {
- definitionReferenceID: 'ServiceBusDeployDiagnosticLogDeployLogAnalytics'
- definitionID: '/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e'
+ definitionReferenceId: 'ServiceBusDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e'
 definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).ServiceBusDeployDiagnosticLogDeployLogAnalytics.parameters
 }
 {
- definitionReferenceID: 'SignalRDeployDiagnosticLogDeployLogAnalytics'
- definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR'
+ definitionReferenceId: 'SignalRDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR'
 definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).SignalRDeployDiagnosticLogDeployLogAnalytics.parameters
 }
 {
- definitionReferenceID: 'SQLDatabaseDeployDiagnosticLogDeployLogAnalytics'
- definitionID: '/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84'
+ definitionReferenceId: 'SQLDatabaseDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84'
 definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).SQLDatabaseDeployDiagnosticLogDeployLogAnalytics.parameters
 }
 {
- definitionReferenceID: 'SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics'
- definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools'
+ definitionReferenceId: 'SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools'
 definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics.parameters
 }
 {
- definitionReferenceID: 'SQLMDeployDiagnosticLogDeployLogAnalytics'
- definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI'
+ definitionReferenceId: 'SQLMDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI'
 definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).SQLMDeployDiagnosticLogDeployLogAnalytics.parameters
 }
 {
- definitionReferenceID: 'StorageAccountDeployDiagnosticLogDeployLogAnalytics'
- definitionID: '/providers/Microsoft.Authorization/policyDefinitions/6f8f98a4-f108-47cb-8e98-91a0d85cd474'
+ definitionReferenceId: 'StorageAccountDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/6f8f98a4-f108-47cb-8e98-91a0d85cd474'
 definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).StorageAccountDeployDiagnosticLogDeployLogAnalytics.parameters
 }
 {
- definitionReferenceID: 'StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics'
- definitionID: '/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673'
+ definitionReferenceId: 'StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673'
 definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics.parameters
 }
 {
- definitionReferenceID: 'TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics'
- definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights'
+ definitionReferenceId: 'TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights'
 definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics.parameters
 }
 {
- definitionReferenceID: 'TrafficManagerDeployDiagnosticLogDeployLogAnalytics'
- definitionID:
'${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager' + definitionReferenceId: 'TrafficManagerDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).TrafficManagerDeployDiagnosticLogDeployLogAnalytics.parameters } { - definitionReferenceID: 'VirtualMachinesDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM' + definitionReferenceId: 'VirtualMachinesDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).VirtualMachinesDeployDiagnosticLogDeployLogAnalytics.parameters } { - definitionReferenceID: 'VirtualNetworkDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork' + definitionReferenceId: 'VirtualNetworkDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).VirtualNetworkDeployDiagnosticLogDeployLogAnalytics.parameters } { - definitionReferenceID: 'VMSSDeployDiagnosticLogDeployLogAnalytics' - definitionID: 
'${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS' + definitionReferenceId: 'VMSSDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).VMSSDeployDiagnosticLogDeployLogAnalytics.parameters } { - definitionReferenceID: 'VNetGWDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW' + definitionReferenceId: 'VNetGWDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).VNetGWDeployDiagnosticLogDeployLogAnalytics.parameters } { - definitionReferenceID: 'WVDAppGroupDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup' + definitionReferenceId: 'WVDAppGroupDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).WVDAppGroupDeployDiagnosticLogDeployLogAnalytics.parameters } { - definitionReferenceID: 'WVDHostPoolsDeployDiagnosticLogDeployLogAnalytics' - definitionID: 
'${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools' + definitionReferenceId: 'WVDHostPoolsDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).WVDHostPoolsDeployDiagnosticLogDeployLogAnalytics.parameters } { - definitionReferenceID: 'WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace' + definitionReferenceId: 'WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.parameters.json')).WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics.parameters } ] 
@@ -792,103 +795,103 @@ var varCustomPolicySetDefinitionsArray = [ libSetDefinition: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.json')) libSetChildDefinitions: [ { - definitionReferenceID: 'Deploy-Private-DNS-Azure-File-Sync' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Private-DNS-Azure-File-Sync' + definitionReferenceId: 'Deploy-Private-DNS-Azure-File-Sync' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Private-DNS-Azure-File-Sync' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json'))['Deploy-Private-DNS-Azure-File-Sync'].parameters } { - definitionReferenceID: 'Deploy-Private-DNS-Azure-KeyVault' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Private-DNS-Azure-KeyVault' + definitionReferenceId: 'Deploy-Private-DNS-Azure-KeyVault' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Private-DNS-Azure-KeyVault' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json'))['Deploy-Private-DNS-Azure-KeyVault'].parameters } { - definitionReferenceID: 'Deploy-Private-DNS-Azure-Web' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Private-DNS-Azure-Web' + definitionReferenceId: 'Deploy-Private-DNS-Azure-Web' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Private-DNS-Azure-Web' definitionParameters: 
json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json'))['Deploy-Private-DNS-Azure-Web'].parameters } { - definitionReferenceID: 'DINE-Private-DNS-Azure-ACR' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32' + definitionReferenceId: 'DINE-Private-DNS-Azure-ACR' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json'))['DINE-Private-DNS-Azure-ACR'].parameters } { - definitionReferenceID: 'DINE-Private-DNS-Azure-App' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df' + definitionReferenceId: 'DINE-Private-DNS-Azure-App' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json'))['DINE-Private-DNS-Azure-App'].parameters } { - definitionReferenceID: 'DINE-Private-DNS-Azure-AppServices' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452' + definitionReferenceId: 'DINE-Private-DNS-Azure-AppServices' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json'))['DINE-Private-DNS-Azure-AppServices'].parameters } { - definitionReferenceID: 'DINE-Private-DNS-Azure-Batch' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8' + definitionReferenceId: 'DINE-Private-DNS-Azure-Batch' + definitionId: 
'/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json'))['DINE-Private-DNS-Azure-Batch'].parameters } { - definitionReferenceID: 'DINE-Private-DNS-Azure-CognitiveSearch' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009' + definitionReferenceId: 'DINE-Private-DNS-Azure-CognitiveSearch' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json'))['DINE-Private-DNS-Azure-CognitiveSearch'].parameters } { - definitionReferenceID: 'DINE-Private-DNS-Azure-CognitiveServices' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091' + definitionReferenceId: 'DINE-Private-DNS-Azure-CognitiveServices' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json'))['DINE-Private-DNS-Azure-CognitiveServices'].parameters } { - definitionReferenceID: 'DINE-Private-DNS-Azure-DiskAccess' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a' + definitionReferenceId: 'DINE-Private-DNS-Azure-DiskAccess' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json'))['DINE-Private-DNS-Azure-DiskAccess'].parameters } { - definitionReferenceID: 
'DINE-Private-DNS-Azure-EventGridDomains' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d' + definitionReferenceId: 'DINE-Private-DNS-Azure-EventGridDomains' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json'))['DINE-Private-DNS-Azure-EventGridDomains'].parameters } { - definitionReferenceID: 'DINE-Private-DNS-Azure-EventGridTopics' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483' + definitionReferenceId: 'DINE-Private-DNS-Azure-EventGridTopics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json'))['DINE-Private-DNS-Azure-EventGridTopics'].parameters } { - definitionReferenceID: 'DINE-Private-DNS-Azure-EventHubNamespace' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6' + definitionReferenceId: 'DINE-Private-DNS-Azure-EventHubNamespace' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json'))['DINE-Private-DNS-Azure-EventHubNamespace'].parameters } { - definitionReferenceID: 'DINE-Private-DNS-Azure-IoT' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8' + definitionReferenceId: 'DINE-Private-DNS-Azure-IoT' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8' definitionParameters: 
json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json'))['DINE-Private-DNS-Azure-IoT'].parameters } { - definitionReferenceID: 'DINE-Private-DNS-Azure-IoTHubs' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02' + definitionReferenceId: 'DINE-Private-DNS-Azure-IoTHubs' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json'))['DINE-Private-DNS-Azure-IoTHubs'].parameters } { - definitionReferenceID: 'DINE-Private-DNS-Azure-MachineLearningWorkspace' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb' + definitionReferenceId: 'DINE-Private-DNS-Azure-MachineLearningWorkspace' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json'))['DINE-Private-DNS-Azure-MachineLearningWorkspace'].parameters } { - definitionReferenceID: 'DINE-Private-DNS-Azure-RedisCache' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2' + definitionReferenceId: 'DINE-Private-DNS-Azure-RedisCache' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json'))['DINE-Private-DNS-Azure-RedisCache'].parameters } { - definitionReferenceID: 'DINE-Private-DNS-Azure-ServiceBusNamespace' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564' 
+ definitionReferenceId: 'DINE-Private-DNS-Azure-ServiceBusNamespace' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json'))['DINE-Private-DNS-Azure-ServiceBusNamespace'].parameters } { - definitionReferenceID: 'DINE-Private-DNS-Azure-SignalR' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e' + definitionReferenceId: 'DINE-Private-DNS-Azure-SignalR' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json'))['DINE-Private-DNS-Azure-SignalR'].parameters } { - definitionReferenceID: 'DINE-Private-DNS-Azure-Site-Recovery' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/942bd215-1a66-44be-af65-6a1c0318dbe2' + definitionReferenceId: 'DINE-Private-DNS-Azure-Site-Recovery' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/942bd215-1a66-44be-af65-6a1c0318dbe2' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.parameters.json'))['DINE-Private-DNS-Azure-Site-Recovery'].parameters } ] 
@@ -898,23 +901,23 @@ var varCustomPolicySetDefinitionsArray = [ libSetDefinition: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_sql_security.json')) libSetChildDefinitions: [ { - definitionReferenceID: 'SqlDbAuditingSettingsDeploySqlSecurity' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-AuditingSettings' + definitionReferenceId: 'SqlDbAuditingSettingsDeploySqlSecurity' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-AuditingSettings' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_sql_security.parameters.json')).SqlDbAuditingSettingsDeploySqlSecurity.parameters } { - definitionReferenceID: 'SqlDbSecurityAlertPoliciesDeploySqlSecurity' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-SecurityAlertPolicies' + definitionReferenceId: 'SqlDbSecurityAlertPoliciesDeploySqlSecurity' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-SecurityAlertPolicies' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_sql_security.parameters.json')).SqlDbSecurityAlertPoliciesDeploySqlSecurity.parameters } { - definitionReferenceID: 'SqlDbTdeDeploySqlSecurity' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-Tde' + definitionReferenceId: 'SqlDbTdeDeploySqlSecurity' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-Tde' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_sql_security.parameters.json')).SqlDbTdeDeploySqlSecurity.parameters } { - 
definitionReferenceID: 'SqlDbVulnerabilityAssessmentsDeploySqlSecurity' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments' + definitionReferenceId: 'SqlDbVulnerabilityAssessmentsDeploySqlSecurity' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_sql_security.parameters.json')).SqlDbVulnerabilityAssessmentsDeploySqlSecurity.parameters } ] 
@@ -924,73 +927,73 @@ var varCustomPolicySetDefinitionsArray = [ libSetDefinition: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encryption_cmk.json')) libSetChildDefinitions: [ { - definitionReferenceID: 'ACRCmkDeny' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580' + definitionReferenceId: 'ACRCmkDeny' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encryption_cmk.parameters.json')).ACRCmkDeny.parameters } { - definitionReferenceID: 'AksCmkDeny' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67' + definitionReferenceId: 'AksCmkDeny' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encryption_cmk.parameters.json')).AksCmkDeny.parameters } { - definitionReferenceID: 'AzureBatchCMKEffect' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a' + definitionReferenceId: 'AzureBatchCMKEffect' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encryption_cmk.parameters.json')).AzureBatchCMKEffect.parameters } { - definitionReferenceID: 'CognitiveServicesCMK' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d' + definitionReferenceId: 'CognitiveServicesCMK' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d' definitionParameters: 
json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encryption_cmk.parameters.json')).CognitiveServicesCMK.parameters } { - definitionReferenceID: 'CosmosCMKEffect' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f' + definitionReferenceId: 'CosmosCMKEffect' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encryption_cmk.parameters.json')).CosmosCMKEffect.parameters } { - definitionReferenceID: 'DataBoxCMKEffect' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae' + definitionReferenceId: 'DataBoxCMKEffect' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encryption_cmk.parameters.json')).DataBoxCMKEffect.parameters } { - definitionReferenceID: 'EncryptedVMDisksEffect' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d' + definitionReferenceId: 'EncryptedVMDisksEffect' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encryption_cmk.parameters.json')).EncryptedVMDisksEffect.parameters } { - definitionReferenceID: 'MySQLCMKEffect' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQLCMKEffect' + definitionReferenceId: 'MySQLCMKEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQLCMKEffect' definitionParameters: 
json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encryption_cmk.parameters.json')).MySQLCMKEffect.parameters } { - definitionReferenceID: 'PostgreSQLCMKEffect' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQLCMKEffect' + definitionReferenceId: 'PostgreSQLCMKEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQLCMKEffect' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encryption_cmk.parameters.json')).PostgreSQLCMKEffect.parameters } { - definitionReferenceID: 'SqlServerTDECMKEffect' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/0d134df8-db83-46fb-ad72-fe0c9428c8dd' + definitionReferenceId: 'SqlServerTDECMKEffect' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/0d134df8-db83-46fb-ad72-fe0c9428c8dd' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encryption_cmk.parameters.json')).SqlServerTDECMKEffect.parameters } { - definitionReferenceID: 'StorageCMKEffect' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25' + definitionReferenceId: 'StorageCMKEffect' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encryption_cmk.parameters.json')).StorageCMKEffect.parameters } { - definitionReferenceID: 'StreamAnalyticsCMKEffect' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7' + definitionReferenceId: 'StreamAnalyticsCMKEffect' + definitionId: 
'/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encryption_cmk.parameters.json')).StreamAnalyticsCMKEffect.parameters } { - definitionReferenceID: 'SynapseWorkspaceCMKEffect' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385' + definitionReferenceId: 'SynapseWorkspaceCMKEffect' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encryption_cmk.parameters.json')).SynapseWorkspaceCMKEffect.parameters } { - definitionReferenceID: 'WorkspaceCMK' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8' + definitionReferenceId: 'WorkspaceCMK' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encryption_cmk.parameters.json')).WorkspaceCMK.parameters } ] 
@@ -1000,120 +1003,122 @@ var varCustomPolicySetDefinitionsArray = [ libSetDefinition: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.json')) libSetChildDefinitions: [ { - definitionReferenceID: 'AKSIngressHttpsOnlyEffect' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d' + definitionReferenceId: 'AKSIngressHttpsOnlyEffect' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).AKSIngressHttpsOnlyEffect.parameters } { - definitionReferenceID: 'APIAppServiceHttpsEffect' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http' + definitionReferenceId: 'APIAppServiceHttpsEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).APIAppServiceHttpsEffect.parameters } { - definitionReferenceID: 'APIAppServiceLatestTlsEffect' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e' + definitionReferenceId: 'APIAppServiceLatestTlsEffect' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).APIAppServiceLatestTlsEffect.parameters } { - definitionReferenceID: 'AppServiceHttpEffect' - definitionID: 
'${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly' + definitionReferenceId: 'AppServiceHttpEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).AppServiceHttpEffect.parameters } { - definitionReferenceID: 'AppServiceminTlsVersion' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS' + definitionReferenceId: 'AppServiceminTlsVersion' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).AppServiceminTlsVersion.parameters } { - definitionReferenceID: 'FunctionLatestTlsEffect' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193' + definitionReferenceId: 'FunctionLatestTlsEffect' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).FunctionLatestTlsEffect.parameters } { - definitionReferenceID: 'FunctionServiceHttpsEffect' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http' + definitionReferenceId: 'FunctionServiceHttpsEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http' definitionParameters: 
json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).FunctionServiceHttpsEffect.parameters } { - definitionReferenceID: 'MySQLEnableSSLDeployEffect' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement' + definitionReferenceId: 'MySQLEnableSSLDeployEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).MySQLEnableSSLDeployEffect.parameters } { - definitionReferenceID: 'MySQLEnableSSLEffect' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http' + definitionReferenceId: 'MySQLEnableSSLEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).MySQLEnableSSLEffect.parameters } { - definitionReferenceID: 'PostgreSQLEnableSSLDeployEffect' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement' + definitionReferenceId: 'PostgreSQLEnableSSLDeployEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).PostgreSQLEnableSSLDeployEffect.parameters } { - definitionReferenceID: 'PostgreSQLEnableSSLEffect' - definitionID: 
'${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http' + definitionReferenceId: 'PostgreSQLEnableSSLEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).PostgreSQLEnableSSLEffect.parameters } { - definitionReferenceID: 'RedisDenyhttps' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http' + definitionReferenceId: 'RedisDenyhttps' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).RedisDenyhttps.parameters } { - definitionReferenceID: 'RedisdisableNonSslPort' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort' + definitionReferenceId: 'RedisdisableNonSslPort' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).RedisdisableNonSslPort.parameters } { - definitionReferenceID: 'RedisTLSDeployEffect' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement' + definitionReferenceId: 'RedisTLSDeployEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement' definitionParameters: 
json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).RedisTLSDeployEffect.parameters } { - definitionReferenceID: 'SQLManagedInstanceTLSDeployEffect' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS' + definitionReferenceId: 'SQLManagedInstanceTLSDeployEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).SQLManagedInstanceTLSDeployEffect.parameters } { - definitionReferenceID: 'SQLManagedInstanceTLSEffect' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS' + definitionReferenceId: 'SQLManagedInstanceTLSEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).SQLManagedInstanceTLSEffect.parameters } { - definitionReferenceID: 'SQLServerTLSDeployEffect' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS' + definitionReferenceId: 'SQLServerTLSDeployEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).SQLServerTLSDeployEffect.parameters } { - definitionReferenceID: 'SQLServerTLSEffect' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS' 
+ definitionReferenceId: 'SQLServerTLSEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).SQLServerTLSEffect.parameters } { - definitionReferenceID: 'StorageDeployHttpsEnabledEffect' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement' + definitionReferenceId: 'StorageDeployHttpsEnabledEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).StorageDeployHttpsEnabledEffect.parameters } { - definitionReferenceID: 'StorageHttpsEnabledEffect' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-minTLS' + definitionReferenceId: 'StorageHttpsEnabledEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-minTLS' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).StorageHttpsEnabledEffect.parameters } { - definitionReferenceID: 'WebAppServiceHttpsEffect' - definitionID: '${varTargetManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http' + definitionReferenceId: 'WebAppServiceHttpsEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http' definitionParameters: 
json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).WebAppServiceHttpsEffect.parameters } { - definitionReferenceID: 'WebAppServiceLatestTlsEffect' - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b' + definitionReferenceId: 'WebAppServiceLatestTlsEffect' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b' definitionParameters: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.parameters.json')).WebAppServiceLatestTlsEffect.parameters } ] } - ] +// Customer Usage Attribution Id +var varCuaid = '2b136786-9881-412e-84ba-f4c2822e1ac9' + resource resPolicyDefinitions 'Microsoft.Authorization/policyDefinitions@2020-09-01' = [for policy in varCustomPolicyDefinitionsArray: { name: policy.libDefinition.name properties: { 
@@ -1139,10 +1144,16 @@ resource resPolicySetDefinitions 'Microsoft.Authorization/policySetDefinitions@2 parameters: policySet.libSetDefinition.properties.parameters policyType: policySet.libSetDefinition.properties.policyType policyDefinitions: [for policySetDef in policySet.libSetChildDefinitions: { - policyDefinitionReferenceId: policySetDef.definitionReferenceID - policyDefinitionId: policySetDef.definitionID + policyDefinitionReferenceId: policySetDef.definitionReferenceId + policyDefinitionId: policySetDef.definitionId parameters: policySetDef.definitionParameters }] policyDefinitionGroups: policySet.libSetDefinition.properties.policyDefinitionGroups } }] + +module modCustomerUsageAttribution '../../../CRML/customerUsageAttribution/cuaIdManagementGroup.bicep' = if (!parTelemetryOptOut) { + #disable-next-line no-loc-expr-outside-params //Only to ensure telemetry data is stored in same location as deployment. See https://github.com/Azure/ALZ-Bicep/wiki/FAQ#why-are-some-linter-rules-disabled-via-the-disable-next-line-bicep-function for more information + name: 'pid-${varCuaid}-${uniqueString(deployment().location)}' + params: {} +} diff --git a/infra-as-code/bicep/modules/policy/definitions/media/bicep-visualizer.png b/infra-as-code/bicep/modules/policy/definitions/media/bicepVisualizer.png similarity index 100% rename from infra-as-code/bicep/modules/policy/definitions/media/bicep-visualizer.png rename to infra-as-code/bicep/modules/policy/definitions/media/bicepVisualizer.png diff --git a/infra-as-code/bicep/modules/policy/definitions/media/example-deployment-output.png b/infra-as-code/bicep/modules/policy/definitions/media/exampleDeploymentOutput.png similarity index 100% rename from infra-as-code/bicep/modules/policy/definitions/media/example-deployment-output.png rename to infra-as-code/bicep/modules/policy/definitions/media/exampleDeploymentOutput.png 
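Review bot: The `modCustomerUsageAttribution` module added at the end of this hunk has no leading comment, although it creates an extra nested deployment whenever `parTelemetryOptOut` is false. `publicIp.bicep`, also touched by this commit, introduces the same module with `// Optional Deployment for Customer Usage Attribution`; adding that line above the `module` declaration here keeps the files consistent and tells anyone auditing what the template deploys that the block is telemetry only. `parTelemetryOptOut` is declared outside the hunk, so its default cannot be confirmed from here.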
diff --git a/infra-as-code/bicep/modules/policy/definitions/custom-policy-definitions.parameters.example.json b/infra-as-code/bicep/modules/policy/definitions/parameters/customPolicyDefinitions.parameters.all.json similarity index 87% rename from infra-as-code/bicep/modules/policy/definitions/custom-policy-definitions.parameters.example.json rename to infra-as-code/bicep/modules/policy/definitions/parameters/customPolicyDefinitions.parameters.all.json index a6cc9318f..d30044fcd 100644 --- a/infra-as-code/bicep/modules/policy/definitions/custom-policy-definitions.parameters.example.json +++ b/infra-as-code/bicep/modules/policy/definitions/parameters/customPolicyDefinitions.parameters.all.json @@ -2,7 +2,7 @@ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", "contentVersion": "1.0.0.0", "parameters": { - "parTargetManagementGroupID": { + "parTargetManagementGroupId": { "value": "alz" }, "parTelemetryOptOut": { diff --git a/infra-as-code/bicep/modules/policy/definitions/parameters/customPolicyDefinitions.parameters.min.json b/infra-as-code/bicep/modules/policy/definitions/parameters/customPolicyDefinitions.parameters.min.json new file mode 100644 index 000000000..fc8925036 --- /dev/null +++ b/infra-as-code/bicep/modules/policy/definitions/parameters/customPolicyDefinitions.parameters.min.json @@ -0,0 +1,9 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "parTelemetryOptOut": { + "value": false + } + } +} \ No newline at end of file diff --git a/infra-as-code/bicep/modules/privateDnsZones/README.md b/infra-as-code/bicep/modules/privateDnsZones/README.md index 66eb0949f..2c5fcd6f9 100644 --- a/infra-as-code/bicep/modules/privateDnsZones/README.md +++ b/infra-as-code/bicep/modules/privateDnsZones/README.md 
@@ -14,7 +14,7 @@ The module requires the following inputs: | Parameter | Type | Default | Description | Requirement | Example | | ------------------------- | ------ | ---------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------ | | parLocation | string | `resourceGroup().location` | The Azure Region to deploy the resources into | None | `eastus` | - | parPrivateDnsZones | array | See example parameters file [`privateDnsZones.parameters.example.json`](privateDnsZones.parameters.example.json) | Array of DNS Zones to provision in Hub Virtual Network. Default: All known Azure Private DNS Zones - See [DNS Zones](#dns-zones) for more info | None | See Default | + | parPrivateDnsZones | array | See example parameters file [`privateDnsZones.parameters.all.json`](parameters/privateDnsZones.parameters.all.json) | Array of DNS Zones to provision in Hub Virtual Network. Default: All known Azure Private DNS Zones - See [DNS Zones](#dns-zones) for more info | None | See Default | | parTags | object | Empty Array [] | List of tags (Key Value Pairs) to be applied to resources | None | environment: 'development' | | parVirtualNetworkIdToLink | string | Empty String | Resource ID of VNet for Private DNS Zone VNet Links | Valid Resource ID of the Virtual Network | /subscriptions/[your platform connectivity subscription ID]/resourceGroups/Hub_PrivateDNS_POC/providers/Microsoft.Network/virtualNetworks/alz-hub-eastus | | parTelemetryOptOut | bool | false | Set Parameter to true to Opt-out of deployment telemetry | None | false | 
@@ -29,7 +29,7 @@ The following DNS Zones are region specific and will be deployed with the provid - `privatelink.azmk8s.io` - `privatelink.siterecovery.windowsazure.com` -**Note:** The region specific zones are not included in the example parameters files. +**Note:** The region specific zones are included in the parameters files with the region set as `xxxxxx`. For these zones to deploy properly, replace `xxxxxx` with the target region. For example: `privatelink.xxxxxx.azmk8s.io` would become `privatelink.eastus.azmk8s.io` for a deployment targeting the East US region. ### Prefixed DNS Zone @@ -61,8 +61,8 @@ There are two different sets of input parameters; one for deploying to Azure glo | Azure Cloud | Bicep template | Input parameters file | | -------------- | --------------------- | ------------------------------------------ | - | Global regions | privateDnsZones.bicep | privateDnsZones.parameters.example.json | - | China regions | privateDnsZones.bicep | mc-privateDnsZones.parameters.example.json | + | Global regions | privateDnsZones.bicep | parameters/privateDnsZones.parameters.all.json | + | China regions | privateDnsZones.bicep | parameters/mc-privateDnsZones.parameters.all.json | > For the examples below we assume you have downloaded or cloned the Git repo as-is and are in the root of the repository as your selected directory in your terminal of choice. @@ -79,7 +79,7 @@ az group create --location eastus \ az deployment group create \ --resource-group Hub_PrivateDNS_POC \ --template-file infra-as-code/bicep/modules/privateDnsZones/privateDnsZones.bicep \ - --parameters @infra-as-code/bicep/modules/privateDnsZones/privateDnsZones.parameters.example.json + --parameters @infra-as-code/bicep/modules/privateDnsZones/parameters/privateDnsZones.parameters.all.json ``` OR ```bash 
@@ -94,7 +94,7 @@ az group create --location chinaeast2 \ az deployment group create \ --resource-group Hub_PrivateDNS_POC \ --template-file infra-as-code/bicep/modules/privateDnsZones/privateDnsZones.bicep \ - --parameters @infra-as-code/bicep/modules/privateDnsZones/mc-privateDnsZones.parameters.example.json + --parameters @infra-as-code/bicep/modules/privateDnsZones/parameters/mc-privateDnsZones.parameters.all.json ``` ### PowerShell @@ -111,7 +111,7 @@ New-AzResourceGroup -Name 'Hub_PrivateDNS_POC' ` New-AzResourceGroupDeployment ` -TemplateFile infra-as-code/bicep/modules/privateDnsZones/privateDnsZones.bicep ` - -TemplateParameterFile infra-as-code/bicep/modules/privateDnsZones/privateDnsZones.parameters.example.json ` + -TemplateParameterFile infra-as-code/bicep/modules/privateDnsZones/parameters/privateDnsZones.parameters.all.json ` -ResourceGroupName 'Hub_PrivateDNS_POC' ``` OR @@ -127,13 +127,13 @@ New-AzResourceGroup -Name 'Hub_PrivateDNS_POC' ` New-AzResourceGroupDeployment ` -TemplateFile infra-as-code/bicep/modules/privateDnsZones/privateDnsZones.bicep ` - -TemplateParameterFile infra-as-code/bicep/modules/privateDnsZones/mc-privateDnsZones.parameters.example.json + -TemplateParameterFile infra-as-code/bicep/modules/privateDnsZones/parameters/mc-privateDnsZones.parameters.all.json -ResourceGroupName 'Hub_PrivateDNS_POC' ``` ## Example Output in Azure global regions -![Example Deployment Output](media/privateDnsZonesExampleDeploymentOutput.png "Example Deployment Output in Azure global regions") +![Example Deployment Output](media/exampleDeploymentOutput.png "Example Deployment Output in Azure global regions") ## Bicep Visualizer -![Bicep Visualizer](media/privateDnsZonesBicepVisualizer.png "Bicep Visualizer") +![Bicep Visualizer](media/bicepVisualizer.png "Bicep Visualizer") 
diff --git a/infra-as-code/bicep/modules/privateDnsZones/media/privateDnsZonesBicepVisualizer.png b/infra-as-code/bicep/modules/privateDnsZones/media/bicepVisualizer.png similarity index 100% rename from infra-as-code/bicep/modules/privateDnsZones/media/privateDnsZonesBicepVisualizer.png rename to infra-as-code/bicep/modules/privateDnsZones/media/bicepVisualizer.png diff --git a/infra-as-code/bicep/modules/privateDnsZones/media/privateDnsZonesExampleDeploymentOutput.png b/infra-as-code/bicep/modules/privateDnsZones/media/exampleDeploymentOutput.png similarity index 100% rename from infra-as-code/bicep/modules/privateDnsZones/media/privateDnsZonesExampleDeploymentOutput.png rename to infra-as-code/bicep/modules/privateDnsZones/media/exampleDeploymentOutput.png diff --git a/infra-as-code/bicep/modules/privateDnsZones/mc-privateDnsZones.parameters.example.json b/infra-as-code/bicep/modules/privateDnsZones/parameters/mc-privateDnsZones.parameters.all.json similarity index 94% rename from infra-as-code/bicep/modules/privateDnsZones/mc-privateDnsZones.parameters.example.json rename to infra-as-code/bicep/modules/privateDnsZones/parameters/mc-privateDnsZones.parameters.all.json index dfbe83ef3..659f7c1f1 100644 --- a/infra-as-code/bicep/modules/privateDnsZones/mc-privateDnsZones.parameters.example.json +++ b/infra-as-code/bicep/modules/privateDnsZones/parameters/mc-privateDnsZones.parameters.all.json @@ -3,7 +3,7 @@ "contentVersion": "1.0.0.0", "parameters": { "parLocation": { - "value": "eastus" + "value": "chinaeast2" }, "parPrivateDnsZones": { "value": [ @@ -38,11 +38,6 @@ "privatelink.redis.cache.chinacloudapi.cn" ] }, - "parTags": { - "value": { - "Environment": "POC" - } - }, "parVirtualNetworkIdToLink": { "value": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/xxxxxxxxxxx/providers/Microsoft.Network/virtualNetworks/xxxxxxxxxxx" }, 
diff --git a/infra-as-code/bicep/modules/privateDnsZones/parameters/mc-privateDnsZones.parameters.min.json b/infra-as-code/bicep/modules/privateDnsZones/parameters/mc-privateDnsZones.parameters.min.json
new file mode 100644
index 000000000..659f7c1f1
--- /dev/null
+++ b/infra-as-code/bicep/modules/privateDnsZones/parameters/mc-privateDnsZones.parameters.min.json
@@ -0,0 +1,48 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "parLocation": {
+ "value": "chinaeast2"
+ },
+ "parPrivateDnsZones": {
+ "value": [
+ "privatelink.azure-automation.cn",
+ "privatelink.database.chinacloudapi.cn",
+ "privatelink.blob.core.chinacloudapi.cn",
+ "privatelink.table.core.chinacloudapi.cn",
+ "privatelink.queue.core.chinacloudapi.cn",
+ "privatelink.file.core.chinacloudapi.cn",
+ "privatelink.web.core.chinacloudapi.cn",
+ "privatelink.dfs.core.chinacloudapi.cn",
+ "privatelink.documents.azure.cn",
+ "privatelink.mongo.cosmos.azure.cn",
+ "privatelink.cassandra.cosmos.azure.cn",
+ "privatelink.gremlin.cosmos.azure.cn",
+ "privatelink.table.cosmos.azure.cn",
+ "privatelink.postgres.database.chinacloudapi.cn",
+ "privatelink.mysql.database.chinacloudapi.cn",
+ "privatelink.mariadb.database.chinacloudapi.cn",
+ "privatelink.vaultcore.azure.cn",
+ "privatelink.servicebus.chinacloudapi.cn",
+ "privatelink.azure-devices.cn",
+ "privatelink.eventgrid.azure.cn",
+ "privatelink.chinacloudsites.cn",
+ "privatelink.api.ml.azure.cn",
+ "privatelink.notebooks.chinacloudapi.cn",
+ "privatelink.signalr.azure.cn",
+ "privatelink.azurehdinsight.cn",
+ "privatelink.afs.azure.cn",
+ "privatelink.datafactory.azure.cn",
+ "privatelink.adf.azure.cn",
+ "privatelink.redis.cache.chinacloudapi.cn"
+ ]
+ },
+ "parVirtualNetworkIdToLink": {
+ "value": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/xxxxxxxxxxx/providers/Microsoft.Network/virtualNetworks/xxxxxxxxxxx"
+ },
+ "parTelemetryOptOut": {
+ "value": false
+ }
+ }
+}
\ No newline at end of file
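Review bot: `mc-privateDnsZones.parameters.min.json` is added with blob `659f7c1f1`, the same blob the renamed `mc-privateDnsZones.parameters.all.json` ends up with, so the two files are byte-identical and the `min` name does not describe a smaller input set. The file still sets `parLocation`, which the module README lists with a default of `resourceGroup().location`; if `min` is meant to hold only values without a usable default, that entry can be removed. If the duplication is intentional for China regions, a sentence in the README saying so would save readers from diffing the two files.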
diff --git a/infra-as-code/bicep/modules/privateDnsZones/privateDnsZones.parameters.example.json b/infra-as-code/bicep/modules/privateDnsZones/parameters/privateDnsZones.parameters.all.json
similarity index 90%
rename from infra-as-code/bicep/modules/privateDnsZones/privateDnsZones.parameters.example.json
rename to infra-as-code/bicep/modules/privateDnsZones/parameters/privateDnsZones.parameters.all.json
index 8d3da1691..a10cae046 100644
--- a/infra-as-code/bicep/modules/privateDnsZones/privateDnsZones.parameters.example.json
+++ b/infra-as-code/bicep/modules/privateDnsZones/parameters/privateDnsZones.parameters.all.json
@@ -23,11 +23,14 @@
 "privatelink.cassandra.cosmos.azure.com",
 "privatelink.gremlin.cosmos.azure.com",
 "privatelink.table.cosmos.azure.com",
+ "privatelink.xxxxxx.batch.azure.com", // Replace xxxxxx with target region (i.e. eastus)
 "privatelink.postgres.database.azure.com",
 "privatelink.mysql.database.azure.com",
 "privatelink.mariadb.database.azure.com",
 "privatelink.vaultcore.azure.net",
 "privatelink.managedhsm.azure.net",
+ "privatelink.xxxxxx.azmk8s.io", // Replace xxxxxx with target region (i.e. eastus)
+ "privatelink.xxxxxx.backup.windowsazure.com", // Replace xxxxxx with target region (i.e. eastus)
 "privatelink.siterecovery.windowsazure.com",
 "privatelink.servicebus.windows.net",
 "privatelink.azure-devices.net",
diff --git a/infra-as-code/bicep/modules/vwanConnectivity/vwanConnectivity.parameters.example.json b/infra-as-code/bicep/modules/privateDnsZones/parameters/privateDnsZones.parameters.min.json
similarity index 77%
rename from infra-as-code/bicep/modules/vwanConnectivity/vwanConnectivity.parameters.example.json
rename to infra-as-code/bicep/modules/privateDnsZones/parameters/privateDnsZones.parameters.min.json
index 0a66f1d92..d8446a465 100644
--- a/infra-as-code/bicep/modules/vwanConnectivity/vwanConnectivity.parameters.example.json
+++ b/infra-as-code/bicep/modules/privateDnsZones/parameters/privateDnsZones.parameters.min.json
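Review bot: The three added zone entries carry trailing `// Replace xxxxxx with target region` comments inside a `.json` file, and the same three lines are added to `privateDnsZones.parameters.min.json` in the next file section. Strict JSON has no comment syntax, so any consumer that reads these parameter files with a strict parser (for example `jq` or Python's `json` module) will reject them; confirm every tool in the deployment and lint path tolerates comments, or drop the comments and rely on the README note this commit adds. Separately, `privatelink.xxxxxx.azmk8s.io` is presumably still a syntactically valid zone name, so deploying the file unedited would likely succeed and create placeholder zones that private endpoints in the real region never use. A pre-deployment check that fails when a zone name still contains `xxxxxx` would surface that instead of leaving it to be found through broken name resolution.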
@@ -2,42 +2,6 @@
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
 "contentVersion": "1.0.0.0",
 "parameters": {
- "parVirtualHubEnabled": {
- "value": true
- },
- "parVPNGatewayEnabled": {
- "value": true
- },
- "parERGatewayEnabled": {
- "value": true
- },
- "parAzureFirewallEnabled": {
- "value": true
- },
- "parNetworkDNSEnableProxy": {
- "value": true
- },
- "parDdosEnabled": {
- "value": true
- },
- "parDdosPlanName": {
- "value": "alz-ddos-plan"
- },
- "parCompanyPrefix": {
- "value": "alz"
- },
- "parVhubAddressPrefix": {
- "value": "10.100.0.0/23"
- },
- "parAzureFirewallTier": {
- "value": "Standard"
- },
- "parAzureFirewallAvailabilityZones": {
- "value": []
- },
- "parPrivateDnsZonesEnabled": {
- "value": true
- },
 "parPrivateDnsZones": {
 "value": [
 "privatelink.azure-automation.net",
@@ -56,11 +20,14 @@
 "privatelink.cassandra.cosmos.azure.com",
 "privatelink.gremlin.cosmos.azure.com",
 "privatelink.table.cosmos.azure.com",
+ "privatelink.xxxxxx.batch.azure.com", // Replace xxxxxx with target region (i.e. eastus)
 "privatelink.postgres.database.azure.com",
 "privatelink.mysql.database.azure.com",
 "privatelink.mariadb.database.azure.com",
 "privatelink.vaultcore.azure.net",
 "privatelink.managedhsm.azure.net",
+ "privatelink.xxxxxx.azmk8s.io", // Replace xxxxxx with target region (i.e. eastus)
+ "privatelink.xxxxxx.backup.windowsazure.com", // Replace xxxxxx with target region (i.e. eastus)
 "privatelink.siterecovery.windowsazure.com",
 "privatelink.servicebus.windows.net",
 "privatelink.azure-devices.net",
@@ -91,6 +58,9 @@
 "privatelink.guestconfiguration.azure.com"
 ]
 },
+ "parVirtualNetworkIdToLink": {
+ "value": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/xxxxxxxxxxx/providers/Microsoft.Network/virtualNetworks/xxxxxxxxxxx"
+ },
 "parTelemetryOptOut": {
 "value": false
 }
diff --git a/infra-as-code/bicep/modules/publicIp/README.md b/infra-as-code/bicep/modules/publicIp/README.md index 529ad2309..6e175173e 100644 --- a/infra-as-code/bicep/modules/publicIp/README.md +++ b/infra-as-code/bicep/modules/publicIp/README.md @@ -12,10 +12,10 @@ The module requires the following inputs: | Parameter | Type | Default | Description | Requirement | Example | | --------------------- | ------ | ------------------------ | ---------------------------------------------------------------------------------------------------------------------------------- | ------------------ | ------------------------------------ | - | parPublicIPName | string | none | Name associated with the Public IP to be created | 1-80 char | alz-bastion-PublicIP | - | parPublicIPSku | object | none | SKU of IP to deploy to Azure | Standard or Basic | Standard | - | parPublicIPProperties | object | none | N/A | | parLocation | string | resourceGroup().location | Location where Public IP address will be deployed | Valid Azure Region | `eastus2` | + | parPublicIpName | string | none | Name associated with the Public IP to be created | 1-80 char | alz-bastion-PublicIp | + | parPublicIpSku | object | none | SKU of IP to deploy to Azure | Standard or Basic | Standard | + | parPublicIpProperties | object | none | N/A | | parAvailabilityZones | array | Empty Array `[]` | Availability Zones to deploy the Public IP across. Region must support Availability Zones to use. If it does not then leave empty. | none | `[]` or `['1']` or `['1' ,'2', '3']` | | parTags | object | none | Tags to be appended to resource after it is created | none | {"Environment" : "Development"} | | parTelemetryOptOut | bool | `false` | Set Parameter to true to Opt-out of deployment telemetry | none | `false` | 
@@ -26,7 +26,7 @@ The module will generate the following outputs: | Output | Type | Example | | ------------- | ------ | -------------------------------------------------------------------------------------------------------------------------------------------------------- | -| outPublicIPID | string | /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/HUB_Networking_POC/providers/Microsoft.Network/publicIPAddresses/alz-bastion-PublicIP | +| outPublicIpId | string | /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/HUB_Networking_POC/providers/Microsoft.Network/publicIPAddresses/alz-bastion-PublicIp | ## Deployment diff --git a/infra-as-code/bicep/modules/publicIp/parameters/publicIp.parameters.all.json b/infra-as-code/bicep/modules/publicIp/parameters/publicIp.parameters.all.json new file mode 100644 index 000000000..2deb62569 --- /dev/null +++ b/infra-as-code/bicep/modules/publicIp/parameters/publicIp.parameters.all.json @@ -0,0 +1,37 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "parLocation": { + "value": "eastus" + }, + "parPublicIpName": { + "value": "alz" + }, + "parPublicIpSku": { + "value": { + "name": "Standard", + "tier": "Regional" + } + }, + "parPublicIpProperties": { + "value": { + "publicIpAddressVersion": "IPv4", + "publicIpAllocationMethod": "Dynamic", + "deleteOption": "Delete", + "idleTimeoutInMinutes": 4 + } + }, + "parAvailabilityZones": { + "value": [] + }, + "parTags": { + "value": { + "Environment": "POC" + } + }, + "parTelemetryOptOut": { + "value": false + } + } +} \ No newline at end of file diff --git a/infra-as-code/bicep/modules/publicIp/parameters/publicIp.parameters.min.json b/infra-as-code/bicep/modules/publicIp/parameters/publicIp.parameters.min.json new file mode 100644 index 000000000..85fc1f5e6 --- /dev/null +++ b/infra-as-code/bicep/modules/publicIp/parameters/publicIp.parameters.min.json 
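Review bot: `parPublicIpSku.name` is `Standard` while `parPublicIpProperties` sets `"publicIpAllocationMethod": "Dynamic"`; Standard SKU public IP addresses require static allocation, so a deployment using this file as written is expected to be rejected. Change the value to `"Static"` here and in `publicIp.parameters.min.json`, which repeats the same SKU and allocation pair. The two keys are also spelled `publicIpAddressVersion` and `publicIpAllocationMethod`, whereas the resource schema spells them `publicIPAddressVersion` and `publicIPAllocationMethod`. Because `publicIp.bicep` passes the object straight through as `properties`, confirm the resource provider accepts the changed casing or restore the schema spelling.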
@@ -0,0 +1,26 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "parPublicIpName": { + "value": "alz" + }, + "parPublicIpSku": { + "value": { + "name": "Standard", + "tier": "Regional" + } + }, + "parPublicIpProperties": { + "value": { + "publicIpAddressVersion": "IPv4", + "publicIpAllocationMethod": "Dynamic", + "deleteOption": "Delete", + "idleTimeoutInMinutes": 4 + } + }, + "parTelemetryOptOut": { + "value": false + } + } +} \ No newline at end of file diff --git a/infra-as-code/bicep/modules/publicIp/publicIp.bicep b/infra-as-code/bicep/modules/publicIp/publicIp.bicep index 7eb81ef28..6866f470d 100644 --- a/infra-as-code/bicep/modules/publicIp/publicIp.bicep +++ b/infra-as-code/bicep/modules/publicIp/publicIp.bicep @@ -1,14 +1,14 @@ +@description('Azure Region to deploy Public IP Address to. Default: Current Resource Group') +param parLocation string = resourceGroup().location + @description('Name of Public IP to create in Azure. Default: None') -param parPublicIPName string +param parPublicIpName string @description('Public IP Address SKU. Default: None') -param parPublicIPSku object +param parPublicIpSku object @description('Properties of Public IP to be deployed. Default: None') -param parPublicIPProperties object - -@description('Azure Region to deploy Public IP Address to. Default: Current Resource Group') -param parLocation string = resourceGroup().location +param parPublicIpProperties object @allowed([ '1' @@ -19,7 +19,7 @@ param parLocation string = resourceGroup().location param parAvailabilityZones array = [] @description('Tags to be applied to resource when deployed. Default: None') -param parTags object +param parTags object = {} @description('Set Parameter to true to Opt-out of deployment telemetry') param parTelemetryOptOut bool = false 
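Review bot: In the `@@ -19,7 +19,7 @@` hunk of `publicIp.bicep`, `parTags` gains a default of `{}` but the decorator directly above it still says `Default: None`. I would update it to `@description('Tags to be applied to resource when deployed. Default: Empty object')` so the parameter description matches the code. The same hunk shows the telemetry parameter documented without a default note, so keeping the two descriptions consistent is optional but would help readers of the generated docs.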
@@ -27,22 +27,20 @@ param parTelemetryOptOut bool = false // Customer Usage Attribution Id var varCuaid = '3f85b84c-6bad-4c42-86bf-11c233241c22' -resource resPublicIP 'Microsoft.Network/publicIPAddresses@2021-05-01' ={ - name: parPublicIPName +resource resPublicIp 'Microsoft.Network/publicIPAddresses@2021-05-01' ={ + name: parPublicIpName tags: parTags location: parLocation zones: parAvailabilityZones - sku: parPublicIPSku - properties: parPublicIPProperties + sku: parPublicIpSku + properties: parPublicIpProperties } // Optional Deployment for Customer Usage Attribution module modCustomerUsageAttribution '../../CRML/customerUsageAttribution/cuaIdResourceGroup.bicep' = if (!parTelemetryOptOut) { #disable-next-line no-loc-expr-outside-params //Only to ensure telemetry data is stored in same location as deployment. See https://github.com/Azure/ALZ-Bicep/wiki/FAQ#why-are-some-linter-rules-disabled-via-the-disable-next-line-bicep-function for more information - name: 'pid-${varCuaid}-${uniqueString(resourceGroup().location, parPublicIPName)}' + name: 'pid-${varCuaid}-${uniqueString(resourceGroup().location, parPublicIpName)}' params: {} } -output outPublicIPID string = resPublicIP.id - - +output outPublicIpId string = resPublicIp.id diff --git a/infra-as-code/bicep/modules/resourceGroup/README.md b/infra-as-code/bicep/modules/resourceGroup/README.md index fe208054d..c74618e75 100644 --- a/infra-as-code/bicep/modules/resourceGroup/README.md +++ b/infra-as-code/bicep/modules/resourceGroup/README.md 
@@ -12,7 +12,7 @@ The module requires the following inputs: | Parameter | Type | Default | Description | Requirement | Example | | ------------------------ | ------ | ------- | -------------------------------------------------------- | -------------------------------------------- | ------- | - | parResourceGroupLocation | string | None | Location where Resource Group will be deployed | Valid Azure Region | eastus2 | + | parLocation | string | None | Location where Resource Group will be deployed | Valid Azure Region | eastus2 | | parResourceGroupName | string | None | Name of Resource Group to create in the specified region | 2-64 char, letters, numbers, and underscores | Hub | | parTags | object | Empty object `{}` | Array of Tags to be applied to Resource Group | None | `{"key": "value"}` | | parTelemetryOptOut | bool | `false` | Set Parameter to true to Opt-out of deployment telemetry | none | `false` | diff --git a/infra-as-code/bicep/modules/resourceGroup/parameters/resourceGroup.parameters.all.json b/infra-as-code/bicep/modules/resourceGroup/parameters/resourceGroup.parameters.all.json new file mode 100644 index 000000000..8843775c5 --- /dev/null +++ b/infra-as-code/bicep/modules/resourceGroup/parameters/resourceGroup.parameters.all.json @@ -0,0 +1,20 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "parLocation": { + "value": "eastus" + }, + "parResourceGroupName": { + "value": "alz-rg" + }, + "parTags": { + "value": { + "Environment": "POC" + } + }, + "parTelemetryOptOut": { + "value": false + } + } +} \ No newline at end of file diff --git a/infra-as-code/bicep/modules/resourceGroup/parameters/resourceGroup.parameters.min.json b/infra-as-code/bicep/modules/resourceGroup/parameters/resourceGroup.parameters.min.json new file mode 100644 index 000000000..b273c06b5 --- /dev/null 
+++ b/infra-as-code/bicep/modules/resourceGroup/parameters/resourceGroup.parameters.min.json @@ -0,0 +1,15 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "parLocation": { + "value": "eastus" + }, + "parResourceGroupName": { + "value": "alz-rg" + }, + "parTelemetryOptOut": { + "value": false + } + } +} \ No newline at end of file diff --git a/infra-as-code/bicep/modules/roleAssignments/README.md b/infra-as-code/bicep/modules/roleAssignments/README.md index 9e1e6fb60..7bbb7bee5 100644 --- a/infra-as-code/bicep/modules/roleAssignments/README.md +++ b/infra-as-code/bicep/modules/roleAssignments/README.md @@ -104,7 +104,7 @@ Connect-AzureAD ## Deployment -In this example, the built-in Reader role will be assigned to a Service Principal account at the `alz-platform` management group scope. The inputs for this module are defined in `roleAssignmentManagementGroup.parameters.*.example.json`. +In this example, the built-in Reader role will be assigned to a Service Principal account at the `alz-platform` management group scope. The inputs for this module are defined in `parameters/roleAssignmentManagementGroup.*.parameters.all.json`. > For the examples below we assume you have downloaded or cloned the Git repo as-is and are in the root of the repository as your selected directory in your terminal of choice. 
@@ -114,7 +114,7 @@ In this example, the built-in Reader role will be assigned to a Service Principa # For Azure global regions az deployment mg create \ --template-file infra-as-code/bicep/modules/roleAssignments/roleAssignmentManagementGroup.bicep \ - --parameters @infra-as-code/bicep/modules/roleAssignments/roleAssignmentManagementGroup.parameters.service-principal.example.json \ + --parameters @infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroup.servicePrincipal.parameters.all.json \ --management-group-id alz-platform \ --location eastus ``` @@ -123,7 +123,7 @@ OR # For Azure China regions az deployment mg create \ --template-file infra-as-code/bicep/modules/roleAssignments/roleAssignmentManagementGroup.bicep \ - --parameters @infra-as-code/bicep/modules/roleAssignments/roleAssignmentManagementGroup.parameters.service-principal.example.json \ + --parameters @infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroup.servicePrincipal.parameters.all.json \ --management-group-id alz-platform \ --location chinaeast2 ``` @@ -134,7 +134,7 @@ az deployment mg create \ # For Azure global regions New-AzManagementGroupDeployment ` -TemplateFile infra-as-code/bicep/modules/roleAssignments/roleAssignmentManagementGroup.bicep ` - -TemplateParameterFile infra-as-code/bicep/modules/roleAssignments/roleAssignmentManagementGroup.parameters.service-principal.example.json ` + -TemplateParameterFile infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroup.servicePrincipal.parameters.all.json ` -ManagementGroupId alz-platform ` -Location eastus ``` 
@@ -143,7 +143,7 @@ OR # For Azure China regions New-AzManagementGroupDeployment ` -TemplateFile infra-as-code/bicep/modules/roleAssignments/roleAssignmentManagementGroup.bicep ` - -TemplateParameterFile infra-as-code/bicep/modules/roleAssignments/roleAssignmentManagementGroup.parameters.service-principal.example.json ` + -TemplateParameterFile infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroup.servicePrincipal.parameters.all.json ` -ManagementGroupId alz-platform ` -Location chinaeast2 ``` @@ -152,16 +152,16 @@ New-AzManagementGroupDeployment ` ### Single Management Group Role Assignment -![Bicep Visualizer - Single Management Group Role Assignment](media/bicep-visualizer-mg.PNG "Bicep Visualizer - Single Management Group Role Assignment") +![Bicep Visualizer - Single Management Group Role Assignment](media/bicepVisualizerMg.png "Bicep Visualizer - Single Management Group Role Assignment") ### Many Management Group Role Assignments -![Bicep Visualizer - Many Management Group Role Assignments](media/bicep-visualizer-mg-many.PNG "Bicep Visualizer - Many Management Group Role Assignments") +![Bicep Visualizer - Many Management Group Role Assignments](media/bicepVisualizerMgMany.png "Bicep Visualizer - Many Management Group Role Assignments") ### Single Subscription Role Assignment -![Bicep Visualizer - Single Subscription Role Assignment](media/bicep-visualizer-sub.PNG "Bicep Visualizer - Single Subscription Role Assignment") +![Bicep Visualizer - Single Subscription Role Assignment](media/bicepVisualizerSub.png "Bicep Visualizer - Single Subscription Role Assignment") ### Many Subscription Role Assignments -![Bicep Visualizer - Many Subscription Role Assignments](media/bicep-visualizer-sub-many.PNG "Bicep Visualizer - Many Subscription Role Assignments") +![Bicep Visualizer - Many Subscription Role Assignments](media/bicepVisualizerSubMany.png "Bicep Visualizer - Many Subscription Role Assignments") 
diff --git a/infra-as-code/bicep/modules/roleAssignments/media/bicep-visualizer-mg.PNG b/infra-as-code/bicep/modules/roleAssignments/media/bicepVisualizerMg.png similarity index 100% rename from infra-as-code/bicep/modules/roleAssignments/media/bicep-visualizer-mg.PNG rename to infra-as-code/bicep/modules/roleAssignments/media/bicepVisualizerMg.png diff --git a/infra-as-code/bicep/modules/roleAssignments/media/bicep-visualizer-mg-many.PNG b/infra-as-code/bicep/modules/roleAssignments/media/bicepVisualizerMgMany.png similarity index 100% rename from infra-as-code/bicep/modules/roleAssignments/media/bicep-visualizer-mg-many.PNG rename to infra-as-code/bicep/modules/roleAssignments/media/bicepVisualizerMgMany.png diff --git a/infra-as-code/bicep/modules/roleAssignments/media/bicep-visualizer-sub.PNG b/infra-as-code/bicep/modules/roleAssignments/media/bicepVisualizerSub.png similarity index 100% rename from infra-as-code/bicep/modules/roleAssignments/media/bicep-visualizer-sub.PNG rename to infra-as-code/bicep/modules/roleAssignments/media/bicepVisualizerSub.png diff --git a/infra-as-code/bicep/modules/roleAssignments/media/bicep-visualizer-sub-many.PNG b/infra-as-code/bicep/modules/roleAssignments/media/bicepVisualizerSubMany.png similarity index 100% rename from infra-as-code/bicep/modules/roleAssignments/media/bicep-visualizer-sub-many.PNG rename to infra-as-code/bicep/modules/roleAssignments/media/bicepVisualizerSubMany.png diff --git a/infra-as-code/bicep/modules/roleAssignments/roleAssignmentManagementGroup.parameters.managed-identity.example.json b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroup.managedIdentity.parameters.all.json similarity index 100% rename from infra-as-code/bicep/modules/roleAssignments/roleAssignmentManagementGroup.parameters.managed-identity.example.json rename to infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroup.managedIdentity.parameters.all.json 
diff --git a/infra-as-code/bicep/modules/roleAssignments/roleAssignmentSubscription.parameters.managed-identity.example.json b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroup.managedIdentity.parameters.min.json similarity index 100% rename from infra-as-code/bicep/modules/roleAssignments/roleAssignmentSubscription.parameters.managed-identity.example.json rename to infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroup.managedIdentity.parameters.min.json diff --git a/infra-as-code/bicep/modules/roleAssignments/roleAssignmentManagementGroup.parameters.security-group.example.json b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroup.securityGroup.parameters.all.json similarity index 100% rename from infra-as-code/bicep/modules/roleAssignments/roleAssignmentManagementGroup.parameters.security-group.example.json rename to infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroup.securityGroup.parameters.all.json diff --git a/infra-as-code/bicep/modules/roleAssignments/roleAssignmentSubscription.parameters.security-group.example.json b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroup.securityGroup.parameters.min.json similarity index 100% rename from infra-as-code/bicep/modules/roleAssignments/roleAssignmentSubscription.parameters.security-group.example.json rename to infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroup.securityGroup.parameters.min.json 
diff --git a/infra-as-code/bicep/modules/roleAssignments/roleAssignmentManagementGroup.parameters.service-principal.example.json b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroup.servicePrincipal.parameters.all.json similarity index 100% rename from infra-as-code/bicep/modules/roleAssignments/roleAssignmentManagementGroup.parameters.service-principal.example.json rename to infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroup.servicePrincipal.parameters.all.json diff --git a/infra-as-code/bicep/modules/roleAssignments/roleAssignmentSubscription.parameters.service-principal.example.json b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroup.servicePrincipal.parameters.min.json similarity index 100% rename from infra-as-code/bicep/modules/roleAssignments/roleAssignmentSubscription.parameters.service-principal.example.json rename to infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroup.servicePrincipal.parameters.min.json diff --git a/infra-as-code/bicep/modules/roleAssignments/roleAssignmentManagementGroupMany.parameters.service-principal.example.json b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroupMany.managedIdentity.parameters.all.json similarity index 90% rename from infra-as-code/bicep/modules/roleAssignments/roleAssignmentManagementGroupMany.parameters.service-principal.example.json rename to infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroupMany.managedIdentity.parameters.all.json index b47593fdf..1e52c0bdd 100644 --- a/infra-as-code/bicep/modules/roleAssignments/roleAssignmentManagementGroupMany.parameters.service-principal.example.json +++ b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroupMany.managedIdentity.parameters.all.json 
@@ -16,6 +16,9 @@ }, "parAssigneeObjectId": { "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" + }, + "parTelemetryOptOut": { + "value": false } } } \ No newline at end of file diff --git a/infra-as-code/bicep/modules/roleAssignments/roleAssignmentManagementGroupMany.parameters.managed-identity.example.json b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroupMany.managedIdentity.parameters.min.json similarity index 90% rename from infra-as-code/bicep/modules/roleAssignments/roleAssignmentManagementGroupMany.parameters.managed-identity.example.json rename to infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroupMany.managedIdentity.parameters.min.json index b47593fdf..1e52c0bdd 100644 --- a/infra-as-code/bicep/modules/roleAssignments/roleAssignmentManagementGroupMany.parameters.managed-identity.example.json +++ b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroupMany.managedIdentity.parameters.min.json @@ -16,6 +16,9 @@ }, "parAssigneeObjectId": { "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" + }, + "parTelemetryOptOut": { + "value": false } } } \ No newline at end of file diff --git a/infra-as-code/bicep/modules/roleAssignments/roleAssignmentManagementGroupMany.parameters.security-group.example.json b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroupMany.securityGroup.parameters.all.json similarity index 90% rename from infra-as-code/bicep/modules/roleAssignments/roleAssignmentManagementGroupMany.parameters.security-group.example.json rename to infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroupMany.securityGroup.parameters.all.json index 084251985..11fd45b44 100644 --- a/infra-as-code/bicep/modules/roleAssignments/roleAssignmentManagementGroupMany.parameters.security-group.example.json 
+++ b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroupMany.securityGroup.parameters.all.json @@ -16,6 +16,9 @@ }, "parAssigneeObjectId": { "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" + }, + "parTelemetryOptOut": { + "value": false } } } \ No newline at end of file diff --git a/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroupMany.securityGroup.parameters.min.json b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroupMany.securityGroup.parameters.min.json new file mode 100644 index 000000000..11fd45b44 --- /dev/null +++ b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroupMany.securityGroup.parameters.min.json @@ -0,0 +1,24 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "parManagementGroupIds": { + "value": [ + "alz-platform-connectivity", + "alz-platform-identity" + ] + }, + "parRoleDefinitionId": { + "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" + }, + "parAssigneePrincipalType": { + "value": "Group" + }, + "parAssigneeObjectId": { + "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" + }, + "parTelemetryOptOut": { + "value": false + } + } +} \ No newline at end of file diff --git a/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroupMany.servicePrincipal.parameters.all.json b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroupMany.servicePrincipal.parameters.all.json new file mode 100644 index 000000000..1e52c0bdd --- /dev/null +++ b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroupMany.servicePrincipal.parameters.all.json 
@@ -0,0 +1,24 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "parManagementGroupIds": {
+ "value": [
+ "alz-platform-connectivity",
+ "alz-platform-identity"
+ ]
+ },
+ "parRoleDefinitionId": {
+ "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+ },
+ "parAssigneePrincipalType": {
+ "value": "ServicePrincipal"
+ },
+ "parAssigneeObjectId": {
+ "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+ },
+ "parTelemetryOptOut": {
+ "value": false
+ }
+ }
+}
\ No newline at end of file
diff --git a/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroupMany.servicePrincipal.parameters.min.json b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroupMany.servicePrincipal.parameters.min.json
new file mode 100644
index 000000000..1e52c0bdd
--- /dev/null
+++ b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroupMany.servicePrincipal.parameters.min.json
@@ -0,0 +1,24 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "parManagementGroupIds": {
+ "value": [
+ "alz-platform-connectivity",
+ "alz-platform-identity"
+ ]
+ },
+ "parRoleDefinitionId": {
+ "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+ },
+ "parAssigneePrincipalType": {
+ "value": "ServicePrincipal"
+ },
+ "parAssigneeObjectId": {
+ "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+ },
+ "parTelemetryOptOut": {
+ "value": false
+ }
+ }
+}
\ No newline at end of file
diff --git a/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscription.managedIdentity.parameters.all.json b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscription.managedIdentity.parameters.all.json
new file mode 100644
index 000000000..12c90c3de
--- /dev/null
+++ b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscription.managedIdentity.parameters.all.json
@@ -0,0 +1,21 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "parRoleAssignmentNameGuid": {
+ "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+ },
+ "parRoleDefinitionId": {
+ "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+ },
+ "parAssigneePrincipalType": {
+ "value": "ServicePrincipal"
+ },
+ "parAssigneeObjectId": {
+ "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+ },
+ "parTelemetryOptOut": {
+ "value": false
+ }
+ }
+}
\ No newline at end of file
diff --git a/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscription.managedIdentity.parameters.min.json b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscription.managedIdentity.parameters.min.json
new file mode 100644
index 000000000..4501e72e4
--- /dev/null
+++ b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscription.managedIdentity.parameters.min.json
@@ -0,0 +1,18 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "parRoleDefinitionId": {
+ "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+ },
+ "parAssigneePrincipalType": {
+ "value": "ServicePrincipal"
+ },
+ "parAssigneeObjectId": {
+ "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+ },
+ "parTelemetryOptOut": {
+ "value": false
+ }
+ }
+}
\ No newline at end of file
diff --git a/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscription.securityGroup.parameters.all.json b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscription.securityGroup.parameters.all.json
new file mode 100644
index 000000000..8851ff752
--- /dev/null
+++ b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscription.securityGroup.parameters.all.json
@@ -0,0 +1,21 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "parRoleAssignmentNameGuid": {
+ "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+ },
+ "parRoleDefinitionId": {
+ "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+ },
+ "parAssigneePrincipalType": {
+ "value": "Group"
+ },
+ "parAssigneeObjectId": {
+ "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+ },
+ "parTelemetryOptOut": {
+ "value": false
+ }
+ }
+}
\ No newline at end of file
diff --git a/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscription.securityGroup.parameters.min.json b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscription.securityGroup.parameters.min.json
new file mode 100644
index 000000000..bc5415eb9
--- /dev/null
+++ b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscription.securityGroup.parameters.min.json
@@ -0,0 +1,18 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "parRoleDefinitionId": {
+ "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+ },
+ "parAssigneePrincipalType": {
+ "value": "Group"
+ },
+ "parAssigneeObjectId": {
+ "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+ },
+ "parTelemetryOptOut": {
+ "value": false
+ }
+ }
+}
\ No newline at end of file
diff --git a/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscription.servicePrincipal.parameters.all.json b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscription.servicePrincipal.parameters.all.json
new file mode 100644
index 000000000..12c90c3de
--- /dev/null
+++ b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscription.servicePrincipal.parameters.all.json
@@ -0,0 +1,21 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "parRoleAssignmentNameGuid": {
+ "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+ },
+ "parRoleDefinitionId": {
+ "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+ },
+ "parAssigneePrincipalType": {
+ "value": "ServicePrincipal"
+ },
+ "parAssigneeObjectId": {
+ "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+ },
+ "parTelemetryOptOut": {
+ "value": false
+ }
+ }
+}
\ No newline at end of file
diff --git a/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscription.servicePrincipal.parameters.min.json b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscription.servicePrincipal.parameters.min.json
new file mode 100644
index 000000000..4501e72e4
--- /dev/null
+++ b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscription.servicePrincipal.parameters.min.json
@@ -0,0 +1,18 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "parRoleDefinitionId": {
+ "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+ },
+ "parAssigneePrincipalType": {
+ "value": "ServicePrincipal"
+ },
+ "parAssigneeObjectId": {
+ "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+ },
+ "parTelemetryOptOut": {
+ "value": false
+ }
+ }
+}
\ No newline at end of file
diff --git a/infra-as-code/bicep/modules/roleAssignments/roleAssignmentSubscriptionMany.parameters.service-principal.example.json b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscriptionMany.managedIdentity.parameters.all.json similarity index 90% rename from infra-as-code/bicep/modules/roleAssignments/roleAssignmentSubscriptionMany.parameters.service-principal.example.json rename to infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscriptionMany.managedIdentity.parameters.all.json index adf86b9ae..bae222003 100644 --- a/infra-as-code/bicep/modules/roleAssignments/roleAssignmentSubscriptionMany.parameters.service-principal.example.json +++ b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscriptionMany.managedIdentity.parameters.all.json @@ -16,6 +16,9 @@ }, "parAssigneeObjectId": { "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" + }, + "parTelemetryOptOut": { + "value": false } } } \ No newline at end of file diff --git a/infra-as-code/bicep/modules/roleAssignments/roleAssignmentSubscriptionMany.parameters.managed-identity.example.json b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscriptionMany.managedIdentity.parameters.min.json similarity index 90% rename from infra-as-code/bicep/modules/roleAssignments/roleAssignmentSubscriptionMany.parameters.managed-identity.example.json rename to infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscriptionMany.managedIdentity.parameters.min.json index adf86b9ae..bae222003 100644 --- a/infra-as-code/bicep/modules/roleAssignments/roleAssignmentSubscriptionMany.parameters.managed-identity.example.json +++ b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscriptionMany.managedIdentity.parameters.min.json @@ -16,6 +16,9 @@ }, "parAssigneeObjectId": { "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" + }, + "parTelemetryOptOut": { + "value": false } } } \ No newline at end of file 
diff --git a/infra-as-code/bicep/modules/roleAssignments/roleAssignmentSubscriptionMany.parameters.security-group.example.json b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscriptionMany.securityGroup.parameters.all.json similarity index 90% rename from infra-as-code/bicep/modules/roleAssignments/roleAssignmentSubscriptionMany.parameters.security-group.example.json rename to infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscriptionMany.securityGroup.parameters.all.json index f89a72bc6..034a798b5 100644 --- a/infra-as-code/bicep/modules/roleAssignments/roleAssignmentSubscriptionMany.parameters.security-group.example.json +++ b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscriptionMany.securityGroup.parameters.all.json @@ -16,6 +16,9 @@ }, "parAssigneeObjectId": { "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" + }, + "parTelemetryOptOut": { + "value": false } } } \ No newline at end of file diff --git a/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscriptionMany.securityGroup.parameters.min.json b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscriptionMany.securityGroup.parameters.min.json new file mode 100644 index 000000000..034a798b5 --- /dev/null +++ b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscriptionMany.securityGroup.parameters.min.json 
@@ -0,0 +1,24 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "parSubscriptionIds": { + "value": [ + "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", + "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" + ] + }, + "parRoleDefinitionId": { + "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" + }, + "parAssigneePrincipalType": { + "value": "Group" + }, + "parAssigneeObjectId": { + "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" + }, + "parTelemetryOptOut": { + "value": false + } + } +} \ No newline at end of file diff --git a/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscriptionMany.servicePrincipal.parameters.all.json b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscriptionMany.servicePrincipal.parameters.all.json new file mode 100644 index 000000000..bae222003 --- /dev/null +++ b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscriptionMany.servicePrincipal.parameters.all.json @@ -0,0 +1,24 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "parSubscriptionIds": { + "value": [ + "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", + "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" + ] + }, + "parRoleDefinitionId": { + "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" + }, + "parAssigneePrincipalType": { + "value": "ServicePrincipal" + }, + "parAssigneeObjectId": { + "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" + }, + "parTelemetryOptOut": { + "value": false + } + } +} \ No newline at end of file diff --git a/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscriptionMany.servicePrincipal.parameters.min.json b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscriptionMany.servicePrincipal.parameters.min.json new file mode 100644 index 000000000..bae222003 --- /dev/null 
+++ b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscriptionMany.servicePrincipal.parameters.min.json @@ -0,0 +1,24 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "parSubscriptionIds": { + "value": [ + "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", + "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" + ] + }, + "parRoleDefinitionId": { + "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" + }, + "parAssigneePrincipalType": { + "value": "ServicePrincipal" + }, + "parAssigneeObjectId": { + "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" + }, + "parTelemetryOptOut": { + "value": false + } + } +} \ No newline at end of file diff --git a/infra-as-code/bicep/modules/roleAssignments/roleAssignmentManagementGroupMany.bicep b/infra-as-code/bicep/modules/roleAssignments/roleAssignmentManagementGroupMany.bicep index 5d92ff59d..411174156 100644 --- a/infra-as-code/bicep/modules/roleAssignments/roleAssignmentManagementGroupMany.bicep +++ b/infra-as-code/bicep/modules/roleAssignments/roleAssignmentManagementGroupMany.bicep @@ -16,6 +16,9 @@ param parAssigneePrincipalType string @description('Object ID of groups, service principals or managed identities. For managed identities use the principal id. For service principals, use the object ID and not the app ID') param parAssigneeObjectId string +@description('Set Parameter to true to Opt-out of deployment telemetry') +param parTelemetryOptOut bool = false + module modRoleAssignment 'roleAssignmentManagementGroup.bicep' = [for parManagementGroupId in parManagementGroupIds: { name: 'rbac-assign-${uniqueString(parManagementGroupId, parAssigneeObjectId, parRoleDefinitionId)}' scope: managementGroup(parManagementGroupId) 
@@ -24,5 +27,6 @@ module modRoleAssignment 'roleAssignmentManagementGroup.bicep' = [for parManagem parAssigneeObjectId: parAssigneeObjectId parAssigneePrincipalType: parAssigneePrincipalType parRoleDefinitionId: parRoleDefinitionId + parTelemetryOptOut: parTelemetryOptOut } }] diff --git a/infra-as-code/bicep/modules/roleAssignments/roleAssignmentSubscriptionMany.bicep b/infra-as-code/bicep/modules/roleAssignments/roleAssignmentSubscriptionMany.bicep index 86efe58ab..f75bc02c6 100644 --- a/infra-as-code/bicep/modules/roleAssignments/roleAssignmentSubscriptionMany.bicep +++ b/infra-as-code/bicep/modules/roleAssignments/roleAssignmentSubscriptionMany.bicep @@ -16,6 +16,9 @@ param parAssigneePrincipalType string @description('Object ID of groups, service principals or managed identities. For managed identities use the principal id. For service principals, use the object ID and not the app ID') param parAssigneeObjectId string +@description('Set Parameter to true to Opt-out of deployment telemetry') +param parTelemetryOptOut bool = false + module modRoleAssignment 'roleAssignmentSubscription.bicep' = [for subscriptionId in parSubscriptionIds: { name: 'rbac-assign-${uniqueString(subscriptionId, parAssigneeObjectId, parRoleDefinitionId)}' scope: subscription(subscriptionId) @@ -24,5 +27,6 @@ module modRoleAssignment 'roleAssignmentSubscription.bicep' = [for subscriptionI parAssigneeObjectId: parAssigneeObjectId parAssigneePrincipalType: parAssigneePrincipalType parRoleDefinitionId: parRoleDefinitionId + parTelemetryOptOut: parTelemetryOptOut } }] diff --git a/infra-as-code/bicep/modules/spokeNetworking/README.md b/infra-as-code/bicep/modules/spokeNetworking/README.md index f98a1fcdd..ccfb75edf 100644 --- a/infra-as-code/bicep/modules/spokeNetworking/README.md +++ b/infra-as-code/bicep/modules/spokeNetworking/README.md 
@@ -16,13 +16,13 @@ The module requires the following inputs: | Parameter | Type | Default | Description | Requirement | Example | | ---------------------------- | ------ | -------------------------- | ------------------------------------------------------------------- | ----------- | ----------------------------------------------------------------------------------------------------------------------------------------------------- | | parLocation | string | `resourceGroup().location` | The Azure Region to deploy the resources into | None | `eastus` | - | parBGPRoutePropagation | bool | false | Switch to enable BGP Route Propagation on VNet Route Table | None | false | + | parDisableBgpRoutePropagation | bool | false | Switch which allows BGP Propagation to be disabled on the route table | None | false | | parTags | object | Empty object `{}` | Array of Tags to be applied to all resources in the Spoke Network | None | `{"key": "value"}` | | parDdosProtectionPlanId | string | Empty string `''` | Existing DDoS Protection plan to utilize | None | `/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/Hub_Networking_POC/providers/Microsoft.Network/ddosProtectionPlans/alz-ddos-plan` | | parSpokeNetworkAddressPrefix | string | '10.11.0.0/16' | CIDR for Spoke Network | None | '10.11.0.0/16' | | parSpokeNetworkName | string | 'vnet-spoke' | The Name of the Spoke Virtual Network. 
| None | 'vnet-spoke' | - | parDnsServerIPs | array | Empty array `[]` | DNS Servers to use for VNet DNS Resolution | None | `['10.10.1.4', '10.20.1.5']` | - | parNextHopIPAddress | string | Empty string `''` | IP Address where network traffic should route to leverage DNS Proxy | None | '192.168.50.4' | + | parDnsServerIps | array | Empty array `[]` | DNS Servers to use for VNet DNS Resolution | None | `['10.10.1.4', '10.20.1.5']` | + | parNextHopIpAddress | string | Empty string `''` | IP Address where network traffic should route to leverage DNS Proxy | None | '192.168.50.4' | | parSpokeToHubRouteTableName | string | 'rtb-spoke-to-hub' | Name of Route table to create for the default route of Hub. | None | 'rtb-spoke-to-hub ' | | parTelemetryOptOut | bool | false | Set Parameter to true to Opt-out of deployment telemetry | None | false | @@ -56,7 +56,7 @@ az group create --location eastus \ az deployment group create \ --resource-group Spoke_Networking_POC \ --template-file infra-as-code/bicep/modules/spokeNetworking/spokeNetworking.bicep \ - --parameters @infra-as-code/bicep/modules/spokeNetworking/spokeNetworking.parameters.example.json + --parameters @infra-as-code/bicep/modules/spokeNetworking/parameters/spokeNetworking.parameters.all.json ``` OR ```bash @@ -71,7 +71,7 @@ az group create --location chinaeast2 \ az deployment group create \ --resource-group Spoke_Networking_POC \ --template-file infra-as-code/bicep/modules/spokeNetworking/spokeNetworking.bicep \ - --parameters @infra-as-code/bicep/modules/spokeNetworking/spokeNetworking.parameters.example.json + --parameters @infra-as-code/bicep/modules/spokeNetworking/parameters/spokeNetworking.parameters.all.json ``` ### PowerShell 
@@ -88,7 +88,7 @@ New-AzResourceGroup -Name 'Spoke_Networking_POC' ` New-AzResourceGroupDeployment ` -TemplateFile infra-as-code/bicep/modules/spokeNetworking/spokeNetworking.bicep ` - -TemplateParameterFile infra-as-code/bicep/modules/spokeNetworking/spokeNetworking.parameters.example.json ` + -TemplateParameterFile infra-as-code/bicep/modules/spokeNetworking/parameters/spokeNetworking.parameters.all.json ` -ResourceGroupName 'Spoke_Networking_POC' ``` OR @@ -104,20 +104,14 @@ New-AzResourceGroup -Name 'Spoke_Networking_POC' ` New-AzResourceGroupDeployment ` -TemplateFile infra-as-code/bicep/modules/spokeNetworking/spokeNetworking.bicep ` - -TemplateParameterFile infra-as-code/bicep/modules/spokeNetworking/spokeNetworking.parameters.example.json + -TemplateParameterFile infra-as-code/bicep/modules/spokeNetworking/parameters/spokeNetworking.parameters.all.json ` -ResourceGroupName 'Spoke_Networking_POC' ``` ## Example Output in Azure global regions -![Example Deployment Output](media/spokeNetworkExampleDeploymentOutput.png "Example Deployment Output in Azure global regions") +![Example Deployment Output](media/exampleDeploymentOutput.png "Example Deployment Output in Azure global regions") ## Bicep Visualizer ![Bicep Visualizer](media/bicepVisualizer.png "Bicep Visualizer") - - - - - - diff --git a/infra-as-code/bicep/modules/spokeNetworking/media/spokeNetworkExampleDeploymentOutput.png b/infra-as-code/bicep/modules/spokeNetworking/media/exampleDeploymentOutput.png similarity index 100% rename from infra-as-code/bicep/modules/spokeNetworking/media/spokeNetworkExampleDeploymentOutput.png rename to infra-as-code/bicep/modules/spokeNetworking/media/exampleDeploymentOutput.png 
diff --git a/infra-as-code/bicep/modules/spokeNetworking/spokeNetworking.parameters.example.json b/infra-as-code/bicep/modules/spokeNetworking/parameters/spokeNetworking.parameters.all.json similarity index 87% rename from infra-as-code/bicep/modules/spokeNetworking/spokeNetworking.parameters.example.json rename to infra-as-code/bicep/modules/spokeNetworking/parameters/spokeNetworking.parameters.all.json index 4a316e46b..1e4adbf63 100644 --- a/infra-as-code/bicep/modules/spokeNetworking/spokeNetworking.parameters.example.json +++ b/infra-as-code/bicep/modules/spokeNetworking/parameters/spokeNetworking.parameters.all.json @@ -5,7 +5,7 @@ "parLocation": { "value": "eastus" }, - "parBGPRoutePropagation": { + "parDisableBgpRoutePropagation": { "value": false }, "parDdosProtectionPlanId": { @@ -17,10 +17,10 @@ "parSpokeNetworkName": { "value": "vnet-spoke" }, - "parDnsServerIPs": { + "parDnsServerIps": { "value": [] }, - "parNextHopIPAddress": { + "parNextHopIpAddress": { "value": "" }, "parSpokeToHubRouteTableName": { @@ -30,7 +30,7 @@ "value": { "Environment": "POC" } - }, + }, "parTelemetryOptOut": { "value": false } diff --git a/infra-as-code/bicep/modules/spokeNetworking/parameters/spokeNetworking.parameters.min.json b/infra-as-code/bicep/modules/spokeNetworking/parameters/spokeNetworking.parameters.min.json new file mode 100644 index 000000000..a6a793508 --- /dev/null +++ b/infra-as-code/bicep/modules/spokeNetworking/parameters/spokeNetworking.parameters.min.json 
@@ -0,0 +1,24 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "parDisableBgpRoutePropagation": { + "value": false + }, + "parDdosProtectionPlanId": { + "value": "" + }, + "parSpokeNetworkAddressPrefix": { + "value": "10.11.0.0/16" + }, + "parDnsServerIps": { + "value": [] + }, + "parNextHopIpAddress": { + "value": "" + }, + "parTelemetryOptOut": { + "value": false + } + } +} \ No newline at end of file diff --git a/infra-as-code/bicep/modules/spokeNetworking/spokeNetworking.bicep b/infra-as-code/bicep/modules/spokeNetworking/spokeNetworking.bicep index 26e405590..85c277af4 100644 --- a/infra-as-code/bicep/modules/spokeNetworking/spokeNetworking.bicep +++ b/infra-as-code/bicep/modules/spokeNetworking/spokeNetworking.bicep @@ -1,11 +1,8 @@ @description('The Azure Region to deploy the resources into. Default: resourceGroup().location') param parLocation string = resourceGroup().location -@description('Switch which allows BGP Route Propagation to be disabled on the route table. Default: false') -param parBGPRoutePropagation bool = false - -@description('Tags you would like to be applied to all resources in this module. Default: Empty Object') -param parTags object = {} +@description('Switch to enable/disable BGP Propagation on route table. Default: false') +param parDisableBgpRoutePropagation bool = false @description('Id of the DdosProtectionPlan which will be applied to the Virtual Network. Default: Empty String') param parDdosProtectionPlanId string = '' 
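Review bot: `spokeNetworking.parameters.min.json` sets both `parNextHopIpAddress` and `parDdosProtectionPlanId` to `""`, and the README changed in this commit does not say what a deployment from this file leaves out. In spokeNetworking.bicep the route table is declared with `if (!empty(parNextHopIpAddress))` and the DDoS plan is only referenced when the ID is non-empty. A spoke deployed from the minimal file therefore has no default route to the hub appliance and no DDoS plan. JSON cannot carry a comment, so add a line to the module README, for example `The min parameter file does not create the spoke-to-hub route table or attach a DDoS protection plan; set parNextHopIpAddress and parDdosProtectionPlanId to enable them.`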
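Review bot: The new description on `parDisableBgpRoutePropagation`, 'Switch to enable/disable BGP Propagation on route table', does not say which value does what, and the parameter is negated. It feeds `disableBgpRoutePropagation` on the route table later in this file, so `true` turns propagation off. Suggest `@description('Set to true to disable BGP route propagation on the spoke route table. Default: false')`, which also matches the README row changed in this commit. It is worth stating in the README that with the default `false`, gateway-learned routes more specific than the `0.0.0.0/0` route to the virtual appliance are propagated and take precedence, so that traffic would not pass through the appliance.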
@@ -17,14 +14,17 @@ param parSpokeNetworkAddressPrefix string = '10.11.0.0/16' param parSpokeNetworkName string = 'vnet-spoke' @description('Array of DNS Server IP addresses for VNet. Default: Empty Array') -param parDnsServerIPs array = [] +param parDnsServerIps array = [] @description('IP Address where network traffic should route to leveraged with DNS Proxy. Default: Empty String') -param parNextHopIPAddress string = '' +param parNextHopIpAddress string = '' @description('Name of Route table to create for the default route of Hub. Default: rtb-spoke-to-hub') param parSpokeToHubRouteTableName string = 'rtb-spoke-to-hub' +@description('Tags you would like to be applied to all resources in this module. Default: Empty Object') +param parTags object = {} + @description('Set Parameter to true to Opt-out of deployment telemetry. Default: false') param parTelemetryOptOut bool = false @@ -32,7 +32,7 @@ param parTelemetryOptOut bool = false var varCuaid = '0c428583-f2a1-4448-975c-2d6262fd193a' //If Ddos parameter is true Ddos will be Enabled on the Virtual Network -//If Azure Firewall is enabled and Network Dns Proxy is enabled dns will be configured to point to AzureFirewall +//If Azure Firewall is enabled and Network DNS Proxy is enabled DNS will be configured to point to AzureFirewall resource resSpokeVirtualNetwork 'Microsoft.Network/virtualNetworks@2021-02-01' = { name: parSpokeNetworkName location: parLocation 
@@ -47,13 +47,13 @@ resource resSpokeVirtualNetwork 'Microsoft.Network/virtualNetworks@2021-02-01' = ddosProtectionPlan: (!empty(parDdosProtectionPlanId) ? true : false) ? { id: parDdosProtectionPlanId } : null - dhcpOptions: (!empty(parDnsServerIPs) ? true : false) ? { - dnsServers: parDnsServerIPs + dhcpOptions: (!empty(parDnsServerIps) ? true : false) ? { + dnsServers: parDnsServerIps } : null } } -resource resSpokeToHubRouteTable 'Microsoft.Network/routeTables@2021-02-01' = if (!empty(parNextHopIPAddress)) { +resource resSpokeToHubRouteTable 'Microsoft.Network/routeTables@2021-02-01' = if (!empty(parNextHopIpAddress)) { name: parSpokeToHubRouteTableName location: parLocation tags: parTags @@ -64,11 +64,11 @@ resource resSpokeToHubRouteTable 'Microsoft.Network/routeTables@2021-02-01' = if properties: { addressPrefix: '0.0.0.0/0' nextHopType: 'VirtualAppliance' - nextHopIpAddress: parNextHopIPAddress + nextHopIpAddress: parNextHopIpAddress } } ] - disableBgpRoutePropagation: parBGPRoutePropagation + disableBgpRoutePropagation: parDisableBgpRoutePropagation } } diff --git a/infra-as-code/bicep/modules/subscriptionPlacement/README.md b/infra-as-code/bicep/modules/subscriptionPlacement/README.md index 775ef100f..12e240804 100644 --- a/infra-as-code/bicep/modules/subscriptionPlacement/README.md +++ b/infra-as-code/bicep/modules/subscriptionPlacement/README.md 
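Review bot: The `dhcpOptions` line edited here keeps the redundant `(!empty(parDnsServerIps) ? true : false) ? { … } : null`. `empty()` already returns a bool, so the inner ternary adds nothing and makes the condition harder to read. Since the line is being touched anyway, write it as `dhcpOptions: !empty(parDnsServerIps) ? {`, and give the `ddosProtectionPlan` context line above it the same treatment. The resource body starts and ends outside the hunk.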
@@ -17,7 +17,7 @@ The module requires the following required input parameters. ## Deployment -In this example, the subscriptions `34b63c8f-1782-42e6-8fb9-ba6ee8b99735` and `4f9f8765-911a-4a6d-af60-4bc0473268c0` will be moved to `alz-platform-connectivity` management group. The inputs for this module are defined in `subscriptionPlacement.parameters.example.json`. +In this example, the subscriptions `34b63c8f-1782-42e6-8fb9-ba6ee8b99735` and `4f9f8765-911a-4a6d-af60-4bc0473268c0` will be moved to `alz-platform-connectivity` management group. The inputs for this module are defined in `parameters/subscriptionPlacement.parameters.all.json`. > For the examples below we assume you have downloaded or cloned the Git repo as-is and are in the root of the repository as your selected directory in your terminal of choice. @@ -26,7 +26,7 @@ In this example, the subscriptions `34b63c8f-1782-42e6-8fb9-ba6ee8b99735` and `4 # For Azure global regions az deployment mg create \ --template-file infra-as-code/bicep/modules/subscriptionPlacement/subscriptionPlacement.bicep \ - --parameters @infra-as-code/bicep/modules/subscriptionPlacement/subscriptionPlacement.parameters.example.json \ + --parameters @infra-as-code/bicep/modules/subscriptionPlacement/parameters/subscriptionPlacement.parameters.all.json \ --location eastus \ --management-group-id alz ``` @@ -35,7 +35,7 @@ OR # For Azure China regions az deployment mg create \ --template-file infra-as-code/bicep/modules/subscriptionPlacement/subscriptionPlacement.bicep \ - --parameters @infra-as-code/bicep/modules/subscriptionPlacement/subscriptionPlacement.parameters.example.json \ + --parameters @infra-as-code/bicep/modules/subscriptionPlacement/parameters/subscriptionPlacement.parameters.all.json \ --location chinaeast2 \ --management-group-id alz ``` 
@@ -46,7 +46,7 @@ az deployment mg create \ # For Azure global regions New-AzManagementGroupDeployment ` -TemplateFile infra-as-code/bicep/modules/subscriptionPlacement/subscriptionPlacement.bicep ` - -TemplateParameterFile infra-as-code/bicep/modules/subscriptionPlacement/subscriptionPlacement.parameters.example.json ` + -TemplateParameterFile infra-as-code/bicep/modules/subscriptionPlacement/parameters/subscriptionPlacement.parameters.all.json ` -Location eastus ` -ManagementGroupId alz ``` @@ -55,7 +55,7 @@ OR # For Azure China regions New-AzManagementGroupDeployment ` -TemplateFile infra-as-code/bicep/modules/subscriptionPlacement/subscriptionPlacement.bicep ` - -TemplateParameterFile infra-as-code/bicep/modules/subscriptionPlacement/subscriptionPlacement.parameters.example.json ` + -TemplateParameterFile infra-as-code/bicep/modules/subscriptionPlacement/parameters/subscriptionPlacement.parameters.all.json ` -Location chinaeast2 ` -ManagementGroupId alz ``` diff --git a/infra-as-code/bicep/modules/subscriptionPlacement/subscriptionPlacement.parameters.example.json b/infra-as-code/bicep/modules/subscriptionPlacement/parameters/subscriptionPlacement.parameters.all.json similarity index 100% rename from infra-as-code/bicep/modules/subscriptionPlacement/subscriptionPlacement.parameters.example.json rename to infra-as-code/bicep/modules/subscriptionPlacement/parameters/subscriptionPlacement.parameters.all.json diff --git a/infra-as-code/bicep/modules/subscriptionPlacement/parameters/subscriptionPlacement.parameters.min.json b/infra-as-code/bicep/modules/subscriptionPlacement/parameters/subscriptionPlacement.parameters.min.json new file mode 100644 index 000000000..2ed01fb87 --- /dev/null +++ b/infra-as-code/bicep/modules/subscriptionPlacement/parameters/subscriptionPlacement.parameters.min.json 
@@ -0,0 +1,17 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "parTargetManagementGroupId": { + "value": "alz-platform-connectivity" + }, + "parSubscriptionIds": { + "value": [ + "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" + ] + }, + "parTelemetryOptOut": { + "value": false + } + } +} \ No newline at end of file diff --git a/infra-as-code/bicep/modules/unstable/orchestration/hubSpoke/orch-hubSpoke.bicep b/infra-as-code/bicep/modules/unstable/orchestration/hubSpoke/orchHubSpoke.bicep similarity index 57% rename from infra-as-code/bicep/modules/unstable/orchestration/hubSpoke/orch-hubSpoke.bicep rename to infra-as-code/bicep/modules/unstable/orchestration/hubSpoke/orchHubSpoke.bicep index da815ba60..631e3aecf 100644 --- a/infra-as-code/bicep/modules/unstable/orchestration/hubSpoke/orch-hubSpoke.bicep +++ b/infra-as-code/bicep/modules/unstable/orchestration/hubSpoke/orchHubSpoke.bicep 
@@ -81,26 +81,26 @@ param parLogAnalyticsWorkspaceSolutions array = [ param parAutomationAccountName string = 'alz-automation-account' // Hub Networking Module Parameters -@description('Switch which allows Bastion deployment to be disabled. Default: true') -param parBastionEnabled bool = true +@description('Switch to enable/disable Azure Bastion deployment. Default: true') +param parAzBastionEnabled bool = true -@description('Switch which allows DDOS deployment to be disabled. Default: true') +@description('Switch to enable/disable DDoS Standard deployment. Default: true') param parDdosEnabled bool = true -@description('DDOS Plan Name. Default: {parTopLevelManagementGroupPrefix}-ddos-plan') +@description('DDoS Plan Name. Default: {parTopLevelManagementGroupPrefix}-ddos-plan') param parDdosPlanName string = '${parTopLevelManagementGroupPrefix}-ddos-plan' -@description('Switch which allows Azure Firewall deployment to be disabled. Default: true') -param parAzureFirewallEnabled bool = true +@description('Switch to enable/disable Azure Firewall deployment. Default: true') +param parAzFirewallEnabled bool = true -@description('Switch which allos DNS Proxy to be enabled on the virtual network. Default: true') -param parNetworkDNSEnableProxy bool = true +@description('Switch to enable/disable Azure Firewall DNS Proxy. Default: true') +param parAzFirewallDnsProxyEnabled bool = true -@description('Switch which allows BGP Propagation to be disabled on the routes: Default: false') -param parDisableBGPRoutePropagation bool = false +@description('Switch to enable/disable BGP Propagation on route table. Default: false') +param parDisableBgpRoutePropagation bool = false -@description('Switch which allows Private DNS Zones to be disabled. Default: true') -param parPrivateDNSZonesEnabled bool = true +@description('Switch to enable/disable Private DNS Zones deployment. 
Default: true') +param parPrivateDnsZonesEnabled bool = true //ASN must be 65515 if deploying VPN & ER for co-existence to work: https://docs.microsoft.com/en-us/azure/expressroute/expressroute-howto-coexist-resource-manager#limits-and-limitations @description('''Configuration for VPN virtual network gateway to be deployed. If a VPN virtual network gateway is not desired an empty object should be used as the input parameter in the parameter file, i.e. @@ -109,9 +109,9 @@ param parPrivateDNSZonesEnabled bool = true }''') param parVpnGatewayConfig object = { name: '${parTopLevelManagementGroupPrefix}-Vpn-Gateway' - gatewaytype: 'Vpn' + gatewayType: 'Vpn' sku: 'VpnGw1' - vpntype: 'RouteBased' + vpnType: 'RouteBased' generation: 'Generation1' enableBgp: false activeActive: false @@ -132,9 +132,9 @@ param parVpnGatewayConfig object = { }''') param parExpressRouteGatewayConfig object = { name: '${parTopLevelManagementGroupPrefix}-ExpressRoute-Gateway' - gatewaytype: 'ExpressRoute' + gatewayType: 'ExpressRoute' sku: 'ErGw1AZ' - vpntype: 'RouteBased' + vpnType: 'RouteBased' vpnGatewayGeneration: 'None' enableBgp: false activeActive: false @@ -150,14 +150,14 @@ param parExpressRouteGatewayConfig object = { } @description('Azure Bastion SKU or Tier to deploy. Currently two options exist Basic and Standard. Default: Standard') -param parBastionSku string = 'Standard' +param parAzBastionSku string = 'Standard' @description('Public IP Address SKU. Default: Standard') @allowed([ 'Basic' 'Standard' ]) -param parPublicIPSku string = 'Standard' +param parPublicIpSku string = 'Standard' @description('Tags you would like to be applied to all resources in this module. Default: empty array') param parTags object = {} 
@@ -169,14 +169,14 @@ param parHubNetworkAddressPrefix string = '10.10.0.0/16' param parHubNetworkName string = '${parTopLevelManagementGroupPrefix}-hub-${parLocation}' @description('Azure Firewall Name. Default: {parTopLevelManagementGroupPrefix}-azure-firewall ') -param parAzureFirewallName string = '${parTopLevelManagementGroupPrefix}-azure-firewall' +param parAzFirewallName string = '${parTopLevelManagementGroupPrefix}-azure-firewall' @description('Azure Firewall Tier associated with the Firewall to deploy. Default: Standard ') @allowed([ 'Standard' 'Premium' ]) -param parAzureFirewallTier string = 'Standard' +param parAzFirewallTier string = 'Standard' @description('Name of Route table to create for the default route of Hub. Default: {parTopLevelManagementGroupPrefix}-hub-routetable') param parHubRouteTableName string = '${parTopLevelManagementGroupPrefix}-hub-routetable' @@ -198,7 +198,7 @@ param parSubnets array = [ ] @description('Name Associated with Bastion Service: Default: {parTopLevelManagementGroupPrefix}-bastion') -param parBastionName string = '${parTopLevelManagementGroupPrefix}-bastion' +param parAzBastionName string = '${parTopLevelManagementGroupPrefix}-bastion' @description('Array of DNS Zones to provision in Hub Virtual Network. Default: All known Azure Privatezones') param parPrivateDnsZones array = [ 
@@ -247,18 +247,18 @@ param parPrivateDnsZones array = [ ] @description('Array of DNS Server IP addresses for VNet. Default: Empty Array') -param parDNSServerIPArray array = [] +param parDnsServerIps array = [] // Policy Assignments Module Parameters @description('An e-mail address that you want Azure Security Center alerts to be sent to.') -param parASCEmailSecurityContact string +param parAscEmailSecurityContact string // Spoke Networking Module Parameters @description('The Name of the Spoke Virtual Network. Default: vnet-spoke') param parSpokeNetworkName string = 'vnet-spoke' -@description('Switch which allows BGP Route Propogation to be disabled on the route table') -param parBGPRoutePropogation bool = false +@description('Switch which allows BGP Route Propagation to be disabled on the route table') +param parDisableBgpRoutePropagation bool = false @description('Name of Route table to create for the default route of Hub. Default: rtb-spoke-to-hub') param parSpoketoHubRouteTableName string = 'rtb-spoke-to-hub' 
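Review bot: `param parDisableBgpRoutePropagation bool = false` under "Spoke Networking Module Parameters" now has the same name as the hub switch, which the `@@ -81,26 +81,26 @@` hunk of this file also renames to `parDisableBgpRoutePropagation`. Before the change the two were distinct (`parDisableBGPRoutePropagation` and `parBGPRoutePropogation`). Bicep rejects a second declaration of the same identifier, and if one is simply dropped the hub and spoke route tables would share a single switch. Keep them separate, for example `param parSpokeDisableBgpRoutePropagation bool = false` here, and pass that to the spoke module. The module call sites are outside this hunk, so confirm which name each one uses.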
@@ -293,34 +293,34 @@ var varModuleDeploymentNames = { modSubscriptionPlacementIdentity: take('${varDeploymentNameWrappers.basePrefix}-sub-place-idnt-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) modSubscriptionPlacementCorp: take('${varDeploymentNameWrappers.basePrefix}-sub-place-corp-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) modSubscriptionPlacementOnline: take('${varDeploymentNameWrappers.basePrefix}-sub-place-online-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) - modPolicyAssignmentIntRootDeployASCDFConfig: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployASCDFConfig-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) + modPolicyAssignmentIntRootDeployAscDfConfig: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployASCDFConfig-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) modPolicyAssignmentIntRootDeployAzActivityLog: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployAzActivityLog-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) - modPolicyAssignmentIntRootDeployASCMonitoring: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployASCMonitoring-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) + modPolicyAssignmentIntRootDeployAscMonitoring: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployASCMonitoring-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) modPolicyAssignmentIntRootDeployResourceDiag: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployResoruceDiag-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) - modPolicyAssignmentIntRootDeployVMMonitoring: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployVMMonitoring-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) - modPolicyAssignmentIntRootDeployVMSSMonitoring: 
take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployVMSSMonitoring-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) - modPolicyAssignmentConnEnableDDoSVNET: take('${varDeploymentNameWrappers.basePrefix}-polAssi-enableDDoSVNET-conn-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) - modPolicyAssignmentIdentDenyPublicIP: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyPublicIP-ident-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) - modPolicyAssignmentIdentDenyRDPFromInternet: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyRDPFromInet-ident-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) - modPolicyAssignmentIdentDenySubnetWithoutNSG: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denySubnetNoNSG-ident-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) - modPolicyAssignmentIdentDeployVMBackup: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployVMBackup-ident-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) + modPolicyAssignmentIntRootDeployVmMonitoring: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployVMMonitoring-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) + modPolicyAssignmentIntRootDeployVmssMonitoring: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployVMSSMonitoring-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) + modPolicyAssignmentConnEnableDdosVnet: take('${varDeploymentNameWrappers.basePrefix}-polAssi-enableDDoSVNET-conn-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) + modPolicyAssignmentIdentDenyPublicIp: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyPublicIP-ident-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) + modPolicyAssignmentIdentDenyRdpFromInternet: 
take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyRDPFromInet-ident-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) + modPolicyAssignmentIdentDenySubnetWithoutNsg: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denySubnetNoNSG-ident-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) + modPolicyAssignmentIdentDeployVmBackup: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployVMBackup-ident-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) modPolicyAssignmentMgmtDeployLogAnalytics: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployLAW-mgmt-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) - modPolicyAssignmentLZsDenyIPForwarding: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyIPForward-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) - modPolicyAssignmentLZsDenyPublicIP: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyPublicIP-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) - modPolicyAssignmentLZsDenyRDPFromInternet: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyRDPFromInet-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) - modPolicyAssignmentLZsDenySubnetWithoutNSG: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denySubnetNoNSG-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) - modPolicyAssignmentLZsDeployVMBackup: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployVMBackup-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) - modPolicyAssignmentLZsEnableDDoSVNET: take('${varDeploymentNameWrappers.basePrefix}-polAssi-enableDDoSVNET-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) - modPolicyAssignmentLZsDenyStorageHttp: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyStorageHttp-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) - 
modPolicyAssignmentLZsDeployAKSPolicy: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployAKSPolicy-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) - modPolicyAssignmentLZsDenyPrivEscalationAKS: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyPrivEscAKS-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) - modPolicyAssignmentLZsDenyPrivContainersAKS: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyPrivConAKS-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) - modPolicyAssignmentLZsEnforceAKSHTTPS: take('${varDeploymentNameWrappers.basePrefix}-polAssi-enforceAKSHTTPS-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) - modPolicyAssignmentLZsEnforceTLSSSL: take('${varDeploymentNameWrappers.basePrefix}-polAssi-enforceTLSSSL-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) - modPolicyAssignmentLZsDeploySQLDBAuditing: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deploySQLDBAudit-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) - modPolicyAssignmentLZsDeploySQLThreat: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deploySQLThreat-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) - modPolicyAssignmentLZsDenyPublicEndpoints: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyPublicEndpoints-corp-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) - modPolicyAssignmentLZsDeployPrivateDNSZones: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployPrivateDNS-corp-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) + modPolicyAssignmentLzsDenyIpForwarding: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyIPForward-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) + modPolicyAssignmentLzsDenyPublicIp: 
take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyPublicIP-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) + modPolicyAssignmentLzsDenyRdpFromInternet: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyRDPFromInet-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) + modPolicyAssignmentLzsDenySubnetWithoutNsg: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denySubnetNoNSG-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) + modPolicyAssignmentLzsDeployVmBackup: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployVMBackup-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) + modPolicyAssignmentLzsEnableDdosVnet: take('${varDeploymentNameWrappers.basePrefix}-polAssi-enableDDoSVNET-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) + modPolicyAssignmentLzsDenyStorageHttp: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyStorageHttp-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) + modPolicyAssignmentLzsDeployAksPolicy: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployAKSPolicy-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) + modPolicyAssignmentLzsDenyPrivEscalationAks: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyPrivEscAKS-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) + modPolicyAssignmentLzsDenyPrivContainersAks: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyPrivConAKS-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) + modPolicyAssignmentLzsEnforceAksHttps: take('${varDeploymentNameWrappers.basePrefix}-polAssi-enforceAKSHTTPS-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) + modPolicyAssignmentLzsEnforceTlsSsl: take('${varDeploymentNameWrappers.basePrefix}-polAssi-enforceTLSSSL-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) + 
modPolicyAssignmentLzsDeploySqlDbAuditing: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deploySQLDBAudit-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) + modPolicyAssignmentLzsDeploySqlThreat: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deploySQLThreat-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) + modPolicyAssignmentLzsDenyPublicEndpoints: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyPublicEndpoints-corp-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) + modPolicyAssignmentLzsDeployPrivateDnsZones: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployPrivateDNS-corp-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) modResourceGroupForSpokeNetworking: take('${varDeploymentNameWrappers.basePrefix}-rsgSpokeNetworking-${varDeploymentNameWrappers.baseSuffixCorpSubscriptions}', 61) modSpokeNetworking: take('${varDeploymentNameWrappers.basePrefix}-modSpokeNetworking-${varDeploymentNameWrappers.baseSuffixCorpSubscriptions}', 61) modSpokePeeringToHub: take('${varDeploymentNameWrappers.basePrefix}-modSpokePeeringToHub-${varDeploymentNameWrappers.baseSuffixCorpSubscriptions}', 61) 
@@ -328,163 +328,163 @@ var varModuleDeploymentNames = { } // Policy Assignments Modules Variables -var varPolicyAssignmentDenyAppGWWithoutWAF = { - definitionID: '${modManagementGroups.outputs.outTopLevelMGId}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppGW-Without-WAF' - libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_appgw_without_waf.tmpl.json')) +var varPolicyAssignmentDenyAppGwWithoutWaf = { + definitionId: '${modManagementGroups.outputs.outTopLevelManagementGroupId}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppGW-Without-WAF' + libDefinition: json(loadTextContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_appgw_without_waf.tmpl.json')) } -var varPolicyAssignmentEnforceAKSHTTPS = { - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d' - libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_http_ingress_aks.tmpl.json')) +var varPolicyAssignmentEnforceAksHttps = { + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d' + libDefinition: json(loadTextContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_http_ingress_aks.tmpl.json')) } -var varPolicyAssignmentDenyIPForwarding = { - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900' - libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_ip_forwarding.tmpl.json')) +var varPolicyAssignmentDenyIpForwarding = { + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900' + libDefinition: json(loadTextContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_ip_forwarding.tmpl.json')) } -var 
varPolicyAssignmentDenyPrivContainersAKS = { - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4' - libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_priv_containers_aks.tmpl.json')) +var varPolicyAssignmentDenyPrivContainersAks = { + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4' + libDefinition: json(loadTextContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_priv_containers_aks.tmpl.json')) } -var varPolicyAssignmentDenyPrivEscalationAKS = { - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99' - libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_priv_escalation_aks.tmpl.json')) +var varPolicyAssignmentDenyPrivEscalationAks = { + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99' + libDefinition: json(loadTextContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_priv_escalation_aks.tmpl.json')) } var varPolicyAssignmentDenyPublicEndpoints = { - definitionID: '${modManagementGroups.outputs.outTopLevelMGId}/providers/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints' - libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_public_endpoints.tmpl.json')) + definitionId: '${modManagementGroups.outputs.outTopLevelManagementGroupId}/providers/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints' + libDefinition: json(loadTextContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_public_endpoints.tmpl.json')) } -var varPolicyAssignmentDenyPublicIP = { - definitionID: 
'${modManagementGroups.outputs.outTopLevelMGId}/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicIP' - libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_public_ip.tmpl.json')) +var varPolicyAssignmentDenyPublicIp = { + definitionId: '${modManagementGroups.outputs.outTopLevelManagementGroupId}/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicIP' + libDefinition: json(loadTextContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_public_ip.tmpl.json')) } -var varPolicyAssignmentDenyRDPFromInternet = { - definitionID: '${modManagementGroups.outputs.outTopLevelMGId}/providers/Microsoft.Authorization/policyDefinitions/Deny-RDP-From-Internet' - libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_rdp_from_internet.tmpl.json')) +var varPolicyAssignmentDenyRdpFromInternet = { + definitionId: '${modManagementGroups.outputs.outTopLevelManagementGroupId}/providers/Microsoft.Authorization/policyDefinitions/Deny-RDP-From-Internet' + libDefinition: json(loadTextContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_rdp_from_internet.tmpl.json')) } var varPolicyAssignmentDenyResourceLocations = { - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c' - libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_resource_locations.tmpl.json')) + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c' + libDefinition: json(loadTextContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_resource_locations.tmpl.json')) } var varPolicyAssignmentDenyResourceTypes = { - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749' - libDefinition: 
json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_resource_types.tmpl.json')) + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749' + libDefinition: json(loadTextContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_resource_types.tmpl.json')) } -var varPolicyAssignmentDenyRSGLocations = { - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/e765b5de-1225-4ba3-bd56-1ac6695af988' - libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_rsg_locations.tmpl.json')) +var varPolicyAssignmentDenyRsgLocations = { + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/e765b5de-1225-4ba3-bd56-1ac6695af988' + libDefinition: json(loadTextContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_rsg_locations.tmpl.json')) } -var varPolicyAssignmentDenyStoragehttp = { - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9' - libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_storage_http.tmpl.json')) +var varPolicyAssignmentDenyStorageHttp = { + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9' + libDefinition: json(loadTextContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_storage_http.tmpl.json')) } var varPolicyAssignmentDenySubnetWithoutNsg = { - definitionID: '${modManagementGroups.outputs.outTopLevelMGId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg' - libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_subnet_without_nsg.tmpl.json')) + definitionId: 
'${modManagementGroups.outputs.outTopLevelManagementGroupId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg' + libDefinition: json(loadTextContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_subnet_without_nsg.tmpl.json')) } var varPolicyAssignmentDenySubnetWithoutUdr = { - definitionID: '${modManagementGroups.outputs.outTopLevelMGId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Udr' - libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_subnet_without_udr.tmpl.json')) + definitionId: '${modManagementGroups.outputs.outTopLevelManagementGroupId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Udr' + libDefinition: json(loadTextContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_subnet_without_udr.tmpl.json')) } -var varPolicyAssignmentDeployAKSPolicy = { - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7' - libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_aks_policy.tmpl.json')) +var varPolicyAssignmentDeployAksPolicy = { + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7' + libDefinition: json(loadTextContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_aks_policy.tmpl.json')) } -var varPolicyAssignmentDeployASCMonitoring = { - definitionID: '/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8' - libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_asc_monitoring.tmpl.json')) +var varPolicyAssignmentDeployAscMonitoring = { + definitionId: '/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8' + libDefinition: 
json(loadTextContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_asc_monitoring.tmpl.json')) } -var varPolicyAssignmentDeployASCDFConfig = { - definitionID: '${modManagementGroups.outputs.outTopLevelMGId}/providers/Microsoft.Authorization/policySetDefinitions/Deploy-ASCDF-Config' - libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_ascdf_config.tmpl.json')) -} +// var varPolicyAssignmentDeployASCDFConfig = { +// definitionId: '${modManagementGroups.outputs.outTopLevelManagementGroupId}/providers/Microsoft.Authorization/policySetDefinitions/Deploy-ASCDF-Config' +// libDefinition: json(loadTextContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_ascdf_config.tmpl.json')) +// } var varPolicyAssignmentDeployAzActivityLog = { - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/2465583e-4e78-4c15-b6be-a36cbc7c8b0f' - libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_azactivity_log.tmpl.json')) + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/2465583e-4e78-4c15-b6be-a36cbc7c8b0f' + libDefinition: json(loadTextContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_azactivity_log.tmpl.json')) } var varPolicyAssignmentDeployLogAnalytics = { - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/8e3e61b3-0b32-22d5-4edf-55f87fdb5955' - libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_log_analytics.tmpl.json')) + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/8e3e61b3-0b32-22d5-4edf-55f87fdb5955' + libDefinition: json(loadTextContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_log_analytics.tmpl.json')) } -var varPolicyAssignmentDeployLXArcMonitoring = { - definitionID: 
'/providers/Microsoft.Authorization/policyDefinitions/9d2b61b4-1d14-4a63-be30-d4498e7ad2cf' - libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_lx_arc_monitoring.tmpl.json')) +var varPolicyAssignmentDeployLxArcMonitoring = { + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/9d2b61b4-1d14-4a63-be30-d4498e7ad2cf' + libDefinition: json(loadTextContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_lx_arc_monitoring.tmpl.json')) } -var varPolicyAssignmentDeployPrivateDNSZones = { - definitionID: '${modManagementGroups.outputs.outTopLevelMGId}/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones' - libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_private_dns_zones.tmpl.json')) +var varPolicyAssignmentDeployPrivateDnzZones = { + definitionId: '${modManagementGroups.outputs.outTopLevelManagementGroupId}/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones' + libDefinition: json(loadTextContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_private_dns_zones.tmpl.json')) } var varPolicyAssignmentDeployResourceDiag = { - definitionID: '${modManagementGroups.outputs.outTopLevelMGId}/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Diagnostics-LogAnalytics' - libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_resource_diag.tmpl.json')) + definitionId: '${modManagementGroups.outputs.outTopLevelManagementGroupId}/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Diagnostics-LogAnalytics' + libDefinition: json(loadTextContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_resource_diag.tmpl.json')) } -var varPolicyAssignmentDeploySQLDBAuditing = { - definitionID: 
'/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9' - libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_sql_db_auditing.tmpl.json')) +var varPolicyAssignmentDeploySqlDbAuditing = { + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9' + libDefinition: json(loadTextContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_sql_db_auditing.tmpl.json')) } -var varPolicyAssignmentDeploySQLSecurity = { - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f' - libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_sql_security.tmpl.json')) +var varPolicyAssignmentDeploySqlSecurity = { + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f' + libDefinition: json(loadTextContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_sql_security.tmpl.json')) } -var varPolicyAssignmentDeploySQLThreat = { - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/36d49e87-48c4-4f2e-beed-ba4ed02b71f5' - libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_sql_threat.tmpl.json')) +var varPolicyAssignmentDeploySqlThreat = { + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/36d49e87-48c4-4f2e-beed-ba4ed02b71f5' + libDefinition: json(loadTextContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_sql_threat.tmpl.json')) } -var varPolicyAssignmentDeployVMBackup = { - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86' - libDefinition: 
json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_backup.tmpl.json')) +var varPolicyAssignmentDeployVmBackup = { + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86' + libDefinition: json(loadTextContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_backup.tmpl.json')) } -var varPolicyAssignmentDeployVMMonitoring = { - definitionID: '/providers/Microsoft.Authorization/policySetDefinitions/55f3eceb-5573-4f18-9695-226972c6d74a' - libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_monitoring.tmpl.json')) +var varPolicyAssignmentDeployVmMonitoring = { + definitionId: '/providers/Microsoft.Authorization/policySetDefinitions/55f3eceb-5573-4f18-9695-226972c6d74a' + libDefinition: json(loadTextContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_monitoring.tmpl.json')) } -var varPolicyAssignmentDeployVMSSMonitoring = { - definitionID: '/providers/Microsoft.Authorization/policySetDefinitions/75714362-cae7-409e-9b99-a8e5075b7fad' - libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vmss_monitoring.tmpl.json')) +var varPolicyAssignmentDeployVmssMonitoring = { + definitionId: '/providers/Microsoft.Authorization/policySetDefinitions/75714362-cae7-409e-9b99-a8e5075b7fad' + libDefinition: json(loadTextContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vmss_monitoring.tmpl.json')) } -var varPolicyAssignmentDeployWSArcMonitoring = { - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/69af7d4a-7b18-4044-93a9-2651498ef203' - libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_ws_arc_monitoring.tmpl.json')) +var varPolicyAssignmentDeployWsArcMonitoring = { + 
definitionId: '/providers/Microsoft.Authorization/policyDefinitions/69af7d4a-7b18-4044-93a9-2651498ef203' + libDefinition: json(loadTextContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_ws_arc_monitoring.tmpl.json')) } -var varPolicyAssignmentEnableDDoSVNET = { - definitionID: '/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d' - libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_enable_ddos_vnet.tmpl.json')) +var varPolicyAssignmentEnableDdosVnet = { + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d' + libDefinition: json(loadTextContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_enable_ddos_vnet.tmpl.json')) } -var varPolicyAssignmentEnforceTLSSSL = { - definitionID: '${modManagementGroups.outputs.outTopLevelMGId}/providers/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit' - libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_tls_ssl.tmpl.json')) +var varPolicyAssignmentEnforceTlsSsl = { + definitionId: '${modManagementGroups.outputs.outTopLevelManagementGroupId}/providers/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit' + libDefinition: json(loadTextContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_tls_ssl.tmpl.json')) } // RBAC Role Definitions Variables - Used For Policy Assignments -var varRBACRoleDefinitionIDs = { +var varRbacRoleDefinitionIds = { owner: '8e3af657-a8ff-443c-a75c-2fe8c4bcb635' contributor: 'b24988ac-6180-42a0-ab88-20f7382dd24c' networkContributor: '4d97b98b-1d4f-4787-a291-c67834d212e7' 
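Review bot: `varPolicyAssignmentDeployASCDFConfig` is commented out rather than renamed, while its deployment-name key `modPolicyAssignmentIntRootDeployAscDfConfig` is still kept in `varModuleDeploymentNames`. If the module that consumed this variable is also disabled (it is outside this hunk), the Deploy-ASCDF-Config initiative is no longer assigned at the intermediate root, which silently drops a security baseline in what otherwise reads as a rename commit. Either restore it under the new casing or state why it is off, e.g. `// TODO: Deploy-ASCDF-Config assignment disabled pending <reason>; re-enable before release`. The same hunk also introduces `varPolicyAssignmentDeployPrivateDnzZones`, which looks like a typo for `varPolicyAssignmentDeployPrivateDnsZones`.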
@@ -492,7 +492,7 @@ var varRBACRoleDefinitionIDs = { } // Managment Groups Varaibles - Used For Policy Assignments -var varManagementGroupIDs = { +var varManagementGroupIds = { intRoot: parTopLevelManagementGroupPrefix platform: '${parTopLevelManagementGroupPrefix}-platform' platformManagement: '${parTopLevelManagementGroupPrefix}-platform-management' @@ -510,13 +510,13 @@ targetScope = 'tenant' // **Modules** // Module - Customer Usage Attribution - Telemtry -module modCustomerUsageAttribution '../../../CRML/customerUsageAttribution/cuaIdTenant.bicep' = if (!parTelemetryOptOut) { +module modCustomerUsageAttribution '../../../../CRML/customerUsageAttribution/cuaIdTenant.bicep' = if (!parTelemetryOptOut) { name: 'pid-${varCuaid}-${uniqueString(deployment().location)}' params: {} } // Module - Management Groups -module modManagementGroups '../../managementGroups/managementGroups.bicep' = { +module modManagementGroups '../../../managementGroups/managementGroups.bicep' = { scope: tenant() name: varModuleDeploymentNames.modManagementGroups params: { @@ -527,11 +527,11 @@ module modManagementGroups '../../managementGroups/managementGroups.bicep' = { } // Module - Custom RBAC Role Definitions - https://github.com/Azure/bicep/issues/5371 -module modCustomRBACRoleDefinitions '../../customRoleDefinitions/customRoleDefinitions.bicep' = { +module modCustomRBACRoleDefinitions '../../../customRoleDefinitions/customRoleDefinitions.bicep' = { dependsOn: [ modManagementGroups ] - scope: managementGroup(varManagementGroupIDs.intRoot) + scope: managementGroup(varManagementGroupIds.intRoot) name: varModuleDeploymentNames.modCustomRBACRoleDefinitions params: { parAssignableScopeManagementGroupId: parTopLevelManagementGroupPrefix 
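Review bot: In the `@@ -527,11` hunk the module symbol `modCustomRBACRoleDefinitions` and its key `varModuleDeploymentNames.modCustomRBACRoleDefinitions` keep the upper-case acronym, while the rest of the commit moves to camel-cased acronyms (`varRbacRoleDefinitionIds`, `varManagementGroupIds`). Renaming both to `modCustomRbacRoleDefinitions` would keep the convention consistent. The key's declaration is outside this hunk and would need the same change, and the module body continues past the end of the hunk.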
@@ -540,28 +540,28 @@ module modCustomRBACRoleDefinitions '../../customRoleDefinitions/customRoleDefin } // Module - Custom Policy Definitions and Initiatives -module modCustomPolicyDefinitions '../../policy/definitions/custom-policy-definitions.bicep' = { - scope: managementGroup(varManagementGroupIDs.intRoot) +module modCustomPolicyDefinitions '../../../policy/definitions/customPolicyDefinitions.bicep' = { + scope: managementGroup(varManagementGroupIds.intRoot) name: varModuleDeploymentNames.modCustomPolicyDefinitions params: { - parTargetManagementGroupID: modManagementGroups.outputs.outTopLevelMGName + parTargetManagementGroupId: modManagementGroups.outputs.outTopLevelManagementGroupName parTelemetryOptOut: parTelemetryOptOut } } // Resource - Resource Group - For Logging - https://github.com/Azure/bicep/issues/5151 & https://github.com/Azure/bicep/issues/4992 -module modResourceGroupForLogging '../../resourceGroup/resourceGroup.bicep' = { +module modResourceGroupForLogging '../../../resourceGroup/resourceGroup.bicep' = { scope: subscription(parManagementSubscriptionId) name: varModuleDeploymentNames.modResourceGroupForLogging params: { - parResourceGroupLocation: parLocation + parLocation: parLocation parResourceGroupName: parResourceGroupNameForLogging parTelemetryOptOut: parTelemetryOptOut } } // Module - Logging, Automation & Sentinel -module modLogging '../../logging/logging.bicep' = { +module modLogging '../../../logging/logging.bicep' = { dependsOn: [ modResourceGroupForLogging ] 
@@ -579,57 +579,57 @@ module modLogging '../../logging/logging.bicep' = { } // Resource - Resource Group - For Hub Networking - https://github.com/Azure/bicep/issues/5151 -module modResourceGroupForHubNetworking '../../resourceGroup/resourceGroup.bicep' = { +module modResourceGroupForHubNetworking '../../../resourceGroup/resourceGroup.bicep' = { scope: subscription(parConnectivitySubscriptionId) name: varModuleDeploymentNames.modResourceGroupForHubNetworking params: { - parResourceGroupLocation: parLocation + parLocation: parLocation parResourceGroupName: parResourceGroupNameForHubNetworking parTelemetryOptOut: parTelemetryOptOut } } // Module - Hub Virtual Networking -module modHubNetworking '../../hubNetworking/hubNetworking.bicep' = { +module modHubNetworking '../../../hubNetworking/hubNetworking.bicep' = { dependsOn: [ modResourceGroupForHubNetworking ] scope: resourceGroup(parConnectivitySubscriptionId, parResourceGroupNameForHubNetworking) name: varModuleDeploymentNames.modHubNetworking params: { - parBastionEnabled: parBastionEnabled - parDDoSEnabled: parDDoSEnabled - parDDoSPlanName: parDDoSPlanName - parAzureFirewallEnabled: parAzureFirewallEnabled - parNetworkDNSEnableProxy: parNetworkDNSEnableProxy - parDisableBGPRoutePropagation: parDisableBGPRoutePropagation - parPrivateDNSZonesEnabled: parPrivateDNSZonesEnabled + parAzBastionEnabled: parAzBastionEnabled + parDdosEnabled: parDdosEnabled + parDdosPlanName: parDdosPlanName + parAzFirewallEnabled: parAzFirewallEnabled + parAzFirewallDnsProxyEnabled: parAzFirewallDnsProxyEnabled + parDisableBgpRoutePropagation: parDisableBgpRoutePropagation + parPrivateDnsZonesEnabled: parPrivateDnsZonesEnabled parExpressRouteGatewayConfig: parExpressRouteGatewayConfig parVpnGatewayConfig: parVpnGatewayConfig parCompanyPrefix: parTopLevelManagementGroupPrefix - parBastionSku: parBastionSku - parPublicIPSku: parPublicIPSku + parAzBastionSku: parAzBastionSku + parPublicIpSku: parPublicIpSku parTags: parTags 
parHubNetworkAddressPrefix: parHubNetworkAddressPrefix parHubNetworkName: parHubNetworkName - parAzureFirewallName: parAzureFirewallName - parAzureFirewallTier: parAzureFirewallTier + parAzFirewallName: parAzFirewallName + parAzFirewallTier: parAzFirewallTier parHubRouteTableName: parHubRouteTableName parSubnets: parSubnets - parBastionName: parBastionName + parAzBastionName: parAzBastionName parPrivateDnsZones: parPrivateDnsZones - parDNSServerIPArray: parDNSServerIPArray + parDnsServerIps: parDnsServerIps parTelemetryOptOut: parTelemetryOptOut } } // Subscription Placements Into Management Group Hierarchy // Module - Subscription Placement - Management -module modSubscriptionPlacementManagement '../../subscriptionPlacement/subscriptionPlacement.bicep' = { - scope: managementGroup(varManagementGroupIDs.platformManagement) +module modSubscriptionPlacementManagement '../../../subscriptionPlacement/subscriptionPlacement.bicep' = { + scope: managementGroup(varManagementGroupIds.platformManagement) name: varModuleDeploymentNames.modSubscriptionPlacementManagement params: { - parTargetManagementGroupId: modManagementGroups.outputs.outPlatformManagementMGName + parTargetManagementGroupId: modManagementGroups.outputs.outPlatformManagementManagementGroupName parSubscriptionIds: [ parManagementSubscriptionId ] 
@@ -638,11 +638,11 @@ module modSubscriptionPlacementManagement '../../subscriptionPlacement/subscript } // Module - Subscription Placement - Connectivity -module modSubscriptionPlacementConnectivity '../../subscriptionPlacement/subscriptionPlacement.bicep' = { - scope: managementGroup(varManagementGroupIDs.platformConnectivity) +module modSubscriptionPlacementConnectivity '../../../subscriptionPlacement/subscriptionPlacement.bicep' = { + scope: managementGroup(varManagementGroupIds.platformConnectivity) name: varModuleDeploymentNames.modSubscriptionPlacementConnectivity params: { - parTargetManagementGroupId: modManagementGroups.outputs.outPlatformConnectivityMGName + parTargetManagementGroupId: modManagementGroups.outputs.outPlatformConnectivityManagementGroupName parSubscriptionIds: [ parConnectivitySubscriptionId ] @@ -651,11 +651,11 @@ module modSubscriptionPlacementConnectivity '../../subscriptionPlacement/subscri } // Module - Subscription Placement - Identity -module modSubscriptionPlacementIdentity '../../subscriptionPlacement/subscriptionPlacement.bicep' = { - scope: managementGroup(varManagementGroupIDs.platformIdentity) +module modSubscriptionPlacementIdentity '../../../subscriptionPlacement/subscriptionPlacement.bicep' = { + scope: managementGroup(varManagementGroupIds.platformIdentity) name: varModuleDeploymentNames.modSubscriptionPlacementIdentity params: { - parTargetManagementGroupId: modManagementGroups.outputs.outPlatformIdentityMGName + parTargetManagementGroupId: modManagementGroups.outputs.outPlatformIdentityManagementGroupName parSubscriptionIds: [ parIdentitySubscriptionId ] 
@@ -664,11 +664,11 @@ module modSubscriptionPlacementIdentity '../../subscriptionPlacement/subscriptio } // Module - Subscription Placement - Corp -module modSubscriptionPlacementCorp '../../subscriptionPlacement/subscriptionPlacement.bicep' = if (!empty(parCorpSubscriptionIds)) { - scope: managementGroup(varManagementGroupIDs.landingZonesCorp) +module modSubscriptionPlacementCorp '../../../subscriptionPlacement/subscriptionPlacement.bicep' = if (!empty(parCorpSubscriptionIds)) { + scope: managementGroup(varManagementGroupIds.landingZonesCorp) name: varModuleDeploymentNames.modSubscriptionPlacementCorp params: { - parTargetManagementGroupId: modManagementGroups.outputs.outLandingZonesCorpMGName + parTargetManagementGroupId: modManagementGroups.outputs.outLandingZonesCorpManagementGroupName parSubscriptionIds: [ parCorpSubscriptionIds ] @@ -677,11 +677,11 @@ module modSubscriptionPlacementCorp '../../subscriptionPlacement/subscriptionPla } // Module - Subscription Placement - Online -module modSubscriptionPlacementOnline '../../subscriptionPlacement/subscriptionPlacement.bicep' = if (!empty(parOnlineSubscriptionIds)) { - scope: managementGroup(varManagementGroupIDs.landingZonesOnline) +module modSubscriptionPlacementOnline '../../../subscriptionPlacement/subscriptionPlacement.bicep' = if (!empty(parOnlineSubscriptionIds)) { + scope: managementGroup(varManagementGroupIds.landingZonesOnline) name: varModuleDeploymentNames.modSubscriptionPlacementOnline params: { - parTargetManagementGroupId: modManagementGroups.outputs.outLandingZonesOnlineMGName + parTargetManagementGroupId: modManagementGroups.outputs.outLandingZonesOnlineManagementGroupName parSubscriptionIds: [ parOnlineSubscriptionIds ] 
@@ -691,47 +691,47 @@ module modSubscriptionPlacementOnline '../../subscriptionPlacement/subscriptionP // Modules - Policy Assignments - Intermediate Root Management Group // Module - Policy Assignment - Deploy-ASCDF-Config -module modPolicyAssignmentIntRootDeployASCDFConfig '../../policy/assignments/policyAssignmentManagementGroup.bicep' = { - dependsOn: [ - modCustomPolicyDefinitions - ] - scope: managementGroup(varManagementGroupIDs.intRoot) - name: varModuleDeploymentNames.modPolicyAssignmentIntRootDeployASCDFConfig - params: { - parPolicyAssignmentDefinitionID: varPolicyAssignmentDeployASCDFConfig.definitionID - parPolicyAssignmentName: varPolicyAssignmentDeployASCDFConfig.libDefinition.name - parPolicyAssignmentDisplayName: varPolicyAssignmentDeployASCDFConfig.libDefinition.properties.displayName - parPolicyAssignmentDescription: varPolicyAssignmentDeployASCDFConfig.libDefinition.properties.description - parPolicyAssignmentParameters: varPolicyAssignmentDeployASCDFConfig.libDefinition.properties.parameters - parPolicyAssignmentParameterOverrides: { - emailSecurityContact: { - value: parASCEmailSecurityContact - } - ascExportResourceGroupLocation: { - value: parLocation - } - logAnalytics: { - value: modLogging.outputs.outLogAnalyticsWorkspaceId - } - } - parPolicyAssignmentIdentityType: varPolicyAssignmentDeployASCDFConfig.libDefinition.identity.type - parPolicyAssignmentIdentityRoleDefinitionIDs: [ - varRBACRoleDefinitionIDs.owner - ] - parPolicyAssignmentEnforcementMode: varPolicyAssignmentDeployASCDFConfig.libDefinition.properties.enforcementMode - parTelemetryOptOut: parTelemetryOptOut - } -} +// module modPolicyAssignmentIntRootDeployAscDfConfig '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { +// dependsOn: [ +// modCustomPolicyDefinitions +// ] +// scope: managementGroup(varManagementGroupIds.intRoot) +// name: varModuleDeploymentNames.modPolicyAssignmentIntRootDeployAscDfConfig +// params: { +// parPolicyAssignmentDefinitionId: 
varPolicyAssignmentDeployASCDFConfig.definitionId +// parPolicyAssignmentName: varPolicyAssignmentDeployASCDFConfig.libDefinition.name +// parPolicyAssignmentDisplayName: varPolicyAssignmentDeployASCDFConfig.libDefinition.properties.displayName +// parPolicyAssignmentDescription: varPolicyAssignmentDeployASCDFConfig.libDefinition.properties.description +// parPolicyAssignmentParameters: varPolicyAssignmentDeployASCDFConfig.libDefinition.properties.parameters +// parPolicyAssignmentParameterOverrides: { +// emailSecurityContact: { +// value: parAscEmailSecurityContact +// } +// ascExportResourceGroupLocation: { +// value: parLocation +// } +// logAnalytics: { +// value: modLogging.outputs.outLogAnalyticsWorkspaceId +// } +// } +// parPolicyAssignmentIdentityType: varPolicyAssignmentDeployASCDFConfig.libDefinition.identity.type +// parPolicyAssignmentIdentityRoleDefinitionIds: [ +// varRbacRoleDefinitionIds.owner +// ] +// parPolicyAssignmentEnforcementMode: varPolicyAssignmentDeployASCDFConfig.libDefinition.properties.enforcementMode +// parTelemetryOptOut: parTelemetryOptOut +// } +// } // Module - Policy Assignment - Deploy-AzActivity-Log -module modPolicyAssignmentIntRootDeployAzActivityLog '../../policy/assignments/policyAssignmentManagementGroup.bicep' = { +module modPolicyAssignmentIntRootDeployAzActivityLog '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { dependsOn: [ modCustomPolicyDefinitions ] - scope: managementGroup(varManagementGroupIDs.intRoot) + scope: managementGroup(varManagementGroupIds.intRoot) name: varModuleDeploymentNames.modPolicyAssignmentIntRootDeployAzActivityLog params: { - parPolicyAssignmentDefinitionID: varPolicyAssignmentDeployAzActivityLog.definitionID + parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployAzActivityLog.definitionId parPolicyAssignmentName: varPolicyAssignmentDeployAzActivityLog.libDefinition.name parPolicyAssignmentDisplayName: 
varPolicyAssignmentDeployAzActivityLog.libDefinition.properties.displayName parPolicyAssignmentDescription: varPolicyAssignmentDeployAzActivityLog.libDefinition.properties.description @@ -742,8 +742,8 @@ module modPolicyAssignmentIntRootDeployAzActivityLog '../../policy/assignments/p } } parPolicyAssignmentIdentityType: varPolicyAssignmentDeployAzActivityLog.libDefinition.identity.type - parPolicyAssignmentIdentityRoleDefinitionIDs: [ - varRBACRoleDefinitionIDs.owner + parPolicyAssignmentIdentityRoleDefinitionIds: [ + varRbacRoleDefinitionIds.owner ] parPolicyAssignmentEnforcementMode: varPolicyAssignmentDeployAzActivityLog.libDefinition.properties.enforcementMode parTelemetryOptOut: parTelemetryOptOut 
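Review bot: The Deploy-ASCDF-Config assignment at the intermediate root is disabled in the `-691` hunk by commenting out the whole `modPolicyAssignmentIntRootDeployAscDfConfig` module, and nothing in the hunk says why. The disabled module is the one that passes `emailSecurityContact`, `ascExportResourceGroupLocation` and the `logAnalytics` workspace id to that policy at `varManagementGroupIds.intRoot`, so scopes under the intermediate root lose that configuration unless it is assigned elsewhere. Record the reason next to the block, for example `// Deploy-ASCDF-Config is not assigned in this deployment: <reason>, tracked in <issue link>`, or delete the block rather than keep it as dead code. The commented lines also mix the renamed `varRbacRoleDefinitionIds` with the old-style `varPolicyAssignmentDeployASCDFConfig`, so the block may not compile if it is simply uncommented later; the variable declaration is outside this hunk and should be checked.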
@@ -751,33 +751,33 @@ module modPolicyAssignmentIntRootDeployAzActivityLog '../../policy/assignments/p } // Module - Policy Assignment - Deploy-ASC-Monitoring - https://github.com/Azure/bicep/issues/5371 -module modPolicyAssignmentIntRootDeployASCMonitoring '../../policy/assignments/policyAssignmentManagementGroup.bicep' = { +module modPolicyAssignmentIntRootDeployAscMonitoring '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { // dependsOn: [ // modCustomPolicyDefinitions // ] - scope: managementGroup(varManagementGroupIDs.intRoot) - name: varModuleDeploymentNames.modPolicyAssignmentIntRootDeployASCMonitoring + scope: managementGroup(varManagementGroupIds.intRoot) + name: varModuleDeploymentNames.modPolicyAssignmentIntRootDeployAscMonitoring params: { - parPolicyAssignmentDefinitionID: varPolicyAssignmentDeployASCMonitoring.definitionID - parPolicyAssignmentName: varPolicyAssignmentDeployASCMonitoring.libDefinition.name - parPolicyAssignmentDisplayName: varPolicyAssignmentDeployASCMonitoring.libDefinition.properties.displayName - parPolicyAssignmentDescription: varPolicyAssignmentDeployASCMonitoring.libDefinition.properties.description - parPolicyAssignmentParameters: varPolicyAssignmentDeployASCMonitoring.libDefinition.properties.parameters - parPolicyAssignmentIdentityType: varPolicyAssignmentDeployASCMonitoring.libDefinition.identity.type - parPolicyAssignmentEnforcementMode: varPolicyAssignmentDeployASCMonitoring.libDefinition.properties.enforcementMode + parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployAscMonitoring.definitionId + parPolicyAssignmentName: varPolicyAssignmentDeployAscMonitoring.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentDeployAscMonitoring.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentDeployAscMonitoring.libDefinition.properties.description + parPolicyAssignmentParameters: 
varPolicyAssignmentDeployAscMonitoring.libDefinition.properties.parameters + parPolicyAssignmentIdentityType: varPolicyAssignmentDeployAscMonitoring.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: varPolicyAssignmentDeployAscMonitoring.libDefinition.properties.enforcementMode parTelemetryOptOut: parTelemetryOptOut } } // // Module - Policy Assignment - Deploy-Resource-Diag -module modPolicyAssignmentIntRootDeployResourceDiag '../../policy/assignments/policyAssignmentManagementGroup.bicep' = { +module modPolicyAssignmentIntRootDeployResourceDiag '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { dependsOn: [ modCustomPolicyDefinitions ] - scope: managementGroup(varManagementGroupIDs.intRoot) + scope: managementGroup(varManagementGroupIds.intRoot) name: varModuleDeploymentNames.modPolicyAssignmentIntRootDeployResourceDiag params: { - parPolicyAssignmentDefinitionID: varPolicyAssignmentDeployResourceDiag.definitionID + parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployResourceDiag.definitionId parPolicyAssignmentName: varPolicyAssignmentDeployResourceDiag.libDefinition.name parPolicyAssignmentDisplayName: varPolicyAssignmentDeployResourceDiag.libDefinition.properties.displayName parPolicyAssignmentDescription: varPolicyAssignmentDeployResourceDiag.libDefinition.properties.description 
@@ -789,62 +789,62 @@ module modPolicyAssignmentIntRootDeployResourceDiag '../../policy/assignments/po } parPolicyAssignmentIdentityType: varPolicyAssignmentDeployResourceDiag.libDefinition.identity.type parPolicyAssignmentEnforcementMode: varPolicyAssignmentDeployResourceDiag.libDefinition.properties.enforcementMode - parPolicyAssignmentIdentityRoleDefinitionIDs: [ - varRBACRoleDefinitionIDs.owner + parPolicyAssignmentIdentityRoleDefinitionIds: [ + varRbacRoleDefinitionIds.owner ] parTelemetryOptOut: parTelemetryOptOut } } // Module - Policy Assignment - Deploy-VM-Monitoring -module modPolicyAssignmentIntRootDeployVMMonitoring '../../policy/assignments/policyAssignmentManagementGroup.bicep' = { +module modPolicyAssignmentIntRootDeployVmMonitoring '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { dependsOn: [ modCustomPolicyDefinitions ] - scope: managementGroup(varManagementGroupIDs.intRoot) - name: varModuleDeploymentNames.modPolicyAssignmentIntRootDeployVMMonitoring + scope: managementGroup(varManagementGroupIds.intRoot) + name: varModuleDeploymentNames.modPolicyAssignmentIntRootDeployVmMonitoring params: { - parPolicyAssignmentDefinitionID: varPolicyAssignmentDeployVMMonitoring.definitionID - parPolicyAssignmentName: varPolicyAssignmentDeployVMMonitoring.libDefinition.name - parPolicyAssignmentDisplayName: varPolicyAssignmentDeployVMMonitoring.libDefinition.properties.displayName - parPolicyAssignmentDescription: varPolicyAssignmentDeployVMMonitoring.libDefinition.properties.description - parPolicyAssignmentParameters: varPolicyAssignmentDeployVMMonitoring.libDefinition.properties.parameters + parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployVmMonitoring.definitionId + parPolicyAssignmentName: varPolicyAssignmentDeployVmMonitoring.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentDeployVmMonitoring.libDefinition.properties.displayName + parPolicyAssignmentDescription: 
varPolicyAssignmentDeployVmMonitoring.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentDeployVmMonitoring.libDefinition.properties.parameters parPolicyAssignmentParameterOverrides: { logAnalytics_1: { value: modLogging.outputs.outLogAnalyticsWorkspaceId } } - parPolicyAssignmentIdentityType: varPolicyAssignmentDeployVMMonitoring.libDefinition.identity.type - parPolicyAssignmentEnforcementMode: varPolicyAssignmentDeployVMMonitoring.libDefinition.properties.enforcementMode - parPolicyAssignmentIdentityRoleDefinitionIDs: [ - varRBACRoleDefinitionIDs.owner + parPolicyAssignmentIdentityType: varPolicyAssignmentDeployVmMonitoring.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: varPolicyAssignmentDeployVmMonitoring.libDefinition.properties.enforcementMode + parPolicyAssignmentIdentityRoleDefinitionIds: [ + varRbacRoleDefinitionIds.owner ] parTelemetryOptOut: parTelemetryOptOut } } // Module - Policy Assignment - Deploy-VMSS-Monitoring -module modPolicyAssignmentIntRootDeployVMSSMonitoring '../../policy/assignments/policyAssignmentManagementGroup.bicep' = { +module modPolicyAssignmentIntRootDeployVmssMonitoring '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { dependsOn: [ modCustomPolicyDefinitions ] - scope: managementGroup(varManagementGroupIDs.intRoot) - name: varModuleDeploymentNames.modPolicyAssignmentIntRootDeployVMSSMonitoring + scope: managementGroup(varManagementGroupIds.intRoot) + name: varModuleDeploymentNames.modPolicyAssignmentIntRootDeployVmssMonitoring params: { - parPolicyAssignmentDefinitionID: varPolicyAssignmentDeployVMSSMonitoring.definitionID - parPolicyAssignmentName: varPolicyAssignmentDeployVMSSMonitoring.libDefinition.name - parPolicyAssignmentDisplayName: varPolicyAssignmentDeployVMSSMonitoring.libDefinition.properties.displayName - parPolicyAssignmentDescription: varPolicyAssignmentDeployVMSSMonitoring.libDefinition.properties.description - 
parPolicyAssignmentParameters: varPolicyAssignmentDeployVMSSMonitoring.libDefinition.properties.parameters + parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployVmssMonitoring.definitionId + parPolicyAssignmentName: varPolicyAssignmentDeployVmssMonitoring.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentDeployVmssMonitoring.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentDeployVmssMonitoring.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentDeployVmssMonitoring.libDefinition.properties.parameters parPolicyAssignmentParameterOverrides: { logAnalytics_1: { value: modLogging.outputs.outLogAnalyticsWorkspaceId } } - parPolicyAssignmentIdentityType: varPolicyAssignmentDeployVMSSMonitoring.libDefinition.identity.type - parPolicyAssignmentEnforcementMode: varPolicyAssignmentDeployVMSSMonitoring.libDefinition.properties.enforcementMode - parPolicyAssignmentIdentityRoleDefinitionIDs: [ - varRBACRoleDefinitionIDs.owner + parPolicyAssignmentIdentityType: varPolicyAssignmentDeployVmssMonitoring.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: varPolicyAssignmentDeployVmssMonitoring.libDefinition.properties.enforcementMode + parPolicyAssignmentIdentityRoleDefinitionIds: [ + varRbacRoleDefinitionIds.owner ] parTelemetryOptOut: parTelemetryOptOut } 
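Review bot: The managed identities for Deploy-Resource-Diag, Deploy-VM-Monitoring and Deploy-VMSS-Monitoring keep `varRbacRoleDefinitionIds.owner` in `parPolicyAssignmentIdentityRoleDefinitionIds`, and all three modules are scoped to `varManagementGroupIds.intRoot`. Assuming the assignment module grants the role at the assignment scope (its source is not part of this diff), each identity would hold Owner over the whole management group hierarchy. If the `roleDefinitionIds` required by these policy definitions allow it, a narrower entry from the same map (`contributor`, `networkContributor`) would be the least-privilege choice; otherwise a comment such as `// Owner is required by the policy definition's roleDefinitionIds` would show the grant is deliberate. The same pattern is carried through the rename in the Deploy-AzActivity-Log, Deploy-VM-Backup and Deploy-Log-Analytics hunks.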
@@ -852,27 +852,27 @@ module modPolicyAssignmentIntRootDeployVMSSMonitoring '../../policy/assignments/ // // Modules - Policy Assignments - Connectivity Management Group // Module - Policy Assignment - Enable-DDoS-VNET -module modPolicyAssignmentConnEnableDDoSVNET '../../policy/assignments/policyAssignmentManagementGroup.bicep' = { +module modPolicyAssignmentConnEnableDdosVnet '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { dependsOn: [ modCustomPolicyDefinitions ] - scope: managementGroup(varManagementGroupIDs.platformConnectivity) - name: varModuleDeploymentNames.modPolicyAssignmentConnEnableDDoSVNET + scope: managementGroup(varManagementGroupIds.platformConnectivity) + name: varModuleDeploymentNames.modPolicyAssignmentConnEnableDdosVnet params: { - parPolicyAssignmentDefinitionID: varPolicyAssignmentEnableDDoSVNET.definitionID - parPolicyAssignmentName: varPolicyAssignmentEnableDDoSVNET.libDefinition.name - parPolicyAssignmentDisplayName: varPolicyAssignmentEnableDDoSVNET.libDefinition.properties.displayName - parPolicyAssignmentDescription: varPolicyAssignmentEnableDDoSVNET.libDefinition.properties.description - parPolicyAssignmentParameters: varPolicyAssignmentEnableDDoSVNET.libDefinition.properties.parameters + parPolicyAssignmentDefinitionId: varPolicyAssignmentEnableDdosVnet.definitionId + parPolicyAssignmentName: varPolicyAssignmentEnableDdosVnet.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentEnableDdosVnet.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentEnableDdosVnet.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentEnableDdosVnet.libDefinition.properties.parameters parPolicyAssignmentParameterOverrides: { ddosPlan: { - value: modHubNetworking.outputs.outDdosPlanResourceID + value: modHubNetworking.outputs.outDdosPlanResourceId } } - parPolicyAssignmentIdentityType: varPolicyAssignmentEnableDDoSVNET.libDefinition.identity.type 
- parPolicyAssignmentEnforcementMode: varPolicyAssignmentEnableDDoSVNET.libDefinition.properties.enforcementMode - parPolicyAssignmentIdentityRoleDefinitionIDs: [ - varRBACRoleDefinitionIDs.networkContributor + parPolicyAssignmentIdentityType: varPolicyAssignmentEnableDdosVnet.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: varPolicyAssignmentEnableDdosVnet.libDefinition.properties.enforcementMode + parPolicyAssignmentIdentityRoleDefinitionIds: [ + varRbacRoleDefinitionIds.networkContributor ] parTelemetryOptOut: parTelemetryOptOut } 
@@ -880,52 +880,52 @@ module modPolicyAssignmentConnEnableDDoSVNET '../../policy/assignments/policyAss // Modules - Policy Assignments - Identity Management Group // Module - Policy Assignment - Deny-Public-IP -module modPolicyAssignmentIdentDenyPublicIP '../../policy/assignments/policyAssignmentManagementGroup.bicep' = { +module modPolicyAssignmentIdentDenyPublicIp '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { dependsOn: [ modCustomPolicyDefinitions ] - scope: managementGroup(varManagementGroupIDs.platformIdentity) - name: varModuleDeploymentNames.modPolicyAssignmentIdentDenyPublicIP + scope: managementGroup(varManagementGroupIds.platformIdentity) + name: varModuleDeploymentNames.modPolicyAssignmentIdentDenyPublicIp params: { - parPolicyAssignmentDefinitionID: varPolicyAssignmentDenyPublicIP.definitionID - parPolicyAssignmentName: varPolicyAssignmentDenyPublicIP.libDefinition.name - parPolicyAssignmentDisplayName: varPolicyAssignmentDenyPublicIP.libDefinition.properties.displayName - parPolicyAssignmentDescription: varPolicyAssignmentDenyPublicIP.libDefinition.properties.description - parPolicyAssignmentParameters: varPolicyAssignmentDenyPublicIP.libDefinition.properties.parameters - parPolicyAssignmentIdentityType: varPolicyAssignmentDenyPublicIP.libDefinition.identity.type - parPolicyAssignmentEnforcementMode: varPolicyAssignmentDenyPublicIP.libDefinition.properties.enforcementMode + parPolicyAssignmentDefinitionId: varPolicyAssignmentDenyPublicIp.definitionId + parPolicyAssignmentName: varPolicyAssignmentDenyPublicIp.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentDenyPublicIp.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentDenyPublicIp.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentDenyPublicIp.libDefinition.properties.parameters + parPolicyAssignmentIdentityType: varPolicyAssignmentDenyPublicIp.libDefinition.identity.type + 
parPolicyAssignmentEnforcementMode: varPolicyAssignmentDenyPublicIp.libDefinition.properties.enforcementMode parTelemetryOptOut: parTelemetryOptOut } } // Module - Policy Assignment - Deny-RDP-From-Internet -module modPolicyAssignmentIdentDenyRDPFromInternet '../../policy/assignments/policyAssignmentManagementGroup.bicep' = { +module modPolicyAssignmentIdentDenyRdpFromInternet '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { dependsOn: [ modCustomPolicyDefinitions ] - scope: managementGroup(varManagementGroupIDs.platformIdentity) - name: varModuleDeploymentNames.modPolicyAssignmentIdentDenyRDPFromInternet + scope: managementGroup(varManagementGroupIds.platformIdentity) + name: varModuleDeploymentNames.modPolicyAssignmentIdentDenyRdpFromInternet params: { - parPolicyAssignmentDefinitionID: varPolicyAssignmentDenyRDPFromInternet.definitionID - parPolicyAssignmentName: varPolicyAssignmentDenyRDPFromInternet.libDefinition.name - parPolicyAssignmentDisplayName: varPolicyAssignmentDenyRDPFromInternet.libDefinition.properties.displayName - parPolicyAssignmentDescription: varPolicyAssignmentDenyRDPFromInternet.libDefinition.properties.description - parPolicyAssignmentParameters: varPolicyAssignmentDenyRDPFromInternet.libDefinition.properties.parameters - parPolicyAssignmentIdentityType: varPolicyAssignmentDenyRDPFromInternet.libDefinition.identity.type - parPolicyAssignmentEnforcementMode: varPolicyAssignmentDenyRDPFromInternet.libDefinition.properties.enforcementMode + parPolicyAssignmentDefinitionId: varPolicyAssignmentDenyRdpFromInternet.definitionId + parPolicyAssignmentName: varPolicyAssignmentDenyRdpFromInternet.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentDenyRdpFromInternet.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentDenyRdpFromInternet.libDefinition.properties.description + parPolicyAssignmentParameters: 
varPolicyAssignmentDenyRdpFromInternet.libDefinition.properties.parameters + parPolicyAssignmentIdentityType: varPolicyAssignmentDenyRdpFromInternet.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: varPolicyAssignmentDenyRdpFromInternet.libDefinition.properties.enforcementMode parTelemetryOptOut: parTelemetryOptOut } } // Module - Policy Assignment - Deny-Subnet-Without-Nsg -module modPolicyAssignmentIdentDenySubnetWithoutNSG '../../policy/assignments/policyAssignmentManagementGroup.bicep' = { +module modPolicyAssignmentIdentDenySubnetWithoutNsg '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { dependsOn: [ modCustomPolicyDefinitions ] - scope: managementGroup(varManagementGroupIDs.platformIdentity) - name: varModuleDeploymentNames.modPolicyAssignmentIdentDenySubnetWithoutNSG + scope: managementGroup(varManagementGroupIds.platformIdentity) + name: varModuleDeploymentNames.modPolicyAssignmentIdentDenySubnetWithoutNsg params: { - parPolicyAssignmentDefinitionID: varPolicyAssignmentDenySubnetWithoutNsg.definitionID + parPolicyAssignmentDefinitionId: varPolicyAssignmentDenySubnetWithoutNsg.definitionId parPolicyAssignmentName: varPolicyAssignmentDenySubnetWithoutNsg.libDefinition.name parPolicyAssignmentDisplayName: varPolicyAssignmentDenySubnetWithoutNsg.libDefinition.properties.displayName parPolicyAssignmentDescription: varPolicyAssignmentDenySubnetWithoutNsg.libDefinition.properties.description 
@@ -937,22 +937,22 @@ module modPolicyAssignmentIdentDenySubnetWithoutNSG '../../policy/assignments/po } // Module - Policy Assignment - Deploy-VM-Backup - https://github.com/Azure/bicep/issues/5371 -module modPolicyAssignmentIdentDeployVMBackup '../../policy/assignments/policyAssignmentManagementGroup.bicep' = { +module modPolicyAssignmentIdentDeployVmBackup '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { dependsOn: [ modCustomPolicyDefinitions ] - scope: managementGroup(varManagementGroupIDs.platformIdentity) - name: varModuleDeploymentNames.modPolicyAssignmentIdentDeployVMBackup + scope: managementGroup(varManagementGroupIds.platformIdentity) + name: varModuleDeploymentNames.modPolicyAssignmentIdentDeployVmBackup params: { - parPolicyAssignmentDefinitionID: varPolicyAssignmentDeployVMBackup.definitionID - parPolicyAssignmentName: varPolicyAssignmentDeployVMBackup.libDefinition.name - parPolicyAssignmentDisplayName: varPolicyAssignmentDeployVMBackup.libDefinition.properties.displayName - parPolicyAssignmentDescription: varPolicyAssignmentDeployVMBackup.libDefinition.properties.description - parPolicyAssignmentParameters: varPolicyAssignmentDeployVMBackup.libDefinition.properties.parameters - parPolicyAssignmentIdentityType: varPolicyAssignmentDeployVMBackup.libDefinition.identity.type - parPolicyAssignmentEnforcementMode: varPolicyAssignmentDeployVMBackup.libDefinition.properties.enforcementMode - parPolicyAssignmentIdentityRoleDefinitionIDs: [ - varRBACRoleDefinitionIDs.owner + parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployVmBackup.definitionId + parPolicyAssignmentName: varPolicyAssignmentDeployVmBackup.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentDeployVmBackup.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentDeployVmBackup.libDefinition.properties.description + parPolicyAssignmentParameters: 
varPolicyAssignmentDeployVmBackup.libDefinition.properties.parameters + parPolicyAssignmentIdentityType: varPolicyAssignmentDeployVmBackup.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: varPolicyAssignmentDeployVmBackup.libDefinition.properties.enforcementMode + parPolicyAssignmentIdentityRoleDefinitionIds: [ + varRbacRoleDefinitionIds.owner ] parTelemetryOptOut: parTelemetryOptOut } @@ -960,14 +960,14 @@ module modPolicyAssignmentIdentDeployVMBackup '../../policy/assignments/policyAs // Modules - Policy Assignments - Management Management Group - https://github.com/Azure/bicep/issues/5371 // Module - Policy Assignment - Deploy-Log-Analytics - ISSUES -module modPolicyAssignmentMgmtDeployLogAnalytics '../../policy/assignments/policyAssignmentManagementGroup.bicep' = { +module modPolicyAssignmentMgmtDeployLogAnalytics '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { dependsOn: [ modCustomPolicyDefinitions ] - scope: managementGroup(varManagementGroupIDs.platformIdentity) + scope: managementGroup(varManagementGroupIds.platformIdentity) name: varModuleDeploymentNames.modPolicyAssignmentMgmtDeployLogAnalytics params: { - parPolicyAssignmentDefinitionID: varPolicyAssignmentDeployLogAnalytics.definitionID + parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployLogAnalytics.definitionId parPolicyAssignmentName: varPolicyAssignmentDeployLogAnalytics.libDefinition.name parPolicyAssignmentDisplayName: varPolicyAssignmentDeployLogAnalytics.libDefinition.properties.displayName parPolicyAssignmentDescription: varPolicyAssignmentDeployLogAnalytics.libDefinition.properties.description 
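Review bot: In the `-960` hunk, `modPolicyAssignmentMgmtDeployLogAnalytics` sits under the "Management Management Group" heading but its scope is still `managementGroup(varManagementGroupIds.platformIdentity)`, which looks like a copy-paste from the Identity modules above it. If that is unintended, Deploy-Log-Analytics is assigned to the identity management group and the platform management group gets no assignment from this module. The line would become `scope: managementGroup(varManagementGroupIds.platformManagement)`, a key that the `varManagementGroupIds` map already defines. The module's params continue past the end of this hunk.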
@@ -994,8 +994,8 @@ module modPolicyAssignmentMgmtDeployLogAnalytics '../../policy/assignments/polic } parPolicyAssignmentIdentityType: varPolicyAssignmentDeployLogAnalytics.libDefinition.identity.type parPolicyAssignmentEnforcementMode: varPolicyAssignmentDeployLogAnalytics.libDefinition.properties.enforcementMode - parPolicyAssignmentIdentityRoleDefinitionIDs: [ - varRBACRoleDefinitionIDs.owner + parPolicyAssignmentIdentityRoleDefinitionIds: [ + varRbacRoleDefinitionIds.owner ] parTelemetryOptOut: parTelemetryOptOut } 
@@ -1003,71 +1003,71 @@ module modPolicyAssignmentMgmtDeployLogAnalytics '../../policy/assignments/polic // Modules - Policy Assignments - Landing Zones Management Group - https://github.com/Azure/bicep/issues/5371 // Module - Policy Assignment - Deny-IP-Forwarding - ISSUES -module modPolicyAssignmentLZsDenyIPForwarding '../../policy/assignments/policyAssignmentManagementGroup.bicep' = { +module modPolicyAssignmentLzsDenyIpForwarding '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { dependsOn: [ modCustomPolicyDefinitions ] - scope: managementGroup(varManagementGroupIDs.landingZones) - name: varModuleDeploymentNames.modPolicyAssignmentLZsDenyIPForwarding + scope: managementGroup(varManagementGroupIds.landingZones) + name: varModuleDeploymentNames.modPolicyAssignmentLzsDenyIpForwarding params: { - parPolicyAssignmentDefinitionID: varPolicyAssignmentDenyIPForwarding.definitionID - parPolicyAssignmentName: varPolicyAssignmentDenyIPForwarding.libDefinition.name - parPolicyAssignmentDisplayName: varPolicyAssignmentDenyIPForwarding.libDefinition.properties.displayName - parPolicyAssignmentDescription: varPolicyAssignmentDenyIPForwarding.libDefinition.properties.description - parPolicyAssignmentParameters: varPolicyAssignmentDenyIPForwarding.libDefinition.properties.parameters - parPolicyAssignmentIdentityType: varPolicyAssignmentDenyIPForwarding.libDefinition.identity.type - parPolicyAssignmentEnforcementMode: varPolicyAssignmentDenyIPForwarding.libDefinition.properties.enforcementMode + parPolicyAssignmentDefinitionId: varPolicyAssignmentDenyIpForwarding.definitionId + parPolicyAssignmentName: varPolicyAssignmentDenyIpForwarding.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentDenyIpForwarding.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentDenyIpForwarding.libDefinition.properties.description + parPolicyAssignmentParameters: 
varPolicyAssignmentDenyIpForwarding.libDefinition.properties.parameters + parPolicyAssignmentIdentityType: varPolicyAssignmentDenyIpForwarding.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: varPolicyAssignmentDenyIpForwarding.libDefinition.properties.enforcementMode parTelemetryOptOut: parTelemetryOptOut } } // Module - Policy Assignment - Deny-Public-IP - NOT DONE IN ARM????? -module modPolicyAssignmentLZsDenyPublicIP '../../policy/assignments/policyAssignmentManagementGroup.bicep' = { +module modPolicyAssignmentLzsDenyPublicIp '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { dependsOn: [ modCustomPolicyDefinitions ] - scope: managementGroup(varManagementGroupIDs.landingZones) - name: varModuleDeploymentNames.modPolicyAssignmentLZsDenyPublicIP + scope: managementGroup(varManagementGroupIds.landingZones) + name: varModuleDeploymentNames.modPolicyAssignmentLzsDenyPublicIp params: { - parPolicyAssignmentDefinitionID: varPolicyAssignmentDenyPublicIP.definitionID - parPolicyAssignmentName: varPolicyAssignmentDenyPublicIP.libDefinition.name - parPolicyAssignmentDisplayName: varPolicyAssignmentDenyPublicIP.libDefinition.properties.displayName - parPolicyAssignmentDescription: varPolicyAssignmentDenyPublicIP.libDefinition.properties.description - parPolicyAssignmentParameters: varPolicyAssignmentDenyPublicIP.libDefinition.properties.parameters - parPolicyAssignmentIdentityType: varPolicyAssignmentDenyPublicIP.libDefinition.identity.type - parPolicyAssignmentEnforcementMode: varPolicyAssignmentDenyPublicIP.libDefinition.properties.enforcementMode + parPolicyAssignmentDefinitionId: varPolicyAssignmentDenyPublicIp.definitionId + parPolicyAssignmentName: varPolicyAssignmentDenyPublicIp.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentDenyPublicIp.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentDenyPublicIp.libDefinition.properties.description + 
parPolicyAssignmentParameters: varPolicyAssignmentDenyPublicIp.libDefinition.properties.parameters + parPolicyAssignmentIdentityType: varPolicyAssignmentDenyPublicIp.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: varPolicyAssignmentDenyPublicIp.libDefinition.properties.enforcementMode parTelemetryOptOut: parTelemetryOptOut } } // Module - Policy Assignment - Deny-RDP-From-Internet -module modPolicyAssignmentLZstDenyRDPFromInternet '../../policy/assignments/policyAssignmentManagementGroup.bicep' = { +module modPolicyAssignmentLzsDenyRdpFromInternet '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { dependsOn: [ modCustomPolicyDefinitions ] - scope: managementGroup(varManagementGroupIDs.landingZones) - name: varModuleDeploymentNames.modPolicyAssignmentLZsDenyRDPFromInternet + scope: managementGroup(varManagementGroupIds.landingZones) + name: varModuleDeploymentNames.modPolicyAssignmentLzsDenyRdpFromInternet params: { - parPolicyAssignmentDefinitionID: varPolicyAssignmentDenyRDPFromInternet.definitionID - parPolicyAssignmentName: varPolicyAssignmentDenyRDPFromInternet.libDefinition.name - parPolicyAssignmentDisplayName: varPolicyAssignmentDenyRDPFromInternet.libDefinition.properties.displayName - parPolicyAssignmentDescription: varPolicyAssignmentDenyRDPFromInternet.libDefinition.properties.description - parPolicyAssignmentParameters: varPolicyAssignmentDenyRDPFromInternet.libDefinition.properties.parameters - parPolicyAssignmentIdentityType: varPolicyAssignmentDenyRDPFromInternet.libDefinition.identity.type - parPolicyAssignmentEnforcementMode: varPolicyAssignmentDenyRDPFromInternet.libDefinition.properties.enforcementMode + parPolicyAssignmentDefinitionId: varPolicyAssignmentDenyRdpFromInternet.definitionId + parPolicyAssignmentName: varPolicyAssignmentDenyRdpFromInternet.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentDenyRdpFromInternet.libDefinition.properties.displayName + 
parPolicyAssignmentDescription: varPolicyAssignmentDenyRdpFromInternet.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentDenyRdpFromInternet.libDefinition.properties.parameters + parPolicyAssignmentIdentityType: varPolicyAssignmentDenyRdpFromInternet.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: varPolicyAssignmentDenyRdpFromInternet.libDefinition.properties.enforcementMode parTelemetryOptOut: parTelemetryOptOut } } // Module - Policy Assignment - Deny-Subnet-Without-Nsg -module modPolicyAssignmentLZsDenySubnetWithoutNSG '../../policy/assignments/policyAssignmentManagementGroup.bicep' = { +module modPolicyAssignmentLzsDenySubnetWithoutNsg '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { dependsOn: [ modCustomPolicyDefinitions ] - scope: managementGroup(varManagementGroupIDs.landingZones) - name: varModuleDeploymentNames.modPolicyAssignmentLZsDenySubnetWithoutNSG + scope: managementGroup(varManagementGroupIds.landingZones) + name: varModuleDeploymentNames.modPolicyAssignmentLzsDenySubnetWithoutNsg params: { - parPolicyAssignmentDefinitionID: varPolicyAssignmentDenySubnetWithoutNsg.definitionID + parPolicyAssignmentDefinitionId: varPolicyAssignmentDenySubnetWithoutNsg.definitionId parPolicyAssignmentName: varPolicyAssignmentDenySubnetWithoutNsg.libDefinition.name parPolicyAssignmentDisplayName: varPolicyAssignmentDenySubnetWithoutNsg.libDefinition.properties.displayName parPolicyAssignmentDescription: varPolicyAssignmentDenySubnetWithoutNsg.libDefinition.properties.description 
@@ -1079,210 +1079,210 @@ module modPolicyAssignmentLZsDenySubnetWithoutNSG '../../policy/assignments/poli } // Module - Policy Assignment - Deploy-VM-Backup - https://github.com/Azure/bicep/issues/5371 -module modPolicyAssignmentLZsDeployVMBackup '../../policy/assignments/policyAssignmentManagementGroup.bicep' = { +module modPolicyAssignmentLzsDeployVmBackup '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { dependsOn: [ modCustomPolicyDefinitions ] - scope: managementGroup(varManagementGroupIDs.landingZones) - name: varModuleDeploymentNames.modPolicyAssignmentLZsDeployVMBackup + scope: managementGroup(varManagementGroupIds.landingZones) + name: varModuleDeploymentNames.modPolicyAssignmentLzsDeployVmBackup params: { - parPolicyAssignmentDefinitionID: varPolicyAssignmentDeployVMBackup.definitionID - parPolicyAssignmentName: varPolicyAssignmentDeployVMBackup.libDefinition.name - parPolicyAssignmentDisplayName: varPolicyAssignmentDeployVMBackup.libDefinition.properties.displayName - parPolicyAssignmentDescription: varPolicyAssignmentDeployVMBackup.libDefinition.properties.description - parPolicyAssignmentParameters: varPolicyAssignmentDeployVMBackup.libDefinition.properties.parameters - parPolicyAssignmentIdentityType: varPolicyAssignmentDeployVMBackup.libDefinition.identity.type - parPolicyAssignmentEnforcementMode: varPolicyAssignmentDeployVMBackup.libDefinition.properties.enforcementMode - parPolicyAssignmentIdentityRoleDefinitionIDs: [ - varRBACRoleDefinitionIDs.owner + parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployVmBackup.definitionId + parPolicyAssignmentName: varPolicyAssignmentDeployVmBackup.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentDeployVmBackup.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentDeployVmBackup.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentDeployVmBackup.libDefinition.properties.parameters + 
parPolicyAssignmentIdentityType: varPolicyAssignmentDeployVmBackup.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: varPolicyAssignmentDeployVmBackup.libDefinition.properties.enforcementMode + parPolicyAssignmentIdentityRoleDefinitionIds: [ + varRbacRoleDefinitionIds.owner ] parTelemetryOptOut: parTelemetryOptOut } } // Module - Policy Assignment - Enable-DDoS-VNET -module modPolicyAssignmentLZsEnableDDoSVNET '../../policy/assignments/policyAssignmentManagementGroup.bicep' = { +module modPolicyAssignmentLzsEnableDdosVnet '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { dependsOn: [ modCustomPolicyDefinitions ] - scope: managementGroup(varManagementGroupIDs.platformConnectivity) - name: varModuleDeploymentNames.modPolicyAssignmentLZsEnableDDoSVNET + scope: managementGroup(varManagementGroupIds.platformConnectivity) + name: varModuleDeploymentNames.modPolicyAssignmentLzsEnableDdosVnet params: { - parPolicyAssignmentDefinitionID: varPolicyAssignmentEnableDDoSVNET.definitionID - parPolicyAssignmentName: varPolicyAssignmentEnableDDoSVNET.libDefinition.name - parPolicyAssignmentDisplayName: varPolicyAssignmentEnableDDoSVNET.libDefinition.properties.displayName - parPolicyAssignmentDescription: varPolicyAssignmentEnableDDoSVNET.libDefinition.properties.description - parPolicyAssignmentParameters: varPolicyAssignmentEnableDDoSVNET.libDefinition.properties.parameters + parPolicyAssignmentDefinitionId: varPolicyAssignmentEnableDdosVnet.definitionId + parPolicyAssignmentName: varPolicyAssignmentEnableDdosVnet.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentEnableDdosVnet.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentEnableDdosVnet.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentEnableDdosVnet.libDefinition.properties.parameters parPolicyAssignmentParameterOverrides: { ddosPlan: { - value: 
modHubNetworking.outputs.outDDoSPlanResourceID + value: modHubNetworking.outputs.outDdosPlanResourceId } } - parPolicyAssignmentIdentityType: varPolicyAssignmentEnableDDoSVNET.libDefinition.identity.type - parPolicyAssignmentEnforcementMode: varPolicyAssignmentEnableDDoSVNET.libDefinition.properties.enforcementMode - parPolicyAssignmentIdentityRoleDefinitionIDs: [ - varRBACRoleDefinitionIDs.networkContributor + parPolicyAssignmentIdentityType: varPolicyAssignmentEnableDdosVnet.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: varPolicyAssignmentEnableDdosVnet.libDefinition.properties.enforcementMode + parPolicyAssignmentIdentityRoleDefinitionIds: [ + varRbacRoleDefinitionIds.networkContributor ] parTelemetryOptOut: parTelemetryOptOut } } // Module - Policy Assignment - Deny-Storage-http - https://github.com/Azure/bicep/issues/5371 -module modPolicyAssignmentLZsDenyStorageHttp '../../policy/assignments/policyAssignmentManagementGroup.bicep' = { +module modPolicyAssignmentLzsDenyStorageHttp '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { dependsOn: [ modCustomPolicyDefinitions ] - scope: managementGroup(varManagementGroupIDs.landingZones) - name: varModuleDeploymentNames.modPolicyAssignmentLZsDenyStorageHttp + scope: managementGroup(varManagementGroupIds.landingZones) + name: varModuleDeploymentNames.modPolicyAssignmentLzsDenyStorageHttp params: { - parPolicyAssignmentDefinitionID: varPolicyAssignmentDenyStoragehttp.definitionID - parPolicyAssignmentName: varPolicyAssignmentDenyStoragehttp.libDefinition.name - parPolicyAssignmentDisplayName: varPolicyAssignmentDenyStoragehttp.libDefinition.properties.displayName - parPolicyAssignmentDescription: varPolicyAssignmentDenyStoragehttp.libDefinition.properties.description - parPolicyAssignmentParameters: varPolicyAssignmentDenyStoragehttp.libDefinition.properties.parameters - parPolicyAssignmentIdentityType: varPolicyAssignmentDenyStoragehttp.libDefinition.identity.type - 
parPolicyAssignmentEnforcementMode: varPolicyAssignmentDenyStoragehttp.libDefinition.properties.enforcementMode + parPolicyAssignmentDefinitionId: varPolicyAssignmentDenyStorageHttp.definitionId + parPolicyAssignmentName: varPolicyAssignmentDenyStorageHttp.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentDenyStorageHttp.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentDenyStorageHttp.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentDenyStorageHttp.libDefinition.properties.parameters + parPolicyAssignmentIdentityType: varPolicyAssignmentDenyStorageHttp.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: varPolicyAssignmentDenyStorageHttp.libDefinition.properties.enforcementMode parTelemetryOptOut: parTelemetryOptOut } } // Module - Policy Assignment - Deploy-AKS-Policy - https://github.com/Azure/bicep/issues/5371 -module modPolicyAssignmentLZsDeployAKSPolicy '../../policy/assignments/policyAssignmentManagementGroup.bicep' = { +module modPolicyAssignmentLzsDeployAksPolicy '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { dependsOn: [ modCustomPolicyDefinitions ] - scope: managementGroup(varManagementGroupIDs.landingZones) - name: varModuleDeploymentNames.modPolicyAssignmentLZsDeployAKSPolicy + scope: managementGroup(varManagementGroupIds.landingZones) + name: varModuleDeploymentNames.modPolicyAssignmentLzsDeployAksPolicy params: { - parPolicyAssignmentDefinitionID: varPolicyAssignmentDeployAKSPolicy.definitionID - parPolicyAssignmentName: varPolicyAssignmentDeployAKSPolicy.libDefinition.name - parPolicyAssignmentDisplayName: varPolicyAssignmentDeployAKSPolicy.libDefinition.properties.displayName - parPolicyAssignmentDescription: varPolicyAssignmentDeployAKSPolicy.libDefinition.properties.description - parPolicyAssignmentParameters: varPolicyAssignmentDeployAKSPolicy.libDefinition.properties.parameters - 
parPolicyAssignmentIdentityType: varPolicyAssignmentDeployAKSPolicy.libDefinition.identity.type - parPolicyAssignmentEnforcementMode: varPolicyAssignmentDeployAKSPolicy.libDefinition.properties.enforcementMode - parPolicyAssignmentIdentityRoleDefinitionIDs: [ - varRBACRoleDefinitionIDs.aksContributor + parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployAksPolicy.definitionId + parPolicyAssignmentName: varPolicyAssignmentDeployAksPolicy.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentDeployAksPolicy.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentDeployAksPolicy.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentDeployAksPolicy.libDefinition.properties.parameters + parPolicyAssignmentIdentityType: varPolicyAssignmentDeployAksPolicy.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: varPolicyAssignmentDeployAksPolicy.libDefinition.properties.enforcementMode + parPolicyAssignmentIdentityRoleDefinitionIds: [ + varRbacRoleDefinitionIds.aksContributor ] parTelemetryOptOut: parTelemetryOptOut } } // Module - Policy Assignment - Deny-Priv-Escalation-AKS - https://github.com/Azure/bicep/issues/5371 -module modPolicyAssignmentLZsDenyPrivEscalationAKS '../../policy/assignments/policyAssignmentManagementGroup.bicep' = { +module modPolicyAssignmentLzsDenyPrivEscalationAks '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { dependsOn: [ modCustomPolicyDefinitions ] - scope: managementGroup(varManagementGroupIDs.landingZones) - name: varModuleDeploymentNames.modPolicyAssignmentLZsDenyPrivEscalationAKS + scope: managementGroup(varManagementGroupIds.landingZones) + name: varModuleDeploymentNames.modPolicyAssignmentLzsDenyPrivEscalationAks params: { - parPolicyAssignmentDefinitionID: varPolicyAssignmentDenyPrivEscalationAKS.definitionID - parPolicyAssignmentName: varPolicyAssignmentDenyPrivEscalationAKS.libDefinition.name - 
parPolicyAssignmentDisplayName: varPolicyAssignmentDenyPrivEscalationAKS.libDefinition.properties.displayName - parPolicyAssignmentDescription: varPolicyAssignmentDenyPrivEscalationAKS.libDefinition.properties.description - parPolicyAssignmentParameters: varPolicyAssignmentDenyPrivEscalationAKS.libDefinition.properties.parameters - parPolicyAssignmentIdentityType: varPolicyAssignmentDenyPrivEscalationAKS.libDefinition.identity.type - parPolicyAssignmentEnforcementMode: varPolicyAssignmentDenyPrivEscalationAKS.libDefinition.properties.enforcementMode + parPolicyAssignmentDefinitionId: varPolicyAssignmentDenyPrivEscalationAks.definitionId + parPolicyAssignmentName: varPolicyAssignmentDenyPrivEscalationAks.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentDenyPrivEscalationAks.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentDenyPrivEscalationAks.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentDenyPrivEscalationAks.libDefinition.properties.parameters + parPolicyAssignmentIdentityType: varPolicyAssignmentDenyPrivEscalationAks.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: varPolicyAssignmentDenyPrivEscalationAks.libDefinition.properties.enforcementMode parTelemetryOptOut: parTelemetryOptOut } } // Module - Policy Assignment - Deny-Priv-Containers-AKS - https://github.com/Azure/bicep/issues/5371 -module modPolicyAssignmentLZsDenyPrivContainersAKS '../../policy/assignments/policyAssignmentManagementGroup.bicep' = { +module modPolicyAssignmentLzsDenyPrivContainersAks '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { dependsOn: [ modCustomPolicyDefinitions ] - scope: managementGroup(varManagementGroupIDs.landingZones) - name: varModuleDeploymentNames.modPolicyAssignmentLZsDenyPrivContainersAKS + scope: managementGroup(varManagementGroupIds.landingZones) + name: varModuleDeploymentNames.modPolicyAssignmentLzsDenyPrivContainersAks 
params: { - parPolicyAssignmentDefinitionID: varPolicyAssignmentDenyPrivContainersAKS.definitionID - parPolicyAssignmentName: varPolicyAssignmentDenyPrivContainersAKS.libDefinition.name - parPolicyAssignmentDisplayName: varPolicyAssignmentDenyPrivContainersAKS.libDefinition.properties.displayName - parPolicyAssignmentDescription: varPolicyAssignmentDenyPrivContainersAKS.libDefinition.properties.description - parPolicyAssignmentParameters: varPolicyAssignmentDenyPrivContainersAKS.libDefinition.properties.parameters - parPolicyAssignmentIdentityType: varPolicyAssignmentDenyPrivContainersAKS.libDefinition.identity.type - parPolicyAssignmentEnforcementMode: varPolicyAssignmentDenyPrivContainersAKS.libDefinition.properties.enforcementMode + parPolicyAssignmentDefinitionId: varPolicyAssignmentDenyPrivContainersAks.definitionId + parPolicyAssignmentName: varPolicyAssignmentDenyPrivContainersAks.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentDenyPrivContainersAks.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentDenyPrivContainersAks.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentDenyPrivContainersAks.libDefinition.properties.parameters + parPolicyAssignmentIdentityType: varPolicyAssignmentDenyPrivContainersAks.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: varPolicyAssignmentDenyPrivContainersAks.libDefinition.properties.enforcementMode parTelemetryOptOut: parTelemetryOptOut } } // Module - Policy Assignment - Enforce-AKS-HTTPS - https://github.com/Azure/bicep/issues/5371 -module modPolicyAssignmentLZsEnforceAKSHTTPS '../../policy/assignments/policyAssignmentManagementGroup.bicep' = { +module modPolicyAssignmentLzsEnforceAksHttps '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { dependsOn: [ modCustomPolicyDefinitions ] - scope: managementGroup(varManagementGroupIDs.landingZones) - name: 
varModuleDeploymentNames.modPolicyAssignmentLZsEnforceAKSHTTPS + scope: managementGroup(varManagementGroupIds.landingZones) + name: varModuleDeploymentNames.modPolicyAssignmentLzsEnforceAksHttps params: { - parPolicyAssignmentDefinitionID: varPolicyAssignmentEnforceAKSHTTPS.definitionID - parPolicyAssignmentName: varPolicyAssignmentEnforceAKSHTTPS.libDefinition.name - parPolicyAssignmentDisplayName: varPolicyAssignmentEnforceAKSHTTPS.libDefinition.properties.displayName - parPolicyAssignmentDescription: varPolicyAssignmentEnforceAKSHTTPS.libDefinition.properties.description - parPolicyAssignmentParameters: varPolicyAssignmentEnforceAKSHTTPS.libDefinition.properties.parameters - parPolicyAssignmentIdentityType: varPolicyAssignmentEnforceAKSHTTPS.libDefinition.identity.type - parPolicyAssignmentEnforcementMode: varPolicyAssignmentEnforceAKSHTTPS.libDefinition.properties.enforcementMode + parPolicyAssignmentDefinitionId: varPolicyAssignmentEnforceAksHttps.definitionId + parPolicyAssignmentName: varPolicyAssignmentEnforceAksHttps.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentEnforceAksHttps.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentEnforceAksHttps.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentEnforceAksHttps.libDefinition.properties.parameters + parPolicyAssignmentIdentityType: varPolicyAssignmentEnforceAksHttps.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: varPolicyAssignmentEnforceAksHttps.libDefinition.properties.enforcementMode parTelemetryOptOut: parTelemetryOptOut } } // Module - Policy Assignment - Enforce-TLS-SSL -module modPolicyAssignmentLZsEnforceTLSSSL '../../policy/assignments/policyAssignmentManagementGroup.bicep' = { +module modPolicyAssignmentLzsEnforceTlsSsl '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { dependsOn: [ modCustomPolicyDefinitions ] - scope: 
managementGroup(varManagementGroupIDs.landingZones) - name: varModuleDeploymentNames.modPolicyAssignmentLZsEnforceTLSSSL + scope: managementGroup(varManagementGroupIds.landingZones) + name: varModuleDeploymentNames.modPolicyAssignmentLzsEnforceTlsSsl params: { - parPolicyAssignmentDefinitionID: varPolicyAssignmentEnforceTLSSSL.definitionID - parPolicyAssignmentName: varPolicyAssignmentEnforceTLSSSL.libDefinition.name - parPolicyAssignmentDisplayName: varPolicyAssignmentEnforceTLSSSL.libDefinition.properties.displayName - parPolicyAssignmentDescription: varPolicyAssignmentEnforceTLSSSL.libDefinition.properties.description - parPolicyAssignmentParameters: varPolicyAssignmentEnforceTLSSSL.libDefinition.properties.parameters - parPolicyAssignmentIdentityType: varPolicyAssignmentEnforceTLSSSL.libDefinition.identity.type - parPolicyAssignmentEnforcementMode: varPolicyAssignmentEnforceTLSSSL.libDefinition.properties.enforcementMode + parPolicyAssignmentDefinitionId: varPolicyAssignmentEnforceTlsSsl.definitionId + parPolicyAssignmentName: varPolicyAssignmentEnforceTlsSsl.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentEnforceTlsSsl.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentEnforceTlsSsl.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentEnforceTlsSsl.libDefinition.properties.parameters + parPolicyAssignmentIdentityType: varPolicyAssignmentEnforceTlsSsl.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: varPolicyAssignmentEnforceTlsSsl.libDefinition.properties.enforcementMode parTelemetryOptOut: parTelemetryOptOut } } // Module - Policy Assignment - Deploy-SQL-DB-Auditing - https://github.com/Azure/bicep/issues/5371 -module modPolicyAssignmentLZsDeploySQLDBAuditing '../../policy/assignments/policyAssignmentManagementGroup.bicep' = { +module modPolicyAssignmentLzsDeploySqlDbAuditing '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = 
{ dependsOn: [ modCustomPolicyDefinitions ] - scope: managementGroup(varManagementGroupIDs.landingZones) - name: varModuleDeploymentNames.modPolicyAssignmentLZsDeploySQLDBAuditing + scope: managementGroup(varManagementGroupIds.landingZones) + name: varModuleDeploymentNames.modPolicyAssignmentLzsDeploySqlDbAuditing params: { - parPolicyAssignmentDefinitionID: varPolicyAssignmentDeploySQLDBAuditing.definitionID - parPolicyAssignmentName: varPolicyAssignmentDeploySQLDBAuditing.libDefinition.name - parPolicyAssignmentDisplayName: varPolicyAssignmentDeploySQLDBAuditing.libDefinition.properties.displayName - parPolicyAssignmentDescription: varPolicyAssignmentDeploySQLDBAuditing.libDefinition.properties.description - parPolicyAssignmentParameters: varPolicyAssignmentDeploySQLDBAuditing.libDefinition.properties.parameters - parPolicyAssignmentIdentityType: varPolicyAssignmentDeploySQLDBAuditing.libDefinition.identity.type - parPolicyAssignmentEnforcementMode: varPolicyAssignmentDeploySQLDBAuditing.libDefinition.properties.enforcementMode - parPolicyAssignmentIdentityRoleDefinitionIDs: [ - varRBACRoleDefinitionIDs.owner + parPolicyAssignmentDefinitionId: varPolicyAssignmentDeploySqlDbAuditing.definitionId + parPolicyAssignmentName: varPolicyAssignmentDeploySqlDbAuditing.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentDeploySqlDbAuditing.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentDeploySqlDbAuditing.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentDeploySqlDbAuditing.libDefinition.properties.parameters + parPolicyAssignmentIdentityType: varPolicyAssignmentDeploySqlDbAuditing.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: varPolicyAssignmentDeploySqlDbAuditing.libDefinition.properties.enforcementMode + parPolicyAssignmentIdentityRoleDefinitionIds: [ + varRbacRoleDefinitionIds.owner ] parTelemetryOptOut: parTelemetryOptOut } } // Module - Policy 
Assignment - Deploy-SQL-Threat - https://github.com/Azure/bicep/issues/5371 -module modPolicyAssignmentLZsDeploySQLThreat '../../policy/assignments/policyAssignmentManagementGroup.bicep' = { +module modPolicyAssignmentLzsDeploySqlThreat '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { dependsOn: [ modCustomPolicyDefinitions ] - scope: managementGroup(varManagementGroupIDs.landingZones) - name: varModuleDeploymentNames.modPolicyAssignmentLZsDeploySQLThreat + scope: managementGroup(varManagementGroupIds.landingZones) + name: varModuleDeploymentNames.modPolicyAssignmentLzsDeploySqlThreat params: { - parPolicyAssignmentDefinitionID: varPolicyAssignmentDeploySQLThreat.definitionID - parPolicyAssignmentName: varPolicyAssignmentDeploySQLThreat.libDefinition.name - parPolicyAssignmentDisplayName: varPolicyAssignmentDeploySQLThreat.libDefinition.properties.displayName - parPolicyAssignmentDescription: varPolicyAssignmentDeploySQLThreat.libDefinition.properties.description - parPolicyAssignmentParameters: varPolicyAssignmentDeploySQLThreat.libDefinition.properties.parameters - parPolicyAssignmentIdentityType: varPolicyAssignmentDeploySQLThreat.libDefinition.identity.type - parPolicyAssignmentEnforcementMode: varPolicyAssignmentDeploySQLThreat.libDefinition.properties.enforcementMode - parPolicyAssignmentIdentityRoleDefinitionIDs: [ - varRBACRoleDefinitionIDs.owner + parPolicyAssignmentDefinitionId: varPolicyAssignmentDeploySqlThreat.definitionId + parPolicyAssignmentName: varPolicyAssignmentDeploySqlThreat.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentDeploySqlThreat.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentDeploySqlThreat.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentDeploySqlThreat.libDefinition.properties.parameters + parPolicyAssignmentIdentityType: varPolicyAssignmentDeploySqlThreat.libDefinition.identity.type + 
parPolicyAssignmentEnforcementMode: varPolicyAssignmentDeploySqlThreat.libDefinition.properties.enforcementMode + parPolicyAssignmentIdentityRoleDefinitionIds: [ + varRbacRoleDefinitionIds.owner ] parTelemetryOptOut: parTelemetryOptOut } @@ -1290,14 +1290,14 @@ module modPolicyAssignmentLZsDeploySQLThreat '../../policy/assignments/policyAss // Modules - Policy Assignments - Corp Management Group // Module - Policy Assignment - Deny-Public-Endpoints -module modPolicyAssignmentLZsDenyPublicEndpoints '../../policy/assignments/policyAssignmentManagementGroup.bicep' = { +module modPolicyAssignmentLzsDenyPublicEndpoints '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { dependsOn: [ modCustomPolicyDefinitions ] - scope: managementGroup(varManagementGroupIDs.landingZones) - name: varModuleDeploymentNames.modPolicyAssignmentLZsDenyPublicEndpoints + scope: managementGroup(varManagementGroupIds.landingZones) + name: varModuleDeploymentNames.modPolicyAssignmentLzsDenyPublicEndpoints params: { - parPolicyAssignmentDefinitionID: varPolicyAssignmentDenyPublicEndpoints.definitionID + parPolicyAssignmentDefinitionId: varPolicyAssignmentDenyPublicEndpoints.definitionId parPolicyAssignmentName: varPolicyAssignmentDenyPublicEndpoints.libDefinition.name parPolicyAssignmentDisplayName: varPolicyAssignmentDenyPublicEndpoints.libDefinition.properties.displayName parPolicyAssignmentDescription: varPolicyAssignmentDenyPublicEndpoints.libDefinition.properties.description 
@@ -1309,18 +1309,18 @@ module modPolicyAssignmentLZsDenyPublicEndpoints '../../policy/assignments/polic } // Module - Policy Assignment - Deploy-Private-DNS-Zones -module modPolicyAssignmentLZsDeployPrivateDNSZones '../../policy/assignments/policyAssignmentManagementGroup.bicep' = { +module modPolicyAssignmentLzsDeployPrivateDnsZones '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { dependsOn: [ modCustomPolicyDefinitions ] - scope: managementGroup(varManagementGroupIDs.landingZones) - name: varModuleDeploymentNames.modPolicyAssignmentLZsDeployPrivateDNSZones + scope: managementGroup(varManagementGroupIds.landingZones) + name: varModuleDeploymentNames.modPolicyAssignmentLzsDeployPrivateDnsZones params: { - parPolicyAssignmentDefinitionID: varPolicyAssignmentDeployPrivateDNSZones.definitionID - parPolicyAssignmentName: varPolicyAssignmentDeployPrivateDNSZones.libDefinition.name - parPolicyAssignmentDisplayName: varPolicyAssignmentDeployPrivateDNSZones.libDefinition.properties.displayName - parPolicyAssignmentDescription: varPolicyAssignmentDeployPrivateDNSZones.libDefinition.properties.description - parPolicyAssignmentParameters: varPolicyAssignmentDeployPrivateDNSZones.libDefinition.properties.parameters + parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployPrivateDnzZones.definitionId + parPolicyAssignmentName: varPolicyAssignmentDeployPrivateDnzZones.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentDeployPrivateDnzZones.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentDeployPrivateDnzZones.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentDeployPrivateDnzZones.libDefinition.properties.parameters parPolicyAssignmentParameterOverrides: { azureFilePrivateDnsZoneId: { value: modHubNetworking.outputs.outPrivateDnsZones[29].id 
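Review bot: The new references in `modPolicyAssignmentLzsDeployPrivateDnsZones` are spelled `varPolicyAssignmentDeployPrivateDnzZones` ("Dnz"), while the module name and the deployment-name key on the lines above use "Dns". The variable's declaration is outside this hunk: if it was renamed to `...DnsZones` the template no longer compiles, and if it was declared with the same typo the misspelling is now baked into the naming convention this commit is establishing. Either way the five `params` lines here, and the two in the hunk at -1383, should read `varPolicyAssignmentDeployPrivateDnsZones`, with the declaration matched to it.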
@@ -1383,52 +1383,52 @@ module modPolicyAssignmentLZsDeployPrivateDNSZones '../../policy/assignments/pol value: modHubNetworking.outputs.outPrivateDnsZones[41].id } } - parPolicyAssignmentIdentityType: varPolicyAssignmentDeployPrivateDNSZones.libDefinition.identity.type - parPolicyAssignmentEnforcementMode: varPolicyAssignmentDeployPrivateDNSZones.libDefinition.properties.enforcementMode - parPolicyAssignmentIdentityRoleDefinitionIDs: [ - varRBACRoleDefinitionIDs.networkContributor + parPolicyAssignmentIdentityType: varPolicyAssignmentDeployPrivateDnzZones.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: varPolicyAssignmentDeployPrivateDnzZones.libDefinition.properties.enforcementMode + parPolicyAssignmentIdentityRoleDefinitionIds: [ + varRbacRoleDefinitionIds.networkContributor ] parTelemetryOptOut: parTelemetryOptOut } } // Resource - Resource Group - For Spoke Networking - https://github.com/Azure/bicep/issues/5151 -module modResourceGroupForSpokeNetworking '../../resourceGroup/resourceGroup.bicep' = [for (corpSub, i) in parCorpSubscriptionIds: if (!empty(parCorpSubscriptionIds)) { +module modResourceGroupForSpokeNetworking '../../../resourceGroup/resourceGroup.bicep' = [for (corpSub, i) in parCorpSubscriptionIds: if (!empty(parCorpSubscriptionIds)) { scope: subscription(corpSub.subID) name: '${varModuleDeploymentNames.modResourceGroupForSpokeNetworking}-${i}' params: { - parResourceGroupLocation: parLocation + parLocation: parLocation parResourceGroupName: parResourceGroupNameForSpokeNetworking parTelemetryOptOut: parTelemetryOptOut } }] // Module - Corp Spoke Virtual Networks -module modSpokeNetworking '../../spokeNetworking/spokeNetworking.bicep' = [for (corpSub, i) in parCorpSubscriptionIds: if (!empty(parCorpSubscriptionIds)) { +module modSpokeNetworking '../../../spokeNetworking/spokeNetworking.bicep' = [for (corpSub, i) in parCorpSubscriptionIds: if (!empty(parCorpSubscriptionIds)) { scope: resourceGroup(corpSub.subID, 
parResourceGroupNameForSpokeNetworking) name: '${varModuleDeploymentNames.modSpokeNetworking}-${i}' params: { parSpokeNetworkName: '${take('vnet-spoke-corp-${uniqueString(corpSub.subID)}', 64)}' parSpokeNetworkAddressPrefix: corpSub.vnetCIDR parDdosEnabled: parDDoSEnabled - parDdosProtectionPlanId: modHubNetworking.outputs.outDDoSPlanResourceID - parNetworkDNSEnableProxy: parNetworkDNSEnableProxy - parHubNVAEnabled: parAzureFirewallEnabled - parDNSServerIPArray: parDNSServerIPArray - parNextHopIPAddress: parAzureFirewallEnabled ? modHubNetworking.outputs.outAzureFirewallPrivateIP : '' + parDdosProtectionPlanId: modHubNetworking.outputs.outDdosPlanResourceId + parAzFirewallDnsProxyEnabled: parAzFirewallDnsProxyEnabled + parHubNVAEnabled: parAzFirewallEnabled + parDnsServerIps: parDnsServerIps + parNextHopIpAddress: parAzFirewallEnabled ? modHubNetworking.outputs.outAzFirewallPrivateIp : '' parSpoketoHubRouteTableName: parSpoketoHubRouteTableName - parBGPRoutePropogation: parBGPRoutePropogation + parDisableBgpRoutePropagation: parDisableBgpRoutePropagation parTags: parTags parTelemetryOptOut: parTelemetryOptOut } }] // Module - Corp Spoke Virtual Network Peering - Spoke To Hub -module modSpokePeeringToHub '../../virtualNetworkPeer/virtualNetworkPeer.bicep' = [for (corpSub, i) in parCorpSubscriptionIds: if (!empty(parCorpSubscriptionIds)) { +module modSpokePeeringToHub '../../../virtualNetworkPeer/virtualNetworkPeer.bicep' = [for (corpSub, i) in parCorpSubscriptionIds: if (!empty(parCorpSubscriptionIds)) { scope: resourceGroup(corpSub.subID, parResourceGroupNameForSpokeNetworking) name: '${varModuleDeploymentNames.modSpokePeeringToHub}-${i}' params: { - parDestinationVirtualNetworkID: modHubNetworking.outputs.outHubVirtualNetworkID + parDestinationVirtualNetworkId: modHubNetworking.outputs.outHubVirtualNetworkId parDestinationVirtualNetworkName: modHubNetworking.outputs.outHubVirtualNetworkName parSourceVirtualNetworkName: 
'${take('vnet-spoke-corp-${uniqueString(corpSub.subID)}', 64)}' parAllowForwardedTraffic: true @@ -1443,7 +1443,7 @@ module modSpokePeeringFromHub '../../virtualNetworkPeer/virtualNetworkPeer.bicep scope: resourceGroup(parConnectivitySubscriptionId, parResourceGroupNameForHubNetworking) name: '${varModuleDeploymentNames.modSpokePeeringFromHub}-${i}' params: { - parDestinationVirtualNetworkID: '/subscriptions/${corpSub.subID}/resourceGroups/${parResourceGroupNameForSpokeNetworking}/providers/Microsoft.Network/virtualNetworks/${take('vnet-spoke-corp-${uniqueString(corpSub.subID)}', 64)}' + parDestinationVirtualNetworkId: '/subscriptions/${corpSub.subID}/resourceGroups/${parResourceGroupNameForSpokeNetworking}/providers/Microsoft.Network/virtualNetworks/${take('vnet-spoke-corp-${uniqueString(corpSub.subID)}', 64)}' parDestinationVirtualNetworkName: '${take('vnet-spoke-corp-${uniqueString(corpSub.subID)}', 64)}' parSourceVirtualNetworkName: modHubNetworking.outputs.outHubVirtualNetworkName parAllowForwardedTraffic: true diff --git a/infra-as-code/bicep/modules/unstable/orchestration/hubSpoke/orch-hubSpoke.parameters.json b/infra-as-code/bicep/modules/unstable/orchestration/hubSpoke/parameters/orchHubSpoke.parameters.all.json similarity index 91% rename from infra-as-code/bicep/modules/unstable/orchestration/hubSpoke/orch-hubSpoke.parameters.json rename to infra-as-code/bicep/modules/unstable/orchestration/hubSpoke/parameters/orchHubSpoke.parameters.all.json index 669c0cabd..39b9c1fe1 100644 --- a/infra-as-code/bicep/modules/unstable/orchestration/hubSpoke/orch-hubSpoke.parameters.json +++ b/infra-as-code/bicep/modules/unstable/orchestration/hubSpoke/parameters/orchHubSpoke.parameters.all.json @@ -58,7 +58,7 @@ "parAutomationAccountName": { "value": "alz-automation-account" }, - "parBastionEnabled": { + "parAzBastionEnabled": { "value": true }, "parDDoSEnabled": { 
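Review bot: In `modSpokeNetworking` the spoke route table now receives `parDisableBgpRoutePropagation` where it previously had its own `parBGPRoutePropogation`, and the parameter file later in this commit drops the old entry without any note. The value decides whether gateway-learned routes sit alongside the route through `parNextHopIpAddress`, so a deployment that set the old parameter differently would change how spoke traffic reaches the firewall on upgrade; the hunk does not show whether the spoke module reads the flag with the same polarity as before. I would record the meaning next to the line, e.g. `// true = gateway-learned (BGP) routes are NOT propagated to the spoke route table`, and call the removal out as a breaking change. The same hunk leaves `corpSub.subID`, `corpSub.vnetCIDR`, `parDDoSEnabled` and `parHubNVAEnabled` in the old casing, which is inconsistent with the identifiers renamed around them.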
@@ -67,24 +67,24 @@ "parDDoSPlanName": { "value": "ddos-connectivity" }, - "parAzureFirewallEnabled": { + "parAzFirewallEnabled": { "value": true }, - "parNetworkDNSEnableProxy": { + "parAzFirewallDnsProxyEnabled": { "value": true }, - "parDisableBGPRoutePropagation": { + "parDisableBgpRoutePropagation": { "value": false }, - "parPrivateDNSZonesEnabled": { + "parPrivateDnsZonesEnabled": { "value": true }, "parVpnGatewayConfig": { "value": { "name": "alz-vpn-gateway", - "gatewaytype": "Vpn", + "gatewayType": "Vpn", "sku": "VpnGw1", - "vpntype": "RouteBased", + "vpnType": "RouteBased", "generation": "Generation1", "enableBgp": false, "activeActive": false, @@ -102,9 +102,9 @@ "parExpressRouteGatewayConfig": { "value": { "name": "alz-er-gateway", - "gatewaytype": "ExpressRoute", + "gatewayType": "ExpressRoute", "sku": "ErGw1AZ", - "vpntype": "RouteBased", + "vpnType": "RouteBased", "vpnGatewayGeneration": "None", "enableBgp": false, "activeActive": false, @@ -119,10 +119,10 @@ } } }, - "parBastionSku": { + "parAzBastionSku": { "value": "Standard" }, - "parPublicIPSku": { + "parPublicIpSku": { "value": "Standard" }, "parTags": { @@ -134,10 +134,10 @@ "parHubNetworkName": { "value": "vnet-hub" }, - "parAzureFirewallName": { + "parAzFirewallName": { "value": "azfw-hub" }, - "parAzureFirewallTier": { + "parAzFirewallTier": { "value": "Standard" }, "parHubRouteTableName": { @@ -159,7 +159,7 @@ } ] }, - "parBastionName": { + "parAzBastionName": { "value": "bst-hub" }, "parPrivateDnsZones": { @@ -208,18 +208,15 @@ "privatelink.search.windows.net" ] }, - "parDNSServerIPArray": { + "parDnsServerIps": { "value": [] }, - "parASCEmailSecurityContact": { + "parAscEmailSecurityContact": { "value": "replace_me@security_contact.com" }, "parSpokeNetworkName": { "value": "vnet-spoke" }, - "parBGPRoutePropogation": { - "value": false - }, "parSpoketoHubRouteTableName": { "value": "rtb-spoke-to-hub" }, 
diff --git a/infra-as-code/bicep/modules/vnetPeering/README.md b/infra-as-code/bicep/modules/vnetPeering/README.md
index 32b951d0d..237f9a33e 100644
--- a/infra-as-code/bicep/modules/vnetPeering/README.md
+++ b/infra-as-code/bicep/modules/vnetPeering/README.md
@@ -45,66 +45,66 @@ During the deployment step, we will take parameters provided in the example para | Azure Cloud | Bicep template | Input parameters file | | -------------- | ------------------- | ---------------------------------------- | - | All regions | vnetPeering.bicep | vnetPeering.parameters.example.json | + | All regions | vnetPeering.bicep | parameters/vnetPeering.parameters.all.json | > For the examples below we assume you have downloaded or cloned the Git repo as-is and are in the root of the repository as your selected directory in your terminal of choice. ### Azure CLI ```bash # For Azure global regions -# Set your Connectivity subscription ID as the the current subscription -$ConnectivitySubscriptionId="[your Connectivity subscription ID]" -az account set --subscription $ConnectivitySubscriptionId +# Set your Corp Connected Landing Zone subscription ID as the the current subscription +LandingZoneSubscriptionId="[your Landing Zone subscription ID]" +az account set --subscription $LandingZoneSubscriptionId az deployment group create \ --resource-group Spoke_Networking_POC \ --template-file infra-as-code/bicep/modules/vnetPeering/vnetPeering.bicep \ - --parameters @infra-as-code/bicep/modules/vnetPeering/vnetPeering.parameters.example.json + --parameters @infra-as-code/bicep/modules/vnetPeering/parameters/vnetPeering.parameters.all.json ``` OR ```bash # For Azure China regions # Set your Corp Connected Landing Zone subscription ID as the the current subscription -$ConnectivitySubscriptionId="[your Connectivity subscription ID]" -az account set --subscription $ConnectivitySubscriptionId +LandingZoneSubscriptionId="[your Landing Zone subscription ID]" +az account set --subscription $LandingZoneSubscriptionId az deployment group create \ --resource-group Spoke_Networking_POC \ --template-file infra-as-code/bicep/modules/vnetPeering/vnetPeering.bicep \ - --parameters @infra-as-code/bicep/modules/vnetPeering/vnetPeering.parameters.example.json + 
--parameters @infra-as-code/bicep/modules/vnetPeering/parameters/vnetPeering.parameters.all.json ``` ### PowerShell ```powershell # For Azure global regions -# Set your Connectivity subscription ID as the the current subscription -$ConnectivitySubscriptionId = "[your Connectivity subscription ID]" +# Set your Corp Connected Landing Zone subscription ID as the the current subscription +$LandingZoneSubscriptionId = "[your Landing Zone subscription ID]" -Select-AzSubscription -SubscriptionId $ConnectivitySubscriptionId +Select-AzSubscription -SubscriptionId $LandingZoneSubscriptionId New-AzResourceGroupDeployment ` -ResourceGroupName Spoke_Networking_POC ` -TemplateFile infra-as-code/bicep/modules/vnetPeering/vnetPeering.bicep ` - -TemplateParameterFile infra-as-code/bicep/modules/vnetPeering/vnetPeering.parameters.example.json + -TemplateParameterFile infra-as-code/bicep/modules/vnetPeering/parameters/vnetPeering.parameters.all.json ``` OR ```powershell # For Azure China regions -# Set your Connectivity subscription ID as the the current subscription -$ConnectivitySubscriptionId = "[your Connectivity subscription ID]" +# Set your Corp Connected Landing Zone subscription ID as the the current subscription +$LandingZoneSubscriptionId = "[your Landing Zone subscription ID]" -Select-AzSubscription -SubscriptionId $ConnectivitySubscriptionId +Select-AzSubscription -SubscriptionId $LandingZoneSubscriptionId New-AzResourceGroupDeployment ` -ResourceGroupName Spoke_Networking_POC ` -TemplateFile infra-as-code/bicep/modules/vnetPeering/vnetPeering.bicep ` - -TemplateParameterFile infra-as-code/bicep/modules/vnetPeering/vnetPeering.parameters.example.json + -TemplateParameterFile infra-as-code/bicep/modules/vnetPeering/parameters/vnetPeering.parameters.all.json ``` ## Example output in Azure global regions -![Example Deployment Output](media/vnetPeeringExampleDeploymentOutput.png "Example Deployment Output in Azure global regions") +![Example Deployment 
Output](media/exampleDeploymentOutput.png "Example Deployment Output in Azure global regions") ## Bicep Visualizer diff --git a/infra-as-code/bicep/modules/vnetPeering/media/vnetPeeringExampleDeploymentOutput.png b/infra-as-code/bicep/modules/vnetPeering/media/exampleDeploymentOutput.png similarity index 100% rename from infra-as-code/bicep/modules/vnetPeering/media/vnetPeeringExampleDeploymentOutput.png rename to infra-as-code/bicep/modules/vnetPeering/media/exampleDeploymentOutput.png diff --git a/infra-as-code/bicep/modules/vnetPeering/vnetPeering.parameters.example.json b/infra-as-code/bicep/modules/vnetPeering/parameters/vnetPeering.parameters.all.json similarity index 100% rename from infra-as-code/bicep/modules/vnetPeering/vnetPeering.parameters.example.json rename to infra-as-code/bicep/modules/vnetPeering/parameters/vnetPeering.parameters.all.json diff --git a/infra-as-code/bicep/modules/vnetPeering/parameters/vnetPeering.parameters.min.json b/infra-as-code/bicep/modules/vnetPeering/parameters/vnetPeering.parameters.min.json new file mode 100644 index 000000000..90e26b482 --- /dev/null +++ b/infra-as-code/bicep/modules/vnetPeering/parameters/vnetPeering.parameters.min.json @@ -0,0 +1,30 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "parDestinationVirtualNetworkId": { + "value": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/HUB_Networking_POC/providers/Microsoft.Network/virtualNetworks/alz-hub-eastus" + }, + "parSourceVirtualNetworkName": { + "value": "vnet-spoke" + }, + "parDestinationVirtualNetworkName": { + "value": "alz-hub-eastus" + }, + "parAllowVirtualNetworkAccess": { + "value": true + }, + "parAllowForwardedTraffic": { + "value": true + }, + "parAllowGatewayTransit": { + "value": false + }, + "parUseRemoteGateways": { + "value": false + }, + "parTelemetryOptOut": { + "value": false + } + } +} 
diff --git a/infra-as-code/bicep/modules/vnetPeeringVwan/README.md b/infra-as-code/bicep/modules/vnetPeeringVwan/README.md index 9861e7f9f..b372e03fa 100644 --- a/infra-as-code/bicep/modules/vnetPeeringVwan/README.md +++ b/infra-as-code/bicep/modules/vnetPeeringVwan/README.md @@ -14,7 +14,7 @@ The module requires the following inputs: | Parameter | Type | Default | Description | Requirement | Example | | ---------------------------- | ------ | ---------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------- | ---------------------------- | - | parVirtualHubResourceId | string | None | Resource ID for Virtual WAN Hub. | 2-50 char | `/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/alz-vwan-eastus/providers/Microsoft.Network/virtualHubs/alz-vhub-eastus` | + | parVirtualWanHubResourceId | string | None | Resource ID for Virtual WAN Hub. | 2-50 char | `/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/alz-vwan-eastus/providers/Microsoft.Network/virtualHubs/alz-vhub-eastus` | | parRemoteVirtualNetworkResourceId | string | None | Resource ID for remote spoke virtual network. | 2-50 char | `/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/spokevnet-rg/providers/Microsoft.Network/virtualNetworks/vnet-spoke` | | parTelemetryOptOut | bool | `false` | Set Parameter to true to Opt-out of deployment telemetry | None | `false` | 
@@ -33,32 +33,32 @@ In this example, the remote spoke Vnet will be peered with the Vwan Virtual Hub | Azure Cloud | Bicep template | Input parameters file | | -------------- | ------------------- | ---------------------------------------- | - | All regions | vnetPeeringVwan.bicep | vnetPeeringVwan.parameters.example.json | + | All regions | vnetPeeringVwan.bicep | parameters/vnetPeeringVwan.parameters.all.json | > For the examples below we assume you have downloaded or cloned the Git repo as-is and are in the root of the repository as your selected directory in your terminal of choice. ### Azure CLI ```bash # For Azure global regions -# Set your Connectivity subscription ID as the the current subscription -$ConnectivitySubscriptionId="[your Connectivity subscription ID]" +# Set your Corp Connected Landing Zone subscription ID as the the current subscription +$ConnectivitySubscriptionId="[your Landing Zone subscription ID]" az account set --subscription $ConnectivitySubscriptionId az deployment sub create \ --template-file infra-as-code/bicep/modules/vnetPeeringVwan/vnetPeeringVwan.bicep \ - --parameters @infra-as-code/bicep/modules/vnetPeeringVwan/vnetPeeringVwan.parameters.example.json \ + --parameters @infra-as-code/bicep/modules/vnetPeeringVwan/parameters/vnetPeeringVwan.parameters.all.json \ --location eastus ``` OR ```bash # For Azure China regions # Set your Corp Connected Landing Zone subscription ID as the the current subscription -$ConnectivitySubscriptionId="[your Connectivity subscription ID]" +$ConnectivitySubscriptionId="[your Landing Zone subscription ID]" az account set --subscription $ConnectivitySubscriptionId az deployment sub create \ --template-file infra-as-code/bicep/modules/vnetPeeringVwan/vnetPeeringVwan.bicep \ - --parameters @infra-as-code/bicep/modules/vnetPeeringVwan/vnetPeeringVwan.parameters.example.json \ + --parameters @infra-as-code/bicep/modules/vnetPeeringVwan/parameters/vnetPeeringVwan.parameters.all.json \ --location chinaeast2 
``` 
@@ -66,33 +66,33 @@ az deployment sub create \ ```powershell # For Azure global regions -# Set your Connectivity subscription ID as the the current subscription -$ConnectivitySubscriptionId = "[your Connectivity subscription ID]" +# Set your Corp Connected Landing Zone subscription ID as the the current subscription +$ConnectivitySubscriptionId = "[your Landing Zone subscription ID]" Select-AzSubscription -SubscriptionId $ConnectivitySubscriptionId New-AzDeployment ` -TemplateFile infra-as-code/bicep/modules/vnetPeeringVwan/vnetPeeringVwan.bicep ` - -TemplateParameterFile infra-as-code/bicep/modules/vnetPeeringVwan/vnetPeeringVwan.parameters.example.json ` + -TemplateParameterFile infra-as-code/bicep/modules/vnetPeeringVwan/parameters/vnetPeeringVwan.parameters.all.json ` -Location 'eastus' ``` OR ```powershell # For Azure China regions -# Set your Connectivity subscription ID as the the current subscription -$ConnectivitySubscriptionId = "[your Connectivity subscription ID]" +# Set your Corp Connected Landing Zone subscription ID as the the current subscription +$ConnectivitySubscriptionId = "[your Landing Zone subscription ID]" Select-AzSubscription -SubscriptionId $ConnectivitySubscriptionId New-AzDeployment ` -TemplateFile infra-as-code/bicep/modules/vnetPeeringVwan/vnetPeeringVwan.bicep ` - -TemplateParameterFile infra-as-code/bicep/modules/vnetPeeringVwan/vnetPeeringVwan.parameters.example.json ` + -TemplateParameterFile infra-as-code/bicep/modules/vnetPeeringVwan/parameters/vnetPeeringVwan.parameters.all.json ` -Location 'chinaeast2' ``` ## Example Output in Azure global regions -![Example Deployment Output](media/vnetPeeringVwanExampleDeploymentOutput.png "Example Deployment Output in Azure global regions") +![Example Deployment Output](media/exampleDeploymentOutput.png "Example Deployment Output in Azure global regions") ## Bicep Visualizer -![Bicep Visualizer](media/vnetPeeringVwanBicepVisualizer.png "Bicep Visualizer") +![Bicep 
Visualizer](media/bicepVisualizer.png "Bicep Visualizer") diff --git a/infra-as-code/bicep/modules/vnetPeeringVwan/hubVirtualNetworkConnection.bicep b/infra-as-code/bicep/modules/vnetPeeringVwan/hubVirtualNetworkConnection.bicep index 26d8e47de..1e64bb7fb 100644 --- a/infra-as-code/bicep/modules/vnetPeeringVwan/hubVirtualNetworkConnection.bicep +++ b/infra-as-code/bicep/modules/vnetPeeringVwan/hubVirtualNetworkConnection.bicep @@ -1,16 +1,16 @@ @description('Virtual WAN Hub resource ID. No default') -param parVirtualHubResourceId string +param parVirtualWanHubResourceId string @description('Remote Spoke virtual network resource ID. No default') param parRemoteVirtualNetworkResourceId string -var varVwanHubName = split(parVirtualHubResourceId, '/')[8] +var varVwanHubName = split(parVirtualWanHubResourceId, '/')[8] var varSpokeVnetName = split(parRemoteVirtualNetworkResourceId, '/')[8] var varVnetPeeringVwanName = '${varVwanHubName}/${varSpokeVnetName}-vhc' -resource resVnetPeeringVwan 'Microsoft.Network/virtualHubs/hubVirtualNetworkConnections@2021-05-01' = if (!empty(parVirtualHubResourceId) && !empty(parRemoteVirtualNetworkResourceId)) { +resource resVnetPeeringVwan 'Microsoft.Network/virtualHubs/hubVirtualNetworkConnections@2021-05-01' = if (!empty(parVirtualWanHubResourceId) && !empty(parRemoteVirtualNetworkResourceId)) { name: varVnetPeeringVwanName properties: { remoteVirtualNetwork: { diff --git a/infra-as-code/bicep/modules/vnetPeeringVwan/media/vnetPeeringVwanBicepVisualizer.png b/infra-as-code/bicep/modules/vnetPeeringVwan/media/bicepVisualizer.png old mode 100755 new mode 100644 similarity index 100% rename from infra-as-code/bicep/modules/vnetPeeringVwan/media/vnetPeeringVwanBicepVisualizer.png rename to infra-as-code/bicep/modules/vnetPeeringVwan/media/bicepVisualizer.png 
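Review bot: `varVwanHubName` and `varSpokeVnetName` are read from fixed positions of `split(..., '/')`, and nothing in this file checks that either parameter is a complete resource ID of the expected type before indexing `[8]`. The `!empty(...)` condition on `resVnetPeeringVwan` probably does not protect those variables, since a conditional resource's name expression may still be evaluated, so an empty or truncated ID would surface as an index error rather than a skipped deployment. `vnetPeeringVwan.bicep` in this commit uses the same pattern at `[2]` and `[4]`, where the extracted values become the module's `scope`, so a malformed ID there selects the target subscription and resource group. I would state the required shape in each description, e.g. `@description('Virtual WAN Hub resource ID in the form /subscriptions/<id>/resourceGroups/<rg>/providers/Microsoft.Network/virtualHubs/<name>. No default')`. The resource body continues past the end of this hunk.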
diff --git a/infra-as-code/bicep/modules/vnetPeeringVwan/media/vnetPeeringVwanExampleDeploymentOutput.png b/infra-as-code/bicep/modules/vnetPeeringVwan/media/exampleDeploymentOutput.png old mode 100755 new mode 100644 similarity index 100% rename from infra-as-code/bicep/modules/vnetPeeringVwan/media/vnetPeeringVwanExampleDeploymentOutput.png rename to infra-as-code/bicep/modules/vnetPeeringVwan/media/exampleDeploymentOutput.png diff --git a/infra-as-code/bicep/modules/vnetPeeringVwan/vnetPeeringVwan.parameters.example.json b/infra-as-code/bicep/modules/vnetPeeringVwan/parameters/vnetPeeringVwan.parameters.all.json similarity index 93% rename from infra-as-code/bicep/modules/vnetPeeringVwan/vnetPeeringVwan.parameters.example.json rename to infra-as-code/bicep/modules/vnetPeeringVwan/parameters/vnetPeeringVwan.parameters.all.json index ad4ca18b1..a20679aad 100644 --- a/infra-as-code/bicep/modules/vnetPeeringVwan/vnetPeeringVwan.parameters.example.json +++ b/infra-as-code/bicep/modules/vnetPeeringVwan/parameters/vnetPeeringVwan.parameters.all.json @@ -2,7 +2,7 @@ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", "contentVersion": "1.0.0.0", "parameters": { - "parVirtualHubResourceId": { + "parVirtualWanHubResourceId": { "value": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/alz-vwan-eastus/providers/Microsoft.Network/virtualHubs/alz-vhub-eastus" }, "parRemoteVirtualNetworkResourceId": { @@ -12,4 +12,4 @@ "value": false } } -} \ No newline at end of file +} diff --git a/infra-as-code/bicep/modules/vnetPeeringVwan/parameters/vnetPeeringVwan.parameters.min.json b/infra-as-code/bicep/modules/vnetPeeringVwan/parameters/vnetPeeringVwan.parameters.min.json new file mode 100644 index 000000000..a20679aad --- /dev/null +++ b/infra-as-code/bicep/modules/vnetPeeringVwan/parameters/vnetPeeringVwan.parameters.min.json 
@@ -0,0 +1,15 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "parVirtualWanHubResourceId": { + "value": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/alz-vwan-eastus/providers/Microsoft.Network/virtualHubs/alz-vhub-eastus" + }, + "parRemoteVirtualNetworkResourceId": { + "value": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/spokevnet-rg/providers/Microsoft.Network/virtualNetworks/vnet-spoke" + }, + "parTelemetryOptOut": { + "value": false + } + } +} diff --git a/infra-as-code/bicep/modules/vnetPeeringVwan/vnetPeeringVwan.bicep b/infra-as-code/bicep/modules/vnetPeeringVwan/vnetPeeringVwan.bicep index 1d33ca2b5..9bce6876a 100644 --- a/infra-as-code/bicep/modules/vnetPeeringVwan/vnetPeeringVwan.bicep +++ b/infra-as-code/bicep/modules/vnetPeeringVwan/vnetPeeringVwan.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' @description('Virtual WAN Hub resource ID. No default') -param parVirtualHubResourceId string +param parVirtualWanHubResourceId string @description('Remote Spoke virtual network resource ID. No default') param parRemoteVirtualNetworkResourceId string 
@@ -12,20 +12,20 @@ param parTelemetryOptOut bool = false // Customer Usage Attribution Id var varCuaid = '7b5e6db2-1e8c-4b01-8eee-e1830073a63d' -var varVwanSubscriptionId = split(parVirtualHubResourceId, '/')[2] +var varVwanSubscriptionId = split(parVirtualWanHubResourceId, '/')[2] -var varVwanResourceGroup = split(parVirtualHubResourceId, '/')[4] +var varVwanResourceGroup = split(parVirtualWanHubResourceId, '/')[4] var varSpokeVnetName = split(parRemoteVirtualNetworkResourceId, '/')[8] var varModhubVirtualNetworkConnectionDeploymentName = take('deploy-vnet-peering-vwan-${varSpokeVnetName}', 64) // The hubVirtualNetworkConnection resource is implemented as a separate module because the deployment scope could be on a different subscription and resource group -module modhubVirtualNetworkConnection 'hubVirtualNetworkConnection.bicep' = if (!empty(parVirtualHubResourceId) && !empty(parRemoteVirtualNetworkResourceId)) { +module modhubVirtualNetworkConnection 'hubVirtualNetworkConnection.bicep' = if (!empty(parVirtualWanHubResourceId) && !empty(parRemoteVirtualNetworkResourceId)) { scope: resourceGroup(varVwanSubscriptionId, varVwanResourceGroup) name: varModhubVirtualNetworkConnectionDeploymentName params: { - parVirtualHubResourceId: parVirtualHubResourceId + parVirtualWanHubResourceId: parVirtualWanHubResourceId parRemoteVirtualNetworkResourceId: parRemoteVirtualNetworkResourceId } } diff --git a/infra-as-code/bicep/modules/vwanConnectivity/README.md b/infra-as-code/bicep/modules/vwanConnectivity/README.md index 4083bb957..f5b60918e 100644 --- a/infra-as-code/bicep/modules/vwanConnectivity/README.md +++ b/infra-as-code/bicep/modules/vwanConnectivity/README.md 
@@ -19,43 +19,54 @@ The module requires the following inputs: | Parameter | Type | Default | Description | Requirement | Example | | --------------------------------- | ------ | ------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------- | + | parLocation | string | `resourceGroup().location` | The Azure Region to deploy the resources into | None | `eastus` | | parVirtualHubEnabled | bool | true | Switch to enable deployment of Virtual Hub | None | true | - | parVPNGatewayEnabled | bool | true | Switch to enable deployment of VPN Gateway service | Virtual Hub | true | - | parERGatewayEnabled | bool | true | Switch to enable deployment of ExpressRoute Gateway | Virtual Hub | true | - | parAzureFirewallEnabled | bool | true | Switch to enable deployment of Azure Firewall | Virtual Hub | true | - | parNetworkDNSEnableProxy | bool | true | Switch to enable DNS proxy for Azure Firewall policies | Azure Firewall | true | + | parVpnGatewayEnabled | bool | true | Switch to enable deployment of VPN Gateway service | Virtual Hub | true | + | parExpressRouteGatewayEnabled | bool | true | Switch to enable deployment of ExpressRoute Gateway | Virtual Hub | true | + | parAzFirewallEnabled | bool | true | Switch to enable 
deployment of Azure Firewall | Virtual Hub | true | + | parAzFirewallDnsProxyEnabled | bool | true | Switch to enable DNS proxy for Azure Firewall policies | Azure Firewall | true | | parDdosEnabled | bool | true | Switch to enable deployment of distributed denial of service attacks service | None | true | | parPrivateDnsZonesEnabled | bool | true | Switch to enable deployment of Azure Private DNS Zones | None | true | | parPrivateDnsZonesResourceGroup | string | `resourceGroup().name` | Target Resource Group Name for Azure Private DNS Zones | 1-90 char | `Hub_PrivateDNS_POC` - Must already be present | - | parPrivateDnsZones | array | See example parameters file [`vwanConnectivity.parameters.example.json`](vwanConnectivity.parameters.example.json) | Array of DNS Zones to provision in Hub Virtual Network. Default: All known Azure Private DNS Zones except for: `privatelink.batch.azure.com`, `privatelink.azmk8s.io` and `privatelink.siterecovery.windowsazure.com` as these are region specific and `privatelink.{dnsPrefix}.database.windows.net` as the DNS Prefix is individual, which you can add to the parameters file with the required region and DNS Prefix in the zone name that you wish to deploy for. For more details on private DNS Zones please refer to the above link. | None | See Default | + | parPrivateDnsZones | array | See example parameters file [`parameters/vwanConnectivity.parameters.all.json`](parameters/vwanConnectivity.parameters.all.json) | Array of DNS Zones to provision in Hub Virtual Network. Default: All known Azure Private DNS Zones except for: `privatelink.batch.azure.com`, `privatelink.azmk8s.io` and `privatelink.siterecovery.windowsazure.com` as these are region specific and `privatelink.{dnsPrefix}.database.windows.net` as the DNS Prefix is individual, which you can add to the parameters file with the required region and DNS Prefix in the zone name that you wish to deploy for. For more details on private DNS Zones please refer to the above link. 
| None | See Default | | parVirtualNetworkIdToLink | string | Empty String `''` | Resource ID of VNet for Private DNS Zone VNet Links | None or Valid Resource ID of the Virtual Network | `/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/xxxxxxxxxxx/providers/Microsoft.Network/virtualNetworks/xxxxxxxxxxx` | | parCompanyPrefix | string | alz | Prefix value which will be pre-appended to all resource names | 1-10 char | alz | | parTags | object | Empty Array [] | List of tags (Key Value Pairs) to be applied to resources | None | environment: 'POC' | - | parVhubAddressPrefix | string | 10.100.0.0/23 | CIDR range for the Virtual WAN's Virtual Hub Network | CIDR Notation | 10.100.0.0/23 | - | parAzureFirewallTier | string | Standard | Tier associated with the Firewall to be deployed. | Standard or Premium | Standard | - | parVWanName | string | ${parCompanyPrefix}-vwan-${resourceGroup().location} | Name prefix for Virtual WAN. Prefix will be appended with the region. | 2-50 char | alz-vwan-eastus | - | parVHubName | string | ${parCompanyPrefix}-vhub-${resourceGroup().location} | Name prefix for Virtual Hub. Prefix will be appended with the region. | 2-50 char | alz-vhub-eastus | - | parVPNGwName | string | ${parCompanyPrefix}-vpngw-${resourceGroup().location} | Name prefix for VPN Gateway. Prefix will be appended with the region. | 2-50 char | alz-vpngw-eastus | - | parERGwName | string | ${parCompanyPrefix}-ergw-${resourceGroup().location} | Name prefix for ExpressRoute Gateway. Prefix will be appended with the region. 
| 2-50 char | alz-ergw-eastus | - | parAzureFirewallName | string | ${parCompanyPrefix}-fw-${resourceGroup().location} | Name associated with Azure Firewall | 1-80 char | alz-fw-eastus | - | parFirewallPoliciesName | string | ${parCompanyPrefix}-azfwpolicy-${resourceGroup().location} | Name associated with Azure Firewall Policy | 1-80 char | alz-azfwpolicy-eastus | - | parAzureFirewallAvailabilityZones | array | Empty Array [] | Availability Zones to deploy the Azure Firewall across. Region must support Availability Zones to use. If it does not then leave empty. | None | `['1']` or `['1' ,'2', '3']` | - | parDdosPlanName | string | ${parCompanyPrefix}-ddos-plan | Name which will be associated with distributed denial of service protection plan | 1-80 char | alz-ddos-plan | - | parLocation | string | `resourceGroup().location` | The Azure Region to deploy the resources into | None | `eastus` | - | parVPNGwScaleUnit | int | 1 | The scale unit for the VPN Gateway | None | 1 | - | parERGwScaleUnit | int | 1 | The scale unit for the ExpressRoute Gateway | None | 1 | + | parVirtualHubAddressPrefix | string | 10.100.0.0/23 | CIDR range for the Virtual WAN's Virtual Hub Network | CIDR Notation | 10.100.0.0/23 | + | parAzFirewallTier | string | Standard | Tier associated with the Firewall to be deployed. | Standard or Premium | Standard | + | parVirtualWanName | string | `${parCompanyPrefix}-vwan-${resourceGroup().location}` | Name prefix for Virtual WAN. Prefix will be appended with the region. | 2-50 char | alz-vwan-eastus | + | parVirtualWanHubName | string | `${parCompanyPrefix}-vhub-${resourceGroup().location}` | Name prefix for Virtual Hub. Prefix will be appended with the region. | 2-50 char | alz-vhub-eastus | + | parVpnGatewayName | string | `${parCompanyPrefix}-vpngw-${resourceGroup().location}` | Name prefix for VPN Gateway. Prefix will be appended with the region. 
| 2-50 char | alz-vpngw-eastus | + | parExpressRouteGatewayName | string | `${parCompanyPrefix}-ergw-${resourceGroup().location}` | Name prefix for ExpressRoute Gateway. Prefix will be appended with the region. | 2-50 char | alz-ergw-eastus | + | parAzFirewallName | string | `${parCompanyPrefix}-fw-${resourceGroup().location}` | Name associated with Azure Firewall | 1-80 char | alz-fw-eastus | + | parAzFirewallPoliciesName | string | `${parCompanyPrefix}-azfwpolicy-${resourceGroup().location}` | Name associated with Azure Firewall Policy | 1-80 char | alz-azfwpolicy-eastus | + | parAzFirewallAvailabilityZones | array | Empty Array [] | Availability Zones to deploy the Azure Firewall across. Region must support Availability Zones to use. If it does not then leave empty. | None | `['1']` or `['1' ,'2', '3']` | + | parDdosPlanName | string | `${parCompanyPrefix}-ddos-plan` | Name which will be associated with distributed denial of service protection plan | 1-80 char | alz-ddos-plan | + | parVpnGatewayScaleUnit | int | 1 | The scale unit for the VPN Gateway | None | 1 | + | parExpressRouteGatewayScaleUnit | int | 1 | The scale unit for the ExpressRoute Gateway | None | 1 | | parTelemetryOptOut | bool | false | Set Parameter to true to Opt-out of deployment telemetry | None | false | +> NOTE: When deploying using the `parameters/vwanConnectivity.parameters.all.json` you must update the `parPrivateDnsZones` parameter by replacing the `xxxxxx` placeholders with the deployment region. Failure to do so will cause these services to be unreachable over private endpoints. 
+> For example, if deploying to East US the following zone entries: +> - `privatelink.xxxxxx.azmk8s.io` +> - `privatelink.xxxxxx.backup.windowsazure.com` +> - `privatelink.xxxxxx.batch.azure.com` +> +> Will become: +> - `privatelink.eastus.azmk8s.io` +> - `privatelink.eastus.backup.windowsazure.com` +> - `privatelink.eastus.batch.azure.com` + ## Outputs The module will generate the following outputs: | Output | Type | Example | | --------------------- | ------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| outVirtualWANName | string | alz-vwan-eastus | -| outVirtualWANID | string | /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/alz-vwan-eastus/providers/Microsoft.Network/virtualWans/alz-vwan-eastus | +| outVirtualWanName | string | alz-vwan-eastus | +| outVirtualWanId | string | /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/alz-vwan-eastus/providers/Microsoft.Network/virtualWans/alz-vwan-eastus | | outVirtualHubName | string | alz-vhub-eastus | -| outVirtualHubID | string | /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/alz-vwan-eastus/providers/Microsoft.Network/virtualHubs/alz-vhub-eastus | +| outVirtualHubId | string | /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/alz-vwan-eastus/providers/Microsoft.Network/virtualHubs/alz-vhub-eastus | | outDdosPlanResourceId | string | /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/alz-vwan-eastus/providers/Microsoft.Network/ddosProtectionPlans/alz-ddos-plan | | outPrivateDnsZones | array | `["name": "privatelink.azurecr.io", "id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/net-lz-spk-eastus-rg/providers/Microsoft.Network/privateDnsZones/privatelink.azurecr.io"]` | ## Deployment 
@@ -64,8 +75,8 @@ In this example, the resources required for Virtual WAN connectivity will be dep | Azure Cloud | Bicep template | Input parameters file | | -------------- | ---------------------- | ------------------------------------------------- | - | Global regions | vwanConnectivity.bicep | vwanConnectivity.bicep.parameters.example.json | - | China regions | vwanConnectivity.bicep | mc-vwanConnectivity.bicep.parameters.example.json | + | Global regions | vwanConnectivity.bicep | parameters/vwanConnectivity.parameters.all.json | + | China regions | vwanConnectivity.bicep | parameters/mc-vwanConnectivity.parameters.all.json | > For the examples below we assume you have downloaded or cloned the Git repo as-is and are in the root of the repository as your selected directory in your terminal of choice. @@ -82,7 +93,7 @@ az group create --location eastus \ az deployment group create \ --resource-group alz-vwan-eastus \ --template-file infra-as-code/bicep/modules/vwanConnectivity/vwanConnectivity.bicep \ - --parameters @infra-as-code/bicep/modules/vwanConnectivity/vwanConnectivity.parameters.example.json + --parameters @infra-as-code/bicep/modules/vwanConnectivity/parameters/vwanConnectivity.parameters.all.json ``` OR ```bash @@ -97,7 +108,7 @@ az group create --location chinaeast2 \ az deployment group create \ --resource-group alz-vwan-chinaeast2 \ --template-file infra-as-code/bicep/modules/vwanConnectivity/vwanConnectivity.bicep \ - --parameters @infra-as-code/bicep/modules/vwanConnectivity/mc-vwanConnectivity.parameters.example.json + --parameters @infra-as-code/bicep/modules/vwanConnectivity/parameters/mc-vwanConnectivity.parameters.all.json ``` ### PowerShell 
@@ -114,7 +125,7 @@ New-AzResourceGroup -Name 'alz-vwan-eastus' ` New-AzResourceGroupDeployment ` -TemplateFile infra-as-code/bicep/modules/vwanConnectivity/vwanConnectivity.bicep ` - -TemplateParameterFile infra-as-code/bicep/modules/vwanConnectivity/vwanConnectivity.parameters.example.json ` + -TemplateParameterFile infra-as-code/bicep/modules/vwanConnectivity/parameters/vwanConnectivity.parameters.all.json ` -ResourceGroupName 'alz-vwan-eastus' ``` OR 
@@ -130,20 +141,20 @@ New-AzResourceGroup -Name 'alz-vwan-chinaeast2' ` New-AzResourceGroupDeployment ` -TemplateFile infra-as-code/bicep/modules/vwanConnectivity/vwanConnectivity.bicep ` - -TemplateParameterFile infra-as-code/bicep/modules/vwanConnectivity/mc-vwanConnectivity.parameters.example.json ` + -TemplateParameterFile infra-as-code/bicep/modules/vwanConnectivity/parameters/mc-vwanConnectivity.parameters.all.json ` -ResourceGroupName 'alz-vwan-chinaeast2' ``` ## Example Output in Azure global regions -![Example Deployment Output](media/vwanConnectivityExampleDeploymentOutput.png "Example Deployment Output in Azure global regions") +![Example Deployment Output](media/exampleDeploymentOutputConnectivity.png "Example Deployment Output in Azure global regions") -![Example Virtual WAN Deployment Output](media/vwanExampleDeploymentOutput.png "Example Virtual WAN Deployment Output in Azure global regions") +![Example Virtual WAN Deployment Output](media/exampleDeploymentOutput.png "Example Virtual WAN Deployment Output in Azure global regions") ## Example Output in Azure China regions -![Example Deployment Output](media/mc-vwanConnectivityExampleDeploymentOutput.png "Example Deployment Output in Azure China") +![Example Deployment Output](media/mc-exampleDeploymentOutputConnectivity.png "Example Deployment Output in Azure China") -![Example Virtual WAN Deployment Output](media/mc-vwanExampleDeploymentOutput.png "Example Virtual WAN Deployment Output in Azure China") +![Example Virtual WAN Deployment Output](media/mc-exampleDeploymentOutput.png "Example Virtual WAN Deployment Output in Azure China") ## Bicep Visualizer -![Bicep Visualizer](media/vwanConnectivityBicepVisualizer.png "Bicep Visualizer") +![Bicep Visualizer](media/bicepVisualizer.png "Bicep Visualizer") 
diff --git a/infra-as-code/bicep/modules/vwanConnectivity/media/vwanConnectivityBicepVisualizer.png b/infra-as-code/bicep/modules/vwanConnectivity/media/bicepVisualizer.png
old mode 100755
new mode 100644
similarity index 100%
rename from infra-as-code/bicep/modules/vwanConnectivity/media/vwanConnectivityBicepVisualizer.png
rename to infra-as-code/bicep/modules/vwanConnectivity/media/bicepVisualizer.png
diff --git a/infra-as-code/bicep/modules/vwanConnectivity/media/vwanExampleDeploymentOutput.png b/infra-as-code/bicep/modules/vwanConnectivity/media/exampleDeploymentOutput.png
old mode 100755
new mode 100644
similarity index 100%
rename from infra-as-code/bicep/modules/vwanConnectivity/media/vwanExampleDeploymentOutput.png
rename to infra-as-code/bicep/modules/vwanConnectivity/media/exampleDeploymentOutput.png
diff --git a/infra-as-code/bicep/modules/vwanConnectivity/media/vwanConnectivityExampleDeploymentOutput.png b/infra-as-code/bicep/modules/vwanConnectivity/media/exampleDeploymentOutputConnectivity.png
old mode 100755
new mode 100644
similarity index 100%
rename from infra-as-code/bicep/modules/vwanConnectivity/media/vwanConnectivityExampleDeploymentOutput.png
rename to infra-as-code/bicep/modules/vwanConnectivity/media/exampleDeploymentOutputConnectivity.png
diff --git a/infra-as-code/bicep/modules/vwanConnectivity/media/mc-vwanExampleDeploymentOutput.png b/infra-as-code/bicep/modules/vwanConnectivity/media/mc-exampleDeploymentOutput.png
old mode 100755
new mode 100644
similarity index 100%
rename from infra-as-code/bicep/modules/vwanConnectivity/media/mc-vwanExampleDeploymentOutput.png
rename to infra-as-code/bicep/modules/vwanConnectivity/media/mc-exampleDeploymentOutput.png
diff --git a/infra-as-code/bicep/modules/vwanConnectivity/media/mc-vwanConnectivityExampleDeploymentOutput.png b/infra-as-code/bicep/modules/vwanConnectivity/media/mc-exampleDeploymentOutputConnectivity.png
old mode 100755
new mode 100644
similarity index 100%
rename from infra-as-code/bicep/modules/vwanConnectivity/media/mc-vwanConnectivityExampleDeploymentOutput.png
rename to infra-as-code/bicep/modules/vwanConnectivity/media/mc-exampleDeploymentOutputConnectivity.png
diff --git a/infra-as-code/bicep/modules/vwanConnectivity/parameters/mc-vwanConnectivity.parameters.all.json b/infra-as-code/bicep/modules/vwanConnectivity/parameters/mc-vwanConnectivity.parameters.all.json
new file mode 100644
index 000000000..26bfd7f76
--- /dev/null
+++ b/infra-as-code/bicep/modules/vwanConnectivity/parameters/mc-vwanConnectivity.parameters.all.json
@@ -0,0 +1,113 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "parLocation": {
+ "value": "chinaeast2"
+ },
+ "parCompanyPrefix": {
+ "value": "alz"
+ },
+ "parVirtualHubAddressPrefix": {
+ "value": "10.100.0.0/23"
+ },
+ "parAzFirewallTier": {
+ "value": "Standard"
+ },
+ "parVirtualHubEnabled": {
+ "value": true
+ },
+ "parVpnGatewayEnabled": {
+ "value": true
+ },
+ "parExpressRouteGatewayEnabled": {
+ "value": true
+ },
+ "parAzFirewallEnabled": {
+ "value": true
+ },
+ "parAzFirewallDnsProxyEnabled": {
+ "value": true
+ },
+ "parVirtualWanName": {
+ "value": "alz-vwan-chinaeast2"
+ },
+ "parVirtualWanHubName": {
+ "value": "alz-vhub-chinaeast2"
+ },
+ "parVpnGatewayName": {
+ "value": "alz-vpngw-chinaeast2"
+ },
+ "parExpressRouteGatewayName": {
+ "value": "alz-ergw-chinaeast2"
+ },
+ "parAzFirewallName": {
+ "value": "alz-fw-chinaeast2"
+ },
+ "parAzFirewallAvailabilityZones": {
+ "value": []
+ },
+ "parAzFirewallPoliciesName": {
+ "value": "alz-azfwpolicy-chinaeast2"
+ },
+ "parVpnGatewayScaleUnit": {
+ "value": 1
+ },
+ "parExpressRouteGatewayScaleUnit": {
+ "value": 1
+ },
+ "parDdosEnabled": {
+ "value": false
+ },
+ "parDdosPlanName": {
+ "value": "alz-ddos-plan"
+ },
+ "parPrivateDnsZonesEnabled": {
+ "value": true
+ },
+ "parPrivateDnsZones": {
+ "value": [
+ "privatelink.azure-automation.cn",
+ "privatelink.database.chinacloudapi.cn",
+ "privatelink.blob.core.chinacloudapi.cn",
+ "privatelink.table.core.chinacloudapi.cn",
+ "privatelink.queue.core.chinacloudapi.cn",
+ "privatelink.file.core.chinacloudapi.cn",
+ "privatelink.web.core.chinacloudapi.cn",
+ "privatelink.dfs.core.chinacloudapi.cn",
+ "privatelink.documents.azure.cn",
+ "privatelink.mongo.cosmos.azure.cn",
+ "privatelink.cassandra.cosmos.azure.cn",
+ "privatelink.gremlin.cosmos.azure.cn",
+ "privatelink.table.cosmos.azure.cn",
+ "privatelink.postgres.database.chinacloudapi.cn",
+ "privatelink.mysql.database.chinacloudapi.cn",
+ "privatelink.mariadb.database.chinacloudapi.cn",
+ "privatelink.vaultcore.azure.cn",
+ "privatelink.servicebus.chinacloudapi.cn",
+ "privatelink.azure-devices.cn",
+ "privatelink.eventgrid.azure.cn",
+ "privatelink.chinacloudsites.cn",
+ "privatelink.api.ml.azure.cn",
+ "privatelink.notebooks.chinacloudapi.cn",
+ "privatelink.signalr.azure.cn",
+ "privatelink.azurehdinsight.cn",
+ "privatelink.afs.azure.cn",
+ "privatelink.datafactory.azure.cn",
+ "privatelink.adf.azure.cn",
+ "privatelink.redis.cache.chinacloudapi.cn"
+ ]
+ },
+ "parVirtualNetworkIdToLink": {
+ "value": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/HUB_Networking_POC/providers/Microsoft.Network/virtualNetworks/alz-hub-eastus"
+ },
+ "parTags": {
+ "value": {
+ "Environment": "POC"
+ }
+ },
+ "parTelemetryOptOut": {
+ "value": false
+ }
+ }
+}
\ No newline at end of file
diff --git a/infra-as-code/bicep/modules/vwanConnectivity/mc-vwanConnectivity.parameters.example.json b/infra-as-code/bicep/modules/vwanConnectivity/parameters/mc-vwanConnectivity.parameters.min.json
similarity index 77%
rename from infra-as-code/bicep/modules/vwanConnectivity/mc-vwanConnectivity.parameters.example.json
rename to infra-as-code/bicep/modules/vwanConnectivity/parameters/mc-vwanConnectivity.parameters.min.json
index 29ae9e78c..be5ca881a 100644
--- a/infra-as-code/bicep/modules/vwanConnectivity/mc-vwanConnectivity.parameters.example.json
+++ b/infra-as-code/bicep/modules/vwanConnectivity/parameters/mc-vwanConnectivity.parameters.min.json
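Review bot: `parVirtualNetworkIdToLink` in this new China parameter file carries a placeholder resource ID (`/subscriptions/xxxxxxxx-…/virtualNetworks/alz-hub-eastus`) while `parLocation` is `chinaeast2` and `parPrivateDnsZonesEnabled` is `true`. The README's deploy commands pass this file unchanged, so the private DNS zone VNet links would presumably be attempted against a subscription and VNet that do not exist; the module's own default for this parameter is the empty string. I would set `"value": ""` here, or keep a placeholder named for the right cloud (`alz-hub-chinaeast2`) and state in the README that it must be replaced before deploying. The same value is added in the `mc-vwanConnectivity.parameters.min.json` hunk and in both global parameter files.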
@@ -2,41 +2,44 @@ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", "contentVersion": "1.0.0.0", "parameters": { + "parLocation": { + "value": "chinaeast2" + }, + "parCompanyPrefix": { + "value": "alz" + }, + "parVirtualHubAddressPrefix": { + "value": "10.100.0.0/23" + }, + "parAzFirewallTier": { + "value": "Standard" + }, "parVirtualHubEnabled": { "value": true }, - "parVPNGatewayEnabled": { + "parVpnGatewayEnabled": { "value": true }, - "parERGatewayEnabled": { + "parExpressRouteGatewayEnabled": { "value": true }, - "parAzureFirewallEnabled": { + "parAzFirewallEnabled": { "value": true }, - "parNetworkDNSEnableProxy": { + "parAzFirewallDnsProxyEnabled": { "value": true }, - "parDdosEnabled": { - "value": false - }, - "parDdosPlanName": { - "value": "alz-ddos-plan" - }, - "parCompanyPrefix": { - "value": "alz" + "parAzFirewallAvailabilityZones": { + "value": [] }, - "parPublicIPSku": { - "value": "Standard" + "parVpnGatewayScaleUnit": { + "value": 1 }, - "parVhubAddressPrefix": { - "value": "10.100.0.0/23" + "parExpressRouteGatewayScaleUnit": { + "value": 1 }, - "parAzureFirewallTier": { - "value": "Standard" - }, - "parAzureFirewallAvailabilityZones": { - "value": [] + "parDdosEnabled": { + "value": false }, "parPrivateDnsZonesEnabled": { "value": true @@ -74,6 +77,9 @@ "privatelink.redis.cache.chinacloudapi.cn" ] }, + "parVirtualNetworkIdToLink": { + "value": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/HUB_Networking_POC/providers/Microsoft.Network/virtualNetworks/alz-hub-eastus" + }, "parTelemetryOptOut": { "value": false } diff --git a/infra-as-code/bicep/modules/vwanConnectivity/parameters/vwanConnectivity.parameters.all.json b/infra-as-code/bicep/modules/vwanConnectivity/parameters/vwanConnectivity.parameters.all.json new file mode 100644 index 000000000..3766e169a --- /dev/null +++ b/infra-as-code/bicep/modules/vwanConnectivity/parameters/vwanConnectivity.parameters.all.json 
@@ -0,0 +1,136 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "parLocation": {
+ "value": "eastus"
+ },
+ "parCompanyPrefix": {
+ "value": "alz"
+ },
+ "parVirtualHubAddressPrefix": {
+ "value": "10.100.0.0/23"
+ },
+ "parAzFirewallTier": {
+ "value": "Standard"
+ },
+ "parVirtualHubEnabled": {
+ "value": true
+ },
+ "parVpnGatewayEnabled": {
+ "value": true
+ },
+ "parExpressRouteGatewayEnabled": {
+ "value": true
+ },
+ "parAzFirewallEnabled": {
+ "value": true
+ },
+ "parAzFirewallDnsProxyEnabled": {
+ "value": true
+ },
+ "parVirtualWanName": {
+ "value": "alz-vwan-eastus"
+ },
+ "parVirtualWanHubName": {
+ "value": "alz-vhub-eastus"
+ },
+ "parVpnGatewayName": {
+ "value": "alz-vpngw-eastus"
+ },
+ "parExpressRouteGatewayName": {
+ "value": "alz-ergw-eastus"
+ },
+ "parAzFirewallName": {
+ "value": "alz-fw-eastus"
+ },
+ "parAzFirewallAvailabilityZones": {
+ "value": []
+ },
+ "parAzFirewallPoliciesName": {
+ "value": "alz-azfwpolicy-eastus"
+ },
+ "parVpnGatewayScaleUnit": {
+ "value": 1
+ },
+ "parExpressRouteGatewayScaleUnit": {
+ "value": 1
+ },
+ "parDdosEnabled": {
+ "value": true
+ },
+ "parDdosPlanName": {
+ "value": "alz-ddos-plan"
+ },
+ "parPrivateDnsZonesEnabled": {
+ "value": true
+ },
+ "parPrivateDnsZones": {
+ "value": [
+ "privatelink.azure-automation.net",
+ "privatelink.database.windows.net",
+ "privatelink.sql.azuresynapse.net",
+ "privatelink.dev.azuresynapse.net",
+ "privatelink.azuresynapse.net",
+ "privatelink.blob.core.windows.net",
+ "privatelink.table.core.windows.net",
+ "privatelink.queue.core.windows.net",
+ "privatelink.file.core.windows.net",
+ "privatelink.web.core.windows.net",
+ "privatelink.dfs.core.windows.net",
+ "privatelink.documents.azure.com",
+ "privatelink.mongo.cosmos.azure.com",
+ "privatelink.cassandra.cosmos.azure.com",
+ "privatelink.gremlin.cosmos.azure.com",
+ "privatelink.table.cosmos.azure.com",
+ "privatelink.postgres.database.azure.com",
+ "privatelink.mysql.database.azure.com",
+ "privatelink.mariadb.database.azure.com",
+ "privatelink.vaultcore.azure.net",
+ "privatelink.managedhsm.azure.net",
+ "privatelink.siterecovery.windowsazure.com",
+ "privatelink.servicebus.windows.net",
+ "privatelink.azure-devices.net",
+ "privatelink.eventgrid.azure.net",
+ "privatelink.azurewebsites.net",
+ "privatelink.api.azureml.ms",
+ "privatelink.notebooks.azure.net",
+ "privatelink.service.signalr.net",
+ "privatelink.monitor.azure.com",
+ "privatelink.oms.opinsights.azure.com",
+ "privatelink.ods.opinsights.azure.com",
+ "privatelink.agentsvc.azure-automation.net",
+ "privatelink.afs.azure.net",
+ "privatelink.datafactory.azure.net",
+ "privatelink.adf.azure.com",
+ "privatelink.redis.cache.windows.net",
+ "privatelink.redisenterprise.cache.azure.net",
+ "privatelink.purview.azure.com",
+ "privatelink.purviewstudio.azure.com",
+ "privatelink.digitaltwins.azure.net",
+ "privatelink.azconfig.io",
+ "privatelink.cognitiveservices.azure.com",
+ "privatelink.azurecr.io",
+ "privatelink.search.windows.net",
+ "privatelink.azurehdinsight.net",
+ "privatelink.media.azure.net",
+ "privatelink.his.arc.azure.com",
+ "privatelink.guestconfiguration.azure.com",
+ "privatelink.xxxxxx.azmk8s.io", // Replace xxxxxx with target region (i.e. eastus)
+ "privatelink.xxxxxx.backup.windowsazure.com", // Replace xxxxxx with target region (i.e. eastus)
+ "privatelink.xxxxxx.batch.azure.com" // Replace xxxxxx with target region (i.e. eastus),
+ ]
+ },
+ "parVirtualNetworkIdToLink": {
+ "value": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/HUB_Networking_POC/providers/Microsoft.Network/virtualNetworks/alz-hub-eastus"
+ },
+ "parTags": {
+ "value": {
+ "Environment": "POC"
+ }
+ },
+ "parTelemetryOptOut": {
+ "value": false
+ }
+ }
+}
\ No newline at end of file
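Review bot: The last three `parPrivateDnsZones` entries ship with the literal `xxxxxx` placeholder and `//` comments inside a `.json` file that the README tells users to deploy directly. Nothing in the visible hunks validates the zone names, so an unedited deployment would create zones such as `privatelink.xxxxxx.azmk8s.io` that never match a private endpoint record, and clients may then resolve the public name of the service instead of the private one. The `.eslintrc.yml` added in this commit sets `jsonc/no-comments` to `warn` for `*.json`, so these comments will be flagged by the repository's own linter, and strict JSON parsers reject them. I would drop the three region-specific zones from this file and leave them to the README note, or build them in the template from the location, e.g. `'privatelink.${parLocation}.azmk8s.io'`, so that no placeholder can reach a deployment.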
diff --git a/infra-as-code/bicep/modules/vwanConnectivity/parameters/vwanConnectivity.parameters.min.json b/infra-as-code/bicep/modules/vwanConnectivity/parameters/vwanConnectivity.parameters.min.json
new file mode 100644
index 000000000..f382d84de
--- /dev/null
+++ b/infra-as-code/bicep/modules/vwanConnectivity/parameters/vwanConnectivity.parameters.min.json
@@ -0,0 +1,51 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "parCompanyPrefix": {
+ "value": "alz"
+ },
+ "parVirtualHubAddressPrefix": {
+ "value": "10.100.0.0/23"
+ },
+ "parAzFirewallTier": {
+ "value": "Standard"
+ },
+ "parVirtualHubEnabled": {
+ "value": true
+ },
+ "parVpnGatewayEnabled": {
+ "value": true
+ },
+ "parExpressRouteGatewayEnabled": {
+ "value": true
+ },
+ "parAzFirewallEnabled": {
+ "value": true
+ },
+ "parAzFirewallDnsProxyEnabled": {
+ "value": true
+ },
+ "parAzFirewallAvailabilityZones": {
+ "value": []
+ },
+ "parVpnGatewayScaleUnit": {
+ "value": 1
+ },
+ "parExpressRouteGatewayScaleUnit": {
+ "value": 1
+ },
+ "parDdosEnabled": {
+ "value": true
+ },
+ "parPrivateDnsZonesEnabled": {
+ "value": true
+ },
+ "parVirtualNetworkIdToLink": {
+ "value": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/HUB_Networking_POC/providers/Microsoft.Network/virtualNetworks/alz-hub-eastus"
+ },
+ "parTelemetryOptOut": {
+ "value": false
+ }
+ }
+}
\ No newline at end of file
diff --git a/infra-as-code/bicep/modules/vwanConnectivity/vwanConnectivity.bicep b/infra-as-code/bicep/modules/vwanConnectivity/vwanConnectivity.bicep
index bceddd1c6..e8f1ea0f1 100644
--- a/infra-as-code/bicep/modules/vwanConnectivity/vwanConnectivity.bicep
+++ b/infra-as-code/bicep/modules/vwanConnectivity/vwanConnectivity.bicep
@@ -1,48 +1,48 @@ +@description('Region in which the resource group was created. Default: {resourceGroup().location}') +param parLocation string = resourceGroup().location + @description('Prefix value which will be prepended to all resource names. Default: alz') param parCompanyPrefix string = 'alz' @description('The IP address range in CIDR notation for the vWAN virtual Hub to use. Default: 10.100.0.0/23') -param parVhubAddressPrefix string = '10.100.0.0/23' +param parVirtualHubAddressPrefix string = '10.100.0.0/23' @description('Azure Firewall Tier associated with the Firewall to deploy. Default: Standard ') @allowed([ 'Standard' 'Premium' ]) -param parAzureFirewallTier string = 'Standard' - -@description('Tags you would like to be applied to all resources in this module. Default: empty array') -param parTags object = {} +param parAzFirewallTier string = 'Standard' -@description('Switch which allows Virtual Hub. Default: true') +@description('Switch to enable/disable Virtual Hub deployment. Default: true') param parVirtualHubEnabled bool = true -@description('Switch which allows VPN Gateway. Default: false') -param parVPNGatewayEnabled bool = true +@description('Switch to enable/disable VPN Gateway deployment. Default: false') +param parVpnGatewayEnabled bool = true -@description('Switch which allows ExpressRoute Gateway. Default: false') -param parERGatewayEnabled bool = true +@description('Switch to enable/disable ExpressRoute Gateway deployment. Default: false') +param parExpressRouteGatewayEnabled bool = true -@description('Switch which allows Azure Firewall deployment to be disabled. Default: false') -param parAzureFirewallEnabled bool = true +@description('Switch to enable/disable Azure Firewall deployment. Default: false') +param parAzFirewallEnabled bool = true -@description('Switch which enables DNS proxy for Azure Firewall policies. 
Default: false') -param parNetworkDNSEnableProxy bool = true +@description('Switch to enable/disable Azure Firewall DNS Proxy. Default: false') +param parAzFirewallDnsProxyEnabled bool = true @description('Prefix Used for Virtual WAN. Default: {parCompanyPrefix}-vwan-{parLocation}') -param parVWanName string = '${parCompanyPrefix}-vwan-${parLocation}' +param parVirtualWanName string = '${parCompanyPrefix}-vwan-${parLocation}' -@description('Prefix Used for Virtual Hub. Default: {parCompanyPrefix}-hub-{parLocation}') -param parVHubName string = '${parCompanyPrefix}-vhub-${parLocation}' +@description('Prefix Used for Virtual WAN Hub. Default: {parCompanyPrefix}-hub-{parLocation}') +param parVirtualWanHubName string = '${parCompanyPrefix}-vhub-${parLocation}' @description('Prefix Used for VPN Gateway. Default: {parCompanyPrefix}-vpngw-{parLocation}') -param parVPNGwName string = '${parCompanyPrefix}-vpngw-${parLocation}' +param parVpnGatewayName string = '${parCompanyPrefix}-vpngw-${parLocation}' @description('Prefix Used for ExpressRoute Gateway. Default: {parCompanyPrefix}-ergw-{parLocation}') -param parERGwName string = '${parCompanyPrefix}-ergw-${parLocation}' +param parExpressRouteGatewayName string = '${parCompanyPrefix}-ergw-${parLocation}' @description('Azure Firewall Name. Default: {parCompanyPrefix}-fw-{parLocation}') -param parAzureFirewallName string = '${parCompanyPrefix}-fw-${parLocation}' +param parAzFirewallName string = '${parCompanyPrefix}-fw-${parLocation}' @allowed([ '1' 
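Review bot: The rewritten `@description` strings for `parVpnGatewayEnabled`, `parExpressRouteGatewayEnabled`, `parAzFirewallEnabled` and `parAzFirewallDnsProxyEnabled` still say `Default: false` while each parameter is declared `= true`. Someone who omits these parameters expecting an opt-in gets a VPN gateway, an ExpressRoute gateway and a firewall deployed, so the text should match the declaration, e.g. `@description('Switch to enable/disable VPN Gateway deployment. Default: true')`. The same drift is visible for `parVirtualWanHubName` (`-hub-` documented, `-vhub-` used), in the next hunk for `parAzFirewallPoliciesName` (`-fwpol-` documented, `-azfwpolicy-` used), and further down for `parTags` (`empty array` on an `object`).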
@@ -50,27 +50,24 @@ param parAzureFirewallName string = '${parCompanyPrefix}-fw-${parLocation}' '3' ]) @description('Availability Zones to deploy the Azure Firewall across. Region must support Availability Zones to use. If it does not then leave empty.') -param parAzureFirewallAvailabilityZones array = [] +param parAzFirewallAvailabilityZones array = [] @description('Azure Firewall Policies Name. Default: {parCompanyPrefix}-fwpol-{parLocation}') -param parFirewallPoliciesName string = '${parCompanyPrefix}-azfwpolicy-${parLocation}' - -@description('Region in which the resource group was created. Default: {resourceGroup().location}') -param parLocation string = resourceGroup().location +param parAzFirewallPoliciesName string = '${parCompanyPrefix}-azfwpolicy-${parLocation}' @description('The scale unit for this VPN Gateway: Default: 1') -param parVPNGwScaleUnit int = 1 +param parVpnGatewayScaleUnit int = 1 @description('The scale unit for this ExpressRoute Gateway: Default: 1') -param parERGwScaleUnit int = 1 +param parExpressRouteGatewayScaleUnit int = 1 -@description('Switch which allows DDOS deployment to be disabled. Default: true') +@description('Switch to enable/disable DDoS Standard deployment. Default: true') param parDdosEnabled bool = true -@description('DDOS Plan Name. Default: {parCompanyPrefix}-ddos-plan') +@description('DDoS Plan Name. Default: {parCompanyPrefix}-ddos-plan') param parDdosPlanName string = '${parCompanyPrefix}-ddos-plan' -@description('Switch which allows and deploys Private DNS Zones. Default: true') +@description('Switch to enable/disable Private DNS Zones deployment. Default: true') param parPrivateDnsZonesEnabled bool = true @description('Resource Group Name for Private DNS Zones. Default: same resource group') 
@@ -135,6 +132,9 @@ param parPrivateDnsZones array = [ @description('Resource ID of VNet for Private DNS Zone VNet Links') param parVirtualNetworkIdToLink string = '' +@description('Tags you would like to be applied to all resources in this module. Default: empty array') +param parTags object = {} + @description('Set Parameter to true to Opt-out of deployment telemetry') param parTelemetryOptOut bool = false @@ -142,8 +142,8 @@ param parTelemetryOptOut bool = false var varCuaid = '7f94f23b-7a59-4a5c-9a8d-2a253a566f61' // Virtual WAN resource -resource resVWAN 'Microsoft.Network/virtualWans@2021-05-01' = { - name: parVWanName +resource resVwan 'Microsoft.Network/virtualWans@2021-05-01' = { + name: parVirtualWanName location: parLocation tags: parTags properties: { @@ -154,21 +154,21 @@ resource resVWAN 'Microsoft.Network/virtualWans@2021-05-01' = { } } -resource resVHub 'Microsoft.Network/virtualHubs@2021-05-01' = if (parVirtualHubEnabled && !empty(parVhubAddressPrefix)) { - name: parVHubName +resource resVhub 'Microsoft.Network/virtualHubs@2021-05-01' = if (parVirtualHubEnabled && !empty(parVirtualHubAddressPrefix)) { + name: parVirtualWanHubName location: parLocation tags: parTags properties: { - addressPrefix: parVhubAddressPrefix + addressPrefix: parVirtualHubAddressPrefix sku: 'Standard' virtualWan: { - id: resVWAN.id + id: resVwan.id } } } -resource resVHubRouteTable 'Microsoft.Network/virtualHubs/hubRouteTables@2021-05-01' = if (parVirtualHubEnabled && parAzureFirewallEnabled) { - parent: resVHub +resource resVhubRouteTable 'Microsoft.Network/virtualHubs/hubRouteTables@2021-05-01' = if (parVirtualHubEnabled && parAzFirewallEnabled) { + parent: resVhub name: 'defaultRouteTable' properties: { labels: [ 
@@ -181,15 +181,15 @@ resource resVHubRouteTable 'Microsoft.Network/virtualHubs/hubRouteTables@2021-05 '0.0.0.0/0' ] destinationType: 'CIDR' - nextHop: (parVirtualHubEnabled && parAzureFirewallEnabled) ? resAzureFirewall.id : '' + nextHop: (parVirtualHubEnabled && parAzFirewallEnabled) ? resAzureFirewall.id : '' nextHopType: 'ResourceID' } ] } } -resource resVPNGateway 'Microsoft.Network/vpnGateways@2021-05-01' = if (parVirtualHubEnabled && parVPNGatewayEnabled) { - name: parVPNGwName +resource resVpnGateway 'Microsoft.Network/vpnGateways@2021-05-01' = if (parVirtualHubEnabled && parVpnGatewayEnabled) { + name: parVpnGatewayName location: parLocation tags: parTags properties: { 
@@ -199,47 +199,47 @@ resource resVPNGateway 'Microsoft.Network/vpnGateways@2021-05-01' = if (parVirtu peerWeight: 5 } virtualHub: { - id: resVHub.id + id: resVhub.id } - vpnGatewayScaleUnit: parVPNGwScaleUnit + vpnGatewayScaleUnit: parVpnGatewayScaleUnit } } -resource resERGateway 'Microsoft.Network/expressRouteGateways@2021-05-01' = if (parVirtualHubEnabled && parERGatewayEnabled) { - name: parERGwName +resource resErGateway 'Microsoft.Network/expressRouteGateways@2021-05-01' = if (parVirtualHubEnabled && parExpressRouteGatewayEnabled) { + name: parExpressRouteGatewayName location: parLocation tags: parTags properties: { virtualHub: { - id: resVHub.id + id: resVhub.id } autoScaleConfiguration: { bounds: { - min: parERGwScaleUnit + min: parExpressRouteGatewayScaleUnit } } } } -resource resFirewallPolicies 'Microsoft.Network/firewallPolicies@2021-05-01' = if (parVirtualHubEnabled && parAzureFirewallEnabled) { - name: parFirewallPoliciesName +resource resFirewallPolicies 'Microsoft.Network/firewallPolicies@2021-05-01' = if (parVirtualHubEnabled && parAzFirewallEnabled) { + name: parAzFirewallPoliciesName location: parLocation tags: parTags properties: { dnsSettings: { - enableProxy: parNetworkDNSEnableProxy + enableProxy: parAzFirewallDnsProxyEnabled } sku: { - tier: parAzureFirewallTier + tier: parAzFirewallTier } } } -resource resAzureFirewall 'Microsoft.Network/azureFirewalls@2021-02-01' = if (parVirtualHubEnabled && parAzureFirewallEnabled) { - name: parAzureFirewallName +resource resAzureFirewall 'Microsoft.Network/azureFirewalls@2021-02-01' = if (parVirtualHubEnabled && parAzFirewallEnabled) { + name: parAzFirewallName location: parLocation tags: parTags - zones: (!empty(parAzureFirewallAvailabilityZones) ? parAzureFirewallAvailabilityZones : json('null')) + zones: (!empty(parAzFirewallAvailabilityZones) ? parAzFirewallAvailabilityZones : json('null')) properties: { hubIPAddresses: { publicIPs: { 
@@ -248,16 +248,16 @@ resource resAzureFirewall 'Microsoft.Network/azureFirewalls@2021-02-01' = if (pa } sku: { name: 'AZFW_Hub' - tier: parAzureFirewallTier + tier: parAzFirewallTier } virtualHub: { - id: parVirtualHubEnabled ? resVHub.id : '' + id: parVirtualHubEnabled ? resVhub.id : '' } additionalProperties: { - 'Network.DNS.EnableProxy': '${parNetworkDNSEnableProxy}' + 'Network.DNS.EnableProxy': '${parAzFirewallDnsProxyEnabled}' } firewallPolicy: { - id: (parVirtualHubEnabled && parAzureFirewallEnabled) ? resFirewallPolicies.id : '' + id: (parVirtualHubEnabled && parAzFirewallEnabled) ? resFirewallPolicies.id : '' } } } @@ -288,15 +288,15 @@ module modCustomerUsageAttribution '../../CRML/customerUsageAttribution/cuaIdRes } // Output Virtual WAN name and ID -output outVirtualWANName string = resVWAN.name -output outVirtualWANID string = resVWAN.id +output outVirtualWanName string = resVwan.name +output outVirtualWanId string = resVwan.id -// Output Virtual Hub name and ID -output outVirtualHubName string = resVHub.name -output outVirtualHubID string = resVHub.id +// Output Virtual WAN Hub name and ID +output outVirtualHubName string = resVhub.name +output outVirtualHubId string = resVhub.id // Output DDoS Plan ID -output outDdosPlanResourceID string = resDdosProtectionPlan.id +output outDdosPlanResourceId string = resDdosProtectionPlan.id // Output Private DNS Zones output outPrivateDnsZones array = (parPrivateDnsZonesEnabled ? modPrivateDnsZones.outputs.outPrivateDnsZones : []) diff --git a/infra-as-code/bicep/orchestration/hubPeeredSpoke/README.md b/infra-as-code/bicep/orchestration/hubPeeredSpoke/README.md index 9524e1040..81e5504a2 100644 --- a/infra-as-code/bicep/orchestration/hubPeeredSpoke/README.md +++ b/infra-as-code/bicep/orchestration/hubPeeredSpoke/README.md 
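Review bot: `outVirtualHubName` and `outVirtualHubId` read `resVhub` unconditionally, although `resVhub` is declared with `if (parVirtualHubEnabled && !empty(parVirtualHubAddressPrefix))`; when that condition is false the outputs reference a resource that was not deployed and the deployment is likely to fail at output evaluation. `outPrivateDnsZones` on the last line of the hunk already shows the guard to copy: `output outVirtualHubId string = (parVirtualHubEnabled && !empty(parVirtualHubAddressPrefix)) ? resVhub.id : ''`. `outDdosPlanResourceId` probably needs the same treatment with `parDdosEnabled`, since the China parameter files set it to `false`, but the `resDdosProtectionPlan` declaration is outside the visible hunks. The output renames (`outVirtualWANID` to `outVirtualWanId` and the others) also break any consumer that still reads the old names, which deserves a line in the change description.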
@@ -4,7 +4,7 @@ This module acts as an orchestration module that create and configures a spoke n Module deploys the following resources: -- Subscription placement in Management Group hierarchy - if parPeeredVnetSubscriptionMGPlacement is specified +- Subscription placement in Management Group hierarchy - if parPeeredVnetSubscriptionMgPlacement is specified - Virtual Network (Spoke VNet) - UDR - if parNextHopIPAddress and resource id of hub virtual network object is specified - Hub to Spoke peering - if resource id of hub virtual network object is specified in parHubVirtualNetworkID 
@@ -24,18 +24,18 @@ The module requires the following inputs: | parPeeredVnetSubscriptionId | string | Empty string `''` | Subscription Id to the Virtual Network Hub object | None | `xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx` | | parTags | object | Empty object `{}` | Array of Tags to be applied to all resources in module | None | `{"key": "value"}` | | parTelemetryOptOut | bool | false | Set Parameter to true to Opt-out of deployment telemetry | None | false | - | parPeeredVnetSubscriptionMGPlacement | string | Empty string `''` | The location (MG hierarchy) to place the subscription in | None | `'alz-platform-landingZonesCorp'` | + | parPeeredVnetSubscriptionMgPlacement | string | Empty string `''` | The location (MG hierarchy) to place the subscription in | None | `'alz-platform-landingZonesCorp'` | | parResourceGroupNameForSpokeNetworking | string | `$parTopLevelManagementGroupPrefix-$parRegion-spoke-networking` | Name of Resource Group to be created to contain resources | None | `Hub_Networking_POC` | | parDdosProtectionPlanId | string | Empty string `''` | Existing DDoS Protection plan to utilize | None | `/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/Hub_Networking_POC/providers/Microsoft.Network/ddosProtectionPlans/alz-Ddos-Plan` | | parSpokeNetworkName | string | `vnet-spoke` | The Name of the Spoke Virtual Network. 
| None | `vnet-spoke` | | parSpokeNetworkAddressPrefix | string | `10.11.0.0/16` | CIDR for Spoke Network | None | `10.11.0.0/16` | - | parDNSServerIPArray | array | Empty array `[]` | Array IP DNS Servers to use for VNet DNS Resolution | None | `['10.10.1.4', '10.20.1.5']` | - | parNextHopIPAddress | string | Empty string `''` | IP Address where network traffic should route to | None | `192.168.50.4` | - | parBGPRoutePrapogation | bool | false | Switch to enable BGP Route Propagation on VNet Route Table | None | false | + | parDnsServerIps | array | Empty array `[]` | Array IP DNS Servers to use for VNet DNS Resolution | None | `['10.10.1.4', '10.20.1.5']` | + | parNextHopIpAddress | string | Empty string `''` | IP Address where network traffic should route to | None | `192.168.50.4` | + | parDisableBgpRoutePropagation | bool | false | Switch to enable BGP Route Propagation on VNet Route Table | None | false | | parSpokeToHubRouteTableName | string | 'rtb-spoke-to-hub' | Name of Route table to create for the default route of Hub | None | `rtb-spoke-to-hub` | - | parHubVirtualNetworkID | string | Empty string `''` | Virtual Network ID of Hub Virtual Network, or Azure Virtuel WAN hub ID | None | `/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/Hub_Networking_POC/providers/Microsoft.Network/virtualNetworks/alz-vnet-hub-northeurope` + | parHubVirtualNetworkId | string | Empty string `''` | Virtual Network ID of Hub Virtual Network, or Azure Virtuel WAN hub ID | None | `/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/Hub_Networking_POC/providers/Microsoft.Network/virtualNetworks/alz-vnet-hub-northeurope` | parAllowSpokeForwardedTraffic | bool | false | Switch to enable/disable forwarded Traffic from outside spoke network | None | false | - | parAllowHubVPNGatewayTransit | bool | false | Switch to enable/disable VPN Gateway for the hub network peering | None | false | + | parAllowHubVpnGatewayTransit | bool | false | Switch to 
enable/disable VPN Gateway for the hub network peering | None | false | ## Outputs @@ -44,7 +44,7 @@ The module will generate the following outputs: | Output | Type | Example | | --------------------------- | ------ | --------------------------------------------------------------------------------------------------------------------------------------------------- | | outSpokeVirtualNetworkName | string | `vnet-spoke` | -| outSpokeVirtualNetworkid | string | `/subscriptions/xxxxxxxx-xxxx-xxxx-xxxxx-xxxxxxxxx/resourceGroups/Hub_Networking_POC/providers/Microsoft.Network/virtualNetworks/vnet-spoke` | +| outSpokeVirtualNetworkId | string | `/subscriptions/xxxxxxxx-xxxx-xxxx-xxxxx-xxxxxxxxx/resourceGroups/Hub_Networking_POC/providers/Microsoft.Network/virtualNetworks/vnet-spoke` | ## Deployment 
@@ -58,29 +58,27 @@ In this example, the spoke resources will be deployed to the resource group spec ```bash # For Azure global regions # Set Azure Corp Landing zone subscription ID as the the current subscription -$LandingZoneSubscriptionId="[your landing zone subscription ID]" -$Location="[your landing zone subscription ID]" -$TopLevelManagemetGroupID="alz" +LandingZoneSubscriptionId="[your landing zone subscription ID]" az account set --subscription $LandingZoneSubscriptionId az deployment mg create \ - --location $Location --management-group-id $TopLevelManagemetGroupID \ - --template-file .\infra-as-code\bicep\orchestration\hubPeeredSpoke\hubPeeredSpoke.bicep \ - --parameters @infra-as-code\bicep\orchestration\hubPeeredSpoke\hubPeeredSpoke.parameters.example.json + --template-file infra-as-code/bicep/orchestration/hubPeeredSpoke/hubPeeredSpoke.bicep \ + --parameters @infra-as-code/bicep/orchestration/hubPeeredSpoke/parameters/hubPeeredSpoke.parameters.all.json \ + --location eastus \ + --management-group-id alz ``` OR ```bash # For Azure China regions # Set Azure Corp Landing zone subscription ID as the the current subscription -$LandingZoneSubscriptionId="[your landing zone subscription ID]" -$Location="[your landing zone subscription ID]" -$TopLevelManagemetGroupID="alz" +LandingZoneSubscriptionId="[your landing zone subscription ID]" az account set --subscription $LandingZoneSubscriptionId az deployment mg create \ - --location $Location --management-group-id $TopLevelManagemetGroupID \ - --template-file .\infra-as-code\bicep\orchestration\hubPeeredSpoke\hubPeeredSpoke.bicep \ - --parameters @infra-as-code\bicep\orchestration\hubPeeredSpoke\hubPeeredSpoke.parameters.example.json + --template-file infra-as-code/bicep/orchestration/hubPeeredSpoke/hubPeeredSpoke.bicep \ + --parameters @infra-as-code/bicep/orchestration/hubPeeredSpoke/parameters/hubPeeredSpoke.parameters.all.json \ + --location chinaeast2 \ + --management-group-id alz ``` ### PowerShell 
@@ -89,30 +87,28 @@ az deployment mg create \ # For Azure global regions # Set Azure Corp Landing zone subscription ID as the the current subscription $LandingZoneSubscriptionId="[your landing zone subscription ID]" -$Location="[your landing zone subscription ID]" -$TopLevelManagemetGroupID="alz" - Select-AzSubscription -SubscriptionId $LandingZoneSubscriptionId New-AzManagementGroupDeployment ` - -Location $Location -ManagementGroupId $TopLevelManagemetGroupID ` - -TemplateFile infra-as-code\bicep\orchestration\hubPeeredSpoke\hubPeeredSpoke.bicep ` - -TemplateParameterFile infra-as-code\bicep\orchestration\hubPeeredSpoke\hubPeeredSpoke.parameters.example.json ` + -TemplateFile infra-as-code/bicep/orchestration/hubPeeredSpoke/hubPeeredSpoke.bicep ` + -TemplateParameterFile infra-as-code/bicep/orchestration/hubPeeredSpoke/parameters/hubPeeredSpoke.parameters.all.json ` + -Location eastus ` + -ManagementGroupId alz ``` OR ```powershell # For Azure China regions # Set Platform connectivity subscription ID as the the current subscription $LandingZoneSubscriptionId="[your landing zone subscription ID]" -$Location="[your landing zone subscription ID]" $TopLevelManagemetGroupID="alz" Select-AzSubscription -SubscriptionId $LandingZoneSubscriptionId New-AzManagementGroupDeployment ` - -Location $Location -ManagementGroupId $TopLevelManagemetGroupID ` - -TemplateFile infra-as-code\bicep\orchestration\hubPeeredSpoke\hubPeeredSpoke.bicep ` - -TemplateParameterFile infra-as-code\bicep\orchestration\hubPeeredSpoke\hubPeeredSpoke.parameters.example.json ` + -TemplateFile infra-as-code/bicep/orchestration/hubPeeredSpoke/hubPeeredSpoke.bicep ` + -TemplateParameterFile infra-as-code/bicep/orchestration/hubPeeredSpoke/parameters/hubPeeredSpoke.parameters.all.json ` + -Location chinaeast2 ` + -ManagementGroupId alz ``` 
diff --git a/infra-as-code/bicep/orchestration/hubPeeredSpoke/hubPeeredSpoke.bicep b/infra-as-code/bicep/orchestration/hubPeeredSpoke/hubPeeredSpoke.bicep index 324222b9b..a49b7b8f7 100644 --- a/infra-as-code/bicep/orchestration/hubPeeredSpoke/hubPeeredSpoke.bicep +++ b/infra-as-code/bicep/orchestration/hubPeeredSpoke/hubPeeredSpoke.bicep @@ -38,16 +38,16 @@ param parSpokeNetworkName string = 'vnet-spoke' param parSpokeNetworkAddressPrefix string = '10.11.0.0/16' @description('Array of DNS Server IP addresses for VNet. Default: Empty Array') -param parDnsServerIpArray array = [] +param parDnsServerIps array = [] @description('IP Address where network traffic should route to. Default: Empty string') param parNextHopIpAddress string = '' @description('Switch which allows BGP Route Propogation to be disabled on the route table') -param parBgpRoutePropagation bool = false +param parDisableBgpRoutePropagation bool = false @description('Name of Route table to create for the default route of Hub. Default: rtb-spoke-to-hub') -param parSpoketoHubRouteTableName string = 'rtb-spoke-to-hub' +param parSpokeToHubRouteTableName string = 'rtb-spoke-to-hub' // Peering Modules Parameters @description('Virtual Network ID of Hub Virtual Network, or Azure Virtuel WAN hub ID. No default') 
@@ -138,10 +138,10 @@ module modSpokeNetworking '../../modules/spokeNetworking/spokeNetworking.bicep' parSpokeNetworkName: parSpokeNetworkName parSpokeNetworkAddressPrefix: parSpokeNetworkAddressPrefix parDdosProtectionPlanId: parDdosProtectionPlanId - parDnsServerIPs: parDnsServerIpArray - parNextHopIPAddress: varNextHopIPAddress - parSpokeToHubRouteTableName: parSpoketoHubRouteTableName - parBGPRoutePropagation: parBgpRoutePropagation + parDnsServerIps: parDnsServerIps + parNextHopIpAddress: varNextHopIPAddress + parSpokeToHubRouteTableName: parSpokeToHubRouteTableName + parDisableBgpRoutePropagation: parDisableBgpRoutePropagation parTags: parTags parTelemetryOptOut: parTelemetryOptOut parLocation: parLocation @@ -180,10 +180,10 @@ module modhubVirtualNetworkConnection '../../modules/vnetPeeringVwan/hubVirtualN scope: resourceGroup(varVirtualHubSubscriptionId, varVirtualHubResourceGroup) name: varModuleDeploymentNames.modVnetPeeringVwan params: { - parVirtualHubResourceId: varVirtualHubResourceId + parVirtualWanHubResourceId: varVirtualHubResourceId parRemoteVirtualNetworkResourceId: modSpokeNetworking.outputs.outSpokeVirtualNetworkId } } output outSpokeVirtualNetworkName string = modSpokeNetworking.outputs.outSpokeVirtualNetworkName -output outSpokeVirtualNetworkid string = modSpokeNetworking.outputs.outSpokeVirtualNetworkId +output outSpokeVirtualNetworkId string = modSpokeNetworking.outputs.outSpokeVirtualNetworkId diff --git a/infra-as-code/bicep/orchestration/hubPeeredSpoke/hubPeeredSpoke.parameters.example.json b/infra-as-code/bicep/orchestration/hubPeeredSpoke/parameters/hubPeeredSpoke.parameters.all.json similarity index 93% rename from infra-as-code/bicep/orchestration/hubPeeredSpoke/hubPeeredSpoke.parameters.example.json rename to infra-as-code/bicep/orchestration/hubPeeredSpoke/parameters/hubPeeredSpoke.parameters.all.json index 366a2b3ec..ed8931576 100644 --- a/infra-as-code/bicep/orchestration/hubPeeredSpoke/hubPeeredSpoke.parameters.example.json 
+++ b/infra-as-code/bicep/orchestration/hubPeeredSpoke/parameters/hubPeeredSpoke.parameters.all.json @@ -23,13 +23,13 @@ "parSpokeNetworkAddressPrefix": { "value": "10.202.0.0/24" }, - "parDnsServerIpArray": { + "parDnsServerIps": { "value": [] }, "parNextHopIpAddress": { "value": "10.20.255.4" }, - "parBgpRoutePropagation": { + "parDisableBgpRoutePropagation": { "value": false }, "parSpoketoHubRouteTableName": { @@ -50,7 +50,7 @@ } }, "parTelemetryOptOut": { - "value": true + "value": false } } - } \ No newline at end of file + } diff --git a/infra-as-code/bicep/orchestration/hubPeeredSpoke/hubPeeredSpoke.vwan.parameters.example.json b/infra-as-code/bicep/orchestration/hubPeeredSpoke/parameters/hubPeeredSpoke.vwan.parameters.all.json similarity index 93% rename from infra-as-code/bicep/orchestration/hubPeeredSpoke/hubPeeredSpoke.vwan.parameters.example.json rename to infra-as-code/bicep/orchestration/hubPeeredSpoke/parameters/hubPeeredSpoke.vwan.parameters.all.json index d39037718..498ad20ee 100644 --- a/infra-as-code/bicep/orchestration/hubPeeredSpoke/hubPeeredSpoke.vwan.parameters.example.json +++ b/infra-as-code/bicep/orchestration/hubPeeredSpoke/parameters/hubPeeredSpoke.vwan.parameters.all.json @@ -23,13 +23,13 @@ "parSpokeNetworkAddressPrefix": { "value": "10.202.0.0/24" }, - "parDnsServerIpArray": { + "parDnsServerIps": { "value": [] }, "parNextHopIpAddress": { "value": "10.20.255.4" }, - "parBgpRoutePropagation": { + "parDisableBgpRoutePropagation": { "value": false }, "parSpoketoHubRouteTableName": { @@ -50,7 +50,7 @@ } }, "parTelemetryOptOut": { - "value": true + "value": false } } - } \ No newline at end of file + } diff --git a/tests/pipelines/bicep-build-to-validate.yml b/tests/pipelines/bicep-build-to-validate.yml index adf6372ff..082653b2a 100644 --- a/tests/pipelines/bicep-build-to-validate.yml +++ b/tests/pipelines/bicep-build-to-validate.yml 
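Review bot: `parSpoketoHubRouteTableName` keeps its old casing in the context of the first hunk of both renamed parameter files, although this commit renames the template parameter to `parSpokeToHubRouteTableName` in hubPeeredSpoke.bicep. Resource Manager may still bind it if parameter names are compared case-insensitively, but the key should read `"parSpokeToHubRouteTableName": {` so the file matches the declaration. Separately, the last hunk of each file flips `parTelemetryOptOut` from `true` to `false`, so anyone deploying from these files now sends deployment telemetry unless they change the value back. That is a behaviour change inside a naming clean-up and deserves a line in the commit description.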
@@ -27,7 +27,7 @@ jobs: script: | git_diff1=$(git diff --name-only HEAD^ HEAD infra-as-code/bicep/modules/managementGroups/managementGroups.bicep) git_diff2=$(git diff --name-only HEAD^ HEAD infra-as-code/bicep/modules/customRoleDefinitions/customRoleDefinitions.bicep) - git_diff3=$(git diff --name-only HEAD^ HEAD infra-as-code/bicep/modules/policy/definitions/custom-policy-definitions.bicep) + git_diff3=$(git diff --name-only HEAD^ HEAD infra-as-code/bicep/modules/policy/definitions/customPolicyDefinitions.bicep) git_diff4=$(git diff --name-only HEAD^ HEAD infra-as-code/bicep/modules/policy/assignments/policyAssignmentManagementGroup.bicep) git_diff5=$(git diff --name-only HEAD^ HEAD infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep) git_diff6=$(git diff --name-only HEAD^ HEAD infra-as-code/bicep/modules/subscriptionPlacement/subscriptionPlacement.bicep) 
@@ -107,7 +107,7 @@ jobs: inputs: targetType: 'inline' script: | - subid=$(az deployment tenant create --name "deploy-$(SubscriptionName)" --location $(Location) --template-file infra-as-code/bicep/CRML/subscriptionAlias/subscriptionAlias.bicep --parameters @infra-as-code/bicep/CRML/subscriptionAlias/parameters/subscriptionAlias.parameters.minimum.example.json --parameters parSubscriptionBillingScope=$(ALZ-AZURE-SECRET-EA-BILLING-ACCOUNT) parSubscriptionName=$(SubscriptionName) | jq .properties.outputs.outSubscriptionId.value | tr -d '"') + subid=$(az deployment tenant create --name "deploy-$(SubscriptionName)" --location $(Location) --template-file infra-as-code/bicep/CRML/subscriptionAlias/subscriptionAlias.bicep --parameters @infra-as-code/bicep/CRML/subscriptionAlias/parameters/subscriptionAlias.parameters.min.json --parameters parSubscriptionBillingScope=$(ALZ-AZURE-SECRET-EA-BILLING-ACCOUNT) parSubscriptionName=$(SubscriptionName) | jq .properties.outputs.outSubscriptionId.value | tr -d '"') echo $subId echo "##vso[task.setvariable variable=subscriptionId]$subid" echo "##vso[task.setvariable variable=IsDeployed;isoutput=true]$subid" @@ -141,7 +141,7 @@ jobs: inputs: targetType: 'inline' script: | - az deployment tenant create --template-file infra-as-code/bicep/modules/managementGroups/managementGroups.bicep --parameters @infra-as-code/bicep/modules/managementGroups/managementGroups.parameters.example.json parTopLevelManagementGroupPrefix=$(ManagementGroupPrefix) --location $(Location) + az deployment tenant create --template-file infra-as-code/bicep/modules/managementGroups/managementGroups.bicep --parameters @infra-as-code/bicep/modules/managementGroups/parameters/managementGroups.parameters.min.json parTopLevelManagementGroupPrefix=$(ManagementGroupPrefix) --location $(Location) - task: Bash@3 displayName: Az CLI Deploy Custom Role Definitions for PR 
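Review bot: A failed `az deployment tenant create` in the first hunk goes undetected, because the script's exit status comes from the final `echo`, so an empty or `null` value is published as `subscriptionId` and later steps build resource IDs from it. `echo $subId` also reads a variable that is never set (the assignment is to `subid`), so that log line is always blank. I would start the script with `set -euo pipefail`, use `jq -r` in place of `tr -d '"'`, and add `[ -n "$subid" ] && [ "$subid" != "null" ] || exit 1` before the `##vso` lines. The task's other inputs lie outside the hunk, so a fail-on-error setting there would change this.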
@@ -150,7 +150,7 @@ jobs: inputs: targetType: 'inline' script: | - az deployment mg create --template-file infra-as-code/bicep/modules/customRoleDefinitions/customRoleDefinitions.bicep --parameters @infra-as-code/bicep/modules/customRoleDefinitions/customRoleDefinitions.parameters.example.json parAssignableScopeManagementGroupId=$(ManagementGroupPrefix) --location $(Location) --management-group-id $(ManagementGroupPrefix) + az deployment mg create --template-file infra-as-code/bicep/modules/customRoleDefinitions/customRoleDefinitions.bicep --parameters @infra-as-code/bicep/modules/customRoleDefinitions/parameters/customRoleDefinitions.parameters.min.json parAssignableScopeManagementGroupId=$(ManagementGroupPrefix) --location $(Location) --management-group-id $(ManagementGroupPrefix) - task: Bash@3 displayName: Az CLI Deploy Custom Policy Definitions for PR @@ -159,7 +159,7 @@ jobs: inputs: targetType: 'inline' script: | - az deployment mg create --template-file infra-as-code/bicep/modules/policy/definitions/custom-policy-definitions.bicep --parameters @infra-as-code/bicep/modules/policy/definitions/custom-policy-definitions.parameters.example.json parTargetManagementGroupID=$(ManagementGroupPrefix) --location $(Location) --management-group-id $(ManagementGroupPrefix) + az deployment mg create --template-file infra-as-code/bicep/modules/policy/definitions/customPolicyDefinitions.bicep --parameters @infra-as-code/bicep/modules/policy/definitions/parameters/customPolicyDefinitions.parameters.min.json parTargetManagementGroupId=$(ManagementGroupPrefix) --location $(Location) --management-group-id $(ManagementGroupPrefix) - task: Bash@3 displayName: Az CLI Deploy Logging for PR 
@@ -168,7 +168,7 @@ jobs: inputs: targetType: 'inline' script: | - az deployment group create --resource-group $(ResourceGroupName) --template-file infra-as-code/bicep/modules/logging/logging.bicep --parameters @infra-as-code/bicep/modules/logging/logging.parameters.example.json + az deployment group create --resource-group $(ResourceGroupName) --template-file infra-as-code/bicep/modules/logging/logging.bicep --parameters @infra-as-code/bicep/modules/logging/parameters/logging.parameters.min.json - task: Bash@3 displayName: Az CLI Subscription Placement for PR @@ -177,7 +177,7 @@ jobs: inputs: targetType: 'inline' script: | - az deployment mg create --template-file infra-as-code/bicep/modules/subscriptionPlacement/subscriptionPlacement.bicep --parameters @infra-as-code/bicep/modules/subscriptionPlacement/subscriptionPlacement.parameters.example.json parTargetManagementGroupId=$(ManagementGroupPrefix)-platform-connectivity parSubscriptionIds='["$(subscriptionId)"]' --location $(Location) --management-group-id $(ManagementGroupPrefix) + az deployment mg create --template-file infra-as-code/bicep/modules/subscriptionPlacement/subscriptionPlacement.bicep --parameters @infra-as-code/bicep/modules/subscriptionPlacement/parameters/subscriptionPlacement.parameters.min.json parTargetManagementGroupId=$(ManagementGroupPrefix)-platform-connectivity parSubscriptionIds='["$(subscriptionId)"]' --location $(Location) --management-group-id $(ManagementGroupPrefix) - task: AzurePowerShell@5 displayName: Az PwSh alzDefaultPolicyAssignments for PR 
@@ -187,7 +187,7 @@ jobs: azureSubscription: 'azserviceconnection' ScriptType: 'FilePath' ScriptPath: '.github/scripts/Set-AlzDefaultPolicyAssignment.ps1' - ScriptArguments: '-ManagementGroupId "$(ManagementGroupPrefix)-platform" -parLocation $(Location) -templateFile ./infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep -parameterFile .\infra-as-code\bicep\modules\policy\assignments\alzDefaults\alzDefaultPolicyAssignments.parameters.example.json -parTopLevelManagementGroupPrefix $(ManagementGroupPrefix) -parLogAnalyticsWorkSpaceAndAutomationAccountLocation $(Location) -parLogAnalyticsWorkspaceResourceID "/subscriptions/$(subscriptionId)/resourceGroups/$(ResourceGroupName)/providers/Microsoft.OperationalInsights/workspaces/alz-log-analytics" -parDdosProtectionPlanId "/subscriptions/$(subscriptionId)/resourceGroups/$(ResourceGroupName)/providers/Microsoft.Network/ddosProtectionPlans/alz-ddos-plan"' + ScriptArguments: '-ManagementGroupId "$(ManagementGroupPrefix)-platform" -parLocation $(Location) -templateFile ./infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep -parameterFile .\infra-as-code\bicep\modules\policy\assignments\alzDefaults\parameters\alzDefaultPolicyAssignments.parameters.min.json -parTopLevelManagementGroupPrefix $(ManagementGroupPrefix) -parLogAnalyticsWorkSpaceAndAutomationAccountLocation $(Location) -parLogAnalyticsWorkspaceResourceId "/subscriptions/$(subscriptionId)/resourceGroups/$(ResourceGroupName)/providers/Microsoft.OperationalInsights/workspaces/alz-log-analytics" -parDdosProtectionPlanId "/subscriptions/$(subscriptionId)/resourceGroups/$(ResourceGroupName)/providers/Microsoft.Network/ddosProtectionPlans/alz-ddos-plan"' azurePowerShellVersion: 'LatestVersion' pwsh: true 
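Review bot: The new `-parameterFile` value still uses a Windows-style path (`.\infra-as-code\...\parameters\alzDefaultPolicyAssignments.parameters.min.json`), while `-templateFile` in the same `ScriptArguments` string uses `./infra-as-code/...`. The task runs with `pwsh: true`, and on a non-Windows agent a backslash path may not resolve, depending on how Set-AlzDefaultPolicyAssignment.ps1 consumes it (the script is not part of this hunk). The rest of this commit moves the README examples to forward slashes, so I would write `-parameterFile ./infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.min.json` here as well.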
@@ -198,7 +198,7 @@ jobs: inputs: targetType: 'inline' script: | - az deployment group create --resource-group $(ResourceGroupName) --template-file infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep --parameters @infra-as-code/bicep/modules/hubNetworking/hubNetworking.parameters.example.json + az deployment group create --resource-group $(ResourceGroupName) --template-file infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep --parameters @infra-as-code/bicep/modules/hubNetworking/parameters/hubNetworking.parameters.min.json - task: Bash@3 displayName: Az CLI Deploy vWan Networking for PR @@ -207,7 +207,7 @@ jobs: inputs: targetType: 'inline' script: | - az deployment group create --resource-group $(ResourceGroupName) --template-file infra-as-code/bicep/modules/vwanConnectivity/vwanConnectivity.bicep --parameters @infra-as-code/bicep/modules/vwanConnectivity/vwanConnectivity.parameters.example.json + az deployment group create --resource-group $(ResourceGroupName) --template-file infra-as-code/bicep/modules/vwanConnectivity/vwanConnectivity.bicep --parameters @infra-as-code/bicep/modules/vwanConnectivity/parameters/vwanConnectivity.parameters.min.json - task: Bash@3 displayName: Az CLI Deploy Spoke Networking for PR @@ -216,7 +216,7 @@ jobs: inputs: targetType: 'inline' script: | - az deployment group create --resource-group $(ResourceGroupName) --template-file infra-as-code/bicep/modules/spokeNetworking/spokeNetworking.bicep + az deployment group create --resource-group $(ResourceGroupName) --template-file infra-as-code/bicep/modules/spokeNetworking/spokeNetworking.bicep --parameters @infra-as-code/bicep/modules/spokeNetworking/parameters/spokeNetworking.parameters.min.json - task: Bash@3 displayName: Az CLI Deploy vWan Network connection for PR 
@@ -225,7 +225,7 @@ jobs: inputs: targetType: 'inline' script: | - az deployment sub create --location $(Location) --template-file infra-as-code/bicep/modules/vnetPeeringVwan/vnetPeeringVwan.bicep --parameters @infra-as-code/bicep/modules/vnetPeeringVwan/vnetPeeringVwan.parameters.example.json parVirtualHubResourceId="/subscriptions/$(subscriptionId)/resourceGroups/$(ResourceGroupName)/providers/Microsoft.Network/virtualHubs/alz-vhub-$(Location)" parRemoteVirtualNetworkResourceId="/subscriptions/$(subscriptionId)/resourceGroups/$(ResourceGroupName)/providers/Microsoft.Network/virtualNetworks/vnet-spoke" + az deployment sub create --location $(Location) --template-file infra-as-code/bicep/modules/vnetPeeringVwan/vnetPeeringVwan.bicep --parameters @infra-as-code/bicep/modules/vnetPeeringVwan/parameters/vnetPeeringVwan.parameters.min.json parVirtualWanHubResourceId="/subscriptions/$(subscriptionId)/resourceGroups/$(ResourceGroupName)/providers/Microsoft.Network/virtualHubs/alz-vhub-$(Location)" parRemoteVirtualNetworkResourceId="/subscriptions/$(subscriptionId)/resourceGroups/$(ResourceGroupName)/providers/Microsoft.Network/virtualNetworks/vnet-spoke" - task: Bash@3 displayName: Az CLI Deploy vNet Peer for PR spoke to hub 
@@ -234,7 +234,7 @@ jobs: inputs: targetType: 'inline' script: | - az deployment group create --resource-group $(ResourceGroupName) --template-file infra-as-code/bicep/modules/vnetPeering/vnetPeering.bicep --parameters @infra-as-code/bicep/modules/vnetPeering/vnetPeering.parameters.example.json parDestinationVirtualNetworkId="/subscriptions/$(subscriptionId)/resourceGroups/$(ResourceGroupName)/providers/Microsoft.Network/virtualNetworks/alz-hub-eastus" + az deployment group create --resource-group $(ResourceGroupName) --template-file infra-as-code/bicep/modules/vnetPeering/vnetPeering.bicep --parameters @infra-as-code/bicep/modules/vnetPeering/parameters/vnetPeering.parameters.min.json parDestinationVirtualNetworkId="/subscriptions/$(subscriptionId)/resourceGroups/$(ResourceGroupName)/providers/Microsoft.Network/virtualNetworks/alz-hub-eastus" - task: Bash@3 displayName: Az CLI Deploy vNet Peer for PR hub to spoke 
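Review bot: The hub VNet name `alz-hub-eastus` is hard-coded in `parDestinationVirtualNetworkId` here and in `parSourceVirtualNetworkName` in the next hunk (hub to spoke), while the vWAN connection step builds its hub name as `alz-vhub-$(Location)`. If the hub VNet name is derived from the deployment location, which the hubNetworking parameter file outside this diff would confirm, these two steps only work when `$(Location)` is `eastus`. Writing `alz-hub-$(Location)` in both places would keep the peering steps consistent with the rest of the job.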
@@ -243,7 +243,7 @@ jobs: inputs: targetType: 'inline' script: | - az deployment group create --resource-group $(ResourceGroupName) --template-file infra-as-code/bicep/modules/vnetPeering/vnetPeering.bicep --parameters @infra-as-code/bicep/modules/vnetPeering/vnetPeering.parameters.example.json parDestinationVirtualNetworkId="/subscriptions/$(subscriptionId)/resourceGroups/$(ResourceGroupName)/providers/Microsoft.Network/virtualNetworks/vnet-spoke" parSourceVirtualNetworkName="alz-hub-eastus" parDestinationVirtualNetworkName="vnet-spoke" + az deployment group create --resource-group $(ResourceGroupName) --template-file infra-as-code/bicep/modules/vnetPeering/vnetPeering.bicep --parameters @infra-as-code/bicep/modules/vnetPeering/parameters/vnetPeering.parameters.min.json parDestinationVirtualNetworkId="/subscriptions/$(subscriptionId)/resourceGroups/$(ResourceGroupName)/providers/Microsoft.Network/virtualNetworks/vnet-spoke" parSourceVirtualNetworkName="alz-hub-eastus" parDestinationVirtualNetworkName="vnet-spoke" - job: bicep_cleanup dependsOn: bicep_deploy