From 1f707ad9668c12a0b895dead1e41bc516bbf9fcd Mon Sep 17 00:00:00 2001
From: Sacha Narinx
Date: Thu, 3 Oct 2024 16:51:57 +0400
Subject: [PATCH 001/226] Add checkbox for deploying Azure Virtual Network Manager
---
 eslzArm/eslz-portal.json | 5 +
 .../avnmConfiguration.json | 139 ++++++++++++++++++
 2 files changed, 144 insertions(+)
 create mode 100644 eslzArm/subscriptionTemplates/avnmConfiguration.json
diff --git a/eslzArm/eslz-portal.json b/eslzArm/eslz-portal.json
index da822df35c..e5000a3ae2 100644
--- a/eslzArm/eslz-portal.json
+++ b/eslzArm/eslz-portal.json
@@ -1388,6 +1388,11 @@
 },
 "visible": true
 },
+ {
+ "name": "deployAVNM",
+ "type": "Microsoft.Common.CheckBox",
+ "label": "Deploy Azure Virtual Network Manager."
+ },
 {
 "name": "esNwNVANote",
 "type": "Microsoft.Common.InfoBox",
diff --git a/eslzArm/subscriptionTemplates/avnmConfiguration.json b/eslzArm/subscriptionTemplates/avnmConfiguration.json
new file mode 100644
index 0000000000..a88d277989
--- /dev/null
+++ b/eslzArm/subscriptionTemplates/avnmConfiguration.json
@@ -0,0 +1,139 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "type": "string",
+ "maxLength": 10,
+ "metadata": {
+ "description": "Provide a prefix (max 10 characters, unique at tenant-scope) for the Management Group hierarchy and other resources created as part of Enterprise-scale."
+ }
+ },
+ "resourceGroupName": {
+ "type": "string",
+ "defaultValue": "[concat(parameters('topLevelManagementGroupPrefix'), '-avnm-rg')]"
+ },
+ "location": {
+ "type": "string",
+ "metadata": {
+ "displayName": "location",
+ "description": "Location of the HUB"
+ },
+ "defaultValue": "[deployment().location]"
+ },
+ "connectivitySubscriptionId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Provide the subscription id for the dedicated connectivity subscription."
+ }
+ },
+ "managementGrounpScopeId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Provide the management group scope id for the dedicated connectivity subscription."
+ }
+ },
+ "enableHub": {
+ "type": "string",
+ "allowedValues": [
+ "vhub",
+ "No"
+ ],
+ "defaultValue": "No",
+ "metadata": {
+ "description": "Select whether the virtual network hub should be deployed or not."
+ }
+ },
+ "connectivityTopology": {
+ "type": "string",
+ "defaultValue": "hubAndSpoke",
+ "allowedValues": [
+ "mesh",
+ "hubAndSpoke",
+ "meshWithHubAndSpoke"
+ ],
+ "metadata": {
+ "description": "Defines how spokes will connect to each other and how spokes will connect the hub. Valid values: \"mesh\", \"hubAndSpoke\", \"meshWithHubAndSpoke\"; default value: \"meshWithHubAndSpoke\""
+ }
+ },
+ "networkGroupMembershipType": {
+ "type": "string",
+ "defaultValue": "static",
+ "allowedValues": [
+ "static",
+ "dynamic"
+ ],
+ "metadata": {
+ "description": "Connectivity group membership type. 
Valid values: \"static\", \"dynamic\"; default: \"static\""
+ }
+ }
+ },
+ "variables": {
+ "rgName": "[parameters('resourceGroupName')]",
+ "resourceDeploymentName": "[concat('alz-', parameters('resourceGroupName'), '-avnm')]",
+ "avnmName": "[concat(parameters('topLevelManagementGroupPrefix'), '-avnm')]"
+ },
+ "resources": [
+ {
+ // Conditionally deploy avnm
+ "condition": "[and(equals(parameters('enableHub'), 'vhub'), not(empty(parameters('connectivitySubscriptionId'))))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "location": "[parameters('location')]",
+ "name": "[concat('alz-', parameters('location'), '-', substring(uniqueString(parameters('connectivitySubscriptionId')),0,6), '-connectivityAVNM')]",
+ "subscriptionId": "[parameters('connectivitySubscriptionId')]",
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {},
+ "resources": [
+ {
+ "type": "Microsoft.Resources/resourceGroups",
+ "apiVersion": "2019-10-01",
+ "location": "[parameters('location')]",
+ "name": "[variables('rgName')]",
+ "properties": {}
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "[variables('resourceDeploymentName')]",
+ "resourceGroup": "[variables('rgName')]",
+ "dependsOn": [
+ "[concat('Microsoft.Resources/resourceGroups/', variables('rgName'))]"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {},
+ "resources": [
+ {
+ "name": "[variables('avnmName')]",
+ "type": "Microsoft.Network/networkManagers",
+ "apiVersion": "2023-11-01",
+ "location": "[parameters('location')]",
+ "properties": {
+ "networkManagerScopeAccesses": [ "SecurityAdmin" ],
+ "networkManagerScopes": {
+ 
"managementGroups": "[parameters('managementGrounpScopeId')]",
+ "subscriptions": []
+ }
+ }
+ }
+ ]
+ }
+ }
+ }
+ ]
+ }
+ }
+ }
+ ],
+ "outputs": {}
+}
\ No newline at end of file
From 4d488e08408cdb5a7ba0c9f9ea2f8750291b88ee Mon Sep 17 00:00:00 2001
From: Sacha Narinx
Date: Thu, 3 Oct 2024 17:07:55 +0400
Subject: [PATCH 002/226] Update Azure Virtual Network Manager deployment checkbox label
---
 eslzArm/eslz-portal.json | 3 +-
 eslzArm/eslzArm.json | 53 +++++++++++++++++++
 .../avnmConfiguration.json | 2 +-
 3 files changed, 56 insertions(+), 2 deletions(-)
diff --git a/eslzArm/eslz-portal.json b/eslzArm/eslz-portal.json
index e5000a3ae2..8b06c470de 100644
--- a/eslzArm/eslz-portal.json
+++ b/eslzArm/eslz-portal.json
@@ -1391,7 +1391,7 @@
 {
 "name": "deployAVNM",
 "type": "Microsoft.Common.CheckBox",
- "label": "Deploy Azure Virtual Network Manager."
+ "label": "Deploy Azure Virtual Network Manager"
 },
 {
 "name": "esNwNVANote",
@@ -9323,6 +9323,7 @@
 "erRegionalOrAz": "[steps('connectivity').erRegionalOrAz]",
 "expressRouteScaleUnit": "[steps('connectivity').expressRouteScaleUnit]",
 "enableHub": "[steps('connectivity').enableHub]",
+ "deployAVNM": "[steps('connectivity').deployAVNM]",
 "enableAzFw": "[steps('connectivity').enableAzFw]",
 "enableAzFwDnsProxy": "[if(equals(steps('connectivity').firewallSku, 'Basic'), 'No', steps('connectivity').enableAzFwDnsProxy)]",
 "firewallSku": "[steps('connectivity').firewallSku]",
diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json
index 0f8b64a859..d6dbe883c1 100644
--- a/eslzArm/eslzArm.json
+++ b/eslzArm/eslzArm.json
@@ -363,6 +363,14 @@
 "type": "string",
 "defaultValue": "[deployment().location]"
 },
+ "deployAVNM": {
+ "type": "bool",
+ "defaultValue": false,
+ "allowedValues": [
+ true,
+ false
+ ]
+ },
 "enableDdoS": {
 "type": "string",
 "defaultValue": "No",
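Review bot: `"managementGroups": "[parameters('managementGrounpScopeId')]"` assigns a single string where the sibling `"subscriptions": []` shows that `networkManagerScopes` entries are lists, so the expression should be wrapped, `"managementGroups": "[createArray(parameters('managementGrounpScopeId'))]"`, and the parameter name carries a typo (`Grounp`) that every caller now has to reproduce. `connectivityTopology` and `networkGroupMembershipType` are declared but no resource in the file reads them, and the former's description states a default of `meshWithHubAndSpoke` while its `defaultValue` is `hubAndSpoke`. The network manager is created with `networkManagerScopeAccesses: [ "SecurityAdmin" ]` over whatever management group is passed in; a `metadata.description` on that resource stating that security-admin rules from this manager apply to every virtual network under that scope would make the privilege visible to whoever sets the scope.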
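Review bot: The `deployAVNM` parameter added to eslzArm.json carries `allowedValues: [ true, false ]`, which is redundant on a `bool`, and no `metadata.description`, unlike the documented string parameters around it. Suggest dropping `allowedValues` and adding `"metadata": { "description": "When true, deploys Azure Virtual Network Manager into the connectivity subscription." }`.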
@@ -1666,6 +1674,7 @@
 "roleDefinitions": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/roleDefinitions/customRoleDefinitions.json')]",
 "policyDefinitions": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyDefinitions/policies.json')]",
 "initiativeDefinitions": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyDefinitions/initiatives.json')]",
+ "avnmConnectivityHub": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/avnmConfiguration.json')]",
 "vnetConnectivityHub": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/hubspoke-connectivity.json')]",
 "vwanConnectivityHub": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/vwan-connectivity.json')]",
 "nvaConnectivityHub": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/nvahubspoke-connectivity.json')]",
@@ -1801,6 +1810,7 @@
 "atpOssDbPolicyDeploymentName": "[take(concat('alz-AtpOssDb', variables('deploymentSuffix')), 64)]",
 "atpSqlDbPolicyDeploymentName": "[take(concat('alz-AtpSqlDb', variables('deploymentSuffix')), 64)]",
 "ascGovPolicyDeploymentName": "[take(concat('alz-Gov-ASC', variables('deploymentSuffix')), 64)]",
+ "avnmConnectivityHubDeploymentName": "[take(concat('alz-AVNM', variables('deploymentSuffix')), 64)]",
 "vnetConnectivityHubDeploymentName": "[take(concat('alz-HubSpoke', variables('deploymentSuffix')), 64)]",
 "vwanConnectivityHubDeploymentName": "[take(concat('alz-VWanHub', variables('deploymentSuffix')), 64)]",
 "vnetConnectivityHub2DeploymentName": "[take(concat('alz-HubSpoke2', variables('deploymentSuffix')), 64)]",
@@ -5100,6 +5110,49 @@
 }
 }
 },
+ {
+ // Creating the virtual network hub (hub and spoke)
+ "condition": "[and(not(empty(parameters('connectivitySubscriptionId'))), parameters('deployAVNM'))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "scope": "[variables('scopes').connectivityManagementGroup]",
+ "name": "[variables('deploymentNames').avnmConnectivityHubDeploymentName]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').connectivitySubscriptionPlacement)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').asbPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosDeploymentName)]"
+ ],
+ "location": "[deployment().location]",
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').avnmConnectivityHub]"
+ },
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "value": "[parameters('enterpriseScaleCompanyPrefix')]"
+ },
+ "enableHub": {
+ "value": "vhub" //[parameters('enableHub')]
+ },
+ "location": {
+ "value": "[parameters('connectivityLocation')]"
+ },
+ "connectivitySubscriptionId": {
+ "value": "[parameters('connectivitySubscriptionId')]"
+ },
+ "managementGrounpScopeId": {
+ "value": "[variables('scopes').eslzRootManagementGroup]"
+ }
+
+ }
+ }
+ },
 {
 // Creating resource group for Private DNS Zones
 "condition": "[and(equals(parameters('enablePrivateDnsZones'), 
'Yes'), not(empty(parameters('connectivitySubscriptionId'))))]",
diff --git a/eslzArm/subscriptionTemplates/avnmConfiguration.json b/eslzArm/subscriptionTemplates/avnmConfiguration.json
index a88d277989..e1effe645e 100644
--- a/eslzArm/subscriptionTemplates/avnmConfiguration.json
+++ b/eslzArm/subscriptionTemplates/avnmConfiguration.json
@@ -60,7 +60,7 @@
 },
 "networkGroupMembershipType": {
 "type": "string",
- "defaultValue": "static",
+ "defaultValue": "dynamic",
 "allowedValues": [
 "static",
 "dynamic"
From 913230a7dab7581b1bd1b00efb4280d2c3b4c413 Mon Sep 17 00:00:00 2001
From: Sacha Narinx
Date: Thu, 3 Oct 2024 18:02:34 +0400
Subject: [PATCH 003/226] Update Azure Virtual Network Manager deployment checkbox label and visibility
---
 eslzArm/eslz-portal.json | 3 ++-
 eslzArm/eslzArm.json | 2 +-
 eslzArm/subscriptionTemplates/avnmConfiguration.json | 2 +-
 3 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/eslzArm/eslz-portal.json b/eslzArm/eslz-portal.json
index 8b06c470de..fe8ce215e1 100644
--- a/eslzArm/eslz-portal.json
+++ b/eslzArm/eslz-portal.json
@@ -1391,7 +1391,8 @@
 {
 "name": "deployAVNM",
 "type": "Microsoft.Common.CheckBox",
- "label": "Deploy Azure Virtual Network Manager"
+ "label": "Deploy Azure Virtual Network Manager",
+ "visible": "[equals(steps('connectivity').enableHub, 'vhub')]"
 },
 {
 "name": "esNwNVANote",
diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json
index d6dbe883c1..81ec8b5db1 100644
--- a/eslzArm/eslzArm.json
+++ b/eslzArm/eslzArm.json
@@ -5111,7 +5111,7 @@
 }
 },
 {
- // Creating the virtual network hub (hub and spoke)
+ // Deploy AVNM (hub and spoke)
 "condition": "[and(not(empty(parameters('connectivitySubscriptionId'))), parameters('deployAVNM'))]",
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2020-10-01",
diff --git a/eslzArm/subscriptionTemplates/avnmConfiguration.json b/eslzArm/subscriptionTemplates/avnmConfiguration.json
index e1effe645e..ae766426f6 100644
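Review bot: The new deployment's `condition` checks only `connectivitySubscriptionId` and `deployAVNM`, and `enableHub` is passed as the literal `"vhub"` with the real expression left behind in a trailing `//[parameters('enableHub')]` comment, so the nested template's own `equals(parameters('enableHub'), 'vhub')` guard is always satisfied and a parameter-file deployment that picks a vWAN or NVA hub with `deployAVNM: true` still creates the manager. Suggest `"condition": "[and(equals(parameters('enableHub'), 'vhub'), not(empty(parameters('connectivitySubscriptionId'))), parameters('deployAVNM'))]"` together with `"value": "[parameters('enableHub')]"`. `managementGrounpScopeId` is set to `variables('scopes').eslzRootManagementGroup`, so the manager that the nested template creates with `SecurityAdmin` access is presumably scoped to the whole management-group hierarchy; that is the widest reach security-admin rules can have and deserves a line in the resource comment, which currently reads `// Creating the virtual network hub (hub and spoke)` and describes a different resource. The enclosing `resources` array continues outside the hunk.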
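Review bot: `networkGroupMembershipType` now defaults to `"dynamic"`, but its `metadata.description` a few lines below the hunk still reads `default: \"static\"`. Update it to `default: \"dynamic\"`, or drop the parameter altogether since nothing in the template reads it.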
--- a/eslzArm/subscriptionTemplates/avnmConfiguration.json
+++ b/eslzArm/subscriptionTemplates/avnmConfiguration.json
@@ -121,7 +121,7 @@
 "properties": {
 "networkManagerScopeAccesses": [ "SecurityAdmin" ],
 "networkManagerScopes": {
- "managementGroups": "[parameters('managementGrounpScopeId')]",
+ "managementGroups": [],
 "subscriptions": []
 }
 }
From 39eab3fa6d5522806ff2745f1926a5bb608d5f83 Mon Sep 17 00:00:00 2001
From: Sacha Narinx
Date: Fri, 4 Oct 2024 17:19:15 +0400
Subject: [PATCH 004/226] Update Azure Virtual Network Manager deployment checkbox label and visibility
---
 eslzArm/eslzArm.json | 8 +-
 .../avnmConfiguration.json | 148 ++++++++----------
 2 files changed, 65 insertions(+), 91 deletions(-)
diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json
index 81ec8b5db1..669be4f4d2 100644
--- a/eslzArm/eslzArm.json
+++ b/eslzArm/eslzArm.json
@@ -5138,18 +5138,14 @@
 "value": "[parameters('enterpriseScaleCompanyPrefix')]"
 },
 "enableHub": {
- "value": "vhub" //[parameters('enableHub')]
+ "value": "[parameters('enableHub')]"
 },
 "location": {
- "value": "[parameters('connectivityLocation')]"
+ "value": "[deployment().location]"
 },
 "connectivitySubscriptionId": {
 "value": "[parameters('connectivitySubscriptionId')]"
- },
- "managementGrounpScopeId": {
- "value": "[variables('scopes').eslzRootManagementGroup]"
 }
-
 }
 }
 },
diff --git a/eslzArm/subscriptionTemplates/avnmConfiguration.json b/eslzArm/subscriptionTemplates/avnmConfiguration.json
index ae766426f6..ac763496fd 100644
--- a/eslzArm/subscriptionTemplates/avnmConfiguration.json
+++ b/eslzArm/subscriptionTemplates/avnmConfiguration.json
@@ -1,5 +1,5 @@
 {
- "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
+ "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
 "contentVersion": "1.0.0.0",
 "parameters": {
 "topLevelManagementGroupPrefix": {
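Review bot: With `"managementGroups": []` next to `"subscriptions": []`, the network manager is created with no scope at all, and `managementGrounpScopeId`, still declared in this template and still passed from eslzArm.json, is no longer read anywhere. If scoping is being deferred deliberately, say so in a comment on the resource; otherwise keep the parameter in the list, `"managementGroups": "[createArray(parameters('managementGrounpScopeId'))]"`.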
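Review bot: `location` is now `deployment().location`, the location of the management-group deployment itself, rather than `parameters('connectivityLocation')`; the nested template in the second file of this patch derives its resource-group name from this value (`-vnethub-<location>`), so the manager may end up in a different region, and a differently named group, than the connectivity hub. If the switch is intentional, a comment on the line explaining why the hub region is no longer used would help; the enclosing deployment resource starts outside the hunk.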
@@ -9,10 +9,6 @@
 "description": "Provide a prefix (max 10 characters, unique at tenant-scope) for the Management Group hierarchy and other resources created as part of Enterprise-scale."
 }
 },
- "resourceGroupName": {
- "type": "string",
- "defaultValue": "[concat(parameters('topLevelManagementGroupPrefix'), '-avnm-rg')]"
- },
 "location": {
 "type": "string",
 "metadata": {
@@ -28,13 +24,6 @@
 "description": "Provide the subscription id for the dedicated connectivity subscription."
 }
 },
- "managementGrounpScopeId": {
- "type": "string",
- "defaultValue": "",
- "metadata": {
- "description": "Provide the management group scope id for the dedicated connectivity subscription."
- }
- },
 "enableHub": {
 "type": "string",
 "allowedValues": [
@@ -45,92 +34,81 @@
 "metadata": {
 "description": "Select whether the virtual network hub should be deployed or not."
 }
- },
- "connectivityTopology": {
- "type": "string",
- "defaultValue": "hubAndSpoke",
- "allowedValues": [
- "mesh",
- "hubAndSpoke",
- "meshWithHubAndSpoke"
- ],
- "metadata": {
- "description": "Defines how spokes will connect to each other and how spokes will connect the hub. Valid values: \"mesh\", \"hubAndSpoke\", \"meshWithHubAndSpoke\"; default value: \"meshWithHubAndSpoke\""
- }
- },
- "networkGroupMembershipType": {
- "type": "string",
- "defaultValue": "dynamic",
- "allowedValues": [
- "static",
- "dynamic"
- ],
- "metadata": {
- "description": "Connectivity group membership type. Valid values: \"static\", \"dynamic\"; default: \"static\""
- }
 }
 },
 "variables": {
- "rgName": "[parameters('resourceGroupName')]",
- "resourceDeploymentName": "[concat('alz-', parameters('resourceGroupName'), '-avnm')]",
- "avnmName": "[concat(parameters('topLevelManagementGroupPrefix'), '-avnm')]"
+ "rgName": "[concat(parameters('topLevelManagementGroupPrefix'), '-vnethub-', parameters('location'))]"
 },
 "resources": [
 {
 // Conditionally deploy avnm
 "condition": "[and(equals(parameters('enableHub'), 'vhub'), not(empty(parameters('connectivitySubscriptionId'))))]",
 "type": "Microsoft.Resources/deployments",
- "apiVersion": "2019-10-01",
- "location": "[parameters('location')]",
- "name": "[concat('alz-', parameters('location'), '-', substring(uniqueString(parameters('connectivitySubscriptionId')),0,6), '-connectivityAVNM')]",
- "subscriptionId": "[parameters('connectivitySubscriptionId')]",
+ "apiVersion": "2022-09-01",
+ "name": "avnm",
+ "resourceGroup": "[variables('rgName')]",
 "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
 "mode": "Incremental",
+ "parameters": {
+ "location": {
+ "value": "[parameters('location')]"
+ }
+ },
 "template": {
- "$schema": 
"https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {},
- "resources": [
- {
- "type": "Microsoft.Resources/resourceGroups",
- "apiVersion": "2019-10-01",
- "location": "[parameters('location')]",
- "name": "[variables('rgName')]",
- "properties": {}
- },
- {
- "type": "Microsoft.Resources/deployments",
- "apiVersion": "2019-10-01",
- "name": "[variables('resourceDeploymentName')]",
- "resourceGroup": "[variables('rgName')]",
- "dependsOn": [
- "[concat('Microsoft.Resources/resourceGroups/', variables('rgName'))]"
- ],
- "properties": {
- "mode": "Incremental",
- "template": {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {},
- "resources": [
- {
- "name": "[variables('avnmName')]",
- "type": "Microsoft.Network/networkManagers",
- "apiVersion": "2023-11-01",
- "location": "[parameters('location')]",
- "properties": {
- "networkManagerScopeAccesses": [ "SecurityAdmin" ],
- "networkManagerScopes": {
- "managementGroups": [],
- "subscriptions": []
- }
- }
- }
- ]
- }
- }
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {},
+ "parameters": {
+ "location": {
+ "type": "string"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Network/networkManagers",
+ "apiVersion": "2022-09-01",
+ "name": "[format('avnm-{0}', parameters('location'))]",
+ "location": "[parameters('location')]",
+ "properties": {
+ "networkManagerScopeAccesses": [
+ "SecurityAdmin"
+ ],
+ "networkManagerScopes": {
+ "subscriptions": [
+ "[format('/subscriptions/{0}', subscription().subscriptionId)]"
+ ],
+ "managementGroups": []
 }
- ]
+ },
+ "metadata": {
+ "description": "This is the Azure Virtual Network Manager which will be used to implement the connected group for spoke-to-spoke connectivity." 
+ }
+ },
+ {
+ "type": "Microsoft.Network/networkManagers/networkGroups",
+ "apiVersion": "2022-09-01",
+ "name": "[format('{0}/{1}', format('avnm-{0}', parameters('location')), format('ng-{0}-static', parameters('location')))]",
+ "properties": {
+ "description": "Network Group - Static"
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Network/networkManagers', format('avnm-{0}', parameters('location')))]"
+ ],
+ "metadata": {
+ "description": "This is the static network group for the spoke VNETs, and hub when topology is mesh."
+ }
+ }
+ ],
+ "outputs": {
+ "networkManagerName": {
+ "type": "string",
+ "value": "[format('avnm-{0}', parameters('location'))]"
+ }
+ }
 }
 }
 }
From d05e1435024a2ef08a2c9714c29c3c1e9cec1b25 Mon Sep 17 00:00:00 2001
From: Sacha Narinx
Date: Fri, 4 Oct 2024 17:25:12 +0400
Subject: [PATCH 005/226] Update Azure Virtual Network Manager deployment to include VNet Connectivity Hub deployment
---
 eslzArm/eslzArm.json | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json
index 669be4f4d2..1372d34ac7 100644
--- a/eslzArm/eslzArm.json
+++ b/eslzArm/eslzArm.json
@@ -4917,7 +4917,8 @@
 "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').asbPolicyDeploymentName)]",
 "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]",
 "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]",
- "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosDeploymentName)]"
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHubDeploymentName)]"
 ],
 "location": "[deployment().location]",
 "properties": {
From 4f2578f5da4d9b1df4f4da0536d51edc4945a04a Mon Sep 17 00:00:00 2001
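Review bot: The nested deployment now targets `"resourceGroup": "[variables('rgName')]"`, but the rewritten template no longer declares a `Microsoft.Resources/resourceGroups` resource, so it presupposes that `<prefix>-vnethub-<location>` already exists, presumably created by the hub template; that assumption should be stated in a comment on the resource, and the fixed `"name": "avnm"` is no longer unique per subscription the way the removed `concat('alz-', ..., uniqueString(...))` name was. The `ng-<location>-static` network group is created with a description but no members, and nothing in the template references it, so a `metadata.description` saying who is expected to populate it would help. `subscription().subscriptionId` inside the `"scope": "inner"` template resolves to the nested deployment's own subscription, which is what the scope list needs here.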
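Review bot: The hunk at old line 4917 sits roughly 200 lines above the AVNM deployment that patch 002 inserted at line 5110, so this `dependsOn` on `vnetConnectivityHubDeploymentName` appears to have landed in a different deployment resource than the one the subject names; the enclosing resource starts outside the hunk, so please confirm which deployment this is. If it is the intended one, a comment on the added line such as `// the manager is placed in the hub resource group, which this deployment creates` would record why the dependency exists.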
From: Sacha Narinx
Date: Fri, 4 Oct 2024 18:10:12 +0400
Subject: [PATCH 006/226] .
---
 eslzArm/subscriptionTemplates/avnmConfiguration.json | 1 +
 1 file changed, 1 insertion(+)
diff --git a/eslzArm/subscriptionTemplates/avnmConfiguration.json b/eslzArm/subscriptionTemplates/avnmConfiguration.json
index ac763496fd..d5b7368336 100644
--- a/eslzArm/subscriptionTemplates/avnmConfiguration.json
+++ b/eslzArm/subscriptionTemplates/avnmConfiguration.json
@@ -47,6 +47,7 @@
 "apiVersion": "2022-09-01",
 "name": "avnm",
 "resourceGroup": "[variables('rgName')]",
+ "location": "[parameters('location')]",
 "properties": {
 "expressionEvaluationOptions": {
 "scope": "inner"
From 3eb19c3d429e36a7d1e6903f686f5eea248abddb Mon Sep 17 00:00:00 2001
From: Sacha Narinx
Date: Fri, 4 Oct 2024 18:30:15 +0400
Subject: [PATCH 007/226] .
---
 eslzArm/eslzArm.json | 3 ++
 .../avnmConfiguration.json | 29 ++++++++++++++-----
 2 files changed, 25 insertions(+), 7 deletions(-)
diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json
index 1372d34ac7..ca56223059 100644
--- a/eslzArm/eslzArm.json
+++ b/eslzArm/eslzArm.json
@@ -5146,6 +5146,9 @@
 },
 "connectivitySubscriptionId": {
 "value": "[parameters('connectivitySubscriptionId')]"
+ },
+ "managementGroupScope": {
+ "value": "[variables('scopes').eslzRootManagementGroup]"
 }
 }
 }
diff --git a/eslzArm/subscriptionTemplates/avnmConfiguration.json b/eslzArm/subscriptionTemplates/avnmConfiguration.json
index d5b7368336..78a8f6cca0 100644
--- a/eslzArm/subscriptionTemplates/avnmConfiguration.json
+++ b/eslzArm/subscriptionTemplates/avnmConfiguration.json
@@ -34,6 +34,13 @@
 "metadata": {
 "description": "Select whether the virtual network hub should be deployed or not."
 }
+ },
+ "managementGroupScope": {
+ "type": "string",
+ "defaultValue": "/providers/Microsoft.Management/managementGroups/contoso",
+ "metadata": {
+ "description": "Management group scope for AVNM."
+ }
 }
 },
 "variables": {
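Review bot: `managementGroupScope` defaults to `/providers/Microsoft.Management/managementGroups/contoso`, a sample tenant's management group, so any caller that omits the parameter scopes a `SecurityAdmin`-capable network manager at a management group that does not exist in its tenant. Prefer no default (or `""` guarded where it is consumed), and expand the description to state what is being granted, e.g. `"description": "Resource ID of the management group the network manager is scoped to; security-admin rules from this manager apply to every virtual network under it."`.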
@@ -54,9 +61,12 @@
 },
 "mode": "Incremental",
 "parameters": {
- "location": {
- "value": "[parameters('location')]"
- }
+ "location": {
+ "value": "[parameters('location')]"
+ },
+ "mgmtScope": {
+ "value": "[parameters('managementGroupScope')]"
+ }
 },
 "template": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
@@ -64,7 +74,10 @@
 "metadata": {},
 "parameters": {
 "location": {
- "type": "string"
+ "type": "string"
+ },
+ "mgmtScope": {
+ "type": "string"
 }
 },
 "variables": {},
@@ -79,10 +92,12 @@
 "SecurityAdmin"
 ],
 "networkManagerScopes": {
- "subscriptions": [
- "[format('/subscriptions/{0}', subscription().subscriptionId)]"
+ "subscriptions": [
+ "[format('/subscriptions/{0}', subscription().subscriptionId)]"
 ],
- "managementGroups": []
+ "managementGroups": [
+ "[parameters('mgmtScope')]"
+ ]
 }
 },
 "metadata": {
From 7758a7e07b457faaf6f352de10fb6da7a0325086 Mon Sep 17 00:00:00 2001
From: Sacha Narinx
Date: Fri, 4 Oct 2024 18:34:59 +0400
Subject: [PATCH 008/226] .
---
 eslzArm/subscriptionTemplates/avnmConfiguration.json | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/eslzArm/subscriptionTemplates/avnmConfiguration.json b/eslzArm/subscriptionTemplates/avnmConfiguration.json
index 78a8f6cca0..7829f438d3 100644
--- a/eslzArm/subscriptionTemplates/avnmConfiguration.json
+++ b/eslzArm/subscriptionTemplates/avnmConfiguration.json
@@ -47,6 +47,12 @@
 "rgName": "[concat(parameters('topLevelManagementGroupPrefix'), '-vnethub-', parameters('location'))]"
 },
 "resources": [
+ {
+ "type": "Microsoft.Resources/resourceGroups",
+ "apiVersion": "2022-09-01",
+ "name": "[variables('rgName')]",
+ "location": "[parameters('location')]"
+ },
 {
 // Conditionally deploy avnm
 "condition": "[and(equals(parameters('enableHub'), 'vhub'), not(empty(parameters('connectivitySubscriptionId'))))]",
From fc9e01ad1b7070e1f4f923d9d53a4464e4f92eeb Mon Sep 17 00:00:00 2001
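Review bot: The scope list in the `@@ -79,10 +92,12 @@` hunk now carries both the deploying subscription (`subscription().subscriptionId`) and the management group passed in as `mgmtScope`, which eslzArm.json sets to the root management group; the connectivity subscription is presumably a descendant of that group, so the subscription entry is redundant at best, and I am not certain the service accepts a subscription listed alongside a management group that already contains it. Suggest keeping a single scope entry, and naming the inner parameter `managementGroupScope` as in the outer template rather than `mgmtScope`, so the two files read alike.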
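Review bot: The added `Microsoft.Resources/resourceGroups` resource is unconditional while the nested `avnm` deployment that targets `"resourceGroup": "[variables('rgName')]"` is conditional and declares no `dependsOn`, so ARM may start the nested deployment before the group exists. Add `"dependsOn": [ "[resourceId('Microsoft.Resources/resourceGroups', variables('rgName'))]" ]` to the deployment, and consider mirroring its `condition` on the resource group so an unused group is not created; the deployment resource continues outside the hunk.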
From: Sacha Narinx
Date: Fri, 4 Oct 2024 19:08:37 +0400
Subject: [PATCH 009/226] .
---
 eslzArm/subscriptionTemplates/avnmConfiguration.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/eslzArm/subscriptionTemplates/avnmConfiguration.json b/eslzArm/subscriptionTemplates/avnmConfiguration.json
index 7829f438d3..0647a47cc2 100644
--- a/eslzArm/subscriptionTemplates/avnmConfiguration.json
+++ b/eslzArm/subscriptionTemplates/avnmConfiguration.json
@@ -44,7 +44,7 @@
 }
 },
 "variables": {
- "rgName": "[concat(parameters('topLevelManagementGroupPrefix'), '-vnethub-', parameters('location'))]"
+ "rgName": "[concat(parameters('topLevelManagementGroupPrefix'), '-avnm-', parameters('location'))]"
 },
 "resources": [
 {
From d5ac3cd3ca70e9f5bf1e79984860a3c3f2fecff0 Mon Sep 17 00:00:00 2001
From: Sacha Narinx
Date: Fri, 4 Oct 2024 19:35:14 +0400
Subject: [PATCH 010/226] .
---
 .../avnmConfiguration.json | 23 +++++++++++--------
 1 file changed, 13 insertions(+), 10 deletions(-)
diff --git a/eslzArm/subscriptionTemplates/avnmConfiguration.json b/eslzArm/subscriptionTemplates/avnmConfiguration.json
index 0647a47cc2..22a86c43a8 100644
--- a/eslzArm/subscriptionTemplates/avnmConfiguration.json
+++ b/eslzArm/subscriptionTemplates/avnmConfiguration.json
@@ -1,5 +1,5 @@
 {
- "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
 "contentVersion": "1.0.0.0",
 "parameters": {
 "topLevelManagementGroupPrefix": {
@@ -47,19 +47,12 @@
 "rgName": "[concat(parameters('topLevelManagementGroupPrefix'), '-avnm-', parameters('location'))]"
 },
 "resources": [
- {
- "type": "Microsoft.Resources/resourceGroups",
- "apiVersion": "2022-09-01",
- "name": "[variables('rgName')]",
- "location": "[parameters('location')]"
- },
 {
 // Conditionally deploy avnm
 "condition": "[and(equals(parameters('enableHub'), 'vhub'), not(empty(parameters('connectivitySubscriptionId'))))]",
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2022-09-01",
 "name": "avnm",
- "resourceGroup": "[variables('rgName')]",
 "location": "[parameters('location')]",
 "properties": {
 "expressionEvaluationOptions": {
@@ -86,9 +79,19 @@
 "type": "string"
 }
 },
- "variables": {},
+ "variables":  {
+ "rgName": {
+ "type": "string"
+ }
+ },
 "resources": [
- {
+ {
+ "type": "Microsoft.Resources/resourceGroups",
+ "apiVersion": "2022-09-01",
+ "name": "[variables('rgName')]",
+ "location": "[parameters('location')]"
+ },
+ {
 "type": "Microsoft.Network/networkManagers",
 "apiVersion": "2022-09-01",
 "name": "[format('avnm-{0}', parameters('location'))]",
From f054bdeecfcf030c25b99db588743f1662553745 Mon Sep 17 00:00:00 2001
From: Sacha Narinx
Date: Fri, 4 Oct 2024 19:56:16 +0400
Subject: [PATCH 011/226] .
---
 eslzArm/subscriptionTemplates/avnmConfiguration.json | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/eslzArm/subscriptionTemplates/avnmConfiguration.json b/eslzArm/subscriptionTemplates/avnmConfiguration.json
index 22a86c43a8..b5836d0e4a 100644
--- a/eslzArm/subscriptionTemplates/avnmConfiguration.json
+++ b/eslzArm/subscriptionTemplates/avnmConfiguration.json
@@ -67,6 +67,11 @@
 "value": "[parameters('managementGroupScope')]"
 }
 },
+ "variables": {
+ "rgName": {
+ "value": "[variables('rgName')]"
+ }
+ },
 "template": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "1.0.0.0",
From 03335bd9292a8b6c0d7a96224dd45cc84a5ae071 Mon Sep 17 00:00:00 2001
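Review bot: In the `@@ -86,9 +79,19 @@` hunk the inner template's `variables` block declares `rgName` as `{ "type": "string" }`; ARM variables are plain values, so `variables('rgName')` would evaluate to that object and the resource group is never given a usable name. The `@@ -1,5 +1,5 @@` hunk moves the file to management-group scope while the `@@ -47,19 +47,12 @@` hunk removes `resourceGroup` from the nested deployment without adding `subscriptionId`, so the inner `Microsoft.Resources/resourceGroups` resource has no subscription to be created in, and the inner `$schema` is still the resource-group-level `deploymentTemplate.json#`. With `"scope": "inner"` the name has to come in through parameters: declare `"rgName": { "type": "string" }` under the inner `parameters` and pass `"rgName": { "value": "[variables('rgName')]" }` under the deployment's `properties.parameters`.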
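Review bot: `properties.variables` is not a member of a `Microsoft.Resources/deployments` resource, so this block is rejected or ignored and the inner template still receives no resource-group name. Values for an inner-scoped template go through `properties.parameters`; move `"rgName": { "value": "[variables('rgName')]" }` into the `parameters` object three lines above and declare `rgName` as a parameter in the inner template.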
From: Sacha Narinx
Date: Mon, 7 Oct 2024 11:53:11 +0400
Subject: [PATCH 012/226] .
---
 .../avnmConfiguration.json | 159 ++++++++----------
 1 file changed, 73 insertions(+), 86 deletions(-)
diff --git a/eslzArm/subscriptionTemplates/avnmConfiguration.json b/eslzArm/subscriptionTemplates/avnmConfiguration.json
index b5836d0e4a..6f6c883bfb 100644
--- a/eslzArm/subscriptionTemplates/avnmConfiguration.json
+++ b/eslzArm/subscriptionTemplates/avnmConfiguration.json
@@ -2,7 +2,7 @@
 "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
 "contentVersion": "1.0.0.0",
 "parameters": {
- "topLevelManagementGroupPrefix": {
+ "topLevelManagementGroupPrefix": {
 "type": "string",
 "maxLength": 10,
 "metadata": {
@@ -44,101 +44,88 @@
 }
 },
 "variables": {
- "rgName": "[concat(parameters('topLevelManagementGroupPrefix'), '-avnm-', parameters('location'))]"
+ "rgName": "[concat(parameters('topLevelManagementGroupPrefix'), '-avnm-', parameters('location'))]",
+ "resourceDeploymentName": "[take(concat(deployment().name, '-avnm', parameters('location')), 64)]"
 },
 "resources": [
 {
- // Conditionally deploy avnm
+ // Conditionally deploy virtual network hub
 "condition": "[and(equals(parameters('enableHub'), 'vhub'), not(empty(parameters('connectivitySubscriptionId'))))]",
 "type": "Microsoft.Resources/deployments",
- "apiVersion": "2022-09-01",
- "name": "avnm",
+ "apiVersion": "2019-10-01",
 "location": "[parameters('location')]",
+ "name": "[concat('alz-', parameters('location'), '-', substring(uniqueString(parameters('connectivitySubscriptionId')),0,6), '-connectivityAVNM')]",
+ "subscriptionId": "[parameters('connectivitySubscriptionId')]",
 "properties": {
- "expressionEvaluationOptions": {
- "scope": "inner"
- },
 "mode": "Incremental",
- "parameters": {
- "location": {
- "value": "[parameters('location')]"
- },
- "mgmtScope": {
- "value": "[parameters('managementGroupScope')]"
- }
- },
- "variables": {
- "rgName": {
- "value": "[variables('rgName')]"
- }
- },
 "template": {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "1.0.0.0",
- "metadata": {},
- "parameters": {
- "location": {
- "type": "string"
- },
- "mgmtScope": {
- "type": "string"
- }
- },
- "variables": {
- "rgName": {
- "type": "string"
- }
- },
- "resources": [
- {
- "type": "Microsoft.Resources/resourceGroups",
- "apiVersion": "2022-09-01",
- "name": "[variables('rgName')]",
- "location": "[parameters('location')]"
- },
- {
- "type": "Microsoft.Network/networkManagers",
- "apiVersion": "2022-09-01",
- "name": "[format('avnm-{0}', parameters('location'))]",
- "location": "[parameters('location')]",
- "properties": {
- "networkManagerScopeAccesses": [
- "SecurityAdmin"
- ],
- "networkManagerScopes": {
- "subscriptions": [
- "[format('/subscriptions/{0}', subscription().subscriptionId)]"
- ],
- "managementGroups": [
- "[parameters('mgmtScope')]"
- ]
+ "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {},
+ "resources": [
+ {
+ "type": "Microsoft.Resources/resourceGroups",
+ "apiVersion": "2019-10-01",
+ "location": "[parameters('location')]",
+ "name": "[variables('rgName')]",
+ "properties": {}
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "[variables('resourceDeploymentName')]",
+ "resourceGroup": "[variables('rgName')]",
+ "dependsOn": [
+ "[concat('Microsoft.Resources/resourceGroups/', variables('rgName'))]"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {},
+ "resources": [
+ {
+ "type": "Microsoft.Network/networkManagers",
+ "apiVersion": "2022-09-01",
+ "name": "[format('avnm-{0}', parameters('location'))]",
+ "location": "[parameters('location')]",
+ "properties": {
+ "networkManagerScopeAccesses": [
+ "SecurityAdmin"
+ ],
+ "networkManagerScopes": {
+ "subscriptions": [
+ "[format('/subscriptions/{0}', subscription().subscriptionId)]"
+ ],
+ "managementGroups": [
+ "[parameters('managementGroupScope')]"
+ ]
+ }
+ },
+ "metadata": {
+ "description": "This is the Azure Virtual Network Manager which will be used to implement the connected group for spoke-to-spoke connectivity." 
+ }
+ },
+ {
+ "type": "Microsoft.Network/networkManagers/networkGroups",
+ "apiVersion": "2022-09-01",
+ "name": "[format('{0}/{1}', format('avnm-{0}', parameters('location')), format('ng-{0}-static', parameters('location')))]",
+ "properties": {
+ "description": "Network Group - Static"
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Network/networkManagers', format('avnm-{0}', parameters('location')))]"
+ ],
+ "metadata": {
+ "description": "This is the static network group for the spoke VNETs, and hub when topology is mesh."
+ }
+ }
+ ]
+ }
+ }
 }
- },
- "metadata": {
- "description": "This is the Azure Virtual Network Manager which will be used to implement the connected group for spoke-to-spoke connectivity."
- }
- },
- {
- "type": "Microsoft.Network/networkManagers/networkGroups",
- "apiVersion": "2022-09-01",
- "name": "[format('{0}/{1}', format('avnm-{0}', parameters('location')), format('ng-{0}-static', parameters('location')))]",
- "properties": {
- "description": "Network Group - Static"
- },
- "dependsOn": [
- "[resourceId('Microsoft.Network/networkManagers', format('avnm-{0}', parameters('location')))]"
- ],
- "metadata": {
- "description": "This is the static network group for the spoke VNETs, and hub when topology is mesh."
- }
- }
- ],
- "outputs": {
- "networkManagerName": {
- "type": "string",
- "value": "[format('avnm-{0}', parameters('location'))]"
- }
- }
+ ]
 }
 }
 }
From d10fdbdb1004d1a53e37e07fb607281ee1f55289 Mon Sep 17 00:00:00 2001
From: Sacha Narinx
Date: Mon, 7 Oct 2024 13:20:46 +0400
Subject: [PATCH 013/226] .
---
 eslzArm/subscriptionTemplates/avnmConfiguration.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/eslzArm/subscriptionTemplates/avnmConfiguration.json b/eslzArm/subscriptionTemplates/avnmConfiguration.json
index 6f6c883bfb..9c99e156e2 100644
--- a/eslzArm/subscriptionTemplates/avnmConfiguration.json
+++ b/eslzArm/subscriptionTemplates/avnmConfiguration.json
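Review bot: The subscription scope entry `[format('/subscriptions/{0}', subscription().subscriptionId)]` sits in a nested template with no `expressionEvaluationOptions`, so as far as I can tell it is evaluated in the outer template's context, and that template is deployed at management-group scope (`managementGroupDeploymentTemplate.json#`), where `subscription()` has no value; the connectivity subscription is already a parameter, so `"[format('/subscriptions/{0}', parameters('connectivitySubscriptionId'))]"` avoids the dependency. `resourceDeploymentName` concatenates `'-avnm'` and `parameters('location')` with no separator, producing names like `...-avnmwesteurope`; a `'-avnm-'` literal reads better. The rewritten resource comment `// Conditionally deploy virtual network hub` no longer describes what the resource creates; `// Conditionally deploy the network manager into the connectivity subscription` would.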
@@ -55,7 +55,7 @@
 "apiVersion": "2019-10-01",
 "location": "[parameters('location')]",
 "name": "[concat('alz-', parameters('location'), '-', substring(uniqueString(parameters('connectivitySubscriptionId')),0,6), '-connectivityAVNM')]",
- "subscriptionId": "[parameters('connectivitySubscriptionId')]",
+ //"subscriptionId": "[parameters('connectivitySubscriptionId')]",
 "properties": {
 "mode": "Incremental",
 "template": {
From 9d2250936d5aa7cae2011b260c1ceb6513fb0bbf Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Mon, 7 Oct 2024 13:44:29 +0400 Subject: [PATCH 014/226] . --- eslzArm/eslzArm.json | 2 +- eslzArm/subscriptionTemplates/avnmConfiguration.json | 9 +++++---- 2 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json
index ca56223059..19ba062a76 100644
--- a/eslzArm/eslzArm.json
+++ b/eslzArm/eslzArm.json
@@ -5142,7 +5142,7 @@
 "value": "[parameters('enableHub')]"
 },
 "location": {
- "value": "[deployment().location]"
+ "value": "[parameters('connectivityLocation')]"
 },
 "connectivitySubscriptionId": {
 "value": "[parameters('connectivitySubscriptionId')]"
diff --git a/eslzArm/subscriptionTemplates/avnmConfiguration.json b/eslzArm/subscriptionTemplates/avnmConfiguration.json
index 9c99e156e2..d3ceea6ad2 100644
--- a/eslzArm/subscriptionTemplates/avnmConfiguration.json
+++ b/eslzArm/subscriptionTemplates/avnmConfiguration.json
@@ -5,6 +5,7 @@
 "topLevelManagementGroupPrefix": {
 "type": "string",
 "maxLength": 10,
+ "defaultValue": "eslz",
 "metadata": {
 "description": "Provide a prefix (max 10 characters, unique at tenant-scope) for the Management Group hierarchy and other resources created as part of Enterprise-scale."
 }
@@ -37,7 +38,7 @@
 },
 "managementGroupScope": {
 "type": "string",
- "defaultValue": "/providers/Microsoft.Management/managementGroups/contoso",
+ "defaultValue": "",
 "metadata": {
 "description": "Management group scope for AVNM."
 }
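Review bot: In the `@@ -37` hunk `managementGroupScope` now defaults to `""`, and that value is placed verbatim into the network manager's `managementGroups` scope list (visible in the first hunk on this page), so a caller who omits the parameter produces a scope entry of `""` that the service will reject at deploy time instead of a clear validation error; dropping the default so the parameter is required, or guarding the deployment `condition` with `not(empty(parameters('managementGroupScope')))`, would make the requirement explicit. Removing the `contoso` placeholder is right. The same consideration applies to the `"eslz"` default added to `topLevelManagementGroupPrefix` in the `@@ -5` hunk: its own description says the value must be unique at tenant scope, and a defaulted prefix also silently fixes the AVNM resource group name. The enclosing parameters object starts and ends outside these hunks.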
@@ -55,7 +56,7 @@ "apiVersion": "2019-10-01", "location": "[parameters('location')]", "name": "[concat('alz-', parameters('location'), '-', substring(uniqueString(parameters('connectivitySubscriptionId')),0,6), '-connectivityAVNM')]", - //"subscriptionId": "[parameters('connectivitySubscriptionId')]", + "subscriptionId": "[parameters('connectivitySubscriptionId')]", "properties": { "mode": "Incremental", "template": { @@ -92,11 +93,11 @@ "location": "[parameters('location')]", "properties": { "networkManagerScopeAccesses": [ - "SecurityAdmin" + "SecurityAdmin" ], "networkManagerScopes": { "subscriptions": [ - "[format('/subscriptions/{0}', subscription().subscriptionId)]" + //"[format('/subscriptions/{0}', subscription().subscriptionId)]" ], "managementGroups": [ "[parameters('managementGroupScope')]" From 589ea76e0bc5d4c37747745238ff49d449f53a62 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Mon, 7 Oct 2024 14:29:20 +0400 Subject: [PATCH 015/226] . --- eslzArm/subscriptionTemplates/avnmConfiguration.json | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/eslzArm/subscriptionTemplates/avnmConfiguration.json b/eslzArm/subscriptionTemplates/avnmConfiguration.json index d3ceea6ad2..a324a15470 100644 --- a/eslzArm/subscriptionTemplates/avnmConfiguration.json +++ b/eslzArm/subscriptionTemplates/avnmConfiguration.json @@ -96,11 +96,9 @@ "SecurityAdmin" ], "networkManagerScopes": { - "subscriptions": [ - //"[format('/subscriptions/{0}', subscription().subscriptionId)]" - ], + "subscriptions": [], "managementGroups": [ - "[parameters('managementGroupScope')]" + //"[parameters('managementGroupScope')]" ] } }, From 0e27b0bd68051ca5f314ba47e21109a7870d09ca Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Mon, 7 Oct 2024 15:00:30 +0400 Subject: [PATCH 016/226] . --- .../subscriptionTemplates/avnmConfiguration.json | 14 -------------- 1 file changed, 14 deletions(-) 
diff --git a/eslzArm/subscriptionTemplates/avnmConfiguration.json b/eslzArm/subscriptionTemplates/avnmConfiguration.json index a324a15470..57de85d3bb 100644 --- a/eslzArm/subscriptionTemplates/avnmConfiguration.json +++ b/eslzArm/subscriptionTemplates/avnmConfiguration.json @@ -105,20 +105,6 @@ "metadata": { "description": "This is the Azure Virtual Network Manager which will be used to implement the connected group for spoke-to-spoke connectivity." } - }, - { - "type": "Microsoft.Network/networkManagers/networkGroups", - "apiVersion": "2022-09-01", - "name": "[format('{0}/{1}', format('avnm-{0}', parameters('location')), format('ng-{0}-static', parameters('location')))]", - "properties": { - "description": "Network Group - Static" - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/networkManagers', format('avnm-{0}', parameters('location')))]" - ], - "metadata": { - "description": "This is the static network group for the spoke VNETs, and hub when topology is mesh." - } } ] } From 38abcd62a38255490dcb59ef46f4a2f90683b5bc Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Mon, 7 Oct 2024 15:31:52 +0400 Subject: [PATCH 017/226] . --- .../avnmConfiguration copy.json | 133 ++++++++++++++++++ 1 file changed, 133 insertions(+) create mode 100644 eslzArm/subscriptionTemplates/avnmConfiguration copy.json diff --git a/eslzArm/subscriptionTemplates/avnmConfiguration copy.json b/eslzArm/subscriptionTemplates/avnmConfiguration copy.json new file mode 100644 index 0000000000..a324a15470 --- /dev/null +++ b/eslzArm/subscriptionTemplates/avnmConfiguration copy.json 
@@ -0,0 +1,133 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "maxLength": 10, + "defaultValue": "eslz", + "metadata": { + "description": "Provide a prefix (max 10 characters, unique at tenant-scope) for the Management Group hierarchy and other resources created as part of Enterprise-scale." + } + }, + "location": { + "type": "string", + "metadata": { + "displayName": "location", + "description": "Location of the HUB" + }, + "defaultValue": "[deployment().location]" + }, + "connectivitySubscriptionId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Provide the subscription id for the dedicated connectivity subscription." + } + }, + "enableHub": { + "type": "string", + "allowedValues": [ + "vhub", + "No" + ], + "defaultValue": "No", + "metadata": { + "description": "Select whether the virtual network hub should be deployed or not." + } + }, + "managementGroupScope": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Management group scope for AVNM." 
+ } + } + }, + "variables": { + "rgName": "[concat(parameters('topLevelManagementGroupPrefix'), '-avnm-', parameters('location'))]", + "resourceDeploymentName": "[take(concat(deployment().name, '-avnm', parameters('location')), 64)]" + }, + "resources": [ + { + // Conditionally deploy virtual network hub + "condition": "[and(equals(parameters('enableHub'), 'vhub'), not(empty(parameters('connectivitySubscriptionId'))))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "location": "[parameters('location')]", + "name": "[concat('alz-', parameters('location'), '-', substring(uniqueString(parameters('connectivitySubscriptionId')),0,6), '-connectivityAVNM')]", + "subscriptionId": "[parameters('connectivitySubscriptionId')]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": {}, + "resources": [ + { + "type": "Microsoft.Resources/resourceGroups", + "apiVersion": "2019-10-01", + "location": "[parameters('location')]", + "name": "[variables('rgName')]", + "properties": {} + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[variables('resourceDeploymentName')]", + "resourceGroup": "[variables('rgName')]", + "dependsOn": [ + "[concat('Microsoft.Resources/resourceGroups/', variables('rgName'))]" + ], + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": {}, + "resources": [ + { + "type": "Microsoft.Network/networkManagers", + "apiVersion": "2022-09-01", + "name": "[format('avnm-{0}', parameters('location'))]", + "location": "[parameters('location')]", + "properties": { + "networkManagerScopeAccesses": [ + "SecurityAdmin" + ], + "networkManagerScopes": { + "subscriptions": [], + "managementGroups": 
[ + //"[parameters('managementGroupScope')]" + ] + } + }, + "metadata": { + "description": "This is the Azure Virtual Network Manager which will be used to implement the connected group for spoke-to-spoke connectivity." + } + }, + { + "type": "Microsoft.Network/networkManagers/networkGroups", + "apiVersion": "2022-09-01", + "name": "[format('{0}/{1}', format('avnm-{0}', parameters('location')), format('ng-{0}-static', parameters('location')))]", + "properties": { + "description": "Network Group - Static" + }, + "dependsOn": [ + "[resourceId('Microsoft.Network/networkManagers', format('avnm-{0}', parameters('location')))]" + ], + "metadata": { + "description": "This is the static network group for the spoke VNETs, and hub when topology is mesh." + } + } + ] + } + } + } + ] + } + } + } + ], + "outputs": {} +} \ No newline at end of file From 34d5987893f3bc4ff74aa682aa9fc103c564f882 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Mon, 7 Oct 2024 16:59:32 +0400 Subject: [PATCH 018/226] . --- eslzArm/eslz-portal.json | 5 +++-- eslzArm/subscriptionTemplates/avnmConfiguration.json | 2 +- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/eslzArm/eslz-portal.json b/eslzArm/eslz-portal.json index fe8ce215e1..34f3024300 100644 --- a/eslzArm/eslz-portal.json +++ b/eslzArm/eslz-portal.json @@ -1391,8 +1391,9 @@ { "name": "deployAVNM", "type": "Microsoft.Common.CheckBox", - "label": "Deploy Azure Virtual Network Manager", - "visible": "[equals(steps('connectivity').enableHub, 'vhub')]" + "label": "Deploy Azure Virtual Network Manager - PREVIEW", + "toolTip": "If selected, Azure Virtual Network Manager will be deployed to manage your virtual networks. Currently, ALZ will only enable Security Admin Rules role by default", + "visible": "[or(equals(steps('connectivity').enableHub, 'vhub'), equals(steps('connectivity').enableHub, 'nva'))]" }, { "name": "esNwNVANote", 
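Review bot: This commits `avnmConfiguration copy.json`, a duplicate of avnmConfiguration.json with a space in its file name (its blob `a324a15470` is exactly the pre-image that commit 016 modifies), into the directory the subscription templates live in. A scratch copy in the tree is easy to pick up by mistake — both files declare the same resource names and the same `condition` — and it still carries the commented-out `managementGroupScope` scope line that the real file has since moved past; working copies belong on a branch or in a stash. Commit 026 further down removes the file again, which is the right outcome, but the series would be cleaner without carrying it at all.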
diff --git a/eslzArm/subscriptionTemplates/avnmConfiguration.json b/eslzArm/subscriptionTemplates/avnmConfiguration.json index 57de85d3bb..3af482258a 100644 --- a/eslzArm/subscriptionTemplates/avnmConfiguration.json +++ b/eslzArm/subscriptionTemplates/avnmConfiguration.json @@ -51,7 +51,7 @@ "resources": [ { // Conditionally deploy virtual network hub - "condition": "[and(equals(parameters('enableHub'), 'vhub'), not(empty(parameters('connectivitySubscriptionId'))))]", + "condition": "[and(or(equals(parameters('enableHub'), 'vhub'), equals(parameters('enableHub'), 'nva')), not(empty(parameters('connectivitySubscriptionId'))))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2019-10-01", "location": "[parameters('location')]", From 2144f00ef12f89e8390c0f01cba6fad22ce5324a Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Mon, 7 Oct 2024 17:41:22 +0400 Subject: [PATCH 019/226] . --- eslzArm/subscriptionTemplates/avnmConfiguration.json | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/eslzArm/subscriptionTemplates/avnmConfiguration.json b/eslzArm/subscriptionTemplates/avnmConfiguration.json index 3af482258a..4c3c7ac0cd 100644 --- a/eslzArm/subscriptionTemplates/avnmConfiguration.json +++ b/eslzArm/subscriptionTemplates/avnmConfiguration.json @@ -97,10 +97,7 @@ ], "networkManagerScopes": { "subscriptions": [], - "managementGroups": [ - //"[parameters('managementGroupScope')]" - ] - } + "managementGroups": [] } }, "metadata": { "description": "This is the Azure Virtual Network Manager which will be used to implement the connected group for spoke-to-spoke connectivity." From bd77582b4a0776f9665faedebddbd6f152e8e294 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Mon, 7 Oct 2024 18:14:27 +0400 Subject: [PATCH 020/226] . --- eslzArm/subscriptionTemplates/avnmConfiguration.json | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) 
diff --git a/eslzArm/subscriptionTemplates/avnmConfiguration.json b/eslzArm/subscriptionTemplates/avnmConfiguration.json
index 4c3c7ac0cd..a85ba98cc8 100644
--- a/eslzArm/subscriptionTemplates/avnmConfiguration.json
+++ b/eslzArm/subscriptionTemplates/avnmConfiguration.json
@@ -97,7 +97,10 @@
 ],
 "networkManagerScopes": {
 "subscriptions": [],
- "managementGroups": [] }
+ "managementGroups": [
+ "[[parameters('managementGroupScope')]"
+ ]
+ }
 },
 "metadata": {
 "description": "This is the Azure Virtual Network Manager which will be used to implement the connected group for spoke-to-spoke connectivity."
From 96fbf79379051b54e9208feb5aacad49d5473946 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Mon, 7 Oct 2024 18:15:17 +0400 Subject: [PATCH 021/226] . --- .../subscriptionTemplates/avnmConfiguration.json | 14 ++++++++++++++ 1 file changed, 14 insertions(+)
diff --git a/eslzArm/subscriptionTemplates/avnmConfiguration.json b/eslzArm/subscriptionTemplates/avnmConfiguration.json
index a85ba98cc8..cfd6716e53 100644
--- a/eslzArm/subscriptionTemplates/avnmConfiguration.json
+++ b/eslzArm/subscriptionTemplates/avnmConfiguration.json
@@ -105,6 +105,20 @@
 "metadata": {
 "description": "This is the Azure Virtual Network Manager which will be used to implement the connected group for spoke-to-spoke connectivity."
 }
+ },
+ {
+ "type": "Microsoft.Network/networkManagers/networkGroups",
+ "apiVersion": "2022-09-01",
+ "name": "[format('{0}/{1}', format('avnm-{0}', parameters('location')), format('ng-{0}-static', parameters('location')))]",
+ "properties": {
+ "description": "Network Group - Static"
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Network/networkManagers', format('avnm-{0}', parameters('location')))]"
+ ],
+ "metadata": {
+ "description": "This is the static network group for the spoke VNETs, and hub when topology is mesh."
+ }
 }
 ]
 }
From dc42eeff965be5576fc817dd7773bad6b01fcbfc Mon Sep 17 00:00:00 2001
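Review bot: The new `managementGroups` entry `"[[parameters('managementGroupScope')]"` starts with `[[`, which ARM treats as an escape for a literal `[`, so the scope becomes the literal text `[parameters('managementGroupScope')]` rather than the management group's resource ID and the network manager create call should reject it. The single-bracket form `"[parameters('managementGroupScope')]"` is what was intended, and because the parameter defaults to `""` (set in an earlier hunk of this series) the template would also benefit from making it required or checking it in the deployment `condition` before it reaches the scope list. The enclosing networkManagers resource starts and ends outside this hunk.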
From: Sacha Narinx Date: Mon, 7 Oct 2024 19:05:32 +0400 Subject: [PATCH 022/226] . --- eslzArm/subscriptionTemplates/avnmConfiguration.json | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/eslzArm/subscriptionTemplates/avnmConfiguration.json b/eslzArm/subscriptionTemplates/avnmConfiguration.json index cfd6716e53..5e056f5d01 100644 --- a/eslzArm/subscriptionTemplates/avnmConfiguration.json +++ b/eslzArm/subscriptionTemplates/avnmConfiguration.json @@ -96,9 +96,11 @@ "SecurityAdmin" ], "networkManagerScopes": { - "subscriptions": [], + "subscriptions": [ + "[parameters('connectivitySubscriptionId')]" + ], "managementGroups": [ - "[[parameters('managementGroupScope')]" + "[parameters('managementGroupScope')]" ] } }, From d7de66a15615950d4b25e47c85bab4bc13109424 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Mon, 7 Oct 2024 19:43:10 +0400 Subject: [PATCH 023/226] Refactor connectivitySubscriptionId format in avnmConfiguration.json --- eslzArm/subscriptionTemplates/avnmConfiguration.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/eslzArm/subscriptionTemplates/avnmConfiguration.json b/eslzArm/subscriptionTemplates/avnmConfiguration.json index 5e056f5d01..a03f8ca18c 100644 --- a/eslzArm/subscriptionTemplates/avnmConfiguration.json +++ b/eslzArm/subscriptionTemplates/avnmConfiguration.json @@ -97,7 +97,7 @@ ], "networkManagerScopes": { "subscriptions": [ - "[parameters('connectivitySubscriptionId')]" + "[format('/subscriptions/{0}', parameters('connectivitySubscriptionId'))]" ], "managementGroups": [ "[parameters('managementGroupScope')]" From 80f5e9ed4a3bc116eb6cc06a8ee0dfb8bf861ff2 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Mon, 7 Oct 2024 19:53:29 +0400 Subject: [PATCH 024/226] Refactor connectivitySubscriptionId format in avnmConfiguration.json --- eslzArm/subscriptionTemplates/avnmConfiguration.json | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) 
diff --git a/eslzArm/subscriptionTemplates/avnmConfiguration.json b/eslzArm/subscriptionTemplates/avnmConfiguration.json index a03f8ca18c..5a7c960c2f 100644 --- a/eslzArm/subscriptionTemplates/avnmConfiguration.json +++ b/eslzArm/subscriptionTemplates/avnmConfiguration.json @@ -99,9 +99,7 @@ "subscriptions": [ "[format('/subscriptions/{0}', parameters('connectivitySubscriptionId'))]" ], - "managementGroups": [ - "[parameters('managementGroupScope')]" - ] + "managementGroups": [] } }, "metadata": { From 9fae88d8b6332fa9c586d0accc426378468c012b Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Tue, 8 Oct 2024 10:44:28 +0400 Subject: [PATCH 025/226] . --- .../subscriptionTemplates/avnmConfiguration.json | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/eslzArm/subscriptionTemplates/avnmConfiguration.json b/eslzArm/subscriptionTemplates/avnmConfiguration.json index 5a7c960c2f..b4dee07599 100644 --- a/eslzArm/subscriptionTemplates/avnmConfiguration.json +++ b/eslzArm/subscriptionTemplates/avnmConfiguration.json @@ -29,6 +29,8 @@ "type": "string", "allowedValues": [ "vhub", + "vwan", + "nva", "No" ], "defaultValue": "No", @@ -119,6 +121,20 @@ "metadata": { "description": "This is the static network group for the spoke VNETs, and hub when topology is mesh." } + }, + { + "type": "Microsoft.Network/networkManagers/networkGroups", + "apiVersion": "2022-09-01", + "name": "[format('{0}/{1}', format('avnm-{0}', parameters('location')), format('ng-{0}-dynamic', parameters('location')))]", + "properties": { + "description": "Network Group - Dynamic" + }, + "dependsOn": [ + "[resourceId('Microsoft.Network/networkManagers', format('avnm-{0}', parameters('location')))]" + ], + "metadata": { + "description": "This is the dynamic network group for the spoke VNETs, and hub when topology is mesh." + } } ] } From 9ebab5c389146ae7f0114ce7bf212460c5227f53 Mon Sep 17 00:00:00 2001 
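Review bot: In the `@@ -29` hunk, adding `vwan` to `enableHub`'s allowedValues does not make the AVNM deployment run for a Virtual WAN hub: the resource-level `condition` changed in commit 018 above still tests only `vhub` and `nva`, so `vwan` is accepted and silently deploys nothing; either extend the condition or leave `vwan` out of the list. In the `@@ -119` hunk the new dynamic network group carries only a description — dynamic membership comes from an Azure Policy assignment using the `addToNetworkGroup` effect, and none is added here, so the group stays empty and its metadata description should say where that policy is expected to come from. The static group added in commit 021 has the same gap (no `staticMembers` child resource is declared), so both descriptions currently describe intent rather than what the template deploys. The enclosing resources array starts and ends outside these hunks.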
From: Sacha Narinx Date: Tue, 8 Oct 2024 11:27:50 +0400 Subject: [PATCH 026/226] . --- .../avnmConfiguration copy.json | 133 ------------------ .../avnmConfiguration.json | 8 +- 2 files changed, 4 insertions(+), 137 deletions(-) delete mode 100644 eslzArm/subscriptionTemplates/avnmConfiguration copy.json diff --git a/eslzArm/subscriptionTemplates/avnmConfiguration copy.json b/eslzArm/subscriptionTemplates/avnmConfiguration copy.json deleted file mode 100644 index a324a15470..0000000000 --- a/eslzArm/subscriptionTemplates/avnmConfiguration copy.json +++ /dev/null 
@@ -1,133 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "topLevelManagementGroupPrefix": { - "type": "string", - "maxLength": 10, - "defaultValue": "eslz", - "metadata": { - "description": "Provide a prefix (max 10 characters, unique at tenant-scope) for the Management Group hierarchy and other resources created as part of Enterprise-scale." - } - }, - "location": { - "type": "string", - "metadata": { - "displayName": "location", - "description": "Location of the HUB" - }, - "defaultValue": "[deployment().location]" - }, - "connectivitySubscriptionId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Provide the subscription id for the dedicated connectivity subscription." - } - }, - "enableHub": { - "type": "string", - "allowedValues": [ - "vhub", - "No" - ], - "defaultValue": "No", - "metadata": { - "description": "Select whether the virtual network hub should be deployed or not." - } - }, - "managementGroupScope": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Management group scope for AVNM." 
- } - } - }, - "variables": { - "rgName": "[concat(parameters('topLevelManagementGroupPrefix'), '-avnm-', parameters('location'))]", - "resourceDeploymentName": "[take(concat(deployment().name, '-avnm', parameters('location')), 64)]" - }, - "resources": [ - { - // Conditionally deploy virtual network hub - "condition": "[and(equals(parameters('enableHub'), 'vhub'), not(empty(parameters('connectivitySubscriptionId'))))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2019-10-01", - "location": "[parameters('location')]", - "name": "[concat('alz-', parameters('location'), '-', substring(uniqueString(parameters('connectivitySubscriptionId')),0,6), '-connectivityAVNM')]", - "subscriptionId": "[parameters('connectivitySubscriptionId')]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": {}, - "resources": [ - { - "type": "Microsoft.Resources/resourceGroups", - "apiVersion": "2019-10-01", - "location": "[parameters('location')]", - "name": "[variables('rgName')]", - "properties": {} - }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2019-10-01", - "name": "[variables('resourceDeploymentName')]", - "resourceGroup": "[variables('rgName')]", - "dependsOn": [ - "[concat('Microsoft.Resources/resourceGroups/', variables('rgName'))]" - ], - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": {}, - "resources": [ - { - "type": "Microsoft.Network/networkManagers", - "apiVersion": "2022-09-01", - "name": "[format('avnm-{0}', parameters('location'))]", - "location": "[parameters('location')]", - "properties": { - "networkManagerScopeAccesses": [ - "SecurityAdmin" - ], - "networkManagerScopes": { - "subscriptions": [], - "managementGroups": 
[ - //"[parameters('managementGroupScope')]" - ] - } - }, - "metadata": { - "description": "This is the Azure Virtual Network Manager which will be used to implement the connected group for spoke-to-spoke connectivity." - } - }, - { - "type": "Microsoft.Network/networkManagers/networkGroups", - "apiVersion": "2022-09-01", - "name": "[format('{0}/{1}', format('avnm-{0}', parameters('location')), format('ng-{0}-static', parameters('location')))]", - "properties": { - "description": "Network Group - Static" - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/networkManagers', format('avnm-{0}', parameters('location')))]" - ], - "metadata": { - "description": "This is the static network group for the spoke VNETs, and hub when topology is mesh." - } - } - ] - } - } - } - ] - } - } - } - ], - "outputs": {} -} \ No newline at end of file diff --git a/eslzArm/subscriptionTemplates/avnmConfiguration.json b/eslzArm/subscriptionTemplates/avnmConfiguration.json index b4dee07599..5c87678a8a 100644 --- a/eslzArm/subscriptionTemplates/avnmConfiguration.json +++ b/eslzArm/subscriptionTemplates/avnmConfiguration.json @@ -98,10 +98,10 @@ "SecurityAdmin" ], "networkManagerScopes": { - "subscriptions": [ - "[format('/subscriptions/{0}', parameters('connectivitySubscriptionId'))]" - ], - "managementGroups": [] + "subscriptions": [], + "managementGroups": [ + "[parameters('managementGroupScope')]" + ] } }, "metadata": { From 07f88b2e6f02fa6061746740f4994700f6af323b Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Tue, 8 Oct 2024 12:19:18 +0400 Subject: [PATCH 027/226] . --- eslzArm/eslzArm.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json index 19ba062a76..84d2f50722 100644 --- a/eslzArm/eslzArm.json +++ b/eslzArm/eslzArm.json 
@@ -5148,7 +5148,7 @@ "value": "[parameters('connectivitySubscriptionId')]" }, "managementGroupScope": { - "value": "[variables('scopes').eslzRootManagementGroup]" + "value": "[variables('mgmtGroups').eslzRoot]" } } } From 151767c75bae42476e96d77f02d8d8cdae86d80b Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Tue, 8 Oct 2024 12:42:29 +0400 Subject: [PATCH 028/226] . --- eslzArm/subscriptionTemplates/avnmConfiguration.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/eslzArm/subscriptionTemplates/avnmConfiguration.json b/eslzArm/subscriptionTemplates/avnmConfiguration.json index 5c87678a8a..60c9586393 100644 --- a/eslzArm/subscriptionTemplates/avnmConfiguration.json +++ b/eslzArm/subscriptionTemplates/avnmConfiguration.json @@ -100,7 +100,7 @@ "networkManagerScopes": { "subscriptions": [], "managementGroups": [ - "[parameters('managementGroupScope')]" + "[tenantResourceId('Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]" ] } }, From 326446a24e9a1714b45fd0ba716b7abb295f3425 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Tue, 8 Oct 2024 13:24:35 +0400 Subject: [PATCH 029/226] . --- eslzArm/subscriptionTemplates/avnmConfiguration.json | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/eslzArm/subscriptionTemplates/avnmConfiguration.json b/eslzArm/subscriptionTemplates/avnmConfiguration.json index 60c9586393..9c86b5569b 100644 --- a/eslzArm/subscriptionTemplates/avnmConfiguration.json +++ b/eslzArm/subscriptionTemplates/avnmConfiguration.json @@ -98,9 +98,11 @@ "SecurityAdmin" ], "networkManagerScopes": { - "subscriptions": [], + "subscriptions": [ + "[format('/subscriptions/{0}', parameters('connectivitySubscriptionId'))]" + ], "managementGroups": [ - "[tenantResourceId('Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]" + "[format('/providers/Microsoft.Management/managementGroups/(0}', parameters('topLevelManagementGroupPrefix'))]" ] } }, 
From 6d0802dee696b7e6be7779647bb62816fb79b342 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Tue, 8 Oct 2024 13:57:16 +0400 Subject: [PATCH 030/226] . --- eslzArm/subscriptionTemplates/avnmConfiguration.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/eslzArm/subscriptionTemplates/avnmConfiguration.json b/eslzArm/subscriptionTemplates/avnmConfiguration.json
index 9c86b5569b..f4ae28bc97 100644
--- a/eslzArm/subscriptionTemplates/avnmConfiguration.json
+++ b/eslzArm/subscriptionTemplates/avnmConfiguration.json
@@ -102,7 +102,7 @@
 "[format('/subscriptions/{0}', parameters('connectivitySubscriptionId'))]"
 ],
 "managementGroups": [
- "[format('/providers/Microsoft.Management/managementGroups/(0}', parameters('topLevelManagementGroupPrefix'))]"
+ "[format('/providers/Microsoft.Management/managementGroups/{0}', parameters('topLevelManagementGroupPrefix'))]"
 ]
 }
 },
From a1cc2c531d70984b54146f15be95ee24c505a400 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Wed, 9 Oct 2024 10:41:07 +0400 Subject: [PATCH 031/226] . --- eslzArm/eslzArm.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json
index 84d2f50722..19ba062a76 100644
--- a/eslzArm/eslzArm.json
+++ b/eslzArm/eslzArm.json
@@ -5148,7 +5148,7 @@
 "value": "[parameters('connectivitySubscriptionId')]"
 },
 "managementGroupScope": {
- "value": "[variables('mgmtGroups').eslzRoot]"
+ "value": "[variables('scopes').eslzRootManagementGroup]"
 }
 }
 }
From c98b4b29186bc8c82e1009cc4f03a7130531ff48 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Mon, 14 Oct 2024 11:42:44 +0400 Subject: [PATCH 032/226] Breaking changes --- eslzArm/eslzArm.json | 2 +- .../avnmConfiguration.json | 124 +++++++++++++++++- 2 files changed, 124 insertions(+), 2 deletions(-)
diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json
index 19ba062a76..75057689d0 100644
--- a/eslzArm/eslzArm.json
+++ b/eslzArm/eslzArm.json
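Review bot: After this change the management-group scope is derived from `topLevelManagementGroupPrefix`, and as far as the hunks in this series show `managementGroupScope` is no longer read anywhere in the template, yet eslzArm.json keeps passing it (the `@@ -5148` hunks in commits 027 and 031 set it from `variables('scopes').eslzRootManagementGroup`). Either drop the parameter on both sides or use it here — `"[parameters('managementGroupScope')]"` in place of the format() call, with the caller supplying the full `/providers/Microsoft.Management/managementGroups/...` ID — otherwise the scope AVNM governs and the scope the caller believes it passed can silently diverge. Because the network manager is granted `SecurityAdmin` over everything in that scope, it should be an explicit input rather than an assumption that the root management group's ID equals the prefix. The enclosing networkManagers resource starts and ends outside this hunk.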
@@ -5112,7 +5112,7 @@ } }, { - // Deploy AVNM (hub and spoke) + // Deploy AVNM "condition": "[and(not(empty(parameters('connectivitySubscriptionId'))), parameters('deployAVNM'))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", diff --git a/eslzArm/subscriptionTemplates/avnmConfiguration.json b/eslzArm/subscriptionTemplates/avnmConfiguration.json index f4ae28bc97..bdc498e408 100644 --- a/eslzArm/subscriptionTemplates/avnmConfiguration.json +++ b/eslzArm/subscriptionTemplates/avnmConfiguration.json 
@@ -73,6 +73,128 @@ "name": "[variables('rgName')]", "properties": {} }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[concat(variables('resourceDeploymentName'), '-id')]", + "resourceGroup": "[variables('rgName')]", + "dependsOn": [ + "[concat('Microsoft.Resources/resourceGroups/', variables('rgName'))]" + ], + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": {}, + "resources": [ + { + "type": "Microsoft.ManagedIdentity/userAssignedIdentities", + "apiVersion": "2022-01-31-preview", + "name": "[format('uai-{0}', parameters('location'))]", + "location": "[parameters('location')]", + "metadata": { + "description": "This user assigned identity is used by the Deployment Script resource to interact with Azure resources." + } + }, + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "name": "[guid(resourceGroup().id, format('uai-{0}', parameters('location')))]", + "properties": { + "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c')]", + "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-{0}', parameters('location'))), '2022-01-31-preview').principalId]", + "principalType": "ServicePrincipal" + }, + "dependsOn": [ + "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-{0}', parameters('location')))]" + ], + "metadata": { + "description": "This role assignment grants the user assigned identity the Contributor role on the management group." 
+ } + } + ], + "outputs": { + "userAssignedIdentityId": { + "type": "string", + "value": "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-{0}', parameters('location')))]" + } + } + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[concat(variables('resourceDeploymentName'), '-ds')]", + "resourceGroup": "[variables('rgName')]", + "dependsOn": [ + "[concat('Microsoft.Resources/resourceGroups/', variables('rgName'))]" + ], + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "location": { + "value": "[parameters('location')]" + }, + "userAssignedIdentityId": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, variables('rgName')), 'Microsoft.Resources/deployments', concat(variables('resourceDeploymentName'), '-id')), '2022-09-01').outputs.userAssignedIdentityId.value]" + }, + "deploymentScriptName": { + "value": "[format('ds-{0}-mgScopeConfigs', parameters('location'))]" + }, + "managementGroupScope": { + "value": "[parameters('topLevelManagementGroupPrefix')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string" + }, + "userAssignedIdentityId": { + "type": "string" + }, + "deploymentScriptName": { + "type": "string" + }, + "managementGroupScope": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.Resources/deploymentScripts", + "apiVersion": "2020-10-01", + "name": "[parameters('deploymentScriptName')]", + "location": "[parameters('location')]", + "kind": "AzurePowerShell", + "identity": { + "type": "UserAssigned", + "userAssignedIdentities": { + "[format('{0}', parameters('userAssignedIdentityId'))]": {} + } + }, + "properties": { + "azPowerShellVersion": "8.3", + 
"retentionInterval": "PT1H", + "timeout": "PT1H", + "arguments": "[format('-mgmtGroupId \"{0}\"', parameters('managementGroupScope'))]", + "scriptContent": "Invoke-AzRestMethod -Method POST -Uri \"https://management.azure.com/providers/Microsoft.Management/managementGroups/$mgmtGroupId/providers/Microsoft.Network/register?api-version=2021-04-01\"" + }, + "metadata": { + "description": "Create a Deployment Script resource to perform the commit/deployment of the Network Manager connectivity configuration." + } + } + ] + } + } + }, { "type": "Microsoft.Resources/deployments", "apiVersion": "2019-10-01", @@ -107,7 +229,7 @@ } }, "metadata": { - "description": "This is the Azure Virtual Network Manager which will be used to implement the connected group for spoke-to-spoke connectivity." + "description": "This is the Azure Virtual Network Manager which will be used to configure Security Admin Rules." } }, { From 22809edfcdb5206e925ce57a085de25b16f693bb Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Mon, 14 Oct 2024 13:18:04 +0400 Subject: [PATCH 033/226] . --- .../avnmConfiguration copy.json | 273 ++++++++++++++++++ 1 file changed, 273 insertions(+) create mode 100644 eslzArm/subscriptionTemplates/avnmConfiguration copy.json diff --git a/eslzArm/subscriptionTemplates/avnmConfiguration copy.json b/eslzArm/subscriptionTemplates/avnmConfiguration copy.json new file mode 100644 index 0000000000..bdc498e408 --- /dev/null +++ b/eslzArm/subscriptionTemplates/avnmConfiguration copy.json 
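Review bot: The role assignment added for `uai-{location}` is created inside the resource-group-scoped nested deployment (its name is seeded from `resourceGroup().id` and it carries no `scope`), so it lands on the resource group, while its description says it grants the identity Contributor on the management group and the deployment script then POSTs to `.../managementGroups/$mgmtGroupId/providers/Microsoft.Network/register` with that identity — an RG-level assignment gives it no rights at that scope, so a 403 is the expected outcome, and the GUID in `roleDefinitionId` is, to my knowledge, the built-in Management Group Contributor definition rather than Contributor, so the description is wrong either way. If the assignment is moved to the management group (a top-level resource of this management-group-scoped template with an explicit `scope`), keep it to the narrowest built-in role that can register a provider at that scope, since this identity's grant is what an attacker who reaches the deployment script's container would inherit. `scriptContent` uses `$mgmtGroupId` without a `param()` block, so the `-mgmtGroupId` argument most likely lands in `$args` and the URI is built with an empty segment; it also never inspects the response, so a failed registration does not fail the deployment. The `-ds` deployment reads the `-id` deployment's output through `reference()` but lists only the resource group in `dependsOn`; unless ARM infers that dependency, add the `-id` deployment explicitly. The resources array these deployments sit in starts and ends outside the hunk.
```json
"dependsOn": [
  "[concat('Microsoft.Resources/resourceGroups/', variables('rgName'))]",
  "[concat('Microsoft.Resources/deployments/', variables('resourceDeploymentName'), '-id')]"
],
// … unchanged: properties.mode, expressionEvaluationOptions, parameters, inner template header, deploymentScripts identity …
"arguments": "[format('-mgmtGroupId \"{0}\"', parameters('managementGroupScope'))]",
"scriptContent": "param([string]$mgmtGroupId)\nif ([string]::IsNullOrWhiteSpace($mgmtGroupId)) { throw 'mgmtGroupId is required' }\n$r = Invoke-AzRestMethod -Method POST -Uri \"https://management.azure.com/providers/Microsoft.Management/managementGroups/$mgmtGroupId/providers/Microsoft.Network/register?api-version=2021-04-01\"\nif ($r.StatusCode -lt 200 -or $r.StatusCode -ge 300) { throw \"Provider registration failed: $($r.StatusCode) $($r.Content)\" }"
```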
@@ -0,0 +1,273 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "type": "string",
+ "maxLength": 10,
+ "defaultValue": "eslz",
+ "metadata": {
+ "description": "Provide a prefix (max 10 characters, unique at tenant-scope) for the Management Group hierarchy and other resources created as part of Enterprise-scale."
+ }
+ },
+ "location": {
+ "type": "string",
+ "metadata": {
+ "displayName": "location",
+ "description": "Location of the HUB"
+ },
+ "defaultValue": "[deployment().location]"
+ },
+ "connectivitySubscriptionId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Provide the subscription id for the dedicated connectivity subscription."
+ }
+ },
+ "enableHub": {
+ "type": "string",
+ "allowedValues": [
+ "vhub",
+ "vwan",
+ "nva",
+ "No"
+ ],
+ "defaultValue": "No",
+ "metadata": {
+ "description": "Select whether the virtual network hub should be deployed or not."
+ }
+ },
+ "managementGroupScope": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Management group scope for AVNM."
+ }
+ }
+ },
+ "variables": {
+ "rgName": "[concat(parameters('topLevelManagementGroupPrefix'), '-avnm-', parameters('location'))]",
+ "resourceDeploymentName": "[take(concat(deployment().name, '-avnm', parameters('location')), 64)]"
+ },
+ "resources": [
+ {
+ // Conditionally deploy virtual network hub
+ "condition": "[and(or(equals(parameters('enableHub'), 'vhub'), equals(parameters('enableHub'), 'nva')), not(empty(parameters('connectivitySubscriptionId'))))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "location": "[parameters('location')]",
+ "name": "[concat('alz-', parameters('location'), '-', substring(uniqueString(parameters('connectivitySubscriptionId')),0,6), '-connectivityAVNM')]",
+ "subscriptionId": "[parameters('connectivitySubscriptionId')]",
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {},
+ "resources": [
+ {
+ "type": "Microsoft.Resources/resourceGroups",
+ "apiVersion": "2019-10-01",
+ "location": "[parameters('location')]",
+ "name": "[variables('rgName')]",
+ "properties": {}
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "[concat(variables('resourceDeploymentName'), '-id')]",
+ "resourceGroup": "[variables('rgName')]",
+ "dependsOn": [
+ "[concat('Microsoft.Resources/resourceGroups/', variables('rgName'))]"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {},
+ "resources": [
+ {
+ "type": "Microsoft.ManagedIdentity/userAssignedIdentities",
+ "apiVersion": "2022-01-31-preview",
+ "name": "[format('uai-{0}', parameters('location'))]",
+ "location": "[parameters('location')]",
+ "metadata": {
+ "description": "This user assigned identity is used by the Deployment Script resource to interact with Azure resources."
+ }
+ },
+ {
+ "type": "Microsoft.Authorization/roleAssignments",
+ "apiVersion": "2022-04-01",
+ "name": "[guid(resourceGroup().id, format('uai-{0}', parameters('location')))]",
+ "properties": {
+ "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c')]",
+ "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-{0}', parameters('location'))), '2022-01-31-preview').principalId]",
+ "principalType": "ServicePrincipal"
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-{0}', parameters('location')))]"
+ ],
+ "metadata": {
+ "description": "This role assignment grants the user assigned identity the Contributor role on the management group."
+ }
+ }
+ ],
+ "outputs": {
+ "userAssignedIdentityId": {
+ "type": "string",
+ "value": "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-{0}', parameters('location')))]"
+ }
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "[concat(variables('resourceDeploymentName'), '-ds')]",
+ "resourceGroup": "[variables('rgName')]",
+ "dependsOn": [
+ "[concat('Microsoft.Resources/resourceGroups/', variables('rgName'))]"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "parameters": {
+ "location": {
+ "value": "[parameters('location')]"
+ },
+ "userAssignedIdentityId": {
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, variables('rgName')), 'Microsoft.Resources/deployments', concat(variables('resourceDeploymentName'), '-id')), '2022-09-01').outputs.userAssignedIdentityId.value]"
+ },
+ "deploymentScriptName": {
+ "value": "[format('ds-{0}-mgScopeConfigs', parameters('location'))]"
+ },
+ "managementGroupScope": {
+ "value": "[parameters('topLevelManagementGroupPrefix')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "location": {
+ "type": "string"
+ },
+ "userAssignedIdentityId": {
+ "type": "string"
+ },
+ "deploymentScriptName": {
+ "type": "string"
+ },
+ "managementGroupScope": {
+ "type": "string"
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Resources/deploymentScripts",
+ "apiVersion": "2020-10-01",
+ "name": "[parameters('deploymentScriptName')]",
+ "location": "[parameters('location')]",
+ "kind": "AzurePowerShell",
+ "identity": {
+ "type": "UserAssigned",
+ "userAssignedIdentities": {
+ "[format('{0}', parameters('userAssignedIdentityId'))]": {}
+ }
+ },
+ "properties": {
+ "azPowerShellVersion": "8.3",
+ "retentionInterval": "PT1H",
+ "timeout": "PT1H",
+ "arguments": "[format('-mgmtGroupId \"{0}\"', parameters('managementGroupScope'))]",
+ "scriptContent": "Invoke-AzRestMethod -Method POST -Uri \"https://management.azure.com/providers/Microsoft.Management/managementGroups/$mgmtGroupId/providers/Microsoft.Network/register?api-version=2021-04-01\""
+ },
+ "metadata": {
+ "description": "Create a Deployment Script resource to perform the commit/deployment of the Network Manager connectivity configuration."
+ }
+ }
+ ]
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "[variables('resourceDeploymentName')]",
+ "resourceGroup": "[variables('rgName')]",
+ "dependsOn": [
+ "[concat('Microsoft.Resources/resourceGroups/', variables('rgName'))]"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {},
+ "resources": [
+ {
+ "type": "Microsoft.Network/networkManagers",
+ "apiVersion": "2022-09-01",
+ "name": "[format('avnm-{0}', parameters('location'))]",
+ "location": "[parameters('location')]",
+ "properties": {
+ "networkManagerScopeAccesses": [
+ "SecurityAdmin"
+ ],
+ "networkManagerScopes": {
+ "subscriptions": [
+ "[format('/subscriptions/{0}', parameters('connectivitySubscriptionId'))]"
+ ],
+ "managementGroups": [
+ "[format('/providers/Microsoft.Management/managementGroups/{0}', parameters('topLevelManagementGroupPrefix'))]"
+ ]
+ }
+ },
+ "metadata": {
+ "description": "This is the Azure Virtual Network Manager which will be used to configure Security Admin Rules."
+ }
+ },
+ {
+ "type": "Microsoft.Network/networkManagers/networkGroups",
+ "apiVersion": "2022-09-01",
+ "name": "[format('{0}/{1}', format('avnm-{0}', parameters('location')), format('ng-{0}-static', parameters('location')))]",
+ "properties": {
+ "description": "Network Group - Static"
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Network/networkManagers', format('avnm-{0}', parameters('location')))]"
+ ],
+ "metadata": {
+ "description": "This is the static network group for the spoke VNETs, and hub when topology is mesh."
+ }
+ },
+ {
+ "type": "Microsoft.Network/networkManagers/networkGroups",
+ "apiVersion": "2022-09-01",
+ "name": "[format('{0}/{1}', format('avnm-{0}', parameters('location')), format('ng-{0}-dynamic', parameters('location')))]",
+ "properties": {
+ "description": "Network Group - Dynamic"
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Network/networkManagers', format('avnm-{0}', parameters('location')))]"
+ ],
+ "metadata": {
+ "description": "This is the dynamic network group for the spoke VNETs, and hub when topology is mesh."
+ }
+ }
+ ]
+ }
+ }
+ }
+ ]
+ }
+ }
+ }
+ ],
+ "outputs": {}
+}
\ No newline at end of file
From 6f73943c5e707eaa2bfd45b847f6d7dcfdab1aa5 Mon Sep 17 00:00:00 2001
From: Sacha Narinx
Date: Mon, 14 Oct 2024 14:47:23 +0400
Subject: [PATCH 034/226] .
---
 .../avnmConfiguration.json | 125 +-----------------
 1 file changed, 1 insertion(+), 124 deletions(-)
diff --git a/eslzArm/subscriptionTemplates/avnmConfiguration.json b/eslzArm/subscriptionTemplates/avnmConfiguration.json
index bdc498e408..6c4fa4b151 100644
--- a/eslzArm/subscriptionTemplates/avnmConfiguration.json
+++ b/eslzArm/subscriptionTemplates/avnmConfiguration.json
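Review bot: The deployment script's `scriptContent` uses `$mgmtGroupId` but declares no `param()` block, so the `-mgmtGroupId` value passed through `arguments` has nothing to bind to and the request URI will most likely carry an empty management-group segment; prefix the script with `param($mgmtGroupId)`. The role assignment for that identity is created inside the resource-group deployment with `guid(resourceGroup().id, …)`, so it is scoped to the resource group, while the script calls a management-group-scoped endpoint and the metadata claims a management-group role — the identity will not hold the permission where the call needs it, and `5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c` is, as far as I know, Management Group Contributor rather than Contributor, so the description is wrong either way. The `managementGroupScope` parameter declared at the top of the file is never used; the script is handed `topLevelManagementGroupPrefix` instead. The file name `avnmConfiguration copy.json` (with a space) reads as an accidental editor duplicate of `avnmConfiguration.json`; if it is meant to stay, give it a distinct name and remove what it duplicates so the two templates do not drift.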
@@ -73,128 +73,6 @@
 "name": "[variables('rgName')]",
 "properties": {}
 },
- {
- "type": "Microsoft.Resources/deployments",
- "apiVersion": "2019-10-01",
- "name": "[concat(variables('resourceDeploymentName'), '-id')]",
- "resourceGroup": "[variables('rgName')]",
- "dependsOn": [
- "[concat('Microsoft.Resources/resourceGroups/', variables('rgName'))]"
- ],
- "properties": {
- "mode": "Incremental",
- "template": {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {},
- "resources": [
- {
- "type": "Microsoft.ManagedIdentity/userAssignedIdentities",
- "apiVersion": "2022-01-31-preview",
- "name": "[format('uai-{0}', parameters('location'))]",
- "location": "[parameters('location')]",
- "metadata": {
- "description": "This user assigned identity is used by the Deployment Script resource to interact with Azure resources."
- }
- },
- {
- "type": "Microsoft.Authorization/roleAssignments",
- "apiVersion": "2022-04-01",
- "name": "[guid(resourceGroup().id, format('uai-{0}', parameters('location')))]",
- "properties": {
- "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c')]",
- "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-{0}', parameters('location'))), '2022-01-31-preview').principalId]",
- "principalType": "ServicePrincipal"
- },
- "dependsOn": [
- "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-{0}', parameters('location')))]"
- ],
- "metadata": {
- "description": "This role assignment grants the user assigned identity the Contributor role on the management group."
- }
- }
- ],
- "outputs": {
- "userAssignedIdentityId": {
- "type": "string",
- "value": "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-{0}', parameters('location')))]"
- }
- }
- }
- }
- },
- {
- "type": "Microsoft.Resources/deployments",
- "apiVersion": "2019-10-01",
- "name": "[concat(variables('resourceDeploymentName'), '-ds')]",
- "resourceGroup": "[variables('rgName')]",
- "dependsOn": [
- "[concat('Microsoft.Resources/resourceGroups/', variables('rgName'))]"
- ],
- "properties": {
- "mode": "Incremental",
- "expressionEvaluationOptions": {
- "scope": "inner"
- },
- "parameters": {
- "location": {
- "value": "[parameters('location')]"
- },
- "userAssignedIdentityId": {
- "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, variables('rgName')), 'Microsoft.Resources/deployments', concat(variables('resourceDeploymentName'), '-id')), '2022-09-01').outputs.userAssignedIdentityId.value]"
- },
- "deploymentScriptName": {
- "value": "[format('ds-{0}-mgScopeConfigs', parameters('location'))]"
- },
- "managementGroupScope": {
- "value": "[parameters('topLevelManagementGroupPrefix')]"
- }
- },
- "template": {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- "location": {
- "type": "string"
- },
- "userAssignedIdentityId": {
- "type": "string"
- },
- "deploymentScriptName": {
- "type": "string"
- },
- "managementGroupScope": {
- "type": "string"
- }
- },
- "resources": [
- {
- "type": "Microsoft.Resources/deploymentScripts",
- "apiVersion": "2020-10-01",
- "name": "[parameters('deploymentScriptName')]",
- "location": "[parameters('location')]",
- "kind": "AzurePowerShell",
- "identity": {
- "type": "UserAssigned",
- "userAssignedIdentities": {
- "[format('{0}', parameters('userAssignedIdentityId'))]": {}
- }
- },
- "properties": {
- "azPowerShellVersion": "8.3",
- "retentionInterval": "PT1H",
- "timeout": "PT1H",
- "arguments": "[format('-mgmtGroupId \"{0}\"', parameters('managementGroupScope'))]",
- "scriptContent": "Invoke-AzRestMethod -Method POST -Uri \"https://management.azure.com/providers/Microsoft.Management/managementGroups/$mgmtGroupId/providers/Microsoft.Network/register?api-version=2021-04-01\""
- },
- "metadata": {
- "description": "Create a Deployment Script resource to perform the commit/deployment of the Network Manager connectivity configuration."
- }
- }
- ]
- }
- }
- },
 {
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2019-10-01",
@@ -224,12 +102,11 @@
 "[format('/subscriptions/{0}', parameters('connectivitySubscriptionId'))]"
 ],
 "managementGroups": [
- "[format('/providers/Microsoft.Management/managementGroups/{0}', parameters('topLevelManagementGroupPrefix'))]"
 ]
 }
 },
 "metadata": {
- "description": "This is the Azure Virtual Network Manager which will be used to configure Security Admin Rules."
+ "description": "This is the Azure Virtual Network Manager which will be used to implement the connected group for spoke-to-spoke connectivity."
 }
 },
 {
From 14f5b0f4d11c96562328620abdd482fa5cf2fe09 Mon Sep 17 00:00:00 2001
From: Sacha Narinx
Date: Mon, 14 Oct 2024 15:24:18 +0400
Subject: [PATCH 035/226] .
---
 .../avnmConfiguration.json | 25 +++++++++++++++++++
 1 file changed, 25 insertions(+)
diff --git a/eslzArm/subscriptionTemplates/avnmConfiguration.json b/eslzArm/subscriptionTemplates/avnmConfiguration.json
index 6c4fa4b151..627617b02a 100644
--- a/eslzArm/subscriptionTemplates/avnmConfiguration.json
+++ b/eslzArm/subscriptionTemplates/avnmConfiguration.json
@@ -88,6 +88,31 @@
 "contentVersion": "1.0.0.0",
 "parameters": {},
 "resources": [
+ {
+ "type": "Microsoft.ManagedIdentity/userAssignedIdentities",
+ "apiVersion": "2022-01-31-preview",
+ "name": "[format('uai-{0}', parameters('location'))]",
+ "location": "[parameters('location')]",
+ "metadata": {
+ "description": "This user assigned identity is used by the Deployment Script resource to interact with Azure resources."
+ }
+ },
+ {
+ "type": "Microsoft.Authorization/roleAssignments",
+ "apiVersion": "2022-04-01",
+ "name": "[guid(resourceGroup().id, format('uai-{0}', parameters('location')))]",
+ "properties": {
+ "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c')]",
+ "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-{0}', parameters('location'))), '2022-01-31-preview').principalId]",
+ "principalType": "ServicePrincipal"
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-{0}', parameters('location')))]"
+ ],
+ "metadata": {
+ "description": "This role assignment grants the user assigned identity the Contributor role on the management group."
+ }
+ },
 {
 "type": "Microsoft.Network/networkManagers",
 "apiVersion": "2022-09-01",
From dae3cc11648f0c27354dda18456e0676ce878fa1 Mon Sep 17 00:00:00 2001
From: Sacha Narinx
Date: Mon, 14 Oct 2024 16:51:58 +0400
Subject: [PATCH 036/226] .
---
 eslzArm/subscriptionTemplates/avnmConfiguration.json | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/eslzArm/subscriptionTemplates/avnmConfiguration.json b/eslzArm/subscriptionTemplates/avnmConfiguration.json
index 627617b02a..339ad4345f 100644
--- a/eslzArm/subscriptionTemplates/avnmConfiguration.json
+++ b/eslzArm/subscriptionTemplates/avnmConfiguration.json
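Review bot: The user-assigned identity and its role assignment come back here with nothing that consumes the identity — the deployment script that used it was removed in the previous commit — so this is a standing role grant to an unused principal; the same block is re-added in the hunk of PATCH 048 and the point applies there too. The assignment is also created with `guid(resourceGroup().id, …)` inside a resource-group deployment, so its scope is the resource group, whereas the metadata says "on the management group", and `5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c` is, as far as I know, Management Group Contributor rather than Contributor, a role that has no effect at resource-group scope. Either leave both resources out until there is a consumer, or make the description state the consumer and the actual scope, e.g. `"description": "This role assignment grants the user assigned identity <role, TODO> at the scope of this resource group, for use by <consumer, TODO>."`.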
@@ -130,6 +130,9 @@
 ]
 }
 },
+ "dependsOn": [
+ "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-{0}', parameters('location')))]"
+ ],
 "metadata": {
 "description": "This is the Azure Virtual Network Manager which will be used to implement the connected group for spoke-to-spoke connectivity."
 }
From c0159580ff4301edb73155921c12d2d44723d3aa Mon Sep 17 00:00:00 2001
From: Sacha Narinx
Date: Mon, 14 Oct 2024 17:29:28 +0400
Subject: [PATCH 037/226] .
---
 eslzArm/subscriptionTemplates/avnmConfiguration.json | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/eslzArm/subscriptionTemplates/avnmConfiguration.json b/eslzArm/subscriptionTemplates/avnmConfiguration.json
index 339ad4345f..9c10fbee50 100644
--- a/eslzArm/subscriptionTemplates/avnmConfiguration.json
+++ b/eslzArm/subscriptionTemplates/avnmConfiguration.json
@@ -126,8 +126,7 @@
 "subscriptions": [
 "[format('/subscriptions/{0}', parameters('connectivitySubscriptionId'))]"
 ],
- "managementGroups": [
- ]
+ "managementGroups": []
 }
 },
 "dependsOn": [
From 326a53ae51b403f2b252e41108313cd970b20436 Mon Sep 17 00:00:00 2001
From: Sacha Narinx
Date: Mon, 14 Oct 2024 18:36:00 +0400
Subject: [PATCH 038/226] .
---
 eslzArm/subscriptionTemplates/avnmConfiguration.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/eslzArm/subscriptionTemplates/avnmConfiguration.json b/eslzArm/subscriptionTemplates/avnmConfiguration.json
index 9c10fbee50..f2710070ca 100644
--- a/eslzArm/subscriptionTemplates/avnmConfiguration.json
+++ b/eslzArm/subscriptionTemplates/avnmConfiguration.json
@@ -90,7 +90,7 @@
 "resources": [
 {
 "type": "Microsoft.ManagedIdentity/userAssignedIdentities",
- "apiVersion": "2022-01-31-preview",
+ "apiVersion": "2023-01-31",
 "name": "[format('uai-{0}', parameters('location'))]",
 "location": "[parameters('location')]",
 "metadata": {
From 2845314910978651daf52ee7fee660616b65408d Mon Sep 17 00:00:00 2001
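Review bot: The new `dependsOn` makes the networkManagers resource wait for the user-assigned identity, but nothing in the visible part of that resource references the identity, so the edge only serialises deployment and leaves the next reader guessing why it is there; the enclosing resource starts before this hunk. If the intent is to make sure the identity's role assignment exists before the manager is created, point the dependency at the roleAssignments resource, `"[resourceId('Microsoft.Authorization/roleAssignments', guid(resourceGroup().id, format('uai-{0}', parameters('location'))))]"`, and say so in the metadata description; otherwise the entry can go.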
From: Sacha Narinx
Date: Mon, 14 Oct 2024 20:45:13 +0400
Subject: [PATCH 039/226] .
---
 eslzArm/subscriptionTemplates/avnmConfiguration.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/eslzArm/subscriptionTemplates/avnmConfiguration.json b/eslzArm/subscriptionTemplates/avnmConfiguration.json
index f2710070ca..41de2efd64 100644
--- a/eslzArm/subscriptionTemplates/avnmConfiguration.json
+++ b/eslzArm/subscriptionTemplates/avnmConfiguration.json
@@ -103,7 +103,7 @@
 "name": "[guid(resourceGroup().id, format('uai-{0}', parameters('location')))]",
 "properties": {
 "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c')]",
- "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-{0}', parameters('location'))), '2022-01-31-preview').principalId]",
+ "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-{0}', parameters('location'))), '2023-01-31').principalId]",
 "principalType": "ServicePrincipal"
 },
 "dependsOn": [
From 60175db9bcc0e399a48c5a06394b2acdf4a2da57 Mon Sep 17 00:00:00 2001
From: Sacha Narinx
Date: Tue, 15 Oct 2024 08:11:24 +0400
Subject: [PATCH 040/226] .
---
 eslzArm/subscriptionTemplates/avnmConfiguration.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/eslzArm/subscriptionTemplates/avnmConfiguration.json b/eslzArm/subscriptionTemplates/avnmConfiguration.json
index 41de2efd64..213e0ccb58 100644
--- a/eslzArm/subscriptionTemplates/avnmConfiguration.json
+++ b/eslzArm/subscriptionTemplates/avnmConfiguration.json
@@ -103,7 +103,7 @@
 "name": "[guid(resourceGroup().id, format('uai-{0}', parameters('location')))]",
 "properties": {
 "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c')]",
- "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-{0}', parameters('location'))), '2023-01-31').principalId]",
+ "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-{0}', parameters('location')))).principalId]",
 "principalType": "ServicePrincipal"
 },
 "dependsOn": [
From 6688a8881a30d7314e708a51a023d23a554228cd Mon Sep 17 00:00:00 2001
From: Sacha Narinx
Date: Tue, 15 Oct 2024 09:39:04 +0400
Subject: [PATCH 041/226] .
---
 eslzArm/subscriptionTemplates/avnmConfiguration.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/eslzArm/subscriptionTemplates/avnmConfiguration.json b/eslzArm/subscriptionTemplates/avnmConfiguration.json
index 213e0ccb58..41de2efd64 100644
--- a/eslzArm/subscriptionTemplates/avnmConfiguration.json
+++ b/eslzArm/subscriptionTemplates/avnmConfiguration.json
@@ -103,7 +103,7 @@
 "name": "[guid(resourceGroup().id, format('uai-{0}', parameters('location')))]",
 "properties": {
 "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c')]",
- "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-{0}', parameters('location')))).principalId]",
+ "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-{0}', parameters('location'))), '2023-01-31').principalId]",
 "principalType": "ServicePrincipal"
 },
 "dependsOn": [
From 7d4f9b0bb7375f5d844156d9d7b7aee251720a88 Mon Sep 17 00:00:00 2001
From: Sacha Narinx
Date: Tue, 15 Oct 2024 12:47:22 +0400
Subject: [PATCH 042/226] .
---
 eslzArm/subscriptionTemplates/avnmConfiguration.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/eslzArm/subscriptionTemplates/avnmConfiguration.json b/eslzArm/subscriptionTemplates/avnmConfiguration.json
index 41de2efd64..097e93fc75 100644
--- a/eslzArm/subscriptionTemplates/avnmConfiguration.json
+++ b/eslzArm/subscriptionTemplates/avnmConfiguration.json
@@ -103,7 +103,7 @@
 "name": "[guid(resourceGroup().id, format('uai-{0}', parameters('location')))]",
 "properties": {
 "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c')]",
- "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-{0}', parameters('location'))), '2023-01-31').principalId]",
+ "principalId": "[reference(format('uai-{0}', parameters('location'))).principalId]",
 "principalType": "ServicePrincipal"
 },
 "dependsOn": [
From a1432718828a7903c1c5fe21b5bc24782d956d8e Mon Sep 17 00:00:00 2001
From: Sacha Narinx
Date: Tue, 15 Oct 2024 12:52:03 +0400
Subject: [PATCH 043/226] .
---
 eslzArm/subscriptionTemplates/avnmConfiguration.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/eslzArm/subscriptionTemplates/avnmConfiguration.json b/eslzArm/subscriptionTemplates/avnmConfiguration.json
index 097e93fc75..a9fea1b308 100644
--- a/eslzArm/subscriptionTemplates/avnmConfiguration.json
+++ b/eslzArm/subscriptionTemplates/avnmConfiguration.json
@@ -91,7 +91,7 @@
 {
 "type": "Microsoft.ManagedIdentity/userAssignedIdentities",
 "apiVersion": "2023-01-31",
- "name": "[format('uai-{0}', parameters('location'))]",
+ "name": "'uai-1'",
 "location": "[parameters('location')]",
 "metadata": {
 "description": "This user assigned identity is used by the Deployment Script resource to interact with Azure resources."
@@ -103,7 +103,7 @@
 "name": "[guid(resourceGroup().id, format('uai-{0}', parameters('location')))]",
 "properties": {
 "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c')]",
- "principalId": "[reference(format('uai-{0}', parameters('location'))).principalId]",
+ "principalId": "[reference('uai-1').principalId]",
 "principalType": "ServicePrincipal"
 },
 "dependsOn": [
From 9063b81fbfab01afb03db914d497c7b7ecb4f9a4 Mon Sep 17 00:00:00 2001
From: Sacha Narinx
Date: Tue, 15 Oct 2024 12:53:40 +0400
Subject: [PATCH 044/226] .
---
 eslzArm/subscriptionTemplates/avnmConfiguration.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/eslzArm/subscriptionTemplates/avnmConfiguration.json b/eslzArm/subscriptionTemplates/avnmConfiguration.json
index a9fea1b308..41de2efd64 100644
--- a/eslzArm/subscriptionTemplates/avnmConfiguration.json
+++ b/eslzArm/subscriptionTemplates/avnmConfiguration.json
@@ -91,7 +91,7 @@
 {
 "type": "Microsoft.ManagedIdentity/userAssignedIdentities",
 "apiVersion": "2023-01-31",
- "name": "'uai-1'",
+ "name": "[format('uai-{0}', parameters('location'))]",
 "location": "[parameters('location')]",
 "metadata": {
 "description": "This user assigned identity is used by the Deployment Script resource to interact with Azure resources."
@@ -103,7 +103,7 @@
 "name": "[guid(resourceGroup().id, format('uai-{0}', parameters('location')))]",
 "properties": {
 "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c')]",
- "principalId": "[reference('uai-1').principalId]",
+ "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-{0}', parameters('location'))), '2023-01-31').principalId]",
 "principalType": "ServicePrincipal"
 },
 "dependsOn": [
From 9dc501c29859197cac45dbcb90dc87d95fbdf776 Mon Sep 17 00:00:00 2001
From: Sacha Narinx
Date: Tue, 15 Oct 2024 12:59:29 +0400
Subject: [PATCH 045/226] .
---
 eslzArm/subscriptionTemplates/avnmConfiguration.json | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/eslzArm/subscriptionTemplates/avnmConfiguration.json b/eslzArm/subscriptionTemplates/avnmConfiguration.json
index 41de2efd64..0f3ef1530a 100644
--- a/eslzArm/subscriptionTemplates/avnmConfiguration.json
+++ b/eslzArm/subscriptionTemplates/avnmConfiguration.json
@@ -103,8 +103,7 @@
 "name": "[guid(resourceGroup().id, format('uai-{0}', parameters('location')))]",
 "properties": {
 "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c')]",
- "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-{0}', parameters('location'))), '2023-01-31').principalId]",
- "principalType": "ServicePrincipal"
+ "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-{0}', parameters('location'))), '2023-01-31').principalId]"
 },
 "dependsOn": [
 "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-{0}', parameters('location')))]"
From 235349ff3b5dbc83ea171029a68b5e345ebb99c1 Mon Sep 17 00:00:00 2001
From: Sacha Narinx
Date: Tue, 15 Oct 2024 13:49:53 +0400
Subject: [PATCH 046/226] Dropping apiVersion
---
 eslzArm/subscriptionTemplates/avnmConfiguration.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/eslzArm/subscriptionTemplates/avnmConfiguration.json b/eslzArm/subscriptionTemplates/avnmConfiguration.json
index 0f3ef1530a..b36e2af4bb 100644
--- a/eslzArm/subscriptionTemplates/avnmConfiguration.json
+++ b/eslzArm/subscriptionTemplates/avnmConfiguration.json
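Review bot: Removing `"principalType": "ServicePrincipal"` from the role assignment brings back the known race in which a role assignment for a managed identity created in the same deployment fails with a principal-not-found error because the new service principal has not yet replicated; setting `principalType` explicitly is the documented way to avoid it. Keep the property: `"principalType": "ServicePrincipal"`. The roleAssignments resource starts before this hunk, and the same assignment is re-added without the property in PATCH 048.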
@@ -90,7 +90,7 @@
 "resources": [
 {
 "type": "Microsoft.ManagedIdentity/userAssignedIdentities",
- "apiVersion": "2023-01-31",
+ "apiVersion": "2018-11-30",
 "name": "[format('uai-{0}', parameters('location'))]",
 "location": "[parameters('location')]",
 "metadata": {
@@ -99,11 +99,11 @@
 },
 {
 "type": "Microsoft.Authorization/roleAssignments",
- "apiVersion": "2022-04-01",
+ "apiVersion": "2018-09-01-preview",
 "name": "[guid(resourceGroup().id, format('uai-{0}', parameters('location')))]",
 "properties": {
 "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c')]",
- "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-{0}', parameters('location'))), '2023-01-31').principalId]"
+ "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-{0}', parameters('location'))), '2018-11-30').principalId]"
 },
 "dependsOn": [
 "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-{0}', parameters('location')))]"
From c03526297b0c110105a559f8b9631aec5e5b875b Mon Sep 17 00:00:00 2001
From: Sacha Narinx
Date: Tue, 15 Oct 2024 17:34:00 +0400
Subject: [PATCH 047/226] .
---
 .../subscriptionTemplates/avnmConfiguration.json | 15 ---------------
 1 file changed, 15 deletions(-)
diff --git a/eslzArm/subscriptionTemplates/avnmConfiguration.json b/eslzArm/subscriptionTemplates/avnmConfiguration.json
index b36e2af4bb..b497b31a65 100644
--- a/eslzArm/subscriptionTemplates/avnmConfiguration.json
+++ b/eslzArm/subscriptionTemplates/avnmConfiguration.json
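Review bot: The roleAssignments resource is moved from the GA `2022-04-01` API version to `2018-09-01-preview`, and the identity and its `reference()` call from `2023-01-31` to `2018-11-30`; pinning a preview API version in a long-lived template is fragile, and the subject "Dropping apiVersion" does not describe what the diff does, which is a downgrade. If the older versions work around a validation problem, record the reason where the next maintainer will see it, e.g. a metadata entry `"description": "apiVersion pinned to 2018-09-01-preview because <reason, TODO>"`; otherwise prefer the GA versions. Both resources continue past the end of their hunks.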
@@ -97,21 +97,6 @@
 "description": "This user assigned identity is used by the Deployment Script resource to interact with Azure resources."
 }
 },
- {
- "type": "Microsoft.Authorization/roleAssignments",
- "apiVersion": "2018-09-01-preview",
- "name": "[guid(resourceGroup().id, format('uai-{0}', parameters('location')))]",
- "properties": {
- "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c')]",
- "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-{0}', parameters('location'))), '2018-11-30').principalId]"
- },
- "dependsOn": [
- "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-{0}', parameters('location')))]"
- ],
- "metadata": {
- "description": "This role assignment grants the user assigned identity the Contributor role on the management group."
- }
- },
 {
 "type": "Microsoft.Network/networkManagers",
 "apiVersion": "2022-09-01",
From 7495803c74e327f07687b4d65f863aca27a1e453 Mon Sep 17 00:00:00 2001
From: Sacha Narinx
Date: Wed, 16 Oct 2024 14:18:09 +0400
Subject: [PATCH 048/226] .
---
 .../subscriptionTemplates/avnmConfiguration.json | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/eslzArm/subscriptionTemplates/avnmConfiguration.json b/eslzArm/subscriptionTemplates/avnmConfiguration.json
index b497b31a65..b36e2af4bb 100644
--- a/eslzArm/subscriptionTemplates/avnmConfiguration.json
+++ b/eslzArm/subscriptionTemplates/avnmConfiguration.json
@@ -97,6 +97,21 @@
 "description": "This user assigned identity is used by the Deployment Script resource to interact with Azure resources."
 }
 },
+ {
+ "type": "Microsoft.Authorization/roleAssignments",
+ "apiVersion": "2018-09-01-preview",
+ "name": "[guid(resourceGroup().id, format('uai-{0}', parameters('location')))]",
+ "properties": {
+ "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c')]",
+ "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-{0}', parameters('location'))), '2018-11-30').principalId]"
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-{0}', parameters('location')))]"
+ ],
+ "metadata": {
+ "description": "This role assignment grants the user assigned identity the Contributor role on the management group."
+ }
+ },
 {
 "type": "Microsoft.Network/networkManagers",
 "apiVersion": "2022-09-01",
From 7928989c6ded5b055cc2c52100b85a3ba7e0bda3 Mon Sep 17 00:00:00 2001
From: Sacha Narinx
Date: Wed, 16 Oct 2024 15:29:42 +0400
Subject: [PATCH 049/226] .
---
 .../avnmConfiguration.json | 36 ++++++++++++++++++-
 1 file changed, 35 insertions(+), 1 deletion(-)
diff --git a/eslzArm/subscriptionTemplates/avnmConfiguration.json b/eslzArm/subscriptionTemplates/avnmConfiguration.json
index b36e2af4bb..d8c8aa44f8 100644
--- a/eslzArm/subscriptionTemplates/avnmConfiguration.json
+++ b/eslzArm/subscriptionTemplates/avnmConfiguration.json
@@ -61,10 +61,44 @@ "subscriptionId": "[parameters('connectivitySubscriptionId')]", "properties": { "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "location": { + "value": "[parameters('location')]" + }, + "connectivitySubscriptionId": { + "value": "[parameters('connectivitySubscriptionId')]" + } + }, + "variables": { + "rgname": { + "value": "[variables('rgName')]" + }, + "resourceDeploymentName": { + "value": "[variables('resourceDeploymentName')]" + } + }, "template": { "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", "contentVersion": "1.0.0.0", - "parameters": {}, + "parameters": { + "location": { + "type": "string" + }, + "connectivitySubscriptionId": { + "type": "string" + } + }, + "variables": { + "rgName": { + "type": "string" + }, + "resourceDeploymentName": { + "type": "string" + } + }, "resources": [ { "type": "Microsoft.Resources/resourceGroups", From fc72d1b9467a1b1f5a352d07d545f22835bc28d4 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Wed, 16 Oct 2024 15:36:17 +0400 Subject: [PATCH 050/226] . --- .../avnmConfiguration.json | 55 +++++++------------ 1 file changed, 19 insertions(+), 36 deletions(-) diff --git a/eslzArm/subscriptionTemplates/avnmConfiguration.json b/eslzArm/subscriptionTemplates/avnmConfiguration.json index d8c8aa44f8..8c87eedb2b 100644 --- a/eslzArm/subscriptionTemplates/avnmConfiguration.json +++ b/eslzArm/subscriptionTemplates/avnmConfiguration.json 
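Review bot: The `variables` object added under the deployment's `properties` (next to `parameters`) is not a property that `Microsoft.Resources/deployments` accepts, and an inner-scoped nested template cannot receive values that way; `rgName` and `resourceDeploymentName` have to be passed under `parameters` and declared in the inner template's `parameters`. The inner template's `"variables": { "rgName": { "type": "string" } }` likewise defines `rgName` as the object literal `{"type":"string"}`, so `variables('rgName')` inside it would not evaluate to a name. The key casing also differs between the two sides (`rgname` versus `rgName`). This layout is moved in PATCH 050 and 052 and stripped in PATCH 057, so the series converges, but the intermediate commits do not deploy as written.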
@@ -61,44 +61,9 @@ "subscriptionId": "[parameters('connectivitySubscriptionId')]", "properties": { "mode": "Incremental", - "expressionEvaluationOptions": { - "scope": "inner" - }, - "parameters": { - "location": { - "value": "[parameters('location')]" - }, - "connectivitySubscriptionId": { - "value": "[parameters('connectivitySubscriptionId')]" - } - }, - "variables": { - "rgname": { - "value": "[variables('rgName')]" - }, - "resourceDeploymentName": { - "value": "[variables('resourceDeploymentName')]" - } - }, "template": { "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", "contentVersion": "1.0.0.0", - "parameters": { - "location": { - "type": "string" - }, - "connectivitySubscriptionId": { - "type": "string" - } - }, - "variables": { - "rgName": { - "type": "string" - }, - "resourceDeploymentName": { - "type": "string" - } - }, "resources": [ { "type": "Microsoft.Resources/resourceGroups", @@ -117,10 +82,28 @@ ], "properties": { "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "location": { + "value": "[parameters('location')]" + }, + "connectivitySubscriptionId": { + "value": "[parameters('connectivitySubscriptionId')]" + } + }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", - "parameters": {}, + "parameters": { + "location": { + "type": "string" + }, + "connectivitySubscriptionId": { + "type": "string" + } + }, "resources": [ { "type": "Microsoft.ManagedIdentity/userAssignedIdentities", From 934df7ffbd465c924e69545316ce12d8d80517f2 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Wed, 16 Oct 2024 15:37:55 +0400 Subject: [PATCH 051/226] . --- eslzArm/subscriptionTemplates/avnmConfiguration.json | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/eslzArm/subscriptionTemplates/avnmConfiguration.json b/eslzArm/subscriptionTemplates/avnmConfiguration.json index 8c87eedb2b..129b69ed5e 100644 --- a/eslzArm/subscriptionTemplates/avnmConfiguration.json +++ b/eslzArm/subscriptionTemplates/avnmConfiguration.json @@ -107,7 +107,7 @@ "resources": [ { "type": "Microsoft.ManagedIdentity/userAssignedIdentities", - "apiVersion": "2018-11-30", + "apiVersion": "2023-01-31", "name": "[format('uai-{0}', parameters('location'))]", "location": "[parameters('location')]", "metadata": { @@ -116,11 +116,11 @@ }, { "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2018-09-01-preview", + "apiVersion": "2022-04-01", "name": "[guid(resourceGroup().id, format('uai-{0}', parameters('location')))]", "properties": { "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c')]", - "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-{0}', parameters('location'))), '2018-11-30').principalId]" + "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-{0}', parameters('location'))), '2023-01-31').principalId]" }, "dependsOn": [ "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-{0}', parameters('location')))]" From cff9ccd259f37dcd2275809a74a920ba7c37e544 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Wed, 16 Oct 2024 17:45:32 +0400 Subject: [PATCH 052/226] . --- .../avnmConfiguration.json | 33 ++++++++++++------- 1 file changed, 22 insertions(+), 11 deletions(-) diff --git a/eslzArm/subscriptionTemplates/avnmConfiguration.json b/eslzArm/subscriptionTemplates/avnmConfiguration.json index 129b69ed5e..9f2fd4208e 100644 --- a/eslzArm/subscriptionTemplates/avnmConfiguration.json +++ b/eslzArm/subscriptionTemplates/avnmConfiguration.json 
@@ -82,17 +82,22 @@ ], "properties": { "mode": "Incremental", - "expressionEvaluationOptions": { - "scope": "inner" - }, - "parameters": { - "location": { - "value": "[parameters('location')]" - }, - "connectivitySubscriptionId": { - "value": "[parameters('connectivitySubscriptionId')]" - } + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "location": { + "value": "[parameters('location')]" }, + "connectivitySubscriptionId": { + "value": "[parameters('connectivitySubscriptionId')]" + } + }, + "variables": { + "rgName": { + "value": "[variables('rgName')]" + } + }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", @@ -104,6 +109,11 @@ "type": "string" } }, + "variables": { + "rgName": { + "type": "string" + } + }, "resources": [ { "type": "Microsoft.ManagedIdentity/userAssignedIdentities", @@ -120,7 +130,8 @@ "name": "[guid(resourceGroup().id, format('uai-{0}', parameters('location')))]", "properties": { "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c')]", - "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-{0}', parameters('location'))), '2023-01-31').principalId]" + "principalId": "[reference(resourceId(parameters('connectivitySubscriptionId'), variables('rgName'),'Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-{0}', parameters('location'))), '2023-01-31').principalId]", + "principalType": "ServicePrincipal" }, "dependsOn": [ "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-{0}', parameters('location')))]" From ff854a4cb2ad0732f853da4f880a73704fef9fae Mon Sep 17 00:00:00 2001 
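Review bot: In the third hunk the `principalId` reference is rewritten to `resourceId(parameters('connectivitySubscriptionId'), variables('rgName'), ...)`, but the second hunk declares `rgName` in the inner template as the object `{ "type": "string" }`, so the expression does not yield a resource-group name; since the identity is created in the same resource-group deployment, the two-argument form still used in `dependsOn`, `"[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-{0}', parameters('location'))), '2023-01-31').principalId]"`, already resolved correctly and can be kept. The `variables` block added under the deployment's `properties` in the first hunk is not an accepted deployment property either, so the value would not reach the inner template in any case. Adding `"principalType": "ServicePrincipal"` is the right change for an identity created in the same template. PATCH 055 re-adds this role-assignment block verbatim and inherits the same issues.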
From: Sacha Narinx Date: Wed, 16 Oct 2024 18:51:59 +0400 Subject: [PATCH 053/226] . --- eslzArm/prerequisites/ds-prereqs.ps1 | 10 ++++++++++ 1 file changed, 10 insertions(+) create mode 100644 eslzArm/prerequisites/ds-prereqs.ps1 diff --git a/eslzArm/prerequisites/ds-prereqs.ps1 b/eslzArm/prerequisites/ds-prereqs.ps1 new file mode 100644 index 0000000000..e0a989c040 --- /dev/null +++ b/eslzArm/prerequisites/ds-prereqs.ps1 @@ -0,0 +1,10 @@ +# Parameter help description +param( + [Parameter(Mandatory=$true, HelpMessage="Enter the ESLZ root name.")] + [string] + $eslzRootName + +) + +# Register Microsoft.Network resource provider with eslzRoot +Invoke-AzRestMethod -Method POST -Uri "https://management.azure.com/providers/Microsoft.Management/managementGroups/$eslzRootName/providers/Microsoft.Network/register?api-version=2021-04-01" \ No newline at end of file From 9f88db3e1fbc4768df9ffed83a2a13e114e43019 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Thu, 17 Oct 2024 10:58:14 +0400 Subject: [PATCH 054/226] . --- .../subscriptionTemplates/avnmConfiguration.json | 16 ---------------- 1 file changed, 16 deletions(-) diff --git a/eslzArm/subscriptionTemplates/avnmConfiguration.json b/eslzArm/subscriptionTemplates/avnmConfiguration.json index 9f2fd4208e..f2c71ea2d4 100644 --- a/eslzArm/subscriptionTemplates/avnmConfiguration.json +++ b/eslzArm/subscriptionTemplates/avnmConfiguration.json 
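Review bot: `Invoke-AzRestMethod` returns the HTTP response rather than throwing on a 4xx/5xx, so this script reports success even when the register call is rejected (for example when the caller lacks rights on the management group); capture and check the result, e.g. `$result = Invoke-AzRestMethod -Method POST -Uri $uri` followed by `if ($result.StatusCode -ge 300) { throw "Provider registration failed: $($result.StatusCode) $($result.Content)" }`. `$eslzRootName` is also spliced into the URI path unescaped; building the path with `[uri]::EscapeDataString($eslzRootName)` keeps an unexpected character in the prefix from changing which resource the request addresses. The same unchecked call is embedded inline in `deployPrerequisites.json` in PATCH 060.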
@@ -124,22 +124,6 @@ "description": "This user assigned identity is used by the Deployment Script resource to interact with Azure resources." } }, - { - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "name": "[guid(resourceGroup().id, format('uai-{0}', parameters('location')))]", - "properties": { - "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c')]", - "principalId": "[reference(resourceId(parameters('connectivitySubscriptionId'), variables('rgName'),'Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-{0}', parameters('location'))), '2023-01-31').principalId]", - "principalType": "ServicePrincipal" - }, - "dependsOn": [ - "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-{0}', parameters('location')))]" - ], - "metadata": { - "description": "This role assignment grants the user assigned identity the Contributor role on the management group." - } - }, { "type": "Microsoft.Network/networkManagers", "apiVersion": "2022-09-01", From c68c1d5565bc95fc173f09b10c0dc2f22a37f141 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Thu, 17 Oct 2024 11:18:55 +0400 Subject: [PATCH 055/226] . --- .../subscriptionTemplates/avnmConfiguration.json | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/eslzArm/subscriptionTemplates/avnmConfiguration.json b/eslzArm/subscriptionTemplates/avnmConfiguration.json index f2c71ea2d4..9f2fd4208e 100644 --- a/eslzArm/subscriptionTemplates/avnmConfiguration.json +++ b/eslzArm/subscriptionTemplates/avnmConfiguration.json 
@@ -124,6 +124,22 @@ "description": "This user assigned identity is used by the Deployment Script resource to interact with Azure resources." } }, + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "name": "[guid(resourceGroup().id, format('uai-{0}', parameters('location')))]", + "properties": { + "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c')]", + "principalId": "[reference(resourceId(parameters('connectivitySubscriptionId'), variables('rgName'),'Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-{0}', parameters('location'))), '2023-01-31').principalId]", + "principalType": "ServicePrincipal" + }, + "dependsOn": [ + "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-{0}', parameters('location')))]" + ], + "metadata": { + "description": "This role assignment grants the user assigned identity the Contributor role on the management group." + } + }, { "type": "Microsoft.Network/networkManagers", "apiVersion": "2022-09-01", From a762b52db6c3a8acae17529c74db521b7510d2fb Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Thu, 17 Oct 2024 18:07:58 +0400 Subject: [PATCH 056/226] . NOT WORKING --- .../avnmConfiguration.json | 60 +++++++++++++++++++ 1 file changed, 60 insertions(+) diff --git a/eslzArm/subscriptionTemplates/avnmConfiguration.json b/eslzArm/subscriptionTemplates/avnmConfiguration.json index 9f2fd4208e..6fc6a6cbc1 100644 --- a/eslzArm/subscriptionTemplates/avnmConfiguration.json +++ b/eslzArm/subscriptionTemplates/avnmConfiguration.json 
@@ -190,6 +190,66 @@ "metadata": { "description": "This is the dynamic network group for the spoke VNETs, and hub when topology is mesh." } + }, + { + "type": "Microsoft.Network/networkManagers/securityAdminConfigurations", + "apiVersion": "2023-11-01", + "name": "[format('{0}/{1}', format('avnm-{0}', parameters('location')), format('sac-{0}', parameters('location')))]", + "dependsOn": [ + "[resourceId('Microsoft.Network/networkManagers', format('avnm-{0}', parameters('location')))]" + ], + "properties": { + "applyOnNetworkIntentPolicyBasedServices": [ "None" ], + "description": "ALZ Security Admin Configuration" + } + }, + { + "type": "Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections", + "apiVersion": "2022-09-01", + "name": "[format('{0}/{1}/{2}', format('avnm-{0}', parameters('location')), format('sac-{0}', parameters('location')), 'rc-ALZ')]", + "dependsOn": [ + "[resourceId('Microsoft.Network/networkManagers/securityAdminConfigurations', format('avnm-{0}', parameters('location')), format('sac-{0}', parameters('location')))]" + ], + "properties": { + "appliesToGroups": [ + { + "networkGroupId": "[resourceId('Microsoft.Network/networkManagers/networkGroups', format('avnm-{0}', parameters('location')), format('ng-{0}-static', parameters('location')))]" + } + ] + } + }, + { + "type": "Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections/rules", + "apiVersion": "2023-11-01", + "name": "[format('{0}/{1}/{2}/{3}', format('avnm-{0}', parameters('location')), format('sac-{0}', parameters('location')), 'rc-ALZ', 'DenyDangerousInbound')]", + "dependsOn": [ + "[resourceId('Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections', format('avnm-{0}', parameters('location')), format('sac-{0}', parameters('location')), 'rc-ALZ')]" + ], + "kind": "Custom", + "properties": { + "description": "Deny dangerous VM inbound traffic", + "priority": 500, + "source": { + "addressPrefixes": [ + "*" + ] + }, + 
"destination": { + "addressPrefixes": [ + "*" + ] + }, + "destinationPortRanges": [ + "22", + "3389" + ], + "protocols": [ + "TCP", + "UDP" + ], + "direction": "Inbound", + "access": "Deny" + } } ] } From acfb38c1e0e92b708adfd6a1b0701e6e528432c5 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Thu, 17 Oct 2024 18:08:52 +0400 Subject: [PATCH 057/226] Stripping all UAI bits --- .../avnmConfiguration.json | 35 ------------------- 1 file changed, 35 deletions(-) diff --git a/eslzArm/subscriptionTemplates/avnmConfiguration.json b/eslzArm/subscriptionTemplates/avnmConfiguration.json index 6fc6a6cbc1..aebe507cb3 100644 --- a/eslzArm/subscriptionTemplates/avnmConfiguration.json +++ b/eslzArm/subscriptionTemplates/avnmConfiguration.json @@ -93,11 +93,6 @@ "value": "[parameters('connectivitySubscriptionId')]" } }, - "variables": { - "rgName": { - "value": "[variables('rgName')]" - } - }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", 
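Review bot: The rule body under `DenyDangerousInbound` uses `source`/`destination` objects with `addressPrefixes` and a `protocols` array, which as far as I know is not the shape the `securityAdminConfigurations/ruleCollections/rules` resource expects (it takes `sources` and `destinations` arrays of `{ "addressPrefixType", "addressPrefix" }` entries and a single `protocol` string), which would explain the "NOT WORKING" in the subject; validating the body against the `2023-11-01` schema before relying on the deny is worthwhile, and keeping UDP covered needs either `"protocol": "Any"` or a second rule. The rule collection's `appliesToGroups` references only `ng-{location}-static`, while the context line above describes a dynamic network group for the spoke VNETs, so spokes admitted through the dynamic group would not be covered when membership is dynamic. A security admin configuration also has no effect until it is committed to the target regions, and this hunk contains no commit step, so as deployed the deny rule is inert. The three nested resources mix api versions (`2023-11-01`, `2022-09-01`, `2023-11-01`); pinning them to one version avoids schema drift between parent and child.
```json
"properties": {
  "description": "Deny dangerous VM inbound traffic",
  "priority": 500,
  "sources": [
    { "addressPrefixType": "IPPrefix", "addressPrefix": "*" }
  ],
  "destinations": [
    { "addressPrefixType": "IPPrefix", "addressPrefix": "*" }
  ],
  "destinationPortRanges": [ "22", "3389" ],
  "protocol": "Tcp",
  "direction": "Inbound",
  "access": "Deny"
}
// … unchanged: securityAdminConfigurations and ruleCollections resources above …
```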
@@ -109,37 +104,7 @@ "type": "string" } }, - "variables": { - "rgName": { - "type": "string" - } - }, "resources": [ - { - "type": "Microsoft.ManagedIdentity/userAssignedIdentities", - "apiVersion": "2023-01-31", - "name": "[format('uai-{0}', parameters('location'))]", - "location": "[parameters('location')]", - "metadata": { - "description": "This user assigned identity is used by the Deployment Script resource to interact with Azure resources." - } - }, - { - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "name": "[guid(resourceGroup().id, format('uai-{0}', parameters('location')))]", - "properties": { - "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c')]", - "principalId": "[reference(resourceId(parameters('connectivitySubscriptionId'), variables('rgName'),'Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-{0}', parameters('location'))), '2023-01-31').principalId]", - "principalType": "ServicePrincipal" - }, - "dependsOn": [ - "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-{0}', parameters('location')))]" - ], - "metadata": { - "description": "This role assignment grants the user assigned identity the Contributor role on the management group." - } - }, { "type": "Microsoft.Network/networkManagers", "apiVersion": "2022-09-01", From daff2f39100b35993e366ce765ccab1da07e25f9 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Thu, 17 Oct 2024 18:24:24 +0400 Subject: [PATCH 058/226] . --- eslzArm/subscriptionTemplates/avnmConfiguration.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/eslzArm/subscriptionTemplates/avnmConfiguration.json b/eslzArm/subscriptionTemplates/avnmConfiguration.json index aebe507cb3..a4754ef851 100644 --- a/eslzArm/subscriptionTemplates/avnmConfiguration.json +++ b/eslzArm/subscriptionTemplates/avnmConfiguration.json 
@@ -122,7 +122,7 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-{0}', parameters('location')))]" + ], "metadata": { "description": "This is the Azure Virtual Network Manager which will be used to implement the connected group for spoke-to-spoke connectivity." From a7ba7676f7f0905c2b7ee3a01cc3180c292aa66a Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Tue, 5 Nov 2024 12:47:48 +0400 Subject: [PATCH 059/226] . --- eslzArm/subscriptionTemplates/avnmConfiguration.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/eslzArm/subscriptionTemplates/avnmConfiguration.json b/eslzArm/subscriptionTemplates/avnmConfiguration.json index a4754ef851..b2f0735471 100644 --- a/eslzArm/subscriptionTemplates/avnmConfiguration.json +++ b/eslzArm/subscriptionTemplates/avnmConfiguration.json @@ -47,7 +47,7 @@ } }, "variables": { - "rgName": "[concat(parameters('topLevelManagementGroupPrefix'), '-avnm-', parameters('location'))]", + "rgName": "[concat(parameters('topLevelManagementGroupPrefix'), '-avnm')]", "resourceDeploymentName": "[take(concat(deployment().name, '-avnm', parameters('location')), 64)]" }, "resources": [ From bb02449e1ac18ebfe09333e6ca93b3460c70c8ab Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Wed, 13 Nov 2024 17:06:44 +0400 Subject: [PATCH 060/226] . --- .../prerequisites/deployPrerequisites.json | 182 ++++++++++++++++++ eslzArm/prerequisites/ds-prereqs.ps1 | 5 +- eslzArm/prerequisites/dsSleep.json | 30 +++ 3 files changed, 216 insertions(+), 1 deletion(-) create mode 100644 eslzArm/prerequisites/deployPrerequisites.json create mode 100644 eslzArm/prerequisites/dsSleep.json diff --git a/eslzArm/prerequisites/deployPrerequisites.json b/eslzArm/prerequisites/deployPrerequisites.json new file mode 100644 index 0000000000..e936e9e745 --- /dev/null +++ b/eslzArm/prerequisites/deployPrerequisites.json 
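Review bot: Removing the identity dependency leaves `"dependsOn": [ ]` with a whitespace-only line inside the array; an empty `dependsOn` is harmless to ARM but is noise for the next reader, so the property should be deleted together with its last entry rather than emptied. The enclosing `networkManagers` resource starts outside the hunk.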
@@ -0,0 +1,182 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceGroupName": { + "type": "string", + "defaultValue": "rg-alz-prereqs", + "metadata": { + "description": "The resource group name where the AVNM and VNET resources will be created" + } + }, + "location": { + "type": "string", + "minLength": 6, + "metadata": { + "description": "The location of this regional hub. All resources will be deployed to this region." + } + }, + "eslzRootName": { + "type": "string", + "metadata": { + "description": "The name of the Enterprise Scale Landing Zone root resource." + } + } + }, + "resources": [ + { + "type": "Microsoft.Resources/resourceGroups", + "apiVersion": "2022-09-01", + "name": "[parameters('resourceGroupName')]", + "location": "[parameters('location')]" + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "alz-prequisites-identity", + "resourceGroup": "[parameters('resourceGroupName')]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "location": { + "value": "[parameters('location')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.ManagedIdentity/userAssignedIdentities", + "apiVersion": "2022-01-31-preview", + "name": "[format('uai-prereq-{0}', parameters('location'))]", + "location": "[parameters('location')]", + "metadata": { + "description": "This user assigned identity is used by the Deployment Script resource to interact with Azure resources." 
+ } + }, + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "name": "[guid(resourceGroup().id, format('uai-prereq-{0}', parameters('location')))]", + "properties": { + "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-prereq-{0}', parameters('location'))), '2022-01-31-preview').principalId]", + "principalType": "ServicePrincipal" + }, + "dependsOn": [ + "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-prereq-{0}', parameters('location')))]" + ], + "metadata": { + "description": "This role assignment grants the user assigned identity the Contributor role on the resource group." + } + } + ], + "outputs": { + "userAssignedIdentityId": { + "type": "string", + "value": "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-prereq-{0}', parameters('location')))]" + } + } + } + }, + "dependsOn": [ + "[subscriptionResourceId('Microsoft.Resources/resourceGroups', parameters('resourceGroupName'))]" + ] + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('ds-{0}-prereqs', parameters('location'))]", + "resourceGroup": "[parameters('resourceGroupName')]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "location": { + "value": "[parameters('location')]" + }, + "userAssignedIdentityId": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('resourceGroupName')), 'Microsoft.Resources/deployments', 'alz-prequisites-identity'), '2022-09-01').outputs.userAssignedIdentityId.value]" + }, + "eslzRootName": { + "value": "[parameters('eslzRootName')]" + } + }, + "template": { + "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string" + }, + "eslzRootName":{ + "type": "string" + }, + "userAssignedIdentityId": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.Resources/deploymentScripts", + "apiVersion": "2020-10-01", + "name": "alz-deploymentscript", + "location": "[parameters('location')]", + "kind": "AzurePowerShell", + "identity": { + "type": "UserAssigned", + "userAssignedIdentities": { + "[format('{0}', parameters('userAssignedIdentityId'))]": {} + } + }, + "properties": { + "azPowerShellVersion": "12.3", + "retentionInterval": "PT1H", + "timeout": "PT1H", + "arguments": "[format('-eslzRootName \"{0}\"', parameters('eslzRootName'))]", + "scriptContent": " + param( + [Parameter(Mandatory=$true, HelpMessage=\"Enter the ESLZ root name.\")] + [string] + $eslzRootName + ) + + $result = Invoke-AzRestMethod -Method POST -Uri \"https://management.azure.com/providers/Microsoft.Management/managementGroups/$eslzRootName/providers/Microsoft.Network/register?api-version=2021-04-01\" + Write-Output $result + $DeploymentScriptOutputs = @{} + $DeploymentScriptOutputs['text'] = $result.StatusCode + " + }, + "metadata": { + "description": "Create a Deployment Script resource to perform the prequisites." + } + } + ], + "outputs": { + "result": { + "value": "[reference('alz-deploymentscript').outputs.text]", + "type": "string" + } + } + } + }, + "dependsOn": [ + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('resourceGroupName')), 'Microsoft.Resources/deployments', 'alz-prequisites-identity')]", + "[subscriptionResourceId('Microsoft.Resources/resourceGroups', parameters('resourceGroupName'))]" + ] + } + ], + "outputs": {} +} \ No newline at end of file 
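Review bot: The identity is granted Contributor (`b24988ac-6180-42a0-ab88-20f7382dd24c`) on `rg-alz-prereqs`, which the deployment-script resources need, but the POST in `scriptContent` targets `Microsoft.Management/managementGroups/{eslzRootName}` and nothing in this template grants a right at that scope, so as far as I can tell the call relies on permissions inherited from outside the template; the `metadata.description` of the role assignment or the script resource should state that requirement. The inline script also stops at `Write-Output $result`, and `Invoke-AzRestMethod` does not throw on a 4xx/5xx, so a rejected registration leaves this step green and the problem surfaces later in the AVNM deployment; the status check proposed for PATCH 053's `ds-prereqs.ps1`, `if ($result.StatusCode -ge 300) { throw \"Provider registration failed: $($result.StatusCode)\" }` (quotes escaped as the surrounding JSON string requires), applies to this copy too. `$eslzRootName` is interpolated into both the `arguments` string and the URI path unescaped; `[uri]::EscapeDataString($eslzRootName)` in the URI keeps an unexpected character in the prefix from altering the request path.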
diff --git a/eslzArm/prerequisites/ds-prereqs.ps1 b/eslzArm/prerequisites/ds-prereqs.ps1 index e0a989c040..eba06b83ec 100644 --- a/eslzArm/prerequisites/ds-prereqs.ps1 +++ b/eslzArm/prerequisites/ds-prereqs.ps1 @@ -1,9 +1,12 @@ +<# + Script to deploy pre-requisites needed for the deployment of the Azure Landing Zone +#> + # Parameter help description param( [Parameter(Mandatory=$true, HelpMessage="Enter the ESLZ root name.")] [string] $eslzRootName - ) # Register Microsoft.Network resource provider with eslzRoot diff --git a/eslzArm/prerequisites/dsSleep.json b/eslzArm/prerequisites/dsSleep.json new file mode 100644 index 0000000000..4aee02dba9 --- /dev/null +++ b/eslzArm/prerequisites/dsSleep.json @@ -0,0 +1,30 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "utcNow": { + "type": "string", + "defaultValue": "[utcNow()]" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Resources/deploymentScripts", + "apiVersion": "2020-10-01", + "name": "alz-sleep", + "location": "uksouth", + "kind": "AzurePowerShell", + "properties": { + "forceUpdateTag": "[parameters('utcNow')]", + "azPowerShellVersion": "12.3", + "timeout": "PT1H", + "arguments": "", + "scriptContent": " Write-Output Sleeping for: 30 minutes ....\n Start-Sleep -Duration (New-TimeSpan -Minutes 15) \n Write-Output Sleep over - resuming ....\n ", + "cleanupPreference": "OnSuccess", + "retentionInterval": "P1D" + } + } + ], + "outputs": {} +} \ No newline at end of file From b402ffe407dddb5a7bbeab3f6da20a33b4c10cca Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Wed, 13 Nov 2024 17:31:13 +0400 Subject: [PATCH 061/226] . --- eslzArm/eslzArm.json | 32 +++++++++++++++++++++++++++++++- 1 file changed, 31 insertions(+), 1 deletion(-) diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json index 2fdafadec9..26300779ec 100644 --- a/eslzArm/eslzArm.json +++ b/eslzArm/eslzArm.json 
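Review bot: In the `dsSleep.json` hunk the script logs `Sleeping for: 30 minutes` while `Start-Sleep` waits for `New-TimeSpan -Minutes 15`, so the log misstates the delay; derive both from one value, e.g. `$minutes = 15`, `Write-Output \"Sleeping for: $minutes minutes ...\"`, `Start-Sleep -Duration (New-TimeSpan -Minutes $minutes)`. PATCH 062 raises the sleep to 20 minutes and leaves the message at 30, so the mismatch persists there. The deployment script also hard-codes `"location": "uksouth"` while every other template in this series takes `location` as a parameter, and with `forceUpdateTag` set to `utcNow()` the wait re-runs on every deployment, which is presumably intended but deserves a `metadata.description` saying what the wait is for.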
@@ -1697,6 +1697,7 @@ "roleDefinitions": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/roleDefinitions/customRoleDefinitions.json')]", "policyDefinitions": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyDefinitions/policies.json')]", "initiativeDefinitions": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyDefinitions/initiatives.json')]", + "preRequisites": "[uri(deployment().properties.templateLink.uri, 'prerequisites/deployPrerequisites.json')]", "avnmConnectivityHub": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/avnmConfiguration.json')]", "vnetConnectivityHub": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/hubspoke-connectivity.json')]", "vwanConnectivityHub": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/vwan-connectivity.json')]", @@ -2454,6 +2455,33 @@ } } }, + { + // ALZ Pre-Requisites + "condition": "[not(empty(parameters('managementSubscriptionId')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "alz-prerequisites", + "subscriptionId": "[parameters('managementSubscriptionId')]", + "location": "[deployment().location]", + "dependsOn": [ + "[variables('deploymentNames').initiativeDeploymentName]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').preRequisites]" + }, + "parameters": { + "location": { + "value": "[deployment().location]" + }, + "eslzRootGroup": { + "value": "[parameters('enterpriseScaleCompanyPrefix')]" + } + } + } + }, /* The following deployments will organize the dedicated platform subscriptions into their respective management groups */ @@ -2538,6 +2566,7 @@ } } }, + /* The following deployments will optionally configure the governance, security, and monitoring for the Azure platform and landing zones */ 
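Review bot: In the second hunk the new `alz-prerequisites` deployment passes a parameter named `eslzRootGroup`, but the linked template `prerequisites/deployPrerequisites.json` added in PATCH 060 declares `eslzRootName` and no `eslzRootGroup`, so this deployment fails parameter validation as committed; PATCH 062 renames it, but the rename belongs with this hunk. The `// ALZ Pre-Requisites` comment could say what the step does and why it is gated on `managementSubscriptionId`, e.g. `// Registers Microsoft.Network on the root management group through a deployment script; runs in the management subscription`.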
@@ -5200,7 +5229,8 @@ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').asbPolicyDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]", - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosDeploymentName)]" + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosDeploymentName)]", + "alz-prerequisites" ], "location": "[deployment().location]", "properties": { From 143240e8a9b5351d24d8d4fe8a2e2fdd5bc3677d Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Wed, 13 Nov 2024 17:42:47 +0400 Subject: [PATCH 062/226] Oops --- eslzArm/eslzArm.json | 22 +++++++++++++++++++++- eslzArm/prerequisites/dsSleep.json | 2 +- 2 files changed, 22 insertions(+), 2 deletions(-) diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json index 26300779ec..c42e8fd4cd 100644 --- a/eslzArm/eslzArm.json +++ b/eslzArm/eslzArm.json @@ -1698,6 +1698,7 @@ "policyDefinitions": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyDefinitions/policies.json')]", "initiativeDefinitions": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyDefinitions/initiatives.json')]", "preRequisites": "[uri(deployment().properties.templateLink.uri, 'prerequisites/deployPrerequisites.json')]", + "alzSleep": "[uri(deployment().properties.templateLink.uri, 'prerequisites/dsSleep.json')]", "avnmConnectivityHub": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/avnmConfiguration.json')]", "vnetConnectivityHub": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/hubspoke-connectivity.json')]", "vwanConnectivityHub": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/vwan-connectivity.json')]", 
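Review bot: The added `"alz-prerequisites"` entry is a bare deployment name while every sibling in this `dependsOn` list uses the `resourceId('Microsoft.Resources/deployments', ...)` form; ARM accepts both, but the mixed style reads like an oversight, and `"[resourceId('Microsoft.Resources/deployments', 'alz-prerequisites')]"` keeps the list uniform. Since `alz-prerequisites` is conditional on `managementSubscriptionId` (earlier hunk of this commit), as I understand it the dependency is ignored when that subscription is not supplied, so the dependent deployment (whose resource starts outside the hunk) would then run without the provider registration having happened; a comment stating that assumption would help.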
@@ -2428,6 +2429,25 @@ } } }, + { + // Azure's untold story version 2.0 + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "alz-sleep", + "location": "[deployment().location]", + "scope": "[concat('Microsoft.Management/managementGroups/', parameters('enterpriseScaleCompanyPrefix'))]", + "dependsOn": [ + "[variables('deploymentNames').initiativeDeploymentName]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').alzSleep]" + }, + "parameters": {} + } + }, { // One of Azure's untold stories..... "type": "Microsoft.Resources/deployments", @@ -2476,7 +2496,7 @@ "location": { "value": "[deployment().location]" }, - "eslzRootGroup": { + "eslzRootName": { "value": "[parameters('enterpriseScaleCompanyPrefix')]" } } diff --git a/eslzArm/prerequisites/dsSleep.json b/eslzArm/prerequisites/dsSleep.json index 4aee02dba9..90277b0bb9 100644 --- a/eslzArm/prerequisites/dsSleep.json +++ b/eslzArm/prerequisites/dsSleep.json @@ -20,7 +20,7 @@ "azPowerShellVersion": "12.3", "timeout": "PT1H", "arguments": "", - "scriptContent": " Write-Output Sleeping for: 30 minutes ....\n Start-Sleep -Duration (New-TimeSpan -Minutes 15) \n Write-Output Sleep over - resuming ....\n ", + "scriptContent": " Write-Output Sleeping for: 30 minutes ....\n Start-Sleep -Duration (New-TimeSpan -Minutes 20) \n Write-Output Sleep over - resuming ....\n ", "cleanupPreference": "OnSuccess", "retentionInterval": "P1D" } From 70eb937873b7cad2fad533ac6b68a231f82de84e Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Wed, 13 Nov 2024 21:02:36 +0400 Subject: [PATCH 063/226] . --- eslzArm/prerequisites/deployPrerequisites.json | 6 ------ 1 file changed, 6 deletions(-) diff --git a/eslzArm/prerequisites/deployPrerequisites.json b/eslzArm/prerequisites/deployPrerequisites.json index e936e9e745..0591be8fa6 100644 --- a/eslzArm/prerequisites/deployPrerequisites.json 
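Review bot: In the `dsSleep.json` hunk the log line in `scriptContent` still says `Sleeping for: 30 minutes` while the `Start-Sleep` is now 20 minutes (it was 15 before this commit), so the deployment-script log misreports the wait; keep one source of truth: `$minutes = 20`, `Write-Output "Sleeping for: $minutes minutes ...."`, `Start-Sleep -Duration (New-TimeSpan -Minutes $minutes)`. Quoting the message also makes it explicit that `Sleeping for: 30 minutes ....` is meant as one string rather than a run of bare positional arguments. The `timeout` of `PT1H` on the same resource still bounds the script if the value is raised later, but the log text should track the real duration.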
+++ b/eslzArm/prerequisites/deployPrerequisites.json @@ -155,8 +155,6 @@ $result = Invoke-AzRestMethod -Method POST -Uri \"https://management.azure.com/providers/Microsoft.Management/managementGroups/$eslzRootName/providers/Microsoft.Network/register?api-version=2021-04-01\" Write-Output $result - $DeploymentScriptOutputs = @{} - $DeploymentScriptOutputs['text'] = $result.StatusCode " }, "metadata": { @@ -165,10 +163,6 @@ } ], "outputs": { - "result": { - "value": "[reference('alz-deploymentscript').outputs.text]", - "type": "string" - } } } }, From 29b6a788646b83ebd0d5021f49733d0ba7a96e03 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Thu, 14 Nov 2024 14:49:07 +0400 Subject: [PATCH 064/226] . --- eslzArm/eslzArm.json | 48 +------------ .../prerequisites/deployPrerequisites.json | 8 ++- .../avnmConfiguration.json | 68 +++++++++---------- 3 files changed, 40 insertions(+), 84 deletions(-) diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json index c42e8fd4cd..ce30d5c3e3 100644 --- a/eslzArm/eslzArm.json +++ b/eslzArm/eslzArm.json 
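Review bot: Dropping `$DeploymentScriptOutputs['text'] = $result.StatusCode` and the `result` output removes the only signal that the `Microsoft.Network` register POST at management-group scope succeeded; as far as I know `Invoke-AzRestMethod` returns the response object rather than throwing on 4xx/5xx, so a 403 from a script identity that lacks rights on `$eslzRootName` now completes "successfully" and every dependent assignment runs against an unregistered provider. Fail the script explicitly instead: `if ($result.StatusCode -ge 300) { throw "Microsoft.Network registration at $eslzRootName failed: $($result.StatusCode) $($result.Content)" }`. The surrounding `scriptContent` string and its param block start before this hunk.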
@@ -2429,58 +2429,12 @@ } } }, - { - // Azure's untold story version 2.0 - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "alz-sleep", - "location": "[deployment().location]", - "scope": "[concat('Microsoft.Management/managementGroups/', parameters('enterpriseScaleCompanyPrefix'))]", - "dependsOn": [ - "[variables('deploymentNames').initiativeDeploymentName]" - ], - "properties": { - "mode": "Incremental", - "templateLink": { - "contentVersion": "1.0.0.0", - "uri": "[variables('deploymentUris').alzSleep]" - }, - "parameters": {} - } - }, - { - // One of Azure's untold stories..... - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "[concat('preparingToLaunch', copyIndex())]", - "location": "[deployment().location]", - "scope": "[concat('Microsoft.Management/managementGroups/', parameters('enterpriseScaleCompanyPrefix'))]", - "dependsOn": [ - "[variables('deploymentNames').initiativeDeploymentName]" - ], - "copy": { - "batchSize": 1, - "count": "[parameters('delayCount')]", - "mode": "Serial", - "name": "policyCompletion" - }, - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": {}, - "resources": [], - "outputs": {} - } - } - }, { // ALZ Pre-Requisites "condition": "[not(empty(parameters('managementSubscriptionId')))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2020-06-01", - "name": "alz-prerequisites", + "name": "policyCompletion", "subscriptionId": "[parameters('managementSubscriptionId')]", "location": "[deployment().location]", "dependsOn": [ diff --git a/eslzArm/prerequisites/deployPrerequisites.json b/eslzArm/prerequisites/deployPrerequisites.json index 0591be8fa6..8cf0cd2239 100644 --- a/eslzArm/prerequisites/deployPrerequisites.json +++ b/eslzArm/prerequisites/deployPrerequisites.json 
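Review bot: Renaming the prerequisites deployment to `policyCompletion` reuses the name of the serial `preparingToLaunch` copy loop removed in the same hunk, so every existing `"dependsOn": ["policyCompletion"]` in the file now points at a deployment carrying `"condition": "[not(empty(parameters('managementSubscriptionId')))]"`; when no management subscription is supplied that resource is skipped and those dependents lose the wait they previously had. Either drop the condition (the prerequisites run at management-group scope and do not strictly need that subscription) or document the behaviour next to it, e.g. `// Also serves as the post-policy delay barrier; dependents run immediately when managementSubscriptionId is empty`. With the copy loop gone the `delayCount` parameter looks unused — worth confirming and removing from the parameter block, which is outside this hunk.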
@@ -154,7 +154,10 @@ ) $result = Invoke-AzRestMethod -Method POST -Uri \"https://management.azure.com/providers/Microsoft.Management/managementGroups/$eslzRootName/providers/Microsoft.Network/register?api-version=2021-04-01\" - Write-Output $result + #Write-Output $result + + #Sleep for 30 minutes to wait for Management Groups to load to cache before assignments + Start-Sleep -Duration (New-TimeSpan -Minutes 30) " }, "metadata": { @@ -162,8 +165,7 @@ } } ], - "outputs": { - } + "outputs": {} } }, "dependsOn": [ diff --git a/eslzArm/subscriptionTemplates/avnmConfiguration.json b/eslzArm/subscriptionTemplates/avnmConfiguration.json index b2f0735471..a6c404c2fb 100644 --- a/eslzArm/subscriptionTemplates/avnmConfiguration.json +++ b/eslzArm/subscriptionTemplates/avnmConfiguration.json 
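Review bot: The 30-minute `Start-Sleep` is hard-coded inside `scriptContent`, and the wait length is clearly a tuning knob (it has already moved 15→20 in `dsSleep.json` in this series), so pass it in through the script's `arguments` and read it with `param([int]$delayMinutes = 30)` so operators can shorten it without editing the template; the `)` just above the `Invoke-AzRestMethod` call looks like the end of an existing param block. Commenting out `Write-Output $result` also removes the last trace of the registration response from the script log — keep at least `Write-Output "Microsoft.Network register at $eslzRootName -> $($result.StatusCode)"` so a failed registration is visible before the half-hour wait. The comment `#Sleep for 30 minutes to wait for Management Groups to load to cache` should reference the variable rather than a literal so it cannot drift.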
@@ -180,41 +180,41 @@ { "networkGroupId": "[resourceId('Microsoft.Network/networkManagers/networkGroups', format('avnm-{0}', parameters('location')), format('ng-{0}-static', parameters('location')))]" } + ] - } - }, - { - "type": "Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections/rules", - "apiVersion": "2023-11-01", - "name": "[format('{0}/{1}/{2}/{3}', format('avnm-{0}', parameters('location')), format('sac-{0}', parameters('location')), 'rc-ALZ', 'DenyDangerousInbound')]", - "dependsOn": [ - "[resourceId('Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections', format('avnm-{0}', parameters('location')), format('sac-{0}', parameters('location')), 'rc-ALZ')]" - ], - "kind": "Custom", - "properties": { - "description": "Deny dangerous VM inbound traffic", - "priority": 500, - "source": { - "addressPrefixes": [ - "*" - ] - }, - "destination": { - "addressPrefixes": [ - "*" - ] - }, - "destinationPortRanges": [ - "22", - "3389" - ], - "protocols": [ - "TCP", - "UDP" - ], - "direction": "Inbound", - "access": "Deny" - } + }, + "resources": [ + { + "type": "Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections/rules", + "apiVersion": "2023-11-01", + "name": "DenyMgmtInbound", + "kind": "Custom", + "properties": { + "description": "Deny dangerous VM inbound traffic", + "priority": 500, + "source": { + "addressPrefixes": [ + "*" + ] + }, + "destination": { + "addressPrefixes": [ + "*" + ] + }, + "destinationPortRanges": [ + "22", + "3389" + ], + "protocols": [ + "TCP", + "UDP" + ], + "direction": "Inbound", + "access": "Deny" + } + } + ] } ] } From e0cd962500ce47a466660dcf8fba406efca18d00 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Thu, 14 Nov 2024 14:58:09 +0400 Subject: [PATCH 065/226] . --- eslzArm/eslzArm.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json index ce30d5c3e3..65c1fcf3eb 100644 --- a/eslzArm/eslzArm.json 
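Review bot: `DenyMgmtInbound` denies TCP/UDP 22 and 3389 inbound from source `*` to every VNet in the `ng-<location>-static` network group, and AVNM security admin Deny rules are evaluated before NSGs and cannot be overridden by them, so Azure Bastion or jump hosts in the connectivity hub that reach VMs on exactly these ports will be cut off once the hub or spokes join the group — I have not confirmed whether Bastion traffic is exempted, so test this before shipping. Add a higher-precedence Allow rule for the trusted management ranges ahead of the deny: `"priority": 400`, `"access": "Allow"`, `"source": { "addressPrefixes": "[parameters('trustedManagementSourcePrefixes')]" }`, with the new parameter defaulting to empty and the rule carrying `"condition": "[not(empty(parameters('trustedManagementSourcePrefixes')))]"`. The property names used here (`source.addressPrefixes`, `destination`, `protocols` as an array) do not match my recollection of the `2023-11-01` rule schema (`sources`/`destinations` arrays of `{addressPrefix, addressPrefixType}` and a single `protocol`); validate the template against the published schema or a what-if run. The enclosing `rc-ALZ` rule collection starts before this hunk.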
+++ b/eslzArm/eslzArm.json @@ -2430,7 +2430,7 @@ } }, { - // ALZ Pre-Requisites + // ALZ Pre-Requisites and Azure's Untold Story... "condition": "[not(empty(parameters('managementSubscriptionId')))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2020-06-01", @@ -5204,7 +5204,7 @@ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosDeploymentName)]", - "alz-prerequisites" + "policyCompletion" ], "location": "[deployment().location]", "properties": { From 1622f8ed2b06ef296e63e5fb7b0cde8c3fa87223 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Thu, 14 Nov 2024 15:03:07 +0400 Subject: [PATCH 066/226] . --- eslzArm/eslzArm.json | 148 +++++++++--------- .../prerequisites/deployPrerequisites.json | 2 +- 2 files changed, 75 insertions(+), 75 deletions(-) diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json index 65c1fcf3eb..a413e479cc 100644 --- a/eslzArm/eslzArm.json +++ b/eslzArm/eslzArm.json @@ -2434,7 +2434,7 @@ "condition": "[not(empty(parameters('managementSubscriptionId')))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2020-06-01", - "name": "policyCompletion", + "name": "alz-prerequisites", "subscriptionId": "[parameters('managementSubscriptionId')]", "location": "[deployment().location]", "dependsOn": [ @@ -2554,7 +2554,7 @@ "subscriptionId": "[parameters('managementSubscriptionId')]", "dependsOn": [ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]", - "policyCompletion" + "alz-prerequisites" ], "properties": { "mode": "Incremental", 
@@ -2717,7 +2717,7 @@ "location": "[deployment().location]", "dependsOn": [ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]", - "policyCompletion" + "alz-prerequisites" ], "properties": { "mode": "Incremental", @@ -2822,7 +2822,7 @@ "location": "[deployment().location]", "dependsOn": [ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]", - "policyCompletion", + "alz-prerequisites", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').monitoringLiteDeploymentName)]" ], @@ -2859,7 +2859,7 @@ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", - "policyCompletion", + "alz-prerequisites", "corpConnectedMoveLzs" ], "copy": { @@ -2906,7 +2906,7 @@ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", - "policyCompletion", + "alz-prerequisites", "corpConnectedMoveLzs" ], "copy": { 
@@ -2953,7 +2953,7 @@ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", - "policyCompletion", + "alz-prerequisites", "corpConnectedMoveLzs" ], "copy": { @@ -3000,7 +3000,7 @@ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", - "policyCompletion", + "alz-prerequisites", "corpConnectedMoveLzs" ], "copy": { @@ -3047,7 +3047,7 @@ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", - "policyCompletion", + "alz-prerequisites", "corpConnectedMoveLzs" ], "copy": { @@ -3094,7 +3094,7 @@ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", - "policyCompletion", + "alz-prerequisites", "corpConnectedMoveLzs" ], "copy": { 
@@ -3141,7 +3141,7 @@ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", - "policyCompletion", + "alz-prerequisites", "corpConnectedMoveLzs" ], "copy": { @@ -3188,7 +3188,7 @@ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", - "policyCompletion", + "alz-prerequisites", "corpConnectedMoveLzs" ], "copy": { @@ -3235,7 +3235,7 @@ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", - "policyCompletion", + "alz-prerequisites", "corpConnectedMoveLzs" ], "copy": { @@ -3282,7 +3282,7 @@ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", - "policyCompletion", + "alz-prerequisites", "corpConnectedMoveLzs" ], "copy": { 
@@ -3329,7 +3329,7 @@ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", - "policyCompletion", + "alz-prerequisites", "corpConnectedMoveLzs" ], "copy": { @@ -3376,7 +3376,7 @@ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", - "policyCompletion", + "alz-prerequisites", "corpConnectedMoveLzs" ], "copy": { @@ -3423,7 +3423,7 @@ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", - "policyCompletion", + "alz-prerequisites", "corpConnectedMoveLzs" ], "copy": { @@ -3470,7 +3470,7 @@ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", - "policyCompletion", + "alz-prerequisites", "corpConnectedMoveLzs" ], "copy": { 
@@ -3517,7 +3517,7 @@ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", - "policyCompletion", + "alz-prerequisites", "corpConnectedMoveLzs" ], "copy": { @@ -3564,7 +3564,7 @@ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", - "policyCompletion", + "alz-prerequisites", "corpConnectedMoveLzs" ], "copy": { @@ -3611,7 +3611,7 @@ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", - "policyCompletion", + "alz-prerequisites", "corpConnectedMoveLzs" ], "copy": { @@ -3658,7 +3658,7 @@ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", - "policyCompletion", + "alz-prerequisites", "corpConnectedMoveLzs" ], "copy": { 
@@ -3705,7 +3705,7 @@ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", - "policyCompletion", + "alz-prerequisites", "corpConnectedMoveLzs" ], "copy": { @@ -3752,7 +3752,7 @@ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", - "policyCompletion", + "alz-prerequisites", "corpConnectedMoveLzs" ], "copy": { @@ -3802,7 +3802,7 @@ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", - "policyCompletion", + "alz-prerequisites", "corpConnectedMoveLzs" ], "copy": { @@ -3849,7 +3849,7 @@ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", - "policyCompletion", + "alz-prerequisites", "corpConnectedMoveLzs" ], "copy": { 
@@ -3896,7 +3896,7 @@ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", - "policyCompletion", + "alz-prerequisites", "corpConnectedMoveLzs" ], "copy": { @@ -3943,7 +3943,7 @@ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", - "policyCompletion", + "alz-prerequisites", "corpConnectedMoveLzs" ], "copy": { @@ -3990,7 +3990,7 @@ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", - "policyCompletion", + "alz-prerequisites", "corpConnectedMoveLzs" ], "copy": { @@ -4037,7 +4037,7 @@ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", - "policyCompletion", + "alz-prerequisites", "corpConnectedMoveLzs" ], "copy": { 
@@ -4084,7 +4084,7 @@ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", - "policyCompletion", + "alz-prerequisites", "corpConnectedMoveLzs" ], "copy": { @@ -4322,7 +4322,7 @@ "scope": "[variables('scopes').eslzRootManagementGroup]", "location": "[deployment().location]", "dependsOn": [ - "policyCompletion" + "alz-prerequisites" ], "properties": { "mode": "Incremental", @@ -4346,7 +4346,7 @@ "scope": "[variables('scopes').eslzRootManagementGroup]", "location": "[deployment().location]", "dependsOn": [ - "policyCompletion" + "alz-prerequisites" ], "properties": { "mode": "Incremental", @@ -4370,7 +4370,7 @@ "scope": "[variables('scopes').eslzRootManagementGroup]", "location": "[deployment().location]", "dependsOn": [ - "policyCompletion" + "alz-prerequisites" ], "properties": { "mode": "Incremental", @@ -4394,7 +4394,7 @@ "scope": "[variables('scopes').eslzRootManagementGroup]", "location": "[deployment().location]", "dependsOn": [ - "policyCompletion" + "alz-prerequisites" ], "properties": { "mode": "Incremental", @@ -4700,7 +4700,7 @@ "scope": "[variables('scopes').eslzRootManagementGroup]", "location": "[deployment().location]", "dependsOn": [ - "policyCompletion" + "alz-prerequisites" ], "properties": { "mode": "Incremental", @@ -4770,7 +4770,7 @@ "scope": "[variables('scopes').platformManagementGroup]", "location": "[deployment().location]", "dependsOn": [ - "policyCompletion" + "alz-prerequisites" ], "properties": { "mode": "Incremental", 
@@ -5204,7 +5204,7 @@ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosDeploymentName)]", - "policyCompletion" + "alz-prerequisites" ], "location": "[deployment().location]", "properties": { @@ -5729,7 +5729,7 @@ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').mgmtGroupLiteDeploymentName)]", "dnsZones", "dnsZonesLite", - "policyCompletion" + "alz-prerequisites" ], "properties": { "mode": "Incremental", @@ -6021,7 +6021,7 @@ "scope": "[variables('scopes').platformManagementGroup]", "location": "[deployment().location]", "dependsOn": [ - "policyCompletion" + "alz-prerequisites" ], "properties": { "mode": "Incremental", @@ -6054,7 +6054,7 @@ "scope": "[variables('scopes').lzsManagementGroup]", "location": "[deployment().location]", "dependsOn": [ - "policyCompletion" + "alz-prerequisites" ], "properties": { "mode": "Incremental", @@ -6417,7 +6417,7 @@ "scope": "[variables('scopes').lzsManagementGroup]", "location": "[deployment().location]", "dependsOn": [ - "policyCompletion" + "alz-prerequisites" ], "properties": { "mode": "Incremental", @@ -6474,7 +6474,7 @@ "scope": "[variables('scopes').lzsManagementGroup]", "location": "[deployment().location]", "dependsOn": [ - "policyCompletion" + "alz-prerequisites" ], "properties": { "mode": "Incremental", @@ -6498,7 +6498,7 @@ "scope": "[variables('scopes').lzsManagementGroup]", "location": "[deployment().location]", "dependsOn": [ - "policyCompletion" + "alz-prerequisites" ], "properties": { "mode": "Incremental", @@ -6522,7 +6522,7 @@ "scope": "[variables('scopes').lzsManagementGroup]", "location": "[deployment().location]", "dependsOn": [ - "policyCompletion" + "alz-prerequisites" ], "properties": { "mode": "Incremental", 
@@ -6546,7 +6546,7 @@ "scope": "[variables('scopes').lzsManagementGroup]", "location": "[deployment().location]", "dependsOn": [ - "policyCompletion" + "alz-prerequisites" ], "properties": { "mode": "Incremental", @@ -6573,7 +6573,7 @@ "scope": "[variables('scopes').lzsManagementGroup]", "location": "[deployment().location]", "dependsOn": [ - "policyCompletion" + "alz-prerequisites" ], "properties": { "mode": "Incremental", @@ -6597,7 +6597,7 @@ "scope": "[variables('scopes').corpManagementGroup]", "location": "[deployment().location]", "dependsOn": [ - "policyCompletion" + "alz-prerequisites" ], "properties": { "mode": "Incremental", @@ -6624,7 +6624,7 @@ "scope": "[variables('scopes').corpManagementGroup]", "location": "[deployment().location]", "dependsOn": [ - "policyCompletion" + "alz-prerequisites" ], "properties": { "mode": "Incremental", @@ -6648,7 +6648,7 @@ "scope": "[variables('scopes').lzsManagementGroup]", "location": "[deployment().location]", "dependsOn": [ - "policyCompletion" + "alz-prerequisites" ], "properties": { "mode": "Incremental", @@ -6674,7 +6674,7 @@ "scope": "[variables('scopes').platformManagementGroup]", "location": "[deployment().location]", "dependsOn": [ - "policyCompletion" + "alz-prerequisites" ], "properties": { "mode": "Incremental", @@ -6700,7 +6700,7 @@ "scope": "[variables('scopes').lzsManagementGroup]", "location": "[deployment().location]", "dependsOn": [ - "policyCompletion" + "alz-prerequisites" ], "properties": { "mode": "Incremental", @@ -6727,7 +6727,7 @@ "scope": "[variables('scopes').lzsManagementGroup]", "location": "[deployment().location]", "dependsOn": [ - "policyCompletion" + "alz-prerequisites" ], "properties": { "mode": "Incremental", @@ -6751,7 +6751,7 @@ "scope": "[variables('scopes').lzsManagementGroup]", "location": "[deployment().location]", "dependsOn": [ - "policyCompletion" + "alz-prerequisites" ], "properties": { "mode": "Incremental", 
@@ -6778,7 +6778,7 @@ "scope": "[variables('scopes').platformManagementGroup]", "location": "[deployment().location]", "dependsOn": [ - "policyCompletion" + "alz-prerequisites" ], "properties": { "mode": "Incremental", @@ -6805,7 +6805,7 @@ "scope": "[variables('scopes').lzsManagementGroup]", "location": "[deployment().location]", "dependsOn": [ - "policyCompletion" + "alz-prerequisites" ], "properties": { "mode": "Incremental", @@ -6832,7 +6832,7 @@ "scope": "[variables('scopes').platformManagementGroup]", "location": "[deployment().location]", "dependsOn": [ - "policyCompletion" + "alz-prerequisites" ], "properties": { "mode": "Incremental", @@ -6859,7 +6859,7 @@ "scope": "[variables('scopes').corpManagementGroup]", "location": "[deployment().location]", "dependsOn": [ - "policyCompletion" + "alz-prerequisites" ], "properties": { "mode": "Incremental", @@ -6883,7 +6883,7 @@ "scope": "[variables('scopes').corpManagementGroup]", "location": "[deployment().location]", "dependsOn": [ - "policyCompletion" + "alz-prerequisites" ], "properties": { "mode": "Incremental", @@ -6913,7 +6913,7 @@ "scope": "[variables('scopes').lzsManagementGroup]", "location": "[deployment().location]", "dependsOn": [ - "policyCompletion" + "alz-prerequisites" ], "properties": { "mode": "Incremental", @@ -6937,7 +6937,7 @@ "scope": "[variables('scopes').eslzRootManagementGroup]", "location": "[deployment().location]", "dependsOn": [ - "policyCompletion" + "alz-prerequisites" ], "properties": { "mode": "Incremental", @@ -6964,7 +6964,7 @@ "scope": "[variables('scopes').lzsManagementGroup]", "location": "[deployment().location]", "dependsOn": [ - "policyCompletion" + "alz-prerequisites" ], "properties": { "mode": "Incremental", @@ -7084,7 +7084,7 @@ "scope": "[variables('scopes').lzsManagementGroup]", "location": "[deployment().location]", "dependsOn": [ - "policyCompletion" + "alz-prerequisites" ], "properties": { "mode": "Incremental", 
@@ -7111,7 +7111,7 @@ "scope": "[variables('scopes').lzsManagementGroup]", "location": "[deployment().location]", "dependsOn": [ - "policyCompletion" + "alz-prerequisites" ], "properties": { "mode": "Incremental", @@ -7138,7 +7138,7 @@ "scope": "[variables('scopes').decommissionedManagementGroup]", "location": "[deployment().location]", "dependsOn": [ - "policyCompletion" + "alz-prerequisites" ], "properties": { "mode": "Incremental", @@ -7165,7 +7165,7 @@ "scope": "[variables('scopes').sandboxManagementGroup]", "location": "[deployment().location]", "dependsOn": [ - "policyCompletion" + "alz-prerequisites" ], "properties": { "mode": "Incremental", @@ -7195,7 +7195,7 @@ "scope": "[variables('scopes').identityManagementGroup]", "location": "[deployment().location]", "dependsOn": [ - "policyCompletion" + "alz-prerequisites" ], "properties": { "mode": "Incremental", @@ -7222,7 +7222,7 @@ "scope": "[variables('scopes').identityManagementGroup]", "location": "[deployment().location]", "dependsOn": [ - "policyCompletion", + "alz-prerequisites", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').identitySubscriptionPlacement)]" ], "properties": { @@ -7247,7 +7247,7 @@ "scope": "[variables('scopes').identityManagementGroup]", "location": "[deployment().location]", "dependsOn": [ - "policyCompletion", + "alz-prerequisites", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').identitySubscriptionPlacement)]" ], "properties": { @@ -7275,7 +7275,7 @@ "scope": "[variables('scopes').identityManagementGroup]", "location": "[deployment().location]", "dependsOn": [ - "policyCompletion", + "alz-prerequisites", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').identitySubscriptionPlacement)]" ], "properties": { 
@@ -7772,7 +7772,7 @@
 "subscriptionId": "[parameters('singlePlatformSubscriptionId')]",
 "dependsOn": [
 "[resourceId('Microsoft.Resources/deployments', variables('esliteDeploymentNames').platformLiteSubscriptionPlacement)]",
- "policyCompletion"
+ "alz-prerequisites"
 ],
 "properties": {
 "mode": "Incremental",
@@ -7851,7 +7851,7 @@
 "location": "[deployment().location]",
 "dependsOn": [
 "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').monitoringLiteDeploymentName)]",
- "policyCompletion"
+ "alz-prerequisites"
 ],
 "properties": {
 "mode": "Incremental",
@@ -8929,7 +8929,7 @@
 "scope": "[variables('scopes').platformManagementGroup]",
 "location": "[deployment().location]",
 "dependsOn": [
- "policyCompletion",
+ "alz-prerequisites",
 "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').platformLiteSubscriptionPlacement)]"
 ],
 "properties": {
@@ -8960,7 +8960,7 @@
 "scope": "[variables('scopes').platformManagementGroup]",
 "location": "[deployment().location]",
 "dependsOn": [
- "policyCompletion",
+ "alz-prerequisites",
 "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').platformLiteSubscriptionPlacement)]"
 ],
 "properties": {
diff --git a/eslzArm/prerequisites/deployPrerequisites.json b/eslzArm/prerequisites/deployPrerequisites.json
index 8cf0cd2239..4c8a07a8af 100644
--- a/eslzArm/prerequisites/deployPrerequisites.json
+++ b/eslzArm/prerequisites/deployPrerequisites.json
@@ -157,7 +157,7 @@
 #Write-Output $result
 #Sleep for 30 minutes to wait for Management Groups to load to cache before assignments
- Start-Sleep -Duration (New-TimeSpan -Minutes 30)
+ Start-Sleep -Duration (New-TimeSpan -Minutes 5)
 "
 },
 "metadata": {
From 3f4809693586b8ec3a74185c6ead01a5609f5d62 Mon Sep 17 00:00:00 2001
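Review bot: The comment directly above the changed line still reads `#Sleep for 30 minutes to wait for Management Groups to load to cache before assignments` while the sleep is now 5 minutes, so the script documents a wait it no longer performs; update it to `#Sleep for 5 minutes to wait for Management Groups to load to cache before assignments` or remove the number. More fundamentally, a fixed `Start-Sleep` is a timing assumption rather than a check: if the management-group cache has not caught up in 5 minutes, the assignments that follow presumably fail or land on a scope that does not resolve yet, and nothing here would report why. A bounded polling loop that retries `Get-AzManagementGroup` for the newly created group ids until they resolve (with a hard cap and a clear error on timeout) would end the wait when the precondition actually holds. The surrounding deployment-script `scriptContent` begins outside this hunk.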
From: Sacha Narinx
Date: Thu, 14 Nov 2024 15:21:43 +0400
Subject: [PATCH 067/226] Fix to rule name in AVNM
---
 eslzArm/subscriptionTemplates/avnmConfiguration.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/eslzArm/subscriptionTemplates/avnmConfiguration.json b/eslzArm/subscriptionTemplates/avnmConfiguration.json
index a6c404c2fb..9aa78836ce 100644
--- a/eslzArm/subscriptionTemplates/avnmConfiguration.json
+++ b/eslzArm/subscriptionTemplates/avnmConfiguration.json
@@ -187,7 +187,7 @@
 {
 "type": "Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections/rules",
 "apiVersion": "2023-11-01",
- "name": "DenyMgmtInbound",
+ "name": "[format('{0}/{1}/{2}/{3}', format('avnm-{0}', parameters('location')), format('sac-{0}', parameters('location')), 'rc-ALZ', 'DenyMgmtInbound')]",
 "kind": "Custom",
 "properties": {
 "description": "Deny dangerous VM inbound traffic",
From 6db5db5b2cb341f9a80ca9b61a2a47ad5a74c1ef Mon Sep 17 00:00:00 2001
From: Sacha Narinx
Date: Thu, 14 Nov 2024 16:10:14 +0400
Subject: [PATCH 068/226] .
---
 eslzArm/subscriptionTemplates/avnmConfiguration.json | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/eslzArm/subscriptionTemplates/avnmConfiguration.json b/eslzArm/subscriptionTemplates/avnmConfiguration.json
index 9aa78836ce..2ed6a4c29f 100644
--- a/eslzArm/subscriptionTemplates/avnmConfiguration.json
+++ b/eslzArm/subscriptionTemplates/avnmConfiguration.json
@@ -188,6 +188,9 @@
 "type": "Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections/rules",
 "apiVersion": "2023-11-01",
 "name": "[format('{0}/{1}/{2}/{3}', format('avnm-{0}', parameters('location')), format('sac-{0}', parameters('location')), 'rc-ALZ', 'DenyMgmtInbound')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections', format('avnm-{0}', parameters('location')), format('sac-{0}', parameters('location')), 'rc-ALZ')]"
+ ],
 "kind": "Custom",
 "properties": {
 "description": "Deny dangerous VM inbound traffic",
From ec047c37f6847675bf3be3178d5ce6debd8da9ae Mon Sep 17 00:00:00 2001
From: Sacha Narinx
Date: Thu, 14 Nov 2024 16:19:51 +0400
Subject: [PATCH 069/226] Increasing sleep
---
 eslzArm/prerequisites/deployPrerequisites.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/eslzArm/prerequisites/deployPrerequisites.json b/eslzArm/prerequisites/deployPrerequisites.json
index 4c8a07a8af..c9aa73e39a 100644
--- a/eslzArm/prerequisites/deployPrerequisites.json
+++ b/eslzArm/prerequisites/deployPrerequisites.json
@@ -157,7 +157,7 @@
 #Write-Output $result
 #Sleep for 30 minutes to wait for Management Groups to load to cache before assignments
- Start-Sleep -Duration (New-TimeSpan -Minutes 5)
+ Start-Sleep -Duration (New-TimeSpan -Minutes 10)
 "
 },
 "metadata": {
From a155d7788ec37a70c2d52cce3e9dec4cfc643b5d Mon Sep 17 00:00:00 2001
From: Sacha Narinx
Date: Thu, 14 Nov 2024 16:21:45 +0400
Subject: [PATCH 070/226] Deleting unneeded files
---
 eslzArm/prerequisites/dsSleep.json | 30 --
 .../avnmConfiguration copy.json | 273 ------------------
 2 files changed, 303 deletions(-)
 delete mode 100644 eslzArm/prerequisites/dsSleep.json
 delete mode 100644 eslzArm/subscriptionTemplates/avnmConfiguration copy.json
diff --git a/eslzArm/prerequisites/dsSleep.json b/eslzArm/prerequisites/dsSleep.json
deleted file mode 100644
index 90277b0bb9..0000000000
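Review bot: This is the second retuning of the same constant in this series (30 → 5 → 10 minutes) and the comment above it still says `#Sleep for 30 minutes to wait for Management Groups to load to cache before assignments`, so code and explanation now disagree by a factor of three. Having to adjust the number twice is itself evidence that the real propagation delay varies between tenants; no fixed value will be both safe and fast, so a bounded retry on the condition the comment describes would be more robust than another guess. At minimum, make the comment state the actual duration and why it was chosen, e.g. `#Sleep for 10 minutes - MG cache propagation was observed to exceed 5 minutes; replace with a polling check`. The enclosing deployment-script `scriptContent` starts outside this hunk.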
--- a/eslzArm/prerequisites/dsSleep.json +++ /dev/null @@ -1,30 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "utcNow": { - "type": "string", - "defaultValue": "[utcNow()]" - } - }, - "variables": {}, - "resources": [ - { - "type": "Microsoft.Resources/deploymentScripts", - "apiVersion": "2020-10-01", - "name": "alz-sleep", - "location": "uksouth", - "kind": "AzurePowerShell", - "properties": { - "forceUpdateTag": "[parameters('utcNow')]", - "azPowerShellVersion": "12.3", - "timeout": "PT1H", - "arguments": "", - "scriptContent": " Write-Output Sleeping for: 30 minutes ....\n Start-Sleep -Duration (New-TimeSpan -Minutes 20) \n Write-Output Sleep over - resuming ....\n ", - "cleanupPreference": "OnSuccess", - "retentionInterval": "P1D" - } - } - ], - "outputs": {} -} \ No newline at end of file diff --git a/eslzArm/subscriptionTemplates/avnmConfiguration copy.json b/eslzArm/subscriptionTemplates/avnmConfiguration copy.json deleted file mode 100644 index bdc498e408..0000000000 --- a/eslzArm/subscriptionTemplates/avnmConfiguration copy.json +++ /dev/null 
@@ -1,273 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "topLevelManagementGroupPrefix": { - "type": "string", - "maxLength": 10, - "defaultValue": "eslz", - "metadata": { - "description": "Provide a prefix (max 10 characters, unique at tenant-scope) for the Management Group hierarchy and other resources created as part of Enterprise-scale." - } - }, - "location": { - "type": "string", - "metadata": { - "displayName": "location", - "description": "Location of the HUB" - }, - "defaultValue": "[deployment().location]" - }, - "connectivitySubscriptionId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Provide the subscription id for the dedicated connectivity subscription." - } - }, - "enableHub": { - "type": "string", - "allowedValues": [ - "vhub", - "vwan", - "nva", - "No" - ], - "defaultValue": "No", - "metadata": { - "description": "Select whether the virtual network hub should be deployed or not." - } - }, - "managementGroupScope": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Management group scope for AVNM." 
- } - } - }, - "variables": { - "rgName": "[concat(parameters('topLevelManagementGroupPrefix'), '-avnm-', parameters('location'))]", - "resourceDeploymentName": "[take(concat(deployment().name, '-avnm', parameters('location')), 64)]" - }, - "resources": [ - { - // Conditionally deploy virtual network hub - "condition": "[and(or(equals(parameters('enableHub'), 'vhub'), equals(parameters('enableHub'), 'nva')), not(empty(parameters('connectivitySubscriptionId'))))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2019-10-01", - "location": "[parameters('location')]", - "name": "[concat('alz-', parameters('location'), '-', substring(uniqueString(parameters('connectivitySubscriptionId')),0,6), '-connectivityAVNM')]", - "subscriptionId": "[parameters('connectivitySubscriptionId')]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": {}, - "resources": [ - { - "type": "Microsoft.Resources/resourceGroups", - "apiVersion": "2019-10-01", - "location": "[parameters('location')]", - "name": "[variables('rgName')]", - "properties": {} - }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2019-10-01", - "name": "[concat(variables('resourceDeploymentName'), '-id')]", - "resourceGroup": "[variables('rgName')]", - "dependsOn": [ - "[concat('Microsoft.Resources/resourceGroups/', variables('rgName'))]" - ], - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": {}, - "resources": [ - { - "type": "Microsoft.ManagedIdentity/userAssignedIdentities", - "apiVersion": "2022-01-31-preview", - "name": "[format('uai-{0}', parameters('location'))]", - "location": "[parameters('location')]", - "metadata": { - "description": "This user assigned identity is 
used by the Deployment Script resource to interact with Azure resources." - } - }, - { - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "name": "[guid(resourceGroup().id, format('uai-{0}', parameters('location')))]", - "properties": { - "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c')]", - "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-{0}', parameters('location'))), '2022-01-31-preview').principalId]", - "principalType": "ServicePrincipal" - }, - "dependsOn": [ - "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-{0}', parameters('location')))]" - ], - "metadata": { - "description": "This role assignment grants the user assigned identity the Contributor role on the management group." - } - } - ], - "outputs": { - "userAssignedIdentityId": { - "type": "string", - "value": "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-{0}', parameters('location')))]" - } - } - } - } - }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2019-10-01", - "name": "[concat(variables('resourceDeploymentName'), '-ds')]", - "resourceGroup": "[variables('rgName')]", - "dependsOn": [ - "[concat('Microsoft.Resources/resourceGroups/', variables('rgName'))]" - ], - "properties": { - "mode": "Incremental", - "expressionEvaluationOptions": { - "scope": "inner" - }, - "parameters": { - "location": { - "value": "[parameters('location')]" - }, - "userAssignedIdentityId": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, variables('rgName')), 'Microsoft.Resources/deployments', concat(variables('resourceDeploymentName'), '-id')), '2022-09-01').outputs.userAssignedIdentityId.value]" - }, - "deploymentScriptName": { - "value": "[format('ds-{0}-mgScopeConfigs', parameters('location'))]" - }, - 
"managementGroupScope": { - "value": "[parameters('topLevelManagementGroupPrefix')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "location": { - "type": "string" - }, - "userAssignedIdentityId": { - "type": "string" - }, - "deploymentScriptName": { - "type": "string" - }, - "managementGroupScope": { - "type": "string" - } - }, - "resources": [ - { - "type": "Microsoft.Resources/deploymentScripts", - "apiVersion": "2020-10-01", - "name": "[parameters('deploymentScriptName')]", - "location": "[parameters('location')]", - "kind": "AzurePowerShell", - "identity": { - "type": "UserAssigned", - "userAssignedIdentities": { - "[format('{0}', parameters('userAssignedIdentityId'))]": {} - } - }, - "properties": { - "azPowerShellVersion": "8.3", - "retentionInterval": "PT1H", - "timeout": "PT1H", - "arguments": "[format('-mgmtGroupId \"{0}\"', parameters('managementGroupScope'))]", - "scriptContent": "Invoke-AzRestMethod -Method POST -Uri \"https://management.azure.com/providers/Microsoft.Management/managementGroups/$mgmtGroupId/providers/Microsoft.Network/register?api-version=2021-04-01\"" - }, - "metadata": { - "description": "Create a Deployment Script resource to perform the commit/deployment of the Network Manager connectivity configuration." 
- } - } - ] - } - } - }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2019-10-01", - "name": "[variables('resourceDeploymentName')]", - "resourceGroup": "[variables('rgName')]", - "dependsOn": [ - "[concat('Microsoft.Resources/resourceGroups/', variables('rgName'))]" - ], - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": {}, - "resources": [ - { - "type": "Microsoft.Network/networkManagers", - "apiVersion": "2022-09-01", - "name": "[format('avnm-{0}', parameters('location'))]", - "location": "[parameters('location')]", - "properties": { - "networkManagerScopeAccesses": [ - "SecurityAdmin" - ], - "networkManagerScopes": { - "subscriptions": [ - "[format('/subscriptions/{0}', parameters('connectivitySubscriptionId'))]" - ], - "managementGroups": [ - "[format('/providers/Microsoft.Management/managementGroups/{0}', parameters('topLevelManagementGroupPrefix'))]" - ] - } - }, - "metadata": { - "description": "This is the Azure Virtual Network Manager which will be used to configure Security Admin Rules." - } - }, - { - "type": "Microsoft.Network/networkManagers/networkGroups", - "apiVersion": "2022-09-01", - "name": "[format('{0}/{1}', format('avnm-{0}', parameters('location')), format('ng-{0}-static', parameters('location')))]", - "properties": { - "description": "Network Group - Static" - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/networkManagers', format('avnm-{0}', parameters('location')))]" - ], - "metadata": { - "description": "This is the static network group for the spoke VNETs, and hub when topology is mesh." 
- } - }, - { - "type": "Microsoft.Network/networkManagers/networkGroups", - "apiVersion": "2022-09-01", - "name": "[format('{0}/{1}', format('avnm-{0}', parameters('location')), format('ng-{0}-dynamic', parameters('location')))]", - "properties": { - "description": "Network Group - Dynamic" - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/networkManagers', format('avnm-{0}', parameters('location')))]" - ], - "metadata": { - "description": "This is the dynamic network group for the spoke VNETs, and hub when topology is mesh." - } - } - ] - } - } - } - ] - } - } - } - ], - "outputs": {} -} \ No newline at end of file From 3fa87c2884f77be3b3a51dffad079547b32fc9cf Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Thu, 14 Nov 2024 18:59:59 +0400 Subject: [PATCH 071/226] Nesting AVNM resources --- .../avnmConfiguration.json | 93 ++++++++++--------- 1 file changed, 48 insertions(+), 45 deletions(-) diff --git a/eslzArm/subscriptionTemplates/avnmConfiguration.json b/eslzArm/subscriptionTemplates/avnmConfiguration.json index 2ed6a4c29f..566ab993c7 100644 --- a/eslzArm/subscriptionTemplates/avnmConfiguration.json +++ b/eslzArm/subscriptionTemplates/avnmConfiguration.json 
@@ -166,59 +166,62 @@ "properties": { "applyOnNetworkIntentPolicyBasedServices": [ "None" ], "description": "ALZ Security Admin Configuration" - } - }, - { - "type": "Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections", - "apiVersion": "2022-09-01", - "name": "[format('{0}/{1}/{2}', format('avnm-{0}', parameters('location')), format('sac-{0}', parameters('location')), 'rc-ALZ')]", - "dependsOn": [ - "[resourceId('Microsoft.Network/networkManagers/securityAdminConfigurations', format('avnm-{0}', parameters('location')), format('sac-{0}', parameters('location')))]" - ], - "properties": { - "appliesToGroups": [ - { - "networkGroupId": "[resourceId('Microsoft.Network/networkManagers/networkGroups', format('avnm-{0}', parameters('location')), format('ng-{0}-static', parameters('location')))]" - } - - ] }, "resources": [ { - "type": "Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections/rules", - "apiVersion": "2023-11-01", - "name": "[format('{0}/{1}/{2}/{3}', format('avnm-{0}', parameters('location')), format('sac-{0}', parameters('location')), 'rc-ALZ', 'DenyMgmtInbound')]", + "type": "Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections", + "apiVersion": "2022-09-01", + "name": "[format('{0}/{1}/{2}', format('avnm-{0}', parameters('location')), format('sac-{0}', parameters('location')), 'rc-ALZ')]", "dependsOn": [ - "[resourceId('Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections', format('avnm-{0}', parameters('location')), format('sac-{0}', parameters('location')), 'rc-ALZ')]" + "[resourceId('Microsoft.Network/networkManagers/securityAdminConfigurations', format('avnm-{0}', parameters('location')), format('sac-{0}', parameters('location')))]" ], - "kind": "Custom", "properties": { - "description": "Deny dangerous VM inbound traffic", - "priority": 500, - "source": { - "addressPrefixes": [ - "*" - ] - }, - "destination": { - "addressPrefixes": [ - "*" - ] - }, - 
"destinationPortRanges": [ - "22", - "3389" - ], - "protocols": [ - "TCP", - "UDP" - ], - "direction": "Inbound", - "access": "Deny" - } - } + "appliesToGroups": [ + { + "networkGroupId": "[resourceId('Microsoft.Network/networkManagers/networkGroups', format('avnm-{0}', parameters('location')), format('ng-{0}-static', parameters('location')))]" + } + + ] + }, + "resources": [ + { + "type": "Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections/rules", + "apiVersion": "2023-11-01", + "name": "[format('{0}/{1}/{2}/{3}', format('avnm-{0}', parameters('location')), format('sac-{0}', parameters('location')), 'rc-ALZ', 'DenyMgmtInbound')]", + "dependsOn": [ + "[resourceId('Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections', format('avnm-{0}', parameters('location')), format('sac-{0}', parameters('location')), 'rc-ALZ')]" + ], + "kind": "Custom", + "properties": { + "description": "Deny dangerous VM inbound traffic", + "priority": 500, + "source": { + "addressPrefixes": [ + "*" + ] + }, + "destination": { + "addressPrefixes": [ + "*" + ] + }, + "destinationPortRanges": [ + "22", + "3389" + ], + "protocols": [ + "TCP", + "UDP" + ], + "direction": "Inbound", + "access": "Deny" + } + } + ] + } ] } + ] } } From 5c94d6814534a0e8de6cd86e309f0bbea4e6cbc3 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Thu, 14 Nov 2024 20:08:19 +0400 Subject: [PATCH 072/226] Updating API versions for AVNM --- eslzArm/subscriptionTemplates/avnmConfiguration.json | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/eslzArm/subscriptionTemplates/avnmConfiguration.json b/eslzArm/subscriptionTemplates/avnmConfiguration.json index 566ab993c7..5fa77d6c87 100644 --- a/eslzArm/subscriptionTemplates/avnmConfiguration.json +++ b/eslzArm/subscriptionTemplates/avnmConfiguration.json 
@@ -107,7 +107,7 @@
 "resources": [
 {
 "type": "Microsoft.Network/networkManagers",
- "apiVersion": "2022-09-01",
+ "apiVersion": "2024-03-01",
 "name": "[format('avnm-{0}', parameters('location'))]",
 "location": "[parameters('location')]",
 "properties": {
@@ -130,7 +130,7 @@
 },
 {
 "type": "Microsoft.Network/networkManagers/networkGroups",
- "apiVersion": "2022-09-01",
+ "apiVersion": "2024-03-01",
 "name": "[format('{0}/{1}', format('avnm-{0}', parameters('location')), format('ng-{0}-static', parameters('location')))]",
 "properties": {
 "description": "Network Group - Static"
@@ -144,7 +144,7 @@
 },
 {
 "type": "Microsoft.Network/networkManagers/networkGroups",
- "apiVersion": "2022-09-01",
+ "apiVersion": "2024-03-01",
 "name": "[format('{0}/{1}', format('avnm-{0}', parameters('location')), format('ng-{0}-dynamic', parameters('location')))]",
 "properties": {
 "description": "Network Group - Dynamic"
@@ -170,7 +170,7 @@
 "resources": [
 {
 "type": "Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections",
- "apiVersion": "2022-09-01",
+ "apiVersion": "2024-03-01",
 "name": "[format('{0}/{1}/{2}', format('avnm-{0}', parameters('location')), format('sac-{0}', parameters('location')), 'rc-ALZ')]",
 "dependsOn": [
 "[resourceId('Microsoft.Network/networkManagers/securityAdminConfigurations', format('avnm-{0}', parameters('location')), format('sac-{0}', parameters('location')))]"
@@ -186,7 +186,7 @@
 "resources": [
 {
 "type": "Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections/rules",
- "apiVersion": "2023-11-01",
+ "apiVersion": "2024-03-01",
 "name": "[format('{0}/{1}/{2}/{3}', format('avnm-{0}', parameters('location')), format('sac-{0}', parameters('location')), 'rc-ALZ', 'DenyMgmtInbound')]",
 "dependsOn": [
 "[resourceId('Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections', format('avnm-{0}', parameters('location')), format('sac-{0}', parameters('location')), 'rc-ALZ')]"
From 12777d12936c10f25996e0886b1a45a4f6559015 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Thu, 14 Nov 2024 21:35:10 +0400 Subject: [PATCH 073/226] Refactor AVNM configuration: remove unused policy, update dependencies, and enhance security rules --- .../avnmConfiguration.json | 30 ++++++++----------- 1 file changed, 12 insertions(+), 18 deletions(-) diff --git a/eslzArm/subscriptionTemplates/avnmConfiguration.json b/eslzArm/subscriptionTemplates/avnmConfiguration.json index 5fa77d6c87..b7522ccaaa 100644 --- a/eslzArm/subscriptionTemplates/avnmConfiguration.json +++ b/eslzArm/subscriptionTemplates/avnmConfiguration.json @@ -164,7 +164,6 @@ "[resourceId('Microsoft.Network/networkManagers', format('avnm-{0}', parameters('location')))]" ], "properties": { - "applyOnNetworkIntentPolicyBasedServices": [ "None" ], "description": "ALZ Security Admin Configuration" }, "resources": [ @@ -173,7 +172,9 @@ "apiVersion": "2024-03-01", "name": "[format('{0}/{1}/{2}', format('avnm-{0}', parameters('location')), format('sac-{0}', parameters('location')), 'rc-ALZ')]", "dependsOn": [ - "[resourceId('Microsoft.Network/networkManagers/securityAdminConfigurations', format('avnm-{0}', parameters('location')), format('sac-{0}', parameters('location')))]" + "[resourceId('Microsoft.Network/networkManagers/securityAdminConfigurations', format('avnm-{0}', parameters('location')), format('sac-{0}', parameters('location')))]", + "[resourceId('Microsoft.Network/networkManagers/networkGroups', format('avnm-{0}', parameters('location')), format('ng-{0}-static', parameters('location')))]", + "[resourceId('Microsoft.Network/networkManagers/networkGroups', format('avnm-{0}', parameters('location')), format('ng-{0}-dynamic', parameters('location')))]" ], "properties": { "appliesToGroups": [ 
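Review bot: Removing `"applyOnNetworkIntentPolicyBasedServices": [ "None" ]` from the security admin configuration turns an explicit decision into whatever the 2024-03-01 API defaults that property to, and the commit message ("remove unused policy") does not say why; whether the Deny rules below now reach VNets hosting network-intent-policy-based services is no longer readable from the template. I would keep the property explicit with the intended value, and add a `metadata.description` on the configuration stating it, e.g. `"description": "Security admin rules are deliberately not applied to intent-policy-based services; change to All/AllowRulesOnly only with review"`. The enclosing securityAdminConfigurations resource begins outside this hunk.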
@@ -193,26 +194,19 @@ ], "kind": "Custom", "properties": { - "description": "Deny dangerous VM inbound traffic", - "priority": 500, - "source": { - "addressPrefixes": [ - "*" - ] - }, - "destination": { - "addressPrefixes": [ - "*" - ] - }, + "description": "Deny VM Management inbound traffic", + "priority": 1000, + "sources": [ + { + "addressPrefixType": "ServiceTag", + "addressPrefix": "Internet" + } + ], "destinationPortRanges": [ "22", "3389" ], - "protocols": [ - "TCP", - "UDP" - ], + "protocol": "Any", "direction": "Inbound", "access": "Deny" } From d18c59bb54575e1520745e80111f8f4a45f5f82c Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Fri, 15 Nov 2024 11:26:33 +0400 Subject: [PATCH 074/226] Enhance AVNM configuration: add memberType for network groups and streamline security rule definitions --- .../avnmConfiguration.json | 94 +++++++++---------- 1 file changed, 46 insertions(+), 48 deletions(-) diff --git a/eslzArm/subscriptionTemplates/avnmConfiguration.json b/eslzArm/subscriptionTemplates/avnmConfiguration.json index b7522ccaaa..d14ed19c28 100644 --- a/eslzArm/subscriptionTemplates/avnmConfiguration.json +++ b/eslzArm/subscriptionTemplates/avnmConfiguration.json @@ -133,6 +133,7 @@ "apiVersion": "2024-03-01", "name": "[format('{0}/{1}', format('avnm-{0}', parameters('location')), format('ng-{0}-static', parameters('location')))]", "properties": { + "memberType": "VirtualNetwork", "description": "Network Group - Static" }, "dependsOn": [ @@ -147,6 +148,7 @@ "apiVersion": "2024-03-01", "name": "[format('{0}/{1}', format('avnm-{0}', parameters('location')), format('ng-{0}-dynamic', parameters('location')))]", "properties": { + "memberType": "VirtualNetwork", "description": "Network Group - Dynamic" }, "dependsOn": [ 
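Review bot: The rewritten rule sets `"sources"` to the `Internet` service tag but no longer states any destination, so the set of addresses it denies on 22/3389 now depends on the API default; the removed lines were explicit, and keeping `"destinations": [ { "addressPrefixType": "IPPrefix", "addressPrefix": "*" } ]` would make the intent obvious to the next reader. The collection this rule lives in applies only to the static network group, and none of the visible hunks adds static members or commits the security admin configuration to a region, so as written the rule is presumably not enforced anywhere yet — a comment or tracked follow-up would avoid a false sense of coverage. If the goal is to block remote-management ports from the Internet, `5985` and `5986` (WinRM) are worth adding to `destinationPortRanges` alongside SSH and RDP. The enclosing ruleCollections resource starts outside this hunk.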
@@ -165,55 +167,51 @@ ], "properties": { "description": "ALZ Security Admin Configuration" - }, - "resources": [ - { - "type": "Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections", - "apiVersion": "2024-03-01", - "name": "[format('{0}/{1}/{2}', format('avnm-{0}', parameters('location')), format('sac-{0}', parameters('location')), 'rc-ALZ')]", - "dependsOn": [ - "[resourceId('Microsoft.Network/networkManagers/securityAdminConfigurations', format('avnm-{0}', parameters('location')), format('sac-{0}', parameters('location')))]", - "[resourceId('Microsoft.Network/networkManagers/networkGroups', format('avnm-{0}', parameters('location')), format('ng-{0}-static', parameters('location')))]", - "[resourceId('Microsoft.Network/networkManagers/networkGroups', format('avnm-{0}', parameters('location')), format('ng-{0}-dynamic', parameters('location')))]" - ], - "properties": { - "appliesToGroups": [ - { - "networkGroupId": "[resourceId('Microsoft.Network/networkManagers/networkGroups', format('avnm-{0}', parameters('location')), format('ng-{0}-static', parameters('location')))]" - } + } + }, + { + "type": "Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections", + "apiVersion": "2024-03-01", + "name": "[format('{0}/{1}/{2}', format('avnm-{0}', parameters('location')), format('sac-{0}', parameters('location')), 'rc-ALZ')]", + "dependsOn": [ + "[resourceId('Microsoft.Network/networkManagers/securityAdminConfigurations', format('avnm-{0}', parameters('location')), format('sac-{0}', parameters('location')))]", + "[resourceId('Microsoft.Network/networkManagers/networkGroups', format('avnm-{0}', parameters('location')), format('ng-{0}-static', parameters('location')))]", + "[resourceId('Microsoft.Network/networkManagers/networkGroups', format('avnm-{0}', parameters('location')), format('ng-{0}-dynamic', parameters('location')))]" + ], + "properties": { + "appliesToGroups": [ + { + "networkGroupId": 
"[resourceId('Microsoft.Network/networkManagers/networkGroups', format('avnm-{0}', parameters('location')), format('ng-{0}-static', parameters('location')))]" + } - ] - }, - "resources": [ - { - "type": "Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections/rules", - "apiVersion": "2024-03-01", - "name": "[format('{0}/{1}/{2}/{3}', format('avnm-{0}', parameters('location')), format('sac-{0}', parameters('location')), 'rc-ALZ', 'DenyMgmtInbound')]", - "dependsOn": [ - "[resourceId('Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections', format('avnm-{0}', parameters('location')), format('sac-{0}', parameters('location')), 'rc-ALZ')]" - ], - "kind": "Custom", - "properties": { - "description": "Deny VM Management inbound traffic", - "priority": 1000, - "sources": [ - { - "addressPrefixType": "ServiceTag", - "addressPrefix": "Internet" - } - ], - "destinationPortRanges": [ - "22", - "3389" - ], - "protocol": "Any", - "direction": "Inbound", - "access": "Deny" - } - } - ] - } - ] + ] + } + }, + { + "type": "Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections/rules", + "apiVersion": "2024-03-01", + "name": "[format('{0}/{1}/{2}/{3}', format('avnm-{0}', parameters('location')), format('sac-{0}', parameters('location')), 'rc-ALZ', 'DenyMgmtInbound')]", + "dependsOn": [ + "[resourceId('Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections', format('avnm-{0}', parameters('location')), format('sac-{0}', parameters('location')), 'rc-ALZ')]" + ], + "kind": "Custom", + "properties": { + "description": "Deny VM Management inbound traffic", + "priority": 1000, + "sources": [ + { + "addressPrefixType": "ServiceTag", + "addressPrefix": "Internet" + } + ], + "destinationPortRanges": [ + "22", + "3389" + ], + "protocol": "Any", + "direction": "Inbound", + "access": "Deny" + } } ] From 93c0c1fb095e6a48c6bb4319765c9fad4a0904f9 Mon Sep 17 00:00:00 2001 
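Review bot: The `rc-ALZ` rule collection still lists `ng-{location}-dynamic` in its `dependsOn` while `appliesToGroups` references only `ng-{location}-static`, so the dynamic group is created and waited on but never covered by the deny rule; the template states a dependency it does not use. Either add a second `{ "networkGroupId": "[resourceId('Microsoft.Network/networkManagers/networkGroups', format('avnm-{0}', parameters('location')), format('ng-{0}-dynamic', parameters('location')))]" }` entry to `appliesToGroups`, or drop the unused dependency. No visible hunk defines membership for either group, so this may be deliberate staging — if so, a one-line `metadata.description` on the rule collection saying which group is intended to carry spokes would make that clear. The stray blank line inside the `appliesToGroups` array can go as well.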
From: Sacha Narinx Date: Fri, 15 Nov 2024 13:24:43 +0400 Subject: [PATCH 075/226] Changing to subscription scope AVNM deployment --- eslzArm/eslzArm.json | 9 +- .../avnmConfiguration1.json | 196 ++++++++++++++++++ 2 files changed, 199 insertions(+), 6 deletions(-) create mode 100644 eslzArm/subscriptionTemplates/avnmConfiguration1.json diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json index a413e479cc..c20cdb0738 100644 --- a/eslzArm/eslzArm.json +++ b/eslzArm/eslzArm.json @@ -1699,7 +1699,7 @@ "initiativeDefinitions": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyDefinitions/initiatives.json')]", "preRequisites": "[uri(deployment().properties.templateLink.uri, 'prerequisites/deployPrerequisites.json')]", "alzSleep": "[uri(deployment().properties.templateLink.uri, 'prerequisites/dsSleep.json')]", - "avnmConnectivityHub": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/avnmConfiguration.json')]", + "avnmConnectivityHub": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/avnmConfiguration1.json')]", "vnetConnectivityHub": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/hubspoke-connectivity.json')]", "vwanConnectivityHub": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/vwan-connectivity.json')]", "nvaConnectivityHub": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/nvahubspoke-connectivity.json')]", 
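Review bot: The context line `"alzSleep": "[uri(deployment().properties.templateLink.uri, 'prerequisites/dsSleep.json')]"` still points at `prerequisites/dsSleep.json`, which patch 070 of this series deleted; if any deployment still links the `alzSleep` URI it will fail when the template is fetched, and if none does the variable is dead and should be removed in the same commit that removed the file. Switching `avnmConnectivityHub` to `avnmConfiguration1.json` also leaves the original `avnmConfiguration.json` in the tree as an orphaned template that still defines the security admin rules; a numbered copy is hard to tell apart from the live one, so rename the new file descriptively (or replace the original) so there is a single source of truth for what AVNM enforces.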
@@ -5191,10 +5191,10 @@ }, { // Deploy AVNM - "condition": "[and(not(empty(parameters('connectivitySubscriptionId'))), parameters('deployAVNM'))]", + "condition": "[and(or(equals(parameters('enableHub'), 'vhub'), equals(parameters('enableHub'), 'nva')), not(empty(parameters('connectivitySubscriptionId'))))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", - "scope": "[variables('scopes').connectivityManagementGroup]", + "subscriptionId": "[parameters('connectivitySubscriptionId')]", "name": "[variables('deploymentNames').avnmConnectivityHubDeploymentName]", "dependsOn": [ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').connectivitySubscriptionPlacement)]", @@ -5217,9 +5217,6 @@ "topLevelManagementGroupPrefix": { "value": "[parameters('enterpriseScaleCompanyPrefix')]" }, - "enableHub": { - "value": "[parameters('enableHub')]" - }, "location": { "value": "[parameters('connectivityLocation')]" }, diff --git a/eslzArm/subscriptionTemplates/avnmConfiguration1.json b/eslzArm/subscriptionTemplates/avnmConfiguration1.json new file mode 100644 index 0000000000..f16bd550fb --- /dev/null +++ b/eslzArm/subscriptionTemplates/avnmConfiguration1.json 
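Review bot: The new condition `[and(or(equals(parameters('enableHub'), 'vhub'), equals(parameters('enableHub'), 'nva')), not(empty(parameters('connectivitySubscriptionId'))))]` drops the `parameters('deployAVNM')` test that the removed line carried, so a Network Manager with `SecurityAdmin` scope is now created for every vhub/nva hub whether or not the operator opted in, and the `deployAVNM` parameter (and the portal checkbox bound to it) becomes dead input. If AVNM is meant to be mandatory, remove the parameter and checkbox so the UI does not promise a choice it no longer honours; otherwise keep `parameters('deployAVNM')` inside the `and(...)`. Moving the deployment from `scope: connectivityManagementGroup` to `subscriptionId: connectivitySubscriptionId` also narrows what the nested template can put in `networkManagerScopes`, so it is worth confirming that the deny rules are still intended to reach landing-zone spokes rather than only VNets in the connectivity subscription. The second hunk's parameter block continues outside this hunk.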
@@ -0,0 +1,196 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "maxLength": 10, + "defaultValue": "eslz", + "metadata": { + "description": "Provide a prefix (max 10 characters, unique at tenant-scope) for the Management Group hierarchy and other resources created as part of Enterprise-scale." + } + }, + "location": { + "type": "string", + "metadata": { + "displayName": "location", + "description": "Location of the HUB" + }, + "defaultValue": "[deployment().location]" + }, + "connectivitySubscriptionId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Provide the subscription id for the dedicated connectivity subscription." + } + }, + "managementGroupScope": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Management group scope for AVNM." + } + } + }, + "variables": { + "rgName": "[concat(parameters('topLevelManagementGroupPrefix'), '-avnm')]", + "resourceDeploymentName": "[take(concat(deployment().name, '-avnm', parameters('location')), 64)]" + }, + "resources": [ + { + "type": "Microsoft.Resources/resourceGroups", + "apiVersion": "2019-10-01", + "location": "[parameters('location')]", + "name": "[variables('rgName')]", + "properties": {} + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[variables('resourceDeploymentName')]", + "resourceGroup": "[variables('rgName')]", + "dependsOn": [ + "[concat('Microsoft.Resources/resourceGroups/', variables('rgName'))]" + ], + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "location": { + "value": "[parameters('location')]" + }, + "connectivitySubscriptionId": { + "value": "[parameters('connectivitySubscriptionId')]" + } + }, + "template": { + "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string" + }, + "connectivitySubscriptionId": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.Network/networkManagers", + "apiVersion": "2024-03-01", + "name": "[format('avnm-{0}', parameters('location'))]", + "location": "[parameters('location')]", + "properties": { + "networkManagerScopeAccesses": [ + "SecurityAdmin" + ], + "networkManagerScopes": { + "subscriptions": [ + "[format('/subscriptions/{0}', parameters('connectivitySubscriptionId'))]" + ], + "managementGroups": [] + } + }, + "dependsOn": [ + + ], + "metadata": { + "description": "This is the Azure Virtual Network Manager which will be used to implement the connected group for spoke-to-spoke connectivity." + } + }, + { + "type": "Microsoft.Network/networkManagers/networkGroups", + "apiVersion": "2024-03-01", + "name": "[format('{0}/{1}', format('avnm-{0}', parameters('location')), format('ng-{0}-static', parameters('location')))]", + "properties": { + "memberType": "VirtualNetwork", + "description": "Network Group - Static" + }, + "dependsOn": [ + "[resourceId('Microsoft.Network/networkManagers', format('avnm-{0}', parameters('location')))]" + ], + "metadata": { + "description": "This is the static network group for the spoke VNETs, and hub when topology is mesh." + } + }, + { + "type": "Microsoft.Network/networkManagers/networkGroups", + "apiVersion": "2024-03-01", + "name": "[format('{0}/{1}', format('avnm-{0}', parameters('location')), format('ng-{0}-dynamic', parameters('location')))]", + "properties": { + "memberType": "VirtualNetwork", + "description": "Network Group - Dynamic" + }, + "dependsOn": [ + "[resourceId('Microsoft.Network/networkManagers', format('avnm-{0}', parameters('location')))]" + ], + "metadata": { + "description": "This is the dynamic network group for the spoke VNETs, and hub when topology is mesh." 
+ } + }, + { + "type": "Microsoft.Network/networkManagers/securityAdminConfigurations", + "apiVersion": "2023-11-01", + "name": "[format('{0}/{1}', format('avnm-{0}', parameters('location')), format('sac-{0}', parameters('location')))]", + "dependsOn": [ + "[resourceId('Microsoft.Network/networkManagers', format('avnm-{0}', parameters('location')))]" + ], + "properties": { + "description": "ALZ Security Admin Configuration" + } + }, + { + "type": "Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections", + "apiVersion": "2024-03-01", + "name": "[format('{0}/{1}/{2}', format('avnm-{0}', parameters('location')), format('sac-{0}', parameters('location')), 'rc-ALZ')]", + "dependsOn": [ + "[resourceId('Microsoft.Network/networkManagers/securityAdminConfigurations', format('avnm-{0}', parameters('location')), format('sac-{0}', parameters('location')))]", + "[resourceId('Microsoft.Network/networkManagers/networkGroups', format('avnm-{0}', parameters('location')), format('ng-{0}-static', parameters('location')))]", + "[resourceId('Microsoft.Network/networkManagers/networkGroups', format('avnm-{0}', parameters('location')), format('ng-{0}-dynamic', parameters('location')))]" + ], + "properties": { + "appliesToGroups": [ + { + "networkGroupId": "[resourceId('Microsoft.Network/networkManagers/networkGroups', format('avnm-{0}', parameters('location')), format('ng-{0}-static', parameters('location')))]" + } + + ] + } + }, + { + "type": "Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections/rules", + "apiVersion": "2024-03-01", + "name": "[format('{0}/{1}/{2}/{3}', format('avnm-{0}', parameters('location')), format('sac-{0}', parameters('location')), 'rc-ALZ', 'DenyMgmtInbound')]", + "dependsOn": [ + "[resourceId('Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections', format('avnm-{0}', parameters('location')), format('sac-{0}', parameters('location')), 'rc-ALZ')]" + ], + "kind": "Custom", + "properties": { + 
"description": "Deny VM Management inbound traffic", + "priority": 1000, + "sources": [ + { + "addressPrefixType": "ServiceTag", + "addressPrefix": "Internet" + } + ], + "destinationPortRanges": [ + "22", + "3389" + ], + "protocol": "Any", + "direction": "Inbound", + "access": "Deny" + } + } + + ] + } + } + } + ], + "outputs": {} +} \ No newline at end of file From 9f59349c72839d3e8a544cee2573ffd245e9d8e8 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Fri, 15 Nov 2024 13:52:36 +0400 Subject: [PATCH 076/226] Remove obsolete avnmConfiguration1.json and update reference to avnmConfiguration.json in deployment template --- eslzArm/eslzArm.json | 2 +- .../avnmConfiguration.json | 295 ++++++++---------- .../avnmConfiguration1.json | 196 ------------ 3 files changed, 134 insertions(+), 359 deletions(-) delete mode 100644 eslzArm/subscriptionTemplates/avnmConfiguration1.json diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json index c20cdb0738..41edb58439 100644 --- a/eslzArm/eslzArm.json +++ b/eslzArm/eslzArm.json 
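Review bot: The `DenyMgmtInbound` rule is not enforced by this template on its own: the `ng-{location}-static` group it targets has no `staticMembers` defined and no policy-driven membership, and the security admin configuration is never committed to a region, so after this runs no VNet actually has 22/3389 from `Internet` blocked; a note in the `securityAdminConfigurations` metadata stating that membership and a commit are still required would stop readers assuming otherwise. The `networkManagers` metadata says it implements a connected group for spoke-to-spoke connectivity, yet `networkManagerScopeAccesses` only grants `SecurityAdmin`, so either add `"Connectivity"` or change the description to `"Azure Virtual Network Manager used to apply the ALZ security admin rules to the network groups below."`. The rule collection lists `ng-{location}-dynamic` in `dependsOn` but only the static group in `appliesToGroups`, which looks like either a leftover dependency or a missing group entry.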
@@ -1699,7 +1699,7 @@ "initiativeDefinitions": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyDefinitions/initiatives.json')]", "preRequisites": "[uri(deployment().properties.templateLink.uri, 'prerequisites/deployPrerequisites.json')]", "alzSleep": "[uri(deployment().properties.templateLink.uri, 'prerequisites/dsSleep.json')]", - "avnmConnectivityHub": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/avnmConfiguration1.json')]", + "avnmConnectivityHub": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/avnmConfiguration.json')]", "vnetConnectivityHub": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/hubspoke-connectivity.json')]", "vwanConnectivityHub": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/vwan-connectivity.json')]", "nvaConnectivityHub": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/nvahubspoke-connectivity.json')]", diff --git a/eslzArm/subscriptionTemplates/avnmConfiguration.json b/eslzArm/subscriptionTemplates/avnmConfiguration.json index d14ed19c28..4adab8f2b2 100644 --- a/eslzArm/subscriptionTemplates/avnmConfiguration.json +++ b/eslzArm/subscriptionTemplates/avnmConfiguration.json @@ -1,5 +1,5 @@ { - "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", "contentVersion": "1.0.0.0", "parameters": { "topLevelManagementGroupPrefix": { @@ -25,19 +25,6 @@ "description": "Provide the subscription id for the dedicated connectivity subscription." } }, - "enableHub": { - "type": "string", - "allowedValues": [ - "vhub", - "vwan", - "nva", - "No" - ], - "defaultValue": "No", - "metadata": { - "description": "Select whether the virtual network hub should be deployed or not." - } - }, "managementGroupScope": { "type": "string", "defaultValue": "", 
@@ -52,172 +39,156 @@ }, "resources": [ { - // Conditionally deploy virtual network hub - "condition": "[and(or(equals(parameters('enableHub'), 'vhub'), equals(parameters('enableHub'), 'nva')), not(empty(parameters('connectivitySubscriptionId'))))]", - "type": "Microsoft.Resources/deployments", + "type": "Microsoft.Resources/resourceGroups", "apiVersion": "2019-10-01", "location": "[parameters('location')]", - "name": "[concat('alz-', parameters('location'), '-', substring(uniqueString(parameters('connectivitySubscriptionId')),0,6), '-connectivityAVNM')]", - "subscriptionId": "[parameters('connectivitySubscriptionId')]", + "name": "[variables('rgName')]", + "properties": {} + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[variables('resourceDeploymentName')]", + "resourceGroup": "[variables('rgName')]", + "dependsOn": [ + "[concat('Microsoft.Resources/resourceGroups/', variables('rgName'))]" + ], "properties": { "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "location": { + "value": "[parameters('location')]" + }, + "connectivitySubscriptionId": { + "value": "[parameters('connectivitySubscriptionId')]" + } + }, "template": { - "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string" + }, + "connectivitySubscriptionId": { + "type": "string" + } + }, "resources": [ { - "type": "Microsoft.Resources/resourceGroups", - "apiVersion": "2019-10-01", + "type": "Microsoft.Network/networkManagers", + "apiVersion": "2024-03-01", + "name": "[format('avnm-{0}', parameters('location'))]", "location": "[parameters('location')]", - "name": "[variables('rgName')]", - "properties": {} + "properties": { + "networkManagerScopeAccesses": [ + "SecurityAdmin" + ], + 
"networkManagerScopes": { + "subscriptions": [ + "[format('/subscriptions/{0}', parameters('connectivitySubscriptionId'))]" + ], + "managementGroups": [ + "[parameters('managementGroupScope')]" + ] + } + }, + "dependsOn": [ + + ], + "metadata": { + "description": "This is the Azure Virtual Network Manager which will be used to implement the connected group for spoke-to-spoke connectivity." + } + }, + { + "type": "Microsoft.Network/networkManagers/networkGroups", + "apiVersion": "2024-03-01", + "name": "[format('{0}/{1}', format('avnm-{0}', parameters('location')), format('ng-{0}-static', parameters('location')))]", + "properties": { + "memberType": "VirtualNetwork", + "description": "Network Group - Static" + }, + "dependsOn": [ + "[resourceId('Microsoft.Network/networkManagers', format('avnm-{0}', parameters('location')))]" + ], + "metadata": { + "description": "This is the static network group for the spoke VNETs, and hub when topology is mesh." + } + }, + { + "type": "Microsoft.Network/networkManagers/networkGroups", + "apiVersion": "2024-03-01", + "name": "[format('{0}/{1}', format('avnm-{0}', parameters('location')), format('ng-{0}-dynamic', parameters('location')))]", + "properties": { + "memberType": "VirtualNetwork", + "description": "Network Group - Dynamic" + }, + "dependsOn": [ + "[resourceId('Microsoft.Network/networkManagers', format('avnm-{0}', parameters('location')))]" + ], + "metadata": { + "description": "This is the dynamic network group for the spoke VNETs, and hub when topology is mesh." 
+ } }, { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2019-10-01", - "name": "[variables('resourceDeploymentName')]", - "resourceGroup": "[variables('rgName')]", + "type": "Microsoft.Network/networkManagers/securityAdminConfigurations", + "apiVersion": "2023-11-01", + "name": "[format('{0}/{1}', format('avnm-{0}', parameters('location')), format('sac-{0}', parameters('location')))]", "dependsOn": [ - "[concat('Microsoft.Resources/resourceGroups/', variables('rgName'))]" + "[resourceId('Microsoft.Network/networkManagers', format('avnm-{0}', parameters('location')))]" ], "properties": { - "mode": "Incremental", - "expressionEvaluationOptions": { - "scope": "inner" - }, - "parameters": { - "location": { - "value": "[parameters('location')]" - }, - "connectivitySubscriptionId": { - "value": "[parameters('connectivitySubscriptionId')]" + "description": "ALZ Security Admin Configuration" + } + }, + { + "type": "Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections", + "apiVersion": "2024-03-01", + "name": "[format('{0}/{1}/{2}', format('avnm-{0}', parameters('location')), format('sac-{0}', parameters('location')), 'rc-ALZ')]", + "dependsOn": [ + "[resourceId('Microsoft.Network/networkManagers/securityAdminConfigurations', format('avnm-{0}', parameters('location')), format('sac-{0}', parameters('location')))]", + "[resourceId('Microsoft.Network/networkManagers/networkGroups', format('avnm-{0}', parameters('location')), format('ng-{0}-static', parameters('location')))]", + "[resourceId('Microsoft.Network/networkManagers/networkGroups', format('avnm-{0}', parameters('location')), format('ng-{0}-dynamic', parameters('location')))]" + ], + "properties": { + "appliesToGroups": [ + { + "networkGroupId": "[resourceId('Microsoft.Network/networkManagers/networkGroups', format('avnm-{0}', parameters('location')), format('ng-{0}-static', parameters('location')))]" } - }, - "template": { - "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "location": { - "type": "string" - }, - "connectivitySubscriptionId": { - "type": "string" - } - }, - "resources": [ - { - "type": "Microsoft.Network/networkManagers", - "apiVersion": "2024-03-01", - "name": "[format('avnm-{0}', parameters('location'))]", - "location": "[parameters('location')]", - "properties": { - "networkManagerScopeAccesses": [ - "SecurityAdmin" - ], - "networkManagerScopes": { - "subscriptions": [ - "[format('/subscriptions/{0}', parameters('connectivitySubscriptionId'))]" - ], - "managementGroups": [] - } - }, - "dependsOn": [ - - ], - "metadata": { - "description": "This is the Azure Virtual Network Manager which will be used to implement the connected group for spoke-to-spoke connectivity." - } - }, - { - "type": "Microsoft.Network/networkManagers/networkGroups", - "apiVersion": "2024-03-01", - "name": "[format('{0}/{1}', format('avnm-{0}', parameters('location')), format('ng-{0}-static', parameters('location')))]", - "properties": { - "memberType": "VirtualNetwork", - "description": "Network Group - Static" - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/networkManagers', format('avnm-{0}', parameters('location')))]" - ], - "metadata": { - "description": "This is the static network group for the spoke VNETs, and hub when topology is mesh." - } - }, - { - "type": "Microsoft.Network/networkManagers/networkGroups", - "apiVersion": "2024-03-01", - "name": "[format('{0}/{1}', format('avnm-{0}', parameters('location')), format('ng-{0}-dynamic', parameters('location')))]", - "properties": { - "memberType": "VirtualNetwork", - "description": "Network Group - Dynamic" - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/networkManagers', format('avnm-{0}', parameters('location')))]" - ], - "metadata": { - "description": "This is the dynamic network group for the spoke VNETs, and hub when topology is mesh." 
- } - }, - { - "type": "Microsoft.Network/networkManagers/securityAdminConfigurations", - "apiVersion": "2023-11-01", - "name": "[format('{0}/{1}', format('avnm-{0}', parameters('location')), format('sac-{0}', parameters('location')))]", - "dependsOn": [ - "[resourceId('Microsoft.Network/networkManagers', format('avnm-{0}', parameters('location')))]" - ], - "properties": { - "description": "ALZ Security Admin Configuration" - } - }, - { - "type": "Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections", - "apiVersion": "2024-03-01", - "name": "[format('{0}/{1}/{2}', format('avnm-{0}', parameters('location')), format('sac-{0}', parameters('location')), 'rc-ALZ')]", - "dependsOn": [ - "[resourceId('Microsoft.Network/networkManagers/securityAdminConfigurations', format('avnm-{0}', parameters('location')), format('sac-{0}', parameters('location')))]", - "[resourceId('Microsoft.Network/networkManagers/networkGroups', format('avnm-{0}', parameters('location')), format('ng-{0}-static', parameters('location')))]", - "[resourceId('Microsoft.Network/networkManagers/networkGroups', format('avnm-{0}', parameters('location')), format('ng-{0}-dynamic', parameters('location')))]" - ], - "properties": { - "appliesToGroups": [ - { - "networkGroupId": "[resourceId('Microsoft.Network/networkManagers/networkGroups', format('avnm-{0}', parameters('location')), format('ng-{0}-static', parameters('location')))]" - } - ] - } - }, - { - "type": "Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections/rules", - "apiVersion": "2024-03-01", - "name": "[format('{0}/{1}/{2}/{3}', format('avnm-{0}', parameters('location')), format('sac-{0}', parameters('location')), 'rc-ALZ', 'DenyMgmtInbound')]", - "dependsOn": [ - "[resourceId('Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections', format('avnm-{0}', parameters('location')), format('sac-{0}', parameters('location')), 'rc-ALZ')]" - ], - "kind": "Custom", - "properties": { - 
"description": "Deny VM Management inbound traffic", - "priority": 1000, - "sources": [ - { - "addressPrefixType": "ServiceTag", - "addressPrefix": "Internet" - } - ], - "destinationPortRanges": [ - "22", - "3389" - ], - "protocol": "Any", - "direction": "Inbound", - "access": "Deny" - } - } - - ] - } + ] + } + }, + { + "type": "Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections/rules", + "apiVersion": "2024-03-01", + "name": "[format('{0}/{1}/{2}/{3}', format('avnm-{0}', parameters('location')), format('sac-{0}', parameters('location')), 'rc-ALZ', 'DenyMgmtInbound')]", + "dependsOn": [ + "[resourceId('Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections', format('avnm-{0}', parameters('location')), format('sac-{0}', parameters('location')), 'rc-ALZ')]" + ], + "kind": "Custom", + "properties": { + "description": "Deny VM Management inbound traffic", + "priority": 1000, + "sources": [ + { + "addressPrefixType": "ServiceTag", + "addressPrefix": "Internet" + } + ], + "destinationPortRanges": [ + "22", + "3389" + ], + "protocol": "Any", + "direction": "Inbound", + "access": "Deny" } } + ] } } diff --git a/eslzArm/subscriptionTemplates/avnmConfiguration1.json b/eslzArm/subscriptionTemplates/avnmConfiguration1.json deleted file mode 100644 index f16bd550fb..0000000000 --- a/eslzArm/subscriptionTemplates/avnmConfiguration1.json +++ /dev/null 
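Review bot: `managementGroupScope` is declared earlier in this file with `"defaultValue": ""` but is now inserted verbatim into `networkManagerScopes.managementGroups`, so a caller that leaves it unset produces an empty scope ID that the network manager PUT will reject; either drop the default or build the array conditionally, `"managementGroups": "[if(empty(parameters('managementGroupScope')), createArray(), createArray(parameters('managementGroupScope')))]"`. The resource also deserves a caveat in its `metadata.description`: with `SecurityAdmin` access at management-group scope, rules committed from this manager override NSGs on every VNet beneath that group, so write access to the `{prefix}-avnm` resource group becomes a tenant-wide network-control privilege and should be restricted accordingly. If the connectivity subscription sits under that management group, the explicit `subscriptions` entry is redundant and, I believe, may be rejected as an overlapping scope; verify before relying on both.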
@@ -1,196 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "topLevelManagementGroupPrefix": { - "type": "string", - "maxLength": 10, - "defaultValue": "eslz", - "metadata": { - "description": "Provide a prefix (max 10 characters, unique at tenant-scope) for the Management Group hierarchy and other resources created as part of Enterprise-scale." - } - }, - "location": { - "type": "string", - "metadata": { - "displayName": "location", - "description": "Location of the HUB" - }, - "defaultValue": "[deployment().location]" - }, - "connectivitySubscriptionId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Provide the subscription id for the dedicated connectivity subscription." - } - }, - "managementGroupScope": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Management group scope for AVNM." - } - } - }, - "variables": { - "rgName": "[concat(parameters('topLevelManagementGroupPrefix'), '-avnm')]", - "resourceDeploymentName": "[take(concat(deployment().name, '-avnm', parameters('location')), 64)]" - }, - "resources": [ - { - "type": "Microsoft.Resources/resourceGroups", - "apiVersion": "2019-10-01", - "location": "[parameters('location')]", - "name": "[variables('rgName')]", - "properties": {} - }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2019-10-01", - "name": "[variables('resourceDeploymentName')]", - "resourceGroup": "[variables('rgName')]", - "dependsOn": [ - "[concat('Microsoft.Resources/resourceGroups/', variables('rgName'))]" - ], - "properties": { - "mode": "Incremental", - "expressionEvaluationOptions": { - "scope": "inner" - }, - "parameters": { - "location": { - "value": "[parameters('location')]" - }, - "connectivitySubscriptionId": { - "value": "[parameters('connectivitySubscriptionId')]" - } - }, - "template": { - "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "location": { - "type": "string" - }, - "connectivitySubscriptionId": { - "type": "string" - } - }, - "resources": [ - { - "type": "Microsoft.Network/networkManagers", - "apiVersion": "2024-03-01", - "name": "[format('avnm-{0}', parameters('location'))]", - "location": "[parameters('location')]", - "properties": { - "networkManagerScopeAccesses": [ - "SecurityAdmin" - ], - "networkManagerScopes": { - "subscriptions": [ - "[format('/subscriptions/{0}', parameters('connectivitySubscriptionId'))]" - ], - "managementGroups": [] - } - }, - "dependsOn": [ - - ], - "metadata": { - "description": "This is the Azure Virtual Network Manager which will be used to implement the connected group for spoke-to-spoke connectivity." - } - }, - { - "type": "Microsoft.Network/networkManagers/networkGroups", - "apiVersion": "2024-03-01", - "name": "[format('{0}/{1}', format('avnm-{0}', parameters('location')), format('ng-{0}-static', parameters('location')))]", - "properties": { - "memberType": "VirtualNetwork", - "description": "Network Group - Static" - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/networkManagers', format('avnm-{0}', parameters('location')))]" - ], - "metadata": { - "description": "This is the static network group for the spoke VNETs, and hub when topology is mesh." - } - }, - { - "type": "Microsoft.Network/networkManagers/networkGroups", - "apiVersion": "2024-03-01", - "name": "[format('{0}/{1}', format('avnm-{0}', parameters('location')), format('ng-{0}-dynamic', parameters('location')))]", - "properties": { - "memberType": "VirtualNetwork", - "description": "Network Group - Dynamic" - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/networkManagers', format('avnm-{0}', parameters('location')))]" - ], - "metadata": { - "description": "This is the dynamic network group for the spoke VNETs, and hub when topology is mesh." 
- } - }, - { - "type": "Microsoft.Network/networkManagers/securityAdminConfigurations", - "apiVersion": "2023-11-01", - "name": "[format('{0}/{1}', format('avnm-{0}', parameters('location')), format('sac-{0}', parameters('location')))]", - "dependsOn": [ - "[resourceId('Microsoft.Network/networkManagers', format('avnm-{0}', parameters('location')))]" - ], - "properties": { - "description": "ALZ Security Admin Configuration" - } - }, - { - "type": "Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections", - "apiVersion": "2024-03-01", - "name": "[format('{0}/{1}/{2}', format('avnm-{0}', parameters('location')), format('sac-{0}', parameters('location')), 'rc-ALZ')]", - "dependsOn": [ - "[resourceId('Microsoft.Network/networkManagers/securityAdminConfigurations', format('avnm-{0}', parameters('location')), format('sac-{0}', parameters('location')))]", - "[resourceId('Microsoft.Network/networkManagers/networkGroups', format('avnm-{0}', parameters('location')), format('ng-{0}-static', parameters('location')))]", - "[resourceId('Microsoft.Network/networkManagers/networkGroups', format('avnm-{0}', parameters('location')), format('ng-{0}-dynamic', parameters('location')))]" - ], - "properties": { - "appliesToGroups": [ - { - "networkGroupId": "[resourceId('Microsoft.Network/networkManagers/networkGroups', format('avnm-{0}', parameters('location')), format('ng-{0}-static', parameters('location')))]" - } - - ] - } - }, - { - "type": "Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections/rules", - "apiVersion": "2024-03-01", - "name": "[format('{0}/{1}/{2}/{3}', format('avnm-{0}', parameters('location')), format('sac-{0}', parameters('location')), 'rc-ALZ', 'DenyMgmtInbound')]", - "dependsOn": [ - "[resourceId('Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections', format('avnm-{0}', parameters('location')), format('sac-{0}', parameters('location')), 'rc-ALZ')]" - ], - "kind": "Custom", - "properties": { - 
"description": "Deny VM Management inbound traffic", - "priority": 1000, - "sources": [ - { - "addressPrefixType": "ServiceTag", - "addressPrefix": "Internet" - } - ], - "destinationPortRanges": [ - "22", - "3389" - ], - "protocol": "Any", - "direction": "Inbound", - "access": "Deny" - } - } - - ] - } - } - } - ], - "outputs": {} -} \ No newline at end of file From 39541bf7e3c29a97d345cdef83a9c2670e1f52f9 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Fri, 15 Nov 2024 13:57:31 +0400 Subject: [PATCH 077/226] Add managementGroupScope parameter to AVNM configuration --- eslzArm/subscriptionTemplates/avnmConfiguration.json | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/eslzArm/subscriptionTemplates/avnmConfiguration.json b/eslzArm/subscriptionTemplates/avnmConfiguration.json index 4adab8f2b2..6e5432fa79 100644 --- a/eslzArm/subscriptionTemplates/avnmConfiguration.json +++ b/eslzArm/subscriptionTemplates/avnmConfiguration.json @@ -64,6 +64,9 @@ }, "connectivitySubscriptionId": { "value": "[parameters('connectivitySubscriptionId')]" + }, + "managementGroupScope": { + "value": "[parameters('managementGroupScope')]" } }, "template": { @@ -75,6 +78,9 @@ }, "connectivitySubscriptionId": { "type": "string" + }, + "managementGroupScope": { + "type": "string" } }, "resources": [ From bf22332c720701dc5e0201bd3ec621b3de49f83d Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Fri, 15 Nov 2024 14:30:00 +0400 Subject: [PATCH 078/226] Remove unused ds-prereqs.ps1 script, clean up deployPrerequisites.json, and update avnmConfiguration.json for improved clarity --- eslzArm/prerequisites/deployPrerequisites.json | 1 - eslzArm/prerequisites/ds-prereqs.ps1 | 13 ------------- .../subscriptionTemplates/avnmConfiguration.json | 2 +- 3 files changed, 1 insertion(+), 15 deletions(-) delete mode 100644 eslzArm/prerequisites/ds-prereqs.ps1 diff --git a/eslzArm/prerequisites/deployPrerequisites.json b/eslzArm/prerequisites/deployPrerequisites.json index c9aa73e39a..02d1588b1b 100644 
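Review bot: The inner template's new `managementGroupScope` parameter is an unconstrained string with no `metadata.description`, unlike the outer declaration, even though it ends up as a scope ID on the network manager. Adding `"minLength": 1` and `"metadata": { "description": "Resource ID of the management group that forms the network manager's scope, e.g. /providers/Microsoft.Management/managementGroups/<id>." }` makes a missing value fail at template validation rather than at the resource PUT. The `resources` array this parameter feeds continues past the end of the hunk.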
--- a/eslzArm/prerequisites/deployPrerequisites.json +++ b/eslzArm/prerequisites/deployPrerequisites.json @@ -154,7 +154,6 @@ ) $result = Invoke-AzRestMethod -Method POST -Uri \"https://management.azure.com/providers/Microsoft.Management/managementGroups/$eslzRootName/providers/Microsoft.Network/register?api-version=2021-04-01\" - #Write-Output $result #Sleep for 30 minutes to wait for Management Groups to load to cache before assignments Start-Sleep -Duration (New-TimeSpan -Minutes 10) diff --git a/eslzArm/prerequisites/ds-prereqs.ps1 b/eslzArm/prerequisites/ds-prereqs.ps1 deleted file mode 100644 index eba06b83ec..0000000000 --- a/eslzArm/prerequisites/ds-prereqs.ps1 +++ /dev/null @@ -1,13 +0,0 @@ -<# - Script to deploy pre-requisites needed for the deployment of the Azure Landing Zone -#> - -# Parameter help description -param( - [Parameter(Mandatory=$true, HelpMessage="Enter the ESLZ root name.")] - [string] - $eslzRootName -) - -# Register Microsoft.Network resource provider with eslzRoot -Invoke-AzRestMethod -Method POST -Uri "https://management.azure.com/providers/Microsoft.Management/managementGroups/$eslzRootName/providers/Microsoft.Network/register?api-version=2021-04-01" \ No newline at end of file diff --git a/eslzArm/subscriptionTemplates/avnmConfiguration.json b/eslzArm/subscriptionTemplates/avnmConfiguration.json index 6e5432fa79..b8af561504 100644 --- a/eslzArm/subscriptionTemplates/avnmConfiguration.json +++ b/eslzArm/subscriptionTemplates/avnmConfiguration.json @@ -95,7 +95,7 @@ ], "networkManagerScopes": { "subscriptions": [ - "[format('/subscriptions/{0}', parameters('connectivitySubscriptionId'))]" + ], "managementGroups": [ "[parameters('managementGroupScope')]" From 05d3531ed0cd07c4b72fb65c0a1c24695f229d83 Mon Sep 17 00:00:00 2001 
From: Sacha Narinx
Date: Fri, 15 Nov 2024 14:47:32 +0400
Subject: [PATCH 079/226] Another cleanup
---
 eslzArm/eslzArm.json | 3 ---
 .../subscriptionTemplates/avnmConfiguration.json | 13 -------------
 2 files changed, 16 deletions(-)
diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json
index 41edb58439..95882cf64e 100644
--- a/eslzArm/eslzArm.json
+++ b/eslzArm/eslzArm.json
@@ -5220,9 +5220,6 @@
 "location": {
 "value": "[parameters('connectivityLocation')]"
 },
- "connectivitySubscriptionId": {
- "value": "[parameters('connectivitySubscriptionId')]"
- },
 "managementGroupScope": {
 "value": "[variables('scopes').eslzRootManagementGroup]"
 }
diff --git a/eslzArm/subscriptionTemplates/avnmConfiguration.json b/eslzArm/subscriptionTemplates/avnmConfiguration.json
index b8af561504..185d5ea6a7 100644
--- a/eslzArm/subscriptionTemplates/avnmConfiguration.json
+++ b/eslzArm/subscriptionTemplates/avnmConfiguration.json
@@ -18,13 +18,6 @@
 },
 "defaultValue": "[deployment().location]"
 },
- "connectivitySubscriptionId": {
- "type": "string",
- "defaultValue": "",
- "metadata": {
- "description": "Provide the subscription id for the dedicated connectivity subscription."
- }
- },
 "managementGroupScope": {
 "type": "string",
 "defaultValue": "",
@@ -62,9 +55,6 @@
 "location": {
 "value": "[parameters('location')]"
 },
- "connectivitySubscriptionId": {
- "value": "[parameters('connectivitySubscriptionId')]"
- },
 "managementGroupScope": {
 "value": "[parameters('managementGroupScope')]"
 }
@@ -76,9 +66,6 @@
 "location": {
 "type": "string"
 },
- "connectivitySubscriptionId": {
- "type": "string"
- },
 "managementGroupScope": {
 "type": "string"
 }
From e9651cf6a3a05f1cdd39dbe3bc0ccd1b0a87ffcb Mon Sep 17 00:00:00 2001
From: Sacha Narinx
Date: Fri, 15 Nov 2024 15:39:00 +0400
Subject: [PATCH 080/226] Delaying the MG RP registration
---
 eslzArm/prerequisites/deployPrerequisites.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/eslzArm/prerequisites/deployPrerequisites.json b/eslzArm/prerequisites/deployPrerequisites.json index 02d1588b1b..ca30188d51 100644 --- a/eslzArm/prerequisites/deployPrerequisites.json +++ b/eslzArm/prerequisites/deployPrerequisites.json @@ -153,10 +153,10 @@ $eslzRootName ) - $result = Invoke-AzRestMethod -Method POST -Uri \"https://management.azure.com/providers/Microsoft.Management/managementGroups/$eslzRootName/providers/Microsoft.Network/register?api-version=2021-04-01\" - #Sleep for 30 minutes to wait for Management Groups to load to cache before assignments Start-Sleep -Duration (New-TimeSpan -Minutes 10) + + $result = Invoke-AzRestMethod -Method POST -Uri \"https://management.azure.com/providers/Microsoft.Management/managementGroups/$eslzRootName/providers/Microsoft.Network/register?api-version=2021-04-01\" " }, "metadata": { From 478b468b5abc6b2fec7e7bb8d2bedca74d807394 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Fri, 15 Nov 2024 16:16:31 +0400 Subject: [PATCH 081/226] AMBA deployment dependency on wait (prereqs) --- eslzArm/eslzArm.json | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json index 95882cf64e..033c655913 100644 --- a/eslzArm/eslzArm.json +++ b/eslzArm/eslzArm.json @@ -2234,7 +2234,8 @@ "scope": "[concat('Microsoft.Management/managementGroups/', parameters('enterpriseScaleCompanyPrefix'))]", "dependsOn": [ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtGroupDeploymentName)]", - "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').mgmtGroupLiteDeploymentName)]" + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').mgmtGroupLiteDeploymentName)]", + "alz-prerequisites" ], "properties": { "mode": "Incremental", 
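Review bot: `$result` from `Invoke-AzRestMethod` is still assigned but never examined, so a failed `Microsoft.Network` registration on the management group (for example a 403 because the deployment-script identity lacks rights on `$eslzRootName`, or a 404 if the group is not yet visible) is silently swallowed and the later AVNM deployment fails with a far less obvious error. After the call add `if ($result.StatusCode -ge 300) { throw \"Microsoft.Network registration on $eslzRootName failed ($($result.StatusCode)): $($result.Content)\" }` (quotes escaped as elsewhere in this JSON string) so the prerequisites deployment itself reports the problem. The script's surrounding `scriptContent` and the deployment-script `timeout` that must cover the sleep plus this call are outside the hunk.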
@@ -2339,7 +2340,8 @@ "location": "[deployment().location]", "scope": "[concat('Microsoft.Management/managementGroups/', parameters('enterpriseScaleCompanyPrefix'))]", "dependsOn": [ - "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').mgmtGroupLiteDeploymentName)]" + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').mgmtGroupLiteDeploymentName)]", + "alz-prerequisites" ], "properties": { "mode": "Incremental", From 7f3de4f7e7e54fecd12eb3211684c1bf78d1e28e Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Fri, 15 Nov 2024 18:30:33 +0400 Subject: [PATCH 082/226] Eish 30 minutes --- eslzArm/prerequisites/deployPrerequisites.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/eslzArm/prerequisites/deployPrerequisites.json b/eslzArm/prerequisites/deployPrerequisites.json index ca30188d51..8bdf9f648f 100644 --- a/eslzArm/prerequisites/deployPrerequisites.json +++ b/eslzArm/prerequisites/deployPrerequisites.json @@ -154,7 +154,7 @@ ) #Sleep for 30 minutes to wait for Management Groups to load to cache before assignments - Start-Sleep -Duration (New-TimeSpan -Minutes 10) + Start-Sleep -Duration (New-TimeSpan -Minutes 30) $result = Invoke-AzRestMethod -Method POST -Uri \"https://management.azure.com/providers/Microsoft.Management/managementGroups/$eslzRootName/providers/Microsoft.Network/register?api-version=2021-04-01\" " From ccdffbd20b1e3323c4a3ad94091577d99e406448 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Mon, 18 Nov 2024 12:23:33 +0400 Subject: [PATCH 083/226] Doc updates --- docs/wiki/Whats-new.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/docs/wiki/Whats-new.md b/docs/wiki/Whats-new.md index 177d9d058c..c77ae707c0 100644 --- a/docs/wiki/Whats-new.md +++ b/docs/wiki/Whats-new.md 
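Review bot: The sleep value has now moved between 10 and 30 minutes across consecutive commits, and the comment explains what the wait is but not why 30 was chosen, so the next person will tune it blind. Record the reason on the comment line, e.g. `#Sleep for 30 minutes: management group hierarchy must be cached before role/policy assignments; 10 minutes was observed to be insufficient (see PATCH 082)`, and consider exposing the duration as a template parameter so it is not edited in place. The deployment script's `timeout` is outside this hunk; it should be confirmed to exceed the sleep.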
@@ -50,6 +50,9 @@ Here's what's changed in Enterprise Scale/Azure Landing Zones: ### 🔃 Policy Refresh Q2 FY25 +- [PREVIEW] Added ability to deploy Virtual Network Manager through the portal accelerator with support for Security Admin. +- [Important] To support the configuration of AVNM, we've had to included a deployment script to configure the Microsoft.Network resource provider on the intermediate root management group. + - Additionally, due to performance improvements of ARM, we've also had to change the "wait" process in the portal accelerator. We are now using the same deployment script with a "Start-Sleep" PowerShell command which is far more reliable. - Fixed a Portal Accelerator bug that results in failed deployment when choosing not to deploy policies to the Identity management group. - Updated the display name of the many `Effect` parameters to clearly identify the policy it applies to in the initiative [Enforce recommended guardrails for Azure Key Vault](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-KeyVault.html). - Updated the policy and policySet definition API version `2023-04-01` to supporting policy versioning. In this repo, this is used in the master policies.json and initiatives.json files, that are built from individual policy and initiative files in the src folder. From 2722f2cb194f4420286eb0915d22dfcf1c704345 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Mon, 18 Nov 2024 12:33:36 +0400 Subject: [PATCH 084/226] Adding additional default rules --- .../avnmConfiguration.json | 90 +++++++++++++++++++ 1 file changed, 90 insertions(+) diff --git a/eslzArm/subscriptionTemplates/avnmConfiguration.json b/eslzArm/subscriptionTemplates/avnmConfiguration.json index 185d5ea6a7..5651c47043 100644 --- a/eslzArm/subscriptionTemplates/avnmConfiguration.json +++ b/eslzArm/subscriptionTemplates/avnmConfiguration.json 
@@ -180,6 +180,96 @@ "direction": "Inbound", "access": "Deny" } + }, + { + "type": "Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections/rules", + "apiVersion": "2024-03-01", + "name": "[format('{0}/{1}/{2}/{3}', format('avnm-{0}', parameters('location')), format('sac-{0}', parameters('location')), 'rc-ALZ', 'DenyHighRiskInboundTCP')]", + "dependsOn": [ + "[resourceId('Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections', format('avnm-{0}', parameters('location')), format('sac-{0}', parameters('location')), 'rc-ALZ')]" + ], + "kind": "Custom", + "properties": { + "description": "Deny high-risk TCP inbound traffic", + "priority": 1001, + "sources": [ + { + "addressPrefixType": "ServiceTag", + "addressPrefix": "Internet" + } + ], + "destinationPortRanges": [ + "20", + "21", + "23", + "119", + "161", + "445", + "512", + "514", + "873", + "5800", + "5900" + ], + "protocol": "TCP", + "direction": "Inbound", + "access": "Deny" + } + }, + { + "type": "Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections/rules", + "apiVersion": "2024-03-01", + "name": "[format('{0}/{1}/{2}/{3}', format('avnm-{0}', parameters('location')), format('sac-{0}', parameters('location')), 'rc-ALZ', 'DenyHighRiskInboundUDP')]", + "dependsOn": [ + "[resourceId('Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections', format('avnm-{0}', parameters('location')), format('sac-{0}', parameters('location')), 'rc-ALZ')]" + ], + "kind": "Custom", + "properties": { + "description": "Deny high-risk UDP inbound traffic", + "priority": 1002, + "sources": [ + { + "addressPrefixType": "ServiceTag", + "addressPrefix": "Internet" + } + ], + "destinationPortRanges": [ + "69", + "11211" + ], + "protocol": "UDP", + "direction": "Inbound", + "access": "Deny" + } + }, + { + "type": "Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections/rules", + "apiVersion": "2024-03-01", + "name": 
"[format('{0}/{1}/{2}/{3}', format('avnm-{0}', parameters('location')), format('sac-{0}', parameters('location')), 'rc-ALZ', 'DenyHighRiskInboundANY')]", + "dependsOn": [ + "[resourceId('Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections', format('avnm-{0}', parameters('location')), format('sac-{0}', parameters('location')), 'rc-ALZ')]" + ], + "kind": "Custom", + "properties": { + "description": "Deny high-risk ANY inbound traffic", + "priority": 1003, + "sources": [ + { + "addressPrefixType": "ServiceTag", + "addressPrefix": "Internet" + } + ], + "destinationPortRanges": [ + "111", + "135", + "162", + "593", + "2049" + ], + "protocol": "Any", + "direction": "Inbound", + "access": "Deny" + } } ] From 8f9842af55ceea14cbb07ed35bc041cd715dd950 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Mon, 18 Nov 2024 12:35:05 +0400 Subject: [PATCH 085/226] . --- docs/wiki/Whats-new.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/wiki/Whats-new.md b/docs/wiki/Whats-new.md index c77ae707c0..db0966c433 100644 --- a/docs/wiki/Whats-new.md +++ b/docs/wiki/Whats-new.md 
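Review bot: Nothing in the three new rules documents that an AVNM security admin rule with `"access": "Deny"` is evaluated before any NSG and cannot be relaxed by an NSG on the spoke, which is the property an operator most needs to know before these land on every VNet in the applied groups. Each rule has a `description` that only restates the name; a `metadata.description` such as `Baseline deny from the Internet service tag (which includes Azure-owned public address space) for ports Microsoft lists as high-risk; enforced ahead of NSGs and not overridable per spoke` would make the intent and precedence explicit. The rules omit `destinations` and `sourcePortRanges`, which means any destination and any source port; if that is intended, saying so in the same description avoids a later "missing field" edit.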
@@ -50,7 +50,7 @@ Here's what's changed in Enterprise Scale/Azure Landing Zones: ### 🔃 Policy Refresh Q2 FY25 -- [PREVIEW] Added ability to deploy Virtual Network Manager through the portal accelerator with support for Security Admin. +- [PREVIEW] Added ability to deploy Virtual Network Manager through the portal accelerator with support for Security Admin, including default rules blocking high-risk ports [read more](https://learn.microsoft.com/en-us/azure/virtual-network-manager/concept-security-admins). - [Important] To support the configuration of AVNM, we've had to included a deployment script to configure the Microsoft.Network resource provider on the intermediate root management group. - Additionally, due to performance improvements of ARM, we've also had to change the "wait" process in the portal accelerator. We are now using the same deployment script with a "Start-Sleep" PowerShell command which is far more reliable. - Fixed a Portal Accelerator bug that results in failed deployment when choosing not to deploy policies to the Identity management group. From 5745ec879a80901b0858eaf575367ef21503c362 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Mon, 18 Nov 2024 12:38:35 +0400 Subject: [PATCH 086/226] . --- docs/wiki/Whats-new.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/wiki/Whats-new.md b/docs/wiki/Whats-new.md index db0966c433..3b388f1d83 100644 --- a/docs/wiki/Whats-new.md +++ b/docs/wiki/Whats-new.md 
@@ -50,8 +50,8 @@ Here's what's changed in Enterprise Scale/Azure Landing Zones: ### 🔃 Policy Refresh Q2 FY25 -- [PREVIEW] Added ability to deploy Virtual Network Manager through the portal accelerator with support for Security Admin, including default rules blocking high-risk ports [read more](https://learn.microsoft.com/en-us/azure/virtual-network-manager/concept-security-admins). -- [Important] To support the configuration of AVNM, we've had to included a deployment script to configure the Microsoft.Network resource provider on the intermediate root management group. +- [PREVIEW] Added ability to deploy Virtual Network Manager through the portal accelerator with support for Security Admin feature, including default rules blocking high-risk ports [read more](https://learn.microsoft.com/en-us/azure/virtual-network-manager/concept-security-admins). +- [Important] To support the configuration of AVNM, we've had to included a deployment script to configure the Microsoft.Network resource provider on the intermediate root management group. This deployment script and required User-Assigned Identity are created in a resource group in the Management subscription. - Additionally, due to performance improvements of ARM, we've also had to change the "wait" process in the portal accelerator. We are now using the same deployment script with a "Start-Sleep" PowerShell command which is far more reliable. - Fixed a Portal Accelerator bug that results in failed deployment when choosing not to deploy policies to the Identity management group. - Updated the display name of the many `Effect` parameters to clearly identify the policy it applies to in the initiative [Enforce recommended guardrails for Azure Key Vault](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-KeyVault.html). From 91366ed13290a3b41566bf5dc3334b748b3d376a Mon Sep 17 00:00:00 2001 
From: Sacha Narinx Date: Thu, 21 Nov 2024 18:59:20 +0400 Subject: [PATCH 087/226] Fix typos and improve descriptions in deployPrerequisites.json --- eslzArm/prerequisites/deployPrerequisites.json | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/eslzArm/prerequisites/deployPrerequisites.json b/eslzArm/prerequisites/deployPrerequisites.json index 8bdf9f648f..af4ca2d298 100644 --- a/eslzArm/prerequisites/deployPrerequisites.json +++ b/eslzArm/prerequisites/deployPrerequisites.json @@ -6,14 +6,14 @@ "type": "string", "defaultValue": "rg-alz-prereqs", "metadata": { - "description": "The resource group name where the AVNM and VNET resources will be created" + "description": "The resource group name where the AVNM resources will be created" } }, "location": { "type": "string", "minLength": 6, "metadata": { - "description": "The location of this regional hub. All resources will be deployed to this region." + "description": "The location of this AVNM instance. All resources will be deployed to this region." } }, "eslzRootName": { @@ -33,7 +33,7 @@ { "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", - "name": "alz-prequisites-identity", + "name": "alz-prerequisites-identity", "resourceGroup": "[parameters('resourceGroupName')]", "properties": { "expressionEvaluationOptions": { 
@@ -152,15 +152,17 @@ [string] $eslzRootName ) + + Invoke-AzRestMethod -Method POST -Uri \"https://management.azure.com/providers/Microsoft.Management/managementGroups/$eslzRootName/providers/Microsoft.Network/register?api-version=2021-04-01\" #Sleep for 30 minutes to wait for Management Groups to load to cache before assignments Start-Sleep -Duration (New-TimeSpan -Minutes 30) - $result = Invoke-AzRestMethod -Method POST -Uri \"https://management.azure.com/providers/Microsoft.Management/managementGroups/$eslzRootName/providers/Microsoft.Network/register?api-version=2021-04-01\" + Invoke-AzRestMethod -Method POST -Uri \"https://management.azure.com/providers/Microsoft.Management/managementGroups/$eslzRootName/providers/Microsoft.Network/register?api-version=2021-04-01\" " }, "metadata": { - "description": "Create a Deployment Script resource to perform the prequisites." + "description": "Create a Deployment Script resource to perform the prerequisites." } } ], @@ -168,7 +170,7 @@ } }, "dependsOn": [ - "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('resourceGroupName')), 'Microsoft.Resources/deployments', 'alz-prequisites-identity')]", + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('resourceGroupName')), 'Microsoft.Resources/deployments', 'alz-prerequisites-identity')]", "[subscriptionResourceId('Microsoft.Resources/resourceGroups', parameters('resourceGroupName'))]" ] } From f4359bbdee0baafdcded2f18def7e5af6d32f487 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Thu, 21 Nov 2024 19:01:15 +0400 Subject: [PATCH 088/226] . --- eslzArm/prerequisites/deployPrerequisites.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/eslzArm/prerequisites/deployPrerequisites.json b/eslzArm/prerequisites/deployPrerequisites.json index af4ca2d298..66fae101c2 100644 --- a/eslzArm/prerequisites/deployPrerequisites.json 
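Review bot: The register call now appears twice, before and after the sleep, and both invocations discard the response entirely (the `$result =` capture was removed), so a non-success status from either call is invisible. The hunk gives no comment on why the call is repeated; add one above the second call, e.g. `# Re-issue registration after the wait in case the first request ran before the management group was cached`, if that is the reason. Capture and check at least the second response: `$result = Invoke-AzRestMethod ...` followed by `if ($result.StatusCode -ge 300) { throw "Register failed: $($result.StatusCode)" }` (with `\"` escaping inside the JSON string). The param block and the rest of scriptContent extend outside the hunk.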
+++ b/eslzArm/prerequisites/deployPrerequisites.json @@ -156,7 +156,7 @@ Invoke-AzRestMethod -Method POST -Uri \"https://management.azure.com/providers/Microsoft.Management/managementGroups/$eslzRootName/providers/Microsoft.Network/register?api-version=2021-04-01\" #Sleep for 30 minutes to wait for Management Groups to load to cache before assignments - Start-Sleep -Duration (New-TimeSpan -Minutes 30) + Start-Sleep -Duration (New-TimeSpan -Minutes 10) Invoke-AzRestMethod -Method POST -Uri \"https://management.azure.com/providers/Microsoft.Management/managementGroups/$eslzRootName/providers/Microsoft.Network/register?api-version=2021-04-01\" " From 414002b1d57224e19455b43f29def531defe3b05 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Thu, 21 Nov 2024 19:07:50 +0400 Subject: [PATCH 089/226] Add connectivitySubscriptionId parameter to ARM templates --- eslzArm/eslzArm.json | 3 +++ .../subscriptionTemplates/avnmConfiguration.json | 14 ++++++++++++-- 2 files changed, 15 insertions(+), 2 deletions(-) diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json index 3d29628c94..1f05d11613 100644 --- a/eslzArm/eslzArm.json +++ b/eslzArm/eslzArm.json @@ -5224,6 +5224,9 @@ }, "managementGroupScope": { "value": "[variables('scopes').eslzRootManagementGroup]" + }, + "connectivitySubscriptionId": { + "value": "[parameters('connectivitySubscriptionId')]" } } } diff --git a/eslzArm/subscriptionTemplates/avnmConfiguration.json b/eslzArm/subscriptionTemplates/avnmConfiguration.json index 5651c47043..08e4b5cd47 100644 --- a/eslzArm/subscriptionTemplates/avnmConfiguration.json +++ b/eslzArm/subscriptionTemplates/avnmConfiguration.json @@ -2,7 +2,7 @@ "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", "contentVersion": "1.0.0.0", "parameters": { - "topLevelManagementGroupPrefix": { + "topLevelManagementGroupPrefix": { "type": "string", "maxLength": 10, "defaultValue": "eslz", 
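Review bot: The comment line directly above the change still reads "Sleep for 30 minutes" while the sleep is now 10 minutes again, so the comment and the code disagree on the new side. Update it to `#Sleep for 10 minutes to wait for Management Groups to load to cache before assignments`, or better, move the number into a single `$waitMinutes` variable referenced by both so they cannot drift. The scriptContent string this line belongs to begins and ends outside the hunk.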
@@ -24,6 +24,13 @@ "metadata": { "description": "Management group scope for AVNM." } + }, + "connectivitySubscriptionId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Subscription ID for the connectivity subscription." + } } }, "variables": { @@ -57,6 +64,9 @@ }, "managementGroupScope": { "value": "[parameters('managementGroupScope')]" + }, + "connectivitySubscriptionId": { + "value": "[parameters('connectivitySubscriptionId')]" } }, "template": { @@ -82,7 +92,7 @@ ], "networkManagerScopes": { "subscriptions": [ - + "[format('/subscriptions/{0}', parameters('connectivitySubscriptionId'))]" ], "managementGroups": [ "[parameters('managementGroupScope')]" From b601769b9d7de88c945503bb3365ecdd4532b8e2 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Thu, 21 Nov 2024 21:12:15 +0400 Subject: [PATCH 090/226] . --- eslzArm/subscriptionTemplates/avnmConfiguration.json | 3 +++ 1 file changed, 3 insertions(+) diff --git a/eslzArm/subscriptionTemplates/avnmConfiguration.json b/eslzArm/subscriptionTemplates/avnmConfiguration.json index 08e4b5cd47..43f780a637 100644 --- a/eslzArm/subscriptionTemplates/avnmConfiguration.json +++ b/eslzArm/subscriptionTemplates/avnmConfiguration.json @@ -78,6 +78,9 @@ }, "managementGroupScope": { "type": "string" + }, + "connectivitySubscriptionId": { + "type": "string" } }, "resources": [ From 556252cd6dd9b77218a62595f6cb3c8d567402ca Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Fri, 22 Nov 2024 13:24:58 +0400 Subject: [PATCH 091/226] . --- eslzArm/prerequisites/deployPrerequisites.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/eslzArm/prerequisites/deployPrerequisites.json b/eslzArm/prerequisites/deployPrerequisites.json index 66fae101c2..d743b7b715 100644 --- a/eslzArm/prerequisites/deployPrerequisites.json +++ b/eslzArm/prerequisites/deployPrerequisites.json 
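Review bot: `connectivitySubscriptionId` is declared with `"defaultValue": ""`, and the `@@ -82,7 +92,7 @@` hunk formats it straight into `'/subscriptions/{0}'`, so an unset parameter yields the scope `/subscriptions/` and the network manager deployment fails with an unhelpful validation error. Either drop the default so the parameter is required, or guard the scope list: `"subscriptions": "[if(empty(parameters('connectivitySubscriptionId')), json('[]'), array(format('/subscriptions/{0}', parameters('connectivitySubscriptionId'))))]"`. If the connectivity subscription sits under `managementGroupScope`, the two scope entries overlap; confirm AVNM accepts that or document why both are listed.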
@@ -90,7 +90,7 @@ } }, "dependsOn": [ - "[subscriptionResourceId('Microsoft.Resources/resourceGroups', parameters('resourceGroupName'))]" + "[concat('Microsoft.Resources/resourceGroups/', parameters('resourceGroupName'))]" ] }, { @@ -171,7 +171,7 @@ }, "dependsOn": [ "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('resourceGroupName')), 'Microsoft.Resources/deployments', 'alz-prerequisites-identity')]", - "[subscriptionResourceId('Microsoft.Resources/resourceGroups', parameters('resourceGroupName'))]" + "[concat('Microsoft.Resources/resourceGroups/', parameters('resourceGroupName'))]" ] } ], From b48cb4432174dab11fbfaa2996813989103900f2 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Fri, 22 Nov 2024 13:36:39 +0400 Subject: [PATCH 092/226] Rename deployment identity and update references in deployPrerequisites.json --- eslzArm/prerequisites/deployPrerequisites.json | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/eslzArm/prerequisites/deployPrerequisites.json b/eslzArm/prerequisites/deployPrerequisites.json index d743b7b715..ce1f7cde03 100644 --- a/eslzArm/prerequisites/deployPrerequisites.json +++ b/eslzArm/prerequisites/deployPrerequisites.json @@ -33,7 +33,7 @@ { "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", - "name": "alz-prerequisites-identity", + "name": "alz-prerequisites-uai", "resourceGroup": "[parameters('resourceGroupName')]", "properties": { "expressionEvaluationOptions": { @@ -90,7 +90,7 @@ } }, "dependsOn": [ - "[concat('Microsoft.Resources/resourceGroups/', parameters('resourceGroupName'))]" + "[subscriptionResourceId('Microsoft.Resources/resourceGroups', parameters('resourceGroupName'))]" ] }, { 
@@ -108,7 +108,7 @@ "value": "[parameters('location')]" }, "userAssignedIdentityId": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('resourceGroupName')), 'Microsoft.Resources/deployments', 'alz-prequisites-identity'), '2022-09-01').outputs.userAssignedIdentityId.value]" + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('resourceGroupName')), 'Microsoft.Resources/deployments', 'alz-prerequisites-uai'), '2022-09-01').outputs.userAssignedIdentityId.value]" }, "eslzRootName": { "value": "[parameters('eslzRootName')]" @@ -170,8 +170,8 @@ } }, "dependsOn": [ - "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('resourceGroupName')), 'Microsoft.Resources/deployments', 'alz-prerequisites-identity')]", - "[concat('Microsoft.Resources/resourceGroups/', parameters('resourceGroupName'))]" + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('resourceGroupName')), 'Microsoft.Resources/deployments', 'alz-prerequisites-uai')]", + "[subscriptionResourceId('Microsoft.Resources/resourceGroups', parameters('resourceGroupName'))]" ] } ], From 056a3703e105eca62d0d2595a912140c69ba3e6d Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Fri, 22 Nov 2024 14:56:48 +0400 Subject: [PATCH 093/226] . --- .../avnmConfiguration.json | 43 ++++++++++--------- 1 file changed, 23 insertions(+), 20 deletions(-) diff --git a/eslzArm/subscriptionTemplates/avnmConfiguration.json b/eslzArm/subscriptionTemplates/avnmConfiguration.json index 43f780a637..608992d600 100644 --- a/eslzArm/subscriptionTemplates/avnmConfiguration.json +++ b/eslzArm/subscriptionTemplates/avnmConfiguration.json 
@@ -87,7 +87,7 @@ { "type": "Microsoft.Network/networkManagers", "apiVersion": "2024-03-01", - "name": "[format('avnm-{0}', parameters('location'))]", + "name": "avnm", "location": "[parameters('location')]", "properties": { "networkManagerScopeAccesses": [ @@ -112,13 +112,13 @@ { "type": "Microsoft.Network/networkManagers/networkGroups", "apiVersion": "2024-03-01", - "name": "[format('{0}/{1}', format('avnm-{0}', parameters('location')), format('ng-{0}-static', parameters('location')))]", + "name": "[format('{0}/{1}', 'avnm', format('ng-{0}-static', parameters('location')))]", "properties": { "memberType": "VirtualNetwork", "description": "Network Group - Static" }, "dependsOn": [ - "[resourceId('Microsoft.Network/networkManagers', format('avnm-{0}', parameters('location')))]" + "[resourceId('Microsoft.Network/networkManagers', 'avnm')]" ], "metadata": { "description": "This is the static network group for the spoke VNETs, and hub when topology is mesh." @@ -127,13 +127,13 @@ { "type": "Microsoft.Network/networkManagers/networkGroups", "apiVersion": "2024-03-01", - "name": "[format('{0}/{1}', format('avnm-{0}', parameters('location')), format('ng-{0}-dynamic', parameters('location')))]", + "name": "[format('{0}/{1}', 'avnm', format('ng-{0}-dynamic', parameters('location')))]", "properties": { "memberType": "VirtualNetwork", "description": "Network Group - Dynamic" }, "dependsOn": [ - "[resourceId('Microsoft.Network/networkManagers', format('avnm-{0}', parameters('location')))]" + "[resourceId('Microsoft.Network/networkManagers', 'avnm')]" ], "metadata": { "description": "This is the dynamic network group for the spoke VNETs, and hub when topology is mesh." 
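Review bot: The network manager name becomes the constant `"avnm"` while every child resource in the following hunks still embeds `parameters('location')` in its name (`ng-{0}-static`, `sac-{0}`), which suggests the template is meant to be deployed once per region; if it is, a second regional deployment into the same resource group would update the same `avnm` resource (and replace its `networkManagerScopes`) rather than create a sibling. Either document that a single manager is intended in the resource's `metadata.description`, or keep the location in the manager name. Style: `format('{0}/{1}', 'avnm', format('ng-{0}-static', parameters('location')))` can be written as `format('avnm/ng-{0}-static', parameters('location'))`, which applies to the `@@ -112`, `@@ -127`, `@@ -142`, `@@ -153` and rule-name hunks as well.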
@@ -142,9 +142,9 @@ { "type": "Microsoft.Network/networkManagers/securityAdminConfigurations", "apiVersion": "2023-11-01", - "name": "[format('{0}/{1}', format('avnm-{0}', parameters('location')), format('sac-{0}', parameters('location')))]", + "name": "[format('{0}/{1}', 'avnm', format('sac-{0}', parameters('location')))]", "dependsOn": [ - "[resourceId('Microsoft.Network/networkManagers', format('avnm-{0}', parameters('location')))]" + "[resourceId('Microsoft.Network/networkManagers', 'avnm')]" ], "properties": { "description": "ALZ Security Admin Configuration" 
@@ -153,16 +153,19 @@ { "type": "Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections", "apiVersion": "2024-03-01", - "name": "[format('{0}/{1}/{2}', format('avnm-{0}', parameters('location')), format('sac-{0}', parameters('location')), 'rc-ALZ')]", + "name": "[format('{0}/{1}/{2}', 'avnm', format('sac-{0}', parameters('location')), 'rc-ALZ')]", "dependsOn": [ - "[resourceId('Microsoft.Network/networkManagers/securityAdminConfigurations', format('avnm-{0}', parameters('location')), format('sac-{0}', parameters('location')))]", - "[resourceId('Microsoft.Network/networkManagers/networkGroups', format('avnm-{0}', parameters('location')), format('ng-{0}-static', parameters('location')))]", - "[resourceId('Microsoft.Network/networkManagers/networkGroups', format('avnm-{0}', parameters('location')), format('ng-{0}-dynamic', parameters('location')))]" + "[resourceId('Microsoft.Network/networkManagers/securityAdminConfigurations', 'avnm', format('sac-{0}', parameters('location')))]", + "[resourceId('Microsoft.Network/networkManagers/networkGroups', 'avnm', format('ng-{0}-static', parameters('location')))]", + "[resourceId('Microsoft.Network/networkManagers/networkGroups', 'avnm', format('ng-{0}-dynamic', parameters('location')))]" ], "properties": { "appliesToGroups": [ { - "networkGroupId": "[resourceId('Microsoft.Network/networkManagers/networkGroups', format('avnm-{0}', parameters('location')), format('ng-{0}-static', parameters('location')))]" + "networkGroupId": "[resourceId('Microsoft.Network/networkManagers/networkGroups', 'avnm', format('ng-{0}-static', parameters('location')))]" + }, + { + "networkGroupId": "[resourceId('Microsoft.Network/networkManagers/networkGroups', 'avnm', format('ng-{0}-dynamic', parameters('location')))]" } ] 
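Review bot: `appliesToGroups` now includes the dynamic network group, so every Deny rule in `rc-ALZ` is enforced on any VNet that a policy later adds to that group, and nothing in the hunk records that this is intended. A `"description"` on the rule collection, e.g. `Applies the ALZ baseline deny rules to both the static and the policy-driven dynamic group; membership changes in the dynamic group take effect without a template change`, would make the blast radius visible to whoever maintains the membership policy. The `dependsOn` entries for both groups are present, so ordering is correct.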
@@ -171,9 +174,9 @@ { "type": "Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections/rules", "apiVersion": "2024-03-01", - "name": "[format('{0}/{1}/{2}/{3}', format('avnm-{0}', parameters('location')), format('sac-{0}', parameters('location')), 'rc-ALZ', 'DenyMgmtInbound')]", + "name": "[format('{0}/{1}/{2}/{3}', 'avnm', format('sac-{0}', parameters('location')), 'rc-ALZ', 'DenyMgmtInbound')]", "dependsOn": [ - "[resourceId('Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections', format('avnm-{0}', parameters('location')), format('sac-{0}', parameters('location')), 'rc-ALZ')]" + "[resourceId('Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections', 'avnm', format('sac-{0}', parameters('location')), 'rc-ALZ')]" ], "kind": "Custom", "properties": { @@ -197,9 +200,9 @@ { "type": "Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections/rules", "apiVersion": "2024-03-01", - "name": "[format('{0}/{1}/{2}/{3}', format('avnm-{0}', parameters('location')), format('sac-{0}', parameters('location')), 'rc-ALZ', 'DenyHighRiskInboundTCP')]", + "name": "[format('{0}/{1}/{2}/{3}', 'avnm', format('sac-{0}', parameters('location')), 'rc-ALZ', 'DenyHighRiskInboundTCP')]", "dependsOn": [ - "[resourceId('Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections', format('avnm-{0}', parameters('location')), format('sac-{0}', parameters('location')), 'rc-ALZ')]" + "[resourceId('Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections', 'avnm', format('sac-{0}', parameters('location')), 'rc-ALZ')]" ], "kind": "Custom", "properties": { 
@@ -232,9 +235,9 @@ { "type": "Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections/rules", "apiVersion": "2024-03-01", - "name": "[format('{0}/{1}/{2}/{3}', format('avnm-{0}', parameters('location')), format('sac-{0}', parameters('location')), 'rc-ALZ', 'DenyHighRiskInboundUDP')]", + "name": "[format('{0}/{1}/{2}/{3}', 'avnm', format('sac-{0}', parameters('location')), 'rc-ALZ', 'DenyHighRiskInboundUDP')]", "dependsOn": [ - "[resourceId('Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections', format('avnm-{0}', parameters('location')), format('sac-{0}', parameters('location')), 'rc-ALZ')]" + "[resourceId('Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections', 'avnm', format('sac-{0}', parameters('location')), 'rc-ALZ')]" ], "kind": "Custom", "properties": { @@ -258,9 +261,9 @@ { "type": "Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections/rules", "apiVersion": "2024-03-01", - "name": "[format('{0}/{1}/{2}/{3}', format('avnm-{0}', parameters('location')), format('sac-{0}', parameters('location')), 'rc-ALZ', 'DenyHighRiskInboundANY')]", + "name": "[format('{0}/{1}/{2}/{3}', 'avnm', format('sac-{0}', parameters('location')), 'rc-ALZ', 'DenyHighRiskInboundANY')]", "dependsOn": [ - "[resourceId('Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections', format('avnm-{0}', parameters('location')), format('sac-{0}', parameters('location')), 'rc-ALZ')]" + "[resourceId('Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections', 'avnm', format('sac-{0}', parameters('location')), 'rc-ALZ')]" ], "kind": "Custom", "properties": { From eaf0d042fd99e0184b44bda0c0e5693f1c80b028 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Fri, 22 Nov 2024 16:45:44 +0400 Subject: [PATCH 094/226] . --- eslzArm/subscriptionTemplates/avnmConfiguration.json | 3 --- 1 file changed, 3 deletions(-) 
diff --git a/eslzArm/subscriptionTemplates/avnmConfiguration.json b/eslzArm/subscriptionTemplates/avnmConfiguration.json index 608992d600..282f540d02 100644 --- a/eslzArm/subscriptionTemplates/avnmConfiguration.json +++ b/eslzArm/subscriptionTemplates/avnmConfiguration.json @@ -94,9 +94,6 @@ "SecurityAdmin" ], "networkManagerScopes": { - "subscriptions": [ - "[format('/subscriptions/{0}', parameters('connectivitySubscriptionId'))]" - ], "managementGroups": [ "[parameters('managementGroupScope')]" ] From c1cf9e6034e51ca4da27cedd17793bcdd533c4fc Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Mon, 25 Nov 2024 15:19:03 +0400 Subject: [PATCH 095/226] . --- eslzArm/eslzArm.json | 4 +- .../avnmConfiguration.json | 57 +++++++++++++++++-- 2 files changed, 55 insertions(+), 6 deletions(-) diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json index 1f05d11613..ed866e1920 100644 --- a/eslzArm/eslzArm.json +++ b/eslzArm/eslzArm.json @@ -5225,8 +5225,8 @@ "managementGroupScope": { "value": "[variables('scopes').eslzRootManagementGroup]" }, - "connectivitySubscriptionId": { - "value": "[parameters('connectivitySubscriptionId')]" + "managementSubscriptionId": { + "value": "[parameters('managementSubscriptionId')]" } } } diff --git a/eslzArm/subscriptionTemplates/avnmConfiguration.json b/eslzArm/subscriptionTemplates/avnmConfiguration.json index 282f540d02..b4bce57403 100644 --- a/eslzArm/subscriptionTemplates/avnmConfiguration.json +++ b/eslzArm/subscriptionTemplates/avnmConfiguration.json @@ -25,7 +25,7 @@ "description": "Management group scope for AVNM." } }, - "connectivitySubscriptionId": { + "managementSubscriptionId": { "type": "string", "defaultValue": "", "metadata": { 
@@ -65,8 +65,11 @@ "managementGroupScope": { "value": "[parameters('managementGroupScope')]" }, - "connectivitySubscriptionId": { - "value": "[parameters('connectivitySubscriptionId')]" + "managementSubscriptionId": { + "value": "[parameters('managementSubscriptionId')]" + }, + "userAssignedIdentityId": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('managementSubscriptionId'), 'rg-alz-prereqs'), 'Microsoft.Resources/deployments', 'alz-prerequisites-uai'), '2022-09-01').outputs.userAssignedIdentityId.value]" } }, "template": { @@ -79,10 +82,16 @@ "managementGroupScope": { "type": "string" }, - "connectivitySubscriptionId": { + "managementSubscriptionId": { + "type": "string" + }, + "userAssignedIdentityId": { "type": "string" } }, + "variables": { + "rgName": "[variables('rgName')]" + }, "resources": [ { "type": "Microsoft.Network/networkManagers", 
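Review bot: The `userAssignedIdentityId` value hard-codes the resource group `'rg-alz-prereqs'` and the deployment name `'alz-prerequisites-uai'`, coupling this template to the prerequisites template's default `resourceGroupName`; if that parameter is overridden, the `reference()` here fails at evaluation time. Pass the identity's resource id in as a parameter from the caller (the prerequisites deployment already outputs `userAssignedIdentityId`) instead of re-deriving it. The cross-subscription `reference()` also requires the prerequisites deployment to exist before this template is evaluated, which needs a `dependsOn` at the calling level that is not visible in this patch.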
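Review bot: The inner template's `"variables": { "rgName": "[variables('rgName')]" }` is a variable defined in terms of itself, which the template engine rejects as a circular reference before anything deploys (unless the nested deployment evaluates with outer scope, which the hunk does not show and which would make the inner `parameters` block invalid anyway). Pass the value in like the other inputs: add `"rgName": { "type": "string" }` to the inner `parameters`, supply `"rgName": { "value": "[variables('rgName')]" }` from the outer template alongside `managementSubscriptionId`, and use `parameters('rgName')` in the deployment script arguments below.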
@@ -283,6 +292,46 @@ "direction": "Inbound", "access": "Deny" } + }, + { + "type": "Microsoft.Resources/deploymentScripts", + "apiVersion": "2020-10-01", + "name": "alz-deploymentscript-config", + "location": "[parameters('location')]", + "kind": "AzurePowerShell", + "identity": { + "type": "UserAssigned", + "userAssignedIdentities": { + "[format('{0}', parameters('userAssignedIdentityId'))]": {} + } + }, + "properties": { + "azPowerShellVersion": "12.3", + "retentionInterval": "PT1H", + "timeout": "PT1H", + "arguments": "[format('-regions \"{0}\" -rgname \"{1}\" -configids \"{2}\"', parameters('location'), variables('rgName'), resourceId('Microsoft.Network/networkManagers/securityAdminConfigurations', 'avnm', format('sac-{0}', parameters('location'))))]", + "scriptContent": " + param( + [Parameter(Mandatory=$true, HelpMessage=\"Location for deployment.\")] + [string] + $regions + + [Parameter(Mandatory=$true, HelpMessage=\"Resource Group Name.\")] + [string] + $rgname + + [Parameter(Mandatory=$true, HelpMessage=\"Configuration IDs.\")] + [string] + $configids + ) + + Deploy-AzNetworkManagerCommit -ResourceGroupName \"psResourceGroup\" -Name \"psNetworkManager\" -TargetLocation $regions -CommitType \"SecurityAdmin\" -ConfigurationId $configids + + " + }, + "metadata": { + "description": "Create a Deployment Script resource to perform the configuration deployment." + } } ] From e65668e97b162634729b485b4a1840099611e0ab Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Mon, 25 Nov 2024 15:36:17 +0400 Subject: [PATCH 096/226] . --- eslzArm/subscriptionTemplates/avnmConfiguration.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/eslzArm/subscriptionTemplates/avnmConfiguration.json b/eslzArm/subscriptionTemplates/avnmConfiguration.json index b4bce57403..60a2a835a4 100644 --- a/eslzArm/subscriptionTemplates/avnmConfiguration.json +++ b/eslzArm/subscriptionTemplates/avnmConfiguration.json 
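Review bot: The `param(...)` block in `scriptContent` has no commas between `$regions`, `$rgname` and `$configids`, so PowerShell fails to parse the script and the commit never runs. The deployment script also has no `dependsOn`; `resourceId()` inside `arguments` does not create an implicit dependency, so it can execute before the rule collection and rules exist and commit an incomplete configuration. Add an explicit `dependsOn` on the four rules (which transitively covers the configuration and collection) and fix the parameter separators as below; `azPowerShellVersion`, `retentionInterval`, `timeout`, `arguments` and the `Deploy-AzNetworkManagerCommit` line are unchanged. The raw newlines inside the JSON string are accepted by the deployment engine's lenient parser but are not valid RFC 8259 JSON, so strict linters will reject the file.
```json
"dependsOn": [
  "[resourceId('Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections/rules', 'avnm', format('sac-{0}', parameters('location')), 'rc-ALZ', 'DenyMgmtInbound')]",
  "[resourceId('Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections/rules', 'avnm', format('sac-{0}', parameters('location')), 'rc-ALZ', 'DenyHighRiskInboundTCP')]",
  "[resourceId('Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections/rules', 'avnm', format('sac-{0}', parameters('location')), 'rc-ALZ', 'DenyHighRiskInboundUDP')]",
  "[resourceId('Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections/rules', 'avnm', format('sac-{0}', parameters('location')), 'rc-ALZ', 'DenyHighRiskInboundANY')]"
],
"scriptContent": "
  param(
    [Parameter(Mandatory=$true, HelpMessage=\"Location for deployment.\")]
    [string]
    $regions,

    [Parameter(Mandatory=$true, HelpMessage=\"Resource Group Name.\")]
    [string]
    $rgname,

    [Parameter(Mandatory=$true, HelpMessage=\"Configuration IDs.\")]
    [string]
    $configids
  )
"
```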
@@ -325,7 +325,7 @@ $configids ) - Deploy-AzNetworkManagerCommit -ResourceGroupName \"psResourceGroup\" -Name \"psNetworkManager\" -TargetLocation $regions -CommitType \"SecurityAdmin\" -ConfigurationId $configids + Deploy-AzNetworkManagerCommit -ResourceGroupName $rgname -Name \"psNetworkManager\" -TargetLocation $regions -CommitType \"SecurityAdmin\" -ConfigurationId $configids " }, From bfdc3443a725b2d7727e33ad058faeea681a360f Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Mon, 25 Nov 2024 15:53:14 +0400 Subject: [PATCH 097/226] . --- eslzArm/subscriptionTemplates/avnmPolicy.json | 89 +++++++++++++++++++ 1 file changed, 89 insertions(+) create mode 100644 eslzArm/subscriptionTemplates/avnmPolicy.json diff --git a/eslzArm/subscriptionTemplates/avnmPolicy.json b/eslzArm/subscriptionTemplates/avnmPolicy.json new file mode 100644 index 0000000000..44474f23f0 --- /dev/null +++ b/eslzArm/subscriptionTemplates/avnmPolicy.json 
@@ -0,0 +1,89 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "maxLength": 10, + "metadata": { + "description": "Provide a prefix (max 10 characters, unique at tenant-scope) for the Management Group hierarchy and other resources created as part of Enterprise-scale." + } + }, + "location": { + "type": "string", + "metadata": { + "displayName": "location", + "description": "Location of the HUB" + }, + "defaultValue": "[deployment().location]" + }, + "networkGroupId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Provide the subscription id for the dedicated connectivity subscription." + } + } + }, + "variables": { + + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "name": "[uniqueString(resourceId('Microsoft.Network/networkManagers/networkGroups', 'avnm', format('ng-{0}-dynamic', parameters('location'))))]", + "properties": { + "description": "AVNM dynamic group membership Policy", + "displayName": "AVNM dynamic group membership Policy", + "mode": "Microsoft.Network.Data", + "policyRule": { + "if": { + "allof": [ + { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks" + }, + { + "allOf": [ + { + "value": "[resourceGroup().Name]", + "contains": "vnet" + } + ] + } + ] + }, + "then": { + "effect": "addToNetworkGroup", + "details": { + "networkGroupId": "[resourceId('Microsoft.Network/networkManagers/networkGroups', 'avnm', format('ng-{0}-dynamic', parameters('location')))]" + } + } + } + }, + "metadata": { + "description": "This is a Policy definition for dyanamic group membership" + } + }, + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2022-06-01", + "name": "[uniqueString(parameters('networkGroupId'))]", + "properties": { + "description": "AVNM quickstart 
dynamic group membership Policy", + "displayName": "AVNM quickstart dynamic group membership Policy", + "enforcementMode": "Default", + "policyDefinitionId": "[managementGroupResourceId('Microsoft.Authorization/policyDefinitions', uniqueString(parameters('networkGroupId')))]" + }, + "dependsOn": [ + "[format('Microsoft.Authorization/policyDefinitions/{0}', uniqueString(parameters('networkGroupId')))]" + ], + "metadata": { + "description": "Assigns above policy for dynamic group membership" + } + } + + ], + "outputs": {} +} \ No newline at end of file From 645661272eded6e1b3632d6f9f8caa9c2088a621 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Mon, 25 Nov 2024 17:13:59 +0400 Subject: [PATCH 098/226] . --- eslzArm/eslzArm.json | 25 +++++++++++++++++++ .../avnmConfiguration.json | 7 +++++- eslzArm/subscriptionTemplates/avnmPolicy.json | 21 ++++++---------- 3 files changed, 38 insertions(+), 15 deletions(-) diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json index ed866e1920..fe8491761e 100644 --- a/eslzArm/eslzArm.json +++ b/eslzArm/eslzArm.json @@ -1700,6 +1700,7 @@ "preRequisites": "[uri(deployment().properties.templateLink.uri, 'prerequisites/deployPrerequisites.json')]", "alzSleep": "[uri(deployment().properties.templateLink.uri, 'prerequisites/dsSleep.json')]", "avnmConnectivityHub": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/avnmConfiguration.json')]", + "avnmPolicy": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/avnmPolicy.json')]", "vnetConnectivityHub": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/hubspoke-connectivity.json')]", "vwanConnectivityHub": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/vwan-connectivity.json')]", "nvaConnectivityHub": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/nvahubspoke-connectivity.json')]", 
@@ -1837,6 +1838,7 @@
 "atpSqlDbPolicyDeploymentName": "[take(concat('alz-AtpSqlDb', variables('deploymentSuffix')), 64)]",
 "ascGovPolicyDeploymentName": "[take(concat('alz-Gov-ASC', variables('deploymentSuffix')), 64)]",
 "avnmConnectivityHubDeploymentName": "[take(concat('alz-AVNM', variables('deploymentSuffix')), 64)]",
+ "avnmPolicyDeploymentName": "[take(concat('alz-AVNMPolicy', variables('deploymentSuffix')), 64)]",
 "vnetConnectivityHubDeploymentName": "[take(concat('alz-HubSpoke', variables('deploymentSuffix')), 64)]",
 "vwanConnectivityHubDeploymentName": "[take(concat('alz-VWanHub', variables('deploymentSuffix')), 64)]",
 "vnetConnectivityHub2DeploymentName": "[take(concat('alz-HubSpoke2', variables('deploymentSuffix')), 64)]",
@@ -5231,6 +5233,29 @@
 }
 }
 },
+ {
+ // Deploying AVNM policy
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "[variables('deploymentNames').avnmPolicyDeploymentName]",
+ "location": "[deployment().location]",
+ "scope": "[concat('Microsoft.Management/managementGroups/', parameters('enterpriseScaleCompanyPrefix'))]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').avnmConnectivityHubDeploymentName)]"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').avnmPolicy]"
+ },
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "value": "[parameters('enterpriseScaleCompanyPrefix')]"
+ }
+ }
+ }
+ },
 {
 // Creating resource group for Private DNS Zones
 "condition": "[and(equals(parameters('enablePrivateDnsZones'), 'Yes'), not(empty(parameters('connectivitySubscriptionId'))))]",
diff --git a/eslzArm/subscriptionTemplates/avnmConfiguration.json b/eslzArm/subscriptionTemplates/avnmConfiguration.json
index 60a2a835a4..947bf98e6c 100644
--- a/eslzArm/subscriptionTemplates/avnmConfiguration.json
+++ b/eslzArm/subscriptionTemplates/avnmConfiguration.json
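Review bot: The new `avnmPolicy` deployment has no `"condition"`, unlike the neighbouring Private DNS Zones deployment in the same hunk, so the policy definition and assignment are created at the `enterpriseScaleCompanyPrefix` management group even when AVNM was not selected; a `dependsOn` on a conditional deployment does not skip the dependent resource. Guard it with the same expression that gates the `avnmConnectivityHubDeploymentName` deployment (outside this hunk), along the lines of `"condition": "[and(equals(parameters('<avnm-enable-parameter>'), 'Yes'), not(empty(parameters('connectivitySubscriptionId'))))]"` with the placeholder replaced by that deployment's actual parameter. Without the guard, an assignment whose `addToNetworkGroup` effect references a network group that was never deployed is left in place at management-group scope.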
@@ -72,6 +72,9 @@ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('managementSubscriptionId'), 'rg-alz-prereqs'), 'Microsoft.Resources/deployments', 'alz-prerequisites-uai'), '2022-09-01').outputs.userAssignedIdentityId.value]" } }, + "variables": { + "rgName": "[variables('rgName')]" + }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", @@ -90,7 +93,9 @@ } }, "variables": { - "rgName": "[variables('rgName')]" + "rgName": { + "type": "string" + } }, "resources": [ { diff --git a/eslzArm/subscriptionTemplates/avnmPolicy.json b/eslzArm/subscriptionTemplates/avnmPolicy.json index 44474f23f0..1402b61e89 100644 --- a/eslzArm/subscriptionTemplates/avnmPolicy.json +++ b/eslzArm/subscriptionTemplates/avnmPolicy.json @@ -16,17 +16,10 @@ "description": "Location of the HUB" }, "defaultValue": "[deployment().location]" - }, - "networkGroupId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Provide the subscription id for the dedicated connectivity subscription." - } } }, "variables": { - + "networkGroupId": "[resourceId('Microsoft.Network/networkManagers/networkGroups', 'avnm', format('ng-{0}-dynamic', parameters('location')))]" }, "resources": [ { @@ -57,7 +50,7 @@ "then": { "effect": "addToNetworkGroup", "details": { - "networkGroupId": "[resourceId('Microsoft.Network/networkManagers/networkGroups', 'avnm', format('ng-{0}-dynamic', parameters('location')))]" + "networkGroupId": "[variables('networkGroupId')]" } } } 
@@ -69,15 +62,15 @@ { "type": "Microsoft.Authorization/policyAssignments", "apiVersion": "2022-06-01", - "name": "[uniqueString(parameters('networkGroupId'))]", + "name": "[uniqueString(variables('networkGroupId'))]", "properties": { - "description": "AVNM quickstart dynamic group membership Policy", - "displayName": "AVNM quickstart dynamic group membership Policy", + "description": "AVNM dynamic group membership Policy", + "displayName": "AVNM dynamic group membership Policy", "enforcementMode": "Default", - "policyDefinitionId": "[managementGroupResourceId('Microsoft.Authorization/policyDefinitions', uniqueString(parameters('networkGroupId')))]" + "policyDefinitionId": "[managementGroupResourceId('Microsoft.Authorization/policyDefinitions', uniqueString(variables('networkGroupId')))]" }, "dependsOn": [ - "[format('Microsoft.Authorization/policyDefinitions/{0}', uniqueString(parameters('networkGroupId')))]" + "[format('Microsoft.Authorization/policyDefinitions/{0}', uniqueString(variables('networkGroupId')))]" ], "metadata": { "description": "Assigns above policy for dynamic group membership" From f41cc3c2832936ca35366f97a8eadac2011e9f55 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Mon, 25 Nov 2024 18:38:10 +0400 Subject: [PATCH 099/226] . --- eslzArm/subscriptionTemplates/avnmConfiguration.json | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/eslzArm/subscriptionTemplates/avnmConfiguration.json b/eslzArm/subscriptionTemplates/avnmConfiguration.json index 947bf98e6c..efb8209448 100644 --- a/eslzArm/subscriptionTemplates/avnmConfiguration.json +++ b/eslzArm/subscriptionTemplates/avnmConfiguration.json @@ -73,7 +73,9 @@ } }, "variables": { - "rgName": "[variables('rgName')]" + "rgName": { + "value": "[variables('rgName')]" + } }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", 
@@ -307,7 +309,7 @@ "identity": { "type": "UserAssigned", "userAssignedIdentities": { - "[format('{0}', parameters('userAssignedIdentityId'))]": {} + "[format('{0}', parameters('userAssignedIdentityId'))]": {} } }, "properties": { From f909d3d39c82cfd1c5bdd46ecb438251d6452c69 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Mon, 25 Nov 2024 19:37:19 +0400 Subject: [PATCH 100/226] . --- eslzArm/subscriptionTemplates/avnmConfiguration.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/eslzArm/subscriptionTemplates/avnmConfiguration.json b/eslzArm/subscriptionTemplates/avnmConfiguration.json index efb8209448..2ab19e3621 100644 --- a/eslzArm/subscriptionTemplates/avnmConfiguration.json +++ b/eslzArm/subscriptionTemplates/avnmConfiguration.json @@ -316,7 +316,7 @@ "azPowerShellVersion": "12.3", "retentionInterval": "PT1H", "timeout": "PT1H", - "arguments": "[format('-regions \"{0}\" -rgname \"{1}\" -configids \"{2}\"', parameters('location'), variables('rgName'), resourceId('Microsoft.Network/networkManagers/securityAdminConfigurations', 'avnm', format('sac-{0}', parameters('location'))))]", + "arguments": "[format('-regions \"{0}\" -rgname \"{1}\" -configids \"{2}\"', parameters('location'), concat(parameters('topLevelManagementGroupPrefix'), '-avnm'), resourceId('Microsoft.Network/networkManagers/securityAdminConfigurations', 'avnm', format('sac-{0}', parameters('location'))))]", "scriptContent": " param( [Parameter(Mandatory=$true, HelpMessage=\"Location for deployment.\")] From b66a425224b711c7307dde8d4afb6706e2e88663 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Mon, 25 Nov 2024 20:56:33 +0400 Subject: [PATCH 101/226] . --- eslzArm/subscriptionTemplates/avnmConfiguration.json | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/eslzArm/subscriptionTemplates/avnmConfiguration.json b/eslzArm/subscriptionTemplates/avnmConfiguration.json index 2ab19e3621..329f3db6cb 100644 --- a/eslzArm/subscriptionTemplates/avnmConfiguration.json 
+++ b/eslzArm/subscriptionTemplates/avnmConfiguration.json @@ -72,11 +72,6 @@ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('managementSubscriptionId'), 'rg-alz-prereqs'), 'Microsoft.Resources/deployments', 'alz-prerequisites-uai'), '2022-09-01').outputs.userAssignedIdentityId.value]" } }, - "variables": { - "rgName": { - "value": "[variables('rgName')]" - } - }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", @@ -94,11 +89,6 @@ "type": "string" } }, - "variables": { - "rgName": { - "type": "string" - } - }, "resources": [ { "type": "Microsoft.Network/networkManagers", From ff6c2c34a789e1abca871259338947b1b1c1ccaa Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Mon, 25 Nov 2024 21:29:52 +0400 Subject: [PATCH 102/226] . --- eslzArm/subscriptionTemplates/avnmConfiguration.json | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/eslzArm/subscriptionTemplates/avnmConfiguration.json b/eslzArm/subscriptionTemplates/avnmConfiguration.json index 329f3db6cb..9549ebe8fa 100644 --- a/eslzArm/subscriptionTemplates/avnmConfiguration.json +++ b/eslzArm/subscriptionTemplates/avnmConfiguration.json @@ -70,6 +70,9 @@ }, "userAssignedIdentityId": { "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('managementSubscriptionId'), 'rg-alz-prereqs'), 'Microsoft.Resources/deployments', 'alz-prerequisites-uai'), '2022-09-01').outputs.userAssignedIdentityId.value]" + }, + "rgName": { + "value": "[variables('rgName')]" } }, "template": { @@ -87,6 +90,9 @@ }, "userAssignedIdentityId": { "type": "string" + }, + "rgName": { + "type": "string" } }, "resources": [ 
@@ -306,7 +312,7 @@ "azPowerShellVersion": "12.3", "retentionInterval": "PT1H", "timeout": "PT1H", - "arguments": "[format('-regions \"{0}\" -rgname \"{1}\" -configids \"{2}\"', parameters('location'), concat(parameters('topLevelManagementGroupPrefix'), '-avnm'), resourceId('Microsoft.Network/networkManagers/securityAdminConfigurations', 'avnm', format('sac-{0}', parameters('location'))))]", + "arguments": "[format('-regions \"{0}\" -rgname \"{1}\" -configids \"{2}\"', parameters('location'), parameters('rgName'), resourceId('Microsoft.Network/networkManagers/securityAdminConfigurations', 'avnm', format('sac-{0}', parameters('location'))))]", "scriptContent": " param( [Parameter(Mandatory=$true, HelpMessage=\"Location for deployment.\")] From e6ec5af4140104fae7210cf324c4c06577007ca6 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Mon, 25 Nov 2024 22:03:16 +0400 Subject: [PATCH 103/226] . --- eslzArm/subscriptionTemplates/avnmConfiguration.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/eslzArm/subscriptionTemplates/avnmConfiguration.json b/eslzArm/subscriptionTemplates/avnmConfiguration.json index 9549ebe8fa..43739ea383 100644 --- a/eslzArm/subscriptionTemplates/avnmConfiguration.json +++ b/eslzArm/subscriptionTemplates/avnmConfiguration.json @@ -317,11 +317,11 @@ param( [Parameter(Mandatory=$true, HelpMessage=\"Location for deployment.\")] [string] - $regions + $regions, [Parameter(Mandatory=$true, HelpMessage=\"Resource Group Name.\")] [string] - $rgname + $rgname, [Parameter(Mandatory=$true, HelpMessage=\"Configuration IDs.\")] [string] From 7a26f644a2a56342cfa418010b5705cee310cd7a Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Tue, 26 Nov 2024 12:38:45 +0400 Subject: [PATCH 104/226] . --- eslzArm/subscriptionTemplates/avnmPolicy.json | 46 +++++++++---------- 1 file changed, 23 insertions(+), 23 deletions(-) 
diff --git a/eslzArm/subscriptionTemplates/avnmPolicy.json b/eslzArm/subscriptionTemplates/avnmPolicy.json index 1402b61e89..ac2465c9b2 100644 --- a/eslzArm/subscriptionTemplates/avnmPolicy.json +++ b/eslzArm/subscriptionTemplates/avnmPolicy.json @@ -24,36 +24,36 @@ "resources": [ { "type": "Microsoft.Authorization/policyDefinitions", - "apiVersion": "2021-06-01", - "name": "[uniqueString(resourceId('Microsoft.Network/networkManagers/networkGroups', 'avnm', format('ng-{0}-dynamic', parameters('location'))))]", + "apiVersion": "2023-04-01", + "name": "[uniqueString(variables('networkGroupId'))]", "properties": { "description": "AVNM dynamic group membership Policy", "displayName": "AVNM dynamic group membership Policy", "mode": "Microsoft.Network.Data", "policyRule": { - "if": { - "allof": [ - { - "field": "type", - "equals": "Microsoft.Network/virtualNetworks" - }, - { - "allOf": [ - { - "value": "[resourceGroup().Name]", - "contains": "vnet" - } - ] + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks" + }, + { + "allOf": [ + { + "value": "[resourceGroup().Name]", + "contains": "vnet" + } + ] + } + ] + }, + "then": { + "effect": "addToNetworkGroup", + "details": { + "networkGroupId": "[variables('networkGroupId')]" } - ] - }, - "then": { - "effect": "addToNetworkGroup", - "details": { - "networkGroupId": "[variables('networkGroupId')]" } } - } }, "metadata": { "description": "This is a Policy definition for dyanamic group membership" @@ -61,7 +61,7 @@ }, { "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2022-06-01", + "apiVersion": "2023-04-01", "name": "[uniqueString(variables('networkGroupId'))]", "properties": { "description": "AVNM dynamic group membership Policy", From a6af993016e61990c62b2854f8260600df9098e9 Mon Sep 17 00:00:00 2001 
From: Sacha Narinx
Date: Tue, 26 Nov 2024 13:46:15 +0400
Subject: [PATCH 105/226] .
---
 eslzArm/subscriptionTemplates/avnmPolicy.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/eslzArm/subscriptionTemplates/avnmPolicy.json b/eslzArm/subscriptionTemplates/avnmPolicy.json
index ac2465c9b2..ee1d23acd0 100644
--- a/eslzArm/subscriptionTemplates/avnmPolicy.json
+++ b/eslzArm/subscriptionTemplates/avnmPolicy.json
@@ -40,7 +40,7 @@
 {
 "allOf": [
 {
- "value": "[resourceGroup().Name]",
+ "value": "[[resourceGroup().Name]",
 "contains": "vnet"
 }
 ]
From fbbfb7eedfeb7de54dc37803a55689869aab781b Mon Sep 17 00:00:00 2001
From: Sacha Narinx
Date: Tue, 26 Nov 2024 13:57:35 +0400
Subject: [PATCH 106/226] .
---
 eslzArm/subscriptionTemplates/avnmPolicy.json | 8 --------
 1 file changed, 8 deletions(-)
diff --git a/eslzArm/subscriptionTemplates/avnmPolicy.json b/eslzArm/subscriptionTemplates/avnmPolicy.json
index ee1d23acd0..6180c84eae 100644
--- a/eslzArm/subscriptionTemplates/avnmPolicy.json
+++ b/eslzArm/subscriptionTemplates/avnmPolicy.json
@@ -36,14 +36,6 @@
 {
 "field": "type",
 "equals": "Microsoft.Network/virtualNetworks"
- },
- {
- "allOf": [
- {
- "value": "[[resourceGroup().Name]",
- "contains": "vnet"
- }
- ]
 }
 ]
 },
From 867f693463750c29022400d4a4339f03ab6a10e4 Mon Sep 17 00:00:00 2001
From: Sacha Narinx
Date: Tue, 26 Nov 2024 15:11:17 +0400
Subject: [PATCH 107/226] .
---
 eslzArm/subscriptionTemplates/avnmConfiguration.json | 2 +-
 eslzArm/subscriptionTemplates/avnmPolicy.json | 8 +++++++-
 2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/eslzArm/subscriptionTemplates/avnmConfiguration.json b/eslzArm/subscriptionTemplates/avnmConfiguration.json
index 43739ea383..7c99aeef74 100644
--- a/eslzArm/subscriptionTemplates/avnmConfiguration.json
+++ b/eslzArm/subscriptionTemplates/avnmConfiguration.json
@@ -328,7 +328,7 @@ $configids ) - Deploy-AzNetworkManagerCommit -ResourceGroupName $rgname -Name \"psNetworkManager\" -TargetLocation $regions -CommitType \"SecurityAdmin\" -ConfigurationId $configids + Deploy-AzNetworkManagerCommit -ResourceGroupName $rgname -Name \"avnm\" -TargetLocation $regions -CommitType \"SecurityAdmin\" -ConfigurationId $configids " }, diff --git a/eslzArm/subscriptionTemplates/avnmPolicy.json b/eslzArm/subscriptionTemplates/avnmPolicy.json index 6180c84eae..9100d75b64 100644 --- a/eslzArm/subscriptionTemplates/avnmPolicy.json +++ b/eslzArm/subscriptionTemplates/avnmPolicy.json @@ -16,10 +16,16 @@ "description": "Location of the HUB" }, "defaultValue": "[deployment().location]" + }, + "connectivitySubscriptionId": { + "type": "string", + "metadata": { + "description": "Provide the subscriptionId you will place into the management group" + } } }, "variables": { - "networkGroupId": "[resourceId('Microsoft.Network/networkManagers/networkGroups', 'avnm', format('ng-{0}-dynamic', parameters('location')))]" + "networkGroupId": "[resourceId(parameters('connectivitySubscriptionId'), concat(parameters('topLevelManagementGroupPrefix'), '-avnm'), 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('ng-{0}-dynamic', parameters('location')))]" }, "resources": [ { From 9a862c1faae23fb37b379961ba611924c3e74b7e Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Tue, 26 Nov 2024 15:32:15 +0400 Subject: [PATCH 108/226] . --- eslzArm/eslzArm.json | 3 +++ 1 file changed, 3 insertions(+) diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json index fe8491761e..014652a78c 100644 --- a/eslzArm/eslzArm.json +++ b/eslzArm/eslzArm.json @@ -5252,6 +5252,9 @@ "parameters": { "topLevelManagementGroupPrefix": { "value": "[parameters('enterpriseScaleCompanyPrefix')]" + }, + "connectivitySubscriptionId": { + "value": "[parameters('connectivitySubscriptionId')]" } } } From 8baee6f0b94863f2efb981bb8f0f9b6e553d202d Mon Sep 17 00:00:00 2001 
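Review bot: In the avnmPolicy.json hunk, `networkGroupId` now resolves to the dynamic group in the connectivity subscription, but the policy rule that populates that group (outside this hunk, and stripped of its `[[resourceGroup().Name]` filter by patch 106 just above) is left with only the `type` equals `Microsoft.Network/virtualNetworks` condition, so every virtual network under the assignment's management group joins the group and receives the security-admin rules committed by avnmConfiguration.json. If that blanket scope is intended, say so in the definition's `metadata.description`, which currently reads `\"This is a Policy definition for dyanamic group membership\"`; if not, restore a narrower membership condition such as `{ "field": "name", "contains": "<vnet-name-pattern>" }` (placeholder pattern). The new `connectivitySubscriptionId` description, `\"Provide the subscriptionId you will place into the management group\"`, does not say what the value is used for — building the network group's resource ID — and could state that instead.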
From: Sacha Narinx Date: Tue, 26 Nov 2024 15:39:05 +0400 Subject: [PATCH 109/226] . --- eslzArm/subscriptionTemplates/avnmConfiguration.json | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/eslzArm/subscriptionTemplates/avnmConfiguration.json b/eslzArm/subscriptionTemplates/avnmConfiguration.json index 7c99aeef74..46bf527679 100644 --- a/eslzArm/subscriptionTemplates/avnmConfiguration.json +++ b/eslzArm/subscriptionTemplates/avnmConfiguration.json @@ -22,14 +22,14 @@ "type": "string", "defaultValue": "", "metadata": { - "description": "Management group scope for AVNM." + "description": "Management group scope for AVNM. Intermediate root management group is the default." } }, "managementSubscriptionId": { "type": "string", "defaultValue": "", "metadata": { - "description": "Subscription ID for the connectivity subscription." + "description": "Subscription ID for the management subscription. Used to get the user assigned identity." } } }, @@ -312,7 +312,7 @@ "azPowerShellVersion": "12.3", "retentionInterval": "PT1H", "timeout": "PT1H", - "arguments": "[format('-regions \"{0}\" -rgname \"{1}\" -configids \"{2}\"', parameters('location'), parameters('rgName'), resourceId('Microsoft.Network/networkManagers/securityAdminConfigurations', 'avnm', format('sac-{0}', parameters('location'))))]", + "arguments": "[format('-regions \"{0}\" -rgname \"{1}\" -configids \"{2}\"', parameters('location'), parameters('rgName'), subscriptionResourceId('Microsoft.Network/networkManagers/securityAdminConfigurations', 'avnm', format('sac-{0}', parameters('location'))))]", "scriptContent": " param( [Parameter(Mandatory=$true, HelpMessage=\"Location for deployment.\")] From 8d3d9493f3ffd06e17c20305657b1e4028051c32 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Tue, 26 Nov 2024 16:12:42 +0400 Subject: [PATCH 110/226] . --- eslzArm/subscriptionTemplates/avnmConfiguration.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/eslzArm/subscriptionTemplates/avnmConfiguration.json b/eslzArm/subscriptionTemplates/avnmConfiguration.json index 46bf527679..f6cffe75e8 100644 --- a/eslzArm/subscriptionTemplates/avnmConfiguration.json +++ b/eslzArm/subscriptionTemplates/avnmConfiguration.json @@ -312,7 +312,7 @@ "azPowerShellVersion": "12.3", "retentionInterval": "PT1H", "timeout": "PT1H", - "arguments": "[format('-regions \"{0}\" -rgname \"{1}\" -configids \"{2}\"', parameters('location'), parameters('rgName'), subscriptionResourceId('Microsoft.Network/networkManagers/securityAdminConfigurations', 'avnm', format('sac-{0}', parameters('location'))))]", + "arguments": "[format('-regions \"{0}\" -rgname \"{1}\" -configids \"{2}\"', parameters('location'), parameters('rgName'), subscriptionResourceId(subscription().subscriptionId, 'Microsoft.Network/networkManagers/securityAdminConfigurations', 'avnm', format('sac-{0}', parameters('location'))))]", "scriptContent": " param( [Parameter(Mandatory=$true, HelpMessage=\"Location for deployment.\")] From 72c04221d854d6394cced9f028704737bfb8df98 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Tue, 26 Nov 2024 17:14:13 +0400 Subject: [PATCH 111/226] . --- eslzArm/subscriptionTemplates/avnmConfiguration.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/eslzArm/subscriptionTemplates/avnmConfiguration.json b/eslzArm/subscriptionTemplates/avnmConfiguration.json index f6cffe75e8..571970d87a 100644 --- a/eslzArm/subscriptionTemplates/avnmConfiguration.json +++ b/eslzArm/subscriptionTemplates/avnmConfiguration.json 
@@ -312,7 +312,7 @@ "azPowerShellVersion": "12.3", "retentionInterval": "PT1H", "timeout": "PT1H", - "arguments": "[format('-regions \"{0}\" -rgname \"{1}\" -configids \"{2}\"', parameters('location'), parameters('rgName'), subscriptionResourceId(subscription().subscriptionId, 'Microsoft.Network/networkManagers/securityAdminConfigurations', 'avnm', format('sac-{0}', parameters('location'))))]", + "arguments": "[format('-regions \"{0}\" -rgname \"{1}\" -configids \"{2}\"', parameters('location'), parameters('rgName'), resourceId(subscription().subscriptionId, 'Microsoft.Network/networkManagers/securityAdminConfigurations', 'avnm', format('sac-{0}', parameters('location'))))]", "scriptContent": " param( [Parameter(Mandatory=$true, HelpMessage=\"Location for deployment.\")] From ee9e3b4f0ea68b34c48858c2739308ffbe5a031a Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Tue, 26 Nov 2024 17:19:01 +0400 Subject: [PATCH 112/226] . --- eslzArm/subscriptionTemplates/avnmConfiguration.json | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/eslzArm/subscriptionTemplates/avnmConfiguration.json b/eslzArm/subscriptionTemplates/avnmConfiguration.json index 571970d87a..76bb95ed96 100644 --- a/eslzArm/subscriptionTemplates/avnmConfiguration.json +++ b/eslzArm/subscriptionTemplates/avnmConfiguration.json @@ -29,8 +29,15 @@ "type": "string", "defaultValue": "", "metadata": { - "description": "Subscription ID for the management subscription. Used to get the user assigned identity." + "description": "SubscriptionId for the management subscription. Used to get the user assigned identity." } + }, + "connectivitySubscriptionId": { + "type": "string", + "metadata": { + "description": "SubscriptionId for the connectivity subscription." + }, + "defaultValue": "[subscription().subscriptionId]" } }, "variables": { From 393fb73822c212e1664260167ad8f58505e4474f Mon Sep 17 00:00:00 2001 
From: Sacha Narinx
Date: Tue, 26 Nov 2024 18:40:24 +0400
Subject: [PATCH 113/226] .
---
 eslzArm/subscriptionTemplates/avnmConfiguration.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/eslzArm/subscriptionTemplates/avnmConfiguration.json b/eslzArm/subscriptionTemplates/avnmConfiguration.json
index 76bb95ed96..ac376b831f 100644
--- a/eslzArm/subscriptionTemplates/avnmConfiguration.json
+++ b/eslzArm/subscriptionTemplates/avnmConfiguration.json
@@ -92,7 +92,7 @@
 "managementGroupScope": {
 "type": "string"
 },
- "managementSubscriptionId": {
+ "connectivitySubscriptionId": {
 "type": "string"
 },
 "userAssignedIdentityId": {
@@ -319,7 +319,7 @@
 "azPowerShellVersion": "12.3",
 "retentionInterval": "PT1H",
 "timeout": "PT1H",
- "arguments": "[format('-regions \"{0}\" -rgname \"{1}\" -configids \"{2}\"', parameters('location'), parameters('rgName'), resourceId(subscription().subscriptionId, 'Microsoft.Network/networkManagers/securityAdminConfigurations', 'avnm', format('sac-{0}', parameters('location'))))]",
+ "arguments": "[format('-regions \"{0}\" -rgname \"{1}\" -configids \"{2}\"', parameters('location'), parameters('rgName'), subscriptionResourceId(parameters('connectivitySubscriptionId'), 'Microsoft.Network/networkManagers/securityAdminConfigurations', 'avnm', format('sac-{0}', parameters('location'))))]",
 "scriptContent": "
 param(
 [Parameter(Mandatory=$true, HelpMessage=\"Location for deployment.\")]
From 1af27a68bf3a6471753fe5f48dcbc946de6f56f6 Mon Sep 17 00:00:00 2001
From: Sacha Narinx
Date: Tue, 26 Nov 2024 19:04:49 +0400
Subject: [PATCH 114/226] .
---
 eslzArm/subscriptionTemplates/avnmConfiguration.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/eslzArm/subscriptionTemplates/avnmConfiguration.json b/eslzArm/subscriptionTemplates/avnmConfiguration.json
index ac376b831f..6117f3d870 100644
--- a/eslzArm/subscriptionTemplates/avnmConfiguration.json
+++ b/eslzArm/subscriptionTemplates/avnmConfiguration.json
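Review bot: `subscriptionResourceId(parameters('connectivitySubscriptionId'), 'Microsoft.Network/networkManagers/securityAdminConfigurations', …)` on the new `arguments` line of the `@@ -319,7 +319,7 @@` hunk produces an ID with no resource-group segment, but a network manager is a resource-group-scoped resource, so the `-configids` value handed to the script will not match the configuration's real ID (`/subscriptions/…/resourceGroups/<rg>/providers/Microsoft.Network/networkManagers/avnm/securityAdminConfigurations/sac-<location>`) and the commit would presumably fail or address nothing. The group name is already available as `parameters('rgName')`, so the consistent form — the one avnmPolicy.json uses for `networkGroupId` — is `resourceId(parameters('connectivitySubscriptionId'), parameters('rgName'), 'Microsoft.Network/networkManagers/securityAdminConfigurations', 'avnm', format('sac-{0}', parameters('location')))`. The same expression is later lifted into the outer `configIds` variable in patch 116 (the `@@ -42,7 +42,8 @@` hunk two lines below), where `variables('rgName')` is the group name to use. The deploymentScripts resource this line belongs to starts and ends outside the hunk.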
@@ -72,8 +72,8 @@ "managementGroupScope": { "value": "[parameters('managementGroupScope')]" }, - "managementSubscriptionId": { - "value": "[parameters('managementSubscriptionId')]" + "connectivitySubscriptionId": { + "value": "[parameters('connectivitySubscriptionId')]" }, "userAssignedIdentityId": { "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('managementSubscriptionId'), 'rg-alz-prereqs'), 'Microsoft.Resources/deployments', 'alz-prerequisites-uai'), '2022-09-01').outputs.userAssignedIdentityId.value]" From 9630af8edebe92f640d526c6857a8e4079fa5c1c Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Tue, 26 Nov 2024 19:36:43 +0400 Subject: [PATCH 115/226] . --- eslzArm/eslzArm.json | 3 +++ 1 file changed, 3 insertions(+) diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json index 014652a78c..c31bf3c511 100644 --- a/eslzArm/eslzArm.json +++ b/eslzArm/eslzArm.json @@ -5229,6 +5229,9 @@ }, "managementSubscriptionId": { "value": "[parameters('managementSubscriptionId')]" + }, + "connectivitySubscriptionId": { + "value": "[parameters('connectivitySubscriptionId')]" } } } From 7aaf59b42a16f06bf8a4546b102ba4cd3cbf549e Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Tue, 26 Nov 2024 21:03:14 +0400 Subject: [PATCH 116/226] . --- eslzArm/prerequisites/deployPrerequisites.json | 2 +- .../avnmConfiguration.json | 17 +++++++++-------- 2 files changed, 10 insertions(+), 9 deletions(-) diff --git a/eslzArm/prerequisites/deployPrerequisites.json b/eslzArm/prerequisites/deployPrerequisites.json index ce1f7cde03..ba6025f437 100644 --- a/eslzArm/prerequisites/deployPrerequisites.json +++ b/eslzArm/prerequisites/deployPrerequisites.json 
@@ -69,7 +69,7 @@
 "apiVersion": "2022-04-01",
 "name": "[guid(resourceGroup().id, format('uai-prereq-{0}', parameters('location')))]",
 "properties": {
- "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]",
+ "roleDefinitionId": "[tenantResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]",
 "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-prereq-{0}', parameters('location'))), '2022-01-31-preview').principalId]",
 "principalType": "ServicePrincipal"
 },
diff --git a/eslzArm/subscriptionTemplates/avnmConfiguration.json b/eslzArm/subscriptionTemplates/avnmConfiguration.json
index 6117f3d870..c57012ca6d 100644
--- a/eslzArm/subscriptionTemplates/avnmConfiguration.json
+++ b/eslzArm/subscriptionTemplates/avnmConfiguration.json
@@ -42,7 +42,8 @@
 },
 "variables": {
 "rgName": "[concat(parameters('topLevelManagementGroupPrefix'), '-avnm')]",
- "resourceDeploymentName": "[take(concat(deployment().name, '-avnm', parameters('location')), 64)]"
+ "resourceDeploymentName": "[take(concat(deployment().name, '-avnm', parameters('location')), 64)]",
+ "configIds": "[subscriptionResourceId(parameters('connectivitySubscriptionId'), 'Microsoft.Network/networkManagers/securityAdminConfigurations', 'avnm', format('sac-{0}', parameters('location')))]"
 },
 "resources": [
 {
@@ -72,14 +73,14 @@
 "managementGroupScope": {
 "value": "[parameters('managementGroupScope')]"
 },
- "connectivitySubscriptionId": {
- "value": "[parameters('connectivitySubscriptionId')]"
- },
 "userAssignedIdentityId": {
 "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('managementSubscriptionId'), 'rg-alz-prereqs'), 'Microsoft.Resources/deployments', 'alz-prerequisites-uai'), '2022-09-01').outputs.userAssignedIdentityId.value]"
 },
 "rgName": {
 "value": "[variables('rgName')]"
+ },
+ "configIds": {
+ "value": "[variables('configIds')]"
 }
 },
 "template": {
@@ -92,14 +93,14 @@
 "managementGroupScope": {
 "type": "string"
 },
- "connectivitySubscriptionId": {
- "type": "string"
- },
 "userAssignedIdentityId": {
 "type": "string"
 },
 "rgName": {
 "type": "string"
+ },
+ "configIds": {
+ "type": "string"
 }
 },
 "resources": [
@@ -319,7 +320,7 @@
 "azPowerShellVersion": "12.3",
 "retentionInterval": "PT1H",
 "timeout": "PT1H",
- "arguments": "[format('-regions \"{0}\" -rgname \"{1}\" -configids \"{2}\"', parameters('location'), parameters('rgName'), subscriptionResourceId(parameters('connectivitySubscriptionId'), 'Microsoft.Network/networkManagers/securityAdminConfigurations', 'avnm', format('sac-{0}', parameters('location'))))]",
+ "arguments": "[format('-regions \"{0}\" -rgname \"{1}\" -configids \"{2}\"', parameters('location'), parameters('rgName'), parameters('configIds'))]",
 "scriptContent": "
 param(
 [Parameter(Mandatory=$true, HelpMessage=\"Location for deployment.\")]
From f5319dd145032438205b70227fcd6e460a24e91d Mon Sep 17 00:00:00 2001
From: Sacha Narinx
Date: Tue, 26 Nov 2024 21:08:52 +0400
Subject: [PATCH 117/226] .
---
 eslzArm/prerequisites/deployPrerequisites.json | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/eslzArm/prerequisites/deployPrerequisites.json b/eslzArm/prerequisites/deployPrerequisites.json
index ba6025f437..81520197ba 100644
--- a/eslzArm/prerequisites/deployPrerequisites.json
+++ b/eslzArm/prerequisites/deployPrerequisites.json
@@ -51,6 +51,9 @@
 "parameters": {
 "location": {
 "type": "string"
+ },
+ "eslzRootName": {
+ "type": "string"
 }
 },
 "variables": {},
@@ -69,7 +72,7 @@
 "apiVersion": "2022-04-01",
 "name": "[guid(resourceGroup().id, format('uai-prereq-{0}', parameters('location')))]",
 "properties": {
- "roleDefinitionId": "[tenantResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]",
+ "roleDefinitionId": "[managementGroupResourceId(parameters('eslzRootName'), 'Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]",
 "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-prereq-{0}', parameters('location'))), '2022-01-31-preview').principalId]",
 "principalType": "ServicePrincipal"
 },
From fe5b429f2997000a6eada2f08eb77d4e2db69024 Mon Sep 17 00:00:00 2001
From: Sacha Narinx
Date: Tue, 26 Nov 2024 21:31:20 +0400
Subject: [PATCH 118/226] .
---
 eslzArm/prerequisites/deployPrerequisites.json | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/eslzArm/prerequisites/deployPrerequisites.json b/eslzArm/prerequisites/deployPrerequisites.json
index 81520197ba..dcd27bb908 100644
--- a/eslzArm/prerequisites/deployPrerequisites.json
+++ b/eslzArm/prerequisites/deployPrerequisites.json
@@ -43,6 +43,9 @@
 "parameters": {
 "location": {
 "value": "[parameters('location')]"
+ },
+ "eslzRootName": {
+ "value": "[parameters('eslzRootName')]"
 }
 },
 "template": {
From d4302682075b6d7a6a61bf8d59496570d87ca2fd Mon Sep 17 00:00:00 2001
From: Sacha Narinx
Date: Tue, 26 Nov 2024 22:21:35 +0400
Subject: [PATCH 119/226] .
---
 .../avnmConfiguration.json | 22 ++++++++++++++-----
 1 file changed, 17 insertions(+), 5 deletions(-)
diff --git a/eslzArm/subscriptionTemplates/avnmConfiguration.json b/eslzArm/subscriptionTemplates/avnmConfiguration.json
index c57012ca6d..3750ab9c66 100644
--- a/eslzArm/subscriptionTemplates/avnmConfiguration.json
+++ b/eslzArm/subscriptionTemplates/avnmConfiguration.json
@@ -43,7 +43,7 @@
 "variables": {
 "rgName": "[concat(parameters('topLevelManagementGroupPrefix'), '-avnm')]",
 "resourceDeploymentName": "[take(concat(deployment().name, '-avnm', parameters('location')), 64)]",
- "configIds": "[subscriptionResourceId(parameters('connectivitySubscriptionId'), 'Microsoft.Network/networkManagers/securityAdminConfigurations', 'avnm', format('sac-{0}', parameters('location')))]"
+ "configIds": "[resourceId(parameters('connectivitySubscriptionId'), variables('rgName'), 'Microsoft.Network/networkManagers/securityAdminConfigurations', 'avnm', format('sac-{0}', parameters('location')))]"
 },
 "resources": [
 {
@@ -81,6 +81,9 @@
 },
 "configIds": {
 "value": "[variables('configIds')]"
+ },
+ "connectivitySubscriptionId": {
+ "value": "[parameters('connectivitySubscriptionId')]"
 }
 },
 "template": {
@@ -101,6 +104,9 @@
 },
 "configIds": {
 "type": "string"
+ },
+ "connectivitySubscriptionId": {
+ "type": "string"
 }
 },
 "resources": [
@@ -320,7 +326,7 @@
 "azPowerShellVersion": "12.3",
 "retentionInterval": "PT1H",
 "timeout": "PT1H",
- "arguments": "[format('-regions \"{0}\" -rgname \"{1}\" -configids \"{2}\"', parameters('location'), parameters('rgName'), parameters('configIds'))]",
+ "arguments": "[format('-regions \"{0}\" -rgName \"{1}\" -configIds \"{2}\" -connectivitySubscriptionId', parameters('location'), parameters('rgName'), parameters('configIds'), parameters('connectivitySubscriptionId'))]",
 "scriptContent": "
 param(
 [Parameter(Mandatory=$true, HelpMessage=\"Location for deployment.\")]
@@ -329,14 +335,20 @@
 [Parameter(Mandatory=$true, HelpMessage=\"Resource Group Name.\")]
 [string]
- $rgname,
+ $rgName,
 [Parameter(Mandatory=$true, HelpMessage=\"Configuration IDs.\")]
 [string]
- $configids
+ $configIds,
+
+ [Parameter(Mandatory=$true, HelpMessage=\"Connectivity subscription id.\")]
+ [string]
+ $connectivitySubscriptionId
 )
- Deploy-AzNetworkManagerCommit -ResourceGroupName $rgname -Name \"avnm\" -TargetLocation $regions -CommitType \"SecurityAdmin\" -ConfigurationId $configids
+ Select-AzSubscription -SubscriptionId $connectivitySubscriptionId
+
+ Deploy-AzNetworkManagerCommit -ResourceGroupName $rgName -Name \"avnm\" -TargetLocation $regions -CommitType \"SecurityAdmin\" -ConfigurationId $configIds
 "
 },
From be802bb59d8c51fb819dda61ce88d51df53101b3 Mon Sep 17 00:00:00 2001
From: Sacha Narinx
Date: Wed, 27 Nov 2024 08:18:07 +0400
Subject: [PATCH 120/226] .
---
 eslzArm/subscriptionTemplates/avnmConfiguration.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/eslzArm/subscriptionTemplates/avnmConfiguration.json b/eslzArm/subscriptionTemplates/avnmConfiguration.json
index 3750ab9c66..27688548ea 100644
--- a/eslzArm/subscriptionTemplates/avnmConfiguration.json
+++ b/eslzArm/subscriptionTemplates/avnmConfiguration.json
@@ -326,7 +326,7 @@
 "azPowerShellVersion": "12.3",
 "retentionInterval": "PT1H",
 "timeout": "PT1H",
- "arguments": "[format('-regions \"{0}\" -rgName \"{1}\" -configIds \"{2}\" -connectivitySubscriptionId', parameters('location'), parameters('rgName'), parameters('configIds'), parameters('connectivitySubscriptionId'))]",
+ "arguments": "[format('-regions \"{0}\" -rgName \"{1}\" -configIds \"{2}\" -connSubId \"{3}\"', parameters('location'), parameters('rgName'), parameters('configIds'), parameters('connectivitySubscriptionId'))]",
 "scriptContent": "
 param(
 [Parameter(Mandatory=$true, HelpMessage=\"Location for deployment.\")]
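Review bot: Neither the added `Select-AzSubscription -SubscriptionId $connectivitySubscriptionId` nor the rewritten `Deploy-AzNetworkManagerCommit` line checks its outcome, and the script never sets `$ErrorActionPreference = 'Stop'`; an Azure deployment script only fails on a terminating error or non-zero exit, so if either cmdlet reports a non-terminating error (wrong subscription, missing permission, rejected commit) the deployment still reports success while the security admin configuration was never applied. Add `$ErrorActionPreference = 'Stop'` as the first statement after the `param(...)` block, or pass `-ErrorAction Stop` to both cmdlets, so the failure surfaces in the deployment result. The same gap is carried into the later rewrites of this script in the `@@ -462,53 +425,69 @@` and `@@ -454,26 +462,27 @@` hunks of this file. The enclosing `scriptContent` string begins before this hunk.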
@@ -343,10 +343,10 @@
 [Parameter(Mandatory=$true, HelpMessage=\"Connectivity subscription id.\")]
 [string]
- $connectivitySubscriptionId
+ $connSubId
 )
- Select-AzSubscription -SubscriptionId $connectivitySubscriptionId
+ Select-AzSubscription -SubscriptionId $connSubId
 Deploy-AzNetworkManagerCommit -ResourceGroupName $rgName -Name \"avnm\" -TargetLocation $regions -CommitType \"SecurityAdmin\" -ConfigurationId $configIds
From 5fb09f4614b3dc7863dbbb32ebcc25420e18dc95 Mon Sep 17 00:00:00 2001
From: Sacha Narinx
Date: Wed, 27 Nov 2024 09:37:02 +0400
Subject: [PATCH 121/226] temp
---
 .../prerequisites/deployPrerequisites.json | 2 +-
 .../avnmConfiguration.json | 152 +++++++++++++++++-
 2 files changed, 152 insertions(+), 2 deletions(-)
diff --git a/eslzArm/prerequisites/deployPrerequisites.json b/eslzArm/prerequisites/deployPrerequisites.json
index dcd27bb908..683e98a60e 100644
--- a/eslzArm/prerequisites/deployPrerequisites.json
+++ b/eslzArm/prerequisites/deployPrerequisites.json
@@ -75,7 +75,7 @@
 "apiVersion": "2022-04-01",
 "name": "[guid(resourceGroup().id, format('uai-prereq-{0}', parameters('location')))]",
 "properties": {
- "roleDefinitionId": "[managementGroupResourceId(parameters('eslzRootName'), 'Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]",
+ "roleDefinitionId": "[subscriptionResourceId(parameters('eslzRootName'), 'Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]",
 "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-prereq-{0}', parameters('location'))), '2022-01-31-preview').principalId]",
 "principalType": "ServicePrincipal"
 },
diff --git a/eslzArm/subscriptionTemplates/avnmConfiguration.json b/eslzArm/subscriptionTemplates/avnmConfiguration.json
index 27688548ea..2de37c69a7 100644
--- a/eslzArm/subscriptionTemplates/avnmConfiguration.json
+++ b/eslzArm/subscriptionTemplates/avnmConfiguration.json
@@ -360,7 +360,157 @@
 ]
 }
 }
- }
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2022-09-01",
+ "name": "alz-avnm-uai",
+ "resourceGroup": "[variables('rgName')]",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "location": {
+ "value": "[parameters('location')]"
+ },
+ "eslzRootName": {
+ "value": "[parameters('topLevelManagementGroupPrefix')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "location": {
+ "type": "string"
+ },
+ "eslzRootName": {
+ "type": "string"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.ManagedIdentity/userAssignedIdentities",
+ "apiVersion": "2022-01-31-preview",
+ "name": "[format('uai-avnm-{0}', parameters('location'))]",
+ "location": "[parameters('location')]",
+ "metadata": {
+ "description": "This user assigned identity is used by the Deployment Script resource to interact with Azure resources."
+ }
+ },
+ {
+ "type": "Microsoft.Authorization/roleAssignments",
+ "apiVersion": "2022-04-01",
+ "name": "[guid(resourceGroup().id, format('uai-avnm-{0}', parameters('location')))]",
+ "properties": {
+ "roleDefinitionId": "[subscriptionResourceId(parameters('eslzRootName'), 'Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]",
+ "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-avnm-{0}', parameters('location'))), '2022-01-31-preview').principalId]",
+ "principalType": "ServicePrincipal"
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-avnm-{0}', parameters('location')))]"
+ ],
+ "metadata": {
+ "description": "This role assignment grants the user assigned identity the Contributor role on the resource group."
+ }
+ }
+ ],
+ "outputs": {
+ "userAssignedIdentityId": {
+ "type": "string",
+ "value": "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-avnm-{0}', parameters('location')))]"
+ }
+ }
+ }
+ },
+ "dependsOn": [
+ "[subscriptionResourceId('Microsoft.Resources/resourceGroups', variables('rgName'))]"
+ ]
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2022-09-01",
+ "name": "[format('ds-{0}-prereqs', parameters('location'))]",
+ "resourceGroup": "[parameters('resourceGroupName')]",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "location": {
+ "value": "[parameters('location')]"
+ },
+ "userAssignedIdentityId": {
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('resourceGroupName')), 'Microsoft.Resources/deployments', 'alz-prerequisites-uai'), '2022-09-01').outputs.userAssignedIdentityId.value]"
+ },
+ "eslzRootName": {
+ "value": "[parameters('eslzRootName')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "location": {
+ "type": "string"
+ },
+ "eslzRootName":{
+ "type": "string"
+ },
+ "userAssignedIdentityId": {
+ "type": "string"
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Resources/deploymentScripts",
+ "apiVersion": "2020-10-01",
+ "name": "alz-deploymentscript",
+ "location": "[parameters('location')]",
+ "kind": "AzurePowerShell",
+ "identity": {
+ "type": "UserAssigned",
+ "userAssignedIdentities": {
+ "[format('{0}', parameters('userAssignedIdentityId'))]": {}
+ }
+ },
+ "properties": {
+ "azPowerShellVersion": "12.3",
+ "retentionInterval": "PT1H",
+ "timeout": "PT1H",
+ "arguments": "[format('-eslzRootName \"{0}\"', parameters('eslzRootName'))]",
+ "scriptContent": "
+ param(
+ [Parameter(Mandatory=$true, HelpMessage=\"Enter the ESLZ root name.\")]
+ [string]
+ $eslzRootName
+ )
+
+ Invoke-AzRestMethod -Method POST -Uri \"https://management.azure.com/providers/Microsoft.Management/managementGroups/$eslzRootName/providers/Microsoft.Network/register?api-version=2021-04-01\"
+
+ #Sleep for 30 minutes to wait for Management Groups to load to cache before assignments
+ Start-Sleep -Duration (New-TimeSpan -Minutes 10)
+
+ Invoke-AzRestMethod -Method POST -Uri \"https://management.azure.com/providers/Microsoft.Management/managementGroups/$eslzRootName/providers/Microsoft.Network/register?api-version=2021-04-01\"
+ "
+ },
+ "metadata": {
+ "description": "Create a Deployment Script resource to perform the prerequisites."
+ }
+ }
+ ],
+ "outputs": {}
+ }
+ },
+ "dependsOn": [
+ "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('resourceGroupName')), 'Microsoft.Resources/deployments', 'alz-prerequisites-uai')]",
+ "[subscriptionResourceId('Microsoft.Resources/resourceGroups', parameters('resourceGroupName'))]"
+ ]
+ }
 ],
 "outputs": {}
 }
\ No newline at end of file
From b5ba9f5b61cfc43d8218ece6672e44d3364c2f52 Mon Sep 17 00:00:00 2001
From: Sacha Narinx
Date: Wed, 27 Nov 2024 09:55:29 +0400
Subject: [PATCH 122/226] .
---
 .../avnmConfiguration.json | 159 ++++++++----------
 1 file changed, 69 insertions(+), 90 deletions(-)
diff --git a/eslzArm/subscriptionTemplates/avnmConfiguration.json b/eslzArm/subscriptionTemplates/avnmConfiguration.json
index 2de37c69a7..b4b09b12d0 100644
--- a/eslzArm/subscriptionTemplates/avnmConfiguration.json
+++ b/eslzArm/subscriptionTemplates/avnmConfiguration.json
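Review bot: The role assignment inside the new `alz-avnm-uai` deployment grants role `b24988ac-6180-42a0-ab88-20f7382dd24c` — Contributor, as the resource's own description says — over the whole resource group to the deployment-script identity, while the only work this template's script does with that identity is an AVNM security-admin commit; the built-in Network Contributor role (`4d97b98b-1d4f-4787-a291-c67834d212e7`, `Microsoft.Network/*`) covers that and keeps the blast radius of a misused or compromised script identity to networking resources, and the description comment should then name the role actually granted. The second new deployment (`ds-{location}-prereqs`) discards the return value of both `Invoke-AzRestMethod` calls, so a 401, 403 or 5xx from the management-group-scope register request is neither logged nor fatal and the deployment reports success; capture `$result = Invoke-AzRestMethod ...` and throw when `$result.StatusCode -ne 200`. The comment `#Sleep for 30 minutes` contradicts the `New-TimeSpan -Minutes 10` on the line below it. The hunk's leading context closes a resource that begins before the hunk.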
@@ -309,52 +309,6 @@
 "direction": "Inbound",
 "access": "Deny"
 }
- },
- {
- "type": "Microsoft.Resources/deploymentScripts",
- "apiVersion": "2020-10-01",
- "name": "alz-deploymentscript-config",
- "location": "[parameters('location')]",
- "kind": "AzurePowerShell",
- "identity": {
- "type": "UserAssigned",
- "userAssignedIdentities": {
- "[format('{0}', parameters('userAssignedIdentityId'))]": {}
- }
- },
- "properties": {
- "azPowerShellVersion": "12.3",
- "retentionInterval": "PT1H",
- "timeout": "PT1H",
- "arguments": "[format('-regions \"{0}\" -rgName \"{1}\" -configIds \"{2}\" -connSubId \"{3}\"', parameters('location'), parameters('rgName'), parameters('configIds'), parameters('connectivitySubscriptionId'))]",
- "scriptContent": "
- param(
- [Parameter(Mandatory=$true, HelpMessage=\"Location for deployment.\")]
- [string]
- $regions,
-
- [Parameter(Mandatory=$true, HelpMessage=\"Resource Group Name.\")]
- [string]
- $rgName,
-
- [Parameter(Mandatory=$true, HelpMessage=\"Configuration IDs.\")]
- [string]
- $configIds,
-
- [Parameter(Mandatory=$true, HelpMessage=\"Connectivity subscription id.\")]
- [string]
- $connSubId
- )
-
- Select-AzSubscription -SubscriptionId $connSubId
-
- Deploy-AzNetworkManagerCommit -ResourceGroupName $rgName -Name \"avnm\" -TargetLocation $regions -CommitType \"SecurityAdmin\" -ConfigurationId $configIds
-
- "
- },
- "metadata": {
- "description": "Create a Deployment Script resource to perform the configuration deployment."
- }
 }
 ]
@@ -434,22 +388,31 @@
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2022-09-01",
 "name": "[format('ds-{0}-prereqs', parameters('location'))]",
- "resourceGroup": "[parameters('resourceGroupName')]",
+ "resourceGroup": "[variables('rgName')]",
 "properties": {
- "expressionEvaluationOptions": {
- "scope": "inner"
+ "expressionEvaluationOptions": {
+ "scope": "inner"
 },
 "mode": "Incremental",
 "parameters": {
- "location": {
- "value": "[parameters('location')]"
- },
- "userAssignedIdentityId": {
- "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('resourceGroupName')), 'Microsoft.Resources/deployments', 'alz-prerequisites-uai'), '2022-09-01').outputs.userAssignedIdentityId.value]"
- },
- "eslzRootName": {
- "value": "[parameters('eslzRootName')]"
- }
+ "location": {
+ "value": "[parameters('location')]"
+ },
+ "userAssignedIdentityId": {
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, variables('rgName')), 'Microsoft.Resources/deployments', 'alz-avnm-uai'), '2022-09-01').outputs.userAssignedIdentityId.value]"
+ },
+ "eslzRootName": {
+ "value": "[parameters('topLevelManagementGroupPrefix')]"
+ },
+ "rgName": {
+ "value": "[variables('rgName')]"
+ },
+ "configIds": {
+ "value": "[variables('configIds')]"
+ },
+ "connectivitySubscriptionId": {
+ "value": "[parameters('connectivitySubscriptionId')]"
+ }
 },
 "template": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
@@ -462,53 +425,69 @@
 "type": "string"
 },
 "userAssignedIdentityId": {
- "type": "string"
+ "type": "string"
+ },
+ "rgName": {
+ "type": "string"
+ },
+ "configIds": {
+ "type": "string"
+ },
+ "connectivitySubscriptionId": {
+ "type": "string"
 }
 },
 "resources": [
 {
- "type": "Microsoft.Resources/deploymentScripts",
- "apiVersion": "2020-10-01",
- "name": "alz-deploymentscript",
- "location": "[parameters('location')]",
- "kind": "AzurePowerShell",
- "identity": {
- "type": "UserAssigned",
- "userAssignedIdentities": {
- "[format('{0}', parameters('userAssignedIdentityId'))]": {}
+ "type": "Microsoft.Resources/deploymentScripts",
+ "apiVersion": "2020-10-01",
+ "name": "alz-avnm-deploymentscript",
+ "location": "[parameters('location')]",
+ "kind": "AzurePowerShell",
+ "identity": {
+ "type": "UserAssigned",
+ "userAssignedIdentities": {
+ "[format('{0}', parameters('userAssignedIdentityId'))]": {}
 }
 },
 "properties": {
- "azPowerShellVersion": "12.3",
- "retentionInterval": "PT1H",
- "timeout": "PT1H",
- "arguments": "[format('-eslzRootName \"{0}\"', parameters('eslzRootName'))]",
- "scriptContent": "
- param(
- [Parameter(Mandatory=$true, HelpMessage=\"Enter the ESLZ root name.\")]
- [string]
- $eslzRootName
- )
+ "azPowerShellVersion": "12.3",
+ "retentionInterval": "PT1H",
+ "timeout": "PT1H",
+ "arguments": "[format('-regions \"{0}\" -rgName \"{1}\" -configIds \"{2}\" -connSubId \"{3}\"', parameters('location'), parameters('rgName'), parameters('configIds'), parameters('connectivitySubscriptionId'))]",
+ "scriptContent": "
+ param(
+ [Parameter(Mandatory=$true, HelpMessage=\"Location for deployment.\")]
+ [string]
+ $regions,
- Invoke-AzRestMethod -Method POST -Uri \"https://management.azure.com/providers/Microsoft.Management/managementGroups/$eslzRootName/providers/Microsoft.Network/register?api-version=2021-04-01\"
-
- #Sleep for 30 minutes to wait for Management Groups to load to cache before assignments
- Start-Sleep -Duration (New-TimeSpan -Minutes 10)
+ [Parameter(Mandatory=$true, HelpMessage=\"Resource Group Name.\")]
+ [string]
+ $rgName,
- Invoke-AzRestMethod -Method POST -Uri \"https://management.azure.com/providers/Microsoft.Management/managementGroups/$eslzRootName/providers/Microsoft.Network/register?api-version=2021-04-01\"
- "
- },
- "metadata": {
- "description": "Create a Deployment Script resource to perform the prerequisites."
- }
+ [Parameter(Mandatory=$true, HelpMessage=\"Configuration IDs.\")]
+ [string]
+ $configIds,
+
+ [Parameter(Mandatory=$true, HelpMessage=\"Connectivity subscription id.\")]
+ [string]
+ $connSubId
+ )
+
+ Select-AzSubscription -SubscriptionId $connSubId
+
+ Deploy-AzNetworkManagerCommit -ResourceGroupName $rgName -Name \"avnm\" -TargetLocation $regions -CommitType \"SecurityAdmin\" -ConfigurationId $configIds
+
+ "
+ }
 }
 ],
 "outputs": {}
 }
 },
 "dependsOn": [
- "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('resourceGroupName')), 'Microsoft.Resources/deployments', 'alz-prerequisites-uai')]",
- "[subscriptionResourceId('Microsoft.Resources/resourceGroups', parameters('resourceGroupName'))]"
+ "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, variables('rgName')), 'Microsoft.Resources/deployments', variables('resourceDeploymentName'))]",
+ "[subscriptionResourceId('Microsoft.Resources/resourceGroups', variables('rgName'))]"
 ]
 }
 ],
From 09f2a9f62cb99f31173b4096c477885581d97732 Mon Sep 17 00:00:00 2001
From: Sacha Narinx
Date: Wed, 27 Nov 2024 10:01:01 +0400
Subject: [PATCH 123/226] .
---
 eslzArm/prerequisites/deployPrerequisites.json | 2 +-
 eslzArm/subscriptionTemplates/avnmConfiguration.json | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/eslzArm/prerequisites/deployPrerequisites.json b/eslzArm/prerequisites/deployPrerequisites.json
index 683e98a60e..a8814d014e 100644
--- a/eslzArm/prerequisites/deployPrerequisites.json
+++ b/eslzArm/prerequisites/deployPrerequisites.json
@@ -75,7 +75,7 @@
 "apiVersion": "2022-04-01",
 "name": "[guid(resourceGroup().id, format('uai-prereq-{0}', parameters('location')))]",
 "properties": {
- "roleDefinitionId": "[subscriptionResourceId(parameters('eslzRootName'), 'Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]",
+ "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]",
 "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-prereq-{0}', parameters('location'))), '2022-01-31-preview').principalId]",
 "principalType": "ServicePrincipal"
 },
diff --git a/eslzArm/subscriptionTemplates/avnmConfiguration.json b/eslzArm/subscriptionTemplates/avnmConfiguration.json
index b4b09b12d0..71a0c8c904 100644
--- a/eslzArm/subscriptionTemplates/avnmConfiguration.json
+++ b/eslzArm/subscriptionTemplates/avnmConfiguration.json
@@ -360,7 +360,7 @@
 "apiVersion": "2022-04-01",
 "name": "[guid(resourceGroup().id, format('uai-avnm-{0}', parameters('location')))]",
 "properties": {
- "roleDefinitionId": "[subscriptionResourceId(parameters('eslzRootName'), 'Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]",
+ "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]",
 "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-avnm-{0}', parameters('location'))), '2022-01-31-preview').principalId]",
 "principalType": "ServicePrincipal"
 },
From d4d4747e5c497a1b52ec56efd95f625f0a7ac2f4 Mon Sep 17 00:00:00 2001
From: Sacha Narinx
Date: Wed, 27 Nov 2024 10:10:48 +0400
Subject: [PATCH 124/226] .
---
 eslzArm/prerequisites/deployPrerequisites.json | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)
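Review bot: After four rewrites across patches 116, 117, 121 and this one, `subscriptionResourceId('Microsoft.Authorization/roleDefinitions', ...)` is a valid reference to the built-in role, but none of the rewrites touched what actually decides authorisation: neither roleAssignments resource sets a `scope` property, so both assignments are scoped to the resource group their nested deployment targets. If the `uai-prereq-{location}` identity in deployPrerequisites.json is the one that runs the prereq script's POST to `/providers/Microsoft.Management/managementGroups/$eslzRootName/providers/Microsoft.Network/register`, a resource-group-scoped Contributor assignment is unlikely to authorise that management-group-scope request; confirm the scope the call needs and, if it is the management group, grant the narrowest role that covers it in a management-group-scoped deployment rather than widening this assignment. The same structure applies to the `@@ -360,7 +360,7 @@` hunk in avnmConfiguration.json, where resource-group scope is the right scope for the AVNM commit. Both roleAssignments resources begin before their hunks.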
diff --git a/eslzArm/prerequisites/deployPrerequisites.json b/eslzArm/prerequisites/deployPrerequisites.json
index a8814d014e..a4eaac3622 100644
--- a/eslzArm/prerequisites/deployPrerequisites.json
+++ b/eslzArm/prerequisites/deployPrerequisites.json
@@ -43,9 +43,6 @@
 "parameters": {
 "location": {
 "value": "[parameters('location')]"
- },
- "eslzRootName": {
- "value": "[parameters('eslzRootName')]"
 }
 },
 "template": {
@@ -54,9 +51,6 @@
 "parameters": {
 "location": {
 "type": "string"
- },
- "eslzRootName": {
- "type": "string"
 }
 },
 "variables": {},
@@ -138,7 +132,7 @@
 {
 "type": "Microsoft.Resources/deploymentScripts",
 "apiVersion": "2020-10-01",
- "name": "alz-deploymentscript",
+ "name": "alz-prereq-deploymentscript",
 "location": "[parameters('location')]",
 "kind": "AzurePowerShell",
 "identity": {
From b340fac4f4e9eb60f546f844bda8842833fdbf8d Mon Sep 17 00:00:00 2001
From: Sacha Narinx
Date: Wed, 27 Nov 2024 11:50:50 +0400
Subject: [PATCH 125/226] .
---
 eslzArm/eslzArm.json | 6 +++-
 .../prerequisites/deployPrerequisites.json | 3 +-
 .../avnmConfiguration.json | 31 ++++++++++++-------
 3 files changed, 27 insertions(+), 13 deletions(-)
diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json
index c31bf3c511..3f50b78a52 100644
--- a/eslzArm/eslzArm.json
+++ b/eslzArm/eslzArm.json
@@ -5195,7 +5195,7 @@
 },
 {
 // Deploy AVNM
- "condition": "[and(or(equals(parameters('enableHub'), 'vhub'), equals(parameters('enableHub'), 'nva')), not(empty(parameters('connectivitySubscriptionId'))))]",
+ "condition": "[and(parameters('deployAVNM'), or(equals(parameters('enableHub'), 'vhub'), equals(parameters('enableHub'), 'nva')), not(empty(parameters('connectivitySubscriptionId'))))]",
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2020-10-01",
 "subscriptionId": "[parameters('connectivitySubscriptionId')]",
@@ -5224,6 +5224,9 @@
 "location": {
 "value": "[parameters('connectivityLocation')]"
 },
+ "locationSecondary": {
+ "value": "[parameters('connectivityLocationSecondary')]"
+ },
 "managementGroupScope": {
 "value": "[variables('scopes').eslzRootManagementGroup]"
 },
@@ -5238,6 +5241,7 @@
 },
 {
 // Deploying AVNM policy
+ "condition": "[and(parameters('deployAVNM'), or(equals(parameters('enableHub'), 'vhub'), equals(parameters('enableHub'), 'nva')), not(empty(parameters('connectivitySubscriptionId'))))]",
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2019-10-01",
 "name": "[variables('deploymentNames').avnmPolicyDeploymentName]",
diff --git a/eslzArm/prerequisites/deployPrerequisites.json b/eslzArm/prerequisites/deployPrerequisites.json
index a4eaac3622..b6c2be196d 100644
--- a/eslzArm/prerequisites/deployPrerequisites.json
+++ b/eslzArm/prerequisites/deployPrerequisites.json
@@ -158,7 +158,8 @@
 #Sleep for 30 minutes to wait for Management Groups to load to cache before assignments
 Start-Sleep -Duration (New-TimeSpan -Minutes 10)
- Invoke-AzRestMethod -Method POST -Uri \"https://management.azure.com/providers/Microsoft.Management/managementGroups/$eslzRootName/providers/Microsoft.Network/register?api-version=2021-04-01\"
+ $result = Invoke-AzRestMethod -Method POST -Uri \"https://management.azure.com/providers/Microsoft.Management/managementGroups/$eslzRootName/providers/Microsoft.Network/register?api-version=2021-04-01\"
+ Write-Output 'Status Code: $result.StatusCode'
 "
 },
 "metadata": {
diff --git a/eslzArm/subscriptionTemplates/avnmConfiguration.json b/eslzArm/subscriptionTemplates/avnmConfiguration.json
index 71a0c8c904..c717864298 100644
--- a/eslzArm/subscriptionTemplates/avnmConfiguration.json
+++ b/eslzArm/subscriptionTemplates/avnmConfiguration.json
@@ -18,6 +18,14 @@
 },
 "defaultValue": "[deployment().location]"
 },
+ "locationSecondary": {
+ "type": "string",
+ "metadata": {
+ "displayName": "locationSecondary",
+ "description": "Secondary location of the HUB for instances deploying in multiple regions"
+ },
+ "defaultValue": ""
+ },
 "managementGroupScope": {
 "type": "string",
 "defaultValue": "",
@@ -398,12 +406,12 @@
 "location": {
 "value": "[parameters('location')]"
 },
+ "locationSecondary": {
+ "value": "[parameters('locationSecondary')]"
+ },
 "userAssignedIdentityId": {
 "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, variables('rgName')), 'Microsoft.Resources/deployments', 'alz-avnm-uai'), '2022-09-01').outputs.userAssignedIdentityId.value]"
 },
- "eslzRootName": {
- "value": "[parameters('topLevelManagementGroupPrefix')]"
- },
 "rgName": {
 "value": "[variables('rgName')]"
 },
@@ -421,8 +429,8 @@
 "location": {
 "type": "string"
 },
- "eslzRootName":{
- "type": "string"
+ "locationSecondary": {
+ "type": "string"
 },
 "userAssignedIdentityId": {
 "type": "string"
@@ -454,26 +462,27 @@
 "azPowerShellVersion": "12.3",
 "retentionInterval": "PT1H",
 "timeout": "PT1H",
- "arguments": "[format('-regions \"{0}\" -rgName \"{1}\" -configIds \"{2}\" -connSubId \"{3}\"', parameters('location'), parameters('rgName'), parameters('configIds'), parameters('connectivitySubscriptionId'))]",
+ "arguments": "[format('-location \"{0}\" -locationSecond \"{1}\" -rgName \"{2}\" -configIds \"{3}\" -connSubId \"{4}\"', parameters('location'), parameters('locationSecondary'), parameters('rgName'), parameters('configIds'), parameters('connectivitySubscriptionId'))]",
 "scriptContent": "
 param(
- [Parameter(Mandatory=$true, HelpMessage=\"Location for deployment.\")]
 [string]
- $regions,
+ $location,
+
+ [string]
+ $locationSecond,
- [Parameter(Mandatory=$true, HelpMessage=\"Resource Group Name.\")]
 [string]
 $rgName,
- [Parameter(Mandatory=$true, HelpMessage=\"Configuration IDs.\")]
 [string]
 $configIds,
- [Parameter(Mandatory=$true, HelpMessage=\"Connectivity subscription id.\")]
 [string]
 $connSubId
 )
+ $regions = @($location, $locationSecond)
+
 Select-AzSubscription -SubscriptionId $connSubId
 Deploy-AzNetworkManagerCommit -ResourceGroupName $rgName -Name \"avnm\" -TargetLocation $regions -CommitType \"SecurityAdmin\" -ConfigurationId $configIds
From 28f759576cfba8a56e8cee33b28614e73c0bc05e Mon Sep 17 00:00:00 2001
From: Sacha Narinx
Date: Wed, 27 Nov 2024 14:31:17 +0400
Subject: [PATCH 126/226] .
---
 eslzArm/prerequisites/deployPrerequisites.json | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/eslzArm/prerequisites/deployPrerequisites.json b/eslzArm/prerequisites/deployPrerequisites.json
index b6c2be196d..3cb2ed7a31 100644
--- a/eslzArm/prerequisites/deployPrerequisites.json
+++ b/eslzArm/prerequisites/deployPrerequisites.json
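Review bot: `$regions = @($location, $locationSecond)` contains an empty string whenever `locationSecondary` is left at its default `""` (declared in this commit's `@@ -18,6 +18,14 @@` hunk), so `Deploy-AzNetworkManagerCommit -TargetLocation` is handed an empty region entry, which presumably makes the commit fail for the single-region case; drop empties with `$regions = @($location, $locationSecond) | Where-Object { $_ }`. Deleting the four `[Parameter(Mandatory=$true ...)]` attributes also makes every argument optional, so a missing `-connSubId` or `-configIds` no longer stops the script at parameter binding but reaches `Select-AzSubscription -SubscriptionId ''`; keep `Mandatory=$true` on `$location`, `$rgName`, `$configIds` and `$connSubId` and leave only `$locationSecond` optional. The enclosing `scriptContent` string and the surrounding deploymentScripts resource begin before and end after this hunk.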
@@ -153,13 +153,18 @@
 $eslzRootName
 )
- Invoke-AzRestMethod -Method POST -Uri \"https://management.azure.com/providers/Microsoft.Management/managementGroups/$eslzRootName/providers/Microsoft.Network/register?api-version=2021-04-01\"
-
- #Sleep for 30 minutes to wait for Management Groups to load to cache before assignments
+ #Sleep for XX minutes to wait for Management Groups to load to cache before assignments
 Start-Sleep -Duration (New-TimeSpan -Minutes 10)
- $result = Invoke-AzRestMethod -Method POST -Uri \"https://management.azure.com/providers/Microsoft.Management/managementGroups/$eslzRootName/providers/Microsoft.Network/register?api-version=2021-04-01\"
- Write-Output 'Status Code: $result.StatusCode'
+ $result = \"\"
+ $count = 0
+
+ do {
+ $result = Invoke-AzRestMethod -Method POST -Uri \"https://management.azure.com/providers/Microsoft.Management/managementGroups/$eslzRootName/providers/Microsoft.Network/register?api-version=2021-04-01\"
+ $count++
+ Start-Sleep -Seconds 5
+ Write-Output 'Status Code: ' $result.StatusCode ' Count: ' $count
+ } while ($result.StatusCode -ne 200 -and $count -lt 10)
 "
 },
 "metadata": {
From e286875598edb2216c2abd5163ddda93ae6d5eac Mon Sep 17 00:00:00 2001
From: Sacha Narinx
Date: Wed, 27 Nov 2024 14:32:23 +0400
Subject: [PATCH 127/226] .
---
 eslzArm/prerequisites/deployPrerequisites.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/eslzArm/prerequisites/deployPrerequisites.json b/eslzArm/prerequisites/deployPrerequisites.json
index 3cb2ed7a31..7b4083ff15 100644
--- a/eslzArm/prerequisites/deployPrerequisites.json
+++ b/eslzArm/prerequisites/deployPrerequisites.json
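Review bot: The `do { ... } while ($result.StatusCode -ne 200 -and $count -lt 10)` loop exits after ten failures without signalling anything: `Invoke-AzRestMethod` returns a response object for 401, 403 or 5xx instead of throwing, so once the retries are exhausted the script still ends with exit code 0 and the deployment reports the management-group registration as done. Add after the loop `if ($result.StatusCode -ne 200) { throw \"Management group registration failed with status $($result.StatusCode) after $count attempts\" }` so the deployment fails and the status is visible in the script log. `Write-Output 'Status Code: ' $result.StatusCode ' Count: ' $count` passes four positional objects and emits each on its own line; `Write-Output \"Status Code: $($result.StatusCode) Count: $count\"` gives one readable line, and the comment `#Sleep for XX minutes` should state the actual `-Minutes 10`. The enclosing `scriptContent` string begins before this hunk.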
@@ -162,7 +162,7 @@
 do {
 $result = Invoke-AzRestMethod -Method POST -Uri \"https://management.azure.com/providers/Microsoft.Management/managementGroups/$eslzRootName/providers/Microsoft.Network/register?api-version=2021-04-01\"
 $count++
- Start-Sleep -Seconds 5
+ Start-Sleep -Seconds 30
 Write-Output 'Status Code: ' $result.StatusCode ' Count: ' $count
 } while ($result.StatusCode -ne 200 -and $count -lt 10)
 "
From 140b38e99eed102e4c246e14629b826f31aaae35 Mon Sep 17 00:00:00 2001
From: Sacha Narinx
Date: Wed, 27 Nov 2024 16:49:09 +0400
Subject: [PATCH 128/226] .
---
 eslzArm/subscriptionTemplates/avnmConfiguration.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/eslzArm/subscriptionTemplates/avnmConfiguration.json b/eslzArm/subscriptionTemplates/avnmConfiguration.json
index c717864298..efa98a10b7 100644
--- a/eslzArm/subscriptionTemplates/avnmConfiguration.json
+++ b/eslzArm/subscriptionTemplates/avnmConfiguration.json
@@ -49,7 +49,7 @@
 }
 },
 "variables": {
- "rgName": "[concat(parameters('topLevelManagementGroupPrefix'), '-avnm')]",
+ "rgName": "rg-alz-avnm",
 "resourceDeploymentName": "[take(concat(deployment().name, '-avnm', parameters('location')), 64)]",
 "configIds": "[resourceId(parameters('connectivitySubscriptionId'), variables('rgName'), 'Microsoft.Network/networkManagers/securityAdminConfigurations', 'avnm', format('sac-{0}', parameters('location')))]"
 },
From 27de017628424d2cf15113b762ad5ca9e7021029 Mon Sep 17 00:00:00 2001
From: Sacha Narinx
Date: Wed, 27 Nov 2024 17:42:56 +0400
Subject: [PATCH 129/226] .
---
 .../avnmConfiguration.json | 54 +++++--------------
 1 file changed, 12 insertions(+), 42 deletions(-)
diff --git a/eslzArm/subscriptionTemplates/avnmConfiguration.json b/eslzArm/subscriptionTemplates/avnmConfiguration.json
index efa98a10b7..eb24c60bc1 100644
--- a/eslzArm/subscriptionTemplates/avnmConfiguration.json
+++ b/eslzArm/subscriptionTemplates/avnmConfiguration.json
@@ -49,7 +49,7 @@ } }, "variables": { - "rgName": "rg-alz-avnm", + "rgName": "[concat(parameters('topLevelManagementGroupPrefix'), '-avnm')]", "resourceDeploymentName": "[take(concat(deployment().name, '-avnm', parameters('location')), 64)]", "configIds": "[resourceId(parameters('connectivitySubscriptionId'), variables('rgName'), 'Microsoft.Network/networkManagers/securityAdminConfigurations', 'avnm', format('sac-{0}', parameters('location')))]" }, @@ -80,18 +80,6 @@ }, "managementGroupScope": { "value": "[parameters('managementGroupScope')]" - }, - "userAssignedIdentityId": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('managementSubscriptionId'), 'rg-alz-prereqs'), 'Microsoft.Resources/deployments', 'alz-prerequisites-uai'), '2022-09-01').outputs.userAssignedIdentityId.value]" - }, - "rgName": { - "value": "[variables('rgName')]" - }, - "configIds": { - "value": "[variables('configIds')]" - }, - "connectivitySubscriptionId": { - "value": "[parameters('connectivitySubscriptionId')]" } }, "template": { @@ -103,18 +91,6 @@ }, "managementGroupScope": { "type": "string" - }, - "userAssignedIdentityId": { - "type": "string" - }, - "rgName": { - "type": "string" - }, - "configIds": { - "type": "string" - }, - "connectivitySubscriptionId": { - "type": "string" } }, "resources": [ @@ -330,16 +306,13 @@ "resourceGroup": "[variables('rgName')]", "properties": { "expressionEvaluationOptions": { - "scope": "inner" + "scope": "inner" }, "mode": "Incremental", "parameters": { - "location": { - "value": "[parameters('location')]" - }, - "eslzRootName": { - "value": "[parameters('topLevelManagementGroupPrefix')]" - } + "location": { + "value": "[parameters('location')]" + } }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", 
@@ -347,21 +320,18 @@ "parameters": { "location": { "type": "string" - }, - "eslzRootName": { - "type": "string" } }, "variables": {}, "resources": [ { - "type": "Microsoft.ManagedIdentity/userAssignedIdentities", - "apiVersion": "2022-01-31-preview", - "name": "[format('uai-avnm-{0}', parameters('location'))]", - "location": "[parameters('location')]", - "metadata": { - "description": "This user assigned identity is used by the Deployment Script resource to interact with Azure resources." - } + "type": "Microsoft.ManagedIdentity/userAssignedIdentities", + "apiVersion": "2022-01-31-preview", + "name": "[format('uai-avnm-{0}', parameters('location'))]", + "location": "[parameters('location')]", + "metadata": { + "description": "This user assigned identity is used by the Deployment Script resource to interact with Azure resources." + } }, { "type": "Microsoft.Authorization/roleAssignments", From 6faf58c946bfb022f5bce12fc7fef355be63323c Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Fri, 29 Nov 2024 22:18:48 +0400 Subject: [PATCH 130/226] . --- eslzArm/prerequisites/deployPrerequisites.json | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/eslzArm/prerequisites/deployPrerequisites.json b/eslzArm/prerequisites/deployPrerequisites.json index 7b4083ff15..a0638d4a47 100644 --- a/eslzArm/prerequisites/deployPrerequisites.json +++ b/eslzArm/prerequisites/deployPrerequisites.json @@ -153,6 +153,9 @@ $eslzRootName ) + #One initial call to register the provider for good measure + Invoke-AzRestMethod -Method POST -Uri \"https://management.azure.com/providers/Microsoft.Management/managementGroups/$eslzRootName/providers/Microsoft.Network/register?api-version=2021-04-01\" + #Sleep for XX minutes to wait for Management Groups to load to cache before assignments Start-Sleep -Duration (New-TimeSpan -Minutes 10) 
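Review bot: The `Microsoft.ManagedIdentity/userAssignedIdentities` resource re-indented in this hunk still declares the preview `"apiVersion": "2022-01-31-preview"`; a stable version such as `"2023-01-31"` avoids carrying a preview API in a production landing-zone template, and any `reference()` call that reads the identity's `principalId` must be moved to the same version at the same time. The rest of the inner template, including the role assignment that starts on the last line of the hunk, is outside this hunk.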
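Review bot: The response of the added initial `Invoke-AzRestMethod` registration call is discarded, so a 4xx from the management-group scope (for example the identity lacking rights on `$eslzRootName`) is not visible until the retry loop runs ten minutes later; capture and log it, e.g. `$first = Invoke-AzRestMethod -Method POST -Uri ...` followed by `Write-Output ('Initial MG RP register: {0}' -f $first.StatusCode)`. The comment `#One initial call to register the provider for good measure` does not say why a second registration pass follows; stating the reason the script already gives for the sleep (the management group has not yet loaded into the cache, and the call is idempotent) would help the next maintainer. The script body continues outside the hunk.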
@@ -163,7 +166,7 @@ $result = Invoke-AzRestMethod -Method POST -Uri \"https://management.azure.com/providers/Microsoft.Management/managementGroups/$eslzRootName/providers/Microsoft.Network/register?api-version=2021-04-01\" $count++ Start-Sleep -Seconds 30 - Write-Output 'Status Code: ' $result.StatusCode ' Count: ' $count + #Write-Output 'Status Code: ' $result.StatusCode ' Count: ' $count } while ($result.StatusCode -ne 200 -and $count -lt 10) " }, From b6f811855b1cc623414bf74a7fcf9137b27b4d68 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Fri, 29 Nov 2024 22:49:49 +0400 Subject: [PATCH 131/226] . --- docs/wiki/Whats-new.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/wiki/Whats-new.md b/docs/wiki/Whats-new.md index 849ddbf041..e2727ae3c1 100644 --- a/docs/wiki/Whats-new.md +++ b/docs/wiki/Whats-new.md 
@@ -53,8 +53,8 @@ Here's what's changed in Enterprise Scale/Azure Landing Zones: ### 🔃 Policy Refresh Q2 FY25 - [PREVIEW] Added ability to deploy Virtual Network Manager through the portal accelerator with support for Security Admin feature, including default rules blocking high-risk ports [read more](https://learn.microsoft.com/en-us/azure/virtual-network-manager/concept-security-admins). -- [Important] To support the configuration of AVNM, we've had to included a deployment script to configure the Microsoft.Network resource provider on the intermediate root management group. This deployment script and required User-Assigned Identity are created in a resource group in the Management subscription. - - Additionally, due to performance improvements of ARM, we've also had to change the "wait" process in the portal accelerator. We are now using the same deployment script with a "Start-Sleep" PowerShell command which is far more reliable. + - [Important] To support the configuration of AVNM, we've had to included a deployment script to configure the Microsoft.Network resource provider on the intermediate root management group. This deployment script and required User-Assigned Identity are created in a resource group in the Management subscription. Please remove the user assigned identity in the resource group hosting the AVNM instance. + - Additionally, due to performance improvements of ARM, we've also had to change the "wait" process in the portal accelerator. We are now using the same deployment script with a "Start-Sleep" PowerShell command which is far more reliable. In the management subscription, you will find a resource group `rg-alz-prereqs` that you should remove (with contents). - *Policy Versioning Support* - all initiatives and assignments have been pinned to the current major version of built-in policies or initiatives deployed by ALZ. 
This ensures that all ALZ deployments will successfully deploy using the currently validated versions of ALZ built-in policies and initiatives. As these get updated the team will validate changes and impact before incrementing the recommended version. - Fixed a Portal Accelerator bug that results in failed deployment when choosing not to deploy policies to the Identity management group. - Updated the display name of the many `Effect` parameters to clearly identify the policy it applies to in the initiative [Enforce recommended guardrails for Azure Key Vault](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-KeyVault.html). From 732837b1b88bbb03c74e885d472cc52b0a00940a Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Fri, 6 Dec 2024 10:29:54 +0100 Subject: [PATCH 132/226] Registering resource providers --- eslzArm/prerequisites/deployPrerequisites.json | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/eslzArm/prerequisites/deployPrerequisites.json b/eslzArm/prerequisites/deployPrerequisites.json index a0638d4a47..a74cc7705b 100644 --- a/eslzArm/prerequisites/deployPrerequisites.json +++ b/eslzArm/prerequisites/deployPrerequisites.json 
@@ -156,6 +156,14 @@ #One initial call to register the provider for good measure Invoke-AzRestMethod -Method POST -Uri \"https://management.azure.com/providers/Microsoft.Management/managementGroups/$eslzRootName/providers/Microsoft.Network/register?api-version=2021-04-01\" + #Register resource providers + $subs = Search-AzGraph -Query \"ResourceContainers | where type =~ 'microsoft.resources/subscriptions'\" -ManagementGroup $eslzRootName + + foreach ($sub in $subs) { + Select-AzureRmSubscription -Subscription $sub.SubscriptionName + Get-AzureRmResourceProvider -ListAvailable | where {$_.RegistrationState -eq \"NotRegistered\"} | Register-AzureRmResourceProvider + } + #Sleep for XX minutes to wait for Management Groups to load to cache before assignments Start-Sleep -Duration (New-TimeSpan -Minutes 10) From 23188fbc4973548963cdd2fafef8ed53a559d63d Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Fri, 6 Dec 2024 10:40:09 +0100 Subject: [PATCH 133/226] . --- eslzArm/prerequisites/deployPrerequisites.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/eslzArm/prerequisites/deployPrerequisites.json b/eslzArm/prerequisites/deployPrerequisites.json index a74cc7705b..303298373a 100644 --- a/eslzArm/prerequisites/deployPrerequisites.json +++ b/eslzArm/prerequisites/deployPrerequisites.json @@ -160,8 +160,8 @@ $subs = Search-AzGraph -Query \"ResourceContainers | where type =~ 'microsoft.resources/subscriptions'\" -ManagementGroup $eslzRootName foreach ($sub in $subs) { - Select-AzureRmSubscription -Subscription $sub.SubscriptionName - Get-AzureRmResourceProvider -ListAvailable | where {$_.RegistrationState -eq \"NotRegistered\"} | Register-AzureRmResourceProvider + Select-AzSubscription -Subscription $sub.SubscriptionName + Get-AzResourceProvider -ListAvailable | where {$_.RegistrationState -eq \"NotRegistered\"} | Register-AzResourceProvider } #Sleep for XX minutes to wait for Management Groups to load to cache before assignments 
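Review bot: `Search-AzGraph` returns only its first page of results by default (100 rows unless `-First` is given, capped at 1000), so in a tenant with more subscriptions under `$eslzRootName` the `foreach` silently skips the rest; page through the query with `-First 1000` and `-SkipToken` until no `SkipToken` is returned before iterating. Unless `$ErrorActionPreference` is set to Stop elsewhere in the script, a failing `Select-AzureRmSubscription` (disabled subscription, or one the identity cannot read) emits a non-terminating error and the next line then registers providers in the previously selected context, so wrap each iteration in `try { Select-... -ErrorAction Stop; ... } catch { Write-Output ("Skipping {0}: {1}" -f $sub.id, $_); continue }`. The AzureRm cmdlets are replaced with Az ones in the following commit, so that part needs no change; the later hunks in 9201629b and 48f61129 keep the same paging and error-handling gap.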
From 9201629b8e1e9b229a02736c11fbc930a2600279 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Fri, 6 Dec 2024 11:05:10 +0100 Subject: [PATCH 134/226] . --- eslzArm/prerequisites/deployPrerequisites.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/eslzArm/prerequisites/deployPrerequisites.json b/eslzArm/prerequisites/deployPrerequisites.json index 303298373a..1fa1b207d4 100644 --- a/eslzArm/prerequisites/deployPrerequisites.json +++ b/eslzArm/prerequisites/deployPrerequisites.json @@ -160,7 +160,7 @@ $subs = Search-AzGraph -Query \"ResourceContainers | where type =~ 'microsoft.resources/subscriptions'\" -ManagementGroup $eslzRootName foreach ($sub in $subs) { - Select-AzSubscription -Subscription $sub.SubscriptionName + Select-AzSubscription -SubscriptionId $sub.id Get-AzResourceProvider -ListAvailable | where {$_.RegistrationState -eq \"NotRegistered\"} | Register-AzResourceProvider } From 3f36e8ac5f15ac522046ae438f379c98a65a6d60 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Fri, 6 Dec 2024 11:10:18 +0100 Subject: [PATCH 135/226] . --- eslzArm/prerequisites/deployPrerequisites.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/eslzArm/prerequisites/deployPrerequisites.json b/eslzArm/prerequisites/deployPrerequisites.json index 1fa1b207d4..3f3f5050fa 100644 --- a/eslzArm/prerequisites/deployPrerequisites.json +++ b/eslzArm/prerequisites/deployPrerequisites.json @@ -156,7 +156,7 @@ #One initial call to register the provider for good measure Invoke-AzRestMethod -Method POST -Uri \"https://management.azure.com/providers/Microsoft.Management/managementGroups/$eslzRootName/providers/Microsoft.Network/register?api-version=2021-04-01\" - #Register resource providers + #Register all resource providers $subs = Search-AzGraph -Query \"ResourceContainers | where type =~ 'microsoft.resources/subscriptions'\" -ManagementGroup $eslzRootName foreach ($sub in $subs) { 
From 48f61129762070e1a6a9594b912598e0b1465b32 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Sun, 8 Dec 2024 13:31:42 +0400 Subject: [PATCH 136/226] . --- eslzArm/prerequisites/deployPrerequisites.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/eslzArm/prerequisites/deployPrerequisites.json b/eslzArm/prerequisites/deployPrerequisites.json index 3f3f5050fa..3a6ea1afc7 100644 --- a/eslzArm/prerequisites/deployPrerequisites.json +++ b/eslzArm/prerequisites/deployPrerequisites.json @@ -158,10 +158,11 @@ #Register all resource providers $subs = Search-AzGraph -Query \"ResourceContainers | where type =~ 'microsoft.resources/subscriptions'\" -ManagementGroup $eslzRootName + $rps = @('Microsoft.Insights','Microsoft.AlertsManagement','Microsoft.OperationalInsights','Microsoft.OperationsManagement','Microsoft.Automation','Microsoft.AlertsManagement','Microsoft.Security','Microsoft.Network','Microsoft.EventGrid','Microsoft.ManagedIdentity','Microsoft.GuestConfiguration','Microsoft.Advisor','Microsoft.PolicyInsights') foreach ($sub in $subs) { Select-AzSubscription -SubscriptionId $sub.id - Get-AzResourceProvider -ListAvailable | where {$_.RegistrationState -eq \"NotRegistered\"} | Register-AzResourceProvider + Get-AzResourceProvider -ProviderNamespace $rps | where {$_.RegistrationState -eq \"NotRegistered\"} | Register-AzResourceProvider } #Sleep for XX minutes to wait for Management Groups to load to cache before assignments From eae349d3503df2542de2a79ce49ea20bb2ace6ca Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Sun, 8 Dec 2024 14:00:29 +0400 Subject: [PATCH 137/226] . --- eslzArm/prerequisites/deployPrerequisites.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/eslzArm/prerequisites/deployPrerequisites.json b/eslzArm/prerequisites/deployPrerequisites.json index 3a6ea1afc7..4c97b6b2b8 100644 --- a/eslzArm/prerequisites/deployPrerequisites.json +++ b/eslzArm/prerequisites/deployPrerequisites.json 
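Review bot: `$rps` lists `Microsoft.AlertsManagement` twice, so every subscription gets a redundant register call for it; remove the duplicate or dedupe the array (`$rps = $rps | Select-Object -Unique`). Because this is a tenant-wide write performed with the deployment-script identity, a comment naming which landing-zone feature needs each namespace would let a reviewer confirm the set stays minimal. The query feeding `$subs` still returns only its first result page, so the registration covers at most the first 100 subscriptions.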
@@ -175,7 +175,7 @@ $result = Invoke-AzRestMethod -Method POST -Uri \"https://management.azure.com/providers/Microsoft.Management/managementGroups/$eslzRootName/providers/Microsoft.Network/register?api-version=2021-04-01\" $count++ Start-Sleep -Seconds 30 - #Write-Output 'Status Code: ' $result.StatusCode ' Count: ' $count + Write-Output 'MG RP Register - Status Code: ' $result.StatusCode ' Count: ' $count } while ($result.StatusCode -ne 200 -and $count -lt 10) " }, From c6e89e017c695f09645c367973f63570ed6e2709 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Sun, 8 Dec 2024 15:41:25 +0400 Subject: [PATCH 138/226] . --- eslzArm/prerequisites/deployPrerequisites.json | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/eslzArm/prerequisites/deployPrerequisites.json b/eslzArm/prerequisites/deployPrerequisites.json index 4c97b6b2b8..245099cea0 100644 --- a/eslzArm/prerequisites/deployPrerequisites.json +++ b/eslzArm/prerequisites/deployPrerequisites.json @@ -142,7 +142,7 @@ } }, "properties": { - "azPowerShellVersion": "12.3", + "azPowerShellVersion": "13.0", "retentionInterval": "PT1H", "timeout": "PT1H", "arguments": "[format('-eslzRootName \"{0}\"', parameters('eslzRootName'))]", @@ -153,7 +153,7 @@ $eslzRootName ) - #One initial call to register the provider for good measure + #API call to register the Microsoft.Network provider against intermediate resource group for AVNM Invoke-AzRestMethod -Method POST -Uri \"https://management.azure.com/providers/Microsoft.Management/managementGroups/$eslzRootName/providers/Microsoft.Network/register?api-version=2021-04-01\" #Register all resource providers @@ -166,7 +166,7 @@ } #Sleep for XX minutes to wait for Management Groups to load to cache before assignments - Start-Sleep -Duration (New-TimeSpan -Minutes 10) + Start-Sleep -Duration (New-TimeSpan -Minutes 20) $result = \"\" $count = 0 
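Review bot: The rewritten comment `#API call to register the Microsoft.Network provider against intermediate resource group for AVNM` names the wrong scope — the URI below it registers the provider on the management group `$eslzRootName`; suggest `#Register the Microsoft.Network resource provider on the intermediate root management group (required by AVNM)`. The same commit raises the fixed wait to 20 minutes while the comment above it still reads `#Sleep for XX minutes to wait for Management Groups to load to cache before assignments`; replace `XX` with the actual value or drop the number so the comment cannot drift from the `New-TimeSpan -Minutes` argument.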
@@ -174,7 +174,7 @@
 do {
 $result = Invoke-AzRestMethod -Method POST -Uri \"https://management.azure.com/providers/Microsoft.Management/managementGroups/$eslzRootName/providers/Microsoft.Network/register?api-version=2021-04-01\"
 $count++
- Start-Sleep -Seconds 30
+ Start-Sleep -Seconds 10
 Write-Output 'MG RP Register - Status Code: ' $result.StatusCode ' Count: ' $count
 } while ($result.StatusCode -ne 200 -and $count -lt 10)
 "
From 007be8a6e8bfe188a3e7397513eca899902912d8 Mon Sep 17 00:00:00 2001
From: Sacha Narinx
Date: Sun, 8 Dec 2024 15:49:43 +0400
Subject: [PATCH 139/226] .
---
 eslzArm/prerequisites/deployPrerequisites.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/eslzArm/prerequisites/deployPrerequisites.json b/eslzArm/prerequisites/deployPrerequisites.json
index 245099cea0..9e6bb61bc0 100644
--- a/eslzArm/prerequisites/deployPrerequisites.json
+++ b/eslzArm/prerequisites/deployPrerequisites.json
@@ -142,7 +142,7 @@
 }
 },
 "properties": {
- "azPowerShellVersion": "13.0",
+ "azPowerShellVersion": "12.3",
 "retentionInterval": "PT1H",
 "timeout": "PT1H",
 "arguments": "[format('-eslzRootName \"{0}\"', parameters('eslzRootName'))]",
@@ -174,7 +174,7 @@
 do {
 $result = Invoke-AzRestMethod -Method POST -Uri \"https://management.azure.com/providers/Microsoft.Management/managementGroups/$eslzRootName/providers/Microsoft.Network/register?api-version=2021-04-01\"
 $count++
- Start-Sleep -Seconds 10
+ Start-Sleep -Seconds 300
 Write-Output 'MG RP Register - Status Code: ' $result.StatusCode ' Count: ' $count
 } while ($result.StatusCode -ne 200 -and $count -lt 10)
 "
From 9a8bbc120e20c225552441ad661cb503c562e811 Mon Sep 17 00:00:00 2001
From: Sacha Narinx
Date: Sun, 8 Dec 2024 17:03:17 +0400
Subject: [PATCH 140/226] .
---
 eslzArm/prerequisites/deployPrerequisites.json | 4 ++--
 eslzArm/subscriptionTemplates/avnmConfiguration.json | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/eslzArm/prerequisites/deployPrerequisites.json b/eslzArm/prerequisites/deployPrerequisites.json index 9e6bb61bc0..fb181bda8e 100644 --- a/eslzArm/prerequisites/deployPrerequisites.json +++ b/eslzArm/prerequisites/deployPrerequisites.json @@ -143,8 +143,8 @@ }, "properties": { "azPowerShellVersion": "12.3", - "retentionInterval": "PT1H", - "timeout": "PT1H", + "retentionInterval": "PT2H", + "timeout": "PT2H", "arguments": "[format('-eslzRootName \"{0}\"', parameters('eslzRootName'))]", "scriptContent": " param( diff --git a/eslzArm/subscriptionTemplates/avnmConfiguration.json b/eslzArm/subscriptionTemplates/avnmConfiguration.json index eb24c60bc1..b0224a014c 100644 --- a/eslzArm/subscriptionTemplates/avnmConfiguration.json +++ b/eslzArm/subscriptionTemplates/avnmConfiguration.json @@ -49,7 +49,7 @@ } }, "variables": { - "rgName": "[concat(parameters('topLevelManagementGroupPrefix'), '-avnm')]", + "rgName": "rg-alz-avnm", "resourceDeploymentName": "[take(concat(deployment().name, '-avnm', parameters('location')), 64)]", "configIds": "[resourceId(parameters('connectivitySubscriptionId'), variables('rgName'), 'Microsoft.Network/networkManagers/securityAdminConfigurations', 'avnm', format('sac-{0}', parameters('location')))]" }, From 2f5f0160f185b270dfc564e7d16e8e365ba6c473 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Sun, 8 Dec 2024 17:04:55 +0400 Subject: [PATCH 141/226] . --- eslzArm/prerequisites/deployPrerequisites.json | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/eslzArm/prerequisites/deployPrerequisites.json b/eslzArm/prerequisites/deployPrerequisites.json index fb181bda8e..1e426a5838 100644 --- a/eslzArm/prerequisites/deployPrerequisites.json +++ b/eslzArm/prerequisites/deployPrerequisites.json 
@@ -156,15 +156,6 @@ #API call to register the Microsoft.Network provider against intermediate resource group for AVNM Invoke-AzRestMethod -Method POST -Uri \"https://management.azure.com/providers/Microsoft.Management/managementGroups/$eslzRootName/providers/Microsoft.Network/register?api-version=2021-04-01\" - #Register all resource providers - $subs = Search-AzGraph -Query \"ResourceContainers | where type =~ 'microsoft.resources/subscriptions'\" -ManagementGroup $eslzRootName - $rps = @('Microsoft.Insights','Microsoft.AlertsManagement','Microsoft.OperationalInsights','Microsoft.OperationsManagement','Microsoft.Automation','Microsoft.AlertsManagement','Microsoft.Security','Microsoft.Network','Microsoft.EventGrid','Microsoft.ManagedIdentity','Microsoft.GuestConfiguration','Microsoft.Advisor','Microsoft.PolicyInsights') - - foreach ($sub in $subs) { - Select-AzSubscription -SubscriptionId $sub.id - Get-AzResourceProvider -ProviderNamespace $rps | where {$_.RegistrationState -eq \"NotRegistered\"} | Register-AzResourceProvider - } - #Sleep for XX minutes to wait for Management Groups to load to cache before assignments Start-Sleep -Duration (New-TimeSpan -Minutes 20) 
@@ -177,6 +168,15 @@ Start-Sleep -Seconds 300 Write-Output 'MG RP Register - Status Code: ' $result.StatusCode ' Count: ' $count } while ($result.StatusCode -ne 200 -and $count -lt 10) + + #Register all resource providers + $subs = Search-AzGraph -Query \"ResourceContainers | where type =~ 'microsoft.resources/subscriptions'\" -ManagementGroup $eslzRootName + $rps = @('Microsoft.Insights','Microsoft.AlertsManagement','Microsoft.OperationalInsights','Microsoft.OperationsManagement','Microsoft.Automation','Microsoft.AlertsManagement','Microsoft.Security','Microsoft.Network','Microsoft.EventGrid','Microsoft.ManagedIdentity','Microsoft.GuestConfiguration','Microsoft.Advisor','Microsoft.PolicyInsights') + + foreach ($sub in $subs) { + Select-AzSubscription -SubscriptionId $sub.id + Get-AzResourceProvider -ProviderNamespace $rps | where {$_.RegistrationState -eq \"NotRegistered\"} | Register-AzResourceProvider + } " }, "metadata": { From f77ecff9cc60b3992599ca2512ae36e414512679 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Mon, 9 Dec 2024 08:37:43 +0400 Subject: [PATCH 142/226] . --- eslzArm/prerequisites/deployPrerequisites.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/eslzArm/prerequisites/deployPrerequisites.json b/eslzArm/prerequisites/deployPrerequisites.json index 1e426a5838..c18379b441 100644 --- a/eslzArm/prerequisites/deployPrerequisites.json +++ b/eslzArm/prerequisites/deployPrerequisites.json @@ -143,7 +143,7 @@ }, "properties": { "azPowerShellVersion": "12.3", - "retentionInterval": "PT2H", + "retentionInterval": "PT1H", "timeout": "PT2H", "arguments": "[format('-eslzRootName \"{0}\"', parameters('eslzRootName'))]", "scriptContent": " From 060b25d2d761c306c09e37a6a4c31ca402358998 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Mon, 9 Dec 2024 08:38:09 +0400 Subject: [PATCH 143/226] . --- eslzArm/prerequisites/deployPrerequisites.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/eslzArm/prerequisites/deployPrerequisites.json b/eslzArm/prerequisites/deployPrerequisites.json index c18379b441..277c250d4c 100644 --- a/eslzArm/prerequisites/deployPrerequisites.json +++ b/eslzArm/prerequisites/deployPrerequisites.json @@ -165,7 +165,7 @@ do { $result = Invoke-AzRestMethod -Method POST -Uri \"https://management.azure.com/providers/Microsoft.Management/managementGroups/$eslzRootName/providers/Microsoft.Network/register?api-version=2021-04-01\" $count++ - Start-Sleep -Seconds 300 + Start-Sleep -Seconds 30 Write-Output 'MG RP Register - Status Code: ' $result.StatusCode ' Count: ' $count } while ($result.StatusCode -ne 200 -and $count -lt 10) From 33f0dae323675af35ccc791f9e6a9b019b0167a9 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Mon, 9 Dec 2024 09:37:18 +0400 Subject: [PATCH 144/226] . --- eslzArm/prerequisites/deployPrerequisites.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/eslzArm/prerequisites/deployPrerequisites.json b/eslzArm/prerequisites/deployPrerequisites.json index 277c250d4c..69c75eff6c 100644 --- a/eslzArm/prerequisites/deployPrerequisites.json +++ b/eslzArm/prerequisites/deployPrerequisites.json @@ -175,7 +175,7 @@ foreach ($sub in $subs) { Select-AzSubscription -SubscriptionId $sub.id - Get-AzResourceProvider -ProviderNamespace $rps | where {$_.RegistrationState -eq \"NotRegistered\"} | Register-AzResourceProvider + Get-AzResourceProvider -ProviderNamespace $rps | Register-AzResourceProvider } " }, From c49661cbac050871d0cc7776a3737045fb4615e6 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Mon, 9 Dec 2024 10:26:21 +0400 Subject: [PATCH 145/226] . --- eslzArm/prerequisites/deployPrerequisites.json | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/eslzArm/prerequisites/deployPrerequisites.json b/eslzArm/prerequisites/deployPrerequisites.json index 69c75eff6c..59abac77f8 100644 --- a/eslzArm/prerequisites/deployPrerequisites.json 
+++ b/eslzArm/prerequisites/deployPrerequisites.json @@ -166,7 +166,7 @@ $result = Invoke-AzRestMethod -Method POST -Uri \"https://management.azure.com/providers/Microsoft.Management/managementGroups/$eslzRootName/providers/Microsoft.Network/register?api-version=2021-04-01\" $count++ Start-Sleep -Seconds 30 - Write-Output 'MG RP Register - Status Code: ' $result.StatusCode ' Count: ' $count + Write-Host 'MG RP Register - Status Code: ' $result.StatusCode ' Count: ' $count } while ($result.StatusCode -ne 200 -and $count -lt 10) #Register all resource providers @@ -175,7 +175,8 @@ foreach ($sub in $subs) { Select-AzSubscription -SubscriptionId $sub.id - Get-AzResourceProvider -ProviderNamespace $rps | Register-AzResourceProvider + Write-Host 'Registering resource providers for subscription: ' $sub.id + Get-AzResourceProvider -ProviderNamespace $rps | where {$_.RegistrationState -ne \"Registered\"} | Register-AzResourceProvider } " }, From b81f3f130c8e932153a8722b88897003365678f8 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Mon, 9 Dec 2024 11:37:55 +0400 Subject: [PATCH 146/226] . --- eslzArm/prerequisites/deployPrerequisites.json | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/eslzArm/prerequisites/deployPrerequisites.json b/eslzArm/prerequisites/deployPrerequisites.json index 59abac77f8..c210efa9f7 100644 --- a/eslzArm/prerequisites/deployPrerequisites.json +++ b/eslzArm/prerequisites/deployPrerequisites.json @@ -51,6 +51,9 @@ "parameters": { "location": { "type": "string" + }, + "eslzRootName": { + "type": "string" } }, "variables": {}, 
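Review bot: `Get-AzResourceProvider -ProviderNamespace $rps` appears to emit one object per resource type, so piping it into `Register-AzResourceProvider` issues a register call per resource type instead of one per namespace; if that is what you observe in the logs, `| Select-Object -ExpandProperty ProviderNamespace -Unique | ForEach-Object { Register-AzResourceProvider -ProviderNamespace $_ }` after the state filter keeps one call per namespace — confirm against the cmdlet's output first. The new `-ne \"Registered\"` filter also selects providers already in the `Registering` state, which should be harmless but adds noise; logging the namespaces selected alongside the added `Write-Host 'Registering resource providers for subscription: '` line would make the per-subscription output auditable.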
@@ -69,7 +72,7 @@ "apiVersion": "2022-04-01", "name": "[guid(resourceGroup().id, format('uai-prereq-{0}', parameters('location')))]", "properties": { - "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "roleDefinitionId": "[managementGroupResourceId(parameters('eslzRootName'), 'Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-prereq-{0}', parameters('location'))), '2022-01-31-preview').principalId]", "principalType": "ServicePrincipal" }, @@ -154,7 +157,7 @@ ) #API call to register the Microsoft.Network provider against intermediate resource group for AVNM - Invoke-AzRestMethod -Method POST -Uri \"https://management.azure.com/providers/Microsoft.Management/managementGroups/$eslzRootName/providers/Microsoft.Network/register?api-version=2021-04-01\" + #Invoke-AzRestMethod -Method POST -Uri \"https://management.azure.com/providers/Microsoft.Management/managementGroups/$eslzRootName/providers/Microsoft.Network/register?api-version=2021-04-01\" #Sleep for XX minutes to wait for Management Groups to load to cache before assignments Start-Sleep -Duration (New-TimeSpan -Minutes 20) From 899c1e7d733d89060f29663130726fd6dfadc86b Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Mon, 9 Dec 2024 11:43:04 +0400 Subject: [PATCH 147/226] . --- eslzArm/prerequisites/deployPrerequisites.json | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/eslzArm/prerequisites/deployPrerequisites.json b/eslzArm/prerequisites/deployPrerequisites.json index c210efa9f7..88d450a225 100644 --- a/eslzArm/prerequisites/deployPrerequisites.json +++ b/eslzArm/prerequisites/deployPrerequisites.json @@ -43,6 +43,9 @@ "parameters": { "location": { "value": "[parameters('location')]" + }, + "eslzRootName": { + "value": "[parameters('eslzRootName')]" } }, "template": { 
@@ -157,10 +160,10 @@ ) #API call to register the Microsoft.Network provider against intermediate resource group for AVNM - #Invoke-AzRestMethod -Method POST -Uri \"https://management.azure.com/providers/Microsoft.Management/managementGroups/$eslzRootName/providers/Microsoft.Network/register?api-version=2021-04-01\" + Invoke-AzRestMethod -Method POST -Uri \"https://management.azure.com/providers/Microsoft.Management/managementGroups/$eslzRootName/providers/Microsoft.Network/register?api-version=2021-04-01\" #Sleep for XX minutes to wait for Management Groups to load to cache before assignments - Start-Sleep -Duration (New-TimeSpan -Minutes 20) + Start-Sleep -Duration (New-TimeSpan -Minutes 10) $result = \"\" $count = 0 From b6986cac70bdbd3094a26d75494720fab9163b92 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Mon, 9 Dec 2024 12:26:41 +0400 Subject: [PATCH 148/226] . --- eslzArm/prerequisites/deployPrerequisites.json | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/eslzArm/prerequisites/deployPrerequisites.json b/eslzArm/prerequisites/deployPrerequisites.json index 88d450a225..923e8d34d7 100644 --- a/eslzArm/prerequisites/deployPrerequisites.json +++ b/eslzArm/prerequisites/deployPrerequisites.json 
@@ -75,9 +75,10 @@ "apiVersion": "2022-04-01", "name": "[guid(resourceGroup().id, format('uai-prereq-{0}', parameters('location')))]", "properties": { - "roleDefinitionId": "[managementGroupResourceId(parameters('eslzRootName'), 'Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-prereq-{0}', parameters('location'))), '2022-01-31-preview').principalId]", - "principalType": "ServicePrincipal" + "principalType": "ServicePrincipal", + "scope": "[resourceId('Microsoft.Management/managementGroups', parameters('eslzRootName'))]" }, "dependsOn": [ "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-prereq-{0}', parameters('location')))]" From 6237af3e7a97e0c276bbc89ac9fa898879797479 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Mon, 9 Dec 2024 12:32:46 +0400 Subject: [PATCH 149/226] . --- eslzArm/prerequisites/deployPrerequisites.json | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/eslzArm/prerequisites/deployPrerequisites.json b/eslzArm/prerequisites/deployPrerequisites.json index 923e8d34d7..61435ea803 100644 --- a/eslzArm/prerequisites/deployPrerequisites.json +++ b/eslzArm/prerequisites/deployPrerequisites.json 
@@ -77,8 +77,7 @@
 "properties": {
 "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]",
 "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-prereq-{0}', parameters('location'))), '2022-01-31-preview').principalId]",
- "principalType": "ServicePrincipal",
- "scope": "[resourceId('Microsoft.Management/managementGroups', parameters('eslzRootName'))]"
+ "principalType": "ServicePrincipal"
 },
 "dependsOn": [
 "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-prereq-{0}', parameters('location')))]"
From e3a4d7170274c52ad9c713f5616df09b4049ac06 Mon Sep 17 00:00:00 2001
From: Sacha Narinx
Date: Mon, 9 Dec 2024 14:08:06 +0400
Subject: [PATCH 150/226] .
---
 eslzArm/prerequisites/deployPrerequisites.json | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/eslzArm/prerequisites/deployPrerequisites.json b/eslzArm/prerequisites/deployPrerequisites.json
index 61435ea803..3e2c53663b 100644
--- a/eslzArm/prerequisites/deployPrerequisites.json
+++ b/eslzArm/prerequisites/deployPrerequisites.json
@@ -85,6 +85,23 @@
 "metadata": {
 "description": "This role assignment grants the user assigned identity the Contributor role on the resource group."
 }
+ },
+ {
+ "type": "Microsoft.Authorization/roleAssignments",
+ "apiVersion": "2022-04-01",
+ "name": "[guid(resourceGroup().id, format('uai-prereq-{0}-mg', parameters('location')))]",
+ "scope": "[format('/providers/Microsoft.Management/managementGroups/{0}', parameters('eslzRootName'))]",
+ "properties": {
+ "roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
+ "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-prereq-{0}', parameters('location'))), '2022-01-31-preview').principalId]",
+ "principalType": "ServicePrincipal"
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-prereq-{0}', parameters('location')))]"
+ ],
+ "metadata": {
+ "description": "This role assignment grants the user assigned identity the Contributor role on the resource group."
+ }
 }
 ],
 "outputs": {
From 5b3de38ba3f5a0651261572b2462c1bece82dfac Mon Sep 17 00:00:00 2001
From: Sacha Narinx
Date: Mon, 9 Dec 2024 14:48:13 +0400
Subject: [PATCH 151/226] .
---
 eslzArm/prerequisites/deployPrerequisites.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/eslzArm/prerequisites/deployPrerequisites.json b/eslzArm/prerequisites/deployPrerequisites.json
index 3e2c53663b..cef1f2f3db 100644
--- a/eslzArm/prerequisites/deployPrerequisites.json
+++ b/eslzArm/prerequisites/deployPrerequisites.json
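Review bot: The new role assignment sets `scope` to the `eslzRootName` management group from inside a template that is deployed at resource-group scope (its sibling resources use `resourceGroup().id` and `resourceId(...)`); an extension resource's `scope` can only target the deployment's own scope or something beneath it, so I'd expect this resource to be rejected at validation rather than produce the assignment — it needs a deployment that itself runs at the management group. Separately, `b24988ac-…` is Contributor, and granting it at the root management group to the deployment-script identity is much broader than provider registration requires; a custom role limited to `*/register/action` at that scope, removed once the script has run, is the least-privilege form. The copied `metadata.description` still says "on the resource group", which is wrong for this resource; `"description": "Grants the user assigned identity Contributor at the root management group so the deployment script can register resource providers."` would match the declared scope.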
@@ -92,7 +92,7 @@
 "name": "[guid(resourceGroup().id, format('uai-prereq-{0}-mg', parameters('location')))]",
 "scope": "[format('/providers/Microsoft.Management/managementGroups/{0}', parameters('eslzRootName'))]",
 "properties": {
- "roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
+ "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]",
 "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-prereq-{0}', parameters('location'))), '2022-01-31-preview').principalId]",
 "principalType": "ServicePrincipal"
 },
From e6f522c9bac1660653ab9a2edf4599d99cd4469b Mon Sep 17 00:00:00 2001
From: Sacha Narinx
Date: Mon, 9 Dec 2024 15:21:21 +0400
Subject: [PATCH 152/226] .
---
 eslzArm/prerequisites/deployPrerequisites.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/eslzArm/prerequisites/deployPrerequisites.json b/eslzArm/prerequisites/deployPrerequisites.json
index cef1f2f3db..b44d646a15 100644
--- a/eslzArm/prerequisites/deployPrerequisites.json
+++ b/eslzArm/prerequisites/deployPrerequisites.json
@@ -92,7 +92,7 @@
 "name": "[guid(resourceGroup().id, format('uai-prereq-{0}-mg', parameters('location')))]",
 "scope": "[format('/providers/Microsoft.Management/managementGroups/{0}', parameters('eslzRootName'))]",
 "properties": {
- "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]",
+ "roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
 "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-prereq-{0}', parameters('location'))), '2022-01-31-preview').principalId]",
 "principalType": "ServicePrincipal"
 },
@@ -100,7 +100,7 @@
 "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-prereq-{0}', parameters('location')))]"
 ],
 "metadata": {
- "description": "This role assignment grants the user assigned identity the Contributor role on the resource group."
+ "description": "This role assignment grants the user assigned identity the Contributor role."
 }
 }
 ],
From fad86460f8a37ab0d1b3bc82603d0d08fc5c922b Mon Sep 17 00:00:00 2001
From: Sacha Narinx
Date: Mon, 9 Dec 2024 15:24:32 +0400
Subject: [PATCH 153/226] .
---
 eslzArm/prerequisites/deployPrerequisites.json | 1 -
 1 file changed, 1 deletion(-)
diff --git a/eslzArm/prerequisites/deployPrerequisites.json b/eslzArm/prerequisites/deployPrerequisites.json
index b44d646a15..1ec7fe4c9d 100644
--- a/eslzArm/prerequisites/deployPrerequisites.json
+++ b/eslzArm/prerequisites/deployPrerequisites.json
@@ -90,7 +90,6 @@
 "type": "Microsoft.Authorization/roleAssignments",
 "apiVersion": "2022-04-01",
 "name": "[guid(resourceGroup().id, format('uai-prereq-{0}-mg', parameters('location')))]",
- "scope": "[format('/providers/Microsoft.Management/managementGroups/{0}', parameters('eslzRootName'))]",
 "properties": {
 "roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
 "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-prereq-{0}', parameters('location'))), '2022-01-31-preview').principalId]",
From 5fa3ad27f507128bfb8506b230c8f463153d7311 Mon Sep 17 00:00:00 2001
From: Sacha Narinx
Date: Mon, 9 Dec 2024 15:32:31 +0400
Subject: [PATCH 154/226] .
---
 eslzArm/prerequisites/deployPrerequisites.json | 16 ----------------
 1 file changed, 16 deletions(-)
diff --git a/eslzArm/prerequisites/deployPrerequisites.json b/eslzArm/prerequisites/deployPrerequisites.json
index 1ec7fe4c9d..61435ea803 100644
--- a/eslzArm/prerequisites/deployPrerequisites.json
+++ b/eslzArm/prerequisites/deployPrerequisites.json
@@ -85,22 +85,6 @@
 "metadata": {
 "description": "This role assignment grants the user assigned identity the Contributor role on the resource group."
 }
- },
- {
- "type": "Microsoft.Authorization/roleAssignments",
- "apiVersion": "2022-04-01",
- "name": "[guid(resourceGroup().id, format('uai-prereq-{0}-mg', parameters('location')))]",
- "properties": {
- "roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
- "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-prereq-{0}', parameters('location'))), '2022-01-31-preview').principalId]",
- "principalType": "ServicePrincipal"
- },
- "dependsOn": [
- "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-prereq-{0}', parameters('location')))]"
- ],
- "metadata": {
- "description": "This role assignment grants the user assigned identity the Contributor role."
- }
 }
 ],
 "outputs": {
From 17b9d2116ba4015b16b531c93673903ad9ea0d2b Mon Sep 17 00:00:00 2001
From: Sacha Narinx
Date: Mon, 9 Dec 2024 15:52:07 +0400
Subject: [PATCH 155/226] .
---
 eslzArm/eslzArm.json | 8 +-
 .../prerequisites/deployPrerequisites1.json | 228 ++++++++++++++++++
 2 files changed, 233 insertions(+), 3 deletions(-)
 create mode 100644 eslzArm/prerequisites/deployPrerequisites1.json
diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json
index 63a34e276f..70065bc8cd 100644
--- a/eslzArm/eslzArm.json
+++ b/eslzArm/eslzArm.json
@@ -1697,8 +1697,7 @@ "roleDefinitions": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/roleDefinitions/customRoleDefinitions.json')]", "policyDefinitions": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyDefinitions/policies.json')]", "initiativeDefinitions": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyDefinitions/initiatives.json')]", - "preRequisites": "[uri(deployment().properties.templateLink.uri, 'prerequisites/deployPrerequisites.json')]", - "alzSleep": "[uri(deployment().properties.templateLink.uri, 'prerequisites/dsSleep.json')]", + "preRequisites": "[uri(deployment().properties.templateLink.uri, 'prerequisites/deployPrerequisites1.json')]", "avnmConnectivityHub": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/avnmConfiguration.json')]", "avnmPolicy": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/avnmPolicy.json')]", "vnetConnectivityHub": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/hubspoke-connectivity.json')]", @@ -2439,7 +2438,7 @@ "type": "Microsoft.Resources/deployments", "apiVersion": "2020-06-01", "name": "alz-prerequisites", - "subscriptionId": "[parameters('managementSubscriptionId')]", + "scope": "[variables('scopes').eslzRootManagementGroup]", "location": "[deployment().location]", "dependsOn": [ "[variables('deploymentNames').initiativeDeploymentName]" @@ -2456,6 +2455,9 @@ }, "eslzRootName": { "value": "[parameters('enterpriseScaleCompanyPrefix')]" + }, + "managementSubscriptionId": { + "value": "[parameters('managementSubscriptionId')]" } } } diff --git a/eslzArm/prerequisites/deployPrerequisites1.json b/eslzArm/prerequisites/deployPrerequisites1.json new file mode 100644 index 0000000000..6b3823a1c0 --- /dev/null +++ b/eslzArm/prerequisites/deployPrerequisites1.json 
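Review bot: The `alzSleep` entry is dropped from the template-link variables in the `-1697` hunk, but nothing in this commit removes the `dsSleep.json` deployment that would have consumed `variables(...).alzSleep`; if that resource still exists elsewhere in eslzArm.json the template stops validating, so please confirm it is gone or keep the variable until it is. Pointing `preRequisites` at a new `deployPrerequisites1.json` while `prerequisites/deployPrerequisites.json` stays in the repository leaves two prerequisite templates with one of them dead, and the numbered filename reads as a scratch copy — once the rewrite is stable it should replace the original under the old name. The `alz-prerequisites` deployment now runs at `variables('scopes').eslzRootManagementGroup` with the subscription passed explicitly, which is a non-obvious pairing worth a one-line note on the resource, e.g. `"metadata": { "description": "Runs at the root management group; the target subscription is passed as managementSubscriptionId." }`.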
@@ -0,0 +1,228 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceGroupName": { + "type": "string", + "defaultValue": "rg-alz-prereqs", + "metadata": { + "description": "The resource group name where the AVNM resources will be created" + } + }, + "location": { + "type": "string", + "minLength": 6, + "metadata": { + "description": "The location of this AVNM instance. All resources will be deployed to this region." + } + }, + "eslzRootName": { + "type": "string", + "metadata": { + "description": "The name of the Enterprise Scale Landing Zone root resource." + } + }, + "managementSubscriptionId": { + "type": "string", + "metadata": { + "description": "The subscription ID of the management subscription." + } + } + }, + "resources": [ + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "alz-prerequisites-createRG", + "location": "[parameters('location')]", + "subscriptionId": "[parameters('managementSubscriptionId')]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "type": "Microsoft.Resources/resourceGroups", + "apiVersion": "2022-09-01", + "name": "[parameters('resourceGroupName')]", + "location": "[parameters('location')]" + } + ] + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "alz-prerequisites-uai", + "subscriptionId": "[parameters('managementSubscriptionId')]", + "resourceGroup": "[parameters('resourceGroupName')]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "location": { + "value": "[parameters('location')]" + }, + "eslzRootName": { + "value": "[parameters('eslzRootName')]" + } + }, + "template": { + "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string" + }, + "eslzRootName": { + "type": "string" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.ManagedIdentity/userAssignedIdentities", + "apiVersion": "2022-01-31-preview", + "name": "[format('uai-prereq-{0}', parameters('location'))]", + "location": "[parameters('location')]", + "metadata": { + "description": "This user assigned identity is used by the Deployment Script resource to interact with Azure resources." + } + }, + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "name": "[guid(resourceGroup().id, format('uai-prereq-{0}', parameters('location')))]", + "properties": { + "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-prereq-{0}', parameters('location'))), '2022-01-31-preview').principalId]", + "principalType": "ServicePrincipal" + }, + "dependsOn": [ + "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-prereq-{0}', parameters('location')))]" + ], + "metadata": { + "description": "This role assignment grants the user assigned identity the Contributor role on the resource group." 
+ } + } + ], + "outputs": { + "userAssignedIdentityId": { + "type": "string", + "value": "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-prereq-{0}', parameters('location')))]" + } + } + } + }, + "dependsOn": [ + "[subscriptionResourceId('Microsoft.Resources/resourceGroups', parameters('resourceGroupName'))]" + ] + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('ds-{0}-prereqs', parameters('location'))]", + + "resourceGroup": "[parameters('resourceGroupName')]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "location": { + "value": "[parameters('location')]" + }, + "userAssignedIdentityId": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('resourceGroupName')), 'Microsoft.Resources/deployments', 'alz-prerequisites-uai'), '2022-09-01').outputs.userAssignedIdentityId.value]" + }, + "eslzRootName": { + "value": "[parameters('eslzRootName')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string" + }, + "eslzRootName":{ + "type": "string" + }, + "userAssignedIdentityId": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.Resources/deploymentScripts", + "apiVersion": "2020-10-01", + "name": "alz-prereq-deploymentscript", + "location": "[parameters('location')]", + "kind": "AzurePowerShell", + "identity": { + "type": "UserAssigned", + "userAssignedIdentities": { + "[format('{0}', parameters('userAssignedIdentityId'))]": {} + } + }, + "properties": { + "azPowerShellVersion": "12.3", + "retentionInterval": "PT1H", + "timeout": "PT2H", + "arguments": "[format('-eslzRootName \"{0}\"', parameters('eslzRootName'))]", + "scriptContent": " + param( + 
[Parameter(Mandatory=$true, HelpMessage=\"Enter the ESLZ root name.\")] + [string] + $eslzRootName + ) + + #API call to register the Microsoft.Network provider against intermediate resource group for AVNM + Invoke-AzRestMethod -Method POST -Uri \"https://management.azure.com/providers/Microsoft.Management/managementGroups/$eslzRootName/providers/Microsoft.Network/register?api-version=2021-04-01\" + + #Sleep for XX minutes to wait for Management Groups to load to cache before assignments + Start-Sleep -Duration (New-TimeSpan -Minutes 10) + + $result = \"\" + $count = 0 + + do { + $result = Invoke-AzRestMethod -Method POST -Uri \"https://management.azure.com/providers/Microsoft.Management/managementGroups/$eslzRootName/providers/Microsoft.Network/register?api-version=2021-04-01\" + $count++ + Start-Sleep -Seconds 30 + Write-Host 'MG RP Register - Status Code: ' $result.StatusCode ' Count: ' $count + } while ($result.StatusCode -ne 200 -and $count -lt 10) + + #Register all resource providers + $subs = Search-AzGraph -Query \"ResourceContainers | where type =~ 'microsoft.resources/subscriptions'\" -ManagementGroup $eslzRootName + $rps = @('Microsoft.Insights','Microsoft.AlertsManagement','Microsoft.OperationalInsights','Microsoft.OperationsManagement','Microsoft.Automation','Microsoft.AlertsManagement','Microsoft.Security','Microsoft.Network','Microsoft.EventGrid','Microsoft.ManagedIdentity','Microsoft.GuestConfiguration','Microsoft.Advisor','Microsoft.PolicyInsights') + + foreach ($sub in $subs) { + Select-AzSubscription -SubscriptionId $sub.id + Write-Host 'Registering resource providers for subscription: ' $sub.id + Get-AzResourceProvider -ProviderNamespace $rps | where {$_.RegistrationState -ne \"Registered\"} | Register-AzResourceProvider + } + " + }, + "metadata": { + "description": "Create a Deployment Script resource to perform the prerequisites." 
+ } + } + ], + "outputs": {} + } + }, + "dependsOn": [ + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('resourceGroupName')), 'Microsoft.Resources/deployments', 'alz-prerequisites-uai')]", + "[subscriptionResourceId('Microsoft.Resources/resourceGroups', parameters('resourceGroupName'))]" + ] + } + ], + "outputs": {} + } \ No newline at end of file From 9e7aeeea2c0413446323bbb394d1dcd0954f6541 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Mon, 9 Dec 2024 15:57:56 +0400 Subject: [PATCH 156/226] . --- eslzArm/prerequisites/deployPrerequisites1.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/eslzArm/prerequisites/deployPrerequisites1.json b/eslzArm/prerequisites/deployPrerequisites1.json index 6b3823a1c0..cee0401d45 100644 --- a/eslzArm/prerequisites/deployPrerequisites1.json +++ b/eslzArm/prerequisites/deployPrerequisites1.json @@ -39,7 +39,7 @@ "properties": { "mode": "Incremental", "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "$schema": "https://schema.management.azure.com/schemas//2018-05-01/subscriptionDeploymentTemplate.json#", "contentVersion": "1.0.0.0", "resources": [ { From 8ca5dfaafbc600022525cb5fedc5d72960b656df Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Mon, 9 Dec 2024 16:01:09 +0400 Subject: [PATCH 157/226] . --- eslzArm/prerequisites/deployPrerequisites1.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/eslzArm/prerequisites/deployPrerequisites1.json b/eslzArm/prerequisites/deployPrerequisites1.json index cee0401d45..8e7727abb7 100644 --- a/eslzArm/prerequisites/deployPrerequisites1.json +++ b/eslzArm/prerequisites/deployPrerequisites1.json 
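Review bot: `subscription().subscriptionId` in the `userAssignedIdentityId` parameter value and in the `dependsOn` of the `ds-{0}-prereqs` deployment is evaluated in a management-group-scoped template (the outer `$schema` is managementGroupDeploymentTemplate), where I don't believe `subscription()` is available; the template already receives `parameters('managementSubscriptionId')` and should use it there, and that same deployment has an empty line where its `subscriptionId` belongs. Both nested deployments also depend on `subscriptionResourceId('Microsoft.Resources/resourceGroups', ...)`, a resource this template does not declare (the group is created inside `alz-prerequisites-createRG`), so the dependency should name that deployment instead. The only role granted here is Contributor on the prerequisites resource group, yet the `foreach` loop runs `Register-AzResourceProvider` in every subscription under `$eslzRootName`, which needs `<namespace>/register/action` on each of those subscriptions; without it the loop fails per subscription while the deployment script still reports success, because `$ErrorActionPreference` is left at its default and the retry loop exits after 10 attempts without throwing. Adding `$ErrorActionPreference = 'Stop'` at the top and `if ($result.StatusCode -ne 200) { throw ('Microsoft.Network registration failed: ' + $result.StatusCode) }` after the loop would make those failures fail the deployment. `'Microsoft.AlertsManagement'` is listed twice in `$rps`.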
@@ -39,7 +39,7 @@
 "properties": {
 "mode": "Incremental",
 "template": {
- "$schema": "https://schema.management.azure.com/schemas//2018-05-01/subscriptionDeploymentTemplate.json#",
+ "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
 "contentVersion": "1.0.0.0",
 "resources": [
 {
From 1fc7bad4aff047fcf2ce97e86b6ce398b632dfe8 Mon Sep 17 00:00:00 2001
From: Sacha Narinx
Date: Mon, 9 Dec 2024 16:16:21 +0400
Subject: [PATCH 158/226] .
---
 eslzArm/prerequisites/deployPrerequisites1.json | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/eslzArm/prerequisites/deployPrerequisites1.json b/eslzArm/prerequisites/deployPrerequisites1.json
index 8e7727abb7..03f2dffb11 100644
--- a/eslzArm/prerequisites/deployPrerequisites1.json
+++ b/eslzArm/prerequisites/deployPrerequisites1.json
@@ -39,7 +39,7 @@
 "properties": {
 "mode": "Incremental",
 "template": {
- "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "1.0.0.0",
 "resources": [
 {
@@ -119,14 +119,15 @@
 }
 },
 "dependsOn": [
- "[subscriptionResourceId('Microsoft.Resources/resourceGroups', parameters('resourceGroupName'))]"
+ "[subscriptionResourceId('Microsoft.Resources/resourceGroups', parameters('resourceGroupName'))]",
+ "alz-prerequisites-createRG"
 ]
 },
 {
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2022-09-01",
 "name": "[format('ds-{0}-prereqs', parameters('location'))]",
-
+ "subscriptionId": "[parameters('managementSubscriptionId')]",
 "resourceGroup": "[parameters('resourceGroupName')]",
 "properties": {
 "expressionEvaluationOptions": {
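Review bot: The `-39` hunk of commit 158 sets the `$schema` of the `alz-prerequisites-createRG` inner template back to the resource-group `deploymentTemplate.json#`, although that template creates a `Microsoft.Resources/resourceGroups` resource and is deployed with `subscriptionId`, i.e. it is a subscription-level template; the schema only drives tooling and validation, but the previous commit's `subscriptionDeploymentTemplate.json#` (with the single slash) was the accurate one. In the `-119` hunk, adding `"alz-prerequisites-createRG"` to `dependsOn` is the right dependency, but the `subscriptionResourceId('Microsoft.Resources/resourceGroups', …)` entry kept beside it still names a resource that is not declared in this template (the group is created inside that nested deployment), which I'd expect validation to reject; the same pair is added in the `-220` hunk. Keeping only the deployment name in both `dependsOn` arrays would resolve it.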
@@ -220,7 +221,8 @@
 },
 "dependsOn": [
 "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('resourceGroupName')), 'Microsoft.Resources/deployments', 'alz-prerequisites-uai')]",
- "[subscriptionResourceId('Microsoft.Resources/resourceGroups', parameters('resourceGroupName'))]"
+ "[subscriptionResourceId('Microsoft.Resources/resourceGroups', parameters('resourceGroupName'))]",
+ "alz-prerequisites-createRG"
 ]
 }
 ],
From b38b5b577da2c674dab63b26f7c539b6abf4e5d4 Mon Sep 17 00:00:00 2001
From: Sacha Narinx
Date: Mon, 9 Dec 2024 16:34:32 +0400
Subject: [PATCH 159/226] .
---
 eslzArm/prerequisites/deployPrerequisites1.json | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/eslzArm/prerequisites/deployPrerequisites1.json b/eslzArm/prerequisites/deployPrerequisites1.json
index 03f2dffb11..0622e0aa39 100644
--- a/eslzArm/prerequisites/deployPrerequisites1.json
+++ b/eslzArm/prerequisites/deployPrerequisites1.json
@@ -47,11 +47,7 @@
 "apiVersion": "2022-09-01",
 "name": "[parameters('resourceGroupName')]",
 "location": "[parameters('location')]"
- }
- ]
- }
- }
- },
+ },
 {
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2022-09-01",
@@ -224,6 +220,10 @@
 "[subscriptionResourceId('Microsoft.Resources/resourceGroups', parameters('resourceGroupName'))]",
 "alz-prerequisites-createRG"
 ]
+ }
+ ]
+ }
+ }
 }
 ],
 "outputs": {}
From 617cd6e92068a4b9dbddafd2e1a0b4ffb53f87c4 Mon Sep 17 00:00:00 2001
From: Sacha Narinx
Date: Mon, 9 Dec 2024 16:37:41 +0400
Subject: [PATCH 160/226] .
---
 eslzArm/prerequisites/deployPrerequisites1.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/eslzArm/prerequisites/deployPrerequisites1.json b/eslzArm/prerequisites/deployPrerequisites1.json
index 0622e0aa39..bb9b7763df 100644
--- a/eslzArm/prerequisites/deployPrerequisites1.json
+++ b/eslzArm/prerequisites/deployPrerequisites1.json
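Review bot: After the move in commit 159 both nested deployments still carry `"alz-prerequisites-createRG"` in their `dependsOn` (context lines of the `-224` hunk), but they now sit inside that deployment's own inner template, where no resource of that name exists; I'd expect validation to reject the self-reference, so that entry should be dropped while `subscriptionResourceId('Microsoft.Resources/resourceGroups', …)` is kept, since it now refers to the resource-group resource declared in the same inner template. That inner template is deployed with `subscriptionId` and creates a resource group, so its `$schema` should be `https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#` rather than the resource-group schema it currently declares. The inner template's `resources` array begins before the `-47` hunk.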
@@ -52,7 +52,7 @@
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2022-09-01",
 "name": "alz-prerequisites-uai",
- "subscriptionId": "[parameters('managementSubscriptionId')]",
+
 "resourceGroup": "[parameters('resourceGroupName')]",
 "properties": {
 "expressionEvaluationOptions": {
@@ -123,7 +123,7 @@
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2022-09-01",
 "name": "[format('ds-{0}-prereqs', parameters('location'))]",
- "subscriptionId": "[parameters('managementSubscriptionId')]",
+
 "resourceGroup": "[parameters('resourceGroupName')]",
 "properties": {
 "expressionEvaluationOptions": {
From a65e24c03998cf655f7ec90fe8f9a18e587c0727 Mon Sep 17 00:00:00 2001
From: Sacha Narinx
Date: Mon, 9 Dec 2024 16:42:44 +0400
Subject: [PATCH 161/226] .
---
 .../prerequisites/deployPrerequisites1.json | 350 +++++++++---------
 1 file changed, 174 insertions(+), 176 deletions(-)
diff --git a/eslzArm/prerequisites/deployPrerequisites1.json b/eslzArm/prerequisites/deployPrerequisites1.json
index bb9b7763df..35a1101f90 100644
--- a/eslzArm/prerequisites/deployPrerequisites1.json
+++ b/eslzArm/prerequisites/deployPrerequisites1.json
@@ -42,185 +42,183 @@ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "resources": [ - { - "type": "Microsoft.Resources/resourceGroups", - "apiVersion": "2022-09-01", - "name": "[parameters('resourceGroupName')]", - "location": "[parameters('location')]" - }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "alz-prerequisites-uai", - - "resourceGroup": "[parameters('resourceGroupName')]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "location": { - "value": "[parameters('location')]" - }, - "eslzRootName": { - "value": "[parameters('eslzRootName')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "location": { - "type": "string" - }, - "eslzRootName": { - "type": "string" - } - }, - "variables": {}, - "resources": [ - { - "type": "Microsoft.ManagedIdentity/userAssignedIdentities", - "apiVersion": "2022-01-31-preview", - "name": "[format('uai-prereq-{0}', parameters('location'))]", - "location": "[parameters('location')]", - "metadata": { - "description": "This user assigned identity is used by the Deployment Script resource to interact with Azure resources." 
- } - }, - { - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "name": "[guid(resourceGroup().id, format('uai-prereq-{0}', parameters('location')))]", - "properties": { - "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-prereq-{0}', parameters('location'))), '2022-01-31-preview').principalId]", - "principalType": "ServicePrincipal" + { + "type": "Microsoft.Resources/resourceGroups", + "apiVersion": "2022-09-01", + "name": "[parameters('resourceGroupName')]", + "location": "[parameters('location')]" }, - "dependsOn": [ - "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-prereq-{0}', parameters('location')))]" - ], - "metadata": { - "description": "This role assignment grants the user assigned identity the Contributor role on the resource group." 
- } - } - ], - "outputs": { - "userAssignedIdentityId": { - "type": "string", - "value": "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-prereq-{0}', parameters('location')))]" - } - } - } - }, - "dependsOn": [ - "[subscriptionResourceId('Microsoft.Resources/resourceGroups', parameters('resourceGroupName'))]", - "alz-prerequisites-createRG" - ] - }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('ds-{0}-prereqs', parameters('location'))]", - - "resourceGroup": "[parameters('resourceGroupName')]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "location": { - "value": "[parameters('location')]" - }, - "userAssignedIdentityId": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('resourceGroupName')), 'Microsoft.Resources/deployments', 'alz-prerequisites-uai'), '2022-09-01').outputs.userAssignedIdentityId.value]" - }, - "eslzRootName": { - "value": "[parameters('eslzRootName')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "location": { - "type": "string" - }, - "eslzRootName":{ - "type": "string" - }, - "userAssignedIdentityId": { - "type": "string" - } - }, - "resources": [ - { - "type": "Microsoft.Resources/deploymentScripts", - "apiVersion": "2020-10-01", - "name": "alz-prereq-deploymentscript", - "location": "[parameters('location')]", - "kind": "AzurePowerShell", - "identity": { - "type": "UserAssigned", - "userAssignedIdentities": { - "[format('{0}', parameters('userAssignedIdentityId'))]": {} - } + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "alz-prerequisites-uai", + "resourceGroup": "[parameters('resourceGroupName')]", + "properties": { + 
"expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "location": { + "value": "[parameters('location')]" + }, + "eslzRootName": { + "value": "[parameters('eslzRootName')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string" + }, + "eslzRootName": { + "type": "string" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.ManagedIdentity/userAssignedIdentities", + "apiVersion": "2022-01-31-preview", + "name": "[format('uai-prereq-{0}', parameters('location'))]", + "location": "[parameters('location')]", + "metadata": { + "description": "This user assigned identity is used by the Deployment Script resource to interact with Azure resources." + } + }, + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "name": "[guid(resourceGroup().id, format('uai-prereq-{0}', parameters('location')))]", + "properties": { + "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-prereq-{0}', parameters('location'))), '2022-01-31-preview').principalId]", + "principalType": "ServicePrincipal" + }, + "dependsOn": [ + "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-prereq-{0}', parameters('location')))]" + ], + "metadata": { + "description": "This role assignment grants the user assigned identity the Contributor role on the resource group." 
+ } + } + ], + "outputs": { + "userAssignedIdentityId": { + "type": "string", + "value": "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-prereq-{0}', parameters('location')))]" + } + } + } + }, + "dependsOn": [ + "[subscriptionResourceId('Microsoft.Resources/resourceGroups', parameters('resourceGroupName'))]", + "alz-prerequisites-createRG" + ] }, - "properties": { - "azPowerShellVersion": "12.3", - "retentionInterval": "PT1H", - "timeout": "PT2H", - "arguments": "[format('-eslzRootName \"{0}\"', parameters('eslzRootName'))]", - "scriptContent": " - param( - [Parameter(Mandatory=$true, HelpMessage=\"Enter the ESLZ root name.\")] - [string] - $eslzRootName - ) - - #API call to register the Microsoft.Network provider against intermediate resource group for AVNM - Invoke-AzRestMethod -Method POST -Uri \"https://management.azure.com/providers/Microsoft.Management/managementGroups/$eslzRootName/providers/Microsoft.Network/register?api-version=2021-04-01\" - - #Sleep for XX minutes to wait for Management Groups to load to cache before assignments - Start-Sleep -Duration (New-TimeSpan -Minutes 10) - - $result = \"\" - $count = 0 - - do { - $result = Invoke-AzRestMethod -Method POST -Uri \"https://management.azure.com/providers/Microsoft.Management/managementGroups/$eslzRootName/providers/Microsoft.Network/register?api-version=2021-04-01\" - $count++ - Start-Sleep -Seconds 30 - Write-Host 'MG RP Register - Status Code: ' $result.StatusCode ' Count: ' $count - } while ($result.StatusCode -ne 200 -and $count -lt 10) - - #Register all resource providers - $subs = Search-AzGraph -Query \"ResourceContainers | where type =~ 'microsoft.resources/subscriptions'\" -ManagementGroup $eslzRootName - $rps = 
@('Microsoft.Insights','Microsoft.AlertsManagement','Microsoft.OperationalInsights','Microsoft.OperationsManagement','Microsoft.Automation','Microsoft.AlertsManagement','Microsoft.Security','Microsoft.Network','Microsoft.EventGrid','Microsoft.ManagedIdentity','Microsoft.GuestConfiguration','Microsoft.Advisor','Microsoft.PolicyInsights') - - foreach ($sub in $subs) { - Select-AzSubscription -SubscriptionId $sub.id - Write-Host 'Registering resource providers for subscription: ' $sub.id - Get-AzResourceProvider -ProviderNamespace $rps | where {$_.RegistrationState -ne \"Registered\"} | Register-AzResourceProvider - } - " - }, - "metadata": { - "description": "Create a Deployment Script resource to perform the prerequisites." + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('ds-{0}-prereqs', parameters('location'))]", + "resourceGroup": "[parameters('resourceGroupName')]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "location": { + "value": "[parameters('location')]" + }, + "userAssignedIdentityId": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('resourceGroupName')), 'Microsoft.Resources/deployments', 'alz-prerequisites-uai'), '2022-09-01').outputs.userAssignedIdentityId.value]" + }, + "eslzRootName": { + "value": "[parameters('eslzRootName')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string" + }, + "eslzRootName":{ + "type": "string" + }, + "userAssignedIdentityId": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.Resources/deploymentScripts", + "apiVersion": "2020-10-01", + "name": "alz-prereq-deploymentscript", + "location": "[parameters('location')]", + "kind": 
"AzurePowerShell", + "identity": { + "type": "UserAssigned", + "userAssignedIdentities": { + "[format('{0}', parameters('userAssignedIdentityId'))]": {} + } + }, + "properties": { + "azPowerShellVersion": "12.3", + "retentionInterval": "PT1H", + "timeout": "PT2H", + "arguments": "[format('-eslzRootName \"{0}\"', parameters('eslzRootName'))]", + "scriptContent": " + param( + [Parameter(Mandatory=$true, HelpMessage=\"Enter the ESLZ root name.\")] + [string] + $eslzRootName + ) + + #API call to register the Microsoft.Network provider against intermediate resource group for AVNM + Invoke-AzRestMethod -Method POST -Uri \"https://management.azure.com/providers/Microsoft.Management/managementGroups/$eslzRootName/providers/Microsoft.Network/register?api-version=2021-04-01\" + + #Sleep for XX minutes to wait for Management Groups to load to cache before assignments + Start-Sleep -Duration (New-TimeSpan -Minutes 10) + + $result = \"\" + $count = 0 + + do { + $result = Invoke-AzRestMethod -Method POST -Uri \"https://management.azure.com/providers/Microsoft.Management/managementGroups/$eslzRootName/providers/Microsoft.Network/register?api-version=2021-04-01\" + $count++ + Start-Sleep -Seconds 30 + Write-Host 'MG RP Register - Status Code: ' $result.StatusCode ' Count: ' $count + } while ($result.StatusCode -ne 200 -and $count -lt 10) + + #Register all resource providers + $subs = Search-AzGraph -Query \"ResourceContainers | where type =~ 'microsoft.resources/subscriptions'\" -ManagementGroup $eslzRootName + $rps = @('Microsoft.Insights','Microsoft.AlertsManagement','Microsoft.OperationalInsights','Microsoft.OperationsManagement','Microsoft.Automation','Microsoft.AlertsManagement','Microsoft.Security','Microsoft.Network','Microsoft.EventGrid','Microsoft.ManagedIdentity','Microsoft.GuestConfiguration','Microsoft.Advisor','Microsoft.PolicyInsights') + + foreach ($sub in $subs) { + Select-AzSubscription -SubscriptionId $sub.id + Write-Host 'Registering resource providers for 
subscription: ' $sub.id + Get-AzResourceProvider -ProviderNamespace $rps | where {$_.RegistrationState -ne \"Registered\"} | Register-AzResourceProvider + } + " + }, + "metadata": { + "description": "Create a Deployment Script resource to perform the prerequisites." + } + } + ], + "outputs": {} + } + }, + "dependsOn": [ + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('resourceGroupName')), 'Microsoft.Resources/deployments', 'alz-prerequisites-uai')]", + "[subscriptionResourceId('Microsoft.Resources/resourceGroups', parameters('resourceGroupName'))]", + "alz-prerequisites-createRG" + ] } - } - ], - "outputs": {} - } - }, - "dependsOn": [ - "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('resourceGroupName')), 'Microsoft.Resources/deployments', 'alz-prerequisites-uai')]", - "[subscriptionResourceId('Microsoft.Resources/resourceGroups', parameters('resourceGroupName'))]", - "alz-prerequisites-createRG" - ] - } ] } } From 5c9c058ec967a446cff651f1b4678225839ae0ca Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Mon, 9 Dec 2024 16:49:24 +0400 Subject: [PATCH 162/226] . --- .../prerequisites/deployPrerequisites1.json | 354 +++++++++--------- 1 file changed, 178 insertions(+), 176 deletions(-) diff --git a/eslzArm/prerequisites/deployPrerequisites1.json b/eslzArm/prerequisites/deployPrerequisites1.json index 35a1101f90..03f2dffb11 100644 --- a/eslzArm/prerequisites/deployPrerequisites1.json +++ b/eslzArm/prerequisites/deployPrerequisites1.json 
@@ -42,186 +42,188 @@ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "resources": [ - { - "type": "Microsoft.Resources/resourceGroups", - "apiVersion": "2022-09-01", - "name": "[parameters('resourceGroupName')]", - "location": "[parameters('location')]" + { + "type": "Microsoft.Resources/resourceGroups", + "apiVersion": "2022-09-01", + "name": "[parameters('resourceGroupName')]", + "location": "[parameters('location')]" + } + ] + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "alz-prerequisites-uai", + "subscriptionId": "[parameters('managementSubscriptionId')]", + "resourceGroup": "[parameters('resourceGroupName')]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "location": { + "value": "[parameters('location')]" + }, + "eslzRootName": { + "value": "[parameters('eslzRootName')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string" + }, + "eslzRootName": { + "type": "string" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.ManagedIdentity/userAssignedIdentities", + "apiVersion": "2022-01-31-preview", + "name": "[format('uai-prereq-{0}', parameters('location'))]", + "location": "[parameters('location')]", + "metadata": { + "description": "This user assigned identity is used by the Deployment Script resource to interact with Azure resources." 
+ } + }, + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "name": "[guid(resourceGroup().id, format('uai-prereq-{0}', parameters('location')))]", + "properties": { + "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-prereq-{0}', parameters('location'))), '2022-01-31-preview').principalId]", + "principalType": "ServicePrincipal" }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "alz-prerequisites-uai", - "resourceGroup": "[parameters('resourceGroupName')]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "location": { - "value": "[parameters('location')]" - }, - "eslzRootName": { - "value": "[parameters('eslzRootName')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "location": { - "type": "string" - }, - "eslzRootName": { - "type": "string" - } - }, - "variables": {}, - "resources": [ - { - "type": "Microsoft.ManagedIdentity/userAssignedIdentities", - "apiVersion": "2022-01-31-preview", - "name": "[format('uai-prereq-{0}', parameters('location'))]", - "location": "[parameters('location')]", - "metadata": { - "description": "This user assigned identity is used by the Deployment Script resource to interact with Azure resources." 
- } - }, - { - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "name": "[guid(resourceGroup().id, format('uai-prereq-{0}', parameters('location')))]", - "properties": { - "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-prereq-{0}', parameters('location'))), '2022-01-31-preview').principalId]", - "principalType": "ServicePrincipal" - }, - "dependsOn": [ - "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-prereq-{0}', parameters('location')))]" - ], - "metadata": { - "description": "This role assignment grants the user assigned identity the Contributor role on the resource group." - } - } - ], - "outputs": { - "userAssignedIdentityId": { - "type": "string", - "value": "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-prereq-{0}', parameters('location')))]" - } - } - } - }, - "dependsOn": [ - "[subscriptionResourceId('Microsoft.Resources/resourceGroups', parameters('resourceGroupName'))]", - "alz-prerequisites-createRG" - ] + "dependsOn": [ + "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-prereq-{0}', parameters('location')))]" + ], + "metadata": { + "description": "This role assignment grants the user assigned identity the Contributor role on the resource group." 
+ } + } + ], + "outputs": { + "userAssignedIdentityId": { + "type": "string", + "value": "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-prereq-{0}', parameters('location')))]" + } + } + } + }, + "dependsOn": [ + "[subscriptionResourceId('Microsoft.Resources/resourceGroups', parameters('resourceGroupName'))]", + "alz-prerequisites-createRG" + ] + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('ds-{0}-prereqs', parameters('location'))]", + "subscriptionId": "[parameters('managementSubscriptionId')]", + "resourceGroup": "[parameters('resourceGroupName')]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "location": { + "value": "[parameters('location')]" + }, + "userAssignedIdentityId": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('resourceGroupName')), 'Microsoft.Resources/deployments', 'alz-prerequisites-uai'), '2022-09-01').outputs.userAssignedIdentityId.value]" + }, + "eslzRootName": { + "value": "[parameters('eslzRootName')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string" + }, + "eslzRootName":{ + "type": "string" + }, + "userAssignedIdentityId": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.Resources/deploymentScripts", + "apiVersion": "2020-10-01", + "name": "alz-prereq-deploymentscript", + "location": "[parameters('location')]", + "kind": "AzurePowerShell", + "identity": { + "type": "UserAssigned", + "userAssignedIdentities": { + "[format('{0}', parameters('userAssignedIdentityId'))]": {} + } }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('ds-{0}-prereqs', parameters('location'))]", 
- "resourceGroup": "[parameters('resourceGroupName')]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "location": { - "value": "[parameters('location')]" - }, - "userAssignedIdentityId": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('resourceGroupName')), 'Microsoft.Resources/deployments', 'alz-prerequisites-uai'), '2022-09-01').outputs.userAssignedIdentityId.value]" - }, - "eslzRootName": { - "value": "[parameters('eslzRootName')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "location": { - "type": "string" - }, - "eslzRootName":{ - "type": "string" - }, - "userAssignedIdentityId": { - "type": "string" - } - }, - "resources": [ - { - "type": "Microsoft.Resources/deploymentScripts", - "apiVersion": "2020-10-01", - "name": "alz-prereq-deploymentscript", - "location": "[parameters('location')]", - "kind": "AzurePowerShell", - "identity": { - "type": "UserAssigned", - "userAssignedIdentities": { - "[format('{0}', parameters('userAssignedIdentityId'))]": {} - } - }, - "properties": { - "azPowerShellVersion": "12.3", - "retentionInterval": "PT1H", - "timeout": "PT2H", - "arguments": "[format('-eslzRootName \"{0}\"', parameters('eslzRootName'))]", - "scriptContent": " - param( - [Parameter(Mandatory=$true, HelpMessage=\"Enter the ESLZ root name.\")] - [string] - $eslzRootName - ) - - #API call to register the Microsoft.Network provider against intermediate resource group for AVNM - Invoke-AzRestMethod -Method POST -Uri \"https://management.azure.com/providers/Microsoft.Management/managementGroups/$eslzRootName/providers/Microsoft.Network/register?api-version=2021-04-01\" - - #Sleep for XX minutes to wait for Management Groups to load to cache before assignments - Start-Sleep 
-Duration (New-TimeSpan -Minutes 10) - - $result = \"\" - $count = 0 - - do { - $result = Invoke-AzRestMethod -Method POST -Uri \"https://management.azure.com/providers/Microsoft.Management/managementGroups/$eslzRootName/providers/Microsoft.Network/register?api-version=2021-04-01\" - $count++ - Start-Sleep -Seconds 30 - Write-Host 'MG RP Register - Status Code: ' $result.StatusCode ' Count: ' $count - } while ($result.StatusCode -ne 200 -and $count -lt 10) - - #Register all resource providers - $subs = Search-AzGraph -Query \"ResourceContainers | where type =~ 'microsoft.resources/subscriptions'\" -ManagementGroup $eslzRootName - $rps = @('Microsoft.Insights','Microsoft.AlertsManagement','Microsoft.OperationalInsights','Microsoft.OperationsManagement','Microsoft.Automation','Microsoft.AlertsManagement','Microsoft.Security','Microsoft.Network','Microsoft.EventGrid','Microsoft.ManagedIdentity','Microsoft.GuestConfiguration','Microsoft.Advisor','Microsoft.PolicyInsights') - - foreach ($sub in $subs) { - Select-AzSubscription -SubscriptionId $sub.id - Write-Host 'Registering resource providers for subscription: ' $sub.id - Get-AzResourceProvider -ProviderNamespace $rps | where {$_.RegistrationState -ne \"Registered\"} | Register-AzResourceProvider - } - " - }, - "metadata": { - "description": "Create a Deployment Script resource to perform the prerequisites." 
- } - } - ], - "outputs": {} - } - }, - "dependsOn": [ - "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('resourceGroupName')), 'Microsoft.Resources/deployments', 'alz-prerequisites-uai')]", - "[subscriptionResourceId('Microsoft.Resources/resourceGroups', parameters('resourceGroupName'))]", - "alz-prerequisites-createRG" - ] + "properties": { + "azPowerShellVersion": "12.3", + "retentionInterval": "PT1H", + "timeout": "PT2H", + "arguments": "[format('-eslzRootName \"{0}\"', parameters('eslzRootName'))]", + "scriptContent": " + param( + [Parameter(Mandatory=$true, HelpMessage=\"Enter the ESLZ root name.\")] + [string] + $eslzRootName + ) + + #API call to register the Microsoft.Network provider against intermediate resource group for AVNM + Invoke-AzRestMethod -Method POST -Uri \"https://management.azure.com/providers/Microsoft.Management/managementGroups/$eslzRootName/providers/Microsoft.Network/register?api-version=2021-04-01\" + + #Sleep for XX minutes to wait for Management Groups to load to cache before assignments + Start-Sleep -Duration (New-TimeSpan -Minutes 10) + + $result = \"\" + $count = 0 + + do { + $result = Invoke-AzRestMethod -Method POST -Uri \"https://management.azure.com/providers/Microsoft.Management/managementGroups/$eslzRootName/providers/Microsoft.Network/register?api-version=2021-04-01\" + $count++ + Start-Sleep -Seconds 30 + Write-Host 'MG RP Register - Status Code: ' $result.StatusCode ' Count: ' $count + } while ($result.StatusCode -ne 200 -and $count -lt 10) + + #Register all resource providers + $subs = Search-AzGraph -Query \"ResourceContainers | where type =~ 'microsoft.resources/subscriptions'\" -ManagementGroup $eslzRootName + $rps = 
@('Microsoft.Insights','Microsoft.AlertsManagement','Microsoft.OperationalInsights','Microsoft.OperationsManagement','Microsoft.Automation','Microsoft.AlertsManagement','Microsoft.Security','Microsoft.Network','Microsoft.EventGrid','Microsoft.ManagedIdentity','Microsoft.GuestConfiguration','Microsoft.Advisor','Microsoft.PolicyInsights') + + foreach ($sub in $subs) { + Select-AzSubscription -SubscriptionId $sub.id + Write-Host 'Registering resource providers for subscription: ' $sub.id + Get-AzResourceProvider -ProviderNamespace $rps | where {$_.RegistrationState -ne \"Registered\"} | Register-AzResourceProvider + } + " + }, + "metadata": { + "description": "Create a Deployment Script resource to perform the prerequisites." } - ] + } + ], + "outputs": {} } - } + }, + "dependsOn": [ + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('resourceGroupName')), 'Microsoft.Resources/deployments', 'alz-prerequisites-uai')]", + "[subscriptionResourceId('Microsoft.Resources/resourceGroups', parameters('resourceGroupName'))]", + "alz-prerequisites-createRG" + ] } ], "outputs": {} From d1f66dac9bad63569c467f7d8cb148f4d876f3bd Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Mon, 9 Dec 2024 16:52:42 +0400 Subject: [PATCH 163/226] . --- eslzArm/eslzArm.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json index 70065bc8cd..ff628c3257 100644 --- a/eslzArm/eslzArm.json +++ b/eslzArm/eslzArm.json @@ -2441,7 +2441,8 @@ "scope": "[variables('scopes').eslzRootManagementGroup]", "location": "[deployment().location]", "dependsOn": [ - "[variables('deploymentNames').initiativeDeploymentName]" + "[variables('deploymentNames').initiativeDeploymentName]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]" ], "properties": { "mode": "Incremental", 
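Review bot: The deployment script on the new side never fails on its own errors: `Invoke-AzRestMethod` does not throw on a non-2xx status, the `do … while ($result.StatusCode -ne 200 -and $count -lt 10)` loop simply falls through after ten attempts, and `Register-AzResourceProvider` errors are non-terminating by default, so the outer deployment reports success with the prerequisite unmet; add `$ErrorActionPreference = 'Stop'` at the top of the script and `if ($result.StatusCode -ne 200) { throw ('Microsoft.Network registration failed with status ' + $result.StatusCode) }` after the loop. `Select-AzSubscription -SubscriptionId $sub.id` looks wrong if Resource Graph returns `id` as the full `/subscriptions/<guid>` path rather than the bare id that parameter expects — `$sub.subscriptionId` is the usual column; confirm against a query result. `Microsoft.AlertsManagement` is listed twice in `$rps`, and the comment `#API call to register the Microsoft.Network provider against intermediate resource group for AVNM` should say management group, which is what the URI targets. The `alz-prerequisites-createRG` deployment enclosing this hunk starts before line 42 of the file, outside the hunk.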
From 876bfb474e2496a931de5f27fcdd5a8669877bce Mon Sep 17 00:00:00 2001
From: Sacha Narinx
Date: Mon, 9 Dec 2024 16:56:27 +0400
Subject: [PATCH 164/226] .
---
 eslzArm/prerequisites/deployPrerequisites1.json | 2 --
 1 file changed, 2 deletions(-)
diff --git a/eslzArm/prerequisites/deployPrerequisites1.json b/eslzArm/prerequisites/deployPrerequisites1.json
index 03f2dffb11..918627dd64 100644
--- a/eslzArm/prerequisites/deployPrerequisites1.json
+++ b/eslzArm/prerequisites/deployPrerequisites1.json
@@ -119,7 +119,6 @@
 }
 },
 "dependsOn": [
- "[subscriptionResourceId('Microsoft.Resources/resourceGroups', parameters('resourceGroupName'))]",
 "alz-prerequisites-createRG"
 ]
 },
@@ -221,7 +220,6 @@
 },
 "dependsOn": [
 "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('resourceGroupName')), 'Microsoft.Resources/deployments', 'alz-prerequisites-uai')]",
- "[subscriptionResourceId('Microsoft.Resources/resourceGroups', parameters('resourceGroupName'))]",
 "alz-prerequisites-createRG"
 ]
 }
From 20b8bba843aa8ebf267ff2380094b371c030cdc5 Mon Sep 17 00:00:00 2001
From: Sacha Narinx
Date: Mon, 9 Dec 2024 17:02:29 +0400
Subject: [PATCH 165/226] .
---
 eslzArm/prerequisites/deployPrerequisites1.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/eslzArm/prerequisites/deployPrerequisites1.json b/eslzArm/prerequisites/deployPrerequisites1.json
index 918627dd64..c0a2fb2832 100644
--- a/eslzArm/prerequisites/deployPrerequisites1.json
+++ b/eslzArm/prerequisites/deployPrerequisites1.json
@@ -138,7 +138,7 @@
 "value": "[parameters('location')]"
 },
 "userAssignedIdentityId": {
- "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('resourceGroupName')), 'Microsoft.Resources/deployments', 'alz-prerequisites-uai'), '2022-09-01').outputs.userAssignedIdentityId.value]"
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('managementSubscriptionId'), parameters('resourceGroupName')), 'Microsoft.Resources/deployments', 'alz-prerequisites-uai'), '2022-09-01').outputs.userAssignedIdentityId.value]"
 },
 "eslzRootName": {
 "value": "[parameters('eslzRootName')]"
From 8ad18ad5697528bceccc2a6cf2682b63b6354422 Mon Sep 17 00:00:00 2001
From: Sacha Narinx
Date: Mon, 9 Dec 2024 17:07:59 +0400
Subject: [PATCH 166/226] .
---
 eslzArm/prerequisites/deployPrerequisites1.json | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/eslzArm/prerequisites/deployPrerequisites1.json b/eslzArm/prerequisites/deployPrerequisites1.json
index c0a2fb2832..9ab628961d 100644
--- a/eslzArm/prerequisites/deployPrerequisites1.json
+++ b/eslzArm/prerequisites/deployPrerequisites1.json
@@ -97,8 +97,9 @@
 "type": "Microsoft.Authorization/roleAssignments",
 "apiVersion": "2022-04-01",
 "name": "[guid(resourceGroup().id, format('uai-prereq-{0}', parameters('location')))]",
+ "scope": "[format('/providers/Microsoft.Management/managementGroups/{0}', parameters('eslzRootName'))]",
 "properties": {
- "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]",
+ "roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
 "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-prereq-{0}', parameters('location'))), '2022-01-31-preview').principalId]",
 "principalType": "ServicePrincipal"
 },
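Review bot: The added `scope` line grants role `b24988ac-6180-42a0-ab88-20f7382dd24c` (Contributor, per this resource's own metadata description) at the `eslzRootName` management group instead of the deployment's resource group, which is far more than the script it serves needs — the script only calls `.../providers/Microsoft.Network/register` and `Register-AzResourceProvider`, so a custom role limited to, for example, `*/register/action` at that scope would keep least privilege. The user-assigned identity and this assignment are separate resources from the deployment script and are not covered by its `retentionInterval`, so a root-scope Contributor grant persists after the prerequisites have run unless something elsewhere removes it. The metadata `description` a few lines below the hunk still says `Contributor role on the resource group` and should now read `Contributor role at the management group`. I am not certain a resource-group-scoped nested deployment can create an extension resource at management-group scope via `scope`; confirm the template validates. The enclosing `alz-prerequisites-uai` deployment starts and ends outside the hunk.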
From edd19bc2b05cbabfa1fec1712e9338d58e21b319 Mon Sep 17 00:00:00 2001
From: Sacha Narinx
Date: Mon, 9 Dec 2024 17:16:11 +0400
Subject: [PATCH 167/226] .
---
 eslzArm/prerequisites/deployPrerequisites1.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/eslzArm/prerequisites/deployPrerequisites1.json b/eslzArm/prerequisites/deployPrerequisites1.json
index 9ab628961d..98afc1f7ef 100644
--- a/eslzArm/prerequisites/deployPrerequisites1.json
+++ b/eslzArm/prerequisites/deployPrerequisites1.json
@@ -220,7 +220,7 @@
 }
 },
 "dependsOn": [
- "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('resourceGroupName')), 'Microsoft.Resources/deployments', 'alz-prerequisites-uai')]",
+ "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('managementSubscriptionId'), parameters('resourceGroupName')), 'Microsoft.Resources/deployments', 'alz-prerequisites-uai')]",
 "alz-prerequisites-createRG"
 ]
 }
From 9ed7f9d9c11c068e4009ce8ba75b6c2ed6000c9a Mon Sep 17 00:00:00 2001
From: Sacha Narinx
Date: Mon, 9 Dec 2024 18:24:09 +0400
Subject: [PATCH 168/226] .
---
 eslzArm/prerequisites/deployPrerequisites1.json | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)
diff --git a/eslzArm/prerequisites/deployPrerequisites1.json b/eslzArm/prerequisites/deployPrerequisites1.json
index 98afc1f7ef..d4a4d7b895 100644
--- a/eslzArm/prerequisites/deployPrerequisites1.json
+++ b/eslzArm/prerequisites/deployPrerequisites1.json
@@ -47,16 +47,11 @@
 "apiVersion": "2022-09-01",
 "name": "[parameters('resourceGroupName')]",
 "location": "[parameters('location')]"
- }
- ]
- }
- }
- },
+ },
 {
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2022-09-01",
 "name": "alz-prerequisites-uai",
- "subscriptionId": "[parameters('managementSubscriptionId')]",
 "resourceGroup": "[parameters('resourceGroupName')]",
 "properties": {
 "expressionEvaluationOptions": {
@@ -127,7 +122,6 @@
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2022-09-01",
 "name": "[format('ds-{0}-prereqs', parameters('location'))]",
- "subscriptionId": "[parameters('managementSubscriptionId')]",
 "resourceGroup": "[parameters('resourceGroupName')]",
 "properties": {
 "expressionEvaluationOptions": {
@@ -223,6 +217,10 @@
 "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('managementSubscriptionId'), parameters('resourceGroupName')), 'Microsoft.Resources/deployments', 'alz-prerequisites-uai')]",
 "alz-prerequisites-createRG"
 ]
+ }
+ ]
+ }
+ }
 }
 ],
 "outputs": {}
From 752d2d299783942b6cf9af6f799b14f557d2fda1 Mon Sep 17 00:00:00 2001
From: Sacha Narinx
Date: Mon, 9 Dec 2024 18:31:53 +0400
Subject: [PATCH 169/226] .
---
 eslzArm/prerequisites/deployPrerequisites1.json | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/eslzArm/prerequisites/deployPrerequisites1.json b/eslzArm/prerequisites/deployPrerequisites1.json
index d4a4d7b895..638f04630b 100644
--- a/eslzArm/prerequisites/deployPrerequisites1.json
+++ b/eslzArm/prerequisites/deployPrerequisites1.json
@@ -115,7 +115,8 @@
 }
 },
 "dependsOn": [
- "alz-prerequisites-createRG"
+ "[subscriptionResourceId('Microsoft.Resources/resourceGroups', parameters('resourceGroupName'))]",
+ "alz-prerequisites-createRG"
 ]
 },
 {
@@ -215,6 +216,7 @@
 },
 "dependsOn": [
 "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('managementSubscriptionId'), parameters('resourceGroupName')), 'Microsoft.Resources/deployments', 'alz-prerequisites-uai')]",
+ "[subscriptionResourceId('Microsoft.Resources/resourceGroups', parameters('resourceGroupName'))]",
 "alz-prerequisites-createRG"
 ]
 }
From b5f7d6e46d28c089fa58188c6bd9f54026b537cb Mon Sep 17 00:00:00 2001
From: Sacha Narinx
Date: Mon, 9 Dec 2024 18:36:09 +0400
Subject: [PATCH 170/226] .
---
 eslzArm/prerequisites/deployPrerequisites1.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/eslzArm/prerequisites/deployPrerequisites1.json b/eslzArm/prerequisites/deployPrerequisites1.json
index 638f04630b..8927011264 100644
--- a/eslzArm/prerequisites/deployPrerequisites1.json
+++ b/eslzArm/prerequisites/deployPrerequisites1.json
@@ -115,7 +115,7 @@
 }
 },
 "dependsOn": [
- "[subscriptionResourceId('Microsoft.Resources/resourceGroups', parameters('resourceGroupName'))]",
+ "[subscriptionResourceId(parameters('managementSubscriptionId'),'Microsoft.Resources/resourceGroups', parameters('resourceGroupName'))]",
 "alz-prerequisites-createRG"
 ]
 },
@@ -216,7 +216,7 @@
 },
 "dependsOn": [
 "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('managementSubscriptionId'), parameters('resourceGroupName')), 'Microsoft.Resources/deployments', 'alz-prerequisites-uai')]",
- "[subscriptionResourceId('Microsoft.Resources/resourceGroups', parameters('resourceGroupName'))]",
+ "[subscriptionResourceId(parameters('managementSubscriptionId'),'Microsoft.Resources/resourceGroups', parameters('resourceGroupName'))]",
 "alz-prerequisites-createRG"
 ]
 }
From e2b7ef74e07e2e0b5775c7c7694ecb0202f8b81b Mon Sep 17 00:00:00 2001
From: Sacha Narinx
Date: Mon, 9 Dec 2024 18:44:32 +0400
Subject: [PATCH 171/226] .
---
 .../prerequisites/deployPrerequisites1.json | 253 ++++++------------
 1 file changed, 76 insertions(+), 177 deletions(-)
diff --git a/eslzArm/prerequisites/deployPrerequisites1.json b/eslzArm/prerequisites/deployPrerequisites1.json
index 8927011264..f38a55d170 100644
--- a/eslzArm/prerequisites/deployPrerequisites1.json
+++ b/eslzArm/prerequisites/deployPrerequisites1.json
@@ -33,7 +33,7 @@
 {
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2022-09-01",
- "name": "alz-prerequisites-createRG",
+ "name": "alz-prerequisites",
 "location": "[parameters('location')]",
 "subscriptionId": "[parameters('managementSubscriptionId')]",
 "properties": {
@@ -42,184 +42,83 @@ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "resources": [ - { - "type": "Microsoft.Resources/resourceGroups", - "apiVersion": "2022-09-01", - "name": "[parameters('resourceGroupName')]", - "location": "[parameters('location')]" - }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "alz-prerequisites-uai", - "resourceGroup": "[parameters('resourceGroupName')]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "location": { - "value": "[parameters('location')]" - }, - "eslzRootName": { - "value": "[parameters('eslzRootName')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "location": { - "type": "string" - }, - "eslzRootName": { - "type": "string" - } - }, - "variables": {}, - "resources": [ - { - "type": "Microsoft.ManagedIdentity/userAssignedIdentities", - "apiVersion": "2022-01-31-preview", - "name": "[format('uai-prereq-{0}', parameters('location'))]", - "location": "[parameters('location')]", - "metadata": { - "description": "This user assigned identity is used by the Deployment Script resource to interact with Azure resources." 
- } - }, - { - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "name": "[guid(resourceGroup().id, format('uai-prereq-{0}', parameters('location')))]", - "scope": "[format('/providers/Microsoft.Management/managementGroups/{0}', parameters('eslzRootName'))]", - "properties": { - "roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c", - "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-prereq-{0}', parameters('location'))), '2022-01-31-preview').principalId]", - "principalType": "ServicePrincipal" - }, - "dependsOn": [ - "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-prereq-{0}', parameters('location')))]" - ], - "metadata": { - "description": "This role assignment grants the user assigned identity the Contributor role on the resource group." - } - } - ], - "outputs": { - "userAssignedIdentityId": { - "type": "string", - "value": "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-prereq-{0}', parameters('location')))]" - } - } - } - }, - "dependsOn": [ - "[subscriptionResourceId(parameters('managementSubscriptionId'),'Microsoft.Resources/resourceGroups', parameters('resourceGroupName'))]", - "alz-prerequisites-createRG" - ] - }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('ds-{0}-prereqs', parameters('location'))]", - "resourceGroup": "[parameters('resourceGroupName')]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "location": { - "value": "[parameters('location')]" - }, - "userAssignedIdentityId": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('managementSubscriptionId'), parameters('resourceGroupName')), 'Microsoft.Resources/deployments', 'alz-prerequisites-uai'), 
'2022-09-01').outputs.userAssignedIdentityId.value]" - }, - "eslzRootName": { - "value": "[parameters('eslzRootName')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "location": { - "type": "string" - }, - "eslzRootName":{ - "type": "string" - }, - "userAssignedIdentityId": { - "type": "string" - } - }, - "resources": [ - { - "type": "Microsoft.Resources/deploymentScripts", - "apiVersion": "2020-10-01", - "name": "alz-prereq-deploymentscript", - "location": "[parameters('location')]", - "kind": "AzurePowerShell", - "identity": { - "type": "UserAssigned", - "userAssignedIdentities": { - "[format('{0}', parameters('userAssignedIdentityId'))]": {} - } + { + "type": "Microsoft.Resources/resourceGroups", + "apiVersion": "2022-09-01", + "name": "[parameters('resourceGroupName')]", + "location": "[parameters('location')]" }, - "properties": { - "azPowerShellVersion": "12.3", - "retentionInterval": "PT1H", - "timeout": "PT2H", - "arguments": "[format('-eslzRootName \"{0}\"', parameters('eslzRootName'))]", - "scriptContent": " - param( - [Parameter(Mandatory=$true, HelpMessage=\"Enter the ESLZ root name.\")] - [string] - $eslzRootName - ) - - #API call to register the Microsoft.Network provider against intermediate resource group for AVNM - Invoke-AzRestMethod -Method POST -Uri \"https://management.azure.com/providers/Microsoft.Management/managementGroups/$eslzRootName/providers/Microsoft.Network/register?api-version=2021-04-01\" - - #Sleep for XX minutes to wait for Management Groups to load to cache before assignments - Start-Sleep -Duration (New-TimeSpan -Minutes 10) - - $result = \"\" - $count = 0 - - do { - $result = Invoke-AzRestMethod -Method POST -Uri \"https://management.azure.com/providers/Microsoft.Management/managementGroups/$eslzRootName/providers/Microsoft.Network/register?api-version=2021-04-01\" - $count++ - Start-Sleep -Seconds 30 - 
Write-Host 'MG RP Register - Status Code: ' $result.StatusCode ' Count: ' $count - } while ($result.StatusCode -ne 200 -and $count -lt 10) - - #Register all resource providers - $subs = Search-AzGraph -Query \"ResourceContainers | where type =~ 'microsoft.resources/subscriptions'\" -ManagementGroup $eslzRootName - $rps = @('Microsoft.Insights','Microsoft.AlertsManagement','Microsoft.OperationalInsights','Microsoft.OperationsManagement','Microsoft.Automation','Microsoft.AlertsManagement','Microsoft.Security','Microsoft.Network','Microsoft.EventGrid','Microsoft.ManagedIdentity','Microsoft.GuestConfiguration','Microsoft.Advisor','Microsoft.PolicyInsights') - - foreach ($sub in $subs) { - Select-AzSubscription -SubscriptionId $sub.id - Write-Host 'Registering resource providers for subscription: ' $sub.id - Get-AzResourceProvider -ProviderNamespace $rps | where {$_.RegistrationState -ne \"Registered\"} | Register-AzResourceProvider - } - " - }, - "metadata": { - "description": "Create a Deployment Script resource to perform the prerequisites." 
+ { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "alz-prerequisites-uai", + "resourceGroup": "[parameters('resourceGroupName')]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "location": { + "value": "[parameters('location')]" + }, + "eslzRootName": { + "value": "[parameters('eslzRootName')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string" + }, + "eslzRootName": { + "type": "string" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.ManagedIdentity/userAssignedIdentities", + "apiVersion": "2022-01-31-preview", + "name": "[format('uai-prereq-{0}', parameters('location'))]", + "location": "[parameters('location')]", + "metadata": { + "description": "This user assigned identity is used by the Deployment Script resource to interact with Azure resources." + } + }, + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "name": "[guid(resourceGroup().id, format('uai-prereq-{0}', parameters('location')))]", + "scope": "[format('/providers/Microsoft.Management/managementGroups/{0}', parameters('eslzRootName'))]", + "properties": { + "roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c", + "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-prereq-{0}', parameters('location'))), '2022-01-31-preview').principalId]", + "principalType": "ServicePrincipal" + }, + "dependsOn": [ + "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-prereq-{0}', parameters('location')))]" + ], + "metadata": { + "description": "This role assignment grants the user assigned identity the Contributor role on the resource group." 
+ } + } + ], + "outputs": { + "userAssignedIdentityId": { + "type": "string", + "value": "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-prereq-{0}', parameters('location')))]" + } + } + } + }, + "dependsOn": [ + "[subscriptionResourceId(parameters('managementSubscriptionId'),'Microsoft.Resources/resourceGroups', parameters('resourceGroupName'))]", + "alz-prerequisites-createRG" + ] } - } - ], - "outputs": {} - } - }, - "dependsOn": [ - "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('managementSubscriptionId'), parameters('resourceGroupName')), 'Microsoft.Resources/deployments', 'alz-prerequisites-uai')]", - "[subscriptionResourceId(parameters('managementSubscriptionId'),'Microsoft.Resources/resourceGroups', parameters('resourceGroupName'))]", - "alz-prerequisites-createRG" - ] - } ] } } From f7a4cc1a1c02ef97835efd078ce32545bbcd0e13 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Mon, 9 Dec 2024 18:50:00 +0400 Subject: [PATCH 172/226] . --- .../prerequisites/deployPrerequisites1.json | 105 +++++++++++++++++- 1 file changed, 103 insertions(+), 2 deletions(-) diff --git a/eslzArm/prerequisites/deployPrerequisites1.json b/eslzArm/prerequisites/deployPrerequisites1.json index f38a55d170..5d517994c5 100644 --- a/eslzArm/prerequisites/deployPrerequisites1.json +++ b/eslzArm/prerequisites/deployPrerequisites1.json @@ -81,7 +81,7 @@ "resources": [ { "type": "Microsoft.ManagedIdentity/userAssignedIdentities", - "apiVersion": "2022-01-31-preview", + "apiVersion": "2023-07-31-preview", "name": "[format('uai-prereq-{0}', parameters('location'))]", "location": "[parameters('location')]", "metadata": { 
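Review bot: The role assignment re-added in this hunk is scoped by its `scope` property to the management group named by `eslzRootName`, yet the metadata it carries still says the identity gets "the Contributor role on the resource group"; the description should read `"This role assignment grants the user assigned identity the Contributor role on the management group named by eslzRootName."` so the next reader does not assume a resource-group-level grant. It would also help to record in that metadata why Contributor at a management group is required, since the identity only exists to run the prerequisite deployment script; if its work is limited to resource provider registration, a narrower role covering `*/register/action` would follow least privilege. The enclosing `alz-prerequisites` deployment resource starts in the previous hunk, outside this one.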
@@ -95,7 +95,7 @@
 "scope": "[format('/providers/Microsoft.Management/managementGroups/{0}', parameters('eslzRootName'))]",
 "properties": {
 "roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
- "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-prereq-{0}', parameters('location'))), '2022-01-31-preview').principalId]",
+ "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-prereq-{0}', parameters('location'))), '2023-07-31-preview').principalId]",
 "principalType": "ServicePrincipal"
 },
 "dependsOn": [
@@ -118,6 +118,107 @@ "[subscriptionResourceId(parameters('managementSubscriptionId'),'Microsoft.Resources/resourceGroups', parameters('resourceGroupName'))]", "alz-prerequisites-createRG" ] + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('ds-{0}-prereqs', parameters('location'))]", + "resourceGroup": "[parameters('resourceGroupName')]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "location": { + "value": "[parameters('location')]" + }, + "userAssignedIdentityId": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('managementSubscriptionId'), parameters('resourceGroupName')), 'Microsoft.Resources/deployments', 'alz-prerequisites-uai'), '2022-09-01').outputs.userAssignedIdentityId.value]" + }, + "eslzRootName": { + "value": "[parameters('eslzRootName')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string" + }, + "eslzRootName":{ + "type": "string" + }, + "userAssignedIdentityId": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.Resources/deploymentScripts", + "apiVersion": "2020-10-01", + "name": "alz-prereq-deploymentscript", + "location": "[parameters('location')]", + "kind": "AzurePowerShell", + "identity": { + "type": "UserAssigned", + "userAssignedIdentities": { + "[format('{0}', parameters('userAssignedIdentityId'))]": {} + } + }, + "properties": { + "azPowerShellVersion": "12.3", + "retentionInterval": "PT1H", + "timeout": "PT2H", + "arguments": "[format('-eslzRootName \"{0}\"', parameters('eslzRootName'))]", + "scriptContent": " + param( + [Parameter(Mandatory=$true, HelpMessage=\"Enter the ESLZ root name.\")] + [string] + $eslzRootName + ) + + #API call to register the Microsoft.Network provider 
against intermediate resource group for AVNM + Invoke-AzRestMethod -Method POST -Uri \"https://management.azure.com/providers/Microsoft.Management/managementGroups/$eslzRootName/providers/Microsoft.Network/register?api-version=2021-04-01\" + + #Sleep for XX minutes to wait for Management Groups to load to cache before assignments + Start-Sleep -Duration (New-TimeSpan -Minutes 10) + + $result = \"\" + $count = 0 + + do { + $result = Invoke-AzRestMethod -Method POST -Uri \"https://management.azure.com/providers/Microsoft.Management/managementGroups/$eslzRootName/providers/Microsoft.Network/register?api-version=2021-04-01\" + $count++ + Start-Sleep -Seconds 30 + Write-Host 'MG RP Register - Status Code: ' $result.StatusCode ' Count: ' $count + } while ($result.StatusCode -ne 200 -and $count -lt 10) + + #Register all resource providers + $subs = Search-AzGraph -Query \"ResourceContainers | where type =~ 'microsoft.resources/subscriptions'\" -ManagementGroup $eslzRootName + $rps = @('Microsoft.Insights','Microsoft.AlertsManagement','Microsoft.OperationalInsights','Microsoft.OperationsManagement','Microsoft.Automation','Microsoft.AlertsManagement','Microsoft.Security','Microsoft.Network','Microsoft.EventGrid','Microsoft.ManagedIdentity','Microsoft.GuestConfiguration','Microsoft.Advisor','Microsoft.PolicyInsights') + + foreach ($sub in $subs) { + Select-AzSubscription -SubscriptionId $sub.id + Write-Host 'Registering resource providers for subscription: ' $sub.id + Get-AzResourceProvider -ProviderNamespace $rps | where {$_.RegistrationState -ne \"Registered\"} | Register-AzResourceProvider + } + " + }, + "metadata": { + "description": "Create a Deployment Script resource to perform the prerequisites." 
+ } + } + ], + "outputs": {} + } + }, + "dependsOn": [ + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('managementSubscriptionId'), parameters('resourceGroupName')), 'Microsoft.Resources/deployments', 'alz-prerequisites-uai')]", + "[subscriptionResourceId(parameters('managementSubscriptionId'),'Microsoft.Resources/resourceGroups', parameters('resourceGroupName'))]", + "alz-prerequisites-createRG" + ] } ] } From 288a2e0cebab9eebc7b4b265ed9911a1d03868a7 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Mon, 9 Dec 2024 19:57:29 +0400 Subject: [PATCH 173/226] . --- eslzArm/prerequisites/deployPrerequisites1.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/eslzArm/prerequisites/deployPrerequisites1.json b/eslzArm/prerequisites/deployPrerequisites1.json index 5d517994c5..f68f4e14ef 100644 --- a/eslzArm/prerequisites/deployPrerequisites1.json +++ b/eslzArm/prerequisites/deployPrerequisites1.json @@ -115,7 +115,7 @@ } }, "dependsOn": [ - "[subscriptionResourceId(parameters('managementSubscriptionId'),'Microsoft.Resources/resourceGroups', parameters('resourceGroupName'))]", + "[concat('Microsoft.Resources/resourceGroups/', parameters('resourceGroupName'))]", "alz-prerequisites-createRG" ] }, @@ -216,7 +216,7 @@ }, "dependsOn": [ "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('managementSubscriptionId'), parameters('resourceGroupName')), 'Microsoft.Resources/deployments', 'alz-prerequisites-uai')]", - "[subscriptionResourceId(parameters('managementSubscriptionId'),'Microsoft.Resources/resourceGroups', parameters('resourceGroupName'))]", + "[concat('Microsoft.Resources/resourceGroups/', parameters('resourceGroupName'))]", "alz-prerequisites-createRG" ] } From 76d2a07a33228b18070efc0a60316ee919dbbc49 Mon Sep 17 00:00:00 2001 
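Review bot: In the added `scriptContent`, the do/while loop gives up after ten attempts without checking the final result, and the per-subscription loop then runs regardless, so a failed `Microsoft.Network` registration at the management group is only written to the log and the deployment script still reports success; add `if ($result.StatusCode -ne 200) { throw "Microsoft.Network registration at $eslzRootName failed with status $($result.StatusCode)" }` after the loop, and `$ErrorActionPreference = 'Stop'` at the top so cmdlet failures also fail the script. `Select-AzSubscription -SubscriptionId $sub.id` looks like it passes the full `/subscriptions/<id>` resource ID that Resource Graph returns rather than the bare subscription ID; `$sub.subscriptionId` appears to be the intended column, so this should be verified against the query output. `Search-AzGraph` returns a bounded first page by default, so a root management group with more subscriptions than that page size would be silently only partly registered; pass `-First 1000` or page with `-SkipToken`. `Microsoft.AlertsManagement` is listed twice in `$rps`. The same script text is re-indented unchanged in PATCH 179 (the hunk that runs past the end of this page), so the fixes apply there as well.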
From: Sacha Narinx
Date: Mon, 9 Dec 2024 19:59:48 +0400
Subject: [PATCH 174/226] .
---
 eslzArm/prerequisites/deployPrerequisites1.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/eslzArm/prerequisites/deployPrerequisites1.json b/eslzArm/prerequisites/deployPrerequisites1.json
index f68f4e14ef..c70af27619 100644
--- a/eslzArm/prerequisites/deployPrerequisites1.json
+++ b/eslzArm/prerequisites/deployPrerequisites1.json
@@ -39,7 +39,7 @@
 "properties": {
 "mode": "Incremental",
 "template": {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
 "contentVersion": "1.0.0.0",
 "resources": [
 {
From 69c3a301fc45b42953896fbf1bc477f4748a0781 Mon Sep 17 00:00:00 2001
From: Sacha Narinx
Date: Mon, 9 Dec 2024 20:07:29 +0400
Subject: [PATCH 175/226] .
---
 .../prerequisites/deployPrerequisites1.json | 50 +++++++++----------
 1 file changed, 24 insertions(+), 26 deletions(-)
diff --git a/eslzArm/prerequisites/deployPrerequisites1.json b/eslzArm/prerequisites/deployPrerequisites1.json
index c70af27619..36b0dc3637 100644
--- a/eslzArm/prerequisites/deployPrerequisites1.json
+++ b/eslzArm/prerequisites/deployPrerequisites1.json
@@ -70,12 +70,12 @@
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "1.0.0.0",
 "parameters": {
- "location": {
- "type": "string"
- },
- "eslzRootName": {
- "type": "string"
- }
+ "location": {
+ "type": "string"
+ },
+ "eslzRootName": {
+ "type": "string"
+ }
 },
 "variables": {},
 "resources": [
@@ -85,7 +85,7 @@
 "name": "[format('uai-prereq-{0}', parameters('location'))]",
 "location": "[parameters('location')]",
 "metadata": {
- "description": "This user assigned identity is used by the Deployment Script resource to interact with Azure resources."
+ "description": "This user assigned identity is used by the Deployment Script resource to interact with Azure resources."
 }
 },
 {
@@ -94,15 +94,15 @@
 "name": "[guid(resourceGroup().id, format('uai-prereq-{0}', parameters('location')))]",
 "scope": "[format('/providers/Microsoft.Management/managementGroups/{0}', parameters('eslzRootName'))]",
 "properties": {
- "roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
- "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-prereq-{0}', parameters('location'))), '2023-07-31-preview').principalId]",
- "principalType": "ServicePrincipal"
+ "roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
+ "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-prereq-{0}', parameters('location'))), '2023-07-31-preview').principalId]",
+ "principalType": "ServicePrincipal"
 },
 "dependsOn": [
- "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-prereq-{0}', parameters('location')))]"
+ "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-prereq-{0}', parameters('location')))]"
 ],
 "metadata": {
- "description": "This role assignment grants the user assigned identity the Contributor role on the resource group."
+ "description": "This role assignment grants the user assigned identity the Contributor role on the resource group."
 }
 }
 ],
@@ -115,8 +115,7 @@
 }
 },
 "dependsOn": [
- "[concat('Microsoft.Resources/resourceGroups/', parameters('resourceGroupName'))]",
- "alz-prerequisites-createRG"
+ "[concat('Microsoft.Resources/resourceGroups/', parameters('resourceGroupName'))]"
 ]
 },
 {
@@ -144,15 +143,15 @@
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "1.0.0.0",
 "parameters": {
- "location": {
- "type": "string"
- },
- "eslzRootName":{
- "type": "string"
- },
- "userAssignedIdentityId": {
- "type": "string"
- }
+ "location": {
+ "type": "string"
+ },
+ "eslzRootName":{
+ "type": "string"
+ },
+ "userAssignedIdentityId": {
+ "type": "string"
+ }
 },
 "resources": [
 {
@@ -215,9 +214,8 @@
 }
 },
 "dependsOn": [
- "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('managementSubscriptionId'), parameters('resourceGroupName')), 'Microsoft.Resources/deployments', 'alz-prerequisites-uai')]",
- "[concat('Microsoft.Resources/resourceGroups/', parameters('resourceGroupName'))]",
- "alz-prerequisites-createRG"
+ "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('managementSubscriptionId'), parameters('resourceGroupName')), 'Microsoft.Resources/deployments', 'alz-prerequisites-uai')]",
+ "[concat('Microsoft.Resources/resourceGroups/', parameters('resourceGroupName'))]"
 ]
 }
 ]
From 0a0981001b7c11abf66eb1b7b7c20c6daf656957 Mon Sep 17 00:00:00 2001
From: Sacha Narinx
Date: Mon, 9 Dec 2024 20:12:35 +0400
Subject: [PATCH 176/226] hacked to pieces
---
 eslzArm/prerequisites/deployPrerequisites1.json | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/eslzArm/prerequisites/deployPrerequisites1.json b/eslzArm/prerequisites/deployPrerequisites1.json
index 36b0dc3637..7cae06c523 100644
--- a/eslzArm/prerequisites/deployPrerequisites1.json
+++ b/eslzArm/prerequisites/deployPrerequisites1.json
@@ -91,7 +91,7 @@
 {
 "type": "Microsoft.Authorization/roleAssignments",
 "apiVersion": "2022-04-01",
- "name": "[guid(resourceGroup().id, format('uai-prereq-{0}', parameters('location')))]",
+ "name": "[guid(parameters('eslzRootName'), format('uai-prereq-{0}', parameters('location')))]",
 "scope": "[format('/providers/Microsoft.Management/managementGroups/{0}', parameters('eslzRootName'))]",
 "properties": {
 "roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
@@ -115,7 +115,7 @@
 }
 },
 "dependsOn": [
- "[concat('Microsoft.Resources/resourceGroups/', parameters('resourceGroupName'))]"
+ "[format('/subscriptions/{0}/resourceGroups/{1}', parameters('managementSubscriptionId'), parameters('resourceGroupName'))]"
 ]
 },
 {
@@ -215,7 +215,8 @@
 },
 "dependsOn": [
 "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('managementSubscriptionId'), parameters('resourceGroupName')), 'Microsoft.Resources/deployments', 'alz-prerequisites-uai')]",
- "[concat('Microsoft.Resources/resourceGroups/', parameters('resourceGroupName'))]"
+ "[format('/subscriptions/{0}/resourceGroups/{1}', parameters('managementSubscriptionId'), parameters('resourceGroupName'))]"
+ ]
 }
 ]
From 157d91a3e4bbc39f6f79b96a30a8361f0b8d94fe Mon Sep 17 00:00:00 2001
From: Sacha Narinx
Date: Mon, 9 Dec 2024 20:56:31 +0400
Subject: [PATCH 177/226] .
---
 eslzArm/prerequisites/deployPrerequisites1.json | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/eslzArm/prerequisites/deployPrerequisites1.json b/eslzArm/prerequisites/deployPrerequisites1.json
index 7cae06c523..fe590344ab 100644
--- a/eslzArm/prerequisites/deployPrerequisites1.json
+++ b/eslzArm/prerequisites/deployPrerequisites1.json
@@ -82,7 +82,7 @@
 {
 "type": "Microsoft.ManagedIdentity/userAssignedIdentities",
 "apiVersion": "2023-07-31-preview",
- "name": "[format('uai-prereq-{0}', parameters('location'))]",
+ "name": "uai-prereq",
 "location": "[parameters('location')]",
 "metadata": {
 "description": "This user assigned identity is used by the Deployment Script resource to interact with Azure resources."
@@ -91,15 +91,15 @@
 {
 "type": "Microsoft.Authorization/roleAssignments",
 "apiVersion": "2022-04-01",
- "name": "[guid(parameters('eslzRootName'), format('uai-prereq-{0}', parameters('location')))]",
+ "name": "[guid(parameters('eslzRootName'), 'uai-prereq')]",
 "scope": "[format('/providers/Microsoft.Management/managementGroups/{0}', parameters('eslzRootName'))]",
 "properties": {
 "roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
- "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-prereq-{0}', parameters('location'))), '2023-07-31-preview').principalId]",
+ "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'uai-prereq'), '2023-07-31-preview').principalId]",
 "principalType": "ServicePrincipal"
 },
 "dependsOn": [
- "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-prereq-{0}', parameters('location')))]"
+ "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'uai-prereq')]"
 ],
 "metadata": {
 "description": "This role assignment grants the user assigned identity the Contributor role on the resource group."
@@ -109,7 +109,7 @@
 "outputs": {
 "userAssignedIdentityId": {
 "type": "string",
- "value": "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-prereq-{0}', parameters('location')))]"
+ "value": "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'uai-prereq')]"
 }
 }
 }
From 3e65358ccc2868d3d88c4317974576aecb70cdac Mon Sep 17 00:00:00 2001
From: Sacha Narinx
Date: Mon, 9 Dec 2024 23:15:25 +0400
Subject: [PATCH 178/226] test
---
 eslzArm/eslzArm.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json
index ff628c3257..6fe435965d 100644
--- a/eslzArm/eslzArm.json
+++ b/eslzArm/eslzArm.json
@@ -2438,7 +2438,7 @@
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2020-06-01",
 "name": "alz-prerequisites",
- "scope": "[variables('scopes').eslzRootManagementGroup]",
+ "scope": "[variables('scopes').managementManagementGroup]",
 "location": "[deployment().location]",
 "dependsOn": [
 "[variables('deploymentNames').initiativeDeploymentName]",
From 5bd9cd9cdc7a1b236225b7eed1f40272438a3bf4 Mon Sep 17 00:00:00 2001
From: Sacha Narinx
Date: Tue, 10 Dec 2024 15:27:39 +0400
Subject: [PATCH 179/226] .
---
 eslzArm/eslzArm.json | 2 +-
 .../prerequisites/deployPrerequisites1.json | 210 ++++++++++--------
 2 files changed, 117 insertions(+), 95 deletions(-)
diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json
index 6fe435965d..ff628c3257 100644
--- a/eslzArm/eslzArm.json
+++ b/eslzArm/eslzArm.json
@@ -2438,7 +2438,7 @@
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2020-06-01",
 "name": "alz-prerequisites",
- "scope": "[variables('scopes').managementManagementGroup]",
+ "scope": "[variables('scopes').eslzRootManagementGroup]",
 "location": "[deployment().location]",
 "dependsOn": [
 "[variables('deploymentNames').initiativeDeploymentName]",
diff --git a/eslzArm/prerequisites/deployPrerequisites1.json b/eslzArm/prerequisites/deployPrerequisites1.json
index fe590344ab..b5a1b97d66 100644
--- a/eslzArm/prerequisites/deployPrerequisites1.json
+++ b/eslzArm/prerequisites/deployPrerequisites1.json
@@ -33,7 +33,7 @@
 {
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2022-09-01",
- "name": "alz-prerequisites",
+ "name": "alz-prerequisites-001",
 "location": "[parameters('location')]",
 "subscriptionId": "[parameters('managementSubscriptionId')]",
 "properties": {
@@ -53,6 +53,9 @@
 "apiVersion": "2022-09-01",
 "name": "alz-prerequisites-uai",
 "resourceGroup": "[parameters('resourceGroupName')]",
+ "dependsOn": [
+ "[format('/subscriptions/{0}/resourceGroups/{1}', parameters('managementSubscriptionId'), parameters('resourceGroupName'))]"
+ ],
 "properties": {
 "expressionEvaluationOptions": {
 "scope": "inner"
@@ -60,10 +63,13 @@
 "mode": "Incremental",
 "parameters": {
 "location": {
- "value": "[parameters('location')]"
+ "value": "[parameters('location')]"
 },
- "eslzRootName": {
- "value": "[parameters('eslzRootName')]"
+ "managementSubscriptionId": {
+ "value": "[parameters('managementSubscriptionId')]"
+ },
+ "resourceGroupName": {
+ "value": "[parameters('resourceGroupName')]"
 }
 },
 "template": {
@@ -73,70 +79,84 @@ "location": { "type": "string" }, - "eslzRootName": { + "managementSubscriptionId": { + "type": "string" + }, + "resourceGroupName": { "type": "string" } }, "variables": {}, "resources": [ - { - "type": "Microsoft.ManagedIdentity/userAssignedIdentities", - "apiVersion": "2023-07-31-preview", - "name": "uai-prereq", - "location": "[parameters('location')]", - "metadata": { - "description": "This user assigned identity is used by the Deployment Script resource to interact with Azure resources." + { + "type": "Microsoft.ManagedIdentity/userAssignedIdentities", + "apiVersion": "2023-07-31-preview", + "name": "uai-alz-prereq", + "location": "[parameters('location')]" } - }, - { - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "name": "[guid(parameters('eslzRootName'), 'uai-prereq')]", - "scope": "[format('/providers/Microsoft.Management/managementGroups/{0}', parameters('eslzRootName'))]", - "properties": { - "roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c", - "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'uai-prereq'), '2023-07-31-preview').principalId]", - "principalType": "ServicePrincipal" - }, - "dependsOn": [ - "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'uai-prereq')]" - ], - "metadata": { - "description": "This role assignment grants the user assigned identity the Contributor role on the resource group." 
- } - } ], "outputs": { - "userAssignedIdentityId": { - "type": "string", - "value": "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'uai-prereq')]" - } + "userAssignedIdentityId": { + "type": "string", + "value": "[resourceId(parameters('managementSubscriptionId'),parameters('resourceGroupName'),'Microsoft.ManagedIdentity/userAssignedIdentities', 'uai-alz-prereq')]" + } } } - }, - "dependsOn": [ - "[format('/subscriptions/{0}/resourceGroups/{1}', parameters('managementSubscriptionId'), parameters('resourceGroupName'))]" - ] - }, + } + } + ] + } + } + }, + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "name": "[guid(format('alz-prerequisites-002-{0}', parameters('location')))]", + "location": "[parameters('location')]", + "properties": { + "roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c", + "principalId": "[reference(resourceId(parameters('managementSubscriptionId'),parameters('resourceGroupName'),'Microsoft.ManagedIdentity/userAssignedIdentities', 'uai-alz-prereq'), '2023-07-31-preview').principalId]", + "principalType": "ServicePrincipal" + }, + "dependsOn": [ + "alz-prerequisites-001" + ] + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "alz-prerequisites-003", + "location": "[parameters('location')]", + "subscriptionId": "[parameters('managementSubscriptionId')]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ { "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", - "name": "[format('ds-{0}-prereqs', parameters('location'))]", + "name": "alz-prereq-ds", "resourceGroup": "[parameters('resourceGroupName')]", + "dependsOn": [], "properties": { - "expressionEvaluationOptions": { - "scope": "inner" + 
"expressionEvaluationOptions": { + "scope": "inner" }, "mode": "Incremental", "parameters": { "location": { "value": "[parameters('location')]" }, - "userAssignedIdentityId": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('managementSubscriptionId'), parameters('resourceGroupName')), 'Microsoft.Resources/deployments', 'alz-prerequisites-uai'), '2022-09-01').outputs.userAssignedIdentityId.value]" - }, "eslzRootName": { "value": "[parameters('eslzRootName')]" + }, + "managementSubscriptionId": { + "value": "[parameters('managementSubscriptionId')]" + }, + "resourceGroupName": { + "value": "[parameters('resourceGroupName')]" } }, "template": { @@ -149,7 +169,10 @@ "eslzRootName":{ "type": "string" }, - "userAssignedIdentityId": { + "managementSubscriptionId": { + "type": "string" + }, + "resourceGroupName": { "type": "string" } }, 
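Review bot: The role assignment added in this hunk carries no `scope` property, so it is created at the scope of the management-group deployment that invokes this template, which this same commit points back at `eslzRootManagementGroup` in eslzArm.json; that gives the deployment-script identity Contributor on the root of the landing-zone hierarchy, and nothing in the template records why that breadth is needed. Add metadata such as `"description": "Contributor at the root management group so the prerequisite deployment script can register resource providers on every subscription beneath it."` and, if registration is the only task, consider a custom role limited to `*/register/action` instead of Contributor. The `location` property on the role assignment is not a role-assignment attribute and is at best ignored, so it should be dropped. `alz-prerequisites-003` shows no `dependsOn` on the role assignment before its `properties` (the resource's tail is outside this hunk); if it has none, the script can start before the assignment exists, and even with it the RBAC propagation delay is only coincidentally covered by the script's ten-minute sleep — worth a comment on whichever mechanism is relied on. The enclosing template starts before this hunk and `alz-prerequisites-003` ends after it.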
@@ -161,49 +184,49 @@ "location": "[parameters('location')]", "kind": "AzurePowerShell", "identity": { - "type": "UserAssigned", - "userAssignedIdentities": { - "[format('{0}', parameters('userAssignedIdentityId'))]": {} - } + "type": "UserAssigned", + "userAssignedIdentities": { + "[resourceId(parameters('managementSubscriptionId'),parameters('resourceGroupName'),'Microsoft.ManagedIdentity/userAssignedIdentities', 'uai-alz-prereq')]": {} + } }, "properties": { - "azPowerShellVersion": "12.3", - "retentionInterval": "PT1H", - "timeout": "PT2H", - "arguments": "[format('-eslzRootName \"{0}\"', parameters('eslzRootName'))]", - "scriptContent": " - param( - [Parameter(Mandatory=$true, HelpMessage=\"Enter the ESLZ root name.\")] - [string] - $eslzRootName - ) - - #API call to register the Microsoft.Network provider against intermediate resource group for AVNM - Invoke-AzRestMethod -Method POST -Uri \"https://management.azure.com/providers/Microsoft.Management/managementGroups/$eslzRootName/providers/Microsoft.Network/register?api-version=2021-04-01\" - - #Sleep for XX minutes to wait for Management Groups to load to cache before assignments - Start-Sleep -Duration (New-TimeSpan -Minutes 10) - - $result = \"\" - $count = 0 - - do { - $result = Invoke-AzRestMethod -Method POST -Uri \"https://management.azure.com/providers/Microsoft.Management/managementGroups/$eslzRootName/providers/Microsoft.Network/register?api-version=2021-04-01\" - $count++ - Start-Sleep -Seconds 30 - Write-Host 'MG RP Register - Status Code: ' $result.StatusCode ' Count: ' $count - } while ($result.StatusCode -ne 200 -and $count -lt 10) - - #Register all resource providers - $subs = Search-AzGraph -Query \"ResourceContainers | where type =~ 'microsoft.resources/subscriptions'\" -ManagementGroup $eslzRootName - $rps = 
@('Microsoft.Insights','Microsoft.AlertsManagement','Microsoft.OperationalInsights','Microsoft.OperationsManagement','Microsoft.Automation','Microsoft.AlertsManagement','Microsoft.Security','Microsoft.Network','Microsoft.EventGrid','Microsoft.ManagedIdentity','Microsoft.GuestConfiguration','Microsoft.Advisor','Microsoft.PolicyInsights') - - foreach ($sub in $subs) { - Select-AzSubscription -SubscriptionId $sub.id - Write-Host 'Registering resource providers for subscription: ' $sub.id - Get-AzResourceProvider -ProviderNamespace $rps | where {$_.RegistrationState -ne \"Registered\"} | Register-AzResourceProvider - } - " + "azPowerShellVersion": "12.3", + "retentionInterval": "PT1H", + "timeout": "PT2H", + "arguments": "[format('-eslzRootName \"{0}\"', parameters('eslzRootName'))]", + "scriptContent": " + param( + [Parameter(Mandatory=$true, HelpMessage=\"Enter the ESLZ root name.\")] + [string] + $eslzRootName + ) + + #API call to register the Microsoft.Network provider against intermediate resource group for AVNM + Invoke-AzRestMethod -Method POST -Uri \"https://management.azure.com/providers/Microsoft.Management/managementGroups/$eslzRootName/providers/Microsoft.Network/register?api-version=2021-04-01\" + + #Sleep for XX minutes to wait for Management Groups to load to cache before assignments + Start-Sleep -Duration (New-TimeSpan -Minutes 10) + + $result = \"\" + $count = 0 + + do { + $result = Invoke-AzRestMethod -Method POST -Uri \"https://management.azure.com/providers/Microsoft.Management/managementGroups/$eslzRootName/providers/Microsoft.Network/register?api-version=2021-04-01\" + $count++ + Start-Sleep -Seconds 30 + Write-Host 'MG RP Register - Status Code: ' $result.StatusCode ' Count: ' $count + } while ($result.StatusCode -ne 200 -and $count -lt 10) + + #Register all resource providers + $subs = Search-AzGraph -Query \"ResourceContainers | where type =~ 'microsoft.resources/subscriptions'\" -ManagementGroup $eslzRootName + $rps = 
@('Microsoft.Insights','Microsoft.AlertsManagement','Microsoft.OperationalInsights','Microsoft.OperationsManagement','Microsoft.Automation','Microsoft.AlertsManagement','Microsoft.Security','Microsoft.Network','Microsoft.EventGrid','Microsoft.ManagedIdentity','Microsoft.GuestConfiguration','Microsoft.Advisor','Microsoft.PolicyInsights') + + foreach ($sub in $subs) { + Select-AzSubscription -SubscriptionId $sub.id + Write-Host 'Registering resource providers for subscription: ' $sub.id + Get-AzResourceProvider -ProviderNamespace $rps | where {$_.RegistrationState -ne \"Registered\"} | Register-AzResourceProvider + } + " }, "metadata": { "description": "Create a Deployment Script resource to perform the prerequisites." @@ -212,16 +235,15 @@ ], "outputs": {} } - }, - "dependsOn": [ - "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('managementSubscriptionId'), parameters('resourceGroupName')), 'Microsoft.Resources/deployments', 'alz-prerequisites-uai')]", - "[format('/subscriptions/{0}/resourceGroups/{1}', parameters('managementSubscriptionId'), parameters('resourceGroupName'))]" - - ] + } } ] } - } + }, + "dependsOn": [ + "alz-prerequisites-001", + "[guid(format('alz-prerequisites-002-{0}', parameters('location')))]" + ] } ], "outputs": {} From a5828a1c903b544738134e296f827ea4b2b743b4 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Tue, 10 Dec 2024 17:47:47 +0400 Subject: [PATCH 180/226] . --- eslzArm/eslzArm.json | 2 +- .../prerequisites/deployPrerequisites.json | 438 ++++++++++-------- .../prerequisites/deployPrerequisites1.json | 250 ---------- .../prerequisites/deployPrerequisites2.json | 204 ++++++++ eslzArm/subscriptionTemplates/avnmPolicy.json | 13 + 5 files changed, 461 insertions(+), 446 deletions(-) delete mode 100644 eslzArm/prerequisites/deployPrerequisites1.json create mode 100644 eslzArm/prerequisites/deployPrerequisites2.json diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json index ff628c3257..e936239702 100644 
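Review bot: The new `dependsOn` entries on `alz-prerequisites-003` (`alz-prerequisites-001` and the role-assignment guid) only order the deployments; a `dependsOn` on a `Microsoft.Authorization/roleAssignments` resource does not wait for RBAC propagation, so the first authenticated call made by `alz-prereq-deploymentscript` under `uai-alz-prereq` can still fail with an authorization error, and the script's own retry loop covers only the `Microsoft.Network` registration call. Either a brief wait/retry before the first authenticated call in `scriptContent`, or a `metadata.description` on the `alz-prereq-ds` deployment stating that transient authorization failures after a fresh role assignment are expected and should be retried, would make this explicit. The enclosing `alz-prerequisites-003` resource starts outside this hunk.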
--- a/eslzArm/eslzArm.json
+++ b/eslzArm/eslzArm.json
@@ -1697,7 +1697,7 @@
 "roleDefinitions": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/roleDefinitions/customRoleDefinitions.json')]",
 "policyDefinitions": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyDefinitions/policies.json')]",
 "initiativeDefinitions": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyDefinitions/initiatives.json')]",
-"preRequisites": "[uri(deployment().properties.templateLink.uri, 'prerequisites/deployPrerequisites1.json')]",
+"preRequisites": "[uri(deployment().properties.templateLink.uri, 'prerequisites/deployPrerequisites.json')]",
 "avnmConnectivityHub": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/avnmConfiguration.json')]",
 "avnmPolicy": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/avnmPolicy.json')]",
 "vnetConnectivityHub": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/hubspoke-connectivity.json')]",
diff --git a/eslzArm/prerequisites/deployPrerequisites.json b/eslzArm/prerequisites/deployPrerequisites.json
index 61435ea803..ca6cf49232 100644
--- a/eslzArm/prerequisites/deployPrerequisites.json
+++ b/eslzArm/prerequisites/deployPrerequisites.json
@@ -1,204 +1,252 @@ { - "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "resourceGroupName": { - "type": "string", - "defaultValue": "rg-alz-prereqs", - "metadata": { - "description": "The resource group name where the AVNM resources will be created" - } - }, - "location": { - "type": "string", - "minLength": 6, - "metadata": { - "description": "The location of this AVNM instance. All resources will be deployed to this region." - } - }, - "eslzRootName": { - "type": "string", - "metadata": { - "description": "The name of the Enterprise Scale Landing Zone root resource." + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceGroupName": { + "type": "string", + "defaultValue": "rg-alz-prereqs", + "metadata": { + "description": "The resource group name where the AVNM resources will be created" + } + }, + "location": { + "type": "string", + "minLength": 6, + "metadata": { + "description": "The location of this AVNM instance. All resources will be deployed to this region." + } + }, + "eslzRootName": { + "type": "string", + "metadata": { + "description": "The name of the Enterprise Scale Landing Zone root resource." + } + }, + "managementSubscriptionId": { + "type": "string", + "metadata": { + "description": "The subscription ID of the management subscription." 
+ } } - } - }, - "resources": [ - { - "type": "Microsoft.Resources/resourceGroups", - "apiVersion": "2022-09-01", - "name": "[parameters('resourceGroupName')]", - "location": "[parameters('location')]" }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "alz-prerequisites-uai", - "resourceGroup": "[parameters('resourceGroupName')]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "location": { - "value": "[parameters('location')]" - }, - "eslzRootName": { - "value": "[parameters('eslzRootName')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "location": { - "type": "string" - }, - "eslzRootName": { - "type": "string" - } - }, - "variables": {}, - "resources": [ - { - "type": "Microsoft.ManagedIdentity/userAssignedIdentities", - "apiVersion": "2022-01-31-preview", - "name": "[format('uai-prereq-{0}', parameters('location'))]", - "location": "[parameters('location')]", - "metadata": { - "description": "This user assigned identity is used by the Deployment Script resource to interact with Azure resources." 
- } - }, - { - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "name": "[guid(resourceGroup().id, format('uai-prereq-{0}', parameters('location')))]", - "properties": { - "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-prereq-{0}', parameters('location'))), '2022-01-31-preview').principalId]", - "principalType": "ServicePrincipal" - }, - "dependsOn": [ - "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-prereq-{0}', parameters('location')))]" - ], - "metadata": { - "description": "This role assignment grants the user assigned identity the Contributor role on the resource group." - } - } - ], - "outputs": { - "userAssignedIdentityId": { - "type": "string", - "value": "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-prereq-{0}', parameters('location')))]" - } + "resources": [ + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "alz-prerequisites-001", + "location": "[parameters('location')]", + "subscriptionId": "[parameters('managementSubscriptionId')]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "type": "Microsoft.Resources/resourceGroups", + "apiVersion": "2022-09-01", + "name": "[parameters('resourceGroupName')]", + "location": "[parameters('location')]" + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "alz-prerequisites-uai", + "resourceGroup": "[parameters('resourceGroupName')]", + "dependsOn": [ + "[format('/subscriptions/{0}/resourceGroups/{1}', parameters('managementSubscriptionId'), parameters('resourceGroupName'))]" + ], + 
"properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "location": { + "value": "[parameters('location')]" + }, + "managementSubscriptionId": { + "value": "[parameters('managementSubscriptionId')]" + }, + "resourceGroupName": { + "value": "[parameters('resourceGroupName')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string" + }, + "managementSubscriptionId": { + "type": "string" + }, + "resourceGroupName": { + "type": "string" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.ManagedIdentity/userAssignedIdentities", + "apiVersion": "2023-07-31-preview", + "name": "uai-alz-prereq", + "location": "[parameters('location')]" + } + ], + "outputs": { + "userAssignedIdentityId": { + "type": "string", + "value": "[resourceId(parameters('managementSubscriptionId'),parameters('resourceGroupName'),'Microsoft.ManagedIdentity/userAssignedIdentities', 'uai-alz-prereq')]" + } + } + } + } + } + ] } } }, - "dependsOn": [ - "[subscriptionResourceId('Microsoft.Resources/resourceGroups', parameters('resourceGroupName'))]" - ] - }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('ds-{0}-prereqs', parameters('location'))]", - "resourceGroup": "[parameters('resourceGroupName')]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "name": "[guid(format('alz-prerequisites-{0}-{1}', parameters('eslzRootName'), parameters('location')))]", + "location": "[parameters('location')]", + "properties": { + "roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c", + "principalId": 
"[reference(resourceId(parameters('managementSubscriptionId'),parameters('resourceGroupName'),'Microsoft.ManagedIdentity/userAssignedIdentities', 'uai-alz-prereq'), '2023-07-31-preview').principalId]", + "principalType": "ServicePrincipal" }, - "mode": "Incremental", - "parameters": { - "location": { - "value": "[parameters('location')]" - }, - "userAssignedIdentityId": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('resourceGroupName')), 'Microsoft.Resources/deployments', 'alz-prerequisites-uai'), '2022-09-01').outputs.userAssignedIdentityId.value]" - }, - "eslzRootName": { - "value": "[parameters('eslzRootName')]" + "dependsOn": [ + "alz-prerequisites-001", + "[format('/subscriptions/{0}/resourceGroups/{1}', parameters('managementSubscriptionId'), parameters('resourceGroupName'))]" + ] + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "alz-prerequisites-003", + "location": "[parameters('location')]", + "subscriptionId": "[parameters('managementSubscriptionId')]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "alz-prereq-ds", + "resourceGroup": "[parameters('resourceGroupName')]", + "dependsOn": [], + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "location": { + "value": "[parameters('location')]" + }, + "eslzRootName": { + "value": "[parameters('eslzRootName')]" + }, + "managementSubscriptionId": { + "value": "[parameters('managementSubscriptionId')]" + }, + "resourceGroupName": { + "value": "[parameters('resourceGroupName')]" + } + }, + "template": { + "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string" + }, + "eslzRootName":{ + "type": "string" + }, + "managementSubscriptionId": { + "type": "string" + }, + "resourceGroupName": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.Resources/deploymentScripts", + "apiVersion": "2020-10-01", + "name": "alz-prereq-deploymentscript", + "location": "[parameters('location')]", + "kind": "AzurePowerShell", + "identity": { + "type": "UserAssigned", + "userAssignedIdentities": { + "[resourceId(parameters('managementSubscriptionId'),parameters('resourceGroupName'),'Microsoft.ManagedIdentity/userAssignedIdentities', 'uai-alz-prereq')]": {} + } + }, + "properties": { + "azPowerShellVersion": "12.3", + "retentionInterval": "PT1H", + "timeout": "PT2H", + "arguments": "[format('-eslzRootName \"{0}\"', parameters('eslzRootName'))]", + "scriptContent": " + param( + [Parameter(Mandatory=$true, HelpMessage=\"Enter the ESLZ root name.\")] + [string] + $eslzRootName + ) + + #API call to register the Microsoft.Network provider against intermediate resource group for AVNM + Invoke-AzRestMethod -Method POST -Uri \"https://management.azure.com/providers/Microsoft.Management/managementGroups/$eslzRootName/providers/Microsoft.Network/register?api-version=2021-04-01\" + + #Sleep for XX minutes to wait for Management Groups to load to cache before assignments + Start-Sleep -Duration (New-TimeSpan -Minutes 10) + + $result = \"\" + $count = 0 + + do { + $result = Invoke-AzRestMethod -Method POST -Uri \"https://management.azure.com/providers/Microsoft.Management/managementGroups/$eslzRootName/providers/Microsoft.Network/register?api-version=2021-04-01\" + $count++ + Start-Sleep -Seconds 30 + Write-Host 'MG RP Register - Status Code: ' $result.StatusCode ' Count: ' $count + } while ($result.StatusCode -ne 200 -and $count -lt 10) + + #Register all resource providers 
+ $subs = Search-AzGraph -Query \"ResourceContainers | where type =~ 'microsoft.resources/subscriptions'\" -ManagementGroup $eslzRootName + $rps = @('Microsoft.Insights','Microsoft.AlertsManagement','Microsoft.OperationalInsights','Microsoft.OperationsManagement','Microsoft.Automation','Microsoft.AlertsManagement','Microsoft.Security','Microsoft.Network','Microsoft.EventGrid','Microsoft.ManagedIdentity','Microsoft.GuestConfiguration','Microsoft.Advisor','Microsoft.PolicyInsights') + + foreach ($sub in $subs) { + Select-AzSubscription -SubscriptionId $sub.id + Write-Host 'Registering resource providers for subscription: ' $sub.id + Get-AzResourceProvider -ProviderNamespace $rps | where {$_.RegistrationState -ne \"Registered\"} | Register-AzResourceProvider + } + " + }, + "metadata": { + "description": "Create a Deployment Script resource to perform the prerequisites." + } + } + ], + "outputs": {} + } + } + } + ] } }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "location": { - "type": "string" - }, - "eslzRootName":{ - "type": "string" - }, - "userAssignedIdentityId": { - "type": "string" - } - }, - "resources": [ - { - "type": "Microsoft.Resources/deploymentScripts", - "apiVersion": "2020-10-01", - "name": "alz-prereq-deploymentscript", - "location": "[parameters('location')]", - "kind": "AzurePowerShell", - "identity": { - "type": "UserAssigned", - "userAssignedIdentities": { - "[format('{0}', parameters('userAssignedIdentityId'))]": {} - } - }, - "properties": { - "azPowerShellVersion": "12.3", - "retentionInterval": "PT1H", - "timeout": "PT2H", - "arguments": "[format('-eslzRootName \"{0}\"', parameters('eslzRootName'))]", - "scriptContent": " - param( - [Parameter(Mandatory=$true, HelpMessage=\"Enter the ESLZ root name.\")] - [string] - $eslzRootName - ) - - #API call to register the Microsoft.Network provider against intermediate resource group 
for AVNM - Invoke-AzRestMethod -Method POST -Uri \"https://management.azure.com/providers/Microsoft.Management/managementGroups/$eslzRootName/providers/Microsoft.Network/register?api-version=2021-04-01\" - - #Sleep for XX minutes to wait for Management Groups to load to cache before assignments - Start-Sleep -Duration (New-TimeSpan -Minutes 10) - - $result = \"\" - $count = 0 - - do { - $result = Invoke-AzRestMethod -Method POST -Uri \"https://management.azure.com/providers/Microsoft.Management/managementGroups/$eslzRootName/providers/Microsoft.Network/register?api-version=2021-04-01\" - $count++ - Start-Sleep -Seconds 30 - Write-Host 'MG RP Register - Status Code: ' $result.StatusCode ' Count: ' $count - } while ($result.StatusCode -ne 200 -and $count -lt 10) - - #Register all resource providers - $subs = Search-AzGraph -Query \"ResourceContainers | where type =~ 'microsoft.resources/subscriptions'\" -ManagementGroup $eslzRootName - $rps = @('Microsoft.Insights','Microsoft.AlertsManagement','Microsoft.OperationalInsights','Microsoft.OperationsManagement','Microsoft.Automation','Microsoft.AlertsManagement','Microsoft.Security','Microsoft.Network','Microsoft.EventGrid','Microsoft.ManagedIdentity','Microsoft.GuestConfiguration','Microsoft.Advisor','Microsoft.PolicyInsights') - - foreach ($sub in $subs) { - Select-AzSubscription -SubscriptionId $sub.id - Write-Host 'Registering resource providers for subscription: ' $sub.id - Get-AzResourceProvider -ProviderNamespace $rps | where {$_.RegistrationState -ne \"Registered\"} | Register-AzResourceProvider - } - " - }, - "metadata": { - "description": "Create a Deployment Script resource to perform the prerequisites." 
- } - } - ], - "outputs": {} - } - }, - "dependsOn": [ - "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('resourceGroupName')), 'Microsoft.Resources/deployments', 'alz-prerequisites-uai')]", - "[subscriptionResourceId('Microsoft.Resources/resourceGroups', parameters('resourceGroupName'))]" - ] - } - ], - "outputs": {} -} \ No newline at end of file + "dependsOn": [ + "alz-prerequisites-001", + "[guid(format('alz-prerequisites-002-{0}', parameters('location')))]", + "[format('/subscriptions/{0}/resourceGroups/{1}', parameters('managementSubscriptionId'), parameters('resourceGroupName'))]" + ] + } + ], + "outputs": {} + } \ No newline at end of file diff --git a/eslzArm/prerequisites/deployPrerequisites1.json b/eslzArm/prerequisites/deployPrerequisites1.json deleted file mode 100644 index b5a1b97d66..0000000000 --- a/eslzArm/prerequisites/deployPrerequisites1.json +++ /dev/null 
@@ -1,250 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "resourceGroupName": { - "type": "string", - "defaultValue": "rg-alz-prereqs", - "metadata": { - "description": "The resource group name where the AVNM resources will be created" - } - }, - "location": { - "type": "string", - "minLength": 6, - "metadata": { - "description": "The location of this AVNM instance. All resources will be deployed to this region." - } - }, - "eslzRootName": { - "type": "string", - "metadata": { - "description": "The name of the Enterprise Scale Landing Zone root resource." - } - }, - "managementSubscriptionId": { - "type": "string", - "metadata": { - "description": "The subscription ID of the management subscription." - } - } - }, - "resources": [ - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "alz-prerequisites-001", - "location": "[parameters('location')]", - "subscriptionId": "[parameters('managementSubscriptionId')]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [ - { - "type": "Microsoft.Resources/resourceGroups", - "apiVersion": "2022-09-01", - "name": "[parameters('resourceGroupName')]", - "location": "[parameters('location')]" - }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "alz-prerequisites-uai", - "resourceGroup": "[parameters('resourceGroupName')]", - "dependsOn": [ - "[format('/subscriptions/{0}/resourceGroups/{1}', parameters('managementSubscriptionId'), parameters('resourceGroupName'))]" - ], - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "location": { - "value": "[parameters('location')]" - }, - 
"managementSubscriptionId": { - "value": "[parameters('managementSubscriptionId')]" - }, - "resourceGroupName": { - "value": "[parameters('resourceGroupName')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "location": { - "type": "string" - }, - "managementSubscriptionId": { - "type": "string" - }, - "resourceGroupName": { - "type": "string" - } - }, - "variables": {}, - "resources": [ - { - "type": "Microsoft.ManagedIdentity/userAssignedIdentities", - "apiVersion": "2023-07-31-preview", - "name": "uai-alz-prereq", - "location": "[parameters('location')]" - } - ], - "outputs": { - "userAssignedIdentityId": { - "type": "string", - "value": "[resourceId(parameters('managementSubscriptionId'),parameters('resourceGroupName'),'Microsoft.ManagedIdentity/userAssignedIdentities', 'uai-alz-prereq')]" - } - } - } - } - } - ] - } - } - }, - { - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "name": "[guid(format('alz-prerequisites-002-{0}', parameters('location')))]", - "location": "[parameters('location')]", - "properties": { - "roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c", - "principalId": "[reference(resourceId(parameters('managementSubscriptionId'),parameters('resourceGroupName'),'Microsoft.ManagedIdentity/userAssignedIdentities', 'uai-alz-prereq'), '2023-07-31-preview').principalId]", - "principalType": "ServicePrincipal" - }, - "dependsOn": [ - "alz-prerequisites-001" - ] - }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "alz-prerequisites-003", - "location": "[parameters('location')]", - "subscriptionId": "[parameters('managementSubscriptionId')]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": 
"https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [ - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "alz-prereq-ds", - "resourceGroup": "[parameters('resourceGroupName')]", - "dependsOn": [], - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "location": { - "value": "[parameters('location')]" - }, - "eslzRootName": { - "value": "[parameters('eslzRootName')]" - }, - "managementSubscriptionId": { - "value": "[parameters('managementSubscriptionId')]" - }, - "resourceGroupName": { - "value": "[parameters('resourceGroupName')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "location": { - "type": "string" - }, - "eslzRootName":{ - "type": "string" - }, - "managementSubscriptionId": { - "type": "string" - }, - "resourceGroupName": { - "type": "string" - } - }, - "resources": [ - { - "type": "Microsoft.Resources/deploymentScripts", - "apiVersion": "2020-10-01", - "name": "alz-prereq-deploymentscript", - "location": "[parameters('location')]", - "kind": "AzurePowerShell", - "identity": { - "type": "UserAssigned", - "userAssignedIdentities": { - "[resourceId(parameters('managementSubscriptionId'),parameters('resourceGroupName'),'Microsoft.ManagedIdentity/userAssignedIdentities', 'uai-alz-prereq')]": {} - } - }, - "properties": { - "azPowerShellVersion": "12.3", - "retentionInterval": "PT1H", - "timeout": "PT2H", - "arguments": "[format('-eslzRootName \"{0}\"', parameters('eslzRootName'))]", - "scriptContent": " - param( - [Parameter(Mandatory=$true, HelpMessage=\"Enter the ESLZ root name.\")] - [string] - $eslzRootName - ) - - #API call to register the Microsoft.Network provider against intermediate resource group for AVNM - Invoke-AzRestMethod 
-Method POST -Uri \"https://management.azure.com/providers/Microsoft.Management/managementGroups/$eslzRootName/providers/Microsoft.Network/register?api-version=2021-04-01\" - - #Sleep for XX minutes to wait for Management Groups to load to cache before assignments - Start-Sleep -Duration (New-TimeSpan -Minutes 10) - - $result = \"\" - $count = 0 - - do { - $result = Invoke-AzRestMethod -Method POST -Uri \"https://management.azure.com/providers/Microsoft.Management/managementGroups/$eslzRootName/providers/Microsoft.Network/register?api-version=2021-04-01\" - $count++ - Start-Sleep -Seconds 30 - Write-Host 'MG RP Register - Status Code: ' $result.StatusCode ' Count: ' $count - } while ($result.StatusCode -ne 200 -and $count -lt 10) - - #Register all resource providers - $subs = Search-AzGraph -Query \"ResourceContainers | where type =~ 'microsoft.resources/subscriptions'\" -ManagementGroup $eslzRootName - $rps = @('Microsoft.Insights','Microsoft.AlertsManagement','Microsoft.OperationalInsights','Microsoft.OperationsManagement','Microsoft.Automation','Microsoft.AlertsManagement','Microsoft.Security','Microsoft.Network','Microsoft.EventGrid','Microsoft.ManagedIdentity','Microsoft.GuestConfiguration','Microsoft.Advisor','Microsoft.PolicyInsights') - - foreach ($sub in $subs) { - Select-AzSubscription -SubscriptionId $sub.id - Write-Host 'Registering resource providers for subscription: ' $sub.id - Get-AzResourceProvider -ProviderNamespace $rps | where {$_.RegistrationState -ne \"Registered\"} | Register-AzResourceProvider - } - " - }, - "metadata": { - "description": "Create a Deployment Script resource to perform the prerequisites." - } - } - ], - "outputs": {} - } - } - } - ] - } - }, - "dependsOn": [ - "alz-prerequisites-001", - "[guid(format('alz-prerequisites-002-{0}', parameters('location')))]" - ] - } - ], - "outputs": {} - } \ No newline at end of file 
diff --git a/eslzArm/prerequisites/deployPrerequisites2.json b/eslzArm/prerequisites/deployPrerequisites2.json
new file mode 100644
index 0000000000..61435ea803
--- /dev/null
+++ b/eslzArm/prerequisites/deployPrerequisites2.json
@@ -0,0 +1,204 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceGroupName": { + "type": "string", + "defaultValue": "rg-alz-prereqs", + "metadata": { + "description": "The resource group name where the AVNM resources will be created" + } + }, + "location": { + "type": "string", + "minLength": 6, + "metadata": { + "description": "The location of this AVNM instance. All resources will be deployed to this region." + } + }, + "eslzRootName": { + "type": "string", + "metadata": { + "description": "The name of the Enterprise Scale Landing Zone root resource." + } + } + }, + "resources": [ + { + "type": "Microsoft.Resources/resourceGroups", + "apiVersion": "2022-09-01", + "name": "[parameters('resourceGroupName')]", + "location": "[parameters('location')]" + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "alz-prerequisites-uai", + "resourceGroup": "[parameters('resourceGroupName')]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "location": { + "value": "[parameters('location')]" + }, + "eslzRootName": { + "value": "[parameters('eslzRootName')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string" + }, + "eslzRootName": { + "type": "string" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.ManagedIdentity/userAssignedIdentities", + "apiVersion": "2022-01-31-preview", + "name": "[format('uai-prereq-{0}', parameters('location'))]", + "location": "[parameters('location')]", + "metadata": { + "description": "This user assigned identity is used by the Deployment Script resource to interact with Azure resources." 
+ } + }, + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "name": "[guid(resourceGroup().id, format('uai-prereq-{0}', parameters('location')))]", + "properties": { + "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-prereq-{0}', parameters('location'))), '2022-01-31-preview').principalId]", + "principalType": "ServicePrincipal" + }, + "dependsOn": [ + "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-prereq-{0}', parameters('location')))]" + ], + "metadata": { + "description": "This role assignment grants the user assigned identity the Contributor role on the resource group." + } + } + ], + "outputs": { + "userAssignedIdentityId": { + "type": "string", + "value": "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-prereq-{0}', parameters('location')))]" + } + } + } + }, + "dependsOn": [ + "[subscriptionResourceId('Microsoft.Resources/resourceGroups', parameters('resourceGroupName'))]" + ] + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('ds-{0}-prereqs', parameters('location'))]", + "resourceGroup": "[parameters('resourceGroupName')]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "location": { + "value": "[parameters('location')]" + }, + "userAssignedIdentityId": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('resourceGroupName')), 'Microsoft.Resources/deployments', 'alz-prerequisites-uai'), '2022-09-01').outputs.userAssignedIdentityId.value]" + }, + "eslzRootName": { + "value": "[parameters('eslzRootName')]" + } + }, + "template": { + "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string" + }, + "eslzRootName":{ + "type": "string" + }, + "userAssignedIdentityId": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.Resources/deploymentScripts", + "apiVersion": "2020-10-01", + "name": "alz-prereq-deploymentscript", + "location": "[parameters('location')]", + "kind": "AzurePowerShell", + "identity": { + "type": "UserAssigned", + "userAssignedIdentities": { + "[format('{0}', parameters('userAssignedIdentityId'))]": {} + } + }, + "properties": { + "azPowerShellVersion": "12.3", + "retentionInterval": "PT1H", + "timeout": "PT2H", + "arguments": "[format('-eslzRootName \"{0}\"', parameters('eslzRootName'))]", + "scriptContent": " + param( + [Parameter(Mandatory=$true, HelpMessage=\"Enter the ESLZ root name.\")] + [string] + $eslzRootName + ) + + #API call to register the Microsoft.Network provider against intermediate resource group for AVNM + Invoke-AzRestMethod -Method POST -Uri \"https://management.azure.com/providers/Microsoft.Management/managementGroups/$eslzRootName/providers/Microsoft.Network/register?api-version=2021-04-01\" + + #Sleep for XX minutes to wait for Management Groups to load to cache before assignments + Start-Sleep -Duration (New-TimeSpan -Minutes 10) + + $result = \"\" + $count = 0 + + do { + $result = Invoke-AzRestMethod -Method POST -Uri \"https://management.azure.com/providers/Microsoft.Management/managementGroups/$eslzRootName/providers/Microsoft.Network/register?api-version=2021-04-01\" + $count++ + Start-Sleep -Seconds 30 + Write-Host 'MG RP Register - Status Code: ' $result.StatusCode ' Count: ' $count + } while ($result.StatusCode -ne 200 -and $count -lt 10) + + #Register all resource providers + $subs = Search-AzGraph -Query \"ResourceContainers | where type =~ 'microsoft.resources/subscriptions'\" -ManagementGroup $eslzRootName + $rps = 
@('Microsoft.Insights','Microsoft.AlertsManagement','Microsoft.OperationalInsights','Microsoft.OperationsManagement','Microsoft.Automation','Microsoft.AlertsManagement','Microsoft.Security','Microsoft.Network','Microsoft.EventGrid','Microsoft.ManagedIdentity','Microsoft.GuestConfiguration','Microsoft.Advisor','Microsoft.PolicyInsights') + + foreach ($sub in $subs) { + Select-AzSubscription -SubscriptionId $sub.id + Write-Host 'Registering resource providers for subscription: ' $sub.id + Get-AzResourceProvider -ProviderNamespace $rps | where {$_.RegistrationState -ne \"Registered\"} | Register-AzResourceProvider + } + " + }, + "metadata": { + "description": "Create a Deployment Script resource to perform the prerequisites." + } + } + ], + "outputs": {} + } + }, + "dependsOn": [ + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('resourceGroupName')), 'Microsoft.Resources/deployments', 'alz-prerequisites-uai')]", + "[subscriptionResourceId('Microsoft.Resources/resourceGroups', parameters('resourceGroupName'))]" + ] + } + ], + "outputs": {} +} \ No newline at end of file diff --git a/eslzArm/subscriptionTemplates/avnmPolicy.json b/eslzArm/subscriptionTemplates/avnmPolicy.json index 9100d75b64..8e7bcde1c0 100644 --- a/eslzArm/subscriptionTemplates/avnmPolicy.json +++ b/eslzArm/subscriptionTemplates/avnmPolicy.json 
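Review bot: The role assignment in the alz-prerequisites-uai template grants the identity Contributor (`b24988ac-6180-42a0-ab88-20f7382dd24c`) on the resource group only, while the script in `scriptContent` registers `Microsoft.Network` at the `$eslzRootName` management group and then registers providers in every subscription Search-AzGraph returns under it — rights that resource-group scope does not confer, so those calls will most likely be refused unless this template is only ever nested under something that grants the identity elsewhere. Wherever the grant is made, a custom role limited to `*/register/action`, `Microsoft.Resources/subscriptions/read` and `Microsoft.ResourceGraph/resources/read` covers everything the script shown here does; Contributor is far more than it needs. The retry loop `} while ($result.StatusCode -ne 200 -and $count -lt 10)` exits silently after ten attempts, so the deploymentScript reports success even when registration never succeeded; add `if ($result.StatusCode -ne 200) { throw "Microsoft.Network registration failed: $($result.StatusCode)" }` after the loop. `Microsoft.AlertsManagement` appears twice in `$rps`, and `$sub.id` from Resource Graph is the full `/subscriptions/<id>` path, so check that `Select-AzSubscription -SubscriptionId` accepts it rather than the bare `subscriptionId` column.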
@@ -73,6 +73,19 @@ "metadata": { "description": "Assigns above policy for dynamic group membership" } + }, + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2019-04-01-preview", + "name": "role-AVNM-NetworkGroup", + "dependsOn": [ + "[uniqueString(variables('networkGroupId'))]" + ], + "properties": { + "principalType": "ServicePrincipal", + "roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7", + "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', uniqueString(variables('networkGroupId'))), '2019-09-01', 'Full' ).identity.principalId)]" + } } ], From 238e3f55b979617c6b246a4d0e6091b3b0eaa050 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Tue, 10 Dec 2024 17:58:12 +0400 Subject: [PATCH 181/226] . --- eslzArm/subscriptionTemplates/avnmPolicy.json | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/eslzArm/subscriptionTemplates/avnmPolicy.json b/eslzArm/subscriptionTemplates/avnmPolicy.json index 8e7bcde1c0..2110128f33 100644 --- a/eslzArm/subscriptionTemplates/avnmPolicy.json +++ b/eslzArm/subscriptionTemplates/avnmPolicy.json @@ -31,7 +31,7 @@ { "type": "Microsoft.Authorization/policyDefinitions", "apiVersion": "2023-04-01", - "name": "[uniqueString(variables('networkGroupId'))]", + "name": "AVNM-dynamic-group-membership", "properties": { "description": "AVNM dynamic group membership Policy", "displayName": "AVNM dynamic group membership Policy", 
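Review bot: The role assignment added here is named `role-AVNM-NetworkGroup`, but `Microsoft.Authorization/roleAssignments` names must be GUIDs, and its `dependsOn` entry `[uniqueString(variables('networkGroupId'))]` is ambiguous because the policy definition (see the `@@ -31,7 +31,7 @@` hunk that follows) and the policy assignment both carry that name at this point in the series. Later commits in this series rename both resources, so what remains to settle is scope: Network Contributor (`4d97b98b-1d4f-4787-a291-c67834d212e7`) is granted to the assignment's identity at management-group level, and if the definition uses the `addToNetworkGroup` effect it performs no remediation at all, in which case neither the identity nor this role assignment is needed — confirm what the definition does before granting the role. `2019-04-01-preview` is also older than the `2022-04-01` apiVersion used for role assignments elsewhere in this series.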
@@ -65,10 +65,10 @@ "description": "AVNM dynamic group membership Policy", "displayName": "AVNM dynamic group membership Policy", "enforcementMode": "Default", - "policyDefinitionId": "[managementGroupResourceId('Microsoft.Authorization/policyDefinitions', uniqueString(variables('networkGroupId')))]" + "policyDefinitionId": "[managementGroupResourceId('Microsoft.Authorization/policyDefinitions', 'AVNM-dynamic-group-membership')]" }, "dependsOn": [ - "[format('Microsoft.Authorization/policyDefinitions/{0}', uniqueString(variables('networkGroupId')))]" + "[format('Microsoft.Authorization/policyDefinitions/{0}', 'AVNM-dynamic-group-membership')]" ], "metadata": { "description": "Assigns above policy for dynamic group membership" @@ -79,7 +79,8 @@ "apiVersion": "2019-04-01-preview", "name": "role-AVNM-NetworkGroup", "dependsOn": [ - "[uniqueString(variables('networkGroupId'))]" + "[uniqueString(variables('networkGroupId'))]", + "[format('Microsoft.Authorization/policyDefinitions/{0}', 'AVNM-dynamic-group-membership')]" ], "properties": { "principalType": "ServicePrincipal", From ef3d9618cbaf85e25c5d6b4213dc78c1d0be92d3 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Tue, 10 Dec 2024 18:05:12 +0400 Subject: [PATCH 182/226] . --- eslzArm/subscriptionTemplates/avnmPolicy.json | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/eslzArm/subscriptionTemplates/avnmPolicy.json b/eslzArm/subscriptionTemplates/avnmPolicy.json index 2110128f33..5202657a98 100644 --- a/eslzArm/subscriptionTemplates/avnmPolicy.json +++ b/eslzArm/subscriptionTemplates/avnmPolicy.json @@ -60,7 +60,7 @@ { "type": "Microsoft.Authorization/policyAssignments", "apiVersion": "2023-04-01", - "name": "[uniqueString(variables('networkGroupId'))]", + "name": "Configure-AVNM-dynamic-group-membership", "properties": { "description": "AVNM dynamic group membership Policy", "displayName": "AVNM dynamic group membership Policy", 
@@ -76,10 +76,10 @@ }, { "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2019-04-01-preview", - "name": "role-AVNM-NetworkGroup", + "apiVersion": "2023-04-01", + "name": "[guid(concat(parameters('topLevelManagementGroupPrefix'), 'Configure-AVNM-dynamic-group-membership'))]", "dependsOn": [ - "[uniqueString(variables('networkGroupId'))]", + "Configure-AVNM-dynamic-group-membership", "[format('Microsoft.Authorization/policyDefinitions/{0}', 'AVNM-dynamic-group-membership')]" ], "properties": { From 8e580b19e589697253655a4f0075bba060237774 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Tue, 10 Dec 2024 18:14:19 +0400 Subject: [PATCH 183/226] . --- eslzArm/subscriptionTemplates/avnmPolicy.json | 19 +++++++++---------- 1 file changed, 9 insertions(+), 10 deletions(-) diff --git a/eslzArm/subscriptionTemplates/avnmPolicy.json b/eslzArm/subscriptionTemplates/avnmPolicy.json index 5202657a98..f5d5b19b63 100644 --- a/eslzArm/subscriptionTemplates/avnmPolicy.json +++ b/eslzArm/subscriptionTemplates/avnmPolicy.json @@ -31,7 +31,7 @@ { "type": "Microsoft.Authorization/policyDefinitions", "apiVersion": "2023-04-01", - "name": "AVNM-dynamic-group-membership", + "name": "[uniqueString(variables('networkGroupId'))]", "properties": { "description": "AVNM dynamic group membership Policy", "displayName": "AVNM dynamic group membership Policy", 
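Review bot: `principalId` (just below this hunk, outside it) still resolves `policyAssignments/uniqueString(variables('networkGroupId'))`, while the `@@ -60,7 +60,7 @@` hunk of the same commit renames that policy assignment to `Configure-AVNM-dynamic-group-membership`, so at this commit the reference points at a resource the template no longer declares; the next commit's `@@ -77,18 +77,17 @@` hunk shows the line was indeed left unchanged here. Separately, I cannot confirm `2023-04-01` is a published apiVersion for `Microsoft.Authorization/roleAssignments`; `2022-04-01` is what deployPrerequisites2.json and test.bicep in this series use, and the later commits keep `2023-04-01`, so align on `2022-04-01` unless it has been verified.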
@@ -60,15 +60,15 @@ { "type": "Microsoft.Authorization/policyAssignments", "apiVersion": "2023-04-01", - "name": "Configure-AVNM-dynamic-group-membership", + "name": "[guid(concat(parameters('topLevelManagementGroupPrefix'), 'Configure-AVNM-dynamic-group-membership'))]", "properties": { "description": "AVNM dynamic group membership Policy", "displayName": "AVNM dynamic group membership Policy", "enforcementMode": "Default", - "policyDefinitionId": "[managementGroupResourceId('Microsoft.Authorization/policyDefinitions', 'AVNM-dynamic-group-membership')]" + "policyDefinitionId": "[managementGroupResourceId('Microsoft.Authorization/policyDefinitions', uniqueString(variables('networkGroupId')))]" }, "dependsOn": [ - "[format('Microsoft.Authorization/policyDefinitions/{0}', 'AVNM-dynamic-group-membership')]" + "[format('Microsoft.Authorization/policyDefinitions/{0}', uniqueString(variables('networkGroupId')))]" ], "metadata": { "description": "Assigns above policy for dynamic group membership" 
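Review bot: `guid(concat(parameters('topLevelManagementGroupPrefix'), 'Configure-AVNM-dynamic-group-membership'))` produces a 36-character policy assignment name, and my understanding is that policy assignment names at management-group scope are capped at 24 characters (64 at other scopes); avnmPolicy.json's use of `managementGroupResourceId` suggests it is MG-scoped, so verify this before relying on it. The 13-character `uniqueString(variables('networkGroupId'))` it replaces stayed within that limit, and the same guid is reused for the `principalId` lookup and `dependsOn` in the `@@ -77,18 +77,17 @@` hunk, so all three sites must change together if the name is shortened.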
@@ -77,18 +77,17 @@ { "type": "Microsoft.Authorization/roleAssignments", "apiVersion": "2023-04-01", - "name": "[guid(concat(parameters('topLevelManagementGroupPrefix'), 'Configure-AVNM-dynamic-group-membership'))]", + "name": "[guid(concat(parameters('topLevelManagementGroupPrefix'), 'Configure-AVNM-role'))]", "dependsOn": [ - "Configure-AVNM-dynamic-group-membership", - "[format('Microsoft.Authorization/policyDefinitions/{0}', 'AVNM-dynamic-group-membership')]" + "[format('Microsoft.Authorization/policyDefinitions/{0}', uniqueString(variables('networkGroupId')))]", + "[guid(concat(parameters('topLevelManagementGroupPrefix'), 'Configure-AVNM-dynamic-group-membership'))]" ], "properties": { "principalType": "ServicePrincipal", "roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7", - "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', uniqueString(variables('networkGroupId'))), '2019-09-01', 'Full' ).identity.principalId)]" + "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', guid(concat(parameters('topLevelManagementGroupPrefix'), 'Configure-AVNM-dynamic-group-membership'))), '2019-09-01', 'Full' ).identity.principalId)]" } - } - + } ], "outputs": {} } \ No newline at end of file From e7f4f631fd1a7ad22eb89b384b43335330805db4 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Wed, 11 Dec 2024 11:58:56 +0400 Subject: [PATCH 184/226] Fix? --- eslzArm/prerequisites/deployPrerequisites.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/eslzArm/prerequisites/deployPrerequisites.json b/eslzArm/prerequisites/deployPrerequisites.json index ca6cf49232..309f348325 100644 --- a/eslzArm/prerequisites/deployPrerequisites.json +++ b/eslzArm/prerequisites/deployPrerequisites.json 
@@ -243,7 +243,7 @@ }, "dependsOn": [ "alz-prerequisites-001", - "[guid(format('alz-prerequisites-002-{0}', parameters('location')))]", + "[guid(format('alz-prerequisites-{0}-{1}', parameters('eslzRootName'), parameters('location')))]", "[format('/subscriptions/{0}/resourceGroups/{1}', parameters('managementSubscriptionId'), parameters('resourceGroupName'))]" ] } From 27c8a2789ba571ed3702a9312b4f2a880dc7edc7 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Wed, 11 Dec 2024 12:01:07 +0400 Subject: [PATCH 185/226] . --- eslzArm/prerequisites/deployPrerequisites.json | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/eslzArm/prerequisites/deployPrerequisites.json b/eslzArm/prerequisites/deployPrerequisites.json index 309f348325..7a5fc64d34 100644 --- a/eslzArm/prerequisites/deployPrerequisites.json +++ b/eslzArm/prerequisites/deployPrerequisites.json @@ -243,8 +243,7 @@ }, "dependsOn": [ "alz-prerequisites-001", - "[guid(format('alz-prerequisites-{0}-{1}', parameters('eslzRootName'), parameters('location')))]", - "[format('/subscriptions/{0}/resourceGroups/{1}', parameters('managementSubscriptionId'), parameters('resourceGroupName'))]" + "[guid(format('alz-prerequisites-{0}-{1}', parameters('eslzRootName'), parameters('location')))]" ] } ], From 82ea37a3d0bc81dd23ac4250c685235319b8462d Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Wed, 11 Dec 2024 12:03:40 +0400 Subject: [PATCH 186/226] . --- eslzArm/prerequisites/deployPrerequisites.json | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/eslzArm/prerequisites/deployPrerequisites.json b/eslzArm/prerequisites/deployPrerequisites.json index 7a5fc64d34..f837c47734 100644 --- a/eslzArm/prerequisites/deployPrerequisites.json +++ b/eslzArm/prerequisites/deployPrerequisites.json 
@@ -119,8 +119,7 @@ "principalType": "ServicePrincipal" }, "dependsOn": [ - "alz-prerequisites-001", - "[format('/subscriptions/{0}/resourceGroups/{1}', parameters('managementSubscriptionId'), parameters('resourceGroupName'))]" + "alz-prerequisites-001" ] }, { From 6a54480f7a72d7df58bfb4923c3509176ed429a9 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Wed, 11 Dec 2024 12:26:24 +0400 Subject: [PATCH 187/226] . --- eslzArm/prerequisites/deployPrerequisites.json | 3 ++- eslzArm/subscriptionTemplates/avnmPolicy.json | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/eslzArm/prerequisites/deployPrerequisites.json b/eslzArm/prerequisites/deployPrerequisites.json index f837c47734..7a5fc64d34 100644 --- a/eslzArm/prerequisites/deployPrerequisites.json +++ b/eslzArm/prerequisites/deployPrerequisites.json @@ -119,7 +119,8 @@ "principalType": "ServicePrincipal" }, "dependsOn": [ - "alz-prerequisites-001" + "alz-prerequisites-001", + "[format('/subscriptions/{0}/resourceGroups/{1}', parameters('managementSubscriptionId'), parameters('resourceGroupName'))]" ] }, { diff --git a/eslzArm/subscriptionTemplates/avnmPolicy.json b/eslzArm/subscriptionTemplates/avnmPolicy.json index f5d5b19b63..f0ca549bf8 100644 --- a/eslzArm/subscriptionTemplates/avnmPolicy.json +++ b/eslzArm/subscriptionTemplates/avnmPolicy.json @@ -54,7 +54,7 @@ } }, "metadata": { - "description": "This is a Policy definition for dyanamic group membership" + "description": "This is a Policy definition for dynamic group membership" } }, { From f3d38f422dbeb977d31dee6f55939afbb43b8ab4 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Wed, 11 Dec 2024 12:28:59 +0400 Subject: [PATCH 188/226] . --- eslzArm/prerequisites/deployPrerequisites.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/eslzArm/prerequisites/deployPrerequisites.json b/eslzArm/prerequisites/deployPrerequisites.json index 7a5fc64d34..540114c87e 100644 --- a/eslzArm/prerequisites/deployPrerequisites.json 
+++ b/eslzArm/prerequisites/deployPrerequisites.json @@ -120,7 +120,7 @@ }, "dependsOn": [ "alz-prerequisites-001", - "[format('/subscriptions/{0}/resourceGroups/{1}', parameters('managementSubscriptionId'), parameters('resourceGroupName'))]" + "[resourceId(parameters('managementSubscriptionId'),parameters('resourceGroupName'),'Microsoft.ManagedIdentity/userAssignedIdentities', 'uai-alz-prereq')]" ] }, { From 1044a14ce832baeb75bcf0bf0369c0bfe9e91aea Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Wed, 11 Dec 2024 12:46:04 +0400 Subject: [PATCH 189/226] . --- eslzArm/prerequisites/deployPrerequisites.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/eslzArm/prerequisites/deployPrerequisites.json b/eslzArm/prerequisites/deployPrerequisites.json index 540114c87e..240d1da1cd 100644 --- a/eslzArm/prerequisites/deployPrerequisites.json +++ b/eslzArm/prerequisites/deployPrerequisites.json @@ -120,7 +120,7 @@ }, "dependsOn": [ "alz-prerequisites-001", - "[resourceId(parameters('managementSubscriptionId'),parameters('resourceGroupName'),'Microsoft.ManagedIdentity/userAssignedIdentities', 'uai-alz-prereq')]" + "[subscriptionResourceId('Microsoft.Resources/resourceGroups', parameters('resourceGroupName'))]" ] }, { From d689b9339fa30bf687af5e48eb869934daedea99 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Wed, 11 Dec 2024 12:48:36 +0400 Subject: [PATCH 190/226] . --- eslzArm/prerequisites/deployPrerequisites.json | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/eslzArm/prerequisites/deployPrerequisites.json b/eslzArm/prerequisites/deployPrerequisites.json index 240d1da1cd..f837c47734 100644 --- a/eslzArm/prerequisites/deployPrerequisites.json +++ b/eslzArm/prerequisites/deployPrerequisites.json @@ -119,8 +119,7 @@ "principalType": "ServicePrincipal" }, "dependsOn": [ - "alz-prerequisites-001", - "[subscriptionResourceId('Microsoft.Resources/resourceGroups', parameters('resourceGroupName'))]" + "alz-prerequisites-001" ] }, { 
From 4a67b2b2735301e90eac296d2c28519d2bdc9b35 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Wed, 11 Dec 2024 12:52:53 +0400 Subject: [PATCH 191/226] . --- eslzArm/prerequisites/deployPrerequisites.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/eslzArm/prerequisites/deployPrerequisites.json b/eslzArm/prerequisites/deployPrerequisites.json index f837c47734..dd1b73f640 100644 --- a/eslzArm/prerequisites/deployPrerequisites.json +++ b/eslzArm/prerequisites/deployPrerequisites.json @@ -125,7 +125,7 @@ { "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", - "name": "alz-prerequisites-003", + "name": "alz-prerequisites-002", "location": "[parameters('location')]", "subscriptionId": "[parameters('managementSubscriptionId')]", "properties": { From 9e06d9cdc6983e2c8499e65b01161ea1903c2ae8 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Wed, 11 Dec 2024 14:20:39 +0400 Subject: [PATCH 192/226] Before Cleanup Co-authored-by: Jack Tracey --- .../prerequisites/deployPrerequisites.json | 118 +++++++++----- .../deployPrerequisites.parameters.json | 18 +++ eslzArm/prerequisites/rg.bicep | 19 +++ eslzArm/prerequisites/test.bicep | 22 +++ eslzArm/prerequisites/test.json | 146 ++++++++++++++++++ eslzArm/prerequisites/uai.bicep | 9 ++ 6 files changed, 293 insertions(+), 39 deletions(-) create mode 100644 eslzArm/prerequisites/deployPrerequisites.parameters.json create mode 100644 eslzArm/prerequisites/rg.bicep create mode 100644 eslzArm/prerequisites/test.bicep create mode 100644 eslzArm/prerequisites/test.json create mode 100644 eslzArm/prerequisites/uai.bicep diff --git a/eslzArm/prerequisites/deployPrerequisites.json b/eslzArm/prerequisites/deployPrerequisites.json index dd1b73f640..d229418d2e 100644 --- a/eslzArm/prerequisites/deployPrerequisites.json +++ b/eslzArm/prerequisites/deployPrerequisites.json 
@@ -37,10 +37,35 @@
 "location": "[parameters('location')]",
 "subscriptionId": "[parameters('managementSubscriptionId')]",
 "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
 "mode": "Incremental",
+ "parameters": {
+ "location": {
+ "value": "[parameters('location')]"
+ },
+ "managementSubscriptionId": {
+ "value": "[parameters('managementSubscriptionId')]"
+ },
+ "resourceGroupName": {
+ "value": "[parameters('resourceGroupName')]"
+ }
+ },
 "template": {
 "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
 "contentVersion": "1.0.0.0",
+ "parameters": {
+ "location": {
+ "type": "string"
+ },
+ "managementSubscriptionId": {
+ "type": "string"
+ },
+ "resourceGroupName": {
+ "type": "string"
+ }
+ },
 "resources": [
 {
 "type": "Microsoft.Resources/resourceGroups",
@@ -54,57 +79,72 @@ "name": "alz-prerequisites-uai", "resourceGroup": "[parameters('resourceGroupName')]", "dependsOn": [ - "[format('/subscriptions/{0}/resourceGroups/{1}', parameters('managementSubscriptionId'), parameters('resourceGroupName'))]" + "[subscriptionResourceId('Microsoft.Resources/resourceGroups', parameters('resourceGroupName'))]" ], "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "location": { - "value": "[parameters('location')]" - }, - "managementSubscriptionId": { - "value": "[parameters('managementSubscriptionId')]" + "expressionEvaluationOptions": { + "scope": "inner" }, - "resourceGroupName": { - "value": "[parameters('resourceGroupName')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", + "mode": "Incremental", "parameters": { "location": { - "type": "string" + "value": "[parameters('location')]" }, "managementSubscriptionId": { - "type": "string" + "value": "[parameters('managementSubscriptionId')]" }, "resourceGroupName": { - "type": "string" + "value": "[parameters('resourceGroupName')]" } }, - "variables": {}, - "resources": [ - { - "type": "Microsoft.ManagedIdentity/userAssignedIdentities", - "apiVersion": "2023-07-31-preview", - "name": "uai-alz-prereq", - "location": "[parameters('location')]" - } - ], - "outputs": { - "userAssignedIdentityId": { - "type": "string", - "value": "[resourceId(parameters('managementSubscriptionId'),parameters('resourceGroupName'),'Microsoft.ManagedIdentity/userAssignedIdentities', 'uai-alz-prereq')]" + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string" + }, + "managementSubscriptionId": { + "type": "string" + }, + "resourceGroupName": { + "type": "string" + } + }, + "variables": {}, + 
"resources": [ + { + "type": "Microsoft.ManagedIdentity/userAssignedIdentities", + "apiVersion": "2023-07-31-preview", + "name": "uai-alz-prereq", + "location": "[parameters('location')]" + } + ], + "outputs": { + "userAssignedIdentityId": { + "type": "string", + "value": "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'uai-alz-prereq')]" + }, + "uaiPrincipalId": { + "type": "string", + "value": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'uai-alz-prereq'), '2023-07-31-preview').principalId]" + } } } } - } } - ] + ], + "outputs": { + "userAssignedIdentityId": { + "type": "string", + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('resourceGroupName')), 'Microsoft.Resources/deployments', 'alz-prerequisites-uai'), '2022-09-01').outputs.userAssignedIdentityId.value]" + }, + "uaiPrincipalId": { + "type": "string", + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('resourceGroupName')), 'Microsoft.Resources/deployments', 'alz-prerequisites-uai'), '2022-09-01').outputs.uaiPrincipalId.value]" + } + } + } } }, 
@@ -115,11 +155,11 @@
 "location": "[parameters('location')]",
 "properties": {
 "roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
- "principalId": "[reference(resourceId(parameters('managementSubscriptionId'),parameters('resourceGroupName'),'Microsoft.ManagedIdentity/userAssignedIdentities', 'uai-alz-prereq'), '2023-07-31-preview').principalId]",
+ "principalId": "[reference(subscriptionResourceId(parameters('managementSubscriptionId'), 'Microsoft.Resources/deployments', 'alz-prerequisites-001'), '2022-09-01').outputs.uaiPrincipalId.value]",
 "principalType": "ServicePrincipal"
 },
 "dependsOn": [
- "alz-prerequisites-001"
+ "[subscriptionResourceId(parameters('managementSubscriptionId'), 'Microsoft.Resources/deployments', 'alz-prerequisites-001')]"
 ]
 },
 {
@@ -186,7 +226,7 @@
 "identity": {
 "type": "UserAssigned",
 "userAssignedIdentities": {
- "[resourceId(parameters('managementSubscriptionId'),parameters('resourceGroupName'),'Microsoft.ManagedIdentity/userAssignedIdentities', 'uai-alz-prereq')]": {}
+ "[reference(subscriptionResourceId(parameters('managementSubscriptionId'), 'Microsoft.Resources/deployments', 'alz-prerequisites-001'), '2022-09-01').outputs.userAssignedIdentityId.value]": {}
 }
 },
 "properties": {
diff --git a/eslzArm/prerequisites/deployPrerequisites.parameters.json b/eslzArm/prerequisites/deployPrerequisites.parameters.json
new file mode 100644
index 0000000000..2c16e0e02a
--- /dev/null
+++ b/eslzArm/prerequisites/deployPrerequisites.parameters.json
@@ -0,0 +1,18 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceGroupName": { + "value": "rg-alz-prereqs" + }, + "location": { + "value": "uksouth" // TODO: Fill in parameter value + }, + "eslzRootName": { + "value": "ALZ1" // TODO: Fill in parameter value + }, + "managementSubscriptionId": { + "value": "0f808fc8-eaf7-4731-bf31-8a318dcde228" // TODO: Fill in parameter value + } + } +} \ No newline at end of file diff --git a/eslzArm/prerequisites/rg.bicep b/eslzArm/prerequisites/rg.bicep new file mode 100644 index 0000000000..53a64df26c --- /dev/null +++ b/eslzArm/prerequisites/rg.bicep @@ -0,0 +1,19 @@ +targetScope = 'subscription' + +param location string + +resource rg 'Microsoft.Resources/resourceGroups@2024-07-01' = { + name: 'rg-alz-prereqs' + location: location +} + +module uaiDeployment 'uai.bicep' = { + scope: rg + name: 'uaiDeployment' + params: { + location: location + } +} + +output uaiResourceId string = uaiDeployment.outputs.uaiResourceId +output uaiPrincipalId string = uaiDeployment.outputs.uaiPrincipalId diff --git a/eslzArm/prerequisites/test.bicep b/eslzArm/prerequisites/test.bicep new file mode 100644 index 0000000000..7df9b896a4 --- /dev/null +++ b/eslzArm/prerequisites/test.bicep 
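Review bot: deployPrerequisites.parameters.json commits a concrete subscription id (`0f808fc8-eaf7-4731-bf31-8a318dcde228`) alongside values marked `// TODO: Fill in parameter value`, and the same id is the default for `managementSubscriptionId` in test.bicep and test.json in this commit; even for a "Before Cleanup" commit, environment-specific identifiers should not enter the repository — leave the value empty or use an obviously fake placeholder such as `00000000-0000-0000-0000-000000000000`, and keep real values in a git-ignored local parameters file. The `//` comments also make this file invalid for any strict JSON consumer in the pipeline, although ARM's own tooling tolerates them. rg.bicep hardcodes `name: 'rg-alz-prereqs'` while deployPrerequisites.json takes the name as `resourceGroupName`; a `param resourceGroupName string` would keep the two in step.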
@@ -0,0 +1,22 @@
+targetScope = 'managementGroup'
+
+param location string = 'uksouth'
+param eslzRootName string = 'ALZ1'
+param managementSubscriptionId string = '0f808fc8-eaf7-4731-bf31-8a318dcde228'
+
+module alzPreReqsDeploy 'rg.bicep' = {
+ scope: subscription(managementSubscriptionId)
+ name: 'alzPreReqsDeploy'
+ params: {
+ location: location
+ }
+}
+
+resource uaiRoleAsi 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+ name: guid(eslzRootName, managementSubscriptionId, location)
+ properties: {
+ principalId: alzPreReqsDeploy.outputs.uaiPrincipalId
+ roleDefinitionId: '/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c'
+ principalType: 'ServicePrincipal'
+ }
+}
diff --git a/eslzArm/prerequisites/test.json b/eslzArm/prerequisites/test.json
new file mode 100644
index 0000000000..38ddd571f0
--- /dev/null
+++ b/eslzArm/prerequisites/test.json
@@ -0,0 +1,146 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.32.4.45862", + "templateHash": "4591170525781576280" + } + }, + "parameters": { + "location": { + "type": "string", + "defaultValue": "uksouth" + }, + "eslzRootName": { + "type": "string", + "defaultValue": "ALZ1" + }, + "managementSubscriptionId": { + "type": "string", + "defaultValue": "0f808fc8-eaf7-4731-bf31-8a318dcde228" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "name": "[guid(parameters('eslzRootName'), parameters('managementSubscriptionId'), parameters('location'))]", + "properties": { + "principalId": "[reference(subscriptionResourceId(parameters('managementSubscriptionId'), 'Microsoft.Resources/deployments', 'alzPreReqsDeploy'), '2022-09-01').outputs.uaiPrincipalId.value]", + "roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c", + "principalType": "ServicePrincipal" + }, + "dependsOn": [ + "[subscriptionResourceId(parameters('managementSubscriptionId'), 'Microsoft.Resources/deployments', 'alzPreReqsDeploy')]" + ] + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "alzPreReqsDeploy", + "subscriptionId": "[parameters('managementSubscriptionId')]", + "location": "[deployment().location]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "location": { + "value": "[parameters('location')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.32.4.45862", + "templateHash": "5158946764779715563" + } + }, + 
"parameters": { + "location": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.Resources/resourceGroups", + "apiVersion": "2024-07-01", + "name": "rg-alz-prereqs", + "location": "[parameters('location')]" + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "uaiDeployment", + "resourceGroup": "rg-alz-prereqs", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "location": { + "value": "[parameters('location')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.32.4.45862", + "templateHash": "8078331262112599049" + } + }, + "parameters": { + "location": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.ManagedIdentity/userAssignedIdentities", + "apiVersion": "2023-07-31-preview", + "name": "uai-alz-prereq", + "location": "[parameters('location')]" + } + ], + "outputs": { + "uaiResourceId": { + "type": "string", + "value": "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'uai-alz-prereq')]" + }, + "uaiPrincipalId": { + "type": "string", + "value": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'uai-alz-prereq'), '2023-07-31-preview').principalId]" + } + } + } + }, + "dependsOn": [ + "[subscriptionResourceId('Microsoft.Resources/resourceGroups', 'rg-alz-prereqs')]" + ] + } + ], + "outputs": { + "uaiResourceId": { + "type": "string", + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, 'rg-alz-prereqs'), 'Microsoft.Resources/deployments', 'uaiDeployment'), '2022-09-01').outputs.uaiResourceId.value]" + }, + "uaiPrincipalId": { + "type": "string", + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', 
subscription().subscriptionId, 'rg-alz-prereqs'), 'Microsoft.Resources/deployments', 'uaiDeployment'), '2022-09-01').outputs.uaiPrincipalId.value]" + } + } + } + } + } + ] +} \ No newline at end of file diff --git a/eslzArm/prerequisites/uai.bicep b/eslzArm/prerequisites/uai.bicep new file mode 100644 index 0000000000..d30a833e2d --- /dev/null +++ b/eslzArm/prerequisites/uai.bicep @@ -0,0 +1,9 @@ +param location string + +resource uai 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-07-31-preview' = { + name: 'uai-alz-prereq' + location: location +} + +output uaiResourceId string = uai.id +output uaiPrincipalId string = uai.properties.principalId From 007d8e0e2ea8a3284cb21428ff056d98d56f90de Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Wed, 11 Dec 2024 15:43:35 +0400 Subject: [PATCH 193/226] . --- eslzArm/eslzArm.json | 2 +- .../deployPrerequisites.parameters.json | 18 --- eslzArm/prerequisites/rg.bicep | 19 --- eslzArm/prerequisites/test.bicep | 22 --- eslzArm/prerequisites/test.json | 146 ------------------ eslzArm/prerequisites/uai.bicep | 9 -- eslzArm/subscriptionTemplates/avnmPolicy.json | 6 +- 7 files changed, 6 insertions(+), 216 deletions(-) delete mode 100644 eslzArm/prerequisites/deployPrerequisites.parameters.json delete mode 100644 eslzArm/prerequisites/rg.bicep delete mode 100644 eslzArm/prerequisites/test.bicep delete mode 100644 eslzArm/prerequisites/test.json delete mode 100644 eslzArm/prerequisites/uai.bicep diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json index e936239702..c0fb7b90ca 100644 --- a/eslzArm/eslzArm.json +++ b/eslzArm/eslzArm.json 
@@ -5249,7 +5249,7 @@
 "apiVersion": "2019-10-01",
 "name": "[variables('deploymentNames').avnmPolicyDeploymentName]",
 "location": "[deployment().location]",
- "scope": "[concat('Microsoft.Management/managementGroups/', parameters('enterpriseScaleCompanyPrefix'))]",
+ "scope": "[variables('scopes').eslzRootManagementGroup]",
 "dependsOn": [
 "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').avnmConnectivityHubDeploymentName)]"
 ],
diff --git a/eslzArm/prerequisites/deployPrerequisites.parameters.json b/eslzArm/prerequisites/deployPrerequisites.parameters.json
deleted file mode 100644
index 2c16e0e02a..0000000000
--- a/eslzArm/prerequisites/deployPrerequisites.parameters.json
+++ /dev/null
@@ -1,18 +0,0 @@
-{
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- "resourceGroupName": {
- "value": "rg-alz-prereqs"
- },
- "location": {
- "value": "uksouth" // TODO: Fill in parameter value
- },
- "eslzRootName": {
- "value": "ALZ1" // TODO: Fill in parameter value
- },
- "managementSubscriptionId": {
- "value": "0f808fc8-eaf7-4731-bf31-8a318dcde228" // TODO: Fill in parameter value
- }
- }
-}
\ No newline at end of file
diff --git a/eslzArm/prerequisites/rg.bicep b/eslzArm/prerequisites/rg.bicep
deleted file mode 100644
index 53a64df26c..0000000000
--- a/eslzArm/prerequisites/rg.bicep
+++ /dev/null
@@ -1,19 +0,0 @@
-targetScope = 'subscription'
-
-param location string
-
-resource rg 'Microsoft.Resources/resourceGroups@2024-07-01' = {
- name: 'rg-alz-prereqs'
- location: location
-}
-
-module uaiDeployment 'uai.bicep' = {
- scope: rg
- name: 'uaiDeployment'
- params: {
- location: location
- }
-}
-
-output uaiResourceId string = uaiDeployment.outputs.uaiResourceId
-output uaiPrincipalId string = uaiDeployment.outputs.uaiPrincipalId
diff --git a/eslzArm/prerequisites/test.bicep b/eslzArm/prerequisites/test.bicep deleted file mode 100644 index 7df9b896a4..0000000000 --- a/eslzArm/prerequisites/test.bicep +++ /dev/null @@ -1,22 +0,0 @@ -targetScope = 'managementGroup' - -param location string = 'uksouth' -param eslzRootName string = 'ALZ1' -param managementSubscriptionId string = '0f808fc8-eaf7-4731-bf31-8a318dcde228' - -module alzPreReqsDeploy 'rg.bicep' = { - scope: subscription(managementSubscriptionId) - name: 'alzPreReqsDeploy' - params: { - location: location - } -} - -resource uaiRoleAsi 'Microsoft.Authorization/roleAssignments@2022-04-01' = { - name: guid(eslzRootName, managementSubscriptionId, location) - properties: { - principalId: alzPreReqsDeploy.outputs.uaiPrincipalId - roleDefinitionId: '/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c' - principalType: 'ServicePrincipal' - } -} diff --git a/eslzArm/prerequisites/test.json b/eslzArm/prerequisites/test.json deleted file mode 100644 index 38ddd571f0..0000000000 --- a/eslzArm/prerequisites/test.json +++ /dev/null 
@@ -1,146 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.32.4.45862", - "templateHash": "4591170525781576280" - } - }, - "parameters": { - "location": { - "type": "string", - "defaultValue": "uksouth" - }, - "eslzRootName": { - "type": "string", - "defaultValue": "ALZ1" - }, - "managementSubscriptionId": { - "type": "string", - "defaultValue": "0f808fc8-eaf7-4731-bf31-8a318dcde228" - } - }, - "resources": [ - { - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "name": "[guid(parameters('eslzRootName'), parameters('managementSubscriptionId'), parameters('location'))]", - "properties": { - "principalId": "[reference(subscriptionResourceId(parameters('managementSubscriptionId'), 'Microsoft.Resources/deployments', 'alzPreReqsDeploy'), '2022-09-01').outputs.uaiPrincipalId.value]", - "roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c", - "principalType": "ServicePrincipal" - }, - "dependsOn": [ - "[subscriptionResourceId(parameters('managementSubscriptionId'), 'Microsoft.Resources/deployments', 'alzPreReqsDeploy')]" - ] - }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "alzPreReqsDeploy", - "subscriptionId": "[parameters('managementSubscriptionId')]", - "location": "[deployment().location]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "location": { - "value": "[parameters('location')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.32.4.45862", - "templateHash": "5158946764779715563" - } - }, - 
"parameters": { - "location": { - "type": "string" - } - }, - "resources": [ - { - "type": "Microsoft.Resources/resourceGroups", - "apiVersion": "2024-07-01", - "name": "rg-alz-prereqs", - "location": "[parameters('location')]" - }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "uaiDeployment", - "resourceGroup": "rg-alz-prereqs", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "location": { - "value": "[parameters('location')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.32.4.45862", - "templateHash": "8078331262112599049" - } - }, - "parameters": { - "location": { - "type": "string" - } - }, - "resources": [ - { - "type": "Microsoft.ManagedIdentity/userAssignedIdentities", - "apiVersion": "2023-07-31-preview", - "name": "uai-alz-prereq", - "location": "[parameters('location')]" - } - ], - "outputs": { - "uaiResourceId": { - "type": "string", - "value": "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'uai-alz-prereq')]" - }, - "uaiPrincipalId": { - "type": "string", - "value": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'uai-alz-prereq'), '2023-07-31-preview').principalId]" - } - } - } - }, - "dependsOn": [ - "[subscriptionResourceId('Microsoft.Resources/resourceGroups', 'rg-alz-prereqs')]" - ] - } - ], - "outputs": { - "uaiResourceId": { - "type": "string", - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, 'rg-alz-prereqs'), 'Microsoft.Resources/deployments', 'uaiDeployment'), '2022-09-01').outputs.uaiResourceId.value]" - }, - "uaiPrincipalId": { - "type": "string", - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', 
subscription().subscriptionId, 'rg-alz-prereqs'), 'Microsoft.Resources/deployments', 'uaiDeployment'), '2022-09-01').outputs.uaiPrincipalId.value]"
- }
- }
- }
- }
- }
- ]
-}
\ No newline at end of file
diff --git a/eslzArm/prerequisites/uai.bicep b/eslzArm/prerequisites/uai.bicep
deleted file mode 100644
index d30a833e2d..0000000000
--- a/eslzArm/prerequisites/uai.bicep
+++ /dev/null
@@ -1,9 +0,0 @@
-param location string
-
-resource uai 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-07-31-preview' = {
- name: 'uai-alz-prereq'
- location: location
-}
-
-output uaiResourceId string = uai.id
-output uaiPrincipalId string = uai.properties.principalId
diff --git a/eslzArm/subscriptionTemplates/avnmPolicy.json b/eslzArm/subscriptionTemplates/avnmPolicy.json
index f0ca549bf8..6458a3842e 100644
--- a/eslzArm/subscriptionTemplates/avnmPolicy.json
+++ b/eslzArm/subscriptionTemplates/avnmPolicy.json
@@ -13,7 +13,7 @@
 "type": "string",
 "metadata": {
 "displayName": "location",
- "description": "Location of the HUB"
+ "description": "Location for all resources."
 },
 "defaultValue": "[deployment().location]"
 },
@@ -61,6 +61,10 @@
 "type": "Microsoft.Authorization/policyAssignments",
 "apiVersion": "2023-04-01",
 "name": "[guid(concat(parameters('topLevelManagementGroupPrefix'), 'Configure-AVNM-dynamic-group-membership'))]",
+ "location": "[parameters('location')]",
+ "identity": {
+ "type": "SystemAssigned"
+ },
 "properties": {
 "description": "AVNM dynamic group membership Policy",
 "displayName": "AVNM dynamic group membership Policy",
From 221dfa069ec34e3d9bec87f118cbaf76e9add701 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Wed, 11 Dec 2024 15:58:04 +0400 Subject: [PATCH 194/226] . --- eslzArm/subscriptionTemplates/avnmPolicy.json | 18 ++---------------- 1 file changed, 2 insertions(+), 16 deletions(-)
diff --git a/eslzArm/subscriptionTemplates/avnmPolicy.json b/eslzArm/subscriptionTemplates/avnmPolicy.json
index 6458a3842e..a86f6e88b5 100644
--- a/eslzArm/subscriptionTemplates/avnmPolicy.json
+++ b/eslzArm/subscriptionTemplates/avnmPolicy.json
@@ -60,7 +60,7 @@
 {
 "type": "Microsoft.Authorization/policyAssignments",
 "apiVersion": "2023-04-01",
- "name": "[guid(concat(parameters('topLevelManagementGroupPrefix'), 'Configure-AVNM-dynamic-group-membership'))]",
+ "name": "[uniqueString(variables('networkGroupId'))]",
 "location": "[parameters('location')]",
 "identity": {
 "type": "SystemAssigned"
@@ -77,21 +77,7 @@
 "metadata": {
 "description": "Assigns above policy for dynamic group membership"
 }
- },
- {
- "type": "Microsoft.Authorization/roleAssignments",
- "apiVersion": "2023-04-01",
- "name": "[guid(concat(parameters('topLevelManagementGroupPrefix'), 'Configure-AVNM-role'))]",
- "dependsOn": [
- "[format('Microsoft.Authorization/policyDefinitions/{0}', uniqueString(variables('networkGroupId')))]",
- "[guid(concat(parameters('topLevelManagementGroupPrefix'), 'Configure-AVNM-dynamic-group-membership'))]"
- ],
- "properties": {
- "principalType": "ServicePrincipal",
- "roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7",
- "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', guid(concat(parameters('topLevelManagementGroupPrefix'), 'Configure-AVNM-dynamic-group-membership'))), '2019-09-01', 'Full' ).identity.principalId)]"
- }
- }
+ }
 ],
 "outputs": {}
 }
\ No newline at end of file
From 22f91bca91d7180acb581aa21122c17237b24d89 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Wed, 11 Dec 2024 17:50:01 +0400 Subject: [PATCH 195/226] . --- eslzArm/subscriptionTemplates/avnmPolicy.json | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/eslzArm/subscriptionTemplates/avnmPolicy.json b/eslzArm/subscriptionTemplates/avnmPolicy.json
index a86f6e88b5..6325d84ec5 100644
--- a/eslzArm/subscriptionTemplates/avnmPolicy.json
+++ b/eslzArm/subscriptionTemplates/avnmPolicy.json
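Review bot: Deleting the `Microsoft.Authorization/roleAssignments` resource leaves the policy assignment's `SystemAssigned` identity (kept in the first hunk of this file) with no role at all, so if the referenced definition uses a DeployIfNotExists or Modify effect, remediation tasks will fail with authorization errors unless the grant now lives in another template, which this diff does not show. If the role is assigned elsewhere, a pointer in the assignment's description would keep the two in step, e.g. `"description": "Assigns above policy for dynamic group membership; the assignment identity receives its role from <other template>"`; if the deletion was accidental, the resource needs to return with its `dependsOn` updated to the new `uniqueString(variables('networkGroupId'))` assignment name. Renaming the assignment also means an existing deployment will create a second assignment rather than update the old one, which is worth a line in the commit message.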
@@ -25,7 +25,7 @@
 }
 },
 "variables": {
- "networkGroupId": "[resourceId(parameters('connectivitySubscriptionId'), concat(parameters('topLevelManagementGroupPrefix'), '-avnm'), 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('ng-{0}-dynamic', parameters('location')))]"
+ "networkGroupId": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('ng-{0}-dynamic', parameters('location')))]"
 },
 "resources": [
 {
@@ -78,6 +78,5 @@
 "description": "Assigns above policy for dynamic group membership"
 }
 }
- ],
- "outputs": {}
+ ]
 }
\ No newline at end of file
From df3ed28e80049aa2bd22cf89399e1f7e3eb83293 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Wed, 11 Dec 2024 20:43:25 +0400 Subject: [PATCH 196/226] . --- eslzArm/prerequisites/deployPrerequisites.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/eslzArm/prerequisites/deployPrerequisites.json b/eslzArm/prerequisites/deployPrerequisites.json
index d229418d2e..c730a87769 100644
--- a/eslzArm/prerequisites/deployPrerequisites.json
+++ b/eslzArm/prerequisites/deployPrerequisites.json
@@ -262,8 +262,8 @@
 $rps = @('Microsoft.Insights','Microsoft.AlertsManagement','Microsoft.OperationalInsights','Microsoft.OperationsManagement','Microsoft.Automation','Microsoft.AlertsManagement','Microsoft.Security','Microsoft.Network','Microsoft.EventGrid','Microsoft.ManagedIdentity','Microsoft.GuestConfiguration','Microsoft.Advisor','Microsoft.PolicyInsights')
 foreach ($sub in $subs) {
- Select-AzSubscription -SubscriptionId $sub.id
- Write-Host 'Registering resource providers for subscription: ' $sub.id
+ Write-Host 'Registering resource providers for subscription: ' $sub.subscriptionId
+ Select-AzSubscription -SubscriptionId $sub.subscriptionId
 Get-AzResourceProvider -ProviderNamespace $rps | where {$_.RegistrationState -ne \"Registered\"} | Register-AzResourceProvider
 }
 "
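Review bot: `'rg-alz-avnm'` becomes a literal inside the `networkGroupId` expression, duplicating the `rgName` variable that avnmConfiguration.json declares for the same resource group; the two can drift silently, and the failure would surface only as a policy assignment pointing at a network group that does not exist. Declaring it once, e.g. `"rgName": "rg-alz-avnm",` beside `networkGroupId` and referencing `variables('rgName')` in the `resourceId(...)` call, or passing it as a parameter from the parent template, keeps the name in a single place.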
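Review bot: The reordered `Select-AzSubscription -SubscriptionId $sub.subscriptionId` is still unchecked; Az cmdlet errors are non-terminating by default unless `$ErrorActionPreference` is set to Stop somewhere outside this hunk, so a failed context switch would let `Register-AzResourceProvider` on the next line run against whichever subscription was selected last, and the log line already printed would attribute it to the wrong one. Adding `-ErrorAction Stop` to the call, or wrapping the loop body in try/catch that reports `$sub.subscriptionId` and continues, keeps a registration failure visible and correctly attributed. The enclosing script block continues outside the hunk.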
From c480e78ccfb2798b9703a39b4cb516efd5ccf268 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Wed, 11 Dec 2024 21:46:57 +0400 Subject: [PATCH 197/226] . --- .../prerequisites/deployPrerequisites.json | 30 +++++++++---------- 1 file changed, 15 insertions(+), 15 deletions(-)
diff --git a/eslzArm/prerequisites/deployPrerequisites.json b/eslzArm/prerequisites/deployPrerequisites.json
index c730a87769..5b397b93a9 100644
--- a/eslzArm/prerequisites/deployPrerequisites.json
+++ b/eslzArm/prerequisites/deployPrerequisites.json
@@ -243,21 +243,8 @@
 #API call to register the Microsoft.Network provider against intermediate resource group for AVNM
 Invoke-AzRestMethod -Method POST -Uri \"https://management.azure.com/providers/Microsoft.Management/managementGroups/$eslzRootName/providers/Microsoft.Network/register?api-version=2021-04-01\"
-
- #Sleep for XX minutes to wait for Management Groups to load to cache before assignments
- Start-Sleep -Duration (New-TimeSpan -Minutes 10)
-
- $result = \"\"
- $count = 0
-
- do {
- $result = Invoke-AzRestMethod -Method POST -Uri \"https://management.azure.com/providers/Microsoft.Management/managementGroups/$eslzRootName/providers/Microsoft.Network/register?api-version=2021-04-01\"
- $count++
- Start-Sleep -Seconds 30
- Write-Host 'MG RP Register - Status Code: ' $result.StatusCode ' Count: ' $count
- } while ($result.StatusCode -ne 200 -and $count -lt 10)
-
- #Register all resource providers
+
+ #Register all resource providers required for ALZ
 $subs = Search-AzGraph -Query \"ResourceContainers | where type =~ 'microsoft.resources/subscriptions'\" -ManagementGroup $eslzRootName
 $rps = @('Microsoft.Insights','Microsoft.AlertsManagement','Microsoft.OperationalInsights','Microsoft.OperationsManagement','Microsoft.Automation','Microsoft.AlertsManagement','Microsoft.Security','Microsoft.Network','Microsoft.EventGrid','Microsoft.ManagedIdentity','Microsoft.GuestConfiguration','Microsoft.Advisor','Microsoft.PolicyInsights')
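Review bot: After this hunk the management-group `Invoke-AzRestMethod -Method POST ... /providers/Microsoft.Network/register` call is fire-and-forget: the loop that re-issued it until `StatusCode` was 200 is removed here and only reappears as commented-out code in the second hunk (`@@ -266,6 +253,19`), so a 4xx/5xx from the register call is never inspected and the script proceeds to the fixed ten-minute `Start-Sleep` regardless. Capture the response and fail on a non-success status, e.g. `$result = Invoke-AzRestMethod -Method POST -Uri "..."` followed by `if ($result.StatusCode -notin 200,202) { throw "MG RP register failed: $($result.StatusCode) $($result.Content)" }`, and delete the commented-out block rather than keeping dead code in a deployment script. The `#API call ...` comment above the call also says "resource group" where the URI targets a management group, which is worth correcting while here. The PowerShell body continues outside the hunk.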
@@ -266,6 +253,19 @@
 Select-AzSubscription -SubscriptionId $sub.subscriptionId
 Get-AzResourceProvider -ProviderNamespace $rps | where {$_.RegistrationState -ne \"Registered\"} | Register-AzResourceProvider
 }
+
+ #Sleep for XX minutes to wait for Management Groups to load to cache before assignments
+ Start-Sleep -Duration (New-TimeSpan -Minutes 10)
+
+ #$result = \"\"
+ #$count = 0
+
+ #do {
+ # $result = Invoke-AzRestMethod -Method POST -Uri \"https://management.azure.com/providers/Microsoft.Management/managementGroups/$eslzRootName/providers/Microsoft.Network/register?api-version=2021-04-01\"
+ # $count++
+ # Start-Sleep -Seconds 30
+ # Write-Host 'MG RP Register - Status Code: ' $result.StatusCode ' Count: ' $count
+ #} while ($result.StatusCode -ne 200 -and $count -lt 10)
 "
 },
 "metadata": {
From 99d1a4b1af0fd5a005c6d5f560f3b970e374af63 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Fri, 13 Dec 2024 12:21:40 +0400 Subject: [PATCH 198/226] Update Whats-new.md with AVNM deployment script details and ARM performance improvements --- docs/wiki/Whats-new.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/docs/wiki/Whats-new.md b/docs/wiki/Whats-new.md
index e2727ae3c1..000370585d 100644
--- a/docs/wiki/Whats-new.md
+++ b/docs/wiki/Whats-new.md
@@ -53,8 +53,9 @@ Here's what's changed in Enterprise Scale/Azure Landing Zones: ### 🔃 Policy Refresh Q2 FY25 - [PREVIEW] Added ability to deploy Virtual Network Manager through the portal accelerator with support for Security Admin feature, including default rules blocking high-risk ports [read more](https://learn.microsoft.com/en-us/azure/virtual-network-manager/concept-security-admins). - - [Important] To support the configuration of AVNM, we've had to included a deployment script to configure the Microsoft.Network resource provider on the intermediate root management group. This deployment script and required User-Assigned Identity are created in a resource group in the Management subscription. Please remove the user assigned identity in the resource group hosting the AVNM instance. - - Additionally, due to performance improvements of ARM, we've also had to change the "wait" process in the portal accelerator. We are now using the same deployment script with a "Start-Sleep" PowerShell command which is far more reliable. In the management subscription, you will find a resource group `rg-alz-prereqs` that you should remove (with contents). + - [Important] To support the configuration of AVNM, we've had to included a deployment script to configure the Microsoft.Network resource provider on the intermediate root management group. This deployment script and required User-Assigned Managed Identity are created in a resource group in the Management subscription. Please remove the user assigned identity in the resource group hosting the AVNM instance. + - [Important] Due to performance improvements of ARM, we've also had to change the "wait" process in the portal accelerator (waiting for Management Groups to be registered so we can do policy assignments). We are now using the same deployment script with a "Start-Sleep" PowerShell command which is far more reliable. 
In the management subscription, you will find a resource group `rg-alz-prereqs` that you should remove (with contents) as the identity has Contributor rights on the Intermediate Management Group. + - [Important] A deployment script and User-Assigned Managed Identity is needed in the `rg-alz-avnm` resource group in the Connectivity subscription to register the Security Admin configuration with selected deployment regions. You should delete this identity after deployment. - *Policy Versioning Support* - all initiatives and assignments have been pinned to the current major version of built-in policies or initiatives deployed by ALZ. This ensures that all ALZ deployments will successfully deploy using the currently validated versions of ALZ built-in policies and initiatives. As these get updated the team will validate changes and impact before incrementing the recommended version. - Fixed a Portal Accelerator bug that results in failed deployment when choosing not to deploy policies to the Identity management group. - Updated the display name of the many `Effect` parameters to clearly identify the policy it applies to in the initiative [Enforce recommended guardrails for Azure Key Vault](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-KeyVault.html). From 0f3de4adb642126683cc105bce14a0697c6f48b6 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Fri, 13 Dec 2024 18:43:03 +0400 Subject: [PATCH 199/226] Cleanup and removing AVNM locations --- eslzArm/eslzArm.json | 6 --- .../avnmConfiguration.json | 51 +++++++------------ eslzArm/subscriptionTemplates/avnmPolicy.json | 2 +- 3 files changed, 19 insertions(+), 40 deletions(-) diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json index c0fb7b90ca..aa3f2fe4d6 100644 --- a/eslzArm/eslzArm.json +++ b/eslzArm/eslzArm.json 
@@ -5221,9 +5221,6 @@
 "uri": "[variables('deploymentUris').avnmConnectivityHub]"
 },
 "parameters": {
- "topLevelManagementGroupPrefix": {
- "value": "[parameters('enterpriseScaleCompanyPrefix')]"
- },
 "location": {
 "value": "[parameters('connectivityLocation')]"
 },
@@ -5233,9 +5230,6 @@
 "managementGroupScope": {
 "value": "[variables('scopes').eslzRootManagementGroup]"
 },
- "managementSubscriptionId": {
- "value": "[parameters('managementSubscriptionId')]"
- },
 "connectivitySubscriptionId": {
 "value": "[parameters('connectivitySubscriptionId')]"
 }
diff --git a/eslzArm/subscriptionTemplates/avnmConfiguration.json b/eslzArm/subscriptionTemplates/avnmConfiguration.json
index b0224a014c..bcf29e737e 100644
--- a/eslzArm/subscriptionTemplates/avnmConfiguration.json
+++ b/eslzArm/subscriptionTemplates/avnmConfiguration.json
@@ -2,14 +2,6 @@
 "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
 "contentVersion": "1.0.0.0",
 "parameters": {
- "topLevelManagementGroupPrefix": {
- "type": "string",
- "maxLength": 10,
- "defaultValue": "eslz",
- "metadata": {
- "description": "Provide a prefix (max 10 characters, unique at tenant-scope) for the Management Group hierarchy and other resources created as part of Enterprise-scale."
- }
- },
 "location": {
 "type": "string",
 "metadata": {
@@ -33,13 +25,6 @@
 "description": "Management group scope for AVNM. Intermediate root management group is the default."
 }
 },
- "managementSubscriptionId": {
- "type": "string",
- "defaultValue": "",
- "metadata": {
- "description": "SubscriptionId for the management subscription. Used to get the user assigned identity."
- }
- },
 "connectivitySubscriptionId": {
 "type": "string",
 "metadata": {
@@ -51,7 +36,7 @@
 "variables": {
 "rgName": "rg-alz-avnm",
 "resourceDeploymentName": "[take(concat(deployment().name, '-avnm', parameters('location')), 64)]",
- "configIds": "[resourceId(parameters('connectivitySubscriptionId'), variables('rgName'), 'Microsoft.Network/networkManagers/securityAdminConfigurations', 'avnm', format('sac-{0}', parameters('location')))]"
+ "configIds": "[resourceId(parameters('connectivitySubscriptionId'), variables('rgName'), 'Microsoft.Network/networkManagers/securityAdminConfigurations', 'avnm', 'sac-alz')]"
 },
 "resources": [
 {
@@ -119,7 +104,7 @@
 {
 "type": "Microsoft.Network/networkManagers/networkGroups",
 "apiVersion": "2024-03-01",
- "name": "[format('{0}/{1}', 'avnm', format('ng-{0}-static', parameters('location')))]",
+ "name": "[format('{0}/{1}', 'avnm', 'ng-static']",
 "properties": {
 "memberType": "VirtualNetwork",
 "description": "Network Group - Static"
@@ -134,7 +119,7 @@
 {
 "type": "Microsoft.Network/networkManagers/networkGroups",
 "apiVersion": "2024-03-01",
- "name": "[format('{0}/{1}', 'avnm', format('ng-{0}-dynamic', parameters('location')))]",
+ "name": "[format('{0}/{1}', 'avnm', 'ng-dynamic')]",
 "properties": {
 "memberType": "VirtualNetwork",
 "description": "Network Group - Dynamic"
@@ -149,7 +134,7 @@
 {
 "type": "Microsoft.Network/networkManagers/securityAdminConfigurations",
 "apiVersion": "2023-11-01",
- "name": "[format('{0}/{1}', 'avnm', format('sac-{0}', parameters('location')))]",
+ "name": "[format('{0}/{1}', 'avnm', 'sac-alz')]",
 "dependsOn": [
 "[resourceId('Microsoft.Network/networkManagers', 'avnm')]"
 ],
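Review bot: The new `ng-static` network group name is a malformed ARM expression — `[format('{0}/{1}', 'avnm', 'ng-static']` closes the `format(` call with `]` instead of `)]`, so template validation would reject it before anything is deployed; the same typo appears three more times in the ruleCollections hunk (`@@ -160,19 +145,19`), in the `dependsOn` entry and the `appliesToGroups` `networkGroupId`. Each should read `'ng-static')]`, matching the `ng-dynamic` lines next to them. Since the security admin configuration is now region-agnostic (`sac-alz`), a one-line `metadata.description` on the `configIds` variable saying that a single configuration is shared across deployment regions would save the next reader from looking for the per-location variant that was removed.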
@@ -160,19 +145,19 @@
 {
 "type": "Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections",
 "apiVersion": "2024-03-01",
- "name": "[format('{0}/{1}/{2}', 'avnm', format('sac-{0}', parameters('location')), 'rc-ALZ')]",
+ "name": "[format('{0}/{1}/{2}', 'avnm', 'sac-alz', 'rc-ALZ')]",
 "dependsOn": [
- "[resourceId('Microsoft.Network/networkManagers/securityAdminConfigurations', 'avnm', format('sac-{0}', parameters('location')))]",
- "[resourceId('Microsoft.Network/networkManagers/networkGroups', 'avnm', format('ng-{0}-static', parameters('location')))]",
- "[resourceId('Microsoft.Network/networkManagers/networkGroups', 'avnm', format('ng-{0}-dynamic', parameters('location')))]"
+ "[resourceId('Microsoft.Network/networkManagers/securityAdminConfigurations', 'avnm', 'sac-alz')]",
+ "[resourceId('Microsoft.Network/networkManagers/networkGroups', 'avnm', 'ng-static']",
+ "[resourceId('Microsoft.Network/networkManagers/networkGroups', 'avnm', 'ng-dynamic')]"
 ],
 "properties": {
 "appliesToGroups": [
 {
- "networkGroupId": "[resourceId('Microsoft.Network/networkManagers/networkGroups', 'avnm', format('ng-{0}-static', parameters('location')))]"
+ "networkGroupId": "[resourceId('Microsoft.Network/networkManagers/networkGroups', 'avnm', 'ng-static']"
 },
 {
- "networkGroupId": "[resourceId('Microsoft.Network/networkManagers/networkGroups', 'avnm', format('ng-{0}-dynamic', parameters('location')))]"
+ "networkGroupId": "[resourceId('Microsoft.Network/networkManagers/networkGroups', 'avnm', 'ng-dynamic')]"
 }
 ]
@@ -181,9 +166,9 @@
 {
 "type": "Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections/rules",
 "apiVersion": "2024-03-01",
- "name": "[format('{0}/{1}/{2}/{3}', 'avnm', format('sac-{0}', parameters('location')), 'rc-ALZ', 'DenyMgmtInbound')]",
+ "name": "[format('{0}/{1}/{2}/{3}', 'avnm', 'sac-alz', 'rc-ALZ', 'DenyMgmtInbound')]",
 "dependsOn": [
- "[resourceId('Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections', 'avnm', format('sac-{0}', parameters('location')), 'rc-ALZ')]"
+ "[resourceId('Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections', 'avnm', 'sac-alz', 'rc-ALZ')]"
 ],
 "kind": "Custom",
 "properties": {
@@ -207,9 +192,9 @@
 {
 "type": "Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections/rules",
 "apiVersion": "2024-03-01",
- "name": "[format('{0}/{1}/{2}/{3}', 'avnm', format('sac-{0}', parameters('location')), 'rc-ALZ', 'DenyHighRiskInboundTCP')]",
+ "name": "[format('{0}/{1}/{2}/{3}', 'avnm', 'sac-alz', 'rc-ALZ', 'DenyHighRiskInboundTCP')]",
 "dependsOn": [
- "[resourceId('Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections', 'avnm', format('sac-{0}', parameters('location')), 'rc-ALZ')]"
+ "[resourceId('Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections', 'avnm', 'sac-alz', 'rc-ALZ')]"
 ],
 "kind": "Custom",
 "properties": {
@@ -242,9 +227,9 @@
 {
 "type": "Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections/rules",
 "apiVersion": "2024-03-01",
- "name": "[format('{0}/{1}/{2}/{3}', 'avnm', format('sac-{0}', parameters('location')), 'rc-ALZ', 'DenyHighRiskInboundUDP')]",
+ "name": "[format('{0}/{1}/{2}/{3}', 'avnm', 'sac-alz', 'rc-ALZ', 'DenyHighRiskInboundUDP')]",
 "dependsOn": [
- "[resourceId('Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections', 'avnm', format('sac-{0}', parameters('location')), 'rc-ALZ')]"
+ "[resourceId('Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections', 'avnm', 'sac-alz', 'rc-ALZ')]"
 ],
 "kind": "Custom",
 "properties": {
@@ -268,9 +253,9 @@
 {
 "type": "Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections/rules",
 "apiVersion": "2024-03-01",
- "name": "[format('{0}/{1}/{2}/{3}', 'avnm', format('sac-{0}', parameters('location')), 'rc-ALZ', 'DenyHighRiskInboundANY')]",
+ "name": "[format('{0}/{1}/{2}/{3}', 'avnm', 'sac-alz', 'rc-ALZ', 'DenyHighRiskInboundANY')]",
 "dependsOn": [
- "[resourceId('Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections', 'avnm', format('sac-{0}', parameters('location')), 'rc-ALZ')]"
+ "[resourceId('Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections', 'avnm', 'sac-alz', 'rc-ALZ')]"
 ],
 "kind": "Custom",
 "properties": {
diff --git a/eslzArm/subscriptionTemplates/avnmPolicy.json b/eslzArm/subscriptionTemplates/avnmPolicy.json
index 6325d84ec5..c01a3313c2 100644
--- a/eslzArm/subscriptionTemplates/avnmPolicy.json
+++ b/eslzArm/subscriptionTemplates/avnmPolicy.json
@@ -25,7 +25,7 @@ } }, "variables": { - "networkGroupId": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('ng-{0}-dynamic', parameters('location')))]" + "networkGroupId": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', 'ng-dynamic')]" }, "resources": [ { From a2e6e21ab3b24a5ffc77df721ed2e53a0a9a8499 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Fri, 13 Dec 2024 19:08:46 +0400 Subject: [PATCH 200/226] . --- eslzArm/subscriptionTemplates/avnmConfiguration.json | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/eslzArm/subscriptionTemplates/avnmConfiguration.json b/eslzArm/subscriptionTemplates/avnmConfiguration.json index bcf29e737e..9c901cbbb4 100644 --- a/eslzArm/subscriptionTemplates/avnmConfiguration.json +++ b/eslzArm/subscriptionTemplates/avnmConfiguration.json @@ -104,7 +104,7 @@ { "type": "Microsoft.Network/networkManagers/networkGroups", "apiVersion": "2024-03-01", - "name": "[format('{0}/{1}', 'avnm', 'ng-static']", + "name": "[format('{0}/{1}', 'avnm', 'ng-static')]", "properties": { "memberType": "VirtualNetwork", "description": "Network Group - Static" 
@@ -148,13 +148,13 @@ "name": "[format('{0}/{1}/{2}', 'avnm', 'sac-alz', 'rc-ALZ')]", "dependsOn": [ "[resourceId('Microsoft.Network/networkManagers/securityAdminConfigurations', 'avnm', 'sac-alz')]", - "[resourceId('Microsoft.Network/networkManagers/networkGroups', 'avnm', 'ng-static']", + "[resourceId('Microsoft.Network/networkManagers/networkGroups', 'avnm', 'ng-static')]", "[resourceId('Microsoft.Network/networkManagers/networkGroups', 'avnm', 'ng-dynamic')]" ], "properties": { "appliesToGroups": [ { - "networkGroupId": "[resourceId('Microsoft.Network/networkManagers/networkGroups', 'avnm', 'ng-static']" + "networkGroupId": "[resourceId('Microsoft.Network/networkManagers/networkGroups', 'avnm', 'ng-static')]" }, { "networkGroupId": "[resourceId('Microsoft.Network/networkManagers/networkGroups', 'avnm', 'ng-dynamic')]" From dce4dc8146a48c36fc73ba952ef41bf1cd02726b Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Tue, 17 Dec 2024 13:58:43 +0400 Subject: [PATCH 201/226] Remove obsolete deployPrerequisites2.json file --- docs/wiki/ALZ-Policies.md | 4 +- .../prerequisites/deployPrerequisites2.json | 204 ------------------ 2 files changed, 2 insertions(+), 206 deletions(-) delete mode 100644 eslzArm/prerequisites/deployPrerequisites2.json diff --git a/docs/wiki/ALZ-Policies.md b/docs/wiki/ALZ-Policies.md index 6dab86f385..dcafc15100 100644 --- a/docs/wiki/ALZ-Policies.md +++ b/docs/wiki/ALZ-Policies.md 
@@ -114,7 +114,7 @@ This management group contains all the platform child management groups, like ma | Assignment Name | Definition Name | Policy Type | Description | Effect(s) | | -------------------------------------------------------------------------- | -------------------------------------------------------------------------- | --------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------- | | **Enforce recommended guardrails for Azure Key Vault** | **Enforce recommended guardrails for Azure Key Vault** | `Policy Definition Set`, **Custom** | This policy initiative enforces minimum guardrails for Azure Key Vault:
  • Key vaults should have soft delete enabled (Deny)
  • Key vaults should have purge protection enabled (Deny)
  • Key Vault secrets should have an expiration date (Audit)
  • Key Vault keys should have an expiration date (Audit)
  • Azure Key Vault should have firewall enabled (Audit)
  • Certificates should have the specified lifetime action triggers (Audit)
  • Keys should have more than the specified number of days before expiration (Audit < 90 days)
  • Secrets should have more than the specified number of days before expiration (Audit < 90 days)
| Audit, Deny | -| **Enforce enhanced recovery and backup policies** | **Enforce enhanced recovery and backup policies** | `Policy Definition Set`, **Custom** | This policy initiative enforces minimum guardrails for Azure Key Vault:
  • Immutability must be enabled for backup vaults
  • Immutability must be enabled for Recovery Services vaults
  • Soft delete should be enabled for Backup Vaults
  • Multi-User Authorization (MUA) must be enabled for Backup Vaults
  • Multi-User Authorization (MUA) must be enabled for Recovery Services Vaults
| Audit | +| **Enforce enhanced recovery and backup policies** | **Enforce enhanced recovery and backup policies** | `Policy Definition Set`, **Custom** | This policy initiative enforces minimum guardrails for Recovery Services Vaults:
  • Immutability must be enabled for backup vaults
  • Immutability must be enabled for Recovery Services vaults
  • Soft delete should be enabled for Backup Vaults
  • Multi-User Authorization (MUA) must be enabled for Backup Vaults
  • Multi-User Authorization (MUA) must be enabled for Recovery Services Vaults
| Audit | | **Enable Azure Monitor for VMs**\* | **Enable Azure Monitor for VMs with Azure Monitoring Agent(AMA)** | `Policy Definition Set`, **Built-in** | This policy initiative installs the Azure Monitoring Agent (AMA) on the virtual machines (VMs) and enables Azure Monitor for them. Azure Monitor collects and analyzes data from the VMs, such as performance metrics, logs, and dependencies. | DeployIfNotExists, Disabled | | **Enable Azure Monitor for Virtual Machine Scale Sets**\* | **Enable Azure Monitor for VMSS with Azure Monitoring Agent(AMA)** | `Policy Definition Set`, **Built-in** | This policy initiative installs the Azure Monitoring Agent (AMA) on the virtual machines scale sets (VMSS) and enables Azure Monitor for them. Azure Monitor collects and analyzes data from the VMs, such as performance metrics, logs, and dependencies. | DeployIfNotExists, Disabled | | **Enable Azure Monitor for Hybrid Virtual Machines**\* | **Enable Azure Monitor for Hybrid VMs with AMA** | `Policy Definition Set`, **Built-in** | This policy initiative installs the Azure Monitoring Agent (AMA) on Arc-enabled servers (Hybrid) and enables Azure Monitor for them. Azure Monitor collects and analyzes data from the VMs, such as performance metrics, logs, and dependencies. | DeployIfNotExists, Disabled | 
@@ -235,7 +235,7 @@ The table below provides the specific **Custom** and **Built-in** **policy defin | ------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------- | ----------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------ | | **Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit** | **Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit** | `Policy Definition Set`, **Custom** | Description TBC | Audit, AuditIfNotExists, DeployIfNotExists, Deny | | **Enforce recommended guardrails for Azure Key Vault** | **Enforce recommended guardrails for Azure Key Vault** | `Policy Definition Set`, **Custom** | This policy initiative enforces minimum guardrails for Azure Key Vault:
  • Key vaults should have soft delete enabled (Deny)
  • Key vaults should have purge protection enabled (Deny)
  • Key Vault secrets should have an expiration date (Audit)
  • Key Vault keys should have an expiration date (Audit)
  • Azure Key Vault should have firewall enabled (Audit)
  • Certificates should have the specified lifetime action triggers (Audit)
  • Keys should have more than the specified number of days before expiration (Audit < 90 days)
  • Secrets should have more than the specified number of days before expiration (Audit < 90 days)
| Audit, Deny | -| **Enforce enhanced recovery and backup policies** | **Enforce enhanced recovery and backup policies** | `Policy Definition Set`, **Custom** | This policy initiative enforces minimum guardrails for Azure Key Vault:
  • Immutability must be enabled for backup vaults
  • Immutability must be enabled for Recovery Services vaults
  • Soft delete should be enabled for Backup Vaults
  • Multi-User Authorization (MUA) must be enabled for Backup Vaults
  • Multi-User Authorization (MUA) must be enabled for Recovery Services Vaults
| Audit | +| **Enforce enhanced recovery and backup policies** | **Enforce enhanced recovery and backup policies** | `Policy Definition Set`, **Custom** | This policy initiative enforces minimum guardrails for Recovery Services Vaults:
  • Immutability must be enabled for backup vaults
  • Immutability must be enabled for Recovery Services vaults
  • Soft delete should be enabled for Backup Vaults
  • Multi-User Authorization (MUA) must be enabled for Backup Vaults
  • Multi-User Authorization (MUA) must be enabled for Recovery Services Vaults
| Audit | | **Enforce Azure Compute Security Benchmark compliance auditing** | **Enforce Azure Compute Security Benchmark compliance auditing** | `Policy Definition Set`, **Custom** | This policy initiative enables Azure Compute Security Basline compliance auditing for Windows and Linux virtual machines. | AuditIfNotExists | | **Management port access from the Internet should be blocked** | **Management port access from the Internet should be blocked** | `Policy Definition`, **Custom** | This policy denies any network security rule that allows management port access from Internet (Default port 22, 3389). | Deny | | **Subnets should have a Network Security Group** | **Subnets should have a Network Security Group** | `Policy Definition`, **Custom** | This policy denies the creation of a subnet without a Network Security Group. NSG help to protect traffic across subnet-level. | Deny | diff --git a/eslzArm/prerequisites/deployPrerequisites2.json b/eslzArm/prerequisites/deployPrerequisites2.json deleted file mode 100644 index 61435ea803..0000000000 --- a/eslzArm/prerequisites/deployPrerequisites2.json +++ /dev/null 
@@ -1,204 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "resourceGroupName": { - "type": "string", - "defaultValue": "rg-alz-prereqs", - "metadata": { - "description": "The resource group name where the AVNM resources will be created" - } - }, - "location": { - "type": "string", - "minLength": 6, - "metadata": { - "description": "The location of this AVNM instance. All resources will be deployed to this region." - } - }, - "eslzRootName": { - "type": "string", - "metadata": { - "description": "The name of the Enterprise Scale Landing Zone root resource." - } - } - }, - "resources": [ - { - "type": "Microsoft.Resources/resourceGroups", - "apiVersion": "2022-09-01", - "name": "[parameters('resourceGroupName')]", - "location": "[parameters('location')]" - }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "alz-prerequisites-uai", - "resourceGroup": "[parameters('resourceGroupName')]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "location": { - "value": "[parameters('location')]" - }, - "eslzRootName": { - "value": "[parameters('eslzRootName')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "location": { - "type": "string" - }, - "eslzRootName": { - "type": "string" - } - }, - "variables": {}, - "resources": [ - { - "type": "Microsoft.ManagedIdentity/userAssignedIdentities", - "apiVersion": "2022-01-31-preview", - "name": "[format('uai-prereq-{0}', parameters('location'))]", - "location": "[parameters('location')]", - "metadata": { - "description": "This user assigned identity is used by the Deployment Script resource to interact with Azure resources." 
- } - }, - { - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "name": "[guid(resourceGroup().id, format('uai-prereq-{0}', parameters('location')))]", - "properties": { - "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-prereq-{0}', parameters('location'))), '2022-01-31-preview').principalId]", - "principalType": "ServicePrincipal" - }, - "dependsOn": [ - "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-prereq-{0}', parameters('location')))]" - ], - "metadata": { - "description": "This role assignment grants the user assigned identity the Contributor role on the resource group." - } - } - ], - "outputs": { - "userAssignedIdentityId": { - "type": "string", - "value": "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-prereq-{0}', parameters('location')))]" - } - } - } - }, - "dependsOn": [ - "[subscriptionResourceId('Microsoft.Resources/resourceGroups', parameters('resourceGroupName'))]" - ] - }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('ds-{0}-prereqs', parameters('location'))]", - "resourceGroup": "[parameters('resourceGroupName')]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "location": { - "value": "[parameters('location')]" - }, - "userAssignedIdentityId": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('resourceGroupName')), 'Microsoft.Resources/deployments', 'alz-prerequisites-uai'), '2022-09-01').outputs.userAssignedIdentityId.value]" - }, - "eslzRootName": { - "value": "[parameters('eslzRootName')]" - } - }, - "template": { - "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "location": { - "type": "string" - }, - "eslzRootName":{ - "type": "string" - }, - "userAssignedIdentityId": { - "type": "string" - } - }, - "resources": [ - { - "type": "Microsoft.Resources/deploymentScripts", - "apiVersion": "2020-10-01", - "name": "alz-prereq-deploymentscript", - "location": "[parameters('location')]", - "kind": "AzurePowerShell", - "identity": { - "type": "UserAssigned", - "userAssignedIdentities": { - "[format('{0}', parameters('userAssignedIdentityId'))]": {} - } - }, - "properties": { - "azPowerShellVersion": "12.3", - "retentionInterval": "PT1H", - "timeout": "PT2H", - "arguments": "[format('-eslzRootName \"{0}\"', parameters('eslzRootName'))]", - "scriptContent": " - param( - [Parameter(Mandatory=$true, HelpMessage=\"Enter the ESLZ root name.\")] - [string] - $eslzRootName - ) - - #API call to register the Microsoft.Network provider against intermediate resource group for AVNM - Invoke-AzRestMethod -Method POST -Uri \"https://management.azure.com/providers/Microsoft.Management/managementGroups/$eslzRootName/providers/Microsoft.Network/register?api-version=2021-04-01\" - - #Sleep for XX minutes to wait for Management Groups to load to cache before assignments - Start-Sleep -Duration (New-TimeSpan -Minutes 10) - - $result = \"\" - $count = 0 - - do { - $result = Invoke-AzRestMethod -Method POST -Uri \"https://management.azure.com/providers/Microsoft.Management/managementGroups/$eslzRootName/providers/Microsoft.Network/register?api-version=2021-04-01\" - $count++ - Start-Sleep -Seconds 30 - Write-Host 'MG RP Register - Status Code: ' $result.StatusCode ' Count: ' $count - } while ($result.StatusCode -ne 200 -and $count -lt 10) - - #Register all resource providers - $subs = Search-AzGraph -Query \"ResourceContainers | where type =~ 'microsoft.resources/subscriptions'\" -ManagementGroup $eslzRootName - $rps = 
@('Microsoft.Insights','Microsoft.AlertsManagement','Microsoft.OperationalInsights','Microsoft.OperationsManagement','Microsoft.Automation','Microsoft.AlertsManagement','Microsoft.Security','Microsoft.Network','Microsoft.EventGrid','Microsoft.ManagedIdentity','Microsoft.GuestConfiguration','Microsoft.Advisor','Microsoft.PolicyInsights') - - foreach ($sub in $subs) { - Select-AzSubscription -SubscriptionId $sub.id - Write-Host 'Registering resource providers for subscription: ' $sub.id - Get-AzResourceProvider -ProviderNamespace $rps | where {$_.RegistrationState -ne \"Registered\"} | Register-AzResourceProvider - } - " - }, - "metadata": { - "description": "Create a Deployment Script resource to perform the prerequisites." - } - } - ], - "outputs": {} - } - }, - "dependsOn": [ - "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('resourceGroupName')), 'Microsoft.Resources/deployments', 'alz-prerequisites-uai')]", - "[subscriptionResourceId('Microsoft.Resources/resourceGroups', parameters('resourceGroupName'))]" - ] - } - ], - "outputs": {} -} \ No newline at end of file From 3d447e0371a88b12514e317a8da23e6f143cd91c Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Wed, 18 Dec 2024 14:25:18 +0400 Subject: [PATCH 202/226] 2ndIdentityFix --- eslzArm/eslz-portal.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/eslzArm/eslz-portal.json b/eslzArm/eslz-portal.json index 5da8d2aaf4..90e96433c8 100644 --- a/eslzArm/eslz-portal.json +++ b/eslzArm/eslz-portal.json @@ -4518,7 +4518,7 @@ } ] }, - "visible": "[and(equals(steps('identity').esIdentityConnectivity, 'Yes'), not(equals(steps('connectivity').enableHub,'No')))]" + "visible": "[and(equals(steps('identity').esIdentityConnectivity, 'Yes'), not(equals(steps('connectivity').enableHub,'No')), equals(steps('core').deploySecondaryRegion, 'Yes'))]" }, { "name": "identityAddressPrefixSecondary", 
From 6846f588289eed9d78b2cfbd8aec90c870f3bc4a Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Wed, 18 Dec 2024 14:28:24 +0400 Subject: [PATCH 203/226] . --- eslzArm/eslz-portal.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/eslzArm/eslz-portal.json b/eslzArm/eslz-portal.json index 90e96433c8..1b8a4c7e9f 100644 --- a/eslzArm/eslz-portal.json +++ b/eslzArm/eslz-portal.json @@ -4518,7 +4518,7 @@ } ] }, - "visible": "[and(equals(steps('identity').esIdentityConnectivity, 'Yes'), not(equals(steps('connectivity').enableHub,'No')), equals(steps('core').deploySecondaryRegion, 'Yes'))]" + "visible": "[and(not(equals(steps('connectivity').enableHub,'No')), equals(steps('core').deploySecondaryRegion, 'Yes'))]" }, { "name": "identityAddressPrefixSecondary", From 5bc595a34b0b532735197348f82c7be086323ce4 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Wed, 18 Dec 2024 15:02:50 +0400 Subject: [PATCH 204/226] . --- .../avnmConfiguration.json | 46 +++++++++++++------ eslzArm/subscriptionTemplates/avnmPolicy.json | 2 +- 2 files changed, 34 insertions(+), 14 deletions(-) diff --git a/eslzArm/subscriptionTemplates/avnmConfiguration.json b/eslzArm/subscriptionTemplates/avnmConfiguration.json index 9c901cbbb4..1772e5e008 100644 --- a/eslzArm/subscriptionTemplates/avnmConfiguration.json +++ b/eslzArm/subscriptionTemplates/avnmConfiguration.json @@ -63,6 +63,9 @@ "location": { "value": "[parameters('location')]" }, + "locationSecondary": { + "value": "[parameters('locationSecondary')]" + }, "managementGroupScope": { "value": "[parameters('managementGroupScope')]" } @@ -74,6 +77,9 @@ "location": { "type": "string" }, + "locationSecondary": { + "type": "string" + }, "managementGroupScope": { "type": "string" } 
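Review bot: Dropping the `esIdentityConnectivity` condition makes this element visible whenever a hub and a secondary region are selected, even when identity connectivity was not requested, which the previous commit had still gated on. The element's own `name` is outside the hunk, so this may be intentional, but if it is the companion of `identityAddressPrefixSecondary` (the next element) it is now shown, and if it is an input its value is potentially consumed, for deployments that have no identity network. Unless the identity gating moved to a parent element, keep all three conditions: `"visible": "[and(equals(steps('identity').esIdentityConnectivity, 'Yes'), not(equals(steps('connectivity').enableHub,'No')), equals(steps('core').deploySecondaryRegion, 'Yes'))]"`.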
@@ -104,32 +110,42 @@ { "type": "Microsoft.Network/networkManagers/networkGroups", "apiVersion": "2024-03-01", - "name": "[format('{0}/{1}', 'avnm', 'ng-static')]", + "name": "[format('{0}/{1}', 'avnm', 'avnm-ng-all')]", "properties": { "memberType": "VirtualNetwork", - "description": "Network Group - Static" + "description": "Network Group - All Landing Zone virtual networks" }, "dependsOn": [ "[resourceId('Microsoft.Network/networkManagers', 'avnm')]" ], "metadata": { - "description": "This is the static network group for the spoke VNETs, and hub when topology is mesh." + "description": "This is the dynamic network group for all ALZ VNETs." } }, { "type": "Microsoft.Network/networkManagers/networkGroups", "apiVersion": "2024-03-01", - "name": "[format('{0}/{1}', 'avnm', 'ng-dynamic')]", + "name": "[format('{0}/{1}', 'avnm', format('avnm-ng-{0}', parameters('location')))]", "properties": { "memberType": "VirtualNetwork", - "description": "Network Group - Dynamic" + "description": "[format('Network Group - Region - {0}', parameters('location'))]" }, "dependsOn": [ "[resourceId('Microsoft.Network/networkManagers', 'avnm')]" - ], - "metadata": { - "description": "This is the dynamic network group for the spoke VNETs, and hub when topology is mesh." - } + ] + }, + { + "condition": "[not(empty(parameters('locationSecondary')))]", + "type": "Microsoft.Network/networkManagers/networkGroups", + "apiVersion": "2024-03-01", + "name": "[format('{0}/{1}', 'avnm', format('avnm-ng-{0}', parameters('locationSecondary')))]", + "properties": { + "memberType": "VirtualNetwork", + "description": "[format('Network Group - Region - {0}', parameters('locationSecondary'))]" + }, + "dependsOn": [ + "[resourceId('Microsoft.Network/networkManagers', 'avnm')]" + ] }, { "type": "Microsoft.Network/networkManagers/securityAdminConfigurations", 
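Review bot: The `metadata.description` on `avnm-ng-all` now calls it "the dynamic network group", but whether a group is static or dynamic is decided by the static members or policy that populate it, not by this resource, and the two regional groups below carry no `metadata` at all. Suggest one consistent description per group stating how it is populated, e.g. `"description": "Membership is assigned by the AVNM policy in avnmPolicy.json; no static members are defined here."` (to be confirmed against that template). Renaming `ng-static`/`ng-dynamic` also orphans those groups on an Incremental redeploy, so a cleanup step or upgrade note is needed. Only the secondary group is conditioned on `locationSecondary`, which is right, but nothing guards `locationSecondary` equal to `location`, which would likely produce a duplicate resource name and a failed deployment.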
@@ -148,16 +164,20 @@ "name": "[format('{0}/{1}/{2}', 'avnm', 'sac-alz', 'rc-ALZ')]", "dependsOn": [ "[resourceId('Microsoft.Network/networkManagers/securityAdminConfigurations', 'avnm', 'sac-alz')]", - "[resourceId('Microsoft.Network/networkManagers/networkGroups', 'avnm', 'ng-static')]", - "[resourceId('Microsoft.Network/networkManagers/networkGroups', 'avnm', 'ng-dynamic')]" + "[resourceId('Microsoft.Network/networkManagers/networkGroups', 'avnm', 'avnm-ng-all')]", + "[resourceId('Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-{0}', parameters('location')))]", + "[resourceId('Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-{0}', parameters('locationSecondary')))]" ], "properties": { "appliesToGroups": [ { - "networkGroupId": "[resourceId('Microsoft.Network/networkManagers/networkGroups', 'avnm', 'ng-static')]" + "networkGroupId": "[resourceId('Microsoft.Network/networkManagers/networkGroups', 'avnm', 'avnm-ng-all')]" + }, + { + "networkGroupId": "[resourceId('Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-{0}', parameters('location')))]" }, { - "networkGroupId": "[resourceId('Microsoft.Network/networkManagers/networkGroups', 'avnm', 'ng-dynamic')]" + "networkGroupId": "[resourceId('Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-{0}', parameters('locationSecondary')))]" } ] diff --git a/eslzArm/subscriptionTemplates/avnmPolicy.json b/eslzArm/subscriptionTemplates/avnmPolicy.json index c01a3313c2..3ecee00c42 100644 --- a/eslzArm/subscriptionTemplates/avnmPolicy.json +++ b/eslzArm/subscriptionTemplates/avnmPolicy.json 
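Review bot: The rule collection now unconditionally references `avnm-ng-{locationSecondary}` in both `dependsOn` and `appliesToGroups`, while that group is only created when `locationSecondary` is non-empty (see the adjacent network-group hunk), so a single-region deployment points `rc-ALZ` at a non-existent group named `avnm-ng-` and the collection, with every Deny rule it carries, will most likely fail to deploy instead of being enforced. `dependsOn` tolerates a skipped conditional resource, but `appliesToGroups` is validated by the service. Since `avnm-ng-all` is described as holding every landing-zone VNet, the simplest fix is to apply the collection to that group alone and drop the two regional entries from both lists; if per-region scoping is really wanted, build the array as `[if(empty(parameters('locationSecondary')), createArray(<all>, <primary>), createArray(<all>, <primary>, <secondary>))]`. The enclosing `ruleCollections` resource starts outside the hunk.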
@@ -25,7 +25,7 @@ } }, "variables": { - "networkGroupId": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', 'ng-dynamic')]" + "networkGroupId": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', 'avnm-ng-all')]" }, "resources": [ { From 08b76ba8196826ca6d6d5b8ce3a8606a10333928 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Wed, 18 Dec 2024 15:11:56 +0400 Subject: [PATCH 205/226] . --- .../avnmConfiguration.json | 179 +++++++++++++++++- 1 file changed, 177 insertions(+), 2 deletions(-) diff --git a/eslzArm/subscriptionTemplates/avnmConfiguration.json b/eslzArm/subscriptionTemplates/avnmConfiguration.json index 1772e5e008..16194f0346 100644 --- a/eslzArm/subscriptionTemplates/avnmConfiguration.json +++ b/eslzArm/subscriptionTemplates/avnmConfiguration.json @@ -128,7 +128,7 @@ "name": "[format('{0}/{1}', 'avnm', format('avnm-ng-{0}', parameters('location')))]", "properties": { "memberType": "VirtualNetwork", - "description": "[format('Network Group - Region - {0}', parameters('location'))]" + "description": "[format('Network Group - {0}', parameters('location'))]" }, "dependsOn": [ "[resourceId('Microsoft.Network/networkManagers', 'avnm')]" 
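Review bot: `networkGroupId` hard-codes the resource group `rg-alz-avnm` and the manager name `avnm`; should the configuration template ever be deployed into a differently named group or manager, the policy targets a non-existent network group, dynamic membership silently never populates, and the Deny rules in `sac-alz` reach no VNet at all — a fail-open with no deployment error to flag it. Suggest parameterizing both: `"networkGroupId": "[resourceId(parameters('connectivitySubscriptionId'), parameters('avnmResourceGroupName'), 'Microsoft.Network/networkManagers/networkGroups', parameters('networkManagerName'), 'avnm-ng-all')]"`, with the two parameters declared next to `connectivitySubscriptionId` and passed by the same caller that already supplies that id. A post-deployment check that the group actually has members would catch the same failure at runtime.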
@@ -141,7 +141,182 @@ "name": "[format('{0}/{1}', 'avnm', format('avnm-ng-{0}', parameters('locationSecondary')))]", "properties": { "memberType": "VirtualNetwork", - "description": "[format('Network Group - Region - {0}', parameters('locationSecondary'))]" + "description": "[format('Network Group - {0}', parameters('locationSecondary'))]" + }, + "dependsOn": [ + "[resourceId('Microsoft.Network/networkManagers', 'avnm')]" + ] + }, + { + "type": "Microsoft.Network/networkManagers/networkGroups", + "apiVersion": "2024-03-01", + "name": "[format('{0}/{1}', 'avnm', format('avnm-ng-corp-{0}', parameters('location')))]", + "properties": { + "memberType": "VirtualNetwork", + "description": "[format('Network Group - Corp - {0}', parameters('location'))]" + }, + "dependsOn": [ + "[resourceId('Microsoft.Network/networkManagers', 'avnm')]" + ] + }, + { + "condition": "[not(empty(parameters('locationSecondary')))]", + "type": "Microsoft.Network/networkManagers/networkGroups", + "apiVersion": "2024-03-01", + "name": "[format('{0}/{1}', 'avnm', format('avnm-ng-corp-{0}', parameters('locationSecondary')))]", + "properties": { + "memberType": "VirtualNetwork", + "description": "[format('Network Group - Corp - {0}', parameters('locationSecondary'))]" + }, + "dependsOn": [ + "[resourceId('Microsoft.Network/networkManagers', 'avnm')]" + ] + }, + { + "type": "Microsoft.Network/networkManagers/networkGroups", + "apiVersion": "2024-03-01", + "name": "[format('{0}/{1}', 'avnm', format('avnm-ng-online-{0}', parameters('location')))]", + "properties": { + "memberType": "VirtualNetwork", + "description": "[format('Network Group - Online - {0}', parameters('location'))]" + }, + "dependsOn": [ + "[resourceId('Microsoft.Network/networkManagers', 'avnm')]" + ] + }, + { + "condition": "[not(empty(parameters('locationSecondary')))]", + "type": "Microsoft.Network/networkManagers/networkGroups", + "apiVersion": "2024-03-01", + "name": "[format('{0}/{1}', 'avnm', format('avnm-ng-online-{0}', 
parameters('locationSecondary')))]", + "properties": { + "memberType": "VirtualNetwork", + "description": "[format('Network Group - Online - {0}', parameters('locationSecondary'))]" + }, + "dependsOn": [ + "[resourceId('Microsoft.Network/networkManagers', 'avnm')]" + ] + }, + { + "type": "Microsoft.Network/networkManagers/networkGroups", + "apiVersion": "2024-03-01", + "name": "[format('{0}/{1}', 'avnm', format('avnm-ng-identity-{0}', parameters('location')))]", + "properties": { + "memberType": "VirtualNetwork", + "description": "[format('Network Group - Identity - {0}', parameters('location'))]" + }, + "dependsOn": [ + "[resourceId('Microsoft.Network/networkManagers', 'avnm')]" + ] + }, + { + "condition": "[not(empty(parameters('locationSecondary')))]", + "type": "Microsoft.Network/networkManagers/networkGroups", + "apiVersion": "2024-03-01", + "name": "[format('{0}/{1}', 'avnm', format('avnm-ng-identity-{0}', parameters('locationSecondary')))]", + "properties": { + "memberType": "VirtualNetwork", + "description": "[format('Network Group - Identity - {0}', parameters('locationSecondary'))]" + }, + "dependsOn": [ + "[resourceId('Microsoft.Network/networkManagers', 'avnm')]" + ] + }, + { + "type": "Microsoft.Network/networkManagers/networkGroups", + "apiVersion": "2024-03-01", + "name": "[format('{0}/{1}', 'avnm', format('avnm-ng-management-{0}', parameters('location')))]", + "properties": { + "memberType": "VirtualNetwork", + "description": "[format('Network Group - Management - {0}', parameters('location'))]" + }, + "dependsOn": [ + "[resourceId('Microsoft.Network/networkManagers', 'avnm')]" + ] + }, + { + "condition": "[not(empty(parameters('locationSecondary')))]", + "type": "Microsoft.Network/networkManagers/networkGroups", + "apiVersion": "2024-03-01", + "name": "[format('{0}/{1}', 'avnm', format('avnm-ng-management-{0}', parameters('locationSecondary')))]", + "properties": { + "memberType": "VirtualNetwork", + "description": "[format('Network Group - 
Management - {0}', parameters('locationSecondary'))]" + }, + "dependsOn": [ + "[resourceId('Microsoft.Network/networkManagers', 'avnm')]" + ] + }, + { + "type": "Microsoft.Network/networkManagers/networkGroups", + "apiVersion": "2024-03-01", + "name": "[format('{0}/{1}', 'avnm', format('avnm-ng-connectivity-{0}', parameters('location')))]", + "properties": { + "memberType": "VirtualNetwork", + "description": "[format('Network Group - Connectivity - {0}', parameters('location'))]" + }, + "dependsOn": [ + "[resourceId('Microsoft.Network/networkManagers', 'avnm')]" + ] + }, + { + "condition": "[not(empty(parameters('locationSecondary')))]", + "type": "Microsoft.Network/networkManagers/networkGroups", + "apiVersion": "2024-03-01", + "name": "[format('{0}/{1}', 'avnm', format('avnm-ng-connectivity-{0}', parameters('locationSecondary')))]", + "properties": { + "memberType": "VirtualNetwork", + "description": "[format('Network Group - Connectivity - {0}', parameters('locationSecondary'))]" + }, + "dependsOn": [ + "[resourceId('Microsoft.Network/networkManagers', 'avnm')]" + ] + }, + { + "type": "Microsoft.Network/networkManagers/networkGroups", + "apiVersion": "2024-03-01", + "name": "[format('{0}/{1}', 'avnm', format('avnm-ng-sandbox-{0}', parameters('location')))]", + "properties": { + "memberType": "VirtualNetwork", + "description": "[format('Network Group - Sandbox - {0}', parameters('location'))]" + }, + "dependsOn": [ + "[resourceId('Microsoft.Network/networkManagers', 'avnm')]" + ] + }, + { + "condition": "[not(empty(parameters('locationSecondary')))]", + "type": "Microsoft.Network/networkManagers/networkGroups", + "apiVersion": "2024-03-01", + "name": "[format('{0}/{1}', 'avnm', format('avnm-ng-sandbox-{0}', parameters('locationSecondary')))]", + "properties": { + "memberType": "VirtualNetwork", + "description": "[format('Network Group - Sandbox - {0}', parameters('locationSecondary'))]" + }, + "dependsOn": [ + "[resourceId('Microsoft.Network/networkManagers', 
'avnm')]" + ] + }, + { + "type": "Microsoft.Network/networkManagers/networkGroups", + "apiVersion": "2024-03-01", + "name": "[format('{0}/{1}', 'avnm', format('avnm-ng-decommissioned-{0}', parameters('location')))]", + "properties": { + "memberType": "VirtualNetwork", + "description": "[format('Network Group - Decommissioned - {0}', parameters('location'))]" + }, + "dependsOn": [ + "[resourceId('Microsoft.Network/networkManagers', 'avnm')]" + ] + }, + { + "condition": "[not(empty(parameters('locationSecondary')))]", + "type": "Microsoft.Network/networkManagers/networkGroups", + "apiVersion": "2024-03-01", + "name": "[format('{0}/{1}', 'avnm', format('avnm-ng-decommissioned-{0}', parameters('locationSecondary')))]", + "properties": { + "memberType": "VirtualNetwork", + "description": "[format('Network Group - Decommissioned - {0}', parameters('locationSecondary'))]" }, "dependsOn": [ "[resourceId('Microsoft.Network/networkManagers', 'avnm')]" From a72cefd899f50584fc88616821619a255767b386 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Wed, 18 Dec 2024 16:55:08 +0400 Subject: [PATCH 206/226] . --- eslzArm/eslzArm.json | 3 + eslzArm/subscriptionTemplates/avnmPolicy.json | 173 ++++++++++++++++-- 2 files changed, 160 insertions(+), 16 deletions(-) diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json index aa3f2fe4d6..8234f78016 100644 --- a/eslzArm/eslzArm.json +++ b/eslzArm/eslzArm.json @@ -5259,6 +5259,9 @@ }, "connectivitySubscriptionId": { "value": "[parameters('connectivitySubscriptionId')]" + }, + "locationSecondary": { + "value": "[parameters('connectivityLocationSecondary')]" } } } diff --git a/eslzArm/subscriptionTemplates/avnmPolicy.json b/eslzArm/subscriptionTemplates/avnmPolicy.json index 3ecee00c42..89f77f7b6e 100644 --- a/eslzArm/subscriptionTemplates/avnmPolicy.json +++ b/eslzArm/subscriptionTemplates/avnmPolicy.json 
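Review bot: The fourteen archetype groups are fourteen copies of one resource that differ only in the archetype string and the region, and they have already drifted: unlike `avnm-ng-all` none carries a `metadata.description`, and the same archetype list reappears as the `managementGroups` default in avnmPolicy.json in the last hunk. A `copy` loop over a single `archetypes` variable in the inner template (declared in its `variables`, outside this hunk, as `["corp","online","identity","management","connectivity","sandbox","decommissioned"]`) keeps one source of truth; the description would then use the lower-case archetype name unless the variable holds display names. Nothing in this hunk attaches the new groups to a security admin rule collection or connectivity configuration, so they are inert until a later change binds them — worth saying in a `metadata.description` such as `"Archetype network group; bound to rule collections in a later step."`.
```json
{
  "copy": {
    "name": "archetypeNetworkGroups",
    "count": "[length(variables('archetypes'))]"
  },
  "type": "Microsoft.Network/networkManagers/networkGroups",
  "apiVersion": "2024-03-01",
  "name": "[format('{0}/{1}', 'avnm', format('avnm-ng-{0}-{1}', variables('archetypes')[copyIndex()], parameters('location')))]",
  "properties": {
    "memberType": "VirtualNetwork",
    "description": "[format('Network Group - {0} - {1}', variables('archetypes')[copyIndex()], parameters('location'))]"
  },
  "dependsOn": [
    "[resourceId('Microsoft.Network/networkManagers', 'avnm')]"
  ]
},
{
  "condition": "[not(empty(parameters('locationSecondary')))]",
  "copy": {
    "name": "archetypeNetworkGroupsSecondary",
    "count": "[length(variables('archetypes'))]"
  },
  "type": "Microsoft.Network/networkManagers/networkGroups",
  "apiVersion": "2024-03-01",
  "name": "[format('{0}/{1}', 'avnm', format('avnm-ng-{0}-{1}', variables('archetypes')[copyIndex()], parameters('locationSecondary')))]",
  "properties": {
    "memberType": "VirtualNetwork",
    "description": "[format('Network Group - {0} - {1}', variables('archetypes')[copyIndex()], parameters('locationSecondary'))]"
  },
  "dependsOn": [
    "[resourceId('Microsoft.Network/networkManagers', 'avnm')]"
  ]
}
```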
@@ -13,28 +13,68 @@
 "type": "string",
 "metadata": {
 "displayName": "location",
- "description": "Location for all resources."
+ "description": "Primary region for all resources."
 },
 "defaultValue": "[deployment().location]"
 },
+ "locationSecondary": {
+ "type": "string",
+ "metadata": {
+ "displayName": "location",
+ "description": "Secondary region for all resources."
+ },
+ "defaultValue": ""
+ },
 "connectivitySubscriptionId": {
 "type": "string",
 "metadata": {
 "description": "Provide the subscriptionId you will place into the management group"
 }
+ },
+ "managementGroups": {
+ "type": "array",
+ "metadata": {
+ "description": "Management Groups list"
+ },
+ "defaultValue": [
+ "sandbox",
+ "online",
+ "corp",
+ "identity",
+ "management",
+ "connectivity",
+ "decommissioned"
+ ]
+ }
 },
 "variables": {
- "networkGroupId": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', 'avnm-ng-all')]"
+ "networkGroupIdAll": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', 'avnm-ng-all')]",
+ "networkGroupIdRegion1": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-{0}', parameters('location')))]",
+ "networkGroupIdRegion2": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-{0}', parameters('locationSecondary')))]",
+ "networkGroupIdCorp1": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-corp-{0}', parameters('location')))]",
+ "networkGroupIdCorp2": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-corp-{0}', parameters('locationSecondary')))]",
+ "networkGroupIdOnline1": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-online-{0}', parameters('location')))]",
+ "networkGroupIdOnline2": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-online-{0}', parameters('locationSecondary')))]",
+ "networkGroupIdIdentity1": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-identity-{0}', parameters('location')))]",
+ "networkGroupIdIdentity2": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-identity-{0}', parameters('locationSecondary')))]",
+ "networkGroupIdManagement1": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-management-{0}', parameters('location')))]",
+ "networkGroupIdManagement2": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-management-{0}', parameters('locationSecondary')))]",
+ "networkGroupIdConnectivity1": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-connectivity-{0}', parameters('location')))]",
+ "networkGroupIdConnectivity2": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-connectivity-{0}', parameters('locationSecondary')))]",
+ "networkGroupIdSandbox1": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-sandbox-{0}', parameters('location')))]",
+ "networkGroupIdSandbox2": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-sandbox-{0}', parameters('locationSecondary')))]",
+ "networkGroupIdDecommissioned1": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-decommissioned-{0}', parameters('location')))]",
+ "networkGroupIdDecommissioned2": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-decommissioned-{0}', parameters('locationSecondary')))]"
 },
 "resources": [
 {
 "type": "Microsoft.Authorization/policyDefinitions",
 "apiVersion": "2023-04-01",
- "name": "[uniqueString(variables('networkGroupId'))]",
+ "name": "[uniqueString(variables('networkGroupIdAll'))]",
 "properties": {
- "description": "AVNM dynamic group membership Policy",
- "displayName": "AVNM dynamic group membership Policy",
+ "description": "AVNM intermediate root group membership Policy",
+ "displayName": "AVNM intermediate root group membership Policy",
 "mode": "Microsoft.Network.Data",
 "policyRule": {
 "if": {
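Review bot: The new `locationSecondary` parameter carries `"displayName": "location"`, copied from the primary parameter, so the two regions are indistinguishable in a portal or parameter-file view; change it to `"displayName": "locationSecondary"`. The `managementGroups` array added in the same hunk is not referenced by any resource visible in this diff, so it widens the template's interface without doing anything. All seventeen network-group variables repeat the same literal resource group `rg-alz-avnm` and manager name `avnm`; hoisting those two into their own variables (or, if the deploying template exposes the AVNM resource group name as a parameter, taking it from there) would keep these IDs from silently pointing at a different resource group than the one avnmConfiguration.json actually creates.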
@@ -48,35 +88,136 @@ "then": { "effect": "addToNetworkGroup", "details": { - "networkGroupId": "[variables('networkGroupId')]" + "networkGroupId": "[variables('networkGroupIdAll')]" } } } - }, - "metadata": { - "description": "This is a Policy definition for dynamic group membership" } }, { "type": "Microsoft.Authorization/policyAssignments", "apiVersion": "2023-04-01", - "name": "[uniqueString(variables('networkGroupId'))]", + "name": "[uniqueString(variables('networkGroupIdAll'))]", "location": "[parameters('location')]", "identity": { "type": "SystemAssigned" }, + "properties": { + "description": "AVNM intermediate root group membership Policy", + "displayName": "AVNM intermediate root group membership Policy", + "enforcementMode": "Default", + "policyDefinitionId": "[managementGroupResourceId('Microsoft.Authorization/policyDefinitions', uniqueString(variables('networkGroupIdAll')))]" + }, + "dependsOn": [ + "[format('Microsoft.Authorization/policyDefinitions/{0}', uniqueString(variables('networkGroupIdAll')))]" + ] + }, + { + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2023-04-01", + "name": "AVNMRegionalGroupMembershipPolicy", "properties": { "description": "AVNM dynamic group membership Policy", "displayName": "AVNM dynamic group membership Policy", + "mode": "Microsoft.Network.Data", + "parameters": { + "networkGroupId": { + "type": "String", + "metadata": { + "displayName": "Network Group ID", + "description": "The ID of the network group to add the virtual network to." 
+ } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks" + } + ] + }, + "then": { + "effect": "addToNetworkGroup", + "details": { + "networkGroupId": "[[parameters('networkGroupId')]" + } + } + } + } + }, + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2023-04-01", + "name": "testAVNMregional1", + "location": "[parameters('location')]", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "description": "AVNM intermediate root group membership Policy", + "displayName": "AVNM intermediate root group membership Policy", "enforcementMode": "Default", - "policyDefinitionId": "[managementGroupResourceId('Microsoft.Authorization/policyDefinitions', uniqueString(variables('networkGroupId')))]" + "policyDefinitionId": "[managementGroupResourceId('Microsoft.Authorization/policyDefinitions', 'AVNMRegionalGroupMembershipPolicy')]", + "resourceSelectors": [ + { + "name": "Regions", + "selectors": [ + { + "kind": "resourceLocation", + "in": [ + "[parameters('location')]" + ] + } + ] + } + ], + "parameters": { + "networkGroupId": { + "value": "[variables('networkGroupIdRegion1')]" + } + } }, "dependsOn": [ - "[format('Microsoft.Authorization/policyDefinitions/{0}', uniqueString(variables('networkGroupId')))]" - ], - "metadata": { - "description": "Assigns above policy for dynamic group membership" - } + "Microsoft.Authorization/policyDefinitions/AVNMRegionalGroupMembershipPolicy'" + ] + }, + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2023-04-01", + "name": "testAVNMregional2", + "location": "[parameters('location')]", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "description": "AVNM intermediate root group membership Policy", + "displayName": "AVNM intermediate root group membership Policy", + "enforcementMode": "Default", + "policyDefinitionId": 
"[managementGroupResourceId('Microsoft.Authorization/policyDefinitions', 'AVNMRegionalGroupMembershipPolicy')]", + "resourceSelectors": [ + { + "name": "Regions", + "selectors": [ + { + "kind": "resourceLocation", + "in": [ + "[parameters('locationSecondary')]" + ] + } + ] + } + ], + "parameters": { + "networkGroupId": { + "value": "[variables('networkGroupIdRegion2')]" + } + } + }, + "dependsOn": [ + "Microsoft.Authorization/policyDefinitions/AVNMRegionalGroupMembershipPolicy'" + ] } ] } \ No newline at end of file From de0a747d3ea75a3766e79c108c088b42049e0f67 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Wed, 18 Dec 2024 17:00:46 +0400 Subject: [PATCH 207/226] . --- eslzArm/subscriptionTemplates/avnmPolicy.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/eslzArm/subscriptionTemplates/avnmPolicy.json b/eslzArm/subscriptionTemplates/avnmPolicy.json index 89f77f7b6e..d3eed03878 100644 --- a/eslzArm/subscriptionTemplates/avnmPolicy.json +++ b/eslzArm/subscriptionTemplates/avnmPolicy.json @@ -180,7 +180,7 @@ } }, "dependsOn": [ - "Microsoft.Authorization/policyDefinitions/AVNMRegionalGroupMembershipPolicy'" + "AVNMRegionalGroupMembershipPolicy'" ] }, { @@ -216,7 +216,7 @@ } }, "dependsOn": [ - "Microsoft.Authorization/policyDefinitions/AVNMRegionalGroupMembershipPolicy'" + "AVNMRegionalGroupMembershipPolicy'" ] } ] From a898a5d9e70e767b86127b5fcb3f3d3e4029ebf4 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Wed, 18 Dec 2024 17:03:20 +0400 Subject: [PATCH 208/226] . --- eslzArm/subscriptionTemplates/avnmPolicy.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/eslzArm/subscriptionTemplates/avnmPolicy.json b/eslzArm/subscriptionTemplates/avnmPolicy.json index d3eed03878..d87864af84 100644 --- a/eslzArm/subscriptionTemplates/avnmPolicy.json +++ b/eslzArm/subscriptionTemplates/avnmPolicy.json @@ -180,7 +180,7 @@ } }, "dependsOn": [ - "AVNMRegionalGroupMembershipPolicy'" + "AVNMRegionalGroupMembershipPolicy" ] }, { 
@@ -216,7 +216,7 @@ } }, "dependsOn": [ - "AVNMRegionalGroupMembershipPolicy'" + "AVNMRegionalGroupMembershipPolicy" ] } ] From cbda13c414be5c3ecca866416b190462478514e2 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Wed, 18 Dec 2024 17:37:09 +0400 Subject: [PATCH 209/226] . --- eslzArm/subscriptionTemplates/avnmPolicy.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/eslzArm/subscriptionTemplates/avnmPolicy.json b/eslzArm/subscriptionTemplates/avnmPolicy.json index d87864af84..a18c1e25a4 100644 --- a/eslzArm/subscriptionTemplates/avnmPolicy.json +++ b/eslzArm/subscriptionTemplates/avnmPolicy.json @@ -141,7 +141,7 @@ "then": { "effect": "addToNetworkGroup", "details": { - "networkGroupId": "[[parameters('networkGroupId')]" + "networkGroupId": "[parameters('networkGroupId')]" } } } From fe1c629438ff0b3c019992dc5bfad56f9cfaa56e Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Thu, 19 Dec 2024 17:20:23 +0400 Subject: [PATCH 210/226] . --- .../avnmConfiguration.json | 32 +- eslzArm/subscriptionTemplates/avnmPolicy.json | 1076 ++++++++++++++++- .../avnmPolicy.parameters.json | 18 + 3 files changed, 1058 insertions(+), 68 deletions(-) create mode 100644 eslzArm/subscriptionTemplates/avnmPolicy.parameters.json diff --git a/eslzArm/subscriptionTemplates/avnmConfiguration.json b/eslzArm/subscriptionTemplates/avnmConfiguration.json index 16194f0346..6d60f1d424 100644 --- a/eslzArm/subscriptionTemplates/avnmConfiguration.json +++ b/eslzArm/subscriptionTemplates/avnmConfiguration.json 
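Review bot: In the `@@ -141,7 +141,7 @@` hunk, dropping the `[[` escape changes who evaluates `networkGroupId`: a string beginning with a single `[` is an ARM template expression, so `[parameters('networkGroupId')]` is now resolved by the deployment engine against avnmPolicy.json's own parameters, none of which (in the visible parameter declarations) is named `networkGroupId`, instead of being left for the policy engine to read from the definition's own `parameters` at evaluation time. Expressions meant for Azure Policy inside a template-deployed definition must stay double-bracketed, so the removed form `"networkGroupId": "[[parameters('networkGroupId')]"` was the correct one. A later patch on this page removes the policy parameter altogether, which sidesteps the problem, but if a parameterised definition is reintroduced the escape has to come back with it.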
@@ -514,20 +514,20 @@ } }, { - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "name": "[guid(resourceGroup().id, format('uai-avnm-{0}', parameters('location')))]", - "properties": { - "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-avnm-{0}', parameters('location'))), '2022-01-31-preview').principalId]", - "principalType": "ServicePrincipal" - }, - "dependsOn": [ - "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-avnm-{0}', parameters('location')))]" - ], - "metadata": { - "description": "This role assignment grants the user assigned identity the Contributor role on the resource group." - } + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "name": "[guid(resourceGroup().id, format('uai-avnm-{0}', parameters('location')))]", + "properties": { + "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-avnm-{0}', parameters('location'))), '2022-01-31-preview').principalId]", + "principalType": "ServicePrincipal" + }, + "dependsOn": [ + "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-avnm-{0}', parameters('location')))]" + ], + "metadata": { + "description": "This role assignment grants the user assigned identity the Contributor role on the resource group." + } } ], "outputs": { @@ -577,10 +577,10 @@ "contentVersion": "1.0.0.0", "parameters": { "location": { - "type": "string" + "type": "string" }, "locationSecondary": { - "type": "string" + "type": "string" }, "userAssignedIdentityId": { "type": "string" 
diff --git a/eslzArm/subscriptionTemplates/avnmPolicy.json b/eslzArm/subscriptionTemplates/avnmPolicy.json index a18c1e25a4..c9f60c2e8b 100644 --- a/eslzArm/subscriptionTemplates/avnmPolicy.json +++ b/eslzArm/subscriptionTemplates/avnmPolicy.json @@ -30,22 +30,6 @@ "metadata": { "description": "Provide the subscriptionId you will place into the management group" } - }, - "managementGroups": { - "type": "array", - "metadata": { - "description": "Management Groups list" - }, - "defaultValue": [ - "sandbox", - "online", - "corp", - "identity", - "management", - "connectivity", - "decommissioned" - ] - } }, "variables": { 
@@ -115,20 +99,69 @@ { "type": "Microsoft.Authorization/policyDefinitions", "apiVersion": "2023-04-01", - "name": "AVNMRegionalGroupMembershipPolicy", + "name": "[uniqueString(variables('networkGroupIdRegion1'))]", "properties": { - "description": "AVNM dynamic group membership Policy", - "displayName": "AVNM dynamic group membership Policy", + "description": "AVNM intermediate root group membership Policy", + "displayName": "AVNM intermediate root group membership Policy", "mode": "Microsoft.Network.Data", - "parameters": { - "networkGroupId": { - "type": "String", - "metadata": { - "displayName": "Network Group ID", - "description": "The ID of the network group to add the virtual network to." + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks" + } + ] + }, + "then": { + "effect": "addToNetworkGroup", + "details": { + "networkGroupId": "[variables('networkGroupIdRegion1')]" } } - }, + } + } + }, + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2023-04-01", + "name": "[uniqueString(variables('networkGroupIdRegion1'))]", + "location": "[parameters('location')]", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "description": "AVNM intermediate root group membership Policy", + "displayName": "AVNM intermediate root group membership Policy", + "enforcementMode": "Default", + "resourceSelectors": [ + { + "name": "regionalResource", + "selectors": [ + { + "kind": "ResourceLocation", + "in": [ + "[parameters('location')]" + ] + } + ] + } + ], + "policyDefinitionId": "[managementGroupResourceId('Microsoft.Authorization/policyDefinitions', uniqueString(variables('networkGroupIdRegion1')))]" + }, + "dependsOn": [ + "[format('Microsoft.Authorization/policyDefinitions/{0}', uniqueString(variables('networkGroupIdRegion1')))]" + ] + }, + { + "condition": "[not(empty(parameters('locationSecondary')))]", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": 
"2023-04-01", + "name": "[uniqueString(variables('networkGroupIdRegion2'))]", + "properties": { + "description": "AVNM intermediate root group membership Policy", + "displayName": "AVNM intermediate root group membership Policy", + "mode": "Microsoft.Network.Data", "policyRule": { "if": { "allOf": [ @@ -141,17 +174,18 @@ "then": { "effect": "addToNetworkGroup", "details": { - "networkGroupId": "[parameters('networkGroupId')]" + "networkGroupId": "[variables('networkGroupIdRegion2')]" } } } } }, { + "condition": "[not(empty(parameters('locationSecondary')))]", "type": "Microsoft.Authorization/policyAssignments", "apiVersion": "2023-04-01", - "name": "testAVNMregional1", - "location": "[parameters('location')]", + "name": "[uniqueString(variables('networkGroupIdRegion2'))]", + "location": "[parameters('locationSecondary')]", "identity": { "type": "SystemAssigned" }, 
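Review bot: Each per-region policy definition and its assignment in this hunk (and the region-2 pair in the `@@ -141,17 +174,18 @@` hunk) reuse the literal `"AVNM intermediate root group membership Policy"` for both `description` and `displayName`, so in the portal the all-VNets, region-1 and region-2 assignments cannot be told apart; an expression such as `"displayName": "[format('AVNM regional group membership - {0}', parameters('location'))]"` would name each one after the region its `resourceSelectors` selects. Every assignment also requests a `SystemAssigned` identity; `addToNetworkGroup` is a membership effect and, if it does not need an identity the way `deployIfNotExists`/`modify` do, each assignment creates a service principal with nothing to do — worth confirming against the effect's documentation and dropping, since unused principals still have to be inventoried. The `policyRule` bodies of the per-group definitions are identical apart from the group ID, so one definition per group multiplies the copies that must be kept in step; a single parameterised definition with one assignment per group (as the preceding commits had) is the smaller surface, provided the policy-parameter reference keeps its `[[` escape.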
@@ -159,34 +193,454 @@ "description": "AVNM intermediate root group membership Policy", "displayName": "AVNM intermediate root group membership Policy", "enforcementMode": "Default", - "policyDefinitionId": "[managementGroupResourceId('Microsoft.Authorization/policyDefinitions', 'AVNMRegionalGroupMembershipPolicy')]", "resourceSelectors": [ { - "name": "Regions", - "selectors": [ + "name": "regionalResource", + "selectors": [ + { + "kind": "ResourceLocation", + "in": [ + "[parameters('locationSecondary')]" + ] + } + ] + } + ], + "policyDefinitionId": "[managementGroupResourceId('Microsoft.Authorization/policyDefinitions', uniqueString(variables('networkGroupIdRegion2')))]" + }, + "dependsOn": [ + "[format('Microsoft.Authorization/policyDefinitions/{0}', uniqueString(variables('networkGroupIdRegion2')))]" + ] + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[format('AvnmAssignment-{0}-corp', parameters('topLevelManagementGroupPrefix'))]", + "scope": "[format('Microsoft.Management/managementGroups/{0}-corp', parameters('topLevelManagementGroupPrefix'))]", + "location": "[deployment().location]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "location": { + "value": "[parameters('location')]" + }, + "locationSecondary": { + "value": "[parameters('locationSecondary')]" + } + }, + "variables": { + "networkGroupIdCorp1": { + "value": "[variables('networkGroupIdCorp1')]" + }, + "networkGroupIdCorp2": { + "value": "[variables('networkGroupIdCorp2')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string" + }, + "locationSecondary": { + "type": "string" + } + }, + "variables": { + "networkGroupIdCorp1": { + "type": "string" + }, + "networkGroupIdCorp2": { + "type": "string" + } + }, + 
"resources": [ + { + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2023-04-01", + "name": "[uniqueString(variables('networkGroupIdCorp1'))]", + "properties": { + "description": "AVNM Corp management group membership Policy", + "displayName": "AVNM Corp management group membership Policy", + "mode": "Microsoft.Network.Data", + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks" + } + ] + }, + "then": { + "effect": "addToNetworkGroup", + "details": { + "networkGroupId": "[variables('networkGroupIdCorp1')]" + } + } + } + } + }, + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2023-04-01", + "name": "[uniqueString(variables('networkGroupIdCorp1'))]", + "location": "[parameters('location')]", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "description": "AVNM Corp management group membership Policy", + "displayName": "AVNM Corp management group membership Policy", + "enforcementMode": "Default", + "resourceSelectors": [ + { + "name": "regionalResource", + "selectors": [ + { + "kind": "ResourceLocation", + "in": [ + "[parameters('location')]" + ] + } + ] + } + ], + "policyDefinitionId": "[managementGroupResourceId('Microsoft.Authorization/policyDefinitions', uniqueString(variables('networkGroupIdCorp1')))]" + }, + "dependsOn": [ + "[format('Microsoft.Authorization/policyDefinitions/{0}', uniqueString(variables('networkGroupIdCorp1')))]" + ] + }, + { + "condition": "[not(empty(parameters('locationSecondary')))]", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2023-04-01", + "name": "[uniqueString(variables('networkGroupIdCorp2'))]", + "properties": { + "description": "AVNM Corp management group membership Policy", + "displayName": "AVNM Corp management group membership Policy", + "mode": "Microsoft.Network.Data", + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": 
"Microsoft.Network/virtualNetworks" + } + ] + }, + "then": { + "effect": "addToNetworkGroup", + "details": { + "networkGroupId": "[variables('networkGroupIdCorp2')]" + } + } + } + } + }, { - "kind": "resourceLocation", - "in": [ - "[parameters('location')]" + "condition": "[not(empty(parameters('locationSecondary')))]", + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2023-04-01", + "name": "[uniqueString(variables('networkGroupIdCorp2'))]", + "location": "[parameters('locationSecondary')]", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "description": "AVNM intermediate root group membership Policy", + "displayName": "AVNM intermediate root group membership Policy", + "enforcementMode": "Default", + "resourceSelectors": [ + { + "name": "regionalResource", + "selectors": [ + { + "kind": "ResourceLocation", + "in": [ + "[parameters('locationSecondary')]" + ] + } + ] + } + ], + "policyDefinitionId": "[managementGroupResourceId('Microsoft.Authorization/policyDefinitions', uniqueString(variables('networkGroupIdCorp2')))]" + }, + "dependsOn": [ + "[format('Microsoft.Authorization/policyDefinitions/{0}', uniqueString(variables('networkGroupIdCorp2')))]" ] } + ] + } + } + }, + // { + // "type": "Microsoft.Authorization/policyDefinitions", + // "apiVersion": "2023-04-01", + // "name": "[uniqueString(variables('networkGroupIdCorp1'))]", + // "properties": { + // "description": "AVNM intermediate root group membership Policy", + // "displayName": "AVNM intermediate root group membership Policy", + // "mode": "Microsoft.Network.Data", + // "policyRule": { + // "if": { + // "allOf": [ + // { + // "field": "type", + // "equals": "Microsoft.Network/virtualNetworks" + // } + // ] + // }, + // "then": { + // "effect": "addToNetworkGroup", + // "details": { + // "networkGroupId": "[variables('networkGroupIdCorp1')]" + // } + // } + // } + // } + // }, + // { + // "type": "Microsoft.Authorization/policyAssignments", + // "apiVersion": 
"2023-04-01", + // "name": "[uniqueString(variables('networkGroupIdCorp1'))]", + // "location": "[parameters('location')]", + // "identity": { + // "type": "SystemAssigned" + // }, + // "properties": { + // "description": "AVNM intermediate root group membership Policy", + // "displayName": "AVNM intermediate root group membership Policy", + // "enforcementMode": "Default", + // "resourceSelectors": [ + // { + // "name": "regionalResource", + // "selectors": [ + // { + // "kind": "ResourceLocation", + // "in": [ + // "[parameters('location')]" + // ] + // } + // ] + // } + // ], + // "policyDefinitionId": "[managementGroupResourceId('Microsoft.Authorization/policyDefinitions', uniqueString(variables('networkGroupIdCorp1')))]" + // }, + // "dependsOn": [ + // "[format('Microsoft.Authorization/policyDefinitions/{0}', uniqueString(variables('networkGroupIdCorp1')))]" + // ] + // }, + // { + // "condition": "[not(empty(parameters('locationSecondary')))]", + // "type": "Microsoft.Authorization/policyDefinitions", + // "apiVersion": "2023-04-01", + // "name": "[uniqueString(variables('networkGroupIdCorp2'))]", + // "properties": { + // "description": "AVNM intermediate root group membership Policy", + // "displayName": "AVNM intermediate root group membership Policy", + // "mode": "Microsoft.Network.Data", + // "policyRule": { + // "if": { + // "allOf": [ + // { + // "field": "type", + // "equals": "Microsoft.Network/virtualNetworks" + // } + // ] + // }, + // "then": { + // "effect": "addToNetworkGroup", + // "details": { + // "networkGroupId": "[variables('networkGroupIdCorp2')]" + // } + // } + // } + // } + // }, + // { + // "condition": "[not(empty(parameters('locationSecondary')))]", + // "type": "Microsoft.Authorization/policyAssignments", + // "apiVersion": "2023-04-01", + // "name": "[uniqueString(variables('networkGroupIdCorp2'))]", + // "location": "[parameters('locationSecondary')]", + // "identity": { + // "type": "SystemAssigned" + // }, + // "properties": 
{ + // "description": "AVNM intermediate root group membership Policy", + // "displayName": "AVNM intermediate root group membership Policy", + // "enforcementMode": "Default", + // "resourceSelectors": [ + // { + // "name": "regionalResource", + // "selectors": [ + // { + // "kind": "ResourceLocation", + // "in": [ + // "[parameters('locationSecondary')]" + // ] + // } + // ] + // } + // ], + // "policyDefinitionId": "[managementGroupResourceId('Microsoft.Authorization/policyDefinitions', uniqueString(variables('networkGroupIdCorp2')))]" + // }, + // "dependsOn": [ + // "[format('Microsoft.Authorization/policyDefinitions/{0}', uniqueString(variables('networkGroupIdCorp2')))]" + // ] + // }, + { + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2023-04-01", + "name": "[uniqueString(variables('networkGroupIdOnline1'))]", + "properties": { + "description": "AVNM intermediate root group membership Policy", + "displayName": "AVNM intermediate root group membership Policy", + "mode": "Microsoft.Network.Data", + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks" + } + ] + }, + "then": { + "effect": "addToNetworkGroup", + "details": { + "networkGroupId": "[variables('networkGroupIdOnline1')]" + } + } + } + } + }, + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2023-04-01", + "name": "[uniqueString(variables('networkGroupIdOnline1'))]", + "location": "[parameters('location')]", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "description": "AVNM intermediate root group membership Policy", + "displayName": "AVNM intermediate root group membership Policy", + "enforcementMode": "Default", + "resourceSelectors": [ + { + "name": "regionalResource", + "selectors": [ + { + "kind": "ResourceLocation", + "in": [ + "[parameters('location')]" ] + } + ] } ], - "parameters": { - "networkGroupId": { - "value": "[variables('networkGroupIdRegion1')]" + 
"policyDefinitionId": "[managementGroupResourceId('Microsoft.Authorization/policyDefinitions', uniqueString(variables('networkGroupIdOnline1')))]" + }, + "dependsOn": [ + "[format('Microsoft.Authorization/policyDefinitions/{0}', uniqueString(variables('networkGroupIdOnline1')))]" + ] + }, + { + "condition": "[not(empty(parameters('locationSecondary')))]", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2023-04-01", + "name": "[uniqueString(variables('networkGroupIdOnline2'))]", + "properties": { + "description": "AVNM intermediate root group membership Policy", + "displayName": "AVNM intermediate root group membership Policy", + "mode": "Microsoft.Network.Data", + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks" + } + ] + }, + "then": { + "effect": "addToNetworkGroup", + "details": { + "networkGroupId": "[variables('networkGroupIdOnline2')]" + } } } + } + }, + { + "condition": "[not(empty(parameters('locationSecondary')))]", + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2023-04-01", + "name": "[uniqueString(variables('networkGroupIdOnline2'))]", + "location": "[parameters('locationSecondary')]", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "description": "AVNM intermediate root group membership Policy", + "displayName": "AVNM intermediate root group membership Policy", + "enforcementMode": "Default", + "resourceSelectors": [ + { + "name": "regionalResource", + "selectors": [ + { + "kind": "ResourceLocation", + "in": [ + "[parameters('locationSecondary')]" + ] + } + ] + } + ], + "policyDefinitionId": "[managementGroupResourceId('Microsoft.Authorization/policyDefinitions', uniqueString(variables('networkGroupIdOnline2')))]" }, "dependsOn": [ - "AVNMRegionalGroupMembershipPolicy" + "[format('Microsoft.Authorization/policyDefinitions/{0}', uniqueString(variables('networkGroupIdOnline2')))]" ] }, + { + "type": 
"Microsoft.Authorization/policyDefinitions", + "apiVersion": "2023-04-01", + "name": "[uniqueString(variables('networkGroupIdIdentity1'))]", + "properties": { + "description": "AVNM intermediate root group membership Policy", + "displayName": "AVNM intermediate root group membership Policy", + "mode": "Microsoft.Network.Data", + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks" + } + ] + }, + "then": { + "effect": "addToNetworkGroup", + "details": { + "networkGroupId": "[variables('networkGroupIdIdentity1')]" + } + } + } + } + }, { "type": "Microsoft.Authorization/policyAssignments", "apiVersion": "2023-04-01", - "name": "testAVNMregional2", + "name": "[uniqueString(variables('networkGroupIdIdentity1'))]", "location": "[parameters('location')]", "identity": { "type": "SystemAssigned" 
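Review bot: The nested `AvnmAssignment-{prefix}-corp` deployment passes the network-group IDs through a `properties.variables` block and declares them in the inner template's `variables` as `{"type": "string"}`, but `Microsoft.Resources/deployments` has no `variables` property and, with `expressionEvaluationOptions.scope` set to `inner`, `variables('networkGroupIdCorp1')` resolves to that `{"type":"string"}` object rather than to a resource ID, so the `uniqueString(...)` names and the `networkGroupId` details cannot evaluate; move both IDs into `properties.parameters` and the inner `parameters` section and reference them with `parameters(...)` (sketch below). The Online and Identity definitions and assignments that follow are still deployed at the outer template's scope with only a region selector, so if this template targets the intermediate-root management group as the display names suggest, every virtual network in every child management group is added to the online and identity groups as well, and any connectivity or security-admin configuration bound to those groups then reaches VNets of other archetypes — they need the same per-management-group scoping that corp receives here. The roughly 120 `//`-commented duplicate corp resources should be deleted rather than kept (ARM tolerates comments, but the file stops being strict JSON for every other tool that reads it, and the copy will diverge from the live one), and the second corp assignment's `"description": "AVNM intermediate root group membership Policy"` should match the first's `AVNM Corp management group membership Policy`, since these strings are what operators see when auditing assignments. The nested deployment's `scope` uses `parameters('topLevelManagementGroupPrefix')`, whose declaration is not in any visible hunk of avnmPolicy.json, so confirm it exists; the hunk itself opens inside the region-2 assignment's `properties`, so that resource's start is outside this view.
```json
"parameters": {
  "location": { "value": "[parameters('location')]" },
  "locationSecondary": { "value": "[parameters('locationSecondary')]" },
  "networkGroupIdCorp1": { "value": "[variables('networkGroupIdCorp1')]" },
  "networkGroupIdCorp2": { "value": "[variables('networkGroupIdCorp2')]" }
},
// … removed: the outer "variables": { ... } block under "properties" …
"template": {
  // … unchanged: "$schema", "contentVersion" …
  "parameters": {
    "location": { "type": "string" },
    "locationSecondary": { "type": "string" },
    "networkGroupIdCorp1": { "type": "string" },
    "networkGroupIdCorp2": { "type": "string" }
  },
  // … removed: the inner "variables" block; every variables('networkGroupIdCorpN') in the inner "resources" becomes parameters('networkGroupIdCorpN') …
```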
@@ -195,28 +649,546 @@ "description": "AVNM intermediate root group membership Policy", "displayName": "AVNM intermediate root group membership Policy", "enforcementMode": "Default", - "policyDefinitionId": "[managementGroupResourceId('Microsoft.Authorization/policyDefinitions', 'AVNMRegionalGroupMembershipPolicy')]", "resourceSelectors": [ { - "name": "Regions", - "selectors": [ - { - "kind": "resourceLocation", - "in": [ - "[parameters('locationSecondary')]" - ] + "name": "regionalResource", + "selectors": [ + { + "kind": "ResourceLocation", + "in": [ + "[parameters('location')]" + ] + } + ] + } + ], + "policyDefinitionId": "[managementGroupResourceId('Microsoft.Authorization/policyDefinitions', uniqueString(variables('networkGroupIdIdentity1')))]" + }, + "dependsOn": [ + "[format('Microsoft.Authorization/policyDefinitions/{0}', uniqueString(variables('networkGroupIdIdentity1')))]" + ] + }, + { + "condition": "[not(empty(parameters('locationSecondary')))]", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2023-04-01", + "name": "[uniqueString(variables('networkGroupIdIdentity2'))]", + "properties": { + "description": "AVNM intermediate root group membership Policy", + "displayName": "AVNM intermediate root group membership Policy", + "mode": "Microsoft.Network.Data", + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks" + } + ] + }, + "then": { + "effect": "addToNetworkGroup", + "details": { + "networkGroupId": "[variables('networkGroupIdIdentity2')]" } + } + } + } + }, + { + "condition": "[not(empty(parameters('locationSecondary')))]", + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2023-04-01", + "name": "[uniqueString(variables('networkGroupIdIdentity2'))]", + "location": "[parameters('locationSecondary')]", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "description": "AVNM intermediate root group membership Policy", + "displayName": 
"AVNM intermediate root group membership Policy", + "enforcementMode": "Default", + "resourceSelectors": [ + { + "name": "regionalResource", + "selectors": [ + { + "kind": "ResourceLocation", + "in": [ + "[parameters('locationSecondary')]" ] + } + ] } ], - "parameters": { - "networkGroupId": { - "value": "[variables('networkGroupIdRegion2')]" + "policyDefinitionId": "[managementGroupResourceId('Microsoft.Authorization/policyDefinitions', uniqueString(variables('networkGroupIdIdentity2')))]" + }, + "dependsOn": [ + "[format('Microsoft.Authorization/policyDefinitions/{0}', uniqueString(variables('networkGroupIdIdentity2')))]" + ] + }, + { + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2023-04-01", + "name": "[uniqueString(variables('networkGroupIdManagement1'))]", + "properties": { + "description": "AVNM intermediate root group membership Policy", + "displayName": "AVNM intermediate root group membership Policy", + "mode": "Microsoft.Network.Data", + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks" + } + ] + }, + "then": { + "effect": "addToNetworkGroup", + "details": { + "networkGroupId": "[variables('networkGroupIdManagement1')]" + } } } + } + }, + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2023-04-01", + "name": "[uniqueString(variables('networkGroupIdManagement1'))]", + "location": "[parameters('location')]", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "description": "AVNM intermediate root group membership Policy", + "displayName": "AVNM intermediate root group membership Policy", + "enforcementMode": "Default", + "resourceSelectors": [ + { + "name": "regionalResource", + "selectors": [ + { + "kind": "ResourceLocation", + "in": [ + "[parameters('location')]" + ] + } + ] + } + ], + "policyDefinitionId": "[managementGroupResourceId('Microsoft.Authorization/policyDefinitions', 
uniqueString(variables('networkGroupIdManagement1')))]" + }, + "dependsOn": [ + "[format('Microsoft.Authorization/policyDefinitions/{0}', uniqueString(variables('networkGroupIdManagement1')))]" + ] + }, + { + "condition": "[not(empty(parameters('locationSecondary')))]", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2023-04-01", + "name": "[uniqueString(variables('networkGroupIdManagement2'))]", + "properties": { + "description": "AVNM intermediate root group membership Policy", + "displayName": "AVNM intermediate root group membership Policy", + "mode": "Microsoft.Network.Data", + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks" + } + ] + }, + "then": { + "effect": "addToNetworkGroup", + "details": { + "networkGroupId": "[variables('networkGroupIdManagement2')]" + } + } + } + } + }, + { + "condition": "[not(empty(parameters('locationSecondary')))]", + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2023-04-01", + "name": "[uniqueString(variables('networkGroupIdManagement2'))]", + "location": "[parameters('locationSecondary')]", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "description": "AVNM intermediate root group membership Policy", + "displayName": "AVNM intermediate root group membership Policy", + "enforcementMode": "Default", + "resourceSelectors": [ + { + "name": "regionalResource", + "selectors": [ + { + "kind": "ResourceLocation", + "in": [ + "[parameters('locationSecondary')]" + ] + } + ] + } + ], + "policyDefinitionId": "[managementGroupResourceId('Microsoft.Authorization/policyDefinitions', uniqueString(variables('networkGroupIdManagement2')))]" + }, + "dependsOn": [ + "[format('Microsoft.Authorization/policyDefinitions/{0}', uniqueString(variables('networkGroupIdManagement2')))]" + ] + }, + { + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2023-04-01", + "name": 
"[uniqueString(variables('networkGroupIdConnectivity1'))]", + "properties": { + "description": "AVNM intermediate root group membership Policy", + "displayName": "AVNM intermediate root group membership Policy", + "mode": "Microsoft.Network.Data", + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks" + } + ] + }, + "then": { + "effect": "addToNetworkGroup", + "details": { + "networkGroupId": "[variables('networkGroupIdConnectivity1')]" + } + } + } + } + }, + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2023-04-01", + "name": "[uniqueString(variables('networkGroupIdConnectivity1'))]", + "location": "[parameters('location')]", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "description": "AVNM intermediate root group membership Policy", + "displayName": "AVNM intermediate root group membership Policy", + "enforcementMode": "Default", + "resourceSelectors": [ + { + "name": "regionalResource", + "selectors": [ + { + "kind": "ResourceLocation", + "in": [ + "[parameters('location')]" + ] + } + ] + } + ], + "policyDefinitionId": "[managementGroupResourceId('Microsoft.Authorization/policyDefinitions', uniqueString(variables('networkGroupIdConnectivity1')))]" + }, + "dependsOn": [ + "[format('Microsoft.Authorization/policyDefinitions/{0}', uniqueString(variables('networkGroupIdConnectivity1')))]" + ] + }, + { + "condition": "[not(empty(parameters('locationSecondary')))]", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2023-04-01", + "name": "[uniqueString(variables('networkGroupIdConnectivity2'))]", + "properties": { + "description": "AVNM intermediate root group membership Policy", + "displayName": "AVNM intermediate root group membership Policy", + "mode": "Microsoft.Network.Data", + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks" + } + ] + }, + "then": { + "effect": 
"addToNetworkGroup", + "details": { + "networkGroupId": "[variables('networkGroupIdConnectivity2')]" + } + } + } + } + }, + { + "condition": "[not(empty(parameters('locationSecondary')))]", + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2023-04-01", + "name": "[uniqueString(variables('networkGroupIdConnectivity2'))]", + "location": "[parameters('locationSecondary')]", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "description": "AVNM intermediate root group membership Policy", + "displayName": "AVNM intermediate root group membership Policy", + "enforcementMode": "Default", + "resourceSelectors": [ + { + "name": "regionalResource", + "selectors": [ + { + "kind": "ResourceLocation", + "in": [ + "[parameters('locationSecondary')]" + ] + } + ] + } + ], + "policyDefinitionId": "[managementGroupResourceId('Microsoft.Authorization/policyDefinitions', uniqueString(variables('networkGroupIdConnectivity2')))]" + }, + "dependsOn": [ + "[format('Microsoft.Authorization/policyDefinitions/{0}', uniqueString(variables('networkGroupIdConnectivity2')))]" + ] + }, + { + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2023-04-01", + "name": "[uniqueString(variables('networkGroupIdSandbox1'))]", + "properties": { + "description": "AVNM intermediate root group membership Policy", + "displayName": "AVNM intermediate root group membership Policy", + "mode": "Microsoft.Network.Data", + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks" + } + ] + }, + "then": { + "effect": "addToNetworkGroup", + "details": { + "networkGroupId": "[variables('networkGroupIdSandbox1')]" + } + } + } + } + }, + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2023-04-01", + "name": "[uniqueString(variables('networkGroupIdSandbox1'))]", + "location": "[parameters('location')]", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "description": 
"AVNM intermediate root group membership Policy", + "displayName": "AVNM intermediate root group membership Policy", + "enforcementMode": "Default", + "resourceSelectors": [ + { + "name": "regionalResource", + "selectors": [ + { + "kind": "ResourceLocation", + "in": [ + "[parameters('location')]" + ] + } + ] + } + ], + "policyDefinitionId": "[managementGroupResourceId('Microsoft.Authorization/policyDefinitions', uniqueString(variables('networkGroupIdSandbox1')))]" + }, + "dependsOn": [ + "[format('Microsoft.Authorization/policyDefinitions/{0}', uniqueString(variables('networkGroupIdSandbox1')))]" + ] + }, + { + "condition": "[not(empty(parameters('locationSecondary')))]", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2023-04-01", + "name": "[uniqueString(variables('networkGroupIdSandbox2'))]", + "properties": { + "description": "AVNM intermediate root group membership Policy", + "displayName": "AVNM intermediate root group membership Policy", + "mode": "Microsoft.Network.Data", + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks" + } + ] + }, + "then": { + "effect": "addToNetworkGroup", + "details": { + "networkGroupId": "[variables('networkGroupIdSandbox2')]" + } + } + } + } + }, + { + "condition": "[not(empty(parameters('locationSecondary')))]", + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2023-04-01", + "name": "[uniqueString(variables('networkGroupIdSandbox2'))]", + "location": "[parameters('locationSecondary')]", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "description": "AVNM intermediate root group membership Policy", + "displayName": "AVNM intermediate root group membership Policy", + "enforcementMode": "Default", + "resourceSelectors": [ + { + "name": "regionalResource", + "selectors": [ + { + "kind": "ResourceLocation", + "in": [ + "[parameters('locationSecondary')]" + ] + } + ] + } + ], + "policyDefinitionId": 
"[managementGroupResourceId('Microsoft.Authorization/policyDefinitions', uniqueString(variables('networkGroupIdSandbox2')))]" + }, + "dependsOn": [ + "[format('Microsoft.Authorization/policyDefinitions/{0}', uniqueString(variables('networkGroupIdSandbox2')))]" + ] + }, + { + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2023-04-01", + "name": "[uniqueString(variables('networkGroupIdDecommissioned1'))]", + "properties": { + "description": "AVNM intermediate root group membership Policy", + "displayName": "AVNM intermediate root group membership Policy", + "mode": "Microsoft.Network.Data", + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks" + } + ] + }, + "then": { + "effect": "addToNetworkGroup", + "details": { + "networkGroupId": "[variables('networkGroupIdDecommissioned1')]" + } + } + } + } + }, + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2023-04-01", + "name": "[uniqueString(variables('networkGroupIdDecommissioned1'))]", + "location": "[parameters('location')]", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "description": "AVNM intermediate root group membership Policy", + "displayName": "AVNM intermediate root group membership Policy", + "enforcementMode": "Default", + "resourceSelectors": [ + { + "name": "regionalResource", + "selectors": [ + { + "kind": "ResourceLocation", + "in": [ + "[parameters('location')]" + ] + } + ] + } + ], + "policyDefinitionId": "[managementGroupResourceId('Microsoft.Authorization/policyDefinitions', uniqueString(variables('networkGroupIdDecommissioned1')))]" + }, + "dependsOn": [ + "[format('Microsoft.Authorization/policyDefinitions/{0}', uniqueString(variables('networkGroupIdDecommissioned1')))]" + ] + }, + { + "condition": "[not(empty(parameters('locationSecondary')))]", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2023-04-01", + "name": 
"[uniqueString(variables('networkGroupIdDecommissioned2'))]", + "properties": { + "description": "AVNM intermediate root group membership Policy", + "displayName": "AVNM intermediate root group membership Policy", + "mode": "Microsoft.Network.Data", + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks" + } + ] + }, + "then": { + "effect": "addToNetworkGroup", + "details": { + "networkGroupId": "[variables('networkGroupIdDecommissioned2')]" + } + } + } + } + }, + { + "condition": "[not(empty(parameters('locationSecondary')))]", + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2023-04-01", + "name": "[uniqueString(variables('networkGroupIdDecommissioned2'))]", + "location": "[parameters('locationSecondary')]", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "description": "AVNM intermediate root group membership Policy", + "displayName": "AVNM intermediate root group membership Policy", + "enforcementMode": "Default", + "resourceSelectors": [ + { + "name": "regionalResource", + "selectors": [ + { + "kind": "ResourceLocation", + "in": [ + "[parameters('locationSecondary')]" + ] + } + ] + } + ], + "policyDefinitionId": "[managementGroupResourceId('Microsoft.Authorization/policyDefinitions', uniqueString(variables('networkGroupIdDecommissioned2')))]" }, "dependsOn": [ - "AVNMRegionalGroupMembershipPolicy" + "[format('Microsoft.Authorization/policyDefinitions/{0}', uniqueString(variables('networkGroupIdDecommissioned2')))]" ] } ] diff --git a/eslzArm/subscriptionTemplates/avnmPolicy.parameters.json b/eslzArm/subscriptionTemplates/avnmPolicy.parameters.json new file mode 100644 index 0000000000..848d217fa1 --- /dev/null +++ b/eslzArm/subscriptionTemplates/avnmPolicy.parameters.json 
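Review bot: Every policy definition and assignment added in this hunk — Identity, Management, Connectivity, Sandbox and Decommissioned, primary and secondary region — carries the same `"description"`/`"displayName"` `"AVNM intermediate root group membership Policy"`, and each resource `name` is an opaque `uniqueString(...)` hash, so nothing in the portal, in compliance views or in an activity-log entry tells an operator which network group a given policy feeds. Because `addToNetworkGroup` silently places every virtual network under the management group into AVNM connectivity and security-admin configurations, each assignment should identify its target, e.g. `"displayName": "[format('AVNM Management network group membership ({0})', parameters('locationSecondary'))]"`. The twenty near-identical resource pairs also read as copy-paste; a `copy` loop with `copyIndex()` over a variable array of network group ids would keep names, descriptions and the `locationSecondary` conditions in one place. The assignment at the top of the hunk and the enclosing `resources` array both begin outside it.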
@@ -0,0 +1,18 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "value": "ALZ1"
+ },
+ "location": {
+ "value": "swedencentral"
+ },
+ "locationSecondary": {
+ "value": "uksouth"
+ },
+ "connectivitySubscriptionId": {
+ "value": "4d635c54-e5db-4c3e-8bb3-e58cf8907241"
+ }
+ }
+}
\ No newline at end of file
From 399bee684a5ca077ec52f8ee07f7c4dd47926abb Mon Sep 17 00:00:00 2001
From: Sacha Narinx
Date: Fri, 20 Dec 2024 11:49:30 +0400
Subject: [PATCH 211/226] .
---
 eslzArm/subscriptionTemplates/avnmPolicy.json | 1956 ++++++++++-------
 1 file changed, 1130 insertions(+), 826 deletions(-)
diff --git a/eslzArm/subscriptionTemplates/avnmPolicy.json b/eslzArm/subscriptionTemplates/avnmPolicy.json
index c9f60c2e8b..2f02695525 100644
--- a/eslzArm/subscriptionTemplates/avnmPolicy.json
+++ b/eslzArm/subscriptionTemplates/avnmPolicy.json
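Review bot: `connectivitySubscriptionId` in the new parameters file is set to `4d635c54-e5db-4c3e-8bb3-e58cf8907241`, which looks like a real subscription id rather than a placeholder; together with the prefix `ALZ1` and the two concrete regions it ties a committed sample to one tenant, and a deployment run with the file unchanged would point the membership policies at that subscription's network groups. Replace it with an obviously fake value, `"value": "00000000-0000-0000-0000-000000000000"`, or omit the `value` so the deployment fails fast until the caller supplies one. The file is also committed without a trailing newline (`\ No newline at end of file`).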
@@ -214,171 +214,475 @@ }, { "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "[format('AvnmAssignment-{0}-corp', parameters('topLevelManagementGroupPrefix'))]", - "scope": "[format('Microsoft.Management/managementGroups/{0}-corp', parameters('topLevelManagementGroupPrefix'))]", + "apiVersion": "2022-09-01", + "name": "policyCorp", + "scope": "[format('Microsoft.Management/managementGroups/{0}', format('{0}-corp', parameters('topLevelManagementGroupPrefix')))]", "location": "[deployment().location]", "properties": { "expressionEvaluationOptions": { - "scope": "inner" + "scope": "inner" }, "mode": "Incremental", + "parameters": { + "location": { + "value": "[parameters('location')]" + }, + "locationSecondary": { + "value": "[parameters('locationSecondary')]" + }, + "mgmtGroup": { + "value": "[format('{0}-corp', parameters('topLevelManagementGroupPrefix'))]" + }, + "connectivitySubscriptionId": { + "value": "[parameters('connectivitySubscriptionId')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.32.4.45862", + "templateHash": "15861206698474595241" + } + }, "parameters": { "location": { - "value": "[parameters('location')]" + "type": "string" }, "locationSecondary": { - "value": "[parameters('locationSecondary')]" + "type": "string" + }, + "mgmtGroup": { + "type": "string" + }, + "connectivitySubscriptionId": { + "type": "string" } }, "variables": { - "networkGroupIdCorp1": { - "value": "[variables('networkGroupIdCorp1')]" + "networkGroupId1": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-corp-{0}', parameters('location')))]", + "networkGroupId2": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 
'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-corp-{0}', parameters('locationSecondary')))]" + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2023-04-01", + "name": "[format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location'))]", + "properties": { + "policyType": "Custom", + "mode": "Microsoft.Network.Data", + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks" + } + ] + }, + "then": { + "effect": "addToNetworkGroup", + "details": { + "networkGroupId": "[variables('networkGroupId1')]" + } + } + } + } + }, + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2023-04-01", + "name": "[uniqueString(format('ALZAvnmPolicyAssignment{0}1', parameters('mgmtGroup')))]", + "properties": { + "policyDefinitionId": "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location')))]", + "resourceSelectors": [ + { + "name": "regionalResource", + "selectors": [ + { + "kind": "ResourceLocation", + "in": [ + "[parameters('location')]" + ] + } + ] + } + ] + }, + "dependsOn": [ + "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location')))]" + ] + }, + { + "condition": "[not(empty(parameters('locationSecondary')))]", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2023-04-01", + "name": "[format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('locationSecondary'))]", + "properties": { + "policyType": "Custom", + "mode": "Microsoft.Network.Data", + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks" + } + ] + }, + "then": { + "effect": "addToNetworkGroup", + "details": { + "networkGroupId": 
"[variables('networkGroupId2')]" + } + } + } + } }, - "networkGroupIdCorp2": { - "value": "[variables('networkGroupIdCorp2')]" + { + "condition": "[not(empty(parameters('locationSecondary')))]", + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2023-04-01", + "name": "[uniqueString(format('ALZAvnmPolicyAssignment{0}2', parameters('mgmtGroup')))]", + "properties": { + "policyDefinitionId": "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('locationSecondary')))]", + "resourceSelectors": [ + { + "name": "regionalResource", + "selectors": [ + { + "kind": "ResourceLocation", + "in": [ + "[parameters('locationSecondary')]" + ] + } + ] + } + ] + }, + "dependsOn": [ + "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('locationSecondary')))]" + ] } + ] + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "policyOnline", + "scope": "[format('Microsoft.Management/managementGroups/{0}', format('{0}-online', parameters('topLevelManagementGroupPrefix')))]", + "location": "[deployment().location]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "location": { + "value": "[parameters('location')]" + }, + "locationSecondary": { + "value": "[parameters('locationSecondary')]" + }, + "mgmtGroup": { + "value": "[format('{0}-online', parameters('topLevelManagementGroupPrefix'))]" + }, + "connectivitySubscriptionId": { + "value": "[parameters('connectivitySubscriptionId')]" + } }, "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "location": { - "type": "string" - }, - "locationSecondary": { - "type": "string" - } 
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.32.4.45862", + "templateHash": "15861206698474595241" + } + }, + "parameters": { + "location": { + "type": "string" + }, + "locationSecondary": { + "type": "string" + }, + "mgmtGroup": { + "type": "string" }, - "variables": { - "networkGroupIdCorp1": { - "type": "string" + "connectivitySubscriptionId": { + "type": "string" + } + }, + "variables": { + "networkGroupId1": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-online-{0}', parameters('location')))]", + "networkGroupId2": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-online-{0}', parameters('locationSecondary')))]" + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2023-04-01", + "name": "[format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location'))]", + "properties": { + "policyType": "Custom", + "mode": "Microsoft.Network.Data", + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks" + } + ] }, - "networkGroupIdCorp2": { - "type": "string" + "then": { + "effect": "addToNetworkGroup", + "details": { + "networkGroupId": "[variables('networkGroupId1')]" + } + } } + } }, - "resources": [ + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2023-04-01", + "name": "[uniqueString(format('ALZAvnmPolicyAssignment{0}1', parameters('mgmtGroup')))]", + "properties": { + "policyDefinitionId": "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location')))]", + 
"resourceSelectors": [ { - "type": "Microsoft.Authorization/policyDefinitions", - "apiVersion": "2023-04-01", - "name": "[uniqueString(variables('networkGroupIdCorp1'))]", - "properties": { - "description": "AVNM Corp management group membership Policy", - "displayName": "AVNM Corp management group membership Policy", - "mode": "Microsoft.Network.Data", - "policyRule": { - "if": { - "allOf": [ - { - "field": "type", - "equals": "Microsoft.Network/virtualNetworks" - } - ] - }, - "then": { - "effect": "addToNetworkGroup", - "details": { - "networkGroupId": "[variables('networkGroupIdCorp1')]" - } - } - } + "name": "regionalResource", + "selectors": [ + { + "kind": "ResourceLocation", + "in": [ + "[parameters('location')]" + ] + } + ] + } + ] + }, + "dependsOn": [ + "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location')))]" + ] + }, + { + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2023-04-01", + "name": "[format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('locationSecondary'))]", + "properties": { + "policyType": "Custom", + "mode": "Microsoft.Network.Data", + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks" } + ] }, + "then": { + "effect": "addToNetworkGroup", + "details": { + "networkGroupId": "[variables('networkGroupId2')]" + } + } + } + } + }, + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2023-04-01", + "name": "[uniqueString(format('ALZAvnmPolicyAssignment{0}2', parameters('mgmtGroup')))]", + "properties": { + "policyDefinitionId": "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('locationSecondary')))]", + "resourceSelectors": [ { - "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2023-04-01", - 
"name": "[uniqueString(variables('networkGroupIdCorp1'))]", - "location": "[parameters('location')]", - "identity": { - "type": "SystemAssigned" - }, - "properties": { - "description": "AVNM Corp management group membership Policy", - "displayName": "AVNM Corp management group membership Policy", - "enforcementMode": "Default", - "resourceSelectors": [ - { - "name": "regionalResource", - "selectors": [ - { - "kind": "ResourceLocation", - "in": [ - "[parameters('location')]" - ] - } - ] - } - ], - "policyDefinitionId": "[managementGroupResourceId('Microsoft.Authorization/policyDefinitions', uniqueString(variables('networkGroupIdCorp1')))]" - }, - "dependsOn": [ - "[format('Microsoft.Authorization/policyDefinitions/{0}', uniqueString(variables('networkGroupIdCorp1')))]" + "name": "regionalResource", + "selectors": [ + { + "kind": "ResourceLocation", + "in": [ + "[parameters('locationSecondary')]" + ] + } + ] + } + ] + }, + "dependsOn": [ + "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('locationSecondary')))]" + ] + } + ] + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "policyIdentity", + "scope": "[format('Microsoft.Management/managementGroups/{0}', format('{0}-identity', parameters('topLevelManagementGroupPrefix')))]", + "location": "[deployment().location]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "location": { + "value": "[parameters('location')]" + }, + "locationSecondary": { + "value": "[parameters('locationSecondary')]" + }, + "mgmtGroup": { + "value": "[format('{0}-identity', parameters('topLevelManagementGroupPrefix'))]" + }, + "connectivitySubscriptionId": { + "value": "[parameters('connectivitySubscriptionId')]" + } + }, + "template": { + "$schema": 
"https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.32.4.45862", + "templateHash": "15861206698474595241" + } + }, + "parameters": { + "location": { + "type": "string" + }, + "locationSecondary": { + "type": "string" + }, + "mgmtGroup": { + "type": "string" + }, + "connectivitySubscriptionId": { + "type": "string" + } + }, + "variables": { + "networkGroupId1": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-identity-{0}', parameters('location')))]", + "networkGroupId2": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-identity-{0}', parameters('locationSecondary')))]" + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2023-04-01", + "name": "[format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location'))]", + "properties": { + "policyType": "Custom", + "mode": "Microsoft.Network.Data", + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks" + } ] }, + "then": { + "effect": "addToNetworkGroup", + "details": { + "networkGroupId": "[variables('networkGroupId1')]" + } + } + } + } + }, + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2023-04-01", + "name": "[uniqueString(format('ALZAvnmPolicyAssignment{0}1', parameters('mgmtGroup')))]", + "properties": { + "policyDefinitionId": "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location')))]", + "resourceSelectors": [ { - "condition": "[not(empty(parameters('locationSecondary')))]", - "type": "Microsoft.Authorization/policyDefinitions", - 
"apiVersion": "2023-04-01", - "name": "[uniqueString(variables('networkGroupIdCorp2'))]", - "properties": { - "description": "AVNM Corp management group membership Policy", - "displayName": "AVNM Corp management group membership Policy", - "mode": "Microsoft.Network.Data", - "policyRule": { - "if": { - "allOf": [ - { - "field": "type", - "equals": "Microsoft.Network/virtualNetworks" - } - ] - }, - "then": { - "effect": "addToNetworkGroup", - "details": { - "networkGroupId": "[variables('networkGroupIdCorp2')]" - } - } - } + "name": "regionalResource", + "selectors": [ + { + "kind": "ResourceLocation", + "in": [ + "[parameters('location')]" + ] + } + ] + } + ] + }, + "dependsOn": [ + "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location')))]" + ] + }, + { + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2023-04-01", + "name": "[format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('locationSecondary'))]", + "properties": { + "policyType": "Custom", + "mode": "Microsoft.Network.Data", + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks" } + ] }, + "then": { + "effect": "addToNetworkGroup", + "details": { + "networkGroupId": "[variables('networkGroupId2')]" + } + } + } + } + }, + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2023-04-01", + "name": "[uniqueString(format('ALZAvnmPolicyAssignment{0}2', parameters('mgmtGroup')))]", + "properties": { + "policyDefinitionId": "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('locationSecondary')))]", + "resourceSelectors": [ { - "condition": "[not(empty(parameters('locationSecondary')))]", - "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2023-04-01", - "name": 
"[uniqueString(variables('networkGroupIdCorp2'))]", - "location": "[parameters('locationSecondary')]", - "identity": { - "type": "SystemAssigned" - }, - "properties": { - "description": "AVNM intermediate root group membership Policy", - "displayName": "AVNM intermediate root group membership Policy", - "enforcementMode": "Default", - "resourceSelectors": [ - { - "name": "regionalResource", - "selectors": [ - { - "kind": "ResourceLocation", - "in": [ - "[parameters('locationSecondary')]" - ] - } - ] - } - ], - "policyDefinitionId": "[managementGroupResourceId('Microsoft.Authorization/policyDefinitions', uniqueString(variables('networkGroupIdCorp2')))]" - }, - "dependsOn": [ - "[format('Microsoft.Authorization/policyDefinitions/{0}', uniqueString(variables('networkGroupIdCorp2')))]" + "name": "regionalResource", + "selectors": [ + { + "kind": "ResourceLocation", + "in": [ + "[parameters('locationSecondary')]" + ] + } ] } + ] + }, + "dependsOn": [ + "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('locationSecondary')))]" ] + } + ] } } - }, + } + // { // "type": "Microsoft.Authorization/policyDefinitions", // "apiVersion": "2023-04-01", 
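Review bot: The `policyOnline` and `policyIdentity` inner templates omit the `"condition": "[not(empty(parameters('locationSecondary')))]"` that the `policyCorp` template puts on its secondary-region `ALZAvnmPolicy{0}{1}` definition and `ALZAvnmPolicyAssignment{0}2` assignment, so with an empty `locationSecondary` those two deployments still create a definition whose `networkGroupId` ends in `avnm-ng-online-` / `avnm-ng-identity-` (a group the AVNM deployment is unlikely to have created) and an assignment whose resource selector is `"in": [""]`. Add the same `condition` line to both resources in each of the two templates. The identical `"templateHash": "15861206698474595241"` in all three `_generator` blocks is suspicious once the templates diverge in `variables` and suggests they were hand-edited after Bicep emitted them; regenerating from the Bicep source, or dropping the `_generator` metadata, would avoid a misleading provenance claim. The resource-group name `'rg-alz-avnm'` and manager name `'avnm'` inside `resourceId(...)` are hard-coded in each template while `connectivitySubscriptionId` is passed in; passing them as parameters too keeps the policies aligned with whatever the AVNM deployment actually names those resources. The `resources` array this hunk edits starts before it and continues into the next hunk.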
@@ -495,701 +799,701 @@ // "[format('Microsoft.Authorization/policyDefinitions/{0}', uniqueString(variables('networkGroupIdCorp2')))]" // ] // }, - { - "type": "Microsoft.Authorization/policyDefinitions", - "apiVersion": "2023-04-01", - "name": "[uniqueString(variables('networkGroupIdOnline1'))]", - "properties": { - "description": "AVNM intermediate root group membership Policy", - "displayName": "AVNM intermediate root group membership Policy", - "mode": "Microsoft.Network.Data", - "policyRule": { - "if": { - "allOf": [ - { - "field": "type", - "equals": "Microsoft.Network/virtualNetworks" - } - ] - }, - "then": { - "effect": "addToNetworkGroup", - "details": { - "networkGroupId": "[variables('networkGroupIdOnline1')]" - } - } - } - } - }, - { - "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2023-04-01", - "name": "[uniqueString(variables('networkGroupIdOnline1'))]", - "location": "[parameters('location')]", - "identity": { - "type": "SystemAssigned" - }, - "properties": { - "description": "AVNM intermediate root group membership Policy", - "displayName": "AVNM intermediate root group membership Policy", - "enforcementMode": "Default", - "resourceSelectors": [ - { - "name": "regionalResource", - "selectors": [ - { - "kind": "ResourceLocation", - "in": [ - "[parameters('location')]" - ] - } - ] - } - ], - "policyDefinitionId": "[managementGroupResourceId('Microsoft.Authorization/policyDefinitions', uniqueString(variables('networkGroupIdOnline1')))]" - }, - "dependsOn": [ - "[format('Microsoft.Authorization/policyDefinitions/{0}', uniqueString(variables('networkGroupIdOnline1')))]" - ] - }, - { - "condition": "[not(empty(parameters('locationSecondary')))]", - "type": "Microsoft.Authorization/policyDefinitions", - "apiVersion": "2023-04-01", - "name": "[uniqueString(variables('networkGroupIdOnline2'))]", - "properties": { - "description": "AVNM intermediate root group membership Policy", - "displayName": "AVNM intermediate root group 
membership Policy", - "mode": "Microsoft.Network.Data", - "policyRule": { - "if": { - "allOf": [ - { - "field": "type", - "equals": "Microsoft.Network/virtualNetworks" - } - ] - }, - "then": { - "effect": "addToNetworkGroup", - "details": { - "networkGroupId": "[variables('networkGroupIdOnline2')]" - } - } - } - } - }, - { - "condition": "[not(empty(parameters('locationSecondary')))]", - "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2023-04-01", - "name": "[uniqueString(variables('networkGroupIdOnline2'))]", - "location": "[parameters('locationSecondary')]", - "identity": { - "type": "SystemAssigned" - }, - "properties": { - "description": "AVNM intermediate root group membership Policy", - "displayName": "AVNM intermediate root group membership Policy", - "enforcementMode": "Default", - "resourceSelectors": [ - { - "name": "regionalResource", - "selectors": [ - { - "kind": "ResourceLocation", - "in": [ - "[parameters('locationSecondary')]" - ] - } - ] - } - ], - "policyDefinitionId": "[managementGroupResourceId('Microsoft.Authorization/policyDefinitions', uniqueString(variables('networkGroupIdOnline2')))]" - }, - "dependsOn": [ - "[format('Microsoft.Authorization/policyDefinitions/{0}', uniqueString(variables('networkGroupIdOnline2')))]" - ] - }, - { - "type": "Microsoft.Authorization/policyDefinitions", - "apiVersion": "2023-04-01", - "name": "[uniqueString(variables('networkGroupIdIdentity1'))]", - "properties": { - "description": "AVNM intermediate root group membership Policy", - "displayName": "AVNM intermediate root group membership Policy", - "mode": "Microsoft.Network.Data", - "policyRule": { - "if": { - "allOf": [ - { - "field": "type", - "equals": "Microsoft.Network/virtualNetworks" - } - ] - }, - "then": { - "effect": "addToNetworkGroup", - "details": { - "networkGroupId": "[variables('networkGroupIdIdentity1')]" - } - } - } - } - }, - { - "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2023-04-01", - 
"name": "[uniqueString(variables('networkGroupIdIdentity1'))]", - "location": "[parameters('location')]", - "identity": { - "type": "SystemAssigned" - }, - "properties": { - "description": "AVNM intermediate root group membership Policy", - "displayName": "AVNM intermediate root group membership Policy", - "enforcementMode": "Default", - "resourceSelectors": [ - { - "name": "regionalResource", - "selectors": [ - { - "kind": "ResourceLocation", - "in": [ - "[parameters('location')]" - ] - } - ] - } - ], - "policyDefinitionId": "[managementGroupResourceId('Microsoft.Authorization/policyDefinitions', uniqueString(variables('networkGroupIdIdentity1')))]" - }, - "dependsOn": [ - "[format('Microsoft.Authorization/policyDefinitions/{0}', uniqueString(variables('networkGroupIdIdentity1')))]" - ] - }, - { - "condition": "[not(empty(parameters('locationSecondary')))]", - "type": "Microsoft.Authorization/policyDefinitions", - "apiVersion": "2023-04-01", - "name": "[uniqueString(variables('networkGroupIdIdentity2'))]", - "properties": { - "description": "AVNM intermediate root group membership Policy", - "displayName": "AVNM intermediate root group membership Policy", - "mode": "Microsoft.Network.Data", - "policyRule": { - "if": { - "allOf": [ - { - "field": "type", - "equals": "Microsoft.Network/virtualNetworks" - } - ] - }, - "then": { - "effect": "addToNetworkGroup", - "details": { - "networkGroupId": "[variables('networkGroupIdIdentity2')]" - } - } - } - } - }, - { - "condition": "[not(empty(parameters('locationSecondary')))]", - "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2023-04-01", - "name": "[uniqueString(variables('networkGroupIdIdentity2'))]", - "location": "[parameters('locationSecondary')]", - "identity": { - "type": "SystemAssigned" - }, - "properties": { - "description": "AVNM intermediate root group membership Policy", - "displayName": "AVNM intermediate root group membership Policy", - "enforcementMode": "Default", - 
"resourceSelectors": [ - { - "name": "regionalResource", - "selectors": [ - { - "kind": "ResourceLocation", - "in": [ - "[parameters('locationSecondary')]" - ] - } - ] - } - ], - "policyDefinitionId": "[managementGroupResourceId('Microsoft.Authorization/policyDefinitions', uniqueString(variables('networkGroupIdIdentity2')))]" - }, - "dependsOn": [ - "[format('Microsoft.Authorization/policyDefinitions/{0}', uniqueString(variables('networkGroupIdIdentity2')))]" - ] - }, - { - "type": "Microsoft.Authorization/policyDefinitions", - "apiVersion": "2023-04-01", - "name": "[uniqueString(variables('networkGroupIdManagement1'))]", - "properties": { - "description": "AVNM intermediate root group membership Policy", - "displayName": "AVNM intermediate root group membership Policy", - "mode": "Microsoft.Network.Data", - "policyRule": { - "if": { - "allOf": [ - { - "field": "type", - "equals": "Microsoft.Network/virtualNetworks" - } - ] - }, - "then": { - "effect": "addToNetworkGroup", - "details": { - "networkGroupId": "[variables('networkGroupIdManagement1')]" - } - } - } - } - }, - { - "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2023-04-01", - "name": "[uniqueString(variables('networkGroupIdManagement1'))]", - "location": "[parameters('location')]", - "identity": { - "type": "SystemAssigned" - }, - "properties": { - "description": "AVNM intermediate root group membership Policy", - "displayName": "AVNM intermediate root group membership Policy", - "enforcementMode": "Default", - "resourceSelectors": [ - { - "name": "regionalResource", - "selectors": [ - { - "kind": "ResourceLocation", - "in": [ - "[parameters('location')]" - ] - } - ] - } - ], - "policyDefinitionId": "[managementGroupResourceId('Microsoft.Authorization/policyDefinitions', uniqueString(variables('networkGroupIdManagement1')))]" - }, - "dependsOn": [ - "[format('Microsoft.Authorization/policyDefinitions/{0}', uniqueString(variables('networkGroupIdManagement1')))]" - ] - }, - { - 
"condition": "[not(empty(parameters('locationSecondary')))]", - "type": "Microsoft.Authorization/policyDefinitions", - "apiVersion": "2023-04-01", - "name": "[uniqueString(variables('networkGroupIdManagement2'))]", - "properties": { - "description": "AVNM intermediate root group membership Policy", - "displayName": "AVNM intermediate root group membership Policy", - "mode": "Microsoft.Network.Data", - "policyRule": { - "if": { - "allOf": [ - { - "field": "type", - "equals": "Microsoft.Network/virtualNetworks" - } - ] - }, - "then": { - "effect": "addToNetworkGroup", - "details": { - "networkGroupId": "[variables('networkGroupIdManagement2')]" - } - } - } - } - }, - { - "condition": "[not(empty(parameters('locationSecondary')))]", - "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2023-04-01", - "name": "[uniqueString(variables('networkGroupIdManagement2'))]", - "location": "[parameters('locationSecondary')]", - "identity": { - "type": "SystemAssigned" - }, - "properties": { - "description": "AVNM intermediate root group membership Policy", - "displayName": "AVNM intermediate root group membership Policy", - "enforcementMode": "Default", - "resourceSelectors": [ - { - "name": "regionalResource", - "selectors": [ - { - "kind": "ResourceLocation", - "in": [ - "[parameters('locationSecondary')]" - ] - } - ] - } - ], - "policyDefinitionId": "[managementGroupResourceId('Microsoft.Authorization/policyDefinitions', uniqueString(variables('networkGroupIdManagement2')))]" - }, - "dependsOn": [ - "[format('Microsoft.Authorization/policyDefinitions/{0}', uniqueString(variables('networkGroupIdManagement2')))]" - ] - }, - { - "type": "Microsoft.Authorization/policyDefinitions", - "apiVersion": "2023-04-01", - "name": "[uniqueString(variables('networkGroupIdConnectivity1'))]", - "properties": { - "description": "AVNM intermediate root group membership Policy", - "displayName": "AVNM intermediate root group membership Policy", - "mode": 
"Microsoft.Network.Data", - "policyRule": { - "if": { - "allOf": [ - { - "field": "type", - "equals": "Microsoft.Network/virtualNetworks" - } - ] - }, - "then": { - "effect": "addToNetworkGroup", - "details": { - "networkGroupId": "[variables('networkGroupIdConnectivity1')]" - } - } - } - } - }, - { - "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2023-04-01", - "name": "[uniqueString(variables('networkGroupIdConnectivity1'))]", - "location": "[parameters('location')]", - "identity": { - "type": "SystemAssigned" - }, - "properties": { - "description": "AVNM intermediate root group membership Policy", - "displayName": "AVNM intermediate root group membership Policy", - "enforcementMode": "Default", - "resourceSelectors": [ - { - "name": "regionalResource", - "selectors": [ - { - "kind": "ResourceLocation", - "in": [ - "[parameters('location')]" - ] - } - ] - } - ], - "policyDefinitionId": "[managementGroupResourceId('Microsoft.Authorization/policyDefinitions', uniqueString(variables('networkGroupIdConnectivity1')))]" - }, - "dependsOn": [ - "[format('Microsoft.Authorization/policyDefinitions/{0}', uniqueString(variables('networkGroupIdConnectivity1')))]" - ] - }, - { - "condition": "[not(empty(parameters('locationSecondary')))]", - "type": "Microsoft.Authorization/policyDefinitions", - "apiVersion": "2023-04-01", - "name": "[uniqueString(variables('networkGroupIdConnectivity2'))]", - "properties": { - "description": "AVNM intermediate root group membership Policy", - "displayName": "AVNM intermediate root group membership Policy", - "mode": "Microsoft.Network.Data", - "policyRule": { - "if": { - "allOf": [ - { - "field": "type", - "equals": "Microsoft.Network/virtualNetworks" - } - ] - }, - "then": { - "effect": "addToNetworkGroup", - "details": { - "networkGroupId": "[variables('networkGroupIdConnectivity2')]" - } - } - } - } - }, - { - "condition": "[not(empty(parameters('locationSecondary')))]", - "type": 
"Microsoft.Authorization/policyAssignments", - "apiVersion": "2023-04-01", - "name": "[uniqueString(variables('networkGroupIdConnectivity2'))]", - "location": "[parameters('locationSecondary')]", - "identity": { - "type": "SystemAssigned" - }, - "properties": { - "description": "AVNM intermediate root group membership Policy", - "displayName": "AVNM intermediate root group membership Policy", - "enforcementMode": "Default", - "resourceSelectors": [ - { - "name": "regionalResource", - "selectors": [ - { - "kind": "ResourceLocation", - "in": [ - "[parameters('locationSecondary')]" - ] - } - ] - } - ], - "policyDefinitionId": "[managementGroupResourceId('Microsoft.Authorization/policyDefinitions', uniqueString(variables('networkGroupIdConnectivity2')))]" - }, - "dependsOn": [ - "[format('Microsoft.Authorization/policyDefinitions/{0}', uniqueString(variables('networkGroupIdConnectivity2')))]" - ] - }, - { - "type": "Microsoft.Authorization/policyDefinitions", - "apiVersion": "2023-04-01", - "name": "[uniqueString(variables('networkGroupIdSandbox1'))]", - "properties": { - "description": "AVNM intermediate root group membership Policy", - "displayName": "AVNM intermediate root group membership Policy", - "mode": "Microsoft.Network.Data", - "policyRule": { - "if": { - "allOf": [ - { - "field": "type", - "equals": "Microsoft.Network/virtualNetworks" - } - ] - }, - "then": { - "effect": "addToNetworkGroup", - "details": { - "networkGroupId": "[variables('networkGroupIdSandbox1')]" - } - } - } - } - }, - { - "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2023-04-01", - "name": "[uniqueString(variables('networkGroupIdSandbox1'))]", - "location": "[parameters('location')]", - "identity": { - "type": "SystemAssigned" - }, - "properties": { - "description": "AVNM intermediate root group membership Policy", - "displayName": "AVNM intermediate root group membership Policy", - "enforcementMode": "Default", - "resourceSelectors": [ - { - "name": 
"regionalResource", - "selectors": [ - { - "kind": "ResourceLocation", - "in": [ - "[parameters('location')]" - ] - } - ] - } - ], - "policyDefinitionId": "[managementGroupResourceId('Microsoft.Authorization/policyDefinitions', uniqueString(variables('networkGroupIdSandbox1')))]" - }, - "dependsOn": [ - "[format('Microsoft.Authorization/policyDefinitions/{0}', uniqueString(variables('networkGroupIdSandbox1')))]" - ] - }, - { - "condition": "[not(empty(parameters('locationSecondary')))]", - "type": "Microsoft.Authorization/policyDefinitions", - "apiVersion": "2023-04-01", - "name": "[uniqueString(variables('networkGroupIdSandbox2'))]", - "properties": { - "description": "AVNM intermediate root group membership Policy", - "displayName": "AVNM intermediate root group membership Policy", - "mode": "Microsoft.Network.Data", - "policyRule": { - "if": { - "allOf": [ - { - "field": "type", - "equals": "Microsoft.Network/virtualNetworks" - } - ] - }, - "then": { - "effect": "addToNetworkGroup", - "details": { - "networkGroupId": "[variables('networkGroupIdSandbox2')]" - } - } - } - } - }, - { - "condition": "[not(empty(parameters('locationSecondary')))]", - "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2023-04-01", - "name": "[uniqueString(variables('networkGroupIdSandbox2'))]", - "location": "[parameters('locationSecondary')]", - "identity": { - "type": "SystemAssigned" - }, - "properties": { - "description": "AVNM intermediate root group membership Policy", - "displayName": "AVNM intermediate root group membership Policy", - "enforcementMode": "Default", - "resourceSelectors": [ - { - "name": "regionalResource", - "selectors": [ - { - "kind": "ResourceLocation", - "in": [ - "[parameters('locationSecondary')]" - ] - } - ] - } - ], - "policyDefinitionId": "[managementGroupResourceId('Microsoft.Authorization/policyDefinitions', uniqueString(variables('networkGroupIdSandbox2')))]" - }, - "dependsOn": [ - 
"[format('Microsoft.Authorization/policyDefinitions/{0}', uniqueString(variables('networkGroupIdSandbox2')))]" - ] - }, - { - "type": "Microsoft.Authorization/policyDefinitions", - "apiVersion": "2023-04-01", - "name": "[uniqueString(variables('networkGroupIdDecommissioned1'))]", - "properties": { - "description": "AVNM intermediate root group membership Policy", - "displayName": "AVNM intermediate root group membership Policy", - "mode": "Microsoft.Network.Data", - "policyRule": { - "if": { - "allOf": [ - { - "field": "type", - "equals": "Microsoft.Network/virtualNetworks" - } - ] - }, - "then": { - "effect": "addToNetworkGroup", - "details": { - "networkGroupId": "[variables('networkGroupIdDecommissioned1')]" - } - } - } - } - }, - { - "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2023-04-01", - "name": "[uniqueString(variables('networkGroupIdDecommissioned1'))]", - "location": "[parameters('location')]", - "identity": { - "type": "SystemAssigned" - }, - "properties": { - "description": "AVNM intermediate root group membership Policy", - "displayName": "AVNM intermediate root group membership Policy", - "enforcementMode": "Default", - "resourceSelectors": [ - { - "name": "regionalResource", - "selectors": [ - { - "kind": "ResourceLocation", - "in": [ - "[parameters('location')]" - ] - } - ] - } - ], - "policyDefinitionId": "[managementGroupResourceId('Microsoft.Authorization/policyDefinitions', uniqueString(variables('networkGroupIdDecommissioned1')))]" - }, - "dependsOn": [ - "[format('Microsoft.Authorization/policyDefinitions/{0}', uniqueString(variables('networkGroupIdDecommissioned1')))]" - ] - }, - { - "condition": "[not(empty(parameters('locationSecondary')))]", - "type": "Microsoft.Authorization/policyDefinitions", - "apiVersion": "2023-04-01", - "name": "[uniqueString(variables('networkGroupIdDecommissioned2'))]", - "properties": { - "description": "AVNM intermediate root group membership Policy", - "displayName": "AVNM 
intermediate root group membership Policy", - "mode": "Microsoft.Network.Data", - "policyRule": { - "if": { - "allOf": [ - { - "field": "type", - "equals": "Microsoft.Network/virtualNetworks" - } - ] - }, - "then": { - "effect": "addToNetworkGroup", - "details": { - "networkGroupId": "[variables('networkGroupIdDecommissioned2')]" - } - } - } - } - }, - { - "condition": "[not(empty(parameters('locationSecondary')))]", - "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2023-04-01", - "name": "[uniqueString(variables('networkGroupIdDecommissioned2'))]", - "location": "[parameters('locationSecondary')]", - "identity": { - "type": "SystemAssigned" - }, - "properties": { - "description": "AVNM intermediate root group membership Policy", - "displayName": "AVNM intermediate root group membership Policy", - "enforcementMode": "Default", - "resourceSelectors": [ - { - "name": "regionalResource", - "selectors": [ - { - "kind": "ResourceLocation", - "in": [ - "[parameters('locationSecondary')]" - ] - } - ] - } - ], - "policyDefinitionId": "[managementGroupResourceId('Microsoft.Authorization/policyDefinitions', uniqueString(variables('networkGroupIdDecommissioned2')))]" - }, - "dependsOn": [ - "[format('Microsoft.Authorization/policyDefinitions/{0}', uniqueString(variables('networkGroupIdDecommissioned2')))]" - ] - } + // { + // "type": "Microsoft.Authorization/policyDefinitions", + // "apiVersion": "2023-04-01", + // "name": "[uniqueString(variables('networkGroupIdOnline1'))]", + // "properties": { + // "description": "AVNM intermediate root group membership Policy", + // "displayName": "AVNM intermediate root group membership Policy", + // "mode": "Microsoft.Network.Data", + // "policyRule": { + // "if": { + // "allOf": [ + // { + // "field": "type", + // "equals": "Microsoft.Network/virtualNetworks" + // } + // ] + // }, + // "then": { + // "effect": "addToNetworkGroup", + // "details": { + // "networkGroupId": "[variables('networkGroupIdOnline1')]" + // 
} + // } + // } + // } + // }, + // { + // "type": "Microsoft.Authorization/policyAssignments", + // "apiVersion": "2023-04-01", + // "name": "[uniqueString(variables('networkGroupIdOnline1'))]", + // "location": "[parameters('location')]", + // "identity": { + // "type": "SystemAssigned" + // }, + // "properties": { + // "description": "AVNM intermediate root group membership Policy", + // "displayName": "AVNM intermediate root group membership Policy", + // "enforcementMode": "Default", + // "resourceSelectors": [ + // { + // "name": "regionalResource", + // "selectors": [ + // { + // "kind": "ResourceLocation", + // "in": [ + // "[parameters('location')]" + // ] + // } + // ] + // } + // ], + // "policyDefinitionId": "[managementGroupResourceId('Microsoft.Authorization/policyDefinitions', uniqueString(variables('networkGroupIdOnline1')))]" + // }, + // "dependsOn": [ + // "[format('Microsoft.Authorization/policyDefinitions/{0}', uniqueString(variables('networkGroupIdOnline1')))]" + // ] + // }, + // { + // "condition": "[not(empty(parameters('locationSecondary')))]", + // "type": "Microsoft.Authorization/policyDefinitions", + // "apiVersion": "2023-04-01", + // "name": "[uniqueString(variables('networkGroupIdOnline2'))]", + // "properties": { + // "description": "AVNM intermediate root group membership Policy", + // "displayName": "AVNM intermediate root group membership Policy", + // "mode": "Microsoft.Network.Data", + // "policyRule": { + // "if": { + // "allOf": [ + // { + // "field": "type", + // "equals": "Microsoft.Network/virtualNetworks" + // } + // ] + // }, + // "then": { + // "effect": "addToNetworkGroup", + // "details": { + // "networkGroupId": "[variables('networkGroupIdOnline2')]" + // } + // } + // } + // } + // }, + // { + // "condition": "[not(empty(parameters('locationSecondary')))]", + // "type": "Microsoft.Authorization/policyAssignments", + // "apiVersion": "2023-04-01", + // "name": "[uniqueString(variables('networkGroupIdOnline2'))]", + 
// "location": "[parameters('locationSecondary')]", + // "identity": { + // "type": "SystemAssigned" + // }, + // "properties": { + // "description": "AVNM intermediate root group membership Policy", + // "displayName": "AVNM intermediate root group membership Policy", + // "enforcementMode": "Default", + // "resourceSelectors": [ + // { + // "name": "regionalResource", + // "selectors": [ + // { + // "kind": "ResourceLocation", + // "in": [ + // "[parameters('locationSecondary')]" + // ] + // } + // ] + // } + // ], + // "policyDefinitionId": "[managementGroupResourceId('Microsoft.Authorization/policyDefinitions', uniqueString(variables('networkGroupIdOnline2')))]" + // }, + // "dependsOn": [ + // "[format('Microsoft.Authorization/policyDefinitions/{0}', uniqueString(variables('networkGroupIdOnline2')))]" + // ] + // }, + // { + // "type": "Microsoft.Authorization/policyDefinitions", + // "apiVersion": "2023-04-01", + // "name": "[uniqueString(variables('networkGroupIdIdentity1'))]", + // "properties": { + // "description": "AVNM intermediate root group membership Policy", + // "displayName": "AVNM intermediate root group membership Policy", + // "mode": "Microsoft.Network.Data", + // "policyRule": { + // "if": { + // "allOf": [ + // { + // "field": "type", + // "equals": "Microsoft.Network/virtualNetworks" + // } + // ] + // }, + // "then": { + // "effect": "addToNetworkGroup", + // "details": { + // "networkGroupId": "[variables('networkGroupIdIdentity1')]" + // } + // } + // } + // } + // }, + // { + // "type": "Microsoft.Authorization/policyAssignments", + // "apiVersion": "2023-04-01", + // "name": "[uniqueString(variables('networkGroupIdIdentity1'))]", + // "location": "[parameters('location')]", + // "identity": { + // "type": "SystemAssigned" + // }, + // "properties": { + // "description": "AVNM intermediate root group membership Policy", + // "displayName": "AVNM intermediate root group membership Policy", + // "enforcementMode": "Default", + // 
"resourceSelectors": [ + // { + // "name": "regionalResource", + // "selectors": [ + // { + // "kind": "ResourceLocation", + // "in": [ + // "[parameters('location')]" + // ] + // } + // ] + // } + // ], + // "policyDefinitionId": "[managementGroupResourceId('Microsoft.Authorization/policyDefinitions', uniqueString(variables('networkGroupIdIdentity1')))]" + // }, + // "dependsOn": [ + // "[format('Microsoft.Authorization/policyDefinitions/{0}', uniqueString(variables('networkGroupIdIdentity1')))]" + // ] + // }, + // { + // "condition": "[not(empty(parameters('locationSecondary')))]", + // "type": "Microsoft.Authorization/policyDefinitions", + // "apiVersion": "2023-04-01", + // "name": "[uniqueString(variables('networkGroupIdIdentity2'))]", + // "properties": { + // "description": "AVNM intermediate root group membership Policy", + // "displayName": "AVNM intermediate root group membership Policy", + // "mode": "Microsoft.Network.Data", + // "policyRule": { + // "if": { + // "allOf": [ + // { + // "field": "type", + // "equals": "Microsoft.Network/virtualNetworks" + // } + // ] + // }, + // "then": { + // "effect": "addToNetworkGroup", + // "details": { + // "networkGroupId": "[variables('networkGroupIdIdentity2')]" + // } + // } + // } + // } + // }, + // { + // "condition": "[not(empty(parameters('locationSecondary')))]", + // "type": "Microsoft.Authorization/policyAssignments", + // "apiVersion": "2023-04-01", + // "name": "[uniqueString(variables('networkGroupIdIdentity2'))]", + // "location": "[parameters('locationSecondary')]", + // "identity": { + // "type": "SystemAssigned" + // }, + // "properties": { + // "description": "AVNM intermediate root group membership Policy", + // "displayName": "AVNM intermediate root group membership Policy", + // "enforcementMode": "Default", + // "resourceSelectors": [ + // { + // "name": "regionalResource", + // "selectors": [ + // { + // "kind": "ResourceLocation", + // "in": [ + // "[parameters('locationSecondary')]" + 
// ] + // } + // ] + // } + // ], + // "policyDefinitionId": "[managementGroupResourceId('Microsoft.Authorization/policyDefinitions', uniqueString(variables('networkGroupIdIdentity2')))]" + // }, + // "dependsOn": [ + // "[format('Microsoft.Authorization/policyDefinitions/{0}', uniqueString(variables('networkGroupIdIdentity2')))]" + // ] + // }, + // { + // "type": "Microsoft.Authorization/policyDefinitions", + // "apiVersion": "2023-04-01", + // "name": "[uniqueString(variables('networkGroupIdManagement1'))]", + // "properties": { + // "description": "AVNM intermediate root group membership Policy", + // "displayName": "AVNM intermediate root group membership Policy", + // "mode": "Microsoft.Network.Data", + // "policyRule": { + // "if": { + // "allOf": [ + // { + // "field": "type", + // "equals": "Microsoft.Network/virtualNetworks" + // } + // ] + // }, + // "then": { + // "effect": "addToNetworkGroup", + // "details": { + // "networkGroupId": "[variables('networkGroupIdManagement1')]" + // } + // } + // } + // } + // }, + // { + // "type": "Microsoft.Authorization/policyAssignments", + // "apiVersion": "2023-04-01", + // "name": "[uniqueString(variables('networkGroupIdManagement1'))]", + // "location": "[parameters('location')]", + // "identity": { + // "type": "SystemAssigned" + // }, + // "properties": { + // "description": "AVNM intermediate root group membership Policy", + // "displayName": "AVNM intermediate root group membership Policy", + // "enforcementMode": "Default", + // "resourceSelectors": [ + // { + // "name": "regionalResource", + // "selectors": [ + // { + // "kind": "ResourceLocation", + // "in": [ + // "[parameters('location')]" + // ] + // } + // ] + // } + // ], + // "policyDefinitionId": "[managementGroupResourceId('Microsoft.Authorization/policyDefinitions', uniqueString(variables('networkGroupIdManagement1')))]" + // }, + // "dependsOn": [ + // "[format('Microsoft.Authorization/policyDefinitions/{0}', 
uniqueString(variables('networkGroupIdManagement1')))]" + // ] + // }, + // { + // "condition": "[not(empty(parameters('locationSecondary')))]", + // "type": "Microsoft.Authorization/policyDefinitions", + // "apiVersion": "2023-04-01", + // "name": "[uniqueString(variables('networkGroupIdManagement2'))]", + // "properties": { + // "description": "AVNM intermediate root group membership Policy", + // "displayName": "AVNM intermediate root group membership Policy", + // "mode": "Microsoft.Network.Data", + // "policyRule": { + // "if": { + // "allOf": [ + // { + // "field": "type", + // "equals": "Microsoft.Network/virtualNetworks" + // } + // ] + // }, + // "then": { + // "effect": "addToNetworkGroup", + // "details": { + // "networkGroupId": "[variables('networkGroupIdManagement2')]" + // } + // } + // } + // } + // }, + // { + // "condition": "[not(empty(parameters('locationSecondary')))]", + // "type": "Microsoft.Authorization/policyAssignments", + // "apiVersion": "2023-04-01", + // "name": "[uniqueString(variables('networkGroupIdManagement2'))]", + // "location": "[parameters('locationSecondary')]", + // "identity": { + // "type": "SystemAssigned" + // }, + // "properties": { + // "description": "AVNM intermediate root group membership Policy", + // "displayName": "AVNM intermediate root group membership Policy", + // "enforcementMode": "Default", + // "resourceSelectors": [ + // { + // "name": "regionalResource", + // "selectors": [ + // { + // "kind": "ResourceLocation", + // "in": [ + // "[parameters('locationSecondary')]" + // ] + // } + // ] + // } + // ], + // "policyDefinitionId": "[managementGroupResourceId('Microsoft.Authorization/policyDefinitions', uniqueString(variables('networkGroupIdManagement2')))]" + // }, + // "dependsOn": [ + // "[format('Microsoft.Authorization/policyDefinitions/{0}', uniqueString(variables('networkGroupIdManagement2')))]" + // ] + // }, + // { + // "type": "Microsoft.Authorization/policyDefinitions", + // "apiVersion": 
"2023-04-01", + // "name": "[uniqueString(variables('networkGroupIdConnectivity1'))]", + // "properties": { + // "description": "AVNM intermediate root group membership Policy", + // "displayName": "AVNM intermediate root group membership Policy", + // "mode": "Microsoft.Network.Data", + // "policyRule": { + // "if": { + // "allOf": [ + // { + // "field": "type", + // "equals": "Microsoft.Network/virtualNetworks" + // } + // ] + // }, + // "then": { + // "effect": "addToNetworkGroup", + // "details": { + // "networkGroupId": "[variables('networkGroupIdConnectivity1')]" + // } + // } + // } + // } + // }, + // { + // "type": "Microsoft.Authorization/policyAssignments", + // "apiVersion": "2023-04-01", + // "name": "[uniqueString(variables('networkGroupIdConnectivity1'))]", + // "location": "[parameters('location')]", + // "identity": { + // "type": "SystemAssigned" + // }, + // "properties": { + // "description": "AVNM intermediate root group membership Policy", + // "displayName": "AVNM intermediate root group membership Policy", + // "enforcementMode": "Default", + // "resourceSelectors": [ + // { + // "name": "regionalResource", + // "selectors": [ + // { + // "kind": "ResourceLocation", + // "in": [ + // "[parameters('location')]" + // ] + // } + // ] + // } + // ], + // "policyDefinitionId": "[managementGroupResourceId('Microsoft.Authorization/policyDefinitions', uniqueString(variables('networkGroupIdConnectivity1')))]" + // }, + // "dependsOn": [ + // "[format('Microsoft.Authorization/policyDefinitions/{0}', uniqueString(variables('networkGroupIdConnectivity1')))]" + // ] + // }, + // { + // "condition": "[not(empty(parameters('locationSecondary')))]", + // "type": "Microsoft.Authorization/policyDefinitions", + // "apiVersion": "2023-04-01", + // "name": "[uniqueString(variables('networkGroupIdConnectivity2'))]", + // "properties": { + // "description": "AVNM intermediate root group membership Policy", + // "displayName": "AVNM intermediate root group 
membership Policy", + // "mode": "Microsoft.Network.Data", + // "policyRule": { + // "if": { + // "allOf": [ + // { + // "field": "type", + // "equals": "Microsoft.Network/virtualNetworks" + // } + // ] + // }, + // "then": { + // "effect": "addToNetworkGroup", + // "details": { + // "networkGroupId": "[variables('networkGroupIdConnectivity2')]" + // } + // } + // } + // } + // }, + // { + // "condition": "[not(empty(parameters('locationSecondary')))]", + // "type": "Microsoft.Authorization/policyAssignments", + // "apiVersion": "2023-04-01", + // "name": "[uniqueString(variables('networkGroupIdConnectivity2'))]", + // "location": "[parameters('locationSecondary')]", + // "identity": { + // "type": "SystemAssigned" + // }, + // "properties": { + // "description": "AVNM intermediate root group membership Policy", + // "displayName": "AVNM intermediate root group membership Policy", + // "enforcementMode": "Default", + // "resourceSelectors": [ + // { + // "name": "regionalResource", + // "selectors": [ + // { + // "kind": "ResourceLocation", + // "in": [ + // "[parameters('locationSecondary')]" + // ] + // } + // ] + // } + // ], + // "policyDefinitionId": "[managementGroupResourceId('Microsoft.Authorization/policyDefinitions', uniqueString(variables('networkGroupIdConnectivity2')))]" + // }, + // "dependsOn": [ + // "[format('Microsoft.Authorization/policyDefinitions/{0}', uniqueString(variables('networkGroupIdConnectivity2')))]" + // ] + // }, + // { + // "type": "Microsoft.Authorization/policyDefinitions", + // "apiVersion": "2023-04-01", + // "name": "[uniqueString(variables('networkGroupIdSandbox1'))]", + // "properties": { + // "description": "AVNM intermediate root group membership Policy", + // "displayName": "AVNM intermediate root group membership Policy", + // "mode": "Microsoft.Network.Data", + // "policyRule": { + // "if": { + // "allOf": [ + // { + // "field": "type", + // "equals": "Microsoft.Network/virtualNetworks" + // } + // ] + // }, + // "then": 
{ + // "effect": "addToNetworkGroup", + // "details": { + // "networkGroupId": "[variables('networkGroupIdSandbox1')]" + // } + // } + // } + // } + // }, + // { + // "type": "Microsoft.Authorization/policyAssignments", + // "apiVersion": "2023-04-01", + // "name": "[uniqueString(variables('networkGroupIdSandbox1'))]", + // "location": "[parameters('location')]", + // "identity": { + // "type": "SystemAssigned" + // }, + // "properties": { + // "description": "AVNM intermediate root group membership Policy", + // "displayName": "AVNM intermediate root group membership Policy", + // "enforcementMode": "Default", + // "resourceSelectors": [ + // { + // "name": "regionalResource", + // "selectors": [ + // { + // "kind": "ResourceLocation", + // "in": [ + // "[parameters('location')]" + // ] + // } + // ] + // } + // ], + // "policyDefinitionId": "[managementGroupResourceId('Microsoft.Authorization/policyDefinitions', uniqueString(variables('networkGroupIdSandbox1')))]" + // }, + // "dependsOn": [ + // "[format('Microsoft.Authorization/policyDefinitions/{0}', uniqueString(variables('networkGroupIdSandbox1')))]" + // ] + // }, + // { + // "condition": "[not(empty(parameters('locationSecondary')))]", + // "type": "Microsoft.Authorization/policyDefinitions", + // "apiVersion": "2023-04-01", + // "name": "[uniqueString(variables('networkGroupIdSandbox2'))]", + // "properties": { + // "description": "AVNM intermediate root group membership Policy", + // "displayName": "AVNM intermediate root group membership Policy", + // "mode": "Microsoft.Network.Data", + // "policyRule": { + // "if": { + // "allOf": [ + // { + // "field": "type", + // "equals": "Microsoft.Network/virtualNetworks" + // } + // ] + // }, + // "then": { + // "effect": "addToNetworkGroup", + // "details": { + // "networkGroupId": "[variables('networkGroupIdSandbox2')]" + // } + // } + // } + // } + // }, + // { + // "condition": "[not(empty(parameters('locationSecondary')))]", + // "type": 
"Microsoft.Authorization/policyAssignments", + // "apiVersion": "2023-04-01", + // "name": "[uniqueString(variables('networkGroupIdSandbox2'))]", + // "location": "[parameters('locationSecondary')]", + // "identity": { + // "type": "SystemAssigned" + // }, + // "properties": { + // "description": "AVNM intermediate root group membership Policy", + // "displayName": "AVNM intermediate root group membership Policy", + // "enforcementMode": "Default", + // "resourceSelectors": [ + // { + // "name": "regionalResource", + // "selectors": [ + // { + // "kind": "ResourceLocation", + // "in": [ + // "[parameters('locationSecondary')]" + // ] + // } + // ] + // } + // ], + // "policyDefinitionId": "[managementGroupResourceId('Microsoft.Authorization/policyDefinitions', uniqueString(variables('networkGroupIdSandbox2')))]" + // }, + // "dependsOn": [ + // "[format('Microsoft.Authorization/policyDefinitions/{0}', uniqueString(variables('networkGroupIdSandbox2')))]" + // ] + // }, + // { + // "type": "Microsoft.Authorization/policyDefinitions", + // "apiVersion": "2023-04-01", + // "name": "[uniqueString(variables('networkGroupIdDecommissioned1'))]", + // "properties": { + // "description": "AVNM intermediate root group membership Policy", + // "displayName": "AVNM intermediate root group membership Policy", + // "mode": "Microsoft.Network.Data", + // "policyRule": { + // "if": { + // "allOf": [ + // { + // "field": "type", + // "equals": "Microsoft.Network/virtualNetworks" + // } + // ] + // }, + // "then": { + // "effect": "addToNetworkGroup", + // "details": { + // "networkGroupId": "[variables('networkGroupIdDecommissioned1')]" + // } + // } + // } + // } + // }, + // { + // "type": "Microsoft.Authorization/policyAssignments", + // "apiVersion": "2023-04-01", + // "name": "[uniqueString(variables('networkGroupIdDecommissioned1'))]", + // "location": "[parameters('location')]", + // "identity": { + // "type": "SystemAssigned" + // }, + // "properties": { + // "description": 
"AVNM intermediate root group membership Policy", + // "displayName": "AVNM intermediate root group membership Policy", + // "enforcementMode": "Default", + // "resourceSelectors": [ + // { + // "name": "regionalResource", + // "selectors": [ + // { + // "kind": "ResourceLocation", + // "in": [ + // "[parameters('location')]" + // ] + // } + // ] + // } + // ], + // "policyDefinitionId": "[managementGroupResourceId('Microsoft.Authorization/policyDefinitions', uniqueString(variables('networkGroupIdDecommissioned1')))]" + // }, + // "dependsOn": [ + // "[format('Microsoft.Authorization/policyDefinitions/{0}', uniqueString(variables('networkGroupIdDecommissioned1')))]" + // ] + // }, + // { + // "condition": "[not(empty(parameters('locationSecondary')))]", + // "type": "Microsoft.Authorization/policyDefinitions", + // "apiVersion": "2023-04-01", + // "name": "[uniqueString(variables('networkGroupIdDecommissioned2'))]", + // "properties": { + // "description": "AVNM intermediate root group membership Policy", + // "displayName": "AVNM intermediate root group membership Policy", + // "mode": "Microsoft.Network.Data", + // "policyRule": { + // "if": { + // "allOf": [ + // { + // "field": "type", + // "equals": "Microsoft.Network/virtualNetworks" + // } + // ] + // }, + // "then": { + // "effect": "addToNetworkGroup", + // "details": { + // "networkGroupId": "[variables('networkGroupIdDecommissioned2')]" + // } + // } + // } + // } + // }, + // { + // "condition": "[not(empty(parameters('locationSecondary')))]", + // "type": "Microsoft.Authorization/policyAssignments", + // "apiVersion": "2023-04-01", + // "name": "[uniqueString(variables('networkGroupIdDecommissioned2'))]", + // "location": "[parameters('locationSecondary')]", + // "identity": { + // "type": "SystemAssigned" + // }, + // "properties": { + // "description": "AVNM intermediate root group membership Policy", + // "displayName": "AVNM intermediate root group membership Policy", + // "enforcementMode": 
"Default", + // "resourceSelectors": [ + // { + // "name": "regionalResource", + // "selectors": [ + // { + // "kind": "ResourceLocation", + // "in": [ + // "[parameters('locationSecondary')]" + // ] + // } + // ] + // } + // ], + // "policyDefinitionId": "[managementGroupResourceId('Microsoft.Authorization/policyDefinitions', uniqueString(variables('networkGroupIdDecommissioned2')))]" + // }, + // "dependsOn": [ + // "[format('Microsoft.Authorization/policyDefinitions/{0}', uniqueString(variables('networkGroupIdDecommissioned2')))]" + // ] + // } ] } \ No newline at end of file From d2c711ad6710a7f5858fae2e502b96f0f13d3d1a Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Fri, 20 Dec 2024 11:58:23 +0400 Subject: [PATCH 212/226] . --- eslzArm/subscriptionTemplates/avnmPolicy.json | 1743 ++++++++--------- 1 file changed, 783 insertions(+), 960 deletions(-) diff --git a/eslzArm/subscriptionTemplates/avnmPolicy.json b/eslzArm/subscriptionTemplates/avnmPolicy.json index 2f02695525..1db2813365 100644 --- a/eslzArm/subscriptionTemplates/avnmPolicy.json +++ b/eslzArm/subscriptionTemplates/avnmPolicy.json 
@@ -425,102 +425,104 @@ }, "resources": [ { - "type": "Microsoft.Authorization/policyDefinitions", - "apiVersion": "2023-04-01", - "name": "[format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location'))]", - "properties": { - "policyType": "Custom", - "mode": "Microsoft.Network.Data", - "policyRule": { - "if": { - "allOf": [ - { - "field": "type", - "equals": "Microsoft.Network/virtualNetworks" + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2023-04-01", + "name": "[format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location'))]", + "properties": { + "policyType": "Custom", + "mode": "Microsoft.Network.Data", + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks" + } + ] + }, + "then": { + "effect": "addToNetworkGroup", + "details": { + "networkGroupId": "[variables('networkGroupId1')]" + } } - ] - }, - "then": { - "effect": "addToNetworkGroup", - "details": { - "networkGroupId": "[variables('networkGroupId1')]" } } - } - } }, { - "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2023-04-01", - "name": "[uniqueString(format('ALZAvnmPolicyAssignment{0}1', parameters('mgmtGroup')))]", - "properties": { - "policyDefinitionId": "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location')))]", - "resourceSelectors": [ - { - "name": "regionalResource", - "selectors": [ + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2023-04-01", + "name": "[uniqueString(format('ALZAvnmPolicyAssignment{0}1', parameters('mgmtGroup')))]", + "properties": { + "policyDefinitionId": "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location')))]", + "resourceSelectors": [ { - "kind": "ResourceLocation", - "in": [ - 
"[parameters('location')]" + "name": "regionalResource", + "selectors": [ + { + "kind": "ResourceLocation", + "in": [ + "[parameters('location')]" + ] + } ] } ] - } + }, + "dependsOn": [ + "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location')))]" ] }, - "dependsOn": [ - "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location')))]" - ] - }, { - "type": "Microsoft.Authorization/policyDefinitions", - "apiVersion": "2023-04-01", - "name": "[format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('locationSecondary'))]", - "properties": { - "policyType": "Custom", - "mode": "Microsoft.Network.Data", - "policyRule": { - "if": { - "allOf": [ - { - "field": "type", - "equals": "Microsoft.Network/virtualNetworks" + "condition": "[not(empty(parameters('locationSecondary')))]", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2023-04-01", + "name": "[format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('locationSecondary'))]", + "properties": { + "policyType": "Custom", + "mode": "Microsoft.Network.Data", + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks" + } + ] + }, + "then": { + "effect": "addToNetworkGroup", + "details": { + "networkGroupId": "[variables('networkGroupId2')]" + } } - ] - }, - "then": { - "effect": "addToNetworkGroup", - "details": { - "networkGroupId": "[variables('networkGroupId2')]" } } - } - } }, { - "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2023-04-01", - "name": "[uniqueString(format('ALZAvnmPolicyAssignment{0}2', parameters('mgmtGroup')))]", - "properties": { - "policyDefinitionId": "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', 
parameters('mgmtGroup'), parameters('locationSecondary')))]", - "resourceSelectors": [ - { - "name": "regionalResource", - "selectors": [ + "condition": "[not(empty(parameters('locationSecondary')))]", + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2023-04-01", + "name": "[uniqueString(format('ALZAvnmPolicyAssignment{0}2', parameters('mgmtGroup')))]", + "properties": { + "policyDefinitionId": "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('locationSecondary')))]", + "resourceSelectors": [ { - "kind": "ResourceLocation", - "in": [ - "[parameters('locationSecondary')]" + "name": "regionalResource", + "selectors": [ + { + "kind": "ResourceLocation", + "in": [ + "[parameters('locationSecondary')]" + ] + } ] } ] - } + }, + "dependsOn": [ + "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('locationSecondary')))]" ] - }, - "dependsOn": [ - "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('locationSecondary')))]" - ] } ] } 
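Review bot: The secondary-region definition and assignment are now gated on `locationSecondary` being non-empty, but nothing guards against `locationSecondary` equalling `location`: both definitions are named `format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), <region>)`, so equal regions would yield two `Microsoft.Authorization/policyDefinitions` resources with the same name in one template and the deployment would presumably be rejected as a duplicate resource. Unless the portal form already prevents that (not visible here), tighten the condition on both secondary resources to `"condition": "[and(not(empty(parameters('locationSecondary'))), not(equals(parameters('location'), parameters('locationSecondary'))))]"`. Separately, the new-side assignments carry no `displayName`/`description` (the earlier commented-out version had both), so each one surfaces in the Policy compliance view only under its `uniqueString` name; adding `"displayName": "[format('AVNM network group membership ({0}, {1})', parameters('mgmtGroup'), parameters('location'))]"` would make the auto-membership of every VNet in that region auditable. The enclosing nested template, including its `parameters` and the `networkGroupId1`/`networkGroupId2` variables, starts above the hunk.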
@@ -581,919 +583,740 @@ }, "resources": [ { - "type": "Microsoft.Authorization/policyDefinitions", - "apiVersion": "2023-04-01", - "name": "[format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location'))]", - "properties": { - "policyType": "Custom", - "mode": "Microsoft.Network.Data", - "policyRule": { - "if": { - "allOf": [ - { - "field": "type", - "equals": "Microsoft.Network/virtualNetworks" + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2023-04-01", + "name": "[format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location'))]", + "properties": { + "policyType": "Custom", + "mode": "Microsoft.Network.Data", + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks" + } + ] + }, + "then": { + "effect": "addToNetworkGroup", + "details": { + "networkGroupId": "[variables('networkGroupId1')]" + } } - ] - }, - "then": { - "effect": "addToNetworkGroup", - "details": { - "networkGroupId": "[variables('networkGroupId1')]" } } - } - } }, { - "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2023-04-01", - "name": "[uniqueString(format('ALZAvnmPolicyAssignment{0}1', parameters('mgmtGroup')))]", - "properties": { - "policyDefinitionId": "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location')))]", - "resourceSelectors": [ - { - "name": "regionalResource", - "selectors": [ + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2023-04-01", + "name": "[uniqueString(format('ALZAvnmPolicyAssignment{0}1', parameters('mgmtGroup')))]", + "properties": { + "policyDefinitionId": "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location')))]", + "resourceSelectors": [ { - "kind": "ResourceLocation", - "in": [ - 
"[parameters('location')]" + "name": "regionalResource", + "selectors": [ + { + "kind": "ResourceLocation", + "in": [ + "[parameters('location')]" + ] + } ] } ] - } + }, + "dependsOn": [ + "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location')))]" ] }, - "dependsOn": [ - "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location')))]" - ] - }, { - "type": "Microsoft.Authorization/policyDefinitions", - "apiVersion": "2023-04-01", - "name": "[format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('locationSecondary'))]", - "properties": { - "policyType": "Custom", - "mode": "Microsoft.Network.Data", - "policyRule": { - "if": { - "allOf": [ - { - "field": "type", - "equals": "Microsoft.Network/virtualNetworks" + "condition": "[not(empty(parameters('locationSecondary')))]", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2023-04-01", + "name": "[format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('locationSecondary'))]", + "properties": { + "policyType": "Custom", + "mode": "Microsoft.Network.Data", + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks" + } + ] + }, + "then": { + "effect": "addToNetworkGroup", + "details": { + "networkGroupId": "[variables('networkGroupId2')]" + } } - ] - }, - "then": { - "effect": "addToNetworkGroup", - "details": { - "networkGroupId": "[variables('networkGroupId2')]" } } - } - } }, { - "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2023-04-01", - "name": "[uniqueString(format('ALZAvnmPolicyAssignment{0}2', parameters('mgmtGroup')))]", - "properties": { - "policyDefinitionId": "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', 
parameters('mgmtGroup'), parameters('locationSecondary')))]", - "resourceSelectors": [ - { - "name": "regionalResource", - "selectors": [ + "condition": "[not(empty(parameters('locationSecondary')))]", + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2023-04-01", + "name": "[uniqueString(format('ALZAvnmPolicyAssignment{0}2', parameters('mgmtGroup')))]", + "properties": { + "policyDefinitionId": "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('locationSecondary')))]", + "resourceSelectors": [ { - "kind": "ResourceLocation", - "in": [ - "[parameters('locationSecondary')]" + "name": "regionalResource", + "selectors": [ + { + "kind": "ResourceLocation", + "in": [ + "[parameters('locationSecondary')]" + ] + } ] } ] - } + }, + "dependsOn": [ + "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('locationSecondary')))]" ] + } + ] + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "policyManagement", + "scope": "[format('Microsoft.Management/managementGroups/{0}', format('{0}-management', parameters('topLevelManagementGroupPrefix')))]", + "location": "[deployment().location]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "location": { + "value": "[parameters('location')]" + }, + "locationSecondary": { + "value": "[parameters('locationSecondary')]" + }, + "mgmtGroup": { + "value": "[format('{0}-management', parameters('topLevelManagementGroupPrefix'))]" + }, + "connectivitySubscriptionId": { + "value": "[parameters('connectivitySubscriptionId')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + 
"metadata": { + "_generator": { + "name": "bicep", + "version": "0.32.4.45862", + "templateHash": "15861206698474595241" + } + }, + "parameters": { + "location": { + "type": "string" }, - "dependsOn": [ - "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('locationSecondary')))]" - ] + "locationSecondary": { + "type": "string" + }, + "mgmtGroup": { + "type": "string" + }, + "connectivitySubscriptionId": { + "type": "string" + } + }, + "variables": { + "networkGroupId1": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-management-{0}', parameters('location')))]", + "networkGroupId2": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-management-{0}', parameters('locationSecondary')))]" + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2023-04-01", + "name": "[format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location'))]", + "properties": { + "policyType": "Custom", + "mode": "Microsoft.Network.Data", + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks" + } + ] + }, + "then": { + "effect": "addToNetworkGroup", + "details": { + "networkGroupId": "[variables('networkGroupId1')]" + } + } + } + } + }, + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2023-04-01", + "name": "[uniqueString(format('ALZAvnmPolicyAssignment{0}1', parameters('mgmtGroup')))]", + "properties": { + "policyDefinitionId": "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location')))]", + "resourceSelectors": [ + { + "name": "regionalResource", + 
"selectors": [ + { + "kind": "ResourceLocation", + "in": [ + "[parameters('location')]" + ] + } + ] + } + ] + }, + "dependsOn": [ + "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location')))]" + ] + }, + { + "condition": "[not(empty(parameters('locationSecondary')))]", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2023-04-01", + "name": "[format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('locationSecondary'))]", + "properties": { + "policyType": "Custom", + "mode": "Microsoft.Network.Data", + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks" + } + ] + }, + "then": { + "effect": "addToNetworkGroup", + "details": { + "networkGroupId": "[variables('networkGroupId2')]" + } + } + } + } + }, + { + "condition": "[not(empty(parameters('locationSecondary')))]", + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2023-04-01", + "name": "[uniqueString(format('ALZAvnmPolicyAssignment{0}2', parameters('mgmtGroup')))]", + "properties": { + "policyDefinitionId": "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('locationSecondary')))]", + "resourceSelectors": [ + { + "name": "regionalResource", + "selectors": [ + { + "kind": "ResourceLocation", + "in": [ + "[parameters('locationSecondary')]" + ] + } + ] + } + ] + }, + "dependsOn": [ + "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('locationSecondary')))]" + ] + } + ] + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "policyConnectivity", + "scope": "[format('Microsoft.Management/managementGroups/{0}', format('{0}-connectivity', 
parameters('topLevelManagementGroupPrefix')))]", + "location": "[deployment().location]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "location": { + "value": "[parameters('location')]" + }, + "locationSecondary": { + "value": "[parameters('locationSecondary')]" + }, + "mgmtGroup": { + "value": "[format('{0}-connectivity', parameters('topLevelManagementGroupPrefix'))]" + }, + "connectivitySubscriptionId": { + "value": "[parameters('connectivitySubscriptionId')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.32.4.45862", + "templateHash": "15861206698474595241" + } + }, + "parameters": { + "location": { + "type": "string" + }, + "locationSecondary": { + "type": "string" + }, + "mgmtGroup": { + "type": "string" + }, + "connectivitySubscriptionId": { + "type": "string" + } + }, + "variables": { + "networkGroupId1": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-connectivity-{0}', parameters('location')))]", + "networkGroupId2": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-connectivity-{0}', parameters('locationSecondary')))]" + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2023-04-01", + "name": "[format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location'))]", + "properties": { + "policyType": "Custom", + "mode": "Microsoft.Network.Data", + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks" + } + ] + }, + "then": { + "effect": "addToNetworkGroup", + "details": { + "networkGroupId": 
"[variables('networkGroupId1')]" + } + } + } + } + }, + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2023-04-01", + "name": "[uniqueString(format('ALZAvnmPolicyAssignment{0}1', parameters('mgmtGroup')))]", + "properties": { + "policyDefinitionId": "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location')))]", + "resourceSelectors": [ + { + "name": "regionalResource", + "selectors": [ + { + "kind": "ResourceLocation", + "in": [ + "[parameters('location')]" + ] + } + ] + } + ] + }, + "dependsOn": [ + "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location')))]" + ] + }, + { + "condition": "[not(empty(parameters('locationSecondary')))]", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2023-04-01", + "name": "[format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('locationSecondary'))]", + "properties": { + "policyType": "Custom", + "mode": "Microsoft.Network.Data", + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks" + } + ] + }, + "then": { + "effect": "addToNetworkGroup", + "details": { + "networkGroupId": "[variables('networkGroupId2')]" + } + } + } + } + }, + { + "condition": "[not(empty(parameters('locationSecondary')))]", + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2023-04-01", + "name": "[uniqueString(format('ALZAvnmPolicyAssignment{0}2', parameters('mgmtGroup')))]", + "properties": { + "policyDefinitionId": "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('locationSecondary')))]", + "resourceSelectors": [ + { + "name": "regionalResource", + "selectors": [ + { + "kind": "ResourceLocation", + 
"in": [ + "[parameters('locationSecondary')]" + ] + } + ] + } + ] + }, + "dependsOn": [ + "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('locationSecondary')))]" + ] + } + ] + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "policySandbox", + "scope": "[format('Microsoft.Management/managementGroups/{0}', format('{0}-sandbox', parameters('topLevelManagementGroupPrefix')))]", + "location": "[deployment().location]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "location": { + "value": "[parameters('location')]" + }, + "locationSecondary": { + "value": "[parameters('locationSecondary')]" + }, + "mgmtGroup": { + "value": "[format('{0}-sandbox', parameters('topLevelManagementGroupPrefix'))]" + }, + "connectivitySubscriptionId": { + "value": "[parameters('connectivitySubscriptionId')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.32.4.45862", + "templateHash": "15861206698474595241" + } + }, + "parameters": { + "location": { + "type": "string" + }, + "locationSecondary": { + "type": "string" + }, + "mgmtGroup": { + "type": "string" + }, + "connectivitySubscriptionId": { + "type": "string" + } + }, + "variables": { + "networkGroupId1": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-sandbox-{0}', parameters('location')))]", + "networkGroupId2": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-sandbox-{0}', parameters('locationSecondary')))]" + }, + "resources": [ 
+ { + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2023-04-01", + "name": "[format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location'))]", + "properties": { + "policyType": "Custom", + "mode": "Microsoft.Network.Data", + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks" + } + ] + }, + "then": { + "effect": "addToNetworkGroup", + "details": { + "networkGroupId": "[variables('networkGroupId1')]" + } + } + } + } + }, + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2023-04-01", + "name": "[uniqueString(format('ALZAvnmPolicyAssignment{0}1', parameters('mgmtGroup')))]", + "properties": { + "policyDefinitionId": "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location')))]", + "resourceSelectors": [ + { + "name": "regionalResource", + "selectors": [ + { + "kind": "ResourceLocation", + "in": [ + "[parameters('location')]" + ] + } + ] + } + ] + }, + "dependsOn": [ + "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location')))]" + ] + }, + { + "condition": "[not(empty(parameters('locationSecondary')))]", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2023-04-01", + "name": "[format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('locationSecondary'))]", + "properties": { + "policyType": "Custom", + "mode": "Microsoft.Network.Data", + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks" + } + ] + }, + "then": { + "effect": "addToNetworkGroup", + "details": { + "networkGroupId": "[variables('networkGroupId2')]" + } + } + } + } + }, + { + "condition": "[not(empty(parameters('locationSecondary')))]", + "type": 
"Microsoft.Authorization/policyAssignments", + "apiVersion": "2023-04-01", + "name": "[uniqueString(format('ALZAvnmPolicyAssignment{0}2', parameters('mgmtGroup')))]", + "properties": { + "policyDefinitionId": "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('locationSecondary')))]", + "resourceSelectors": [ + { + "name": "regionalResource", + "selectors": [ + { + "kind": "ResourceLocation", + "in": [ + "[parameters('locationSecondary')]" + ] + } + ] + } + ] + }, + "dependsOn": [ + "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('locationSecondary')))]" + ] + } + ] + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "policyDecommissioned", + "scope": "[format('Microsoft.Management/managementGroups/{0}', format('{0}-decommissioned', parameters('topLevelManagementGroupPrefix')))]", + "location": "[deployment().location]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "location": { + "value": "[parameters('location')]" + }, + "locationSecondary": { + "value": "[parameters('locationSecondary')]" + }, + "mgmtGroup": { + "value": "[format('{0}-decommissioned', parameters('topLevelManagementGroupPrefix'))]" + }, + "connectivitySubscriptionId": { + "value": "[parameters('connectivitySubscriptionId')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.32.4.45862", + "templateHash": "15861206698474595241" + } + }, + "parameters": { + "location": { + "type": "string" + }, + "locationSecondary": { + "type": "string" + }, + "mgmtGroup": { + "type": "string" + }, + 
"connectivitySubscriptionId": { + "type": "string" + } + }, + "variables": { + "networkGroupId1": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-decommissioned-{0}', parameters('location')))]", + "networkGroupId2": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-decommissioned-{0}', parameters('locationSecondary')))]" + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2023-04-01", + "name": "[format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location'))]", + "properties": { + "policyType": "Custom", + "mode": "Microsoft.Network.Data", + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks" + } + ] + }, + "then": { + "effect": "addToNetworkGroup", + "details": { + "networkGroupId": "[variables('networkGroupId1')]" + } + } + } + } + }, + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2023-04-01", + "name": "[uniqueString(format('ALZAvnmPolicyAssignment{0}1', parameters('mgmtGroup')))]", + "properties": { + "policyDefinitionId": "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location')))]", + "resourceSelectors": [ + { + "name": "regionalResource", + "selectors": [ + { + "kind": "ResourceLocation", + "in": [ + "[parameters('location')]" + ] + } + ] + } + ] + }, + "dependsOn": [ + "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location')))]" + ] + }, + { + "condition": "[not(empty(parameters('locationSecondary')))]", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2023-04-01", + "name": 
"[format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('locationSecondary'))]", + "properties": { + "policyType": "Custom", + "mode": "Microsoft.Network.Data", + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks" + } + ] + }, + "then": { + "effect": "addToNetworkGroup", + "details": { + "networkGroupId": "[variables('networkGroupId2')]" + } + } + } + } + }, + { + "condition": "[not(empty(parameters('locationSecondary')))]", + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2023-04-01", + "name": "[uniqueString(format('ALZAvnmPolicyAssignment{0}2', parameters('mgmtGroup')))]", + "properties": { + "policyDefinitionId": "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('locationSecondary')))]", + "resourceSelectors": [ + { + "name": "regionalResource", + "selectors": [ + { + "kind": "ResourceLocation", + "in": [ + "[parameters('locationSecondary')]" + ] + } + ] + } + ] + }, + "dependsOn": [ + "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('locationSecondary')))]" + ] } ] } } } - - // { - // "type": "Microsoft.Authorization/policyDefinitions", - // "apiVersion": "2023-04-01", - // "name": "[uniqueString(variables('networkGroupIdCorp1'))]", - // "properties": { - // "description": "AVNM intermediate root group membership Policy", - // "displayName": "AVNM intermediate root group membership Policy", - // "mode": "Microsoft.Network.Data", - // "policyRule": { - // "if": { - // "allOf": [ - // { - // "field": "type", - // "equals": "Microsoft.Network/virtualNetworks" - // } - // ] - // }, - // "then": { - // "effect": "addToNetworkGroup", - // "details": { - // "networkGroupId": "[variables('networkGroupIdCorp1')]" - // } - // } - // } - // } - // }, - // { - // "type": 
"Microsoft.Authorization/policyAssignments", - // "apiVersion": "2023-04-01", - // "name": "[uniqueString(variables('networkGroupIdCorp1'))]", - // "location": "[parameters('location')]", - // "identity": { - // "type": "SystemAssigned" - // }, - // "properties": { - // "description": "AVNM intermediate root group membership Policy", - // "displayName": "AVNM intermediate root group membership Policy", - // "enforcementMode": "Default", - // "resourceSelectors": [ - // { - // "name": "regionalResource", - // "selectors": [ - // { - // "kind": "ResourceLocation", - // "in": [ - // "[parameters('location')]" - // ] - // } - // ] - // } - // ], - // "policyDefinitionId": "[managementGroupResourceId('Microsoft.Authorization/policyDefinitions', uniqueString(variables('networkGroupIdCorp1')))]" - // }, - // "dependsOn": [ - // "[format('Microsoft.Authorization/policyDefinitions/{0}', uniqueString(variables('networkGroupIdCorp1')))]" - // ] - // }, - // { - // "condition": "[not(empty(parameters('locationSecondary')))]", - // "type": "Microsoft.Authorization/policyDefinitions", - // "apiVersion": "2023-04-01", - // "name": "[uniqueString(variables('networkGroupIdCorp2'))]", - // "properties": { - // "description": "AVNM intermediate root group membership Policy", - // "displayName": "AVNM intermediate root group membership Policy", - // "mode": "Microsoft.Network.Data", - // "policyRule": { - // "if": { - // "allOf": [ - // { - // "field": "type", - // "equals": "Microsoft.Network/virtualNetworks" - // } - // ] - // }, - // "then": { - // "effect": "addToNetworkGroup", - // "details": { - // "networkGroupId": "[variables('networkGroupIdCorp2')]" - // } - // } - // } - // } - // }, - // { - // "condition": "[not(empty(parameters('locationSecondary')))]", - // "type": "Microsoft.Authorization/policyAssignments", - // "apiVersion": "2023-04-01", - // "name": "[uniqueString(variables('networkGroupIdCorp2'))]", - // "location": "[parameters('locationSecondary')]", - // 
"identity": { - // "type": "SystemAssigned" - // }, - // "properties": { - // "description": "AVNM intermediate root group membership Policy", - // "displayName": "AVNM intermediate root group membership Policy", - // "enforcementMode": "Default", - // "resourceSelectors": [ - // { - // "name": "regionalResource", - // "selectors": [ - // { - // "kind": "ResourceLocation", - // "in": [ - // "[parameters('locationSecondary')]" - // ] - // } - // ] - // } - // ], - // "policyDefinitionId": "[managementGroupResourceId('Microsoft.Authorization/policyDefinitions', uniqueString(variables('networkGroupIdCorp2')))]" - // }, - // "dependsOn": [ - // "[format('Microsoft.Authorization/policyDefinitions/{0}', uniqueString(variables('networkGroupIdCorp2')))]" - // ] - // }, - // { - // "type": "Microsoft.Authorization/policyDefinitions", - // "apiVersion": "2023-04-01", - // "name": "[uniqueString(variables('networkGroupIdOnline1'))]", - // "properties": { - // "description": "AVNM intermediate root group membership Policy", - // "displayName": "AVNM intermediate root group membership Policy", - // "mode": "Microsoft.Network.Data", - // "policyRule": { - // "if": { - // "allOf": [ - // { - // "field": "type", - // "equals": "Microsoft.Network/virtualNetworks" - // } - // ] - // }, - // "then": { - // "effect": "addToNetworkGroup", - // "details": { - // "networkGroupId": "[variables('networkGroupIdOnline1')]" - // } - // } - // } - // } - // }, - // { - // "type": "Microsoft.Authorization/policyAssignments", - // "apiVersion": "2023-04-01", - // "name": "[uniqueString(variables('networkGroupIdOnline1'))]", - // "location": "[parameters('location')]", - // "identity": { - // "type": "SystemAssigned" - // }, - // "properties": { - // "description": "AVNM intermediate root group membership Policy", - // "displayName": "AVNM intermediate root group membership Policy", - // "enforcementMode": "Default", - // "resourceSelectors": [ - // { - // "name": "regionalResource", - // 
"selectors": [ - // { - // "kind": "ResourceLocation", - // "in": [ - // "[parameters('location')]" - // ] - // } - // ] - // } - // ], - // "policyDefinitionId": "[managementGroupResourceId('Microsoft.Authorization/policyDefinitions', uniqueString(variables('networkGroupIdOnline1')))]" - // }, - // "dependsOn": [ - // "[format('Microsoft.Authorization/policyDefinitions/{0}', uniqueString(variables('networkGroupIdOnline1')))]" - // ] - // }, - // { - // "condition": "[not(empty(parameters('locationSecondary')))]", - // "type": "Microsoft.Authorization/policyDefinitions", - // "apiVersion": "2023-04-01", - // "name": "[uniqueString(variables('networkGroupIdOnline2'))]", - // "properties": { - // "description": "AVNM intermediate root group membership Policy", - // "displayName": "AVNM intermediate root group membership Policy", - // "mode": "Microsoft.Network.Data", - // "policyRule": { - // "if": { - // "allOf": [ - // { - // "field": "type", - // "equals": "Microsoft.Network/virtualNetworks" - // } - // ] - // }, - // "then": { - // "effect": "addToNetworkGroup", - // "details": { - // "networkGroupId": "[variables('networkGroupIdOnline2')]" - // } - // } - // } - // } - // }, - // { - // "condition": "[not(empty(parameters('locationSecondary')))]", - // "type": "Microsoft.Authorization/policyAssignments", - // "apiVersion": "2023-04-01", - // "name": "[uniqueString(variables('networkGroupIdOnline2'))]", - // "location": "[parameters('locationSecondary')]", - // "identity": { - // "type": "SystemAssigned" - // }, - // "properties": { - // "description": "AVNM intermediate root group membership Policy", - // "displayName": "AVNM intermediate root group membership Policy", - // "enforcementMode": "Default", - // "resourceSelectors": [ - // { - // "name": "regionalResource", - // "selectors": [ - // { - // "kind": "ResourceLocation", - // "in": [ - // "[parameters('locationSecondary')]" - // ] - // } - // ] - // } - // ], - // "policyDefinitionId": 
"[managementGroupResourceId('Microsoft.Authorization/policyDefinitions', uniqueString(variables('networkGroupIdOnline2')))]" - // }, - // "dependsOn": [ - // "[format('Microsoft.Authorization/policyDefinitions/{0}', uniqueString(variables('networkGroupIdOnline2')))]" - // ] - // }, - // { - // "type": "Microsoft.Authorization/policyDefinitions", - // "apiVersion": "2023-04-01", - // "name": "[uniqueString(variables('networkGroupIdIdentity1'))]", - // "properties": { - // "description": "AVNM intermediate root group membership Policy", - // "displayName": "AVNM intermediate root group membership Policy", - // "mode": "Microsoft.Network.Data", - // "policyRule": { - // "if": { - // "allOf": [ - // { - // "field": "type", - // "equals": "Microsoft.Network/virtualNetworks" - // } - // ] - // }, - // "then": { - // "effect": "addToNetworkGroup", - // "details": { - // "networkGroupId": "[variables('networkGroupIdIdentity1')]" - // } - // } - // } - // } - // }, - // { - // "type": "Microsoft.Authorization/policyAssignments", - // "apiVersion": "2023-04-01", - // "name": "[uniqueString(variables('networkGroupIdIdentity1'))]", - // "location": "[parameters('location')]", - // "identity": { - // "type": "SystemAssigned" - // }, - // "properties": { - // "description": "AVNM intermediate root group membership Policy", - // "displayName": "AVNM intermediate root group membership Policy", - // "enforcementMode": "Default", - // "resourceSelectors": [ - // { - // "name": "regionalResource", - // "selectors": [ - // { - // "kind": "ResourceLocation", - // "in": [ - // "[parameters('location')]" - // ] - // } - // ] - // } - // ], - // "policyDefinitionId": "[managementGroupResourceId('Microsoft.Authorization/policyDefinitions', uniqueString(variables('networkGroupIdIdentity1')))]" - // }, - // "dependsOn": [ - // "[format('Microsoft.Authorization/policyDefinitions/{0}', uniqueString(variables('networkGroupIdIdentity1')))]" - // ] - // }, - // { - // "condition": 
"[not(empty(parameters('locationSecondary')))]", - // "type": "Microsoft.Authorization/policyDefinitions", - // "apiVersion": "2023-04-01", - // "name": "[uniqueString(variables('networkGroupIdIdentity2'))]", - // "properties": { - // "description": "AVNM intermediate root group membership Policy", - // "displayName": "AVNM intermediate root group membership Policy", - // "mode": "Microsoft.Network.Data", - // "policyRule": { - // "if": { - // "allOf": [ - // { - // "field": "type", - // "equals": "Microsoft.Network/virtualNetworks" - // } - // ] - // }, - // "then": { - // "effect": "addToNetworkGroup", - // "details": { - // "networkGroupId": "[variables('networkGroupIdIdentity2')]" - // } - // } - // } - // } - // }, - // { - // "condition": "[not(empty(parameters('locationSecondary')))]", - // "type": "Microsoft.Authorization/policyAssignments", - // "apiVersion": "2023-04-01", - // "name": "[uniqueString(variables('networkGroupIdIdentity2'))]", - // "location": "[parameters('locationSecondary')]", - // "identity": { - // "type": "SystemAssigned" - // }, - // "properties": { - // "description": "AVNM intermediate root group membership Policy", - // "displayName": "AVNM intermediate root group membership Policy", - // "enforcementMode": "Default", - // "resourceSelectors": [ - // { - // "name": "regionalResource", - // "selectors": [ - // { - // "kind": "ResourceLocation", - // "in": [ - // "[parameters('locationSecondary')]" - // ] - // } - // ] - // } - // ], - // "policyDefinitionId": "[managementGroupResourceId('Microsoft.Authorization/policyDefinitions', uniqueString(variables('networkGroupIdIdentity2')))]" - // }, - // "dependsOn": [ - // "[format('Microsoft.Authorization/policyDefinitions/{0}', uniqueString(variables('networkGroupIdIdentity2')))]" - // ] - // }, - // { - // "type": "Microsoft.Authorization/policyDefinitions", - // "apiVersion": "2023-04-01", - // "name": "[uniqueString(variables('networkGroupIdManagement1'))]", - // "properties": { - // 
"description": "AVNM intermediate root group membership Policy", - // "displayName": "AVNM intermediate root group membership Policy", - // "mode": "Microsoft.Network.Data", - // "policyRule": { - // "if": { - // "allOf": [ - // { - // "field": "type", - // "equals": "Microsoft.Network/virtualNetworks" - // } - // ] - // }, - // "then": { - // "effect": "addToNetworkGroup", - // "details": { - // "networkGroupId": "[variables('networkGroupIdManagement1')]" - // } - // } - // } - // } - // }, - // { - // "type": "Microsoft.Authorization/policyAssignments", - // "apiVersion": "2023-04-01", - // "name": "[uniqueString(variables('networkGroupIdManagement1'))]", - // "location": "[parameters('location')]", - // "identity": { - // "type": "SystemAssigned" - // }, - // "properties": { - // "description": "AVNM intermediate root group membership Policy", - // "displayName": "AVNM intermediate root group membership Policy", - // "enforcementMode": "Default", - // "resourceSelectors": [ - // { - // "name": "regionalResource", - // "selectors": [ - // { - // "kind": "ResourceLocation", - // "in": [ - // "[parameters('location')]" - // ] - // } - // ] - // } - // ], - // "policyDefinitionId": "[managementGroupResourceId('Microsoft.Authorization/policyDefinitions', uniqueString(variables('networkGroupIdManagement1')))]" - // }, - // "dependsOn": [ - // "[format('Microsoft.Authorization/policyDefinitions/{0}', uniqueString(variables('networkGroupIdManagement1')))]" - // ] - // }, - // { - // "condition": "[not(empty(parameters('locationSecondary')))]", - // "type": "Microsoft.Authorization/policyDefinitions", - // "apiVersion": "2023-04-01", - // "name": "[uniqueString(variables('networkGroupIdManagement2'))]", - // "properties": { - // "description": "AVNM intermediate root group membership Policy", - // "displayName": "AVNM intermediate root group membership Policy", - // "mode": "Microsoft.Network.Data", - // "policyRule": { - // "if": { - // "allOf": [ - // { - // "field": 
"type", - // "equals": "Microsoft.Network/virtualNetworks" - // } - // ] - // }, - // "then": { - // "effect": "addToNetworkGroup", - // "details": { - // "networkGroupId": "[variables('networkGroupIdManagement2')]" - // } - // } - // } - // } - // }, - // { - // "condition": "[not(empty(parameters('locationSecondary')))]", - // "type": "Microsoft.Authorization/policyAssignments", - // "apiVersion": "2023-04-01", - // "name": "[uniqueString(variables('networkGroupIdManagement2'))]", - // "location": "[parameters('locationSecondary')]", - // "identity": { - // "type": "SystemAssigned" - // }, - // "properties": { - // "description": "AVNM intermediate root group membership Policy", - // "displayName": "AVNM intermediate root group membership Policy", - // "enforcementMode": "Default", - // "resourceSelectors": [ - // { - // "name": "regionalResource", - // "selectors": [ - // { - // "kind": "ResourceLocation", - // "in": [ - // "[parameters('locationSecondary')]" - // ] - // } - // ] - // } - // ], - // "policyDefinitionId": "[managementGroupResourceId('Microsoft.Authorization/policyDefinitions', uniqueString(variables('networkGroupIdManagement2')))]" - // }, - // "dependsOn": [ - // "[format('Microsoft.Authorization/policyDefinitions/{0}', uniqueString(variables('networkGroupIdManagement2')))]" - // ] - // }, - // { - // "type": "Microsoft.Authorization/policyDefinitions", - // "apiVersion": "2023-04-01", - // "name": "[uniqueString(variables('networkGroupIdConnectivity1'))]", - // "properties": { - // "description": "AVNM intermediate root group membership Policy", - // "displayName": "AVNM intermediate root group membership Policy", - // "mode": "Microsoft.Network.Data", - // "policyRule": { - // "if": { - // "allOf": [ - // { - // "field": "type", - // "equals": "Microsoft.Network/virtualNetworks" - // } - // ] - // }, - // "then": { - // "effect": "addToNetworkGroup", - // "details": { - // "networkGroupId": "[variables('networkGroupIdConnectivity1')]" - // } - 
// } - // } - // } - // }, - // { - // "type": "Microsoft.Authorization/policyAssignments", - // "apiVersion": "2023-04-01", - // "name": "[uniqueString(variables('networkGroupIdConnectivity1'))]", - // "location": "[parameters('location')]", - // "identity": { - // "type": "SystemAssigned" - // }, - // "properties": { - // "description": "AVNM intermediate root group membership Policy", - // "displayName": "AVNM intermediate root group membership Policy", - // "enforcementMode": "Default", - // "resourceSelectors": [ - // { - // "name": "regionalResource", - // "selectors": [ - // { - // "kind": "ResourceLocation", - // "in": [ - // "[parameters('location')]" - // ] - // } - // ] - // } - // ], - // "policyDefinitionId": "[managementGroupResourceId('Microsoft.Authorization/policyDefinitions', uniqueString(variables('networkGroupIdConnectivity1')))]" - // }, - // "dependsOn": [ - // "[format('Microsoft.Authorization/policyDefinitions/{0}', uniqueString(variables('networkGroupIdConnectivity1')))]" - // ] - // }, - // { - // "condition": "[not(empty(parameters('locationSecondary')))]", - // "type": "Microsoft.Authorization/policyDefinitions", - // "apiVersion": "2023-04-01", - // "name": "[uniqueString(variables('networkGroupIdConnectivity2'))]", - // "properties": { - // "description": "AVNM intermediate root group membership Policy", - // "displayName": "AVNM intermediate root group membership Policy", - // "mode": "Microsoft.Network.Data", - // "policyRule": { - // "if": { - // "allOf": [ - // { - // "field": "type", - // "equals": "Microsoft.Network/virtualNetworks" - // } - // ] - // }, - // "then": { - // "effect": "addToNetworkGroup", - // "details": { - // "networkGroupId": "[variables('networkGroupIdConnectivity2')]" - // } - // } - // } - // } - // }, - // { - // "condition": "[not(empty(parameters('locationSecondary')))]", - // "type": "Microsoft.Authorization/policyAssignments", - // "apiVersion": "2023-04-01", - // "name": 
"[uniqueString(variables('networkGroupIdConnectivity2'))]", - // "location": "[parameters('locationSecondary')]", - // "identity": { - // "type": "SystemAssigned" - // }, - // "properties": { - // "description": "AVNM intermediate root group membership Policy", - // "displayName": "AVNM intermediate root group membership Policy", - // "enforcementMode": "Default", - // "resourceSelectors": [ - // { - // "name": "regionalResource", - // "selectors": [ - // { - // "kind": "ResourceLocation", - // "in": [ - // "[parameters('locationSecondary')]" - // ] - // } - // ] - // } - // ], - // "policyDefinitionId": "[managementGroupResourceId('Microsoft.Authorization/policyDefinitions', uniqueString(variables('networkGroupIdConnectivity2')))]" - // }, - // "dependsOn": [ - // "[format('Microsoft.Authorization/policyDefinitions/{0}', uniqueString(variables('networkGroupIdConnectivity2')))]" - // ] - // }, - // { - // "type": "Microsoft.Authorization/policyDefinitions", - // "apiVersion": "2023-04-01", - // "name": "[uniqueString(variables('networkGroupIdSandbox1'))]", - // "properties": { - // "description": "AVNM intermediate root group membership Policy", - // "displayName": "AVNM intermediate root group membership Policy", - // "mode": "Microsoft.Network.Data", - // "policyRule": { - // "if": { - // "allOf": [ - // { - // "field": "type", - // "equals": "Microsoft.Network/virtualNetworks" - // } - // ] - // }, - // "then": { - // "effect": "addToNetworkGroup", - // "details": { - // "networkGroupId": "[variables('networkGroupIdSandbox1')]" - // } - // } - // } - // } - // }, - // { - // "type": "Microsoft.Authorization/policyAssignments", - // "apiVersion": "2023-04-01", - // "name": "[uniqueString(variables('networkGroupIdSandbox1'))]", - // "location": "[parameters('location')]", - // "identity": { - // "type": "SystemAssigned" - // }, - // "properties": { - // "description": "AVNM intermediate root group membership Policy", - // "displayName": "AVNM intermediate root 
group membership Policy", - // "enforcementMode": "Default", - // "resourceSelectors": [ - // { - // "name": "regionalResource", - // "selectors": [ - // { - // "kind": "ResourceLocation", - // "in": [ - // "[parameters('location')]" - // ] - // } - // ] - // } - // ], - // "policyDefinitionId": "[managementGroupResourceId('Microsoft.Authorization/policyDefinitions', uniqueString(variables('networkGroupIdSandbox1')))]" - // }, - // "dependsOn": [ - // "[format('Microsoft.Authorization/policyDefinitions/{0}', uniqueString(variables('networkGroupIdSandbox1')))]" - // ] - // }, - // { - // "condition": "[not(empty(parameters('locationSecondary')))]", - // "type": "Microsoft.Authorization/policyDefinitions", - // "apiVersion": "2023-04-01", - // "name": "[uniqueString(variables('networkGroupIdSandbox2'))]", - // "properties": { - // "description": "AVNM intermediate root group membership Policy", - // "displayName": "AVNM intermediate root group membership Policy", - // "mode": "Microsoft.Network.Data", - // "policyRule": { - // "if": { - // "allOf": [ - // { - // "field": "type", - // "equals": "Microsoft.Network/virtualNetworks" - // } - // ] - // }, - // "then": { - // "effect": "addToNetworkGroup", - // "details": { - // "networkGroupId": "[variables('networkGroupIdSandbox2')]" - // } - // } - // } - // } - // }, - // { - // "condition": "[not(empty(parameters('locationSecondary')))]", - // "type": "Microsoft.Authorization/policyAssignments", - // "apiVersion": "2023-04-01", - // "name": "[uniqueString(variables('networkGroupIdSandbox2'))]", - // "location": "[parameters('locationSecondary')]", - // "identity": { - // "type": "SystemAssigned" - // }, - // "properties": { - // "description": "AVNM intermediate root group membership Policy", - // "displayName": "AVNM intermediate root group membership Policy", - // "enforcementMode": "Default", - // "resourceSelectors": [ - // { - // "name": "regionalResource", - // "selectors": [ - // { - // "kind": 
"ResourceLocation", - // "in": [ - // "[parameters('locationSecondary')]" - // ] - // } - // ] - // } - // ], - // "policyDefinitionId": "[managementGroupResourceId('Microsoft.Authorization/policyDefinitions', uniqueString(variables('networkGroupIdSandbox2')))]" - // }, - // "dependsOn": [ - // "[format('Microsoft.Authorization/policyDefinitions/{0}', uniqueString(variables('networkGroupIdSandbox2')))]" - // ] - // }, - // { - // "type": "Microsoft.Authorization/policyDefinitions", - // "apiVersion": "2023-04-01", - // "name": "[uniqueString(variables('networkGroupIdDecommissioned1'))]", - // "properties": { - // "description": "AVNM intermediate root group membership Policy", - // "displayName": "AVNM intermediate root group membership Policy", - // "mode": "Microsoft.Network.Data", - // "policyRule": { - // "if": { - // "allOf": [ - // { - // "field": "type", - // "equals": "Microsoft.Network/virtualNetworks" - // } - // ] - // }, - // "then": { - // "effect": "addToNetworkGroup", - // "details": { - // "networkGroupId": "[variables('networkGroupIdDecommissioned1')]" - // } - // } - // } - // } - // }, - // { - // "type": "Microsoft.Authorization/policyAssignments", - // "apiVersion": "2023-04-01", - // "name": "[uniqueString(variables('networkGroupIdDecommissioned1'))]", - // "location": "[parameters('location')]", - // "identity": { - // "type": "SystemAssigned" - // }, - // "properties": { - // "description": "AVNM intermediate root group membership Policy", - // "displayName": "AVNM intermediate root group membership Policy", - // "enforcementMode": "Default", - // "resourceSelectors": [ - // { - // "name": "regionalResource", - // "selectors": [ - // { - // "kind": "ResourceLocation", - // "in": [ - // "[parameters('location')]" - // ] - // } - // ] - // } - // ], - // "policyDefinitionId": "[managementGroupResourceId('Microsoft.Authorization/policyDefinitions', uniqueString(variables('networkGroupIdDecommissioned1')))]" - // }, - // "dependsOn": [ - // 
"[format('Microsoft.Authorization/policyDefinitions/{0}', uniqueString(variables('networkGroupIdDecommissioned1')))]" - // ] - // }, - // { - // "condition": "[not(empty(parameters('locationSecondary')))]", - // "type": "Microsoft.Authorization/policyDefinitions", - // "apiVersion": "2023-04-01", - // "name": "[uniqueString(variables('networkGroupIdDecommissioned2'))]", - // "properties": { - // "description": "AVNM intermediate root group membership Policy", - // "displayName": "AVNM intermediate root group membership Policy", - // "mode": "Microsoft.Network.Data", - // "policyRule": { - // "if": { - // "allOf": [ - // { - // "field": "type", - // "equals": "Microsoft.Network/virtualNetworks" - // } - // ] - // }, - // "then": { - // "effect": "addToNetworkGroup", - // "details": { - // "networkGroupId": "[variables('networkGroupIdDecommissioned2')]" - // } - // } - // } - // } - // }, - // { - // "condition": "[not(empty(parameters('locationSecondary')))]", - // "type": "Microsoft.Authorization/policyAssignments", - // "apiVersion": "2023-04-01", - // "name": "[uniqueString(variables('networkGroupIdDecommissioned2'))]", - // "location": "[parameters('locationSecondary')]", - // "identity": { - // "type": "SystemAssigned" - // }, - // "properties": { - // "description": "AVNM intermediate root group membership Policy", - // "displayName": "AVNM intermediate root group membership Policy", - // "enforcementMode": "Default", - // "resourceSelectors": [ - // { - // "name": "regionalResource", - // "selectors": [ - // { - // "kind": "ResourceLocation", - // "in": [ - // "[parameters('locationSecondary')]" - // ] - // } - // ] - // } - // ], - // "policyDefinitionId": "[managementGroupResourceId('Microsoft.Authorization/policyDefinitions', uniqueString(variables('networkGroupIdDecommissioned2')))]" - // }, - // "dependsOn": [ - // "[format('Microsoft.Authorization/policyDefinitions/{0}', uniqueString(variables('networkGroupIdDecommissioned2')))]" - // ] - // } ] } \ No 
newline at end of file
From 677d672024d974fa042610f4d2ec3fc5975d04d4 Mon Sep 17 00:00:00 2001
From: Sacha Narinx
Date: Fri, 20 Dec 2024 12:30:48 +0400
Subject: [PATCH 213/226] .
---
 eslzArm/subscriptionTemplates/avnmPolicy.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/eslzArm/subscriptionTemplates/avnmPolicy.json b/eslzArm/subscriptionTemplates/avnmPolicy.json
index 1db2813365..33aef542ef 100644
--- a/eslzArm/subscriptionTemplates/avnmPolicy.json
+++ b/eslzArm/subscriptionTemplates/avnmPolicy.json
@@ -1006,7 +1006,7 @@
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2022-09-01",
 "name": "policySandbox",
- "scope": "[format('Microsoft.Management/managementGroups/{0}', format('{0}-sandbox', parameters('topLevelManagementGroupPrefix')))]",
+ "scope": "[format('Microsoft.Management/managementGroups/{0}', format('{0}-sandboxes', parameters('topLevelManagementGroupPrefix')))]",
 "location": "[deployment().location]",
 "properties": {
 "expressionEvaluationOptions": {
@@ -1021,7 +1021,7 @@
 "value": "[parameters('locationSecondary')]"
 },
 "mgmtGroup": {
- "value": "[format('{0}-sandbox', parameters('topLevelManagementGroupPrefix'))]"
+ "value": "[format('{0}-sandboxes', parameters('topLevelManagementGroupPrefix'))]"
 },
 "connectivitySubscriptionId": {
 "value": "[parameters('connectivitySubscriptionId')]"
From e090fd7675edd4ccd0a10763d5a0e7c45e133722 Mon Sep 17 00:00:00 2001
From: Sacha Narinx
Date: Fri, 20 Dec 2024 12:35:22 +0400
Subject: [PATCH 214/226] .
---
 eslzArm/subscriptionTemplates/avnmPolicy.json | 16 +---------------
 1 file changed, 1 insertion(+), 15 deletions(-)
diff --git a/eslzArm/subscriptionTemplates/avnmPolicy.json b/eslzArm/subscriptionTemplates/avnmPolicy.json
index 33aef542ef..ced05f79bf 100644
--- a/eslzArm/subscriptionTemplates/avnmPolicy.json
+++ b/eslzArm/subscriptionTemplates/avnmPolicy.json
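Review bot: The management group suffix `-sandboxes` is now a literal in two places of the same `policySandbox` deployment resource, the `scope` expression in the first hunk and the `mgmtGroup` parameter value in the second, and the fact that both had to be patched together is the symptom of that duplication. Computing the name once would keep the scope the nested deployment runs at and the name it passes down from drifting apart, e.g. a template variable `"mgmtGroupSandbox": "[format('{0}-sandboxes', parameters('topLevelManagementGroupPrefix'))]"` referenced as `variables('mgmtGroupSandbox')` from both places; the sibling `policyDecommissioned` deployment visible further up repeats the same pattern with `-decommissioned`. Whether `-sandboxes` is the suffix the management group hierarchy actually uses cannot be confirmed from this page. The enclosing `policySandbox` resource starts and ends outside both hunks.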
@@ -35,21 +35,7 @@
 "variables": {
 "networkGroupIdAll": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', 'avnm-ng-all')]",
 "networkGroupIdRegion1": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-{0}', parameters('location')))]",
- "networkGroupIdRegion2": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-{0}', parameters('locationSecondary')))]",
- "networkGroupIdCorp1": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-corp-{0}', parameters('location')))]",
- "networkGroupIdCorp2": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-corp-{0}', parameters('locationSecondary')))]",
- "networkGroupIdOnline1": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-online-{0}', parameters('location')))]",
- "networkGroupIdOnline2": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-online-{0}', parameters('locationSecondary')))]",
- "networkGroupIdIdentity1": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-identity-{0}', parameters('location')))]",
- "networkGroupIdIdentity2": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-identity-{0}', parameters('locationSecondary')))]",
- "networkGroupIdManagement1": 
"[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-management-{0}', parameters('location')))]",
- "networkGroupIdManagement2": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-management-{0}', parameters('locationSecondary')))]",
- "networkGroupIdConnectivity1": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-connectivity-{0}', parameters('location')))]",
- "networkGroupIdConnectivity2": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-connectivity-{0}', parameters('locationSecondary')))]",
- "networkGroupIdSandbox1": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-sandbox-{0}', parameters('location')))]",
- "networkGroupIdSandbox2": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-sandbox-{0}', parameters('locationSecondary')))]",
- "networkGroupIdDecommissioned1": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-decommissioned-{0}', parameters('location')))]",
- "networkGroupIdDecommissioned2": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-decommissioned-{0}', parameters('locationSecondary')))]"
+ "networkGroupIdRegion2": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-{0}', parameters('locationSecondary')))]"
 },
 "resources": [
 {
From 39ea238b295ad073aadbe9f59be30caf4a34fa85 Mon Sep 17 00:00:00 2001
From: Sacha Narinx
Date: Fri, 20 Dec 2024 12:35:37 +0400
Subject: [PATCH 215/226] .
---
 eslzArm/subscriptionTemplates/avnmPolicy.json | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/eslzArm/subscriptionTemplates/avnmPolicy.json b/eslzArm/subscriptionTemplates/avnmPolicy.json
index ced05f79bf..33aef542ef 100644
--- a/eslzArm/subscriptionTemplates/avnmPolicy.json
+++ b/eslzArm/subscriptionTemplates/avnmPolicy.json
@@ -35,7 +35,21 @@
"variables": {
"networkGroupIdAll": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', 'avnm-ng-all')]",
"networkGroupIdRegion1": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-{0}', parameters('location')))]",
- "networkGroupIdRegion2": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-{0}', parameters('locationSecondary')))]"
+ "networkGroupIdRegion2": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-{0}', parameters('locationSecondary')))]",
+ "networkGroupIdCorp1": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-corp-{0}', parameters('location')))]",
+ "networkGroupIdCorp2": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-corp-{0}', parameters('locationSecondary')))]",
+ "networkGroupIdOnline1": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-online-{0}', parameters('location')))]",
+ "networkGroupIdOnline2": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-online-{0}', parameters('locationSecondary')))]",
+ "networkGroupIdIdentity1": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-identity-{0}', parameters('location')))]",
+ "networkGroupIdIdentity2": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-identity-{0}', parameters('locationSecondary')))]",
+ "networkGroupIdManagement1": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-management-{0}', parameters('location')))]",
+ "networkGroupIdManagement2": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-management-{0}', parameters('locationSecondary')))]",
+ "networkGroupIdConnectivity1": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-connectivity-{0}', parameters('location')))]",
+ "networkGroupIdConnectivity2": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-connectivity-{0}', parameters('locationSecondary')))]",
+ "networkGroupIdSandbox1": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-sandbox-{0}', parameters('location')))]",
+ "networkGroupIdSandbox2": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-sandbox-{0}', parameters('locationSecondary')))]",
+ "networkGroupIdDecommissioned1": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-decommissioned-{0}', parameters('location')))]",
+ "networkGroupIdDecommissioned2": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-decommissioned-{0}', parameters('locationSecondary')))]"
},
"resources": [
{
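Review bot: Each of the sixteen new networkGroupId* variables repeats the literal resource-group name `'rg-alz-avnm'` and network-manager name `'avnm'`, so this policy template is coupled by string to whatever the AVNM configuration deployment happened to name, and `resourceId()` does not validate that the target exists, so a mismatch only shows up later as `addToNetworkGroup` policies that populate nothing. Hoist the two names once, e.g. `"avnmResourceGroupName": "rg-alz-avnm"` and `"avnmName": "avnm"`, and build every id from `variables('avnmResourceGroupName')` / `variables('avnmName')`, or better take them as parameters fed by the parent deployment so the two templates cannot drift. The per-archetype ids also differ only in the `avnm-ng-<archetype>-{0}` suffix, which a single `format()` helper variable would express more compactly.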
From cb47ed8ad4bfbd36965d5740c596b5e86101eb7e Mon Sep 17 00:00:00 2001
From: Sacha Narinx
Date: Fri, 20 Dec 2024 15:56:24 +0400
Subject: [PATCH 216/226] .
---
eslzArm/subscriptionTemplates/avnmPolicy.json | 687 ++++++++----------
1 file changed, 312 insertions(+), 375 deletions(-)
diff --git a/eslzArm/subscriptionTemplates/avnmPolicy.json b/eslzArm/subscriptionTemplates/avnmPolicy.json
index 33aef542ef..a2a459a38a 100644
--- a/eslzArm/subscriptionTemplates/avnmPolicy.json
+++ b/eslzArm/subscriptionTemplates/avnmPolicy.json
@@ -35,21 +35,7 @@
"variables": {
"networkGroupIdAll": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', 'avnm-ng-all')]",
"networkGroupIdRegion1": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-{0}', parameters('location')))]",
- "networkGroupIdRegion2": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-{0}', parameters('locationSecondary')))]",
- "networkGroupIdCorp1": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-corp-{0}', parameters('location')))]",
- "networkGroupIdCorp2": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-corp-{0}', parameters('locationSecondary')))]",
- "networkGroupIdOnline1": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-online-{0}', parameters('location')))]",
- "networkGroupIdOnline2": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-online-{0}', parameters('locationSecondary')))]",
- "networkGroupIdIdentity1": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-identity-{0}', parameters('location')))]",
- "networkGroupIdIdentity2": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-identity-{0}', parameters('locationSecondary')))]",
- "networkGroupIdManagement1": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-management-{0}', parameters('location')))]",
- "networkGroupIdManagement2": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-management-{0}', parameters('locationSecondary')))]",
- "networkGroupIdConnectivity1": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-connectivity-{0}', parameters('location')))]",
- "networkGroupIdConnectivity2": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-connectivity-{0}', parameters('locationSecondary')))]",
- "networkGroupIdSandbox1": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-sandbox-{0}', parameters('location')))]",
- "networkGroupIdSandbox2": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-sandbox-{0}', parameters('locationSecondary')))]",
- "networkGroupIdDecommissioned1": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-decommissioned-{0}', parameters('location')))]",
- "networkGroupIdDecommissioned2": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-decommissioned-{0}', parameters('locationSecondary')))]"
+ "networkGroupIdRegion2": "[if(empty(parameters('locationSecondary')), '', resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-{0}', parameters('locationSecondary'))))]"
},
"resources": [
{
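Review bot: The `if(empty(parameters('locationSecondary')), '', …)` guard on `networkGroupIdRegion2` protects the wrong element: `resourceId()` never checks that its target exists, so the unguarded expression was already harmless, while the resources that consume the variable (outside this hunk) will now receive an empty `networkGroupId` unless they are themselves conditioned. The check that actually prevents a bad deployment is `"condition": "[not(empty(parameters('locationSecondary')))]"` on every secondary-region policy definition and assignment, and the variable can then stay unconditional. The same pattern is repeated for `networkGroupId2` in each nested archetype template in the following hunks (@@ -220, -398, -536, -694, -872, -1030, -1168), and it also affects the secondary-region assignments whose `resourceSelectors` put `[parameters('locationSecondary')]` into `in`, and whose `policyDefinitionId` name `format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('locationSecondary'))` collapses when the region is empty (@@ -355, -671, -829, -987, -1139, -1300).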
@@ -220,50 +206,43 @@ "location": "[deployment().location]", "properties": { "expressionEvaluationOptions": { - "scope": "inner" + "scope": "inner" }, "mode": "Incremental", "parameters": { - "location": { - "value": "[parameters('location')]" - }, - "locationSecondary": { - "value": "[parameters('locationSecondary')]" - }, - "mgmtGroup": { - "value": "[format('{0}-corp', parameters('topLevelManagementGroupPrefix'))]" - }, - "connectivitySubscriptionId": { - "value": "[parameters('connectivitySubscriptionId')]" - } + "location": { + "value": "[parameters('location')]" + }, + "locationSecondary": { + "value": "[parameters('locationSecondary')]" + }, + "mgmtGroup": { + "value": "[format('{0}-corp', parameters('topLevelManagementGroupPrefix'))]" + }, + "connectivitySubscriptionId": { + "value": "[parameters('connectivitySubscriptionId')]" + } }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.32.4.45862", - "templateHash": "15861206698474595241" - } - }, "parameters": { "location": { - "type": "string" + "type": "string" }, "locationSecondary": { - "type": "string" + "type": "string" }, "mgmtGroup": { - "type": "string" + "type": "string" }, "connectivitySubscriptionId": { - "type": "string" + "type": "string" } }, "variables": { "networkGroupId1": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-corp-{0}', parameters('location')))]", - "networkGroupId2": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-corp-{0}', parameters('locationSecondary')))]" + "networkGroupId2": "[if(empty(parameters('locationSecondary')), '', resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 
'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-corp-{0}', parameters('locationSecondary'))))]" }, "resources": [ { @@ -274,21 +253,21 @@ "policyType": "Custom", "mode": "Microsoft.Network.Data", "policyRule": { - "if": { - "allOf": [ - { - "field": "type", - "equals": "Microsoft.Network/virtualNetworks" - } - ] - }, - "then": { - "effect": "addToNetworkGroup", - "details": { - "networkGroupId": "[variables('networkGroupId1')]" + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks" + } + ] + }, + "then": { + "effect": "addToNetworkGroup", + "details": { + "networkGroupId": "[variables('networkGroupId1')]" + } } } - } } }, { @@ -301,12 +280,12 @@ { "name": "regionalResource", "selectors": [ - { - "kind": "ResourceLocation", - "in": [ - "[parameters('location')]" - ] - } + { + "kind": "ResourceLocation", + "in": [ + "[parameters('location')]" + ] + } ] } ] @@ -324,21 +303,21 @@ "policyType": "Custom", "mode": "Microsoft.Network.Data", "policyRule": { - "if": { - "allOf": [ - { - "field": "type", - "equals": "Microsoft.Network/virtualNetworks" - } - ] - }, - "then": { - "effect": "addToNetworkGroup", - "details": { - "networkGroupId": "[variables('networkGroupId2')]" + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks" + } + ] + }, + "then": { + "effect": "addToNetworkGroup", + "details": { + "networkGroupId": "[variables('networkGroupId2')]" + } } } - } } }, { @@ -355,7 +334,7 @@ { "kind": "ResourceLocation", "in": [ - "[parameters('locationSecondary')]" + "[parameters('locationSecondary')]" ] } ] @@ -378,7 +357,7 @@ "location": "[deployment().location]", "properties": { "expressionEvaluationOptions": { - "scope": "inner" + "scope": "inner" }, "mode": "Incremental", "parameters": { 
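Review bot: Removing the `metadata._generator` block (bicep name, version and templateHash) from the nested template at @@ -220 turns what appears to be compiler output into hand-maintained ARM; if a `.bicep` source for this policy still exists in the repository, the re-indentation and the `if(empty(…))` change made here will be overwritten on the next `bicep build`, so either apply the change in the bicep source and regenerate, or delete the source so there is one authoritative copy. If the file is meant to be hand-maintained from now on, a short comment at the top of the nested template saying so, e.g. `// hand-maintained ARM; not regenerated from bicep`, would save the next reader the question. The same metadata removal appears in every nested template in this commit (@@ -398, -536, -694, -872, -1030, -1168).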
@@ -398,30 +377,23 @@ "template": { "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.32.4.45862", - "templateHash": "15861206698474595241" - } - }, "parameters": { "location": { - "type": "string" + "type": "string" }, "locationSecondary": { - "type": "string" + "type": "string" }, "mgmtGroup": { - "type": "string" + "type": "string" }, "connectivitySubscriptionId": { - "type": "string" + "type": "string" } }, "variables": { "networkGroupId1": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-online-{0}', parameters('location')))]", - "networkGroupId2": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-online-{0}', parameters('locationSecondary')))]" + "networkGroupId2": "[if(empty(parameters('locationSecondary')), '', resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-online-{0}', parameters('locationSecondary'))))]" }, "resources": [ { @@ -432,21 +404,21 @@ "policyType": "Custom", "mode": "Microsoft.Network.Data", "policyRule": { - "if": { - "allOf": [ - { - "field": "type", - "equals": "Microsoft.Network/virtualNetworks" - } - ] - }, - "then": { - "effect": "addToNetworkGroup", - "details": { - "networkGroupId": "[variables('networkGroupId1')]" + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks" + } + ] + }, + "then": { + "effect": "addToNetworkGroup", + "details": { + "networkGroupId": "[variables('networkGroupId1')]" + } } } - } } }, { 
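Review bot: Most of this commit is whitespace-only re-indentation (the `"scope": "inner"`, parameter `"type": "string"` and `policyRule` blocks in @@ -398 and @@ -432 are removed and re-added with no textual difference), which buries the two semantic edits per template — the `_generator` removal and the new `networkGroupId2` expression — in 375 deletions. Splitting the formatter pass into its own commit, or running the same formatter over the whole file before the functional change, keeps the diff reviewable and makes `git blame` on the policy rules useful again. The commit message `.` gives a reader nothing to go on either; the commit title should at least state the single-region handling this commit introduces.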
@@ -459,12 +431,12 @@ { "name": "regionalResource", "selectors": [ - { - "kind": "ResourceLocation", - "in": [ - "[parameters('location')]" - ] - } + { + "kind": "ResourceLocation", + "in": [ + "[parameters('location')]" + ] + } ] } ] 
@@ -536,50 +508,43 @@ "location": "[deployment().location]", "properties": { "expressionEvaluationOptions": { - "scope": "inner" + "scope": "inner" }, "mode": "Incremental", "parameters": { - "location": { - "value": "[parameters('location')]" - }, - "locationSecondary": { - "value": "[parameters('locationSecondary')]" - }, - "mgmtGroup": { - "value": "[format('{0}-identity', parameters('topLevelManagementGroupPrefix'))]" - }, - "connectivitySubscriptionId": { - "value": "[parameters('connectivitySubscriptionId')]" - } + "location": { + "value": "[parameters('location')]" + }, + "locationSecondary": { + "value": "[parameters('locationSecondary')]" + }, + "mgmtGroup": { + "value": "[format('{0}-identity', parameters('topLevelManagementGroupPrefix'))]" + }, + "connectivitySubscriptionId": { + "value": "[parameters('connectivitySubscriptionId')]" + } }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.32.4.45862", - "templateHash": "15861206698474595241" - } - }, "parameters": { "location": { - "type": "string" + "type": "string" }, "locationSecondary": { - "type": "string" + "type": "string" }, "mgmtGroup": { - "type": "string" + "type": "string" }, "connectivitySubscriptionId": { - "type": "string" + "type": "string" } }, "variables": { "networkGroupId1": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-identity-{0}', parameters('location')))]", - "networkGroupId2": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-identity-{0}', parameters('locationSecondary')))]" + "networkGroupId2": "[if(empty(parameters('locationSecondary')), '', resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 
'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-identity-{0}', parameters('locationSecondary'))))]" }, "resources": [ { @@ -590,21 +555,21 @@ "policyType": "Custom", "mode": "Microsoft.Network.Data", "policyRule": { - "if": { - "allOf": [ - { - "field": "type", - "equals": "Microsoft.Network/virtualNetworks" - } - ] - }, - "then": { - "effect": "addToNetworkGroup", - "details": { - "networkGroupId": "[variables('networkGroupId1')]" + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks" + } + ] + }, + "then": { + "effect": "addToNetworkGroup", + "details": { + "networkGroupId": "[variables('networkGroupId1')]" + } } } - } } }, { @@ -617,12 +582,12 @@ { "name": "regionalResource", "selectors": [ - { - "kind": "ResourceLocation", - "in": [ - "[parameters('location')]" - ] - } + { + "kind": "ResourceLocation", + "in": [ + "[parameters('location')]" + ] + } ] } ] @@ -640,21 +605,21 @@ "policyType": "Custom", "mode": "Microsoft.Network.Data", "policyRule": { - "if": { - "allOf": [ - { - "field": "type", - "equals": "Microsoft.Network/virtualNetworks" - } - ] - }, - "then": { - "effect": "addToNetworkGroup", - "details": { - "networkGroupId": "[variables('networkGroupId2')]" + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks" + } + ] + }, + "then": { + "effect": "addToNetworkGroup", + "details": { + "networkGroupId": "[variables('networkGroupId2')]" + } } } - } } }, { @@ -671,7 +636,7 @@ { "kind": "ResourceLocation", "in": [ - "[parameters('locationSecondary')]" + "[parameters('locationSecondary')]" ] } ] 
@@ -694,50 +659,43 @@ "location": "[deployment().location]", "properties": { "expressionEvaluationOptions": { - "scope": "inner" + "scope": "inner" }, "mode": "Incremental", "parameters": { - "location": { - "value": "[parameters('location')]" - }, - "locationSecondary": { - "value": "[parameters('locationSecondary')]" - }, - "mgmtGroup": { - "value": "[format('{0}-management', parameters('topLevelManagementGroupPrefix'))]" - }, - "connectivitySubscriptionId": { - "value": "[parameters('connectivitySubscriptionId')]" - } + "location": { + "value": "[parameters('location')]" + }, + "locationSecondary": { + "value": "[parameters('locationSecondary')]" + }, + "mgmtGroup": { + "value": "[format('{0}-management', parameters('topLevelManagementGroupPrefix'))]" + }, + "connectivitySubscriptionId": { + "value": "[parameters('connectivitySubscriptionId')]" + } }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.32.4.45862", - "templateHash": "15861206698474595241" - } - }, "parameters": { "location": { - "type": "string" + "type": "string" }, "locationSecondary": { - "type": "string" + "type": "string" }, "mgmtGroup": { - "type": "string" + "type": "string" }, "connectivitySubscriptionId": { - "type": "string" + "type": "string" } }, "variables": { "networkGroupId1": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-management-{0}', parameters('location')))]", - "networkGroupId2": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-management-{0}', parameters('locationSecondary')))]" + "networkGroupId2": "[if(empty(parameters('locationSecondary')), '', resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 
'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-management-{0}', parameters('locationSecondary'))))]" }, "resources": [ { @@ -748,21 +706,21 @@ "policyType": "Custom", "mode": "Microsoft.Network.Data", "policyRule": { - "if": { - "allOf": [ - { - "field": "type", - "equals": "Microsoft.Network/virtualNetworks" - } - ] - }, - "then": { - "effect": "addToNetworkGroup", - "details": { - "networkGroupId": "[variables('networkGroupId1')]" + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks" + } + ] + }, + "then": { + "effect": "addToNetworkGroup", + "details": { + "networkGroupId": "[variables('networkGroupId1')]" + } } } - } } }, { @@ -775,12 +733,12 @@ { "name": "regionalResource", "selectors": [ - { - "kind": "ResourceLocation", - "in": [ - "[parameters('location')]" - ] - } + { + "kind": "ResourceLocation", + "in": [ + "[parameters('location')]" + ] + } ] } ] @@ -798,21 +756,21 @@ "policyType": "Custom", "mode": "Microsoft.Network.Data", "policyRule": { - "if": { - "allOf": [ - { - "field": "type", - "equals": "Microsoft.Network/virtualNetworks" - } - ] - }, - "then": { - "effect": "addToNetworkGroup", - "details": { - "networkGroupId": "[variables('networkGroupId2')]" + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks" + } + ] + }, + "then": { + "effect": "addToNetworkGroup", + "details": { + "networkGroupId": "[variables('networkGroupId2')]" + } } } - } } }, { @@ -829,7 +787,7 @@ { "kind": "ResourceLocation", "in": [ - "[parameters('locationSecondary')]" + "[parameters('locationSecondary')]" ] } ] 
@@ -872,30 +830,23 @@ "template": { "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.32.4.45862", - "templateHash": "15861206698474595241" - } - }, "parameters": { "location": { - "type": "string" + "type": "string" }, "locationSecondary": { - "type": "string" + "type": "string" }, "mgmtGroup": { - "type": "string" + "type": "string" }, "connectivitySubscriptionId": { - "type": "string" + "type": "string" } }, "variables": { "networkGroupId1": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-connectivity-{0}', parameters('location')))]", - "networkGroupId2": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-connectivity-{0}', parameters('locationSecondary')))]" + "networkGroupId2": "[if(empty(parameters('locationSecondary')), '', resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-connectivity-{0}', parameters('locationSecondary'))))]" }, "resources": [ { @@ -906,21 +857,21 @@ "policyType": "Custom", "mode": "Microsoft.Network.Data", "policyRule": { - "if": { - "allOf": [ - { - "field": "type", - "equals": "Microsoft.Network/virtualNetworks" - } - ] - }, - "then": { - "effect": "addToNetworkGroup", - "details": { - "networkGroupId": "[variables('networkGroupId1')]" + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks" + } + ] + }, + "then": { + "effect": "addToNetworkGroup", + "details": { + "networkGroupId": "[variables('networkGroupId1')]" + } } } - } } }, { 
@@ -933,12 +884,12 @@ { "name": "regionalResource", "selectors": [ - { - "kind": "ResourceLocation", - "in": [ - "[parameters('location')]" - ] - } + { + "kind": "ResourceLocation", + "in": [ + "[parameters('location')]" + ] + } ] } ] @@ -956,21 +907,21 @@ "policyType": "Custom", "mode": "Microsoft.Network.Data", "policyRule": { - "if": { - "allOf": [ - { - "field": "type", - "equals": "Microsoft.Network/virtualNetworks" - } - ] - }, - "then": { - "effect": "addToNetworkGroup", - "details": { - "networkGroupId": "[variables('networkGroupId2')]" + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks" + } + ] + }, + "then": { + "effect": "addToNetworkGroup", + "details": { + "networkGroupId": "[variables('networkGroupId2')]" + } } } - } } }, { @@ -987,7 +938,7 @@ { "kind": "ResourceLocation", "in": [ - "[parameters('locationSecondary')]" + "[parameters('locationSecondary')]" ] } ] 
@@ -1030,30 +981,23 @@ "template": { "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.32.4.45862", - "templateHash": "15861206698474595241" - } - }, "parameters": { "location": { - "type": "string" + "type": "string" }, "locationSecondary": { - "type": "string" + "type": "string" }, "mgmtGroup": { - "type": "string" + "type": "string" }, "connectivitySubscriptionId": { - "type": "string" + "type": "string" } }, "variables": { "networkGroupId1": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-sandbox-{0}', parameters('location')))]", - "networkGroupId2": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-sandbox-{0}', parameters('locationSecondary')))]" + "networkGroupId2": "[if(empty(parameters('locationSecondary')), '', resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-sandbox-{0}', parameters('locationSecondary'))))]" }, "resources": [ { @@ -1064,21 +1008,21 @@ "policyType": "Custom", "mode": "Microsoft.Network.Data", "policyRule": { - "if": { - "allOf": [ - { - "field": "type", - "equals": "Microsoft.Network/virtualNetworks" - } - ] - }, - "then": { - "effect": "addToNetworkGroup", - "details": { - "networkGroupId": "[variables('networkGroupId1')]" + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks" + } + ] + }, + "then": { + "effect": "addToNetworkGroup", + "details": { + "networkGroupId": "[variables('networkGroupId1')]" + } } } - } } }, { 
@@ -1088,17 +1032,17 @@ "properties": { "policyDefinitionId": "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location')))]", "resourceSelectors": [ - { - "name": "regionalResource", - "selectors": [ { - "kind": "ResourceLocation", - "in": [ - "[parameters('location')]" + "name": "regionalResource", + "selectors": [ + { + "kind": "ResourceLocation", + "in": [ + "[parameters('location')]" + ] + } ] } - ] - } ] }, "dependsOn": [ @@ -1114,21 +1058,21 @@ "policyType": "Custom", "mode": "Microsoft.Network.Data", "policyRule": { - "if": { - "allOf": [ - { - "field": "type", - "equals": "Microsoft.Network/virtualNetworks" - } - ] - }, - "then": { - "effect": "addToNetworkGroup", - "details": { - "networkGroupId": "[variables('networkGroupId2')]" + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks" + } + ] + }, + "then": { + "effect": "addToNetworkGroup", + "details": { + "networkGroupId": "[variables('networkGroupId2')]" + } } } - } } }, { @@ -1139,17 +1083,17 @@ "properties": { "policyDefinitionId": "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('locationSecondary')))]", "resourceSelectors": [ - { - "name": "regionalResource", - "selectors": [ { - "kind": "ResourceLocation", - "in": [ - "[parameters('locationSecondary')]" + "name": "regionalResource", + "selectors": [ + { + "kind": "ResourceLocation", + "in": [ + "[parameters('locationSecondary')]" + ] + } ] } - ] - } ] }, "dependsOn": [ 
@@ -1168,50 +1112,43 @@ "location": "[deployment().location]", "properties": { "expressionEvaluationOptions": { - "scope": "inner" + "scope": "inner" }, "mode": "Incremental", "parameters": { - "location": { - "value": "[parameters('location')]" - }, - "locationSecondary": { - "value": "[parameters('locationSecondary')]" - }, - "mgmtGroup": { - "value": "[format('{0}-decommissioned', parameters('topLevelManagementGroupPrefix'))]" - }, - "connectivitySubscriptionId": { - "value": "[parameters('connectivitySubscriptionId')]" - } + "location": { + "value": "[parameters('location')]" + }, + "locationSecondary": { + "value": "[parameters('locationSecondary')]" + }, + "mgmtGroup": { + "value": "[format('{0}-decommissioned', parameters('topLevelManagementGroupPrefix'))]" + }, + "connectivitySubscriptionId": { + "value": "[parameters('connectivitySubscriptionId')]" + } }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.32.4.45862", - "templateHash": "15861206698474595241" - } - }, "parameters": { "location": { - "type": "string" + "type": "string" }, "locationSecondary": { - "type": "string" + "type": "string" }, "mgmtGroup": { - "type": "string" + "type": "string" }, "connectivitySubscriptionId": { - "type": "string" + "type": "string" } }, "variables": { "networkGroupId1": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-decommissioned-{0}', parameters('location')))]", - "networkGroupId2": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-decommissioned-{0}', parameters('locationSecondary')))]" + "networkGroupId2": "[if(empty(parameters('locationSecondary')), '', 
resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-decommissioned-{0}', parameters('locationSecondary'))))]" }, "resources": [ { @@ -1222,21 +1159,21 @@ "policyType": "Custom", "mode": "Microsoft.Network.Data", "policyRule": { - "if": { - "allOf": [ - { - "field": "type", - "equals": "Microsoft.Network/virtualNetworks" - } - ] - }, - "then": { - "effect": "addToNetworkGroup", - "details": { - "networkGroupId": "[variables('networkGroupId1')]" + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks" + } + ] + }, + "then": { + "effect": "addToNetworkGroup", + "details": { + "networkGroupId": "[variables('networkGroupId1')]" + } } } - } } }, { @@ -1249,12 +1186,12 @@ { "name": "regionalResource", "selectors": [ - { - "kind": "ResourceLocation", - "in": [ - "[parameters('location')]" - ] - } + { + "kind": "ResourceLocation", + "in": [ + "[parameters('location')]" + ] + } ] } ] @@ -1274,16 +1211,16 @@ "policyRule": { "if": { "allOf": [ - { - "field": "type", - "equals": "Microsoft.Network/virtualNetworks" - } + { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks" + } ] }, "then": { "effect": "addToNetworkGroup", "details": { - "networkGroupId": "[variables('networkGroupId2')]" + "networkGroupId": "[variables('networkGroupId2')]" } } } @@ -1300,12 +1237,12 @@ { "name": "regionalResource", "selectors": [ - { - "kind": "ResourceLocation", - "in": [ - "[parameters('locationSecondary')]" - ] - } + { + "kind": "ResourceLocation", + "in": [ + "[parameters('locationSecondary')]" + ] + } ] } ] From 2617f33870b5acb034230f6457f1d2ca2d5acef7 Mon Sep 17 00:00:00 2001 
From: Sacha Narinx
Date: Fri, 20 Dec 2024 16:35:30 +0400
Subject: [PATCH 217/226] .
---
eslzArm/eslzArm.json | 33 +-
eslzArm/subscriptionTemplates/avnmPolicy.json | 46 +-
.../avnmPolicySingle.json | 785 ++++++++++++++++++
3 files changed, 839 insertions(+), 25 deletions(-)
create mode 100644 eslzArm/subscriptionTemplates/avnmPolicySingle.json
diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json
index 8234f78016..f6ab09138f 100644
--- a/eslzArm/eslzArm.json
+++ b/eslzArm/eslzArm.json
@@ -1700,6 +1700,7 @@
"preRequisites": "[uri(deployment().properties.templateLink.uri, 'prerequisites/deployPrerequisites.json')]",
"avnmConnectivityHub": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/avnmConfiguration.json')]",
"avnmPolicy": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/avnmPolicy.json')]",
+ "avnmPolicySingle": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/avnmPolicySingle.json')]",
"vnetConnectivityHub": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/hubspoke-connectivity.json')]",
"vwanConnectivityHub": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/vwan-connectivity.json')]",
"nvaConnectivityHub": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/nvahubspoke-connectivity.json')]",
@@ -1838,6 +1839,7 @@ "ascGovPolicyDeploymentName": "[take(concat('alz-Gov-ASC', variables('deploymentSuffix')), 64)]", "avnmConnectivityHubDeploymentName": "[take(concat('alz-AVNM', variables('deploymentSuffix')), 64)]", "avnmPolicyDeploymentName": "[take(concat('alz-AVNMPolicy', variables('deploymentSuffix')), 64)]", + "avnmPolicySingleDeploymentName": "[take(concat('alz-AVNMPolicySingle', variables('deploymentSuffix')), 64)]", "vnetConnectivityHubDeploymentName": "[take(concat('alz-HubSpoke', variables('deploymentSuffix')), 64)]", "vwanConnectivityHubDeploymentName": "[take(concat('alz-VWanHub', variables('deploymentSuffix')), 64)]", "vnetConnectivityHub2DeploymentName": "[take(concat('alz-HubSpoke2', variables('deploymentSuffix')), 64)]", @@ -5237,8 +5239,8 @@ } }, { - // Deploying AVNM policy - "condition": "[and(parameters('deployAVNM'), or(equals(parameters('enableHub'), 'vhub'), equals(parameters('enableHub'), 'nva')), not(empty(parameters('connectivitySubscriptionId'))))]", + // Deploying AVNM policy - multi-region + "condition": "[and(parameters('deployAVNM'), equals(parameters('enableSecondaryRegion'), 'yes'), or(equals(parameters('enableHub'), 'vhub'), equals(parameters('enableHub'), 'nva')), not(empty(parameters('connectivitySubscriptionId'))))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2019-10-01", "name": "[variables('deploymentNames').avnmPolicyDeploymentName]", 
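Review bot: The new condition on the multi-region AVNM policy deployment only fires when `enableSecondaryRegion` equals the lowercase literal `'yes'`, and its single-region counterpart added in the next hunk fires only on `'no'`, so any other value — including `'Yes'`, the casing this same template uses for `enablePrivateDnsZones` — deploys neither branch and silently leaves the hierarchy without any AVNM membership policy. ARM's `equals` is, as far as I know, case-sensitive on strings, so unless `enableSecondaryRegion` is declared with `allowedValues` (not visible here), one branch should be the complement of the other, e.g. `"condition": "[and(parameters('deployAVNM'), not(equals(parameters('enableSecondaryRegion'), 'yes')), ...)]"` on the single-region side. The deployment object this condition belongs to continues past the hunk.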
@@ -5266,6 +5268,33 @@ } } }, + { + // Deploying AVNM policy single region + "condition": "[and(parameters('deployAVNM'), equals(parameters('enableSecondaryRegion'), 'no'), or(equals(parameters('enableHub'), 'vhub'), equals(parameters('enableHub'), 'nva')), not(empty(parameters('connectivitySubscriptionId'))))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[variables('deploymentNames').avnmPolicySingleDeploymentName]", + "location": "[deployment().location]", + "scope": "[variables('scopes').eslzRootManagementGroup]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').avnmConnectivityHubDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').avnmPolicySingle]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('enterpriseScaleCompanyPrefix')]" + }, + "connectivitySubscriptionId": { + "value": "[parameters('connectivitySubscriptionId')]" + } + } + } + }, { // Creating resource group for Private DNS Zones "condition": "[and(equals(parameters('enablePrivateDnsZones'), 'Yes'), not(empty(parameters('connectivitySubscriptionId'))))]", diff --git a/eslzArm/subscriptionTemplates/avnmPolicy.json b/eslzArm/subscriptionTemplates/avnmPolicy.json index a2a459a38a..97db8ca5f3 100644 --- a/eslzArm/subscriptionTemplates/avnmPolicy.json +++ b/eslzArm/subscriptionTemplates/avnmPolicy.json 
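Review bot: The new single-region deployment passes only `topLevelManagementGroupPrefix` and `connectivitySubscriptionId`, so `avnmPolicySingle.json` falls back to its `location` default of `deployment().location`; the network groups it targets are named `avnm-ng-<location>` and its assignment `resourceSelectors` filter on that same value, so a deployment started from a region other than the connectivity hub region produces policies that point at a network group that does not exist and match no VNets. Pass the hub region explicitly, as the multi-region deployment does for the secondary region, e.g. `"location": { "value": "[parameters('connectivityLocation')]" }` — assuming that is the parameter carrying the primary hub region, which is not visible in this hunk. The multi-region deployment whose closing braces open this hunk starts outside it.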
@@ -1209,21 +1209,21 @@ "policyType": "Custom", "mode": "Microsoft.Network.Data", "policyRule": { - "if": { - "allOf": [ - { - "field": "type", - "equals": "Microsoft.Network/virtualNetworks" + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks" + } + ] + }, + "then": { + "effect": "addToNetworkGroup", + "details": { + "networkGroupId": "[variables('networkGroupId2')]" } - ] - }, - "then": { - "effect": "addToNetworkGroup", - "details": { - "networkGroupId": "[variables('networkGroupId2')]" } } - } } }, { @@ -1234,17 +1234,17 @@ "properties": { "policyDefinitionId": "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('locationSecondary')))]", "resourceSelectors": [ - { - "name": "regionalResource", - "selectors": [ - { - "kind": "ResourceLocation", - "in": [ - "[parameters('locationSecondary')]" - ] - } - ] - } + { + "name": "regionalResource", + "selectors": [ + { + "kind": "ResourceLocation", + "in": [ + "[parameters('locationSecondary')]" + ] + } + ] + } ] }, "dependsOn": [ diff --git a/eslzArm/subscriptionTemplates/avnmPolicySingle.json b/eslzArm/subscriptionTemplates/avnmPolicySingle.json new file mode 100644 index 0000000000..e3317e8e2c --- /dev/null +++ b/eslzArm/subscriptionTemplates/avnmPolicySingle.json 
@@ -0,0 +1,785 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "maxLength": 10, + "metadata": { + "description": "Provide a prefix (max 10 characters, unique at tenant-scope) for the Management Group hierarchy and other resources created as part of Enterprise-scale." + } + }, + "location": { + "type": "string", + "metadata": { + "displayName": "location", + "description": "Primary region for all resources." + }, + "defaultValue": "[deployment().location]" + }, + "connectivitySubscriptionId": { + "type": "string", + "metadata": { + "description": "Provide the subscriptionId you will place into the management group" + } + } + }, + "variables": { + "networkGroupIdAll": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', 'avnm-ng-all')]", + "networkGroupIdRegion1": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-{0}', parameters('location')))]" + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2023-04-01", + "name": "[uniqueString(variables('networkGroupIdAll'))]", + "properties": { + "description": "AVNM intermediate root group membership Policy", + "displayName": "AVNM intermediate root group membership Policy", + "mode": "Microsoft.Network.Data", + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks" + } + ] + }, + "then": { + "effect": "addToNetworkGroup", + "details": { + "networkGroupId": "[variables('networkGroupIdAll')]" + } + } + } + } + }, + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2023-04-01", + "name": "[uniqueString(variables('networkGroupIdAll'))]", + "location": 
"[parameters('location')]", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "description": "AVNM intermediate root group membership Policy", + "displayName": "AVNM intermediate root group membership Policy", + "enforcementMode": "Default", + "policyDefinitionId": "[managementGroupResourceId('Microsoft.Authorization/policyDefinitions', uniqueString(variables('networkGroupIdAll')))]" + }, + "dependsOn": [ + "[format('Microsoft.Authorization/policyDefinitions/{0}', uniqueString(variables('networkGroupIdAll')))]" + ] + }, + { + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2023-04-01", + "name": "[uniqueString(variables('networkGroupIdRegion1'))]", + "properties": { + "description": "AVNM intermediate root group membership Policy", + "displayName": "AVNM intermediate root group membership Policy", + "mode": "Microsoft.Network.Data", + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks" + } + ] + }, + "then": { + "effect": "addToNetworkGroup", + "details": { + "networkGroupId": "[variables('networkGroupIdRegion1')]" + } + } + } + } + }, + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2023-04-01", + "name": "[uniqueString(variables('networkGroupIdRegion1'))]", + "location": "[parameters('location')]", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "description": "AVNM intermediate root group membership Policy", + "displayName": "AVNM intermediate root group membership Policy", + "enforcementMode": "Default", + "resourceSelectors": [ + { + "name": "regionalResource", + "selectors": [ + { + "kind": "ResourceLocation", + "in": [ + "[parameters('location')]" + ] + } + ] + } + ], + "policyDefinitionId": "[managementGroupResourceId('Microsoft.Authorization/policyDefinitions', uniqueString(variables('networkGroupIdRegion1')))]" + }, + "dependsOn": [ + "[format('Microsoft.Authorization/policyDefinitions/{0}', 
uniqueString(variables('networkGroupIdRegion1')))]" + ] + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "policyCorp", + "scope": "[format('Microsoft.Management/managementGroups/{0}', format('{0}-corp', parameters('topLevelManagementGroupPrefix')))]", + "location": "[deployment().location]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "location": { + "value": "[parameters('location')]" + }, + "mgmtGroup": { + "value": "[format('{0}-corp', parameters('topLevelManagementGroupPrefix'))]" + }, + "connectivitySubscriptionId": { + "value": "[parameters('connectivitySubscriptionId')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string" + }, + "mgmtGroup": { + "type": "string" + }, + "connectivitySubscriptionId": { + "type": "string" + } + }, + "variables": { + "networkGroupId1": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-corp-{0}', parameters('location')))]" + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2023-04-01", + "name": "[format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location'))]", + "properties": { + "policyType": "Custom", + "mode": "Microsoft.Network.Data", + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks" + } + ] + }, + "then": { + "effect": "addToNetworkGroup", + "details": { + "networkGroupId": "[variables('networkGroupId1')]" + } + } + } + } + }, + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2023-04-01", + "name": "[uniqueString(format('ALZAvnmPolicyAssignment{0}1', parameters('mgmtGroup')))]", + "properties": { 
+ "policyDefinitionId": "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location')))]", + "resourceSelectors": [ + { + "name": "regionalResource", + "selectors": [ + { + "kind": "ResourceLocation", + "in": [ + "[parameters('location')]" + ] + } + ] + } + ] + }, + "dependsOn": [ + "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location')))]" + ] + } + ] + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "policyOnline", + "scope": "[format('Microsoft.Management/managementGroups/{0}', format('{0}-online', parameters('topLevelManagementGroupPrefix')))]", + "location": "[deployment().location]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "location": { + "value": "[parameters('location')]" + }, + "mgmtGroup": { + "value": "[format('{0}-online', parameters('topLevelManagementGroupPrefix'))]" + }, + "connectivitySubscriptionId": { + "value": "[parameters('connectivitySubscriptionId')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string" + }, + "mgmtGroup": { + "type": "string" + }, + "connectivitySubscriptionId": { + "type": "string" + } + }, + "variables": { + "networkGroupId1": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-online-{0}', parameters('location')))]" + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2023-04-01", + "name": "[format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location'))]", + 
"properties": { + "policyType": "Custom", + "mode": "Microsoft.Network.Data", + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks" + } + ] + }, + "then": { + "effect": "addToNetworkGroup", + "details": { + "networkGroupId": "[variables('networkGroupId1')]" + } + } + } + } + }, + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2023-04-01", + "name": "[uniqueString(format('ALZAvnmPolicyAssignment{0}1', parameters('mgmtGroup')))]", + "properties": { + "policyDefinitionId": "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location')))]", + "resourceSelectors": [ + { + "name": "regionalResource", + "selectors": [ + { + "kind": "ResourceLocation", + "in": [ + "[parameters('location')]" + ] + } + ] + } + ] + }, + "dependsOn": [ + "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location')))]" + ] + } + ] + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "policyIdentity", + "scope": "[format('Microsoft.Management/managementGroups/{0}', format('{0}-identity', parameters('topLevelManagementGroupPrefix')))]", + "location": "[deployment().location]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "location": { + "value": "[parameters('location')]" + }, + "mgmtGroup": { + "value": "[format('{0}-identity', parameters('topLevelManagementGroupPrefix'))]" + }, + "connectivitySubscriptionId": { + "value": "[parameters('connectivitySubscriptionId')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string" 
+ }, + "mgmtGroup": { + "type": "string" + }, + "connectivitySubscriptionId": { + "type": "string" + } + }, + "variables": { + "networkGroupId1": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-identity-{0}', parameters('location')))]" + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2023-04-01", + "name": "[format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location'))]", + "properties": { + "policyType": "Custom", + "mode": "Microsoft.Network.Data", + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks" + } + ] + }, + "then": { + "effect": "addToNetworkGroup", + "details": { + "networkGroupId": "[variables('networkGroupId1')]" + } + } + } + } + }, + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2023-04-01", + "name": "[uniqueString(format('ALZAvnmPolicyAssignment{0}1', parameters('mgmtGroup')))]", + "properties": { + "policyDefinitionId": "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location')))]", + "resourceSelectors": [ + { + "name": "regionalResource", + "selectors": [ + { + "kind": "ResourceLocation", + "in": [ + "[parameters('location')]" + ] + } + ] + } + ] + }, + "dependsOn": [ + "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location')))]" + ] + } + ] + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "policyManagement", + "scope": "[format('Microsoft.Management/managementGroups/{0}', format('{0}-management', parameters('topLevelManagementGroupPrefix')))]", + "location": "[deployment().location]", + "properties": { + 
"expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "location": { + "value": "[parameters('location')]" + }, + "mgmtGroup": { + "value": "[format('{0}-management', parameters('topLevelManagementGroupPrefix'))]" + }, + "connectivitySubscriptionId": { + "value": "[parameters('connectivitySubscriptionId')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string" + }, + "mgmtGroup": { + "type": "string" + }, + "connectivitySubscriptionId": { + "type": "string" + } + }, + "variables": { + "networkGroupId1": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-management-{0}', parameters('location')))]" + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2023-04-01", + "name": "[format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location'))]", + "properties": { + "policyType": "Custom", + "mode": "Microsoft.Network.Data", + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks" + } + ] + }, + "then": { + "effect": "addToNetworkGroup", + "details": { + "networkGroupId": "[variables('networkGroupId1')]" + } + } + } + } + }, + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2023-04-01", + "name": "[uniqueString(format('ALZAvnmPolicyAssignment{0}1', parameters('mgmtGroup')))]", + "properties": { + "policyDefinitionId": "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location')))]", + "resourceSelectors": [ + { + "name": "regionalResource", + "selectors": [ + { + "kind": "ResourceLocation", + "in": [ + "[parameters('location')]" 
+ ] + } + ] + } + ] + }, + "dependsOn": [ + "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location')))]" + ] + } + ] + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "policyConnectivity", + "scope": "[format('Microsoft.Management/managementGroups/{0}', format('{0}-connectivity', parameters('topLevelManagementGroupPrefix')))]", + "location": "[deployment().location]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "location": { + "value": "[parameters('location')]" + }, + "mgmtGroup": { + "value": "[format('{0}-connectivity', parameters('topLevelManagementGroupPrefix'))]" + }, + "connectivitySubscriptionId": { + "value": "[parameters('connectivitySubscriptionId')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string" + }, + "mgmtGroup": { + "type": "string" + }, + "connectivitySubscriptionId": { + "type": "string" + } + }, + "variables": { + "networkGroupId1": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-connectivity-{0}', parameters('location')))]" + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2023-04-01", + "name": "[format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location'))]", + "properties": { + "policyType": "Custom", + "mode": "Microsoft.Network.Data", + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks" + } + ] + }, + "then": { + "effect": "addToNetworkGroup", + "details": { + "networkGroupId": "[variables('networkGroupId1')]" + } + } 
+ } + } + }, + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2023-04-01", + "name": "[uniqueString(format('ALZAvnmPolicyAssignment{0}1', parameters('mgmtGroup')))]", + "properties": { + "policyDefinitionId": "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location')))]", + "resourceSelectors": [ + { + "name": "regionalResource", + "selectors": [ + { + "kind": "ResourceLocation", + "in": [ + "[parameters('location')]" + ] + } + ] + } + ] + }, + "dependsOn": [ + "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location')))]" + ] + } + ] + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "policySandbox", + "scope": "[format('Microsoft.Management/managementGroups/{0}', format('{0}-sandboxes', parameters('topLevelManagementGroupPrefix')))]", + "location": "[deployment().location]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "location": { + "value": "[parameters('location')]" + }, + "mgmtGroup": { + "value": "[format('{0}-sandboxes', parameters('topLevelManagementGroupPrefix'))]" + }, + "connectivitySubscriptionId": { + "value": "[parameters('connectivitySubscriptionId')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string" + }, + "mgmtGroup": { + "type": "string" + }, + "connectivitySubscriptionId": { + "type": "string" + } + }, + "variables": { + "networkGroupId1": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-sandbox-{0}', 
parameters('location')))]" + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2023-04-01", + "name": "[format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location'))]", + "properties": { + "policyType": "Custom", + "mode": "Microsoft.Network.Data", + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks" + } + ] + }, + "then": { + "effect": "addToNetworkGroup", + "details": { + "networkGroupId": "[variables('networkGroupId1')]" + } + } + } + } + }, + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2023-04-01", + "name": "[uniqueString(format('ALZAvnmPolicyAssignment{0}1', parameters('mgmtGroup')))]", + "properties": { + "policyDefinitionId": "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location')))]", + "resourceSelectors": [ + { + "name": "regionalResource", + "selectors": [ + { + "kind": "ResourceLocation", + "in": [ + "[parameters('location')]" + ] + } + ] + } + ] + }, + "dependsOn": [ + "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location')))]" + ] + } + ] + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "policyDecommissioned", + "scope": "[format('Microsoft.Management/managementGroups/{0}', format('{0}-decommissioned', parameters('topLevelManagementGroupPrefix')))]", + "location": "[deployment().location]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "location": { + "value": "[parameters('location')]" + }, + "mgmtGroup": { + "value": "[format('{0}-decommissioned', parameters('topLevelManagementGroupPrefix'))]" + }, + "connectivitySubscriptionId": { + "value": 
"[parameters('connectivitySubscriptionId')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string" + }, + "mgmtGroup": { + "type": "string" + }, + "connectivitySubscriptionId": { + "type": "string" + } + }, + "variables": { + "networkGroupId1": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-decommissioned-{0}', parameters('location')))]" + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2023-04-01", + "name": "[format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location'))]", + "properties": { + "policyType": "Custom", + "mode": "Microsoft.Network.Data", + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks" + } + ] + }, + "then": { + "effect": "addToNetworkGroup", + "details": { + "networkGroupId": "[variables('networkGroupId1')]" + } + } + } + } + }, + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2023-04-01", + "name": "[uniqueString(format('ALZAvnmPolicyAssignment{0}1', parameters('mgmtGroup')))]", + "properties": { + "policyDefinitionId": "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location')))]", + "resourceSelectors": [ + { + "name": "regionalResource", + "selectors": [ + { + "kind": "ResourceLocation", + "in": [ + "[parameters('location')]" + ] + } + ] + } + ] + }, + "dependsOn": [ + "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location')))]" + ] + } + ] + } + } + } + ] +} \ No newline at end of file 
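Review bot: The two root-scope policy assignments carry `"identity": { "type": "SystemAssigned" }` and a `location`, while the seven management-group assignments in the nested deployments carry neither, and nothing in the template grants that identity a role; as far as I know `addToNetworkGroup` is evaluated by the policy engine itself and does not use a managed identity the way deployIfNotExists/modify do, so the identity is either dead weight on two assignments or missing on the other seven — make all nine consistent. The two root definitions also share the identical `displayName`/`description` `"AVNM intermediate root group membership Policy"` although one feeds `avnm-ng-all` and the other the regional group, and they omit the `"policyType": "Custom"` the nested definitions set; distinct names such as `"AVNM: add all VNets to avnm-ng-all"` and `"AVNM: add primary-region VNets to avnm-ng-<location>"` matter operationally because `avnm-ng-all` is the group the security-admin rule collection is applied to, so membership here is what turns the guardrail on for a VNet. The resource group (`rg-alz-avnm`) and network manager (`avnm`) names are hard-coded in every `resourceId` rather than parameterised, so if the configuration template still derives the resource group name from the prefix (as its early version did) the membership policies point at a non-existent group; a one-line comment stating where these names must match would at least make the coupling visible.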
From 5cc84ab92ba3ddd57ad26ec6980f09acc862ae7c Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Fri, 20 Dec 2024 17:41:14 +0400 Subject: [PATCH 218/226] . --- eslzArm/eslzArm.json | 35 +- .../avnmConfiguration.json | 52 +- eslzArm/subscriptionTemplates/avnmPolicy.json | 173 ++-- .../avnmPolicySingle.json | 785 ------------------ 4 files changed, 161 insertions(+), 884 deletions(-) delete mode 100644 eslzArm/subscriptionTemplates/avnmPolicySingle.json diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json index f6ab09138f..ab3a1d4147 100644 --- a/eslzArm/eslzArm.json +++ b/eslzArm/eslzArm.json @@ -1700,7 +1700,6 @@ "preRequisites": "[uri(deployment().properties.templateLink.uri, 'prerequisites/deployPrerequisites.json')]", "avnmConnectivityHub": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/avnmConfiguration.json')]", "avnmPolicy": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/avnmPolicy.json')]", - "avnmPolicySingle": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/avnmPolicySingle.json')]", "vnetConnectivityHub": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/hubspoke-connectivity.json')]", "vwanConnectivityHub": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/vwan-connectivity.json')]", "nvaConnectivityHub": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/nvahubspoke-connectivity.json')]", 
@@ -1839,7 +1838,6 @@ "ascGovPolicyDeploymentName": "[take(concat('alz-Gov-ASC', variables('deploymentSuffix')), 64)]", "avnmConnectivityHubDeploymentName": "[take(concat('alz-AVNM', variables('deploymentSuffix')), 64)]", "avnmPolicyDeploymentName": "[take(concat('alz-AVNMPolicy', variables('deploymentSuffix')), 64)]", - "avnmPolicySingleDeploymentName": "[take(concat('alz-AVNMPolicySingle', variables('deploymentSuffix')), 64)]", "vnetConnectivityHubDeploymentName": "[take(concat('alz-HubSpoke', variables('deploymentSuffix')), 64)]", "vwanConnectivityHubDeploymentName": "[take(concat('alz-VWanHub', variables('deploymentSuffix')), 64)]", "vnetConnectivityHub2DeploymentName": "[take(concat('alz-HubSpoke2', variables('deploymentSuffix')), 64)]", @@ -5234,13 +5232,16 @@ }, "connectivitySubscriptionId": { "value": "[parameters('connectivitySubscriptionId')]" + }, + "enableSecondaryRegion": { + "value": "[parameters('enableSecondaryRegion')]" } } } }, { // Deploying AVNM policy - multi-region - "condition": "[and(parameters('deployAVNM'), equals(parameters('enableSecondaryRegion'), 'yes'), or(equals(parameters('enableHub'), 'vhub'), equals(parameters('enableHub'), 'nva')), not(empty(parameters('connectivitySubscriptionId'))))]", + "condition": "[and(parameters('deployAVNM'), or(equals(parameters('enableHub'), 'vhub'), equals(parameters('enableHub'), 'nva')), not(empty(parameters('connectivitySubscriptionId'))))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2019-10-01", "name": "[variables('deploymentNames').avnmPolicyDeploymentName]", 
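Review bot: The comment `// Deploying AVNM policy - multi-region` is now misleading: the condition directly below it no longer checks `enableSecondaryRegion`, the single-region deployment is deleted in this same commit, and region selection moves into `avnmPolicy.json` via the `enableSecondaryRegion` parameter now passed to it. Suggest `// Deploying AVNM policy (single- or multi-region, selected by enableSecondaryRegion)`. The deployment object continues past the hunk.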
@@ -5264,33 +5265,9 @@ }, "locationSecondary": { "value": "[parameters('connectivityLocationSecondary')]" - } - } - } - }, - { - // Deploying AVNM policy single region - "condition": "[and(parameters('deployAVNM'), equals(parameters('enableSecondaryRegion'), 'no'), or(equals(parameters('enableHub'), 'vhub'), equals(parameters('enableHub'), 'nva')), not(empty(parameters('connectivitySubscriptionId'))))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2019-10-01", - "name": "[variables('deploymentNames').avnmPolicySingleDeploymentName]", - "location": "[deployment().location]", - "scope": "[variables('scopes').eslzRootManagementGroup]", - "dependsOn": [ - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').avnmConnectivityHubDeploymentName)]" - ], - "properties": { - "mode": "Incremental", - "templateLink": { - "contentVersion": "1.0.0.0", - "uri": "[variables('deploymentUris').avnmPolicySingle]" - }, - "parameters": { - "topLevelManagementGroupPrefix": { - "value": "[parameters('enterpriseScaleCompanyPrefix')]" }, - "connectivitySubscriptionId": { - "value": "[parameters('connectivitySubscriptionId')]" + "enableSecondaryRegion": { + "value": "[parameters('enableSecondaryRegion')]" } } } diff --git a/eslzArm/subscriptionTemplates/avnmConfiguration.json b/eslzArm/subscriptionTemplates/avnmConfiguration.json index 6d60f1d424..929ed95847 100644 --- a/eslzArm/subscriptionTemplates/avnmConfiguration.json +++ b/eslzArm/subscriptionTemplates/avnmConfiguration.json @@ -31,6 +31,13 @@ "description": "SubscriptionId for the connectivity subscription." }, "defaultValue": "[subscription().subscriptionId]" + }, + "enableSecondaryRegion": { + "type": "string", + "metadata": { + "description": "Enable secondary region for instances deploying in multiple regions" + }, + "defaultValue": "no" } }, "variables": { 
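Review bot: The new `enableSecondaryRegion` parameter in `avnmConfiguration.json` is a free-form string with no `allowedValues`, yet every consumer in this commit branches on the exact literals `'yes'` and `'no'` (`equals(parameters('enableSecondaryRegion'), 'yes')` on the network groups, `not(equals(..., 'no'))` on the rule collection), and ARM's `equals` is, as I understand it, case-sensitive; the sibling `enablePrivateDnsZones` flag in `eslzArm.json` is compared against `'Yes'`, so a caller following that convention would supply a value that matches neither branch. Add `"allowedValues": [ "yes", "no" ]` here and on the mirrored inner-template parameter so a mismatch fails at validation instead of silently skipping the secondary-region resources, and state the accepted values in the description.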
@@ -68,6 +75,9 @@ }, "managementGroupScope": { "value": "[parameters('managementGroupScope')]" + }, + "enableSecondaryRegion": { + "value": "[parameters('enableSecondaryRegion')]" } }, "template": { @@ -82,6 +92,9 @@ }, "managementGroupScope": { "type": "string" + }, + "enableSecondaryRegion": { + "type": "string" } }, "resources": [ @@ -135,7 +148,7 @@ ] }, { - "condition": "[not(empty(parameters('locationSecondary')))]", + "condition": "[equals(parameters('enableSecondaryRegion'), 'yes')]", "type": "Microsoft.Network/networkManagers/networkGroups", "apiVersion": "2024-03-01", "name": "[format('{0}/{1}', 'avnm', format('avnm-ng-{0}', parameters('locationSecondary')))]", @@ -160,7 +173,7 @@ ] }, { - "condition": "[not(empty(parameters('locationSecondary')))]", + "condition": "[equals(parameters('enableSecondaryRegion'), 'yes')]", "type": "Microsoft.Network/networkManagers/networkGroups", "apiVersion": "2024-03-01", "name": "[format('{0}/{1}', 'avnm', format('avnm-ng-corp-{0}', parameters('locationSecondary')))]", @@ -185,7 +198,7 @@ ] }, { - "condition": "[not(empty(parameters('locationSecondary')))]", + "condition": "[equals(parameters('enableSecondaryRegion'), 'yes')]", "type": "Microsoft.Network/networkManagers/networkGroups", "apiVersion": "2024-03-01", "name": "[format('{0}/{1}', 'avnm', format('avnm-ng-online-{0}', parameters('locationSecondary')))]", @@ -210,7 +223,7 @@ ] }, { - "condition": "[not(empty(parameters('locationSecondary')))]", + "condition": "[equals(parameters('enableSecondaryRegion'), 'yes')]", "type": "Microsoft.Network/networkManagers/networkGroups", "apiVersion": "2024-03-01", "name": "[format('{0}/{1}', 'avnm', format('avnm-ng-identity-{0}', parameters('locationSecondary')))]", 
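Review bot: Replacing `not(empty(parameters('locationSecondary')))` with `equals(parameters('enableSecondaryRegion'), 'yes')` drops the guard that kept an empty secondary location out of resource names; if the flag is `'yes'` while `locationSecondary` is blank (whether the portal can still produce that combination is not visible here), these network groups are now created as `avnm-ng-`, `avnm-ng-corp-`, `avnm-ng-online-` and so on, and the regional policy selectors that reference them never match. Suggest keeping both guards, `"condition": "[and(equals(parameters('enableSecondaryRegion'), 'yes'), not(empty(parameters('locationSecondary'))))]"`, or adding `"minLength": 1` to the inner-template `locationSecondary` parameter. The same replacement is repeated on every secondary-region network group in this file, and each resource body continues past its hunk.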
@@ -235,7 +248,7 @@ ] }, { - "condition": "[not(empty(parameters('locationSecondary')))]", + "condition": "[equals(parameters('enableSecondaryRegion'), 'yes')]", "type": "Microsoft.Network/networkManagers/networkGroups", "apiVersion": "2024-03-01", "name": "[format('{0}/{1}', 'avnm', format('avnm-ng-management-{0}', parameters('locationSecondary')))]", @@ -260,7 +273,7 @@ ] }, { - "condition": "[not(empty(parameters('locationSecondary')))]", + "condition": "[equals(parameters('enableSecondaryRegion'), 'yes')]", "type": "Microsoft.Network/networkManagers/networkGroups", "apiVersion": "2024-03-01", "name": "[format('{0}/{1}', 'avnm', format('avnm-ng-connectivity-{0}', parameters('locationSecondary')))]", @@ -285,7 +298,7 @@ ] }, { - "condition": "[not(empty(parameters('locationSecondary')))]", + "condition": "[equals(parameters('enableSecondaryRegion'), 'yes')]", "type": "Microsoft.Network/networkManagers/networkGroups", "apiVersion": "2024-03-01", "name": "[format('{0}/{1}', 'avnm', format('avnm-ng-sandbox-{0}', parameters('locationSecondary')))]", @@ -310,7 +323,7 @@ ] }, { - "condition": "[not(empty(parameters('locationSecondary')))]", + "condition": "[equals(parameters('enableSecondaryRegion'), 'yes')]", "type": "Microsoft.Network/networkManagers/networkGroups", "apiVersion": "2024-03-01", "name": "[format('{0}/{1}', 'avnm', format('avnm-ng-decommissioned-{0}', parameters('locationSecondary')))]", @@ -334,6 +347,7 @@ } }, { + "condition": "[equals(parameters('enableSecondaryRegion'), 'yes')]", "type": "Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections", "apiVersion": "2024-03-01", "name": "[format('{0}/{1}/{2}', 'avnm', 'sac-alz', 'rc-ALZ')]", 
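Review bot: The `equals(parameters('enableSecondaryRegion'), 'yes')` condition added to the existing `rc-ALZ` collection in `@@ -334,6 +347,7 @@` presupposes that its `appliesToGroups` (outside the hunk) reference the secondary-region group; if that list also holds `avnm-ng-all` and the primary group, a single-region deployment loses those security admin rules unless a `'no'` variant of the collection is deployed alongside. A comment on the resource would make the pairing explicit, e.g. `// Multi-region variant of rc-ALZ; the single-region variant is the next ruleCollections resource` — the main template already uses `//` comments, so ARM accepts them here too. The rest of this resource is outside the hunk.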
@@ -358,6 +372,28 @@ ] } }, + { + "condition": "[not(equals(parameters('enableSecondaryRegion'), 'no'))]", + "type": "Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections", + "apiVersion": "2024-03-01", + "name": "[format('{0}/{1}/{2}', 'avnm', 'sac-alz', 'rc-ALZ')]", + "dependsOn": [ + "[resourceId('Microsoft.Network/networkManagers/securityAdminConfigurations', 'avnm', 'sac-alz')]", + "[resourceId('Microsoft.Network/networkManagers/networkGroups', 'avnm', 'avnm-ng-all')]", + "[resourceId('Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-{0}', parameters('location')))]" + ], + "properties": { + "appliesToGroups": [ + { + "networkGroupId": "[resourceId('Microsoft.Network/networkManagers/networkGroups', 'avnm', 'avnm-ng-all')]" + }, + { + "networkGroupId": "[resourceId('Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-{0}', parameters('location')))]" + } + + ] + } + }, { "type": "Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections/rules", "apiVersion": "2024-03-01", diff --git a/eslzArm/subscriptionTemplates/avnmPolicy.json b/eslzArm/subscriptionTemplates/avnmPolicy.json index 97db8ca5f3..a8fabf506d 100644 --- a/eslzArm/subscriptionTemplates/avnmPolicy.json +++ b/eslzArm/subscriptionTemplates/avnmPolicy.json 
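Review bot: The condition on the second `rc-ALZ` rule collection is inverted: `not(equals(parameters('enableSecondaryRegion'), 'no'))` is true for `'yes'`, the same value that enables the first `rc-ALZ` collection in the preceding hunk, so with `'yes'` two resources named `avnm/sac-alz/rc-ALZ` are active in one template, and with `'no'` neither is, leaving `sac-alz` with no collection for the `rules` child resource that begins at the end of this hunk (its name is cut off, but it presumably targets `rc-ALZ`). Use `"condition": "[equals(parameters('enableSecondaryRegion'), 'no')]"` so the two collections are mutually exclusive and the primary-region-only collection carries the ALZ security admin rules in a single-region deployment. The `dependsOn` on `avnm-ng-all` and the primary-region group is right for this variant; the stray blank line inside `appliesToGroups` can go.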
@@ -30,12 +30,19 @@ "metadata": { "description": "Provide the subscriptionId you will place into the management group" } + }, + "enableSecondaryRegion": { + "type": "string", + "metadata": { + "description": "Enable secondary region for instances deploying in multiple regions" + }, + "defaultValue": "no" } }, "variables": { "networkGroupIdAll": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', 'avnm-ng-all')]", "networkGroupIdRegion1": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-{0}', parameters('location')))]", - "networkGroupIdRegion2": "[if(empty(parameters('locationSecondary')), '', resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-{0}', parameters('locationSecondary'))))]" + "networkGroupIdRegion2": "[if(equals(parameters('enableSecondaryRegion'), 'no'), '', resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-{0}', parameters('locationSecondary'))))]" }, "resources": [ { @@ -140,7 +147,7 @@ ] }, { - "condition": "[not(empty(parameters('locationSecondary')))]", + "condition": "[equals(parameters('enableSecondaryRegion'), 'yes')]", "type": "Microsoft.Authorization/policyDefinitions", "apiVersion": "2023-04-01", "name": "[uniqueString(variables('networkGroupIdRegion2'))]", @@ -167,7 +174,7 @@ } }, { - "condition": "[not(empty(parameters('locationSecondary')))]", + "condition": "[equals(parameters('enableSecondaryRegion'), 'yes')]", "type": "Microsoft.Authorization/policyAssignments", "apiVersion": "2023-04-01", "name": "[uniqueString(variables('networkGroupIdRegion2'))]", 
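Review bot: `networkGroupIdRegion2` is emptied on `equals(parameters('enableSecondaryRegion'), 'no')` while the region-2 policy definition and assignment in the following two hunks deploy on `equals(..., 'yes')`, so the two predicates disagree for any value other than exactly those two, and the new parameter has no `allowedValues` to rule such values out. Add `"allowedValues": ["yes", "no"]` to the parameter and drive the variable from the same test: `"networkGroupIdRegion2": "[if(equals(parameters('enableSecondaryRegion'), 'yes'), resourceId(...), '')]"`. This file also no longer checks `locationSecondary` for emptiness, so a `'yes'` deployment with an empty secondary location feeds a network group ID ending in `avnm-ng-` into the `addToNetworkGroup` policy; the `locationSecondary` declaration is outside the hunk.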
@@ -221,6 +228,9 @@ }, "connectivitySubscriptionId": { "value": "[parameters('connectivitySubscriptionId')]" + }, + "enableSecondaryRegion": { + "value": "[parameters('enableSecondaryRegion')]" } }, "template": { @@ -238,11 +248,14 @@ }, "connectivitySubscriptionId": { "type": "string" + }, + "enableSecondaryRegion": { + "type": "string" } }, "variables": { "networkGroupId1": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-corp-{0}', parameters('location')))]", - "networkGroupId2": "[if(empty(parameters('locationSecondary')), '', resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-corp-{0}', parameters('locationSecondary'))))]" + "networkGroupId2": "[if(equals(parameters('enableSecondaryRegion'), 'no'), '', resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-corp-{0}', parameters('locationSecondary'))))]" }, "resources": [ { @@ -295,7 +308,7 @@ ] }, { - "condition": "[not(empty(parameters('locationSecondary')))]", + "condition": "[equals(parameters('enableSecondaryRegion'), 'yes')]", "type": "Microsoft.Authorization/policyDefinitions", "apiVersion": "2023-04-01", "name": "[format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('locationSecondary'))]", @@ -321,7 +334,7 @@ } }, { - "condition": "[not(empty(parameters('locationSecondary')))]", + "condition": "[equals(parameters('enableSecondaryRegion'), 'yes')]", "type": "Microsoft.Authorization/policyAssignments", "apiVersion": "2023-04-01", "name": "[uniqueString(format('ALZAvnmPolicyAssignment{0}2', parameters('mgmtGroup')))]", 
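Review bot: The `enableSecondaryRegion` plumbing added to the `policyCorp` nested template — outer value, inner parameter declaration, `networkGroupId2` variable and two conditions — is repeated verbatim for the online, identity, management, connectivity, sandboxes and decommissioned templates further down, with only the `avnm-ng-<group>-` prefix and the `mgmtGroup` suffix differing. Seven hand-maintained copies are the real risk here: a condition fixed in one copy and missed in another leaves one landing zone's VNets out of their network group and therefore outside the security admin rules. A single nested template deployed in a `copy` loop over an array of management-group suffixes would make this a one-place change. Failing that, `networkGroupId2` should use the same `'yes'` test as the resource conditions it feeds, i.e. `"[if(equals(parameters('enableSecondaryRegion'), 'yes'), resourceId(...), '')]"`.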
@@ -361,18 +374,21 @@ }, "mode": "Incremental", "parameters": { - "location": { - "value": "[parameters('location')]" - }, - "locationSecondary": { - "value": "[parameters('locationSecondary')]" - }, - "mgmtGroup": { - "value": "[format('{0}-online', parameters('topLevelManagementGroupPrefix'))]" - }, - "connectivitySubscriptionId": { - "value": "[parameters('connectivitySubscriptionId')]" - } + "location": { + "value": "[parameters('location')]" + }, + "locationSecondary": { + "value": "[parameters('locationSecondary')]" + }, + "mgmtGroup": { + "value": "[format('{0}-online', parameters('topLevelManagementGroupPrefix'))]" + }, + "connectivitySubscriptionId": { + "value": "[parameters('connectivitySubscriptionId')]" + }, + "enableSecondaryRegion": { + "value": "[parameters('enableSecondaryRegion')]" + } }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", @@ -389,11 +405,14 @@ }, "connectivitySubscriptionId": { "type": "string" + }, + "enableSecondaryRegion": { + "type": "string" } }, "variables": { "networkGroupId1": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-online-{0}', parameters('location')))]", - "networkGroupId2": "[if(empty(parameters('locationSecondary')), '', resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-online-{0}', parameters('locationSecondary'))))]" + "networkGroupId2": "[if(equals(parameters('enableSecondaryRegion'), 'no'), '', resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-online-{0}', parameters('locationSecondary'))))]" }, "resources": [ { 
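Review bot: `@@ -361,18 +374,21 @@` re-indents the whole `parameters` block of the `policyOnline` nested deployment while adding `enableSecondaryRegion`, so the diff shows twelve changed lines for a three-line functional addition; the connectivity and sandboxes deployments later in this file get the same treatment, including a whitespace-only change to `"scope": "inner"`. Keep the original indentation, or move the re-indent into a separate whitespace-only commit, so reviewers and `git blame` can see that only the `"enableSecondaryRegion": { "value": "[parameters('enableSecondaryRegion')]" }` block is new.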
@@ -446,7 +465,7 @@ ] }, { - "condition": "[not(empty(parameters('locationSecondary')))]", + "condition": "[equals(parameters('enableSecondaryRegion'), 'yes')]", "type": "Microsoft.Authorization/policyDefinitions", "apiVersion": "2023-04-01", "name": "[format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('locationSecondary'))]", @@ -472,7 +491,7 @@ } }, { - "condition": "[not(empty(parameters('locationSecondary')))]", + "condition": "[equals(parameters('enableSecondaryRegion'), 'yes')]", "type": "Microsoft.Authorization/policyAssignments", "apiVersion": "2023-04-01", "name": "[uniqueString(format('ALZAvnmPolicyAssignment{0}2', parameters('mgmtGroup')))]", @@ -523,6 +542,9 @@ }, "connectivitySubscriptionId": { "value": "[parameters('connectivitySubscriptionId')]" + }, + "enableSecondaryRegion": { + "value": "[parameters('enableSecondaryRegion')]" } }, "template": { @@ -540,11 +562,14 @@ }, "connectivitySubscriptionId": { "type": "string" + }, + "enableSecondaryRegion": { + "type": "string" } }, "variables": { "networkGroupId1": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-identity-{0}', parameters('location')))]", - "networkGroupId2": "[if(empty(parameters('locationSecondary')), '', resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-identity-{0}', parameters('locationSecondary'))))]" + "networkGroupId2": "[if(equals(parameters('enableSecondaryRegion'), 'no'), '', resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-identity-{0}', parameters('locationSecondary'))))]" }, "resources": [ { 
@@ -597,7 +622,7 @@ ] }, { - "condition": "[not(empty(parameters('locationSecondary')))]", + "condition": "[equals(parameters('enableSecondaryRegion'), 'yes')]", "type": "Microsoft.Authorization/policyDefinitions", "apiVersion": "2023-04-01", "name": "[format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('locationSecondary'))]", @@ -623,7 +648,7 @@ } }, { - "condition": "[not(empty(parameters('locationSecondary')))]", + "condition": "[equals(parameters('enableSecondaryRegion'), 'yes')]", "type": "Microsoft.Authorization/policyAssignments", "apiVersion": "2023-04-01", "name": "[uniqueString(format('ALZAvnmPolicyAssignment{0}2', parameters('mgmtGroup')))]", @@ -674,6 +699,9 @@ }, "connectivitySubscriptionId": { "value": "[parameters('connectivitySubscriptionId')]" + }, + "enableSecondaryRegion": { + "value": "[parameters('enableSecondaryRegion')]" } }, "template": { @@ -691,11 +719,14 @@ }, "connectivitySubscriptionId": { "type": "string" + }, + "enableSecondaryRegion": { + "type": "string" } }, "variables": { "networkGroupId1": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-management-{0}', parameters('location')))]", - "networkGroupId2": "[if(empty(parameters('locationSecondary')), '', resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-management-{0}', parameters('locationSecondary'))))]" + "networkGroupId2": "[if(equals(parameters('enableSecondaryRegion'), 'no'), '', resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-management-{0}', parameters('locationSecondary'))))]" }, "resources": [ { 
@@ -748,7 +779,7 @@ ] }, { - "condition": "[not(empty(parameters('locationSecondary')))]", + "condition": "[equals(parameters('enableSecondaryRegion'), 'yes')]", "type": "Microsoft.Authorization/policyDefinitions", "apiVersion": "2023-04-01", "name": "[format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('locationSecondary'))]", @@ -774,7 +805,7 @@ } }, { - "condition": "[not(empty(parameters('locationSecondary')))]", + "condition": "[equals(parameters('enableSecondaryRegion'), 'yes')]", "type": "Microsoft.Authorization/policyAssignments", "apiVersion": "2023-04-01", "name": "[uniqueString(format('ALZAvnmPolicyAssignment{0}2', parameters('mgmtGroup')))]", @@ -810,22 +841,25 @@ "location": "[deployment().location]", "properties": { "expressionEvaluationOptions": { - "scope": "inner" + "scope": "inner" }, "mode": "Incremental", "parameters": { - "location": { - "value": "[parameters('location')]" - }, - "locationSecondary": { - "value": "[parameters('locationSecondary')]" - }, - "mgmtGroup": { - "value": "[format('{0}-connectivity', parameters('topLevelManagementGroupPrefix'))]" - }, - "connectivitySubscriptionId": { - "value": "[parameters('connectivitySubscriptionId')]" - } + "location": { + "value": "[parameters('location')]" + }, + "locationSecondary": { + "value": "[parameters('locationSecondary')]" + }, + "mgmtGroup": { + "value": "[format('{0}-connectivity', parameters('topLevelManagementGroupPrefix'))]" + }, + "connectivitySubscriptionId": { + "value": "[parameters('connectivitySubscriptionId')]" + }, + "enableSecondaryRegion": { + "value": "[parameters('enableSecondaryRegion')]" + } }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", 
@@ -842,11 +876,14 @@ }, "connectivitySubscriptionId": { "type": "string" + }, + "enableSecondaryRegion": { + "type": "string" } }, "variables": { "networkGroupId1": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-connectivity-{0}', parameters('location')))]", - "networkGroupId2": "[if(empty(parameters('locationSecondary')), '', resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-connectivity-{0}', parameters('locationSecondary'))))]" + "networkGroupId2": "[if(equals(parameters('enableSecondaryRegion'), 'no'), '', resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-connectivity-{0}', parameters('locationSecondary'))))]" }, "resources": [ { @@ -899,7 +936,7 @@ ] }, { - "condition": "[not(empty(parameters('locationSecondary')))]", + "condition": "[equals(parameters('enableSecondaryRegion'), 'yes')]", "type": "Microsoft.Authorization/policyDefinitions", "apiVersion": "2023-04-01", "name": "[format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('locationSecondary'))]", @@ -925,7 +962,7 @@ } }, { - "condition": "[not(empty(parameters('locationSecondary')))]", + "condition": "[equals(parameters('enableSecondaryRegion'), 'yes')]", "type": "Microsoft.Authorization/policyAssignments", "apiVersion": "2023-04-01", "name": "[uniqueString(format('ALZAvnmPolicyAssignment{0}2', parameters('mgmtGroup')))]", 
@@ -961,22 +998,25 @@ "location": "[deployment().location]", "properties": { "expressionEvaluationOptions": { - "scope": "inner" + "scope": "inner" }, "mode": "Incremental", "parameters": { - "location": { - "value": "[parameters('location')]" - }, - "locationSecondary": { - "value": "[parameters('locationSecondary')]" - }, - "mgmtGroup": { - "value": "[format('{0}-sandboxes', parameters('topLevelManagementGroupPrefix'))]" - }, - "connectivitySubscriptionId": { - "value": "[parameters('connectivitySubscriptionId')]" - } + "location": { + "value": "[parameters('location')]" + }, + "locationSecondary": { + "value": "[parameters('locationSecondary')]" + }, + "mgmtGroup": { + "value": "[format('{0}-sandboxes', parameters('topLevelManagementGroupPrefix'))]" + }, + "connectivitySubscriptionId": { + "value": "[parameters('connectivitySubscriptionId')]" + }, + "enableSecondaryRegion": { + "value": "[parameters('enableSecondaryRegion')]" + } }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", @@ -993,11 +1033,14 @@ }, "connectivitySubscriptionId": { "type": "string" + }, + "enableSecondaryRegion": { + "type": "string" } }, "variables": { "networkGroupId1": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-sandbox-{0}', parameters('location')))]", - "networkGroupId2": "[if(empty(parameters('locationSecondary')), '', resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-sandbox-{0}', parameters('locationSecondary'))))]" + "networkGroupId2": "[if(equals(parameters('enableSecondaryRegion'), 'no'), '', resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-sandbox-{0}', parameters('locationSecondary'))))]" }, "resources": [ { 
@@ -1050,7 +1093,7 @@ ] }, { - "condition": "[not(empty(parameters('locationSecondary')))]", + "condition": "[equals(parameters('enableSecondaryRegion'), 'yes')]", "type": "Microsoft.Authorization/policyDefinitions", "apiVersion": "2023-04-01", "name": "[format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('locationSecondary'))]", @@ -1076,7 +1119,7 @@ } }, { - "condition": "[not(empty(parameters('locationSecondary')))]", + "condition": "[equals(parameters('enableSecondaryRegion'), 'yes')]", "type": "Microsoft.Authorization/policyAssignments", "apiVersion": "2023-04-01", "name": "[uniqueString(format('ALZAvnmPolicyAssignment{0}2', parameters('mgmtGroup')))]", @@ -1127,6 +1170,9 @@ }, "connectivitySubscriptionId": { "value": "[parameters('connectivitySubscriptionId')]" + }, + "enableSecondaryRegion": { + "value": "[parameters('enableSecondaryRegion')]" } }, "template": { @@ -1144,11 +1190,14 @@ }, "connectivitySubscriptionId": { "type": "string" + }, + "enableSecondaryRegion": { + "type": "string" } }, "variables": { "networkGroupId1": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-decommissioned-{0}', parameters('location')))]", - "networkGroupId2": "[if(empty(parameters('locationSecondary')), '', resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-decommissioned-{0}', parameters('locationSecondary'))))]" + "networkGroupId2": "[if(equals(parameters('enableSecondaryRegion'), 'no'), '', resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-decommissioned-{0}', parameters('locationSecondary'))))]" }, "resources": [ { 
@@ -1201,7 +1250,7 @@ ] }, { - "condition": "[not(empty(parameters('locationSecondary')))]", + "condition": "[equals(parameters('enableSecondaryRegion'), 'yes')]", "type": "Microsoft.Authorization/policyDefinitions", "apiVersion": "2023-04-01", "name": "[format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('locationSecondary'))]", @@ -1227,7 +1276,7 @@ } }, { - "condition": "[not(empty(parameters('locationSecondary')))]", + "condition": "[equals(parameters('enableSecondaryRegion'), 'yes')]", "type": "Microsoft.Authorization/policyAssignments", "apiVersion": "2023-04-01", "name": "[uniqueString(format('ALZAvnmPolicyAssignment{0}2', parameters('mgmtGroup')))]", diff --git a/eslzArm/subscriptionTemplates/avnmPolicySingle.json b/eslzArm/subscriptionTemplates/avnmPolicySingle.json deleted file mode 100644 index e3317e8e2c..0000000000 --- a/eslzArm/subscriptionTemplates/avnmPolicySingle.json +++ /dev/null 
@@ -1,785 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "topLevelManagementGroupPrefix": { - "type": "string", - "maxLength": 10, - "metadata": { - "description": "Provide a prefix (max 10 characters, unique at tenant-scope) for the Management Group hierarchy and other resources created as part of Enterprise-scale." - } - }, - "location": { - "type": "string", - "metadata": { - "displayName": "location", - "description": "Primary region for all resources." - }, - "defaultValue": "[deployment().location]" - }, - "connectivitySubscriptionId": { - "type": "string", - "metadata": { - "description": "Provide the subscriptionId you will place into the management group" - } - } - }, - "variables": { - "networkGroupIdAll": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', 'avnm-ng-all')]", - "networkGroupIdRegion1": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-{0}', parameters('location')))]" - }, - "resources": [ - { - "type": "Microsoft.Authorization/policyDefinitions", - "apiVersion": "2023-04-01", - "name": "[uniqueString(variables('networkGroupIdAll'))]", - "properties": { - "description": "AVNM intermediate root group membership Policy", - "displayName": "AVNM intermediate root group membership Policy", - "mode": "Microsoft.Network.Data", - "policyRule": { - "if": { - "allOf": [ - { - "field": "type", - "equals": "Microsoft.Network/virtualNetworks" - } - ] - }, - "then": { - "effect": "addToNetworkGroup", - "details": { - "networkGroupId": "[variables('networkGroupIdAll')]" - } - } - } - } - }, - { - "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2023-04-01", - "name": "[uniqueString(variables('networkGroupIdAll'))]", - "location": 
"[parameters('location')]", - "identity": { - "type": "SystemAssigned" - }, - "properties": { - "description": "AVNM intermediate root group membership Policy", - "displayName": "AVNM intermediate root group membership Policy", - "enforcementMode": "Default", - "policyDefinitionId": "[managementGroupResourceId('Microsoft.Authorization/policyDefinitions', uniqueString(variables('networkGroupIdAll')))]" - }, - "dependsOn": [ - "[format('Microsoft.Authorization/policyDefinitions/{0}', uniqueString(variables('networkGroupIdAll')))]" - ] - }, - { - "type": "Microsoft.Authorization/policyDefinitions", - "apiVersion": "2023-04-01", - "name": "[uniqueString(variables('networkGroupIdRegion1'))]", - "properties": { - "description": "AVNM intermediate root group membership Policy", - "displayName": "AVNM intermediate root group membership Policy", - "mode": "Microsoft.Network.Data", - "policyRule": { - "if": { - "allOf": [ - { - "field": "type", - "equals": "Microsoft.Network/virtualNetworks" - } - ] - }, - "then": { - "effect": "addToNetworkGroup", - "details": { - "networkGroupId": "[variables('networkGroupIdRegion1')]" - } - } - } - } - }, - { - "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2023-04-01", - "name": "[uniqueString(variables('networkGroupIdRegion1'))]", - "location": "[parameters('location')]", - "identity": { - "type": "SystemAssigned" - }, - "properties": { - "description": "AVNM intermediate root group membership Policy", - "displayName": "AVNM intermediate root group membership Policy", - "enforcementMode": "Default", - "resourceSelectors": [ - { - "name": "regionalResource", - "selectors": [ - { - "kind": "ResourceLocation", - "in": [ - "[parameters('location')]" - ] - } - ] - } - ], - "policyDefinitionId": "[managementGroupResourceId('Microsoft.Authorization/policyDefinitions', uniqueString(variables('networkGroupIdRegion1')))]" - }, - "dependsOn": [ - "[format('Microsoft.Authorization/policyDefinitions/{0}', 
uniqueString(variables('networkGroupIdRegion1')))]" - ] - }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "policyCorp", - "scope": "[format('Microsoft.Management/managementGroups/{0}', format('{0}-corp', parameters('topLevelManagementGroupPrefix')))]", - "location": "[deployment().location]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "location": { - "value": "[parameters('location')]" - }, - "mgmtGroup": { - "value": "[format('{0}-corp', parameters('topLevelManagementGroupPrefix'))]" - }, - "connectivitySubscriptionId": { - "value": "[parameters('connectivitySubscriptionId')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "location": { - "type": "string" - }, - "mgmtGroup": { - "type": "string" - }, - "connectivitySubscriptionId": { - "type": "string" - } - }, - "variables": { - "networkGroupId1": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-corp-{0}', parameters('location')))]" - }, - "resources": [ - { - "type": "Microsoft.Authorization/policyDefinitions", - "apiVersion": "2023-04-01", - "name": "[format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location'))]", - "properties": { - "policyType": "Custom", - "mode": "Microsoft.Network.Data", - "policyRule": { - "if": { - "allOf": [ - { - "field": "type", - "equals": "Microsoft.Network/virtualNetworks" - } - ] - }, - "then": { - "effect": "addToNetworkGroup", - "details": { - "networkGroupId": "[variables('networkGroupId1')]" - } - } - } - } - }, - { - "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2023-04-01", - "name": "[uniqueString(format('ALZAvnmPolicyAssignment{0}1', parameters('mgmtGroup')))]", - "properties": { 
- "policyDefinitionId": "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location')))]", - "resourceSelectors": [ - { - "name": "regionalResource", - "selectors": [ - { - "kind": "ResourceLocation", - "in": [ - "[parameters('location')]" - ] - } - ] - } - ] - }, - "dependsOn": [ - "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location')))]" - ] - } - ] - } - } - }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "policyOnline", - "scope": "[format('Microsoft.Management/managementGroups/{0}', format('{0}-online', parameters('topLevelManagementGroupPrefix')))]", - "location": "[deployment().location]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "location": { - "value": "[parameters('location')]" - }, - "mgmtGroup": { - "value": "[format('{0}-online', parameters('topLevelManagementGroupPrefix'))]" - }, - "connectivitySubscriptionId": { - "value": "[parameters('connectivitySubscriptionId')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "location": { - "type": "string" - }, - "mgmtGroup": { - "type": "string" - }, - "connectivitySubscriptionId": { - "type": "string" - } - }, - "variables": { - "networkGroupId1": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-online-{0}', parameters('location')))]" - }, - "resources": [ - { - "type": "Microsoft.Authorization/policyDefinitions", - "apiVersion": "2023-04-01", - "name": "[format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location'))]", - 
"properties": {
- "policyType": "Custom",
- "mode": "Microsoft.Network.Data",
- "policyRule": {
- "if": {
- "allOf": [
- {
- "field": "type",
- "equals": "Microsoft.Network/virtualNetworks"
- }
- ]
- },
- "then": {
- "effect": "addToNetworkGroup",
- "details": {
- "networkGroupId": "[variables('networkGroupId1')]"
- }
- }
- }
- }
- },
- {
- "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2023-04-01",
- "name": "[uniqueString(format('ALZAvnmPolicyAssignment{0}1', parameters('mgmtGroup')))]",
- "properties": {
- "policyDefinitionId": "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location')))]",
- "resourceSelectors": [
- {
- "name": "regionalResource",
- "selectors": [
- {
- "kind": "ResourceLocation",
- "in": [
- "[parameters('location')]"
- ]
- }
- ]
- }
- ]
- },
- "dependsOn": [
- "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location')))]"
- ]
- }
- ]
- }
- }
- },
- {
- "type": "Microsoft.Resources/deployments",
- "apiVersion": "2022-09-01",
- "name": "policyIdentity",
- "scope": "[format('Microsoft.Management/managementGroups/{0}', format('{0}-identity', parameters('topLevelManagementGroupPrefix')))]",
- "location": "[deployment().location]",
- "properties": {
- "expressionEvaluationOptions": {
- "scope": "inner"
- },
- "mode": "Incremental",
- "parameters": {
- "location": {
- "value": "[parameters('location')]"
- },
- "mgmtGroup": {
- "value": "[format('{0}-identity', parameters('topLevelManagementGroupPrefix'))]"
- },
- "connectivitySubscriptionId": {
- "value": "[parameters('connectivitySubscriptionId')]"
- }
- },
- "template": {
- "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- "location": {
- "type": "string"
- },
- "mgmtGroup": {
- "type": "string"
- },
- "connectivitySubscriptionId": {
- "type": "string"
- }
- },
- "variables": {
- "networkGroupId1": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-identity-{0}', parameters('location')))]"
- },
- "resources": [
- {
- "type": "Microsoft.Authorization/policyDefinitions",
- "apiVersion": "2023-04-01",
- "name": "[format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location'))]",
- "properties": {
- "policyType": "Custom",
- "mode": "Microsoft.Network.Data",
- "policyRule": {
- "if": {
- "allOf": [
- {
- "field": "type",
- "equals": "Microsoft.Network/virtualNetworks"
- }
- ]
- },
- "then": {
- "effect": "addToNetworkGroup",
- "details": {
- "networkGroupId": "[variables('networkGroupId1')]"
- }
- }
- }
- }
- },
- {
- "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2023-04-01",
- "name": "[uniqueString(format('ALZAvnmPolicyAssignment{0}1', parameters('mgmtGroup')))]",
- "properties": {
- "policyDefinitionId": "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location')))]",
- "resourceSelectors": [
- {
- "name": "regionalResource",
- "selectors": [
- {
- "kind": "ResourceLocation",
- "in": [
- "[parameters('location')]"
- ]
- }
- ]
- }
- ]
- },
- "dependsOn": [
- "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location')))]"
- ]
- }
- ]
- }
- }
- },
- {
- "type": "Microsoft.Resources/deployments",
- "apiVersion": "2022-09-01",
- "name": "policyManagement",
- "scope": "[format('Microsoft.Management/managementGroups/{0}', format('{0}-management', parameters('topLevelManagementGroupPrefix')))]",
- "location": "[deployment().location]",
- "properties": {
- "expressionEvaluationOptions": {
- "scope": "inner"
- },
- "mode": "Incremental",
- "parameters": {
- "location": {
- "value": "[parameters('location')]"
- },
- "mgmtGroup": {
- "value": "[format('{0}-management', parameters('topLevelManagementGroupPrefix'))]"
- },
- "connectivitySubscriptionId": {
- "value": "[parameters('connectivitySubscriptionId')]"
- }
- },
- "template": {
- "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- "location": {
- "type": "string"
- },
- "mgmtGroup": {
- "type": "string"
- },
- "connectivitySubscriptionId": {
- "type": "string"
- }
- },
- "variables": {
- "networkGroupId1": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-management-{0}', parameters('location')))]"
- },
- "resources": [
- {
- "type": "Microsoft.Authorization/policyDefinitions",
- "apiVersion": "2023-04-01",
- "name": "[format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location'))]",
- "properties": {
- "policyType": "Custom",
- "mode": "Microsoft.Network.Data",
- "policyRule": {
- "if": {
- "allOf": [
- {
- "field": "type",
- "equals": "Microsoft.Network/virtualNetworks"
- }
- ]
- },
- "then": {
- "effect": "addToNetworkGroup",
- "details": {
- "networkGroupId": "[variables('networkGroupId1')]"
- }
- }
- }
- }
- },
- {
- "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2023-04-01",
- "name": "[uniqueString(format('ALZAvnmPolicyAssignment{0}1', parameters('mgmtGroup')))]",
- "properties": {
- "policyDefinitionId": "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location')))]",
- "resourceSelectors": [
- {
- "name": "regionalResource",
- "selectors": [
- {
- "kind": "ResourceLocation",
- "in": [
- "[parameters('location')]"
- ]
- }
- ]
- }
- ]
- },
- "dependsOn": [
- "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location')))]"
- ]
- }
- ]
- }
- }
- },
- {
- "type": "Microsoft.Resources/deployments",
- "apiVersion": "2022-09-01",
- "name": "policyConnectivity",
- "scope": "[format('Microsoft.Management/managementGroups/{0}', format('{0}-connectivity', parameters('topLevelManagementGroupPrefix')))]",
- "location": "[deployment().location]",
- "properties": {
- "expressionEvaluationOptions": {
- "scope": "inner"
- },
- "mode": "Incremental",
- "parameters": {
- "location": {
- "value": "[parameters('location')]"
- },
- "mgmtGroup": {
- "value": "[format('{0}-connectivity', parameters('topLevelManagementGroupPrefix'))]"
- },
- "connectivitySubscriptionId": {
- "value": "[parameters('connectivitySubscriptionId')]"
- }
- },
- "template": {
- "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- "location": {
- "type": "string"
- },
- "mgmtGroup": {
- "type": "string"
- },
- "connectivitySubscriptionId": {
- "type": "string"
- }
- },
- "variables": {
- "networkGroupId1": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-connectivity-{0}', parameters('location')))]"
- },
- "resources": [
- {
- "type": "Microsoft.Authorization/policyDefinitions",
- "apiVersion": "2023-04-01",
- "name": "[format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location'))]",
- "properties": {
- "policyType": "Custom",
- "mode": "Microsoft.Network.Data",
- "policyRule": {
- "if": {
- "allOf": [
- {
- "field": "type",
- "equals": "Microsoft.Network/virtualNetworks"
- }
- ]
- },
- "then": {
- "effect": "addToNetworkGroup",
- "details": {
- "networkGroupId": "[variables('networkGroupId1')]"
- }
- }
- }
- }
- },
- {
- "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2023-04-01",
- "name": "[uniqueString(format('ALZAvnmPolicyAssignment{0}1', parameters('mgmtGroup')))]",
- "properties": {
- "policyDefinitionId": "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location')))]",
- "resourceSelectors": [
- {
- "name": "regionalResource",
- "selectors": [
- {
- "kind": "ResourceLocation",
- "in": [
- "[parameters('location')]"
- ]
- }
- ]
- }
- ]
- },
- "dependsOn": [
- "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location')))]"
- ]
- }
- ]
- }
- }
- },
- {
- "type": "Microsoft.Resources/deployments",
- "apiVersion": "2022-09-01",
- "name": "policySandbox",
- "scope": "[format('Microsoft.Management/managementGroups/{0}', format('{0}-sandboxes', parameters('topLevelManagementGroupPrefix')))]",
- "location": "[deployment().location]",
- "properties": {
- "expressionEvaluationOptions": {
- "scope": "inner"
- },
- "mode": "Incremental",
- "parameters": {
- "location": {
- "value": "[parameters('location')]"
- },
- "mgmtGroup": {
- "value": "[format('{0}-sandboxes', parameters('topLevelManagementGroupPrefix'))]"
- },
- "connectivitySubscriptionId": {
- "value": "[parameters('connectivitySubscriptionId')]"
- }
- },
- "template": {
- "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- "location": {
- "type": "string"
- },
- "mgmtGroup": {
- "type": "string"
- },
- "connectivitySubscriptionId": {
- "type": "string"
- }
- },
- "variables": {
- "networkGroupId1": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-sandbox-{0}', parameters('location')))]"
- },
- "resources": [
- {
- "type": "Microsoft.Authorization/policyDefinitions",
- "apiVersion": "2023-04-01",
- "name": "[format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location'))]",
- "properties": {
- "policyType": "Custom",
- "mode": "Microsoft.Network.Data",
- "policyRule": {
- "if": {
- "allOf": [
- {
- "field": "type",
- "equals": "Microsoft.Network/virtualNetworks"
- }
- ]
- },
- "then": {
- "effect": "addToNetworkGroup",
- "details": {
- "networkGroupId": "[variables('networkGroupId1')]"
- }
- }
- }
- }
- },
- {
- "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2023-04-01",
- "name": "[uniqueString(format('ALZAvnmPolicyAssignment{0}1', parameters('mgmtGroup')))]",
- "properties": {
- "policyDefinitionId": "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location')))]",
- "resourceSelectors": [
- {
- "name": "regionalResource",
- "selectors": [
- {
- "kind": "ResourceLocation",
- "in": [
- "[parameters('location')]"
- ]
- }
- ]
- }
- ]
- },
- "dependsOn": [
- "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location')))]"
- ]
- }
- ]
- }
- }
- },
- {
- "type": "Microsoft.Resources/deployments",
- "apiVersion": "2022-09-01",
- "name": "policyDecommissioned",
- "scope": "[format('Microsoft.Management/managementGroups/{0}', format('{0}-decommissioned', parameters('topLevelManagementGroupPrefix')))]",
- "location": "[deployment().location]",
- "properties": {
- "expressionEvaluationOptions": {
- "scope": "inner"
- },
- "mode": "Incremental",
- "parameters": {
- "location": {
- "value": "[parameters('location')]"
- },
- "mgmtGroup": {
- "value": "[format('{0}-decommissioned', parameters('topLevelManagementGroupPrefix'))]"
- },
- "connectivitySubscriptionId": {
- "value": "[parameters('connectivitySubscriptionId')]"
- }
- },
- "template": {
- "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- "location": {
- "type": "string"
- },
- "mgmtGroup": {
- "type": "string"
- },
- "connectivitySubscriptionId": {
- "type": "string"
- }
- },
- "variables": {
- "networkGroupId1": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-decommissioned-{0}', parameters('location')))]"
- },
- "resources": [
- {
- "type": "Microsoft.Authorization/policyDefinitions",
- "apiVersion": "2023-04-01",
- "name": "[format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location'))]",
- "properties": {
- "policyType": "Custom",
- "mode": "Microsoft.Network.Data",
- "policyRule": {
- "if": {
- "allOf": [
- {
- "field": "type",
- "equals": "Microsoft.Network/virtualNetworks"
- }
- ]
- },
- "then": {
- "effect": "addToNetworkGroup",
- "details": {
- "networkGroupId": "[variables('networkGroupId1')]"
- }
- }
- }
- }
- },
- {
- "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2023-04-01",
- "name": "[uniqueString(format('ALZAvnmPolicyAssignment{0}1', parameters('mgmtGroup')))]",
- "properties": {
- "policyDefinitionId": "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location')))]",
- "resourceSelectors": [
- {
- "name": "regionalResource",
- "selectors": [
- {
- "kind": "ResourceLocation",
- "in": [
- "[parameters('location')]"
- ]
- }
- ]
- }
- ]
- },
- "dependsOn": [
- "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location')))]"
- ]
- }
- ]
- }
- }
- }
- ]
-}
\ No newline at end of file
From e1cba7f7ea86f0cfed69daa00618cd99702fdcef Mon Sep 17 00:00:00 2001
From: Sacha Narinx
Date: Mon, 6 Jan 2025 14:09:59 +0400
Subject: [PATCH 219/226] .
---
 .../avnmConfiguration.json | 20 +++++-----
 eslzArm/subscriptionTemplates/avnmPolicy.json | 38 +++++++++----------
 2 files changed, 29 insertions(+), 29 deletions(-)
diff --git a/eslzArm/subscriptionTemplates/avnmConfiguration.json b/eslzArm/subscriptionTemplates/avnmConfiguration.json
index 929ed95847..702e13a2ed 100644
--- a/eslzArm/subscriptionTemplates/avnmConfiguration.json
+++ b/eslzArm/subscriptionTemplates/avnmConfiguration.json
@@ -148,7 +148,7 @@
 ]
 },
 {
- "condition": "[equals(parameters('enableSecondaryRegion'), 'yes')]",
+ "condition": "[equals(parameters('enableSecondaryRegion'), 'Yes')]",
 "type": "Microsoft.Network/networkManagers/networkGroups",
 "apiVersion": "2024-03-01",
 "name": "[format('{0}/{1}', 'avnm', format('avnm-ng-{0}', parameters('locationSecondary')))]",
@@ -173,7 +173,7 @@
 ]
 },
 {
- "condition": "[equals(parameters('enableSecondaryRegion'), 'yes')]",
+ "condition": "[equals(parameters('enableSecondaryRegion'), 'Yes')]",
 "type": "Microsoft.Network/networkManagers/networkGroups",
 "apiVersion": "2024-03-01",
 "name": "[format('{0}/{1}', 'avnm', format('avnm-ng-corp-{0}', parameters('locationSecondary')))]",
@@ -198,7 +198,7 @@
 ]
 },
 {
- "condition": "[equals(parameters('enableSecondaryRegion'), 'yes')]",
+ "condition": "[equals(parameters('enableSecondaryRegion'), 'Yes')]",
 "type": "Microsoft.Network/networkManagers/networkGroups",
 "apiVersion": "2024-03-01",
 "name": "[format('{0}/{1}', 'avnm', format('avnm-ng-online-{0}', parameters('locationSecondary')))]",
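Review bot: Changing these conditions from `'yes'` to `'Yes'` makes the deployment depend on exact casing, because ARM's `equals()` compares strings case-sensitively; a caller still passing the lowercase value the template accepted until now does not get an error, it silently skips every secondary-region resource. Where `enableSecondaryRegion` is declared (outside these hunks) it should carry `"allowedValues": [ "Yes", "No" ]` so a mismatched value is rejected at validation time, or the checks should normalise with `equals(toLower(parameters('enableSecondaryRegion')), 'yes')`. The same point applies to the remaining hunks of this patch in avnmConfiguration.json and avnmPolicy.json, to the `networkGroupId2` / `networkGroupIdRegion2` variables changed in PATCH 221, and to the two `rc-ALZ` rule collections in PATCH 220 whose conditions become exactly `'Yes'` and `'No'` — with any third value neither collection is deployed.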
@@ -223,7 +223,7 @@
 ]
 },
 {
- "condition": "[equals(parameters('enableSecondaryRegion'), 'yes')]",
+ "condition": "[equals(parameters('enableSecondaryRegion'), 'Yes')]",
 "type": "Microsoft.Network/networkManagers/networkGroups",
 "apiVersion": "2024-03-01",
 "name": "[format('{0}/{1}', 'avnm', format('avnm-ng-identity-{0}', parameters('locationSecondary')))]",
@@ -248,7 +248,7 @@
 ]
 },
 {
- "condition": "[equals(parameters('enableSecondaryRegion'), 'yes')]",
+ "condition": "[equals(parameters('enableSecondaryRegion'), 'Yes')]",
 "type": "Microsoft.Network/networkManagers/networkGroups",
 "apiVersion": "2024-03-01",
 "name": "[format('{0}/{1}', 'avnm', format('avnm-ng-management-{0}', parameters('locationSecondary')))]",
@@ -273,7 +273,7 @@
 ]
 },
 {
- "condition": "[equals(parameters('enableSecondaryRegion'), 'yes')]",
+ "condition": "[equals(parameters('enableSecondaryRegion'), 'Yes')]",
 "type": "Microsoft.Network/networkManagers/networkGroups",
 "apiVersion": "2024-03-01",
 "name": "[format('{0}/{1}', 'avnm', format('avnm-ng-connectivity-{0}', parameters('locationSecondary')))]",
@@ -298,7 +298,7 @@
 ]
 },
 {
- "condition": "[equals(parameters('enableSecondaryRegion'), 'yes')]",
+ "condition": "[equals(parameters('enableSecondaryRegion'), 'Yes')]",
 "type": "Microsoft.Network/networkManagers/networkGroups",
 "apiVersion": "2024-03-01",
 "name": "[format('{0}/{1}', 'avnm', format('avnm-ng-sandbox-{0}', parameters('locationSecondary')))]",
@@ -323,7 +323,7 @@
 ]
 },
 {
- "condition": "[equals(parameters('enableSecondaryRegion'), 'yes')]",
+ "condition": "[equals(parameters('enableSecondaryRegion'), 'Yes')]",
 "type": "Microsoft.Network/networkManagers/networkGroups",
 "apiVersion": "2024-03-01",
 "name": "[format('{0}/{1}', 'avnm', format('avnm-ng-decommissioned-{0}', parameters('locationSecondary')))]",
@@ -347,7 +347,7 @@
 }
 },
 {
- "condition": "[equals(parameters('enableSecondaryRegion'), 'yes')]",
+ "condition": "[equals(parameters('enableSecondaryRegion'), 'Yes')]",
 "type": "Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections",
 "apiVersion": "2024-03-01",
 "name": "[format('{0}/{1}/{2}', 'avnm', 'sac-alz', 'rc-ALZ')]",
@@ -373,7 +373,7 @@
 }
 },
 {
- "condition": "[not(equals(parameters('enableSecondaryRegion'), 'no'))]",
+ "condition": "[not(equals(parameters('enableSecondaryRegion'), 'No'))]",
 "type": "Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections",
 "apiVersion": "2024-03-01",
 "name": "[format('{0}/{1}/{2}', 'avnm', 'sac-alz', 'rc-ALZ')]",
diff --git a/eslzArm/subscriptionTemplates/avnmPolicy.json b/eslzArm/subscriptionTemplates/avnmPolicy.json
index a8fabf506d..7dbefad90d 100644
--- a/eslzArm/subscriptionTemplates/avnmPolicy.json
+++ b/eslzArm/subscriptionTemplates/avnmPolicy.json
@@ -147,7 +147,7 @@
 ]
 },
 {
- "condition": "[equals(parameters('enableSecondaryRegion'), 'yes')]",
+ "condition": "[equals(parameters('enableSecondaryRegion'), 'Yes')]",
 "type": "Microsoft.Authorization/policyDefinitions",
 "apiVersion": "2023-04-01",
 "name": "[uniqueString(variables('networkGroupIdRegion2'))]",
@@ -174,7 +174,7 @@
 }
 },
 {
- "condition": "[equals(parameters('enableSecondaryRegion'), 'yes')]",
+ "condition": "[equals(parameters('enableSecondaryRegion'), 'Yes')]",
 "type": "Microsoft.Authorization/policyAssignments",
 "apiVersion": "2023-04-01",
 "name": "[uniqueString(variables('networkGroupIdRegion2'))]",
@@ -308,7 +308,7 @@
 ]
 },
 {
- "condition": "[equals(parameters('enableSecondaryRegion'), 'yes')]",
+ "condition": "[equals(parameters('enableSecondaryRegion'), 'Yes')]",
 "type": "Microsoft.Authorization/policyDefinitions",
 "apiVersion": "2023-04-01",
 "name": "[format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('locationSecondary'))]",
@@ -334,7 +334,7 @@
 }
 },
 {
- "condition": "[equals(parameters('enableSecondaryRegion'), 'yes')]",
+ "condition": "[equals(parameters('enableSecondaryRegion'), 'Yes')]",
 "type": "Microsoft.Authorization/policyAssignments",
 "apiVersion": "2023-04-01",
 "name": "[uniqueString(format('ALZAvnmPolicyAssignment{0}2', parameters('mgmtGroup')))]",
@@ -465,7 +465,7 @@
 ]
 },
 {
- "condition": "[equals(parameters('enableSecondaryRegion'), 'yes')]",
+ "condition": "[equals(parameters('enableSecondaryRegion'), 'Yes')]",
 "type": "Microsoft.Authorization/policyDefinitions",
 "apiVersion": "2023-04-01",
 "name": "[format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('locationSecondary'))]",
@@ -491,7 +491,7 @@
 }
 },
 {
- "condition": "[equals(parameters('enableSecondaryRegion'), 'yes')]",
+ "condition": "[equals(parameters('enableSecondaryRegion'), 'Yes')]",
 "type": "Microsoft.Authorization/policyAssignments",
 "apiVersion": "2023-04-01",
 "name": "[uniqueString(format('ALZAvnmPolicyAssignment{0}2', parameters('mgmtGroup')))]",
@@ -622,7 +622,7 @@
 ]
 },
 {
- "condition": "[equals(parameters('enableSecondaryRegion'), 'yes')]",
+ "condition": "[equals(parameters('enableSecondaryRegion'), 'Yes')]",
 "type": "Microsoft.Authorization/policyDefinitions",
 "apiVersion": "2023-04-01",
 "name": "[format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('locationSecondary'))]",
@@ -648,7 +648,7 @@
 }
 },
 {
- "condition": "[equals(parameters('enableSecondaryRegion'), 'yes')]",
+ "condition": "[equals(parameters('enableSecondaryRegion'), 'Yes')]",
 "type": "Microsoft.Authorization/policyAssignments",
 "apiVersion": "2023-04-01",
 "name": "[uniqueString(format('ALZAvnmPolicyAssignment{0}2', parameters('mgmtGroup')))]",
@@ -779,7 +779,7 @@
 ]
 },
 {
- "condition": "[equals(parameters('enableSecondaryRegion'), 'yes')]",
+ "condition": "[equals(parameters('enableSecondaryRegion'), 'Yes')]",
 "type": "Microsoft.Authorization/policyDefinitions",
 "apiVersion": "2023-04-01",
 "name": "[format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('locationSecondary'))]",
@@ -805,7 +805,7 @@
 }
 },
 {
- "condition": "[equals(parameters('enableSecondaryRegion'), 'yes')]",
+ "condition": "[equals(parameters('enableSecondaryRegion'), 'Yes')]",
 "type": "Microsoft.Authorization/policyAssignments",
 "apiVersion": "2023-04-01",
 "name": "[uniqueString(format('ALZAvnmPolicyAssignment{0}2', parameters('mgmtGroup')))]",
@@ -883,7 +883,7 @@
 },
 "variables": {
 "networkGroupId1": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-connectivity-{0}', parameters('location')))]",
- "networkGroupId2": "[if(equals(parameters('enableSecondaryRegion'), 'no'), '', resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-connectivity-{0}', parameters('locationSecondary'))))]"
+ "networkGroupId2": "[if(equals(parameters('enableSecondaryRegion'), 'No'), '', resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-connectivity-{0}', parameters('locationSecondary'))))]"
 },
 "resources": [
 {
@@ -936,7 +936,7 @@
 ]
 },
 {
- "condition": "[equals(parameters('enableSecondaryRegion'), 'yes')]",
+ "condition": "[equals(parameters('enableSecondaryRegion'), 'Yes')]",
 "type": "Microsoft.Authorization/policyDefinitions",
 "apiVersion": "2023-04-01",
 "name": "[format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('locationSecondary'))]",
@@ -962,7 +962,7 @@
 }
 },
 {
- "condition": "[equals(parameters('enableSecondaryRegion'), 'yes')]",
+ "condition": "[equals(parameters('enableSecondaryRegion'), 'Yes')]",
 "type": "Microsoft.Authorization/policyAssignments",
 "apiVersion": "2023-04-01",
 "name": "[uniqueString(format('ALZAvnmPolicyAssignment{0}2', parameters('mgmtGroup')))]",
@@ -1040,7 +1040,7 @@
 },
 "variables": {
 "networkGroupId1": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-sandbox-{0}', parameters('location')))]",
- "networkGroupId2": "[if(equals(parameters('enableSecondaryRegion'), 'no'), '', resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-sandbox-{0}', parameters('locationSecondary'))))]"
+ "networkGroupId2": "[if(equals(parameters('enableSecondaryRegion'), 'No'), '', resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-sandbox-{0}', parameters('locationSecondary'))))]"
 },
 "resources": [
 {
@@ -1093,7 +1093,7 @@
 ]
 },
 {
- "condition": "[equals(parameters('enableSecondaryRegion'), 'yes')]",
+ "condition": "[equals(parameters('enableSecondaryRegion'), 'Yes')]",
 "type": "Microsoft.Authorization/policyDefinitions",
 "apiVersion": "2023-04-01",
 "name": "[format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('locationSecondary'))]",
@@ -1119,7 +1119,7 @@
 }
 },
 {
- "condition": "[equals(parameters('enableSecondaryRegion'), 'yes')]",
+ "condition": "[equals(parameters('enableSecondaryRegion'), 'Yes')]",
 "type": "Microsoft.Authorization/policyAssignments",
 "apiVersion": "2023-04-01",
 "name": "[uniqueString(format('ALZAvnmPolicyAssignment{0}2', parameters('mgmtGroup')))]",
@@ -1197,7 +1197,7 @@
 },
 "variables": {
 "networkGroupId1": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-decommissioned-{0}', parameters('location')))]",
- "networkGroupId2": "[if(equals(parameters('enableSecondaryRegion'), 'no'), '', resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-decommissioned-{0}', parameters('locationSecondary'))))]"
+ "networkGroupId2": "[if(equals(parameters('enableSecondaryRegion'), 'No'), '', resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-decommissioned-{0}', parameters('locationSecondary'))))]"
 },
 "resources": [
 {
@@ -1250,7 +1250,7 @@
 ]
 },
 {
- "condition": "[equals(parameters('enableSecondaryRegion'), 'yes')]",
+ "condition": "[equals(parameters('enableSecondaryRegion'), 'Yes')]",
 "type": "Microsoft.Authorization/policyDefinitions",
 "apiVersion": "2023-04-01",
 "name": "[format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('locationSecondary'))]",
@@ -1276,7 +1276,7 @@
 }
 },
 {
- "condition": "[equals(parameters('enableSecondaryRegion'), 'yes')]",
+ "condition": "[equals(parameters('enableSecondaryRegion'), 'Yes')]",
 "type": "Microsoft.Authorization/policyAssignments",
 "apiVersion": "2023-04-01",
 "name": "[uniqueString(format('ALZAvnmPolicyAssignment{0}2', parameters('mgmtGroup')))]",
From f7f0c22fc4343ccca572986fabb8641c0bbc9354 Mon Sep 17 00:00:00 2001
From: Sacha Narinx
Date: Mon, 6 Jan 2025 14:36:14 +0400
Subject: [PATCH 220/226] .
---
 eslzArm/eslzArm.json | 2 +-
 eslzArm/subscriptionTemplates/avnmConfiguration.json | 2 +-
 eslzArm/subscriptionTemplates/avnmPolicy.json | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json
index ab3a1d4147..e158ae00ba 100644
--- a/eslzArm/eslzArm.json
+++ b/eslzArm/eslzArm.json
@@ -5240,7 +5240,7 @@
 }
 },
 {
- // Deploying AVNM policy - multi-region
+ // Deploying AVNM policy - to add virtual networks to AVNM network groups
 "condition": "[and(parameters('deployAVNM'), or(equals(parameters('enableHub'), 'vhub'), equals(parameters('enableHub'), 'nva')), not(empty(parameters('connectivitySubscriptionId'))))]",
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2019-10-01",
diff --git a/eslzArm/subscriptionTemplates/avnmConfiguration.json b/eslzArm/subscriptionTemplates/avnmConfiguration.json
index 702e13a2ed..827c161b29 100644
--- a/eslzArm/subscriptionTemplates/avnmConfiguration.json
+++ b/eslzArm/subscriptionTemplates/avnmConfiguration.json
@@ -373,7 +373,7 @@
 }
 },
 {
- "condition": "[not(equals(parameters('enableSecondaryRegion'), 'No'))]",
+ "condition": "[equals(parameters('enableSecondaryRegion'), 'No')]",
 "type": "Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections",
 "apiVersion": "2024-03-01",
 "name": "[format('{0}/{1}/{2}', 'avnm', 'sac-alz', 'rc-ALZ')]",
diff --git a/eslzArm/subscriptionTemplates/avnmPolicy.json b/eslzArm/subscriptionTemplates/avnmPolicy.json
index 7dbefad90d..a1475f9e10 100644
--- a/eslzArm/subscriptionTemplates/avnmPolicy.json
+++ b/eslzArm/subscriptionTemplates/avnmPolicy.json
@@ -36,7 +36,7 @@
 "metadata": {
 "description": "Enable secondary region for instances deploying in multiple regions"
 },
- "defaultValue": "no"
+ "defaultValue": "No"
 }
 },
 "variables": {
From f019cf8295464612e69812a5b1bd3e5d48dfcd30 Mon Sep 17 00:00:00 2001
From: Sacha Narinx
Date: Mon, 6 Jan 2025 14:54:53 +0400
Subject: [PATCH 221/226] .
---
 eslzArm/subscriptionTemplates/avnmPolicy.json | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/eslzArm/subscriptionTemplates/avnmPolicy.json b/eslzArm/subscriptionTemplates/avnmPolicy.json
index a1475f9e10..597d30b18f 100644
--- a/eslzArm/subscriptionTemplates/avnmPolicy.json
+++ b/eslzArm/subscriptionTemplates/avnmPolicy.json
@@ -42,7 +42,7 @@
 "variables": {
 "networkGroupIdAll": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', 'avnm-ng-all')]",
 "networkGroupIdRegion1": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-{0}', parameters('location')))]",
- "networkGroupIdRegion2": "[if(equals(parameters('enableSecondaryRegion'), 'no'), '', resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-{0}', parameters('locationSecondary'))))]"
+ "networkGroupIdRegion2": "[if(equals(parameters('enableSecondaryRegion'), 'No'), '', resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-{0}', parameters('locationSecondary'))))]"
 },
 "resources": [
 {
@@ -255,7 +255,7 @@
 },
 "variables": {
 "networkGroupId1": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-corp-{0}', parameters('location')))]",
- "networkGroupId2": "[if(equals(parameters('enableSecondaryRegion'), 'no'), '', resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-corp-{0}', parameters('locationSecondary'))))]"
+ "networkGroupId2": "[if(equals(parameters('enableSecondaryRegion'), 'No'), '', resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-corp-{0}', parameters('locationSecondary'))))]"
 },
 "resources": [
 {
@@ -412,7 +412,7 @@
 },
 "variables": {
 "networkGroupId1": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-online-{0}', parameters('location')))]",
- "networkGroupId2": "[if(equals(parameters('enableSecondaryRegion'), 'no'), '', resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-online-{0}', parameters('locationSecondary'))))]"
+ "networkGroupId2": "[if(equals(parameters('enableSecondaryRegion'), 'No'), '', resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-online-{0}', parameters('locationSecondary'))))]"
 },
 "resources": [
 {
@@ -569,7 +569,7 @@
 },
 "variables": {
 "networkGroupId1": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-identity-{0}', parameters('location')))]",
- "networkGroupId2": "[if(equals(parameters('enableSecondaryRegion'), 'no'), '', resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-identity-{0}', parameters('locationSecondary'))))]"
+ "networkGroupId2": "[if(equals(parameters('enableSecondaryRegion'), 'No'), '', resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-identity-{0}', parameters('locationSecondary'))))]"
 },
 "resources": [
 {
@@ -726,7 +726,7 @@
 },
 "variables": {
 "networkGroupId1": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-management-{0}', parameters('location')))]",
- "networkGroupId2": "[if(equals(parameters('enableSecondaryRegion'), 'no'), '', resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-management-{0}', parameters('locationSecondary'))))]"
+ "networkGroupId2": "[if(equals(parameters('enableSecondaryRegion'), 'No'), '', resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-management-{0}', parameters('locationSecondary'))))]"
 },
 "resources": [
 {
From fc830d6f162fe8711a2a4fea35cf9fdd63e92e87 Mon Sep 17 00:00:00 2001
From: Sacha Narinx
Date: Mon, 6 Jan 2025 15:29:35 +0400
Subject: [PATCH 222/226] .
---
 eslzArm/prerequisites/deployPrerequisites.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/eslzArm/prerequisites/deployPrerequisites.json b/eslzArm/prerequisites/deployPrerequisites.json
index 5b397b93a9..46febcc7f4 100644
--- a/eslzArm/prerequisites/deployPrerequisites.json
+++ b/eslzArm/prerequisites/deployPrerequisites.json
@@ -255,7 +255,7 @@
 }
 
 #Sleep for XX minutes to wait for Management Groups to load to cache before assignments
- Start-Sleep -Duration (New-TimeSpan -Minutes 10)
+ Start-Sleep -Duration (New-TimeSpan -Minutes 15)
 
 #$result = \"\"
 #$count = 0
From c88c96a22ba5047c472db60a3db4ce897acaeae6 Mon Sep 17 00:00:00 2001
From: Sacha Narinx
Date: Thu, 9 Jan 2025 14:56:11 +0400
Subject: [PATCH 223/226] Cleanup
---
 .../avnmPolicy.parameters.json | 18 ------------------
 1 file changed, 18 deletions(-)
 delete mode 100644 eslzArm/subscriptionTemplates/avnmPolicy.parameters.json
diff --git a/eslzArm/subscriptionTemplates/avnmPolicy.parameters.json b/eslzArm/subscriptionTemplates/avnmPolicy.parameters.json
deleted file mode 100644
index 848d217fa1..0000000000
--- a/eslzArm/subscriptionTemplates/avnmPolicy.parameters.json
+++ /dev/null
@@ -1,18 +0,0 @@
-{
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- "topLevelManagementGroupPrefix": {
- "value": "ALZ1"
- },
- "location": {
- "value": "swedencentral"
- },
- "locationSecondary": {
- "value": "uksouth"
- },
- "connectivitySubscriptionId": {
- "value": "4d635c54-e5db-4c3e-8bb3-e58cf8907241"
- }
- }
-}
\ No newline at end of file
From e7b4404f0c7b4dec6f772a7d2b9032100741012e Mon Sep 17 00:00:00 2001
From: Sacha Narinx
Date: Thu, 9 Jan 2025 17:59:13 +0400
Subject: [PATCH 224/226] Cleanup and addressing feedback
---
 eslzArm/eslzArm.json | 6 +-
 .../prerequisites/deployPrerequisites.json | 34 +-----
 .../avnmConfiguration.json | 115 ++++++++++--------
 3 files changed, 68 insertions(+), 87 deletions(-)
diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json
index e158ae00ba..bf41ea57fb 100644
--- a/eslzArm/eslzArm.json
+++ b/eslzArm/eslzArm.json
@@ -382,11 +382,7 @@
 },
 "deployAVNM": {
 "type": "bool",
- "defaultValue": false,
- "allowedValues": [
- true,
- false
- ]
+ "defaultValue": false
 },
 "enableDdoS": {
 "type": "string",
diff --git a/eslzArm/prerequisites/deployPrerequisites.json b/eslzArm/prerequisites/deployPrerequisites.json
index 46febcc7f4..c31c80a53f 100644
--- a/eslzArm/prerequisites/deployPrerequisites.json
+++ b/eslzArm/prerequisites/deployPrerequisites.json
@@ -11,7 +11,6 @@
 },
 "location": {
 "type": "string",
- "minLength": 6,
 "metadata": {
 "description": "The location of this AVNM instance. All resources will be deployed to this region."
 }
@@ -59,9 +58,6 @@ "location": { "type": "string" }, - "managementSubscriptionId": { - "type": "string" - }, "resourceGroupName": { "type": "string" } @@ -89,12 +85,6 @@ "parameters": { "location": { "value": "[parameters('location')]" - }, - "managementSubscriptionId": { - "value": "[parameters('managementSubscriptionId')]" - }, - "resourceGroupName": { - "value": "[parameters('resourceGroupName')]" } }, "template": { @@ -103,12 +93,6 @@ "parameters": { "location": { "type": "string" - }, - "managementSubscriptionId": { - "type": "string" - }, - "resourceGroupName": { - "type": "string" } }, "variables": {}, @@ -194,9 +178,6 @@ }, "managementSubscriptionId": { "value": "[parameters('managementSubscriptionId')]" - }, - "resourceGroupName": { - "value": "[parameters('resourceGroupName')]" } }, "template": { @@ -211,9 +192,6 @@ }, "managementSubscriptionId": { "type": "string" - }, - "resourceGroupName": { - "type": "string" } }, "resources": [ @@ -254,18 +232,8 @@ Get-AzResourceProvider -ProviderNamespace $rps | where {$_.RegistrationState -ne \"Registered\"} | Register-AzResourceProvider } - #Sleep for XX minutes to wait for Management Groups to load to cache before assignments + #Sleep for 15 minutes to wait for Management Groups to load to cache before policy assignments Start-Sleep -Duration (New-TimeSpan -Minutes 15) - - #$result = \"\" - #$count = 0 - - #do { - # $result = Invoke-AzRestMethod -Method POST -Uri \"https://management.azure.com/providers/Microsoft.Management/managementGroups/$eslzRootName/providers/Microsoft.Network/register?api-version=2021-04-01\" - # $count++ - # Start-Sleep -Seconds 30 - # Write-Host 'MG RP Register - Status Code: ' $result.StatusCode ' Count: ' $count - #} while ($result.StatusCode -ne 200 -and $count -lt 10) " }, "metadata": { diff --git a/eslzArm/subscriptionTemplates/avnmConfiguration.json b/eslzArm/subscriptionTemplates/avnmConfiguration.json index 827c161b29..52b110c333 100644 
--- a/eslzArm/subscriptionTemplates/avnmConfiguration.json +++ b/eslzArm/subscriptionTemplates/avnmConfiguration.json @@ -145,7 +145,10 @@ }, "dependsOn": [ "[resourceId('Microsoft.Network/networkManagers', 'avnm')]" - ] + ], + "metadata": { + "description": "This is the dynamic network group for all ALZ VNETs in the primary region." + } }, { "condition": "[equals(parameters('enableSecondaryRegion'), 'Yes')]", @@ -158,7 +161,10 @@ }, "dependsOn": [ "[resourceId('Microsoft.Network/networkManagers', 'avnm')]" - ] + ], + "metadata": { + "description": "This is the dynamic network group for all ALZ VNETs in the secondary region, if selected." + } }, { "type": "Microsoft.Network/networkManagers/networkGroups", @@ -170,7 +176,10 @@ }, "dependsOn": [ "[resourceId('Microsoft.Network/networkManagers', 'avnm')]" - ] + ], + "metadata": { + "description": "This is the dynamic network group for all ALZ CORP VNETs in the primary region." + } }, { "condition": "[equals(parameters('enableSecondaryRegion'), 'Yes')]", @@ -183,7 +192,10 @@ }, "dependsOn": [ "[resourceId('Microsoft.Network/networkManagers', 'avnm')]" - ] + ], + "metadata": { + "description": "This is the dynamic network group for all ALZ CORP VNETs in the secondary region, if selected." + } }, { "type": "Microsoft.Network/networkManagers/networkGroups", @@ -195,7 +207,10 @@ }, "dependsOn": [ "[resourceId('Microsoft.Network/networkManagers', 'avnm')]" - ] + ], + "metadata": { + "description": "This is the dynamic network group for all ALZ ONLINE VNETs in the primary region." + } }, { "condition": "[equals(parameters('enableSecondaryRegion'), 'Yes')]", @@ -208,7 +223,10 @@ }, "dependsOn": [ "[resourceId('Microsoft.Network/networkManagers', 'avnm')]" - ] + ], + "metadata": { + "description": "This is the dynamic network group for all ALZ ONLINE VNETs in the secondary region, if selected." + } }, { "type": "Microsoft.Network/networkManagers/networkGroups", 
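Review bot: Every added `metadata.description` asserts that the resource is a "dynamic network group", but the membership setting that decides static versus dynamic lives in the resource's `properties`, above each hunk; when this file was introduced it exposed a `networkGroupMembershipType` parameter defaulting to `static`, and if that parameter still exists the descriptions are wrong for the default case and should either follow it or stay neutral, e.g. `This is the network group for all ALZ VNETs in the primary region.`. The same applies to every hunk of this file section through `@@ -333,7 +378,10 @@`. I could not confirm that a resource-level `metadata` object is part of the documented ARM resource syntax (the `comments` property is); it is worth checking in a test deployment that the engine accepts rather than rejects it. Each resource object begins above its hunk.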
@@ -220,7 +238,10 @@ }, "dependsOn": [ "[resourceId('Microsoft.Network/networkManagers', 'avnm')]" - ] + ], + "metadata": { + "description": "This is the dynamic network group for all ALZ IDENTITY VNETs in the primary region." + } }, { "condition": "[equals(parameters('enableSecondaryRegion'), 'Yes')]", @@ -233,7 +254,10 @@ }, "dependsOn": [ "[resourceId('Microsoft.Network/networkManagers', 'avnm')]" - ] + ], + "metadata": { + "description": "This is the dynamic network group for all ALZ IDENTITY VNETs in the secondary region, if selected." + } }, { "type": "Microsoft.Network/networkManagers/networkGroups", @@ -245,7 +269,10 @@ }, "dependsOn": [ "[resourceId('Microsoft.Network/networkManagers', 'avnm')]" - ] + ], + "metadata": { + "description": "This is the dynamic network group for all ALZ MANAGEMENT VNETs in the primary region." + } }, { "condition": "[equals(parameters('enableSecondaryRegion'), 'Yes')]", @@ -258,7 +285,10 @@ }, "dependsOn": [ "[resourceId('Microsoft.Network/networkManagers', 'avnm')]" - ] + ], + "metadata": { + "description": "This is the dynamic network group for all ALZ MANAGEMENT VNETs in the secondary region, if selected." + } }, { "type": "Microsoft.Network/networkManagers/networkGroups", @@ -270,7 +300,10 @@ }, "dependsOn": [ "[resourceId('Microsoft.Network/networkManagers', 'avnm')]" - ] + ], + "metadata": { + "description": "This is the dynamic network group for all ALZ CONNECTIVITY VNETs in the primary region." + } }, { "condition": "[equals(parameters('enableSecondaryRegion'), 'Yes')]", @@ -283,7 +316,10 @@ }, "dependsOn": [ "[resourceId('Microsoft.Network/networkManagers', 'avnm')]" - ] + ], + "metadata": { + "description": "This is the dynamic network group for all ALZ CONNECTIVITY VNETs in the secondary region, if selected." + } }, { "type": "Microsoft.Network/networkManagers/networkGroups", 
@@ -295,7 +331,10 @@ }, "dependsOn": [ "[resourceId('Microsoft.Network/networkManagers', 'avnm')]" - ] + ], + "metadata": { + "description": "This is the dynamic network group for all ALZ SANDBOX VNETs in the primary region." + } }, { "condition": "[equals(parameters('enableSecondaryRegion'), 'Yes')]", @@ -308,7 +347,10 @@ }, "dependsOn": [ "[resourceId('Microsoft.Network/networkManagers', 'avnm')]" - ] + ], + "metadata": { + "description": "This is the dynamic network group for all ALZ SANDBOX VNETs in the secondary region, if selected." + } }, { "type": "Microsoft.Network/networkManagers/networkGroups", @@ -320,7 +362,10 @@ }, "dependsOn": [ "[resourceId('Microsoft.Network/networkManagers', 'avnm')]" - ] + ], + "metadata": { + "description": "This is the dynamic network group for all ALZ DECOMMISSIONED VNETs in the primary region." + } }, { "condition": "[equals(parameters('enableSecondaryRegion'), 'Yes')]", @@ -333,7 +378,10 @@ }, "dependsOn": [ "[resourceId('Microsoft.Network/networkManagers', 'avnm')]" - ] + ], + "metadata": { + "description": "This is the dynamic network group for all ALZ DECOMMISSIONED VNETs in the secondary region, if selected." + } }, { "type": "Microsoft.Network/networkManagers/securityAdminConfigurations", 
@@ -353,44 +401,13 @@ "name": "[format('{0}/{1}/{2}', 'avnm', 'sac-alz', 'rc-ALZ')]", "dependsOn": [ "[resourceId('Microsoft.Network/networkManagers/securityAdminConfigurations', 'avnm', 'sac-alz')]", - "[resourceId('Microsoft.Network/networkManagers/networkGroups', 'avnm', 'avnm-ng-all')]", - "[resourceId('Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-{0}', parameters('location')))]", - "[resourceId('Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-{0}', parameters('locationSecondary')))]" - ], - "properties": { - "appliesToGroups": [ - { - "networkGroupId": "[resourceId('Microsoft.Network/networkManagers/networkGroups', 'avnm', 'avnm-ng-all')]" - }, - { - "networkGroupId": "[resourceId('Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-{0}', parameters('location')))]" - }, - { - "networkGroupId": "[resourceId('Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-{0}', parameters('locationSecondary')))]" - } - - ] - } - }, - { - "condition": "[equals(parameters('enableSecondaryRegion'), 'No')]", - "type": "Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections", - "apiVersion": "2024-03-01", - "name": "[format('{0}/{1}/{2}', 'avnm', 'sac-alz', 'rc-ALZ')]", - "dependsOn": [ - "[resourceId('Microsoft.Network/networkManagers/securityAdminConfigurations', 'avnm', 'sac-alz')]", - "[resourceId('Microsoft.Network/networkManagers/networkGroups', 'avnm', 'avnm-ng-all')]", - "[resourceId('Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-{0}', parameters('location')))]" + "[resourceId('Microsoft.Network/networkManagers/networkGroups', 'avnm', 'avnm-ng-all')]" ], "properties": { "appliesToGroups": [ { "networkGroupId": "[resourceId('Microsoft.Network/networkManagers/networkGroups', 'avnm', 'avnm-ng-all')]" - }, - { - "networkGroupId": "[resourceId('Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-{0}', 
parameters('location')))]" } - ] } }, @@ -403,7 +420,7 @@ ], "kind": "Custom", "properties": { - "description": "Deny VM Management inbound traffic", + "description": "Deny VM Management inbound traffic, similar to the ALZ policy https://www.azadvertizer.net/azpolicyadvertizer/Deny-MgmtPorts-From-Internet.html", "priority": 1000, "sources": [ { From 332d2c94732054c1e1296941f9d2d3f5139d3816 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Thu, 9 Jan 2025 18:13:35 +0400 Subject: [PATCH 225/226] Fix --- eslzArm/prerequisites/deployPrerequisites.json | 3 --- 1 file changed, 3 deletions(-) diff --git a/eslzArm/prerequisites/deployPrerequisites.json b/eslzArm/prerequisites/deployPrerequisites.json index c31c80a53f..2b99f596ef 100644 --- a/eslzArm/prerequisites/deployPrerequisites.json +++ b/eslzArm/prerequisites/deployPrerequisites.json @@ -44,9 +44,6 @@ "location": { "value": "[parameters('location')]" }, - "managementSubscriptionId": { - "value": "[parameters('managementSubscriptionId')]" - }, "resourceGroupName": { "value": "[parameters('resourceGroupName')]" } From 82a6e2f1098cc3f2bb3d3d58e49b89e7279f4c36 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Thu, 9 Jan 2025 19:09:45 +0400 Subject: [PATCH 226/226] Oops --- eslzArm/subscriptionTemplates/avnmConfiguration.json | 1 - 1 file changed, 1 deletion(-) diff --git a/eslzArm/subscriptionTemplates/avnmConfiguration.json b/eslzArm/subscriptionTemplates/avnmConfiguration.json index 52b110c333..ddd431c93a 100644 --- a/eslzArm/subscriptionTemplates/avnmConfiguration.json +++ b/eslzArm/subscriptionTemplates/avnmConfiguration.json @@ -395,7 +395,6 @@ } }, { - "condition": "[equals(parameters('enableSecondaryRegion'), 'Yes')]", "type": "Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections", "apiVersion": "2024-03-01", "name": "[format('{0}/{1}/{2}', 'avnm', 'sac-alz', 'rc-ALZ')]",
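Review bot: After this hunk the `rc-ALZ` rule collection applies only to `avnm-ng-all`, so whether the deny rule defined below it (`Deny VM Management inbound traffic`, hunk `@@ -403,7 +420,7 @@`) reaches a given landing-zone VNet is now decided entirely by that one group's membership, which is defined outside the hunk. If `avnm-ng-all` is static, or its membership query excludes VNets that the dropped `avnm-ng-{location}` groups covered, those VNets silently lose the control with no deployment error; making `avnm-ng-all` explicitly the superset of the archetype groups (and saying so in its description) would make the dependency visible to the next maintainer. The retained `condition` on this collection is the only remaining switch, and PATCH 226 (`@@ -395,7 +395,6 @@`) already drops it, so nothing further is needed there. The resource object begins above the hunk.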