From 7b747f176ea234b347307c6cce9fcb833f8e1707 Mon Sep 17 00:00:00 2001 
From: Jason Masten Date: Mon, 22 Jan 2024 14:49:04 -0500 Subject: [PATCH 1/7] Added zero trust configs for storage & virtual machines (#815) * Added storage pvt endpoints & customer managed keys, Fixed idempotency * Fixed pvt endpoint names * Fixed storage pvt endpoint name * Added pvt endpoint for key vault * Updated nic name for storage pvt endpoint * Added CMK for VMs, Fixed VM settings * Added pvt endpoints for table storage * Fixed deployment name * Fixed deployment name * Removed comment * Fixed role assignment for DES * Fixed hybrid use benefit for linux vm * Updated images to G2 for trusted launch support * Updated API version, Organized code * Fixed group ID for pvt endpoint * Compiled bicep changes * Updated API version, Added custom name for the NIC * Added location abbreviation to naming convention * Compiled bicep changes * Fixed pvt endpoint & NIC name * Added guest attestation for trusted launch * Fixed resource naming * Added settings, Updated API versions * Fixed network access * Compiled bicep changes * Added dependency * Moved hybrid use benefit input * Updated names for Azure Monitor deployment --- src/bicep/core/hub-diagnostics.bicep | 58 + src/bicep/core/hub-network.bicep | 304 +- src/bicep/core/hub-storage.bicep | 35 + .../operations-customer-managed-keys.bicep | 52 + src/bicep/core/remote-access.bicep | 146 +- src/bicep/core/spoke-diagnostics.bicep | 30 + src/bicep/core/spoke-network.bicep | 81 +- src/bicep/core/spoke-storage.bicep | 35 + src/bicep/form/mlz.portal.json | 64 +- src/bicep/mlz.bicep | 567 +- src/bicep/mlz.json | 11960 ++++++++-------- src/bicep/modules/azure-monitor.bicep | 97 + src/bicep/modules/bastion-host.bicep | 28 +- src/bicep/modules/disk-encryption-set.bicep | 42 + src/bicep/modules/firewall-diagnostics.bicep | 27 + src/bicep/modules/firewall.bicep | 75 +- src/bicep/modules/key-vault.bicep | 147 + src/bicep/modules/linux-virtual-machine.bicep | 136 +- src/bicep/modules/network-interface.bicep | 1 - 
.../network-security-group-diagnostics.bicep | 26 + .../modules/network-security-group.bicep | 22 +- src/bicep/modules/network-watcher.bicep | 10 + src/bicep/modules/private-dns.bicep | 1 + src/bicep/modules/private-link.bicep | 127 - .../public-ip-address-diagnostics.bicep | 25 + src/bicep/modules/public-ip-address.bicep | 29 +- src/bicep/modules/route-table.bicep | 7 +- src/bicep/modules/storage-account.bicep | 93 +- .../modules/user-assigned-identity.bicep | 21 + .../modules/virtual-network-diagnostics.bicep | 25 + src/bicep/modules/virtual-network.bicep | 25 +- .../modules/windows-virtual-machine.bicep | 109 +- 32 files changed, 7630 insertions(+), 6775 deletions(-) create mode 100644 src/bicep/core/hub-diagnostics.bicep create mode 100644 src/bicep/core/hub-storage.bicep create mode 100644 src/bicep/core/operations-customer-managed-keys.bicep create mode 100644 src/bicep/core/spoke-diagnostics.bicep create mode 100644 src/bicep/core/spoke-storage.bicep create mode 100644 src/bicep/modules/azure-monitor.bicep create mode 100644 src/bicep/modules/disk-encryption-set.bicep create mode 100644 src/bicep/modules/firewall-diagnostics.bicep create mode 100644 src/bicep/modules/key-vault.bicep create mode 100644 src/bicep/modules/network-security-group-diagnostics.bicep create mode 100644 src/bicep/modules/network-watcher.bicep delete mode 100644 src/bicep/modules/private-link.bicep create mode 100644 src/bicep/modules/public-ip-address-diagnostics.bicep create mode 100644 src/bicep/modules/user-assigned-identity.bicep create mode 100644 src/bicep/modules/virtual-network-diagnostics.bicep
diff --git a/src/bicep/core/hub-diagnostics.bicep b/src/bicep/core/hub-diagnostics.bicep
new file mode 100644
index 000000000..40ed0359e
--- /dev/null
+++ b/src/bicep/core/hub-diagnostics.bicep
@@ -0,0 +1,58 @@
+param firewallDiagnosticsLogs array
+param firewallDiagnosticsMetrics array
+param firewallName string
+param hubStorageAccountResourceId string
+param logAnalyticsWorkspaceResourceId string
+param networkSecurityGroupDiagnosticsLogs array
+param networkSecurityGroupDiagnosticsMetrics array
+param networkSecurityGroupName string
+param publicIPAddressDiagnosticsLogs array
+param publicIPAddressDiagnosticsMetrics array
+param publicIPAddressNames array
+param virtualNetworkDiagnosticsLogs array
+param virtualNetworkDiagnosticsMetrics array
+param virtualNetworkName string
+
+module networkSecurityGroupDiagnostics '../modules/network-security-group-diagnostics.bicep' = {
+ name: 'networkSecurityGroupDiagnostics'
+ params: {
+ logAnalyticsWorkspaceResourceId: logAnalyticsWorkspaceResourceId
+ logs: networkSecurityGroupDiagnosticsLogs
+ logStorageAccountResourceId: hubStorageAccountResourceId
+ metrics: networkSecurityGroupDiagnosticsMetrics
+ name: networkSecurityGroupName
+ }
+}
+
+module virtualNetworkDiagnostics '../modules/virtual-network-diagnostics.bicep' = {
+ name: 'virtualNetworkDiagnostics'
+ params: {
+ logAnalyticsWorkspaceResourceId: logAnalyticsWorkspaceResourceId
+ logs: virtualNetworkDiagnosticsLogs
+ logStorageAccountResourceId: hubStorageAccountResourceId
+ metrics: virtualNetworkDiagnosticsMetrics
+ name: virtualNetworkName
+ }
+}
+
+module publicIpAddressDiagnostics '../modules/public-ip-address-diagnostics.bicep' = [for publicIPAddressName in publicIPAddressNames: {
+ name: 'publicIPAddressDiagnostics_${publicIPAddressName}'
+ params: {
+ hubStorageAccountResourceId: hubStorageAccountResourceId
+ logAnalyticsWorkspaceResourceId: logAnalyticsWorkspaceResourceId
+ name: publicIPAddressName
+ publicIPAddressDiagnosticsLogs: publicIPAddressDiagnosticsLogs
+ publicIPAddressDiagnosticsMetrics: publicIPAddressDiagnosticsMetrics
+ }
+}]
+
+module firewallDiagnostics '../modules/firewall-diagnostics.bicep' = {
+ name: 'firewallDiagnostics'
+ params: {
+ logAnalyticsWorkspaceResourceId: logAnalyticsWorkspaceResourceId
+ logs: firewallDiagnosticsLogs
+ logStorageAccountResourceId: hubStorageAccountResourceId
+ metrics: firewallDiagnosticsMetrics
+ name: firewallName
+ }
+}
diff --git a/src/bicep/core/hub-network.bicep b/src/bicep/core/hub-network.bicep
index 1360d5c4f..b3f2dbfb2 100644
--- a/src/bicep/core/hub-network.bicep
+++ b/src/bicep/core/hub-network.bicep
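Review bot: In src/bicep/core/hub-diagnostics.bicep the looped deployment name `'publicIPAddressDiagnostics_${publicIPAddressName}'` is unbounded, while an ARM deployment name is limited to 64 characters and the fixed prefix already uses 27 of them. A long public IP name would fail that nested deployment and leave the address without diagnostic settings, so I would cap the name, e.g. `name: take('publicIPAddressDiagnostics_${publicIPAddressName}', 64)`. This call also passes `hubStorageAccountResourceId` and `publicIPAddressDiagnosticsLogs` where the three sibling calls use `logStorageAccountResourceId`, `logs` and `metrics`; aligning the parameter names of public-ip-address-diagnostics.bicep would make the four calls read the same.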
@@ -3,248 +3,194 @@ Copyright (c) Microsoft Corporation. Licensed under the MIT License. */ -param location string = resourceGroup().location -param tags object = {} - -param logStorageAccountName string -param logStorageSkuName string -param vNetDnsServers array = [] - -param logAnalyticsWorkspaceResourceId string - -param virtualNetworkName string -param virtualNetworkAddressPrefix string -param virtualNetworkDiagnosticsLogs array -param virtualNetworkDiagnosticsMetrics array - -param networkSecurityGroupName string -param networkSecurityGroupRules array -param networkSecurityGroupDiagnosticsLogs array -param networkSecurityGroupDiagnosticsMetrics array - -param subnetName string -param subnetAddressPrefix string -param subnetServiceEndpoints array - -param routeTableName string = '${subnetName}-routetable' -param routeTableRouteName string = 'default_route' -param routeTableRouteAddressPrefix string = '0.0.0.0/0' -param routeTableRouteNextHopType string = 'VirtualAppliance' - -param firewallName string -param firewallSkuTier string -param firewallPolicyName string - -param enableProxy bool = false -param dnsServers array = [] - -param firewallSupernetIPAddress string - -@allowed([ - 'Alert' - 'Deny' - 'Off' -]) -param firewallThreatIntelMode string - +param bastionHostSubnetAddressPrefix string +param deployRemoteAccess bool +param dnsServers array +param enableProxy bool +param firewallClientIpConfigurationName string +param firewallClientPrivateIpAddress string +param firewallClientPublicIPAddressAvailabilityZones array +param firewallClientPublicIPAddressName string +param firewallClientPublicIPAddressSkuName string +param firewallClientPublicIpAllocationMethod string +param firewallClientSubnetAddressPrefix string +param firewallClientSubnetName string @allowed([ 'Alert' 'Deny' 'Off' ]) param firewallIntrusionDetectionMode string -param firewallDiagnosticsLogs array -param firewallDiagnosticsMetrics array -param firewallClientIpConfigurationName string 
-param firewallClientSubnetName string -param firewallClientSubnetAddressPrefix string -param firewallClientSubnetServiceEndpoints array -param firewallClientPublicIPAddressName string -param firewallClientPublicIPAddressSkuName string -param firewallClientPublicIpAllocationMethod string -param firewallClientPublicIPAddressAvailabilityZones array param firewallManagementIpConfigurationName string -param firewallManagementSubnetName string -param firewallManagementSubnetAddressPrefix string -param firewallManagementSubnetServiceEndpoints array +param firewallManagementPublicIPAddressAvailabilityZones array param firewallManagementPublicIPAddressName string param firewallManagementPublicIPAddressSkuName string param firewallManagementPublicIpAllocationMethod string -param firewallManagementPublicIPAddressAvailabilityZones array - -param publicIPAddressDiagnosticsLogs array -param publicIPAddressDiagnosticsMetrics array - -module logStorage '../modules/storage-account.bicep' = { - name: 'logStorage' - params: { - storageAccountName: logStorageAccountName - location: location - skuName: logStorageSkuName - tags: tags +param firewallManagementSubnetAddressPrefix string +param firewallManagementSubnetName string +param firewallName string +param firewallPolicyName string +param firewallSkuTier string +param firewallSupernetIPAddress string +@allowed([ + 'Alert' + 'Deny' + 'Off' +]) +param firewallThreatIntelMode string +param location string +param networkSecurityGroupName string +param networkSecurityGroupRules array +param networkWatcherName string +param routeTableName string +param routeTableRouteAddressPrefix string = '0.0.0.0/0' +param routeTableRouteName string = 'default_route' +param routeTableRouteNextHopType string = 'VirtualAppliance' +param subnetAddressPrefix string +param subnetName string +param tags object +param virtualNetworkAddressPrefix string +param virtualNetworkName string +param vNetDnsServers array + +var subnets = union(subnetsCommon, 
subnetsBastion) +var subnetsBastion = deployRemoteAccess ? [ + { + name: 'AzureBastionSubnet' + properties: { + addressPrefix: bastionHostSubnetAddressPrefix + } } -} +] : [] +var subnetsCommon = [ + { + name: 'AzureFirewallSubnet' + properties: { + addressPrefix: firewallClientSubnetAddressPrefix + } + } + { + name: 'AzureFirewallManagementSubnet' + properties: { + addressPrefix: firewallManagementSubnetAddressPrefix + } + } + { + name: subnetName + properties: { + addressPrefix: subnetAddressPrefix + networkSecurityGroup: { + id: networkSecurityGroup.outputs.id + } + privateEndpointNetworkPolicies: 'Disabled' + privateLinkServiceNetworkPolicies: 'Disabled' + routeTable: { + id: routeTable.outputs.id + } + } + } +] module networkSecurityGroup '../modules/network-security-group.bicep' = { name: 'networkSecurityGroup' params: { - name: networkSecurityGroupName location: location - tags: tags - + name: networkSecurityGroupName securityRules: networkSecurityGroupRules - - logAnalyticsWorkspaceResourceId: logAnalyticsWorkspaceResourceId - logStorageAccountResourceId: logStorage.outputs.id - - logs: networkSecurityGroupDiagnosticsLogs - metrics: networkSecurityGroupDiagnosticsMetrics + tags: tags } } -module virtualNetwork '../modules/virtual-network.bicep' = { - name: 'virtualNetwork' +module routeTable '../modules/route-table.bicep' = { + name: 'routeTable' params: { - name: virtualNetworkName location: location + name: routeTableName + routeAddressPrefix: routeTableRouteAddressPrefix + routeName: routeTableRouteName + routeNextHopIpAddress: firewallClientPrivateIpAddress + routeNextHopType: routeTableRouteNextHopType tags: tags - - addressPrefix: virtualNetworkAddressPrefix - vNetDnsServers: vNetDnsServers - - subnets: [ - { - name: firewallClientSubnetName - properties: { - addressPrefix: firewallClientSubnetAddressPrefix - serviceEndpoints: firewallClientSubnetServiceEndpoints - } - } - { - name: firewallManagementSubnetName - properties: { - addressPrefix: 
firewallManagementSubnetAddressPrefix - serviceEndpoints: firewallManagementSubnetServiceEndpoints - } - } - ] - - logAnalyticsWorkspaceResourceId: logAnalyticsWorkspaceResourceId - logStorageAccountResourceId: logStorage.outputs.id - - logs: virtualNetworkDiagnosticsLogs - metrics: virtualNetworkDiagnosticsMetrics } } -module routeTable '../modules/route-table.bicep' = { - name: 'routeTable' +module networkWatcher '../modules/network-watcher.bicep' = { + name: 'networkWatcher' params: { - name: routeTableName location: location + name: networkWatcherName tags: tags - - routeName: routeTableRouteName - routeAddressPrefix: routeTableRouteAddressPrefix - routeNextHopIpAddress: firewall.outputs.privateIPAddress - routeNextHopType: routeTableRouteNextHopType } } -resource subnet 'Microsoft.Network/virtualNetworks/subnets@2021-02-01' = { - name: '${virtualNetworkName}/${subnetName}' - properties: { - addressPrefix: subnetAddressPrefix - networkSecurityGroup: { - id: networkSecurityGroup.outputs.id - } - routeTable: { - id: routeTable.outputs.id - } - serviceEndpoints: subnetServiceEndpoints - privateEndpointNetworkPolicies: 'Disabled' - privateLinkServiceNetworkPolicies: 'Enabled' +module virtualNetwork '../modules/virtual-network.bicep' = { + name: 'virtualNetwork' + params: { + addressPrefix: virtualNetworkAddressPrefix + location: location + name: virtualNetworkName + subnets: subnets + tags: tags + vNetDnsServers: vNetDnsServers } dependsOn: [ - virtualNetwork - firewall + networkWatcher ] } module firewallClientPublicIPAddress '../modules/public-ip-address.bicep' = { name: 'firewallClientPublicIPAddress' params: { - name: firewallClientPublicIPAddressName + availabilityZones: firewallClientPublicIPAddressAvailabilityZones location: location - tags: tags - - skuName: firewallClientPublicIPAddressSkuName + name: firewallClientPublicIPAddressName publicIpAllocationMethod: firewallClientPublicIpAllocationMethod - availabilityZones: 
firewallClientPublicIPAddressAvailabilityZones - - logAnalyticsWorkspaceResourceId: logAnalyticsWorkspaceResourceId - logStorageAccountResourceId: logStorage.outputs.id - - logs: publicIPAddressDiagnosticsLogs - metrics: publicIPAddressDiagnosticsMetrics + skuName: firewallClientPublicIPAddressSkuName + tags: tags } } module firewallManagementPublicIPAddress '../modules/public-ip-address.bicep' = { name: 'firewallManagementPublicIPAddress' params: { - name: firewallManagementPublicIPAddressName + availabilityZones: firewallManagementPublicIPAddressAvailabilityZones location: location - tags: tags - - skuName: firewallManagementPublicIPAddressSkuName + name: firewallManagementPublicIPAddressName publicIpAllocationMethod: firewallManagementPublicIpAllocationMethod - availabilityZones: firewallManagementPublicIPAddressAvailabilityZones - - logAnalyticsWorkspaceResourceId: logAnalyticsWorkspaceResourceId - logStorageAccountResourceId: logStorage.outputs.id - - logs: publicIPAddressDiagnosticsLogs - metrics: publicIPAddressDiagnosticsMetrics + skuName: firewallManagementPublicIPAddressSkuName + tags: tags } } module firewall '../modules/firewall.bicep' = { name: 'firewall' params: { - name: firewallName - location: location - tags: tags - - skuTier: firewallSkuTier - - firewallPolicyName: firewallPolicyName - threatIntelMode: firewallThreatIntelMode - intrusionDetectionMode: firewallIntrusionDetectionMode clientIpConfigurationName: firewallClientIpConfigurationName - clientIpConfigurationSubnetResourceId: '${virtualNetwork.outputs.id}/subnets/${firewallClientSubnetName}' clientIpConfigurationPublicIPAddressResourceId: firewallClientPublicIPAddress.outputs.id - firewallSupernetIPAddress: firewallSupernetIPAddress - enableProxy: enableProxy + clientIpConfigurationSubnetResourceId: '${virtualNetwork.outputs.id}/subnets/${firewallClientSubnetName}' dnsServers: dnsServers - + enableProxy: enableProxy + firewallPolicyName: firewallPolicyName + firewallSupernetIPAddress: 
firewallSupernetIPAddress + intrusionDetectionMode: firewallIntrusionDetectionMode + location: location managementIpConfigurationName: firewallManagementIpConfigurationName - managementIpConfigurationSubnetResourceId: '${virtualNetwork.outputs.id}/subnets/${firewallManagementSubnetName}' managementIpConfigurationPublicIPAddressResourceId: firewallManagementPublicIPAddress.outputs.id - - logAnalyticsWorkspaceResourceId: logAnalyticsWorkspaceResourceId - logStorageAccountResourceId: logStorage.outputs.id - - logs: firewallDiagnosticsLogs - metrics: firewallDiagnosticsMetrics + managementIpConfigurationSubnetResourceId: '${virtualNetwork.outputs.id}/subnets/${firewallManagementSubnetName}' + name: firewallName + skuTier: firewallSkuTier + tags: tags + threatIntelMode: firewallThreatIntelMode } } -output virtualNetworkName string = virtualNetwork.outputs.name -output virtualNetworkResourceId string = virtualNetwork.outputs.id -output subnetName string = subnet.name -output subnetAddressPrefix string = subnet.properties.addressPrefix -output subnetResourceId string = subnet.id +output bastionHostSubnetResourceId string = deployRemoteAccess ? virtualNetwork.outputs.subnets[3].id : '' +output firewallName string = firewall.outputs.name +output firewallPrivateIPAddress string = firewall.outputs.privateIPAddress output networkSecurityGroupName string = networkSecurityGroup.outputs.name output networkSecurityGroupResourceId string = networkSecurityGroup.outputs.id -output firewallPrivateIPAddress string = firewall.outputs.privateIPAddress +output subnetAddressPrefix string = virtualNetwork.outputs.subnets[2].properties.addressPrefix +output subnetName string = virtualNetwork.outputs.subnets[2].name +output subnetResourceId string = virtualNetwork.outputs.subnets[2].id +output virtualNetworkName string = virtualNetwork.outputs.name +output virtualNetworkResourceId string = virtualNetwork.outputs.id 
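Review bot: In src/bicep/core/hub-network.bicep the workload subnet in `subnetsCommon` is created with `privateEndpointNetworkPolicies: 'Disabled'`, so the NSG and the `0.0.0.0/0` route to the firewall attached to that same subnet are not applied to traffic destined for private endpoints placed in it. The commit appears to put the storage and Key Vault private endpoints into this subnet (hub-storage.bicep takes a `subnetResourceId`), so if the target clouds support it I would set `privateEndpointNetworkPolicies: 'Enabled'` and let the subnet's rules govern endpoint traffic too. Separately, the outputs read `virtualNetwork.outputs.subnets[2]` and `subnets[3]` by position; a comment beside `subnetsCommon` such as `// order is load-bearing: outputs index subnets[2] and subnets[3]` would keep a later insertion from silently handing callers the wrong subnet ID.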
diff --git a/src/bicep/core/hub-storage.bicep b/src/bicep/core/hub-storage.bicep
new file mode 100644
index 000000000..5c3ee7015
--- /dev/null
+++ b/src/bicep/core/hub-storage.bicep
@@ -0,0 +1,35 @@
+/*
+Copyright (c) Microsoft Corporation.
+Licensed under the MIT License.
+*/
+
+param blobsPrivateDnsZoneResourceId string
+param keyVaultUri string
+param logStorageAccountName string
+param logStorageSkuName string
+param location string
+param resourcePrefix string
+param storageEncryptionKeyName string
+param subnetResourceId string
+param tablesPrivateDnsZoneResourceId string
+param tags object
+param userAssignedIdentityResourceId string
+
+module storageAccount '../modules/storage-account.bicep' = {
+ name: 'storage'
+ params: {
+ blobsPrivateDnsZoneResourceId: blobsPrivateDnsZoneResourceId
+ userAssignedIdentityResourceId: userAssignedIdentityResourceId
+ keyVaultUri: keyVaultUri
+ location: location
+ resourcePrefix: resourcePrefix
+ skuName: logStorageSkuName
+ storageAccountName: logStorageAccountName
+ storageEncryptionKeyName: storageEncryptionKeyName
+ subnetResourceId: subnetResourceId
+ tablesPrivateDnsZoneResourceId: tablesPrivateDnsZoneResourceId
+ tags: tags
+ }
+}
+
+output storageAccountResourceId string = storageAccount.outputs.id
diff --git a/src/bicep/core/operations-customer-managed-keys.bicep b/src/bicep/core/operations-customer-managed-keys.bicep
new file mode 100644
index 000000000..d4a7fcd7b
--- /dev/null
+++ b/src/bicep/core/operations-customer-managed-keys.bicep
@@ -0,0 +1,52 @@
+/*
+Copyright (c) Microsoft Corporation.
+Licensed under the MIT License.
+*/
+
+param diskEncryptionSetName string
+param deploymentNameSuffix string
+param keyVaultName string
+param keyVaultPrivateDnsZoneResourceId string
+param location string
+param resourcePrefix string
+param subnetResourceId string
+param tags object
+param userAssignedIdentityName string
+
+module keyVault '../modules/key-vault.bicep' = {
+ name: 'deploy-key-vault-${deploymentNameSuffix}'
+ params: {
+ keyVaultName: keyVaultName
+ keyVaultPrivateDnsZoneResourceId: keyVaultPrivateDnsZoneResourceId
+ location: location
+ resourcePrefix: resourcePrefix
+ subnetResourceId: subnetResourceId
+ tags: tags
+ }
+}
+
+module diskEncryptionSet '../modules/disk-encryption-set.bicep' = {
+ name: 'deploy-disk-encryption-set_${deploymentNameSuffix}'
+ params: {
+ deploymentNameSuffix: deploymentNameSuffix
+ diskEncryptionSetName: diskEncryptionSetName
+ keyUrl: keyVault.outputs.keyUriWithVersion
+ keyVaultResourceId: keyVault.outputs.keyVaultResourceId
+ location: location
+ tags: contains(tags, 'Microsoft.Compute/diskEncryptionSets') ? tags['Microsoft.Compute/diskEncryptionSets'] : {}
+ }
+}
+
+module userAssignedIdentity '../modules/user-assigned-identity.bicep' = {
+ name: 'deploy-user-assigned-identity-${deploymentNameSuffix}'
+ params: {
+ location: location
+ name: userAssignedIdentityName
+ tags: tags
+ }
+}
+
+output diskEncryptionSetResourceId string = diskEncryptionSet.outputs.resourceId
+output keyVaultUri string = keyVault.outputs.keyVaultUri
+output storageKeyName string = keyVault.outputs.storageKeyName
+output userAssignedIdentityResourceId string = userAssignedIdentity.outputs.resourceId
diff --git a/src/bicep/core/remote-access.bicep b/src/bicep/core/remote-access.bicep
index 3fdcf3e77..349870266 100644
--- a/src/bicep/core/remote-access.bicep
+++ b/src/bicep/core/remote-access.bicep
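Review bot: In src/bicep/core/operations-customer-managed-keys.bicep the three modules receive `tags` in two different shapes: `diskEncryptionSet` gets the per-resource-type entry (`tags['Microsoft.Compute/diskEncryptionSets']`), while `keyVault` and `userAssignedIdentity` get the whole `tags` object. If `tags` is keyed by resource type, as that lookup implies, the other two modules must do the same selection internally (not visible here); otherwise nested objects would be passed as tag values. I would settle on one convention, for example pass `tags: tags` to all three and select inside each module. The deployment name `'deploy-disk-encryption-set_${deploymentNameSuffix}'` also uses `_` where its two siblings use `-`.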
@@ -3,151 +3,141 @@ Copyright (c) Microsoft Corporation. Licensed under the MIT License. */ -param location string -param tags object = {} - -param hubVirtualNetworkName string -param hubSubnetResourceId string -param hubNetworkSecurityGroupResourceId string - +param bastionHostIPConfigurationName string param bastionHostName string -param bastionHostSubnetAddressPrefix string -param bastionHostPublicIPAddressName string -param bastionHostPublicIPAddressSkuName string param bastionHostPublicIPAddressAllocationMethod string param bastionHostPublicIPAddressAvailabilityZones array -param bastionHostIPConfigurationName string - -param linuxNetworkInterfaceName string +param bastionHostPublicIPAddressName string +param bastionHostPublicIPAddressSkuName string +param bastionHostSubnetResourceId string +param diskEncryptionSetResourceId string +param hubNetworkSecurityGroupResourceId string +param hubSubnetResourceId string +param hybridUseBenefit bool +param linuxDiskName string param linuxNetworkInterfaceIpConfigurationName string +param linuxNetworkInterfaceName string param linuxNetworkInterfacePrivateIPAddressAllocationMethod string - -param linuxVmName string -param linuxVmSize string -param linuxVmOsDiskCreateOption string -param linuxVmOsDiskType string -param linuxVmImagePublisher string -param linuxVmImageOffer string -param linuxVmImageSku string -param linuxVmImageVersion string +@secure() +@minLength(12) +param linuxVmAdminPasswordOrKey string param linuxVmAdminUsername string @allowed([ 'sshPublicKey' 'password' ]) param linuxVmAuthenticationType string -@secure() -@minLength(12) -param linuxVmAdminPasswordOrKey string - -param windowsNetworkInterfaceName string +param linuxVmImageOffer string +param linuxVmImagePublisher string +param linuxVmImageSku string +param linuxVmImageVersion string +param linuxVmName string +param linuxVmOsDiskCreateOption string +param linuxVmOsDiskType string +param linuxVmSize string +param location string +param 
logAnalyticsWorkspaceId string +param tags object +param windowsDiskName string param windowsNetworkInterfaceIpConfigurationName string +param windowsNetworkInterfaceName string param windowsNetworkInterfacePrivateIPAddressAllocationMethod string - -param windowsVmName string -param windowsVmSize string -param windowsVmAdminUsername string @secure() @minLength(12) param windowsVmAdminPassword string -param windowsVmPublisher string +param windowsVmAdminUsername string +param windowsVmCreateOption string +param windowsVmName string param windowsVmOffer string +param windowsVmPublisher string +param windowsVmSize string param windowsVmSku string -param windowsVmVersion string -param windowsVmCreateOption string param windowsVmStorageAccountType string - -param logAnalyticsWorkspaceId string - -resource hubVirtualNetwork 'Microsoft.Network/virtualNetworks@2021-02-01' existing = { - name: hubVirtualNetworkName -} +param windowsVmVersion string module bastionHost '../modules/bastion-host.bicep' = { name: 'remoteAccess-bastionHost' - params: { - name: bastionHostName + bastionHostSubnetResourceId: bastionHostSubnetResourceId + ipConfigurationName: bastionHostIPConfigurationName location: location - tags: tags - - virtualNetworkName: hubVirtualNetwork.name - subnetAddressPrefix: bastionHostSubnetAddressPrefix - publicIPAddressName: bastionHostPublicIPAddressName - publicIPAddressSkuName: bastionHostPublicIPAddressSkuName + name: bastionHostName publicIPAddressAllocationMethod: bastionHostPublicIPAddressAllocationMethod publicIPAddressAvailabilityZones: bastionHostPublicIPAddressAvailabilityZones - ipConfigurationName: bastionHostIPConfigurationName + publicIPAddressName: bastionHostPublicIPAddressName + publicIPAddressSkuName: bastionHostPublicIPAddressSkuName + tags: tags } } module linuxNetworkInterface '../modules/network-interface.bicep' = { name: 'remoteAccess-linuxNetworkInterface' params: { - name: linuxNetworkInterfaceName - location: location - tags: tags - 
ipConfigurationName: linuxNetworkInterfaceIpConfigurationName + location: location + name: linuxNetworkInterfaceName networkSecurityGroupId: hubNetworkSecurityGroupResourceId privateIPAddressAllocationMethod: linuxNetworkInterfacePrivateIPAddressAllocationMethod subnetId: hubSubnetResourceId + tags: tags } } module linuxVirtualMachine '../modules/linux-virtual-machine.bicep' = { name: 'remoteAccess-linuxVirtualMachine' params: { - name: linuxVmName + adminPasswordOrKey: linuxVmAdminPasswordOrKey + adminUsername: linuxVmAdminUsername + authenticationType: linuxVmAuthenticationType + diskEncryptionSetResourceId: diskEncryptionSetResourceId + diskName: linuxDiskName location: location - tags: tags - - vmSize: linuxVmSize + logAnalyticsWorkspaceId: logAnalyticsWorkspaceId + name: linuxVmName + networkInterfaceName: linuxNetworkInterface.outputs.name osDiskCreateOption: linuxVmOsDiskCreateOption osDiskType: linuxVmOsDiskType - vmImagePublisher: linuxVmImagePublisher + tags: tags vmImageOffer: linuxVmImageOffer + vmImagePublisher: linuxVmImagePublisher vmImageSku: linuxVmImageSku vmImageVersion: linuxVmImageVersion - adminUsername: linuxVmAdminUsername - authenticationType: linuxVmAuthenticationType - adminPasswordOrKey: linuxVmAdminPasswordOrKey - networkInterfaceName: linuxNetworkInterface.outputs.name - logAnalyticsWorkspaceId: logAnalyticsWorkspaceId + vmSize: linuxVmSize } } module windowsNetworkInterface '../modules/network-interface.bicep' = { name: 'remoteAccess-windowsNetworkInterface' params: { - name: windowsNetworkInterfaceName - location: location - tags: tags - ipConfigurationName: windowsNetworkInterfaceIpConfigurationName + location: location + name: windowsNetworkInterfaceName networkSecurityGroupId: hubNetworkSecurityGroupResourceId privateIPAddressAllocationMethod: windowsNetworkInterfacePrivateIPAddressAllocationMethod subnetId: hubSubnetResourceId + tags: tags } } module windowsVirtualMachine '../modules/windows-virtual-machine.bicep' = { name: 
'remoteAccess-windowsVirtualMachine' params: { - name: windowsVmName - location: location - tags: tags - - size: windowsVmSize - adminUsername: windowsVmAdminUsername adminPassword: windowsVmAdminPassword - publisher: windowsVmPublisher + adminUsername: windowsVmAdminUsername + createOption: windowsVmCreateOption + diskEncryptionSetResourceId: diskEncryptionSetResourceId + diskName: windowsDiskName + hybridUseBenefit: hybridUseBenefit + location: location + logAnalyticsWorkspaceId: logAnalyticsWorkspaceId + name: windowsVmName + networkInterfaceName: windowsNetworkInterface.outputs.name offer: windowsVmOffer + publisher: windowsVmPublisher + size: windowsVmSize sku: windowsVmSku - version: windowsVmVersion - createOption: windowsVmCreateOption storageAccountType: windowsVmStorageAccountType - networkInterfaceName: windowsNetworkInterface.outputs.name - logAnalyticsWorkspaceId: logAnalyticsWorkspaceId + tags: tags + version: windowsVmVersion } } diff --git a/src/bicep/core/spoke-diagnostics.bicep b/src/bicep/core/spoke-diagnostics.bicep new file mode 100644 index 000000000..d1ab9d7e6 --- /dev/null +++ b/src/bicep/core/spoke-diagnostics.bicep 
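Review bot: In src/bicep/core/remote-access.bicep the new parameters `diskEncryptionSetResourceId`, `bastionHostSubnetResourceId`, `hybridUseBenefit`, `linuxDiskName` and `windowsDiskName` are added without `@description`, and `tags` loses its `= {}` default, so every caller must now supply them with nothing in the file stating what is expected. The encryption parameter is the one I would document first, since it is forwarded to both VM modules and presumably carries the customer-managed key the commit message refers to: `@description('Resource ID of the disk encryption set used to encrypt the Linux and Windows VM disks.')`. A one-line description on `bastionHostSubnetResourceId` noting that the subnet is now created by the hub network module rather than here would also help.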
@@ -0,0 +1,30 @@
+param hubStorageAccountResourceId string
+param logAnalyticsWorkspaceResourceId string
+param networkSecurityGroupDiagnosticsLogs array
+param networkSecurityGroupDiagnosticsMetrics array
+param networkSecurityGroupName string
+param virtualNetworkDiagnosticsLogs array
+param virtualNetworkDiagnosticsMetrics array
+param virtualNetworkName string
+
+module networkSecurityGroupDiagnostics '../modules/network-security-group-diagnostics.bicep' = {
+ name: 'networkSecurityGroupDiagnostics'
+ params: {
+ logAnalyticsWorkspaceResourceId: logAnalyticsWorkspaceResourceId
+ logs: networkSecurityGroupDiagnosticsLogs
+ logStorageAccountResourceId: hubStorageAccountResourceId
+ metrics: networkSecurityGroupDiagnosticsMetrics
+ name: networkSecurityGroupName
+ }
+}
+
+module virtualNetworkDiagnostics '../modules/virtual-network-diagnostics.bicep' = {
+ name: 'virtualNetworkDiagnostics'
+ params: {
+ logAnalyticsWorkspaceResourceId: logAnalyticsWorkspaceResourceId
+ logs: virtualNetworkDiagnosticsLogs
+ logStorageAccountResourceId: hubStorageAccountResourceId
+ metrics: virtualNetworkDiagnosticsMetrics
+ name: virtualNetworkName
+ }
+}
diff --git a/src/bicep/core/spoke-network.bicep b/src/bicep/core/spoke-network.bicep
index 25ea25b4c..dfe013e28 100644
--- a/src/bicep/core/spoke-network.bicep
+++ b/src/bicep/core/spoke-network.bicep
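Review bot: In src/bicep/core/spoke-diagnostics.bicep the log destination parameter is named `hubStorageAccountResourceId`, yet it is passed to both modules as `logStorageAccountResourceId` and the same commit adds a spoke-storage.bicep. If a spoke's NSG and virtual network logs are meant to land in that spoke's own account, the name will mislead whoever wires this module up; renaming it to `logStorageAccountResourceId`, or adding an `@description` that states which account is expected, removes the ambiguity. The file also lacks the copyright and license header that the other new core files in this patch carry.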
@@ -3,92 +3,52 @@ Copyright (c) Microsoft Corporation. Licensed under the MIT License. */ -param location string = resourceGroup().location -param tags object = {} - -param logStorageAccountName string -param logStorageSkuName string - -param logAnalyticsWorkspaceResourceId string - -param firewallPrivateIPAddress string - -param virtualNetworkName string -param virtualNetworkAddressPrefix string -param virtualNetworkDiagnosticsLogs array -param virtualNetworkDiagnosticsMetrics array -param vNetDnsServers array - +param location string param networkSecurityGroupName string param networkSecurityGroupRules array - -param networkSecurityGroupDiagnosticsLogs array -param networkSecurityGroupDiagnosticsMetrics array - -param subnetName string -param subnetAddressPrefix string -param subnetServiceEndpoints array - -param routeTableName string = '${subnetName}-routetable' +param routeTableName string param routeTableRouteName string = 'default_route' param routeTableRouteAddressPrefix string = '0.0.0.0/0' -param routeTableRouteNextHopIpAddress string = firewallPrivateIPAddress +param routeTableRouteNextHopIpAddress string param routeTableRouteNextHopType string = 'VirtualAppliance' - +param subnetAddressPrefix string +param subnetName string param subnetPrivateEndpointNetworkPolicies string param subnetPrivateLinkServiceNetworkPolicies string - -module logStorage '../modules/storage-account.bicep' = { - name: 'logStorage' - params: { - storageAccountName: logStorageAccountName - location: location - skuName: logStorageSkuName - tags: tags - } -} +param tags object +param virtualNetworkAddressPrefix string +param virtualNetworkName string +param vNetDnsServers array module networkSecurityGroup '../modules/network-security-group.bicep' = { name: 'networkSecurityGroup' params: { - name: networkSecurityGroupName location: location - tags: tags - + name: networkSecurityGroupName securityRules: networkSecurityGroupRules - - logAnalyticsWorkspaceResourceId: 
logAnalyticsWorkspaceResourceId - logStorageAccountResourceId: logStorage.outputs.id - - logs: networkSecurityGroupDiagnosticsLogs - metrics: networkSecurityGroupDiagnosticsMetrics + tags: tags } } module routeTable '../modules/route-table.bicep' = { name: 'routeTable' params: { - name: routeTableName location: location - tags: tags - - routeName: routeTableRouteName + name: routeTableName routeAddressPrefix: routeTableRouteAddressPrefix + routeName: routeTableRouteName routeNextHopIpAddress: routeTableRouteNextHopIpAddress routeNextHopType: routeTableRouteNextHopType + tags: tags } } module virtualNetwork '../modules/virtual-network.bicep' = { name: 'virtualNetwork' params: { - name: virtualNetworkName - location: location - tags: tags - addressPrefix: virtualNetworkAddressPrefix - vNetDnsServers: vNetDnsServers - + location: location + name: virtualNetworkName subnets: [ { name: subnetName @@ -100,18 +60,13 @@ module virtualNetwork '../modules/virtual-network.bicep' = { routeTable: { id: routeTable.outputs.id } - serviceEndpoints: subnetServiceEndpoints privateEndpointNetworkPolicies: subnetPrivateEndpointNetworkPolicies privateLinkServiceNetworkPolicies: subnetPrivateLinkServiceNetworkPolicies } } ] - - logAnalyticsWorkspaceResourceId: logAnalyticsWorkspaceResourceId - logStorageAccountResourceId: logStorage.outputs.id - - logs: virtualNetworkDiagnosticsLogs - metrics: virtualNetworkDiagnosticsMetrics + tags: tags + vNetDnsServers: vNetDnsServers } } diff --git a/src/bicep/core/spoke-storage.bicep b/src/bicep/core/spoke-storage.bicep new file mode 100644 index 000000000..a3851e9e2 --- /dev/null +++ b/src/bicep/core/spoke-storage.bicep 
@@ -0,0 +1,35 @@ +/* +Copyright (c) Microsoft Corporation. +Licensed under the MIT License. +*/ + +param blobsPrivateDnsZoneResourceId string +param keyVaultUri string +param location string +param logStorageAccountName string +param logStorageSkuName string +param resourcePrefix string +param storageEncryptionKeyName string +param subnetResourceId string +param tablesPrivateDnsZoneResourceId string +param tags object +param userAssignedIdentityResourceId string + +module storageAccount '../modules/storage-account.bicep' = { + name: 'storage' + params: { + blobsPrivateDnsZoneResourceId: blobsPrivateDnsZoneResourceId + keyVaultUri: keyVaultUri + location: location + resourcePrefix: resourcePrefix + skuName: logStorageSkuName + storageAccountName: logStorageAccountName + storageEncryptionKeyName: storageEncryptionKeyName + subnetResourceId: subnetResourceId + tablesPrivateDnsZoneResourceId: tablesPrivateDnsZoneResourceId + tags: tags + userAssignedIdentityResourceId: userAssignedIdentityResourceId + } +} + +output ResourceId string = storageAccount.outputs.id diff --git a/src/bicep/form/mlz.portal.json b/src/bicep/form/mlz.portal.json index 59624478e..ad5c6b0eb 100644 --- a/src/bicep/form/mlz.portal.json +++ b/src/bicep/form/mlz.portal.json @@ -217,8 +217,8 @@ "required": true, "validations": [ { - "regex": "^[a-z0-9]{1,10}$", - "message": "The prefix must be between 1-10 lowercase characters and numbers." + "regex": "^[a-z][a-z0-9]{1,9}$", + "message": "The prefix must contain alphanumeric characters, begin with a letter, letters must be lowercase, and not exceed 10 characters." } ] } @@ -902,6 +902,15 @@ "options": { "hideConfirmation": false } + }, + { + "name": "hybridUseBenefit", + "type": "Microsoft.Common.CheckBox", + "label": "Enable Hybrid Use Benefit?", + "toolTip": "Check here to enable the Hybrid Use Benefit on your virtual machines.", + "constraints": { + "required": false + } } ] }, 
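Review bot: The new prefix pattern in the `validations` entry, `^[a-z][a-z0-9]{1,9}$`, requires at least two characters, but the message only mentions the ten-character maximum, so a one-letter prefix that the old pattern accepted is now rejected without an explanation. If a single letter should remain valid, use `"regex": "^[a-z][a-z0-9]{0,9}$"`; otherwise state the range in the message, for example "must be 2-10 characters". The form element that owns this validation starts and ends outside the hunk.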
@@ -981,37 +990,38 @@ "location": "[steps('basics').locationSection.location.name]", "subscriptionId": "[steps('basics').hubSection.hubSubscriptionId]", "parameters": { - "resourcePrefix": "[steps('basics').namingSection.resourcePrefix]", - "resourceSuffix": "[steps('basics').namingSection.resourceSuffix]", - "hubSubscriptionId": "[replace(steps('basics').hubSection.hubSubscriptionId, '/subscriptions/', '')]", - "identitySubscriptionId": "[replace(steps('basics').identitySection.identitySubscriptionId, '/subscriptions/', '')]", - "operationsSubscriptionId": "[replace(steps('basics').operationsSection.operationsSubscriptionId, '/subscriptions/', '')]", - "sharedServicesSubscriptionId": "[replace(steps('basics').sharedServicesSection.sharedServicesSubscriptionId, '/subscriptions/', '')]", - "location": "[steps('basics').locationSection.location.name]", - "firewallSupernetIPAddress": "[steps('networking').hubVirtualNetwork.superNetworkAddressCidrRange]", - "tags": "[if(not(contains(steps('tags').tagsByResource, 'MissionLandingZone')), parse('{}'), first(map(parse(concat('[', string(steps('tags').tagsByResource), ']')), (item) => item.MissionLandingZone)))]", - "hubVirtualNetworkAddressPrefix": "[steps('networking').hubVirtualNetwork.virtualNetworkAddressCidrRange]", - "hubSubnetAddressPrefix": "[steps('networking').hubVirtualNetwork.subnetAddressCidrRange]", + "bastionHostSubnetAddressPrefix": "[steps('remoteAccess').azureBastionSubnetSection.bastionSubnetAddressCidrRange]", + "deployDefender": "[steps('compliance').defenderSection.deployDefender]", + "deployPolicy": "[steps('compliance').policySection.deployPolicy]", + "deployRemoteAccess": "[steps('remoteAccess').remoteAccessSection.deployRemoteAccess]", + "deploySentinel": "[steps('compliance').sentinelSection.deploySentinel]", + "emailSecurityContact": "[steps('compliance').defenderSection.emailSecurityContact]", "firewallClientSubnetAddressPrefix": 
"[steps('networking').hubVirtualNetwork.firewallClientSubnetAddressCidrRange]", "firewallManagementSubnetAddressPrefix": "[steps('networking').hubVirtualNetwork.firewallManagementSubnetAddressCidrRange]", - "identityVirtualNetworkAddressPrefix": "[steps('networking').identityVirtualNetwork.virtualNetworkAddressCidrRange]", + "firewallSupernetIPAddress": "[steps('networking').hubVirtualNetwork.superNetworkAddressCidrRange]", + "hubSubnetAddressPrefix": "[steps('networking').hubVirtualNetwork.subnetAddressCidrRange]", + "hubSubscriptionId": "[replace(steps('basics').hubSection.hubSubscriptionId, '/subscriptions/', '')]", + "hubVirtualNetworkAddressPrefix": "[steps('networking').hubVirtualNetwork.virtualNetworkAddressCidrRange]", + "hybridUseBenefit": "[steps('remoteAccess').windowsVmSection.hybridUseBenefit]", "identitySubnetAddressPrefix": "[steps('networking').identityVirtualNetwork.subnetAddressCidrRange]", - "operationsVirtualNetworkAddressPrefix": "[steps('networking').operationsVirtualNetwork.virtualNetworkAddressCidrRange]", + "identitySubscriptionId": "[replace(steps('basics').identitySection.identitySubscriptionId, '/subscriptions/', '')]", + "identityVirtualNetworkAddressPrefix": "[steps('networking').identityVirtualNetwork.virtualNetworkAddressCidrRange]", + "linuxVmAdminPasswordOrKey": "[if(equals(steps('remoteAccess').linuxVmSection.linuxVmAdminPasswordOrKey.authenticationType, 'password'), steps('remoteAccess').linuxVmSection.linuxVmAdminPasswordOrKey.password, steps('remoteAccess').linuxVmSection.linuxVmAdminPasswordOrKey.sshPublicKey)]", + "linuxVmAdminUsername": "[steps('remoteAccess').linuxVmSection.linuxVmAdminUsername]", + "linuxVmAuthenticationType": "password", + "location": "[steps('basics').locationSection.location.name]", "operationsSubnetAddressPrefix": "[steps('networking').operationsVirtualNetwork.subnetAddressCidrRange]", - "sharedServicesVirtualNetworkAddressPrefix": 
"[steps('networking').sharedServicesVirtualNetwork.virtualNetworkAddressCidrRange]", - "sharedServicesSubnetAddressPrefix": "[steps('networking').sharedServicesVirtualNetwork.subnetAddressCidrRange]", - "deploySentinel": "[steps('compliance').sentinelSection.deploySentinel]", - "deployPolicy": "[steps('compliance').policySection.deployPolicy]", + "operationsSubscriptionId": "[replace(steps('basics').operationsSection.operationsSubscriptionId, '/subscriptions/', '')]", + "operationsVirtualNetworkAddressPrefix": "[steps('networking').operationsVirtualNetwork.virtualNetworkAddressCidrRange]", "policy": "[steps('compliance').policySection.policy]", - "deployDefender": "[steps('compliance').defenderSection.deployDefender]", - "emailSecurityContact": "[steps('compliance').defenderSection.emailSecurityContact]", - "deployRemoteAccess": "[steps('remoteAccess').remoteAccessSection.deployRemoteAccess]", - "bastionHostSubnetAddressPrefix": "[steps('remoteAccess').azureBastionSubnetSection.bastionSubnetAddressCidrRange]", - "windowsVmAdminUsername": "[steps('remoteAccess').windowsVmSection.windowsVmAdminUsername]", + "resourcePrefix": "[steps('basics').namingSection.resourcePrefix]", + "resourceSuffix": "[steps('basics').namingSection.resourceSuffix]", + "sharedServicesSubnetAddressPrefix": "[steps('networking').sharedServicesVirtualNetwork.subnetAddressCidrRange]", + "sharedServicesSubscriptionId": "[replace(steps('basics').sharedServicesSection.sharedServicesSubscriptionId, '/subscriptions/', '')]", + "sharedServicesVirtualNetworkAddressPrefix": "[steps('networking').sharedServicesVirtualNetwork.virtualNetworkAddressCidrRange]", + "tags": "[if(not(contains(steps('tags').tagsByResource, 'MissionLandingZone')), parse('{}'), first(map(parse(concat('[', string(steps('tags').tagsByResource), ']')), (item) => item.MissionLandingZone)))]", "windowsVmAdminPassword": "[steps('remoteAccess').windowsVmSection.windowsVmAdminPassword.password]", - "linuxVmAdminUsername": 
"[steps('remoteAccess').linuxVmSection.linuxVmAdminUsername]", - "linuxVmAuthenticationType": "password", - "linuxVmAdminPasswordOrKey": "[if(equals(steps('remoteAccess').linuxVmSection.linuxVmAdminPasswordOrKey.authenticationType, 'password'), steps('remoteAccess').linuxVmSection.linuxVmAdminPasswordOrKey.password, steps('remoteAccess').linuxVmSection.linuxVmAdminPasswordOrKey.sshPublicKey)]" + "windowsVmAdminUsername": "[steps('remoteAccess').windowsVmSection.windowsVmAdminUsername]" } } } diff --git a/src/bicep/mlz.bicep b/src/bicep/mlz.bicep index 041685c48..2563b71cd 100644 --- a/src/bicep/mlz.bicep +++ b/src/bicep/mlz.bicep @@ -117,7 +117,7 @@ param firewallIntrusionDetectionMode string = 'Alert' param enableProxy bool = true @description('''['168.63.129.16'] The Azure Firewall DNS Proxy will forward all DNS traffic. When this value is set to true, you must provide a value for "servers". This should be a comma separated list of IP addresses to forward DNS traffic''') -param dnsServers array = ['168.63.129.16'] +param dnsServers array = [ '168.63.129.16' ] @description('An array of Firewall Diagnostic Logs categories to collect. See "https://docs.microsoft.com/en-us/azure/firewall/firewall-diagnostics#enable-diagnostic-logging-through-the-azure-portal" for valid values.') param firewallDiagnosticsLogs array = [ 
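Review bot: `linuxVmAuthenticationType` is still the literal `"password"` in the reordered parameters, while `linuxVmAdminPasswordOrKey` directly above it passes `sshPublicKey` whenever that option is selected in the form. From these lines alone it looks as if an SSH public key would then be applied as the account password, which makes a non-secret value the login credential; how the template treats the pair is not visible here. Passing the selection through keeps the two consistent: `"linuxVmAuthenticationType": "[steps('remoteAccess').linuxVmSection.linuxVmAdminPasswordOrKey.authenticationType]"`, provided the template parameter accepts the values the control emits.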
@@ -143,15 +143,9 @@ param firewallDiagnosticsMetrics array = [ } ] -@description('An array of Service Endpoints to enable for the Azure Firewall Client Subnet. See https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview for valid settings.') -param firewallClientSubnetServiceEndpoints array = [] - @description('An array of Azure Firewall Public IP Address Availability Zones. It defaults to empty, or "No-Zone", because Availability Zones are not available in every cloud. See https://docs.microsoft.com/en-us/azure/virtual-network/ip-services/public-ip-addresses#sku for valid settings.') param firewallClientPublicIPAddressAvailabilityZones array = [] -@description('An array of Service Endpoints to enable for the Azure Firewall Management Subnet. See https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview for valid settings.') -param firewallManagementSubnetServiceEndpoints array = [] - @description('An array of Azure Firewall Public IP Address Availability Zones. It defaults to empty, or "No-Zone", because Availability Zones are not available in every cloud. See https://docs.microsoft.com/en-us/azure/virtual-network/ip-services/public-ip-addresses#sku for valid settings.') param firewallManagementPublicIPAddressAvailabilityZones array = [] 
@@ -208,13 +202,6 @@ param hubNetworkSecurityGroupDiagnosticsLogs array = [ @description('An array of Network Security Group Metrics to apply to enable for the Hub Virtual Network. See https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/diagnostic-settings?tabs=CMD#metrics for valid settings.') param hubNetworkSecurityGroupDiagnosticsMetrics array = [] -@description('An array of Service Endpoints to enable for the Hub subnet. See https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview for valid settings.') -param hubSubnetServiceEndpoints array = [ - { - service: 'Microsoft.Storage' - } -] - // IDENTITY PARAMETERS @description('An array of Network Diagnostic Logs to enable for the Identity Virtual Network. See https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/diagnostic-settings?tabs=CMD#logs for valid settings.') @@ -265,13 +252,6 @@ param identityNetworkSecurityGroupDiagnosticsLogs array = [ @description('An array of Network Security Group Metrics to apply to enable for the Identity Virtual Network. See https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/diagnostic-settings?tabs=CMD#metrics for valid settings.') param identityNetworkSecurityGroupDiagnosticsMetrics array = [] -@description('An array of Service Endpoints to enable for the Identity subnet. See https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview for valid settings.') -param identitySubnetServiceEndpoints array = [ - { - service: 'Microsoft.Storage' - } -] - // OPERATIONS PARAMETERS @description('An array of Network Diagnostic Logs to enable for the Operations Virtual Network. See https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/diagnostic-settings?tabs=CMD#logs for valid settings.') 
@@ -322,13 +302,6 @@ param operationsNetworkSecurityGroupDiagnosticsLogs array = [ @description('An array of Network Security Group Diagnostic Metrics to enable for the Operations Virtual Network. See https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/diagnostic-settings?tabs=CMD#metrics for valid settings.') param operationsNetworkSecurityGroupDiagnosticsMetrics array = [] -@description('An array of Service Endpoints to enable for the Operations subnet. See https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview for valid settings.') -param operationsSubnetServiceEndpoints array = [ - { - service: 'Microsoft.Storage' - } -] - // SHARED SERVICES PARAMETERS @description('An array of Network Diagnostic Logs to enable for the SharedServices Virtual Network. See https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/diagnostic-settings?tabs=CMD#logs for valid settings.') @@ -379,13 +352,6 @@ param sharedServicesNetworkSecurityGroupDiagnosticsLogs array = [ @description('An array of Network Security Group Diagnostic Metrics to enable for the SharedServices Virtual Network. See https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/diagnostic-settings?tabs=CMD#metrics for valid settings.') param sharedServicesNetworkSecurityGroupDiagnosticsMetrics array = [] -@description('An array of Service Endpoints to enable for the SharedServices subnet. See https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview for valid settings.') -param sharedServicesSubnetServiceEndpoints array = [ - { - service: 'Microsoft.Storage' - } -] - // LOGGING PARAMETERS @description('When set to "true", enables Microsoft Sentinel within the Log Analytics Workspace created in this deployment. It defaults to "false".') 
@@ -422,6 +388,9 @@ param bastionHostSubnetAddressPrefix string = '10.0.100.160/27' @description('The Azure Bastion Public IP Address Availability Zones. It defaults to "No-Zone" because Availability Zones are not available in every cloud. See https://docs.microsoft.com/en-us/azure/virtual-network/ip-services/public-ip-addresses#sku for valid settings.') param bastionHostPublicIPAddressAvailabilityZones array = [] +@description('The hybrid use benefit provides a discount on virtual machines when a customer has an on-premises Windows Server license with Software Assurance.') +param hybridUseBenefit bool = false + // LINUX VIRTUAL MACHINE PARAMETERS @description('The administrator username for the Linux Virtual Machine to Azure Bastion remote into. It defaults to "azureuser".') @@ -455,7 +424,7 @@ param linuxVmImagePublisher string = 'Canonical' param linuxVmImageOffer string = 'UbuntuServer' @description('The image SKU of the Linux Virtual Machine to Azure Bastion remote into. It defaults to "18.04-LTS".') -param linuxVmImageSku string = '18.04-LTS' +param linuxVmImageSku string = '18_04-lts-gen2' @description('The image version of the Linux Virtual Machine to Azure Bastion remote into. It defaults to "latest".') param linuxVmImageVersion string = 'latest' @@ -487,7 +456,7 @@ param windowsVmPublisher string = 'MicrosoftWindowsServer' param windowsVmOffer string = 'WindowsServer' @description('The SKU of the Windows Virtual Machine to Azure Bastion remote into. It defaults to "2019-datacenter".') -param windowsVmSku string = '2019-datacenter' +param windowsVmSku string = '2019-datacenter-gensecond' @description('The version of the Windows Virtual Machine to Azure Bastion remote into. It defaults to "latest".') param windowsVmVersion string = 'latest' 
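Review bot: The `@description` above `linuxVmImageSku` still says the default is "18.04-LTS" although the default is now `'18_04-lts-gen2'`, and the `windowsVmSku` hunk has the same mismatch ("2019-datacenter" against `'2019-datacenter-gensecond'`). Both descriptions should name the new value and say why it changed, e.g. `It defaults to "18_04-lts-gen2", a Generation 2 image used for Trusted Launch.` While this default is being touched, note that Ubuntu 18.04 left standard support in 2023, so a jump box built from it gets security updates only through an extended-support offering; a newer LTS Gen2 SKU may be a safer default.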
@@ -545,9 +514,11 @@ param emailSecurityContact string = '' */ +var locations = (loadJsonContent('data/locations.json'))[environment().name] +var locationAbbreviation = locations[location].abbreviation var resourceToken = 'resource_token' var nameToken = 'name_token' -var namingConvention = '${toLower(resourcePrefix)}-${resourceToken}-${nameToken}-${toLower(resourceSuffix)}' +var namingConvention = '${toLower(resourcePrefix)}-${resourceToken}-${nameToken}-${toLower(resourceSuffix)}-${locationAbbreviation}' /* 
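Review bot: Appending `-${locationAbbreviation}` to `namingConvention` lengthens every derived name, and `locations[location].abbreviation` fails the deployment when `location` has no entry in `data/locations.json` for the current cloud. Names with a short service limit are the ones to check: Key Vault names are capped at 24 characters, and `operationsKeyVaultName` in a later hunk is built from this convention without a `take()`, unlike the storage account names. Unless the key-vault module shortens the name (not visible here), a long `resourcePrefix` or `resourceSuffix` could produce an invalid name, so consider bounding their lengths or truncating as is done for storage. A one-line comment on `locations` stating which regions the data file covers would also help.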
@@ -566,16 +537,22 @@ var namingConvention = '${toLower(resourcePrefix)}-${resourceToken}-${nameToken} // RESOURCE NAME CONVENTIONS WITH ABBREVIATIONS var bastionHostNamingConvention = replace(namingConvention, resourceToken, 'bas') +var diskEncryptionSetNamingConvention = replace(namingConvention, resourceToken, 'des') +var diskNamingConvention = replace(namingConvention, resourceToken, 'disk') var firewallNamingConvention = replace(namingConvention, resourceToken, 'afw') var firewallPolicyNamingConvention = replace(namingConvention, resourceToken, 'afwp') +var keyVaultNamingConvention = replace(namingConvention, resourceToken, 'kv') var ipConfigurationNamingConvention = replace(namingConvention, resourceToken, 'ipconf') var logAnalyticsWorkspaceNamingConvention = replace(namingConvention, resourceToken, 'log') var networkInterfaceNamingConvention = replace(namingConvention, resourceToken, 'nic') var networkSecurityGroupNamingConvention = replace(namingConvention, resourceToken, 'nsg') +var networkWatcherNamingConvention = replace(namingConvention, resourceToken, 'nw') var publicIpAddressNamingConvention = replace(namingConvention, resourceToken, 'pip') var resourceGroupNamingConvention = replace(namingConvention, resourceToken, 'rg') -var storageAccountNamingConvention = toLower('${resourcePrefix}st${nameToken}unique_storage_token') +var routeTableNamingConvention = replace(namingConvention, resourceToken, 'rt') +var storageAccountNamingConvention = toLower('${replace(replace(namingConvention, resourceToken, 'st'), '-', '')}unique_storage_token') var subnetNamingConvention = replace(namingConvention, resourceToken, 'snet') +var userAssignedIdentityNamingConvention = replace(namingConvention, resourceToken, 'uaid') var virtualMachineNamingConvention = replace(namingConvention, resourceToken, 'vm') var virtualNetworkNamingConvention = replace(namingConvention, resourceToken, 'vnet') 
@@ -583,49 +560,57 @@ var virtualNetworkNamingConvention = replace(namingConvention, resourceToken, 'v var hubName = 'hub' var hubShortName = 'hub' -var hubResourceGroupName = replace(resourceGroupNamingConvention, nameToken, hubName) +var hubLogStorageAccountName = take(hubLogStorageAccountUniqueName, 24) var hubLogStorageAccountShortName = replace(storageAccountNamingConvention, nameToken, hubShortName) var hubLogStorageAccountUniqueName = replace(hubLogStorageAccountShortName, 'unique_storage_token', uniqueString(resourcePrefix, resourceSuffix, hubSubscriptionId)) -var hubLogStorageAccountName = take(hubLogStorageAccountUniqueName, 23) -var hubVirtualNetworkName = replace(virtualNetworkNamingConvention, nameToken, hubName) +var hubNetworkWatcherName = replace(networkWatcherNamingConvention, nameToken, hubName) var hubNetworkSecurityGroupName = replace(networkSecurityGroupNamingConvention, nameToken, hubName) +var hubResourceGroupName = replace(resourceGroupNamingConvention, nameToken, hubName) +var hubRouteTableName = replace(routeTableNamingConvention, nameToken, hubName) var hubSubnetName = replace(subnetNamingConvention, nameToken, hubName) +var hubVirtualNetworkName = replace(virtualNetworkNamingConvention, nameToken, hubName) // IDENTITY NAMES var identityName = 'identity' var identityShortName = 'id' -var identityResourceGroupName = replace(resourceGroupNamingConvention, nameToken, identityName) +var identityLogStorageAccountName = take(identityLogStorageAccountUniqueName, 24) var identityLogStorageAccountShortName = replace(storageAccountNamingConvention, nameToken, identityShortName) var identityLogStorageAccountUniqueName = replace(identityLogStorageAccountShortName, 'unique_storage_token', uniqueString(resourcePrefix, resourceSuffix, identitySubscriptionId)) -var identityLogStorageAccountName = take(identityLogStorageAccountUniqueName, 23) -var identityVirtualNetworkName = replace(virtualNetworkNamingConvention, nameToken, identityName) var 
identityNetworkSecurityGroupName = replace(networkSecurityGroupNamingConvention, nameToken, identityName) +var identityResourceGroupName = replace(resourceGroupNamingConvention, nameToken, identityName) +var identityRouteTableName = replace(routeTableNamingConvention, nameToken, identityName) var identitySubnetName = replace(subnetNamingConvention, nameToken, identityName) +var identityVirtualNetworkName = replace(virtualNetworkNamingConvention, nameToken, identityName) // OPERATIONS NAMES var operationsName = 'operations' var operationsShortName = 'ops' -var operationsResourceGroupName = replace(resourceGroupNamingConvention, nameToken, operationsName) +var operationsDiskEncryptionSetName = replace(diskEncryptionSetNamingConvention, nameToken, operationsName) +var operationsKeyVaultName = replace(keyVaultNamingConvention, nameToken, operationsShortName) +var operationsLogStorageAccountName = take(operationsLogStorageAccountUniqueName, 24) var operationsLogStorageAccountShortName = replace(storageAccountNamingConvention, nameToken, operationsShortName) var operationsLogStorageAccountUniqueName = replace(operationsLogStorageAccountShortName, 'unique_storage_token', uniqueString(resourcePrefix, resourceSuffix, operationsSubscriptionId)) -var operationsLogStorageAccountName = take(operationsLogStorageAccountUniqueName, 23) -var operationsVirtualNetworkName = replace(virtualNetworkNamingConvention, nameToken, operationsName) var operationsNetworkSecurityGroupName = replace(networkSecurityGroupNamingConvention, nameToken, operationsName) +var operationsResourceGroupName = replace(resourceGroupNamingConvention, nameToken, operationsName) +var operationsRouteTableName = replace(routeTableNamingConvention, nameToken, operationsName) var operationsSubnetName = replace(subnetNamingConvention, nameToken, operationsName) +var operationsUserAssignedIdentityName = replace(userAssignedIdentityNamingConvention, nameToken, operationsName) +var operationsVirtualNetworkName = 
replace(virtualNetworkNamingConvention, nameToken, operationsName) // SHARED SERVICES NAMES var sharedServicesName = 'sharedServices' var sharedServicesShortName = 'svcs' -var sharedServicesResourceGroupName = replace(resourceGroupNamingConvention, nameToken, sharedServicesName) +var sharedServicesLogStorageAccountName = take(sharedServicesLogStorageAccountUniqueName, 24) var sharedServicesLogStorageAccountShortName = replace(storageAccountNamingConvention, nameToken, sharedServicesShortName) var sharedServicesLogStorageAccountUniqueName = replace(sharedServicesLogStorageAccountShortName, 'unique_storage_token', uniqueString(resourcePrefix, resourceSuffix, sharedServicesSubscriptionId)) -var sharedServicesLogStorageAccountName = take(sharedServicesLogStorageAccountUniqueName, 23) -var sharedServicesVirtualNetworkName = replace(virtualNetworkNamingConvention, nameToken, sharedServicesName) var sharedServicesNetworkSecurityGroupName = replace(networkSecurityGroupNamingConvention, nameToken, sharedServicesName) +var sharedServicesResourceGroupName = replace(resourceGroupNamingConvention, nameToken, sharedServicesName) +var sharedServicesRouteTableName = replace(routeTableNamingConvention, nameToken, sharedServicesName) var sharedServicesSubnetName = replace(subnetNamingConvention, nameToken, sharedServicesName) +var sharedServicesVirtualNetworkName = replace(virtualNetworkNamingConvention, nameToken, sharedServicesName) // LOG ANALYTICS NAMES 
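Review bot: `take(..., 24)` on the four `*LogStorageAccountName` variables now cuts a string in which the prefix, `st`, the short name, the suffix and the location abbreviation all come before the `uniqueString(...)` token, so with a long prefix only a few characters of the token may survive. Storage account names are globally unique, so losing most of the token raises the chance of a name collision between deployments that share a prefix and suffix. Consider capping the readable part before the token is appended, so that the 13-character `uniqueString` is always kept whole, and add a comment stating the 24-character limit that the `take` enforces.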
@@ -642,17 +627,21 @@ var firewallManagementPublicIPAddressName = replace(publicIpAddressNamingConvent // FIREWALL VALUES +var firewallClientUsableIpAddresses = [for i in range(0, 4): cidrHost(firewallClientSubnetAddressPrefix, i)] +var firewallClientPrivateIpAddress = firewallClientUsableIpAddresses[3] var firewallPublicIpAddressSkuName = 'Standard' var firewallPublicIpAddressAllocationMethod = 'Static' -// BASTION NAMES +// REMOTE ACCESS NAMES var bastionHostName = replace(bastionHostNamingConvention, nameToken, hubName) var bastionHostPublicIPAddressName = replace(publicIpAddressNamingConvention, nameToken, 'bas') var bastionHostIPConfigurationName = replace(ipConfigurationNamingConvention, nameToken, 'bas') +var linuxDiskName = replace(diskNamingConvention, nameToken, 'bas-linux') var linuxNetworkInterfaceName = replace(networkInterfaceNamingConvention, nameToken, 'bas-linux') var linuxNetworkInterfaceIpConfigurationName = replace(ipConfigurationNamingConvention, nameToken, 'bas-linux') var linuxVmName = replace(virtualMachineNamingConvention, nameToken, 'bas-linux') +var windowsDiskName = replace(diskNamingConvention, nameToken, 'bas-windows') var windowsNetworkInterfaceName = replace(networkInterfaceNamingConvention, nameToken, 'bas-windows') var windowsNetworkInterfaceIpConfigurationName = replace(ipConfigurationNamingConvention, nameToken, 'bas-windows') var windowsVmName = replace(virtualMachineNamingConvention, nameToken, 'bas-windows') 
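Review bot: `firewallClientPrivateIpAddress` is obtained by building a four-element array and taking index 3, with nothing explaining why the fourth usable host is the firewall's address. A direct `var firewallClientPrivateIpAddress = cidrHost(firewallClientSubnetAddressPrefix, 3)` with a comment such as `// Azure reserves the first three host addresses of a subnet; the firewall receives the next one` would state the assumption. If this value is used as the next hop in the spoke route tables (not visible in this hunk), it is worth comparing it with the firewall's actual private IP, for example from the firewall module's output, so a mismatch cannot silently send spoke traffic to an address that is not the firewall.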
@@ -678,11 +667,11 @@ var spokes = [ networkSecurityGroupRules: identityNetworkSecurityGroupRules networkSecurityGroupDiagnosticsLogs: identityNetworkSecurityGroupDiagnosticsLogs networkSecurityGroupDiagnosticsMetrics: identityNetworkSecurityGroupDiagnosticsMetrics + routeTableName: identityRouteTableName subnetName: identitySubnetName subnetAddressPrefix: identitySubnetAddressPrefix - subnetServiceEndpoints: identitySubnetServiceEndpoints - subnetPrivateEndpointNetworkPolicies: 'Enabled' - subnetPrivateLinkServiceNetworkPolicies: 'Enabled' + subnetPrivateEndpointNetworkPolicies: 'Disabled' + subnetPrivateLinkServiceNetworkPolicies: 'Disabled' } { name: operationsName @@ -697,9 +686,9 @@ var spokes = [ networkSecurityGroupRules: operationsNetworkSecurityGroupRules networkSecurityGroupDiagnosticsLogs: operationsNetworkSecurityGroupDiagnosticsLogs networkSecurityGroupDiagnosticsMetrics: operationsNetworkSecurityGroupDiagnosticsMetrics + routeTableName: operationsRouteTableName subnetName: operationsSubnetName subnetAddressPrefix: operationsSubnetAddressPrefix - subnetServiceEndpoints: operationsSubnetServiceEndpoints subnetPrivateEndpointNetworkPolicies: 'Disabled' subnetPrivateLinkServiceNetworkPolicies: 'Disabled' } @@ -716,11 +705,11 @@ var spokes = [ networkSecurityGroupRules: sharedServicesNetworkSecurityGroupRules networkSecurityGroupDiagnosticsLogs: sharedServicesNetworkSecurityGroupDiagnosticsLogs networkSecurityGroupDiagnosticsMetrics: sharedServicesNetworkSecurityGroupDiagnosticsMetrics + routeTableName: sharedServicesRouteTableName subnetName: sharedServicesSubnetName subnetAddressPrefix: sharedServicesSubnetAddressPrefix - subnetServiceEndpoints: sharedServicesSubnetServiceEndpoints - subnetPrivateEndpointNetworkPolicies: 'Enabled' - subnetPrivateLinkServiceNetworkPolicies: 'Enabled' + subnetPrivateEndpointNetworkPolicies: 'Disabled' + subnetPrivateLinkServiceNetworkPolicies: 'Disabled' } ] 
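Review bot: Changing `subnetPrivateEndpointNetworkPolicies` from `'Enabled'` to `'Disabled'` for the identity spoke, and for shared services in the third hunk, means network security group rules and user-defined routes are no longer applied to private endpoints in those subnets. If the storage private endpoints added by this commit are placed there, traffic to them would not be filtered by the spoke NSG and may not follow the route through the firewall, which seems at odds with the zero-trust goal in the commit title. If the change is only for consistency with the operations spoke, consider `subnetPrivateEndpointNetworkPolicies: 'Enabled'` on all three instead, or add a comment stating why enforcement is turned off. The `spokes` array starts outside the hunk.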
@@ -789,117 +778,47 @@ module hubNetwork './core/hub-network.bicep' = { name: 'deploy-vnet-hub-${deploymentNameSuffix}' scope: resourceGroup(hubSubscriptionId, hubResourceGroupName) params: { - location: location - tags: calculatedTags - - logStorageAccountName: hubLogStorageAccountName - logStorageSkuName: logStorageSkuName - logAnalyticsWorkspaceResourceId: logAnalyticsWorkspace.outputs.id - - virtualNetworkName: hubVirtualNetworkName - virtualNetworkAddressPrefix: hubVirtualNetworkAddressPrefix - virtualNetworkDiagnosticsLogs: hubVirtualNetworkDiagnosticsLogs - virtualNetworkDiagnosticsMetrics: hubVirtualNetworkDiagnosticsMetrics - - networkSecurityGroupName: hubNetworkSecurityGroupName - networkSecurityGroupRules: hubNetworkSecurityGroupRules - networkSecurityGroupDiagnosticsLogs: hubNetworkSecurityGroupDiagnosticsLogs - networkSecurityGroupDiagnosticsMetrics: hubNetworkSecurityGroupDiagnosticsMetrics - - subnetName: hubSubnetName - subnetAddressPrefix: hubSubnetAddressPrefix - subnetServiceEndpoints: hubSubnetServiceEndpoints - - firewallName: firewallName - firewallSkuTier: firewallSkuTier - firewallPolicyName: firewallPolicyName - firewallThreatIntelMode: firewallThreatIntelMode - firewallIntrusionDetectionMode: firewallIntrusionDetectionMode - firewallDiagnosticsLogs: firewallDiagnosticsLogs - firewallDiagnosticsMetrics: firewallDiagnosticsMetrics + bastionHostSubnetAddressPrefix: bastionHostSubnetAddressPrefix + deployRemoteAccess: deployRemoteAccess + dnsServers: dnsServers + enableProxy: enableProxy firewallClientIpConfigurationName: firewallClientIpConfigurationName - firewallClientSubnetName: 'AzureFirewallSubnet' // this must be 'AzureFirewallSubnet' - firewallClientSubnetAddressPrefix: firewallClientSubnetAddressPrefix - firewallClientSubnetServiceEndpoints: firewallClientSubnetServiceEndpoints + firewallClientPrivateIpAddress: firewallClientPrivateIpAddress + firewallClientPublicIPAddressAvailabilityZones: 
firewallClientPublicIPAddressAvailabilityZones firewallClientPublicIPAddressName: firewallClientPublicIPAddressName firewallClientPublicIPAddressSkuName: firewallPublicIpAddressSkuName firewallClientPublicIpAllocationMethod: firewallPublicIpAddressAllocationMethod - firewallClientPublicIPAddressAvailabilityZones: firewallClientPublicIPAddressAvailabilityZones + firewallClientSubnetAddressPrefix: firewallClientSubnetAddressPrefix + firewallClientSubnetName: 'AzureFirewallSubnet' // this must be 'AzureFirewallSubnet' + firewallIntrusionDetectionMode: firewallIntrusionDetectionMode firewallManagementIpConfigurationName: firewallManagementIpConfigurationName - firewallManagementSubnetName: 'AzureFirewallManagementSubnet' // this must be 'AzureFirewallManagementSubnet' - firewallManagementSubnetAddressPrefix: firewallManagementSubnetAddressPrefix - firewallManagementSubnetServiceEndpoints: firewallManagementSubnetServiceEndpoints + firewallManagementPublicIPAddressAvailabilityZones: firewallManagementPublicIPAddressAvailabilityZones firewallManagementPublicIPAddressName: firewallManagementPublicIPAddressName firewallManagementPublicIPAddressSkuName: firewallPublicIpAddressSkuName firewallManagementPublicIpAllocationMethod: firewallPublicIpAddressAllocationMethod - firewallManagementPublicIPAddressAvailabilityZones: firewallManagementPublicIPAddressAvailabilityZones + firewallManagementSubnetAddressPrefix: firewallManagementSubnetAddressPrefix + firewallManagementSubnetName: 'AzureFirewallManagementSubnet' // this must be 'AzureFirewallManagementSubnet' + firewallName: firewallName + firewallPolicyName: firewallPolicyName + firewallSkuTier: firewallSkuTier firewallSupernetIPAddress: firewallSupernetIPAddress - - publicIPAddressDiagnosticsLogs: publicIPAddressDiagnosticsLogs - publicIPAddressDiagnosticsMetrics: publicIPAddressDiagnosticsMetrics - enableProxy: enableProxy - dnsServers: dnsServers - } -} - -module hubNetworkDNS './core/hub-network.bicep' = { - name: 
'deploy-vnet-hub-DNS-${deploymentNameSuffix}' - scope: resourceGroup(hubSubscriptionId, hubResourceGroupName) - params: { + firewallThreatIntelMode: firewallThreatIntelMode location: location - tags: calculatedTags - - logStorageAccountName: hubLogStorageAccountName - logStorageSkuName: logStorageSkuName - logAnalyticsWorkspaceResourceId: logAnalyticsWorkspace.outputs.id - - virtualNetworkName: hubVirtualNetworkName - virtualNetworkAddressPrefix: hubVirtualNetworkAddressPrefix - virtualNetworkDiagnosticsLogs: hubVirtualNetworkDiagnosticsLogs - virtualNetworkDiagnosticsMetrics: hubVirtualNetworkDiagnosticsMetrics - networkSecurityGroupName: hubNetworkSecurityGroupName networkSecurityGroupRules: hubNetworkSecurityGroupRules - networkSecurityGroupDiagnosticsLogs: hubNetworkSecurityGroupDiagnosticsLogs - networkSecurityGroupDiagnosticsMetrics: hubNetworkSecurityGroupDiagnosticsMetrics - - subnetName: hubSubnetName + networkWatcherName: hubNetworkWatcherName + routeTableName: hubRouteTableName subnetAddressPrefix: hubSubnetAddressPrefix - subnetServiceEndpoints: hubSubnetServiceEndpoints - - firewallName: firewallName - firewallSkuTier: firewallSkuTier - firewallPolicyName: firewallPolicyName - firewallThreatIntelMode: firewallThreatIntelMode - firewallIntrusionDetectionMode: firewallIntrusionDetectionMode - firewallDiagnosticsLogs: firewallDiagnosticsLogs - firewallDiagnosticsMetrics: firewallDiagnosticsMetrics - firewallClientIpConfigurationName: firewallClientIpConfigurationName - firewallClientSubnetName: 'AzureFirewallSubnet' // this must be 'AzureFirewallSubnet' - firewallClientSubnetAddressPrefix: firewallClientSubnetAddressPrefix - firewallClientSubnetServiceEndpoints: firewallClientSubnetServiceEndpoints - firewallClientPublicIPAddressName: firewallClientPublicIPAddressName - firewallClientPublicIPAddressSkuName: firewallPublicIpAddressSkuName - firewallClientPublicIpAllocationMethod: firewallPublicIpAddressAllocationMethod - 
firewallClientPublicIPAddressAvailabilityZones: firewallClientPublicIPAddressAvailabilityZones - firewallManagementIpConfigurationName: firewallManagementIpConfigurationName - firewallManagementSubnetName: 'AzureFirewallManagementSubnet' // this must be 'AzureFirewallManagementSubnet' - firewallManagementSubnetAddressPrefix: firewallManagementSubnetAddressPrefix - firewallManagementSubnetServiceEndpoints: firewallManagementSubnetServiceEndpoints - firewallManagementPublicIPAddressName: firewallManagementPublicIPAddressName - firewallManagementPublicIPAddressSkuName: firewallPublicIpAddressSkuName - firewallManagementPublicIpAllocationMethod: firewallPublicIpAddressAllocationMethod - firewallManagementPublicIPAddressAvailabilityZones: firewallManagementPublicIPAddressAvailabilityZones - firewallSupernetIPAddress: firewallSupernetIPAddress - vNetDnsServers: [hubNetwork.outputs.firewallPrivateIPAddress] - - publicIPAddressDiagnosticsLogs: publicIPAddressDiagnosticsLogs - publicIPAddressDiagnosticsMetrics: publicIPAddressDiagnosticsMetrics - enableProxy: enableProxy - dnsServers: dnsServers + subnetName: hubSubnetName + tags: calculatedTags + virtualNetworkAddressPrefix: hubVirtualNetworkAddressPrefix + virtualNetworkName: hubVirtualNetworkName + vNetDnsServers: [ + firewallClientPrivateIpAddress + ] } dependsOn: [ - hubNetwork + hubResourceGroup ] } 
@@ -908,33 +827,22 @@ module spokeNetworks './core/spoke-network.bicep' = [for spoke in spokes: { scope: resourceGroup(spoke.subscriptionId, spoke.resourceGroupName) params: { location: location - tags: calculatedTags - - logStorageAccountName: spoke.logStorageAccountName - logStorageSkuName: logStorageSkuName - - logAnalyticsWorkspaceResourceId: logAnalyticsWorkspace.outputs.id - - firewallPrivateIPAddress: hubNetwork.outputs.firewallPrivateIPAddress - vNetDnsServers: [hubNetwork.outputs.firewallPrivateIPAddress] - - virtualNetworkName: spoke.virtualNetworkName - virtualNetworkAddressPrefix: spoke.virtualNetworkAddressPrefix - virtualNetworkDiagnosticsLogs: spoke.virtualNetworkDiagnosticsLogs - virtualNetworkDiagnosticsMetrics: spoke.virtualNetworkDiagnosticsMetrics - networkSecurityGroupName: spoke.networkSecurityGroupName networkSecurityGroupRules: spoke.networkSecurityGroupRules - networkSecurityGroupDiagnosticsLogs: spoke.networkSecurityGroupDiagnosticsLogs - networkSecurityGroupDiagnosticsMetrics: spoke.networkSecurityGroupDiagnosticsMetrics - - subnetName: spoke.subnetName + routeTableName: spoke.routeTableName + routeTableRouteNextHopIpAddress: firewallClientPrivateIpAddress subnetAddressPrefix: spoke.subnetAddressPrefix - subnetServiceEndpoints: spoke.subnetServiceEndpoints - + subnetName: spoke.subnetName subnetPrivateEndpointNetworkPolicies: spoke.subnetPrivateEndpointNetworkPolicies subnetPrivateLinkServiceNetworkPolicies: spoke.subnetPrivateLinkServiceNetworkPolicies + tags: calculatedTags + virtualNetworkAddressPrefix: spoke.virtualNetworkAddressPrefix + virtualNetworkName: spoke.virtualNetworkName + vNetDnsServers: [ hubNetwork.outputs.firewallPrivateIPAddress ] } + dependsOn: [ + spokeResourceGroups + ] }] // VIRTUAL NETWORK PEERINGS 
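Review bot: The spoke parameters now take the firewall address from two different sources. `routeTableRouteNextHopIpAddress: firewallClientPrivateIpAddress` uses the value computed from the subnet prefix, while `vNetDnsServers` a few lines later still reads `hubNetwork.outputs.firewallPrivateIPAddress`. If the two ever disagree, each spoke's route would forward traffic to an address that is not the firewall while DNS still works, which is hard to spot. Using the output for both, `routeTableRouteNextHopIpAddress: hubNetwork.outputs.firewallPrivateIPAddress`, keeps one source of truth, and the module already depends on `hubNetwork` through the DNS parameter. The module declaration starts above the hunk.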
@@ -964,79 +872,217 @@ module spokeVirtualNetworkPeerings './core/spoke-network-peering.bicep' = [for ( } }] -// POLICY ASSIGNMENTS +// PRIVATE DNS -module hubPolicyAssignment './modules/policy-assignment.bicep' = if (deployPolicy) { - name: 'assign-policy-hub-${deploymentNameSuffix}' +module privateDnsZones './modules/private-dns.bicep' = { + name: 'deploy-private-dns-zones-${deploymentNameSuffix}' scope: resourceGroup(hubSubscriptionId, hubResourceGroupName) params: { - builtInAssignment: policy - logAnalyticsWorkspaceName: logAnalyticsWorkspace.outputs.name - logAnalyticsWorkspaceResourceGroupName: logAnalyticsWorkspace.outputs.resourceGroupName - operationsSubscriptionId: operationsSubscriptionId + vnetName: hubNetwork.outputs.virtualNetworkName + tags: tags + } +} + +// OPERATIONS CMK DEPENDANCIES + +module operationsCustomerManagedKeys './core/operations-customer-managed-keys.bicep' = { + name: 'deploy-cmk-ops-${deploymentNameSuffix}' + scope: resourceGroup(operationsSubscriptionId, operationsResourceGroupName) + params: { + deploymentNameSuffix: deploymentNameSuffix + diskEncryptionSetName: operationsDiskEncryptionSetName + keyVaultName: operationsKeyVaultName + keyVaultPrivateDnsZoneResourceId: privateDnsZones.outputs.keyvaultDnsPrivateDnsZoneId location: location + resourcePrefix: resourcePrefix + subnetResourceId: spokeNetworks[1].outputs.subnetResourceId + tags: calculatedTags + userAssignedIdentityName: operationsUserAssignedIdentityName } + dependsOn: [ + spokeNetworks + ] } -module spokePolicyAssignments './modules/policy-assignment.bicep' = [for spoke in spokes: if (deployPolicy) { - name: 'assign-policy-${spoke.name}-${deploymentNameSuffix}' - scope: resourceGroup(spoke.subscriptionId, spoke.resourceGroupName) +// AZURE MONITOR + +module azureMonitor './modules/azure-monitor.bicep' = if (contains(supportedClouds, environment().name)) { + name: 'deploy-azure-monitor-${deploymentNameSuffix}' + scope: resourceGroup(operationsSubscriptionId, 
operationsResourceGroupName) params: { - builtInAssignment: policy logAnalyticsWorkspaceName: logAnalyticsWorkspace.outputs.name - logAnalyticsWorkspaceResourceGroupName: logAnalyticsWorkspace.outputs.resourceGroupName - operationsSubscriptionId: operationsSubscriptionId + logAnalyticsWorkspaceResourceId: logAnalyticsWorkspace.outputs.id + monitorPrivateDnsZoneId: privateDnsZones.outputs.monitorPrivateDnsZoneId + omsPrivateDnsZoneId: privateDnsZones.outputs.omsPrivateDnsZoneId + odsPrivateDnsZoneId: privateDnsZones.outputs.odsPrivateDnsZoneId + agentsvcPrivateDnsZoneId: privateDnsZones.outputs.agentsvcPrivateDnsZoneId location: location + tags: tags + resourcePrefix: resourcePrefix + subnetResourceId: spokeNetworks[1].outputs.subnetResourceId } -}] + dependsOn: [ + logAnalyticsWorkspace + privateDnsZones + spokeNetworks + ] +} -// PRIVATE DNS +// REMOTE ACCESS -module azurePrivateDns './modules/private-dns.bicep' = { - name: 'azure-private-dns' +module remoteAccess './core/remote-access.bicep' = if (deployRemoteAccess) { + name: 'deploy-remote-access-${deploymentNameSuffix}' scope: resourceGroup(hubSubscriptionId, hubResourceGroupName) params: { - vnetName: hubNetwork.outputs.virtualNetworkName + bastionHostIPConfigurationName: bastionHostIPConfigurationName + bastionHostName: bastionHostName + bastionHostPublicIPAddressAllocationMethod: bastionHostPublicIPAddressAllocationMethod + bastionHostPublicIPAddressAvailabilityZones: bastionHostPublicIPAddressAvailabilityZones + bastionHostPublicIPAddressName: bastionHostPublicIPAddressName + bastionHostPublicIPAddressSkuName: bastionHostPublicIPAddressSkuName + bastionHostSubnetResourceId: hubNetwork.outputs.bastionHostSubnetResourceId + hubNetworkSecurityGroupResourceId: hubNetwork.outputs.networkSecurityGroupResourceId + hubSubnetResourceId: hubNetwork.outputs.subnetResourceId + linuxNetworkInterfaceIpConfigurationName: linuxNetworkInterfaceIpConfigurationName + linuxNetworkInterfaceName: linuxNetworkInterfaceName + 
linuxNetworkInterfacePrivateIPAddressAllocationMethod: linuxNetworkInterfacePrivateIPAddressAllocationMethod + linuxVmAdminPasswordOrKey: linuxVmAdminPasswordOrKey + linuxVmAdminUsername: linuxVmAdminUsername + linuxVmAuthenticationType: linuxVmAuthenticationType + linuxVmImageOffer: linuxVmImageOffer + linuxVmImagePublisher: linuxVmImagePublisher + linuxVmImageSku: linuxVmImageSku + linuxVmImageVersion: linuxVmImageVersion + linuxVmName: linuxVmName + linuxVmOsDiskCreateOption: linuxVmOsDiskCreateOption + linuxVmOsDiskType: linuxVmOsDiskType + linuxVmSize: linuxVmSize + location: location + logAnalyticsWorkspaceId: logAnalyticsWorkspace.outputs.id tags: tags + windowsNetworkInterfaceIpConfigurationName: windowsNetworkInterfaceIpConfigurationName + windowsNetworkInterfaceName: windowsNetworkInterfaceName + windowsNetworkInterfacePrivateIPAddressAllocationMethod: windowsNetworkInterfacePrivateIPAddressAllocationMethod + windowsVmAdminPassword: windowsVmAdminPassword + windowsVmAdminUsername: windowsVmAdminUsername + windowsVmCreateOption: windowsVmCreateOption + windowsVmName: windowsVmName + windowsVmOffer: windowsVmOffer + windowsVmPublisher: windowsVmPublisher + windowsVmSize: windowsVmSize + windowsVmSku: windowsVmSku + windowsVmStorageAccountType: windowsVmStorageAccountType + windowsVmVersion: windowsVmVersion + diskEncryptionSetResourceId: operationsCustomerManagedKeys.outputs.diskEncryptionSetResourceId + hybridUseBenefit: hybridUseBenefit + linuxDiskName: linuxDiskName + windowsDiskName: windowsDiskName } dependsOn: [ - hubNetwork + azureMonitor ] } -// CENTRAL LOGGING +// HUB LOGGING STORAGE -module hubSubscriptionActivityLogging './modules/central-logging.bicep' = { - name: 'activity-logs-hub-${deploymentNameSuffix}' - scope: subscription(hubSubscriptionId) +module hubStorage './core/hub-storage.bicep' = { + name: 'deploy-log-storage-hub-${deploymentNameSuffix}' + scope: resourceGroup(hubSubscriptionId, hubResourceGroupName) params: { - 
diagnosticSettingName: 'log-hub-sub-activity-to-${logAnalyticsWorkspace.outputs.name}' - logAnalyticsWorkspaceId: logAnalyticsWorkspace.outputs.id + blobsPrivateDnsZoneResourceId: privateDnsZones.outputs.blobPrivateDnsZoneId + keyVaultUri: operationsCustomerManagedKeys.outputs.keyVaultUri + location: location + logStorageAccountName: hubLogStorageAccountName + logStorageSkuName: logStorageSkuName + resourcePrefix: resourcePrefix + storageEncryptionKeyName: operationsCustomerManagedKeys.outputs.storageKeyName + subnetResourceId: hubNetwork.outputs.subnetResourceId + tablesPrivateDnsZoneResourceId: privateDnsZones.outputs.tablePrivateDnsZoneId + tags: calculatedTags + userAssignedIdentityResourceId: operationsCustomerManagedKeys.outputs.userAssignedIdentityResourceId } dependsOn: [ - hubNetwork + remoteAccess ] } -module azureMonitorPrivateLink './modules/private-link.bicep' = if (contains(supportedClouds, environment().name)) { - name: 'azure-monitor-private-link' - scope: resourceGroup(operationsSubscriptionId, operationsResourceGroupName) +// SPOKE LOGGING STORAGE + +module spokeStorage './core/spoke-storage.bicep' = [for (spoke, i) in spokes: { + name: 'deploy-log-storage-${spoke.name}-${deploymentNameSuffix}' + scope: resourceGroup(spoke.subscriptionId, spoke.resourceGroupName) params: { - logAnalyticsWorkspaceName: logAnalyticsWorkspace.outputs.name - logAnalyticsWorkspaceResourceId: logAnalyticsWorkspace.outputs.id - privateEndpointSubnetName: operationsSubnetName - privateEndpointVnetName: operationsVirtualNetworkName - monitorPrivateDnsZoneId: azurePrivateDns.outputs.monitorPrivateDnsZoneId - omsPrivateDnsZoneId: azurePrivateDns.outputs.omsPrivateDnsZoneId - odsPrivateDnsZoneId: azurePrivateDns.outputs.odsPrivateDnsZoneId - agentsvcPrivateDnsZoneId: azurePrivateDns.outputs.agentsvcPrivateDnsZoneId + blobsPrivateDnsZoneResourceId: privateDnsZones.outputs.blobPrivateDnsZoneId + keyVaultUri: operationsCustomerManagedKeys.outputs.keyVaultUri location: location + 
logStorageAccountName: spoke.logStorageAccountName + logStorageSkuName: logStorageSkuName + resourcePrefix: resourcePrefix + storageEncryptionKeyName: operationsCustomerManagedKeys.outputs.storageKeyName + subnetResourceId: spokeNetworks[i].outputs.subnetResourceId + tablesPrivateDnsZoneResourceId: privateDnsZones.outputs.tablePrivateDnsZoneId tags: tags + userAssignedIdentityResourceId: operationsCustomerManagedKeys.outputs.userAssignedIdentityResourceId } dependsOn: [ - logAnalyticsWorkspace - spokeNetworks - azurePrivateDns + remoteAccess + ] +}] + +// HUB DIAGONSTIC LOGGING + +module hubDiagnostics 'core/hub-diagnostics.bicep' = { + scope: resourceGroup(hubSubscriptionId, hubResourceGroupName) + name: 'deploy-diagnostic-logging-hub-${deploymentNameSuffix}' + params: { + firewallDiagnosticsLogs: firewallDiagnosticsLogs + firewallDiagnosticsMetrics: firewallDiagnosticsMetrics + firewallName: hubNetwork.outputs.firewallName + hubStorageAccountResourceId: hubStorage.outputs.storageAccountResourceId + logAnalyticsWorkspaceResourceId: logAnalyticsWorkspace.outputs.id + networkSecurityGroupDiagnosticsLogs: hubNetworkSecurityGroupDiagnosticsLogs + networkSecurityGroupDiagnosticsMetrics: hubNetworkSecurityGroupDiagnosticsMetrics + networkSecurityGroupName: hubNetworkSecurityGroupName + publicIPAddressDiagnosticsLogs: publicIPAddressDiagnosticsLogs + publicIPAddressDiagnosticsMetrics: publicIPAddressDiagnosticsMetrics + publicIPAddressNames: [ + firewallClientPublicIPAddressName + firewallManagementPublicIPAddressName + ] + virtualNetworkDiagnosticsLogs: hubVirtualNetworkDiagnosticsLogs + virtualNetworkDiagnosticsMetrics: hubVirtualNetworkDiagnosticsMetrics + virtualNetworkName: hubNetwork.outputs.virtualNetworkName + } +} + +// SPOKE DIAGONSTIC LOGGING + +module spokeDiagnostics 'core/spoke-diagnostics.bicep' = [for (spoke, i) in spokes: { + scope: resourceGroup(spoke.subscriptionId, spoke.resourceGroupName) + name: 
'deploy-diagnostic-logging-${spoke.name}-${deploymentNameSuffix}' + params: { + hubStorageAccountResourceId: spokeStorage[i].outputs.ResourceId + logAnalyticsWorkspaceResourceId: logAnalyticsWorkspace.outputs.id + networkSecurityGroupDiagnosticsLogs: spoke.NetworkSecurityGroupDiagnosticsLogs + networkSecurityGroupDiagnosticsMetrics: spoke.NetworkSecurityGroupDiagnosticsMetrics + networkSecurityGroupName: spokeNetworks[i].outputs.networkSecurityGroupName + virtualNetworkDiagnosticsLogs: spoke.VirtualNetworkDiagnosticsLogs + virtualNetworkDiagnosticsMetrics: spoke.VirtualNetworkDiagnosticsMetrics + virtualNetworkName: spokeNetworks[i].outputs.virtualNetworkName + } +}] + +// CENTRAL LOGGING + +module hubSubscriptionActivityLogging './modules/central-logging.bicep' = { + name: 'activity-logs-hub-${deploymentNameSuffix}' + scope: subscription(hubSubscriptionId) + params: { + diagnosticSettingName: 'log-hub-sub-activity-to-${logAnalyticsWorkspace.outputs.name}' + logAnalyticsWorkspaceId: logAnalyticsWorkspace.outputs.id + } + dependsOn: [ + hubNetwork ] } 
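Review bot: `subnetResourceId: spokeNetworks[1].outputs.subnetResourceId` in `operationsCustomerManagedKeys`, and again in `azureMonitor`, picks the operations subnet by its position in the `spokes` array, which is declared outside this hunk. Reordering or inserting a spoke would silently move what are presumably the Key Vault and Azure Monitor private endpoints into another spoke's subnet. At minimum add a comment at both uses, such as `// index 1 must remain the operations entry of spokes`, or hold the index in one named variable next to the array. Separately, `spokeDiagnostics` reads `spoke.NetworkSecurityGroupDiagnosticsLogs` and `spoke.VirtualNetworkDiagnosticsLogs` with a capital first letter, while the `spokes` entries declare those keys in lower camel case. Matching the declared spelling avoids relying on case-insensitive property lookup.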
@@ -1060,11 +1106,36 @@ module logAnalyticsDiagnosticLogging './modules/log-analytics-diagnostic-logging logAnalyticsWorkspaceName: logAnalyticsWorkspace.outputs.name } dependsOn: [ - hubNetwork - spokeNetworks + spokeStorage ] } +// POLICY ASSIGNMENTS + +module hubPolicyAssignment './modules/policy-assignment.bicep' = if (deployPolicy) { + name: 'assign-policy-hub-${deploymentNameSuffix}' + scope: resourceGroup(hubSubscriptionId, hubResourceGroupName) + params: { + builtInAssignment: policy + logAnalyticsWorkspaceName: logAnalyticsWorkspace.outputs.name + logAnalyticsWorkspaceResourceGroupName: logAnalyticsWorkspace.outputs.resourceGroupName + operationsSubscriptionId: operationsSubscriptionId + location: location + } +} + +module spokePolicyAssignments './modules/policy-assignment.bicep' = [for spoke in spokes: if (deployPolicy) { + name: 'assign-policy-${spoke.name}-${deploymentNameSuffix}' + scope: resourceGroup(spoke.subscriptionId, spoke.resourceGroupName) + params: { + builtInAssignment: policy + logAnalyticsWorkspaceName: logAnalyticsWorkspace.outputs.name + logAnalyticsWorkspaceResourceGroupName: logAnalyticsWorkspace.outputs.resourceGroupName + operationsSubscriptionId: operationsSubscriptionId + location: location + } +}] + // Microsoft Defender for Cloud module hubDefender './modules/defender.bicep' = if (deployDefender) { 
@@ -1087,66 +1158,6 @@ module spokeDefender './modules/defender.bicep' = [for spoke in spokes: if ((dep } }] -// REMOTE ACCESS - -module remoteAccess './core/remote-access.bicep' = if (deployRemoteAccess) { - name: 'deploy-remote-access-${deploymentNameSuffix}' - scope: resourceGroup(hubSubscriptionId, hubResourceGroupName) - - params: { - location: location - - hubVirtualNetworkName: hubNetwork.outputs.virtualNetworkName - hubSubnetResourceId: hubNetwork.outputs.subnetResourceId - hubNetworkSecurityGroupResourceId: hubNetwork.outputs.networkSecurityGroupResourceId - - bastionHostName: bastionHostName - bastionHostSubnetAddressPrefix: bastionHostSubnetAddressPrefix - bastionHostPublicIPAddressName: bastionHostPublicIPAddressName - bastionHostPublicIPAddressSkuName: bastionHostPublicIPAddressSkuName - bastionHostPublicIPAddressAllocationMethod: bastionHostPublicIPAddressAllocationMethod - bastionHostPublicIPAddressAvailabilityZones: bastionHostPublicIPAddressAvailabilityZones - bastionHostIPConfigurationName: bastionHostIPConfigurationName - - linuxNetworkInterfaceName: linuxNetworkInterfaceName - linuxNetworkInterfaceIpConfigurationName: linuxNetworkInterfaceIpConfigurationName - linuxNetworkInterfacePrivateIPAddressAllocationMethod: linuxNetworkInterfacePrivateIPAddressAllocationMethod - - linuxVmName: linuxVmName - linuxVmSize: linuxVmSize - linuxVmOsDiskCreateOption: linuxVmOsDiskCreateOption - linuxVmOsDiskType: linuxVmOsDiskType - linuxVmImagePublisher: linuxVmImagePublisher - linuxVmImageOffer: linuxVmImageOffer - linuxVmImageSku: linuxVmImageSku - linuxVmImageVersion: linuxVmImageVersion - linuxVmAdminUsername: linuxVmAdminUsername - linuxVmAuthenticationType: linuxVmAuthenticationType - linuxVmAdminPasswordOrKey: linuxVmAdminPasswordOrKey - - windowsNetworkInterfaceName: windowsNetworkInterfaceName - windowsNetworkInterfaceIpConfigurationName: windowsNetworkInterfaceIpConfigurationName - windowsNetworkInterfacePrivateIPAddressAllocationMethod: 
windowsNetworkInterfacePrivateIPAddressAllocationMethod - - windowsVmName: windowsVmName - windowsVmSize: windowsVmSize - windowsVmAdminUsername: windowsVmAdminUsername - windowsVmAdminPassword: windowsVmAdminPassword - windowsVmPublisher: windowsVmPublisher - windowsVmOffer: windowsVmOffer - windowsVmSku: windowsVmSku - windowsVmVersion: windowsVmVersion - windowsVmCreateOption: windowsVmCreateOption - windowsVmStorageAccountType: windowsVmStorageAccountType - - logAnalyticsWorkspaceId: logAnalyticsWorkspace.outputs.id - } - dependsOn: [ - azureMonitorPrivateLink - hubNetworkDNS - ] -} - /* OUTPUTS diff --git a/src/bicep/mlz.json b/src/bicep/mlz.json index 68bfca091..594714dc7 100644 --- a/src/bicep/mlz.json +++ b/src/bicep/mlz.json @@ -4,27 +4,27 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.10.61.36676", - "templateHash": "2822344535003118565" + "version": "0.24.24.22086", + "templateHash": "14049943017147962936" } }, "parameters": { "resourcePrefix": { "type": "string", + "minLength": 3, + "maxLength": 10, "metadata": { "description": "A prefix, 3-10 alphanumeric characters without whitespace, used to prefix resources and generate uniqueness for resources with globally unique naming requirements like Storage Accounts and Log Analytics Workspaces" - }, - "maxLength": 10, - "minLength": 3 + } }, "resourceSuffix": { "type": "string", "defaultValue": "mlz", + "minLength": 3, + "maxLength": 6, "metadata": { "description": "A suffix, 3 to 6 characters in length, to append to resource names (e.g. \"dev\", \"test\", \"prod\", \"mlz\"). It defaults to \"mlz\"." - }, - "maxLength": 6, - "minLength": 3 + } }, "hubSubscriptionId": { "type": "string", 
@@ -158,37 +158,37 @@ "firewallSkuTier": { "type": "string", "defaultValue": "Premium", - "metadata": { - "description": "[Standard/Premium] The SKU for Azure Firewall. It defaults to \"Premium\"." - }, "allowedValues": [ "Standard", "Premium" - ] + ], + "metadata": { + "description": "[Standard/Premium] The SKU for Azure Firewall. It defaults to \"Premium\"." + } }, "firewallThreatIntelMode": { "type": "string", "defaultValue": "Alert", - "metadata": { - "description": "[Alert/Deny/Off] The Azure Firewall Threat Intelligence Rule triggered logging behavior. Valid values are \"Alert\", \"Deny\", or \"Off\". The default value is \"Alert\"." - }, "allowedValues": [ "Alert", "Deny", "Off" - ] + ], + "metadata": { + "description": "[Alert/Deny/Off] The Azure Firewall Threat Intelligence Rule triggered logging behavior. Valid values are \"Alert\", \"Deny\", or \"Off\". The default value is \"Alert\"." + } }, "firewallIntrusionDetectionMode": { "type": "string", "defaultValue": "Alert", - "metadata": { - "description": "[Alert/Deny/Off] The Azure Firewall Intrusion Detection mode. Valid values are \"Alert\", \"Deny\", or \"Off\". The default value is \"Alert\"." - }, "allowedValues": [ "Alert", "Deny", "Off" - ] + ], + "metadata": { + "description": "[Alert/Deny/Off] The Azure Firewall Intrusion Detection mode. Valid values are \"Alert\", \"Deny\", or \"Off\". The default value is \"Alert\"." + } }, "enableProxy": { "type": "bool", 
@@ -238,13 +238,6 @@ "description": "An array of Firewall Diagnostic Metrics categories to collect. See \"https://docs.microsoft.com/en-us/azure/firewall/firewall-diagnostics#enable-diagnostic-logging-through-the-azure-portal\" for valid values." } }, - "firewallClientSubnetServiceEndpoints": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "An array of Service Endpoints to enable for the Azure Firewall Client Subnet. See https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview for valid settings." - } - }, "firewallClientPublicIPAddressAvailabilityZones": { "type": "array", "defaultValue": [], @@ -252,13 +245,6 @@ "description": "An array of Azure Firewall Public IP Address Availability Zones. It defaults to empty, or \"No-Zone\", because Availability Zones are not available in every cloud. See https://docs.microsoft.com/en-us/azure/virtual-network/ip-services/public-ip-addresses#sku for valid settings." } }, - "firewallManagementSubnetServiceEndpoints": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "An array of Service Endpoints to enable for the Azure Firewall Management Subnet. See https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview for valid settings." - } - }, "firewallManagementPublicIPAddressAvailabilityZones": { "type": "array", "defaultValue": [], 
@@ -349,17 +335,6 @@ "description": "An array of Network Security Group Metrics to apply to enable for the Hub Virtual Network. See https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/diagnostic-settings?tabs=CMD#metrics for valid settings." } }, - "hubSubnetServiceEndpoints": { - "type": "array", - "defaultValue": [ - { - "service": "Microsoft.Storage" - } - ], - "metadata": { - "description": "An array of Service Endpoints to enable for the Hub subnet. See https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview for valid settings." - } - }, "identityVirtualNetworkDiagnosticsLogs": { "type": "array", "defaultValue": [], @@ -428,17 +403,6 @@ "description": "An array of Network Security Group Metrics to apply to enable for the Identity Virtual Network. See https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/diagnostic-settings?tabs=CMD#metrics for valid settings." } }, - "identitySubnetServiceEndpoints": { - "type": "array", - "defaultValue": [ - { - "service": "Microsoft.Storage" - } - ], - "metadata": { - "description": "An array of Service Endpoints to enable for the Identity subnet. See https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview for valid settings." - } - }, "operationsVirtualNetworkDiagnosticsLogs": { "type": "array", "defaultValue": [], 
@@ -507,17 +471,6 @@ "description": "An array of Network Security Group Diagnostic Metrics to enable for the Operations Virtual Network. See https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/diagnostic-settings?tabs=CMD#metrics for valid settings." } }, - "operationsSubnetServiceEndpoints": { - "type": "array", - "defaultValue": [ - { - "service": "Microsoft.Storage" - } - ], - "metadata": { - "description": "An array of Service Endpoints to enable for the Operations subnet. See https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview for valid settings." - } - }, "sharedServicesVirtualNetworkDiagnosticsLogs": { "type": "array", "defaultValue": [], @@ -586,17 +539,6 @@ "description": "An array of Network Security Group Diagnostic Metrics to enable for the SharedServices Virtual Network. See https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/diagnostic-settings?tabs=CMD#metrics for valid settings." } }, - "sharedServicesSubnetServiceEndpoints": { - "type": "array", - "defaultValue": [ - { - "service": "Microsoft.Storage" - } - ], - "metadata": { - "description": "An array of Service Endpoints to enable for the SharedServices subnet. See https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview for valid settings." - } - }, "deploySentinel": { "type": "bool", "defaultValue": false, @@ -621,9 +563,6 @@ "logAnalyticsWorkspaceSkuName": { "type": "string", "defaultValue": "PerGB2018", - "metadata": { - "description": "[Free/Standard/Premium/PerNode/PerGB2018/Standalone] The SKU for the Log Analytics Workspace. It defaults to \"PerGB2018\". See https://docs.microsoft.com/en-us/azure/azure-monitor/logs/resource-manager-workspace for valid settings." - }, "allowedValues": [ "Free", "Standard", 
@@ -631,7 +570,10 @@ "PerNode", "PerGB2018", "Standalone" - ] + ], + "metadata": { + "description": "[Free/Standard/Premium/PerNode/PerGB2018/Standalone] The SKU for the Log Analytics Workspace. It defaults to \"PerGB2018\". See https://docs.microsoft.com/en-us/azure/azure-monitor/logs/resource-manager-workspace for valid settings." + } }, "logStorageSkuName": { "type": "string", @@ -661,6 +603,13 @@ "description": "The Azure Bastion Public IP Address Availability Zones. It defaults to \"No-Zone\" because Availability Zones are not available in every cloud. See https://docs.microsoft.com/en-us/azure/virtual-network/ip-services/public-ip-addresses#sku for valid settings." } }, + "hybridUseBenefit": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "The hybrid use benefit provides a discount on virtual machines when a customer has an on-premises Windows Server license with Software Assurance." + } + }, "linuxVmAdminUsername": { "type": "string", "defaultValue": "azureuser", @@ -671,16 +620,16 @@ "linuxVmAuthenticationType": { "type": "string", "defaultValue": "password", - "metadata": { - "description": "[sshPublicKey/password] The authentication type for the Linux Virtual Machine to Azure Bastion remote into. It defaults to \"password\"." - }, "allowedValues": [ "sshPublicKey", "password" - ] + ], + "metadata": { + "description": "[sshPublicKey/password] The authentication type for the Linux Virtual Machine to Azure Bastion remote into. It defaults to \"password\"." + } }, "linuxVmAdminPasswordOrKey": { - "type": "secureString", + "type": "securestring", "defaultValue": "[if(parameters('deployRemoteAccess'), '', newGuid())]", "minLength": 12, "metadata": { @@ -724,7 +673,7 @@ }, "linuxVmImageSku": { "type": "string", - "defaultValue": "18.04-LTS", + "defaultValue": "18_04-lts-gen2", "metadata": { "description": "The image SKU of the Linux Virtual Machine to Azure Bastion remote into. It defaults to \"18.04-LTS\"." } 
@@ -739,13 +688,13 @@ "linuxNetworkInterfacePrivateIPAddressAllocationMethod": { "type": "string", "defaultValue": "Dynamic", - "metadata": { - "description": "[Static/Dynamic] The public IP Address allocation method for the Linux virtual machine. It defaults to \"Dynamic\"." - }, "allowedValues": [ "Static", "Dynamic" - ] + ], + "metadata": { + "description": "[Static/Dynamic] The public IP Address allocation method for the Linux virtual machine. It defaults to \"Dynamic\"." + } }, "windowsVmAdminUsername": { "type": "string", @@ -755,7 +704,7 @@ } }, "windowsVmAdminPassword": { - "type": "secureString", + "type": "securestring", "defaultValue": "[if(parameters('deployRemoteAccess'), '', newGuid())]", "minLength": 12, "metadata": { @@ -785,7 +734,7 @@ }, "windowsVmSku": { "type": "string", - "defaultValue": "2019-datacenter", + "defaultValue": "2019-datacenter-gensecond", "metadata": { "description": "The SKU of the Windows Virtual Machine to Azure Bastion remote into. It defaults to \"2019-datacenter\"." } @@ -814,13 +763,13 @@ "windowsNetworkInterfacePrivateIPAddressAllocationMethod": { "type": "string", "defaultValue": "Dynamic", - "metadata": { - "description": "[Static/Dynamic] The public IP Address allocation method for the Windows virtual machine. It defaults to \"Dynamic\"." - }, "allowedValues": [ "Static", "Dynamic" - ] + ], + "metadata": { + "description": "[Static/Dynamic] The public IP Address allocation method for the Windows virtual machine. It defaults to \"Dynamic\"." + } }, "deployPolicy": { "type": "bool", 
@@ -832,15 +781,15 @@ "policy": { "type": "string", "defaultValue": "NISTRev4", - "metadata": { - "description": "[NISTRev4/NISTRev5/IL5/CMMC] Built-in policy assignments to assign, it defaults to \"NISTRev4\". IL5 is only available for AzureUsGovernment and will switch to NISTRev4 if tried in AzureCloud." - }, "allowedValues": [ "NISTRev4", "NISTRev5", "IL5", "CMMC" - ] + ], + "metadata": { + "description": "[NISTRev4/NISTRev5/IL5/CMMC] Built-in policy assignments to assign, it defaults to \"NISTRev4\". IL5 is only available for AzureUsGovernment and will switch to NISTRev4 if tried in AzureCloud." + } }, "deployDefender": { "type": "bool", @@ -852,13 +801,13 @@ "defenderSkuTier": { "type": "string", "defaultValue": "Standard", - "metadata": { - "description": "[Standard/Free] The SKU for Defender. It defaults to \"Standard\"." - }, "allowedValues": [ "Standard", "Free" - ] + ], + "metadata": { + "description": "[Standard/Free] The SKU for Defender. It defaults to \"Standard\"." + } }, "emailSecurityContact": { "type": "string", 
@@ -869,58 +818,465 @@ } }, "variables": { + "copy": [ + { + "name": "firewallClientUsableIpAddresses", + "count": "[length(range(0, 4))]", + "input": "[cidrHost(parameters('firewallClientSubnetAddressPrefix'), range(0, 4)[copyIndex('firewallClientUsableIpAddresses')])]" + } + ], + "$fxv#0": { + "AzureChina": { + "chinaeast": { + "abbreviation": "cne", + "recoveryServicesGeo": "sha", + "timeDifference": "+8:00", + "timeZone": "China Standard Time" + }, + "chinaeast2": { + "abbreviation": "cne2", + "recoveryServicesGeo": "sha2", + "timeDifference": "+8:00", + "timeZone": "China Standard Time" + }, + "chinanorth": { + "abbreviation": "cnn", + "recoveryServicesGeo": "bjb", + "timeDifference": "+8:00", + "timeZone": "China Standard Time" + }, + "chinanorth2": { + "abbreviation": "cnn2", + "recoveryServicesGeo": "bjb2", + "timeDifference": "+8:00", + "timeZone": "China Standard Time" + } + }, + "AzureCloud": { + "australiacentral": { + "abbreviation": "auc", + "recoveryServicesGeo": "acl", + "timeDifference": "+10:00", + "timeZone": "AUS Eastern Standard Time" + }, + "australiacentral2": { + "abbreviation": "auc2", + "recoveryServicesGeo": "acl2", + "timeDifference": "+10:00", + "timeZone": "AUS Eastern Standard Time" + }, + "australiaeast": { + "abbreviation": "aue", + "recoveryServicesGeo": "ae", + "timeDifference": "+10:00", + "timeZone": "AUS Eastern Standard Time" + }, + "australiasoutheast": { + "abbreviation": "ause", + "recoveryServicesGeo": "ase", + "timeDifference": "+10:00", + "timeZone": "AUS Eastern Standard Time" + }, + "brazilsouth": { + "abbreviation": "brs", + "recoveryServicesGeo": "brs", + "timeDifference": "-3:00", + "timeZone": "E. South America Standard Time" + }, + "brazilsoutheast": { + "abbreviation": "brse", + "recoveryServicesGeo": "bse", + "timeDifference": "-3:00", + "timeZone": "E. 
South America Standard Time" + }, + "canadacentral": { + "abbreviation": "cac", + "recoveryServicesGeo": "cnc", + "timeDifference": "-5:00", + "timeZone": "Eastern Standard Time" + }, + "canadaeast": { + "abbreviation": "cae", + "recoveryServicesGeo": "cne", + "timeDifference": "-5:00", + "timeZone": "Eastern Standard Time" + }, + "centralindia": { + "abbreviation": "inc", + "recoveryServicesGeo": "inc", + "timeDifference": "+5:30", + "timeZone": "India Standard Time" + }, + "centralus": { + "abbreviation": "usc", + "recoveryServicesGeo": "cus", + "timeDifference": "-6:00", + "timeZone": "Central Standard Time" + }, + "eastasia": { + "abbreviation": "ase", + "recoveryServicesGeo": "ea", + "timeDifference": "+8:00", + "timeZone": "China Standard Time" + }, + "eastus": { + "abbreviation": "use", + "recoveryServicesGeo": "eus", + "timeDifference": "-5:00", + "timeZone": "Eastern Standard Time" + }, + "eastus2": { + "abbreviation": "use2", + "recoveryServicesGeo": "eus2", + "timeDifference": "-5:00", + "timeZone": "Eastern Standard Time" + }, + "francecentral": { + "abbreviation": "frc", + "recoveryServicesGeo": "frc", + "timeDifference": "+1:00", + "timeZone": "Central Europe Standard Time" + }, + "francesouth": { + "abbreviation": "frs", + "recoveryServicesGeo": "frs", + "timeDifference": "+1:00", + "timeZone": "Central Europe Standard Time" + }, + "germanynorth": { + "abbreviation": "den", + "recoveryServicesGeo": "gn", + "timeDifference": "+1:00", + "timeZone": "Central Europe Standard Time" + }, + "germanywestcentral": { + "abbreviation": "dewc", + "recoveryServicesGeo": "gwc", + "timeDifference": "+1:00", + "timeZone": "Central Europe Standard Time" + }, + "israelcentral": { + "abbreviation": "ilc", + "recoveryServicesGeo": "ilc", + "timeDifference": "+2:00", + "timeZone": "Israel Standard Time" + }, + "italynorth": { + "abbreviation": "itn", + "recoveryServicesGeo": "itn", + "timeDifference": "+1:00", + "timeZone": "Central Europe Standard Time" + }, + 
"japaneast": { + "abbreviation": "jpe", + "recoveryServicesGeo": "jpe", + "timeDifference": "+9:00", + "timeZone": "Tokyo Standard Time" + }, + "japanwest": { + "abbreviation": "jpw", + "recoveryServicesGeo": "jpw", + "timeDifference": "+9:00", + "timeZone": "Tokyo Standard Time" + }, + "jioindiacentral": { + "abbreviation": "injc", + "recoveryServicesGeo": "jic", + "timeDifference": "+5:30", + "timeZone": "India Standard Time" + }, + "jioindiawest": { + "abbreviation": "injw", + "recoveryServicesGeo": "jiw", + "timeDifference": "+5:30", + "timeZone": "India Standard Time" + }, + "koreacentral": { + "abbreviation": "krc", + "recoveryServicesGeo": "krc", + "timeDifference": "+9:00", + "timeZone": "Korea Standard Time" + }, + "koreasouth": { + "abbreviation": "krs", + "recoveryServicesGeo": "krs", + "timeDifference": "+9:00", + "timeZone": "Korea Standard Time" + }, + "northcentralus": { + "abbreviation": "usnc", + "recoveryServicesGeo": "ncus", + "timeDifference": "-6:00", + "timeZone": "Central Standard Time" + }, + "northeurope": { + "abbreviation": "eun", + "recoveryServicesGeo": "ne", + "timeDifference": "0:00", + "timeZone": "GMT Standard Time" + }, + "norwayeast": { + "abbreviation": "noe", + "recoveryServicesGeo": "nwe", + "timeDifference": "+1:00", + "timeZone": "Central Europe Standard Time" + }, + "norwaywest": { + "abbreviation": "now", + "recoveryServicesGeo": "nww", + "timeDifference": "+1:00", + "timeZone": "Central Europe Standard Time" + }, + "polandcentral": { + "abbreviation": "plc", + "recoveryServicesGeo": "plc", + "timeDifference": "+1:00", + "timeZone": "Central Europe Standard Time" + }, + "qatarcentral": { + "abbreviation": "qac", + "recoveryServicesGeo": "qac", + "timeDifference": "+3:00", + "timeZone": "Arabian Standard Time" + }, + "southafricanorth": { + "abbreviation": "zan", + "recoveryServicesGeo": "san", + "timeDifference": "+2:00", + "timeZone": "South Africa Standard Time" + }, + "southafricawest": { + "abbreviation": "zaw", + 
"recoveryServicesGeo": "saw", + "timeDifference": "+2:00", + "timeZone": "South Africa Standard Time" + }, + "southcentralus": { + "abbreviation": "ussc", + "recoveryServicesGeo": "scus", + "timeDifference": "-6:00", + "timeZone": "Central Standard Time" + }, + "southeastasia": { + "abbreviation": "asse", + "recoveryServicesGeo": "sea", + "timeDifference": "+8:00", + "timeZone": "Singapore Standard Time" + }, + "southindia": { + "abbreviation": "ins", + "recoveryServicesGeo": "ins", + "timeDifference": "+5:30", + "timeZone": "India Standard Time" + }, + "swedencentral": { + "abbreviation": "sec", + "recoveryServicesGeo": "sdc", + "timeDifference": "+1:00", + "timeZone": "Central Europe Standard Time" + }, + "switzerlandnorth": { + "abbreviation": "chn", + "recoveryServicesGeo": "szn", + "timeDifference": "+1:00", + "timeZone": "Central Europe Standard Time" + }, + "switzerlandwest": { + "abbreviation": "chw", + "recoveryServicesGeo": "szw", + "timeDifference": "+1:00", + "timeZone": "Central Europe Standard Time" + }, + "uaecentral": { + "abbreviation": "aec", + "recoveryServicesGeo": "uac", + "timeDifference": "+3:00", + "timeZone": "Arabian Standard Time" + }, + "uaenorth": { + "abbreviation": "aen", + "recoveryServicesGeo": "uan", + "timeDifference": "+3:00", + "timeZone": "Arabian Standard Time" + }, + "uksouth": { + "abbreviation": "uks", + "recoveryServicesGeo": "uks", + "timeDifference": "0:00", + "timeZone": "GMT Standard Time" + }, + "ukwest": { + "abbreviation": "ukw", + "recoveryServicesGeo": "ukw", + "timeDifference": "0:00", + "timeZone": "GMT Standard Time" + }, + "westcentralus": { + "abbreviation": "uswc", + "recoveryServicesGeo": "wcus", + "timeDifference": "-7:00", + "timeZone": "Mountain Standard Time" + }, + "westeurope": { + "abbreviation": "euw", + "recoveryServicesGeo": "we", + "timeDifference": "+1:00", + "timeZone": "Central Europe Standard Time" + }, + "westindia": { + "abbreviation": "inw", + "recoveryServicesGeo": "inw", + 
"timeDifference": "+5:30", + "timeZone": "India Standard Time" + }, + "westus": { + "abbreviation": "usw", + "recoveryServicesGeo": "wus", + "timeDifference": "-8:00", + "timeZone": "Pacific Standard Time" + }, + "westus2": { + "abbreviation": "usw2", + "recoveryServicesGeo": "wus2", + "timeDifference": "-8:00", + "timeZone": "Pacific Standard Time" + }, + "westus3": { + "abbreviation": "usw3", + "recoveryServicesGeo": "wus3", + "timeDifference": "-7:00", + "timeZone": "Mountain Standard Time" + } + }, + "AzureUSGovernment": { + "usdodcentral": { + "abbreviation": "dodc", + "recoveryServicesGeo": "udc", + "timeDifference": "-6:00", + "timeZone": "Central Standard Time" + }, + "usdodeast": { + "abbreviation": "dode", + "recoveryServicesGeo": "ude", + "timeDifference": "-5:00", + "timeZone": "Eastern Standard Time" + }, + "usgovarizona": { + "abbreviation": "az", + "recoveryServicesGeo": "uga", + "timeDifference": "-7:00", + "timeZone": "Mountain Standard Time" + }, + "usgovtexas": { + "abbreviation": "tx", + "recoveryServicesGeo": "ugt", + "timeDifference": "-6:00", + "timeZone": "Central Standard Time" + }, + "usgovvirginia": { + "abbreviation": "va", + "recoveryServicesGeo": "ugv", + "timeDifference": "-5:00", + "timeZone": "Eastern Standard Time" + } + }, + "USNat": { + "usnateast": { + "abbreviation": "east", + "recoveryServicesGeo": "exe", + "timeDifference": "-5:00", + "timeZone": "Eastern Standard Time" + }, + "usnatwest": { + "abbreviation": "west", + "recoveryServicesGeo": "exw", + "timeDifference": "-8:00", + "timeZone": "Pacific Standard Time" + } + }, + "USSec": { + "usseceast": { + "abbreviation": "east", + "recoveryServicesGeo": "rxe", + "timeDifference": "-5:00", + "timeZone": "Eastern Standard Time" + }, + "ussecwest": { + "abbreviation": "west", + "recoveryServicesGeo": "rxw", + "timeDifference": "-8:00", + "timeZone": "Pacific Standard Time" + } + } + }, + "locations": "[variables('$fxv#0')[environment().name]]", + "locationAbbreviation": 
"[variables('locations')[parameters('location')].abbreviation]", "resourceToken": "resource_token", "nameToken": "name_token", - "namingConvention": "[format('{0}-{1}-{2}-{3}', toLower(parameters('resourcePrefix')), variables('resourceToken'), variables('nameToken'), toLower(parameters('resourceSuffix')))]", + "namingConvention": "[format('{0}-{1}-{2}-{3}-{4}', toLower(parameters('resourcePrefix')), variables('resourceToken'), variables('nameToken'), toLower(parameters('resourceSuffix')), variables('locationAbbreviation'))]", "bastionHostNamingConvention": "[replace(variables('namingConvention'), variables('resourceToken'), 'bas')]", + "diskEncryptionSetNamingConvention": "[replace(variables('namingConvention'), variables('resourceToken'), 'des')]", + "diskNamingConvention": "[replace(variables('namingConvention'), variables('resourceToken'), 'disk')]", "firewallNamingConvention": "[replace(variables('namingConvention'), variables('resourceToken'), 'afw')]", "firewallPolicyNamingConvention": "[replace(variables('namingConvention'), variables('resourceToken'), 'afwp')]", + "keyVaultNamingConvention": "[replace(variables('namingConvention'), variables('resourceToken'), 'kv')]", "ipConfigurationNamingConvention": "[replace(variables('namingConvention'), variables('resourceToken'), 'ipconf')]", "logAnalyticsWorkspaceNamingConvention": "[replace(variables('namingConvention'), variables('resourceToken'), 'log')]", "networkInterfaceNamingConvention": "[replace(variables('namingConvention'), variables('resourceToken'), 'nic')]", "networkSecurityGroupNamingConvention": "[replace(variables('namingConvention'), variables('resourceToken'), 'nsg')]", + "networkWatcherNamingConvention": "[replace(variables('namingConvention'), variables('resourceToken'), 'nw')]", "publicIpAddressNamingConvention": "[replace(variables('namingConvention'), variables('resourceToken'), 'pip')]", "resourceGroupNamingConvention": "[replace(variables('namingConvention'), variables('resourceToken'), 
'rg')]", - "storageAccountNamingConvention": "[toLower(format('{0}st{1}unique_storage_token', parameters('resourcePrefix'), variables('nameToken')))]", + "routeTableNamingConvention": "[replace(variables('namingConvention'), variables('resourceToken'), 'rt')]", + "storageAccountNamingConvention": "[toLower(format('{0}unique_storage_token', replace(replace(variables('namingConvention'), variables('resourceToken'), 'st'), '-', '')))]", "subnetNamingConvention": "[replace(variables('namingConvention'), variables('resourceToken'), 'snet')]", + "userAssignedIdentityNamingConvention": "[replace(variables('namingConvention'), variables('resourceToken'), 'uaid')]", "virtualMachineNamingConvention": "[replace(variables('namingConvention'), variables('resourceToken'), 'vm')]", "virtualNetworkNamingConvention": "[replace(variables('namingConvention'), variables('resourceToken'), 'vnet')]", "hubName": "hub", "hubShortName": "hub", - "hubResourceGroupName": "[replace(variables('resourceGroupNamingConvention'), variables('nameToken'), variables('hubName'))]", + "hubLogStorageAccountName": "[take(variables('hubLogStorageAccountUniqueName'), 24)]", "hubLogStorageAccountShortName": "[replace(variables('storageAccountNamingConvention'), variables('nameToken'), variables('hubShortName'))]", "hubLogStorageAccountUniqueName": "[replace(variables('hubLogStorageAccountShortName'), 'unique_storage_token', uniqueString(parameters('resourcePrefix'), parameters('resourceSuffix'), parameters('hubSubscriptionId')))]", - "hubLogStorageAccountName": "[take(variables('hubLogStorageAccountUniqueName'), 23)]", - "hubVirtualNetworkName": "[replace(variables('virtualNetworkNamingConvention'), variables('nameToken'), variables('hubName'))]", + "hubNetworkWatcherName": "[replace(variables('networkWatcherNamingConvention'), variables('nameToken'), variables('hubName'))]", "hubNetworkSecurityGroupName": "[replace(variables('networkSecurityGroupNamingConvention'), variables('nameToken'), 
variables('hubName'))]", + "hubResourceGroupName": "[replace(variables('resourceGroupNamingConvention'), variables('nameToken'), variables('hubName'))]", + "hubRouteTableName": "[replace(variables('routeTableNamingConvention'), variables('nameToken'), variables('hubName'))]", "hubSubnetName": "[replace(variables('subnetNamingConvention'), variables('nameToken'), variables('hubName'))]", + "hubVirtualNetworkName": "[replace(variables('virtualNetworkNamingConvention'), variables('nameToken'), variables('hubName'))]", "identityName": "identity", "identityShortName": "id", - "identityResourceGroupName": "[replace(variables('resourceGroupNamingConvention'), variables('nameToken'), variables('identityName'))]", + "identityLogStorageAccountName": "[take(variables('identityLogStorageAccountUniqueName'), 24)]", "identityLogStorageAccountShortName": "[replace(variables('storageAccountNamingConvention'), variables('nameToken'), variables('identityShortName'))]", "identityLogStorageAccountUniqueName": "[replace(variables('identityLogStorageAccountShortName'), 'unique_storage_token', uniqueString(parameters('resourcePrefix'), parameters('resourceSuffix'), parameters('identitySubscriptionId')))]", - "identityLogStorageAccountName": "[take(variables('identityLogStorageAccountUniqueName'), 23)]", - "identityVirtualNetworkName": "[replace(variables('virtualNetworkNamingConvention'), variables('nameToken'), variables('identityName'))]", "identityNetworkSecurityGroupName": "[replace(variables('networkSecurityGroupNamingConvention'), variables('nameToken'), variables('identityName'))]", + "identityResourceGroupName": "[replace(variables('resourceGroupNamingConvention'), variables('nameToken'), variables('identityName'))]", + "identityRouteTableName": "[replace(variables('routeTableNamingConvention'), variables('nameToken'), variables('identityName'))]", "identitySubnetName": "[replace(variables('subnetNamingConvention'), variables('nameToken'), variables('identityName'))]", + 
"identityVirtualNetworkName": "[replace(variables('virtualNetworkNamingConvention'), variables('nameToken'), variables('identityName'))]", "operationsName": "operations", "operationsShortName": "ops", - "operationsResourceGroupName": "[replace(variables('resourceGroupNamingConvention'), variables('nameToken'), variables('operationsName'))]", + "operationsDiskEncryptionSetName": "[replace(variables('diskEncryptionSetNamingConvention'), variables('nameToken'), variables('operationsName'))]", + "operationsKeyVaultName": "[replace(variables('keyVaultNamingConvention'), variables('nameToken'), variables('operationsShortName'))]", + "operationsLogStorageAccountName": "[take(variables('operationsLogStorageAccountUniqueName'), 24)]", "operationsLogStorageAccountShortName": "[replace(variables('storageAccountNamingConvention'), variables('nameToken'), variables('operationsShortName'))]", "operationsLogStorageAccountUniqueName": "[replace(variables('operationsLogStorageAccountShortName'), 'unique_storage_token', uniqueString(parameters('resourcePrefix'), parameters('resourceSuffix'), parameters('operationsSubscriptionId')))]", - "operationsLogStorageAccountName": "[take(variables('operationsLogStorageAccountUniqueName'), 23)]", - "operationsVirtualNetworkName": "[replace(variables('virtualNetworkNamingConvention'), variables('nameToken'), variables('operationsName'))]", "operationsNetworkSecurityGroupName": "[replace(variables('networkSecurityGroupNamingConvention'), variables('nameToken'), variables('operationsName'))]", + "operationsResourceGroupName": "[replace(variables('resourceGroupNamingConvention'), variables('nameToken'), variables('operationsName'))]", + "operationsRouteTableName": "[replace(variables('routeTableNamingConvention'), variables('nameToken'), variables('operationsName'))]", "operationsSubnetName": "[replace(variables('subnetNamingConvention'), variables('nameToken'), variables('operationsName'))]", + "operationsUserAssignedIdentityName": 
"[replace(variables('userAssignedIdentityNamingConvention'), variables('nameToken'), variables('operationsName'))]", + "operationsVirtualNetworkName": "[replace(variables('virtualNetworkNamingConvention'), variables('nameToken'), variables('operationsName'))]", "sharedServicesName": "sharedServices", "sharedServicesShortName": "svcs", - "sharedServicesResourceGroupName": "[replace(variables('resourceGroupNamingConvention'), variables('nameToken'), variables('sharedServicesName'))]", + "sharedServicesLogStorageAccountName": "[take(variables('sharedServicesLogStorageAccountUniqueName'), 24)]", "sharedServicesLogStorageAccountShortName": "[replace(variables('storageAccountNamingConvention'), variables('nameToken'), variables('sharedServicesShortName'))]", "sharedServicesLogStorageAccountUniqueName": "[replace(variables('sharedServicesLogStorageAccountShortName'), 'unique_storage_token', uniqueString(parameters('resourcePrefix'), parameters('resourceSuffix'), parameters('sharedServicesSubscriptionId')))]", - "sharedServicesLogStorageAccountName": "[take(variables('sharedServicesLogStorageAccountUniqueName'), 23)]", - "sharedServicesVirtualNetworkName": "[replace(variables('virtualNetworkNamingConvention'), variables('nameToken'), variables('sharedServicesName'))]", "sharedServicesNetworkSecurityGroupName": "[replace(variables('networkSecurityGroupNamingConvention'), variables('nameToken'), variables('sharedServicesName'))]", + "sharedServicesResourceGroupName": "[replace(variables('resourceGroupNamingConvention'), variables('nameToken'), variables('sharedServicesName'))]", + "sharedServicesRouteTableName": "[replace(variables('routeTableNamingConvention'), variables('nameToken'), variables('sharedServicesName'))]", "sharedServicesSubnetName": "[replace(variables('subnetNamingConvention'), variables('nameToken'), variables('sharedServicesName'))]", + "sharedServicesVirtualNetworkName": "[replace(variables('virtualNetworkNamingConvention'), variables('nameToken'), 
variables('sharedServicesName'))]", "logAnalyticsWorkspaceName": "[replace(variables('logAnalyticsWorkspaceNamingConvention'), variables('nameToken'), variables('operationsName'))]", "firewallName": "[replace(variables('firewallNamingConvention'), variables('nameToken'), variables('hubName'))]", "firewallPolicyName": "[replace(variables('firewallPolicyNamingConvention'), variables('nameToken'), variables('hubName'))]", 
@@ -928,14 +1284,17 @@ "firewallClientPublicIPAddressName": "[replace(variables('publicIpAddressNamingConvention'), variables('nameToken'), 'afw-client')]", "firewallManagementIpConfigurationName": "[replace(variables('ipConfigurationNamingConvention'), variables('nameToken'), 'afw-mgmt')]", "firewallManagementPublicIPAddressName": "[replace(variables('publicIpAddressNamingConvention'), variables('nameToken'), 'afw-mgmt')]", + "firewallClientPrivateIpAddress": "[variables('firewallClientUsableIpAddresses')[3]]", "firewallPublicIpAddressSkuName": "Standard", "firewallPublicIpAddressAllocationMethod": "Static", "bastionHostName": "[replace(variables('bastionHostNamingConvention'), variables('nameToken'), variables('hubName'))]", "bastionHostPublicIPAddressName": "[replace(variables('publicIpAddressNamingConvention'), variables('nameToken'), 'bas')]", "bastionHostIPConfigurationName": "[replace(variables('ipConfigurationNamingConvention'), variables('nameToken'), 'bas')]", + "linuxDiskName": "[replace(variables('diskNamingConvention'), variables('nameToken'), 'bas-linux')]", "linuxNetworkInterfaceName": "[replace(variables('networkInterfaceNamingConvention'), variables('nameToken'), 'bas-linux')]", "linuxNetworkInterfaceIpConfigurationName": "[replace(variables('ipConfigurationNamingConvention'), variables('nameToken'), 'bas-linux')]", "linuxVmName": "[replace(variables('virtualMachineNamingConvention'), variables('nameToken'), 'bas-linux')]", + "windowsDiskName": "[replace(variables('diskNamingConvention'), variables('nameToken'), 'bas-windows')]", "windowsNetworkInterfaceName": "[replace(variables('networkInterfaceNamingConvention'), variables('nameToken'), 'bas-windows')]", "windowsNetworkInterfaceIpConfigurationName": "[replace(variables('ipConfigurationNamingConvention'), variables('nameToken'), 'bas-windows')]", "windowsVmName": "[replace(variables('virtualMachineNamingConvention'), variables('nameToken'), 'bas-windows')]", 
@@ -955,11 +1314,11 @@ "networkSecurityGroupRules": "[parameters('identityNetworkSecurityGroupRules')]", "networkSecurityGroupDiagnosticsLogs": "[parameters('identityNetworkSecurityGroupDiagnosticsLogs')]", "networkSecurityGroupDiagnosticsMetrics": "[parameters('identityNetworkSecurityGroupDiagnosticsMetrics')]", + "routeTableName": "[variables('identityRouteTableName')]", "subnetName": "[variables('identitySubnetName')]", "subnetAddressPrefix": "[parameters('identitySubnetAddressPrefix')]", - "subnetServiceEndpoints": "[parameters('identitySubnetServiceEndpoints')]", - "subnetPrivateEndpointNetworkPolicies": "Enabled", - "subnetPrivateLinkServiceNetworkPolicies": "Enabled" + "subnetPrivateEndpointNetworkPolicies": "Disabled", + "subnetPrivateLinkServiceNetworkPolicies": "Disabled" }, { "name": "[variables('operationsName')]", @@ -974,9 +1333,9 @@ "networkSecurityGroupRules": "[parameters('operationsNetworkSecurityGroupRules')]", "networkSecurityGroupDiagnosticsLogs": "[parameters('operationsNetworkSecurityGroupDiagnosticsLogs')]", "networkSecurityGroupDiagnosticsMetrics": "[parameters('operationsNetworkSecurityGroupDiagnosticsMetrics')]", + "routeTableName": "[variables('operationsRouteTableName')]", "subnetName": "[variables('operationsSubnetName')]", "subnetAddressPrefix": "[parameters('operationsSubnetAddressPrefix')]", - "subnetServiceEndpoints": "[parameters('operationsSubnetServiceEndpoints')]", "subnetPrivateEndpointNetworkPolicies": "Disabled", "subnetPrivateLinkServiceNetworkPolicies": "Disabled" }, 
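Review bot: Changing `subnetPrivateEndpointNetworkPolicies` from `Enabled` to `Disabled` on the identity spoke (and on sharedServices in the @@ -993 hunk) means the spoke NSG rules and the newly added `routeTableName` are not applied to any private endpoint placed in these subnets. If the storage and Key Vault private endpoints from this commit land here and are meant to be filtered by the NSG or routed through the firewall, this should stay `Enabled`. Where the network API version supports them, `NetworkSecurityGroupEnabled` or `RouteTableEnabled` are narrower alternatives. If `Disabled` is intentional, say so in a comment next to the setting in the Bicep source, since this JSON is compiled output and cannot carry one. The `spokes` array begins outside the hunk, so where the endpoints are placed cannot be confirmed from here.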
@@ -993,11 +1352,11 @@ "networkSecurityGroupRules": "[parameters('sharedServicesNetworkSecurityGroupRules')]", "networkSecurityGroupDiagnosticsLogs": "[parameters('sharedServicesNetworkSecurityGroupDiagnosticsLogs')]", "networkSecurityGroupDiagnosticsMetrics": "[parameters('sharedServicesNetworkSecurityGroupDiagnosticsMetrics')]", + "routeTableName": "[variables('sharedServicesRouteTableName')]", "subnetName": "[variables('sharedServicesSubnetName')]", "subnetAddressPrefix": "[parameters('sharedServicesSubnetAddressPrefix')]", - "subnetServiceEndpoints": "[parameters('sharedServicesSubnetServiceEndpoints')]", - "subnetPrivateEndpointNetworkPolicies": "Enabled", - "subnetPrivateLinkServiceNetworkPolicies": "Enabled" + "subnetPrivateEndpointNetworkPolicies": "Disabled", + "subnetPrivateLinkServiceNetworkPolicies": "Disabled" } ], "defaultTags": { @@ -1010,7 +1369,7 @@ "resources": [ { "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", + "apiVersion": "2022-09-01", "name": "[format('deploy-rg-hub-{0}', parameters('deploymentNameSuffix'))]", "subscriptionId": "[parameters('hubSubscriptionId')]", "location": "[deployment().location]", @@ -1036,8 +1395,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.10.61.36676", - "templateHash": "18346155787391352255" + "version": "0.24.24.22086", + "templateHash": "7140967460139920692" } }, "parameters": { @@ -1088,7 +1447,7 @@ "count": "[length(variables('spokes'))]" }, "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", + "apiVersion": "2022-09-01", "name": "[format('deploy-rg-{0}-{1}', variables('spokes')[copyIndex()].name, parameters('deploymentNameSuffix'))]", "subscriptionId": "[variables('spokes')[copyIndex()].subscriptionId]", "location": "[deployment().location]", 
@@ -1114,8 +1473,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.10.61.36676", - "templateHash": "18346155787391352255" + "version": "0.24.24.22086", + "templateHash": "7140967460139920692" } }, "parameters": { @@ -1162,7 +1521,7 @@ }, { "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", + "apiVersion": "2022-09-01", "name": "[format('deploy-laws-{0}', parameters('deploymentNameSuffix'))]", "subscriptionId": "[parameters('operationsSubscriptionId')]", "resourceGroup": "[variables('operationsResourceGroupName')]", @@ -1200,8 +1559,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.10.61.36676", - "templateHash": "4363803513381780626" + "version": "0.24.24.22086", + "templateHash": "9947295372567029530" } }, "parameters": { @@ -1316,11 +1675,11 @@ } }, { - "condition": "[variables('solutions')[copyIndex()].deploy]", "copy": { "name": "logAnalyticsSolutions", "count": "[length(variables('solutions'))]" }, + "condition": "[variables('solutions')[copyIndex()].deploy]", "type": "Microsoft.OperationsManagement/solutions", "apiVersion": "2015-11-01-preview", "name": "[format('{0}({1})', variables('solutions')[copyIndex()].name, parameters('name'))]", @@ -1374,7 +1733,7 @@ }, { "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", + "apiVersion": "2022-09-01", "name": "[format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix'))]", "subscriptionId": "[parameters('hubSubscriptionId')]", "resourceGroup": "[variables('hubResourceGroupName')]", 
@@ -1384,137 +1743,115 @@ }, "mode": "Incremental", "parameters": { - "location": { - "value": "[parameters('location')]" + "bastionHostSubnetAddressPrefix": { + "value": "[parameters('bastionHostSubnetAddressPrefix')]" }, - "tags": { - "value": "[variables('calculatedTags')]" + "deployRemoteAccess": { + "value": "[parameters('deployRemoteAccess')]" }, - "logStorageAccountName": { - "value": "[variables('hubLogStorageAccountName')]" + "dnsServers": { + "value": "[parameters('dnsServers')]" }, - "logStorageSkuName": { - "value": "[parameters('logStorageSkuName')]" + "enableProxy": { + "value": "[parameters('enableProxy')]" }, - "logAnalyticsWorkspaceResourceId": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix')))).outputs.id.value]" + "firewallClientIpConfigurationName": { + "value": "[variables('firewallClientIpConfigurationName')]" }, - "virtualNetworkName": { - "value": "[variables('hubVirtualNetworkName')]" + "firewallClientPrivateIpAddress": { + "value": "[variables('firewallClientPrivateIpAddress')]" }, - "virtualNetworkAddressPrefix": { - "value": "[parameters('hubVirtualNetworkAddressPrefix')]" + "firewallClientPublicIPAddressAvailabilityZones": { + "value": "[parameters('firewallClientPublicIPAddressAvailabilityZones')]" }, - "virtualNetworkDiagnosticsLogs": { - "value": "[parameters('hubVirtualNetworkDiagnosticsLogs')]" + "firewallClientPublicIPAddressName": { + "value": "[variables('firewallClientPublicIPAddressName')]" }, - "virtualNetworkDiagnosticsMetrics": { - "value": "[parameters('hubVirtualNetworkDiagnosticsMetrics')]" + "firewallClientPublicIPAddressSkuName": { + "value": "[variables('firewallPublicIpAddressSkuName')]" }, - "networkSecurityGroupName": { - "value": "[variables('hubNetworkSecurityGroupName')]" + 
"firewallClientPublicIpAllocationMethod": { + "value": "[variables('firewallPublicIpAddressAllocationMethod')]" }, - "networkSecurityGroupRules": { - "value": "[parameters('hubNetworkSecurityGroupRules')]" - }, - "networkSecurityGroupDiagnosticsLogs": { - "value": "[parameters('hubNetworkSecurityGroupDiagnosticsLogs')]" - }, - "networkSecurityGroupDiagnosticsMetrics": { - "value": "[parameters('hubNetworkSecurityGroupDiagnosticsMetrics')]" - }, - "subnetName": { - "value": "[variables('hubSubnetName')]" - }, - "subnetAddressPrefix": { - "value": "[parameters('hubSubnetAddressPrefix')]" - }, - "subnetServiceEndpoints": { - "value": "[parameters('hubSubnetServiceEndpoints')]" - }, - "firewallName": { - "value": "[variables('firewallName')]" - }, - "firewallSkuTier": { - "value": "[parameters('firewallSkuTier')]" - }, - "firewallPolicyName": { - "value": "[variables('firewallPolicyName')]" + "firewallClientSubnetAddressPrefix": { + "value": "[parameters('firewallClientSubnetAddressPrefix')]" }, - "firewallThreatIntelMode": { - "value": "[parameters('firewallThreatIntelMode')]" + "firewallClientSubnetName": { + "value": "AzureFirewallSubnet" }, "firewallIntrusionDetectionMode": { "value": "[parameters('firewallIntrusionDetectionMode')]" }, - "firewallDiagnosticsLogs": { - "value": "[parameters('firewallDiagnosticsLogs')]" + "firewallManagementIpConfigurationName": { + "value": "[variables('firewallManagementIpConfigurationName')]" }, - "firewallDiagnosticsMetrics": { - "value": "[parameters('firewallDiagnosticsMetrics')]" + "firewallManagementPublicIPAddressAvailabilityZones": { + "value": "[parameters('firewallManagementPublicIPAddressAvailabilityZones')]" }, - "firewallClientIpConfigurationName": { - "value": "[variables('firewallClientIpConfigurationName')]" + "firewallManagementPublicIPAddressName": { + "value": "[variables('firewallManagementPublicIPAddressName')]" }, - "firewallClientSubnetName": { - "value": "AzureFirewallSubnet" + 
"firewallManagementPublicIPAddressSkuName": { + "value": "[variables('firewallPublicIpAddressSkuName')]" }, - "firewallClientSubnetAddressPrefix": { - "value": "[parameters('firewallClientSubnetAddressPrefix')]" + "firewallManagementPublicIpAllocationMethod": { + "value": "[variables('firewallPublicIpAddressAllocationMethod')]" }, - "firewallClientSubnetServiceEndpoints": { - "value": "[parameters('firewallClientSubnetServiceEndpoints')]" + "firewallManagementSubnetAddressPrefix": { + "value": "[parameters('firewallManagementSubnetAddressPrefix')]" }, - "firewallClientPublicIPAddressName": { - "value": "[variables('firewallClientPublicIPAddressName')]" + "firewallManagementSubnetName": { + "value": "AzureFirewallManagementSubnet" }, - "firewallClientPublicIPAddressSkuName": { - "value": "[variables('firewallPublicIpAddressSkuName')]" + "firewallName": { + "value": "[variables('firewallName')]" }, - "firewallClientPublicIpAllocationMethod": { - "value": "[variables('firewallPublicIpAddressAllocationMethod')]" + "firewallPolicyName": { + "value": "[variables('firewallPolicyName')]" }, - "firewallClientPublicIPAddressAvailabilityZones": { - "value": "[parameters('firewallClientPublicIPAddressAvailabilityZones')]" + "firewallSkuTier": { + "value": "[parameters('firewallSkuTier')]" }, - "firewallManagementIpConfigurationName": { - "value": "[variables('firewallManagementIpConfigurationName')]" + "firewallSupernetIPAddress": { + "value": "[parameters('firewallSupernetIPAddress')]" }, - "firewallManagementSubnetName": { - "value": "AzureFirewallManagementSubnet" + "firewallThreatIntelMode": { + "value": "[parameters('firewallThreatIntelMode')]" }, - "firewallManagementSubnetAddressPrefix": { - "value": "[parameters('firewallManagementSubnetAddressPrefix')]" + "location": { + "value": "[parameters('location')]" }, - "firewallManagementSubnetServiceEndpoints": { - "value": "[parameters('firewallManagementSubnetServiceEndpoints')]" + "networkSecurityGroupName": { + "value": 
"[variables('hubNetworkSecurityGroupName')]" }, - "firewallManagementPublicIPAddressName": { - "value": "[variables('firewallManagementPublicIPAddressName')]" + "networkSecurityGroupRules": { + "value": "[parameters('hubNetworkSecurityGroupRules')]" }, - "firewallManagementPublicIPAddressSkuName": { - "value": "[variables('firewallPublicIpAddressSkuName')]" + "networkWatcherName": { + "value": "[variables('hubNetworkWatcherName')]" }, - "firewallManagementPublicIpAllocationMethod": { - "value": "[variables('firewallPublicIpAddressAllocationMethod')]" + "routeTableName": { + "value": "[variables('hubRouteTableName')]" }, - "firewallManagementPublicIPAddressAvailabilityZones": { - "value": "[parameters('firewallManagementPublicIPAddressAvailabilityZones')]" + "subnetAddressPrefix": { + "value": "[parameters('hubSubnetAddressPrefix')]" }, - "firewallSupernetIPAddress": { - "value": "[parameters('firewallSupernetIPAddress')]" + "subnetName": { + "value": "[variables('hubSubnetName')]" }, - "publicIPAddressDiagnosticsLogs": { - "value": "[parameters('publicIPAddressDiagnosticsLogs')]" + "tags": { + "value": "[variables('calculatedTags')]" }, - "publicIPAddressDiagnosticsMetrics": { - "value": "[parameters('publicIPAddressDiagnosticsMetrics')]" + "virtualNetworkAddressPrefix": { + "value": "[parameters('hubVirtualNetworkAddressPrefix')]" }, - "enableProxy": { - "value": "[parameters('enableProxy')]" + "virtualNetworkName": { + "value": "[variables('hubVirtualNetworkName')]" }, - "dnsServers": { - "value": "[parameters('dnsServers')]" + "vNetDnsServers": { + "value": [ + "[variables('firewallClientPrivateIpAddress')]" + ] } }, "template": { 
@@ -1523,97 +1860,84 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.10.61.36676", - "templateHash": "1557820237271279412" + "version": "0.24.24.22086", + "templateHash": "15296079850903192633" } }, "parameters": { - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]" - }, - "tags": { - "type": "object", - "defaultValue": {} - }, - "logStorageAccountName": { + "bastionHostSubnetAddressPrefix": { "type": "string" }, - "logStorageSkuName": { - "type": "string" + "deployRemoteAccess": { + "type": "bool" }, - "vNetDnsServers": { - "type": "array", - "defaultValue": [] + "dnsServers": { + "type": "array" }, - "logAnalyticsWorkspaceResourceId": { - "type": "string" + "enableProxy": { + "type": "bool" }, - "virtualNetworkName": { + "firewallClientIpConfigurationName": { "type": "string" }, - "virtualNetworkAddressPrefix": { + "firewallClientPrivateIpAddress": { "type": "string" }, - "virtualNetworkDiagnosticsLogs": { - "type": "array" - }, - "virtualNetworkDiagnosticsMetrics": { + "firewallClientPublicIPAddressAvailabilityZones": { "type": "array" }, - "networkSecurityGroupName": { + "firewallClientPublicIPAddressName": { "type": "string" }, - "networkSecurityGroupRules": { - "type": "array" + "firewallClientPublicIPAddressSkuName": { + "type": "string" }, - "networkSecurityGroupDiagnosticsLogs": { - "type": "array" + "firewallClientPublicIpAllocationMethod": { + "type": "string" }, - "networkSecurityGroupDiagnosticsMetrics": { - "type": "array" + "firewallClientSubnetAddressPrefix": { + "type": "string" }, - "subnetName": { + "firewallClientSubnetName": { "type": "string" }, - "subnetAddressPrefix": { + "firewallIntrusionDetectionMode": { + "type": "string", + "allowedValues": [ + "Alert", + "Deny", + "Off" + ] + }, + "firewallManagementIpConfigurationName": { "type": "string" }, - "subnetServiceEndpoints": { + "firewallManagementPublicIPAddressAvailabilityZones": { "type": "array" }, - "routeTableName": { - "type": 
"string", - "defaultValue": "[format('{0}-routetable', parameters('subnetName'))]" + "firewallManagementPublicIPAddressName": { + "type": "string" }, - "routeTableRouteName": { - "type": "string", - "defaultValue": "default_route" + "firewallManagementPublicIPAddressSkuName": { + "type": "string" }, - "routeTableRouteAddressPrefix": { - "type": "string", - "defaultValue": "0.0.0.0/0" + "firewallManagementPublicIpAllocationMethod": { + "type": "string" }, - "routeTableRouteNextHopType": { - "type": "string", - "defaultValue": "VirtualAppliance" + "firewallManagementSubnetAddressPrefix": { + "type": "string" }, - "firewallName": { + "firewallManagementSubnetName": { "type": "string" }, - "firewallSkuTier": { + "firewallName": { "type": "string" }, "firewallPolicyName": { "type": "string" }, - "enableProxy": { - "type": "bool", - "defaultValue": false - }, - "dnsServers": { - "type": "array", - "defaultValue": [] + "firewallSkuTier": { + "type": "string" }, "firewallSupernetIPAddress": { "type": "string" 
@@ -1626,117 +1950,74 @@ "Off" ] }, - "firewallIntrusionDetectionMode": { - "type": "string", - "allowedValues": [ - "Alert", - "Deny", - "Off" - ] - }, - "firewallDiagnosticsLogs": { - "type": "array" - }, - "firewallDiagnosticsMetrics": { - "type": "array" - }, - "firewallClientIpConfigurationName": { - "type": "string" - }, - "firewallClientSubnetName": { + "location": { "type": "string" }, - "firewallClientSubnetAddressPrefix": { + "networkSecurityGroupName": { "type": "string" }, - "firewallClientSubnetServiceEndpoints": { + "networkSecurityGroupRules": { "type": "array" }, - "firewallClientPublicIPAddressName": { + "networkWatcherName": { "type": "string" }, - "firewallClientPublicIPAddressSkuName": { + "routeTableName": { "type": "string" }, - "firewallClientPublicIpAllocationMethod": { - "type": "string" + "routeTableRouteAddressPrefix": { + "type": "string", + "defaultValue": "0.0.0.0/0" }, - "firewallClientPublicIPAddressAvailabilityZones": { - "type": "array" + "routeTableRouteName": { + "type": "string", + "defaultValue": "default_route" }, - "firewallManagementIpConfigurationName": { - "type": "string" + "routeTableRouteNextHopType": { + "type": "string", + "defaultValue": "VirtualAppliance" }, - "firewallManagementSubnetName": { + "subnetAddressPrefix": { "type": "string" }, - "firewallManagementSubnetAddressPrefix": { + "subnetName": { "type": "string" }, - "firewallManagementSubnetServiceEndpoints": { - "type": "array" - }, - "firewallManagementPublicIPAddressName": { - "type": "string" + "tags": { + "type": "object" }, - "firewallManagementPublicIPAddressSkuName": { + "virtualNetworkAddressPrefix": { "type": "string" }, - "firewallManagementPublicIpAllocationMethod": { + "virtualNetworkName": { "type": "string" }, - "firewallManagementPublicIPAddressAvailabilityZones": { - "type": "array" - }, - "publicIPAddressDiagnosticsLogs": { - "type": "array" - }, - "publicIPAddressDiagnosticsMetrics": { + "vNetDnsServers": { "type": "array" } }, + 
"variables": { + "subnetsBastion": "[if(parameters('deployRemoteAccess'), createArray(createObject('name', 'AzureBastionSubnet', 'properties', createObject('addressPrefix', parameters('bastionHostSubnetAddressPrefix')))), createArray())]" + }, "resources": [ - { - "type": "Microsoft.Network/virtualNetworks/subnets", - "apiVersion": "2021-02-01", - "name": "[format('{0}/{1}', parameters('virtualNetworkName'), parameters('subnetName'))]", - "properties": { - "addressPrefix": "[parameters('subnetAddressPrefix')]", - "networkSecurityGroup": { - "id": "[reference(resourceId('Microsoft.Resources/deployments', 'networkSecurityGroup')).outputs.id.value]" - }, - "routeTable": { - "id": "[reference(resourceId('Microsoft.Resources/deployments', 'routeTable')).outputs.id.value]" - }, - "serviceEndpoints": "[parameters('subnetServiceEndpoints')]", - "privateEndpointNetworkPolicies": "Disabled", - "privateLinkServiceNetworkPolicies": "Enabled" - }, - "dependsOn": [ - "[resourceId('Microsoft.Resources/deployments', 'firewall')]", - "[resourceId('Microsoft.Resources/deployments', 'networkSecurityGroup')]", - "[resourceId('Microsoft.Resources/deployments', 'routeTable')]", - "[resourceId('Microsoft.Resources/deployments', 'virtualNetwork')]" - ] - }, { "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "logStorage", + "apiVersion": "2022-09-01", + "name": "networkSecurityGroup", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { - "storageAccountName": { - "value": "[parameters('logStorageAccountName')]" - }, "location": { "value": "[parameters('location')]" }, - "skuName": { - "value": "[parameters('logStorageSkuName')]" + "name": { + "value": "[parameters('networkSecurityGroupName')]" + }, + "securityRules": { + "value": "[parameters('networkSecurityGroupRules')]" }, "tags": { "value": "[parameters('tags')]" 
@@ -1748,63 +2029,44 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.10.61.36676", - "templateHash": "4435843471246172620" + "version": "0.24.24.22086", + "templateHash": "14964080576155541488" } }, "parameters": { - "storageAccountName": { - "type": "string" - }, "location": { "type": "string" }, - "skuName": { + "name": { "type": "string" }, + "securityRules": { + "type": "array" + }, "tags": { - "type": "object", - "defaultValue": {} + "type": "object" } }, "resources": [ { - "type": "Microsoft.Storage/storageAccounts", - "apiVersion": "2021-01-01", - "name": "[parameters('storageAccountName')]", + "type": "Microsoft.Network/networkSecurityGroups", + "apiVersion": "2021-02-01", + "name": "[parameters('name')]", "location": "[parameters('location')]", - "kind": "StorageV2", - "sku": { - "name": "[parameters('skuName')]" - }, "tags": "[parameters('tags')]", "properties": { - "minimumTlsVersion": "TLS1_2", - "encryption": { - "keySource": "Microsoft.Storage", - "requireInfrastructureEncryption": true, - "services": { - "blob": { - "enabled": true - }, - "file": { - "enabled": true - }, - "queue": { - "enabled": true - }, - "table": { - "enabled": true - } - } - } + "securityRules": "[parameters('securityRules')]" } } ], "outputs": { "id": { "type": "string", - "value": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]" + "value": "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('name'))]" + }, + "name": { + "type": "string", + "value": "[parameters('name')]" } } } 
@@ -1812,37 +2074,34 @@ }, { "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "networkSecurityGroup", + "apiVersion": "2022-09-01", + "name": "routeTable", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { - "name": { - "value": "[parameters('networkSecurityGroupName')]" - }, "location": { "value": "[parameters('location')]" }, - "tags": { - "value": "[parameters('tags')]" + "name": { + "value": "[parameters('routeTableName')]" }, - "securityRules": { - "value": "[parameters('networkSecurityGroupRules')]" + "routeAddressPrefix": { + "value": "[parameters('routeTableRouteAddressPrefix')]" }, - "logAnalyticsWorkspaceResourceId": { - "value": "[parameters('logAnalyticsWorkspaceResourceId')]" + "routeName": { + "value": "[parameters('routeTableRouteName')]" }, - "logStorageAccountResourceId": { - "value": "[reference(resourceId('Microsoft.Resources/deployments', 'logStorage')).outputs.id.value]" + "routeNextHopIpAddress": { + "value": "[parameters('firewallClientPrivateIpAddress')]" }, - "logs": { - "value": "[parameters('networkSecurityGroupDiagnosticsLogs')]" + "routeNextHopType": { + "value": "[parameters('routeTableRouteNextHopType')]" }, - "metrics": { - "value": "[parameters('networkSecurityGroupDiagnosticsMetrics')]" + "tags": { + "value": "[parameters('tags')]" } }, "template": { 
@@ -1851,68 +2110,58 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.10.61.36676", - "templateHash": "7894763285242421186" + "version": "0.24.24.22086", + "templateHash": "3954150695911654455" } }, "parameters": { - "name": { - "type": "string" - }, "location": { "type": "string" }, - "tags": { - "type": "object", - "defaultValue": {} + "name": { + "type": "string" }, - "securityRules": { - "type": "array" + "routeAddressPrefix": { + "type": "string" }, - "logStorageAccountResourceId": { + "routeName": { "type": "string" }, - "logAnalyticsWorkspaceResourceId": { + "routeNextHopIpAddress": { "type": "string" }, - "logs": { - "type": "array" + "routeNextHopType": { + "type": "string" }, - "metrics": { - "type": "array" + "tags": { + "type": "object" } }, "resources": [ { - "type": "Microsoft.Network/networkSecurityGroups", + "type": "Microsoft.Network/routeTables", "apiVersion": "2021-02-01", "name": "[parameters('name')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", "properties": { - "securityRules": "[parameters('securityRules')]" + "routes": [ + { + "name": "[parameters('routeName')]", + "properties": { + "addressPrefix": "[parameters('routeAddressPrefix')]", + "nextHopIpAddress": "[parameters('routeNextHopIpAddress')]", + "nextHopType": "[parameters('routeNextHopType')]" + } + } + ] } - }, - { - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2017-05-01-preview", - "scope": "[format('Microsoft.Network/networkSecurityGroups/{0}', parameters('name'))]", - "name": "[format('{0}-diagnostics', parameters('name'))]", - "properties": { - "storageAccountId": "[parameters('logStorageAccountResourceId')]", - "workspaceId": "[parameters('logAnalyticsWorkspaceResourceId')]", - "logs": "[parameters('logs')]", - "metrics": "[parameters('metrics')]" - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('name'))]" - ] } ], "outputs": { "id": { "type": "string", - "value": 
"[resourceId('Microsoft.Network/networkSecurityGroups', parameters('name'))]" + "value": "[resourceId('Microsoft.Network/routeTables', parameters('name'))]" }, "name": { "type": "string", 
@@ -1920,65 +2169,89 @@ } } } - }, - "dependsOn": [ - "[resourceId('Microsoft.Resources/deployments', 'logStorage')]" - ] + } }, { "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "virtualNetwork", + "apiVersion": "2022-09-01", + "name": "networkWatcher", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { - "name": { - "value": "[parameters('virtualNetworkName')]" - }, "location": { "value": "[parameters('location')]" }, + "name": { + "value": "[parameters('networkWatcherName')]" + }, "tags": { "value": "[parameters('tags')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.24.24.22086", + "templateHash": "14546557041983787127" + } + }, + "parameters": { + "location": { + "type": "string" + }, + "name": { + "type": "string" + }, + "tags": { + "type": "object" + } }, + "resources": [ + { + "type": "Microsoft.Network/networkWatchers", + "apiVersion": "2021-02-01", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "tags": "[parameters('tags')]", + "properties": {} + } + ] + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "virtualNetwork", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { "addressPrefix": { "value": "[parameters('virtualNetworkAddressPrefix')]" }, - "vNetDnsServers": { - "value": "[parameters('vNetDnsServers')]" - }, - "subnets": { - "value": [ - { - "name": "[parameters('firewallClientSubnetName')]", - "properties": { - "addressPrefix": "[parameters('firewallClientSubnetAddressPrefix')]", - "serviceEndpoints": "[parameters('firewallClientSubnetServiceEndpoints')]" - } - }, - { - "name": "[parameters('firewallManagementSubnetName')]", - 
"properties": { - "addressPrefix": "[parameters('firewallManagementSubnetAddressPrefix')]", - "serviceEndpoints": "[parameters('firewallManagementSubnetServiceEndpoints')]" - } - } - ] + "location": { + "value": "[parameters('location')]" }, - "logAnalyticsWorkspaceResourceId": { - "value": "[parameters('logAnalyticsWorkspaceResourceId')]" + "name": { + "value": "[parameters('virtualNetworkName')]" }, - "logStorageAccountResourceId": { - "value": "[reference(resourceId('Microsoft.Resources/deployments', 'logStorage')).outputs.id.value]" + "subnets": { + "value": "[union(createArray(createObject('name', 'AzureFirewallSubnet', 'properties', createObject('addressPrefix', parameters('firewallClientSubnetAddressPrefix'))), createObject('name', 'AzureFirewallManagementSubnet', 'properties', createObject('addressPrefix', parameters('firewallManagementSubnetAddressPrefix'))), createObject('name', parameters('subnetName'), 'properties', createObject('addressPrefix', parameters('subnetAddressPrefix'), 'networkSecurityGroup', createObject('id', reference(resourceId('Microsoft.Resources/deployments', 'networkSecurityGroup'), '2022-09-01').outputs.id.value), 'privateEndpointNetworkPolicies', 'Disabled', 'privateLinkServiceNetworkPolicies', 'Disabled', 'routeTable', createObject('id', reference(resourceId('Microsoft.Resources/deployments', 'routeTable'), '2022-09-01').outputs.id.value)))), variables('subnetsBastion'))]" }, - "logs": { - "value": "[parameters('virtualNetworkDiagnosticsLogs')]" + "tags": { + "value": "[parameters('tags')]" }, - "metrics": { - "value": "[parameters('virtualNetworkDiagnosticsMetrics')]" + "vNetDnsServers": { + "value": "[parameters('vNetDnsServers')]" } }, "template": { 
@@ -1987,41 +2260,27 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.10.61.36676", - "templateHash": "16443263514490560792" + "version": "0.24.24.22086", + "templateHash": "12638783015880972122" } }, "parameters": { - "name": { - "type": "string" - }, - "location": { - "type": "string" - }, - "tags": { - "type": "object", - "defaultValue": {} - }, "addressPrefix": { "type": "string" }, - "vNetDnsServers": { - "type": "array", - "defaultValue": [] - }, - "logAnalyticsWorkspaceResourceId": { + "location": { "type": "string" }, - "logStorageAccountResourceId": { + "name": { "type": "string" }, "subnets": { "type": "array" }, - "logs": { - "type": "array" + "tags": { + "type": "object" }, - "metrics": { + "vNetDnsServers": { "type": "array" } }, @@ -2041,21 +2300,6 @@ "subnets": "[parameters('subnets')]", "dhcpOptions": "[if(not(equals(parameters('vNetDnsServers'), null())), createObject('dnsServers', parameters('vNetDnsServers')), null())]" } - }, - { - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2017-05-01-preview", - "scope": "[format('Microsoft.Network/virtualNetworks/{0}', parameters('name'))]", - "name": "[format('{0}-diagnostics', parameters('name'))]", - "properties": { - "storageAccountId": "[parameters('logStorageAccountResourceId')]", - "workspaceId": "[parameters('logAnalyticsWorkspaceResourceId')]", - "logs": "[parameters('logs')]", - "metrics": "[parameters('metrics')]" - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/virtualNetworks', parameters('name'))]" - ] } ], "outputs": { 
@@ -2069,49 +2313,48 @@ }, "subnets": { "type": "array", - "value": "[reference(resourceId('Microsoft.Network/virtualNetworks', parameters('name'))).subnets]" + "value": "[reference(resourceId('Microsoft.Network/virtualNetworks', parameters('name')), '2021-02-01').subnets]" }, "addressPrefix": { "type": "string", - "value": "[reference(resourceId('Microsoft.Network/virtualNetworks', parameters('name'))).addressSpace.addressPrefixes[0]]" + "value": "[reference(resourceId('Microsoft.Network/virtualNetworks', parameters('name')), '2021-02-01').addressSpace.addressPrefixes[0]]" } } } }, "dependsOn": [ - "[resourceId('Microsoft.Resources/deployments', 'logStorage')]" + "[resourceId('Microsoft.Resources/deployments', 'networkSecurityGroup')]", + "[resourceId('Microsoft.Resources/deployments', 'networkWatcher')]", + "[resourceId('Microsoft.Resources/deployments', 'routeTable')]" ] }, { "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "routeTable", + "apiVersion": "2022-09-01", + "name": "firewallClientPublicIPAddress", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { - "name": { - "value": "[parameters('routeTableName')]" + "availabilityZones": { + "value": "[parameters('firewallClientPublicIPAddressAvailabilityZones')]" }, "location": { "value": "[parameters('location')]" }, - "tags": { - "value": "[parameters('tags')]" - }, - "routeName": { - "value": "[parameters('routeTableRouteName')]" + "name": { + "value": "[parameters('firewallClientPublicIPAddressName')]" }, - "routeAddressPrefix": { - "value": "[parameters('routeTableRouteAddressPrefix')]" + "publicIpAllocationMethod": { + "value": "[parameters('firewallClientPublicIpAllocationMethod')]" }, - "routeNextHopIpAddress": { - "value": "[reference(resourceId('Microsoft.Resources/deployments', 'firewall')).outputs.privateIPAddress.value]" + "skuName": { + "value": "[parameters('firewallClientPublicIPAddressSkuName')]" }, - 
"routeNextHopType": { - "value": "[parameters('routeTableRouteNextHopType')]" + "tags": { + "value": "[parameters('tags')]" } }, "template": { 
@@ -2120,110 +2363,82 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.10.61.36676", - "templateHash": "8332169477119932515" + "version": "0.24.24.22086", + "templateHash": "6027084282099740925" } }, "parameters": { - "name": { - "type": "string" + "availabilityZones": { + "type": "array" }, "location": { "type": "string" }, - "tags": { - "type": "object", - "defaultValue": {} - }, - "routeName": { + "name": { "type": "string" }, - "routeAddressPrefix": { + "publicIpAllocationMethod": { "type": "string" }, - "routeNextHopIpAddress": { + "skuName": { "type": "string" }, - "routeNextHopType": { - "type": "string" + "tags": { + "type": "object" } }, "resources": [ { - "type": "Microsoft.Network/routeTables", + "type": "Microsoft.Network/publicIPAddresses", "apiVersion": "2021-02-01", "name": "[parameters('name')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", + "sku": { + "name": "[parameters('skuName')]" + }, "properties": { - "routes": [ - { - "name": "[parameters('routeName')]", - "properties": { - "addressPrefix": "[parameters('routeAddressPrefix')]", - "nextHopIpAddress": "[parameters('routeNextHopIpAddress')]", - "nextHopType": "[parameters('routeNextHopType')]" - } - } - ] - } + "publicIPAllocationMethod": "[parameters('publicIpAllocationMethod')]" + }, + "zones": "[parameters('availabilityZones')]" } ], "outputs": { "id": { "type": "string", - "value": "[resourceId('Microsoft.Network/routeTables', parameters('name'))]" - }, - "name": { - "type": "string", - "value": "[parameters('name')]" + "value": "[resourceId('Microsoft.Network/publicIPAddresses', parameters('name'))]" } } } - }, - "dependsOn": [ - "[resourceId('Microsoft.Resources/deployments', 'firewall')]" - ] + } }, { "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "firewallClientPublicIPAddress", + "apiVersion": "2022-09-01", + "name": "firewallManagementPublicIPAddress", "properties": { "expressionEvaluationOptions": { 
"scope": "inner" }, "mode": "Incremental", "parameters": { - "name": { - "value": "[parameters('firewallClientPublicIPAddressName')]" + "availabilityZones": { + "value": "[parameters('firewallManagementPublicIPAddressAvailabilityZones')]" }, "location": { "value": "[parameters('location')]" }, - "tags": { - "value": "[parameters('tags')]" - }, - "skuName": { - "value": "[parameters('firewallClientPublicIPAddressSkuName')]" + "name": { + "value": "[parameters('firewallManagementPublicIPAddressName')]" }, "publicIpAllocationMethod": { - "value": "[parameters('firewallClientPublicIpAllocationMethod')]" - }, - "availabilityZones": { - "value": "[parameters('firewallClientPublicIPAddressAvailabilityZones')]" - }, - "logAnalyticsWorkspaceResourceId": { - "value": "[parameters('logAnalyticsWorkspaceResourceId')]" - }, - "logStorageAccountResourceId": { - "value": "[reference(resourceId('Microsoft.Resources/deployments', 'logStorage')).outputs.id.value]" + "value": "[parameters('firewallManagementPublicIpAllocationMethod')]" }, - "logs": { - "value": "[parameters('publicIPAddressDiagnosticsLogs')]" + "skuName": { + "value": "[parameters('firewallManagementPublicIPAddressSkuName')]" }, - "metrics": { - "value": "[parameters('publicIPAddressDiagnosticsMetrics')]" + "tags": { + "value": "[parameters('tags')]" } }, "template": { 
@@ -2232,41 +2447,28 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.10.61.36676", - "templateHash": "18439825222758045392" + "version": "0.24.24.22086", + "templateHash": "6027084282099740925" } }, "parameters": { - "name": { - "type": "string" + "availabilityZones": { + "type": "array" }, "location": { "type": "string" }, - "tags": { - "type": "object", - "defaultValue": {} - }, - "skuName": { + "name": { "type": "string" }, "publicIpAllocationMethod": { "type": "string" }, - "availabilityZones": { - "type": "array" - }, - "logStorageAccountResourceId": { - "type": "string" - }, - "logAnalyticsWorkspaceResourceId": { + "skuName": { "type": "string" }, - "logs": { - "type": "array" - }, - "metrics": { - "type": "array" + "tags": { + "type": "object" } }, "resources": [ @@ -2283,21 +2485,6 @@ "publicIPAllocationMethod": "[parameters('publicIpAllocationMethod')]" }, "zones": "[parameters('availabilityZones')]" - }, - { - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2017-05-01-preview", - "scope": "[format('Microsoft.Network/publicIPAddresses/{0}', parameters('name'))]", - "name": "[format('{0}-diagnostics', parameters('name'))]", - "properties": { - "storageAccountId": "[parameters('logStorageAccountResourceId')]", - "workspaceId": "[parameters('logAnalyticsWorkspaceResourceId')]", - "logs": "[parameters('logs')]", - "metrics": "[parameters('metrics')]" - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/publicIPAddresses', parameters('name'))]" - ] } ], "outputs": { 
@@ -2307,50 +2494,65 @@ } } } - }, - "dependsOn": [ - "[resourceId('Microsoft.Resources/deployments', 'logStorage')]" - ] + } }, { "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "firewallManagementPublicIPAddress", + "apiVersion": "2022-09-01", + "name": "firewall", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { - "name": { - "value": "[parameters('firewallManagementPublicIPAddressName')]" + "clientIpConfigurationName": { + "value": "[parameters('firewallClientIpConfigurationName')]" + }, + "clientIpConfigurationPublicIPAddressResourceId": { + "value": "[reference(resourceId('Microsoft.Resources/deployments', 'firewallClientPublicIPAddress'), '2022-09-01').outputs.id.value]" + }, + "clientIpConfigurationSubnetResourceId": { + "value": "[format('{0}/subnets/{1}', reference(resourceId('Microsoft.Resources/deployments', 'virtualNetwork'), '2022-09-01').outputs.id.value, parameters('firewallClientSubnetName'))]" + }, + "dnsServers": { + "value": "[parameters('dnsServers')]" + }, + "enableProxy": { + "value": "[parameters('enableProxy')]" + }, + "firewallPolicyName": { + "value": "[parameters('firewallPolicyName')]" + }, + "firewallSupernetIPAddress": { + "value": "[parameters('firewallSupernetIPAddress')]" + }, + "intrusionDetectionMode": { + "value": "[parameters('firewallIntrusionDetectionMode')]" }, "location": { "value": "[parameters('location')]" }, - "tags": { - "value": "[parameters('tags')]" - }, - "skuName": { - "value": "[parameters('firewallManagementPublicIPAddressSkuName')]" + "managementIpConfigurationName": { + "value": "[parameters('firewallManagementIpConfigurationName')]" }, - "publicIpAllocationMethod": { - "value": "[parameters('firewallManagementPublicIpAllocationMethod')]" + "managementIpConfigurationPublicIPAddressResourceId": { + "value": "[reference(resourceId('Microsoft.Resources/deployments', 'firewallManagementPublicIPAddress'), 
'2022-09-01').outputs.id.value]" }, - "availabilityZones": { - "value": "[parameters('firewallManagementPublicIPAddressAvailabilityZones')]" + "managementIpConfigurationSubnetResourceId": { + "value": "[format('{0}/subnets/{1}', reference(resourceId('Microsoft.Resources/deployments', 'virtualNetwork'), '2022-09-01').outputs.id.value, parameters('firewallManagementSubnetName'))]" }, - "logAnalyticsWorkspaceResourceId": { - "value": "[parameters('logAnalyticsWorkspaceResourceId')]" + "name": { + "value": "[parameters('firewallName')]" }, - "logStorageAccountResourceId": { - "value": "[reference(resourceId('Microsoft.Resources/deployments', 'logStorage')).outputs.id.value]" + "skuTier": { + "value": "[parameters('firewallSkuTier')]" }, - "logs": { - "value": "[parameters('publicIPAddressDiagnosticsLogs')]" + "tags": { + "value": "[parameters('tags')]" }, - "metrics": { - "value": "[parameters('publicIPAddressDiagnosticsMetrics')]" + "threatIntelMode": { + "value": "[parameters('firewallThreatIntelMode')]" } }, "template": { 
@@ -2359,179 +2561,55 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.10.61.36676", - "templateHash": "18439825222758045392" + "version": "0.24.24.22086", + "templateHash": "11702995579311223719" } }, "parameters": { - "name": { + "clientIpConfigurationName": { "type": "string" }, - "location": { + "clientIpConfigurationSubnetResourceId": { "type": "string" }, - "tags": { - "type": "object", - "defaultValue": {} + "clientIpConfigurationPublicIPAddressResourceId": { + "type": "string" }, - "skuName": { + "dnsServers": { + "type": "array" + }, + "enableProxy": { + "type": "bool" + }, + "firewallPolicyName": { "type": "string" }, - "publicIpAllocationMethod": { + "firewallSupernetIPAddress": { "type": "string" }, - "availabilityZones": { - "type": "array" + "intrusionDetectionMode": { + "type": "string", + "allowedValues": [ + "Alert", + "Deny", + "Off" + ] }, - "logStorageAccountResourceId": { + "location": { "type": "string" }, - "logAnalyticsWorkspaceResourceId": { + "managementIpConfigurationName": { "type": "string" }, - "logs": { - "type": "array" + "managementIpConfigurationSubnetResourceId": { + "type": "string" }, - "metrics": { - "type": "array" - } - }, - "resources": [ - { - "type": "Microsoft.Network/publicIPAddresses", - "apiVersion": "2021-02-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "sku": { - "name": "[parameters('skuName')]" - }, - "properties": { - "publicIPAllocationMethod": "[parameters('publicIpAllocationMethod')]" - }, - "zones": "[parameters('availabilityZones')]" + "managementIpConfigurationPublicIPAddressResourceId": { + "type": "string" }, - { - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2017-05-01-preview", - "scope": "[format('Microsoft.Network/publicIPAddresses/{0}', parameters('name'))]", - "name": "[format('{0}-diagnostics', parameters('name'))]", - "properties": { - "storageAccountId": 
"[parameters('logStorageAccountResourceId')]", - "workspaceId": "[parameters('logAnalyticsWorkspaceResourceId')]", - "logs": "[parameters('logs')]", - "metrics": "[parameters('metrics')]" - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/publicIPAddresses', parameters('name'))]" - ] - } - ], - "outputs": { - "id": { - "type": "string", - "value": "[resourceId('Microsoft.Network/publicIPAddresses', parameters('name'))]" - } - } - } - }, - "dependsOn": [ - "[resourceId('Microsoft.Resources/deployments', 'logStorage')]" - ] - }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "firewall", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[parameters('firewallName')]" - }, - "location": { - "value": "[parameters('location')]" - }, - "tags": { - "value": "[parameters('tags')]" - }, - "skuTier": { - "value": "[parameters('firewallSkuTier')]" - }, - "firewallPolicyName": { - "value": "[parameters('firewallPolicyName')]" - }, - "threatIntelMode": { - "value": "[parameters('firewallThreatIntelMode')]" - }, - "intrusionDetectionMode": { - "value": "[parameters('firewallIntrusionDetectionMode')]" - }, - "clientIpConfigurationName": { - "value": "[parameters('firewallClientIpConfigurationName')]" - }, - "clientIpConfigurationSubnetResourceId": { - "value": "[format('{0}/subnets/{1}', reference(resourceId('Microsoft.Resources/deployments', 'virtualNetwork')).outputs.id.value, parameters('firewallClientSubnetName'))]" - }, - "clientIpConfigurationPublicIPAddressResourceId": { - "value": "[reference(resourceId('Microsoft.Resources/deployments', 'firewallClientPublicIPAddress')).outputs.id.value]" - }, - "firewallSupernetIPAddress": { - "value": "[parameters('firewallSupernetIPAddress')]" - }, - "enableProxy": { - "value": "[parameters('enableProxy')]" - }, - "dnsServers": { - "value": "[parameters('dnsServers')]" - }, - 
"managementIpConfigurationName": { - "value": "[parameters('firewallManagementIpConfigurationName')]" - }, - "managementIpConfigurationSubnetResourceId": { - "value": "[format('{0}/subnets/{1}', reference(resourceId('Microsoft.Resources/deployments', 'virtualNetwork')).outputs.id.value, parameters('firewallManagementSubnetName'))]" - }, - "managementIpConfigurationPublicIPAddressResourceId": { - "value": "[reference(resourceId('Microsoft.Resources/deployments', 'firewallManagementPublicIPAddress')).outputs.id.value]" - }, - "logAnalyticsWorkspaceResourceId": { - "value": "[parameters('logAnalyticsWorkspaceResourceId')]" - }, - "logStorageAccountResourceId": { - "value": "[reference(resourceId('Microsoft.Resources/deployments', 'logStorage')).outputs.id.value]" - }, - "logs": { - "value": "[parameters('firewallDiagnosticsLogs')]" - }, - "metrics": { - "value": "[parameters('firewallDiagnosticsMetrics')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.10.61.36676", - "templateHash": "3970955170518833761" - } - }, - "parameters": { "name": { "type": "string" }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]" - }, - "tags": { - "type": "object", - "defaultValue": {} - }, "skuTier": { "type": "string", "allowedValues": [ 
@@ -2539,63 +2617,17 @@ "Premium" ] }, - "threatIntelMode": { - "type": "string", - "allowedValues": [ - "Alert", - "Deny", - "Off" - ] + "tags": { + "type": "object", + "defaultValue": {} }, - "intrusionDetectionMode": { + "threatIntelMode": { "type": "string", "allowedValues": [ "Alert", "Deny", "Off" ] - }, - "enableProxy": { - "type": "bool" - }, - "dnsServers": { - "type": "array" - }, - "clientIpConfigurationName": { - "type": "string" - }, - "clientIpConfigurationSubnetResourceId": { - "type": "string" - }, - "clientIpConfigurationPublicIPAddressResourceId": { - "type": "string" - }, - "managementIpConfigurationName": { - "type": "string" - }, - "managementIpConfigurationSubnetResourceId": { - "type": "string" - }, - "managementIpConfigurationPublicIPAddressResourceId": { - "type": "string" - }, - "firewallPolicyName": { - "type": "string" - }, - "firewallSupernetIPAddress": { - "type": "string" - }, - "logStorageAccountResourceId": { - "type": "string" - }, - "logAnalyticsWorkspaceResourceId": { - "type": "string" - }, - "logs": { - "type": "array" - }, - "metrics": { - "type": "array" } }, "variables": { @@ -2625,7 +2657,7 @@ { "type": "Microsoft.Network/firewallPolicies/ruleCollectionGroups", "apiVersion": "2021-02-01", - "name": "[format('{0}/DefaultApplicationRuleCollectionGroup', parameters('firewallPolicyName'))]", + "name": "[format('{0}/{1}', parameters('firewallPolicyName'), 'DefaultApplicationRuleCollectionGroup')]", "properties": { "priority": 300, "ruleCollections": [ @@ -2671,7 +2703,7 @@ { "type": "Microsoft.Network/firewallPolicies/ruleCollectionGroups", "apiVersion": "2021-02-01", - "name": "[format('{0}/DefaultNetworkRuleCollectionGroup', parameters('firewallPolicyName'))]", + "name": "[format('{0}/{1}', parameters('firewallPolicyName'), 'DefaultNetworkRuleCollectionGroup')]", "properties": { "priority": 200, "ruleCollections": [ 
@@ -2736,7 +2768,7 @@ ] }, "dependsOn": [ - "[resourceId('Microsoft.Network/firewallPolicies/ruleCollectionGroups', split(format('{0}/DefaultApplicationRuleCollectionGroup', parameters('firewallPolicyName')), '/')[0], split(format('{0}/DefaultApplicationRuleCollectionGroup', parameters('firewallPolicyName')), '/')[1])]", + "[resourceId('Microsoft.Network/firewallPolicies/ruleCollectionGroups', parameters('firewallPolicyName'), 'DefaultApplicationRuleCollectionGroup')]", "[resourceId('Microsoft.Network/firewallPolicies', parameters('firewallPolicyName'))]" ] }, 
@@ -2779,31 +2811,20 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/firewallPolicies/ruleCollectionGroups', split(format('{0}/DefaultApplicationRuleCollectionGroup', parameters('firewallPolicyName')), '/')[0], split(format('{0}/DefaultApplicationRuleCollectionGroup', parameters('firewallPolicyName')), '/')[1])]", - "[resourceId('Microsoft.Network/firewallPolicies/ruleCollectionGroups', split(format('{0}/DefaultNetworkRuleCollectionGroup', parameters('firewallPolicyName')), '/')[0], split(format('{0}/DefaultNetworkRuleCollectionGroup', parameters('firewallPolicyName')), '/')[1])]", + "[resourceId('Microsoft.Network/firewallPolicies/ruleCollectionGroups', parameters('firewallPolicyName'), 'DefaultApplicationRuleCollectionGroup')]", + "[resourceId('Microsoft.Network/firewallPolicies/ruleCollectionGroups', parameters('firewallPolicyName'), 'DefaultNetworkRuleCollectionGroup')]", "[resourceId('Microsoft.Network/firewallPolicies', parameters('firewallPolicyName'))]" ] - }, - { - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2017-05-01-preview", - "scope": "[format('Microsoft.Network/azureFirewalls/{0}', parameters('name'))]", - "name": "[format('{0}-diagnostics', parameters('name'))]", - "properties": { - "storageAccountId": "[parameters('logStorageAccountResourceId')]", - "workspaceId": "[parameters('logAnalyticsWorkspaceResourceId')]", - "logs": "[parameters('logs')]", - "metrics": "[parameters('metrics')]" - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/azureFirewalls', parameters('name'))]" - ] } ], "outputs": { + "name": { + "type": "string", + "value": "[parameters('name')]" + }, "privateIPAddress": { "type": "string", - "value": "[reference(resourceId('Microsoft.Network/azureFirewalls', parameters('name'))).ipConfigurations[0].properties.privateIPAddress]" + "value": "[reference(resourceId('Microsoft.Network/azureFirewalls', parameters('name')), '2021-02-01').ipConfigurations[0].properties.privateIPAddress]" } } } 
@@ -2811,57 +2832,68 @@ "dependsOn": [ "[resourceId('Microsoft.Resources/deployments', 'firewallClientPublicIPAddress')]", "[resourceId('Microsoft.Resources/deployments', 'firewallManagementPublicIPAddress')]", - "[resourceId('Microsoft.Resources/deployments', 'logStorage')]", "[resourceId('Microsoft.Resources/deployments', 'virtualNetwork')]" ] } ], "outputs": { - "virtualNetworkName": { + "bastionHostSubnetResourceId": { "type": "string", - "value": "[reference(resourceId('Microsoft.Resources/deployments', 'virtualNetwork')).outputs.name.value]" + "value": "[if(parameters('deployRemoteAccess'), reference(resourceId('Microsoft.Resources/deployments', 'virtualNetwork'), '2022-09-01').outputs.subnets.value[3].id, '')]" }, - "virtualNetworkResourceId": { + "firewallName": { "type": "string", - "value": "[reference(resourceId('Microsoft.Resources/deployments', 'virtualNetwork')).outputs.id.value]" + "value": "[reference(resourceId('Microsoft.Resources/deployments', 'firewall'), '2022-09-01').outputs.name.value]" }, - "subnetName": { + "firewallPrivateIPAddress": { + "type": "string", + "value": "[reference(resourceId('Microsoft.Resources/deployments', 'firewall'), '2022-09-01').outputs.privateIPAddress.value]" + }, + "networkSecurityGroupName": { + "type": "string", + "value": "[reference(resourceId('Microsoft.Resources/deployments', 'networkSecurityGroup'), '2022-09-01').outputs.name.value]" + }, + "networkSecurityGroupResourceId": { "type": "string", - "value": "[format('{0}/{1}', parameters('virtualNetworkName'), parameters('subnetName'))]" + "value": "[reference(resourceId('Microsoft.Resources/deployments', 'networkSecurityGroup'), '2022-09-01').outputs.id.value]" }, "subnetAddressPrefix": { "type": "string", - "value": "[reference(resourceId('Microsoft.Network/virtualNetworks/subnets', split(format('{0}/{1}', parameters('virtualNetworkName'), parameters('subnetName')), '/')[0], split(format('{0}/{1}', parameters('virtualNetworkName'), parameters('subnetName')), 
'/')[1])).addressPrefix]" + "value": "[reference(resourceId('Microsoft.Resources/deployments', 'virtualNetwork'), '2022-09-01').outputs.subnets.value[2].properties.addressPrefix]" }, - "subnetResourceId": { + "subnetName": { "type": "string", - "value": "[resourceId('Microsoft.Network/virtualNetworks/subnets', split(format('{0}/{1}', parameters('virtualNetworkName'), parameters('subnetName')), '/')[0], split(format('{0}/{1}', parameters('virtualNetworkName'), parameters('subnetName')), '/')[1])]" + "value": "[reference(resourceId('Microsoft.Resources/deployments', 'virtualNetwork'), '2022-09-01').outputs.subnets.value[2].name]" }, - "networkSecurityGroupName": { + "subnetResourceId": { "type": "string", - "value": "[reference(resourceId('Microsoft.Resources/deployments', 'networkSecurityGroup')).outputs.name.value]" + "value": "[reference(resourceId('Microsoft.Resources/deployments', 'virtualNetwork'), '2022-09-01').outputs.subnets.value[2].id]" }, - "networkSecurityGroupResourceId": { + "virtualNetworkName": { "type": "string", - "value": "[reference(resourceId('Microsoft.Resources/deployments', 'networkSecurityGroup')).outputs.id.value]" + "value": "[reference(resourceId('Microsoft.Resources/deployments', 'virtualNetwork'), '2022-09-01').outputs.name.value]" }, - "firewallPrivateIPAddress": { + "virtualNetworkResourceId": { "type": "string", - "value": "[reference(resourceId('Microsoft.Resources/deployments', 'firewall')).outputs.privateIPAddress.value]" + "value": "[reference(resourceId('Microsoft.Resources/deployments', 'virtualNetwork'), '2022-09-01').outputs.id.value]" } } } }, "dependsOn": [ - "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix')))]" + "[subscriptionResourceId(parameters('hubSubscriptionId'), 'Microsoft.Resources/deployments', 
format('deploy-rg-hub-{0}', parameters('deploymentNameSuffix')))]" ] }, { + "copy": { + "name": "spokeNetworks", + "count": "[length(variables('spokes'))]" + }, "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "[format('deploy-vnet-hub-DNS-{0}', parameters('deploymentNameSuffix'))]", - "subscriptionId": "[parameters('hubSubscriptionId')]", - "resourceGroup": "[variables('hubResourceGroupName')]", + "apiVersion": "2022-09-01", + "name": "[format('deploy-vnet-{0}-{1}', variables('spokes')[copyIndex()].name, parameters('deploymentNameSuffix'))]", + "subscriptionId": "[variables('spokes')[copyIndex()].subscriptionId]", + "resourceGroup": "[variables('spokes')[copyIndex()].resourceGroupName]", "properties": { "expressionEvaluationOptions": { "scope": "inner" 
@@ -2871,139 +2903,43 @@ "location": { "value": "[parameters('location')]" }, - "tags": { - "value": "[variables('calculatedTags')]" + "networkSecurityGroupName": { + "value": "[variables('spokes')[copyIndex()].networkSecurityGroupName]" }, - "logStorageAccountName": { - "value": "[variables('hubLogStorageAccountName')]" + "networkSecurityGroupRules": { + "value": "[variables('spokes')[copyIndex()].networkSecurityGroupRules]" }, - "logStorageSkuName": { - "value": "[parameters('logStorageSkuName')]" + "routeTableName": { + "value": "[variables('spokes')[copyIndex()].routeTableName]" }, - "logAnalyticsWorkspaceResourceId": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix')))).outputs.id.value]" + "routeTableRouteNextHopIpAddress": { + "value": "[variables('firewallClientPrivateIpAddress')]" }, - "virtualNetworkName": { - "value": "[variables('hubVirtualNetworkName')]" + "subnetAddressPrefix": { + "value": "[variables('spokes')[copyIndex()].subnetAddressPrefix]" }, - "virtualNetworkAddressPrefix": { - "value": "[parameters('hubVirtualNetworkAddressPrefix')]" + "subnetName": { + "value": "[variables('spokes')[copyIndex()].subnetName]" }, - "virtualNetworkDiagnosticsLogs": { - "value": "[parameters('hubVirtualNetworkDiagnosticsLogs')]" + "subnetPrivateEndpointNetworkPolicies": { + "value": "[variables('spokes')[copyIndex()].subnetPrivateEndpointNetworkPolicies]" }, - "virtualNetworkDiagnosticsMetrics": { - "value": "[parameters('hubVirtualNetworkDiagnosticsMetrics')]" + "subnetPrivateLinkServiceNetworkPolicies": { + "value": "[variables('spokes')[copyIndex()].subnetPrivateLinkServiceNetworkPolicies]" }, - "networkSecurityGroupName": { - "value": "[variables('hubNetworkSecurityGroupName')]" + "tags": { + "value": "[variables('calculatedTags')]" }, - 
"networkSecurityGroupRules": { - "value": "[parameters('hubNetworkSecurityGroupRules')]" + "virtualNetworkAddressPrefix": { + "value": "[variables('spokes')[copyIndex()].virtualNetworkAddressPrefix]" }, - "networkSecurityGroupDiagnosticsLogs": { - "value": "[parameters('hubNetworkSecurityGroupDiagnosticsLogs')]" - }, - "networkSecurityGroupDiagnosticsMetrics": { - "value": "[parameters('hubNetworkSecurityGroupDiagnosticsMetrics')]" - }, - "subnetName": { - "value": "[variables('hubSubnetName')]" - }, - "subnetAddressPrefix": { - "value": "[parameters('hubSubnetAddressPrefix')]" - }, - "subnetServiceEndpoints": { - "value": "[parameters('hubSubnetServiceEndpoints')]" - }, - "firewallName": { - "value": "[variables('firewallName')]" - }, - "firewallSkuTier": { - "value": "[parameters('firewallSkuTier')]" - }, - "firewallPolicyName": { - "value": "[variables('firewallPolicyName')]" - }, - "firewallThreatIntelMode": { - "value": "[parameters('firewallThreatIntelMode')]" - }, - "firewallIntrusionDetectionMode": { - "value": "[parameters('firewallIntrusionDetectionMode')]" - }, - "firewallDiagnosticsLogs": { - "value": "[parameters('firewallDiagnosticsLogs')]" - }, - "firewallDiagnosticsMetrics": { - "value": "[parameters('firewallDiagnosticsMetrics')]" - }, - "firewallClientIpConfigurationName": { - "value": "[variables('firewallClientIpConfigurationName')]" - }, - "firewallClientSubnetName": { - "value": "AzureFirewallSubnet" - }, - "firewallClientSubnetAddressPrefix": { - "value": "[parameters('firewallClientSubnetAddressPrefix')]" - }, - "firewallClientSubnetServiceEndpoints": { - "value": "[parameters('firewallClientSubnetServiceEndpoints')]" - }, - "firewallClientPublicIPAddressName": { - "value": "[variables('firewallClientPublicIPAddressName')]" - }, - "firewallClientPublicIPAddressSkuName": { - "value": "[variables('firewallPublicIpAddressSkuName')]" - }, - "firewallClientPublicIpAllocationMethod": { - "value": 
"[variables('firewallPublicIpAddressAllocationMethod')]" - }, - "firewallClientPublicIPAddressAvailabilityZones": { - "value": "[parameters('firewallClientPublicIPAddressAvailabilityZones')]" - }, - "firewallManagementIpConfigurationName": { - "value": "[variables('firewallManagementIpConfigurationName')]" - }, - "firewallManagementSubnetName": { - "value": "AzureFirewallManagementSubnet" - }, - "firewallManagementSubnetAddressPrefix": { - "value": "[parameters('firewallManagementSubnetAddressPrefix')]" - }, - "firewallManagementSubnetServiceEndpoints": { - "value": "[parameters('firewallManagementSubnetServiceEndpoints')]" - }, - "firewallManagementPublicIPAddressName": { - "value": "[variables('firewallManagementPublicIPAddressName')]" - }, - "firewallManagementPublicIPAddressSkuName": { - "value": "[variables('firewallPublicIpAddressSkuName')]" - }, - "firewallManagementPublicIpAllocationMethod": { - "value": "[variables('firewallPublicIpAddressAllocationMethod')]" - }, - "firewallManagementPublicIPAddressAvailabilityZones": { - "value": "[parameters('firewallManagementPublicIPAddressAvailabilityZones')]" - }, - "firewallSupernetIPAddress": { - "value": "[parameters('firewallSupernetIPAddress')]" + "virtualNetworkName": { + "value": "[variables('spokes')[copyIndex()].virtualNetworkName]" }, "vNetDnsServers": { "value": [ - "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix')))).outputs.firewallPrivateIPAddress.value]" + "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.firewallPrivateIPAddress.value]" ] - }, - "publicIPAddressDiagnosticsLogs": { - 
"value": "[parameters('publicIPAddressDiagnosticsLogs')]" - }, - "publicIPAddressDiagnosticsMetrics": { - "value": "[parameters('publicIPAddressDiagnosticsMetrics')]" - }, - "enableProxy": { - "value": "[parameters('enableProxy')]" - }, - "dnsServers": { - "value": "[parameters('dnsServers')]" } }, "template": { @@ -3012,68 +2948,22 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.10.61.36676", - "templateHash": "1557820237271279412" + "version": "0.24.24.22086", + "templateHash": "9456730802221898162" } }, "parameters": { "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]" - }, - "tags": { - "type": "object", - "defaultValue": {} - }, - "logStorageAccountName": { "type": "string" }, - "logStorageSkuName": { - "type": "string" - }, - "vNetDnsServers": { - "type": "array", - "defaultValue": [] - }, - "logAnalyticsWorkspaceResourceId": { - "type": "string" - }, - "virtualNetworkName": { - "type": "string" - }, - "virtualNetworkAddressPrefix": { - "type": "string" - }, - "virtualNetworkDiagnosticsLogs": { - "type": "array" - }, - "virtualNetworkDiagnosticsMetrics": { - "type": "array" - }, "networkSecurityGroupName": { "type": "string" }, "networkSecurityGroupRules": { "type": "array" }, - "networkSecurityGroupDiagnosticsLogs": { - "type": "array" - }, - "networkSecurityGroupDiagnosticsMetrics": { - "type": "array" - }, - "subnetName": { - "type": "string" - }, - "subnetAddressPrefix": { - "type": "string" - }, - "subnetServiceEndpoints": { - "type": "array" - }, "routeTableName": { - "type": "string", - "defaultValue": "[format('{0}-routetable', parameters('subnetName'))]" + "type": "string" }, "routeTableRouteName": { "type": "string", 
@@ -3083,149 +2973,57 @@ "type": "string", "defaultValue": "0.0.0.0/0" }, - "routeTableRouteNextHopType": { - "type": "string", - "defaultValue": "VirtualAppliance" - }, - "firewallName": { - "type": "string" - }, - "firewallSkuTier": { - "type": "string" - }, - "firewallPolicyName": { - "type": "string" - }, - "enableProxy": { - "type": "bool", - "defaultValue": false - }, - "dnsServers": { - "type": "array", - "defaultValue": [] - }, - "firewallSupernetIPAddress": { + "routeTableRouteNextHopIpAddress": { "type": "string" }, - "firewallThreatIntelMode": { - "type": "string", - "allowedValues": [ - "Alert", - "Deny", - "Off" - ] - }, - "firewallIntrusionDetectionMode": { + "routeTableRouteNextHopType": { "type": "string", - "allowedValues": [ - "Alert", - "Deny", - "Off" - ] - }, - "firewallDiagnosticsLogs": { - "type": "array" - }, - "firewallDiagnosticsMetrics": { - "type": "array" - }, - "firewallClientIpConfigurationName": { - "type": "string" - }, - "firewallClientSubnetName": { - "type": "string" - }, - "firewallClientSubnetAddressPrefix": { - "type": "string" - }, - "firewallClientSubnetServiceEndpoints": { - "type": "array" - }, - "firewallClientPublicIPAddressName": { - "type": "string" - }, - "firewallClientPublicIPAddressSkuName": { - "type": "string" + "defaultValue": "VirtualAppliance" }, - "firewallClientPublicIpAllocationMethod": { + "subnetAddressPrefix": { "type": "string" }, - "firewallClientPublicIPAddressAvailabilityZones": { - "type": "array" - }, - "firewallManagementIpConfigurationName": { + "subnetName": { "type": "string" }, - "firewallManagementSubnetName": { + "subnetPrivateEndpointNetworkPolicies": { "type": "string" }, - "firewallManagementSubnetAddressPrefix": { + "subnetPrivateLinkServiceNetworkPolicies": { "type": "string" }, - "firewallManagementSubnetServiceEndpoints": { - "type": "array" - }, - "firewallManagementPublicIPAddressName": { - "type": "string" + "tags": { + "type": "object" }, - 
"firewallManagementPublicIPAddressSkuName": { + "virtualNetworkAddressPrefix": { "type": "string" }, - "firewallManagementPublicIpAllocationMethod": { + "virtualNetworkName": { "type": "string" }, - "firewallManagementPublicIPAddressAvailabilityZones": { - "type": "array" - }, - "publicIPAddressDiagnosticsLogs": { - "type": "array" - }, - "publicIPAddressDiagnosticsMetrics": { + "vNetDnsServers": { "type": "array" } }, "resources": [ - { - "type": "Microsoft.Network/virtualNetworks/subnets", - "apiVersion": "2021-02-01", - "name": "[format('{0}/{1}', parameters('virtualNetworkName'), parameters('subnetName'))]", - "properties": { - "addressPrefix": "[parameters('subnetAddressPrefix')]", - "networkSecurityGroup": { - "id": "[reference(resourceId('Microsoft.Resources/deployments', 'networkSecurityGroup')).outputs.id.value]" - }, - "routeTable": { - "id": "[reference(resourceId('Microsoft.Resources/deployments', 'routeTable')).outputs.id.value]" - }, - "serviceEndpoints": "[parameters('subnetServiceEndpoints')]", - "privateEndpointNetworkPolicies": "Disabled", - "privateLinkServiceNetworkPolicies": "Enabled" - }, - "dependsOn": [ - "[resourceId('Microsoft.Resources/deployments', 'firewall')]", - "[resourceId('Microsoft.Resources/deployments', 'networkSecurityGroup')]", - "[resourceId('Microsoft.Resources/deployments', 'routeTable')]", - "[resourceId('Microsoft.Resources/deployments', 'virtualNetwork')]" - ] - }, { "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "logStorage", + "apiVersion": "2022-09-01", + "name": "networkSecurityGroup", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { - "storageAccountName": { - "value": "[parameters('logStorageAccountName')]" - }, "location": { "value": "[parameters('location')]" }, - "skuName": { - "value": "[parameters('logStorageSkuName')]" + "name": { + "value": "[parameters('networkSecurityGroupName')]" + }, + "securityRules": { + 
"value": "[parameters('networkSecurityGroupRules')]" }, "tags": { "value": "[parameters('tags')]" @@ -3237,63 +3035,44 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.10.61.36676", - "templateHash": "4435843471246172620" + "version": "0.24.24.22086", + "templateHash": "14964080576155541488" } }, "parameters": { - "storageAccountName": { - "type": "string" - }, "location": { "type": "string" }, - "skuName": { + "name": { "type": "string" }, + "securityRules": { + "type": "array" + }, "tags": { - "type": "object", - "defaultValue": {} + "type": "object" } }, "resources": [ { - "type": "Microsoft.Storage/storageAccounts", - "apiVersion": "2021-01-01", - "name": "[parameters('storageAccountName')]", - "location": "[parameters('location')]", - "kind": "StorageV2", - "sku": { - "name": "[parameters('skuName')]" - }, + "type": "Microsoft.Network/networkSecurityGroups", + "apiVersion": "2021-02-01", + "name": "[parameters('name')]", + "location": "[parameters('location')]", "tags": "[parameters('tags')]", "properties": { - "minimumTlsVersion": "TLS1_2", - "encryption": { - "keySource": "Microsoft.Storage", - "requireInfrastructureEncryption": true, - "services": { - "blob": { - "enabled": true - }, - "file": { - "enabled": true - }, - "queue": { - "enabled": true - }, - "table": { - "enabled": true - } - } - } + "securityRules": "[parameters('securityRules')]" } } ], "outputs": { "id": { "type": "string", - "value": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]" + "value": "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('name'))]" + }, + "name": { + "type": "string", + "value": "[parameters('name')]" } } } 
@@ -3301,37 +3080,34 @@ }, { "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "networkSecurityGroup", + "apiVersion": "2022-09-01", + "name": "routeTable", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { - "name": { - "value": "[parameters('networkSecurityGroupName')]" - }, "location": { "value": "[parameters('location')]" }, - "tags": { - "value": "[parameters('tags')]" + "name": { + "value": "[parameters('routeTableName')]" }, - "securityRules": { - "value": "[parameters('networkSecurityGroupRules')]" + "routeAddressPrefix": { + "value": "[parameters('routeTableRouteAddressPrefix')]" }, - "logAnalyticsWorkspaceResourceId": { - "value": "[parameters('logAnalyticsWorkspaceResourceId')]" + "routeName": { + "value": "[parameters('routeTableRouteName')]" }, - "logStorageAccountResourceId": { - "value": "[reference(resourceId('Microsoft.Resources/deployments', 'logStorage')).outputs.id.value]" + "routeNextHopIpAddress": { + "value": "[parameters('routeTableRouteNextHopIpAddress')]" }, - "logs": { - "value": "[parameters('networkSecurityGroupDiagnosticsLogs')]" + "routeNextHopType": { + "value": "[parameters('routeTableRouteNextHopType')]" }, - "metrics": { - "value": "[parameters('networkSecurityGroupDiagnosticsMetrics')]" + "tags": { + "value": "[parameters('tags')]" } }, "template": { 
@@ -3340,68 +3116,58 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.10.61.36676", - "templateHash": "7894763285242421186" + "version": "0.24.24.22086", + "templateHash": "3954150695911654455" } }, "parameters": { - "name": { - "type": "string" - }, "location": { "type": "string" }, - "tags": { - "type": "object", - "defaultValue": {} + "name": { + "type": "string" }, - "securityRules": { - "type": "array" + "routeAddressPrefix": { + "type": "string" }, - "logStorageAccountResourceId": { + "routeName": { "type": "string" }, - "logAnalyticsWorkspaceResourceId": { + "routeNextHopIpAddress": { "type": "string" }, - "logs": { - "type": "array" + "routeNextHopType": { + "type": "string" }, - "metrics": { - "type": "array" + "tags": { + "type": "object" } }, "resources": [ { - "type": "Microsoft.Network/networkSecurityGroups", + "type": "Microsoft.Network/routeTables", "apiVersion": "2021-02-01", "name": "[parameters('name')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", "properties": { - "securityRules": "[parameters('securityRules')]" + "routes": [ + { + "name": "[parameters('routeName')]", + "properties": { + "addressPrefix": "[parameters('routeAddressPrefix')]", + "nextHopIpAddress": "[parameters('routeNextHopIpAddress')]", + "nextHopType": "[parameters('routeNextHopType')]" + } + } + ] } - }, - { - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2017-05-01-preview", - "scope": "[format('Microsoft.Network/networkSecurityGroups/{0}', parameters('name'))]", - "name": "[format('{0}-diagnostics', parameters('name'))]", - "properties": { - "storageAccountId": "[parameters('logStorageAccountResourceId')]", - "workspaceId": "[parameters('logAnalyticsWorkspaceResourceId')]", - "logs": "[parameters('logs')]", - "metrics": "[parameters('metrics')]" - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('name'))]" - ] } ], "outputs": { "id": { "type": "string", - "value": 
"[resourceId('Microsoft.Network/networkSecurityGroups', parameters('name'))]" + "value": "[resourceId('Microsoft.Network/routeTables', parameters('name'))]" }, "name": { "type": "string", @@ -3409,14 +3175,11 @@ } } } - }, - "dependsOn": [ - "[resourceId('Microsoft.Resources/deployments', 'logStorage')]" - ] + } }, { "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", + "apiVersion": "2022-09-01", "name": "virtualNetwork", "properties": { "expressionEvaluationOptions": { 
@@ -3424,50 +3187,38 @@ }, "mode": "Incremental", "parameters": { - "name": { - "value": "[parameters('virtualNetworkName')]" + "addressPrefix": { + "value": "[parameters('virtualNetworkAddressPrefix')]" }, "location": { "value": "[parameters('location')]" }, - "tags": { - "value": "[parameters('tags')]" - }, - "addressPrefix": { - "value": "[parameters('virtualNetworkAddressPrefix')]" - }, - "vNetDnsServers": { - "value": "[parameters('vNetDnsServers')]" + "name": { + "value": "[parameters('virtualNetworkName')]" }, "subnets": { "value": [ { - "name": "[parameters('firewallClientSubnetName')]", - "properties": { - "addressPrefix": "[parameters('firewallClientSubnetAddressPrefix')]", - "serviceEndpoints": "[parameters('firewallClientSubnetServiceEndpoints')]" - } - }, - { - "name": "[parameters('firewallManagementSubnetName')]", + "name": "[parameters('subnetName')]", "properties": { - "addressPrefix": "[parameters('firewallManagementSubnetAddressPrefix')]", - "serviceEndpoints": "[parameters('firewallManagementSubnetServiceEndpoints')]" + "addressPrefix": "[parameters('subnetAddressPrefix')]", + "networkSecurityGroup": { + "id": "[reference(resourceId('Microsoft.Resources/deployments', 'networkSecurityGroup'), '2022-09-01').outputs.id.value]" + }, + "routeTable": { + "id": "[reference(resourceId('Microsoft.Resources/deployments', 'routeTable'), '2022-09-01').outputs.id.value]" + }, + "privateEndpointNetworkPolicies": "[parameters('subnetPrivateEndpointNetworkPolicies')]", + "privateLinkServiceNetworkPolicies": "[parameters('subnetPrivateLinkServiceNetworkPolicies')]" } } ] }, - "logAnalyticsWorkspaceResourceId": { - "value": "[parameters('logAnalyticsWorkspaceResourceId')]" - }, - "logStorageAccountResourceId": { - "value": "[reference(resourceId('Microsoft.Resources/deployments', 'logStorage')).outputs.id.value]" - }, - "logs": { - "value": "[parameters('virtualNetworkDiagnosticsLogs')]" + "tags": { + "value": "[parameters('tags')]" }, - "metrics": { - "value": 
"[parameters('virtualNetworkDiagnosticsMetrics')]" + "vNetDnsServers": { + "value": "[parameters('vNetDnsServers')]" } }, "template": { @@ -3476,41 +3227,27 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.10.61.36676", - "templateHash": "16443263514490560792" + "version": "0.24.24.22086", + "templateHash": "12638783015880972122" } }, "parameters": { - "name": { - "type": "string" - }, - "location": { - "type": "string" - }, - "tags": { - "type": "object", - "defaultValue": {} - }, "addressPrefix": { "type": "string" }, - "vNetDnsServers": { - "type": "array", - "defaultValue": [] - }, - "logAnalyticsWorkspaceResourceId": { + "location": { "type": "string" }, - "logStorageAccountResourceId": { + "name": { "type": "string" }, "subnets": { "type": "array" }, - "logs": { - "type": "array" + "tags": { + "type": "object" }, - "metrics": { + "vNetDnsServers": { "type": "array" } }, @@ -3530,21 +3267,6 @@ "subnets": "[parameters('subnets')]", "dhcpOptions": "[if(not(equals(parameters('vNetDnsServers'), null())), createObject('dnsServers', parameters('vNetDnsServers')), null())]" } - }, - { - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2017-05-01-preview", - "scope": "[format('Microsoft.Network/virtualNetworks/{0}', parameters('name'))]", - "name": "[format('{0}-diagnostics', parameters('name'))]", - "properties": { - "storageAccountId": "[parameters('logStorageAccountResourceId')]", - "workspaceId": "[parameters('logAnalyticsWorkspaceResourceId')]", - "logs": "[parameters('logs')]", - "metrics": "[parameters('metrics')]" - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/virtualNetworks', parameters('name'))]" - ] } ], "outputs": { 
@@ -3558,126 +3280,234 @@ }, "subnets": { "type": "array", - "value": "[reference(resourceId('Microsoft.Network/virtualNetworks', parameters('name'))).subnets]" + "value": "[reference(resourceId('Microsoft.Network/virtualNetworks', parameters('name')), '2021-02-01').subnets]" }, "addressPrefix": { "type": "string", - "value": "[reference(resourceId('Microsoft.Network/virtualNetworks', parameters('name'))).addressSpace.addressPrefixes[0]]" + "value": "[reference(resourceId('Microsoft.Network/virtualNetworks', parameters('name')), '2021-02-01').addressSpace.addressPrefixes[0]]" } } } }, "dependsOn": [ - "[resourceId('Microsoft.Resources/deployments', 'logStorage')]" + "[resourceId('Microsoft.Resources/deployments', 'networkSecurityGroup')]", + "[resourceId('Microsoft.Resources/deployments', 'routeTable')]" ] + } + ], + "outputs": { + "virtualNetworkName": { + "type": "string", + "value": "[reference(resourceId('Microsoft.Resources/deployments', 'virtualNetwork'), '2022-09-01').outputs.name.value]" }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "routeTable", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[parameters('routeTableName')]" - }, - "location": { - "value": "[parameters('location')]" - }, - "tags": { - "value": "[parameters('tags')]" - }, - "routeName": { - "value": "[parameters('routeTableRouteName')]" - }, - "routeAddressPrefix": { - "value": "[parameters('routeTableRouteAddressPrefix')]" - }, - "routeNextHopIpAddress": { - "value": "[reference(resourceId('Microsoft.Resources/deployments', 'firewall')).outputs.privateIPAddress.value]" - }, - "routeNextHopType": { - "value": "[parameters('routeTableRouteNextHopType')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": 
"bicep", - "version": "0.10.61.36676", - "templateHash": "8332169477119932515" - } - }, - "parameters": { - "name": { - "type": "string" - }, - "location": { - "type": "string" - }, - "tags": { - "type": "object", - "defaultValue": {} - }, - "routeName": { - "type": "string" - }, - "routeAddressPrefix": { - "type": "string" - }, - "routeNextHopIpAddress": { - "type": "string" + "virtualNetworkResourceId": { + "type": "string", + "value": "[reference(resourceId('Microsoft.Resources/deployments', 'virtualNetwork'), '2022-09-01').outputs.id.value]" + }, + "virtualNetworkAddressPrefix": { + "type": "string", + "value": "[reference(resourceId('Microsoft.Resources/deployments', 'virtualNetwork'), '2022-09-01').outputs.addressPrefix.value]" + }, + "subnetName": { + "type": "string", + "value": "[reference(resourceId('Microsoft.Resources/deployments', 'virtualNetwork'), '2022-09-01').outputs.subnets.value[0].name]" + }, + "subnetAddressPrefix": { + "type": "string", + "value": "[reference(resourceId('Microsoft.Resources/deployments', 'virtualNetwork'), '2022-09-01').outputs.subnets.value[0].properties.addressPrefix]" + }, + "subnetResourceId": { + "type": "string", + "value": "[reference(resourceId('Microsoft.Resources/deployments', 'virtualNetwork'), '2022-09-01').outputs.subnets.value[0].id]" + }, + "networkSecurityGroupName": { + "type": "string", + "value": "[reference(resourceId('Microsoft.Resources/deployments', 'networkSecurityGroup'), '2022-09-01').outputs.name.value]" + }, + "networkSecurityGroupResourceId": { + "type": "string", + "value": "[reference(resourceId('Microsoft.Resources/deployments', 'networkSecurityGroup'), '2022-09-01').outputs.id.value]" + } + } + } + }, + "dependsOn": [ + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix')))]", + "spokeResourceGroups" + ] + }, + 
{ + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('deploy-vnet-peerings-hub-{0}', parameters('deploymentNameSuffix'))]", + "subscriptionId": "[parameters('hubSubscriptionId')]", + "resourceGroup": "[variables('hubResourceGroupName')]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "hubVirtualNetworkName": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.virtualNetworkName.value]" + }, + "spokes": { + "copy": [ + { + "name": "value", + "count": "[length(variables('spokes'))]", + "input": "[createObject('type', variables('spokes')[copyIndex('value')].name, 'virtualNetworkName', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', variables('spokes')[copyIndex('value')].subscriptionId, variables('spokes')[copyIndex('value')].resourceGroupName), 'Microsoft.Resources/deployments', format('deploy-vnet-{0}-{1}', variables('spokes')[copyIndex('value')].name, parameters('deploymentNameSuffix'))), '2022-09-01').outputs.virtualNetworkName.value, 'virtualNetworkResourceId', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', variables('spokes')[copyIndex('value')].subscriptionId, variables('spokes')[copyIndex('value')].resourceGroupName), 'Microsoft.Resources/deployments', format('deploy-vnet-{0}-{1}', variables('spokes')[copyIndex('value')].name, parameters('deploymentNameSuffix'))), '2022-09-01').outputs.virtualNetworkResourceId.value)]" + } + ] + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": 
"0.24.24.22086", + "templateHash": "9588462177817329290" + } + }, + "parameters": { + "hubVirtualNetworkName": { + "type": "string" + }, + "spokes": { + "type": "array" + } + }, + "resources": [ + { + "copy": { + "name": "hubToSpokePeering", + "count": "[length(parameters('spokes'))]" + }, + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('hub-to-{0}-vnet-peering', parameters('spokes')[copyIndex()].type)]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "name": { + "value": "[format('{0}/to-{1}', parameters('hubVirtualNetworkName'), parameters('spokes')[copyIndex()].virtualNetworkName)]" + }, + "remoteVirtualNetworkResourceId": { + "value": "[parameters('spokes')[copyIndex()].virtualNetworkResourceId]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.24.24.22086", + "templateHash": "9853575474833495545" + } + }, + "parameters": { + "name": { + "type": "string" }, - "routeNextHopType": { + "remoteVirtualNetworkResourceId": { "type": "string" } }, "resources": [ { - "type": "Microsoft.Network/routeTables", + "type": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings", "apiVersion": "2021-02-01", "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", "properties": { - "routes": [ - { - "name": "[parameters('routeName')]", - "properties": { - "addressPrefix": "[parameters('routeAddressPrefix')]", - "nextHopIpAddress": "[parameters('routeNextHopIpAddress')]", - "nextHopType": "[parameters('routeNextHopType')]" - } - } - ] + "allowForwardedTraffic": true, + "remoteVirtualNetwork": { + "id": "[parameters('remoteVirtualNetworkResourceId')]" + } } } - ], - "outputs": { - "id": { - "type": "string", - "value": 
"[resourceId('Microsoft.Network/routeTables', parameters('name'))]" - }, - "name": { - "type": "string", - "value": "[parameters('name')]" - } - } + ] } - }, - "dependsOn": [ - "[resourceId('Microsoft.Resources/deployments', 'firewall')]" - ] + } + } + ] + } + }, + "dependsOn": [ + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix')))]", + "spokeNetworks" + ] + }, + { + "copy": { + "name": "spokeVirtualNetworkPeerings", + "count": "[length(variables('spokes'))]" + }, + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('deploy-vnet-peerings-{0}-{1}', variables('spokes')[copyIndex()].name, parameters('deploymentNameSuffix'))]", + "subscriptionId": "[variables('spokes')[copyIndex()].subscriptionId]", + "location": "[deployment().location]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "spokeName": { + "value": "[variables('spokes')[copyIndex()].name]" + }, + "spokeResourceGroupName": { + "value": "[variables('spokes')[copyIndex()].resourceGroupName]" + }, + "spokeVirtualNetworkName": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', variables('spokes')[copyIndex()].subscriptionId, variables('spokes')[copyIndex()].resourceGroupName), 'Microsoft.Resources/deployments', format('deploy-vnet-{0}-{1}', variables('spokes')[copyIndex()].name, parameters('deploymentNameSuffix'))), '2022-09-01').outputs.virtualNetworkName.value]" + }, + "hubVirtualNetworkName": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix'))), 
'2022-09-01').outputs.virtualNetworkName.value]" + }, + "hubVirtualNetworkResourceId": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.virtualNetworkResourceId.value]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.24.24.22086", + "templateHash": "1352997920612289656" + } + }, + "parameters": { + "spokeName": { + "type": "string" + }, + "spokeResourceGroupName": { + "type": "string" + }, + "spokeVirtualNetworkName": { + "type": "string" + }, + "hubVirtualNetworkName": { + "type": "string" }, + "hubVirtualNetworkResourceId": { + "type": "string" + } + }, + "resources": [ { "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "firewallClientPublicIPAddress", + "apiVersion": "2022-09-01", + "name": "[format('{0}-to-hub-vnet-peering', parameters('spokeName'))]", + "resourceGroup": "[parameters('spokeResourceGroupName')]", "properties": { "expressionEvaluationOptions": { "scope": "inner" 
@@ -3685,34 +3515,10 @@ "mode": "Incremental", "parameters": { "name": { - "value": "[parameters('firewallClientPublicIPAddressName')]" - }, - "location": { - "value": "[parameters('location')]" - }, - "tags": { - "value": "[parameters('tags')]" - }, - "skuName": { - "value": "[parameters('firewallClientPublicIPAddressSkuName')]" - }, - "publicIpAllocationMethod": { - "value": "[parameters('firewallClientPublicIpAllocationMethod')]" - }, - "availabilityZones": { - "value": "[parameters('firewallClientPublicIPAddressAvailabilityZones')]" - }, - "logAnalyticsWorkspaceResourceId": { - "value": "[parameters('logAnalyticsWorkspaceResourceId')]" - }, - "logStorageAccountResourceId": { - "value": "[reference(resourceId('Microsoft.Resources/deployments', 'logStorage')).outputs.id.value]" - }, - "logs": { - "value": "[parameters('publicIPAddressDiagnosticsLogs')]" + "value": "[format('{0}/to-{1}', parameters('spokeVirtualNetworkName'), parameters('hubVirtualNetworkName'))]" }, - "metrics": { - "value": "[parameters('publicIPAddressDiagnosticsMetrics')]" + "remoteVirtualNetworkResourceId": { + "value": "[parameters('hubVirtualNetworkResourceId')]" } }, "template": { 
@@ -3721,2999 +3527,4024 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.10.61.36676", - "templateHash": "18439825222758045392" + "version": "0.24.24.22086", + "templateHash": "9853575474833495545" } }, "parameters": { "name": { "type": "string" }, - "location": { - "type": "string" - }, - "tags": { - "type": "object", - "defaultValue": {} - }, - "skuName": { - "type": "string" - }, - "publicIpAllocationMethod": { - "type": "string" - }, - "availabilityZones": { - "type": "array" - }, - "logStorageAccountResourceId": { - "type": "string" - }, - "logAnalyticsWorkspaceResourceId": { + "remoteVirtualNetworkResourceId": { "type": "string" - }, - "logs": { - "type": "array" - }, - "metrics": { - "type": "array" } }, "resources": [ { - "type": "Microsoft.Network/publicIPAddresses", + "type": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings", "apiVersion": "2021-02-01", "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "sku": { - "name": "[parameters('skuName')]" - }, - "properties": { - "publicIPAllocationMethod": "[parameters('publicIpAllocationMethod')]" - }, - "zones": "[parameters('availabilityZones')]" - }, - { - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2017-05-01-preview", - "scope": "[format('Microsoft.Network/publicIPAddresses/{0}', parameters('name'))]", - "name": "[format('{0}-diagnostics', parameters('name'))]", "properties": { - "storageAccountId": "[parameters('logStorageAccountResourceId')]", - "workspaceId": "[parameters('logAnalyticsWorkspaceResourceId')]", - "logs": "[parameters('logs')]", - "metrics": "[parameters('metrics')]" - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/publicIPAddresses', parameters('name'))]" - ] - } - ], - "outputs": { - "id": { - "type": "string", - "value": "[resourceId('Microsoft.Network/publicIPAddresses', parameters('name'))]" + "allowForwardedTraffic": true, + "remoteVirtualNetwork": { + "id": 
"[parameters('remoteVirtualNetworkResourceId')]" + } + } } - } + ] } - }, - "dependsOn": [ - "[resourceId('Microsoft.Resources/deployments', 'logStorage')]" - ] + } + } + ] + } + }, + "dependsOn": [ + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix')))]", + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', variables('spokes')[copyIndex()].subscriptionId, variables('spokes')[copyIndex()].resourceGroupName), 'Microsoft.Resources/deployments', format('deploy-vnet-{0}-{1}', variables('spokes')[copyIndex()].name, parameters('deploymentNameSuffix')))]" + ] + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('deploy-private-dns-zones-{0}', parameters('deploymentNameSuffix'))]", + "subscriptionId": "[parameters('hubSubscriptionId')]", + "resourceGroup": "[variables('hubResourceGroupName')]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "vnetName": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.virtualNetworkName.value]" + }, + "tags": { + "value": "[parameters('tags')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.24.24.22086", + "templateHash": "15825906422669965879" + } + }, + "parameters": { + "vnetName": { + "type": "string", + "metadata": { + "description": "The name of the virtual network the private dns zones will be connected 
to" + } }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "firewallManagementPublicIPAddress", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" + "vnetResourceGroup": { + "type": "string", + "defaultValue": "[resourceGroup().name]", + "metadata": { + "description": "The name of the the resource group where the virtual network exists" + } + }, + "vnetSubscriptionId": { + "type": "string", + "defaultValue": "[subscription().subscriptionId]", + "metadata": { + "description": "The subscription id of the subscription the virtual network exists in" + } + }, + "tags": { + "type": "object", + "metadata": { + "description": "The tags that will be associated to the resources" + } + } + }, + "variables": { + "copy": [ + { + "name": "privatelink_backup_names", + "count": "[length(items(variables('locations')))]", + "input": "[format('privatelink.backup.{0}.{1}', items(variables('locations'))[copyIndex('privatelink_backup_names')].value.recoveryServicesGeo, variables('cloudSuffix'))]" + } + ], + "$fxv#0": { + "AzureChina": { + "chinaeast": { + "abbreviation": "cne", + "recoveryServicesGeo": "sha", + "timeDifference": "+8:00", + "timeZone": "China Standard Time" }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[parameters('firewallManagementPublicIPAddressName')]" - }, - "location": { - "value": "[parameters('location')]" - }, - "tags": { - "value": "[parameters('tags')]" - }, - "skuName": { - "value": "[parameters('firewallManagementPublicIPAddressSkuName')]" - }, - "publicIpAllocationMethod": { - "value": "[parameters('firewallManagementPublicIpAllocationMethod')]" - }, - "availabilityZones": { - "value": "[parameters('firewallManagementPublicIPAddressAvailabilityZones')]" - }, - "logAnalyticsWorkspaceResourceId": { - "value": "[parameters('logAnalyticsWorkspaceResourceId')]" - }, - "logStorageAccountResourceId": { - "value": "[reference(resourceId('Microsoft.Resources/deployments', 
'logStorage')).outputs.id.value]" - }, - "logs": { - "value": "[parameters('publicIPAddressDiagnosticsLogs')]" - }, - "metrics": { - "value": "[parameters('publicIPAddressDiagnosticsMetrics')]" - } + "chinaeast2": { + "abbreviation": "cne2", + "recoveryServicesGeo": "sha2", + "timeDifference": "+8:00", + "timeZone": "China Standard Time" }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.10.61.36676", - "templateHash": "18439825222758045392" - } - }, - "parameters": { - "name": { - "type": "string" - }, - "location": { - "type": "string" - }, - "tags": { - "type": "object", - "defaultValue": {} - }, - "skuName": { - "type": "string" - }, - "publicIpAllocationMethod": { - "type": "string" - }, - "availabilityZones": { - "type": "array" - }, - "logStorageAccountResourceId": { - "type": "string" - }, - "logAnalyticsWorkspaceResourceId": { - "type": "string" - }, - "logs": { - "type": "array" - }, - "metrics": { - "type": "array" - } - }, - "resources": [ - { - "type": "Microsoft.Network/publicIPAddresses", - "apiVersion": "2021-02-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "sku": { - "name": "[parameters('skuName')]" - }, - "properties": { - "publicIPAllocationMethod": "[parameters('publicIpAllocationMethod')]" - }, - "zones": "[parameters('availabilityZones')]" - }, - { - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2017-05-01-preview", - "scope": "[format('Microsoft.Network/publicIPAddresses/{0}', parameters('name'))]", - "name": "[format('{0}-diagnostics', parameters('name'))]", - "properties": { - "storageAccountId": "[parameters('logStorageAccountResourceId')]", - "workspaceId": "[parameters('logAnalyticsWorkspaceResourceId')]", - "logs": "[parameters('logs')]", - "metrics": "[parameters('metrics')]" - }, - 
"dependsOn": [ - "[resourceId('Microsoft.Network/publicIPAddresses', parameters('name'))]" - ] - } - ], - "outputs": { - "id": { - "type": "string", - "value": "[resourceId('Microsoft.Network/publicIPAddresses', parameters('name'))]" - } - } + "chinanorth": { + "abbreviation": "cnn", + "recoveryServicesGeo": "bjb", + "timeDifference": "+8:00", + "timeZone": "China Standard Time" + }, + "chinanorth2": { + "abbreviation": "cnn2", + "recoveryServicesGeo": "bjb2", + "timeDifference": "+8:00", + "timeZone": "China Standard Time" } }, - "dependsOn": [ - "[resourceId('Microsoft.Resources/deployments', 'logStorage')]" - ] - }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "firewall", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[parameters('firewallName')]" - }, - "location": { - "value": "[parameters('location')]" - }, - "tags": { - "value": "[parameters('tags')]" - }, - "skuTier": { - "value": "[parameters('firewallSkuTier')]" - }, - "firewallPolicyName": { - "value": "[parameters('firewallPolicyName')]" - }, - "threatIntelMode": { - "value": "[parameters('firewallThreatIntelMode')]" - }, - "intrusionDetectionMode": { - "value": "[parameters('firewallIntrusionDetectionMode')]" - }, - "clientIpConfigurationName": { - "value": "[parameters('firewallClientIpConfigurationName')]" - }, - "clientIpConfigurationSubnetResourceId": { - "value": "[format('{0}/subnets/{1}', reference(resourceId('Microsoft.Resources/deployments', 'virtualNetwork')).outputs.id.value, parameters('firewallClientSubnetName'))]" - }, - "clientIpConfigurationPublicIPAddressResourceId": { - "value": "[reference(resourceId('Microsoft.Resources/deployments', 'firewallClientPublicIPAddress')).outputs.id.value]" - }, - "firewallSupernetIPAddress": { - "value": "[parameters('firewallSupernetIPAddress')]" - }, - "enableProxy": { - "value": "[parameters('enableProxy')]" - 
}, - "dnsServers": { - "value": "[parameters('dnsServers')]" - }, - "managementIpConfigurationName": { - "value": "[parameters('firewallManagementIpConfigurationName')]" - }, - "managementIpConfigurationSubnetResourceId": { - "value": "[format('{0}/subnets/{1}', reference(resourceId('Microsoft.Resources/deployments', 'virtualNetwork')).outputs.id.value, parameters('firewallManagementSubnetName'))]" - }, - "managementIpConfigurationPublicIPAddressResourceId": { - "value": "[reference(resourceId('Microsoft.Resources/deployments', 'firewallManagementPublicIPAddress')).outputs.id.value]" - }, - "logAnalyticsWorkspaceResourceId": { - "value": "[parameters('logAnalyticsWorkspaceResourceId')]" - }, - "logStorageAccountResourceId": { - "value": "[reference(resourceId('Microsoft.Resources/deployments', 'logStorage')).outputs.id.value]" - }, - "logs": { - "value": "[parameters('firewallDiagnosticsLogs')]" - }, - "metrics": { - "value": "[parameters('firewallDiagnosticsMetrics')]" - } + "AzureCloud": { + "australiacentral": { + "abbreviation": "auc", + "recoveryServicesGeo": "acl", + "timeDifference": "+10:00", + "timeZone": "AUS Eastern Standard Time" }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.10.61.36676", - "templateHash": "3970955170518833761" - } - }, - "parameters": { - "name": { - "type": "string" - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]" - }, - "tags": { - "type": "object", - "defaultValue": {} - }, - "skuTier": { - "type": "string", - "allowedValues": [ - "Standard", - "Premium" - ] - }, - "threatIntelMode": { - "type": "string", - "allowedValues": [ - "Alert", - "Deny", - "Off" - ] - }, - "intrusionDetectionMode": { - "type": "string", - "allowedValues": [ - "Alert", - "Deny", - "Off" - ] - }, - "enableProxy": { - "type": "bool" - }, - "dnsServers": { 
- "type": "array" - }, - "clientIpConfigurationName": { - "type": "string" - }, - "clientIpConfigurationSubnetResourceId": { - "type": "string" - }, - "clientIpConfigurationPublicIPAddressResourceId": { - "type": "string" - }, - "managementIpConfigurationName": { - "type": "string" - }, - "managementIpConfigurationSubnetResourceId": { - "type": "string" - }, - "managementIpConfigurationPublicIPAddressResourceId": { - "type": "string" - }, - "firewallPolicyName": { - "type": "string" - }, - "firewallSupernetIPAddress": { - "type": "string" - }, - "logStorageAccountResourceId": { - "type": "string" - }, - "logAnalyticsWorkspaceResourceId": { - "type": "string" - }, - "logs": { - "type": "array" - }, - "metrics": { - "type": "array" - } - }, - "variables": { - "intrusionDetectionObject": { - "mode": "[parameters('intrusionDetectionMode')]" - } - }, - "resources": [ - { - "type": "Microsoft.Network/firewallPolicies", - "apiVersion": "2021-02-01", - "name": "[parameters('firewallPolicyName')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "threatIntelMode": "[parameters('threatIntelMode')]", - "intrusionDetection": "[if(equals(parameters('skuTier'), 'Premium'), variables('intrusionDetectionObject'), null())]", - "sku": { - "tier": "[parameters('skuTier')]" - }, - "dnsSettings": { - "enableProxy": "[parameters('enableProxy')]", - "servers": "[parameters('dnsServers')]" - } - } - }, - { - "type": "Microsoft.Network/firewallPolicies/ruleCollectionGroups", - "apiVersion": "2021-02-01", - "name": "[format('{0}/DefaultApplicationRuleCollectionGroup', parameters('firewallPolicyName'))]", - "properties": { - "priority": 300, - "ruleCollections": [ - { - "ruleCollectionType": "FirewallPolicyFilterRuleCollection", - "action": { - "type": "Allow" - }, - "rules": [ - { - "ruleType": "ApplicationRule", - "name": "msftauth", - "protocols": [ - { - "protocolType": "Https", - "port": 443 - } - ], - "fqdnTags": [], - "webCategories": 
[], - "targetFqdns": [ - "aadcdn.msftauth.net", - "aadcdn.msauth.net" - ], - "targetUrls": [], - "terminateTLS": false, - "sourceAddresses": [ - "*" - ], - "destinationAddresses": [], - "sourceIpGroups": [] - } - ], - "name": "AzureAuth", - "priority": 110 - } - ] - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/firewallPolicies', parameters('firewallPolicyName'))]" - ] - }, - { - "type": "Microsoft.Network/firewallPolicies/ruleCollectionGroups", - "apiVersion": "2021-02-01", - "name": "[format('{0}/DefaultNetworkRuleCollectionGroup', parameters('firewallPolicyName'))]", - "properties": { - "priority": 200, - "ruleCollections": [ - { - "ruleCollectionType": "FirewallPolicyFilterRuleCollection", - "action": { - "type": "Allow" - }, - "rules": [ - { - "ruleType": "NetworkRule", - "name": "AzureCloud", - "ipProtocols": [ - "Any" - ], - "sourceAddresses": [ - "*" - ], - "sourceIpGroups": [], - "destinationAddresses": [ - "AzureCloud" - ], - "destinationIpGroups": [], - "destinationFqdns": [], - "destinationPorts": [ - "*" - ] - } - ], - "name": "AllowAzureCloud", - "priority": 100 - }, - { - "ruleCollectionType": "FirewallPolicyFilterRuleCollection", - "action": { - "type": "Allow" - }, - "rules": [ - { - "ruleType": "NetworkRule", - "name": "AllSpokeTraffic", - "ipProtocols": [ - "Any" - ], - "sourceAddresses": [ - "[parameters('firewallSupernetIPAddress')]" - ], - "sourceIpGroups": [], - "destinationAddresses": [ - "*" - ], - "destinationIpGroups": [], - "destinationFqdns": [], - "destinationPorts": [ - "*" - ] - } - ], - "name": "AllowTrafficBetweenSpokes", - "priority": 200 - } - ] - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/firewallPolicies/ruleCollectionGroups', split(format('{0}/DefaultApplicationRuleCollectionGroup', parameters('firewallPolicyName')), '/')[0], split(format('{0}/DefaultApplicationRuleCollectionGroup', parameters('firewallPolicyName')), '/')[1])]", - "[resourceId('Microsoft.Network/firewallPolicies', 
parameters('firewallPolicyName'))]" - ] - }, - { - "type": "Microsoft.Network/azureFirewalls", - "apiVersion": "2021-02-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "ipConfigurations": [ - { - "name": "[parameters('clientIpConfigurationName')]", - "properties": { - "subnet": { - "id": "[parameters('clientIpConfigurationSubnetResourceId')]" - }, - "publicIPAddress": { - "id": "[parameters('clientIpConfigurationPublicIPAddressResourceId')]" - } - } - } - ], - "managementIpConfiguration": { - "name": "[parameters('managementIpConfigurationName')]", - "properties": { - "subnet": { - "id": "[parameters('managementIpConfigurationSubnetResourceId')]" - }, - "publicIPAddress": { - "id": "[parameters('managementIpConfigurationPublicIPAddressResourceId')]" - } - } - }, - "firewallPolicy": { - "id": "[resourceId('Microsoft.Network/firewallPolicies', parameters('firewallPolicyName'))]" - }, - "sku": { - "tier": "[parameters('skuTier')]" - } - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/firewallPolicies/ruleCollectionGroups', split(format('{0}/DefaultApplicationRuleCollectionGroup', parameters('firewallPolicyName')), '/')[0], split(format('{0}/DefaultApplicationRuleCollectionGroup', parameters('firewallPolicyName')), '/')[1])]", - "[resourceId('Microsoft.Network/firewallPolicies/ruleCollectionGroups', split(format('{0}/DefaultNetworkRuleCollectionGroup', parameters('firewallPolicyName')), '/')[0], split(format('{0}/DefaultNetworkRuleCollectionGroup', parameters('firewallPolicyName')), '/')[1])]", - "[resourceId('Microsoft.Network/firewallPolicies', parameters('firewallPolicyName'))]" - ] - }, - { - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2017-05-01-preview", - "scope": "[format('Microsoft.Network/azureFirewalls/{0}', parameters('name'))]", - "name": "[format('{0}-diagnostics', parameters('name'))]", - "properties": { - "storageAccountId": 
"[parameters('logStorageAccountResourceId')]", - "workspaceId": "[parameters('logAnalyticsWorkspaceResourceId')]", - "logs": "[parameters('logs')]", - "metrics": "[parameters('metrics')]" - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/azureFirewalls', parameters('name'))]" - ] - } - ], - "outputs": { - "privateIPAddress": { - "type": "string", - "value": "[reference(resourceId('Microsoft.Network/azureFirewalls', parameters('name'))).ipConfigurations[0].properties.privateIPAddress]" - } - } - } - }, - "dependsOn": [ - "[resourceId('Microsoft.Resources/deployments', 'firewallClientPublicIPAddress')]", - "[resourceId('Microsoft.Resources/deployments', 'firewallManagementPublicIPAddress')]", - "[resourceId('Microsoft.Resources/deployments', 'logStorage')]", - "[resourceId('Microsoft.Resources/deployments', 'virtualNetwork')]" - ] - } - ], - "outputs": { - "virtualNetworkName": { - "type": "string", - "value": "[reference(resourceId('Microsoft.Resources/deployments', 'virtualNetwork')).outputs.name.value]" - }, - "virtualNetworkResourceId": { - "type": "string", - "value": "[reference(resourceId('Microsoft.Resources/deployments', 'virtualNetwork')).outputs.id.value]" - }, - "subnetName": { - "type": "string", - "value": "[format('{0}/{1}', parameters('virtualNetworkName'), parameters('subnetName'))]" - }, - "subnetAddressPrefix": { - "type": "string", - "value": "[reference(resourceId('Microsoft.Network/virtualNetworks/subnets', split(format('{0}/{1}', parameters('virtualNetworkName'), parameters('subnetName')), '/')[0], split(format('{0}/{1}', parameters('virtualNetworkName'), parameters('subnetName')), '/')[1])).addressPrefix]" - }, - "subnetResourceId": { - "type": "string", - "value": "[resourceId('Microsoft.Network/virtualNetworks/subnets', split(format('{0}/{1}', parameters('virtualNetworkName'), parameters('subnetName')), '/')[0], split(format('{0}/{1}', parameters('virtualNetworkName'), parameters('subnetName')), '/')[1])]" - }, - 
"networkSecurityGroupName": { - "type": "string", - "value": "[reference(resourceId('Microsoft.Resources/deployments', 'networkSecurityGroup')).outputs.name.value]" - }, - "networkSecurityGroupResourceId": { - "type": "string", - "value": "[reference(resourceId('Microsoft.Resources/deployments', 'networkSecurityGroup')).outputs.id.value]" - }, - "firewallPrivateIPAddress": { - "type": "string", - "value": "[reference(resourceId('Microsoft.Resources/deployments', 'firewall')).outputs.privateIPAddress.value]" - } - } - } - }, - "dependsOn": [ - "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix')))]", - "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix')))]" - ] - }, - { - "copy": { - "name": "spokeNetworks", - "count": "[length(variables('spokes'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "[format('deploy-vnet-{0}-{1}', variables('spokes')[copyIndex()].name, parameters('deploymentNameSuffix'))]", - "subscriptionId": "[variables('spokes')[copyIndex()].subscriptionId]", - "resourceGroup": "[variables('spokes')[copyIndex()].resourceGroupName]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "location": { - "value": "[parameters('location')]" - }, - "tags": { - "value": "[variables('calculatedTags')]" - }, - "logStorageAccountName": { - "value": "[variables('spokes')[copyIndex()].logStorageAccountName]" - }, - "logStorageSkuName": { - "value": "[parameters('logStorageSkuName')]" - }, - "logAnalyticsWorkspaceResourceId": { - "value": 
"[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix')))).outputs.id.value]" - }, - "firewallPrivateIPAddress": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix')))).outputs.firewallPrivateIPAddress.value]" - }, - "vNetDnsServers": { - "value": [ - "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix')))).outputs.firewallPrivateIPAddress.value]" - ] - }, - "virtualNetworkName": { - "value": "[variables('spokes')[copyIndex()].virtualNetworkName]" - }, - "virtualNetworkAddressPrefix": { - "value": "[variables('spokes')[copyIndex()].virtualNetworkAddressPrefix]" - }, - "virtualNetworkDiagnosticsLogs": { - "value": "[variables('spokes')[copyIndex()].virtualNetworkDiagnosticsLogs]" - }, - "virtualNetworkDiagnosticsMetrics": { - "value": "[variables('spokes')[copyIndex()].virtualNetworkDiagnosticsMetrics]" - }, - "networkSecurityGroupName": { - "value": "[variables('spokes')[copyIndex()].networkSecurityGroupName]" - }, - "networkSecurityGroupRules": { - "value": "[variables('spokes')[copyIndex()].networkSecurityGroupRules]" - }, - "networkSecurityGroupDiagnosticsLogs": { - "value": "[variables('spokes')[copyIndex()].networkSecurityGroupDiagnosticsLogs]" - }, - "networkSecurityGroupDiagnosticsMetrics": { - "value": "[variables('spokes')[copyIndex()].networkSecurityGroupDiagnosticsMetrics]" - }, - "subnetName": { - "value": "[variables('spokes')[copyIndex()].subnetName]" - }, 
- "subnetAddressPrefix": { - "value": "[variables('spokes')[copyIndex()].subnetAddressPrefix]" - }, - "subnetServiceEndpoints": { - "value": "[variables('spokes')[copyIndex()].subnetServiceEndpoints]" - }, - "subnetPrivateEndpointNetworkPolicies": { - "value": "[variables('spokes')[copyIndex()].subnetPrivateEndpointNetworkPolicies]" - }, - "subnetPrivateLinkServiceNetworkPolicies": { - "value": "[variables('spokes')[copyIndex()].subnetPrivateLinkServiceNetworkPolicies]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.10.61.36676", - "templateHash": "6504783739414137516" - } - }, - "parameters": { - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]" - }, - "tags": { - "type": "object", - "defaultValue": {} - }, - "logStorageAccountName": { - "type": "string" - }, - "logStorageSkuName": { - "type": "string" - }, - "logAnalyticsWorkspaceResourceId": { - "type": "string" - }, - "firewallPrivateIPAddress": { - "type": "string" - }, - "virtualNetworkName": { - "type": "string" - }, - "virtualNetworkAddressPrefix": { - "type": "string" - }, - "virtualNetworkDiagnosticsLogs": { - "type": "array" - }, - "virtualNetworkDiagnosticsMetrics": { - "type": "array" - }, - "vNetDnsServers": { - "type": "array" - }, - "networkSecurityGroupName": { - "type": "string" - }, - "networkSecurityGroupRules": { - "type": "array" - }, - "networkSecurityGroupDiagnosticsLogs": { - "type": "array" - }, - "networkSecurityGroupDiagnosticsMetrics": { - "type": "array" - }, - "subnetName": { - "type": "string" - }, - "subnetAddressPrefix": { - "type": "string" - }, - "subnetServiceEndpoints": { - "type": "array" - }, - "routeTableName": { - "type": "string", - "defaultValue": "[format('{0}-routetable', parameters('subnetName'))]" - }, - "routeTableRouteName": { - "type": "string", - "defaultValue": 
"default_route" - }, - "routeTableRouteAddressPrefix": { - "type": "string", - "defaultValue": "0.0.0.0/0" - }, - "routeTableRouteNextHopIpAddress": { - "type": "string", - "defaultValue": "[parameters('firewallPrivateIPAddress')]" - }, - "routeTableRouteNextHopType": { - "type": "string", - "defaultValue": "VirtualAppliance" - }, - "subnetPrivateEndpointNetworkPolicies": { - "type": "string" - }, - "subnetPrivateLinkServiceNetworkPolicies": { - "type": "string" - } - }, - "resources": [ - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "logStorage", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" + "australiacentral2": { + "abbreviation": "auc2", + "recoveryServicesGeo": "acl2", + "timeDifference": "+10:00", + "timeZone": "AUS Eastern Standard Time" }, - "mode": "Incremental", - "parameters": { - "storageAccountName": { - "value": "[parameters('logStorageAccountName')]" - }, - "location": { - "value": "[parameters('location')]" - }, - "skuName": { - "value": "[parameters('logStorageSkuName')]" - }, - "tags": { - "value": "[parameters('tags')]" - } + "australiaeast": { + "abbreviation": "aue", + "recoveryServicesGeo": "ae", + "timeDifference": "+10:00", + "timeZone": "AUS Eastern Standard Time" }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.10.61.36676", - "templateHash": "4435843471246172620" - } - }, - "parameters": { - "storageAccountName": { - "type": "string" - }, - "location": { - "type": "string" - }, - "skuName": { - "type": "string" - }, - "tags": { - "type": "object", - "defaultValue": {} - } - }, - "resources": [ - { - "type": "Microsoft.Storage/storageAccounts", - "apiVersion": "2021-01-01", - "name": "[parameters('storageAccountName')]", - "location": "[parameters('location')]", - "kind": "StorageV2", - "sku": { - "name": 
"[parameters('skuName')]" - }, - "tags": "[parameters('tags')]", - "properties": { - "minimumTlsVersion": "TLS1_2", - "encryption": { - "keySource": "Microsoft.Storage", - "requireInfrastructureEncryption": true, - "services": { - "blob": { - "enabled": true - }, - "file": { - "enabled": true - }, - "queue": { - "enabled": true - }, - "table": { - "enabled": true - } - } - } - } - } - ], - "outputs": { - "id": { - "type": "string", - "value": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]" - } - } - } - } - }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "networkSecurityGroup", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" + "australiasoutheast": { + "abbreviation": "ause", + "recoveryServicesGeo": "ase", + "timeDifference": "+10:00", + "timeZone": "AUS Eastern Standard Time" + }, + "brazilsouth": { + "abbreviation": "brs", + "recoveryServicesGeo": "brs", + "timeDifference": "-3:00", + "timeZone": "E. South America Standard Time" + }, + "brazilsoutheast": { + "abbreviation": "brse", + "recoveryServicesGeo": "bse", + "timeDifference": "-3:00", + "timeZone": "E. 
South America Standard Time" }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[parameters('networkSecurityGroupName')]" - }, - "location": { - "value": "[parameters('location')]" - }, - "tags": { - "value": "[parameters('tags')]" - }, - "securityRules": { - "value": "[parameters('networkSecurityGroupRules')]" - }, - "logAnalyticsWorkspaceResourceId": { - "value": "[parameters('logAnalyticsWorkspaceResourceId')]" - }, - "logStorageAccountResourceId": { - "value": "[reference(resourceId('Microsoft.Resources/deployments', 'logStorage')).outputs.id.value]" - }, - "logs": { - "value": "[parameters('networkSecurityGroupDiagnosticsLogs')]" - }, - "metrics": { - "value": "[parameters('networkSecurityGroupDiagnosticsMetrics')]" - } + "canadacentral": { + "abbreviation": "cac", + "recoveryServicesGeo": "cnc", + "timeDifference": "-5:00", + "timeZone": "Eastern Standard Time" }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.10.61.36676", - "templateHash": "7894763285242421186" - } - }, - "parameters": { - "name": { - "type": "string" - }, - "location": { - "type": "string" - }, - "tags": { - "type": "object", - "defaultValue": {} - }, - "securityRules": { - "type": "array" - }, - "logStorageAccountResourceId": { - "type": "string" - }, - "logAnalyticsWorkspaceResourceId": { - "type": "string" - }, - "logs": { - "type": "array" - }, - "metrics": { - "type": "array" - } - }, - "resources": [ - { - "type": "Microsoft.Network/networkSecurityGroups", - "apiVersion": "2021-02-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "securityRules": "[parameters('securityRules')]" - } - }, - { - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2017-05-01-preview", - "scope": 
"[format('Microsoft.Network/networkSecurityGroups/{0}', parameters('name'))]", - "name": "[format('{0}-diagnostics', parameters('name'))]", - "properties": { - "storageAccountId": "[parameters('logStorageAccountResourceId')]", - "workspaceId": "[parameters('logAnalyticsWorkspaceResourceId')]", - "logs": "[parameters('logs')]", - "metrics": "[parameters('metrics')]" - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('name'))]" - ] - } - ], - "outputs": { - "id": { - "type": "string", - "value": "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('name'))]" - }, - "name": { - "type": "string", - "value": "[parameters('name')]" - } - } - } - }, - "dependsOn": [ - "[resourceId('Microsoft.Resources/deployments', 'logStorage')]" - ] - }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "routeTable", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" + "canadaeast": { + "abbreviation": "cae", + "recoveryServicesGeo": "cne", + "timeDifference": "-5:00", + "timeZone": "Eastern Standard Time" }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[parameters('routeTableName')]" - }, - "location": { - "value": "[parameters('location')]" - }, - "tags": { - "value": "[parameters('tags')]" - }, - "routeName": { - "value": "[parameters('routeTableRouteName')]" - }, - "routeAddressPrefix": { - "value": "[parameters('routeTableRouteAddressPrefix')]" - }, - "routeNextHopIpAddress": { - "value": "[parameters('routeTableRouteNextHopIpAddress')]" - }, - "routeNextHopType": { - "value": "[parameters('routeTableRouteNextHopType')]" - } + "centralindia": { + "abbreviation": "inc", + "recoveryServicesGeo": "inc", + "timeDifference": "+5:30", + "timeZone": "India Standard Time" }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - 
"name": "bicep", - "version": "0.10.61.36676", - "templateHash": "8332169477119932515" - } - }, - "parameters": { - "name": { - "type": "string" - }, - "location": { - "type": "string" - }, - "tags": { - "type": "object", - "defaultValue": {} - }, - "routeName": { - "type": "string" - }, - "routeAddressPrefix": { - "type": "string" - }, - "routeNextHopIpAddress": { - "type": "string" - }, - "routeNextHopType": { - "type": "string" - } - }, - "resources": [ - { - "type": "Microsoft.Network/routeTables", - "apiVersion": "2021-02-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "routes": [ - { - "name": "[parameters('routeName')]", - "properties": { - "addressPrefix": "[parameters('routeAddressPrefix')]", - "nextHopIpAddress": "[parameters('routeNextHopIpAddress')]", - "nextHopType": "[parameters('routeNextHopType')]" - } - } - ] - } - } - ], - "outputs": { - "id": { - "type": "string", - "value": "[resourceId('Microsoft.Network/routeTables', parameters('name'))]" - }, - "name": { - "type": "string", - "value": "[parameters('name')]" - } - } - } - } - }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "virtualNetwork", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" + "centralus": { + "abbreviation": "usc", + "recoveryServicesGeo": "cus", + "timeDifference": "-6:00", + "timeZone": "Central Standard Time" + }, + "eastasia": { + "abbreviation": "ase", + "recoveryServicesGeo": "ea", + "timeDifference": "+8:00", + "timeZone": "China Standard Time" + }, + "eastus": { + "abbreviation": "use", + "recoveryServicesGeo": "eus", + "timeDifference": "-5:00", + "timeZone": "Eastern Standard Time" + }, + "eastus2": { + "abbreviation": "use2", + "recoveryServicesGeo": "eus2", + "timeDifference": "-5:00", + "timeZone": "Eastern Standard Time" + }, + "francecentral": { + "abbreviation": "frc", + "recoveryServicesGeo": "frc", + 
"timeDifference": "+1:00", + "timeZone": "Central Europe Standard Time" + }, + "francesouth": { + "abbreviation": "frs", + "recoveryServicesGeo": "frs", + "timeDifference": "+1:00", + "timeZone": "Central Europe Standard Time" }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[parameters('virtualNetworkName')]" - }, - "location": { - "value": "[parameters('location')]" - }, - "tags": { - "value": "[parameters('tags')]" - }, - "addressPrefix": { - "value": "[parameters('virtualNetworkAddressPrefix')]" - }, - "vNetDnsServers": { - "value": "[parameters('vNetDnsServers')]" - }, - "subnets": { - "value": [ - { - "name": "[parameters('subnetName')]", - "properties": { - "addressPrefix": "[parameters('subnetAddressPrefix')]", - "networkSecurityGroup": { - "id": "[reference(resourceId('Microsoft.Resources/deployments', 'networkSecurityGroup')).outputs.id.value]" - }, - "routeTable": { - "id": "[reference(resourceId('Microsoft.Resources/deployments', 'routeTable')).outputs.id.value]" - }, - "serviceEndpoints": "[parameters('subnetServiceEndpoints')]", - "privateEndpointNetworkPolicies": "[parameters('subnetPrivateEndpointNetworkPolicies')]", - "privateLinkServiceNetworkPolicies": "[parameters('subnetPrivateLinkServiceNetworkPolicies')]" - } - } - ] - }, - "logAnalyticsWorkspaceResourceId": { - "value": "[parameters('logAnalyticsWorkspaceResourceId')]" - }, - "logStorageAccountResourceId": { - "value": "[reference(resourceId('Microsoft.Resources/deployments', 'logStorage')).outputs.id.value]" - }, - "logs": { - "value": "[parameters('virtualNetworkDiagnosticsLogs')]" - }, - "metrics": { - "value": "[parameters('virtualNetworkDiagnosticsMetrics')]" - } + "germanynorth": { + "abbreviation": "den", + "recoveryServicesGeo": "gn", + "timeDifference": "+1:00", + "timeZone": "Central Europe Standard Time" }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - 
"metadata": { - "_generator": { - "name": "bicep", - "version": "0.10.61.36676", - "templateHash": "16443263514490560792" - } - }, - "parameters": { - "name": { - "type": "string" - }, - "location": { - "type": "string" - }, - "tags": { - "type": "object", - "defaultValue": {} - }, - "addressPrefix": { - "type": "string" - }, - "vNetDnsServers": { - "type": "array", - "defaultValue": [] - }, - "logAnalyticsWorkspaceResourceId": { - "type": "string" - }, - "logStorageAccountResourceId": { - "type": "string" - }, - "subnets": { - "type": "array" - }, - "logs": { - "type": "array" - }, - "metrics": { - "type": "array" - } - }, - "resources": [ - { - "type": "Microsoft.Network/virtualNetworks", - "apiVersion": "2021-02-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "addressSpace": { - "addressPrefixes": [ - "[parameters('addressPrefix')]" - ] - }, - "subnets": "[parameters('subnets')]", - "dhcpOptions": "[if(not(equals(parameters('vNetDnsServers'), null())), createObject('dnsServers', parameters('vNetDnsServers')), null())]" - } - }, - { - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2017-05-01-preview", - "scope": "[format('Microsoft.Network/virtualNetworks/{0}', parameters('name'))]", - "name": "[format('{0}-diagnostics', parameters('name'))]", - "properties": { - "storageAccountId": "[parameters('logStorageAccountResourceId')]", - "workspaceId": "[parameters('logAnalyticsWorkspaceResourceId')]", - "logs": "[parameters('logs')]", - "metrics": "[parameters('metrics')]" - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/virtualNetworks', parameters('name'))]" - ] - } - ], - "outputs": { - "name": { - "type": "string", - "value": "[parameters('name')]" - }, - "id": { - "type": "string", - "value": "[resourceId('Microsoft.Network/virtualNetworks', parameters('name'))]" - }, - "subnets": { - "type": "array", - "value": 
"[reference(resourceId('Microsoft.Network/virtualNetworks', parameters('name'))).subnets]" - }, - "addressPrefix": { - "type": "string", - "value": "[reference(resourceId('Microsoft.Network/virtualNetworks', parameters('name'))).addressSpace.addressPrefixes[0]]" - } - } - } - }, - "dependsOn": [ - "[resourceId('Microsoft.Resources/deployments', 'logStorage')]", - "[resourceId('Microsoft.Resources/deployments', 'networkSecurityGroup')]", - "[resourceId('Microsoft.Resources/deployments', 'routeTable')]" - ] - } - ], - "outputs": { - "virtualNetworkName": { - "type": "string", - "value": "[reference(resourceId('Microsoft.Resources/deployments', 'virtualNetwork')).outputs.name.value]" - }, - "virtualNetworkResourceId": { - "type": "string", - "value": "[reference(resourceId('Microsoft.Resources/deployments', 'virtualNetwork')).outputs.id.value]" - }, - "virtualNetworkAddressPrefix": { - "type": "string", - "value": "[reference(resourceId('Microsoft.Resources/deployments', 'virtualNetwork')).outputs.addressPrefix.value]" - }, - "subnetName": { - "type": "string", - "value": "[reference(resourceId('Microsoft.Resources/deployments', 'virtualNetwork')).outputs.subnets.value[0].name]" - }, - "subnetAddressPrefix": { - "type": "string", - "value": "[reference(resourceId('Microsoft.Resources/deployments', 'virtualNetwork')).outputs.subnets.value[0].properties.addressPrefix]" - }, - "subnetResourceId": { - "type": "string", - "value": "[reference(resourceId('Microsoft.Resources/deployments', 'virtualNetwork')).outputs.subnets.value[0].id]" - }, - "networkSecurityGroupName": { - "type": "string", - "value": "[reference(resourceId('Microsoft.Resources/deployments', 'networkSecurityGroup')).outputs.name.value]" - }, - "networkSecurityGroupResourceId": { - "type": "string", - "value": "[reference(resourceId('Microsoft.Resources/deployments', 'networkSecurityGroup')).outputs.id.value]" - } - } - } - }, - "dependsOn": [ - 
"[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix')))]", - "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix')))]" - ] - }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "[format('deploy-vnet-peerings-hub-{0}', parameters('deploymentNameSuffix'))]", - "subscriptionId": "[parameters('hubSubscriptionId')]", - "resourceGroup": "[variables('hubResourceGroupName')]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "hubVirtualNetworkName": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix')))).outputs.virtualNetworkName.value]" - }, - "spokes": { - "copy": [ - { - "name": "value", - "count": "[length(variables('spokes'))]", - "input": "[createObject('type', variables('spokes')[copyIndex('value')].name, 'virtualNetworkName', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', variables('spokes')[copyIndex('value')].subscriptionId, variables('spokes')[copyIndex('value')].resourceGroupName), 'Microsoft.Resources/deployments', format('deploy-vnet-{0}-{1}', variables('spokes')[copyIndex('value')].name, parameters('deploymentNameSuffix')))).outputs.virtualNetworkName.value, 'virtualNetworkResourceId', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', variables('spokes')[copyIndex('value')].subscriptionId, 
variables('spokes')[copyIndex('value')].resourceGroupName), 'Microsoft.Resources/deployments', format('deploy-vnet-{0}-{1}', variables('spokes')[copyIndex('value')].name, parameters('deploymentNameSuffix')))).outputs.virtualNetworkResourceId.value)]" - } - ] - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.10.61.36676", - "templateHash": "15629689242937002521" - } - }, - "parameters": { - "hubVirtualNetworkName": { - "type": "string" - }, - "spokes": { - "type": "array" - } - }, - "resources": [ - { - "copy": { - "name": "hubToSpokePeering", - "count": "[length(parameters('spokes'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "[format('hub-to-{0}-vnet-peering', parameters('spokes')[copyIndex()].type)]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" + "germanywestcentral": { + "abbreviation": "dewc", + "recoveryServicesGeo": "gwc", + "timeDifference": "+1:00", + "timeZone": "Central Europe Standard Time" + }, + "israelcentral": { + "abbreviation": "ilc", + "recoveryServicesGeo": "ilc", + "timeDifference": "+2:00", + "timeZone": "Israel Standard Time" + }, + "italynorth": { + "abbreviation": "itn", + "recoveryServicesGeo": "itn", + "timeDifference": "+1:00", + "timeZone": "Central Europe Standard Time" + }, + "japaneast": { + "abbreviation": "jpe", + "recoveryServicesGeo": "jpe", + "timeDifference": "+9:00", + "timeZone": "Tokyo Standard Time" + }, + "japanwest": { + "abbreviation": "jpw", + "recoveryServicesGeo": "jpw", + "timeDifference": "+9:00", + "timeZone": "Tokyo Standard Time" }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[format('{0}/to-{1}', parameters('hubVirtualNetworkName'), parameters('spokes')[copyIndex()].virtualNetworkName)]" - }, - "remoteVirtualNetworkResourceId": { - "value": 
"[parameters('spokes')[copyIndex()].virtualNetworkResourceId]" - } + "jioindiacentral": { + "abbreviation": "injc", + "recoveryServicesGeo": "jic", + "timeDifference": "+5:30", + "timeZone": "India Standard Time" }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.10.61.36676", - "templateHash": "18419282456813263047" - } - }, - "parameters": { - "name": { - "type": "string" - }, - "remoteVirtualNetworkResourceId": { - "type": "string" - } - }, - "resources": [ - { - "type": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings", - "apiVersion": "2021-02-01", - "name": "[parameters('name')]", - "properties": { - "allowForwardedTraffic": true, - "remoteVirtualNetwork": { - "id": "[parameters('remoteVirtualNetworkResourceId')]" - } - } - } - ] - } - } - } - ] - } - }, - "dependsOn": [ - "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix')))]", - "spokeNetworks" - ] - }, - { - "copy": { - "name": "spokeVirtualNetworkPeerings", - "count": "[length(variables('spokes'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "[format('deploy-vnet-peerings-{0}-{1}', variables('spokes')[copyIndex()].name, parameters('deploymentNameSuffix'))]", - "subscriptionId": "[variables('spokes')[copyIndex()].subscriptionId]", - "location": "[deployment().location]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "spokeName": { - "value": "[variables('spokes')[copyIndex()].name]" - }, - "spokeResourceGroupName": { - "value": "[variables('spokes')[copyIndex()].resourceGroupName]" - }, - "spokeVirtualNetworkName": { - "value": 
"[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', variables('spokes')[copyIndex()].subscriptionId, variables('spokes')[copyIndex()].resourceGroupName), 'Microsoft.Resources/deployments', format('deploy-vnet-{0}-{1}', variables('spokes')[copyIndex()].name, parameters('deploymentNameSuffix')))).outputs.virtualNetworkName.value]" - }, - "hubVirtualNetworkName": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix')))).outputs.virtualNetworkName.value]" - }, - "hubVirtualNetworkResourceId": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix')))).outputs.virtualNetworkResourceId.value]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.10.61.36676", - "templateHash": "2611495743947239031" - } - }, - "parameters": { - "spokeName": { - "type": "string" - }, - "spokeResourceGroupName": { - "type": "string" - }, - "spokeVirtualNetworkName": { - "type": "string" - }, - "hubVirtualNetworkName": { - "type": "string" - }, - "hubVirtualNetworkResourceId": { - "type": "string" - } - }, - "resources": [ - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "[format('{0}-to-hub-vnet-peering', parameters('spokeName'))]", - "resourceGroup": "[parameters('spokeResourceGroupName')]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" + "jioindiawest": { + "abbreviation": "injw", + "recoveryServicesGeo": "jiw", + 
"timeDifference": "+5:30", + "timeZone": "India Standard Time" + }, + "koreacentral": { + "abbreviation": "krc", + "recoveryServicesGeo": "krc", + "timeDifference": "+9:00", + "timeZone": "Korea Standard Time" + }, + "koreasouth": { + "abbreviation": "krs", + "recoveryServicesGeo": "krs", + "timeDifference": "+9:00", + "timeZone": "Korea Standard Time" + }, + "northcentralus": { + "abbreviation": "usnc", + "recoveryServicesGeo": "ncus", + "timeDifference": "-6:00", + "timeZone": "Central Standard Time" + }, + "northeurope": { + "abbreviation": "eun", + "recoveryServicesGeo": "ne", + "timeDifference": "0:00", + "timeZone": "GMT Standard Time" + }, + "norwayeast": { + "abbreviation": "noe", + "recoveryServicesGeo": "nwe", + "timeDifference": "+1:00", + "timeZone": "Central Europe Standard Time" + }, + "norwaywest": { + "abbreviation": "now", + "recoveryServicesGeo": "nww", + "timeDifference": "+1:00", + "timeZone": "Central Europe Standard Time" + }, + "polandcentral": { + "abbreviation": "plc", + "recoveryServicesGeo": "plc", + "timeDifference": "+1:00", + "timeZone": "Central Europe Standard Time" + }, + "qatarcentral": { + "abbreviation": "qac", + "recoveryServicesGeo": "qac", + "timeDifference": "+3:00", + "timeZone": "Arabian Standard Time" + }, + "southafricanorth": { + "abbreviation": "zan", + "recoveryServicesGeo": "san", + "timeDifference": "+2:00", + "timeZone": "South Africa Standard Time" + }, + "southafricawest": { + "abbreviation": "zaw", + "recoveryServicesGeo": "saw", + "timeDifference": "+2:00", + "timeZone": "South Africa Standard Time" + }, + "southcentralus": { + "abbreviation": "ussc", + "recoveryServicesGeo": "scus", + "timeDifference": "-6:00", + "timeZone": "Central Standard Time" + }, + "southeastasia": { + "abbreviation": "asse", + "recoveryServicesGeo": "sea", + "timeDifference": "+8:00", + "timeZone": "Singapore Standard Time" + }, + "southindia": { + "abbreviation": "ins", + "recoveryServicesGeo": "ins", + "timeDifference": "+5:30", + 
"timeZone": "India Standard Time" + }, + "swedencentral": { + "abbreviation": "sec", + "recoveryServicesGeo": "sdc", + "timeDifference": "+1:00", + "timeZone": "Central Europe Standard Time" + }, + "switzerlandnorth": { + "abbreviation": "chn", + "recoveryServicesGeo": "szn", + "timeDifference": "+1:00", + "timeZone": "Central Europe Standard Time" + }, + "switzerlandwest": { + "abbreviation": "chw", + "recoveryServicesGeo": "szw", + "timeDifference": "+1:00", + "timeZone": "Central Europe Standard Time" + }, + "uaecentral": { + "abbreviation": "aec", + "recoveryServicesGeo": "uac", + "timeDifference": "+3:00", + "timeZone": "Arabian Standard Time" + }, + "uaenorth": { + "abbreviation": "aen", + "recoveryServicesGeo": "uan", + "timeDifference": "+3:00", + "timeZone": "Arabian Standard Time" + }, + "uksouth": { + "abbreviation": "uks", + "recoveryServicesGeo": "uks", + "timeDifference": "0:00", + "timeZone": "GMT Standard Time" + }, + "ukwest": { + "abbreviation": "ukw", + "recoveryServicesGeo": "ukw", + "timeDifference": "0:00", + "timeZone": "GMT Standard Time" + }, + "westcentralus": { + "abbreviation": "uswc", + "recoveryServicesGeo": "wcus", + "timeDifference": "-7:00", + "timeZone": "Mountain Standard Time" + }, + "westeurope": { + "abbreviation": "euw", + "recoveryServicesGeo": "we", + "timeDifference": "+1:00", + "timeZone": "Central Europe Standard Time" + }, + "westindia": { + "abbreviation": "inw", + "recoveryServicesGeo": "inw", + "timeDifference": "+5:30", + "timeZone": "India Standard Time" }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[format('{0}/to-{1}', parameters('spokeVirtualNetworkName'), parameters('hubVirtualNetworkName'))]" - }, - "remoteVirtualNetworkResourceId": { - "value": "[parameters('hubVirtualNetworkResourceId')]" - } + "westus": { + "abbreviation": "usw", + "recoveryServicesGeo": "wus", + "timeDifference": "-8:00", + "timeZone": "Pacific Standard Time" }, - "template": { - "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.10.61.36676", - "templateHash": "18419282456813263047" - } - }, - "parameters": { - "name": { - "type": "string" - }, - "remoteVirtualNetworkResourceId": { - "type": "string" - } - }, - "resources": [ - { - "type": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings", - "apiVersion": "2021-02-01", - "name": "[parameters('name')]", - "properties": { - "allowForwardedTraffic": true, - "remoteVirtualNetwork": { - "id": "[parameters('remoteVirtualNetworkResourceId')]" - } - } - } - ] + "westus2": { + "abbreviation": "usw2", + "recoveryServicesGeo": "wus2", + "timeDifference": "-8:00", + "timeZone": "Pacific Standard Time" + }, + "westus3": { + "abbreviation": "usw3", + "recoveryServicesGeo": "wus3", + "timeDifference": "-7:00", + "timeZone": "Mountain Standard Time" } - } - } - ] - } - }, - "dependsOn": [ - "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix')))]", - "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', variables('spokes')[copyIndex()].subscriptionId, variables('spokes')[copyIndex()].resourceGroupName), 'Microsoft.Resources/deployments', format('deploy-vnet-{0}-{1}', variables('spokes')[copyIndex()].name, parameters('deploymentNameSuffix')))]" - ] - }, - { - "condition": "[parameters('deployPolicy')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "[format('assign-policy-hub-{0}', parameters('deploymentNameSuffix'))]", - "subscriptionId": "[parameters('hubSubscriptionId')]", - "resourceGroup": "[variables('hubResourceGroupName')]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", 
- "parameters": { - "builtInAssignment": { - "value": "[parameters('policy')]" - }, - "logAnalyticsWorkspaceName": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix')))).outputs.name.value]" - }, - "logAnalyticsWorkspaceResourceGroupName": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix')))).outputs.resourceGroupName.value]" - }, - "operationsSubscriptionId": { - "value": "[parameters('operationsSubscriptionId')]" - }, - "location": { - "value": "[parameters('location')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.10.61.36676", - "templateHash": "3765055138598353912" - } - }, - "parameters": { - "builtInAssignment": { - "type": "string", - "defaultValue": "NISTRev4", - "metadata": { - "description": "[NISTRev4/NISTRev5/IL5/CMMC] Built-in policy assignments to assign, default is NISTRev4. IL5 is only available for AzureUsGovernment and will switch to NISTRev4 if tried in AzureCloud." - }, - "allowedValues": [ - "NISTRev4", - "NISTRev5", - "IL5", - "CMMC" - ] - }, - "logAnalyticsWorkspaceName": { - "type": "string" - }, - "logAnalyticsWorkspaceResourceGroupName": { - "type": "string" - }, - "operationsSubscriptionId": { - "type": "string" - }, - "deployRemediation": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Starts a policy remediation for the VM Agent policies in hub RG. 
Set to false by default since this is time consuming in deployment." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "The location of this resource" - } - } - }, - "variables": { - "$fxv#0": " {\n \"listOfMembersToExcludeFromWindowsVMAdministratorsGroup\": \n {\n \"value\": \"admin\"\n },\n \"listOfMembersToIncludeInWindowsVMAdministratorsGroup\": \n {\n \"value\": \"azureuser\"\n },\n \"logAnalyticsWorkspaceIdforVMReporting\": \n {\n \"value\": \"\"\n },\n \"IncludeArcMachines\": \n {\n \"value\": \"true\"\n },\n \"MinimumTLSVersion-5752e6d6-1206-46d8-8ab1-ecc2f71a8112\": \n {\n \"value\": \"1.2\"\n },\n \"NotAvailableMachineState-bed48b13-6647-468e-aa2f-1af1d3f4dd40\": \n {\n \"value\": \"Compliant\"\n },\n \"requiredRetentionDays\": \n {\n \"value\": \"365\"\n },\n \"resourceGroupName-b6e2945c-0b7b-40f5-9233-7a5323b5cdc6\": \n {\n \"value\": \"NetworkWatcherRG\"\n }\n }", - "$fxv#1": " {\n \"IncludeArcMachines\": \n {\n \"value\": \"true\"\n },\n \"MinimumTLSVersion-5752e6d6-1206-46d8-8ab1-ecc2f71a8112\": \n {\n \"value\": \"1.2\"\n },\n \"NotAvailableMachineState-bed48b13-6647-468e-aa2f-1af1d3f4dd40\": \n {\n \"value\": \"Compliant\"\n },\n \"requiredRetentionDays\": \n {\n \"value\": \"365\"\n },\n \"resourceGroupName-b6e2945c-0b7b-40f5-9233-7a5323b5cdc6\": \n {\n \"value\": \"NetworkWatcherRG\"\n }\n }", - "$fxv#2": "{\n \"IncludeArcMachines\" : { \n \"value\" : \"false\"\n },\n \"NotAvailableMachineState-bed48b13-6647-468e-aa2f-1af1d3f4dd40\" : { \n \"value\" : \"Compliant\"\n },\n \"MinimumTLSVersionForWindowsServers\" : { \n \"value\" : \"1.2\"\n },\n \"requiredRetentionDays\" : { \n \"value\" : \"365\"\n },\n \"effect-febd0533-8e55-448f-b837-bd0e06f16469\" : { \n \"value\" : \"audit\"\n },\n \"allowedContainerImagesRegex-febd0533-8e55-448f-b837-bd0e06f16469\" : { \n \"value\" : \"^(.+){0}$\"\n },\n \"effect-95edb821-ddaf-4404-9732-666045e056b4\" : { \n \"value\" : \"audit\"\n 
},\n \"effect-440b515e-a580-421e-abeb-b159a61ddcbc\" : { \n \"value\" : \"audit\"\n },\n \"effect-233a2a17-77ca-4fb1-9b6b-69223d272a44\" : { \n \"value\" : \"audit\"\n },\n \"effect-e345eecc-fa47-480f-9e88-67dcc122b164\" : { \n \"value\" : \"audit\"\n },\n \"cpuLimit-e345eecc-fa47-480f-9e88-67dcc122b164\" : { \n \"value\" : \"0\"\n },\n \"memoryLimit-e345eecc-fa47-480f-9e88-67dcc122b164\" : { \n \"value\" : \"0\"\n },\n \"effect-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \n \"value\" : \"audit\"\n },\n \"runAsUserRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \n \"value\" : \"MustRunAsNonRoot\"\n },\n \"runAsGroupRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \n \"value\" : \"RunAsAny\"\n },\n \"supplementalGroupsRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \n \"value\" : \"RunAsAny\"\n },\n \"fsGroupRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \n \"value\" : \"RunAsAny\"\n },\n \"effect-1c6e92c9-99f0-4e55-9cf2-0c234dc48f99\" : { \n \"value\" : \"audit\"\n },\n \"effect-47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8\" : { \n \"value\" : \"audit\"\n },\n \"effect-df49d893-a74c-421d-bc95-c663042e5b80\" : { \n \"value\" : \"audit\"\n },\n \"effect-1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\" : { \n \"value\" : \"audit\"\n },\n \"effect-c26596ff-4d70-4e6a-9a30-c2506bd2f80c\" : { \n \"value\" : \"audit\"\n },\n \"effect-511f5417-5d12-434d-ab2e-816901e72a5e\" : { \n \"value\" : \"audit\"\n },\n \"effect-82985f06-dc18-4a48-bc1c-b9f4f0098cfe\" : { \n \"value\" : \"audit\"\n },\n \"effect-098fc59e-46c7-4d99-9b16-64990e543d75\" : { \n \"value\" : \"audit\"\n },\n \"NetworkWatcherResourceGroupName\" : { \n \"value\" : \"NetworkWatcherRG\"\n },\n \"setting-a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9\" : { \n \"value\" : \"enabled\"\n },\n \"aadAuthenticationInServiceFabricMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"effect-71ef260a-8f18-47b7-abcb-62d0673d94dc\" : { \n \"value\" : \"Audit\"\n },\n \"effect-055aa869-bc98-4af8-bafc-23f1ab6ffe2c\" : { \n \"value\" : \"Audit\"\n },\n 
\"effect-564feb30-bf6a-4854-b4bb-0d2d2d1e6c66\" : { \n \"value\" : \"Audit\"\n },\n \"effect-862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb\" : { \n \"value\" : \"Audit\"\n },\n \"effect-d9da03a1-f3c3-412a-9709-947156872263\" : { \n \"value\" : \"Audit\"\n },\n \"effect-617c02be-7f02-4efd-8836-3180d47b6c68\" : { \n \"value\" : \"Audit\"\n },\n \"effect-0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d\" : { \n \"value\" : \"Audit\"\n },\n \"effect-ec068d99-e9c7-401f-8cef-5bdde4e6ccf1\" : { \n \"value\" : \"Audit\"\n },\n \"effect-c349d81b-9985-44ae-a8da-ff98d108ede8\" : { \n \"value\" : \"Audit\"\n },\n \"effect-3657f5a0-770e-44a3-b44e-9431ba1e9735\" : { \n \"value\" : \"Audit\"\n },\n \"effect-b4ac1030-89c5-4697-8e00-28b5ba6a8811\" : { \n \"value\" : \"audit\"\n },\n \"effect-ea0dfaed-95fb-448c-934e-d6e713ce393d\" : { \n \"value\" : \"audit\"\n },\n \"effect-4733ea7b-a883-42fe-8cac-97454c2a9e4a\" : { \n \"value\" : \"Audit\"\n },\n \"effect-f4b53539-8df9-40e4-86c6-6b607703bd4e\" : { \n \"value\" : \"Audit\"\n },\n \"effect-41425d9f-d1a5-499a-9932-f8ed8453932c\" : { \n \"value\" : \"Audit\"\n },\n \"effect-fc4d8e41-e223-45ea-9bf5-eada37891d87\" : { \n \"value\" : \"Audit\"\n },\n \"effect-86efb160-8de7-451d-bc08-5d475b0aadae\" : { \n \"value\" : \"Audit\"\n },\n \"effect-4ec52d6d-beb7-40c4-9a9e-fe753254690e\" : { \n \"value\" : \"Audit\"\n },\n \"effect-64d314f6-6062-4780-a861-c23e8951bee5\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1fd32ebd-e4c3-4e13-a54a-d7422d4d95f6\" : { \n \"value\" : \"Audit\"\n },\n \"effect-fa298e57-9444-42ba-bf04-86e8470e32c7\" : { \n \"value\" : \"audit\"\n },\n \"effect-67121cc7-ff39-4ab8-b7e3-95b84dab487d\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1f905d99-2ab7-462c-a6b0-f709acca6c8f\" : { \n \"value\" : \"audit\"\n },\n \"effect-5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\" : { \n \"value\" : \"Audit\"\n },\n \"effect-ba769a63-b8cc-4b2d-abf6-ac33c7204be8\" : { \n \"value\" : 
\"Audit\"\n },\n \"effect-81e74cea-30fd-40d5-802f-d72103c2aaaa\" : { \n \"value\" : \"Audit\"\n },\n \"effect-0aa61e00-0a01-4a3c-9945-e93cffedf0e6\" : { \n \"value\" : \"Audit\"\n },\n \"effect-47031206-ce96-41f8-861b-6a915f3de284\" : { \n \"value\" : \"Audit\"\n },\n \"effect-87ba29ef-1ab3-4d82-b763-87fcd4f531f7\" : { \n \"value\" : \"audit\"\n },\n \"effect-51522a96-0869-4791-82f3-981000c2c67f\" : { \n \"value\" : \"audit\"\n },\n \"effect-b5ec538c-daa0-4006-8596-35468b9148e8\" : { \n \"value\" : \"Audit\"\n },\n \"effect-56a5ee18-2ae6-4810-86f7-18e39ce5629b\" : { \n \"value\" : \"Audit\"\n },\n \"effect-2e94d99a-8a36-4563-bc77-810d8893b671\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1fafeaf6-7927-4059-a50a-8eb2a7a6f2b5\" : { \n \"value\" : \"Audit\"\n },\n \"effect-99e9ccd8-3db9-4592-b0d1-14b1715a4d8a\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1f68a601-6e6d-4e42-babf-3f643a047ea2\" : { \n \"value\" : \"audit\"\n },\n \"effect-f7d52b2d-e161-4dfa-a82b-55e564167385\" : { \n \"value\" : \"Audit\"\n },\n \"effect-7d7be79c-23ba-4033-84dd-45e2a5ccdd67\" : { \n \"value\" : \"Audit\"\n },\n \"effect-ca91455f-eace-4f96-be59-e6e2c35b4816\" : { \n \"value\" : \"Audit\"\n },\n \"effect-702dd420-7fcc-42c5-afe8-4026edd20fe0\" : { \n \"value\" : \"Audit\"\n },\n \"diagnosticsLogsInRedisCacheMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"secureTransferToStorageAccountMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"effect-d0793b48-0edc-4296-a390-4c75d1bdfd71\" : { \n \"value\" : \"Audit\"\n },\n \"effect-7d092e0a-7acd-40d2-a975-dca21cae48c4\" : { \n \"value\" : \"Audit\"\n },\n \"effect-2a1a9cdf-e04d-429a-8416-3bfb72a1b26f\" : { \n \"value\" : \"Audit\"\n },\n \"disableUnrestrictedNetworkToStorageAccountMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"effect-55615ac9-af46-4a59-874e-391cc3dfb490\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1b8ca024-1d5c-4dec-8995-b1a932b41780\" : { \n \"value\" : \"Audit\"\n },\n 
\"effect-037eea7a-bd0a-46c5-9a66-03aea78705d3\" : { \n \"value\" : \"Audit\"\n },\n \"effect-53503636-bcc9-4748-9663-5348217f160f\" : { \n \"value\" : \"Audit\"\n },\n \"effect-40cec1dd-a100-4920-b15b-3024fe8901ab\" : { \n \"value\" : \"Audit\"\n },\n \"effect-0725b4dd-7e76-479c-a735-68e7ee23d5ca\" : { \n \"value\" : \"Audit\"\n },\n \"effect-a049bf77-880b-470f-ba6d-9f21c530cf83\" : { \n \"value\" : \"Audit\"\n },\n \"effect-ee980b6d-0eca-4501-8d54-f6290fd512c3\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1d84d5fb-01f6-4d12-ba4f-4a26081d403d\" : { \n \"value\" : \"Audit\"\n },\n \"effect-37e0d2fe-28a5-43d6-a273-67d37d1f5606\" : { \n \"value\" : \"Audit\"\n },\n \"identityDesignateMoreThanOneOwnerMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"diskEncryptionMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"emailNotificationToSubscriptionOwnerHighSeverityAlertsEnabledEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"functionAppDisableRemoteDebuggingMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"sqlDbEncryptionMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"vulnerabilityAssessmentOnManagedInstanceMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensurePHPVersionLatestForAPIAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"aadAuthenticationInSqlServerMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"vmssEndpointProtectionMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"vmssOsVulnerabilitiesMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"adaptiveApplicationControlsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"geoRedundantBackupShouldBeEnabledForAzureDatabaseForPostgreSQLEffect\" : { \n \"value\" : \"Audit\"\n },\n \"ensureJavaVersionLatestForWebAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityDesignateLessThanOwnersMonitoringEffect\" : { \n \"value\" : 
\"AuditIfNotExists\"\n },\n \"securityContactEmailAddressForSubscriptionEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"webAppRestrictCORSAccessMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityRemoveExternalAccountWithWritePermissionsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityRemoveExternalAccountWithReadPermissionsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityRemoveDeprecatedAccountMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"functionAppEnforceHttpsMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"ensurePythonVersionLatestForWebAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensurePythonVersionLatestForFunctionAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensurePHPVersionLatestForWebAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensurePythonVersionLatestForAPIAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"geoRedundantBackupShouldBeEnabledForAzureDatabaseForMySQLEffect\" : { \n \"value\" : \"Audit\"\n },\n \"systemUpdatesMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensureJavaVersionLatestForAPIAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensureHTTPVersionLatestForWebAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"apiAppRequireLatestTlsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityEnableMFAForWritePermissionsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensureHTTPVersionLatestForAPIAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensureJavaVersionLatestForFunctionAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"nextGenerationFirewallMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"useRbacRulesMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"webAppEnforceHttpsMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n 
\"sqlServerAuditingMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"vnetEnableDDoSProtectionMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityEnableMFAForOwnerPermissionsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"sqlServerAdvancedDataSecurityMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"sqlManagedInstanceAdvancedDataSecurityMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"endpointProtectionMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"jitNetworkAccessMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"apiAppEnforceHttpsMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"geoRedundantStorageShouldBeEnabledForStorageAccountsEffect\" : { \n \"value\" : \"Audit\"\n },\n \"vmssSystemUpdatesMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"webAppDisableRemoteDebuggingMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"longtermGeoRedundantBackupEnabledAzureSQLDatabasesEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"systemConfigurationsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensureHTTPVersionLatestForFunctionAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityEnableMFAForReadPermissionsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"containerBenchmarkMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"apiAppDisableRemoteDebuggingMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"vulnerabilityAssessmentOnServerMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"webAppRequireLatestTlsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityRemoveExternalAccountWithOwnerPermissionsMonitoringEffect\" : { \n \"value\" : 
\"AuditIfNotExists\"\n },\n \"functionAppRequireLatestTlsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"kubernetesServiceVersionUpToDateMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"sqlDbVulnerabilityAssesmentMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"membersToIncludeInLocalAdministratorsGroup\" : { \n \"value\" : \"\"\n },\n \"membersToExcludeInLocalAdministratorsGroup\" : { \n \"value\" : \"\"\n },\n \"logAnalyticsWorkspaceIDForVMAgents\" : { \n \"value\" : \"\"\n },\n \"PHPLatestVersionForAppServices\" : { \n \"value\" : \"7.4\"\n },\n \"JavaLatestVersionForAppServices\" : { \n \"value\" : \"11\"\n },\n \"WindowsPythonLatestVersionForAppServices\" : { \n \"value\" : \"3.6\"\n },\n \"LinuxPythonLatestVersionForAppServices\" : { \n \"value\" : \"3.9\"\n },\n \"ensureDotNetFrameworkLatestForFunctionAppEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"sqlManagedInstanceAdvancedDataSecurityEmailsMonitoringEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"vulnerabilityAssessmentMonitoringEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"ensureDotNetFrameworkLatestForWebAppEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"sqlServerAdvancedDataSecurityEmailsMonitoringEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"microsoftIaaSAntimalwareExtensionShouldBeDeployedOnWindowsServersEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"securityCenterStandardPricingTierShouldBeSelectedEffect\" : { \n \"value\" : \"Audit\"\n },\n \"theLogAnalyticsAgentShouldBeInstalledOnVirtualMachinesEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"ensurePHPVersionLatestForFunctionAppEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"sqlManagedInstanceAdvancedDataSecurityEmailAdminsMonitoringEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"securityContactPhoneNumberShouldBeProvidedForSubscriptionEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"threatDetectionTypesOnManagedInstanceMonitoringEffect\" : { \n \"value\" : \"Disabled\"\n },\n 
\"ensureDotNetFrameworkLatestForAPIAppEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"sqlServerAdvancedDataSecurityEmailAdminsMonitoringEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"threatDetectionTypesOnServerMonitoringEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"theLogAnalyticsAgentShouldBeInstalledOnVirtualMachineScaleSetsEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n }\n}", - "$fxv#3": "{\n \"logAnalyticsWorkspaceId-f47b5582-33ec-4c5c-87c0-b010a6b2e917\" : { \n \"value\" : \"\"\n },\n \"effect-09024ccc-0c5f-475e-9457-b7c0d9ed487b\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"MembersToExclude-69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f\" :{\n \"value\": \"\"\n },\n \"MembersToInclude-30f71ea1-ac77-4f26-9fc5-2d926bbd4ba7\": {\n \"value\": \"\"\n },\n \"effect-0961003e-5a0a-4549-abde-af6a37f2724d\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-0b15565f-aa9e-48ba-8619-45960f2c314d\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-0e60b895-3786-45da-8377-9c6b4b6ac5f9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-17k78e20-9358-41c9-923c-fb736d382a12\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"PHPLatestVersion\" : { \n \"value\" : \"7.3\"\n },\n \"effect-22bee202-a82f-4305-9a2a-6d7f44d4dedb\" : { \n \"value\" : \"Audit\"\n },\n \"effect-26a828e1-e88f-464e-bbb3-c134a282b9de\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-34c877ad-507e-4c82-993e-3452a6e0ad3c\" : { \n \"value\" : \"Audit\"\n },\n \"effect-3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-404c3081-a854-4457-ae30-26a93ef643f9\" : { \n \"value\" : \"Audit\"\n },\n \"effect-47a6b606-51aa-4496-8bb7-64b11cf66adc\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-496223c3-ad65-4ecd-878a-bae78737e9ed\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"JavaLatestVersion\" : { \n \"value\" : \"11\"\n },\n 
\"effect-4f11b553-d42e-4e3a-89be-32ca364cad4c\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-5c607a2e-c700-4744-8254-d77e7c9eb5e4\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-5f76cf89-fbf2-47fd-a3f4-b891fa780b60\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-6b1cbf55-e8b6-442f-ba4c-7246b6381474\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab\" : { \n \"value\" : \"Audit\"\n },\n \"effect-7008174a-fd10-4ef0-817e-fc820a951d73\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"LinuxPythonLatestVersion\" : { \n \"value\" : \"3.8\"\n },\n \"effect-7238174a-fd10-4ef0-817e-fc820a951d73\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-7261b898-8a84-4db8-9e04-18527132abb3\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-74c3584d-afae-46f7-a20a-6f8adba71a16\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-86b3d65f-7626-441e-b690-81a8b71cff60\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-88999f4c-376a-45c8-bcb3-4058f713cf39\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-8c122334-9d20-4eb8-89ea-ac9a705b74ae\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-9297c21d-2ed6-4474-b48f-163f75654ce3\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-991310cd-e9f3-47bc-b7b6-f57b557d07db\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-9b597639-28e4-48eb-b506-56b05d366257\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-9daedab3-fb2d-461e-b861-71790eead4f6\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-a4af4a39-4135-47fb-b175-47fbdf85311d\" : { \n \"value\" : \"Audit\"\n },\n \"effect-a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9\" : { \n 
\"value\" : \"AuditIfNotExists\"\n },\n \"setting-a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9\" : { \n \"value\" : \"enabled\"\n },\n \"effect-a70ca396-0a34-413a-88e1-b956c1e683be\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-aa633080-8b72-40c4-a2d7-d00c03e80bed\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-af6cd1bd-1635-48cb-bde7-5b15693900b9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"resourceGroupName-b6e2945c-0b7b-40f5-9233-7a5323b5cdc6\" : { \n \"value\" : \"NetworkWatcherRG\"\n },\n \"effect-b7ddfbdc-1260-477d-91fd-98bd9be789a6\" : { \n \"value\" : \"Audit\"\n },\n \"effect-c3f317a7-a95c-4547-b7e7-11017ebdf2fe\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-cb510bfd-1cba-4d9f-a230-cb0976f4bb71\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-e2c1c086-2d84-4019-bff3-c44ccd95113c\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-e3576e28-8b17-4677-84c3-db2990658d64\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-e8cbc669-f12d-49eb-93e7-9273119e9933\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-e9c8d085-d9cc-4b17-9cdc-059f1f01f19e\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-ebb62a0c-3560-49e1-89ed-27e074e9f8ad\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-efbde977-ba53-4479-b8e9-10b957924fbf\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-f6de0be7-9a8a-4b8a-b349-43cf02d22f7c\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-f8456c1c-aa66-4dfb-861a-25d127b775c9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-f9d614c5-c173-4d56-95a7-b4437057d193\" : { \n \"value\" : 
\"AuditIfNotExists\"\n },\n \"effect-fb893a29-21bb-418c-a157-e99480ec364c\" : { \n \"value\" : \"Audit\"\n },\n \"effect-feedbf84-6b99-488c-acc2-71c829aa5ffc\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-3b980d31-7904-4bb7-8575-5665739a8052\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-6e2593d9-add6-4083-9c9b-4b7d2188c899\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-12430be1-6cc8-4527-a9a8-e3d38f250096\" : { \n \"value\" : \"Audit\"\n },\n \"modeRequirement-12430be1-6cc8-4527-a9a8-e3d38f250096\" : { \n \"value\" : \"Detection\"\n },\n \"effect-425bea59-a659-4cbb-8d31-34499bd030b8\" : { \n \"value\" : \"Audit\"\n },\n \"modeRequirement-425bea59-a659-4cbb-8d31-34499bd030b8\" : { \n \"value\" : \"Detection\"\n },\n \"effect-564feb30-bf6a-4854-b4bb-0d2d2d1e6c66\" : { \n \"value\" : \"Audit\"\n },\n \"effect-055aa869-bc98-4af8-bafc-23f1ab6ffe2c\" : { \n \"value\" : \"Audit\"\n },\n \"effect-013e242c-8828-4970-87b3-ab247555486d\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-d38fc420-0735-4ef3-ac11-c806f651a570\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-a1181c5f-672a-477a-979a-7d58aa086233\" : { \n \"value\" : \"Audit\"\n },\n \"effect-308fbb08-4ab8-4e67-9b29-592e93fb94fa\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-4da35fc9-c9e7-4960-aec9-797fe7d9051d\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-523b5cd1-3e23-492f-a539-13118b6d1e3a\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-7fe3b40f-802b-4cdd-8bd4-fd799c948cc2\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-c25d9a16-bc35-4e15-a7e5-9db606bf9ed4\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-b0f33259-77d7-4c9e-aac6-3aabcfae693c\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-037eea7a-bd0a-46c5-9a66-03aea78705d3\" : { \n \"value\" : \"Audit\"\n },\n \"effect-0725b4dd-7e76-479c-a735-68e7ee23d5ca\" : 
{ \n \"value\" : \"Audit\"\n },\n \"effect-0820b7b9-23aa-4725-a1ce-ae4558f718e5\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-2c89a2e5-7285-40fe-afe0-ae8654b92fab\" : { \n \"value\" : \"Audit\"\n },\n \"effect-358c20a6-3f9e-4f0e-97ff-c6ce485e2aac\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-5744710e-cc2f-4ee8-8809-3b11e89f4bc9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-ac4a19c2-fa67-49b4-8ae5-0b2e78c49457\" : { \n \"value\" : \"Audit\"\n },\n \"effect-c9d007d0-c057-4772-b18c-01e546713bcd\" : { \n \"value\" : \"Audit\"\n },\n \"effect-d0793b48-0edc-4296-a390-4c75d1bdfd71\" : { \n \"value\" : \"Audit\"\n },\n \"effect-e372f825-a257-4fb8-9175-797a8a8627d6\" : { \n \"value\" : \"Audit\"\n },\n \"effect-d158790f-bfb0-486c-8631-2dc6b4e8e6af\" : { \n \"value\" : \"Audit\"\n },\n \"effect-e802a67a-daf5-4436-9ea6-f6d821dd0c5d\" : { \n \"value\" : \"Audit\"\n },\n \"effect-a451c1ef-c6ca-483d-87ed-f49761e3ffb5\" : { \n \"value\" : \"Audit\"\n },\n \"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftSql-servers-firewallRules-delete\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftNetwork-networkSecurityGroups-delete\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftClassicNetwork-networkSecurityGroups-delete\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftNetwork-networkSecurityGroups-securityRules-delete\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftClassicNetwork-networkSecurityGroups-securityRules-delete\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-ae89ebca-1c92-4898-ac2c-9f63decb045c\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-d26f7642-7545-4e18-9b75-8c9bbdee3a9a\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-1a4e592a-6a6e-44a5-9814-e36264ca96e7\" : { \n \"value\" : 
\"AuditIfNotExists\"\n },\n \"effect-7796937f-307b-4598-941c-67d3a05ebfe7\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-c5447c04-a4d7-4ba8-a263-c9ee321a6858\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-41388f1c-2db0-4c25-95b2-35d7f5ccbfa9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-b02aacc0-b073-424e-8298-42b22829ee0a\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-0ec47710-77ff-4a3d-9181-6aa50af424d0\" : { \n \"value\" : \"Audit\"\n },\n \"effect-48af4db5-9b8b-401c-8e74-076be876a430\" : { \n \"value\" : \"Audit\"\n },\n \"effect-82339799-d096-41ae-8538-b108becf0970\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1b7aa243-30e4-4c9e-bca8-d0d3022b634a\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-bb91dfba-c30d-4263-9add-9c2384e659a6\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-e71308d3-144b-4262-b144-efdc3cc90517\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-2bdd0062-9d75-436e-89df-487dd8e4b3c7\" : { \n \"value\" : \"Disabled\"\n },\n \"effect-4733ea7b-a883-42fe-8cac-97454c2a9e4a\" : { \n \"value\" : \"Audit\"\n },\n \"effect-67121cc7-ff39-4ab8-b7e3-95b84dab487d\" : { \n \"value\" : \"Audit\"\n },\n \"effect-6fac406b-40ca-413b-bf8e-0bf964659c25\" : { \n \"value\" : \"Audit\"\n },\n \"effect-81e74cea-30fd-40d5-802f-d72103c2aaaa\" : { \n \"value\" : \"Audit\"\n },\n \"effect-c349d81b-9985-44ae-a8da-ff98d108ede8\" : { \n \"value\" : \"Audit\"\n },\n \"effect-f4b53539-8df9-40e4-86c6-6b607703bd4e\" : { \n \"value\" : \"Audit\"\n },\n \"effect-ec068d99-e9c7-401f-8cef-5bdde4e6ccf1\" : { \n \"value\" : \"Audit\"\n },\n \"effect-048248b0-55cd-46da-b1ff-39efd52db260\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-0d134df8-db83-46fb-ad72-fe0c9428c8dd\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n 
\"effect-2c89a2e5-7285-40fe-afe0-ae8654b92fb2\" : { \n \"value\" : \"Audit\"\n },\n \"effect-3657f5a0-770e-44a3-b44e-9431ba1e9735\" : { \n \"value\" : \"Audit\"\n },\n \"effect-5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\" : { \n \"value\" : \"Audit\"\n },\n \"effect-617c02be-7f02-4efd-8836-3180d47b6c68\" : { \n \"value\" : \"Audit\"\n },\n \"effect-7d7be79c-23ba-4033-84dd-45e2a5ccdd67\" : { \n \"value\" : \"Audit\"\n },\n \"effect-87ba29ef-1ab3-4d82-b763-87fcd4f531f7\" : { \n \"value\" : \"audit\"\n },\n \"effect-f7d52b2d-e161-4dfa-a82b-55e564167385\" : { \n \"value\" : \"Audit\"\n },\n \"effect-c43e4a30-77cb-48ab-a4dd-93f175c63b57\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1f314764-cb73-4fc9-b863-8eca98ac36e9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-123a3936-f020-408a-ba0c-47873faf1534\" : { \n \"value\" : \"AuditIfNotExists\"\n }\n}\n", - "modifiedAssignment": "[if(and(equals(toLower(environment().name), toLower('AzureCloud')), equals(toLower(parameters('builtInAssignment')), toLower('IL5'))), 'NISTRev4', parameters('builtInAssignment'))]", - "assignmentName": "[format('{0} {1}', variables('modifiedAssignment'), resourceGroup().name)]", - "agentVmssAssignmentName": "[format('Deploy VMSS Agents {0}', resourceGroup().name)]", - "agentVmAssignmentName": "[format('Deploy VM Agents {0}', resourceGroup().name)]", - "contributorRoleDefinitionId": "[resourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "lawsReaderRoleDefinitionId": "[resourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]" - }, - "resources": [ - { - "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2020-09-01", - "name": "[variables('assignmentName')]", - "location": "[parameters('location')]", - "properties": 
{ - "policyDefinitionId": "[createObject('NISTRev4', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f', 'parameters', json(replace(variables('$fxv#0'), '', extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))))), 'NISTRev5', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f', 'parameters', json(variables('$fxv#1'))), 'IL5', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/f9a961fa-3241-4b20-adc4-bbf8ad9d7197', 'parameters', json(replace(variables('$fxv#2'), '', extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))))), 'CMMC', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/b5629c75-5c77-4422-87b9-2509e680f8de', 'parameters', json(replace(variables('$fxv#3'), '', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName')), '2021-06-01').customerId))))[variables('modifiedAssignment')].id]", - "parameters": "[createObject('NISTRev4', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f', 'parameters', json(replace(variables('$fxv#0'), '', extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', 
parameters('logAnalyticsWorkspaceName'))))), 'NISTRev5', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f', 'parameters', json(variables('$fxv#1'))), 'IL5', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/f9a961fa-3241-4b20-adc4-bbf8ad9d7197', 'parameters', json(replace(variables('$fxv#2'), '', extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))))), 'CMMC', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/b5629c75-5c77-4422-87b9-2509e680f8de', 'parameters', json(replace(variables('$fxv#3'), '', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName')), '2021-06-01').customerId))))[variables('modifiedAssignment')].parameters]" }, - "identity": { - "type": "SystemAssigned" - } - }, - { - "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2020-09-01", - "name": "[variables('agentVmssAssignmentName')]", - "location": "[parameters('location')]", - "properties": { - "policyDefinitionId": "[tenantResourceId('Microsoft.Authorization/policySetDefinitions', '75714362-cae7-409e-9b99-a8e5075b7fad')]", - "parameters": { - "logAnalytics_1": { - "value": "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))]" - } + "AzureUSGovernment": { + "usdodcentral": { + "abbreviation": "dodc", + "recoveryServicesGeo": "udc", + "timeDifference": "-6:00", + "timeZone": 
"Central Standard Time" + }, + "usdodeast": { + "abbreviation": "dode", + "recoveryServicesGeo": "ude", + "timeDifference": "-5:00", + "timeZone": "Eastern Standard Time" + }, + "usgovarizona": { + "abbreviation": "az", + "recoveryServicesGeo": "uga", + "timeDifference": "-7:00", + "timeZone": "Mountain Standard Time" + }, + "usgovtexas": { + "abbreviation": "tx", + "recoveryServicesGeo": "ugt", + "timeDifference": "-6:00", + "timeZone": "Central Standard Time" + }, + "usgovvirginia": { + "abbreviation": "va", + "recoveryServicesGeo": "ugv", + "timeDifference": "-5:00", + "timeZone": "Eastern Standard Time" } }, - "identity": { - "type": "SystemAssigned" - } - }, - { - "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2020-09-01", - "name": "[variables('agentVmAssignmentName')]", - "location": "[parameters('location')]", - "properties": { - "policyDefinitionId": "[tenantResourceId('Microsoft.Authorization/policySetDefinitions', '55f3eceb-5573-4f18-9695-226972c6d74a')]", - "parameters": { - "logAnalytics_1": { - "value": "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))]" - } + "USNat": { + "usnateast": { + "abbreviation": "east", + "recoveryServicesGeo": "exe", + "timeDifference": "-5:00", + "timeZone": "Eastern Standard Time" + }, + "usnatwest": { + "abbreviation": "west", + "recoveryServicesGeo": "exw", + "timeDifference": "-8:00", + "timeZone": "Pacific Standard Time" } }, - "identity": { - "type": "SystemAssigned" + "USSec": { + "usseceast": { + "abbreviation": "east", + "recoveryServicesGeo": "rxe", + "timeDifference": "-5:00", + "timeZone": "Eastern Standard Time" + }, + "ussecwest": { + "abbreviation": "west", + "recoveryServicesGeo": "rxw", + "timeDifference": "-8:00", + "timeZone": "Pacific Standard Time" + } } }, + "cloudSuffix": 
"[replace(replace(environment().resourceManager, 'https://management.', ''), '/', '')]", + "automationSuffix": "[replace(environment().suffixes.storage, 'core.windows.', '')]", + "locations": "[variables('$fxv#0')[environment().name]]", + "privatelink_agentsvc_azure_automation_name": "[format('privatelink.agentsvc.azure-automation.{0}', variables('automationSuffix'))]", + "privatelink_azure_automation_name": "[format('privatelink.azure-automation.{0}', variables('automationSuffix'))]", + "privatelink_avd_name": "[format('privatelink.wvd.{0}', variables('cloudSuffix'))]", + "privatelink_avd_global_name": "[format('privatelink-global.wvd.{0}', variables('cloudSuffix'))]", + "privatelink_file_name": "[format('privatelink.file.{0}', environment().suffixes.storage)]", + "privatelink_queue_name": "[format('privatelink.queue.{0}', environment().suffixes.storage)]", + "privatelink_table_name": "[format('privatelink.table.{0}', environment().suffixes.storage)]", + "privatelink_blob_name": "[format('privatelink.blob.{0}', environment().suffixes.storage)]", + "privatelink_keyvaultDns_name": "[replace(format('privatelink{0}', environment().suffixes.keyvaultDns), 'vault', 'vaultcore')]", + "privatelink_monitor_name": "[format('privatelink.monitor.{0}', variables('cloudSuffix'))]", + "privatelink_ods_opinsights_name": "[format('privatelink.ods.opinsights.{0}', variables('cloudSuffix'))]", + "privatelink_oms_opinsights_name": "[format('privatelink.oms.opinsights.{0}', variables('cloudSuffix'))]" + }, + "resources": [ { - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2020-04-01-preview", - "name": "[guid(variables('contributorRoleDefinitionId'), variables('assignmentName'))]", - "properties": { - "roleDefinitionId": "[variables('contributorRoleDefinitionId')]", - "principalId": "[if(empty(variables('modifiedAssignment')), '', reference(resourceId('Microsoft.Authorization/policyAssignments', variables('assignmentName')), '2020-09-01', 
'full').identity.principalId)]", - "principalType": "ServicePrincipal" - }, - "dependsOn": [ - "[resourceId('Microsoft.Authorization/policyAssignments', variables('assignmentName'))]" - ] + "type": "Microsoft.Network/privateDnsZones", + "apiVersion": "2018-09-01", + "name": "[variables('privatelink_avd_name')]", + "location": "global", + "tags": "[parameters('tags')]" }, { - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2020-04-01-preview", - "name": "[guid(variables('contributorRoleDefinitionId'), variables('agentVmssAssignmentName'))]", - "properties": { - "roleDefinitionId": "[variables('contributorRoleDefinitionId')]", - "principalId": "[reference(resourceId('Microsoft.Authorization/policyAssignments', variables('agentVmssAssignmentName')), '2020-09-01', 'full').identity.principalId]", - "principalType": "ServicePrincipal" - }, - "dependsOn": [ - "[resourceId('Microsoft.Authorization/policyAssignments', variables('agentVmssAssignmentName'))]" - ] + "type": "Microsoft.Network/privateDnsZones", + "apiVersion": "2018-09-01", + "name": "[variables('privatelink_avd_global_name')]", + "location": "global", + "tags": "[parameters('tags')]" }, { - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2020-04-01-preview", - "name": "[guid(variables('contributorRoleDefinitionId'), variables('agentVmAssignmentName'))]", - "properties": { - "roleDefinitionId": "[variables('contributorRoleDefinitionId')]", - "principalId": "[reference(resourceId('Microsoft.Authorization/policyAssignments', variables('agentVmAssignmentName')), '2020-09-01', 'full').identity.principalId]", - "principalType": "ServicePrincipal" + "copy": { + "name": "privateDnsZone_backup_rsv", + "count": "[length(variables('privatelink_backup_names'))]" }, - "dependsOn": [ - "[resourceId('Microsoft.Authorization/policyAssignments', variables('agentVmAssignmentName'))]" - ] + "condition": "[not(contains(variables('privatelink_backup_names')[copyIndex()], '..'))]", + "type": 
"Microsoft.Network/privateDnsZones", + "apiVersion": "2018-09-01", + "name": "[variables('privatelink_backup_names')[copyIndex()]]", + "location": "global", + "tags": "[parameters('tags')]" }, { - "condition": "[parameters('deployRemediation')]", - "type": "Microsoft.PolicyInsights/remediations", - "apiVersion": "2019-07-01", - "name": "VM-Agent-Policy-Remediation", - "properties": { - "policyAssignmentId": "[resourceId('Microsoft.Authorization/policyAssignments', variables('agentVmAssignmentName'))]", - "resourceDiscoveryMode": "ReEvaluateCompliance" - }, - "dependsOn": [ - "[resourceId('Microsoft.Authorization/policyAssignments', variables('agentVmAssignmentName'))]" - ] + "type": "Microsoft.Network/privateDnsZones", + "apiVersion": "2018-09-01", + "name": "[variables('privatelink_file_name')]", + "location": "global", + "tags": "[parameters('tags')]" }, { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "[format('Assign-Laws-Role-Policy-{0}', resourceGroup().name)]", - "subscriptionId": "[parameters('operationsSubscriptionId')]", - "resourceGroup": "[parameters('logAnalyticsWorkspaceResourceGroupName')]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "targetResourceId": { - "value": "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))]" - }, - "roleDefinitionId": { - "value": "[variables('lawsReaderRoleDefinitionId')]" - }, - "principalId": { - "value": "[reference(resourceId('Microsoft.Authorization/policyAssignments', variables('agentVmAssignmentName')), '2020-09-01', 'full').identity.principalId]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - 
"metadata": { - "_generator": { - "name": "bicep", - "version": "0.10.61.36676", - "templateHash": "15761836246481461949" - } - }, - "parameters": { - "targetResourceId": { - "type": "string" - }, - "roleDefinitionId": { - "type": "string" - }, - "principalId": { - "type": "string" - }, - "principalType": { - "type": "string", - "defaultValue": "ServicePrincipal", - "allowedValues": [ - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ] - }, - "description": { - "type": "string", - "defaultValue": "" - } - }, - "resources": [ - { - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2020-04-01-preview", - "name": "[guid(parameters('targetResourceId'), parameters('roleDefinitionId'), parameters('principalId'))]", - "properties": { - "principalId": "[parameters('principalId')]", - "principalType": "[parameters('principalType')]", - "roleDefinitionId": "[parameters('roleDefinitionId')]", - "description": "[parameters('description')]" - } - } - ] - } - }, - "dependsOn": [ - "[resourceId('Microsoft.Authorization/policyAssignments', variables('agentVmAssignmentName'))]" - ] - } - ] - } - }, - "dependsOn": [ - "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix')))]" - ] - }, - { - "condition": "[parameters('deployPolicy')]", - "copy": { - "name": "spokePolicyAssignments", - "count": "[length(variables('spokes'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "[format('assign-policy-{0}-{1}', variables('spokes')[copyIndex()].name, parameters('deploymentNameSuffix'))]", - "subscriptionId": "[variables('spokes')[copyIndex()].subscriptionId]", - "resourceGroup": "[variables('spokes')[copyIndex()].resourceGroupName]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": 
"Incremental", - "parameters": { - "builtInAssignment": { - "value": "[parameters('policy')]" - }, - "logAnalyticsWorkspaceName": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix')))).outputs.name.value]" - }, - "logAnalyticsWorkspaceResourceGroupName": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix')))).outputs.resourceGroupName.value]" - }, - "operationsSubscriptionId": { - "value": "[parameters('operationsSubscriptionId')]" - }, - "location": { - "value": "[parameters('location')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.10.61.36676", - "templateHash": "3765055138598353912" - } - }, - "parameters": { - "builtInAssignment": { - "type": "string", - "defaultValue": "NISTRev4", - "metadata": { - "description": "[NISTRev4/NISTRev5/IL5/CMMC] Built-in policy assignments to assign, default is NISTRev4. IL5 is only available for AzureUsGovernment and will switch to NISTRev4 if tried in AzureCloud." 
- }, - "allowedValues": [ - "NISTRev4", - "NISTRev5", - "IL5", - "CMMC" - ] - }, - "logAnalyticsWorkspaceName": { - "type": "string" + "type": "Microsoft.Network/privateDnsZones", + "apiVersion": "2018-09-01", + "name": "[variables('privatelink_queue_name')]", + "location": "global", + "tags": "[parameters('tags')]" }, - "logAnalyticsWorkspaceResourceGroupName": { - "type": "string" + { + "type": "Microsoft.Network/privateDnsZones", + "apiVersion": "2018-09-01", + "name": "[variables('privatelink_table_name')]", + "location": "global", + "tags": "[parameters('tags')]" }, - "operationsSubscriptionId": { - "type": "string" + { + "type": "Microsoft.Network/privateDnsZones", + "apiVersion": "2018-09-01", + "name": "[variables('privatelink_keyvaultDns_name')]", + "location": "global", + "tags": "[parameters('tags')]" }, - "deployRemediation": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Starts a policy remediation for the VM Agent policies in hub RG. Set to false by default since this is time consuming in deployment." 
- } + { + "type": "Microsoft.Network/privateDnsZones", + "apiVersion": "2018-09-01", + "name": "[variables('privatelink_monitor_name')]", + "location": "global", + "tags": "[parameters('tags')]" + }, + { + "type": "Microsoft.Network/privateDnsZones", + "apiVersion": "2018-09-01", + "name": "[variables('privatelink_oms_opinsights_name')]", + "location": "global", + "tags": "[parameters('tags')]" }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "The location of this resource" - } - } - }, - "variables": { - "$fxv#0": " {\n \"listOfMembersToExcludeFromWindowsVMAdministratorsGroup\": \n {\n \"value\": \"admin\"\n },\n \"listOfMembersToIncludeInWindowsVMAdministratorsGroup\": \n {\n \"value\": \"azureuser\"\n },\n \"logAnalyticsWorkspaceIdforVMReporting\": \n {\n \"value\": \"\"\n },\n \"IncludeArcMachines\": \n {\n \"value\": \"true\"\n },\n \"MinimumTLSVersion-5752e6d6-1206-46d8-8ab1-ecc2f71a8112\": \n {\n \"value\": \"1.2\"\n },\n \"NotAvailableMachineState-bed48b13-6647-468e-aa2f-1af1d3f4dd40\": \n {\n \"value\": \"Compliant\"\n },\n \"requiredRetentionDays\": \n {\n \"value\": \"365\"\n },\n \"resourceGroupName-b6e2945c-0b7b-40f5-9233-7a5323b5cdc6\": \n {\n \"value\": \"NetworkWatcherRG\"\n }\n }", - "$fxv#1": " {\n \"IncludeArcMachines\": \n {\n \"value\": \"true\"\n },\n \"MinimumTLSVersion-5752e6d6-1206-46d8-8ab1-ecc2f71a8112\": \n {\n \"value\": \"1.2\"\n },\n \"NotAvailableMachineState-bed48b13-6647-468e-aa2f-1af1d3f4dd40\": \n {\n \"value\": \"Compliant\"\n },\n \"requiredRetentionDays\": \n {\n \"value\": \"365\"\n },\n \"resourceGroupName-b6e2945c-0b7b-40f5-9233-7a5323b5cdc6\": \n {\n \"value\": \"NetworkWatcherRG\"\n }\n }", - "$fxv#2": "{\n \"IncludeArcMachines\" : { \n \"value\" : \"false\"\n },\n \"NotAvailableMachineState-bed48b13-6647-468e-aa2f-1af1d3f4dd40\" : { \n \"value\" : \"Compliant\"\n },\n \"MinimumTLSVersionForWindowsServers\" : { \n \"value\" : \"1.2\"\n },\n 
\"requiredRetentionDays\" : { \n \"value\" : \"365\"\n },\n \"effect-febd0533-8e55-448f-b837-bd0e06f16469\" : { \n \"value\" : \"audit\"\n },\n \"allowedContainerImagesRegex-febd0533-8e55-448f-b837-bd0e06f16469\" : { \n \"value\" : \"^(.+){0}$\"\n },\n \"effect-95edb821-ddaf-4404-9732-666045e056b4\" : { \n \"value\" : \"audit\"\n },\n \"effect-440b515e-a580-421e-abeb-b159a61ddcbc\" : { \n \"value\" : \"audit\"\n },\n \"effect-233a2a17-77ca-4fb1-9b6b-69223d272a44\" : { \n \"value\" : \"audit\"\n },\n \"effect-e345eecc-fa47-480f-9e88-67dcc122b164\" : { \n \"value\" : \"audit\"\n },\n \"cpuLimit-e345eecc-fa47-480f-9e88-67dcc122b164\" : { \n \"value\" : \"0\"\n },\n \"memoryLimit-e345eecc-fa47-480f-9e88-67dcc122b164\" : { \n \"value\" : \"0\"\n },\n \"effect-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \n \"value\" : \"audit\"\n },\n \"runAsUserRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \n \"value\" : \"MustRunAsNonRoot\"\n },\n \"runAsGroupRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \n \"value\" : \"RunAsAny\"\n },\n \"supplementalGroupsRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \n \"value\" : \"RunAsAny\"\n },\n \"fsGroupRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \n \"value\" : \"RunAsAny\"\n },\n \"effect-1c6e92c9-99f0-4e55-9cf2-0c234dc48f99\" : { \n \"value\" : \"audit\"\n },\n \"effect-47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8\" : { \n \"value\" : \"audit\"\n },\n \"effect-df49d893-a74c-421d-bc95-c663042e5b80\" : { \n \"value\" : \"audit\"\n },\n \"effect-1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\" : { \n \"value\" : \"audit\"\n },\n \"effect-c26596ff-4d70-4e6a-9a30-c2506bd2f80c\" : { \n \"value\" : \"audit\"\n },\n \"effect-511f5417-5d12-434d-ab2e-816901e72a5e\" : { \n \"value\" : \"audit\"\n },\n \"effect-82985f06-dc18-4a48-bc1c-b9f4f0098cfe\" : { \n \"value\" : \"audit\"\n },\n \"effect-098fc59e-46c7-4d99-9b16-64990e543d75\" : { \n \"value\" : \"audit\"\n },\n \"NetworkWatcherResourceGroupName\" : { \n \"value\" : \"NetworkWatcherRG\"\n },\n 
\"setting-a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9\" : { \n \"value\" : \"enabled\"\n },\n \"aadAuthenticationInServiceFabricMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"effect-71ef260a-8f18-47b7-abcb-62d0673d94dc\" : { \n \"value\" : \"Audit\"\n },\n \"effect-055aa869-bc98-4af8-bafc-23f1ab6ffe2c\" : { \n \"value\" : \"Audit\"\n },\n \"effect-564feb30-bf6a-4854-b4bb-0d2d2d1e6c66\" : { \n \"value\" : \"Audit\"\n },\n \"effect-862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb\" : { \n \"value\" : \"Audit\"\n },\n \"effect-d9da03a1-f3c3-412a-9709-947156872263\" : { \n \"value\" : \"Audit\"\n },\n \"effect-617c02be-7f02-4efd-8836-3180d47b6c68\" : { \n \"value\" : \"Audit\"\n },\n \"effect-0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d\" : { \n \"value\" : \"Audit\"\n },\n \"effect-ec068d99-e9c7-401f-8cef-5bdde4e6ccf1\" : { \n \"value\" : \"Audit\"\n },\n \"effect-c349d81b-9985-44ae-a8da-ff98d108ede8\" : { \n \"value\" : \"Audit\"\n },\n \"effect-3657f5a0-770e-44a3-b44e-9431ba1e9735\" : { \n \"value\" : \"Audit\"\n },\n \"effect-b4ac1030-89c5-4697-8e00-28b5ba6a8811\" : { \n \"value\" : \"audit\"\n },\n \"effect-ea0dfaed-95fb-448c-934e-d6e713ce393d\" : { \n \"value\" : \"audit\"\n },\n \"effect-4733ea7b-a883-42fe-8cac-97454c2a9e4a\" : { \n \"value\" : \"Audit\"\n },\n \"effect-f4b53539-8df9-40e4-86c6-6b607703bd4e\" : { \n \"value\" : \"Audit\"\n },\n \"effect-41425d9f-d1a5-499a-9932-f8ed8453932c\" : { \n \"value\" : \"Audit\"\n },\n \"effect-fc4d8e41-e223-45ea-9bf5-eada37891d87\" : { \n \"value\" : \"Audit\"\n },\n \"effect-86efb160-8de7-451d-bc08-5d475b0aadae\" : { \n \"value\" : \"Audit\"\n },\n \"effect-4ec52d6d-beb7-40c4-9a9e-fe753254690e\" : { \n \"value\" : \"Audit\"\n },\n \"effect-64d314f6-6062-4780-a861-c23e8951bee5\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1fd32ebd-e4c3-4e13-a54a-d7422d4d95f6\" : { \n \"value\" : \"Audit\"\n },\n \"effect-fa298e57-9444-42ba-bf04-86e8470e32c7\" : { \n 
\"value\" : \"audit\"\n },\n \"effect-67121cc7-ff39-4ab8-b7e3-95b84dab487d\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1f905d99-2ab7-462c-a6b0-f709acca6c8f\" : { \n \"value\" : \"audit\"\n },\n \"effect-5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\" : { \n \"value\" : \"Audit\"\n },\n \"effect-ba769a63-b8cc-4b2d-abf6-ac33c7204be8\" : { \n \"value\" : \"Audit\"\n },\n \"effect-81e74cea-30fd-40d5-802f-d72103c2aaaa\" : { \n \"value\" : \"Audit\"\n },\n \"effect-0aa61e00-0a01-4a3c-9945-e93cffedf0e6\" : { \n \"value\" : \"Audit\"\n },\n \"effect-47031206-ce96-41f8-861b-6a915f3de284\" : { \n \"value\" : \"Audit\"\n },\n \"effect-87ba29ef-1ab3-4d82-b763-87fcd4f531f7\" : { \n \"value\" : \"audit\"\n },\n \"effect-51522a96-0869-4791-82f3-981000c2c67f\" : { \n \"value\" : \"audit\"\n },\n \"effect-b5ec538c-daa0-4006-8596-35468b9148e8\" : { \n \"value\" : \"Audit\"\n },\n \"effect-56a5ee18-2ae6-4810-86f7-18e39ce5629b\" : { \n \"value\" : \"Audit\"\n },\n \"effect-2e94d99a-8a36-4563-bc77-810d8893b671\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1fafeaf6-7927-4059-a50a-8eb2a7a6f2b5\" : { \n \"value\" : \"Audit\"\n },\n \"effect-99e9ccd8-3db9-4592-b0d1-14b1715a4d8a\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1f68a601-6e6d-4e42-babf-3f643a047ea2\" : { \n \"value\" : \"audit\"\n },\n \"effect-f7d52b2d-e161-4dfa-a82b-55e564167385\" : { \n \"value\" : \"Audit\"\n },\n \"effect-7d7be79c-23ba-4033-84dd-45e2a5ccdd67\" : { \n \"value\" : \"Audit\"\n },\n \"effect-ca91455f-eace-4f96-be59-e6e2c35b4816\" : { \n \"value\" : \"Audit\"\n },\n \"effect-702dd420-7fcc-42c5-afe8-4026edd20fe0\" : { \n \"value\" : \"Audit\"\n },\n \"diagnosticsLogsInRedisCacheMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"secureTransferToStorageAccountMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"effect-d0793b48-0edc-4296-a390-4c75d1bdfd71\" : { \n \"value\" : \"Audit\"\n },\n \"effect-7d092e0a-7acd-40d2-a975-dca21cae48c4\" : { \n \"value\" : \"Audit\"\n },\n 
\"effect-2a1a9cdf-e04d-429a-8416-3bfb72a1b26f\" : { \n \"value\" : \"Audit\"\n },\n \"disableUnrestrictedNetworkToStorageAccountMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"effect-55615ac9-af46-4a59-874e-391cc3dfb490\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1b8ca024-1d5c-4dec-8995-b1a932b41780\" : { \n \"value\" : \"Audit\"\n },\n \"effect-037eea7a-bd0a-46c5-9a66-03aea78705d3\" : { \n \"value\" : \"Audit\"\n },\n \"effect-53503636-bcc9-4748-9663-5348217f160f\" : { \n \"value\" : \"Audit\"\n },\n \"effect-40cec1dd-a100-4920-b15b-3024fe8901ab\" : { \n \"value\" : \"Audit\"\n },\n \"effect-0725b4dd-7e76-479c-a735-68e7ee23d5ca\" : { \n \"value\" : \"Audit\"\n },\n \"effect-a049bf77-880b-470f-ba6d-9f21c530cf83\" : { \n \"value\" : \"Audit\"\n },\n \"effect-ee980b6d-0eca-4501-8d54-f6290fd512c3\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1d84d5fb-01f6-4d12-ba4f-4a26081d403d\" : { \n \"value\" : \"Audit\"\n },\n \"effect-37e0d2fe-28a5-43d6-a273-67d37d1f5606\" : { \n \"value\" : \"Audit\"\n },\n \"identityDesignateMoreThanOneOwnerMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"diskEncryptionMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"emailNotificationToSubscriptionOwnerHighSeverityAlertsEnabledEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"functionAppDisableRemoteDebuggingMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"sqlDbEncryptionMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"vulnerabilityAssessmentOnManagedInstanceMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensurePHPVersionLatestForAPIAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"aadAuthenticationInSqlServerMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"vmssEndpointProtectionMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"vmssOsVulnerabilitiesMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n 
\"adaptiveApplicationControlsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"geoRedundantBackupShouldBeEnabledForAzureDatabaseForPostgreSQLEffect\" : { \n \"value\" : \"Audit\"\n },\n \"ensureJavaVersionLatestForWebAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityDesignateLessThanOwnersMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"securityContactEmailAddressForSubscriptionEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"webAppRestrictCORSAccessMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityRemoveExternalAccountWithWritePermissionsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityRemoveExternalAccountWithReadPermissionsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityRemoveDeprecatedAccountMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"functionAppEnforceHttpsMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"ensurePythonVersionLatestForWebAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensurePythonVersionLatestForFunctionAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensurePHPVersionLatestForWebAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensurePythonVersionLatestForAPIAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"geoRedundantBackupShouldBeEnabledForAzureDatabaseForMySQLEffect\" : { \n \"value\" : \"Audit\"\n },\n \"systemUpdatesMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensureJavaVersionLatestForAPIAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensureHTTPVersionLatestForWebAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"apiAppRequireLatestTlsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityEnableMFAForWritePermissionsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensureHTTPVersionLatestForAPIAppEffect\" : { \n \"value\" : 
\"AuditIfNotExists\"\n },\n \"ensureJavaVersionLatestForFunctionAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"nextGenerationFirewallMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"useRbacRulesMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"webAppEnforceHttpsMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"sqlServerAuditingMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"vnetEnableDDoSProtectionMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityEnableMFAForOwnerPermissionsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"sqlServerAdvancedDataSecurityMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"sqlManagedInstanceAdvancedDataSecurityMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"endpointProtectionMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"jitNetworkAccessMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"apiAppEnforceHttpsMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"geoRedundantStorageShouldBeEnabledForStorageAccountsEffect\" : { \n \"value\" : \"Audit\"\n },\n \"vmssSystemUpdatesMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"webAppDisableRemoteDebuggingMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"longtermGeoRedundantBackupEnabledAzureSQLDatabasesEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"systemConfigurationsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensureHTTPVersionLatestForFunctionAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityEnableMFAForReadPermissionsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"containerBenchmarkMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"apiAppDisableRemoteDebuggingMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n 
\"identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"vulnerabilityAssessmentOnServerMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"webAppRequireLatestTlsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityRemoveExternalAccountWithOwnerPermissionsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"functionAppRequireLatestTlsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"kubernetesServiceVersionUpToDateMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"sqlDbVulnerabilityAssesmentMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"membersToIncludeInLocalAdministratorsGroup\" : { \n \"value\" : \"\"\n },\n \"membersToExcludeInLocalAdministratorsGroup\" : { \n \"value\" : \"\"\n },\n \"logAnalyticsWorkspaceIDForVMAgents\" : { \n \"value\" : \"\"\n },\n \"PHPLatestVersionForAppServices\" : { \n \"value\" : \"7.4\"\n },\n \"JavaLatestVersionForAppServices\" : { \n \"value\" : \"11\"\n },\n \"WindowsPythonLatestVersionForAppServices\" : { \n \"value\" : \"3.6\"\n },\n \"LinuxPythonLatestVersionForAppServices\" : { \n \"value\" : \"3.9\"\n },\n \"ensureDotNetFrameworkLatestForFunctionAppEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"sqlManagedInstanceAdvancedDataSecurityEmailsMonitoringEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"vulnerabilityAssessmentMonitoringEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"ensureDotNetFrameworkLatestForWebAppEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"sqlServerAdvancedDataSecurityEmailsMonitoringEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"microsoftIaaSAntimalwareExtensionShouldBeDeployedOnWindowsServersEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"securityCenterStandardPricingTierShouldBeSelectedEffect\" : { \n \"value\" : \"Audit\"\n },\n \"theLogAnalyticsAgentShouldBeInstalledOnVirtualMachinesEffect\" : { \n \"value\" : \"Disabled\"\n },\n 
\"ensurePHPVersionLatestForFunctionAppEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"sqlManagedInstanceAdvancedDataSecurityEmailAdminsMonitoringEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"securityContactPhoneNumberShouldBeProvidedForSubscriptionEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"threatDetectionTypesOnManagedInstanceMonitoringEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"ensureDotNetFrameworkLatestForAPIAppEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"sqlServerAdvancedDataSecurityEmailAdminsMonitoringEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"threatDetectionTypesOnServerMonitoringEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"theLogAnalyticsAgentShouldBeInstalledOnVirtualMachineScaleSetsEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n }\n}", - "$fxv#3": "{\n \"logAnalyticsWorkspaceId-f47b5582-33ec-4c5c-87c0-b010a6b2e917\" : { \n \"value\" : \"\"\n },\n \"effect-09024ccc-0c5f-475e-9457-b7c0d9ed487b\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"MembersToExclude-69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f\" :{\n \"value\": \"\"\n },\n \"MembersToInclude-30f71ea1-ac77-4f26-9fc5-2d926bbd4ba7\": {\n \"value\": \"\"\n },\n \"effect-0961003e-5a0a-4549-abde-af6a37f2724d\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-0b15565f-aa9e-48ba-8619-45960f2c314d\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-0e60b895-3786-45da-8377-9c6b4b6ac5f9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-17k78e20-9358-41c9-923c-fb736d382a12\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"PHPLatestVersion\" : { \n \"value\" : \"7.3\"\n },\n \"effect-22bee202-a82f-4305-9a2a-6d7f44d4dedb\" : { \n \"value\" : \"Audit\"\n },\n \"effect-26a828e1-e88f-464e-bbb3-c134a282b9de\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-34c877ad-507e-4c82-993e-3452a6e0ad3c\" : { \n \"value\" : \"Audit\"\n },\n 
\"effect-3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-404c3081-a854-4457-ae30-26a93ef643f9\" : { \n \"value\" : \"Audit\"\n },\n \"effect-47a6b606-51aa-4496-8bb7-64b11cf66adc\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-496223c3-ad65-4ecd-878a-bae78737e9ed\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"JavaLatestVersion\" : { \n \"value\" : \"11\"\n },\n \"effect-4f11b553-d42e-4e3a-89be-32ca364cad4c\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-5c607a2e-c700-4744-8254-d77e7c9eb5e4\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-5f76cf89-fbf2-47fd-a3f4-b891fa780b60\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-6b1cbf55-e8b6-442f-ba4c-7246b6381474\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab\" : { \n \"value\" : \"Audit\"\n },\n \"effect-7008174a-fd10-4ef0-817e-fc820a951d73\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"LinuxPythonLatestVersion\" : { \n \"value\" : \"3.8\"\n },\n \"effect-7238174a-fd10-4ef0-817e-fc820a951d73\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-7261b898-8a84-4db8-9e04-18527132abb3\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-74c3584d-afae-46f7-a20a-6f8adba71a16\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-86b3d65f-7626-441e-b690-81a8b71cff60\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-88999f4c-376a-45c8-bcb3-4058f713cf39\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-8c122334-9d20-4eb8-89ea-ac9a705b74ae\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-9297c21d-2ed6-4474-b48f-163f75654ce3\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-991310cd-e9f3-47bc-b7b6-f57b557d07db\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n 
\"effect-9b597639-28e4-48eb-b506-56b05d366257\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-9daedab3-fb2d-461e-b861-71790eead4f6\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-a4af4a39-4135-47fb-b175-47fbdf85311d\" : { \n \"value\" : \"Audit\"\n },\n \"effect-a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"setting-a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9\" : { \n \"value\" : \"enabled\"\n },\n \"effect-a70ca396-0a34-413a-88e1-b956c1e683be\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-aa633080-8b72-40c4-a2d7-d00c03e80bed\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-af6cd1bd-1635-48cb-bde7-5b15693900b9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"resourceGroupName-b6e2945c-0b7b-40f5-9233-7a5323b5cdc6\" : { \n \"value\" : \"NetworkWatcherRG\"\n },\n \"effect-b7ddfbdc-1260-477d-91fd-98bd9be789a6\" : { \n \"value\" : \"Audit\"\n },\n \"effect-c3f317a7-a95c-4547-b7e7-11017ebdf2fe\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-cb510bfd-1cba-4d9f-a230-cb0976f4bb71\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-e2c1c086-2d84-4019-bff3-c44ccd95113c\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-e3576e28-8b17-4677-84c3-db2990658d64\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-e8cbc669-f12d-49eb-93e7-9273119e9933\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-e9c8d085-d9cc-4b17-9cdc-059f1f01f19e\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-ebb62a0c-3560-49e1-89ed-27e074e9f8ad\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n 
\"effect-efbde977-ba53-4479-b8e9-10b957924fbf\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-f6de0be7-9a8a-4b8a-b349-43cf02d22f7c\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-f8456c1c-aa66-4dfb-861a-25d127b775c9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-f9d614c5-c173-4d56-95a7-b4437057d193\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-fb893a29-21bb-418c-a157-e99480ec364c\" : { \n \"value\" : \"Audit\"\n },\n \"effect-feedbf84-6b99-488c-acc2-71c829aa5ffc\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-3b980d31-7904-4bb7-8575-5665739a8052\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-6e2593d9-add6-4083-9c9b-4b7d2188c899\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-12430be1-6cc8-4527-a9a8-e3d38f250096\" : { \n \"value\" : \"Audit\"\n },\n \"modeRequirement-12430be1-6cc8-4527-a9a8-e3d38f250096\" : { \n \"value\" : \"Detection\"\n },\n \"effect-425bea59-a659-4cbb-8d31-34499bd030b8\" : { \n \"value\" : \"Audit\"\n },\n \"modeRequirement-425bea59-a659-4cbb-8d31-34499bd030b8\" : { \n \"value\" : \"Detection\"\n },\n \"effect-564feb30-bf6a-4854-b4bb-0d2d2d1e6c66\" : { \n \"value\" : \"Audit\"\n },\n \"effect-055aa869-bc98-4af8-bafc-23f1ab6ffe2c\" : { \n \"value\" : \"Audit\"\n },\n \"effect-013e242c-8828-4970-87b3-ab247555486d\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-d38fc420-0735-4ef3-ac11-c806f651a570\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-a1181c5f-672a-477a-979a-7d58aa086233\" : { \n \"value\" : \"Audit\"\n },\n \"effect-308fbb08-4ab8-4e67-9b29-592e93fb94fa\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-4da35fc9-c9e7-4960-aec9-797fe7d9051d\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-523b5cd1-3e23-492f-a539-13118b6d1e3a\" : { \n \"value\" : 
\"AuditIfNotExists\"\n },\n \"effect-7fe3b40f-802b-4cdd-8bd4-fd799c948cc2\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-c25d9a16-bc35-4e15-a7e5-9db606bf9ed4\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-b0f33259-77d7-4c9e-aac6-3aabcfae693c\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-037eea7a-bd0a-46c5-9a66-03aea78705d3\" : { \n \"value\" : \"Audit\"\n },\n \"effect-0725b4dd-7e76-479c-a735-68e7ee23d5ca\" : { \n \"value\" : \"Audit\"\n },\n \"effect-0820b7b9-23aa-4725-a1ce-ae4558f718e5\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-2c89a2e5-7285-40fe-afe0-ae8654b92fab\" : { \n \"value\" : \"Audit\"\n },\n \"effect-358c20a6-3f9e-4f0e-97ff-c6ce485e2aac\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-5744710e-cc2f-4ee8-8809-3b11e89f4bc9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-ac4a19c2-fa67-49b4-8ae5-0b2e78c49457\" : { \n \"value\" : \"Audit\"\n },\n \"effect-c9d007d0-c057-4772-b18c-01e546713bcd\" : { \n \"value\" : \"Audit\"\n },\n \"effect-d0793b48-0edc-4296-a390-4c75d1bdfd71\" : { \n \"value\" : \"Audit\"\n },\n \"effect-e372f825-a257-4fb8-9175-797a8a8627d6\" : { \n \"value\" : \"Audit\"\n },\n \"effect-d158790f-bfb0-486c-8631-2dc6b4e8e6af\" : { \n \"value\" : \"Audit\"\n },\n \"effect-e802a67a-daf5-4436-9ea6-f6d821dd0c5d\" : { \n \"value\" : \"Audit\"\n },\n \"effect-a451c1ef-c6ca-483d-87ed-f49761e3ffb5\" : { \n \"value\" : \"Audit\"\n },\n \"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftSql-servers-firewallRules-delete\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftNetwork-networkSecurityGroups-delete\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftClassicNetwork-networkSecurityGroups-delete\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftNetwork-networkSecurityGroups-securityRules-delete\" : { \n \"value\" : 
\"AuditIfNotExists\"\n },\n \"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftClassicNetwork-networkSecurityGroups-securityRules-delete\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-ae89ebca-1c92-4898-ac2c-9f63decb045c\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-d26f7642-7545-4e18-9b75-8c9bbdee3a9a\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-1a4e592a-6a6e-44a5-9814-e36264ca96e7\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-7796937f-307b-4598-941c-67d3a05ebfe7\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-c5447c04-a4d7-4ba8-a263-c9ee321a6858\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-41388f1c-2db0-4c25-95b2-35d7f5ccbfa9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-b02aacc0-b073-424e-8298-42b22829ee0a\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-0ec47710-77ff-4a3d-9181-6aa50af424d0\" : { \n \"value\" : \"Audit\"\n },\n \"effect-48af4db5-9b8b-401c-8e74-076be876a430\" : { \n \"value\" : \"Audit\"\n },\n \"effect-82339799-d096-41ae-8538-b108becf0970\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1b7aa243-30e4-4c9e-bca8-d0d3022b634a\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-bb91dfba-c30d-4263-9add-9c2384e659a6\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-e71308d3-144b-4262-b144-efdc3cc90517\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-2bdd0062-9d75-436e-89df-487dd8e4b3c7\" : { \n \"value\" : \"Disabled\"\n },\n \"effect-4733ea7b-a883-42fe-8cac-97454c2a9e4a\" : { \n \"value\" : \"Audit\"\n },\n \"effect-67121cc7-ff39-4ab8-b7e3-95b84dab487d\" : { \n \"value\" : \"Audit\"\n },\n \"effect-6fac406b-40ca-413b-bf8e-0bf964659c25\" : { \n \"value\" : \"Audit\"\n },\n \"effect-81e74cea-30fd-40d5-802f-d72103c2aaaa\" : { \n \"value\" : \"Audit\"\n 
},\n \"effect-c349d81b-9985-44ae-a8da-ff98d108ede8\" : { \n \"value\" : \"Audit\"\n },\n \"effect-f4b53539-8df9-40e4-86c6-6b607703bd4e\" : { \n \"value\" : \"Audit\"\n },\n \"effect-ec068d99-e9c7-401f-8cef-5bdde4e6ccf1\" : { \n \"value\" : \"Audit\"\n },\n \"effect-048248b0-55cd-46da-b1ff-39efd52db260\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-0d134df8-db83-46fb-ad72-fe0c9428c8dd\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-2c89a2e5-7285-40fe-afe0-ae8654b92fb2\" : { \n \"value\" : \"Audit\"\n },\n \"effect-3657f5a0-770e-44a3-b44e-9431ba1e9735\" : { \n \"value\" : \"Audit\"\n },\n \"effect-5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\" : { \n \"value\" : \"Audit\"\n },\n \"effect-617c02be-7f02-4efd-8836-3180d47b6c68\" : { \n \"value\" : \"Audit\"\n },\n \"effect-7d7be79c-23ba-4033-84dd-45e2a5ccdd67\" : { \n \"value\" : \"Audit\"\n },\n \"effect-87ba29ef-1ab3-4d82-b763-87fcd4f531f7\" : { \n \"value\" : \"audit\"\n },\n \"effect-f7d52b2d-e161-4dfa-a82b-55e564167385\" : { \n \"value\" : \"Audit\"\n },\n \"effect-c43e4a30-77cb-48ab-a4dd-93f175c63b57\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1f314764-cb73-4fc9-b863-8eca98ac36e9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-123a3936-f020-408a-ba0c-47873faf1534\" : { \n \"value\" : \"AuditIfNotExists\"\n }\n}\n", - "modifiedAssignment": "[if(and(equals(toLower(environment().name), toLower('AzureCloud')), equals(toLower(parameters('builtInAssignment')), toLower('IL5'))), 'NISTRev4', parameters('builtInAssignment'))]", - "assignmentName": "[format('{0} {1}', variables('modifiedAssignment'), resourceGroup().name)]", - "agentVmssAssignmentName": "[format('Deploy VMSS Agents {0}', resourceGroup().name)]", - "agentVmAssignmentName": "[format('Deploy VM Agents {0}', resourceGroup().name)]", - 
"contributorRoleDefinitionId": "[resourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "lawsReaderRoleDefinitionId": "[resourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]" - }, - "resources": [ { - "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2020-09-01", - "name": "[variables('assignmentName')]", - "location": "[parameters('location')]", - "properties": { - "policyDefinitionId": "[createObject('NISTRev4', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f', 'parameters', json(replace(variables('$fxv#0'), '', extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))))), 'NISTRev5', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f', 'parameters', json(variables('$fxv#1'))), 'IL5', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/f9a961fa-3241-4b20-adc4-bbf8ad9d7197', 'parameters', json(replace(variables('$fxv#2'), '', extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))))), 'CMMC', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/b5629c75-5c77-4422-87b9-2509e680f8de', 'parameters', json(replace(variables('$fxv#3'), '', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName')), 
'2021-06-01').customerId))))[variables('modifiedAssignment')].id]", - "parameters": "[createObject('NISTRev4', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f', 'parameters', json(replace(variables('$fxv#0'), '', extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))))), 'NISTRev5', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f', 'parameters', json(variables('$fxv#1'))), 'IL5', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/f9a961fa-3241-4b20-adc4-bbf8ad9d7197', 'parameters', json(replace(variables('$fxv#2'), '', extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))))), 'CMMC', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/b5629c75-5c77-4422-87b9-2509e680f8de', 'parameters', json(replace(variables('$fxv#3'), '', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName')), '2021-06-01').customerId))))[variables('modifiedAssignment')].parameters]" - }, - "identity": { - "type": "SystemAssigned" - } + "type": "Microsoft.Network/privateDnsZones", + "apiVersion": "2018-09-01", + "name": "[variables('privatelink_ods_opinsights_name')]", + "location": "global", + "tags": "[parameters('tags')]" }, { - "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2020-09-01", - "name": 
"[variables('agentVmssAssignmentName')]", - "location": "[parameters('location')]", - "properties": { - "policyDefinitionId": "[tenantResourceId('Microsoft.Authorization/policySetDefinitions', '75714362-cae7-409e-9b99-a8e5075b7fad')]", - "parameters": { - "logAnalytics_1": { - "value": "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))]" - } - } - }, - "identity": { - "type": "SystemAssigned" - } + "type": "Microsoft.Network/privateDnsZones", + "apiVersion": "2018-09-01", + "name": "[variables('privatelink_agentsvc_azure_automation_name')]", + "location": "global", + "tags": "[parameters('tags')]" }, { - "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2020-09-01", - "name": "[variables('agentVmAssignmentName')]", - "location": "[parameters('location')]", - "properties": { - "policyDefinitionId": "[tenantResourceId('Microsoft.Authorization/policySetDefinitions', '55f3eceb-5573-4f18-9695-226972c6d74a')]", - "parameters": { - "logAnalytics_1": { - "value": "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))]" - } - } - }, - "identity": { - "type": "SystemAssigned" - } + "type": "Microsoft.Network/privateDnsZones", + "apiVersion": "2018-09-01", + "name": "[variables('privatelink_azure_automation_name')]", + "location": "global", + "tags": "[parameters('tags')]" }, { - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2020-04-01-preview", - "name": "[guid(variables('contributorRoleDefinitionId'), variables('assignmentName'))]", - "properties": { - "roleDefinitionId": "[variables('contributorRoleDefinitionId')]", - "principalId": 
"[if(empty(variables('modifiedAssignment')), '', reference(resourceId('Microsoft.Authorization/policyAssignments', variables('assignmentName')), '2020-09-01', 'full').identity.principalId)]", - "principalType": "ServicePrincipal" - }, - "dependsOn": [ - "[resourceId('Microsoft.Authorization/policyAssignments', variables('assignmentName'))]" - ] + "type": "Microsoft.Network/privateDnsZones", + "apiVersion": "2018-09-01", + "name": "[variables('privatelink_blob_name')]", + "location": "global", + "tags": "[parameters('tags')]" }, { - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2020-04-01-preview", - "name": "[guid(variables('contributorRoleDefinitionId'), variables('agentVmssAssignmentName'))]", + "type": "Microsoft.Network/privateDnsZones/virtualNetworkLinks", + "apiVersion": "2018-09-01", + "name": "[format('{0}/{1}', variables('privatelink_avd_name'), format('{0}-link', variables('privatelink_avd_name')))]", + "location": "global", "properties": { - "roleDefinitionId": "[variables('contributorRoleDefinitionId')]", - "principalId": "[reference(resourceId('Microsoft.Authorization/policyAssignments', variables('agentVmssAssignmentName')), '2020-09-01', 'full').identity.principalId]", - "principalType": "ServicePrincipal" + "registrationEnabled": false, + "virtualNetwork": { + "id": "[resourceId(parameters('vnetSubscriptionId'), parameters('vnetResourceGroup'), 'Microsoft.Network/virtualNetworks', parameters('vnetName'))]" + } }, "dependsOn": [ - "[resourceId('Microsoft.Authorization/policyAssignments', variables('agentVmssAssignmentName'))]" + "[resourceId('Microsoft.Network/privateDnsZones', variables('privatelink_avd_name'))]" ] }, { - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2020-04-01-preview", - "name": "[guid(variables('contributorRoleDefinitionId'), variables('agentVmAssignmentName'))]", + "type": "Microsoft.Network/privateDnsZones/virtualNetworkLinks", + "apiVersion": "2018-09-01", + "name": 
"[format('{0}/{1}', variables('privatelink_file_name'), format('{0}-link', variables('privatelink_file_name')))]", + "location": "global", "properties": { - "roleDefinitionId": "[variables('contributorRoleDefinitionId')]", - "principalId": "[reference(resourceId('Microsoft.Authorization/policyAssignments', variables('agentVmAssignmentName')), '2020-09-01', 'full').identity.principalId]", - "principalType": "ServicePrincipal" + "registrationEnabled": false, + "virtualNetwork": { + "id": "[resourceId(parameters('vnetSubscriptionId'), parameters('vnetResourceGroup'), 'Microsoft.Network/virtualNetworks', parameters('vnetName'))]" + } }, "dependsOn": [ - "[resourceId('Microsoft.Authorization/policyAssignments', variables('agentVmAssignmentName'))]" + "[resourceId('Microsoft.Network/privateDnsZones', variables('privatelink_file_name'))]" ] }, { - "condition": "[parameters('deployRemediation')]", - "type": "Microsoft.PolicyInsights/remediations", - "apiVersion": "2019-07-01", - "name": "VM-Agent-Policy-Remediation", + "type": "Microsoft.Network/privateDnsZones/virtualNetworkLinks", + "apiVersion": "2018-09-01", + "name": "[format('{0}/{1}', variables('privatelink_table_name'), format('{0}-link', variables('privatelink_table_name')))]", + "location": "global", "properties": { - "policyAssignmentId": "[resourceId('Microsoft.Authorization/policyAssignments', variables('agentVmAssignmentName'))]", - "resourceDiscoveryMode": "ReEvaluateCompliance" + "registrationEnabled": false, + "virtualNetwork": { + "id": "[resourceId(parameters('vnetSubscriptionId'), parameters('vnetResourceGroup'), 'Microsoft.Network/virtualNetworks', parameters('vnetName'))]" + } }, "dependsOn": [ - "[resourceId('Microsoft.Authorization/policyAssignments', variables('agentVmAssignmentName'))]" + "[resourceId('Microsoft.Network/privateDnsZones', variables('privatelink_table_name'))]" ] }, { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": 
"[format('Assign-Laws-Role-Policy-{0}', resourceGroup().name)]", - "subscriptionId": "[parameters('operationsSubscriptionId')]", - "resourceGroup": "[parameters('logAnalyticsWorkspaceResourceGroupName')]", + "type": "Microsoft.Network/privateDnsZones/virtualNetworkLinks", + "apiVersion": "2018-09-01", + "name": "[format('{0}/{1}', variables('privatelink_keyvaultDns_name'), format('{0}-link', variables('privatelink_keyvaultDns_name')))]", + "location": "global", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "targetResourceId": { - "value": "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))]" - }, - "roleDefinitionId": { - "value": "[variables('lawsReaderRoleDefinitionId')]" - }, - "principalId": { - "value": "[reference(resourceId('Microsoft.Authorization/policyAssignments', variables('agentVmAssignmentName')), '2020-09-01', 'full').identity.principalId]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.10.61.36676", - "templateHash": "15761836246481461949" - } - }, - "parameters": { - "targetResourceId": { - "type": "string" - }, - "roleDefinitionId": { - "type": "string" - }, - "principalId": { - "type": "string" - }, - "principalType": { - "type": "string", - "defaultValue": "ServicePrincipal", - "allowedValues": [ - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ] - }, - "description": { - "type": "string", - "defaultValue": "" - } - }, - "resources": [ - { - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2020-04-01-preview", - "name": "[guid(parameters('targetResourceId'), 
parameters('roleDefinitionId'), parameters('principalId'))]", - "properties": { - "principalId": "[parameters('principalId')]", - "principalType": "[parameters('principalType')]", - "roleDefinitionId": "[parameters('roleDefinitionId')]", - "description": "[parameters('description')]" - } - } - ] + "registrationEnabled": false, + "virtualNetwork": { + "id": "[resourceId(parameters('vnetSubscriptionId'), parameters('vnetResourceGroup'), 'Microsoft.Network/virtualNetworks', parameters('vnetName'))]" } }, "dependsOn": [ - "[resourceId('Microsoft.Authorization/policyAssignments', variables('agentVmAssignmentName'))]" + "[resourceId('Microsoft.Network/privateDnsZones', variables('privatelink_keyvaultDns_name'))]" ] - } - ] - } - }, - "dependsOn": [ - "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix')))]" - ] - }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "azure-private-dns", - "subscriptionId": "[parameters('hubSubscriptionId')]", - "resourceGroup": "[variables('hubResourceGroupName')]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "vnetName": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix')))).outputs.virtualNetworkName.value]" - }, - "tags": { - "value": "[parameters('tags')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.10.61.36676", - "templateHash": 
"15092561807650368974" - } - }, - "parameters": { - "vnetName": { - "type": "string", - "metadata": { - "description": "The name of the virtual network the private dns zones will be connected to" - } - }, - "vnetResourceGroup": { - "type": "string", - "defaultValue": "[resourceGroup().name]", - "metadata": { - "description": "The name of the the resource group where the virtual network exists" - } }, - "vnetSubscriptionId": { - "type": "string", - "defaultValue": "[subscription().subscriptionId]", - "metadata": { - "description": "The subscription id of the subscription the virtual network exists in" - } + { + "type": "Microsoft.Network/privateDnsZones/virtualNetworkLinks", + "apiVersion": "2018-09-01", + "name": "[format('{0}/{1}', variables('privatelink_queue_name'), format('{0}-link', variables('privatelink_queue_name')))]", + "location": "global", + "properties": { + "registrationEnabled": false, + "virtualNetwork": { + "id": "[resourceId(parameters('vnetSubscriptionId'), parameters('vnetResourceGroup'), 'Microsoft.Network/virtualNetworks', parameters('vnetName'))]" + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Network/privateDnsZones', variables('privatelink_queue_name'))]" + ] }, - "tags": { - "type": "object", - "metadata": { - "description": "The tags that will be associated to the resources" - } - } - }, - "variables": { - "$fxv#0": { - "AzureChina": { - "chinaeast": { - "abbreviation": "cne", - "recoveryServicesGeo": "sha", - "timeDifference": "+8:00", - "timeZone": "China Standard Time" - }, - "chinaeast2": { - "abbreviation": "cne2", - "recoveryServicesGeo": "sha2", - "timeDifference": "+8:00", - "timeZone": "China Standard Time" - }, - "chinanorth": { - "abbreviation": "cnn", - "recoveryServicesGeo": "bjb", - "timeDifference": "+8:00", - "timeZone": "China Standard Time" - }, - "chinanorth2": { - "abbreviation": "cnn2", - "recoveryServicesGeo": "bjb2", - "timeDifference": "+8:00", - "timeZone": "China Standard Time" + { + "copy": { + "name": 
"virtualNetworkLink_backup_rsv", + "count": "[length(variables('privatelink_backup_names'))]" + }, + "type": "Microsoft.Network/privateDnsZones/virtualNetworkLinks", + "apiVersion": "2018-09-01", + "name": "[format('{0}/{1}', variables('privatelink_backup_names')[copyIndex()], format('{0}-link', variables('privatelink_backup_names')[copyIndex()]))]", + "location": "global", + "properties": { + "registrationEnabled": false, + "virtualNetwork": { + "id": "[resourceId(parameters('vnetSubscriptionId'), parameters('vnetResourceGroup'), 'Microsoft.Network/virtualNetworks', parameters('vnetName'))]" } }, - "AzureCloud": { - "australiacentral": { - "abbreviation": "auc", - "recoveryServicesGeo": "acl", - "timeDifference": "+10:00", - "timeZone": "AUS Eastern Standard Time" - }, - "australiacentral2": { - "abbreviation": "auc2", - "recoveryServicesGeo": "acl2", - "timeDifference": "+10:00", - "timeZone": "AUS Eastern Standard Time" - }, - "australiaeast": { - "abbreviation": "aue", - "recoveryServicesGeo": "ae", - "timeDifference": "+10:00", - "timeZone": "AUS Eastern Standard Time" - }, - "australiasoutheast": { - "abbreviation": "ause", - "recoveryServicesGeo": "ase", - "timeDifference": "+10:00", - "timeZone": "AUS Eastern Standard Time" - }, - "brazilsouth": { - "abbreviation": "brs", - "recoveryServicesGeo": "brs", - "timeDifference": "-3:00", - "timeZone": "E. South America Standard Time" - }, - "brazilsoutheast": { - "abbreviation": "brse", - "recoveryServicesGeo": "bse", - "timeDifference": "-3:00", - "timeZone": "E. 
South America Standard Time" - }, - "canadacentral": { - "abbreviation": "cac", - "recoveryServicesGeo": "cnc", - "timeDifference": "-5:00", - "timeZone": "Eastern Standard Time" - }, - "canadaeast": { - "abbreviation": "cae", - "recoveryServicesGeo": "cne", - "timeDifference": "-5:00", - "timeZone": "Eastern Standard Time" - }, - "centralindia": { - "abbreviation": "inc", - "recoveryServicesGeo": "inc", - "timeDifference": "+5:30", - "timeZone": "India Standard Time" - }, - "centralus": { - "abbreviation": "usc", - "recoveryServicesGeo": "cus", - "timeDifference": "-6:00", - "timeZone": "Central Standard Time" - }, - "eastasia": { - "abbreviation": "ase", - "recoveryServicesGeo": "ea", - "timeDifference": "+8:00", - "timeZone": "China Standard Time" - }, - "eastus": { - "abbreviation": "use", - "recoveryServicesGeo": "eus", - "timeDifference": "-5:00", - "timeZone": "Eastern Standard Time" - }, - "eastus2": { - "abbreviation": "use2", - "recoveryServicesGeo": "eus2", - "timeDifference": "-5:00", - "timeZone": "Eastern Standard Time" - }, - "francecentral": { - "abbreviation": "frc", - "recoveryServicesGeo": "frc", - "timeDifference": "+1:00", - "timeZone": "Central Europe Standard Time" - }, - "francesouth": { - "abbreviation": "frs", - "recoveryServicesGeo": "frs", - "timeDifference": "+1:00", - "timeZone": "Central Europe Standard Time" - }, - "germanynorth": { - "abbreviation": "den", - "recoveryServicesGeo": "gn", - "timeDifference": "+1:00", - "timeZone": "Central Europe Standard Time" - }, - "germanywestcentral": { - "abbreviation": "dewc", - "recoveryServicesGeo": "gwc", - "timeDifference": "+1:00", - "timeZone": "Central Europe Standard Time" - }, - "israelcentral": { - "abbreviation": "ilc", - "recoveryServicesGeo": "ilc", - "timeDifference": "+2:00", - "timeZone": "Israel Standard Time" - }, - "italynorth": { - "abbreviation": "itn", - "recoveryServicesGeo": "itn", - "timeDifference": "+1:00", - "timeZone": "Central Europe Standard Time" - }, - 
"japaneast": { - "abbreviation": "jpe", - "recoveryServicesGeo": "jpe", - "timeDifference": "+9:00", - "timeZone": "Tokyo Standard Time" - }, - "japanwest": { - "abbreviation": "jpw", - "recoveryServicesGeo": "jpw", - "timeDifference": "+9:00", - "timeZone": "Tokyo Standard Time" - }, - "jioindiacentral": { - "abbreviation": "injc", - "recoveryServicesGeo": "jic", - "timeDifference": "+5:30", - "timeZone": "India Standard Time" - }, - "jioindiawest": { - "abbreviation": "injw", - "recoveryServicesGeo": "jiw", - "timeDifference": "+5:30", - "timeZone": "India Standard Time" - }, - "koreacentral": { - "abbreviation": "krc", - "recoveryServicesGeo": "krc", - "timeDifference": "+9:00", - "timeZone": "Korea Standard Time" - }, - "koreasouth": { - "abbreviation": "krs", - "recoveryServicesGeo": "krs", - "timeDifference": "+9:00", - "timeZone": "Korea Standard Time" - }, - "northcentralus": { - "abbreviation": "usnc", - "recoveryServicesGeo": "ncus", - "timeDifference": "-6:00", - "timeZone": "Central Standard Time" - }, - "northeurope": { - "abbreviation": "eun", - "recoveryServicesGeo": "ne", - "timeDifference": "0:00", - "timeZone": "GMT Standard Time" - }, - "norwayeast": { - "abbreviation": "noe", - "recoveryServicesGeo": "nwe", - "timeDifference": "+1:00", - "timeZone": "Central Europe Standard Time" - }, - "norwaywest": { - "abbreviation": "now", - "recoveryServicesGeo": "nww", - "timeDifference": "+1:00", - "timeZone": "Central Europe Standard Time" - }, - "polandcentral": { - "abbreviation": "plc", - "recoveryServicesGeo": "plc", - "timeDifference": "+1:00", - "timeZone": "Central Europe Standard Time" - }, - "qatarcentral": { - "abbreviation": "qac", - "recoveryServicesGeo": "qac", - "timeDifference": "+3:00", - "timeZone": "Arabian Standard Time" - }, - "southafricanorth": { - "abbreviation": "zan", - "recoveryServicesGeo": "san", - "timeDifference": "+2:00", - "timeZone": "South Africa Standard Time" - }, - "southafricawest": { - "abbreviation": "zaw", - 
"recoveryServicesGeo": "saw", - "timeDifference": "+2:00", - "timeZone": "South Africa Standard Time" + "dependsOn": [ + "[resourceId('Microsoft.Network/privateDnsZones', variables('privatelink_backup_names')[copyIndex()])]" + ] + }, + { + "type": "Microsoft.Network/privateDnsZones/virtualNetworkLinks", + "apiVersion": "2018-09-01", + "name": "[format('{0}/{1}', variables('privatelink_avd_global_name'), format('{0}-link', variables('privatelink_avd_global_name')))]", + "location": "global", + "properties": { + "registrationEnabled": false, + "virtualNetwork": { + "id": "[resourceId(parameters('vnetSubscriptionId'), parameters('vnetResourceGroup'), 'Microsoft.Network/virtualNetworks', parameters('vnetName'))]" + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Network/privateDnsZones', variables('privatelink_avd_global_name'))]" + ] + }, + { + "type": "Microsoft.Network/privateDnsZones/virtualNetworkLinks", + "apiVersion": "2018-09-01", + "name": "[format('{0}/{1}', variables('privatelink_monitor_name'), format('{0}-link', variables('privatelink_monitor_name')))]", + "location": "global", + "properties": { + "registrationEnabled": false, + "virtualNetwork": { + "id": "[resourceId(parameters('vnetSubscriptionId'), parameters('vnetResourceGroup'), 'Microsoft.Network/virtualNetworks', parameters('vnetName'))]" + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Network/privateDnsZones', variables('privatelink_monitor_name'))]" + ] + }, + { + "type": "Microsoft.Network/privateDnsZones/virtualNetworkLinks", + "apiVersion": "2018-09-01", + "name": "[format('{0}/{1}', variables('privatelink_oms_opinsights_name'), format('{0}-link', variables('privatelink_oms_opinsights_name')))]", + "location": "global", + "properties": { + "registrationEnabled": false, + "virtualNetwork": { + "id": "[resourceId(parameters('vnetSubscriptionId'), parameters('vnetResourceGroup'), 'Microsoft.Network/virtualNetworks', parameters('vnetName'))]" + } + }, + "dependsOn": [ + 
"[resourceId('Microsoft.Network/privateDnsZones', variables('privatelink_oms_opinsights_name'))]" + ] + }, + { + "type": "Microsoft.Network/privateDnsZones/virtualNetworkLinks", + "apiVersion": "2018-09-01", + "name": "[format('{0}/{1}', variables('privatelink_ods_opinsights_name'), format('{0}-link', variables('privatelink_ods_opinsights_name')))]", + "location": "global", + "properties": { + "registrationEnabled": false, + "virtualNetwork": { + "id": "[resourceId(parameters('vnetSubscriptionId'), parameters('vnetResourceGroup'), 'Microsoft.Network/virtualNetworks', parameters('vnetName'))]" + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Network/privateDnsZones', variables('privatelink_ods_opinsights_name'))]" + ] + }, + { + "type": "Microsoft.Network/privateDnsZones/virtualNetworkLinks", + "apiVersion": "2018-09-01", + "name": "[format('{0}/{1}', variables('privatelink_agentsvc_azure_automation_name'), format('{0}-link', variables('privatelink_agentsvc_azure_automation_name')))]", + "location": "global", + "properties": { + "registrationEnabled": false, + "virtualNetwork": { + "id": "[resourceId(parameters('vnetSubscriptionId'), parameters('vnetResourceGroup'), 'Microsoft.Network/virtualNetworks', parameters('vnetName'))]" + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Network/privateDnsZones', variables('privatelink_agentsvc_azure_automation_name'))]" + ] + }, + { + "type": "Microsoft.Network/privateDnsZones/virtualNetworkLinks", + "apiVersion": "2018-09-01", + "name": "[format('{0}/{1}', variables('privatelink_azure_automation_name'), format('{0}-link', variables('privatelink_azure_automation_name')))]", + "location": "global", + "properties": { + "registrationEnabled": false, + "virtualNetwork": { + "id": "[resourceId(parameters('vnetSubscriptionId'), parameters('vnetResourceGroup'), 'Microsoft.Network/virtualNetworks', parameters('vnetName'))]" + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Network/privateDnsZones', 
variables('privatelink_azure_automation_name'))]" + ] + }, + { + "type": "Microsoft.Network/privateDnsZones/virtualNetworkLinks", + "apiVersion": "2018-09-01", + "name": "[format('{0}/{1}', variables('privatelink_blob_name'), format('{0}-link', variables('privatelink_blob_name')))]", + "location": "global", + "properties": { + "registrationEnabled": false, + "virtualNetwork": { + "id": "[resourceId(parameters('vnetSubscriptionId'), parameters('vnetResourceGroup'), 'Microsoft.Network/virtualNetworks', parameters('vnetName'))]" + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Network/privateDnsZones', variables('privatelink_blob_name'))]" + ] + } + ], + "outputs": { + "agentsvcPrivateDnsZoneId": { + "type": "string", + "value": "[resourceId('Microsoft.Network/privateDnsZones', variables('privatelink_agentsvc_azure_automation_name'))]" + }, + "automationPrivateDnsZoneId": { + "type": "string", + "value": "[resourceId('Microsoft.Network/privateDnsZones', variables('privatelink_azure_automation_name'))]" + }, + "avdGlobalPrivateDnsZoneId": { + "type": "string", + "value": "[resourceId('Microsoft.Network/privateDnsZones', variables('privatelink_avd_global_name'))]" + }, + "avdPrivateDnsZoneId": { + "type": "string", + "value": "[resourceId('Microsoft.Network/privateDnsZones', variables('privatelink_avd_name'))]" + }, + "backupPrivateDnsZoneIds": { + "type": "array", + "copy": { + "count": "[length(variables('privatelink_backup_names'))]", + "input": "[resourceId('Microsoft.Network/privateDnsZones', variables('privatelink_backup_names')[copyIndex()])]" + } + }, + "blobPrivateDnsZoneId": { + "type": "string", + "value": "[resourceId('Microsoft.Network/privateDnsZones', variables('privatelink_blob_name'))]" + }, + "filePrivateDnsZoneId": { + "type": "string", + "value": "[resourceId('Microsoft.Network/privateDnsZones', variables('privatelink_file_name'))]" + }, + "keyvaultDnsPrivateDnsZoneId": { + "type": "string", + "value": 
"[resourceId('Microsoft.Network/privateDnsZones', variables('privatelink_keyvaultDns_name'))]" + }, + "monitorPrivateDnsZoneId": { + "type": "string", + "value": "[resourceId('Microsoft.Network/privateDnsZones', variables('privatelink_monitor_name'))]" + }, + "odsPrivateDnsZoneId": { + "type": "string", + "value": "[resourceId('Microsoft.Network/privateDnsZones', variables('privatelink_ods_opinsights_name'))]" + }, + "omsPrivateDnsZoneId": { + "type": "string", + "value": "[resourceId('Microsoft.Network/privateDnsZones', variables('privatelink_oms_opinsights_name'))]" + }, + "queuePrivateDnsZoneId": { + "type": "string", + "value": "[resourceId('Microsoft.Network/privateDnsZones', variables('privatelink_queue_name'))]" + }, + "storagePrivateDnsZoneId": { + "type": "string", + "value": "[resourceId('Microsoft.Network/privateDnsZones', variables('privatelink_blob_name'))]" + }, + "tablePrivateDnsZoneId": { + "type": "string", + "value": "[resourceId('Microsoft.Network/privateDnsZones', variables('privatelink_table_name'))]" + } + } + } + }, + "dependsOn": [ + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix')))]" + ] + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('deploy-cmk-ops-{0}', parameters('deploymentNameSuffix'))]", + "subscriptionId": "[parameters('operationsSubscriptionId')]", + "resourceGroup": "[variables('operationsResourceGroupName')]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "deploymentNameSuffix": { + "value": "[parameters('deploymentNameSuffix')]" + }, + "diskEncryptionSetName": { + "value": "[variables('operationsDiskEncryptionSetName')]" + }, + "keyVaultName": { + "value": "[variables('operationsKeyVaultName')]" + }, + 
"keyVaultPrivateDnsZoneResourceId": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-private-dns-zones-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.keyvaultDnsPrivateDnsZoneId.value]" + }, + "location": { + "value": "[parameters('location')]" + }, + "resourcePrefix": { + "value": "[parameters('resourcePrefix')]" + }, + "subnetResourceId": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', variables('spokes')[1].subscriptionId, variables('spokes')[1].resourceGroupName), 'Microsoft.Resources/deployments', format('deploy-vnet-{0}-{1}', variables('spokes')[1].name, parameters('deploymentNameSuffix'))), '2022-09-01').outputs.subnetResourceId.value]" + }, + "tags": { + "value": "[variables('calculatedTags')]" + }, + "userAssignedIdentityName": { + "value": "[variables('operationsUserAssignedIdentityName')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.24.24.22086", + "templateHash": "15205511176758446611" + } + }, + "parameters": { + "diskEncryptionSetName": { + "type": "string" + }, + "deploymentNameSuffix": { + "type": "string" + }, + "keyVaultName": { + "type": "string" + }, + "keyVaultPrivateDnsZoneResourceId": { + "type": "string" + }, + "location": { + "type": "string" + }, + "resourcePrefix": { + "type": "string" + }, + "subnetResourceId": { + "type": "string" + }, + "tags": { + "type": "object" + }, + "userAssignedIdentityName": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('deploy-key-vault-{0}', parameters('deploymentNameSuffix'))]", + "properties": { + 
"expressionEvaluationOptions": { + "scope": "inner" }, - "southcentralus": { - "abbreviation": "ussc", - "recoveryServicesGeo": "scus", - "timeDifference": "-6:00", - "timeZone": "Central Standard Time" + "mode": "Incremental", + "parameters": { + "keyVaultName": { + "value": "[parameters('keyVaultName')]" + }, + "keyVaultPrivateDnsZoneResourceId": { + "value": "[parameters('keyVaultPrivateDnsZoneResourceId')]" + }, + "location": { + "value": "[parameters('location')]" + }, + "resourcePrefix": { + "value": "[parameters('resourcePrefix')]" + }, + "subnetResourceId": { + "value": "[parameters('subnetResourceId')]" + }, + "tags": { + "value": "[parameters('tags')]" + } }, - "southeastasia": { - "abbreviation": "asse", - "recoveryServicesGeo": "sea", - "timeDifference": "+8:00", - "timeZone": "Singapore Standard Time" + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.24.24.22086", + "templateHash": "8627782382405074284" + } + }, + "parameters": { + "diskEncryptionKeyExpirationInDays": { + "type": "int", + "defaultValue": 30 + }, + "keyVaultName": { + "type": "string" + }, + "keyVaultPrivateDnsZoneResourceId": { + "type": "string" + }, + "location": { + "type": "string" + }, + "resourcePrefix": { + "type": "string" + }, + "subnetResourceId": { + "type": "string" + }, + "tags": { + "type": "object" + } + }, + "resources": [ + { + "type": "Microsoft.KeyVault/vaults", + "apiVersion": "2022-07-01", + "name": "[parameters('keyVaultName')]", + "location": "[parameters('location')]", + "tags": "[if(contains(parameters('tags'), 'Microsoft.KeyVault/vaults'), parameters('tags')['Microsoft.KeyVault/vaults'], createObject())]", + "properties": { + "enabledForDeployment": false, + "enabledForDiskEncryption": true, + "enabledForTemplateDeployment": false, + "enablePurgeProtection": true, + "enableRbacAuthorization": true, + 
"enableSoftDelete": true, + "networkAcls": { + "bypass": "AzureServices", + "defaultAction": "Deny", + "ipRules": [], + "virtualNetworkRules": [] + }, + "publicNetworkAccess": "Disabled", + "sku": { + "family": "A", + "name": "standard" + }, + "softDeleteRetentionInDays": 7, + "tenantId": "[subscription().tenantId]" + } + }, + { + "type": "Microsoft.Network/privateEndpoints", + "apiVersion": "2023-04-01", + "name": "[replace(parameters('keyVaultName'), parameters('resourcePrefix'), format('{0}-pe', parameters('resourcePrefix')))]", + "location": "[parameters('location')]", + "tags": "[parameters('tags')]", + "properties": { + "customNetworkInterfaceName": "[replace(parameters('keyVaultName'), parameters('resourcePrefix'), format('{0}-nic', parameters('resourcePrefix')))]", + "privateLinkServiceConnections": [ + { + "name": "[replace(parameters('keyVaultName'), parameters('resourcePrefix'), format('{0}-nic', parameters('resourcePrefix')))]", + "properties": { + "privateLinkServiceId": "[resourceId('Microsoft.KeyVault/vaults', parameters('keyVaultName'))]", + "groupIds": [ + "vault" + ] + } + } + ], + "subnet": { + "id": "[parameters('subnetResourceId')]" + } + }, + "dependsOn": [ + "[resourceId('Microsoft.KeyVault/vaults', parameters('keyVaultName'))]" + ] + }, + { + "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", + "apiVersion": "2021-08-01", + "name": "[format('{0}/{1}', replace(parameters('keyVaultName'), parameters('resourcePrefix'), format('{0}-pe', parameters('resourcePrefix'))), parameters('keyVaultName'))]", + "properties": { + "privateDnsZoneConfigs": [ + { + "name": "ipconfig1", + "properties": { + "privateDnsZoneId": "[parameters('keyVaultPrivateDnsZoneResourceId')]" + } + } + ] + }, + "dependsOn": [ + "[resourceId('Microsoft.Network/privateEndpoints', replace(parameters('keyVaultName'), parameters('resourcePrefix'), format('{0}-pe', parameters('resourcePrefix'))))]" + ] + }, + { + "type": "Microsoft.KeyVault/vaults/keys", + 
"apiVersion": "2022-07-01", + "name": "[format('{0}/{1}', parameters('keyVaultName'), 'DiskEncryptionKey')]", + "properties": { + "attributes": { + "enabled": true + }, + "keySize": 4096, + "kty": "RSA", + "rotationPolicy": { + "attributes": { + "expiryTime": "[format('P{0}D', string(parameters('diskEncryptionKeyExpirationInDays')))]" + }, + "lifetimeActions": [ + { + "action": { + "type": "Notify" + }, + "trigger": { + "timeBeforeExpiry": "P10D" + } + }, + { + "action": { + "type": "Rotate" + }, + "trigger": { + "timeAfterCreate": "[format('P{0}D', string(sub(parameters('diskEncryptionKeyExpirationInDays'), 7)))]" + } + } + ] + } + }, + "dependsOn": [ + "[resourceId('Microsoft.KeyVault/vaults', parameters('keyVaultName'))]" + ] + }, + { + "type": "Microsoft.KeyVault/vaults/keys", + "apiVersion": "2022-07-01", + "name": "[format('{0}/{1}', parameters('keyVaultName'), 'StorageEncryptionKey')]", + "properties": { + "attributes": { + "enabled": true + }, + "keySize": 4096, + "kty": "RSA", + "rotationPolicy": { + "attributes": { + "expiryTime": "[format('P{0}D', string(parameters('diskEncryptionKeyExpirationInDays')))]" + }, + "lifetimeActions": [ + { + "action": { + "type": "Notify" + }, + "trigger": { + "timeBeforeExpiry": "P10D" + } + }, + { + "action": { + "type": "Rotate" + }, + "trigger": { + "timeAfterCreate": "[format('P{0}D', string(sub(parameters('diskEncryptionKeyExpirationInDays'), 7)))]" + } + } + ] + } + }, + "dependsOn": [ + "[resourceId('Microsoft.KeyVault/vaults', parameters('keyVaultName'))]" + ] + } + ], + "outputs": { + "keyUriWithVersion": { + "type": "string", + "value": "[reference(resourceId('Microsoft.KeyVault/vaults/keys', parameters('keyVaultName'), 'DiskEncryptionKey'), '2022-07-01').keyUriWithVersion]" + }, + "keyVaultResourceId": { + "type": "string", + "value": "[resourceId('Microsoft.KeyVault/vaults', parameters('keyVaultName'))]" + }, + "keyVaultUri": { + "type": "string", + "value": "[reference(resourceId('Microsoft.KeyVault/vaults', 
parameters('keyVaultName')), '2022-07-01').vaultUri]" + }, + "storageKeyName": { + "type": "string", + "value": "StorageEncryptionKey" + } + } + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('deploy-disk-encryption-set_{0}', parameters('deploymentNameSuffix'))]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" }, - "southindia": { - "abbreviation": "ins", - "recoveryServicesGeo": "ins", - "timeDifference": "+5:30", - "timeZone": "India Standard Time" + "mode": "Incremental", + "parameters": { + "deploymentNameSuffix": { + "value": "[parameters('deploymentNameSuffix')]" + }, + "diskEncryptionSetName": { + "value": "[parameters('diskEncryptionSetName')]" + }, + "keyUrl": { + "value": "[reference(resourceId('Microsoft.Resources/deployments', format('deploy-key-vault-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.keyUriWithVersion.value]" + }, + "keyVaultResourceId": { + "value": "[reference(resourceId('Microsoft.Resources/deployments', format('deploy-key-vault-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.keyVaultResourceId.value]" + }, + "location": { + "value": "[parameters('location')]" + }, + "tags": "[if(contains(parameters('tags'), 'Microsoft.Compute/diskEncryptionSets'), createObject('value', parameters('tags')['Microsoft.Compute/diskEncryptionSets']), createObject('value', createObject()))]" }, - "swedencentral": { - "abbreviation": "sec", - "recoveryServicesGeo": "sdc", - "timeDifference": "+1:00", - "timeZone": "Central Europe Standard Time" + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.24.24.22086", + "templateHash": "168612721220957252" + } + }, + "parameters": { + "deploymentNameSuffix": { + "type": "string" + }, + "diskEncryptionSetName": { + "type": "string" + }, + 
"keyUrl": { + "type": "string" + }, + "keyVaultResourceId": { + "type": "string" + }, + "location": { + "type": "string" + }, + "tags": { + "type": "object" + } + }, + "resources": [ + { + "type": "Microsoft.Compute/diskEncryptionSets", + "apiVersion": "2023-04-02", + "name": "[parameters('diskEncryptionSetName')]", + "location": "[parameters('location')]", + "tags": "[parameters('tags')]", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "activeKey": { + "sourceVault": { + "id": "[parameters('keyVaultResourceId')]" + }, + "keyUrl": "[parameters('keyUrl')]" + }, + "encryptionType": "EncryptionAtRestWithPlatformAndCustomerKeys", + "rotationToLatestKeyVersionEnabled": true + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('assign-role-disk-encryption-set-ops-{0}', parameters('deploymentNameSuffix'))]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "principalId": { + "value": "[reference(resourceId('Microsoft.Compute/diskEncryptionSets', parameters('diskEncryptionSetName')), '2023-04-02', 'full').identity.principalId]" + }, + "principalType": { + "value": "ServicePrincipal" + }, + "roleDefinitionId": { + "value": "[resourceId('Microsoft.Authorization/roleDefinitions', 'e147488a-f6f5-4113-8e2d-b22465e65bf6')]" + }, + "targetResourceId": { + "value": "[resourceGroup().id]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.24.24.22086", + "templateHash": "8686326864657481429" + } + }, + "parameters": { + "targetResourceId": { + "type": "string" + }, + "roleDefinitionId": { + "type": "string" + }, + "principalId": { + "type": "string" + }, + "principalType": { + "type": "string", + "defaultValue": "ServicePrincipal", + "allowedValues": [ + "ForeignGroup", 
+ "Group", + "ServicePrincipal", + "User" + ] + }, + "description": { + "type": "string", + "defaultValue": "" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2020-04-01-preview", + "name": "[guid(parameters('targetResourceId'), parameters('roleDefinitionId'), parameters('principalId'))]", + "properties": { + "principalId": "[parameters('principalId')]", + "principalType": "[parameters('principalType')]", + "roleDefinitionId": "[parameters('roleDefinitionId')]", + "description": "[parameters('description')]" + } + } + ] + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Compute/diskEncryptionSets', parameters('diskEncryptionSetName'))]" + ] + } + ], + "outputs": { + "resourceId": { + "type": "string", + "value": "[resourceId('Microsoft.Compute/diskEncryptionSets', parameters('diskEncryptionSetName'))]" + } + } + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', format('deploy-key-vault-{0}', parameters('deploymentNameSuffix')))]" + ] + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('deploy-user-assigned-identity-{0}', parameters('deploymentNameSuffix'))]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" }, - "switzerlandnorth": { - "abbreviation": "chn", - "recoveryServicesGeo": "szn", - "timeDifference": "+1:00", - "timeZone": "Central Europe Standard Time" + "mode": "Incremental", + "parameters": { + "location": { + "value": "[parameters('location')]" + }, + "name": { + "value": "[parameters('userAssignedIdentityName')]" + }, + "tags": { + "value": "[parameters('tags')]" + } }, - "switzerlandwest": { - "abbreviation": "chw", - "recoveryServicesGeo": "szw", - "timeDifference": "+1:00", - "timeZone": "Central Europe Standard Time" + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + 
"name": "bicep", + "version": "0.24.24.22086", + "templateHash": "10179940749207677256" + } + }, + "parameters": { + "location": { + "type": "string" + }, + "name": { + "type": "string" + }, + "tags": { + "type": "object" + } + }, + "resources": [ + { + "type": "Microsoft.ManagedIdentity/userAssignedIdentities", + "apiVersion": "2018-11-30", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "tags": "[parameters('tags')]" + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "roleAssignmentEncryption", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "principalId": { + "value": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('name')), '2018-11-30').principalId]" + }, + "principalType": { + "value": "ServicePrincipal" + }, + "roleDefinitionId": { + "value": "[resourceId('Microsoft.Authorization/roleDefinitions', 'e147488a-f6f5-4113-8e2d-b22465e65bf6')]" + }, + "targetResourceId": { + "value": "[resourceGroup().id]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.24.24.22086", + "templateHash": "8686326864657481429" + } + }, + "parameters": { + "targetResourceId": { + "type": "string" + }, + "roleDefinitionId": { + "type": "string" + }, + "principalId": { + "type": "string" + }, + "principalType": { + "type": "string", + "defaultValue": "ServicePrincipal", + "allowedValues": [ + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ] + }, + "description": { + "type": "string", + "defaultValue": "" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2020-04-01-preview", + "name": "[guid(parameters('targetResourceId'), parameters('roleDefinitionId'), 
parameters('principalId'))]", + "properties": { + "principalId": "[parameters('principalId')]", + "principalType": "[parameters('principalType')]", + "roleDefinitionId": "[parameters('roleDefinitionId')]", + "description": "[parameters('description')]" + } + } + ] + } + }, + "dependsOn": [ + "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('name'))]" + ] + } + ], + "outputs": { + "resourceId": { + "type": "string", + "value": "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('name'))]" + } + } + } + } + } + ], + "outputs": { + "diskEncryptionSetResourceId": { + "type": "string", + "value": "[reference(resourceId('Microsoft.Resources/deployments', format('deploy-disk-encryption-set_{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.resourceId.value]" + }, + "keyVaultUri": { + "type": "string", + "value": "[reference(resourceId('Microsoft.Resources/deployments', format('deploy-key-vault-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.keyVaultUri.value]" + }, + "storageKeyName": { + "type": "string", + "value": "[reference(resourceId('Microsoft.Resources/deployments', format('deploy-key-vault-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.storageKeyName.value]" + }, + "userAssignedIdentityResourceId": { + "type": "string", + "value": "[reference(resourceId('Microsoft.Resources/deployments', format('deploy-user-assigned-identity-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.resourceId.value]" + } + } + } + }, + "dependsOn": [ + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-private-dns-zones-{0}', parameters('deploymentNameSuffix')))]", + "spokeNetworks" + ] + }, + { + "condition": "[contains(parameters('supportedClouds'), environment().name)]", + "type": "Microsoft.Resources/deployments", + "apiVersion": 
"2022-09-01", + "name": "[format('deploy-azure-monitor-{0}', parameters('deploymentNameSuffix'))]", + "subscriptionId": "[parameters('operationsSubscriptionId')]", + "resourceGroup": "[variables('operationsResourceGroupName')]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "logAnalyticsWorkspaceName": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.name.value]" + }, + "logAnalyticsWorkspaceResourceId": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.id.value]" + }, + "monitorPrivateDnsZoneId": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-private-dns-zones-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.monitorPrivateDnsZoneId.value]" + }, + "omsPrivateDnsZoneId": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-private-dns-zones-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.omsPrivateDnsZoneId.value]" + }, + "odsPrivateDnsZoneId": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', 
format('deploy-private-dns-zones-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.odsPrivateDnsZoneId.value]" + }, + "agentsvcPrivateDnsZoneId": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-private-dns-zones-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.agentsvcPrivateDnsZoneId.value]" + }, + "location": { + "value": "[parameters('location')]" + }, + "tags": { + "value": "[parameters('tags')]" + }, + "resourcePrefix": { + "value": "[parameters('resourcePrefix')]" + }, + "subnetResourceId": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', variables('spokes')[1].subscriptionId, variables('spokes')[1].resourceGroupName), 'Microsoft.Resources/deployments', format('deploy-vnet-{0}-{1}', variables('spokes')[1].name, parameters('deploymentNameSuffix'))), '2022-09-01').outputs.subnetResourceId.value]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.24.24.22086", + "templateHash": "8449324246862763859" + } + }, + "parameters": { + "agentsvcPrivateDnsZoneId": { + "type": "string" + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]" + }, + "logAnalyticsWorkspaceName": { + "type": "string" + }, + "logAnalyticsWorkspaceResourceId": { + "type": "string" + }, + "monitorPrivateDnsZoneId": { + "type": "string" + }, + "odsPrivateDnsZoneId": { + "type": "string" + }, + "omsPrivateDnsZoneId": { + "type": "string" + }, + "resourcePrefix": { + "type": "string" + }, + "subnetResourceId": { + "type": "string" + }, + "tags": { + "type": "object" + } + }, + "variables": { + "privateEndpointName": 
"[replace(parameters('logAnalyticsWorkspaceName'), parameters('resourcePrefix'), format('{0}-pe', parameters('resourcePrefix')))]", + "privateEndpointNetworkInterfaceName": "[replace(parameters('logAnalyticsWorkspaceName'), parameters('resourcePrefix'), format('{0}-nic', parameters('resourcePrefix')))]", + "privateLinkScopeName": "[replace(parameters('logAnalyticsWorkspaceName'), parameters('resourcePrefix'), format('{0}-pls', parameters('resourcePrefix')))]" + }, + "resources": [ + { + "type": "microsoft.insights/privateLinkScopes", + "apiVersion": "2021-09-01", + "name": "[variables('privateLinkScopeName')]", + "location": "global", + "properties": { + "accessModeSettings": { + "ingestionAccessMode": "Private", + "queryAccessMode": "Private" + } + } + }, + { + "type": "Microsoft.Insights/privateLinkScopes/scopedResources", + "apiVersion": "2021-09-01", + "name": "[format('{0}/{1}', variables('privateLinkScopeName'), parameters('logAnalyticsWorkspaceName'))]", + "properties": { + "linkedResourceId": "[parameters('logAnalyticsWorkspaceResourceId')]" + }, + "dependsOn": [ + "[resourceId('microsoft.insights/privateLinkScopes', variables('privateLinkScopeName'))]" + ] + }, + { + "type": "Microsoft.Network/privateEndpoints", + "apiVersion": "2023-04-01", + "name": "[variables('privateEndpointName')]", + "location": "[parameters('location')]", + "tags": "[parameters('tags')]", + "properties": { + "customNetworkInterfaceName": "[variables('privateEndpointNetworkInterfaceName')]", + "privateLinkServiceConnections": [ + { + "name": "[variables('privateEndpointNetworkInterfaceName')]", + "properties": { + "privateLinkServiceId": "[resourceId('microsoft.insights/privateLinkScopes', variables('privateLinkScopeName'))]", + "groupIds": [ + "azuremonitor" + ] + } + } + ], + "subnet": { + "id": "[parameters('subnetResourceId')]" + } + }, + "dependsOn": [ + "[resourceId('microsoft.insights/privateLinkScopes', variables('privateLinkScopeName'))]", + 
"[resourceId('Microsoft.Insights/privateLinkScopes/scopedResources', variables('privateLinkScopeName'), parameters('logAnalyticsWorkspaceName'))]" + ] + }, + { + "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", + "apiVersion": "2023-04-01", + "name": "[format('{0}/{1}', variables('privateEndpointName'), variables('privateEndpointName'))]", + "properties": { + "privateDnsZoneConfigs": [ + { + "name": "monitor", + "properties": { + "privateDnsZoneId": "[parameters('monitorPrivateDnsZoneId')]" + } + }, + { + "name": "oms", + "properties": { + "privateDnsZoneId": "[parameters('omsPrivateDnsZoneId')]" + } + }, + { + "name": "ods", + "properties": { + "privateDnsZoneId": "[parameters('odsPrivateDnsZoneId')]" + } + }, + { + "name": "agentsvc", + "properties": { + "privateDnsZoneId": "[parameters('agentsvcPrivateDnsZoneId')]" + } + } + ] + }, + "dependsOn": [ + "[resourceId('Microsoft.Network/privateEndpoints', variables('privateEndpointName'))]" + ] + } + ] + } + }, + "dependsOn": [ + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix')))]", + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-private-dns-zones-{0}', parameters('deploymentNameSuffix')))]", + "spokeNetworks" + ] + }, + { + "condition": "[parameters('deployRemoteAccess')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('deploy-remote-access-{0}', parameters('deploymentNameSuffix'))]", + "subscriptionId": "[parameters('hubSubscriptionId')]", + "resourceGroup": "[variables('hubResourceGroupName')]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { 
+ "bastionHostIPConfigurationName": { + "value": "[variables('bastionHostIPConfigurationName')]" + }, + "bastionHostName": { + "value": "[variables('bastionHostName')]" + }, + "bastionHostPublicIPAddressAllocationMethod": { + "value": "[variables('bastionHostPublicIPAddressAllocationMethod')]" + }, + "bastionHostPublicIPAddressAvailabilityZones": { + "value": "[parameters('bastionHostPublicIPAddressAvailabilityZones')]" + }, + "bastionHostPublicIPAddressName": { + "value": "[variables('bastionHostPublicIPAddressName')]" + }, + "bastionHostPublicIPAddressSkuName": { + "value": "[variables('bastionHostPublicIPAddressSkuName')]" + }, + "bastionHostSubnetResourceId": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.bastionHostSubnetResourceId.value]" + }, + "hubNetworkSecurityGroupResourceId": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.networkSecurityGroupResourceId.value]" + }, + "hubSubnetResourceId": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.subnetResourceId.value]" + }, + "linuxNetworkInterfaceIpConfigurationName": { + "value": "[variables('linuxNetworkInterfaceIpConfigurationName')]" + }, + "linuxNetworkInterfaceName": { + "value": "[variables('linuxNetworkInterfaceName')]" + }, + "linuxNetworkInterfacePrivateIPAddressAllocationMethod": { + "value": 
"[parameters('linuxNetworkInterfacePrivateIPAddressAllocationMethod')]" + }, + "linuxVmAdminPasswordOrKey": { + "value": "[parameters('linuxVmAdminPasswordOrKey')]" + }, + "linuxVmAdminUsername": { + "value": "[parameters('linuxVmAdminUsername')]" + }, + "linuxVmAuthenticationType": { + "value": "[parameters('linuxVmAuthenticationType')]" + }, + "linuxVmImageOffer": { + "value": "[parameters('linuxVmImageOffer')]" + }, + "linuxVmImagePublisher": { + "value": "[parameters('linuxVmImagePublisher')]" + }, + "linuxVmImageSku": { + "value": "[parameters('linuxVmImageSku')]" + }, + "linuxVmImageVersion": { + "value": "[parameters('linuxVmImageVersion')]" + }, + "linuxVmName": { + "value": "[variables('linuxVmName')]" + }, + "linuxVmOsDiskCreateOption": { + "value": "[parameters('linuxVmOsDiskCreateOption')]" + }, + "linuxVmOsDiskType": { + "value": "[parameters('linuxVmOsDiskType')]" + }, + "linuxVmSize": { + "value": "[parameters('linuxVmSize')]" + }, + "location": { + "value": "[parameters('location')]" + }, + "logAnalyticsWorkspaceId": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.id.value]" + }, + "tags": { + "value": "[parameters('tags')]" + }, + "windowsNetworkInterfaceIpConfigurationName": { + "value": "[variables('windowsNetworkInterfaceIpConfigurationName')]" + }, + "windowsNetworkInterfaceName": { + "value": "[variables('windowsNetworkInterfaceName')]" + }, + "windowsNetworkInterfacePrivateIPAddressAllocationMethod": { + "value": "[parameters('windowsNetworkInterfacePrivateIPAddressAllocationMethod')]" + }, + "windowsVmAdminPassword": { + "value": "[parameters('windowsVmAdminPassword')]" + }, + "windowsVmAdminUsername": { + "value": "[parameters('windowsVmAdminUsername')]" + }, + "windowsVmCreateOption": { + 
"value": "[parameters('windowsVmCreateOption')]" + }, + "windowsVmName": { + "value": "[variables('windowsVmName')]" + }, + "windowsVmOffer": { + "value": "[parameters('windowsVmOffer')]" + }, + "windowsVmPublisher": { + "value": "[parameters('windowsVmPublisher')]" + }, + "windowsVmSize": { + "value": "[parameters('windowsVmSize')]" + }, + "windowsVmSku": { + "value": "[parameters('windowsVmSku')]" + }, + "windowsVmStorageAccountType": { + "value": "[parameters('windowsVmStorageAccountType')]" + }, + "windowsVmVersion": { + "value": "[parameters('windowsVmVersion')]" + }, + "diskEncryptionSetResourceId": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-cmk-ops-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.diskEncryptionSetResourceId.value]" + }, + "hybridUseBenefit": { + "value": "[parameters('hybridUseBenefit')]" + }, + "linuxDiskName": { + "value": "[variables('linuxDiskName')]" + }, + "windowsDiskName": { + "value": "[variables('windowsDiskName')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.24.24.22086", + "templateHash": "5778706831016165290" + } + }, + "parameters": { + "bastionHostIPConfigurationName": { + "type": "string" + }, + "bastionHostName": { + "type": "string" + }, + "bastionHostPublicIPAddressAllocationMethod": { + "type": "string" + }, + "bastionHostPublicIPAddressAvailabilityZones": { + "type": "array" + }, + "bastionHostPublicIPAddressName": { + "type": "string" + }, + "bastionHostPublicIPAddressSkuName": { + "type": "string" + }, + "bastionHostSubnetResourceId": { + "type": "string" + }, + "diskEncryptionSetResourceId": { + "type": "string" + }, + 
"hubNetworkSecurityGroupResourceId": { + "type": "string" + }, + "hubSubnetResourceId": { + "type": "string" + }, + "hybridUseBenefit": { + "type": "bool" + }, + "linuxDiskName": { + "type": "string" + }, + "linuxNetworkInterfaceIpConfigurationName": { + "type": "string" + }, + "linuxNetworkInterfaceName": { + "type": "string" + }, + "linuxNetworkInterfacePrivateIPAddressAllocationMethod": { + "type": "string" + }, + "linuxVmAdminPasswordOrKey": { + "type": "securestring", + "minLength": 12 + }, + "linuxVmAdminUsername": { + "type": "string" + }, + "linuxVmAuthenticationType": { + "type": "string", + "allowedValues": [ + "sshPublicKey", + "password" + ] + }, + "linuxVmImageOffer": { + "type": "string" + }, + "linuxVmImagePublisher": { + "type": "string" + }, + "linuxVmImageSku": { + "type": "string" + }, + "linuxVmImageVersion": { + "type": "string" + }, + "linuxVmName": { + "type": "string" + }, + "linuxVmOsDiskCreateOption": { + "type": "string" + }, + "linuxVmOsDiskType": { + "type": "string" + }, + "linuxVmSize": { + "type": "string" + }, + "location": { + "type": "string" + }, + "logAnalyticsWorkspaceId": { + "type": "string" + }, + "tags": { + "type": "object" + }, + "windowsDiskName": { + "type": "string" + }, + "windowsNetworkInterfaceIpConfigurationName": { + "type": "string" + }, + "windowsNetworkInterfaceName": { + "type": "string" + }, + "windowsNetworkInterfacePrivateIPAddressAllocationMethod": { + "type": "string" + }, + "windowsVmAdminPassword": { + "type": "securestring", + "minLength": 12 + }, + "windowsVmAdminUsername": { + "type": "string" + }, + "windowsVmCreateOption": { + "type": "string" + }, + "windowsVmName": { + "type": "string" + }, + "windowsVmOffer": { + "type": "string" + }, + "windowsVmPublisher": { + "type": "string" + }, + "windowsVmSize": { + "type": "string" + }, + "windowsVmSku": { + "type": "string" + }, + "windowsVmStorageAccountType": { + "type": "string" + }, + "windowsVmVersion": { + "type": "string" + } + }, + "resources": 
[ + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "remoteAccess-bastionHost", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" }, - "uaecentral": { - "abbreviation": "aec", - "recoveryServicesGeo": "uac", - "timeDifference": "+3:00", - "timeZone": "Arabian Standard Time" + "mode": "Incremental", + "parameters": { + "bastionHostSubnetResourceId": { + "value": "[parameters('bastionHostSubnetResourceId')]" + }, + "ipConfigurationName": { + "value": "[parameters('bastionHostIPConfigurationName')]" + }, + "location": { + "value": "[parameters('location')]" + }, + "name": { + "value": "[parameters('bastionHostName')]" + }, + "publicIPAddressAllocationMethod": { + "value": "[parameters('bastionHostPublicIPAddressAllocationMethod')]" + }, + "publicIPAddressAvailabilityZones": { + "value": "[parameters('bastionHostPublicIPAddressAvailabilityZones')]" + }, + "publicIPAddressName": { + "value": "[parameters('bastionHostPublicIPAddressName')]" + }, + "publicIPAddressSkuName": { + "value": "[parameters('bastionHostPublicIPAddressSkuName')]" + }, + "tags": { + "value": "[parameters('tags')]" + } }, - "uaenorth": { - "abbreviation": "aen", - "recoveryServicesGeo": "uan", - "timeDifference": "+3:00", - "timeZone": "Arabian Standard Time" + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.24.24.22086", + "templateHash": "11993026043185066546" + } + }, + "parameters": { + "bastionHostSubnetResourceId": { + "type": "string" + }, + "ipConfigurationName": { + "type": "string" + }, + "location": { + "type": "string" + }, + "name": { + "type": "string" + }, + "publicIPAddressAllocationMethod": { + "type": "string" + }, + "publicIPAddressAvailabilityZones": { + "type": "array" + }, + "publicIPAddressName": { + "type": "string" + }, + "publicIPAddressSkuName": { + 
"type": "string" + }, + "tags": { + "type": "object" + } + }, + "resources": [ + { + "type": "Microsoft.Network/publicIPAddresses", + "apiVersion": "2021-02-01", + "name": "[parameters('publicIPAddressName')]", + "location": "[parameters('location')]", + "tags": "[parameters('tags')]", + "sku": { + "name": "[parameters('publicIPAddressSkuName')]" + }, + "properties": { + "publicIPAllocationMethod": "[parameters('publicIPAddressAllocationMethod')]" + }, + "zones": "[parameters('publicIPAddressAvailabilityZones')]" + }, + { + "type": "Microsoft.Network/bastionHosts", + "apiVersion": "2021-02-01", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "tags": "[parameters('tags')]", + "properties": { + "ipConfigurations": [ + { + "name": "[parameters('ipConfigurationName')]", + "properties": { + "subnet": { + "id": "[parameters('bastionHostSubnetResourceId')]" + }, + "publicIPAddress": { + "id": "[resourceId('Microsoft.Network/publicIPAddresses', parameters('publicIPAddressName'))]" + } + } + } + ] + }, + "dependsOn": [ + "[resourceId('Microsoft.Network/publicIPAddresses', parameters('publicIPAddressName'))]" + ] + } + ] + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "remoteAccess-linuxNetworkInterface", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" }, - "uksouth": { - "abbreviation": "uks", - "recoveryServicesGeo": "uks", - "timeDifference": "0:00", - "timeZone": "GMT Standard Time" + "mode": "Incremental", + "parameters": { + "ipConfigurationName": { + "value": "[parameters('linuxNetworkInterfaceIpConfigurationName')]" + }, + "location": { + "value": "[parameters('location')]" + }, + "name": { + "value": "[parameters('linuxNetworkInterfaceName')]" + }, + "networkSecurityGroupId": { + "value": "[parameters('hubNetworkSecurityGroupResourceId')]" + }, + "privateIPAddressAllocationMethod": { + "value": 
"[parameters('linuxNetworkInterfacePrivateIPAddressAllocationMethod')]" + }, + "subnetId": { + "value": "[parameters('hubSubnetResourceId')]" + }, + "tags": { + "value": "[parameters('tags')]" + } }, - "ukwest": { - "abbreviation": "ukw", - "recoveryServicesGeo": "ukw", - "timeDifference": "0:00", - "timeZone": "GMT Standard Time" + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.24.24.22086", + "templateHash": "16624262267285514706" + } + }, + "parameters": { + "name": { + "type": "string" + }, + "location": { + "type": "string" + }, + "tags": { + "type": "object", + "defaultValue": {} + }, + "ipConfigurationName": { + "type": "string" + }, + "subnetId": { + "type": "string" + }, + "networkSecurityGroupId": { + "type": "string" + }, + "privateIPAddressAllocationMethod": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.Network/networkInterfaces", + "apiVersion": "2021-02-01", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "tags": "[parameters('tags')]", + "properties": { + "ipConfigurations": [ + { + "name": "[parameters('ipConfigurationName')]", + "properties": { + "subnet": { + "id": "[parameters('subnetId')]" + }, + "privateIPAllocationMethod": "[parameters('privateIPAddressAllocationMethod')]" + } + } + ], + "networkSecurityGroup": { + "id": "[parameters('networkSecurityGroupId')]" + } + } + } + ], + "outputs": { + "id": { + "type": "string", + "value": "[resourceId('Microsoft.Network/networkInterfaces', parameters('name'))]" + }, + "name": { + "type": "string", + "value": "[parameters('name')]" + } + } + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "remoteAccess-linuxVirtualMachine", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" }, - "westcentralus": { - 
"abbreviation": "uswc", - "recoveryServicesGeo": "wcus", - "timeDifference": "-7:00", - "timeZone": "Mountain Standard Time" + "mode": "Incremental", + "parameters": { + "adminPasswordOrKey": { + "value": "[parameters('linuxVmAdminPasswordOrKey')]" + }, + "adminUsername": { + "value": "[parameters('linuxVmAdminUsername')]" + }, + "authenticationType": { + "value": "[parameters('linuxVmAuthenticationType')]" + }, + "diskEncryptionSetResourceId": { + "value": "[parameters('diskEncryptionSetResourceId')]" + }, + "diskName": { + "value": "[parameters('linuxDiskName')]" + }, + "location": { + "value": "[parameters('location')]" + }, + "logAnalyticsWorkspaceId": { + "value": "[parameters('logAnalyticsWorkspaceId')]" + }, + "name": { + "value": "[parameters('linuxVmName')]" + }, + "networkInterfaceName": { + "value": "[reference(resourceId('Microsoft.Resources/deployments', 'remoteAccess-linuxNetworkInterface'), '2022-09-01').outputs.name.value]" + }, + "osDiskCreateOption": { + "value": "[parameters('linuxVmOsDiskCreateOption')]" + }, + "osDiskType": { + "value": "[parameters('linuxVmOsDiskType')]" + }, + "tags": { + "value": "[parameters('tags')]" + }, + "vmImageOffer": { + "value": "[parameters('linuxVmImageOffer')]" + }, + "vmImagePublisher": { + "value": "[parameters('linuxVmImagePublisher')]" + }, + "vmImageSku": { + "value": "[parameters('linuxVmImageSku')]" + }, + "vmImageVersion": { + "value": "[parameters('linuxVmImageVersion')]" + }, + "vmSize": { + "value": "[parameters('linuxVmSize')]" + } }, - "westeurope": { - "abbreviation": "euw", - "recoveryServicesGeo": "we", - "timeDifference": "+1:00", - "timeZone": "Central Europe Standard Time" + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.24.24.22086", + "templateHash": "13448922027561695966" + } + }, + "parameters": { + "adminPasswordOrKey": { + 
"type": "securestring", + "minLength": 12 + }, + "adminUsername": { + "type": "string" + }, + "authenticationType": { + "type": "string", + "allowedValues": [ + "sshPublicKey", + "password" + ] + }, + "diskEncryptionSetResourceId": { + "type": "string" + }, + "diskName": { + "type": "string" + }, + "location": { + "type": "string" + }, + "name": { + "type": "string" + }, + "networkInterfaceName": { + "type": "string" + }, + "osDiskCreateOption": { + "type": "string" + }, + "osDiskType": { + "type": "string" + }, + "tags": { + "type": "object" + }, + "vmImageOffer": { + "type": "string" + }, + "vmImagePublisher": { + "type": "string" + }, + "vmImageSku": { + "type": "string" + }, + "vmImageVersion": { + "type": "string" + }, + "vmSize": { + "type": "string" + }, + "logAnalyticsWorkspaceId": { + "type": "string" + } + }, + "variables": { + "linuxConfiguration": { + "disablePasswordAuthentication": true, + "ssh": { + "publicKeys": [ + { + "path": "[format('/home/{0}/.ssh/authorized_keys', parameters('adminUsername'))]", + "keyData": "[parameters('adminPasswordOrKey')]" + } + ] + } + } + }, + "resources": [ + { + "type": "Microsoft.Compute/virtualMachines", + "apiVersion": "2021-04-01", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "tags": "[parameters('tags')]", + "properties": { + "diagnosticsProfile": { + "bootDiagnostics": { + "enabled": false + } + }, + "hardwareProfile": { + "vmSize": "[parameters('vmSize')]" + }, + "networkProfile": { + "networkInterfaces": [ + { + "id": "[resourceId('Microsoft.Network/networkInterfaces', parameters('networkInterfaceName'))]", + "properties": { + "deleteOption": "Delete" + } + } + ] + }, + "osProfile": { + "computerName": "[parameters('name')]", + "adminUsername": "[parameters('adminUsername')]", + "adminPassword": "[parameters('adminPasswordOrKey')]", + "linuxConfiguration": "[if(equals(parameters('authenticationType'), 'password'), null(), variables('linuxConfiguration'))]" + }, + 
"securityProfile": { + "uefiSettings": { + "secureBootEnabled": true, + "vTpmEnabled": true + }, + "securityType": "trustedLaunch", + "encryptionAtHost": true + }, + "storageProfile": { + "osDisk": { + "caching": "ReadWrite", + "createOption": "[parameters('osDiskCreateOption')]", + "deleteOption": "Delete", + "managedDisk": { + "diskEncryptionSet": { + "id": "[parameters('diskEncryptionSetResourceId')]" + }, + "storageAccountType": "[parameters('osDiskType')]" + }, + "name": "[parameters('diskName')]", + "osType": "Linux" + }, + "imageReference": { + "publisher": "[parameters('vmImagePublisher')]", + "offer": "[parameters('vmImageOffer')]", + "sku": "[parameters('vmImageSku')]", + "version": "[parameters('vmImageVersion')]" + } + }, + "licenseType": null + } + }, + { + "type": "Microsoft.Compute/virtualMachines/extensions", + "apiVersion": "2021-03-01", + "name": "[format('{0}/{1}', parameters('name'), 'GuestAttestation')]", + "location": "[parameters('location')]", + "properties": { + "publisher": "Microsoft.Azure.Security.LinuxAttestation", + "type": "GuestAttestation", + "typeHandlerVersion": "1.0", + "autoUpgradeMinorVersion": true, + "settings": { + "AttestationConfig": { + "MaaSettings": { + "maaEndpoint": "", + "maaTenantName": "GuestAttestation" + }, + "AscSettings": { + "ascReportingEndpoint": "", + "ascReportingFrequency": "" + }, + "useCustomToken": "false", + "disableAlerts": "false" + } + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Compute/virtualMachines', parameters('name'))]" + ] + }, + { + "type": "Microsoft.Compute/virtualMachines/extensions", + "apiVersion": "2021-04-01", + "name": "[format('{0}/{1}', parameters('name'), 'AzurePolicyforLinux')]", + "location": "[parameters('location')]", + "properties": { + "publisher": "Microsoft.GuestConfiguration", + "type": "ConfigurationforLinux", + "typeHandlerVersion": "1.0", + "autoUpgradeMinorVersion": true, + "enableAutomaticUpgrade": true + }, + "dependsOn": [ + 
"[resourceId('Microsoft.Compute/virtualMachines', parameters('name'))]" + ] + }, + { + "type": "Microsoft.Compute/virtualMachines/extensions", + "apiVersion": "2021-04-01", + "name": "[format('{0}/{1}', parameters('name'), 'Microsoft.Azure.NetworkWatcher')]", + "location": "[parameters('location')]", + "properties": { + "publisher": "Microsoft.Azure.NetworkWatcher", + "type": "NetworkWatcherAgentLinux", + "typeHandlerVersion": "1.4" + }, + "dependsOn": [ + "[resourceId('Microsoft.Compute/virtualMachines/extensions', parameters('name'), 'AzurePolicyforLinux')]", + "[resourceId('Microsoft.Compute/virtualMachines', parameters('name'))]" + ] + }, + { + "type": "Microsoft.Compute/virtualMachines/extensions", + "apiVersion": "2020-06-01", + "name": "[format('{0}/{1}', parameters('name'), 'OMSExtension')]", + "location": "[parameters('location')]", + "properties": { + "publisher": "Microsoft.EnterpriseCloud.Monitoring", + "type": "OmsAgentForLinux", + "typeHandlerVersion": "1.13", + "settings": { + "workspaceId": "[reference(parameters('logAnalyticsWorkspaceId'), '2015-11-01-preview').customerId]", + "stopOnMultipleConnections": true + }, + "protectedSettings": { + "workspaceKey": "[listKeys(parameters('logAnalyticsWorkspaceId'), '2015-11-01-preview').primarySharedKey]" + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Compute/virtualMachines/extensions', parameters('name'), 'Microsoft.Azure.NetworkWatcher')]", + "[resourceId('Microsoft.Compute/virtualMachines', parameters('name'))]" + ] + }, + { + "type": "Microsoft.Compute/virtualMachines/extensions", + "apiVersion": "2021-04-01", + "name": "[format('{0}/{1}', parameters('name'), 'DependencyAgentLinux')]", + "location": "[parameters('location')]", + "properties": { + "publisher": "Microsoft.Azure.Monitoring.DependencyAgent", + "type": "DependencyAgentLinux", + "typeHandlerVersion": "9.5", + "autoUpgradeMinorVersion": true + }, + "dependsOn": [ + "[resourceId('Microsoft.Compute/virtualMachines/extensions', 
parameters('name'), 'OMSExtension')]", + "[resourceId('Microsoft.Compute/virtualMachines', parameters('name'))]" + ] + } + ], + "outputs": { + "adminUsername": { + "type": "string", + "value": "[parameters('adminUsername')]" + }, + "authenticationType": { + "type": "string", + "value": "[parameters('authenticationType')]" + } + } + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', 'remoteAccess-linuxNetworkInterface')]" + ] + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "remoteAccess-windowsNetworkInterface", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" }, - "westindia": { - "abbreviation": "inw", - "recoveryServicesGeo": "inw", - "timeDifference": "+5:30", - "timeZone": "India Standard Time" + "mode": "Incremental", + "parameters": { + "ipConfigurationName": { + "value": "[parameters('windowsNetworkInterfaceIpConfigurationName')]" + }, + "location": { + "value": "[parameters('location')]" + }, + "name": { + "value": "[parameters('windowsNetworkInterfaceName')]" + }, + "networkSecurityGroupId": { + "value": "[parameters('hubNetworkSecurityGroupResourceId')]" + }, + "privateIPAddressAllocationMethod": { + "value": "[parameters('windowsNetworkInterfacePrivateIPAddressAllocationMethod')]" + }, + "subnetId": { + "value": "[parameters('hubSubnetResourceId')]" + }, + "tags": { + "value": "[parameters('tags')]" + } }, - "westus": { - "abbreviation": "usw", - "recoveryServicesGeo": "wus", - "timeDifference": "-8:00", - "timeZone": "Pacific Standard Time" + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.24.24.22086", + "templateHash": "16624262267285514706" + } + }, + "parameters": { + "name": { + "type": "string" + }, + "location": { + "type": "string" + }, + "tags": { + "type": "object", + "defaultValue": {} + }, + 
"ipConfigurationName": { + "type": "string" + }, + "subnetId": { + "type": "string" + }, + "networkSecurityGroupId": { + "type": "string" + }, + "privateIPAddressAllocationMethod": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.Network/networkInterfaces", + "apiVersion": "2021-02-01", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "tags": "[parameters('tags')]", + "properties": { + "ipConfigurations": [ + { + "name": "[parameters('ipConfigurationName')]", + "properties": { + "subnet": { + "id": "[parameters('subnetId')]" + }, + "privateIPAllocationMethod": "[parameters('privateIPAddressAllocationMethod')]" + } + } + ], + "networkSecurityGroup": { + "id": "[parameters('networkSecurityGroupId')]" + } + } + } + ], + "outputs": { + "id": { + "type": "string", + "value": "[resourceId('Microsoft.Network/networkInterfaces', parameters('name'))]" + }, + "name": { + "type": "string", + "value": "[parameters('name')]" + } + } + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "remoteAccess-windowsVirtualMachine", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" }, - "westus2": { - "abbreviation": "usw2", - "recoveryServicesGeo": "wus2", - "timeDifference": "-8:00", - "timeZone": "Pacific Standard Time" + "mode": "Incremental", + "parameters": { + "adminPassword": { + "value": "[parameters('windowsVmAdminPassword')]" + }, + "adminUsername": { + "value": "[parameters('windowsVmAdminUsername')]" + }, + "createOption": { + "value": "[parameters('windowsVmCreateOption')]" + }, + "diskEncryptionSetResourceId": { + "value": "[parameters('diskEncryptionSetResourceId')]" + }, + "diskName": { + "value": "[parameters('windowsDiskName')]" + }, + "hybridUseBenefit": { + "value": "[parameters('hybridUseBenefit')]" + }, + "location": { + "value": "[parameters('location')]" + }, + "logAnalyticsWorkspaceId": { + "value": "[parameters('logAnalyticsWorkspaceId')]" + 
}, + "name": { + "value": "[parameters('windowsVmName')]" + }, + "networkInterfaceName": { + "value": "[reference(resourceId('Microsoft.Resources/deployments', 'remoteAccess-windowsNetworkInterface'), '2022-09-01').outputs.name.value]" + }, + "offer": { + "value": "[parameters('windowsVmOffer')]" + }, + "publisher": { + "value": "[parameters('windowsVmPublisher')]" + }, + "size": { + "value": "[parameters('windowsVmSize')]" + }, + "sku": { + "value": "[parameters('windowsVmSku')]" + }, + "storageAccountType": { + "value": "[parameters('windowsVmStorageAccountType')]" + }, + "tags": { + "value": "[parameters('tags')]" + }, + "version": { + "value": "[parameters('windowsVmVersion')]" + } }, - "westus3": { - "abbreviation": "usw3", - "recoveryServicesGeo": "wus3", - "timeDifference": "-7:00", - "timeZone": "Mountain Standard Time" + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.24.24.22086", + "templateHash": "5793129099305307535" + } + }, + "parameters": { + "adminPassword": { + "type": "securestring", + "minLength": 12 + }, + "adminUsername": { + "type": "string" + }, + "createOption": { + "type": "string" + }, + "dataDisks": { + "type": "array", + "defaultValue": [] + }, + "diskEncryptionSetResourceId": { + "type": "string" + }, + "diskName": { + "type": "string" + }, + "hybridUseBenefit": { + "type": "bool" + }, + "location": { + "type": "string" + }, + "logAnalyticsWorkspaceId": { + "type": "string" + }, + "name": { + "type": "string" + }, + "networkInterfaceName": { + "type": "string" + }, + "offer": { + "type": "string" + }, + "publisher": { + "type": "string" + }, + "size": { + "type": "string" + }, + "sku": { + "type": "string" + }, + "storageAccountType": { + "type": "string" + }, + "tags": { + "type": "object", + "defaultValue": {} + }, + "version": { + "type": "string" + } + }, + "resources": [ 
+ { + "type": "Microsoft.Compute/virtualMachines", + "apiVersion": "2021-04-01", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "tags": "[parameters('tags')]", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "diagnosticsProfile": { + "bootDiagnostics": { + "enabled": false + } + }, + "hardwareProfile": { + "vmSize": "[parameters('size')]" + }, + "networkProfile": { + "networkInterfaces": [ + { + "id": "[resourceId('Microsoft.Network/networkInterfaces', parameters('networkInterfaceName'))]", + "properties": { + "deleteOption": "Delete" + } + } + ] + }, + "osProfile": { + "computerName": "[take(parameters('name'), 15)]", + "adminUsername": "[parameters('adminUsername')]", + "adminPassword": "[parameters('adminPassword')]" + }, + "securityProfile": { + "uefiSettings": { + "secureBootEnabled": true, + "vTpmEnabled": true + }, + "securityType": "trustedLaunch", + "encryptionAtHost": true + }, + "storageProfile": { + "imageReference": { + "publisher": "[parameters('publisher')]", + "offer": "[parameters('offer')]", + "sku": "[parameters('sku')]", + "version": "[parameters('version')]" + }, + "osDisk": { + "caching": "ReadWrite", + "createOption": "[parameters('createOption')]", + "deleteOption": "Delete", + "managedDisk": { + "diskEncryptionSet": { + "id": "[parameters('diskEncryptionSetResourceId')]" + }, + "storageAccountType": "[parameters('storageAccountType')]" + }, + "name": "[parameters('diskName')]", + "osType": "Windows" + }, + "dataDisks": "[parameters('dataDisks')]" + }, + "licenseType": "[if(parameters('hybridUseBenefit'), 'Windows_Server', null())]" + } + }, + { + "type": "Microsoft.Compute/virtualMachines/extensions", + "apiVersion": "2021-03-01", + "name": "[format('{0}/{1}', parameters('name'), 'GuestAttestation')]", + "location": "[parameters('location')]", + "properties": { + "publisher": "Microsoft.Azure.Security.WindowsAttestation", + "type": "GuestAttestation", + "typeHandlerVersion": "1.0", + 
"autoUpgradeMinorVersion": true, + "settings": { + "AttestationConfig": { + "MaaSettings": { + "maaEndpoint": "", + "maaTenantName": "GuestAttestation" + }, + "AscSettings": { + "ascReportingEndpoint": "", + "ascReportingFrequency": "" + }, + "useCustomToken": "false", + "disableAlerts": "false" + } + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Compute/virtualMachines', parameters('name'))]" + ] + }, + { + "type": "Microsoft.Compute/virtualMachines/extensions", + "apiVersion": "2021-04-01", + "name": "[format('{0}/{1}', parameters('name'), 'DependencyAgentWindows')]", + "location": "[parameters('location')]", + "properties": { + "publisher": "Microsoft.Azure.Monitoring.DependencyAgent", + "type": "DependencyAgentWindows", + "typeHandlerVersion": "9.5", + "autoUpgradeMinorVersion": true + }, + "dependsOn": [ + "[resourceId('Microsoft.Compute/virtualMachines', parameters('name'))]" + ] + }, + { + "type": "Microsoft.Compute/virtualMachines/extensions", + "apiVersion": "2021-04-01", + "name": "[format('{0}/{1}', parameters('name'), 'AzurePolicyforWindows')]", + "location": "[parameters('location')]", + "properties": { + "publisher": "Microsoft.GuestConfiguration", + "type": "ConfigurationforWindows", + "typeHandlerVersion": "1.0", + "autoUpgradeMinorVersion": true, + "enableAutomaticUpgrade": true + }, + "dependsOn": [ + "[resourceId('Microsoft.Compute/virtualMachines', parameters('name'))]" + ] + }, + { + "type": "Microsoft.Compute/virtualMachines/extensions", + "apiVersion": "2021-04-01", + "name": "[format('{0}/{1}', parameters('name'), 'MMAExtension')]", + "location": "[parameters('location')]", + "properties": { + "publisher": "Microsoft.EnterpriseCloud.Monitoring", + "type": "MicrosoftMonitoringAgent", + "typeHandlerVersion": "1.0", + "settings": { + "workspaceId": "[reference(parameters('logAnalyticsWorkspaceId'), '2015-11-01-preview').customerId]", + "stopOnMultipleConnections": true + }, + "protectedSettings": { + "workspaceKey": 
"[listKeys(parameters('logAnalyticsWorkspaceId'), '2015-11-01-preview').primarySharedKey]" + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Compute/virtualMachines', parameters('name'))]" + ] + }, + { + "type": "Microsoft.Compute/virtualMachines/extensions", + "apiVersion": "2021-04-01", + "name": "[format('{0}/{1}', parameters('name'), 'Microsoft.Azure.NetworkWatcher')]", + "location": "[parameters('location')]", + "properties": { + "publisher": "Microsoft.Azure.NetworkWatcher", + "type": "NetworkWatcherAgentWindows", + "typeHandlerVersion": "1.4" + }, + "dependsOn": [ + "[resourceId('Microsoft.Compute/virtualMachines', parameters('name'))]" + ] + } + ] } }, - "AzureUSGovernment": { - "usdodcentral": { - "abbreviation": "dodc", - "recoveryServicesGeo": "udc", - "timeDifference": "-6:00", - "timeZone": "Central Standard Time" - }, - "usdodeast": { - "abbreviation": "dode", - "recoveryServicesGeo": "ude", - "timeDifference": "-5:00", - "timeZone": "Eastern Standard Time" - }, - "usgovarizona": { - "abbreviation": "az", - "recoveryServicesGeo": "uga", - "timeDifference": "-7:00", - "timeZone": "Mountain Standard Time" + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', 'remoteAccess-windowsNetworkInterface')]" + ] + } + ] + } + }, + "dependsOn": [ + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-azure-monitor-{0}', parameters('deploymentNameSuffix')))]", + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix')))]", + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', 
format('deploy-laws-{0}', parameters('deploymentNameSuffix')))]", + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-cmk-ops-{0}', parameters('deploymentNameSuffix')))]" + ] + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('deploy-log-storage-hub-{0}', parameters('deploymentNameSuffix'))]", + "subscriptionId": "[parameters('hubSubscriptionId')]", + "resourceGroup": "[variables('hubResourceGroupName')]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "blobsPrivateDnsZoneResourceId": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-private-dns-zones-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.blobPrivateDnsZoneId.value]" + }, + "keyVaultUri": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-cmk-ops-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.keyVaultUri.value]" + }, + "location": { + "value": "[parameters('location')]" + }, + "logStorageAccountName": { + "value": "[variables('hubLogStorageAccountName')]" + }, + "logStorageSkuName": { + "value": "[parameters('logStorageSkuName')]" + }, + "resourcePrefix": { + "value": "[parameters('resourcePrefix')]" + }, + "storageEncryptionKeyName": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', 
format('deploy-cmk-ops-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.storageKeyName.value]" + }, + "subnetResourceId": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.subnetResourceId.value]" + }, + "tablesPrivateDnsZoneResourceId": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-private-dns-zones-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.tablePrivateDnsZoneId.value]" + }, + "tags": { + "value": "[variables('calculatedTags')]" + }, + "userAssignedIdentityResourceId": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-cmk-ops-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.userAssignedIdentityResourceId.value]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.24.24.22086", + "templateHash": "3711120774165826362" + } + }, + "parameters": { + "blobsPrivateDnsZoneResourceId": { + "type": "string" + }, + "keyVaultUri": { + "type": "string" + }, + "logStorageAccountName": { + "type": "string" + }, + "logStorageSkuName": { + "type": "string" + }, + "location": { + "type": "string" + }, + "resourcePrefix": { + "type": "string" + }, + "storageEncryptionKeyName": { + "type": "string" + }, + "subnetResourceId": { + "type": "string" + }, + "tablesPrivateDnsZoneResourceId": { + 
"type": "string" + }, + "tags": { + "type": "object" + }, + "userAssignedIdentityResourceId": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "storage", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" }, - "usgovtexas": { - "abbreviation": "tx", - "recoveryServicesGeo": "ugt", - "timeDifference": "-6:00", - "timeZone": "Central Standard Time" + "mode": "Incremental", + "parameters": { + "blobsPrivateDnsZoneResourceId": { + "value": "[parameters('blobsPrivateDnsZoneResourceId')]" + }, + "userAssignedIdentityResourceId": { + "value": "[parameters('userAssignedIdentityResourceId')]" + }, + "keyVaultUri": { + "value": "[parameters('keyVaultUri')]" + }, + "location": { + "value": "[parameters('location')]" + }, + "resourcePrefix": { + "value": "[parameters('resourcePrefix')]" + }, + "skuName": { + "value": "[parameters('logStorageSkuName')]" + }, + "storageAccountName": { + "value": "[parameters('logStorageAccountName')]" + }, + "storageEncryptionKeyName": { + "value": "[parameters('storageEncryptionKeyName')]" + }, + "subnetResourceId": { + "value": "[parameters('subnetResourceId')]" + }, + "tablesPrivateDnsZoneResourceId": { + "value": "[parameters('tablesPrivateDnsZoneResourceId')]" + }, + "tags": { + "value": "[parameters('tags')]" + } }, - "usgovvirginia": { - "abbreviation": "va", - "recoveryServicesGeo": "ugv", - "timeDifference": "-5:00", - "timeZone": "Eastern Standard Time" + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.24.24.22086", + "templateHash": "234191582863282012" + } + }, + "parameters": { + "blobsPrivateDnsZoneResourceId": { + "type": "string" + }, + "keyVaultUri": { + "type": "string" + }, + "location": { + "type": "string" + }, + "resourcePrefix": { + "type": "string" + }, + 
"skuName": { + "type": "string" + }, + "storageAccountName": { + "type": "string" + }, + "storageEncryptionKeyName": { + "type": "string" + }, + "subnetResourceId": { + "type": "string" + }, + "tablesPrivateDnsZoneResourceId": { + "type": "string" + }, + "tags": { + "type": "object" + }, + "userAssignedIdentityResourceId": { + "type": "string" + } + }, + "variables": { + "zones": [ + "[parameters('blobsPrivateDnsZoneResourceId')]", + "[parameters('tablesPrivateDnsZoneResourceId')]" + ] + }, + "resources": [ + { + "type": "Microsoft.Storage/storageAccounts", + "apiVersion": "2023-01-01", + "name": "[parameters('storageAccountName')]", + "location": "[parameters('location')]", + "identity": { + "type": "UserAssigned", + "userAssignedIdentities": { + "[format('{0}', parameters('userAssignedIdentityResourceId'))]": {} + } + }, + "kind": "StorageV2", + "sku": { + "name": "[parameters('skuName')]" + }, + "tags": "[parameters('tags')]", + "properties": { + "accessTier": "Hot", + "allowBlobPublicAccess": false, + "allowCrossTenantReplication": false, + "allowedCopyScope": "PrivateLink", + "allowSharedKeyAccess": true, + "defaultToOAuthAuthentication": false, + "dnsEndpointType": "Standard", + "encryption": { + "identity": { + "userAssignedIdentity": "[parameters('userAssignedIdentityResourceId')]" + }, + "keySource": "Microsoft.KeyVault", + "keyvaultproperties": { + "keyvaulturi": "[parameters('keyVaultUri')]", + "keyname": "[parameters('storageEncryptionKeyName')]" + }, + "requireInfrastructureEncryption": true, + "services": { + "blob": { + "keyType": "Account", + "enabled": true + }, + "file": { + "keyType": "Account", + "enabled": true + }, + "queue": { + "keyType": "Account", + "enabled": true + }, + "table": { + "keyType": "Account", + "enabled": true + } + } + }, + "minimumTlsVersion": "TLS1_2", + "networkAcls": { + "bypass": "AzureServices", + "virtualNetworkRules": [], + "ipRules": [], + "defaultAction": "Deny" + }, + "publicNetworkAccess": "Disabled", + 
"supportsHttpsTrafficOnly": true + } + }, + { + "copy": { + "name": "privateEndpoints", + "count": "[length(variables('zones'))]" + }, + "type": "Microsoft.Network/privateEndpoints", + "apiVersion": "2023-04-01", + "name": "[format('{0}-{1}', replace(parameters('storageAccountName'), parameters('resourcePrefix'), format('{0}-pe-', parameters('resourcePrefix'))), split(split(variables('zones')[copyIndex()], '/')[8], '.')[1])]", + "location": "[parameters('location')]", + "tags": "[parameters('tags')]", + "properties": { + "customNetworkInterfaceName": "[format('{0}-{1}', replace(parameters('storageAccountName'), parameters('resourcePrefix'), format('{0}-nic-', parameters('resourcePrefix'))), split(split(variables('zones')[copyIndex()], '/')[8], '.')[1])]", + "privateLinkServiceConnections": [ + { + "name": "[format('{0}-{1}', replace(parameters('storageAccountName'), parameters('resourcePrefix'), format('{0}-nic-', parameters('resourcePrefix'))), split(split(variables('zones')[copyIndex()], '/')[8], '.')[1])]", + "properties": { + "privateLinkServiceId": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]", + "groupIds": [ + "[split(split(variables('zones')[copyIndex()], '/')[8], '.')[1]]" + ] + } + } + ], + "subnet": { + "id": "[parameters('subnetResourceId')]" + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]" + ] + }, + { + "copy": { + "name": "privateDnsZoneGroups", + "count": "[length(variables('zones'))]" + }, + "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", + "apiVersion": "2021-08-01", + "name": "[format('{0}/{1}', format('{0}-{1}', replace(parameters('storageAccountName'), parameters('resourcePrefix'), format('{0}-pe-', parameters('resourcePrefix'))), split(split(variables('zones')[copyIndex()], '/')[8], '.')[1]), parameters('storageAccountName'))]", + "properties": { + "privateDnsZoneConfigs": [ + { + "name": "ipconfig1", + "properties": { + 
"privateDnsZoneId": "[variables('zones')[copyIndex()]]" + } + } + ] + }, + "dependsOn": [ + "[resourceId('Microsoft.Network/privateEndpoints', format('{0}-{1}', replace(parameters('storageAccountName'), parameters('resourcePrefix'), format('{0}-pe-', parameters('resourcePrefix'))), split(split(variables('zones')[copyIndex()], '/')[8], '.')[1]))]" + ] + } + ], + "outputs": { + "id": { + "type": "string", + "value": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]" + } + } } - }, - "USNat": { - "usnateast": { - "abbreviation": "east", - "recoveryServicesGeo": "exe", - "timeDifference": "-5:00", - "timeZone": "Eastern Standard Time" + } + } + ], + "outputs": { + "storageAccountResourceId": { + "type": "string", + "value": "[reference(resourceId('Microsoft.Resources/deployments', 'storage'), '2022-09-01').outputs.id.value]" + } + } + } + }, + "dependsOn": [ + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix')))]", + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-cmk-ops-{0}', parameters('deploymentNameSuffix')))]", + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-private-dns-zones-{0}', parameters('deploymentNameSuffix')))]", + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-remote-access-{0}', parameters('deploymentNameSuffix')))]" + ] + }, + { + "copy": { + "name": "spokeStorage", + "count": 
"[length(variables('spokes'))]" + }, + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('deploy-log-storage-{0}-{1}', variables('spokes')[copyIndex()].name, parameters('deploymentNameSuffix'))]", + "subscriptionId": "[variables('spokes')[copyIndex()].subscriptionId]", + "resourceGroup": "[variables('spokes')[copyIndex()].resourceGroupName]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "blobsPrivateDnsZoneResourceId": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-private-dns-zones-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.blobPrivateDnsZoneId.value]" + }, + "keyVaultUri": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-cmk-ops-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.keyVaultUri.value]" + }, + "location": { + "value": "[parameters('location')]" + }, + "logStorageAccountName": { + "value": "[variables('spokes')[copyIndex()].logStorageAccountName]" + }, + "logStorageSkuName": { + "value": "[parameters('logStorageSkuName')]" + }, + "resourcePrefix": { + "value": "[parameters('resourcePrefix')]" + }, + "storageEncryptionKeyName": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-cmk-ops-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.storageKeyName.value]" + }, + "subnetResourceId": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', 
variables('spokes')[copyIndex()].subscriptionId, variables('spokes')[copyIndex()].resourceGroupName), 'Microsoft.Resources/deployments', format('deploy-vnet-{0}-{1}', variables('spokes')[copyIndex()].name, parameters('deploymentNameSuffix'))), '2022-09-01').outputs.subnetResourceId.value]" + }, + "tablesPrivateDnsZoneResourceId": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-private-dns-zones-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.tablePrivateDnsZoneId.value]" + }, + "tags": { + "value": "[parameters('tags')]" + }, + "userAssignedIdentityResourceId": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-cmk-ops-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.userAssignedIdentityResourceId.value]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.24.24.22086", + "templateHash": "6037549614709568341" + } + }, + "parameters": { + "blobsPrivateDnsZoneResourceId": { + "type": "string" + }, + "keyVaultUri": { + "type": "string" + }, + "location": { + "type": "string" + }, + "logStorageAccountName": { + "type": "string" + }, + "logStorageSkuName": { + "type": "string" + }, + "resourcePrefix": { + "type": "string" + }, + "storageEncryptionKeyName": { + "type": "string" + }, + "subnetResourceId": { + "type": "string" + }, + "tablesPrivateDnsZoneResourceId": { + "type": "string" + }, + "tags": { + "type": "object" + }, + "userAssignedIdentityResourceId": { + "type": "string" + } + }, + "resources": [ + { + "type": 
"Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "storage", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" }, - "usnatwest": { - "abbreviation": "west", - "recoveryServicesGeo": "exw", - "timeDifference": "-8:00", - "timeZone": "Pacific Standard Time" - } - }, - "USSec": { - "usseceast": { - "abbreviation": "east", - "recoveryServicesGeo": "rxe", - "timeDifference": "-5:00", - "timeZone": "Eastern Standard Time" + "mode": "Incremental", + "parameters": { + "blobsPrivateDnsZoneResourceId": { + "value": "[parameters('blobsPrivateDnsZoneResourceId')]" + }, + "keyVaultUri": { + "value": "[parameters('keyVaultUri')]" + }, + "location": { + "value": "[parameters('location')]" + }, + "resourcePrefix": { + "value": "[parameters('resourcePrefix')]" + }, + "skuName": { + "value": "[parameters('logStorageSkuName')]" + }, + "storageAccountName": { + "value": "[parameters('logStorageAccountName')]" + }, + "storageEncryptionKeyName": { + "value": "[parameters('storageEncryptionKeyName')]" + }, + "subnetResourceId": { + "value": "[parameters('subnetResourceId')]" + }, + "tablesPrivateDnsZoneResourceId": { + "value": "[parameters('tablesPrivateDnsZoneResourceId')]" + }, + "tags": { + "value": "[parameters('tags')]" + }, + "userAssignedIdentityResourceId": { + "value": "[parameters('userAssignedIdentityResourceId')]" + } }, - "ussecwest": { - "abbreviation": "west", - "recoveryServicesGeo": "rxw", - "timeDifference": "-8:00", - "timeZone": "Pacific Standard Time" + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.24.24.22086", + "templateHash": "234191582863282012" + } + }, + "parameters": { + "blobsPrivateDnsZoneResourceId": { + "type": "string" + }, + "keyVaultUri": { + "type": "string" + }, + "location": { + "type": "string" + }, + "resourcePrefix": { + "type": "string" 
+ }, + "skuName": { + "type": "string" + }, + "storageAccountName": { + "type": "string" + }, + "storageEncryptionKeyName": { + "type": "string" + }, + "subnetResourceId": { + "type": "string" + }, + "tablesPrivateDnsZoneResourceId": { + "type": "string" + }, + "tags": { + "type": "object" + }, + "userAssignedIdentityResourceId": { + "type": "string" + } + }, + "variables": { + "zones": [ + "[parameters('blobsPrivateDnsZoneResourceId')]", + "[parameters('tablesPrivateDnsZoneResourceId')]" + ] + }, + "resources": [ + { + "type": "Microsoft.Storage/storageAccounts", + "apiVersion": "2023-01-01", + "name": "[parameters('storageAccountName')]", + "location": "[parameters('location')]", + "identity": { + "type": "UserAssigned", + "userAssignedIdentities": { + "[format('{0}', parameters('userAssignedIdentityResourceId'))]": {} + } + }, + "kind": "StorageV2", + "sku": { + "name": "[parameters('skuName')]" + }, + "tags": "[parameters('tags')]", + "properties": { + "accessTier": "Hot", + "allowBlobPublicAccess": false, + "allowCrossTenantReplication": false, + "allowedCopyScope": "PrivateLink", + "allowSharedKeyAccess": true, + "defaultToOAuthAuthentication": false, + "dnsEndpointType": "Standard", + "encryption": { + "identity": { + "userAssignedIdentity": "[parameters('userAssignedIdentityResourceId')]" + }, + "keySource": "Microsoft.KeyVault", + "keyvaultproperties": { + "keyvaulturi": "[parameters('keyVaultUri')]", + "keyname": "[parameters('storageEncryptionKeyName')]" + }, + "requireInfrastructureEncryption": true, + "services": { + "blob": { + "keyType": "Account", + "enabled": true + }, + "file": { + "keyType": "Account", + "enabled": true + }, + "queue": { + "keyType": "Account", + "enabled": true + }, + "table": { + "keyType": "Account", + "enabled": true + } + } + }, + "minimumTlsVersion": "TLS1_2", + "networkAcls": { + "bypass": "AzureServices", + "virtualNetworkRules": [], + "ipRules": [], + "defaultAction": "Deny" + }, + "publicNetworkAccess": "Disabled", + 
"supportsHttpsTrafficOnly": true + } + }, + { + "copy": { + "name": "privateEndpoints", + "count": "[length(variables('zones'))]" + }, + "type": "Microsoft.Network/privateEndpoints", + "apiVersion": "2023-04-01", + "name": "[format('{0}-{1}', replace(parameters('storageAccountName'), parameters('resourcePrefix'), format('{0}-pe-', parameters('resourcePrefix'))), split(split(variables('zones')[copyIndex()], '/')[8], '.')[1])]", + "location": "[parameters('location')]", + "tags": "[parameters('tags')]", + "properties": { + "customNetworkInterfaceName": "[format('{0}-{1}', replace(parameters('storageAccountName'), parameters('resourcePrefix'), format('{0}-nic-', parameters('resourcePrefix'))), split(split(variables('zones')[copyIndex()], '/')[8], '.')[1])]", + "privateLinkServiceConnections": [ + { + "name": "[format('{0}-{1}', replace(parameters('storageAccountName'), parameters('resourcePrefix'), format('{0}-nic-', parameters('resourcePrefix'))), split(split(variables('zones')[copyIndex()], '/')[8], '.')[1])]", + "properties": { + "privateLinkServiceId": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]", + "groupIds": [ + "[split(split(variables('zones')[copyIndex()], '/')[8], '.')[1]]" + ] + } + } + ], + "subnet": { + "id": "[parameters('subnetResourceId')]" + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]" + ] + }, + { + "copy": { + "name": "privateDnsZoneGroups", + "count": "[length(variables('zones'))]" + }, + "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", + "apiVersion": "2021-08-01", + "name": "[format('{0}/{1}', format('{0}-{1}', replace(parameters('storageAccountName'), parameters('resourcePrefix'), format('{0}-pe-', parameters('resourcePrefix'))), split(split(variables('zones')[copyIndex()], '/')[8], '.')[1]), parameters('storageAccountName'))]", + "properties": { + "privateDnsZoneConfigs": [ + { + "name": "ipconfig1", + "properties": { + 
"privateDnsZoneId": "[variables('zones')[copyIndex()]]" + } + } + ] + }, + "dependsOn": [ + "[resourceId('Microsoft.Network/privateEndpoints', format('{0}-{1}', replace(parameters('storageAccountName'), parameters('resourcePrefix'), format('{0}-pe-', parameters('resourcePrefix'))), split(split(variables('zones')[copyIndex()], '/')[8], '.')[1]))]" + ] + } + ], + "outputs": { + "id": { + "type": "string", + "value": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]" + } + } } } - }, - "copy": [ - { - "name": "privatelink_backup_names", - "count": "[length(items(variables('locations')))]", - "input": "[format('privatelink.backup.{0}.{1}', items(variables('locations'))[copyIndex('privatelink_backup_names')].value.recoveryServicesGeo, variables('cloudSuffix'))]" - } - ], - "cloudSuffix": "[replace(replace(environment().resourceManager, 'https://management.', ''), '/', '')]", - "automationSuffix": "[replace(environment().suffixes.storage, 'core.windows.', '')]", - "locations": "[variables('$fxv#0')[environment().name]]", - "privatelink_agentsvc_azure_automation_name": "[format('privatelink.agentsvc.azure-automation.{0}', variables('automationSuffix'))]", - "privatelink_azure_automation_name": "[format('privatelink.azure-automation.{0}', variables('automationSuffix'))]", - "privatelink_avd_name": "[format('privatelink.wvd.{0}', variables('cloudSuffix'))]", - "privatelink_avd_global_name": "[format('privatelink-global.wvd.{0}', variables('cloudSuffix'))]", - "privatelink_file_name": "[format('privatelink.file.{0}', environment().suffixes.storage)]", - "privatelink_queue_name": "[format('privatelink.queue.{0}', environment().suffixes.storage)]", - "privatelink_table_name": "[format('privatelink.table.{0}', environment().suffixes.storage)]", - "privatelink_blob_name": "[format('privatelink.blob.{0}', environment().suffixes.storage)]", - "privatelink_keyvaultDns_name": "[replace(format('privatelink{0}', environment().suffixes.keyvaultDns), 
'vault', 'vaultcore')]", - "privatelink_monitor_name": "[format('privatelink.monitor.{0}', variables('cloudSuffix'))]", - "privatelink_ods_opinsights_name": "[format('privatelink.ods.opinsights.{0}', variables('cloudSuffix'))]", - "privatelink_oms_opinsights_name": "[format('privatelink.oms.opinsights.{0}', variables('cloudSuffix'))]" + } + ], + "outputs": { + "ResourceId": { + "type": "string", + "value": "[reference(resourceId('Microsoft.Resources/deployments', 'storage'), '2022-09-01').outputs.id.value]" + } + } + } + }, + "dependsOn": [ + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-cmk-ops-{0}', parameters('deploymentNameSuffix')))]", + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-private-dns-zones-{0}', parameters('deploymentNameSuffix')))]", + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-remote-access-{0}', parameters('deploymentNameSuffix')))]", + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', variables('spokes')[copyIndex()].subscriptionId, variables('spokes')[copyIndex()].resourceGroupName), 'Microsoft.Resources/deployments', format('deploy-vnet-{0}-{1}', variables('spokes')[copyIndex()].name, parameters('deploymentNameSuffix')))]" + ] + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('deploy-diagnostic-logging-hub-{0}', parameters('deploymentNameSuffix'))]", + "subscriptionId": "[parameters('hubSubscriptionId')]", + "resourceGroup": "[variables('hubResourceGroupName')]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" 
+ }, + "mode": "Incremental", + "parameters": { + "firewallDiagnosticsLogs": { + "value": "[parameters('firewallDiagnosticsLogs')]" }, - "resources": [ - { - "type": "Microsoft.Network/privateDnsZones", - "apiVersion": "2018-09-01", - "name": "[variables('privatelink_avd_name')]", - "location": "global", - "tags": "[parameters('tags')]" - }, - { - "type": "Microsoft.Network/privateDnsZones", - "apiVersion": "2018-09-01", - "name": "[variables('privatelink_avd_global_name')]", - "location": "global", - "tags": "[parameters('tags')]" - }, - { - "condition": "[not(contains(variables('privatelink_backup_names')[copyIndex()], '..'))]", - "copy": { - "name": "privateDnsZone_backup_rsv", - "count": "[length(variables('privatelink_backup_names'))]" - }, - "type": "Microsoft.Network/privateDnsZones", - "apiVersion": "2018-09-01", - "name": "[variables('privatelink_backup_names')[copyIndex()]]", - "location": "global", - "tags": "[parameters('tags')]" - }, - { - "type": "Microsoft.Network/privateDnsZones", - "apiVersion": "2018-09-01", - "name": "[variables('privatelink_file_name')]", - "location": "global", - "tags": "[parameters('tags')]" - }, - { - "type": "Microsoft.Network/privateDnsZones", - "apiVersion": "2018-09-01", - "name": "[variables('privatelink_queue_name')]", - "location": "global", - "tags": "[parameters('tags')]" - }, - { - "type": "Microsoft.Network/privateDnsZones", - "apiVersion": "2018-09-01", - "name": "[variables('privatelink_table_name')]", - "location": "global", - "tags": "[parameters('tags')]" - }, - { - "type": "Microsoft.Network/privateDnsZones", - "apiVersion": "2018-09-01", - "name": "[variables('privatelink_keyvaultDns_name')]", - "location": "global", - "tags": "[parameters('tags')]" - }, - { - "type": "Microsoft.Network/privateDnsZones", - "apiVersion": "2018-09-01", - "name": "[variables('privatelink_monitor_name')]", - "location": "global", - "tags": "[parameters('tags')]" - }, - { - "type": "Microsoft.Network/privateDnsZones", - 
"apiVersion": "2018-09-01", - "name": "[variables('privatelink_oms_opinsights_name')]", - "location": "global", - "tags": "[parameters('tags')]" - }, - { - "type": "Microsoft.Network/privateDnsZones", - "apiVersion": "2018-09-01", - "name": "[variables('privatelink_ods_opinsights_name')]", - "location": "global", - "tags": "[parameters('tags')]" - }, - { - "type": "Microsoft.Network/privateDnsZones", - "apiVersion": "2018-09-01", - "name": "[variables('privatelink_agentsvc_azure_automation_name')]", - "location": "global", - "tags": "[parameters('tags')]" - }, - { - "type": "Microsoft.Network/privateDnsZones", - "apiVersion": "2018-09-01", - "name": "[variables('privatelink_azure_automation_name')]", - "location": "global", - "tags": "[parameters('tags')]" + "firewallDiagnosticsMetrics": { + "value": "[parameters('firewallDiagnosticsMetrics')]" + }, + "firewallName": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.firewallName.value]" + }, + "hubStorageAccountResourceId": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-log-storage-hub-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.storageAccountResourceId.value]" + }, + "logAnalyticsWorkspaceResourceId": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.id.value]" + }, + "networkSecurityGroupDiagnosticsLogs": { + "value": 
"[parameters('hubNetworkSecurityGroupDiagnosticsLogs')]" + }, + "networkSecurityGroupDiagnosticsMetrics": { + "value": "[parameters('hubNetworkSecurityGroupDiagnosticsMetrics')]" + }, + "networkSecurityGroupName": { + "value": "[variables('hubNetworkSecurityGroupName')]" + }, + "publicIPAddressDiagnosticsLogs": { + "value": "[parameters('publicIPAddressDiagnosticsLogs')]" + }, + "publicIPAddressDiagnosticsMetrics": { + "value": "[parameters('publicIPAddressDiagnosticsMetrics')]" + }, + "publicIPAddressNames": { + "value": [ + "[variables('firewallClientPublicIPAddressName')]", + "[variables('firewallManagementPublicIPAddressName')]" + ] + }, + "virtualNetworkDiagnosticsLogs": { + "value": "[parameters('hubVirtualNetworkDiagnosticsLogs')]" + }, + "virtualNetworkDiagnosticsMetrics": { + "value": "[parameters('hubVirtualNetworkDiagnosticsMetrics')]" + }, + "virtualNetworkName": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.virtualNetworkName.value]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.24.24.22086", + "templateHash": "5804157384629948286" + } + }, + "parameters": { + "firewallDiagnosticsLogs": { + "type": "array" }, - { - "type": "Microsoft.Network/privateDnsZones", - "apiVersion": "2018-09-01", - "name": "[variables('privatelink_blob_name')]", - "location": "global", - "tags": "[parameters('tags')]" + "firewallDiagnosticsMetrics": { + "type": "array" }, - { - "type": "Microsoft.Network/privateDnsZones/virtualNetworkLinks", - "apiVersion": "2018-09-01", - "name": "[format('{0}/{1}', variables('privatelink_avd_name'), format('{0}-link', 
variables('privatelink_avd_name')))]", - "location": "global", - "properties": { - "registrationEnabled": false, - "virtualNetwork": { - "id": "[resourceId(parameters('vnetSubscriptionId'), parameters('vnetResourceGroup'), 'Microsoft.Network/virtualNetworks', parameters('vnetName'))]" - } - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/privateDnsZones', variables('privatelink_avd_name'))]" - ] + "firewallName": { + "type": "string" }, - { - "type": "Microsoft.Network/privateDnsZones/virtualNetworkLinks", - "apiVersion": "2018-09-01", - "name": "[format('{0}/{1}', variables('privatelink_file_name'), format('{0}-link', variables('privatelink_file_name')))]", - "location": "global", - "properties": { - "registrationEnabled": false, - "virtualNetwork": { - "id": "[resourceId(parameters('vnetSubscriptionId'), parameters('vnetResourceGroup'), 'Microsoft.Network/virtualNetworks', parameters('vnetName'))]" - } - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/privateDnsZones', variables('privatelink_file_name'))]" - ] + "hubStorageAccountResourceId": { + "type": "string" }, - { - "type": "Microsoft.Network/privateDnsZones/virtualNetworkLinks", - "apiVersion": "2018-09-01", - "name": "[format('{0}/{1}', variables('privatelink_table_name'), format('{0}-link', variables('privatelink_table_name')))]", - "location": "global", - "properties": { - "registrationEnabled": false, - "virtualNetwork": { - "id": "[resourceId(parameters('vnetSubscriptionId'), parameters('vnetResourceGroup'), 'Microsoft.Network/virtualNetworks', parameters('vnetName'))]" - } - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/privateDnsZones', variables('privatelink_table_name'))]" - ] + "logAnalyticsWorkspaceResourceId": { + "type": "string" }, - { - "type": "Microsoft.Network/privateDnsZones/virtualNetworkLinks", - "apiVersion": "2018-09-01", - "name": "[format('{0}/{1}', variables('privatelink_keyvaultDns_name'), format('{0}-link', variables('privatelink_keyvaultDns_name')))]", - 
"location": "global", - "properties": { - "registrationEnabled": false, - "virtualNetwork": { - "id": "[resourceId(parameters('vnetSubscriptionId'), parameters('vnetResourceGroup'), 'Microsoft.Network/virtualNetworks', parameters('vnetName'))]" - } - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/privateDnsZones', variables('privatelink_keyvaultDns_name'))]" - ] + "networkSecurityGroupDiagnosticsLogs": { + "type": "array" }, - { - "type": "Microsoft.Network/privateDnsZones/virtualNetworkLinks", - "apiVersion": "2018-09-01", - "name": "[format('{0}/{1}', variables('privatelink_queue_name'), format('{0}-link', variables('privatelink_queue_name')))]", - "location": "global", - "properties": { - "registrationEnabled": false, - "virtualNetwork": { - "id": "[resourceId(parameters('vnetSubscriptionId'), parameters('vnetResourceGroup'), 'Microsoft.Network/virtualNetworks', parameters('vnetName'))]" - } - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/privateDnsZones', variables('privatelink_queue_name'))]" - ] + "networkSecurityGroupDiagnosticsMetrics": { + "type": "array" }, - { - "copy": { - "name": "virtualNetworkLink_backup_rsv", - "count": "[length(variables('privatelink_backup_names'))]" - }, - "type": "Microsoft.Network/privateDnsZones/virtualNetworkLinks", - "apiVersion": "2018-09-01", - "name": "[format('{0}/{1}', variables('privatelink_backup_names')[copyIndex()], format('{0}-link', variables('privatelink_backup_names')[copyIndex()]))]", - "location": "global", - "properties": { - "registrationEnabled": false, - "virtualNetwork": { - "id": "[resourceId(parameters('vnetSubscriptionId'), parameters('vnetResourceGroup'), 'Microsoft.Network/virtualNetworks', parameters('vnetName'))]" - } - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/privateDnsZones', variables('privatelink_backup_names')[copyIndex()])]" - ] + "networkSecurityGroupName": { + "type": "string" }, - { - "type": "Microsoft.Network/privateDnsZones/virtualNetworkLinks", - 
"apiVersion": "2018-09-01", - "name": "[format('{0}/{1}', variables('privatelink_avd_global_name'), format('{0}-link', variables('privatelink_avd_global_name')))]", - "location": "global", - "properties": { - "registrationEnabled": false, - "virtualNetwork": { - "id": "[resourceId(parameters('vnetSubscriptionId'), parameters('vnetResourceGroup'), 'Microsoft.Network/virtualNetworks', parameters('vnetName'))]" - } - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/privateDnsZones', variables('privatelink_avd_global_name'))]" - ] + "publicIPAddressDiagnosticsLogs": { + "type": "array" }, - { - "type": "Microsoft.Network/privateDnsZones/virtualNetworkLinks", - "apiVersion": "2018-09-01", - "name": "[format('{0}/{1}', variables('privatelink_monitor_name'), format('{0}-link', variables('privatelink_monitor_name')))]", - "location": "global", - "properties": { - "registrationEnabled": false, - "virtualNetwork": { - "id": "[resourceId(parameters('vnetSubscriptionId'), parameters('vnetResourceGroup'), 'Microsoft.Network/virtualNetworks', parameters('vnetName'))]" - } - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/privateDnsZones', variables('privatelink_monitor_name'))]" - ] + "publicIPAddressDiagnosticsMetrics": { + "type": "array" }, - { - "type": "Microsoft.Network/privateDnsZones/virtualNetworkLinks", - "apiVersion": "2018-09-01", - "name": "[format('{0}/{1}', variables('privatelink_oms_opinsights_name'), format('{0}-link', variables('privatelink_oms_opinsights_name')))]", - "location": "global", - "properties": { - "registrationEnabled": false, - "virtualNetwork": { - "id": "[resourceId(parameters('vnetSubscriptionId'), parameters('vnetResourceGroup'), 'Microsoft.Network/virtualNetworks', parameters('vnetName'))]" - } - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/privateDnsZones', variables('privatelink_oms_opinsights_name'))]" - ] + "publicIPAddressNames": { + "type": "array" }, - { - "type": 
"Microsoft.Network/privateDnsZones/virtualNetworkLinks", - "apiVersion": "2018-09-01", - "name": "[format('{0}/{1}', variables('privatelink_ods_opinsights_name'), format('{0}-link', variables('privatelink_ods_opinsights_name')))]", - "location": "global", - "properties": { - "registrationEnabled": false, - "virtualNetwork": { - "id": "[resourceId(parameters('vnetSubscriptionId'), parameters('vnetResourceGroup'), 'Microsoft.Network/virtualNetworks', parameters('vnetName'))]" - } - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/privateDnsZones', variables('privatelink_ods_opinsights_name'))]" - ] + "virtualNetworkDiagnosticsLogs": { + "type": "array" + }, + "virtualNetworkDiagnosticsMetrics": { + "type": "array" }, + "virtualNetworkName": { + "type": "string" + } + }, + "resources": [ { - "type": "Microsoft.Network/privateDnsZones/virtualNetworkLinks", - "apiVersion": "2018-09-01", - "name": "[format('{0}/{1}', variables('privatelink_agentsvc_azure_automation_name'), format('{0}-link', variables('privatelink_agentsvc_azure_automation_name')))]", - "location": "global", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "networkSecurityGroupDiagnostics", "properties": { - "registrationEnabled": false, - "virtualNetwork": { - "id": "[resourceId(parameters('vnetSubscriptionId'), parameters('vnetResourceGroup'), 'Microsoft.Network/virtualNetworks', parameters('vnetName'))]" + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "logAnalyticsWorkspaceResourceId": { + "value": "[parameters('logAnalyticsWorkspaceResourceId')]" + }, + "logs": { + "value": "[parameters('networkSecurityGroupDiagnosticsLogs')]" + }, + "logStorageAccountResourceId": { + "value": "[parameters('hubStorageAccountResourceId')]" + }, + "metrics": { + "value": "[parameters('networkSecurityGroupDiagnosticsMetrics')]" + }, + "name": { + "value": "[parameters('networkSecurityGroupName')]" + } + }, + "template": { + 
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.24.24.22086", + "templateHash": "7786315125053139576" + } + }, + "parameters": { + "name": { + "type": "string" + }, + "logAnalyticsWorkspaceResourceId": { + "type": "string" + }, + "logs": { + "type": "array" + }, + "logStorageAccountResourceId": { + "type": "string" + }, + "metrics": { + "type": "array" + } + }, + "resources": [ + { + "type": "Microsoft.Insights/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "scope": "[format('Microsoft.Network/networkSecurityGroups/{0}', parameters('name'))]", + "name": "[format('{0}-diagnostics', parameters('name'))]", + "properties": { + "storageAccountId": "[parameters('logStorageAccountResourceId')]", + "workspaceId": "[parameters('logAnalyticsWorkspaceResourceId')]", + "logs": "[parameters('logs')]", + "metrics": "[parameters('metrics')]" + } + } + ] } - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/privateDnsZones', variables('privatelink_agentsvc_azure_automation_name'))]" - ] + } }, { - "type": "Microsoft.Network/privateDnsZones/virtualNetworkLinks", - "apiVersion": "2018-09-01", - "name": "[format('{0}/{1}', variables('privatelink_azure_automation_name'), format('{0}-link', variables('privatelink_azure_automation_name')))]", - "location": "global", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "virtualNetworkDiagnostics", "properties": { - "registrationEnabled": false, - "virtualNetwork": { - "id": "[resourceId(parameters('vnetSubscriptionId'), parameters('vnetResourceGroup'), 'Microsoft.Network/virtualNetworks', parameters('vnetName'))]" + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "logAnalyticsWorkspaceResourceId": { + "value": "[parameters('logAnalyticsWorkspaceResourceId')]" + }, + "logs": { + "value": 
"[parameters('virtualNetworkDiagnosticsLogs')]" + }, + "logStorageAccountResourceId": { + "value": "[parameters('hubStorageAccountResourceId')]" + }, + "metrics": { + "value": "[parameters('virtualNetworkDiagnosticsMetrics')]" + }, + "name": { + "value": "[parameters('virtualNetworkName')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.24.24.22086", + "templateHash": "15623637455522175927" + } + }, + "parameters": { + "logAnalyticsWorkspaceResourceId": { + "type": "string" + }, + "logs": { + "type": "array" + }, + "logStorageAccountResourceId": { + "type": "string" + }, + "metrics": { + "type": "array" + }, + "name": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.Insights/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "scope": "[format('Microsoft.Network/virtualNetworks/{0}', parameters('name'))]", + "name": "[format('{0}-diagnostics', parameters('name'))]", + "properties": { + "storageAccountId": "[parameters('logStorageAccountResourceId')]", + "workspaceId": "[parameters('logAnalyticsWorkspaceResourceId')]", + "logs": "[parameters('logs')]", + "metrics": "[parameters('metrics')]" + } + } + ] } - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/privateDnsZones', variables('privatelink_azure_automation_name'))]" - ] + } }, { - "type": "Microsoft.Network/privateDnsZones/virtualNetworkLinks", - "apiVersion": "2018-09-01", - "name": "[format('{0}/{1}', variables('privatelink_blob_name'), format('{0}-link', variables('privatelink_blob_name')))]", - "location": "global", + "copy": { + "name": "publicIpAddressDiagnostics", + "count": "[length(parameters('publicIPAddressNames'))]" + }, + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('publicIPAddressDiagnostics_{0}', 
parameters('publicIPAddressNames')[copyIndex()])]", "properties": { - "registrationEnabled": false, - "virtualNetwork": { - "id": "[resourceId(parameters('vnetSubscriptionId'), parameters('vnetResourceGroup'), 'Microsoft.Network/virtualNetworks', parameters('vnetName'))]" + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "hubStorageAccountResourceId": { + "value": "[parameters('hubStorageAccountResourceId')]" + }, + "logAnalyticsWorkspaceResourceId": { + "value": "[parameters('logAnalyticsWorkspaceResourceId')]" + }, + "name": { + "value": "[parameters('publicIPAddressNames')[copyIndex()]]" + }, + "publicIPAddressDiagnosticsLogs": { + "value": "[parameters('publicIPAddressDiagnosticsLogs')]" + }, + "publicIPAddressDiagnosticsMetrics": { + "value": "[parameters('publicIPAddressDiagnosticsMetrics')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.24.24.22086", + "templateHash": "8851210835492653728" + } + }, + "parameters": { + "hubStorageAccountResourceId": { + "type": "string" + }, + "logAnalyticsWorkspaceResourceId": { + "type": "string" + }, + "name": { + "type": "string" + }, + "publicIPAddressDiagnosticsLogs": { + "type": "array" + }, + "publicIPAddressDiagnosticsMetrics": { + "type": "array" + } + }, + "resources": [ + { + "type": "Microsoft.Insights/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "scope": "[format('Microsoft.Network/publicIPAddresses/{0}', parameters('name'))]", + "name": "[format('{0}-diagnostics', parameters('name'))]", + "properties": { + "storageAccountId": "[parameters('hubStorageAccountResourceId')]", + "workspaceId": "[parameters('logAnalyticsWorkspaceResourceId')]", + "logs": "[parameters('publicIPAddressDiagnosticsLogs')]", + "metrics": "[parameters('publicIPAddressDiagnosticsMetrics')]" + } + } + 
] } - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/privateDnsZones', variables('privatelink_blob_name'))]" - ] - } - ], - "outputs": { - "agentsvcPrivateDnsZoneId": { - "type": "string", - "value": "[resourceId('Microsoft.Network/privateDnsZones', variables('privatelink_agentsvc_azure_automation_name'))]" - }, - "automationPrivateDnsZoneId": { - "type": "string", - "value": "[resourceId('Microsoft.Network/privateDnsZones', variables('privatelink_azure_automation_name'))]" - }, - "avdGlobalPrivateDnsZoneId": { - "type": "string", - "value": "[resourceId('Microsoft.Network/privateDnsZones', variables('privatelink_avd_global_name'))]" - }, - "avdPrivateDnsZoneId": { - "type": "string", - "value": "[resourceId('Microsoft.Network/privateDnsZones', variables('privatelink_avd_name'))]" - }, - "backupPrivateDnsZoneIds": { - "type": "array", - "copy": { - "count": "[length(variables('privatelink_backup_names'))]", - "input": "[resourceId('Microsoft.Network/privateDnsZones', variables('privatelink_backup_names')[copyIndex()])]" } }, - "filePrivateDnsZoneId": { - "type": "string", - "value": "[resourceId('Microsoft.Network/privateDnsZones', variables('privatelink_file_name'))]" - }, - "keyvaultDnsPrivateDnsZoneId": { - "type": "string", - "value": "[resourceId('Microsoft.Network/privateDnsZones', variables('privatelink_keyvaultDns_name'))]" - }, - "monitorPrivateDnsZoneId": { - "type": "string", - "value": "[resourceId('Microsoft.Network/privateDnsZones', variables('privatelink_monitor_name'))]" - }, - "odsPrivateDnsZoneId": { - "type": "string", - "value": "[resourceId('Microsoft.Network/privateDnsZones', variables('privatelink_ods_opinsights_name'))]" - }, - "omsPrivateDnsZoneId": { - "type": "string", - "value": "[resourceId('Microsoft.Network/privateDnsZones', variables('privatelink_oms_opinsights_name'))]" - }, - "queuePrivateDnsZoneId": { - "type": "string", - "value": "[resourceId('Microsoft.Network/privateDnsZones', variables('privatelink_queue_name'))]" - }, 
- "storagePrivateDnsZoneId": { - "type": "string", - "value": "[resourceId('Microsoft.Network/privateDnsZones', variables('privatelink_blob_name'))]" - }, - "tablePrivateDnsZoneId": { - "type": "string", - "value": "[resourceId('Microsoft.Network/privateDnsZones', variables('privatelink_table_name'))]" - } - } - } - }, - "dependsOn": [ - "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix')))]" - ] - }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "[format('activity-logs-hub-{0}', parameters('deploymentNameSuffix'))]", - "subscriptionId": "[parameters('hubSubscriptionId')]", - "location": "[deployment().location]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "diagnosticSettingName": { - "value": "[format('log-hub-sub-activity-to-{0}', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix')))).outputs.name.value)]" - }, - "logAnalyticsWorkspaceId": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix')))).outputs.id.value]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.10.61.36676", - "templateHash": "4564752438272570911" - } - }, - "parameters": { - 
"diagnosticSettingName": { - "type": "string" - }, - "logAnalyticsWorkspaceId": { - "type": "string" - }, - "supportedClouds": { - "type": "array", - "defaultValue": [ - "AzureCloud", - "AzureUSGovernment" - ] - } - }, - "resources": [ { - "condition": "[contains(parameters('supportedClouds'), environment().name)]", - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2017-05-01-preview", - "name": "[parameters('diagnosticSettingName')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "firewallDiagnostics", "properties": { - "workspaceId": "[parameters('logAnalyticsWorkspaceId')]", - "logs": [ - { - "category": "Administrative", - "enabled": true - }, - { - "category": "Security", - "enabled": true + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "logAnalyticsWorkspaceResourceId": { + "value": "[parameters('logAnalyticsWorkspaceResourceId')]" }, - { - "category": "ServiceHealth", - "enabled": true + "logs": { + "value": "[parameters('firewallDiagnosticsLogs')]" }, - { - "category": "Alert", - "enabled": true + "logStorageAccountResourceId": { + "value": "[parameters('hubStorageAccountResourceId')]" }, - { - "category": "Recommendation", - "enabled": true + "metrics": { + "value": "[parameters('firewallDiagnosticsMetrics')]" }, - { - "category": "Policy", - "enabled": true + "name": { + "value": "[parameters('firewallName')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.24.24.22086", + "templateHash": "9632306168160596389" + } }, - { - "category": "Autoscale", - "enabled": true + "parameters": { + "logAnalyticsWorkspaceResourceId": { + "type": "string" + }, + "logs": { + "type": "array" + }, + "logStorageAccountResourceId": { + "type": "string" + }, + "metrics": { + "type": "array" + }, 
+ "name": { + "type": "string" + } }, - { - "category": "ResourceHealth", - "enabled": true + "resources": [ + { + "type": "Microsoft.Insights/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "scope": "[format('Microsoft.Network/azureFirewalls/{0}', parameters('name'))]", + "name": "[format('{0}-diagnostics', parameters('name'))]", + "properties": { + "storageAccountId": "[parameters('logStorageAccountResourceId')]", + "workspaceId": "[parameters('logAnalyticsWorkspaceResourceId')]", + "logs": "[parameters('logs')]", + "metrics": "[parameters('metrics')]" + } + } + ], + "outputs": { + "privateIPAddress": { + "type": "string", + "value": "[reference(resourceId('Microsoft.Network/azureFirewalls', parameters('name')), '2021-02-01').ipConfigurations[0].properties.privateIPAddress]" + } } - ] + } } } ] 
@@ -6721,51 +7552,49 @@ }, "dependsOn": [ "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix')))]", + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-log-storage-hub-{0}', parameters('deploymentNameSuffix')))]", "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix')))]" ] }, { - "condition": "[contains(parameters('supportedClouds'), environment().name)]", + "copy": { + "name": "spokeDiagnostics", + "count": "[length(variables('spokes'))]" + }, "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "azure-monitor-private-link", - "subscriptionId": "[parameters('operationsSubscriptionId')]", - "resourceGroup": "[variables('operationsResourceGroupName')]", + "apiVersion": "2022-09-01", + "name": "[format('deploy-diagnostic-logging-{0}-{1}', variables('spokes')[copyIndex()].name, parameters('deploymentNameSuffix'))]", + "subscriptionId": "[variables('spokes')[copyIndex()].subscriptionId]", + "resourceGroup": "[variables('spokes')[copyIndex()].resourceGroupName]", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { - "logAnalyticsWorkspaceName": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix')))).outputs.name.value]" + "hubStorageAccountResourceId": { + 
"value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', variables('spokes')[copyIndex()].subscriptionId, variables('spokes')[copyIndex()].resourceGroupName), 'Microsoft.Resources/deployments', format('deploy-log-storage-{0}-{1}', variables('spokes')[copyIndex()].name, parameters('deploymentNameSuffix'))), '2022-09-01').outputs.ResourceId.value]" }, "logAnalyticsWorkspaceResourceId": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix')))).outputs.id.value]" - }, - "privateEndpointSubnetName": { - "value": "[variables('operationsSubnetName')]" + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.id.value]" }, - "privateEndpointVnetName": { - "value": "[variables('operationsVirtualNetworkName')]" - }, - "monitorPrivateDnsZoneId": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', 'azure-private-dns')).outputs.monitorPrivateDnsZoneId.value]" + "networkSecurityGroupDiagnosticsLogs": { + "value": "[variables('spokes')[copyIndex()].NetworkSecurityGroupDiagnosticsLogs]" }, - "omsPrivateDnsZoneId": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', 'azure-private-dns')).outputs.omsPrivateDnsZoneId.value]" + "networkSecurityGroupDiagnosticsMetrics": { + "value": 
"[variables('spokes')[copyIndex()].NetworkSecurityGroupDiagnosticsMetrics]" }, - "odsPrivateDnsZoneId": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', 'azure-private-dns')).outputs.odsPrivateDnsZoneId.value]" + "networkSecurityGroupName": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', variables('spokes')[copyIndex()].subscriptionId, variables('spokes')[copyIndex()].resourceGroupName), 'Microsoft.Resources/deployments', format('deploy-vnet-{0}-{1}', variables('spokes')[copyIndex()].name, parameters('deploymentNameSuffix'))), '2022-09-01').outputs.networkSecurityGroupName.value]" }, - "agentsvcPrivateDnsZoneId": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', 'azure-private-dns')).outputs.agentsvcPrivateDnsZoneId.value]" + "virtualNetworkDiagnosticsLogs": { + "value": "[variables('spokes')[copyIndex()].VirtualNetworkDiagnosticsLogs]" }, - "location": { - "value": "[parameters('location')]" + "virtualNetworkDiagnosticsMetrics": { + "value": "[variables('spokes')[copyIndex()].VirtualNetworkDiagnosticsMetrics]" }, - "tags": { - "value": "[parameters('tags')]" + "virtualNetworkName": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', variables('spokes')[copyIndex()].subscriptionId, variables('spokes')[copyIndex()].resourceGroupName), 'Microsoft.Resources/deployments', format('deploy-vnet-{0}-{1}', variables('spokes')[copyIndex()].name, parameters('deploymentNameSuffix'))), '2022-09-01').outputs.virtualNetworkName.value]" } }, "template": { 
@@ -6774,201 +7603,192 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.10.61.36676", - "templateHash": "10271763324309057378" + "version": "0.24.24.22086", + "templateHash": "1181334419264940080" } }, "parameters": { - "logAnalyticsWorkspaceName": { - "type": "string", - "metadata": { - "description": "The name of the resource the private endpoint is being created for" - } + "hubStorageAccountResourceId": { + "type": "string" }, "logAnalyticsWorkspaceResourceId": { - "type": "string", - "metadata": { - "description": "The resource id of the resoure the private endpoint is being created for" - } - }, - "privateEndpointSubnetName": { - "type": "string", - "metadata": { - "description": "The name of the subnet in the virtual network where the private endpoint will be placed" - } - }, - "privateEndpointVnetName": { - "type": "string", - "metadata": { - "description": "The name of the virtual network where the private endpoint will be placed" - } - }, - "tags": { - "type": "object", - "metadata": { - "description": "The tags that will be associated to the VM" - } - }, - "uniqueData": { - "type": "string", - "defaultValue": "[substring(uniqueString(subscription().subscriptionId, deployment().name), 0, 8)]", - "metadata": { - "description": "Data used to append to resources to ensure uniqueness" - } - }, - "vnetResourceGroup": { - "type": "string", - "defaultValue": "[resourceGroup().name]", - "metadata": { - "description": "The name of the the resource group where the virtual network exists" - } + "type": "string" }, - "vnetSubscriptionId": { - "type": "string", - "defaultValue": "[subscription().subscriptionId]", - "metadata": { - "description": "The subscription id of the subscription the virtual network exists in" - } + "networkSecurityGroupDiagnosticsLogs": { + "type": "array" }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "The location of this resource" - } + 
"networkSecurityGroupDiagnosticsMetrics": { + "type": "array" }, - "monitorPrivateDnsZoneId": { - "type": "string", - "metadata": { - "description": "Azure Monitor Private DNS Zone resource id" - } + "networkSecurityGroupName": { + "type": "string" }, - "omsPrivateDnsZoneId": { - "type": "string", - "metadata": { - "description": "OMS Private DNS Zone resource id" - } + "virtualNetworkDiagnosticsLogs": { + "type": "array" }, - "odsPrivateDnsZoneId": { - "type": "string", - "metadata": { - "description": "ODS Private DNS Zone resource id" - } + "virtualNetworkDiagnosticsMetrics": { + "type": "array" }, - "agentsvcPrivateDnsZoneId": { - "type": "string", - "metadata": { - "description": "Agentsvc Private DNS Zone resource id" - } + "virtualNetworkName": { + "type": "string" } }, - "variables": { - "privateLinkConnectionName": "[take(format('plconn{0}{1}', parameters('logAnalyticsWorkspaceName'), parameters('uniqueData')), 80)]", - "privateLinkEndpointName": "[take(format('pe{0}{1}', parameters('logAnalyticsWorkspaceName'), parameters('uniqueData')), 80)]", - "privateLinkScopeName": "[take(format('plscope{0}{1}', parameters('logAnalyticsWorkspaceName'), parameters('uniqueData')), 80)]", - "privateLinkScopeResourceName": "[take(format('plscres{0}{1}', parameters('logAnalyticsWorkspaceName'), parameters('uniqueData')), 80)]" - }, "resources": [ { - "type": "microsoft.insights/privateLinkScopes", - "apiVersion": "2019-10-17-preview", - "name": "[variables('privateLinkScopeName')]", - "location": "global", - "properties": {} - }, - { - "type": "Microsoft.Insights/privateLinkScopes/scopedResources", - "apiVersion": "2019-10-17-preview", - "name": "[format('{0}/{1}', variables('privateLinkScopeName'), variables('privateLinkScopeResourceName'))]", - "properties": { - "linkedResourceId": "[parameters('logAnalyticsWorkspaceResourceId')]" - }, - "dependsOn": [ - "[resourceId('microsoft.insights/privateLinkScopes', variables('privateLinkScopeName'))]" - ] - }, - { - "type": 
"Microsoft.Network/privateEndpoints", - "apiVersion": "2020-07-01", - "name": "[variables('privateLinkEndpointName')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "networkSecurityGroupDiagnostics", "properties": { - "subnet": { - "id": "[resourceId(parameters('vnetSubscriptionId'), parameters('vnetResourceGroup'), 'Microsoft.Network/virtualNetworks/subnets', parameters('privateEndpointVnetName'), parameters('privateEndpointSubnetName'))]" + "expressionEvaluationOptions": { + "scope": "inner" }, - "privateLinkServiceConnections": [ - { - "name": "[variables('privateLinkConnectionName')]", - "properties": { - "privateLinkServiceId": "[resourceId('microsoft.insights/privateLinkScopes', variables('privateLinkScopeName'))]", - "groupIds": [ - "azuremonitor" - ] - } + "mode": "Incremental", + "parameters": { + "logAnalyticsWorkspaceResourceId": { + "value": "[parameters('logAnalyticsWorkspaceResourceId')]" + }, + "logs": { + "value": "[parameters('networkSecurityGroupDiagnosticsLogs')]" + }, + "logStorageAccountResourceId": { + "value": "[parameters('hubStorageAccountResourceId')]" + }, + "metrics": { + "value": "[parameters('networkSecurityGroupDiagnosticsMetrics')]" + }, + "name": { + "value": "[parameters('networkSecurityGroupName')]" } - ] - }, - "dependsOn": [ - "[resourceId('microsoft.insights/privateLinkScopes', variables('privateLinkScopeName'))]", - "[resourceId('Microsoft.Insights/privateLinkScopes/scopedResources', split(format('{0}/{1}', variables('privateLinkScopeName'), variables('privateLinkScopeResourceName')), '/')[0], split(format('{0}/{1}', variables('privateLinkScopeName'), variables('privateLinkScopeResourceName')), '/')[1])]" - ] + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + 
"version": "0.24.24.22086", + "templateHash": "7786315125053139576" + } + }, + "parameters": { + "name": { + "type": "string" + }, + "logAnalyticsWorkspaceResourceId": { + "type": "string" + }, + "logs": { + "type": "array" + }, + "logStorageAccountResourceId": { + "type": "string" + }, + "metrics": { + "type": "array" + } + }, + "resources": [ + { + "type": "Microsoft.Insights/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "scope": "[format('Microsoft.Network/networkSecurityGroups/{0}', parameters('name'))]", + "name": "[format('{0}-diagnostics', parameters('name'))]", + "properties": { + "storageAccountId": "[parameters('logStorageAccountResourceId')]", + "workspaceId": "[parameters('logAnalyticsWorkspaceResourceId')]", + "logs": "[parameters('logs')]", + "metrics": "[parameters('metrics')]" + } + } + ] + } + } }, { - "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", - "apiVersion": "2020-07-01", - "name": "[format('{0}/{1}', variables('privateLinkEndpointName'), variables('privateLinkEndpointName'))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "virtualNetworkDiagnostics", "properties": { - "privateDnsZoneConfigs": [ - { - "name": "monitor", - "properties": { - "privateDnsZoneId": "[parameters('monitorPrivateDnsZoneId')]" - } + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "logAnalyticsWorkspaceResourceId": { + "value": "[parameters('logAnalyticsWorkspaceResourceId')]" }, - { - "name": "oms", - "properties": { - "privateDnsZoneId": "[parameters('omsPrivateDnsZoneId')]" + "logs": { + "value": "[parameters('virtualNetworkDiagnosticsLogs')]" + }, + "logStorageAccountResourceId": { + "value": "[parameters('hubStorageAccountResourceId')]" + }, + "metrics": { + "value": "[parameters('virtualNetworkDiagnosticsMetrics')]" + }, + "name": { + "value": "[parameters('virtualNetworkName')]" + } + }, + "template": { + "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.24.24.22086", + "templateHash": "15623637455522175927" } }, - { - "name": "ods", - "properties": { - "privateDnsZoneId": "[parameters('odsPrivateDnsZoneId')]" + "parameters": { + "logAnalyticsWorkspaceResourceId": { + "type": "string" + }, + "logs": { + "type": "array" + }, + "logStorageAccountResourceId": { + "type": "string" + }, + "metrics": { + "type": "array" + }, + "name": { + "type": "string" } }, - { - "name": "agentsvc", - "properties": { - "privateDnsZoneId": "[parameters('agentsvcPrivateDnsZoneId')]" + "resources": [ + { + "type": "Microsoft.Insights/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "scope": "[format('Microsoft.Network/virtualNetworks/{0}', parameters('name'))]", + "name": "[format('{0}-diagnostics', parameters('name'))]", + "properties": { + "storageAccountId": "[parameters('logStorageAccountResourceId')]", + "workspaceId": "[parameters('logAnalyticsWorkspaceResourceId')]", + "logs": "[parameters('logs')]", + "metrics": "[parameters('metrics')]" + } } - } - ] - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', variables('privateLinkEndpointName'))]" - ] + ] + } + } } ] } }, "dependsOn": [ - "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', 'azure-private-dns')]", "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix')))]", - "spokeNetworks" + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', variables('spokes')[copyIndex()].subscriptionId, variables('spokes')[copyIndex()].resourceGroupName), 
'Microsoft.Resources/deployments', format('deploy-vnet-{0}-{1}', variables('spokes')[copyIndex()].name, parameters('deploymentNameSuffix')))]", + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', variables('spokes')[copyIndex()].subscriptionId, variables('spokes')[copyIndex()].resourceGroupName), 'Microsoft.Resources/deployments', format('deploy-vnet-{0}-{1}', variables('spokes')[copyIndex()].name, parameters('deploymentNameSuffix')))]", + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', variables('spokes')[copyIndex()].subscriptionId, variables('spokes')[copyIndex()].resourceGroupName), 'Microsoft.Resources/deployments', format('deploy-log-storage-{0}-{1}', variables('spokes')[copyIndex()].name, parameters('deploymentNameSuffix')))]" ] }, { - "condition": "[not(equals(variables('spokes')[copyIndex()].subscriptionId, parameters('hubSubscriptionId')))]", - "copy": { - "name": "spokeSubscriptionActivityLogging", - "count": "[length(variables('spokes'))]" - }, "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "[format('activity-logs-{0}-{1}', variables('spokes')[copyIndex()].name, parameters('deploymentNameSuffix'))]", - "subscriptionId": "[variables('spokes')[copyIndex()].subscriptionId]", + "apiVersion": "2022-09-01", + "name": "[format('activity-logs-hub-{0}', parameters('deploymentNameSuffix'))]", + "subscriptionId": "[parameters('hubSubscriptionId')]", "location": "[deployment().location]", "properties": { "expressionEvaluationOptions": { 
@@ -6977,10 +7797,10 @@ "mode": "Incremental", "parameters": { "diagnosticSettingName": { - "value": "[format('log-{0}-sub-activity-to-{1}', variables('spokes')[copyIndex()].name, reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix')))).outputs.name.value)]" + "value": "[format('log-hub-sub-activity-to-{0}', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.name.value)]" }, "logAnalyticsWorkspaceId": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix')))).outputs.id.value]" + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.id.value]" } }, "template": { @@ -6989,8 +7809,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.10.61.36676", - "templateHash": "4564752438272570911" + "version": "0.24.24.22086", + "templateHash": "3850477028148266020" } }, "parameters": { 
@@ -7056,44 +7876,49 @@ } }, "dependsOn": [ - "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix')))]", - "spokeNetworks" + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix')))]", + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix')))]" ] }, { + "copy": { + "name": "spokeSubscriptionActivityLogging", + "count": "[length(variables('spokes'))]" + }, + "condition": "[not(equals(variables('spokes')[copyIndex()].subscriptionId, parameters('hubSubscriptionId')))]", "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "[format('deploy-diagnostic-logging-{0}', parameters('deploymentNameSuffix'))]", - "subscriptionId": "[parameters('operationsSubscriptionId')]", - "resourceGroup": "[variables('operationsResourceGroupName')]", + "apiVersion": "2022-09-01", + "name": "[format('activity-logs-{0}-{1}', variables('spokes')[copyIndex()].name, parameters('deploymentNameSuffix'))]", + "subscriptionId": "[variables('spokes')[copyIndex()].subscriptionId]", + "location": "[deployment().location]", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { - "diagnosticStorageAccountName": { - "value": "[variables('operationsLogStorageAccountName')]" + "diagnosticSettingName": { + "value": "[format('log-{0}-sub-activity-to-{1}', variables('spokes')[copyIndex()].name, 
reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.name.value)]" }, - "logAnalyticsWorkspaceName": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix')))).outputs.name.value]" + "logAnalyticsWorkspaceId": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.id.value]" } }, "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", - "version": "0.10.61.36676", - "templateHash": "5252752072010358356" + "version": "0.24.24.22086", + "templateHash": "3850477028148266020" } }, "parameters": { - "diagnosticStorageAccountName": { + "diagnosticSettingName": { "type": "string" }, - "logAnalyticsWorkspaceName": { + "logAnalyticsWorkspaceId": { "type": "string" }, "supportedClouds": { 
@@ -7109,20 +7934,40 @@ "condition": "[contains(parameters('supportedClouds'), environment().name)]", "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2017-05-01-preview", - "scope": "[format('Microsoft.OperationalInsights/workspaces/{0}', parameters('logAnalyticsWorkspaceName'))]", - "name": "enable-log-analytics-diagnostics", + "name": "[parameters('diagnosticSettingName')]", "properties": { - "workspaceId": "[resourceId('Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))]", - "storageAccountId": "[resourceId('Microsoft.Storage/storageAccounts', parameters('diagnosticStorageAccountName'))]", + "workspaceId": "[parameters('logAnalyticsWorkspaceId')]", "logs": [ { - "category": "Audit", + "category": "Administrative", "enabled": true - } - ], - "metrics": [ + }, { - "category": "AllMetrics", + "category": "Security", + "enabled": true + }, + { + "category": "ServiceHealth", + "enabled": true + }, + { + "category": "Alert", + "enabled": true + }, + { + "category": "Recommendation", + "enabled": true + }, + { + "category": "Policy", + "enabled": true + }, + { + "category": "Autoscale", + "enabled": true + }, + { + "category": "ResourceHealth", "enabled": true } ] 
@@ -7132,314 +7977,91 @@ } }, "dependsOn": [ - "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix')))]", "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix')))]", "spokeNetworks" ] }, { - "condition": "[parameters('deployDefender')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "[format('set-hub-sub-defender-{0}', parameters('deploymentNameSuffix'))]", - "subscriptionId": "[parameters('hubSubscriptionId')]", - "location": "[deployment().location]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "logAnalyticsWorkspaceId": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix')))).outputs.id.value]" - }, - "emailSecurityContact": { - "value": "[parameters('emailSecurityContact')]" - }, - "defenderSkuTier": { - "value": "[parameters('defenderSkuTier')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.10.61.36676", - "templateHash": "9863600299947422102" - } - }, - "parameters": { - "bundle": { - "type": "array", - "defaultValue": "[if(equals(environment().name, 'AzureCloud'), createArray('Api', 'AppServices', 'Arm', 'CloudPosture', 'Containers', 'CosmosDbs', 'KeyVaults', 
'OpenSourceRelationalDatabases', 'SqlServers', 'SqlServerVirtualMachines', 'StorageAccounts', 'VirtualMachines'), if(equals(environment().name, 'AzureUSGovernment'), createArray('Arm', 'Containers', 'OpenSourceRelationalDatabases', 'SqlServers', 'SqlServerVirtualMachines', 'StorageAccounts', 'VirtualMachines'), createArray()))]" - }, - "enableAutoProvisioning": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Turn automatic deployment by Defender of the MMA (OMS VM extension) on or off" - } - }, - "logAnalyticsWorkspaceId": { - "type": "string", - "metadata": { - "description": "Specify the ID of your custom Log Analytics workspace to collect Defender data." - } - }, - "emailSecurityContact": { - "type": "string", - "metadata": { - "description": "Email address of the contact, in the form of john@doe.com" - } - }, - "policySetDescription": { - "type": "string", - "defaultValue": "The Microsoft Cloud Security Benchmark initiative represents the policies and controls implementing security recommendations defined in Microsoft Cloud Security Benchmark v2, see https://aka.ms/azsecbm. This also serves as the Microsoft Defender for Cloud default policy initiative. You can directly assign this initiative, or manage its policies and compliance results within Microsoft Defender.", - "metadata": { - "description": "Policy Initiative description field" - } - }, - "defenderSkuTier": { - "type": "string", - "defaultValue": "Standard", - "metadata": { - "description": "[Standard/Free] The SKU for Defender. It defaults to \"Standard\"." 
- } - } - }, - "variables": { - "autoProvisioning": "[if(parameters('enableAutoProvisioning'), 'On', 'Off')]" - }, - "resources": [ - { - "copy": { - "name": "defenderPricing", - "count": "[length(parameters('bundle'))]", - "mode": "serial", - "batchSize": 1 - }, - "type": "Microsoft.Security/pricings", - "apiVersion": "2023-01-01", - "name": "[parameters('bundle')[copyIndex()]]", - "properties": { - "pricingTier": "[parameters('defenderSkuTier')]" - } - }, - { - "type": "Microsoft.Security/autoProvisioningSettings", - "apiVersion": "2019-01-01", - "name": "default", - "properties": { - "autoProvision": "[variables('autoProvisioning')]" - } - }, - { - "type": "Microsoft.Security/workspaceSettings", - "apiVersion": "2019-01-01", - "name": "default", - "properties": { - "workspaceId": "[parameters('logAnalyticsWorkspaceId')]", - "scope": "[subscription().id]" - } - }, - { - "condition": "[not(empty(parameters('emailSecurityContact')))]", - "type": "Microsoft.Security/securityContacts", - "apiVersion": "2020-01-01-preview", - "name": "default", - "properties": { - "notificationsByRole": { - "roles": [ - "AccountAdmin", - "Contributor", - "Owner", - "ServiceAdmin" - ], - "state": "On" - }, - "alertNotifications": { - "state": "On" - }, - "emails": "[parameters('emailSecurityContact')]" - } - }, - { - "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2022-06-01", - "name": "Microsoft Cloud Security Benchmark", - "properties": { - "displayName": "Defender Default", - "description": "[parameters('policySetDescription')]", - "enforcementMode": "DoNotEnforce", - "parameters": {}, - "policyDefinitionId": "[tenantResourceId('Microsoft.Authorization/policySetDefinitions', '1f3afdf9-d0c9-4c3d-847f-89da613e70a8')]" - } - } - ] - } - }, - "dependsOn": [ - "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', 
format('deploy-laws-{0}', parameters('deploymentNameSuffix')))]" - ] - }, - { - "condition": "[and(parameters('deployDefender'), not(equals(variables('spokes')[copyIndex()].subscriptionId, parameters('hubSubscriptionId'))))]", - "copy": { - "name": "spokeDefender", - "count": "[length(variables('spokes'))]" - }, "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "[format('set-{0}-sub-defender', variables('spokes')[copyIndex()].name)]", - "subscriptionId": "[variables('spokes')[copyIndex()].subscriptionId]", - "location": "[deployment().location]", + "apiVersion": "2022-09-01", + "name": "[format('deploy-diagnostic-logging-{0}', parameters('deploymentNameSuffix'))]", + "subscriptionId": "[parameters('operationsSubscriptionId')]", + "resourceGroup": "[variables('operationsResourceGroupName')]", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { - "logAnalyticsWorkspaceId": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix')))).outputs.id.value]" - }, - "emailSecurityContact": { - "value": "[parameters('emailSecurityContact')]" + "diagnosticStorageAccountName": { + "value": "[variables('operationsLogStorageAccountName')]" }, - "defenderSkuTier": { - "value": "[parameters('defenderSkuTier')]" + "logAnalyticsWorkspaceName": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.name.value]" } }, "template": { - "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", + "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", - "version": "0.10.61.36676", - "templateHash": "9863600299947422102" + "version": "0.24.24.22086", + "templateHash": "6866155279282592403" } }, "parameters": { - "bundle": { - "type": "array", - "defaultValue": "[if(equals(environment().name, 'AzureCloud'), createArray('Api', 'AppServices', 'Arm', 'CloudPosture', 'Containers', 'CosmosDbs', 'KeyVaults', 'OpenSourceRelationalDatabases', 'SqlServers', 'SqlServerVirtualMachines', 'StorageAccounts', 'VirtualMachines'), if(equals(environment().name, 'AzureUSGovernment'), createArray('Arm', 'Containers', 'OpenSourceRelationalDatabases', 'SqlServers', 'SqlServerVirtualMachines', 'StorageAccounts', 'VirtualMachines'), createArray()))]" - }, - "enableAutoProvisioning": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Turn automatic deployment by Defender of the MMA (OMS VM extension) on or off" - } - }, - "logAnalyticsWorkspaceId": { - "type": "string", - "metadata": { - "description": "Specify the ID of your custom Log Analytics workspace to collect Defender data." - } - }, - "emailSecurityContact": { - "type": "string", - "metadata": { - "description": "Email address of the contact, in the form of john@doe.com" - } + "diagnosticStorageAccountName": { + "type": "string" }, - "policySetDescription": { - "type": "string", - "defaultValue": "The Microsoft Cloud Security Benchmark initiative represents the policies and controls implementing security recommendations defined in Microsoft Cloud Security Benchmark v2, see https://aka.ms/azsecbm. This also serves as the Microsoft Defender for Cloud default policy initiative. 
You can directly assign this initiative, or manage its policies and compliance results within Microsoft Defender.", - "metadata": { - "description": "Policy Initiative description field" - } + "logAnalyticsWorkspaceName": { + "type": "string" }, - "defenderSkuTier": { - "type": "string", - "defaultValue": "Standard", - "metadata": { - "description": "[Standard/Free] The SKU for Defender. It defaults to \"Standard\"." - } + "supportedClouds": { + "type": "array", + "defaultValue": [ + "AzureCloud", + "AzureUSGovernment" + ] } }, - "variables": { - "autoProvisioning": "[if(parameters('enableAutoProvisioning'), 'On', 'Off')]" - }, "resources": [ { - "copy": { - "name": "defenderPricing", - "count": "[length(parameters('bundle'))]", - "mode": "serial", - "batchSize": 1 - }, - "type": "Microsoft.Security/pricings", - "apiVersion": "2023-01-01", - "name": "[parameters('bundle')[copyIndex()]]", - "properties": { - "pricingTier": "[parameters('defenderSkuTier')]" - } - }, - { - "type": "Microsoft.Security/autoProvisioningSettings", - "apiVersion": "2019-01-01", - "name": "default", - "properties": { - "autoProvision": "[variables('autoProvisioning')]" - } - }, - { - "type": "Microsoft.Security/workspaceSettings", - "apiVersion": "2019-01-01", - "name": "default", - "properties": { - "workspaceId": "[parameters('logAnalyticsWorkspaceId')]", - "scope": "[subscription().id]" - } - }, - { - "condition": "[not(empty(parameters('emailSecurityContact')))]", - "type": "Microsoft.Security/securityContacts", - "apiVersion": "2020-01-01-preview", - "name": "default", - "properties": { - "notificationsByRole": { - "roles": [ - "AccountAdmin", - "Contributor", - "Owner", - "ServiceAdmin" - ], - "state": "On" - }, - "alertNotifications": { - "state": "On" - }, - "emails": "[parameters('emailSecurityContact')]" - } - }, - { - "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2022-06-01", - "name": "Microsoft Cloud Security Benchmark", + "condition": 
"[contains(parameters('supportedClouds'), environment().name)]", + "type": "Microsoft.Insights/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "scope": "[format('Microsoft.OperationalInsights/workspaces/{0}', parameters('logAnalyticsWorkspaceName'))]", + "name": "enable-log-analytics-diagnostics", "properties": { - "displayName": "Defender Default", - "description": "[parameters('policySetDescription')]", - "enforcementMode": "DoNotEnforce", - "parameters": {}, - "policyDefinitionId": "[tenantResourceId('Microsoft.Authorization/policySetDefinitions', '1f3afdf9-d0c9-4c3d-847f-89da613e70a8')]" + "workspaceId": "[resourceId('Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))]", + "storageAccountId": "[resourceId('Microsoft.Storage/storageAccounts', parameters('diagnosticStorageAccountName'))]", + "logs": [ + { + "category": "Audit", + "enabled": true + } + ], + "metrics": [ + { + "category": "AllMetrics", + "enabled": true + } + ] } } ] } }, "dependsOn": [ - "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix')))]" + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix')))]", + "spokeStorage" ] }, { - "condition": "[parameters('deployRemoteAccess')]", + "condition": "[parameters('deployPolicy')]", "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "[format('deploy-remote-access-{0}', parameters('deploymentNameSuffix'))]", + "apiVersion": "2022-09-01", + "name": "[format('assign-policy-hub-{0}', parameters('deploymentNameSuffix'))]", "subscriptionId": "[parameters('hubSubscriptionId')]", "resourceGroup": 
"[variables('hubResourceGroupName')]", "properties": { 
@@ -7448,122 +8070,20 @@ }, "mode": "Incremental", "parameters": { - "location": { - "value": "[parameters('location')]" - }, - "hubVirtualNetworkName": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix')))).outputs.virtualNetworkName.value]" - }, - "hubSubnetResourceId": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix')))).outputs.subnetResourceId.value]" - }, - "hubNetworkSecurityGroupResourceId": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix')))).outputs.networkSecurityGroupResourceId.value]" - }, - "bastionHostName": { - "value": "[variables('bastionHostName')]" - }, - "bastionHostSubnetAddressPrefix": { - "value": "[parameters('bastionHostSubnetAddressPrefix')]" - }, - "bastionHostPublicIPAddressName": { - "value": "[variables('bastionHostPublicIPAddressName')]" - }, - "bastionHostPublicIPAddressSkuName": { - "value": "[variables('bastionHostPublicIPAddressSkuName')]" - }, - "bastionHostPublicIPAddressAllocationMethod": { - "value": "[variables('bastionHostPublicIPAddressAllocationMethod')]" - }, - "bastionHostPublicIPAddressAvailabilityZones": { - "value": "[parameters('bastionHostPublicIPAddressAvailabilityZones')]" - }, - "bastionHostIPConfigurationName": { - "value": "[variables('bastionHostIPConfigurationName')]" - }, - "linuxNetworkInterfaceName": { - "value": "[variables('linuxNetworkInterfaceName')]" - }, - 
"linuxNetworkInterfaceIpConfigurationName": { - "value": "[variables('linuxNetworkInterfaceIpConfigurationName')]" - }, - "linuxNetworkInterfacePrivateIPAddressAllocationMethod": { - "value": "[parameters('linuxNetworkInterfacePrivateIPAddressAllocationMethod')]" - }, - "linuxVmName": { - "value": "[variables('linuxVmName')]" - }, - "linuxVmSize": { - "value": "[parameters('linuxVmSize')]" - }, - "linuxVmOsDiskCreateOption": { - "value": "[parameters('linuxVmOsDiskCreateOption')]" - }, - "linuxVmOsDiskType": { - "value": "[parameters('linuxVmOsDiskType')]" - }, - "linuxVmImagePublisher": { - "value": "[parameters('linuxVmImagePublisher')]" - }, - "linuxVmImageOffer": { - "value": "[parameters('linuxVmImageOffer')]" - }, - "linuxVmImageSku": { - "value": "[parameters('linuxVmImageSku')]" - }, - "linuxVmImageVersion": { - "value": "[parameters('linuxVmImageVersion')]" - }, - "linuxVmAdminUsername": { - "value": "[parameters('linuxVmAdminUsername')]" - }, - "linuxVmAuthenticationType": { - "value": "[parameters('linuxVmAuthenticationType')]" - }, - "linuxVmAdminPasswordOrKey": { - "value": "[parameters('linuxVmAdminPasswordOrKey')]" - }, - "windowsNetworkInterfaceName": { - "value": "[variables('windowsNetworkInterfaceName')]" - }, - "windowsNetworkInterfaceIpConfigurationName": { - "value": "[variables('windowsNetworkInterfaceIpConfigurationName')]" - }, - "windowsNetworkInterfacePrivateIPAddressAllocationMethod": { - "value": "[parameters('windowsNetworkInterfacePrivateIPAddressAllocationMethod')]" - }, - "windowsVmName": { - "value": "[variables('windowsVmName')]" - }, - "windowsVmSize": { - "value": "[parameters('windowsVmSize')]" - }, - "windowsVmAdminUsername": { - "value": "[parameters('windowsVmAdminUsername')]" - }, - "windowsVmAdminPassword": { - "value": "[parameters('windowsVmAdminPassword')]" - }, - "windowsVmPublisher": { - "value": "[parameters('windowsVmPublisher')]" - }, - "windowsVmOffer": { - "value": "[parameters('windowsVmOffer')]" - }, - 
"windowsVmSku": { - "value": "[parameters('windowsVmSku')]" + "builtInAssignment": { + "value": "[parameters('policy')]" }, - "windowsVmVersion": { - "value": "[parameters('windowsVmVersion')]" + "logAnalyticsWorkspaceName": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.name.value]" }, - "windowsVmCreateOption": { - "value": "[parameters('windowsVmCreateOption')]" + "logAnalyticsWorkspaceResourceGroupName": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.resourceGroupName.value]" }, - "windowsVmStorageAccountType": { - "value": "[parameters('windowsVmStorageAccountType')]" + "operationsSubscriptionId": { + "value": "[parameters('operationsSubscriptionId')]" }, - "logAnalyticsWorkspaceId": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix')))).outputs.id.value]" + "location": { + "value": "[parameters('location')]" } }, "template": { 
@@ -7572,438 +8092,180 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.10.61.36676", - "templateHash": "12263908493790666338" + "version": "0.24.24.22086", + "templateHash": "16693295535307781768" } }, "parameters": { - "location": { - "type": "string" - }, - "tags": { - "type": "object", - "defaultValue": {} - }, - "hubVirtualNetworkName": { - "type": "string" - }, - "hubSubnetResourceId": { - "type": "string" - }, - "hubNetworkSecurityGroupResourceId": { - "type": "string" - }, - "bastionHostName": { - "type": "string" - }, - "bastionHostSubnetAddressPrefix": { - "type": "string" - }, - "bastionHostPublicIPAddressName": { - "type": "string" - }, - "bastionHostPublicIPAddressSkuName": { - "type": "string" - }, - "bastionHostPublicIPAddressAllocationMethod": { - "type": "string" - }, - "bastionHostPublicIPAddressAvailabilityZones": { - "type": "array" - }, - "bastionHostIPConfigurationName": { - "type": "string" - }, - "linuxNetworkInterfaceName": { - "type": "string" - }, - "linuxNetworkInterfaceIpConfigurationName": { - "type": "string" - }, - "linuxNetworkInterfacePrivateIPAddressAllocationMethod": { - "type": "string" - }, - "linuxVmName": { - "type": "string" - }, - "linuxVmSize": { - "type": "string" - }, - "linuxVmOsDiskCreateOption": { - "type": "string" - }, - "linuxVmOsDiskType": { - "type": "string" - }, - "linuxVmImagePublisher": { - "type": "string" - }, - "linuxVmImageOffer": { - "type": "string" - }, - "linuxVmImageSku": { - "type": "string" - }, - "linuxVmImageVersion": { - "type": "string" - }, - "linuxVmAdminUsername": { - "type": "string" - }, - "linuxVmAuthenticationType": { + "builtInAssignment": { "type": "string", + "defaultValue": "NISTRev4", "allowedValues": [ - "sshPublicKey", - "password" - ] - }, - "linuxVmAdminPasswordOrKey": { - "type": "secureString", - "minLength": 12 - }, - "windowsNetworkInterfaceName": { - "type": "string" - }, - "windowsNetworkInterfaceIpConfigurationName": { - "type": "string" - }, - 
"windowsNetworkInterfacePrivateIPAddressAllocationMethod": { - "type": "string" - }, - "windowsVmName": { - "type": "string" - }, - "windowsVmSize": { - "type": "string" - }, - "windowsVmAdminUsername": { - "type": "string" - }, - "windowsVmAdminPassword": { - "type": "secureString", - "minLength": 12 - }, - "windowsVmPublisher": { - "type": "string" - }, - "windowsVmOffer": { - "type": "string" - }, - "windowsVmSku": { - "type": "string" + "NISTRev4", + "NISTRev5", + "IL5", + "CMMC" + ], + "metadata": { + "description": "[NISTRev4/NISTRev5/IL5/CMMC] Built-in policy assignments to assign, default is NISTRev4. IL5 is only available for AzureUsGovernment and will switch to NISTRev4 if tried in AzureCloud." + } }, - "windowsVmVersion": { + "logAnalyticsWorkspaceName": { "type": "string" }, - "windowsVmCreateOption": { + "logAnalyticsWorkspaceResourceGroupName": { "type": "string" }, - "windowsVmStorageAccountType": { + "operationsSubscriptionId": { "type": "string" }, - "logAnalyticsWorkspaceId": { - "type": "string" - } - }, - "resources": [ - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "remoteAccess-bastionHost", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[parameters('bastionHostName')]" - }, - "location": { - "value": "[parameters('location')]" - }, - "tags": { - "value": "[parameters('tags')]" - }, - "virtualNetworkName": { - "value": "[parameters('hubVirtualNetworkName')]" - }, - "subnetAddressPrefix": { - "value": "[parameters('bastionHostSubnetAddressPrefix')]" - }, - "publicIPAddressName": { - "value": "[parameters('bastionHostPublicIPAddressName')]" - }, - "publicIPAddressSkuName": { - "value": "[parameters('bastionHostPublicIPAddressSkuName')]" - }, - "publicIPAddressAllocationMethod": { - "value": "[parameters('bastionHostPublicIPAddressAllocationMethod')]" - }, - "publicIPAddressAvailabilityZones": { - "value": 
"[parameters('bastionHostPublicIPAddressAvailabilityZones')]" - }, - "ipConfigurationName": { - "value": "[parameters('bastionHostIPConfigurationName')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.10.61.36676", - "templateHash": "9188768803513020911" - } - }, - "parameters": { - "name": { - "type": "string" - }, - "location": { - "type": "string" - }, - "tags": { - "type": "object", - "defaultValue": {} - }, - "virtualNetworkName": { - "type": "string" - }, - "subnetAddressPrefix": { - "type": "string" - }, - "publicIPAddressName": { - "type": "string" - }, - "publicIPAddressSkuName": { - "type": "string" - }, - "publicIPAddressAllocationMethod": { - "type": "string" - }, - "publicIPAddressAvailabilityZones": { - "type": "array" - }, - "ipConfigurationName": { - "type": "string" - } - }, - "variables": { - "subnetName": "AzureBastionSubnet" - }, - "resources": [ - { - "type": "Microsoft.Network/publicIPAddresses", - "apiVersion": "2021-02-01", - "name": "[parameters('publicIPAddressName')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "sku": { - "name": "[parameters('publicIPAddressSkuName')]" - }, - "properties": { - "publicIPAllocationMethod": "[parameters('publicIPAddressAllocationMethod')]" - }, - "zones": "[parameters('publicIPAddressAvailabilityZones')]" - }, - { - "type": "Microsoft.Network/virtualNetworks/subnets", - "apiVersion": "2021-02-01", - "name": "[format('{0}/{1}', parameters('virtualNetworkName'), variables('subnetName'))]", - "properties": { - "addressPrefix": "[parameters('subnetAddressPrefix')]" - } - }, - { - "type": "Microsoft.Network/bastionHosts", - "apiVersion": "2021-02-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "ipConfigurations": [ - { - 
"name": "[parameters('ipConfigurationName')]", - "properties": { - "subnet": { - "id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', split(format('{0}/{1}', parameters('virtualNetworkName'), variables('subnetName')), '/')[0], split(format('{0}/{1}', parameters('virtualNetworkName'), variables('subnetName')), '/')[1])]" - }, - "publicIPAddress": { - "id": "[resourceId('Microsoft.Network/publicIPAddresses', parameters('publicIPAddressName'))]" - } - } - } - ] - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/publicIPAddresses', parameters('publicIPAddressName'))]", - "[resourceId('Microsoft.Network/virtualNetworks/subnets', split(format('{0}/{1}', parameters('virtualNetworkName'), variables('subnetName')), '/')[0], split(format('{0}/{1}', parameters('virtualNetworkName'), variables('subnetName')), '/')[1])]" - ] - } - ] - } + "deployRemediation": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Starts a policy remediation for the VM Agent policies in hub RG. Set to false by default since this is time consuming in deployment." 
} }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The location of this resource" + } + } + }, + "variables": { + "$fxv#0": " {\r\n \"listOfMembersToExcludeFromWindowsVMAdministratorsGroup\": \r\n {\r\n \"value\": \"admin\"\r\n },\r\n \"listOfMembersToIncludeInWindowsVMAdministratorsGroup\": \r\n {\r\n \"value\": \"azureuser\"\r\n },\r\n \"logAnalyticsWorkspaceIdforVMReporting\": \r\n {\r\n \"value\": \"\"\r\n },\r\n \"IncludeArcMachines\": \r\n {\r\n \"value\": \"true\"\r\n },\r\n \"MinimumTLSVersion-5752e6d6-1206-46d8-8ab1-ecc2f71a8112\": \r\n {\r\n \"value\": \"1.2\"\r\n },\r\n \"NotAvailableMachineState-bed48b13-6647-468e-aa2f-1af1d3f4dd40\": \r\n {\r\n \"value\": \"Compliant\"\r\n },\r\n \"requiredRetentionDays\": \r\n {\r\n \"value\": \"365\"\r\n },\r\n \"resourceGroupName-b6e2945c-0b7b-40f5-9233-7a5323b5cdc6\": \r\n {\r\n \"value\": \"NetworkWatcherRG\"\r\n }\r\n }", + "$fxv#1": " {\r\n \"IncludeArcMachines\": \r\n {\r\n \"value\": \"true\"\r\n },\r\n \"MinimumTLSVersion-5752e6d6-1206-46d8-8ab1-ecc2f71a8112\": \r\n {\r\n \"value\": \"1.2\"\r\n },\r\n \"NotAvailableMachineState-bed48b13-6647-468e-aa2f-1af1d3f4dd40\": \r\n {\r\n \"value\": \"Compliant\"\r\n },\r\n \"requiredRetentionDays\": \r\n {\r\n \"value\": \"365\"\r\n },\r\n \"resourceGroupName-b6e2945c-0b7b-40f5-9233-7a5323b5cdc6\": \r\n {\r\n \"value\": \"NetworkWatcherRG\"\r\n }\r\n }", + "$fxv#2": "{\r\n \"IncludeArcMachines\" : { \r\n \"value\" : \"false\"\r\n },\r\n \"NotAvailableMachineState-bed48b13-6647-468e-aa2f-1af1d3f4dd40\" : { \r\n \"value\" : \"Compliant\"\r\n },\r\n \"MinimumTLSVersionForWindowsServers\" : { \r\n \"value\" : \"1.2\"\r\n },\r\n \"requiredRetentionDays\" : { \r\n \"value\" : \"365\"\r\n },\r\n \"effect-febd0533-8e55-448f-b837-bd0e06f16469\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"allowedContainerImagesRegex-febd0533-8e55-448f-b837-bd0e06f16469\" : { \r\n \"value\" : \"^(.+){0}$\"\r\n },\r\n 
\"effect-95edb821-ddaf-4404-9732-666045e056b4\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-440b515e-a580-421e-abeb-b159a61ddcbc\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-233a2a17-77ca-4fb1-9b6b-69223d272a44\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-e345eecc-fa47-480f-9e88-67dcc122b164\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"cpuLimit-e345eecc-fa47-480f-9e88-67dcc122b164\" : { \r\n \"value\" : \"0\"\r\n },\r\n \"memoryLimit-e345eecc-fa47-480f-9e88-67dcc122b164\" : { \r\n \"value\" : \"0\"\r\n },\r\n \"effect-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"runAsUserRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \r\n \"value\" : \"MustRunAsNonRoot\"\r\n },\r\n \"runAsGroupRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \r\n \"value\" : \"RunAsAny\"\r\n },\r\n \"supplementalGroupsRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \r\n \"value\" : \"RunAsAny\"\r\n },\r\n \"fsGroupRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \r\n \"value\" : \"RunAsAny\"\r\n },\r\n \"effect-1c6e92c9-99f0-4e55-9cf2-0c234dc48f99\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-df49d893-a74c-421d-bc95-c663042e5b80\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-c26596ff-4d70-4e6a-9a30-c2506bd2f80c\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-511f5417-5d12-434d-ab2e-816901e72a5e\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-82985f06-dc18-4a48-bc1c-b9f4f0098cfe\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-098fc59e-46c7-4d99-9b16-64990e543d75\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"NetworkWatcherResourceGroupName\" : { \r\n \"value\" : \"NetworkWatcherRG\"\r\n },\r\n \"setting-a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9\" : { \r\n \"value\" : \"enabled\"\r\n },\r\n \"aadAuthenticationInServiceFabricMonitoringEffect\" 
: { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-71ef260a-8f18-47b7-abcb-62d0673d94dc\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-055aa869-bc98-4af8-bafc-23f1ab6ffe2c\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-564feb30-bf6a-4854-b4bb-0d2d2d1e6c66\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-d9da03a1-f3c3-412a-9709-947156872263\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-617c02be-7f02-4efd-8836-3180d47b6c68\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-ec068d99-e9c7-401f-8cef-5bdde4e6ccf1\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-c349d81b-9985-44ae-a8da-ff98d108ede8\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-3657f5a0-770e-44a3-b44e-9431ba1e9735\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-b4ac1030-89c5-4697-8e00-28b5ba6a8811\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-ea0dfaed-95fb-448c-934e-d6e713ce393d\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-4733ea7b-a883-42fe-8cac-97454c2a9e4a\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-f4b53539-8df9-40e4-86c6-6b607703bd4e\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-41425d9f-d1a5-499a-9932-f8ed8453932c\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-fc4d8e41-e223-45ea-9bf5-eada37891d87\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-86efb160-8de7-451d-bc08-5d475b0aadae\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-4ec52d6d-beb7-40c4-9a9e-fe753254690e\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-64d314f6-6062-4780-a861-c23e8951bee5\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-1fd32ebd-e4c3-4e13-a54a-d7422d4d95f6\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-fa298e57-9444-42ba-bf04-86e8470e32c7\" : { \r\n \"value\" 
: \"audit\"\r\n },\r\n \"effect-67121cc7-ff39-4ab8-b7e3-95b84dab487d\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-1f905d99-2ab7-462c-a6b0-f709acca6c8f\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-ba769a63-b8cc-4b2d-abf6-ac33c7204be8\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-81e74cea-30fd-40d5-802f-d72103c2aaaa\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-0aa61e00-0a01-4a3c-9945-e93cffedf0e6\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-47031206-ce96-41f8-861b-6a915f3de284\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-87ba29ef-1ab3-4d82-b763-87fcd4f531f7\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-51522a96-0869-4791-82f3-981000c2c67f\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-b5ec538c-daa0-4006-8596-35468b9148e8\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-56a5ee18-2ae6-4810-86f7-18e39ce5629b\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-2e94d99a-8a36-4563-bc77-810d8893b671\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-1fafeaf6-7927-4059-a50a-8eb2a7a6f2b5\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-99e9ccd8-3db9-4592-b0d1-14b1715a4d8a\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-1f68a601-6e6d-4e42-babf-3f643a047ea2\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-f7d52b2d-e161-4dfa-a82b-55e564167385\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-7d7be79c-23ba-4033-84dd-45e2a5ccdd67\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-ca91455f-eace-4f96-be59-e6e2c35b4816\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-702dd420-7fcc-42c5-afe8-4026edd20fe0\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"diagnosticsLogsInRedisCacheMonitoringEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"secureTransferToStorageAccountMonitoringEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-d0793b48-0edc-4296-a390-4c75d1bdfd71\" : { \r\n \"value\" : \"Audit\"\r\n 
},\r\n \"effect-7d092e0a-7acd-40d2-a975-dca21cae48c4\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-2a1a9cdf-e04d-429a-8416-3bfb72a1b26f\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"disableUnrestrictedNetworkToStorageAccountMonitoringEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-55615ac9-af46-4a59-874e-391cc3dfb490\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-1b8ca024-1d5c-4dec-8995-b1a932b41780\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-037eea7a-bd0a-46c5-9a66-03aea78705d3\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-53503636-bcc9-4748-9663-5348217f160f\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-40cec1dd-a100-4920-b15b-3024fe8901ab\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-0725b4dd-7e76-479c-a735-68e7ee23d5ca\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-a049bf77-880b-470f-ba6d-9f21c530cf83\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-ee980b6d-0eca-4501-8d54-f6290fd512c3\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-1d84d5fb-01f6-4d12-ba4f-4a26081d403d\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-37e0d2fe-28a5-43d6-a273-67d37d1f5606\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"identityDesignateMoreThanOneOwnerMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"diskEncryptionMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"emailNotificationToSubscriptionOwnerHighSeverityAlertsEnabledEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"functionAppDisableRemoteDebuggingMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"sqlDbEncryptionMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"vulnerabilityAssessmentOnManagedInstanceMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"ensurePHPVersionLatestForAPIAppEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"aadAuthenticationInSqlServerMonitoringEffect\" : { \r\n \"value\" : 
\"AuditIfNotExists\"\r\n },\r\n \"vmssEndpointProtectionMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"vmssOsVulnerabilitiesMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"adaptiveApplicationControlsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"geoRedundantBackupShouldBeEnabledForAzureDatabaseForPostgreSQLEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"ensureJavaVersionLatestForWebAppEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"identityDesignateLessThanOwnersMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"securityContactEmailAddressForSubscriptionEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"webAppRestrictCORSAccessMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"identityRemoveExternalAccountWithWritePermissionsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"identityRemoveExternalAccountWithReadPermissionsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"identityRemoveDeprecatedAccountMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"functionAppEnforceHttpsMonitoringEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"ensurePythonVersionLatestForWebAppEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"ensurePythonVersionLatestForFunctionAppEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"ensurePHPVersionLatestForWebAppEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"ensurePythonVersionLatestForAPIAppEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"geoRedundantBackupShouldBeEnabledForAzureDatabaseForMySQLEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"systemUpdatesMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"ensureJavaVersionLatestForAPIAppEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n 
\"ensureHTTPVersionLatestForWebAppEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"apiAppRequireLatestTlsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"identityEnableMFAForWritePermissionsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"ensureHTTPVersionLatestForAPIAppEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"ensureJavaVersionLatestForFunctionAppEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"nextGenerationFirewallMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"useRbacRulesMonitoringEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"webAppEnforceHttpsMonitoringEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"sqlServerAuditingMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"vnetEnableDDoSProtectionMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"identityEnableMFAForOwnerPermissionsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"sqlServerAdvancedDataSecurityMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"sqlManagedInstanceAdvancedDataSecurityMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"endpointProtectionMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"jitNetworkAccessMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"apiAppEnforceHttpsMonitoringEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"geoRedundantStorageShouldBeEnabledForStorageAccountsEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"vmssSystemUpdatesMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"webAppDisableRemoteDebuggingMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"longtermGeoRedundantBackupEnabledAzureSQLDatabasesEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"systemConfigurationsMonitoringEffect\" : { \r\n \"value\" 
: \"AuditIfNotExists\"\r\n },\r\n \"ensureHTTPVersionLatestForFunctionAppEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"identityEnableMFAForReadPermissionsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"containerBenchmarkMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"apiAppDisableRemoteDebuggingMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"vulnerabilityAssessmentOnServerMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"webAppRequireLatestTlsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"identityRemoveExternalAccountWithOwnerPermissionsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"functionAppRequireLatestTlsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"kubernetesServiceVersionUpToDateMonitoringEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"sqlDbVulnerabilityAssesmentMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"membersToIncludeInLocalAdministratorsGroup\" : { \r\n \"value\" : \"\"\r\n },\r\n \"membersToExcludeInLocalAdministratorsGroup\" : { \r\n \"value\" : \"\"\r\n },\r\n \"logAnalyticsWorkspaceIDForVMAgents\" : { \r\n \"value\" : \"\"\r\n },\r\n \"PHPLatestVersionForAppServices\" : { \r\n \"value\" : \"7.4\"\r\n },\r\n \"JavaLatestVersionForAppServices\" : { \r\n \"value\" : \"11\"\r\n },\r\n \"WindowsPythonLatestVersionForAppServices\" : { \r\n \"value\" : \"3.6\"\r\n },\r\n \"LinuxPythonLatestVersionForAppServices\" : { \r\n \"value\" : \"3.9\"\r\n },\r\n \"ensureDotNetFrameworkLatestForFunctionAppEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"sqlManagedInstanceAdvancedDataSecurityEmailsMonitoringEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"vulnerabilityAssessmentMonitoringEffect\" : 
{ \r\n \"value\" : \"Disabled\"\r\n },\r\n \"ensureDotNetFrameworkLatestForWebAppEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"sqlServerAdvancedDataSecurityEmailsMonitoringEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"microsoftIaaSAntimalwareExtensionShouldBeDeployedOnWindowsServersEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"securityCenterStandardPricingTierShouldBeSelectedEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"theLogAnalyticsAgentShouldBeInstalledOnVirtualMachinesEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"ensurePHPVersionLatestForFunctionAppEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"sqlManagedInstanceAdvancedDataSecurityEmailAdminsMonitoringEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"securityContactPhoneNumberShouldBeProvidedForSubscriptionEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"threatDetectionTypesOnManagedInstanceMonitoringEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"ensureDotNetFrameworkLatestForAPIAppEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"sqlServerAdvancedDataSecurityEmailAdminsMonitoringEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"threatDetectionTypesOnServerMonitoringEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"theLogAnalyticsAgentShouldBeInstalledOnVirtualMachineScaleSetsEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n }\r\n}", + "$fxv#3": "{\r\n \"logAnalyticsWorkspaceId-f47b5582-33ec-4c5c-87c0-b010a6b2e917\" : { \r\n \"value\" : \"\"\r\n },\r\n \"effect-09024ccc-0c5f-475e-9457-b7c0d9ed487b\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"MembersToExclude-69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f\" :{\r\n \"value\": \"\"\r\n },\r\n \"MembersToInclude-30f71ea1-ac77-4f26-9fc5-2d926bbd4ba7\": {\r\n \"value\": \"\"\r\n },\r\n \"effect-0961003e-5a0a-4549-abde-af6a37f2724d\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-0b15565f-aa9e-48ba-8619-45960f2c314d\" : { \r\n \"value\" : 
\"AuditIfNotExists\"\r\n },\r\n \"effect-0e60b895-3786-45da-8377-9c6b4b6ac5f9\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-17k78e20-9358-41c9-923c-fb736d382a12\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"PHPLatestVersion\" : { \r\n \"value\" : \"7.3\"\r\n },\r\n \"effect-22bee202-a82f-4305-9a2a-6d7f44d4dedb\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-26a828e1-e88f-464e-bbb3-c134a282b9de\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-34c877ad-507e-4c82-993e-3452a6e0ad3c\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-404c3081-a854-4457-ae30-26a93ef643f9\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-47a6b606-51aa-4496-8bb7-64b11cf66adc\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-496223c3-ad65-4ecd-878a-bae78737e9ed\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"JavaLatestVersion\" : { \r\n \"value\" : \"11\"\r\n },\r\n \"effect-4f11b553-d42e-4e3a-89be-32ca364cad4c\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-5c607a2e-c700-4744-8254-d77e7c9eb5e4\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-5f76cf89-fbf2-47fd-a3f4-b891fa780b60\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-6b1cbf55-e8b6-442f-ba4c-7246b6381474\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-7008174a-fd10-4ef0-817e-fc820a951d73\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"LinuxPythonLatestVersion\" : { \r\n \"value\" : \"3.8\"\r\n },\r\n \"effect-7238174a-fd10-4ef0-817e-fc820a951d73\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n 
\"effect-7261b898-8a84-4db8-9e04-18527132abb3\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-74c3584d-afae-46f7-a20a-6f8adba71a16\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-86b3d65f-7626-441e-b690-81a8b71cff60\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-88999f4c-376a-45c8-bcb3-4058f713cf39\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-8c122334-9d20-4eb8-89ea-ac9a705b74ae\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-9297c21d-2ed6-4474-b48f-163f75654ce3\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-991310cd-e9f3-47bc-b7b6-f57b557d07db\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-9b597639-28e4-48eb-b506-56b05d366257\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-9daedab3-fb2d-461e-b861-71790eead4f6\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-a4af4a39-4135-47fb-b175-47fbdf85311d\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"setting-a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9\" : { \r\n \"value\" : \"enabled\"\r\n },\r\n \"effect-a70ca396-0a34-413a-88e1-b956c1e683be\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-aa633080-8b72-40c4-a2d7-d00c03e80bed\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-af6cd1bd-1635-48cb-bde7-5b15693900b9\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"resourceGroupName-b6e2945c-0b7b-40f5-9233-7a5323b5cdc6\" : { \r\n \"value\" : 
\"NetworkWatcherRG\"\r\n },\r\n \"effect-b7ddfbdc-1260-477d-91fd-98bd9be789a6\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-c3f317a7-a95c-4547-b7e7-11017ebdf2fe\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-cb510bfd-1cba-4d9f-a230-cb0976f4bb71\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-e2c1c086-2d84-4019-bff3-c44ccd95113c\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-e3576e28-8b17-4677-84c3-db2990658d64\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-e8cbc669-f12d-49eb-93e7-9273119e9933\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-e9c8d085-d9cc-4b17-9cdc-059f1f01f19e\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-ebb62a0c-3560-49e1-89ed-27e074e9f8ad\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-efbde977-ba53-4479-b8e9-10b957924fbf\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-f6de0be7-9a8a-4b8a-b349-43cf02d22f7c\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-f8456c1c-aa66-4dfb-861a-25d127b775c9\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-f9d614c5-c173-4d56-95a7-b4437057d193\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-fb893a29-21bb-418c-a157-e99480ec364c\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-feedbf84-6b99-488c-acc2-71c829aa5ffc\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-3b980d31-7904-4bb7-8575-5665739a8052\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-6e2593d9-add6-4083-9c9b-4b7d2188c899\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-12430be1-6cc8-4527-a9a8-e3d38f250096\" : { \r\n \"value\" : 
\"Audit\"\r\n },\r\n \"modeRequirement-12430be1-6cc8-4527-a9a8-e3d38f250096\" : { \r\n \"value\" : \"Detection\"\r\n },\r\n \"effect-425bea59-a659-4cbb-8d31-34499bd030b8\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"modeRequirement-425bea59-a659-4cbb-8d31-34499bd030b8\" : { \r\n \"value\" : \"Detection\"\r\n },\r\n \"effect-564feb30-bf6a-4854-b4bb-0d2d2d1e6c66\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-055aa869-bc98-4af8-bafc-23f1ab6ffe2c\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-013e242c-8828-4970-87b3-ab247555486d\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-d38fc420-0735-4ef3-ac11-c806f651a570\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-a1181c5f-672a-477a-979a-7d58aa086233\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-308fbb08-4ab8-4e67-9b29-592e93fb94fa\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-4da35fc9-c9e7-4960-aec9-797fe7d9051d\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-523b5cd1-3e23-492f-a539-13118b6d1e3a\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-7fe3b40f-802b-4cdd-8bd4-fd799c948cc2\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-c25d9a16-bc35-4e15-a7e5-9db606bf9ed4\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-b0f33259-77d7-4c9e-aac6-3aabcfae693c\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-037eea7a-bd0a-46c5-9a66-03aea78705d3\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-0725b4dd-7e76-479c-a735-68e7ee23d5ca\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-0820b7b9-23aa-4725-a1ce-ae4558f718e5\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-2c89a2e5-7285-40fe-afe0-ae8654b92fab\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-358c20a6-3f9e-4f0e-97ff-c6ce485e2aac\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-5744710e-cc2f-4ee8-8809-3b11e89f4bc9\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n 
\"effect-ac4a19c2-fa67-49b4-8ae5-0b2e78c49457\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-c9d007d0-c057-4772-b18c-01e546713bcd\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-d0793b48-0edc-4296-a390-4c75d1bdfd71\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-e372f825-a257-4fb8-9175-797a8a8627d6\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-d158790f-bfb0-486c-8631-2dc6b4e8e6af\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-e802a67a-daf5-4436-9ea6-f6d821dd0c5d\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-a451c1ef-c6ca-483d-87ed-f49761e3ffb5\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftSql-servers-firewallRules-delete\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftNetwork-networkSecurityGroups-delete\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftClassicNetwork-networkSecurityGroups-delete\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftNetwork-networkSecurityGroups-securityRules-delete\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftClassicNetwork-networkSecurityGroups-securityRules-delete\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-ae89ebca-1c92-4898-ac2c-9f63decb045c\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-d26f7642-7545-4e18-9b75-8c9bbdee3a9a\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-1a4e592a-6a6e-44a5-9814-e36264ca96e7\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-7796937f-307b-4598-941c-67d3a05ebfe7\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-c5447c04-a4d7-4ba8-a263-c9ee321a6858\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-41388f1c-2db0-4c25-95b2-35d7f5ccbfa9\" : { \r\n \"value\" : 
\"AuditIfNotExists\"\r\n },\r\n \"effect-b02aacc0-b073-424e-8298-42b22829ee0a\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-0ec47710-77ff-4a3d-9181-6aa50af424d0\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-48af4db5-9b8b-401c-8e74-076be876a430\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-82339799-d096-41ae-8538-b108becf0970\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-1b7aa243-30e4-4c9e-bca8-d0d3022b634a\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-bb91dfba-c30d-4263-9add-9c2384e659a6\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-e71308d3-144b-4262-b144-efdc3cc90517\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-2bdd0062-9d75-436e-89df-487dd8e4b3c7\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"effect-4733ea7b-a883-42fe-8cac-97454c2a9e4a\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-67121cc7-ff39-4ab8-b7e3-95b84dab487d\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-6fac406b-40ca-413b-bf8e-0bf964659c25\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-81e74cea-30fd-40d5-802f-d72103c2aaaa\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-c349d81b-9985-44ae-a8da-ff98d108ede8\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-f4b53539-8df9-40e4-86c6-6b607703bd4e\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-ec068d99-e9c7-401f-8cef-5bdde4e6ccf1\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-048248b0-55cd-46da-b1ff-39efd52db260\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-0d134df8-db83-46fb-ad72-fe0c9428c8dd\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-2c89a2e5-7285-40fe-afe0-ae8654b92fb2\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-3657f5a0-770e-44a3-b44e-9431ba1e9735\" : { \r\n \"value\" : 
\"Audit\"\r\n },\r\n \"effect-5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-617c02be-7f02-4efd-8836-3180d47b6c68\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-7d7be79c-23ba-4033-84dd-45e2a5ccdd67\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-87ba29ef-1ab3-4d82-b763-87fcd4f531f7\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-f7d52b2d-e161-4dfa-a82b-55e564167385\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-c43e4a30-77cb-48ab-a4dd-93f175c63b57\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-1f314764-cb73-4fc9-b863-8eca98ac36e9\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-123a3936-f020-408a-ba0c-47873faf1534\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n }\r\n}\r\n", + "modifiedAssignment": "[if(and(equals(toLower(environment().name), toLower('AzureCloud')), equals(toLower(parameters('builtInAssignment')), toLower('IL5'))), 'NISTRev4', parameters('builtInAssignment'))]", + "assignmentName": "[format('{0} {1}', variables('modifiedAssignment'), resourceGroup().name)]", + "agentVmssAssignmentName": "[format('Deploy VMSS Agents {0}', resourceGroup().name)]", + "agentVmAssignmentName": "[format('Deploy VM Agents {0}', resourceGroup().name)]", + "contributorRoleDefinitionId": "[resourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "lawsReaderRoleDefinitionId": "[resourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]" + }, + "resources": [ { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "remoteAccess-linuxNetworkInterface", + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2020-09-01", + "name": "[variables('assignmentName')]", + "location": 
"[parameters('location')]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", + "policyDefinitionId": "[createObject('NISTRev4', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f', 'parameters', json(replace(variables('$fxv#0'), '', extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))))), 'NISTRev5', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f', 'parameters', json(variables('$fxv#1'))), 'IL5', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/f9a961fa-3241-4b20-adc4-bbf8ad9d7197', 'parameters', json(replace(variables('$fxv#2'), '', extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))))), 'CMMC', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/b5629c75-5c77-4422-87b9-2509e680f8de', 'parameters', json(replace(variables('$fxv#3'), '', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName')), '2021-06-01').customerId))))[variables('modifiedAssignment')].id]", + "parameters": "[createObject('NISTRev4', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f', 'parameters', json(replace(variables('$fxv#0'), '', extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', 
parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))))), 'NISTRev5', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f', 'parameters', json(variables('$fxv#1'))), 'IL5', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/f9a961fa-3241-4b20-adc4-bbf8ad9d7197', 'parameters', json(replace(variables('$fxv#2'), '', extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))))), 'CMMC', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/b5629c75-5c77-4422-87b9-2509e680f8de', 'parameters', json(replace(variables('$fxv#3'), '', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName')), '2021-06-01').customerId))))[variables('modifiedAssignment')].parameters]" + }, + "identity": { + "type": "SystemAssigned" + } + }, + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2020-09-01", + "name": "[variables('agentVmssAssignmentName')]", + "location": "[parameters('location')]", + "properties": { + "policyDefinitionId": "[tenantResourceId('Microsoft.Authorization/policySetDefinitions', '75714362-cae7-409e-9b99-a8e5075b7fad')]", "parameters": { - "name": { - "value": "[parameters('linuxNetworkInterfaceName')]" - }, - "location": { - "value": "[parameters('location')]" - }, - "tags": { - "value": "[parameters('tags')]" - }, - "ipConfigurationName": { - "value": "[parameters('linuxNetworkInterfaceIpConfigurationName')]" - }, - 
"networkSecurityGroupId": { - "value": "[parameters('hubNetworkSecurityGroupResourceId')]" - }, - "privateIPAddressAllocationMethod": { - "value": "[parameters('linuxNetworkInterfacePrivateIPAddressAllocationMethod')]" - }, - "subnetId": { - "value": "[parameters('hubSubnetResourceId')]" + "logAnalytics_1": { + "value": "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))]" } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.10.61.36676", - "templateHash": "11989297668424739974" - } - }, - "parameters": { - "name": { - "type": "string" - }, - "location": { - "type": "string" - }, - "tags": { - "type": "object", - "defaultValue": {} - }, - "ipConfigurationName": { - "type": "string" - }, - "subnetId": { - "type": "string" - }, - "networkSecurityGroupId": { - "type": "string" - }, - "privateIPAddressAllocationMethod": { - "type": "string" - } - }, - "resources": [ - { - "type": "Microsoft.Network/networkInterfaces", - "apiVersion": "2021-02-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "ipConfigurations": [ - { - "name": "[parameters('ipConfigurationName')]", - "properties": { - "subnet": { - "id": "[parameters('subnetId')]" - }, - "privateIPAllocationMethod": "[parameters('privateIPAddressAllocationMethod')]" - } - } - ], - "networkSecurityGroup": { - "id": "[parameters('networkSecurityGroupId')]" - } - } - } - ], - "outputs": { - "id": { - "type": "string", - "value": "[resourceId('Microsoft.Network/networkInterfaces', parameters('name'))]" - }, - "name": { - "type": "string", - "value": "[parameters('name')]" - } + } + 
}, + "identity": { + "type": "SystemAssigned" + } + }, + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2020-09-01", + "name": "[variables('agentVmAssignmentName')]", + "location": "[parameters('location')]", + "properties": { + "policyDefinitionId": "[tenantResourceId('Microsoft.Authorization/policySetDefinitions', '55f3eceb-5573-4f18-9695-226972c6d74a')]", + "parameters": { + "logAnalytics_1": { + "value": "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))]" } } + }, + "identity": { + "type": "SystemAssigned" } }, + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2020-04-01-preview", + "name": "[guid(variables('contributorRoleDefinitionId'), variables('assignmentName'))]", + "properties": { + "roleDefinitionId": "[variables('contributorRoleDefinitionId')]", + "principalId": "[if(empty(variables('modifiedAssignment')), '', reference(resourceId('Microsoft.Authorization/policyAssignments', variables('assignmentName')), '2020-09-01', 'full').identity.principalId)]", + "principalType": "ServicePrincipal" + }, + "dependsOn": [ + "[resourceId('Microsoft.Authorization/policyAssignments', variables('assignmentName'))]" + ] + }, + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2020-04-01-preview", + "name": "[guid(variables('contributorRoleDefinitionId'), variables('agentVmssAssignmentName'))]", + "properties": { + "roleDefinitionId": "[variables('contributorRoleDefinitionId')]", + "principalId": "[reference(resourceId('Microsoft.Authorization/policyAssignments', variables('agentVmssAssignmentName')), '2020-09-01', 'full').identity.principalId]", + "principalType": "ServicePrincipal" + }, + "dependsOn": [ + "[resourceId('Microsoft.Authorization/policyAssignments', variables('agentVmssAssignmentName'))]" 
+ ] + }, + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2020-04-01-preview", + "name": "[guid(variables('contributorRoleDefinitionId'), variables('agentVmAssignmentName'))]", + "properties": { + "roleDefinitionId": "[variables('contributorRoleDefinitionId')]", + "principalId": "[reference(resourceId('Microsoft.Authorization/policyAssignments', variables('agentVmAssignmentName')), '2020-09-01', 'full').identity.principalId]", + "principalType": "ServicePrincipal" + }, + "dependsOn": [ + "[resourceId('Microsoft.Authorization/policyAssignments', variables('agentVmAssignmentName'))]" + ] + }, + { + "condition": "[parameters('deployRemediation')]", + "type": "Microsoft.PolicyInsights/remediations", + "apiVersion": "2019-07-01", + "name": "VM-Agent-Policy-Remediation", + "properties": { + "policyAssignmentId": "[resourceId('Microsoft.Authorization/policyAssignments', variables('agentVmAssignmentName'))]", + "resourceDiscoveryMode": "ReEvaluateCompliance" + }, + "dependsOn": [ + "[resourceId('Microsoft.Authorization/policyAssignments', variables('agentVmAssignmentName'))]" + ] + }, { "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "remoteAccess-linuxVirtualMachine", + "apiVersion": "2022-09-01", + "name": "[format('Assign-Laws-Role-Policy-{0}', resourceGroup().name)]", + "subscriptionId": "[parameters('operationsSubscriptionId')]", + "resourceGroup": "[parameters('logAnalyticsWorkspaceResourceGroupName')]", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { - "name": { - "value": "[parameters('linuxVmName')]" - }, - "location": { - "value": "[parameters('location')]" - }, - "tags": { - "value": "[parameters('tags')]" - }, - "vmSize": { - "value": "[parameters('linuxVmSize')]" - }, - "osDiskCreateOption": { - "value": "[parameters('linuxVmOsDiskCreateOption')]" - }, - "osDiskType": { - "value": "[parameters('linuxVmOsDiskType')]" - }, - "vmImagePublisher": 
{ - "value": "[parameters('linuxVmImagePublisher')]" - }, - "vmImageOffer": { - "value": "[parameters('linuxVmImageOffer')]" - }, - "vmImageSku": { - "value": "[parameters('linuxVmImageSku')]" - }, - "vmImageVersion": { - "value": "[parameters('linuxVmImageVersion')]" - }, - "adminUsername": { - "value": "[parameters('linuxVmAdminUsername')]" - }, - "authenticationType": { - "value": "[parameters('linuxVmAuthenticationType')]" - }, - "adminPasswordOrKey": { - "value": "[parameters('linuxVmAdminPasswordOrKey')]" + "targetResourceId": { + "value": "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))]" }, - "networkInterfaceName": { - "value": "[reference(resourceId('Microsoft.Resources/deployments', 'remoteAccess-linuxNetworkInterface')).outputs.name.value]" + "roleDefinitionId": { + "value": "[variables('lawsReaderRoleDefinitionId')]" }, - "logAnalyticsWorkspaceId": { - "value": "[parameters('logAnalyticsWorkspaceId')]" + "principalId": { + "value": "[reference(resourceId('Microsoft.Authorization/policyAssignments', variables('agentVmAssignmentName')), '2020-09-01', 'full').identity.principalId]" } }, "template": { 
@@ -8012,544 +8274,632 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.10.61.36676", - "templateHash": "13732851487663219597" + "version": "0.24.24.22086", + "templateHash": "8686326864657481429" } }, "parameters": { - "name": { - "type": "string" - }, - "location": { - "type": "string" - }, - "tags": { - "type": "object", - "defaultValue": {} - }, - "networkInterfaceName": { - "type": "string" - }, - "vmSize": { - "type": "string" - }, - "osDiskCreateOption": { + "targetResourceId": { "type": "string" }, - "osDiskType": { + "roleDefinitionId": { "type": "string" }, - "vmImagePublisher": { + "principalId": { "type": "string" }, - "vmImageOffer": { - "type": "string" + "principalType": { + "type": "string", + "defaultValue": "ServicePrincipal", + "allowedValues": [ + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ] }, - "vmImageSku": { + "description": { + "type": "string", + "defaultValue": "" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2020-04-01-preview", + "name": "[guid(parameters('targetResourceId'), parameters('roleDefinitionId'), parameters('principalId'))]", + "properties": { + "principalId": "[parameters('principalId')]", + "principalType": "[parameters('principalType')]", + "roleDefinitionId": "[parameters('roleDefinitionId')]", + "description": "[parameters('description')]" + } + } + ] + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Authorization/policyAssignments', variables('agentVmAssignmentName'))]" + ] + } + ] + } + }, + "dependsOn": [ + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix')))]" + ] + }, + { + "copy": { + "name": "spokePolicyAssignments", + "count": "[length(variables('spokes'))]" + }, + "condition": "[parameters('deployPolicy')]", + "type": 
"Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('assign-policy-{0}-{1}', variables('spokes')[copyIndex()].name, parameters('deploymentNameSuffix'))]", + "subscriptionId": "[variables('spokes')[copyIndex()].subscriptionId]", + "resourceGroup": "[variables('spokes')[copyIndex()].resourceGroupName]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "builtInAssignment": { + "value": "[parameters('policy')]" + }, + "logAnalyticsWorkspaceName": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.name.value]" + }, + "logAnalyticsWorkspaceResourceGroupName": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.resourceGroupName.value]" + }, + "operationsSubscriptionId": { + "value": "[parameters('operationsSubscriptionId')]" + }, + "location": { + "value": "[parameters('location')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.24.24.22086", + "templateHash": "16693295535307781768" + } + }, + "parameters": { + "builtInAssignment": { + "type": "string", + "defaultValue": "NISTRev4", + "allowedValues": [ + "NISTRev4", + "NISTRev5", + "IL5", + "CMMC" + ], + "metadata": { + "description": "[NISTRev4/NISTRev5/IL5/CMMC] Built-in policy assignments to assign, default is NISTRev4. 
IL5 is only available for AzureUsGovernment and will switch to NISTRev4 if tried in AzureCloud." + } + }, + "logAnalyticsWorkspaceName": { + "type": "string" + }, + "logAnalyticsWorkspaceResourceGroupName": { + "type": "string" + }, + "operationsSubscriptionId": { + "type": "string" + }, + "deployRemediation": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Starts a policy remediation for the VM Agent policies in hub RG. Set to false by default since this is time consuming in deployment." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The location of this resource" + } + } + }, + "variables": { + "$fxv#0": " {\r\n \"listOfMembersToExcludeFromWindowsVMAdministratorsGroup\": \r\n {\r\n \"value\": \"admin\"\r\n },\r\n \"listOfMembersToIncludeInWindowsVMAdministratorsGroup\": \r\n {\r\n \"value\": \"azureuser\"\r\n },\r\n \"logAnalyticsWorkspaceIdforVMReporting\": \r\n {\r\n \"value\": \"\"\r\n },\r\n \"IncludeArcMachines\": \r\n {\r\n \"value\": \"true\"\r\n },\r\n \"MinimumTLSVersion-5752e6d6-1206-46d8-8ab1-ecc2f71a8112\": \r\n {\r\n \"value\": \"1.2\"\r\n },\r\n \"NotAvailableMachineState-bed48b13-6647-468e-aa2f-1af1d3f4dd40\": \r\n {\r\n \"value\": \"Compliant\"\r\n },\r\n \"requiredRetentionDays\": \r\n {\r\n \"value\": \"365\"\r\n },\r\n \"resourceGroupName-b6e2945c-0b7b-40f5-9233-7a5323b5cdc6\": \r\n {\r\n \"value\": \"NetworkWatcherRG\"\r\n }\r\n }", + "$fxv#1": " {\r\n \"IncludeArcMachines\": \r\n {\r\n \"value\": \"true\"\r\n },\r\n \"MinimumTLSVersion-5752e6d6-1206-46d8-8ab1-ecc2f71a8112\": \r\n {\r\n \"value\": \"1.2\"\r\n },\r\n \"NotAvailableMachineState-bed48b13-6647-468e-aa2f-1af1d3f4dd40\": \r\n {\r\n \"value\": \"Compliant\"\r\n },\r\n \"requiredRetentionDays\": \r\n {\r\n \"value\": \"365\"\r\n },\r\n \"resourceGroupName-b6e2945c-0b7b-40f5-9233-7a5323b5cdc6\": \r\n {\r\n \"value\": \"NetworkWatcherRG\"\r\n }\r\n }", + "$fxv#2": "{\r\n 
\"IncludeArcMachines\" : { \r\n \"value\" : \"false\"\r\n },\r\n \"NotAvailableMachineState-bed48b13-6647-468e-aa2f-1af1d3f4dd40\" : { \r\n \"value\" : \"Compliant\"\r\n },\r\n \"MinimumTLSVersionForWindowsServers\" : { \r\n \"value\" : \"1.2\"\r\n },\r\n \"requiredRetentionDays\" : { \r\n \"value\" : \"365\"\r\n },\r\n \"effect-febd0533-8e55-448f-b837-bd0e06f16469\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"allowedContainerImagesRegex-febd0533-8e55-448f-b837-bd0e06f16469\" : { \r\n \"value\" : \"^(.+){0}$\"\r\n },\r\n \"effect-95edb821-ddaf-4404-9732-666045e056b4\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-440b515e-a580-421e-abeb-b159a61ddcbc\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-233a2a17-77ca-4fb1-9b6b-69223d272a44\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-e345eecc-fa47-480f-9e88-67dcc122b164\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"cpuLimit-e345eecc-fa47-480f-9e88-67dcc122b164\" : { \r\n \"value\" : \"0\"\r\n },\r\n \"memoryLimit-e345eecc-fa47-480f-9e88-67dcc122b164\" : { \r\n \"value\" : \"0\"\r\n },\r\n \"effect-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"runAsUserRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \r\n \"value\" : \"MustRunAsNonRoot\"\r\n },\r\n \"runAsGroupRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \r\n \"value\" : \"RunAsAny\"\r\n },\r\n \"supplementalGroupsRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \r\n \"value\" : \"RunAsAny\"\r\n },\r\n \"fsGroupRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \r\n \"value\" : \"RunAsAny\"\r\n },\r\n \"effect-1c6e92c9-99f0-4e55-9cf2-0c234dc48f99\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-df49d893-a74c-421d-bc95-c663042e5b80\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-c26596ff-4d70-4e6a-9a30-c2506bd2f80c\" : { \r\n \"value\" 
: \"audit\"\r\n },\r\n \"effect-511f5417-5d12-434d-ab2e-816901e72a5e\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-82985f06-dc18-4a48-bc1c-b9f4f0098cfe\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-098fc59e-46c7-4d99-9b16-64990e543d75\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"NetworkWatcherResourceGroupName\" : { \r\n \"value\" : \"NetworkWatcherRG\"\r\n },\r\n \"setting-a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9\" : { \r\n \"value\" : \"enabled\"\r\n },\r\n \"aadAuthenticationInServiceFabricMonitoringEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-71ef260a-8f18-47b7-abcb-62d0673d94dc\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-055aa869-bc98-4af8-bafc-23f1ab6ffe2c\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-564feb30-bf6a-4854-b4bb-0d2d2d1e6c66\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-d9da03a1-f3c3-412a-9709-947156872263\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-617c02be-7f02-4efd-8836-3180d47b6c68\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-ec068d99-e9c7-401f-8cef-5bdde4e6ccf1\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-c349d81b-9985-44ae-a8da-ff98d108ede8\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-3657f5a0-770e-44a3-b44e-9431ba1e9735\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-b4ac1030-89c5-4697-8e00-28b5ba6a8811\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-ea0dfaed-95fb-448c-934e-d6e713ce393d\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-4733ea7b-a883-42fe-8cac-97454c2a9e4a\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-f4b53539-8df9-40e4-86c6-6b607703bd4e\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-41425d9f-d1a5-499a-9932-f8ed8453932c\" : { \r\n \"value\" : 
\"Audit\"\r\n },\r\n \"effect-fc4d8e41-e223-45ea-9bf5-eada37891d87\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-86efb160-8de7-451d-bc08-5d475b0aadae\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-4ec52d6d-beb7-40c4-9a9e-fe753254690e\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-64d314f6-6062-4780-a861-c23e8951bee5\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-1fd32ebd-e4c3-4e13-a54a-d7422d4d95f6\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-fa298e57-9444-42ba-bf04-86e8470e32c7\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-67121cc7-ff39-4ab8-b7e3-95b84dab487d\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-1f905d99-2ab7-462c-a6b0-f709acca6c8f\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-ba769a63-b8cc-4b2d-abf6-ac33c7204be8\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-81e74cea-30fd-40d5-802f-d72103c2aaaa\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-0aa61e00-0a01-4a3c-9945-e93cffedf0e6\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-47031206-ce96-41f8-861b-6a915f3de284\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-87ba29ef-1ab3-4d82-b763-87fcd4f531f7\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-51522a96-0869-4791-82f3-981000c2c67f\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-b5ec538c-daa0-4006-8596-35468b9148e8\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-56a5ee18-2ae6-4810-86f7-18e39ce5629b\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-2e94d99a-8a36-4563-bc77-810d8893b671\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-1fafeaf6-7927-4059-a50a-8eb2a7a6f2b5\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-99e9ccd8-3db9-4592-b0d1-14b1715a4d8a\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-1f68a601-6e6d-4e42-babf-3f643a047ea2\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-f7d52b2d-e161-4dfa-a82b-55e564167385\" : { \r\n \"value\" : \"Audit\"\r\n 
},\r\n \"effect-7d7be79c-23ba-4033-84dd-45e2a5ccdd67\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-ca91455f-eace-4f96-be59-e6e2c35b4816\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-702dd420-7fcc-42c5-afe8-4026edd20fe0\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"diagnosticsLogsInRedisCacheMonitoringEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"secureTransferToStorageAccountMonitoringEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-d0793b48-0edc-4296-a390-4c75d1bdfd71\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-7d092e0a-7acd-40d2-a975-dca21cae48c4\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-2a1a9cdf-e04d-429a-8416-3bfb72a1b26f\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"disableUnrestrictedNetworkToStorageAccountMonitoringEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-55615ac9-af46-4a59-874e-391cc3dfb490\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-1b8ca024-1d5c-4dec-8995-b1a932b41780\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-037eea7a-bd0a-46c5-9a66-03aea78705d3\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-53503636-bcc9-4748-9663-5348217f160f\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-40cec1dd-a100-4920-b15b-3024fe8901ab\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-0725b4dd-7e76-479c-a735-68e7ee23d5ca\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-a049bf77-880b-470f-ba6d-9f21c530cf83\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-ee980b6d-0eca-4501-8d54-f6290fd512c3\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-1d84d5fb-01f6-4d12-ba4f-4a26081d403d\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-37e0d2fe-28a5-43d6-a273-67d37d1f5606\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"identityDesignateMoreThanOneOwnerMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"diskEncryptionMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n 
\"emailNotificationToSubscriptionOwnerHighSeverityAlertsEnabledEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"functionAppDisableRemoteDebuggingMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"sqlDbEncryptionMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"vulnerabilityAssessmentOnManagedInstanceMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"ensurePHPVersionLatestForAPIAppEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"aadAuthenticationInSqlServerMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"vmssEndpointProtectionMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"vmssOsVulnerabilitiesMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"adaptiveApplicationControlsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"geoRedundantBackupShouldBeEnabledForAzureDatabaseForPostgreSQLEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"ensureJavaVersionLatestForWebAppEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"identityDesignateLessThanOwnersMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"securityContactEmailAddressForSubscriptionEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"webAppRestrictCORSAccessMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"identityRemoveExternalAccountWithWritePermissionsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"identityRemoveExternalAccountWithReadPermissionsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"identityRemoveDeprecatedAccountMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"functionAppEnforceHttpsMonitoringEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"ensurePythonVersionLatestForWebAppEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n 
\"ensurePythonVersionLatestForFunctionAppEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"ensurePHPVersionLatestForWebAppEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"ensurePythonVersionLatestForAPIAppEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"geoRedundantBackupShouldBeEnabledForAzureDatabaseForMySQLEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"systemUpdatesMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"ensureJavaVersionLatestForAPIAppEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"ensureHTTPVersionLatestForWebAppEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"apiAppRequireLatestTlsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"identityEnableMFAForWritePermissionsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"ensureHTTPVersionLatestForAPIAppEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"ensureJavaVersionLatestForFunctionAppEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"nextGenerationFirewallMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"useRbacRulesMonitoringEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"webAppEnforceHttpsMonitoringEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"sqlServerAuditingMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"vnetEnableDDoSProtectionMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"identityEnableMFAForOwnerPermissionsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"sqlServerAdvancedDataSecurityMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"sqlManagedInstanceAdvancedDataSecurityMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"endpointProtectionMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"jitNetworkAccessMonitoringEffect\" : { \r\n 
\"value\" : \"AuditIfNotExists\"\r\n },\r\n \"apiAppEnforceHttpsMonitoringEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"geoRedundantStorageShouldBeEnabledForStorageAccountsEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"vmssSystemUpdatesMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"webAppDisableRemoteDebuggingMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"longtermGeoRedundantBackupEnabledAzureSQLDatabasesEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"systemConfigurationsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"ensureHTTPVersionLatestForFunctionAppEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"identityEnableMFAForReadPermissionsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"containerBenchmarkMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"apiAppDisableRemoteDebuggingMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"vulnerabilityAssessmentOnServerMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"webAppRequireLatestTlsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"identityRemoveExternalAccountWithOwnerPermissionsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"functionAppRequireLatestTlsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"kubernetesServiceVersionUpToDateMonitoringEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"sqlDbVulnerabilityAssesmentMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"membersToIncludeInLocalAdministratorsGroup\" : { \r\n \"value\" : \"\"\r\n },\r\n \"membersToExcludeInLocalAdministratorsGroup\" : { \r\n \"value\" : \"\"\r\n },\r\n \"logAnalyticsWorkspaceIDForVMAgents\" : { \r\n 
\"value\" : \"\"\r\n },\r\n \"PHPLatestVersionForAppServices\" : { \r\n \"value\" : \"7.4\"\r\n },\r\n \"JavaLatestVersionForAppServices\" : { \r\n \"value\" : \"11\"\r\n },\r\n \"WindowsPythonLatestVersionForAppServices\" : { \r\n \"value\" : \"3.6\"\r\n },\r\n \"LinuxPythonLatestVersionForAppServices\" : { \r\n \"value\" : \"3.9\"\r\n },\r\n \"ensureDotNetFrameworkLatestForFunctionAppEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"sqlManagedInstanceAdvancedDataSecurityEmailsMonitoringEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"vulnerabilityAssessmentMonitoringEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"ensureDotNetFrameworkLatestForWebAppEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"sqlServerAdvancedDataSecurityEmailsMonitoringEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"microsoftIaaSAntimalwareExtensionShouldBeDeployedOnWindowsServersEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"securityCenterStandardPricingTierShouldBeSelectedEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"theLogAnalyticsAgentShouldBeInstalledOnVirtualMachinesEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"ensurePHPVersionLatestForFunctionAppEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"sqlManagedInstanceAdvancedDataSecurityEmailAdminsMonitoringEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"securityContactPhoneNumberShouldBeProvidedForSubscriptionEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"threatDetectionTypesOnManagedInstanceMonitoringEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"ensureDotNetFrameworkLatestForAPIAppEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"sqlServerAdvancedDataSecurityEmailAdminsMonitoringEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"threatDetectionTypesOnServerMonitoringEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"theLogAnalyticsAgentShouldBeInstalledOnVirtualMachineScaleSetsEffect\" : { \r\n \"value\" : 
\"AuditIfNotExists\"\r\n }\r\n}", + "$fxv#3": "{\r\n \"logAnalyticsWorkspaceId-f47b5582-33ec-4c5c-87c0-b010a6b2e917\" : { \r\n \"value\" : \"\"\r\n },\r\n \"effect-09024ccc-0c5f-475e-9457-b7c0d9ed487b\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"MembersToExclude-69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f\" :{\r\n \"value\": \"\"\r\n },\r\n \"MembersToInclude-30f71ea1-ac77-4f26-9fc5-2d926bbd4ba7\": {\r\n \"value\": \"\"\r\n },\r\n \"effect-0961003e-5a0a-4549-abde-af6a37f2724d\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-0b15565f-aa9e-48ba-8619-45960f2c314d\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-0e60b895-3786-45da-8377-9c6b4b6ac5f9\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-17k78e20-9358-41c9-923c-fb736d382a12\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"PHPLatestVersion\" : { \r\n \"value\" : \"7.3\"\r\n },\r\n \"effect-22bee202-a82f-4305-9a2a-6d7f44d4dedb\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-26a828e1-e88f-464e-bbb3-c134a282b9de\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-34c877ad-507e-4c82-993e-3452a6e0ad3c\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-404c3081-a854-4457-ae30-26a93ef643f9\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-47a6b606-51aa-4496-8bb7-64b11cf66adc\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-496223c3-ad65-4ecd-878a-bae78737e9ed\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"JavaLatestVersion\" : { \r\n \"value\" : \"11\"\r\n },\r\n \"effect-4f11b553-d42e-4e3a-89be-32ca364cad4c\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-5c607a2e-c700-4744-8254-d77e7c9eb5e4\" : { \r\n 
\"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-5f76cf89-fbf2-47fd-a3f4-b891fa780b60\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-6b1cbf55-e8b6-442f-ba4c-7246b6381474\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-7008174a-fd10-4ef0-817e-fc820a951d73\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"LinuxPythonLatestVersion\" : { \r\n \"value\" : \"3.8\"\r\n },\r\n \"effect-7238174a-fd10-4ef0-817e-fc820a951d73\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-7261b898-8a84-4db8-9e04-18527132abb3\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-74c3584d-afae-46f7-a20a-6f8adba71a16\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-86b3d65f-7626-441e-b690-81a8b71cff60\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-88999f4c-376a-45c8-bcb3-4058f713cf39\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-8c122334-9d20-4eb8-89ea-ac9a705b74ae\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-9297c21d-2ed6-4474-b48f-163f75654ce3\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-991310cd-e9f3-47bc-b7b6-f57b557d07db\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-9b597639-28e4-48eb-b506-56b05d366257\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-9daedab3-fb2d-461e-b861-71790eead4f6\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-a4af4a39-4135-47fb-b175-47fbdf85311d\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"setting-a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9\" : { \r\n \"value\" : \"enabled\"\r\n 
},\r\n \"effect-a70ca396-0a34-413a-88e1-b956c1e683be\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-aa633080-8b72-40c4-a2d7-d00c03e80bed\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-af6cd1bd-1635-48cb-bde7-5b15693900b9\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"resourceGroupName-b6e2945c-0b7b-40f5-9233-7a5323b5cdc6\" : { \r\n \"value\" : \"NetworkWatcherRG\"\r\n },\r\n \"effect-b7ddfbdc-1260-477d-91fd-98bd9be789a6\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-c3f317a7-a95c-4547-b7e7-11017ebdf2fe\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-cb510bfd-1cba-4d9f-a230-cb0976f4bb71\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-e2c1c086-2d84-4019-bff3-c44ccd95113c\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-e3576e28-8b17-4677-84c3-db2990658d64\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-e8cbc669-f12d-49eb-93e7-9273119e9933\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-e9c8d085-d9cc-4b17-9cdc-059f1f01f19e\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-ebb62a0c-3560-49e1-89ed-27e074e9f8ad\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-efbde977-ba53-4479-b8e9-10b957924fbf\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-f6de0be7-9a8a-4b8a-b349-43cf02d22f7c\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-f8456c1c-aa66-4dfb-861a-25d127b775c9\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-f9d614c5-c173-4d56-95a7-b4437057d193\" : { \r\n \"value\" : 
\"AuditIfNotExists\"\r\n },\r\n \"effect-fb893a29-21bb-418c-a157-e99480ec364c\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-feedbf84-6b99-488c-acc2-71c829aa5ffc\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-3b980d31-7904-4bb7-8575-5665739a8052\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-6e2593d9-add6-4083-9c9b-4b7d2188c899\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-12430be1-6cc8-4527-a9a8-e3d38f250096\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"modeRequirement-12430be1-6cc8-4527-a9a8-e3d38f250096\" : { \r\n \"value\" : \"Detection\"\r\n },\r\n \"effect-425bea59-a659-4cbb-8d31-34499bd030b8\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"modeRequirement-425bea59-a659-4cbb-8d31-34499bd030b8\" : { \r\n \"value\" : \"Detection\"\r\n },\r\n \"effect-564feb30-bf6a-4854-b4bb-0d2d2d1e6c66\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-055aa869-bc98-4af8-bafc-23f1ab6ffe2c\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-013e242c-8828-4970-87b3-ab247555486d\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-d38fc420-0735-4ef3-ac11-c806f651a570\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-a1181c5f-672a-477a-979a-7d58aa086233\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-308fbb08-4ab8-4e67-9b29-592e93fb94fa\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-4da35fc9-c9e7-4960-aec9-797fe7d9051d\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-523b5cd1-3e23-492f-a539-13118b6d1e3a\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-7fe3b40f-802b-4cdd-8bd4-fd799c948cc2\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-c25d9a16-bc35-4e15-a7e5-9db606bf9ed4\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-b0f33259-77d7-4c9e-aac6-3aabcfae693c\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n 
\"effect-037eea7a-bd0a-46c5-9a66-03aea78705d3\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-0725b4dd-7e76-479c-a735-68e7ee23d5ca\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-0820b7b9-23aa-4725-a1ce-ae4558f718e5\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-2c89a2e5-7285-40fe-afe0-ae8654b92fab\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-358c20a6-3f9e-4f0e-97ff-c6ce485e2aac\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-5744710e-cc2f-4ee8-8809-3b11e89f4bc9\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-ac4a19c2-fa67-49b4-8ae5-0b2e78c49457\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-c9d007d0-c057-4772-b18c-01e546713bcd\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-d0793b48-0edc-4296-a390-4c75d1bdfd71\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-e372f825-a257-4fb8-9175-797a8a8627d6\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-d158790f-bfb0-486c-8631-2dc6b4e8e6af\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-e802a67a-daf5-4436-9ea6-f6d821dd0c5d\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-a451c1ef-c6ca-483d-87ed-f49761e3ffb5\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftSql-servers-firewallRules-delete\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftNetwork-networkSecurityGroups-delete\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftClassicNetwork-networkSecurityGroups-delete\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftNetwork-networkSecurityGroups-securityRules-delete\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftClassicNetwork-networkSecurityGroups-securityRules-delete\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n 
\"effect-ae89ebca-1c92-4898-ac2c-9f63decb045c\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-d26f7642-7545-4e18-9b75-8c9bbdee3a9a\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-1a4e592a-6a6e-44a5-9814-e36264ca96e7\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-7796937f-307b-4598-941c-67d3a05ebfe7\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-c5447c04-a4d7-4ba8-a263-c9ee321a6858\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-41388f1c-2db0-4c25-95b2-35d7f5ccbfa9\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-b02aacc0-b073-424e-8298-42b22829ee0a\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-0ec47710-77ff-4a3d-9181-6aa50af424d0\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-48af4db5-9b8b-401c-8e74-076be876a430\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-82339799-d096-41ae-8538-b108becf0970\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-1b7aa243-30e4-4c9e-bca8-d0d3022b634a\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-bb91dfba-c30d-4263-9add-9c2384e659a6\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-e71308d3-144b-4262-b144-efdc3cc90517\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-2bdd0062-9d75-436e-89df-487dd8e4b3c7\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"effect-4733ea7b-a883-42fe-8cac-97454c2a9e4a\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-67121cc7-ff39-4ab8-b7e3-95b84dab487d\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-6fac406b-40ca-413b-bf8e-0bf964659c25\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-81e74cea-30fd-40d5-802f-d72103c2aaaa\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-c349d81b-9985-44ae-a8da-ff98d108ede8\" : { \r\n 
\"value\" : \"Audit\"\r\n },\r\n \"effect-f4b53539-8df9-40e4-86c6-6b607703bd4e\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-ec068d99-e9c7-401f-8cef-5bdde4e6ccf1\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-048248b0-55cd-46da-b1ff-39efd52db260\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-0d134df8-db83-46fb-ad72-fe0c9428c8dd\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-2c89a2e5-7285-40fe-afe0-ae8654b92fb2\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-3657f5a0-770e-44a3-b44e-9431ba1e9735\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-617c02be-7f02-4efd-8836-3180d47b6c68\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-7d7be79c-23ba-4033-84dd-45e2a5ccdd67\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-87ba29ef-1ab3-4d82-b763-87fcd4f531f7\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-f7d52b2d-e161-4dfa-a82b-55e564167385\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-c43e4a30-77cb-48ab-a4dd-93f175c63b57\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-1f314764-cb73-4fc9-b863-8eca98ac36e9\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-123a3936-f020-408a-ba0c-47873faf1534\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n }\r\n}\r\n", + "modifiedAssignment": "[if(and(equals(toLower(environment().name), toLower('AzureCloud')), equals(toLower(parameters('builtInAssignment')), toLower('IL5'))), 'NISTRev4', parameters('builtInAssignment'))]", + "assignmentName": "[format('{0} {1}', variables('modifiedAssignment'), resourceGroup().name)]", + "agentVmssAssignmentName": "[format('Deploy VMSS Agents {0}', resourceGroup().name)]", + "agentVmAssignmentName": "[format('Deploy VM Agents {0}', 
resourceGroup().name)]", + "contributorRoleDefinitionId": "[resourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "lawsReaderRoleDefinitionId": "[resourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]" + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2020-09-01", + "name": "[variables('assignmentName')]", + "location": "[parameters('location')]", + "properties": { + "policyDefinitionId": "[createObject('NISTRev4', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f', 'parameters', json(replace(variables('$fxv#0'), '', extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))))), 'NISTRev5', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f', 'parameters', json(variables('$fxv#1'))), 'IL5', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/f9a961fa-3241-4b20-adc4-bbf8ad9d7197', 'parameters', json(replace(variables('$fxv#2'), '', extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))))), 'CMMC', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/b5629c75-5c77-4422-87b9-2509e680f8de', 'parameters', json(replace(variables('$fxv#3'), '', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName')), 
'2021-06-01').customerId))))[variables('modifiedAssignment')].id]", + "parameters": "[createObject('NISTRev4', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f', 'parameters', json(replace(variables('$fxv#0'), '', extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))))), 'NISTRev5', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f', 'parameters', json(variables('$fxv#1'))), 'IL5', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/f9a961fa-3241-4b20-adc4-bbf8ad9d7197', 'parameters', json(replace(variables('$fxv#2'), '', extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))))), 'CMMC', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/b5629c75-5c77-4422-87b9-2509e680f8de', 'parameters', json(replace(variables('$fxv#3'), '', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName')), '2021-06-01').customerId))))[variables('modifiedAssignment')].parameters]" + }, + "identity": { + "type": "SystemAssigned" + } + }, + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2020-09-01", + "name": "[variables('agentVmssAssignmentName')]", + "location": "[parameters('location')]", + "properties": { + "policyDefinitionId": "[tenantResourceId('Microsoft.Authorization/policySetDefinitions', 
'75714362-cae7-409e-9b99-a8e5075b7fad')]", + "parameters": { + "logAnalytics_1": { + "value": "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))]" + } + } + }, + "identity": { + "type": "SystemAssigned" + } + }, + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2020-09-01", + "name": "[variables('agentVmAssignmentName')]", + "location": "[parameters('location')]", + "properties": { + "policyDefinitionId": "[tenantResourceId('Microsoft.Authorization/policySetDefinitions', '55f3eceb-5573-4f18-9695-226972c6d74a')]", + "parameters": { + "logAnalytics_1": { + "value": "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))]" + } + } + }, + "identity": { + "type": "SystemAssigned" + } + }, + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2020-04-01-preview", + "name": "[guid(variables('contributorRoleDefinitionId'), variables('assignmentName'))]", + "properties": { + "roleDefinitionId": "[variables('contributorRoleDefinitionId')]", + "principalId": "[if(empty(variables('modifiedAssignment')), '', reference(resourceId('Microsoft.Authorization/policyAssignments', variables('assignmentName')), '2020-09-01', 'full').identity.principalId)]", + "principalType": "ServicePrincipal" + }, + "dependsOn": [ + "[resourceId('Microsoft.Authorization/policyAssignments', variables('assignmentName'))]" + ] + }, + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2020-04-01-preview", + "name": "[guid(variables('contributorRoleDefinitionId'), variables('agentVmssAssignmentName'))]", + "properties": { + "roleDefinitionId": 
"[variables('contributorRoleDefinitionId')]", + "principalId": "[reference(resourceId('Microsoft.Authorization/policyAssignments', variables('agentVmssAssignmentName')), '2020-09-01', 'full').identity.principalId]", + "principalType": "ServicePrincipal" + }, + "dependsOn": [ + "[resourceId('Microsoft.Authorization/policyAssignments', variables('agentVmssAssignmentName'))]" + ] + }, + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2020-04-01-preview", + "name": "[guid(variables('contributorRoleDefinitionId'), variables('agentVmAssignmentName'))]", + "properties": { + "roleDefinitionId": "[variables('contributorRoleDefinitionId')]", + "principalId": "[reference(resourceId('Microsoft.Authorization/policyAssignments', variables('agentVmAssignmentName')), '2020-09-01', 'full').identity.principalId]", + "principalType": "ServicePrincipal" + }, + "dependsOn": [ + "[resourceId('Microsoft.Authorization/policyAssignments', variables('agentVmAssignmentName'))]" + ] + }, + { + "condition": "[parameters('deployRemediation')]", + "type": "Microsoft.PolicyInsights/remediations", + "apiVersion": "2019-07-01", + "name": "VM-Agent-Policy-Remediation", + "properties": { + "policyAssignmentId": "[resourceId('Microsoft.Authorization/policyAssignments', variables('agentVmAssignmentName'))]", + "resourceDiscoveryMode": "ReEvaluateCompliance" + }, + "dependsOn": [ + "[resourceId('Microsoft.Authorization/policyAssignments', variables('agentVmAssignmentName'))]" + ] + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('Assign-Laws-Role-Policy-{0}', resourceGroup().name)]", + "subscriptionId": "[parameters('operationsSubscriptionId')]", + "resourceGroup": "[parameters('logAnalyticsWorkspaceResourceGroupName')]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "targetResourceId": { + "value": 
"[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))]" + }, + "roleDefinitionId": { + "value": "[variables('lawsReaderRoleDefinitionId')]" + }, + "principalId": { + "value": "[reference(resourceId('Microsoft.Authorization/policyAssignments', variables('agentVmAssignmentName')), '2020-09-01', 'full').identity.principalId]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.24.24.22086", + "templateHash": "8686326864657481429" + } + }, + "parameters": { + "targetResourceId": { "type": "string" }, - "vmImageVersion": { + "roleDefinitionId": { "type": "string" }, - "adminUsername": { + "principalId": { "type": "string" }, - "authenticationType": { + "principalType": { "type": "string", + "defaultValue": "ServicePrincipal", "allowedValues": [ - "sshPublicKey", - "password" + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" ] }, - "adminPasswordOrKey": { - "type": "secureString", - "minLength": 12 - }, - "logAnalyticsWorkspaceId": { - "type": "string" - } - }, - "variables": { - "linuxConfiguration": { - "disablePasswordAuthentication": true, - "ssh": { - "publicKeys": [ - { - "path": "[format('/home/{0}/.ssh/authorized_keys', parameters('adminUsername'))]", - "keyData": "[parameters('adminPasswordOrKey')]" - } - ] - } + "description": { + "type": "string", + "defaultValue": "" } }, "resources": [ { - "type": "Microsoft.Compute/virtualMachines", - "apiVersion": "2020-06-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2020-04-01-preview", + "name": 
"[guid(parameters('targetResourceId'), parameters('roleDefinitionId'), parameters('principalId'))]", "properties": { - "hardwareProfile": { - "vmSize": "[parameters('vmSize')]" - }, - "storageProfile": { - "osDisk": { - "createOption": "[parameters('osDiskCreateOption')]", - "managedDisk": { - "storageAccountType": "[parameters('osDiskType')]" - } - }, - "imageReference": { - "publisher": "[parameters('vmImagePublisher')]", - "offer": "[parameters('vmImageOffer')]", - "sku": "[parameters('vmImageSku')]", - "version": "[parameters('vmImageVersion')]" - } - }, - "networkProfile": { - "networkInterfaces": [ - { - "id": "[resourceId('Microsoft.Network/networkInterfaces', parameters('networkInterfaceName'))]" - } - ] - }, - "osProfile": { - "computerName": "[parameters('name')]", - "adminUsername": "[parameters('adminUsername')]", - "adminPassword": "[parameters('adminPasswordOrKey')]", - "linuxConfiguration": "[if(equals(parameters('authenticationType'), 'password'), null(), variables('linuxConfiguration'))]" - } + "principalId": "[parameters('principalId')]", + "principalType": "[parameters('principalType')]", + "roleDefinitionId": "[parameters('roleDefinitionId')]", + "description": "[parameters('description')]" } - }, - { - "type": "Microsoft.Compute/virtualMachines/extensions", - "apiVersion": "2020-06-01", - "name": "[format('{0}/Microsoft.Azure.NetworkWatcher', parameters('name'))]", - "location": "[parameters('location')]", - "properties": { - "publisher": "Microsoft.Azure.NetworkWatcher", - "type": "NetworkWatcherAgentLinux", - "typeHandlerVersion": "1.4" - }, - "dependsOn": [ - "[resourceId('Microsoft.Compute/virtualMachines/extensions', parameters('name'), 'AzurePolicyforLinux')]", - "[resourceId('Microsoft.Compute/virtualMachines', parameters('name'))]" - ] - }, - { - "type": "Microsoft.Compute/virtualMachines/extensions", - "apiVersion": "2020-12-01", - "name": "[format('{0}/{1}', parameters('name'), 'AzurePolicyforLinux')]", - "location": 
"[parameters('location')]", - "properties": { - "publisher": "Microsoft.GuestConfiguration", - "type": "ConfigurationforLinux", - "typeHandlerVersion": "1.0", - "autoUpgradeMinorVersion": true, - "enableAutomaticUpgrade": true - }, - "dependsOn": [ - "[resourceId('Microsoft.Compute/virtualMachines', parameters('name'))]" - ] - }, - { - "type": "Microsoft.Compute/virtualMachines/extensions", - "apiVersion": "2020-06-01", - "name": "[format('{0}/OMSExtension', parameters('name'))]", - "location": "[parameters('location')]", - "properties": { - "publisher": "Microsoft.EnterpriseCloud.Monitoring", - "type": "OmsAgentForLinux", - "typeHandlerVersion": "1.13", - "settings": { - "workspaceId": "[reference(parameters('logAnalyticsWorkspaceId'), '2015-11-01-preview').customerId]", - "stopOnMultipleConnections": true - }, - "protectedSettings": { - "workspaceKey": "[listKeys(parameters('logAnalyticsWorkspaceId'), '2015-11-01-preview').primarySharedKey]" - } - }, - "dependsOn": [ - "[resourceId('Microsoft.Compute/virtualMachines/extensions', split(format('{0}/Microsoft.Azure.NetworkWatcher', parameters('name')), '/')[0], split(format('{0}/Microsoft.Azure.NetworkWatcher', parameters('name')), '/')[1])]", - "[resourceId('Microsoft.Compute/virtualMachines', parameters('name'))]" - ] - }, - { - "type": "Microsoft.Compute/virtualMachines/extensions", - "apiVersion": "2020-06-01", - "name": "[format('{0}/DependencyAgentLinux', parameters('name'))]", - "location": "[parameters('location')]", - "properties": { - "publisher": "Microsoft.Azure.Monitoring.DependencyAgent", - "type": "DependencyAgentLinux", - "typeHandlerVersion": "9.5", - "autoUpgradeMinorVersion": true - }, - "dependsOn": [ - "[resourceId('Microsoft.Compute/virtualMachines/extensions', split(format('{0}/OMSExtension', parameters('name')), '/')[0], split(format('{0}/OMSExtension', parameters('name')), '/')[1])]", - "[resourceId('Microsoft.Compute/virtualMachines', parameters('name'))]" - ] - } - ], - "outputs": { - 
"adminUsername": { - "type": "string", - "value": "[parameters('adminUsername')]" - }, - "authenticationType": { - "type": "string", - "value": "[parameters('authenticationType')]" } - } + ] } }, - "dependsOn": [ - "[resourceId('Microsoft.Resources/deployments', 'remoteAccess-linuxNetworkInterface')]" - ] + "dependsOn": [ + "[resourceId('Microsoft.Authorization/policyAssignments', variables('agentVmAssignmentName'))]" + ] + } + ] + } + }, + "dependsOn": [ + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix')))]" + ] + }, + { + "condition": "[parameters('deployDefender')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('set-hub-sub-defender-{0}', parameters('deploymentNameSuffix'))]", + "subscriptionId": "[parameters('hubSubscriptionId')]", + "location": "[deployment().location]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "logAnalyticsWorkspaceId": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.id.value]" + }, + "emailSecurityContact": { + "value": "[parameters('emailSecurityContact')]" + }, + "defenderSkuTier": { + "value": "[parameters('defenderSkuTier')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.24.24.22086", + "templateHash": "17349871984393503749" + } + }, + "parameters": { + "bundle": { + "type": "array", + 
"defaultValue": "[if(equals(environment().name, 'AzureCloud'), createArray('Api', 'AppServices', 'Arm', 'CloudPosture', 'Containers', 'CosmosDbs', 'KeyVaults', 'OpenSourceRelationalDatabases', 'SqlServers', 'SqlServerVirtualMachines', 'StorageAccounts', 'VirtualMachines'), if(equals(environment().name, 'AzureUSGovernment'), createArray('Arm', 'Containers', 'OpenSourceRelationalDatabases', 'SqlServers', 'SqlServerVirtualMachines', 'StorageAccounts', 'VirtualMachines'), createArray()))]" + }, + "enableAutoProvisioning": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Turn automatic deployment by Defender of the MMA (OMS VM extension) on or off" + } + }, + "logAnalyticsWorkspaceId": { + "type": "string", + "metadata": { + "description": "Specify the ID of your custom Log Analytics workspace to collect Defender data." + } + }, + "emailSecurityContact": { + "type": "string", + "metadata": { + "description": "Email address of the contact, in the form of john@doe.com" + } + }, + "policySetDescription": { + "type": "string", + "defaultValue": "The Microsoft Cloud Security Benchmark initiative represents the policies and controls implementing security recommendations defined in Microsoft Cloud Security Benchmark v2, see https://aka.ms/azsecbm. This also serves as the Microsoft Defender for Cloud default policy initiative. You can directly assign this initiative, or manage its policies and compliance results within Microsoft Defender.", + "metadata": { + "description": "Policy Initiative description field" + } + }, + "defenderSkuTier": { + "type": "string", + "defaultValue": "Standard", + "metadata": { + "description": "[Standard/Free] The SKU for Defender. It defaults to \"Standard\"." 
+ } + } + }, + "variables": { + "autoProvisioning": "[if(parameters('enableAutoProvisioning'), 'On', 'Off')]" + }, + "resources": [ + { + "copy": { + "name": "defenderPricing", + "count": "[length(parameters('bundle'))]", + "mode": "serial", + "batchSize": 1 + }, + "type": "Microsoft.Security/pricings", + "apiVersion": "2023-01-01", + "name": "[parameters('bundle')[copyIndex()]]", + "properties": { + "pricingTier": "[parameters('defenderSkuTier')]" + } }, { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "remoteAccess-windowsNetworkInterface", + "type": "Microsoft.Security/autoProvisioningSettings", + "apiVersion": "2019-01-01", + "name": "default", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" + "autoProvision": "[variables('autoProvisioning')]" + } + }, + { + "type": "Microsoft.Security/workspaceSettings", + "apiVersion": "2019-01-01", + "name": "default", + "properties": { + "workspaceId": "[parameters('logAnalyticsWorkspaceId')]", + "scope": "[subscription().id]" + } + }, + { + "condition": "[not(empty(parameters('emailSecurityContact')))]", + "type": "Microsoft.Security/securityContacts", + "apiVersion": "2020-01-01-preview", + "name": "default", + "properties": { + "notificationsByRole": { + "roles": [ + "AccountAdmin", + "Contributor", + "Owner", + "ServiceAdmin" + ], + "state": "On" }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[parameters('windowsNetworkInterfaceName')]" - }, - "location": { - "value": "[parameters('location')]" - }, - "tags": { - "value": "[parameters('tags')]" - }, - "ipConfigurationName": { - "value": "[parameters('windowsNetworkInterfaceIpConfigurationName')]" - }, - "networkSecurityGroupId": { - "value": "[parameters('hubNetworkSecurityGroupResourceId')]" - }, - "privateIPAddressAllocationMethod": { - "value": "[parameters('windowsNetworkInterfacePrivateIPAddressAllocationMethod')]" - }, - "subnetId": { - "value": "[parameters('hubSubnetResourceId')]" 
- } + "alertNotifications": { + "state": "On" }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.10.61.36676", - "templateHash": "11989297668424739974" - } - }, - "parameters": { - "name": { - "type": "string" - }, - "location": { - "type": "string" - }, - "tags": { - "type": "object", - "defaultValue": {} - }, - "ipConfigurationName": { - "type": "string" - }, - "subnetId": { - "type": "string" - }, - "networkSecurityGroupId": { - "type": "string" - }, - "privateIPAddressAllocationMethod": { - "type": "string" - } - }, - "resources": [ - { - "type": "Microsoft.Network/networkInterfaces", - "apiVersion": "2021-02-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "ipConfigurations": [ - { - "name": "[parameters('ipConfigurationName')]", - "properties": { - "subnet": { - "id": "[parameters('subnetId')]" - }, - "privateIPAllocationMethod": "[parameters('privateIPAddressAllocationMethod')]" - } - } - ], - "networkSecurityGroup": { - "id": "[parameters('networkSecurityGroupId')]" - } - } - } - ], - "outputs": { - "id": { - "type": "string", - "value": "[resourceId('Microsoft.Network/networkInterfaces', parameters('name'))]" - }, - "name": { - "type": "string", - "value": "[parameters('name')]" - } - } - } + "emails": "[parameters('emailSecurityContact')]" + } + }, + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2022-06-01", + "name": "Microsoft Cloud Security Benchmark", + "properties": { + "displayName": "Defender Default", + "description": "[parameters('policySetDescription')]", + "enforcementMode": "DoNotEnforce", + "parameters": {}, + "policyDefinitionId": "[tenantResourceId('Microsoft.Authorization/policySetDefinitions', '1f3afdf9-d0c9-4c3d-847f-89da613e70a8')]" + } + } + ] + } + }, + 
"dependsOn": [ + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix')))]" + ] + }, + { + "copy": { + "name": "spokeDefender", + "count": "[length(variables('spokes'))]" + }, + "condition": "[and(parameters('deployDefender'), not(equals(variables('spokes')[copyIndex()].subscriptionId, parameters('hubSubscriptionId'))))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('set-{0}-sub-defender', variables('spokes')[copyIndex()].name)]", + "subscriptionId": "[variables('spokes')[copyIndex()].subscriptionId]", + "location": "[deployment().location]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "logAnalyticsWorkspaceId": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.id.value]" + }, + "emailSecurityContact": { + "value": "[parameters('emailSecurityContact')]" + }, + "defenderSkuTier": { + "value": "[parameters('defenderSkuTier')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.24.24.22086", + "templateHash": "17349871984393503749" + } + }, + "parameters": { + "bundle": { + "type": "array", + "defaultValue": "[if(equals(environment().name, 'AzureCloud'), createArray('Api', 'AppServices', 'Arm', 'CloudPosture', 'Containers', 'CosmosDbs', 'KeyVaults', 'OpenSourceRelationalDatabases', 'SqlServers', 'SqlServerVirtualMachines', 
'StorageAccounts', 'VirtualMachines'), if(equals(environment().name, 'AzureUSGovernment'), createArray('Arm', 'Containers', 'OpenSourceRelationalDatabases', 'SqlServers', 'SqlServerVirtualMachines', 'StorageAccounts', 'VirtualMachines'), createArray()))]" + }, + "enableAutoProvisioning": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Turn automatic deployment by Defender of the MMA (OMS VM extension) on or off" + } + }, + "logAnalyticsWorkspaceId": { + "type": "string", + "metadata": { + "description": "Specify the ID of your custom Log Analytics workspace to collect Defender data." + } + }, + "emailSecurityContact": { + "type": "string", + "metadata": { + "description": "Email address of the contact, in the form of john@doe.com" + } + }, + "policySetDescription": { + "type": "string", + "defaultValue": "The Microsoft Cloud Security Benchmark initiative represents the policies and controls implementing security recommendations defined in Microsoft Cloud Security Benchmark v2, see https://aka.ms/azsecbm. This also serves as the Microsoft Defender for Cloud default policy initiative. You can directly assign this initiative, or manage its policies and compliance results within Microsoft Defender.", + "metadata": { + "description": "Policy Initiative description field" + } + }, + "defenderSkuTier": { + "type": "string", + "defaultValue": "Standard", + "metadata": { + "description": "[Standard/Free] The SKU for Defender. It defaults to \"Standard\"." 
+ } + } + }, + "variables": { + "autoProvisioning": "[if(parameters('enableAutoProvisioning'), 'On', 'Off')]" + }, + "resources": [ + { + "copy": { + "name": "defenderPricing", + "count": "[length(parameters('bundle'))]", + "mode": "serial", + "batchSize": 1 + }, + "type": "Microsoft.Security/pricings", + "apiVersion": "2023-01-01", + "name": "[parameters('bundle')[copyIndex()]]", + "properties": { + "pricingTier": "[parameters('defenderSkuTier')]" + } + }, + { + "type": "Microsoft.Security/autoProvisioningSettings", + "apiVersion": "2019-01-01", + "name": "default", + "properties": { + "autoProvision": "[variables('autoProvisioning')]" } }, { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "remoteAccess-windowsVirtualMachine", + "type": "Microsoft.Security/workspaceSettings", + "apiVersion": "2019-01-01", + "name": "default", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" + "workspaceId": "[parameters('logAnalyticsWorkspaceId')]", + "scope": "[subscription().id]" + } + }, + { + "condition": "[not(empty(parameters('emailSecurityContact')))]", + "type": "Microsoft.Security/securityContacts", + "apiVersion": "2020-01-01-preview", + "name": "default", + "properties": { + "notificationsByRole": { + "roles": [ + "AccountAdmin", + "Contributor", + "Owner", + "ServiceAdmin" + ], + "state": "On" }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[parameters('windowsVmName')]" - }, - "location": { - "value": "[parameters('location')]" - }, - "tags": { - "value": "[parameters('tags')]" - }, - "size": { - "value": "[parameters('windowsVmSize')]" - }, - "adminUsername": { - "value": "[parameters('windowsVmAdminUsername')]" - }, - "adminPassword": { - "value": "[parameters('windowsVmAdminPassword')]" - }, - "publisher": { - "value": "[parameters('windowsVmPublisher')]" - }, - "offer": { - "value": "[parameters('windowsVmOffer')]" - }, - "sku": { - "value": "[parameters('windowsVmSku')]" - }, - 
"version": { - "value": "[parameters('windowsVmVersion')]" - }, - "createOption": { - "value": "[parameters('windowsVmCreateOption')]" - }, - "storageAccountType": { - "value": "[parameters('windowsVmStorageAccountType')]" - }, - "networkInterfaceName": { - "value": "[reference(resourceId('Microsoft.Resources/deployments', 'remoteAccess-windowsNetworkInterface')).outputs.name.value]" - }, - "logAnalyticsWorkspaceId": { - "value": "[parameters('logAnalyticsWorkspaceId')]" - } + "alertNotifications": { + "state": "On" }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.10.61.36676", - "templateHash": "3741703278800278886" - } - }, - "parameters": { - "name": { - "type": "string" - }, - "location": { - "type": "string" - }, - "tags": { - "type": "object", - "defaultValue": {} - }, - "networkInterfaceName": { - "type": "string" - }, - "size": { - "type": "string" - }, - "adminUsername": { - "type": "string" - }, - "adminPassword": { - "type": "secureString", - "minLength": 12 - }, - "publisher": { - "type": "string" - }, - "offer": { - "type": "string" - }, - "sku": { - "type": "string" - }, - "version": { - "type": "string" - }, - "createOption": { - "type": "string" - }, - "storageAccountType": { - "type": "string" - }, - "logAnalyticsWorkspaceId": { - "type": "string" - }, - "availabilitySet": { - "type": "object", - "defaultValue": {} - }, - "dataDisks": { - "type": "array", - "defaultValue": [] - } - }, - "resources": [ - { - "type": "Microsoft.Compute/virtualMachines", - "apiVersion": "2021-04-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "availabilitySet": "[if(not(equals(parameters('availabilitySet'), createObject())), parameters('availabilitySet'), null())]", - "hardwareProfile": { - "vmSize": 
"[parameters('size')]" - }, - "osProfile": { - "computerName": "[take(parameters('name'), 15)]", - "adminUsername": "[parameters('adminUsername')]", - "adminPassword": "[parameters('adminPassword')]" - }, - "storageProfile": { - "imageReference": { - "publisher": "[parameters('publisher')]", - "offer": "[parameters('offer')]", - "sku": "[parameters('sku')]", - "version": "[parameters('version')]" - }, - "osDisk": { - "createOption": "[parameters('createOption')]", - "managedDisk": { - "storageAccountType": "[parameters('storageAccountType')]" - } - }, - "dataDisks": "[parameters('dataDisks')]" - }, - "networkProfile": { - "networkInterfaces": [ - { - "id": "[resourceId('Microsoft.Network/networkInterfaces', parameters('networkInterfaceName'))]" - } - ] - } - } - }, - { - "type": "Microsoft.Compute/virtualMachines/extensions", - "apiVersion": "2021-04-01", - "name": "[format('{0}/DependencyAgentWindows', parameters('name'))]", - "location": "[parameters('location')]", - "properties": { - "publisher": "Microsoft.Azure.Monitoring.DependencyAgent", - "type": "DependencyAgentWindows", - "typeHandlerVersion": "9.5", - "autoUpgradeMinorVersion": true - }, - "dependsOn": [ - "[resourceId('Microsoft.Compute/virtualMachines', parameters('name'))]" - ] - }, - { - "type": "Microsoft.Compute/virtualMachines/extensions", - "apiVersion": "2021-04-01", - "name": "[format('{0}/AzurePolicyforWindows', parameters('name'))]", - "location": "[parameters('location')]", - "properties": { - "publisher": "Microsoft.GuestConfiguration", - "type": "ConfigurationforWindows", - "typeHandlerVersion": "1.0", - "autoUpgradeMinorVersion": true, - "enableAutomaticUpgrade": true - }, - "dependsOn": [ - "[resourceId('Microsoft.Compute/virtualMachines', parameters('name'))]" - ] - }, - { - "type": "Microsoft.Compute/virtualMachines/extensions", - "apiVersion": "2021-04-01", - "name": "[format('{0}/MMAExtension', parameters('name'))]", - "location": "[parameters('location')]", - "properties": { - 
"publisher": "Microsoft.EnterpriseCloud.Monitoring", - "type": "MicrosoftMonitoringAgent", - "typeHandlerVersion": "1.0", - "settings": { - "workspaceId": "[reference(parameters('logAnalyticsWorkspaceId'), '2015-11-01-preview').customerId]", - "stopOnMultipleConnections": true - }, - "protectedSettings": { - "workspaceKey": "[listKeys(parameters('logAnalyticsWorkspaceId'), '2015-11-01-preview').primarySharedKey]" - } - }, - "dependsOn": [ - "[resourceId('Microsoft.Compute/virtualMachines', parameters('name'))]" - ] - }, - { - "type": "Microsoft.Compute/virtualMachines/extensions", - "apiVersion": "2020-06-01", - "name": "[format('{0}/Microsoft.Azure.NetworkWatcher', parameters('name'))]", - "location": "[parameters('location')]", - "properties": { - "publisher": "Microsoft.Azure.NetworkWatcher", - "type": "NetworkWatcherAgentWindows", - "typeHandlerVersion": "1.4" - }, - "dependsOn": [ - "[resourceId('Microsoft.Compute/virtualMachines', parameters('name'))]" - ] - } - ] - } - }, - "dependsOn": [ - "[resourceId('Microsoft.Resources/deployments', 'remoteAccess-windowsNetworkInterface')]" - ] + "emails": "[parameters('emailSecurityContact')]" + } + }, + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2022-06-01", + "name": "Microsoft Cloud Security Benchmark", + "properties": { + "displayName": "Defender Default", + "description": "[parameters('policySetDescription')]", + "enforcementMode": "DoNotEnforce", + "parameters": {}, + "policyDefinitionId": "[tenantResourceId('Microsoft.Authorization/policySetDefinitions', '1f3afdf9-d0c9-4c3d-847f-89da613e70a8')]" + } } ] } }, "dependsOn": [ - "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', 'azure-monitor-private-link')]", - "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 
'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix')))]", - "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-DNS-{0}', parameters('deploymentNameSuffix')))]", "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix')))]" ] } 
@@ -8561,21 +8911,21 @@ }, "firewallPrivateIPAddress": { "type": "string", - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix')))).outputs.firewallPrivateIPAddress.value]" + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.firewallPrivateIPAddress.value]" }, "hub": { "type": "object", "value": { "subscriptionId": "[parameters('hubSubscriptionId')]", - "resourceGroupName": "[reference(subscriptionResourceId(parameters('hubSubscriptionId'), 'Microsoft.Resources/deployments', format('deploy-rg-hub-{0}', parameters('deploymentNameSuffix')))).outputs.name.value]", - "resourceGroupResourceId": "[reference(subscriptionResourceId(parameters('hubSubscriptionId'), 'Microsoft.Resources/deployments', format('deploy-rg-hub-{0}', parameters('deploymentNameSuffix')))).outputs.id.value]", - "virtualNetworkName": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix')))).outputs.virtualNetworkName.value]", - "virtualNetworkResourceId": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix')))).outputs.virtualNetworkResourceId.value]", - "subnetName": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), 
variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix')))).outputs.subnetName.value]", - "subnetResourceId": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix')))).outputs.subnetResourceId.value]", - "subnetAddressPrefix": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix')))).outputs.subnetAddressPrefix.value]", - "networkSecurityGroupName": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix')))).outputs.networkSecurityGroupName.value]", - "networkSecurityGroupResourceId": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix')))).outputs.networkSecurityGroupResourceId.value]" + "resourceGroupName": "[reference(subscriptionResourceId(parameters('hubSubscriptionId'), 'Microsoft.Resources/deployments', format('deploy-rg-hub-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.name.value]", + "resourceGroupResourceId": "[reference(subscriptionResourceId(parameters('hubSubscriptionId'), 'Microsoft.Resources/deployments', format('deploy-rg-hub-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.id.value]", + "virtualNetworkName": 
"[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.virtualNetworkName.value]", + "virtualNetworkResourceId": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.virtualNetworkResourceId.value]", + "subnetName": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.subnetName.value]", + "subnetResourceId": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.subnetResourceId.value]", + "subnetAddressPrefix": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.subnetAddressPrefix.value]", + "networkSecurityGroupName": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.networkSecurityGroupName.value]", + "networkSecurityGroupResourceId": 
"[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.networkSecurityGroupResourceId.value]" } }, "deployDefender": { @@ -8588,11 +8938,11 @@ }, "logAnalyticsWorkspaceName": { "type": "string", - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix')))).outputs.name.value]" + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.name.value]" }, "logAnalyticsWorkspaceResourceId": { "type": "string", - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix')))).outputs.id.value]" + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.id.value]" }, "diagnosticStorageAccountName": { "type": "string", 
@@ -8613,15 +8963,15 @@ "input": { "name": "[variables('spokes')[copyIndex()].name]", "subscriptionId": "[variables('spokes')[copyIndex()].subscriptionId]", - "resourceGroupName": "[reference(subscriptionResourceId(variables('spokes')[copyIndex()].subscriptionId, 'Microsoft.Resources/deployments', format('deploy-rg-{0}-{1}', variables('spokes')[copyIndex()].name, parameters('deploymentNameSuffix')))).outputs.name.value]", - "resourceGroupId": "[reference(subscriptionResourceId(variables('spokes')[copyIndex()].subscriptionId, 'Microsoft.Resources/deployments', format('deploy-rg-{0}-{1}', variables('spokes')[copyIndex()].name, parameters('deploymentNameSuffix')))).outputs.id.value]", - "virtualNetworkName": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', variables('spokes')[copyIndex()].subscriptionId, variables('spokes')[copyIndex()].resourceGroupName), 'Microsoft.Resources/deployments', format('deploy-vnet-{0}-{1}', variables('spokes')[copyIndex()].name, parameters('deploymentNameSuffix')))).outputs.virtualNetworkName.value]", - "virtualNetworkResourceId": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', variables('spokes')[copyIndex()].subscriptionId, variables('spokes')[copyIndex()].resourceGroupName), 'Microsoft.Resources/deployments', format('deploy-vnet-{0}-{1}', variables('spokes')[copyIndex()].name, parameters('deploymentNameSuffix')))).outputs.virtualNetworkResourceId.value]", - "subnetName": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', variables('spokes')[copyIndex()].subscriptionId, variables('spokes')[copyIndex()].resourceGroupName), 'Microsoft.Resources/deployments', format('deploy-vnet-{0}-{1}', variables('spokes')[copyIndex()].name, parameters('deploymentNameSuffix')))).outputs.subnetName.value]", - "subnetResourceId": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', variables('spokes')[copyIndex()].subscriptionId, 
variables('spokes')[copyIndex()].resourceGroupName), 'Microsoft.Resources/deployments', format('deploy-vnet-{0}-{1}', variables('spokes')[copyIndex()].name, parameters('deploymentNameSuffix')))).outputs.subnetResourceId.value]", - "subnetAddressPrefix": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', variables('spokes')[copyIndex()].subscriptionId, variables('spokes')[copyIndex()].resourceGroupName), 'Microsoft.Resources/deployments', format('deploy-vnet-{0}-{1}', variables('spokes')[copyIndex()].name, parameters('deploymentNameSuffix')))).outputs.subnetAddressPrefix.value]", - "networkSecurityGroupName": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', variables('spokes')[copyIndex()].subscriptionId, variables('spokes')[copyIndex()].resourceGroupName), 'Microsoft.Resources/deployments', format('deploy-vnet-{0}-{1}', variables('spokes')[copyIndex()].name, parameters('deploymentNameSuffix')))).outputs.networkSecurityGroupName.value]", - "networkSecurityGroupResourceId": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', variables('spokes')[copyIndex()].subscriptionId, variables('spokes')[copyIndex()].resourceGroupName), 'Microsoft.Resources/deployments', format('deploy-vnet-{0}-{1}', variables('spokes')[copyIndex()].name, parameters('deploymentNameSuffix')))).outputs.networkSecurityGroupResourceId.value]" + "resourceGroupName": "[reference(subscriptionResourceId(variables('spokes')[copyIndex()].subscriptionId, 'Microsoft.Resources/deployments', format('deploy-rg-{0}-{1}', variables('spokes')[copyIndex()].name, parameters('deploymentNameSuffix'))), '2022-09-01').outputs.name.value]", + "resourceGroupId": "[reference(subscriptionResourceId(variables('spokes')[copyIndex()].subscriptionId, 'Microsoft.Resources/deployments', format('deploy-rg-{0}-{1}', variables('spokes')[copyIndex()].name, parameters('deploymentNameSuffix'))), '2022-09-01').outputs.id.value]", + 
"virtualNetworkName": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', variables('spokes')[copyIndex()].subscriptionId, variables('spokes')[copyIndex()].resourceGroupName), 'Microsoft.Resources/deployments', format('deploy-vnet-{0}-{1}', variables('spokes')[copyIndex()].name, parameters('deploymentNameSuffix'))), '2022-09-01').outputs.virtualNetworkName.value]", + "virtualNetworkResourceId": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', variables('spokes')[copyIndex()].subscriptionId, variables('spokes')[copyIndex()].resourceGroupName), 'Microsoft.Resources/deployments', format('deploy-vnet-{0}-{1}', variables('spokes')[copyIndex()].name, parameters('deploymentNameSuffix'))), '2022-09-01').outputs.virtualNetworkResourceId.value]", + "subnetName": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', variables('spokes')[copyIndex()].subscriptionId, variables('spokes')[copyIndex()].resourceGroupName), 'Microsoft.Resources/deployments', format('deploy-vnet-{0}-{1}', variables('spokes')[copyIndex()].name, parameters('deploymentNameSuffix'))), '2022-09-01').outputs.subnetName.value]", + "subnetResourceId": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', variables('spokes')[copyIndex()].subscriptionId, variables('spokes')[copyIndex()].resourceGroupName), 'Microsoft.Resources/deployments', format('deploy-vnet-{0}-{1}', variables('spokes')[copyIndex()].name, parameters('deploymentNameSuffix'))), '2022-09-01').outputs.subnetResourceId.value]", + "subnetAddressPrefix": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', variables('spokes')[copyIndex()].subscriptionId, variables('spokes')[copyIndex()].resourceGroupName), 'Microsoft.Resources/deployments', format('deploy-vnet-{0}-{1}', variables('spokes')[copyIndex()].name, parameters('deploymentNameSuffix'))), '2022-09-01').outputs.subnetAddressPrefix.value]", + 
"networkSecurityGroupName": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', variables('spokes')[copyIndex()].subscriptionId, variables('spokes')[copyIndex()].resourceGroupName), 'Microsoft.Resources/deployments', format('deploy-vnet-{0}-{1}', variables('spokes')[copyIndex()].name, parameters('deploymentNameSuffix'))), '2022-09-01').outputs.networkSecurityGroupName.value]", + "networkSecurityGroupResourceId": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', variables('spokes')[copyIndex()].subscriptionId, variables('spokes')[copyIndex()].resourceGroupName), 'Microsoft.Resources/deployments', format('deploy-vnet-{0}-{1}', variables('spokes')[copyIndex()].name, parameters('deploymentNameSuffix'))), '2022-09-01').outputs.networkSecurityGroupResourceId.value]" } } } diff --git a/src/bicep/modules/azure-monitor.bicep b/src/bicep/modules/azure-monitor.bicep new file mode 100644 index 000000000..f1f4adfad --- /dev/null +++ b/src/bicep/modules/azure-monitor.bicep 
@@ -0,0 +1,97 @@
+/*
+Copyright (c) Microsoft Corporation.
+Licensed under the MIT License.
+*/
+
+param agentsvcPrivateDnsZoneId string
+param location string = resourceGroup().location
+param logAnalyticsWorkspaceName string
+param logAnalyticsWorkspaceResourceId string
+param monitorPrivateDnsZoneId string
+param odsPrivateDnsZoneId string
+param omsPrivateDnsZoneId string
+param resourcePrefix string
+param subnetResourceId string
+param tags object
+
+var privateEndpointName = replace(logAnalyticsWorkspaceName, resourcePrefix, '${resourcePrefix}-pe')
+var privateEndpointNetworkInterfaceName = replace(logAnalyticsWorkspaceName, resourcePrefix, '${resourcePrefix}-nic')
+var privateLinkScopeName = replace(logAnalyticsWorkspaceName, resourcePrefix, '${resourcePrefix}-pls')
+
+resource privateLinkScope 'microsoft.insights/privateLinkScopes@2021-09-01' = {
+ name: privateLinkScopeName
+ location: 'global'
+ properties: {
+ accessModeSettings: {
+ ingestionAccessMode: 'Private'
+ queryAccessMode: 'Private'
+ }
+ }
+}
+
+resource scopedResource 'Microsoft.Insights/privateLinkScopes/scopedResources@2021-09-01' = {
+ parent: privateLinkScope
+ name: logAnalyticsWorkspaceName
+ properties: {
+ linkedResourceId: logAnalyticsWorkspaceResourceId
+ }
+}
+
+resource privateEndpoint 'Microsoft.Network/privateEndpoints@2023-04-01' = {
+ name: privateEndpointName
+ location: location
+ tags: tags
+ properties: {
+ customNetworkInterfaceName: privateEndpointNetworkInterfaceName
+ privateLinkServiceConnections: [
+ {
+ name: privateEndpointNetworkInterfaceName
+ properties: {
+ privateLinkServiceId: privateLinkScope.id
+ groupIds: [
+ 'azuremonitor'
+ ]
+ }
+ }
+ ]
+ subnet: {
+ id: subnetResourceId
+ }
+ }
+ dependsOn: [
+ scopedResource
+ ]
+}
+
+resource privateDnsZoneGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2023-04-01' = {
+ name: privateEndpointName
+ parent: privateEndpoint
+ properties: {
+ privateDnsZoneConfigs: [
+ {
+ name: 'monitor'
+ properties: {
+ privateDnsZoneId: monitorPrivateDnsZoneId + } + } + { + name: 'oms' + properties: { + privateDnsZoneId: omsPrivateDnsZoneId + } + } + { + name: 'ods' + properties: { + privateDnsZoneId: odsPrivateDnsZoneId + } + } + { + name: 'agentsvc' + properties: { + privateDnsZoneId: agentsvcPrivateDnsZoneId + } + } + ] + } +} diff --git a/src/bicep/modules/bastion-host.bicep b/src/bicep/modules/bastion-host.bicep index dbc110f19..b4916690f 100644 --- a/src/bicep/modules/bastion-host.bicep +++ b/src/bicep/modules/bastion-host.bicep @@ -3,21 +3,15 @@ Copyright (c) Microsoft Corporation. Licensed under the MIT License. */ -param name string +param bastionHostSubnetResourceId string +param ipConfigurationName string param location string -param tags object = {} - -param virtualNetworkName string - -var subnetName = 'AzureBastionSubnet' // The subnet name for Azure Bastion Hosts must be 'AzureBastionSubnet' -param subnetAddressPrefix string - -param publicIPAddressName string -param publicIPAddressSkuName string +param name string param publicIPAddressAllocationMethod string param publicIPAddressAvailabilityZones array - -param ipConfigurationName string +param publicIPAddressName string +param publicIPAddressSkuName string +param tags object resource publicIPAddress 'Microsoft.Network/publicIPAddresses@2021-02-01' = { name: publicIPAddressName @@ -35,14 +29,6 @@ resource publicIPAddress 'Microsoft.Network/publicIPAddresses@2021-02-01' = { zones: publicIPAddressAvailabilityZones } -resource subnet 'Microsoft.Network/virtualNetworks/subnets@2021-02-01' = { - name: '${virtualNetworkName}/${subnetName}' - - properties: { - addressPrefix: subnetAddressPrefix - } -} - resource bastionHost 'Microsoft.Network/bastionHosts@2021-02-01' = { name: name location: location 
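Review bot: In azure-monitor.bicep, `ingestionAccessMode: 'Private'` and `queryAccessMode: 'Private'` on `privateLinkScope` only govern traffic from networks connected to the scope. Whether public ingestion and query are closed as well depends on the workspace's own `publicNetworkAccessForIngestion` and `publicNetworkAccessForQuery` properties, which this file does not set and which should be confirmed where the workspace is defined. Separately, the three derived names rely on `replace(logAnalyticsWorkspaceName, resourcePrefix, ...)`, which returns the workspace name unchanged when the prefix is absent, so the `-pe`, `-nic` and `-pls` names would then be identical to each other. A comment above the `var` block such as `// assumes logAnalyticsWorkspaceName contains resourcePrefix exactly once` would make that assumption explicit.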
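Review bot: The new `bastionHostSubnetResourceId` parameter in bastion-host.bicep has no description, and the constraint that the removed line documented (`// The subnet name for Azure Bastion Hosts must be 'AzureBastionSubnet'`) is no longer stated anywhere in this module. Adding `@description('Resource ID of the subnet for the bastion host; the subnet must be named AzureBastionSubnet')` above the parameter would keep that requirement visible to callers, who now create the subnet themselves. The `tags` parameter also loses its `= {}` default in this hunk, so any caller that omitted it needs updating.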
@@ -54,7 +40,7 @@ resource bastionHost 'Microsoft.Network/bastionHosts@2021-02-01' = { name: ipConfigurationName properties: { subnet: { - id: subnet.id + id: bastionHostSubnetResourceId } publicIPAddress: { id: publicIPAddress.id diff --git a/src/bicep/modules/disk-encryption-set.bicep b/src/bicep/modules/disk-encryption-set.bicep new file mode 100644 index 000000000..085cad3b3 --- /dev/null +++ b/src/bicep/modules/disk-encryption-set.bicep @@ -0,0 +1,42 @@ +/* +Copyright (c) Microsoft Corporation. +Licensed under the MIT License. +*/ + +param deploymentNameSuffix string +param diskEncryptionSetName string +param keyUrl string +param keyVaultResourceId string +param location string +param tags object + +resource diskEncryptionSet 'Microsoft.Compute/diskEncryptionSets@2023-04-02' = { + name: diskEncryptionSetName + location: location + tags: tags + identity: { + type: 'SystemAssigned' + } + properties: { + activeKey: { + sourceVault: { + id: keyVaultResourceId + } + keyUrl: keyUrl + } + encryptionType: 'EncryptionAtRestWithPlatformAndCustomerKeys' + rotationToLatestKeyVersionEnabled: true + } +} + +module roleAssignment 'role-assignment.bicep' = { + name: 'assign-role-disk-encryption-set-ops-${deploymentNameSuffix}' + params: { + principalId: diskEncryptionSet.identity.principalId + principalType: 'ServicePrincipal' + roleDefinitionId: resourceId('Microsoft.Authorization/roleDefinitions','e147488a-f6f5-4113-8e2d-b22465e65bf6') // Key Vault Crypto Service Encryption User + targetResourceId: resourceGroup().id + } +} + +output resourceId string = diskEncryptionSet.id diff --git a/src/bicep/modules/firewall-diagnostics.bicep b/src/bicep/modules/firewall-diagnostics.bicep new file mode 100644 index 000000000..77c45b69d --- /dev/null +++ b/src/bicep/modules/firewall-diagnostics.bicep 
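Review bot: The role assignment in disk-encryption-set.bicep passes `targetResourceId: resourceGroup().id`, so the disk encryption set's identity presumably receives Key Vault Crypto Service Encryption User across the whole resource group rather than on the single vault that holds its key. The module already takes `keyVaultResourceId`, so `targetResourceId: keyVaultResourceId` would narrow the grant to that vault, provided role-assignment.bicep (not shown here) can scope an assignment to a vault resource. It is also worth confirming that the vault sits in the resource group this module is deployed into, because otherwise the current assignment would not reach the vault at all.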
@@ -0,0 +1,27 @@ +/* +Copyright (c) Microsoft Corporation. +Licensed under the MIT License. +*/ + +param logAnalyticsWorkspaceResourceId string +param logs array +param logStorageAccountResourceId string +param metrics array +param name string + +resource firewall 'Microsoft.Network/azureFirewalls@2021-02-01' existing = { + name: name +} + +resource diagnostics 'Microsoft.Insights/diagnosticSettings@2017-05-01-preview' = { + scope: firewall + name: '${firewall.name}-diagnostics' + properties: { + storageAccountId: logStorageAccountResourceId + workspaceId: logAnalyticsWorkspaceResourceId + logs: logs + metrics: metrics + } +} + +output privateIPAddress string = firewall.properties.ipConfigurations[0].properties.privateIPAddress diff --git a/src/bicep/modules/firewall.bicep b/src/bicep/modules/firewall.bicep index 9c7a5c40e..3b97c3a91 100644 --- a/src/bicep/modules/firewall.bicep +++ b/src/bicep/modules/firewall.bicep @@ -3,17 +3,30 @@ Copyright (c) Microsoft Corporation. Licensed under the MIT License. */ - +param clientIpConfigurationName string +param clientIpConfigurationSubnetResourceId string +param clientIpConfigurationPublicIPAddressResourceId string +param dnsServers array +param enableProxy bool +param firewallPolicyName string +param firewallSupernetIPAddress string +@allowed([ + 'Alert' + 'Deny' + 'Off' +]) +param intrusionDetectionMode string +param location string +param managementIpConfigurationName string +param managementIpConfigurationSubnetResourceId string +param managementIpConfigurationPublicIPAddressResourceId string param name string -param location string = resourceGroup().location -param tags object = {} - @allowed([ 'Standard' 'Premium' ]) param skuTier string - +param tags object = {} @allowed([ 'Alert' 'Deny' 
@@ -21,40 +34,10 @@ param skuTier string ]) param threatIntelMode string -@allowed([ - 'Alert' - 'Deny' - 'Off' -]) -param intrusionDetectionMode string - -//DNS Proxy Settings -param enableProxy bool -param dnsServers array - -param clientIpConfigurationName string -param clientIpConfigurationSubnetResourceId string -param clientIpConfigurationPublicIPAddressResourceId string - -param managementIpConfigurationName string -param managementIpConfigurationSubnetResourceId string -param managementIpConfigurationPublicIPAddressResourceId string - -param firewallPolicyName string - -param firewallSupernetIPAddress string - -param logStorageAccountResourceId string -param logAnalyticsWorkspaceResourceId string - -param logs array -param metrics array - var intrusionDetectionObject = { mode: intrusionDetectionMode } - resource firewallPolicy 'Microsoft.Network/firewallPolicies@2021-02-01' = { name: firewallPolicyName location: location @@ -73,10 +56,8 @@ resource firewallPolicy 'Microsoft.Network/firewallPolicies@2021-02-01' = { } resource firewallAppRuleCollectionGroup 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2021-02-01' = { - name: '${firewallPolicyName}/DefaultApplicationRuleCollectionGroup' - dependsOn: [ - firewallPolicy - ] + parent: firewallPolicy + name: 'DefaultApplicationRuleCollectionGroup' properties: { priority: 300 ruleCollections: [ @@ -118,9 +99,9 @@ resource firewallAppRuleCollectionGroup 'Microsoft.Network/firewallPolicies/rule } resource firewallNetworkRuleCollectionGroup 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2021-02-01' = { - name: '${firewallPolicyName}/DefaultNetworkRuleCollectionGroup' + parent: firewallPolicy + name: 'DefaultNetworkRuleCollectionGroup' dependsOn: [ - firewallPolicy firewallAppRuleCollectionGroup ] properties: { 
@@ -230,15 +211,5 @@ resource firewall 'Microsoft.Network/azureFirewalls@2021-02-01' = { } } -resource diagnostics 'Microsoft.Insights/diagnosticSettings@2017-05-01-preview' = { - scope: firewall - name: '${firewall.name}-diagnostics' - properties: { - storageAccountId: logStorageAccountResourceId - workspaceId: logAnalyticsWorkspaceResourceId - logs: logs - metrics: metrics - } -} - +output name string = firewall.name output privateIPAddress string = firewall.properties.ipConfigurations[0].properties.privateIPAddress diff --git a/src/bicep/modules/key-vault.bicep b/src/bicep/modules/key-vault.bicep new file mode 100644 index 000000000..e86482f32 --- /dev/null +++ b/src/bicep/modules/key-vault.bicep 
@@ -0,0 +1,147 @@ +param diskEncryptionKeyExpirationInDays int = 30 +param keyVaultName string +param keyVaultPrivateDnsZoneResourceId string +param location string +param resourcePrefix string +param subnetResourceId string +param tags object + +resource vault 'Microsoft.KeyVault/vaults@2022-07-01' = { + name: keyVaultName + location: location + tags: contains(tags, 'Microsoft.KeyVault/vaults') ? tags['Microsoft.KeyVault/vaults'] : {} + properties: { + enabledForDeployment: false + enabledForDiskEncryption: true + enabledForTemplateDeployment: false + enablePurgeProtection: true + enableRbacAuthorization: true + enableSoftDelete: true + networkAcls: { + bypass: 'AzureServices' + defaultAction: 'Deny' + ipRules: [] + virtualNetworkRules: [] + } + publicNetworkAccess: 'Disabled' + sku: { + family: 'A' + name: 'standard' + } + softDeleteRetentionInDays: 7 + tenantId: subscription().tenantId + } +} + +resource privateEndpoint 'Microsoft.Network/privateEndpoints@2023-04-01' = { + name: replace(keyVaultName, resourcePrefix, '${resourcePrefix}-pe') + location: location + tags: tags + properties: { + customNetworkInterfaceName: replace(keyVaultName, resourcePrefix, '${resourcePrefix}-nic') + privateLinkServiceConnections: [ + { + name: replace(keyVaultName, resourcePrefix, '${resourcePrefix}-nic') + properties: { + privateLinkServiceId: vault.id + groupIds: [ + 'vault' + ] + } + } + ] + subnet: { + id: subnetResourceId + } + } +} + +resource privateDnsZoneGroups 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2021-08-01' = { + parent: privateEndpoint + name: keyVaultName + properties: { + privateDnsZoneConfigs: [ + { + name: 'ipconfig1' + properties: { + privateDnsZoneId: keyVaultPrivateDnsZoneResourceId + } + } + ] + } +} + +resource key_disks 'Microsoft.KeyVault/vaults/keys@2022-07-01' = { + parent: vault + name: 'DiskEncryptionKey' + properties: { + attributes: { + enabled: true + } + keySize: 4096 + kty: 'RSA' + rotationPolicy: { + attributes: { + expiryTime: 
'P${string(diskEncryptionKeyExpirationInDays)}D' + } + lifetimeActions: [ + { + action: { + type: 'Notify' + } + trigger: { + timeBeforeExpiry: 'P10D' + } + } + { + action: { + type: 'Rotate' + } + trigger: { + timeAfterCreate: 'P${string(diskEncryptionKeyExpirationInDays - 7)}D' + } + } + ] + } + } +} + +resource key_storageAccounts 'Microsoft.KeyVault/vaults/keys@2022-07-01' = { + parent: vault + name: 'StorageEncryptionKey' + properties: { + attributes: { + enabled: true + } + keySize: 4096 + kty: 'RSA' + rotationPolicy: { + attributes: { + expiryTime: 'P${string(diskEncryptionKeyExpirationInDays)}D' + } + lifetimeActions: [ + { + action: { + type: 'Notify' + } + trigger: { + timeBeforeExpiry: 'P10D' + } + } + { + action: { + type: 'Rotate' + } + trigger: { + timeAfterCreate: 'P${string(diskEncryptionKeyExpirationInDays - 7)}D' + } + } + ] + } + } +} + +output keyUriWithVersion string = key_disks.properties.keyUriWithVersion +output keyVaultResourceId string = vault.id +output keyVaultUri string = vault.properties.vaultUri +output storageKeyName string = key_storageAccounts.name diff --git a/src/bicep/modules/linux-virtual-machine.bicep b/src/bicep/modules/linux-virtual-machine.bicep index ebf2c1c81..94007d118 100644 --- a/src/bicep/modules/linux-virtual-machine.bicep +++ b/src/bicep/modules/linux-virtual-machine.bicep 
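Review bot: `diskEncryptionKeyExpirationInDays` in key-vault.bicep has no lower bound, yet both rotation policies compute `timeAfterCreate` from `diskEncryptionKeyExpirationInDays - 7` and notify at a fixed `timeBeforeExpiry: 'P10D'`, so a value of 7 or less produces a zero or negative ISO 8601 duration. A decorator such as `@minValue(28)` above the parameter would reject those inputs at deployment time; 28 is the service minimum for key expiry as I recall it and should be checked against the Key Vault documentation. The same parameter also drives `StorageEncryptionKey`, so a name that is not disk-specific would describe it better. In addition, `softDeleteRetentionInDays: 7` gives a short recovery window for keys that protect disks and storage accounts, and a longer retention is worth considering.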
@@ -3,28 +3,28 @@ Copyright (c) Microsoft Corporation. Licensed under the MIT License. */ -param name string +@secure() +@minLength(12) +param adminPasswordOrKey string +param adminUsername string +@allowed([ + 'sshPublicKey' + 'password' +]) +param authenticationType string +param diskEncryptionSetResourceId string +param diskName string param location string -param tags object = {} - +param name string param networkInterfaceName string - -param vmSize string param osDiskCreateOption string param osDiskType string -param vmImagePublisher string +param tags object param vmImageOffer string +param vmImagePublisher string param vmImageSku string param vmImageVersion string -param adminUsername string -@allowed([ - 'sshPublicKey' - 'password' -]) -param authenticationType string -@secure() -@minLength(12) -param adminPasswordOrKey string +param vmSize string var linuxConfiguration = { disablePasswordAuthentication: true 
@@ -43,21 +43,56 @@ resource networkInterface 'Microsoft.Network/networkInterfaces@2021-02-01' exist name: networkInterfaceName } -resource virtualMachine 'Microsoft.Compute/virtualMachines@2020-06-01' = { +resource virtualMachine 'Microsoft.Compute/virtualMachines@2021-04-01' = { name: name location: location tags: tags - properties: { + diagnosticsProfile: { + bootDiagnostics: { + enabled: false + } + } hardwareProfile: { vmSize: vmSize } + networkProfile: { + networkInterfaces: [ + { + id: networkInterface.id + properties: { + deleteOption: 'Delete' + } + } + ] + } + osProfile: { + computerName: name + adminUsername: adminUsername + adminPassword: adminPasswordOrKey + linuxConfiguration: ((authenticationType == 'password') ? null : linuxConfiguration) + } + securityProfile: { + uefiSettings: { + secureBootEnabled: true + vTpmEnabled: true + } + securityType: 'trustedLaunch' + encryptionAtHost: true + } storageProfile: { osDisk: { + caching: 'ReadWrite' createOption: osDiskCreateOption + deleteOption: 'Delete' managedDisk: { + diskEncryptionSet: { + id: diskEncryptionSetResourceId + } storageAccountType: osDiskType } + name: diskName + osType: 'Linux' } imageReference: { publisher: vmImagePublisher 
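Review bot: `encryptionAtHost: true` in the new `securityProfile` is unconditional and the prerequisite is not documented anywhere in this hunk. As far as I know, host-based encryption has to be enabled on the subscription (the `EncryptionAtHost` feature under `Microsoft.Compute`) before a VM can be created with it, so a deployment into an unprepared subscription would fail at this resource. A comment on that line such as `// requires the EncryptionAtHost feature to be registered on the subscription` would save operators a failed deployment. The same hunk sets `bootDiagnostics` to `enabled: false`, which is worth a short why-comment because it removes a troubleshooting aid. The `virtualMachine` resource continues past the end of this hunk.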
@@ -66,36 +101,37 @@ resource virtualMachine 'Microsoft.Compute/virtualMachines@2020-06-01' = { version: vmImageVersion } } - networkProfile: { - networkInterfaces: [ - { - id: networkInterface.id - } - ] - } - osProfile: { - computerName: name - adminUsername: adminUsername - adminPassword: adminPasswordOrKey - linuxConfiguration: ((authenticationType == 'password') ? null : linuxConfiguration) - } + licenseType: null } } -resource networkWatcher 'Microsoft.Compute/virtualMachines/extensions@2020-06-01' = { - name: '${virtualMachine.name}/Microsoft.Azure.NetworkWatcher' +resource guestAttestationExtension 'Microsoft.Compute/virtualMachines/extensions@2021-03-01' = { + parent: virtualMachine + name: 'GuestAttestation' location: location properties: { - publisher: 'Microsoft.Azure.NetworkWatcher' - type: 'NetworkWatcherAgentLinux' - typeHandlerVersion: '1.4' + publisher: 'Microsoft.Azure.Security.LinuxAttestation' + type: 'GuestAttestation' + typeHandlerVersion: '1.0' + autoUpgradeMinorVersion: true + settings: { + AttestationConfig: { + MaaSettings: { + maaEndpoint: '' + maaTenantName: 'GuestAttestation' + } + AscSettings: { + ascReportingEndpoint: '' + ascReportingFrequency: '' + } + useCustomToken: 'false' + disableAlerts: 'false' + } + } } - dependsOn: [ - policyExtension - ] } -resource policyExtension 'Microsoft.Compute/virtualMachines/extensions@2020-12-01' = { +resource policyExtension 'Microsoft.Compute/virtualMachines/extensions@2021-04-01' = { parent: virtualMachine name: 'AzurePolicyforLinux' location: location 
@@ -108,8 +144,23 @@ resource policyExtension 'Microsoft.Compute/virtualMachines/extensions@2020-12-0 } } +resource networkWatcher 'Microsoft.Compute/virtualMachines/extensions@2021-04-01' = { + parent: virtualMachine + name: 'Microsoft.Azure.NetworkWatcher' + location: location + properties: { + publisher: 'Microsoft.Azure.NetworkWatcher' + type: 'NetworkWatcherAgentLinux' + typeHandlerVersion: '1.4' + } + dependsOn: [ + policyExtension + ] +} + resource omsExtension 'Microsoft.Compute/virtualMachines/extensions@2020-06-01' = { - name: '${virtualMachine.name}/OMSExtension' + parent: virtualMachine + name: 'OMSExtension' location: location properties: { publisher: 'Microsoft.EnterpriseCloud.Monitoring' @@ -128,8 +179,9 @@ resource omsExtension 'Microsoft.Compute/virtualMachines/extensions@2020-06-01' ] } -resource dependencyAgent 'Microsoft.Compute/virtualMachines/extensions@2020-06-01' = { - name: '${virtualMachine.name}/DependencyAgentLinux' +resource dependencyAgent 'Microsoft.Compute/virtualMachines/extensions@2021-04-01' = { + parent: virtualMachine + name: 'DependencyAgentLinux' location: location properties: { publisher: 'Microsoft.Azure.Monitoring.DependencyAgent' diff --git a/src/bicep/modules/network-interface.bicep b/src/bicep/modules/network-interface.bicep index e90e65ba0..21f90e0cd 100644 --- a/src/bicep/modules/network-interface.bicep +++ b/src/bicep/modules/network-interface.bicep @@ -16,7 +16,6 @@ resource networkInterface 'Microsoft.Network/networkInterfaces@2021-02-01' = { name: name location: location tags: tags - properties: { ipConfigurations: [ { diff --git a/src/bicep/modules/network-security-group-diagnostics.bicep b/src/bicep/modules/network-security-group-diagnostics.bicep new file mode 100644 index 000000000..1fff4d97c --- /dev/null +++ b/src/bicep/modules/network-security-group-diagnostics.bicep 
@@ -0,0 +1,26 @@ +/* +Copyright (c) Microsoft Corporation. +Licensed under the MIT License. +*/ + +param name string + +param logAnalyticsWorkspaceResourceId string +param logs array +param logStorageAccountResourceId string +param metrics array + +resource networkSecurityGroup 'Microsoft.Network/networkSecurityGroups@2021-02-01' existing = { + name: name +} + +resource diagnostics 'Microsoft.Insights/diagnosticSettings@2017-05-01-preview' = { + scope: networkSecurityGroup + name: '${networkSecurityGroup.name}-diagnostics' + properties: { + storageAccountId: logStorageAccountResourceId + workspaceId: logAnalyticsWorkspaceResourceId + logs: logs + metrics: metrics + } +} diff --git a/src/bicep/modules/network-security-group.bicep b/src/bicep/modules/network-security-group.bicep index ef2b7af59..695fcf489 100644 --- a/src/bicep/modules/network-security-group.bicep +++ b/src/bicep/modules/network-security-group.bicep @@ -3,17 +3,10 @@ Copyright (c) Microsoft Corporation. Licensed under the MIT License. */ -param name string param location string -param tags object = {} - +param name string param securityRules array - -param logStorageAccountResourceId string -param logAnalyticsWorkspaceResourceId string - -param logs array -param metrics array +param tags object resource networkSecurityGroup 'Microsoft.Network/networkSecurityGroups@2021-02-01' = { name: name @@ -25,16 +18,5 @@ resource networkSecurityGroup 'Microsoft.Network/networkSecurityGroups@2021-02-0 } } -resource diagnostics 'Microsoft.Insights/diagnosticSettings@2017-05-01-preview' = { - scope: networkSecurityGroup - name: '${networkSecurityGroup.name}-diagnostics' - properties: { - storageAccountId: logStorageAccountResourceId - workspaceId: logAnalyticsWorkspaceResourceId - logs: logs - metrics: metrics - } -} - output id string = networkSecurityGroup.id output name string = networkSecurityGroup.name 
diff --git a/src/bicep/modules/network-watcher.bicep b/src/bicep/modules/network-watcher.bicep new file mode 100644 index 000000000..e6eaef11a --- /dev/null +++ b/src/bicep/modules/network-watcher.bicep @@ -0,0 +1,10 @@ +param location string +param name string +param tags object + +resource networkWatcher 'Microsoft.Network/networkWatchers@2021-02-01' = { + name: name + location: location + tags: tags + properties: {} +} diff --git a/src/bicep/modules/private-dns.bicep b/src/bicep/modules/private-dns.bicep index 258b5c57d..77a5e5003 100644 --- a/src/bicep/modules/private-dns.bicep +++ b/src/bicep/modules/private-dns.bicep @@ -282,6 +282,7 @@ output automationPrivateDnsZoneId string = privateDnsZone_azure_automation.id output avdGlobalPrivateDnsZoneId string = privateDnsZone_avd_global.id output avdPrivateDnsZoneId string = privateDnsZone_avd.id output backupPrivateDnsZoneIds array = [for (name, i) in privatelink_backup_names: privateDnsZone_backup_rsv[i].id] +output blobPrivateDnsZoneId string = privateDnsZone_blob.id output filePrivateDnsZoneId string = privateDnsZone_file.id output keyvaultDnsPrivateDnsZoneId string = privateDnsZone_keyvaultDns.id output monitorPrivateDnsZoneId string = privateDnsZone_monitor.id diff --git a/src/bicep/modules/private-link.bicep b/src/bicep/modules/private-link.bicep deleted file mode 100644 index 183bae98e..000000000 --- a/src/bicep/modules/private-link.bicep +++ /dev/null 
@@ -1,127 +0,0 @@ -/* -Copyright (c) Microsoft Corporation. -Licensed under the MIT License. -*/ - -@description('The name of the resource the private endpoint is being created for') -param logAnalyticsWorkspaceName string - -@description('The resource id of the resoure the private endpoint is being created for') -param logAnalyticsWorkspaceResourceId string - -@description('The name of the subnet in the virtual network where the private endpoint will be placed') -param privateEndpointSubnetName string - -@description('The name of the virtual network where the private endpoint will be placed') -param privateEndpointVnetName string - -@description('The tags that will be associated to the VM') -param tags object - -@description('Data used to append to resources to ensure uniqueness') -param uniqueData string = substring(uniqueString(subscription().subscriptionId, deployment().name), 0, 8) - -@description('The name of the the resource group where the virtual network exists') -param vnetResourceGroup string = resourceGroup().name - -@description('The subscription id of the subscription the virtual network exists in') -param vnetSubscriptionId string = subscription().subscriptionId - -@description('The location of this resource') -param location string = resourceGroup().location - -@description('Azure Monitor Private DNS Zone resource id') -param monitorPrivateDnsZoneId string - -@description('OMS Private DNS Zone resource id') -param omsPrivateDnsZoneId string - -@description('ODS Private DNS Zone resource id') -param odsPrivateDnsZoneId string - -@description('Agentsvc Private DNS Zone resource id') -param agentsvcPrivateDnsZoneId string - -var privateLinkConnectionName = take('plconn${logAnalyticsWorkspaceName}${uniqueData}', 80) -var privateLinkEndpointName = take('pe${logAnalyticsWorkspaceName}${uniqueData}', 80) -var privateLinkScopeName = take('plscope${logAnalyticsWorkspaceName}${uniqueData}', 80) -var privateLinkScopeResourceName = 
take('plscres${logAnalyticsWorkspaceName}${uniqueData}', 80) - -resource globalPrivateLinkScope 'microsoft.insights/privateLinkScopes@2019-10-17-preview' = { - name: privateLinkScopeName - location: 'global' - properties: {} -} - -resource logAnalyticsWorkspacePrivateLinkScope 'microsoft.insights/privateLinkScopes/scopedResources@2019-10-17-preview' = { - name: '${privateLinkScopeName}/${privateLinkScopeResourceName}' - properties: { - linkedResourceId: logAnalyticsWorkspaceResourceId - } - dependsOn: [ - globalPrivateLinkScope - ] -} - -resource subnetPrivateEndpoint 'Microsoft.Network/privateEndpoints@2020-07-01' = { - name: privateLinkEndpointName - location: location - tags: tags - properties: { - subnet: { - id: resourceId(vnetSubscriptionId, vnetResourceGroup, 'Microsoft.Network/virtualNetworks/subnets', privateEndpointVnetName, privateEndpointSubnetName) - } - privateLinkServiceConnections: [ - { - name: privateLinkConnectionName - properties: { - privateLinkServiceId: globalPrivateLinkScope.id - groupIds: [ - 'azuremonitor' - ] - } - } - ] - } - dependsOn: [ - logAnalyticsWorkspacePrivateLinkScope - ] -} - - -resource dnsZonePrivateLinkEndpoint 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2020-07-01' = { - name: privateLinkEndpointName - parent: subnetPrivateEndpoint - properties: { - privateDnsZoneConfigs: [ - { - name: 'monitor' - properties: { - privateDnsZoneId: monitorPrivateDnsZoneId - } - } - { - name: 'oms' - properties: { - privateDnsZoneId: omsPrivateDnsZoneId - } - } - { - name: 'ods' - properties: { - privateDnsZoneId: odsPrivateDnsZoneId - } - } - { - name: 'agentsvc' - properties: { - privateDnsZoneId: agentsvcPrivateDnsZoneId - } - } - ] - } - dependsOn: [ - subnetPrivateEndpoint - ] -} - diff --git a/src/bicep/modules/public-ip-address-diagnostics.bicep b/src/bicep/modules/public-ip-address-diagnostics.bicep new file mode 100644 index 000000000..ca84868b7 --- /dev/null +++ b/src/bicep/modules/public-ip-address-diagnostics.bicep 
@@ -0,0 +1,25 @@ +/* +Copyright (c) Microsoft Corporation. +Licensed under the MIT License. +*/ + +param hubStorageAccountResourceId string +param logAnalyticsWorkspaceResourceId string +param name string +param publicIPAddressDiagnosticsLogs array +param publicIPAddressDiagnosticsMetrics array + +resource publicIPAddress 'Microsoft.Network/publicIPAddresses@2021-02-01' existing = { + name: name +} + +resource publicIpAddressDiagnostics 'Microsoft.Insights/diagnosticSettings@2017-05-01-preview' = { + scope: publicIPAddress + name: '${publicIPAddress.name}-diagnostics' + properties: { + storageAccountId: hubStorageAccountResourceId + workspaceId: logAnalyticsWorkspaceResourceId + logs: publicIPAddressDiagnosticsLogs + metrics: publicIPAddressDiagnosticsMetrics + } +} diff --git a/src/bicep/modules/public-ip-address.bicep b/src/bicep/modules/public-ip-address.bicep index f1cddda7c..cd81e6088 100644 --- a/src/bicep/modules/public-ip-address.bicep +++ b/src/bicep/modules/public-ip-address.bicep 
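Review bot: The parameter names in this new module do not line up with the sibling module added in the same patch. This file takes `hubStorageAccountResourceId`, `publicIPAddressDiagnosticsLogs` and `publicIPAddressDiagnosticsMetrics`, while virtual-network-diagnostics.bicep takes `logStorageAccountResourceId`, `logs` and `metrics` for the same three `properties` fields. Using one set of names in both, for example `param logStorageAccountResourceId string`, `param logs array` and `param metrics array`, would make the two diagnostics modules read and call the same way. Neither file puts `@description` decorators on its parameters, which the module deleted just above did have.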
@@ -3,45 +3,24 @@ Copyright (c) Microsoft Corporation. Licensed under the MIT License. */ -param name string +param availabilityZones array param location string -param tags object = {} - -param skuName string +param name string param publicIpAllocationMethod string -param availabilityZones array - -param logStorageAccountResourceId string -param logAnalyticsWorkspaceResourceId string - -param logs array -param metrics array +param skuName string +param tags object resource publicIPAddress 'Microsoft.Network/publicIPAddresses@2021-02-01' = { name: name location: location tags: tags - sku: { name: skuName } - properties: { publicIPAllocationMethod: publicIpAllocationMethod } - zones: availabilityZones } -resource diagnostics 'Microsoft.Insights/diagnosticSettings@2017-05-01-preview' = { - scope: publicIPAddress - name: '${publicIPAddress.name}-diagnostics' - properties: { - storageAccountId: logStorageAccountResourceId - workspaceId: logAnalyticsWorkspaceResourceId - logs: logs - metrics: metrics - } -} - output id string = publicIPAddress.id diff --git a/src/bicep/modules/route-table.bicep b/src/bicep/modules/route-table.bicep index d1a4306ee..1aa64b243 100644 --- a/src/bicep/modules/route-table.bicep +++ b/src/bicep/modules/route-table.bicep @@ -3,14 +3,13 @@ Copyright (c) Microsoft Corporation. Licensed under the MIT License. */ -param name string param location string -param tags object = {} - -param routeName string +param name string param routeAddressPrefix string +param routeName string param routeNextHopIpAddress string param routeNextHopType string +param tags object resource routeTable 'Microsoft.Network/routeTables@2021-02-01' = { name: name diff --git a/src/bicep/modules/storage-account.bicep b/src/bicep/modules/storage-account.bicep index a8324ca2f..315e2c74f 100644 --- a/src/bicep/modules/storage-account.bicep +++ b/src/bicep/modules/storage-account.bicep 
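Review bot: With the `diagnostics` resource removed, nothing in this module ties the public IP address to its log and metric settings any more, so a deployment that calls it without also calling public-ip-address-diagnostics.bicep creates the address with no diagnostic settings at all. The callers are not visible in this hunk, so this may already be handled; a header comment such as `// Diagnostic settings are deployed separately by public-ip-address-diagnostics.bicep` would make the dependency explicit. The same applies to virtual-network.bicep, whose `diagnostics` resource is removed in a later hunk. `tags` also loses its `= {}` default here and in route-table.bicep, which makes it a required parameter for any existing caller.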
@@ -3,39 +3,122 @@ Copyright (c) Microsoft Corporation. Licensed under the MIT License. */ -param storageAccountName string +param blobsPrivateDnsZoneResourceId string +param keyVaultUri string param location string +param resourcePrefix string param skuName string -param tags object = {} +param storageAccountName string +param storageEncryptionKeyName string +param subnetResourceId string +param tablesPrivateDnsZoneResourceId string +param tags object +param userAssignedIdentityResourceId string -resource storageAccount 'Microsoft.Storage/storageAccounts@2021-01-01' = { +var zones = [ + blobsPrivateDnsZoneResourceId + tablesPrivateDnsZoneResourceId +] + +resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' = { name: storageAccountName location: location + identity: { + type: 'UserAssigned' + userAssignedIdentities: { + '${userAssignedIdentityResourceId}': {} + } + } kind: 'StorageV2' sku: { name: skuName } tags: tags properties: { - minimumTlsVersion: 'TLS1_2' + accessTier: 'Hot' + allowBlobPublicAccess: false + allowCrossTenantReplication: false + allowedCopyScope: 'PrivateLink' + allowSharedKeyAccess: true + defaultToOAuthAuthentication: false + dnsEndpointType: 'Standard' encryption: { - keySource: 'Microsoft.Storage' + identity: { + userAssignedIdentity: userAssignedIdentityResourceId + } + keySource: 'Microsoft.KeyVault' + keyvaultproperties: { + keyvaulturi: keyVaultUri + keyname: storageEncryptionKeyName + } requireInfrastructureEncryption: true services: { blob: { + keyType: 'Account' enabled: true } file: { + keyType: 'Account' enabled: true } queue: { + keyType: 'Account' enabled: true } table: { + keyType: 'Account' enabled: true } } } + minimumTlsVersion: 'TLS1_2' + networkAcls: { + bypass: 'AzureServices' + virtualNetworkRules: [] + ipRules: [] + defaultAction: 'Deny' + } + publicNetworkAccess: 'Disabled' + supportsHttpsTrafficOnly: true } } + +resource privateEndpoints 'Microsoft.Network/privateEndpoints@2023-04-01' = [for (zone, i) 
in zones: { + name: '${replace(storageAccountName, resourcePrefix, '${resourcePrefix}-pe-')}-${split(split(zone, '/')[8], '.')[1]}' + location: location + tags: tags + properties: { + customNetworkInterfaceName: '${replace(storageAccountName, resourcePrefix, '${resourcePrefix}-nic-')}-${split(split(zone, '/')[8], '.')[1]}' + privateLinkServiceConnections: [ + { + name: '${replace(storageAccountName, resourcePrefix, '${resourcePrefix}-nic-')}-${split(split(zone, '/')[8], '.')[1]}' + properties: { + privateLinkServiceId: storageAccount.id + groupIds: [ + split(split(zone, '/')[8], '.')[1] + ] + } + } + ] + subnet: { + id: subnetResourceId + } + } +}] + +resource privateDnsZoneGroups 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2021-08-01' = [for (zone, i) in zones: { + parent: privateEndpoints[i] + name: storageAccountName + properties: { + privateDnsZoneConfigs: [ + { + name: 'ipconfig1' + properties: { + privateDnsZoneId: zone + } + } + ] + } +}] + output id string = storageAccount.id diff --git a/src/bicep/modules/user-assigned-identity.bicep b/src/bicep/modules/user-assigned-identity.bicep new file mode 100644 index 000000000..2e4692b7c --- /dev/null +++ b/src/bicep/modules/user-assigned-identity.bicep @@ -0,0 +1,21 @@ +param location string +param name string +param tags object + +resource userAssignedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: name + location: location + tags: tags +} + +module roleAssignment 'role-assignment.bicep' = { + name: 'roleAssignmentEncryption' + params: { + principalId: userAssignedIdentity.properties.principalId + principalType: 'ServicePrincipal' + roleDefinitionId: resourceId('Microsoft.Authorization/roleDefinitions', 'e147488a-f6f5-4113-8e2d-b22465e65bf6') // Key Vault Crypto Service Encryption User + targetResourceId: resourceGroup().id + } +} + +output resourceId string = userAssignedIdentity.id 
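Review bot: `allowSharedKeyAccess: true` together with `defaultToOAuthAuthentication: false` leaves account-key and SAS authorization enabled on an account that is otherwise locked down with a customer-managed key, `publicNetworkAccess: 'Disabled'` and private endpoints. If no consumer of this account needs the account keys (the callers are outside this hunk, so that needs confirming), `allowSharedKeyAccess: false` would restrict data-plane access to Microsoft Entra identities. Separately, the endpoint name, NIC name and `groupIds` entry are all derived from `split(split(zone, '/')[8], '.')[1]`, which silently depends on the DNS zone resource ID carrying the zone name at index 8 and the sub-resource as its second label; a comment on `var zones` saying so would help. The `privateLinkServiceConnections` name reuses the `-nic-` prefix, which looks like a copy of the line above it.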
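Review bot: The role assignment in user-assigned-identity.bicep is scoped to `resourceGroup().id`, so the identity receives Key Vault Crypto Service Encryption User on every key vault in that resource group, including ones added later, rather than only on the vault that holds the encryption key. Passing the key vault's resource ID into this module and using it as `targetResourceId` would keep the grant to that one vault; whether role-assignment.bicep accepts a vault-scoped target cannot be seen from this hunk. The module deployment name `'roleAssignmentEncryption'` is fixed, so two uses of this module in the same resource group would share one deployment name. The file is also added without the license header comment that the other modules start with.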
diff --git a/src/bicep/modules/virtual-network-diagnostics.bicep b/src/bicep/modules/virtual-network-diagnostics.bicep new file mode 100644 index 000000000..8c48743d9 --- /dev/null +++ b/src/bicep/modules/virtual-network-diagnostics.bicep @@ -0,0 +1,25 @@ +/* +Copyright (c) Microsoft Corporation. +Licensed under the MIT License. +*/ + +param logAnalyticsWorkspaceResourceId string +param logs array +param logStorageAccountResourceId string +param metrics array +param name string + +resource virtualNetwork 'Microsoft.Network/virtualNetworks@2021-02-01' existing = { + name: name +} + +resource diagnostics 'Microsoft.Insights/diagnosticSettings@2017-05-01-preview' = { + scope: virtualNetwork + name: '${virtualNetwork.name}-diagnostics' + properties: { + storageAccountId: logStorageAccountResourceId + workspaceId: logAnalyticsWorkspaceResourceId + logs: logs + metrics: metrics + } +} diff --git a/src/bicep/modules/virtual-network.bicep b/src/bicep/modules/virtual-network.bicep index afe38843d..cd2f38f1e 100644 --- a/src/bicep/modules/virtual-network.bicep +++ b/src/bicep/modules/virtual-network.bicep @@ -3,18 +3,12 @@ Copyright (c) Microsoft Corporation. Licensed under the MIT License. */ -param name string -param location string -param tags object = {} - param addressPrefix string -param vNetDnsServers array = [] -param logAnalyticsWorkspaceResourceId string -param logStorageAccountResourceId string +param location string +param name string param subnets array - -param logs array -param metrics array +param tags object +param vNetDnsServers array resource virtualNetwork 'Microsoft.Network/virtualNetworks@2021-02-01' = { name: name 
@@ -34,17 +28,6 @@ resource virtualNetwork 'Microsoft.Network/virtualNetworks@2021-02-01' = { } } -resource diagnostics 'Microsoft.Insights/diagnosticSettings@2017-05-01-preview' = { - scope: virtualNetwork - name: '${virtualNetwork.name}-diagnostics' - properties: { - storageAccountId: logStorageAccountResourceId - workspaceId: logAnalyticsWorkspaceResourceId - logs: logs - metrics: metrics - } -} - output name string = virtualNetwork.name output id string = virtualNetwork.id output subnets array = virtualNetwork.properties.subnets diff --git a/src/bicep/modules/windows-virtual-machine.bicep b/src/bicep/modules/windows-virtual-machine.bicep index a9a2fbfed..09a220438 100644 --- a/src/bicep/modules/windows-virtual-machine.bicep +++ b/src/bicep/modules/windows-virtual-machine.bicep 
@@ -3,46 +3,70 @@ Copyright (c) Microsoft Corporation. Licensed under the MIT License. */ -param name string -param location string -param tags object = {} - -param networkInterfaceName string - -param size string -param adminUsername string @secure() @minLength(12) param adminPassword string -param publisher string +param adminUsername string +param createOption string +param dataDisks array = [] +param diskEncryptionSetResourceId string +param diskName string +param hybridUseBenefit bool +param location string +param logAnalyticsWorkspaceId string +param name string +param networkInterfaceName string param offer string +param publisher string +param size string param sku string -param version string -param createOption string param storageAccountType string -param logAnalyticsWorkspaceId string -param availabilitySet object = {} -param dataDisks array = [] +param tags object = {} +param version string resource networkInterface 'Microsoft.Network/networkInterfaces@2021-02-01' existing = { name: networkInterfaceName } -resource windowsVirtualMachine 'Microsoft.Compute/virtualMachines@2021-04-01' = { +resource virtualMachine 'Microsoft.Compute/virtualMachines@2021-04-01' = { name: name location: location tags: tags - + identity: { + type: 'SystemAssigned' + } properties: { - availabilitySet: ((availabilitySet != {}) ? availabilitySet : null) + diagnosticsProfile: { + bootDiagnostics: { + enabled: false + } + } hardwareProfile: { vmSize: size } + networkProfile: { + networkInterfaces: [ + { + id: networkInterface.id + properties: { + deleteOption: 'Delete' + } + } + ] + } osProfile: { computerName: take(name, 15) adminUsername: adminUsername adminPassword: adminPassword } + securityProfile: { + uefiSettings: { + secureBootEnabled: true + vTpmEnabled: true + } + securityType: 'trustedLaunch' + encryptionAtHost: true + } storageProfile: { imageReference: { publisher: publisher 
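Review bot: `securityProfile` now hard-codes Trusted Launch (`secureBootEnabled`, `vTpmEnabled`) and `encryptionAtHost: true`, but nothing on the parameters tells a caller what that requires. Trusted Launch needs a Generation 2 image and encryption at host has to be enabled for the subscription before a VM can be deployed with it, so a caller passing an older `sku` or deploying to an unprepared subscription gets a deployment failure with no hint from the module. A description on the image parameter, for example `@description('Image SKU; must be a Generation 2 image because the VM is deployed with Trusted Launch')` on `param sku string`, and a similar note for encryption at host would document that. The hunk also removes the `availabilitySet` parameter and adds required parameters (`diskEncryptionSetResourceId`, `diskName`, `hybridUseBenefit`), which changes the module's interface for any caller outside this patch. The resource body continues past the end of this hunk.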
@@ -51,25 +75,53 @@ resource windowsVirtualMachine 'Microsoft.Compute/virtualMachines@2021-04-01' = version: version } osDisk: { + caching: 'ReadWrite' createOption: createOption + deleteOption: 'Delete' managedDisk: { + diskEncryptionSet: { + id: diskEncryptionSetResourceId + } storageAccountType: storageAccountType } + name: diskName + osType: 'Windows' } dataDisks: dataDisks } - networkProfile: { - networkInterfaces: [ - { - id: networkInterface.id + licenseType: hybridUseBenefit ? 'Windows_Server' : null + } +} + +resource guestAttestationExtension 'Microsoft.Compute/virtualMachines/extensions@2021-03-01' = { + parent: virtualMachine + name: 'GuestAttestation' + location: location + properties: { + publisher: 'Microsoft.Azure.Security.WindowsAttestation' + type: 'GuestAttestation' + typeHandlerVersion: '1.0' + autoUpgradeMinorVersion: true + settings: { + AttestationConfig: { + MaaSettings: { + maaEndpoint: '' + maaTenantName: 'GuestAttestation' } - ] + AscSettings: { + ascReportingEndpoint: '' + ascReportingFrequency: '' + } + useCustomToken: 'false' + disableAlerts: 'false' + } } } } resource dependencyAgent 'Microsoft.Compute/virtualMachines/extensions@2021-04-01' = { - name: '${windowsVirtualMachine.name}/DependencyAgentWindows' + parent: virtualMachine + name: 'DependencyAgentWindows' location: location properties: { publisher: 'Microsoft.Azure.Monitoring.DependencyAgent' @@ -80,7 +132,8 @@ resource dependencyAgent 'Microsoft.Compute/virtualMachines/extensions@2021-04-0 } resource policyExtension 'Microsoft.Compute/virtualMachines/extensions@2021-04-01' = { - name: '${windowsVirtualMachine.name}/AzurePolicyforWindows' + parent: virtualMachine + name: 'AzurePolicyforWindows' location: location properties: { publisher: 'Microsoft.GuestConfiguration' 
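Review bot: The new `guestAttestationExtension` is declared against `virtualMachines/extensions@2021-03-01` while the other extensions in this file use `@2021-04-01` (the same patch moves `networkWatcher` to that version), so `@2021-04-01` here would keep them aligned. The extension sets only `autoUpgradeMinorVersion: true`; if the attestation extension should follow new releases without a redeploy, `enableAutomaticUpgrade: true` is the property for that, and it is worth confirming it is supported for this extension type in the target cloud. The empty `maaEndpoint` and `ascReportingEndpoint` strings deserve a one-line comment stating that empty means the platform default, if that is the intent.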
@@ -92,7 +145,8 @@ resource policyExtension 'Microsoft.Compute/virtualMachines/extensions@2021-04-0 } resource mmaExtension 'Microsoft.Compute/virtualMachines/extensions@2021-04-01' = { - name: '${windowsVirtualMachine.name}/MMAExtension' + parent: virtualMachine + name: 'MMAExtension' location: location properties: { publisher: 'Microsoft.EnterpriseCloud.Monitoring' @@ -108,8 +162,9 @@ resource mmaExtension 'Microsoft.Compute/virtualMachines/extensions@2021-04-01' } } -resource networkWatcher 'Microsoft.Compute/virtualMachines/extensions@2020-06-01' = { - name: '${windowsVirtualMachine.name}/Microsoft.Azure.NetworkWatcher' +resource networkWatcher 'Microsoft.Compute/virtualMachines/extensions@2021-04-01' = { + parent: virtualMachine + name: 'Microsoft.Azure.NetworkWatcher' location: location properties: { publisher: 'Microsoft.Azure.NetworkWatcher' From 515db10d5b65f6a603c32cd5972273060aa345d3 Mon Sep 17 00:00:00 2001 From: Mike Dzikowski <34066455+mikedzikowski@users.noreply.github.com> Date: Mon, 22 Jan 2024 14:52:07 -0500 Subject: [PATCH 2/7] Update validate-build-bicep.yml (#818) Updating workflow validation bicep version to v0.24.24 --- .github/workflows/validate-build-bicep.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/validate-build-bicep.yml b/.github/workflows/validate-build-bicep.yml index c379fc621..eba376f51 100644 --- a/.github/workflows/validate-build-bicep.yml +++ b/.github/workflows/validate-build-bicep.yml @@ -10,7 +10,7 @@ on: - 'src/bicep/**' - '!src/bicep/**.md' env: - BICEP_VERSION: 'v0.10.61' + BICEP_VERSION: 'v0.24.24' jobs: validate-build: runs-on: ubuntu-latest @@ -28,4 +28,4 @@ jobs: git add src/bicep/mlz.json git commit -m "GitHub Action: Build Bicep to JSON" git push origin HEAD:"$GITHUB_HEAD_REF" - fi \ No newline at end of file + fi From 6d3c8440157e9b1216defac84fdf071489d9de4d Mon Sep 17 00:00:00 2001 
From: Jason Masten Date: Tue, 23 Jan 2024 13:10:34 -0500 Subject: [PATCH 3/7] Fixed version for OmsAgentForLinux (#821) --- src/bicep/mlz.json | 28 +++++++++---------- src/bicep/modules/linux-virtual-machine.bicep | 2 +- 2 files changed, 15 insertions(+), 15 deletions(-) diff --git a/src/bicep/mlz.json b/src/bicep/mlz.json index 594714dc7..ebac95a91 100644 --- a/src/bicep/mlz.json +++ b/src/bicep/mlz.json @@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.24.24.22086", - "templateHash": "14049943017147962936" + "templateHash": "6733078488232120276" } }, "parameters": { @@ -5376,7 +5376,7 @@ "_generator": { "name": "bicep", "version": "0.24.24.22086", - "templateHash": "5778706831016165290" + "templateHash": "3162099420723273910" } }, "parameters": { @@ -5811,7 +5811,7 @@ "_generator": { "name": "bicep", "version": "0.24.24.22086", - "templateHash": "13448922027561695966" + "templateHash": "8511457086563424614" } }, "parameters": { @@ -6017,7 +6017,7 @@ "properties": { "publisher": "Microsoft.EnterpriseCloud.Monitoring", "type": "OmsAgentForLinux", - "typeHandlerVersion": "1.13", + "typeHandlerVersion": "1.17", "settings": { "workspaceId": "[reference(parameters('logAnalyticsWorkspaceId'), '2015-11-01-preview').customerId]", "stopOnMultipleConnections": true @@ -8093,7 +8093,7 @@ "_generator": { "name": "bicep", "version": "0.24.24.22086", - "templateHash": "16693295535307781768" + "templateHash": "16012918268376848316" } }, "parameters": { 
@@ -8135,10 +8135,10 @@ } }, "variables": { - "$fxv#0": " {\r\n \"listOfMembersToExcludeFromWindowsVMAdministratorsGroup\": \r\n {\r\n \"value\": \"admin\"\r\n },\r\n \"listOfMembersToIncludeInWindowsVMAdministratorsGroup\": \r\n {\r\n \"value\": \"azureuser\"\r\n },\r\n \"logAnalyticsWorkspaceIdforVMReporting\": \r\n {\r\n \"value\": \"\"\r\n },\r\n \"IncludeArcMachines\": \r\n {\r\n \"value\": \"true\"\r\n },\r\n \"MinimumTLSVersion-5752e6d6-1206-46d8-8ab1-ecc2f71a8112\": \r\n {\r\n \"value\": \"1.2\"\r\n },\r\n \"NotAvailableMachineState-bed48b13-6647-468e-aa2f-1af1d3f4dd40\": \r\n {\r\n \"value\": \"Compliant\"\r\n },\r\n \"requiredRetentionDays\": \r\n {\r\n \"value\": \"365\"\r\n },\r\n \"resourceGroupName-b6e2945c-0b7b-40f5-9233-7a5323b5cdc6\": \r\n {\r\n \"value\": \"NetworkWatcherRG\"\r\n }\r\n }", - "$fxv#1": " {\r\n \"IncludeArcMachines\": \r\n {\r\n \"value\": \"true\"\r\n },\r\n \"MinimumTLSVersion-5752e6d6-1206-46d8-8ab1-ecc2f71a8112\": \r\n {\r\n \"value\": \"1.2\"\r\n },\r\n \"NotAvailableMachineState-bed48b13-6647-468e-aa2f-1af1d3f4dd40\": \r\n {\r\n \"value\": \"Compliant\"\r\n },\r\n \"requiredRetentionDays\": \r\n {\r\n \"value\": \"365\"\r\n },\r\n \"resourceGroupName-b6e2945c-0b7b-40f5-9233-7a5323b5cdc6\": \r\n {\r\n \"value\": \"NetworkWatcherRG\"\r\n }\r\n }", - "$fxv#2": "{\r\n \"IncludeArcMachines\" : { \r\n \"value\" : \"false\"\r\n },\r\n \"NotAvailableMachineState-bed48b13-6647-468e-aa2f-1af1d3f4dd40\" : { \r\n \"value\" : \"Compliant\"\r\n },\r\n \"MinimumTLSVersionForWindowsServers\" : { \r\n \"value\" : \"1.2\"\r\n },\r\n \"requiredRetentionDays\" : { \r\n \"value\" : \"365\"\r\n },\r\n \"effect-febd0533-8e55-448f-b837-bd0e06f16469\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"allowedContainerImagesRegex-febd0533-8e55-448f-b837-bd0e06f16469\" : { \r\n \"value\" : \"^(.+){0}$\"\r\n },\r\n \"effect-95edb821-ddaf-4404-9732-666045e056b4\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-440b515e-a580-421e-abeb-b159a61ddcbc\" : { \r\n 
\"value\" : \"audit\"\r\n },\r\n \"effect-233a2a17-77ca-4fb1-9b6b-69223d272a44\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-e345eecc-fa47-480f-9e88-67dcc122b164\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"cpuLimit-e345eecc-fa47-480f-9e88-67dcc122b164\" : { \r\n \"value\" : \"0\"\r\n },\r\n \"memoryLimit-e345eecc-fa47-480f-9e88-67dcc122b164\" : { \r\n \"value\" : \"0\"\r\n },\r\n \"effect-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"runAsUserRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \r\n \"value\" : \"MustRunAsNonRoot\"\r\n },\r\n \"runAsGroupRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \r\n \"value\" : \"RunAsAny\"\r\n },\r\n \"supplementalGroupsRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \r\n \"value\" : \"RunAsAny\"\r\n },\r\n \"fsGroupRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \r\n \"value\" : \"RunAsAny\"\r\n },\r\n \"effect-1c6e92c9-99f0-4e55-9cf2-0c234dc48f99\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-df49d893-a74c-421d-bc95-c663042e5b80\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-c26596ff-4d70-4e6a-9a30-c2506bd2f80c\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-511f5417-5d12-434d-ab2e-816901e72a5e\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-82985f06-dc18-4a48-bc1c-b9f4f0098cfe\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-098fc59e-46c7-4d99-9b16-64990e543d75\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"NetworkWatcherResourceGroupName\" : { \r\n \"value\" : \"NetworkWatcherRG\"\r\n },\r\n \"setting-a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9\" : { \r\n \"value\" : \"enabled\"\r\n },\r\n \"aadAuthenticationInServiceFabricMonitoringEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-71ef260a-8f18-47b7-abcb-62d0673d94dc\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n 
\"effect-055aa869-bc98-4af8-bafc-23f1ab6ffe2c\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-564feb30-bf6a-4854-b4bb-0d2d2d1e6c66\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-d9da03a1-f3c3-412a-9709-947156872263\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-617c02be-7f02-4efd-8836-3180d47b6c68\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-ec068d99-e9c7-401f-8cef-5bdde4e6ccf1\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-c349d81b-9985-44ae-a8da-ff98d108ede8\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-3657f5a0-770e-44a3-b44e-9431ba1e9735\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-b4ac1030-89c5-4697-8e00-28b5ba6a8811\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-ea0dfaed-95fb-448c-934e-d6e713ce393d\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-4733ea7b-a883-42fe-8cac-97454c2a9e4a\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-f4b53539-8df9-40e4-86c6-6b607703bd4e\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-41425d9f-d1a5-499a-9932-f8ed8453932c\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-fc4d8e41-e223-45ea-9bf5-eada37891d87\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-86efb160-8de7-451d-bc08-5d475b0aadae\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-4ec52d6d-beb7-40c4-9a9e-fe753254690e\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-64d314f6-6062-4780-a861-c23e8951bee5\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-1fd32ebd-e4c3-4e13-a54a-d7422d4d95f6\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-fa298e57-9444-42ba-bf04-86e8470e32c7\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-67121cc7-ff39-4ab8-b7e3-95b84dab487d\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n 
\"effect-1f905d99-2ab7-462c-a6b0-f709acca6c8f\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-ba769a63-b8cc-4b2d-abf6-ac33c7204be8\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-81e74cea-30fd-40d5-802f-d72103c2aaaa\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-0aa61e00-0a01-4a3c-9945-e93cffedf0e6\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-47031206-ce96-41f8-861b-6a915f3de284\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-87ba29ef-1ab3-4d82-b763-87fcd4f531f7\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-51522a96-0869-4791-82f3-981000c2c67f\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-b5ec538c-daa0-4006-8596-35468b9148e8\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-56a5ee18-2ae6-4810-86f7-18e39ce5629b\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-2e94d99a-8a36-4563-bc77-810d8893b671\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-1fafeaf6-7927-4059-a50a-8eb2a7a6f2b5\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-99e9ccd8-3db9-4592-b0d1-14b1715a4d8a\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-1f68a601-6e6d-4e42-babf-3f643a047ea2\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-f7d52b2d-e161-4dfa-a82b-55e564167385\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-7d7be79c-23ba-4033-84dd-45e2a5ccdd67\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-ca91455f-eace-4f96-be59-e6e2c35b4816\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-702dd420-7fcc-42c5-afe8-4026edd20fe0\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"diagnosticsLogsInRedisCacheMonitoringEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"secureTransferToStorageAccountMonitoringEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-d0793b48-0edc-4296-a390-4c75d1bdfd71\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-7d092e0a-7acd-40d2-a975-dca21cae48c4\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n 
\"effect-2a1a9cdf-e04d-429a-8416-3bfb72a1b26f\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"disableUnrestrictedNetworkToStorageAccountMonitoringEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-55615ac9-af46-4a59-874e-391cc3dfb490\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-1b8ca024-1d5c-4dec-8995-b1a932b41780\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-037eea7a-bd0a-46c5-9a66-03aea78705d3\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-53503636-bcc9-4748-9663-5348217f160f\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-40cec1dd-a100-4920-b15b-3024fe8901ab\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-0725b4dd-7e76-479c-a735-68e7ee23d5ca\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-a049bf77-880b-470f-ba6d-9f21c530cf83\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-ee980b6d-0eca-4501-8d54-f6290fd512c3\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-1d84d5fb-01f6-4d12-ba4f-4a26081d403d\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-37e0d2fe-28a5-43d6-a273-67d37d1f5606\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"identityDesignateMoreThanOneOwnerMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"diskEncryptionMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"emailNotificationToSubscriptionOwnerHighSeverityAlertsEnabledEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"functionAppDisableRemoteDebuggingMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"sqlDbEncryptionMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"vulnerabilityAssessmentOnManagedInstanceMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"ensurePHPVersionLatestForAPIAppEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"aadAuthenticationInSqlServerMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"vmssEndpointProtectionMonitoringEffect\" : { \r\n \"value\" : 
\"AuditIfNotExists\"\r\n },\r\n \"vmssOsVulnerabilitiesMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"adaptiveApplicationControlsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"geoRedundantBackupShouldBeEnabledForAzureDatabaseForPostgreSQLEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"ensureJavaVersionLatestForWebAppEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"identityDesignateLessThanOwnersMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"securityContactEmailAddressForSubscriptionEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"webAppRestrictCORSAccessMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"identityRemoveExternalAccountWithWritePermissionsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"identityRemoveExternalAccountWithReadPermissionsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"identityRemoveDeprecatedAccountMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"functionAppEnforceHttpsMonitoringEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"ensurePythonVersionLatestForWebAppEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"ensurePythonVersionLatestForFunctionAppEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"ensurePHPVersionLatestForWebAppEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"ensurePythonVersionLatestForAPIAppEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"geoRedundantBackupShouldBeEnabledForAzureDatabaseForMySQLEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"systemUpdatesMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"ensureJavaVersionLatestForAPIAppEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"ensureHTTPVersionLatestForWebAppEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n 
\"apiAppRequireLatestTlsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"identityEnableMFAForWritePermissionsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"ensureHTTPVersionLatestForAPIAppEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"ensureJavaVersionLatestForFunctionAppEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"nextGenerationFirewallMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"useRbacRulesMonitoringEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"webAppEnforceHttpsMonitoringEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"sqlServerAuditingMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"vnetEnableDDoSProtectionMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"identityEnableMFAForOwnerPermissionsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"sqlServerAdvancedDataSecurityMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"sqlManagedInstanceAdvancedDataSecurityMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"endpointProtectionMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"jitNetworkAccessMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"apiAppEnforceHttpsMonitoringEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"geoRedundantStorageShouldBeEnabledForStorageAccountsEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"vmssSystemUpdatesMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"webAppDisableRemoteDebuggingMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"longtermGeoRedundantBackupEnabledAzureSQLDatabasesEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"systemConfigurationsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"ensureHTTPVersionLatestForFunctionAppEffect\" : { \r\n 
\"value\" : \"AuditIfNotExists\"\r\n },\r\n \"identityEnableMFAForReadPermissionsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"containerBenchmarkMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"apiAppDisableRemoteDebuggingMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"vulnerabilityAssessmentOnServerMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"webAppRequireLatestTlsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"identityRemoveExternalAccountWithOwnerPermissionsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"functionAppRequireLatestTlsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"kubernetesServiceVersionUpToDateMonitoringEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"sqlDbVulnerabilityAssesmentMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"membersToIncludeInLocalAdministratorsGroup\" : { \r\n \"value\" : \"\"\r\n },\r\n \"membersToExcludeInLocalAdministratorsGroup\" : { \r\n \"value\" : \"\"\r\n },\r\n \"logAnalyticsWorkspaceIDForVMAgents\" : { \r\n \"value\" : \"\"\r\n },\r\n \"PHPLatestVersionForAppServices\" : { \r\n \"value\" : \"7.4\"\r\n },\r\n \"JavaLatestVersionForAppServices\" : { \r\n \"value\" : \"11\"\r\n },\r\n \"WindowsPythonLatestVersionForAppServices\" : { \r\n \"value\" : \"3.6\"\r\n },\r\n \"LinuxPythonLatestVersionForAppServices\" : { \r\n \"value\" : \"3.9\"\r\n },\r\n \"ensureDotNetFrameworkLatestForFunctionAppEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"sqlManagedInstanceAdvancedDataSecurityEmailsMonitoringEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"vulnerabilityAssessmentMonitoringEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"ensureDotNetFrameworkLatestForWebAppEffect\" : 
{ \r\n \"value\" : \"Disabled\"\r\n },\r\n \"sqlServerAdvancedDataSecurityEmailsMonitoringEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"microsoftIaaSAntimalwareExtensionShouldBeDeployedOnWindowsServersEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"securityCenterStandardPricingTierShouldBeSelectedEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"theLogAnalyticsAgentShouldBeInstalledOnVirtualMachinesEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"ensurePHPVersionLatestForFunctionAppEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"sqlManagedInstanceAdvancedDataSecurityEmailAdminsMonitoringEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"securityContactPhoneNumberShouldBeProvidedForSubscriptionEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"threatDetectionTypesOnManagedInstanceMonitoringEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"ensureDotNetFrameworkLatestForAPIAppEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"sqlServerAdvancedDataSecurityEmailAdminsMonitoringEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"threatDetectionTypesOnServerMonitoringEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"theLogAnalyticsAgentShouldBeInstalledOnVirtualMachineScaleSetsEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n }\r\n}", - "$fxv#3": "{\r\n \"logAnalyticsWorkspaceId-f47b5582-33ec-4c5c-87c0-b010a6b2e917\" : { \r\n \"value\" : \"\"\r\n },\r\n \"effect-09024ccc-0c5f-475e-9457-b7c0d9ed487b\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"MembersToExclude-69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f\" :{\r\n \"value\": \"\"\r\n },\r\n \"MembersToInclude-30f71ea1-ac77-4f26-9fc5-2d926bbd4ba7\": {\r\n \"value\": \"\"\r\n },\r\n \"effect-0961003e-5a0a-4549-abde-af6a37f2724d\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-0b15565f-aa9e-48ba-8619-45960f2c314d\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-0e60b895-3786-45da-8377-9c6b4b6ac5f9\" : { \r\n \"value\" : 
\"AuditIfNotExists\"\r\n },\r\n \"effect-17k78e20-9358-41c9-923c-fb736d382a12\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"PHPLatestVersion\" : { \r\n \"value\" : \"7.3\"\r\n },\r\n \"effect-22bee202-a82f-4305-9a2a-6d7f44d4dedb\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-26a828e1-e88f-464e-bbb3-c134a282b9de\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-34c877ad-507e-4c82-993e-3452a6e0ad3c\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-404c3081-a854-4457-ae30-26a93ef643f9\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-47a6b606-51aa-4496-8bb7-64b11cf66adc\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-496223c3-ad65-4ecd-878a-bae78737e9ed\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"JavaLatestVersion\" : { \r\n \"value\" : \"11\"\r\n },\r\n \"effect-4f11b553-d42e-4e3a-89be-32ca364cad4c\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-5c607a2e-c700-4744-8254-d77e7c9eb5e4\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-5f76cf89-fbf2-47fd-a3f4-b891fa780b60\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-6b1cbf55-e8b6-442f-ba4c-7246b6381474\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-7008174a-fd10-4ef0-817e-fc820a951d73\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"LinuxPythonLatestVersion\" : { \r\n \"value\" : \"3.8\"\r\n },\r\n \"effect-7238174a-fd10-4ef0-817e-fc820a951d73\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-7261b898-8a84-4db8-9e04-18527132abb3\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n 
\"effect-74c3584d-afae-46f7-a20a-6f8adba71a16\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-86b3d65f-7626-441e-b690-81a8b71cff60\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-88999f4c-376a-45c8-bcb3-4058f713cf39\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-8c122334-9d20-4eb8-89ea-ac9a705b74ae\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-9297c21d-2ed6-4474-b48f-163f75654ce3\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-991310cd-e9f3-47bc-b7b6-f57b557d07db\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-9b597639-28e4-48eb-b506-56b05d366257\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-9daedab3-fb2d-461e-b861-71790eead4f6\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-a4af4a39-4135-47fb-b175-47fbdf85311d\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"setting-a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9\" : { \r\n \"value\" : \"enabled\"\r\n },\r\n \"effect-a70ca396-0a34-413a-88e1-b956c1e683be\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-aa633080-8b72-40c4-a2d7-d00c03e80bed\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-af6cd1bd-1635-48cb-bde7-5b15693900b9\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"resourceGroupName-b6e2945c-0b7b-40f5-9233-7a5323b5cdc6\" : { \r\n \"value\" : \"NetworkWatcherRG\"\r\n },\r\n \"effect-b7ddfbdc-1260-477d-91fd-98bd9be789a6\" : { \r\n \"value\" : \"Audit\"\r\n 
},\r\n \"effect-c3f317a7-a95c-4547-b7e7-11017ebdf2fe\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-cb510bfd-1cba-4d9f-a230-cb0976f4bb71\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-e2c1c086-2d84-4019-bff3-c44ccd95113c\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-e3576e28-8b17-4677-84c3-db2990658d64\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-e8cbc669-f12d-49eb-93e7-9273119e9933\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-e9c8d085-d9cc-4b17-9cdc-059f1f01f19e\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-ebb62a0c-3560-49e1-89ed-27e074e9f8ad\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-efbde977-ba53-4479-b8e9-10b957924fbf\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-f6de0be7-9a8a-4b8a-b349-43cf02d22f7c\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-f8456c1c-aa66-4dfb-861a-25d127b775c9\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-f9d614c5-c173-4d56-95a7-b4437057d193\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-fb893a29-21bb-418c-a157-e99480ec364c\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-feedbf84-6b99-488c-acc2-71c829aa5ffc\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-3b980d31-7904-4bb7-8575-5665739a8052\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-6e2593d9-add6-4083-9c9b-4b7d2188c899\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-12430be1-6cc8-4527-a9a8-e3d38f250096\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"modeRequirement-12430be1-6cc8-4527-a9a8-e3d38f250096\" : { \r\n \"value\" : \"Detection\"\r\n 
},\r\n \"effect-425bea59-a659-4cbb-8d31-34499bd030b8\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"modeRequirement-425bea59-a659-4cbb-8d31-34499bd030b8\" : { \r\n \"value\" : \"Detection\"\r\n },\r\n \"effect-564feb30-bf6a-4854-b4bb-0d2d2d1e6c66\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-055aa869-bc98-4af8-bafc-23f1ab6ffe2c\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-013e242c-8828-4970-87b3-ab247555486d\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-d38fc420-0735-4ef3-ac11-c806f651a570\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-a1181c5f-672a-477a-979a-7d58aa086233\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-308fbb08-4ab8-4e67-9b29-592e93fb94fa\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-4da35fc9-c9e7-4960-aec9-797fe7d9051d\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-523b5cd1-3e23-492f-a539-13118b6d1e3a\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-7fe3b40f-802b-4cdd-8bd4-fd799c948cc2\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-c25d9a16-bc35-4e15-a7e5-9db606bf9ed4\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-b0f33259-77d7-4c9e-aac6-3aabcfae693c\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-037eea7a-bd0a-46c5-9a66-03aea78705d3\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-0725b4dd-7e76-479c-a735-68e7ee23d5ca\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-0820b7b9-23aa-4725-a1ce-ae4558f718e5\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-2c89a2e5-7285-40fe-afe0-ae8654b92fab\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-358c20a6-3f9e-4f0e-97ff-c6ce485e2aac\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-5744710e-cc2f-4ee8-8809-3b11e89f4bc9\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-ac4a19c2-fa67-49b4-8ae5-0b2e78c49457\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-c9d007d0-c057-4772-b18c-01e546713bcd\" : { \r\n 
\"value\" : \"Audit\"\r\n },\r\n \"effect-d0793b48-0edc-4296-a390-4c75d1bdfd71\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-e372f825-a257-4fb8-9175-797a8a8627d6\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-d158790f-bfb0-486c-8631-2dc6b4e8e6af\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-e802a67a-daf5-4436-9ea6-f6d821dd0c5d\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-a451c1ef-c6ca-483d-87ed-f49761e3ffb5\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftSql-servers-firewallRules-delete\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftNetwork-networkSecurityGroups-delete\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftClassicNetwork-networkSecurityGroups-delete\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftNetwork-networkSecurityGroups-securityRules-delete\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftClassicNetwork-networkSecurityGroups-securityRules-delete\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-ae89ebca-1c92-4898-ac2c-9f63decb045c\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-d26f7642-7545-4e18-9b75-8c9bbdee3a9a\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-1a4e592a-6a6e-44a5-9814-e36264ca96e7\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-7796937f-307b-4598-941c-67d3a05ebfe7\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-c5447c04-a4d7-4ba8-a263-c9ee321a6858\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-41388f1c-2db0-4c25-95b2-35d7f5ccbfa9\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-b02aacc0-b073-424e-8298-42b22829ee0a\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n 
\"effect-057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-0ec47710-77ff-4a3d-9181-6aa50af424d0\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-48af4db5-9b8b-401c-8e74-076be876a430\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-82339799-d096-41ae-8538-b108becf0970\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-1b7aa243-30e4-4c9e-bca8-d0d3022b634a\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-bb91dfba-c30d-4263-9add-9c2384e659a6\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-e71308d3-144b-4262-b144-efdc3cc90517\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-2bdd0062-9d75-436e-89df-487dd8e4b3c7\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"effect-4733ea7b-a883-42fe-8cac-97454c2a9e4a\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-67121cc7-ff39-4ab8-b7e3-95b84dab487d\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-6fac406b-40ca-413b-bf8e-0bf964659c25\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-81e74cea-30fd-40d5-802f-d72103c2aaaa\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-c349d81b-9985-44ae-a8da-ff98d108ede8\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-f4b53539-8df9-40e4-86c6-6b607703bd4e\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-ec068d99-e9c7-401f-8cef-5bdde4e6ccf1\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-048248b0-55cd-46da-b1ff-39efd52db260\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-0d134df8-db83-46fb-ad72-fe0c9428c8dd\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-2c89a2e5-7285-40fe-afe0-ae8654b92fb2\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-3657f5a0-770e-44a3-b44e-9431ba1e9735\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n 
\"effect-617c02be-7f02-4efd-8836-3180d47b6c68\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-7d7be79c-23ba-4033-84dd-45e2a5ccdd67\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-87ba29ef-1ab3-4d82-b763-87fcd4f531f7\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-f7d52b2d-e161-4dfa-a82b-55e564167385\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-c43e4a30-77cb-48ab-a4dd-93f175c63b57\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-1f314764-cb73-4fc9-b863-8eca98ac36e9\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-123a3936-f020-408a-ba0c-47873faf1534\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n }\r\n}\r\n", + "$fxv#0": " {\n \"listOfMembersToExcludeFromWindowsVMAdministratorsGroup\": \n {\n \"value\": \"admin\"\n },\n \"listOfMembersToIncludeInWindowsVMAdministratorsGroup\": \n {\n \"value\": \"azureuser\"\n },\n \"logAnalyticsWorkspaceIdforVMReporting\": \n {\n \"value\": \"\"\n },\n \"IncludeArcMachines\": \n {\n \"value\": \"true\"\n },\n \"MinimumTLSVersion-5752e6d6-1206-46d8-8ab1-ecc2f71a8112\": \n {\n \"value\": \"1.2\"\n },\n \"NotAvailableMachineState-bed48b13-6647-468e-aa2f-1af1d3f4dd40\": \n {\n \"value\": \"Compliant\"\n },\n \"requiredRetentionDays\": \n {\n \"value\": \"365\"\n },\n \"resourceGroupName-b6e2945c-0b7b-40f5-9233-7a5323b5cdc6\": \n {\n \"value\": \"NetworkWatcherRG\"\n }\n }", + "$fxv#1": " {\n \"IncludeArcMachines\": \n {\n \"value\": \"true\"\n },\n \"MinimumTLSVersion-5752e6d6-1206-46d8-8ab1-ecc2f71a8112\": \n {\n \"value\": \"1.2\"\n },\n \"NotAvailableMachineState-bed48b13-6647-468e-aa2f-1af1d3f4dd40\": \n {\n \"value\": \"Compliant\"\n },\n \"requiredRetentionDays\": \n {\n \"value\": \"365\"\n },\n \"resourceGroupName-b6e2945c-0b7b-40f5-9233-7a5323b5cdc6\": \n {\n \"value\": \"NetworkWatcherRG\"\n }\n 
}", + "$fxv#2": "{\n \"IncludeArcMachines\" : { \n \"value\" : \"false\"\n },\n \"NotAvailableMachineState-bed48b13-6647-468e-aa2f-1af1d3f4dd40\" : { \n \"value\" : \"Compliant\"\n },\n \"MinimumTLSVersionForWindowsServers\" : { \n \"value\" : \"1.2\"\n },\n \"requiredRetentionDays\" : { \n \"value\" : \"365\"\n },\n \"effect-febd0533-8e55-448f-b837-bd0e06f16469\" : { \n \"value\" : \"audit\"\n },\n \"allowedContainerImagesRegex-febd0533-8e55-448f-b837-bd0e06f16469\" : { \n \"value\" : \"^(.+){0}$\"\n },\n \"effect-95edb821-ddaf-4404-9732-666045e056b4\" : { \n \"value\" : \"audit\"\n },\n \"effect-440b515e-a580-421e-abeb-b159a61ddcbc\" : { \n \"value\" : \"audit\"\n },\n \"effect-233a2a17-77ca-4fb1-9b6b-69223d272a44\" : { \n \"value\" : \"audit\"\n },\n \"effect-e345eecc-fa47-480f-9e88-67dcc122b164\" : { \n \"value\" : \"audit\"\n },\n \"cpuLimit-e345eecc-fa47-480f-9e88-67dcc122b164\" : { \n \"value\" : \"0\"\n },\n \"memoryLimit-e345eecc-fa47-480f-9e88-67dcc122b164\" : { \n \"value\" : \"0\"\n },\n \"effect-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \n \"value\" : \"audit\"\n },\n \"runAsUserRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \n \"value\" : \"MustRunAsNonRoot\"\n },\n \"runAsGroupRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \n \"value\" : \"RunAsAny\"\n },\n \"supplementalGroupsRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \n \"value\" : \"RunAsAny\"\n },\n \"fsGroupRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \n \"value\" : \"RunAsAny\"\n },\n \"effect-1c6e92c9-99f0-4e55-9cf2-0c234dc48f99\" : { \n \"value\" : \"audit\"\n },\n \"effect-47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8\" : { \n \"value\" : \"audit\"\n },\n \"effect-df49d893-a74c-421d-bc95-c663042e5b80\" : { \n \"value\" : \"audit\"\n },\n \"effect-1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\" : { \n \"value\" : \"audit\"\n },\n \"effect-c26596ff-4d70-4e6a-9a30-c2506bd2f80c\" : { \n \"value\" : \"audit\"\n },\n \"effect-511f5417-5d12-434d-ab2e-816901e72a5e\" : { \n \"value\" : \"audit\"\n },\n 
\"effect-82985f06-dc18-4a48-bc1c-b9f4f0098cfe\" : { \n \"value\" : \"audit\"\n },\n \"effect-098fc59e-46c7-4d99-9b16-64990e543d75\" : { \n \"value\" : \"audit\"\n },\n \"NetworkWatcherResourceGroupName\" : { \n \"value\" : \"NetworkWatcherRG\"\n },\n \"setting-a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9\" : { \n \"value\" : \"enabled\"\n },\n \"aadAuthenticationInServiceFabricMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"effect-71ef260a-8f18-47b7-abcb-62d0673d94dc\" : { \n \"value\" : \"Audit\"\n },\n \"effect-055aa869-bc98-4af8-bafc-23f1ab6ffe2c\" : { \n \"value\" : \"Audit\"\n },\n \"effect-564feb30-bf6a-4854-b4bb-0d2d2d1e6c66\" : { \n \"value\" : \"Audit\"\n },\n \"effect-862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb\" : { \n \"value\" : \"Audit\"\n },\n \"effect-d9da03a1-f3c3-412a-9709-947156872263\" : { \n \"value\" : \"Audit\"\n },\n \"effect-617c02be-7f02-4efd-8836-3180d47b6c68\" : { \n \"value\" : \"Audit\"\n },\n \"effect-0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d\" : { \n \"value\" : \"Audit\"\n },\n \"effect-ec068d99-e9c7-401f-8cef-5bdde4e6ccf1\" : { \n \"value\" : \"Audit\"\n },\n \"effect-c349d81b-9985-44ae-a8da-ff98d108ede8\" : { \n \"value\" : \"Audit\"\n },\n \"effect-3657f5a0-770e-44a3-b44e-9431ba1e9735\" : { \n \"value\" : \"Audit\"\n },\n \"effect-b4ac1030-89c5-4697-8e00-28b5ba6a8811\" : { \n \"value\" : \"audit\"\n },\n \"effect-ea0dfaed-95fb-448c-934e-d6e713ce393d\" : { \n \"value\" : \"audit\"\n },\n \"effect-4733ea7b-a883-42fe-8cac-97454c2a9e4a\" : { \n \"value\" : \"Audit\"\n },\n \"effect-f4b53539-8df9-40e4-86c6-6b607703bd4e\" : { \n \"value\" : \"Audit\"\n },\n \"effect-41425d9f-d1a5-499a-9932-f8ed8453932c\" : { \n \"value\" : \"Audit\"\n },\n \"effect-fc4d8e41-e223-45ea-9bf5-eada37891d87\" : { \n \"value\" : \"Audit\"\n },\n \"effect-86efb160-8de7-451d-bc08-5d475b0aadae\" : { \n \"value\" : \"Audit\"\n },\n \"effect-4ec52d6d-beb7-40c4-9a9e-fe753254690e\" : { \n 
\"value\" : \"Audit\"\n },\n \"effect-64d314f6-6062-4780-a861-c23e8951bee5\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1fd32ebd-e4c3-4e13-a54a-d7422d4d95f6\" : { \n \"value\" : \"Audit\"\n },\n \"effect-fa298e57-9444-42ba-bf04-86e8470e32c7\" : { \n \"value\" : \"audit\"\n },\n \"effect-67121cc7-ff39-4ab8-b7e3-95b84dab487d\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1f905d99-2ab7-462c-a6b0-f709acca6c8f\" : { \n \"value\" : \"audit\"\n },\n \"effect-5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\" : { \n \"value\" : \"Audit\"\n },\n \"effect-ba769a63-b8cc-4b2d-abf6-ac33c7204be8\" : { \n \"value\" : \"Audit\"\n },\n \"effect-81e74cea-30fd-40d5-802f-d72103c2aaaa\" : { \n \"value\" : \"Audit\"\n },\n \"effect-0aa61e00-0a01-4a3c-9945-e93cffedf0e6\" : { \n \"value\" : \"Audit\"\n },\n \"effect-47031206-ce96-41f8-861b-6a915f3de284\" : { \n \"value\" : \"Audit\"\n },\n \"effect-87ba29ef-1ab3-4d82-b763-87fcd4f531f7\" : { \n \"value\" : \"audit\"\n },\n \"effect-51522a96-0869-4791-82f3-981000c2c67f\" : { \n \"value\" : \"audit\"\n },\n \"effect-b5ec538c-daa0-4006-8596-35468b9148e8\" : { \n \"value\" : \"Audit\"\n },\n \"effect-56a5ee18-2ae6-4810-86f7-18e39ce5629b\" : { \n \"value\" : \"Audit\"\n },\n \"effect-2e94d99a-8a36-4563-bc77-810d8893b671\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1fafeaf6-7927-4059-a50a-8eb2a7a6f2b5\" : { \n \"value\" : \"Audit\"\n },\n \"effect-99e9ccd8-3db9-4592-b0d1-14b1715a4d8a\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1f68a601-6e6d-4e42-babf-3f643a047ea2\" : { \n \"value\" : \"audit\"\n },\n \"effect-f7d52b2d-e161-4dfa-a82b-55e564167385\" : { \n \"value\" : \"Audit\"\n },\n \"effect-7d7be79c-23ba-4033-84dd-45e2a5ccdd67\" : { \n \"value\" : \"Audit\"\n },\n \"effect-ca91455f-eace-4f96-be59-e6e2c35b4816\" : { \n \"value\" : \"Audit\"\n },\n \"effect-702dd420-7fcc-42c5-afe8-4026edd20fe0\" : { \n \"value\" : \"Audit\"\n },\n \"diagnosticsLogsInRedisCacheMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n 
\"secureTransferToStorageAccountMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"effect-d0793b48-0edc-4296-a390-4c75d1bdfd71\" : { \n \"value\" : \"Audit\"\n },\n \"effect-7d092e0a-7acd-40d2-a975-dca21cae48c4\" : { \n \"value\" : \"Audit\"\n },\n \"effect-2a1a9cdf-e04d-429a-8416-3bfb72a1b26f\" : { \n \"value\" : \"Audit\"\n },\n \"disableUnrestrictedNetworkToStorageAccountMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"effect-55615ac9-af46-4a59-874e-391cc3dfb490\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1b8ca024-1d5c-4dec-8995-b1a932b41780\" : { \n \"value\" : \"Audit\"\n },\n \"effect-037eea7a-bd0a-46c5-9a66-03aea78705d3\" : { \n \"value\" : \"Audit\"\n },\n \"effect-53503636-bcc9-4748-9663-5348217f160f\" : { \n \"value\" : \"Audit\"\n },\n \"effect-40cec1dd-a100-4920-b15b-3024fe8901ab\" : { \n \"value\" : \"Audit\"\n },\n \"effect-0725b4dd-7e76-479c-a735-68e7ee23d5ca\" : { \n \"value\" : \"Audit\"\n },\n \"effect-a049bf77-880b-470f-ba6d-9f21c530cf83\" : { \n \"value\" : \"Audit\"\n },\n \"effect-ee980b6d-0eca-4501-8d54-f6290fd512c3\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1d84d5fb-01f6-4d12-ba4f-4a26081d403d\" : { \n \"value\" : \"Audit\"\n },\n \"effect-37e0d2fe-28a5-43d6-a273-67d37d1f5606\" : { \n \"value\" : \"Audit\"\n },\n \"identityDesignateMoreThanOneOwnerMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"diskEncryptionMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"emailNotificationToSubscriptionOwnerHighSeverityAlertsEnabledEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"functionAppDisableRemoteDebuggingMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"sqlDbEncryptionMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"vulnerabilityAssessmentOnManagedInstanceMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensurePHPVersionLatestForAPIAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n 
\"aadAuthenticationInSqlServerMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"vmssEndpointProtectionMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"vmssOsVulnerabilitiesMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"adaptiveApplicationControlsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"geoRedundantBackupShouldBeEnabledForAzureDatabaseForPostgreSQLEffect\" : { \n \"value\" : \"Audit\"\n },\n \"ensureJavaVersionLatestForWebAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityDesignateLessThanOwnersMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"securityContactEmailAddressForSubscriptionEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"webAppRestrictCORSAccessMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityRemoveExternalAccountWithWritePermissionsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityRemoveExternalAccountWithReadPermissionsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityRemoveDeprecatedAccountMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"functionAppEnforceHttpsMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"ensurePythonVersionLatestForWebAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensurePythonVersionLatestForFunctionAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensurePHPVersionLatestForWebAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensurePythonVersionLatestForAPIAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"geoRedundantBackupShouldBeEnabledForAzureDatabaseForMySQLEffect\" : { \n \"value\" : \"Audit\"\n },\n \"systemUpdatesMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensureJavaVersionLatestForAPIAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensureHTTPVersionLatestForWebAppEffect\" : { \n \"value\" : 
\"AuditIfNotExists\"\n },\n \"apiAppRequireLatestTlsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityEnableMFAForWritePermissionsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensureHTTPVersionLatestForAPIAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensureJavaVersionLatestForFunctionAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"nextGenerationFirewallMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"useRbacRulesMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"webAppEnforceHttpsMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"sqlServerAuditingMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"vnetEnableDDoSProtectionMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityEnableMFAForOwnerPermissionsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"sqlServerAdvancedDataSecurityMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"sqlManagedInstanceAdvancedDataSecurityMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"endpointProtectionMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"jitNetworkAccessMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"apiAppEnforceHttpsMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"geoRedundantStorageShouldBeEnabledForStorageAccountsEffect\" : { \n \"value\" : \"Audit\"\n },\n \"vmssSystemUpdatesMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"webAppDisableRemoteDebuggingMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"longtermGeoRedundantBackupEnabledAzureSQLDatabasesEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"systemConfigurationsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensureHTTPVersionLatestForFunctionAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityEnableMFAForReadPermissionsMonitoringEffect\" : 
{ \n \"value\" : \"AuditIfNotExists\"\n },\n \"containerBenchmarkMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"apiAppDisableRemoteDebuggingMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"vulnerabilityAssessmentOnServerMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"webAppRequireLatestTlsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityRemoveExternalAccountWithOwnerPermissionsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"functionAppRequireLatestTlsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"kubernetesServiceVersionUpToDateMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"sqlDbVulnerabilityAssesmentMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"membersToIncludeInLocalAdministratorsGroup\" : { \n \"value\" : \"\"\n },\n \"membersToExcludeInLocalAdministratorsGroup\" : { \n \"value\" : \"\"\n },\n \"logAnalyticsWorkspaceIDForVMAgents\" : { \n \"value\" : \"\"\n },\n \"PHPLatestVersionForAppServices\" : { \n \"value\" : \"7.4\"\n },\n \"JavaLatestVersionForAppServices\" : { \n \"value\" : \"11\"\n },\n \"WindowsPythonLatestVersionForAppServices\" : { \n \"value\" : \"3.6\"\n },\n \"LinuxPythonLatestVersionForAppServices\" : { \n \"value\" : \"3.9\"\n },\n \"ensureDotNetFrameworkLatestForFunctionAppEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"sqlManagedInstanceAdvancedDataSecurityEmailsMonitoringEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"vulnerabilityAssessmentMonitoringEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"ensureDotNetFrameworkLatestForWebAppEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"sqlServerAdvancedDataSecurityEmailsMonitoringEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"microsoftIaaSAntimalwareExtensionShouldBeDeployedOnWindowsServersEffect\" : { \n 
\"value\" : \"Disabled\"\n },\n \"securityCenterStandardPricingTierShouldBeSelectedEffect\" : { \n \"value\" : \"Audit\"\n },\n \"theLogAnalyticsAgentShouldBeInstalledOnVirtualMachinesEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"ensurePHPVersionLatestForFunctionAppEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"sqlManagedInstanceAdvancedDataSecurityEmailAdminsMonitoringEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"securityContactPhoneNumberShouldBeProvidedForSubscriptionEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"threatDetectionTypesOnManagedInstanceMonitoringEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"ensureDotNetFrameworkLatestForAPIAppEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"sqlServerAdvancedDataSecurityEmailAdminsMonitoringEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"threatDetectionTypesOnServerMonitoringEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"theLogAnalyticsAgentShouldBeInstalledOnVirtualMachineScaleSetsEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n }\n}", + "$fxv#3": "{\n \"logAnalyticsWorkspaceId-f47b5582-33ec-4c5c-87c0-b010a6b2e917\" : { \n \"value\" : \"\"\n },\n \"effect-09024ccc-0c5f-475e-9457-b7c0d9ed487b\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"MembersToExclude-69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f\" :{\n \"value\": \"\"\n },\n \"MembersToInclude-30f71ea1-ac77-4f26-9fc5-2d926bbd4ba7\": {\n \"value\": \"\"\n },\n \"effect-0961003e-5a0a-4549-abde-af6a37f2724d\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-0b15565f-aa9e-48ba-8619-45960f2c314d\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-0e60b895-3786-45da-8377-9c6b4b6ac5f9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-17k78e20-9358-41c9-923c-fb736d382a12\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"PHPLatestVersion\" : { \n \"value\" : \"7.3\"\n },\n \"effect-22bee202-a82f-4305-9a2a-6d7f44d4dedb\" : { \n 
\"value\" : \"Audit\"\n },\n \"effect-26a828e1-e88f-464e-bbb3-c134a282b9de\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-34c877ad-507e-4c82-993e-3452a6e0ad3c\" : { \n \"value\" : \"Audit\"\n },\n \"effect-3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-404c3081-a854-4457-ae30-26a93ef643f9\" : { \n \"value\" : \"Audit\"\n },\n \"effect-47a6b606-51aa-4496-8bb7-64b11cf66adc\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-496223c3-ad65-4ecd-878a-bae78737e9ed\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"JavaLatestVersion\" : { \n \"value\" : \"11\"\n },\n \"effect-4f11b553-d42e-4e3a-89be-32ca364cad4c\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-5c607a2e-c700-4744-8254-d77e7c9eb5e4\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-5f76cf89-fbf2-47fd-a3f4-b891fa780b60\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-6b1cbf55-e8b6-442f-ba4c-7246b6381474\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab\" : { \n \"value\" : \"Audit\"\n },\n \"effect-7008174a-fd10-4ef0-817e-fc820a951d73\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"LinuxPythonLatestVersion\" : { \n \"value\" : \"3.8\"\n },\n \"effect-7238174a-fd10-4ef0-817e-fc820a951d73\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-7261b898-8a84-4db8-9e04-18527132abb3\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-74c3584d-afae-46f7-a20a-6f8adba71a16\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-86b3d65f-7626-441e-b690-81a8b71cff60\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-88999f4c-376a-45c8-bcb3-4058f713cf39\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-8c122334-9d20-4eb8-89ea-ac9a705b74ae\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e\" : { \n \"value\" : 
\"AuditIfNotExists\"\n },\n \"effect-9297c21d-2ed6-4474-b48f-163f75654ce3\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-991310cd-e9f3-47bc-b7b6-f57b557d07db\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-9b597639-28e4-48eb-b506-56b05d366257\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-9daedab3-fb2d-461e-b861-71790eead4f6\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-a4af4a39-4135-47fb-b175-47fbdf85311d\" : { \n \"value\" : \"Audit\"\n },\n \"effect-a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"setting-a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9\" : { \n \"value\" : \"enabled\"\n },\n \"effect-a70ca396-0a34-413a-88e1-b956c1e683be\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-aa633080-8b72-40c4-a2d7-d00c03e80bed\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-af6cd1bd-1635-48cb-bde7-5b15693900b9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"resourceGroupName-b6e2945c-0b7b-40f5-9233-7a5323b5cdc6\" : { \n \"value\" : \"NetworkWatcherRG\"\n },\n \"effect-b7ddfbdc-1260-477d-91fd-98bd9be789a6\" : { \n \"value\" : \"Audit\"\n },\n \"effect-c3f317a7-a95c-4547-b7e7-11017ebdf2fe\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-cb510bfd-1cba-4d9f-a230-cb0976f4bb71\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-e2c1c086-2d84-4019-bff3-c44ccd95113c\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-e3576e28-8b17-4677-84c3-db2990658d64\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-e8cbc669-f12d-49eb-93e7-9273119e9933\" : { \n \"value\" : \"AuditIfNotExists\"\n 
},\n \"effect-e9c8d085-d9cc-4b17-9cdc-059f1f01f19e\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-ebb62a0c-3560-49e1-89ed-27e074e9f8ad\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-efbde977-ba53-4479-b8e9-10b957924fbf\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-f6de0be7-9a8a-4b8a-b349-43cf02d22f7c\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-f8456c1c-aa66-4dfb-861a-25d127b775c9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-f9d614c5-c173-4d56-95a7-b4437057d193\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-fb893a29-21bb-418c-a157-e99480ec364c\" : { \n \"value\" : \"Audit\"\n },\n \"effect-feedbf84-6b99-488c-acc2-71c829aa5ffc\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-3b980d31-7904-4bb7-8575-5665739a8052\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-6e2593d9-add6-4083-9c9b-4b7d2188c899\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-12430be1-6cc8-4527-a9a8-e3d38f250096\" : { \n \"value\" : \"Audit\"\n },\n \"modeRequirement-12430be1-6cc8-4527-a9a8-e3d38f250096\" : { \n \"value\" : \"Detection\"\n },\n \"effect-425bea59-a659-4cbb-8d31-34499bd030b8\" : { \n \"value\" : \"Audit\"\n },\n \"modeRequirement-425bea59-a659-4cbb-8d31-34499bd030b8\" : { \n \"value\" : \"Detection\"\n },\n \"effect-564feb30-bf6a-4854-b4bb-0d2d2d1e6c66\" : { \n \"value\" : \"Audit\"\n },\n \"effect-055aa869-bc98-4af8-bafc-23f1ab6ffe2c\" : { \n \"value\" : \"Audit\"\n },\n \"effect-013e242c-8828-4970-87b3-ab247555486d\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-d38fc420-0735-4ef3-ac11-c806f651a570\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-a1181c5f-672a-477a-979a-7d58aa086233\" : { \n \"value\" : \"Audit\"\n },\n \"effect-308fbb08-4ab8-4e67-9b29-592e93fb94fa\" : { \n 
\"value\" : \"AuditIfNotExists\"\n },\n \"effect-4da35fc9-c9e7-4960-aec9-797fe7d9051d\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-523b5cd1-3e23-492f-a539-13118b6d1e3a\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-7fe3b40f-802b-4cdd-8bd4-fd799c948cc2\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-c25d9a16-bc35-4e15-a7e5-9db606bf9ed4\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-b0f33259-77d7-4c9e-aac6-3aabcfae693c\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-037eea7a-bd0a-46c5-9a66-03aea78705d3\" : { \n \"value\" : \"Audit\"\n },\n \"effect-0725b4dd-7e76-479c-a735-68e7ee23d5ca\" : { \n \"value\" : \"Audit\"\n },\n \"effect-0820b7b9-23aa-4725-a1ce-ae4558f718e5\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-2c89a2e5-7285-40fe-afe0-ae8654b92fab\" : { \n \"value\" : \"Audit\"\n },\n \"effect-358c20a6-3f9e-4f0e-97ff-c6ce485e2aac\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-5744710e-cc2f-4ee8-8809-3b11e89f4bc9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-ac4a19c2-fa67-49b4-8ae5-0b2e78c49457\" : { \n \"value\" : \"Audit\"\n },\n \"effect-c9d007d0-c057-4772-b18c-01e546713bcd\" : { \n \"value\" : \"Audit\"\n },\n \"effect-d0793b48-0edc-4296-a390-4c75d1bdfd71\" : { \n \"value\" : \"Audit\"\n },\n \"effect-e372f825-a257-4fb8-9175-797a8a8627d6\" : { \n \"value\" : \"Audit\"\n },\n \"effect-d158790f-bfb0-486c-8631-2dc6b4e8e6af\" : { \n \"value\" : \"Audit\"\n },\n \"effect-e802a67a-daf5-4436-9ea6-f6d821dd0c5d\" : { \n \"value\" : \"Audit\"\n },\n \"effect-a451c1ef-c6ca-483d-87ed-f49761e3ffb5\" : { \n \"value\" : \"Audit\"\n },\n \"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftSql-servers-firewallRules-delete\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftNetwork-networkSecurityGroups-delete\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n 
\"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftClassicNetwork-networkSecurityGroups-delete\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftNetwork-networkSecurityGroups-securityRules-delete\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftClassicNetwork-networkSecurityGroups-securityRules-delete\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-ae89ebca-1c92-4898-ac2c-9f63decb045c\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-d26f7642-7545-4e18-9b75-8c9bbdee3a9a\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-1a4e592a-6a6e-44a5-9814-e36264ca96e7\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-7796937f-307b-4598-941c-67d3a05ebfe7\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-c5447c04-a4d7-4ba8-a263-c9ee321a6858\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-41388f1c-2db0-4c25-95b2-35d7f5ccbfa9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-b02aacc0-b073-424e-8298-42b22829ee0a\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-0ec47710-77ff-4a3d-9181-6aa50af424d0\" : { \n \"value\" : \"Audit\"\n },\n \"effect-48af4db5-9b8b-401c-8e74-076be876a430\" : { \n \"value\" : \"Audit\"\n },\n \"effect-82339799-d096-41ae-8538-b108becf0970\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1b7aa243-30e4-4c9e-bca8-d0d3022b634a\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-bb91dfba-c30d-4263-9add-9c2384e659a6\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-e71308d3-144b-4262-b144-efdc3cc90517\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-2bdd0062-9d75-436e-89df-487dd8e4b3c7\" : { \n \"value\" : \"Disabled\"\n },\n \"effect-4733ea7b-a883-42fe-8cac-97454c2a9e4a\" : { \n 
\"value\" : \"Audit\"\n },\n \"effect-67121cc7-ff39-4ab8-b7e3-95b84dab487d\" : { \n \"value\" : \"Audit\"\n },\n \"effect-6fac406b-40ca-413b-bf8e-0bf964659c25\" : { \n \"value\" : \"Audit\"\n },\n \"effect-81e74cea-30fd-40d5-802f-d72103c2aaaa\" : { \n \"value\" : \"Audit\"\n },\n \"effect-c349d81b-9985-44ae-a8da-ff98d108ede8\" : { \n \"value\" : \"Audit\"\n },\n \"effect-f4b53539-8df9-40e4-86c6-6b607703bd4e\" : { \n \"value\" : \"Audit\"\n },\n \"effect-ec068d99-e9c7-401f-8cef-5bdde4e6ccf1\" : { \n \"value\" : \"Audit\"\n },\n \"effect-048248b0-55cd-46da-b1ff-39efd52db260\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-0d134df8-db83-46fb-ad72-fe0c9428c8dd\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-2c89a2e5-7285-40fe-afe0-ae8654b92fb2\" : { \n \"value\" : \"Audit\"\n },\n \"effect-3657f5a0-770e-44a3-b44e-9431ba1e9735\" : { \n \"value\" : \"Audit\"\n },\n \"effect-5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\" : { \n \"value\" : \"Audit\"\n },\n \"effect-617c02be-7f02-4efd-8836-3180d47b6c68\" : { \n \"value\" : \"Audit\"\n },\n \"effect-7d7be79c-23ba-4033-84dd-45e2a5ccdd67\" : { \n \"value\" : \"Audit\"\n },\n \"effect-87ba29ef-1ab3-4d82-b763-87fcd4f531f7\" : { \n \"value\" : \"audit\"\n },\n \"effect-f7d52b2d-e161-4dfa-a82b-55e564167385\" : { \n \"value\" : \"Audit\"\n },\n \"effect-c43e4a30-77cb-48ab-a4dd-93f175c63b57\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1f314764-cb73-4fc9-b863-8eca98ac36e9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-123a3936-f020-408a-ba0c-47873faf1534\" : { \n \"value\" : \"AuditIfNotExists\"\n }\n}\n", "modifiedAssignment": "[if(and(equals(toLower(environment().name), toLower('AzureCloud')), equals(toLower(parameters('builtInAssignment')), toLower('IL5'))), 'NISTRev4', parameters('builtInAssignment'))]", "assignmentName": 
"[format('{0} {1}', variables('modifiedAssignment'), resourceGroup().name)]", "agentVmssAssignmentName": "[format('Deploy VMSS Agents {0}', resourceGroup().name)]", @@ -8369,7 +8369,7 @@ "_generator": { "name": "bicep", "version": "0.24.24.22086", - "templateHash": "16693295535307781768" + "templateHash": "16012918268376848316" } }, "parameters": { 
@@ -8411,10 +8411,10 @@ } }, "variables": { - "$fxv#0": " {\r\n \"listOfMembersToExcludeFromWindowsVMAdministratorsGroup\": \r\n {\r\n \"value\": \"admin\"\r\n },\r\n \"listOfMembersToIncludeInWindowsVMAdministratorsGroup\": \r\n {\r\n \"value\": \"azureuser\"\r\n },\r\n \"logAnalyticsWorkspaceIdforVMReporting\": \r\n {\r\n \"value\": \"\"\r\n },\r\n \"IncludeArcMachines\": \r\n {\r\n \"value\": \"true\"\r\n },\r\n \"MinimumTLSVersion-5752e6d6-1206-46d8-8ab1-ecc2f71a8112\": \r\n {\r\n \"value\": \"1.2\"\r\n },\r\n \"NotAvailableMachineState-bed48b13-6647-468e-aa2f-1af1d3f4dd40\": \r\n {\r\n \"value\": \"Compliant\"\r\n },\r\n \"requiredRetentionDays\": \r\n {\r\n \"value\": \"365\"\r\n },\r\n \"resourceGroupName-b6e2945c-0b7b-40f5-9233-7a5323b5cdc6\": \r\n {\r\n \"value\": \"NetworkWatcherRG\"\r\n }\r\n }", - "$fxv#1": " {\r\n \"IncludeArcMachines\": \r\n {\r\n \"value\": \"true\"\r\n },\r\n \"MinimumTLSVersion-5752e6d6-1206-46d8-8ab1-ecc2f71a8112\": \r\n {\r\n \"value\": \"1.2\"\r\n },\r\n \"NotAvailableMachineState-bed48b13-6647-468e-aa2f-1af1d3f4dd40\": \r\n {\r\n \"value\": \"Compliant\"\r\n },\r\n \"requiredRetentionDays\": \r\n {\r\n \"value\": \"365\"\r\n },\r\n \"resourceGroupName-b6e2945c-0b7b-40f5-9233-7a5323b5cdc6\": \r\n {\r\n \"value\": \"NetworkWatcherRG\"\r\n }\r\n }", - "$fxv#2": "{\r\n \"IncludeArcMachines\" : { \r\n \"value\" : \"false\"\r\n },\r\n \"NotAvailableMachineState-bed48b13-6647-468e-aa2f-1af1d3f4dd40\" : { \r\n \"value\" : \"Compliant\"\r\n },\r\n \"MinimumTLSVersionForWindowsServers\" : { \r\n \"value\" : \"1.2\"\r\n },\r\n \"requiredRetentionDays\" : { \r\n \"value\" : \"365\"\r\n },\r\n \"effect-febd0533-8e55-448f-b837-bd0e06f16469\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"allowedContainerImagesRegex-febd0533-8e55-448f-b837-bd0e06f16469\" : { \r\n \"value\" : \"^(.+){0}$\"\r\n },\r\n \"effect-95edb821-ddaf-4404-9732-666045e056b4\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-440b515e-a580-421e-abeb-b159a61ddcbc\" : { \r\n 
\"value\" : \"audit\"\r\n },\r\n \"effect-233a2a17-77ca-4fb1-9b6b-69223d272a44\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-e345eecc-fa47-480f-9e88-67dcc122b164\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"cpuLimit-e345eecc-fa47-480f-9e88-67dcc122b164\" : { \r\n \"value\" : \"0\"\r\n },\r\n \"memoryLimit-e345eecc-fa47-480f-9e88-67dcc122b164\" : { \r\n \"value\" : \"0\"\r\n },\r\n \"effect-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"runAsUserRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \r\n \"value\" : \"MustRunAsNonRoot\"\r\n },\r\n \"runAsGroupRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \r\n \"value\" : \"RunAsAny\"\r\n },\r\n \"supplementalGroupsRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \r\n \"value\" : \"RunAsAny\"\r\n },\r\n \"fsGroupRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \r\n \"value\" : \"RunAsAny\"\r\n },\r\n \"effect-1c6e92c9-99f0-4e55-9cf2-0c234dc48f99\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-df49d893-a74c-421d-bc95-c663042e5b80\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-c26596ff-4d70-4e6a-9a30-c2506bd2f80c\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-511f5417-5d12-434d-ab2e-816901e72a5e\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-82985f06-dc18-4a48-bc1c-b9f4f0098cfe\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-098fc59e-46c7-4d99-9b16-64990e543d75\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"NetworkWatcherResourceGroupName\" : { \r\n \"value\" : \"NetworkWatcherRG\"\r\n },\r\n \"setting-a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9\" : { \r\n \"value\" : \"enabled\"\r\n },\r\n \"aadAuthenticationInServiceFabricMonitoringEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-71ef260a-8f18-47b7-abcb-62d0673d94dc\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n 
\"effect-055aa869-bc98-4af8-bafc-23f1ab6ffe2c\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-564feb30-bf6a-4854-b4bb-0d2d2d1e6c66\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-d9da03a1-f3c3-412a-9709-947156872263\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-617c02be-7f02-4efd-8836-3180d47b6c68\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-ec068d99-e9c7-401f-8cef-5bdde4e6ccf1\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-c349d81b-9985-44ae-a8da-ff98d108ede8\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-3657f5a0-770e-44a3-b44e-9431ba1e9735\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-b4ac1030-89c5-4697-8e00-28b5ba6a8811\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-ea0dfaed-95fb-448c-934e-d6e713ce393d\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-4733ea7b-a883-42fe-8cac-97454c2a9e4a\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-f4b53539-8df9-40e4-86c6-6b607703bd4e\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-41425d9f-d1a5-499a-9932-f8ed8453932c\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-fc4d8e41-e223-45ea-9bf5-eada37891d87\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-86efb160-8de7-451d-bc08-5d475b0aadae\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-4ec52d6d-beb7-40c4-9a9e-fe753254690e\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-64d314f6-6062-4780-a861-c23e8951bee5\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-1fd32ebd-e4c3-4e13-a54a-d7422d4d95f6\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-fa298e57-9444-42ba-bf04-86e8470e32c7\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-67121cc7-ff39-4ab8-b7e3-95b84dab487d\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n 
\"effect-1f905d99-2ab7-462c-a6b0-f709acca6c8f\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-ba769a63-b8cc-4b2d-abf6-ac33c7204be8\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-81e74cea-30fd-40d5-802f-d72103c2aaaa\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-0aa61e00-0a01-4a3c-9945-e93cffedf0e6\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-47031206-ce96-41f8-861b-6a915f3de284\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-87ba29ef-1ab3-4d82-b763-87fcd4f531f7\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-51522a96-0869-4791-82f3-981000c2c67f\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-b5ec538c-daa0-4006-8596-35468b9148e8\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-56a5ee18-2ae6-4810-86f7-18e39ce5629b\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-2e94d99a-8a36-4563-bc77-810d8893b671\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-1fafeaf6-7927-4059-a50a-8eb2a7a6f2b5\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-99e9ccd8-3db9-4592-b0d1-14b1715a4d8a\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-1f68a601-6e6d-4e42-babf-3f643a047ea2\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-f7d52b2d-e161-4dfa-a82b-55e564167385\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-7d7be79c-23ba-4033-84dd-45e2a5ccdd67\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-ca91455f-eace-4f96-be59-e6e2c35b4816\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-702dd420-7fcc-42c5-afe8-4026edd20fe0\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"diagnosticsLogsInRedisCacheMonitoringEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"secureTransferToStorageAccountMonitoringEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-d0793b48-0edc-4296-a390-4c75d1bdfd71\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-7d092e0a-7acd-40d2-a975-dca21cae48c4\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n 
\"effect-2a1a9cdf-e04d-429a-8416-3bfb72a1b26f\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"disableUnrestrictedNetworkToStorageAccountMonitoringEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-55615ac9-af46-4a59-874e-391cc3dfb490\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-1b8ca024-1d5c-4dec-8995-b1a932b41780\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-037eea7a-bd0a-46c5-9a66-03aea78705d3\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-53503636-bcc9-4748-9663-5348217f160f\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-40cec1dd-a100-4920-b15b-3024fe8901ab\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-0725b4dd-7e76-479c-a735-68e7ee23d5ca\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-a049bf77-880b-470f-ba6d-9f21c530cf83\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-ee980b6d-0eca-4501-8d54-f6290fd512c3\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-1d84d5fb-01f6-4d12-ba4f-4a26081d403d\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-37e0d2fe-28a5-43d6-a273-67d37d1f5606\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"identityDesignateMoreThanOneOwnerMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"diskEncryptionMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"emailNotificationToSubscriptionOwnerHighSeverityAlertsEnabledEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"functionAppDisableRemoteDebuggingMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"sqlDbEncryptionMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"vulnerabilityAssessmentOnManagedInstanceMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"ensurePHPVersionLatestForAPIAppEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"aadAuthenticationInSqlServerMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"vmssEndpointProtectionMonitoringEffect\" : { \r\n \"value\" : 
\"AuditIfNotExists\"\r\n },\r\n \"vmssOsVulnerabilitiesMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"adaptiveApplicationControlsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"geoRedundantBackupShouldBeEnabledForAzureDatabaseForPostgreSQLEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"ensureJavaVersionLatestForWebAppEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"identityDesignateLessThanOwnersMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"securityContactEmailAddressForSubscriptionEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"webAppRestrictCORSAccessMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"identityRemoveExternalAccountWithWritePermissionsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"identityRemoveExternalAccountWithReadPermissionsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"identityRemoveDeprecatedAccountMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"functionAppEnforceHttpsMonitoringEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"ensurePythonVersionLatestForWebAppEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"ensurePythonVersionLatestForFunctionAppEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"ensurePHPVersionLatestForWebAppEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"ensurePythonVersionLatestForAPIAppEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"geoRedundantBackupShouldBeEnabledForAzureDatabaseForMySQLEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"systemUpdatesMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"ensureJavaVersionLatestForAPIAppEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"ensureHTTPVersionLatestForWebAppEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n 
\"apiAppRequireLatestTlsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"identityEnableMFAForWritePermissionsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"ensureHTTPVersionLatestForAPIAppEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"ensureJavaVersionLatestForFunctionAppEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"nextGenerationFirewallMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"useRbacRulesMonitoringEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"webAppEnforceHttpsMonitoringEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"sqlServerAuditingMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"vnetEnableDDoSProtectionMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"identityEnableMFAForOwnerPermissionsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"sqlServerAdvancedDataSecurityMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"sqlManagedInstanceAdvancedDataSecurityMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"endpointProtectionMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"jitNetworkAccessMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"apiAppEnforceHttpsMonitoringEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"geoRedundantStorageShouldBeEnabledForStorageAccountsEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"vmssSystemUpdatesMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"webAppDisableRemoteDebuggingMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"longtermGeoRedundantBackupEnabledAzureSQLDatabasesEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"systemConfigurationsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"ensureHTTPVersionLatestForFunctionAppEffect\" : { \r\n 
\"value\" : \"AuditIfNotExists\"\r\n },\r\n \"identityEnableMFAForReadPermissionsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"containerBenchmarkMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"apiAppDisableRemoteDebuggingMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"vulnerabilityAssessmentOnServerMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"webAppRequireLatestTlsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"identityRemoveExternalAccountWithOwnerPermissionsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"functionAppRequireLatestTlsMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"kubernetesServiceVersionUpToDateMonitoringEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"sqlDbVulnerabilityAssesmentMonitoringEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"membersToIncludeInLocalAdministratorsGroup\" : { \r\n \"value\" : \"\"\r\n },\r\n \"membersToExcludeInLocalAdministratorsGroup\" : { \r\n \"value\" : \"\"\r\n },\r\n \"logAnalyticsWorkspaceIDForVMAgents\" : { \r\n \"value\" : \"\"\r\n },\r\n \"PHPLatestVersionForAppServices\" : { \r\n \"value\" : \"7.4\"\r\n },\r\n \"JavaLatestVersionForAppServices\" : { \r\n \"value\" : \"11\"\r\n },\r\n \"WindowsPythonLatestVersionForAppServices\" : { \r\n \"value\" : \"3.6\"\r\n },\r\n \"LinuxPythonLatestVersionForAppServices\" : { \r\n \"value\" : \"3.9\"\r\n },\r\n \"ensureDotNetFrameworkLatestForFunctionAppEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"sqlManagedInstanceAdvancedDataSecurityEmailsMonitoringEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"vulnerabilityAssessmentMonitoringEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"ensureDotNetFrameworkLatestForWebAppEffect\" : 
{ \r\n \"value\" : \"Disabled\"\r\n },\r\n \"sqlServerAdvancedDataSecurityEmailsMonitoringEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"microsoftIaaSAntimalwareExtensionShouldBeDeployedOnWindowsServersEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"securityCenterStandardPricingTierShouldBeSelectedEffect\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"theLogAnalyticsAgentShouldBeInstalledOnVirtualMachinesEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"ensurePHPVersionLatestForFunctionAppEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"sqlManagedInstanceAdvancedDataSecurityEmailAdminsMonitoringEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"securityContactPhoneNumberShouldBeProvidedForSubscriptionEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"threatDetectionTypesOnManagedInstanceMonitoringEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"ensureDotNetFrameworkLatestForAPIAppEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"sqlServerAdvancedDataSecurityEmailAdminsMonitoringEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"threatDetectionTypesOnServerMonitoringEffect\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"theLogAnalyticsAgentShouldBeInstalledOnVirtualMachineScaleSetsEffect\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n }\r\n}", - "$fxv#3": "{\r\n \"logAnalyticsWorkspaceId-f47b5582-33ec-4c5c-87c0-b010a6b2e917\" : { \r\n \"value\" : \"\"\r\n },\r\n \"effect-09024ccc-0c5f-475e-9457-b7c0d9ed487b\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"MembersToExclude-69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f\" :{\r\n \"value\": \"\"\r\n },\r\n \"MembersToInclude-30f71ea1-ac77-4f26-9fc5-2d926bbd4ba7\": {\r\n \"value\": \"\"\r\n },\r\n \"effect-0961003e-5a0a-4549-abde-af6a37f2724d\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-0b15565f-aa9e-48ba-8619-45960f2c314d\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-0e60b895-3786-45da-8377-9c6b4b6ac5f9\" : { \r\n \"value\" : 
\"AuditIfNotExists\"\r\n },\r\n \"effect-17k78e20-9358-41c9-923c-fb736d382a12\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"PHPLatestVersion\" : { \r\n \"value\" : \"7.3\"\r\n },\r\n \"effect-22bee202-a82f-4305-9a2a-6d7f44d4dedb\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-26a828e1-e88f-464e-bbb3-c134a282b9de\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-34c877ad-507e-4c82-993e-3452a6e0ad3c\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-404c3081-a854-4457-ae30-26a93ef643f9\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-47a6b606-51aa-4496-8bb7-64b11cf66adc\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-496223c3-ad65-4ecd-878a-bae78737e9ed\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"JavaLatestVersion\" : { \r\n \"value\" : \"11\"\r\n },\r\n \"effect-4f11b553-d42e-4e3a-89be-32ca364cad4c\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-5c607a2e-c700-4744-8254-d77e7c9eb5e4\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-5f76cf89-fbf2-47fd-a3f4-b891fa780b60\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-6b1cbf55-e8b6-442f-ba4c-7246b6381474\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-7008174a-fd10-4ef0-817e-fc820a951d73\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"LinuxPythonLatestVersion\" : { \r\n \"value\" : \"3.8\"\r\n },\r\n \"effect-7238174a-fd10-4ef0-817e-fc820a951d73\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-7261b898-8a84-4db8-9e04-18527132abb3\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n 
\"effect-74c3584d-afae-46f7-a20a-6f8adba71a16\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-86b3d65f-7626-441e-b690-81a8b71cff60\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-88999f4c-376a-45c8-bcb3-4058f713cf39\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-8c122334-9d20-4eb8-89ea-ac9a705b74ae\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-9297c21d-2ed6-4474-b48f-163f75654ce3\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-991310cd-e9f3-47bc-b7b6-f57b557d07db\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-9b597639-28e4-48eb-b506-56b05d366257\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-9daedab3-fb2d-461e-b861-71790eead4f6\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-a4af4a39-4135-47fb-b175-47fbdf85311d\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"setting-a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9\" : { \r\n \"value\" : \"enabled\"\r\n },\r\n \"effect-a70ca396-0a34-413a-88e1-b956c1e683be\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-aa633080-8b72-40c4-a2d7-d00c03e80bed\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-af6cd1bd-1635-48cb-bde7-5b15693900b9\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"resourceGroupName-b6e2945c-0b7b-40f5-9233-7a5323b5cdc6\" : { \r\n \"value\" : \"NetworkWatcherRG\"\r\n },\r\n \"effect-b7ddfbdc-1260-477d-91fd-98bd9be789a6\" : { \r\n \"value\" : \"Audit\"\r\n 
},\r\n \"effect-c3f317a7-a95c-4547-b7e7-11017ebdf2fe\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-cb510bfd-1cba-4d9f-a230-cb0976f4bb71\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-e2c1c086-2d84-4019-bff3-c44ccd95113c\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-e3576e28-8b17-4677-84c3-db2990658d64\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-e8cbc669-f12d-49eb-93e7-9273119e9933\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-e9c8d085-d9cc-4b17-9cdc-059f1f01f19e\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-ebb62a0c-3560-49e1-89ed-27e074e9f8ad\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-efbde977-ba53-4479-b8e9-10b957924fbf\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-f6de0be7-9a8a-4b8a-b349-43cf02d22f7c\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-f8456c1c-aa66-4dfb-861a-25d127b775c9\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-f9d614c5-c173-4d56-95a7-b4437057d193\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-fb893a29-21bb-418c-a157-e99480ec364c\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-feedbf84-6b99-488c-acc2-71c829aa5ffc\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-3b980d31-7904-4bb7-8575-5665739a8052\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-6e2593d9-add6-4083-9c9b-4b7d2188c899\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-12430be1-6cc8-4527-a9a8-e3d38f250096\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"modeRequirement-12430be1-6cc8-4527-a9a8-e3d38f250096\" : { \r\n \"value\" : \"Detection\"\r\n 
},\r\n \"effect-425bea59-a659-4cbb-8d31-34499bd030b8\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"modeRequirement-425bea59-a659-4cbb-8d31-34499bd030b8\" : { \r\n \"value\" : \"Detection\"\r\n },\r\n \"effect-564feb30-bf6a-4854-b4bb-0d2d2d1e6c66\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-055aa869-bc98-4af8-bafc-23f1ab6ffe2c\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-013e242c-8828-4970-87b3-ab247555486d\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-d38fc420-0735-4ef3-ac11-c806f651a570\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-a1181c5f-672a-477a-979a-7d58aa086233\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-308fbb08-4ab8-4e67-9b29-592e93fb94fa\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-4da35fc9-c9e7-4960-aec9-797fe7d9051d\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-523b5cd1-3e23-492f-a539-13118b6d1e3a\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-7fe3b40f-802b-4cdd-8bd4-fd799c948cc2\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-c25d9a16-bc35-4e15-a7e5-9db606bf9ed4\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-b0f33259-77d7-4c9e-aac6-3aabcfae693c\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-037eea7a-bd0a-46c5-9a66-03aea78705d3\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-0725b4dd-7e76-479c-a735-68e7ee23d5ca\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-0820b7b9-23aa-4725-a1ce-ae4558f718e5\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-2c89a2e5-7285-40fe-afe0-ae8654b92fab\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-358c20a6-3f9e-4f0e-97ff-c6ce485e2aac\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-5744710e-cc2f-4ee8-8809-3b11e89f4bc9\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-ac4a19c2-fa67-49b4-8ae5-0b2e78c49457\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-c9d007d0-c057-4772-b18c-01e546713bcd\" : { \r\n 
\"value\" : \"Audit\"\r\n },\r\n \"effect-d0793b48-0edc-4296-a390-4c75d1bdfd71\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-e372f825-a257-4fb8-9175-797a8a8627d6\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-d158790f-bfb0-486c-8631-2dc6b4e8e6af\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-e802a67a-daf5-4436-9ea6-f6d821dd0c5d\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-a451c1ef-c6ca-483d-87ed-f49761e3ffb5\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftSql-servers-firewallRules-delete\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftNetwork-networkSecurityGroups-delete\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftClassicNetwork-networkSecurityGroups-delete\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftNetwork-networkSecurityGroups-securityRules-delete\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftClassicNetwork-networkSecurityGroups-securityRules-delete\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-ae89ebca-1c92-4898-ac2c-9f63decb045c\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-d26f7642-7545-4e18-9b75-8c9bbdee3a9a\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-1a4e592a-6a6e-44a5-9814-e36264ca96e7\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-7796937f-307b-4598-941c-67d3a05ebfe7\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-c5447c04-a4d7-4ba8-a263-c9ee321a6858\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-41388f1c-2db0-4c25-95b2-35d7f5ccbfa9\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-b02aacc0-b073-424e-8298-42b22829ee0a\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n 
\"effect-057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-0ec47710-77ff-4a3d-9181-6aa50af424d0\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-48af4db5-9b8b-401c-8e74-076be876a430\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-82339799-d096-41ae-8538-b108becf0970\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-1b7aa243-30e4-4c9e-bca8-d0d3022b634a\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-bb91dfba-c30d-4263-9add-9c2384e659a6\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-e71308d3-144b-4262-b144-efdc3cc90517\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-2bdd0062-9d75-436e-89df-487dd8e4b3c7\" : { \r\n \"value\" : \"Disabled\"\r\n },\r\n \"effect-4733ea7b-a883-42fe-8cac-97454c2a9e4a\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-67121cc7-ff39-4ab8-b7e3-95b84dab487d\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-6fac406b-40ca-413b-bf8e-0bf964659c25\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-81e74cea-30fd-40d5-802f-d72103c2aaaa\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-c349d81b-9985-44ae-a8da-ff98d108ede8\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-f4b53539-8df9-40e4-86c6-6b607703bd4e\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-ec068d99-e9c7-401f-8cef-5bdde4e6ccf1\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-048248b0-55cd-46da-b1ff-39efd52db260\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-0d134df8-db83-46fb-ad72-fe0c9428c8dd\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-2c89a2e5-7285-40fe-afe0-ae8654b92fb2\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-3657f5a0-770e-44a3-b44e-9431ba1e9735\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n 
\"effect-617c02be-7f02-4efd-8836-3180d47b6c68\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-7d7be79c-23ba-4033-84dd-45e2a5ccdd67\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-87ba29ef-1ab3-4d82-b763-87fcd4f531f7\" : { \r\n \"value\" : \"audit\"\r\n },\r\n \"effect-f7d52b2d-e161-4dfa-a82b-55e564167385\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-c43e4a30-77cb-48ab-a4dd-93f175c63b57\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d\" : { \r\n \"value\" : \"Audit\"\r\n },\r\n \"effect-1f314764-cb73-4fc9-b863-8eca98ac36e9\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n },\r\n \"effect-123a3936-f020-408a-ba0c-47873faf1534\" : { \r\n \"value\" : \"AuditIfNotExists\"\r\n }\r\n}\r\n", + "$fxv#0": " {\n \"listOfMembersToExcludeFromWindowsVMAdministratorsGroup\": \n {\n \"value\": \"admin\"\n },\n \"listOfMembersToIncludeInWindowsVMAdministratorsGroup\": \n {\n \"value\": \"azureuser\"\n },\n \"logAnalyticsWorkspaceIdforVMReporting\": \n {\n \"value\": \"\"\n },\n \"IncludeArcMachines\": \n {\n \"value\": \"true\"\n },\n \"MinimumTLSVersion-5752e6d6-1206-46d8-8ab1-ecc2f71a8112\": \n {\n \"value\": \"1.2\"\n },\n \"NotAvailableMachineState-bed48b13-6647-468e-aa2f-1af1d3f4dd40\": \n {\n \"value\": \"Compliant\"\n },\n \"requiredRetentionDays\": \n {\n \"value\": \"365\"\n },\n \"resourceGroupName-b6e2945c-0b7b-40f5-9233-7a5323b5cdc6\": \n {\n \"value\": \"NetworkWatcherRG\"\n }\n }", + "$fxv#1": " {\n \"IncludeArcMachines\": \n {\n \"value\": \"true\"\n },\n \"MinimumTLSVersion-5752e6d6-1206-46d8-8ab1-ecc2f71a8112\": \n {\n \"value\": \"1.2\"\n },\n \"NotAvailableMachineState-bed48b13-6647-468e-aa2f-1af1d3f4dd40\": \n {\n \"value\": \"Compliant\"\n },\n \"requiredRetentionDays\": \n {\n \"value\": \"365\"\n },\n \"resourceGroupName-b6e2945c-0b7b-40f5-9233-7a5323b5cdc6\": \n {\n \"value\": \"NetworkWatcherRG\"\n }\n 
}", + "$fxv#2": "{\n \"IncludeArcMachines\" : { \n \"value\" : \"false\"\n },\n \"NotAvailableMachineState-bed48b13-6647-468e-aa2f-1af1d3f4dd40\" : { \n \"value\" : \"Compliant\"\n },\n \"MinimumTLSVersionForWindowsServers\" : { \n \"value\" : \"1.2\"\n },\n \"requiredRetentionDays\" : { \n \"value\" : \"365\"\n },\n \"effect-febd0533-8e55-448f-b837-bd0e06f16469\" : { \n \"value\" : \"audit\"\n },\n \"allowedContainerImagesRegex-febd0533-8e55-448f-b837-bd0e06f16469\" : { \n \"value\" : \"^(.+){0}$\"\n },\n \"effect-95edb821-ddaf-4404-9732-666045e056b4\" : { \n \"value\" : \"audit\"\n },\n \"effect-440b515e-a580-421e-abeb-b159a61ddcbc\" : { \n \"value\" : \"audit\"\n },\n \"effect-233a2a17-77ca-4fb1-9b6b-69223d272a44\" : { \n \"value\" : \"audit\"\n },\n \"effect-e345eecc-fa47-480f-9e88-67dcc122b164\" : { \n \"value\" : \"audit\"\n },\n \"cpuLimit-e345eecc-fa47-480f-9e88-67dcc122b164\" : { \n \"value\" : \"0\"\n },\n \"memoryLimit-e345eecc-fa47-480f-9e88-67dcc122b164\" : { \n \"value\" : \"0\"\n },\n \"effect-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \n \"value\" : \"audit\"\n },\n \"runAsUserRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \n \"value\" : \"MustRunAsNonRoot\"\n },\n \"runAsGroupRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \n \"value\" : \"RunAsAny\"\n },\n \"supplementalGroupsRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \n \"value\" : \"RunAsAny\"\n },\n \"fsGroupRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \n \"value\" : \"RunAsAny\"\n },\n \"effect-1c6e92c9-99f0-4e55-9cf2-0c234dc48f99\" : { \n \"value\" : \"audit\"\n },\n \"effect-47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8\" : { \n \"value\" : \"audit\"\n },\n \"effect-df49d893-a74c-421d-bc95-c663042e5b80\" : { \n \"value\" : \"audit\"\n },\n \"effect-1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\" : { \n \"value\" : \"audit\"\n },\n \"effect-c26596ff-4d70-4e6a-9a30-c2506bd2f80c\" : { \n \"value\" : \"audit\"\n },\n \"effect-511f5417-5d12-434d-ab2e-816901e72a5e\" : { \n \"value\" : \"audit\"\n },\n 
\"effect-82985f06-dc18-4a48-bc1c-b9f4f0098cfe\" : { \n \"value\" : \"audit\"\n },\n \"effect-098fc59e-46c7-4d99-9b16-64990e543d75\" : { \n \"value\" : \"audit\"\n },\n \"NetworkWatcherResourceGroupName\" : { \n \"value\" : \"NetworkWatcherRG\"\n },\n \"setting-a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9\" : { \n \"value\" : \"enabled\"\n },\n \"aadAuthenticationInServiceFabricMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"effect-71ef260a-8f18-47b7-abcb-62d0673d94dc\" : { \n \"value\" : \"Audit\"\n },\n \"effect-055aa869-bc98-4af8-bafc-23f1ab6ffe2c\" : { \n \"value\" : \"Audit\"\n },\n \"effect-564feb30-bf6a-4854-b4bb-0d2d2d1e6c66\" : { \n \"value\" : \"Audit\"\n },\n \"effect-862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb\" : { \n \"value\" : \"Audit\"\n },\n \"effect-d9da03a1-f3c3-412a-9709-947156872263\" : { \n \"value\" : \"Audit\"\n },\n \"effect-617c02be-7f02-4efd-8836-3180d47b6c68\" : { \n \"value\" : \"Audit\"\n },\n \"effect-0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d\" : { \n \"value\" : \"Audit\"\n },\n \"effect-ec068d99-e9c7-401f-8cef-5bdde4e6ccf1\" : { \n \"value\" : \"Audit\"\n },\n \"effect-c349d81b-9985-44ae-a8da-ff98d108ede8\" : { \n \"value\" : \"Audit\"\n },\n \"effect-3657f5a0-770e-44a3-b44e-9431ba1e9735\" : { \n \"value\" : \"Audit\"\n },\n \"effect-b4ac1030-89c5-4697-8e00-28b5ba6a8811\" : { \n \"value\" : \"audit\"\n },\n \"effect-ea0dfaed-95fb-448c-934e-d6e713ce393d\" : { \n \"value\" : \"audit\"\n },\n \"effect-4733ea7b-a883-42fe-8cac-97454c2a9e4a\" : { \n \"value\" : \"Audit\"\n },\n \"effect-f4b53539-8df9-40e4-86c6-6b607703bd4e\" : { \n \"value\" : \"Audit\"\n },\n \"effect-41425d9f-d1a5-499a-9932-f8ed8453932c\" : { \n \"value\" : \"Audit\"\n },\n \"effect-fc4d8e41-e223-45ea-9bf5-eada37891d87\" : { \n \"value\" : \"Audit\"\n },\n \"effect-86efb160-8de7-451d-bc08-5d475b0aadae\" : { \n \"value\" : \"Audit\"\n },\n \"effect-4ec52d6d-beb7-40c4-9a9e-fe753254690e\" : { \n 
\"value\" : \"Audit\"\n },\n \"effect-64d314f6-6062-4780-a861-c23e8951bee5\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1fd32ebd-e4c3-4e13-a54a-d7422d4d95f6\" : { \n \"value\" : \"Audit\"\n },\n \"effect-fa298e57-9444-42ba-bf04-86e8470e32c7\" : { \n \"value\" : \"audit\"\n },\n \"effect-67121cc7-ff39-4ab8-b7e3-95b84dab487d\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1f905d99-2ab7-462c-a6b0-f709acca6c8f\" : { \n \"value\" : \"audit\"\n },\n \"effect-5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\" : { \n \"value\" : \"Audit\"\n },\n \"effect-ba769a63-b8cc-4b2d-abf6-ac33c7204be8\" : { \n \"value\" : \"Audit\"\n },\n \"effect-81e74cea-30fd-40d5-802f-d72103c2aaaa\" : { \n \"value\" : \"Audit\"\n },\n \"effect-0aa61e00-0a01-4a3c-9945-e93cffedf0e6\" : { \n \"value\" : \"Audit\"\n },\n \"effect-47031206-ce96-41f8-861b-6a915f3de284\" : { \n \"value\" : \"Audit\"\n },\n \"effect-87ba29ef-1ab3-4d82-b763-87fcd4f531f7\" : { \n \"value\" : \"audit\"\n },\n \"effect-51522a96-0869-4791-82f3-981000c2c67f\" : { \n \"value\" : \"audit\"\n },\n \"effect-b5ec538c-daa0-4006-8596-35468b9148e8\" : { \n \"value\" : \"Audit\"\n },\n \"effect-56a5ee18-2ae6-4810-86f7-18e39ce5629b\" : { \n \"value\" : \"Audit\"\n },\n \"effect-2e94d99a-8a36-4563-bc77-810d8893b671\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1fafeaf6-7927-4059-a50a-8eb2a7a6f2b5\" : { \n \"value\" : \"Audit\"\n },\n \"effect-99e9ccd8-3db9-4592-b0d1-14b1715a4d8a\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1f68a601-6e6d-4e42-babf-3f643a047ea2\" : { \n \"value\" : \"audit\"\n },\n \"effect-f7d52b2d-e161-4dfa-a82b-55e564167385\" : { \n \"value\" : \"Audit\"\n },\n \"effect-7d7be79c-23ba-4033-84dd-45e2a5ccdd67\" : { \n \"value\" : \"Audit\"\n },\n \"effect-ca91455f-eace-4f96-be59-e6e2c35b4816\" : { \n \"value\" : \"Audit\"\n },\n \"effect-702dd420-7fcc-42c5-afe8-4026edd20fe0\" : { \n \"value\" : \"Audit\"\n },\n \"diagnosticsLogsInRedisCacheMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n 
\"secureTransferToStorageAccountMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"effect-d0793b48-0edc-4296-a390-4c75d1bdfd71\" : { \n \"value\" : \"Audit\"\n },\n \"effect-7d092e0a-7acd-40d2-a975-dca21cae48c4\" : { \n \"value\" : \"Audit\"\n },\n \"effect-2a1a9cdf-e04d-429a-8416-3bfb72a1b26f\" : { \n \"value\" : \"Audit\"\n },\n \"disableUnrestrictedNetworkToStorageAccountMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"effect-55615ac9-af46-4a59-874e-391cc3dfb490\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1b8ca024-1d5c-4dec-8995-b1a932b41780\" : { \n \"value\" : \"Audit\"\n },\n \"effect-037eea7a-bd0a-46c5-9a66-03aea78705d3\" : { \n \"value\" : \"Audit\"\n },\n \"effect-53503636-bcc9-4748-9663-5348217f160f\" : { \n \"value\" : \"Audit\"\n },\n \"effect-40cec1dd-a100-4920-b15b-3024fe8901ab\" : { \n \"value\" : \"Audit\"\n },\n \"effect-0725b4dd-7e76-479c-a735-68e7ee23d5ca\" : { \n \"value\" : \"Audit\"\n },\n \"effect-a049bf77-880b-470f-ba6d-9f21c530cf83\" : { \n \"value\" : \"Audit\"\n },\n \"effect-ee980b6d-0eca-4501-8d54-f6290fd512c3\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1d84d5fb-01f6-4d12-ba4f-4a26081d403d\" : { \n \"value\" : \"Audit\"\n },\n \"effect-37e0d2fe-28a5-43d6-a273-67d37d1f5606\" : { \n \"value\" : \"Audit\"\n },\n \"identityDesignateMoreThanOneOwnerMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"diskEncryptionMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"emailNotificationToSubscriptionOwnerHighSeverityAlertsEnabledEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"functionAppDisableRemoteDebuggingMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"sqlDbEncryptionMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"vulnerabilityAssessmentOnManagedInstanceMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensurePHPVersionLatestForAPIAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n 
\"aadAuthenticationInSqlServerMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"vmssEndpointProtectionMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"vmssOsVulnerabilitiesMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"adaptiveApplicationControlsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"geoRedundantBackupShouldBeEnabledForAzureDatabaseForPostgreSQLEffect\" : { \n \"value\" : \"Audit\"\n },\n \"ensureJavaVersionLatestForWebAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityDesignateLessThanOwnersMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"securityContactEmailAddressForSubscriptionEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"webAppRestrictCORSAccessMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityRemoveExternalAccountWithWritePermissionsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityRemoveExternalAccountWithReadPermissionsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityRemoveDeprecatedAccountMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"functionAppEnforceHttpsMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"ensurePythonVersionLatestForWebAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensurePythonVersionLatestForFunctionAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensurePHPVersionLatestForWebAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensurePythonVersionLatestForAPIAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"geoRedundantBackupShouldBeEnabledForAzureDatabaseForMySQLEffect\" : { \n \"value\" : \"Audit\"\n },\n \"systemUpdatesMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensureJavaVersionLatestForAPIAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensureHTTPVersionLatestForWebAppEffect\" : { \n \"value\" : 
\"AuditIfNotExists\"\n },\n \"apiAppRequireLatestTlsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityEnableMFAForWritePermissionsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensureHTTPVersionLatestForAPIAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensureJavaVersionLatestForFunctionAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"nextGenerationFirewallMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"useRbacRulesMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"webAppEnforceHttpsMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"sqlServerAuditingMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"vnetEnableDDoSProtectionMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityEnableMFAForOwnerPermissionsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"sqlServerAdvancedDataSecurityMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"sqlManagedInstanceAdvancedDataSecurityMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"endpointProtectionMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"jitNetworkAccessMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"apiAppEnforceHttpsMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"geoRedundantStorageShouldBeEnabledForStorageAccountsEffect\" : { \n \"value\" : \"Audit\"\n },\n \"vmssSystemUpdatesMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"webAppDisableRemoteDebuggingMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"longtermGeoRedundantBackupEnabledAzureSQLDatabasesEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"systemConfigurationsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensureHTTPVersionLatestForFunctionAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityEnableMFAForReadPermissionsMonitoringEffect\" : 
{ \n \"value\" : \"AuditIfNotExists\"\n },\n \"containerBenchmarkMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"apiAppDisableRemoteDebuggingMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"vulnerabilityAssessmentOnServerMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"webAppRequireLatestTlsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityRemoveExternalAccountWithOwnerPermissionsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"functionAppRequireLatestTlsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"kubernetesServiceVersionUpToDateMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"sqlDbVulnerabilityAssesmentMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"membersToIncludeInLocalAdministratorsGroup\" : { \n \"value\" : \"\"\n },\n \"membersToExcludeInLocalAdministratorsGroup\" : { \n \"value\" : \"\"\n },\n \"logAnalyticsWorkspaceIDForVMAgents\" : { \n \"value\" : \"\"\n },\n \"PHPLatestVersionForAppServices\" : { \n \"value\" : \"7.4\"\n },\n \"JavaLatestVersionForAppServices\" : { \n \"value\" : \"11\"\n },\n \"WindowsPythonLatestVersionForAppServices\" : { \n \"value\" : \"3.6\"\n },\n \"LinuxPythonLatestVersionForAppServices\" : { \n \"value\" : \"3.9\"\n },\n \"ensureDotNetFrameworkLatestForFunctionAppEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"sqlManagedInstanceAdvancedDataSecurityEmailsMonitoringEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"vulnerabilityAssessmentMonitoringEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"ensureDotNetFrameworkLatestForWebAppEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"sqlServerAdvancedDataSecurityEmailsMonitoringEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"microsoftIaaSAntimalwareExtensionShouldBeDeployedOnWindowsServersEffect\" : { \n 
\"value\" : \"Disabled\"\n },\n \"securityCenterStandardPricingTierShouldBeSelectedEffect\" : { \n \"value\" : \"Audit\"\n },\n \"theLogAnalyticsAgentShouldBeInstalledOnVirtualMachinesEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"ensurePHPVersionLatestForFunctionAppEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"sqlManagedInstanceAdvancedDataSecurityEmailAdminsMonitoringEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"securityContactPhoneNumberShouldBeProvidedForSubscriptionEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"threatDetectionTypesOnManagedInstanceMonitoringEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"ensureDotNetFrameworkLatestForAPIAppEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"sqlServerAdvancedDataSecurityEmailAdminsMonitoringEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"threatDetectionTypesOnServerMonitoringEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"theLogAnalyticsAgentShouldBeInstalledOnVirtualMachineScaleSetsEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n }\n}", + "$fxv#3": "{\n \"logAnalyticsWorkspaceId-f47b5582-33ec-4c5c-87c0-b010a6b2e917\" : { \n \"value\" : \"\"\n },\n \"effect-09024ccc-0c5f-475e-9457-b7c0d9ed487b\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"MembersToExclude-69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f\" :{\n \"value\": \"\"\n },\n \"MembersToInclude-30f71ea1-ac77-4f26-9fc5-2d926bbd4ba7\": {\n \"value\": \"\"\n },\n \"effect-0961003e-5a0a-4549-abde-af6a37f2724d\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-0b15565f-aa9e-48ba-8619-45960f2c314d\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-0e60b895-3786-45da-8377-9c6b4b6ac5f9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-17k78e20-9358-41c9-923c-fb736d382a12\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"PHPLatestVersion\" : { \n \"value\" : \"7.3\"\n },\n \"effect-22bee202-a82f-4305-9a2a-6d7f44d4dedb\" : { \n 
\"value\" : \"Audit\"\n },\n \"effect-26a828e1-e88f-464e-bbb3-c134a282b9de\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-34c877ad-507e-4c82-993e-3452a6e0ad3c\" : { \n \"value\" : \"Audit\"\n },\n \"effect-3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-404c3081-a854-4457-ae30-26a93ef643f9\" : { \n \"value\" : \"Audit\"\n },\n \"effect-47a6b606-51aa-4496-8bb7-64b11cf66adc\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-496223c3-ad65-4ecd-878a-bae78737e9ed\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"JavaLatestVersion\" : { \n \"value\" : \"11\"\n },\n \"effect-4f11b553-d42e-4e3a-89be-32ca364cad4c\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-5c607a2e-c700-4744-8254-d77e7c9eb5e4\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-5f76cf89-fbf2-47fd-a3f4-b891fa780b60\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-6b1cbf55-e8b6-442f-ba4c-7246b6381474\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab\" : { \n \"value\" : \"Audit\"\n },\n \"effect-7008174a-fd10-4ef0-817e-fc820a951d73\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"LinuxPythonLatestVersion\" : { \n \"value\" : \"3.8\"\n },\n \"effect-7238174a-fd10-4ef0-817e-fc820a951d73\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-7261b898-8a84-4db8-9e04-18527132abb3\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-74c3584d-afae-46f7-a20a-6f8adba71a16\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-86b3d65f-7626-441e-b690-81a8b71cff60\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-88999f4c-376a-45c8-bcb3-4058f713cf39\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-8c122334-9d20-4eb8-89ea-ac9a705b74ae\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e\" : { \n \"value\" : 
\"AuditIfNotExists\"\n },\n \"effect-9297c21d-2ed6-4474-b48f-163f75654ce3\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-991310cd-e9f3-47bc-b7b6-f57b557d07db\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-9b597639-28e4-48eb-b506-56b05d366257\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-9daedab3-fb2d-461e-b861-71790eead4f6\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-a4af4a39-4135-47fb-b175-47fbdf85311d\" : { \n \"value\" : \"Audit\"\n },\n \"effect-a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"setting-a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9\" : { \n \"value\" : \"enabled\"\n },\n \"effect-a70ca396-0a34-413a-88e1-b956c1e683be\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-aa633080-8b72-40c4-a2d7-d00c03e80bed\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-af6cd1bd-1635-48cb-bde7-5b15693900b9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"resourceGroupName-b6e2945c-0b7b-40f5-9233-7a5323b5cdc6\" : { \n \"value\" : \"NetworkWatcherRG\"\n },\n \"effect-b7ddfbdc-1260-477d-91fd-98bd9be789a6\" : { \n \"value\" : \"Audit\"\n },\n \"effect-c3f317a7-a95c-4547-b7e7-11017ebdf2fe\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-cb510bfd-1cba-4d9f-a230-cb0976f4bb71\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-e2c1c086-2d84-4019-bff3-c44ccd95113c\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-e3576e28-8b17-4677-84c3-db2990658d64\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-e8cbc669-f12d-49eb-93e7-9273119e9933\" : { \n \"value\" : \"AuditIfNotExists\"\n 
},\n \"effect-e9c8d085-d9cc-4b17-9cdc-059f1f01f19e\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-ebb62a0c-3560-49e1-89ed-27e074e9f8ad\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-efbde977-ba53-4479-b8e9-10b957924fbf\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-f6de0be7-9a8a-4b8a-b349-43cf02d22f7c\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-f8456c1c-aa66-4dfb-861a-25d127b775c9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-f9d614c5-c173-4d56-95a7-b4437057d193\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-fb893a29-21bb-418c-a157-e99480ec364c\" : { \n \"value\" : \"Audit\"\n },\n \"effect-feedbf84-6b99-488c-acc2-71c829aa5ffc\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-3b980d31-7904-4bb7-8575-5665739a8052\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-6e2593d9-add6-4083-9c9b-4b7d2188c899\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-12430be1-6cc8-4527-a9a8-e3d38f250096\" : { \n \"value\" : \"Audit\"\n },\n \"modeRequirement-12430be1-6cc8-4527-a9a8-e3d38f250096\" : { \n \"value\" : \"Detection\"\n },\n \"effect-425bea59-a659-4cbb-8d31-34499bd030b8\" : { \n \"value\" : \"Audit\"\n },\n \"modeRequirement-425bea59-a659-4cbb-8d31-34499bd030b8\" : { \n \"value\" : \"Detection\"\n },\n \"effect-564feb30-bf6a-4854-b4bb-0d2d2d1e6c66\" : { \n \"value\" : \"Audit\"\n },\n \"effect-055aa869-bc98-4af8-bafc-23f1ab6ffe2c\" : { \n \"value\" : \"Audit\"\n },\n \"effect-013e242c-8828-4970-87b3-ab247555486d\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-d38fc420-0735-4ef3-ac11-c806f651a570\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-a1181c5f-672a-477a-979a-7d58aa086233\" : { \n \"value\" : \"Audit\"\n },\n \"effect-308fbb08-4ab8-4e67-9b29-592e93fb94fa\" : { \n 
\"value\" : \"AuditIfNotExists\"\n },\n \"effect-4da35fc9-c9e7-4960-aec9-797fe7d9051d\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-523b5cd1-3e23-492f-a539-13118b6d1e3a\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-7fe3b40f-802b-4cdd-8bd4-fd799c948cc2\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-c25d9a16-bc35-4e15-a7e5-9db606bf9ed4\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-b0f33259-77d7-4c9e-aac6-3aabcfae693c\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-037eea7a-bd0a-46c5-9a66-03aea78705d3\" : { \n \"value\" : \"Audit\"\n },\n \"effect-0725b4dd-7e76-479c-a735-68e7ee23d5ca\" : { \n \"value\" : \"Audit\"\n },\n \"effect-0820b7b9-23aa-4725-a1ce-ae4558f718e5\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-2c89a2e5-7285-40fe-afe0-ae8654b92fab\" : { \n \"value\" : \"Audit\"\n },\n \"effect-358c20a6-3f9e-4f0e-97ff-c6ce485e2aac\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-5744710e-cc2f-4ee8-8809-3b11e89f4bc9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-ac4a19c2-fa67-49b4-8ae5-0b2e78c49457\" : { \n \"value\" : \"Audit\"\n },\n \"effect-c9d007d0-c057-4772-b18c-01e546713bcd\" : { \n \"value\" : \"Audit\"\n },\n \"effect-d0793b48-0edc-4296-a390-4c75d1bdfd71\" : { \n \"value\" : \"Audit\"\n },\n \"effect-e372f825-a257-4fb8-9175-797a8a8627d6\" : { \n \"value\" : \"Audit\"\n },\n \"effect-d158790f-bfb0-486c-8631-2dc6b4e8e6af\" : { \n \"value\" : \"Audit\"\n },\n \"effect-e802a67a-daf5-4436-9ea6-f6d821dd0c5d\" : { \n \"value\" : \"Audit\"\n },\n \"effect-a451c1ef-c6ca-483d-87ed-f49761e3ffb5\" : { \n \"value\" : \"Audit\"\n },\n \"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftSql-servers-firewallRules-delete\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftNetwork-networkSecurityGroups-delete\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n 
\"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftClassicNetwork-networkSecurityGroups-delete\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftNetwork-networkSecurityGroups-securityRules-delete\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftClassicNetwork-networkSecurityGroups-securityRules-delete\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-ae89ebca-1c92-4898-ac2c-9f63decb045c\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-d26f7642-7545-4e18-9b75-8c9bbdee3a9a\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-1a4e592a-6a6e-44a5-9814-e36264ca96e7\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-7796937f-307b-4598-941c-67d3a05ebfe7\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-c5447c04-a4d7-4ba8-a263-c9ee321a6858\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-41388f1c-2db0-4c25-95b2-35d7f5ccbfa9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-b02aacc0-b073-424e-8298-42b22829ee0a\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-0ec47710-77ff-4a3d-9181-6aa50af424d0\" : { \n \"value\" : \"Audit\"\n },\n \"effect-48af4db5-9b8b-401c-8e74-076be876a430\" : { \n \"value\" : \"Audit\"\n },\n \"effect-82339799-d096-41ae-8538-b108becf0970\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1b7aa243-30e4-4c9e-bca8-d0d3022b634a\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-bb91dfba-c30d-4263-9add-9c2384e659a6\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-e71308d3-144b-4262-b144-efdc3cc90517\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-2bdd0062-9d75-436e-89df-487dd8e4b3c7\" : { \n \"value\" : \"Disabled\"\n },\n \"effect-4733ea7b-a883-42fe-8cac-97454c2a9e4a\" : { \n 
\"value\" : \"Audit\"\n },\n \"effect-67121cc7-ff39-4ab8-b7e3-95b84dab487d\" : { \n \"value\" : \"Audit\"\n },\n \"effect-6fac406b-40ca-413b-bf8e-0bf964659c25\" : { \n \"value\" : \"Audit\"\n },\n \"effect-81e74cea-30fd-40d5-802f-d72103c2aaaa\" : { \n \"value\" : \"Audit\"\n },\n \"effect-c349d81b-9985-44ae-a8da-ff98d108ede8\" : { \n \"value\" : \"Audit\"\n },\n \"effect-f4b53539-8df9-40e4-86c6-6b607703bd4e\" : { \n \"value\" : \"Audit\"\n },\n \"effect-ec068d99-e9c7-401f-8cef-5bdde4e6ccf1\" : { \n \"value\" : \"Audit\"\n },\n \"effect-048248b0-55cd-46da-b1ff-39efd52db260\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-0d134df8-db83-46fb-ad72-fe0c9428c8dd\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-2c89a2e5-7285-40fe-afe0-ae8654b92fb2\" : { \n \"value\" : \"Audit\"\n },\n \"effect-3657f5a0-770e-44a3-b44e-9431ba1e9735\" : { \n \"value\" : \"Audit\"\n },\n \"effect-5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\" : { \n \"value\" : \"Audit\"\n },\n \"effect-617c02be-7f02-4efd-8836-3180d47b6c68\" : { \n \"value\" : \"Audit\"\n },\n \"effect-7d7be79c-23ba-4033-84dd-45e2a5ccdd67\" : { \n \"value\" : \"Audit\"\n },\n \"effect-87ba29ef-1ab3-4d82-b763-87fcd4f531f7\" : { \n \"value\" : \"audit\"\n },\n \"effect-f7d52b2d-e161-4dfa-a82b-55e564167385\" : { \n \"value\" : \"Audit\"\n },\n \"effect-c43e4a30-77cb-48ab-a4dd-93f175c63b57\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1f314764-cb73-4fc9-b863-8eca98ac36e9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-123a3936-f020-408a-ba0c-47873faf1534\" : { \n \"value\" : \"AuditIfNotExists\"\n }\n}\n", "modifiedAssignment": "[if(and(equals(toLower(environment().name), toLower('AzureCloud')), equals(toLower(parameters('builtInAssignment')), toLower('IL5'))), 'NISTRev4', parameters('builtInAssignment'))]", "assignmentName": 
"[format('{0} {1}', variables('modifiedAssignment'), resourceGroup().name)]", "agentVmssAssignmentName": "[format('Deploy VMSS Agents {0}', resourceGroup().name)]", diff --git a/src/bicep/modules/linux-virtual-machine.bicep b/src/bicep/modules/linux-virtual-machine.bicep index 94007d118..8758b65a3 100644 --- a/src/bicep/modules/linux-virtual-machine.bicep +++ b/src/bicep/modules/linux-virtual-machine.bicep @@ -165,7 +165,7 @@ resource omsExtension 'Microsoft.Compute/virtualMachines/extensions@2020-06-01' properties: { publisher: 'Microsoft.EnterpriseCloud.Monitoring' type: 'OmsAgentForLinux' - typeHandlerVersion: '1.13' + typeHandlerVersion: '1.17' settings: { workspaceId: reference(logAnalyticsWorkspaceId , '2015-11-01-preview').customerId stopOnMultipleConnections: true From 7c595c0a374aad460c9016b66a4ade9066175334 Mon Sep 17 00:00:00 2001 From: Jason Masten Date: Tue, 23 Jan 2024 15:30:39 -0500 Subject: [PATCH 4/7] Updated resource prefix length to support resource names with shorter limits (#823) --- src/bicep/form/mlz.portal.json | 6 +++--- src/bicep/mlz.bicep | 4 ++-- src/bicep/mlz.json | 6 +++--- 3 files changed, 8 insertions(+), 8 deletions(-) diff --git a/src/bicep/form/mlz.portal.json b/src/bicep/form/mlz.portal.json index ad5c6b0eb..353729aac 100644 --- a/src/bicep/form/mlz.portal.json +++ b/src/bicep/form/mlz.portal.json 
@@ -212,13 +212,13 @@ "label": "Resource Naming Prefix", "type": "Microsoft.Common.TextBox", "defaultValue": "", - "toolTip": "Specify a prefix (min 1 and max 10 lowercase characters and numbers) to prepend to all resources.", + "toolTip": "Specify a prefix (min 3 and max 6 lowercase characters and numbers) to prepend to all resources.", "constraints": { "required": true, "validations": [ { - "regex": "^[a-z][a-z0-9]{1,9}$", - "message": "The prefix must contain alphanumeric characters, begin with a letter, letters must be lowercase, and not exceed 10 characters." + "regex": "^[a-z][a-z0-9]{1,5}$", + "message": "The prefix must contain alphanumeric characters, begin with a letter, letters must be lowercase, and the length must be between 3 to 6 characters." } ] } diff --git a/src/bicep/mlz.bicep b/src/bicep/mlz.bicep index 2563b71cd..e74186bbf 100644 --- a/src/bicep/mlz.bicep +++ b/src/bicep/mlz.bicep @@ -18,8 +18,8 @@ targetScope = 'subscription' // REQUIRED PARAMETERS @minLength(3) -@maxLength(10) -@description('A prefix, 3-10 alphanumeric characters without whitespace, used to prefix resources and generate uniqueness for resources with globally unique naming requirements like Storage Accounts and Log Analytics Workspaces') +@maxLength(6) +@description('A prefix, 3-6 alphanumeric characters without whitespace, used to prefix resources and generate uniqueness for resources with globally unique naming requirements like Storage Accounts and Log Analytics Workspaces') param resourcePrefix string @minLength(3) diff --git a/src/bicep/mlz.json b/src/bicep/mlz.json index ebac95a91..891df8fe4 100644 --- a/src/bicep/mlz.json +++ b/src/bicep/mlz.json 
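Review bot: The new validation regex `^[a-z][a-z0-9]{1,5}$` in `mlz.portal.json` accepts a two-character prefix, although the tooltip and message on the same control state a minimum of three and `mlz.bicep` keeps `@minLength(3)` on `resourcePrefix`. A two-character value therefore passes the portal form and is rejected only later, at template validation. Changing the quantifier makes the form enforce the documented range: `"regex": "^[a-z][a-z0-9]{2,5}$"`. The message would also read better as "between 3 and 6 characters".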
@@ -5,16 +5,16 @@ "_generator": { "name": "bicep", "version": "0.24.24.22086", - "templateHash": "6733078488232120276" + "templateHash": "11783352289111650944" } }, "parameters": { "resourcePrefix": { "type": "string", "minLength": 3, - "maxLength": 10, + "maxLength": 6, "metadata": { - "description": "A prefix, 3-10 alphanumeric characters without whitespace, used to prefix resources and generate uniqueness for resources with globally unique naming requirements like Storage Accounts and Log Analytics Workspaces" + "description": "A prefix, 3-6 alphanumeric characters without whitespace, used to prefix resources and generate uniqueness for resources with globally unique naming requirements like Storage Accounts and Log Analytics Workspaces" } }, "resourceSuffix": { From c7274f9708dfbd6f971b614671f8569d4ead0865 Mon Sep 17 00:00:00 2001 From: Jason Masten Date: Wed, 24 Jan 2024 09:34:06 -0500 Subject: [PATCH 5/7] Added suffix to deployment name (#824) * Added suffix to deployment name * GitHub Action: Build Bicep to JSON --------- Co-authored-by: github-actions --- src/bicep/mlz.bicep | 2 +- src/bicep/mlz.json | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/bicep/mlz.bicep b/src/bicep/mlz.bicep index e74186bbf..90fd59f28 100644 --- a/src/bicep/mlz.bicep +++ b/src/bicep/mlz.bicep @@ -1149,7 +1149,7 @@ module hubDefender './modules/defender.bicep' = if (deployDefender) { } module spokeDefender './modules/defender.bicep' = [for spoke in spokes: if ((deployDefender) && (spoke.subscriptionId != hubSubscriptionId)) { - name: 'set-${spoke.name}-sub-defender' + name: 'set-${spoke.name}-sub-defender-${deploymentNameSuffix}' scope: subscription(spoke.subscriptionId) params: { logAnalyticsWorkspaceId: logAnalyticsWorkspace.outputs.id diff --git a/src/bicep/mlz.json b/src/bicep/mlz.json index 891df8fe4..d5b7b66a8 100644 --- a/src/bicep/mlz.json +++ b/src/bicep/mlz.json 
@@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.24.24.22086", - "templateHash": "11783352289111650944" + "templateHash": "2150776309753846228" } }, "parameters": { @@ -8760,7 +8760,7 @@ "condition": "[and(parameters('deployDefender'), not(equals(variables('spokes')[copyIndex()].subscriptionId, parameters('hubSubscriptionId'))))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", - "name": "[format('set-{0}-sub-defender', variables('spokes')[copyIndex()].name)]", + "name": "[format('set-{0}-sub-defender-{1}', variables('spokes')[copyIndex()].name, parameters('deploymentNameSuffix'))]", "subscriptionId": "[variables('spokes')[copyIndex()].subscriptionId]", "location": "[deployment().location]", "properties": { From 3f2b9c852a4f219af890273e34e223a7b8b855e6 Mon Sep 17 00:00:00 2001 From: Jason Masten Date: Wed, 24 Jan 2024 13:55:51 -0500 Subject: [PATCH 6/7] Fixed pvt dns zones for recovery services (#828) --- src/bicep/mlz.json | 6 +++--- src/bicep/modules/private-dns.bicep | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/src/bicep/mlz.json b/src/bicep/mlz.json index d5b7b66a8..c46f4b146 100644 --- a/src/bicep/mlz.json +++ b/src/bicep/mlz.json @@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.24.24.22086", - "templateHash": "2150776309753846228" + "templateHash": "7889693018590170190" } }, "parameters": { @@ -3589,7 +3589,7 @@ "_generator": { "name": "bicep", "version": "0.24.24.22086", - "templateHash": "15825906422669965879" + "templateHash": "7144753336729388863" } }, "parameters": { 
@@ -3625,7 +3625,7 @@ { "name": "privatelink_backup_names", "count": "[length(items(variables('locations')))]", - "input": "[format('privatelink.backup.{0}.{1}', items(variables('locations'))[copyIndex('privatelink_backup_names')].value.recoveryServicesGeo, variables('cloudSuffix'))]" + "input": "[format('privatelink.{0}.backup.{1}', items(variables('locations'))[copyIndex('privatelink_backup_names')].value.recoveryServicesGeo, variables('cloudSuffix'))]" } ], "$fxv#0": { diff --git a/src/bicep/modules/private-dns.bicep b/src/bicep/modules/private-dns.bicep index 77a5e5003..1dd2c899c 100644 --- a/src/bicep/modules/private-dns.bicep +++ b/src/bicep/modules/private-dns.bicep @@ -22,7 +22,7 @@ var privatelink_agentsvc_azure_automation_name = 'privatelink.agentsvc.azure-aut var privatelink_azure_automation_name = 'privatelink.azure-automation.${automationSuffix}' var privatelink_avd_name = 'privatelink.wvd.${cloudSuffix}' var privatelink_avd_global_name = 'privatelink-global.wvd.${cloudSuffix}' -var privatelink_backup_names = [for location in items(locations): 'privatelink.backup.${location.value.recoveryServicesGeo}.${cloudSuffix}'] +var privatelink_backup_names = [for location in items(locations): 'privatelink.${location.value.recoveryServicesGeo}.backup.${cloudSuffix}'] var privatelink_file_name = 'privatelink.file.${environment().suffixes.storage}' var privatelink_queue_name = 'privatelink.queue.${environment().suffixes.storage}' var privatelink_table_name = 'privatelink.table.${environment().suffixes.storage}' From 9d4eac86f3547a03d1f27167583a30af271e1d0a Mon Sep 17 00:00:00 2001 
From: Jason Masten Date: Tue, 30 Jan 2024 21:42:35 -0500 Subject: [PATCH 7/7] Updated key vault name for global uniqueness (#831) * Updated key vault name for global uniqueness * GitHub Action: Build Bicep to JSON --------- Co-authored-by: github-actions --- src/bicep/mlz.bicep | 18 ++++++++++-------- src/bicep/mlz.json | 18 ++++++++++-------- 2 files changed, 20 insertions(+), 16 deletions(-) diff --git a/src/bicep/mlz.bicep b/src/bicep/mlz.bicep index 90fd59f28..2936b2a35 100644 --- a/src/bicep/mlz.bicep +++ b/src/bicep/mlz.bicep @@ -530,7 +530,7 @@ var namingConvention = '${toLower(resourcePrefix)}-${resourceToken}-${nameToken} `storageAccountNamingConvention` is a unique naming convention: In an effort to reduce the likelihood of naming collisions, - we replace `unique_storage_token` with a uniqueString() calculated by resourcePrefix, resourceSuffix, and the subscription ID + we replace `unique_token` with a uniqueString() calculated by resourcePrefix, resourceSuffix, and the subscription ID */ @@ -541,7 +541,7 @@ var diskEncryptionSetNamingConvention = replace(namingConvention, resourceToken, var diskNamingConvention = replace(namingConvention, resourceToken, 'disk') var firewallNamingConvention = replace(namingConvention, resourceToken, 'afw') var firewallPolicyNamingConvention = replace(namingConvention, resourceToken, 'afwp') -var keyVaultNamingConvention = replace(namingConvention, resourceToken, 'kv') +var keyVaultNamingConvention = '${replace(replace(namingConvention, resourceToken, 'kv'), '-', '')}unique_token' var ipConfigurationNamingConvention = replace(namingConvention, resourceToken, 'ipconf') var logAnalyticsWorkspaceNamingConvention = replace(namingConvention, resourceToken, 'log') var networkInterfaceNamingConvention = replace(namingConvention, resourceToken, 'nic') 
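Review bot: The block comment touched in the `@@ -530,7 +530,7 @@` hunk still introduces only `storageAccountNamingConvention` as the unique naming convention, while the `@@ -541,7 +541,7 @@` hunk gives `keyVaultNamingConvention` the same `unique_token` placeholder. The comment starts above the hunk, so only its tail is visible here. I would extend its opening line to name both, for example `storageAccountNamingConvention and keyVaultNamingConvention are unique naming conventions:`, and add that the result is later truncated to 24 characters with `take()`.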
@@ -550,7 +550,7 @@ var networkWatcherNamingConvention = replace(namingConvention, resourceToken, 'n var publicIpAddressNamingConvention = replace(namingConvention, resourceToken, 'pip') var resourceGroupNamingConvention = replace(namingConvention, resourceToken, 'rg') var routeTableNamingConvention = replace(namingConvention, resourceToken, 'rt') -var storageAccountNamingConvention = toLower('${replace(replace(namingConvention, resourceToken, 'st'), '-', '')}unique_storage_token') +var storageAccountNamingConvention = toLower('${replace(replace(namingConvention, resourceToken, 'st'), '-', '')}unique_token') var subnetNamingConvention = replace(namingConvention, resourceToken, 'snet') var userAssignedIdentityNamingConvention = replace(namingConvention, resourceToken, 'uaid') var virtualMachineNamingConvention = replace(namingConvention, resourceToken, 'vm') @@ -562,7 +562,7 @@ var hubName = 'hub' var hubShortName = 'hub' var hubLogStorageAccountName = take(hubLogStorageAccountUniqueName, 24) var hubLogStorageAccountShortName = replace(storageAccountNamingConvention, nameToken, hubShortName) -var hubLogStorageAccountUniqueName = replace(hubLogStorageAccountShortName, 'unique_storage_token', uniqueString(resourcePrefix, resourceSuffix, hubSubscriptionId)) +var hubLogStorageAccountUniqueName = replace(hubLogStorageAccountShortName, 'unique_token', uniqueString(resourcePrefix, resourceSuffix, hubSubscriptionId)) var hubNetworkWatcherName = replace(networkWatcherNamingConvention, nameToken, hubName) var hubNetworkSecurityGroupName = replace(networkSecurityGroupNamingConvention, nameToken, hubName) var hubResourceGroupName = replace(resourceGroupNamingConvention, nameToken, hubName) 
@@ -576,7 +576,7 @@ var identityName = 'identity' var identityShortName = 'id' var identityLogStorageAccountName = take(identityLogStorageAccountUniqueName, 24) var identityLogStorageAccountShortName = replace(storageAccountNamingConvention, nameToken, identityShortName) -var identityLogStorageAccountUniqueName = replace(identityLogStorageAccountShortName, 'unique_storage_token', uniqueString(resourcePrefix, resourceSuffix, identitySubscriptionId)) +var identityLogStorageAccountUniqueName = replace(identityLogStorageAccountShortName, 'unique_token', uniqueString(resourcePrefix, resourceSuffix, identitySubscriptionId)) var identityNetworkSecurityGroupName = replace(networkSecurityGroupNamingConvention, nameToken, identityName) var identityResourceGroupName = replace(resourceGroupNamingConvention, nameToken, identityName) var identityRouteTableName = replace(routeTableNamingConvention, nameToken, identityName) 
@@ -588,10 +588,12 @@ var identityVirtualNetworkName = replace(virtualNetworkNamingConvention, nameTok var operationsName = 'operations' var operationsShortName = 'ops' var operationsDiskEncryptionSetName = replace(diskEncryptionSetNamingConvention, nameToken, operationsName) -var operationsKeyVaultName = replace(keyVaultNamingConvention, nameToken, operationsShortName) +var operationsKeyVaultName = take(operationsKeyVaultUniqueName, 24) +var operationsKeyVaultShortName = replace(keyVaultNamingConvention, nameToken, operationsShortName) +var operationsKeyVaultUniqueName = replace(operationsKeyVaultShortName, 'unique_token', uniqueString(resourcePrefix, resourceSuffix, operationsSubscriptionId)) var operationsLogStorageAccountName = take(operationsLogStorageAccountUniqueName, 24) var operationsLogStorageAccountShortName = replace(storageAccountNamingConvention, nameToken, operationsShortName) -var operationsLogStorageAccountUniqueName = replace(operationsLogStorageAccountShortName, 'unique_storage_token', uniqueString(resourcePrefix, resourceSuffix, operationsSubscriptionId)) +var operationsLogStorageAccountUniqueName = replace(operationsLogStorageAccountShortName, 'unique_token', uniqueString(resourcePrefix, resourceSuffix, operationsSubscriptionId)) var operationsNetworkSecurityGroupName = replace(networkSecurityGroupNamingConvention, nameToken, operationsName) var operationsResourceGroupName = replace(resourceGroupNamingConvention, nameToken, operationsName) var operationsRouteTableName = replace(routeTableNamingConvention, nameToken, operationsName) 
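Review bot: `take(operationsKeyVaultUniqueName, 24)` trims from the end of the string, and `unique_token` is appended last in `keyVaultNamingConvention`, so what gets cut is the `uniqueString()` value itself. How many of its 13 characters survive depends on the prefix, `kv`, `ops` and whatever else `namingConvention` contributes (its full definition is outside this hunk), so the global uniqueness this commit is after may rest on only a few characters. Reserving room for the token keeps it whole: `var operationsKeyVaultName = '${take(replace(operationsKeyVaultShortName, 'unique_token', ''), 11)}${uniqueString(resourcePrefix, resourceSuffix, operationsSubscriptionId)}'`. The storage account names in the neighbouring hunks use the same `take(..., 24)` pattern and would have the same property.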
@@ -605,7 +607,7 @@ var sharedServicesName = 'sharedServices' var sharedServicesShortName = 'svcs' var sharedServicesLogStorageAccountName = take(sharedServicesLogStorageAccountUniqueName, 24) var sharedServicesLogStorageAccountShortName = replace(storageAccountNamingConvention, nameToken, sharedServicesShortName) -var sharedServicesLogStorageAccountUniqueName = replace(sharedServicesLogStorageAccountShortName, 'unique_storage_token', uniqueString(resourcePrefix, resourceSuffix, sharedServicesSubscriptionId)) +var sharedServicesLogStorageAccountUniqueName = replace(sharedServicesLogStorageAccountShortName, 'unique_token', uniqueString(resourcePrefix, resourceSuffix, sharedServicesSubscriptionId)) var sharedServicesNetworkSecurityGroupName = replace(networkSecurityGroupNamingConvention, nameToken, sharedServicesName) var sharedServicesResourceGroupName = replace(resourceGroupNamingConvention, nameToken, sharedServicesName) var sharedServicesRouteTableName = replace(routeTableNamingConvention, nameToken, sharedServicesName) diff --git a/src/bicep/mlz.json b/src/bicep/mlz.json index c46f4b146..28faf4801 100644 --- a/src/bicep/mlz.json +++ b/src/bicep/mlz.json @@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.24.24.22086", - "templateHash": "7889693018590170190" + "templateHash": "6223699048141403655" } }, "parameters": { 
@@ -1219,7 +1219,7 @@ "diskNamingConvention": "[replace(variables('namingConvention'), variables('resourceToken'), 'disk')]", "firewallNamingConvention": "[replace(variables('namingConvention'), variables('resourceToken'), 'afw')]", "firewallPolicyNamingConvention": "[replace(variables('namingConvention'), variables('resourceToken'), 'afwp')]", - "keyVaultNamingConvention": "[replace(variables('namingConvention'), variables('resourceToken'), 'kv')]", + "keyVaultNamingConvention": "[format('{0}unique_token', replace(replace(variables('namingConvention'), variables('resourceToken'), 'kv'), '-', ''))]", "ipConfigurationNamingConvention": "[replace(variables('namingConvention'), variables('resourceToken'), 'ipconf')]", "logAnalyticsWorkspaceNamingConvention": "[replace(variables('namingConvention'), variables('resourceToken'), 'log')]", "networkInterfaceNamingConvention": "[replace(variables('namingConvention'), variables('resourceToken'), 'nic')]", @@ -1228,7 +1228,7 @@ "publicIpAddressNamingConvention": "[replace(variables('namingConvention'), variables('resourceToken'), 'pip')]", "resourceGroupNamingConvention": "[replace(variables('namingConvention'), variables('resourceToken'), 'rg')]", "routeTableNamingConvention": "[replace(variables('namingConvention'), variables('resourceToken'), 'rt')]", - "storageAccountNamingConvention": "[toLower(format('{0}unique_storage_token', replace(replace(variables('namingConvention'), variables('resourceToken'), 'st'), '-', '')))]", + "storageAccountNamingConvention": "[toLower(format('{0}unique_token', replace(replace(variables('namingConvention'), variables('resourceToken'), 'st'), '-', '')))]", "subnetNamingConvention": "[replace(variables('namingConvention'), variables('resourceToken'), 'snet')]", "userAssignedIdentityNamingConvention": "[replace(variables('namingConvention'), variables('resourceToken'), 'uaid')]", "virtualMachineNamingConvention": "[replace(variables('namingConvention'), variables('resourceToken'), 'vm')]", 
@@ -1237,7 +1237,7 @@ "hubShortName": "hub", "hubLogStorageAccountName": "[take(variables('hubLogStorageAccountUniqueName'), 24)]", "hubLogStorageAccountShortName": "[replace(variables('storageAccountNamingConvention'), variables('nameToken'), variables('hubShortName'))]", - "hubLogStorageAccountUniqueName": "[replace(variables('hubLogStorageAccountShortName'), 'unique_storage_token', uniqueString(parameters('resourcePrefix'), parameters('resourceSuffix'), parameters('hubSubscriptionId')))]", + "hubLogStorageAccountUniqueName": "[replace(variables('hubLogStorageAccountShortName'), 'unique_token', uniqueString(parameters('resourcePrefix'), parameters('resourceSuffix'), parameters('hubSubscriptionId')))]", "hubNetworkWatcherName": "[replace(variables('networkWatcherNamingConvention'), variables('nameToken'), variables('hubName'))]", "hubNetworkSecurityGroupName": "[replace(variables('networkSecurityGroupNamingConvention'), variables('nameToken'), variables('hubName'))]", "hubResourceGroupName": "[replace(variables('resourceGroupNamingConvention'), variables('nameToken'), variables('hubName'))]", 
@@ -1248,7 +1248,7 @@ "identityShortName": "id", "identityLogStorageAccountName": "[take(variables('identityLogStorageAccountUniqueName'), 24)]", "identityLogStorageAccountShortName": "[replace(variables('storageAccountNamingConvention'), variables('nameToken'), variables('identityShortName'))]", - "identityLogStorageAccountUniqueName": "[replace(variables('identityLogStorageAccountShortName'), 'unique_storage_token', uniqueString(parameters('resourcePrefix'), parameters('resourceSuffix'), parameters('identitySubscriptionId')))]", + "identityLogStorageAccountUniqueName": "[replace(variables('identityLogStorageAccountShortName'), 'unique_token', uniqueString(parameters('resourcePrefix'), parameters('resourceSuffix'), parameters('identitySubscriptionId')))]", "identityNetworkSecurityGroupName": "[replace(variables('networkSecurityGroupNamingConvention'), variables('nameToken'), variables('identityName'))]", "identityResourceGroupName": "[replace(variables('resourceGroupNamingConvention'), variables('nameToken'), variables('identityName'))]", "identityRouteTableName": "[replace(variables('routeTableNamingConvention'), variables('nameToken'), variables('identityName'))]", 
@@ -1257,10 +1257,12 @@ "operationsName": "operations", "operationsShortName": "ops", "operationsDiskEncryptionSetName": "[replace(variables('diskEncryptionSetNamingConvention'), variables('nameToken'), variables('operationsName'))]", - "operationsKeyVaultName": "[replace(variables('keyVaultNamingConvention'), variables('nameToken'), variables('operationsShortName'))]", + "operationsKeyVaultName": "[take(variables('operationsKeyVaultUniqueName'), 24)]", + "operationsKeyVaultShortName": "[replace(variables('keyVaultNamingConvention'), variables('nameToken'), variables('operationsShortName'))]", + "operationsKeyVaultUniqueName": "[replace(variables('operationsKeyVaultShortName'), 'unique_token', uniqueString(parameters('resourcePrefix'), parameters('resourceSuffix'), parameters('operationsSubscriptionId')))]", "operationsLogStorageAccountName": "[take(variables('operationsLogStorageAccountUniqueName'), 24)]", "operationsLogStorageAccountShortName": "[replace(variables('storageAccountNamingConvention'), variables('nameToken'), variables('operationsShortName'))]", - "operationsLogStorageAccountUniqueName": "[replace(variables('operationsLogStorageAccountShortName'), 'unique_storage_token', uniqueString(parameters('resourcePrefix'), parameters('resourceSuffix'), parameters('operationsSubscriptionId')))]", + "operationsLogStorageAccountUniqueName": "[replace(variables('operationsLogStorageAccountShortName'), 'unique_token', uniqueString(parameters('resourcePrefix'), parameters('resourceSuffix'), parameters('operationsSubscriptionId')))]", "operationsNetworkSecurityGroupName": "[replace(variables('networkSecurityGroupNamingConvention'), variables('nameToken'), variables('operationsName'))]", "operationsResourceGroupName": "[replace(variables('resourceGroupNamingConvention'), variables('nameToken'), variables('operationsName'))]", "operationsRouteTableName": "[replace(variables('routeTableNamingConvention'), variables('nameToken'), variables('operationsName'))]", 
@@ -1271,7 +1273,7 @@ "sharedServicesShortName": "svcs", "sharedServicesLogStorageAccountName": "[take(variables('sharedServicesLogStorageAccountUniqueName'), 24)]", "sharedServicesLogStorageAccountShortName": "[replace(variables('storageAccountNamingConvention'), variables('nameToken'), variables('sharedServicesShortName'))]", - "sharedServicesLogStorageAccountUniqueName": "[replace(variables('sharedServicesLogStorageAccountShortName'), 'unique_storage_token', uniqueString(parameters('resourcePrefix'), parameters('resourceSuffix'), parameters('sharedServicesSubscriptionId')))]", + "sharedServicesLogStorageAccountUniqueName": "[replace(variables('sharedServicesLogStorageAccountShortName'), 'unique_token', uniqueString(parameters('resourcePrefix'), parameters('resourceSuffix'), parameters('sharedServicesSubscriptionId')))]", "sharedServicesNetworkSecurityGroupName": "[replace(variables('networkSecurityGroupNamingConvention'), variables('nameToken'), variables('sharedServicesName'))]", "sharedServicesResourceGroupName": "[replace(variables('resourceGroupNamingConvention'), variables('nameToken'), variables('sharedServicesName'))]", "sharedServicesRouteTableName": "[replace(variables('routeTableNamingConvention'), variables('nameToken'), variables('sharedServicesName'))]",