diff --git a/docs/wiki/ALZ-Policies.md b/docs/wiki/ALZ-Policies.md
index 6dab86f38..dcafc1510 100644
--- a/docs/wiki/ALZ-Policies.md
+++ b/docs/wiki/ALZ-Policies.md
@@ -114,7 +114,7 @@ This management group contains all the platform child management groups, like ma
| Assignment Name | Definition Name | Policy Type | Description | Effect(s) |
| -------------------------------------------------------------------------- | -------------------------------------------------------------------------- | --------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------- |
| **Enforce recommended guardrails for Azure Key Vault** | **Enforce recommended guardrails for Azure Key Vault** | `Policy Definition Set`, **Custom** | This policy initiative enforces minimum guardrails for Azure Key Vault:
- Key vaults should have soft delete enabled (Deny)
- Key vaults should have purge protection enabled (Deny)
- Key Vault secrets should have an expiration date (Audit)
- Key Vault keys should have an expiration date (Audit)
- Azure Key Vault should have firewall enabled (Audit)
- Certificates should have the specified lifetime action triggers (Audit)
- Keys should have more than the specified number of days before expiration (Audit < 90 days)
- Secrets should have more than the specified number of days before expiration (Audit < 90 days)
| Audit, Deny |
-| **Enforce enhanced recovery and backup policies** | **Enforce enhanced recovery and backup policies** | `Policy Definition Set`, **Custom** | This policy initiative enforces minimum guardrails for Azure Key Vault: - Immutability must be enabled for backup vaults
- Immutability must be enabled for Recovery Services vaults
- Soft delete should be enabled for Backup Vaults
- Multi-User Authorization (MUA) must be enabled for Backup Vaults
- Multi-User Authorization (MUA) must be enabled for Recovery Services Vaults
| Audit |
+| **Enforce enhanced recovery and backup policies** | **Enforce enhanced recovery and backup policies** | `Policy Definition Set`, **Custom** | This policy initiative enforces minimum guardrails for Recovery Services Vaults: - Immutability must be enabled for backup vaults
- Immutability must be enabled for Recovery Services vaults
- Soft delete should be enabled for Backup Vaults
- Multi-User Authorization (MUA) must be enabled for Backup Vaults
- Multi-User Authorization (MUA) must be enabled for Recovery Services Vaults
| Audit |
| **Enable Azure Monitor for VMs**\* | **Enable Azure Monitor for VMs with Azure Monitoring Agent(AMA)** | `Policy Definition Set`, **Built-in** | This policy initiative installs the Azure Monitoring Agent (AMA) on the virtual machines (VMs) and enables Azure Monitor for them. Azure Monitor collects and analyzes data from the VMs, such as performance metrics, logs, and dependencies. | DeployIfNotExists, Disabled |
| **Enable Azure Monitor for Virtual Machine Scale Sets**\* | **Enable Azure Monitor for VMSS with Azure Monitoring Agent(AMA)** | `Policy Definition Set`, **Built-in** | This policy initiative installs the Azure Monitoring Agent (AMA) on the virtual machines scale sets (VMSS) and enables Azure Monitor for them. Azure Monitor collects and analyzes data from the VMs, such as performance metrics, logs, and dependencies. | DeployIfNotExists, Disabled |
| **Enable Azure Monitor for Hybrid Virtual Machines**\* | **Enable Azure Monitor for Hybrid VMs with AMA** | `Policy Definition Set`, **Built-in** | This policy initiative installs the Azure Monitoring Agent (AMA) on Arc-enabled servers (Hybrid) and enables Azure Monitor for them. Azure Monitor collects and analyzes data from the VMs, such as performance metrics, logs, and dependencies. | DeployIfNotExists, Disabled |
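Review bot: the replacement wording on the `+` row is still narrower than the initiative it describes: the five bullets cover Backup Vaults as well as Recovery Services Vaults, so "minimum guardrails for Recovery Services Vaults" undersells it the same way the old "Azure Key Vault" text misnamed it; "minimum guardrails for Backup and Recovery Services Vaults" would match the bullet list. While the row is being touched, the bullets inside this cell sit on their own physical lines, which breaks the markdown table (the Key Vault row above has the same problem); joining them with `<br>` keeps the row in one line, and the first bullet's "backup vaults" should be capitalised like the other four.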
@@ -235,7 +235,7 @@ The table below provides the specific **Custom** and **Built-in** **policy defin
| ------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------- | ----------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------ |
| **Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit** | **Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit** | `Policy Definition Set`, **Custom** | Description TBC | Audit, AuditIfNotExists, DeployIfNotExists, Deny |
| **Enforce recommended guardrails for Azure Key Vault** | **Enforce recommended guardrails for Azure Key Vault** | `Policy Definition Set`, **Custom** | This policy initiative enforces minimum guardrails for Azure Key Vault: - Key vaults should have soft delete enabled (Deny)
- Key vaults should have purge protection enabled (Deny)
- Key Vault secrets should have an expiration date (Audit)
- Key Vault keys should have an expiration date (Audit)
- Azure Key Vault should have firewall enabled (Audit)
- Certificates should have the specified lifetime action triggers (Audit)
- Keys should have more than the specified number of days before expiration (Audit < 90 days)
- Secrets should have more than the specified number of days before expiration (Audit < 90 days)
| Audit, Deny |
-| **Enforce enhanced recovery and backup policies** | **Enforce enhanced recovery and backup policies** | `Policy Definition Set`, **Custom** | This policy initiative enforces minimum guardrails for Azure Key Vault: - Immutability must be enabled for backup vaults
- Immutability must be enabled for Recovery Services vaults
- Soft delete should be enabled for Backup Vaults
- Multi-User Authorization (MUA) must be enabled for Backup Vaults
- Multi-User Authorization (MUA) must be enabled for Recovery Services Vaults
| Audit |
+| **Enforce enhanced recovery and backup policies** | **Enforce enhanced recovery and backup policies** | `Policy Definition Set`, **Custom** | This policy initiative enforces minimum guardrails for Recovery Services Vaults: - Immutability must be enabled for backup vaults
- Immutability must be enabled for Recovery Services vaults
- Soft delete should be enabled for Backup Vaults
- Multi-User Authorization (MUA) must be enabled for Backup Vaults
- Multi-User Authorization (MUA) must be enabled for Recovery Services Vaults
| Audit |
| **Enforce Azure Compute Security Benchmark compliance auditing** | **Enforce Azure Compute Security Benchmark compliance auditing** | `Policy Definition Set`, **Custom** | This policy initiative enables Azure Compute Security Basline compliance auditing for Windows and Linux virtual machines. | AuditIfNotExists |
| **Management port access from the Internet should be blocked** | **Management port access from the Internet should be blocked** | `Policy Definition`, **Custom** | This policy denies any network security rule that allows management port access from Internet (Default port 22, 3389). | Deny |
| **Subnets should have a Network Security Group** | **Subnets should have a Network Security Group** | `Policy Definition`, **Custom** | This policy denies the creation of a subnet without a Network Security Group. NSG help to protect traffic across subnet-level. | Deny |
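Review bot: this second copy of the row should get the same description as the first table, and it would be worth making the two rows byte-for-byte identical so future drift between the platform and landing-zone tables is easy to spot; the description still names only Recovery Services Vaults although the bullets cover Backup Vaults too, and the bullets are split across physical lines, which breaks the table. Two nearby nits in the unchanged context: "Basline" in the Azure Compute Security Benchmark row is a typo for "Baseline", and the TLS/SSL row still ships with the placeholder "Description TBC".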
diff --git a/docs/wiki/Whats-new.md b/docs/wiki/Whats-new.md
index 09eec818e..20f4c18dd 100644
--- a/docs/wiki/Whats-new.md
+++ b/docs/wiki/Whats-new.md
@@ -52,6 +52,10 @@ Here's what's changed in Enterprise Scale/Azure Landing Zones:
### 🔃 Policy Refresh Q2 FY25
+- [PREVIEW] Added ability to deploy Virtual Network Manager through the portal accelerator with support for Security Admin feature, including default rules blocking high-risk ports [read more](https://learn.microsoft.com/en-us/azure/virtual-network-manager/concept-security-admins).
+ - [Important] To support the configuration of AVNM, we've had to included a deployment script to configure the Microsoft.Network resource provider on the intermediate root management group. This deployment script and required User-Assigned Managed Identity are created in a resource group in the Management subscription. Please remove the user assigned identity in the resource group hosting the AVNM instance.
+ - [Important] Due to performance improvements of ARM, we've also had to change the "wait" process in the portal accelerator (waiting for Management Groups to be registered so we can do policy assignments). We are now using the same deployment script with a "Start-Sleep" PowerShell command which is far more reliable. In the management subscription, you will find a resource group `rg-alz-prereqs` that you should remove (with contents) as the identity has Contributor rights on the Intermediate Management Group.
+ - [Important] A deployment script and User-Assigned Managed Identity is needed in the `rg-alz-avnm` resource group in the Connectivity subscription to register the Security Admin configuration with selected deployment regions. You should delete this identity after deployment.
- *Policy Versioning Support* - all initiatives and assignments have been pinned to the current major version of built-in policies or initiatives deployed by ALZ. This ensures that all ALZ deployments will successfully deploy using the currently validated versions of ALZ built-in policies and initiatives. As these get updated the team will validate changes and impact before incrementing the recommended version.
- Fixed a Portal Accelerator bug that results in failed deployment when choosing not to deploy policies to the Identity management group.
- Updated the display name of the many `Effect` parameters to clearly identify the policy it applies to in the initiative [Enforce recommended guardrails for Azure Key Vault](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-KeyVault.html).
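Review bot: the three [Important] bullets leave privileged identities behind and rely on a manual note to remove them. The `rg-alz-prereqs` identity holds Contributor on the intermediate root management group, and the bullet itself says it only exists to register the Microsoft.Network resource provider; that is a strong standing privilege for a one-off task, so either have the template delete the identity and resource group once the deployment script has run, or scope it to the narrowest role that can register a provider. Please also name the identity and resource group for the AVNM case in the first bullet ("the resource group hosting the AVNM instance" is only clarified two bullets later as `rg-alz-avnm`), and state the `Start-Sleep` duration, since a fixed sleep is still a timing guess rather than a readiness check. Grammar: "we've had to included" should be "we've had to include", and "Due to performance improvements of ARM, we've also had to change the 'wait' process" would read better as "Because ARM now completes the old empty deployments too quickly to act as a delay, the 'wait' process has changed".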
diff --git a/eslzArm/eslz-portal.json b/eslzArm/eslz-portal.json
index 1bc6f1ef7..1b8a4c7e9 100644
--- a/eslzArm/eslz-portal.json
+++ b/eslzArm/eslz-portal.json
@@ -1438,6 +1438,13 @@
},
"visible": true
},
+ {
+ "name": "deployAVNM",
+ "type": "Microsoft.Common.CheckBox",
+ "label": "Deploy Azure Virtual Network Manager - PREVIEW",
+ "toolTip": "If selected, Azure Virtual Network Manager will be deployed to manage your virtual networks. Currently, ALZ will only enable Security Admin Rules role by default",
+ "visible": "[or(equals(steps('connectivity').enableHub, 'vhub'), equals(steps('connectivity').enableHub, 'nva'))]"
+ },
{
"name": "esNwNVANote",
"type": "Microsoft.Common.InfoBox",
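Review bot: the `toolTip` on `deployAVNM` does not tell the user that ticking this box creates a deployment script and a User-Assigned Managed Identity in the Connectivity subscription that they are expected to delete afterwards, which is exactly what the What's-new entry in this PR asks them to do; the file already uses `Microsoft.Common.InfoBox` elements (see `esNwNVANote` right below), so an InfoBox shown under the same `visible` condition would surface that. Minor wording: "Security Admin Rules role" is not a role; "Security Admin configuration" matches the wiki text.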
@@ -4511,7 +4518,7 @@
}
]
},
- "visible": "[and(equals(steps('identity').esIdentityConnectivity, 'Yes'), not(equals(steps('connectivity').enableHub,'No')))]"
+ "visible": "[and(not(equals(steps('connectivity').enableHub,'No')), equals(steps('core').deploySecondaryRegion, 'Yes'))]"
},
{
"name": "identityAddressPrefixSecondary",
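Review bot: the new `visible` expression drops the `equals(steps('identity').esIdentityConnectivity, 'Yes')` guard, so the control ahead of `identityAddressPrefixSecondary` now appears whenever a hub and a secondary region are selected, even if the user chose not to connect the identity subscription. If that is intended it belongs in the PR description; if the goal was only to add the secondary-region check, keep all three conditions: `[and(equals(steps('identity').esIdentityConnectivity, 'Yes'), not(equals(steps('connectivity').enableHub,'No')), equals(steps('core').deploySecondaryRegion, 'Yes'))]`.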
@@ -9499,6 +9506,7 @@
"erRegionalOrAz": "[steps('connectivity').erRegionalOrAz]",
"expressRouteScaleUnit": "[steps('connectivity').expressRouteScaleUnit]",
"enableHub": "[steps('connectivity').enableHub]",
+ "deployAVNM": "[steps('connectivity').deployAVNM]",
"enableAzFw": "[steps('connectivity').enableAzFw]",
"enableAzFwDnsProxy": "[if(equals(steps('connectivity').firewallSku, 'Basic'), 'No', steps('connectivity').enableAzFwDnsProxy)]",
"firewallSku": "[steps('connectivity').firewallSku]",
diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json
index 0c3ed6760..bf41ea57f 100644
--- a/eslzArm/eslzArm.json
+++ b/eslzArm/eslzArm.json
@@ -380,6 +380,10 @@
"type": "string",
"defaultValue": "[deployment().location]"
},
+ "deployAVNM": {
+ "type": "bool",
+ "defaultValue": false
+ },
"enableDdoS": {
"type": "string",
"defaultValue": "No",
@@ -1689,6 +1693,9 @@
"roleDefinitions": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/roleDefinitions/customRoleDefinitions.json')]",
"policyDefinitions": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyDefinitions/policies.json')]",
"initiativeDefinitions": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyDefinitions/initiatives.json')]",
+ "preRequisites": "[uri(deployment().properties.templateLink.uri, 'prerequisites/deployPrerequisites.json')]",
+ "avnmConnectivityHub": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/avnmConfiguration.json')]",
+ "avnmPolicy": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/avnmPolicy.json')]",
"vnetConnectivityHub": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/hubspoke-connectivity.json')]",
"vwanConnectivityHub": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/vwan-connectivity.json')]",
"nvaConnectivityHub": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/nvahubspoke-connectivity.json')]",
@@ -1825,6 +1832,8 @@
"atpOssDbPolicyDeploymentName": "[take(concat('alz-AtpOssDb', variables('deploymentSuffix')), 64)]",
"atpSqlDbPolicyDeploymentName": "[take(concat('alz-AtpSqlDb', variables('deploymentSuffix')), 64)]",
"ascGovPolicyDeploymentName": "[take(concat('alz-Gov-ASC', variables('deploymentSuffix')), 64)]",
+ "avnmConnectivityHubDeploymentName": "[take(concat('alz-AVNM', variables('deploymentSuffix')), 64)]",
+ "avnmPolicyDeploymentName": "[take(concat('alz-AVNMPolicy', variables('deploymentSuffix')), 64)]",
"vnetConnectivityHubDeploymentName": "[take(concat('alz-HubSpoke', variables('deploymentSuffix')), 64)]",
"vwanConnectivityHubDeploymentName": "[take(concat('alz-VWanHub', variables('deploymentSuffix')), 64)]",
"vnetConnectivityHub2DeploymentName": "[take(concat('alz-HubSpoke2', variables('deploymentSuffix')), 64)]",
@@ -2222,7 +2231,8 @@
"scope": "[concat('Microsoft.Management/managementGroups/', parameters('enterpriseScaleCompanyPrefix'))]",
"dependsOn": [
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtGroupDeploymentName)]",
- "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').mgmtGroupLiteDeploymentName)]"
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').mgmtGroupLiteDeploymentName)]",
+ "alz-prerequisites"
],
"properties": {
"mode": "Incremental",
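Review bot: `"alz-prerequisites"` is a bare string literal where every neighbouring entry uses `resourceId('Microsoft.Resources/deployments', variables('deploymentNames').X)`, and the same literal is repeated in dozens of `dependsOn` arrays across this file. Add a `prerequisitesDeploymentName` entry to `deploymentNames` (the hunk at line 1832 already adds `avnmConnectivityHubDeploymentName` and `avnmPolicyDeploymentName` there) and reference it everywhere, so a rename cannot silently break the ordering in one place and not another.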
@@ -2327,7 +2337,8 @@
"location": "[deployment().location]",
"scope": "[concat('Microsoft.Management/managementGroups/', parameters('enterpriseScaleCompanyPrefix'))]",
"dependsOn": [
- "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').mgmtGroupLiteDeploymentName)]"
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').mgmtGroupLiteDeploymentName)]",
+ "alz-prerequisites"
],
"properties": {
"mode": "Incremental",
@@ -2418,29 +2429,33 @@
}
},
{
- // One of Azure's untold stories.....
+ // ALZ Pre-Requisites and Azure's Untold Story...
+ "condition": "[not(empty(parameters('managementSubscriptionId')))]",
"type": "Microsoft.Resources/deployments",
- "apiVersion": "2020-10-01",
- "name": "[concat('preparingToLaunch', copyIndex())]",
+ "apiVersion": "2020-06-01",
+ "name": "alz-prerequisites",
+ "scope": "[variables('scopes').eslzRootManagementGroup]",
"location": "[deployment().location]",
- "scope": "[concat('Microsoft.Management/managementGroups/', parameters('enterpriseScaleCompanyPrefix'))]",
"dependsOn": [
- "[variables('deploymentNames').initiativeDeploymentName]"
+ "[variables('deploymentNames').initiativeDeploymentName]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]"
],
- "copy": {
- "batchSize": 1,
- "count": "[parameters('delayCount')]",
- "mode": "Serial",
- "name": "policyCompletion"
- },
"properties": {
"mode": "Incremental",
- "template": {
- "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
+ "templateLink": {
"contentVersion": "1.0.0.0",
- "parameters": {},
- "resources": [],
- "outputs": {}
+ "uri": "[variables('deploymentUris').preRequisites]"
+ },
+ "parameters": {
+ "location": {
+ "value": "[deployment().location]"
+ },
+ "eslzRootName": {
+ "value": "[parameters('enterpriseScaleCompanyPrefix')]"
+ },
+ "managementSubscriptionId": {
+ "value": "[parameters('managementSubscriptionId')]"
+ }
}
}
},
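Review bot: `alz-prerequisites` is now guarded by `"condition": "[not(empty(parameters('managementSubscriptionId')))]"`, and ARM ignores a `dependsOn` entry that points at a resource whose condition evaluated to false, so a deployment without a management subscription no longer waits at all before the policy assignments run; the removed `policyCompletion` loop waited unconditionally. If the management-group registration delay matters on that path, keep a fallback wait or make the prerequisite deployment unconditional. Three smaller points: `parameters('delayCount')` was consumed only by the deleted copy loop, so unless its declaration is removed elsewhere in this PR it becomes a dead parameter that still surfaces in parameter files and the portal mapping; the `apiVersion` moves backwards from `2020-10-01` to `2020-06-01` while the new AVNM deployment later in this PR uses `2020-10-01`, so the downgrade needs a reason or should be reverted; and the comment "ALZ Pre-Requisites and Azure's Untold Story..." would be more useful if it said what the deployment does (runs a deployment script that registers the resource provider and waits for management-group propagation).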
@@ -2528,6 +2543,7 @@
}
}
},
+
/*
The following deployments will optionally configure the governance, security, and monitoring for the Azure platform and landing zones
*/
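Review bot: this hunk is a whitespace-only change (one added blank line before the block comment) and should be dropped to keep the diff focused on the functional change.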
@@ -2541,7 +2557,7 @@
"subscriptionId": "[parameters('managementSubscriptionId')]",
"dependsOn": [
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]",
- "policyCompletion"
+ "alz-prerequisites"
],
"properties": {
"mode": "Incremental",
@@ -2704,7 +2720,7 @@
"location": "[deployment().location]",
"dependsOn": [
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]",
- "policyCompletion"
+ "alz-prerequisites"
],
"properties": {
"mode": "Incremental",
@@ -2809,7 +2825,7 @@
"location": "[deployment().location]",
"dependsOn": [
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]",
- "policyCompletion",
+ "alz-prerequisites",
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').monitoringLiteDeploymentName)]"
],
@@ -2846,7 +2862,7 @@
"[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]",
- "policyCompletion",
+ "alz-prerequisites",
"corpConnectedMoveLzs"
],
"copy": {
@@ -2893,7 +2909,7 @@
"[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]",
- "policyCompletion",
+ "alz-prerequisites",
"corpConnectedMoveLzs"
],
"copy": {
@@ -2940,7 +2956,7 @@
"[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]",
- "policyCompletion",
+ "alz-prerequisites",
"corpConnectedMoveLzs"
],
"copy": {
@@ -2987,7 +3003,7 @@
"[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]",
- "policyCompletion",
+ "alz-prerequisites",
"corpConnectedMoveLzs"
],
"copy": {
@@ -3034,7 +3050,7 @@
"[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]",
- "policyCompletion",
+ "alz-prerequisites",
"corpConnectedMoveLzs"
],
"copy": {
@@ -3081,7 +3097,7 @@
"[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]",
- "policyCompletion",
+ "alz-prerequisites",
"corpConnectedMoveLzs"
],
"copy": {
@@ -3128,7 +3144,7 @@
"[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]",
- "policyCompletion",
+ "alz-prerequisites",
"corpConnectedMoveLzs"
],
"copy": {
@@ -3175,7 +3191,7 @@
"[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]",
- "policyCompletion",
+ "alz-prerequisites",
"corpConnectedMoveLzs"
],
"copy": {
@@ -3222,7 +3238,7 @@
"[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]",
- "policyCompletion",
+ "alz-prerequisites",
"corpConnectedMoveLzs"
],
"copy": {
@@ -3269,7 +3285,7 @@
"[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]",
- "policyCompletion",
+ "alz-prerequisites",
"corpConnectedMoveLzs"
],
"copy": {
@@ -3316,7 +3332,7 @@
"[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]",
- "policyCompletion",
+ "alz-prerequisites",
"corpConnectedMoveLzs"
],
"copy": {
@@ -3363,7 +3379,7 @@
"[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]",
- "policyCompletion",
+ "alz-prerequisites",
"corpConnectedMoveLzs"
],
"copy": {
@@ -3410,7 +3426,7 @@
"[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]",
- "policyCompletion",
+ "alz-prerequisites",
"corpConnectedMoveLzs"
],
"copy": {
@@ -3457,7 +3473,7 @@
"[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]",
- "policyCompletion",
+ "alz-prerequisites",
"corpConnectedMoveLzs"
],
"copy": {
@@ -3504,7 +3520,7 @@
"[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]",
- "policyCompletion",
+ "alz-prerequisites",
"corpConnectedMoveLzs"
],
"copy": {
@@ -3551,7 +3567,7 @@
"[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]",
- "policyCompletion",
+ "alz-prerequisites",
"corpConnectedMoveLzs"
],
"copy": {
@@ -3598,7 +3614,7 @@
"[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]",
- "policyCompletion",
+ "alz-prerequisites",
"corpConnectedMoveLzs"
],
"copy": {
@@ -3645,7 +3661,7 @@
"[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]",
- "policyCompletion",
+ "alz-prerequisites",
"corpConnectedMoveLzs"
],
"copy": {
@@ -3692,7 +3708,7 @@
"[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]",
- "policyCompletion",
+ "alz-prerequisites",
"corpConnectedMoveLzs"
],
"copy": {
@@ -3739,7 +3755,7 @@
"[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]",
- "policyCompletion",
+ "alz-prerequisites",
"corpConnectedMoveLzs"
],
"copy": {
@@ -3789,7 +3805,7 @@
"[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]",
- "policyCompletion",
+ "alz-prerequisites",
"corpConnectedMoveLzs"
],
"copy": {
@@ -3836,7 +3852,7 @@
"[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]",
- "policyCompletion",
+ "alz-prerequisites",
"corpConnectedMoveLzs"
],
"copy": {
@@ -3883,7 +3899,7 @@
"[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]",
- "policyCompletion",
+ "alz-prerequisites",
"corpConnectedMoveLzs"
],
"copy": {
@@ -3930,7 +3946,7 @@
"[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]",
- "policyCompletion",
+ "alz-prerequisites",
"corpConnectedMoveLzs"
],
"copy": {
@@ -3977,7 +3993,7 @@
"[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]",
- "policyCompletion",
+ "alz-prerequisites",
"corpConnectedMoveLzs"
],
"copy": {
@@ -4024,7 +4040,7 @@
"[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]",
- "policyCompletion",
+ "alz-prerequisites",
"corpConnectedMoveLzs"
],
"copy": {
@@ -4071,7 +4087,7 @@
"[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]",
- "policyCompletion",
+ "alz-prerequisites",
"corpConnectedMoveLzs"
],
"copy": {
@@ -4309,7 +4325,7 @@
"scope": "[variables('scopes').eslzRootManagementGroup]",
"location": "[deployment().location]",
"dependsOn": [
- "policyCompletion"
+ "alz-prerequisites"
],
"properties": {
"mode": "Incremental",
@@ -4333,7 +4349,7 @@
"scope": "[variables('scopes').eslzRootManagementGroup]",
"location": "[deployment().location]",
"dependsOn": [
- "policyCompletion"
+ "alz-prerequisites"
],
"properties": {
"mode": "Incremental",
@@ -4357,7 +4373,7 @@
"scope": "[variables('scopes').eslzRootManagementGroup]",
"location": "[deployment().location]",
"dependsOn": [
- "policyCompletion"
+ "alz-prerequisites"
],
"properties": {
"mode": "Incremental",
@@ -4381,7 +4397,7 @@
"scope": "[variables('scopes').eslzRootManagementGroup]",
"location": "[deployment().location]",
"dependsOn": [
- "policyCompletion"
+ "alz-prerequisites"
],
"properties": {
"mode": "Incremental",
@@ -4687,7 +4703,7 @@
"scope": "[variables('scopes').eslzRootManagementGroup]",
"location": "[deployment().location]",
"dependsOn": [
- "policyCompletion"
+ "alz-prerequisites"
],
"properties": {
"mode": "Incremental",
@@ -4757,7 +4773,7 @@
"scope": "[variables('scopes').platformManagementGroup]",
"location": "[deployment().location]",
"dependsOn": [
- "policyCompletion"
+ "alz-prerequisites"
],
"properties": {
"mode": "Incremental",
@@ -4982,7 +4998,8 @@
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').asbPolicyDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]",
- "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosDeploymentName)]"
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHubDeploymentName)]"
],
"location": "[deployment().location]",
"properties": {
@@ -5175,6 +5192,82 @@
}
}
},
+ {
+ // Deploy AVNM
+ "condition": "[and(parameters('deployAVNM'), or(equals(parameters('enableHub'), 'vhub'), equals(parameters('enableHub'), 'nva')), not(empty(parameters('connectivitySubscriptionId'))))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "subscriptionId": "[parameters('connectivitySubscriptionId')]",
+ "name": "[variables('deploymentNames').avnmConnectivityHubDeploymentName]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').connectivitySubscriptionPlacement)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').asbPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosDeploymentName)]",
+ "alz-prerequisites"
+ ],
+ "location": "[deployment().location]",
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').avnmConnectivityHub]"
+ },
+ "parameters": {
+ "location": {
+ "value": "[parameters('connectivityLocation')]"
+ },
+ "locationSecondary": {
+ "value": "[parameters('connectivityLocationSecondary')]"
+ },
+ "managementGroupScope": {
+ "value": "[variables('scopes').eslzRootManagementGroup]"
+ },
+ "connectivitySubscriptionId": {
+ "value": "[parameters('connectivitySubscriptionId')]"
+ },
+ "enableSecondaryRegion": {
+ "value": "[parameters('enableSecondaryRegion')]"
+ }
+ }
+ }
+ },
+ {
+ // Deploying AVNM policy - to add virtual networks to AVNM network groups
+ "condition": "[and(parameters('deployAVNM'), or(equals(parameters('enableHub'), 'vhub'), equals(parameters('enableHub'), 'nva')), not(empty(parameters('connectivitySubscriptionId'))))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "[variables('deploymentNames').avnmPolicyDeploymentName]",
+ "location": "[deployment().location]",
+ "scope": "[variables('scopes').eslzRootManagementGroup]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').avnmConnectivityHubDeploymentName)]"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').avnmPolicy]"
+ },
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "value": "[parameters('enterpriseScaleCompanyPrefix')]"
+ },
+ "connectivitySubscriptionId": {
+ "value": "[parameters('connectivitySubscriptionId')]"
+ },
+ "locationSecondary": {
+ "value": "[parameters('connectivityLocationSecondary')]"
+ },
+ "enableSecondaryRegion": {
+ "value": "[parameters('enableSecondaryRegion')]"
+ }
+ }
+ }
+ },
{
// Creating resource group for Private DNS Zones
"condition": "[and(equals(parameters('enablePrivateDnsZones'), 'Yes'), not(empty(parameters('connectivitySubscriptionId'))))]",
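Review bot: the two new resources use different `apiVersion` values for the same `Microsoft.Resources/deployments` type (`"2020-10-01"` for the AVNM hub deployment, `"2019-10-01"` for the AVNM policy deployment); align them. The gating expression `[and(parameters('deployAVNM'), or(equals(parameters('enableHub'), 'vhub'), equals(parameters('enableHub'), 'nva')), not(empty(parameters('connectivitySubscriptionId'))))]` is duplicated verbatim in both `condition` fields and would be cleaner as a variable. Also note that the policy deployment is passed `locationSecondary` and `enableSecondaryRegion` but not the primary `connectivityLocation`, even though the hub deployment is; check how the policy template resolves the primary-region network group, since the network groups are named per location.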
@@ -5672,7 +5765,7 @@
"[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').mgmtGroupLiteDeploymentName)]",
"dnsZones",
"dnsZonesLite",
- "policyCompletion"
+ "alz-prerequisites"
],
"properties": {
"mode": "Incremental",
@@ -5964,7 +6057,7 @@
"scope": "[variables('scopes').platformManagementGroup]",
"location": "[deployment().location]",
"dependsOn": [
- "policyCompletion"
+ "alz-prerequisites"
],
"properties": {
"mode": "Incremental",
@@ -5997,7 +6090,7 @@
"scope": "[variables('scopes').lzsManagementGroup]",
"location": "[deployment().location]",
"dependsOn": [
- "policyCompletion"
+ "alz-prerequisites"
],
"properties": {
"mode": "Incremental",
@@ -6360,7 +6453,7 @@
"scope": "[variables('scopes').lzsManagementGroup]",
"location": "[deployment().location]",
"dependsOn": [
- "policyCompletion"
+ "alz-prerequisites"
],
"properties": {
"mode": "Incremental",
@@ -6417,7 +6510,7 @@
"scope": "[variables('scopes').lzsManagementGroup]",
"location": "[deployment().location]",
"dependsOn": [
- "policyCompletion"
+ "alz-prerequisites"
],
"properties": {
"mode": "Incremental",
@@ -6441,7 +6534,7 @@
"scope": "[variables('scopes').lzsManagementGroup]",
"location": "[deployment().location]",
"dependsOn": [
- "policyCompletion"
+ "alz-prerequisites"
],
"properties": {
"mode": "Incremental",
@@ -6465,7 +6558,7 @@
"scope": "[variables('scopes').lzsManagementGroup]",
"location": "[deployment().location]",
"dependsOn": [
- "policyCompletion"
+ "alz-prerequisites"
],
"properties": {
"mode": "Incremental",
@@ -6489,7 +6582,7 @@
"scope": "[variables('scopes').lzsManagementGroup]",
"location": "[deployment().location]",
"dependsOn": [
- "policyCompletion"
+ "alz-prerequisites"
],
"properties": {
"mode": "Incremental",
@@ -6516,7 +6609,7 @@
"scope": "[variables('scopes').lzsManagementGroup]",
"location": "[deployment().location]",
"dependsOn": [
- "policyCompletion"
+ "alz-prerequisites"
],
"properties": {
"mode": "Incremental",
@@ -6540,7 +6633,7 @@
"scope": "[variables('scopes').corpManagementGroup]",
"location": "[deployment().location]",
"dependsOn": [
- "policyCompletion"
+ "alz-prerequisites"
],
"properties": {
"mode": "Incremental",
@@ -6567,7 +6660,7 @@
"scope": "[variables('scopes').corpManagementGroup]",
"location": "[deployment().location]",
"dependsOn": [
- "policyCompletion"
+ "alz-prerequisites"
],
"properties": {
"mode": "Incremental",
@@ -6591,7 +6684,7 @@
"scope": "[variables('scopes').lzsManagementGroup]",
"location": "[deployment().location]",
"dependsOn": [
- "policyCompletion"
+ "alz-prerequisites"
],
"properties": {
"mode": "Incremental",
@@ -6617,7 +6710,7 @@
"scope": "[variables('scopes').platformManagementGroup]",
"location": "[deployment().location]",
"dependsOn": [
- "policyCompletion"
+ "alz-prerequisites"
],
"properties": {
"mode": "Incremental",
@@ -6643,7 +6736,7 @@
"scope": "[variables('scopes').lzsManagementGroup]",
"location": "[deployment().location]",
"dependsOn": [
- "policyCompletion"
+ "alz-prerequisites"
],
"properties": {
"mode": "Incremental",
@@ -6670,7 +6763,7 @@
"scope": "[variables('scopes').lzsManagementGroup]",
"location": "[deployment().location]",
"dependsOn": [
- "policyCompletion"
+ "alz-prerequisites"
],
"properties": {
"mode": "Incremental",
@@ -6694,7 +6787,7 @@
"scope": "[variables('scopes').lzsManagementGroup]",
"location": "[deployment().location]",
"dependsOn": [
- "policyCompletion"
+ "alz-prerequisites"
],
"properties": {
"mode": "Incremental",
@@ -6721,7 +6814,7 @@
"scope": "[variables('scopes').platformManagementGroup]",
"location": "[deployment().location]",
"dependsOn": [
- "policyCompletion"
+ "alz-prerequisites"
],
"properties": {
"mode": "Incremental",
@@ -6748,7 +6841,7 @@
"scope": "[variables('scopes').lzsManagementGroup]",
"location": "[deployment().location]",
"dependsOn": [
- "policyCompletion"
+ "alz-prerequisites"
],
"properties": {
"mode": "Incremental",
@@ -6775,7 +6868,7 @@
"scope": "[variables('scopes').platformManagementGroup]",
"location": "[deployment().location]",
"dependsOn": [
- "policyCompletion"
+ "alz-prerequisites"
],
"properties": {
"mode": "Incremental",
@@ -6802,7 +6895,7 @@
"scope": "[variables('scopes').corpManagementGroup]",
"location": "[deployment().location]",
"dependsOn": [
- "policyCompletion"
+ "alz-prerequisites"
],
"properties": {
"mode": "Incremental",
@@ -6826,7 +6919,7 @@
"scope": "[variables('scopes').corpManagementGroup]",
"location": "[deployment().location]",
"dependsOn": [
- "policyCompletion"
+ "alz-prerequisites"
],
"properties": {
"mode": "Incremental",
@@ -6856,7 +6949,7 @@
"scope": "[variables('scopes').lzsManagementGroup]",
"location": "[deployment().location]",
"dependsOn": [
- "policyCompletion"
+ "alz-prerequisites"
],
"properties": {
"mode": "Incremental",
@@ -6880,7 +6973,7 @@
"scope": "[variables('scopes').eslzRootManagementGroup]",
"location": "[deployment().location]",
"dependsOn": [
- "policyCompletion"
+ "alz-prerequisites"
],
"properties": {
"mode": "Incremental",
@@ -6907,7 +7000,7 @@
"scope": "[variables('scopes').lzsManagementGroup]",
"location": "[deployment().location]",
"dependsOn": [
- "policyCompletion"
+ "alz-prerequisites"
],
"properties": {
"mode": "Incremental",
@@ -7027,7 +7120,7 @@
"scope": "[variables('scopes').lzsManagementGroup]",
"location": "[deployment().location]",
"dependsOn": [
- "policyCompletion"
+ "alz-prerequisites"
],
"properties": {
"mode": "Incremental",
@@ -7054,7 +7147,7 @@
"scope": "[variables('scopes').lzsManagementGroup]",
"location": "[deployment().location]",
"dependsOn": [
- "policyCompletion"
+ "alz-prerequisites"
],
"properties": {
"mode": "Incremental",
@@ -7081,7 +7174,7 @@
"scope": "[variables('scopes').decommissionedManagementGroup]",
"location": "[deployment().location]",
"dependsOn": [
- "policyCompletion"
+ "alz-prerequisites"
],
"properties": {
"mode": "Incremental",
@@ -7108,7 +7201,7 @@
"scope": "[variables('scopes').sandboxManagementGroup]",
"location": "[deployment().location]",
"dependsOn": [
- "policyCompletion"
+ "alz-prerequisites"
],
"properties": {
"mode": "Incremental",
@@ -7138,7 +7231,7 @@
"scope": "[variables('scopes').identityManagementGroup]",
"location": "[deployment().location]",
"dependsOn": [
- "policyCompletion"
+ "alz-prerequisites"
],
"properties": {
"mode": "Incremental",
@@ -7165,7 +7258,7 @@
"scope": "[variables('scopes').identityManagementGroup]",
"location": "[deployment().location]",
"dependsOn": [
- "policyCompletion",
+ "alz-prerequisites",
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').identitySubscriptionPlacement)]"
],
"properties": {
@@ -7190,7 +7283,7 @@
"scope": "[variables('scopes').identityManagementGroup]",
"location": "[deployment().location]",
"dependsOn": [
- "policyCompletion",
+ "alz-prerequisites",
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').identitySubscriptionPlacement)]"
],
"properties": {
@@ -7218,7 +7311,7 @@
"scope": "[variables('scopes').identityManagementGroup]",
"location": "[deployment().location]",
"dependsOn": [
- "policyCompletion",
+ "alz-prerequisites",
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').identitySubscriptionPlacement)]"
],
"properties": {
@@ -7715,7 +7808,7 @@
"subscriptionId": "[parameters('singlePlatformSubscriptionId')]",
"dependsOn": [
"[resourceId('Microsoft.Resources/deployments', variables('esliteDeploymentNames').platformLiteSubscriptionPlacement)]",
- "policyCompletion"
+ "alz-prerequisites"
],
"properties": {
"mode": "Incremental",
@@ -7794,7 +7887,7 @@
"location": "[deployment().location]",
"dependsOn": [
"[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').monitoringLiteDeploymentName)]",
- "policyCompletion"
+ "alz-prerequisites"
],
"properties": {
"mode": "Incremental",
@@ -8872,7 +8965,7 @@
"scope": "[variables('scopes').platformManagementGroup]",
"location": "[deployment().location]",
"dependsOn": [
- "policyCompletion",
+ "alz-prerequisites",
"[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').platformLiteSubscriptionPlacement)]"
],
"properties": {
@@ -8903,7 +8996,7 @@
"scope": "[variables('scopes').platformManagementGroup]",
"location": "[deployment().location]",
"dependsOn": [
- "policyCompletion",
+ "alz-prerequisites",
"[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').platformLiteSubscriptionPlacement)]"
],
"properties": {
diff --git a/eslzArm/prerequisites/deployPrerequisites.json b/eslzArm/prerequisites/deployPrerequisites.json
new file mode 100644
index 000000000..2b99f596e
--- /dev/null
+++ b/eslzArm/prerequisites/deployPrerequisites.json
@@ -0,0 +1,255 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "resourceGroupName": {
+ "type": "string",
+ "defaultValue": "rg-alz-prereqs",
+ "metadata": {
+ "description": "The resource group name where the AVNM resources will be created"
+ }
+ },
+ "location": {
+ "type": "string",
+ "metadata": {
+ "description": "The location of this AVNM instance. All resources will be deployed to this region."
+ }
+ },
+ "eslzRootName": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the Enterprise Scale Landing Zone root resource."
+ }
+ },
+ "managementSubscriptionId": {
+ "type": "string",
+ "metadata": {
+ "description": "The subscription ID of the management subscription."
+ }
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2022-09-01",
+ "name": "alz-prerequisites-001",
+ "location": "[parameters('location')]",
+ "subscriptionId": "[parameters('managementSubscriptionId')]",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "location": {
+ "value": "[parameters('location')]"
+ },
+ "resourceGroupName": {
+ "value": "[parameters('resourceGroupName')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "location": {
+ "type": "string"
+ },
+ "resourceGroupName": {
+ "type": "string"
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Resources/resourceGroups",
+ "apiVersion": "2022-09-01",
+ "name": "[parameters('resourceGroupName')]",
+ "location": "[parameters('location')]"
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2022-09-01",
+ "name": "alz-prerequisites-uai",
+ "resourceGroup": "[parameters('resourceGroupName')]",
+ "dependsOn": [
+ "[subscriptionResourceId('Microsoft.Resources/resourceGroups', parameters('resourceGroupName'))]"
+ ],
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "location": {
+ "value": "[parameters('location')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "location": {
+ "type": "string"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.ManagedIdentity/userAssignedIdentities",
+ "apiVersion": "2023-07-31-preview",
+ "name": "uai-alz-prereq",
+ "location": "[parameters('location')]"
+ }
+ ],
+ "outputs": {
+ "userAssignedIdentityId": {
+ "type": "string",
+ "value": "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'uai-alz-prereq')]"
+ },
+ "uaiPrincipalId": {
+ "type": "string",
+ "value": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'uai-alz-prereq'), '2023-07-31-preview').principalId]"
+ }
+ }
+ }
+ }
+ }
+ ],
+ "outputs": {
+ "userAssignedIdentityId": {
+ "type": "string",
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('resourceGroupName')), 'Microsoft.Resources/deployments', 'alz-prerequisites-uai'), '2022-09-01').outputs.userAssignedIdentityId.value]"
+ },
+ "uaiPrincipalId": {
+ "type": "string",
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('resourceGroupName')), 'Microsoft.Resources/deployments', 'alz-prerequisites-uai'), '2022-09-01').outputs.uaiPrincipalId.value]"
+ }
+ }
+
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Authorization/roleAssignments",
+ "apiVersion": "2022-04-01",
+ "name": "[guid(format('alz-prerequisites-{0}-{1}', parameters('eslzRootName'), parameters('location')))]",
+ "location": "[parameters('location')]",
+ "properties": {
+ "roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
+ "principalId": "[reference(subscriptionResourceId(parameters('managementSubscriptionId'), 'Microsoft.Resources/deployments', 'alz-prerequisites-001'), '2022-09-01').outputs.uaiPrincipalId.value]",
+ "principalType": "ServicePrincipal"
+ },
+ "dependsOn": [
+ "[subscriptionResourceId(parameters('managementSubscriptionId'), 'Microsoft.Resources/deployments', 'alz-prerequisites-001')]"
+ ]
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2022-09-01",
+ "name": "alz-prerequisites-002",
+ "location": "[parameters('location')]",
+ "subscriptionId": "[parameters('managementSubscriptionId')]",
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2022-09-01",
+ "name": "alz-prereq-ds",
+ "resourceGroup": "[parameters('resourceGroupName')]",
+ "dependsOn": [],
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "location": {
+ "value": "[parameters('location')]"
+ },
+ "eslzRootName": {
+ "value": "[parameters('eslzRootName')]"
+ },
+ "managementSubscriptionId": {
+ "value": "[parameters('managementSubscriptionId')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "location": {
+ "type": "string"
+ },
+ "eslzRootName":{
+ "type": "string"
+ },
+ "managementSubscriptionId": {
+ "type": "string"
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Resources/deploymentScripts",
+ "apiVersion": "2020-10-01",
+ "name": "alz-prereq-deploymentscript",
+ "location": "[parameters('location')]",
+ "kind": "AzurePowerShell",
+ "identity": {
+ "type": "UserAssigned",
+ "userAssignedIdentities": {
+ "[reference(subscriptionResourceId(parameters('managementSubscriptionId'), 'Microsoft.Resources/deployments', 'alz-prerequisites-001'), '2022-09-01').outputs.userAssignedIdentityId.value]": {}
+ }
+ },
+ "properties": {
+ "azPowerShellVersion": "12.3",
+ "retentionInterval": "PT1H",
+ "timeout": "PT2H",
+ "arguments": "[format('-eslzRootName \"{0}\"', parameters('eslzRootName'))]",
+ "scriptContent": "
+ param(
+ [Parameter(Mandatory=$true, HelpMessage=\"Enter the ESLZ root name.\")]
+ [string]
+ $eslzRootName
+ )
+
+ #API call to register the Microsoft.Network provider against intermediate resource group for AVNM
+ Invoke-AzRestMethod -Method POST -Uri \"https://management.azure.com/providers/Microsoft.Management/managementGroups/$eslzRootName/providers/Microsoft.Network/register?api-version=2021-04-01\"
+
+ #Register all resource providers required for ALZ
+ $subs = Search-AzGraph -Query \"ResourceContainers | where type =~ 'microsoft.resources/subscriptions'\" -ManagementGroup $eslzRootName
+ $rps = @('Microsoft.Insights','Microsoft.AlertsManagement','Microsoft.OperationalInsights','Microsoft.OperationsManagement','Microsoft.Automation','Microsoft.AlertsManagement','Microsoft.Security','Microsoft.Network','Microsoft.EventGrid','Microsoft.ManagedIdentity','Microsoft.GuestConfiguration','Microsoft.Advisor','Microsoft.PolicyInsights')
+
+ foreach ($sub in $subs) {
+ Write-Host 'Registering resource providers for subscription: ' $sub.subscriptionId
+ Select-AzSubscription -SubscriptionId $sub.subscriptionId
+ Get-AzResourceProvider -ProviderNamespace $rps | where {$_.RegistrationState -ne \"Registered\"} | Register-AzResourceProvider
+ }
+
+ #Sleep for 15 minutes to wait for Management Groups to load to cache before policy assignments
+ Start-Sleep -Duration (New-TimeSpan -Minutes 15)
+ "
+ },
+ "metadata": {
+ "description": "Create a Deployment Script resource to perform the prerequisites."
+ }
+ }
+ ],
+ "outputs": {}
+ }
+ }
+ }
+ ]
+ }
+ },
+ "dependsOn": [
+ "alz-prerequisites-001",
+ "[guid(format('alz-prerequisites-{0}-{1}', parameters('eslzRootName'), parameters('location')))]"
+ ]
+ }
+ ],
+ "outputs": {}
+ }
\ No newline at end of file
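Review bot: the `Microsoft.Authorization/roleAssignments` resource grants `roleDefinitionId` `b24988ac-6180-42a0-ab88-20f7382dd24c` (the built-in Contributor role) to the new user-assigned identity `uai-alz-prereq` at the scope of this management-group deployment, i.e. the intermediate root, and nothing in the template removes the assignment or the identity afterwards. The deployment script only needs to register resource providers (`Microsoft.Network` at the management group via `Invoke-AzRestMethod`, and the `$rps` list per subscription), so a role limited to provider registration, or a clean-up of the assignment and identity once the script has succeeded, would avoid leaving a standing Contributor principal on the root. Smaller points in the same file: the `resourceGroupName` and `location` descriptions talk about "AVNM resources" and "this AVNM instance", but this template creates the prerequisite resource group and identity; the script comment says "intermediate resource group" for what is a management-group URI; `Microsoft.AlertsManagement` is listed twice in `$rps`; `Search-AzGraph` returns only the first page (100 rows by default), so a root with more subscriptions than that will silently skip some unless the query is paged with `-First`/`-Skip`; the script neither sets `$ErrorActionPreference = 'Stop'` nor checks the `Invoke-AzRestMethod` response status, so a failed registration still reports success to every deployment that now waits on `alz-prerequisites`; and the fixed 15-minute `Start-Sleep` plus the per-subscription loop should be sized against the `PT2H` timeout. Trivial: the blank line inside the `outputs` object, the missing space in `"eslzRootName":{`, and the missing newline at end of file.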
diff --git a/eslzArm/subscriptionTemplates/avnmConfiguration.json b/eslzArm/subscriptionTemplates/avnmConfiguration.json
new file mode 100644
index 000000000..ddd431c93
--- /dev/null
+++ b/eslzArm/subscriptionTemplates/avnmConfiguration.json
@@ -0,0 +1,706 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "location": {
+ "type": "string",
+ "metadata": {
+ "displayName": "location",
+ "description": "Location of the HUB"
+ },
+ "defaultValue": "[deployment().location]"
+ },
+ "locationSecondary": {
+ "type": "string",
+ "metadata": {
+ "displayName": "locationSecondary",
+ "description": "Secondary location of the HUB for instances deploying in multiple regions"
+ },
+ "defaultValue": ""
+ },
+ "managementGroupScope": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Management group scope for AVNM. Intermediate root management group is the default."
+ }
+ },
+ "connectivitySubscriptionId": {
+ "type": "string",
+ "metadata": {
+ "description": "SubscriptionId for the connectivity subscription."
+ },
+ "defaultValue": "[subscription().subscriptionId]"
+ },
+ "enableSecondaryRegion": {
+ "type": "string",
+ "metadata": {
+ "description": "Enable secondary region for instances deploying in multiple regions"
+ },
+ "defaultValue": "no"
+ }
+ },
+ "variables": {
+ "rgName": "rg-alz-avnm",
+ "resourceDeploymentName": "[take(concat(deployment().name, '-avnm', parameters('location')), 64)]",
+ "configIds": "[resourceId(parameters('connectivitySubscriptionId'), variables('rgName'), 'Microsoft.Network/networkManagers/securityAdminConfigurations', 'avnm', 'sac-alz')]"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Resources/resourceGroups",
+ "apiVersion": "2019-10-01",
+ "location": "[parameters('location')]",
+ "name": "[variables('rgName')]",
+ "properties": {}
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "[variables('resourceDeploymentName')]",
+ "resourceGroup": "[variables('rgName')]",
+ "dependsOn": [
+ "[concat('Microsoft.Resources/resourceGroups/', variables('rgName'))]"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "parameters": {
+ "location": {
+ "value": "[parameters('location')]"
+ },
+ "locationSecondary": {
+ "value": "[parameters('locationSecondary')]"
+ },
+ "managementGroupScope": {
+ "value": "[parameters('managementGroupScope')]"
+ },
+ "enableSecondaryRegion": {
+ "value": "[parameters('enableSecondaryRegion')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "location": {
+ "type": "string"
+ },
+ "locationSecondary": {
+ "type": "string"
+ },
+ "managementGroupScope": {
+ "type": "string"
+ },
+ "enableSecondaryRegion": {
+ "type": "string"
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Network/networkManagers",
+ "apiVersion": "2024-03-01",
+ "name": "avnm",
+ "location": "[parameters('location')]",
+ "properties": {
+ "networkManagerScopeAccesses": [
+ "SecurityAdmin"
+ ],
+ "networkManagerScopes": {
+ "managementGroups": [
+ "[parameters('managementGroupScope')]"
+ ]
+ }
+ },
+ "dependsOn": [
+
+ ],
+ "metadata": {
+ "description": "This is the Azure Virtual Network Manager which will be used to implement the connected group for spoke-to-spoke connectivity."
+ }
+ },
+ {
+ "type": "Microsoft.Network/networkManagers/networkGroups",
+ "apiVersion": "2024-03-01",
+ "name": "[format('{0}/{1}', 'avnm', 'avnm-ng-all')]",
+ "properties": {
+ "memberType": "VirtualNetwork",
+ "description": "Network Group - All Landing Zone virtual networks"
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Network/networkManagers', 'avnm')]"
+ ],
+ "metadata": {
+ "description": "This is the dynamic network group for all ALZ VNETs."
+ }
+ },
+ {
+ "type": "Microsoft.Network/networkManagers/networkGroups",
+ "apiVersion": "2024-03-01",
+ "name": "[format('{0}/{1}', 'avnm', format('avnm-ng-{0}', parameters('location')))]",
+ "properties": {
+ "memberType": "VirtualNetwork",
+ "description": "[format('Network Group - {0}', parameters('location'))]"
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Network/networkManagers', 'avnm')]"
+ ],
+ "metadata": {
+ "description": "This is the dynamic network group for all ALZ VNETs in the primary region."
+ }
+ },
+ {
+ "condition": "[equals(parameters('enableSecondaryRegion'), 'Yes')]",
+ "type": "Microsoft.Network/networkManagers/networkGroups",
+ "apiVersion": "2024-03-01",
+ "name": "[format('{0}/{1}', 'avnm', format('avnm-ng-{0}', parameters('locationSecondary')))]",
+ "properties": {
+ "memberType": "VirtualNetwork",
+ "description": "[format('Network Group - {0}', parameters('locationSecondary'))]"
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Network/networkManagers', 'avnm')]"
+ ],
+ "metadata": {
+ "description": "This is the dynamic network group for all ALZ VNETs in the secondary region, if selected."
+ }
+ },
+ {
+ "type": "Microsoft.Network/networkManagers/networkGroups",
+ "apiVersion": "2024-03-01",
+ "name": "[format('{0}/{1}', 'avnm', format('avnm-ng-corp-{0}', parameters('location')))]",
+ "properties": {
+ "memberType": "VirtualNetwork",
+ "description": "[format('Network Group - Corp - {0}', parameters('location'))]"
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Network/networkManagers', 'avnm')]"
+ ],
+ "metadata": {
+ "description": "This is the dynamic network group for all ALZ CORP VNETs in the primary region."
+ }
+ },
+ {
+ "condition": "[equals(parameters('enableSecondaryRegion'), 'Yes')]",
+ "type": "Microsoft.Network/networkManagers/networkGroups",
+ "apiVersion": "2024-03-01",
+ "name": "[format('{0}/{1}', 'avnm', format('avnm-ng-corp-{0}', parameters('locationSecondary')))]",
+ "properties": {
+ "memberType": "VirtualNetwork",
+ "description": "[format('Network Group - Corp - {0}', parameters('locationSecondary'))]"
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Network/networkManagers', 'avnm')]"
+ ],
+ "metadata": {
+ "description": "This is the dynamic network group for all ALZ CORP VNETs in the secondary region, if selected."
+ }
+ },
+ {
+ "type": "Microsoft.Network/networkManagers/networkGroups",
+ "apiVersion": "2024-03-01",
+ "name": "[format('{0}/{1}', 'avnm', format('avnm-ng-online-{0}', parameters('location')))]",
+ "properties": {
+ "memberType": "VirtualNetwork",
+ "description": "[format('Network Group - Online - {0}', parameters('location'))]"
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Network/networkManagers', 'avnm')]"
+ ],
+ "metadata": {
+ "description": "This is the dynamic network group for all ALZ ONLINE VNETs in the primary region."
+ }
+ },
+ {
+ "condition": "[equals(parameters('enableSecondaryRegion'), 'Yes')]",
+ "type": "Microsoft.Network/networkManagers/networkGroups",
+ "apiVersion": "2024-03-01",
+ "name": "[format('{0}/{1}', 'avnm', format('avnm-ng-online-{0}', parameters('locationSecondary')))]",
+ "properties": {
+ "memberType": "VirtualNetwork",
+ "description": "[format('Network Group - Online - {0}', parameters('locationSecondary'))]"
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Network/networkManagers', 'avnm')]"
+ ],
+ "metadata": {
+ "description": "This is the dynamic network group for all ALZ ONLINE VNETs in the secondary region, if selected."
+ }
+ },
+ {
+ "type": "Microsoft.Network/networkManagers/networkGroups",
+ "apiVersion": "2024-03-01",
+ "name": "[format('{0}/{1}', 'avnm', format('avnm-ng-identity-{0}', parameters('location')))]",
+ "properties": {
+ "memberType": "VirtualNetwork",
+ "description": "[format('Network Group - Identity - {0}', parameters('location'))]"
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Network/networkManagers', 'avnm')]"
+ ],
+ "metadata": {
+ "description": "This is the dynamic network group for all ALZ IDENTITY VNETs in the primary region."
+ }
+ },
+ {
+ "condition": "[equals(parameters('enableSecondaryRegion'), 'Yes')]",
+ "type": "Microsoft.Network/networkManagers/networkGroups",
+ "apiVersion": "2024-03-01",
+ "name": "[format('{0}/{1}', 'avnm', format('avnm-ng-identity-{0}', parameters('locationSecondary')))]",
+ "properties": {
+ "memberType": "VirtualNetwork",
+ "description": "[format('Network Group - Identity - {0}', parameters('locationSecondary'))]"
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Network/networkManagers', 'avnm')]"
+ ],
+ "metadata": {
+ "description": "This is the dynamic network group for all ALZ IDENTITY VNETs in the secondary region, if selected."
+ }
+ },
+ {
+ "type": "Microsoft.Network/networkManagers/networkGroups",
+ "apiVersion": "2024-03-01",
+ "name": "[format('{0}/{1}', 'avnm', format('avnm-ng-management-{0}', parameters('location')))]",
+ "properties": {
+ "memberType": "VirtualNetwork",
+ "description": "[format('Network Group - Management - {0}', parameters('location'))]"
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Network/networkManagers', 'avnm')]"
+ ],
+ "metadata": {
+ "description": "This is the dynamic network group for all ALZ MANAGEMENT VNETs in the primary region."
+ }
+ },
+ {
+ "condition": "[equals(parameters('enableSecondaryRegion'), 'Yes')]",
+ "type": "Microsoft.Network/networkManagers/networkGroups",
+ "apiVersion": "2024-03-01",
+ "name": "[format('{0}/{1}', 'avnm', format('avnm-ng-management-{0}', parameters('locationSecondary')))]",
+ "properties": {
+ "memberType": "VirtualNetwork",
+ "description": "[format('Network Group - Management - {0}', parameters('locationSecondary'))]"
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Network/networkManagers', 'avnm')]"
+ ],
+ "metadata": {
+ "description": "This is the dynamic network group for all ALZ MANAGEMENT VNETs in the secondary region, if selected."
+ }
+ },
+ {
+ "type": "Microsoft.Network/networkManagers/networkGroups",
+ "apiVersion": "2024-03-01",
+ "name": "[format('{0}/{1}', 'avnm', format('avnm-ng-connectivity-{0}', parameters('location')))]",
+ "properties": {
+ "memberType": "VirtualNetwork",
+ "description": "[format('Network Group - Connectivity - {0}', parameters('location'))]"
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Network/networkManagers', 'avnm')]"
+ ],
+ "metadata": {
+ "description": "This is the dynamic network group for all ALZ CONNECTIVITY VNETs in the primary region."
+ }
+ },
+ {
+ "condition": "[equals(parameters('enableSecondaryRegion'), 'Yes')]",
+ "type": "Microsoft.Network/networkManagers/networkGroups",
+ "apiVersion": "2024-03-01",
+ "name": "[format('{0}/{1}', 'avnm', format('avnm-ng-connectivity-{0}', parameters('locationSecondary')))]",
+ "properties": {
+ "memberType": "VirtualNetwork",
+ "description": "[format('Network Group - Connectivity - {0}', parameters('locationSecondary'))]"
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Network/networkManagers', 'avnm')]"
+ ],
+ "metadata": {
+ "description": "This is the dynamic network group for all ALZ CONNECTIVITY VNETs in the secondary region, if selected."
+ }
+ },
+ {
+ "type": "Microsoft.Network/networkManagers/networkGroups",
+ "apiVersion": "2024-03-01",
+ "name": "[format('{0}/{1}', 'avnm', format('avnm-ng-sandbox-{0}', parameters('location')))]",
+ "properties": {
+ "memberType": "VirtualNetwork",
+ "description": "[format('Network Group - Sandbox - {0}', parameters('location'))]"
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Network/networkManagers', 'avnm')]"
+ ],
+ "metadata": {
+ "description": "This is the dynamic network group for all ALZ SANDBOX VNETs in the primary region."
+ }
+ },
+ {
+ "condition": "[equals(parameters('enableSecondaryRegion'), 'Yes')]",
+ "type": "Microsoft.Network/networkManagers/networkGroups",
+ "apiVersion": "2024-03-01",
+ "name": "[format('{0}/{1}', 'avnm', format('avnm-ng-sandbox-{0}', parameters('locationSecondary')))]",
+ "properties": {
+ "memberType": "VirtualNetwork",
+ "description": "[format('Network Group - Sandbox - {0}', parameters('locationSecondary'))]"
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Network/networkManagers', 'avnm')]"
+ ],
+ "metadata": {
+ "description": "This is the dynamic network group for all ALZ SANDBOX VNETs in the secondary region, if selected."
+ }
+ },
+ {
+ "type": "Microsoft.Network/networkManagers/networkGroups",
+ "apiVersion": "2024-03-01",
+ "name": "[format('{0}/{1}', 'avnm', format('avnm-ng-decommissioned-{0}', parameters('location')))]",
+ "properties": {
+ "memberType": "VirtualNetwork",
+ "description": "[format('Network Group - Decommissioned - {0}', parameters('location'))]"
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Network/networkManagers', 'avnm')]"
+ ],
+ "metadata": {
+ "description": "This is the dynamic network group for all ALZ DECOMMISSIONED VNETs in the primary region."
+ }
+ },
+ {
+ "condition": "[equals(parameters('enableSecondaryRegion'), 'Yes')]",
+ "type": "Microsoft.Network/networkManagers/networkGroups",
+ "apiVersion": "2024-03-01",
+ "name": "[format('{0}/{1}', 'avnm', format('avnm-ng-decommissioned-{0}', parameters('locationSecondary')))]",
+ "properties": {
+ "memberType": "VirtualNetwork",
+ "description": "[format('Network Group - Decommissioned - {0}', parameters('locationSecondary'))]"
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Network/networkManagers', 'avnm')]"
+ ],
+ "metadata": {
+ "description": "This is the dynamic network group for all ALZ DECOMMISSIONED VNETs in the secondary region, if selected."
+ }
+ },
+ {
+ "type": "Microsoft.Network/networkManagers/securityAdminConfigurations",
+ "apiVersion": "2023-11-01",
+ "name": "[format('{0}/{1}', 'avnm', 'sac-alz')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Network/networkManagers', 'avnm')]"
+ ],
+ "properties": {
+ "description": "ALZ Security Admin Configuration"
+ }
+ },
+ {
+ "type": "Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections",
+ "apiVersion": "2024-03-01",
+ "name": "[format('{0}/{1}/{2}', 'avnm', 'sac-alz', 'rc-ALZ')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Network/networkManagers/securityAdminConfigurations', 'avnm', 'sac-alz')]",
+ "[resourceId('Microsoft.Network/networkManagers/networkGroups', 'avnm', 'avnm-ng-all')]"
+ ],
+ "properties": {
+ "appliesToGroups": [
+ {
+ "networkGroupId": "[resourceId('Microsoft.Network/networkManagers/networkGroups', 'avnm', 'avnm-ng-all')]"
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections/rules",
+ "apiVersion": "2024-03-01",
+ "name": "[format('{0}/{1}/{2}/{3}', 'avnm', 'sac-alz', 'rc-ALZ', 'DenyMgmtInbound')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections', 'avnm', 'sac-alz', 'rc-ALZ')]"
+ ],
+ "kind": "Custom",
+ "properties": {
+ "description": "Deny VM Management inbound traffic, similar to the ALZ policy https://www.azadvertizer.net/azpolicyadvertizer/Deny-MgmtPorts-From-Internet.html",
+ "priority": 1000,
+ "sources": [
+ {
+ "addressPrefixType": "ServiceTag",
+ "addressPrefix": "Internet"
+ }
+ ],
+ "destinationPortRanges": [
+ "22",
+ "3389"
+ ],
+ "protocol": "Any",
+ "direction": "Inbound",
+ "access": "Deny"
+ }
+ },
+ {
+ "type": "Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections/rules",
+ "apiVersion": "2024-03-01",
+ "name": "[format('{0}/{1}/{2}/{3}', 'avnm', 'sac-alz', 'rc-ALZ', 'DenyHighRiskInboundTCP')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections', 'avnm', 'sac-alz', 'rc-ALZ')]"
+ ],
+ "kind": "Custom",
+ "properties": {
+ "description": "Deny high-risk TCP inbound traffic",
+ "priority": 1001,
+ "sources": [
+ {
+ "addressPrefixType": "ServiceTag",
+ "addressPrefix": "Internet"
+ }
+ ],
+ "destinationPortRanges": [
+ "20",
+ "21",
+ "23",
+ "119",
+ "161",
+ "445",
+ "512",
+ "514",
+ "873",
+ "5800",
+ "5900"
+ ],
+ "protocol": "TCP",
+ "direction": "Inbound",
+ "access": "Deny"
+ }
+ },
+ {
+ "type": "Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections/rules",
+ "apiVersion": "2024-03-01",
+ "name": "[format('{0}/{1}/{2}/{3}', 'avnm', 'sac-alz', 'rc-ALZ', 'DenyHighRiskInboundUDP')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections', 'avnm', 'sac-alz', 'rc-ALZ')]"
+ ],
+ "kind": "Custom",
+ "properties": {
+ "description": "Deny high-risk UDP inbound traffic",
+ "priority": 1002,
+ "sources": [
+ {
+ "addressPrefixType": "ServiceTag",
+ "addressPrefix": "Internet"
+ }
+ ],
+ "destinationPortRanges": [
+ "69",
+ "11211"
+ ],
+ "protocol": "UDP",
+ "direction": "Inbound",
+ "access": "Deny"
+ }
+ },
+ {
+ "type": "Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections/rules",
+ "apiVersion": "2024-03-01",
+ "name": "[format('{0}/{1}/{2}/{3}', 'avnm', 'sac-alz', 'rc-ALZ', 'DenyHighRiskInboundANY')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections', 'avnm', 'sac-alz', 'rc-ALZ')]"
+ ],
+ "kind": "Custom",
+ "properties": {
+ "description": "Deny high-risk ANY inbound traffic",
+ "priority": 1003,
+ "sources": [
+ {
+ "addressPrefixType": "ServiceTag",
+ "addressPrefix": "Internet"
+ }
+ ],
+ "destinationPortRanges": [
+ "111",
+ "135",
+ "162",
+ "593",
+ "2049"
+ ],
+ "protocol": "Any",
+ "direction": "Inbound",
+ "access": "Deny"
+ }
+ }
+
+ ]
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2022-09-01",
+ "name": "alz-avnm-uai",
+ "resourceGroup": "[variables('rgName')]",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "location": {
+ "value": "[parameters('location')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "location": {
+ "type": "string"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.ManagedIdentity/userAssignedIdentities",
+ "apiVersion": "2022-01-31-preview",
+ "name": "[format('uai-avnm-{0}', parameters('location'))]",
+ "location": "[parameters('location')]",
+ "metadata": {
+ "description": "This user assigned identity is used by the Deployment Script resource to interact with Azure resources."
+ }
+ },
+ {
+ "type": "Microsoft.Authorization/roleAssignments",
+ "apiVersion": "2022-04-01",
+ "name": "[guid(resourceGroup().id, format('uai-avnm-{0}', parameters('location')))]",
+ "properties": {
+ "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]",
+ "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-avnm-{0}', parameters('location'))), '2022-01-31-preview').principalId]",
+ "principalType": "ServicePrincipal"
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-avnm-{0}', parameters('location')))]"
+ ],
+ "metadata": {
+ "description": "This role assignment grants the user assigned identity the Contributor role on the resource group."
+ }
+ }
+ ],
+ "outputs": {
+ "userAssignedIdentityId": {
+ "type": "string",
+ "value": "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-avnm-{0}', parameters('location')))]"
+ }
+ }
+ }
+ },
+ "dependsOn": [
+ "[subscriptionResourceId('Microsoft.Resources/resourceGroups', variables('rgName'))]"
+ ]
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2022-09-01",
+ "name": "[format('ds-{0}-prereqs', parameters('location'))]",
+ "resourceGroup": "[variables('rgName')]",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "location": {
+ "value": "[parameters('location')]"
+ },
+ "locationSecondary": {
+ "value": "[parameters('locationSecondary')]"
+ },
+ "userAssignedIdentityId": {
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, variables('rgName')), 'Microsoft.Resources/deployments', 'alz-avnm-uai'), '2022-09-01').outputs.userAssignedIdentityId.value]"
+ },
+ "rgName": {
+ "value": "[variables('rgName')]"
+ },
+ "configIds": {
+ "value": "[variables('configIds')]"
+ },
+ "connectivitySubscriptionId": {
+ "value": "[parameters('connectivitySubscriptionId')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "location": {
+ "type": "string"
+ },
+ "locationSecondary": {
+ "type": "string"
+ },
+ "userAssignedIdentityId": {
+ "type": "string"
+ },
+ "rgName": {
+ "type": "string"
+ },
+ "configIds": {
+ "type": "string"
+ },
+ "connectivitySubscriptionId": {
+ "type": "string"
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Resources/deploymentScripts",
+ "apiVersion": "2020-10-01",
+ "name": "alz-avnm-deploymentscript",
+ "location": "[parameters('location')]",
+ "kind": "AzurePowerShell",
+ "identity": {
+ "type": "UserAssigned",
+ "userAssignedIdentities": {
+ "[format('{0}', parameters('userAssignedIdentityId'))]": {}
+ }
+ },
+ "properties": {
+ "azPowerShellVersion": "12.3",
+ "retentionInterval": "PT1H",
+ "timeout": "PT1H",
+ "arguments": "[format('-location \"{0}\" -locationSecond \"{1}\" -rgName \"{2}\" -configIds \"{3}\" -connSubId \"{4}\"', parameters('location'), parameters('locationSecondary'), parameters('rgName'), parameters('configIds'), parameters('connectivitySubscriptionId'))]",
+ "scriptContent": "
+ param(
+ [string]
+ $location,
+
+ [string]
+ $locationSecond,
+
+ [string]
+ $rgName,
+
+ [string]
+ $configIds,
+
+ [string]
+ $connSubId
+ )
+
+ $regions = @($location, $locationSecond)
+
+ Select-AzSubscription -SubscriptionId $connSubId
+
+ Deploy-AzNetworkManagerCommit -ResourceGroupName $rgName -Name \"avnm\" -TargetLocation $regions -CommitType \"SecurityAdmin\" -ConfigurationId $configIds
+
+ "
+ }
+ }
+ ],
+ "outputs": {}
+ }
+ },
+ "dependsOn": [
+ "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, variables('rgName')), 'Microsoft.Resources/deployments', variables('resourceDeploymentName'))]",
+ "[subscriptionResourceId('Microsoft.Resources/resourceGroups', variables('rgName'))]"
+ ]
+ }
+ ],
+ "outputs": {}
+}
\ No newline at end of file
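Review bot: the deployment script at the end of this hunk builds `$regions = @($location, $locationSecond)` unconditionally, so when no secondary region is configured and `locationSecondary` arrives as an empty string, `Deploy-AzNetworkManagerCommit -TargetLocation` receives an array containing `""`; add the secondary region only when it is set, e.g. `$regions = @($location); if ($locationSecond) { $regions += $locationSecond }`. The script also never sets `$ErrorActionPreference = 'Stop'`, so a failing `Select-AzSubscription` or commit raises only a non-terminating error and the `alz-avnm-deploymentscript` resource can report success while the security admin configuration was never committed. On least privilege: the `uai-avnm-*` identity exists only to commit a network manager configuration, yet the role assignment grants it Contributor (`b24988ac-6180-42a0-ab88-20f7382dd24c`, as the metadata description itself says) on the entire resource group; Network Contributor, or a custom role scoped to the `avnm` network manager, should suffice. Minor: `securityAdminConfigurations` is declared with apiVersion `2023-11-01` while its child `ruleCollections` and `rules` use `2024-03-01`, and the stray blank `+` line before the closing `]` of the resources array can be dropped.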
diff --git a/eslzArm/subscriptionTemplates/avnmPolicy.json b/eslzArm/subscriptionTemplates/avnmPolicy.json
new file mode 100644
index 000000000..597d30b18
--- /dev/null
+++ b/eslzArm/subscriptionTemplates/avnmPolicy.json
@@ -0,0 +1,1308 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "type": "string",
+ "maxLength": 10,
+ "metadata": {
+ "description": "Provide a prefix (max 10 characters, unique at tenant-scope) for the Management Group hierarchy and other resources created as part of Enterprise-scale."
+ }
+ },
+ "location": {
+ "type": "string",
+ "metadata": {
+ "displayName": "location",
+ "description": "Primary region for all resources."
+ },
+ "defaultValue": "[deployment().location]"
+ },
+ "locationSecondary": {
+ "type": "string",
+ "metadata": {
+ "displayName": "location",
+ "description": "Secondary region for all resources."
+ },
+ "defaultValue": ""
+ },
+ "connectivitySubscriptionId": {
+ "type": "string",
+ "metadata": {
+ "description": "Provide the subscriptionId you will place into the management group"
+ }
+ },
+ "enableSecondaryRegion": {
+ "type": "string",
+ "metadata": {
+ "description": "Enable secondary region for instances deploying in multiple regions"
+ },
+ "defaultValue": "No"
+ }
+ },
+ "variables": {
+ "networkGroupIdAll": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', 'avnm-ng-all')]",
+ "networkGroupIdRegion1": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-{0}', parameters('location')))]",
+ "networkGroupIdRegion2": "[if(equals(parameters('enableSecondaryRegion'), 'No'), '', resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-{0}', parameters('locationSecondary'))))]"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2023-04-01",
+ "name": "[uniqueString(variables('networkGroupIdAll'))]",
+ "properties": {
+ "description": "AVNM intermediate root group membership Policy",
+ "displayName": "AVNM intermediate root group membership Policy",
+ "mode": "Microsoft.Network.Data",
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Network/virtualNetworks"
+ }
+ ]
+ },
+ "then": {
+ "effect": "addToNetworkGroup",
+ "details": {
+ "networkGroupId": "[variables('networkGroupIdAll')]"
+ }
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2023-04-01",
+ "name": "[uniqueString(variables('networkGroupIdAll'))]",
+ "location": "[parameters('location')]",
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "properties": {
+ "description": "AVNM intermediate root group membership Policy",
+ "displayName": "AVNM intermediate root group membership Policy",
+ "enforcementMode": "Default",
+ "policyDefinitionId": "[managementGroupResourceId('Microsoft.Authorization/policyDefinitions', uniqueString(variables('networkGroupIdAll')))]"
+ },
+ "dependsOn": [
+ "[format('Microsoft.Authorization/policyDefinitions/{0}', uniqueString(variables('networkGroupIdAll')))]"
+ ]
+ },
+ {
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2023-04-01",
+ "name": "[uniqueString(variables('networkGroupIdRegion1'))]",
+ "properties": {
+ "description": "AVNM intermediate root group membership Policy",
+ "displayName": "AVNM intermediate root group membership Policy",
+ "mode": "Microsoft.Network.Data",
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Network/virtualNetworks"
+ }
+ ]
+ },
+ "then": {
+ "effect": "addToNetworkGroup",
+ "details": {
+ "networkGroupId": "[variables('networkGroupIdRegion1')]"
+ }
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2023-04-01",
+ "name": "[uniqueString(variables('networkGroupIdRegion1'))]",
+ "location": "[parameters('location')]",
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "properties": {
+ "description": "AVNM intermediate root group membership Policy",
+ "displayName": "AVNM intermediate root group membership Policy",
+ "enforcementMode": "Default",
+ "resourceSelectors": [
+ {
+ "name": "regionalResource",
+ "selectors": [
+ {
+ "kind": "ResourceLocation",
+ "in": [
+ "[parameters('location')]"
+ ]
+ }
+ ]
+ }
+ ],
+ "policyDefinitionId": "[managementGroupResourceId('Microsoft.Authorization/policyDefinitions', uniqueString(variables('networkGroupIdRegion1')))]"
+ },
+ "dependsOn": [
+ "[format('Microsoft.Authorization/policyDefinitions/{0}', uniqueString(variables('networkGroupIdRegion1')))]"
+ ]
+ },
+ {
+ "condition": "[equals(parameters('enableSecondaryRegion'), 'Yes')]",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2023-04-01",
+ "name": "[uniqueString(variables('networkGroupIdRegion2'))]",
+ "properties": {
+ "description": "AVNM intermediate root group membership Policy",
+ "displayName": "AVNM intermediate root group membership Policy",
+ "mode": "Microsoft.Network.Data",
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Network/virtualNetworks"
+ }
+ ]
+ },
+ "then": {
+ "effect": "addToNetworkGroup",
+ "details": {
+ "networkGroupId": "[variables('networkGroupIdRegion2')]"
+ }
+ }
+ }
+ }
+ },
+ {
+ "condition": "[equals(parameters('enableSecondaryRegion'), 'Yes')]",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2023-04-01",
+ "name": "[uniqueString(variables('networkGroupIdRegion2'))]",
+ "location": "[parameters('locationSecondary')]",
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "properties": {
+ "description": "AVNM intermediate root group membership Policy",
+ "displayName": "AVNM intermediate root group membership Policy",
+ "enforcementMode": "Default",
+ "resourceSelectors": [
+ {
+ "name": "regionalResource",
+ "selectors": [
+ {
+ "kind": "ResourceLocation",
+ "in": [
+ "[parameters('locationSecondary')]"
+ ]
+ }
+ ]
+ }
+ ],
+ "policyDefinitionId": "[managementGroupResourceId('Microsoft.Authorization/policyDefinitions', uniqueString(variables('networkGroupIdRegion2')))]"
+ },
+ "dependsOn": [
+ "[format('Microsoft.Authorization/policyDefinitions/{0}', uniqueString(variables('networkGroupIdRegion2')))]"
+ ]
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2022-09-01",
+ "name": "policyCorp",
+ "scope": "[format('Microsoft.Management/managementGroups/{0}', format('{0}-corp', parameters('topLevelManagementGroupPrefix')))]",
+ "location": "[deployment().location]",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "location": {
+ "value": "[parameters('location')]"
+ },
+ "locationSecondary": {
+ "value": "[parameters('locationSecondary')]"
+ },
+ "mgmtGroup": {
+ "value": "[format('{0}-corp', parameters('topLevelManagementGroupPrefix'))]"
+ },
+ "connectivitySubscriptionId": {
+ "value": "[parameters('connectivitySubscriptionId')]"
+ },
+ "enableSecondaryRegion": {
+ "value": "[parameters('enableSecondaryRegion')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "location": {
+ "type": "string"
+ },
+ "locationSecondary": {
+ "type": "string"
+ },
+ "mgmtGroup": {
+ "type": "string"
+ },
+ "connectivitySubscriptionId": {
+ "type": "string"
+ },
+ "enableSecondaryRegion": {
+ "type": "string"
+ }
+ },
+ "variables": {
+ "networkGroupId1": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-corp-{0}', parameters('location')))]",
+ "networkGroupId2": "[if(equals(parameters('enableSecondaryRegion'), 'No'), '', resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-corp-{0}', parameters('locationSecondary'))))]"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2023-04-01",
+ "name": "[format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location'))]",
+ "properties": {
+ "policyType": "Custom",
+ "mode": "Microsoft.Network.Data",
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Network/virtualNetworks"
+ }
+ ]
+ },
+ "then": {
+ "effect": "addToNetworkGroup",
+ "details": {
+ "networkGroupId": "[variables('networkGroupId1')]"
+ }
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2023-04-01",
+ "name": "[uniqueString(format('ALZAvnmPolicyAssignment{0}1', parameters('mgmtGroup')))]",
+ "properties": {
+ "policyDefinitionId": "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location')))]",
+ "resourceSelectors": [
+ {
+ "name": "regionalResource",
+ "selectors": [
+ {
+ "kind": "ResourceLocation",
+ "in": [
+ "[parameters('location')]"
+ ]
+ }
+ ]
+ }
+ ]
+ },
+ "dependsOn": [
+ "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location')))]"
+ ]
+ },
+ {
+ "condition": "[equals(parameters('enableSecondaryRegion'), 'Yes')]",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2023-04-01",
+ "name": "[format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('locationSecondary'))]",
+ "properties": {
+ "policyType": "Custom",
+ "mode": "Microsoft.Network.Data",
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Network/virtualNetworks"
+ }
+ ]
+ },
+ "then": {
+ "effect": "addToNetworkGroup",
+ "details": {
+ "networkGroupId": "[variables('networkGroupId2')]"
+ }
+ }
+ }
+ }
+ },
+ {
+ "condition": "[equals(parameters('enableSecondaryRegion'), 'Yes')]",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2023-04-01",
+ "name": "[uniqueString(format('ALZAvnmPolicyAssignment{0}2', parameters('mgmtGroup')))]",
+ "properties": {
+ "policyDefinitionId": "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('locationSecondary')))]",
+ "resourceSelectors": [
+ {
+ "name": "regionalResource",
+ "selectors": [
+ {
+ "kind": "ResourceLocation",
+ "in": [
+ "[parameters('locationSecondary')]"
+ ]
+ }
+ ]
+ }
+ ]
+ },
+ "dependsOn": [
+ "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('locationSecondary')))]"
+ ]
+ }
+ ]
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2022-09-01",
+ "name": "policyOnline",
+ "scope": "[format('Microsoft.Management/managementGroups/{0}', format('{0}-online', parameters('topLevelManagementGroupPrefix')))]",
+ "location": "[deployment().location]",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "location": {
+ "value": "[parameters('location')]"
+ },
+ "locationSecondary": {
+ "value": "[parameters('locationSecondary')]"
+ },
+ "mgmtGroup": {
+ "value": "[format('{0}-online', parameters('topLevelManagementGroupPrefix'))]"
+ },
+ "connectivitySubscriptionId": {
+ "value": "[parameters('connectivitySubscriptionId')]"
+ },
+ "enableSecondaryRegion": {
+ "value": "[parameters('enableSecondaryRegion')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "location": {
+ "type": "string"
+ },
+ "locationSecondary": {
+ "type": "string"
+ },
+ "mgmtGroup": {
+ "type": "string"
+ },
+ "connectivitySubscriptionId": {
+ "type": "string"
+ },
+ "enableSecondaryRegion": {
+ "type": "string"
+ }
+ },
+ "variables": {
+ "networkGroupId1": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-online-{0}', parameters('location')))]",
+ "networkGroupId2": "[if(equals(parameters('enableSecondaryRegion'), 'No'), '', resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-online-{0}', parameters('locationSecondary'))))]"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2023-04-01",
+ "name": "[format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location'))]",
+ "properties": {
+ "policyType": "Custom",
+ "mode": "Microsoft.Network.Data",
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Network/virtualNetworks"
+ }
+ ]
+ },
+ "then": {
+ "effect": "addToNetworkGroup",
+ "details": {
+ "networkGroupId": "[variables('networkGroupId1')]"
+ }
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2023-04-01",
+ "name": "[uniqueString(format('ALZAvnmPolicyAssignment{0}1', parameters('mgmtGroup')))]",
+ "properties": {
+ "policyDefinitionId": "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location')))]",
+ "resourceSelectors": [
+ {
+ "name": "regionalResource",
+ "selectors": [
+ {
+ "kind": "ResourceLocation",
+ "in": [
+ "[parameters('location')]"
+ ]
+ }
+ ]
+ }
+ ]
+ },
+ "dependsOn": [
+ "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location')))]"
+ ]
+ },
+ {
+ "condition": "[equals(parameters('enableSecondaryRegion'), 'Yes')]",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2023-04-01",
+ "name": "[format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('locationSecondary'))]",
+ "properties": {
+ "policyType": "Custom",
+ "mode": "Microsoft.Network.Data",
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Network/virtualNetworks"
+ }
+ ]
+ },
+ "then": {
+ "effect": "addToNetworkGroup",
+ "details": {
+ "networkGroupId": "[variables('networkGroupId2')]"
+ }
+ }
+ }
+ }
+ },
+ {
+ "condition": "[equals(parameters('enableSecondaryRegion'), 'Yes')]",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2023-04-01",
+ "name": "[uniqueString(format('ALZAvnmPolicyAssignment{0}2', parameters('mgmtGroup')))]",
+ "properties": {
+ "policyDefinitionId": "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('locationSecondary')))]",
+ "resourceSelectors": [
+ {
+ "name": "regionalResource",
+ "selectors": [
+ {
+ "kind": "ResourceLocation",
+ "in": [
+ "[parameters('locationSecondary')]"
+ ]
+ }
+ ]
+ }
+ ]
+ },
+ "dependsOn": [
+ "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('locationSecondary')))]"
+ ]
+ }
+ ]
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2022-09-01",
+ "name": "policyIdentity",
+ "scope": "[format('Microsoft.Management/managementGroups/{0}', format('{0}-identity', parameters('topLevelManagementGroupPrefix')))]",
+ "location": "[deployment().location]",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "location": {
+ "value": "[parameters('location')]"
+ },
+ "locationSecondary": {
+ "value": "[parameters('locationSecondary')]"
+ },
+ "mgmtGroup": {
+ "value": "[format('{0}-identity', parameters('topLevelManagementGroupPrefix'))]"
+ },
+ "connectivitySubscriptionId": {
+ "value": "[parameters('connectivitySubscriptionId')]"
+ },
+ "enableSecondaryRegion": {
+ "value": "[parameters('enableSecondaryRegion')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "location": {
+ "type": "string"
+ },
+ "locationSecondary": {
+ "type": "string"
+ },
+ "mgmtGroup": {
+ "type": "string"
+ },
+ "connectivitySubscriptionId": {
+ "type": "string"
+ },
+ "enableSecondaryRegion": {
+ "type": "string"
+ }
+ },
+ "variables": {
+ "networkGroupId1": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-identity-{0}', parameters('location')))]",
+ "networkGroupId2": "[if(equals(parameters('enableSecondaryRegion'), 'No'), '', resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-identity-{0}', parameters('locationSecondary'))))]"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2023-04-01",
+ "name": "[format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location'))]",
+ "properties": {
+ "policyType": "Custom",
+ "mode": "Microsoft.Network.Data",
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Network/virtualNetworks"
+ }
+ ]
+ },
+ "then": {
+ "effect": "addToNetworkGroup",
+ "details": {
+ "networkGroupId": "[variables('networkGroupId1')]"
+ }
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2023-04-01",
+ "name": "[uniqueString(format('ALZAvnmPolicyAssignment{0}1', parameters('mgmtGroup')))]",
+ "properties": {
+ "policyDefinitionId": "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location')))]",
+ "resourceSelectors": [
+ {
+ "name": "regionalResource",
+ "selectors": [
+ {
+ "kind": "ResourceLocation",
+ "in": [
+ "[parameters('location')]"
+ ]
+ }
+ ]
+ }
+ ]
+ },
+ "dependsOn": [
+ "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location')))]"
+ ]
+ },
+ {
+ "condition": "[equals(parameters('enableSecondaryRegion'), 'Yes')]",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2023-04-01",
+ "name": "[format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('locationSecondary'))]",
+ "properties": {
+ "policyType": "Custom",
+ "mode": "Microsoft.Network.Data",
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Network/virtualNetworks"
+ }
+ ]
+ },
+ "then": {
+ "effect": "addToNetworkGroup",
+ "details": {
+ "networkGroupId": "[variables('networkGroupId2')]"
+ }
+ }
+ }
+ }
+ },
+ {
+ "condition": "[equals(parameters('enableSecondaryRegion'), 'Yes')]",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2023-04-01",
+ "name": "[uniqueString(format('ALZAvnmPolicyAssignment{0}2', parameters('mgmtGroup')))]",
+ "properties": {
+ "policyDefinitionId": "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('locationSecondary')))]",
+ "resourceSelectors": [
+ {
+ "name": "regionalResource",
+ "selectors": [
+ {
+ "kind": "ResourceLocation",
+ "in": [
+ "[parameters('locationSecondary')]"
+ ]
+ }
+ ]
+ }
+ ]
+ },
+ "dependsOn": [
+ "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('locationSecondary')))]"
+ ]
+ }
+ ]
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2022-09-01",
+ "name": "policyManagement",
+ "scope": "[format('Microsoft.Management/managementGroups/{0}', format('{0}-management', parameters('topLevelManagementGroupPrefix')))]",
+ "location": "[deployment().location]",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "location": {
+ "value": "[parameters('location')]"
+ },
+ "locationSecondary": {
+ "value": "[parameters('locationSecondary')]"
+ },
+ "mgmtGroup": {
+ "value": "[format('{0}-management', parameters('topLevelManagementGroupPrefix'))]"
+ },
+ "connectivitySubscriptionId": {
+ "value": "[parameters('connectivitySubscriptionId')]"
+ },
+ "enableSecondaryRegion": {
+ "value": "[parameters('enableSecondaryRegion')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "location": {
+ "type": "string"
+ },
+ "locationSecondary": {
+ "type": "string"
+ },
+ "mgmtGroup": {
+ "type": "string"
+ },
+ "connectivitySubscriptionId": {
+ "type": "string"
+ },
+ "enableSecondaryRegion": {
+ "type": "string"
+ }
+ },
+ "variables": {
+ "networkGroupId1": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-management-{0}', parameters('location')))]",
+ "networkGroupId2": "[if(equals(parameters('enableSecondaryRegion'), 'No'), '', resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-management-{0}', parameters('locationSecondary'))))]"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2023-04-01",
+ "name": "[format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location'))]",
+ "properties": {
+ "policyType": "Custom",
+ "mode": "Microsoft.Network.Data",
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Network/virtualNetworks"
+ }
+ ]
+ },
+ "then": {
+ "effect": "addToNetworkGroup",
+ "details": {
+ "networkGroupId": "[variables('networkGroupId1')]"
+ }
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2023-04-01",
+ "name": "[uniqueString(format('ALZAvnmPolicyAssignment{0}1', parameters('mgmtGroup')))]",
+ "properties": {
+ "policyDefinitionId": "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location')))]",
+ "resourceSelectors": [
+ {
+ "name": "regionalResource",
+ "selectors": [
+ {
+ "kind": "ResourceLocation",
+ "in": [
+ "[parameters('location')]"
+ ]
+ }
+ ]
+ }
+ ]
+ },
+ "dependsOn": [
+ "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location')))]"
+ ]
+ },
+ {
+ "condition": "[equals(parameters('enableSecondaryRegion'), 'Yes')]",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2023-04-01",
+ "name": "[format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('locationSecondary'))]",
+ "properties": {
+ "policyType": "Custom",
+ "mode": "Microsoft.Network.Data",
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Network/virtualNetworks"
+ }
+ ]
+ },
+ "then": {
+ "effect": "addToNetworkGroup",
+ "details": {
+ "networkGroupId": "[variables('networkGroupId2')]"
+ }
+ }
+ }
+ }
+ },
+ {
+ "condition": "[equals(parameters('enableSecondaryRegion'), 'Yes')]",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2023-04-01",
+ "name": "[uniqueString(format('ALZAvnmPolicyAssignment{0}2', parameters('mgmtGroup')))]",
+ "properties": {
+ "policyDefinitionId": "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('locationSecondary')))]",
+ "resourceSelectors": [
+ {
+ "name": "regionalResource",
+ "selectors": [
+ {
+ "kind": "ResourceLocation",
+ "in": [
+ "[parameters('locationSecondary')]"
+ ]
+ }
+ ]
+ }
+ ]
+ },
+ "dependsOn": [
+ "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('locationSecondary')))]"
+ ]
+ }
+ ]
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2022-09-01",
+ "name": "policyConnectivity",
+ "scope": "[format('Microsoft.Management/managementGroups/{0}', format('{0}-connectivity', parameters('topLevelManagementGroupPrefix')))]",
+ "location": "[deployment().location]",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "location": {
+ "value": "[parameters('location')]"
+ },
+ "locationSecondary": {
+ "value": "[parameters('locationSecondary')]"
+ },
+ "mgmtGroup": {
+ "value": "[format('{0}-connectivity', parameters('topLevelManagementGroupPrefix'))]"
+ },
+ "connectivitySubscriptionId": {
+ "value": "[parameters('connectivitySubscriptionId')]"
+ },
+ "enableSecondaryRegion": {
+ "value": "[parameters('enableSecondaryRegion')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "location": {
+ "type": "string"
+ },
+ "locationSecondary": {
+ "type": "string"
+ },
+ "mgmtGroup": {
+ "type": "string"
+ },
+ "connectivitySubscriptionId": {
+ "type": "string"
+ },
+ "enableSecondaryRegion": {
+ "type": "string"
+ }
+ },
+ "variables": {
+ "networkGroupId1": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-connectivity-{0}', parameters('location')))]",
+ "networkGroupId2": "[if(equals(parameters('enableSecondaryRegion'), 'No'), '', resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-connectivity-{0}', parameters('locationSecondary'))))]"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2023-04-01",
+ "name": "[format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location'))]",
+ "properties": {
+ "policyType": "Custom",
+ "mode": "Microsoft.Network.Data",
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Network/virtualNetworks"
+ }
+ ]
+ },
+ "then": {
+ "effect": "addToNetworkGroup",
+ "details": {
+ "networkGroupId": "[variables('networkGroupId1')]"
+ }
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2023-04-01",
+ "name": "[uniqueString(format('ALZAvnmPolicyAssignment{0}1', parameters('mgmtGroup')))]",
+ "properties": {
+ "policyDefinitionId": "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location')))]",
+ "resourceSelectors": [
+ {
+ "name": "regionalResource",
+ "selectors": [
+ {
+ "kind": "ResourceLocation",
+ "in": [
+ "[parameters('location')]"
+ ]
+ }
+ ]
+ }
+ ]
+ },
+ "dependsOn": [
+ "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location')))]"
+ ]
+ },
+ {
+ "condition": "[equals(parameters('enableSecondaryRegion'), 'Yes')]",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2023-04-01",
+ "name": "[format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('locationSecondary'))]",
+ "properties": {
+ "policyType": "Custom",
+ "mode": "Microsoft.Network.Data",
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Network/virtualNetworks"
+ }
+ ]
+ },
+ "then": {
+ "effect": "addToNetworkGroup",
+ "details": {
+ "networkGroupId": "[variables('networkGroupId2')]"
+ }
+ }
+ }
+ }
+ },
+ {
+ "condition": "[equals(parameters('enableSecondaryRegion'), 'Yes')]",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2023-04-01",
+ "name": "[uniqueString(format('ALZAvnmPolicyAssignment{0}2', parameters('mgmtGroup')))]",
+ "properties": {
+ "policyDefinitionId": "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('locationSecondary')))]",
+ "resourceSelectors": [
+ {
+ "name": "regionalResource",
+ "selectors": [
+ {
+ "kind": "ResourceLocation",
+ "in": [
+ "[parameters('locationSecondary')]"
+ ]
+ }
+ ]
+ }
+ ]
+ },
+ "dependsOn": [
+ "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('locationSecondary')))]"
+ ]
+ }
+ ]
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2022-09-01",
+ "name": "policySandbox",
+ "scope": "[format('Microsoft.Management/managementGroups/{0}', format('{0}-sandboxes', parameters('topLevelManagementGroupPrefix')))]",
+ "location": "[deployment().location]",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "location": {
+ "value": "[parameters('location')]"
+ },
+ "locationSecondary": {
+ "value": "[parameters('locationSecondary')]"
+ },
+ "mgmtGroup": {
+ "value": "[format('{0}-sandboxes', parameters('topLevelManagementGroupPrefix'))]"
+ },
+ "connectivitySubscriptionId": {
+ "value": "[parameters('connectivitySubscriptionId')]"
+ },
+ "enableSecondaryRegion": {
+ "value": "[parameters('enableSecondaryRegion')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "location": {
+ "type": "string"
+ },
+ "locationSecondary": {
+ "type": "string"
+ },
+ "mgmtGroup": {
+ "type": "string"
+ },
+ "connectivitySubscriptionId": {
+ "type": "string"
+ },
+ "enableSecondaryRegion": {
+ "type": "string"
+ }
+ },
+ "variables": {
+ "networkGroupId1": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-sandbox-{0}', parameters('location')))]",
+ "networkGroupId2": "[if(equals(parameters('enableSecondaryRegion'), 'No'), '', resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-sandbox-{0}', parameters('locationSecondary'))))]"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2023-04-01",
+ "name": "[format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location'))]",
+ "properties": {
+ "policyType": "Custom",
+ "mode": "Microsoft.Network.Data",
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Network/virtualNetworks"
+ }
+ ]
+ },
+ "then": {
+ "effect": "addToNetworkGroup",
+ "details": {
+ "networkGroupId": "[variables('networkGroupId1')]"
+ }
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2023-04-01",
+ "name": "[uniqueString(format('ALZAvnmPolicyAssignment{0}1', parameters('mgmtGroup')))]",
+ "properties": {
+ "policyDefinitionId": "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location')))]",
+ "resourceSelectors": [
+ {
+ "name": "regionalResource",
+ "selectors": [
+ {
+ "kind": "ResourceLocation",
+ "in": [
+ "[parameters('location')]"
+ ]
+ }
+ ]
+ }
+ ]
+ },
+ "dependsOn": [
+ "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location')))]"
+ ]
+ },
+ {
+ "condition": "[equals(parameters('enableSecondaryRegion'), 'Yes')]",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2023-04-01",
+ "name": "[format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('locationSecondary'))]",
+ "properties": {
+ "policyType": "Custom",
+ "mode": "Microsoft.Network.Data",
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Network/virtualNetworks"
+ }
+ ]
+ },
+ "then": {
+ "effect": "addToNetworkGroup",
+ "details": {
+ "networkGroupId": "[variables('networkGroupId2')]"
+ }
+ }
+ }
+ }
+ },
+ {
+ "condition": "[equals(parameters('enableSecondaryRegion'), 'Yes')]",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2023-04-01",
+ "name": "[uniqueString(format('ALZAvnmPolicyAssignment{0}2', parameters('mgmtGroup')))]",
+ "properties": {
+ "policyDefinitionId": "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('locationSecondary')))]",
+ "resourceSelectors": [
+ {
+ "name": "regionalResource",
+ "selectors": [
+ {
+ "kind": "ResourceLocation",
+ "in": [
+ "[parameters('locationSecondary')]"
+ ]
+ }
+ ]
+ }
+ ]
+ },
+ "dependsOn": [
+ "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('locationSecondary')))]"
+ ]
+ }
+ ]
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2022-09-01",
+ "name": "policyDecommissioned",
+ "scope": "[format('Microsoft.Management/managementGroups/{0}', format('{0}-decommissioned', parameters('topLevelManagementGroupPrefix')))]",
+ "location": "[deployment().location]",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "location": {
+ "value": "[parameters('location')]"
+ },
+ "locationSecondary": {
+ "value": "[parameters('locationSecondary')]"
+ },
+ "mgmtGroup": {
+ "value": "[format('{0}-decommissioned', parameters('topLevelManagementGroupPrefix'))]"
+ },
+ "connectivitySubscriptionId": {
+ "value": "[parameters('connectivitySubscriptionId')]"
+ },
+ "enableSecondaryRegion": {
+ "value": "[parameters('enableSecondaryRegion')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "location": {
+ "type": "string"
+ },
+ "locationSecondary": {
+ "type": "string"
+ },
+ "mgmtGroup": {
+ "type": "string"
+ },
+ "connectivitySubscriptionId": {
+ "type": "string"
+ },
+ "enableSecondaryRegion": {
+ "type": "string"
+ }
+ },
+ "variables": {
+ "networkGroupId1": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-decommissioned-{0}', parameters('location')))]",
+ "networkGroupId2": "[if(equals(parameters('enableSecondaryRegion'), 'No'), '', resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-decommissioned-{0}', parameters('locationSecondary'))))]"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2023-04-01",
+ "name": "[format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location'))]",
+ "properties": {
+ "policyType": "Custom",
+ "mode": "Microsoft.Network.Data",
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Network/virtualNetworks"
+ }
+ ]
+ },
+ "then": {
+ "effect": "addToNetworkGroup",
+ "details": {
+ "networkGroupId": "[variables('networkGroupId1')]"
+ }
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2023-04-01",
+ "name": "[uniqueString(format('ALZAvnmPolicyAssignment{0}1', parameters('mgmtGroup')))]",
+ "properties": {
+ "policyDefinitionId": "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location')))]",
+ "resourceSelectors": [
+ {
+ "name": "regionalResource",
+ "selectors": [
+ {
+ "kind": "ResourceLocation",
+ "in": [
+ "[parameters('location')]"
+ ]
+ }
+ ]
+ }
+ ]
+ },
+ "dependsOn": [
+ "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location')))]"
+ ]
+ },
+ {
+ "condition": "[equals(parameters('enableSecondaryRegion'), 'Yes')]",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2023-04-01",
+ "name": "[format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('locationSecondary'))]",
+ "properties": {
+ "policyType": "Custom",
+ "mode": "Microsoft.Network.Data",
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Network/virtualNetworks"
+ }
+ ]
+ },
+ "then": {
+ "effect": "addToNetworkGroup",
+ "details": {
+ "networkGroupId": "[variables('networkGroupId2')]"
+ }
+ }
+ }
+ }
+ },
+ {
+ "condition": "[equals(parameters('enableSecondaryRegion'), 'Yes')]",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2023-04-01",
+ "name": "[uniqueString(format('ALZAvnmPolicyAssignment{0}2', parameters('mgmtGroup')))]",
+ "properties": {
+ "policyDefinitionId": "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('locationSecondary')))]",
+ "resourceSelectors": [
+ {
+ "name": "regionalResource",
+ "selectors": [
+ {
+ "kind": "ResourceLocation",
+ "in": [
+ "[parameters('locationSecondary')]"
+ ]
+ }
+ ]
+ }
+ ]
+ },
+ "dependsOn": [
+ "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('locationSecondary')))]"
+ ]
+ }
+ ]
+ }
+ }
+ }
+ ]
+}
\ No newline at end of file
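Review bot: the inner templates' `enableSecondaryRegion` parameter is declared only as `"type": "string"` with no `allowedValues`, yet the secondary-region resources are gated on `"condition": "[equals(parameters('enableSecondaryRegion'), 'Yes')]"` while the `networkGroupId2` variable tests `equals(parameters('enableSecondaryRegion'), 'No')`; any third value (a typo, a lowercase `yes`) leaves the variable resolving to the secondary network group while the conditional definitions and assignments are silently skipped. Suggest `"allowedValues": ["Yes", "No"]` (or a bool) on the parameter in both the outer and inner templates, and the same `'Yes'` test for the variable and the conditions. Two smaller points in the same hunk: the AVNM resource group and network manager names are hard-coded as `'rg-alz-avnm'` and `'avnm'` inside every `networkGroupId1`/`networkGroupId2` `resourceId(...)` call, so if the AVNM deployment elsewhere uses different names the `addToNetworkGroup` policies will reference a non-existent network group with no deployment-time error, which argues for passing them in as parameters alongside `connectivitySubscriptionId`; and each custom `Microsoft.Authorization/policyDefinitions` resource carries only `policyType`, `mode` and `policyRule`, so a `displayName` and `description` (naming the management group and region the definition covers) would make the four near-identical definitions distinguishable in the portal and in compliance reports.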