Portal Accelerator Update: Defender for Cloud ARM template and AzFW AZs

docs/wiki/Whats-new.md

@@ -50,6 +50,7 @@ Here's what's changed in Enterprise Scale/Azure Landing Zones:
 #### Tooling
 
 - Add new Regulatory Compliance Policy Assignment flexibility feature
+- Added ARM template to enable Microsoft Defender for Cloud as part of the deployment. Policies will still remediate additional subscriptions added to ALZ after deployment.
 
 ### February 2024
 

eslzArm/eslz-portal.json

@@ -2281,11 +2281,21 @@
                                 ]
                             }
                         },
+                        {
+                            "name": "esFWAZNote",
+                            "type": "Microsoft.Common.InfoBox",
+                            "visible": "[if(or(equals(steps('connectivity').enableHub, 'vhub'), equals(steps('connectivity').enableHub, 'vwan')), and(equals(steps('connectivity').enableAzFw,'Yes'), contains(split('brazilsouth,canadacentral,centralus,eastus,eastus2,southcentralus,westus2,westus3,francecentral,germanywestcentral,northeurope,norwayeast,uksouth,westeurope,swedencentral,switzerlandnorth,qatarcentral,uaenorth,southafricanorth,australiaeast,centralindia,japaneast,koreacentral,southeastasia,eastasia,italynorth', ','), steps('connectivity').connectivityLocation)), false)]",
+                            "options": {
+                                "text": "ALZ enables Availability Zones for all services that it deploys by default for maximum resiliency in regions where Availability Zones are supported, including for Azure Firewall. Review the selected Availability Zones meet your architectural requirements and that you understand the added costs for inbound and outbound data transfers associated with Avaialability Zones, before proceeding. Click on this box to learn more about the Availability Zones and Azure Firewall.",
+                                "uri": "https://learn.microsoft.com/en-us/azure/firewall/features#built-in-high-availability",
+                                "style": "Info"
+                            }
+                        },
                         {
                             "name": "firewallZones",
                             "type": "Microsoft.Common.DropDown",
                             "label": "Select Availability Zones for the Azure Firewall",
-                            "defaultValue": "None",
+                            "defaultValue": [{"value": "1"}, {"value": "2"}, {"value": "3"}],
                             "multiselect": true,
                             "selectAll": true,
                             "filter": true,

eslzArm/eslzArm.json

@@ -1088,7 +1088,8 @@
             "ChangeTrackingVmArcPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-ChangeTrackingVMArcPolicyAssignment.json')]",
             "ChangeTrackingVmssPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-ChangeTrackingVMSSPolicyAssignment.json')]",
             "MDFCDefenderSqlAma": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-MDFCDefenderSQLAMAPolicyAssignment.json')]",
-            "dataCollectionRuleMdfcDefenderSQL": "[uri(deployment().properties.templateLink.uri, 'resourceGroupTemplates/dataCollectionRule-DefenderSQL.json')]"
+            "dataCollectionRuleMdfcDefenderSQL": "[uri(deployment().properties.templateLink.uri, 'resourceGroupTemplates/dataCollectionRule-DefenderSQL.json')]",
+            "MDFCSubscriptionEnablement": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/mdfcConfiguration.json')]"
         },
         // Declaring deterministic deployment names
         "deploymentSuffix": "[concat('-', deployment().location, '-', guid(parameters('enterpriseScaleCompanyPrefix'), parameters('currentDateTimeUtcNow')))]",
@@ -1187,7 +1188,8 @@
             "ChangeTrackingVmArcDeploymentName": "[take(concat('alz-ChangeTracking-VMArc', variables('deploymentSuffix')), 64)]",
             "ChangeTrackingVmssDeploymentName": "[take(concat('alz-ChangeTracking-VMSS', variables('deploymentSuffix')), 64)]",
             "MDFCDefenderSqlAmaDeploymentName": "[take(concat('alz-MDFCDefenderSqlAma', variables('deploymentSuffix')), 64)]",
-            "dataCollectionRuleMdfcDefenderSQLDeploymentName": "[take(concat('alz-DataCollectionRuleDefenderSQL', variables('deploymentSuffix')), 64)]"
+            "dataCollectionRuleMdfcDefenderSQLDeploymentName": "[take(concat('alz-DataCollectionRuleDefenderSQL', variables('deploymentSuffix')), 64)]",
+            "MDFCSubscriptionEnableDeploymentName": "[take(concat('alz-MDFCSubEnable', variables('deploymentSuffix')), 62)]"
         },
         "esLiteDeploymentNames": {
             "mgmtGroupLiteDeploymentName": "[take(concat('alz-MgsLite', variables('deploymentSuffix')), 64)]",
@@ -2319,6 +2321,85 @@
                 }
             }
         },
+        {
+            // Assigning Microsoft Defender for Cloud configurations to subscriptions if condition is true (not policy)
+            "condition": "[and(equals(parameters('enableAsc'), 'Yes'), not(empty(variables('subscriptionIds'))))]",
+            "type": "Microsoft.Resources/deployments",
+            "apiVersion": "2020-10-01",
+            "name": "[concat(variables('deploymentNames').MDFCSubscriptionEnableDeploymentName, copyIndex())]",
+            "subscriptionId": "[variables('subscriptionIds')[copyIndex()]]",
+            "location": "[deployment().location]",
+            "dependsOn": [
+                "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]",
+                "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').connectivitySubscriptionPlacement)]",
+                "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').identitySubscriptionPlacement)]",
+                "[resourceId('Microsoft.Resources/deployments', variables('esLitedeploymentNames').platformLiteSubscriptionPlacement)]",
+                "onlineLzs",
+                "corpLzs",
+                "corpConnectedMoveLzs"
+            ],
+            "copy": {
+                "name": "MDFCSubscriptionEnable",
+                "count": "[length(variables('subscriptionIds'))]"
+            },
+            "properties": {
+                "mode": "Incremental",
+                "templateLink": {
+                    "contentVersion": "1.0.0.0",
+                    "uri": "[variables('deploymentUris').MDFCSubscriptionEnablement]"
+                },
+                "parameters": {
+                    "logAnalyticsResourceId": {
+                        "value": "[variables('platformResourceIds').logAnalyticsResourceId]"
+                    },
+                    "resourceGroupLocation": {
+                        "value": "[deployment().location]"
+                    },
+                    "resourceGroupName": {
+                        "value": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-asc-export')]"
+                    },
+                    "emailContactAsc": {
+                        "value": "[parameters('emailContactAsc')]"
+                    },
+                    "enableAscForServers": {
+                        "value": "[parameters('enableAscForServers')]"
+                    },
+                    "enableAscForSql": {
+                        "value": "[parameters('enableAscForSql')]"
+                    },
+                    "enableAscForAppServices": {
+                        "value": "[parameters('enableAscForAppServices')]"
+                    },
+                    "enableAscForStorage": {
+                        "value": "[parameters('enableAscForStorage')]"
+                    },
+                    "enableAscForContainers": {
+                        "value": "[parameters('enableAscForContainers')]"
+                    },
+                    "enableAscForKeyVault": {
+                        "value": "[parameters('enableAscForKeyVault')]"
+                    },
+                    "enableAscForSqlOnVm": {
+                        "value": "[parameters('enableAscForSqlOnVm')]"
+                    },
+                    "enableAscForArm": {
+                        "value": "[parameters('enableAscForArm')]"
+                    },
+                    "enableAscForApis": {
+                        "value": "[parameters('enableAscForApis')]"
+                    },
+                    "enableAscForCspm": {
+                        "value": "[parameters('enableAscForCspm')]"
+                    },
+                    "enableAscForOssDb": {
+                        "value": "[parameters('enableAscForOssDb')]"
+                    },
+                    "enableAscForCosmosDbs": {
+                        "value": "[parameters('enableAscForCosmosDbs')]"
+                    }
+                }
+            }
+        },
         {
             // Assigning Azure Security Center configuration policy initiative to intermediate root management group if condition is true
             "condition": "[and(or(not(empty(parameters('managementSubscriptionId'))), not(empty(parameters('singlePlatformSubscriptionId')))), equals(parameters('enableAsc'), 'Yes'), equals(environment().resourceManager, 'https://management.azure.com/'))]",