Breestryker/restructure code (#699)

* So many renames.

* Fix mlz.bicep.

* Add brief readmes to core and module.

* GitHub Action: Build Bicep to JSON

Co-authored-by: Bree Stryker <[email protected]>
Co-authored-by: github-actions <[email protected]>

.azure-devops/nightlybuild/templates/az-deployment.yml

@@ -54,5 +54,5 @@ steps:
            --subscription ${{ parameters.WorkloadSubId }} \
            --location ${{ parameters.Location }} \
            --name ${{ parameters.WorkloadName }} \
-           --template-file $(Build.SourcesDirectory)/src/bicep/examples/newWorkload/newWorkload.bicep \
+           --template-file $(Build.SourcesDirectory)/src/bicep/examples/tier3/tier3.bicep \
            --parameters resourcePrefix=$datetime

.gitignore

@@ -30,4 +30,4 @@ deploymentVariables.json
 src/bicep/examples/appServicePlan/appService.json
 src/bicep/examples/containerRegistry/contRegistry.json
 src/bicep/examples/keyVault/azureKeyVault.json
-src/bicep/examples/newWorkload/newWorkload.json
+src/bicep/examples/tier3/tier3.json

docs/deployment-guide-bicep.md

@@ -221,9 +221,9 @@ params: {
 
 MLZ allows for deploying one or many workloads that are peered to the hub network. Each workload can be in its own subscription or multiple workloads may be combined into a single subscription.
 
-A separate Bicep template is provided for deploying an empty workload. It deploys a virtual network, a route table, a network security group, a storage account (for logs), and a network peering to the hub network. The template is at [src/bicep/examples/newWorkload](../src/bicep/examples/newWorkload). You can use this template as a starting point to create and customize specific workload deployments.
+A separate Bicep template is provided for deploying an empty workload. It deploys a virtual network, a route table, a network security group, a storage account (for logs), and a network peering to the hub network. The template is at [src/bicep/add-ons/tier3](../src/bicep/add-ons/tier3). You can use this template as a starting point to create and customize specific workload deployments.
 
-The `newWorkload` template contains defaults for IP address ranges, but additional workloads will require planning for additional ranges. The following parameters affect `newWorkload` networking:
+The `tier3` template contains defaults for IP address ranges, but additional workloads will require planning for additional ranges. The following parameters affect `tier3` networking:
 
 Parameter name | Default Value | Description
 -------------- | ------------- | -----------

docs/deployment-guide-terraform.md

@@ -99,7 +99,7 @@ MLZ allows for deploying one or many workloads that are peered to the hub networ
 
 A separate Terraform template is provided for deploying an empty workload `src/terraform/tier3`. You can use this template as a starting point to create and customize specific workload deployments.
 
-The following parameters affect newWorkload networking. To override the defaults edit the variables file at [`src/terraform/tier3/variables.tf`](../src/terraform/tier3/variables.tf).
+The following parameters affect tier3 networking. To override the defaults edit the variables file at [`src/terraform/tier3/variables.tf`](../src/terraform/tier3/variables.tf).
 
 Parameter name | Default Value | Description
 -------------- | ------------- | -----------

docs/policies.md

@@ -56,7 +56,7 @@ Or, you can apply policy after deploying MLZ:
 az deployment group create \
   --resource-group <Resource Group to assign> \
   --name <original deployment name + descriptor> \
-  --template-file ./src/bicep/modules/policyAssignment.bicep \
+  --template-file ./src/bicep/modules/policy-assignment.bicep \
   --parameters builtInAssignment=<one of 'CMMC', 'IL5', or 'NIST'> logAnalyticsWorkspaceName=<Log analytics workspace name> \
   --parameters logAnalyticsWorkspaceName=<Log Analytics Workspace Name> \
   --parameters logAnalyticsWorkspaceResourceGroupName=<Log Analytics Workspace Resource Group Name>

src/bicep/examples/remoteAccess/README.md → src/bicep/add-ons/remote-access/README.md

@@ -83,7 +83,7 @@ Once you have the Mission LZ output values, you can pass those in as parameters
 For example, deploying using the `az deployment group create` command in the Azure CLI:
 
 ```bash
-cd examples/remoteAccess
+cd add-ons/remote-access
 
 hubResourceGroupName="mlz-dev-hub"
 hubVirtualNetworkName="hub-vnet"

src/bicep/examples/remoteAccess/main.bicep → src/bicep/add-ons/remote-access/main.bicep

@@ -65,7 +65,7 @@ var defaultTags = {
 }
 var calculatedTags = union(tags, defaultTags)
 
-module remoteAccess '../../modules/remoteAccess.bicep' = {
+module remoteAccess '../../core/remote-access.bicep' = {
   name: 'deploy-remoteAccess-Example-${nowUtc}'
   params: {
     location: location

src/bicep/examples/newWorkload/README.md → src/bicep/add-ons/tier3/README.md

@@ -30,9 +30,9 @@ virtualNetworkAddressPrefix | 10.0.125.0/26 | The address prefix for the network
 
 ### Generate MLZ Variable File
 
-For instructions on generating 'deploymentVariables.json' using both Azure PowerShell and Azure CLI, please see the [README at the root of the examples folder](..\README.md).
+For instructions on generating 'deploymentVariables.json' using both Azure PowerShell and Azure CLI, please see the [README at the root of the examples folder](..\examples\README.md).
 
-Place the resulting 'deploymentVariables.json' file within the ./src/bicep/examples folder.
+Place the resulting 'deploymentVariables.json' file within the ./src/bicep/add-ons folder.
 
 ## Deploy the example
 
@@ -42,24 +42,24 @@ And deploy with `az deployment sub create` from the Azure CLI or `New-AzSubscrip
 
 ### Deploying the new workload
 
-Connect to the appropriate Azure Environment and set appropriate context, see [getting started with Azure PowerShell or Azure CLI](..\README.md) for help if needed.  The commands below assume you are deploying in Azure Commercial and show the entire process from deploying MLZ and then adding an Azure App Service Plan post-deployment.
+Connect to the appropriate Azure Environment and set appropriate context, see [getting started with Azure PowerShell or Azure CLI](..\examples\README.md) for help if needed.  The commands below assume you are deploying in Azure Commercial and show the entire process from deploying MLZ and then adding an Azure App Service Plan post-deployment.
 
 ```PowerShell
 cd .\src\bicep
 Connect-AzAccount
 New-AzSubscriptionDeployment -Name contoso -TemplateFile .\mlz.bicep -resourcePrefix 'contoso' -Location 'eastus'
-cd .\examples
+cd .\add-ons
 (Get-AzSubscriptionDeployment -Name contoso).outputs | ConvertTo-Json | Out-File -FilePath .\deploymentVariables.json
-cd .\newWorkload
-New-AzSubscriptionDeployment -DeploymentName deployNewWorkload -TemplateFile .\newWorkload.bicep -resourcePrefix myWorkload -Location 'eastus'
+cd .\tier3
+New-AzSubscriptionDeployment -DeploymentName deployTier3 -TemplateFile .\tier3.bicep -resourcePrefix myTier3 -Location 'eastus'
 ```
 
 ```Azure CLI
 az login
 cd src/bicep
 az deployment sub create -n contoso -f mlz.bicep -l eastus --parameters resourcePrefix=contoso
-cd examples
+cd add-ons
 az deployment sub show -n contoso --query properties.outputs > ./deploymentVariables.json
-cd newWorkload
-az deployment sub create -n deployNewWorkload -f newWorkload.bicep -l eastus --parameters resourcePrefix='myWorkload'
+cd tier3
+az deployment sub create -n deployTier3 -f tier3.bicep -l eastus --parameters resourcePrefix='myTier3'
 ```

src/bicep/examples/newWorkload/modules/hubNetworkPeering.bicep → src/bicep/add-ons/tier3/modules/hub-network-peering.bicep

@@ -10,7 +10,7 @@ param hubVirtualNetworkName string
 param spokeVirtualNetworkName string
 param spokeVirtualNetworkResourceId string
 
-module hubToSpokeVirtualNetworkPeering '../../../modules/virtualNetworkPeering.bicep' = {
+module hubToSpokeVirtualNetworkPeering '../../../modules/virtual-network-peering.bicep' = {
   scope: resourceGroup(hubResourceGroupName)
   name: 'hubToSpokeVirtualNetworkPeering'
   params: {

src/bicep/examples/newWorkload/newWorkload.bicep → src/bicep/add-ons/tier3/tier3.bicep

@@ -116,7 +116,7 @@ var defaultTags = {
 }
 var calculatedTags = union(tags, defaultTags)
 
-module resourceGroup '../../modules/resourceGroup.bicep' = {
+module resourceGroup '../../modules/resource-group.bicep' = {
   name: workloadResourceGroupName
   params: {
     name: workloadResourceGroupName
@@ -125,7 +125,7 @@ module resourceGroup '../../modules/resourceGroup.bicep' = {
   }
 }
 
-module spokeNetwork '../../modules/spokeNetwork.bicep' = {
+module spokeNetwork '../../core/spoke-network.bicep' = {
   name: 'spokeNetwork'
   scope: az.resourceGroup(resourceGroup.name)
   params: {
@@ -154,7 +154,7 @@ module spokeNetwork '../../modules/spokeNetwork.bicep' = {
   }
 }
 
-module workloadVirtualNetworkPeerings '../../modules/spokeNetworkPeering.bicep' = {
+module workloadVirtualNetworkPeerings '../../core/spoke-network-peering.bicep' = {
   name: take('${workloadName}-to-hub-vnet-peering', 64)
   params: {
     spokeName: workloadName
@@ -166,7 +166,7 @@ module workloadVirtualNetworkPeerings '../../modules/spokeNetworkPeering.bicep'
   }
 }
 
-module hubToWorkloadVirtualNetworkPeering './modules/hubNetworkPeering.bicep' = {
+module hubToWorkloadVirtualNetworkPeering './modules/hub-network-peering.bicep' = {
   scope: subscription(hubSubscriptionId)
   name: take('hub-to-${workloadName}-vnet-peering', 64)
   params: {

src/bicep/core/README.md

@@ -0,0 +1,5 @@
+# Mission Landing Zone Core Bicep Templates
+
+This folder contains the core bicep templates deploying Mission Landing Zone. These templates provide the core networking and functionality for the landing zone.  These components make use of the modules in the [Modules](../modules/) folder.
+
+See the [Deployment Guide for Bicep](../../docs/deployment-guide-bicep.md) for detailed instructions on how to use these templates.

src/bicep/modules/hubNetworkPeerings.bicep → src/bicep/core/hub-network-peerings.bicep

@@ -6,7 +6,7 @@ Licensed under the MIT License.
 param hubVirtualNetworkName string
 param spokes array
 
-module hubToSpokePeering './virtualNetworkPeering.bicep' = [ for spoke in spokes: {
+module hubToSpokePeering '../modules/virtual-network-peering.bicep' = [ for spoke in spokes: {
   name: 'hub-to-${spoke.type}-vnet-peering'
   params: {
     name: '${hubVirtualNetworkName}/to-${spoke.virtualNetworkName}'

src/bicep/modules/hubNetwork.bicep → src/bicep/core/hub-network.bicep

@@ -76,7 +76,7 @@ param supportedClouds array = [
   'AzureUSGovernment'
 ]
 
-module logStorage './storageAccount.bicep' = {
+module logStorage '../modules/storage-account.bicep' = {
   name: 'logStorage'
   params: {
     storageAccountName: logStorageAccountName
@@ -86,7 +86,7 @@ module logStorage './storageAccount.bicep' = {
   }
 }
 
-module networkSecurityGroup './networkSecurityGroup.bicep' = {
+module networkSecurityGroup '../modules/network-security-group.bicep' = {
   name: 'networkSecurityGroup'
   params: {
     name: networkSecurityGroupName
@@ -103,7 +103,7 @@ module networkSecurityGroup './networkSecurityGroup.bicep' = {
   }
 }
 
-module virtualNetwork './virtualNetwork.bicep' = {
+module virtualNetwork '../modules/virtual-network.bicep' = {
   name: 'virtualNetwork'
   params: {
     name: virtualNetworkName
@@ -137,7 +137,7 @@ module virtualNetwork './virtualNetwork.bicep' = {
   }
 }
 
-module routeTable './routeTable.bicep' = {
+module routeTable '../modules/route-table.bicep' = {
   name: 'routeTable'
   params: {
     name: routeTableName
@@ -171,7 +171,7 @@ resource subnet 'Microsoft.Network/virtualNetworks/subnets@2021-02-01' = {
   ]
 }
 
-module firewallClientPublicIPAddress './publicIPAddress.bicep' = {
+module firewallClientPublicIPAddress '../modules/public-ip-address.bicep' = {
   name: 'firewallClientPublicIPAddress'
   params: {
     name: firewallClientPublicIPAddressName
@@ -190,7 +190,7 @@ module firewallClientPublicIPAddress './publicIPAddress.bicep' = {
   }
 }
 
-module firewallManagementPublicIPAddress './publicIPAddress.bicep' = {
+module firewallManagementPublicIPAddress '../modules/public-ip-address.bicep' = {
   name: 'firewallManagementPublicIPAddress'
   params: {
     name: firewallManagementPublicIPAddressName
@@ -209,7 +209,7 @@ module firewallManagementPublicIPAddress './publicIPAddress.bicep' = {
   }
 }
 
-module firewall './firewall.bicep' = {
+module firewall '../modules/firewall.bicep' = {
   name: 'firewall'
   params: {
     name: firewallName
@@ -238,7 +238,7 @@ module firewall './firewall.bicep' = {
   }
 }
 
-module azureMonitorPrivateLink './privateLink.bicep' = if ( contains(supportedClouds, environment().name) ){
+module azureMonitorPrivateLink '../modules/private-link.bicep' = if ( contains(supportedClouds, environment().name) ){
   name: 'azure-monitor-private-link'
   params: {
     logAnalyticsWorkspaceName: logAnalyticsWorkspaceName

src/bicep/modules/remoteAccess.bicep → src/bicep/core/remote-access.bicep

@@ -63,7 +63,7 @@ resource hubVirtualNetwork 'Microsoft.Network/virtualNetworks@2021-02-01' existi
   name: hubVirtualNetworkName
 }
 
-module bastionHost './bastionHost.bicep' = {
+module bastionHost '../modules/bastion-host.bicep' = {
   name: 'remoteAccess-bastionHost'
 
   params: {
@@ -81,7 +81,7 @@ module bastionHost './bastionHost.bicep' = {
   }
 }
 
-module linuxNetworkInterface './networkInterface.bicep' = {
+module linuxNetworkInterface '../modules/network-interface.bicep' = {
   name: 'remoteAccess-linuxNetworkInterface'
   params: {
     name: linuxNetworkInterfaceName
@@ -95,7 +95,7 @@ module linuxNetworkInterface './networkInterface.bicep' = {
   }
 }
 
-module linuxVirtualMachine './linuxVirtualMachine.bicep' = {
+module linuxVirtualMachine '../modules/linux-virtual-machine.bicep' = {
   name: 'remoteAccess-linuxVirtualMachine'
   params: {
     name: linuxVmName
@@ -117,7 +117,7 @@ module linuxVirtualMachine './linuxVirtualMachine.bicep' = {
   }
 }
 
-module windowsNetworkInterface './networkInterface.bicep' = {
+module windowsNetworkInterface '../modules/network-interface.bicep' = {
   name: 'remoteAccess-windowsNetworkInterface'
   params: {
     name: windowsNetworkInterfaceName
@@ -131,7 +131,7 @@ module windowsNetworkInterface './networkInterface.bicep' = {
   }
 }
 
-module windowsVirtualMachine './windowsVirtualMachine.bicep' = {
+module windowsVirtualMachine '../modules/windows-virtual-machine.bicep' = {
   name: 'remoteAccess-windowsVirtualMachine'
   params: {
     name: windowsVmName

src/bicep/modules/spokeNetworkPeering.bicep → src/bicep/core/spoke-network-peering.bicep

@@ -12,7 +12,7 @@ param spokeVirtualNetworkName string
 param hubVirtualNetworkName string
 param hubVirtualNetworkResourceId string
 
-module spokeNetworkPeering './virtualNetworkPeering.bicep' = {
+module spokeNetworkPeering '../modules/virtual-network-peering.bicep' = {
   name: '${spokeName}-to-hub-vnet-peering'
   scope: resourceGroup(spokeResourceGroupName)
   params: {

src/bicep/modules/spokeNetwork.bicep → src/bicep/core/spoke-network.bicep

@@ -34,7 +34,7 @@ param routeTableRouteAddressPrefix string = '0.0.0.0/0'
 param routeTableRouteNextHopIpAddress string = firewallPrivateIPAddress
 param routeTableRouteNextHopType string = 'VirtualAppliance'
 
-module logStorage './storageAccount.bicep' = {
+module logStorage '../modules/storage-account.bicep' = {
   name: 'logStorage'
   params: {
     storageAccountName: logStorageAccountName
@@ -44,7 +44,7 @@ module logStorage './storageAccount.bicep' = {
   }
 }
 
-module networkSecurityGroup './networkSecurityGroup.bicep' = {
+module networkSecurityGroup '../modules/network-security-group.bicep' = {
   name: 'networkSecurityGroup'
   params: {
     name: networkSecurityGroupName
@@ -61,7 +61,7 @@ module networkSecurityGroup './networkSecurityGroup.bicep' = {
   }
 }
 
-module routeTable './routeTable.bicep' = {
+module routeTable '../modules/route-table.bicep' = {
   name: 'routeTable'
   params: {
     name: routeTableName
@@ -75,7 +75,7 @@ module routeTable './routeTable.bicep' = {
   }
 }
 
-module virtualNetwork './virtualNetwork.bicep' = {
+module virtualNetwork '../modules/virtual-network.bicep' = {
   name: 'virtualNetwork'
   params: {
     name: virtualNetworkName

src/bicep/examples/README.md

@@ -8,15 +8,13 @@ You [must first deploy MissionLZ](../README.md#Deployment), then you can deploy
 
 Example | Description
 ------- | -----------
-[appServicePlan](./appServicePlan) | Deploys an App Service Plan (AKA: Web Server Cluster) to support simple web accessible linux docker containers with optional dynamic auto scaling.
-[Automation Account](./automationAccount) | Deploys an Azure Automation account that can be used to execute runbooks.
-[Container Registry](./containerRegistry/) | Deploys an Azure Container Registry for holding and deploying docker containers.
-[Inherit Tags](./inheritTags) | Adds or replaces a specified tag and value from the parent resource group when any resource is created or updated.
-[KeyVault](./keyVault/) | Deploys a premium Azure Key Vault with RBAC enabled to support secret, key, and certificate management.
-[New Workload](./newWorkload) | Adds a new Spoke Network and peers it to the Hub Network routing all traffic to the Azure Firewall.
-[Remote Access](./remoteAccess) | Adds a Bastion Host and a virtual machine to serve as a jumpbox into the network.
+[appServicePlan](./app-service-plan) | Deploys an App Service Plan (AKA: Web Server Cluster) to support simple web accessible linux docker containers with optional dynamic auto scaling.
+[Automation Account](./automation-account) | Deploys an Azure Automation account that can be used to execute runbooks.
+[Container Registry](./container-registry/) | Deploys an Azure Container Registry for holding and deploying docker containers.
+[Inherit Tags](./inherit-tags) | Adds or replaces a specified tag and value from the parent resource group when any resource is created or updated.
+[KeyVault](./key-vault/) | Deploys a premium Azure Key Vault with RBAC enabled to support secret, key, and certificate management.
 [Azure Sentinel](./sentinel) | A Terraform module that adds an Azure Sentinel solution to a Log Analytics Workspace. Sentinel can also be deployed via bicep and the base deployment of mlz.bicep by using the boolean param '-deploySentinel'.
-[Zero Trust (TIC3.0) Workbook](./zeroTrustWorkbook) | Deploys an Azure Sentinel Zero Trust (TIC3.0) Workbook
+[Zero Trust (TIC3.0) Workbook](./zero-trust-workbook) | Deploys an Azure Sentinel Zero Trust (TIC3.0) Workbook
 
 ## Shared Variable File Pattern (deploymentVariables.json)
 

src/bicep/examples/appServicePlan/appService.bicep → src/bicep/examples/app-service-plan/app-service.bicep

@@ -21,6 +21,9 @@ param enableAutoScale bool = true
 @description('Defines the performance tier of your web farm.  By default the performance scale will be premium 2nd generation version 2 "p2v2".  Another value would be standard generation 2 "s2".')
 param appServiceSkuName string = 'p2v2'
 
+@description('The deployment location being deployed to.')
+param location string  = deployment().location
+
 @description('A string dictionary of tags to add to deployed resources. See https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json#arm-templates for valid settings.')
 param tags object = {}
 var defaultTags = {
@@ -29,7 +32,7 @@ var defaultTags = {
 var calculatedTags = union(tags, defaultTags)
 
 var targetSubscriptionId_Var = targetResourceGroup == '${mlzDeploymentVariables.spokes.Value[2].resourceGroupName}' ? '${mlzDeploymentVariables.spokes.Value[2].subscriptionId}' : subscription().subscriptionId
-var location = deployment().location
+
 var kind = 'linux'
 var capacity = 2
 
@@ -39,7 +42,7 @@ resource targetASPResourceGroup 'Microsoft.Resources/resourceGroups@2020-10-01'
   tags: calculatedTags
 }
 
-module appServicePlan 'modules/appServicePlan.bicep' = {
+module appServicePlan './modules/app-service-plan.bicep' = {
   name: appServicePlanName
   scope: resourceGroup(targetSubscriptionId_Var, targetASPResourceGroup.name)
   params: {
@@ -52,7 +55,7 @@ module appServicePlan 'modules/appServicePlan.bicep' = {
   }
 }
 
-module appServicePlanSettings 'modules/appServiceSettings.bicep' = if (enableAutoScale) {
+module appServicePlanSettings './modules/app-service-settings.bicep' = if (enableAutoScale) {
   name: 'appServicePlanSettingsName'
   scope: resourceGroup(targetSubscriptionId_Var, targetASPResourceGroup.name)
   params: {