diff --git a/.github/scripts/Get-AlzBicepResourceTypes.ps1 b/.github/scripts/Get-AlzBicepResourceTypes.ps1
index c362bacce..1b0f6fd0f 100644
--- a/.github/scripts/Get-AlzBicepResourceTypes.ps1
+++ b/.github/scripts/Get-AlzBicepResourceTypes.ps1
@@ -13,7 +13,7 @@ $resourceTypesFullList = @{}
 Get-ChildItem -Path '.\infra-as-code\bicep\modules' -Recurse -Filter '*.json' -Exclude 'callModuleFromACR.example.json', 'orchHubSpoke.json', '*parameters*.json', 'bicepconfig.json', '*policy_*.json' | ForEach-Object {
 Write-Information "==> Reading Built ARM Template JSON File: $_" -InformationAction Continue
- $armTemplate = Get-Content $_.FullName | ConvertFrom-Json -Depth 20
+ $armTemplate = Get-Content $_.FullName | ConvertFrom-Json -Depth 100
 $armResourceTypes = $armTemplate.Resources
 $armResourceTypes | ForEach-Object {
 if (!$resourceTypesFullList.ContainsKey($_.Type)) {
@@ -29,4 +29,4 @@ Write-Information "==> Remove nested deployments resource type" -InformationActi
 $resourceTypesFullList.Remove('Microsoft.Resources/Deployments')
 Write-Information "==> List of resource types in ALZ-Bicep modules" -InformationAction Continue
-$resourceTypesFullList.Keys | Sort-Object
\ No newline at end of file
+$resourceTypesFullList.Keys | Sort-Object
diff --git a/.github/scripts/Invoke-PolicyToBicep-China.ps1 b/.github/scripts/Invoke-PolicyToBicep-China.ps1
index e8d5e77f4..c247dcc8b 100644
--- a/.github/scripts/Invoke-PolicyToBicep-China.ps1
+++ b/.github/scripts/Invoke-PolicyToBicep-China.ps1
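Review bot: The new `-Depth 100` on the ConvertFrom-Json call is a bare number, and nothing in the script records why 20 was too shallow or whether 100 is intended as a ceiling, so the next person who hits a deeper template has no guidance. A one-line comment above the call would cover it, e.g. `# Built ARM templates can nest beyond -Depth 20 (inferred from the bump); 100 matches the -Depth used by the Invoke-PolicyToBicep*.ps1 scripts`. The matching value in the Invoke-PolicyToBicep scripts further down this diff is the only cross-reference visible here, so the two should be kept in step if either changes. The second hunk in this file only adds the missing trailing newline and needs no comment.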
@@ -8,220 +8,220 @@ VERSION: 2.0.0 [CmdletBinding(SupportsShouldProcess)] param ( - [Parameter()] - [string] - $rootPath = "./infra-as-code/bicep/modules/policy", - [string] - $definitionsRoot = "definitions", - [string] - $definitionsPath = "lib/china/policy_definitions", - [string] - $definitionsLongPath = "$definitionsRoot/$definitionsPath", - [string] - $definitionsSetPath = "lib/china/policy_set_definitions", - [string] - $definitionsSetLongPath = "$definitionsRoot/$definitionsSetPath", - [string] - $assignmentsRoot = "assignments", - [string] - $assignmentsPath = "lib/china/policy_assignments", - [string] - $assignmentsLongPath = "$assignmentsRoot/$assignmentsPath", - [string] - $defintionsTxtFileName = "_mc_policyDefinitionsBicepInput.txt", - [string] - $defintionsSetTxtFileName = "_mc_policySetDefinitionsBicepInput.txt", - [string] - $assignmentsTxtFileName = "_mc_policyAssignmentsBicepInput.txt" + [Parameter()] + [string] + $rootPath = "./infra-as-code/bicep/modules/policy", + [string] + $definitionsRoot = "definitions", + [string] + $definitionsPath = "lib/china/policy_definitions", + [string] + $definitionsLongPath = "$definitionsRoot/$definitionsPath", + [string] + $definitionsSetPath = "lib/china/policy_set_definitions", + [string] + $definitionsSetLongPath = "$definitionsRoot/$definitionsSetPath", + [string] + $assignmentsRoot = "assignments", + [string] + $assignmentsPath = "lib/china/policy_assignments", + [string] + $assignmentsLongPath = "$assignmentsRoot/$assignmentsPath", + [string] + $defintionsTxtFileName = "_mc_policyDefinitionsBicepInput.txt", + [string] + $defintionsSetTxtFileName = "_mc_policySetDefinitionsBicepInput.txt", + [string] + $assignmentsTxtFileName = "_mc_policyAssignmentsBicepInput.txt" ) #region Policy Definitions function New-PolicyDefinitionsBicepInputTxtFile { - [CmdletBinding(SupportsShouldProcess)] - param() + [CmdletBinding(SupportsShouldProcess)] + param() - Write-Information "====> Creating/Emptying 
'$defintionsTxtFileName'" -InformationAction Continue - Set-Content -Path "$rootPath/$definitionsLongPath/$defintionsTxtFileName" -Value $null -Encoding "utf8" + Write-Information "====> Creating/Emptying '$defintionsTxtFileName'" -InformationAction Continue + Set-Content -Path "$rootPath/$definitionsLongPath/$defintionsTxtFileName" -Value $null -Encoding "utf8" - Write-Information "====> Looping Through Policy Definitions:" -InformationAction Continue - Get-ChildItem -Recurse -Path "$rootPath/$definitionsLongPath" -Filter "*.json" | ForEach-Object { - $policyDef = Get-Content $_.FullName | ConvertFrom-Json -Depth 100 + Write-Information "====> Looping Through Policy Definitions:" -InformationAction Continue + Get-ChildItem -Recurse -Path "$rootPath/$definitionsLongPath" -Filter "*.json" | ForEach-Object { + $policyDef = Get-Content $_.FullName | ConvertFrom-Json -Depth 100 - $policyDefinitionName = $policyDef.name - $fileName = $_.Name + $policyDefinitionName = $policyDef.name + $fileName = $_.Name - Write-Information "==> Adding '$policyDefinitionName' to '$PWD/$defintionsTxtFileName'" -InformationAction Continue - Add-Content -Path "$rootPath/$definitionsLongPath/$defintionsTxtFileName" -Encoding "utf8" -Value "{`r`n`tname: '$policyDefinitionName'`r`n`tlibDefinition: json(loadTextContent('$definitionsPath/$fileName'))`r`n}" - } + Write-Information "==> Adding '$policyDefinitionName' to '$PWD/$defintionsTxtFileName'" -InformationAction Continue + Add-Content -Path "$rootPath/$definitionsLongPath/$defintionsTxtFileName" -Encoding "utf8" -Value "{`r`n`tname: '$policyDefinitionName'`r`n`tlibDefinition: loadJsonContent('$definitionsPath/$fileName')`r`n}" + } - $policyDefCount = Get-ChildItem -Recurse -Path "$rootPath/$definitionsLongPath" -Filter "*.json" | Measure-Object - $policyDefCountString = $policyDefCount.Count - Write-Information "====> Policy Definitions Total: $policyDefCountString" -InformationAction Continue + $policyDefCount = Get-ChildItem -Recurse 
-Path "$rootPath/$definitionsLongPath" -Filter "*.json" | Measure-Object + $policyDefCountString = $policyDefCount.Count + Write-Information "====> Policy Definitions Total: $policyDefCountString" -InformationAction Continue } #endregion #region Policy Set Definitions function New-PolicySetDefinitionsBicepInputTxtFile { - [CmdletBinding(SupportsShouldProcess)] - param() - - Write-Information "====> Creating/Emptying '$defintionsSetTxtFileName'" -InformationAction Continue - Set-Content -Path "$rootPath/$definitionsSetLongPath/$defintionsSetTxtFileName" -Value $null -Encoding "utf8" - Add-Content -Path "$rootPath/$definitionsSetLongPath/$defintionsSetTxtFileName" -Value "var varCustomPolicySetDefinitionsArray = [" -Encoding "utf8" + [CmdletBinding(SupportsShouldProcess)] + param() - Write-Information "====> Looping Through Policy Set/Initiative Definition:" -InformationAction Continue + Write-Information "====> Creating/Emptying '$defintionsSetTxtFileName'" -InformationAction Continue + Set-Content -Path "$rootPath/$definitionsSetLongPath/$defintionsSetTxtFileName" -Value $null -Encoding "utf8" + Add-Content -Path "$rootPath/$definitionsSetLongPath/$defintionsSetTxtFileName" -Value "var varCustomPolicySetDefinitionsArray = [" -Encoding "utf8" - $policySetDefParamVarList = @() + Write-Information "====> Looping Through Policy Set/Initiative Definition:" -InformationAction Continue - Get-ChildItem -Recurse -Path "$rootPath/$definitionsSetLongPath" -Filter "*.json" -Exclude "*.parameters.json" | ForEach-Object { - $policyDef = Get-Content $_.FullName | ConvertFrom-Json -Depth 100 + $policySetDefParamVarList = @() - # Load child Policy Set/Initiative Definitions - $policyDefinitions = $policyDef.properties.policyDefinitions | Sort-Object -Property policyDefinitionReferenceId + Get-ChildItem -Recurse -Path "$rootPath/$definitionsSetLongPath" -Filter "*.json" -Exclude "*.parameters.json" | ForEach-Object { + $policyDef = Get-Content $_.FullName | ConvertFrom-Json -Depth 
100 - $policyDefinitionName = $policyDef.name - $fileName = $_.Name + # Load child Policy Set/Initiative Definitions + $policyDefinitions = $policyDef.properties.policyDefinitions | Sort-Object -Property policyDefinitionReferenceId - # Construct file name for Policy Set/Initiative Definitions parameters files - $parametersFileName = $fileName.Substring(0, $fileName.Length - 5) + ".parameters.json" + $policyDefinitionName = $policyDef.name + $fileName = $_.Name - # Create Policy Set/Initiative Definitions parameter file - Write-Information "==> Creating/Emptying '$parametersFileName'" -InformationAction Continue - Set-Content -Path "$rootPath/$definitionsSetLongPath/$parametersFileName" -Value $null -Encoding "utf8" + # Construct file name for Policy Set/Initiative Definitions parameters files + $parametersFileName = $fileName.Substring(0, $fileName.Length - 5) + ".parameters.json" - # Loop through all Policy Set/Initiative Definitions Child Definitions and create parameters file for each of them - [System.Collections.Hashtable]$definitionParametersOutputJSONObject = [ordered]@{} - $policyDefinitions | Sort-Object | ForEach-Object { - $definitionReferenceId = $_.policyDefinitionReferenceId - $definitionParameters = $_.parameters + # Create Policy Set/Initiative Definitions parameter file + Write-Information "==> Creating/Emptying '$parametersFileName'" -InformationAction Continue + Set-Content -Path "$rootPath/$definitionsSetLongPath/$parametersFileName" -Value $null -Encoding "utf8" - if ($definitionParameters) { - $definitionParameters | Sort-Object | ForEach-Object { - [System.Collections.Hashtable]$definitionParametersOutputArray = [ordered]@{} - $definitionParametersOutputArray.Add("parameters", $_) - } - } - else { - [System.Collections.Hashtable]$definitionParametersOutputArray = [ordered]@{} - $definitionParametersOutputArray.Add("parameters", @{}) - } + # Loop through all Policy Set/Initiative Definitions Child Definitions and create parameters file for 
each of them + [System.Collections.Hashtable]$definitionParametersOutputJSONObject = [ordered]@{} + $policyDefinitions | Sort-Object | ForEach-Object { + $definitionReferenceId = $_.policyDefinitionReferenceId + $definitionParameters = $_.parameters - $definitionParametersOutputJSONObject.Add("$definitionReferenceId", $definitionParametersOutputArray) - } - Write-Information "==> Adding parameters to '$parametersFileName'" -InformationAction Continue - Add-Content -Path "$rootPath/$definitionsSetLongPath/$parametersFileName" -Value ($definitionParametersOutputJSONObject | ConvertTo-Json -Depth 10) -Encoding "utf8" - - # Sort parameters file alphabetically to remove false git diffs - Write-Information "==> Sorting parameters file '$parametersFileName' alphabetically" -InformationAction Continue - $definitionParametersOutputJSONObjectSorted = New-Object PSCustomObject - Get-Content -Raw -Path "$rootPath/$definitionsSetLongPath/$parametersFileName" | ConvertFrom-Json -pv fromPipe -Depth 10 | - Get-Member -Type NoteProperty | Sort-Object Name | ForEach-Object { - Add-Member -InputObject $definitionParametersOutputJSONObjectSorted -Type NoteProperty -Name $_.Name -Value $fromPipe.$($_.Name) + if ($definitionParameters) { + $definitionParameters | Sort-Object | ForEach-Object { + [System.Collections.Hashtable]$definitionParametersOutputArray = [ordered]@{} + $definitionParametersOutputArray.Add("parameters", $_) } - Set-Content -Path "$rootPath/$definitionsSetLongPath/$parametersFileName" -Value ($definitionParametersOutputJSONObjectSorted | ConvertTo-Json -Depth 10) -Encoding "utf8" + } + else { + [System.Collections.Hashtable]$definitionParametersOutputArray = [ordered]@{} + $definitionParametersOutputArray.Add("parameters", @{}) + } - # Check if variable exists before trying to clear it - if ($policySetDefinitionsOutputForBicep) { - Clear-Variable -Name policySetDefinitionsOutputForBicep -ErrorAction Continue - } + 
$definitionParametersOutputJSONObject.Add("$definitionReferenceId", $definitionParametersOutputArray) + } + Write-Information "==> Adding parameters to '$parametersFileName'" -InformationAction Continue + Add-Content -Path "$rootPath/$definitionsSetLongPath/$parametersFileName" -Value ($definitionParametersOutputJSONObject | ConvertTo-Json -Depth 10) -Encoding "utf8" + + # Sort parameters file alphabetically to remove false git diffs + Write-Information "==> Sorting parameters file '$parametersFileName' alphabetically" -InformationAction Continue + $definitionParametersOutputJSONObjectSorted = New-Object PSCustomObject + Get-Content -Raw -Path "$rootPath/$definitionsSetLongPath/$parametersFileName" | ConvertFrom-Json -pv fromPipe -Depth 10 | + Get-Member -Type NoteProperty | Sort-Object Name | ForEach-Object { + Add-Member -InputObject $definitionParametersOutputJSONObjectSorted -Type NoteProperty -Name $_.Name -Value $fromPipe.$($_.Name) + } + Set-Content -Path "$rootPath/$definitionsSetLongPath/$parametersFileName" -Value ($definitionParametersOutputJSONObjectSorted | ConvertTo-Json -Depth 10) -Encoding "utf8" + + # Check if variable exists before trying to clear it + if ($policySetDefinitionsOutputForBicep) { + Clear-Variable -Name policySetDefinitionsOutputForBicep -ErrorAction Continue + } + + # Create HashTable variable + [System.Collections.Hashtable]$policySetDefinitionsOutputForBicep = [ordered]@{} - # Create HashTable variable - [System.Collections.Hashtable]$policySetDefinitionsOutputForBicep = [ordered]@{} + # Loop through child Policy Set/Initiative Definitions if HashTable not == 0 + if (($policyDefinitions.Count) -ne 0) { + $policyDefinitions | Sort-Object | ForEach-Object { + $policySetDefinitionsOutputForBicep.Add($_.policyDefinitionReferenceId, $_.policyDefinitionId) + } + } - # Loop through child Policy Set/Initiative Definitions if HashTable not == 0 - if (($policyDefinitions.Count) -ne 0) { - $policyDefinitions | Sort-Object | ForEach-Object { 
- $policySetDefinitionsOutputForBicep.Add($_.policyDefinitionReferenceId, $_.policyDefinitionId) - } + # Add Policy Set/Initiative Definition Parameter Variables to Bicep Input File + $policySetDefParamVarTrimJsonExt = $parametersFileName.TrimEnd("json").Replace('.', '_') + $policySetDefParamVarCreation = "var" + ($policySetDefParamVarTrimJsonExt -replace '(?:^|_|-)(\p{L})', { $_.Groups[1].Value.ToUpper() }).TrimEnd('_') + $policySetDefParamVar = "var " + $policySetDefParamVarCreation + " = " + "loadJsonContent('$definitionsSetPath/$parametersFileName')" + $policySetDefParamVarList += $policySetDefParamVar + + # Start output file creation of Policy Set/Initiative Definitions for Bicep + Write-Information "==> Adding '$policyDefinitionName' to '$PWD/$defintionsSetTxtFileName'" -InformationAction Continue + Add-Content -Path "$rootPath/$definitionsSetLongPath/$defintionsSetTxtFileName" -Encoding "utf8" -Value "`t{`r`n`t`tname: '$policyDefinitionName'`r`n`t`tlibSetDefinition: loadJsonContent('$definitionsSetPath/$fileName')`r`n`t`tlibSetChildDefinitions: [" + + # Loop through child Policy Set/Initiative Definitions for Bicep output if HashTable not == 0 + if (($policySetDefinitionsOutputForBicep.Count) -ne 0) { + $policySetDefinitionsOutputForBicep.Keys | Sort-Object | ForEach-Object { + $definitionReferenceId = $_ + $definitionReferenceIdForParameters = $_ + $definitionId = $($policySetDefinitionsOutputForBicep[$_]) + + # If definitionReferenceId or definitionReferenceIdForParameters contains apostrophes, replace that apostrophe with a backslash and an apostrohphe for Bicep string escaping + if ($definitionReferenceId.Contains("'")) { + $definitionReferenceId = $definitionReferenceId.Replace("'", "\'") } - # Add Policy Set/Initiative Definition Parameter Variables to Bicep Input File - $policySetDefParamVarTrimJsonExt = $parametersFileName.TrimEnd("json").Replace('.', '_') - $policySetDefParamVarCreation = "var" + ($policySetDefParamVarTrimJsonExt -replace 
'(?:^|_|-)(\p{L})', { $_.Groups[1].Value.ToUpper() }).TrimEnd('_') - $policySetDefParamVar = "var " + $policySetDefParamVarCreation + " = " + "loadJsonContent('$definitionsSetPath/$parametersFileName')" - $policySetDefParamVarList += $policySetDefParamVar - - # Start output file creation of Policy Set/Initiative Definitions for Bicep - Write-Information "==> Adding '$policyDefinitionName' to '$PWD/$defintionsSetTxtFileName'" -InformationAction Continue - Add-Content -Path "$rootPath/$definitionsSetLongPath/$defintionsSetTxtFileName" -Encoding "utf8" -Value "`t{`r`n`t`tname: '$policyDefinitionName'`r`n`t`tlibSetDefinition: json(loadTextContent('$definitionsSetPath/$fileName'))`r`n`t`tlibSetChildDefinitions: [" - - # Loop through child Policy Set/Initiative Definitions for Bicep output if HashTable not == 0 - if (($policySetDefinitionsOutputForBicep.Count) -ne 0) { - $policySetDefinitionsOutputForBicep.Keys | Sort-Object | ForEach-Object { - $definitionReferenceId = $_ - $definitionReferenceIdForParameters = $_ - $definitionId = $($policySetDefinitionsOutputForBicep[$_]) - - # If definitionReferenceId or definitionReferenceIdForParameters contains apostrophes, replace that apostrophe with a backslash and an apostrohphe for Bicep string escaping - if ($definitionReferenceId.Contains("'")) { - $definitionReferenceId = $definitionReferenceId.Replace("'", "\'") - } - - if ($definitionReferenceIdForParameters.Contains("'")) { - $definitionReferenceIdForParameters = $definitionReferenceIdForParameters.Replace("'", "\'") - } - - # If definitionReferenceId contains, then wrap in definitionReferenceId value in [] to comply with bicep formatting - if ($definitionReferenceIdForParameters.Contains("-") -or $definitionReferenceIdForParameters.Contains(" ") -or $definitionReferenceIdForParameters.Contains("\'")) { - $definitionReferenceIdForParameters = "['$definitionReferenceIdForParameters']" - - # Add nested array of objects to each Policy Set/Initiative Definition in the Bicep 
variable, without the '.' before the definitionReferenceId to make it an accessor - Add-Content -Path "$rootPath/$definitionsSetLongPath/$defintionsSetTxtFileName" -Encoding "utf8" -Value "`t`t`t{`r`n`t`t`t`tdefinitionReferenceId: '$definitionReferenceId'`r`n`t`t`t`tdefinitionId: '$definitionId'`r`n`t`t`t`tdefinitionParameters: $policySetDefParamVarCreation$definitionReferenceIdForParameters.parameters`r`n`t`t`t}" - } - else { - # Add nested array of objects to each Policy Set/Initiative Definition in the Bicep variable - Add-Content -Path "$rootPath/$definitionsSetLongPath/$defintionsSetTxtFileName" -Encoding "utf8" -Value "`t`t`t{`r`n`t`t`t`tdefinitionReferenceId: '$definitionReferenceId'`r`n`t`t`t`tdefinitionId: '$definitionId'`r`n`t`t`t`tdefinitionParameters: $policySetDefParamVarCreation.$definitionReferenceIdForParameters.parameters`r`n`t`t`t}" - } - } + if ($definitionReferenceIdForParameters.Contains("'")) { + $definitionReferenceIdForParameters = $definitionReferenceIdForParameters.Replace("'", "\'") } - # Finish output file creation of Policy Set/Initiative Definitions for Bicep - Add-Content -Path "$rootPath/$definitionsSetLongPath/$defintionsSetTxtFileName" -Encoding "utf8" -Value "`t`t]`r`n`t}" + # If definitionReferenceId contains, then wrap in definitionReferenceId value in [] to comply with bicep formatting + if ($definitionReferenceIdForParameters.Contains("-") -or $definitionReferenceIdForParameters.Contains(" ") -or $definitionReferenceIdForParameters.Contains("\'")) { + $definitionReferenceIdForParameters = "['$definitionReferenceIdForParameters']" + # Add nested array of objects to each Policy Set/Initiative Definition in the Bicep variable, without the '.' 
before the definitionReferenceId to make it an accessor + Add-Content -Path "$rootPath/$definitionsSetLongPath/$defintionsSetTxtFileName" -Encoding "utf8" -Value "`t`t`t{`r`n`t`t`t`tdefinitionReferenceId: '$definitionReferenceId'`r`n`t`t`t`tdefinitionId: '$definitionId'`r`n`t`t`t`tdefinitionParameters: $policySetDefParamVarCreation$definitionReferenceIdForParameters.parameters`r`n`t`t`t}" + } + else { + # Add nested array of objects to each Policy Set/Initiative Definition in the Bicep variable + Add-Content -Path "$rootPath/$definitionsSetLongPath/$defintionsSetTxtFileName" -Encoding "utf8" -Value "`t`t`t{`r`n`t`t`t`tdefinitionReferenceId: '$definitionReferenceId'`r`n`t`t`t`tdefinitionId: '$definitionId'`r`n`t`t`t`tdefinitionParameters: $policySetDefParamVarCreation.$definitionReferenceIdForParameters.parameters`r`n`t`t`t}" + } + } } - Add-Content -Path "$rootPath/$definitionsSetLongPath/$defintionsSetTxtFileName" -Encoding "utf8" -Value "]`r`n" - # Add Policy Set/Initiative Definition Parameter Variables to Bicep Input File - Add-Content -Path "$rootPath/$definitionsSetLongPath/$defintionsSetTxtFileName" -Encoding "utf8" -Value "`r`n// Policy Set/Initiative Definition Parameter Variables`r`n" - $policySetDefParamVarList | ForEach-Object { - Add-Content -Path "$rootPath/$definitionsSetLongPath/$defintionsSetTxtFileName" -Encoding "utf8" -Value "$_`r`n" - } + # Finish output file creation of Policy Set/Initiative Definitions for Bicep + Add-Content -Path "$rootPath/$definitionsSetLongPath/$defintionsSetTxtFileName" -Encoding "utf8" -Value "`t`t]`r`n`t}" + + } + Add-Content -Path "$rootPath/$definitionsSetLongPath/$defintionsSetTxtFileName" -Encoding "utf8" -Value "]`r`n" - $policyDefCount = Get-ChildItem -Recurse -Path "$rootPath/$definitionsSetLongPath" -Filter "*.json" -Exclude "*.parameters.json" | Measure-Object - $policyDefCountString = $policyDefCount.Count - Write-Information "====> Policy Set/Initiative Definitions Total: $policyDefCountString" 
-InformationAction Continue + # Add Policy Set/Initiative Definition Parameter Variables to Bicep Input File + Add-Content -Path "$rootPath/$definitionsSetLongPath/$defintionsSetTxtFileName" -Encoding "utf8" -Value "`r`n// Policy Set/Initiative Definition Parameter Variables`r`n" + $policySetDefParamVarList | ForEach-Object { + Add-Content -Path "$rootPath/$definitionsSetLongPath/$defintionsSetTxtFileName" -Encoding "utf8" -Value "$_`r`n" + } + + $policyDefCount = Get-ChildItem -Recurse -Path "$rootPath/$definitionsSetLongPath" -Filter "*.json" -Exclude "*.parameters.json" | Measure-Object + $policyDefCountString = $policyDefCount.Count + Write-Information "====> Policy Set/Initiative Definitions Total: $policyDefCountString" -InformationAction Continue } #endregion #region # # Policy Asssignmts - separaee policy asnignments for Azure China due to different policy definitions - missing built-in policies, and featurests - separate policy assignments for Azure China due to different policy definitions - missing built-in policies, and features function New-PolicyAssignmentsBicepInputTxtFile { - [CmdletBinding(SupportsShouldProcess)] - param() + [CmdletBinding(SupportsShouldProcess)] + param() - Write-Information "====> Creating/Emptying '$assignmentsTxtFileName '" -InformationAction Continue - Set-Content -Path "$rootPath/$assignmentsLongPath/$assignmentsTxtFileName" -Value $null -Encoding "utf8" + Write-Information "====> Creating/Emptying '$assignmentsTxtFileName '" -InformationAction Continue + Set-Content -Path "$rootPath/$assignmentsLongPath/$assignmentsTxtFileName" -Value $null -Encoding "utf8" - Write-Information "====> Looping Through Policy Assignments:" -InformationAction Continue - Get-ChildItem -Recurse -Path "$rootPath/$assignmentsLongPath" -Filter "*.json" | ForEach-Object { - $policyAssignment = Get-Content $_.FullName | ConvertFrom-Json -Depth 100 + Write-Information "====> Looping Through Policy Assignments:" -InformationAction Continue + 
Get-ChildItem -Recurse -Path "$rootPath/$assignmentsLongPath" -Filter "*.json" | ForEach-Object { + $policyAssignment = Get-Content $_.FullName | ConvertFrom-Json -Depth 100 - $policyAssignmentName = $policyAssignment.name - $policyAssignmentDefinitionID = $policyAssignment.properties.policyDefinitionId - $fileName = $_.Name + $policyAssignmentName = $policyAssignment.name + $policyAssignmentDefinitionID = $policyAssignment.properties.policyDefinitionId + $fileName = $_.Name - # Remove hyphens from Policy Assignment Name - $policyAssignmentNameNoHyphens = $policyAssignmentName.replace("-", "") + # Remove hyphens from Policy Assignment Name + $policyAssignmentNameNoHyphens = $policyAssignmentName.replace("-", "") - Write-Information "==> Adding '$policyAssignmentName' to '$PWD/$assignmentsTxtFileName'" -InformationAction Continue - Add-Content -Path "$rootPath/$assignmentsLongPath/$assignmentsTxtFileName" -Encoding "utf8" -Value "var varPolicyAssignment$policyAssignmentNameNoHyphens = {`r`n`tdefinitionId: '$policyAssignmentDefinitionID'`r`n`tlibDefinition: json(loadTextContent('../../policy/$assignmentsLongPath/$fileName'))`r`n}`r`n" - } + Write-Information "==> Adding '$policyAssignmentName' to '$PWD/$assignmentsTxtFileName'" -InformationAction Continue + Add-Content -Path "$rootPath/$assignmentsLongPath/$assignmentsTxtFileName" -Encoding "utf8" -Value "var varPolicyAssignment$policyAssignmentNameNoHyphens = {`r`n`tdefinitionId: '$policyAssignmentDefinitionID'`r`n`tlibDefinition: loadJsonContent('../../policy/$assignmentsLongPath/$fileName')`r`n}`r`n" + } - $policyAssignmentCount = Get-ChildItem -Recurse -Path "$rootPath/$assignmentsLongPath" -Filter "*.json" | Measure-Object - $policyAssignmentCountString = $policyAssignmentCount.Count - Write-Information "====> Policy Assignments Total: $policyAssignmentCountString" -InformationAction Continue + $policyAssignmentCount = Get-ChildItem -Recurse -Path "$rootPath/$assignmentsLongPath" -Filter "*.json" | 
Measure-Object + $policyAssignmentCountString = $policyAssignmentCount.Count + Write-Information "====> Policy Assignments Total: $policyAssignmentCountString" -InformationAction Continue } #endregion New-PolicyDefinitionsBicepInputTxtFile New-PolicySetDefinitionsBicepInputTxtFile -New-PolicyAssignmentsBicepInputTxtFile \ No newline at end of file +New-PolicyAssignmentsBicepInputTxtFile diff --git a/.github/scripts/Invoke-PolicyToBicep.ps1 b/.github/scripts/Invoke-PolicyToBicep.ps1 index ccd2a8ace..acb28dccd 100644 --- a/.github/scripts/Invoke-PolicyToBicep.ps1 +++ b/.github/scripts/Invoke-PolicyToBicep.ps1 
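Review bot: In New-PolicySetDefinitionsBicepInputTxtFile the generated Bicep escapes apostrophes in `$definitionReferenceId` via `.Replace("'", "\'")`, but the same Add-Content strings interpolate `$policyDefinitionName` into `name: '...'` and `$definitionId` into `definitionId: '...'` unescaped, and New-PolicyDefinitionsBicepInputTxtFile and New-PolicyAssignmentsBicepInputTxtFile do the same with `$policyDefinitionName` and `$policyAssignmentDefinitionID`. A value containing `'` would therefore yield a Bicep input file that does not parse, and the script would not notice because it only counts files afterwards. Applying the same replacement at assignment time, e.g. `$policyDefinitionName = $policyDef.name.Replace("'", "\'")`, makes the escaping consistent; the inputs are the repository's own lib JSON, so this is a generation-correctness point rather than an injection one. The same pattern is present in the Invoke-PolicyToBicep.ps1 hunk that follows, which runs past the end of this view. Minor: the log line `"====> Creating/Emptying '$assignmentsTxtFileName '"` has a stray space before the closing quote.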
@@ -4,224 +4,224 @@ DESCRIPTION: This PowerShell script outputs the Name & Path to a Bicep structure AUTHOR/S: jtracey93, seseicht VERSION: 2.0.0 #> -[Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSReviewUnusedParameter", "", Justification="False Positive")] +[Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSReviewUnusedParameter", "", Justification = "False Positive")] [CmdletBinding(SupportsShouldProcess)] param ( - [Parameter()] - [string] - $rootPath = "./infra-as-code/bicep/modules/policy", - [string] - $definitionsRoot = "definitions", - [string] - $definitionsPath = "lib/policy_definitions", - [string] - $definitionsLongPath = "$definitionsRoot/$definitionsPath", - [string] - $definitionsSetPath = "lib/policy_set_definitions", - [string] - $definitionsSetLongPath = "$definitionsRoot/$definitionsSetPath", - [string] - $assignmentsRoot = "assignments", - [string] - $assignmentsPath = "lib/policy_assignments", - [string] - $assignmentsLongPath = "$assignmentsRoot/$assignmentsPath", - [string] - $defintionsTxtFileName = "_policyDefinitionsBicepInput.txt", - [string] - $defintionsSetTxtFileName = "_policySetDefinitionsBicepInput.txt", - [string] - $assignmentsTxtFileName = "_policyAssignmentsBicepInput.txt" + [Parameter()] + [string] + $rootPath = "./infra-as-code/bicep/modules/policy", + [string] + $definitionsRoot = "definitions", + [string] + $definitionsPath = "lib/policy_definitions", + [string] + $definitionsLongPath = "$definitionsRoot/$definitionsPath", + [string] + $definitionsSetPath = "lib/policy_set_definitions", + [string] + $definitionsSetLongPath = "$definitionsRoot/$definitionsSetPath", + [string] + $assignmentsRoot = "assignments", + [string] + $assignmentsPath = "lib/policy_assignments", + [string] + $assignmentsLongPath = "$assignmentsRoot/$assignmentsPath", + [string] + $defintionsTxtFileName = "_policyDefinitionsBicepInput.txt", + [string] + $defintionsSetTxtFileName = "_policySetDefinitionsBicepInput.txt", + [string] + 
$assignmentsTxtFileName = "_policyAssignmentsBicepInput.txt" ) #region Policy Definitions function New-PolicyDefinitionsBicepInputTxtFile { - [CmdletBinding(SupportsShouldProcess)] - param() + [CmdletBinding(SupportsShouldProcess)] + param() - Write-Information "====> Creating/Emptying '$defintionsTxtFileName'" -InformationAction Continue - Set-Content -Path "$rootPath/$definitionsLongPath/$defintionsTxtFileName" -Value $null -Encoding "utf8" + Write-Information "====> Creating/Emptying '$defintionsTxtFileName'" -InformationAction Continue + Set-Content -Path "$rootPath/$definitionsLongPath/$defintionsTxtFileName" -Value $null -Encoding "utf8" - Write-Information "====> Looping Through Policy Definitions:" -InformationAction Continue - Get-ChildItem -Recurse -Path "$rootPath/$definitionsLongPath" -Filter "*.json" | ForEach-Object { - $policyDef = Get-Content $_.FullName | ConvertFrom-Json -Depth 100 + Write-Information "====> Looping Through Policy Definitions:" -InformationAction Continue + Get-ChildItem -Recurse -Path "$rootPath/$definitionsLongPath" -Filter "*.json" | ForEach-Object { + $policyDef = Get-Content $_.FullName | ConvertFrom-Json -Depth 100 - $policyDefinitionName = $policyDef.name - $fileName = $_.Name + $policyDefinitionName = $policyDef.name + $fileName = $_.Name - Write-Information "==> Adding '$policyDefinitionName' to '$PWD/$defintionsTxtFileName'" -InformationAction Continue - Add-Content -Path "$rootPath/$definitionsLongPath/$defintionsTxtFileName" -Encoding "utf8" -Value "{`r`n`tname: '$policyDefinitionName'`r`n`tlibDefinition: json(loadTextContent('$definitionsPath/$fileName'))`r`n}" - } + Write-Information "==> Adding '$policyDefinitionName' to '$PWD/$defintionsTxtFileName'" -InformationAction Continue + Add-Content -Path "$rootPath/$definitionsLongPath/$defintionsTxtFileName" -Encoding "utf8" -Value "{`r`n`tname: '$policyDefinitionName'`r`n`tlibDefinition: loadJsonContent('$definitionsPath/$fileName')`r`n}" + } - $policyDefCount = 
Get-ChildItem -Recurse -Path "$rootPath/$definitionsLongPath" -Filter "*.json" | Measure-Object - $policyDefCountString = $policyDefCount.Count - Write-Information "====> Policy Definitions Total: $policyDefCountString" -InformationAction Continue + $policyDefCount = Get-ChildItem -Recurse -Path "$rootPath/$definitionsLongPath" -Filter "*.json" | Measure-Object + $policyDefCountString = $policyDefCount.Count + Write-Information "====> Policy Definitions Total: $policyDefCountString" -InformationAction Continue } #endregion #region Policy Set Definitions function New-PolicySetDefinitionsBicepInputTxtFile { - [CmdletBinding(SupportsShouldProcess)] - param() - - Write-Information "====> Creating/Emptying '$defintionsSetTxtFileName'" -InformationAction Continue - Set-Content -Path "$rootPath/$definitionsSetLongPath/$defintionsSetTxtFileName" -Value $null -Encoding "utf8" - Add-Content -Path "$rootPath/$definitionsSetLongPath/$defintionsSetTxtFileName" -Value "var varCustomPolicySetDefinitionsArray = [" -Encoding "utf8" + [CmdletBinding(SupportsShouldProcess)] + param() - Write-Information "====> Looping Through Policy Set/Initiative Definition:" -InformationAction Continue + Write-Information "====> Creating/Emptying '$defintionsSetTxtFileName'" -InformationAction Continue + Set-Content -Path "$rootPath/$definitionsSetLongPath/$defintionsSetTxtFileName" -Value $null -Encoding "utf8" + Add-Content -Path "$rootPath/$definitionsSetLongPath/$defintionsSetTxtFileName" -Value "var varCustomPolicySetDefinitionsArray = [" -Encoding "utf8" - $policySetDefParamVarList = @() + Write-Information "====> Looping Through Policy Set/Initiative Definition:" -InformationAction Continue - Get-ChildItem -Recurse -Path "$rootPath/$definitionsSetLongPath" -Filter "*.json" -Exclude "*.parameters.json" | ForEach-Object { - $policyDef = Get-Content $_.FullName | ConvertFrom-Json -Depth 100 + $policySetDefParamVarList = @() - # Load child Policy Set/Initiative Definitions - $policyDefinitions = 
$policyDef.properties.policyDefinitions | Sort-Object -Property policyDefinitionReferenceId + Get-ChildItem -Recurse -Path "$rootPath/$definitionsSetLongPath" -Filter "*.json" -Exclude "*.parameters.json" | ForEach-Object { + $policyDef = Get-Content $_.FullName | ConvertFrom-Json -Depth 100 - $policyDefinitionName = $policyDef.name - $fileName = $_.Name + # Load child Policy Set/Initiative Definitions + $policyDefinitions = $policyDef.properties.policyDefinitions | Sort-Object -Property policyDefinitionReferenceId - # Construct file name for Policy Set/Initiative Definitions parameters files - $parametersFileName = $fileName.Substring(0, $fileName.Length - 5) + ".parameters.json" + $policyDefinitionName = $policyDef.name + $fileName = $_.Name - # Create Policy Set/Initiative Definitions parameter file - Write-Information "==> Creating/Emptying '$parametersFileName'" -InformationAction Continue - Set-Content -Path "$rootPath/$definitionsSetLongPath/$parametersFileName" -Value $null -Encoding "utf8" + # Construct file name for Policy Set/Initiative Definitions parameters files + $parametersFileName = $fileName.Substring(0, $fileName.Length - 5) + ".parameters.json" - # Loop through all Policy Set/Initiative Definitions Child Definitions and create parameters file for each of them - [System.Collections.Hashtable]$definitionParametersOutputJSONObject = [ordered]@{} - $policyDefinitions | Sort-Object | ForEach-Object { - $definitionReferenceId = $_.policyDefinitionReferenceId - $definitionParameters = $_.parameters + # Create Policy Set/Initiative Definitions parameter file + Write-Information "==> Creating/Emptying '$parametersFileName'" -InformationAction Continue + Set-Content -Path "$rootPath/$definitionsSetLongPath/$parametersFileName" -Value $null -Encoding "utf8" - if ($definitionParameters) { - $definitionParameters | Sort-Object | ForEach-Object { - [System.Collections.Hashtable]$definitionParametersOutputArray = [ordered]@{} - 
$definitionParametersOutputArray.Add("parameters", $_) - } - } - else { - [System.Collections.Hashtable]$definitionParametersOutputArray = [ordered]@{} - $definitionParametersOutputArray.Add("parameters", @{}) - } + # Loop through all Policy Set/Initiative Definitions Child Definitions and create parameters file for each of them + [System.Collections.Hashtable]$definitionParametersOutputJSONObject = [ordered]@{} + $policyDefinitions | Sort-Object | ForEach-Object { + $definitionReferenceId = $_.policyDefinitionReferenceId + $definitionParameters = $_.parameters - $definitionParametersOutputJSONObject.Add("$definitionReferenceId", $definitionParametersOutputArray) - } - Write-Information "==> Adding parameters to '$parametersFileName'" -InformationAction Continue - Add-Content -Path "$rootPath/$definitionsSetLongPath/$parametersFileName" -Value ($definitionParametersOutputJSONObject | ConvertTo-Json -Depth 10) -Encoding "utf8" - - # Sort parameters file alphabetically to remove false git diffs - Write-Information "==> Sorting parameters file '$parametersFileName' alphabetically" -InformationAction Continue - $definitionParametersOutputJSONObjectSorted = New-Object PSCustomObject - Get-Content -Raw -Path "$rootPath/$definitionsSetLongPath/$parametersFileName" | ConvertFrom-Json -pv fromPipe -Depth 10 | - Get-Member -Type NoteProperty | Sort-Object Name | ForEach-Object { - Add-Member -InputObject $definitionParametersOutputJSONObjectSorted -Type NoteProperty -Name $_.Name -Value $fromPipe.$($_.Name) + if ($definitionParameters) { + $definitionParameters | Sort-Object | ForEach-Object { + [System.Collections.Hashtable]$definitionParametersOutputArray = [ordered]@{} + $definitionParametersOutputArray.Add("parameters", $_) } - Set-Content -Path "$rootPath/$definitionsSetLongPath/$parametersFileName" -Value ($definitionParametersOutputJSONObjectSorted | ConvertTo-Json -Depth 10) -Encoding "utf8" + } + else { + 
[System.Collections.Hashtable]$definitionParametersOutputArray = [ordered]@{} + $definitionParametersOutputArray.Add("parameters", @{}) + } - # Check if variable exists before trying to clear it - if ($policySetDefinitionsOutputForBicep) { - Clear-Variable -Name policySetDefinitionsOutputForBicep -ErrorAction Continue - } + $definitionParametersOutputJSONObject.Add("$definitionReferenceId", $definitionParametersOutputArray) + } + Write-Information "==> Adding parameters to '$parametersFileName'" -InformationAction Continue + Add-Content -Path "$rootPath/$definitionsSetLongPath/$parametersFileName" -Value ($definitionParametersOutputJSONObject | ConvertTo-Json -Depth 10) -Encoding "utf8" + + # Sort parameters file alphabetically to remove false git diffs + Write-Information "==> Sorting parameters file '$parametersFileName' alphabetically" -InformationAction Continue + $definitionParametersOutputJSONObjectSorted = New-Object PSCustomObject + Get-Content -Raw -Path "$rootPath/$definitionsSetLongPath/$parametersFileName" | ConvertFrom-Json -pv fromPipe -Depth 10 | + Get-Member -Type NoteProperty | Sort-Object Name | ForEach-Object { + Add-Member -InputObject $definitionParametersOutputJSONObjectSorted -Type NoteProperty -Name $_.Name -Value $fromPipe.$($_.Name) + } + Set-Content -Path "$rootPath/$definitionsSetLongPath/$parametersFileName" -Value ($definitionParametersOutputJSONObjectSorted | ConvertTo-Json -Depth 10) -Encoding "utf8" + + # Check if variable exists before trying to clear it + if ($policySetDefinitionsOutputForBicep) { + Clear-Variable -Name policySetDefinitionsOutputForBicep -ErrorAction Continue + } + + # Create HashTable variable + [System.Collections.Hashtable]$policySetDefinitionsOutputForBicep = [ordered]@{} - # Create HashTable variable - [System.Collections.Hashtable]$policySetDefinitionsOutputForBicep = [ordered]@{} + # Loop through child Policy Set/Initiative Definitions if HashTable not == 0 + if (($policyDefinitions.Count) -ne 0) { + 
$policyDefinitions | Sort-Object | ForEach-Object { + $policySetDefinitionsOutputForBicep.Add($_.policyDefinitionReferenceId, $_.policyDefinitionId) + } + } - # Loop through child Policy Set/Initiative Definitions if HashTable not == 0 - if (($policyDefinitions.Count) -ne 0) { - $policyDefinitions | Sort-Object | ForEach-Object { - $policySetDefinitionsOutputForBicep.Add($_.policyDefinitionReferenceId, $_.policyDefinitionId) - } + # Add Policy Set/Initiative Definition Parameter Variables to Bicep Input File + $policySetDefParamVarTrimJsonExt = $parametersFileName.TrimEnd("json").Replace('.', '_') + $policySetDefParamVarCreation = "var" + ($policySetDefParamVarTrimJsonExt -replace '(?:^|_|-)(\p{L})', { $_.Groups[1].Value.ToUpper() }).TrimEnd('_') + $policySetDefParamVar = "var " + $policySetDefParamVarCreation + " = " + "loadJsonContent('$definitionsSetPath/$parametersFileName')" + $policySetDefParamVarList += $policySetDefParamVar + + # Start output file creation of Policy Set/Initiative Definitions for Bicep + Write-Information "==> Adding '$policyDefinitionName' to '$PWD/$defintionsSetTxtFileName'" -InformationAction Continue + Add-Content -Path "$rootPath/$definitionsSetLongPath/$defintionsSetTxtFileName" -Encoding "utf8" -Value "`t{`r`n`t`tname: '$policyDefinitionName'`r`n`t`tlibSetDefinition: loadJsonContent('$definitionsSetPath/$fileName')`r`n`t`tlibSetChildDefinitions: [" + + # Loop through child Policy Set/Initiative Definitions for Bicep output if HashTable not == 0 + if (($policySetDefinitionsOutputForBicep.Count) -ne 0) { + $policySetDefinitionsOutputForBicep.Keys | Sort-Object | ForEach-Object { + $definitionReferenceId = $_ + $definitionReferenceIdForParameters = $_ + $definitionId = $($policySetDefinitionsOutputForBicep[$_]) + + # If definitionReferenceId or definitionReferenceIdForParameters contains apostrophes, replace that apostrophe with a backslash and an apostrohphe for Bicep string escaping + if ($definitionReferenceId.Contains("'")) { + 
$definitionReferenceId = $definitionReferenceId.Replace("'", "\'") } - # Add Policy Set/Initiative Definition Parameter Variables to Bicep Input File - $policySetDefParamVarTrimJsonExt = $parametersFileName.TrimEnd("json").Replace('.', '_') - $policySetDefParamVarCreation = "var" + ($policySetDefParamVarTrimJsonExt -replace '(?:^|_|-)(\p{L})', { $_.Groups[1].Value.ToUpper() }).TrimEnd('_') - $policySetDefParamVar = "var " + $policySetDefParamVarCreation + " = " + "loadJsonContent('$definitionsSetPath/$parametersFileName')" - $policySetDefParamVarList += $policySetDefParamVar - - # Start output file creation of Policy Set/Initiative Definitions for Bicep - Write-Information "==> Adding '$policyDefinitionName' to '$PWD/$defintionsSetTxtFileName'" -InformationAction Continue - Add-Content -Path "$rootPath/$definitionsSetLongPath/$defintionsSetTxtFileName" -Encoding "utf8" -Value "`t{`r`n`t`tname: '$policyDefinitionName'`r`n`t`tlibSetDefinition: json(loadTextContent('$definitionsSetPath/$fileName'))`r`n`t`tlibSetChildDefinitions: [" - - # Loop through child Policy Set/Initiative Definitions for Bicep output if HashTable not == 0 - if (($policySetDefinitionsOutputForBicep.Count) -ne 0) { - $policySetDefinitionsOutputForBicep.Keys | Sort-Object | ForEach-Object { - $definitionReferenceId = $_ - $definitionReferenceIdForParameters = $_ - $definitionId = $($policySetDefinitionsOutputForBicep[$_]) - - # If definitionReferenceId or definitionReferenceIdForParameters contains apostrophes, replace that apostrophe with a backslash and an apostrohphe for Bicep string escaping - if ($definitionReferenceId.Contains("'")) { - $definitionReferenceId = $definitionReferenceId.Replace("'", "\'") - } - - if ($definitionReferenceIdForParameters.Contains("'")) { - $definitionReferenceIdForParameters = $definitionReferenceIdForParameters.Replace("'", "\'") - } - - # If definitionReferenceId contains, then wrap in definitionReferenceId value in [] to comply with bicep formatting - if 
($definitionReferenceIdForParameters.Contains("-") -or $definitionReferenceIdForParameters.Contains(" ") -or $definitionReferenceIdForParameters.Contains("\'") -or $definitionReferenceIdForParameters -match '^[0-9].+') { - $definitionReferenceIdForParameters = "['$definitionReferenceIdForParameters']" - - # Add nested array of objects to each Policy Set/Initiative Definition in the Bicep variable, without the '.' before the definitionReferenceId to make it an accessor - Add-Content -Path "$rootPath/$definitionsSetLongPath/$defintionsSetTxtFileName" -Encoding "utf8" -Value "`t`t`t{`r`n`t`t`t`tdefinitionReferenceId: '$definitionReferenceId'`r`n`t`t`t`tdefinitionId: '$definitionId'`r`n`t`t`t`tdefinitionParameters: $policySetDefParamVarCreation$definitionReferenceIdForParameters.parameters`r`n`t`t`t}" - } - else { - # Add nested array of objects to each Policy Set/Initiative Definition in the Bicep variable - Add-Content -Path "$rootPath/$definitionsSetLongPath/$defintionsSetTxtFileName" -Encoding "utf8" -Value "`t`t`t{`r`n`t`t`t`tdefinitionReferenceId: '$definitionReferenceId'`r`n`t`t`t`tdefinitionId: '$definitionId'`r`n`t`t`t`tdefinitionParameters: $policySetDefParamVarCreation.$definitionReferenceIdForParameters.parameters`r`n`t`t`t}" - } - } + if ($definitionReferenceIdForParameters.Contains("'")) { + $definitionReferenceIdForParameters = $definitionReferenceIdForParameters.Replace("'", "\'") } - # Finish output file creation of Policy Set/Initiative Definitions for Bicep - Add-Content -Path "$rootPath/$definitionsSetLongPath/$defintionsSetTxtFileName" -Encoding "utf8" -Value "`t`t]`r`n`t}" + # If definitionReferenceId contains, then wrap in definitionReferenceId value in [] to comply with bicep formatting + if ($definitionReferenceIdForParameters.Contains("-") -or $definitionReferenceIdForParameters.Contains(" ") -or $definitionReferenceIdForParameters.Contains("\'") -or $definitionReferenceIdForParameters -match '^[0-9].+') { + $definitionReferenceIdForParameters 
= "['$definitionReferenceIdForParameters']" + # Add nested array of objects to each Policy Set/Initiative Definition in the Bicep variable, without the '.' before the definitionReferenceId to make it an accessor + Add-Content -Path "$rootPath/$definitionsSetLongPath/$defintionsSetTxtFileName" -Encoding "utf8" -Value "`t`t`t{`r`n`t`t`t`tdefinitionReferenceId: '$definitionReferenceId'`r`n`t`t`t`tdefinitionId: '$definitionId'`r`n`t`t`t`tdefinitionParameters: $policySetDefParamVarCreation$definitionReferenceIdForParameters.parameters`r`n`t`t`t}" + } + else { + # Add nested array of objects to each Policy Set/Initiative Definition in the Bicep variable + Add-Content -Path "$rootPath/$definitionsSetLongPath/$defintionsSetTxtFileName" -Encoding "utf8" -Value "`t`t`t{`r`n`t`t`t`tdefinitionReferenceId: '$definitionReferenceId'`r`n`t`t`t`tdefinitionId: '$definitionId'`r`n`t`t`t`tdefinitionParameters: $policySetDefParamVarCreation.$definitionReferenceIdForParameters.parameters`r`n`t`t`t}" + } + } } - Add-Content -Path "$rootPath/$definitionsSetLongPath/$defintionsSetTxtFileName" -Encoding "utf8" -Value "]`r`n" - # Add Policy Set/Initiative Definition Parameter Variables to Bicep Input File - Add-Content -Path "$rootPath/$definitionsSetLongPath/$defintionsSetTxtFileName" -Encoding "utf8" -Value "`r`n// Policy Set/Initiative Definition Parameter Variables`r`n" - $policySetDefParamVarList | ForEach-Object { - Add-Content -Path "$rootPath/$definitionsSetLongPath/$defintionsSetTxtFileName" -Encoding "utf8" -Value "$_`r`n" - } + # Finish output file creation of Policy Set/Initiative Definitions for Bicep + Add-Content -Path "$rootPath/$definitionsSetLongPath/$defintionsSetTxtFileName" -Encoding "utf8" -Value "`t`t]`r`n`t}" + + } + Add-Content -Path "$rootPath/$definitionsSetLongPath/$defintionsSetTxtFileName" -Encoding "utf8" -Value "]`r`n" - $policyDefCount = Get-ChildItem -Recurse -Path "$rootPath/$definitionsSetLongPath" -Filter "*.json" -Exclude "*.parameters.json" | 
Measure-Object - $policyDefCountString = $policyDefCount.Count - Write-Information "====> Policy Set/Initiative Definitions Total: $policyDefCountString" -InformationAction Continue + # Add Policy Set/Initiative Definition Parameter Variables to Bicep Input File + Add-Content -Path "$rootPath/$definitionsSetLongPath/$defintionsSetTxtFileName" -Encoding "utf8" -Value "`r`n// Policy Set/Initiative Definition Parameter Variables`r`n" + $policySetDefParamVarList | ForEach-Object { + Add-Content -Path "$rootPath/$definitionsSetLongPath/$defintionsSetTxtFileName" -Encoding "utf8" -Value "$_`r`n" + } + + $policyDefCount = Get-ChildItem -Recurse -Path "$rootPath/$definitionsSetLongPath" -Filter "*.json" -Exclude "*.parameters.json" | Measure-Object + $policyDefCountString = $policyDefCount.Count + Write-Information "====> Policy Set/Initiative Definitions Total: $policyDefCountString" -InformationAction Continue } #endregion #region Policy Asssignments function New-PolicyAssignmentsBicepInputTxtFile { - [CmdletBinding(SupportsShouldProcess)] - param() + [CmdletBinding(SupportsShouldProcess)] + param() - Write-Information "====> Creating/Emptying '$assignmentsTxtFileName'" -InformationAction Continue - Set-Content -Path "$rootPath/$assignmentsLongPath/$assignmentsTxtFileName" -Value $null -Encoding "utf8" + Write-Information "====> Creating/Emptying '$assignmentsTxtFileName'" -InformationAction Continue + Set-Content -Path "$rootPath/$assignmentsLongPath/$assignmentsTxtFileName" -Value $null -Encoding "utf8" - Write-Information "====> Looping Through Policy Assignments:" -InformationAction Continue - Get-ChildItem -Recurse -Path "$rootPath/$assignmentsLongPath" -Filter "*.json" | ForEach-Object { - $policyAssignment = Get-Content $_.FullName | ConvertFrom-Json -Depth 100 + Write-Information "====> Looping Through Policy Assignments:" -InformationAction Continue + Get-ChildItem -Recurse -Path "$rootPath/$assignmentsLongPath" -Filter "*.json" | ForEach-Object { + 
$policyAssignment = Get-Content $_.FullName | ConvertFrom-Json -Depth 100 - $policyAssignmentName = $policyAssignment.name - $policyAssignmentDefinitionID = $policyAssignment.properties.policyDefinitionId - $fileName = $_.Name + $policyAssignmentName = $policyAssignment.name + $policyAssignmentDefinitionID = $policyAssignment.properties.policyDefinitionId + $fileName = $_.Name - # Remove hyphens from Policy Assignment Name - $policyAssignmentNameNoHyphens = $policyAssignmentName.replace("-", "") + # Remove hyphens from Policy Assignment Name + $policyAssignmentNameNoHyphens = $policyAssignmentName.replace("-", "") - Write-Information "==> Adding '$policyAssignmentName' to '$PWD/$assignmentsTxtFileName'" -InformationAction Continue - Add-Content -Path "$rootPath/$assignmentsLongPath/$assignmentsTxtFileName" -Encoding "utf8" -Value "var varPolicyAssignment$policyAssignmentNameNoHyphens = {`r`n`tdefinitionId: '$policyAssignmentDefinitionID'`r`n`tlibDefinition: json(loadTextContent('../../policy/$assignmentsLongPath/$fileName'))`r`n}`r`n" - } + Write-Information "==> Adding '$policyAssignmentName' to '$PWD/$assignmentsTxtFileName'" -InformationAction Continue + Add-Content -Path "$rootPath/$assignmentsLongPath/$assignmentsTxtFileName" -Encoding "utf8" -Value "var varPolicyAssignment$policyAssignmentNameNoHyphens = {`r`n`tdefinitionId: '$policyAssignmentDefinitionID'`r`n`tlibDefinition: loadJsonContent('../../policy/$assignmentsLongPath/$fileName')`r`n}`r`n" + } - $policyAssignmentCount = Get-ChildItem -Recurse -Path "$rootPath/$assignmentsLongPath" -Filter "*.json" | Measure-Object - $policyAssignmentCountString = $policyAssignmentCount.Count - Write-Information "====> Policy Assignments Total: $policyAssignmentCountString" -InformationAction Continue + $policyAssignmentCount = Get-ChildItem -Recurse -Path "$rootPath/$assignmentsLongPath" -Filter "*.json" | Measure-Object + $policyAssignmentCountString = $policyAssignmentCount.Count + Write-Information "====> Policy 
Assignments Total: $policyAssignmentCountString" -InformationAction Continue } #endregion New-PolicyDefinitionsBicepInputTxtFile New-PolicySetDefinitionsBicepInputTxtFile -New-PolicyAssignmentsBicepInputTxtFile \ No newline at end of file +New-PolicyAssignmentsBicepInputTxtFile diff --git a/.github/workflows/bicep-build-to-validate.yml b/.github/workflows/bicep-build-to-validate.yml index f53f84b05..e6fa9d4b6 100644 --- a/.github/workflows/bicep-build-to-validate.yml +++ b/.github/workflows/bicep-build-to-validate.yml @@ -77,7 +77,7 @@ jobs: Get-ChildItem -Path '.\infra-as-code\bicep\modules' -Recurse -Filter '*.json' -Exclude 'callModuleFromACR.example.json', 'orchHubSpoke.json', '*parameters*.json', 'bicepconfig.json', '*policy_*.json' | ForEach-Object { Write-Information "==> Reading Built ARM Template JSON File: $_" -InformationAction Continue - $armTemplate = Get-Content $_.FullName | ConvertFrom-Json -Depth 20 + $armTemplate = Get-Content $_.FullName | ConvertFrom-Json -Depth 100 $armResourceTypes = $armTemplate.Resources $armResourceTypes | ForEach-Object { if (!$resourceTypesFullList.ContainsKey($_.Type)) { diff --git a/README.md b/README.md index 5f62e1651..64208a436 100644 --- a/README.md +++ b/README.md 
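Review bot: `-Depth 100` on `ConvertFrom-Json` is still a hard ceiling, not a relaxation: a built ARM template nested deeper than 100 levels fails this step exactly as the old value of 20 did, and in PowerShell 7 the cmdlet's default maximum depth is 1024, so the explicit argument only lowers the limit. If the intent is to accept whatever depth the Bicep build emits, drop the argument, `$armTemplate = Get-Content $_.FullName | ConvertFrom-Json`; if a cap is deliberate (bounding parser recursion on generated input is a reasonable defensive choice), a short comment above the line stating that intent would stop the next maintainer from bumping the number again. `-Depth` on `ConvertFrom-Json` exists only in PowerShell 6.2 and later, so this inline script depends on the step running under `pwsh`, which cannot be confirmed from the hunk. The enclosing workflow step and its `ForEach-Object` body continue outside the hunk.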
@@ -65,7 +65,7 @@ We have created a short 3-part series of video on the Azure Enablement Show that This project welcomes contributions and suggestions. Please review our [Contributing guide][wiki_contributing] in the Wiki. Once your PR is created and submitted a member of the team will triage, review and discuss with you 👍 Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us -the rights to use your contribution. For details, visit the [Microsoft Contributor License Agreement page](https://cla.opensource.microsoft.com). +the rights to use your contribution. For details, visit the [Microsoft Contributor License Agreement page](https://opensource.microsoft.com/cla/). When you submit a pull request, a CLA bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA. diff --git a/infra-as-code/bicep/modules/policy/assignments/README.md b/infra-as-code/bicep/modules/policy/assignments/README.md index 48ce053e0..fcee09ca1 100644 --- a/infra-as-code/bicep/modules/policy/assignments/README.md +++ b/infra-as-code/bicep/modules/policy/assignments/README.md 
@@ -20,7 +20,7 @@ The module requires the following inputs: | parPolicyAssignmentDescription | The description of the policy assignment | Mandatory input | `This policy denies creation of Public IPs under the assigned scope.` | None | | parPolicyAssignmentDefinitionId | The policy definition ID (full resource ID) for the policy to be assigned. | Mandatory input | `/providers/Microsoft.Authorization/policyDefinitions/9d0a794f-1444-4c96-9534-e35fc8c39c91` (built-in) or `/providers/Microsoft.Management/managementgroups/alz/providers/Microsoft.Authorization/policyDefinitions/Deny-Public-IP` (custom) | None | | parPolicyAssignmentParameters | An object containing the parameter values for the policy to be assigned. | Mandatory input | `{"value":{"emailSecurityContact":{"value":"security_contact@replace_me"}}}` | `{}` | - | parPolicyAssignmentParameterOverrides | An object containing parameter values that override those provided to parPolicyAssignmentParameters, usually via a JSON file and json(loadTextContent(FILE_PATH)). This is only useful when wanting to take values from a source like a JSON file for the majority of the parameters but override specific parameter inputs from other sources or hardcoded. If duplicate parameters exist between parPolicyAssignmentParameters & parPolicyAssignmentParameterOverrides, inputs provided to parPolicyAssignmentParameterOverrides will win. | Not mandatory | `{"value":{"emailSecurityContact":{"value":"different_contact@replace_me"}}}` | `{}` | + | parPolicyAssignmentParameterOverrides | An object containing parameter values that override those provided to parPolicyAssignmentParameters, usually via a JSON file and loadJsonContent(FILE_PATH). This is only useful when wanting to take values from a source like a JSON file for the majority of the parameters but override specific parameter inputs from other sources or hardcoded. 
If duplicate parameters exist between parPolicyAssignmentParameters & parPolicyAssignmentParameterOverrides, inputs provided to parPolicyAssignmentParameterOverrides will win. | Not mandatory | `{"value":{"emailSecurityContact":{"value":"different_contact@replace_me"}}}` | `{}` | | parPolicyAssignmentNonComplianceMessages | An array containing object/s for the non-compliance messages for the policy to be assigned. See [Non-compliance messages](https://docs.microsoft.com/azure/governance/policy/concepts/assignment-structure#non-compliance-messages) for more details on use. | Mandatory input | `[{"message":"Default message"}]` | `[]` | | parPolicyAssignmentNotScopes | An array containing a list of scope Resource IDs to be excluded for the policy assignment. | Mandatory input | `["/providers/Microsoft.Management/managementgroups/alz","/providers/Microsoft.Management/managementgroups/alz-sandbox"]` | `[]` | | parPolicyAssignmentEnforcementMode | The enforcement mode for the policy assignment. See [Enforcement Mode](https://aka.ms/EnforcementMode) for more details on use. | Not mandatory. Will only allow values of `Default` or `DoNotEnforce` | `Default` | `Default` | diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/README.md b/infra-as-code/bicep/modules/policy/assignments/lib/README.md index ccaf90f48..23bd6f855 100644 --- a/infra-as-code/bicep/modules/policy/assignments/lib/README.md +++ b/infra-as-code/bicep/modules/policy/assignments/lib/README.md 
@@ -3,12 +3,12 @@ This directory contains the default policy assignments we make as part of the Azure Landing Zones (aka. Enterprise-scale) in JSON files. These can then be used in variables with the bicep functions of: - [`json()`](https://docs.microsoft.com/azure/azure-resource-manager/bicep/bicep-functions-object#json) -- [`loadTextContent()`](https://docs.microsoft.com/azure/azure-resource-manager/bicep/bicep-functions-files#loadtextcontent) +- [`loadJsonContent()`](https://learn.microsoft.com/azure/azure-resource-manager/bicep/bicep-functions-files#loadjsoncontent) For example: ```bicep -var varPolicyAssignmentDenyPublicIp = json(loadTextContent('infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_public_ip.tmpl.json')) +var varPolicyAssignmentDenyPublicIp = loadJsonContent('infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_public_ip.tmpl.json') ``` Or you can use the export available in `_policyAssignmentsBicepInput.txt` to copy and paste into a variable to then use to assign policies but manage their properties from the JSON files, like below: @@ -24,7 +24,7 @@ var varTargetManagementGroupResourceId = tenantResourceId('Microsoft.Management/ var varPolicyAssignmentDenyPublicIp = { name: 'Deny-Public-IP' definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicIP' - libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_public_ip.tmpl.json')) + libDefinition: loadJsonContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_public_ip.tmpl.json') } module modPolicyAssignmentDenyPublicIP '../../policyAssignments/policyAssignmentManagementGroup.bicep' = { 
@@ -40,5 +40,5 @@ module modPolicyAssignmentDenyPublicIP '../../policyAssignments/policyAssignment ``` > You do not have to use this method, but it is provided to you for ease and is used in the orchestration templates. -> +> > You may also extend the library and add your own assignment files in following the pattern shown in the examples above. diff --git a/infra-as-code/bicep/modules/policy/assignments/policyAssignmentManagementGroup.bicep b/infra-as-code/bicep/modules/policy/assignments/policyAssignmentManagementGroup.bicep index 227bba935..10370c97d 100644 --- a/infra-as-code/bicep/modules/policy/assignments/policyAssignmentManagementGroup.bicep +++ b/infra-as-code/bicep/modules/policy/assignments/policyAssignmentManagementGroup.bicep 
@@ -17,7 +17,7 @@ param parPolicyAssignmentDefinitionId string @description('An object containing the parameter values for the policy to be assigned. DEFAULT VALUE = {}') param parPolicyAssignmentParameters object = {} -@description('An object containing parameter values that override those provided to parPolicyAssignmentParameters, usually via a JSON file and json(loadTextContent(FILE_PATH)). This is only useful when wanting to take values from a source like a JSON file for the majority of the parameters but override specific parameter inputs from other sources or hardcoded. If duplicate parameters exist between parPolicyAssignmentParameters & parPolicyAssignmentParameterOverrides, inputs provided to parPolicyAssignmentParameterOverrides will win. DEFAULT VALUE = {}') +@description('An object containing parameter values that override those provided to parPolicyAssignmentParameters, usually via a JSON file and loadJsonContent(FILE_PATH). This is only useful when wanting to take values from a source like a JSON file for the majority of the parameters but override specific parameter inputs from other sources or hardcoded. If duplicate parameters exist between parPolicyAssignmentParameters & parPolicyAssignmentParameterOverrides, inputs provided to parPolicyAssignmentParameterOverrides will win. DEFAULT VALUE = {}') param parPolicyAssignmentParameterOverrides object = {} @description('An array containing object/s for the non-compliance messages for the policy to be assigned. See https://docs.microsoft.com/en-us/azure/governance/policy/concepts/assignment-structure#non-compliance-messages for more details on use. DEFAULT VALUE = []') 
@@ -64,7 +64,7 @@ var varCuaid = '78001e36-9738-429c-a343-45cc84e8a527' resource resPolicyAssignment 'Microsoft.Authorization/policyAssignments@2021-06-01' = { name: parPolicyAssignmentName properties: { - displayName: parPolicyAssignmentDisplayName + displayName: parPolicyAssignmentDisplayName description: parPolicyAssignmentDescription policyDefinitionId: parPolicyAssignmentDefinitionId parameters: varPolicyAssignmentParametersMerged diff --git a/infra-as-code/bicep/modules/policy/definitions/customPolicyDefinitions.bicep b/infra-as-code/bicep/modules/policy/definitions/customPolicyDefinitions.bicep index b6d43f1cb..6185969be 100644 --- a/infra-as-code/bicep/modules/policy/definitions/customPolicyDefinitions.bicep +++ b/infra-as-code/bicep/modules/policy/definitions/customPolicyDefinitions.bicep 
@@ -8,431 +8,431 @@ param parTelemetryOptOut bool = false
 var varTargetManagementGroupResourceId = tenantResourceId('Microsoft.Management/managementGroups', parTargetManagementGroupId)
-// This variable contains a number of objects that load in the custom Azure Policy Defintions that are provided as part of the ESLZ/ALZ reference implementation - this is automatically created in the file 'infra-as-code\bicep\modules\policy\lib\policy_definitions\_policyDefinitionsBicepInput.txt' via a GitHub action, that runs on a daily schedule, and is then manually copied into this variable.
+// This variable contains a number of objects that load in the custom Azure Policy Defintions that are provided as part of the ESLZ/ALZ reference implementation - this is automatically created in the file 'infra-as-code\bicep\modules\policy\lib\policy_definitions\_policyDefinitionsBicepInput.txt' via a GitHub action, that runs on a daily schedule, and is then manually copied into this variable.
 var varCustomPolicyDefinitionsArray = [
 {
 name: 'Append-AppService-httpsonly'
- libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_append_appservice_httpsonly.json'))
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_append_appservice_httpsonly.json')
 }
 {
 name: 'Append-AppService-latestTLS'
- libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_append_appservice_latesttls.json'))
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_append_appservice_latesttls.json')
 }
 {
 name: 'Append-KV-SoftDelete'
- libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_append_kv_softdelete.json'))
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_append_kv_softdelete.json')
 }
 {
 name: 'Append-Redis-disableNonSslPort'
- libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_append_redis_disablenonsslport.json'))
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_append_redis_disablenonsslport.json')
 }
 {
 name: 'Append-Redis-sslEnforcement'
- libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_append_redis_sslenforcement.json'))
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_append_redis_sslenforcement.json')
 }
 {
 name: 'Audit-MachineLearning-PrivateEndpointId'
- libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_audit_machinelearning_privateendpointid.json'))
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_audit_machinelearning_privateendpointid.json')
 }
 {
 name: 'Deny-AA-child-resources'
- libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deny_aa_child_resources.json'))
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_deny_aa_child_resources.json')
 }
 {
 name: 'Deny-AppGW-Without-WAF'
- libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deny_appgw_without_waf.json'))
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_deny_appgw_without_waf.json')
 }
 {
 name: 'Deny-AppServiceApiApp-http'
- libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deny_appserviceapiapp_http.json'))
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_deny_appserviceapiapp_http.json')
 }
 {
 name: 'Deny-AppServiceFunctionApp-http'
- libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deny_appservicefunctionapp_http.json'))
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_deny_appservicefunctionapp_http.json')
 }
 {
 name: 'Deny-AppServiceWebApp-http'
- libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deny_appservicewebapp_http.json'))
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_deny_appservicewebapp_http.json')
 }
 {
 name: 'Deny-Databricks-NoPublicIp'
- libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deny_databricks_nopublicip.json'))
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_deny_databricks_nopublicip.json')
 }
 {
 name: 'Deny-Databricks-Sku'
- libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deny_databricks_sku.json'))
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_deny_databricks_sku.json')
 }
 {
 name: 'Deny-Databricks-VirtualNetwork'
- libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deny_databricks_virtualnetwork.json'))
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_deny_databricks_virtualnetwork.json')
 }
 {
 name: 'Deny-MachineLearning-Aks'
- libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deny_machinelearning_aks.json'))
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_deny_machinelearning_aks.json')
 }
 {
 name: 'Deny-MachineLearning-Compute-SubnetId'
- libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deny_machinelearning_compute_subnetid.json'))
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_deny_machinelearning_compute_subnetid.json')
 }
 {
 name: 'Deny-MachineLearning-Compute-VmSize'
- libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deny_machinelearning_compute_vmsize.json'))
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_deny_machinelearning_compute_vmsize.json')
 }
 {
 name: 'Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess'
- libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deny_machinelearning_computecluster_remoteloginportpublicaccess.json'))
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_deny_machinelearning_computecluster_remoteloginportpublicaccess.json')
 }
 {
 name: 'Deny-MachineLearning-ComputeCluster-Scale'
- libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deny_machinelearning_computecluster_scale.json'))
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_deny_machinelearning_computecluster_scale.json')
 }
 {
 name: 'Deny-MachineLearning-HbiWorkspace'
- libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deny_machinelearning_hbiworkspace.json'))
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_deny_machinelearning_hbiworkspace.json')
 }
 {
 name: 'Deny-MachineLearning-PublicAccessWhenBehindVnet'
- libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deny_machinelearning_publicaccesswhenbehindvnet.json'))
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_deny_machinelearning_publicaccesswhenbehindvnet.json')
 }
 {
 name: 'Deny-MachineLearning-PublicNetworkAccess'
- libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deny_machinelearning_publicnetworkaccess.json'))
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_deny_machinelearning_publicnetworkaccess.json')
 }
 {
 name: 'Deny-MySql-http'
- libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deny_mysql_http.json'))
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_deny_mysql_http.json')
 }
 {
 name: 'Deny-PostgreSql-http'
- libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deny_postgresql_http.json'))
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_deny_postgresql_http.json')
 }
 {
 name: 'Deny-Private-DNS-Zones'
- libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deny_private_dns_zones.json'))
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_deny_private_dns_zones.json')
 }
 {
 name: 'Deny-PublicEndpoint-MariaDB'
- libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deny_publicendpoint_mariadb.json'))
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_deny_publicendpoint_mariadb.json')
 }
 {
 name: 'Deny-PublicIP'
- libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deny_publicip.json'))
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_deny_publicip.json')
 }
 {
 name: 'Deny-RDP-From-Internet'
- libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deny_rdp_from_internet.json'))
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_deny_rdp_from_internet.json')
 }
 {
 name: 'Deny-Redis-http'
- libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deny_redis_http.json'))
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_deny_redis_http.json')
 }
 {
 name: 'Deny-Sql-minTLS'
- libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deny_sql_mintls.json'))
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_deny_sql_mintls.json')
 }
 {
 name: 'Deny-SqlMi-minTLS'
- libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deny_sqlmi_mintls.json'))
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_deny_sqlmi_mintls.json')
 }
 {
 name: 'Deny-Storage-minTLS'
- libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deny_storage_mintls.json'))
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_deny_storage_mintls.json')
 }
 {
 name: 'Deny-Subnet-Without-Nsg'
- libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deny_subnet_without_nsg.json'))
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_deny_subnet_without_nsg.json')
 }
 {
 name: 'Deny-Subnet-Without-Udr'
- libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deny_subnet_without_udr.json'))
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_deny_subnet_without_udr.json')
 }
 {
 name: 'Deny-VNET-Peer-Cross-Sub'
- libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deny_vnet_peer_cross_sub.json'))
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_deny_vnet_peer_cross_sub.json')
 }
 {
 name: 'Deny-VNET-Peering-To-Non-Approved-VNETs'
- libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deny_vnet_peering_to_non_approved_vnets.json'))
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_deny_vnet_peering_to_non_approved_vnets.json')
 }
 {
 name: 'Deny-VNet-Peering'
- libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deny_vnet_peering.json'))
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_deny_vnet_peering.json')
 }
 {
 name: 'Deploy-ASC-SecurityContacts'
- libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deploy_asc_securitycontacts.json'))
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_deploy_asc_securitycontacts.json')
 }
 {
 name: 'Deploy-Budget'
- libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deploy_budget.json'))
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_deploy_budget.json')
 }
 {
 name: 'Deploy-Custom-Route-Table'
- libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deploy_custom_route_table.json'))
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_deploy_custom_route_table.json')
 }
 {
 name: 'Deploy-DDoSProtection'
- libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deploy_ddosprotection.json'))
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_deploy_ddosprotection.json')
 }
 {
 name: 'Deploy-Diagnostics-AA'
- libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_aa.json'))
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_aa.json')
 }
 {
 name: 'Deploy-Diagnostics-ACI'
- libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_aci.json'))
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_aci.json')
 }
 {
 name: 'Deploy-Diagnostics-ACR'
- libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_acr.json'))
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_acr.json')
 }
 {
 name: 'Deploy-Diagnostics-AnalysisService'
- libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_analysisservice.json'))
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_analysisservice.json')
 }
 {
 name: 'Deploy-Diagnostics-ApiForFHIR'
- libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_apiforfhir.json'))
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_apiforfhir.json')
 }
 {
 name: 'Deploy-Diagnostics-APIMgmt'
- libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_apimgmt.json'))
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_apimgmt.json')
 }
 {
 name: 'Deploy-Diagnostics-ApplicationGateway'
- libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_applicationgateway.json'))
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_applicationgateway.json')
 }
 {
 name: 'Deploy-Diagnostics-AVDScalingPlans'
- libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_avdscalingplans.json'))
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_avdscalingplans.json')
 }
 {
 name: 'Deploy-Diagnostics-Bastion'
- libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_bastion.json'))
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_bastion.json')
 }
 {
 name: 'Deploy-Diagnostics-CDNEndpoints'
- libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_cdnendpoints.json'))
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_cdnendpoints.json')
 }
 {
 name: 'Deploy-Diagnostics-CognitiveServices'
- libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_cognitiveservices.json'))
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_cognitiveservices.json')
 }
 {
 name: 'Deploy-Diagnostics-CosmosDB'
- libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_cosmosdb.json'))
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_cosmosdb.json')
 }
 {
 name: 'Deploy-Diagnostics-Databricks'
- libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_databricks.json'))
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_databricks.json')
 }
 {
 name: 'Deploy-Diagnostics-DataExplorerCluster'
- libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_dataexplorercluster.json'))
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_dataexplorercluster.json')
 }
 {
 name: 'Deploy-Diagnostics-DataFactory'
- libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_datafactory.json'))
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_datafactory.json')
 }
 {
 name: 'Deploy-Diagnostics-DLAnalytics'
- libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_dlanalytics.json'))
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_dlanalytics.json')
 }
 {
 name: 'Deploy-Diagnostics-EventGridSub'
- libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_eventgridsub.json'))
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_eventgridsub.json')
 }
 {
 name: 'Deploy-Diagnostics-EventGridSystemTopic'
- libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_eventgridsystemtopic.json'))
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_eventgridsystemtopic.json')
 }
 {
 name: 'Deploy-Diagnostics-EventGridTopic'
- libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_eventgridtopic.json'))
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_eventgridtopic.json')
 }
 {
 name: 'Deploy-Diagnostics-ExpressRoute'
- libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_expressroute.json'))
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_expressroute.json')
 }
 {
 name: 'Deploy-Diagnostics-Firewall'
- libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_firewall.json'))
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_firewall.json')
 }
 {
 name: 'Deploy-Diagnostics-FrontDoor'
- libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_frontdoor.json'))
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_frontdoor.json')
 }
 {
 name: 'Deploy-Diagnostics-Function'
- libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_function.json'))
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_function.json')
 }
 {
 name: 'Deploy-Diagnostics-HDInsight'
- libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_hdinsight.json'))
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_hdinsight.json')
 }
 {
 name: 'Deploy-Diagnostics-iotHub'
- libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_iothub.json'))
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_iothub.json')
 }
 {
 name: 'Deploy-Diagnostics-LoadBalancer'
- libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_loadbalancer.json'))
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_loadbalancer.json')
 }
 {
 name: 'Deploy-Diagnostics-LogicAppsISE'
- libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_logicappsise.json'))
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_logicappsise.json')
 }
 {
 name: 'Deploy-Diagnostics-MariaDB'
- libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_mariadb.json'))
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_mariadb.json')
 }
 {
 name: 'Deploy-Diagnostics-MediaService'
- libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_mediaservice.json'))
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_mediaservice.json')
 }
 {
 name: 'Deploy-Diagnostics-MlWorkspace'
- libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_mlworkspace.json'))
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_mlworkspace.json')
 }
 {
 name: 'Deploy-Diagnostics-MySQL'
- libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_mysql.json'))
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_mysql.json')
 }
 {
 name: 'Deploy-Diagnostics-NetworkSecurityGroups'
- libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_networksecuritygroups.json'))
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_networksecuritygroups.json')
 }
 {
 name: 'Deploy-Diagnostics-NIC'
- libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_nic.json'))
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_nic.json')
 }
 {
 name: 'Deploy-Diagnostics-PostgreSQL'
- libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_postgresql.json'))
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_postgresql.json')
 }
 {
 name: 'Deploy-Diagnostics-PowerBIEmbedded'
- libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_powerbiembedded.json'))
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_powerbiembedded.json')
 }
 {
 name: 'Deploy-Diagnostics-RedisCache'
- libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_rediscache.json'))
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_rediscache.json')
 }
 {
 name: 'Deploy-Diagnostics-Relay'
- libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_relay.json'))
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_relay.json')
 }
 {
 name: 'Deploy-Diagnostics-SignalR'
- libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_signalr.json'))
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_signalr.json')
 }
 {
 name: 'Deploy-Diagnostics-SQLElasticPools'
- libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_sqlelasticpools.json'))
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_sqlelasticpools.json')
 }
 {
 name: 'Deploy-Diagnostics-SQLMI'
- libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_sqlmi.json'))
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_sqlmi.json')
 }
 {
 name: 'Deploy-Diagnostics-TimeSeriesInsights'
- libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_timeseriesinsights.json'))
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_timeseriesinsights.json')
 }
 {
 name: 'Deploy-Diagnostics-TrafficManager'
- libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_trafficmanager.json'))
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_trafficmanager.json')
 }
 {
 name: 'Deploy-Diagnostics-VirtualNetwork'
- libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_virtualnetwork.json'))
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_virtualnetwork.json')
 }
 {
 name: 'Deploy-Diagnostics-VM'
- libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_vm.json'))
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_vm.json')
 }
 {
 name: 'Deploy-Diagnostics-VMSS'
- libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_vmss.json'))
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_vmss.json')
 }
 {
 name: 'Deploy-Diagnostics-VNetGW'
- libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_vnetgw.json'))
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_vnetgw.json')
 }
 {
 name: 'Deploy-Diagnostics-WebServerFarm'
- libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_webserverfarm.json'))
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_webserverfarm.json')
 }
 {
 name: 'Deploy-Diagnostics-Website'
- libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_website.json'))
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_website.json')
 }
 {
 name: 'Deploy-Diagnostics-WVDAppGroup'
- libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_wvdappgroup.json'))
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_wvdappgroup.json')
 }
 {
 name: 'Deploy-Diagnostics-WVDHostPools'
- libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_wvdhostpools.json'))
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_wvdhostpools.json')
 }
 {
 name: 'Deploy-Diagnostics-WVDWorkspace'
- libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_wvdworkspace.json'))
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_wvdworkspace.json')
 }
 {
 name: 'Deploy-FirewallPolicy'
- libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deploy_firewallpolicy.json'))
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_deploy_firewallpolicy.json')
 }
 {
 name: 'Deploy-MySQL-sslEnforcement'
- libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deploy_mysql_sslenforcement.json'))
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_deploy_mysql_sslenforcement.json')
 }
 {
 name: 'Deploy-Nsg-FlowLogs-to-LA'
- libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deploy_nsg_flowlogs_to_la.json'))
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_deploy_nsg_flowlogs_to_la.json')
 }
 {
 name: 'Deploy-Nsg-FlowLogs'
- libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deploy_nsg_flowlogs.json'))
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_deploy_nsg_flowlogs.json')
 }
 {
 name: 'Deploy-PostgreSQL-sslEnforcement'
- libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deploy_postgresql_sslenforcement.json'))
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_deploy_postgresql_sslenforcement.json')
 }
 {
 name: 'Deploy-Sql-AuditingSettings'
- libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deploy_sql_auditingsettings.json'))
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_deploy_sql_auditingsettings.json')
 }
 {
 name: 'Deploy-SQL-minTLS'
- libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deploy_sql_mintls.json'))
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_deploy_sql_mintls.json')
 }
 {
 name: 'Deploy-Sql-SecurityAlertPolicies'
- libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deploy_sql_securityalertpolicies.json'))
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_deploy_sql_securityalertpolicies.json')
 }
 {
 name: 'Deploy-Sql-Tde'
- libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deploy_sql_tde.json'))
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_deploy_sql_tde.json')
 }
 {
 name: 'Deploy-Sql-vulnerabilityAssessments'
- libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deploy_sql_vulnerabilityassessments.json'))
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_deploy_sql_vulnerabilityassessments.json')
 }
 {
 name: 'Deploy-SqlMi-minTLS'
- libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deploy_sqlmi_mintls.json'))
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_deploy_sqlmi_mintls.json')
 }
 {
 name: 'Deploy-Storage-sslEnforcement'
- libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deploy_storage_sslenforcement.json'))
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_deploy_storage_sslenforcement.json')
 }
 {
 name: 'Deploy-VNET-HubSpoke'
- libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deploy_vnet_hubspoke.json'))
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_deploy_vnet_hubspoke.json')
 }
 {
 name: 'Deploy-Windows-DomainJoin'
- libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deploy_windows_domainjoin.json'))
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_deploy_windows_domainjoin.json')
 }
 ]
@@ -440,7 +440,7 @@ var varCustomPolicyDefinitionsArray = [
 var varCustomPolicySetDefinitionsArray = [
 {
 name: 'Deny-PublicPaaSEndpoints'
- libSetDefinition: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deny_publicpaasendpoints.json'))
+ libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_deny_publicpaasendpoints.json')
 libSetChildDefinitions: [
 {
 definitionReferenceId: 'ACRDenyPaasPublicIP'
@@ -496,7 +496,7 @@ var varCustomPolicySetDefinitionsArray = [
 }
 {
 name: 'Deploy-Diagnostics-LogAnalytics'
- libSetDefinition: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.json'))
+ libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.json')
 libSetChildDefinitions: [
 {
 definitionReferenceId: 'ACIDeployDiagnosticLogDeployLogAnalytics'
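Review bot: The comment line rewritten at the top of this hunk still carries the typo `Defintions` on its new side; since the line is being touched anyway, it should read `// This variable contains a number of objects that load in the custom Azure Policy Definitions that are provided as part of the ESLZ/ALZ reference implementation - ...`. That same comment states the array is generated into `_policyDefinitionsBicepInput.txt` by a GitHub action and then copied into this variable by hand, so the generator must emit `loadJsonContent(...)` as well, or the next copy will silently reintroduce `json(loadTextContent(...))` across all of these entries; the Invoke-PolicyToBicep hunks visible earlier in this diff appear to be indentation-only, so that is worth confirming before merge. The hunk for mc-customPolicyDefinitions.bicep rewrites the equivalent comment line with the same typo and has the same generator dependency.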
@@ -822,7 +822,7 @@ var varCustomPolicySetDefinitionsArray = [
 }
 {
 name: 'Deploy-MDFC-Config'
- libSetDefinition: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_mdfc_config.json'))
+ libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_deploy_mdfc_config.json')
 libSetChildDefinitions: [
 {
 definitionReferenceId: 'ascExport'
@@ -888,7 +888,7 @@ var varCustomPolicySetDefinitionsArray = [
 }
 {
 name: 'Deploy-Private-DNS-Zones'
- libSetDefinition: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_private_dns_zones.json'))
+ libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_deploy_private_dns_zones.json')
 libSetChildDefinitions: [
 {
 definitionReferenceId: 'DINE-Private-DNS-Azure-ACR'
@@ -994,7 +994,7 @@ var varCustomPolicySetDefinitionsArray = [
 }
 {
 name: 'Deploy-Sql-Security'
- libSetDefinition: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_sql_security.json'))
+ libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_deploy_sql_security.json')
 libSetChildDefinitions: [
 {
 definitionReferenceId: 'SqlDbAuditingSettingsDeploySqlSecurity'
@@ -1020,7 +1020,7 @@ var varCustomPolicySetDefinitionsArray = [
 }
 {
 name: 'Enforce-Encryption-CMK'
- libSetDefinition: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_enforce_encryption_cmk.json'))
+ libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_enforce_encryption_cmk.json')
 libSetChildDefinitions: [
 {
 definitionReferenceId: 'ACRCmkDeny'
@@ -1101,7 +1101,7 @@ var varCustomPolicySetDefinitionsArray = [ } { name: 'Enforce-EncryptTransit' - libSetDefinition: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_enforce_encrypttransit.json')) + libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_enforce_encrypttransit.json') libSetChildDefinitions: [ { definitionReferenceId: 'AKSIngressHttpsOnlyEffect' diff --git a/infra-as-code/bicep/modules/policy/definitions/mc-customPolicyDefinitions.bicep b/infra-as-code/bicep/modules/policy/definitions/mc-customPolicyDefinitions.bicep index 25adee4a7..a3487bd53 100644 --- a/infra-as-code/bicep/modules/policy/definitions/mc-customPolicyDefinitions.bicep +++ b/infra-as-code/bicep/modules/policy/definitions/mc-customPolicyDefinitions.bicep 
@@ -8,403 +8,403 @@ param parTelemetryOptOut bool = false var varTargetManagementGroupResourceId = tenantResourceId('Microsoft.Management/managementGroups', parTargetManagementGroupId) -// This variable contains a number of objects that load in the custom Azure Policy Defintions that are provided as part of the ESLZ/ALZ reference implementation - this is automatically created in the file 'infra-as-code\bicep\modules\policy\lib\china\policy_definitions\_mc_policyDefinitionsBicepInput.txt' via a GitHub action, that runs on a daily schedule, and is then manually copied into this variable. +// This variable contains a number of objects that load in the custom Azure Policy Defintions that are provided as part of the ESLZ/ALZ reference implementation - this is automatically created in the file 'infra-as-code\bicep\modules\policy\lib\china\policy_definitions\_mc_policyDefinitionsBicepInput.txt' via a GitHub action, that runs on a daily schedule, and is then manually copied into this variable. var varCustomPolicyDefinitionsArray = [ { name: 'Append-AppService-httpsonly' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_append_appservice_httpsonly.json')) + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_append_appservice_httpsonly.json') } { name: 'Append-AppService-latestTLS' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_append_appservice_latesttls.json')) + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_append_appservice_latesttls.json') } { name: 'Append-KV-SoftDelete' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_append_kv_softdelete.json')) + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_append_kv_softdelete.json') } { name: 'Append-Redis-disableNonSslPort' - libDefinition: 
json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_append_redis_disablenonsslport.json')) + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_append_redis_disablenonsslport.json') } { name: 'Append-Redis-sslEnforcement' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_append_redis_sslenforcement.json')) + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_append_redis_sslenforcement.json') } { name: 'Deny-AFSPaasPublicIP' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deny_afspaaspublicip.json')) + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_deny_afspaaspublicip.json') } { name: 'Deny-AppGW-Without-WAF' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deny_appgw_without_waf.json')) + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_deny_appgw_without_waf.json') } { name: 'Deny-AppServiceApiApp-http' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deny_appserviceapiapp_http.json')) + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_deny_appserviceapiapp_http.json') } { name: 'Deny-AppServiceFunctionApp-http' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deny_appservicefunctionapp_http.json')) + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_deny_appservicefunctionapp_http.json') } { name: 'Deny-AppServiceWebApp-http' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deny_appservicewebapp_http.json')) + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_deny_appservicewebapp_http.json') } { name: 'Deny-KeyVaultPaasPublicIP' - 
libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deny_keyvaultpaaspublicip.json')) + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_deny_keyvaultpaaspublicip.json') } { name: 'Deny-MySql-http' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deny_mysql_http.json')) + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_deny_mysql_http.json') } { name: 'Deny-PostgreSql-http' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deny_postgresql_http.json')) + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_deny_postgresql_http.json') } { name: 'Deny-Private-DNS-Zones' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deny_private_dns_zones.json')) + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_deny_private_dns_zones.json') } { name: 'Deny-PublicEndpoint-MariaDB' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deny_publicendpoint_mariadb.json')) + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_deny_publicendpoint_mariadb.json') } { name: 'Deny-PublicIP' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deny_publicip.json')) + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_deny_publicip.json') } { name: 'Deny-RDP-From-Internet' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deny_rdp_from_internet.json')) + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_deny_rdp_from_internet.json') } { name: 'Deny-Redis-http' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deny_redis_http.json')) 
+ libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_deny_redis_http.json') } { name: 'Deny-Sql-minTLS' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deny_sql_mintls.json')) + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_deny_sql_mintls.json') } { name: 'Deny-SqlMi-minTLS' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deny_sqlmi_mintls.json')) + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_deny_sqlmi_mintls.json') } { name: 'Deny-Storage-minTLS' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deny_storage_mintls.json')) + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_deny_storage_mintls.json') } { name: 'Deny-Subnet-Without-Nsg' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deny_subnet_without_nsg.json')) + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_deny_subnet_without_nsg.json') } { name: 'Deny-Subnet-Without-Udr' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deny_subnet_without_udr.json')) + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_deny_subnet_without_udr.json') } { name: 'Deny-VNET-Peer-Cross-Sub' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deny_vnet_peer_cross_sub.json')) + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_deny_vnet_peer_cross_sub.json') } { name: 'Deny-VNET-Peering-To-Non-Approved-VNETs' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deny_vnet_peering_to_non_approved_vnets.json')) + libDefinition: 
loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_deny_vnet_peering_to_non_approved_vnets.json') } { name: 'Deny-VNet-Peering' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deny_vnet_peering.json')) + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_deny_vnet_peering.json') } { name: 'Deploy-ActivityLogs-to-LA-workspace' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_activitylogs_to_la_workspace.json')) + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_activitylogs_to_la_workspace.json') } { name: 'Deploy-ASC-SecurityContacts' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_asc_securitycontacts.json')) + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_asc_securitycontacts.json') } { name: 'Deploy-DDoSProtection' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_ddosprotection.json')) + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_ddosprotection.json') } { name: 'Deploy-Default-Udr' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_default_udr.json')) + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_default_udr.json') } { name: 'Deploy-Diagnostics-AA' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_aa.json')) + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_aa.json') } { name: 'Deploy-Diagnostics-ACI' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_aci.json')) + libDefinition: 
loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_aci.json') } { name: 'Deploy-Diagnostics-ACR' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_acr.json')) + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_acr.json') } { name: 'Deploy-Diagnostics-AnalysisService' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_analysisservice.json')) + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_analysisservice.json') } { name: 'Deploy-Diagnostics-ApiForFHIR' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_apiforfhir.json')) + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_apiforfhir.json') } { name: 'Deploy-Diagnostics-APIMgmt' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_apimgmt.json')) + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_apimgmt.json') } { name: 'Deploy-Diagnostics-ApplicationGateway' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_applicationgateway.json')) + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_applicationgateway.json') } { name: 'Deploy-Diagnostics-Bastion' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_bastion.json')) + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_bastion.json') } { name: 'Deploy-Diagnostics-CDNEndpoints' - libDefinition: 
json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_cdnendpoints.json')) + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_cdnendpoints.json') } { name: 'Deploy-Diagnostics-CognitiveServices' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_cognitiveservices.json')) + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_cognitiveservices.json') } { name: 'Deploy-Diagnostics-CosmosDB' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_cosmosdb.json')) + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_cosmosdb.json') } { name: 'Deploy-Diagnostics-Databricks' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_databricks.json')) + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_databricks.json') } { name: 'Deploy-Diagnostics-DataExplorerCluster' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_dataexplorercluster.json')) + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_dataexplorercluster.json') } { name: 'Deploy-Diagnostics-DataFactory' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_datafactory.json')) + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_datafactory.json') } { name: 'Deploy-Diagnostics-DLAnalytics' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_dlanalytics.json')) + libDefinition: 
loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_dlanalytics.json') } { name: 'Deploy-Diagnostics-EventGridSub' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_eventgridsub.json')) + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_eventgridsub.json') } { name: 'Deploy-Diagnostics-EventGridSystemTopic' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_eventgridsystemtopic.json')) + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_eventgridsystemtopic.json') } { name: 'Deploy-Diagnostics-EventGridTopic' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_eventgridtopic.json')) + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_eventgridtopic.json') } { name: 'Deploy-Diagnostics-ExpressRoute' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_expressroute.json')) + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_expressroute.json') } { name: 'Deploy-Diagnostics-Firewall' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_firewall.json')) + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_firewall.json') } { name: 'Deploy-Diagnostics-FrontDoor' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_frontdoor.json')) + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_frontdoor.json') } { name: 'Deploy-Diagnostics-Function' - libDefinition: 
json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_function.json')) + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_function.json') } { name: 'Deploy-Diagnostics-HDInsight' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_hdinsight.json')) + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_hdinsight.json') } { name: 'Deploy-Diagnostics-iotHub' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_iothub.json')) + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_iothub.json') } { name: 'Deploy-Diagnostics-LoadBalancer' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_loadbalancer.json')) + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_loadbalancer.json') } { name: 'Deploy-Diagnostics-LogicAppsISE' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_logicappsise.json')) + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_logicappsise.json') } { name: 'Deploy-Diagnostics-MariaDB' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_mariadb.json')) + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_mariadb.json') } { name: 'Deploy-Diagnostics-MediaService' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_mediaservice.json')) + libDefinition: 
loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_mediaservice.json') } { name: 'Deploy-Diagnostics-MlWorkspace' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_mlworkspace.json')) + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_mlworkspace.json') } { name: 'Deploy-Diagnostics-MySQL' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_mysql.json')) + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_mysql.json') } { name: 'Deploy-Diagnostics-NetworkSecurityGroups' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_networksecuritygroups.json')) + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_networksecuritygroups.json') } { name: 'Deploy-Diagnostics-NIC' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_nic.json')) + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_nic.json') } { name: 'Deploy-Diagnostics-PostgreSQL' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_postgresql.json')) + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_postgresql.json') } { name: 'Deploy-Diagnostics-PowerBIEmbedded' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_powerbiembedded.json')) + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_powerbiembedded.json') } { name: 'Deploy-Diagnostics-RedisCache' - libDefinition: 
json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_rediscache.json')) + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_rediscache.json') } { name: 'Deploy-Diagnostics-Relay' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_relay.json')) + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_relay.json') } { name: 'Deploy-Diagnostics-SignalR' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_signalr.json')) + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_signalr.json') } { name: 'Deploy-Diagnostics-SQLElasticPools' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_sqlelasticpools.json')) + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_sqlelasticpools.json') } { name: 'Deploy-Diagnostics-SQLMI' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_sqlmi.json')) + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_sqlmi.json') } { name: 'Deploy-Diagnostics-TimeSeriesInsights' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_timeseriesinsights.json')) + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_timeseriesinsights.json') } { name: 'Deploy-Diagnostics-TrafficManager' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_trafficmanager.json')) + libDefinition: 
loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_trafficmanager.json') } { name: 'Deploy-Diagnostics-VirtualNetwork' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_virtualnetwork.json')) + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_virtualnetwork.json') } { name: 'Deploy-Diagnostics-VM' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_vm.json')) + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_vm.json') } { name: 'Deploy-Diagnostics-VMSS' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_vmss.json')) + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_vmss.json') } { name: 'Deploy-Diagnostics-VNetGW' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_vnetgw.json')) + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_vnetgw.json') } { name: 'Deploy-Diagnostics-WebServerFarm' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_webserverfarm.json')) + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_webserverfarm.json') } { name: 'Deploy-Diagnostics-Website' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_website.json')) + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_website.json') } { name: 'Deploy-Diagnostics-WVDAppGroup' - libDefinition: 
json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_wvdappgroup.json')) + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_wvdappgroup.json') } { name: 'Deploy-Diagnostics-WVDHostPools' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_wvdhostpools.json')) + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_wvdhostpools.json') } { name: 'Deploy-Diagnostics-WVDWorkspace' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_wvdworkspace.json')) + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_diagnostics_wvdworkspace.json') } { name: 'Deploy-FirewallPolicy' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_firewallpolicy.json')) + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_firewallpolicy.json') } { name: 'Deploy-MySQL-sslEnforcement' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_mysql_sslenforcement.json')) + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_mysql_sslenforcement.json') } { name: 'Deploy-MySQLCMKEffect' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_mysqlcmkeffect.json')) + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_mysqlcmkeffect.json') } { name: 'Deploy-Nsg-FlowLogs-to-LA' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_nsg_flowlogs_to_la.json')) + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_nsg_flowlogs_to_la.json') } { name: 'Deploy-Nsg-FlowLogs' - 
libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_nsg_flowlogs.json')) + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_nsg_flowlogs.json') } { name: 'Deploy-PostgreSQL-sslEnforcement' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_postgresql_sslenforcement.json')) + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_postgresql_sslenforcement.json') } { name: 'Deploy-PostgreSQLCMKEffect' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_postgresqlcmkeffect.json')) + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_postgresqlcmkeffect.json') } { name: 'Deploy-Private-DNS-Azure-File-Sync' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_private_dns_azure_file_sync.json')) + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_private_dns_azure_file_sync.json') } { name: 'Deploy-Private-DNS-Azure-KeyVault' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_private_dns_azure_keyvault.json')) + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_private_dns_azure_keyvault.json') } { name: 'Deploy-Private-DNS-Azure-Web' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_private_dns_azure_web.json')) + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_private_dns_azure_web.json') } { name: 'Deploy-Sql-AuditingSettings' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_sql_auditingsettings.json')) + libDefinition: 
loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_sql_auditingsettings.json') } { name: 'Deploy-SQL-minTLS' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_sql_mintls.json')) + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_sql_mintls.json') } { name: 'Deploy-Sql-SecurityAlertPolicies' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_sql_securityalertpolicies.json')) + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_sql_securityalertpolicies.json') } { name: 'Deploy-Sql-Tde' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_sql_tde.json')) + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_sql_tde.json') } { name: 'Deploy-Sql-vulnerabilityAssessments' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_sql_vulnerabilityassessments.json')) + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_sql_vulnerabilityassessments.json') } { name: 'Deploy-SqlMi-minTLS' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_sqlmi_mintls.json')) + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_sqlmi_mintls.json') } { name: 'Deploy-Storage-sslEnforcement' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_storage_sslenforcement.json')) + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_storage_sslenforcement.json') } { name: 'Deploy-VNET-HubSpoke' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_vnet_hubspoke.json')) + libDefinition: 
loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_vnet_hubspoke.json') } { name: 'Deploy-Windows-DomainJoin' - libDefinition: json(loadTextContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_windows_domainjoin.json')) + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_deploy_windows_domainjoin.json') } ] @@ -412,7 +412,7 @@ var varCustomPolicyDefinitionsArray = [ var varCustomPolicySetDefinitionsArray = [ { name: 'Deny-PublicPaaSEndpoints' - libSetDefinition: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deny_publicpaasendpoints.json')) + libSetDefinition: loadJsonContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deny_publicpaasendpoints.json') libSetChildDefinitions: [ { definitionReferenceId: 'ACRDenyPaasPublicIP' @@ -458,7 +458,7 @@ var varCustomPolicySetDefinitionsArray = [ } { name: 'Deploy-Diagnostics-LogAnalytics' - libSetDefinition: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.json')) + libSetDefinition: loadJsonContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_diagnostics_loganalytics.json') libSetChildDefinitions: [ { definitionReferenceId: 'ACIDeployDiagnosticLogDeployLogAnalytics' @@ -779,7 +779,7 @@ var varCustomPolicySetDefinitionsArray = [ } { name: 'Deploy-MDFC-Config' - libSetDefinition: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_mdfc_config.json')) + libSetDefinition: loadJsonContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_mdfc_config.json') libSetChildDefinitions: [ { definitionReferenceId: 'ascExport' 
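Review bot: The comment line rewritten at the top of this hunk (`// This variable contains a number of objects that load in the custom Azure Policy Defintions ...`) appears, as far as the collapsed text shows, to carry the same wording on the removed and added sides, so the change there is presumably whitespace or line-ending only; since the line is touched anyway, fix the typo and write `// This variable contains a number of objects that load in the custom Azure Policy Definitions ...`. The rest of the hunk is the mechanical `json(loadTextContent(...))` to `loadJsonContent(...)` swap and reads fine.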
@@ -810,7 +810,7 @@ var varCustomPolicySetDefinitionsArray = [ } { name: 'Deploy-Private-DNS-Zones' - libSetDefinition: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.json')) + libSetDefinition: loadJsonContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_private_dns_zones.json') libSetChildDefinitions: [ { definitionReferenceId: 'Deploy-Private-DNS-Azure-File-Sync' @@ -916,7 +916,7 @@ var varCustomPolicySetDefinitionsArray = [ } { name: 'Deploy-Sql-Security' - libSetDefinition: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_sql_security.json')) + libSetDefinition: loadJsonContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_deploy_sql_security.json') libSetChildDefinitions: [ { definitionReferenceId: 'SqlDbAuditingSettingsDeploySqlSecurity' @@ -942,7 +942,7 @@ var varCustomPolicySetDefinitionsArray = [ } { name: 'Enforce-Encryption-CMK' - libSetDefinition: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encryption_cmk.json')) + libSetDefinition: loadJsonContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encryption_cmk.json') libSetChildDefinitions: [ { definitionReferenceId: 'ACRCmkDeny' @@ -1018,7 +1018,7 @@ var varCustomPolicySetDefinitionsArray = [ } { name: 'Enforce-EncryptTransit' - libSetDefinition: json(loadTextContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.json')) + libSetDefinition: loadJsonContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_enforce_encrypttransit.json') libSetChildDefinitions: [ { definitionReferenceId: 'AKSIngressHttpsOnlyEffect' diff --git a/infra-as-code/bicep/modules/unstable/orchestration/hubSpoke/README.md b/infra-as-code/bicep/modules/unstable/orchestration/hubSpoke/README.md deleted file mode 100644 index 0047835ed..000000000 
--- a/infra-as-code/bicep/modules/unstable/orchestration/hubSpoke/README.md
+++ /dev/null
@@ -1,16 +0,0 @@
-# Module: Orchestration - Hub and Spoke (aka. Adventure Works)
-
-> 🚨⚠️🚨 **This module does not work today due to the following Bicep/ARM bugs, [5371](https://github.com/Azure/bicep/issues/5371) & [5412](https://github.com/Azure/bicep/issues/5412), that we are working with engineering teams to resolve ASAP** 🚨⚠️🚨
-
-This module acts as an orchestration module that glues all the individual module deployments together the deliver the Azure Landing Zone Hub & Spoke architecture *(a.k.a. Adventure Works)* which is also described in the wiki on the [Deployment Flow article](https://github.com/Azure/ALZ-Bicep/wiki/DeploymentFlow).
-
-As the warning at the top of this `README.md` states this module does not actually work today as a single deployment due to some bugs in Bicep/ARM that we are working closely with the Bicep & ARM engineering teams to resolve. The bugs are for awareness:
-
-- [5371 - Deployment validation false positive validating tenant-level template deploying a managementGroup](https://github.com/Azure/bicep/issues/5371)
-- [5412 - Multiple issues with json(loadTextContent('...')) resulting in large/bloated built ARM templates that can be larger than 4MB](https://github.com/Azure/bicep/issues/5412)
-
-## So why provide a non-working orchestration module?
-
-Good question! We decided to provide this orchestration module as an example even though it doesn't work itself as it still provides a great example of how to stitch a lot of the modules together. For example, how you use the logging module to deploy a Log Analytics Workspace and then get it's ID as an output and pass it into the required Policy Assignment Parameters.
-
-We also realise that many of you using these modules will not want to deploy them in a single deployment and will want to split modules up into multiple deployments/pipelines etc. Hence why it is not critical for this orchestration template to be working to prevent us from getting these modules out to you all👍
diff --git a/infra-as-code/bicep/modules/unstable/orchestration/hubSpoke/bicepconfig.json b/infra-as-code/bicep/modules/unstable/orchestration/hubSpoke/bicepconfig.json
deleted file mode 100644
index 4a5463bb4..000000000
--- a/infra-as-code/bicep/modules/unstable/orchestration/hubSpoke/bicepconfig.json
+++ /dev/null
@@ -1,93 +0,0 @@
-{
- "analyzers": {
- "core": {
- "enabled": true,
- "verbose": true,
- "rules": {
- "adminusername-should-not-be-literal": {
- "level": "off"
- },
- "no-hardcoded-env-urls": {
- "level": "off",
- "disallowedhosts": [
- "management.core.windows.net",
- "gallery.azure.com",
- "management.core.windows.net",
- "management.azure.com",
- "login.microsoftonline.com",
- "graph.windows.net",
- "trafficmanager.net",
- "vault.azure.net",
- "datalake.azure.net",
- "azuredatalakestore.net",
- "azuredatalakeanalytics.net",
- "vault.azure.net",
- "api.loganalytics.io",
- "api.loganalytics.iov1",
- "asazure.windows.net",
- "region.asazure.windows.net",
- "api.loganalytics.iov1",
- "api.loganalytics.io",
- "asazure.windows.net",
- "region.asazure.windows.net",
- "batch.core.windows.net"
- ],
- "excludedhosts": [
- "schema.management.azure.com"
- ]
- },
- "no-unnecessary-dependson": {
- "level": "off"
- },
- "no-unused-params": {
- "level": "off"
- },
- "no-unused-vars": {
- "level": "off"
- },
- "outputs-should-not-contain-secrets": {
- "level": "off"
- },
- "prefer-interpolation": {
- "level": "off"
- },
- "secure-parameter-default": {
- "level": "off"
- },
- "simplify-interpolation": {
- "level": "off"
- },
- "protect-commandtoexecute-secrets": {
- "level": "off"
- },
- "use-stable-vm-image": {
- "level": "off"
- },
- "artifacts-parameters":{
- "level": "error"
- },
- "no-unused-existing-resources":{
- "level": "error"
- },
- "prefer-unquoted-property-names":{
- "level": "error"
- },
- "secure-params-in-nested-deploy":{
- "level": "error"
- },
- "secure-secrets-in-params":{
- "level": "error"
- },
- "use-recent-api-versions":{
- "level": "error"
- },
- "use-resource-id-functions":{
- "level": "error"
- },
- "use-stable-resource-identifiers":{
- "level": "error"
- }
- }
- }
- }
-}
\ No newline at end of file
diff --git a/infra-as-code/bicep/modules/unstable/orchestration/hubSpoke/orchHubSpoke.bicep b/infra-as-code/bicep/modules/unstable/orchestration/hubSpoke/orchHubSpoke.bicep
deleted file mode 100644
index 631e3aecf..000000000
--- a/infra-as-code/bicep/modules/unstable/orchestration/hubSpoke/orchHubSpoke.bicep
+++ /dev/null
@@ -1,1454 +0,0 @@ -@description('The region to deploy all resoruces into. DEFAULTS TO = northeurope') -param parLocation string = 'northeurope' - -// Subscriptions Parameters -@description('The Subscription ID for the Management Subscription (must already exists)') -@maxLength(36) -param parManagementSubscriptionId string - -@description('The Subscription ID for the Connectivity Subscription (must already exists)') -@maxLength(36) -param parConnectivitySubscriptionId string - -@description('The Subscription ID for the Identity Subscription (must already exists)') -@maxLength(36) -param parIdentitySubscriptionId string - -@description('An array of objects containing the Subscription IDs & CIDR VNET Address Spaces for Subscriptions to be placed into the Corp Management Group and peered back to the Hub Virtual Network (must already exists)') -@maxLength(36) -param parCorpSubscriptionIds array = [] - -@description('The Subscription IDs for Subscriptions to be placed into the Online Management Group (must already exists)') -@maxLength(36) -param parOnlineSubscriptionIds array = [] - -// Resource Group Modules Parameters - Used multiple times -@description('Name of Resource Group to be created to contain management resources like the central log analytics workspace. Default: {parTopLevelManagementGroupPrefix}-logging') -param parResourceGroupNameForLogging string = '${parTopLevelManagementGroupPrefix}-logging' - -@description('Name of Resource Group to be created to contain hub networking resources like the virtual network and ddos standard plan. Default: {parTopLevelManagementGroupPrefix}-{parLocation}-hub-networking') -param parResourceGroupNameForHubNetworking string = '${parTopLevelManagementGroupPrefix}-${parLocation}-hub-networking' - -@description('Name of Resource Group to be created to contain spoke networking resources like the virtual network. 
Default: {parTopLevelManagementGroupPrefix}-{parLocation}-spoke-networking') -param parResourceGroupNameForSpokeNetworking string = '${parTopLevelManagementGroupPrefix}-${parLocation}-spoke-networking' - -// Management Group Module Parameters -@description('Prefix for the management group hierarchy. This management group will be created as part of the deployment.') -@minLength(2) -@maxLength(10) -param parTopLevelManagementGroupPrefix string = 'alz' - -@description('Display name for top level management group. This name will be applied to the management group prefix defined in parTopLevelManagementGroupPrefix parameter.') -@minLength(2) -param parTopLevelManagementGroupDisplayName string = 'Azure Landing Zones' - -// Logging Module Parameters -@description('Log Analytics Workspace name. - DEFAULT VALUE: alz-log-analytics') -param parLogAnalyticsWorkspaceName string = 'alz-log-analytics' - -@minValue(30) -@maxValue(730) -@description('Number of days of log retention for Log Analytics Workspace. - DEFAULT VALUE: 365') -param parLogAnalyticsWorkspaceLogRetentionInDays int = 365 - -@allowed([ - 'AgentHealthAssessment' - 'AntiMalware' - 'AzureActivity' - 'ChangeTracking' - 'Security' - 'SecurityInsights' - 'ServiceMap' - 'SQLAssessment' - 'Updates' - 'VMInsights' -]) -@description('Solutions that will be added to the Log Analytics Workspace. - DEFAULT VALUE: [AgentHealthAssessment, AntiMalware, AzureActivity, ChangeTracking, Security, SecurityInsights, ServiceMap, SQLAssessment, Updates, VMInsights]') -param parLogAnalyticsWorkspaceSolutions array = [ - 'AgentHealthAssessment' - 'AntiMalware' - 'AzureActivity' - 'ChangeTracking' - 'Security' - 'SecurityInsights' - 'ServiceMap' - 'SQLAssessment' - 'Updates' - 'VMInsights' -] - -@description('Automation account name. 
- DEFAULT VALUE: alz-automation-account') -param parAutomationAccountName string = 'alz-automation-account' - -// Hub Networking Module Parameters -@description('Switch to enable/disable Azure Bastion deployment. Default: true') -param parAzBastionEnabled bool = true - -@description('Switch to enable/disable DDoS Standard deployment. Default: true') -param parDdosEnabled bool = true - -@description('DDoS Plan Name. Default: {parTopLevelManagementGroupPrefix}-ddos-plan') -param parDdosPlanName string = '${parTopLevelManagementGroupPrefix}-ddos-plan' - -@description('Switch to enable/disable Azure Firewall deployment. Default: true') -param parAzFirewallEnabled bool = true - -@description('Switch to enable/disable Azure Firewall DNS Proxy. Default: true') -param parAzFirewallDnsProxyEnabled bool = true - -@description('Switch to enable/disable BGP Propagation on route table. Default: false') -param parDisableBgpRoutePropagation bool = false - -@description('Switch to enable/disable Private DNS Zones deployment. Default: true') -param parPrivateDnsZonesEnabled bool = true - -//ASN must be 65515 if deploying VPN & ER for co-existence to work: https://docs.microsoft.com/en-us/azure/expressroute/expressroute-howto-coexist-resource-manager#limits-and-limitations -@description('''Configuration for VPN virtual network gateway to be deployed. If a VPN virtual network gateway is not desired an empty object should be used as the input parameter in the parameter file, i.e. 
-"parVpnGatewayConfig": { - "value": {} -}''') -param parVpnGatewayConfig object = { - name: '${parTopLevelManagementGroupPrefix}-Vpn-Gateway' - gatewayType: 'Vpn' - sku: 'VpnGw1' - vpnType: 'RouteBased' - generation: 'Generation1' - enableBgp: false - activeActive: false - enableBgpRouteTranslationForNat: false - enableDnsForwarding: false - asn: 65515 - bgpPeeringAddress: '' - bgpsettings: { - asn: 65515 - bgpPeeringAddress: '' - peerWeight: 5 - } - } - -@description('''Configuration for ExpressRoute virtual network gateway to be deployed. If a ExpressRoute virtual network gateway is not desired an empty object should be used as the input parameter in the parameter file, i.e. -"parExpressRouteGatewayConfig": { - "value": {} -}''') -param parExpressRouteGatewayConfig object = { - name: '${parTopLevelManagementGroupPrefix}-ExpressRoute-Gateway' - gatewayType: 'ExpressRoute' - sku: 'ErGw1AZ' - vpnType: 'RouteBased' - vpnGatewayGeneration: 'None' - enableBgp: false - activeActive: false - enableBgpRouteTranslationForNat: false - enableDnsForwarding: false - asn: '65515' - bgpPeeringAddress: '' - bgpsettings: { - asn: '65515' - bgpPeeringAddress: '' - peerWeight: '5' - } -} - -@description('Azure Bastion SKU or Tier to deploy. Currently two options exist Basic and Standard. Default: Standard') -param parAzBastionSku string = 'Standard' - -@description('Public IP Address SKU. Default: Standard') -@allowed([ - 'Basic' - 'Standard' -]) -param parPublicIpSku string = 'Standard' - -@description('Tags you would like to be applied to all resources in this module. Default: empty array') -param parTags object = {} - -@description('The IP address range for all virtual networks to use. Default: 10.10.0.0/16') -param parHubNetworkAddressPrefix string = '10.10.0.0/16' - -@description('Prefix Used for Hub Network. 
Default: {parTopLevelManagementGroupPrefix}-hub-{parLocation}') -param parHubNetworkName string = '${parTopLevelManagementGroupPrefix}-hub-${parLocation}' - -@description('Azure Firewall Name. Default: {parTopLevelManagementGroupPrefix}-azure-firewall ') -param parAzFirewallName string = '${parTopLevelManagementGroupPrefix}-azure-firewall' - -@description('Azure Firewall Tier associated with the Firewall to deploy. Default: Standard ') -@allowed([ - 'Standard' - 'Premium' -]) -param parAzFirewallTier string = 'Standard' - -@description('Name of Route table to create for the default route of Hub. Default: {parTopLevelManagementGroupPrefix}-hub-routetable') -param parHubRouteTableName string = '${parTopLevelManagementGroupPrefix}-hub-routetable' - -@description('The name and IP address range for each subnet in the virtual networks. Default: AzureBastionSubnet, GatewaySubnet, AzureFirewall Subnet') -param parSubnets array = [ - { - name: 'AzureBastionSubnet' - ipAddressRange: '10.10.15.0/24' - } - { - name: 'GatewaySubnet' - ipAddressRange: '10.10.252.0/24' - } - { - name: 'AzureFirewallSubnet' - ipAddressRange: '10.10.254.0/24' - } -] - -@description('Name Associated with Bastion Service: Default: {parTopLevelManagementGroupPrefix}-bastion') -param parAzBastionName string = '${parTopLevelManagementGroupPrefix}-bastion' - -@description('Array of DNS Zones to provision in Hub Virtual Network. 
Default: All known Azure Privatezones') -param parPrivateDnsZones array = [ - 'privatelink.azure-automation.net' - 'privatelink.database.windows.net' - 'privatelink.sql.azuresynapse.net' - 'privatelink.azuresynapse.net' - 'privatelink.blob.core.windows.net' - 'privatelink.table.core.windows.net' - 'privatelink.queue.core.windows.net' - 'privatelink.file.core.windows.net' - 'privatelink.web.core.windows.net' - 'privatelink.dfs.core.windows.net' - 'privatelink.documents.azure.com' - 'privatelink.mongo.cosmos.azure.com' - 'privatelink.cassandra.cosmos.azure.com' - 'privatelink.gremlin.cosmos.azure.com' - 'privatelink.table.cosmos.azure.com' - 'privatelink.${parLocation}.batch.azure.com' - 'privatelink.postgres.database.azure.com' - 'privatelink.mysql.database.azure.com' - 'privatelink.mariadb.database.azure.com' - 'privatelink.vaultcore.azure.net' - 'privatelink.${parLocation}.azmk8s.io' - '${parLocation}.privatelink.siterecovery.windowsazure.com' - 'privatelink.servicebus.windows.net' - 'privatelink.azure-devices.net' - 'privatelink.eventgrid.azure.net' - 'privatelink.azurewebsites.net' - 'privatelink.api.azureml.ms' - 'privatelink.notebooks.azure.net' - 'privatelink.service.signalr.net' - 'privatelink.afs.azure.net' - 'privatelink.datafactory.azure.net' - 'privatelink.adf.azure.com' - 'privatelink.redis.cache.windows.net' - 'privatelink.redisenterprise.cache.azure.net' - 'privatelink.purview.azure.com' - 'privatelink.digitaltwins.azure.net' - 'privatelink.azconfig.io' - 'privatelink.webpubsub.azure.com' - 'privatelink.azure-devices-provisioning.net' - 'privatelink.cognitiveservices.azure.com' - 'privatelink.azurecr.io' - 'privatelink.search.windows.net' -] - -@description('Array of DNS Server IP addresses for VNet. 
Default: Empty Array') -param parDnsServerIps array = [] - -// Policy Assignments Module Parameters -@description('An e-mail address that you want Azure Security Center alerts to be sent to.') -param parAscEmailSecurityContact string - -// Spoke Networking Module Parameters -@description('The Name of the Spoke Virtual Network. Default: vnet-spoke') -param parSpokeNetworkName string = 'vnet-spoke' - -@description('Switch which allows BGP Route Propagation to be disabled on the route table') -param parDisableBgpRoutePropagation bool = false - -@description('Name of Route table to create for the default route of Hub. Default: rtb-spoke-to-hub') -param parSpoketoHubRouteTableName string = 'rtb-spoke-to-hub' - -@description('Set Parameter to true to Opt-out of deployment telemetry') -param parTelemetryOptOut bool = false - -// Customer Usage Attribution Id -var varCuaid = '50ad3b1a-f72c-4de4-8293-8a6399991beb' - -// **Variables** -// Orchestration Module Variables -var varDeploymentNameWrappers = { - basePrefix: 'ALZBicep' - baseSuffixTenantAndManagementGroup: '${deployment().location}-${uniqueString(deployment().location, parTopLevelManagementGroupPrefix)}' - baseSuffixManagementSubscription: '${deployment().location}-${uniqueString(deployment().location, parTopLevelManagementGroupPrefix)}-${parManagementSubscriptionId}' - baseSuffixConnectivitySubscription: '${deployment().location}-${uniqueString(deployment().location, parTopLevelManagementGroupPrefix)}-${parConnectivitySubscriptionId}' - baseSuffixIdentitySubscription: '${deployment().location}-${uniqueString(deployment().location, parTopLevelManagementGroupPrefix)}-${parIdentitySubscriptionId}' - baseSuffixCorpSubscriptions: '${deployment().location}-${uniqueString(deployment().location, parTopLevelManagementGroupPrefix)}-corp-sub' -} - -var varModuleDeploymentNames = { - modManagementGroups: take('${varDeploymentNameWrappers.basePrefix}-mgs-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) - 
modCustomRBACRoleDefinitions: take('${varDeploymentNameWrappers.basePrefix}-rbacRoles-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) - modCustomPolicyDefinitions: take('${varDeploymentNameWrappers.basePrefix}-polDefs-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) - modResourceGroupForLogging: take('${varDeploymentNameWrappers.basePrefix}-rsgLogging-${varDeploymentNameWrappers.baseSuffixManagementSubscription}', 64) - modLogging: take('${varDeploymentNameWrappers.basePrefix}-logging-${varDeploymentNameWrappers.baseSuffixManagementSubscription}', 64) - modResourceGroupForHubNetworking: take('${varDeploymentNameWrappers.basePrefix}-rsgHubNetworking-${varDeploymentNameWrappers.baseSuffixConnectivitySubscription}', 64) - modHubNetworking: take('${varDeploymentNameWrappers.basePrefix}-hubNetworking-${varDeploymentNameWrappers.baseSuffixConnectivitySubscription}', 64) - modSubscriptionPlacementManagement: take('${varDeploymentNameWrappers.basePrefix}-sub-place-mgmt-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) - modSubscriptionPlacementConnectivity: take('${varDeploymentNameWrappers.basePrefix}-sub-place-conn-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) - modSubscriptionPlacementIdentity: take('${varDeploymentNameWrappers.basePrefix}-sub-place-idnt-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) - modSubscriptionPlacementCorp: take('${varDeploymentNameWrappers.basePrefix}-sub-place-corp-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) - modSubscriptionPlacementOnline: take('${varDeploymentNameWrappers.basePrefix}-sub-place-online-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) - modPolicyAssignmentIntRootDeployAscDfConfig: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployASCDFConfig-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) - 
modPolicyAssignmentIntRootDeployAzActivityLog: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployAzActivityLog-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) - modPolicyAssignmentIntRootDeployAscMonitoring: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployASCMonitoring-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) - modPolicyAssignmentIntRootDeployResourceDiag: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployResoruceDiag-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) - modPolicyAssignmentIntRootDeployVmMonitoring: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployVMMonitoring-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) - modPolicyAssignmentIntRootDeployVmssMonitoring: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployVMSSMonitoring-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) - modPolicyAssignmentConnEnableDdosVnet: take('${varDeploymentNameWrappers.basePrefix}-polAssi-enableDDoSVNET-conn-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) - modPolicyAssignmentIdentDenyPublicIp: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyPublicIP-ident-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) - modPolicyAssignmentIdentDenyRdpFromInternet: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyRDPFromInet-ident-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) - modPolicyAssignmentIdentDenySubnetWithoutNsg: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denySubnetNoNSG-ident-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) - modPolicyAssignmentIdentDeployVmBackup: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployVMBackup-ident-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) - modPolicyAssignmentMgmtDeployLogAnalytics: 
take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployLAW-mgmt-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) - modPolicyAssignmentLzsDenyIpForwarding: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyIPForward-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) - modPolicyAssignmentLzsDenyPublicIp: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyPublicIP-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) - modPolicyAssignmentLzsDenyRdpFromInternet: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyRDPFromInet-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) - modPolicyAssignmentLzsDenySubnetWithoutNsg: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denySubnetNoNSG-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) - modPolicyAssignmentLzsDeployVmBackup: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployVMBackup-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) - modPolicyAssignmentLzsEnableDdosVnet: take('${varDeploymentNameWrappers.basePrefix}-polAssi-enableDDoSVNET-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) - modPolicyAssignmentLzsDenyStorageHttp: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyStorageHttp-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) - modPolicyAssignmentLzsDeployAksPolicy: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployAKSPolicy-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) - modPolicyAssignmentLzsDenyPrivEscalationAks: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyPrivEscAKS-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) - modPolicyAssignmentLzsDenyPrivContainersAks: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyPrivConAKS-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) - 
modPolicyAssignmentLzsEnforceAksHttps: take('${varDeploymentNameWrappers.basePrefix}-polAssi-enforceAKSHTTPS-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) - modPolicyAssignmentLzsEnforceTlsSsl: take('${varDeploymentNameWrappers.basePrefix}-polAssi-enforceTLSSSL-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) - modPolicyAssignmentLzsDeploySqlDbAuditing: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deploySQLDBAudit-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) - modPolicyAssignmentLzsDeploySqlThreat: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deploySQLThreat-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) - modPolicyAssignmentLzsDenyPublicEndpoints: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyPublicEndpoints-corp-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) - modPolicyAssignmentLzsDeployPrivateDnsZones: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployPrivateDNS-corp-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) - modResourceGroupForSpokeNetworking: take('${varDeploymentNameWrappers.basePrefix}-rsgSpokeNetworking-${varDeploymentNameWrappers.baseSuffixCorpSubscriptions}', 61) - modSpokeNetworking: take('${varDeploymentNameWrappers.basePrefix}-modSpokeNetworking-${varDeploymentNameWrappers.baseSuffixCorpSubscriptions}', 61) - modSpokePeeringToHub: take('${varDeploymentNameWrappers.basePrefix}-modSpokePeeringToHub-${varDeploymentNameWrappers.baseSuffixCorpSubscriptions}', 61) - modSpokePeeringFromHub: take('${varDeploymentNameWrappers.basePrefix}-modSpokePeeringToHub-${varDeploymentNameWrappers.baseSuffixCorpSubscriptions}', 61) -} - -// Policy Assignments Modules Variables -var varPolicyAssignmentDenyAppGwWithoutWaf = { - definitionId: '${modManagementGroups.outputs.outTopLevelManagementGroupId}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppGW-Without-WAF' - 
libDefinition: json(loadTextContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_appgw_without_waf.tmpl.json')) -} - -var varPolicyAssignmentEnforceAksHttps = { - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d' - libDefinition: json(loadTextContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_http_ingress_aks.tmpl.json')) -} - -var varPolicyAssignmentDenyIpForwarding = { - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900' - libDefinition: json(loadTextContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_ip_forwarding.tmpl.json')) -} - -var varPolicyAssignmentDenyPrivContainersAks = { - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4' - libDefinition: json(loadTextContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_priv_containers_aks.tmpl.json')) -} - -var varPolicyAssignmentDenyPrivEscalationAks = { - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99' - libDefinition: json(loadTextContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_priv_escalation_aks.tmpl.json')) -} - -var varPolicyAssignmentDenyPublicEndpoints = { - definitionId: '${modManagementGroups.outputs.outTopLevelManagementGroupId}/providers/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints' - libDefinition: json(loadTextContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_public_endpoints.tmpl.json')) -} - -var varPolicyAssignmentDenyPublicIp = { - definitionId: '${modManagementGroups.outputs.outTopLevelManagementGroupId}/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicIP' - libDefinition: 
json(loadTextContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_public_ip.tmpl.json'))
-}
-
-var varPolicyAssignmentDenyRdpFromInternet = {
- definitionId: '${modManagementGroups.outputs.outTopLevelManagementGroupId}/providers/Microsoft.Authorization/policyDefinitions/Deny-RDP-From-Internet'
- libDefinition: json(loadTextContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_rdp_from_internet.tmpl.json'))
-}
-
-var varPolicyAssignmentDenyResourceLocations = {
- definitionId: '/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c'
- libDefinition: json(loadTextContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_resource_locations.tmpl.json'))
-}
-
-var varPolicyAssignmentDenyResourceTypes = {
- definitionId: '/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749'
- libDefinition: json(loadTextContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_resource_types.tmpl.json'))
-}
-
-var varPolicyAssignmentDenyRsgLocations = {
- definitionId: '/providers/Microsoft.Authorization/policyDefinitions/e765b5de-1225-4ba3-bd56-1ac6695af988'
- libDefinition: json(loadTextContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_rsg_locations.tmpl.json'))
-}
-
-var varPolicyAssignmentDenyStorageHttp = {
- definitionId: '/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9'
- libDefinition: json(loadTextContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_storage_http.tmpl.json'))
-}
-
-var varPolicyAssignmentDenySubnetWithoutNsg = {
- definitionId: '${modManagementGroups.outputs.outTopLevelManagementGroupId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg'
- libDefinition: json(loadTextContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_subnet_without_nsg.tmpl.json'))
-}
-
-var varPolicyAssignmentDenySubnetWithoutUdr = {
- definitionId: '${modManagementGroups.outputs.outTopLevelManagementGroupId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Udr'
- libDefinition: json(loadTextContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_subnet_without_udr.tmpl.json'))
-}
-
-var varPolicyAssignmentDeployAksPolicy = {
- definitionId: '/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7'
- libDefinition: json(loadTextContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_aks_policy.tmpl.json'))
-}
-
-var varPolicyAssignmentDeployAscMonitoring = {
- definitionId: '/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8'
- libDefinition: json(loadTextContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_asc_monitoring.tmpl.json'))
-}
-
-// var varPolicyAssignmentDeployASCDFConfig = {
-// definitionId: '${modManagementGroups.outputs.outTopLevelManagementGroupId}/providers/Microsoft.Authorization/policySetDefinitions/Deploy-ASCDF-Config'
-// libDefinition: json(loadTextContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_ascdf_config.tmpl.json'))
-// }
-
-var varPolicyAssignmentDeployAzActivityLog = {
- definitionId: '/providers/Microsoft.Authorization/policyDefinitions/2465583e-4e78-4c15-b6be-a36cbc7c8b0f'
- libDefinition: json(loadTextContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_azactivity_log.tmpl.json'))
-}
-
-var varPolicyAssignmentDeployLogAnalytics = {
- definitionId: '/providers/Microsoft.Authorization/policyDefinitions/8e3e61b3-0b32-22d5-4edf-55f87fdb5955'
- libDefinition: json(loadTextContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_log_analytics.tmpl.json'))
-}
-
-var varPolicyAssignmentDeployLxArcMonitoring = {
- definitionId: '/providers/Microsoft.Authorization/policyDefinitions/9d2b61b4-1d14-4a63-be30-d4498e7ad2cf'
- libDefinition: json(loadTextContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_lx_arc_monitoring.tmpl.json'))
-}
-
-var varPolicyAssignmentDeployPrivateDnzZones = {
- definitionId: '${modManagementGroups.outputs.outTopLevelManagementGroupId}/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones'
- libDefinition: json(loadTextContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_private_dns_zones.tmpl.json'))
-}
-
-var varPolicyAssignmentDeployResourceDiag = {
- definitionId: '${modManagementGroups.outputs.outTopLevelManagementGroupId}/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Diagnostics-LogAnalytics'
- libDefinition: json(loadTextContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_resource_diag.tmpl.json'))
-}
-
-var varPolicyAssignmentDeploySqlDbAuditing = {
- definitionId: '/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9'
- libDefinition: json(loadTextContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_sql_db_auditing.tmpl.json'))
-}
-
-var varPolicyAssignmentDeploySqlSecurity = {
- definitionId: '/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f'
- libDefinition: json(loadTextContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_sql_security.tmpl.json'))
-}
-
-var varPolicyAssignmentDeploySqlThreat = {
- definitionId: '/providers/Microsoft.Authorization/policyDefinitions/36d49e87-48c4-4f2e-beed-ba4ed02b71f5'
- libDefinition: json(loadTextContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_sql_threat.tmpl.json'))
-}
-
-var varPolicyAssignmentDeployVmBackup = {
- definitionId: '/providers/Microsoft.Authorization/policyDefinitions/98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86'
- libDefinition: json(loadTextContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_backup.tmpl.json'))
-}
-
-var varPolicyAssignmentDeployVmMonitoring = {
- definitionId: '/providers/Microsoft.Authorization/policySetDefinitions/55f3eceb-5573-4f18-9695-226972c6d74a'
- libDefinition: json(loadTextContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_monitoring.tmpl.json'))
-}
-
-var varPolicyAssignmentDeployVmssMonitoring = {
- definitionId: '/providers/Microsoft.Authorization/policySetDefinitions/75714362-cae7-409e-9b99-a8e5075b7fad'
- libDefinition: json(loadTextContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vmss_monitoring.tmpl.json'))
-}
-
-var varPolicyAssignmentDeployWsArcMonitoring = {
- definitionId: '/providers/Microsoft.Authorization/policyDefinitions/69af7d4a-7b18-4044-93a9-2651498ef203'
- libDefinition: json(loadTextContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_ws_arc_monitoring.tmpl.json'))
-}
-
-var varPolicyAssignmentEnableDdosVnet = {
- definitionId: '/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d'
- libDefinition: json(loadTextContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_enable_ddos_vnet.tmpl.json'))
-}
-
-var varPolicyAssignmentEnforceTlsSsl = {
- definitionId: '${modManagementGroups.outputs.outTopLevelManagementGroupId}/providers/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit'
- libDefinition: json(loadTextContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_tls_ssl.tmpl.json'))
-}
-
-// RBAC Role Definitions Variables - Used For Policy Assignments -var varRbacRoleDefinitionIds = { - owner: '8e3af657-a8ff-443c-a75c-2fe8c4bcb635' - contributor: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - networkContributor: '4d97b98b-1d4f-4787-a291-c67834d212e7' - aksContributor: 'ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8' -} - -// Managment Groups Varaibles - Used For Policy Assignments -var varManagementGroupIds = { - intRoot: parTopLevelManagementGroupPrefix - platform: '${parTopLevelManagementGroupPrefix}-platform' - platformManagement: '${parTopLevelManagementGroupPrefix}-platform-management' - platformConnectivity: '${parTopLevelManagementGroupPrefix}-platform-connectivity' - platformIdentity: '${parTopLevelManagementGroupPrefix}-platform-identity' - landingZones: '${parTopLevelManagementGroupPrefix}-landingzones' - landingZonesCorp: '${parTopLevelManagementGroupPrefix}-landingzones-corp' - landingZonesOnline: '${parTopLevelManagementGroupPrefix}-landingzones-online' - decommissioned: '${parTopLevelManagementGroupPrefix}-decommissioned' - sandbox: '${parTopLevelManagementGroupPrefix}-sandbox' -} - -// **Scope** -targetScope = 'tenant' - -// **Modules** -// Module - Customer Usage Attribution - Telemtry -module modCustomerUsageAttribution '../../../../CRML/customerUsageAttribution/cuaIdTenant.bicep' = if (!parTelemetryOptOut) { - name: 'pid-${varCuaid}-${uniqueString(deployment().location)}' - params: {} -} - -// Module - Management Groups -module modManagementGroups '../../../managementGroups/managementGroups.bicep' = { - scope: tenant() - name: varModuleDeploymentNames.modManagementGroups - params: { - parTopLevelManagementGroupPrefix: parTopLevelManagementGroupPrefix - parTopLevelManagementGroupDisplayName: parTopLevelManagementGroupDisplayName - parTelemetryOptOut: parTelemetryOptOut - } -} - -// Module - Custom RBAC Role Definitions - https://github.com/Azure/bicep/issues/5371 -module modCustomRBACRoleDefinitions 
'../../../customRoleDefinitions/customRoleDefinitions.bicep' = { - dependsOn: [ - modManagementGroups - ] - scope: managementGroup(varManagementGroupIds.intRoot) - name: varModuleDeploymentNames.modCustomRBACRoleDefinitions - params: { - parAssignableScopeManagementGroupId: parTopLevelManagementGroupPrefix - parTelemetryOptOut: parTelemetryOptOut - } -} - -// Module - Custom Policy Definitions and Initiatives -module modCustomPolicyDefinitions '../../../policy/definitions/customPolicyDefinitions.bicep' = { - scope: managementGroup(varManagementGroupIds.intRoot) - name: varModuleDeploymentNames.modCustomPolicyDefinitions - params: { - parTargetManagementGroupId: modManagementGroups.outputs.outTopLevelManagementGroupName - parTelemetryOptOut: parTelemetryOptOut - } -} - -// Resource - Resource Group - For Logging - https://github.com/Azure/bicep/issues/5151 & https://github.com/Azure/bicep/issues/4992 -module modResourceGroupForLogging '../../../resourceGroup/resourceGroup.bicep' = { - scope: subscription(parManagementSubscriptionId) - name: varModuleDeploymentNames.modResourceGroupForLogging - params: { - parLocation: parLocation - parResourceGroupName: parResourceGroupNameForLogging - parTelemetryOptOut: parTelemetryOptOut - } -} - -// Module - Logging, Automation & Sentinel -module modLogging '../../../logging/logging.bicep' = { - dependsOn: [ - modResourceGroupForLogging - ] - scope: resourceGroup(parManagementSubscriptionId, parResourceGroupNameForLogging) - name: varModuleDeploymentNames.modLogging - params: { - parAutomationAccountName: parAutomationAccountName - parAutomationAccountLocation: parLocation - parLogAnalyticsWorkspaceLogRetentionInDays: parLogAnalyticsWorkspaceLogRetentionInDays - parLogAnalyticsWorkspaceName: parLogAnalyticsWorkspaceName - parLogAnalyticsWorkspaceLocation: parLocation - parLogAnalyticsWorkspaceSolutions: parLogAnalyticsWorkspaceSolutions - parTelemetryOptOut: parTelemetryOptOut - } -} - -// Resource - Resource Group - For Hub 
Networking - https://github.com/Azure/bicep/issues/5151 -module modResourceGroupForHubNetworking '../../../resourceGroup/resourceGroup.bicep' = { - scope: subscription(parConnectivitySubscriptionId) - name: varModuleDeploymentNames.modResourceGroupForHubNetworking - params: { - parLocation: parLocation - parResourceGroupName: parResourceGroupNameForHubNetworking - parTelemetryOptOut: parTelemetryOptOut - } -} - -// Module - Hub Virtual Networking -module modHubNetworking '../../../hubNetworking/hubNetworking.bicep' = { - dependsOn: [ - modResourceGroupForHubNetworking - ] - scope: resourceGroup(parConnectivitySubscriptionId, parResourceGroupNameForHubNetworking) - name: varModuleDeploymentNames.modHubNetworking - params: { - parAzBastionEnabled: parAzBastionEnabled - parDdosEnabled: parDdosEnabled - parDdosPlanName: parDdosPlanName - parAzFirewallEnabled: parAzFirewallEnabled - parAzFirewallDnsProxyEnabled: parAzFirewallDnsProxyEnabled - parDisableBgpRoutePropagation: parDisableBgpRoutePropagation - parPrivateDnsZonesEnabled: parPrivateDnsZonesEnabled - parExpressRouteGatewayConfig: parExpressRouteGatewayConfig - parVpnGatewayConfig: parVpnGatewayConfig - parCompanyPrefix: parTopLevelManagementGroupPrefix - parAzBastionSku: parAzBastionSku - parPublicIpSku: parPublicIpSku - parTags: parTags - parHubNetworkAddressPrefix: parHubNetworkAddressPrefix - parHubNetworkName: parHubNetworkName - parAzFirewallName: parAzFirewallName - parAzFirewallTier: parAzFirewallTier - parHubRouteTableName: parHubRouteTableName - parSubnets: parSubnets - parAzBastionName: parAzBastionName - parPrivateDnsZones: parPrivateDnsZones - parDnsServerIps: parDnsServerIps - parTelemetryOptOut: parTelemetryOptOut - } -} - -// Subscription Placements Into Management Group Hierarchy -// Module - Subscription Placement - Management -module modSubscriptionPlacementManagement '../../../subscriptionPlacement/subscriptionPlacement.bicep' = { - scope: 
managementGroup(varManagementGroupIds.platformManagement) - name: varModuleDeploymentNames.modSubscriptionPlacementManagement - params: { - parTargetManagementGroupId: modManagementGroups.outputs.outPlatformManagementManagementGroupName - parSubscriptionIds: [ - parManagementSubscriptionId - ] - parTelemetryOptOut: parTelemetryOptOut - } -} - -// Module - Subscription Placement - Connectivity -module modSubscriptionPlacementConnectivity '../../../subscriptionPlacement/subscriptionPlacement.bicep' = { - scope: managementGroup(varManagementGroupIds.platformConnectivity) - name: varModuleDeploymentNames.modSubscriptionPlacementConnectivity - params: { - parTargetManagementGroupId: modManagementGroups.outputs.outPlatformConnectivityManagementGroupName - parSubscriptionIds: [ - parConnectivitySubscriptionId - ] - parTelemetryOptOut: parTelemetryOptOut - } -} - -// Module - Subscription Placement - Identity -module modSubscriptionPlacementIdentity '../../../subscriptionPlacement/subscriptionPlacement.bicep' = { - scope: managementGroup(varManagementGroupIds.platformIdentity) - name: varModuleDeploymentNames.modSubscriptionPlacementIdentity - params: { - parTargetManagementGroupId: modManagementGroups.outputs.outPlatformIdentityManagementGroupName - parSubscriptionIds: [ - parIdentitySubscriptionId - ] - parTelemetryOptOut: parTelemetryOptOut - } -} - -// Module - Subscription Placement - Corp -module modSubscriptionPlacementCorp '../../../subscriptionPlacement/subscriptionPlacement.bicep' = if (!empty(parCorpSubscriptionIds)) { - scope: managementGroup(varManagementGroupIds.landingZonesCorp) - name: varModuleDeploymentNames.modSubscriptionPlacementCorp - params: { - parTargetManagementGroupId: modManagementGroups.outputs.outLandingZonesCorpManagementGroupName - parSubscriptionIds: [ - parCorpSubscriptionIds - ] - parTelemetryOptOut: parTelemetryOptOut - } -} - -// Module - Subscription Placement - Online -module modSubscriptionPlacementOnline 
'../../../subscriptionPlacement/subscriptionPlacement.bicep' = if (!empty(parOnlineSubscriptionIds)) { - scope: managementGroup(varManagementGroupIds.landingZonesOnline) - name: varModuleDeploymentNames.modSubscriptionPlacementOnline - params: { - parTargetManagementGroupId: modManagementGroups.outputs.outLandingZonesOnlineManagementGroupName - parSubscriptionIds: [ - parOnlineSubscriptionIds - ] - parTelemetryOptOut: parTelemetryOptOut - } -} - -// Modules - Policy Assignments - Intermediate Root Management Group -// Module - Policy Assignment - Deploy-ASCDF-Config -// module modPolicyAssignmentIntRootDeployAscDfConfig '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { -// dependsOn: [ -// modCustomPolicyDefinitions -// ] -// scope: managementGroup(varManagementGroupIds.intRoot) -// name: varModuleDeploymentNames.modPolicyAssignmentIntRootDeployAscDfConfig -// params: { -// parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployASCDFConfig.definitionId -// parPolicyAssignmentName: varPolicyAssignmentDeployASCDFConfig.libDefinition.name -// parPolicyAssignmentDisplayName: varPolicyAssignmentDeployASCDFConfig.libDefinition.properties.displayName -// parPolicyAssignmentDescription: varPolicyAssignmentDeployASCDFConfig.libDefinition.properties.description -// parPolicyAssignmentParameters: varPolicyAssignmentDeployASCDFConfig.libDefinition.properties.parameters -// parPolicyAssignmentParameterOverrides: { -// emailSecurityContact: { -// value: parAscEmailSecurityContact -// } -// ascExportResourceGroupLocation: { -// value: parLocation -// } -// logAnalytics: { -// value: modLogging.outputs.outLogAnalyticsWorkspaceId -// } -// } -// parPolicyAssignmentIdentityType: varPolicyAssignmentDeployASCDFConfig.libDefinition.identity.type -// parPolicyAssignmentIdentityRoleDefinitionIds: [ -// varRbacRoleDefinitionIds.owner -// ] -// parPolicyAssignmentEnforcementMode: varPolicyAssignmentDeployASCDFConfig.libDefinition.properties.enforcementMode -// 
parTelemetryOptOut: parTelemetryOptOut -// } -// } - -// Module - Policy Assignment - Deploy-AzActivity-Log -module modPolicyAssignmentIntRootDeployAzActivityLog '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { - dependsOn: [ - modCustomPolicyDefinitions - ] - scope: managementGroup(varManagementGroupIds.intRoot) - name: varModuleDeploymentNames.modPolicyAssignmentIntRootDeployAzActivityLog - params: { - parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployAzActivityLog.definitionId - parPolicyAssignmentName: varPolicyAssignmentDeployAzActivityLog.libDefinition.name - parPolicyAssignmentDisplayName: varPolicyAssignmentDeployAzActivityLog.libDefinition.properties.displayName - parPolicyAssignmentDescription: varPolicyAssignmentDeployAzActivityLog.libDefinition.properties.description - parPolicyAssignmentParameters: varPolicyAssignmentDeployAzActivityLog.libDefinition.properties.parameters - parPolicyAssignmentParameterOverrides: { - logAnalytics: { - value: modLogging.outputs.outLogAnalyticsWorkspaceId - } - } - parPolicyAssignmentIdentityType: varPolicyAssignmentDeployAzActivityLog.libDefinition.identity.type - parPolicyAssignmentIdentityRoleDefinitionIds: [ - varRbacRoleDefinitionIds.owner - ] - parPolicyAssignmentEnforcementMode: varPolicyAssignmentDeployAzActivityLog.libDefinition.properties.enforcementMode - parTelemetryOptOut: parTelemetryOptOut - } -} - -// Module - Policy Assignment - Deploy-ASC-Monitoring - https://github.com/Azure/bicep/issues/5371 -module modPolicyAssignmentIntRootDeployAscMonitoring '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { - // dependsOn: [ - // modCustomPolicyDefinitions - // ] - scope: managementGroup(varManagementGroupIds.intRoot) - name: varModuleDeploymentNames.modPolicyAssignmentIntRootDeployAscMonitoring - params: { - parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployAscMonitoring.definitionId - parPolicyAssignmentName: 
varPolicyAssignmentDeployAscMonitoring.libDefinition.name - parPolicyAssignmentDisplayName: varPolicyAssignmentDeployAscMonitoring.libDefinition.properties.displayName - parPolicyAssignmentDescription: varPolicyAssignmentDeployAscMonitoring.libDefinition.properties.description - parPolicyAssignmentParameters: varPolicyAssignmentDeployAscMonitoring.libDefinition.properties.parameters - parPolicyAssignmentIdentityType: varPolicyAssignmentDeployAscMonitoring.libDefinition.identity.type - parPolicyAssignmentEnforcementMode: varPolicyAssignmentDeployAscMonitoring.libDefinition.properties.enforcementMode - parTelemetryOptOut: parTelemetryOptOut - } -} - -// // Module - Policy Assignment - Deploy-Resource-Diag -module modPolicyAssignmentIntRootDeployResourceDiag '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { - dependsOn: [ - modCustomPolicyDefinitions - ] - scope: managementGroup(varManagementGroupIds.intRoot) - name: varModuleDeploymentNames.modPolicyAssignmentIntRootDeployResourceDiag - params: { - parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployResourceDiag.definitionId - parPolicyAssignmentName: varPolicyAssignmentDeployResourceDiag.libDefinition.name - parPolicyAssignmentDisplayName: varPolicyAssignmentDeployResourceDiag.libDefinition.properties.displayName - parPolicyAssignmentDescription: varPolicyAssignmentDeployResourceDiag.libDefinition.properties.description - parPolicyAssignmentParameters: varPolicyAssignmentDeployResourceDiag.libDefinition.properties.parameters - parPolicyAssignmentParameterOverrides: { - logAnalytics: { - value: modLogging.outputs.outLogAnalyticsWorkspaceId - } - } - parPolicyAssignmentIdentityType: varPolicyAssignmentDeployResourceDiag.libDefinition.identity.type - parPolicyAssignmentEnforcementMode: varPolicyAssignmentDeployResourceDiag.libDefinition.properties.enforcementMode - parPolicyAssignmentIdentityRoleDefinitionIds: [ - varRbacRoleDefinitionIds.owner - ] - parTelemetryOptOut: parTelemetryOptOut - 
} -} - -// Module - Policy Assignment - Deploy-VM-Monitoring -module modPolicyAssignmentIntRootDeployVmMonitoring '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { - dependsOn: [ - modCustomPolicyDefinitions - ] - scope: managementGroup(varManagementGroupIds.intRoot) - name: varModuleDeploymentNames.modPolicyAssignmentIntRootDeployVmMonitoring - params: { - parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployVmMonitoring.definitionId - parPolicyAssignmentName: varPolicyAssignmentDeployVmMonitoring.libDefinition.name - parPolicyAssignmentDisplayName: varPolicyAssignmentDeployVmMonitoring.libDefinition.properties.displayName - parPolicyAssignmentDescription: varPolicyAssignmentDeployVmMonitoring.libDefinition.properties.description - parPolicyAssignmentParameters: varPolicyAssignmentDeployVmMonitoring.libDefinition.properties.parameters - parPolicyAssignmentParameterOverrides: { - logAnalytics_1: { - value: modLogging.outputs.outLogAnalyticsWorkspaceId - } - } - parPolicyAssignmentIdentityType: varPolicyAssignmentDeployVmMonitoring.libDefinition.identity.type - parPolicyAssignmentEnforcementMode: varPolicyAssignmentDeployVmMonitoring.libDefinition.properties.enforcementMode - parPolicyAssignmentIdentityRoleDefinitionIds: [ - varRbacRoleDefinitionIds.owner - ] - parTelemetryOptOut: parTelemetryOptOut - } -} - -// Module - Policy Assignment - Deploy-VMSS-Monitoring -module modPolicyAssignmentIntRootDeployVmssMonitoring '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { - dependsOn: [ - modCustomPolicyDefinitions - ] - scope: managementGroup(varManagementGroupIds.intRoot) - name: varModuleDeploymentNames.modPolicyAssignmentIntRootDeployVmssMonitoring - params: { - parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployVmssMonitoring.definitionId - parPolicyAssignmentName: varPolicyAssignmentDeployVmssMonitoring.libDefinition.name - parPolicyAssignmentDisplayName: 
varPolicyAssignmentDeployVmssMonitoring.libDefinition.properties.displayName - parPolicyAssignmentDescription: varPolicyAssignmentDeployVmssMonitoring.libDefinition.properties.description - parPolicyAssignmentParameters: varPolicyAssignmentDeployVmssMonitoring.libDefinition.properties.parameters - parPolicyAssignmentParameterOverrides: { - logAnalytics_1: { - value: modLogging.outputs.outLogAnalyticsWorkspaceId - } - } - parPolicyAssignmentIdentityType: varPolicyAssignmentDeployVmssMonitoring.libDefinition.identity.type - parPolicyAssignmentEnforcementMode: varPolicyAssignmentDeployVmssMonitoring.libDefinition.properties.enforcementMode - parPolicyAssignmentIdentityRoleDefinitionIds: [ - varRbacRoleDefinitionIds.owner - ] - parTelemetryOptOut: parTelemetryOptOut - } -} - -// // Modules - Policy Assignments - Connectivity Management Group -// Module - Policy Assignment - Enable-DDoS-VNET -module modPolicyAssignmentConnEnableDdosVnet '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { - dependsOn: [ - modCustomPolicyDefinitions - ] - scope: managementGroup(varManagementGroupIds.platformConnectivity) - name: varModuleDeploymentNames.modPolicyAssignmentConnEnableDdosVnet - params: { - parPolicyAssignmentDefinitionId: varPolicyAssignmentEnableDdosVnet.definitionId - parPolicyAssignmentName: varPolicyAssignmentEnableDdosVnet.libDefinition.name - parPolicyAssignmentDisplayName: varPolicyAssignmentEnableDdosVnet.libDefinition.properties.displayName - parPolicyAssignmentDescription: varPolicyAssignmentEnableDdosVnet.libDefinition.properties.description - parPolicyAssignmentParameters: varPolicyAssignmentEnableDdosVnet.libDefinition.properties.parameters - parPolicyAssignmentParameterOverrides: { - ddosPlan: { - value: modHubNetworking.outputs.outDdosPlanResourceId - } - } - parPolicyAssignmentIdentityType: varPolicyAssignmentEnableDdosVnet.libDefinition.identity.type - parPolicyAssignmentEnforcementMode: 
varPolicyAssignmentEnableDdosVnet.libDefinition.properties.enforcementMode - parPolicyAssignmentIdentityRoleDefinitionIds: [ - varRbacRoleDefinitionIds.networkContributor - ] - parTelemetryOptOut: parTelemetryOptOut - } -} - -// Modules - Policy Assignments - Identity Management Group -// Module - Policy Assignment - Deny-Public-IP -module modPolicyAssignmentIdentDenyPublicIp '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { - dependsOn: [ - modCustomPolicyDefinitions - ] - scope: managementGroup(varManagementGroupIds.platformIdentity) - name: varModuleDeploymentNames.modPolicyAssignmentIdentDenyPublicIp - params: { - parPolicyAssignmentDefinitionId: varPolicyAssignmentDenyPublicIp.definitionId - parPolicyAssignmentName: varPolicyAssignmentDenyPublicIp.libDefinition.name - parPolicyAssignmentDisplayName: varPolicyAssignmentDenyPublicIp.libDefinition.properties.displayName - parPolicyAssignmentDescription: varPolicyAssignmentDenyPublicIp.libDefinition.properties.description - parPolicyAssignmentParameters: varPolicyAssignmentDenyPublicIp.libDefinition.properties.parameters - parPolicyAssignmentIdentityType: varPolicyAssignmentDenyPublicIp.libDefinition.identity.type - parPolicyAssignmentEnforcementMode: varPolicyAssignmentDenyPublicIp.libDefinition.properties.enforcementMode - parTelemetryOptOut: parTelemetryOptOut - } -} - -// Module - Policy Assignment - Deny-RDP-From-Internet -module modPolicyAssignmentIdentDenyRdpFromInternet '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { - dependsOn: [ - modCustomPolicyDefinitions - ] - scope: managementGroup(varManagementGroupIds.platformIdentity) - name: varModuleDeploymentNames.modPolicyAssignmentIdentDenyRdpFromInternet - params: { - parPolicyAssignmentDefinitionId: varPolicyAssignmentDenyRdpFromInternet.definitionId - parPolicyAssignmentName: varPolicyAssignmentDenyRdpFromInternet.libDefinition.name - parPolicyAssignmentDisplayName: 
varPolicyAssignmentDenyRdpFromInternet.libDefinition.properties.displayName - parPolicyAssignmentDescription: varPolicyAssignmentDenyRdpFromInternet.libDefinition.properties.description - parPolicyAssignmentParameters: varPolicyAssignmentDenyRdpFromInternet.libDefinition.properties.parameters - parPolicyAssignmentIdentityType: varPolicyAssignmentDenyRdpFromInternet.libDefinition.identity.type - parPolicyAssignmentEnforcementMode: varPolicyAssignmentDenyRdpFromInternet.libDefinition.properties.enforcementMode - parTelemetryOptOut: parTelemetryOptOut - } -} - -// Module - Policy Assignment - Deny-Subnet-Without-Nsg -module modPolicyAssignmentIdentDenySubnetWithoutNsg '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { - dependsOn: [ - modCustomPolicyDefinitions - ] - scope: managementGroup(varManagementGroupIds.platformIdentity) - name: varModuleDeploymentNames.modPolicyAssignmentIdentDenySubnetWithoutNsg - params: { - parPolicyAssignmentDefinitionId: varPolicyAssignmentDenySubnetWithoutNsg.definitionId - parPolicyAssignmentName: varPolicyAssignmentDenySubnetWithoutNsg.libDefinition.name - parPolicyAssignmentDisplayName: varPolicyAssignmentDenySubnetWithoutNsg.libDefinition.properties.displayName - parPolicyAssignmentDescription: varPolicyAssignmentDenySubnetWithoutNsg.libDefinition.properties.description - parPolicyAssignmentParameters: varPolicyAssignmentDenySubnetWithoutNsg.libDefinition.properties.parameters - parPolicyAssignmentIdentityType: varPolicyAssignmentDenySubnetWithoutNsg.libDefinition.identity.type - parPolicyAssignmentEnforcementMode: varPolicyAssignmentDenySubnetWithoutNsg.libDefinition.properties.enforcementMode - parTelemetryOptOut: parTelemetryOptOut - } -} - -// Module - Policy Assignment - Deploy-VM-Backup - https://github.com/Azure/bicep/issues/5371 -module modPolicyAssignmentIdentDeployVmBackup '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { - dependsOn: [ - modCustomPolicyDefinitions - ] - scope: 
managementGroup(varManagementGroupIds.platformIdentity) - name: varModuleDeploymentNames.modPolicyAssignmentIdentDeployVmBackup - params: { - parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployVmBackup.definitionId - parPolicyAssignmentName: varPolicyAssignmentDeployVmBackup.libDefinition.name - parPolicyAssignmentDisplayName: varPolicyAssignmentDeployVmBackup.libDefinition.properties.displayName - parPolicyAssignmentDescription: varPolicyAssignmentDeployVmBackup.libDefinition.properties.description - parPolicyAssignmentParameters: varPolicyAssignmentDeployVmBackup.libDefinition.properties.parameters - parPolicyAssignmentIdentityType: varPolicyAssignmentDeployVmBackup.libDefinition.identity.type - parPolicyAssignmentEnforcementMode: varPolicyAssignmentDeployVmBackup.libDefinition.properties.enforcementMode - parPolicyAssignmentIdentityRoleDefinitionIds: [ - varRbacRoleDefinitionIds.owner - ] - parTelemetryOptOut: parTelemetryOptOut - } -} - -// Modules - Policy Assignments - Management Management Group - https://github.com/Azure/bicep/issues/5371 -// Module - Policy Assignment - Deploy-Log-Analytics - ISSUES -module modPolicyAssignmentMgmtDeployLogAnalytics '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { - dependsOn: [ - modCustomPolicyDefinitions - ] - scope: managementGroup(varManagementGroupIds.platformIdentity) - name: varModuleDeploymentNames.modPolicyAssignmentMgmtDeployLogAnalytics - params: { - parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployLogAnalytics.definitionId - parPolicyAssignmentName: varPolicyAssignmentDeployLogAnalytics.libDefinition.name - parPolicyAssignmentDisplayName: varPolicyAssignmentDeployLogAnalytics.libDefinition.properties.displayName - parPolicyAssignmentDescription: varPolicyAssignmentDeployLogAnalytics.libDefinition.properties.description - parPolicyAssignmentParameters: varPolicyAssignmentDeployLogAnalytics.libDefinition.properties.parameters - parPolicyAssignmentParameterOverrides: { - 
rgName: { - value: parResourceGroupNameForLogging - } - workspaceName: { - value: parLogAnalyticsWorkspaceName - } - workspaceRegion: { - value: parLocation - } - dataRetention: { - value: parLogAnalyticsWorkspaceLogRetentionInDays - } - automationAccountName: { - value: parAutomationAccountName - } - automationRegion: { - value: parLocation - } - } - parPolicyAssignmentIdentityType: varPolicyAssignmentDeployLogAnalytics.libDefinition.identity.type - parPolicyAssignmentEnforcementMode: varPolicyAssignmentDeployLogAnalytics.libDefinition.properties.enforcementMode - parPolicyAssignmentIdentityRoleDefinitionIds: [ - varRbacRoleDefinitionIds.owner - ] - parTelemetryOptOut: parTelemetryOptOut - } -} - -// Modules - Policy Assignments - Landing Zones Management Group - https://github.com/Azure/bicep/issues/5371 -// Module - Policy Assignment - Deny-IP-Forwarding - ISSUES -module modPolicyAssignmentLzsDenyIpForwarding '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { - dependsOn: [ - modCustomPolicyDefinitions - ] - scope: managementGroup(varManagementGroupIds.landingZones) - name: varModuleDeploymentNames.modPolicyAssignmentLzsDenyIpForwarding - params: { - parPolicyAssignmentDefinitionId: varPolicyAssignmentDenyIpForwarding.definitionId - parPolicyAssignmentName: varPolicyAssignmentDenyIpForwarding.libDefinition.name - parPolicyAssignmentDisplayName: varPolicyAssignmentDenyIpForwarding.libDefinition.properties.displayName - parPolicyAssignmentDescription: varPolicyAssignmentDenyIpForwarding.libDefinition.properties.description - parPolicyAssignmentParameters: varPolicyAssignmentDenyIpForwarding.libDefinition.properties.parameters - parPolicyAssignmentIdentityType: varPolicyAssignmentDenyIpForwarding.libDefinition.identity.type - parPolicyAssignmentEnforcementMode: varPolicyAssignmentDenyIpForwarding.libDefinition.properties.enforcementMode - parTelemetryOptOut: parTelemetryOptOut - } -} - -// Module - Policy Assignment - Deny-Public-IP - NOT DONE 
IN ARM????? -module modPolicyAssignmentLzsDenyPublicIp '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { - dependsOn: [ - modCustomPolicyDefinitions - ] - scope: managementGroup(varManagementGroupIds.landingZones) - name: varModuleDeploymentNames.modPolicyAssignmentLzsDenyPublicIp - params: { - parPolicyAssignmentDefinitionId: varPolicyAssignmentDenyPublicIp.definitionId - parPolicyAssignmentName: varPolicyAssignmentDenyPublicIp.libDefinition.name - parPolicyAssignmentDisplayName: varPolicyAssignmentDenyPublicIp.libDefinition.properties.displayName - parPolicyAssignmentDescription: varPolicyAssignmentDenyPublicIp.libDefinition.properties.description - parPolicyAssignmentParameters: varPolicyAssignmentDenyPublicIp.libDefinition.properties.parameters - parPolicyAssignmentIdentityType: varPolicyAssignmentDenyPublicIp.libDefinition.identity.type - parPolicyAssignmentEnforcementMode: varPolicyAssignmentDenyPublicIp.libDefinition.properties.enforcementMode - parTelemetryOptOut: parTelemetryOptOut - } -} - -// Module - Policy Assignment - Deny-RDP-From-Internet -module modPolicyAssignmentLzsDenyRdpFromInternet '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { - dependsOn: [ - modCustomPolicyDefinitions - ] - scope: managementGroup(varManagementGroupIds.landingZones) - name: varModuleDeploymentNames.modPolicyAssignmentLzsDenyRdpFromInternet - params: { - parPolicyAssignmentDefinitionId: varPolicyAssignmentDenyRdpFromInternet.definitionId - parPolicyAssignmentName: varPolicyAssignmentDenyRdpFromInternet.libDefinition.name - parPolicyAssignmentDisplayName: varPolicyAssignmentDenyRdpFromInternet.libDefinition.properties.displayName - parPolicyAssignmentDescription: varPolicyAssignmentDenyRdpFromInternet.libDefinition.properties.description - parPolicyAssignmentParameters: varPolicyAssignmentDenyRdpFromInternet.libDefinition.properties.parameters - parPolicyAssignmentIdentityType: 
varPolicyAssignmentDenyRdpFromInternet.libDefinition.identity.type - parPolicyAssignmentEnforcementMode: varPolicyAssignmentDenyRdpFromInternet.libDefinition.properties.enforcementMode - parTelemetryOptOut: parTelemetryOptOut - } -} - -// Module - Policy Assignment - Deny-Subnet-Without-Nsg -module modPolicyAssignmentLzsDenySubnetWithoutNsg '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { - dependsOn: [ - modCustomPolicyDefinitions - ] - scope: managementGroup(varManagementGroupIds.landingZones) - name: varModuleDeploymentNames.modPolicyAssignmentLzsDenySubnetWithoutNsg - params: { - parPolicyAssignmentDefinitionId: varPolicyAssignmentDenySubnetWithoutNsg.definitionId - parPolicyAssignmentName: varPolicyAssignmentDenySubnetWithoutNsg.libDefinition.name - parPolicyAssignmentDisplayName: varPolicyAssignmentDenySubnetWithoutNsg.libDefinition.properties.displayName - parPolicyAssignmentDescription: varPolicyAssignmentDenySubnetWithoutNsg.libDefinition.properties.description - parPolicyAssignmentParameters: varPolicyAssignmentDenySubnetWithoutNsg.libDefinition.properties.parameters - parPolicyAssignmentIdentityType: varPolicyAssignmentDenySubnetWithoutNsg.libDefinition.identity.type - parPolicyAssignmentEnforcementMode: varPolicyAssignmentDenySubnetWithoutNsg.libDefinition.properties.enforcementMode - parTelemetryOptOut: parTelemetryOptOut - } -} - -// Module - Policy Assignment - Deploy-VM-Backup - https://github.com/Azure/bicep/issues/5371 -module modPolicyAssignmentLzsDeployVmBackup '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { - dependsOn: [ - modCustomPolicyDefinitions - ] - scope: managementGroup(varManagementGroupIds.landingZones) - name: varModuleDeploymentNames.modPolicyAssignmentLzsDeployVmBackup - params: { - parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployVmBackup.definitionId - parPolicyAssignmentName: varPolicyAssignmentDeployVmBackup.libDefinition.name - parPolicyAssignmentDisplayName: 
varPolicyAssignmentDeployVmBackup.libDefinition.properties.displayName - parPolicyAssignmentDescription: varPolicyAssignmentDeployVmBackup.libDefinition.properties.description - parPolicyAssignmentParameters: varPolicyAssignmentDeployVmBackup.libDefinition.properties.parameters - parPolicyAssignmentIdentityType: varPolicyAssignmentDeployVmBackup.libDefinition.identity.type - parPolicyAssignmentEnforcementMode: varPolicyAssignmentDeployVmBackup.libDefinition.properties.enforcementMode - parPolicyAssignmentIdentityRoleDefinitionIds: [ - varRbacRoleDefinitionIds.owner - ] - parTelemetryOptOut: parTelemetryOptOut - } -} - -// Module - Policy Assignment - Enable-DDoS-VNET -module modPolicyAssignmentLzsEnableDdosVnet '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { - dependsOn: [ - modCustomPolicyDefinitions - ] - scope: managementGroup(varManagementGroupIds.platformConnectivity) - name: varModuleDeploymentNames.modPolicyAssignmentLzsEnableDdosVnet - params: { - parPolicyAssignmentDefinitionId: varPolicyAssignmentEnableDdosVnet.definitionId - parPolicyAssignmentName: varPolicyAssignmentEnableDdosVnet.libDefinition.name - parPolicyAssignmentDisplayName: varPolicyAssignmentEnableDdosVnet.libDefinition.properties.displayName - parPolicyAssignmentDescription: varPolicyAssignmentEnableDdosVnet.libDefinition.properties.description - parPolicyAssignmentParameters: varPolicyAssignmentEnableDdosVnet.libDefinition.properties.parameters - parPolicyAssignmentParameterOverrides: { - ddosPlan: { - value: modHubNetworking.outputs.outDdosPlanResourceId - } - } - parPolicyAssignmentIdentityType: varPolicyAssignmentEnableDdosVnet.libDefinition.identity.type - parPolicyAssignmentEnforcementMode: varPolicyAssignmentEnableDdosVnet.libDefinition.properties.enforcementMode - parPolicyAssignmentIdentityRoleDefinitionIds: [ - varRbacRoleDefinitionIds.networkContributor - ] - parTelemetryOptOut: parTelemetryOptOut - } -} - -// Module - Policy Assignment - Deny-Storage-http 
- https://github.com/Azure/bicep/issues/5371 -module modPolicyAssignmentLzsDenyStorageHttp '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { - dependsOn: [ - modCustomPolicyDefinitions - ] - scope: managementGroup(varManagementGroupIds.landingZones) - name: varModuleDeploymentNames.modPolicyAssignmentLzsDenyStorageHttp - params: { - parPolicyAssignmentDefinitionId: varPolicyAssignmentDenyStorageHttp.definitionId - parPolicyAssignmentName: varPolicyAssignmentDenyStorageHttp.libDefinition.name - parPolicyAssignmentDisplayName: varPolicyAssignmentDenyStorageHttp.libDefinition.properties.displayName - parPolicyAssignmentDescription: varPolicyAssignmentDenyStorageHttp.libDefinition.properties.description - parPolicyAssignmentParameters: varPolicyAssignmentDenyStorageHttp.libDefinition.properties.parameters - parPolicyAssignmentIdentityType: varPolicyAssignmentDenyStorageHttp.libDefinition.identity.type - parPolicyAssignmentEnforcementMode: varPolicyAssignmentDenyStorageHttp.libDefinition.properties.enforcementMode - parTelemetryOptOut: parTelemetryOptOut - } -} - -// Module - Policy Assignment - Deploy-AKS-Policy - https://github.com/Azure/bicep/issues/5371 -module modPolicyAssignmentLzsDeployAksPolicy '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { - dependsOn: [ - modCustomPolicyDefinitions - ] - scope: managementGroup(varManagementGroupIds.landingZones) - name: varModuleDeploymentNames.modPolicyAssignmentLzsDeployAksPolicy - params: { - parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployAksPolicy.definitionId - parPolicyAssignmentName: varPolicyAssignmentDeployAksPolicy.libDefinition.name - parPolicyAssignmentDisplayName: varPolicyAssignmentDeployAksPolicy.libDefinition.properties.displayName - parPolicyAssignmentDescription: varPolicyAssignmentDeployAksPolicy.libDefinition.properties.description - parPolicyAssignmentParameters: varPolicyAssignmentDeployAksPolicy.libDefinition.properties.parameters - 
parPolicyAssignmentIdentityType: varPolicyAssignmentDeployAksPolicy.libDefinition.identity.type - parPolicyAssignmentEnforcementMode: varPolicyAssignmentDeployAksPolicy.libDefinition.properties.enforcementMode - parPolicyAssignmentIdentityRoleDefinitionIds: [ - varRbacRoleDefinitionIds.aksContributor - ] - parTelemetryOptOut: parTelemetryOptOut - } -} - -// Module - Policy Assignment - Deny-Priv-Escalation-AKS - https://github.com/Azure/bicep/issues/5371 -module modPolicyAssignmentLzsDenyPrivEscalationAks '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { - dependsOn: [ - modCustomPolicyDefinitions - ] - scope: managementGroup(varManagementGroupIds.landingZones) - name: varModuleDeploymentNames.modPolicyAssignmentLzsDenyPrivEscalationAks - params: { - parPolicyAssignmentDefinitionId: varPolicyAssignmentDenyPrivEscalationAks.definitionId - parPolicyAssignmentName: varPolicyAssignmentDenyPrivEscalationAks.libDefinition.name - parPolicyAssignmentDisplayName: varPolicyAssignmentDenyPrivEscalationAks.libDefinition.properties.displayName - parPolicyAssignmentDescription: varPolicyAssignmentDenyPrivEscalationAks.libDefinition.properties.description - parPolicyAssignmentParameters: varPolicyAssignmentDenyPrivEscalationAks.libDefinition.properties.parameters - parPolicyAssignmentIdentityType: varPolicyAssignmentDenyPrivEscalationAks.libDefinition.identity.type - parPolicyAssignmentEnforcementMode: varPolicyAssignmentDenyPrivEscalationAks.libDefinition.properties.enforcementMode - parTelemetryOptOut: parTelemetryOptOut - } -} - -// Module - Policy Assignment - Deny-Priv-Containers-AKS - https://github.com/Azure/bicep/issues/5371 -module modPolicyAssignmentLzsDenyPrivContainersAks '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { - dependsOn: [ - modCustomPolicyDefinitions - ] - scope: managementGroup(varManagementGroupIds.landingZones) - name: varModuleDeploymentNames.modPolicyAssignmentLzsDenyPrivContainersAks - params: { - 
parPolicyAssignmentDefinitionId: varPolicyAssignmentDenyPrivContainersAks.definitionId - parPolicyAssignmentName: varPolicyAssignmentDenyPrivContainersAks.libDefinition.name - parPolicyAssignmentDisplayName: varPolicyAssignmentDenyPrivContainersAks.libDefinition.properties.displayName - parPolicyAssignmentDescription: varPolicyAssignmentDenyPrivContainersAks.libDefinition.properties.description - parPolicyAssignmentParameters: varPolicyAssignmentDenyPrivContainersAks.libDefinition.properties.parameters - parPolicyAssignmentIdentityType: varPolicyAssignmentDenyPrivContainersAks.libDefinition.identity.type - parPolicyAssignmentEnforcementMode: varPolicyAssignmentDenyPrivContainersAks.libDefinition.properties.enforcementMode - parTelemetryOptOut: parTelemetryOptOut - } -} - -// Module - Policy Assignment - Enforce-AKS-HTTPS - https://github.com/Azure/bicep/issues/5371 -module modPolicyAssignmentLzsEnforceAksHttps '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { - dependsOn: [ - modCustomPolicyDefinitions - ] - scope: managementGroup(varManagementGroupIds.landingZones) - name: varModuleDeploymentNames.modPolicyAssignmentLzsEnforceAksHttps - params: { - parPolicyAssignmentDefinitionId: varPolicyAssignmentEnforceAksHttps.definitionId - parPolicyAssignmentName: varPolicyAssignmentEnforceAksHttps.libDefinition.name - parPolicyAssignmentDisplayName: varPolicyAssignmentEnforceAksHttps.libDefinition.properties.displayName - parPolicyAssignmentDescription: varPolicyAssignmentEnforceAksHttps.libDefinition.properties.description - parPolicyAssignmentParameters: varPolicyAssignmentEnforceAksHttps.libDefinition.properties.parameters - parPolicyAssignmentIdentityType: varPolicyAssignmentEnforceAksHttps.libDefinition.identity.type - parPolicyAssignmentEnforcementMode: varPolicyAssignmentEnforceAksHttps.libDefinition.properties.enforcementMode - parTelemetryOptOut: parTelemetryOptOut - } -} - -// Module - Policy Assignment - Enforce-TLS-SSL -module 
modPolicyAssignmentLzsEnforceTlsSsl '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { - dependsOn: [ - modCustomPolicyDefinitions - ] - scope: managementGroup(varManagementGroupIds.landingZones) - name: varModuleDeploymentNames.modPolicyAssignmentLzsEnforceTlsSsl - params: { - parPolicyAssignmentDefinitionId: varPolicyAssignmentEnforceTlsSsl.definitionId - parPolicyAssignmentName: varPolicyAssignmentEnforceTlsSsl.libDefinition.name - parPolicyAssignmentDisplayName: varPolicyAssignmentEnforceTlsSsl.libDefinition.properties.displayName - parPolicyAssignmentDescription: varPolicyAssignmentEnforceTlsSsl.libDefinition.properties.description - parPolicyAssignmentParameters: varPolicyAssignmentEnforceTlsSsl.libDefinition.properties.parameters - parPolicyAssignmentIdentityType: varPolicyAssignmentEnforceTlsSsl.libDefinition.identity.type - parPolicyAssignmentEnforcementMode: varPolicyAssignmentEnforceTlsSsl.libDefinition.properties.enforcementMode - parTelemetryOptOut: parTelemetryOptOut - } -} - -// Module - Policy Assignment - Deploy-SQL-DB-Auditing - https://github.com/Azure/bicep/issues/5371 -module modPolicyAssignmentLzsDeploySqlDbAuditing '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { - dependsOn: [ - modCustomPolicyDefinitions - ] - scope: managementGroup(varManagementGroupIds.landingZones) - name: varModuleDeploymentNames.modPolicyAssignmentLzsDeploySqlDbAuditing - params: { - parPolicyAssignmentDefinitionId: varPolicyAssignmentDeploySqlDbAuditing.definitionId - parPolicyAssignmentName: varPolicyAssignmentDeploySqlDbAuditing.libDefinition.name - parPolicyAssignmentDisplayName: varPolicyAssignmentDeploySqlDbAuditing.libDefinition.properties.displayName - parPolicyAssignmentDescription: varPolicyAssignmentDeploySqlDbAuditing.libDefinition.properties.description - parPolicyAssignmentParameters: varPolicyAssignmentDeploySqlDbAuditing.libDefinition.properties.parameters - parPolicyAssignmentIdentityType: 
varPolicyAssignmentDeploySqlDbAuditing.libDefinition.identity.type - parPolicyAssignmentEnforcementMode: varPolicyAssignmentDeploySqlDbAuditing.libDefinition.properties.enforcementMode - parPolicyAssignmentIdentityRoleDefinitionIds: [ - varRbacRoleDefinitionIds.owner - ] - parTelemetryOptOut: parTelemetryOptOut - } -} - -// Module - Policy Assignment - Deploy-SQL-Threat - https://github.com/Azure/bicep/issues/5371 -module modPolicyAssignmentLzsDeploySqlThreat '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { - dependsOn: [ - modCustomPolicyDefinitions - ] - scope: managementGroup(varManagementGroupIds.landingZones) - name: varModuleDeploymentNames.modPolicyAssignmentLzsDeploySqlThreat - params: { - parPolicyAssignmentDefinitionId: varPolicyAssignmentDeploySqlThreat.definitionId - parPolicyAssignmentName: varPolicyAssignmentDeploySqlThreat.libDefinition.name - parPolicyAssignmentDisplayName: varPolicyAssignmentDeploySqlThreat.libDefinition.properties.displayName - parPolicyAssignmentDescription: varPolicyAssignmentDeploySqlThreat.libDefinition.properties.description - parPolicyAssignmentParameters: varPolicyAssignmentDeploySqlThreat.libDefinition.properties.parameters - parPolicyAssignmentIdentityType: varPolicyAssignmentDeploySqlThreat.libDefinition.identity.type - parPolicyAssignmentEnforcementMode: varPolicyAssignmentDeploySqlThreat.libDefinition.properties.enforcementMode - parPolicyAssignmentIdentityRoleDefinitionIds: [ - varRbacRoleDefinitionIds.owner - ] - parTelemetryOptOut: parTelemetryOptOut - } -} - -// Modules - Policy Assignments - Corp Management Group -// Module - Policy Assignment - Deny-Public-Endpoints -module modPolicyAssignmentLzsDenyPublicEndpoints '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { - dependsOn: [ - modCustomPolicyDefinitions - ] - scope: managementGroup(varManagementGroupIds.landingZones) - name: varModuleDeploymentNames.modPolicyAssignmentLzsDenyPublicEndpoints - params: { - 
parPolicyAssignmentDefinitionId: varPolicyAssignmentDenyPublicEndpoints.definitionId - parPolicyAssignmentName: varPolicyAssignmentDenyPublicEndpoints.libDefinition.name - parPolicyAssignmentDisplayName: varPolicyAssignmentDenyPublicEndpoints.libDefinition.properties.displayName - parPolicyAssignmentDescription: varPolicyAssignmentDenyPublicEndpoints.libDefinition.properties.description - parPolicyAssignmentParameters: varPolicyAssignmentDenyPublicEndpoints.libDefinition.properties.parameters - parPolicyAssignmentIdentityType: varPolicyAssignmentDenyPublicEndpoints.libDefinition.identity.type - parPolicyAssignmentEnforcementMode: varPolicyAssignmentDenyPublicEndpoints.libDefinition.properties.enforcementMode - parTelemetryOptOut: parTelemetryOptOut - } -} - -// Module - Policy Assignment - Deploy-Private-DNS-Zones -module modPolicyAssignmentLzsDeployPrivateDnsZones '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { - dependsOn: [ - modCustomPolicyDefinitions - ] - scope: managementGroup(varManagementGroupIds.landingZones) - name: varModuleDeploymentNames.modPolicyAssignmentLzsDeployPrivateDnsZones - params: { - parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployPrivateDnzZones.definitionId - parPolicyAssignmentName: varPolicyAssignmentDeployPrivateDnzZones.libDefinition.name - parPolicyAssignmentDisplayName: varPolicyAssignmentDeployPrivateDnzZones.libDefinition.properties.displayName - parPolicyAssignmentDescription: varPolicyAssignmentDeployPrivateDnzZones.libDefinition.properties.description - parPolicyAssignmentParameters: varPolicyAssignmentDeployPrivateDnzZones.libDefinition.properties.parameters - parPolicyAssignmentParameterOverrides: { - azureFilePrivateDnsZoneId: { - value: modHubNetworking.outputs.outPrivateDnsZones[29].id - } - azureWebPrivateDnsZoneId: { - value: modHubNetworking.outputs.outPrivateDnsZones[37].id - } - azureBatchPrivateDnsZoneId: { - value: modHubNetworking.outputs.outPrivateDnsZones[15].id - } - 
azureAppPrivateDnsZoneId: { - value: modHubNetworking.outputs.outPrivateDnsZones[36].id - } - azureAsrPrivateDnsZoneId: { - value: modHubNetworking.outputs.outPrivateDnsZones[21].id - } - azureIoTPrivateDnsZoneId: { - value: modHubNetworking.outputs.outPrivateDnsZones[38].id - } - azureKeyVaultPrivateDnsZoneId: { - value: modHubNetworking.outputs.outPrivateDnsZones[19].id - } - azureSignalRPrivateDnsZoneId: { - value: modHubNetworking.outputs.outPrivateDnsZones[28].id - } - azureAppServicesPrivateDnsZoneId: { - value: modHubNetworking.outputs.outPrivateDnsZones[25].id - } - azureEventGridTopicsPrivateDnsZoneId: { - value: modHubNetworking.outputs.outPrivateDnsZones[24].id - } - azureDiskAccessPrivateDnsZoneId: { - value: modHubNetworking.outputs.outPrivateDnsZones[4].id - } - azureCognitiveServicesPrivateDnsZoneId: { - value: modHubNetworking.outputs.outPrivateDnsZones[39].id - } - azureIotHubsPrivateDnsZoneId: { - value: modHubNetworking.outputs.outPrivateDnsZones[23].id - } - azureEventGridDomainsPrivateDnsZoneId: { - value: modHubNetworking.outputs.outPrivateDnsZones[24].id - } - azureRedisCachePrivateDnsZoneId: { - value: modHubNetworking.outputs.outPrivateDnsZones[32].id - } - azureAcrPrivateDnsZoneId: { - value: modHubNetworking.outputs.outPrivateDnsZones[40].id - } - azureEventHubNamespacePrivateDnsZoneId: { - value: modHubNetworking.outputs.outPrivateDnsZones[22].id - } - azureMachineLearningWorkspacePrivateDnsZoneId: { - value: modHubNetworking.outputs.outPrivateDnsZones[26].id - } - azureServiceBusNamespacePrivateDnsZoneId: { - value: modHubNetworking.outputs.outPrivateDnsZones[22].id - } - azureCognitiveSearchPrivateDnsZoneId: { - value: modHubNetworking.outputs.outPrivateDnsZones[41].id - } - } - parPolicyAssignmentIdentityType: varPolicyAssignmentDeployPrivateDnzZones.libDefinition.identity.type - parPolicyAssignmentEnforcementMode: varPolicyAssignmentDeployPrivateDnzZones.libDefinition.properties.enforcementMode - 
parPolicyAssignmentIdentityRoleDefinitionIds: [ - varRbacRoleDefinitionIds.networkContributor - ] - parTelemetryOptOut: parTelemetryOptOut - } -} - -// Resource - Resource Group - For Spoke Networking - https://github.com/Azure/bicep/issues/5151 -module modResourceGroupForSpokeNetworking '../../../resourceGroup/resourceGroup.bicep' = [for (corpSub, i) in parCorpSubscriptionIds: if (!empty(parCorpSubscriptionIds)) { - scope: subscription(corpSub.subID) - name: '${varModuleDeploymentNames.modResourceGroupForSpokeNetworking}-${i}' - params: { - parLocation: parLocation - parResourceGroupName: parResourceGroupNameForSpokeNetworking - parTelemetryOptOut: parTelemetryOptOut - } -}] - -// Module - Corp Spoke Virtual Networks -module modSpokeNetworking '../../../spokeNetworking/spokeNetworking.bicep' = [for (corpSub, i) in parCorpSubscriptionIds: if (!empty(parCorpSubscriptionIds)) { - scope: resourceGroup(corpSub.subID, parResourceGroupNameForSpokeNetworking) - name: '${varModuleDeploymentNames.modSpokeNetworking}-${i}' - params: { - parSpokeNetworkName: '${take('vnet-spoke-corp-${uniqueString(corpSub.subID)}', 64)}' - parSpokeNetworkAddressPrefix: corpSub.vnetCIDR - parDdosEnabled: parDDoSEnabled - parDdosProtectionPlanId: modHubNetworking.outputs.outDdosPlanResourceId - parAzFirewallDnsProxyEnabled: parAzFirewallDnsProxyEnabled - parHubNVAEnabled: parAzFirewallEnabled - parDnsServerIps: parDnsServerIps - parNextHopIpAddress: parAzFirewallEnabled ? 
modHubNetworking.outputs.outAzFirewallPrivateIp : '' - parSpoketoHubRouteTableName: parSpoketoHubRouteTableName - parDisableBgpRoutePropagation: parDisableBgpRoutePropagation - parTags: parTags - parTelemetryOptOut: parTelemetryOptOut - } -}] - -// Module - Corp Spoke Virtual Network Peering - Spoke To Hub -module modSpokePeeringToHub '../../../virtualNetworkPeer/virtualNetworkPeer.bicep' = [for (corpSub, i) in parCorpSubscriptionIds: if (!empty(parCorpSubscriptionIds)) { - scope: resourceGroup(corpSub.subID, parResourceGroupNameForSpokeNetworking) - name: '${varModuleDeploymentNames.modSpokePeeringToHub}-${i}' - params: { - parDestinationVirtualNetworkId: modHubNetworking.outputs.outHubVirtualNetworkId - parDestinationVirtualNetworkName: modHubNetworking.outputs.outHubVirtualNetworkName - parSourceVirtualNetworkName: '${take('vnet-spoke-corp-${uniqueString(corpSub.subID)}', 64)}' - parAllowForwardedTraffic: true - parAllowGatewayTransit: true - parAllowVirtualNetworkAccess: true - parTelemetryOptOut: parTelemetryOptOut - } -}] - -// Module - Corp Spoke Virtual Network Peering - Hub To Spoke -module modSpokePeeringFromHub '../../virtualNetworkPeer/virtualNetworkPeer.bicep' = [for (corpSub, i) in parCorpSubscriptionIds: if (!empty(parCorpSubscriptionIds)) { - scope: resourceGroup(parConnectivitySubscriptionId, parResourceGroupNameForHubNetworking) - name: '${varModuleDeploymentNames.modSpokePeeringFromHub}-${i}' - params: { - parDestinationVirtualNetworkId: '/subscriptions/${corpSub.subID}/resourceGroups/${parResourceGroupNameForSpokeNetworking}/providers/Microsoft.Network/virtualNetworks/${take('vnet-spoke-corp-${uniqueString(corpSub.subID)}', 64)}' - parDestinationVirtualNetworkName: '${take('vnet-spoke-corp-${uniqueString(corpSub.subID)}', 64)}' - parSourceVirtualNetworkName: modHubNetworking.outputs.outHubVirtualNetworkName - parAllowForwardedTraffic: true - parAllowGatewayTransit: true - parAllowVirtualNetworkAccess: true - parTelemetryOptOut: 
parTelemetryOptOut
- }
-}]
diff --git a/infra-as-code/bicep/modules/unstable/orchestration/hubSpoke/parameters/orchHubSpoke.parameters.all.json b/infra-as-code/bicep/modules/unstable/orchestration/hubSpoke/parameters/orchHubSpoke.parameters.all.json
deleted file mode 100644
index 39b9c1fe1..000000000
--- a/infra-as-code/bicep/modules/unstable/orchestration/hubSpoke/parameters/orchHubSpoke.parameters.all.json
+++ /dev/null
@@ -1,227 +0,0 @@
-{
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- "parLocation": {
- "value": "northeurope"
- },
- "parManagementSubscriptionId": {
- "value": ""
- },
- "parConnectivitySubscriptionId": {
- "value": ""
- },
- "parIdentitySubscriptionId": {
- "value": ""
- },
- "parCorpSubscriptionIds": {
- "value": []
- },
- "parOnlineSubscriptionIds": {
- "value": []
- },
- "parResourceGroupNameForLogging": {
- "value": "rsg-mgmt"
- },
- "parResourceGroupNameForHubNetworking": {
- "value": "rsg-hub-networking"
- },
- "parResourceGroupNameForSpokeNetworking": {
- "value": "rsg-spoke-networking"
- },
- "parTopLevelManagementGroupPrefix": {
- "value": "alz"
- },
- "parTopLevelManagementGroupDisplayName": {
- "value": "Azure Landing Zones"
- },
- "parLogAnalyticsWorkspaceName": {
- "value": "alz-log-analytics"
- },
- "parLogAnalyticsWorkspaceLogRetentionInDays": {
- "value": 365
- },
- "parLogAnalyticsWorkspaceSolutions": {
- "value": [
- "AgentHealthAssessment",
- "AntiMalware",
- "AzureActivity",
- "ChangeTracking",
- "Security",
- "SecurityInsights",
- "ServiceMap",
- "SQLAssessment",
- "Updates",
- "VMInsights"
- ]
- },
- "parAutomationAccountName": {
- "value": "alz-automation-account"
- },
- "parAzBastionEnabled": {
- "value": true
- },
- "parDDoSEnabled": {
- "value": true
- },
- "parDDoSPlanName": {
- "value": "ddos-connectivity"
- },
- "parAzFirewallEnabled": {
- "value": true
- },
- "parAzFirewallDnsProxyEnabled": {
- "value": true
- },
- "parDisableBgpRoutePropagation": {
- "value": false
- },
- "parPrivateDnsZonesEnabled": {
- "value": true
- },
- "parVpnGatewayConfig": {
- "value": {
- "name": "alz-vpn-gateway",
- "gatewayType": "Vpn",
- "sku": "VpnGw1",
- "vpnType": "RouteBased",
- "generation": "Generation1",
- "enableBgp": false,
- "activeActive": false,
- "enableBgpRouteTranslationForNat": false,
- "enableDnsForwarding": false,
- "asn": 65515,
- "bgpPeeringAddress": "",
- "bgpsettings": {
- "asn": 65515,
- "bgpPeeringAddress": "",
- "peerWeight": 5
- }
- }
- },
- "parExpressRouteGatewayConfig": {
- "value": {
- "name": "alz-er-gateway",
- "gatewayType": "ExpressRoute",
- "sku": "ErGw1AZ",
- "vpnType": "RouteBased",
- "vpnGatewayGeneration": "None",
- "enableBgp": false,
- "activeActive": false,
- "enableBgpRouteTranslationForNat": false,
- "enableDnsForwarding": false,
- "asn": "65515",
- "bgpPeeringAddress": "",
- "bgpsettings": {
- "asn": "65515",
- "bgpPeeringAddress": "",
- "peerWeight": "5"
- }
- }
- },
- "parAzBastionSku": {
- "value": "Standard"
- },
- "parPublicIpSku": {
- "value": "Standard"
- },
- "parTags": {
- "value": {}
- },
- "parHubNetworkAddressPrefix": {
- "value": "10.10.0.0/16"
- },
- "parHubNetworkName": {
- "value": "vnet-hub"
- },
- "parAzFirewallName": {
- "value": "azfw-hub"
- },
- "parAzFirewallTier": {
- "value": "Standard"
- },
- "parHubRouteTableName": {
- "value": "rtb-hub"
- },
- "parSubnets": {
- "value": [
- {
- "name": "AzureBastionSubnet",
- "ipAddressRange": "10.10.15.0/24"
- },
- {
- "name": "GatewaySubnet",
- "ipAddressRange": "10.10.252.0/24"
- },
- {
- "name": "AzureFirewallSubnet",
- "ipAddressRange": "10.10.254.0/24"
- }
- ]
- },
- "parAzBastionName": {
- "value": "bst-hub"
- },
- "parPrivateDnsZones": {
- "value": [
- "privatelink.azure-automation.net",
- "privatelink.database.windows.net",
- "privatelink.sql.azuresynapse.net",
- "privatelink.azuresynapse.net",
- "privatelink.blob.core.windows.net",
- "privatelink.table.core.windows.net",
- "privatelink.queue.core.windows.net",
- "privatelink.file.core.windows.net",
- "privatelink.web.core.windows.net",
- "privatelink.dfs.core.windows.net",
- "privatelink.documents.azure.com",
- "privatelink.mongo.cosmos.azure.com",
- "privatelink.cassandra.cosmos.azure.com",
- "privatelink.gremlin.cosmos.azure.com",
- "privatelink.table.cosmos.azure.com",
- "[format('privatelink.{0}.batch.azure.com', parameters('parLocation'))]",
- "privatelink.postgres.database.azure.com",
- "privatelink.mysql.database.azure.com",
- "privatelink.mariadb.database.azure.com",
- "privatelink.vaultcore.azure.net",
- "[format('privatelink.{0}.azmk8s.io', parameters('parLocation'))]",
- "[format('{0}.privatelink.siterecovery.windowsazure.com', parameters('parLocation'))]",
- "privatelink.servicebus.windows.net",
- "privatelink.azure-devices.net",
- "privatelink.eventgrid.azure.net",
- "privatelink.azurewebsites.net",
- "privatelink.api.azureml.ms",
- "privatelink.notebooks.azure.net",
- "privatelink.service.signalr.net",
- "privatelink.afs.azure.net",
- "privatelink.datafactory.azure.net",
- "privatelink.adf.azure.com",
- "privatelink.redis.cache.windows.net",
- "privatelink.redisenterprise.cache.azure.net",
- "privatelink.purview.azure.com",
- "privatelink.digitaltwins.azure.net",
- "privatelink.azconfig.io",
- "privatelink.webpubsub.azure.com",
- "privatelink.azure-devices-provisioning.net",
- "privatelink.cognitiveservices.azure.com",
- "privatelink.azurecr.io",
- "privatelink.search.windows.net"
- ]
- },
- "parDnsServerIps": {
- "value": []
- },
- "parAscEmailSecurityContact": {
- "value": "replace_me@security_contact.com"
- },
- "parSpokeNetworkName": {
- "value": "vnet-spoke"
- },
- "parSpoketoHubRouteTableName": {
- "value": "rtb-spoke-to-hub"
- },
- "parTelemetryOptOut": {
- "value": false
- }
- }
-}
\ No newline at end of file