Azure · jaredfholgate · Jul 18, 2024 · Jun 24, 2024 · Jun 24, 2024 · Jun 24, 2024
diff --git a/README.md b/README.md
@@ -116,7 +116,7 @@ For support on the artifacts contained in this repository, please refer to [this
 [wiki_resiliency]:                            https://github.com/Azure/ALZ-Bicep/wiki/Resiliency "Wiki - Resiliency"
 [wiki_contributing]:                          https://github.com/Azure/ALZ-Bicep/wiki/Contributing "Wiki - Contributing"
 [wiki_accelerator]:                          <https://github.com/Azure/ALZ-Bicep/wiki/Accelerator> "Wiki - Accelerator"
-[wiki_amba]:                            <https://github.com/Azure/ALZ-Bicep/wiki/Accelerator> "Wiki - AMBA"
+[wiki_amba]:                            <https://github.com/Azure/ALZ-Bicep/wiki/AzureMonitorBaselineAlerts> "Wiki - AMBA"
 [wiki_faq]:                          <https://github.com/Azure/ALZ-Bicep/wiki/FAQ> "Wiki - FAQs"
 [wiki_cuaid]:                          <https://github.com/Azure/ALZ-Bicep/wiki/CustomerUsage> "Wiki - Telemetry Usage ID"
 [wiki_acrdeploy]:                          <https://github.com/Azure/ALZ-Bicep/wiki/ACRDeployment> "Wiki - Private Bicep Registry"

diff --git a/accelerator/.config/ALZ-Powershell-Auto.config.json b/accelerator/.config/ALZ-Powershell-Auto.config.json
diff --git a/accelerator/scripts/destroy-landing-zone.ps1 b/accelerator/scripts/destroy-landing-zone.ps1
@@ -0,0 +1,190 @@
+## This script is derived from the original by Jack Tracey, which you can find here: https://github.com/jtracey93/PublicScripts/blob/master/Azure/PowerShell/Enterprise-scale/Wipe-ESLZAzTenant.ps1
+
+param (
+    [bool]$whatIfEnabled = $true,
+    [string]$prefix = $env:PREFIX,
+    [string]$intermediateRootGroupID = $env:MANAGEMENT_GROUP_ID,
+    [string]$tenantRootGroupID = $env:ROOT_PARENT_MANAGEMENT_GROUP_ID,
+    [string]$connectivitySubscriptionId = $env:CONNECTIVITY_SUBSCRIPTION_ID,
+    [string]$identitySubscriptionId = $env:IDENTITY_SUBSCRIPTION_ID,
+    [string]$managementSubscriptionId = $env:MANAGEMENT_SUBSCRIPTION_ID
+)
+
+if($whatIfEnabled) {
+  Write-Warning "The deploy stage of this run will delete all aspects of your landing zone. This includes all resources in your platform subscriptions. Please ensure you have a backup of any data you wish to keep."
+  Write-Warning "DANGER! DO NOT APPROVE THIS RUN UNLESS YOU ARE CERTAIN YOU WANT TO DELETE EVERYTHING."
+  exit 0
+}
+
+$managementGroups = Get-AzManagementGroup
+$managementGroup = $managementGroups | Where-Object { $_.Name -eq $intermediateRootGroupID }
+if($null -eq $managementGroup) {
+    Write-Warning "The $intermediateRootGroupID does not exist, so there is nothing to delete."
+    exit 0
+}
+
+if ($tenantRootGroupID -eq "") {
+    $tenantRootGroupID = (Get-AzContext).Tenant.TenantId
+}
+$resetMdfcTierOnSubs = $true
+
+#Toggle to stop warnings with regards to DisplayName and DisplayId
+Set-Item Env:\SuppressAzurePowerShellBreakingChangeWarnings "true"
+
+# Start timer
+$StopWatch = New-Object -TypeName System.Diagnostics.Stopwatch
+$StopWatch.Start()
+
+# Get all Subscriptions that are in the Intermediate Root Management Group's hierarchy tree
+$intermediateRootGroupChildSubscriptions = Search-AzGraph -Query "resourcecontainers | where type =~ 'microsoft.resources/subscriptions' | mv-expand mgmtGroups=properties.managementGroupAncestorsChain | where mgmtGroups.name =~ '$intermediateRootGroupID' | project subName=name, subID=subscriptionId, subState=properties.state, aadTenantID=tenantId, mgID=mgmtGroups.name, mgDisplayName=mgmtGroups.displayName"
+
+Write-Output "Moving all subscriptions under root management group"
+
+# For each Subscription in Intermediate Root Management Group's hierarchy tree, move it to the Tenant Root Management Group
+$intermediateRootGroupChildSubscriptions | ForEach-Object -Parallel {
+    # The name 'Tenant Root Group' doesn't work. Instead, use the GUID of your Tenant Root Group
+    if ($_.subState -ne "Disabled") {
+        Write-Output "Moving Subscription: '$($_.subName)' under Tenant Root Management Group: '$($using:tenantRootGroupID)'"
+        New-AzManagementGroupSubscription -GroupId $using:tenantRootGroupID -SubscriptionId $_.subID | Out-Null
+    }
+}
+
+# For each Subscription in the Intermediate Root Management Group's hierarchy tree, remove all Resources, Resource Groups and Deployments
+Write-Output "Removing all Azure Resources, Resource Groups and Deployments from Subscriptions in scope"
+
+$subscriptionsToClean = @()
+ForEach ($subscription in $intermediateRootGroupChildSubscriptions) {
+    $subscriptionsToClean += @{
+        name = $subscription.subName
+        id   = $subscription.subID
+    }
+}
+
+$subscriptionIds = $subscriptionsToClean | Select-Object -ExpandProperty id
+
+if($subscriptionIds -notcontains $managementSubscriptionId) {
+    $subscriptionsToClean += @{
+        name = "Management"
+        id   = $managementSubscriptionId
+    }
+    $subscriptionIds += $managementSubscriptionId
+}
+
+if($subscriptionIds -notcontains $identitySubscriptionId) {
+    $subscriptionsToClean += @{
+        name = "Identity"
+        id   = $identitySubscriptionId
+    }
+    $subscriptionIds += $identitySubscriptionId
+}
+
+if($subscriptionIds -notcontains $connectivitySubscriptionId) {
+    $subscriptionsToClean += @{
+        name = "Connectivity"
+        id   = $connectivitySubscriptionId
+    }
+    $subscriptionIds += $connectivitySubscriptionId
+}
+
+ForEach ($subscription in $subscriptionsToClean) {
+    Write-Output "Set context to Subscription: '$($subscription.name)'"
+    Set-AzContext -Subscription $subscription.id | Out-Null
+
+    # Get all Resource Groups in Subscription
+    $resourceGroups = Get-AzResourceGroup
+
+    $resourceGroupsToRemove = @()
+    ForEach ($resourceGroup in $resourceGroups) {
+        if ($resourceGroup.ResourceGroupName -like "rg-$prefix*") {
+            $resourceGroupsToRemove += $resourceGroup.ResourceGroupName
+        }
+    }
+
+    $resourceGroupsToRemove | ForEach-Object -Parallel {
+        Write-Output "Deleting $_..."
+        Remove-AzResourceGroup -Name $_ -Force | Out-Null
+    }
+
+    # Get Deployments for Subscription
+    $subDeployments = Get-AzSubscriptionDeployment
+
+    Write-Output "Removing All Successful Subscription Deployments for: $($subscription.name)"
+
+    $deploymentsToRemove = @()
+    ForEach ($deployment in $subDeployments) {
+        if ($deployment.DeploymentName -like "$prefix*" -and $deployment.ProvisioningState -eq "Succeeded") {
+            $deploymentsToRemove += $deployment
+        }
+    }
+
+    # For each Subscription level deployment, remove it
+    $deploymentsToRemove | ForEach-Object -Parallel {
+        Write-Output "Removing $($_.DeploymentName) ..."
+        Remove-AzSubscriptionDeployment -Id $_.Id | Out-Null
+    }
+
+    # Set MDFC tier to Free for each Subscription
+    if ($resetMdfcTierOnSubs) {
+        Write-Output "Resetting MDFC tier to Free for Subscription: $($subscription.name)"
+
+        $currentMdfcForSubUnfiltered = Get-AzSecurityPricing
+        $currentMdfcForSub = $currentMdfcForSubUnfiltered | Where-Object { $_.PricingTier -ne "Free" }
+
+        ForEach ($mdfcPricingTier in $currentMdfcForSub) {
+            Write-Output "Resetting $($mdfcPricingTier.Name) to Free MDFC Pricing Tier for Subscription: $($subscription.name)"
+
+            Set-AzSecurityPricing -Name $mdfcPricingTier.Name -PricingTier 'Free' | Out-Null
+        }
+    }
+}
+
+# This function only deletes Management Groups in the Intermediate Root Management Group's hierarchy tree and will NOT delete other Intermediate Root level Management Groups and their children e.g. in the case of "canary"
+
+function Remove-Recursively {
+    [CmdletBinding(SupportsShouldProcess = $true)]
+    param (
+        [string]$name
+    )
+    if($PSCmdlet.ShouldProcess($name, "Remove-AzManagementGroup")) {
+        # Enters the parent Level
+        Write-Output "Entering the scope with $name"
+        $parent = Get-AzManagementGroup -GroupId $name -Expand -Recurse
+
+        # Checks if there is any parent level
+        if ($null -ne $parent.Children) {
+            Write-Output "Found the following Children :"
+            Write-Output ($parent.Children | Select-Object Name).Name
+
+            foreach ($children in $parent.Children) {
+                # Tries to recur to each child item
+                Remove-Recursively($children.Name)
+            }
+        }
+
+        # If no children are found at each scope
+        Write-Output "No children found in scope $name"
+        Write-Output "Removing the scope $name"
+
+        Remove-AzManagementGroup -InputObject $parent | Out-Null
+    }
+}
+
+# Check if Management Group exists for idempotency
+$managementGroups = Get-AzManagementGroup
+$managementGroup = $managementGroups | Where-Object { $_.Name -eq $intermediateRootGroupID }
+
+if($null -eq $managementGroup) {
+    Write-Output "Management Group with ID: '$intermediateRootGroupID' does not exist."
+} else {
+    Write-Output "Management Group with ID: '$intermediateRootGroupID' exists. Proceeding with deletion."
+
+    # Remove all the Management Groups in Intermediate Root Management Group's hierarchy tree, including itself
+    Remove-Recursively($intermediateRootGroupID)
+}
+
+# Stop timer
+$StopWatch.Stop()
+
+# Display timer output as table
+Write-Output "Time taken to complete task:"
+$StopWatch.Elapsed | Format-Table
diff --git a/accelerator/test_modules/managementGroup/managementGroup.bicep b/accelerator/test_modules/managementGroup/managementGroup.bicep
@@ -0,0 +1,36 @@
+targetScope = 'managementGroup'
+
+metadata name = 'ALZ Bicep - Management Groups Module with Scope Escape'
+metadata description = 'ALZ Bicep Module to set up Management Group structure, using Scope Escaping feature of ARM to allow deployment not requiring tenant root scope access.'
+
+@sys.description('Prefix used for the management group hierarchy. This management group will be created as part of the deployment.')
+@minLength(2)
+@maxLength(10)
+param parTopLevelManagementGroupPrefix string = 'alz'
+
+@sys.description('Optional suffix for the management group hierarchy. This suffix will be appended to management group names/IDs. Include a preceding dash if required. Example: -suffix')
+@maxLength(10)
+param parTopLevelManagementGroupSuffix string = ''
+
+@sys.description('Display name for top level management group. This name will be applied to the management group prefix defined in parTopLevelManagementGroupPrefix parameter.')
+@minLength(2)
+param parTopLevelManagementGroupDisplayName string = 'Azure Landing Zones'
+
+@sys.description('Optional parent for Management Group hierarchy, used as intermediate root Management Group parent, if specified. If empty, default, will deploy beneath Tenant Root Management Group.')
+param parTopLevelManagementGroupParentId string = ''
+
+resource resTopLevelMg 'Microsoft.Management/managementGroups@2023-04-01' = {
+  scope: tenant()
+  name: '${parTopLevelManagementGroupPrefix}${parTopLevelManagementGroupSuffix}'
+  properties: {
+    displayName: parTopLevelManagementGroupDisplayName
+    details: {
+      parent: {
+        id: empty(parTopLevelManagementGroupParentId) ? '/providers/Microsoft.Management/managementGroups/${tenant().tenantId}' : contains(toLower(parTopLevelManagementGroupParentId), toLower('/providers/Microsoft.Management/managementGroups/')) ? parTopLevelManagementGroupParentId : '/providers/Microsoft.Management/managementGroups/${parTopLevelManagementGroupParentId}'
+      }
+    }
+  }
+}
+
+// Output Management Group IDs
+output outTopLevelManagementGroupId string = resTopLevelMg.id
diff --git a/accelerator/test_modules/managementGroup/parameters/managementGroup.parameters.all.json b/accelerator/test_modules/managementGroup/parameters/managementGroup.parameters.all.json
@@ -0,0 +1,18 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+  "contentVersion": "1.0.0.0",
+  "parameters": {
+    "parTopLevelManagementGroupPrefix": {
+      "value": "alz"
+    },
+    "parTopLevelManagementGroupSuffix": {
+      "value": ""
+    },
+    "parTopLevelManagementGroupDisplayName": {
+      "value": "Azure Landing Zones"
+    },
+    "parTopLevelManagementGroupParentId": {
+      "value": ""
+    }
+  }
+}
diff --git a/docs/wiki/Accelerator.md b/docs/wiki/Accelerator.md
@@ -1,10 +1,20 @@
 <!-- markdownlint-disable -->
-## ALZ Bicep Accelerator
+## ALZ Bicep Accelerator (Classic)
 <!-- markdownlint-restore -->
 
-This document provides prescriptive guidance around implementing, automating, and maintaining your ALZ Bicep module with the ALZ Bicep Accelerator.
+> [!IMPORTANT]
+> The ALZ Bicep Accelerator has been updated to automate the bootstrapping of your Version Control System and Azure resources. The ALZ Bicep Accelerator's documentation has been moved to [aka.ms/alz/accelerator/docs](https://aka.ms/alz/accelerator/docs). Head over there now to get started!
+> Use the instructions below only if you need to use the classic version of the ALZ Bicep Accelerator.
 
-### What is the ALZ Bicep Accelerator?
+### Deprecation Notice
+
+> [!WARNING]
+> The classic version of the ALZ Bicep Accelerator will be maintained for a limited time. We recommend migrating to the new version as soon as possible.
+
+### What is the ALZ Bicep Accelerator (Classic)?
+
+> [!NOTE]
+> These instructions now include the `-bicepLegacyMode $true` parameter, which needs be set explicily to use the classic version.
 
 The ALZ Bicep Accelerator framework was developed to provide end-users with the following abilities:
 
@@ -67,7 +77,7 @@ In order to setup the Accelerator framework with the production GitHub Action Wo
 1. Create your ALZ Bicep Accelerator framework with the following ALZ PowerShell Module cmdlet:
 
     ```powershell
-    Deploy-Accelerator -o <output_directory> -i "bicep" -b "alz_github
+    Deploy-Accelerator -o <output_directory> -i "bicep" -b "alz_github" -bicepLegacyMode $true
     ```
 
     > **Note:**
@@ -137,7 +147,7 @@ In order to setup the Accelerator framework with the production ready Azure DevO
 1. Create your ALZ Bicep Accelerator framework with the following ALZ PowerShell Module cmdlet:
 
     ```powershell
-    Deploy-Accelerator -o <output_directory> -i "bicep" -b "alz_azuredevops"
+    Deploy-Accelerator -o <output_directory> -i "bicep" -b "alz_azuredevops" -bicepLegacyMode $true
     ```
 
     > **Note:**
@@ -217,20 +227,20 @@ The ALZ-Bicep repository regularly releases new [versions](https://github.com/Az
 
 With the ALZ Accelerator framework, we have designed the pipelines and directory structure to make it easy to upgrade to the latest ALZ Bicep version. The following steps will guide you through the upgrade process.
 
-1. Prior to upgrading, read the release note:s for the version you are upgrading to. The release note:s will provide you with information on any breaking changes that may impact your deployment. This is especially important if you have created any custom modules or have [modified any of the ALZ Bicep modules](#incorporating-modified-alz-modules) that may have dependencies on the modules that are being upgraded.
+1. Prior to upgrading, read the release notes for the version you are upgrading to. The release notes will provide you with information on any breaking changes that may impact your deployment. This is especially important if you have created any custom modules or have [modified any of the ALZ Bicep modules](#incorporating-modified-alz-modules) that may have dependencies on the modules that are being upgraded.
 
 1. Using the ALZ PowerShell Module, you can update to the latest or a specified version. You must specifiy the same IaC, Bootstrap and Output directory that you used when you initially deployed the ALZ Bicep Accelerator.
 
     Here is an example of using the cmdlet to upgrade to the latest version:
 
     ```powershell
-    Deploy-Accelerator -i "bicep" -b "alz_github" -o "C:\Repos\ALZ\accelerator"
+    Deploy-Accelerator -i "bicep" -b "alz_github" -o "C:\Repos\ALZ\accelerator" -bicepLegacyMode $true
     ```
 
     Here is an example of using the to upgrade to version v0.17.2:
 
     ```powershell
-    Deploy-Accelerator -i "bicep" -b "alz_github" -v "v0.17.2" -o "C:\Repos\ALZ\accelerator"
+    Deploy-Accelerator -i "bicep" -b "alz_github" -v "v0.17.2" -o "C:\Repos\ALZ\accelerator" -bicepLegacyMode $true
     ```
 
     You will be prompted for inputs again and the upgrade will be run for you.

diff --git a/infra-as-code/bicep/modules/README.md b/infra-as-code/bicep/modules/README.md
@@ -12,7 +12,6 @@ To get started with ALZ Bicep, please refer to the [Deployment Flow wiki page][w
 2. High-level deployment flow.
 3. Links to more detailed instructions on individual modules.
 
-
  [//]: # (************************)
  [//]: # (INSERT LINK LABELS BELOW)
  [//]: # (************************)

diff --git a/version.json b/version.json
@@ -1,6 +1,6 @@
 {
-  "version": "0.18.0",
-  "gitTag": "v0.18.0",
-  "releaseNotes": "https://github.com/Azure/ALZ-Bicep/releases/tag/v0.18.0",
-  "releaseDateTimeUTC": "20240709T0222079056Z"
+  "version": "0.19.0",
+  "gitTag": "v0.19.0",
+  "releaseNotes": "https://github.com/Azure/ALZ-Bicep/releases/tag/v0.19.0",
+  "releaseDateTimeUTC": "20240713T1000000000Z"
 }