diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile
index 4131337de..7962d112b 100644
--- a/.devcontainer/Dockerfile
+++ b/.devcontainer/Dockerfile
@@ -35,13 +35,6 @@ RUN add-apt-repository ppa:git-core/ppa \
sudo \
shellcheck
-# Install Python 3
-RUN apt-get update \
- && apt-get install -y \
- python3 \
- python3-pip \
- && ln -s /usr/bin/python3 /usr/bin/python
-
# Install Terraform and tflint
RUN wget -O terraform.zip https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_linux_amd64.zip \
&& wget -O tflint.zip https://github.com/terraform-linters/tflint/releases/download/v${TFLINT_VERSION}/tflint_linux_amd64.zip \
@@ -95,6 +88,10 @@ RUN AZ_REPO=$(lsb_release -cs) \
# Install AZ CLI
RUN apt-get update && apt-get install -y azure-cli=${AZURE_CLI_VERSION}
+# Install Bicep
+RUN curl -Lo /usr/local/bin/bicep https://github.com/Azure/bicep/releases/latest/download/bicep-linux-x64 \
+ && chmod +x /usr/local/bin/bicep
+
# Clean up
RUN apt-get autoremove -y \
&& apt-get clean -y \
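Review bot: The Bicep download at the top of this hunk fetches `releases/latest/download/bicep-linux-x64` with no version pin and no digest check, so the image is not reproducible and the binary is whatever GitHub serves at build time, unlike the Terraform and tflint steps earlier in the file, which are pinned via `${TERRAFORM_VERSION}` and `${TFLINT_VERSION}` (presumably declared as `ARG`s above this hunk). curl is also run without `-f`, so a 404 or 5xx response body would be written to `/usr/local/bin/bicep` and then made executable by the following `chmod +x`. Suggest adding `ARG BICEP_VERSION` and using `curl -fsSLo /usr/local/bin/bicep https://github.com/Azure/bicep/releases/download/v${BICEP_VERSION}/bicep-linux-x64`, ideally followed by a `sha256sum -c` against a digest recorded in the repo.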
diff --git a/.devcontainer/README.md b/.devcontainer/README.md
index e0a33009d..8c37537c8 100644
--- a/.devcontainer/README.md
+++ b/.devcontainer/README.md
@@ -11,7 +11,8 @@ All configuration related to the development container is in the `.devcontainer`
### Step-by-Step
-1. Follow the Mission LZ [Getting Started](https://github.com/Azure/missionlz/blob/main/src/docs/getting-started.md#pre-requisites) pre-requisites and step-by-step guide.
+1. Follow the Mission LZ [Getting Started](../docs/getting-started.md) pre-requisites and step-by-step guide.
+
1. Open a command line (e.g. `wsl.exe` or `bash.exe`), change to the root folder of the local workspace for the cloned Mission LZ project, and start VS Code from this root folder (not a sub folder or a parent folder).
> **NOTE:** If you are using WSL or BASH on Linux or Mac, you can navigate to the root folder of the project (for example, in the path `$HOME/missionlz` assuming you cloned the project to $HOME) and enter the command below to launch VS Code in correct directory. Be sure to include the trailing "." in the second command.
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
index 68915ad56..b5e255671 100644
--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@@ -22,7 +22,8 @@
"ms-vscode-remote.vscode-remote-extensionpack",
"davidanson.vscode-markdownlint",
"github.vscode-pull-request-github",
- "timonwong.shellcheck"
+ "timonwong.shellcheck",
+ "ms-azuretools.vscode-bicep"
],
// Additional args to pass to the 'docker run' command
diff --git a/.github/workflows/apply-and-destroy-terraform.yml b/.github/workflows/apply-and-destroy-terraform.yml
deleted file mode 100644
index 8014424a6..000000000
--- a/.github/workflows/apply-and-destroy-terraform.yml
+++ /dev/null
@@ -1,52 +0,0 @@
-# Copyright (c) Microsoft Corporation.
-# Licensed under the MIT License.
-
-name: apply-and-destroy-terraform
-on: [workflow_dispatch]
-jobs:
- apply-and-destroy-terraform:
- runs-on: ubuntu-latest
-
- container:
- image: acrmlzcicd.azurecr.io/missionlzdev
- credentials:
- username: ${{ secrets.acr_username }}
- password: ${{ secrets.acr_password }}
-
- steps:
- - uses: actions/checkout@v2
-
- - uses: azure/login@v1
- with:
- creds: ${{ secrets.AZURE_CREDENTIALS }}
-
- - uses: Azure/get-keyvault-secrets@v1
- with:
- keyvault: ${{ secrets.KEY_VAULT_NAME }}
- secrets: '*'
-
- - name: get vars
- run : |
- cd src/build
- ./get_vars.sh "$STORAGEACCOUNT" "$STORAGETOKEN" "$STORAGECONTAINER"
-
- - name: login
- run : |
- cd src/build
- ./login_azcli.sh "$MLZTENANTID" "$MLZCLIENTID" "$MLZCLIENTSECRET"
-
- - name: apply terraform
- run : |
- cd src/build
- ./apply_tf.sh \
- vars/mlz.config \
- vars/mlz.tfvars \
- n
-
- - name: destroy terraform
- run : |
- cd src/build
- ./destroy_tf.sh \
- vars/mlz.config \
- vars/mlz.tfvars \
- n
diff --git a/.github/workflows/validate-bicep.yml b/.github/workflows/validate-bicep.yml
new file mode 100644
index 000000000..451b9d651
--- /dev/null
+++ b/.github/workflows/validate-bicep.yml
@@ -0,0 +1,18 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
+name: validate-bicep
+on:
+ pull_request:
+ paths:
+ - '**.bicep'
+ workflow_dispatch:
+ paths:
+ - '**.bicep'
+jobs:
+ validate-bicep:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - run: |
+ az bicep build --file src/bicep/mlz.bicep
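Review bot: `workflow_dispatch` does not take a `paths` filter, so the two lines under it in the `on:` block are ignored (GitHub may flag the key as unexpected); reduce it to a bare `workflow_dispatch:`. The run step also depends on `az bicep build` auto-installing whatever Bicep release is current on the runner, so the version doing the validation can drift from the one in the devcontainer; an explicit `az bicep install --version vX.Y.Z` step before the build would pin it. `actions/checkout@v2` is pinned to a mutable tag rather than a commit SHA, which a supply-chain-conscious workflow should avoid.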
diff --git a/.github/workflows/validate-build-bicep.yml b/.github/workflows/validate-build-bicep.yml
new file mode 100644
index 000000000..d9004c80e
--- /dev/null
+++ b/.github/workflows/validate-build-bicep.yml
@@ -0,0 +1,22 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
+name: validate-build-bicep
+on:
+ push:
+ paths:
+ - '**.bicep'
+ branches:
+ - bicep
+jobs:
+ validate-build:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - run: |
+ git config user.name github-actions
+ git config user.email github-actions@github.com
+ az bicep build --file src/bicep/mlz.bicep --outfile src/bicep/mlz.json
+ git add src/bicep/mlz.json
+ git commit -m "GitHub Action: Build Bicep to JSON"
+ git push
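Review bot: The job pushes back to the repository with the default `GITHUB_TOKEN` but declares no `permissions:` block, so it runs with whatever the repository default grants; add `permissions:` / `contents: write` at the job level so the write scope is explicit and nothing broader is inherited. `git commit` exits non-zero when the build leaves `src/bicep/mlz.json` unchanged, failing the run on any push that does not alter the compiled output; guard it with `git diff --cached --quiet || git commit -m "GitHub Action: Build Bicep to JSON"`. Because the committed `mlz.json` is what the Deploy-to-Azure links in `src/bicep/README.md` serve once it reaches `main`, the unpinned Bicep version that `az bicep build` auto-installs here is part of the supply chain for every portal deployment, and should be pinned with `az bicep install --version`.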
diff --git a/.github/workflows/validate-terraform.yml b/.github/workflows/validate-terraform.yml
index da4c96cf9..d4a5b0c68 100644
--- a/.github/workflows/validate-terraform.yml
+++ b/.github/workflows/validate-terraform.yml
@@ -2,14 +2,18 @@
# Licensed under the MIT License.
name: validate-terraform
-on: [pull_request, workflow_dispatch]
+on:
+ pull_request:
+ paths:
+ - 'src/terraform/**'
+ workflow_dispatch:
jobs:
validate-terraform:
runs-on: ubuntu-latest
steps:
- uses: hashicorp/setup-terraform@v1
with:
- terraform_version: 0.13.4
+ terraform_version: 1.0.3
- shell: bash
name: check tooling versions
run: |
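Review bot: The new `paths` filter on `pull_request` only watches `src/terraform/**`, but the job executes `src/build/validate_tf.sh` (and, in the next hunk, `src/build/check_tf_format.sh`), so a PR that edits those scripts or this workflow file no longer triggers the validation that would catch a broken or weakened check. Add `- 'src/build/**'` and `- '.github/workflows/validate-terraform.yml'` to the `paths` list. `hashicorp/setup-terraform@v1` remains pinned to a mutable tag; a commit SHA is preferable for supply-chain integrity.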
@@ -18,4 +22,8 @@ jobs:
- shell: bash
name: validate and lint terraform
run: |
- src/build/validate_tf.sh
+ src/build/validate_tf.sh src/terraform/mlz src/terraform/tier3
+ - shell: bash
+ name: check terraform formatting
+ run: |
+ src/build/check_tf_format.sh src/terraform
diff --git a/.gitignore b/.gitignore
index 495708425..ecfd17ea9 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,5 +1,6 @@
# Copyright (c) Microsoft Corporation.
# Licensed under the MIT License.
+
# Terraform artifacts
*.tfvars
*.terraform
@@ -17,48 +18,5 @@ crash.log
*plan*
*.plan*
-# Setup config variables file
-mlz.config
-saca-hub.tfvars.json
-tier-0.tfvars.json
-tier-1.tfvars.json
-tier-2.tfvars.json
-globals.tfvars.json
-*.tfvars.json
-!*.orig.tfvars.json
-
-# Bash artifacts
-*.vars
-
# Mac files
.DS_Store
-
-# .NET Core
-project.lock.json
-project.fragment.lock.json
-artifacts/
-**/Properties/launchSettings.json
-
-# NuGet Packages
-*.nupkg
-# The packages folder can be ignored because of Package Restore
-**/[Pp]ackages/*
-# except build/, which is used as an MSBuild target.
-!**/[Pp]ackages/build/
-# Uncomment if necessary however generally it will be regenerated when needed
-#!**/[Pp]ackages/repositories.config
-# NuGet v3's project.json files produces more ignorable files
-*.nuget.props
-*.nuget.targets
-
-# Python Tools for Visual Studio (PTVS)
-__pycache__/
-*.pyc
-**/.idea/
-**/config_output/
-**/exec_output
-
-# ignore generated output
-**/generated-configurations/*
-mlz.zip
-mlz.tar
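Review bot: Dropping `mlz.config`, `*.tfvars.json`, `!*.orig.tfvars.json` and `*.vars` from the ignore list makes the files the old build scripts populated with deployment settings committable; the surviving `*.tfvars` pattern in the untouched first hunk does not match `*.tfvars.json`, and Terraform auto-loads `*.auto.tfvars.json`, which is exactly where people put client secrets and tokens. The deleted `apply-and-destroy-terraform.yml` passed `MLZCLIENTSECRET` and a storage token into `src/build`, which suggests (unconfirmed from here) that such values did land in these files. Unless the Terraform path has genuinely stopped using JSON variable files, keep `*.tfvars.json` and `!*.orig.tfvars.json`, and consider a secret-scanning pre-commit hook regardless.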
diff --git a/.vscode/extensions.json b/.vscode/extensions.json
index 847713352..8c5c3526f 100644
--- a/.vscode/extensions.json
+++ b/.vscode/extensions.json
@@ -9,6 +9,7 @@
"ms-vscode-remote.vscode-remote-extensionpack",
"davidanson.vscode-markdownlint",
"github.vscode-pull-request-github",
+ "ms-azuretools.vscode-bicep",
],
// List of extensions recommended by VS Code that should not be recommended for users of this workspace.
"unwantedRecommendations": [
diff --git a/README.md b/README.md
index 33a9ccdf3..e3f053b02 100644
--- a/README.md
+++ b/README.md
@@ -45,7 +45,7 @@ Mission LZ has the following scope:
-
+
## Networking
@@ -53,12 +53,12 @@ Mission LZ has the following scope:
Networking is set up in a hub and spoke design, separated by tiers: T0 (Identity and Authorization), T1 (Infrastructure Operations), T2 (DevSecOps and Shared Services), and multiple T3s (Workloads). Security can be configured to allow separation of duties between all tiers. Most customers will deploy each tier to a separate Azure subscription, but multiple subscriptions are not required.
-
+
## Getting Started using Mission LZ
-See our [Getting Started Guide](src/docs/getting-started.md) in the docs.
+See our [Getting Started Guide](docs/getting-started.md) in the docs.
## Product Roadmap
@@ -67,7 +67,7 @@ See the [Projects](https://github.com/Azure/missionlz/projects) page for the rel
Here's what the repo consists of as of May 2021:
-
+
## Contributing
diff --git a/docs/command-line-deployment.md b/docs/command-line-deployment.md
new file mode 100644
index 000000000..10611c4e9
--- /dev/null
+++ b/docs/command-line-deployment.md
@@ -0,0 +1,25 @@
+# Command-Line Deployment
+
+The steps in this article assume the following pre-requisites for command-line deployments:
+
+* Follow the Mission LZ [Getting Started](./getting-started.md) steps.
+
+## Step-by-step
+
+1. Follow the [steps to open the `.devcontainer`](../.devcontainer/README.md) as recommended (or start a local BASH shell with the prerequisites installed)
+
+ > `vscode@missionlz-dev:/workspaces/missionlz$` is the root working directory for the BASH shell in the `.devcontainer`
+
+1. Deploy with Bicep (recommended)
+ 1. [Deploy](../src/bicep/README.md#Azure-CLI)
+ 1. [Customize deployment](../src/bicep/README.md#Deploying-to-Other-Clouds)
+
+1. Or, deploy with Terraform
+ 1. [Apply](../src/terraform/README.md)
+ 1. [Customize deployment](../src/terraform/README.md#Deploying-to-Other-Clouds)
+
+See the development container [README](../.devcontainer/README.md) for more details on building and running the container.
+
+## Helpful Links
+
+For more endpoint mappings between AzureCloud and AzureUsGovernment:
diff --git a/docs/getting-started.md b/docs/getting-started.md
new file mode 100644
index 000000000..3f358085e
--- /dev/null
+++ b/docs/getting-started.md
@@ -0,0 +1,42 @@
+# Getting Started
+
+## Prerequisites
+
+* Current version of the [Azure CLI](https://docs.microsoft.com/en-us/cli/azure/install-azure-cli)
+* An Azure Subscription where you have ['Owner' RBAC permissions](https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#owner)
+
+## Concepts
+
+### Command Line Deployments
+
+You can deploy Mission LZ from your workstation using the command line. Some other configurations are possible, but this is the simplest path.
+
+We highly recommend deploying from the Development Container since it comes packaged with all the right versions of the dependencies you'll need.
+
+### Use the Development Container for Command Line Deployments
+
+If you are planning to deploy from your local workstation, we recommend using the VS Code development container specified in this repository. The container includes all the tools and pre-requisites, but you have to build and run the container. If you have Docker Desktop installed, then VS Code makes the rest of it easy. See the [README](../.devcontainer/README.md) document in the `.devcontainer` folder for details.
+
+See [Using the devcontainer](./using-the-devcontainer.md) for configuring your workstation with the development container.
+
+If you want to deploy from the command line on your workstation but do not want to use the development container, take a look at the [`Dockerfile`](../.devcontainer/Dockerfile) and the [`devcontainer.json`](../.devcontainer/Dockerfile) file for examples on how to configure your environment.
+
+## Next steps
+
+### 1. Deploy the Hub and Spoke
+
+With the environment pre-requisites out of the way, deploy the hub and spoke using the [Command Line Deployment](./command-line-deployment.md) for step-by-step instructions:
+
+* [Command Line Deployment](./command-line-deployment.md)
+
+### 2. Deploy Your Workloads
+
+Now that you have the core hub and spoke tiers deployed (Hub, Tier 0, Tier 1, Tier 2), the next step is to deploy one or more workload tiers. Misson LZ supports multiple workload tiers. See [Workload Deployment](./workload-deployment.md) for details and step-by-step instructions:
+
+* [Workload Deployment](./workload-deployment.md)
+
+### 3. Manage Your Deployment
+
+Once you have a lab deployment of Mission Landing Zone established and have decided to move forward, you will want to start planning your production deployment. We recommend reviewing the following pages during your planning phase.
+
+* [Using Management Groups with Mission Landing Zone](./management-groups.md)
diff --git a/src/docs/images/20210419_missionlz_as_of_Aug2021_Policy.png b/docs/images/20210419_missionlz_as_of_Aug2021_Policy.png
similarity index 100%
rename from src/docs/images/20210419_missionlz_as_of_Aug2021_Policy.png
rename to docs/images/20210419_missionlz_as_of_Aug2021_Policy.png
diff --git a/docs/images/custom_template_deployment.gif b/docs/images/custom_template_deployment.gif
new file mode 100644
index 000000000..11c6594f2
Binary files /dev/null and b/docs/images/custom_template_deployment.gif differ
diff --git a/docs/images/deploytoazure.svg b/docs/images/deploytoazure.svg
new file mode 100644
index 000000000..418df5007
--- /dev/null
+++ b/docs/images/deploytoazure.svg
@@ -0,0 +1,50 @@
+
+
diff --git a/docs/images/deploytoazuregov.svg b/docs/images/deploytoazuregov.svg
new file mode 100644
index 000000000..465349a79
--- /dev/null
+++ b/docs/images/deploytoazuregov.svg
@@ -0,0 +1,50 @@
+
+
diff --git a/src/docs/images/management-groups/mg1-management-groups-list.png b/docs/images/management-groups/mg1-management-groups-list.png
similarity index 100%
rename from src/docs/images/management-groups/mg1-management-groups-list.png
rename to docs/images/management-groups/mg1-management-groups-list.png
diff --git a/src/docs/images/management-groups/mg2-empty-subscription-list.png b/docs/images/management-groups/mg2-empty-subscription-list.png
similarity index 100%
rename from src/docs/images/management-groups/mg2-empty-subscription-list.png
rename to docs/images/management-groups/mg2-empty-subscription-list.png
diff --git a/src/docs/images/management-groups/mg3-select-subscription.png b/docs/images/management-groups/mg3-select-subscription.png
similarity index 100%
rename from src/docs/images/management-groups/mg3-select-subscription.png
rename to docs/images/management-groups/mg3-select-subscription.png
diff --git a/src/docs/images/management-groups/mg4-subscription-in-management-group.png b/docs/images/management-groups/mg4-subscription-in-management-group.png
similarity index 100%
rename from src/docs/images/management-groups/mg4-subscription-in-management-group.png
rename to docs/images/management-groups/mg4-subscription-in-management-group.png
diff --git a/src/docs/images/missionlz_as_of_july2021.jpg b/docs/images/missionlz_as_of_july2021.jpg
similarity index 100%
rename from src/docs/images/missionlz_as_of_july2021.jpg
rename to docs/images/missionlz_as_of_july2021.jpg
diff --git a/docs/images/missionlz_as_of_may2021.png b/docs/images/missionlz_as_of_may2021.png
new file mode 100644
index 000000000..4cc28b276
Binary files /dev/null and b/docs/images/missionlz_as_of_may2021.png differ
diff --git a/src/docs/images/networking.png b/docs/images/networking.png
similarity index 100%
rename from src/docs/images/networking.png
rename to docs/images/networking.png
diff --git a/src/docs/images/scope.png b/docs/images/scope.png
similarity index 100%
rename from src/docs/images/scope.png
rename to docs/images/scope.png
diff --git a/src/docs/management-groups.md b/docs/management-groups.md
similarity index 100%
rename from src/docs/management-groups.md
rename to docs/management-groups.md
diff --git a/src/docs/policies.md b/docs/policies.md
similarity index 64%
rename from src/docs/policies.md
rename to docs/policies.md
index fa9741a9f..7d45dc681 100644
--- a/src/docs/policies.md
+++ b/docs/policies.md
@@ -4,9 +4,7 @@ As part of Mission Landing Zone (MLZ) it's been a goal to ensure deployments hav
For the purposes of this documentation we created an example method in which the MLZ deployment can be audited for current National Institute of Standards and Technology (NIST) controls and requirements using [Azure Policies built in initiative](https://docs.microsoft.com/en-us/azure/governance/policy/samples/nist-sp-800-53-r4) for NIST 800-53. _Note: this is focused on NIST controls that have built in policies in Azure clouds._
-By adding the `--policy` switch to the deployment command the script will multiple assignments to the deployment final architecture. The result is for each Tier (Hub, Tier0, Tier1, and Tier2) there will be an additional policy/initiative assigned scoped to those recourse groups. This will not impact other policies/initiatives assigned that are deployed at different scopes either prior to deploying MLZ or post deployment.
-
-![](images/20210419_missionlz_as_of_Aug2021_Policy.png)
+![Policy and the MLZ deployment footprint](images/20210419_missionlz_as_of_Aug2021_Policy.png)
## Known Issues
@@ -18,19 +16,56 @@ The final note is that these are audits based on NIST controls and recommendatio
## Deploying
-Deploying policy assignments for NIST along with a standard deployment of MLZ is as simple as adding the –policy switch to the deployment script command. This will add a separate assignment of the built in NIST initiative per resource group in the deployment, excluding the resource groups used as deployment artifacts like state and config.
+Deploying policy assignments for NIST along with a standard deployment of MLZ is simple and described below. This example will add a separate assignment of the built in NIST initiative per resource group in the deployment.
+
+### Deploying with Bicep
+
+To include one of the built in Azure policy initiatives for NIST 800-53, CMMC Level 3 or DoD IL5 compliance add the parameter with one of the following, NIST, IL5 or CMMC. For example:
+
+```plaintext
+az deployment sub create \
+ --location eastus \
+ --template-file mlz.bicep \
+ --parameters policy=
+```
+
+Or, you can apply policy after deploying MLZ:
+
+```plaintext
+az deployment group create \
+ --resource-group \
+ --name \
+ --template-file ./src/bicep/modules/policyAssignment.bicep \
+ --parameters builtInAssignment= logAnalyticsWorkspaceName= \
+ --parameters logAnalyticsWorkspaceName= \
+ --parameters logAnalyticsWorkspaceResourceGroupName=
+```
+
+### Deploying with Terraform
-Example:
- `src/scripts/deploy.sh -s -l usgovvirginia --tf-environment usgovernment –policy`
+By default, the Terraform implementaiton at `src/terraform/mlz/main.tf` will assign the NIST 800-53 policies. You can disable this by providing a `false` value to the `create_policy_assignment` variable:
+
+```plaintext
+cd src/terraform/mlz
+terraform init
+terraform apply -var="create_policy_assignment=false"
+```
After the resources are deployed, you will need to go into go into each assignment and retrieve the managed identity and modify its role access to contributor scoped to the associated resource group. This is due to the initiative including modify and deploy policies that act on resources, like deploying the require policy guest configuration extensions to VMs.
-Modifying
+## Modifying
+
+### Modifying with Bicep
+
+The project stores well-known policies at [src/bicep/modules/policies](../src/bicep/modules/policies) where JSON files named for the initiatives with default parameters (except for a Log Analytics workspace ID value `` that we substitute at deployment time -- any other parameter can be modified as needed).
-This model uses an additional custom terraform module called 'policy-assignments'. This can be modified for adding additional initiatives if desired. The module deployments retrieve their parameter values from a local json file stored in the module directory named 'nist-parameter-values' and named after the cloud environment they are deploying to, public or usgovernment.
+### Modifying with Terraform
+
+This project uses a custom terraform module called 'policy-assignments'. This can be modified for adding additional initiatives if desired. The module deployments retrieve their parameter values from a local json file stored in the module directory named 'nist-parameter-values' and named after the cloud environment they are deploying to, public or usgovernment.
Example parameters file snippet:
-```
+
+```arm
{
"listOfMembersToExcludeFromWindowsVMAdministratorsGroup":
{
@@ -52,8 +87,6 @@ Example parameters file snippet:
In the above example the 'logAnalyticsWorkspaceIdforVMReporting' is retrieved from the running terraform deployment variables. This could be modified to use a central logging workspace if desired.
-What's Next
+## What's Next
While this is only a start, the NIST controls included in the built-in initiatives are a good start to understanding requirements on top of MLZ for compliance. In the near future the hopes are for this to be expanded with additional built-in initiatives as well as offering an option to create your own initiative and custom policies. Potential additions will be server baselines, IL compliances, and custom policies.
-
-Also scripts to assist in these out-of-band processes will be added.
\ No newline at end of file
diff --git a/src/docs/scca.md b/docs/scca.md
similarity index 100%
rename from src/docs/scca.md
rename to docs/scca.md
diff --git a/src/docs/getting-started.md b/docs/using-the-devcontainer.md
similarity index 51%
rename from src/docs/getting-started.md
rename to docs/using-the-devcontainer.md
index 4aecddd64..5e350c4e9 100644
--- a/src/docs/getting-started.md
+++ b/docs/using-the-devcontainer.md
@@ -1,27 +1,11 @@
-# Getting Started
+# Using the devcontainer
-## Concepts
-
-### Command Line Deployments
-
-You can deploy Mission LZ from your workstation using the command line. Some other configurations are possible, but these are the two simplest paths.
-
-The command-line deployments involve (1) defining configuration settings (we have examples and defaults to make this easier), and (2) running shell scripts that consolidate and wrap the Terraform commands. We strongly recommend using these scripts because they were designed to be usable, but you could also run the Terraform templates directly using the `terraform` command line tool.
-
-### Use the Development Container for Command Line Deployments
-
-If you are planning to deploy from your local workstation, we recommend using the VS Code development container specified in this repository. The container includes all the tools and pre-requisites, but you have to build and run the container. If you have Docker Desktop installed, then VS Code makes the rest of it easy. See the [README](../../.devcontainer/README.md) document in the `.devcontainer` folder for details.
-
-If you want to deploy from the command line on your workstation but do not want to use the development container, take a look at the [`Dockerfile`](../../.devcontainer/Dockerfile) and the [`devcontainer.json`](../../.devcontainer/Dockerfile) file for examples on how to configure your environment.
-
-## Pre-Requisites
+## Prerequisites
* **Operating system:** Mac OS, Linux, or [Windows 10 with Windows Subsystem for Linux (WSL)](https://docs.microsoft.com/en-us/windows/wsl/install-win10)
>*We developed this on Windows 10/WSL running Ubuntu 20.04*
* **Docker:** Docker Desktop or Docker CE
>*We use [Docker Desktop on Windows 10](https://docs.docker.com/docker-for-windows/install/), integrated with WSL*
-* Current version of the [Azure CLI](https://docs.microsoft.com/en-us/cli/azure/install-azure-cli).
-* An Azure Subscription where you have ['Owner' RBAC permissions].
All other tools and resources are in the development container. The simplest path is to deploy from one of these containers, but it is not required if you want to configure your own deployment environment.
@@ -46,27 +30,3 @@ All other tools and resources are in the development container. The simplest pat
```BASH
git config --global credential.helper "/mnt/c/Program\ Files/Git/mingw64/libexec/git-core/git-credential-manager.exe"
```
-
-## Deployment paths
-
-* (*Optional*) For details and pre-requisites for the development container, see the [README](../../.devcontainer/README.md) document in the `.devcontainer` folder.
-
-## Next steps
-
-### 1. Deploy the Hub and Spoke
-
-With the environment pre-requisites out of the way, deploy the hub and spoke using the [Command Line Deployment](command-line-deployment.md) for step-by-step instructions:
-
-* [Command Line Deployment](command-line-deployment.md)
-
-### 2. Deploy Your Workloads
-
-Now that you have the core hub and spoke tiers deployed (tier 0, tier 1, tier 2), the next step is to deploy one or more workload tiers. Misson LZ supports multiple workload tiers. See [Workload Deployment](workload-deployment.md) for details and step-by-step instructions:
-
-* [Workload Deployment](workload-deployment.md)
-
-### 3. Manage Your Deployment
-
-Once you have a lab deployment of Mission Landing Zone established and have decided to move forward, you will want to start planning your production deployment. We recommend reviewing the following pages during your planning phase.
-
-* [Using Management Groups with Mission Landing Zone](management-groups.md)
diff --git a/docs/workload-deployment.md b/docs/workload-deployment.md
new file mode 100644
index 000000000..844d68eaf
--- /dev/null
+++ b/docs/workload-deployment.md
@@ -0,0 +1,21 @@
+# Workload Deployment (Tier 3)
+
+Mission LZ supports deploying multiple workload tiers that are connected to the hub. We call these tier 3s, or T3s, for convenience. Each tier 3 is intended to support a single workload or single team that needs isolation from the other teams and network connectivity via the hub.
+
+You'll have to have completed the deployment of Mission LZ to peer this new workload to the Hub network and Firewall. See [Command-Line Deployment](./command-line-deployment.md) for steps on how to do deploy those things.
+
+## Step-by-step
+
+1. Log in using the Azure CLI
+
+ ```BASH
+ az login
+ ```
+
+1. Deploy with Bicep (recommended)
+ 1. [Deploy](../src/bicep/examples/newWorkload/README.md)
+ 1. [Customize deployment](../src/bicep/README.md#Deploying-to-Other-Clouds)
+
+1. Or, deploy with Terraform
+ 1. [Apply](../src/terraform/README.md#Deploying-new-Spoke-Networks)
+ 1. [Customize deployment](../src/terraform/README.md#Deploying-to-Other-Clouds)
diff --git a/src/bicep/README.md b/src/bicep/README.md
new file mode 100644
index 000000000..9650f2096
--- /dev/null
+++ b/src/bicep/README.md
@@ -0,0 +1,195 @@
+# MLZ Bicep
+
+## Deployment
+
+### Deployment Pre-requisites
+
+You can deploy with the Azure Portal, the Azure CLI, or with both in a Azure Commercial, Azure for Government, or Air-Gapped Clouds. But first, you'll need these pre-requisites:
+
+1. At least one Azure Subscription
+1. At least [Contributor RBAC permissions](https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#all) to that subscription
+
+Are you deploying into a cloud other than `AzureCloud` like say `AzureUsGovernment`? See [Deploying to Other Clouds](#Deploying-to-Other-Clouds).
+
+Want to add Azure Policies to this deployment? See [Adding Azure Policy](#Adding-Azure-Policy) to add policies like DoD IL5, NIST 800-53, CMMC Level 3, or how to apply your own.
+
+Want to remotely access the network without exposing it via Public IP Addresses? See [Adding Remote Access via Bastion Host](#Adding-Remote-Access-via-Bastion-Host) to add virtual machines inside the network that you can access from an authenticated session in the Azure Portal with Azure Bastion.
+
+### Azure CLI
+
+Use `az deployment sub` to deploy MLZ across 1:M subscriptions (and `az deployment sub create --help` for more information).
+
+#### Single subscription deployment
+
+This is the minimum command necessary to deploy Mission LZ (replacing `mlz.bicep` with `mlz.json` if I'm disconnected from the internet or do not have an installation of [Bicep](https://aka.ms/bicep) available):
+
+```plaintext
+az deployment sub create \
+ --location eastus \
+ --template-file ./mlz.bicep
+```
+
+#### Multiple subscription deployment
+
+I can deploy into multiple subscriptions by specifying the `--parameters` flag and passing `key=value` arguments:
+
+```plaintext
+az deployment sub create \
+ --subscription $deploymentSubscription \
+ --location eastus \
+ --name multiSubscriptionTest \
+ --template-file ./mlz.bicep \
+ --parameters \
+ hubSubscriptionId=$hubSubscriptionId \
+ identitySubscriptionId=$identitySubscriptionId \
+ operationsSubscriptionId=$operationsSubscriptionId \
+ sharedServicesSubscriptionId=$sharedServicesSubscriptionId
+```
+
+When deploying to multiple subscriptions, you must have at least [Contributor RBAC permissions](https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#all) to those subscriptions.
+
+#### Deploying to Other Clouds
+
+If I'm deploying to another cloud, say Azure Government, I will first login to that cloud...
+
+Logging into `AzureUsGovernment`:
+
+```plaintext
+az cloud set -n AzureUsGovernment
+az login
+```
+
+...and supply a different value for the deployment `--location` argument:
+
+```plaintext
+az deployment sub create \
+ --location usgovvirginia \
+ --template-file ./mlz.bicep
+```
+
+And if I need to deploy into multiple subscriptions, I would pass the relevant subscription IDs as `parameters` as described in [Multiple subscription deployment](#Multiple-subscription-deployment).
+
+### Azure Portal
+
+You can also deploy Mission LZ from the Azure Portal. The compiled JSON ARM template of `mlz.bicep` can be executed from the Custom Deployment feature.
+
+There is work in progress to provide a more elegant user-interface, but today, with the compiled output of `mlz.bicep`, you can set the deployment subscription and a deployment region and click 'Create' to start deployment.
+
+#### AzureCloud
+
+[![Deploy To Azure](../../docs/images/deploytoazure.svg?sanitize=true)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fmissionlz%2Fmain%2Fsrc%2Fbicep%2Fmlz.json)
+
+#### AzureUSGovernment
+
+[![Deploy To Azure US Gov](../../docs/images/deploytoazuregov.svg?sanitize=true)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fmissionlz%2Fmain%2Fsrc%2Fbicep%2Fmlz.json)
+
+### Air-Gapped Clouds
+
+#### Air-Gapped Clouds Deployment from the Azure Portal
+
+1. Save `mlz.json` to disk:
+1. Create a deployment using the 'Custom Deployment' feature: or
+1. Click 'Build your own template in the editor'
+1. Click 'Load file'
+1. Select the 'mlz.json' file you saved
+1. Click 'Save'
+1. Click 'Review + Create'
+
+Check out this GIF in the docs to see a visual explanation: [../../docs/images/custom_template_deployment.gif](../../docs/images/custom_template_deployment.gif)
+
+#### Air-Gapped Clouds Deployment with Azure CLI
+
+If I were in an offline environment that didn't have a Bicep installation available (like an air-gapped cloud), I could always deploy the `az bicep build` output ARM template **`mlz.json`**:
+
+```plaintext
+az cloud set -n
+
+az deployment sub create \
+ --subscription $deploymentSubscription \
+ --location \
+ --name multisubtest \
+ --template-file ./mlz.json \
+ --parameters \
+ hubSubscriptionId=$hubSubscriptionId \
+ identitySubscriptionId=$identitySubscriptionId \
+ operationsSubscriptionId=$operationsSubscriptionId \
+ sharedServicesSubscriptionId=$sharedServicesSubscriptionId
+```
+
+## Adding Azure Policy
+
+To include one of the built in Azure policy initiatives for NIST 800-53, CMMC Level 3 or DoD IL5 compliance add the parameter with one of the following, NIST, IL5 or CMMC. For example deploying with MLZ:
+
+```plaintext
+az deployment sub create \
+ --location eastus \
+ --template-file mlz.bicep \
+ --parameters policy=
+```
+
+Or, apply policy after deploying MLZ:
+
+```plaintext
+az deployment group create \
+ --resource-group \
+ --name \
+ --template-file ./src/bicep/modules/policyAssignment.bicep \
+ --parameters builtInAssignment= logAnalyticsWorkspaceName= \
+ --parameters logAnalyticsWorkspaceName= \
+ --parameters logAnalyticsWorkspaceResourceGroupName=
+```
+
+The result will be a policy assignment created for each resource group deployed by MLZ that can be viewed in the 'Compliance' view of Azure Policy in the Azure Portal.
+
+Under the [modules/policies](modules/policies) directory are JSON files named for the initiatives with default parameters (except for a Log Analytics workspace ID value `` that we substitute at deployment time -- any other parameter can be modified as needed).
+
+## Adding Remote Access via Bastion Host
+
+Want to remotely access the network and the resources you've deployed into it? You can use [Azure Bastion](https://docs.microsoft.com/en-us/azure/bastion/) to remotely access virtual machines within the network without exposing them via Public IP Addresses.
+
+To deploy a virtual machine as a jumpbox into the network without a Public IP Address using Azure Bastion Host, provide two parameters `deployRemoteAccess=true` and `linuxVmAdminPasswordOrKey=` and `windowsVmAdminPassword=` to the deployment. A quick and easy way to generate a secure password from the .devcontainer is the command `openssl rand -base64 14`.
+
+```plaintext
+my_password=$(openssl rand -base64 14)
+
+az deployment sub create \
+ --name "myRemoteAccessDeployment" \
+ --location "eastus" \
+ --template-file "src/bicep/mlz.bicep" \
+ --parameters deployRemoteAccess="true" \
+ --parameters linuxVmAdminPasswordOrKey="$my_password" \
+ --parameters windowsVmAdminPassword="$my_password"
+```
+
+Then, once you've deployed the virtual machines and Bastion Host, use these docs to connect with the provided password:
+
+### Using an SSH Key with Remote Access via Bastion Host
+
+If you have a key pair you'd like to use for SSH connections to the Linux virtual machine that is deployed with `deployRemoteAccess=true`, specify the `linuxVmAuthenticationType` parameter to `sshPublicKey` like so:
+
+```plaintext
+my_sshkey=$(cat ~/.ssh/id_rsa.pub) # or, however you source your public key
+my_password=$(openssl rand -base64 14)
+
+az deployment sub create \
+ --name "myRemoteAccessDeployment" \
+ --location "eastus" \
+ --template-file "src/bicep/mlz.bicep" \
+ --parameters deployRemoteAccess="true" \
+ --parameters linuxVmAuthenticationType="sshPublicKey" \
+ --parameters linuxVmAdminPasswordOrKey="$my_sshkey" \
+ --parameters windowsVmAdminPassword="$my_password"
+```
+
+For more information on generating a public/private key pair see .
+
+Then, once you've deployed the virtual machines and Bastion Host, use these docs to connect with an SSH Key:
+
+## Development Pre-requisites
+
+If you want to develop with Bicep you'll need these:
+
+1. Install Azure CLI
+1. Install Bicep
+
+However, you don't need to develop with Bicep to deploy the compiled `mlz.json` in this repository.
diff --git a/src/bicep/bicepconfig.json b/src/bicep/bicepconfig.json
new file mode 100644
index 000000000..2f5755649
--- /dev/null
+++ b/src/bicep/bicepconfig.json
@@ -0,0 +1,28 @@
+{
+ "analyzers": {
+ "core": {
+ "verbose": false,
+ "enabled": true,
+ "rules": {
+ "no-hardcoded-env-urls": {
+ "level": "error"
+ },
+ "no-unused-params": {
+ "level": "error"
+ },
+ "no-unused-vars": {
+ "level": "error"
+ },
+ "prefer-interpolation": {
+ "level": "error"
+ },
+ "secure-parameter-default": {
+ "level": "error"
+ },
+ "simplify-interpolation": {
+ "level": "error"
+ }
+ }
+ }
+ }
+ }
diff --git a/src/bicep/examples/README.md b/src/bicep/examples/README.md
new file mode 100644
index 000000000..5b305e5cd
--- /dev/null
+++ b/src/bicep/examples/README.md
@@ -0,0 +1,12 @@
+# Examples
+
+In this directory are examples of how to add and extend functionality on-top of MissionLZ.
+
+You [must first deploy MissionLZ](../README.md#Deployment), then you can deploy these examples.
+
+Example | Description
+------- | -----------
+[Remote Access](./remoteAccess) | Adds a Bastion Host and a virtual machine to serve as a jumpbox into the network
+[New Workload](./newWorkload) | Adds a new Spoke Network and peers it to the Hub Network routing all traffic to the Azure Firewall
+[Azure Sentinel](./sentinel) | A Terraform module that adds an Azure Sentinel solution to a Log Analytics Workspace
+
diff --git a/src/bicep/examples/newWorkload/README.md b/src/bicep/examples/newWorkload/README.md
new file mode 100644
index 000000000..9c7c12af7
--- /dev/null
+++ b/src/bicep/examples/newWorkload/README.md
@@ -0,0 +1,123 @@
+# New Workload Example
+
+This example adds a spoke network and peers it to the Hub Virtual Network and routes traffic to the Hub Firewall.
+
+Read on to understand what this example does, and when you're ready, collect all of the pre-requisites, then deploy the example.
+
+## What this example does
+
+### Deploys a Spoke Network
+
+## Pre-requisites
+
+1. A Mission LZ deployment (a deployment of mlz.bicep)
+1. Define some new values for required parameters described below.
+1. The output from the Mission LZ deployment described below.
+
+Required Parameters | Description
+------------------- | -----------
+subscriptionID | The subscription ID where you want to deploy the new spoke network
+workloadName | A name (3 to 24 characters) for your workload
+
+Deployment Output Name | Description
+-----------------------| -----------
+hubSubscriptionId | The subscription that contain the Hub Resource Group
+hubResourceGroupName | The resource group that contains the Hub Virtual Network and deploy the virtual machines into
+hubVirtualNetworkName | The network to peer the new workload network to
+hubVirtualNetworkResourceId | The network to peer the new workload network to
+logAnalyticsWorkspaceResourceId | The resource ID of the Log Analytics Workspace to send diagnostic logs to
+firewallPrivateIPAddress | The private IP Address to the Firewall to route traffic to from the new workload network
+
+One way to retreive these values is with the Azure CLI:
+
+```bash
+# after a Mission LZ deployment
+#
+# az deployment sub create \
+# --subscription $deploymentSubscription \
+# --name "myDeploymentName" \
+# --template-file ./mlz.bicep \
+
+az deployment sub show \
+ --subscription $deploymentSubscription \
+ --name "myDeploymentName" \
+ --query properties.outputs
+```
+
+...which should return an object containing the values you need:
+
+```plaintext
+{
+ "hubSubscriptionId": {
+ "type": "String",
+ "value": "0987654-3210..."
+ },
+ ...
+ "hubResourceGroupName": {
+ "type": "String",
+ "value": "mlz-dev-hub"
+ },
+ ...
+ "hubVirtualNetworkName": {
+ "type": "String",
+ "value": "hub-vnet"
+ },
+ ...
+ "hubVirtualNetworkId": {
+ "type": "String",
+ "value": "/subscriptions/.../providers/Microsoft.Network/virtualNetworks/hub-vnet"
+ },
+ ...
+ "logAnalyticsWorkspaceResourceId": {
+ "type": "String",
+ "value": "/subscriptions/.../providers/Microsoft.OperationalInsights/workspaces/mlz-dev-laws"
+ },
+ ...
+ "firewallPrivateIPAddress": {
+ "type": "String",
+ "value": "10.0.100.4"
+ },
+}
+```
+
+...and if you're on a BASH terminal, this command (take note to replace "myDeploymentName" with your deployment name) will export the values as environment variables:
+
+```bash
+export $(az deployment sub show --name "myDeploymentName" --query "properties.outputs.{ args: [ join('', ['hubSubscriptionId=', hubSubscriptionId.value]), join('', ['hubResourceGroupName=', hubResourceGroupName.value]), join('', ['hubVirtualNetworkName=', hubVirtualNetworkName.value]), join('', ['hubVirtualNetworkResourceId=', hubVirtualNetworkResourceId.value]), join('', ['logAnalyticsWorkspaceResourceId=', logAnalyticsWorkspaceResourceId.value]), join('', ['firewallPrivateIPAddress=', firewallPrivateIPAddress.value]) ] }.args" --output tsv | xargs)
+```
+
+## Deploy the example
+
+Once you have the Mission LZ output values, you can pass those in as parameters to this deployment.
+
+And deploy with `az deployment group create` from the Azure CLI:
+
+```bash
+cd examples/newWorkload
+
+workloadSubscriptionId="12345678-1234..."
+location="eastus"
+workloadName="myNewWorkload"
+
+az deployment sub create \
+ --subscription $workloadSubscriptionId \
+ --location $location \
+ --name $workloadName \
+ --template-file "./newWorkload.bicep" \
+ --parameters \
+ workloadName="$workloadName" \
+ hubSubscriptionId="$hubSubscriptionId" \
+ hubResourceGroupName="$hubResourceGroupName" \
+ hubVirtualNetworkName="$hubVirtualNetworkName" \
+ hubVirtualNetworkResourceId="$hubVirtualNetworkResourceId" \
+ logAnalyticsWorkspaceResourceId="$logAnalyticsWorkspaceResourceId" \
+ firewallPrivateIPAddress="$firewallPrivateIPAddress"
+```
+
+Or, completely experimentally, try the Portal:
+
+#### AzureCloud
+[![Deploy To Azure](../../../../docs/images/deploytoazure.svg?sanitze=true)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fmissionlz%2Fmain%2Fsrc%2Fbicep%2Fexamples%2FnewWorkload%2FnewWorkload.json)
+
+#### AzureUSGovernment
+[![Deploy To Azure US Gov](../../../../docs/images/deploytoazuregov.svg?sanitize=true)](https://portal.azure.us/#create/Microsoft.https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fmissionlz%2Fmain%2Fsrc%2Fbicep%2Fexamples%2FnewWorkload%2FnewWorkload.json)
diff --git a/src/bicep/examples/newWorkload/modules/hubNetworkPeering.bicep b/src/bicep/examples/newWorkload/modules/hubNetworkPeering.bicep
new file mode 100644
index 000000000..bf84709c8
--- /dev/null
+++ b/src/bicep/examples/newWorkload/modules/hubNetworkPeering.bicep
@@ -0,0 +1,15 @@
+targetScope = 'subscription'
+
+param hubResourceGroupName string
+param hubVirtualNetworkName string
+param spokeVirtualNetworkName string
+param spokeVirtualNetworkResourceId string
+
+module hubToSpokeVirtualNetworkPeering '../../../modules/virtualNetworkPeering.bicep' = {
+ scope: resourceGroup(hubResourceGroupName)
+ name: 'hubToSpokeVirtualNetworkPeering'
+ params: {
+ name: '${hubVirtualNetworkName}/to-${spokeVirtualNetworkName}'
+ remoteVirtualNetworkResourceId: spokeVirtualNetworkResourceId
+ }
+}
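Review bot: The nested deployment name on the `name:` line of `hubToSpokeVirtualNetworkPeering` is a fixed literal, so every workload that peers into the same hub resource group reuses the same deployment name; if two workloads are deployed concurrently against one hub this would presumably contend for the same deployment record, and sequential deployments overwrite each other's history entry. Deriving it from the spoke, e.g. `name: 'hubTo-${spokeVirtualNetworkName}-Peering'`, keeps each peering's deployment distinct and auditable. The four `param` lines also carry no `@description` decorators; at minimum `spokeVirtualNetworkResourceId` deserves `@description('Full resource ID of the spoke VNet; must be in a subscription the deploying identity can read, since the hub-side peering references it.')` so that the cross-subscription permission requirement is visible to callers.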
diff --git a/src/bicep/examples/newWorkload/newWorkload.bicep b/src/bicep/examples/newWorkload/newWorkload.bicep
new file mode 100644
index 000000000..d49d9c816
--- /dev/null
+++ b/src/bicep/examples/newWorkload/newWorkload.bicep
@@ -0,0 +1,98 @@
+targetScope = 'subscription'
+
+@minLength(3)
+@maxLength(24)
+param workloadName string
+
+param resourceGroupName string = '${workloadName}-rg'
+param location string = deployment().location
+param tags object = {
+ 'resourceIdentifier': resourceIdentifier
+}
+
+param hubSubscriptionId string
+param hubResourceGroupName string
+param hubVirtualNetworkName string
+param hubVirtualNetworkResourceId string
+param logAnalyticsWorkspaceResourceId string
+param firewallPrivateIPAddress string
+
+param virtualNetworkName string = '${workloadName}-vnet'
+param virtualNetworkAddressPrefix string = '10.0.125.0/26'
+param virtualNetworkDiagnosticsLogs array = []
+param virtualNetworkDiagnosticsMetrics array = []
+
+param networkSecurityGroupName string = '${workloadName}-nsg'
+param networkSecurityGroupRules array = []
+
+param subnetName string = '${workloadName}-subnet'
+param subnetAddressPrefix string = '10.0.125.0/27'
+param subnetServiceEndpoints array = []
+
+param logStorageAccountName string = toLower(take('logs${uniqueString(workloadName)}', 24))
+param logStorageSkuName string = 'Standard_GRS'
+
+param resourceIdentifier string = '${workloadName}${uniqueString(workloadName)}'
+
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+ name: resourceGroupName
+ location: location
+ tags: tags
+}
+
+module spokeNetwork '../../modules/spokeNetwork.bicep' = {
+ name: 'spokeNetwork'
+ scope: az.resourceGroup(resourceGroup.name)
+ params: {
+ tags: tags
+
+ logStorageAccountName: logStorageAccountName
+ logStorageSkuName: logStorageSkuName
+
+ logAnalyticsWorkspaceResourceId: logAnalyticsWorkspaceResourceId
+
+ firewallPrivateIPAddress: firewallPrivateIPAddress
+
+ virtualNetworkName: virtualNetworkName
+ virtualNetworkAddressPrefix: virtualNetworkAddressPrefix
+ virtualNetworkDiagnosticsLogs: virtualNetworkDiagnosticsLogs
+ virtualNetworkDiagnosticsMetrics: virtualNetworkDiagnosticsMetrics
+
+ networkSecurityGroupName: networkSecurityGroupName
+ networkSecurityGroupRules: networkSecurityGroupRules
+
+ subnetName: subnetName
+ subnetAddressPrefix: subnetAddressPrefix
+ subnetServiceEndpoints: subnetServiceEndpoints
+ }
+}
+
+module workloadVirtualNetworkPeerings '../../modules/spokeNetworkPeering.bicep' = {
+ name: '${resourceIdentifier}-${workloadName}VirtualNetworkPeerings'
+ params: {
+ spokeResourceGroupName: resourceGroup.name
+ spokeVirtualNetworkName: spokeNetwork.outputs.virtualNetworkName
+
+ hubVirtualNetworkName: hubVirtualNetworkName
+ hubVirtualNetworkResourceId: hubVirtualNetworkResourceId
+ }
+}
+
+module hubToWorkloadVirtualNetworkPeering './modules/hubNetworkPeering.bicep' = {
+ scope: subscription(hubSubscriptionId)
+ name: 'hubToWorkloadVirtualNetworkPeering'
+ params: {
+ hubResourceGroupName: hubResourceGroupName
+ hubVirtualNetworkName: hubVirtualNetworkName
+ spokeVirtualNetworkName: spokeNetwork.outputs.virtualNetworkName
+ spokeVirtualNetworkResourceId: spokeNetwork.outputs.virtualNetworkResourceId
+ }
+}
+
+output virtualNetworkName string = spokeNetwork.outputs.virtualNetworkName
+output virtualNetworkResourceId string = spokeNetwork.outputs.virtualNetworkResourceId
+output subnetName string = spokeNetwork.outputs.subnetName
+output subnetAddressPrefix string = spokeNetwork.outputs.subnetAddressPrefix
+output subnetResourceId string = spokeNetwork.outputs.subnetResourceId
+output networkSecurityGroupName string = spokeNetwork.outputs.networkSecurityGroupName
+output networkSecurityGroupResourceId string = spokeNetwork.outputs.networkSecurityGroupResourceId
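Review bot: The `param networkSecurityGroupRules array = []` default is not a "no rules" default: per the compiled `newWorkload.json` in this same commit, the spoke module substitutes its own `defaultNetworkSecurityGroupRules` when the array is empty, and those rules allow inbound TCP 22 and 3389 with `sourceAddressPrefix: "*"`. A user following the README's minimal `az deployment sub create` invocation therefore gets a workload subnet whose NSG admits SSH and RDP from any source, which is unlikely to be the intended baseline for a landing-zone spoke. Add `@description('NSG rules for the workload subnet. Leave empty to inherit the spoke module defaults, which allow inbound SSH (22) and RDP (3389) from any source; pass explicit rules for production.')` above that param, and consider whether the example should instead ship a deny-by-default rule set. Separately, the module name on the `workloadVirtualNetworkPeerings` line, `'${resourceIdentifier}-${workloadName}VirtualNetworkPeerings'`, embeds `workloadName` twice (once via `resourceIdentifier`); with a 24-character `workloadName` it reaches roughly 84 characters, which I believe exceeds the 64-character limit on Azure deployment names, so `'${resourceIdentifier}-VirtualNetworkPeerings'` would be safer.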
diff --git a/src/bicep/examples/newWorkload/newWorkload.json b/src/bicep/examples/newWorkload/newWorkload.json
new file mode 100644
index 000000000..9ca62b0b1
--- /dev/null
+++ b/src/bicep/examples/newWorkload/newWorkload.json
@@ -0,0 +1,967 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.4.451.19169",
+ "templateHash": "12095444895814117883"
+ }
+ },
+ "parameters": {
+ "workloadName": {
+ "type": "string",
+ "maxLength": 24,
+ "minLength": 3
+ },
+ "resourceGroupName": {
+ "type": "string",
+ "defaultValue": "[format('{0}-rg', parameters('workloadName'))]"
+ },
+ "location": {
+ "type": "string",
+ "defaultValue": "[deployment().location]"
+ },
+ "tags": {
+ "type": "object",
+ "defaultValue": {
+ "resourceIdentifier": "[parameters('resourceIdentifier')]"
+ }
+ },
+ "hubSubscriptionId": {
+ "type": "string"
+ },
+ "hubResourceGroupName": {
+ "type": "string"
+ },
+ "hubVirtualNetworkName": {
+ "type": "string"
+ },
+ "hubVirtualNetworkResourceId": {
+ "type": "string"
+ },
+ "logAnalyticsWorkspaceResourceId": {
+ "type": "string"
+ },
+ "firewallPrivateIPAddress": {
+ "type": "string"
+ },
+ "virtualNetworkName": {
+ "type": "string",
+ "defaultValue": "[format('{0}-vnet', parameters('workloadName'))]"
+ },
+ "virtualNetworkAddressPrefix": {
+ "type": "string",
+ "defaultValue": "10.0.125.0/26"
+ },
+ "virtualNetworkDiagnosticsLogs": {
+ "type": "array",
+ "defaultValue": []
+ },
+ "virtualNetworkDiagnosticsMetrics": {
+ "type": "array",
+ "defaultValue": []
+ },
+ "networkSecurityGroupName": {
+ "type": "string",
+ "defaultValue": "[format('{0}-nsg', parameters('workloadName'))]"
+ },
+ "networkSecurityGroupRules": {
+ "type": "array",
+ "defaultValue": []
+ },
+ "subnetName": {
+ "type": "string",
+ "defaultValue": "[format('{0}-subnet', parameters('workloadName'))]"
+ },
+ "subnetAddressPrefix": {
+ "type": "string",
+ "defaultValue": "10.0.125.0/27"
+ },
+ "subnetServiceEndpoints": {
+ "type": "array",
+ "defaultValue": []
+ },
+ "logStorageAccountName": {
+ "type": "string",
+ "defaultValue": "[toLower(take(format('logs{0}', uniqueString(parameters('workloadName'))), 24))]"
+ },
+ "logStorageSkuName": {
+ "type": "string",
+ "defaultValue": "Standard_GRS"
+ },
+ "resourceIdentifier": {
+ "type": "string",
+ "defaultValue": "[format('{0}{1}', parameters('workloadName'), uniqueString(parameters('workloadName')))]"
+ }
+ },
+ "functions": [],
+ "resources": [
+ {
+ "type": "Microsoft.Resources/resourceGroups",
+ "apiVersion": "2021-04-01",
+ "name": "[parameters('resourceGroupName')]",
+ "location": "[parameters('location')]",
+ "tags": "[parameters('tags')]"
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "spokeNetwork",
+ "resourceGroup": "[parameters('resourceGroupName')]",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "tags": {
+ "value": "[parameters('tags')]"
+ },
+ "logStorageAccountName": {
+ "value": "[parameters('logStorageAccountName')]"
+ },
+ "logStorageSkuName": {
+ "value": "[parameters('logStorageSkuName')]"
+ },
+ "logAnalyticsWorkspaceResourceId": {
+ "value": "[parameters('logAnalyticsWorkspaceResourceId')]"
+ },
+ "firewallPrivateIPAddress": {
+ "value": "[parameters('firewallPrivateIPAddress')]"
+ },
+ "virtualNetworkName": {
+ "value": "[parameters('virtualNetworkName')]"
+ },
+ "virtualNetworkAddressPrefix": {
+ "value": "[parameters('virtualNetworkAddressPrefix')]"
+ },
+ "virtualNetworkDiagnosticsLogs": {
+ "value": "[parameters('virtualNetworkDiagnosticsLogs')]"
+ },
+ "virtualNetworkDiagnosticsMetrics": {
+ "value": "[parameters('virtualNetworkDiagnosticsMetrics')]"
+ },
+ "networkSecurityGroupName": {
+ "value": "[parameters('networkSecurityGroupName')]"
+ },
+ "networkSecurityGroupRules": {
+ "value": "[parameters('networkSecurityGroupRules')]"
+ },
+ "subnetName": {
+ "value": "[parameters('subnetName')]"
+ },
+ "subnetAddressPrefix": {
+ "value": "[parameters('subnetAddressPrefix')]"
+ },
+ "subnetServiceEndpoints": {
+ "value": "[parameters('subnetServiceEndpoints')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.4.451.19169",
+ "templateHash": "102664795413105394"
+ }
+ },
+ "parameters": {
+ "location": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]"
+ },
+ "tags": {
+ "type": "object",
+ "defaultValue": {}
+ },
+ "logStorageAccountName": {
+ "type": "string"
+ },
+ "logStorageSkuName": {
+ "type": "string"
+ },
+ "logAnalyticsWorkspaceResourceId": {
+ "type": "string"
+ },
+ "firewallPrivateIPAddress": {
+ "type": "string"
+ },
+ "virtualNetworkName": {
+ "type": "string"
+ },
+ "virtualNetworkAddressPrefix": {
+ "type": "string"
+ },
+ "virtualNetworkDiagnosticsLogs": {
+ "type": "array"
+ },
+ "virtualNetworkDiagnosticsMetrics": {
+ "type": "array"
+ },
+ "networkSecurityGroupName": {
+ "type": "string"
+ },
+ "networkSecurityGroupRules": {
+ "type": "array"
+ },
+ "subnetName": {
+ "type": "string"
+ },
+ "subnetAddressPrefix": {
+ "type": "string"
+ },
+ "subnetServiceEndpoints": {
+ "type": "array"
+ },
+ "routeTableName": {
+ "type": "string",
+ "defaultValue": "[format('{0}-routetable', parameters('subnetName'))]"
+ },
+ "routeTableRouteName": {
+ "type": "string",
+ "defaultValue": "default_route"
+ },
+ "routeTableRouteAddressPrefix": {
+ "type": "string",
+ "defaultValue": "0.0.0.0/0"
+ },
+ "routeTableRouteNextHopIpAddress": {
+ "type": "string",
+ "defaultValue": "[parameters('firewallPrivateIPAddress')]"
+ },
+ "routeTableRouteNextHopType": {
+ "type": "string",
+ "defaultValue": "VirtualAppliance"
+ }
+ },
+ "functions": [],
+ "variables": {
+ "defaultVirtualNetworkDiagnosticsLogs": [],
+ "defaultVirtualNetworkDiagnosticsMetrics": [
+ {
+ "category": "AllMetrics",
+ "enabled": true
+ }
+ ],
+ "defaultSubnetServiceEndpoints": [
+ {
+ "service": "Microsoft.Storage"
+ }
+ ],
+ "defaultNetworkSecurityGroupRules": [
+ {
+ "name": "allow_ssh",
+ "properties": {
+ "description": "Allow SSH access from anywhere",
+ "access": "Allow",
+ "priority": 100,
+ "protocol": "Tcp",
+ "direction": "Inbound",
+ "sourcePortRange": "*",
+ "sourceAddressPrefix": "*",
+ "destinationPortRange": "22",
+ "destinationAddressPrefix": "*"
+ }
+ },
+ {
+ "name": "allow_rdp",
+ "properties": {
+ "description": "Allow RDP access from anywhere",
+ "access": "Allow",
+ "priority": 200,
+ "protocol": "Tcp",
+ "direction": "Inbound",
+ "sourcePortRange": "*",
+ "sourceAddressPrefix": "*",
+ "destinationPortRange": "3389",
+ "destinationAddressPrefix": "*"
+ }
+ }
+ ]
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "logStorage",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "storageAccountName": {
+ "value": "[parameters('logStorageAccountName')]"
+ },
+ "location": {
+ "value": "[parameters('location')]"
+ },
+ "skuName": {
+ "value": "[parameters('logStorageSkuName')]"
+ },
+ "tags": {
+ "value": "[parameters('tags')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.4.451.19169",
+ "templateHash": "7478919688835670168"
+ }
+ },
+ "parameters": {
+ "storageAccountName": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ },
+ "skuName": {
+ "type": "string"
+ },
+ "tags": {
+ "type": "object",
+ "defaultValue": {}
+ }
+ },
+ "functions": [],
+ "resources": [
+ {
+ "type": "Microsoft.Storage/storageAccounts",
+ "apiVersion": "2019-06-01",
+ "name": "[parameters('storageAccountName')]",
+ "location": "[parameters('location')]",
+ "kind": "Storage",
+ "sku": {
+ "name": "[parameters('skuName')]"
+ },
+ "tags": "[parameters('tags')]"
+ }
+ ],
+ "outputs": {
+ "id": {
+ "type": "string",
+ "value": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]"
+ }
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "networkSecurityGroup",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "name": {
+ "value": "[parameters('networkSecurityGroupName')]"
+ },
+ "location": {
+ "value": "[parameters('location')]"
+ },
+ "tags": {
+ "value": "[parameters('tags')]"
+ },
+ "securityRules": {
+ "value": "[if(empty(parameters('networkSecurityGroupRules')), variables('defaultNetworkSecurityGroupRules'), parameters('networkSecurityGroupRules'))]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.4.451.19169",
+ "templateHash": "16344320883906419641"
+ }
+ },
+ "parameters": {
+ "name": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ },
+ "tags": {
+ "type": "object",
+ "defaultValue": {}
+ },
+ "securityRules": {
+ "type": "array"
+ }
+ },
+ "functions": [],
+ "resources": [
+ {
+ "type": "Microsoft.Network/networkSecurityGroups",
+ "apiVersion": "2021-02-01",
+ "name": "[parameters('name')]",
+ "location": "[parameters('location')]",
+ "tags": "[parameters('tags')]",
+ "properties": {
+ "securityRules": "[parameters('securityRules')]"
+ }
+ }
+ ],
+ "outputs": {
+ "id": {
+ "type": "string",
+ "value": "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('name'))]"
+ },
+ "name": {
+ "type": "string",
+ "value": "[parameters('name')]"
+ }
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "routeTable",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "name": {
+ "value": "[parameters('routeTableName')]"
+ },
+ "location": {
+ "value": "[parameters('location')]"
+ },
+ "tags": {
+ "value": "[parameters('tags')]"
+ },
+ "routeName": {
+ "value": "[parameters('routeTableRouteName')]"
+ },
+ "routeAddressPrefix": {
+ "value": "[parameters('routeTableRouteAddressPrefix')]"
+ },
+ "routeNextHopIpAddress": {
+ "value": "[parameters('routeTableRouteNextHopIpAddress')]"
+ },
+ "routeNextHopType": {
+ "value": "[parameters('routeTableRouteNextHopType')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.4.451.19169",
+ "templateHash": "9581615100111735872"
+ }
+ },
+ "parameters": {
+ "name": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ },
+ "tags": {
+ "type": "object",
+ "defaultValue": {}
+ },
+ "routeName": {
+ "type": "string"
+ },
+ "routeAddressPrefix": {
+ "type": "string"
+ },
+ "routeNextHopIpAddress": {
+ "type": "string"
+ },
+ "routeNextHopType": {
+ "type": "string"
+ }
+ },
+ "functions": [],
+ "resources": [
+ {
+ "type": "Microsoft.Network/routeTables",
+ "apiVersion": "2021-02-01",
+ "name": "[parameters('name')]",
+ "location": "[parameters('location')]",
+ "tags": "[parameters('tags')]",
+ "properties": {
+ "routes": [
+ {
+ "name": "[parameters('routeName')]",
+ "properties": {
+ "addressPrefix": "[parameters('routeAddressPrefix')]",
+ "nextHopIpAddress": "[parameters('routeNextHopIpAddress')]",
+ "nextHopType": "[parameters('routeNextHopType')]"
+ }
+ }
+ ]
+ }
+ }
+ ],
+ "outputs": {
+ "id": {
+ "type": "string",
+ "value": "[resourceId('Microsoft.Network/routeTables', parameters('name'))]"
+ },
+ "name": {
+ "type": "string",
+ "value": "[parameters('name')]"
+ }
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "virtualNetwork",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "name": {
+ "value": "[parameters('virtualNetworkName')]"
+ },
+ "location": {
+ "value": "[parameters('location')]"
+ },
+ "tags": {
+ "value": "[parameters('tags')]"
+ },
+ "addressPrefix": {
+ "value": "[parameters('virtualNetworkAddressPrefix')]"
+ },
+ "diagnosticsLogs": {
+ "value": "[if(empty(parameters('virtualNetworkDiagnosticsLogs')), variables('defaultVirtualNetworkDiagnosticsLogs'), parameters('virtualNetworkDiagnosticsLogs'))]"
+ },
+ "diagnosticsMetrics": {
+ "value": "[if(empty(parameters('virtualNetworkDiagnosticsMetrics')), variables('defaultVirtualNetworkDiagnosticsMetrics'), parameters('virtualNetworkDiagnosticsMetrics'))]"
+ },
+ "subnets": {
+ "value": [
+ {
+ "name": "[parameters('subnetName')]",
+ "properties": {
+ "addressPrefix": "[parameters('subnetAddressPrefix')]",
+ "networkSecurityGroup": {
+ "id": "[reference(resourceId('Microsoft.Resources/deployments', 'networkSecurityGroup'), '2019-10-01').outputs.id.value]"
+ },
+ "routeTable": {
+ "id": "[reference(resourceId('Microsoft.Resources/deployments', 'routeTable'), '2019-10-01').outputs.id.value]"
+ },
+ "serviceEndpoints": "[if(empty(parameters('subnetServiceEndpoints')), variables('defaultSubnetServiceEndpoints'), parameters('subnetServiceEndpoints'))]"
+ }
+ }
+ ]
+ },
+ "logAnalyticsWorkspaceResourceId": {
+ "value": "[parameters('logAnalyticsWorkspaceResourceId')]"
+ },
+ "logStorageAccountResourceId": {
+ "value": "[reference(resourceId('Microsoft.Resources/deployments', 'logStorage'), '2019-10-01').outputs.id.value]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.4.451.19169",
+ "templateHash": "4251305185578211506"
+ }
+ },
+ "parameters": {
+ "name": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ },
+ "tags": {
+ "type": "object",
+ "defaultValue": {}
+ },
+ "addressPrefix": {
+ "type": "string"
+ },
+ "logAnalyticsWorkspaceResourceId": {
+ "type": "string"
+ },
+ "logStorageAccountResourceId": {
+ "type": "string"
+ },
+ "subnets": {
+ "type": "array"
+ },
+ "diagnosticsMetrics": {
+ "type": "array"
+ },
+ "diagnosticsLogs": {
+ "type": "array"
+ }
+ },
+ "functions": [],
+ "resources": [
+ {
+ "type": "Microsoft.Network/virtualNetworks",
+ "apiVersion": "2021-02-01",
+ "name": "[parameters('name')]",
+ "location": "[parameters('location')]",
+ "tags": "[parameters('tags')]",
+ "properties": {
+ "addressSpace": {
+ "addressPrefixes": [
+ "[parameters('addressPrefix')]"
+ ]
+ },
+ "subnets": "[parameters('subnets')]"
+ }
+ },
+ {
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "apiVersion": "2017-05-01-preview",
+ "scope": "[format('Microsoft.Network/virtualNetworks/{0}', parameters('name'))]",
+ "name": "[format('{0}-diagnostics', parameters('name'))]",
+ "properties": {
+ "storageAccountId": "[parameters('logStorageAccountResourceId')]",
+ "workspaceId": "[parameters('logAnalyticsWorkspaceResourceId')]",
+ "metrics": "[parameters('diagnosticsMetrics')]",
+ "logs": "[parameters('diagnosticsLogs')]"
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Network/virtualNetworks', parameters('name'))]"
+ ]
+ }
+ ],
+ "outputs": {
+ "name": {
+ "type": "string",
+ "value": "[parameters('name')]"
+ },
+ "id": {
+ "type": "string",
+ "value": "[resourceId('Microsoft.Network/virtualNetworks', parameters('name'))]"
+ },
+ "subnets": {
+ "type": "array",
+ "value": "[reference(resourceId('Microsoft.Network/virtualNetworks', parameters('name'))).subnets]"
+ }
+ }
+ }
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', 'logStorage')]",
+ "[resourceId('Microsoft.Resources/deployments', 'networkSecurityGroup')]",
+ "[resourceId('Microsoft.Resources/deployments', 'routeTable')]"
+ ]
+ }
+ ],
+ "outputs": {
+ "virtualNetworkName": {
+ "type": "string",
+ "value": "[reference(resourceId('Microsoft.Resources/deployments', 'virtualNetwork'), '2019-10-01').outputs.name.value]"
+ },
+ "virtualNetworkResourceId": {
+ "type": "string",
+ "value": "[reference(resourceId('Microsoft.Resources/deployments', 'virtualNetwork'), '2019-10-01').outputs.id.value]"
+ },
+ "subnetName": {
+ "type": "string",
+ "value": "[reference(resourceId('Microsoft.Resources/deployments', 'virtualNetwork'), '2019-10-01').outputs.subnets.value[0].name]"
+ },
+ "subnetAddressPrefix": {
+ "type": "string",
+ "value": "[reference(resourceId('Microsoft.Resources/deployments', 'virtualNetwork'), '2019-10-01').outputs.subnets.value[0].properties.addressPrefix]"
+ },
+ "subnetResourceId": {
+ "type": "string",
+ "value": "[reference(resourceId('Microsoft.Resources/deployments', 'virtualNetwork'), '2019-10-01').outputs.subnets.value[0].id]"
+ },
+ "networkSecurityGroupName": {
+ "type": "string",
+ "value": "[reference(resourceId('Microsoft.Resources/deployments', 'networkSecurityGroup'), '2019-10-01').outputs.name.value]"
+ },
+ "networkSecurityGroupResourceId": {
+ "type": "string",
+ "value": "[reference(resourceId('Microsoft.Resources/deployments', 'networkSecurityGroup'), '2019-10-01').outputs.id.value]"
+ }
+ }
+ }
+ },
+ "dependsOn": [
+ "[subscriptionResourceId('Microsoft.Resources/resourceGroups', parameters('resourceGroupName'))]"
+ ]
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "[format('{0}-{1}VirtualNetworkPeerings', parameters('resourceIdentifier'), parameters('workloadName'))]",
+ "location": "[deployment().location]",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "spokeResourceGroupName": {
+ "value": "[parameters('resourceGroupName')]"
+ },
+ "spokeVirtualNetworkName": {
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('resourceGroupName')), 'Microsoft.Resources/deployments', 'spokeNetwork'), '2019-10-01').outputs.virtualNetworkName.value]"
+ },
+ "hubVirtualNetworkName": {
+ "value": "[parameters('hubVirtualNetworkName')]"
+ },
+ "hubVirtualNetworkResourceId": {
+ "value": "[parameters('hubVirtualNetworkResourceId')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.4.451.19169",
+ "templateHash": "13857954278136382775"
+ }
+ },
+ "parameters": {
+ "spokeResourceGroupName": {
+ "type": "string"
+ },
+ "spokeVirtualNetworkName": {
+ "type": "string"
+ },
+ "hubVirtualNetworkName": {
+ "type": "string"
+ },
+ "hubVirtualNetworkResourceId": {
+ "type": "string"
+ }
+ },
+ "functions": [],
+ "resources": [
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "spokeNetworkPeering",
+ "resourceGroup": "[parameters('spokeResourceGroupName')]",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "name": {
+ "value": "[format('{0}/to-{1}', parameters('spokeVirtualNetworkName'), parameters('hubVirtualNetworkName'))]"
+ },
+ "remoteVirtualNetworkResourceId": {
+ "value": "[parameters('hubVirtualNetworkResourceId')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.4.451.19169",
+ "templateHash": "16145505190701732004"
+ }
+ },
+ "parameters": {
+ "name": {
+ "type": "string"
+ },
+ "remoteVirtualNetworkResourceId": {
+ "type": "string"
+ }
+ },
+ "functions": [],
+ "resources": [
+ {
+ "type": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings",
+ "apiVersion": "2021-02-01",
+ "name": "[parameters('name')]",
+ "properties": {
+ "remoteVirtualNetwork": {
+ "id": "[parameters('remoteVirtualNetworkResourceId')]"
+ }
+ }
+ }
+ ]
+ }
+ }
+ }
+ ]
+ }
+ },
+ "dependsOn": [
+ "[subscriptionResourceId('Microsoft.Resources/resourceGroups', parameters('resourceGroupName'))]",
+ "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('resourceGroupName')), 'Microsoft.Resources/deployments', 'spokeNetwork')]"
+ ]
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "hubToWorkloadVirtualNetworkPeering",
+ "subscriptionId": "[parameters('hubSubscriptionId')]",
+ "location": "[deployment().location]",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "hubResourceGroupName": {
+ "value": "[parameters('hubResourceGroupName')]"
+ },
+ "hubVirtualNetworkName": {
+ "value": "[parameters('hubVirtualNetworkName')]"
+ },
+ "spokeVirtualNetworkName": {
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('resourceGroupName')), 'Microsoft.Resources/deployments', 'spokeNetwork'), '2019-10-01').outputs.virtualNetworkName.value]"
+ },
+ "spokeVirtualNetworkResourceId": {
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('resourceGroupName')), 'Microsoft.Resources/deployments', 'spokeNetwork'), '2019-10-01').outputs.virtualNetworkResourceId.value]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.4.451.19169",
+ "templateHash": "6333836552364681267"
+ }
+ },
+ "parameters": {
+ "hubResourceGroupName": {
+ "type": "string"
+ },
+ "hubVirtualNetworkName": {
+ "type": "string"
+ },
+ "spokeVirtualNetworkName": {
+ "type": "string"
+ },
+ "spokeVirtualNetworkResourceId": {
+ "type": "string"
+ }
+ },
+ "functions": [],
+ "resources": [
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "hubToSpokeVirtualNetworkPeering",
+ "resourceGroup": "[parameters('hubResourceGroupName')]",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "name": {
+ "value": "[format('{0}/to-{1}', parameters('hubVirtualNetworkName'), parameters('spokeVirtualNetworkName'))]"
+ },
+ "remoteVirtualNetworkResourceId": {
+ "value": "[parameters('spokeVirtualNetworkResourceId')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.4.451.19169",
+ "templateHash": "16145505190701732004"
+ }
+ },
+ "parameters": {
+ "name": {
+ "type": "string"
+ },
+ "remoteVirtualNetworkResourceId": {
+ "type": "string"
+ }
+ },
+ "functions": [],
+ "resources": [
+ {
+ "type": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings",
+ "apiVersion": "2021-02-01",
+ "name": "[parameters('name')]",
+ "properties": {
+ "remoteVirtualNetwork": {
+ "id": "[parameters('remoteVirtualNetworkResourceId')]"
+ }
+ }
+ }
+ ]
+ }
+ }
+ }
+ ]
+ }
+ },
+ "dependsOn": [
+ "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('resourceGroupName')), 'Microsoft.Resources/deployments', 'spokeNetwork')]"
+ ]
+ }
+ ],
+ "outputs": {
+ "virtualNetworkName": {
+ "type": "string",
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('resourceGroupName')), 'Microsoft.Resources/deployments', 'spokeNetwork'), '2019-10-01').outputs.virtualNetworkName.value]"
+ },
+ "virtualNetworkResourceId": {
+ "type": "string",
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('resourceGroupName')), 'Microsoft.Resources/deployments', 'spokeNetwork'), '2019-10-01').outputs.virtualNetworkResourceId.value]"
+ },
+ "subnetName": {
+ "type": "string",
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('resourceGroupName')), 'Microsoft.Resources/deployments', 'spokeNetwork'), '2019-10-01').outputs.subnetName.value]"
+ },
+ "subnetAddressPrefix": {
+ "type": "string",
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('resourceGroupName')), 'Microsoft.Resources/deployments', 'spokeNetwork'), '2019-10-01').outputs.subnetAddressPrefix.value]"
+ },
+ "subnetResourceId": {
+ "type": "string",
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('resourceGroupName')), 'Microsoft.Resources/deployments', 'spokeNetwork'), '2019-10-01').outputs.subnetResourceId.value]"
+ },
+ "networkSecurityGroupName": {
+ "type": "string",
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('resourceGroupName')), 'Microsoft.Resources/deployments', 'spokeNetwork'), '2019-10-01').outputs.networkSecurityGroupName.value]"
+ },
+ "networkSecurityGroupResourceId": {
+ "type": "string",
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('resourceGroupName')), 'Microsoft.Resources/deployments', 'spokeNetwork'), '2019-10-01').outputs.networkSecurityGroupResourceId.value]"
+ }
+ }
+}
\ No newline at end of file
diff --git a/src/bicep/examples/remoteAccess/README.md b/src/bicep/examples/remoteAccess/README.md
new file mode 100644
index 000000000..d1243497c
--- /dev/null
+++ b/src/bicep/examples/remoteAccess/README.md
@@ -0,0 +1,121 @@
+# Remote Access Example
+
+This example adds a virtual machine to the Hub resource group to serve as a jumpbox into the network using Azure Bastion Host as the remote desktop solution without exposing the virtual machine via a Public IP address.
+
+Read on to understand what this example does, and when you're ready, collect all of the pre-requisites, then deploy the example.
+
+## What this example does
+
+### Deploys Azure Bastion Host
+
+The docs on Azure Bastion:
+
+Some particulars about Bastion:
+
+- Azure Bastion Host requires a subnet of /27 or larger
+- the subnet must be titled `AzureBastionSubnet`
+- Azure Bastion Hosts require a public IP address
+
+### Deploys Virtual Machine
+
+This example deploys two virtual machines into a new subnet in the existing Hub virtual network to serve as jumpboxes.
+
+The docs on Virtual Machines:
+
+## Pre-requisites
+
+1. A Mission LZ deployment (a deployment of mlz.bicep)
+1. The output from that deployment described below:
+
+Deployment Output Name | Description
+-----------------------| -----------
+hubResourceGroupName | The resource group that contains the Hub Virtual Network and deploy the virtual machines into
+hubVirtualNetworkName | The resource to deploy a subnet configured for Bastion Host
+hubSubnetResourceId | The resource ID of the subnet in the Hub Virtual Network for hosting virtual machines
+hubNetworkSecurityGroupResourceId | The resource ID of the Network Security Group in the Hub Virtual Network that hosts rules for Hub Subnet traffic
+
+One way to retreive these values is with the Azure CLI:
+
+```bash
+# after a Mission LZ deployment
+#
+# az deployment sub create \
+# --subscription $deploymentSubscription \
+# --name "myDeploymentName" \
+# --template-file ./mlz.bicep \
+
+az deployment sub show \
+ --subscription $deploymentSubscription \
+ --name "myDeploymentName" \
+ --query properties.outputs
+```
+
+...which should return an object containing the values you need:
+
+```plaintext
+{
+ ...
+ "hubResourceGroupName": {
+ "type": "String",
+ "value": "mlz-dev-hub"
+ },
+ ...
+ "hubVirtualNetworkName": {
+ "type": "String",
+ "value": "hub-vnet"
+ },
+ ...
+ "hubSubnetResourceId": {
+ "type": "String",
+ "value": "/subscriptions/.../providers/Microsoft.Network/virtualNetworks/hub-vnet/subnets/hub-subnet"
+ },
+ ...
+ "hubNetworkSecurityGroupResourceId": {
+ "type": "String",
+ "value": "/subscriptions/.../providers/Microsoft.Network/networkSecurityGroups/hub-nsg"
+ },
+}
+```
+
+...and if you're on a BASH terminal, this command (take note to replace "myDeploymentName" with your deployment name) will export the values as environment variables:
+
+```bash
+export $(az deployment sub show --name "myDeploymentName" --query "properties.outputs.{ args: [ join('', ['hubResourceGroupName=', hubResourceGroupName.value]), join('', ['hubVirtualNetworkName=', hubVirtualNetworkName.value]), join('', ['hubSubnetResourceId=', hubSubnetResourceId.value]), join('', ['hubNetworkSecurityGroupResourceId=', hubNetworkSecurityGroupResourceId.value]) ] }.args" --output tsv | xargs)
+```
+
+## Deploy the example
+
+Once you have the Mission LZ output values, you can pass those in as parameters to this deployment.
+
+For example, deploying using the `az deployment group create` command in the Azure CLI:
+
+```bash
+cd examples/remoteAccess
+
+hubResourceGroupName="mlz-dev-hub"
+hubVirtualNetworkName="hub-vnet"
+hubSubnetResourceId="/subscriptions/.../providers/Microsoft.Network/virtualNetworks/hub-vnet/subnets/hub-subnet"
+hubNetworkSecurityGroupResourceId="/subscriptions/.../providers/Microsoft.Network/networkSecurityGroups/hub-nsg"
+
+linuxPassword=$(openssl rand -base64 14) # generate a random 14 character password
+
+az deployment group create \
+ --name "RemoteAccessExample" \
+ --resource-group $hubResourceGroupName \
+ --template-file "./main.bicep" \
+ --parameters \
+ hubVirtualNetworkName="$hubVirtualNetworkName" \
+ hubSubnetResourceId="$hubSubnetResourceId" \
+ hubNetworkSecurityGroupResourceId="$hubNetworkSecurityGroupResourceId" \
+ linuxVmAdminPasswordOrKey="$linuxPassword"
+```
+
+Or, completely experimentally, try the Portal:
+
+### AzureCloud
+
+[![Deploy To Azure](../../../../docs/images/deploytoazure.svg?sanitze=true)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fmissionlz%2Fmain%2Fsrc%2Fbicep%2Fexamples%2FremoteAccess%2Fmain.json)
+
+### AzureUSGovernment
+
+[![Deploy To Azure US Gov](../../../../docs/images/deploytoazuregov.svg?sanitize=true)](https://portal.azure.us/#create/Microsoft.https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fmissionlz%2Fmain%2Fsrc%2Fbicep%2Fexamples%2FremoteAccess%2Fmain.json)
diff --git a/src/bicep/examples/remoteAccess/main.bicep b/src/bicep/examples/remoteAccess/main.bicep
new file mode 100644
index 000000000..eaef3a7ff
--- /dev/null
+++ b/src/bicep/examples/remoteAccess/main.bicep
@@ -0,0 +1,103 @@
+param location string = resourceGroup().location
+
+param hubVirtualNetworkName string
+param hubSubnetResourceId string
+param hubNetworkSecurityGroupResourceId string
+
+param bastionHostName string = 'bastionHost'
+param bastionHostSubnetAddressPrefix string = '10.0.100.160/27'
+param bastionHostPublicIPAddressName string = 'bastionHostPublicIPAddress'
+param bastionHostPublicIPAddressSkuName string = 'Standard'
+param bastionHostPublicIPAddressAllocationMethod string = 'Static'
+param bastionHostPublicIPAddressAvailabilityZones array = []
+param bastionHostIPConfigurationName string = 'bastionHostIPConfiguration'
+
+param linuxNetworkInterfaceName string = 'linuxVmNetworkInterface'
+param linuxNetworkInterfaceIpConfigurationName string = 'linuxVmIpConfiguration'
+param linuxNetworkInterfacePrivateIPAddressAllocationMethod string = 'Dynamic'
+
+param linuxVmName string = 'linuxVirtualMachine'
+param linuxVmSize string = 'Standard_B2s'
+param linuxVmOsDiskCreateOption string = 'FromImage'
+param linuxVmOsDiskType string = 'Standard_LRS'
+param linuxVmImagePublisher string = 'Canonical'
+param linuxVmImageOffer string = 'UbuntuServer'
+param linuxVmImageSku string = '18.04-LTS'
+param linuxVmImageVersion string = 'latest'
+param linuxVmAdminUsername string = 'azureuser'
+@allowed([
+ 'sshPublicKey'
+ 'password'
+])
+param linuxVmAuthenticationType string = 'password'
+@secure()
+@minLength(14)
+param linuxVmAdminPasswordOrKey string
+
+param windowsNetworkInterfaceName string = 'windowsVmNetworkInterface'
+param windowsNetworkInterfaceIpConfigurationName string = 'windowsVmIpConfiguration'
+param windowsNetworkInterfacePrivateIPAddressAllocationMethod string = 'Dynamic'
+param windowsVmName string = 'windowsVm'
+param windowsVmSize string = 'Standard_DS1_v2'
+param windowsVmAdminUsername string = 'azureuser'
+@secure()
+@minLength(14)
+param windowsVmAdminPassword string
+param windowsVmPublisher string = 'MicrosoftWindowsServer'
+param windowsVmOffer string = 'WindowsServer'
+param windowsVmSku string = '2019-datacenter-gensecond'
+param windowsVmVersion string = 'latest'
+param windowsVmCreateOption string = 'FromImage'
+param windowsVmStorageAccountType string = 'StandardSSD_LRS'
+
+param nowUtc string = utcNow()
+
+module remoteAccess '../../modules/remoteAccess.bicep' = {
+ name: 'deploy-remoteAccess-Example-${nowUtc}'
+ params: {
+ location: location
+
+ hubVirtualNetworkName: hubVirtualNetworkName
+ hubSubnetResourceId: hubSubnetResourceId
+ hubNetworkSecurityGroupResourceId: hubNetworkSecurityGroupResourceId
+
+ bastionHostName: bastionHostName
+ bastionHostSubnetAddressPrefix: bastionHostSubnetAddressPrefix
+ bastionHostPublicIPAddressName: bastionHostPublicIPAddressName
+ bastionHostPublicIPAddressSkuName: bastionHostPublicIPAddressSkuName
+ bastionHostPublicIPAddressAllocationMethod: bastionHostPublicIPAddressAllocationMethod
+ bastionHostPublicIPAddressAvailabilityZones: bastionHostPublicIPAddressAvailabilityZones
+ bastionHostIPConfigurationName: bastionHostIPConfigurationName
+
+ linuxNetworkInterfaceName: linuxNetworkInterfaceName
+ linuxNetworkInterfaceIpConfigurationName: linuxNetworkInterfaceIpConfigurationName
+ linuxNetworkInterfacePrivateIPAddressAllocationMethod: linuxNetworkInterfacePrivateIPAddressAllocationMethod
+
+ linuxVmName: linuxVmName
+ linuxVmSize: linuxVmSize
+ linuxVmOsDiskCreateOption: linuxVmOsDiskCreateOption
+ linuxVmOsDiskType: linuxVmOsDiskType
+ linuxVmImagePublisher: linuxVmImagePublisher
+ linuxVmImageOffer: linuxVmImageOffer
+ linuxVmImageSku: linuxVmImageSku
+ linuxVmImageVersion: linuxVmImageVersion
+ linuxVmAdminUsername: linuxVmAdminUsername
+ linuxVmAuthenticationType: linuxVmAuthenticationType
+ linuxVmAdminPasswordOrKey: linuxVmAdminPasswordOrKey
+
+ windowsNetworkInterfaceName: windowsNetworkInterfaceName
+ windowsNetworkInterfaceIpConfigurationName: windowsNetworkInterfaceIpConfigurationName
+ windowsNetworkInterfacePrivateIPAddressAllocationMethod: windowsNetworkInterfacePrivateIPAddressAllocationMethod
+
+ windowsVmName: windowsVmName
+ windowsVmSize: windowsVmSize
+ windowsVmAdminUsername: windowsVmAdminUsername
+ windowsVmAdminPassword: windowsVmAdminPassword
+ windowsVmPublisher: windowsVmPublisher
+ windowsVmOffer: windowsVmOffer
+ windowsVmSku: windowsVmSku
+ windowsVmVersion: windowsVmVersion
+ windowsVmCreateOption: windowsVmCreateOption
+ windowsVmStorageAccountType: windowsVmStorageAccountType
+ }
+}
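Review bot: `param linuxVmAuthenticationType string = 'password'` makes password SSH the default for a jumpbox that is reachable through Bastion, so anyone deploying with the defaults gets the weaker option unless they override it; key-based auth is the safer default, e.g. `param linuxVmAuthenticationType string = 'sshPublicKey'`, with the README example then passing a public key instead of an `openssl rand` password. If the password default is kept on purpose for quick trials, state that on the parameter, e.g. `@description('Use sshPublicKey outside of throw-away deployments; password auth is for quick trials only')`. None of the parameters carry `@description()` decorators, which also matters for `bastionHostSubnetAddressPrefix`, whose default `'10.0.100.160/27'` silently assumes a particular hub address space and must not overlap existing subnets. Note also that `windowsVmAdminPassword` is `@secure()` with no default, while the README's `az deployment group create` example only supplies `linuxVmAdminPasswordOrKey`, so the CLI will stop and prompt for the Windows password; either document that or show it in the example.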
diff --git a/src/bicep/examples/remoteAccess/main.json b/src/bicep/examples/remoteAccess/main.json
new file mode 100644
index 000000000..102115f84
--- /dev/null
+++ b/src/bicep/examples/remoteAccess/main.json
@@ -0,0 +1,1125 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.4.613.9944",
+ "templateHash": "10649862739162036164"
+ }
+ },
+ "parameters": {
+ "location": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]"
+ },
+ "hubVirtualNetworkName": {
+ "type": "string"
+ },
+ "hubSubnetResourceId": {
+ "type": "string"
+ },
+ "hubNetworkSecurityGroupResourceId": {
+ "type": "string"
+ },
+ "bastionHostName": {
+ "type": "string",
+ "defaultValue": "bastionHost"
+ },
+ "bastionHostSubnetAddressPrefix": {
+ "type": "string",
+ "defaultValue": "10.0.100.160/27"
+ },
+ "bastionHostPublicIPAddressName": {
+ "type": "string",
+ "defaultValue": "bastionHostPublicIPAddress"
+ },
+ "bastionHostPublicIPAddressSkuName": {
+ "type": "string",
+ "defaultValue": "Standard"
+ },
+ "bastionHostPublicIPAddressAllocationMethod": {
+ "type": "string",
+ "defaultValue": "Static"
+ },
+ "bastionHostPublicIPAddressAvailabilityZones": {
+ "type": "array",
+ "defaultValue": []
+ },
+ "bastionHostIPConfigurationName": {
+ "type": "string",
+ "defaultValue": "bastionHostIPConfiguration"
+ },
+ "linuxNetworkInterfaceName": {
+ "type": "string",
+ "defaultValue": "linuxVmNetworkInterface"
+ },
+ "linuxNetworkInterfaceIpConfigurationName": {
+ "type": "string",
+ "defaultValue": "linuxVmIpConfiguration"
+ },
+ "linuxNetworkInterfacePrivateIPAddressAllocationMethod": {
+ "type": "string",
+ "defaultValue": "Dynamic"
+ },
+ "linuxVmName": {
+ "type": "string",
+ "defaultValue": "linuxVirtualMachine"
+ },
+ "linuxVmSize": {
+ "type": "string",
+ "defaultValue": "Standard_B2s"
+ },
+ "linuxVmOsDiskCreateOption": {
+ "type": "string",
+ "defaultValue": "FromImage"
+ },
+ "linuxVmOsDiskType": {
+ "type": "string",
+ "defaultValue": "Standard_LRS"
+ },
+ "linuxVmImagePublisher": {
+ "type": "string",
+ "defaultValue": "Canonical"
+ },
+ "linuxVmImageOffer": {
+ "type": "string",
+ "defaultValue": "UbuntuServer"
+ },
+ "linuxVmImageSku": {
+ "type": "string",
+ "defaultValue": "18.04-LTS"
+ },
+ "linuxVmImageVersion": {
+ "type": "string",
+ "defaultValue": "latest"
+ },
+ "linuxVmAdminUsername": {
+ "type": "string",
+ "defaultValue": "azureuser"
+ },
+ "linuxVmAuthenticationType": {
+ "type": "string",
+ "defaultValue": "password",
+ "allowedValues": [
+ "sshPublicKey",
+ "password"
+ ]
+ },
+ "linuxVmAdminPasswordOrKey": {
+ "type": "secureString",
+ "minLength": 14
+ },
+ "windowsNetworkInterfaceName": {
+ "type": "string",
+ "defaultValue": "windowsVmNetworkInterface"
+ },
+ "windowsNetworkInterfaceIpConfigurationName": {
+ "type": "string",
+ "defaultValue": "windowsVmIpConfiguration"
+ },
+ "windowsNetworkInterfacePrivateIPAddressAllocationMethod": {
+ "type": "string",
+ "defaultValue": "Dynamic"
+ },
+ "windowsVmName": {
+ "type": "string",
+ "defaultValue": "windowsVm"
+ },
+ "windowsVmSize": {
+ "type": "string",
+ "defaultValue": "Standard_DS1_v2"
+ },
+ "windowsVmAdminUsername": {
+ "type": "string",
+ "defaultValue": "azureuser"
+ },
+ "windowsVmAdminPassword": {
+ "type": "secureString",
+ "minLength": 14
+ },
+ "windowsVmPublisher": {
+ "type": "string",
+ "defaultValue": "MicrosoftWindowsServer"
+ },
+ "windowsVmOffer": {
+ "type": "string",
+ "defaultValue": "WindowsServer"
+ },
+ "windowsVmSku": {
+ "type": "string",
+ "defaultValue": "2019-datacenter-gensecond"
+ },
+ "windowsVmVersion": {
+ "type": "string",
+ "defaultValue": "latest"
+ },
+ "windowsVmCreateOption": {
+ "type": "string",
+ "defaultValue": "FromImage"
+ },
+ "windowsVmStorageAccountType": {
+ "type": "string",
+ "defaultValue": "StandardSSD_LRS"
+ },
+ "nowUtc": {
+ "type": "string",
+ "defaultValue": "[utcNow()]"
+ }
+ },
+ "functions": [],
+ "resources": [
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "[format('deploy-remoteAccess-Example-{0}', parameters('nowUtc'))]",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "location": {
+ "value": "[parameters('location')]"
+ },
+ "hubVirtualNetworkName": {
+ "value": "[parameters('hubVirtualNetworkName')]"
+ },
+ "hubSubnetResourceId": {
+ "value": "[parameters('hubSubnetResourceId')]"
+ },
+ "hubNetworkSecurityGroupResourceId": {
+ "value": "[parameters('hubNetworkSecurityGroupResourceId')]"
+ },
+ "bastionHostName": {
+ "value": "[parameters('bastionHostName')]"
+ },
+ "bastionHostSubnetAddressPrefix": {
+ "value": "[parameters('bastionHostSubnetAddressPrefix')]"
+ },
+ "bastionHostPublicIPAddressName": {
+ "value": "[parameters('bastionHostPublicIPAddressName')]"
+ },
+ "bastionHostPublicIPAddressSkuName": {
+ "value": "[parameters('bastionHostPublicIPAddressSkuName')]"
+ },
+ "bastionHostPublicIPAddressAllocationMethod": {
+ "value": "[parameters('bastionHostPublicIPAddressAllocationMethod')]"
+ },
+ "bastionHostPublicIPAddressAvailabilityZones": {
+ "value": "[parameters('bastionHostPublicIPAddressAvailabilityZones')]"
+ },
+ "bastionHostIPConfigurationName": {
+ "value": "[parameters('bastionHostIPConfigurationName')]"
+ },
+ "linuxNetworkInterfaceName": {
+ "value": "[parameters('linuxNetworkInterfaceName')]"
+ },
+ "linuxNetworkInterfaceIpConfigurationName": {
+ "value": "[parameters('linuxNetworkInterfaceIpConfigurationName')]"
+ },
+ "linuxNetworkInterfacePrivateIPAddressAllocationMethod": {
+ "value": "[parameters('linuxNetworkInterfacePrivateIPAddressAllocationMethod')]"
+ },
+ "linuxVmName": {
+ "value": "[parameters('linuxVmName')]"
+ },
+ "linuxVmSize": {
+ "value": "[parameters('linuxVmSize')]"
+ },
+ "linuxVmOsDiskCreateOption": {
+ "value": "[parameters('linuxVmOsDiskCreateOption')]"
+ },
+ "linuxVmOsDiskType": {
+ "value": "[parameters('linuxVmOsDiskType')]"
+ },
+ "linuxVmImagePublisher": {
+ "value": "[parameters('linuxVmImagePublisher')]"
+ },
+ "linuxVmImageOffer": {
+ "value": "[parameters('linuxVmImageOffer')]"
+ },
+ "linuxVmImageSku": {
+ "value": "[parameters('linuxVmImageSku')]"
+ },
+ "linuxVmImageVersion": {
+ "value": "[parameters('linuxVmImageVersion')]"
+ },
+ "linuxVmAdminUsername": {
+ "value": "[parameters('linuxVmAdminUsername')]"
+ },
+ "linuxVmAuthenticationType": {
+ "value": "[parameters('linuxVmAuthenticationType')]"
+ },
+ "linuxVmAdminPasswordOrKey": {
+ "value": "[parameters('linuxVmAdminPasswordOrKey')]"
+ },
+ "windowsNetworkInterfaceName": {
+ "value": "[parameters('windowsNetworkInterfaceName')]"
+ },
+ "windowsNetworkInterfaceIpConfigurationName": {
+ "value": "[parameters('windowsNetworkInterfaceIpConfigurationName')]"
+ },
+ "windowsNetworkInterfacePrivateIPAddressAllocationMethod": {
+ "value": "[parameters('windowsNetworkInterfacePrivateIPAddressAllocationMethod')]"
+ },
+ "windowsVmName": {
+ "value": "[parameters('windowsVmName')]"
+ },
+ "windowsVmSize": {
+ "value": "[parameters('windowsVmSize')]"
+ },
+ "windowsVmAdminUsername": {
+ "value": "[parameters('windowsVmAdminUsername')]"
+ },
+ "windowsVmAdminPassword": {
+ "value": "[parameters('windowsVmAdminPassword')]"
+ },
+ "windowsVmPublisher": {
+ "value": "[parameters('windowsVmPublisher')]"
+ },
+ "windowsVmOffer": {
+ "value": "[parameters('windowsVmOffer')]"
+ },
+ "windowsVmSku": {
+ "value": "[parameters('windowsVmSku')]"
+ },
+ "windowsVmVersion": {
+ "value": "[parameters('windowsVmVersion')]"
+ },
+ "windowsVmCreateOption": {
+ "value": "[parameters('windowsVmCreateOption')]"
+ },
+ "windowsVmStorageAccountType": {
+ "value": "[parameters('windowsVmStorageAccountType')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.4.613.9944",
+ "templateHash": "9206703012100649755"
+ }
+ },
+ "parameters": {
+ "location": {
+ "type": "string"
+ },
+ "tags": {
+ "type": "object",
+ "defaultValue": {}
+ },
+ "hubVirtualNetworkName": {
+ "type": "string"
+ },
+ "hubSubnetResourceId": {
+ "type": "string"
+ },
+ "hubNetworkSecurityGroupResourceId": {
+ "type": "string"
+ },
+ "bastionHostName": {
+ "type": "string"
+ },
+ "bastionHostSubnetAddressPrefix": {
+ "type": "string"
+ },
+ "bastionHostPublicIPAddressName": {
+ "type": "string"
+ },
+ "bastionHostPublicIPAddressSkuName": {
+ "type": "string"
+ },
+ "bastionHostPublicIPAddressAllocationMethod": {
+ "type": "string"
+ },
+ "bastionHostPublicIPAddressAvailabilityZones": {
+ "type": "array"
+ },
+ "bastionHostIPConfigurationName": {
+ "type": "string"
+ },
+ "linuxNetworkInterfaceName": {
+ "type": "string"
+ },
+ "linuxNetworkInterfaceIpConfigurationName": {
+ "type": "string"
+ },
+ "linuxNetworkInterfacePrivateIPAddressAllocationMethod": {
+ "type": "string"
+ },
+ "linuxVmName": {
+ "type": "string"
+ },
+ "linuxVmSize": {
+ "type": "string"
+ },
+ "linuxVmOsDiskCreateOption": {
+ "type": "string"
+ },
+ "linuxVmOsDiskType": {
+ "type": "string"
+ },
+ "linuxVmImagePublisher": {
+ "type": "string"
+ },
+ "linuxVmImageOffer": {
+ "type": "string"
+ },
+ "linuxVmImageSku": {
+ "type": "string"
+ },
+ "linuxVmImageVersion": {
+ "type": "string"
+ },
+ "linuxVmAdminUsername": {
+ "type": "string"
+ },
+ "linuxVmAuthenticationType": {
+ "type": "string",
+ "allowedValues": [
+ "sshPublicKey",
+ "password"
+ ]
+ },
+ "linuxVmAdminPasswordOrKey": {
+ "type": "secureString",
+ "minLength": 14
+ },
+ "windowsNetworkInterfaceName": {
+ "type": "string"
+ },
+ "windowsNetworkInterfaceIpConfigurationName": {
+ "type": "string"
+ },
+ "windowsNetworkInterfacePrivateIPAddressAllocationMethod": {
+ "type": "string"
+ },
+ "windowsVmName": {
+ "type": "string"
+ },
+ "windowsVmSize": {
+ "type": "string"
+ },
+ "windowsVmAdminUsername": {
+ "type": "string"
+ },
+ "windowsVmAdminPassword": {
+ "type": "secureString",
+ "minLength": 14
+ },
+ "windowsVmPublisher": {
+ "type": "string"
+ },
+ "windowsVmOffer": {
+ "type": "string"
+ },
+ "windowsVmSku": {
+ "type": "string"
+ },
+ "windowsVmVersion": {
+ "type": "string"
+ },
+ "windowsVmCreateOption": {
+ "type": "string"
+ },
+ "windowsVmStorageAccountType": {
+ "type": "string"
+ }
+ },
+ "functions": [],
+ "resources": [
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "remoteAccess-bastionHost",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "name": {
+ "value": "[parameters('bastionHostName')]"
+ },
+ "location": {
+ "value": "[parameters('location')]"
+ },
+ "tags": {
+ "value": "[parameters('tags')]"
+ },
+ "virtualNetworkName": {
+ "value": "[parameters('hubVirtualNetworkName')]"
+ },
+ "subnetAddressPrefix": {
+ "value": "[parameters('bastionHostSubnetAddressPrefix')]"
+ },
+ "publicIPAddressName": {
+ "value": "[parameters('bastionHostPublicIPAddressName')]"
+ },
+ "publicIPAddressSkuName": {
+ "value": "[parameters('bastionHostPublicIPAddressSkuName')]"
+ },
+ "publicIPAddressAllocationMethod": {
+ "value": "[parameters('bastionHostPublicIPAddressAllocationMethod')]"
+ },
+ "publicIPAddressAvailabilityZones": {
+ "value": "[parameters('bastionHostPublicIPAddressAvailabilityZones')]"
+ },
+ "ipConfigurationName": {
+ "value": "[parameters('bastionHostIPConfigurationName')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.4.613.9944",
+ "templateHash": "10497818437168204965"
+ }
+ },
+ "parameters": {
+ "name": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ },
+ "tags": {
+ "type": "object",
+ "defaultValue": {}
+ },
+ "virtualNetworkName": {
+ "type": "string"
+ },
+ "subnetAddressPrefix": {
+ "type": "string"
+ },
+ "publicIPAddressName": {
+ "type": "string"
+ },
+ "publicIPAddressSkuName": {
+ "type": "string"
+ },
+ "publicIPAddressAllocationMethod": {
+ "type": "string"
+ },
+ "publicIPAddressAvailabilityZones": {
+ "type": "array"
+ },
+ "ipConfigurationName": {
+ "type": "string"
+ }
+ },
+ "functions": [],
+ "variables": {
+ "subnetName": "AzureBastionSubnet"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Network/publicIPAddresses",
+ "apiVersion": "2021-02-01",
+ "name": "[parameters('publicIPAddressName')]",
+ "location": "[parameters('location')]",
+ "tags": "[parameters('tags')]",
+ "sku": {
+ "name": "[parameters('publicIPAddressSkuName')]"
+ },
+ "properties": {
+ "publicIPAllocationMethod": "[parameters('publicIPAddressAllocationMethod')]"
+ },
+ "zones": "[parameters('publicIPAddressAvailabilityZones')]"
+ },
+ {
+ "type": "Microsoft.Network/virtualNetworks/subnets",
+ "apiVersion": "2021-02-01",
+ "name": "[format('{0}/{1}', parameters('virtualNetworkName'), variables('subnetName'))]",
+ "properties": {
+ "addressPrefix": "[parameters('subnetAddressPrefix')]"
+ }
+ },
+ {
+ "type": "Microsoft.Network/bastionHosts",
+ "apiVersion": "2021-02-01",
+ "name": "[parameters('name')]",
+ "location": "[parameters('location')]",
+ "tags": "[parameters('tags')]",
+ "properties": {
+ "ipConfigurations": [
+ {
+ "name": "[parameters('ipConfigurationName')]",
+ "properties": {
+ "subnet": {
+ "id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', split(format('{0}/{1}', parameters('virtualNetworkName'), variables('subnetName')), '/')[0], split(format('{0}/{1}', parameters('virtualNetworkName'), variables('subnetName')), '/')[1])]"
+ },
+ "publicIPAddress": {
+ "id": "[resourceId('Microsoft.Network/publicIPAddresses', parameters('publicIPAddressName'))]"
+ }
+ }
+ }
+ ]
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Network/publicIPAddresses', parameters('publicIPAddressName'))]",
+ "[resourceId('Microsoft.Network/virtualNetworks/subnets', split(format('{0}/{1}', parameters('virtualNetworkName'), variables('subnetName')), '/')[0], split(format('{0}/{1}', parameters('virtualNetworkName'), variables('subnetName')), '/')[1])]"
+ ]
+ }
+ ]
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "remoteAccess-linuxNetworkInterface",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "name": {
+ "value": "[parameters('linuxNetworkInterfaceName')]"
+ },
+ "location": {
+ "value": "[parameters('location')]"
+ },
+ "tags": {
+ "value": "[parameters('tags')]"
+ },
+ "ipConfigurationName": {
+ "value": "[parameters('linuxNetworkInterfaceIpConfigurationName')]"
+ },
+ "networkSecurityGroupId": {
+ "value": "[parameters('hubNetworkSecurityGroupResourceId')]"
+ },
+ "privateIPAddressAllocationMethod": {
+ "value": "[parameters('linuxNetworkInterfacePrivateIPAddressAllocationMethod')]"
+ },
+ "subnetId": {
+ "value": "[parameters('hubSubnetResourceId')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.4.613.9944",
+ "templateHash": "14459425343428091407"
+ }
+ },
+ "parameters": {
+ "name": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ },
+ "tags": {
+ "type": "object",
+ "defaultValue": {}
+ },
+ "ipConfigurationName": {
+ "type": "string"
+ },
+ "subnetId": {
+ "type": "string"
+ },
+ "networkSecurityGroupId": {
+ "type": "string"
+ },
+ "privateIPAddressAllocationMethod": {
+ "type": "string"
+ }
+ },
+ "functions": [],
+ "resources": [
+ {
+ "type": "Microsoft.Network/networkInterfaces",
+ "apiVersion": "2021-02-01",
+ "name": "[parameters('name')]",
+ "location": "[parameters('location')]",
+ "tags": "[parameters('tags')]",
+ "properties": {
+ "ipConfigurations": [
+ {
+ "name": "[parameters('ipConfigurationName')]",
+ "properties": {
+ "subnet": {
+ "id": "[parameters('subnetId')]"
+ },
+ "privateIPAllocationMethod": "[parameters('privateIPAddressAllocationMethod')]"
+ }
+ }
+ ],
+ "networkSecurityGroup": {
+ "id": "[parameters('networkSecurityGroupId')]"
+ }
+ }
+ }
+ ],
+ "outputs": {
+ "id": {
+ "type": "string",
+ "value": "[resourceId('Microsoft.Network/networkInterfaces', parameters('name'))]"
+ },
+ "name": {
+ "type": "string",
+ "value": "[parameters('name')]"
+ }
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "remoteAccess-linuxVirtualMachine",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "name": {
+ "value": "[parameters('linuxVmName')]"
+ },
+ "location": {
+ "value": "[parameters('location')]"
+ },
+ "tags": {
+ "value": "[parameters('tags')]"
+ },
+ "vmSize": {
+ "value": "[parameters('linuxVmSize')]"
+ },
+ "osDiskCreateOption": {
+ "value": "[parameters('linuxVmOsDiskCreateOption')]"
+ },
+ "osDiskType": {
+ "value": "[parameters('linuxVmOsDiskType')]"
+ },
+ "vmImagePublisher": {
+ "value": "[parameters('linuxVmImagePublisher')]"
+ },
+ "vmImageOffer": {
+ "value": "[parameters('linuxVmImageOffer')]"
+ },
+ "vmImageSku": {
+ "value": "[parameters('linuxVmImageSku')]"
+ },
+ "vmImageVersion": {
+ "value": "[parameters('linuxVmImageVersion')]"
+ },
+ "adminUsername": {
+ "value": "[parameters('linuxVmAdminUsername')]"
+ },
+ "authenticationType": {
+ "value": "[parameters('linuxVmAuthenticationType')]"
+ },
+ "adminPasswordOrKey": {
+ "value": "[parameters('linuxVmAdminPasswordOrKey')]"
+ },
+ "networkInterfaceName": {
+ "value": "[reference(resourceId('Microsoft.Resources/deployments', 'remoteAccess-linuxNetworkInterface'), '2019-10-01').outputs.name.value]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.4.613.9944",
+ "templateHash": "9484732926763055555"
+ }
+ },
+ "parameters": {
+ "name": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ },
+ "tags": {
+ "type": "object",
+ "defaultValue": {}
+ },
+ "networkInterfaceName": {
+ "type": "string"
+ },
+ "vmSize": {
+ "type": "string"
+ },
+ "osDiskCreateOption": {
+ "type": "string"
+ },
+ "osDiskType": {
+ "type": "string"
+ },
+ "vmImagePublisher": {
+ "type": "string"
+ },
+ "vmImageOffer": {
+ "type": "string"
+ },
+ "vmImageSku": {
+ "type": "string"
+ },
+ "vmImageVersion": {
+ "type": "string"
+ },
+ "adminUsername": {
+ "type": "string"
+ },
+ "authenticationType": {
+ "type": "string",
+ "allowedValues": [
+ "sshPublicKey",
+ "password"
+ ]
+ },
+ "adminPasswordOrKey": {
+ "type": "secureString",
+ "minLength": 14
+ }
+ },
+ "functions": [],
+ "variables": {
+ "linuxConfiguration": {
+ "disablePasswordAuthentication": true,
+ "ssh": {
+ "publicKeys": [
+ {
+ "path": "[format('/home/{0}/.ssh/authorized_keys', parameters('adminUsername'))]",
+ "keyData": "[parameters('adminPasswordOrKey')]"
+ }
+ ]
+ }
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Compute/virtualMachines",
+ "apiVersion": "2020-06-01",
+ "name": "[parameters('name')]",
+ "location": "[parameters('location')]",
+ "tags": "[parameters('tags')]",
+ "properties": {
+ "hardwareProfile": {
+ "vmSize": "[parameters('vmSize')]"
+ },
+ "storageProfile": {
+ "osDisk": {
+ "createOption": "[parameters('osDiskCreateOption')]",
+ "managedDisk": {
+ "storageAccountType": "[parameters('osDiskType')]"
+ }
+ },
+ "imageReference": {
+ "publisher": "[parameters('vmImagePublisher')]",
+ "offer": "[parameters('vmImageOffer')]",
+ "sku": "[parameters('vmImageSku')]",
+ "version": "[parameters('vmImageVersion')]"
+ }
+ },
+ "networkProfile": {
+ "networkInterfaces": [
+ {
+ "id": "[resourceId('Microsoft.Network/networkInterfaces', parameters('networkInterfaceName'))]"
+ }
+ ]
+ },
+ "osProfile": {
+ "computerName": "[parameters('name')]",
+ "adminUsername": "[parameters('adminUsername')]",
+ "adminPassword": "[parameters('adminPasswordOrKey')]",
+ "linuxConfiguration": "[if(equals(parameters('authenticationType'), 'password'), null(), variables('linuxConfiguration'))]"
+ }
+ }
+ }
+ ],
+ "outputs": {
+ "adminUsername": {
+ "type": "string",
+ "value": "[parameters('adminUsername')]"
+ },
+ "authenticationType": {
+ "type": "string",
+ "value": "[parameters('authenticationType')]"
+ }
+ }
+ }
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', 'remoteAccess-linuxNetworkInterface')]"
+ ]
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "remoteAccess-windowsNetworkInterface",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "name": {
+ "value": "[parameters('windowsNetworkInterfaceName')]"
+ },
+ "location": {
+ "value": "[parameters('location')]"
+ },
+ "tags": {
+ "value": "[parameters('tags')]"
+ },
+ "ipConfigurationName": {
+ "value": "[parameters('windowsNetworkInterfaceIpConfigurationName')]"
+ },
+ "networkSecurityGroupId": {
+ "value": "[parameters('hubNetworkSecurityGroupResourceId')]"
+ },
+ "privateIPAddressAllocationMethod": {
+ "value": "[parameters('windowsNetworkInterfacePrivateIPAddressAllocationMethod')]"
+ },
+ "subnetId": {
+ "value": "[parameters('hubSubnetResourceId')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.4.613.9944",
+ "templateHash": "14459425343428091407"
+ }
+ },
+ "parameters": {
+ "name": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ },
+ "tags": {
+ "type": "object",
+ "defaultValue": {}
+ },
+ "ipConfigurationName": {
+ "type": "string"
+ },
+ "subnetId": {
+ "type": "string"
+ },
+ "networkSecurityGroupId": {
+ "type": "string"
+ },
+ "privateIPAddressAllocationMethod": {
+ "type": "string"
+ }
+ },
+ "functions": [],
+ "resources": [
+ {
+ "type": "Microsoft.Network/networkInterfaces",
+ "apiVersion": "2021-02-01",
+ "name": "[parameters('name')]",
+ "location": "[parameters('location')]",
+ "tags": "[parameters('tags')]",
+ "properties": {
+ "ipConfigurations": [
+ {
+ "name": "[parameters('ipConfigurationName')]",
+ "properties": {
+ "subnet": {
+ "id": "[parameters('subnetId')]"
+ },
+ "privateIPAllocationMethod": "[parameters('privateIPAddressAllocationMethod')]"
+ }
+ }
+ ],
+ "networkSecurityGroup": {
+ "id": "[parameters('networkSecurityGroupId')]"
+ }
+ }
+ }
+ ],
+ "outputs": {
+ "id": {
+ "type": "string",
+ "value": "[resourceId('Microsoft.Network/networkInterfaces', parameters('name'))]"
+ },
+ "name": {
+ "type": "string",
+ "value": "[parameters('name')]"
+ }
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "remoteAccess-windowsVirtualMachine",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "name": {
+ "value": "[parameters('windowsVmName')]"
+ },
+ "location": {
+ "value": "[parameters('location')]"
+ },
+ "tags": {
+ "value": "[parameters('tags')]"
+ },
+ "size": {
+ "value": "[parameters('windowsVmSize')]"
+ },
+ "adminUsername": {
+ "value": "[parameters('windowsVmAdminUsername')]"
+ },
+ "adminPassword": {
+ "value": "[parameters('windowsVmAdminPassword')]"
+ },
+ "publisher": {
+ "value": "[parameters('windowsVmPublisher')]"
+ },
+ "offer": {
+ "value": "[parameters('windowsVmOffer')]"
+ },
+ "sku": {
+ "value": "[parameters('windowsVmSku')]"
+ },
+ "version": {
+ "value": "[parameters('windowsVmVersion')]"
+ },
+ "createOption": {
+ "value": "[parameters('windowsVmCreateOption')]"
+ },
+ "storageAccountType": {
+ "value": "[parameters('windowsVmStorageAccountType')]"
+ },
+ "networkInterfaceName": {
+ "value": "[reference(resourceId('Microsoft.Resources/deployments', 'remoteAccess-windowsNetworkInterface'), '2019-10-01').outputs.name.value]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.4.613.9944",
+ "templateHash": "13028397952765670280"
+ }
+ },
+ "parameters": {
+ "name": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ },
+ "tags": {
+ "type": "object",
+ "defaultValue": {}
+ },
+ "networkInterfaceName": {
+ "type": "string"
+ },
+ "size": {
+ "type": "string"
+ },
+ "adminUsername": {
+ "type": "string"
+ },
+ "adminPassword": {
+ "type": "secureString",
+ "minLength": 14
+ },
+ "publisher": {
+ "type": "string"
+ },
+ "offer": {
+ "type": "string"
+ },
+ "sku": {
+ "type": "string"
+ },
+ "version": {
+ "type": "string"
+ },
+ "createOption": {
+ "type": "string"
+ },
+ "storageAccountType": {
+ "type": "string"
+ }
+ },
+ "functions": [],
+ "resources": [
+ {
+ "type": "Microsoft.Compute/virtualMachines",
+ "apiVersion": "2021-04-01",
+ "name": "[parameters('name')]",
+ "location": "[parameters('location')]",
+ "tags": "[parameters('tags')]",
+ "properties": {
+ "hardwareProfile": {
+ "vmSize": "[parameters('size')]"
+ },
+ "osProfile": {
+ "computerName": "[take(parameters('name'), 15)]",
+ "adminUsername": "[parameters('adminUsername')]",
+ "adminPassword": "[parameters('adminPassword')]"
+ },
+ "storageProfile": {
+ "imageReference": {
+ "publisher": "[parameters('publisher')]",
+ "offer": "[parameters('offer')]",
+ "sku": "[parameters('sku')]",
+ "version": "[parameters('version')]"
+ },
+ "osDisk": {
+ "createOption": "[parameters('createOption')]",
+ "managedDisk": {
+ "storageAccountType": "[parameters('storageAccountType')]"
+ }
+ }
+ },
+ "networkProfile": {
+ "networkInterfaces": [
+ {
+ "id": "[resourceId('Microsoft.Network/networkInterfaces', parameters('networkInterfaceName'))]"
+ }
+ ]
+ }
+ }
+ }
+ ]
+ }
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', 'remoteAccess-windowsNetworkInterface')]"
+ ]
+ }
+ ]
+ }
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/src/bicep/examples/sentinel/README.md b/src/bicep/examples/sentinel/README.md
new file mode 100644
index 000000000..40e4f384b
--- /dev/null
+++ b/src/bicep/examples/sentinel/README.md
@@ -0,0 +1,101 @@
+# Sentinel Example
+
+This example adds an Azure Sentinel solution to a Log Analytics Workspace using Terraform.
+
+Read on to understand what this example does, and when you're ready, collect all of the pre-requisites, then deploy the example.
+
+## What this example does
+
+### Deploys Sentinel
+
+The docs on Azure Sentinel: https://docs.microsoft.com/en-us/azure/sentinel/overview
+
+## Pre-requisites
+
+1. Terraform ([link to download](https://www.terraform.io/downloads.html))
+1. An internet connection (you can bundle Terraform dependencies, but this example does not and retrieves them from the internet)
+1. A desired region to deploy Azure Sentinel into described below
+1. A Mission LZ deployment (a deployment of mlz.bicep)
+1. The output from that deployment described below
+
+Required Parameters | Description
+------------------- | -----------
+location | The region to deploy Azure Sentinel into
+
+Deployment Output Name | Description
+-----------------------| -----------
+operationsSubscriptionId | The subscription that contains the Log Analytics Workspace and to deploy the Sentinel solution into
+operationsResourceGroupName | The resource group that contains the Log Analytics Workspace to link Azure Sentinel to
+logAnalyticsWorkspaceName | The name of the Log Analytics Workspace to link Azure Sentinel to
+logAnalyticsWorkspaceResourceId | The resource ID of the Log Analytics Workspace to link Azure Sentinel to
+
+One way to retreive these values is with the Azure CLI:
+
+```bash
+# after a Mission LZ deployment
+#
+# az deployment sub create \
+# --subscription $deploymentSubscription \
+# --name "myDeploymentName" \
+# --template-file ./mlz.bicep \
+
+az deployment sub show \
+ --subscription $deploymentSubscription \
+ --name "myDeploymentName" \
+ --query properties.outputs
+```
+
+...which should return an object containing the values you need:
+
+```plaintext
+{
+ "operationsSubscriptionId": {
+ "type": "String",
+ "value": "0987654-3210..."
+ },
+ ...
+ "operationsResourceGroupName": {
+ "type": "String",
+ "value": "mlz-dev-operations"
+ },
+ ...
+ "logAnalyticsWorkspaceName": {
+ "type": "String",
+ "value": "mlz-dev-laws"
+ },
+ ...
+ "logAnalyticsWorkspaceResourceId": {
+ "type": "String",
+ "value": "/subscriptions/.../providers/Microsoft.OperationalInsights/workspaces/mlz-dev-laws"
+ },
+}
+```
+
+...and if you're on a BASH terminal, this command (take note to replace "myDeploymentName" with your deployment name) will export the values as environment variables:
+
+```bash
+export $(az deployment sub show --name "myDeploymentName" --query "properties.outputs.{ args: [ join('', ['operationsSubscriptionId=', operationsSubscriptionId.value]), join('', ['operationsResourceGroupName=', operationsResourceGroupName.value]), join('', ['logAnalyticsWorkspaceName=', logAnalyticsWorkspaceName.value]), join('', ['logAnalyticsWorkspaceResourceId=', logAnalyticsWorkspaceResourceId.value]) ] }.args" --output tsv | xargs)
+```
+
+## Deploying Sentinel
+
+You'll need to initialize Terraform in this directory:
+
+```bash
+cd examples/sentinel
+
+terraform init
+```
+
+Then, using our MLZ deployment output [as input variables](https://www.terraform.io/docs/language/values/variables.html), and specifying a `location` variable, you can call Terraform apply:
+
+```bash
+location="eastus"
+
+terraform apply \
+ -var subscription_id="$operationsSubscriptionId" \
+ -var location="$location" \
+ -var resource_group_name="$operationsResourceGroupName" \
+ -var workspace_resource_id="$logAnalyticsWorkspaceResourceId" \
+ -var workspace_name="$logAnalyticsWorkspaceName"
+````
diff --git a/src/bicep/examples/sentinel/sentinel.tf b/src/bicep/examples/sentinel/sentinel.tf
new file mode 100644
index 000000000..16d681c17
--- /dev/null
+++ b/src/bicep/examples/sentinel/sentinel.tf
@@ -0,0 +1,62 @@
+terraform {
+ backend "local" {}
+
+ required_providers {
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = "= 2.69.0"
+ }
+ random = {
+ source = "hashicorp/random"
+ version = "= 3.1.0"
+ }
+ time = {
+ source = "hashicorp/time"
+ version = "0.7.2"
+ }
+ }
+}
+
+provider "azurerm" {
+ subscription_id = var.subscription_id
+ features {}
+}
+
+variable "subscription_id" {
+ type = string
+ description = "The subscription that contains the Log Analytics Workspace and to deploy the Sentinel solution into"
+}
+
+variable location {
+ type = string
+ description = "The Azure region to deploy the Sentinel solution"
+}
+
+variable "resource_group_name" {
+ type = string
+ description = "The name of the resource group that will contain the Sentinel solution"
+}
+
+variable "workspace_name" {
+ type = string
+ description = "The name of the Log Analytics Workspace that will link to the Sentinel solution"
+}
+
+variable "workspace_resource_id" {
+ type = string
+ description = "The resource id of the Log Analytics Workspace that will link to the Sentinel solution"
+}
+
+
+resource "azurerm_log_analytics_solution" "laws_sentinel" {
+ solution_name = "SecurityInsights"
+ location = var.location
+ resource_group_name = var.resource_group_name
+ workspace_name = var.workspace_name
+ workspace_resource_id = var.workspace_resource_id
+
+ plan {
+ publisher = "Microsoft"
+ product = "OMSGallery/SecurityInsights"
+ }
+}
\ No newline at end of file
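Review bot: The `required_providers` block pins `random` and `time` providers that nothing in sentinel.tf uses; every `terraform init` will fetch them and they widen the example's dependency surface for no benefit, so remove both entries (or add the resources that need them). Two consistency points in the same hunk: `variable location` is the only unquoted variable label (valid HCL, but the other four are quoted), and the `time` constraint `"0.7.2"` lacks the `= ` operator the `azurerm` and `random` constraints use. The `backend "local" {}` block keeps state unencrypted on the operator's machine, which is fine for an example but worth a comment such as `# local state is for this example only; use a remote backend (e.g. azurerm) for shared deployments` so readers do not copy it into a real deployment.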
diff --git a/src/bicep/marketplace/README.md b/src/bicep/marketplace/README.md
new file mode 100644
index 000000000..c80445b55
--- /dev/null
+++ b/src/bicep/marketplace/README.md
@@ -0,0 +1,6 @@
+# MLZ MarketPlace Offering
+
+The contents of this folder are used to package the marketplace offering of MLZ.
+mainTemplate.json is the post build ARM templates from the bicep output
+createUiDefinition.json is the semi manually created bladed template to allow users to enter variables for the UI configuration
+
diff --git a/src/bicep/marketplace/createUiDefinition.json b/src/bicep/marketplace/createUiDefinition.json
new file mode 100644
index 000000000..1c7b195ee
--- /dev/null
+++ b/src/bicep/marketplace/createUiDefinition.json
@@ -0,0 +1,1230 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
+ "handler": "Microsoft.Azure.CreateUIDef",
+ "version": "0.1.2-preview",
+ "parameters": {
+ "config": {
+ "isWizard": false,
+ "basics": {}
+ },
+ "basics": [],
+ "steps": [{
+ "name": "generalSettings",
+ "label": "General Settings",
+ "subLabel": {
+ "preValidation": "Configure general settings",
+ "postValidation": "Done"
+ },
+ "bladeTitle": "General Settings",
+ "elements": [{
+ "name": "resourcePrefix",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Resource Prefix",
+ "defaultValue": "[[format('mlz-{0}', parameters('uniqueId'))]",
+ "toolTip": "A name (3-24 alphanumeric characters in length without whitespace) used to prefix resources and generate uniqueness for resources with globally unique naming requirements like Storage Accounts and Log Analytics Workspaces",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "tags",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Tags",
+ "defaultValue": "{\"resourcePrefix\":\"[parameters('resourcePrefix')]\"}",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "uniqueId",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Unique Id",
+ "defaultValue": "[[uniqueString(deployment().name)]",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ }
+ ]
+ },
+ {
+ "name": "hubSettings",
+ "label": "Hub Settings",
+ "subLabel": {
+ "preValidation": "Configure Hub settings",
+ "postValidation": "Done"
+ },
+ "bladeTitle": "Hub Settings",
+ "elements": [{
+ "name": "hubSubscriptionId",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Hub Subscription Id",
+ "defaultValue": "[[subscription().subscriptionId]",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "hubResourceGroupName",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Hub Resource Group Name",
+ "defaultValue": "[[format('{0}-hub', parameters('resourcePrefix'))]",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "hubLocation",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Hub Location",
+ "defaultValue": "[[deployment().location]",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "hubVirtualNetworkName",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Hub Virtual Network Name",
+ "defaultValue": "hub-vnet",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "hubSubnetName",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Hub Subnet Name",
+ "defaultValue": "hub-subnet",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "hubVirtualNetworkAddressPrefix",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Hub Virtual Network Address Prefix",
+ "defaultValue": "10.0.100.0/24",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "hubSubnetAddressPrefix",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Hub Subnet Address Prefix",
+ "defaultValue": "10.0.100.128/27",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "hubVirtualNetworkDiagnosticsLogs",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Hub Virtual Network Diagnostics Logs",
+ "defaultValue": "[[]",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "hubVirtualNetworkDiagnosticsMetrics",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Hub Virtual Network Diagnostics Metrics",
+ "defaultValue": "[[]",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "hubNetworkSecurityGroupName",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Hub Network Security Group Name",
+ "defaultValue": "hub-nsg",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "hubNetworkSecurityGroupRules",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Hub Network Security Group Rules",
+ "defaultValue": "[[]",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "hubSubnetServiceEndpoints",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Hub Subnet Service Endpoints",
+ "defaultValue": "[[]",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "hubLogStorageAccountName",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Hub Log Storage Account Name",
+ "defaultValue": "[[toLower(take(format('hublogs{0}', parameters('uniqueId')), 24))]",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "hubLogStorageSkuName",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Hub Log Storage Sku Name",
+ "defaultValue": "Standard_GRS",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "firewallName",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Firewall Name",
+ "defaultValue": "firewall",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "firewallSkuTier",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Firewall Sku Tier",
+ "defaultValue": "Premium",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "allowedValues": [{
+ "label": "Standard",
+ "value": "Standard"
+ },
+ {
+ "label": "Premium",
+ "value": "Premium"
+ }
+ ]
+ },
+ "visible": true
+ },
+ {
+ "name": "firewallManagementSubnetAddressPrefix",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Firewall Management Subnet Address Prefix",
+ "defaultValue": "10.0.100.64/26",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "firewallClientSubnetAddressPrefix",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Firewall Client Subnet Address Prefix",
+ "defaultValue": "10.0.100.0/26",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "firewallPolicyName",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Firewall Policy Name",
+ "defaultValue": "firewall-policy",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "firewallThreatIntelMode",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Firewall Threat Intel Mode",
+ "defaultValue": "Alert",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "firewallClientIpConfigurationName",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Firewall Client Ip Configuration Name",
+ "defaultValue": "firewall-client-ip-config",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "firewallClientSubnetServiceEndpoints",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Firewall Client Subnet Service Endpoints",
+ "defaultValue": "[[]",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "firewallClientPublicIPAddressName",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Firewall Client Public IP Address Name",
+ "defaultValue": "firewall-client-public-ip",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "firewallClientPublicIPAddressSkuName",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Firewall Client Public IP Address Sku Name",
+ "defaultValue": "Standard",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "firewallClientPublicIpAllocationMethod",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Firewall Client Public Ip Allocation Method",
+ "defaultValue": "Static",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "firewallClientPublicIPAddressAvailabilityZones",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Firewall Client Public IP Address Availability Zones",
+ "defaultValue": "[[]",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "firewallManagementIpConfigurationName",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Firewall Management Ip Configuration Name",
+ "defaultValue": "firewall-management-ip-config",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "firewallManagementSubnetServiceEndpoints",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Firewall Management Subnet Service Endpoints",
+ "defaultValue": "[[]",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "firewallManagementPublicIPAddressName",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Firewall Management Public IP Address Name",
+ "defaultValue": "firewall-management-public-ip",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "firewallManagementPublicIPAddressSkuName",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Firewall Management Public IP Address Sku Name",
+ "defaultValue": "Standard",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "firewallManagementPublicIpAllocationMethod",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Firewall Management Public Ip Allocation Method",
+ "defaultValue": "Static",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "firewallManagementPublicIPAddressAvailabilityZones",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Firewall Management Public IP Address Availability Zones",
+ "defaultValue": "[[]",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ }
+ ]
+ },
+ {
+ "name": "identitySettings",
+ "label": "Identity Settings",
+ "subLabel": {
+ "preValidation": "Configure identity settings",
+ "postValidation": "Done"
+ },
+ "bladeTitle": "Identity Settings",
+ "elements": [{
+ "name": "identitySubscriptionId",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Identity Subscription Id",
+ "defaultValue": "[[parameters('hubSubscriptionId')]",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "identityResourceGroupName",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Identity Resource Group Name",
+ "defaultValue": "[[replace(parameters('hubResourceGroupName'), 'hub', 'identity')]",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "identityLocation",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Identity Location",
+ "defaultValue": "[[parameters('hubLocation')]",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "identityVirtualNetworkName",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Identity Virtual Network Name",
+ "defaultValue": "[[replace(parameters('hubVirtualNetworkName'), 'hub', 'identity')]",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "identitySubnetName",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Identity Subnet Name",
+ "defaultValue": "[[replace(parameters('hubSubnetName'), 'hub', 'identity')]",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "identityVirtualNetworkAddressPrefix",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Identity Virtual Network Address Prefix",
+ "defaultValue": "10.0.110.0/26",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "identitySubnetAddressPrefix",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Identity Subnet Address Prefix",
+ "defaultValue": "10.0.110.0/27",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "identityVirtualNetworkDiagnosticsLogs",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Identity Virtual Network Diagnostics Logs",
+ "defaultValue": "[[]",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "identityVirtualNetworkDiagnosticsMetrics",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Identity Virtual Network Diagnostics Metrics",
+ "defaultValue": "[[]",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "identityNetworkSecurityGroupName",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Identity Network Security Group Name",
+ "defaultValue": "[[replace(parameters('hubNetworkSecurityGroupName'), 'hub', 'identity')]",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "identityNetworkSecurityGroupRules",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Identity Network Security Group Rules",
+ "defaultValue": "[[]",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "identitySubnetServiceEndpoints",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Identity Subnet Service Endpoints",
+ "defaultValue": "[[]",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "identityLogStorageAccountName",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Identity Log Storage Account Name",
+ "defaultValue": "[[toLower(take(format('idlogs{0}', parameters('uniqueId')), 24))]",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "identityLogStorageSkuName",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Identity Log Storage Sku Name",
+ "defaultValue": "[[parameters('hubLogStorageSkuName')]",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ }
+ ]
+ },
+ {
+ "name": "operationsSettings",
+ "label": "Operations Settings",
+ "subLabel": {
+ "preValidation": "Configure operations settings",
+ "postValidation": "Done"
+ },
+ "bladeTitle": "Operations Settings",
+ "elements": [{
+ "name": "operationsSubscriptionId",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Operations Subscription Id",
+ "defaultValue": "[[parameters('hubSubscriptionId')]",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "operationsResourceGroupName",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Operations Resource Group Name",
+ "defaultValue": "[[replace(parameters('hubResourceGroupName'), 'hub', 'operations')]",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "operationsLocation",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Operations Location",
+ "defaultValue": "[[parameters('hubLocation')]",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "operationsVirtualNetworkName",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Operations Virtual Network Name",
+ "defaultValue": "[[replace(parameters('hubVirtualNetworkName'), 'hub', 'operations')]",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "operationsVirtualNetworkAddressPrefix",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Operations Virtual Network Address Prefix",
+ "defaultValue": "10.0.115.0/26",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "operationsVirtualNetworkDiagnosticsLogs",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Operations Virtual Network Diagnostics Logs",
+ "defaultValue": "[[]",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "operationsVirtualNetworkDiagnosticsMetrics",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Operations Virtual Network Diagnostics Metrics",
+ "defaultValue": "[[]",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "operationsNetworkSecurityGroupName",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Operations Network Security Group Name",
+ "defaultValue": "[[replace(parameters('hubNetworkSecurityGroupName'), 'hub', 'operations')]",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "operationsNetworkSecurityGroupRules",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Operations Network Security Group Rules",
+ "defaultValue": "[[]",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "operationsSubnetName",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Operations Subnet Name",
+ "defaultValue": "[[replace(parameters('hubSubnetName'), 'hub', 'operations')]",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "operationsSubnetAddressPrefix",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Operations Subnet Address Prefix",
+ "defaultValue": "10.0.115.0/27",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "operationsSubnetServiceEndpoints",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Operations Subnet Service Endpoints",
+ "defaultValue": "[[]",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "operationsLogStorageAccountName",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Operations Log Storage Account Name",
+ "defaultValue": "[[toLower(take(format('opslogs{0}', parameters('uniqueId')), 24))]",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "operationsLogStorageSkuName",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Operations Log Storage Sku Name",
+ "defaultValue": "[[parameters('hubLogStorageSkuName')]",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ }
+ ]
+ },
+ {
+ "name": "sharedSettings",
+ "label": "Shared Settings",
+ "subLabel": {
+ "preValidation": "Configure shared settings",
+ "postValidation": "Done"
+ },
+ "bladeTitle": "General Settings",
+ "elements": [{
+ "name": "sharedServicesSubscriptionId",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Shared Services Subscription Id",
+ "defaultValue": "[[parameters('hubSubscriptionId')]",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "sharedServicesResourceGroupName",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Shared Services Resource Group Name",
+ "defaultValue": "[[replace(parameters('hubResourceGroupName'), 'hub', 'sharedServices')]",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "sharedServicesLocation",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Shared Services Location",
+ "defaultValue": "[[parameters('hubLocation')]",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "sharedServicesVirtualNetworkName",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Shared Services Virtual Network Name",
+ "defaultValue": "[[replace(parameters('hubVirtualNetworkName'), 'hub', 'sharedServices')]",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "sharedServicesSubnetName",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Shared Services Subnet Name",
+ "defaultValue": "[[replace(parameters('hubSubnetName'), 'hub', 'sharedServices')]",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "sharedServicesVirtualNetworkAddressPrefix",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Shared Services Virtual Network Address Prefix",
+ "defaultValue": "10.0.120.0/26",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "sharedServicesSubnetAddressPrefix",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Shared Services Subnet Address Prefix",
+ "defaultValue": "10.0.120.0/27",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "sharedServicesVirtualNetworkDiagnosticsLogs",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Shared Services Virtual Network Diagnostics Logs",
+ "defaultValue": "[[]",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "sharedServicesVirtualNetworkDiagnosticsMetrics",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Shared Services Virtual Network Diagnostics Metrics",
+ "defaultValue": "[[]",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "sharedServicesNetworkSecurityGroupName",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Shared Services Network Security Group Name",
+ "defaultValue": "[[replace(parameters('hubNetworkSecurityGroupName'), 'hub', 'sharedServices')]",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "sharedServicesNetworkSecurityGroupRules",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Shared Services Network Security Group Rules",
+ "defaultValue": "[[]",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "sharedServicesSubnetServiceEndpoints",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Shared Services Subnet Service Endpoints",
+ "defaultValue": "[[]",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "sharedServicesLogStorageAccountName",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Shared Services Log Storage Account Name",
+ "defaultValue": "[[toLower(take(format('shrdSvclogs{0}', parameters('uniqueId')), 24))]",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "sharedServicesLogStorageSkuName",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Shared Services Log Storage Sku Name",
+ "defaultValue": "[[parameters('hubLogStorageSkuName')]",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ }
+ ]
+ },
+ {
+ "name": "logSettings",
+ "label": "Log Settings",
+ "subLabel": {
+ "preValidation": "Configure log settings",
+ "postValidation": "Done"
+ },
+ "bladeTitle": "Log Settings",
+ "elements": [{
+ "name": "logAnalyticsWorkspaceName",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Log Analytics Workspace Name",
+ "defaultValue": "[[take(format('{0}-laws', parameters('resourcePrefix')), 63)]",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "logAnalyticsWorkspaceLocation",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Log Analytics Workspace Location",
+ "defaultValue": "[[parameters('sharedServicesLocation')]",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "logAnalyticsWorkspaceCappingDailyQuotaGb",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Log Analytics Workspace Capping Daily Quota Gb",
+ "defaultValue": "-1",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "logAnalyticsWorkspaceRetentionInDays",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Log Analytics Workspace Retention In Days",
+ "defaultValue": "30",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "logAnalyticsWorkspaceSkuName",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Log Analytics Workspace Sku Name",
+ "defaultValue": "PerGB2018",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ }
+ ]
+ }
+ ],
+ "outputs": {
+ "resourcePrefix": "[steps('generalSettings').resourcePrefix]",
+ "hubSubscriptionId": "[steps('hubSettings').hubSubscriptionId]",
+ "identitySubscriptionId": "[steps('identitySettings').identitySubscriptionId]",
+ "operationsSubscriptionId": "[steps('operationsSettings').operationsSubscriptionId]",
+ "sharedServicesSubscriptionId": "[steps('sharedSettings').sharedServicesSubscriptionId]",
+ "firewallSkuTier": "[steps('hubSettings').firewallSkuTier]",
+ "hubResourceGroupName": "[steps('hubSettings').hubResourceGroupName]",
+ "hubLocation": "[steps('hubSettings').hubLocation]",
+ "hubVirtualNetworkName": "[steps('hubSettings').hubVirtualNetworkName]",
+ "hubSubnetName": "[steps('hubSettings').hubSubnetName]",
+ "hubVirtualNetworkAddressPrefix": "[steps('hubSettings').hubVirtualNetworkAddressPrefix]",
+ "hubSubnetAddressPrefix": "[steps('hubSettings').hubSubnetAddressPrefix]",
+ "hubVirtualNetworkDiagnosticsLogs": "[steps('hubSettings').hubVirtualNetworkDiagnosticsLogs]",
+ "hubVirtualNetworkDiagnosticsMetrics": "[steps('hubSettings').hubVirtualNetworkDiagnosticsMetrics]",
+ "hubNetworkSecurityGroupName": "[steps('hubSettings').hubNetworkSecurityGroupName]",
+ "hubNetworkSecurityGroupRules": "[steps('hubSettings').hubNetworkSecurityGroupRules]",
+ "hubSubnetServiceEndpoints": "[steps('hubSettings').hubSubnetServiceEndpoints]",
+ "hubLogStorageAccountName": "[steps('hubSettings').hubLogStorageAccountName]",
+ "hubLogStorageSkuName": "[steps('hubSettings').hubLogStorageSkuName]",
+ "firewallName": "[steps('hubSettings').firewallName]",
+ "firewallManagementSubnetAddressPrefix": "[steps('hubSettings').firewallManagementSubnetAddressPrefix]",
+ "firewallClientSubnetAddressPrefix": "[steps('hubSettings').firewallClientSubnetAddressPrefix]",
+ "firewallPolicyName": "[steps('hubSettings').firewallPolicyName]",
+ "firewallThreatIntelMode": "[steps('hubSettings').firewallThreatIntelMode]",
+ "firewallClientIpConfigurationName": "[steps('hubSettings').firewallClientIpConfigurationName]",
+ "firewallClientSubnetServiceEndpoints": "[steps('hubSettings').firewallClientSubnetServiceEndpoints]",
+ "firewallClientPublicIPAddressName": "[steps('hubSettings').firewallClientPublicIPAddressName]",
+ "firewallClientPublicIPAddressSkuName": "[steps('hubSettings').firewallClientPublicIPAddressSkuName]",
+ "firewallClientPublicIpAllocationMethod": "[steps('hubSettings').firewallClientPublicIpAllocationMethod]",
+ "firewallClientPublicIPAddressAvailabilityZones": "[steps('hubSettings').firewallClientPublicIPAddressAvailabilityZones]",
+ "firewallManagementIpConfigurationName": "[steps('hubSettings').firewallManagementIpConfigurationName]",
+ "firewallManagementSubnetServiceEndpoints": "[steps('hubSettings').firewallManagementSubnetServiceEndpoints]",
+ "firewallManagementPublicIPAddressName": "[steps('hubSettings').firewallManagementPublicIPAddressName]",
+ "firewallManagementPublicIPAddressSkuName": "[steps('hubSettings').firewallManagementPublicIPAddressSkuName]",
+ "firewallManagementPublicIpAllocationMethod": "[steps('hubSettings').firewallManagementPublicIpAllocationMethod]",
+ "firewallManagementPublicIPAddressAvailabilityZones": "[steps('hubSettings').firewallManagementPublicIPAddressAvailabilityZones]",
+ "identityResourceGroupName": "[steps('identitySettings').identityResourceGroupName]",
+ "identityLocation": "[steps('identitySettings').identityLocation]",
+ "identityVirtualNetworkName": "[steps('identitySettings').identityVirtualNetworkName]",
+ "identitySubnetName": "[steps('identitySettings').identitySubnetName]",
+ "identityVirtualNetworkAddressPrefix": "[steps('identitySettings').identityVirtualNetworkAddressPrefix]",
+ "identitySubnetAddressPrefix": "[steps('identitySettings').identitySubnetAddressPrefix]",
+ "identityVirtualNetworkDiagnosticsLogs": "[steps('identitySettings').identityVirtualNetworkDiagnosticsLogs]",
+ "identityVirtualNetworkDiagnosticsMetrics": "[steps('identitySettings').identityVirtualNetworkDiagnosticsMetrics]",
+ "identityNetworkSecurityGroupName": "[steps('identitySettings').identityNetworkSecurityGroupName]",
+ "identityNetworkSecurityGroupRules": "[steps('identitySettings').identityNetworkSecurityGroupRules]",
+ "identitySubnetServiceEndpoints": "[steps('identitySettings').identitySubnetServiceEndpoints]",
+ "identityLogStorageAccountName": "[steps('identitySettings').identityLogStorageAccountName]",
+ "identityLogStorageSkuName": "[steps('identitySettings').identityLogStorageSkuName]",
+ "operationsResourceGroupName": "[steps('operationsSettings').operationsResourceGroupName]",
+ "operationsLocation": "[steps('operationsSettings').operationsLocation]",
+ "operationsVirtualNetworkName": "[steps('operationsSettings').operationsVirtualNetworkName]",
+ "operationsVirtualNetworkAddressPrefix": "[steps('operationsSettings').operationsVirtualNetworkAddressPrefix]",
+ "operationsVirtualNetworkDiagnosticsLogs": "[steps('operationsSettings').operationsVirtualNetworkDiagnosticsLogs]",
+ "operationsVirtualNetworkDiagnosticsMetrics": "[steps('operationsSettings').operationsVirtualNetworkDiagnosticsMetrics]",
+ "operationsNetworkSecurityGroupName": "[steps('operationsSettings').operationsNetworkSecurityGroupName]",
+ "operationsNetworkSecurityGroupRules": "[steps('operationsSettings').operationsNetworkSecurityGroupRules]",
+ "operationsSubnetName": "[steps('operationsSettings').operationsSubnetName]",
+ "operationsSubnetAddressPrefix": "[steps('operationsSettings').operationsSubnetAddressPrefix]",
+ "operationsSubnetServiceEndpoints": "[steps('operationsSettings').operationsSubnetServiceEndpoints]",
+ "operationsLogStorageAccountName": "[steps('operationsSettings').operationsLogStorageAccountName]",
+ "operationsLogStorageSkuName": "[steps('operationsSettings').operationsLogStorageSkuName]",
+ "sharedServicesResourceGroupName": "[steps('sharedSettings').sharedServicesResourceGroupName]",
+ "sharedServicesLocation": "[steps('sharedSettings').sharedServicesLocation]",
+ "sharedServicesVirtualNetworkName": "[steps('sharedSettings').sharedServicesVirtualNetworkName]",
+ "sharedServicesSubnetName": "[steps('sharedSettings').sharedServicesSubnetName]",
+ "sharedServicesVirtualNetworkAddressPrefix": "[steps('sharedSettings').sharedServicesVirtualNetworkAddressPrefix]",
+ "sharedServicesSubnetAddressPrefix": "[steps('sharedSettings').sharedServicesSubnetAddressPrefix]",
+ "sharedServicesVirtualNetworkDiagnosticsLogs": "[steps('sharedSettings').sharedServicesVirtualNetworkDiagnosticsLogs]",
+ "sharedServicesVirtualNetworkDiagnosticsMetrics": "[steps('sharedSettings').sharedServicesVirtualNetworkDiagnosticsMetrics]",
+ "sharedServicesNetworkSecurityGroupName": "[steps('sharedSettings').sharedServicesNetworkSecurityGroupName]",
+ "sharedServicesNetworkSecurityGroupRules": "[steps('sharedSettings').sharedServicesNetworkSecurityGroupRules]",
+ "sharedServicesSubnetServiceEndpoints": "[steps('sharedSettings').sharedServicesSubnetServiceEndpoints]",
+ "sharedServicesLogStorageAccountName": "[steps('sharedSettings').sharedServicesLogStorageAccountName]",
+ "sharedServicesLogStorageSkuName": "[steps('sharedSettings').sharedServicesLogStorageSkuName]",
+ "logAnalyticsWorkspaceName": "[steps('logSettings').logAnalyticsWorkspaceName]",
+ "logAnalyticsWorkspaceLocation": "[steps('logSettings').logAnalyticsWorkspaceLocation]",
+ "logAnalyticsWorkspaceCappingDailyQuotaGb": "[steps('logSettings').logAnalyticsWorkspaceCappingDailyQuotaGb]",
+ "logAnalyticsWorkspaceRetentionInDays": "[steps('logSettings').logAnalyticsWorkspaceRetentionInDays]",
+ "logAnalyticsWorkspaceSkuName": "[steps('logSettings').logAnalyticsWorkspaceSkuName]",
+ "tags": "[steps('generalSettings').tags]",
+ "uniqueId": "[steps('generalSettings').uniqueId]"
+ }
+ }
+}
\ No newline at end of file
diff --git a/src/bicep/marketplace/mainTemplate.json b/src/bicep/marketplace/mainTemplate.json
new file mode 100644
index 000000000..738d0e42b
--- /dev/null
+++ b/src/bicep/marketplace/mainTemplate.json
@@ -0,0 +1,4416 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.4.451.19169",
+ "templateHash": "6513664242668600242"
+ }
+ },
+ "parameters": {
+ "resourcePrefix": {
+ "type": "string",
+ "defaultValue": "[format('mlz-{0}', parameters('uniqueId'))]",
+ "metadata": {
+ "description": "A name (3-24 alphanumeric characters in length without whitespace) used to prefix resources and generate uniqueness for resources with globally unique naming requirements like Storage Accounts and Log Analytics Workspaces"
+ },
+ "maxLength": 24,
+ "minLength": 3
+ },
+ "hubSubscriptionId": {
+ "type": "string",
+ "defaultValue": "[subscription().subscriptionId]"
+ },
+ "identitySubscriptionId": {
+ "type": "string",
+ "defaultValue": "[parameters('hubSubscriptionId')]"
+ },
+ "operationsSubscriptionId": {
+ "type": "string",
+ "defaultValue": "[parameters('hubSubscriptionId')]"
+ },
+ "sharedServicesSubscriptionId": {
+ "type": "string",
+ "defaultValue": "[parameters('hubSubscriptionId')]"
+ },
+ "firewallSkuTier": {
+ "type": "string",
+ "defaultValue": "Premium",
+ "allowedValues": [
+ "Standard",
+ "Premium"
+ ]
+ },
+ "hubResourceGroupName": {
+ "type": "string",
+ "defaultValue": "[format('{0}-hub', parameters('resourcePrefix'))]"
+ },
+ "hubLocation": {
+ "type": "string",
+ "defaultValue": "[deployment().location]"
+ },
+ "hubVirtualNetworkName": {
+ "type": "string",
+ "defaultValue": "hub-vnet"
+ },
+ "hubSubnetName": {
+ "type": "string",
+ "defaultValue": "hub-subnet"
+ },
+ "hubVirtualNetworkAddressPrefix": {
+ "type": "string",
+ "defaultValue": "10.0.100.0/24"
+ },
+ "hubSubnetAddressPrefix": {
+ "type": "string",
+ "defaultValue": "10.0.100.128/27"
+ },
+ "hubVirtualNetworkDiagnosticsLogs": {
+ "type": "array",
+ "defaultValue": []
+ },
+ "hubVirtualNetworkDiagnosticsMetrics": {
+ "type": "array",
+ "defaultValue": []
+ },
+ "hubNetworkSecurityGroupName": {
+ "type": "string",
+ "defaultValue": "hub-nsg"
+ },
+ "hubNetworkSecurityGroupRules": {
+ "type": "array",
+ "defaultValue": []
+ },
+ "hubSubnetServiceEndpoints": {
+ "type": "array",
+ "defaultValue": []
+ },
+ "hubLogStorageAccountName": {
+ "type": "string",
+ "defaultValue": "[toLower(take(format('hublogs{0}', parameters('uniqueId')), 24))]"
+ },
+ "hubLogStorageSkuName": {
+ "type": "string",
+ "defaultValue": "Standard_GRS"
+ },
+ "firewallName": {
+ "type": "string",
+ "defaultValue": "firewall"
+ },
+ "firewallManagementSubnetAddressPrefix": {
+ "type": "string",
+ "defaultValue": "10.0.100.64/26"
+ },
+ "firewallClientSubnetAddressPrefix": {
+ "type": "string",
+ "defaultValue": "10.0.100.0/26"
+ },
+ "firewallPolicyName": {
+ "type": "string",
+ "defaultValue": "firewall-policy"
+ },
+ "firewallThreatIntelMode": {
+ "type": "string",
+ "defaultValue": "Alert"
+ },
+ "firewallClientIpConfigurationName": {
+ "type": "string",
+ "defaultValue": "firewall-client-ip-config"
+ },
+ "firewallClientSubnetServiceEndpoints": {
+ "type": "array",
+ "defaultValue": []
+ },
+ "firewallClientPublicIPAddressName": {
+ "type": "string",
+ "defaultValue": "firewall-client-public-ip"
+ },
+ "firewallClientPublicIPAddressSkuName": {
+ "type": "string",
+ "defaultValue": "Standard"
+ },
+ "firewallClientPublicIpAllocationMethod": {
+ "type": "string",
+ "defaultValue": "Static"
+ },
+ "firewallClientPublicIPAddressAvailabilityZones": {
+ "type": "array",
+ "defaultValue": []
+ },
+ "firewallManagementIpConfigurationName": {
+ "type": "string",
+ "defaultValue": "firewall-management-ip-config"
+ },
+ "firewallManagementSubnetServiceEndpoints": {
+ "type": "array",
+ "defaultValue": []
+ },
+ "firewallManagementPublicIPAddressName": {
+ "type": "string",
+ "defaultValue": "firewall-management-public-ip"
+ },
+ "firewallManagementPublicIPAddressSkuName": {
+ "type": "string",
+ "defaultValue": "Standard"
+ },
+ "firewallManagementPublicIpAllocationMethod": {
+ "type": "string",
+ "defaultValue": "Static"
+ },
+ "firewallManagementPublicIPAddressAvailabilityZones": {
+ "type": "array",
+ "defaultValue": []
+ },
+ "identityResourceGroupName": {
+ "type": "string",
+ "defaultValue": "[replace(parameters('hubResourceGroupName'), 'hub', 'identity')]"
+ },
+ "identityLocation": {
+ "type": "string",
+ "defaultValue": "[parameters('hubLocation')]"
+ },
+ "identityVirtualNetworkName": {
+ "type": "string",
+ "defaultValue": "[replace(parameters('hubVirtualNetworkName'), 'hub', 'identity')]"
+ },
+ "identitySubnetName": {
+ "type": "string",
+ "defaultValue": "[replace(parameters('hubSubnetName'), 'hub', 'identity')]"
+ },
+ "identityVirtualNetworkAddressPrefix": {
+ "type": "string",
+ "defaultValue": "10.0.110.0/26"
+ },
+ "identitySubnetAddressPrefix": {
+ "type": "string",
+ "defaultValue": "10.0.110.0/27"
+ },
+ "identityVirtualNetworkDiagnosticsLogs": {
+ "type": "array",
+ "defaultValue": []
+ },
+ "identityVirtualNetworkDiagnosticsMetrics": {
+ "type": "array",
+ "defaultValue": []
+ },
+ "identityNetworkSecurityGroupName": {
+ "type": "string",
+ "defaultValue": "[replace(parameters('hubNetworkSecurityGroupName'), 'hub', 'identity')]"
+ },
+ "identityNetworkSecurityGroupRules": {
+ "type": "array",
+ "defaultValue": []
+ },
+ "identitySubnetServiceEndpoints": {
+ "type": "array",
+ "defaultValue": []
+ },
+ "identityLogStorageAccountName": {
+ "type": "string",
+ "defaultValue": "[toLower(take(format('idlogs{0}', parameters('uniqueId')), 24))]"
+ },
+ "identityLogStorageSkuName": {
+ "type": "string",
+ "defaultValue": "[parameters('hubLogStorageSkuName')]"
+ },
+ "operationsResourceGroupName": {
+ "type": "string",
+ "defaultValue": "[replace(parameters('hubResourceGroupName'), 'hub', 'operations')]"
+ },
+ "operationsLocation": {
+ "type": "string",
+ "defaultValue": "[parameters('hubLocation')]"
+ },
+ "operationsVirtualNetworkName": {
+ "type": "string",
+ "defaultValue": "[replace(parameters('hubVirtualNetworkName'), 'hub', 'operations')]"
+ },
+ "operationsVirtualNetworkAddressPrefix": {
+ "type": "string",
+ "defaultValue": "10.0.115.0/26"
+ },
+ "operationsVirtualNetworkDiagnosticsLogs": {
+ "type": "array",
+ "defaultValue": []
+ },
+ "operationsVirtualNetworkDiagnosticsMetrics": {
+ "type": "array",
+ "defaultValue": []
+ },
+ "operationsNetworkSecurityGroupName": {
+ "type": "string",
+ "defaultValue": "[replace(parameters('hubNetworkSecurityGroupName'), 'hub', 'operations')]"
+ },
+ "operationsNetworkSecurityGroupRules": {
+ "type": "array",
+ "defaultValue": []
+ },
+ "operationsSubnetName": {
+ "type": "string",
+ "defaultValue": "[replace(parameters('hubSubnetName'), 'hub', 'operations')]"
+ },
+ "operationsSubnetAddressPrefix": {
+ "type": "string",
+ "defaultValue": "10.0.115.0/27"
+ },
+ "operationsSubnetServiceEndpoints": {
+ "type": "array",
+ "defaultValue": []
+ },
+ "operationsLogStorageAccountName": {
+ "type": "string",
+ "defaultValue": "[toLower(take(format('opslogs{0}', parameters('uniqueId')), 24))]"
+ },
+ "operationsLogStorageSkuName": {
+ "type": "string",
+ "defaultValue": "[parameters('hubLogStorageSkuName')]"
+ },
+ "sharedServicesResourceGroupName": {
+ "type": "string",
+ "defaultValue": "[replace(parameters('hubResourceGroupName'), 'hub', 'sharedServices')]"
+ },
+ "sharedServicesLocation": {
+ "type": "string",
+ "defaultValue": "[parameters('hubLocation')]"
+ },
+ "sharedServicesVirtualNetworkName": {
+ "type": "string",
+ "defaultValue": "[replace(parameters('hubVirtualNetworkName'), 'hub', 'sharedServices')]"
+ },
+ "sharedServicesSubnetName": {
+ "type": "string",
+ "defaultValue": "[replace(parameters('hubSubnetName'), 'hub', 'sharedServices')]"
+ },
+ "sharedServicesVirtualNetworkAddressPrefix": {
+ "type": "string",
+ "defaultValue": "10.0.120.0/26"
+ },
+ "sharedServicesSubnetAddressPrefix": {
+ "type": "string",
+ "defaultValue": "10.0.120.0/27"
+ },
+ "sharedServicesVirtualNetworkDiagnosticsLogs": {
+ "type": "array",
+ "defaultValue": []
+ },
+ "sharedServicesVirtualNetworkDiagnosticsMetrics": {
+ "type": "array",
+ "defaultValue": []
+ },
+ "sharedServicesNetworkSecurityGroupName": {
+ "type": "string",
+ "defaultValue": "[replace(parameters('hubNetworkSecurityGroupName'), 'hub', 'sharedServices')]"
+ },
+ "sharedServicesNetworkSecurityGroupRules": {
+ "type": "array",
+ "defaultValue": []
+ },
+ "sharedServicesSubnetServiceEndpoints": {
+ "type": "array",
+ "defaultValue": []
+ },
+ "sharedServicesLogStorageAccountName": {
+ "type": "string",
+ "defaultValue": "[toLower(take(format('shrdSvclogs{0}', parameters('uniqueId')), 24))]"
+ },
+ "sharedServicesLogStorageSkuName": {
+ "type": "string",
+ "defaultValue": "[parameters('hubLogStorageSkuName')]"
+ },
+ "logAnalyticsWorkspaceName": {
+ "type": "string",
+ "defaultValue": "[take(format('{0}-laws', parameters('resourcePrefix')), 63)]"
+ },
+ "logAnalyticsWorkspaceLocation": {
+ "type": "string",
+ "defaultValue": "[parameters('sharedServicesLocation')]"
+ },
+ "logAnalyticsWorkspaceCappingDailyQuotaGb": {
+ "type": "int",
+ "defaultValue": -1
+ },
+ "logAnalyticsWorkspaceRetentionInDays": {
+ "type": "int",
+ "defaultValue": 30
+ },
+ "logAnalyticsWorkspaceSkuName": {
+ "type": "string",
+ "defaultValue": "PerGB2018"
+ },
+ "tags": {
+ "type": "object",
+ "defaultValue": {
+ "resourcePrefix": "[parameters('resourcePrefix')]"
+ }
+ },
+ "uniqueId": {
+ "type": "string",
+ "defaultValue": "[uniqueString(deployment().name)]"
+ }
+ },
+ "functions": [],
+ "variables": {
+ "firewallClientSubnetName": "AzureFirewallSubnet",
+ "firewallManagementSubnetName": "AzureFirewallManagementSubnet"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "hubResourceGroup",
+ "subscriptionId": "[parameters('hubSubscriptionId')]",
+ "location": "[deployment().location]",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "name": {
+ "value": "[parameters('hubResourceGroupName')]"
+ },
+ "location": {
+ "value": "[parameters('hubLocation')]"
+ },
+ "tags": {
+ "value": "[parameters('tags')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.4.451.19169",
+ "templateHash": "4391723078931511573"
+ }
+ },
+ "parameters": {
+ "name": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ },
+ "tags": {
+ "type": "object",
+ "defaultValue": {}
+ }
+ },
+ "functions": [],
+ "resources": [
+ {
+ "type": "Microsoft.Resources/resourceGroups",
+ "apiVersion": "2021-04-01",
+ "name": "[parameters('name')]",
+ "location": "[parameters('location')]",
+ "tags": "[parameters('tags')]"
+ }
+ ],
+ "outputs": {
+ "id": {
+ "type": "string",
+ "value": "[subscriptionResourceId('Microsoft.Resources/resourceGroups', parameters('name'))]"
+ },
+ "name": {
+ "type": "string",
+ "value": "[parameters('name')]"
+ }
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "identityResourceGroup",
+ "subscriptionId": "[parameters('identitySubscriptionId')]",
+ "location": "[deployment().location]",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "name": {
+ "value": "[parameters('identityResourceGroupName')]"
+ },
+ "location": {
+ "value": "[parameters('identityLocation')]"
+ },
+ "tags": {
+ "value": "[parameters('tags')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.4.451.19169",
+ "templateHash": "4391723078931511573"
+ }
+ },
+ "parameters": {
+ "name": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ },
+ "tags": {
+ "type": "object",
+ "defaultValue": {}
+ }
+ },
+ "functions": [],
+ "resources": [
+ {
+ "type": "Microsoft.Resources/resourceGroups",
+ "apiVersion": "2021-04-01",
+ "name": "[parameters('name')]",
+ "location": "[parameters('location')]",
+ "tags": "[parameters('tags')]"
+ }
+ ],
+ "outputs": {
+ "id": {
+ "type": "string",
+ "value": "[subscriptionResourceId('Microsoft.Resources/resourceGroups', parameters('name'))]"
+ },
+ "name": {
+ "type": "string",
+ "value": "[parameters('name')]"
+ }
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "operationsResourceGroup",
+ "subscriptionId": "[parameters('operationsSubscriptionId')]",
+ "location": "[deployment().location]",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "name": {
+ "value": "[parameters('operationsResourceGroupName')]"
+ },
+ "location": {
+ "value": "[parameters('operationsLocation')]"
+ },
+ "tags": {
+ "value": "[parameters('tags')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.4.451.19169",
+ "templateHash": "4391723078931511573"
+ }
+ },
+ "parameters": {
+ "name": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ },
+ "tags": {
+ "type": "object",
+ "defaultValue": {}
+ }
+ },
+ "functions": [],
+ "resources": [
+ {
+ "type": "Microsoft.Resources/resourceGroups",
+ "apiVersion": "2021-04-01",
+ "name": "[parameters('name')]",
+ "location": "[parameters('location')]",
+ "tags": "[parameters('tags')]"
+ }
+ ],
+ "outputs": {
+ "id": {
+ "type": "string",
+ "value": "[subscriptionResourceId('Microsoft.Resources/resourceGroups', parameters('name'))]"
+ },
+ "name": {
+ "type": "string",
+ "value": "[parameters('name')]"
+ }
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "sharedServicesResourceGroup",
+ "subscriptionId": "[parameters('sharedServicesSubscriptionId')]",
+ "location": "[deployment().location]",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "name": {
+ "value": "[parameters('sharedServicesResourceGroupName')]"
+ },
+ "location": {
+ "value": "[parameters('sharedServicesLocation')]"
+ },
+ "tags": {
+ "value": "[parameters('tags')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.4.451.19169",
+ "templateHash": "4391723078931511573"
+ }
+ },
+ "parameters": {
+ "name": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ },
+ "tags": {
+ "type": "object",
+ "defaultValue": {}
+ }
+ },
+ "functions": [],
+ "resources": [
+ {
+ "type": "Microsoft.Resources/resourceGroups",
+ "apiVersion": "2021-04-01",
+ "name": "[parameters('name')]",
+ "location": "[parameters('location')]",
+ "tags": "[parameters('tags')]"
+ }
+ ],
+ "outputs": {
+ "id": {
+ "type": "string",
+ "value": "[subscriptionResourceId('Microsoft.Resources/resourceGroups', parameters('name'))]"
+ },
+ "name": {
+ "type": "string",
+ "value": "[parameters('name')]"
+ }
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "logAnalyticsWorkspace",
+ "subscriptionId": "[parameters('operationsSubscriptionId')]",
+ "resourceGroup": "[parameters('operationsResourceGroupName')]",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "name": {
+ "value": "[parameters('logAnalyticsWorkspaceName')]"
+ },
+ "location": {
+ "value": "[parameters('logAnalyticsWorkspaceLocation')]"
+ },
+ "tags": {
+ "value": "[parameters('tags')]"
+ },
+ "retentionInDays": {
+ "value": "[parameters('logAnalyticsWorkspaceRetentionInDays')]"
+ },
+ "skuName": {
+ "value": "[parameters('logAnalyticsWorkspaceSkuName')]"
+ },
+ "workspaceCappingDailyQuotaGb": {
+ "value": "[parameters('logAnalyticsWorkspaceCappingDailyQuotaGb')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.4.451.19169",
+ "templateHash": "3654750523315639217"
+ }
+ },
+ "parameters": {
+ "name": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ },
+ "tags": {
+ "type": "object",
+ "defaultValue": {}
+ },
+ "retentionInDays": {
+ "type": "int",
+ "defaultValue": 30
+ },
+ "skuName": {
+ "type": "string",
+ "defaultValue": "PerGB2018"
+ },
+ "workspaceCappingDailyQuotaGb": {
+ "type": "int",
+ "defaultValue": -1
+ }
+ },
+ "functions": [],
+ "resources": [
+ {
+ "type": "Microsoft.OperationalInsights/workspaces",
+ "apiVersion": "2021-06-01",
+ "name": "[parameters('name')]",
+ "location": "[parameters('location')]",
+ "tags": "[parameters('tags')]",
+ "properties": {
+ "retentionInDays": "[parameters('retentionInDays')]",
+ "sku": {
+ "name": "[parameters('skuName')]"
+ },
+ "workspaceCapping": {
+ "dailyQuotaGb": "[parameters('workspaceCappingDailyQuotaGb')]"
+ }
+ }
+ }
+ ],
+ "outputs": {
+ "id": {
+ "type": "string",
+ "value": "[resourceId('Microsoft.OperationalInsights/workspaces', parameters('name'))]"
+ },
+ "name": {
+ "type": "string",
+ "value": "[parameters('name')]"
+ }
+ }
+ }
+ },
+ "dependsOn": [
+ "[subscriptionResourceId(parameters('operationsSubscriptionId'), 'Microsoft.Resources/deployments', 'operationsResourceGroup')]"
+ ]
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "[format('{0}-hub', parameters('resourcePrefix'))]",
+ "subscriptionId": "[parameters('hubSubscriptionId')]",
+ "resourceGroup": "[parameters('hubResourceGroupName')]",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "location": {
+ "value": "[parameters('hubLocation')]"
+ },
+ "tags": {
+ "value": "[parameters('tags')]"
+ },
+ "logStorageAccountName": {
+ "value": "[parameters('hubLogStorageAccountName')]"
+ },
+ "logStorageSkuName": {
+ "value": "[parameters('hubLogStorageSkuName')]"
+ },
+ "logAnalyticsWorkspaceResourceId": {
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('operationsResourceGroupName')), 'Microsoft.Resources/deployments', 'logAnalyticsWorkspace'), '2019-10-01').outputs.id.value]"
+ },
+ "virtualNetworkName": {
+ "value": "[parameters('hubVirtualNetworkName')]"
+ },
+ "virtualNetworkAddressPrefix": {
+ "value": "[parameters('hubVirtualNetworkAddressPrefix')]"
+ },
+ "virtualNetworkDiagnosticsLogs": {
+ "value": "[parameters('hubVirtualNetworkDiagnosticsLogs')]"
+ },
+ "virtualNetworkDiagnosticsMetrics": {
+ "value": "[parameters('hubVirtualNetworkDiagnosticsMetrics')]"
+ },
+ "networkSecurityGroupName": {
+ "value": "[parameters('hubNetworkSecurityGroupName')]"
+ },
+ "networkSecurityGroupRules": {
+ "value": "[parameters('hubNetworkSecurityGroupRules')]"
+ },
+ "subnetName": {
+ "value": "[parameters('hubSubnetName')]"
+ },
+ "subnetAddressPrefix": {
+ "value": "[parameters('hubSubnetAddressPrefix')]"
+ },
+ "subnetServiceEndpoints": {
+ "value": "[parameters('hubSubnetServiceEndpoints')]"
+ },
+ "firewallName": {
+ "value": "[parameters('firewallName')]"
+ },
+ "firewallSkuTier": {
+ "value": "[parameters('firewallSkuTier')]"
+ },
+ "firewallPolicyName": {
+ "value": "[parameters('firewallPolicyName')]"
+ },
+ "firewallThreatIntelMode": {
+ "value": "[parameters('firewallThreatIntelMode')]"
+ },
+ "firewallClientIpConfigurationName": {
+ "value": "[parameters('firewallClientIpConfigurationName')]"
+ },
+ "firewallClientSubnetName": {
+ "value": "[variables('firewallClientSubnetName')]"
+ },
+ "firewallClientSubnetAddressPrefix": {
+ "value": "[parameters('firewallClientSubnetAddressPrefix')]"
+ },
+ "firewallClientSubnetServiceEndpoints": {
+ "value": "[parameters('firewallClientSubnetServiceEndpoints')]"
+ },
+ "firewallClientPublicIPAddressName": {
+ "value": "[parameters('firewallClientPublicIPAddressName')]"
+ },
+ "firewallClientPublicIPAddressSkuName": {
+ "value": "[parameters('firewallClientPublicIPAddressSkuName')]"
+ },
+ "firewallClientPublicIpAllocationMethod": {
+ "value": "[parameters('firewallClientPublicIpAllocationMethod')]"
+ },
+ "firewallClientPublicIPAddressAvailabilityZones": {
+ "value": "[parameters('firewallClientPublicIPAddressAvailabilityZones')]"
+ },
+ "firewallManagementIpConfigurationName": {
+ "value": "[parameters('firewallManagementIpConfigurationName')]"
+ },
+ "firewallManagementSubnetName": {
+ "value": "[variables('firewallManagementSubnetName')]"
+ },
+ "firewallManagementSubnetAddressPrefix": {
+ "value": "[parameters('firewallManagementSubnetAddressPrefix')]"
+ },
+ "firewallManagementSubnetServiceEndpoints": {
+ "value": "[parameters('firewallManagementSubnetServiceEndpoints')]"
+ },
+ "firewallManagementPublicIPAddressName": {
+ "value": "[parameters('firewallManagementPublicIPAddressName')]"
+ },
+ "firewallManagementPublicIPAddressSkuName": {
+ "value": "[parameters('firewallManagementPublicIPAddressSkuName')]"
+ },
+ "firewallManagementPublicIpAllocationMethod": {
+ "value": "[parameters('firewallManagementPublicIpAllocationMethod')]"
+ },
+ "firewallManagementPublicIPAddressAvailabilityZones": {
+ "value": "[parameters('firewallManagementPublicIPAddressAvailabilityZones')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.4.451.19169",
+ "templateHash": "7795182658623507493"
+ }
+ },
+ "parameters": {
+ "location": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]"
+ },
+ "tags": {
+ "type": "object",
+ "defaultValue": {}
+ },
+ "logStorageAccountName": {
+ "type": "string"
+ },
+ "logStorageSkuName": {
+ "type": "string"
+ },
+ "logAnalyticsWorkspaceResourceId": {
+ "type": "string"
+ },
+ "virtualNetworkName": {
+ "type": "string"
+ },
+ "virtualNetworkAddressPrefix": {
+ "type": "string"
+ },
+ "virtualNetworkDiagnosticsLogs": {
+ "type": "array"
+ },
+ "virtualNetworkDiagnosticsMetrics": {
+ "type": "array"
+ },
+ "networkSecurityGroupName": {
+ "type": "string"
+ },
+ "networkSecurityGroupRules": {
+ "type": "array"
+ },
+ "subnetName": {
+ "type": "string"
+ },
+ "subnetAddressPrefix": {
+ "type": "string"
+ },
+ "subnetServiceEndpoints": {
+ "type": "array"
+ },
+ "routeTableName": {
+ "type": "string",
+ "defaultValue": "[format('{0}-routetable', parameters('subnetName'))]"
+ },
+ "routeTableRouteName": {
+ "type": "string",
+ "defaultValue": "default_route"
+ },
+ "routeTableRouteAddressPrefix": {
+ "type": "string",
+ "defaultValue": "0.0.0.0/0"
+ },
+ "routeTableRouteNextHopType": {
+ "type": "string",
+ "defaultValue": "VirtualAppliance"
+ },
+ "firewallName": {
+ "type": "string"
+ },
+ "firewallSkuTier": {
+ "type": "string"
+ },
+ "firewallPolicyName": {
+ "type": "string"
+ },
+ "firewallThreatIntelMode": {
+ "type": "string"
+ },
+ "firewallClientIpConfigurationName": {
+ "type": "string"
+ },
+ "firewallClientSubnetName": {
+ "type": "string"
+ },
+ "firewallClientSubnetAddressPrefix": {
+ "type": "string"
+ },
+ "firewallClientSubnetServiceEndpoints": {
+ "type": "array"
+ },
+ "firewallClientPublicIPAddressName": {
+ "type": "string"
+ },
+ "firewallClientPublicIPAddressSkuName": {
+ "type": "string"
+ },
+ "firewallClientPublicIpAllocationMethod": {
+ "type": "string"
+ },
+ "firewallClientPublicIPAddressAvailabilityZones": {
+ "type": "array"
+ },
+ "firewallManagementIpConfigurationName": {
+ "type": "string"
+ },
+ "firewallManagementSubnetName": {
+ "type": "string"
+ },
+ "firewallManagementSubnetAddressPrefix": {
+ "type": "string"
+ },
+ "firewallManagementSubnetServiceEndpoints": {
+ "type": "array"
+ },
+ "firewallManagementPublicIPAddressName": {
+ "type": "string"
+ },
+ "firewallManagementPublicIPAddressSkuName": {
+ "type": "string"
+ },
+ "firewallManagementPublicIpAllocationMethod": {
+ "type": "string"
+ },
+ "firewallManagementPublicIPAddressAvailabilityZones": {
+ "type": "array"
+ }
+ },
+ "functions": [],
+ "variables": {
+ "defaultVirtualNewtorkDiagnosticsLogs": [],
+ "defaultVirtualNetworkDiagnosticsMetrics": [
+ {
+ "category": "AllMetrics",
+ "enabled": true
+ }
+ ],
+ "defaultSubnetServiceEndpoints": [
+ {
+ "service": "Microsoft.Storage"
+ }
+ ],
+ "defaultNetworkSecurityGroupRules": [
+ {
+ "name": "allow_ssh",
+ "properties": {
+ "description": "Allow SSH access from anywhere",
+ "access": "Allow",
+ "priority": 100,
+ "protocol": "Tcp",
+ "direction": "Inbound",
+ "sourcePortRange": "*",
+ "sourceAddressPrefix": "*",
+ "destinationPortRange": "22",
+ "destinationAddressPrefix": "*"
+ }
+ },
+ {
+ "name": "allow_rdp",
+ "properties": {
+ "description": "Allow RDP access from anywhere",
+ "access": "Allow",
+ "priority": 200,
+ "protocol": "Tcp",
+ "direction": "Inbound",
+ "sourcePortRange": "*",
+ "sourceAddressPrefix": "*",
+ "destinationPortRange": "3389",
+ "destinationAddressPrefix": "*"
+ }
+ }
+ ]
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Network/virtualNetworks/subnets",
+ "apiVersion": "2021-02-01",
+ "name": "[format('{0}/{1}', parameters('virtualNetworkName'), parameters('subnetName'))]",
+ "properties": {
+ "addressPrefix": "[parameters('subnetAddressPrefix')]",
+ "networkSecurityGroup": {
+ "id": "[reference(resourceId('Microsoft.Resources/deployments', 'networkSecurityGroup'), '2019-10-01').outputs.id.value]"
+ },
+ "routeTable": {
+ "id": "[reference(resourceId('Microsoft.Resources/deployments', 'routeTable'), '2019-10-01').outputs.id.value]"
+ },
+ "serviceEndpoints": "[if(empty(parameters('subnetServiceEndpoints')), variables('defaultSubnetServiceEndpoints'), parameters('subnetServiceEndpoints'))]"
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', 'firewall')]",
+ "[resourceId('Microsoft.Resources/deployments', 'networkSecurityGroup')]",
+ "[resourceId('Microsoft.Resources/deployments', 'routeTable')]",
+ "[resourceId('Microsoft.Resources/deployments', 'virtualNetwork')]"
+ ]
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "logStorage",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "storageAccountName": {
+ "value": "[parameters('logStorageAccountName')]"
+ },
+ "location": {
+ "value": "[parameters('location')]"
+ },
+ "skuName": {
+ "value": "[parameters('logStorageSkuName')]"
+ },
+ "tags": {
+ "value": "[parameters('tags')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.4.451.19169",
+ "templateHash": "7478919688835670168"
+ }
+ },
+ "parameters": {
+ "storageAccountName": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ },
+ "skuName": {
+ "type": "string"
+ },
+ "tags": {
+ "type": "object",
+ "defaultValue": {}
+ }
+ },
+ "functions": [],
+ "resources": [
+ {
+ "type": "Microsoft.Storage/storageAccounts",
+ "apiVersion": "2019-06-01",
+ "name": "[parameters('storageAccountName')]",
+ "location": "[parameters('location')]",
+ "kind": "Storage",
+ "sku": {
+ "name": "[parameters('skuName')]"
+ },
+ "tags": "[parameters('tags')]"
+ }
+ ],
+ "outputs": {
+ "id": {
+ "type": "string",
+ "value": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]"
+ }
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "networkSecurityGroup",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "name": {
+ "value": "[parameters('networkSecurityGroupName')]"
+ },
+ "location": {
+ "value": "[parameters('location')]"
+ },
+ "tags": {
+ "value": "[parameters('tags')]"
+ },
+ "securityRules": {
+ "value": "[if(empty(parameters('networkSecurityGroupRules')), variables('defaultNetworkSecurityGroupRules'), parameters('networkSecurityGroupRules'))]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.4.451.19169",
+ "templateHash": "16344320883906419641"
+ }
+ },
+ "parameters": {
+ "name": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ },
+ "tags": {
+ "type": "object",
+ "defaultValue": {}
+ },
+ "securityRules": {
+ "type": "array"
+ }
+ },
+ "functions": [],
+ "resources": [
+ {
+ "type": "Microsoft.Network/networkSecurityGroups",
+ "apiVersion": "2021-02-01",
+ "name": "[parameters('name')]",
+ "location": "[parameters('location')]",
+ "tags": "[parameters('tags')]",
+ "properties": {
+ "securityRules": "[parameters('securityRules')]"
+ }
+ }
+ ],
+ "outputs": {
+ "id": {
+ "type": "string",
+ "value": "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('name'))]"
+ },
+ "name": {
+ "type": "string",
+ "value": "[parameters('name')]"
+ }
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "virtualNetwork",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "name": {
+ "value": "[parameters('virtualNetworkName')]"
+ },
+ "location": {
+ "value": "[parameters('location')]"
+ },
+ "tags": {
+ "value": "[parameters('tags')]"
+ },
+ "addressPrefix": {
+ "value": "[parameters('virtualNetworkAddressPrefix')]"
+ },
+ "diagnosticsLogs": {
+ "value": "[if(empty(parameters('virtualNetworkDiagnosticsLogs')), variables('defaultVirtualNewtorkDiagnosticsLogs'), parameters('virtualNetworkDiagnosticsLogs'))]"
+ },
+ "diagnosticsMetrics": {
+ "value": "[if(empty(parameters('virtualNetworkDiagnosticsMetrics')), variables('defaultVirtualNetworkDiagnosticsMetrics'), parameters('virtualNetworkDiagnosticsMetrics'))]"
+ },
+ "subnets": {
+ "value": [
+ {
+ "name": "[parameters('firewallClientSubnetName')]",
+ "properties": {
+ "addressPrefix": "[parameters('firewallClientSubnetAddressPrefix')]",
+ "serviceEndpoints": "[parameters('firewallClientSubnetServiceEndpoints')]"
+ }
+ },
+ {
+ "name": "[parameters('firewallManagementSubnetName')]",
+ "properties": {
+ "addressPrefix": "[parameters('firewallManagementSubnetAddressPrefix')]",
+ "serviceEndpoints": "[parameters('firewallManagementSubnetServiceEndpoints')]"
+ }
+ }
+ ]
+ },
+ "logAnalyticsWorkspaceResourceId": {
+ "value": "[parameters('logAnalyticsWorkspaceResourceId')]"
+ },
+ "logStorageAccountResourceId": {
+ "value": "[reference(resourceId('Microsoft.Resources/deployments', 'logStorage'), '2019-10-01').outputs.id.value]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.4.451.19169",
+ "templateHash": "4251305185578211506"
+ }
+ },
+ "parameters": {
+ "name": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ },
+ "tags": {
+ "type": "object",
+ "defaultValue": {}
+ },
+ "addressPrefix": {
+ "type": "string"
+ },
+ "logAnalyticsWorkspaceResourceId": {
+ "type": "string"
+ },
+ "logStorageAccountResourceId": {
+ "type": "string"
+ },
+ "subnets": {
+ "type": "array"
+ },
+ "diagnosticsMetrics": {
+ "type": "array"
+ },
+ "diagnosticsLogs": {
+ "type": "array"
+ }
+ },
+ "functions": [],
+ "resources": [
+ {
+ "type": "Microsoft.Network/virtualNetworks",
+ "apiVersion": "2021-02-01",
+ "name": "[parameters('name')]",
+ "location": "[parameters('location')]",
+ "tags": "[parameters('tags')]",
+ "properties": {
+ "addressSpace": {
+ "addressPrefixes": [
+ "[parameters('addressPrefix')]"
+ ]
+ },
+ "subnets": "[parameters('subnets')]"
+ }
+ },
+ {
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "apiVersion": "2017-05-01-preview",
+ "scope": "[format('Microsoft.Network/virtualNetworks/{0}', parameters('name'))]",
+ "name": "[format('{0}-diagnostics', parameters('name'))]",
+ "properties": {
+ "storageAccountId": "[parameters('logStorageAccountResourceId')]",
+ "workspaceId": "[parameters('logAnalyticsWorkspaceResourceId')]",
+ "metrics": "[parameters('diagnosticsMetrics')]",
+ "logs": "[parameters('diagnosticsLogs')]"
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Network/virtualNetworks', parameters('name'))]"
+ ]
+ }
+ ],
+ "outputs": {
+ "name": {
+ "type": "string",
+ "value": "[parameters('name')]"
+ },
+ "id": {
+ "type": "string",
+ "value": "[resourceId('Microsoft.Network/virtualNetworks', parameters('name'))]"
+ },
+ "subnets": {
+ "type": "array",
+ "value": "[reference(resourceId('Microsoft.Network/virtualNetworks', parameters('name'))).subnets]"
+ }
+ }
+ }
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', 'logStorage')]"
+ ]
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "routeTable",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "name": {
+ "value": "[parameters('routeTableName')]"
+ },
+ "location": {
+ "value": "[parameters('location')]"
+ },
+ "tags": {
+ "value": "[parameters('tags')]"
+ },
+ "routeName": {
+ "value": "[parameters('routeTableRouteName')]"
+ },
+ "routeAddressPrefix": {
+ "value": "[parameters('routeTableRouteAddressPrefix')]"
+ },
+ "routeNextHopIpAddress": {
+ "value": "[reference(resourceId('Microsoft.Resources/deployments', 'firewall'), '2019-10-01').outputs.privateIPAddress.value]"
+ },
+ "routeNextHopType": {
+ "value": "[parameters('routeTableRouteNextHopType')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.4.451.19169",
+ "templateHash": "9581615100111735872"
+ }
+ },
+ "parameters": {
+ "name": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ },
+ "tags": {
+ "type": "object",
+ "defaultValue": {}
+ },
+ "routeName": {
+ "type": "string"
+ },
+ "routeAddressPrefix": {
+ "type": "string"
+ },
+ "routeNextHopIpAddress": {
+ "type": "string"
+ },
+ "routeNextHopType": {
+ "type": "string"
+ }
+ },
+ "functions": [],
+ "resources": [
+ {
+ "type": "Microsoft.Network/routeTables",
+ "apiVersion": "2021-02-01",
+ "name": "[parameters('name')]",
+ "location": "[parameters('location')]",
+ "tags": "[parameters('tags')]",
+ "properties": {
+ "routes": [
+ {
+ "name": "[parameters('routeName')]",
+ "properties": {
+ "addressPrefix": "[parameters('routeAddressPrefix')]",
+ "nextHopIpAddress": "[parameters('routeNextHopIpAddress')]",
+ "nextHopType": "[parameters('routeNextHopType')]"
+ }
+ }
+ ]
+ }
+ }
+ ],
+ "outputs": {
+ "id": {
+ "type": "string",
+ "value": "[resourceId('Microsoft.Network/routeTables', parameters('name'))]"
+ },
+ "name": {
+ "type": "string",
+ "value": "[parameters('name')]"
+ }
+ }
+ }
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', 'firewall')]"
+ ]
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "firewallClientPublicIPAddress",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "name": {
+ "value": "[parameters('firewallClientPublicIPAddressName')]"
+ },
+ "location": {
+ "value": "[parameters('location')]"
+ },
+ "tags": {
+ "value": "[parameters('tags')]"
+ },
+ "skuName": {
+ "value": "[parameters('firewallClientPublicIPAddressSkuName')]"
+ },
+ "publicIpAllocationMethod": {
+ "value": "[parameters('firewallClientPublicIpAllocationMethod')]"
+ },
+ "availabilityZones": {
+ "value": "[parameters('firewallClientPublicIPAddressAvailabilityZones')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.4.451.19169",
+ "templateHash": "11223093195346446502"
+ }
+ },
+ "parameters": {
+ "name": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ },
+ "tags": {
+ "type": "object",
+ "defaultValue": {}
+ },
+ "skuName": {
+ "type": "string"
+ },
+ "publicIpAllocationMethod": {
+ "type": "string"
+ },
+ "availabilityZones": {
+ "type": "array"
+ }
+ },
+ "functions": [],
+ "resources": [
+ {
+ "type": "Microsoft.Network/publicIPAddresses",
+ "apiVersion": "2021-02-01",
+ "name": "[parameters('name')]",
+ "location": "[parameters('location')]",
+ "tags": "[parameters('tags')]",
+ "sku": {
+ "name": "[parameters('skuName')]"
+ },
+ "properties": {
+ "publicIPAllocationMethod": "[parameters('publicIpAllocationMethod')]"
+ },
+ "zones": "[parameters('availabilityZones')]"
+ }
+ ],
+ "outputs": {
+ "id": {
+ "type": "string",
+ "value": "[resourceId('Microsoft.Network/publicIPAddresses', parameters('name'))]"
+ }
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "firewallManagementPublicIPAddress",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "name": {
+ "value": "[parameters('firewallManagementPublicIPAddressName')]"
+ },
+ "location": {
+ "value": "[parameters('location')]"
+ },
+ "tags": {
+ "value": "[parameters('tags')]"
+ },
+ "skuName": {
+ "value": "[parameters('firewallManagementPublicIPAddressSkuName')]"
+ },
+ "publicIpAllocationMethod": {
+ "value": "[parameters('firewallManagementPublicIpAllocationMethod')]"
+ },
+ "availabilityZones": {
+ "value": "[parameters('firewallManagementPublicIPAddressAvailabilityZones')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.4.451.19169",
+ "templateHash": "11223093195346446502"
+ }
+ },
+ "parameters": {
+ "name": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ },
+ "tags": {
+ "type": "object",
+ "defaultValue": {}
+ },
+ "skuName": {
+ "type": "string"
+ },
+ "publicIpAllocationMethod": {
+ "type": "string"
+ },
+ "availabilityZones": {
+ "type": "array"
+ }
+ },
+ "functions": [],
+ "resources": [
+ {
+ "type": "Microsoft.Network/publicIPAddresses",
+ "apiVersion": "2021-02-01",
+ "name": "[parameters('name')]",
+ "location": "[parameters('location')]",
+ "tags": "[parameters('tags')]",
+ "sku": {
+ "name": "[parameters('skuName')]"
+ },
+ "properties": {
+ "publicIPAllocationMethod": "[parameters('publicIpAllocationMethod')]"
+ },
+ "zones": "[parameters('availabilityZones')]"
+ }
+ ],
+ "outputs": {
+ "id": {
+ "type": "string",
+ "value": "[resourceId('Microsoft.Network/publicIPAddresses', parameters('name'))]"
+ }
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "firewall",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "name": {
+ "value": "[parameters('firewallName')]"
+ },
+ "location": {
+ "value": "[parameters('location')]"
+ },
+ "tags": {
+ "value": "[parameters('tags')]"
+ },
+ "skuTier": {
+ "value": "[parameters('firewallSkuTier')]"
+ },
+ "firewallPolicyName": {
+ "value": "[parameters('firewallPolicyName')]"
+ },
+ "threatIntelMode": {
+ "value": "[parameters('firewallThreatIntelMode')]"
+ },
+ "clientIpConfigurationName": {
+ "value": "[parameters('firewallClientIpConfigurationName')]"
+ },
+ "clientIpConfigurationSubnetResourceId": {
+ "value": "[format('{0}/subnets/{1}', reference(resourceId('Microsoft.Resources/deployments', 'virtualNetwork'), '2019-10-01').outputs.id.value, parameters('firewallClientSubnetName'))]"
+ },
+ "clientIpConfigurationPublicIPAddressResourceId": {
+ "value": "[reference(resourceId('Microsoft.Resources/deployments', 'firewallClientPublicIPAddress'), '2019-10-01').outputs.id.value]"
+ },
+ "managementIpConfigurationName": {
+ "value": "[parameters('firewallManagementIpConfigurationName')]"
+ },
+ "managementIpConfigurationSubnetResourceId": {
+ "value": "[format('{0}/subnets/{1}', reference(resourceId('Microsoft.Resources/deployments', 'virtualNetwork'), '2019-10-01').outputs.id.value, parameters('firewallManagementSubnetName'))]"
+ },
+ "managementIpConfigurationPublicIPAddressResourceId": {
+ "value": "[reference(resourceId('Microsoft.Resources/deployments', 'firewallManagementPublicIPAddress'), '2019-10-01').outputs.id.value]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.4.451.19169",
+ "templateHash": "1108501968354388067"
+ }
+ },
+ "parameters": {
+ "name": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]"
+ },
+ "tags": {
+ "type": "object",
+ "defaultValue": {}
+ },
+ "skuTier": {
+ "type": "string"
+ },
+ "threatIntelMode": {
+ "type": "string"
+ },
+ "clientIpConfigurationName": {
+ "type": "string"
+ },
+ "clientIpConfigurationSubnetResourceId": {
+ "type": "string"
+ },
+ "clientIpConfigurationPublicIPAddressResourceId": {
+ "type": "string"
+ },
+ "managementIpConfigurationName": {
+ "type": "string"
+ },
+ "managementIpConfigurationSubnetResourceId": {
+ "type": "string"
+ },
+ "managementIpConfigurationPublicIPAddressResourceId": {
+ "type": "string"
+ },
+ "firewallPolicyName": {
+ "type": "string"
+ }
+ },
+ "functions": [],
+ "resources": [
+ {
+ "type": "Microsoft.Network/firewallPolicies",
+ "apiVersion": "2021-02-01",
+ "name": "[parameters('firewallPolicyName')]",
+ "location": "[parameters('location')]",
+ "tags": "[parameters('tags')]",
+ "properties": {
+ "threatIntelMode": "[parameters('threatIntelMode')]",
+ "sku": {
+ "tier": "[parameters('skuTier')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Network/azureFirewalls",
+ "apiVersion": "2021-02-01",
+ "name": "[parameters('name')]",
+ "location": "[parameters('location')]",
+ "tags": "[parameters('tags')]",
+ "properties": {
+ "ipConfigurations": [
+ {
+ "name": "[parameters('clientIpConfigurationName')]",
+ "properties": {
+ "subnet": {
+ "id": "[parameters('clientIpConfigurationSubnetResourceId')]"
+ },
+ "publicIPAddress": {
+ "id": "[parameters('clientIpConfigurationPublicIPAddressResourceId')]"
+ }
+ }
+ }
+ ],
+ "managementIpConfiguration": {
+ "name": "[parameters('managementIpConfigurationName')]",
+ "properties": {
+ "subnet": {
+ "id": "[parameters('managementIpConfigurationSubnetResourceId')]"
+ },
+ "publicIPAddress": {
+ "id": "[parameters('managementIpConfigurationPublicIPAddressResourceId')]"
+ }
+ }
+ },
+ "firewallPolicy": {
+ "id": "[resourceId('Microsoft.Network/firewallPolicies', parameters('firewallPolicyName'))]"
+ },
+ "sku": {
+ "tier": "[parameters('skuTier')]"
+ }
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Network/firewallPolicies', parameters('firewallPolicyName'))]"
+ ]
+ }
+ ],
+ "outputs": {
+ "privateIPAddress": {
+ "type": "string",
+ "value": "[reference(resourceId('Microsoft.Network/azureFirewalls', parameters('name'))).ipConfigurations[0].properties.privateIPAddress]"
+ }
+ }
+ }
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', 'firewallClientPublicIPAddress')]",
+ "[resourceId('Microsoft.Resources/deployments', 'firewallManagementPublicIPAddress')]",
+ "[resourceId('Microsoft.Resources/deployments', 'virtualNetwork')]"
+ ]
+ }
+ ],
+ "outputs": {
+ "virtualNetworkName": {
+ "type": "string",
+ "value": "[reference(resourceId('Microsoft.Resources/deployments', 'virtualNetwork'), '2019-10-01').outputs.name.value]"
+ },
+ "virtualNetworkResourceId": {
+ "type": "string",
+ "value": "[reference(resourceId('Microsoft.Resources/deployments', 'virtualNetwork'), '2019-10-01').outputs.id.value]"
+ },
+ "subnetName": {
+ "type": "string",
+ "value": "[format('{0}/{1}', parameters('virtualNetworkName'), parameters('subnetName'))]"
+ },
+ "subnetAddressPrefix": {
+ "type": "string",
+ "value": "[reference(resourceId('Microsoft.Network/virtualNetworks/subnets', split(format('{0}/{1}', parameters('virtualNetworkName'), parameters('subnetName')), '/')[0], split(format('{0}/{1}', parameters('virtualNetworkName'), parameters('subnetName')), '/')[1])).addressPrefix]"
+ },
+ "subnetResourceId": {
+ "type": "string",
+ "value": "[resourceId('Microsoft.Network/virtualNetworks/subnets', split(format('{0}/{1}', parameters('virtualNetworkName'), parameters('subnetName')), '/')[0], split(format('{0}/{1}', parameters('virtualNetworkName'), parameters('subnetName')), '/')[1])]"
+ },
+ "networkSecurityGroupName": {
+ "type": "string",
+ "value": "[reference(resourceId('Microsoft.Resources/deployments', 'networkSecurityGroup'), '2019-10-01').outputs.name.value]"
+ },
+ "networkSecurityGroupResourceId": {
+ "type": "string",
+ "value": "[reference(resourceId('Microsoft.Resources/deployments', 'networkSecurityGroup'), '2019-10-01').outputs.id.value]"
+ },
+ "firewallPrivateIPAddress": {
+ "type": "string",
+ "value": "[reference(resourceId('Microsoft.Resources/deployments', 'firewall'), '2019-10-01').outputs.privateIPAddress.value]"
+ }
+ }
+ }
+ },
+ "dependsOn": [
+ "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('operationsResourceGroupName')), 'Microsoft.Resources/deployments', 'logAnalyticsWorkspace')]"
+ ]
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "[format('{0}-identity', parameters('resourcePrefix'))]",
+ "subscriptionId": "[parameters('identitySubscriptionId')]",
+ "resourceGroup": "[parameters('identityResourceGroupName')]",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "location": {
+ "value": "[parameters('identityLocation')]"
+ },
+ "tags": {
+ "value": "[parameters('tags')]"
+ },
+ "logStorageAccountName": {
+ "value": "[parameters('identityLogStorageAccountName')]"
+ },
+ "logStorageSkuName": {
+ "value": "[parameters('identityLogStorageSkuName')]"
+ },
+ "logAnalyticsWorkspaceResourceId": {
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('operationsResourceGroupName')), 'Microsoft.Resources/deployments', 'logAnalyticsWorkspace'), '2019-10-01').outputs.id.value]"
+ },
+ "firewallPrivateIPAddress": {
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), parameters('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('{0}-hub', parameters('resourcePrefix'))), '2019-10-01').outputs.firewallPrivateIPAddress.value]"
+ },
+ "virtualNetworkName": {
+ "value": "[parameters('identityVirtualNetworkName')]"
+ },
+ "virtualNetworkAddressPrefix": {
+ "value": "[parameters('identityVirtualNetworkAddressPrefix')]"
+ },
+ "virtualNetworkDiagnosticsLogs": {
+ "value": "[parameters('identityVirtualNetworkDiagnosticsLogs')]"
+ },
+ "virtualNetworkDiagnosticsMetrics": {
+ "value": "[parameters('identityVirtualNetworkDiagnosticsMetrics')]"
+ },
+ "networkSecurityGroupName": {
+ "value": "[parameters('identityNetworkSecurityGroupName')]"
+ },
+ "networkSecurityGroupRules": {
+ "value": "[parameters('identityNetworkSecurityGroupRules')]"
+ },
+ "subnetName": {
+ "value": "[parameters('identitySubnetName')]"
+ },
+ "subnetAddressPrefix": {
+ "value": "[parameters('identitySubnetAddressPrefix')]"
+ },
+ "subnetServiceEndpoints": {
+ "value": "[parameters('identitySubnetServiceEndpoints')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.4.451.19169",
+ "templateHash": "102664795413105394"
+ }
+ },
+ "parameters": {
+ "location": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]"
+ },
+ "tags": {
+ "type": "object",
+ "defaultValue": {}
+ },
+ "logStorageAccountName": {
+ "type": "string"
+ },
+ "logStorageSkuName": {
+ "type": "string"
+ },
+ "logAnalyticsWorkspaceResourceId": {
+ "type": "string"
+ },
+ "firewallPrivateIPAddress": {
+ "type": "string"
+ },
+ "virtualNetworkName": {
+ "type": "string"
+ },
+ "virtualNetworkAddressPrefix": {
+ "type": "string"
+ },
+ "virtualNetworkDiagnosticsLogs": {
+ "type": "array"
+ },
+ "virtualNetworkDiagnosticsMetrics": {
+ "type": "array"
+ },
+ "networkSecurityGroupName": {
+ "type": "string"
+ },
+ "networkSecurityGroupRules": {
+ "type": "array"
+ },
+ "subnetName": {
+ "type": "string"
+ },
+ "subnetAddressPrefix": {
+ "type": "string"
+ },
+ "subnetServiceEndpoints": {
+ "type": "array"
+ },
+ "routeTableName": {
+ "type": "string",
+ "defaultValue": "[format('{0}-routetable', parameters('subnetName'))]"
+ },
+ "routeTableRouteName": {
+ "type": "string",
+ "defaultValue": "default_route"
+ },
+ "routeTableRouteAddressPrefix": {
+ "type": "string",
+ "defaultValue": "0.0.0.0/0"
+ },
+ "routeTableRouteNextHopIpAddress": {
+ "type": "string",
+ "defaultValue": "[parameters('firewallPrivateIPAddress')]"
+ },
+ "routeTableRouteNextHopType": {
+ "type": "string",
+ "defaultValue": "VirtualAppliance"
+ }
+ },
+ "functions": [],
+ "variables": {
+ "defaultVirtualNetworkDiagnosticsLogs": [],
+ "defaultVirtualNetworkDiagnosticsMetrics": [
+ {
+ "category": "AllMetrics",
+ "enabled": true
+ }
+ ],
+ "defaultSubnetServiceEndpoints": [
+ {
+ "service": "Microsoft.Storage"
+ }
+ ],
+ "defaultNetworkSecurityGroupRules": [
+ {
+ "name": "allow_ssh",
+ "properties": {
+ "description": "Allow SSH access from anywhere",
+ "access": "Allow",
+ "priority": 100,
+ "protocol": "Tcp",
+ "direction": "Inbound",
+ "sourcePortRange": "*",
+ "sourceAddressPrefix": "*",
+ "destinationPortRange": "22",
+ "destinationAddressPrefix": "*"
+ }
+ },
+ {
+ "name": "allow_rdp",
+ "properties": {
+ "description": "Allow RDP access from anywhere",
+ "access": "Allow",
+ "priority": 200,
+ "protocol": "Tcp",
+ "direction": "Inbound",
+ "sourcePortRange": "*",
+ "sourceAddressPrefix": "*",
+ "destinationPortRange": "3389",
+ "destinationAddressPrefix": "*"
+ }
+ }
+ ]
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "logStorage",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "storageAccountName": {
+ "value": "[parameters('logStorageAccountName')]"
+ },
+ "location": {
+ "value": "[parameters('location')]"
+ },
+ "skuName": {
+ "value": "[parameters('logStorageSkuName')]"
+ },
+ "tags": {
+ "value": "[parameters('tags')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.4.451.19169",
+ "templateHash": "7478919688835670168"
+ }
+ },
+ "parameters": {
+ "storageAccountName": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ },
+ "skuName": {
+ "type": "string"
+ },
+ "tags": {
+ "type": "object",
+ "defaultValue": {}
+ }
+ },
+ "functions": [],
+ "resources": [
+ {
+ "type": "Microsoft.Storage/storageAccounts",
+ "apiVersion": "2019-06-01",
+ "name": "[parameters('storageAccountName')]",
+ "location": "[parameters('location')]",
+ "kind": "Storage",
+ "sku": {
+ "name": "[parameters('skuName')]"
+ },
+ "tags": "[parameters('tags')]"
+ }
+ ],
+ "outputs": {
+ "id": {
+ "type": "string",
+ "value": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]"
+ }
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "networkSecurityGroup",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "name": {
+ "value": "[parameters('networkSecurityGroupName')]"
+ },
+ "location": {
+ "value": "[parameters('location')]"
+ },
+ "tags": {
+ "value": "[parameters('tags')]"
+ },
+ "securityRules": {
+ "value": "[if(empty(parameters('networkSecurityGroupRules')), variables('defaultNetworkSecurityGroupRules'), parameters('networkSecurityGroupRules'))]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.4.451.19169",
+ "templateHash": "16344320883906419641"
+ }
+ },
+ "parameters": {
+ "name": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ },
+ "tags": {
+ "type": "object",
+ "defaultValue": {}
+ },
+ "securityRules": {
+ "type": "array"
+ }
+ },
+ "functions": [],
+ "resources": [
+ {
+ "type": "Microsoft.Network/networkSecurityGroups",
+ "apiVersion": "2021-02-01",
+ "name": "[parameters('name')]",
+ "location": "[parameters('location')]",
+ "tags": "[parameters('tags')]",
+ "properties": {
+ "securityRules": "[parameters('securityRules')]"
+ }
+ }
+ ],
+ "outputs": {
+ "id": {
+ "type": "string",
+ "value": "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('name'))]"
+ },
+ "name": {
+ "type": "string",
+ "value": "[parameters('name')]"
+ }
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "routeTable",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "name": {
+ "value": "[parameters('routeTableName')]"
+ },
+ "location": {
+ "value": "[parameters('location')]"
+ },
+ "tags": {
+ "value": "[parameters('tags')]"
+ },
+ "routeName": {
+ "value": "[parameters('routeTableRouteName')]"
+ },
+ "routeAddressPrefix": {
+ "value": "[parameters('routeTableRouteAddressPrefix')]"
+ },
+ "routeNextHopIpAddress": {
+ "value": "[parameters('routeTableRouteNextHopIpAddress')]"
+ },
+ "routeNextHopType": {
+ "value": "[parameters('routeTableRouteNextHopType')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.4.451.19169",
+ "templateHash": "9581615100111735872"
+ }
+ },
+ "parameters": {
+ "name": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ },
+ "tags": {
+ "type": "object",
+ "defaultValue": {}
+ },
+ "routeName": {
+ "type": "string"
+ },
+ "routeAddressPrefix": {
+ "type": "string"
+ },
+ "routeNextHopIpAddress": {
+ "type": "string"
+ },
+ "routeNextHopType": {
+ "type": "string"
+ }
+ },
+ "functions": [],
+ "resources": [
+ {
+ "type": "Microsoft.Network/routeTables",
+ "apiVersion": "2021-02-01",
+ "name": "[parameters('name')]",
+ "location": "[parameters('location')]",
+ "tags": "[parameters('tags')]",
+ "properties": {
+ "routes": [
+ {
+ "name": "[parameters('routeName')]",
+ "properties": {
+ "addressPrefix": "[parameters('routeAddressPrefix')]",
+ "nextHopIpAddress": "[parameters('routeNextHopIpAddress')]",
+ "nextHopType": "[parameters('routeNextHopType')]"
+ }
+ }
+ ]
+ }
+ }
+ ],
+ "outputs": {
+ "id": {
+ "type": "string",
+ "value": "[resourceId('Microsoft.Network/routeTables', parameters('name'))]"
+ },
+ "name": {
+ "type": "string",
+ "value": "[parameters('name')]"
+ }
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "virtualNetwork",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "name": {
+ "value": "[parameters('virtualNetworkName')]"
+ },
+ "location": {
+ "value": "[parameters('location')]"
+ },
+ "tags": {
+ "value": "[parameters('tags')]"
+ },
+ "addressPrefix": {
+ "value": "[parameters('virtualNetworkAddressPrefix')]"
+ },
+ "diagnosticsLogs": {
+ "value": "[if(empty(parameters('virtualNetworkDiagnosticsLogs')), variables('defaultVirtualNetworkDiagnosticsLogs'), parameters('virtualNetworkDiagnosticsLogs'))]"
+ },
+ "diagnosticsMetrics": {
+ "value": "[if(empty(parameters('virtualNetworkDiagnosticsMetrics')), variables('defaultVirtualNetworkDiagnosticsMetrics'), parameters('virtualNetworkDiagnosticsMetrics'))]"
+ },
+ "subnets": {
+ "value": [
+ {
+ "name": "[parameters('subnetName')]",
+ "properties": {
+ "addressPrefix": "[parameters('subnetAddressPrefix')]",
+ "networkSecurityGroup": {
+ "id": "[reference(resourceId('Microsoft.Resources/deployments', 'networkSecurityGroup'), '2019-10-01').outputs.id.value]"
+ },
+ "routeTable": {
+ "id": "[reference(resourceId('Microsoft.Resources/deployments', 'routeTable'), '2019-10-01').outputs.id.value]"
+ },
+ "serviceEndpoints": "[if(empty(parameters('subnetServiceEndpoints')), variables('defaultSubnetServiceEndpoints'), parameters('subnetServiceEndpoints'))]"
+ }
+ }
+ ]
+ },
+ "logAnalyticsWorkspaceResourceId": {
+ "value": "[parameters('logAnalyticsWorkspaceResourceId')]"
+ },
+ "logStorageAccountResourceId": {
+ "value": "[reference(resourceId('Microsoft.Resources/deployments', 'logStorage'), '2019-10-01').outputs.id.value]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.4.451.19169",
+ "templateHash": "4251305185578211506"
+ }
+ },
+ "parameters": {
+ "name": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ },
+ "tags": {
+ "type": "object",
+ "defaultValue": {}
+ },
+ "addressPrefix": {
+ "type": "string"
+ },
+ "logAnalyticsWorkspaceResourceId": {
+ "type": "string"
+ },
+ "logStorageAccountResourceId": {
+ "type": "string"
+ },
+ "subnets": {
+ "type": "array"
+ },
+ "diagnosticsMetrics": {
+ "type": "array"
+ },
+ "diagnosticsLogs": {
+ "type": "array"
+ }
+ },
+ "functions": [],
+ "resources": [
+ {
+ "type": "Microsoft.Network/virtualNetworks",
+ "apiVersion": "2021-02-01",
+ "name": "[parameters('name')]",
+ "location": "[parameters('location')]",
+ "tags": "[parameters('tags')]",
+ "properties": {
+ "addressSpace": {
+ "addressPrefixes": [
+ "[parameters('addressPrefix')]"
+ ]
+ },
+ "subnets": "[parameters('subnets')]"
+ }
+ },
+ {
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "apiVersion": "2017-05-01-preview",
+ "scope": "[format('Microsoft.Network/virtualNetworks/{0}', parameters('name'))]",
+ "name": "[format('{0}-diagnostics', parameters('name'))]",
+ "properties": {
+ "storageAccountId": "[parameters('logStorageAccountResourceId')]",
+ "workspaceId": "[parameters('logAnalyticsWorkspaceResourceId')]",
+ "metrics": "[parameters('diagnosticsMetrics')]",
+ "logs": "[parameters('diagnosticsLogs')]"
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Network/virtualNetworks', parameters('name'))]"
+ ]
+ }
+ ],
+ "outputs": {
+ "name": {
+ "type": "string",
+ "value": "[parameters('name')]"
+ },
+ "id": {
+ "type": "string",
+ "value": "[resourceId('Microsoft.Network/virtualNetworks', parameters('name'))]"
+ },
+ "subnets": {
+ "type": "array",
+ "value": "[reference(resourceId('Microsoft.Network/virtualNetworks', parameters('name'))).subnets]"
+ }
+ }
+ }
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', 'logStorage')]",
+ "[resourceId('Microsoft.Resources/deployments', 'networkSecurityGroup')]",
+ "[resourceId('Microsoft.Resources/deployments', 'routeTable')]"
+ ]
+ }
+ ],
+ "outputs": {
+ "virtualNetworkName": {
+ "type": "string",
+ "value": "[reference(resourceId('Microsoft.Resources/deployments', 'virtualNetwork'), '2019-10-01').outputs.name.value]"
+ },
+ "virtualNetworkResourceId": {
+ "type": "string",
+ "value": "[reference(resourceId('Microsoft.Resources/deployments', 'virtualNetwork'), '2019-10-01').outputs.id.value]"
+ },
+ "subnetName": {
+ "type": "string",
+ "value": "[reference(resourceId('Microsoft.Resources/deployments', 'virtualNetwork'), '2019-10-01').outputs.subnets.value[0].name]"
+ },
+ "subnetAddressPrefix": {
+ "type": "string",
+ "value": "[reference(resourceId('Microsoft.Resources/deployments', 'virtualNetwork'), '2019-10-01').outputs.subnets.value[0].properties.addressPrefix]"
+ },
+ "subnetResourceId": {
+ "type": "string",
+ "value": "[reference(resourceId('Microsoft.Resources/deployments', 'virtualNetwork'), '2019-10-01').outputs.subnets.value[0].id]"
+ },
+ "networkSecurityGroupName": {
+ "type": "string",
+ "value": "[reference(resourceId('Microsoft.Resources/deployments', 'networkSecurityGroup'), '2019-10-01').outputs.name.value]"
+ },
+ "networkSecurityGroupResourceId": {
+ "type": "string",
+ "value": "[reference(resourceId('Microsoft.Resources/deployments', 'networkSecurityGroup'), '2019-10-01').outputs.id.value]"
+ }
+ }
+ }
+ },
+ "dependsOn": [
+ "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), parameters('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('{0}-hub', parameters('resourcePrefix')))]",
+ "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('operationsResourceGroupName')), 'Microsoft.Resources/deployments', 'logAnalyticsWorkspace')]"
+ ]
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "[format('{0}-operations', parameters('resourcePrefix'))]",
+ "subscriptionId": "[parameters('operationsSubscriptionId')]",
+ "resourceGroup": "[parameters('operationsResourceGroupName')]",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "location": {
+ "value": "[parameters('operationsLocation')]"
+ },
+ "tags": {
+ "value": "[parameters('tags')]"
+ },
+ "logStorageAccountName": {
+ "value": "[parameters('operationsLogStorageAccountName')]"
+ },
+ "logStorageSkuName": {
+ "value": "[parameters('operationsLogStorageSkuName')]"
+ },
+ "logAnalyticsWorkspaceResourceId": {
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('operationsResourceGroupName')), 'Microsoft.Resources/deployments', 'logAnalyticsWorkspace'), '2019-10-01').outputs.id.value]"
+ },
+ "firewallPrivateIPAddress": {
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), parameters('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('{0}-hub', parameters('resourcePrefix'))), '2019-10-01').outputs.firewallPrivateIPAddress.value]"
+ },
+ "virtualNetworkName": {
+ "value": "[parameters('operationsVirtualNetworkName')]"
+ },
+ "virtualNetworkAddressPrefix": {
+ "value": "[parameters('operationsVirtualNetworkAddressPrefix')]"
+ },
+ "virtualNetworkDiagnosticsLogs": {
+ "value": "[parameters('operationsVirtualNetworkDiagnosticsLogs')]"
+ },
+ "virtualNetworkDiagnosticsMetrics": {
+ "value": "[parameters('operationsVirtualNetworkDiagnosticsMetrics')]"
+ },
+ "networkSecurityGroupName": {
+ "value": "[parameters('operationsNetworkSecurityGroupName')]"
+ },
+ "networkSecurityGroupRules": {
+ "value": "[parameters('operationsNetworkSecurityGroupRules')]"
+ },
+ "subnetName": {
+ "value": "[parameters('operationsSubnetName')]"
+ },
+ "subnetAddressPrefix": {
+ "value": "[parameters('operationsSubnetAddressPrefix')]"
+ },
+ "subnetServiceEndpoints": {
+ "value": "[parameters('operationsSubnetServiceEndpoints')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.4.451.19169",
+ "templateHash": "102664795413105394"
+ }
+ },
+ "parameters": {
+ "location": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]"
+ },
+ "tags": {
+ "type": "object",
+ "defaultValue": {}
+ },
+ "logStorageAccountName": {
+ "type": "string"
+ },
+ "logStorageSkuName": {
+ "type": "string"
+ },
+ "logAnalyticsWorkspaceResourceId": {
+ "type": "string"
+ },
+ "firewallPrivateIPAddress": {
+ "type": "string"
+ },
+ "virtualNetworkName": {
+ "type": "string"
+ },
+ "virtualNetworkAddressPrefix": {
+ "type": "string"
+ },
+ "virtualNetworkDiagnosticsLogs": {
+ "type": "array"
+ },
+ "virtualNetworkDiagnosticsMetrics": {
+ "type": "array"
+ },
+ "networkSecurityGroupName": {
+ "type": "string"
+ },
+ "networkSecurityGroupRules": {
+ "type": "array"
+ },
+ "subnetName": {
+ "type": "string"
+ },
+ "subnetAddressPrefix": {
+ "type": "string"
+ },
+ "subnetServiceEndpoints": {
+ "type": "array"
+ },
+ "routeTableName": {
+ "type": "string",
+ "defaultValue": "[format('{0}-routetable', parameters('subnetName'))]"
+ },
+ "routeTableRouteName": {
+ "type": "string",
+ "defaultValue": "default_route"
+ },
+ "routeTableRouteAddressPrefix": {
+ "type": "string",
+ "defaultValue": "0.0.0.0/0"
+ },
+ "routeTableRouteNextHopIpAddress": {
+ "type": "string",
+ "defaultValue": "[parameters('firewallPrivateIPAddress')]"
+ },
+ "routeTableRouteNextHopType": {
+ "type": "string",
+ "defaultValue": "VirtualAppliance"
+ }
+ },
+ "functions": [],
+ "variables": {
+ "defaultVirtualNetworkDiagnosticsLogs": [],
+ "defaultVirtualNetworkDiagnosticsMetrics": [
+ {
+ "category": "AllMetrics",
+ "enabled": true
+ }
+ ],
+ "defaultSubnetServiceEndpoints": [
+ {
+ "service": "Microsoft.Storage"
+ }
+ ],
+ "defaultNetworkSecurityGroupRules": [
+ {
+ "name": "allow_ssh",
+ "properties": {
+ "description": "Allow SSH access from anywhere",
+ "access": "Allow",
+ "priority": 100,
+ "protocol": "Tcp",
+ "direction": "Inbound",
+ "sourcePortRange": "*",
+ "sourceAddressPrefix": "*",
+ "destinationPortRange": "22",
+ "destinationAddressPrefix": "*"
+ }
+ },
+ {
+ "name": "allow_rdp",
+ "properties": {
+ "description": "Allow RDP access from anywhere",
+ "access": "Allow",
+ "priority": 200,
+ "protocol": "Tcp",
+ "direction": "Inbound",
+ "sourcePortRange": "*",
+ "sourceAddressPrefix": "*",
+ "destinationPortRange": "3389",
+ "destinationAddressPrefix": "*"
+ }
+ }
+ ]
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "logStorage",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "storageAccountName": {
+ "value": "[parameters('logStorageAccountName')]"
+ },
+ "location": {
+ "value": "[parameters('location')]"
+ },
+ "skuName": {
+ "value": "[parameters('logStorageSkuName')]"
+ },
+ "tags": {
+ "value": "[parameters('tags')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.4.451.19169",
+ "templateHash": "7478919688835670168"
+ }
+ },
+ "parameters": {
+ "storageAccountName": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ },
+ "skuName": {
+ "type": "string"
+ },
+ "tags": {
+ "type": "object",
+ "defaultValue": {}
+ }
+ },
+ "functions": [],
+ "resources": [
+ {
+ "type": "Microsoft.Storage/storageAccounts",
+ "apiVersion": "2019-06-01",
+ "name": "[parameters('storageAccountName')]",
+ "location": "[parameters('location')]",
+ "kind": "Storage",
+ "sku": {
+ "name": "[parameters('skuName')]"
+ },
+ "tags": "[parameters('tags')]"
+ }
+ ],
+ "outputs": {
+ "id": {
+ "type": "string",
+ "value": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]"
+ }
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "networkSecurityGroup",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "name": {
+ "value": "[parameters('networkSecurityGroupName')]"
+ },
+ "location": {
+ "value": "[parameters('location')]"
+ },
+ "tags": {
+ "value": "[parameters('tags')]"
+ },
+ "securityRules": {
+ "value": "[if(empty(parameters('networkSecurityGroupRules')), variables('defaultNetworkSecurityGroupRules'), parameters('networkSecurityGroupRules'))]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.4.451.19169",
+ "templateHash": "16344320883906419641"
+ }
+ },
+ "parameters": {
+ "name": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ },
+ "tags": {
+ "type": "object",
+ "defaultValue": {}
+ },
+ "securityRules": {
+ "type": "array"
+ }
+ },
+ "functions": [],
+ "resources": [
+ {
+ "type": "Microsoft.Network/networkSecurityGroups",
+ "apiVersion": "2021-02-01",
+ "name": "[parameters('name')]",
+ "location": "[parameters('location')]",
+ "tags": "[parameters('tags')]",
+ "properties": {
+ "securityRules": "[parameters('securityRules')]"
+ }
+ }
+ ],
+ "outputs": {
+ "id": {
+ "type": "string",
+ "value": "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('name'))]"
+ },
+ "name": {
+ "type": "string",
+ "value": "[parameters('name')]"
+ }
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "routeTable",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "name": {
+ "value": "[parameters('routeTableName')]"
+ },
+ "location": {
+ "value": "[parameters('location')]"
+ },
+ "tags": {
+ "value": "[parameters('tags')]"
+ },
+ "routeName": {
+ "value": "[parameters('routeTableRouteName')]"
+ },
+ "routeAddressPrefix": {
+ "value": "[parameters('routeTableRouteAddressPrefix')]"
+ },
+ "routeNextHopIpAddress": {
+ "value": "[parameters('routeTableRouteNextHopIpAddress')]"
+ },
+ "routeNextHopType": {
+ "value": "[parameters('routeTableRouteNextHopType')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.4.451.19169",
+ "templateHash": "9581615100111735872"
+ }
+ },
+ "parameters": {
+ "name": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ },
+ "tags": {
+ "type": "object",
+ "defaultValue": {}
+ },
+ "routeName": {
+ "type": "string"
+ },
+ "routeAddressPrefix": {
+ "type": "string"
+ },
+ "routeNextHopIpAddress": {
+ "type": "string"
+ },
+ "routeNextHopType": {
+ "type": "string"
+ }
+ },
+ "functions": [],
+ "resources": [
+ {
+ "type": "Microsoft.Network/routeTables",
+ "apiVersion": "2021-02-01",
+ "name": "[parameters('name')]",
+ "location": "[parameters('location')]",
+ "tags": "[parameters('tags')]",
+ "properties": {
+ "routes": [
+ {
+ "name": "[parameters('routeName')]",
+ "properties": {
+ "addressPrefix": "[parameters('routeAddressPrefix')]",
+ "nextHopIpAddress": "[parameters('routeNextHopIpAddress')]",
+ "nextHopType": "[parameters('routeNextHopType')]"
+ }
+ }
+ ]
+ }
+ }
+ ],
+ "outputs": {
+ "id": {
+ "type": "string",
+ "value": "[resourceId('Microsoft.Network/routeTables', parameters('name'))]"
+ },
+ "name": {
+ "type": "string",
+ "value": "[parameters('name')]"
+ }
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "virtualNetwork",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "name": {
+ "value": "[parameters('virtualNetworkName')]"
+ },
+ "location": {
+ "value": "[parameters('location')]"
+ },
+ "tags": {
+ "value": "[parameters('tags')]"
+ },
+ "addressPrefix": {
+ "value": "[parameters('virtualNetworkAddressPrefix')]"
+ },
+ "diagnosticsLogs": {
+ "value": "[if(empty(parameters('virtualNetworkDiagnosticsLogs')), variables('defaultVirtualNetworkDiagnosticsLogs'), parameters('virtualNetworkDiagnosticsLogs'))]"
+ },
+ "diagnosticsMetrics": {
+ "value": "[if(empty(parameters('virtualNetworkDiagnosticsMetrics')), variables('defaultVirtualNetworkDiagnosticsMetrics'), parameters('virtualNetworkDiagnosticsMetrics'))]"
+ },
+ "subnets": {
+ "value": [
+ {
+ "name": "[parameters('subnetName')]",
+ "properties": {
+ "addressPrefix": "[parameters('subnetAddressPrefix')]",
+ "networkSecurityGroup": {
+ "id": "[reference(resourceId('Microsoft.Resources/deployments', 'networkSecurityGroup'), '2019-10-01').outputs.id.value]"
+ },
+ "routeTable": {
+ "id": "[reference(resourceId('Microsoft.Resources/deployments', 'routeTable'), '2019-10-01').outputs.id.value]"
+ },
+ "serviceEndpoints": "[if(empty(parameters('subnetServiceEndpoints')), variables('defaultSubnetServiceEndpoints'), parameters('subnetServiceEndpoints'))]"
+ }
+ }
+ ]
+ },
+ "logAnalyticsWorkspaceResourceId": {
+ "value": "[parameters('logAnalyticsWorkspaceResourceId')]"
+ },
+ "logStorageAccountResourceId": {
+ "value": "[reference(resourceId('Microsoft.Resources/deployments', 'logStorage'), '2019-10-01').outputs.id.value]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.4.451.19169",
+ "templateHash": "4251305185578211506"
+ }
+ },
+ "parameters": {
+ "name": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ },
+ "tags": {
+ "type": "object",
+ "defaultValue": {}
+ },
+ "addressPrefix": {
+ "type": "string"
+ },
+ "logAnalyticsWorkspaceResourceId": {
+ "type": "string"
+ },
+ "logStorageAccountResourceId": {
+ "type": "string"
+ },
+ "subnets": {
+ "type": "array"
+ },
+ "diagnosticsMetrics": {
+ "type": "array"
+ },
+ "diagnosticsLogs": {
+ "type": "array"
+ }
+ },
+ "functions": [],
+ "resources": [
+ {
+ "type": "Microsoft.Network/virtualNetworks",
+ "apiVersion": "2021-02-01",
+ "name": "[parameters('name')]",
+ "location": "[parameters('location')]",
+ "tags": "[parameters('tags')]",
+ "properties": {
+ "addressSpace": {
+ "addressPrefixes": [
+ "[parameters('addressPrefix')]"
+ ]
+ },
+ "subnets": "[parameters('subnets')]"
+ }
+ },
+ {
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "apiVersion": "2017-05-01-preview",
+ "scope": "[format('Microsoft.Network/virtualNetworks/{0}', parameters('name'))]",
+ "name": "[format('{0}-diagnostics', parameters('name'))]",
+ "properties": {
+ "storageAccountId": "[parameters('logStorageAccountResourceId')]",
+ "workspaceId": "[parameters('logAnalyticsWorkspaceResourceId')]",
+ "metrics": "[parameters('diagnosticsMetrics')]",
+ "logs": "[parameters('diagnosticsLogs')]"
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Network/virtualNetworks', parameters('name'))]"
+ ]
+ }
+ ],
+ "outputs": {
+ "name": {
+ "type": "string",
+ "value": "[parameters('name')]"
+ },
+ "id": {
+ "type": "string",
+ "value": "[resourceId('Microsoft.Network/virtualNetworks', parameters('name'))]"
+ },
+ "subnets": {
+ "type": "array",
+ "value": "[reference(resourceId('Microsoft.Network/virtualNetworks', parameters('name'))).subnets]"
+ }
+ }
+ }
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', 'logStorage')]",
+ "[resourceId('Microsoft.Resources/deployments', 'networkSecurityGroup')]",
+ "[resourceId('Microsoft.Resources/deployments', 'routeTable')]"
+ ]
+ }
+ ],
+ "outputs": {
+ "virtualNetworkName": {
+ "type": "string",
+ "value": "[reference(resourceId('Microsoft.Resources/deployments', 'virtualNetwork'), '2019-10-01').outputs.name.value]"
+ },
+ "virtualNetworkResourceId": {
+ "type": "string",
+ "value": "[reference(resourceId('Microsoft.Resources/deployments', 'virtualNetwork'), '2019-10-01').outputs.id.value]"
+ },
+ "subnetName": {
+ "type": "string",
+ "value": "[reference(resourceId('Microsoft.Resources/deployments', 'virtualNetwork'), '2019-10-01').outputs.subnets.value[0].name]"
+ },
+ "subnetAddressPrefix": {
+ "type": "string",
+ "value": "[reference(resourceId('Microsoft.Resources/deployments', 'virtualNetwork'), '2019-10-01').outputs.subnets.value[0].properties.addressPrefix]"
+ },
+ "subnetResourceId": {
+ "type": "string",
+ "value": "[reference(resourceId('Microsoft.Resources/deployments', 'virtualNetwork'), '2019-10-01').outputs.subnets.value[0].id]"
+ },
+ "networkSecurityGroupName": {
+ "type": "string",
+ "value": "[reference(resourceId('Microsoft.Resources/deployments', 'networkSecurityGroup'), '2019-10-01').outputs.name.value]"
+ },
+ "networkSecurityGroupResourceId": {
+ "type": "string",
+ "value": "[reference(resourceId('Microsoft.Resources/deployments', 'networkSecurityGroup'), '2019-10-01').outputs.id.value]"
+ }
+ }
+ }
+ },
+ "dependsOn": [
+ "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), parameters('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('{0}-hub', parameters('resourcePrefix')))]",
+ "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('operationsResourceGroupName')), 'Microsoft.Resources/deployments', 'logAnalyticsWorkspace')]"
+ ]
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "[format('{0}-sharedServices', parameters('resourcePrefix'))]",
+ "subscriptionId": "[parameters('sharedServicesSubscriptionId')]",
+ "resourceGroup": "[parameters('sharedServicesResourceGroupName')]",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "location": {
+ "value": "[parameters('sharedServicesLocation')]"
+ },
+ "tags": {
+ "value": "[parameters('tags')]"
+ },
+ "logStorageAccountName": {
+ "value": "[parameters('sharedServicesLogStorageAccountName')]"
+ },
+ "logStorageSkuName": {
+ "value": "[parameters('sharedServicesLogStorageSkuName')]"
+ },
+ "logAnalyticsWorkspaceResourceId": {
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('operationsResourceGroupName')), 'Microsoft.Resources/deployments', 'logAnalyticsWorkspace'), '2019-10-01').outputs.id.value]"
+ },
+ "firewallPrivateIPAddress": {
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), parameters('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('{0}-hub', parameters('resourcePrefix'))), '2019-10-01').outputs.firewallPrivateIPAddress.value]"
+ },
+ "virtualNetworkName": {
+ "value": "[parameters('sharedServicesVirtualNetworkName')]"
+ },
+ "virtualNetworkAddressPrefix": {
+ "value": "[parameters('sharedServicesVirtualNetworkAddressPrefix')]"
+ },
+ "virtualNetworkDiagnosticsLogs": {
+ "value": "[parameters('sharedServicesVirtualNetworkDiagnosticsLogs')]"
+ },
+ "virtualNetworkDiagnosticsMetrics": {
+ "value": "[parameters('sharedServicesVirtualNetworkDiagnosticsMetrics')]"
+ },
+ "networkSecurityGroupName": {
+ "value": "[parameters('sharedServicesNetworkSecurityGroupName')]"
+ },
+ "networkSecurityGroupRules": {
+ "value": "[parameters('sharedServicesNetworkSecurityGroupRules')]"
+ },
+ "subnetName": {
+ "value": "[parameters('sharedServicesSubnetName')]"
+ },
+ "subnetAddressPrefix": {
+ "value": "[parameters('sharedServicesSubnetAddressPrefix')]"
+ },
+ "subnetServiceEndpoints": {
+ "value": "[parameters('sharedServicesSubnetServiceEndpoints')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.4.451.19169",
+ "templateHash": "102664795413105394"
+ }
+ },
+ "parameters": {
+ "location": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]"
+ },
+ "tags": {
+ "type": "object",
+ "defaultValue": {}
+ },
+ "logStorageAccountName": {
+ "type": "string"
+ },
+ "logStorageSkuName": {
+ "type": "string"
+ },
+ "logAnalyticsWorkspaceResourceId": {
+ "type": "string"
+ },
+ "firewallPrivateIPAddress": {
+ "type": "string"
+ },
+ "virtualNetworkName": {
+ "type": "string"
+ },
+ "virtualNetworkAddressPrefix": {
+ "type": "string"
+ },
+ "virtualNetworkDiagnosticsLogs": {
+ "type": "array"
+ },
+ "virtualNetworkDiagnosticsMetrics": {
+ "type": "array"
+ },
+ "networkSecurityGroupName": {
+ "type": "string"
+ },
+ "networkSecurityGroupRules": {
+ "type": "array"
+ },
+ "subnetName": {
+ "type": "string"
+ },
+ "subnetAddressPrefix": {
+ "type": "string"
+ },
+ "subnetServiceEndpoints": {
+ "type": "array"
+ },
+ "routeTableName": {
+ "type": "string",
+ "defaultValue": "[format('{0}-routetable', parameters('subnetName'))]"
+ },
+ "routeTableRouteName": {
+ "type": "string",
+ "defaultValue": "default_route"
+ },
+ "routeTableRouteAddressPrefix": {
+ "type": "string",
+ "defaultValue": "0.0.0.0/0"
+ },
+ "routeTableRouteNextHopIpAddress": {
+ "type": "string",
+ "defaultValue": "[parameters('firewallPrivateIPAddress')]"
+ },
+ "routeTableRouteNextHopType": {
+ "type": "string",
+ "defaultValue": "VirtualAppliance"
+ }
+ },
+ "functions": [],
+ "variables": {
+ "defaultVirtualNetworkDiagnosticsLogs": [],
+ "defaultVirtualNetworkDiagnosticsMetrics": [
+ {
+ "category": "AllMetrics",
+ "enabled": true
+ }
+ ],
+ "defaultSubnetServiceEndpoints": [
+ {
+ "service": "Microsoft.Storage"
+ }
+ ],
+ "defaultNetworkSecurityGroupRules": [
+ {
+ "name": "allow_ssh",
+ "properties": {
+ "description": "Allow SSH access from anywhere",
+ "access": "Allow",
+ "priority": 100,
+ "protocol": "Tcp",
+ "direction": "Inbound",
+ "sourcePortRange": "*",
+ "sourceAddressPrefix": "*",
+ "destinationPortRange": "22",
+ "destinationAddressPrefix": "*"
+ }
+ },
+ {
+ "name": "allow_rdp",
+ "properties": {
+ "description": "Allow RDP access from anywhere",
+ "access": "Allow",
+ "priority": 200,
+ "protocol": "Tcp",
+ "direction": "Inbound",
+ "sourcePortRange": "*",
+ "sourceAddressPrefix": "*",
+ "destinationPortRange": "3389",
+ "destinationAddressPrefix": "*"
+ }
+ }
+ ]
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "logStorage",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "storageAccountName": {
+ "value": "[parameters('logStorageAccountName')]"
+ },
+ "location": {
+ "value": "[parameters('location')]"
+ },
+ "skuName": {
+ "value": "[parameters('logStorageSkuName')]"
+ },
+ "tags": {
+ "value": "[parameters('tags')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.4.451.19169",
+ "templateHash": "7478919688835670168"
+ }
+ },
+ "parameters": {
+ "storageAccountName": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ },
+ "skuName": {
+ "type": "string"
+ },
+ "tags": {
+ "type": "object",
+ "defaultValue": {}
+ }
+ },
+ "functions": [],
+ "resources": [
+ {
+ "type": "Microsoft.Storage/storageAccounts",
+ "apiVersion": "2019-06-01",
+ "name": "[parameters('storageAccountName')]",
+ "location": "[parameters('location')]",
+ "kind": "Storage",
+ "sku": {
+ "name": "[parameters('skuName')]"
+ },
+ "tags": "[parameters('tags')]"
+ }
+ ],
+ "outputs": {
+ "id": {
+ "type": "string",
+ "value": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]"
+ }
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "networkSecurityGroup",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "name": {
+ "value": "[parameters('networkSecurityGroupName')]"
+ },
+ "location": {
+ "value": "[parameters('location')]"
+ },
+ "tags": {
+ "value": "[parameters('tags')]"
+ },
+ "securityRules": {
+ "value": "[if(empty(parameters('networkSecurityGroupRules')), variables('defaultNetworkSecurityGroupRules'), parameters('networkSecurityGroupRules'))]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.4.451.19169",
+ "templateHash": "16344320883906419641"
+ }
+ },
+ "parameters": {
+ "name": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ },
+ "tags": {
+ "type": "object",
+ "defaultValue": {}
+ },
+ "securityRules": {
+ "type": "array"
+ }
+ },
+ "functions": [],
+ "resources": [
+ {
+ "type": "Microsoft.Network/networkSecurityGroups",
+ "apiVersion": "2021-02-01",
+ "name": "[parameters('name')]",
+ "location": "[parameters('location')]",
+ "tags": "[parameters('tags')]",
+ "properties": {
+ "securityRules": "[parameters('securityRules')]"
+ }
+ }
+ ],
+ "outputs": {
+ "id": {
+ "type": "string",
+ "value": "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('name'))]"
+ },
+ "name": {
+ "type": "string",
+ "value": "[parameters('name')]"
+ }
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "routeTable",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "name": {
+ "value": "[parameters('routeTableName')]"
+ },
+ "location": {
+ "value": "[parameters('location')]"
+ },
+ "tags": {
+ "value": "[parameters('tags')]"
+ },
+ "routeName": {
+ "value": "[parameters('routeTableRouteName')]"
+ },
+ "routeAddressPrefix": {
+ "value": "[parameters('routeTableRouteAddressPrefix')]"
+ },
+ "routeNextHopIpAddress": {
+ "value": "[parameters('routeTableRouteNextHopIpAddress')]"
+ },
+ "routeNextHopType": {
+ "value": "[parameters('routeTableRouteNextHopType')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.4.451.19169",
+ "templateHash": "9581615100111735872"
+ }
+ },
+ "parameters": {
+ "name": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ },
+ "tags": {
+ "type": "object",
+ "defaultValue": {}
+ },
+ "routeName": {
+ "type": "string"
+ },
+ "routeAddressPrefix": {
+ "type": "string"
+ },
+ "routeNextHopIpAddress": {
+ "type": "string"
+ },
+ "routeNextHopType": {
+ "type": "string"
+ }
+ },
+ "functions": [],
+ "resources": [
+ {
+ "type": "Microsoft.Network/routeTables",
+ "apiVersion": "2021-02-01",
+ "name": "[parameters('name')]",
+ "location": "[parameters('location')]",
+ "tags": "[parameters('tags')]",
+ "properties": {
+ "routes": [
+ {
+ "name": "[parameters('routeName')]",
+ "properties": {
+ "addressPrefix": "[parameters('routeAddressPrefix')]",
+ "nextHopIpAddress": "[parameters('routeNextHopIpAddress')]",
+ "nextHopType": "[parameters('routeNextHopType')]"
+ }
+ }
+ ]
+ }
+ }
+ ],
+ "outputs": {
+ "id": {
+ "type": "string",
+ "value": "[resourceId('Microsoft.Network/routeTables', parameters('name'))]"
+ },
+ "name": {
+ "type": "string",
+ "value": "[parameters('name')]"
+ }
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "virtualNetwork",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "name": {
+ "value": "[parameters('virtualNetworkName')]"
+ },
+ "location": {
+ "value": "[parameters('location')]"
+ },
+ "tags": {
+ "value": "[parameters('tags')]"
+ },
+ "addressPrefix": {
+ "value": "[parameters('virtualNetworkAddressPrefix')]"
+ },
+ "diagnosticsLogs": {
+ "value": "[if(empty(parameters('virtualNetworkDiagnosticsLogs')), variables('defaultVirtualNetworkDiagnosticsLogs'), parameters('virtualNetworkDiagnosticsLogs'))]"
+ },
+ "diagnosticsMetrics": {
+ "value": "[if(empty(parameters('virtualNetworkDiagnosticsMetrics')), variables('defaultVirtualNetworkDiagnosticsMetrics'), parameters('virtualNetworkDiagnosticsMetrics'))]"
+ },
+ "subnets": {
+ "value": [
+ {
+ "name": "[parameters('subnetName')]",
+ "properties": {
+ "addressPrefix": "[parameters('subnetAddressPrefix')]",
+ "networkSecurityGroup": {
+ "id": "[reference(resourceId('Microsoft.Resources/deployments', 'networkSecurityGroup'), '2019-10-01').outputs.id.value]"
+ },
+ "routeTable": {
+ "id": "[reference(resourceId('Microsoft.Resources/deployments', 'routeTable'), '2019-10-01').outputs.id.value]"
+ },
+ "serviceEndpoints": "[if(empty(parameters('subnetServiceEndpoints')), variables('defaultSubnetServiceEndpoints'), parameters('subnetServiceEndpoints'))]"
+ }
+ }
+ ]
+ },
+ "logAnalyticsWorkspaceResourceId": {
+ "value": "[parameters('logAnalyticsWorkspaceResourceId')]"
+ },
+ "logStorageAccountResourceId": {
+ "value": "[reference(resourceId('Microsoft.Resources/deployments', 'logStorage'), '2019-10-01').outputs.id.value]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.4.451.19169",
+ "templateHash": "4251305185578211506"
+ }
+ },
+ "parameters": {
+ "name": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ },
+ "tags": {
+ "type": "object",
+ "defaultValue": {}
+ },
+ "addressPrefix": {
+ "type": "string"
+ },
+ "logAnalyticsWorkspaceResourceId": {
+ "type": "string"
+ },
+ "logStorageAccountResourceId": {
+ "type": "string"
+ },
+ "subnets": {
+ "type": "array"
+ },
+ "diagnosticsMetrics": {
+ "type": "array"
+ },
+ "diagnosticsLogs": {
+ "type": "array"
+ }
+ },
+ "functions": [],
+ "resources": [
+ {
+ "type": "Microsoft.Network/virtualNetworks",
+ "apiVersion": "2021-02-01",
+ "name": "[parameters('name')]",
+ "location": "[parameters('location')]",
+ "tags": "[parameters('tags')]",
+ "properties": {
+ "addressSpace": {
+ "addressPrefixes": [
+ "[parameters('addressPrefix')]"
+ ]
+ },
+ "subnets": "[parameters('subnets')]"
+ }
+ },
+ {
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "apiVersion": "2017-05-01-preview",
+ "scope": "[format('Microsoft.Network/virtualNetworks/{0}', parameters('name'))]",
+ "name": "[format('{0}-diagnostics', parameters('name'))]",
+ "properties": {
+ "storageAccountId": "[parameters('logStorageAccountResourceId')]",
+ "workspaceId": "[parameters('logAnalyticsWorkspaceResourceId')]",
+ "metrics": "[parameters('diagnosticsMetrics')]",
+ "logs": "[parameters('diagnosticsLogs')]"
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Network/virtualNetworks', parameters('name'))]"
+ ]
+ }
+ ],
+ "outputs": {
+ "name": {
+ "type": "string",
+ "value": "[parameters('name')]"
+ },
+ "id": {
+ "type": "string",
+ "value": "[resourceId('Microsoft.Network/virtualNetworks', parameters('name'))]"
+ },
+ "subnets": {
+ "type": "array",
+ "value": "[reference(resourceId('Microsoft.Network/virtualNetworks', parameters('name'))).subnets]"
+ }
+ }
+ }
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', 'logStorage')]",
+ "[resourceId('Microsoft.Resources/deployments', 'networkSecurityGroup')]",
+ "[resourceId('Microsoft.Resources/deployments', 'routeTable')]"
+ ]
+ }
+ ],
+ "outputs": {
+ "virtualNetworkName": {
+ "type": "string",
+ "value": "[reference(resourceId('Microsoft.Resources/deployments', 'virtualNetwork'), '2019-10-01').outputs.name.value]"
+ },
+ "virtualNetworkResourceId": {
+ "type": "string",
+ "value": "[reference(resourceId('Microsoft.Resources/deployments', 'virtualNetwork'), '2019-10-01').outputs.id.value]"
+ },
+ "subnetName": {
+ "type": "string",
+ "value": "[reference(resourceId('Microsoft.Resources/deployments', 'virtualNetwork'), '2019-10-01').outputs.subnets.value[0].name]"
+ },
+ "subnetAddressPrefix": {
+ "type": "string",
+ "value": "[reference(resourceId('Microsoft.Resources/deployments', 'virtualNetwork'), '2019-10-01').outputs.subnets.value[0].properties.addressPrefix]"
+ },
+ "subnetResourceId": {
+ "type": "string",
+ "value": "[reference(resourceId('Microsoft.Resources/deployments', 'virtualNetwork'), '2019-10-01').outputs.subnets.value[0].id]"
+ },
+ "networkSecurityGroupName": {
+ "type": "string",
+ "value": "[reference(resourceId('Microsoft.Resources/deployments', 'networkSecurityGroup'), '2019-10-01').outputs.name.value]"
+ },
+ "networkSecurityGroupResourceId": {
+ "type": "string",
+ "value": "[reference(resourceId('Microsoft.Resources/deployments', 'networkSecurityGroup'), '2019-10-01').outputs.id.value]"
+ }
+ }
+ }
+ },
+ "dependsOn": [
+ "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), parameters('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('{0}-hub', parameters('resourcePrefix')))]",
+ "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('operationsResourceGroupName')), 'Microsoft.Resources/deployments', 'logAnalyticsWorkspace')]"
+ ]
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "[format('{0}-hubVirtualNetworkPeerings', parameters('resourcePrefix'))]",
+ "subscriptionId": "[parameters('hubSubscriptionId')]",
+ "location": "[deployment().location]",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "hubResourceGroupName": {
+ "value": "[reference(subscriptionResourceId(parameters('hubSubscriptionId'), 'Microsoft.Resources/deployments', 'hubResourceGroup'), '2019-10-01').outputs.name.value]"
+ },
+ "hubVirtualNetworkName": {
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), parameters('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('{0}-hub', parameters('resourcePrefix'))), '2019-10-01').outputs.virtualNetworkName.value]"
+ },
+ "identityVirtualNetworkName": {
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('identitySubscriptionId'), parameters('identityResourceGroupName')), 'Microsoft.Resources/deployments', format('{0}-identity', parameters('resourcePrefix'))), '2019-10-01').outputs.virtualNetworkName.value]"
+ },
+ "operationsVirtualNetworkName": {
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('{0}-operations', parameters('resourcePrefix'))), '2019-10-01').outputs.virtualNetworkName.value]"
+ },
+ "sharedServicesVirtualNetworkName": {
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('sharedServicesSubscriptionId'), parameters('sharedServicesResourceGroupName')), 'Microsoft.Resources/deployments', format('{0}-sharedServices', parameters('resourcePrefix'))), '2019-10-01').outputs.virtualNetworkName.value]"
+ },
+ "identityVirtualNetworkResourceId": {
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('identitySubscriptionId'), parameters('identityResourceGroupName')), 'Microsoft.Resources/deployments', format('{0}-identity', parameters('resourcePrefix'))), '2019-10-01').outputs.virtualNetworkResourceId.value]"
+ },
+ "operationsVirtualNetworkResourceId": {
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('sharedServicesSubscriptionId'), parameters('sharedServicesResourceGroupName')), 'Microsoft.Resources/deployments', format('{0}-sharedServices', parameters('resourcePrefix'))), '2019-10-01').outputs.virtualNetworkResourceId.value]"
+ },
+ "sharedServicesVirtualNetworkResourceId": {
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('{0}-operations', parameters('resourcePrefix'))), '2019-10-01').outputs.virtualNetworkResourceId.value]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.4.451.19169",
+ "templateHash": "1911650182896073393"
+ }
+ },
+ "parameters": {
+ "hubResourceGroupName": {
+ "type": "string"
+ },
+ "hubVirtualNetworkName": {
+ "type": "string"
+ },
+ "identityVirtualNetworkName": {
+ "type": "string"
+ },
+ "identityVirtualNetworkResourceId": {
+ "type": "string"
+ },
+ "operationsVirtualNetworkName": {
+ "type": "string"
+ },
+ "operationsVirtualNetworkResourceId": {
+ "type": "string"
+ },
+ "sharedServicesVirtualNetworkName": {
+ "type": "string"
+ },
+ "sharedServicesVirtualNetworkResourceId": {
+ "type": "string"
+ }
+ },
+ "functions": [],
+ "resources": [
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "hubToIdentityVirtualNetworkPeering",
+ "resourceGroup": "[parameters('hubResourceGroupName')]",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "name": {
+ "value": "[format('{0}/to-{1}', parameters('hubVirtualNetworkName'), parameters('identityVirtualNetworkName'))]"
+ },
+ "remoteVirtualNetworkResourceId": {
+ "value": "[parameters('identityVirtualNetworkResourceId')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.4.451.19169",
+ "templateHash": "16145505190701732004"
+ }
+ },
+ "parameters": {
+ "name": {
+ "type": "string"
+ },
+ "remoteVirtualNetworkResourceId": {
+ "type": "string"
+ }
+ },
+ "functions": [],
+ "resources": [
+ {
+ "type": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings",
+ "apiVersion": "2021-02-01",
+ "name": "[parameters('name')]",
+ "properties": {
+ "remoteVirtualNetwork": {
+ "id": "[parameters('remoteVirtualNetworkResourceId')]"
+ }
+ }
+ }
+ ]
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "hubToOperationsVirtualNetworkPeering",
+ "resourceGroup": "[parameters('hubResourceGroupName')]",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "name": {
+ "value": "[format('{0}/to-{1}', parameters('hubVirtualNetworkName'), parameters('operationsVirtualNetworkName'))]"
+ },
+ "remoteVirtualNetworkResourceId": {
+ "value": "[parameters('operationsVirtualNetworkResourceId')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.4.451.19169",
+ "templateHash": "16145505190701732004"
+ }
+ },
+ "parameters": {
+ "name": {
+ "type": "string"
+ },
+ "remoteVirtualNetworkResourceId": {
+ "type": "string"
+ }
+ },
+ "functions": [],
+ "resources": [
+ {
+ "type": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings",
+ "apiVersion": "2021-02-01",
+ "name": "[parameters('name')]",
+ "properties": {
+ "remoteVirtualNetwork": {
+ "id": "[parameters('remoteVirtualNetworkResourceId')]"
+ }
+ }
+ }
+ ]
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "hubToSharedServicesVirtualNetworkPeering",
+ "resourceGroup": "[parameters('hubResourceGroupName')]",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "name": {
+ "value": "[format('{0}/to-{1}', parameters('hubVirtualNetworkName'), parameters('sharedServicesVirtualNetworkName'))]"
+ },
+ "remoteVirtualNetworkResourceId": {
+ "value": "[parameters('sharedServicesVirtualNetworkResourceId')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.4.451.19169",
+ "templateHash": "16145505190701732004"
+ }
+ },
+ "parameters": {
+ "name": {
+ "type": "string"
+ },
+ "remoteVirtualNetworkResourceId": {
+ "type": "string"
+ }
+ },
+ "functions": [],
+ "resources": [
+ {
+ "type": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings",
+ "apiVersion": "2021-02-01",
+ "name": "[parameters('name')]",
+ "properties": {
+ "remoteVirtualNetwork": {
+ "id": "[parameters('remoteVirtualNetworkResourceId')]"
+ }
+ }
+ }
+ ]
+ }
+ }
+ }
+ ]
+ }
+ },
+ "dependsOn": [
+ "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), parameters('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('{0}-hub', parameters('resourcePrefix')))]",
+ "[subscriptionResourceId(parameters('hubSubscriptionId'), 'Microsoft.Resources/deployments', 'hubResourceGroup')]",
+ "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('identitySubscriptionId'), parameters('identityResourceGroupName')), 'Microsoft.Resources/deployments', format('{0}-identity', parameters('resourcePrefix')))]",
+ "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('{0}-operations', parameters('resourcePrefix')))]",
+ "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('sharedServicesSubscriptionId'), parameters('sharedServicesResourceGroupName')), 'Microsoft.Resources/deployments', format('{0}-sharedServices', parameters('resourcePrefix')))]"
+ ]
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "[format('{0}-identityVirtualNetworkPeerings', parameters('resourcePrefix'))]",
+ "subscriptionId": "[parameters('identitySubscriptionId')]",
+ "location": "[deployment().location]",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "spokeResourceGroupName": {
+ "value": "[reference(subscriptionResourceId(parameters('identitySubscriptionId'), 'Microsoft.Resources/deployments', 'identityResourceGroup'), '2019-10-01').outputs.name.value]"
+ },
+ "spokeVirtualNetworkName": {
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('identitySubscriptionId'), parameters('identityResourceGroupName')), 'Microsoft.Resources/deployments', format('{0}-identity', parameters('resourcePrefix'))), '2019-10-01').outputs.virtualNetworkName.value]"
+ },
+ "hubVirtualNetworkName": {
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), parameters('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('{0}-hub', parameters('resourcePrefix'))), '2019-10-01').outputs.virtualNetworkName.value]"
+ },
+ "hubVirtualNetworkResourceId": {
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), parameters('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('{0}-hub', parameters('resourcePrefix'))), '2019-10-01').outputs.virtualNetworkResourceId.value]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.4.451.19169",
+ "templateHash": "13857954278136382775"
+ }
+ },
+ "parameters": {
+ "spokeResourceGroupName": {
+ "type": "string"
+ },
+ "spokeVirtualNetworkName": {
+ "type": "string"
+ },
+ "hubVirtualNetworkName": {
+ "type": "string"
+ },
+ "hubVirtualNetworkResourceId": {
+ "type": "string"
+ }
+ },
+ "functions": [],
+ "resources": [
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "spokeNetworkPeering",
+ "resourceGroup": "[parameters('spokeResourceGroupName')]",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "name": {
+ "value": "[format('{0}/to-{1}', parameters('spokeVirtualNetworkName'), parameters('hubVirtualNetworkName'))]"
+ },
+ "remoteVirtualNetworkResourceId": {
+ "value": "[parameters('hubVirtualNetworkResourceId')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.4.451.19169",
+ "templateHash": "16145505190701732004"
+ }
+ },
+ "parameters": {
+ "name": {
+ "type": "string"
+ },
+ "remoteVirtualNetworkResourceId": {
+ "type": "string"
+ }
+ },
+ "functions": [],
+ "resources": [
+ {
+ "type": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings",
+ "apiVersion": "2021-02-01",
+ "name": "[parameters('name')]",
+ "properties": {
+ "remoteVirtualNetwork": {
+ "id": "[parameters('remoteVirtualNetworkResourceId')]"
+ }
+ }
+ }
+ ]
+ }
+ }
+ }
+ ]
+ }
+ },
+ "dependsOn": [
+ "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), parameters('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('{0}-hub', parameters('resourcePrefix')))]",
+ "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('identitySubscriptionId'), parameters('identityResourceGroupName')), 'Microsoft.Resources/deployments', format('{0}-identity', parameters('resourcePrefix')))]",
+ "[subscriptionResourceId(parameters('identitySubscriptionId'), 'Microsoft.Resources/deployments', 'identityResourceGroup')]"
+ ]
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "[format('{0}-operationsVirtualNetworkPeerings', parameters('resourcePrefix'))]",
+ "subscriptionId": "[parameters('operationsSubscriptionId')]",
+ "location": "[deployment().location]",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "spokeResourceGroupName": {
+ "value": "[reference(subscriptionResourceId(parameters('operationsSubscriptionId'), 'Microsoft.Resources/deployments', 'operationsResourceGroup'), '2019-10-01').outputs.name.value]"
+ },
+ "spokeVirtualNetworkName": {
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('{0}-operations', parameters('resourcePrefix'))), '2019-10-01').outputs.virtualNetworkName.value]"
+ },
+ "hubVirtualNetworkName": {
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), parameters('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('{0}-hub', parameters('resourcePrefix'))), '2019-10-01').outputs.virtualNetworkName.value]"
+ },
+ "hubVirtualNetworkResourceId": {
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), parameters('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('{0}-hub', parameters('resourcePrefix'))), '2019-10-01').outputs.virtualNetworkResourceId.value]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.4.451.19169",
+ "templateHash": "13857954278136382775"
+ }
+ },
+ "parameters": {
+ "spokeResourceGroupName": {
+ "type": "string"
+ },
+ "spokeVirtualNetworkName": {
+ "type": "string"
+ },
+ "hubVirtualNetworkName": {
+ "type": "string"
+ },
+ "hubVirtualNetworkResourceId": {
+ "type": "string"
+ }
+ },
+ "functions": [],
+ "resources": [
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "spokeNetworkPeering",
+ "resourceGroup": "[parameters('spokeResourceGroupName')]",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "name": {
+ "value": "[format('{0}/to-{1}', parameters('spokeVirtualNetworkName'), parameters('hubVirtualNetworkName'))]"
+ },
+ "remoteVirtualNetworkResourceId": {
+ "value": "[parameters('hubVirtualNetworkResourceId')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.4.451.19169",
+ "templateHash": "16145505190701732004"
+ }
+ },
+ "parameters": {
+ "name": {
+ "type": "string"
+ },
+ "remoteVirtualNetworkResourceId": {
+ "type": "string"
+ }
+ },
+ "functions": [],
+ "resources": [
+ {
+ "type": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings",
+ "apiVersion": "2021-02-01",
+ "name": "[parameters('name')]",
+ "properties": {
+ "remoteVirtualNetwork": {
+ "id": "[parameters('remoteVirtualNetworkResourceId')]"
+ }
+ }
+ }
+ ]
+ }
+ }
+ }
+ ]
+ }
+ },
+ "dependsOn": [
+ "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), parameters('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('{0}-hub', parameters('resourcePrefix')))]",
+ "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('{0}-operations', parameters('resourcePrefix')))]",
+ "[subscriptionResourceId(parameters('operationsSubscriptionId'), 'Microsoft.Resources/deployments', 'operationsResourceGroup')]"
+ ]
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "[format('{0}-sharedServicesVirtualNetworkPeerings', parameters('resourcePrefix'))]",
+ "subscriptionId": "[parameters('sharedServicesSubscriptionId')]",
+ "location": "[deployment().location]",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "spokeResourceGroupName": {
+ "value": "[reference(subscriptionResourceId(parameters('sharedServicesSubscriptionId'), 'Microsoft.Resources/deployments', 'sharedServicesResourceGroup'), '2019-10-01').outputs.name.value]"
+ },
+ "spokeVirtualNetworkName": {
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('sharedServicesSubscriptionId'), parameters('sharedServicesResourceGroupName')), 'Microsoft.Resources/deployments', format('{0}-sharedServices', parameters('resourcePrefix'))), '2019-10-01').outputs.virtualNetworkName.value]"
+ },
+ "hubVirtualNetworkName": {
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), parameters('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('{0}-hub', parameters('resourcePrefix'))), '2019-10-01').outputs.virtualNetworkName.value]"
+ },
+ "hubVirtualNetworkResourceId": {
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), parameters('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('{0}-hub', parameters('resourcePrefix'))), '2019-10-01').outputs.virtualNetworkResourceId.value]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.4.451.19169",
+ "templateHash": "13857954278136382775"
+ }
+ },
+ "parameters": {
+ "spokeResourceGroupName": {
+ "type": "string"
+ },
+ "spokeVirtualNetworkName": {
+ "type": "string"
+ },
+ "hubVirtualNetworkName": {
+ "type": "string"
+ },
+ "hubVirtualNetworkResourceId": {
+ "type": "string"
+ }
+ },
+ "functions": [],
+ "resources": [
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "spokeNetworkPeering",
+ "resourceGroup": "[parameters('spokeResourceGroupName')]",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "name": {
+ "value": "[format('{0}/to-{1}', parameters('spokeVirtualNetworkName'), parameters('hubVirtualNetworkName'))]"
+ },
+ "remoteVirtualNetworkResourceId": {
+ "value": "[parameters('hubVirtualNetworkResourceId')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.4.451.19169",
+ "templateHash": "16145505190701732004"
+ }
+ },
+ "parameters": {
+ "name": {
+ "type": "string"
+ },
+ "remoteVirtualNetworkResourceId": {
+ "type": "string"
+ }
+ },
+ "functions": [],
+ "resources": [
+ {
+ "type": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings",
+ "apiVersion": "2021-02-01",
+ "name": "[parameters('name')]",
+ "properties": {
+ "remoteVirtualNetwork": {
+ "id": "[parameters('remoteVirtualNetworkResourceId')]"
+ }
+ }
+ }
+ ]
+ }
+ }
+ }
+ ]
+ }
+ },
+ "dependsOn": [
+ "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), parameters('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('{0}-hub', parameters('resourcePrefix')))]",
+ "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('sharedServicesSubscriptionId'), parameters('sharedServicesResourceGroupName')), 'Microsoft.Resources/deployments', format('{0}-sharedServices', parameters('resourcePrefix')))]",
+ "[subscriptionResourceId(parameters('sharedServicesSubscriptionId'), 'Microsoft.Resources/deployments', 'sharedServicesResourceGroup')]"
+ ]
+ }
+ ],
+ "outputs": {
+ "hubSubscriptionId": {
+ "type": "string",
+ "value": "[parameters('hubSubscriptionId')]"
+ },
+ "hubResourceGroupName": {
+ "type": "string",
+ "value": "[reference(subscriptionResourceId(parameters('hubSubscriptionId'), 'Microsoft.Resources/deployments', 'hubResourceGroup'), '2019-10-01').outputs.name.value]"
+ },
+ "hubResourceGroupResourceId": {
+ "type": "string",
+ "value": "[reference(subscriptionResourceId(parameters('hubSubscriptionId'), 'Microsoft.Resources/deployments', 'hubResourceGroup'), '2019-10-01').outputs.id.value]"
+ },
+ "hubVirtualNetworkName": {
+ "type": "string",
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), parameters('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('{0}-hub', parameters('resourcePrefix'))), '2019-10-01').outputs.virtualNetworkName.value]"
+ },
+ "hubVirtualNetworkResourceId": {
+ "type": "string",
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), parameters('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('{0}-hub', parameters('resourcePrefix'))), '2019-10-01').outputs.virtualNetworkResourceId.value]"
+ },
+ "hubSubnetName": {
+ "type": "string",
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), parameters('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('{0}-hub', parameters('resourcePrefix'))), '2019-10-01').outputs.subnetName.value]"
+ },
+ "hubSubnetResourceId": {
+ "type": "string",
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), parameters('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('{0}-hub', parameters('resourcePrefix'))), '2019-10-01').outputs.subnetResourceId.value]"
+ },
+ "hubSubnetAddressPrefix": {
+ "type": "string",
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), parameters('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('{0}-hub', parameters('resourcePrefix'))), '2019-10-01').outputs.subnetAddressPrefix.value]"
+ },
+ "hubNetworkSecurityGroupName": {
+ "type": "string",
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), parameters('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('{0}-hub', parameters('resourcePrefix'))), '2019-10-01').outputs.networkSecurityGroupName.value]"
+ },
+ "hubNetworkSecurityGroupResourceId": {
+ "type": "string",
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), parameters('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('{0}-hub', parameters('resourcePrefix'))), '2019-10-01').outputs.networkSecurityGroupResourceId.value]"
+ },
+ "hubFirewallPrivateIPAddress": {
+ "type": "string",
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), parameters('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('{0}-hub', parameters('resourcePrefix'))), '2019-10-01').outputs.firewallPrivateIPAddress.value]"
+ },
+ "logAnalyticsWorkspaceName": {
+ "type": "string",
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('operationsResourceGroupName')), 'Microsoft.Resources/deployments', 'logAnalyticsWorkspace'), '2019-10-01').outputs.name.value]"
+ },
+ "logAnalyticsWorkspaceResourceId": {
+ "type": "string",
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('operationsResourceGroupName')), 'Microsoft.Resources/deployments', 'logAnalyticsWorkspace'), '2019-10-01').outputs.id.value]"
+ },
+ "firewallPrivateIPAddress": {
+ "type": "string",
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), parameters('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('{0}-hub', parameters('resourcePrefix'))), '2019-10-01').outputs.firewallPrivateIPAddress.value]"
+ },
+ "identitySubscriptionId": {
+ "type": "string",
+ "value": "[parameters('identitySubscriptionId')]"
+ },
+ "identityResourceGroupName": {
+ "type": "string",
+ "value": "[reference(subscriptionResourceId(parameters('identitySubscriptionId'), 'Microsoft.Resources/deployments', 'identityResourceGroup'), '2019-10-01').outputs.name.value]"
+ },
+ "identityResourceGroupResourceId": {
+ "type": "string",
+ "value": "[reference(subscriptionResourceId(parameters('identitySubscriptionId'), 'Microsoft.Resources/deployments', 'identityResourceGroup'), '2019-10-01').outputs.id.value]"
+ },
+ "identityVirtualNetworkName": {
+ "type": "string",
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('identitySubscriptionId'), parameters('identityResourceGroupName')), 'Microsoft.Resources/deployments', format('{0}-identity', parameters('resourcePrefix'))), '2019-10-01').outputs.virtualNetworkName.value]"
+ },
+ "identityVirtualNetworkResourceId": {
+ "type": "string",
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('identitySubscriptionId'), parameters('identityResourceGroupName')), 'Microsoft.Resources/deployments', format('{0}-identity', parameters('resourcePrefix'))), '2019-10-01').outputs.virtualNetworkResourceId.value]"
+ },
+ "identitySubnetName": {
+ "type": "string",
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('identitySubscriptionId'), parameters('identityResourceGroupName')), 'Microsoft.Resources/deployments', format('{0}-identity', parameters('resourcePrefix'))), '2019-10-01').outputs.subnetName.value]"
+ },
+ "identitySubnetResourceId": {
+ "type": "string",
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('identitySubscriptionId'), parameters('identityResourceGroupName')), 'Microsoft.Resources/deployments', format('{0}-identity', parameters('resourcePrefix'))), '2019-10-01').outputs.subnetResourceId.value]"
+ },
+ "identitySubnetAddressPrefix": {
+ "type": "string",
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('identitySubscriptionId'), parameters('identityResourceGroupName')), 'Microsoft.Resources/deployments', format('{0}-identity', parameters('resourcePrefix'))), '2019-10-01').outputs.subnetAddressPrefix.value]"
+ },
+ "identityNetworkSecurityGroupName": {
+ "type": "string",
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('identitySubscriptionId'), parameters('identityResourceGroupName')), 'Microsoft.Resources/deployments', format('{0}-identity', parameters('resourcePrefix'))), '2019-10-01').outputs.networkSecurityGroupName.value]"
+ },
+ "identityNetworkSecurityGroupResourceId": {
+ "type": "string",
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('identitySubscriptionId'), parameters('identityResourceGroupName')), 'Microsoft.Resources/deployments', format('{0}-identity', parameters('resourcePrefix'))), '2019-10-01').outputs.networkSecurityGroupResourceId.value]"
+ },
+ "operationsSubscriptionId": {
+ "type": "string",
+ "value": "[parameters('operationsSubscriptionId')]"
+ },
+ "operationsResourceGroupName": {
+ "type": "string",
+ "value": "[reference(subscriptionResourceId(parameters('operationsSubscriptionId'), 'Microsoft.Resources/deployments', 'operationsResourceGroup'), '2019-10-01').outputs.name.value]"
+ },
+ "operationsResourceGroupResourceId": {
+ "type": "string",
+ "value": "[reference(subscriptionResourceId(parameters('operationsSubscriptionId'), 'Microsoft.Resources/deployments', 'operationsResourceGroup'), '2019-10-01').outputs.id.value]"
+ },
+ "operationsVirtualNetworkName": {
+ "type": "string",
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('{0}-operations', parameters('resourcePrefix'))), '2019-10-01').outputs.virtualNetworkName.value]"
+ },
+ "operationsVirtualNetworkResourceId": {
+ "type": "string",
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('{0}-operations', parameters('resourcePrefix'))), '2019-10-01').outputs.virtualNetworkResourceId.value]"
+ },
+ "operationsSubnetName": {
+ "type": "string",
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('{0}-operations', parameters('resourcePrefix'))), '2019-10-01').outputs.subnetName.value]"
+ },
+ "operationsSubnetResourceId": {
+ "type": "string",
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('{0}-operations', parameters('resourcePrefix'))), '2019-10-01').outputs.subnetResourceId.value]"
+ },
+ "operationsSubnetAddressPrefix": {
+ "type": "string",
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('{0}-operations', parameters('resourcePrefix'))), '2019-10-01').outputs.subnetAddressPrefix.value]"
+ },
+ "operationsNetworkSecurityGroupName": {
+ "type": "string",
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('{0}-operations', parameters('resourcePrefix'))), '2019-10-01').outputs.networkSecurityGroupName.value]"
+ },
+ "operationsNetworkSecurityGroupResourceId": {
+ "type": "string",
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('{0}-operations', parameters('resourcePrefix'))), '2019-10-01').outputs.networkSecurityGroupResourceId.value]"
+ },
+ "sharedServicesSubscriptionId": {
+ "type": "string",
+ "value": "[parameters('sharedServicesSubscriptionId')]"
+ },
+ "sharedServicesResourceGroupName": {
+ "type": "string",
+ "value": "[reference(subscriptionResourceId(parameters('sharedServicesSubscriptionId'), 'Microsoft.Resources/deployments', 'sharedServicesResourceGroup'), '2019-10-01').outputs.name.value]"
+ },
+ "sharedServicesResourceGroupResourceId": {
+ "type": "string",
+ "value": "[reference(subscriptionResourceId(parameters('sharedServicesSubscriptionId'), 'Microsoft.Resources/deployments', 'sharedServicesResourceGroup'), '2019-10-01').outputs.id.value]"
+ },
+ "sharedServicesVirtualNetworkName": {
+ "type": "string",
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('sharedServicesSubscriptionId'), parameters('sharedServicesResourceGroupName')), 'Microsoft.Resources/deployments', format('{0}-sharedServices', parameters('resourcePrefix'))), '2019-10-01').outputs.virtualNetworkName.value]"
+ },
+ "sharedServicesVirtualNetworkResourceId": {
+ "type": "string",
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('sharedServicesSubscriptionId'), parameters('sharedServicesResourceGroupName')), 'Microsoft.Resources/deployments', format('{0}-sharedServices', parameters('resourcePrefix'))), '2019-10-01').outputs.virtualNetworkResourceId.value]"
+ },
+ "sharedServicesSubnetName": {
+ "type": "string",
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('sharedServicesSubscriptionId'), parameters('sharedServicesResourceGroupName')), 'Microsoft.Resources/deployments', format('{0}-sharedServices', parameters('resourcePrefix'))), '2019-10-01').outputs.subnetName.value]"
+ },
+ "sharedServicesSubnetResourceId": {
+ "type": "string",
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('sharedServicesSubscriptionId'), parameters('sharedServicesResourceGroupName')), 'Microsoft.Resources/deployments', format('{0}-sharedServices', parameters('resourcePrefix'))), '2019-10-01').outputs.subnetResourceId.value]"
+ },
+ "sharedServicesSubnetAddressPrefix": {
+ "type": "string",
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('sharedServicesSubscriptionId'), parameters('sharedServicesResourceGroupName')), 'Microsoft.Resources/deployments', format('{0}-sharedServices', parameters('resourcePrefix'))), '2019-10-01').outputs.subnetAddressPrefix.value]"
+ },
+ "sharedServicesNetworkSecurityGroupName": {
+ "type": "string",
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('sharedServicesSubscriptionId'), parameters('sharedServicesResourceGroupName')), 'Microsoft.Resources/deployments', format('{0}-sharedServices', parameters('resourcePrefix'))), '2019-10-01').outputs.networkSecurityGroupName.value]"
+ },
+ "sharedServicesNetworkSecurityGroupResourceId": {
+ "type": "string",
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('sharedServicesSubscriptionId'), parameters('sharedServicesResourceGroupName')), 'Microsoft.Resources/deployments', format('{0}-sharedServices', parameters('resourcePrefix'))), '2019-10-01').outputs.networkSecurityGroupResourceId.value]"
+ }
+ }
+ }
\ No newline at end of file
diff --git a/src/bicep/mlz.bicep b/src/bicep/mlz.bicep
new file mode 100644
index 000000000..6683fbd7c
--- /dev/null
+++ b/src/bicep/mlz.bicep
@@ -0,0 +1,600 @@
+// scope
+targetScope = 'subscription'
+
+// main
+
+//// scaffolding
+
+module hubResourceGroup './modules/resourceGroup.bicep' = {
+ name: 'deploy-hub-rg-${nowUtc}'
+ scope: subscription(hubSubscriptionId)
+ params: {
+ name: hubResourceGroupName
+ location: hubLocation
+ tags: tags
+ }
+}
+
+module identityResourceGroup './modules/resourceGroup.bicep' = {
+ name: 'deploy-identity-rg-${nowUtc}'
+ scope: subscription(identitySubscriptionId)
+ params: {
+ name: identityResourceGroupName
+ location: identityLocation
+ tags: tags
+ }
+}
+
+module operationsResourceGroup './modules/resourceGroup.bicep' = {
+ name: 'deploy-operations-rg-${nowUtc}'
+ scope: subscription(operationsSubscriptionId)
+ params: {
+ name: operationsResourceGroupName
+ location: operationsLocation
+ tags: tags
+ }
+}
+
+module sharedServicesResourceGroup './modules/resourceGroup.bicep' = {
+ name: 'deploy-sharedServices-rg-${nowUtc}'
+ scope: subscription(sharedServicesSubscriptionId)
+ params: {
+ name: sharedServicesResourceGroupName
+ location: sharedServicesLocation
+ tags: tags
+ }
+}
+
+//// logging
+
+module logAnalyticsWorkspace './modules/logAnalyticsWorkspace.bicep' = {
+ name: 'deploy-laws-${nowUtc}'
+ scope: resourceGroup(operationsSubscriptionId, operationsResourceGroupName)
+ params: {
+ name: logAnalyticsWorkspaceName
+ location: logAnalyticsWorkspaceLocation
+ tags: tags
+
+ retentionInDays: logAnalyticsWorkspaceRetentionInDays
+ skuName: logAnalyticsWorkspaceSkuName
+ workspaceCappingDailyQuotaGb: logAnalyticsWorkspaceCappingDailyQuotaGb
+ }
+ dependsOn: [
+ operationsResourceGroup
+ ]
+}
+
+//// hub and spoke
+
+module hub './modules/hubNetwork.bicep' = {
+ name: 'deploy-hub-${nowUtc}'
+ scope: resourceGroup(hubSubscriptionId, hubResourceGroupName)
+ params: {
+ location: hubLocation
+ tags: tags
+
+ logStorageAccountName: hubLogStorageAccountName
+ logStorageSkuName: hubLogStorageSkuName
+
+ logAnalyticsWorkspaceResourceId: logAnalyticsWorkspace.outputs.id
+
+ virtualNetworkName: hubVirtualNetworkName
+ virtualNetworkAddressPrefix: hubVirtualNetworkAddressPrefix
+ virtualNetworkDiagnosticsLogs: hubVirtualNetworkDiagnosticsLogs
+ virtualNetworkDiagnosticsMetrics: hubVirtualNetworkDiagnosticsMetrics
+
+ networkSecurityGroupName: hubNetworkSecurityGroupName
+ networkSecurityGroupRules: hubNetworkSecurityGroupRules
+
+ subnetName: hubSubnetName
+ subnetAddressPrefix: hubSubnetAddressPrefix
+ subnetServiceEndpoints: hubSubnetServiceEndpoints
+
+ firewallName: firewallName
+ firewallSkuTier: firewallSkuTier
+ firewallPolicyName: firewallPolicyName
+ firewallThreatIntelMode: firewallThreatIntelMode
+ firewallClientIpConfigurationName: firewallClientIpConfigurationName
+ firewallClientSubnetName: firewallClientSubnetName
+ firewallClientSubnetAddressPrefix: firewallClientSubnetAddressPrefix
+ firewallClientSubnetServiceEndpoints: firewallClientSubnetServiceEndpoints
+ firewallClientPublicIPAddressName: firewallClientPublicIPAddressName
+ firewallClientPublicIPAddressSkuName: firewallClientPublicIPAddressSkuName
+ firewallClientPublicIpAllocationMethod: firewallClientPublicIpAllocationMethod
+ firewallClientPublicIPAddressAvailabilityZones: firewallClientPublicIPAddressAvailabilityZones
+ firewallManagementIpConfigurationName: firewallManagementIpConfigurationName
+ firewallManagementSubnetName: firewallManagementSubnetName
+ firewallManagementSubnetAddressPrefix: firewallManagementSubnetAddressPrefix
+ firewallManagementSubnetServiceEndpoints: firewallManagementSubnetServiceEndpoints
+ firewallManagementPublicIPAddressName: firewallManagementPublicIPAddressName
+ firewallManagementPublicIPAddressSkuName: firewallManagementPublicIPAddressSkuName
+ firewallManagementPublicIpAllocationMethod: firewallManagementPublicIpAllocationMethod
+ firewallManagementPublicIPAddressAvailabilityZones: firewallManagementPublicIPAddressAvailabilityZones
+ }
+}
+
+module identity './modules/spokeNetwork.bicep' = {
+ name: 'deploy-identity-spoke-${nowUtc}'
+ scope: resourceGroup(identitySubscriptionId, identityResourceGroupName)
+ params: {
+ location: identityLocation
+ tags: tags
+
+ logStorageAccountName: identityLogStorageAccountName
+ logStorageSkuName: identityLogStorageSkuName
+
+ logAnalyticsWorkspaceResourceId: logAnalyticsWorkspace.outputs.id
+
+ firewallPrivateIPAddress: hub.outputs.firewallPrivateIPAddress
+
+ virtualNetworkName: identityVirtualNetworkName
+ virtualNetworkAddressPrefix: identityVirtualNetworkAddressPrefix
+ virtualNetworkDiagnosticsLogs: identityVirtualNetworkDiagnosticsLogs
+ virtualNetworkDiagnosticsMetrics: identityVirtualNetworkDiagnosticsMetrics
+
+ networkSecurityGroupName: identityNetworkSecurityGroupName
+ networkSecurityGroupRules: identityNetworkSecurityGroupRules
+
+ subnetName: identitySubnetName
+ subnetAddressPrefix: identitySubnetAddressPrefix
+ subnetServiceEndpoints: identitySubnetServiceEndpoints
+ }
+}
+
+module operations './modules/spokeNetwork.bicep' = {
+ name: 'deploy-operations-spoke-${nowUtc}'
+ scope: resourceGroup(operationsSubscriptionId, operationsResourceGroupName)
+ params: {
+ location: operationsLocation
+ tags: tags
+
+ logStorageAccountName: operationsLogStorageAccountName
+ logStorageSkuName: operationsLogStorageSkuName
+
+ logAnalyticsWorkspaceResourceId: logAnalyticsWorkspace.outputs.id
+
+ firewallPrivateIPAddress: hub.outputs.firewallPrivateIPAddress
+
+ virtualNetworkName: operationsVirtualNetworkName
+ virtualNetworkAddressPrefix: operationsVirtualNetworkAddressPrefix
+ virtualNetworkDiagnosticsLogs: operationsVirtualNetworkDiagnosticsLogs
+ virtualNetworkDiagnosticsMetrics: operationsVirtualNetworkDiagnosticsMetrics
+
+ networkSecurityGroupName: operationsNetworkSecurityGroupName
+ networkSecurityGroupRules: operationsNetworkSecurityGroupRules
+
+ subnetName: operationsSubnetName
+ subnetAddressPrefix: operationsSubnetAddressPrefix
+ subnetServiceEndpoints: operationsSubnetServiceEndpoints
+ }
+}
+
+module sharedServices './modules/spokeNetwork.bicep' = {
+ name: 'deploy-sharedServices-spoke-${nowUtc}'
+ scope: resourceGroup(sharedServicesSubscriptionId, sharedServicesResourceGroupName)
+ params: {
+ location: sharedServicesLocation
+ tags: tags
+
+ logStorageAccountName: sharedServicesLogStorageAccountName
+ logStorageSkuName: sharedServicesLogStorageSkuName
+
+ logAnalyticsWorkspaceResourceId: logAnalyticsWorkspace.outputs.id
+
+ firewallPrivateIPAddress: hub.outputs.firewallPrivateIPAddress
+
+ virtualNetworkName: sharedServicesVirtualNetworkName
+ virtualNetworkAddressPrefix: sharedServicesVirtualNetworkAddressPrefix
+ virtualNetworkDiagnosticsLogs: sharedServicesVirtualNetworkDiagnosticsLogs
+ virtualNetworkDiagnosticsMetrics: sharedServicesVirtualNetworkDiagnosticsMetrics
+
+ networkSecurityGroupName: sharedServicesNetworkSecurityGroupName
+ networkSecurityGroupRules: sharedServicesNetworkSecurityGroupRules
+
+ subnetName: sharedServicesSubnetName
+ subnetAddressPrefix: sharedServicesSubnetAddressPrefix
+ subnetServiceEndpoints: sharedServicesSubnetServiceEndpoints
+ }
+}
+
+//// peering
+
+module hubVirtualNetworkPeerings './modules/hubNetworkPeerings.bicep' = {
+ name: 'deploy-hub-peerings-${nowUtc}'
+ scope: subscription(hubSubscriptionId)
+ params: {
+ hubResourceGroupName: hubResourceGroup.outputs.name
+ hubVirtualNetworkName: hub.outputs.virtualNetworkName
+
+ identityVirtualNetworkName: identity.outputs.virtualNetworkName
+ operationsVirtualNetworkName: operations.outputs.virtualNetworkName
+ sharedServicesVirtualNetworkName: sharedServices.outputs.virtualNetworkName
+
+ identityVirtualNetworkResourceId: identity.outputs.virtualNetworkResourceId
+ operationsVirtualNetworkResourceId: sharedServices.outputs.virtualNetworkResourceId
+ sharedServicesVirtualNetworkResourceId: operations.outputs.virtualNetworkResourceId
+ }
+}
+
+module identityVirtualNetworkPeering './modules/spokeNetworkPeering.bicep' = {
+ name: 'deploy-identity-peerings-${nowUtc}'
+ scope: subscription(identitySubscriptionId)
+ params: {
+ spokeResourceGroupName: identityResourceGroup.outputs.name
+ spokeVirtualNetworkName: identity.outputs.virtualNetworkName
+
+ hubVirtualNetworkName: hub.outputs.virtualNetworkName
+ hubVirtualNetworkResourceId: hub.outputs.virtualNetworkResourceId
+ }
+}
+
+module operationsVirtualNetworkPeering './modules/spokeNetworkPeering.bicep' = {
+ name: 'deploy-operations-peerings-${nowUtc}'
+ scope: subscription(operationsSubscriptionId)
+ params: {
+ spokeResourceGroupName: operationsResourceGroup.outputs.name
+ spokeVirtualNetworkName: operations.outputs.virtualNetworkName
+
+ hubVirtualNetworkName: hub.outputs.virtualNetworkName
+ hubVirtualNetworkResourceId: hub.outputs.virtualNetworkResourceId
+ }
+}
+
+module sharedServicesVirtualNetworkPeering './modules/spokeNetworkPeering.bicep' = {
+ name: 'deploy-sharedServices-peerings-${nowUtc}'
+ scope: subscription(sharedServicesSubscriptionId)
+ params: {
+ spokeResourceGroupName: sharedServicesResourceGroup.outputs.name
+ spokeVirtualNetworkName: sharedServices.outputs.virtualNetworkName
+
+ hubVirtualNetworkName: hub.outputs.virtualNetworkName
+ hubVirtualNetworkResourceId: hub.outputs.virtualNetworkResourceId
+ }
+}
+
+//// policy
+
+module hubPolicyAssignment './modules/policyAssignment.bicep' = {
+ name: 'assign-policy-hub-${nowUtc}'
+ scope: resourceGroup(hubSubscriptionId, hubResourceGroupName)
+ params: {
+ builtInAssignment: policy
+ logAnalyticsWorkspaceName: logAnalyticsWorkspace.outputs.name
+ logAnalyticsWorkspaceResourceGroupName: operationsResourceGroup.outputs.name
+ operationsSubscriptionId: operationsSubscriptionId
+ }
+}
+
+module operationsPolicyAssignment './modules/policyAssignment.bicep' = {
+ name: 'assign-policy-operations-${nowUtc}'
+ scope: resourceGroup(operationsSubscriptionId, operationsResourceGroupName)
+ params: {
+ builtInAssignment: policy
+ logAnalyticsWorkspaceName: logAnalyticsWorkspace.outputs.name
+ logAnalyticsWorkspaceResourceGroupName: operationsResourceGroup.outputs.name
+ operationsSubscriptionId: operationsSubscriptionId
+ }
+}
+
+module sharedServicesPolicyAssignment './modules/policyAssignment.bicep' = {
+ name: 'assign-policy-sharedServices-${nowUtc}'
+ scope: resourceGroup(sharedServicesSubscriptionId, sharedServicesResourceGroupName)
+ params: {
+ builtInAssignment: policy
+ logAnalyticsWorkspaceName: logAnalyticsWorkspace.outputs.name
+ logAnalyticsWorkspaceResourceGroupName: operationsResourceGroup.outputs.name
+ operationsSubscriptionId: operationsSubscriptionId
+ }
+}
+
+module identityPolicyAssignment './modules/policyAssignment.bicep' = {
+ name: 'assign-policy-identity-${nowUtc}'
+ scope: resourceGroup(identitySubscriptionId, identityResourceGroupName)
+ params: {
+ builtInAssignment: policy
+ logAnalyticsWorkspaceName: logAnalyticsWorkspace.outputs.name
+ logAnalyticsWorkspaceResourceGroupName: operationsResourceGroup.outputs.name
+ operationsSubscriptionId: operationsSubscriptionId
+ }
+}
+
+module hubSubscriptionCreateActivityLogging './modules/centralLogging.bicep' = {
+ name: 'activity-logs-hub-${nowUtc}'
+ scope: subscription(hubSubscriptionId)
+ params: {
+ diagnosticSettingName: 'log-hub-sub-activity-to-${logAnalyticsWorkspace.outputs.name}'
+ logAnalyticsWorkspaceId: logAnalyticsWorkspace.outputs.id
+ }
+}
+
+module operationsSubscriptionCreateActivityLogging './modules/centralLogging.bicep' = if(hubSubscriptionId != operationsSubscriptionId) {
+ name: 'activity-logs-operations-${nowUtc}'
+ scope: subscription(operationsSubscriptionId)
+ params: {
+ diagnosticSettingName: 'log-operations-sub-activity-to-${logAnalyticsWorkspace.outputs.name}'
+ logAnalyticsWorkspaceId: logAnalyticsWorkspace.outputs.id
+ }
+}
+
+module identitySubscriptionCreateActivityLogging './modules/centralLogging.bicep' = if(hubSubscriptionId != identitySubscriptionId) {
+ name: 'activity-logs-identity-${nowUtc}'
+ scope: subscription(identitySubscriptionId)
+ params: {
+ diagnosticSettingName: 'log-identity-sub-activity-to-${logAnalyticsWorkspace.outputs.name}'
+ logAnalyticsWorkspaceId: logAnalyticsWorkspace.outputs.id
+ }
+}
+
+module sharedServicesSubscriptionCreateActivityLogging './modules/centralLogging.bicep' = if(hubSubscriptionId != sharedServicesSubscriptionId) {
+ name: 'activity-logs-sharedServices-${nowUtc}'
+ scope: subscription(sharedServicesSubscriptionId)
+ params: {
+ diagnosticSettingName: 'log-sharedServices-sub-activity-to-${logAnalyticsWorkspace.outputs.name}'
+ logAnalyticsWorkspaceId: logAnalyticsWorkspace.outputs.id
+ }
+}
+
+//// remote access
+
+module remoteAccess './modules/remoteAccess.bicep' = if(deployRemoteAccess) {
+ name: 'deploy-remote-access-${nowUtc}'
+ scope: resourceGroup(hubSubscriptionId, hubResourceGroupName)
+
+ params: {
+ location: hubLocation
+
+ hubVirtualNetworkName: hub.outputs.virtualNetworkName
+ hubSubnetResourceId: hub.outputs.subnetResourceId
+ hubNetworkSecurityGroupResourceId: hub.outputs.networkSecurityGroupResourceId
+
+ bastionHostName: bastionHostName
+ bastionHostSubnetAddressPrefix: bastionHostSubnetAddressPrefix
+ bastionHostPublicIPAddressName: bastionHostPublicIPAddressName
+ bastionHostPublicIPAddressSkuName: bastionHostPublicIPAddressSkuName
+ bastionHostPublicIPAddressAllocationMethod: bastionHostPublicIPAddressAllocationMethod
+ bastionHostPublicIPAddressAvailabilityZones: bastionHostPublicIPAddressAvailabilityZones
+ bastionHostIPConfigurationName: bastionHostIPConfigurationName
+
+ linuxNetworkInterfaceName: linuxNetworkInterfaceName
+ linuxNetworkInterfaceIpConfigurationName: linuxNetworkInterfaceIpConfigurationName
+ linuxNetworkInterfacePrivateIPAddressAllocationMethod: linuxNetworkInterfacePrivateIPAddressAllocationMethod
+
+ linuxVmName: linuxVmName
+ linuxVmSize: linuxVmSize
+ linuxVmOsDiskCreateOption: linuxVmOsDiskCreateOption
+ linuxVmOsDiskType: linuxVmOsDiskType
+ linuxVmImagePublisher: linuxVmImagePublisher
+ linuxVmImageOffer: linuxVmImageOffer
+ linuxVmImageSku: linuxVmImageSku
+ linuxVmImageVersion: linuxVmImageVersion
+ linuxVmAdminUsername: linuxVmAdminUsername
+ linuxVmAuthenticationType: linuxVmAuthenticationType
+ linuxVmAdminPasswordOrKey: linuxVmAdminPasswordOrKey
+
+ windowsNetworkInterfaceName: windowsNetworkInterfaceName
+ windowsNetworkInterfaceIpConfigurationName: windowsNetworkInterfaceIpConfigurationName
+ windowsNetworkInterfacePrivateIPAddressAllocationMethod: windowsNetworkInterfacePrivateIPAddressAllocationMethod
+
+ windowsVmName: windowsVmName
+ windowsVmSize: windowsVmSize
+ windowsVmAdminUsername: windowsVmAdminUsername
+ windowsVmAdminPassword: windowsVmAdminPassword
+ windowsVmPublisher: windowsVmPublisher
+ windowsVmOffer: windowsVmOffer
+ windowsVmSku: windowsVmSku
+ windowsVmVersion: windowsVmVersion
+ windowsVmCreateOption: windowsVmCreateOption
+ windowsVmStorageAccountType: windowsVmStorageAccountType
+ }
+}
+
+// parameters
+
+@minLength(3)
+@maxLength(24)
+@description('A name (3-24 alphanumeric characters in length without whitespace) used to prefix resources and generate uniqueness for resources with globally unique naming requirements like Storage Accounts and Log Analytics Workspaces')
+param resourcePrefix string = 'mlz-${uniqueId}'
+param hubSubscriptionId string = subscription().subscriptionId
+param identitySubscriptionId string = hubSubscriptionId
+param operationsSubscriptionId string = hubSubscriptionId
+param sharedServicesSubscriptionId string = hubSubscriptionId
+
+@allowed([
+ 'Standard'
+ 'Premium'
+])
+param firewallSkuTier string = 'Premium'
+
+param hubResourceGroupName string = '${resourcePrefix}-hub'
+param hubLocation string = deployment().location
+param hubVirtualNetworkName string = 'hub-vnet'
+param hubSubnetName string = 'hub-subnet'
+param hubVirtualNetworkAddressPrefix string = '10.0.100.0/24'
+param hubSubnetAddressPrefix string = '10.0.100.128/27'
+param hubVirtualNetworkDiagnosticsLogs array = []
+param hubVirtualNetworkDiagnosticsMetrics array = []
+param hubNetworkSecurityGroupName string = 'hub-nsg'
+param hubNetworkSecurityGroupRules array = []
+param hubSubnetServiceEndpoints array = []
+param hubLogStorageAccountName string = toLower(take('hublogs${uniqueId}', 24))
+param hubLogStorageSkuName string = 'Standard_GRS'
+
+param firewallName string = 'firewall'
+param firewallManagementSubnetAddressPrefix string = '10.0.100.64/26'
+param firewallClientSubnetAddressPrefix string = '10.0.100.0/26'
+param firewallPolicyName string = 'firewall-policy'
+param firewallThreatIntelMode string = 'Alert'
+var firewallClientSubnetName = 'AzureFirewallSubnet' //this must be 'AzureFirewallSubnet'
+param firewallClientIpConfigurationName string = 'firewall-client-ip-config'
+param firewallClientSubnetServiceEndpoints array = []
+param firewallClientPublicIPAddressName string = 'firewall-client-public-ip'
+param firewallClientPublicIPAddressSkuName string = 'Standard'
+param firewallClientPublicIpAllocationMethod string = 'Static'
+param firewallClientPublicIPAddressAvailabilityZones array = []
+var firewallManagementSubnetName = 'AzureFirewallManagementSubnet' //this must be 'AzureFirewallManagementSubnet'
+param firewallManagementIpConfigurationName string = 'firewall-management-ip-config'
+param firewallManagementSubnetServiceEndpoints array = []
+param firewallManagementPublicIPAddressName string = 'firewall-management-public-ip'
+param firewallManagementPublicIPAddressSkuName string = 'Standard'
+param firewallManagementPublicIpAllocationMethod string = 'Static'
+param firewallManagementPublicIPAddressAvailabilityZones array = []
+
+param identityResourceGroupName string = replace(hubResourceGroupName, 'hub', 'identity')
+param identityLocation string = hubLocation
+param identityVirtualNetworkName string = replace(hubVirtualNetworkName, 'hub', 'identity')
+param identitySubnetName string = replace(hubSubnetName, 'hub', 'identity')
+param identityVirtualNetworkAddressPrefix string = '10.0.110.0/26'
+param identitySubnetAddressPrefix string = '10.0.110.0/27'
+param identityVirtualNetworkDiagnosticsLogs array = []
+param identityVirtualNetworkDiagnosticsMetrics array = []
+param identityNetworkSecurityGroupName string = replace(hubNetworkSecurityGroupName, 'hub', 'identity')
+param identityNetworkSecurityGroupRules array = []
+param identitySubnetServiceEndpoints array = []
+param identityLogStorageAccountName string = toLower(take('idlogs${uniqueId}', 24))
+param identityLogStorageSkuName string = hubLogStorageSkuName
+
+param operationsResourceGroupName string = replace(hubResourceGroupName, 'hub', 'operations')
+param operationsLocation string = hubLocation
+param operationsVirtualNetworkName string = replace(hubVirtualNetworkName, 'hub', 'operations')
+param operationsVirtualNetworkAddressPrefix string = '10.0.115.0/26'
+param operationsVirtualNetworkDiagnosticsLogs array = []
+param operationsVirtualNetworkDiagnosticsMetrics array = []
+param operationsNetworkSecurityGroupName string = replace(hubNetworkSecurityGroupName, 'hub', 'operations')
+param operationsNetworkSecurityGroupRules array = []
+param operationsSubnetName string = replace(hubSubnetName, 'hub', 'operations')
+param operationsSubnetAddressPrefix string = '10.0.115.0/27'
+param operationsSubnetServiceEndpoints array = []
+param operationsLogStorageAccountName string = toLower(take('opslogs${uniqueId}', 24))
+param operationsLogStorageSkuName string = hubLogStorageSkuName
+
+param sharedServicesResourceGroupName string = replace(hubResourceGroupName, 'hub', 'sharedServices')
+param sharedServicesLocation string = hubLocation
+param sharedServicesVirtualNetworkName string = replace(hubVirtualNetworkName, 'hub', 'sharedServices')
+param sharedServicesSubnetName string = replace(hubSubnetName, 'hub', 'sharedServices')
+param sharedServicesVirtualNetworkAddressPrefix string = '10.0.120.0/26'
+param sharedServicesSubnetAddressPrefix string = '10.0.120.0/27'
+param sharedServicesVirtualNetworkDiagnosticsLogs array = []
+param sharedServicesVirtualNetworkDiagnosticsMetrics array = []
+param sharedServicesNetworkSecurityGroupName string = replace(hubNetworkSecurityGroupName, 'hub', 'sharedServices')
+param sharedServicesNetworkSecurityGroupRules array = []
+param sharedServicesSubnetServiceEndpoints array = []
+param sharedServicesLogStorageAccountName string = toLower(take('shrdSvclogs${uniqueId}', 24))
+param sharedServicesLogStorageSkuName string = hubLogStorageSkuName
+
+param logAnalyticsWorkspaceName string = take('${resourcePrefix}-laws', 63)
+param logAnalyticsWorkspaceLocation string = operationsLocation
+param logAnalyticsWorkspaceCappingDailyQuotaGb int = -1
+param logAnalyticsWorkspaceRetentionInDays int = 30
+param logAnalyticsWorkspaceSkuName string = 'PerGB2018'
+
+@allowed([
+ 'NIST'
+ 'IL5' // Gov cloud only, trying to deploy IL5 in AzureCloud will switch to NIST
+ 'CMMC'
+ ''
+])
+@description('Built-in policy assignments to assign, default is none. [NIST/IL5/CMMC] IL5 is only availalbe for GOV cloud and will switch to NIST if tried in AzureCloud.')
+param policy string = ''
+
+@description('Provision Azure Bastion Host and jumpboxes in this deployment')
+param deployRemoteAccess bool = false
+param bastionHostName string = 'bastionHost'
+param bastionHostSubnetAddressPrefix string = '10.0.100.160/27'
+param bastionHostPublicIPAddressName string = 'bastionHostPublicIPAddress'
+param bastionHostPublicIPAddressSkuName string = 'Standard'
+param bastionHostPublicIPAddressAllocationMethod string = 'Static'
+param bastionHostPublicIPAddressAvailabilityZones array = []
+param bastionHostIPConfigurationName string = 'bastionHostIPConfiguration'
+param linuxNetworkInterfaceName string = 'linuxVmNetworkInterface'
+param linuxNetworkInterfaceIpConfigurationName string = 'linuxVmIpConfiguration'
+param linuxNetworkInterfacePrivateIPAddressAllocationMethod string = 'Dynamic'
+param linuxVmName string = 'linuxVirtualMachine'
+param linuxVmSize string = 'Standard_B2s'
+param linuxVmOsDiskCreateOption string = 'FromImage'
+param linuxVmOsDiskType string = 'Standard_LRS'
+param linuxVmImagePublisher string = 'Canonical'
+param linuxVmImageOffer string = 'UbuntuServer'
+param linuxVmImageSku string = '18.04-LTS'
+param linuxVmImageVersion string = 'latest'
+param linuxVmAdminUsername string = 'azureuser'
+@allowed([
+ 'sshPublicKey'
+ 'password'
+])
+param linuxVmAuthenticationType string = 'password'
+@secure()
+@minLength(14)
+param linuxVmAdminPasswordOrKey string = deployRemoteAccess ? '' : newGuid()
+param windowsNetworkInterfaceName string = 'windowsVmNetworkInterface'
+param windowsNetworkInterfaceIpConfigurationName string = 'windowsVmIpConfiguration'
+param windowsNetworkInterfacePrivateIPAddressAllocationMethod string = 'Dynamic'
+param windowsVmName string = 'windowsVm'
+param windowsVmSize string = 'Standard_DS1_v2'
+param windowsVmAdminUsername string = 'azureuser'
+@secure()
+@minLength(14)
+param windowsVmAdminPassword string = deployRemoteAccess ? '' : newGuid()
+param windowsVmPublisher string = 'MicrosoftWindowsServer'
+param windowsVmOffer string = 'WindowsServer'
+param windowsVmSku string = '2019-datacenter-gensecond'
+param windowsVmVersion string = 'latest'
+param windowsVmCreateOption string = 'FromImage'
+param windowsVmStorageAccountType string = 'StandardSSD_LRS'
+
+param tags object = {
+ 'resourcePrefix': resourcePrefix
+}
+
+param uniqueId string = uniqueString(deployment().name)
+param nowUtc string = utcNow()
+
+// outputs
+
+output hubSubscriptionId string = hubSubscriptionId
+output hubResourceGroupName string = hubResourceGroup.outputs.name
+output hubResourceGroupResourceId string = hubResourceGroup.outputs.id
+output hubVirtualNetworkName string = hub.outputs.virtualNetworkName
+output hubVirtualNetworkResourceId string = hub.outputs.virtualNetworkResourceId
+output hubSubnetName string = hub.outputs.subnetName
+output hubSubnetResourceId string = hub.outputs.subnetResourceId
+output hubSubnetAddressPrefix string = hub.outputs.subnetAddressPrefix
+output hubNetworkSecurityGroupName string = hub.outputs.networkSecurityGroupName
+output hubNetworkSecurityGroupResourceId string = hub.outputs.networkSecurityGroupResourceId
+output hubFirewallPrivateIPAddress string = hub.outputs.firewallPrivateIPAddress
+
+output logAnalyticsWorkspaceName string = logAnalyticsWorkspace.outputs.name
+output logAnalyticsWorkspaceResourceId string = logAnalyticsWorkspace.outputs.id
+output firewallPrivateIPAddress string = hub.outputs.firewallPrivateIPAddress
+
+output identitySubscriptionId string = identitySubscriptionId
+output identityResourceGroupName string = identityResourceGroup.outputs.name
+output identityResourceGroupResourceId string = identityResourceGroup.outputs.id
+output identityVirtualNetworkName string = identity.outputs.virtualNetworkName
+output identityVirtualNetworkResourceId string = identity.outputs.virtualNetworkResourceId
+output identitySubnetName string = identity.outputs.subnetName
+output identitySubnetResourceId string = identity.outputs.subnetResourceId
+output identitySubnetAddressPrefix string = identity.outputs.subnetAddressPrefix
+output identityNetworkSecurityGroupName string = identity.outputs.networkSecurityGroupName
+output identityNetworkSecurityGroupResourceId string = identity.outputs.networkSecurityGroupResourceId
+
+output operationsSubscriptionId string = operationsSubscriptionId
+output operationsResourceGroupName string = operationsResourceGroup.outputs.name
+output operationsResourceGroupResourceId string = operationsResourceGroup.outputs.id
+output operationsVirtualNetworkName string = operations.outputs.virtualNetworkName
+output operationsVirtualNetworkResourceId string = operations.outputs.virtualNetworkResourceId
+output operationsSubnetName string = operations.outputs.subnetName
+output operationsSubnetResourceId string = operations.outputs.subnetResourceId
+output operationsSubnetAddressPrefix string = operations.outputs.subnetAddressPrefix
+output operationsNetworkSecurityGroupName string = operations.outputs.networkSecurityGroupName
+output operationsNetworkSecurityGroupResourceId string = operations.outputs.networkSecurityGroupResourceId
+
+output sharedServicesSubscriptionId string = sharedServicesSubscriptionId
+output sharedServicesResourceGroupName string = sharedServicesResourceGroup.outputs.name
+output sharedServicesResourceGroupResourceId string = sharedServicesResourceGroup.outputs.id
+output sharedServicesVirtualNetworkName string = sharedServices.outputs.virtualNetworkName
+output sharedServicesVirtualNetworkResourceId string = sharedServices.outputs.virtualNetworkResourceId
+output sharedServicesSubnetName string = sharedServices.outputs.subnetName
+output sharedServicesSubnetResourceId string = sharedServices.outputs.subnetResourceId
+output sharedServicesSubnetAddressPrefix string = sharedServices.outputs.subnetAddressPrefix
+output sharedServicesNetworkSecurityGroupName string = sharedServices.outputs.networkSecurityGroupName
+output sharedServicesNetworkSecurityGroupResourceId string = sharedServices.outputs.networkSecurityGroupResourceId
diff --git a/src/bicep/mlz.json b/src/bicep/mlz.json
new file mode 100644
index 000000000..9036170b4
--- /dev/null
+++ b/src/bicep/mlz.json
@@ -0,0 +1,6279 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.4.613.9944",
+ "templateHash": "10197699490604004243"
+ }
+ },
+ "parameters": {
+ "resourcePrefix": {
+ "type": "string",
+ "defaultValue": "[format('mlz-{0}', parameters('uniqueId'))]",
+ "metadata": {
+ "description": "A name (3-24 alphanumeric characters in length without whitespace) used to prefix resources and generate uniqueness for resources with globally unique naming requirements like Storage Accounts and Log Analytics Workspaces"
+ },
+ "maxLength": 24,
+ "minLength": 3
+ },
+ "hubSubscriptionId": {
+ "type": "string",
+ "defaultValue": "[subscription().subscriptionId]"
+ },
+ "identitySubscriptionId": {
+ "type": "string",
+ "defaultValue": "[parameters('hubSubscriptionId')]"
+ },
+ "operationsSubscriptionId": {
+ "type": "string",
+ "defaultValue": "[parameters('hubSubscriptionId')]"
+ },
+ "sharedServicesSubscriptionId": {
+ "type": "string",
+ "defaultValue": "[parameters('hubSubscriptionId')]"
+ },
+ "firewallSkuTier": {
+ "type": "string",
+ "defaultValue": "Premium",
+ "allowedValues": [
+ "Standard",
+ "Premium"
+ ]
+ },
+ "hubResourceGroupName": {
+ "type": "string",
+ "defaultValue": "[format('{0}-hub', parameters('resourcePrefix'))]"
+ },
+ "hubLocation": {
+ "type": "string",
+ "defaultValue": "[deployment().location]"
+ },
+ "hubVirtualNetworkName": {
+ "type": "string",
+ "defaultValue": "hub-vnet"
+ },
+ "hubSubnetName": {
+ "type": "string",
+ "defaultValue": "hub-subnet"
+ },
+ "hubVirtualNetworkAddressPrefix": {
+ "type": "string",
+ "defaultValue": "10.0.100.0/24"
+ },
+ "hubSubnetAddressPrefix": {
+ "type": "string",
+ "defaultValue": "10.0.100.128/27"
+ },
+ "hubVirtualNetworkDiagnosticsLogs": {
+ "type": "array",
+ "defaultValue": []
+ },
+ "hubVirtualNetworkDiagnosticsMetrics": {
+ "type": "array",
+ "defaultValue": []
+ },
+ "hubNetworkSecurityGroupName": {
+ "type": "string",
+ "defaultValue": "hub-nsg"
+ },
+ "hubNetworkSecurityGroupRules": {
+ "type": "array",
+ "defaultValue": []
+ },
+ "hubSubnetServiceEndpoints": {
+ "type": "array",
+ "defaultValue": []
+ },
+ "hubLogStorageAccountName": {
+ "type": "string",
+ "defaultValue": "[toLower(take(format('hublogs{0}', parameters('uniqueId')), 24))]"
+ },
+ "hubLogStorageSkuName": {
+ "type": "string",
+ "defaultValue": "Standard_GRS"
+ },
+ "firewallName": {
+ "type": "string",
+ "defaultValue": "firewall"
+ },
+ "firewallManagementSubnetAddressPrefix": {
+ "type": "string",
+ "defaultValue": "10.0.100.64/26"
+ },
+ "firewallClientSubnetAddressPrefix": {
+ "type": "string",
+ "defaultValue": "10.0.100.0/26"
+ },
+ "firewallPolicyName": {
+ "type": "string",
+ "defaultValue": "firewall-policy"
+ },
+ "firewallThreatIntelMode": {
+ "type": "string",
+ "defaultValue": "Alert"
+ },
+ "firewallClientIpConfigurationName": {
+ "type": "string",
+ "defaultValue": "firewall-client-ip-config"
+ },
+ "firewallClientSubnetServiceEndpoints": {
+ "type": "array",
+ "defaultValue": []
+ },
+ "firewallClientPublicIPAddressName": {
+ "type": "string",
+ "defaultValue": "firewall-client-public-ip"
+ },
+ "firewallClientPublicIPAddressSkuName": {
+ "type": "string",
+ "defaultValue": "Standard"
+ },
+ "firewallClientPublicIpAllocationMethod": {
+ "type": "string",
+ "defaultValue": "Static"
+ },
+ "firewallClientPublicIPAddressAvailabilityZones": {
+ "type": "array",
+ "defaultValue": []
+ },
+ "firewallManagementIpConfigurationName": {
+ "type": "string",
+ "defaultValue": "firewall-management-ip-config"
+ },
+ "firewallManagementSubnetServiceEndpoints": {
+ "type": "array",
+ "defaultValue": []
+ },
+ "firewallManagementPublicIPAddressName": {
+ "type": "string",
+ "defaultValue": "firewall-management-public-ip"
+ },
+ "firewallManagementPublicIPAddressSkuName": {
+ "type": "string",
+ "defaultValue": "Standard"
+ },
+ "firewallManagementPublicIpAllocationMethod": {
+ "type": "string",
+ "defaultValue": "Static"
+ },
+ "firewallManagementPublicIPAddressAvailabilityZones": {
+ "type": "array",
+ "defaultValue": []
+ },
+ "identityResourceGroupName": {
+ "type": "string",
+ "defaultValue": "[replace(parameters('hubResourceGroupName'), 'hub', 'identity')]"
+ },
+ "identityLocation": {
+ "type": "string",
+ "defaultValue": "[parameters('hubLocation')]"
+ },
+ "identityVirtualNetworkName": {
+ "type": "string",
+ "defaultValue": "[replace(parameters('hubVirtualNetworkName'), 'hub', 'identity')]"
+ },
+ "identitySubnetName": {
+ "type": "string",
+ "defaultValue": "[replace(parameters('hubSubnetName'), 'hub', 'identity')]"
+ },
+ "identityVirtualNetworkAddressPrefix": {
+ "type": "string",
+ "defaultValue": "10.0.110.0/26"
+ },
+ "identitySubnetAddressPrefix": {
+ "type": "string",
+ "defaultValue": "10.0.110.0/27"
+ },
+ "identityVirtualNetworkDiagnosticsLogs": {
+ "type": "array",
+ "defaultValue": []
+ },
+ "identityVirtualNetworkDiagnosticsMetrics": {
+ "type": "array",
+ "defaultValue": []
+ },
+ "identityNetworkSecurityGroupName": {
+ "type": "string",
+ "defaultValue": "[replace(parameters('hubNetworkSecurityGroupName'), 'hub', 'identity')]"
+ },
+ "identityNetworkSecurityGroupRules": {
+ "type": "array",
+ "defaultValue": []
+ },
+ "identitySubnetServiceEndpoints": {
+ "type": "array",
+ "defaultValue": []
+ },
+ "identityLogStorageAccountName": {
+ "type": "string",
+ "defaultValue": "[toLower(take(format('idlogs{0}', parameters('uniqueId')), 24))]"
+ },
+ "identityLogStorageSkuName": {
+ "type": "string",
+ "defaultValue": "[parameters('hubLogStorageSkuName')]"
+ },
+ "operationsResourceGroupName": {
+ "type": "string",
+ "defaultValue": "[replace(parameters('hubResourceGroupName'), 'hub', 'operations')]"
+ },
+ "operationsLocation": {
+ "type": "string",
+ "defaultValue": "[parameters('hubLocation')]"
+ },
+ "operationsVirtualNetworkName": {
+ "type": "string",
+ "defaultValue": "[replace(parameters('hubVirtualNetworkName'), 'hub', 'operations')]"
+ },
+ "operationsVirtualNetworkAddressPrefix": {
+ "type": "string",
+ "defaultValue": "10.0.115.0/26"
+ },
+ "operationsVirtualNetworkDiagnosticsLogs": {
+ "type": "array",
+ "defaultValue": []
+ },
+ "operationsVirtualNetworkDiagnosticsMetrics": {
+ "type": "array",
+ "defaultValue": []
+ },
+ "operationsNetworkSecurityGroupName": {
+ "type": "string",
+ "defaultValue": "[replace(parameters('hubNetworkSecurityGroupName'), 'hub', 'operations')]"
+ },
+ "operationsNetworkSecurityGroupRules": {
+ "type": "array",
+ "defaultValue": []
+ },
+ "operationsSubnetName": {
+ "type": "string",
+ "defaultValue": "[replace(parameters('hubSubnetName'), 'hub', 'operations')]"
+ },
+ "operationsSubnetAddressPrefix": {
+ "type": "string",
+ "defaultValue": "10.0.115.0/27"
+ },
+ "operationsSubnetServiceEndpoints": {
+ "type": "array",
+ "defaultValue": []
+ },
+ "operationsLogStorageAccountName": {
+ "type": "string",
+ "defaultValue": "[toLower(take(format('opslogs{0}', parameters('uniqueId')), 24))]"
+ },
+ "operationsLogStorageSkuName": {
+ "type": "string",
+ "defaultValue": "[parameters('hubLogStorageSkuName')]"
+ },
+ "sharedServicesResourceGroupName": {
+ "type": "string",
+ "defaultValue": "[replace(parameters('hubResourceGroupName'), 'hub', 'sharedServices')]"
+ },
+ "sharedServicesLocation": {
+ "type": "string",
+ "defaultValue": "[parameters('hubLocation')]"
+ },
+ "sharedServicesVirtualNetworkName": {
+ "type": "string",
+ "defaultValue": "[replace(parameters('hubVirtualNetworkName'), 'hub', 'sharedServices')]"
+ },
+ "sharedServicesSubnetName": {
+ "type": "string",
+ "defaultValue": "[replace(parameters('hubSubnetName'), 'hub', 'sharedServices')]"
+ },
+ "sharedServicesVirtualNetworkAddressPrefix": {
+ "type": "string",
+ "defaultValue": "10.0.120.0/26"
+ },
+ "sharedServicesSubnetAddressPrefix": {
+ "type": "string",
+ "defaultValue": "10.0.120.0/27"
+ },
+ "sharedServicesVirtualNetworkDiagnosticsLogs": {
+ "type": "array",
+ "defaultValue": []
+ },
+ "sharedServicesVirtualNetworkDiagnosticsMetrics": {
+ "type": "array",
+ "defaultValue": []
+ },
+ "sharedServicesNetworkSecurityGroupName": {
+ "type": "string",
+ "defaultValue": "[replace(parameters('hubNetworkSecurityGroupName'), 'hub', 'sharedServices')]"
+ },
+ "sharedServicesNetworkSecurityGroupRules": {
+ "type": "array",
+ "defaultValue": []
+ },
+ "sharedServicesSubnetServiceEndpoints": {
+ "type": "array",
+ "defaultValue": []
+ },
+ "sharedServicesLogStorageAccountName": {
+ "type": "string",
+ "defaultValue": "[toLower(take(format('shrdSvclogs{0}', parameters('uniqueId')), 24))]"
+ },
+ "sharedServicesLogStorageSkuName": {
+ "type": "string",
+ "defaultValue": "[parameters('hubLogStorageSkuName')]"
+ },
+ "logAnalyticsWorkspaceName": {
+ "type": "string",
+ "defaultValue": "[take(format('{0}-laws', parameters('resourcePrefix')), 63)]"
+ },
+ "logAnalyticsWorkspaceLocation": {
+ "type": "string",
+ "defaultValue": "[parameters('operationsLocation')]"
+ },
+ "logAnalyticsWorkspaceCappingDailyQuotaGb": {
+ "type": "int",
+ "defaultValue": -1
+ },
+ "logAnalyticsWorkspaceRetentionInDays": {
+ "type": "int",
+ "defaultValue": 30
+ },
+ "logAnalyticsWorkspaceSkuName": {
+ "type": "string",
+ "defaultValue": "PerGB2018"
+ },
+ "policy": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Built-in policy assignments to assign, default is none. [NIST/IL5/CMMC] IL5 is only availalbe for GOV cloud and will switch to NIST if tried in AzureCloud."
+ },
+ "allowedValues": [
+ "NIST",
+ "IL5",
+ "CMMC",
+ ""
+ ]
+ },
+ "deployRemoteAccess": {
+ "type": "bool",
+ "defaultValue": false,
+ "metadata": {
+ "description": "Provision Azure Bastion Host and jumpboxes in this deployment"
+ }
+ },
+ "bastionHostName": {
+ "type": "string",
+ "defaultValue": "bastionHost"
+ },
+ "bastionHostSubnetAddressPrefix": {
+ "type": "string",
+ "defaultValue": "10.0.100.160/27"
+ },
+ "bastionHostPublicIPAddressName": {
+ "type": "string",
+ "defaultValue": "bastionHostPublicIPAddress"
+ },
+ "bastionHostPublicIPAddressSkuName": {
+ "type": "string",
+ "defaultValue": "Standard"
+ },
+ "bastionHostPublicIPAddressAllocationMethod": {
+ "type": "string",
+ "defaultValue": "Static"
+ },
+ "bastionHostPublicIPAddressAvailabilityZones": {
+ "type": "array",
+ "defaultValue": []
+ },
+ "bastionHostIPConfigurationName": {
+ "type": "string",
+ "defaultValue": "bastionHostIPConfiguration"
+ },
+ "linuxNetworkInterfaceName": {
+ "type": "string",
+ "defaultValue": "linuxVmNetworkInterface"
+ },
+ "linuxNetworkInterfaceIpConfigurationName": {
+ "type": "string",
+ "defaultValue": "linuxVmIpConfiguration"
+ },
+ "linuxNetworkInterfacePrivateIPAddressAllocationMethod": {
+ "type": "string",
+ "defaultValue": "Dynamic"
+ },
+ "linuxVmName": {
+ "type": "string",
+ "defaultValue": "linuxVirtualMachine"
+ },
+ "linuxVmSize": {
+ "type": "string",
+ "defaultValue": "Standard_B2s"
+ },
+ "linuxVmOsDiskCreateOption": {
+ "type": "string",
+ "defaultValue": "FromImage"
+ },
+ "linuxVmOsDiskType": {
+ "type": "string",
+ "defaultValue": "Standard_LRS"
+ },
+ "linuxVmImagePublisher": {
+ "type": "string",
+ "defaultValue": "Canonical"
+ },
+ "linuxVmImageOffer": {
+ "type": "string",
+ "defaultValue": "UbuntuServer"
+ },
+ "linuxVmImageSku": {
+ "type": "string",
+ "defaultValue": "18.04-LTS"
+ },
+ "linuxVmImageVersion": {
+ "type": "string",
+ "defaultValue": "latest"
+ },
+ "linuxVmAdminUsername": {
+ "type": "string",
+ "defaultValue": "azureuser"
+ },
+ "linuxVmAuthenticationType": {
+ "type": "string",
+ "defaultValue": "password",
+ "allowedValues": [
+ "sshPublicKey",
+ "password"
+ ]
+ },
+ "linuxVmAdminPasswordOrKey": {
+ "type": "secureString",
+ "defaultValue": "[if(parameters('deployRemoteAccess'), '', newGuid())]",
+ "minLength": 14
+ },
+ "windowsNetworkInterfaceName": {
+ "type": "string",
+ "defaultValue": "windowsVmNetworkInterface"
+ },
+ "windowsNetworkInterfaceIpConfigurationName": {
+ "type": "string",
+ "defaultValue": "windowsVmIpConfiguration"
+ },
+ "windowsNetworkInterfacePrivateIPAddressAllocationMethod": {
+ "type": "string",
+ "defaultValue": "Dynamic"
+ },
+ "windowsVmName": {
+ "type": "string",
+ "defaultValue": "windowsVm"
+ },
+ "windowsVmSize": {
+ "type": "string",
+ "defaultValue": "Standard_DS1_v2"
+ },
+ "windowsVmAdminUsername": {
+ "type": "string",
+ "defaultValue": "azureuser"
+ },
+ "windowsVmAdminPassword": {
+ "type": "secureString",
+ "defaultValue": "[if(parameters('deployRemoteAccess'), '', newGuid())]",
+ "minLength": 14
+ },
+ "windowsVmPublisher": {
+ "type": "string",
+ "defaultValue": "MicrosoftWindowsServer"
+ },
+ "windowsVmOffer": {
+ "type": "string",
+ "defaultValue": "WindowsServer"
+ },
+ "windowsVmSku": {
+ "type": "string",
+ "defaultValue": "2019-datacenter-gensecond"
+ },
+ "windowsVmVersion": {
+ "type": "string",
+ "defaultValue": "latest"
+ },
+ "windowsVmCreateOption": {
+ "type": "string",
+ "defaultValue": "FromImage"
+ },
+ "windowsVmStorageAccountType": {
+ "type": "string",
+ "defaultValue": "StandardSSD_LRS"
+ },
+ "tags": {
+ "type": "object",
+ "defaultValue": {
+ "resourcePrefix": "[parameters('resourcePrefix')]"
+ }
+ },
+ "uniqueId": {
+ "type": "string",
+ "defaultValue": "[uniqueString(deployment().name)]"
+ },
+ "nowUtc": {
+ "type": "string",
+ "defaultValue": "[utcNow()]"
+ }
+ },
+ "functions": [],
+ "variables": {
+ "firewallClientSubnetName": "AzureFirewallSubnet",
+ "firewallManagementSubnetName": "AzureFirewallManagementSubnet"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "[format('deploy-hub-rg-{0}', parameters('nowUtc'))]",
+ "subscriptionId": "[parameters('hubSubscriptionId')]",
+ "location": "[deployment().location]",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "name": {
+ "value": "[parameters('hubResourceGroupName')]"
+ },
+ "location": {
+ "value": "[parameters('hubLocation')]"
+ },
+ "tags": {
+ "value": "[parameters('tags')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.4.613.9944",
+ "templateHash": "2597065260920167442"
+ }
+ },
+ "parameters": {
+ "name": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ },
+ "tags": {
+ "type": "object",
+ "defaultValue": {}
+ }
+ },
+ "functions": [],
+ "resources": [
+ {
+ "type": "Microsoft.Resources/resourceGroups",
+ "apiVersion": "2019-05-01",
+ "name": "[parameters('name')]",
+ "location": "[parameters('location')]",
+ "tags": "[parameters('tags')]"
+ }
+ ],
+ "outputs": {
+ "id": {
+ "type": "string",
+ "value": "[subscriptionResourceId('Microsoft.Resources/resourceGroups', parameters('name'))]"
+ },
+ "name": {
+ "type": "string",
+ "value": "[parameters('name')]"
+ }
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "[format('deploy-identity-rg-{0}', parameters('nowUtc'))]",
+ "subscriptionId": "[parameters('identitySubscriptionId')]",
+ "location": "[deployment().location]",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "name": {
+ "value": "[parameters('identityResourceGroupName')]"
+ },
+ "location": {
+ "value": "[parameters('identityLocation')]"
+ },
+ "tags": {
+ "value": "[parameters('tags')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.4.613.9944",
+ "templateHash": "2597065260920167442"
+ }
+ },
+ "parameters": {
+ "name": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ },
+ "tags": {
+ "type": "object",
+ "defaultValue": {}
+ }
+ },
+ "functions": [],
+ "resources": [
+ {
+ "type": "Microsoft.Resources/resourceGroups",
+ "apiVersion": "2019-05-01",
+ "name": "[parameters('name')]",
+ "location": "[parameters('location')]",
+ "tags": "[parameters('tags')]"
+ }
+ ],
+ "outputs": {
+ "id": {
+ "type": "string",
+ "value": "[subscriptionResourceId('Microsoft.Resources/resourceGroups', parameters('name'))]"
+ },
+ "name": {
+ "type": "string",
+ "value": "[parameters('name')]"
+ }
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "[format('deploy-operations-rg-{0}', parameters('nowUtc'))]",
+ "subscriptionId": "[parameters('operationsSubscriptionId')]",
+ "location": "[deployment().location]",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "name": {
+ "value": "[parameters('operationsResourceGroupName')]"
+ },
+ "location": {
+ "value": "[parameters('operationsLocation')]"
+ },
+ "tags": {
+ "value": "[parameters('tags')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.4.613.9944",
+ "templateHash": "2597065260920167442"
+ }
+ },
+ "parameters": {
+ "name": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ },
+ "tags": {
+ "type": "object",
+ "defaultValue": {}
+ }
+ },
+ "functions": [],
+ "resources": [
+ {
+ "type": "Microsoft.Resources/resourceGroups",
+ "apiVersion": "2019-05-01",
+ "name": "[parameters('name')]",
+ "location": "[parameters('location')]",
+ "tags": "[parameters('tags')]"
+ }
+ ],
+ "outputs": {
+ "id": {
+ "type": "string",
+ "value": "[subscriptionResourceId('Microsoft.Resources/resourceGroups', parameters('name'))]"
+ },
+ "name": {
+ "type": "string",
+ "value": "[parameters('name')]"
+ }
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "[format('deploy-sharedServices-rg-{0}', parameters('nowUtc'))]",
+ "subscriptionId": "[parameters('sharedServicesSubscriptionId')]",
+ "location": "[deployment().location]",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "name": {
+ "value": "[parameters('sharedServicesResourceGroupName')]"
+ },
+ "location": {
+ "value": "[parameters('sharedServicesLocation')]"
+ },
+ "tags": {
+ "value": "[parameters('tags')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.4.613.9944",
+ "templateHash": "2597065260920167442"
+ }
+ },
+ "parameters": {
+ "name": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ },
+ "tags": {
+ "type": "object",
+ "defaultValue": {}
+ }
+ },
+ "functions": [],
+ "resources": [
+ {
+ "type": "Microsoft.Resources/resourceGroups",
+ "apiVersion": "2019-05-01",
+ "name": "[parameters('name')]",
+ "location": "[parameters('location')]",
+ "tags": "[parameters('tags')]"
+ }
+ ],
+ "outputs": {
+ "id": {
+ "type": "string",
+ "value": "[subscriptionResourceId('Microsoft.Resources/resourceGroups', parameters('name'))]"
+ },
+ "name": {
+ "type": "string",
+ "value": "[parameters('name')]"
+ }
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "[format('deploy-laws-{0}', parameters('nowUtc'))]",
+ "subscriptionId": "[parameters('operationsSubscriptionId')]",
+ "resourceGroup": "[parameters('operationsResourceGroupName')]",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "name": {
+ "value": "[parameters('logAnalyticsWorkspaceName')]"
+ },
+ "location": {
+ "value": "[parameters('logAnalyticsWorkspaceLocation')]"
+ },
+ "tags": {
+ "value": "[parameters('tags')]"
+ },
+ "retentionInDays": {
+ "value": "[parameters('logAnalyticsWorkspaceRetentionInDays')]"
+ },
+ "skuName": {
+ "value": "[parameters('logAnalyticsWorkspaceSkuName')]"
+ },
+ "workspaceCappingDailyQuotaGb": {
+ "value": "[parameters('logAnalyticsWorkspaceCappingDailyQuotaGb')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.4.613.9944",
+ "templateHash": "1135244664014368490"
+ }
+ },
+ "parameters": {
+ "name": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ },
+ "tags": {
+ "type": "object",
+ "defaultValue": {}
+ },
+ "retentionInDays": {
+ "type": "int",
+ "defaultValue": 30
+ },
+ "skuName": {
+ "type": "string",
+ "defaultValue": "PerGB2018"
+ },
+ "workspaceCappingDailyQuotaGb": {
+ "type": "int",
+ "defaultValue": -1
+ },
+ "deploySentinel": {
+ "type": "bool",
+ "defaultValue": false
+ }
+ },
+ "functions": [],
+ "resources": [
+ {
+ "type": "Microsoft.OperationalInsights/workspaces",
+ "apiVersion": "2021-06-01",
+ "name": "[parameters('name')]",
+ "location": "[parameters('location')]",
+ "tags": "[parameters('tags')]",
+ "properties": {
+ "retentionInDays": "[parameters('retentionInDays')]",
+ "sku": {
+ "name": "[parameters('skuName')]"
+ },
+ "workspaceCapping": {
+ "dailyQuotaGb": "[parameters('workspaceCappingDailyQuotaGb')]"
+ }
+ }
+ },
+ {
+ "condition": "[parameters('deploySentinel')]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "sentinelSolution",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "workspaceName": {
+ "value": "[parameters('name')]"
+ },
+ "workspaceLocation": {
+ "value": "[parameters('location')]"
+ },
+ "tags": {
+ "value": "[parameters('tags')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.4.613.9944",
+ "templateHash": "13919557056268320158"
+ }
+ },
+ "parameters": {
+ "workspaceName": {
+ "type": "string"
+ },
+ "workspaceLocation": {
+ "type": "string"
+ },
+ "tags": {
+ "type": "object",
+ "defaultValue": {}
+ }
+ },
+ "functions": [],
+ "resources": [
+ {
+ "type": "Microsoft.OperationsManagement/solutions",
+ "apiVersion": "2015-11-01-preview",
+ "name": "[format('SecurityInsights({0})', parameters('workspaceName'))]",
+ "location": "[parameters('workspaceLocation')]",
+ "tags": "[parameters('tags')]",
+ "properties": {
+ "workspaceResourceId": "[resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspaceName'))]"
+ },
+ "plan": {
+ "name": "[format('SecurityInsights({0})', parameters('workspaceName'))]",
+ "publisher": "Microsoft",
+ "product": "OMSGallery/SecurityInsights",
+ "promotionCode": ""
+ }
+ }
+ ]
+ }
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.OperationalInsights/workspaces', parameters('name'))]"
+ ]
+ }
+ ],
+ "outputs": {
+ "id": {
+ "type": "string",
+ "value": "[resourceId('Microsoft.OperationalInsights/workspaces', parameters('name'))]"
+ },
+ "name": {
+ "type": "string",
+ "value": "[parameters('name')]"
+ }
+ }
+ }
+ },
+ "dependsOn": [
+ "[subscriptionResourceId(parameters('operationsSubscriptionId'), 'Microsoft.Resources/deployments', format('deploy-operations-rg-{0}', parameters('nowUtc')))]"
+ ]
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "[format('deploy-hub-{0}', parameters('nowUtc'))]",
+ "subscriptionId": "[parameters('hubSubscriptionId')]",
+ "resourceGroup": "[parameters('hubResourceGroupName')]",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "location": {
+ "value": "[parameters('hubLocation')]"
+ },
+ "tags": {
+ "value": "[parameters('tags')]"
+ },
+ "logStorageAccountName": {
+ "value": "[parameters('hubLogStorageAccountName')]"
+ },
+ "logStorageSkuName": {
+ "value": "[parameters('hubLogStorageSkuName')]"
+ },
+ "logAnalyticsWorkspaceResourceId": {
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('nowUtc'))), '2019-10-01').outputs.id.value]"
+ },
+ "virtualNetworkName": {
+ "value": "[parameters('hubVirtualNetworkName')]"
+ },
+ "virtualNetworkAddressPrefix": {
+ "value": "[parameters('hubVirtualNetworkAddressPrefix')]"
+ },
+ "virtualNetworkDiagnosticsLogs": {
+ "value": "[parameters('hubVirtualNetworkDiagnosticsLogs')]"
+ },
+ "virtualNetworkDiagnosticsMetrics": {
+ "value": "[parameters('hubVirtualNetworkDiagnosticsMetrics')]"
+ },
+ "networkSecurityGroupName": {
+ "value": "[parameters('hubNetworkSecurityGroupName')]"
+ },
+ "networkSecurityGroupRules": {
+ "value": "[parameters('hubNetworkSecurityGroupRules')]"
+ },
+ "subnetName": {
+ "value": "[parameters('hubSubnetName')]"
+ },
+ "subnetAddressPrefix": {
+ "value": "[parameters('hubSubnetAddressPrefix')]"
+ },
+ "subnetServiceEndpoints": {
+ "value": "[parameters('hubSubnetServiceEndpoints')]"
+ },
+ "firewallName": {
+ "value": "[parameters('firewallName')]"
+ },
+ "firewallSkuTier": {
+ "value": "[parameters('firewallSkuTier')]"
+ },
+ "firewallPolicyName": {
+ "value": "[parameters('firewallPolicyName')]"
+ },
+ "firewallThreatIntelMode": {
+ "value": "[parameters('firewallThreatIntelMode')]"
+ },
+ "firewallClientIpConfigurationName": {
+ "value": "[parameters('firewallClientIpConfigurationName')]"
+ },
+ "firewallClientSubnetName": {
+ "value": "[variables('firewallClientSubnetName')]"
+ },
+ "firewallClientSubnetAddressPrefix": {
+ "value": "[parameters('firewallClientSubnetAddressPrefix')]"
+ },
+ "firewallClientSubnetServiceEndpoints": {
+ "value": "[parameters('firewallClientSubnetServiceEndpoints')]"
+ },
+ "firewallClientPublicIPAddressName": {
+ "value": "[parameters('firewallClientPublicIPAddressName')]"
+ },
+ "firewallClientPublicIPAddressSkuName": {
+ "value": "[parameters('firewallClientPublicIPAddressSkuName')]"
+ },
+ "firewallClientPublicIpAllocationMethod": {
+ "value": "[parameters('firewallClientPublicIpAllocationMethod')]"
+ },
+ "firewallClientPublicIPAddressAvailabilityZones": {
+ "value": "[parameters('firewallClientPublicIPAddressAvailabilityZones')]"
+ },
+ "firewallManagementIpConfigurationName": {
+ "value": "[parameters('firewallManagementIpConfigurationName')]"
+ },
+ "firewallManagementSubnetName": {
+ "value": "[variables('firewallManagementSubnetName')]"
+ },
+ "firewallManagementSubnetAddressPrefix": {
+ "value": "[parameters('firewallManagementSubnetAddressPrefix')]"
+ },
+ "firewallManagementSubnetServiceEndpoints": {
+ "value": "[parameters('firewallManagementSubnetServiceEndpoints')]"
+ },
+ "firewallManagementPublicIPAddressName": {
+ "value": "[parameters('firewallManagementPublicIPAddressName')]"
+ },
+ "firewallManagementPublicIPAddressSkuName": {
+ "value": "[parameters('firewallManagementPublicIPAddressSkuName')]"
+ },
+ "firewallManagementPublicIpAllocationMethod": {
+ "value": "[parameters('firewallManagementPublicIpAllocationMethod')]"
+ },
+ "firewallManagementPublicIPAddressAvailabilityZones": {
+ "value": "[parameters('firewallManagementPublicIPAddressAvailabilityZones')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.4.613.9944",
+ "templateHash": "11367184292724438005"
+ }
+ },
+ "parameters": {
+ "location": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]"
+ },
+ "tags": {
+ "type": "object",
+ "defaultValue": {}
+ },
+ "logStorageAccountName": {
+ "type": "string"
+ },
+ "logStorageSkuName": {
+ "type": "string"
+ },
+ "logAnalyticsWorkspaceResourceId": {
+ "type": "string"
+ },
+ "virtualNetworkName": {
+ "type": "string"
+ },
+ "virtualNetworkAddressPrefix": {
+ "type": "string"
+ },
+ "virtualNetworkDiagnosticsLogs": {
+ "type": "array"
+ },
+ "virtualNetworkDiagnosticsMetrics": {
+ "type": "array"
+ },
+ "networkSecurityGroupName": {
+ "type": "string"
+ },
+ "networkSecurityGroupRules": {
+ "type": "array"
+ },
+ "subnetName": {
+ "type": "string"
+ },
+ "subnetAddressPrefix": {
+ "type": "string"
+ },
+ "subnetServiceEndpoints": {
+ "type": "array"
+ },
+ "routeTableName": {
+ "type": "string",
+ "defaultValue": "[format('{0}-routetable', parameters('subnetName'))]"
+ },
+ "routeTableRouteName": {
+ "type": "string",
+ "defaultValue": "default_route"
+ },
+ "routeTableRouteAddressPrefix": {
+ "type": "string",
+ "defaultValue": "0.0.0.0/0"
+ },
+ "routeTableRouteNextHopType": {
+ "type": "string",
+ "defaultValue": "VirtualAppliance"
+ },
+ "firewallName": {
+ "type": "string"
+ },
+ "firewallSkuTier": {
+ "type": "string"
+ },
+ "firewallPolicyName": {
+ "type": "string"
+ },
+ "firewallThreatIntelMode": {
+ "type": "string"
+ },
+ "firewallClientIpConfigurationName": {
+ "type": "string"
+ },
+ "firewallClientSubnetName": {
+ "type": "string"
+ },
+ "firewallClientSubnetAddressPrefix": {
+ "type": "string"
+ },
+ "firewallClientSubnetServiceEndpoints": {
+ "type": "array"
+ },
+ "firewallClientPublicIPAddressName": {
+ "type": "string"
+ },
+ "firewallClientPublicIPAddressSkuName": {
+ "type": "string"
+ },
+ "firewallClientPublicIpAllocationMethod": {
+ "type": "string"
+ },
+ "firewallClientPublicIPAddressAvailabilityZones": {
+ "type": "array"
+ },
+ "firewallManagementIpConfigurationName": {
+ "type": "string"
+ },
+ "firewallManagementSubnetName": {
+ "type": "string"
+ },
+ "firewallManagementSubnetAddressPrefix": {
+ "type": "string"
+ },
+ "firewallManagementSubnetServiceEndpoints": {
+ "type": "array"
+ },
+ "firewallManagementPublicIPAddressName": {
+ "type": "string"
+ },
+ "firewallManagementPublicIPAddressSkuName": {
+ "type": "string"
+ },
+ "firewallManagementPublicIpAllocationMethod": {
+ "type": "string"
+ },
+ "firewallManagementPublicIPAddressAvailabilityZones": {
+ "type": "array"
+ }
+ },
+ "functions": [],
+ "variables": {
+ "defaultVirtualNewtorkDiagnosticsLogs": [],
+ "defaultVirtualNetworkDiagnosticsMetrics": [
+ {
+ "category": "AllMetrics",
+ "enabled": true
+ }
+ ],
+ "defaultSubnetServiceEndpoints": [
+ {
+ "service": "Microsoft.Storage"
+ }
+ ],
+ "defaultNetworkSecurityGroupRules": [
+ {
+ "name": "allow_ssh",
+ "properties": {
+ "description": "Allow SSH access from anywhere",
+ "access": "Allow",
+ "priority": 100,
+ "protocol": "Tcp",
+ "direction": "Inbound",
+ "sourcePortRange": "*",
+ "sourceAddressPrefix": "*",
+ "destinationPortRange": "22",
+ "destinationAddressPrefix": "*"
+ }
+ },
+ {
+ "name": "allow_rdp",
+ "properties": {
+ "description": "Allow RDP access from anywhere",
+ "access": "Allow",
+ "priority": 200,
+ "protocol": "Tcp",
+ "direction": "Inbound",
+ "sourcePortRange": "*",
+ "sourceAddressPrefix": "*",
+ "destinationPortRange": "3389",
+ "destinationAddressPrefix": "*"
+ }
+ }
+ ]
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Network/virtualNetworks/subnets",
+ "apiVersion": "2021-02-01",
+ "name": "[format('{0}/{1}', parameters('virtualNetworkName'), parameters('subnetName'))]",
+ "properties": {
+ "addressPrefix": "[parameters('subnetAddressPrefix')]",
+ "networkSecurityGroup": {
+ "id": "[reference(resourceId('Microsoft.Resources/deployments', 'networkSecurityGroup'), '2019-10-01').outputs.id.value]"
+ },
+ "routeTable": {
+ "id": "[reference(resourceId('Microsoft.Resources/deployments', 'routeTable'), '2019-10-01').outputs.id.value]"
+ },
+ "serviceEndpoints": "[if(empty(parameters('subnetServiceEndpoints')), variables('defaultSubnetServiceEndpoints'), parameters('subnetServiceEndpoints'))]"
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', 'firewall')]",
+ "[resourceId('Microsoft.Resources/deployments', 'networkSecurityGroup')]",
+ "[resourceId('Microsoft.Resources/deployments', 'routeTable')]",
+ "[resourceId('Microsoft.Resources/deployments', 'virtualNetwork')]"
+ ]
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "logStorage",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "storageAccountName": {
+ "value": "[parameters('logStorageAccountName')]"
+ },
+ "location": {
+ "value": "[parameters('location')]"
+ },
+ "skuName": {
+ "value": "[parameters('logStorageSkuName')]"
+ },
+ "tags": {
+ "value": "[parameters('tags')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.4.613.9944",
+ "templateHash": "833209748305454708"
+ }
+ },
+ "parameters": {
+ "storageAccountName": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ },
+ "skuName": {
+ "type": "string"
+ },
+ "tags": {
+ "type": "object",
+ "defaultValue": {}
+ }
+ },
+ "functions": [],
+ "resources": [
+ {
+ "type": "Microsoft.Storage/storageAccounts",
+ "apiVersion": "2019-06-01",
+ "name": "[parameters('storageAccountName')]",
+ "location": "[parameters('location')]",
+ "kind": "Storage",
+ "sku": {
+ "name": "[parameters('skuName')]"
+ },
+ "tags": "[parameters('tags')]"
+ }
+ ],
+ "outputs": {
+ "id": {
+ "type": "string",
+ "value": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]"
+ }
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "networkSecurityGroup",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "name": {
+ "value": "[parameters('networkSecurityGroupName')]"
+ },
+ "location": {
+ "value": "[parameters('location')]"
+ },
+ "tags": {
+ "value": "[parameters('tags')]"
+ },
+ "securityRules": {
+ "value": "[if(empty(parameters('networkSecurityGroupRules')), variables('defaultNetworkSecurityGroupRules'), parameters('networkSecurityGroupRules'))]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.4.613.9944",
+ "templateHash": "5161805386163632044"
+ }
+ },
+ "parameters": {
+ "name": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ },
+ "tags": {
+ "type": "object",
+ "defaultValue": {}
+ },
+ "securityRules": {
+ "type": "array"
+ }
+ },
+ "functions": [],
+ "resources": [
+ {
+ "type": "Microsoft.Network/networkSecurityGroups",
+ "apiVersion": "2021-02-01",
+ "name": "[parameters('name')]",
+ "location": "[parameters('location')]",
+ "tags": "[parameters('tags')]",
+ "properties": {
+ "securityRules": "[parameters('securityRules')]"
+ }
+ }
+ ],
+ "outputs": {
+ "id": {
+ "type": "string",
+ "value": "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('name'))]"
+ },
+ "name": {
+ "type": "string",
+ "value": "[parameters('name')]"
+ }
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "virtualNetwork",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "name": {
+ "value": "[parameters('virtualNetworkName')]"
+ },
+ "location": {
+ "value": "[parameters('location')]"
+ },
+ "tags": {
+ "value": "[parameters('tags')]"
+ },
+ "addressPrefix": {
+ "value": "[parameters('virtualNetworkAddressPrefix')]"
+ },
+ "diagnosticsLogs": {
+ "value": "[if(empty(parameters('virtualNetworkDiagnosticsLogs')), variables('defaultVirtualNewtorkDiagnosticsLogs'), parameters('virtualNetworkDiagnosticsLogs'))]"
+ },
+ "diagnosticsMetrics": {
+ "value": "[if(empty(parameters('virtualNetworkDiagnosticsMetrics')), variables('defaultVirtualNetworkDiagnosticsMetrics'), parameters('virtualNetworkDiagnosticsMetrics'))]"
+ },
+ "subnets": {
+ "value": [
+ {
+ "name": "[parameters('firewallClientSubnetName')]",
+ "properties": {
+ "addressPrefix": "[parameters('firewallClientSubnetAddressPrefix')]",
+ "serviceEndpoints": "[parameters('firewallClientSubnetServiceEndpoints')]"
+ }
+ },
+ {
+ "name": "[parameters('firewallManagementSubnetName')]",
+ "properties": {
+ "addressPrefix": "[parameters('firewallManagementSubnetAddressPrefix')]",
+ "serviceEndpoints": "[parameters('firewallManagementSubnetServiceEndpoints')]"
+ }
+ }
+ ]
+ },
+ "logAnalyticsWorkspaceResourceId": {
+ "value": "[parameters('logAnalyticsWorkspaceResourceId')]"
+ },
+ "logStorageAccountResourceId": {
+ "value": "[reference(resourceId('Microsoft.Resources/deployments', 'logStorage'), '2019-10-01').outputs.id.value]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.4.613.9944",
+ "templateHash": "16117476816851398131"
+ }
+ },
+ "parameters": {
+ "name": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ },
+ "tags": {
+ "type": "object",
+ "defaultValue": {}
+ },
+ "addressPrefix": {
+ "type": "string"
+ },
+ "logAnalyticsWorkspaceResourceId": {
+ "type": "string"
+ },
+ "logStorageAccountResourceId": {
+ "type": "string"
+ },
+ "subnets": {
+ "type": "array"
+ },
+ "diagnosticsMetrics": {
+ "type": "array"
+ },
+ "diagnosticsLogs": {
+ "type": "array"
+ }
+ },
+ "functions": [],
+ "resources": [
+ {
+ "type": "Microsoft.Network/virtualNetworks",
+ "apiVersion": "2021-02-01",
+ "name": "[parameters('name')]",
+ "location": "[parameters('location')]",
+ "tags": "[parameters('tags')]",
+ "properties": {
+ "addressSpace": {
+ "addressPrefixes": [
+ "[parameters('addressPrefix')]"
+ ]
+ },
+ "subnets": "[parameters('subnets')]"
+ }
+ },
+ {
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "apiVersion": "2017-05-01-preview",
+ "scope": "[format('Microsoft.Network/virtualNetworks/{0}', parameters('name'))]",
+ "name": "[format('{0}-diagnostics', parameters('name'))]",
+ "properties": {
+ "storageAccountId": "[parameters('logStorageAccountResourceId')]",
+ "workspaceId": "[parameters('logAnalyticsWorkspaceResourceId')]",
+ "metrics": "[parameters('diagnosticsMetrics')]",
+ "logs": "[parameters('diagnosticsLogs')]"
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Network/virtualNetworks', parameters('name'))]"
+ ]
+ }
+ ],
+ "outputs": {
+ "name": {
+ "type": "string",
+ "value": "[parameters('name')]"
+ },
+ "id": {
+ "type": "string",
+ "value": "[resourceId('Microsoft.Network/virtualNetworks', parameters('name'))]"
+ },
+ "subnets": {
+ "type": "array",
+ "value": "[reference(resourceId('Microsoft.Network/virtualNetworks', parameters('name'))).subnets]"
+ }
+ }
+ }
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', 'logStorage')]"
+ ]
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "routeTable",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "name": {
+ "value": "[parameters('routeTableName')]"
+ },
+ "location": {
+ "value": "[parameters('location')]"
+ },
+ "tags": {
+ "value": "[parameters('tags')]"
+ },
+ "routeName": {
+ "value": "[parameters('routeTableRouteName')]"
+ },
+ "routeAddressPrefix": {
+ "value": "[parameters('routeTableRouteAddressPrefix')]"
+ },
+ "routeNextHopIpAddress": {
+ "value": "[reference(resourceId('Microsoft.Resources/deployments', 'firewall'), '2019-10-01').outputs.privateIPAddress.value]"
+ },
+ "routeNextHopType": {
+ "value": "[parameters('routeTableRouteNextHopType')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.4.613.9944",
+ "templateHash": "4341229051409225242"
+ }
+ },
+ "parameters": {
+ "name": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ },
+ "tags": {
+ "type": "object",
+ "defaultValue": {}
+ },
+ "routeName": {
+ "type": "string"
+ },
+ "routeAddressPrefix": {
+ "type": "string"
+ },
+ "routeNextHopIpAddress": {
+ "type": "string"
+ },
+ "routeNextHopType": {
+ "type": "string"
+ }
+ },
+ "functions": [],
+ "resources": [
+ {
+ "type": "Microsoft.Network/routeTables",
+ "apiVersion": "2021-02-01",
+ "name": "[parameters('name')]",
+ "location": "[parameters('location')]",
+ "tags": "[parameters('tags')]",
+ "properties": {
+ "routes": [
+ {
+ "name": "[parameters('routeName')]",
+ "properties": {
+ "addressPrefix": "[parameters('routeAddressPrefix')]",
+ "nextHopIpAddress": "[parameters('routeNextHopIpAddress')]",
+ "nextHopType": "[parameters('routeNextHopType')]"
+ }
+ }
+ ]
+ }
+ }
+ ],
+ "outputs": {
+ "id": {
+ "type": "string",
+ "value": "[resourceId('Microsoft.Network/routeTables', parameters('name'))]"
+ },
+ "name": {
+ "type": "string",
+ "value": "[parameters('name')]"
+ }
+ }
+ }
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', 'firewall')]"
+ ]
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "firewallClientPublicIPAddress",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "name": {
+ "value": "[parameters('firewallClientPublicIPAddressName')]"
+ },
+ "location": {
+ "value": "[parameters('location')]"
+ },
+ "tags": {
+ "value": "[parameters('tags')]"
+ },
+ "skuName": {
+ "value": "[parameters('firewallClientPublicIPAddressSkuName')]"
+ },
+ "publicIpAllocationMethod": {
+ "value": "[parameters('firewallClientPublicIpAllocationMethod')]"
+ },
+ "availabilityZones": {
+ "value": "[parameters('firewallClientPublicIPAddressAvailabilityZones')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.4.613.9944",
+ "templateHash": "11905204395726802012"
+ }
+ },
+ "parameters": {
+ "name": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ },
+ "tags": {
+ "type": "object",
+ "defaultValue": {}
+ },
+ "skuName": {
+ "type": "string"
+ },
+ "publicIpAllocationMethod": {
+ "type": "string"
+ },
+ "availabilityZones": {
+ "type": "array"
+ }
+ },
+ "functions": [],
+ "resources": [
+ {
+ "type": "Microsoft.Network/publicIPAddresses",
+ "apiVersion": "2021-02-01",
+ "name": "[parameters('name')]",
+ "location": "[parameters('location')]",
+ "tags": "[parameters('tags')]",
+ "sku": {
+ "name": "[parameters('skuName')]"
+ },
+ "properties": {
+ "publicIPAllocationMethod": "[parameters('publicIpAllocationMethod')]"
+ },
+ "zones": "[parameters('availabilityZones')]"
+ }
+ ],
+ "outputs": {
+ "id": {
+ "type": "string",
+ "value": "[resourceId('Microsoft.Network/publicIPAddresses', parameters('name'))]"
+ }
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "firewallManagementPublicIPAddress",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "name": {
+ "value": "[parameters('firewallManagementPublicIPAddressName')]"
+ },
+ "location": {
+ "value": "[parameters('location')]"
+ },
+ "tags": {
+ "value": "[parameters('tags')]"
+ },
+ "skuName": {
+ "value": "[parameters('firewallManagementPublicIPAddressSkuName')]"
+ },
+ "publicIpAllocationMethod": {
+ "value": "[parameters('firewallManagementPublicIpAllocationMethod')]"
+ },
+ "availabilityZones": {
+ "value": "[parameters('firewallManagementPublicIPAddressAvailabilityZones')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.4.613.9944",
+ "templateHash": "11905204395726802012"
+ }
+ },
+ "parameters": {
+ "name": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ },
+ "tags": {
+ "type": "object",
+ "defaultValue": {}
+ },
+ "skuName": {
+ "type": "string"
+ },
+ "publicIpAllocationMethod": {
+ "type": "string"
+ },
+ "availabilityZones": {
+ "type": "array"
+ }
+ },
+ "functions": [],
+ "resources": [
+ {
+ "type": "Microsoft.Network/publicIPAddresses",
+ "apiVersion": "2021-02-01",
+ "name": "[parameters('name')]",
+ "location": "[parameters('location')]",
+ "tags": "[parameters('tags')]",
+ "sku": {
+ "name": "[parameters('skuName')]"
+ },
+ "properties": {
+ "publicIPAllocationMethod": "[parameters('publicIpAllocationMethod')]"
+ },
+ "zones": "[parameters('availabilityZones')]"
+ }
+ ],
+ "outputs": {
+ "id": {
+ "type": "string",
+ "value": "[resourceId('Microsoft.Network/publicIPAddresses', parameters('name'))]"
+ }
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "firewall",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "name": {
+ "value": "[parameters('firewallName')]"
+ },
+ "location": {
+ "value": "[parameters('location')]"
+ },
+ "tags": {
+ "value": "[parameters('tags')]"
+ },
+ "skuTier": {
+ "value": "[parameters('firewallSkuTier')]"
+ },
+ "firewallPolicyName": {
+ "value": "[parameters('firewallPolicyName')]"
+ },
+ "threatIntelMode": {
+ "value": "[parameters('firewallThreatIntelMode')]"
+ },
+ "clientIpConfigurationName": {
+ "value": "[parameters('firewallClientIpConfigurationName')]"
+ },
+ "clientIpConfigurationSubnetResourceId": {
+ "value": "[format('{0}/subnets/{1}', reference(resourceId('Microsoft.Resources/deployments', 'virtualNetwork'), '2019-10-01').outputs.id.value, parameters('firewallClientSubnetName'))]"
+ },
+ "clientIpConfigurationPublicIPAddressResourceId": {
+ "value": "[reference(resourceId('Microsoft.Resources/deployments', 'firewallClientPublicIPAddress'), '2019-10-01').outputs.id.value]"
+ },
+ "managementIpConfigurationName": {
+ "value": "[parameters('firewallManagementIpConfigurationName')]"
+ },
+ "managementIpConfigurationSubnetResourceId": {
+ "value": "[format('{0}/subnets/{1}', reference(resourceId('Microsoft.Resources/deployments', 'virtualNetwork'), '2019-10-01').outputs.id.value, parameters('firewallManagementSubnetName'))]"
+ },
+ "managementIpConfigurationPublicIPAddressResourceId": {
+ "value": "[reference(resourceId('Microsoft.Resources/deployments', 'firewallManagementPublicIPAddress'), '2019-10-01').outputs.id.value]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.4.613.9944",
+ "templateHash": "14377085769738688639"
+ }
+ },
+ "parameters": {
+ "name": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]"
+ },
+ "tags": {
+ "type": "object",
+ "defaultValue": {}
+ },
+ "skuTier": {
+ "type": "string"
+ },
+ "threatIntelMode": {
+ "type": "string"
+ },
+ "clientIpConfigurationName": {
+ "type": "string"
+ },
+ "clientIpConfigurationSubnetResourceId": {
+ "type": "string"
+ },
+ "clientIpConfigurationPublicIPAddressResourceId": {
+ "type": "string"
+ },
+ "managementIpConfigurationName": {
+ "type": "string"
+ },
+ "managementIpConfigurationSubnetResourceId": {
+ "type": "string"
+ },
+ "managementIpConfigurationPublicIPAddressResourceId": {
+ "type": "string"
+ },
+ "firewallPolicyName": {
+ "type": "string"
+ }
+ },
+ "functions": [],
+ "resources": [
+ {
+ "type": "Microsoft.Network/firewallPolicies",
+ "apiVersion": "2021-02-01",
+ "name": "[parameters('firewallPolicyName')]",
+ "location": "[parameters('location')]",
+ "tags": "[parameters('tags')]",
+ "properties": {
+ "threatIntelMode": "[parameters('threatIntelMode')]",
+ "sku": {
+ "tier": "[parameters('skuTier')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Network/azureFirewalls",
+ "apiVersion": "2021-02-01",
+ "name": "[parameters('name')]",
+ "location": "[parameters('location')]",
+ "tags": "[parameters('tags')]",
+ "properties": {
+ "ipConfigurations": [
+ {
+ "name": "[parameters('clientIpConfigurationName')]",
+ "properties": {
+ "subnet": {
+ "id": "[parameters('clientIpConfigurationSubnetResourceId')]"
+ },
+ "publicIPAddress": {
+ "id": "[parameters('clientIpConfigurationPublicIPAddressResourceId')]"
+ }
+ }
+ }
+ ],
+ "managementIpConfiguration": {
+ "name": "[parameters('managementIpConfigurationName')]",
+ "properties": {
+ "subnet": {
+ "id": "[parameters('managementIpConfigurationSubnetResourceId')]"
+ },
+ "publicIPAddress": {
+ "id": "[parameters('managementIpConfigurationPublicIPAddressResourceId')]"
+ }
+ }
+ },
+ "firewallPolicy": {
+ "id": "[resourceId('Microsoft.Network/firewallPolicies', parameters('firewallPolicyName'))]"
+ },
+ "sku": {
+ "tier": "[parameters('skuTier')]"
+ }
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Network/firewallPolicies', parameters('firewallPolicyName'))]"
+ ]
+ }
+ ],
+ "outputs": {
+ "privateIPAddress": {
+ "type": "string",
+ "value": "[reference(resourceId('Microsoft.Network/azureFirewalls', parameters('name'))).ipConfigurations[0].properties.privateIPAddress]"
+ }
+ }
+ }
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', 'firewallClientPublicIPAddress')]",
+ "[resourceId('Microsoft.Resources/deployments', 'firewallManagementPublicIPAddress')]",
+ "[resourceId('Microsoft.Resources/deployments', 'virtualNetwork')]"
+ ]
+ }
+ ],
+ "outputs": {
+ "virtualNetworkName": {
+ "type": "string",
+ "value": "[reference(resourceId('Microsoft.Resources/deployments', 'virtualNetwork'), '2019-10-01').outputs.name.value]"
+ },
+ "virtualNetworkResourceId": {
+ "type": "string",
+ "value": "[reference(resourceId('Microsoft.Resources/deployments', 'virtualNetwork'), '2019-10-01').outputs.id.value]"
+ },
+ "subnetName": {
+ "type": "string",
+ "value": "[format('{0}/{1}', parameters('virtualNetworkName'), parameters('subnetName'))]"
+ },
+ "subnetAddressPrefix": {
+ "type": "string",
+ "value": "[reference(resourceId('Microsoft.Network/virtualNetworks/subnets', split(format('{0}/{1}', parameters('virtualNetworkName'), parameters('subnetName')), '/')[0], split(format('{0}/{1}', parameters('virtualNetworkName'), parameters('subnetName')), '/')[1])).addressPrefix]"
+ },
+ "subnetResourceId": {
+ "type": "string",
+ "value": "[resourceId('Microsoft.Network/virtualNetworks/subnets', split(format('{0}/{1}', parameters('virtualNetworkName'), parameters('subnetName')), '/')[0], split(format('{0}/{1}', parameters('virtualNetworkName'), parameters('subnetName')), '/')[1])]"
+ },
+ "networkSecurityGroupName": {
+ "type": "string",
+ "value": "[reference(resourceId('Microsoft.Resources/deployments', 'networkSecurityGroup'), '2019-10-01').outputs.name.value]"
+ },
+ "networkSecurityGroupResourceId": {
+ "type": "string",
+ "value": "[reference(resourceId('Microsoft.Resources/deployments', 'networkSecurityGroup'), '2019-10-01').outputs.id.value]"
+ },
+ "firewallPrivateIPAddress": {
+ "type": "string",
+ "value": "[reference(resourceId('Microsoft.Resources/deployments', 'firewall'), '2019-10-01').outputs.privateIPAddress.value]"
+ }
+ }
+ }
+ },
+ "dependsOn": [
+ "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('nowUtc')))]"
+ ]
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "[format('deploy-identity-spoke-{0}', parameters('nowUtc'))]",
+ "subscriptionId": "[parameters('identitySubscriptionId')]",
+ "resourceGroup": "[parameters('identityResourceGroupName')]",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "location": {
+ "value": "[parameters('identityLocation')]"
+ },
+ "tags": {
+ "value": "[parameters('tags')]"
+ },
+ "logStorageAccountName": {
+ "value": "[parameters('identityLogStorageAccountName')]"
+ },
+ "logStorageSkuName": {
+ "value": "[parameters('identityLogStorageSkuName')]"
+ },
+ "logAnalyticsWorkspaceResourceId": {
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('nowUtc'))), '2019-10-01').outputs.id.value]"
+ },
+ "firewallPrivateIPAddress": {
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), parameters('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-hub-{0}', parameters('nowUtc'))), '2019-10-01').outputs.firewallPrivateIPAddress.value]"
+ },
+ "virtualNetworkName": {
+ "value": "[parameters('identityVirtualNetworkName')]"
+ },
+ "virtualNetworkAddressPrefix": {
+ "value": "[parameters('identityVirtualNetworkAddressPrefix')]"
+ },
+ "virtualNetworkDiagnosticsLogs": {
+ "value": "[parameters('identityVirtualNetworkDiagnosticsLogs')]"
+ },
+ "virtualNetworkDiagnosticsMetrics": {
+ "value": "[parameters('identityVirtualNetworkDiagnosticsMetrics')]"
+ },
+ "networkSecurityGroupName": {
+ "value": "[parameters('identityNetworkSecurityGroupName')]"
+ },
+ "networkSecurityGroupRules": {
+ "value": "[parameters('identityNetworkSecurityGroupRules')]"
+ },
+ "subnetName": {
+ "value": "[parameters('identitySubnetName')]"
+ },
+ "subnetAddressPrefix": {
+ "value": "[parameters('identitySubnetAddressPrefix')]"
+ },
+ "subnetServiceEndpoints": {
+ "value": "[parameters('identitySubnetServiceEndpoints')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.4.613.9944",
+ "templateHash": "15949869288234268239"
+ }
+ },
+ "parameters": {
+ "location": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]"
+ },
+ "tags": {
+ "type": "object",
+ "defaultValue": {}
+ },
+ "logStorageAccountName": {
+ "type": "string"
+ },
+ "logStorageSkuName": {
+ "type": "string"
+ },
+ "logAnalyticsWorkspaceResourceId": {
+ "type": "string"
+ },
+ "firewallPrivateIPAddress": {
+ "type": "string"
+ },
+ "virtualNetworkName": {
+ "type": "string"
+ },
+ "virtualNetworkAddressPrefix": {
+ "type": "string"
+ },
+ "virtualNetworkDiagnosticsLogs": {
+ "type": "array"
+ },
+ "virtualNetworkDiagnosticsMetrics": {
+ "type": "array"
+ },
+ "networkSecurityGroupName": {
+ "type": "string"
+ },
+ "networkSecurityGroupRules": {
+ "type": "array"
+ },
+ "subnetName": {
+ "type": "string"
+ },
+ "subnetAddressPrefix": {
+ "type": "string"
+ },
+ "subnetServiceEndpoints": {
+ "type": "array"
+ },
+ "routeTableName": {
+ "type": "string",
+ "defaultValue": "[format('{0}-routetable', parameters('subnetName'))]"
+ },
+ "routeTableRouteName": {
+ "type": "string",
+ "defaultValue": "default_route"
+ },
+ "routeTableRouteAddressPrefix": {
+ "type": "string",
+ "defaultValue": "0.0.0.0/0"
+ },
+ "routeTableRouteNextHopIpAddress": {
+ "type": "string",
+ "defaultValue": "[parameters('firewallPrivateIPAddress')]"
+ },
+ "routeTableRouteNextHopType": {
+ "type": "string",
+ "defaultValue": "VirtualAppliance"
+ }
+ },
+ "functions": [],
+ "variables": {
+ "defaultVirtualNetworkDiagnosticsLogs": [],
+ "defaultVirtualNetworkDiagnosticsMetrics": [
+ {
+ "category": "AllMetrics",
+ "enabled": true
+ }
+ ],
+ "defaultSubnetServiceEndpoints": [
+ {
+ "service": "Microsoft.Storage"
+ }
+ ],
+ "defaultNetworkSecurityGroupRules": [
+ {
+ "name": "allow_ssh",
+ "properties": {
+ "description": "Allow SSH access from anywhere",
+ "access": "Allow",
+ "priority": 100,
+ "protocol": "Tcp",
+ "direction": "Inbound",
+ "sourcePortRange": "*",
+ "sourceAddressPrefix": "*",
+ "destinationPortRange": "22",
+ "destinationAddressPrefix": "*"
+ }
+ },
+ {
+ "name": "allow_rdp",
+ "properties": {
+ "description": "Allow RDP access from anywhere",
+ "access": "Allow",
+ "priority": 200,
+ "protocol": "Tcp",
+ "direction": "Inbound",
+ "sourcePortRange": "*",
+ "sourceAddressPrefix": "*",
+ "destinationPortRange": "3389",
+ "destinationAddressPrefix": "*"
+ }
+ }
+ ]
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "logStorage",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "storageAccountName": {
+ "value": "[parameters('logStorageAccountName')]"
+ },
+ "location": {
+ "value": "[parameters('location')]"
+ },
+ "skuName": {
+ "value": "[parameters('logStorageSkuName')]"
+ },
+ "tags": {
+ "value": "[parameters('tags')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.4.613.9944",
+ "templateHash": "833209748305454708"
+ }
+ },
+ "parameters": {
+ "storageAccountName": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ },
+ "skuName": {
+ "type": "string"
+ },
+ "tags": {
+ "type": "object",
+ "defaultValue": {}
+ }
+ },
+ "functions": [],
+ "resources": [
+ {
+ "type": "Microsoft.Storage/storageAccounts",
+ "apiVersion": "2019-06-01",
+ "name": "[parameters('storageAccountName')]",
+ "location": "[parameters('location')]",
+ "kind": "Storage",
+ "sku": {
+ "name": "[parameters('skuName')]"
+ },
+ "tags": "[parameters('tags')]"
+ }
+ ],
+ "outputs": {
+ "id": {
+ "type": "string",
+ "value": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]"
+ }
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "networkSecurityGroup",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "name": {
+ "value": "[parameters('networkSecurityGroupName')]"
+ },
+ "location": {
+ "value": "[parameters('location')]"
+ },
+ "tags": {
+ "value": "[parameters('tags')]"
+ },
+ "securityRules": {
+ "value": "[if(empty(parameters('networkSecurityGroupRules')), variables('defaultNetworkSecurityGroupRules'), parameters('networkSecurityGroupRules'))]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.4.613.9944",
+ "templateHash": "5161805386163632044"
+ }
+ },
+ "parameters": {
+ "name": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ },
+ "tags": {
+ "type": "object",
+ "defaultValue": {}
+ },
+ "securityRules": {
+ "type": "array"
+ }
+ },
+ "functions": [],
+ "resources": [
+ {
+ "type": "Microsoft.Network/networkSecurityGroups",
+ "apiVersion": "2021-02-01",
+ "name": "[parameters('name')]",
+ "location": "[parameters('location')]",
+ "tags": "[parameters('tags')]",
+ "properties": {
+ "securityRules": "[parameters('securityRules')]"
+ }
+ }
+ ],
+ "outputs": {
+ "id": {
+ "type": "string",
+ "value": "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('name'))]"
+ },
+ "name": {
+ "type": "string",
+ "value": "[parameters('name')]"
+ }
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "routeTable",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "name": {
+ "value": "[parameters('routeTableName')]"
+ },
+ "location": {
+ "value": "[parameters('location')]"
+ },
+ "tags": {
+ "value": "[parameters('tags')]"
+ },
+ "routeName": {
+ "value": "[parameters('routeTableRouteName')]"
+ },
+ "routeAddressPrefix": {
+ "value": "[parameters('routeTableRouteAddressPrefix')]"
+ },
+ "routeNextHopIpAddress": {
+ "value": "[parameters('routeTableRouteNextHopIpAddress')]"
+ },
+ "routeNextHopType": {
+ "value": "[parameters('routeTableRouteNextHopType')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.4.613.9944",
+ "templateHash": "4341229051409225242"
+ }
+ },
+ "parameters": {
+ "name": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ },
+ "tags": {
+ "type": "object",
+ "defaultValue": {}
+ },
+ "routeName": {
+ "type": "string"
+ },
+ "routeAddressPrefix": {
+ "type": "string"
+ },
+ "routeNextHopIpAddress": {
+ "type": "string"
+ },
+ "routeNextHopType": {
+ "type": "string"
+ }
+ },
+ "functions": [],
+ "resources": [
+ {
+ "type": "Microsoft.Network/routeTables",
+ "apiVersion": "2021-02-01",
+ "name": "[parameters('name')]",
+ "location": "[parameters('location')]",
+ "tags": "[parameters('tags')]",
+ "properties": {
+ "routes": [
+ {
+ "name": "[parameters('routeName')]",
+ "properties": {
+ "addressPrefix": "[parameters('routeAddressPrefix')]",
+ "nextHopIpAddress": "[parameters('routeNextHopIpAddress')]",
+ "nextHopType": "[parameters('routeNextHopType')]"
+ }
+ }
+ ]
+ }
+ }
+ ],
+ "outputs": {
+ "id": {
+ "type": "string",
+ "value": "[resourceId('Microsoft.Network/routeTables', parameters('name'))]"
+ },
+ "name": {
+ "type": "string",
+ "value": "[parameters('name')]"
+ }
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "virtualNetwork",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "name": {
+ "value": "[parameters('virtualNetworkName')]"
+ },
+ "location": {
+ "value": "[parameters('location')]"
+ },
+ "tags": {
+ "value": "[parameters('tags')]"
+ },
+ "addressPrefix": {
+ "value": "[parameters('virtualNetworkAddressPrefix')]"
+ },
+ "diagnosticsLogs": {
+ "value": "[if(empty(parameters('virtualNetworkDiagnosticsLogs')), variables('defaultVirtualNetworkDiagnosticsLogs'), parameters('virtualNetworkDiagnosticsLogs'))]"
+ },
+ "diagnosticsMetrics": {
+ "value": "[if(empty(parameters('virtualNetworkDiagnosticsMetrics')), variables('defaultVirtualNetworkDiagnosticsMetrics'), parameters('virtualNetworkDiagnosticsMetrics'))]"
+ },
+ "subnets": {
+ "value": [
+ {
+ "name": "[parameters('subnetName')]",
+ "properties": {
+ "addressPrefix": "[parameters('subnetAddressPrefix')]",
+ "networkSecurityGroup": {
+ "id": "[reference(resourceId('Microsoft.Resources/deployments', 'networkSecurityGroup'), '2019-10-01').outputs.id.value]"
+ },
+ "routeTable": {
+ "id": "[reference(resourceId('Microsoft.Resources/deployments', 'routeTable'), '2019-10-01').outputs.id.value]"
+ },
+ "serviceEndpoints": "[if(empty(parameters('subnetServiceEndpoints')), variables('defaultSubnetServiceEndpoints'), parameters('subnetServiceEndpoints'))]"
+ }
+ }
+ ]
+ },
+ "logAnalyticsWorkspaceResourceId": {
+ "value": "[parameters('logAnalyticsWorkspaceResourceId')]"
+ },
+ "logStorageAccountResourceId": {
+ "value": "[reference(resourceId('Microsoft.Resources/deployments', 'logStorage'), '2019-10-01').outputs.id.value]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.4.613.9944",
+ "templateHash": "16117476816851398131"
+ }
+ },
+ "parameters": {
+ "name": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ },
+ "tags": {
+ "type": "object",
+ "defaultValue": {}
+ },
+ "addressPrefix": {
+ "type": "string"
+ },
+ "logAnalyticsWorkspaceResourceId": {
+ "type": "string"
+ },
+ "logStorageAccountResourceId": {
+ "type": "string"
+ },
+ "subnets": {
+ "type": "array"
+ },
+ "diagnosticsMetrics": {
+ "type": "array"
+ },
+ "diagnosticsLogs": {
+ "type": "array"
+ }
+ },
+ "functions": [],
+ "resources": [
+ {
+ "type": "Microsoft.Network/virtualNetworks",
+ "apiVersion": "2021-02-01",
+ "name": "[parameters('name')]",
+ "location": "[parameters('location')]",
+ "tags": "[parameters('tags')]",
+ "properties": {
+ "addressSpace": {
+ "addressPrefixes": [
+ "[parameters('addressPrefix')]"
+ ]
+ },
+ "subnets": "[parameters('subnets')]"
+ }
+ },
+ {
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "apiVersion": "2017-05-01-preview",
+ "scope": "[format('Microsoft.Network/virtualNetworks/{0}', parameters('name'))]",
+ "name": "[format('{0}-diagnostics', parameters('name'))]",
+ "properties": {
+ "storageAccountId": "[parameters('logStorageAccountResourceId')]",
+ "workspaceId": "[parameters('logAnalyticsWorkspaceResourceId')]",
+ "metrics": "[parameters('diagnosticsMetrics')]",
+ "logs": "[parameters('diagnosticsLogs')]"
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Network/virtualNetworks', parameters('name'))]"
+ ]
+ }
+ ],
+ "outputs": {
+ "name": {
+ "type": "string",
+ "value": "[parameters('name')]"
+ },
+ "id": {
+ "type": "string",
+ "value": "[resourceId('Microsoft.Network/virtualNetworks', parameters('name'))]"
+ },
+ "subnets": {
+ "type": "array",
+ "value": "[reference(resourceId('Microsoft.Network/virtualNetworks', parameters('name'))).subnets]"
+ }
+ }
+ }
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', 'logStorage')]",
+ "[resourceId('Microsoft.Resources/deployments', 'networkSecurityGroup')]",
+ "[resourceId('Microsoft.Resources/deployments', 'routeTable')]"
+ ]
+ }
+ ],
+ "outputs": {
+ "virtualNetworkName": {
+ "type": "string",
+ "value": "[reference(resourceId('Microsoft.Resources/deployments', 'virtualNetwork'), '2019-10-01').outputs.name.value]"
+ },
+ "virtualNetworkResourceId": {
+ "type": "string",
+ "value": "[reference(resourceId('Microsoft.Resources/deployments', 'virtualNetwork'), '2019-10-01').outputs.id.value]"
+ },
+ "subnetName": {
+ "type": "string",
+ "value": "[reference(resourceId('Microsoft.Resources/deployments', 'virtualNetwork'), '2019-10-01').outputs.subnets.value[0].name]"
+ },
+ "subnetAddressPrefix": {
+ "type": "string",
+ "value": "[reference(resourceId('Microsoft.Resources/deployments', 'virtualNetwork'), '2019-10-01').outputs.subnets.value[0].properties.addressPrefix]"
+ },
+ "subnetResourceId": {
+ "type": "string",
+ "value": "[reference(resourceId('Microsoft.Resources/deployments', 'virtualNetwork'), '2019-10-01').outputs.subnets.value[0].id]"
+ },
+ "networkSecurityGroupName": {
+ "type": "string",
+ "value": "[reference(resourceId('Microsoft.Resources/deployments', 'networkSecurityGroup'), '2019-10-01').outputs.name.value]"
+ },
+ "networkSecurityGroupResourceId": {
+ "type": "string",
+ "value": "[reference(resourceId('Microsoft.Resources/deployments', 'networkSecurityGroup'), '2019-10-01').outputs.id.value]"
+ }
+ }
+ }
+ },
+ "dependsOn": [
+ "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), parameters('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-hub-{0}', parameters('nowUtc')))]",
+ "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('nowUtc')))]"
+ ]
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "[format('deploy-operations-spoke-{0}', parameters('nowUtc'))]",
+ "subscriptionId": "[parameters('operationsSubscriptionId')]",
+ "resourceGroup": "[parameters('operationsResourceGroupName')]",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "location": {
+ "value": "[parameters('operationsLocation')]"
+ },
+ "tags": {
+ "value": "[parameters('tags')]"
+ },
+ "logStorageAccountName": {
+ "value": "[parameters('operationsLogStorageAccountName')]"
+ },
+ "logStorageSkuName": {
+ "value": "[parameters('operationsLogStorageSkuName')]"
+ },
+ "logAnalyticsWorkspaceResourceId": {
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('nowUtc'))), '2019-10-01').outputs.id.value]"
+ },
+ "firewallPrivateIPAddress": {
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), parameters('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-hub-{0}', parameters('nowUtc'))), '2019-10-01').outputs.firewallPrivateIPAddress.value]"
+ },
+ "virtualNetworkName": {
+ "value": "[parameters('operationsVirtualNetworkName')]"
+ },
+ "virtualNetworkAddressPrefix": {
+ "value": "[parameters('operationsVirtualNetworkAddressPrefix')]"
+ },
+ "virtualNetworkDiagnosticsLogs": {
+ "value": "[parameters('operationsVirtualNetworkDiagnosticsLogs')]"
+ },
+ "virtualNetworkDiagnosticsMetrics": {
+ "value": "[parameters('operationsVirtualNetworkDiagnosticsMetrics')]"
+ },
+ "networkSecurityGroupName": {
+ "value": "[parameters('operationsNetworkSecurityGroupName')]"
+ },
+ "networkSecurityGroupRules": {
+ "value": "[parameters('operationsNetworkSecurityGroupRules')]"
+ },
+ "subnetName": {
+ "value": "[parameters('operationsSubnetName')]"
+ },
+ "subnetAddressPrefix": {
+ "value": "[parameters('operationsSubnetAddressPrefix')]"
+ },
+ "subnetServiceEndpoints": {
+ "value": "[parameters('operationsSubnetServiceEndpoints')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.4.613.9944",
+ "templateHash": "15949869288234268239"
+ }
+ },
+ "parameters": {
+ "location": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]"
+ },
+ "tags": {
+ "type": "object",
+ "defaultValue": {}
+ },
+ "logStorageAccountName": {
+ "type": "string"
+ },
+ "logStorageSkuName": {
+ "type": "string"
+ },
+ "logAnalyticsWorkspaceResourceId": {
+ "type": "string"
+ },
+ "firewallPrivateIPAddress": {
+ "type": "string"
+ },
+ "virtualNetworkName": {
+ "type": "string"
+ },
+ "virtualNetworkAddressPrefix": {
+ "type": "string"
+ },
+ "virtualNetworkDiagnosticsLogs": {
+ "type": "array"
+ },
+ "virtualNetworkDiagnosticsMetrics": {
+ "type": "array"
+ },
+ "networkSecurityGroupName": {
+ "type": "string"
+ },
+ "networkSecurityGroupRules": {
+ "type": "array"
+ },
+ "subnetName": {
+ "type": "string"
+ },
+ "subnetAddressPrefix": {
+ "type": "string"
+ },
+ "subnetServiceEndpoints": {
+ "type": "array"
+ },
+ "routeTableName": {
+ "type": "string",
+ "defaultValue": "[format('{0}-routetable', parameters('subnetName'))]"
+ },
+ "routeTableRouteName": {
+ "type": "string",
+ "defaultValue": "default_route"
+ },
+ "routeTableRouteAddressPrefix": {
+ "type": "string",
+ "defaultValue": "0.0.0.0/0"
+ },
+ "routeTableRouteNextHopIpAddress": {
+ "type": "string",
+ "defaultValue": "[parameters('firewallPrivateIPAddress')]"
+ },
+ "routeTableRouteNextHopType": {
+ "type": "string",
+ "defaultValue": "VirtualAppliance"
+ }
+ },
+ "functions": [],
+ "variables": {
+ "defaultVirtualNetworkDiagnosticsLogs": [],
+ "defaultVirtualNetworkDiagnosticsMetrics": [
+ {
+ "category": "AllMetrics",
+ "enabled": true
+ }
+ ],
+ "defaultSubnetServiceEndpoints": [
+ {
+ "service": "Microsoft.Storage"
+ }
+ ],
+ "defaultNetworkSecurityGroupRules": [
+ {
+ "name": "allow_ssh",
+ "properties": {
+ "description": "Allow SSH access from anywhere",
+ "access": "Allow",
+ "priority": 100,
+ "protocol": "Tcp",
+ "direction": "Inbound",
+ "sourcePortRange": "*",
+ "sourceAddressPrefix": "*",
+ "destinationPortRange": "22",
+ "destinationAddressPrefix": "*"
+ }
+ },
+ {
+ "name": "allow_rdp",
+ "properties": {
+ "description": "Allow RDP access from anywhere",
+ "access": "Allow",
+ "priority": 200,
+ "protocol": "Tcp",
+ "direction": "Inbound",
+ "sourcePortRange": "*",
+ "sourceAddressPrefix": "*",
+ "destinationPortRange": "3389",
+ "destinationAddressPrefix": "*"
+ }
+ }
+ ]
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "logStorage",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "storageAccountName": {
+ "value": "[parameters('logStorageAccountName')]"
+ },
+ "location": {
+ "value": "[parameters('location')]"
+ },
+ "skuName": {
+ "value": "[parameters('logStorageSkuName')]"
+ },
+ "tags": {
+ "value": "[parameters('tags')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.4.613.9944",
+ "templateHash": "833209748305454708"
+ }
+ },
+ "parameters": {
+ "storageAccountName": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ },
+ "skuName": {
+ "type": "string"
+ },
+ "tags": {
+ "type": "object",
+ "defaultValue": {}
+ }
+ },
+ "functions": [],
+ "resources": [
+ {
+ "type": "Microsoft.Storage/storageAccounts",
+ "apiVersion": "2019-06-01",
+ "name": "[parameters('storageAccountName')]",
+ "location": "[parameters('location')]",
+ "kind": "Storage",
+ "sku": {
+ "name": "[parameters('skuName')]"
+ },
+ "tags": "[parameters('tags')]"
+ }
+ ],
+ "outputs": {
+ "id": {
+ "type": "string",
+ "value": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]"
+ }
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "networkSecurityGroup",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "name": {
+ "value": "[parameters('networkSecurityGroupName')]"
+ },
+ "location": {
+ "value": "[parameters('location')]"
+ },
+ "tags": {
+ "value": "[parameters('tags')]"
+ },
+ "securityRules": {
+ "value": "[if(empty(parameters('networkSecurityGroupRules')), variables('defaultNetworkSecurityGroupRules'), parameters('networkSecurityGroupRules'))]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.4.613.9944",
+ "templateHash": "5161805386163632044"
+ }
+ },
+ "parameters": {
+ "name": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ },
+ "tags": {
+ "type": "object",
+ "defaultValue": {}
+ },
+ "securityRules": {
+ "type": "array"
+ }
+ },
+ "functions": [],
+ "resources": [
+ {
+ "type": "Microsoft.Network/networkSecurityGroups",
+ "apiVersion": "2021-02-01",
+ "name": "[parameters('name')]",
+ "location": "[parameters('location')]",
+ "tags": "[parameters('tags')]",
+ "properties": {
+ "securityRules": "[parameters('securityRules')]"
+ }
+ }
+ ],
+ "outputs": {
+ "id": {
+ "type": "string",
+ "value": "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('name'))]"
+ },
+ "name": {
+ "type": "string",
+ "value": "[parameters('name')]"
+ }
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "routeTable",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "name": {
+ "value": "[parameters('routeTableName')]"
+ },
+ "location": {
+ "value": "[parameters('location')]"
+ },
+ "tags": {
+ "value": "[parameters('tags')]"
+ },
+ "routeName": {
+ "value": "[parameters('routeTableRouteName')]"
+ },
+ "routeAddressPrefix": {
+ "value": "[parameters('routeTableRouteAddressPrefix')]"
+ },
+ "routeNextHopIpAddress": {
+ "value": "[parameters('routeTableRouteNextHopIpAddress')]"
+ },
+ "routeNextHopType": {
+ "value": "[parameters('routeTableRouteNextHopType')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.4.613.9944",
+ "templateHash": "4341229051409225242"
+ }
+ },
+ "parameters": {
+ "name": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ },
+ "tags": {
+ "type": "object",
+ "defaultValue": {}
+ },
+ "routeName": {
+ "type": "string"
+ },
+ "routeAddressPrefix": {
+ "type": "string"
+ },
+ "routeNextHopIpAddress": {
+ "type": "string"
+ },
+ "routeNextHopType": {
+ "type": "string"
+ }
+ },
+ "functions": [],
+ "resources": [
+ {
+ "type": "Microsoft.Network/routeTables",
+ "apiVersion": "2021-02-01",
+ "name": "[parameters('name')]",
+ "location": "[parameters('location')]",
+ "tags": "[parameters('tags')]",
+ "properties": {
+ "routes": [
+ {
+ "name": "[parameters('routeName')]",
+ "properties": {
+ "addressPrefix": "[parameters('routeAddressPrefix')]",
+ "nextHopIpAddress": "[parameters('routeNextHopIpAddress')]",
+ "nextHopType": "[parameters('routeNextHopType')]"
+ }
+ }
+ ]
+ }
+ }
+ ],
+ "outputs": {
+ "id": {
+ "type": "string",
+ "value": "[resourceId('Microsoft.Network/routeTables', parameters('name'))]"
+ },
+ "name": {
+ "type": "string",
+ "value": "[parameters('name')]"
+ }
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "virtualNetwork",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "name": {
+ "value": "[parameters('virtualNetworkName')]"
+ },
+ "location": {
+ "value": "[parameters('location')]"
+ },
+ "tags": {
+ "value": "[parameters('tags')]"
+ },
+ "addressPrefix": {
+ "value": "[parameters('virtualNetworkAddressPrefix')]"
+ },
+ "diagnosticsLogs": {
+ "value": "[if(empty(parameters('virtualNetworkDiagnosticsLogs')), variables('defaultVirtualNetworkDiagnosticsLogs'), parameters('virtualNetworkDiagnosticsLogs'))]"
+ },
+ "diagnosticsMetrics": {
+ "value": "[if(empty(parameters('virtualNetworkDiagnosticsMetrics')), variables('defaultVirtualNetworkDiagnosticsMetrics'), parameters('virtualNetworkDiagnosticsMetrics'))]"
+ },
+ "subnets": {
+ "value": [
+ {
+ "name": "[parameters('subnetName')]",
+ "properties": {
+ "addressPrefix": "[parameters('subnetAddressPrefix')]",
+ "networkSecurityGroup": {
+ "id": "[reference(resourceId('Microsoft.Resources/deployments', 'networkSecurityGroup'), '2019-10-01').outputs.id.value]"
+ },
+ "routeTable": {
+ "id": "[reference(resourceId('Microsoft.Resources/deployments', 'routeTable'), '2019-10-01').outputs.id.value]"
+ },
+ "serviceEndpoints": "[if(empty(parameters('subnetServiceEndpoints')), variables('defaultSubnetServiceEndpoints'), parameters('subnetServiceEndpoints'))]"
+ }
+ }
+ ]
+ },
+ "logAnalyticsWorkspaceResourceId": {
+ "value": "[parameters('logAnalyticsWorkspaceResourceId')]"
+ },
+ "logStorageAccountResourceId": {
+ "value": "[reference(resourceId('Microsoft.Resources/deployments', 'logStorage'), '2019-10-01').outputs.id.value]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.4.613.9944",
+ "templateHash": "16117476816851398131"
+ }
+ },
+ "parameters": {
+ "name": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ },
+ "tags": {
+ "type": "object",
+ "defaultValue": {}
+ },
+ "addressPrefix": {
+ "type": "string"
+ },
+ "logAnalyticsWorkspaceResourceId": {
+ "type": "string"
+ },
+ "logStorageAccountResourceId": {
+ "type": "string"
+ },
+ "subnets": {
+ "type": "array"
+ },
+ "diagnosticsMetrics": {
+ "type": "array"
+ },
+ "diagnosticsLogs": {
+ "type": "array"
+ }
+ },
+ "functions": [],
+ "resources": [
+ {
+ "type": "Microsoft.Network/virtualNetworks",
+ "apiVersion": "2021-02-01",
+ "name": "[parameters('name')]",
+ "location": "[parameters('location')]",
+ "tags": "[parameters('tags')]",
+ "properties": {
+ "addressSpace": {
+ "addressPrefixes": [
+ "[parameters('addressPrefix')]"
+ ]
+ },
+ "subnets": "[parameters('subnets')]"
+ }
+ },
+ {
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "apiVersion": "2017-05-01-preview",
+ "scope": "[format('Microsoft.Network/virtualNetworks/{0}', parameters('name'))]",
+ "name": "[format('{0}-diagnostics', parameters('name'))]",
+ "properties": {
+ "storageAccountId": "[parameters('logStorageAccountResourceId')]",
+ "workspaceId": "[parameters('logAnalyticsWorkspaceResourceId')]",
+ "metrics": "[parameters('diagnosticsMetrics')]",
+ "logs": "[parameters('diagnosticsLogs')]"
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Network/virtualNetworks', parameters('name'))]"
+ ]
+ }
+ ],
+ "outputs": {
+ "name": {
+ "type": "string",
+ "value": "[parameters('name')]"
+ },
+ "id": {
+ "type": "string",
+ "value": "[resourceId('Microsoft.Network/virtualNetworks', parameters('name'))]"
+ },
+ "subnets": {
+ "type": "array",
+ "value": "[reference(resourceId('Microsoft.Network/virtualNetworks', parameters('name'))).subnets]"
+ }
+ }
+ }
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', 'logStorage')]",
+ "[resourceId('Microsoft.Resources/deployments', 'networkSecurityGroup')]",
+ "[resourceId('Microsoft.Resources/deployments', 'routeTable')]"
+ ]
+ }
+ ],
+ "outputs": {
+ "virtualNetworkName": {
+ "type": "string",
+ "value": "[reference(resourceId('Microsoft.Resources/deployments', 'virtualNetwork'), '2019-10-01').outputs.name.value]"
+ },
+ "virtualNetworkResourceId": {
+ "type": "string",
+ "value": "[reference(resourceId('Microsoft.Resources/deployments', 'virtualNetwork'), '2019-10-01').outputs.id.value]"
+ },
+ "subnetName": {
+ "type": "string",
+ "value": "[reference(resourceId('Microsoft.Resources/deployments', 'virtualNetwork'), '2019-10-01').outputs.subnets.value[0].name]"
+ },
+ "subnetAddressPrefix": {
+ "type": "string",
+ "value": "[reference(resourceId('Microsoft.Resources/deployments', 'virtualNetwork'), '2019-10-01').outputs.subnets.value[0].properties.addressPrefix]"
+ },
+ "subnetResourceId": {
+ "type": "string",
+ "value": "[reference(resourceId('Microsoft.Resources/deployments', 'virtualNetwork'), '2019-10-01').outputs.subnets.value[0].id]"
+ },
+ "networkSecurityGroupName": {
+ "type": "string",
+ "value": "[reference(resourceId('Microsoft.Resources/deployments', 'networkSecurityGroup'), '2019-10-01').outputs.name.value]"
+ },
+ "networkSecurityGroupResourceId": {
+ "type": "string",
+ "value": "[reference(resourceId('Microsoft.Resources/deployments', 'networkSecurityGroup'), '2019-10-01').outputs.id.value]"
+ }
+ }
+ }
+ },
+ "dependsOn": [
+ "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), parameters('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-hub-{0}', parameters('nowUtc')))]",
+ "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('nowUtc')))]"
+ ]
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "[format('deploy-sharedServices-spoke-{0}', parameters('nowUtc'))]",
+ "subscriptionId": "[parameters('sharedServicesSubscriptionId')]",
+ "resourceGroup": "[parameters('sharedServicesResourceGroupName')]",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "location": {
+ "value": "[parameters('sharedServicesLocation')]"
+ },
+ "tags": {
+ "value": "[parameters('tags')]"
+ },
+ "logStorageAccountName": {
+ "value": "[parameters('sharedServicesLogStorageAccountName')]"
+ },
+ "logStorageSkuName": {
+ "value": "[parameters('sharedServicesLogStorageSkuName')]"
+ },
+ "logAnalyticsWorkspaceResourceId": {
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('nowUtc'))), '2019-10-01').outputs.id.value]"
+ },
+ "firewallPrivateIPAddress": {
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), parameters('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-hub-{0}', parameters('nowUtc'))), '2019-10-01').outputs.firewallPrivateIPAddress.value]"
+ },
+ "virtualNetworkName": {
+ "value": "[parameters('sharedServicesVirtualNetworkName')]"
+ },
+ "virtualNetworkAddressPrefix": {
+ "value": "[parameters('sharedServicesVirtualNetworkAddressPrefix')]"
+ },
+ "virtualNetworkDiagnosticsLogs": {
+ "value": "[parameters('sharedServicesVirtualNetworkDiagnosticsLogs')]"
+ },
+ "virtualNetworkDiagnosticsMetrics": {
+ "value": "[parameters('sharedServicesVirtualNetworkDiagnosticsMetrics')]"
+ },
+ "networkSecurityGroupName": {
+ "value": "[parameters('sharedServicesNetworkSecurityGroupName')]"
+ },
+ "networkSecurityGroupRules": {
+ "value": "[parameters('sharedServicesNetworkSecurityGroupRules')]"
+ },
+ "subnetName": {
+ "value": "[parameters('sharedServicesSubnetName')]"
+ },
+ "subnetAddressPrefix": {
+ "value": "[parameters('sharedServicesSubnetAddressPrefix')]"
+ },
+ "subnetServiceEndpoints": {
+ "value": "[parameters('sharedServicesSubnetServiceEndpoints')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.4.613.9944",
+ "templateHash": "15949869288234268239"
+ }
+ },
+ "parameters": {
+ "location": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]"
+ },
+ "tags": {
+ "type": "object",
+ "defaultValue": {}
+ },
+ "logStorageAccountName": {
+ "type": "string"
+ },
+ "logStorageSkuName": {
+ "type": "string"
+ },
+ "logAnalyticsWorkspaceResourceId": {
+ "type": "string"
+ },
+ "firewallPrivateIPAddress": {
+ "type": "string"
+ },
+ "virtualNetworkName": {
+ "type": "string"
+ },
+ "virtualNetworkAddressPrefix": {
+ "type": "string"
+ },
+ "virtualNetworkDiagnosticsLogs": {
+ "type": "array"
+ },
+ "virtualNetworkDiagnosticsMetrics": {
+ "type": "array"
+ },
+ "networkSecurityGroupName": {
+ "type": "string"
+ },
+ "networkSecurityGroupRules": {
+ "type": "array"
+ },
+ "subnetName": {
+ "type": "string"
+ },
+ "subnetAddressPrefix": {
+ "type": "string"
+ },
+ "subnetServiceEndpoints": {
+ "type": "array"
+ },
+ "routeTableName": {
+ "type": "string",
+ "defaultValue": "[format('{0}-routetable', parameters('subnetName'))]"
+ },
+ "routeTableRouteName": {
+ "type": "string",
+ "defaultValue": "default_route"
+ },
+ "routeTableRouteAddressPrefix": {
+ "type": "string",
+ "defaultValue": "0.0.0.0/0"
+ },
+ "routeTableRouteNextHopIpAddress": {
+ "type": "string",
+ "defaultValue": "[parameters('firewallPrivateIPAddress')]"
+ },
+ "routeTableRouteNextHopType": {
+ "type": "string",
+ "defaultValue": "VirtualAppliance"
+ }
+ },
+ "functions": [],
+ "variables": {
+ "defaultVirtualNetworkDiagnosticsLogs": [],
+ "defaultVirtualNetworkDiagnosticsMetrics": [
+ {
+ "category": "AllMetrics",
+ "enabled": true
+ }
+ ],
+ "defaultSubnetServiceEndpoints": [
+ {
+ "service": "Microsoft.Storage"
+ }
+ ],
+ "defaultNetworkSecurityGroupRules": [
+ {
+ "name": "allow_ssh",
+ "properties": {
+ "description": "Allow SSH access from anywhere",
+ "access": "Allow",
+ "priority": 100,
+ "protocol": "Tcp",
+ "direction": "Inbound",
+ "sourcePortRange": "*",
+ "sourceAddressPrefix": "*",
+ "destinationPortRange": "22",
+ "destinationAddressPrefix": "*"
+ }
+ },
+ {
+ "name": "allow_rdp",
+ "properties": {
+ "description": "Allow RDP access from anywhere",
+ "access": "Allow",
+ "priority": 200,
+ "protocol": "Tcp",
+ "direction": "Inbound",
+ "sourcePortRange": "*",
+ "sourceAddressPrefix": "*",
+ "destinationPortRange": "3389",
+ "destinationAddressPrefix": "*"
+ }
+ }
+ ]
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "logStorage",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "storageAccountName": {
+ "value": "[parameters('logStorageAccountName')]"
+ },
+ "location": {
+ "value": "[parameters('location')]"
+ },
+ "skuName": {
+ "value": "[parameters('logStorageSkuName')]"
+ },
+ "tags": {
+ "value": "[parameters('tags')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.4.613.9944",
+ "templateHash": "833209748305454708"
+ }
+ },
+ "parameters": {
+ "storageAccountName": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ },
+ "skuName": {
+ "type": "string"
+ },
+ "tags": {
+ "type": "object",
+ "defaultValue": {}
+ }
+ },
+ "functions": [],
+ "resources": [
+ {
+ "type": "Microsoft.Storage/storageAccounts",
+ "apiVersion": "2019-06-01",
+ "name": "[parameters('storageAccountName')]",
+ "location": "[parameters('location')]",
+ "kind": "Storage",
+ "sku": {
+ "name": "[parameters('skuName')]"
+ },
+ "tags": "[parameters('tags')]"
+ }
+ ],
+ "outputs": {
+ "id": {
+ "type": "string",
+ "value": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]"
+ }
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "networkSecurityGroup",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "name": {
+ "value": "[parameters('networkSecurityGroupName')]"
+ },
+ "location": {
+ "value": "[parameters('location')]"
+ },
+ "tags": {
+ "value": "[parameters('tags')]"
+ },
+ "securityRules": {
+ "value": "[if(empty(parameters('networkSecurityGroupRules')), variables('defaultNetworkSecurityGroupRules'), parameters('networkSecurityGroupRules'))]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.4.613.9944",
+ "templateHash": "5161805386163632044"
+ }
+ },
+ "parameters": {
+ "name": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ },
+ "tags": {
+ "type": "object",
+ "defaultValue": {}
+ },
+ "securityRules": {
+ "type": "array"
+ }
+ },
+ "functions": [],
+ "resources": [
+ {
+ "type": "Microsoft.Network/networkSecurityGroups",
+ "apiVersion": "2021-02-01",
+ "name": "[parameters('name')]",
+ "location": "[parameters('location')]",
+ "tags": "[parameters('tags')]",
+ "properties": {
+ "securityRules": "[parameters('securityRules')]"
+ }
+ }
+ ],
+ "outputs": {
+ "id": {
+ "type": "string",
+ "value": "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('name'))]"
+ },
+ "name": {
+ "type": "string",
+ "value": "[parameters('name')]"
+ }
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "routeTable",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "name": {
+ "value": "[parameters('routeTableName')]"
+ },
+ "location": {
+ "value": "[parameters('location')]"
+ },
+ "tags": {
+ "value": "[parameters('tags')]"
+ },
+ "routeName": {
+ "value": "[parameters('routeTableRouteName')]"
+ },
+ "routeAddressPrefix": {
+ "value": "[parameters('routeTableRouteAddressPrefix')]"
+ },
+ "routeNextHopIpAddress": {
+ "value": "[parameters('routeTableRouteNextHopIpAddress')]"
+ },
+ "routeNextHopType": {
+ "value": "[parameters('routeTableRouteNextHopType')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.4.613.9944",
+ "templateHash": "4341229051409225242"
+ }
+ },
+ "parameters": {
+ "name": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ },
+ "tags": {
+ "type": "object",
+ "defaultValue": {}
+ },
+ "routeName": {
+ "type": "string"
+ },
+ "routeAddressPrefix": {
+ "type": "string"
+ },
+ "routeNextHopIpAddress": {
+ "type": "string"
+ },
+ "routeNextHopType": {
+ "type": "string"
+ }
+ },
+ "functions": [],
+ "resources": [
+ {
+ "type": "Microsoft.Network/routeTables",
+ "apiVersion": "2021-02-01",
+ "name": "[parameters('name')]",
+ "location": "[parameters('location')]",
+ "tags": "[parameters('tags')]",
+ "properties": {
+ "routes": [
+ {
+ "name": "[parameters('routeName')]",
+ "properties": {
+ "addressPrefix": "[parameters('routeAddressPrefix')]",
+ "nextHopIpAddress": "[parameters('routeNextHopIpAddress')]",
+ "nextHopType": "[parameters('routeNextHopType')]"
+ }
+ }
+ ]
+ }
+ }
+ ],
+ "outputs": {
+ "id": {
+ "type": "string",
+ "value": "[resourceId('Microsoft.Network/routeTables', parameters('name'))]"
+ },
+ "name": {
+ "type": "string",
+ "value": "[parameters('name')]"
+ }
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "virtualNetwork",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "name": {
+ "value": "[parameters('virtualNetworkName')]"
+ },
+ "location": {
+ "value": "[parameters('location')]"
+ },
+ "tags": {
+ "value": "[parameters('tags')]"
+ },
+ "addressPrefix": {
+ "value": "[parameters('virtualNetworkAddressPrefix')]"
+ },
+ "diagnosticsLogs": {
+ "value": "[if(empty(parameters('virtualNetworkDiagnosticsLogs')), variables('defaultVirtualNetworkDiagnosticsLogs'), parameters('virtualNetworkDiagnosticsLogs'))]"
+ },
+ "diagnosticsMetrics": {
+ "value": "[if(empty(parameters('virtualNetworkDiagnosticsMetrics')), variables('defaultVirtualNetworkDiagnosticsMetrics'), parameters('virtualNetworkDiagnosticsMetrics'))]"
+ },
+ "subnets": {
+ "value": [
+ {
+ "name": "[parameters('subnetName')]",
+ "properties": {
+ "addressPrefix": "[parameters('subnetAddressPrefix')]",
+ "networkSecurityGroup": {
+ "id": "[reference(resourceId('Microsoft.Resources/deployments', 'networkSecurityGroup'), '2019-10-01').outputs.id.value]"
+ },
+ "routeTable": {
+ "id": "[reference(resourceId('Microsoft.Resources/deployments', 'routeTable'), '2019-10-01').outputs.id.value]"
+ },
+ "serviceEndpoints": "[if(empty(parameters('subnetServiceEndpoints')), variables('defaultSubnetServiceEndpoints'), parameters('subnetServiceEndpoints'))]"
+ }
+ }
+ ]
+ },
+ "logAnalyticsWorkspaceResourceId": {
+ "value": "[parameters('logAnalyticsWorkspaceResourceId')]"
+ },
+ "logStorageAccountResourceId": {
+ "value": "[reference(resourceId('Microsoft.Resources/deployments', 'logStorage'), '2019-10-01').outputs.id.value]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.4.613.9944",
+ "templateHash": "16117476816851398131"
+ }
+ },
+ "parameters": {
+ "name": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ },
+ "tags": {
+ "type": "object",
+ "defaultValue": {}
+ },
+ "addressPrefix": {
+ "type": "string"
+ },
+ "logAnalyticsWorkspaceResourceId": {
+ "type": "string"
+ },
+ "logStorageAccountResourceId": {
+ "type": "string"
+ },
+ "subnets": {
+ "type": "array"
+ },
+ "diagnosticsMetrics": {
+ "type": "array"
+ },
+ "diagnosticsLogs": {
+ "type": "array"
+ }
+ },
+ "functions": [],
+ "resources": [
+ {
+ "type": "Microsoft.Network/virtualNetworks",
+ "apiVersion": "2021-02-01",
+ "name": "[parameters('name')]",
+ "location": "[parameters('location')]",
+ "tags": "[parameters('tags')]",
+ "properties": {
+ "addressSpace": {
+ "addressPrefixes": [
+ "[parameters('addressPrefix')]"
+ ]
+ },
+ "subnets": "[parameters('subnets')]"
+ }
+ },
+ {
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "apiVersion": "2017-05-01-preview",
+ "scope": "[format('Microsoft.Network/virtualNetworks/{0}', parameters('name'))]",
+ "name": "[format('{0}-diagnostics', parameters('name'))]",
+ "properties": {
+ "storageAccountId": "[parameters('logStorageAccountResourceId')]",
+ "workspaceId": "[parameters('logAnalyticsWorkspaceResourceId')]",
+ "metrics": "[parameters('diagnosticsMetrics')]",
+ "logs": "[parameters('diagnosticsLogs')]"
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Network/virtualNetworks', parameters('name'))]"
+ ]
+ }
+ ],
+ "outputs": {
+ "name": {
+ "type": "string",
+ "value": "[parameters('name')]"
+ },
+ "id": {
+ "type": "string",
+ "value": "[resourceId('Microsoft.Network/virtualNetworks', parameters('name'))]"
+ },
+ "subnets": {
+ "type": "array",
+ "value": "[reference(resourceId('Microsoft.Network/virtualNetworks', parameters('name'))).subnets]"
+ }
+ }
+ }
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', 'logStorage')]",
+ "[resourceId('Microsoft.Resources/deployments', 'networkSecurityGroup')]",
+ "[resourceId('Microsoft.Resources/deployments', 'routeTable')]"
+ ]
+ }
+ ],
+ "outputs": {
+ "virtualNetworkName": {
+ "type": "string",
+ "value": "[reference(resourceId('Microsoft.Resources/deployments', 'virtualNetwork'), '2019-10-01').outputs.name.value]"
+ },
+ "virtualNetworkResourceId": {
+ "type": "string",
+ "value": "[reference(resourceId('Microsoft.Resources/deployments', 'virtualNetwork'), '2019-10-01').outputs.id.value]"
+ },
+ "subnetName": {
+ "type": "string",
+ "value": "[reference(resourceId('Microsoft.Resources/deployments', 'virtualNetwork'), '2019-10-01').outputs.subnets.value[0].name]"
+ },
+ "subnetAddressPrefix": {
+ "type": "string",
+ "value": "[reference(resourceId('Microsoft.Resources/deployments', 'virtualNetwork'), '2019-10-01').outputs.subnets.value[0].properties.addressPrefix]"
+ },
+ "subnetResourceId": {
+ "type": "string",
+ "value": "[reference(resourceId('Microsoft.Resources/deployments', 'virtualNetwork'), '2019-10-01').outputs.subnets.value[0].id]"
+ },
+ "networkSecurityGroupName": {
+ "type": "string",
+ "value": "[reference(resourceId('Microsoft.Resources/deployments', 'networkSecurityGroup'), '2019-10-01').outputs.name.value]"
+ },
+ "networkSecurityGroupResourceId": {
+ "type": "string",
+ "value": "[reference(resourceId('Microsoft.Resources/deployments', 'networkSecurityGroup'), '2019-10-01').outputs.id.value]"
+ }
+ }
+ }
+ },
+ "dependsOn": [
+ "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), parameters('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-hub-{0}', parameters('nowUtc')))]",
+ "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('nowUtc')))]"
+ ]
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "[format('deploy-hub-peerings-{0}', parameters('nowUtc'))]",
+ "subscriptionId": "[parameters('hubSubscriptionId')]",
+ "location": "[deployment().location]",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "hubResourceGroupName": {
+ "value": "[reference(subscriptionResourceId(parameters('hubSubscriptionId'), 'Microsoft.Resources/deployments', format('deploy-hub-rg-{0}', parameters('nowUtc'))), '2019-10-01').outputs.name.value]"
+ },
+ "hubVirtualNetworkName": {
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), parameters('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-hub-{0}', parameters('nowUtc'))), '2019-10-01').outputs.virtualNetworkName.value]"
+ },
+ "identityVirtualNetworkName": {
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('identitySubscriptionId'), parameters('identityResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-identity-spoke-{0}', parameters('nowUtc'))), '2019-10-01').outputs.virtualNetworkName.value]"
+ },
+ "operationsVirtualNetworkName": {
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-operations-spoke-{0}', parameters('nowUtc'))), '2019-10-01').outputs.virtualNetworkName.value]"
+ },
+ "sharedServicesVirtualNetworkName": {
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('sharedServicesSubscriptionId'), parameters('sharedServicesResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-sharedServices-spoke-{0}', parameters('nowUtc'))), '2019-10-01').outputs.virtualNetworkName.value]"
+ },
+ "identityVirtualNetworkResourceId": {
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('identitySubscriptionId'), parameters('identityResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-identity-spoke-{0}', parameters('nowUtc'))), '2019-10-01').outputs.virtualNetworkResourceId.value]"
+ },
+ "operationsVirtualNetworkResourceId": {
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('sharedServicesSubscriptionId'), parameters('sharedServicesResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-sharedServices-spoke-{0}', parameters('nowUtc'))), '2019-10-01').outputs.virtualNetworkResourceId.value]"
+ },
+ "sharedServicesVirtualNetworkResourceId": {
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-operations-spoke-{0}', parameters('nowUtc'))), '2019-10-01').outputs.virtualNetworkResourceId.value]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.4.613.9944",
+ "templateHash": "9872315491162767153"
+ }
+ },
+ "parameters": {
+ "hubResourceGroupName": {
+ "type": "string"
+ },
+ "hubVirtualNetworkName": {
+ "type": "string"
+ },
+ "identityVirtualNetworkName": {
+ "type": "string"
+ },
+ "identityVirtualNetworkResourceId": {
+ "type": "string"
+ },
+ "operationsVirtualNetworkName": {
+ "type": "string"
+ },
+ "operationsVirtualNetworkResourceId": {
+ "type": "string"
+ },
+ "sharedServicesVirtualNetworkName": {
+ "type": "string"
+ },
+ "sharedServicesVirtualNetworkResourceId": {
+ "type": "string"
+ }
+ },
+ "functions": [],
+ "resources": [
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "hubToIdentityVirtualNetworkPeering",
+ "resourceGroup": "[parameters('hubResourceGroupName')]",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "name": {
+ "value": "[format('{0}/to-{1}', parameters('hubVirtualNetworkName'), parameters('identityVirtualNetworkName'))]"
+ },
+ "remoteVirtualNetworkResourceId": {
+ "value": "[parameters('identityVirtualNetworkResourceId')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.4.613.9944",
+ "templateHash": "12715137779259556895"
+ }
+ },
+ "parameters": {
+ "name": {
+ "type": "string"
+ },
+ "remoteVirtualNetworkResourceId": {
+ "type": "string"
+ }
+ },
+ "functions": [],
+ "resources": [
+ {
+ "type": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings",
+ "apiVersion": "2021-02-01",
+ "name": "[parameters('name')]",
+ "properties": {
+ "remoteVirtualNetwork": {
+ "id": "[parameters('remoteVirtualNetworkResourceId')]"
+ }
+ }
+ }
+ ]
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "hubToOperationsVirtualNetworkPeering",
+ "resourceGroup": "[parameters('hubResourceGroupName')]",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "name": {
+ "value": "[format('{0}/to-{1}', parameters('hubVirtualNetworkName'), parameters('operationsVirtualNetworkName'))]"
+ },
+ "remoteVirtualNetworkResourceId": {
+ "value": "[parameters('operationsVirtualNetworkResourceId')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.4.613.9944",
+ "templateHash": "12715137779259556895"
+ }
+ },
+ "parameters": {
+ "name": {
+ "type": "string"
+ },
+ "remoteVirtualNetworkResourceId": {
+ "type": "string"
+ }
+ },
+ "functions": [],
+ "resources": [
+ {
+ "type": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings",
+ "apiVersion": "2021-02-01",
+ "name": "[parameters('name')]",
+ "properties": {
+ "remoteVirtualNetwork": {
+ "id": "[parameters('remoteVirtualNetworkResourceId')]"
+ }
+ }
+ }
+ ]
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "hubToSharedServicesVirtualNetworkPeering",
+ "resourceGroup": "[parameters('hubResourceGroupName')]",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "name": {
+ "value": "[format('{0}/to-{1}', parameters('hubVirtualNetworkName'), parameters('sharedServicesVirtualNetworkName'))]"
+ },
+ "remoteVirtualNetworkResourceId": {
+ "value": "[parameters('sharedServicesVirtualNetworkResourceId')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.4.613.9944",
+ "templateHash": "12715137779259556895"
+ }
+ },
+ "parameters": {
+ "name": {
+ "type": "string"
+ },
+ "remoteVirtualNetworkResourceId": {
+ "type": "string"
+ }
+ },
+ "functions": [],
+ "resources": [
+ {
+ "type": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings",
+ "apiVersion": "2021-02-01",
+ "name": "[parameters('name')]",
+ "properties": {
+ "remoteVirtualNetwork": {
+ "id": "[parameters('remoteVirtualNetworkResourceId')]"
+ }
+ }
+ }
+ ]
+ }
+ }
+ }
+ ]
+ }
+ },
+ "dependsOn": [
+ "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), parameters('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-hub-{0}', parameters('nowUtc')))]",
+ "[subscriptionResourceId(parameters('hubSubscriptionId'), 'Microsoft.Resources/deployments', format('deploy-hub-rg-{0}', parameters('nowUtc')))]",
+ "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('identitySubscriptionId'), parameters('identityResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-identity-spoke-{0}', parameters('nowUtc')))]",
+ "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-operations-spoke-{0}', parameters('nowUtc')))]",
+ "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('sharedServicesSubscriptionId'), parameters('sharedServicesResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-sharedServices-spoke-{0}', parameters('nowUtc')))]"
+ ]
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "[format('deploy-identity-peerings-{0}', parameters('nowUtc'))]",
+ "subscriptionId": "[parameters('identitySubscriptionId')]",
+ "location": "[deployment().location]",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "spokeResourceGroupName": {
+ "value": "[reference(subscriptionResourceId(parameters('identitySubscriptionId'), 'Microsoft.Resources/deployments', format('deploy-identity-rg-{0}', parameters('nowUtc'))), '2019-10-01').outputs.name.value]"
+ },
+ "spokeVirtualNetworkName": {
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('identitySubscriptionId'), parameters('identityResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-identity-spoke-{0}', parameters('nowUtc'))), '2019-10-01').outputs.virtualNetworkName.value]"
+ },
+ "hubVirtualNetworkName": {
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), parameters('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-hub-{0}', parameters('nowUtc'))), '2019-10-01').outputs.virtualNetworkName.value]"
+ },
+ "hubVirtualNetworkResourceId": {
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), parameters('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-hub-{0}', parameters('nowUtc'))), '2019-10-01').outputs.virtualNetworkResourceId.value]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.4.613.9944",
+ "templateHash": "7742888482530749531"
+ }
+ },
+ "parameters": {
+ "spokeResourceGroupName": {
+ "type": "string"
+ },
+ "spokeVirtualNetworkName": {
+ "type": "string"
+ },
+ "hubVirtualNetworkName": {
+ "type": "string"
+ },
+ "hubVirtualNetworkResourceId": {
+ "type": "string"
+ }
+ },
+ "functions": [],
+ "resources": [
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "spokeNetworkPeering",
+ "resourceGroup": "[parameters('spokeResourceGroupName')]",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "name": {
+ "value": "[format('{0}/to-{1}', parameters('spokeVirtualNetworkName'), parameters('hubVirtualNetworkName'))]"
+ },
+ "remoteVirtualNetworkResourceId": {
+ "value": "[parameters('hubVirtualNetworkResourceId')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.4.613.9944",
+ "templateHash": "12715137779259556895"
+ }
+ },
+ "parameters": {
+ "name": {
+ "type": "string"
+ },
+ "remoteVirtualNetworkResourceId": {
+ "type": "string"
+ }
+ },
+ "functions": [],
+ "resources": [
+ {
+ "type": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings",
+ "apiVersion": "2021-02-01",
+ "name": "[parameters('name')]",
+ "properties": {
+ "remoteVirtualNetwork": {
+ "id": "[parameters('remoteVirtualNetworkResourceId')]"
+ }
+ }
+ }
+ ]
+ }
+ }
+ }
+ ]
+ }
+ },
+ "dependsOn": [
+ "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), parameters('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-hub-{0}', parameters('nowUtc')))]",
+ "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('identitySubscriptionId'), parameters('identityResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-identity-spoke-{0}', parameters('nowUtc')))]",
+ "[subscriptionResourceId(parameters('identitySubscriptionId'), 'Microsoft.Resources/deployments', format('deploy-identity-rg-{0}', parameters('nowUtc')))]"
+ ]
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "[format('deploy-operations-peerings-{0}', parameters('nowUtc'))]",
+ "subscriptionId": "[parameters('operationsSubscriptionId')]",
+ "location": "[deployment().location]",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "spokeResourceGroupName": {
+ "value": "[reference(subscriptionResourceId(parameters('operationsSubscriptionId'), 'Microsoft.Resources/deployments', format('deploy-operations-rg-{0}', parameters('nowUtc'))), '2019-10-01').outputs.name.value]"
+ },
+ "spokeVirtualNetworkName": {
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-operations-spoke-{0}', parameters('nowUtc'))), '2019-10-01').outputs.virtualNetworkName.value]"
+ },
+ "hubVirtualNetworkName": {
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), parameters('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-hub-{0}', parameters('nowUtc'))), '2019-10-01').outputs.virtualNetworkName.value]"
+ },
+ "hubVirtualNetworkResourceId": {
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), parameters('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-hub-{0}', parameters('nowUtc'))), '2019-10-01').outputs.virtualNetworkResourceId.value]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.4.613.9944",
+ "templateHash": "7742888482530749531"
+ }
+ },
+ "parameters": {
+ "spokeResourceGroupName": {
+ "type": "string"
+ },
+ "spokeVirtualNetworkName": {
+ "type": "string"
+ },
+ "hubVirtualNetworkName": {
+ "type": "string"
+ },
+ "hubVirtualNetworkResourceId": {
+ "type": "string"
+ }
+ },
+ "functions": [],
+ "resources": [
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "spokeNetworkPeering",
+ "resourceGroup": "[parameters('spokeResourceGroupName')]",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "name": {
+ "value": "[format('{0}/to-{1}', parameters('spokeVirtualNetworkName'), parameters('hubVirtualNetworkName'))]"
+ },
+ "remoteVirtualNetworkResourceId": {
+ "value": "[parameters('hubVirtualNetworkResourceId')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.4.613.9944",
+ "templateHash": "12715137779259556895"
+ }
+ },
+ "parameters": {
+ "name": {
+ "type": "string"
+ },
+ "remoteVirtualNetworkResourceId": {
+ "type": "string"
+ }
+ },
+ "functions": [],
+ "resources": [
+ {
+ "type": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings",
+ "apiVersion": "2021-02-01",
+ "name": "[parameters('name')]",
+ "properties": {
+ "remoteVirtualNetwork": {
+ "id": "[parameters('remoteVirtualNetworkResourceId')]"
+ }
+ }
+ }
+ ]
+ }
+ }
+ }
+ ]
+ }
+ },
+ "dependsOn": [
+ "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), parameters('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-hub-{0}', parameters('nowUtc')))]",
+ "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-operations-spoke-{0}', parameters('nowUtc')))]",
+ "[subscriptionResourceId(parameters('operationsSubscriptionId'), 'Microsoft.Resources/deployments', format('deploy-operations-rg-{0}', parameters('nowUtc')))]"
+ ]
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "[format('deploy-sharedServices-peerings-{0}', parameters('nowUtc'))]",
+ "subscriptionId": "[parameters('sharedServicesSubscriptionId')]",
+ "location": "[deployment().location]",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "spokeResourceGroupName": {
+ "value": "[reference(subscriptionResourceId(parameters('sharedServicesSubscriptionId'), 'Microsoft.Resources/deployments', format('deploy-sharedServices-rg-{0}', parameters('nowUtc'))), '2019-10-01').outputs.name.value]"
+ },
+ "spokeVirtualNetworkName": {
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('sharedServicesSubscriptionId'), parameters('sharedServicesResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-sharedServices-spoke-{0}', parameters('nowUtc'))), '2019-10-01').outputs.virtualNetworkName.value]"
+ },
+ "hubVirtualNetworkName": {
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), parameters('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-hub-{0}', parameters('nowUtc'))), '2019-10-01').outputs.virtualNetworkName.value]"
+ },
+ "hubVirtualNetworkResourceId": {
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), parameters('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-hub-{0}', parameters('nowUtc'))), '2019-10-01').outputs.virtualNetworkResourceId.value]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.4.613.9944",
+ "templateHash": "7742888482530749531"
+ }
+ },
+ "parameters": {
+ "spokeResourceGroupName": {
+ "type": "string"
+ },
+ "spokeVirtualNetworkName": {
+ "type": "string"
+ },
+ "hubVirtualNetworkName": {
+ "type": "string"
+ },
+ "hubVirtualNetworkResourceId": {
+ "type": "string"
+ }
+ },
+ "functions": [],
+ "resources": [
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "spokeNetworkPeering",
+ "resourceGroup": "[parameters('spokeResourceGroupName')]",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "name": {
+ "value": "[format('{0}/to-{1}', parameters('spokeVirtualNetworkName'), parameters('hubVirtualNetworkName'))]"
+ },
+ "remoteVirtualNetworkResourceId": {
+ "value": "[parameters('hubVirtualNetworkResourceId')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.4.613.9944",
+ "templateHash": "12715137779259556895"
+ }
+ },
+ "parameters": {
+ "name": {
+ "type": "string"
+ },
+ "remoteVirtualNetworkResourceId": {
+ "type": "string"
+ }
+ },
+ "functions": [],
+ "resources": [
+ {
+ "type": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings",
+ "apiVersion": "2021-02-01",
+ "name": "[parameters('name')]",
+ "properties": {
+ "remoteVirtualNetwork": {
+ "id": "[parameters('remoteVirtualNetworkResourceId')]"
+ }
+ }
+ }
+ ]
+ }
+ }
+ }
+ ]
+ }
+ },
+ "dependsOn": [
+ "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), parameters('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-hub-{0}', parameters('nowUtc')))]",
+ "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('sharedServicesSubscriptionId'), parameters('sharedServicesResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-sharedServices-spoke-{0}', parameters('nowUtc')))]",
+ "[subscriptionResourceId(parameters('sharedServicesSubscriptionId'), 'Microsoft.Resources/deployments', format('deploy-sharedServices-rg-{0}', parameters('nowUtc')))]"
+ ]
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "[format('assign-policy-hub-{0}', parameters('nowUtc'))]",
+ "subscriptionId": "[parameters('hubSubscriptionId')]",
+ "resourceGroup": "[parameters('hubResourceGroupName')]",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "builtInAssignment": {
+ "value": "[parameters('policy')]"
+ },
+ "logAnalyticsWorkspaceName": {
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('nowUtc'))), '2019-10-01').outputs.name.value]"
+ },
+ "logAnalyticsWorkspaceResourceGroupName": {
+ "value": "[reference(subscriptionResourceId(parameters('operationsSubscriptionId'), 'Microsoft.Resources/deployments', format('deploy-operations-rg-{0}', parameters('nowUtc'))), '2019-10-01').outputs.name.value]"
+ },
+ "operationsSubscriptionId": {
+ "value": "[parameters('operationsSubscriptionId')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.4.613.9944",
+ "templateHash": "3675806177489000536"
+ }
+ },
+ "parameters": {
+ "builtInAssignment": {
+ "type": "string",
+ "defaultValue": ""
+ },
+ "logAnalyticsWorkspaceName": {
+ "type": "string"
+ },
+ "logAnalyticsWorkspaceResourceGroupName": {
+ "type": "string"
+ },
+ "operationsSubscriptionId": {
+ "type": "string"
+ }
+ },
+ "functions": [],
+ "variables": {
+ "modifiedAssignment": "[if(and(equals(toLower(environment().name), toLower('AzureCloud')), equals(toLower(parameters('builtInAssignment')), toLower('IL5'))), 'NIST', parameters('builtInAssignment'))]",
+ "assignmentName": "[format('{0} {1}', variables('modifiedAssignment'), resourceGroup().name)]"
+ },
+ "resources": [
+ {
+ "condition": "[not(empty(variables('modifiedAssignment')))]",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2020-09-01",
+ "name": "[variables('assignmentName')]",
+ "location": "[resourceGroup().location]",
+ "properties": {
+ "policyDefinitionId": "[createObject('NIST', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f', 'parameters', json(replace(' {\n \"listOfMembersToExcludeFromWindowsVMAdministratorsGroup\": \n {\n \"value\": \"admin\"\n },\n \"listOfMembersToIncludeInWindowsVMAdministratorsGroup\": \n {\n \"value\": \"azureuser\"\n },\n \"logAnalyticsWorkspaceIdforVMReporting\": \n {\n \"value\": \"\"\n },\n \"IncludeArcMachines\": \n {\n \"value\": \"true\"\n },\n \"MinimumTLSVersion-5752e6d6-1206-46d8-8ab1-ecc2f71a8112\": \n {\n \"value\": \"1.2\"\n },\n \"NotAvailableMachineState-bed48b13-6647-468e-aa2f-1af1d3f4dd40\": \n {\n \"value\": \"Compliant\"\n },\n \"requiredRetentionDays\": \n {\n \"value\": \"365\"\n },\n \"resourceGroupName-b6e2945c-0b7b-40f5-9233-7a5323b5cdc6\": \n {\n \"value\": \"NetworkWatcherRG\"\n }\n }', '', extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))))), 'IL5', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/f9a961fa-3241-4b20-adc4-bbf8ad9d7197', 'parameters', json(replace('{\n \"IncludeArcMachines\" : { \n \"value\" : \"false\"\n },\n \"NotAvailableMachineState-bed48b13-6647-468e-aa2f-1af1d3f4dd40\" : { \n \"value\" : \"Compliant\"\n },\n \"MinimumTLSVersionForWindowsServers\" : { \n \"value\" : \"1.2\"\n },\n \"requiredRetentionDays\" : { \n \"value\" : \"365\"\n },\n \"effect-febd0533-8e55-448f-b837-bd0e06f16469\" : { \n \"value\" : \"audit\"\n },\n \"allowedContainerImagesRegex-febd0533-8e55-448f-b837-bd0e06f16469\" : { \n \"value\" : \"^(.+){0}$\"\n },\n \"effect-95edb821-ddaf-4404-9732-666045e056b4\" : { \n \"value\" : \"audit\"\n },\n \"effect-440b515e-a580-421e-abeb-b159a61ddcbc\" : { \n \"value\" : \"audit\"\n },\n 
\"effect-233a2a17-77ca-4fb1-9b6b-69223d272a44\" : { \n \"value\" : \"audit\"\n },\n \"effect-e345eecc-fa47-480f-9e88-67dcc122b164\" : { \n \"value\" : \"audit\"\n },\n \"cpuLimit-e345eecc-fa47-480f-9e88-67dcc122b164\" : { \n \"value\" : \"0\"\n },\n \"memoryLimit-e345eecc-fa47-480f-9e88-67dcc122b164\" : { \n \"value\" : \"0\"\n },\n \"effect-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \n \"value\" : \"audit\"\n },\n \"runAsUserRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \n \"value\" : \"MustRunAsNonRoot\"\n },\n \"runAsGroupRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \n \"value\" : \"RunAsAny\"\n },\n \"supplementalGroupsRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \n \"value\" : \"RunAsAny\"\n },\n \"fsGroupRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \n \"value\" : \"RunAsAny\"\n },\n \"effect-1c6e92c9-99f0-4e55-9cf2-0c234dc48f99\" : { \n \"value\" : \"audit\"\n },\n \"effect-47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8\" : { \n \"value\" : \"audit\"\n },\n \"effect-df49d893-a74c-421d-bc95-c663042e5b80\" : { \n \"value\" : \"audit\"\n },\n \"effect-1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\" : { \n \"value\" : \"audit\"\n },\n \"effect-c26596ff-4d70-4e6a-9a30-c2506bd2f80c\" : { \n \"value\" : \"audit\"\n },\n \"effect-511f5417-5d12-434d-ab2e-816901e72a5e\" : { \n \"value\" : \"audit\"\n },\n \"effect-82985f06-dc18-4a48-bc1c-b9f4f0098cfe\" : { \n \"value\" : \"audit\"\n },\n \"effect-098fc59e-46c7-4d99-9b16-64990e543d75\" : { \n \"value\" : \"audit\"\n },\n \"NetworkWatcherResourceGroupName\" : { \n \"value\" : \"NetworkWatcherRG\"\n },\n \"setting-a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9\" : { \n \"value\" : \"enabled\"\n },\n \"aadAuthenticationInServiceFabricMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"effect-71ef260a-8f18-47b7-abcb-62d0673d94dc\" : { \n \"value\" : \"Audit\"\n },\n \"effect-055aa869-bc98-4af8-bafc-23f1ab6ffe2c\" : { \n \"value\" : \"Audit\"\n },\n \"effect-564feb30-bf6a-4854-b4bb-0d2d2d1e6c66\" : { \n \"value\" : \"Audit\"\n },\n 
\"effect-862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb\" : { \n \"value\" : \"Audit\"\n },\n \"effect-d9da03a1-f3c3-412a-9709-947156872263\" : { \n \"value\" : \"Audit\"\n },\n \"effect-617c02be-7f02-4efd-8836-3180d47b6c68\" : { \n \"value\" : \"Audit\"\n },\n \"effect-0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d\" : { \n \"value\" : \"Audit\"\n },\n \"effect-ec068d99-e9c7-401f-8cef-5bdde4e6ccf1\" : { \n \"value\" : \"Audit\"\n },\n \"effect-c349d81b-9985-44ae-a8da-ff98d108ede8\" : { \n \"value\" : \"Audit\"\n },\n \"effect-3657f5a0-770e-44a3-b44e-9431ba1e9735\" : { \n \"value\" : \"Audit\"\n },\n \"effect-b4ac1030-89c5-4697-8e00-28b5ba6a8811\" : { \n \"value\" : \"audit\"\n },\n \"effect-ea0dfaed-95fb-448c-934e-d6e713ce393d\" : { \n \"value\" : \"audit\"\n },\n \"effect-4733ea7b-a883-42fe-8cac-97454c2a9e4a\" : { \n \"value\" : \"Audit\"\n },\n \"effect-f4b53539-8df9-40e4-86c6-6b607703bd4e\" : { \n \"value\" : \"Audit\"\n },\n \"effect-41425d9f-d1a5-499a-9932-f8ed8453932c\" : { \n \"value\" : \"Audit\"\n },\n \"effect-fc4d8e41-e223-45ea-9bf5-eada37891d87\" : { \n \"value\" : \"Audit\"\n },\n \"effect-86efb160-8de7-451d-bc08-5d475b0aadae\" : { \n \"value\" : \"Audit\"\n },\n \"effect-4ec52d6d-beb7-40c4-9a9e-fe753254690e\" : { \n \"value\" : \"Audit\"\n },\n \"effect-64d314f6-6062-4780-a861-c23e8951bee5\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1fd32ebd-e4c3-4e13-a54a-d7422d4d95f6\" : { \n \"value\" : \"Audit\"\n },\n \"effect-fa298e57-9444-42ba-bf04-86e8470e32c7\" : { \n \"value\" : \"audit\"\n },\n \"effect-67121cc7-ff39-4ab8-b7e3-95b84dab487d\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1f905d99-2ab7-462c-a6b0-f709acca6c8f\" : { \n \"value\" : \"audit\"\n },\n \"effect-5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\" : { \n \"value\" : \"Audit\"\n },\n \"effect-ba769a63-b8cc-4b2d-abf6-ac33c7204be8\" : { \n \"value\" : \"Audit\"\n },\n \"effect-81e74cea-30fd-40d5-802f-d72103c2aaaa\" : { \n \"value\" : 
\"Audit\"\n },\n \"effect-0aa61e00-0a01-4a3c-9945-e93cffedf0e6\" : { \n \"value\" : \"Audit\"\n },\n \"effect-47031206-ce96-41f8-861b-6a915f3de284\" : { \n \"value\" : \"Audit\"\n },\n \"effect-87ba29ef-1ab3-4d82-b763-87fcd4f531f7\" : { \n \"value\" : \"audit\"\n },\n \"effect-51522a96-0869-4791-82f3-981000c2c67f\" : { \n \"value\" : \"audit\"\n },\n \"effect-b5ec538c-daa0-4006-8596-35468b9148e8\" : { \n \"value\" : \"Audit\"\n },\n \"effect-56a5ee18-2ae6-4810-86f7-18e39ce5629b\" : { \n \"value\" : \"Audit\"\n },\n \"effect-2e94d99a-8a36-4563-bc77-810d8893b671\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1fafeaf6-7927-4059-a50a-8eb2a7a6f2b5\" : { \n \"value\" : \"Audit\"\n },\n \"effect-99e9ccd8-3db9-4592-b0d1-14b1715a4d8a\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1f68a601-6e6d-4e42-babf-3f643a047ea2\" : { \n \"value\" : \"audit\"\n },\n \"effect-f7d52b2d-e161-4dfa-a82b-55e564167385\" : { \n \"value\" : \"Audit\"\n },\n \"effect-7d7be79c-23ba-4033-84dd-45e2a5ccdd67\" : { \n \"value\" : \"Audit\"\n },\n \"effect-ca91455f-eace-4f96-be59-e6e2c35b4816\" : { \n \"value\" : \"Audit\"\n },\n \"effect-702dd420-7fcc-42c5-afe8-4026edd20fe0\" : { \n \"value\" : \"Audit\"\n },\n \"diagnosticsLogsInRedisCacheMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"secureTransferToStorageAccountMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"effect-d0793b48-0edc-4296-a390-4c75d1bdfd71\" : { \n \"value\" : \"Audit\"\n },\n \"effect-7d092e0a-7acd-40d2-a975-dca21cae48c4\" : { \n \"value\" : \"Audit\"\n },\n \"effect-2a1a9cdf-e04d-429a-8416-3bfb72a1b26f\" : { \n \"value\" : \"Audit\"\n },\n \"disableUnrestrictedNetworkToStorageAccountMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"effect-55615ac9-af46-4a59-874e-391cc3dfb490\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1b8ca024-1d5c-4dec-8995-b1a932b41780\" : { \n \"value\" : \"Audit\"\n },\n \"effect-037eea7a-bd0a-46c5-9a66-03aea78705d3\" : { \n \"value\" : \"Audit\"\n },\n 
\"effect-53503636-bcc9-4748-9663-5348217f160f\" : { \n \"value\" : \"Audit\"\n },\n \"effect-40cec1dd-a100-4920-b15b-3024fe8901ab\" : { \n \"value\" : \"Audit\"\n },\n \"effect-0725b4dd-7e76-479c-a735-68e7ee23d5ca\" : { \n \"value\" : \"Audit\"\n },\n \"effect-a049bf77-880b-470f-ba6d-9f21c530cf83\" : { \n \"value\" : \"Audit\"\n },\n \"effect-ee980b6d-0eca-4501-8d54-f6290fd512c3\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1d84d5fb-01f6-4d12-ba4f-4a26081d403d\" : { \n \"value\" : \"Audit\"\n },\n \"effect-37e0d2fe-28a5-43d6-a273-67d37d1f5606\" : { \n \"value\" : \"Audit\"\n },\n \"identityDesignateMoreThanOneOwnerMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"diskEncryptionMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"emailNotificationToSubscriptionOwnerHighSeverityAlertsEnabledEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"functionAppDisableRemoteDebuggingMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"sqlDbEncryptionMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"vulnerabilityAssessmentOnManagedInstanceMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensurePHPVersionLatestForAPIAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"aadAuthenticationInSqlServerMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"vmssEndpointProtectionMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"vmssOsVulnerabilitiesMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"adaptiveApplicationControlsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"geoRedundantBackupShouldBeEnabledForAzureDatabaseForPostgreSQLEffect\" : { \n \"value\" : \"Audit\"\n },\n \"ensureJavaVersionLatestForWebAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityDesignateLessThanOwnersMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"securityContactEmailAddressForSubscriptionEffect\" : { \n 
\"value\" : \"AuditIfNotExists\"\n },\n \"webAppRestrictCORSAccessMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityRemoveExternalAccountWithWritePermissionsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityRemoveExternalAccountWithReadPermissionsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityRemoveDeprecatedAccountMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"functionAppEnforceHttpsMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"ensurePythonVersionLatestForWebAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensurePythonVersionLatestForFunctionAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensurePHPVersionLatestForWebAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensurePythonVersionLatestForAPIAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"geoRedundantBackupShouldBeEnabledForAzureDatabaseForMySQLEffect\" : { \n \"value\" : \"Audit\"\n },\n \"systemUpdatesMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensureJavaVersionLatestForAPIAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensureHTTPVersionLatestForWebAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"apiAppRequireLatestTlsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityEnableMFAForWritePermissionsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensureHTTPVersionLatestForAPIAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensureJavaVersionLatestForFunctionAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"nextGenerationFirewallMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"useRbacRulesMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"webAppEnforceHttpsMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"sqlServerAuditingMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n 
\"vnetEnableDDoSProtectionMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityEnableMFAForOwnerPermissionsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"sqlServerAdvancedDataSecurityMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"sqlManagedInstanceAdvancedDataSecurityMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"endpointProtectionMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"jitNetworkAccessMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"apiAppEnforceHttpsMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"geoRedundantStorageShouldBeEnabledForStorageAccountsEffect\" : { \n \"value\" : \"Audit\"\n },\n \"vmssSystemUpdatesMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"webAppDisableRemoteDebuggingMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"longtermGeoRedundantBackupEnabledAzureSQLDatabasesEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"systemConfigurationsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensureHTTPVersionLatestForFunctionAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityEnableMFAForReadPermissionsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"containerBenchmarkMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"apiAppDisableRemoteDebuggingMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"vulnerabilityAssessmentOnServerMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"webAppRequireLatestTlsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityRemoveExternalAccountWithOwnerPermissionsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"functionAppRequireLatestTlsMonitoringEffect\" : { \n \"value\" : 
\"AuditIfNotExists\"\n },\n \"kubernetesServiceVersionUpToDateMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"sqlDbVulnerabilityAssesmentMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"membersToIncludeInLocalAdministratorsGroup\" : { \n \"value\" : \"\"\n },\n \"membersToExcludeInLocalAdministratorsGroup\" : { \n \"value\" : \"\"\n },\n \"logAnalyticsWorkspaceIDForVMAgents\" : { \n \"value\" : \"\"\n },\n \"PHPLatestVersionForAppServices\" : { \n \"value\" : \"7.4\"\n },\n \"JavaLatestVersionForAppServices\" : { \n \"value\" : \"11\"\n },\n \"WindowsPythonLatestVersionForAppServices\" : { \n \"value\" : \"3.6\"\n },\n \"LinuxPythonLatestVersionForAppServices\" : { \n \"value\" : \"3.9\"\n },\n \"ensureDotNetFrameworkLatestForFunctionAppEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"sqlManagedInstanceAdvancedDataSecurityEmailsMonitoringEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"vulnerabilityAssessmentMonitoringEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"ensureDotNetFrameworkLatestForWebAppEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"sqlServerAdvancedDataSecurityEmailsMonitoringEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"microsoftIaaSAntimalwareExtensionShouldBeDeployedOnWindowsServersEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"securityCenterStandardPricingTierShouldBeSelectedEffect\" : { \n \"value\" : \"Audit\"\n },\n \"theLogAnalyticsAgentShouldBeInstalledOnVirtualMachinesEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"ensurePHPVersionLatestForFunctionAppEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"sqlManagedInstanceAdvancedDataSecurityEmailAdminsMonitoringEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"securityContactPhoneNumberShouldBeProvidedForSubscriptionEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"threatDetectionTypesOnManagedInstanceMonitoringEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"ensureDotNetFrameworkLatestForAPIAppEffect\" : { \n \"value\" : \"Disabled\"\n },\n 
\"sqlServerAdvancedDataSecurityEmailAdminsMonitoringEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"threatDetectionTypesOnServerMonitoringEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"theLogAnalyticsAgentShouldBeInstalledOnVirtualMachineScaleSetsEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n }\n}', '', extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))))), 'CMMC', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/b5629c75-5c77-4422-87b9-2509e680f8de', 'parameters', json(replace('{\n \"logAnalyticsWorkspaceId-f47b5582-33ec-4c5c-87c0-b010a6b2e917\" : { \n \"value\" : \"\"\n },\n \"effect-09024ccc-0c5f-475e-9457-b7c0d9ed487b\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"MembersToExclude-69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f\" :{\n \"value\": \"\"\n },\n \"MembersToInclude-30f71ea1-ac77-4f26-9fc5-2d926bbd4ba7\": {\n \"value\": \"\"\n },\n \"effect-0961003e-5a0a-4549-abde-af6a37f2724d\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-0b15565f-aa9e-48ba-8619-45960f2c314d\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-0e60b895-3786-45da-8377-9c6b4b6ac5f9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-17k78e20-9358-41c9-923c-fb736d382a12\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"PHPLatestVersion\" : { \n \"value\" : \"7.3\"\n },\n \"effect-22bee202-a82f-4305-9a2a-6d7f44d4dedb\" : { \n \"value\" : \"Audit\"\n },\n \"effect-26a828e1-e88f-464e-bbb3-c134a282b9de\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-34c877ad-507e-4c82-993e-3452a6e0ad3c\" : { \n \"value\" : \"Audit\"\n },\n \"effect-3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n 
\"effect-404c3081-a854-4457-ae30-26a93ef643f9\" : { \n \"value\" : \"Audit\"\n },\n \"effect-47a6b606-51aa-4496-8bb7-64b11cf66adc\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-496223c3-ad65-4ecd-878a-bae78737e9ed\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"JavaLatestVersion\" : { \n \"value\" : \"11\"\n },\n \"effect-4f11b553-d42e-4e3a-89be-32ca364cad4c\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-5c607a2e-c700-4744-8254-d77e7c9eb5e4\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-5f76cf89-fbf2-47fd-a3f4-b891fa780b60\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-6b1cbf55-e8b6-442f-ba4c-7246b6381474\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab\" : { \n \"value\" : \"Audit\"\n },\n \"effect-7008174a-fd10-4ef0-817e-fc820a951d73\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"LinuxPythonLatestVersion\" : { \n \"value\" : \"3.8\"\n },\n \"effect-7238174a-fd10-4ef0-817e-fc820a951d73\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-7261b898-8a84-4db8-9e04-18527132abb3\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-74c3584d-afae-46f7-a20a-6f8adba71a16\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-86b3d65f-7626-441e-b690-81a8b71cff60\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-88999f4c-376a-45c8-bcb3-4058f713cf39\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-8c122334-9d20-4eb8-89ea-ac9a705b74ae\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-9297c21d-2ed6-4474-b48f-163f75654ce3\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-991310cd-e9f3-47bc-b7b6-f57b557d07db\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-9b597639-28e4-48eb-b506-56b05d366257\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n 
\"effect-9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-9daedab3-fb2d-461e-b861-71790eead4f6\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-a4af4a39-4135-47fb-b175-47fbdf85311d\" : { \n \"value\" : \"Audit\"\n },\n \"effect-a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"setting-a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9\" : { \n \"value\" : \"enabled\"\n },\n \"effect-a70ca396-0a34-413a-88e1-b956c1e683be\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-aa633080-8b72-40c4-a2d7-d00c03e80bed\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-af6cd1bd-1635-48cb-bde7-5b15693900b9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"resourceGroupName-b6e2945c-0b7b-40f5-9233-7a5323b5cdc6\" : { \n \"value\" : \"NetworkWatcherRG\"\n },\n \"effect-b7ddfbdc-1260-477d-91fd-98bd9be789a6\" : { \n \"value\" : \"Audit\"\n },\n \"effect-c3f317a7-a95c-4547-b7e7-11017ebdf2fe\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-cb510bfd-1cba-4d9f-a230-cb0976f4bb71\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-e2c1c086-2d84-4019-bff3-c44ccd95113c\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-e3576e28-8b17-4677-84c3-db2990658d64\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-e8cbc669-f12d-49eb-93e7-9273119e9933\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-e9c8d085-d9cc-4b17-9cdc-059f1f01f19e\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-ebb62a0c-3560-49e1-89ed-27e074e9f8ad\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-efbde977-ba53-4479-b8e9-10b957924fbf\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n 
\"effect-f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-f6de0be7-9a8a-4b8a-b349-43cf02d22f7c\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-f8456c1c-aa66-4dfb-861a-25d127b775c9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-f9d614c5-c173-4d56-95a7-b4437057d193\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-fb893a29-21bb-418c-a157-e99480ec364c\" : { \n \"value\" : \"Audit\"\n },\n \"effect-feedbf84-6b99-488c-acc2-71c829aa5ffc\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-3b980d31-7904-4bb7-8575-5665739a8052\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-6e2593d9-add6-4083-9c9b-4b7d2188c899\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-12430be1-6cc8-4527-a9a8-e3d38f250096\" : { \n \"value\" : \"Audit\"\n },\n \"modeRequirement-12430be1-6cc8-4527-a9a8-e3d38f250096\" : { \n \"value\" : \"Detection\"\n },\n \"effect-425bea59-a659-4cbb-8d31-34499bd030b8\" : { \n \"value\" : \"Audit\"\n },\n \"modeRequirement-425bea59-a659-4cbb-8d31-34499bd030b8\" : { \n \"value\" : \"Detection\"\n },\n \"effect-564feb30-bf6a-4854-b4bb-0d2d2d1e6c66\" : { \n \"value\" : \"Audit\"\n },\n \"effect-055aa869-bc98-4af8-bafc-23f1ab6ffe2c\" : { \n \"value\" : \"Audit\"\n },\n \"effect-013e242c-8828-4970-87b3-ab247555486d\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-d38fc420-0735-4ef3-ac11-c806f651a570\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-a1181c5f-672a-477a-979a-7d58aa086233\" : { \n \"value\" : \"Audit\"\n },\n \"effect-308fbb08-4ab8-4e67-9b29-592e93fb94fa\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-4da35fc9-c9e7-4960-aec9-797fe7d9051d\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-523b5cd1-3e23-492f-a539-13118b6d1e3a\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-7fe3b40f-802b-4cdd-8bd4-fd799c948cc2\" : { \n \"value\" : 
\"AuditIfNotExists\"\n },\n \"effect-c25d9a16-bc35-4e15-a7e5-9db606bf9ed4\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-b0f33259-77d7-4c9e-aac6-3aabcfae693c\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-037eea7a-bd0a-46c5-9a66-03aea78705d3\" : { \n \"value\" : \"Audit\"\n },\n \"effect-0725b4dd-7e76-479c-a735-68e7ee23d5ca\" : { \n \"value\" : \"Audit\"\n },\n \"effect-0820b7b9-23aa-4725-a1ce-ae4558f718e5\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-2c89a2e5-7285-40fe-afe0-ae8654b92fab\" : { \n \"value\" : \"Audit\"\n },\n \"effect-358c20a6-3f9e-4f0e-97ff-c6ce485e2aac\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-5744710e-cc2f-4ee8-8809-3b11e89f4bc9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-ac4a19c2-fa67-49b4-8ae5-0b2e78c49457\" : { \n \"value\" : \"Audit\"\n },\n \"effect-c9d007d0-c057-4772-b18c-01e546713bcd\" : { \n \"value\" : \"Audit\"\n },\n \"effect-d0793b48-0edc-4296-a390-4c75d1bdfd71\" : { \n \"value\" : \"Audit\"\n },\n \"effect-e372f825-a257-4fb8-9175-797a8a8627d6\" : { \n \"value\" : \"Audit\"\n },\n \"effect-d158790f-bfb0-486c-8631-2dc6b4e8e6af\" : { \n \"value\" : \"Audit\"\n },\n \"effect-e802a67a-daf5-4436-9ea6-f6d821dd0c5d\" : { \n \"value\" : \"Audit\"\n },\n \"effect-a451c1ef-c6ca-483d-87ed-f49761e3ffb5\" : { \n \"value\" : \"Audit\"\n },\n \"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftSql-servers-firewallRules-delete\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftNetwork-networkSecurityGroups-delete\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftClassicNetwork-networkSecurityGroups-delete\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftNetwork-networkSecurityGroups-securityRules-delete\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n 
\"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftClassicNetwork-networkSecurityGroups-securityRules-delete\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-ae89ebca-1c92-4898-ac2c-9f63decb045c\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-d26f7642-7545-4e18-9b75-8c9bbdee3a9a\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-1a4e592a-6a6e-44a5-9814-e36264ca96e7\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-7796937f-307b-4598-941c-67d3a05ebfe7\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-c5447c04-a4d7-4ba8-a263-c9ee321a6858\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-41388f1c-2db0-4c25-95b2-35d7f5ccbfa9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-b02aacc0-b073-424e-8298-42b22829ee0a\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-0ec47710-77ff-4a3d-9181-6aa50af424d0\" : { \n \"value\" : \"Audit\"\n },\n \"effect-48af4db5-9b8b-401c-8e74-076be876a430\" : { \n \"value\" : \"Audit\"\n },\n \"effect-82339799-d096-41ae-8538-b108becf0970\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1b7aa243-30e4-4c9e-bca8-d0d3022b634a\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-bb91dfba-c30d-4263-9add-9c2384e659a6\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-e71308d3-144b-4262-b144-efdc3cc90517\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-2bdd0062-9d75-436e-89df-487dd8e4b3c7\" : { \n \"value\" : \"Disabled\"\n },\n \"effect-4733ea7b-a883-42fe-8cac-97454c2a9e4a\" : { \n \"value\" : \"Audit\"\n },\n \"effect-67121cc7-ff39-4ab8-b7e3-95b84dab487d\" : { \n \"value\" : \"Audit\"\n },\n \"effect-6fac406b-40ca-413b-bf8e-0bf964659c25\" : { \n \"value\" : \"Audit\"\n },\n \"effect-81e74cea-30fd-40d5-802f-d72103c2aaaa\" : { \n \"value\" : \"Audit\"\n },\n 
\"effect-c349d81b-9985-44ae-a8da-ff98d108ede8\" : { \n \"value\" : \"Audit\"\n },\n \"effect-f4b53539-8df9-40e4-86c6-6b607703bd4e\" : { \n \"value\" : \"Audit\"\n },\n \"effect-ec068d99-e9c7-401f-8cef-5bdde4e6ccf1\" : { \n \"value\" : \"Audit\"\n },\n \"effect-048248b0-55cd-46da-b1ff-39efd52db260\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-0d134df8-db83-46fb-ad72-fe0c9428c8dd\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-2c89a2e5-7285-40fe-afe0-ae8654b92fb2\" : { \n \"value\" : \"Audit\"\n },\n \"effect-3657f5a0-770e-44a3-b44e-9431ba1e9735\" : { \n \"value\" : \"Audit\"\n },\n \"effect-5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\" : { \n \"value\" : \"Audit\"\n },\n \"effect-617c02be-7f02-4efd-8836-3180d47b6c68\" : { \n \"value\" : \"Audit\"\n },\n \"effect-7d7be79c-23ba-4033-84dd-45e2a5ccdd67\" : { \n \"value\" : \"Audit\"\n },\n \"effect-87ba29ef-1ab3-4d82-b763-87fcd4f531f7\" : { \n \"value\" : \"audit\"\n },\n \"effect-f7d52b2d-e161-4dfa-a82b-55e564167385\" : { \n \"value\" : \"Audit\"\n },\n \"effect-c43e4a30-77cb-48ab-a4dd-93f175c63b57\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1f314764-cb73-4fc9-b863-8eca98ac36e9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-123a3936-f020-408a-ba0c-47873faf1534\" : { \n \"value\" : \"AuditIfNotExists\"\n }\n}\n', '', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName')), '2021-06-01').customerId))))[variables('modifiedAssignment')].id]",
+ "parameters": "[createObject('NIST', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f', 'parameters', json(replace(' {\n \"listOfMembersToExcludeFromWindowsVMAdministratorsGroup\": \n {\n \"value\": \"admin\"\n },\n \"listOfMembersToIncludeInWindowsVMAdministratorsGroup\": \n {\n \"value\": \"azureuser\"\n },\n \"logAnalyticsWorkspaceIdforVMReporting\": \n {\n \"value\": \"\"\n },\n \"IncludeArcMachines\": \n {\n \"value\": \"true\"\n },\n \"MinimumTLSVersion-5752e6d6-1206-46d8-8ab1-ecc2f71a8112\": \n {\n \"value\": \"1.2\"\n },\n \"NotAvailableMachineState-bed48b13-6647-468e-aa2f-1af1d3f4dd40\": \n {\n \"value\": \"Compliant\"\n },\n \"requiredRetentionDays\": \n {\n \"value\": \"365\"\n },\n \"resourceGroupName-b6e2945c-0b7b-40f5-9233-7a5323b5cdc6\": \n {\n \"value\": \"NetworkWatcherRG\"\n }\n }', '', extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))))), 'IL5', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/f9a961fa-3241-4b20-adc4-bbf8ad9d7197', 'parameters', json(replace('{\n \"IncludeArcMachines\" : { \n \"value\" : \"false\"\n },\n \"NotAvailableMachineState-bed48b13-6647-468e-aa2f-1af1d3f4dd40\" : { \n \"value\" : \"Compliant\"\n },\n \"MinimumTLSVersionForWindowsServers\" : { \n \"value\" : \"1.2\"\n },\n \"requiredRetentionDays\" : { \n \"value\" : \"365\"\n },\n \"effect-febd0533-8e55-448f-b837-bd0e06f16469\" : { \n \"value\" : \"audit\"\n },\n \"allowedContainerImagesRegex-febd0533-8e55-448f-b837-bd0e06f16469\" : { \n \"value\" : \"^(.+){0}$\"\n },\n \"effect-95edb821-ddaf-4404-9732-666045e056b4\" : { \n \"value\" : \"audit\"\n },\n \"effect-440b515e-a580-421e-abeb-b159a61ddcbc\" : { \n \"value\" : \"audit\"\n },\n \"effect-233a2a17-77ca-4fb1-9b6b-69223d272a44\" : { 
\n \"value\" : \"audit\"\n },\n \"effect-e345eecc-fa47-480f-9e88-67dcc122b164\" : { \n \"value\" : \"audit\"\n },\n \"cpuLimit-e345eecc-fa47-480f-9e88-67dcc122b164\" : { \n \"value\" : \"0\"\n },\n \"memoryLimit-e345eecc-fa47-480f-9e88-67dcc122b164\" : { \n \"value\" : \"0\"\n },\n \"effect-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \n \"value\" : \"audit\"\n },\n \"runAsUserRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \n \"value\" : \"MustRunAsNonRoot\"\n },\n \"runAsGroupRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \n \"value\" : \"RunAsAny\"\n },\n \"supplementalGroupsRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \n \"value\" : \"RunAsAny\"\n },\n \"fsGroupRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \n \"value\" : \"RunAsAny\"\n },\n \"effect-1c6e92c9-99f0-4e55-9cf2-0c234dc48f99\" : { \n \"value\" : \"audit\"\n },\n \"effect-47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8\" : { \n \"value\" : \"audit\"\n },\n \"effect-df49d893-a74c-421d-bc95-c663042e5b80\" : { \n \"value\" : \"audit\"\n },\n \"effect-1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\" : { \n \"value\" : \"audit\"\n },\n \"effect-c26596ff-4d70-4e6a-9a30-c2506bd2f80c\" : { \n \"value\" : \"audit\"\n },\n \"effect-511f5417-5d12-434d-ab2e-816901e72a5e\" : { \n \"value\" : \"audit\"\n },\n \"effect-82985f06-dc18-4a48-bc1c-b9f4f0098cfe\" : { \n \"value\" : \"audit\"\n },\n \"effect-098fc59e-46c7-4d99-9b16-64990e543d75\" : { \n \"value\" : \"audit\"\n },\n \"NetworkWatcherResourceGroupName\" : { \n \"value\" : \"NetworkWatcherRG\"\n },\n \"setting-a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9\" : { \n \"value\" : \"enabled\"\n },\n \"aadAuthenticationInServiceFabricMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"effect-71ef260a-8f18-47b7-abcb-62d0673d94dc\" : { \n \"value\" : \"Audit\"\n },\n \"effect-055aa869-bc98-4af8-bafc-23f1ab6ffe2c\" : { \n \"value\" : \"Audit\"\n },\n \"effect-564feb30-bf6a-4854-b4bb-0d2d2d1e6c66\" : { \n \"value\" : \"Audit\"\n },\n \"effect-862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb\" : { \n 
\"value\" : \"Audit\"\n },\n \"effect-d9da03a1-f3c3-412a-9709-947156872263\" : { \n \"value\" : \"Audit\"\n },\n \"effect-617c02be-7f02-4efd-8836-3180d47b6c68\" : { \n \"value\" : \"Audit\"\n },\n \"effect-0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d\" : { \n \"value\" : \"Audit\"\n },\n \"effect-ec068d99-e9c7-401f-8cef-5bdde4e6ccf1\" : { \n \"value\" : \"Audit\"\n },\n \"effect-c349d81b-9985-44ae-a8da-ff98d108ede8\" : { \n \"value\" : \"Audit\"\n },\n \"effect-3657f5a0-770e-44a3-b44e-9431ba1e9735\" : { \n \"value\" : \"Audit\"\n },\n \"effect-b4ac1030-89c5-4697-8e00-28b5ba6a8811\" : { \n \"value\" : \"audit\"\n },\n \"effect-ea0dfaed-95fb-448c-934e-d6e713ce393d\" : { \n \"value\" : \"audit\"\n },\n \"effect-4733ea7b-a883-42fe-8cac-97454c2a9e4a\" : { \n \"value\" : \"Audit\"\n },\n \"effect-f4b53539-8df9-40e4-86c6-6b607703bd4e\" : { \n \"value\" : \"Audit\"\n },\n \"effect-41425d9f-d1a5-499a-9932-f8ed8453932c\" : { \n \"value\" : \"Audit\"\n },\n \"effect-fc4d8e41-e223-45ea-9bf5-eada37891d87\" : { \n \"value\" : \"Audit\"\n },\n \"effect-86efb160-8de7-451d-bc08-5d475b0aadae\" : { \n \"value\" : \"Audit\"\n },\n \"effect-4ec52d6d-beb7-40c4-9a9e-fe753254690e\" : { \n \"value\" : \"Audit\"\n },\n \"effect-64d314f6-6062-4780-a861-c23e8951bee5\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1fd32ebd-e4c3-4e13-a54a-d7422d4d95f6\" : { \n \"value\" : \"Audit\"\n },\n \"effect-fa298e57-9444-42ba-bf04-86e8470e32c7\" : { \n \"value\" : \"audit\"\n },\n \"effect-67121cc7-ff39-4ab8-b7e3-95b84dab487d\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1f905d99-2ab7-462c-a6b0-f709acca6c8f\" : { \n \"value\" : \"audit\"\n },\n \"effect-5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\" : { \n \"value\" : \"Audit\"\n },\n \"effect-ba769a63-b8cc-4b2d-abf6-ac33c7204be8\" : { \n \"value\" : \"Audit\"\n },\n \"effect-81e74cea-30fd-40d5-802f-d72103c2aaaa\" : { \n \"value\" : \"Audit\"\n },\n 
\"effect-0aa61e00-0a01-4a3c-9945-e93cffedf0e6\" : { \n \"value\" : \"Audit\"\n },\n \"effect-47031206-ce96-41f8-861b-6a915f3de284\" : { \n \"value\" : \"Audit\"\n },\n \"effect-87ba29ef-1ab3-4d82-b763-87fcd4f531f7\" : { \n \"value\" : \"audit\"\n },\n \"effect-51522a96-0869-4791-82f3-981000c2c67f\" : { \n \"value\" : \"audit\"\n },\n \"effect-b5ec538c-daa0-4006-8596-35468b9148e8\" : { \n \"value\" : \"Audit\"\n },\n \"effect-56a5ee18-2ae6-4810-86f7-18e39ce5629b\" : { \n \"value\" : \"Audit\"\n },\n \"effect-2e94d99a-8a36-4563-bc77-810d8893b671\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1fafeaf6-7927-4059-a50a-8eb2a7a6f2b5\" : { \n \"value\" : \"Audit\"\n },\n \"effect-99e9ccd8-3db9-4592-b0d1-14b1715a4d8a\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1f68a601-6e6d-4e42-babf-3f643a047ea2\" : { \n \"value\" : \"audit\"\n },\n \"effect-f7d52b2d-e161-4dfa-a82b-55e564167385\" : { \n \"value\" : \"Audit\"\n },\n \"effect-7d7be79c-23ba-4033-84dd-45e2a5ccdd67\" : { \n \"value\" : \"Audit\"\n },\n \"effect-ca91455f-eace-4f96-be59-e6e2c35b4816\" : { \n \"value\" : \"Audit\"\n },\n \"effect-702dd420-7fcc-42c5-afe8-4026edd20fe0\" : { \n \"value\" : \"Audit\"\n },\n \"diagnosticsLogsInRedisCacheMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"secureTransferToStorageAccountMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"effect-d0793b48-0edc-4296-a390-4c75d1bdfd71\" : { \n \"value\" : \"Audit\"\n },\n \"effect-7d092e0a-7acd-40d2-a975-dca21cae48c4\" : { \n \"value\" : \"Audit\"\n },\n \"effect-2a1a9cdf-e04d-429a-8416-3bfb72a1b26f\" : { \n \"value\" : \"Audit\"\n },\n \"disableUnrestrictedNetworkToStorageAccountMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"effect-55615ac9-af46-4a59-874e-391cc3dfb490\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1b8ca024-1d5c-4dec-8995-b1a932b41780\" : { \n \"value\" : \"Audit\"\n },\n \"effect-037eea7a-bd0a-46c5-9a66-03aea78705d3\" : { \n \"value\" : \"Audit\"\n },\n \"effect-53503636-bcc9-4748-9663-5348217f160f\" : 
{ \n \"value\" : \"Audit\"\n },\n \"effect-40cec1dd-a100-4920-b15b-3024fe8901ab\" : { \n \"value\" : \"Audit\"\n },\n \"effect-0725b4dd-7e76-479c-a735-68e7ee23d5ca\" : { \n \"value\" : \"Audit\"\n },\n \"effect-a049bf77-880b-470f-ba6d-9f21c530cf83\" : { \n \"value\" : \"Audit\"\n },\n \"effect-ee980b6d-0eca-4501-8d54-f6290fd512c3\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1d84d5fb-01f6-4d12-ba4f-4a26081d403d\" : { \n \"value\" : \"Audit\"\n },\n \"effect-37e0d2fe-28a5-43d6-a273-67d37d1f5606\" : { \n \"value\" : \"Audit\"\n },\n \"identityDesignateMoreThanOneOwnerMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"diskEncryptionMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"emailNotificationToSubscriptionOwnerHighSeverityAlertsEnabledEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"functionAppDisableRemoteDebuggingMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"sqlDbEncryptionMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"vulnerabilityAssessmentOnManagedInstanceMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensurePHPVersionLatestForAPIAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"aadAuthenticationInSqlServerMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"vmssEndpointProtectionMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"vmssOsVulnerabilitiesMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"adaptiveApplicationControlsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"geoRedundantBackupShouldBeEnabledForAzureDatabaseForPostgreSQLEffect\" : { \n \"value\" : \"Audit\"\n },\n \"ensureJavaVersionLatestForWebAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityDesignateLessThanOwnersMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"securityContactEmailAddressForSubscriptionEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n 
\"webAppRestrictCORSAccessMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityRemoveExternalAccountWithWritePermissionsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityRemoveExternalAccountWithReadPermissionsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityRemoveDeprecatedAccountMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"functionAppEnforceHttpsMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"ensurePythonVersionLatestForWebAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensurePythonVersionLatestForFunctionAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensurePHPVersionLatestForWebAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensurePythonVersionLatestForAPIAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"geoRedundantBackupShouldBeEnabledForAzureDatabaseForMySQLEffect\" : { \n \"value\" : \"Audit\"\n },\n \"systemUpdatesMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensureJavaVersionLatestForAPIAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensureHTTPVersionLatestForWebAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"apiAppRequireLatestTlsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityEnableMFAForWritePermissionsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensureHTTPVersionLatestForAPIAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensureJavaVersionLatestForFunctionAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"nextGenerationFirewallMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"useRbacRulesMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"webAppEnforceHttpsMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"sqlServerAuditingMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"vnetEnableDDoSProtectionMonitoringEffect\" : { \n \"value\" 
: \"AuditIfNotExists\"\n },\n \"identityEnableMFAForOwnerPermissionsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"sqlServerAdvancedDataSecurityMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"sqlManagedInstanceAdvancedDataSecurityMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"endpointProtectionMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"jitNetworkAccessMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"apiAppEnforceHttpsMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"geoRedundantStorageShouldBeEnabledForStorageAccountsEffect\" : { \n \"value\" : \"Audit\"\n },\n \"vmssSystemUpdatesMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"webAppDisableRemoteDebuggingMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"longtermGeoRedundantBackupEnabledAzureSQLDatabasesEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"systemConfigurationsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensureHTTPVersionLatestForFunctionAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityEnableMFAForReadPermissionsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"containerBenchmarkMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"apiAppDisableRemoteDebuggingMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"vulnerabilityAssessmentOnServerMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"webAppRequireLatestTlsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityRemoveExternalAccountWithOwnerPermissionsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"functionAppRequireLatestTlsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n 
\"kubernetesServiceVersionUpToDateMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"sqlDbVulnerabilityAssesmentMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"membersToIncludeInLocalAdministratorsGroup\" : { \n \"value\" : \"\"\n },\n \"membersToExcludeInLocalAdministratorsGroup\" : { \n \"value\" : \"\"\n },\n \"logAnalyticsWorkspaceIDForVMAgents\" : { \n \"value\" : \"\"\n },\n \"PHPLatestVersionForAppServices\" : { \n \"value\" : \"7.4\"\n },\n \"JavaLatestVersionForAppServices\" : { \n \"value\" : \"11\"\n },\n \"WindowsPythonLatestVersionForAppServices\" : { \n \"value\" : \"3.6\"\n },\n \"LinuxPythonLatestVersionForAppServices\" : { \n \"value\" : \"3.9\"\n },\n \"ensureDotNetFrameworkLatestForFunctionAppEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"sqlManagedInstanceAdvancedDataSecurityEmailsMonitoringEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"vulnerabilityAssessmentMonitoringEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"ensureDotNetFrameworkLatestForWebAppEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"sqlServerAdvancedDataSecurityEmailsMonitoringEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"microsoftIaaSAntimalwareExtensionShouldBeDeployedOnWindowsServersEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"securityCenterStandardPricingTierShouldBeSelectedEffect\" : { \n \"value\" : \"Audit\"\n },\n \"theLogAnalyticsAgentShouldBeInstalledOnVirtualMachinesEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"ensurePHPVersionLatestForFunctionAppEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"sqlManagedInstanceAdvancedDataSecurityEmailAdminsMonitoringEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"securityContactPhoneNumberShouldBeProvidedForSubscriptionEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"threatDetectionTypesOnManagedInstanceMonitoringEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"ensureDotNetFrameworkLatestForAPIAppEffect\" : { \n \"value\" : \"Disabled\"\n },\n 
\"sqlServerAdvancedDataSecurityEmailAdminsMonitoringEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"threatDetectionTypesOnServerMonitoringEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"theLogAnalyticsAgentShouldBeInstalledOnVirtualMachineScaleSetsEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n }\n}', '', extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))))), 'CMMC', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/b5629c75-5c77-4422-87b9-2509e680f8de', 'parameters', json(replace('{\n \"logAnalyticsWorkspaceId-f47b5582-33ec-4c5c-87c0-b010a6b2e917\" : { \n \"value\" : \"\"\n },\n \"effect-09024ccc-0c5f-475e-9457-b7c0d9ed487b\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"MembersToExclude-69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f\" :{\n \"value\": \"\"\n },\n \"MembersToInclude-30f71ea1-ac77-4f26-9fc5-2d926bbd4ba7\": {\n \"value\": \"\"\n },\n \"effect-0961003e-5a0a-4549-abde-af6a37f2724d\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-0b15565f-aa9e-48ba-8619-45960f2c314d\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-0e60b895-3786-45da-8377-9c6b4b6ac5f9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-17k78e20-9358-41c9-923c-fb736d382a12\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"PHPLatestVersion\" : { \n \"value\" : \"7.3\"\n },\n \"effect-22bee202-a82f-4305-9a2a-6d7f44d4dedb\" : { \n \"value\" : \"Audit\"\n },\n \"effect-26a828e1-e88f-464e-bbb3-c134a282b9de\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-34c877ad-507e-4c82-993e-3452a6e0ad3c\" : { \n \"value\" : \"Audit\"\n },\n \"effect-3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n 
\"effect-404c3081-a854-4457-ae30-26a93ef643f9\" : { \n \"value\" : \"Audit\"\n },\n \"effect-47a6b606-51aa-4496-8bb7-64b11cf66adc\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-496223c3-ad65-4ecd-878a-bae78737e9ed\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"JavaLatestVersion\" : { \n \"value\" : \"11\"\n },\n \"effect-4f11b553-d42e-4e3a-89be-32ca364cad4c\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-5c607a2e-c700-4744-8254-d77e7c9eb5e4\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-5f76cf89-fbf2-47fd-a3f4-b891fa780b60\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-6b1cbf55-e8b6-442f-ba4c-7246b6381474\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab\" : { \n \"value\" : \"Audit\"\n },\n \"effect-7008174a-fd10-4ef0-817e-fc820a951d73\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"LinuxPythonLatestVersion\" : { \n \"value\" : \"3.8\"\n },\n \"effect-7238174a-fd10-4ef0-817e-fc820a951d73\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-7261b898-8a84-4db8-9e04-18527132abb3\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-74c3584d-afae-46f7-a20a-6f8adba71a16\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-86b3d65f-7626-441e-b690-81a8b71cff60\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-88999f4c-376a-45c8-bcb3-4058f713cf39\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-8c122334-9d20-4eb8-89ea-ac9a705b74ae\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-9297c21d-2ed6-4474-b48f-163f75654ce3\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-991310cd-e9f3-47bc-b7b6-f57b557d07db\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-9b597639-28e4-48eb-b506-56b05d366257\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n 
\"effect-9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-9daedab3-fb2d-461e-b861-71790eead4f6\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-a4af4a39-4135-47fb-b175-47fbdf85311d\" : { \n \"value\" : \"Audit\"\n },\n \"effect-a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"setting-a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9\" : { \n \"value\" : \"enabled\"\n },\n \"effect-a70ca396-0a34-413a-88e1-b956c1e683be\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-aa633080-8b72-40c4-a2d7-d00c03e80bed\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-af6cd1bd-1635-48cb-bde7-5b15693900b9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"resourceGroupName-b6e2945c-0b7b-40f5-9233-7a5323b5cdc6\" : { \n \"value\" : \"NetworkWatcherRG\"\n },\n \"effect-b7ddfbdc-1260-477d-91fd-98bd9be789a6\" : { \n \"value\" : \"Audit\"\n },\n \"effect-c3f317a7-a95c-4547-b7e7-11017ebdf2fe\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-cb510bfd-1cba-4d9f-a230-cb0976f4bb71\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-e2c1c086-2d84-4019-bff3-c44ccd95113c\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-e3576e28-8b17-4677-84c3-db2990658d64\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-e8cbc669-f12d-49eb-93e7-9273119e9933\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-e9c8d085-d9cc-4b17-9cdc-059f1f01f19e\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-ebb62a0c-3560-49e1-89ed-27e074e9f8ad\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-efbde977-ba53-4479-b8e9-10b957924fbf\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n 
\"effect-f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-f6de0be7-9a8a-4b8a-b349-43cf02d22f7c\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-f8456c1c-aa66-4dfb-861a-25d127b775c9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-f9d614c5-c173-4d56-95a7-b4437057d193\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-fb893a29-21bb-418c-a157-e99480ec364c\" : { \n \"value\" : \"Audit\"\n },\n \"effect-feedbf84-6b99-488c-acc2-71c829aa5ffc\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-3b980d31-7904-4bb7-8575-5665739a8052\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-6e2593d9-add6-4083-9c9b-4b7d2188c899\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-12430be1-6cc8-4527-a9a8-e3d38f250096\" : { \n \"value\" : \"Audit\"\n },\n \"modeRequirement-12430be1-6cc8-4527-a9a8-e3d38f250096\" : { \n \"value\" : \"Detection\"\n },\n \"effect-425bea59-a659-4cbb-8d31-34499bd030b8\" : { \n \"value\" : \"Audit\"\n },\n \"modeRequirement-425bea59-a659-4cbb-8d31-34499bd030b8\" : { \n \"value\" : \"Detection\"\n },\n \"effect-564feb30-bf6a-4854-b4bb-0d2d2d1e6c66\" : { \n \"value\" : \"Audit\"\n },\n \"effect-055aa869-bc98-4af8-bafc-23f1ab6ffe2c\" : { \n \"value\" : \"Audit\"\n },\n \"effect-013e242c-8828-4970-87b3-ab247555486d\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-d38fc420-0735-4ef3-ac11-c806f651a570\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-a1181c5f-672a-477a-979a-7d58aa086233\" : { \n \"value\" : \"Audit\"\n },\n \"effect-308fbb08-4ab8-4e67-9b29-592e93fb94fa\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-4da35fc9-c9e7-4960-aec9-797fe7d9051d\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-523b5cd1-3e23-492f-a539-13118b6d1e3a\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-7fe3b40f-802b-4cdd-8bd4-fd799c948cc2\" : { \n \"value\" : 
\"AuditIfNotExists\"\n },\n \"effect-c25d9a16-bc35-4e15-a7e5-9db606bf9ed4\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-b0f33259-77d7-4c9e-aac6-3aabcfae693c\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-037eea7a-bd0a-46c5-9a66-03aea78705d3\" : { \n \"value\" : \"Audit\"\n },\n \"effect-0725b4dd-7e76-479c-a735-68e7ee23d5ca\" : { \n \"value\" : \"Audit\"\n },\n \"effect-0820b7b9-23aa-4725-a1ce-ae4558f718e5\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-2c89a2e5-7285-40fe-afe0-ae8654b92fab\" : { \n \"value\" : \"Audit\"\n },\n \"effect-358c20a6-3f9e-4f0e-97ff-c6ce485e2aac\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-5744710e-cc2f-4ee8-8809-3b11e89f4bc9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-ac4a19c2-fa67-49b4-8ae5-0b2e78c49457\" : { \n \"value\" : \"Audit\"\n },\n \"effect-c9d007d0-c057-4772-b18c-01e546713bcd\" : { \n \"value\" : \"Audit\"\n },\n \"effect-d0793b48-0edc-4296-a390-4c75d1bdfd71\" : { \n \"value\" : \"Audit\"\n },\n \"effect-e372f825-a257-4fb8-9175-797a8a8627d6\" : { \n \"value\" : \"Audit\"\n },\n \"effect-d158790f-bfb0-486c-8631-2dc6b4e8e6af\" : { \n \"value\" : \"Audit\"\n },\n \"effect-e802a67a-daf5-4436-9ea6-f6d821dd0c5d\" : { \n \"value\" : \"Audit\"\n },\n \"effect-a451c1ef-c6ca-483d-87ed-f49761e3ffb5\" : { \n \"value\" : \"Audit\"\n },\n \"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftSql-servers-firewallRules-delete\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftNetwork-networkSecurityGroups-delete\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftClassicNetwork-networkSecurityGroups-delete\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftNetwork-networkSecurityGroups-securityRules-delete\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n 
\"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftClassicNetwork-networkSecurityGroups-securityRules-delete\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-ae89ebca-1c92-4898-ac2c-9f63decb045c\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-d26f7642-7545-4e18-9b75-8c9bbdee3a9a\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-1a4e592a-6a6e-44a5-9814-e36264ca96e7\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-7796937f-307b-4598-941c-67d3a05ebfe7\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-c5447c04-a4d7-4ba8-a263-c9ee321a6858\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-41388f1c-2db0-4c25-95b2-35d7f5ccbfa9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-b02aacc0-b073-424e-8298-42b22829ee0a\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-0ec47710-77ff-4a3d-9181-6aa50af424d0\" : { \n \"value\" : \"Audit\"\n },\n \"effect-48af4db5-9b8b-401c-8e74-076be876a430\" : { \n \"value\" : \"Audit\"\n },\n \"effect-82339799-d096-41ae-8538-b108becf0970\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1b7aa243-30e4-4c9e-bca8-d0d3022b634a\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-bb91dfba-c30d-4263-9add-9c2384e659a6\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-e71308d3-144b-4262-b144-efdc3cc90517\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-2bdd0062-9d75-436e-89df-487dd8e4b3c7\" : { \n \"value\" : \"Disabled\"\n },\n \"effect-4733ea7b-a883-42fe-8cac-97454c2a9e4a\" : { \n \"value\" : \"Audit\"\n },\n \"effect-67121cc7-ff39-4ab8-b7e3-95b84dab487d\" : { \n \"value\" : \"Audit\"\n },\n \"effect-6fac406b-40ca-413b-bf8e-0bf964659c25\" : { \n \"value\" : \"Audit\"\n },\n \"effect-81e74cea-30fd-40d5-802f-d72103c2aaaa\" : { \n \"value\" : \"Audit\"\n },\n 
\"effect-c349d81b-9985-44ae-a8da-ff98d108ede8\" : { \n \"value\" : \"Audit\"\n },\n \"effect-f4b53539-8df9-40e4-86c6-6b607703bd4e\" : { \n \"value\" : \"Audit\"\n },\n \"effect-ec068d99-e9c7-401f-8cef-5bdde4e6ccf1\" : { \n \"value\" : \"Audit\"\n },\n \"effect-048248b0-55cd-46da-b1ff-39efd52db260\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-0d134df8-db83-46fb-ad72-fe0c9428c8dd\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-2c89a2e5-7285-40fe-afe0-ae8654b92fb2\" : { \n \"value\" : \"Audit\"\n },\n \"effect-3657f5a0-770e-44a3-b44e-9431ba1e9735\" : { \n \"value\" : \"Audit\"\n },\n \"effect-5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\" : { \n \"value\" : \"Audit\"\n },\n \"effect-617c02be-7f02-4efd-8836-3180d47b6c68\" : { \n \"value\" : \"Audit\"\n },\n \"effect-7d7be79c-23ba-4033-84dd-45e2a5ccdd67\" : { \n \"value\" : \"Audit\"\n },\n \"effect-87ba29ef-1ab3-4d82-b763-87fcd4f531f7\" : { \n \"value\" : \"audit\"\n },\n \"effect-f7d52b2d-e161-4dfa-a82b-55e564167385\" : { \n \"value\" : \"Audit\"\n },\n \"effect-c43e4a30-77cb-48ab-a4dd-93f175c63b57\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1f314764-cb73-4fc9-b863-8eca98ac36e9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-123a3936-f020-408a-ba0c-47873faf1534\" : { \n \"value\" : \"AuditIfNotExists\"\n }\n}\n', '', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName')), '2021-06-01').customerId))))[variables('modifiedAssignment')].parameters]"
+ },
+ "identity": {
+ "type": "SystemAssigned"
+ }
+ }
+ ]
+ }
+ },
+ "dependsOn": [
+ "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('nowUtc')))]",
+ "[subscriptionResourceId(parameters('operationsSubscriptionId'), 'Microsoft.Resources/deployments', format('deploy-operations-rg-{0}', parameters('nowUtc')))]"
+ ]
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "[format('assign-policy-operations-{0}', parameters('nowUtc'))]",
+ "subscriptionId": "[parameters('operationsSubscriptionId')]",
+ "resourceGroup": "[parameters('operationsResourceGroupName')]",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "builtInAssignment": {
+ "value": "[parameters('policy')]"
+ },
+ "logAnalyticsWorkspaceName": {
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('nowUtc'))), '2019-10-01').outputs.name.value]"
+ },
+ "logAnalyticsWorkspaceResourceGroupName": {
+ "value": "[reference(subscriptionResourceId(parameters('operationsSubscriptionId'), 'Microsoft.Resources/deployments', format('deploy-operations-rg-{0}', parameters('nowUtc'))), '2019-10-01').outputs.name.value]"
+ },
+ "operationsSubscriptionId": {
+ "value": "[parameters('operationsSubscriptionId')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.4.613.9944",
+ "templateHash": "3675806177489000536"
+ }
+ },
+ "parameters": {
+ "builtInAssignment": {
+ "type": "string",
+ "defaultValue": ""
+ },
+ "logAnalyticsWorkspaceName": {
+ "type": "string"
+ },
+ "logAnalyticsWorkspaceResourceGroupName": {
+ "type": "string"
+ },
+ "operationsSubscriptionId": {
+ "type": "string"
+ }
+ },
+ "functions": [],
+ "variables": {
+ "modifiedAssignment": "[if(and(equals(toLower(environment().name), toLower('AzureCloud')), equals(toLower(parameters('builtInAssignment')), toLower('IL5'))), 'NIST', parameters('builtInAssignment'))]",
+ "assignmentName": "[format('{0} {1}', variables('modifiedAssignment'), resourceGroup().name)]"
+ },
+ "resources": [
+ {
+ "condition": "[not(empty(variables('modifiedAssignment')))]",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2020-09-01",
+ "name": "[variables('assignmentName')]",
+ "location": "[resourceGroup().location]",
+ "properties": {
+ "policyDefinitionId": "[createObject('NIST', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f', 'parameters', json(replace(' {\n \"listOfMembersToExcludeFromWindowsVMAdministratorsGroup\": \n {\n \"value\": \"admin\"\n },\n \"listOfMembersToIncludeInWindowsVMAdministratorsGroup\": \n {\n \"value\": \"azureuser\"\n },\n \"logAnalyticsWorkspaceIdforVMReporting\": \n {\n \"value\": \"\"\n },\n \"IncludeArcMachines\": \n {\n \"value\": \"true\"\n },\n \"MinimumTLSVersion-5752e6d6-1206-46d8-8ab1-ecc2f71a8112\": \n {\n \"value\": \"1.2\"\n },\n \"NotAvailableMachineState-bed48b13-6647-468e-aa2f-1af1d3f4dd40\": \n {\n \"value\": \"Compliant\"\n },\n \"requiredRetentionDays\": \n {\n \"value\": \"365\"\n },\n \"resourceGroupName-b6e2945c-0b7b-40f5-9233-7a5323b5cdc6\": \n {\n \"value\": \"NetworkWatcherRG\"\n }\n }', '', extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))))), 'IL5', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/f9a961fa-3241-4b20-adc4-bbf8ad9d7197', 'parameters', json(replace('{\n \"IncludeArcMachines\" : { \n \"value\" : \"false\"\n },\n \"NotAvailableMachineState-bed48b13-6647-468e-aa2f-1af1d3f4dd40\" : { \n \"value\" : \"Compliant\"\n },\n \"MinimumTLSVersionForWindowsServers\" : { \n \"value\" : \"1.2\"\n },\n \"requiredRetentionDays\" : { \n \"value\" : \"365\"\n },\n \"effect-febd0533-8e55-448f-b837-bd0e06f16469\" : { \n \"value\" : \"audit\"\n },\n \"allowedContainerImagesRegex-febd0533-8e55-448f-b837-bd0e06f16469\" : { \n \"value\" : \"^(.+){0}$\"\n },\n \"effect-95edb821-ddaf-4404-9732-666045e056b4\" : { \n \"value\" : \"audit\"\n },\n \"effect-440b515e-a580-421e-abeb-b159a61ddcbc\" : { \n \"value\" : \"audit\"\n },\n 
\"effect-233a2a17-77ca-4fb1-9b6b-69223d272a44\" : { \n \"value\" : \"audit\"\n },\n \"effect-e345eecc-fa47-480f-9e88-67dcc122b164\" : { \n \"value\" : \"audit\"\n },\n \"cpuLimit-e345eecc-fa47-480f-9e88-67dcc122b164\" : { \n \"value\" : \"0\"\n },\n \"memoryLimit-e345eecc-fa47-480f-9e88-67dcc122b164\" : { \n \"value\" : \"0\"\n },\n \"effect-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \n \"value\" : \"audit\"\n },\n \"runAsUserRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \n \"value\" : \"MustRunAsNonRoot\"\n },\n \"runAsGroupRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \n \"value\" : \"RunAsAny\"\n },\n \"supplementalGroupsRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \n \"value\" : \"RunAsAny\"\n },\n \"fsGroupRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \n \"value\" : \"RunAsAny\"\n },\n \"effect-1c6e92c9-99f0-4e55-9cf2-0c234dc48f99\" : { \n \"value\" : \"audit\"\n },\n \"effect-47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8\" : { \n \"value\" : \"audit\"\n },\n \"effect-df49d893-a74c-421d-bc95-c663042e5b80\" : { \n \"value\" : \"audit\"\n },\n \"effect-1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\" : { \n \"value\" : \"audit\"\n },\n \"effect-c26596ff-4d70-4e6a-9a30-c2506bd2f80c\" : { \n \"value\" : \"audit\"\n },\n \"effect-511f5417-5d12-434d-ab2e-816901e72a5e\" : { \n \"value\" : \"audit\"\n },\n \"effect-82985f06-dc18-4a48-bc1c-b9f4f0098cfe\" : { \n \"value\" : \"audit\"\n },\n \"effect-098fc59e-46c7-4d99-9b16-64990e543d75\" : { \n \"value\" : \"audit\"\n },\n \"NetworkWatcherResourceGroupName\" : { \n \"value\" : \"NetworkWatcherRG\"\n },\n \"setting-a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9\" : { \n \"value\" : \"enabled\"\n },\n \"aadAuthenticationInServiceFabricMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"effect-71ef260a-8f18-47b7-abcb-62d0673d94dc\" : { \n \"value\" : \"Audit\"\n },\n \"effect-055aa869-bc98-4af8-bafc-23f1ab6ffe2c\" : { \n \"value\" : \"Audit\"\n },\n \"effect-564feb30-bf6a-4854-b4bb-0d2d2d1e6c66\" : { \n \"value\" : \"Audit\"\n },\n 
\"effect-862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb\" : { \n \"value\" : \"Audit\"\n },\n \"effect-d9da03a1-f3c3-412a-9709-947156872263\" : { \n \"value\" : \"Audit\"\n },\n \"effect-617c02be-7f02-4efd-8836-3180d47b6c68\" : { \n \"value\" : \"Audit\"\n },\n \"effect-0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d\" : { \n \"value\" : \"Audit\"\n },\n \"effect-ec068d99-e9c7-401f-8cef-5bdde4e6ccf1\" : { \n \"value\" : \"Audit\"\n },\n \"effect-c349d81b-9985-44ae-a8da-ff98d108ede8\" : { \n \"value\" : \"Audit\"\n },\n \"effect-3657f5a0-770e-44a3-b44e-9431ba1e9735\" : { \n \"value\" : \"Audit\"\n },\n \"effect-b4ac1030-89c5-4697-8e00-28b5ba6a8811\" : { \n \"value\" : \"audit\"\n },\n \"effect-ea0dfaed-95fb-448c-934e-d6e713ce393d\" : { \n \"value\" : \"audit\"\n },\n \"effect-4733ea7b-a883-42fe-8cac-97454c2a9e4a\" : { \n \"value\" : \"Audit\"\n },\n \"effect-f4b53539-8df9-40e4-86c6-6b607703bd4e\" : { \n \"value\" : \"Audit\"\n },\n \"effect-41425d9f-d1a5-499a-9932-f8ed8453932c\" : { \n \"value\" : \"Audit\"\n },\n \"effect-fc4d8e41-e223-45ea-9bf5-eada37891d87\" : { \n \"value\" : \"Audit\"\n },\n \"effect-86efb160-8de7-451d-bc08-5d475b0aadae\" : { \n \"value\" : \"Audit\"\n },\n \"effect-4ec52d6d-beb7-40c4-9a9e-fe753254690e\" : { \n \"value\" : \"Audit\"\n },\n \"effect-64d314f6-6062-4780-a861-c23e8951bee5\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1fd32ebd-e4c3-4e13-a54a-d7422d4d95f6\" : { \n \"value\" : \"Audit\"\n },\n \"effect-fa298e57-9444-42ba-bf04-86e8470e32c7\" : { \n \"value\" : \"audit\"\n },\n \"effect-67121cc7-ff39-4ab8-b7e3-95b84dab487d\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1f905d99-2ab7-462c-a6b0-f709acca6c8f\" : { \n \"value\" : \"audit\"\n },\n \"effect-5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\" : { \n \"value\" : \"Audit\"\n },\n \"effect-ba769a63-b8cc-4b2d-abf6-ac33c7204be8\" : { \n \"value\" : \"Audit\"\n },\n \"effect-81e74cea-30fd-40d5-802f-d72103c2aaaa\" : { \n \"value\" : 
\"Audit\"\n },\n \"effect-0aa61e00-0a01-4a3c-9945-e93cffedf0e6\" : { \n \"value\" : \"Audit\"\n },\n \"effect-47031206-ce96-41f8-861b-6a915f3de284\" : { \n \"value\" : \"Audit\"\n },\n \"effect-87ba29ef-1ab3-4d82-b763-87fcd4f531f7\" : { \n \"value\" : \"audit\"\n },\n \"effect-51522a96-0869-4791-82f3-981000c2c67f\" : { \n \"value\" : \"audit\"\n },\n \"effect-b5ec538c-daa0-4006-8596-35468b9148e8\" : { \n \"value\" : \"Audit\"\n },\n \"effect-56a5ee18-2ae6-4810-86f7-18e39ce5629b\" : { \n \"value\" : \"Audit\"\n },\n \"effect-2e94d99a-8a36-4563-bc77-810d8893b671\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1fafeaf6-7927-4059-a50a-8eb2a7a6f2b5\" : { \n \"value\" : \"Audit\"\n },\n \"effect-99e9ccd8-3db9-4592-b0d1-14b1715a4d8a\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1f68a601-6e6d-4e42-babf-3f643a047ea2\" : { \n \"value\" : \"audit\"\n },\n \"effect-f7d52b2d-e161-4dfa-a82b-55e564167385\" : { \n \"value\" : \"Audit\"\n },\n \"effect-7d7be79c-23ba-4033-84dd-45e2a5ccdd67\" : { \n \"value\" : \"Audit\"\n },\n \"effect-ca91455f-eace-4f96-be59-e6e2c35b4816\" : { \n \"value\" : \"Audit\"\n },\n \"effect-702dd420-7fcc-42c5-afe8-4026edd20fe0\" : { \n \"value\" : \"Audit\"\n },\n \"diagnosticsLogsInRedisCacheMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"secureTransferToStorageAccountMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"effect-d0793b48-0edc-4296-a390-4c75d1bdfd71\" : { \n \"value\" : \"Audit\"\n },\n \"effect-7d092e0a-7acd-40d2-a975-dca21cae48c4\" : { \n \"value\" : \"Audit\"\n },\n \"effect-2a1a9cdf-e04d-429a-8416-3bfb72a1b26f\" : { \n \"value\" : \"Audit\"\n },\n \"disableUnrestrictedNetworkToStorageAccountMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"effect-55615ac9-af46-4a59-874e-391cc3dfb490\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1b8ca024-1d5c-4dec-8995-b1a932b41780\" : { \n \"value\" : \"Audit\"\n },\n \"effect-037eea7a-bd0a-46c5-9a66-03aea78705d3\" : { \n \"value\" : \"Audit\"\n },\n 
\"effect-53503636-bcc9-4748-9663-5348217f160f\" : { \n \"value\" : \"Audit\"\n },\n \"effect-40cec1dd-a100-4920-b15b-3024fe8901ab\" : { \n \"value\" : \"Audit\"\n },\n \"effect-0725b4dd-7e76-479c-a735-68e7ee23d5ca\" : { \n \"value\" : \"Audit\"\n },\n \"effect-a049bf77-880b-470f-ba6d-9f21c530cf83\" : { \n \"value\" : \"Audit\"\n },\n \"effect-ee980b6d-0eca-4501-8d54-f6290fd512c3\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1d84d5fb-01f6-4d12-ba4f-4a26081d403d\" : { \n \"value\" : \"Audit\"\n },\n \"effect-37e0d2fe-28a5-43d6-a273-67d37d1f5606\" : { \n \"value\" : \"Audit\"\n },\n \"identityDesignateMoreThanOneOwnerMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"diskEncryptionMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"emailNotificationToSubscriptionOwnerHighSeverityAlertsEnabledEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"functionAppDisableRemoteDebuggingMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"sqlDbEncryptionMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"vulnerabilityAssessmentOnManagedInstanceMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensurePHPVersionLatestForAPIAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"aadAuthenticationInSqlServerMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"vmssEndpointProtectionMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"vmssOsVulnerabilitiesMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"adaptiveApplicationControlsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"geoRedundantBackupShouldBeEnabledForAzureDatabaseForPostgreSQLEffect\" : { \n \"value\" : \"Audit\"\n },\n \"ensureJavaVersionLatestForWebAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityDesignateLessThanOwnersMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"securityContactEmailAddressForSubscriptionEffect\" : { \n 
\"value\" : \"AuditIfNotExists\"\n },\n \"webAppRestrictCORSAccessMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityRemoveExternalAccountWithWritePermissionsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityRemoveExternalAccountWithReadPermissionsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityRemoveDeprecatedAccountMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"functionAppEnforceHttpsMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"ensurePythonVersionLatestForWebAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensurePythonVersionLatestForFunctionAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensurePHPVersionLatestForWebAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensurePythonVersionLatestForAPIAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"geoRedundantBackupShouldBeEnabledForAzureDatabaseForMySQLEffect\" : { \n \"value\" : \"Audit\"\n },\n \"systemUpdatesMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensureJavaVersionLatestForAPIAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensureHTTPVersionLatestForWebAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"apiAppRequireLatestTlsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityEnableMFAForWritePermissionsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensureHTTPVersionLatestForAPIAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensureJavaVersionLatestForFunctionAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"nextGenerationFirewallMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"useRbacRulesMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"webAppEnforceHttpsMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"sqlServerAuditingMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n 
\"vnetEnableDDoSProtectionMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityEnableMFAForOwnerPermissionsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"sqlServerAdvancedDataSecurityMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"sqlManagedInstanceAdvancedDataSecurityMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"endpointProtectionMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"jitNetworkAccessMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"apiAppEnforceHttpsMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"geoRedundantStorageShouldBeEnabledForStorageAccountsEffect\" : { \n \"value\" : \"Audit\"\n },\n \"vmssSystemUpdatesMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"webAppDisableRemoteDebuggingMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"longtermGeoRedundantBackupEnabledAzureSQLDatabasesEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"systemConfigurationsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensureHTTPVersionLatestForFunctionAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityEnableMFAForReadPermissionsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"containerBenchmarkMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"apiAppDisableRemoteDebuggingMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"vulnerabilityAssessmentOnServerMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"webAppRequireLatestTlsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityRemoveExternalAccountWithOwnerPermissionsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"functionAppRequireLatestTlsMonitoringEffect\" : { \n \"value\" : 
\"AuditIfNotExists\"\n },\n \"kubernetesServiceVersionUpToDateMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"sqlDbVulnerabilityAssesmentMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"membersToIncludeInLocalAdministratorsGroup\" : { \n \"value\" : \"\"\n },\n \"membersToExcludeInLocalAdministratorsGroup\" : { \n \"value\" : \"\"\n },\n \"logAnalyticsWorkspaceIDForVMAgents\" : { \n \"value\" : \"\"\n },\n \"PHPLatestVersionForAppServices\" : { \n \"value\" : \"7.4\"\n },\n \"JavaLatestVersionForAppServices\" : { \n \"value\" : \"11\"\n },\n \"WindowsPythonLatestVersionForAppServices\" : { \n \"value\" : \"3.6\"\n },\n \"LinuxPythonLatestVersionForAppServices\" : { \n \"value\" : \"3.9\"\n },\n \"ensureDotNetFrameworkLatestForFunctionAppEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"sqlManagedInstanceAdvancedDataSecurityEmailsMonitoringEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"vulnerabilityAssessmentMonitoringEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"ensureDotNetFrameworkLatestForWebAppEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"sqlServerAdvancedDataSecurityEmailsMonitoringEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"microsoftIaaSAntimalwareExtensionShouldBeDeployedOnWindowsServersEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"securityCenterStandardPricingTierShouldBeSelectedEffect\" : { \n \"value\" : \"Audit\"\n },\n \"theLogAnalyticsAgentShouldBeInstalledOnVirtualMachinesEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"ensurePHPVersionLatestForFunctionAppEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"sqlManagedInstanceAdvancedDataSecurityEmailAdminsMonitoringEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"securityContactPhoneNumberShouldBeProvidedForSubscriptionEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"threatDetectionTypesOnManagedInstanceMonitoringEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"ensureDotNetFrameworkLatestForAPIAppEffect\" : { \n \"value\" : \"Disabled\"\n },\n 
\"sqlServerAdvancedDataSecurityEmailAdminsMonitoringEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"threatDetectionTypesOnServerMonitoringEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"theLogAnalyticsAgentShouldBeInstalledOnVirtualMachineScaleSetsEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n }\n}', '', extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))))), 'CMMC', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/b5629c75-5c77-4422-87b9-2509e680f8de', 'parameters', json(replace('{\n \"logAnalyticsWorkspaceId-f47b5582-33ec-4c5c-87c0-b010a6b2e917\" : { \n \"value\" : \"\"\n },\n \"effect-09024ccc-0c5f-475e-9457-b7c0d9ed487b\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"MembersToExclude-69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f\" :{\n \"value\": \"\"\n },\n \"MembersToInclude-30f71ea1-ac77-4f26-9fc5-2d926bbd4ba7\": {\n \"value\": \"\"\n },\n \"effect-0961003e-5a0a-4549-abde-af6a37f2724d\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-0b15565f-aa9e-48ba-8619-45960f2c314d\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-0e60b895-3786-45da-8377-9c6b4b6ac5f9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-17k78e20-9358-41c9-923c-fb736d382a12\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"PHPLatestVersion\" : { \n \"value\" : \"7.3\"\n },\n \"effect-22bee202-a82f-4305-9a2a-6d7f44d4dedb\" : { \n \"value\" : \"Audit\"\n },\n \"effect-26a828e1-e88f-464e-bbb3-c134a282b9de\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-34c877ad-507e-4c82-993e-3452a6e0ad3c\" : { \n \"value\" : \"Audit\"\n },\n \"effect-3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n 
\"effect-404c3081-a854-4457-ae30-26a93ef643f9\" : { \n \"value\" : \"Audit\"\n },\n \"effect-47a6b606-51aa-4496-8bb7-64b11cf66adc\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-496223c3-ad65-4ecd-878a-bae78737e9ed\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"JavaLatestVersion\" : { \n \"value\" : \"11\"\n },\n \"effect-4f11b553-d42e-4e3a-89be-32ca364cad4c\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-5c607a2e-c700-4744-8254-d77e7c9eb5e4\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-5f76cf89-fbf2-47fd-a3f4-b891fa780b60\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-6b1cbf55-e8b6-442f-ba4c-7246b6381474\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab\" : { \n \"value\" : \"Audit\"\n },\n \"effect-7008174a-fd10-4ef0-817e-fc820a951d73\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"LinuxPythonLatestVersion\" : { \n \"value\" : \"3.8\"\n },\n \"effect-7238174a-fd10-4ef0-817e-fc820a951d73\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-7261b898-8a84-4db8-9e04-18527132abb3\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-74c3584d-afae-46f7-a20a-6f8adba71a16\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-86b3d65f-7626-441e-b690-81a8b71cff60\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-88999f4c-376a-45c8-bcb3-4058f713cf39\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-8c122334-9d20-4eb8-89ea-ac9a705b74ae\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-9297c21d-2ed6-4474-b48f-163f75654ce3\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-991310cd-e9f3-47bc-b7b6-f57b557d07db\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-9b597639-28e4-48eb-b506-56b05d366257\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n 
\"effect-9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-9daedab3-fb2d-461e-b861-71790eead4f6\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-a4af4a39-4135-47fb-b175-47fbdf85311d\" : { \n \"value\" : \"Audit\"\n },\n \"effect-a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"setting-a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9\" : { \n \"value\" : \"enabled\"\n },\n \"effect-a70ca396-0a34-413a-88e1-b956c1e683be\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-aa633080-8b72-40c4-a2d7-d00c03e80bed\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-af6cd1bd-1635-48cb-bde7-5b15693900b9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"resourceGroupName-b6e2945c-0b7b-40f5-9233-7a5323b5cdc6\" : { \n \"value\" : \"NetworkWatcherRG\"\n },\n \"effect-b7ddfbdc-1260-477d-91fd-98bd9be789a6\" : { \n \"value\" : \"Audit\"\n },\n \"effect-c3f317a7-a95c-4547-b7e7-11017ebdf2fe\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-cb510bfd-1cba-4d9f-a230-cb0976f4bb71\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-e2c1c086-2d84-4019-bff3-c44ccd95113c\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-e3576e28-8b17-4677-84c3-db2990658d64\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-e8cbc669-f12d-49eb-93e7-9273119e9933\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-e9c8d085-d9cc-4b17-9cdc-059f1f01f19e\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-ebb62a0c-3560-49e1-89ed-27e074e9f8ad\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-efbde977-ba53-4479-b8e9-10b957924fbf\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n 
\"effect-f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-f6de0be7-9a8a-4b8a-b349-43cf02d22f7c\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-f8456c1c-aa66-4dfb-861a-25d127b775c9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-f9d614c5-c173-4d56-95a7-b4437057d193\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-fb893a29-21bb-418c-a157-e99480ec364c\" : { \n \"value\" : \"Audit\"\n },\n \"effect-feedbf84-6b99-488c-acc2-71c829aa5ffc\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-3b980d31-7904-4bb7-8575-5665739a8052\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-6e2593d9-add6-4083-9c9b-4b7d2188c899\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-12430be1-6cc8-4527-a9a8-e3d38f250096\" : { \n \"value\" : \"Audit\"\n },\n \"modeRequirement-12430be1-6cc8-4527-a9a8-e3d38f250096\" : { \n \"value\" : \"Detection\"\n },\n \"effect-425bea59-a659-4cbb-8d31-34499bd030b8\" : { \n \"value\" : \"Audit\"\n },\n \"modeRequirement-425bea59-a659-4cbb-8d31-34499bd030b8\" : { \n \"value\" : \"Detection\"\n },\n \"effect-564feb30-bf6a-4854-b4bb-0d2d2d1e6c66\" : { \n \"value\" : \"Audit\"\n },\n \"effect-055aa869-bc98-4af8-bafc-23f1ab6ffe2c\" : { \n \"value\" : \"Audit\"\n },\n \"effect-013e242c-8828-4970-87b3-ab247555486d\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-d38fc420-0735-4ef3-ac11-c806f651a570\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-a1181c5f-672a-477a-979a-7d58aa086233\" : { \n \"value\" : \"Audit\"\n },\n \"effect-308fbb08-4ab8-4e67-9b29-592e93fb94fa\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-4da35fc9-c9e7-4960-aec9-797fe7d9051d\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-523b5cd1-3e23-492f-a539-13118b6d1e3a\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-7fe3b40f-802b-4cdd-8bd4-fd799c948cc2\" : { \n \"value\" : 
\"AuditIfNotExists\"\n },\n \"effect-c25d9a16-bc35-4e15-a7e5-9db606bf9ed4\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-b0f33259-77d7-4c9e-aac6-3aabcfae693c\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-037eea7a-bd0a-46c5-9a66-03aea78705d3\" : { \n \"value\" : \"Audit\"\n },\n \"effect-0725b4dd-7e76-479c-a735-68e7ee23d5ca\" : { \n \"value\" : \"Audit\"\n },\n \"effect-0820b7b9-23aa-4725-a1ce-ae4558f718e5\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-2c89a2e5-7285-40fe-afe0-ae8654b92fab\" : { \n \"value\" : \"Audit\"\n },\n \"effect-358c20a6-3f9e-4f0e-97ff-c6ce485e2aac\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-5744710e-cc2f-4ee8-8809-3b11e89f4bc9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-ac4a19c2-fa67-49b4-8ae5-0b2e78c49457\" : { \n \"value\" : \"Audit\"\n },\n \"effect-c9d007d0-c057-4772-b18c-01e546713bcd\" : { \n \"value\" : \"Audit\"\n },\n \"effect-d0793b48-0edc-4296-a390-4c75d1bdfd71\" : { \n \"value\" : \"Audit\"\n },\n \"effect-e372f825-a257-4fb8-9175-797a8a8627d6\" : { \n \"value\" : \"Audit\"\n },\n \"effect-d158790f-bfb0-486c-8631-2dc6b4e8e6af\" : { \n \"value\" : \"Audit\"\n },\n \"effect-e802a67a-daf5-4436-9ea6-f6d821dd0c5d\" : { \n \"value\" : \"Audit\"\n },\n \"effect-a451c1ef-c6ca-483d-87ed-f49761e3ffb5\" : { \n \"value\" : \"Audit\"\n },\n \"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftSql-servers-firewallRules-delete\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftNetwork-networkSecurityGroups-delete\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftClassicNetwork-networkSecurityGroups-delete\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftNetwork-networkSecurityGroups-securityRules-delete\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n 
\"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftClassicNetwork-networkSecurityGroups-securityRules-delete\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-ae89ebca-1c92-4898-ac2c-9f63decb045c\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-d26f7642-7545-4e18-9b75-8c9bbdee3a9a\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-1a4e592a-6a6e-44a5-9814-e36264ca96e7\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-7796937f-307b-4598-941c-67d3a05ebfe7\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-c5447c04-a4d7-4ba8-a263-c9ee321a6858\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-41388f1c-2db0-4c25-95b2-35d7f5ccbfa9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-b02aacc0-b073-424e-8298-42b22829ee0a\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-0ec47710-77ff-4a3d-9181-6aa50af424d0\" : { \n \"value\" : \"Audit\"\n },\n \"effect-48af4db5-9b8b-401c-8e74-076be876a430\" : { \n \"value\" : \"Audit\"\n },\n \"effect-82339799-d096-41ae-8538-b108becf0970\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1b7aa243-30e4-4c9e-bca8-d0d3022b634a\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-bb91dfba-c30d-4263-9add-9c2384e659a6\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-e71308d3-144b-4262-b144-efdc3cc90517\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-2bdd0062-9d75-436e-89df-487dd8e4b3c7\" : { \n \"value\" : \"Disabled\"\n },\n \"effect-4733ea7b-a883-42fe-8cac-97454c2a9e4a\" : { \n \"value\" : \"Audit\"\n },\n \"effect-67121cc7-ff39-4ab8-b7e3-95b84dab487d\" : { \n \"value\" : \"Audit\"\n },\n \"effect-6fac406b-40ca-413b-bf8e-0bf964659c25\" : { \n \"value\" : \"Audit\"\n },\n \"effect-81e74cea-30fd-40d5-802f-d72103c2aaaa\" : { \n \"value\" : \"Audit\"\n },\n 
\"effect-c349d81b-9985-44ae-a8da-ff98d108ede8\" : { \n \"value\" : \"Audit\"\n },\n \"effect-f4b53539-8df9-40e4-86c6-6b607703bd4e\" : { \n \"value\" : \"Audit\"\n },\n \"effect-ec068d99-e9c7-401f-8cef-5bdde4e6ccf1\" : { \n \"value\" : \"Audit\"\n },\n \"effect-048248b0-55cd-46da-b1ff-39efd52db260\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-0d134df8-db83-46fb-ad72-fe0c9428c8dd\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-2c89a2e5-7285-40fe-afe0-ae8654b92fb2\" : { \n \"value\" : \"Audit\"\n },\n \"effect-3657f5a0-770e-44a3-b44e-9431ba1e9735\" : { \n \"value\" : \"Audit\"\n },\n \"effect-5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\" : { \n \"value\" : \"Audit\"\n },\n \"effect-617c02be-7f02-4efd-8836-3180d47b6c68\" : { \n \"value\" : \"Audit\"\n },\n \"effect-7d7be79c-23ba-4033-84dd-45e2a5ccdd67\" : { \n \"value\" : \"Audit\"\n },\n \"effect-87ba29ef-1ab3-4d82-b763-87fcd4f531f7\" : { \n \"value\" : \"audit\"\n },\n \"effect-f7d52b2d-e161-4dfa-a82b-55e564167385\" : { \n \"value\" : \"Audit\"\n },\n \"effect-c43e4a30-77cb-48ab-a4dd-93f175c63b57\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1f314764-cb73-4fc9-b863-8eca98ac36e9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-123a3936-f020-408a-ba0c-47873faf1534\" : { \n \"value\" : \"AuditIfNotExists\"\n }\n}\n', '', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName')), '2021-06-01').customerId))))[variables('modifiedAssignment')].id]",
+ "parameters": "[createObject('NIST', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f', 'parameters', json(replace(' {\n \"listOfMembersToExcludeFromWindowsVMAdministratorsGroup\": \n {\n \"value\": \"admin\"\n },\n \"listOfMembersToIncludeInWindowsVMAdministratorsGroup\": \n {\n \"value\": \"azureuser\"\n },\n \"logAnalyticsWorkspaceIdforVMReporting\": \n {\n \"value\": \"\"\n },\n \"IncludeArcMachines\": \n {\n \"value\": \"true\"\n },\n \"MinimumTLSVersion-5752e6d6-1206-46d8-8ab1-ecc2f71a8112\": \n {\n \"value\": \"1.2\"\n },\n \"NotAvailableMachineState-bed48b13-6647-468e-aa2f-1af1d3f4dd40\": \n {\n \"value\": \"Compliant\"\n },\n \"requiredRetentionDays\": \n {\n \"value\": \"365\"\n },\n \"resourceGroupName-b6e2945c-0b7b-40f5-9233-7a5323b5cdc6\": \n {\n \"value\": \"NetworkWatcherRG\"\n }\n }', '', extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))))), 'IL5', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/f9a961fa-3241-4b20-adc4-bbf8ad9d7197', 'parameters', json(replace('{\n \"IncludeArcMachines\" : { \n \"value\" : \"false\"\n },\n \"NotAvailableMachineState-bed48b13-6647-468e-aa2f-1af1d3f4dd40\" : { \n \"value\" : \"Compliant\"\n },\n \"MinimumTLSVersionForWindowsServers\" : { \n \"value\" : \"1.2\"\n },\n \"requiredRetentionDays\" : { \n \"value\" : \"365\"\n },\n \"effect-febd0533-8e55-448f-b837-bd0e06f16469\" : { \n \"value\" : \"audit\"\n },\n \"allowedContainerImagesRegex-febd0533-8e55-448f-b837-bd0e06f16469\" : { \n \"value\" : \"^(.+){0}$\"\n },\n \"effect-95edb821-ddaf-4404-9732-666045e056b4\" : { \n \"value\" : \"audit\"\n },\n \"effect-440b515e-a580-421e-abeb-b159a61ddcbc\" : { \n \"value\" : \"audit\"\n },\n \"effect-233a2a17-77ca-4fb1-9b6b-69223d272a44\" : { 
\n \"value\" : \"audit\"\n },\n \"effect-e345eecc-fa47-480f-9e88-67dcc122b164\" : { \n \"value\" : \"audit\"\n },\n \"cpuLimit-e345eecc-fa47-480f-9e88-67dcc122b164\" : { \n \"value\" : \"0\"\n },\n \"memoryLimit-e345eecc-fa47-480f-9e88-67dcc122b164\" : { \n \"value\" : \"0\"\n },\n \"effect-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \n \"value\" : \"audit\"\n },\n \"runAsUserRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \n \"value\" : \"MustRunAsNonRoot\"\n },\n \"runAsGroupRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \n \"value\" : \"RunAsAny\"\n },\n \"supplementalGroupsRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \n \"value\" : \"RunAsAny\"\n },\n \"fsGroupRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \n \"value\" : \"RunAsAny\"\n },\n \"effect-1c6e92c9-99f0-4e55-9cf2-0c234dc48f99\" : { \n \"value\" : \"audit\"\n },\n \"effect-47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8\" : { \n \"value\" : \"audit\"\n },\n \"effect-df49d893-a74c-421d-bc95-c663042e5b80\" : { \n \"value\" : \"audit\"\n },\n \"effect-1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\" : { \n \"value\" : \"audit\"\n },\n \"effect-c26596ff-4d70-4e6a-9a30-c2506bd2f80c\" : { \n \"value\" : \"audit\"\n },\n \"effect-511f5417-5d12-434d-ab2e-816901e72a5e\" : { \n \"value\" : \"audit\"\n },\n \"effect-82985f06-dc18-4a48-bc1c-b9f4f0098cfe\" : { \n \"value\" : \"audit\"\n },\n \"effect-098fc59e-46c7-4d99-9b16-64990e543d75\" : { \n \"value\" : \"audit\"\n },\n \"NetworkWatcherResourceGroupName\" : { \n \"value\" : \"NetworkWatcherRG\"\n },\n \"setting-a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9\" : { \n \"value\" : \"enabled\"\n },\n \"aadAuthenticationInServiceFabricMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"effect-71ef260a-8f18-47b7-abcb-62d0673d94dc\" : { \n \"value\" : \"Audit\"\n },\n \"effect-055aa869-bc98-4af8-bafc-23f1ab6ffe2c\" : { \n \"value\" : \"Audit\"\n },\n \"effect-564feb30-bf6a-4854-b4bb-0d2d2d1e6c66\" : { \n \"value\" : \"Audit\"\n },\n \"effect-862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb\" : { \n 
\"value\" : \"Audit\"\n },\n \"effect-d9da03a1-f3c3-412a-9709-947156872263\" : { \n \"value\" : \"Audit\"\n },\n \"effect-617c02be-7f02-4efd-8836-3180d47b6c68\" : { \n \"value\" : \"Audit\"\n },\n \"effect-0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d\" : { \n \"value\" : \"Audit\"\n },\n \"effect-ec068d99-e9c7-401f-8cef-5bdde4e6ccf1\" : { \n \"value\" : \"Audit\"\n },\n \"effect-c349d81b-9985-44ae-a8da-ff98d108ede8\" : { \n \"value\" : \"Audit\"\n },\n \"effect-3657f5a0-770e-44a3-b44e-9431ba1e9735\" : { \n \"value\" : \"Audit\"\n },\n \"effect-b4ac1030-89c5-4697-8e00-28b5ba6a8811\" : { \n \"value\" : \"audit\"\n },\n \"effect-ea0dfaed-95fb-448c-934e-d6e713ce393d\" : { \n \"value\" : \"audit\"\n },\n \"effect-4733ea7b-a883-42fe-8cac-97454c2a9e4a\" : { \n \"value\" : \"Audit\"\n },\n \"effect-f4b53539-8df9-40e4-86c6-6b607703bd4e\" : { \n \"value\" : \"Audit\"\n },\n \"effect-41425d9f-d1a5-499a-9932-f8ed8453932c\" : { \n \"value\" : \"Audit\"\n },\n \"effect-fc4d8e41-e223-45ea-9bf5-eada37891d87\" : { \n \"value\" : \"Audit\"\n },\n \"effect-86efb160-8de7-451d-bc08-5d475b0aadae\" : { \n \"value\" : \"Audit\"\n },\n \"effect-4ec52d6d-beb7-40c4-9a9e-fe753254690e\" : { \n \"value\" : \"Audit\"\n },\n \"effect-64d314f6-6062-4780-a861-c23e8951bee5\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1fd32ebd-e4c3-4e13-a54a-d7422d4d95f6\" : { \n \"value\" : \"Audit\"\n },\n \"effect-fa298e57-9444-42ba-bf04-86e8470e32c7\" : { \n \"value\" : \"audit\"\n },\n \"effect-67121cc7-ff39-4ab8-b7e3-95b84dab487d\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1f905d99-2ab7-462c-a6b0-f709acca6c8f\" : { \n \"value\" : \"audit\"\n },\n \"effect-5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\" : { \n \"value\" : \"Audit\"\n },\n \"effect-ba769a63-b8cc-4b2d-abf6-ac33c7204be8\" : { \n \"value\" : \"Audit\"\n },\n \"effect-81e74cea-30fd-40d5-802f-d72103c2aaaa\" : { \n \"value\" : \"Audit\"\n },\n 
\"effect-0aa61e00-0a01-4a3c-9945-e93cffedf0e6\" : { \n \"value\" : \"Audit\"\n },\n \"effect-47031206-ce96-41f8-861b-6a915f3de284\" : { \n \"value\" : \"Audit\"\n },\n \"effect-87ba29ef-1ab3-4d82-b763-87fcd4f531f7\" : { \n \"value\" : \"audit\"\n },\n \"effect-51522a96-0869-4791-82f3-981000c2c67f\" : { \n \"value\" : \"audit\"\n },\n \"effect-b5ec538c-daa0-4006-8596-35468b9148e8\" : { \n \"value\" : \"Audit\"\n },\n \"effect-56a5ee18-2ae6-4810-86f7-18e39ce5629b\" : { \n \"value\" : \"Audit\"\n },\n \"effect-2e94d99a-8a36-4563-bc77-810d8893b671\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1fafeaf6-7927-4059-a50a-8eb2a7a6f2b5\" : { \n \"value\" : \"Audit\"\n },\n \"effect-99e9ccd8-3db9-4592-b0d1-14b1715a4d8a\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1f68a601-6e6d-4e42-babf-3f643a047ea2\" : { \n \"value\" : \"audit\"\n },\n \"effect-f7d52b2d-e161-4dfa-a82b-55e564167385\" : { \n \"value\" : \"Audit\"\n },\n \"effect-7d7be79c-23ba-4033-84dd-45e2a5ccdd67\" : { \n \"value\" : \"Audit\"\n },\n \"effect-ca91455f-eace-4f96-be59-e6e2c35b4816\" : { \n \"value\" : \"Audit\"\n },\n \"effect-702dd420-7fcc-42c5-afe8-4026edd20fe0\" : { \n \"value\" : \"Audit\"\n },\n \"diagnosticsLogsInRedisCacheMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"secureTransferToStorageAccountMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"effect-d0793b48-0edc-4296-a390-4c75d1bdfd71\" : { \n \"value\" : \"Audit\"\n },\n \"effect-7d092e0a-7acd-40d2-a975-dca21cae48c4\" : { \n \"value\" : \"Audit\"\n },\n \"effect-2a1a9cdf-e04d-429a-8416-3bfb72a1b26f\" : { \n \"value\" : \"Audit\"\n },\n \"disableUnrestrictedNetworkToStorageAccountMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"effect-55615ac9-af46-4a59-874e-391cc3dfb490\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1b8ca024-1d5c-4dec-8995-b1a932b41780\" : { \n \"value\" : \"Audit\"\n },\n \"effect-037eea7a-bd0a-46c5-9a66-03aea78705d3\" : { \n \"value\" : \"Audit\"\n },\n \"effect-53503636-bcc9-4748-9663-5348217f160f\" : 
{ \n \"value\" : \"Audit\"\n },\n \"effect-40cec1dd-a100-4920-b15b-3024fe8901ab\" : { \n \"value\" : \"Audit\"\n },\n \"effect-0725b4dd-7e76-479c-a735-68e7ee23d5ca\" : { \n \"value\" : \"Audit\"\n },\n \"effect-a049bf77-880b-470f-ba6d-9f21c530cf83\" : { \n \"value\" : \"Audit\"\n },\n \"effect-ee980b6d-0eca-4501-8d54-f6290fd512c3\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1d84d5fb-01f6-4d12-ba4f-4a26081d403d\" : { \n \"value\" : \"Audit\"\n },\n \"effect-37e0d2fe-28a5-43d6-a273-67d37d1f5606\" : { \n \"value\" : \"Audit\"\n },\n \"identityDesignateMoreThanOneOwnerMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"diskEncryptionMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"emailNotificationToSubscriptionOwnerHighSeverityAlertsEnabledEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"functionAppDisableRemoteDebuggingMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"sqlDbEncryptionMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"vulnerabilityAssessmentOnManagedInstanceMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensurePHPVersionLatestForAPIAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"aadAuthenticationInSqlServerMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"vmssEndpointProtectionMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"vmssOsVulnerabilitiesMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"adaptiveApplicationControlsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"geoRedundantBackupShouldBeEnabledForAzureDatabaseForPostgreSQLEffect\" : { \n \"value\" : \"Audit\"\n },\n \"ensureJavaVersionLatestForWebAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityDesignateLessThanOwnersMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"securityContactEmailAddressForSubscriptionEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n 
\"webAppRestrictCORSAccessMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityRemoveExternalAccountWithWritePermissionsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityRemoveExternalAccountWithReadPermissionsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityRemoveDeprecatedAccountMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"functionAppEnforceHttpsMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"ensurePythonVersionLatestForWebAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensurePythonVersionLatestForFunctionAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensurePHPVersionLatestForWebAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensurePythonVersionLatestForAPIAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"geoRedundantBackupShouldBeEnabledForAzureDatabaseForMySQLEffect\" : { \n \"value\" : \"Audit\"\n },\n \"systemUpdatesMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensureJavaVersionLatestForAPIAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensureHTTPVersionLatestForWebAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"apiAppRequireLatestTlsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityEnableMFAForWritePermissionsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensureHTTPVersionLatestForAPIAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensureJavaVersionLatestForFunctionAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"nextGenerationFirewallMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"useRbacRulesMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"webAppEnforceHttpsMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"sqlServerAuditingMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"vnetEnableDDoSProtectionMonitoringEffect\" : { \n \"value\" 
: \"AuditIfNotExists\"\n },\n \"identityEnableMFAForOwnerPermissionsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"sqlServerAdvancedDataSecurityMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"sqlManagedInstanceAdvancedDataSecurityMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"endpointProtectionMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"jitNetworkAccessMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"apiAppEnforceHttpsMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"geoRedundantStorageShouldBeEnabledForStorageAccountsEffect\" : { \n \"value\" : \"Audit\"\n },\n \"vmssSystemUpdatesMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"webAppDisableRemoteDebuggingMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"longtermGeoRedundantBackupEnabledAzureSQLDatabasesEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"systemConfigurationsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensureHTTPVersionLatestForFunctionAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityEnableMFAForReadPermissionsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"containerBenchmarkMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"apiAppDisableRemoteDebuggingMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"vulnerabilityAssessmentOnServerMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"webAppRequireLatestTlsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityRemoveExternalAccountWithOwnerPermissionsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"functionAppRequireLatestTlsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n 
\"kubernetesServiceVersionUpToDateMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"sqlDbVulnerabilityAssesmentMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"membersToIncludeInLocalAdministratorsGroup\" : { \n \"value\" : \"\"\n },\n \"membersToExcludeInLocalAdministratorsGroup\" : { \n \"value\" : \"\"\n },\n \"logAnalyticsWorkspaceIDForVMAgents\" : { \n \"value\" : \"\"\n },\n \"PHPLatestVersionForAppServices\" : { \n \"value\" : \"7.4\"\n },\n \"JavaLatestVersionForAppServices\" : { \n \"value\" : \"11\"\n },\n \"WindowsPythonLatestVersionForAppServices\" : { \n \"value\" : \"3.6\"\n },\n \"LinuxPythonLatestVersionForAppServices\" : { \n \"value\" : \"3.9\"\n },\n \"ensureDotNetFrameworkLatestForFunctionAppEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"sqlManagedInstanceAdvancedDataSecurityEmailsMonitoringEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"vulnerabilityAssessmentMonitoringEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"ensureDotNetFrameworkLatestForWebAppEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"sqlServerAdvancedDataSecurityEmailsMonitoringEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"microsoftIaaSAntimalwareExtensionShouldBeDeployedOnWindowsServersEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"securityCenterStandardPricingTierShouldBeSelectedEffect\" : { \n \"value\" : \"Audit\"\n },\n \"theLogAnalyticsAgentShouldBeInstalledOnVirtualMachinesEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"ensurePHPVersionLatestForFunctionAppEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"sqlManagedInstanceAdvancedDataSecurityEmailAdminsMonitoringEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"securityContactPhoneNumberShouldBeProvidedForSubscriptionEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"threatDetectionTypesOnManagedInstanceMonitoringEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"ensureDotNetFrameworkLatestForAPIAppEffect\" : { \n \"value\" : \"Disabled\"\n },\n 
\"sqlServerAdvancedDataSecurityEmailAdminsMonitoringEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"threatDetectionTypesOnServerMonitoringEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"theLogAnalyticsAgentShouldBeInstalledOnVirtualMachineScaleSetsEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n }\n}', '', extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))))), 'CMMC', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/b5629c75-5c77-4422-87b9-2509e680f8de', 'parameters', json(replace('{\n \"logAnalyticsWorkspaceId-f47b5582-33ec-4c5c-87c0-b010a6b2e917\" : { \n \"value\" : \"\"\n },\n \"effect-09024ccc-0c5f-475e-9457-b7c0d9ed487b\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"MembersToExclude-69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f\" :{\n \"value\": \"\"\n },\n \"MembersToInclude-30f71ea1-ac77-4f26-9fc5-2d926bbd4ba7\": {\n \"value\": \"\"\n },\n \"effect-0961003e-5a0a-4549-abde-af6a37f2724d\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-0b15565f-aa9e-48ba-8619-45960f2c314d\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-0e60b895-3786-45da-8377-9c6b4b6ac5f9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-17k78e20-9358-41c9-923c-fb736d382a12\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"PHPLatestVersion\" : { \n \"value\" : \"7.3\"\n },\n \"effect-22bee202-a82f-4305-9a2a-6d7f44d4dedb\" : { \n \"value\" : \"Audit\"\n },\n \"effect-26a828e1-e88f-464e-bbb3-c134a282b9de\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-34c877ad-507e-4c82-993e-3452a6e0ad3c\" : { \n \"value\" : \"Audit\"\n },\n \"effect-3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n 
\"effect-404c3081-a854-4457-ae30-26a93ef643f9\" : { \n \"value\" : \"Audit\"\n },\n \"effect-47a6b606-51aa-4496-8bb7-64b11cf66adc\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-496223c3-ad65-4ecd-878a-bae78737e9ed\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"JavaLatestVersion\" : { \n \"value\" : \"11\"\n },\n \"effect-4f11b553-d42e-4e3a-89be-32ca364cad4c\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-5c607a2e-c700-4744-8254-d77e7c9eb5e4\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-5f76cf89-fbf2-47fd-a3f4-b891fa780b60\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-6b1cbf55-e8b6-442f-ba4c-7246b6381474\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab\" : { \n \"value\" : \"Audit\"\n },\n \"effect-7008174a-fd10-4ef0-817e-fc820a951d73\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"LinuxPythonLatestVersion\" : { \n \"value\" : \"3.8\"\n },\n \"effect-7238174a-fd10-4ef0-817e-fc820a951d73\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-7261b898-8a84-4db8-9e04-18527132abb3\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-74c3584d-afae-46f7-a20a-6f8adba71a16\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-86b3d65f-7626-441e-b690-81a8b71cff60\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-88999f4c-376a-45c8-bcb3-4058f713cf39\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-8c122334-9d20-4eb8-89ea-ac9a705b74ae\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-9297c21d-2ed6-4474-b48f-163f75654ce3\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-991310cd-e9f3-47bc-b7b6-f57b557d07db\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-9b597639-28e4-48eb-b506-56b05d366257\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n 
\"effect-9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-9daedab3-fb2d-461e-b861-71790eead4f6\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-a4af4a39-4135-47fb-b175-47fbdf85311d\" : { \n \"value\" : \"Audit\"\n },\n \"effect-a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"setting-a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9\" : { \n \"value\" : \"enabled\"\n },\n \"effect-a70ca396-0a34-413a-88e1-b956c1e683be\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-aa633080-8b72-40c4-a2d7-d00c03e80bed\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-af6cd1bd-1635-48cb-bde7-5b15693900b9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"resourceGroupName-b6e2945c-0b7b-40f5-9233-7a5323b5cdc6\" : { \n \"value\" : \"NetworkWatcherRG\"\n },\n \"effect-b7ddfbdc-1260-477d-91fd-98bd9be789a6\" : { \n \"value\" : \"Audit\"\n },\n \"effect-c3f317a7-a95c-4547-b7e7-11017ebdf2fe\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-cb510bfd-1cba-4d9f-a230-cb0976f4bb71\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-e2c1c086-2d84-4019-bff3-c44ccd95113c\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-e3576e28-8b17-4677-84c3-db2990658d64\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-e8cbc669-f12d-49eb-93e7-9273119e9933\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-e9c8d085-d9cc-4b17-9cdc-059f1f01f19e\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-ebb62a0c-3560-49e1-89ed-27e074e9f8ad\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-efbde977-ba53-4479-b8e9-10b957924fbf\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n 
\"effect-f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-f6de0be7-9a8a-4b8a-b349-43cf02d22f7c\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-f8456c1c-aa66-4dfb-861a-25d127b775c9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-f9d614c5-c173-4d56-95a7-b4437057d193\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-fb893a29-21bb-418c-a157-e99480ec364c\" : { \n \"value\" : \"Audit\"\n },\n \"effect-feedbf84-6b99-488c-acc2-71c829aa5ffc\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-3b980d31-7904-4bb7-8575-5665739a8052\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-6e2593d9-add6-4083-9c9b-4b7d2188c899\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-12430be1-6cc8-4527-a9a8-e3d38f250096\" : { \n \"value\" : \"Audit\"\n },\n \"modeRequirement-12430be1-6cc8-4527-a9a8-e3d38f250096\" : { \n \"value\" : \"Detection\"\n },\n \"effect-425bea59-a659-4cbb-8d31-34499bd030b8\" : { \n \"value\" : \"Audit\"\n },\n \"modeRequirement-425bea59-a659-4cbb-8d31-34499bd030b8\" : { \n \"value\" : \"Detection\"\n },\n \"effect-564feb30-bf6a-4854-b4bb-0d2d2d1e6c66\" : { \n \"value\" : \"Audit\"\n },\n \"effect-055aa869-bc98-4af8-bafc-23f1ab6ffe2c\" : { \n \"value\" : \"Audit\"\n },\n \"effect-013e242c-8828-4970-87b3-ab247555486d\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-d38fc420-0735-4ef3-ac11-c806f651a570\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-a1181c5f-672a-477a-979a-7d58aa086233\" : { \n \"value\" : \"Audit\"\n },\n \"effect-308fbb08-4ab8-4e67-9b29-592e93fb94fa\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-4da35fc9-c9e7-4960-aec9-797fe7d9051d\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-523b5cd1-3e23-492f-a539-13118b6d1e3a\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-7fe3b40f-802b-4cdd-8bd4-fd799c948cc2\" : { \n \"value\" : 
\"AuditIfNotExists\"\n },\n \"effect-c25d9a16-bc35-4e15-a7e5-9db606bf9ed4\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-b0f33259-77d7-4c9e-aac6-3aabcfae693c\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-037eea7a-bd0a-46c5-9a66-03aea78705d3\" : { \n \"value\" : \"Audit\"\n },\n \"effect-0725b4dd-7e76-479c-a735-68e7ee23d5ca\" : { \n \"value\" : \"Audit\"\n },\n \"effect-0820b7b9-23aa-4725-a1ce-ae4558f718e5\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-2c89a2e5-7285-40fe-afe0-ae8654b92fab\" : { \n \"value\" : \"Audit\"\n },\n \"effect-358c20a6-3f9e-4f0e-97ff-c6ce485e2aac\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-5744710e-cc2f-4ee8-8809-3b11e89f4bc9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-ac4a19c2-fa67-49b4-8ae5-0b2e78c49457\" : { \n \"value\" : \"Audit\"\n },\n \"effect-c9d007d0-c057-4772-b18c-01e546713bcd\" : { \n \"value\" : \"Audit\"\n },\n \"effect-d0793b48-0edc-4296-a390-4c75d1bdfd71\" : { \n \"value\" : \"Audit\"\n },\n \"effect-e372f825-a257-4fb8-9175-797a8a8627d6\" : { \n \"value\" : \"Audit\"\n },\n \"effect-d158790f-bfb0-486c-8631-2dc6b4e8e6af\" : { \n \"value\" : \"Audit\"\n },\n \"effect-e802a67a-daf5-4436-9ea6-f6d821dd0c5d\" : { \n \"value\" : \"Audit\"\n },\n \"effect-a451c1ef-c6ca-483d-87ed-f49761e3ffb5\" : { \n \"value\" : \"Audit\"\n },\n \"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftSql-servers-firewallRules-delete\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftNetwork-networkSecurityGroups-delete\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftClassicNetwork-networkSecurityGroups-delete\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftNetwork-networkSecurityGroups-securityRules-delete\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n 
\"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftClassicNetwork-networkSecurityGroups-securityRules-delete\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-ae89ebca-1c92-4898-ac2c-9f63decb045c\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-d26f7642-7545-4e18-9b75-8c9bbdee3a9a\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-1a4e592a-6a6e-44a5-9814-e36264ca96e7\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-7796937f-307b-4598-941c-67d3a05ebfe7\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-c5447c04-a4d7-4ba8-a263-c9ee321a6858\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-41388f1c-2db0-4c25-95b2-35d7f5ccbfa9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-b02aacc0-b073-424e-8298-42b22829ee0a\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-0ec47710-77ff-4a3d-9181-6aa50af424d0\" : { \n \"value\" : \"Audit\"\n },\n \"effect-48af4db5-9b8b-401c-8e74-076be876a430\" : { \n \"value\" : \"Audit\"\n },\n \"effect-82339799-d096-41ae-8538-b108becf0970\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1b7aa243-30e4-4c9e-bca8-d0d3022b634a\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-bb91dfba-c30d-4263-9add-9c2384e659a6\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-e71308d3-144b-4262-b144-efdc3cc90517\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-2bdd0062-9d75-436e-89df-487dd8e4b3c7\" : { \n \"value\" : \"Disabled\"\n },\n \"effect-4733ea7b-a883-42fe-8cac-97454c2a9e4a\" : { \n \"value\" : \"Audit\"\n },\n \"effect-67121cc7-ff39-4ab8-b7e3-95b84dab487d\" : { \n \"value\" : \"Audit\"\n },\n \"effect-6fac406b-40ca-413b-bf8e-0bf964659c25\" : { \n \"value\" : \"Audit\"\n },\n \"effect-81e74cea-30fd-40d5-802f-d72103c2aaaa\" : { \n \"value\" : \"Audit\"\n },\n 
\"effect-c349d81b-9985-44ae-a8da-ff98d108ede8\" : { \n \"value\" : \"Audit\"\n },\n \"effect-f4b53539-8df9-40e4-86c6-6b607703bd4e\" : { \n \"value\" : \"Audit\"\n },\n \"effect-ec068d99-e9c7-401f-8cef-5bdde4e6ccf1\" : { \n \"value\" : \"Audit\"\n },\n \"effect-048248b0-55cd-46da-b1ff-39efd52db260\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-0d134df8-db83-46fb-ad72-fe0c9428c8dd\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-2c89a2e5-7285-40fe-afe0-ae8654b92fb2\" : { \n \"value\" : \"Audit\"\n },\n \"effect-3657f5a0-770e-44a3-b44e-9431ba1e9735\" : { \n \"value\" : \"Audit\"\n },\n \"effect-5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\" : { \n \"value\" : \"Audit\"\n },\n \"effect-617c02be-7f02-4efd-8836-3180d47b6c68\" : { \n \"value\" : \"Audit\"\n },\n \"effect-7d7be79c-23ba-4033-84dd-45e2a5ccdd67\" : { \n \"value\" : \"Audit\"\n },\n \"effect-87ba29ef-1ab3-4d82-b763-87fcd4f531f7\" : { \n \"value\" : \"audit\"\n },\n \"effect-f7d52b2d-e161-4dfa-a82b-55e564167385\" : { \n \"value\" : \"Audit\"\n },\n \"effect-c43e4a30-77cb-48ab-a4dd-93f175c63b57\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1f314764-cb73-4fc9-b863-8eca98ac36e9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-123a3936-f020-408a-ba0c-47873faf1534\" : { \n \"value\" : \"AuditIfNotExists\"\n }\n}\n', '', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName')), '2021-06-01').customerId))))[variables('modifiedAssignment')].parameters]"
+ },
+ "identity": {
+ "type": "SystemAssigned"
+ }
+ }
+ ]
+ }
+ },
+ "dependsOn": [
+ "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('nowUtc')))]",
+ "[subscriptionResourceId(parameters('operationsSubscriptionId'), 'Microsoft.Resources/deployments', format('deploy-operations-rg-{0}', parameters('nowUtc')))]"
+ ]
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "[format('assign-policy-sharedServices-{0}', parameters('nowUtc'))]",
+ "subscriptionId": "[parameters('sharedServicesSubscriptionId')]",
+ "resourceGroup": "[parameters('sharedServicesResourceGroupName')]",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "builtInAssignment": {
+ "value": "[parameters('policy')]"
+ },
+ "logAnalyticsWorkspaceName": {
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('nowUtc'))), '2019-10-01').outputs.name.value]"
+ },
+ "logAnalyticsWorkspaceResourceGroupName": {
+ "value": "[reference(subscriptionResourceId(parameters('operationsSubscriptionId'), 'Microsoft.Resources/deployments', format('deploy-operations-rg-{0}', parameters('nowUtc'))), '2019-10-01').outputs.name.value]"
+ },
+ "operationsSubscriptionId": {
+ "value": "[parameters('operationsSubscriptionId')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.4.613.9944",
+ "templateHash": "3675806177489000536"
+ }
+ },
+ "parameters": {
+ "builtInAssignment": {
+ "type": "string",
+ "defaultValue": ""
+ },
+ "logAnalyticsWorkspaceName": {
+ "type": "string"
+ },
+ "logAnalyticsWorkspaceResourceGroupName": {
+ "type": "string"
+ },
+ "operationsSubscriptionId": {
+ "type": "string"
+ }
+ },
+ "functions": [],
+ "variables": {
+ "modifiedAssignment": "[if(and(equals(toLower(environment().name), toLower('AzureCloud')), equals(toLower(parameters('builtInAssignment')), toLower('IL5'))), 'NIST', parameters('builtInAssignment'))]",
+ "assignmentName": "[format('{0} {1}', variables('modifiedAssignment'), resourceGroup().name)]"
+ },
+ "resources": [
+ {
+ "condition": "[not(empty(variables('modifiedAssignment')))]",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2020-09-01",
+ "name": "[variables('assignmentName')]",
+ "location": "[resourceGroup().location]",
+ "properties": {
+ "policyDefinitionId": "[createObject('NIST', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f', 'parameters', json(replace(' {\n \"listOfMembersToExcludeFromWindowsVMAdministratorsGroup\": \n {\n \"value\": \"admin\"\n },\n \"listOfMembersToIncludeInWindowsVMAdministratorsGroup\": \n {\n \"value\": \"azureuser\"\n },\n \"logAnalyticsWorkspaceIdforVMReporting\": \n {\n \"value\": \"\"\n },\n \"IncludeArcMachines\": \n {\n \"value\": \"true\"\n },\n \"MinimumTLSVersion-5752e6d6-1206-46d8-8ab1-ecc2f71a8112\": \n {\n \"value\": \"1.2\"\n },\n \"NotAvailableMachineState-bed48b13-6647-468e-aa2f-1af1d3f4dd40\": \n {\n \"value\": \"Compliant\"\n },\n \"requiredRetentionDays\": \n {\n \"value\": \"365\"\n },\n \"resourceGroupName-b6e2945c-0b7b-40f5-9233-7a5323b5cdc6\": \n {\n \"value\": \"NetworkWatcherRG\"\n }\n }', '', extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))))), 'IL5', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/f9a961fa-3241-4b20-adc4-bbf8ad9d7197', 'parameters', json(replace('{\n \"IncludeArcMachines\" : { \n \"value\" : \"false\"\n },\n \"NotAvailableMachineState-bed48b13-6647-468e-aa2f-1af1d3f4dd40\" : { \n \"value\" : \"Compliant\"\n },\n \"MinimumTLSVersionForWindowsServers\" : { \n \"value\" : \"1.2\"\n },\n \"requiredRetentionDays\" : { \n \"value\" : \"365\"\n },\n \"effect-febd0533-8e55-448f-b837-bd0e06f16469\" : { \n \"value\" : \"audit\"\n },\n \"allowedContainerImagesRegex-febd0533-8e55-448f-b837-bd0e06f16469\" : { \n \"value\" : \"^(.+){0}$\"\n },\n \"effect-95edb821-ddaf-4404-9732-666045e056b4\" : { \n \"value\" : \"audit\"\n },\n \"effect-440b515e-a580-421e-abeb-b159a61ddcbc\" : { \n \"value\" : \"audit\"\n },\n 
\"effect-233a2a17-77ca-4fb1-9b6b-69223d272a44\" : { \n \"value\" : \"audit\"\n },\n \"effect-e345eecc-fa47-480f-9e88-67dcc122b164\" : { \n \"value\" : \"audit\"\n },\n \"cpuLimit-e345eecc-fa47-480f-9e88-67dcc122b164\" : { \n \"value\" : \"0\"\n },\n \"memoryLimit-e345eecc-fa47-480f-9e88-67dcc122b164\" : { \n \"value\" : \"0\"\n },\n \"effect-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \n \"value\" : \"audit\"\n },\n \"runAsUserRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \n \"value\" : \"MustRunAsNonRoot\"\n },\n \"runAsGroupRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \n \"value\" : \"RunAsAny\"\n },\n \"supplementalGroupsRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \n \"value\" : \"RunAsAny\"\n },\n \"fsGroupRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \n \"value\" : \"RunAsAny\"\n },\n \"effect-1c6e92c9-99f0-4e55-9cf2-0c234dc48f99\" : { \n \"value\" : \"audit\"\n },\n \"effect-47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8\" : { \n \"value\" : \"audit\"\n },\n \"effect-df49d893-a74c-421d-bc95-c663042e5b80\" : { \n \"value\" : \"audit\"\n },\n \"effect-1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\" : { \n \"value\" : \"audit\"\n },\n \"effect-c26596ff-4d70-4e6a-9a30-c2506bd2f80c\" : { \n \"value\" : \"audit\"\n },\n \"effect-511f5417-5d12-434d-ab2e-816901e72a5e\" : { \n \"value\" : \"audit\"\n },\n \"effect-82985f06-dc18-4a48-bc1c-b9f4f0098cfe\" : { \n \"value\" : \"audit\"\n },\n \"effect-098fc59e-46c7-4d99-9b16-64990e543d75\" : { \n \"value\" : \"audit\"\n },\n \"NetworkWatcherResourceGroupName\" : { \n \"value\" : \"NetworkWatcherRG\"\n },\n \"setting-a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9\" : { \n \"value\" : \"enabled\"\n },\n \"aadAuthenticationInServiceFabricMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"effect-71ef260a-8f18-47b7-abcb-62d0673d94dc\" : { \n \"value\" : \"Audit\"\n },\n \"effect-055aa869-bc98-4af8-bafc-23f1ab6ffe2c\" : { \n \"value\" : \"Audit\"\n },\n \"effect-564feb30-bf6a-4854-b4bb-0d2d2d1e6c66\" : { \n \"value\" : \"Audit\"\n },\n 
\"effect-862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb\" : { \n \"value\" : \"Audit\"\n },\n \"effect-d9da03a1-f3c3-412a-9709-947156872263\" : { \n \"value\" : \"Audit\"\n },\n \"effect-617c02be-7f02-4efd-8836-3180d47b6c68\" : { \n \"value\" : \"Audit\"\n },\n \"effect-0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d\" : { \n \"value\" : \"Audit\"\n },\n \"effect-ec068d99-e9c7-401f-8cef-5bdde4e6ccf1\" : { \n \"value\" : \"Audit\"\n },\n \"effect-c349d81b-9985-44ae-a8da-ff98d108ede8\" : { \n \"value\" : \"Audit\"\n },\n \"effect-3657f5a0-770e-44a3-b44e-9431ba1e9735\" : { \n \"value\" : \"Audit\"\n },\n \"effect-b4ac1030-89c5-4697-8e00-28b5ba6a8811\" : { \n \"value\" : \"audit\"\n },\n \"effect-ea0dfaed-95fb-448c-934e-d6e713ce393d\" : { \n \"value\" : \"audit\"\n },\n \"effect-4733ea7b-a883-42fe-8cac-97454c2a9e4a\" : { \n \"value\" : \"Audit\"\n },\n \"effect-f4b53539-8df9-40e4-86c6-6b607703bd4e\" : { \n \"value\" : \"Audit\"\n },\n \"effect-41425d9f-d1a5-499a-9932-f8ed8453932c\" : { \n \"value\" : \"Audit\"\n },\n \"effect-fc4d8e41-e223-45ea-9bf5-eada37891d87\" : { \n \"value\" : \"Audit\"\n },\n \"effect-86efb160-8de7-451d-bc08-5d475b0aadae\" : { \n \"value\" : \"Audit\"\n },\n \"effect-4ec52d6d-beb7-40c4-9a9e-fe753254690e\" : { \n \"value\" : \"Audit\"\n },\n \"effect-64d314f6-6062-4780-a861-c23e8951bee5\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1fd32ebd-e4c3-4e13-a54a-d7422d4d95f6\" : { \n \"value\" : \"Audit\"\n },\n \"effect-fa298e57-9444-42ba-bf04-86e8470e32c7\" : { \n \"value\" : \"audit\"\n },\n \"effect-67121cc7-ff39-4ab8-b7e3-95b84dab487d\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1f905d99-2ab7-462c-a6b0-f709acca6c8f\" : { \n \"value\" : \"audit\"\n },\n \"effect-5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\" : { \n \"value\" : \"Audit\"\n },\n \"effect-ba769a63-b8cc-4b2d-abf6-ac33c7204be8\" : { \n \"value\" : \"Audit\"\n },\n \"effect-81e74cea-30fd-40d5-802f-d72103c2aaaa\" : { \n \"value\" : 
\"Audit\"\n },\n \"effect-0aa61e00-0a01-4a3c-9945-e93cffedf0e6\" : { \n \"value\" : \"Audit\"\n },\n \"effect-47031206-ce96-41f8-861b-6a915f3de284\" : { \n \"value\" : \"Audit\"\n },\n \"effect-87ba29ef-1ab3-4d82-b763-87fcd4f531f7\" : { \n \"value\" : \"audit\"\n },\n \"effect-51522a96-0869-4791-82f3-981000c2c67f\" : { \n \"value\" : \"audit\"\n },\n \"effect-b5ec538c-daa0-4006-8596-35468b9148e8\" : { \n \"value\" : \"Audit\"\n },\n \"effect-56a5ee18-2ae6-4810-86f7-18e39ce5629b\" : { \n \"value\" : \"Audit\"\n },\n \"effect-2e94d99a-8a36-4563-bc77-810d8893b671\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1fafeaf6-7927-4059-a50a-8eb2a7a6f2b5\" : { \n \"value\" : \"Audit\"\n },\n \"effect-99e9ccd8-3db9-4592-b0d1-14b1715a4d8a\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1f68a601-6e6d-4e42-babf-3f643a047ea2\" : { \n \"value\" : \"audit\"\n },\n \"effect-f7d52b2d-e161-4dfa-a82b-55e564167385\" : { \n \"value\" : \"Audit\"\n },\n \"effect-7d7be79c-23ba-4033-84dd-45e2a5ccdd67\" : { \n \"value\" : \"Audit\"\n },\n \"effect-ca91455f-eace-4f96-be59-e6e2c35b4816\" : { \n \"value\" : \"Audit\"\n },\n \"effect-702dd420-7fcc-42c5-afe8-4026edd20fe0\" : { \n \"value\" : \"Audit\"\n },\n \"diagnosticsLogsInRedisCacheMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"secureTransferToStorageAccountMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"effect-d0793b48-0edc-4296-a390-4c75d1bdfd71\" : { \n \"value\" : \"Audit\"\n },\n \"effect-7d092e0a-7acd-40d2-a975-dca21cae48c4\" : { \n \"value\" : \"Audit\"\n },\n \"effect-2a1a9cdf-e04d-429a-8416-3bfb72a1b26f\" : { \n \"value\" : \"Audit\"\n },\n \"disableUnrestrictedNetworkToStorageAccountMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"effect-55615ac9-af46-4a59-874e-391cc3dfb490\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1b8ca024-1d5c-4dec-8995-b1a932b41780\" : { \n \"value\" : \"Audit\"\n },\n \"effect-037eea7a-bd0a-46c5-9a66-03aea78705d3\" : { \n \"value\" : \"Audit\"\n },\n 
\"effect-53503636-bcc9-4748-9663-5348217f160f\" : { \n \"value\" : \"Audit\"\n },\n \"effect-40cec1dd-a100-4920-b15b-3024fe8901ab\" : { \n \"value\" : \"Audit\"\n },\n \"effect-0725b4dd-7e76-479c-a735-68e7ee23d5ca\" : { \n \"value\" : \"Audit\"\n },\n \"effect-a049bf77-880b-470f-ba6d-9f21c530cf83\" : { \n \"value\" : \"Audit\"\n },\n \"effect-ee980b6d-0eca-4501-8d54-f6290fd512c3\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1d84d5fb-01f6-4d12-ba4f-4a26081d403d\" : { \n \"value\" : \"Audit\"\n },\n \"effect-37e0d2fe-28a5-43d6-a273-67d37d1f5606\" : { \n \"value\" : \"Audit\"\n },\n \"identityDesignateMoreThanOneOwnerMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"diskEncryptionMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"emailNotificationToSubscriptionOwnerHighSeverityAlertsEnabledEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"functionAppDisableRemoteDebuggingMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"sqlDbEncryptionMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"vulnerabilityAssessmentOnManagedInstanceMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensurePHPVersionLatestForAPIAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"aadAuthenticationInSqlServerMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"vmssEndpointProtectionMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"vmssOsVulnerabilitiesMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"adaptiveApplicationControlsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"geoRedundantBackupShouldBeEnabledForAzureDatabaseForPostgreSQLEffect\" : { \n \"value\" : \"Audit\"\n },\n \"ensureJavaVersionLatestForWebAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityDesignateLessThanOwnersMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"securityContactEmailAddressForSubscriptionEffect\" : { \n 
\"value\" : \"AuditIfNotExists\"\n },\n \"webAppRestrictCORSAccessMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityRemoveExternalAccountWithWritePermissionsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityRemoveExternalAccountWithReadPermissionsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityRemoveDeprecatedAccountMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"functionAppEnforceHttpsMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"ensurePythonVersionLatestForWebAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensurePythonVersionLatestForFunctionAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensurePHPVersionLatestForWebAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensurePythonVersionLatestForAPIAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"geoRedundantBackupShouldBeEnabledForAzureDatabaseForMySQLEffect\" : { \n \"value\" : \"Audit\"\n },\n \"systemUpdatesMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensureJavaVersionLatestForAPIAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensureHTTPVersionLatestForWebAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"apiAppRequireLatestTlsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityEnableMFAForWritePermissionsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensureHTTPVersionLatestForAPIAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensureJavaVersionLatestForFunctionAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"nextGenerationFirewallMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"useRbacRulesMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"webAppEnforceHttpsMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"sqlServerAuditingMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n 
\"vnetEnableDDoSProtectionMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityEnableMFAForOwnerPermissionsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"sqlServerAdvancedDataSecurityMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"sqlManagedInstanceAdvancedDataSecurityMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"endpointProtectionMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"jitNetworkAccessMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"apiAppEnforceHttpsMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"geoRedundantStorageShouldBeEnabledForStorageAccountsEffect\" : { \n \"value\" : \"Audit\"\n },\n \"vmssSystemUpdatesMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"webAppDisableRemoteDebuggingMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"longtermGeoRedundantBackupEnabledAzureSQLDatabasesEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"systemConfigurationsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensureHTTPVersionLatestForFunctionAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityEnableMFAForReadPermissionsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"containerBenchmarkMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"apiAppDisableRemoteDebuggingMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"vulnerabilityAssessmentOnServerMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"webAppRequireLatestTlsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityRemoveExternalAccountWithOwnerPermissionsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"functionAppRequireLatestTlsMonitoringEffect\" : { \n \"value\" : 
\"AuditIfNotExists\"\n },\n \"kubernetesServiceVersionUpToDateMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"sqlDbVulnerabilityAssesmentMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"membersToIncludeInLocalAdministratorsGroup\" : { \n \"value\" : \"\"\n },\n \"membersToExcludeInLocalAdministratorsGroup\" : { \n \"value\" : \"\"\n },\n \"logAnalyticsWorkspaceIDForVMAgents\" : { \n \"value\" : \"\"\n },\n \"PHPLatestVersionForAppServices\" : { \n \"value\" : \"7.4\"\n },\n \"JavaLatestVersionForAppServices\" : { \n \"value\" : \"11\"\n },\n \"WindowsPythonLatestVersionForAppServices\" : { \n \"value\" : \"3.6\"\n },\n \"LinuxPythonLatestVersionForAppServices\" : { \n \"value\" : \"3.9\"\n },\n \"ensureDotNetFrameworkLatestForFunctionAppEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"sqlManagedInstanceAdvancedDataSecurityEmailsMonitoringEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"vulnerabilityAssessmentMonitoringEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"ensureDotNetFrameworkLatestForWebAppEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"sqlServerAdvancedDataSecurityEmailsMonitoringEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"microsoftIaaSAntimalwareExtensionShouldBeDeployedOnWindowsServersEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"securityCenterStandardPricingTierShouldBeSelectedEffect\" : { \n \"value\" : \"Audit\"\n },\n \"theLogAnalyticsAgentShouldBeInstalledOnVirtualMachinesEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"ensurePHPVersionLatestForFunctionAppEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"sqlManagedInstanceAdvancedDataSecurityEmailAdminsMonitoringEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"securityContactPhoneNumberShouldBeProvidedForSubscriptionEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"threatDetectionTypesOnManagedInstanceMonitoringEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"ensureDotNetFrameworkLatestForAPIAppEffect\" : { \n \"value\" : \"Disabled\"\n },\n 
\"sqlServerAdvancedDataSecurityEmailAdminsMonitoringEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"threatDetectionTypesOnServerMonitoringEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"theLogAnalyticsAgentShouldBeInstalledOnVirtualMachineScaleSetsEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n }\n}', '', extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))))), 'CMMC', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/b5629c75-5c77-4422-87b9-2509e680f8de', 'parameters', json(replace('{\n \"logAnalyticsWorkspaceId-f47b5582-33ec-4c5c-87c0-b010a6b2e917\" : { \n \"value\" : \"\"\n },\n \"effect-09024ccc-0c5f-475e-9457-b7c0d9ed487b\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"MembersToExclude-69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f\" :{\n \"value\": \"\"\n },\n \"MembersToInclude-30f71ea1-ac77-4f26-9fc5-2d926bbd4ba7\": {\n \"value\": \"\"\n },\n \"effect-0961003e-5a0a-4549-abde-af6a37f2724d\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-0b15565f-aa9e-48ba-8619-45960f2c314d\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-0e60b895-3786-45da-8377-9c6b4b6ac5f9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-17k78e20-9358-41c9-923c-fb736d382a12\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"PHPLatestVersion\" : { \n \"value\" : \"7.3\"\n },\n \"effect-22bee202-a82f-4305-9a2a-6d7f44d4dedb\" : { \n \"value\" : \"Audit\"\n },\n \"effect-26a828e1-e88f-464e-bbb3-c134a282b9de\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-34c877ad-507e-4c82-993e-3452a6e0ad3c\" : { \n \"value\" : \"Audit\"\n },\n \"effect-3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n 
\"effect-404c3081-a854-4457-ae30-26a93ef643f9\" : { \n \"value\" : \"Audit\"\n },\n \"effect-47a6b606-51aa-4496-8bb7-64b11cf66adc\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-496223c3-ad65-4ecd-878a-bae78737e9ed\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"JavaLatestVersion\" : { \n \"value\" : \"11\"\n },\n \"effect-4f11b553-d42e-4e3a-89be-32ca364cad4c\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-5c607a2e-c700-4744-8254-d77e7c9eb5e4\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-5f76cf89-fbf2-47fd-a3f4-b891fa780b60\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-6b1cbf55-e8b6-442f-ba4c-7246b6381474\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab\" : { \n \"value\" : \"Audit\"\n },\n \"effect-7008174a-fd10-4ef0-817e-fc820a951d73\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"LinuxPythonLatestVersion\" : { \n \"value\" : \"3.8\"\n },\n \"effect-7238174a-fd10-4ef0-817e-fc820a951d73\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-7261b898-8a84-4db8-9e04-18527132abb3\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-74c3584d-afae-46f7-a20a-6f8adba71a16\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-86b3d65f-7626-441e-b690-81a8b71cff60\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-88999f4c-376a-45c8-bcb3-4058f713cf39\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-8c122334-9d20-4eb8-89ea-ac9a705b74ae\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-9297c21d-2ed6-4474-b48f-163f75654ce3\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-991310cd-e9f3-47bc-b7b6-f57b557d07db\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-9b597639-28e4-48eb-b506-56b05d366257\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n 
\"effect-9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-9daedab3-fb2d-461e-b861-71790eead4f6\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-a4af4a39-4135-47fb-b175-47fbdf85311d\" : { \n \"value\" : \"Audit\"\n },\n \"effect-a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"setting-a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9\" : { \n \"value\" : \"enabled\"\n },\n \"effect-a70ca396-0a34-413a-88e1-b956c1e683be\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-aa633080-8b72-40c4-a2d7-d00c03e80bed\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-af6cd1bd-1635-48cb-bde7-5b15693900b9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"resourceGroupName-b6e2945c-0b7b-40f5-9233-7a5323b5cdc6\" : { \n \"value\" : \"NetworkWatcherRG\"\n },\n \"effect-b7ddfbdc-1260-477d-91fd-98bd9be789a6\" : { \n \"value\" : \"Audit\"\n },\n \"effect-c3f317a7-a95c-4547-b7e7-11017ebdf2fe\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-cb510bfd-1cba-4d9f-a230-cb0976f4bb71\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-e2c1c086-2d84-4019-bff3-c44ccd95113c\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-e3576e28-8b17-4677-84c3-db2990658d64\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-e8cbc669-f12d-49eb-93e7-9273119e9933\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-e9c8d085-d9cc-4b17-9cdc-059f1f01f19e\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-ebb62a0c-3560-49e1-89ed-27e074e9f8ad\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-efbde977-ba53-4479-b8e9-10b957924fbf\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n 
\"effect-f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-f6de0be7-9a8a-4b8a-b349-43cf02d22f7c\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-f8456c1c-aa66-4dfb-861a-25d127b775c9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-f9d614c5-c173-4d56-95a7-b4437057d193\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-fb893a29-21bb-418c-a157-e99480ec364c\" : { \n \"value\" : \"Audit\"\n },\n \"effect-feedbf84-6b99-488c-acc2-71c829aa5ffc\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-3b980d31-7904-4bb7-8575-5665739a8052\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-6e2593d9-add6-4083-9c9b-4b7d2188c899\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-12430be1-6cc8-4527-a9a8-e3d38f250096\" : { \n \"value\" : \"Audit\"\n },\n \"modeRequirement-12430be1-6cc8-4527-a9a8-e3d38f250096\" : { \n \"value\" : \"Detection\"\n },\n \"effect-425bea59-a659-4cbb-8d31-34499bd030b8\" : { \n \"value\" : \"Audit\"\n },\n \"modeRequirement-425bea59-a659-4cbb-8d31-34499bd030b8\" : { \n \"value\" : \"Detection\"\n },\n \"effect-564feb30-bf6a-4854-b4bb-0d2d2d1e6c66\" : { \n \"value\" : \"Audit\"\n },\n \"effect-055aa869-bc98-4af8-bafc-23f1ab6ffe2c\" : { \n \"value\" : \"Audit\"\n },\n \"effect-013e242c-8828-4970-87b3-ab247555486d\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-d38fc420-0735-4ef3-ac11-c806f651a570\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-a1181c5f-672a-477a-979a-7d58aa086233\" : { \n \"value\" : \"Audit\"\n },\n \"effect-308fbb08-4ab8-4e67-9b29-592e93fb94fa\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-4da35fc9-c9e7-4960-aec9-797fe7d9051d\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-523b5cd1-3e23-492f-a539-13118b6d1e3a\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-7fe3b40f-802b-4cdd-8bd4-fd799c948cc2\" : { \n \"value\" : 
\"AuditIfNotExists\"\n },\n \"effect-c25d9a16-bc35-4e15-a7e5-9db606bf9ed4\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-b0f33259-77d7-4c9e-aac6-3aabcfae693c\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-037eea7a-bd0a-46c5-9a66-03aea78705d3\" : { \n \"value\" : \"Audit\"\n },\n \"effect-0725b4dd-7e76-479c-a735-68e7ee23d5ca\" : { \n \"value\" : \"Audit\"\n },\n \"effect-0820b7b9-23aa-4725-a1ce-ae4558f718e5\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-2c89a2e5-7285-40fe-afe0-ae8654b92fab\" : { \n \"value\" : \"Audit\"\n },\n \"effect-358c20a6-3f9e-4f0e-97ff-c6ce485e2aac\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-5744710e-cc2f-4ee8-8809-3b11e89f4bc9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-ac4a19c2-fa67-49b4-8ae5-0b2e78c49457\" : { \n \"value\" : \"Audit\"\n },\n \"effect-c9d007d0-c057-4772-b18c-01e546713bcd\" : { \n \"value\" : \"Audit\"\n },\n \"effect-d0793b48-0edc-4296-a390-4c75d1bdfd71\" : { \n \"value\" : \"Audit\"\n },\n \"effect-e372f825-a257-4fb8-9175-797a8a8627d6\" : { \n \"value\" : \"Audit\"\n },\n \"effect-d158790f-bfb0-486c-8631-2dc6b4e8e6af\" : { \n \"value\" : \"Audit\"\n },\n \"effect-e802a67a-daf5-4436-9ea6-f6d821dd0c5d\" : { \n \"value\" : \"Audit\"\n },\n \"effect-a451c1ef-c6ca-483d-87ed-f49761e3ffb5\" : { \n \"value\" : \"Audit\"\n },\n \"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftSql-servers-firewallRules-delete\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftNetwork-networkSecurityGroups-delete\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftClassicNetwork-networkSecurityGroups-delete\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftNetwork-networkSecurityGroups-securityRules-delete\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n 
\"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftClassicNetwork-networkSecurityGroups-securityRules-delete\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-ae89ebca-1c92-4898-ac2c-9f63decb045c\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-d26f7642-7545-4e18-9b75-8c9bbdee3a9a\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-1a4e592a-6a6e-44a5-9814-e36264ca96e7\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-7796937f-307b-4598-941c-67d3a05ebfe7\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-c5447c04-a4d7-4ba8-a263-c9ee321a6858\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-41388f1c-2db0-4c25-95b2-35d7f5ccbfa9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-b02aacc0-b073-424e-8298-42b22829ee0a\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-0ec47710-77ff-4a3d-9181-6aa50af424d0\" : { \n \"value\" : \"Audit\"\n },\n \"effect-48af4db5-9b8b-401c-8e74-076be876a430\" : { \n \"value\" : \"Audit\"\n },\n \"effect-82339799-d096-41ae-8538-b108becf0970\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1b7aa243-30e4-4c9e-bca8-d0d3022b634a\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-bb91dfba-c30d-4263-9add-9c2384e659a6\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-e71308d3-144b-4262-b144-efdc3cc90517\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-2bdd0062-9d75-436e-89df-487dd8e4b3c7\" : { \n \"value\" : \"Disabled\"\n },\n \"effect-4733ea7b-a883-42fe-8cac-97454c2a9e4a\" : { \n \"value\" : \"Audit\"\n },\n \"effect-67121cc7-ff39-4ab8-b7e3-95b84dab487d\" : { \n \"value\" : \"Audit\"\n },\n \"effect-6fac406b-40ca-413b-bf8e-0bf964659c25\" : { \n \"value\" : \"Audit\"\n },\n \"effect-81e74cea-30fd-40d5-802f-d72103c2aaaa\" : { \n \"value\" : \"Audit\"\n },\n 
\"effect-c349d81b-9985-44ae-a8da-ff98d108ede8\" : { \n \"value\" : \"Audit\"\n },\n \"effect-f4b53539-8df9-40e4-86c6-6b607703bd4e\" : { \n \"value\" : \"Audit\"\n },\n \"effect-ec068d99-e9c7-401f-8cef-5bdde4e6ccf1\" : { \n \"value\" : \"Audit\"\n },\n \"effect-048248b0-55cd-46da-b1ff-39efd52db260\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-0d134df8-db83-46fb-ad72-fe0c9428c8dd\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-2c89a2e5-7285-40fe-afe0-ae8654b92fb2\" : { \n \"value\" : \"Audit\"\n },\n \"effect-3657f5a0-770e-44a3-b44e-9431ba1e9735\" : { \n \"value\" : \"Audit\"\n },\n \"effect-5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\" : { \n \"value\" : \"Audit\"\n },\n \"effect-617c02be-7f02-4efd-8836-3180d47b6c68\" : { \n \"value\" : \"Audit\"\n },\n \"effect-7d7be79c-23ba-4033-84dd-45e2a5ccdd67\" : { \n \"value\" : \"Audit\"\n },\n \"effect-87ba29ef-1ab3-4d82-b763-87fcd4f531f7\" : { \n \"value\" : \"audit\"\n },\n \"effect-f7d52b2d-e161-4dfa-a82b-55e564167385\" : { \n \"value\" : \"Audit\"\n },\n \"effect-c43e4a30-77cb-48ab-a4dd-93f175c63b57\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1f314764-cb73-4fc9-b863-8eca98ac36e9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-123a3936-f020-408a-ba0c-47873faf1534\" : { \n \"value\" : \"AuditIfNotExists\"\n }\n}\n', '', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName')), '2021-06-01').customerId))))[variables('modifiedAssignment')].id]",
+ "parameters": "[createObject('NIST', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f', 'parameters', json(replace(' {\n \"listOfMembersToExcludeFromWindowsVMAdministratorsGroup\": \n {\n \"value\": \"admin\"\n },\n \"listOfMembersToIncludeInWindowsVMAdministratorsGroup\": \n {\n \"value\": \"azureuser\"\n },\n \"logAnalyticsWorkspaceIdforVMReporting\": \n {\n \"value\": \"\"\n },\n \"IncludeArcMachines\": \n {\n \"value\": \"true\"\n },\n \"MinimumTLSVersion-5752e6d6-1206-46d8-8ab1-ecc2f71a8112\": \n {\n \"value\": \"1.2\"\n },\n \"NotAvailableMachineState-bed48b13-6647-468e-aa2f-1af1d3f4dd40\": \n {\n \"value\": \"Compliant\"\n },\n \"requiredRetentionDays\": \n {\n \"value\": \"365\"\n },\n \"resourceGroupName-b6e2945c-0b7b-40f5-9233-7a5323b5cdc6\": \n {\n \"value\": \"NetworkWatcherRG\"\n }\n }', '', extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))))), 'IL5', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/f9a961fa-3241-4b20-adc4-bbf8ad9d7197', 'parameters', json(replace('{\n \"IncludeArcMachines\" : { \n \"value\" : \"false\"\n },\n \"NotAvailableMachineState-bed48b13-6647-468e-aa2f-1af1d3f4dd40\" : { \n \"value\" : \"Compliant\"\n },\n \"MinimumTLSVersionForWindowsServers\" : { \n \"value\" : \"1.2\"\n },\n \"requiredRetentionDays\" : { \n \"value\" : \"365\"\n },\n \"effect-febd0533-8e55-448f-b837-bd0e06f16469\" : { \n \"value\" : \"audit\"\n },\n \"allowedContainerImagesRegex-febd0533-8e55-448f-b837-bd0e06f16469\" : { \n \"value\" : \"^(.+){0}$\"\n },\n \"effect-95edb821-ddaf-4404-9732-666045e056b4\" : { \n \"value\" : \"audit\"\n },\n \"effect-440b515e-a580-421e-abeb-b159a61ddcbc\" : { \n \"value\" : \"audit\"\n },\n \"effect-233a2a17-77ca-4fb1-9b6b-69223d272a44\" : { 
\n \"value\" : \"audit\"\n },\n \"effect-e345eecc-fa47-480f-9e88-67dcc122b164\" : { \n \"value\" : \"audit\"\n },\n \"cpuLimit-e345eecc-fa47-480f-9e88-67dcc122b164\" : { \n \"value\" : \"0\"\n },\n \"memoryLimit-e345eecc-fa47-480f-9e88-67dcc122b164\" : { \n \"value\" : \"0\"\n },\n \"effect-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \n \"value\" : \"audit\"\n },\n \"runAsUserRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \n \"value\" : \"MustRunAsNonRoot\"\n },\n \"runAsGroupRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \n \"value\" : \"RunAsAny\"\n },\n \"supplementalGroupsRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \n \"value\" : \"RunAsAny\"\n },\n \"fsGroupRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \n \"value\" : \"RunAsAny\"\n },\n \"effect-1c6e92c9-99f0-4e55-9cf2-0c234dc48f99\" : { \n \"value\" : \"audit\"\n },\n \"effect-47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8\" : { \n \"value\" : \"audit\"\n },\n \"effect-df49d893-a74c-421d-bc95-c663042e5b80\" : { \n \"value\" : \"audit\"\n },\n \"effect-1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\" : { \n \"value\" : \"audit\"\n },\n \"effect-c26596ff-4d70-4e6a-9a30-c2506bd2f80c\" : { \n \"value\" : \"audit\"\n },\n \"effect-511f5417-5d12-434d-ab2e-816901e72a5e\" : { \n \"value\" : \"audit\"\n },\n \"effect-82985f06-dc18-4a48-bc1c-b9f4f0098cfe\" : { \n \"value\" : \"audit\"\n },\n \"effect-098fc59e-46c7-4d99-9b16-64990e543d75\" : { \n \"value\" : \"audit\"\n },\n \"NetworkWatcherResourceGroupName\" : { \n \"value\" : \"NetworkWatcherRG\"\n },\n \"setting-a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9\" : { \n \"value\" : \"enabled\"\n },\n \"aadAuthenticationInServiceFabricMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"effect-71ef260a-8f18-47b7-abcb-62d0673d94dc\" : { \n \"value\" : \"Audit\"\n },\n \"effect-055aa869-bc98-4af8-bafc-23f1ab6ffe2c\" : { \n \"value\" : \"Audit\"\n },\n \"effect-564feb30-bf6a-4854-b4bb-0d2d2d1e6c66\" : { \n \"value\" : \"Audit\"\n },\n \"effect-862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb\" : { \n 
\"value\" : \"Audit\"\n },\n \"effect-d9da03a1-f3c3-412a-9709-947156872263\" : { \n \"value\" : \"Audit\"\n },\n \"effect-617c02be-7f02-4efd-8836-3180d47b6c68\" : { \n \"value\" : \"Audit\"\n },\n \"effect-0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d\" : { \n \"value\" : \"Audit\"\n },\n \"effect-ec068d99-e9c7-401f-8cef-5bdde4e6ccf1\" : { \n \"value\" : \"Audit\"\n },\n \"effect-c349d81b-9985-44ae-a8da-ff98d108ede8\" : { \n \"value\" : \"Audit\"\n },\n \"effect-3657f5a0-770e-44a3-b44e-9431ba1e9735\" : { \n \"value\" : \"Audit\"\n },\n \"effect-b4ac1030-89c5-4697-8e00-28b5ba6a8811\" : { \n \"value\" : \"audit\"\n },\n \"effect-ea0dfaed-95fb-448c-934e-d6e713ce393d\" : { \n \"value\" : \"audit\"\n },\n \"effect-4733ea7b-a883-42fe-8cac-97454c2a9e4a\" : { \n \"value\" : \"Audit\"\n },\n \"effect-f4b53539-8df9-40e4-86c6-6b607703bd4e\" : { \n \"value\" : \"Audit\"\n },\n \"effect-41425d9f-d1a5-499a-9932-f8ed8453932c\" : { \n \"value\" : \"Audit\"\n },\n \"effect-fc4d8e41-e223-45ea-9bf5-eada37891d87\" : { \n \"value\" : \"Audit\"\n },\n \"effect-86efb160-8de7-451d-bc08-5d475b0aadae\" : { \n \"value\" : \"Audit\"\n },\n \"effect-4ec52d6d-beb7-40c4-9a9e-fe753254690e\" : { \n \"value\" : \"Audit\"\n },\n \"effect-64d314f6-6062-4780-a861-c23e8951bee5\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1fd32ebd-e4c3-4e13-a54a-d7422d4d95f6\" : { \n \"value\" : \"Audit\"\n },\n \"effect-fa298e57-9444-42ba-bf04-86e8470e32c7\" : { \n \"value\" : \"audit\"\n },\n \"effect-67121cc7-ff39-4ab8-b7e3-95b84dab487d\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1f905d99-2ab7-462c-a6b0-f709acca6c8f\" : { \n \"value\" : \"audit\"\n },\n \"effect-5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\" : { \n \"value\" : \"Audit\"\n },\n \"effect-ba769a63-b8cc-4b2d-abf6-ac33c7204be8\" : { \n \"value\" : \"Audit\"\n },\n \"effect-81e74cea-30fd-40d5-802f-d72103c2aaaa\" : { \n \"value\" : \"Audit\"\n },\n 
\"effect-0aa61e00-0a01-4a3c-9945-e93cffedf0e6\" : { \n \"value\" : \"Audit\"\n },\n \"effect-47031206-ce96-41f8-861b-6a915f3de284\" : { \n \"value\" : \"Audit\"\n },\n \"effect-87ba29ef-1ab3-4d82-b763-87fcd4f531f7\" : { \n \"value\" : \"audit\"\n },\n \"effect-51522a96-0869-4791-82f3-981000c2c67f\" : { \n \"value\" : \"audit\"\n },\n \"effect-b5ec538c-daa0-4006-8596-35468b9148e8\" : { \n \"value\" : \"Audit\"\n },\n \"effect-56a5ee18-2ae6-4810-86f7-18e39ce5629b\" : { \n \"value\" : \"Audit\"\n },\n \"effect-2e94d99a-8a36-4563-bc77-810d8893b671\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1fafeaf6-7927-4059-a50a-8eb2a7a6f2b5\" : { \n \"value\" : \"Audit\"\n },\n \"effect-99e9ccd8-3db9-4592-b0d1-14b1715a4d8a\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1f68a601-6e6d-4e42-babf-3f643a047ea2\" : { \n \"value\" : \"audit\"\n },\n \"effect-f7d52b2d-e161-4dfa-a82b-55e564167385\" : { \n \"value\" : \"Audit\"\n },\n \"effect-7d7be79c-23ba-4033-84dd-45e2a5ccdd67\" : { \n \"value\" : \"Audit\"\n },\n \"effect-ca91455f-eace-4f96-be59-e6e2c35b4816\" : { \n \"value\" : \"Audit\"\n },\n \"effect-702dd420-7fcc-42c5-afe8-4026edd20fe0\" : { \n \"value\" : \"Audit\"\n },\n \"diagnosticsLogsInRedisCacheMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"secureTransferToStorageAccountMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"effect-d0793b48-0edc-4296-a390-4c75d1bdfd71\" : { \n \"value\" : \"Audit\"\n },\n \"effect-7d092e0a-7acd-40d2-a975-dca21cae48c4\" : { \n \"value\" : \"Audit\"\n },\n \"effect-2a1a9cdf-e04d-429a-8416-3bfb72a1b26f\" : { \n \"value\" : \"Audit\"\n },\n \"disableUnrestrictedNetworkToStorageAccountMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"effect-55615ac9-af46-4a59-874e-391cc3dfb490\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1b8ca024-1d5c-4dec-8995-b1a932b41780\" : { \n \"value\" : \"Audit\"\n },\n \"effect-037eea7a-bd0a-46c5-9a66-03aea78705d3\" : { \n \"value\" : \"Audit\"\n },\n \"effect-53503636-bcc9-4748-9663-5348217f160f\" : 
{ \n \"value\" : \"Audit\"\n },\n \"effect-40cec1dd-a100-4920-b15b-3024fe8901ab\" : { \n \"value\" : \"Audit\"\n },\n \"effect-0725b4dd-7e76-479c-a735-68e7ee23d5ca\" : { \n \"value\" : \"Audit\"\n },\n \"effect-a049bf77-880b-470f-ba6d-9f21c530cf83\" : { \n \"value\" : \"Audit\"\n },\n \"effect-ee980b6d-0eca-4501-8d54-f6290fd512c3\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1d84d5fb-01f6-4d12-ba4f-4a26081d403d\" : { \n \"value\" : \"Audit\"\n },\n \"effect-37e0d2fe-28a5-43d6-a273-67d37d1f5606\" : { \n \"value\" : \"Audit\"\n },\n \"identityDesignateMoreThanOneOwnerMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"diskEncryptionMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"emailNotificationToSubscriptionOwnerHighSeverityAlertsEnabledEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"functionAppDisableRemoteDebuggingMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"sqlDbEncryptionMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"vulnerabilityAssessmentOnManagedInstanceMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensurePHPVersionLatestForAPIAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"aadAuthenticationInSqlServerMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"vmssEndpointProtectionMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"vmssOsVulnerabilitiesMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"adaptiveApplicationControlsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"geoRedundantBackupShouldBeEnabledForAzureDatabaseForPostgreSQLEffect\" : { \n \"value\" : \"Audit\"\n },\n \"ensureJavaVersionLatestForWebAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityDesignateLessThanOwnersMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"securityContactEmailAddressForSubscriptionEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n 
\"webAppRestrictCORSAccessMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityRemoveExternalAccountWithWritePermissionsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityRemoveExternalAccountWithReadPermissionsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityRemoveDeprecatedAccountMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"functionAppEnforceHttpsMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"ensurePythonVersionLatestForWebAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensurePythonVersionLatestForFunctionAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensurePHPVersionLatestForWebAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensurePythonVersionLatestForAPIAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"geoRedundantBackupShouldBeEnabledForAzureDatabaseForMySQLEffect\" : { \n \"value\" : \"Audit\"\n },\n \"systemUpdatesMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensureJavaVersionLatestForAPIAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensureHTTPVersionLatestForWebAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"apiAppRequireLatestTlsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityEnableMFAForWritePermissionsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensureHTTPVersionLatestForAPIAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensureJavaVersionLatestForFunctionAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"nextGenerationFirewallMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"useRbacRulesMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"webAppEnforceHttpsMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"sqlServerAuditingMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"vnetEnableDDoSProtectionMonitoringEffect\" : { \n \"value\" 
: \"AuditIfNotExists\"\n },\n \"identityEnableMFAForOwnerPermissionsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"sqlServerAdvancedDataSecurityMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"sqlManagedInstanceAdvancedDataSecurityMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"endpointProtectionMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"jitNetworkAccessMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"apiAppEnforceHttpsMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"geoRedundantStorageShouldBeEnabledForStorageAccountsEffect\" : { \n \"value\" : \"Audit\"\n },\n \"vmssSystemUpdatesMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"webAppDisableRemoteDebuggingMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"longtermGeoRedundantBackupEnabledAzureSQLDatabasesEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"systemConfigurationsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensureHTTPVersionLatestForFunctionAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityEnableMFAForReadPermissionsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"containerBenchmarkMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"apiAppDisableRemoteDebuggingMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"vulnerabilityAssessmentOnServerMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"webAppRequireLatestTlsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityRemoveExternalAccountWithOwnerPermissionsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"functionAppRequireLatestTlsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n 
\"kubernetesServiceVersionUpToDateMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"sqlDbVulnerabilityAssesmentMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"membersToIncludeInLocalAdministratorsGroup\" : { \n \"value\" : \"\"\n },\n \"membersToExcludeInLocalAdministratorsGroup\" : { \n \"value\" : \"\"\n },\n \"logAnalyticsWorkspaceIDForVMAgents\" : { \n \"value\" : \"\"\n },\n \"PHPLatestVersionForAppServices\" : { \n \"value\" : \"7.4\"\n },\n \"JavaLatestVersionForAppServices\" : { \n \"value\" : \"11\"\n },\n \"WindowsPythonLatestVersionForAppServices\" : { \n \"value\" : \"3.6\"\n },\n \"LinuxPythonLatestVersionForAppServices\" : { \n \"value\" : \"3.9\"\n },\n \"ensureDotNetFrameworkLatestForFunctionAppEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"sqlManagedInstanceAdvancedDataSecurityEmailsMonitoringEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"vulnerabilityAssessmentMonitoringEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"ensureDotNetFrameworkLatestForWebAppEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"sqlServerAdvancedDataSecurityEmailsMonitoringEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"microsoftIaaSAntimalwareExtensionShouldBeDeployedOnWindowsServersEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"securityCenterStandardPricingTierShouldBeSelectedEffect\" : { \n \"value\" : \"Audit\"\n },\n \"theLogAnalyticsAgentShouldBeInstalledOnVirtualMachinesEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"ensurePHPVersionLatestForFunctionAppEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"sqlManagedInstanceAdvancedDataSecurityEmailAdminsMonitoringEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"securityContactPhoneNumberShouldBeProvidedForSubscriptionEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"threatDetectionTypesOnManagedInstanceMonitoringEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"ensureDotNetFrameworkLatestForAPIAppEffect\" : { \n \"value\" : \"Disabled\"\n },\n 
\"sqlServerAdvancedDataSecurityEmailAdminsMonitoringEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"threatDetectionTypesOnServerMonitoringEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"theLogAnalyticsAgentShouldBeInstalledOnVirtualMachineScaleSetsEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n }\n}', '', extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))))), 'CMMC', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/b5629c75-5c77-4422-87b9-2509e680f8de', 'parameters', json(replace('{\n \"logAnalyticsWorkspaceId-f47b5582-33ec-4c5c-87c0-b010a6b2e917\" : { \n \"value\" : \"\"\n },\n \"effect-09024ccc-0c5f-475e-9457-b7c0d9ed487b\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"MembersToExclude-69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f\" :{\n \"value\": \"\"\n },\n \"MembersToInclude-30f71ea1-ac77-4f26-9fc5-2d926bbd4ba7\": {\n \"value\": \"\"\n },\n \"effect-0961003e-5a0a-4549-abde-af6a37f2724d\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-0b15565f-aa9e-48ba-8619-45960f2c314d\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-0e60b895-3786-45da-8377-9c6b4b6ac5f9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-17k78e20-9358-41c9-923c-fb736d382a12\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"PHPLatestVersion\" : { \n \"value\" : \"7.3\"\n },\n \"effect-22bee202-a82f-4305-9a2a-6d7f44d4dedb\" : { \n \"value\" : \"Audit\"\n },\n \"effect-26a828e1-e88f-464e-bbb3-c134a282b9de\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-34c877ad-507e-4c82-993e-3452a6e0ad3c\" : { \n \"value\" : \"Audit\"\n },\n \"effect-3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n 
\"effect-404c3081-a854-4457-ae30-26a93ef643f9\" : { \n \"value\" : \"Audit\"\n },\n \"effect-47a6b606-51aa-4496-8bb7-64b11cf66adc\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-496223c3-ad65-4ecd-878a-bae78737e9ed\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"JavaLatestVersion\" : { \n \"value\" : \"11\"\n },\n \"effect-4f11b553-d42e-4e3a-89be-32ca364cad4c\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-5c607a2e-c700-4744-8254-d77e7c9eb5e4\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-5f76cf89-fbf2-47fd-a3f4-b891fa780b60\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-6b1cbf55-e8b6-442f-ba4c-7246b6381474\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab\" : { \n \"value\" : \"Audit\"\n },\n \"effect-7008174a-fd10-4ef0-817e-fc820a951d73\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"LinuxPythonLatestVersion\" : { \n \"value\" : \"3.8\"\n },\n \"effect-7238174a-fd10-4ef0-817e-fc820a951d73\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-7261b898-8a84-4db8-9e04-18527132abb3\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-74c3584d-afae-46f7-a20a-6f8adba71a16\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-86b3d65f-7626-441e-b690-81a8b71cff60\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-88999f4c-376a-45c8-bcb3-4058f713cf39\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-8c122334-9d20-4eb8-89ea-ac9a705b74ae\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-9297c21d-2ed6-4474-b48f-163f75654ce3\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-991310cd-e9f3-47bc-b7b6-f57b557d07db\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-9b597639-28e4-48eb-b506-56b05d366257\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n 
\"effect-9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-9daedab3-fb2d-461e-b861-71790eead4f6\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-a4af4a39-4135-47fb-b175-47fbdf85311d\" : { \n \"value\" : \"Audit\"\n },\n \"effect-a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"setting-a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9\" : { \n \"value\" : \"enabled\"\n },\n \"effect-a70ca396-0a34-413a-88e1-b956c1e683be\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-aa633080-8b72-40c4-a2d7-d00c03e80bed\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-af6cd1bd-1635-48cb-bde7-5b15693900b9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"resourceGroupName-b6e2945c-0b7b-40f5-9233-7a5323b5cdc6\" : { \n \"value\" : \"NetworkWatcherRG\"\n },\n \"effect-b7ddfbdc-1260-477d-91fd-98bd9be789a6\" : { \n \"value\" : \"Audit\"\n },\n \"effect-c3f317a7-a95c-4547-b7e7-11017ebdf2fe\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-cb510bfd-1cba-4d9f-a230-cb0976f4bb71\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-e2c1c086-2d84-4019-bff3-c44ccd95113c\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-e3576e28-8b17-4677-84c3-db2990658d64\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-e8cbc669-f12d-49eb-93e7-9273119e9933\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-e9c8d085-d9cc-4b17-9cdc-059f1f01f19e\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-ebb62a0c-3560-49e1-89ed-27e074e9f8ad\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-efbde977-ba53-4479-b8e9-10b957924fbf\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n 
\"effect-f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-f6de0be7-9a8a-4b8a-b349-43cf02d22f7c\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-f8456c1c-aa66-4dfb-861a-25d127b775c9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-f9d614c5-c173-4d56-95a7-b4437057d193\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-fb893a29-21bb-418c-a157-e99480ec364c\" : { \n \"value\" : \"Audit\"\n },\n \"effect-feedbf84-6b99-488c-acc2-71c829aa5ffc\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-3b980d31-7904-4bb7-8575-5665739a8052\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-6e2593d9-add6-4083-9c9b-4b7d2188c899\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-12430be1-6cc8-4527-a9a8-e3d38f250096\" : { \n \"value\" : \"Audit\"\n },\n \"modeRequirement-12430be1-6cc8-4527-a9a8-e3d38f250096\" : { \n \"value\" : \"Detection\"\n },\n \"effect-425bea59-a659-4cbb-8d31-34499bd030b8\" : { \n \"value\" : \"Audit\"\n },\n \"modeRequirement-425bea59-a659-4cbb-8d31-34499bd030b8\" : { \n \"value\" : \"Detection\"\n },\n \"effect-564feb30-bf6a-4854-b4bb-0d2d2d1e6c66\" : { \n \"value\" : \"Audit\"\n },\n \"effect-055aa869-bc98-4af8-bafc-23f1ab6ffe2c\" : { \n \"value\" : \"Audit\"\n },\n \"effect-013e242c-8828-4970-87b3-ab247555486d\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-d38fc420-0735-4ef3-ac11-c806f651a570\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-a1181c5f-672a-477a-979a-7d58aa086233\" : { \n \"value\" : \"Audit\"\n },\n \"effect-308fbb08-4ab8-4e67-9b29-592e93fb94fa\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-4da35fc9-c9e7-4960-aec9-797fe7d9051d\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-523b5cd1-3e23-492f-a539-13118b6d1e3a\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-7fe3b40f-802b-4cdd-8bd4-fd799c948cc2\" : { \n \"value\" : 
\"AuditIfNotExists\"\n },\n \"effect-c25d9a16-bc35-4e15-a7e5-9db606bf9ed4\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-b0f33259-77d7-4c9e-aac6-3aabcfae693c\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-037eea7a-bd0a-46c5-9a66-03aea78705d3\" : { \n \"value\" : \"Audit\"\n },\n \"effect-0725b4dd-7e76-479c-a735-68e7ee23d5ca\" : { \n \"value\" : \"Audit\"\n },\n \"effect-0820b7b9-23aa-4725-a1ce-ae4558f718e5\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-2c89a2e5-7285-40fe-afe0-ae8654b92fab\" : { \n \"value\" : \"Audit\"\n },\n \"effect-358c20a6-3f9e-4f0e-97ff-c6ce485e2aac\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-5744710e-cc2f-4ee8-8809-3b11e89f4bc9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-ac4a19c2-fa67-49b4-8ae5-0b2e78c49457\" : { \n \"value\" : \"Audit\"\n },\n \"effect-c9d007d0-c057-4772-b18c-01e546713bcd\" : { \n \"value\" : \"Audit\"\n },\n \"effect-d0793b48-0edc-4296-a390-4c75d1bdfd71\" : { \n \"value\" : \"Audit\"\n },\n \"effect-e372f825-a257-4fb8-9175-797a8a8627d6\" : { \n \"value\" : \"Audit\"\n },\n \"effect-d158790f-bfb0-486c-8631-2dc6b4e8e6af\" : { \n \"value\" : \"Audit\"\n },\n \"effect-e802a67a-daf5-4436-9ea6-f6d821dd0c5d\" : { \n \"value\" : \"Audit\"\n },\n \"effect-a451c1ef-c6ca-483d-87ed-f49761e3ffb5\" : { \n \"value\" : \"Audit\"\n },\n \"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftSql-servers-firewallRules-delete\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftNetwork-networkSecurityGroups-delete\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftClassicNetwork-networkSecurityGroups-delete\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftNetwork-networkSecurityGroups-securityRules-delete\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n 
\"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftClassicNetwork-networkSecurityGroups-securityRules-delete\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-ae89ebca-1c92-4898-ac2c-9f63decb045c\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-d26f7642-7545-4e18-9b75-8c9bbdee3a9a\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-1a4e592a-6a6e-44a5-9814-e36264ca96e7\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-7796937f-307b-4598-941c-67d3a05ebfe7\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-c5447c04-a4d7-4ba8-a263-c9ee321a6858\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-41388f1c-2db0-4c25-95b2-35d7f5ccbfa9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-b02aacc0-b073-424e-8298-42b22829ee0a\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-0ec47710-77ff-4a3d-9181-6aa50af424d0\" : { \n \"value\" : \"Audit\"\n },\n \"effect-48af4db5-9b8b-401c-8e74-076be876a430\" : { \n \"value\" : \"Audit\"\n },\n \"effect-82339799-d096-41ae-8538-b108becf0970\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1b7aa243-30e4-4c9e-bca8-d0d3022b634a\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-bb91dfba-c30d-4263-9add-9c2384e659a6\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-e71308d3-144b-4262-b144-efdc3cc90517\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-2bdd0062-9d75-436e-89df-487dd8e4b3c7\" : { \n \"value\" : \"Disabled\"\n },\n \"effect-4733ea7b-a883-42fe-8cac-97454c2a9e4a\" : { \n \"value\" : \"Audit\"\n },\n \"effect-67121cc7-ff39-4ab8-b7e3-95b84dab487d\" : { \n \"value\" : \"Audit\"\n },\n \"effect-6fac406b-40ca-413b-bf8e-0bf964659c25\" : { \n \"value\" : \"Audit\"\n },\n \"effect-81e74cea-30fd-40d5-802f-d72103c2aaaa\" : { \n \"value\" : \"Audit\"\n },\n 
\"effect-c349d81b-9985-44ae-a8da-ff98d108ede8\" : { \n \"value\" : \"Audit\"\n },\n \"effect-f4b53539-8df9-40e4-86c6-6b607703bd4e\" : { \n \"value\" : \"Audit\"\n },\n \"effect-ec068d99-e9c7-401f-8cef-5bdde4e6ccf1\" : { \n \"value\" : \"Audit\"\n },\n \"effect-048248b0-55cd-46da-b1ff-39efd52db260\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-0d134df8-db83-46fb-ad72-fe0c9428c8dd\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-2c89a2e5-7285-40fe-afe0-ae8654b92fb2\" : { \n \"value\" : \"Audit\"\n },\n \"effect-3657f5a0-770e-44a3-b44e-9431ba1e9735\" : { \n \"value\" : \"Audit\"\n },\n \"effect-5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\" : { \n \"value\" : \"Audit\"\n },\n \"effect-617c02be-7f02-4efd-8836-3180d47b6c68\" : { \n \"value\" : \"Audit\"\n },\n \"effect-7d7be79c-23ba-4033-84dd-45e2a5ccdd67\" : { \n \"value\" : \"Audit\"\n },\n \"effect-87ba29ef-1ab3-4d82-b763-87fcd4f531f7\" : { \n \"value\" : \"audit\"\n },\n \"effect-f7d52b2d-e161-4dfa-a82b-55e564167385\" : { \n \"value\" : \"Audit\"\n },\n \"effect-c43e4a30-77cb-48ab-a4dd-93f175c63b57\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1f314764-cb73-4fc9-b863-8eca98ac36e9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-123a3936-f020-408a-ba0c-47873faf1534\" : { \n \"value\" : \"AuditIfNotExists\"\n }\n}\n', '', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName')), '2021-06-01').customerId))))[variables('modifiedAssignment')].parameters]"
+ },
+ "identity": {
+ "type": "SystemAssigned"
+ }
+ }
+ ]
+ }
+ },
+ "dependsOn": [
+ "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('nowUtc')))]",
+ "[subscriptionResourceId(parameters('operationsSubscriptionId'), 'Microsoft.Resources/deployments', format('deploy-operations-rg-{0}', parameters('nowUtc')))]"
+ ]
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "[format('assign-policy-identity-{0}', parameters('nowUtc'))]",
+ "subscriptionId": "[parameters('identitySubscriptionId')]",
+ "resourceGroup": "[parameters('identityResourceGroupName')]",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "builtInAssignment": {
+ "value": "[parameters('policy')]"
+ },
+ "logAnalyticsWorkspaceName": {
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('nowUtc'))), '2019-10-01').outputs.name.value]"
+ },
+ "logAnalyticsWorkspaceResourceGroupName": {
+ "value": "[reference(subscriptionResourceId(parameters('operationsSubscriptionId'), 'Microsoft.Resources/deployments', format('deploy-operations-rg-{0}', parameters('nowUtc'))), '2019-10-01').outputs.name.value]"
+ },
+ "operationsSubscriptionId": {
+ "value": "[parameters('operationsSubscriptionId')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.4.613.9944",
+ "templateHash": "3675806177489000536"
+ }
+ },
+ "parameters": {
+ "builtInAssignment": {
+ "type": "string",
+ "defaultValue": ""
+ },
+ "logAnalyticsWorkspaceName": {
+ "type": "string"
+ },
+ "logAnalyticsWorkspaceResourceGroupName": {
+ "type": "string"
+ },
+ "operationsSubscriptionId": {
+ "type": "string"
+ }
+ },
+ "functions": [],
+ "variables": {
+ "modifiedAssignment": "[if(and(equals(toLower(environment().name), toLower('AzureCloud')), equals(toLower(parameters('builtInAssignment')), toLower('IL5'))), 'NIST', parameters('builtInAssignment'))]",
+ "assignmentName": "[format('{0} {1}', variables('modifiedAssignment'), resourceGroup().name)]"
+ },
+ "resources": [
+ {
+ "condition": "[not(empty(variables('modifiedAssignment')))]",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2020-09-01",
+ "name": "[variables('assignmentName')]",
+ "location": "[resourceGroup().location]",
+ "properties": {
+ "policyDefinitionId": "[createObject('NIST', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f', 'parameters', json(replace(' {\n \"listOfMembersToExcludeFromWindowsVMAdministratorsGroup\": \n {\n \"value\": \"admin\"\n },\n \"listOfMembersToIncludeInWindowsVMAdministratorsGroup\": \n {\n \"value\": \"azureuser\"\n },\n \"logAnalyticsWorkspaceIdforVMReporting\": \n {\n \"value\": \"\"\n },\n \"IncludeArcMachines\": \n {\n \"value\": \"true\"\n },\n \"MinimumTLSVersion-5752e6d6-1206-46d8-8ab1-ecc2f71a8112\": \n {\n \"value\": \"1.2\"\n },\n \"NotAvailableMachineState-bed48b13-6647-468e-aa2f-1af1d3f4dd40\": \n {\n \"value\": \"Compliant\"\n },\n \"requiredRetentionDays\": \n {\n \"value\": \"365\"\n },\n \"resourceGroupName-b6e2945c-0b7b-40f5-9233-7a5323b5cdc6\": \n {\n \"value\": \"NetworkWatcherRG\"\n }\n }', '', extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))))), 'IL5', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/f9a961fa-3241-4b20-adc4-bbf8ad9d7197', 'parameters', json(replace('{\n \"IncludeArcMachines\" : { \n \"value\" : \"false\"\n },\n \"NotAvailableMachineState-bed48b13-6647-468e-aa2f-1af1d3f4dd40\" : { \n \"value\" : \"Compliant\"\n },\n \"MinimumTLSVersionForWindowsServers\" : { \n \"value\" : \"1.2\"\n },\n \"requiredRetentionDays\" : { \n \"value\" : \"365\"\n },\n \"effect-febd0533-8e55-448f-b837-bd0e06f16469\" : { \n \"value\" : \"audit\"\n },\n \"allowedContainerImagesRegex-febd0533-8e55-448f-b837-bd0e06f16469\" : { \n \"value\" : \"^(.+){0}$\"\n },\n \"effect-95edb821-ddaf-4404-9732-666045e056b4\" : { \n \"value\" : \"audit\"\n },\n \"effect-440b515e-a580-421e-abeb-b159a61ddcbc\" : { \n \"value\" : \"audit\"\n },\n 
\"effect-233a2a17-77ca-4fb1-9b6b-69223d272a44\" : { \n \"value\" : \"audit\"\n },\n \"effect-e345eecc-fa47-480f-9e88-67dcc122b164\" : { \n \"value\" : \"audit\"\n },\n \"cpuLimit-e345eecc-fa47-480f-9e88-67dcc122b164\" : { \n \"value\" : \"0\"\n },\n \"memoryLimit-e345eecc-fa47-480f-9e88-67dcc122b164\" : { \n \"value\" : \"0\"\n },\n \"effect-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \n \"value\" : \"audit\"\n },\n \"runAsUserRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \n \"value\" : \"MustRunAsNonRoot\"\n },\n \"runAsGroupRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \n \"value\" : \"RunAsAny\"\n },\n \"supplementalGroupsRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \n \"value\" : \"RunAsAny\"\n },\n \"fsGroupRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \n \"value\" : \"RunAsAny\"\n },\n \"effect-1c6e92c9-99f0-4e55-9cf2-0c234dc48f99\" : { \n \"value\" : \"audit\"\n },\n \"effect-47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8\" : { \n \"value\" : \"audit\"\n },\n \"effect-df49d893-a74c-421d-bc95-c663042e5b80\" : { \n \"value\" : \"audit\"\n },\n \"effect-1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\" : { \n \"value\" : \"audit\"\n },\n \"effect-c26596ff-4d70-4e6a-9a30-c2506bd2f80c\" : { \n \"value\" : \"audit\"\n },\n \"effect-511f5417-5d12-434d-ab2e-816901e72a5e\" : { \n \"value\" : \"audit\"\n },\n \"effect-82985f06-dc18-4a48-bc1c-b9f4f0098cfe\" : { \n \"value\" : \"audit\"\n },\n \"effect-098fc59e-46c7-4d99-9b16-64990e543d75\" : { \n \"value\" : \"audit\"\n },\n \"NetworkWatcherResourceGroupName\" : { \n \"value\" : \"NetworkWatcherRG\"\n },\n \"setting-a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9\" : { \n \"value\" : \"enabled\"\n },\n \"aadAuthenticationInServiceFabricMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"effect-71ef260a-8f18-47b7-abcb-62d0673d94dc\" : { \n \"value\" : \"Audit\"\n },\n \"effect-055aa869-bc98-4af8-bafc-23f1ab6ffe2c\" : { \n \"value\" : \"Audit\"\n },\n \"effect-564feb30-bf6a-4854-b4bb-0d2d2d1e6c66\" : { \n \"value\" : \"Audit\"\n },\n 
\"effect-862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb\" : { \n \"value\" : \"Audit\"\n },\n \"effect-d9da03a1-f3c3-412a-9709-947156872263\" : { \n \"value\" : \"Audit\"\n },\n \"effect-617c02be-7f02-4efd-8836-3180d47b6c68\" : { \n \"value\" : \"Audit\"\n },\n \"effect-0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d\" : { \n \"value\" : \"Audit\"\n },\n \"effect-ec068d99-e9c7-401f-8cef-5bdde4e6ccf1\" : { \n \"value\" : \"Audit\"\n },\n \"effect-c349d81b-9985-44ae-a8da-ff98d108ede8\" : { \n \"value\" : \"Audit\"\n },\n \"effect-3657f5a0-770e-44a3-b44e-9431ba1e9735\" : { \n \"value\" : \"Audit\"\n },\n \"effect-b4ac1030-89c5-4697-8e00-28b5ba6a8811\" : { \n \"value\" : \"audit\"\n },\n \"effect-ea0dfaed-95fb-448c-934e-d6e713ce393d\" : { \n \"value\" : \"audit\"\n },\n \"effect-4733ea7b-a883-42fe-8cac-97454c2a9e4a\" : { \n \"value\" : \"Audit\"\n },\n \"effect-f4b53539-8df9-40e4-86c6-6b607703bd4e\" : { \n \"value\" : \"Audit\"\n },\n \"effect-41425d9f-d1a5-499a-9932-f8ed8453932c\" : { \n \"value\" : \"Audit\"\n },\n \"effect-fc4d8e41-e223-45ea-9bf5-eada37891d87\" : { \n \"value\" : \"Audit\"\n },\n \"effect-86efb160-8de7-451d-bc08-5d475b0aadae\" : { \n \"value\" : \"Audit\"\n },\n \"effect-4ec52d6d-beb7-40c4-9a9e-fe753254690e\" : { \n \"value\" : \"Audit\"\n },\n \"effect-64d314f6-6062-4780-a861-c23e8951bee5\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1fd32ebd-e4c3-4e13-a54a-d7422d4d95f6\" : { \n \"value\" : \"Audit\"\n },\n \"effect-fa298e57-9444-42ba-bf04-86e8470e32c7\" : { \n \"value\" : \"audit\"\n },\n \"effect-67121cc7-ff39-4ab8-b7e3-95b84dab487d\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1f905d99-2ab7-462c-a6b0-f709acca6c8f\" : { \n \"value\" : \"audit\"\n },\n \"effect-5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\" : { \n \"value\" : \"Audit\"\n },\n \"effect-ba769a63-b8cc-4b2d-abf6-ac33c7204be8\" : { \n \"value\" : \"Audit\"\n },\n \"effect-81e74cea-30fd-40d5-802f-d72103c2aaaa\" : { \n \"value\" : 
\"Audit\"\n },\n \"effect-0aa61e00-0a01-4a3c-9945-e93cffedf0e6\" : { \n \"value\" : \"Audit\"\n },\n \"effect-47031206-ce96-41f8-861b-6a915f3de284\" : { \n \"value\" : \"Audit\"\n },\n \"effect-87ba29ef-1ab3-4d82-b763-87fcd4f531f7\" : { \n \"value\" : \"audit\"\n },\n \"effect-51522a96-0869-4791-82f3-981000c2c67f\" : { \n \"value\" : \"audit\"\n },\n \"effect-b5ec538c-daa0-4006-8596-35468b9148e8\" : { \n \"value\" : \"Audit\"\n },\n \"effect-56a5ee18-2ae6-4810-86f7-18e39ce5629b\" : { \n \"value\" : \"Audit\"\n },\n \"effect-2e94d99a-8a36-4563-bc77-810d8893b671\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1fafeaf6-7927-4059-a50a-8eb2a7a6f2b5\" : { \n \"value\" : \"Audit\"\n },\n \"effect-99e9ccd8-3db9-4592-b0d1-14b1715a4d8a\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1f68a601-6e6d-4e42-babf-3f643a047ea2\" : { \n \"value\" : \"audit\"\n },\n \"effect-f7d52b2d-e161-4dfa-a82b-55e564167385\" : { \n \"value\" : \"Audit\"\n },\n \"effect-7d7be79c-23ba-4033-84dd-45e2a5ccdd67\" : { \n \"value\" : \"Audit\"\n },\n \"effect-ca91455f-eace-4f96-be59-e6e2c35b4816\" : { \n \"value\" : \"Audit\"\n },\n \"effect-702dd420-7fcc-42c5-afe8-4026edd20fe0\" : { \n \"value\" : \"Audit\"\n },\n \"diagnosticsLogsInRedisCacheMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"secureTransferToStorageAccountMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"effect-d0793b48-0edc-4296-a390-4c75d1bdfd71\" : { \n \"value\" : \"Audit\"\n },\n \"effect-7d092e0a-7acd-40d2-a975-dca21cae48c4\" : { \n \"value\" : \"Audit\"\n },\n \"effect-2a1a9cdf-e04d-429a-8416-3bfb72a1b26f\" : { \n \"value\" : \"Audit\"\n },\n \"disableUnrestrictedNetworkToStorageAccountMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"effect-55615ac9-af46-4a59-874e-391cc3dfb490\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1b8ca024-1d5c-4dec-8995-b1a932b41780\" : { \n \"value\" : \"Audit\"\n },\n \"effect-037eea7a-bd0a-46c5-9a66-03aea78705d3\" : { \n \"value\" : \"Audit\"\n },\n 
\"effect-53503636-bcc9-4748-9663-5348217f160f\" : { \n \"value\" : \"Audit\"\n },\n \"effect-40cec1dd-a100-4920-b15b-3024fe8901ab\" : { \n \"value\" : \"Audit\"\n },\n \"effect-0725b4dd-7e76-479c-a735-68e7ee23d5ca\" : { \n \"value\" : \"Audit\"\n },\n \"effect-a049bf77-880b-470f-ba6d-9f21c530cf83\" : { \n \"value\" : \"Audit\"\n },\n \"effect-ee980b6d-0eca-4501-8d54-f6290fd512c3\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1d84d5fb-01f6-4d12-ba4f-4a26081d403d\" : { \n \"value\" : \"Audit\"\n },\n \"effect-37e0d2fe-28a5-43d6-a273-67d37d1f5606\" : { \n \"value\" : \"Audit\"\n },\n \"identityDesignateMoreThanOneOwnerMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"diskEncryptionMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"emailNotificationToSubscriptionOwnerHighSeverityAlertsEnabledEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"functionAppDisableRemoteDebuggingMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"sqlDbEncryptionMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"vulnerabilityAssessmentOnManagedInstanceMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensurePHPVersionLatestForAPIAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"aadAuthenticationInSqlServerMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"vmssEndpointProtectionMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"vmssOsVulnerabilitiesMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"adaptiveApplicationControlsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"geoRedundantBackupShouldBeEnabledForAzureDatabaseForPostgreSQLEffect\" : { \n \"value\" : \"Audit\"\n },\n \"ensureJavaVersionLatestForWebAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityDesignateLessThanOwnersMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"securityContactEmailAddressForSubscriptionEffect\" : { \n 
\"value\" : \"AuditIfNotExists\"\n },\n \"webAppRestrictCORSAccessMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityRemoveExternalAccountWithWritePermissionsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityRemoveExternalAccountWithReadPermissionsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityRemoveDeprecatedAccountMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"functionAppEnforceHttpsMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"ensurePythonVersionLatestForWebAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensurePythonVersionLatestForFunctionAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensurePHPVersionLatestForWebAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensurePythonVersionLatestForAPIAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"geoRedundantBackupShouldBeEnabledForAzureDatabaseForMySQLEffect\" : { \n \"value\" : \"Audit\"\n },\n \"systemUpdatesMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensureJavaVersionLatestForAPIAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensureHTTPVersionLatestForWebAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"apiAppRequireLatestTlsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityEnableMFAForWritePermissionsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensureHTTPVersionLatestForAPIAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensureJavaVersionLatestForFunctionAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"nextGenerationFirewallMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"useRbacRulesMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"webAppEnforceHttpsMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"sqlServerAuditingMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n 
\"vnetEnableDDoSProtectionMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityEnableMFAForOwnerPermissionsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"sqlServerAdvancedDataSecurityMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"sqlManagedInstanceAdvancedDataSecurityMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"endpointProtectionMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"jitNetworkAccessMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"apiAppEnforceHttpsMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"geoRedundantStorageShouldBeEnabledForStorageAccountsEffect\" : { \n \"value\" : \"Audit\"\n },\n \"vmssSystemUpdatesMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"webAppDisableRemoteDebuggingMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"longtermGeoRedundantBackupEnabledAzureSQLDatabasesEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"systemConfigurationsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensureHTTPVersionLatestForFunctionAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityEnableMFAForReadPermissionsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"containerBenchmarkMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"apiAppDisableRemoteDebuggingMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"vulnerabilityAssessmentOnServerMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"webAppRequireLatestTlsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityRemoveExternalAccountWithOwnerPermissionsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"functionAppRequireLatestTlsMonitoringEffect\" : { \n \"value\" : 
\"AuditIfNotExists\"\n },\n \"kubernetesServiceVersionUpToDateMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"sqlDbVulnerabilityAssesmentMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"membersToIncludeInLocalAdministratorsGroup\" : { \n \"value\" : \"\"\n },\n \"membersToExcludeInLocalAdministratorsGroup\" : { \n \"value\" : \"\"\n },\n \"logAnalyticsWorkspaceIDForVMAgents\" : { \n \"value\" : \"\"\n },\n \"PHPLatestVersionForAppServices\" : { \n \"value\" : \"7.4\"\n },\n \"JavaLatestVersionForAppServices\" : { \n \"value\" : \"11\"\n },\n \"WindowsPythonLatestVersionForAppServices\" : { \n \"value\" : \"3.6\"\n },\n \"LinuxPythonLatestVersionForAppServices\" : { \n \"value\" : \"3.9\"\n },\n \"ensureDotNetFrameworkLatestForFunctionAppEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"sqlManagedInstanceAdvancedDataSecurityEmailsMonitoringEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"vulnerabilityAssessmentMonitoringEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"ensureDotNetFrameworkLatestForWebAppEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"sqlServerAdvancedDataSecurityEmailsMonitoringEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"microsoftIaaSAntimalwareExtensionShouldBeDeployedOnWindowsServersEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"securityCenterStandardPricingTierShouldBeSelectedEffect\" : { \n \"value\" : \"Audit\"\n },\n \"theLogAnalyticsAgentShouldBeInstalledOnVirtualMachinesEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"ensurePHPVersionLatestForFunctionAppEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"sqlManagedInstanceAdvancedDataSecurityEmailAdminsMonitoringEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"securityContactPhoneNumberShouldBeProvidedForSubscriptionEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"threatDetectionTypesOnManagedInstanceMonitoringEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"ensureDotNetFrameworkLatestForAPIAppEffect\" : { \n \"value\" : \"Disabled\"\n },\n 
\"sqlServerAdvancedDataSecurityEmailAdminsMonitoringEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"threatDetectionTypesOnServerMonitoringEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"theLogAnalyticsAgentShouldBeInstalledOnVirtualMachineScaleSetsEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n }\n}', '', extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))))), 'CMMC', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/b5629c75-5c77-4422-87b9-2509e680f8de', 'parameters', json(replace('{\n \"logAnalyticsWorkspaceId-f47b5582-33ec-4c5c-87c0-b010a6b2e917\" : { \n \"value\" : \"\"\n },\n \"effect-09024ccc-0c5f-475e-9457-b7c0d9ed487b\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"MembersToExclude-69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f\" :{\n \"value\": \"\"\n },\n \"MembersToInclude-30f71ea1-ac77-4f26-9fc5-2d926bbd4ba7\": {\n \"value\": \"\"\n },\n \"effect-0961003e-5a0a-4549-abde-af6a37f2724d\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-0b15565f-aa9e-48ba-8619-45960f2c314d\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-0e60b895-3786-45da-8377-9c6b4b6ac5f9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-17k78e20-9358-41c9-923c-fb736d382a12\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"PHPLatestVersion\" : { \n \"value\" : \"7.3\"\n },\n \"effect-22bee202-a82f-4305-9a2a-6d7f44d4dedb\" : { \n \"value\" : \"Audit\"\n },\n \"effect-26a828e1-e88f-464e-bbb3-c134a282b9de\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-34c877ad-507e-4c82-993e-3452a6e0ad3c\" : { \n \"value\" : \"Audit\"\n },\n \"effect-3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n 
\"effect-404c3081-a854-4457-ae30-26a93ef643f9\" : { \n \"value\" : \"Audit\"\n },\n \"effect-47a6b606-51aa-4496-8bb7-64b11cf66adc\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-496223c3-ad65-4ecd-878a-bae78737e9ed\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"JavaLatestVersion\" : { \n \"value\" : \"11\"\n },\n \"effect-4f11b553-d42e-4e3a-89be-32ca364cad4c\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-5c607a2e-c700-4744-8254-d77e7c9eb5e4\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-5f76cf89-fbf2-47fd-a3f4-b891fa780b60\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-6b1cbf55-e8b6-442f-ba4c-7246b6381474\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab\" : { \n \"value\" : \"Audit\"\n },\n \"effect-7008174a-fd10-4ef0-817e-fc820a951d73\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"LinuxPythonLatestVersion\" : { \n \"value\" : \"3.8\"\n },\n \"effect-7238174a-fd10-4ef0-817e-fc820a951d73\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-7261b898-8a84-4db8-9e04-18527132abb3\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-74c3584d-afae-46f7-a20a-6f8adba71a16\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-86b3d65f-7626-441e-b690-81a8b71cff60\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-88999f4c-376a-45c8-bcb3-4058f713cf39\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-8c122334-9d20-4eb8-89ea-ac9a705b74ae\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-9297c21d-2ed6-4474-b48f-163f75654ce3\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-991310cd-e9f3-47bc-b7b6-f57b557d07db\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-9b597639-28e4-48eb-b506-56b05d366257\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n 
\"effect-9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-9daedab3-fb2d-461e-b861-71790eead4f6\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-a4af4a39-4135-47fb-b175-47fbdf85311d\" : { \n \"value\" : \"Audit\"\n },\n \"effect-a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"setting-a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9\" : { \n \"value\" : \"enabled\"\n },\n \"effect-a70ca396-0a34-413a-88e1-b956c1e683be\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-aa633080-8b72-40c4-a2d7-d00c03e80bed\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-af6cd1bd-1635-48cb-bde7-5b15693900b9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"resourceGroupName-b6e2945c-0b7b-40f5-9233-7a5323b5cdc6\" : { \n \"value\" : \"NetworkWatcherRG\"\n },\n \"effect-b7ddfbdc-1260-477d-91fd-98bd9be789a6\" : { \n \"value\" : \"Audit\"\n },\n \"effect-c3f317a7-a95c-4547-b7e7-11017ebdf2fe\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-cb510bfd-1cba-4d9f-a230-cb0976f4bb71\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-e2c1c086-2d84-4019-bff3-c44ccd95113c\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-e3576e28-8b17-4677-84c3-db2990658d64\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-e8cbc669-f12d-49eb-93e7-9273119e9933\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-e9c8d085-d9cc-4b17-9cdc-059f1f01f19e\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-ebb62a0c-3560-49e1-89ed-27e074e9f8ad\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-efbde977-ba53-4479-b8e9-10b957924fbf\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n 
\"effect-f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-f6de0be7-9a8a-4b8a-b349-43cf02d22f7c\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-f8456c1c-aa66-4dfb-861a-25d127b775c9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-f9d614c5-c173-4d56-95a7-b4437057d193\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-fb893a29-21bb-418c-a157-e99480ec364c\" : { \n \"value\" : \"Audit\"\n },\n \"effect-feedbf84-6b99-488c-acc2-71c829aa5ffc\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-3b980d31-7904-4bb7-8575-5665739a8052\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-6e2593d9-add6-4083-9c9b-4b7d2188c899\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-12430be1-6cc8-4527-a9a8-e3d38f250096\" : { \n \"value\" : \"Audit\"\n },\n \"modeRequirement-12430be1-6cc8-4527-a9a8-e3d38f250096\" : { \n \"value\" : \"Detection\"\n },\n \"effect-425bea59-a659-4cbb-8d31-34499bd030b8\" : { \n \"value\" : \"Audit\"\n },\n \"modeRequirement-425bea59-a659-4cbb-8d31-34499bd030b8\" : { \n \"value\" : \"Detection\"\n },\n \"effect-564feb30-bf6a-4854-b4bb-0d2d2d1e6c66\" : { \n \"value\" : \"Audit\"\n },\n \"effect-055aa869-bc98-4af8-bafc-23f1ab6ffe2c\" : { \n \"value\" : \"Audit\"\n },\n \"effect-013e242c-8828-4970-87b3-ab247555486d\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-d38fc420-0735-4ef3-ac11-c806f651a570\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-a1181c5f-672a-477a-979a-7d58aa086233\" : { \n \"value\" : \"Audit\"\n },\n \"effect-308fbb08-4ab8-4e67-9b29-592e93fb94fa\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-4da35fc9-c9e7-4960-aec9-797fe7d9051d\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-523b5cd1-3e23-492f-a539-13118b6d1e3a\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-7fe3b40f-802b-4cdd-8bd4-fd799c948cc2\" : { \n \"value\" : 
\"AuditIfNotExists\"\n },\n \"effect-c25d9a16-bc35-4e15-a7e5-9db606bf9ed4\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-b0f33259-77d7-4c9e-aac6-3aabcfae693c\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-037eea7a-bd0a-46c5-9a66-03aea78705d3\" : { \n \"value\" : \"Audit\"\n },\n \"effect-0725b4dd-7e76-479c-a735-68e7ee23d5ca\" : { \n \"value\" : \"Audit\"\n },\n \"effect-0820b7b9-23aa-4725-a1ce-ae4558f718e5\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-2c89a2e5-7285-40fe-afe0-ae8654b92fab\" : { \n \"value\" : \"Audit\"\n },\n \"effect-358c20a6-3f9e-4f0e-97ff-c6ce485e2aac\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-5744710e-cc2f-4ee8-8809-3b11e89f4bc9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-ac4a19c2-fa67-49b4-8ae5-0b2e78c49457\" : { \n \"value\" : \"Audit\"\n },\n \"effect-c9d007d0-c057-4772-b18c-01e546713bcd\" : { \n \"value\" : \"Audit\"\n },\n \"effect-d0793b48-0edc-4296-a390-4c75d1bdfd71\" : { \n \"value\" : \"Audit\"\n },\n \"effect-e372f825-a257-4fb8-9175-797a8a8627d6\" : { \n \"value\" : \"Audit\"\n },\n \"effect-d158790f-bfb0-486c-8631-2dc6b4e8e6af\" : { \n \"value\" : \"Audit\"\n },\n \"effect-e802a67a-daf5-4436-9ea6-f6d821dd0c5d\" : { \n \"value\" : \"Audit\"\n },\n \"effect-a451c1ef-c6ca-483d-87ed-f49761e3ffb5\" : { \n \"value\" : \"Audit\"\n },\n \"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftSql-servers-firewallRules-delete\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftNetwork-networkSecurityGroups-delete\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftClassicNetwork-networkSecurityGroups-delete\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftNetwork-networkSecurityGroups-securityRules-delete\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n 
\"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftClassicNetwork-networkSecurityGroups-securityRules-delete\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-ae89ebca-1c92-4898-ac2c-9f63decb045c\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-d26f7642-7545-4e18-9b75-8c9bbdee3a9a\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-1a4e592a-6a6e-44a5-9814-e36264ca96e7\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-7796937f-307b-4598-941c-67d3a05ebfe7\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-c5447c04-a4d7-4ba8-a263-c9ee321a6858\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-41388f1c-2db0-4c25-95b2-35d7f5ccbfa9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-b02aacc0-b073-424e-8298-42b22829ee0a\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-0ec47710-77ff-4a3d-9181-6aa50af424d0\" : { \n \"value\" : \"Audit\"\n },\n \"effect-48af4db5-9b8b-401c-8e74-076be876a430\" : { \n \"value\" : \"Audit\"\n },\n \"effect-82339799-d096-41ae-8538-b108becf0970\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1b7aa243-30e4-4c9e-bca8-d0d3022b634a\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-bb91dfba-c30d-4263-9add-9c2384e659a6\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-e71308d3-144b-4262-b144-efdc3cc90517\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-2bdd0062-9d75-436e-89df-487dd8e4b3c7\" : { \n \"value\" : \"Disabled\"\n },\n \"effect-4733ea7b-a883-42fe-8cac-97454c2a9e4a\" : { \n \"value\" : \"Audit\"\n },\n \"effect-67121cc7-ff39-4ab8-b7e3-95b84dab487d\" : { \n \"value\" : \"Audit\"\n },\n \"effect-6fac406b-40ca-413b-bf8e-0bf964659c25\" : { \n \"value\" : \"Audit\"\n },\n \"effect-81e74cea-30fd-40d5-802f-d72103c2aaaa\" : { \n \"value\" : \"Audit\"\n },\n 
\"effect-c349d81b-9985-44ae-a8da-ff98d108ede8\" : { \n \"value\" : \"Audit\"\n },\n \"effect-f4b53539-8df9-40e4-86c6-6b607703bd4e\" : { \n \"value\" : \"Audit\"\n },\n \"effect-ec068d99-e9c7-401f-8cef-5bdde4e6ccf1\" : { \n \"value\" : \"Audit\"\n },\n \"effect-048248b0-55cd-46da-b1ff-39efd52db260\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-0d134df8-db83-46fb-ad72-fe0c9428c8dd\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-2c89a2e5-7285-40fe-afe0-ae8654b92fb2\" : { \n \"value\" : \"Audit\"\n },\n \"effect-3657f5a0-770e-44a3-b44e-9431ba1e9735\" : { \n \"value\" : \"Audit\"\n },\n \"effect-5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\" : { \n \"value\" : \"Audit\"\n },\n \"effect-617c02be-7f02-4efd-8836-3180d47b6c68\" : { \n \"value\" : \"Audit\"\n },\n \"effect-7d7be79c-23ba-4033-84dd-45e2a5ccdd67\" : { \n \"value\" : \"Audit\"\n },\n \"effect-87ba29ef-1ab3-4d82-b763-87fcd4f531f7\" : { \n \"value\" : \"audit\"\n },\n \"effect-f7d52b2d-e161-4dfa-a82b-55e564167385\" : { \n \"value\" : \"Audit\"\n },\n \"effect-c43e4a30-77cb-48ab-a4dd-93f175c63b57\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1f314764-cb73-4fc9-b863-8eca98ac36e9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-123a3936-f020-408a-ba0c-47873faf1534\" : { \n \"value\" : \"AuditIfNotExists\"\n }\n}\n', '', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName')), '2021-06-01').customerId))))[variables('modifiedAssignment')].id]",
+ "parameters": "[createObject('NIST', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f', 'parameters', json(replace(' {\n \"listOfMembersToExcludeFromWindowsVMAdministratorsGroup\": \n {\n \"value\": \"admin\"\n },\n \"listOfMembersToIncludeInWindowsVMAdministratorsGroup\": \n {\n \"value\": \"azureuser\"\n },\n \"logAnalyticsWorkspaceIdforVMReporting\": \n {\n \"value\": \"\"\n },\n \"IncludeArcMachines\": \n {\n \"value\": \"true\"\n },\n \"MinimumTLSVersion-5752e6d6-1206-46d8-8ab1-ecc2f71a8112\": \n {\n \"value\": \"1.2\"\n },\n \"NotAvailableMachineState-bed48b13-6647-468e-aa2f-1af1d3f4dd40\": \n {\n \"value\": \"Compliant\"\n },\n \"requiredRetentionDays\": \n {\n \"value\": \"365\"\n },\n \"resourceGroupName-b6e2945c-0b7b-40f5-9233-7a5323b5cdc6\": \n {\n \"value\": \"NetworkWatcherRG\"\n }\n }', '', extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))))), 'IL5', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/f9a961fa-3241-4b20-adc4-bbf8ad9d7197', 'parameters', json(replace('{\n \"IncludeArcMachines\" : { \n \"value\" : \"false\"\n },\n \"NotAvailableMachineState-bed48b13-6647-468e-aa2f-1af1d3f4dd40\" : { \n \"value\" : \"Compliant\"\n },\n \"MinimumTLSVersionForWindowsServers\" : { \n \"value\" : \"1.2\"\n },\n \"requiredRetentionDays\" : { \n \"value\" : \"365\"\n },\n \"effect-febd0533-8e55-448f-b837-bd0e06f16469\" : { \n \"value\" : \"audit\"\n },\n \"allowedContainerImagesRegex-febd0533-8e55-448f-b837-bd0e06f16469\" : { \n \"value\" : \"^(.+){0}$\"\n },\n \"effect-95edb821-ddaf-4404-9732-666045e056b4\" : { \n \"value\" : \"audit\"\n },\n \"effect-440b515e-a580-421e-abeb-b159a61ddcbc\" : { \n \"value\" : \"audit\"\n },\n \"effect-233a2a17-77ca-4fb1-9b6b-69223d272a44\" : { 
\n \"value\" : \"audit\"\n },\n \"effect-e345eecc-fa47-480f-9e88-67dcc122b164\" : { \n \"value\" : \"audit\"\n },\n \"cpuLimit-e345eecc-fa47-480f-9e88-67dcc122b164\" : { \n \"value\" : \"0\"\n },\n \"memoryLimit-e345eecc-fa47-480f-9e88-67dcc122b164\" : { \n \"value\" : \"0\"\n },\n \"effect-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \n \"value\" : \"audit\"\n },\n \"runAsUserRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \n \"value\" : \"MustRunAsNonRoot\"\n },\n \"runAsGroupRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \n \"value\" : \"RunAsAny\"\n },\n \"supplementalGroupsRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \n \"value\" : \"RunAsAny\"\n },\n \"fsGroupRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042\" : { \n \"value\" : \"RunAsAny\"\n },\n \"effect-1c6e92c9-99f0-4e55-9cf2-0c234dc48f99\" : { \n \"value\" : \"audit\"\n },\n \"effect-47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8\" : { \n \"value\" : \"audit\"\n },\n \"effect-df49d893-a74c-421d-bc95-c663042e5b80\" : { \n \"value\" : \"audit\"\n },\n \"effect-1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\" : { \n \"value\" : \"audit\"\n },\n \"effect-c26596ff-4d70-4e6a-9a30-c2506bd2f80c\" : { \n \"value\" : \"audit\"\n },\n \"effect-511f5417-5d12-434d-ab2e-816901e72a5e\" : { \n \"value\" : \"audit\"\n },\n \"effect-82985f06-dc18-4a48-bc1c-b9f4f0098cfe\" : { \n \"value\" : \"audit\"\n },\n \"effect-098fc59e-46c7-4d99-9b16-64990e543d75\" : { \n \"value\" : \"audit\"\n },\n \"NetworkWatcherResourceGroupName\" : { \n \"value\" : \"NetworkWatcherRG\"\n },\n \"setting-a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9\" : { \n \"value\" : \"enabled\"\n },\n \"aadAuthenticationInServiceFabricMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"effect-71ef260a-8f18-47b7-abcb-62d0673d94dc\" : { \n \"value\" : \"Audit\"\n },\n \"effect-055aa869-bc98-4af8-bafc-23f1ab6ffe2c\" : { \n \"value\" : \"Audit\"\n },\n \"effect-564feb30-bf6a-4854-b4bb-0d2d2d1e6c66\" : { \n \"value\" : \"Audit\"\n },\n \"effect-862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb\" : { \n 
\"value\" : \"Audit\"\n },\n \"effect-d9da03a1-f3c3-412a-9709-947156872263\" : { \n \"value\" : \"Audit\"\n },\n \"effect-617c02be-7f02-4efd-8836-3180d47b6c68\" : { \n \"value\" : \"Audit\"\n },\n \"effect-0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d\" : { \n \"value\" : \"Audit\"\n },\n \"effect-ec068d99-e9c7-401f-8cef-5bdde4e6ccf1\" : { \n \"value\" : \"Audit\"\n },\n \"effect-c349d81b-9985-44ae-a8da-ff98d108ede8\" : { \n \"value\" : \"Audit\"\n },\n \"effect-3657f5a0-770e-44a3-b44e-9431ba1e9735\" : { \n \"value\" : \"Audit\"\n },\n \"effect-b4ac1030-89c5-4697-8e00-28b5ba6a8811\" : { \n \"value\" : \"audit\"\n },\n \"effect-ea0dfaed-95fb-448c-934e-d6e713ce393d\" : { \n \"value\" : \"audit\"\n },\n \"effect-4733ea7b-a883-42fe-8cac-97454c2a9e4a\" : { \n \"value\" : \"Audit\"\n },\n \"effect-f4b53539-8df9-40e4-86c6-6b607703bd4e\" : { \n \"value\" : \"Audit\"\n },\n \"effect-41425d9f-d1a5-499a-9932-f8ed8453932c\" : { \n \"value\" : \"Audit\"\n },\n \"effect-fc4d8e41-e223-45ea-9bf5-eada37891d87\" : { \n \"value\" : \"Audit\"\n },\n \"effect-86efb160-8de7-451d-bc08-5d475b0aadae\" : { \n \"value\" : \"Audit\"\n },\n \"effect-4ec52d6d-beb7-40c4-9a9e-fe753254690e\" : { \n \"value\" : \"Audit\"\n },\n \"effect-64d314f6-6062-4780-a861-c23e8951bee5\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1fd32ebd-e4c3-4e13-a54a-d7422d4d95f6\" : { \n \"value\" : \"Audit\"\n },\n \"effect-fa298e57-9444-42ba-bf04-86e8470e32c7\" : { \n \"value\" : \"audit\"\n },\n \"effect-67121cc7-ff39-4ab8-b7e3-95b84dab487d\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1f905d99-2ab7-462c-a6b0-f709acca6c8f\" : { \n \"value\" : \"audit\"\n },\n \"effect-5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\" : { \n \"value\" : \"Audit\"\n },\n \"effect-ba769a63-b8cc-4b2d-abf6-ac33c7204be8\" : { \n \"value\" : \"Audit\"\n },\n \"effect-81e74cea-30fd-40d5-802f-d72103c2aaaa\" : { \n \"value\" : \"Audit\"\n },\n 
\"effect-0aa61e00-0a01-4a3c-9945-e93cffedf0e6\" : { \n \"value\" : \"Audit\"\n },\n \"effect-47031206-ce96-41f8-861b-6a915f3de284\" : { \n \"value\" : \"Audit\"\n },\n \"effect-87ba29ef-1ab3-4d82-b763-87fcd4f531f7\" : { \n \"value\" : \"audit\"\n },\n \"effect-51522a96-0869-4791-82f3-981000c2c67f\" : { \n \"value\" : \"audit\"\n },\n \"effect-b5ec538c-daa0-4006-8596-35468b9148e8\" : { \n \"value\" : \"Audit\"\n },\n \"effect-56a5ee18-2ae6-4810-86f7-18e39ce5629b\" : { \n \"value\" : \"Audit\"\n },\n \"effect-2e94d99a-8a36-4563-bc77-810d8893b671\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1fafeaf6-7927-4059-a50a-8eb2a7a6f2b5\" : { \n \"value\" : \"Audit\"\n },\n \"effect-99e9ccd8-3db9-4592-b0d1-14b1715a4d8a\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1f68a601-6e6d-4e42-babf-3f643a047ea2\" : { \n \"value\" : \"audit\"\n },\n \"effect-f7d52b2d-e161-4dfa-a82b-55e564167385\" : { \n \"value\" : \"Audit\"\n },\n \"effect-7d7be79c-23ba-4033-84dd-45e2a5ccdd67\" : { \n \"value\" : \"Audit\"\n },\n \"effect-ca91455f-eace-4f96-be59-e6e2c35b4816\" : { \n \"value\" : \"Audit\"\n },\n \"effect-702dd420-7fcc-42c5-afe8-4026edd20fe0\" : { \n \"value\" : \"Audit\"\n },\n \"diagnosticsLogsInRedisCacheMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"secureTransferToStorageAccountMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"effect-d0793b48-0edc-4296-a390-4c75d1bdfd71\" : { \n \"value\" : \"Audit\"\n },\n \"effect-7d092e0a-7acd-40d2-a975-dca21cae48c4\" : { \n \"value\" : \"Audit\"\n },\n \"effect-2a1a9cdf-e04d-429a-8416-3bfb72a1b26f\" : { \n \"value\" : \"Audit\"\n },\n \"disableUnrestrictedNetworkToStorageAccountMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"effect-55615ac9-af46-4a59-874e-391cc3dfb490\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1b8ca024-1d5c-4dec-8995-b1a932b41780\" : { \n \"value\" : \"Audit\"\n },\n \"effect-037eea7a-bd0a-46c5-9a66-03aea78705d3\" : { \n \"value\" : \"Audit\"\n },\n \"effect-53503636-bcc9-4748-9663-5348217f160f\" : 
{ \n \"value\" : \"Audit\"\n },\n \"effect-40cec1dd-a100-4920-b15b-3024fe8901ab\" : { \n \"value\" : \"Audit\"\n },\n \"effect-0725b4dd-7e76-479c-a735-68e7ee23d5ca\" : { \n \"value\" : \"Audit\"\n },\n \"effect-a049bf77-880b-470f-ba6d-9f21c530cf83\" : { \n \"value\" : \"Audit\"\n },\n \"effect-ee980b6d-0eca-4501-8d54-f6290fd512c3\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1d84d5fb-01f6-4d12-ba4f-4a26081d403d\" : { \n \"value\" : \"Audit\"\n },\n \"effect-37e0d2fe-28a5-43d6-a273-67d37d1f5606\" : { \n \"value\" : \"Audit\"\n },\n \"identityDesignateMoreThanOneOwnerMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"diskEncryptionMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"emailNotificationToSubscriptionOwnerHighSeverityAlertsEnabledEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"functionAppDisableRemoteDebuggingMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"sqlDbEncryptionMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"vulnerabilityAssessmentOnManagedInstanceMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensurePHPVersionLatestForAPIAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"aadAuthenticationInSqlServerMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"vmssEndpointProtectionMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"vmssOsVulnerabilitiesMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"adaptiveApplicationControlsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"geoRedundantBackupShouldBeEnabledForAzureDatabaseForPostgreSQLEffect\" : { \n \"value\" : \"Audit\"\n },\n \"ensureJavaVersionLatestForWebAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityDesignateLessThanOwnersMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"securityContactEmailAddressForSubscriptionEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n 
\"webAppRestrictCORSAccessMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityRemoveExternalAccountWithWritePermissionsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityRemoveExternalAccountWithReadPermissionsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityRemoveDeprecatedAccountMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"functionAppEnforceHttpsMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"ensurePythonVersionLatestForWebAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensurePythonVersionLatestForFunctionAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensurePHPVersionLatestForWebAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensurePythonVersionLatestForAPIAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"geoRedundantBackupShouldBeEnabledForAzureDatabaseForMySQLEffect\" : { \n \"value\" : \"Audit\"\n },\n \"systemUpdatesMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensureJavaVersionLatestForAPIAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensureHTTPVersionLatestForWebAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"apiAppRequireLatestTlsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityEnableMFAForWritePermissionsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensureHTTPVersionLatestForAPIAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensureJavaVersionLatestForFunctionAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"nextGenerationFirewallMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"useRbacRulesMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"webAppEnforceHttpsMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"sqlServerAuditingMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"vnetEnableDDoSProtectionMonitoringEffect\" : { \n \"value\" 
: \"AuditIfNotExists\"\n },\n \"identityEnableMFAForOwnerPermissionsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"sqlServerAdvancedDataSecurityMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"sqlManagedInstanceAdvancedDataSecurityMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"endpointProtectionMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"jitNetworkAccessMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"apiAppEnforceHttpsMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"geoRedundantStorageShouldBeEnabledForStorageAccountsEffect\" : { \n \"value\" : \"Audit\"\n },\n \"vmssSystemUpdatesMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"webAppDisableRemoteDebuggingMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"longtermGeoRedundantBackupEnabledAzureSQLDatabasesEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"systemConfigurationsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"ensureHTTPVersionLatestForFunctionAppEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityEnableMFAForReadPermissionsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"containerBenchmarkMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"apiAppDisableRemoteDebuggingMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"vulnerabilityAssessmentOnServerMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"webAppRequireLatestTlsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"identityRemoveExternalAccountWithOwnerPermissionsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"functionAppRequireLatestTlsMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n 
\"kubernetesServiceVersionUpToDateMonitoringEffect\" : { \n \"value\" : \"Audit\"\n },\n \"sqlDbVulnerabilityAssesmentMonitoringEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"membersToIncludeInLocalAdministratorsGroup\" : { \n \"value\" : \"\"\n },\n \"membersToExcludeInLocalAdministratorsGroup\" : { \n \"value\" : \"\"\n },\n \"logAnalyticsWorkspaceIDForVMAgents\" : { \n \"value\" : \"\"\n },\n \"PHPLatestVersionForAppServices\" : { \n \"value\" : \"7.4\"\n },\n \"JavaLatestVersionForAppServices\" : { \n \"value\" : \"11\"\n },\n \"WindowsPythonLatestVersionForAppServices\" : { \n \"value\" : \"3.6\"\n },\n \"LinuxPythonLatestVersionForAppServices\" : { \n \"value\" : \"3.9\"\n },\n \"ensureDotNetFrameworkLatestForFunctionAppEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"sqlManagedInstanceAdvancedDataSecurityEmailsMonitoringEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"vulnerabilityAssessmentMonitoringEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"ensureDotNetFrameworkLatestForWebAppEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"sqlServerAdvancedDataSecurityEmailsMonitoringEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"microsoftIaaSAntimalwareExtensionShouldBeDeployedOnWindowsServersEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"securityCenterStandardPricingTierShouldBeSelectedEffect\" : { \n \"value\" : \"Audit\"\n },\n \"theLogAnalyticsAgentShouldBeInstalledOnVirtualMachinesEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"ensurePHPVersionLatestForFunctionAppEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"sqlManagedInstanceAdvancedDataSecurityEmailAdminsMonitoringEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"securityContactPhoneNumberShouldBeProvidedForSubscriptionEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"threatDetectionTypesOnManagedInstanceMonitoringEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"ensureDotNetFrameworkLatestForAPIAppEffect\" : { \n \"value\" : \"Disabled\"\n },\n 
\"sqlServerAdvancedDataSecurityEmailAdminsMonitoringEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"threatDetectionTypesOnServerMonitoringEffect\" : { \n \"value\" : \"Disabled\"\n },\n \"theLogAnalyticsAgentShouldBeInstalledOnVirtualMachineScaleSetsEffect\" : { \n \"value\" : \"AuditIfNotExists\"\n }\n}', '', extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))))), 'CMMC', createObject('id', '/providers/Microsoft.Authorization/policySetDefinitions/b5629c75-5c77-4422-87b9-2509e680f8de', 'parameters', json(replace('{\n \"logAnalyticsWorkspaceId-f47b5582-33ec-4c5c-87c0-b010a6b2e917\" : { \n \"value\" : \"\"\n },\n \"effect-09024ccc-0c5f-475e-9457-b7c0d9ed487b\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"MembersToExclude-69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f\" :{\n \"value\": \"\"\n },\n \"MembersToInclude-30f71ea1-ac77-4f26-9fc5-2d926bbd4ba7\": {\n \"value\": \"\"\n },\n \"effect-0961003e-5a0a-4549-abde-af6a37f2724d\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-0b15565f-aa9e-48ba-8619-45960f2c314d\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-0e60b895-3786-45da-8377-9c6b4b6ac5f9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-17k78e20-9358-41c9-923c-fb736d382a12\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"PHPLatestVersion\" : { \n \"value\" : \"7.3\"\n },\n \"effect-22bee202-a82f-4305-9a2a-6d7f44d4dedb\" : { \n \"value\" : \"Audit\"\n },\n \"effect-26a828e1-e88f-464e-bbb3-c134a282b9de\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-34c877ad-507e-4c82-993e-3452a6e0ad3c\" : { \n \"value\" : \"Audit\"\n },\n \"effect-3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n 
\"effect-404c3081-a854-4457-ae30-26a93ef643f9\" : { \n \"value\" : \"Audit\"\n },\n \"effect-47a6b606-51aa-4496-8bb7-64b11cf66adc\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-496223c3-ad65-4ecd-878a-bae78737e9ed\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"JavaLatestVersion\" : { \n \"value\" : \"11\"\n },\n \"effect-4f11b553-d42e-4e3a-89be-32ca364cad4c\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-5c607a2e-c700-4744-8254-d77e7c9eb5e4\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-5f76cf89-fbf2-47fd-a3f4-b891fa780b60\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-6b1cbf55-e8b6-442f-ba4c-7246b6381474\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab\" : { \n \"value\" : \"Audit\"\n },\n \"effect-7008174a-fd10-4ef0-817e-fc820a951d73\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"LinuxPythonLatestVersion\" : { \n \"value\" : \"3.8\"\n },\n \"effect-7238174a-fd10-4ef0-817e-fc820a951d73\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-7261b898-8a84-4db8-9e04-18527132abb3\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-74c3584d-afae-46f7-a20a-6f8adba71a16\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-86b3d65f-7626-441e-b690-81a8b71cff60\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-88999f4c-376a-45c8-bcb3-4058f713cf39\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-8c122334-9d20-4eb8-89ea-ac9a705b74ae\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-9297c21d-2ed6-4474-b48f-163f75654ce3\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-991310cd-e9f3-47bc-b7b6-f57b557d07db\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-9b597639-28e4-48eb-b506-56b05d366257\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n 
\"effect-9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-9daedab3-fb2d-461e-b861-71790eead4f6\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-a4af4a39-4135-47fb-b175-47fbdf85311d\" : { \n \"value\" : \"Audit\"\n },\n \"effect-a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"setting-a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9\" : { \n \"value\" : \"enabled\"\n },\n \"effect-a70ca396-0a34-413a-88e1-b956c1e683be\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-aa633080-8b72-40c4-a2d7-d00c03e80bed\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-af6cd1bd-1635-48cb-bde7-5b15693900b9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"resourceGroupName-b6e2945c-0b7b-40f5-9233-7a5323b5cdc6\" : { \n \"value\" : \"NetworkWatcherRG\"\n },\n \"effect-b7ddfbdc-1260-477d-91fd-98bd9be789a6\" : { \n \"value\" : \"Audit\"\n },\n \"effect-c3f317a7-a95c-4547-b7e7-11017ebdf2fe\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-cb510bfd-1cba-4d9f-a230-cb0976f4bb71\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-e2c1c086-2d84-4019-bff3-c44ccd95113c\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-e3576e28-8b17-4677-84c3-db2990658d64\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-e8cbc669-f12d-49eb-93e7-9273119e9933\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-e9c8d085-d9cc-4b17-9cdc-059f1f01f19e\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-ebb62a0c-3560-49e1-89ed-27e074e9f8ad\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-efbde977-ba53-4479-b8e9-10b957924fbf\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n 
\"effect-f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-f6de0be7-9a8a-4b8a-b349-43cf02d22f7c\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-f8456c1c-aa66-4dfb-861a-25d127b775c9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-f9d614c5-c173-4d56-95a7-b4437057d193\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-fb893a29-21bb-418c-a157-e99480ec364c\" : { \n \"value\" : \"Audit\"\n },\n \"effect-feedbf84-6b99-488c-acc2-71c829aa5ffc\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-3b980d31-7904-4bb7-8575-5665739a8052\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-6e2593d9-add6-4083-9c9b-4b7d2188c899\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-12430be1-6cc8-4527-a9a8-e3d38f250096\" : { \n \"value\" : \"Audit\"\n },\n \"modeRequirement-12430be1-6cc8-4527-a9a8-e3d38f250096\" : { \n \"value\" : \"Detection\"\n },\n \"effect-425bea59-a659-4cbb-8d31-34499bd030b8\" : { \n \"value\" : \"Audit\"\n },\n \"modeRequirement-425bea59-a659-4cbb-8d31-34499bd030b8\" : { \n \"value\" : \"Detection\"\n },\n \"effect-564feb30-bf6a-4854-b4bb-0d2d2d1e6c66\" : { \n \"value\" : \"Audit\"\n },\n \"effect-055aa869-bc98-4af8-bafc-23f1ab6ffe2c\" : { \n \"value\" : \"Audit\"\n },\n \"effect-013e242c-8828-4970-87b3-ab247555486d\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-d38fc420-0735-4ef3-ac11-c806f651a570\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-a1181c5f-672a-477a-979a-7d58aa086233\" : { \n \"value\" : \"Audit\"\n },\n \"effect-308fbb08-4ab8-4e67-9b29-592e93fb94fa\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-4da35fc9-c9e7-4960-aec9-797fe7d9051d\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-523b5cd1-3e23-492f-a539-13118b6d1e3a\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-7fe3b40f-802b-4cdd-8bd4-fd799c948cc2\" : { \n \"value\" : 
\"AuditIfNotExists\"\n },\n \"effect-c25d9a16-bc35-4e15-a7e5-9db606bf9ed4\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-b0f33259-77d7-4c9e-aac6-3aabcfae693c\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-037eea7a-bd0a-46c5-9a66-03aea78705d3\" : { \n \"value\" : \"Audit\"\n },\n \"effect-0725b4dd-7e76-479c-a735-68e7ee23d5ca\" : { \n \"value\" : \"Audit\"\n },\n \"effect-0820b7b9-23aa-4725-a1ce-ae4558f718e5\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-2c89a2e5-7285-40fe-afe0-ae8654b92fab\" : { \n \"value\" : \"Audit\"\n },\n \"effect-358c20a6-3f9e-4f0e-97ff-c6ce485e2aac\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-5744710e-cc2f-4ee8-8809-3b11e89f4bc9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-ac4a19c2-fa67-49b4-8ae5-0b2e78c49457\" : { \n \"value\" : \"Audit\"\n },\n \"effect-c9d007d0-c057-4772-b18c-01e546713bcd\" : { \n \"value\" : \"Audit\"\n },\n \"effect-d0793b48-0edc-4296-a390-4c75d1bdfd71\" : { \n \"value\" : \"Audit\"\n },\n \"effect-e372f825-a257-4fb8-9175-797a8a8627d6\" : { \n \"value\" : \"Audit\"\n },\n \"effect-d158790f-bfb0-486c-8631-2dc6b4e8e6af\" : { \n \"value\" : \"Audit\"\n },\n \"effect-e802a67a-daf5-4436-9ea6-f6d821dd0c5d\" : { \n \"value\" : \"Audit\"\n },\n \"effect-a451c1ef-c6ca-483d-87ed-f49761e3ffb5\" : { \n \"value\" : \"Audit\"\n },\n \"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftSql-servers-firewallRules-delete\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftNetwork-networkSecurityGroups-delete\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftClassicNetwork-networkSecurityGroups-delete\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftNetwork-networkSecurityGroups-securityRules-delete\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n 
\"effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftClassicNetwork-networkSecurityGroups-securityRules-delete\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-ae89ebca-1c92-4898-ac2c-9f63decb045c\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-d26f7642-7545-4e18-9b75-8c9bbdee3a9a\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-1a4e592a-6a6e-44a5-9814-e36264ca96e7\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-7796937f-307b-4598-941c-67d3a05ebfe7\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-c5447c04-a4d7-4ba8-a263-c9ee321a6858\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-41388f1c-2db0-4c25-95b2-35d7f5ccbfa9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-b02aacc0-b073-424e-8298-42b22829ee0a\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-0ec47710-77ff-4a3d-9181-6aa50af424d0\" : { \n \"value\" : \"Audit\"\n },\n \"effect-48af4db5-9b8b-401c-8e74-076be876a430\" : { \n \"value\" : \"Audit\"\n },\n \"effect-82339799-d096-41ae-8538-b108becf0970\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1b7aa243-30e4-4c9e-bca8-d0d3022b634a\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-bb91dfba-c30d-4263-9add-9c2384e659a6\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-e71308d3-144b-4262-b144-efdc3cc90517\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-2bdd0062-9d75-436e-89df-487dd8e4b3c7\" : { \n \"value\" : \"Disabled\"\n },\n \"effect-4733ea7b-a883-42fe-8cac-97454c2a9e4a\" : { \n \"value\" : \"Audit\"\n },\n \"effect-67121cc7-ff39-4ab8-b7e3-95b84dab487d\" : { \n \"value\" : \"Audit\"\n },\n \"effect-6fac406b-40ca-413b-bf8e-0bf964659c25\" : { \n \"value\" : \"Audit\"\n },\n \"effect-81e74cea-30fd-40d5-802f-d72103c2aaaa\" : { \n \"value\" : \"Audit\"\n },\n 
\"effect-c349d81b-9985-44ae-a8da-ff98d108ede8\" : { \n \"value\" : \"Audit\"\n },\n \"effect-f4b53539-8df9-40e4-86c6-6b607703bd4e\" : { \n \"value\" : \"Audit\"\n },\n \"effect-ec068d99-e9c7-401f-8cef-5bdde4e6ccf1\" : { \n \"value\" : \"Audit\"\n },\n \"effect-048248b0-55cd-46da-b1ff-39efd52db260\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-0d134df8-db83-46fb-ad72-fe0c9428c8dd\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-2c89a2e5-7285-40fe-afe0-ae8654b92fb2\" : { \n \"value\" : \"Audit\"\n },\n \"effect-3657f5a0-770e-44a3-b44e-9431ba1e9735\" : { \n \"value\" : \"Audit\"\n },\n \"effect-5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\" : { \n \"value\" : \"Audit\"\n },\n \"effect-617c02be-7f02-4efd-8836-3180d47b6c68\" : { \n \"value\" : \"Audit\"\n },\n \"effect-7d7be79c-23ba-4033-84dd-45e2a5ccdd67\" : { \n \"value\" : \"Audit\"\n },\n \"effect-87ba29ef-1ab3-4d82-b763-87fcd4f531f7\" : { \n \"value\" : \"audit\"\n },\n \"effect-f7d52b2d-e161-4dfa-a82b-55e564167385\" : { \n \"value\" : \"Audit\"\n },\n \"effect-c43e4a30-77cb-48ab-a4dd-93f175c63b57\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d\" : { \n \"value\" : \"Audit\"\n },\n \"effect-1f314764-cb73-4fc9-b863-8eca98ac36e9\" : { \n \"value\" : \"AuditIfNotExists\"\n },\n \"effect-123a3936-f020-408a-ba0c-47873faf1534\" : { \n \"value\" : \"AuditIfNotExists\"\n }\n}\n', '', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('logAnalyticsWorkspaceResourceGroupName')), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName')), '2021-06-01').customerId))))[variables('modifiedAssignment')].parameters]"
+ },
+ "identity": {
+ "type": "SystemAssigned"
+ }
+ }
+ ]
+ }
+ },
+ "dependsOn": [
+ "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('nowUtc')))]",
+ "[subscriptionResourceId(parameters('operationsSubscriptionId'), 'Microsoft.Resources/deployments', format('deploy-operations-rg-{0}', parameters('nowUtc')))]"
+ ]
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "[format('activity-logs-hub-{0}', parameters('nowUtc'))]",
+ "subscriptionId": "[parameters('hubSubscriptionId')]",
+ "location": "[deployment().location]",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "diagnosticSettingName": {
+ "value": "[format('log-hub-sub-activity-to-{0}', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('nowUtc'))), '2019-10-01').outputs.name.value)]"
+ },
+ "logAnalyticsWorkspaceId": {
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('nowUtc'))), '2019-10-01').outputs.id.value]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.4.613.9944",
+ "templateHash": "10501865331857601559"
+ }
+ },
+ "parameters": {
+ "diagnosticSettingName": {
+ "type": "string"
+ },
+ "logAnalyticsWorkspaceId": {
+ "type": "string"
+ }
+ },
+ "functions": [],
+ "resources": [
+ {
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "apiVersion": "2021-05-01-preview",
+ "name": "[parameters('diagnosticSettingName')]",
+ "properties": {
+ "workspaceId": "[parameters('logAnalyticsWorkspaceId')]",
+ "logs": [
+ {
+ "category": "Administrative",
+ "enabled": true
+ },
+ {
+ "category": "Security",
+ "enabled": true
+ },
+ {
+ "category": "ServiceHealth",
+ "enabled": true
+ },
+ {
+ "category": "Alert",
+ "enabled": true
+ },
+ {
+ "category": "Recommendation",
+ "enabled": true
+ },
+ {
+ "category": "Policy",
+ "enabled": true
+ },
+ {
+ "category": "Autoscale",
+ "enabled": true
+ },
+ {
+ "category": "ResourceHealth",
+ "enabled": true
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "dependsOn": [
+ "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('nowUtc')))]"
+ ]
+ },
+ {
+ "condition": "[not(equals(parameters('hubSubscriptionId'), parameters('operationsSubscriptionId')))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "[format('activity-logs-operations-{0}', parameters('nowUtc'))]",
+ "subscriptionId": "[parameters('operationsSubscriptionId')]",
+ "location": "[deployment().location]",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "diagnosticSettingName": {
+ "value": "[format('log-operations-sub-activity-to-{0}', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('nowUtc'))), '2019-10-01').outputs.name.value)]"
+ },
+ "logAnalyticsWorkspaceId": {
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('nowUtc'))), '2019-10-01').outputs.id.value]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.4.613.9944",
+ "templateHash": "10501865331857601559"
+ }
+ },
+ "parameters": {
+ "diagnosticSettingName": {
+ "type": "string"
+ },
+ "logAnalyticsWorkspaceId": {
+ "type": "string"
+ }
+ },
+ "functions": [],
+ "resources": [
+ {
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "apiVersion": "2021-05-01-preview",
+ "name": "[parameters('diagnosticSettingName')]",
+ "properties": {
+ "workspaceId": "[parameters('logAnalyticsWorkspaceId')]",
+ "logs": [
+ {
+ "category": "Administrative",
+ "enabled": true
+ },
+ {
+ "category": "Security",
+ "enabled": true
+ },
+ {
+ "category": "ServiceHealth",
+ "enabled": true
+ },
+ {
+ "category": "Alert",
+ "enabled": true
+ },
+ {
+ "category": "Recommendation",
+ "enabled": true
+ },
+ {
+ "category": "Policy",
+ "enabled": true
+ },
+ {
+ "category": "Autoscale",
+ "enabled": true
+ },
+ {
+ "category": "ResourceHealth",
+ "enabled": true
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "dependsOn": [
+ "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('nowUtc')))]"
+ ]
+ },
+ {
+ "condition": "[not(equals(parameters('hubSubscriptionId'), parameters('identitySubscriptionId')))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "[format('activity-logs-identity-{0}', parameters('nowUtc'))]",
+ "subscriptionId": "[parameters('identitySubscriptionId')]",
+ "location": "[deployment().location]",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "diagnosticSettingName": {
+ "value": "[format('log-identity-sub-activity-to-{0}', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('nowUtc'))), '2019-10-01').outputs.name.value)]"
+ },
+ "logAnalyticsWorkspaceId": {
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('nowUtc'))), '2019-10-01').outputs.id.value]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.4.613.9944",
+ "templateHash": "10501865331857601559"
+ }
+ },
+ "parameters": {
+ "diagnosticSettingName": {
+ "type": "string"
+ },
+ "logAnalyticsWorkspaceId": {
+ "type": "string"
+ }
+ },
+ "functions": [],
+ "resources": [
+ {
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "apiVersion": "2021-05-01-preview",
+ "name": "[parameters('diagnosticSettingName')]",
+ "properties": {
+ "workspaceId": "[parameters('logAnalyticsWorkspaceId')]",
+ "logs": [
+ {
+ "category": "Administrative",
+ "enabled": true
+ },
+ {
+ "category": "Security",
+ "enabled": true
+ },
+ {
+ "category": "ServiceHealth",
+ "enabled": true
+ },
+ {
+ "category": "Alert",
+ "enabled": true
+ },
+ {
+ "category": "Recommendation",
+ "enabled": true
+ },
+ {
+ "category": "Policy",
+ "enabled": true
+ },
+ {
+ "category": "Autoscale",
+ "enabled": true
+ },
+ {
+ "category": "ResourceHealth",
+ "enabled": true
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "dependsOn": [
+ "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('nowUtc')))]"
+ ]
+ },
+ {
+ "condition": "[not(equals(parameters('hubSubscriptionId'), parameters('sharedServicesSubscriptionId')))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "[format('activity-logs-sharedServices-{0}', parameters('nowUtc'))]",
+ "subscriptionId": "[parameters('sharedServicesSubscriptionId')]",
+ "location": "[deployment().location]",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "diagnosticSettingName": {
+ "value": "[format('log-sharedServices-sub-activity-to-{0}', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('nowUtc'))), '2019-10-01').outputs.name.value)]"
+ },
+ "logAnalyticsWorkspaceId": {
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('nowUtc'))), '2019-10-01').outputs.id.value]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.4.613.9944",
+ "templateHash": "10501865331857601559"
+ }
+ },
+ "parameters": {
+ "diagnosticSettingName": {
+ "type": "string"
+ },
+ "logAnalyticsWorkspaceId": {
+ "type": "string"
+ }
+ },
+ "functions": [],
+ "resources": [
+ {
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "apiVersion": "2021-05-01-preview",
+ "name": "[parameters('diagnosticSettingName')]",
+ "properties": {
+ "workspaceId": "[parameters('logAnalyticsWorkspaceId')]",
+ "logs": [
+ {
+ "category": "Administrative",
+ "enabled": true
+ },
+ {
+ "category": "Security",
+ "enabled": true
+ },
+ {
+ "category": "ServiceHealth",
+ "enabled": true
+ },
+ {
+ "category": "Alert",
+ "enabled": true
+ },
+ {
+ "category": "Recommendation",
+ "enabled": true
+ },
+ {
+ "category": "Policy",
+ "enabled": true
+ },
+ {
+ "category": "Autoscale",
+ "enabled": true
+ },
+ {
+ "category": "ResourceHealth",
+ "enabled": true
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "dependsOn": [
+ "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('nowUtc')))]"
+ ]
+ },
+ {
+ "condition": "[parameters('deployRemoteAccess')]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "[format('deploy-remote-access-{0}', parameters('nowUtc'))]",
+ "subscriptionId": "[parameters('hubSubscriptionId')]",
+ "resourceGroup": "[parameters('hubResourceGroupName')]",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "location": {
+ "value": "[parameters('hubLocation')]"
+ },
+ "hubVirtualNetworkName": {
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), parameters('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-hub-{0}', parameters('nowUtc'))), '2019-10-01').outputs.virtualNetworkName.value]"
+ },
+ "hubSubnetResourceId": {
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), parameters('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-hub-{0}', parameters('nowUtc'))), '2019-10-01').outputs.subnetResourceId.value]"
+ },
+ "hubNetworkSecurityGroupResourceId": {
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), parameters('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-hub-{0}', parameters('nowUtc'))), '2019-10-01').outputs.networkSecurityGroupResourceId.value]"
+ },
+ "bastionHostName": {
+ "value": "[parameters('bastionHostName')]"
+ },
+ "bastionHostSubnetAddressPrefix": {
+ "value": "[parameters('bastionHostSubnetAddressPrefix')]"
+ },
+ "bastionHostPublicIPAddressName": {
+ "value": "[parameters('bastionHostPublicIPAddressName')]"
+ },
+ "bastionHostPublicIPAddressSkuName": {
+ "value": "[parameters('bastionHostPublicIPAddressSkuName')]"
+ },
+ "bastionHostPublicIPAddressAllocationMethod": {
+ "value": "[parameters('bastionHostPublicIPAddressAllocationMethod')]"
+ },
+ "bastionHostPublicIPAddressAvailabilityZones": {
+ "value": "[parameters('bastionHostPublicIPAddressAvailabilityZones')]"
+ },
+ "bastionHostIPConfigurationName": {
+ "value": "[parameters('bastionHostIPConfigurationName')]"
+ },
+ "linuxNetworkInterfaceName": {
+ "value": "[parameters('linuxNetworkInterfaceName')]"
+ },
+ "linuxNetworkInterfaceIpConfigurationName": {
+ "value": "[parameters('linuxNetworkInterfaceIpConfigurationName')]"
+ },
+ "linuxNetworkInterfacePrivateIPAddressAllocationMethod": {
+ "value": "[parameters('linuxNetworkInterfacePrivateIPAddressAllocationMethod')]"
+ },
+ "linuxVmName": {
+ "value": "[parameters('linuxVmName')]"
+ },
+ "linuxVmSize": {
+ "value": "[parameters('linuxVmSize')]"
+ },
+ "linuxVmOsDiskCreateOption": {
+ "value": "[parameters('linuxVmOsDiskCreateOption')]"
+ },
+ "linuxVmOsDiskType": {
+ "value": "[parameters('linuxVmOsDiskType')]"
+ },
+ "linuxVmImagePublisher": {
+ "value": "[parameters('linuxVmImagePublisher')]"
+ },
+ "linuxVmImageOffer": {
+ "value": "[parameters('linuxVmImageOffer')]"
+ },
+ "linuxVmImageSku": {
+ "value": "[parameters('linuxVmImageSku')]"
+ },
+ "linuxVmImageVersion": {
+ "value": "[parameters('linuxVmImageVersion')]"
+ },
+ "linuxVmAdminUsername": {
+ "value": "[parameters('linuxVmAdminUsername')]"
+ },
+ "linuxVmAuthenticationType": {
+ "value": "[parameters('linuxVmAuthenticationType')]"
+ },
+ "linuxVmAdminPasswordOrKey": {
+ "value": "[parameters('linuxVmAdminPasswordOrKey')]"
+ },
+ "windowsNetworkInterfaceName": {
+ "value": "[parameters('windowsNetworkInterfaceName')]"
+ },
+ "windowsNetworkInterfaceIpConfigurationName": {
+ "value": "[parameters('windowsNetworkInterfaceIpConfigurationName')]"
+ },
+ "windowsNetworkInterfacePrivateIPAddressAllocationMethod": {
+ "value": "[parameters('windowsNetworkInterfacePrivateIPAddressAllocationMethod')]"
+ },
+ "windowsVmName": {
+ "value": "[parameters('windowsVmName')]"
+ },
+ "windowsVmSize": {
+ "value": "[parameters('windowsVmSize')]"
+ },
+ "windowsVmAdminUsername": {
+ "value": "[parameters('windowsVmAdminUsername')]"
+ },
+ "windowsVmAdminPassword": {
+ "value": "[parameters('windowsVmAdminPassword')]"
+ },
+ "windowsVmPublisher": {
+ "value": "[parameters('windowsVmPublisher')]"
+ },
+ "windowsVmOffer": {
+ "value": "[parameters('windowsVmOffer')]"
+ },
+ "windowsVmSku": {
+ "value": "[parameters('windowsVmSku')]"
+ },
+ "windowsVmVersion": {
+ "value": "[parameters('windowsVmVersion')]"
+ },
+ "windowsVmCreateOption": {
+ "value": "[parameters('windowsVmCreateOption')]"
+ },
+ "windowsVmStorageAccountType": {
+ "value": "[parameters('windowsVmStorageAccountType')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.4.613.9944",
+ "templateHash": "9206703012100649755"
+ }
+ },
+ "parameters": {
+ "location": {
+ "type": "string"
+ },
+ "tags": {
+ "type": "object",
+ "defaultValue": {}
+ },
+ "hubVirtualNetworkName": {
+ "type": "string"
+ },
+ "hubSubnetResourceId": {
+ "type": "string"
+ },
+ "hubNetworkSecurityGroupResourceId": {
+ "type": "string"
+ },
+ "bastionHostName": {
+ "type": "string"
+ },
+ "bastionHostSubnetAddressPrefix": {
+ "type": "string"
+ },
+ "bastionHostPublicIPAddressName": {
+ "type": "string"
+ },
+ "bastionHostPublicIPAddressSkuName": {
+ "type": "string"
+ },
+ "bastionHostPublicIPAddressAllocationMethod": {
+ "type": "string"
+ },
+ "bastionHostPublicIPAddressAvailabilityZones": {
+ "type": "array"
+ },
+ "bastionHostIPConfigurationName": {
+ "type": "string"
+ },
+ "linuxNetworkInterfaceName": {
+ "type": "string"
+ },
+ "linuxNetworkInterfaceIpConfigurationName": {
+ "type": "string"
+ },
+ "linuxNetworkInterfacePrivateIPAddressAllocationMethod": {
+ "type": "string"
+ },
+ "linuxVmName": {
+ "type": "string"
+ },
+ "linuxVmSize": {
+ "type": "string"
+ },
+ "linuxVmOsDiskCreateOption": {
+ "type": "string"
+ },
+ "linuxVmOsDiskType": {
+ "type": "string"
+ },
+ "linuxVmImagePublisher": {
+ "type": "string"
+ },
+ "linuxVmImageOffer": {
+ "type": "string"
+ },
+ "linuxVmImageSku": {
+ "type": "string"
+ },
+ "linuxVmImageVersion": {
+ "type": "string"
+ },
+ "linuxVmAdminUsername": {
+ "type": "string"
+ },
+ "linuxVmAuthenticationType": {
+ "type": "string",
+ "allowedValues": [
+ "sshPublicKey",
+ "password"
+ ]
+ },
+ "linuxVmAdminPasswordOrKey": {
+ "type": "secureString",
+ "minLength": 14
+ },
+ "windowsNetworkInterfaceName": {
+ "type": "string"
+ },
+ "windowsNetworkInterfaceIpConfigurationName": {
+ "type": "string"
+ },
+ "windowsNetworkInterfacePrivateIPAddressAllocationMethod": {
+ "type": "string"
+ },
+ "windowsVmName": {
+ "type": "string"
+ },
+ "windowsVmSize": {
+ "type": "string"
+ },
+ "windowsVmAdminUsername": {
+ "type": "string"
+ },
+ "windowsVmAdminPassword": {
+ "type": "secureString",
+ "minLength": 14
+ },
+ "windowsVmPublisher": {
+ "type": "string"
+ },
+ "windowsVmOffer": {
+ "type": "string"
+ },
+ "windowsVmSku": {
+ "type": "string"
+ },
+ "windowsVmVersion": {
+ "type": "string"
+ },
+ "windowsVmCreateOption": {
+ "type": "string"
+ },
+ "windowsVmStorageAccountType": {
+ "type": "string"
+ }
+ },
+ "functions": [],
+ "resources": [
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "remoteAccess-bastionHost",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "name": {
+ "value": "[parameters('bastionHostName')]"
+ },
+ "location": {
+ "value": "[parameters('location')]"
+ },
+ "tags": {
+ "value": "[parameters('tags')]"
+ },
+ "virtualNetworkName": {
+ "value": "[parameters('hubVirtualNetworkName')]"
+ },
+ "subnetAddressPrefix": {
+ "value": "[parameters('bastionHostSubnetAddressPrefix')]"
+ },
+ "publicIPAddressName": {
+ "value": "[parameters('bastionHostPublicIPAddressName')]"
+ },
+ "publicIPAddressSkuName": {
+ "value": "[parameters('bastionHostPublicIPAddressSkuName')]"
+ },
+ "publicIPAddressAllocationMethod": {
+ "value": "[parameters('bastionHostPublicIPAddressAllocationMethod')]"
+ },
+ "publicIPAddressAvailabilityZones": {
+ "value": "[parameters('bastionHostPublicIPAddressAvailabilityZones')]"
+ },
+ "ipConfigurationName": {
+ "value": "[parameters('bastionHostIPConfigurationName')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.4.613.9944",
+ "templateHash": "10497818437168204965"
+ }
+ },
+ "parameters": {
+ "name": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ },
+ "tags": {
+ "type": "object",
+ "defaultValue": {}
+ },
+ "virtualNetworkName": {
+ "type": "string"
+ },
+ "subnetAddressPrefix": {
+ "type": "string"
+ },
+ "publicIPAddressName": {
+ "type": "string"
+ },
+ "publicIPAddressSkuName": {
+ "type": "string"
+ },
+ "publicIPAddressAllocationMethod": {
+ "type": "string"
+ },
+ "publicIPAddressAvailabilityZones": {
+ "type": "array"
+ },
+ "ipConfigurationName": {
+ "type": "string"
+ }
+ },
+ "functions": [],
+ "variables": {
+ "subnetName": "AzureBastionSubnet"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Network/publicIPAddresses",
+ "apiVersion": "2021-02-01",
+ "name": "[parameters('publicIPAddressName')]",
+ "location": "[parameters('location')]",
+ "tags": "[parameters('tags')]",
+ "sku": {
+ "name": "[parameters('publicIPAddressSkuName')]"
+ },
+ "properties": {
+ "publicIPAllocationMethod": "[parameters('publicIPAddressAllocationMethod')]"
+ },
+ "zones": "[parameters('publicIPAddressAvailabilityZones')]"
+ },
+ {
+ "type": "Microsoft.Network/virtualNetworks/subnets",
+ "apiVersion": "2021-02-01",
+ "name": "[format('{0}/{1}', parameters('virtualNetworkName'), variables('subnetName'))]",
+ "properties": {
+ "addressPrefix": "[parameters('subnetAddressPrefix')]"
+ }
+ },
+ {
+ "type": "Microsoft.Network/bastionHosts",
+ "apiVersion": "2021-02-01",
+ "name": "[parameters('name')]",
+ "location": "[parameters('location')]",
+ "tags": "[parameters('tags')]",
+ "properties": {
+ "ipConfigurations": [
+ {
+ "name": "[parameters('ipConfigurationName')]",
+ "properties": {
+ "subnet": {
+ "id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', split(format('{0}/{1}', parameters('virtualNetworkName'), variables('subnetName')), '/')[0], split(format('{0}/{1}', parameters('virtualNetworkName'), variables('subnetName')), '/')[1])]"
+ },
+ "publicIPAddress": {
+ "id": "[resourceId('Microsoft.Network/publicIPAddresses', parameters('publicIPAddressName'))]"
+ }
+ }
+ }
+ ]
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Network/publicIPAddresses', parameters('publicIPAddressName'))]",
+ "[resourceId('Microsoft.Network/virtualNetworks/subnets', split(format('{0}/{1}', parameters('virtualNetworkName'), variables('subnetName')), '/')[0], split(format('{0}/{1}', parameters('virtualNetworkName'), variables('subnetName')), '/')[1])]"
+ ]
+ }
+ ]
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "remoteAccess-linuxNetworkInterface",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "name": {
+ "value": "[parameters('linuxNetworkInterfaceName')]"
+ },
+ "location": {
+ "value": "[parameters('location')]"
+ },
+ "tags": {
+ "value": "[parameters('tags')]"
+ },
+ "ipConfigurationName": {
+ "value": "[parameters('linuxNetworkInterfaceIpConfigurationName')]"
+ },
+ "networkSecurityGroupId": {
+ "value": "[parameters('hubNetworkSecurityGroupResourceId')]"
+ },
+ "privateIPAddressAllocationMethod": {
+ "value": "[parameters('linuxNetworkInterfacePrivateIPAddressAllocationMethod')]"
+ },
+ "subnetId": {
+ "value": "[parameters('hubSubnetResourceId')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.4.613.9944",
+ "templateHash": "14459425343428091407"
+ }
+ },
+ "parameters": {
+ "name": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ },
+ "tags": {
+ "type": "object",
+ "defaultValue": {}
+ },
+ "ipConfigurationName": {
+ "type": "string"
+ },
+ "subnetId": {
+ "type": "string"
+ },
+ "networkSecurityGroupId": {
+ "type": "string"
+ },
+ "privateIPAddressAllocationMethod": {
+ "type": "string"
+ }
+ },
+ "functions": [],
+ "resources": [
+ {
+ "type": "Microsoft.Network/networkInterfaces",
+ "apiVersion": "2021-02-01",
+ "name": "[parameters('name')]",
+ "location": "[parameters('location')]",
+ "tags": "[parameters('tags')]",
+ "properties": {
+ "ipConfigurations": [
+ {
+ "name": "[parameters('ipConfigurationName')]",
+ "properties": {
+ "subnet": {
+ "id": "[parameters('subnetId')]"
+ },
+ "privateIPAllocationMethod": "[parameters('privateIPAddressAllocationMethod')]"
+ }
+ }
+ ],
+ "networkSecurityGroup": {
+ "id": "[parameters('networkSecurityGroupId')]"
+ }
+ }
+ }
+ ],
+ "outputs": {
+ "id": {
+ "type": "string",
+ "value": "[resourceId('Microsoft.Network/networkInterfaces', parameters('name'))]"
+ },
+ "name": {
+ "type": "string",
+ "value": "[parameters('name')]"
+ }
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "remoteAccess-linuxVirtualMachine",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "name": {
+ "value": "[parameters('linuxVmName')]"
+ },
+ "location": {
+ "value": "[parameters('location')]"
+ },
+ "tags": {
+ "value": "[parameters('tags')]"
+ },
+ "vmSize": {
+ "value": "[parameters('linuxVmSize')]"
+ },
+ "osDiskCreateOption": {
+ "value": "[parameters('linuxVmOsDiskCreateOption')]"
+ },
+ "osDiskType": {
+ "value": "[parameters('linuxVmOsDiskType')]"
+ },
+ "vmImagePublisher": {
+ "value": "[parameters('linuxVmImagePublisher')]"
+ },
+ "vmImageOffer": {
+ "value": "[parameters('linuxVmImageOffer')]"
+ },
+ "vmImageSku": {
+ "value": "[parameters('linuxVmImageSku')]"
+ },
+ "vmImageVersion": {
+ "value": "[parameters('linuxVmImageVersion')]"
+ },
+ "adminUsername": {
+ "value": "[parameters('linuxVmAdminUsername')]"
+ },
+ "authenticationType": {
+ "value": "[parameters('linuxVmAuthenticationType')]"
+ },
+ "adminPasswordOrKey": {
+ "value": "[parameters('linuxVmAdminPasswordOrKey')]"
+ },
+ "networkInterfaceName": {
+ "value": "[reference(resourceId('Microsoft.Resources/deployments', 'remoteAccess-linuxNetworkInterface'), '2019-10-01').outputs.name.value]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.4.613.9944",
+ "templateHash": "9484732926763055555"
+ }
+ },
+ "parameters": {
+ "name": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ },
+ "tags": {
+ "type": "object",
+ "defaultValue": {}
+ },
+ "networkInterfaceName": {
+ "type": "string"
+ },
+ "vmSize": {
+ "type": "string"
+ },
+ "osDiskCreateOption": {
+ "type": "string"
+ },
+ "osDiskType": {
+ "type": "string"
+ },
+ "vmImagePublisher": {
+ "type": "string"
+ },
+ "vmImageOffer": {
+ "type": "string"
+ },
+ "vmImageSku": {
+ "type": "string"
+ },
+ "vmImageVersion": {
+ "type": "string"
+ },
+ "adminUsername": {
+ "type": "string"
+ },
+ "authenticationType": {
+ "type": "string",
+ "allowedValues": [
+ "sshPublicKey",
+ "password"
+ ]
+ },
+ "adminPasswordOrKey": {
+ "type": "secureString",
+ "minLength": 14
+ }
+ },
+ "functions": [],
+ "variables": {
+ "linuxConfiguration": {
+ "disablePasswordAuthentication": true,
+ "ssh": {
+ "publicKeys": [
+ {
+ "path": "[format('/home/{0}/.ssh/authorized_keys', parameters('adminUsername'))]",
+ "keyData": "[parameters('adminPasswordOrKey')]"
+ }
+ ]
+ }
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Compute/virtualMachines",
+ "apiVersion": "2020-06-01",
+ "name": "[parameters('name')]",
+ "location": "[parameters('location')]",
+ "tags": "[parameters('tags')]",
+ "properties": {
+ "hardwareProfile": {
+ "vmSize": "[parameters('vmSize')]"
+ },
+ "storageProfile": {
+ "osDisk": {
+ "createOption": "[parameters('osDiskCreateOption')]",
+ "managedDisk": {
+ "storageAccountType": "[parameters('osDiskType')]"
+ }
+ },
+ "imageReference": {
+ "publisher": "[parameters('vmImagePublisher')]",
+ "offer": "[parameters('vmImageOffer')]",
+ "sku": "[parameters('vmImageSku')]",
+ "version": "[parameters('vmImageVersion')]"
+ }
+ },
+ "networkProfile": {
+ "networkInterfaces": [
+ {
+ "id": "[resourceId('Microsoft.Network/networkInterfaces', parameters('networkInterfaceName'))]"
+ }
+ ]
+ },
+ "osProfile": {
+ "computerName": "[parameters('name')]",
+ "adminUsername": "[parameters('adminUsername')]",
+ "adminPassword": "[parameters('adminPasswordOrKey')]",
+ "linuxConfiguration": "[if(equals(parameters('authenticationType'), 'password'), null(), variables('linuxConfiguration'))]"
+ }
+ }
+ }
+ ],
+ "outputs": {
+ "adminUsername": {
+ "type": "string",
+ "value": "[parameters('adminUsername')]"
+ },
+ "authenticationType": {
+ "type": "string",
+ "value": "[parameters('authenticationType')]"
+ }
+ }
+ }
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', 'remoteAccess-linuxNetworkInterface')]"
+ ]
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "remoteAccess-windowsNetworkInterface",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "name": {
+ "value": "[parameters('windowsNetworkInterfaceName')]"
+ },
+ "location": {
+ "value": "[parameters('location')]"
+ },
+ "tags": {
+ "value": "[parameters('tags')]"
+ },
+ "ipConfigurationName": {
+ "value": "[parameters('windowsNetworkInterfaceIpConfigurationName')]"
+ },
+ "networkSecurityGroupId": {
+ "value": "[parameters('hubNetworkSecurityGroupResourceId')]"
+ },
+ "privateIPAddressAllocationMethod": {
+ "value": "[parameters('windowsNetworkInterfacePrivateIPAddressAllocationMethod')]"
+ },
+ "subnetId": {
+ "value": "[parameters('hubSubnetResourceId')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.4.613.9944",
+ "templateHash": "14459425343428091407"
+ }
+ },
+ "parameters": {
+ "name": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ },
+ "tags": {
+ "type": "object",
+ "defaultValue": {}
+ },
+ "ipConfigurationName": {
+ "type": "string"
+ },
+ "subnetId": {
+ "type": "string"
+ },
+ "networkSecurityGroupId": {
+ "type": "string"
+ },
+ "privateIPAddressAllocationMethod": {
+ "type": "string"
+ }
+ },
+ "functions": [],
+ "resources": [
+ {
+ "type": "Microsoft.Network/networkInterfaces",
+ "apiVersion": "2021-02-01",
+ "name": "[parameters('name')]",
+ "location": "[parameters('location')]",
+ "tags": "[parameters('tags')]",
+ "properties": {
+ "ipConfigurations": [
+ {
+ "name": "[parameters('ipConfigurationName')]",
+ "properties": {
+ "subnet": {
+ "id": "[parameters('subnetId')]"
+ },
+ "privateIPAllocationMethod": "[parameters('privateIPAddressAllocationMethod')]"
+ }
+ }
+ ],
+ "networkSecurityGroup": {
+ "id": "[parameters('networkSecurityGroupId')]"
+ }
+ }
+ }
+ ],
+ "outputs": {
+ "id": {
+ "type": "string",
+ "value": "[resourceId('Microsoft.Network/networkInterfaces', parameters('name'))]"
+ },
+ "name": {
+ "type": "string",
+ "value": "[parameters('name')]"
+ }
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "remoteAccess-windowsVirtualMachine",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "name": {
+ "value": "[parameters('windowsVmName')]"
+ },
+ "location": {
+ "value": "[parameters('location')]"
+ },
+ "tags": {
+ "value": "[parameters('tags')]"
+ },
+ "size": {
+ "value": "[parameters('windowsVmSize')]"
+ },
+ "adminUsername": {
+ "value": "[parameters('windowsVmAdminUsername')]"
+ },
+ "adminPassword": {
+ "value": "[parameters('windowsVmAdminPassword')]"
+ },
+ "publisher": {
+ "value": "[parameters('windowsVmPublisher')]"
+ },
+ "offer": {
+ "value": "[parameters('windowsVmOffer')]"
+ },
+ "sku": {
+ "value": "[parameters('windowsVmSku')]"
+ },
+ "version": {
+ "value": "[parameters('windowsVmVersion')]"
+ },
+ "createOption": {
+ "value": "[parameters('windowsVmCreateOption')]"
+ },
+ "storageAccountType": {
+ "value": "[parameters('windowsVmStorageAccountType')]"
+ },
+ "networkInterfaceName": {
+ "value": "[reference(resourceId('Microsoft.Resources/deployments', 'remoteAccess-windowsNetworkInterface'), '2019-10-01').outputs.name.value]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.4.613.9944",
+ "templateHash": "13028397952765670280"
+ }
+ },
+ "parameters": {
+ "name": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ },
+ "tags": {
+ "type": "object",
+ "defaultValue": {}
+ },
+ "networkInterfaceName": {
+ "type": "string"
+ },
+ "size": {
+ "type": "string"
+ },
+ "adminUsername": {
+ "type": "string"
+ },
+ "adminPassword": {
+ "type": "secureString",
+ "minLength": 14
+ },
+ "publisher": {
+ "type": "string"
+ },
+ "offer": {
+ "type": "string"
+ },
+ "sku": {
+ "type": "string"
+ },
+ "version": {
+ "type": "string"
+ },
+ "createOption": {
+ "type": "string"
+ },
+ "storageAccountType": {
+ "type": "string"
+ }
+ },
+ "functions": [],
+ "resources": [
+ {
+ "type": "Microsoft.Compute/virtualMachines",
+ "apiVersion": "2021-04-01",
+ "name": "[parameters('name')]",
+ "location": "[parameters('location')]",
+ "tags": "[parameters('tags')]",
+ "properties": {
+ "hardwareProfile": {
+ "vmSize": "[parameters('size')]"
+ },
+ "osProfile": {
+ "computerName": "[take(parameters('name'), 15)]",
+ "adminUsername": "[parameters('adminUsername')]",
+ "adminPassword": "[parameters('adminPassword')]"
+ },
+ "storageProfile": {
+ "imageReference": {
+ "publisher": "[parameters('publisher')]",
+ "offer": "[parameters('offer')]",
+ "sku": "[parameters('sku')]",
+ "version": "[parameters('version')]"
+ },
+ "osDisk": {
+ "createOption": "[parameters('createOption')]",
+ "managedDisk": {
+ "storageAccountType": "[parameters('storageAccountType')]"
+ }
+ }
+ },
+ "networkProfile": {
+ "networkInterfaces": [
+ {
+ "id": "[resourceId('Microsoft.Network/networkInterfaces', parameters('networkInterfaceName'))]"
+ }
+ ]
+ }
+ }
+ }
+ ]
+ }
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', 'remoteAccess-windowsNetworkInterface')]"
+ ]
+ }
+ ]
+ }
+ },
+ "dependsOn": [
+ "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), parameters('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-hub-{0}', parameters('nowUtc')))]"
+ ]
+ }
+ ],
+ "outputs": {
+ "hubSubscriptionId": {
+ "type": "string",
+ "value": "[parameters('hubSubscriptionId')]"
+ },
+ "hubResourceGroupName": {
+ "type": "string",
+ "value": "[reference(subscriptionResourceId(parameters('hubSubscriptionId'), 'Microsoft.Resources/deployments', format('deploy-hub-rg-{0}', parameters('nowUtc'))), '2019-10-01').outputs.name.value]"
+ },
+ "hubResourceGroupResourceId": {
+ "type": "string",
+ "value": "[reference(subscriptionResourceId(parameters('hubSubscriptionId'), 'Microsoft.Resources/deployments', format('deploy-hub-rg-{0}', parameters('nowUtc'))), '2019-10-01').outputs.id.value]"
+ },
+ "hubVirtualNetworkName": {
+ "type": "string",
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), parameters('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-hub-{0}', parameters('nowUtc'))), '2019-10-01').outputs.virtualNetworkName.value]"
+ },
+ "hubVirtualNetworkResourceId": {
+ "type": "string",
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), parameters('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-hub-{0}', parameters('nowUtc'))), '2019-10-01').outputs.virtualNetworkResourceId.value]"
+ },
+ "hubSubnetName": {
+ "type": "string",
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), parameters('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-hub-{0}', parameters('nowUtc'))), '2019-10-01').outputs.subnetName.value]"
+ },
+ "hubSubnetResourceId": {
+ "type": "string",
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), parameters('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-hub-{0}', parameters('nowUtc'))), '2019-10-01').outputs.subnetResourceId.value]"
+ },
+ "hubSubnetAddressPrefix": {
+ "type": "string",
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), parameters('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-hub-{0}', parameters('nowUtc'))), '2019-10-01').outputs.subnetAddressPrefix.value]"
+ },
+ "hubNetworkSecurityGroupName": {
+ "type": "string",
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), parameters('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-hub-{0}', parameters('nowUtc'))), '2019-10-01').outputs.networkSecurityGroupName.value]"
+ },
+ "hubNetworkSecurityGroupResourceId": {
+ "type": "string",
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), parameters('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-hub-{0}', parameters('nowUtc'))), '2019-10-01').outputs.networkSecurityGroupResourceId.value]"
+ },
+ "hubFirewallPrivateIPAddress": {
+ "type": "string",
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), parameters('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-hub-{0}', parameters('nowUtc'))), '2019-10-01').outputs.firewallPrivateIPAddress.value]"
+ },
+ "logAnalyticsWorkspaceName": {
+ "type": "string",
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('nowUtc'))), '2019-10-01').outputs.name.value]"
+ },
+ "logAnalyticsWorkspaceResourceId": {
+ "type": "string",
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('nowUtc'))), '2019-10-01').outputs.id.value]"
+ },
+ "firewallPrivateIPAddress": {
+ "type": "string",
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), parameters('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-hub-{0}', parameters('nowUtc'))), '2019-10-01').outputs.firewallPrivateIPAddress.value]"
+ },
+ "identitySubscriptionId": {
+ "type": "string",
+ "value": "[parameters('identitySubscriptionId')]"
+ },
+ "identityResourceGroupName": {
+ "type": "string",
+ "value": "[reference(subscriptionResourceId(parameters('identitySubscriptionId'), 'Microsoft.Resources/deployments', format('deploy-identity-rg-{0}', parameters('nowUtc'))), '2019-10-01').outputs.name.value]"
+ },
+ "identityResourceGroupResourceId": {
+ "type": "string",
+ "value": "[reference(subscriptionResourceId(parameters('identitySubscriptionId'), 'Microsoft.Resources/deployments', format('deploy-identity-rg-{0}', parameters('nowUtc'))), '2019-10-01').outputs.id.value]"
+ },
+ "identityVirtualNetworkName": {
+ "type": "string",
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('identitySubscriptionId'), parameters('identityResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-identity-spoke-{0}', parameters('nowUtc'))), '2019-10-01').outputs.virtualNetworkName.value]"
+ },
+ "identityVirtualNetworkResourceId": {
+ "type": "string",
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('identitySubscriptionId'), parameters('identityResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-identity-spoke-{0}', parameters('nowUtc'))), '2019-10-01').outputs.virtualNetworkResourceId.value]"
+ },
+ "identitySubnetName": {
+ "type": "string",
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('identitySubscriptionId'), parameters('identityResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-identity-spoke-{0}', parameters('nowUtc'))), '2019-10-01').outputs.subnetName.value]"
+ },
+ "identitySubnetResourceId": {
+ "type": "string",
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('identitySubscriptionId'), parameters('identityResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-identity-spoke-{0}', parameters('nowUtc'))), '2019-10-01').outputs.subnetResourceId.value]"
+ },
+ "identitySubnetAddressPrefix": {
+ "type": "string",
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('identitySubscriptionId'), parameters('identityResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-identity-spoke-{0}', parameters('nowUtc'))), '2019-10-01').outputs.subnetAddressPrefix.value]"
+ },
+ "identityNetworkSecurityGroupName": {
+ "type": "string",
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('identitySubscriptionId'), parameters('identityResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-identity-spoke-{0}', parameters('nowUtc'))), '2019-10-01').outputs.networkSecurityGroupName.value]"
+ },
+ "identityNetworkSecurityGroupResourceId": {
+ "type": "string",
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('identitySubscriptionId'), parameters('identityResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-identity-spoke-{0}', parameters('nowUtc'))), '2019-10-01').outputs.networkSecurityGroupResourceId.value]"
+ },
+ "operationsSubscriptionId": {
+ "type": "string",
+ "value": "[parameters('operationsSubscriptionId')]"
+ },
+ "operationsResourceGroupName": {
+ "type": "string",
+ "value": "[reference(subscriptionResourceId(parameters('operationsSubscriptionId'), 'Microsoft.Resources/deployments', format('deploy-operations-rg-{0}', parameters('nowUtc'))), '2019-10-01').outputs.name.value]"
+ },
+ "operationsResourceGroupResourceId": {
+ "type": "string",
+ "value": "[reference(subscriptionResourceId(parameters('operationsSubscriptionId'), 'Microsoft.Resources/deployments', format('deploy-operations-rg-{0}', parameters('nowUtc'))), '2019-10-01').outputs.id.value]"
+ },
+ "operationsVirtualNetworkName": {
+ "type": "string",
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-operations-spoke-{0}', parameters('nowUtc'))), '2019-10-01').outputs.virtualNetworkName.value]"
+ },
+ "operationsVirtualNetworkResourceId": {
+ "type": "string",
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-operations-spoke-{0}', parameters('nowUtc'))), '2019-10-01').outputs.virtualNetworkResourceId.value]"
+ },
+ "operationsSubnetName": {
+ "type": "string",
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-operations-spoke-{0}', parameters('nowUtc'))), '2019-10-01').outputs.subnetName.value]"
+ },
+ "operationsSubnetResourceId": {
+ "type": "string",
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-operations-spoke-{0}', parameters('nowUtc'))), '2019-10-01').outputs.subnetResourceId.value]"
+ },
+ "operationsSubnetAddressPrefix": {
+ "type": "string",
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-operations-spoke-{0}', parameters('nowUtc'))), '2019-10-01').outputs.subnetAddressPrefix.value]"
+ },
+ "operationsNetworkSecurityGroupName": {
+ "type": "string",
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-operations-spoke-{0}', parameters('nowUtc'))), '2019-10-01').outputs.networkSecurityGroupName.value]"
+ },
+ "operationsNetworkSecurityGroupResourceId": {
+ "type": "string",
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), parameters('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-operations-spoke-{0}', parameters('nowUtc'))), '2019-10-01').outputs.networkSecurityGroupResourceId.value]"
+ },
+ "sharedServicesSubscriptionId": {
+ "type": "string",
+ "value": "[parameters('sharedServicesSubscriptionId')]"
+ },
+ "sharedServicesResourceGroupName": {
+ "type": "string",
+ "value": "[reference(subscriptionResourceId(parameters('sharedServicesSubscriptionId'), 'Microsoft.Resources/deployments', format('deploy-sharedServices-rg-{0}', parameters('nowUtc'))), '2019-10-01').outputs.name.value]"
+ },
+ "sharedServicesResourceGroupResourceId": {
+ "type": "string",
+ "value": "[reference(subscriptionResourceId(parameters('sharedServicesSubscriptionId'), 'Microsoft.Resources/deployments', format('deploy-sharedServices-rg-{0}', parameters('nowUtc'))), '2019-10-01').outputs.id.value]"
+ },
+ "sharedServicesVirtualNetworkName": {
+ "type": "string",
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('sharedServicesSubscriptionId'), parameters('sharedServicesResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-sharedServices-spoke-{0}', parameters('nowUtc'))), '2019-10-01').outputs.virtualNetworkName.value]"
+ },
+ "sharedServicesVirtualNetworkResourceId": {
+ "type": "string",
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('sharedServicesSubscriptionId'), parameters('sharedServicesResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-sharedServices-spoke-{0}', parameters('nowUtc'))), '2019-10-01').outputs.virtualNetworkResourceId.value]"
+ },
+ "sharedServicesSubnetName": {
+ "type": "string",
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('sharedServicesSubscriptionId'), parameters('sharedServicesResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-sharedServices-spoke-{0}', parameters('nowUtc'))), '2019-10-01').outputs.subnetName.value]"
+ },
+ "sharedServicesSubnetResourceId": {
+ "type": "string",
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('sharedServicesSubscriptionId'), parameters('sharedServicesResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-sharedServices-spoke-{0}', parameters('nowUtc'))), '2019-10-01').outputs.subnetResourceId.value]"
+ },
+ "sharedServicesSubnetAddressPrefix": {
+ "type": "string",
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('sharedServicesSubscriptionId'), parameters('sharedServicesResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-sharedServices-spoke-{0}', parameters('nowUtc'))), '2019-10-01').outputs.subnetAddressPrefix.value]"
+ },
+ "sharedServicesNetworkSecurityGroupName": {
+ "type": "string",
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('sharedServicesSubscriptionId'), parameters('sharedServicesResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-sharedServices-spoke-{0}', parameters('nowUtc'))), '2019-10-01').outputs.networkSecurityGroupName.value]"
+ },
+ "sharedServicesNetworkSecurityGroupResourceId": {
+ "type": "string",
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('sharedServicesSubscriptionId'), parameters('sharedServicesResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-sharedServices-spoke-{0}', parameters('nowUtc'))), '2019-10-01').outputs.networkSecurityGroupResourceId.value]"
+ }
+ }
+}
\ No newline at end of file
diff --git a/src/bicep/modules/bastionHost.bicep b/src/bicep/modules/bastionHost.bicep
new file mode 100644
index 000000000..85f777349
--- /dev/null
+++ b/src/bicep/modules/bastionHost.bicep
@@ -0,0 +1,61 @@
+param name string
+param location string
+param tags object = {}
+
+param virtualNetworkName string
+
+var subnetName = 'AzureBastionSubnet' // The subnet name for Azure Bastion Hosts must be 'AzureBastionSubnet'
+param subnetAddressPrefix string
+
+param publicIPAddressName string
+param publicIPAddressSkuName string
+param publicIPAddressAllocationMethod string
+param publicIPAddressAvailabilityZones array
+
+param ipConfigurationName string
+
+resource publicIPAddress 'Microsoft.Network/publicIPAddresses@2021-02-01' = {
+ name: publicIPAddressName
+ location: location
+ tags: tags
+
+ sku: {
+ name: publicIPAddressSkuName
+ }
+
+ properties: {
+ publicIPAllocationMethod: publicIPAddressAllocationMethod
+ }
+
+ zones: publicIPAddressAvailabilityZones
+}
+
+resource subnet 'Microsoft.Network/virtualNetworks/subnets@2021-02-01' = {
+ name: '${virtualNetworkName}/${subnetName}'
+
+ properties: {
+ addressPrefix: subnetAddressPrefix
+ }
+}
+
+resource bastionHost 'Microsoft.Network/bastionHosts@2021-02-01' = {
+ name: name
+ location: location
+ tags: tags
+
+ properties: {
+ ipConfigurations: [
+ {
+ name: ipConfigurationName
+ properties: {
+ subnet: {
+ id: subnet.id
+ }
+ publicIPAddress: {
+ id: publicIPAddress.id
+ }
+ }
+ }
+ ]
+ }
+}
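Review bot: `publicIPAddressSkuName` and `publicIPAddressAllocationMethod` are unconstrained strings, although Azure Bastion only accepts a Standard-SKU, statically allocated public IP, so a wrong value is caught only at deployment time; `@allowed(['Standard'])` and `@allowed(['Static'])` on the two params, or dropping them and hard-coding the values the way the file already hard-codes `subnetName`, would move that check to compile time and document the constraint. As a point of style, `var subnetName` sits between two `param` declarations; moving it below the parameter block keeps the header scannable. The module also exposes no output, unlike the other modules in this commit; `output id string = bastionHost.id` would let a caller depend on the host.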
diff --git a/src/bicep/modules/centralLogging.bicep b/src/bicep/modules/centralLogging.bicep
new file mode 100644
index 000000000..c19e7d0c0
--- /dev/null
+++ b/src/bicep/modules/centralLogging.bicep
@@ -0,0 +1,48 @@
+// scope
+targetScope = 'subscription'
+
+param diagnosticSettingName string
+param logAnalyticsWorkspaceId string
+
+//// Central activity logging to LAWS
+resource centralLoggingDiagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
+ name: diagnosticSettingName
+ properties: {
+ workspaceId: logAnalyticsWorkspaceId
+ logs: [
+ {
+ category: 'Administrative'
+ enabled: true
+ }
+ {
+ category: 'Security'
+ enabled: true
+ }
+ {
+ category: 'ServiceHealth'
+ enabled: true
+ }
+ {
+ category: 'Alert'
+ enabled: true
+ }
+ {
+ category: 'Recommendation'
+ enabled: true
+ }
+ {
+ category: 'Policy'
+ enabled: true
+ }
+ {
+ category: 'Autoscale'
+ enabled: true
+ }
+ {
+ category: 'ResourceHealth'
+ enabled: true
+ }
+ ]
+ }
+
+}
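Review bot: `logAnalyticsWorkspaceId` receives a full resource id (it is passed straight to `workspaceId`), while the sibling hubNetwork.bicep in this commit calls the same value `logAnalyticsWorkspaceResourceId`; renaming it keeps callers from confusing the workspace customer-id GUID with the ARM resource id. A `@description('Resource id of the Log Analytics workspace that receives the subscription activity log')` decorator on the param would make the expected value explicit. Minor style: a stray blank line precedes the closing brace of the resource, and the `////` comment marker differs from the `//` used two lines above it.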
diff --git a/src/bicep/modules/firewall.bicep b/src/bicep/modules/firewall.bicep
new file mode 100644
index 000000000..f223a1fd8
--- /dev/null
+++ b/src/bicep/modules/firewall.bicep
@@ -0,0 +1,69 @@
+param name string
+param location string = resourceGroup().location
+param tags object = {}
+
+param skuTier string
+param threatIntelMode string
+
+param clientIpConfigurationName string
+param clientIpConfigurationSubnetResourceId string
+param clientIpConfigurationPublicIPAddressResourceId string
+
+param managementIpConfigurationName string
+param managementIpConfigurationSubnetResourceId string
+param managementIpConfigurationPublicIPAddressResourceId string
+
+param firewallPolicyName string
+
+resource firewallPolicy 'Microsoft.Network/firewallPolicies@2021-02-01' = {
+ name: firewallPolicyName
+ location: location
+ tags: tags
+ properties: {
+ threatIntelMode: threatIntelMode
+ sku: {
+ tier: skuTier
+ }
+ }
+}
+
+resource firewall 'Microsoft.Network/azureFirewalls@2021-02-01' = {
+ name: name
+ location: location
+ tags: tags
+
+ properties: {
+ ipConfigurations: [
+ {
+ name: clientIpConfigurationName
+ properties: {
+ subnet: {
+ id: clientIpConfigurationSubnetResourceId
+ }
+ publicIPAddress: {
+ id: clientIpConfigurationPublicIPAddressResourceId
+ }
+ }
+ }
+ ]
+ managementIpConfiguration: {
+ name: managementIpConfigurationName
+ properties: {
+ subnet: {
+ id: managementIpConfigurationSubnetResourceId
+ }
+ publicIPAddress: {
+ id: managementIpConfigurationPublicIPAddressResourceId
+ }
+ }
+ }
+ firewallPolicy: {
+ id: firewallPolicy.id
+ }
+ sku: {
+ tier: skuTier
+ }
+ }
+}
+
+output privateIPAddress string = firewall.properties.ipConfigurations[0].properties.privateIPAddress
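Review bot: `threatIntelMode` and `skuTier` are accepted as free-form strings and are validated only by the resource provider at deployment time; `@allowed(['Alert', 'Deny', 'Off'])` on `threatIntelMode` and `@allowed(['Standard', 'Premium'])` on `skuTier` would reject a typo at compile time. Since the threat-intel mode decides whether traffic matching the known-malicious feed is blocked or merely logged, it also deserves a `@description` stating that `Deny` is the blocking mode and `Alert` is log-only. `tier: skuTier` appears on both the policy and the firewall; presumably the two must match, and a one-line comment saying so would save the next reader a lookup.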
diff --git a/src/bicep/modules/hubNetwork.bicep b/src/bicep/modules/hubNetwork.bicep
new file mode 100644
index 000000000..6cf3720ec
--- /dev/null
+++ b/src/bicep/modules/hubNetwork.bicep
@@ -0,0 +1,241 @@
+param location string = resourceGroup().location
+param tags object = {}
+
+param logStorageAccountName string
+param logStorageSkuName string
+
+param logAnalyticsWorkspaceResourceId string
+
+param virtualNetworkName string
+param virtualNetworkAddressPrefix string
+param virtualNetworkDiagnosticsLogs array
+param virtualNetworkDiagnosticsMetrics array
+
+param networkSecurityGroupName string
+param networkSecurityGroupRules array
+
+param subnetName string
+param subnetAddressPrefix string
+param subnetServiceEndpoints array
+
+param routeTableName string = '${subnetName}-routetable'
+param routeTableRouteName string = 'default_route'
+param routeTableRouteAddressPrefix string = '0.0.0.0/0'
+param routeTableRouteNextHopType string = 'VirtualAppliance'
+
+param firewallName string
+param firewallSkuTier string
+param firewallPolicyName string
+param firewallThreatIntelMode string
+param firewallClientIpConfigurationName string
+param firewallClientSubnetName string
+param firewallClientSubnetAddressPrefix string
+param firewallClientSubnetServiceEndpoints array
+param firewallClientPublicIPAddressName string
+param firewallClientPublicIPAddressSkuName string
+param firewallClientPublicIpAllocationMethod string
+param firewallClientPublicIPAddressAvailabilityZones array
+param firewallManagementIpConfigurationName string
+param firewallManagementSubnetName string
+param firewallManagementSubnetAddressPrefix string
+param firewallManagementSubnetServiceEndpoints array
+param firewallManagementPublicIPAddressName string
+param firewallManagementPublicIPAddressSkuName string
+param firewallManagementPublicIpAllocationMethod string
+param firewallManagementPublicIPAddressAvailabilityZones array
+
+var defaultVirtualNewtorkDiagnosticsLogs = [
+ // TODO: 'VMProtectionAlerts' is not supported in AzureUsGovernment
+ // {
+ // category: 'VMProtectionAlerts'
+ // enabled: true
+ // }
+]
+
+var defaultVirtualNetworkDiagnosticsMetrics = [
+ {
+ category: 'AllMetrics'
+ enabled: true
+ }
+]
+
+var defaultSubnetServiceEndpoints = [
+ {
+ service: 'Microsoft.Storage'
+ }
+]
+
+var defaultNetworkSecurityGroupRules = [
+ {
+ name: 'allow_ssh'
+ properties: {
+ description: 'Allow SSH access from anywhere'
+ access: 'Allow'
+ priority: 100
+ protocol: 'Tcp'
+ direction: 'Inbound'
+ sourcePortRange: '*'
+ sourceAddressPrefix: '*'
+ destinationPortRange: '22'
+ destinationAddressPrefix: '*'
+ }
+ }
+ {
+ name: 'allow_rdp'
+ properties: {
+ description: 'Allow RDP access from anywhere'
+ access: 'Allow'
+ priority: 200
+ protocol: 'Tcp'
+ direction: 'Inbound'
+ sourcePortRange: '*'
+ sourceAddressPrefix: '*'
+ destinationPortRange: '3389'
+ destinationAddressPrefix: '*'
+ }
+ }
+]
+
+module logStorage './storageAccount.bicep' = {
+ name: 'logStorage'
+ params: {
+ storageAccountName: logStorageAccountName
+ location: location
+ skuName: logStorageSkuName
+ tags: tags
+ }
+}
+
+module networkSecurityGroup './networkSecurityGroup.bicep' = {
+ name: 'networkSecurityGroup'
+ params: {
+ name: networkSecurityGroupName
+ location: location
+ tags: tags
+
+ securityRules: empty(networkSecurityGroupRules) ? defaultNetworkSecurityGroupRules : networkSecurityGroupRules
+ }
+}
+
+module virtualNetwork './virtualNetwork.bicep' = {
+ name: 'virtualNetwork'
+ params: {
+ name: virtualNetworkName
+ location: location
+ tags: tags
+
+ addressPrefix: virtualNetworkAddressPrefix
+
+ diagnosticsLogs: empty(virtualNetworkDiagnosticsLogs) ? defaultVirtualNewtorkDiagnosticsLogs : virtualNetworkDiagnosticsLogs
+ diagnosticsMetrics: empty(virtualNetworkDiagnosticsMetrics) ? defaultVirtualNetworkDiagnosticsMetrics : virtualNetworkDiagnosticsMetrics
+
+ subnets: [
+ {
+ name: firewallClientSubnetName
+ properties: {
+ addressPrefix: firewallClientSubnetAddressPrefix
+ serviceEndpoints: firewallClientSubnetServiceEndpoints
+ }
+ }
+ {
+ name: firewallManagementSubnetName
+ properties: {
+ addressPrefix: firewallManagementSubnetAddressPrefix
+ serviceEndpoints: firewallManagementSubnetServiceEndpoints
+ }
+ }
+ ]
+
+ logAnalyticsWorkspaceResourceId: logAnalyticsWorkspaceResourceId
+ logStorageAccountResourceId: logStorage.outputs.id
+ }
+}
+
+module routeTable './routeTable.bicep' = {
+ name: 'routeTable'
+ params: {
+ name: routeTableName
+ location: location
+ tags: tags
+
+ routeName: routeTableRouteName
+ routeAddressPrefix: routeTableRouteAddressPrefix
+ routeNextHopIpAddress: firewall.outputs.privateIPAddress
+ routeNextHopType: routeTableRouteNextHopType
+ }
+}
+
+resource subnet 'Microsoft.Network/virtualNetworks/subnets@2021-02-01' = {
+ name: '${virtualNetworkName}/${subnetName}'
+ properties: {
+ addressPrefix: subnetAddressPrefix
+ networkSecurityGroup: {
+ id: networkSecurityGroup.outputs.id
+ }
+ routeTable: {
+ id: routeTable.outputs.id
+ }
+ serviceEndpoints: empty(subnetServiceEndpoints) ? defaultSubnetServiceEndpoints : subnetServiceEndpoints
+ }
+ dependsOn: [
+ virtualNetwork
+ firewall
+ ]
+}
+
+module firewallClientPublicIPAddress './publicIPAddress.bicep' = {
+ name: 'firewallClientPublicIPAddress'
+ params: {
+ name: firewallClientPublicIPAddressName
+ location: location
+ tags: tags
+
+ skuName: firewallClientPublicIPAddressSkuName
+ publicIpAllocationMethod: firewallClientPublicIpAllocationMethod
+ availabilityZones: firewallClientPublicIPAddressAvailabilityZones
+ }
+}
+
+module firewallManagementPublicIPAddress './publicIPAddress.bicep' = {
+ name: 'firewallManagementPublicIPAddress'
+ params: {
+ name: firewallManagementPublicIPAddressName
+ location: location
+ tags: tags
+
+ skuName: firewallManagementPublicIPAddressSkuName
+ publicIpAllocationMethod: firewallManagementPublicIpAllocationMethod
+ availabilityZones: firewallManagementPublicIPAddressAvailabilityZones
+ }
+}
+
+module firewall './firewall.bicep' = {
+ name: 'firewall'
+ params: {
+ name: firewallName
+ location: location
+ tags: tags
+
+ skuTier: firewallSkuTier
+
+ firewallPolicyName: firewallPolicyName
+ threatIntelMode: firewallThreatIntelMode
+
+ clientIpConfigurationName: firewallClientIpConfigurationName
+ clientIpConfigurationSubnetResourceId: '${virtualNetwork.outputs.id}/subnets/${firewallClientSubnetName}'
+ clientIpConfigurationPublicIPAddressResourceId: firewallClientPublicIPAddress.outputs.id
+
+ managementIpConfigurationName: firewallManagementIpConfigurationName
+ managementIpConfigurationSubnetResourceId: '${virtualNetwork.outputs.id}/subnets/${firewallManagementSubnetName}'
+ managementIpConfigurationPublicIPAddressResourceId: firewallManagementPublicIPAddress.outputs.id
+ }
+}
+
+output virtualNetworkName string = virtualNetwork.outputs.name
+output virtualNetworkResourceId string = virtualNetwork.outputs.id
+output subnetName string = subnet.name
+output subnetAddressPrefix string = subnet.properties.addressPrefix
+output subnetResourceId string = subnet.id
+output networkSecurityGroupName string = networkSecurityGroup.outputs.name
+output networkSecurityGroupResourceId string = networkSecurityGroup.outputs.id
+output firewallPrivateIPAddress string = firewall.outputs.privateIPAddress
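Review bot: `defaultNetworkSecurityGroupRules` permits inbound TCP 22 and 3389 from any source (`sourceAddressPrefix: '*'`) and is attached to the hub subnet whenever the caller passes an empty `networkSecurityGroupRules`, so the "use the defaults" path is the one that allows SSH and RDP from anywhere; the same commit adds a Bastion module as the intended management path, so the default should carry no inbound allow rules, e.g. `var defaultNetworkSecurityGroupRules = []`, with permissive rules supplied explicitly through the parameter by environments that need them. A secondary point: the variable is spelt `defaultVirtualNewtorkDiagnosticsLogs` at its declaration and its use in the `virtualNetwork` module, and the public IP parameters mix `PublicIPAddress…` and `PublicIp…` spellings (`firewallClientPublicIpAllocationMethod` next to `firewallClientPublicIPAddressSkuName`). The `TODO` about `VMProtectionAlerts` leaves the default diagnostics-logs array empty, which is worth stating in a `@description` on `virtualNetworkDiagnosticsLogs` so callers know an empty value means no log categories rather than a sensible default.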
diff --git a/src/bicep/modules/hubNetworkPeerings.bicep b/src/bicep/modules/hubNetworkPeerings.bicep
new file mode 100644
index 000000000..62f9d00c5
--- /dev/null
+++ b/src/bicep/modules/hubNetworkPeerings.bicep
@@ -0,0 +1,37 @@
+targetScope = 'subscription'
+
+param hubResourceGroupName string
+param hubVirtualNetworkName string
+param identityVirtualNetworkName string
+param identityVirtualNetworkResourceId string
+param operationsVirtualNetworkName string
+param operationsVirtualNetworkResourceId string
+param sharedServicesVirtualNetworkName string
+param sharedServicesVirtualNetworkResourceId string
+
+module hubToIdentityVirtualNetworkPeering './virtualNetworkPeering.bicep' = {
+ scope: resourceGroup(hubResourceGroupName)
+ name: 'hubToIdentityVirtualNetworkPeering'
+ params: {
+ name: '${hubVirtualNetworkName}/to-${identityVirtualNetworkName}'
+ remoteVirtualNetworkResourceId: identityVirtualNetworkResourceId
+ }
+}
+
+module hubToOperationsVirtualNetworkPeering './virtualNetworkPeering.bicep' = {
+ scope: resourceGroup(hubResourceGroupName)
+ name: 'hubToOperationsVirtualNetworkPeering'
+ params: {
+ name: '${hubVirtualNetworkName}/to-${operationsVirtualNetworkName}'
+ remoteVirtualNetworkResourceId: operationsVirtualNetworkResourceId
+ }
+}
+
+module hubToSharedServicesVirtualNetworkPeering './virtualNetworkPeering.bicep' = {
+ scope: resourceGroup(hubResourceGroupName)
+ name: 'hubToSharedServicesVirtualNetworkPeering'
+ params: {
+ name: '${hubVirtualNetworkName}/to-${sharedServicesVirtualNetworkName}'
+ remoteVirtualNetworkResourceId: sharedServicesVirtualNetworkResourceId
+ }
+}
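Review bot: The three module blocks differ only in the spoke name and resource id, so a single module with a `for` loop over an array of spoke descriptors keeps the peerings in lock-step and makes adding a spoke a data change rather than a copy-paste; this is a point of style, the deployed result is the same, and it assumes the Bicep version in use supports module loops. Whichever form is kept, the file exposes no outputs, so a caller cannot take a dependency on a specific peering; an output per peering would match the other modules in this commit.
```bicep
var spokes = [
  {
    key: 'Identity'
    name: identityVirtualNetworkName
    resourceId: identityVirtualNetworkResourceId
  }
  {
    key: 'Operations'
    name: operationsVirtualNetworkName
    resourceId: operationsVirtualNetworkResourceId
  }
  {
    key: 'SharedServices'
    name: sharedServicesVirtualNetworkName
    resourceId: sharedServicesVirtualNetworkResourceId
  }
]

module hubToSpokeVirtualNetworkPeering './virtualNetworkPeering.bicep' = [for spoke in spokes: {
  scope: resourceGroup(hubResourceGroupName)
  name: 'hubTo${spoke.key}VirtualNetworkPeering'
  params: {
    name: '${hubVirtualNetworkName}/to-${spoke.name}'
    remoteVirtualNetworkResourceId: spoke.resourceId
  }
}]
```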
diff --git a/src/bicep/modules/linuxVirtualMachine.bicep b/src/bicep/modules/linuxVirtualMachine.bicep
new file mode 100644
index 000000000..6619b1929
--- /dev/null
+++ b/src/bicep/modules/linuxVirtualMachine.bicep
@@ -0,0 +1,80 @@
+param name string
+param location string
+param tags object = {}
+
+param networkInterfaceName string
+
+param vmSize string
+param osDiskCreateOption string
+param osDiskType string
+param vmImagePublisher string
+param vmImageOffer string
+param vmImageSku string
+param vmImageVersion string
+param adminUsername string
+@allowed([
+ 'sshPublicKey'
+ 'password'
+])
+param authenticationType string
+@secure()
+@minLength(14)
+param adminPasswordOrKey string
+
+var linuxConfiguration = {
+ disablePasswordAuthentication: true
+ ssh: {
+ publicKeys: [
+ {
+ path: '/home/${adminUsername}/.ssh/authorized_keys'
+ keyData: adminPasswordOrKey
+ }
+ ]
+ }
+}
+
+resource networkInterface 'Microsoft.Network/networkInterfaces@2021-02-01' existing = {
+ name: networkInterfaceName
+}
+
+resource virtualMachine 'Microsoft.Compute/virtualMachines@2020-06-01' = {
+ name: name
+ location: location
+ tags: tags
+
+ properties: {
+ hardwareProfile: {
+ vmSize: vmSize
+ }
+ storageProfile: {
+ osDisk: {
+ createOption: osDiskCreateOption
+ managedDisk: {
+ storageAccountType: osDiskType
+ }
+ }
+ imageReference: {
+ publisher: vmImagePublisher
+ offer: vmImageOffer
+ sku: vmImageSku
+ version: vmImageVersion
+ }
+ }
+ networkProfile: {
+ networkInterfaces: [
+ {
+ id: networkInterface.id
+ }
+ ]
+ }
+ osProfile: {
+ computerName: name
+ adminUsername: adminUsername
+ adminPassword: adminPasswordOrKey
+ linuxConfiguration: ((authenticationType == 'password') ? null : linuxConfiguration)
+ }
+ }
+}
+
+output adminUsername string = adminUsername
+output authenticationType string = authenticationType
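Review bot: `osProfile.adminPassword` is set to `adminPasswordOrKey` regardless of `authenticationType`, so when SSH key authentication is selected the public key is also submitted in the password field; the deployment presumably succeeds because `disablePasswordAuthentication` is `true` on that path, but the key should not travel as a password at all — `adminPassword: ((authenticationType == 'password') ? adminPasswordOrKey : null)` mirrors the existing conditional on `linuxConfiguration`. `@minLength(14)` applies to both forms of the secret, which is the intended floor for a password but says nothing useful about a key, and a comment on the decorator should state that. When `linuxConfiguration` is `null` the platform default for `disablePasswordAuthentication` applies, which is what the password path relies on; a one-line comment there would make that intent explicit. `output adminUsername` lands in deployment history, which is readable by anyone who can read the deployment, so keep it only if the username is not considered sensitive in this environment.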
diff --git a/src/bicep/modules/logAnalyticsWorkspace.bicep b/src/bicep/modules/logAnalyticsWorkspace.bicep
new file mode 100644
index 000000000..89d00827c
--- /dev/null
+++ b/src/bicep/modules/logAnalyticsWorkspace.bicep
@@ -0,0 +1,35 @@
+param name string
+param location string
+param tags object = {}
+param retentionInDays int = 30
+param skuName string = 'PerGB2018'
+param workspaceCappingDailyQuotaGb int = -1
+param deploySentinel bool = false
+
+resource logAnalyticsWorkspace 'Microsoft.OperationalInsights/workspaces@2021-06-01' = {
+ name: name
+ location: location
+ tags: tags
+ properties: {
+ retentionInDays: retentionInDays
+ sku:{
+ name: skuName
+ }
+ workspaceCapping: {
+ dailyQuotaGb: workspaceCappingDailyQuotaGb
+ }
+ }
+}
+
+//// sentinel
+module sentinelSolution './sentinelSolution.bicep' = if (deploySentinel) {
+ name: 'sentinelSolution'
+ params: {
+ workspaceName: logAnalyticsWorkspace.name
+ workspaceLocation: location
+ tags: tags
+ }
+}
+
+output id string = logAnalyticsWorkspace.id
+output name string = logAnalyticsWorkspace.name
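Review bot: `retentionInDays` defaults to 30 and `workspaceCappingDailyQuotaGb` to -1 (no cap), and neither default is documented; a `@description` on each, plus `@minValue(30)` and `@maxValue(730)` on `retentionInDays` (as far as I know the range the PerGB2018 tier accepts), would make the retention choice visible to callers, since 30 days is often shorter than the audit-log retention a compliance-focused landing zone has to meet. Minor style: `sku:{` lacks the space after the colon used everywhere else in the file, and `//// sentinel` uses a different comment marker than `//`.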
diff --git a/src/bicep/modules/networkInterface.bicep b/src/bicep/modules/networkInterface.bicep
new file mode 100644
index 000000000..b94decb03
--- /dev/null
+++ b/src/bicep/modules/networkInterface.bicep
@@ -0,0 +1,34 @@
+param name string
+param location string
+param tags object = {}
+
+param ipConfigurationName string
+param subnetId string
+param networkSecurityGroupId string
+param privateIPAddressAllocationMethod string
+
+resource networkInterface 'Microsoft.Network/networkInterfaces@2021-02-01' = {
+ name: name
+ location: location
+ tags: tags
+
+ properties: {
+ ipConfigurations: [
+ {
+ name: ipConfigurationName
+ properties: {
+ subnet: {
+ id: subnetId
+ }
+ privateIPAllocationMethod: privateIPAddressAllocationMethod
+ }
+ }
+ ]
+ networkSecurityGroup: {
+ id: networkSecurityGroupId
+ }
+ }
+}
+
+output id string = networkInterface.id
+output name string = networkInterface.name
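Review bot: `subnetId` and `networkSecurityGroupId` carry full resource ids, while the sibling modules in this commit name the same kind of value `…SubnetResourceId` and `…NetworkSecurityGroupResourceId` (firewall.bicep, hubNetwork.bicep); renaming them to `subnetResourceId` and `networkSecurityGroupResourceId` keeps the parameter vocabulary consistent across modules. `privateIPAddressAllocationMethod` is a free-form string; `@allowed(['Dynamic', 'Static'])` would catch a typo at compile time instead of at deployment.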
diff --git a/src/bicep/modules/networkSecurityGroup.bicep b/src/bicep/modules/networkSecurityGroup.bicep
new file mode 100644
index 000000000..06bd1422c
--- /dev/null
+++ b/src/bicep/modules/networkSecurityGroup.bicep
@@ -0,0 +1,18 @@
+param name string
+param location string
+param tags object = {}
+
+param securityRules array
+
+resource networkSecurityGroup 'Microsoft.Network/networkSecurityGroups@2021-02-01' = {
+ name: name
+ location: location
+ tags: tags
+
+ properties: {
+ securityRules: securityRules
+ }
+}
+
+output id string = networkSecurityGroup.id
+output name string = networkSecurityGroup.name
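Review bot: `securityRules` is passed through untouched and has no `@description`, so nothing in the module tells a caller the expected element shape or that an empty array yields an NSG carrying only the platform default rules; a decorator such as `@description('Array of securityRules objects ({ name, properties: { access, direction, priority, protocol, source/destination prefixes and ports } }); an empty array deploys only the default rules')` would cover both.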
diff --git a/src/bicep/modules/policies/CMMC-policyAssignmentParameters.json b/src/bicep/modules/policies/CMMC-policyAssignmentParameters.json
new file mode 100644
index 000000000..1aafef0e5
--- /dev/null
+++ b/src/bicep/modules/policies/CMMC-policyAssignmentParameters.json
@@ -0,0 +1,410 @@
+{
+ "logAnalyticsWorkspaceId-f47b5582-33ec-4c5c-87c0-b010a6b2e917" : {
+ "value" : ""
+ },
+ "effect-09024ccc-0c5f-475e-9457-b7c0d9ed487b" : {
+ "value" : "AuditIfNotExists"
+ },
+ "MembersToExclude-69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f" :{
+ "value": ""
+ },
+ "MembersToInclude-30f71ea1-ac77-4f26-9fc5-2d926bbd4ba7": {
+ "value": ""
+ },
+ "effect-0961003e-5a0a-4549-abde-af6a37f2724d" : {
+ "value" : "AuditIfNotExists"
+ },
+ "effect-0b15565f-aa9e-48ba-8619-45960f2c314d" : {
+ "value" : "AuditIfNotExists"
+ },
+ "effect-0e60b895-3786-45da-8377-9c6b4b6ac5f9" : {
+ "value" : "AuditIfNotExists"
+ },
+ "effect-17k78e20-9358-41c9-923c-fb736d382a12" : {
+ "value" : "AuditIfNotExists"
+ },
+ "effect-1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba" : {
+ "value" : "AuditIfNotExists"
+ },
+ "PHPLatestVersion" : {
+ "value" : "7.3"
+ },
+ "effect-22bee202-a82f-4305-9a2a-6d7f44d4dedb" : {
+ "value" : "Audit"
+ },
+ "effect-26a828e1-e88f-464e-bbb3-c134a282b9de" : {
+ "value" : "AuditIfNotExists"
+ },
+ "effect-34c877ad-507e-4c82-993e-3452a6e0ad3c" : {
+ "value" : "Audit"
+ },
+ "effect-3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4" : {
+ "value" : "AuditIfNotExists"
+ },
+ "effect-404c3081-a854-4457-ae30-26a93ef643f9" : {
+ "value" : "Audit"
+ },
+ "effect-47a6b606-51aa-4496-8bb7-64b11cf66adc" : {
+ "value" : "AuditIfNotExists"
+ },
+ "effect-496223c3-ad65-4ecd-878a-bae78737e9ed" : {
+ "value" : "AuditIfNotExists"
+ },
+ "JavaLatestVersion" : {
+ "value" : "11"
+ },
+ "effect-4f11b553-d42e-4e3a-89be-32ca364cad4c" : {
+ "value" : "AuditIfNotExists"
+ },
+ "effect-4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7" : {
+ "value" : "AuditIfNotExists"
+ },
+ "effect-5c607a2e-c700-4744-8254-d77e7c9eb5e4" : {
+ "value" : "AuditIfNotExists"
+ },
+ "effect-5f76cf89-fbf2-47fd-a3f4-b891fa780b60" : {
+ "value" : "AuditIfNotExists"
+ },
+ "effect-6b1cbf55-e8b6-442f-ba4c-7246b6381474" : {
+ "value" : "AuditIfNotExists"
+ },
+ "effect-6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab" : {
+ "value" : "Audit"
+ },
+ "effect-7008174a-fd10-4ef0-817e-fc820a951d73" : {
+ "value" : "AuditIfNotExists"
+ },
+ "LinuxPythonLatestVersion" : {
+ "value" : "3.8"
+ },
+ "effect-7238174a-fd10-4ef0-817e-fc820a951d73" : {
+ "value" : "AuditIfNotExists"
+ },
+ "effect-7261b898-8a84-4db8-9e04-18527132abb3" : {
+ "value" : "AuditIfNotExists"
+ },
+ "effect-74c3584d-afae-46f7-a20a-6f8adba71a16" : {
+ "value" : "AuditIfNotExists"
+ },
+ "effect-86b3d65f-7626-441e-b690-81a8b71cff60" : {
+ "value" : "AuditIfNotExists"
+ },
+ "effect-88999f4c-376a-45c8-bcb3-4058f713cf39" : {
+ "value" : "AuditIfNotExists"
+ },
+ "effect-8c122334-9d20-4eb8-89ea-ac9a705b74ae" : {
+ "value" : "AuditIfNotExists"
+ },
+ "effect-8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e" : {
+ "value" : "AuditIfNotExists"
+ },
+ "effect-9297c21d-2ed6-4474-b48f-163f75654ce3" : {
+ "value" : "AuditIfNotExists"
+ },
+ "effect-991310cd-e9f3-47bc-b7b6-f57b557d07db" : {
+ "value" : "AuditIfNotExists"
+ },
+ "effect-9b597639-28e4-48eb-b506-56b05d366257" : {
+ "value" : "AuditIfNotExists"
+ },
+ "effect-9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc" : {
+ "value" : "AuditIfNotExists"
+ },
+ "effect-9daedab3-fb2d-461e-b861-71790eead4f6" : {
+ "value" : "AuditIfNotExists"
+ },
+ "effect-a4af4a39-4135-47fb-b175-47fbdf85311d" : {
+ "value" : "Audit"
+ },
+ "effect-a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9" : {
+ "value" : "AuditIfNotExists"
+ },
+ "setting-a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9" : {
+ "value" : "enabled"
+ },
+ "effect-a70ca396-0a34-413a-88e1-b956c1e683be" : {
+ "value" : "AuditIfNotExists"
+ },
+ "effect-aa633080-8b72-40c4-a2d7-d00c03e80bed" : {
+ "value" : "AuditIfNotExists"
+ },
+ "effect-abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9" : {
+ "value" : "AuditIfNotExists"
+ },
+ "effect-abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9" : {
+ "value" : "AuditIfNotExists"
+ },
+ "effect-af6cd1bd-1635-48cb-bde7-5b15693900b9" : {
+ "value" : "AuditIfNotExists"
+ },
+ "resourceGroupName-b6e2945c-0b7b-40f5-9233-7a5323b5cdc6" : {
+ "value" : "NetworkWatcherRG"
+ },
+ "effect-b7ddfbdc-1260-477d-91fd-98bd9be789a6" : {
+ "value" : "Audit"
+ },
+ "effect-c3f317a7-a95c-4547-b7e7-11017ebdf2fe" : {
+ "value" : "AuditIfNotExists"
+ },
+ "effect-cb510bfd-1cba-4d9f-a230-cb0976f4bb71" : {
+ "value" : "AuditIfNotExists"
+ },
+ "effect-e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15" : {
+ "value" : "AuditIfNotExists"
+ },
+ "effect-e2c1c086-2d84-4019-bff3-c44ccd95113c" : {
+ "value" : "AuditIfNotExists"
+ },
+ "effect-e3576e28-8b17-4677-84c3-db2990658d64" : {
+ "value" : "AuditIfNotExists"
+ },
+ "effect-e8cbc669-f12d-49eb-93e7-9273119e9933" : {
+ "value" : "AuditIfNotExists"
+ },
+ "effect-e9c8d085-d9cc-4b17-9cdc-059f1f01f19e" : {
+ "value" : "AuditIfNotExists"
+ },
+ "effect-ebb62a0c-3560-49e1-89ed-27e074e9f8ad" : {
+ "value" : "AuditIfNotExists"
+ },
+ "effect-efbde977-ba53-4479-b8e9-10b957924fbf" : {
+ "value" : "AuditIfNotExists"
+ },
+ "effect-f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b" : {
+ "value" : "AuditIfNotExists"
+ },
+ "effect-f6de0be7-9a8a-4b8a-b349-43cf02d22f7c" : {
+ "value" : "AuditIfNotExists"
+ },
+ "effect-f8456c1c-aa66-4dfb-861a-25d127b775c9" : {
+ "value" : "AuditIfNotExists"
+ },
+ "effect-f9d614c5-c173-4d56-95a7-b4437057d193" : {
+ "value" : "AuditIfNotExists"
+ },
+ "effect-fb893a29-21bb-418c-a157-e99480ec364c" : {
+ "value" : "Audit"
+ },
+ "effect-feedbf84-6b99-488c-acc2-71c829aa5ffc" : {
+ "value" : "AuditIfNotExists"
+ },
+ "effect-3b980d31-7904-4bb7-8575-5665739a8052" : {
+ "value" : "AuditIfNotExists"
+ },
+ "effect-6e2593d9-add6-4083-9c9b-4b7d2188c899" : {
+ "value" : "AuditIfNotExists"
+ },
+ "effect-b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0" : {
+ "value" : "AuditIfNotExists"
+ },
+ "effect-12430be1-6cc8-4527-a9a8-e3d38f250096" : {
+ "value" : "Audit"
+ },
+ "modeRequirement-12430be1-6cc8-4527-a9a8-e3d38f250096" : {
+ "value" : "Detection"
+ },
+ "effect-425bea59-a659-4cbb-8d31-34499bd030b8" : {
+ "value" : "Audit"
+ },
+ "modeRequirement-425bea59-a659-4cbb-8d31-34499bd030b8" : {
+ "value" : "Detection"
+ },
+ "effect-564feb30-bf6a-4854-b4bb-0d2d2d1e6c66" : {
+ "value" : "Audit"
+ },
+ "effect-055aa869-bc98-4af8-bafc-23f1ab6ffe2c" : {
+ "value" : "Audit"
+ },
+ "effect-013e242c-8828-4970-87b3-ab247555486d" : {
+ "value" : "AuditIfNotExists"
+ },
+ "effect-d38fc420-0735-4ef3-ac11-c806f651a570" : {
+ "value" : "AuditIfNotExists"
+ },
+ "effect-a1181c5f-672a-477a-979a-7d58aa086233" : {
+ "value" : "Audit"
+ },
+ "effect-308fbb08-4ab8-4e67-9b29-592e93fb94fa" : {
+ "value" : "AuditIfNotExists"
+ },
+ "effect-4da35fc9-c9e7-4960-aec9-797fe7d9051d" : {
+ "value" : "AuditIfNotExists"
+ },
+ "effect-523b5cd1-3e23-492f-a539-13118b6d1e3a" : {
+ "value" : "AuditIfNotExists"
+ },
+ "effect-7fe3b40f-802b-4cdd-8bd4-fd799c948cc2" : {
+ "value" : "AuditIfNotExists"
+ },
+ "effect-c25d9a16-bc35-4e15-a7e5-9db606bf9ed4" : {
+ "value" : "AuditIfNotExists"
+ },
+ "effect-b0f33259-77d7-4c9e-aac6-3aabcfae693c" : {
+ "value" : "AuditIfNotExists"
+ },
+ "effect-037eea7a-bd0a-46c5-9a66-03aea78705d3" : {
+ "value" : "Audit"
+ },
+ "effect-0725b4dd-7e76-479c-a735-68e7ee23d5ca" : {
+ "value" : "Audit"
+ },
+ "effect-0820b7b9-23aa-4725-a1ce-ae4558f718e5" : {
+ "value" : "AuditIfNotExists"
+ },
+ "effect-2c89a2e5-7285-40fe-afe0-ae8654b92fab" : {
+ "value" : "Audit"
+ },
+ "effect-358c20a6-3f9e-4f0e-97ff-c6ce485e2aac" : {
+ "value" : "AuditIfNotExists"
+ },
+ "effect-5744710e-cc2f-4ee8-8809-3b11e89f4bc9" : {
+ "value" : "AuditIfNotExists"
+ },
+ "effect-ac4a19c2-fa67-49b4-8ae5-0b2e78c49457" : {
+ "value" : "Audit"
+ },
+ "effect-c9d007d0-c057-4772-b18c-01e546713bcd" : {
+ "value" : "Audit"
+ },
+ "effect-d0793b48-0edc-4296-a390-4c75d1bdfd71" : {
+ "value" : "Audit"
+ },
+ "effect-e372f825-a257-4fb8-9175-797a8a8627d6" : {
+ "value" : "Audit"
+ },
+ "effect-d158790f-bfb0-486c-8631-2dc6b4e8e6af" : {
+ "value" : "Audit"
+ },
+ "effect-e802a67a-daf5-4436-9ea6-f6d821dd0c5d" : {
+ "value" : "Audit"
+ },
+ "effect-a451c1ef-c6ca-483d-87ed-f49761e3ffb5" : {
+ "value" : "Audit"
+ },
+ "effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftSql-servers-firewallRules-delete" : {
+ "value" : "AuditIfNotExists"
+ },
+ "effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftNetwork-networkSecurityGroups-delete" : {
+ "value" : "AuditIfNotExists"
+ },
+ "effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftClassicNetwork-networkSecurityGroups-delete" : {
+ "value" : "AuditIfNotExists"
+ },
+ "effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftNetwork-networkSecurityGroups-securityRules-delete" : {
+ "value" : "AuditIfNotExists"
+ },
+ "effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftClassicNetwork-networkSecurityGroups-securityRules-delete" : {
+ "value" : "AuditIfNotExists"
+ },
+ "effect-ae89ebca-1c92-4898-ac2c-9f63decb045c" : {
+ "value" : "AuditIfNotExists"
+ },
+ "effect-d26f7642-7545-4e18-9b75-8c9bbdee3a9a" : {
+ "value" : "AuditIfNotExists"
+ },
+ "effect-1a4e592a-6a6e-44a5-9814-e36264ca96e7" : {
+ "value" : "AuditIfNotExists"
+ },
+ "effect-7796937f-307b-4598-941c-67d3a05ebfe7" : {
+ "value" : "AuditIfNotExists"
+ },
+ "effect-c5447c04-a4d7-4ba8-a263-c9ee321a6858" : {
+ "value" : "AuditIfNotExists"
+ },
+ "effect-41388f1c-2db0-4c25-95b2-35d7f5ccbfa9" : {
+ "value" : "AuditIfNotExists"
+ },
+ "effect-b02aacc0-b073-424e-8298-42b22829ee0a" : {
+ "value" : "AuditIfNotExists"
+ },
+ "effect-057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9" : {
+ "value" : "AuditIfNotExists"
+ },
+ "effect-0ec47710-77ff-4a3d-9181-6aa50af424d0" : {
+ "value" : "Audit"
+ },
+ "effect-48af4db5-9b8b-401c-8e74-076be876a430" : {
+ "value" : "Audit"
+ },
+ "effect-82339799-d096-41ae-8538-b108becf0970" : {
+ "value" : "Audit"
+ },
+ "effect-1b7aa243-30e4-4c9e-bca8-d0d3022b634a" : {
+ "value" : "AuditIfNotExists"
+ },
+ "effect-ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9" : {
+ "value" : "AuditIfNotExists"
+ },
+ "effect-bb91dfba-c30d-4263-9add-9c2384e659a6" : {
+ "value" : "AuditIfNotExists"
+ },
+ "effect-e71308d3-144b-4262-b144-efdc3cc90517" : {
+ "value" : "AuditIfNotExists"
+ },
+ "effect-2bdd0062-9d75-436e-89df-487dd8e4b3c7" : {
+ "value" : "Disabled"
+ },
+ "effect-4733ea7b-a883-42fe-8cac-97454c2a9e4a" : {
+ "value" : "Audit"
+ },
+ "effect-67121cc7-ff39-4ab8-b7e3-95b84dab487d" : {
+ "value" : "Audit"
+ },
+ "effect-6fac406b-40ca-413b-bf8e-0bf964659c25" : {
+ "value" : "Audit"
+ },
+ "effect-81e74cea-30fd-40d5-802f-d72103c2aaaa" : {
+ "value" : "Audit"
+ },
+ "effect-c349d81b-9985-44ae-a8da-ff98d108ede8" : {
+ "value" : "Audit"
+ },
+ "effect-f4b53539-8df9-40e4-86c6-6b607703bd4e" : {
+ "value" : "Audit"
+ },
+ "effect-ec068d99-e9c7-401f-8cef-5bdde4e6ccf1" : {
+ "value" : "Audit"
+ },
+ "effect-048248b0-55cd-46da-b1ff-39efd52db260" : {
+ "value" : "AuditIfNotExists"
+ },
+ "effect-0d134df8-db83-46fb-ad72-fe0c9428c8dd" : {
+ "value" : "AuditIfNotExists"
+ },
+ "effect-2c89a2e5-7285-40fe-afe0-ae8654b92fb2" : {
+ "value" : "Audit"
+ },
+ "effect-3657f5a0-770e-44a3-b44e-9431ba1e9735" : {
+ "value" : "Audit"
+ },
+ "effect-5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580" : {
+ "value" : "Audit"
+ },
+ "effect-617c02be-7f02-4efd-8836-3180d47b6c68" : {
+ "value" : "Audit"
+ },
+ "effect-7d7be79c-23ba-4033-84dd-45e2a5ccdd67" : {
+ "value" : "Audit"
+ },
+ "effect-87ba29ef-1ab3-4d82-b763-87fcd4f531f7" : {
+ "value" : "audit"
+ },
+ "effect-f7d52b2d-e161-4dfa-a82b-55e564167385" : {
+ "value" : "Audit"
+ },
+ "effect-c43e4a30-77cb-48ab-a4dd-93f175c63b57" : {
+ "value" : "AuditIfNotExists"
+ },
+ "effect-0b60c0b2-2dc2-4e1c-b5c9-abbed971de53" : {
+ "value" : "Audit"
+ },
+ "effect-1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d" : {
+ "value" : "Audit"
+ },
+ "effect-1f314764-cb73-4fc9-b863-8eca98ac36e9" : {
+ "value" : "AuditIfNotExists"
+ },
+ "effect-123a3936-f020-408a-ba0c-47873faf1534" : {
+ "value" : "AuditIfNotExists"
+ }
+}
diff --git a/src/bicep/modules/policies/IL5-policyAssignmentParameters.json b/src/bicep/modules/policies/IL5-policyAssignmentParameters.json
new file mode 100644
index 000000000..6306f2d6c
--- /dev/null
+++ b/src/bicep/modules/policies/IL5-policyAssignmentParameters.json
@@ -0,0 +1,503 @@
+{
+ "IncludeArcMachines" : {
+ "value" : "false"
+ },
+ "NotAvailableMachineState-bed48b13-6647-468e-aa2f-1af1d3f4dd40" : {
+ "value" : "Compliant"
+ },
+ "MinimumTLSVersionForWindowsServers" : {
+ "value" : "1.2"
+ },
+ "requiredRetentionDays" : {
+ "value" : "365"
+ },
+ "effect-febd0533-8e55-448f-b837-bd0e06f16469" : {
+ "value" : "audit"
+ },
+ "allowedContainerImagesRegex-febd0533-8e55-448f-b837-bd0e06f16469" : {
+ "value" : "^(.+){0}$"
+ },
+ "effect-95edb821-ddaf-4404-9732-666045e056b4" : {
+ "value" : "audit"
+ },
+ "effect-440b515e-a580-421e-abeb-b159a61ddcbc" : {
+ "value" : "audit"
+ },
+ "effect-233a2a17-77ca-4fb1-9b6b-69223d272a44" : {
+ "value" : "audit"
+ },
+ "effect-e345eecc-fa47-480f-9e88-67dcc122b164" : {
+ "value" : "audit"
+ },
+ "cpuLimit-e345eecc-fa47-480f-9e88-67dcc122b164" : {
+ "value" : "0"
+ },
+ "memoryLimit-e345eecc-fa47-480f-9e88-67dcc122b164" : {
+ "value" : "0"
+ },
+ "effect-f06ddb64-5fa3-4b77-b166-acb36f7f6042" : {
+ "value" : "audit"
+ },
+ "runAsUserRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042" : {
+ "value" : "MustRunAsNonRoot"
+ },
+ "runAsGroupRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042" : {
+ "value" : "RunAsAny"
+ },
+ "supplementalGroupsRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042" : {
+ "value" : "RunAsAny"
+ },
+ "fsGroupRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042" : {
+ "value" : "RunAsAny"
+ },
+ "effect-1c6e92c9-99f0-4e55-9cf2-0c234dc48f99" : {
+ "value" : "audit"
+ },
+ "effect-47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8" : {
+ "value" : "audit"
+ },
+ "effect-df49d893-a74c-421d-bc95-c663042e5b80" : {
+ "value" : "audit"
+ },
+ "effect-1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d" : {
+ "value" : "audit"
+ },
+ "effect-c26596ff-4d70-4e6a-9a30-c2506bd2f80c" : {
+ "value" : "audit"
+ },
+ "effect-511f5417-5d12-434d-ab2e-816901e72a5e" : {
+ "value" : "audit"
+ },
+ "effect-82985f06-dc18-4a48-bc1c-b9f4f0098cfe" : {
+ "value" : "audit"
+ },
+ "effect-098fc59e-46c7-4d99-9b16-64990e543d75" : {
+ "value" : "audit"
+ },
+ "NetworkWatcherResourceGroupName" : {
+ "value" : "NetworkWatcherRG"
+ },
+ "setting-a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9" : {
+ "value" : "enabled"
+ },
+ "aadAuthenticationInServiceFabricMonitoringEffect" : {
+ "value" : "Audit"
+ },
+ "effect-71ef260a-8f18-47b7-abcb-62d0673d94dc" : {
+ "value" : "Audit"
+ },
+ "effect-055aa869-bc98-4af8-bafc-23f1ab6ffe2c" : {
+ "value" : "Audit"
+ },
+ "effect-564feb30-bf6a-4854-b4bb-0d2d2d1e6c66" : {
+ "value" : "Audit"
+ },
+ "effect-862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb" : {
+ "value" : "Audit"
+ },
+ "effect-d9da03a1-f3c3-412a-9709-947156872263" : {
+ "value" : "Audit"
+ },
+ "effect-617c02be-7f02-4efd-8836-3180d47b6c68" : {
+ "value" : "Audit"
+ },
+ "effect-0b60c0b2-2dc2-4e1c-b5c9-abbed971de53" : {
+ "value" : "Audit"
+ },
+ "effect-1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d" : {
+ "value" : "Audit"
+ },
+ "effect-ec068d99-e9c7-401f-8cef-5bdde4e6ccf1" : {
+ "value" : "Audit"
+ },
+ "effect-c349d81b-9985-44ae-a8da-ff98d108ede8" : {
+ "value" : "Audit"
+ },
+ "effect-3657f5a0-770e-44a3-b44e-9431ba1e9735" : {
+ "value" : "Audit"
+ },
+ "effect-b4ac1030-89c5-4697-8e00-28b5ba6a8811" : {
+ "value" : "audit"
+ },
+ "effect-ea0dfaed-95fb-448c-934e-d6e713ce393d" : {
+ "value" : "audit"
+ },
+ "effect-4733ea7b-a883-42fe-8cac-97454c2a9e4a" : {
+ "value" : "Audit"
+ },
+ "effect-f4b53539-8df9-40e4-86c6-6b607703bd4e" : {
+ "value" : "Audit"
+ },
+ "effect-41425d9f-d1a5-499a-9932-f8ed8453932c" : {
+ "value" : "Audit"
+ },
+ "effect-fc4d8e41-e223-45ea-9bf5-eada37891d87" : {
+ "value" : "Audit"
+ },
+ "effect-86efb160-8de7-451d-bc08-5d475b0aadae" : {
+ "value" : "Audit"
+ },
+ "effect-4ec52d6d-beb7-40c4-9a9e-fe753254690e" : {
+ "value" : "Audit"
+ },
+ "effect-64d314f6-6062-4780-a861-c23e8951bee5" : {
+ "value" : "Audit"
+ },
+ "effect-1fd32ebd-e4c3-4e13-a54a-d7422d4d95f6" : {
+ "value" : "Audit"
+ },
+ "effect-fa298e57-9444-42ba-bf04-86e8470e32c7" : {
+ "value" : "audit"
+ },
+ "effect-67121cc7-ff39-4ab8-b7e3-95b84dab487d" : {
+ "value" : "Audit"
+ },
+ "effect-1f905d99-2ab7-462c-a6b0-f709acca6c8f" : {
+ "value" : "audit"
+ },
+ "effect-5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580" : {
+ "value" : "Audit"
+ },
+ "effect-ba769a63-b8cc-4b2d-abf6-ac33c7204be8" : {
+ "value" : "Audit"
+ },
+ "effect-81e74cea-30fd-40d5-802f-d72103c2aaaa" : {
+ "value" : "Audit"
+ },
+ "effect-0aa61e00-0a01-4a3c-9945-e93cffedf0e6" : {
+ "value" : "Audit"
+ },
+ "effect-47031206-ce96-41f8-861b-6a915f3de284" : {
+ "value" : "Audit"
+ },
+ "effect-87ba29ef-1ab3-4d82-b763-87fcd4f531f7" : {
+ "value" : "audit"
+ },
+ "effect-51522a96-0869-4791-82f3-981000c2c67f" : {
+ "value" : "audit"
+ },
+ "effect-b5ec538c-daa0-4006-8596-35468b9148e8" : {
+ "value" : "Audit"
+ },
+ "effect-56a5ee18-2ae6-4810-86f7-18e39ce5629b" : {
+ "value" : "Audit"
+ },
+ "effect-2e94d99a-8a36-4563-bc77-810d8893b671" : {
+ "value" : "Audit"
+ },
+ "effect-1fafeaf6-7927-4059-a50a-8eb2a7a6f2b5" : {
+ "value" : "Audit"
+ },
+ "effect-99e9ccd8-3db9-4592-b0d1-14b1715a4d8a" : {
+ "value" : "Audit"
+ },
+ "effect-1f68a601-6e6d-4e42-babf-3f643a047ea2" : {
+ "value" : "audit"
+ },
+ "effect-f7d52b2d-e161-4dfa-a82b-55e564167385" : {
+ "value" : "Audit"
+ },
+ "effect-7d7be79c-23ba-4033-84dd-45e2a5ccdd67" : {
+ "value" : "Audit"
+ },
+ "effect-ca91455f-eace-4f96-be59-e6e2c35b4816" : {
+ "value" : "Audit"
+ },
+ "effect-702dd420-7fcc-42c5-afe8-4026edd20fe0" : {
+ "value" : "Audit"
+ },
+ "diagnosticsLogsInRedisCacheMonitoringEffect" : {
+ "value" : "Audit"
+ },
+ "secureTransferToStorageAccountMonitoringEffect" : {
+ "value" : "Audit"
+ },
+ "effect-d0793b48-0edc-4296-a390-4c75d1bdfd71" : {
+ "value" : "Audit"
+ },
+ "effect-7d092e0a-7acd-40d2-a975-dca21cae48c4" : {
+ "value" : "Audit"
+ },
+ "effect-2a1a9cdf-e04d-429a-8416-3bfb72a1b26f" : {
+ "value" : "Audit"
+ },
+ "disableUnrestrictedNetworkToStorageAccountMonitoringEffect" : {
+ "value" : "Audit"
+ },
+ "effect-55615ac9-af46-4a59-874e-391cc3dfb490" : {
+ "value" : "Audit"
+ },
+ "effect-1b8ca024-1d5c-4dec-8995-b1a932b41780" : {
+ "value" : "Audit"
+ },
+ "effect-037eea7a-bd0a-46c5-9a66-03aea78705d3" : {
+ "value" : "Audit"
+ },
+ "effect-53503636-bcc9-4748-9663-5348217f160f" : {
+ "value" : "Audit"
+ },
+ "effect-40cec1dd-a100-4920-b15b-3024fe8901ab" : {
+ "value" : "Audit"
+ },
+ "effect-0725b4dd-7e76-479c-a735-68e7ee23d5ca" : {
+ "value" : "Audit"
+ },
+ "effect-a049bf77-880b-470f-ba6d-9f21c530cf83" : {
+ "value" : "Audit"
+ },
+ "effect-ee980b6d-0eca-4501-8d54-f6290fd512c3" : {
+ "value" : "Audit"
+ },
+ "effect-1d84d5fb-01f6-4d12-ba4f-4a26081d403d" : {
+ "value" : "Audit"
+ },
+ "effect-37e0d2fe-28a5-43d6-a273-67d37d1f5606" : {
+ "value" : "Audit"
+ },
+ "identityDesignateMoreThanOneOwnerMonitoringEffect" : {
+ "value" : "AuditIfNotExists"
+ },
+ "diskEncryptionMonitoringEffect" : {
+ "value" : "AuditIfNotExists"
+ },
+ "emailNotificationToSubscriptionOwnerHighSeverityAlertsEnabledEffect" : {
+ "value" : "AuditIfNotExists"
+ },
+ "functionAppDisableRemoteDebuggingMonitoringEffect" : {
+ "value" : "AuditIfNotExists"
+ },
+ "sqlDbEncryptionMonitoringEffect" : {
+ "value" : "AuditIfNotExists"
+ },
+ "vulnerabilityAssessmentOnManagedInstanceMonitoringEffect" : {
+ "value" : "AuditIfNotExists"
+ },
+ "ensurePHPVersionLatestForAPIAppEffect" : {
+ "value" : "AuditIfNotExists"
+ },
+ "aadAuthenticationInSqlServerMonitoringEffect" : {
+ "value" : "AuditIfNotExists"
+ },
+ "vmssEndpointProtectionMonitoringEffect" : {
+ "value" : "AuditIfNotExists"
+ },
+ "vmssOsVulnerabilitiesMonitoringEffect" : {
+ "value" : "AuditIfNotExists"
+ },
+ "adaptiveApplicationControlsMonitoringEffect" : {
+ "value" : "AuditIfNotExists"
+ },
+ "geoRedundantBackupShouldBeEnabledForAzureDatabaseForPostgreSQLEffect" : {
+ "value" : "Audit"
+ },
+ "ensureJavaVersionLatestForWebAppEffect" : {
+ "value" : "AuditIfNotExists"
+ },
+ "identityDesignateLessThanOwnersMonitoringEffect" : {
+ "value" : "AuditIfNotExists"
+ },
+ "securityContactEmailAddressForSubscriptionEffect" : {
+ "value" : "AuditIfNotExists"
+ },
+ "webAppRestrictCORSAccessMonitoringEffect" : {
+ "value" : "AuditIfNotExists"
+ },
+ "identityRemoveExternalAccountWithWritePermissionsMonitoringEffect" : {
+ "value" : "AuditIfNotExists"
+ },
+ "identityRemoveExternalAccountWithReadPermissionsMonitoringEffect" : {
+ "value" : "AuditIfNotExists"
+ },
+ "identityRemoveDeprecatedAccountMonitoringEffect" : {
+ "value" : "AuditIfNotExists"
+ },
+ "functionAppEnforceHttpsMonitoringEffect" : {
+ "value" : "Audit"
+ },
+ "ensurePythonVersionLatestForWebAppEffect" : {
+ "value" : "AuditIfNotExists"
+ },
+ "ensurePythonVersionLatestForFunctionAppEffect" : {
+ "value" : "AuditIfNotExists"
+ },
+ "ensurePHPVersionLatestForWebAppEffect" : {
+ "value" : "AuditIfNotExists"
+ },
+ "ensurePythonVersionLatestForAPIAppEffect" : {
+ "value" : "AuditIfNotExists"
+ },
+ "geoRedundantBackupShouldBeEnabledForAzureDatabaseForMySQLEffect" : {
+ "value" : "Audit"
+ },
+ "systemUpdatesMonitoringEffect" : {
+ "value" : "AuditIfNotExists"
+ },
+ "ensureJavaVersionLatestForAPIAppEffect" : {
+ "value" : "AuditIfNotExists"
+ },
+ "ensureHTTPVersionLatestForWebAppEffect" : {
+ "value" : "AuditIfNotExists"
+ },
+ "apiAppRequireLatestTlsMonitoringEffect" : {
+ "value" : "AuditIfNotExists"
+ },
+ "identityEnableMFAForWritePermissionsMonitoringEffect" : {
+ "value" : "AuditIfNotExists"
+ },
+ "ensureHTTPVersionLatestForAPIAppEffect" : {
+ "value" : "AuditIfNotExists"
+ },
+ "ensureJavaVersionLatestForFunctionAppEffect" : {
+ "value" : "AuditIfNotExists"
+ },
+ "nextGenerationFirewallMonitoringEffect" : {
+ "value" : "AuditIfNotExists"
+ },
+ "useRbacRulesMonitoringEffect" : {
+ "value" : "Audit"
+ },
+ "webAppEnforceHttpsMonitoringEffect" : {
+ "value" : "Audit"
+ },
+ "sqlServerAuditingMonitoringEffect" : {
+ "value" : "AuditIfNotExists"
+ },
+ "vnetEnableDDoSProtectionMonitoringEffect" : {
+ "value" : "AuditIfNotExists"
+ },
+ "identityEnableMFAForOwnerPermissionsMonitoringEffect" : {
+ "value" : "AuditIfNotExists"
+ },
+ "sqlServerAdvancedDataSecurityMonitoringEffect" : {
+ "value" : "AuditIfNotExists"
+ },
+ "sqlManagedInstanceAdvancedDataSecurityMonitoringEffect" : {
+ "value" : "AuditIfNotExists"
+ },
+ "endpointProtectionMonitoringEffect" : {
+ "value" : "AuditIfNotExists"
+ },
+ "jitNetworkAccessMonitoringEffect" : {
+ "value" : "AuditIfNotExists"
+ },
+ "apiAppEnforceHttpsMonitoringEffect" : {
+ "value" : "Audit"
+ },
+ "geoRedundantStorageShouldBeEnabledForStorageAccountsEffect" : {
+ "value" : "Audit"
+ },
+ "vmssSystemUpdatesMonitoringEffect" : {
+ "value" : "AuditIfNotExists"
+ },
+ "webAppDisableRemoteDebuggingMonitoringEffect" : {
+ "value" : "AuditIfNotExists"
+ },
+ "longtermGeoRedundantBackupEnabledAzureSQLDatabasesEffect" : {
+ "value" : "AuditIfNotExists"
+ },
+ "systemConfigurationsMonitoringEffect" : {
+ "value" : "AuditIfNotExists"
+ },
+ "ensureHTTPVersionLatestForFunctionAppEffect" : {
+ "value" : "AuditIfNotExists"
+ },
+ "identityEnableMFAForReadPermissionsMonitoringEffect" : {
+ "value" : "AuditIfNotExists"
+ },
+ "containerBenchmarkMonitoringEffect" : {
+ "value" : "AuditIfNotExists"
+ },
+ "apiAppDisableRemoteDebuggingMonitoringEffect" : {
+ "value" : "AuditIfNotExists"
+ },
+ "identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect" : {
+ "value" : "AuditIfNotExists"
+ },
+ "vulnerabilityAssessmentOnServerMonitoringEffect" : {
+ "value" : "AuditIfNotExists"
+ },
+ "webAppRequireLatestTlsMonitoringEffect" : {
+ "value" : "AuditIfNotExists"
+ },
+ "identityRemoveExternalAccountWithOwnerPermissionsMonitoringEffect" : {
+ "value" : "AuditIfNotExists"
+ },
+ "functionAppRequireLatestTlsMonitoringEffect" : {
+ "value" : "AuditIfNotExists"
+ },
+ "kubernetesServiceVersionUpToDateMonitoringEffect" : {
+ "value" : "Audit"
+ },
+ "sqlDbVulnerabilityAssesmentMonitoringEffect" : {
+ "value" : "AuditIfNotExists"
+ },
+ "membersToIncludeInLocalAdministratorsGroup" : {
+ "value" : ""
+ },
+ "membersToExcludeInLocalAdministratorsGroup" : {
+ "value" : ""
+ },
+ "logAnalyticsWorkspaceIDForVMAgents" : {
+ "value" : ""
+ },
+ "PHPLatestVersionForAppServices" : {
+ "value" : "7.4"
+ },
+ "JavaLatestVersionForAppServices" : {
+ "value" : "11"
+ },
+ "WindowsPythonLatestVersionForAppServices" : {
+ "value" : "3.6"
+ },
+ "LinuxPythonLatestVersionForAppServices" : {
+ "value" : "3.9"
+ },
+ "ensureDotNetFrameworkLatestForFunctionAppEffect" : {
+ "value" : "Disabled"
+ },
+ "sqlManagedInstanceAdvancedDataSecurityEmailsMonitoringEffect" : {
+ "value" : "Disabled"
+ },
+ "vulnerabilityAssessmentMonitoringEffect" : {
+ "value" : "Disabled"
+ },
+ "ensureDotNetFrameworkLatestForWebAppEffect" : {
+ "value" : "Disabled"
+ },
+ "sqlServerAdvancedDataSecurityEmailsMonitoringEffect" : {
+ "value" : "Disabled"
+ },
+ "microsoftIaaSAntimalwareExtensionShouldBeDeployedOnWindowsServersEffect" : {
+ "value" : "Disabled"
+ },
+ "securityCenterStandardPricingTierShouldBeSelectedEffect" : {
+ "value" : "Audit"
+ },
+ "theLogAnalyticsAgentShouldBeInstalledOnVirtualMachinesEffect" : {
+ "value" : "Disabled"
+ },
+ "ensurePHPVersionLatestForFunctionAppEffect" : {
+ "value" : "Disabled"
+ },
+ "sqlManagedInstanceAdvancedDataSecurityEmailAdminsMonitoringEffect" : {
+ "value" : "Disabled"
+ },
+ "securityContactPhoneNumberShouldBeProvidedForSubscriptionEffect" : {
+ "value" : "Disabled"
+ },
+ "threatDetectionTypesOnManagedInstanceMonitoringEffect" : {
+ "value" : "Disabled"
+ },
+ "ensureDotNetFrameworkLatestForAPIAppEffect" : {
+ "value" : "Disabled"
+ },
+ "sqlServerAdvancedDataSecurityEmailAdminsMonitoringEffect" : {
+ "value" : "Disabled"
+ },
+ "threatDetectionTypesOnServerMonitoringEffect" : {
+ "value" : "Disabled"
+ },
+ "theLogAnalyticsAgentShouldBeInstalledOnVirtualMachineScaleSetsEffect" : {
+ "value" : "AuditIfNotExists"
+ }
+}
\ No newline at end of file
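Review bot: `IncludeArcMachines` is `"false"` in this file but `"true"` in the NIST parameter file added in the same change, while both initiatives are assigned through the same policyAssignment module at the same scope; if the difference is deliberate it is worth recording in the module docs, since JSON offers no place for a comment. The file also ends without a trailing newline, unlike the CMMC file. Several values here (`cpuLimit`, `memoryLimit`, `allowedContainerImagesRegex`) appear to be the initiative's own defaults, which is fine, but a reader cannot tell that from the file.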
diff --git a/src/bicep/modules/policies/NIST-policyAssignmentParameters.json b/src/bicep/modules/policies/NIST-policyAssignmentParameters.json
new file mode 100644
index 000000000..cd7394726
--- /dev/null
+++ b/src/bicep/modules/policies/NIST-policyAssignmentParameters.json
@@ -0,0 +1,34 @@
+ {
+ "listOfMembersToExcludeFromWindowsVMAdministratorsGroup":
+ {
+ "value": "admin"
+ },
+ "listOfMembersToIncludeInWindowsVMAdministratorsGroup":
+ {
+ "value": "azureuser"
+ },
+ "logAnalyticsWorkspaceIdforVMReporting":
+ {
+ "value": ""
+ },
+ "IncludeArcMachines":
+ {
+ "value": "true"
+ },
+ "MinimumTLSVersion-5752e6d6-1206-46d8-8ab1-ecc2f71a8112":
+ {
+ "value": "1.2"
+ },
+ "NotAvailableMachineState-bed48b13-6647-468e-aa2f-1af1d3f4dd40":
+ {
+ "value": "Compliant"
+ },
+ "requiredRetentionDays":
+ {
+ "value": "365"
+ },
+ "resourceGroupName-b6e2945c-0b7b-40f5-9233-7a5323b5cdc6":
+ {
+ "value": "NetworkWatcherRG"
+ }
+ }
\ No newline at end of file
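Review bot: `listOfMembersToIncludeInWindowsVMAdministratorsGroup` is hard-coded to `"azureuser"` and the exclude list to `"admin"`, while the Windows administrator account name is a deployment parameter (`windowsVmAdminUsername` in remoteAccess.bicep); a deployment that picks a different admin name will presumably be reported non-compliant by this pair of audit policies rather than by any real misconfiguration. Consider sourcing these two values from the same parameter, or documenting that they must be kept in step. The root `{` and every line are indented one extra column relative to the other two parameter files; cosmetic, but worth normalizing.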
diff --git a/src/bicep/modules/policyAssignment.bicep b/src/bicep/modules/policyAssignment.bicep
new file mode 100644
index 000000000..73e95cde3
--- /dev/null
+++ b/src/bicep/modules/policyAssignment.bicep
@@ -0,0 +1,40 @@
+param builtInAssignment string = ''
+param logAnalyticsWorkspaceName string
+param logAnalyticsWorkspaceResourceGroupName string
+param operationsSubscriptionId string
+
+// Creating a symbolic name for an existing resource
+resource logAnalyticsWorkspace 'Microsoft.OperationalInsights/workspaces@2021-06-01' existing = {
+ name: logAnalyticsWorkspaceName
+ scope: resourceGroup(operationsSubscriptionId, logAnalyticsWorkspaceResourceGroupName)
+}
+
+var policyDefinitionID = {
+ NIST: {
+ id: '/providers/Microsoft.Authorization/policySetDefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f'
+ parameters: json(replace(loadTextContent('policies/NIST-policyAssignmentParameters.json'),'', logAnalyticsWorkspace.id))
+ }
+ IL5: {
+ id: '/providers/Microsoft.Authorization/policySetDefinitions/f9a961fa-3241-4b20-adc4-bbf8ad9d7197'
+ parameters: json(replace(loadTextContent('policies/IL5-policyAssignmentParameters.json'),'', logAnalyticsWorkspace.id))
+ }
+ CMMC: {
+ id: '/providers/Microsoft.Authorization/policySetDefinitions/b5629c75-5c77-4422-87b9-2509e680f8de'
+ parameters: json(replace(loadTextContent('policies/CMMC-policyAssignmentParameters.json'),'', logAnalyticsWorkspace.properties.customerId))
+ }
+}
+
+var modifiedAssignment = ( environment().name =~ 'AzureCloud' && builtInAssignment =~ 'IL5' ? 'NIST' : builtInAssignment )
+var assignmentName = '${modifiedAssignment} ${resourceGroup().name}'
+
+resource assignment 'Microsoft.Authorization/policyAssignments@2020-09-01' = if (!empty(modifiedAssignment)){
+ name: assignmentName
+ location: resourceGroup().location
+ properties: {
+ policyDefinitionId: policyDefinitionID[modifiedAssignment].id
+ parameters: policyDefinitionID[modifiedAssignment].parameters
+ }
+ identity: {
+ type: 'SystemAssigned'
+ }
+}
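Review bot: The workspace-id substitution in the `policyDefinitionID` var searches for an empty string (`replace(loadTextContent(...), '', logAnalyticsWorkspace.id)`), which cannot select the `"value" : ""` placeholders in the three parameter files, so the assignment is presumably deployed with an empty workspace id (or fails, depending on how an empty search string is handled). The CMMC and IL5 files also contain other intentionally empty values (the MembersToInclude/Exclude entries), so even a literal `""` match would be ambiguous; put a unique token in the JSON, e.g. `"value": "LOG_ANALYTICS_WORKSPACE_ID_PLACEHOLDER"`, and search for that: `parameters: json(replace(loadTextContent('policies/NIST-policyAssignmentParameters.json'), 'LOG_ANALYTICS_WORKSPACE_ID_PLACEHOLDER', logAnalyticsWorkspace.id))`. Separately, `policyDefinitionID[modifiedAssignment]` is a case-sensitive lookup while the `=~` comparison that derives `modifiedAssignment` is not, so an input such as `nist` passes the check but fails the lookup; `@allowed(['', 'NIST', 'IL5', 'CMMC'])` above `param builtInAssignment string = ''` closes that gap and documents the accepted values.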
diff --git a/src/bicep/modules/publicIPAddress.bicep b/src/bicep/modules/publicIPAddress.bicep
new file mode 100644
index 000000000..d29257507
--- /dev/null
+++ b/src/bicep/modules/publicIPAddress.bicep
@@ -0,0 +1,25 @@
+param name string
+param location string
+param tags object = {}
+
+param skuName string
+param publicIpAllocationMethod string
+param availabilityZones array
+
+resource publicIPAddress 'Microsoft.Network/publicIPAddresses@2021-02-01' = {
+ name: name
+ location: location
+ tags: tags
+
+ sku: {
+ name: skuName
+ }
+
+ properties: {
+ publicIPAllocationMethod: publicIpAllocationMethod
+ }
+
+ zones: availabilityZones
+}
+
+output id string = publicIPAddress.id
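Review bot: Only `id` is exported, whereas the sibling modules in this change (networkInterface, networkSecurityGroup, routeTable, resourceGroup) expose both `id` and `name` and remoteAccess wires modules together through `.outputs.name`; add `output name string = publicIPAddress.name` for consistency. `skuName` and `publicIpAllocationMethod` are free-form strings; `@allowed(['Basic', 'Standard'])` and `@allowed(['Dynamic', 'Static'])` would surface an invalid combination at compile time instead of at deployment.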
diff --git a/src/bicep/modules/remoteAccess.bicep b/src/bicep/modules/remoteAccess.bicep
new file mode 100644
index 000000000..f6d499797
--- /dev/null
+++ b/src/bicep/modules/remoteAccess.bicep
@@ -0,0 +1,144 @@
+param location string
+param tags object = {}
+
+param hubVirtualNetworkName string
+param hubSubnetResourceId string
+param hubNetworkSecurityGroupResourceId string
+
+param bastionHostName string
+param bastionHostSubnetAddressPrefix string
+param bastionHostPublicIPAddressName string
+param bastionHostPublicIPAddressSkuName string
+param bastionHostPublicIPAddressAllocationMethod string
+param bastionHostPublicIPAddressAvailabilityZones array
+param bastionHostIPConfigurationName string
+
+param linuxNetworkInterfaceName string
+param linuxNetworkInterfaceIpConfigurationName string
+param linuxNetworkInterfacePrivateIPAddressAllocationMethod string
+
+param linuxVmName string
+param linuxVmSize string
+param linuxVmOsDiskCreateOption string
+param linuxVmOsDiskType string
+param linuxVmImagePublisher string
+param linuxVmImageOffer string
+param linuxVmImageSku string
+param linuxVmImageVersion string
+param linuxVmAdminUsername string
+@allowed([
+ 'sshPublicKey'
+ 'password'
+])
+param linuxVmAuthenticationType string
+@secure()
+@minLength(14)
+param linuxVmAdminPasswordOrKey string
+
+param windowsNetworkInterfaceName string
+param windowsNetworkInterfaceIpConfigurationName string
+param windowsNetworkInterfacePrivateIPAddressAllocationMethod string
+
+param windowsVmName string
+param windowsVmSize string
+param windowsVmAdminUsername string
+@secure()
+@minLength(14)
+param windowsVmAdminPassword string
+param windowsVmPublisher string
+param windowsVmOffer string
+param windowsVmSku string
+param windowsVmVersion string
+param windowsVmCreateOption string
+param windowsVmStorageAccountType string
+
+resource hubVirtualNetwork 'Microsoft.Network/virtualNetworks@2021-02-01' existing = {
+ name: hubVirtualNetworkName
+}
+
+module bastionHost './bastionHost.bicep' = {
+ name: 'remoteAccess-bastionHost'
+
+ params: {
+ name: bastionHostName
+ location: location
+ tags: tags
+
+ virtualNetworkName: hubVirtualNetwork.name
+ subnetAddressPrefix: bastionHostSubnetAddressPrefix
+ publicIPAddressName: bastionHostPublicIPAddressName
+ publicIPAddressSkuName: bastionHostPublicIPAddressSkuName
+ publicIPAddressAllocationMethod: bastionHostPublicIPAddressAllocationMethod
+ publicIPAddressAvailabilityZones: bastionHostPublicIPAddressAvailabilityZones
+ ipConfigurationName: bastionHostIPConfigurationName
+ }
+}
+
+module linuxNetworkInterface './networkInterface.bicep' = {
+ name: 'remoteAccess-linuxNetworkInterface'
+ params: {
+ name: linuxNetworkInterfaceName
+ location: location
+ tags: tags
+
+ ipConfigurationName: linuxNetworkInterfaceIpConfigurationName
+ networkSecurityGroupId: hubNetworkSecurityGroupResourceId
+ privateIPAddressAllocationMethod: linuxNetworkInterfacePrivateIPAddressAllocationMethod
+ subnetId: hubSubnetResourceId
+ }
+}
+
+module linuxVirtualMachine './linuxVirtualMachine.bicep' = {
+ name: 'remoteAccess-linuxVirtualMachine'
+ params: {
+ name: linuxVmName
+ location: location
+ tags: tags
+
+ vmSize: linuxVmSize
+ osDiskCreateOption: linuxVmOsDiskCreateOption
+ osDiskType: linuxVmOsDiskType
+ vmImagePublisher: linuxVmImagePublisher
+ vmImageOffer: linuxVmImageOffer
+ vmImageSku: linuxVmImageSku
+ vmImageVersion: linuxVmImageVersion
+ adminUsername: linuxVmAdminUsername
+ authenticationType: linuxVmAuthenticationType
+ adminPasswordOrKey: linuxVmAdminPasswordOrKey
+ networkInterfaceName: linuxNetworkInterface.outputs.name
+ }
+}
+
+module windowsNetworkInterface './networkInterface.bicep' = {
+ name: 'remoteAccess-windowsNetworkInterface'
+ params: {
+ name: windowsNetworkInterfaceName
+ location: location
+ tags: tags
+
+ ipConfigurationName: windowsNetworkInterfaceIpConfigurationName
+ networkSecurityGroupId: hubNetworkSecurityGroupResourceId
+ privateIPAddressAllocationMethod: windowsNetworkInterfacePrivateIPAddressAllocationMethod
+ subnetId: hubSubnetResourceId
+ }
+}
+
+module windowsVirtualMachine './windowsVirtualMachine.bicep' = {
+ name: 'remoteAccess-windowsVirtualMachine'
+ params: {
+ name: windowsVmName
+ location: location
+ tags: tags
+
+ size: windowsVmSize
+ adminUsername: windowsVmAdminUsername
+ adminPassword: windowsVmAdminPassword
+ publisher: windowsVmPublisher
+ offer: windowsVmOffer
+ sku: windowsVmSku
+ version: windowsVmVersion
+ createOption: windowsVmCreateOption
+ storageAccountType: windowsVmStorageAccountType
+ networkInterfaceName: windowsNetworkInterface.outputs.name
+ }
+}
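Review bot: None of the parameters in this module carries a `@description`, and the one that most needs it is `linuxVmAdminPasswordOrKey`, whose expected content depends on `linuxVmAuthenticationType`; `@description('Administrator password when linuxVmAuthenticationType is password, otherwise the SSH public key')` above its `@secure()` line would tell callers what to supply. The `@minLength(14)` on that parameter also applies in the SSH-key case, which is harmless but worth a comment so it is not read as a password-only rule. The `hubVirtualNetwork` existing resource is used only for `.name`, which is already held in `hubVirtualNetworkName`; the parameter could be passed to bastionHost directly and the existing block dropped.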
diff --git a/src/bicep/modules/resourceGroup.bicep b/src/bicep/modules/resourceGroup.bicep
new file mode 100644
index 000000000..ba3cbe31b
--- /dev/null
+++ b/src/bicep/modules/resourceGroup.bicep
@@ -0,0 +1,14 @@
+targetScope = 'subscription'
+
+param name string
+param location string
+param tags object = {}
+
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2019-05-01' = {
+ name: name
+ location: location
+ tags: tags
+}
+
+output id string = resourceGroup.id
+output name string = resourceGroup.name
diff --git a/src/bicep/modules/routeTable.bicep b/src/bicep/modules/routeTable.bicep
new file mode 100644
index 000000000..e7eb75aa6
--- /dev/null
+++ b/src/bicep/modules/routeTable.bicep
@@ -0,0 +1,30 @@
+param name string
+param location string
+param tags object = {}
+
+param routeName string
+param routeAddressPrefix string
+param routeNextHopIpAddress string
+param routeNextHopType string
+
+resource routeTable 'Microsoft.Network/routeTables@2021-02-01' = {
+ name: name
+ location: location
+ tags: tags
+
+ properties: {
+ routes: [
+ {
+ name: routeName
+ properties: {
+ addressPrefix: routeAddressPrefix
+ nextHopIpAddress: routeNextHopIpAddress
+ nextHopType: routeNextHopType
+ }
+ }
+ ]
+ }
+}
+
+output id string = routeTable.id
+output name string = routeTable.name
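Review bot: `routeTable` always sets `nextHopIpAddress`, but Azure only accepts that property on a route whose `nextHopType` is `'VirtualAppliance'`; because `routeNextHopType` is a free-form string, a caller choosing any other hop type gets a validation failure rather than a working route. Either constrain the param with `@allowed(['VirtualAppliance'])` or make the address conditional, `nextHopIpAddress: routeNextHopType == 'VirtualAppliance' ? routeNextHopIpAddress : null`. Since this module is used for the spoke's forced-tunnel default route, it is also worth exposing `disableBgpRoutePropagation` on the route table's `properties`, otherwise BGP-learned routes from a gateway in the hub could bypass the firewall.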
diff --git a/src/bicep/modules/sentinelSolution.bicep b/src/bicep/modules/sentinelSolution.bicep
new file mode 100644
index 000000000..b01a6afef
--- /dev/null
+++ b/src/bicep/modules/sentinelSolution.bicep
@@ -0,0 +1,22 @@
+param workspaceName string
+param workspaceLocation string
+param tags object = {}
+
+resource workspace 'Microsoft.OperationalInsights/workspaces@2020-08-01' existing = {
+ name: workspaceName
+}
+
+resource sentinelSolution 'Microsoft.OperationsManagement/solutions@2015-11-01-preview'= {
+ name: 'SecurityInsights(${workspace.name})'
+ location: workspaceLocation
+ tags:tags
+ properties: {
+ workspaceResourceId: workspace.id
+ }
+ plan: {
+ name: 'SecurityInsights(${workspace.name})'
+ publisher: 'Microsoft'
+ product: 'OMSGallery/SecurityInsights'
+ promotionCode: ''
+ }
+}
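Review bot: Two formatting slips in the `sentinelSolution` resource: the declaration line omits the space before `=` (`...@2015-11-01-preview'= {`) and `tags:tags` omits the space after the colon, unlike every other module in this change. Both compile, but the Bicep formatter will rewrite them and they stand out in diffs; use `'Microsoft.OperationsManagement/solutions@2015-11-01-preview' = {` and `tags: tags`. Separately, `workspaceLocation` is passed in although the `existing` workspace is already referenced; reading `workspace.location` would remove the chance of the two disagreeing, if the existing-resource property is available in the Bicep version the repo targets.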
diff --git a/src/bicep/modules/spokeNetwork.bicep b/src/bicep/modules/spokeNetwork.bicep
new file mode 100644
index 000000000..65ec539fa
--- /dev/null
+++ b/src/bicep/modules/spokeNetwork.bicep
@@ -0,0 +1,155 @@
+param location string = resourceGroup().location
+param tags object = {}
+
+param logStorageAccountName string
+param logStorageSkuName string
+
+param logAnalyticsWorkspaceResourceId string
+
+param firewallPrivateIPAddress string
+
+param virtualNetworkName string
+param virtualNetworkAddressPrefix string
+param virtualNetworkDiagnosticsLogs array
+param virtualNetworkDiagnosticsMetrics array
+
+param networkSecurityGroupName string
+param networkSecurityGroupRules array
+
+param subnetName string
+param subnetAddressPrefix string
+param subnetServiceEndpoints array
+
+param routeTableName string = '${subnetName}-routetable'
+param routeTableRouteName string = 'default_route'
+param routeTableRouteAddressPrefix string = '0.0.0.0/0'
+param routeTableRouteNextHopIpAddress string = firewallPrivateIPAddress
+param routeTableRouteNextHopType string = 'VirtualAppliance'
+
+var defaultVirtualNetworkDiagnosticsLogs = [
+ // TODO: 'VMProtectionAlerts' is not supported in AzureUsGovernment
+ // {
+ // category: 'VMProtectionAlerts'
+ // enabled: true
+ // }
+]
+
+var defaultVirtualNetworkDiagnosticsMetrics = [
+ {
+ category: 'AllMetrics'
+ enabled: true
+ }
+]
+
+var defaultSubnetServiceEndpoints = [
+ {
+ service: 'Microsoft.Storage'
+ }
+]
+
+var defaultNetworkSecurityGroupRules = [
+ {
+ name: 'allow_ssh'
+ properties: {
+ description: 'Allow SSH access from anywhere'
+ access: 'Allow'
+ priority: 100
+ protocol: 'Tcp'
+ direction: 'Inbound'
+ sourcePortRange: '*'
+ sourceAddressPrefix: '*'
+ destinationPortRange: '22'
+ destinationAddressPrefix: '*'
+ }
+ }
+ {
+ name: 'allow_rdp'
+ properties: {
+ description: 'Allow RDP access from anywhere'
+ access: 'Allow'
+ priority: 200
+ protocol: 'Tcp'
+ direction: 'Inbound'
+ sourcePortRange: '*'
+ sourceAddressPrefix: '*'
+ destinationPortRange: '3389'
+ destinationAddressPrefix: '*'
+ }
+ }
+]
+
+module logStorage './storageAccount.bicep' = {
+ name: 'logStorage'
+ params: {
+ storageAccountName: logStorageAccountName
+ location: location
+ skuName: logStorageSkuName
+ tags: tags
+ }
+}
+
+module networkSecurityGroup './networkSecurityGroup.bicep' = {
+ name: 'networkSecurityGroup'
+ params: {
+ name: networkSecurityGroupName
+ location: location
+ tags: tags
+
+ securityRules: empty(networkSecurityGroupRules) ? defaultNetworkSecurityGroupRules : networkSecurityGroupRules
+ }
+}
+
+module routeTable './routeTable.bicep' = {
+ name: 'routeTable'
+ params: {
+ name: routeTableName
+ location: location
+ tags: tags
+
+ routeName: routeTableRouteName
+ routeAddressPrefix: routeTableRouteAddressPrefix
+ routeNextHopIpAddress: routeTableRouteNextHopIpAddress
+ routeNextHopType: routeTableRouteNextHopType
+ }
+}
+
+module virtualNetwork './virtualNetwork.bicep' = {
+ name: 'virtualNetwork'
+ params: {
+ name: virtualNetworkName
+ location: location
+ tags: tags
+
+ addressPrefix: virtualNetworkAddressPrefix
+
+ diagnosticsLogs: empty(virtualNetworkDiagnosticsLogs) ? defaultVirtualNetworkDiagnosticsLogs : virtualNetworkDiagnosticsLogs
+ diagnosticsMetrics: empty(virtualNetworkDiagnosticsMetrics) ? defaultVirtualNetworkDiagnosticsMetrics : virtualNetworkDiagnosticsMetrics
+
+ subnets: [
+ {
+ name: subnetName
+ properties: {
+ addressPrefix: subnetAddressPrefix
+ networkSecurityGroup: {
+ id: networkSecurityGroup.outputs.id
+ }
+ routeTable: {
+ id: routeTable.outputs.id
+ }
+ serviceEndpoints: empty(subnetServiceEndpoints) ? defaultSubnetServiceEndpoints : subnetServiceEndpoints
+ }
+ }
+ ]
+
+ logAnalyticsWorkspaceResourceId: logAnalyticsWorkspaceResourceId
+ logStorageAccountResourceId: logStorage.outputs.id
+ }
+}
+
+output virtualNetworkName string = virtualNetwork.outputs.name
+output virtualNetworkResourceId string = virtualNetwork.outputs.id
+output subnetName string = virtualNetwork.outputs.subnets[0].name
+output subnetAddressPrefix string = virtualNetwork.outputs.subnets[0].properties.addressPrefix
+output subnetResourceId string = virtualNetwork.outputs.subnets[0].id
+output networkSecurityGroupName string = networkSecurityGroup.outputs.name
+output networkSecurityGroupResourceId string = networkSecurityGroup.outputs.id
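Review bot: The fallback rules in `defaultNetworkSecurityGroupRules` (`allow_ssh` and `allow_rdp`) admit TCP 22 and 3389 inbound from `sourceAddressPrefix: '*'` to `destinationAddressPrefix: '*'`, and they are applied whenever a caller passes an empty `networkSecurityGroupRules`, so the out-of-the-box spoke exposes both management ports to any source that can reach the subnet. The spoke's only route out is the hub firewall, so actual exposure depends on the firewall policy, but the NSG should not rely on that layer. Narrow each rule to the address space the jump hosts live in, e.g. `sourceAddressPrefix: <remote-access subnet prefix, new param>` or at least the `'VirtualNetwork'` service tag, and consider shipping defaults with no inbound allows so callers opt in explicitly; the `'Allow SSH access from anywhere'` / `'Allow RDP access from anywhere'` descriptions then need the matching update.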
diff --git a/src/bicep/modules/spokeNetworkPeering.bicep b/src/bicep/modules/spokeNetworkPeering.bicep
new file mode 100644
index 000000000..05f466a2e
--- /dev/null
+++ b/src/bicep/modules/spokeNetworkPeering.bicep
@@ -0,0 +1,16 @@
+targetScope = 'subscription'
+
+param spokeResourceGroupName string
+param spokeVirtualNetworkName string
+
+param hubVirtualNetworkName string
+param hubVirtualNetworkResourceId string
+
+module spokeNetworkPeering './virtualNetworkPeering.bicep' = {
+ scope: resourceGroup(spokeResourceGroupName)
+ name: 'spokeNetworkPeering'
+ params: {
+ name: '${spokeVirtualNetworkName}/to-${hubVirtualNetworkName}'
+ remoteVirtualNetworkResourceId: hubVirtualNetworkResourceId
+ }
+}
diff --git a/src/bicep/modules/storageAccount.bicep b/src/bicep/modules/storageAccount.bicep
new file mode 100644
index 000000000..dd10a4324
--- /dev/null
+++ b/src/bicep/modules/storageAccount.bicep
@@ -0,0 +1,16 @@
+param storageAccountName string
+param location string
+param skuName string
+param tags object = {}
+
+resource storageAccount 'Microsoft.Storage/storageAccounts@2019-06-01' = {
+ name: storageAccountName
+ location: location
+ kind: 'Storage'
+ sku: {
+ name: skuName
+ }
+ tags: tags
+}
+
+output id string = storageAccount.id
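Review bot: `storageAccount` sets no `properties`, so transport and access settings for the log sink are whatever the `2019-06-01` API defaults to (as I recall, `minimumTlsVersion` defaulted to TLS 1.0 at that version and `allowBlobPublicAccess` was left unset). Because this account receives the network diagnostics from every VNet in the deployment, pin these explicitly instead of inheriting defaults that vary by API version. `kind: 'Storage'` (general-purpose v1) is also an unusual choice for a new log sink; confirm it is intentional, since several data-protection features require v2.

```bicep
resource storageAccount 'Microsoft.Storage/storageAccounts@2019-06-01' = {
  // … unchanged: name, location, kind, sku, tags …
  properties: {
    supportsHttpsTrafficOnly: true
    minimumTlsVersion: 'TLS1_2'
    allowBlobPublicAccess: false
  }
}
```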
diff --git a/src/bicep/modules/subnet.bicep b/src/bicep/modules/subnet.bicep
new file mode 100644
index 000000000..1ca5c37d6
--- /dev/null
+++ b/src/bicep/modules/subnet.bicep
@@ -0,0 +1,13 @@
+param name string
+
+param addressPrefix string
+
+resource subnet 'Microsoft.Network/virtualNetworks/subnets@2021-02-01' = {
+ name: name
+
+ properties: {
+ addressPrefix: addressPrefix
+ }
+}
+
+output id string = subnet.id
diff --git a/src/bicep/modules/virtualNetwork.bicep b/src/bicep/modules/virtualNetwork.bicep
new file mode 100644
index 000000000..ab51e3e1e
--- /dev/null
+++ b/src/bicep/modules/virtualNetwork.bicep
@@ -0,0 +1,42 @@
+param name string
+param location string
+param tags object = {}
+
+param addressPrefix string
+param logAnalyticsWorkspaceResourceId string
+param logStorageAccountResourceId string
+param subnets array
+
+param diagnosticsMetrics array
+
+param diagnosticsLogs array
+
+resource virtualNetwork 'Microsoft.Network/virtualNetworks@2021-02-01' = {
+ name: name
+ location: location
+ tags: tags
+
+ properties: {
+ addressSpace: {
+ addressPrefixes: [
+ addressPrefix
+ ]
+ }
+ subnets: subnets
+ }
+}
+
+resource diagnostics 'Microsoft.Insights/diagnosticSettings@2017-05-01-preview' = {
+ scope: virtualNetwork
+ name: '${virtualNetwork.name}-diagnostics'
+ properties: {
+ storageAccountId: logStorageAccountResourceId
+ workspaceId: logAnalyticsWorkspaceResourceId
+ metrics: diagnosticsMetrics
+ logs: diagnosticsLogs
+ }
+}
+
+output name string = virtualNetwork.name
+output id string = virtualNetwork.id
+output subnets array = virtualNetwork.properties.subnets
diff --git a/src/bicep/modules/virtualNetworkPeering.bicep b/src/bicep/modules/virtualNetworkPeering.bicep
new file mode 100644
index 000000000..a26b4f861
--- /dev/null
+++ b/src/bicep/modules/virtualNetworkPeering.bicep
@@ -0,0 +1,11 @@
+param name string
+param remoteVirtualNetworkResourceId string
+
+resource virtualNetworkPeering 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2021-02-01' = {
+ name: name
+ properties: {
+ remoteVirtualNetwork: {
+ id: remoteVirtualNetworkResourceId
+ }
+ }
+}
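Review bot: The peering sets only `remoteVirtualNetwork`, leaving `allowVirtualNetworkAccess`, `allowForwardedTraffic` and `useRemoteGateways` at their API defaults. The spoke route table in this same change sends `0.0.0.0/0` to the firewall in the hub, so traffic returning to a spoke arrives as forwarded traffic from the hub; if `allowForwardedTraffic` still defaults to false at `2021-02-01` (I believe it does), the spoke side of the peering will drop it. Make the intent explicit inside `properties` with `allowVirtualNetworkAccess: true` and `allowForwardedTraffic: true`, ideally as params with those defaults so the hub side can be configured differently. This module creates only one direction of the peering; the reverse peering is presumably defined in a hunk outside this view.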
diff --git a/src/bicep/modules/windowsVirtualMachine.bicep b/src/bicep/modules/windowsVirtualMachine.bicep
new file mode 100644
index 000000000..e986cf1ca
--- /dev/null
+++ b/src/bicep/modules/windowsVirtualMachine.bicep
@@ -0,0 +1,59 @@
+param name string
+param location string
+param tags object = {}
+
+param networkInterfaceName string
+
+param size string
+param adminUsername string
+@secure()
+@minLength(14)
+param adminPassword string
+param publisher string
+param offer string
+param sku string
+param version string
+param createOption string
+param storageAccountType string
+
+resource networkInterface 'Microsoft.Network/networkInterfaces@2021-02-01' existing = {
+ name: networkInterfaceName
+}
+
+resource windowsVirtualMachine 'Microsoft.Compute/virtualMachines@2021-04-01' = {
+ name: name
+ location: location
+ tags: tags
+
+ properties: {
+ hardwareProfile: {
+ vmSize: size
+ }
+ osProfile: {
+ computerName: take(name, 15)
+ adminUsername: adminUsername
+ adminPassword: adminPassword
+ }
+ storageProfile: {
+ imageReference: {
+ publisher: publisher
+ offer: offer
+ sku: sku
+ version: version
+ }
+ osDisk: {
+ createOption: createOption
+ managedDisk: {
+ storageAccountType: storageAccountType
+ }
+ }
+ }
+ networkProfile: {
+ networkInterfaces: [
+ {
+ id: networkInterface.id
+ }
+ ]
+ }
+ }
+}
diff --git a/src/bicep/ui/README.md b/src/bicep/ui/README.md
new file mode 100644
index 000000000..80c8abe62
--- /dev/null
+++ b/src/bicep/ui/README.md
@@ -0,0 +1,7 @@
+# MLZ UI
+
+This folder contains a UI template to be executed against an mlz.json file generated from the bicep modules of MLZ. This file is intented for use as a quickstart only.
+
+[![Deploy To Azure](../../../docs/images/deploytoazure.svg?sanitize=true)](https://portal.azure.com/#blade/Microsoft_Azure_CreateUIDef/CustomDeploymentBlade/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fmissionlz%2Fbicep%2Fsrc%2Fbicep%2Fmlz.json/uiFormDefinitionUri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fmissionlz%2Fmain%2Fsrc%2Fbicep%2Fui%2Fmlz-portal.json)
+
+[![Deploy To Azure Gov](../../../docs/images/deploytoazuregov.svg?sanitize=true)](https://portal.azure.us/#blade/Microsoft_Azure_CreateUIDef/CustomDeploymentBlade/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fmissionlz%2Fbicep%2Fsrc%2Fbicep%2Fmlz.json/uiFormDefinitionUri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fmissionlz%2Fmain%2Fsrc%2Fbicep%2Fui%2Fmlz-portal.json)
\ No newline at end of file
diff --git a/src/bicep/ui/mlz-portal.json b/src/bicep/ui/mlz-portal.json
new file mode 100644
index 000000000..d47c10f49
--- /dev/null
+++ b/src/bicep/ui/mlz-portal.json
@@ -0,0 +1,1223 @@
+{
+ "$schema": "createFormUI.schema.json",
+ "view": {
+ "kind": "Form",
+ "properties": {
+ "title": "Deploy Mission LZ",
+ "steps": [{
+ "name": "generalSettings",
+ "label": "General Settings",
+ "subLabel": {
+ "preValidation": "Configure general settings",
+ "postValidation": "Done"
+ },
+ "bladeTitle": "General Settings",
+ "elements": [{
+ "name": "resourcePrefix",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Resource Prefix",
+ "defaultValue": "[[format('mlz-{0}', parameters('uniqueId'))]",
+ "toolTip": "A name (3-24 alphanumeric characters in length without whitespace) used to prefix resources and generate uniqueness for resources with globally unique naming requirements like Storage Accounts and Log Analytics Workspaces",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "tags",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Tags",
+ "defaultValue": "{\"resourcePrefix\":\"[parameters('resourcePrefix')]\"}",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "uniqueId",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Unique Id",
+ "defaultValue": "[[uniqueString(deployment().name)]",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ }
+ ]
+ },
+ {
+ "name": "hubSettings",
+ "label": "Hub Settings",
+ "subLabel": {
+ "preValidation": "Configure Hub settings",
+ "postValidation": "Done"
+ },
+ "bladeTitle": "Hub Settings",
+ "elements": [{
+ "name": "resourceScope",
+ "type": "Microsoft.Common.ResourceScope"
+ },
+ {
+ "name": "hubResourceGroupName",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Hub Resource Group Name",
+ "defaultValue": "[[format('{0}-hub', parameters('resourcePrefix'))]",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "hubLocation",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Hub Location",
+ "defaultValue": "[[deployment().location]",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "hubVirtualNetworkName",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Hub Virtual Network Name",
+ "defaultValue": "hub-vnet",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "hubSubnetName",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Hub Subnet Name",
+ "defaultValue": "hub-subnet",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "hubVirtualNetworkAddressPrefix",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Hub Virtual Network Address Prefix",
+ "defaultValue": "10.0.100.0/24",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "hubSubnetAddressPrefix",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Hub Subnet Address Prefix",
+ "defaultValue": "10.0.100.128/27",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "hubVirtualNetworkDiagnosticsLogs",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Hub Virtual Network Diagnostics Logs",
+ "defaultValue": "[[]",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "hubVirtualNetworkDiagnosticsMetrics",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Hub Virtual Network Diagnostics Metrics",
+ "defaultValue": "[[]",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "hubNetworkSecurityGroupName",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Hub Network Security Group Name",
+ "defaultValue": "hub-nsg",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "hubNetworkSecurityGroupRules",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Hub Network Security Group Rules",
+ "defaultValue": "[[]",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "hubSubnetServiceEndpoints",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Hub Subnet Service Endpoints",
+ "defaultValue": "[[]",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "hubLogStorageAccountName",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Hub Log Storage Account Name",
+ "defaultValue": "[[toLower(take(format('hublogs{0}', parameters('uniqueId')), 24))]",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "hubLogStorageSkuName",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Hub Log Storage Sku Name",
+ "defaultValue": "Standard_GRS",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "firewallName",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Firewall Name",
+ "defaultValue": "firewall",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "firewallSkuTier",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Firewall Sku Tier",
+ "defaultValue": "Premium",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "allowedValues": [{
+ "label": "Standard",
+ "value": "Standard"
+ },
+ {
+ "label": "Premium",
+ "value": "Premium"
+ }
+ ]
+ },
+ "visible": true
+ },
+ {
+ "name": "firewallManagementSubnetAddressPrefix",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Firewall Management Subnet Address Prefix",
+ "defaultValue": "10.0.100.64/26",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "firewallClientSubnetAddressPrefix",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Firewall Client Subnet Address Prefix",
+ "defaultValue": "10.0.100.0/26",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "firewallPolicyName",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Firewall Policy Name",
+ "defaultValue": "firewall-policy",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "firewallThreatIntelMode",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Firewall Threat Intel Mode",
+ "defaultValue": "Alert",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "firewallClientIpConfigurationName",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Firewall Client Ip Configuration Name",
+ "defaultValue": "firewall-client-ip-config",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "firewallClientSubnetServiceEndpoints",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Firewall Client Subnet Service Endpoints",
+ "defaultValue": "[[]",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "firewallClientPublicIPAddressName",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Firewall Client Public IP Address Name",
+ "defaultValue": "firewall-client-public-ip",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "firewallClientPublicIPAddressSkuName",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Firewall Client Public IP Address Sku Name",
+ "defaultValue": "Standard",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "firewallClientPublicIpAllocationMethod",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Firewall Client Public Ip Allocation Method",
+ "defaultValue": "Static",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "firewallClientPublicIPAddressAvailabilityZones",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Firewall Client Public IP Address Availability Zones",
+ "defaultValue": "[[]",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "firewallManagementIpConfigurationName",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Firewall Management Ip Configuration Name",
+ "defaultValue": "firewall-management-ip-config",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "firewallManagementSubnetServiceEndpoints",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Firewall Management Subnet Service Endpoints",
+ "defaultValue": "[[]",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "firewallManagementPublicIPAddressName",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Firewall Management Public IP Address Name",
+ "defaultValue": "firewall-management-public-ip",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "firewallManagementPublicIPAddressSkuName",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Firewall Management Public IP Address Sku Name",
+ "defaultValue": "Standard",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "firewallManagementPublicIpAllocationMethod",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Firewall Management Public Ip Allocation Method",
+ "defaultValue": "Static",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "firewallManagementPublicIPAddressAvailabilityZones",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Firewall Management Public IP Address Availability Zones",
+ "defaultValue": "[[]",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ }
+ ]
+ },
+ {
+ "name": "identitySettings",
+ "label": "Identity Settings",
+ "subLabel": {
+ "preValidation": "Configure identity settings",
+ "postValidation": "Done"
+ },
+ "bladeTitle": "Identity Settings",
+ "elements": [{
+ "name": "identitySubscriptionId",
+ "type": "Microsoft.Common.SubscriptionSelector",
+ "label": "Identity Subscription Id",
+ "defaultValue": "[[parameters('hubSubscriptionId')]",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "identityResourceGroupName",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Identity Resource Group Name",
+ "defaultValue": "[[replace(parameters('hubResourceGroupName'), 'hub', 'identity')]",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "identityLocation",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Identity Location",
+ "defaultValue": "[[parameters('hubLocation')]",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "identityVirtualNetworkName",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Identity Virtual Network Name",
+ "defaultValue": "[[replace(parameters('hubVirtualNetworkName'), 'hub', 'identity')]",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "identitySubnetName",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Identity Subnet Name",
+ "defaultValue": "[[replace(parameters('hubSubnetName'), 'hub', 'identity')]",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "identityVirtualNetworkAddressPrefix",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Identity Virtual Network Address Prefix",
+ "defaultValue": "10.0.110.0/26",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "identitySubnetAddressPrefix",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Identity Subnet Address Prefix",
+ "defaultValue": "10.0.110.0/27",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "identityVirtualNetworkDiagnosticsLogs",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Identity Virtual Network Diagnostics Logs",
+ "defaultValue": "[[]",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "identityVirtualNetworkDiagnosticsMetrics",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Identity Virtual Network Diagnostics Metrics",
+ "defaultValue": "[[]",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "identityNetworkSecurityGroupName",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Identity Network Security Group Name",
+ "defaultValue": "[[replace(parameters('hubNetworkSecurityGroupName'), 'hub', 'identity')]",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "identityNetworkSecurityGroupRules",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Identity Network Security Group Rules",
+ "defaultValue": "[[]",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "identitySubnetServiceEndpoints",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Identity Subnet Service Endpoints",
+ "defaultValue": "[[]",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "identityLogStorageAccountName",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Identity Log Storage Account Name",
+ "defaultValue": "[[toLower(take(format('idlogs{0}', parameters('uniqueId')), 24))]",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "identityLogStorageSkuName",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Identity Log Storage Sku Name",
+ "defaultValue": "[[parameters('hubLogStorageSkuName')]",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ }
+ ]
+ },
+ {
+ "name": "operationsSettings",
+ "label": "Operations Settings",
+ "subLabel": {
+ "preValidation": "Configure operations settings",
+ "postValidation": "Done"
+ },
+ "bladeTitle": "Operations Settings",
+ "elements": [{
+ "name": "operationsSubscriptionId",
+ "type": "Microsoft.Common.SubscriptionSelector",
+ "label": "Operations Subscription Id",
+ "defaultValue": "[[parameters('hubSubscriptionId')]",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "operationsResourceGroupName",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Operations Resource Group Name",
+ "defaultValue": "[[replace(parameters('hubResourceGroupName'), 'hub', 'operations')]",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "operationsLocation",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Operations Location",
+ "defaultValue": "[[parameters('hubLocation')]",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "operationsVirtualNetworkName",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Operations Virtual Network Name",
+ "defaultValue": "[[replace(parameters('hubVirtualNetworkName'), 'hub', 'operations')]",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "operationsVirtualNetworkAddressPrefix",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Operations Virtual Network Address Prefix",
+ "defaultValue": "10.0.115.0/26",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "operationsVirtualNetworkDiagnosticsLogs",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Operations Virtual Network Diagnostics Logs",
+ "defaultValue": "[[]",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "operationsVirtualNetworkDiagnosticsMetrics",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Operations Virtual Network Diagnostics Metrics",
+ "defaultValue": "[[]",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "operationsNetworkSecurityGroupName",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Operations Network Security Group Name",
+ "defaultValue": "[[replace(parameters('hubNetworkSecurityGroupName'), 'hub', 'operations')]",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "operationsNetworkSecurityGroupRules",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Operations Network Security Group Rules",
+ "defaultValue": "[[]",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "operationsSubnetName",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Operations Subnet Name",
+ "defaultValue": "[[replace(parameters('hubSubnetName'), 'hub', 'operations')]",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "operationsSubnetAddressPrefix",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Operations Subnet Address Prefix",
+ "defaultValue": "10.0.115.0/27",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "operationsSubnetServiceEndpoints",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Operations Subnet Service Endpoints",
+ "defaultValue": "[[]",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "operationsLogStorageAccountName",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Operations Log Storage Account Name",
+ "defaultValue": "[[toLower(take(format('opslogs{0}', parameters('uniqueId')), 24))]",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "operationsLogStorageSkuName",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Operations Log Storage Sku Name",
+ "defaultValue": "[[parameters('hubLogStorageSkuName')]",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ }
+ ]
+ },
+ {
+ "name": "sharedSettings",
+ "label": "Shared Settings",
+ "subLabel": {
+ "preValidation": "Configure shared settings",
+ "postValidation": "Done"
+ },
+ "bladeTitle": "General Settings",
+ "elements": [{
+ "name": "sharedServicesSubscriptionId",
+ "type": "Microsoft.Common.SubscriptionSelector",
+ "label": "Shared Services Subscription Id",
+ "defaultValue": "[[parameters('hubSubscriptionId')]",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "sharedServicesResourceGroupName",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Shared Services Resource Group Name",
+ "defaultValue": "[[replace(parameters('hubResourceGroupName'), 'hub', 'sharedServices')]",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "sharedServicesLocation",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Shared Services Location",
+ "defaultValue": "[[parameters('hubLocation')]",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "sharedServicesVirtualNetworkName",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Shared Services Virtual Network Name",
+ "defaultValue": "[[replace(parameters('hubVirtualNetworkName'), 'hub', 'sharedServices')]",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "sharedServicesSubnetName",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Shared Services Subnet Name",
+ "defaultValue": "[[replace(parameters('hubSubnetName'), 'hub', 'sharedServices')]",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "sharedServicesVirtualNetworkAddressPrefix",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Shared Services Virtual Network Address Prefix",
+ "defaultValue": "10.0.120.0/26",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "sharedServicesSubnetAddressPrefix",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Shared Services Subnet Address Prefix",
+ "defaultValue": "10.0.120.0/27",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "sharedServicesVirtualNetworkDiagnosticsLogs",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Shared Services Virtual Network Diagnostics Logs",
+ "defaultValue": "[[]",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "sharedServicesVirtualNetworkDiagnosticsMetrics",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Shared Services Virtual Network Diagnostics Metrics",
+ "defaultValue": "[[]",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "sharedServicesNetworkSecurityGroupName",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Shared Services Network Security Group Name",
+ "defaultValue": "[[replace(parameters('hubNetworkSecurityGroupName'), 'hub', 'sharedServices')]",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "sharedServicesNetworkSecurityGroupRules",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Shared Services Network Security Group Rules",
+ "defaultValue": "[[]",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "sharedServicesSubnetServiceEndpoints",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Shared Services Subnet Service Endpoints",
+ "defaultValue": "[[]",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "sharedServicesLogStorageAccountName",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Shared Services Log Storage Account Name",
+ "defaultValue": "[[toLower(take(format('shrdSvclogs{0}', parameters('uniqueId')), 24))]",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "sharedServicesLogStorageSkuName",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Shared Services Log Storage Sku Name",
+ "defaultValue": "[[parameters('hubLogStorageSkuName')]",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ }
+ ]
+ },
+ {
+ "name": "logSettings",
+ "label": "Log Settings",
+ "subLabel": {
+ "preValidation": "Configure log settings",
+ "postValidation": "Done"
+ },
+ "bladeTitle": "Log Settings",
+ "elements": [{
+ "name": "logAnalyticsWorkspaceName",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Log Analytics Workspace Name",
+ "defaultValue": "[[take(format('{0}-laws', parameters('resourcePrefix')), 63)]",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "logAnalyticsWorkspaceLocation",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Log Analytics Workspace Location",
+ "defaultValue": "[[parameters('sharedServicesLocation')]",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "logAnalyticsWorkspaceCappingDailyQuotaGb",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Log Analytics Workspace Capping Daily Quota Gb",
+ "defaultValue": "-1",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "logAnalyticsWorkspaceRetentionInDays",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Log Analytics Workspace Retention In Days",
+ "defaultValue": "30",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ },
+ {
+ "name": "logAnalyticsWorkspaceSkuName",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Log Analytics Workspace Sku Name",
+ "defaultValue": "PerGB2018",
+ "toolTip": "",
+ "constraints": {
+ "required": false,
+ "regex": "",
+ "validationMessage": ""
+ },
+ "visible": true
+ }
+ ]
+ }
+ ]
+ },
+ "outputs": {
+ "parameters": {
+ "resourcePrefix": "[steps('generalSettings').resourcePrefix]",
+ "hubSubscriptionId": "[steps('hubSettings').resourceScope.subscription.subscriptionId]",
+ "identitySubscriptionId": "[steps('identitySettings').identitySubscriptionId.subscriptionId]",
+ "operationsSubscriptionId": "[steps('operationsSettings').operationsSubscriptionId.subscriptionId]",
+ "sharedServicesSubscriptionId": "[steps('sharedSettings').sharedServicesSubscriptionId.subscriptionId]",
+ "firewallSkuTier": "[steps('hubSettings').firewallSkuTier]",
+ "hubResourceGroupName": "[steps('hubSettings').hubResourceGroupName]",
+ "hubLocation": "[steps('hubSettings').hubLocation]",
+ "hubVirtualNetworkName": "[steps('hubSettings').hubVirtualNetworkName]",
+ "hubSubnetName": "[steps('hubSettings').hubSubnetName]",
+ "hubVirtualNetworkAddressPrefix": "[steps('hubSettings').hubVirtualNetworkAddressPrefix]",
+ "hubSubnetAddressPrefix": "[steps('hubSettings').hubSubnetAddressPrefix]",
+ "hubVirtualNetworkDiagnosticsLogs": "[steps('hubSettings').hubVirtualNetworkDiagnosticsLogs]",
+ "hubVirtualNetworkDiagnosticsMetrics": "[steps('hubSettings').hubVirtualNetworkDiagnosticsMetrics]",
+ "hubNetworkSecurityGroupName": "[steps('hubSettings').hubNetworkSecurityGroupName]",
+ "hubNetworkSecurityGroupRules": "[steps('hubSettings').hubNetworkSecurityGroupRules]",
+ "hubSubnetServiceEndpoints": "[steps('hubSettings').hubSubnetServiceEndpoints]",
+ "hubLogStorageAccountName": "[steps('hubSettings').hubLogStorageAccountName]",
+ "hubLogStorageSkuName": "[steps('hubSettings').hubLogStorageSkuName]",
+ "firewallName": "[steps('hubSettings').firewallName]",
+ "firewallManagementSubnetAddressPrefix": "[steps('hubSettings').firewallManagementSubnetAddressPrefix]",
+ "firewallClientSubnetAddressPrefix": "[steps('hubSettings').firewallClientSubnetAddressPrefix]",
+ "firewallPolicyName": "[steps('hubSettings').firewallPolicyName]",
+ "firewallThreatIntelMode": "[steps('hubSettings').firewallThreatIntelMode]",
+ "firewallClientIpConfigurationName": "[steps('hubSettings').firewallClientIpConfigurationName]",
+ "firewallClientSubnetServiceEndpoints": "[steps('hubSettings').firewallClientSubnetServiceEndpoints]",
+ "firewallClientPublicIPAddressName": "[steps('hubSettings').firewallClientPublicIPAddressName]",
+ "firewallClientPublicIPAddressSkuName": "[steps('hubSettings').firewallClientPublicIPAddressSkuName]",
+ "firewallClientPublicIpAllocationMethod": "[steps('hubSettings').firewallClientPublicIpAllocationMethod]",
+ "firewallClientPublicIPAddressAvailabilityZones": "[steps('hubSettings').firewallClientPublicIPAddressAvailabilityZones]",
+ "firewallManagementIpConfigurationName": "[steps('hubSettings').firewallManagementIpConfigurationName]",
+ "firewallManagementSubnetServiceEndpoints": "[steps('hubSettings').firewallManagementSubnetServiceEndpoints]",
+ "firewallManagementPublicIPAddressName": "[steps('hubSettings').firewallManagementPublicIPAddressName]",
+ "firewallManagementPublicIPAddressSkuName": "[steps('hubSettings').firewallManagementPublicIPAddressSkuName]",
+ "firewallManagementPublicIpAllocationMethod": "[steps('hubSettings').firewallManagementPublicIpAllocationMethod]",
+ "firewallManagementPublicIPAddressAvailabilityZones": "[steps('hubSettings').firewallManagementPublicIPAddressAvailabilityZones]",
+ "identityResourceGroupName": "[steps('identitySettings').identityResourceGroupName]",
+ "identityLocation": "[steps('identitySettings').identityLocation]",
+ "identityVirtualNetworkName": "[steps('identitySettings').identityVirtualNetworkName]",
+ "identitySubnetName": "[steps('identitySettings').identitySubnetName]",
+ "identityVirtualNetworkAddressPrefix": "[steps('identitySettings').identityVirtualNetworkAddressPrefix]",
+ "identitySubnetAddressPrefix": "[steps('identitySettings').identitySubnetAddressPrefix]",
+ "identityVirtualNetworkDiagnosticsLogs": "[steps('identitySettings').identityVirtualNetworkDiagnosticsLogs]",
+ "identityVirtualNetworkDiagnosticsMetrics": "[steps('identitySettings').identityVirtualNetworkDiagnosticsMetrics]",
+ "identityNetworkSecurityGroupName": "[steps('identitySettings').identityNetworkSecurityGroupName]",
+ "identityNetworkSecurityGroupRules": "[steps('identitySettings').identityNetworkSecurityGroupRules]",
+ "identitySubnetServiceEndpoints": "[steps('identitySettings').identitySubnetServiceEndpoints]",
+ "identityLogStorageAccountName": "[steps('identitySettings').identityLogStorageAccountName]",
+ "identityLogStorageSkuName": "[steps('identitySettings').identityLogStorageSkuName]",
+ "operationsResourceGroupName": "[steps('operationsSettings').operationsResourceGroupName]",
+ "operationsLocation": "[steps('operationsSettings').operationsLocation]",
+ "operationsVirtualNetworkName": "[steps('operationsSettings').operationsVirtualNetworkName]",
+ "operationsVirtualNetworkAddressPrefix": "[steps('operationsSettings').operationsVirtualNetworkAddressPrefix]",
+ "operationsVirtualNetworkDiagnosticsLogs": "[steps('operationsSettings').operationsVirtualNetworkDiagnosticsLogs]",
+ "operationsVirtualNetworkDiagnosticsMetrics": "[steps('operationsSettings').operationsVirtualNetworkDiagnosticsMetrics]",
+ "operationsNetworkSecurityGroupName": "[steps('operationsSettings').operationsNetworkSecurityGroupName]",
+ "operationsNetworkSecurityGroupRules": "[steps('operationsSettings').operationsNetworkSecurityGroupRules]",
+ "operationsSubnetName": "[steps('operationsSettings').operationsSubnetName]",
+ "operationsSubnetAddressPrefix": "[steps('operationsSettings').operationsSubnetAddressPrefix]",
+ "operationsSubnetServiceEndpoints": "[steps('operationsSettings').operationsSubnetServiceEndpoints]",
+ "operationsLogStorageAccountName": "[steps('operationsSettings').operationsLogStorageAccountName]",
+ "operationsLogStorageSkuName": "[steps('operationsSettings').operationsLogStorageSkuName]",
+ "sharedServicesResourceGroupName": "[steps('sharedSettings').sharedServicesResourceGroupName]",
+ "sharedServicesLocation": "[steps('sharedSettings').sharedServicesLocation]",
+ "sharedServicesVirtualNetworkName": "[steps('sharedSettings').sharedServicesVirtualNetworkName]",
+ "sharedServicesSubnetName": "[steps('sharedSettings').sharedServicesSubnetName]",
+ "sharedServicesVirtualNetworkAddressPrefix": "[steps('sharedSettings').sharedServicesVirtualNetworkAddressPrefix]",
+ "sharedServicesSubnetAddressPrefix": "[steps('sharedSettings').sharedServicesSubnetAddressPrefix]",
+ "sharedServicesVirtualNetworkDiagnosticsLogs": "[steps('sharedSettings').sharedServicesVirtualNetworkDiagnosticsLogs]",
+ "sharedServicesVirtualNetworkDiagnosticsMetrics": "[steps('sharedSettings').sharedServicesVirtualNetworkDiagnosticsMetrics]",
+ "sharedServicesNetworkSecurityGroupName": "[steps('sharedSettings').sharedServicesNetworkSecurityGroupName]",
+ "sharedServicesNetworkSecurityGroupRules": "[steps('sharedSettings').sharedServicesNetworkSecurityGroupRules]",
+ "sharedServicesSubnetServiceEndpoints": "[steps('sharedSettings').sharedServicesSubnetServiceEndpoints]",
+ "sharedServicesLogStorageAccountName": "[steps('sharedSettings').sharedServicesLogStorageAccountName]",
+ "sharedServicesLogStorageSkuName": "[steps('sharedSettings').sharedServicesLogStorageSkuName]",
+ "logAnalyticsWorkspaceName": "[steps('logSettings').logAnalyticsWorkspaceName]",
+ "logAnalyticsWorkspaceLocation": "[steps('logSettings').logAnalyticsWorkspaceLocation]",
+ "logAnalyticsWorkspaceCappingDailyQuotaGb": "[steps('logSettings').logAnalyticsWorkspaceCappingDailyQuotaGb]",
+ "logAnalyticsWorkspaceRetentionInDays": "[steps('logSettings').logAnalyticsWorkspaceRetentionInDays]",
+ "logAnalyticsWorkspaceSkuName": "[steps('logSettings').logAnalyticsWorkspaceSkuName]",
+ "tags": "[steps('generalSettings').tags]",
+ "uniqueId": "[steps('generalSettings').uniqueId]"
+ },
+ "kind": "Subscription",
+ "subscriptionId": "[steps('hubSettings').resourceScope.subscription.id]",
+ "location": "[steps('hubSettings').resourceScope.location.name]"
+ }
+ }
+}
\ No newline at end of file
diff --git a/src/build/README.md b/src/build/README.md
deleted file mode 100644
index 977bfd679..000000000
--- a/src/build/README.md
+++ /dev/null
@@ -1,76 +0,0 @@
-# build
-
-This folder contains scripts that would be used by some automation tool to apply/destroy terraform in the repo.
-
-This is a work in progress. Future work will be done to integrate this into a GitHub Actions workflow.
-
-## Why
-
-Provide an unattended way to ensure things are deployable in the repo.
-
-## What you need
-
-- Terraform CLI
-- Azure CLI
-- Deployed MLZ Config resources (Service Principal for deployment, Key Vault)
-- A MLZ Config file
-- A global.tfvars
-- .tfvars for saca-hub, tier-0, tier-1, tier-2
-
-## How
-
-See the root [README's "Configure the Terraform Backend"](../README.md#Configure-the-Terraform-Backend) on how to get the MLZ Config resources deployed and a MLZ Config file.
-
-Today, the global.tfvars file and the .tfvars for saca-hub, tier0-2, are well known and stored elsewhere. Reach out to the team if you need them.
-
-Then, to apply and destroy pass those files as arguments to the relevant script.
-
-There's an [optional argument to display terraform output](#Optionally-display-Terraform-output).
-
-```shell
-usage() {
- echo "apply_tf.sh: Automation that calls apply terraform given a MLZ configuration and some tfvars"
- error_log "usage: apply_tf.sh "
-}
-```
-
-```shell
-# assuming src/scripts/config/create_required_resources.sh has been run before...
-./apply_tf.sh \
- ./path-to/mlz.config \
- ./path-to/mlz.tfvars
- y
-```
-
-```shell
-# assuming src/scripts/config/create_required_resources.sh has been run before...
-./destroy_tf.sh \
- ./path-to/mlz.config \
- ./path-to/mlz.tfvars \
- y
-```
-
-### Optionally display Terraform output
-
-There's an optional argument at the end to specify whether or not to display terraform's output. Set it to 'y' if you want to see things as they happen.
-
-By default, if you do not set this argument, terraform output will be sent to /dev/null (to support clean logs in a CI/CD environment) and your logs will look like:
-
-```plaintext
-Applying saca-hub (1/5)...
-Finished applying saca-hub!
-Applying tier-0 (1/5)...
-Finished applying tier-0!
-Applying tier-1 (1/5)...
-Finished applying tier-1!
-Applying tier-2 (1/5)...
-Finished applying tier-2!
-```
-
-## Gotchas
-
-There's wonky behavior with how Log Analytics Workspaces and Azure Monitor diagnostic log settings are deleted at the Azure Resource Manager level.
-
-For example, if you deployed your environment with Terraform, then deleted it with Azure CLI or the Portal, you can end up with orphan/ghost resources that will be deleted at some other unknown time.
-
-To ensure you're able to deploy on-top of existing resources over and over again, __use Terraform to apply and destroy your environment.__
diff --git a/src/build/apply_tf.sh b/src/build/apply_tf.sh
deleted file mode 100755
index bf1fff7b8..000000000
--- a/src/build/apply_tf.sh
+++ /dev/null
@@ -1,115 +0,0 @@
-#!/bin/bash
-#
-# Copyright (c) Microsoft Corporation.
-# Licensed under the MIT License.
-#
-# shellcheck disable=SC1090,SC2154
-# SC1090: Can't follow non-constant source. Use a directive to specify location.
-# SC2154: "var is referenced but not assigned". These values come from an external file.
-#
-# Automation that calls apply terraform given a MLZ configuration
-
-set -e
-
-error_log() {
- echo "${1}" 1>&2;
-}
-
-usage() {
- echo "apply_tf.sh: Automation that calls apply terraform given a MLZ configuration and some tfvars"
- error_log "usage: apply_tf.sh "
-}
-
-if [[ "$#" -lt 2 ]]; then
- usage
- exit 1
-fi
-
-# take some valid, well known, mlz_config and tfvars as input
-mlz_config=$(realpath "${1}")
-mlz_tfvars=$(realpath "${2}")
-display_tf_output=${3:-n}
-
-# reference paths
-this_script_path=$(realpath "${BASH_SOURCE%/*}")
-src_dir=$(dirname "${this_script_path}")
-terraform_dir="${src_dir}/terraform/"
-scripts_dir="${src_dir}/scripts/"
-
-# apply function
-apply() {
- sub_id=$1
- tf_dir=$2
- vars=$3
-
- # generate config.vars based on MLZ Config and Terraform module
- . "${scripts_dir}/config/generate_vars.sh" \
- "${mlz_config}" \
- "${sub_id}" \
- "${tf_dir}"
-
- # remove any existing terraform initialzation
- rm -rf "${tf_dir}/.terraform"
-
- # copy input vars to temporary file
- input_vars=$(realpath "${vars}")
- temp_vars="temp_vars.tfvars"
- rm -f "${temp_vars}"
- touch "${temp_vars}"
- cp "${input_vars}" "${temp_vars}"
-
- # remove any tfvars and subtitute it with input vars
- tf_vars="${tf_dir}/$(basename "${vars}")"
- rm -f "${tf_vars}"
- touch "${tf_vars}"
- cp "${temp_vars}" "${tf_vars}"
- rm -f "${temp_vars}"
-
- # set the target subscription
- az account set \
- --subscription "${sub_id}" \
- --output none
-
- # attempt to apply $max_attempts times before giving up
- # (race conditions, transient errors etc.)
- apply_success="false"
- attempts=1
- max_attempts=1
-
- apply_command="${scripts_dir}/terraform/apply_terraform.sh ${tf_dir} ${tf_vars} y"
- destroy_command="${scripts_dir}/terraform/destroy_terraform.sh ${tf_dir} ${tf_vars} y"
-
- if [[ $display_tf_output == "n" ]]; then
- apply_command+=" &>/dev/null"
- destroy_command+=" &>/dev/null"
- fi
-
- while [ $apply_success == "false" ]
- do
- echo "INFO: applying Terraform at ${tf_dir} (${attempts}/${max_attempts})..."
-
- if ! eval "$apply_command";
- then
- # if we fail, run terraform destroy and try again
- error_log "ERROR: failed to apply ${tf_dir} (${attempts}/${max_attempts}). Trying some manual clean-up and Terraform destroy..."
- eval "$destroy_command"
-
- ((attempts++))
-
- if [[ $attempts -gt $max_attempts ]]; then
- error_log "ERROR: failed ${max_attempts} times to apply ${tf_dir}. Exiting."
- exit 1
- fi
- else
- # if we succeed meet the base case
- apply_success="true"
- echo "INFO: finished applying ${tf_dir}!"
- fi
- done
-}
-
-# source vars from mlz_config
-. "${mlz_config}"
-
-# call apply()
-apply "${mlz_saca_subid}" "${terraform_dir}/mlz" "${mlz_tfvars}"
diff --git a/src/build/check_tf_format.sh b/src/build/check_tf_format.sh
new file mode 100755
index 000000000..906deee2f
--- /dev/null
+++ b/src/build/check_tf_format.sh
@@ -0,0 +1,49 @@
+#!/bin/bash
+#
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+#
+# Check Terraform formatting for 1:M directories, exiting if any errors are produced
+
+program_log () {
+ echo "${0}: ${1}"
+}
+
+error_log () {
+ echo "Error: ${1}"
+}
+
+# Check for Terraform
+if ! command -v terraform &> /dev/null; then
+ error_log "Terraform could not be found. This script requires the Terraform CLI."
+ echo "See https://learn.hashicorp.com/tutorials/terraform/install-cli for installation instructions."
+ exit 1
+fi
+
+format_tf() {
+ local tf_dir=$1
+ cd "$tf_dir" || exit 1
+ program_log "checking formatting at $tf_dir..."
+ if terraform fmt -check -recursive >> /dev/null;
+ then
+ program_log "successful check with 'terraform fmt -check -recursive ${tf_dir}'"
+ else
+ linting_results=$(terraform fmt -check -recursive)
+ for j in $linting_results
+ do
+ error_log "'${j}' is not formatted correctly. Format with the command 'terraform fmt ${j}'"
+ done
+ program_log "run 'terraform fmt -recursive' to format all Terraform components in a directory"
+ exit 1;
+ fi
+}
+
+working_dir=$(pwd)
+
+for arg in "$@"
+do
+ cd "$working_dir" || exit 1
+ format_tf "$(realpath "$arg")"
+done
+
+program_log "done!"
\ No newline at end of file
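Review bot: `format_tf` trusts its argument before the `cd "$tf_dir" || exit 1` guard, but the caller passes `"$(realpath "$arg")"`, and on a mistyped path GNU `realpath` prints nothing to stdout while bash's `cd ""` appears to succeed without changing directory, so the check would most likely run against the caller's working directory and report it as formatted. A one-line guard ahead of the `cd` closes this: `[[ -d "$tf_dir" ]] || { error_log "'${tf_dir}' is not a directory"; exit 1; }`. The same pattern appears in `validate_tf` in the `src/build/validate_tf.sh` hunk. Separately, `error_log` here writes to stdout, unlike the deleted build scripts which used `1>&2`; `echo "Error: ${1}" 1>&2` keeps failures separable from progress output in CI logs.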
diff --git a/src/build/destroy_tf.sh b/src/build/destroy_tf.sh
deleted file mode 100755
index c01f9dad7..000000000
--- a/src/build/destroy_tf.sh
+++ /dev/null
@@ -1,111 +0,0 @@
-#!/bin/bash
-#
-# Copyright (c) Microsoft Corporation.
-# Licensed under the MIT License.
-#
-# shellcheck disable=SC1090,SC2154
-# SC1090: Can't follow non-constant source. These values come from an external file.
-# SC2154: "var is referenced but not assigned". These values come from an external file.
-#
-# Automation that calls destroy terraform given a MLZ configuration
-
-set -e
-
-error_log() {
- echo "${1}" 1>&2;
-}
-
-usage() {
- echo "destroy_tf.sh: Automation that calls destroy terraform given a MLZ configuration and some tfvars"
- error_log "usage: destroy_tf.sh "
-}
-
-if [[ "$#" -lt 2 ]]; then
- usage
- exit 1
-fi
-
-# take some valid, well known, mlz_config and tfvars as input
-mlz_config=$(realpath "${1}")
-mlz_tfvars=$(realpath "${2}")
-display_tf_output=${3:-n}
-
-# reference paths
-this_script_path=$(realpath "${BASH_SOURCE%/*}")
-src_dir=$(dirname "${this_script_path}")
-terraform_dir="${src_dir}/terraform/"
-scripts_dir="${src_dir}/scripts/"
-
-# destroy function
-destroy() {
- sub_id=$1
- tf_dir=$2
- vars=$3
-
- # generate config.vars based on MLZ Config and Terraform module
- . "${scripts_dir}/config/generate_vars.sh" \
- "${mlz_config}" \
- "${sub_id}" \
- "${tf_dir}"
-
- # remove any existing terraform initialzation
- rm -rf "${path}/.terraform"
-
- # copy input vars to temporary file
- input_vars=$(realpath "${vars}")
- temp_vars="temp_vars.tfvars"
- rm -f "${temp_vars}"
- touch "${temp_vars}"
- cp "${input_vars}" "${temp_vars}"
-
- # remove any configuration tfvars and subtitute it with input vars
- tf_vars="${tf_dir}/$(basename "${vars}")"
- rm -f "${tf_vars}"
- touch "${tf_vars}"
- cp "${temp_vars}" "${tf_vars}"
- rm -f "${temp_vars}"
-
- # set the target subscription
- az account set \
- --subscription "${sub_id}" \
- --output none
-
- # attempt to apply $max_attempts times before giving up
- # (race conditions, transient errors etc.)
- destroy_success="false"
- attempts=1
- max_attempts=1
-
- destroy_command="${scripts_dir}/terraform/destroy_terraform.sh ${tf_dir} ${tf_vars} y"
-
- if [[ "$display_tf_output" == "n" ]]; then
- destroy_command+=" &>/dev/null"
- fi
-
- while [ $destroy_success == "false" ]
- do
- echo "INFO: destroying ${tf_dir} (${attempts}/${max_attempts})..."
-
- if ! eval "$destroy_command";
- then
- # if we fail, run terraform destroy again until $max_attempts
- error_log "ERROR: failed to destroy ${tf_dir} (${attempts}/${max_attempts})"
-
- ((attempts++))
-
- if [[ $attempts -gt $max_attempts ]]; then
- error_log "ERROR: failed ${max_attempts} times to destroy ${tf_dir}. Exiting."
- exit 1
- fi
- else
- destroy_success="true"
- echo "INFO: finished destroying ${tf_dir}!"
- fi
- done
-}
-
-# source vars from mlz_config
-. "${mlz_config}"
-
-# call destroy()
-destroy "${mlz_saca_subid}" "${terraform_dir}/mlz" "${mlz_tfvars}"
diff --git a/src/build/get_vars.sh b/src/build/get_vars.sh
deleted file mode 100755
index c4b40f91e..000000000
--- a/src/build/get_vars.sh
+++ /dev/null
@@ -1,45 +0,0 @@
-#!/bin/bash
-#
-# Copyright (c) Microsoft Corporation.
-# Licensed under the MIT License.
-#
-# Get MLZ Configuration and Terraform Variables from a storage account
-
-set -e
-
-error_log() {
- echo "${1}" 1>&2;
-}
-
-usage() {
- echo "get_vars.sh: login using known Service Principal credentials into a given tenant"
- error_log "usage: get_vars.sh.sh "
-}
-
-if [[ "$#" -lt 3 ]]; then
- usage
- exit 1
-fi
-
-sa_name=$1
-sa_token=$2
-sa_container=$3
-
-# create some place to hold the configuration and TF vars
-rm -rf "vars"
-mkdir "vars"
-
-# download everything in the container to that place
-az storage blob download-batch \
- --account-name "${sa_name}" \
- --sas-token "${sa_token}" \
- --source "${sa_container}" \
- --pattern "*" \
- --destination "vars" \
- --output "none" \
- --only-show-errors
-
-# remove Windows EOL characters
-for file in vars/*; do
- sed -i 's/\r$//' "${file}"
-done
diff --git a/src/build/login_azcli.sh b/src/build/login_azcli.sh
deleted file mode 100755
index d5cc606aa..000000000
--- a/src/build/login_azcli.sh
+++ /dev/null
@@ -1,38 +0,0 @@
-#!/bin/bash
-#
-# Copyright (c) Microsoft Corporation.
-# Licensed under the MIT License.
-#
-# shellcheck disable=SC1090,SC2154
-# SC1090: Can't follow non-constant source. These values come from an external file.
-# SC2154: "var is referenced but not assigned". These values come from an external file.
-#
-# Get the tenant ID from some MLZ configuration file and login using known Service Principal credentials
-
-set -e
-
-error_log() {
- echo "${1}" 1>&2;
-}
-
-usage() {
- echo "login_azcli.sh: login using known Service Principal credentials into a given tenant"
- error_log "usage: login_azcli.sh "
-}
-
-if [[ "$#" -lt 3 ]]; then
- usage
- exit 1
-fi
-
-tenant_id=$1
-sp_id=$2
-sp_pw=$3
-
-# login with known credentials
-az login --service-principal \
- --user "${sp_id}" \
- --password="${sp_pw}" \
- --tenant "${tenant_id}" \
- --allow-no-subscriptions \
- --output json
diff --git a/src/build/validate_tf.sh b/src/build/validate_tf.sh
index 57858edbd..ab8815375 100755
--- a/src/build/validate_tf.sh
+++ b/src/build/validate_tf.sh
@@ -3,7 +3,7 @@
# Copyright (c) Microsoft Corporation.
# Licensed under the MIT License.
#
-# Validates and lints terraform, exiting if any errors are produced
+# Validates and lints Terraform for 1:M directories, exiting if any errors are produced
program_log () {
echo "${0}: ${1}"
@@ -20,38 +20,20 @@ if ! command -v terraform &> /dev/null; then
exit 1
fi
-full_path=$(realpath "${0}")
-repo_path=$(dirname "$(dirname "${full_path}")")
-core_path="${repo_path}/core"
+validate_tf() {
+ local tf_dir=$1
+ cd "$tf_dir" || exit 1
+ program_log "validating at $tf_dir..."
+ terraform init -backend=false >> /dev/null || exit 1
+ terraform validate >> /dev/null || exit 1
+}
-if [ -d "$core_path" ];
-then
- # Validate all .tf and their dependencies in core_path
- program_log "Validating Terraform..."
- cd "${core_path}" || exit
- for i in $(find . -name "*.tf" -printf "%h\n" | sort --unique)
- do
- cd "${i}" || exit
- echo "validating ${i}..."
- terraform init -backend=false >> /dev/null || exit 1
- terraform validate >> /dev/null || exit 1
- cd "${core_path}" || exit
- done
- program_log "Terraform validated successfully!"
+working_dir=$(pwd)
- # Check formatting in all .tf files in repo
- program_log "Linting Terraform..."
- cd "${repo_path}" || exit
- if terraform fmt -check -recursive >> /dev/null;
- then
- program_log "Terraform linted successfully!"
- else
- linting_results=$(terraform fmt -check -recursive)
- for j in $linting_results
- do
- error_log "please format '${j}' with the command 'terraform fmt'"
- done
- program_log "alternatively, you can run 'terraform fmt -recursive' to format all *.tf in a directory"
- exit 1;
- fi
-fi
+for arg in "$@"
+do
+ cd "$working_dir" || exit 1
+ validate_tf "$(realpath "$arg")"
+done
+
+program_log "done!"
\ No newline at end of file
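Review bot: The new `validate_tf` runs `terraform init -backend=false` with no lock-file mode, so if the validated directories carry a `.terraform.lock.hcl`, a provider resolution that disagrees with the committed lock file would be written through rather than reported; `terraform init -backend=false -lockfile=readonly >> /dev/null || exit 1` makes that a hard failure of the check, which is the behaviour a CI validation step wants. The header comment should also state the scope change from the removed `find . -name "*.tf"` loop: each argument is now validated as one directory, e.g. `# Each argument is validated as a single Terraform directory; sibling directories are not discovered`. As a point of style, `>> /dev/null` on both terraform calls is an append to the null device; `> /dev/null` reads as the intent.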
diff --git a/src/docs/command-line-deployment.md b/src/docs/command-line-deployment.md
deleted file mode 100644
index 0aa3d5f0e..000000000
--- a/src/docs/command-line-deployment.md
+++ /dev/null
@@ -1,258 +0,0 @@
-# Command-Line Deployment
-
-The steps in this article assume the following pre-requisites for command-line deployments:
-
-* Follow the Mission LZ [Getting Started](https://github.com/Azure/missionlz/blob/main/src/docs/getting-started.md#pre-requisites) steps.
-* **(Highly recommend)** Use the [the Mission LZ `.devcontainer`](https://github.com/Azure/missionlz/blob/main/src/docs/getting-started.md#use-the-development-container-for-command-line-deployments) provided in the Mission LZ project and perform the deployment steps below within this context. This container image provides a controlled environment that includes all the pre-requisite tools for Mission LZ deployments and should lead to an overall better user experience.
-
- > As an alternative, it is possible to deploy Mission LZ via BASH running from the local workstation, but requires the following additional requirements:
- >
- > * The current version of Azure CLI (try `az version` or see )
- > * Terraform CLI version > v0.13.4 (try `terraform -v` or see )
-
-## Step-by-step
-
-1. Follow the [steps to open the `.devcontainer`](../../.devcontainer/README.md) as the recommended option (or start a local BASH shell with the additional requirements installed as the alternate option)
-
- > `vscode@missionlz-dev:/workspaces/missionlz$` is the root working directory for the BASH shell in the `.devcontainer`
-
-1. Log in using the Azure CLI
-
- ```BASH
- az login
- ```
-
- > *(Optional)* If you needed to deploy into another cloud such as Azure Government, set the cloud name before logging in:
-
- ```BASH
- az cloud set -n AzureUSGovernment
- az login
- ```
-
-1. Quickstart
- 1. [Deploy](#quickstart-deploy)
- 1. [Clean](#quickstart-clean)
- 1. [Arguments](#quickstart-arguments)
-1. Advanced path (*optional*)
- 1. [Setup Mission LZ Resources](#setup-mission-lz-resources)
- 1. [Set Terraform Configuration Variables](#set-terraform-configuration-variables)
- 1. [Deploy Terraform Configuration](#deploy-terraform-configuration)
- 1. [Clean up Mission LZ Resources](#clean-up-mission-lz-resources)
-
-## Quickstart
-
-### Quickstart Deploy
-
-Interested in just getting started and seeing what this does? Login to Azure CLI and try this command to deploy Mission LZ with some default configuration:
-
-```bash
-src/scripts/deploy.sh -s {your_subscription_id}
-```
-
-The `deploy.sh` command deploys all of the MLZ and Terraform resources, and by default, into a single subscription in Azure Commercial EastUS with a timestamped name.
-
-If you needed to deploy into another cloud, say Azure Government, you would [override the default region](https://azure.microsoft.com/en-us/global-infrastructure/geographies/#overview) and [default azurerm terraform environment](https://www.terraform.io/docs/language/settings/backends/azurerm.html#environment) like:
-
-```bash
-az cloud set -n AzureUSGovernment
-az login
-src/scripts/deploy.sh -s {your_subscription_id} \
- --location usgovvirginia \
- --tf-environment usgovernment
-```
-
-For a complete list of arguments see [Quickstart Arguments](#Quickstart-Arguments).
-
-### Quickstart Clean
-
-Once the deployment is complete, you'll be presented with a command that will clean up all of the resources that were deployed:
-
-```plaintext
-INFO: Complete!
-INFO: All finished? Want to clean up?
-INFO: Try this command:
-INFO: src/scripts/clean.sh -z mymlzenv
-```
-
-Which you can then execute like:
-
-```bash
-src/scripts/clean.sh -z mymlzenv
-```
-
-The `clean.sh` command will call Terraform destroy for all the resources Terraform created and delete the MLZ resources and service principal.
-
-### Quickstart Arguments
-
-If you don't wish to use those defaults, you can customize this command to target multiple subscriptions, different regions, and using different Terraform environments and azurerm configurations with the full set of arguments:
-
-```plaintext
-deploy.sh: create all the configuration and deploy Terraform resources with minimal input
- argument description
- --subscription-id -s Subscription ID for MissionLZ resources
- --location -l [OPTIONAL] The location that you're deploying to (defaults to 'eastus')
- --tf-environment -e [OPTIONAL] Terraform azurerm environment (defaults to 'public') see: https://www.terraform.io/docs/language/settings/backends/azurerm.html#environment
- --mlz-env-name -z [OPTIONAL] Unique name for MLZ environment (defaults to 'mlz' + UNIX timestamp)
- --hub-sub-id -u [OPTIONAL] subscription ID for the hub network and resources (defaults to the value provided for -s --subscription-id)
- --tier0-sub-id -0 [OPTIONAL] subscription ID for tier 0 network and resources (defaults to the value provided for -s --subscription-id)
- --tier1-sub-id -1 [OPTIONAL] subscription ID for tier 1 network and resources (defaults to the value provided for -s --subscription-id)
- --tier2-sub-id -2 [OPTIONAL] subscription ID for tier 2 network and resources (defaults to the value provided for -s --subscription-id)
- --tier3-sub-id -3 [OPTIONAL] subscription ID for tier 3 network and resources (defaults to the value provided for -s --subscription-id), input is used in conjunction with deploy_t3.sh
- --write-output -w [OPTIONAL] Tier 3 Deployment requires Terraform output, use this flag to write terraform output
- --no-bastion [OPTIONAL] when present, do not create a Bastion Host and Jumpbox VM
- --no-sentinel [OPTIONAL] when present, do not create an Azure Sentinel solution
- --policy [OPTIONAL] when present, create Policy Assignments for built-in NIST initiative
- --no-service-principal [OPTIONAL] when present, do not create an Azure Service Principal, instead use the credentials in the environment variables '$ARM_CLIENT_ID' and '$ARM_CLIENT_SECRET'
- --help -h Print this message
-```
-
-For example, if I wanted to deploy into four subscriptions (one for each network) and provide my own name for created resources, I could do so like:
-
-```bash
-src/scripts/deploy.sh -s {my_mlz_configuration_subscription_id} \
- -u {my_hub_network_subscription_id} \
- -0 {my_identity_network_subscription_id} \
- -1 {my_operations_network_subscription_id} \
- -2 {my_shared_services_network_subscription_id} \
- -z {my_mlz_environment_name}
-```
-
-Need further customization? The rest of this documentation covers in detail how to customize this deployment to your needs.
-
-#### Using your own Service Principal
-
-Were you provided a subscription(s) and credentials to use, or do you already have an identity you want to use to deploy and manage Terraform with?
-
-By default, Mission LZ will attempt to create a Service Principal to deploy and manage Terraform on your behalf.
-
-> **NOTE:** If you are providing your own Service Principal, that Service Principal must have at minimum a 'Contributor' role.
-
-To use your own Service Principal credentials, first, set ARM_CLIENT_ID and ARM_CLIENT_SECRET environment variables:
-
-```bash
-export ARM_CLIENT_ID="{YOUR_SERVICE_PRINCIPAL_CLIENT_ID}"
-export ARM_CLIENT_SECRET="{YOUR_SERVICE_PRINCIPAL_CLIENT_SECRET}"
-```
-
-Then, specify the `--no-service-principal` flag when running `deploy.sh`:
-
-```bash
-deploy.sh --subscription-id "{YOUR_SUBSCRIPTION_ID}" --no-service-principal
-```
-
-If you use `--no-service-principal` without `ARM_CLIENT_ID` and `ARM_CLIENT_SECRET` set in your environment, you will recieve an error:
-
-```plaintext
-ERROR: When specifying --no-service-principal, these environment variables are mandatory: ARM_CLIENT_ID, ARM_CLIENT_SECRET
-INFO: You can set these environment variables with 'export ARM_CLIENT_ID="YOUR_CLIENT_ID"' and 'export ARM_CLIENT_SECRET="YOUR_CLIENT_SECRET"'
-```
-
-If you use `--no-service-principal` but the Service Principal you supply with `ARM_CLIENT_ID` does not have "Contributor" RBAC permissions for the subscriptions you wish to deploy into, you will receive an error:
-
-```plaintext:
-ERROR: service principal with client ID AAAAAAAA-BBBB-CCCC-DDDDDDDDDD does not have 'Contributor' or 'Owner' roles for subscription 00000000-1111-2222-333333333333!
-INFO: at minimum, the 'Contributor' role is required to manage resources via Terraform.
-INFO: to set this role for this subscription, a user with the 'Owner' role can try this command:
-INFO: az role assignment create --assignee-object-id EEEEEEEE-FFFF-GGGG-HHHHHHHHHH --role "Contributor" --scope "/subscriptions/00000000-1111-2222-333333333333"
-ERROR: please assign the 'Contributor' role to this subscription and try again.
-```
-
-## Setup Mission LZ Resources
-
-Deployment of MLZ happens through use of a single Service Principal whose credentials are stored in a central "config" Key Vault.
-
-MLZ uses this Service Principal and its credentials from the Key Vault to deploy the resources described in Terraform at `src/terraform` and stores Terraform state for each component into separate storage accounts.
-
-1. First, create the MLZ Configuration file `mlz.config` file using the `mlz.config.sample` as a template.
-
- The information in the `mlz.config` file, will be used by `create_required_resources.sh` to create and populate a `config.vars` file for each tier and saved inside the deployment folder for each tier (example: \src\core\tier-0\config.vars).
-
- For example:
-
- ```plaintext
- mlz_env_name="{MLZ_ENV_NAME}"
- mlz_config_location="{MLZ_CONFIG_LOCATION}"
- ```
-
- Would become:
-
- ```plaintext
- mlz_env_name="dev"
- mlz_config_location="eastus"
- ```
-
-1. Then, run `create_required_resources.sh` at [src/scripts/config/create_required_resources.sh](/src/scripts/config/create_required_resources.sh) to create:
-
- * A Service Principal to execute terraform commands
- * A config Resource Group to store the Key Vault
- * A config Key Vault to store the Service Principal's client ID and client secret
- * A terraform state Resource Groups for each tier
- * A terraform state Storage Account for each tier
- * A terraform state Storage Container for each tier
- * Backend config file (config.vars) for the deployment
-
- ```bash
- src/scripts/config/create_required_resources.sh src/mlz.config
- ```
-
-## Set Terraform Configuration Variables
-
-First, clone the *.tfvars.sample file ([src/terraform/mlz/mlz.tfvars.sample](/src/terraform/mlz/mlz.tfvars.sample)) and substitute placeholders marked by curly braces "{" and "}" with the values of your choosing.
-
-For example:
-
-```plaintext
-location="{MLZ_LOCATION}" # the templated value in src/terraform/mlz/mlz.tfvars.sample
-```
-
-Would become:
-
-```plaintext
-location="eastus" # the value used by Terraform in src/terraform/mlz/mlz.tfvars.sample
-```
-
-## Deploy Terraform Configuration
-
-You can use `apply_terraform.sh` at [src/scripts/terraform/apply_terraform.sh](/src/scripts/terraform/apply_terraform.sh) to both initialize Terraform and apply a Terraform configuration based on the backend environment variables and Terraform variables you've setup in previous steps.
-
-The script `destroy_terraform.sh` at [src/scripts/terraform/destroy_terraform.sh](/src/scripts/terraform/destroy_terraform.sh) is helpful during testing. This script is exactly like the
-`apply_terraform.sh` except it destroys resources defined in the target state file
-
-`apply_terraform.sh` and `destroy_terraform.sh` take two arguments:
-
- 1. The directory that contains the main.tf to apply
- 1. The path to the .tfvars variables file to apply
-
-For example, run the following command to apply the MLZ terraform configuration repository.
-
-```bash
- src/scripts/terraform/apply_terraform.sh \
- src/terraform/mlz \
- src/terraform/mlz.tfvars
-```
-Use `init_terraform.sh` at [src/scripts/terraform/init_terraform.sh](/src/scripts/terraform/init_terraform.sh) to perform just an initialization of the Terraform environment:
-
-```bash
-src/scripts/terraform/init_terraform.sh \
- src/terraform/mlz
-```
-
-## Clean up Mission LZ Resources
-
-After you've deployed your environments with Terraform, it is no longer mandatory to keep Mission LZ Resources like the Service Principal, Key Vault, nor the Terraform state files (though you can re-use these resources and stored Terraform state for updating the deployed environment incrementally using `terraform apply` or destroying them from terraform with `terraform destroy`).
-
-If you no longer have the need for a Service Principal with Contributor rights, the Key Vault that stores this Service Principal's credentials, nor the Terraform state, you can clean up these Mission LZ Resources with the [config_clean.sh](/src/scripts/config/config_clean.sh) script passing in the MLZ Configuration file you created earlier:
-
-```bash
-src/scripts/config/config_clean.sh src/mlz.config
-```
-
-## Terraform Providers
-
-The development container definition downloads the required Terraform plugin providers during the container build so that the container can be transported to an air-gapped network for use. The container also sets the `TF_PLUGIN_CACHE_DIR` environment variable, which Terraform uses as the search location for locally installed providers. If you are not using the container to deploy or if the `TF_PLUGIN_CACHE_DIR` environment variable is not set, Terraform will automatically attempt to download the provider from the internet when you execute the `terraform init` command.
-
-See the development container [README](/.devcontainer/README.md) for more details on building and running the container.
-
-## Helpful Links
-
-For more endpoint mappings between AzureCloud and AzureUsGovernment:
diff --git a/src/docs/workload-deployment.md b/src/docs/workload-deployment.md
deleted file mode 100644
index 5d737ce02..000000000
--- a/src/docs/workload-deployment.md
+++ /dev/null
@@ -1,92 +0,0 @@
-# Workload Deployment (Tier 3)
-
-Mission LZ supports deploying multiple workload tiers that are connected to the hub. We call these tier 3s, or T3s, for convenience. Each tier 3 is intended to support a single workload or single team that needs isolation from the other teams and network connectivity via the hub.
-
-## Command Line Step-by-step
-
-1. Log in using the Azure CLI
-
- ```BASH
- az login
- ```
-
-1. [Quickstart](#Quickstart)
-1. [Advanced Deployment](#Advanced-Deployment)
-
-### Quickstart
-
-#### Quickstart Deploy
-
-In tandem with the quickstart found in [QuickStart Deploying MLZ](command-line-deployment.md#Quickstart) you can quickly get up and running and deploy a single workload instance to your configuration.
-
-> NOTE: This should be run using the `--tier3-sub-id` flag and `--write-output` flag if you wish to specify the subscription ID for the tier 3. Be sure to use the "-w" flag to ensure that the output required for deployment is generated.
-
-After you have deployed the core MLZ resources, you can use this command (the generated-configuration item artifacts come from the base deployment and can be reused), substituting `{mlz_env_name}` with the appropriate value.
-
-```bash
-./deploy_t3.sh ../generated-configurations/{mlz_env_name}.mlzconfig ../generated-configurations/{mlz_env_name}.tfvars ../generated-configurations/output.tfvars.json y
-```
-
-> **CONSIDERATIONS** This script should not be run unless the instructions for setting up the core MLZ deployment have been followed. It will deploy a single workload with default configurations for testing/demonstration purposes.
-
-### Advanced Deployment
-
-A production usage of tier 3 workloads will require a more advanced setup than allowed through a quick start. In order to perform these deployments you will have to modify three configuration files, and use the deployment script with the resulting files.
-
-> **NOTE** These steps will need to be repeated for each workload tier you wish to add.
-
-
-> **NOTE** Like the other Mission LZ tiers, each tier 3 workload can be deployed into its own subscription or they can be deployed into a single subscription. For production deployments we recommend that each tier 3 is deployed into its own subscription to simplify managing security and access.
-
-
-1. First, modify the MLZ Configuration file `mlz.config` file using the `mlz.config.sample` as a template, this file should be a copy of the file used to deploy MLZ. You will need to modify the following to include the actual subscription number:
-
- ```plaintext
- mlz_tier3_subid="{MLZ_TIER3_SUBID}" # Optional if not currently deploying a tier 3
- ```
-
-2. You will need to source the global terraform configuration you used for your primarily deployment. This is typically located at [src/terraform/mlz/mlz.tfvars.sample](/src/terraform/mlz/mlz.tfvars.sample)), if you used quickstart you may find it in the src/generated-configurations directory. Make note of the location. To specify the changes to the custom Tier 3 you will be making, scroll to the tier 3 variables located in the file and change the values to what you need.
-
- > **NOTE** If you will be deploying multiple T3's the subnet network addresses and subscriptions will be the most important values that need your attention as they will conflict otherwise.
-
-3. The deployment of a Tier 3 relies on an already completed deployment of MLZ and a resulting output json file containing 3 variables:
-
- ```json
- {
- "firewall_private_ip": {
- "sensitive": false,
- "type": "string",
- "value": "{value}"
- },
- "laws_name": {
- "sensitive": false,
- "type": "string",
- "value": "{value}"
- },
- "laws_rgname": {
- "sensitive": false,
- "type": "string",
- "value": "{value}"
- }
- }
- ```
-
- ```plaintext
- Values:
- laws_name: The Log Analytic workspace name
- laws_rgname: The resource group you've deployed LAWS to.
- firewall_private_ip: The Ip address of the firewall that the tier 3 will be connecting to.
- ```
-
- You can manually provide these in an output.tfvars.json file if needed.
-
-4. Once you have collected all of these artifacts you can deploy your workload tier with. The folder names are examples, these files can be placed anywhere.
-
- ```bash
- src/scripts/deploy_t3.sh \
- src/mlz.config
- src/terraform/output.tfvars.json
- src/terraform/tier-3/tier-3.tfvars
- ```
-
-After completing these steps, the workload tier will be deployed and you can add whatever services you need to the tier.
diff --git a/src/mlz.config.sample b/src/mlz.config.sample
deleted file mode 100644
index 39f85d24c..000000000
--- a/src/mlz.config.sample
+++ /dev/null
@@ -1,18 +0,0 @@
-# Copyright (c) Microsoft Corporation.
-# Licensed under the MIT License.
-# You can generate one of these with generate_config_file.sh
-tf_environment="{TF_ENVIRONMENT}" # https://www.terraform.io/docs/language/settings/backends/azurerm.html#environment
-mlz_env_name="{MLZ_ENV_NAME}" # Unique name for MLZ environment
-mlz_config_subid="{MLZ_CONFIG_SUBID}" # Subscription ID for MissionLZ configuration resources
-mlz_config_location="{MLZ_CONFIG_LOCATION}" # Azure Region for deploying Mission LZ configuration resources
-mlz_tenantid="{MLZ_TENANTID}"
-mlz_tier0_subid="{MLZ_TIER0_SUBID}"
-mlz_tier1_subid="{MLZ_TIER1_SUBID}"
-mlz_tier2_subid="{MLZ_TIER2_SUBID}"
-mlz_tier3_subid="{MLZ_TIER3_SUBID}" # Optional if not currently deploying a tier 3
-mlz_saca_subid="{MLZ_SACA_SUBID}"
-mlz_metadatahost="{MLZ_METADATAHOST}" # e.g. https://management.azure.com/
-mlz_acrLoginServerEndpoint="{MLZ_ACRLOGINSERVERENDPOINT}" # e.g. .azurecr.io
-mlz_keyvaultDns="{MLZ_KEYVAULTDNS}" # e.g. .vault.azure.net
-mlz_cloudname="{MLZ_CLOUDNAME}" # e.g. AzureCloud
-mlz_activeDirectory="{MLZ_ACTIVEDIRECTORY}" # e.g. https://login.microsoftonline.com
diff --git a/src/scripts/clean.sh b/src/scripts/clean.sh
deleted file mode 100755
index a66663173..000000000
--- a/src/scripts/clean.sh
+++ /dev/null
@@ -1,147 +0,0 @@
-#!/bin/bash
-#
-# Copyright (c) Microsoft Corporation.
-# Licensed under the MIT License.
-#
-# shellcheck disable=1090,1091,2154
-#
-# remove resources deployed by deploy.sh by mlz env name
-
-set -e
-
-error_log() {
- echo "${1}" 1>&2;
-}
-
-show_help() {
- print_formatted() {
- long_name=$1
- char_name=$2
- desc=$3
- printf "%20s %2s %s \n" "$long_name" "$char_name" "$desc"
- }
- print_formatted "argument" "" "description"
- print_formatted "--mlz-env-name" "-z" "Unique name for MLZ environment"
- print_formatted "--help" "-h" "Print this message"
-}
-
-usage() {
- echo "clean.sh: remove resources deployed by deploy.sh by mlz env name"
- show_help
-}
-
-check_dependencies() {
- "${this_script_path}/util/checkforazcli.sh"
- "${this_script_path}/util/checkforterraform.sh"
-}
-
-inspect_user_input() {
- # check mandatory parameters
- # shellcheck disable=1083
- for i in { $mlz_env_name }
- do
- if [[ $i == "notset" ]]; then
- error_log "ERROR: Missing required arguments. These arguments are mandatory: -z"
- usage
- exit 1
- fi
- done
-}
-
-import_configuration() {
- . "${mlz_config_file_path}"
- . "${this_script_path}/config/generate_names.sh" "${mlz_config_file_path}"
-}
-
-login_azcli() {
- echo "INFO: setting current subscription to ${mlz_config_subid}..."
- az account set \
- --subscription "${mlz_config_subid}" \
- --only-show-errors \
- --output none
-}
-
-destroy_terraform() {
- echo "INFO: destroying Terraform using ${mlz_config_file_path} and ${tfvars_file_path}..."
- "${this_script_path}/../build/destroy_tf.sh" \
- "${mlz_config_file_path}" \
- "${tfvars_file_path}" \
- "y"
-}
-
-notify_failed_to_destroy_terraform() {
- error_log "ERROR: failed to destroy Terraform deployment..."
- echo "INFO: continuing to destroy MLZ Configuration resources..."
-}
-
-destroy_mlz() {
- echo "INFO: cleaning up MLZ Configuration resources with tag 'DeploymentName=${mlz_env_name}'..."
-
- # clean up MLZ config resources
- . "${this_script_path}/config/config_clean.sh" "${mlz_config_file_path}"
-
- delete_files_in_directory_by_name() {
- directory_to_search=$1
- file_name_to_match=$2
-
- matches=$(find "$directory_to_search" -type f -name "$file_name_to_match")
-
- for match in $matches
- do
- echo "INFO: deleting $match ..."
- rm -f "$match"
- done
- }
-
- # clean up files
- delete_files_in_directory_by_name "${src_path}" "${tfvars_file_name}"
- echo "INFO: deleting ${configuration_output_path}/${mlz_env_name}.mlzconfig ..."
- rm -rf "${configuration_output_path}/${mlz_env_name}.mlzconfig"
- echo "INFO: deleting ${tf_mlz_main_path}/config.vars ..."
- rm -rf "${tf_mlz_main_path}/config.vars"
- echo "INFO: deleting terraform.lock file and .terraform folder ..."
- rm -rf "${tf_mlz_main_path}/.terraform.lock.hcl"
- rm -rf "${tf_mlz_main_path}/.terraform"
-}
-
-##########
-# main
-##########
-
-this_script_path=$(realpath "${BASH_SOURCE%/*}")
-src_path="$(realpath "${this_script_path}/../")"
-configuration_output_path=$(realpath "${this_script_path}/../generated-configurations")
-
-mlz_env_name="notset"
-
-while [ $# -gt 0 ] ; do
- case $1 in
- -z | --mlz-env-name)
- shift
- mlz_env_name="$1" ;;
- -h | --help)
- show_help
- exit 0 ;;
- *)
- error_log "ERROR: Unexpected argument: ${1}"
- usage && exit 1 ;;
- esac
- shift
-done
-
-# validate requirements
-inspect_user_input
-check_dependencies
-
-# set paths
-mlz_config_file_path="${configuration_output_path}/${mlz_env_name}.mlzconfig"
-tfvars_file_name="${mlz_env_name}.tfvars"
-tfvars_file_path="${configuration_output_path}/${tfvars_file_name}"
-tf_mlz_main_path=$(realpath "${configuration_output_path}/../terraform/mlz")
-
-# teardown resources
-# if terraform destroy fails, notify and continue to destroy mlz
-import_configuration
-login_azcli
-destroy_terraform || notify_failed_to_destroy_terraform
-destroy_mlz
diff --git a/src/scripts/config/append_prereq_endpoints.sh b/src/scripts/config/append_prereq_endpoints.sh
deleted file mode 100755
index 7a5dd062a..000000000
--- a/src/scripts/config/append_prereq_endpoints.sh
+++ /dev/null
@@ -1,86 +0,0 @@
-#!/bin/bash
-#
-# Copyright (c) Microsoft Corporation.
-# Licensed under the MIT License.
-#
-# append pre-req endpoints to an MLZ config file
-
-set -e
-
-error_log() {
- echo "${1}" 1>&2;
-}
-
-usage() {
- echo "append_prereq_endpoints.sh: append pre-req endpoints to an MLZ config file"
- error_log "usage: append_prereq_endpoints.sh "
-}
-
-if [[ "$#" -lt 1 ]]; then
- usage
- exit 1
-fi
-
-file_to_append=$1
-
-# create a dictionary of mlz_* values we want from an `az cloud show` result
-declare -A mlz_az_cloud_keys
-mlz_az_cloud_keys['mlz_metadatahost']='endpoints.resourceManager'
-mlz_az_cloud_keys['mlz_acrLoginServerEndpoint']='suffixes.acrLoginServerEndpoint'
-mlz_az_cloud_keys['mlz_keyvaultDns']='suffixes.keyvaultDns'
-mlz_az_cloud_keys['mlz_cloudname']='name'
-mlz_az_cloud_keys['mlz_activeDirectory']='endpoints.activeDirectory'
-
-# if it's the metadatahost, strip it of URI components
-# in some clouds, Terraform allows only the domain name
-format_if_metadatahost() {
- local mlz_key_name=$1
- local cloud_key_value=$2
-
- if [[ $mlz_key_name != "mlz_metadatahost" ]]; then
- echo "$cloud_key_value"
- else
-
- # 1) awk -F/ '{print $3}'
- #
- # -F/ is "using the character / as a field separator"
- #
- # '{print $3}' is "print me the third field"
- #
- # 2) for example on https://management.azure.com/
- #
- # $1 $2 $3 $4
- # https: / / management.azure.com /
- #
- # $1 is https:
- # $2 is
- # $3 is management.azure.com
- # $4 is
-
- echo "$cloud_key_value" | awk -F/ '{print $3}'
- fi
-}
-
-# since we cannot guarantee the results of `az cloud show` for each value we require,
-# query for values individually and skip printing any empty results
-append_cloud_value() {
- local mlz_key_name=$1
- local cloud_key_name=$2
- local file=$3
-
- local cloud_key_value
- cloud_key_value=$(az cloud show --query "${cloud_key_name}" --output tsv)
-
- if [[ $cloud_key_value ]]; then
- cloud_key_value=$(format_if_metadatahost "$mlz_key_name" "$cloud_key_value")
- printf "%s=%s\n" "${mlz_key_name}" "${cloud_key_value}" >> "${file}"
- else
- echo "INFO: Oops! Did not find a value for 'az cloud show --query ${cloud_key_name}'..."
- echo "INFO: There will not be a value for ${mlz_key_name} on the MLZ config file at ${file}..."
- fi
-}
-
-# for each member of the dictionary, write "key=$(az cloud show...)" to a file
-for mlz_key_name in "${!mlz_az_cloud_keys[@]}"; do
- append_cloud_value "$mlz_key_name" "${mlz_az_cloud_keys[$mlz_key_name]}" "${file_to_append}"
-done
diff --git a/src/scripts/config/config_clean.sh b/src/scripts/config/config_clean.sh
deleted file mode 100755
index c598be2d6..000000000
--- a/src/scripts/config/config_clean.sh
+++ /dev/null
@@ -1,87 +0,0 @@
-#!/bin/bash
-#
-# Copyright (c) Microsoft Corporation.
-# Licensed under the MIT License.
-#
-# shellcheck disable=1090,2154
-#
-# remove mlz configuration resources from an mlz configuration file
-
-set -e
-
-error_log() {
- echo "${1}" 1>&2;
-}
-
-usage() {
- echo "config_clean.sh: remove mlz configuration resources from an mlz configuration file"
- error_log "usage: config_clean.sh "
-}
-
-if [[ "$#" -lt 1 ]]; then
- usage
- exit 1
-fi
-
-mlz_config_file=$(realpath "${1}")
-this_script_path=$(realpath "${BASH_SOURCE%/*}")
-
-# check for dependencies
-"${this_script_path}/../util/checkforazcli.sh"
-"${this_script_path}/../util/checkforterraform.sh"
-"${this_script_path}/../util/checkforfile.sh" \
- "${mlz_config_file}" \
- "The configuration file ${mlz_config_file} is empty or does not exist."
-
-# generate names from config
-. "${mlz_config_file}"
-. "${this_script_path}/generate_names.sh" "${mlz_config_file}"
-
-# Create array of unique subscription IDs. The 'sed' command below search thru the source
-# variables file looking for all lines that do not have a '#' in the line. If a line with
-# a '#' is found, the '#' and ever character after it in the line is ignored. The output
-# of what remains from the sed command is then piped to grep to find the words that match
-# the pattern. These words are what make up the 'mlz_subs' array.
-mlz_sub_pattern="mlz_.*._subid"
-mlz_subs=$(< "${mlz_config_file}" sed 's:#.*$::g' | grep -w "${mlz_sub_pattern}")
-subs=()
-
-for mlz_sub in $mlz_subs
-do
- mlz_sub_id=$(echo "${mlz_sub#*=}" | tr -d '"')
- if [[ ! "${subs[*]}" =~ ${mlz_sub_id} ]];then
- subs+=("${mlz_sub_id}")
- fi
-done
-
-# delete resource groups where deploymentname is mlz_env_name in each subscription
-for sub in "${subs[@]}";
-do
- rgs_to_delete=$(az group list --subscription "${sub}" --tag "DeploymentName=${mlz_config_tag}" --query [].name -o tsv)
- for rg in $rgs_to_delete;
- do
- echo "INFO: deleting ${rg}..."
-
- az group delete \
- --subscription "${sub}" \
- --name "${rg}" \
- --yes \
- --only-show-errors \
- --output none
- done
-done
-
-echo "INFO: querying for any created service principal with name ${mlz_sp_name}..."
-sp_id=$(az ad sp list --display-name "http://${mlz_sp_name}" --query [0].appId --output tsv)
-
-if [[ $sp_id ]]; then
- echo "INFO: deleting service principal ${mlz_sp_name}..."
- az ad sp delete --id "${sp_id}"
-fi
-
-echo "INFO: purging key vault ${mlz_kv_name}..."
-az keyvault purge \
- --name "${mlz_kv_name}" \
- --subscription "${mlz_config_subid}"
-
-echo "INFO: Complete! MLZ Configuration resources for ${mlz_env_name} deleted!"
\ No newline at end of file
diff --git a/src/scripts/config/config_validate.sh b/src/scripts/config/config_validate.sh
deleted file mode 100755
index 3c32f60de..000000000
--- a/src/scripts/config/config_validate.sh
+++ /dev/null
@@ -1,58 +0,0 @@
-#!/bin/bash
-#
-# Copyright (c) Microsoft Corporation.
-# Licensed under the MIT License.
-#
-# shellcheck disable=SC1090,SC1091,SC2154
-# SC1090: Can't follow non-constant source. Use a directive to specify location.
-# SC1091: Not following. Shellcheck can't follow non-constant source.
-# SC2154: "var is referenced but not assigned". These values come from an external file.
-#
-# Validates the existence of resources required to run Terraform init and apply scripts
-
-set -e
-
-error_log() {
- echo "${1}" 1>&2;
-}
-
-usage() {
- echo "config_validate.sh : Validates the existence of resources required to run Terraform init and apply scripts"
- error_log "usage: config_validate.sh "
-}
-
-if [[ "$#" -lt 1 ]]; then
- usage
- exit 1
-fi
-
-tf_dir=$(realpath "${1}")
-config_vars="${tf_dir}/config.vars"
-
-# Validate resources
-if [[ -s "${config_vars}" ]]; then
- source "${tf_dir}/config.vars"
-else
- echo "The variable file ${config_vars} is either empty or does not exist. Please verify file and re-run script"
- exit 1
-fi
-
-# Validate Terraform Backend resource group
-rg_exists="az group show \
- --name ${tf_rg_name} \
- --subscription ${mlz_config_subid}"
-
-if ! $rg_exists &> /dev/null; then
- echo "Terraform State Resource Group '${tf_rg_name}' does not exist...validate config.vars file and re-run script"
- exit 1
-fi
-
-# Validate config key vault
-kv_exists="az keyvault show \
- --name ${mlz_kv_name} \
- --subscription ${mlz_config_subid}"
-
-if ! $kv_exists &> /dev/null; then
- echo "Key Vault to source client_id for deployment '${mlz_kv_name}' does not exist...validate config.vars file and re-run script"
- exit 1
-fi
diff --git a/src/scripts/config/create_mlz_config_resources.sh b/src/scripts/config/create_mlz_config_resources.sh
deleted file mode 100755
index 67d731c47..000000000
--- a/src/scripts/config/create_mlz_config_resources.sh
+++ /dev/null
@@ -1,255 +0,0 @@
-#!/bin/bash
-#
-# Copyright (c) Microsoft Corporation.
-# Licensed under the MIT License.
-#
-# shellcheck disable=SC1090,SC1091,SC2154,SC2207
-# SC1090: Can't follow non-constant source. Use a directive to specify location.
-# SC2154: "var is referenced but not assigned". These values come from an external file.
-#
-# Create MLZ backend config resources
-
-set -e
-
-error_log() {
- echo "${1}" 1>&2;
-}
-
-usage() {
- echo "create_mlz_config_resources.sh: Create MLZ config resources"
- error_log "usage: create_mlz_config_resources.sh "
-}
-
-if [[ "$#" -lt 1 ]]; then
- usage
- exit 1
-fi
-
-mlz_config=$(realpath "${1}")
-create_service_principal=${2:-true}
-
-this_script_path=$(realpath "${BASH_SOURCE%/*}")
-
-# Source variables
-. "${mlz_config}"
-
-# Create array of unique subscription IDs. The 'sed' command below search thru the source
-# variables file looking for all lines that do not have a '#' in the line. If a line with
-# a '#' is found, the '#' and ever character after it in the line is ignored. The output
-# of what remains from the sed command is then piped to grep to find the words that match
-# the pattern. These words are what make up the 'mlz_subs' array.
-mlz_sub_pattern="mlz_.*._subid"
-mlz_subs=$(< "${mlz_config}" sed 's:#.*$::g' | grep -w "${mlz_sub_pattern}")
-subs=()
-
-# generate MLZ configuration names
-. "${BASH_SOURCE%/*}/generate_names.sh" "${mlz_config}"
-
-echo "INFO: creating MLZ resources for ${mlz_env_name}..."
-
-for mlz_sub in $mlz_subs
-do
- # Grab value of variable
- mlz_sub_id=$(echo "${mlz_sub#*=}" | tr -d '"')
- if [[ ! "${subs[*]}" =~ ${mlz_sub_id} ]];then
- subs+=("${mlz_sub_id}")
- fi
-done
-
-# accomodate for transient behavior where Service Principal is created
-# but an immediate query for it will fail
-# and attempt for max_wait_in_seconds before giving up.
-wait_for_sp_creation() {
- sp_name=$1
- sp_query="az ad sp show --id ${sp_name}"
-
- sleep_time_in_seconds=10
- max_wait_in_seconds=180
- max_retries=$((max_wait_in_seconds/sleep_time_in_seconds))
-
- count=1
-
- while ! $sp_query &> /dev/null
- do
- echo "INFO: waiting for service principal ${sp_name} to come back from query '${sp_query}' (${count}/${max_retries})..."
- echo "INFO: trying again in ${sleep_time_in_seconds} seconds..."
- sleep "${sleep_time_in_seconds}"
-
- if [[ ${count} -eq max_retries ]]; then
- error_log "ERROR: unable to retrieve the service principal ${sp_name} from query '${sp_query}' in ${max_wait_in_seconds} seconds. Investigate and re-run script."
- exit 1
- fi
-
- count=$((count +1))
- done
-}
-
-# accomodate for transient behavior where Service Principal is created
-# but an immediate query for its properties will fail
-# and attempt for max_wait_in_seconds before giving up.
-wait_for_sp_property() {
- sp_name=$1
- sp_property=$2
-
- args=(--filter "\"appId eq '$sp_name'\"" --query "[0].$sp_property" --output tsv)
- query="az ad sp list ${args[*]}"
-
- sleep_time_in_seconds=10
- max_wait_in_seconds=180
- max_retries=$((max_wait_in_seconds/sleep_time_in_seconds))
-
- count=1
-
- while [[ -z $(eval "$query") ]]
- do
- echo "INFO: waiting for query \"${query}\" to return results (${count}/${max_retries})"
- echo "INFO: trying again in ${sleep_time_in_seconds} seconds..."
- sleep "${sleep_time_in_seconds}"
-
- if [[ ${count} -eq max_retries ]]; then
- error_log "ERROR: unable to get results from query \"${query}\" in ${max_wait_in_seconds} seconds. Investigate and re-run script."
- exit 1
- fi
-
- count=$((count +1))
- done
-}
-
-check_for_arm_credential() {
- util_path=$(realpath "${this_script_path}/../util")
- "${util_path}/checkforarmcredential.sh" "ERROR: When using a user-provided service principal, these environment variables are mandatory: ARM_CLIENT_ID, ARM_CLIENT_SECRET"
-}
-
-validate_minimum_role_for_sp() {
- "${this_script_path}/validate_minimum_role_for_sp.sh" "${mlz_config}" "${ARM_CLIENT_ID}"
-}
-
-# Create Service Principal
-if [[ "${create_service_principal}" == false ]];
-then
- check_for_arm_credential
- validate_minimum_role_for_sp
-
- echo "INFO: using user-supplied service principal with client ID ${ARM_CLIENT_ID}..."
-
- sp_client_id="${ARM_CLIENT_ID}"
- sp_client_secret="${ARM_CLIENT_SECRET}"
- sp_object_id=$(az ad sp list \
- --filter "appId eq '${ARM_CLIENT_ID}'" \
- --query "[].objectId" \
- --output tsv)
-else
- echo "INFO: verifying service principal ${mlz_sp_name} is unique..."
- if [[ -z $(az ad sp list \
- --filter "displayName eq 'http://${mlz_sp_name}'" \
- --query "[].displayName" \
- --output tsv) ]];
- then
- echo "INFO: creating service principal ${mlz_sp_name}..."
- sp_creds=($(az ad sp create-for-rbac \
- --name "http://${mlz_sp_name}" \
- --skip-assignment true \
- --query "[password, appId]" \
- --only-show-errors \
- --output tsv))
-
- sp_client_secret=${sp_creds[0]}
- sp_client_id=${sp_creds[1]}
-
- wait_for_sp_creation "${sp_client_id}"
- wait_for_sp_property "${sp_client_id}" "objectId"
-
- odata_filter_args=(--filter "\"appId eq '$sp_client_id'\"" --query "[0].objectId" --output tsv)
- object_id_query="az ad sp list ${odata_filter_args[*]}"
-
- sp_object_id=$(eval "$object_id_query")
-
- # Assign Contributor Role to Subscriptions
- for sub in "${subs[@]}"
- do
- echo "INFO: setting Contributor and Policy Contributor role assignments for ${sp_client_id} on subscription ${sub}..."
- az role assignment create \
- --role Contributor \
- --assignee-object-id "${sp_object_id}" \
- --scope "/subscriptions/${sub}" \
- --assignee-principal-type ServicePrincipal \
- --output none
- az role assignment create \
- --role 'Resource Policy Contributor' \
- --assignee-object-id "${sp_object_id}" \
- --scope "/subscriptions/${sub}" \
- --assignee-principal-type ServicePrincipal \
- --output none
- done
- else
- error_log "ERROR: A service principal named ${mlz_sp_name} already exists. This must be a unique service principal for your use only. Try again with a new mlz-env-name. Exiting script."
- exit 1
- fi
-fi
-
-# Validate or create Terraform Config resource group
-rg_exists="az group show \
- --name ${mlz_rg_name} \
- --subscription ${mlz_config_subid}"
-
-echo "INFO: sourcing resource group ${mlz_rg_name} for MLZ resources..."
-if ! $rg_exists &> /dev/null; then
- echo "INFO: creating resource group ${mlz_rg_name} for MLZ resources..."
- az group create \
- --subscription "${mlz_config_subid}" \
- --location "${mlz_config_location}" \
- --name "${mlz_rg_name}" \
- --tags "DeploymentName=${mlz_config_tag}" \
- --output none
-fi
-
-# Create Key Vault
-kv_exists="az keyvault show \
- --name ${mlz_kv_name} \
- --subscription ${mlz_config_subid}"
-
-echo "INFO: sourcing keyvault ${mlz_kv_name} for MLZ resources..."
-if ! $kv_exists &> /dev/null; then
- echo "INFO: creating keyvault ${mlz_kv_name} for MLZ resources..."
- az keyvault create \
- --name "${mlz_kv_name}" \
- --subscription "${mlz_config_subid}" \
- --resource-group "${mlz_rg_name}" \
- --location "${mlz_config_location}" \
- --output none
-fi
-
-# Create Key Vault Access Policy for Service Principal
-echo "INFO: setting access policy on ${mlz_kv_name} for service principal ${mlz_sp_name}..."
-az keyvault set-policy \
- --name "${mlz_kv_name}" \
- --subscription "${mlz_config_subid}" \
- --resource-group "${mlz_rg_name}" \
- --object-id "${sp_object_id}" \
- --secret-permissions get list set \
- --output none
-
-# Set Key Vault Secrets
-echo "INFO: setting secrets in ${mlz_kv_name} for service principal ${mlz_sp_name}..."
-az keyvault secret set \
- --name "${mlz_kv_sp_client_secret}" \
- --subscription "${mlz_config_subid}" \
- --vault-name "${mlz_kv_name}" \
- --value "${sp_client_secret}" \
- --output none
-
-az keyvault secret set \
- --name "${mlz_kv_sp_client_id}" \
- --subscription "${mlz_config_subid}" \
- --vault-name "${mlz_kv_name}" \
- --value "${sp_client_id}" \
- --output none
-
-az keyvault secret set \
- --name "${mlz_kv_sp_object_id}" \
- --subscription "${mlz_config_subid}" \
- --vault-name "${mlz_kv_name}" \
- --value "${sp_object_id}" \
- --output none
-
-echo "INFO: MLZ resources for ${mlz_env_name} created!"
diff --git a/src/scripts/config/create_required_resources.sh b/src/scripts/config/create_required_resources.sh
deleted file mode 100755
index f469309a9..000000000
--- a/src/scripts/config/create_required_resources.sh
+++ /dev/null
@@ -1,48 +0,0 @@
-#!/bin/bash
-#
-# Copyright (c) Microsoft Corporation.
-# Licensed under the MIT License.
-#
-# shellcheck disable=SC1090,SC1091,SC2154
-# SC1090: Can't follow non-constant source. Use a directive to specify location.
-# SC1091: Not following. Shellcheck can't follow non-constant source.
-# SC2154: Referenced but not assigned. These arguments come sourced from other scripts.
-#
-# A script to configure a resource group that contains Terraform state and a secret store.
-
-set -e
-
-error_log() {
- echo "${1}" 1>&2;
-}
-
-usage() {
- echo "create_required_resources.sh: configure a resource group that contains Terraform state and a secret store"
- error_log "usage: create_required_resources.sh "
-}
-
-if [[ "$#" -lt 1 ]]; then
- usage
- exit 1
-fi
-
-mlz_config=$(realpath "${1}")
-create_service_principal=${2:-true}
-
-this_script_path=$(realpath "${BASH_SOURCE%/*}")
-
-mlz_path="$(realpath "${this_script_path}/../../terraform/mlz")"
-
-# check for dependencies
-. "${this_script_path}/../util/checkforazcli.sh"
-
-# source variables
-. "${mlz_config}"
-
-# create MLZ configuration resources
-. "${this_script_path}/create_mlz_config_resources.sh" \
- "${mlz_config}" \
- "${create_service_principal}"
-
-# create terraform resources given a subscription ID and terraform configuration folder
-. "${this_script_path}/create_terraform_backend_resources.sh" "${mlz_config}" "${mlz_config_subid}" "${mlz_path}"
diff --git a/src/scripts/config/create_terraform_backend_resources.sh b/src/scripts/config/create_terraform_backend_resources.sh
deleted file mode 100755
index 42b102b95..000000000
--- a/src/scripts/config/create_terraform_backend_resources.sh
+++ /dev/null
@@ -1,99 +0,0 @@
-#!/bin/bash
-#
-# Copyright (c) Microsoft Corporation.
-# Licensed under the MIT License.
-#
-# shellcheck disable=SC1090,SC1091,SC2154
-# SC1090: Can't follow non-constant source. Use a directive to specify location.
-# SC2154: "var is referenced but not assigned". These values come from an external file.
-#
-# Create Terraform module backend config resources
-
-set -e
-
-error_log() {
- echo "${1}" 1>&2;
-}
-
-usage() {
- echo "create_terraform_backend_resources.sh: Create Terraform module config resources"
- error_log "usage: create_terraform_backend_resources.sh "
-}
-
-if [[ "$#" -lt 3 ]]; then
- usage
- exit 1
-fi
-
-mlz_config=$(realpath "${1}")
-tf_sub_id=$2
-tf_dir=$(realpath "${3}")
-
-# source MLZ config vars
-. "${mlz_config}"
-
-# derive TF names from the terraform directory
-tf_name=$(basename "${tf_dir}")
-
-# generate names
-. "${BASH_SOURCE%/*}/generate_names.sh" "${mlz_config}" "${tf_name}"
-
-echo "INFO: creating resources for ${tf_name} Terraform state..."
-
-# create TF Resource Group and Storage Account for Terraform State files
-echo "INFO: sourcing resource group ${tf_rg_name} for Terraform state..."
-rg_exists="az group show \
- --name ${tf_rg_name} \
- --subscription ${tf_sub_id}"
-
-if ! $rg_exists &> /dev/null; then
- echo "INFO: creating resource group ${tf_rg_name}..."
- az group create \
- --subscription "${tf_sub_id}" \
- --location "${mlz_config_location}" \
- --name "${tf_rg_name}" \
- --tags "DeploymentName=${mlz_config_tag}" \
- --output none
- echo "INFO: resource group ${tf_rg_name} created!"
-fi
-
-echo "INFO: sourcing storage account ${tf_sa_name} for Terraform state..."
-sa_exists="az storage account show \
- --name ${tf_sa_name} \
- --subscription ${tf_sub_id}"
-
-if ! $sa_exists &> /dev/null; then
- echo "INFO: creating storage account ${tf_sa_name}..."
- az storage account create \
- --name "${tf_sa_name}" \
- --subscription "${tf_sub_id}" \
- --resource-group "${tf_rg_name}" \
- --location "${mlz_config_location}" \
- --sku Standard_LRS \
- --output none
-
- sa_key=$(az storage account keys list \
- --account-name "${tf_sa_name}" \
- --subscription "${tf_sub_id}" \
- --resource-group "${tf_rg_name}" \
- --query "[?keyName=='key1'].value" \
- --output tsv)
-
- echo "INFO: creating container ${container_name} in storage account ${tf_sa_name}..."
- az storage container create \
- --name "${container_name}" \
- --subscription "${tf_sub_id}" \
- --resource-group "${tf_rg_name}" \
- --account-name "${tf_sa_name}" \
- --account-key "${sa_key}" \
- --output none
- echo "INFO: storage account ${tf_sa_name} and container ${container_name} created!"
-fi
-
-# generate a config.vars file
-. "${BASH_SOURCE%/*}/generate_vars.sh" \
- "${mlz_config}" \
- "${tf_sub_id}" \
- "${tf_dir}"
-
-echo "INFO: Terraform state resources for ${tf_name} created!"
diff --git a/src/scripts/config/generate_config_file.sh b/src/scripts/config/generate_config_file.sh
deleted file mode 100755
index 23f82958c..000000000
--- a/src/scripts/config/generate_config_file.sh
+++ /dev/null
@@ -1,140 +0,0 @@
-#!/bin/bash
-#
-# Copyright (c) Microsoft Corporation.
-# Licensed under the MIT License.
-#
-# shellcheck disable=1083,1090,2154
-#
-# Generate a configuration file for MLZ prerequisites and optional SACA and T0-T2 subscriptions.
-
-set -e
-
-error_log() {
- echo "${1}" 1>&2;
-}
-
-show_help() {
- print_formatted() {
- long_name=$1
- char_name=$2
- desc=$3
- printf "%15s %2s %s \n" "$long_name" "$char_name" "$desc"
- }
- print_formatted "argument" "" "description"
- print_formatted "--file" "-f" "the destination file path and name (e.g. 'src/mlz.config')"
- print_formatted "--tf-env" "-e" "Terraform azurerm environment (e.g. 'public') see: https://www.terraform.io/docs/language/settings/backends/azurerm.html#environment"
- print_formatted "--mlz-env-name" "-z" "Unique name for MLZ environment"
- print_formatted "--location" "-l" "The location that you're deploying to (e.g. 'eastus')"
- print_formatted "--config-sub-id" "-s" "Subscription ID for MissionLZ configuration resources"
- print_formatted "--tenant-id" "-t" "Tenant ID where your subscriptions live"
- print_formatted "--hub-sub-id" "-u" "[OPTIONAL]: subscription ID for the hub network and resources"
- print_formatted "--tier0-sub-id" "-0" "[OPTIONAL]: subscription ID for tier 0 network and resources"
- print_formatted "--tier1-sub-id" "-1" "[OPTIONAL]: subscription ID for tier 1 network and resources"
- print_formatted "--tier2-sub-id" "-2" "[OPTIONAL]: subscription ID for tier 2 network and resources"
- print_formatted "--tier3-sub-id" "-3" "[OPTIONAL]: subscription ID for tier 3 network and resources"
- print_formatted "--help" "-h" "Print this message"
-}
-
-usage() {
- echo "generate_config_file.sh: Generate a configuration file for MLZ prerequisites and optional SACA and T0-T2 subscriptions"
- show_help
-}
-
-# stage required parameters as not set
-dest_file="notset"
-tf_environment="notset"
-mlz_env_name="notset"
-mlz_config_location="notset"
-mlz_config_subid="notset"
-mlz_tenant_id="notset"
-
-# inspect arguments
-while [ $# -gt 0 ] ; do
- case $1 in
- -f | --file)
- shift
- dest_file="$1" ;;
- -e | --tf-env)
- shift
- tf_environment="$1" ;;
- -z | --mlz-env-name)
- shift
- mlz_env_name="$1" ;;
- -l | --location)
- shift
- mlz_config_location="$1" ;;
- -s | --config-sub-id)
- shift
- mlz_config_subid="$1" ;;
- -t | --tenant-id)
- shift
- mlz_tenant_id="$1" ;;
- -u | --hub-sub-id)
- shift
- mlz_saca_subid="$1" ;;
- -0 | --tier0-sub-id)
- shift
- mlz_tier0_subid="$1" ;;
- -1 | --tier1-sub-id)
- shift
- mlz_tier1_subid="$1" ;;
- -2 | --tier2-sub-id)
- shift
- mlz_tier2_subid="$1" ;;
- -3 | --tier3-sub-id)
- shift
- mlz_tier3_subid="$1" ;;
- -h | --help)
- show_help
- exit 0 ;;
- *)
- error_log "ERROR: Unexpected argument: ${1}"
- usage && exit 1 ;;
- esac
- shift
-done
-
-# check mandatory parameters
-for i in { $dest_file $tf_environment $mlz_env_name $mlz_config_location $mlz_config_subid $mlz_tenant_id }
-do
- if [[ $i == "notset" ]]; then
- error_log "ERROR: Missing required arguments. These arguments are mandatory: -f, -e, -z, -l, -s, -t"
- usage
- exit 1
- fi
-done
-
-# write the file to the desired path
-rm -f "$dest_file"
-dest_file_dir=$(dirname "${dest_file}")
-mkdir -p "${dest_file_dir}"
-touch "$dest_file"
-{
- echo "tf_environment=${tf_environment}"
- echo "mlz_env_name=${mlz_env_name}"
- echo "mlz_config_location=${mlz_config_location}"
- echo "mlz_config_subid=${mlz_config_subid}"
- echo "mlz_tenantid=${mlz_tenant_id}"
-} >> "$dest_file"
-
-# for any optional parameters, check if they're set before appending them to the file
-append_optional_args() {
- key_name=$1
- key_value=$2
- default_value=$3
- file_to_append=$4
- if [[ $key_value ]]; then
- printf "%s=%s\n" "${key_name}" "${key_value}" >> "${file_to_append}"
- else
- printf "%s=%s\n" "${key_name}" "${default_value}" >> "${file_to_append}"
- fi
-}
-append_optional_args "mlz_saca_subid" "${mlz_saca_subid}" "${mlz_config_subid}" "${dest_file}"
-append_optional_args "mlz_tier0_subid" "${mlz_tier0_subid}" "${mlz_config_subid}" "${dest_file}"
-append_optional_args "mlz_tier1_subid" "${mlz_tier1_subid}" "${mlz_config_subid}" "${dest_file}"
-append_optional_args "mlz_tier2_subid" "${mlz_tier2_subid}" "${mlz_config_subid}" "${dest_file}"
-append_optional_args "mlz_tier3_subid" "${mlz_tier3_subid}" "${mlz_config_subid}" "${dest_file}"
-
-# append cloud specific endpoints
-this_script_path=$(realpath "${BASH_SOURCE%/*}")
-. "${this_script_path}/append_prereq_endpoints.sh" "${dest_file}"
diff --git a/src/scripts/config/generate_names.sh b/src/scripts/config/generate_names.sh
deleted file mode 100755
index b03fd6078..000000000
--- a/src/scripts/config/generate_names.sh
+++ /dev/null
@@ -1,81 +0,0 @@
-#!/bin/bash
-#
-# Copyright (c) Microsoft Corporation.
-# Licensed under the MIT License.
-#
-# shellcheck disable=SC1090,SC1091,SC2002,SC2154
-#
-# Generate MLZ resource names
-# rules from: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/resource-name-rules
-
-set -e
-
-error_log() {
- echo "${1}" 1>&2;
-}
-
-usage() {
- echo "generate_names.sh: Generate MLZ resource names"
- error_log "usage: generate_names.sh "
-}
-
-if [[ "$#" -lt 1 ]]; then
- usage
- exit 1
-fi
-
-create_resource_group_names() {
- export mlz_config_tag="${mlz_prefix}-${env_name_alphanumeric}-config"
- export mlz_rg_name="${mlz_config_tag:0:63}"
-}
-
-create_service_principal_name(){
- local mlz_sp_name_full="${mlz_prefix}-${env_name_alphanumeric}-terraform-sp"
- export mlz_sp_name="${mlz_sp_name_full:0:120}"
-}
-
-create_keyvault_names(){
- local mlz_kv_name_full="${mlz_prefix}${env_name_alphanumeric}kv${randomish_identifier}"
- export mlz_kv_name="${mlz_kv_name_full:0:24}"
-
- export mlz_kv_sp_client_id="serviceprincipal-clientid"
- export mlz_kv_sp_client_secret="serviceprincipal-pwd"
- export mlz_kv_sp_object_id="serviceprincipal-objectid"
- export mlz_login_app_kv_name="login-app-clientid"
- export mlz_login_app_kv_password="login-app-pwd"
-}
-
-create_terraform_backend_names() {
- if [[ $tf_name_raw != "notset" ]]; then
- tf_name=$(echo "${tf_name_raw}" | tr -cd '[:alnum:]')
-
- local tfstate_resource_group_name="${mlz_prefix}-${env_name_alphanumeric}-tfstate-${tf_name}"
- export tf_rg_name="${tfstate_resource_group_name:0:63}"
-
- local tfstate_storage_account_name="tfsa${tf_name}${env_name_alphanumeric}${randomish_identifier}"
- valid_tfstate_storage_account_name=$(echo "${tfstate_storage_account_name:0:24}" | tr '[:upper:]' '[:lower:]')
- export tf_sa_name=${valid_tfstate_storage_account_name}
-
- export container_name="tfstate"
- fi
-}
-
-##########
-# main
-##########
-
-mlz_config=$(realpath "${1}")
-tf_name_raw=${2:-notset}
-
-# source variables from MLZ config
-. "${mlz_config}"
-
-mlz_prefix="mlz"
-
-env_name_alphanumeric=$(echo "${mlz_env_name}" | tr -cd '[:alnum:]')
-randomish_identifier=${mlz_config_subid:0:8} # take the first octet in the subscription ID
-
-create_resource_group_names
-create_service_principal_name
-create_keyvault_names
-create_terraform_backend_names
diff --git a/src/scripts/config/generate_vars.sh b/src/scripts/config/generate_vars.sh
deleted file mode 100755
index 2d259bfc6..000000000
--- a/src/scripts/config/generate_vars.sh
+++ /dev/null
@@ -1,58 +0,0 @@
-#!/bin/bash
-#
-# Copyright (c) Microsoft Corporation.
-# Licensed under the MIT License.
-#
-# shellcheck disable=SC1090,SC1091,SC2154
-# SC1090: Can't follow non-constant source. Use a directive to specify location.
-# SC2154: "var is referenced but not assigned". These values come from an external file.
-#
-# Generate a config.vars file at a given Terraform directory
-
-set -e
-
-error_log() {
- echo "${1}" 1>&2;
-}
-
-usage() {
- echo "generate_vars.sh: Generate a config.vars file at a given Terraform directory"
- error_log "usage: generate_vars.sh "
-}
-
-if [[ "$#" -lt 3 ]]; then
- usage
- exit 1
-fi
-
-mlz_config=$(realpath "${1}")
-tf_sub_id="${2}"
-tf_dir=$(realpath "${3}")
-tf_name=$(basename "${tf_dir}")
-
-# source mlz config
-. "${mlz_config}"
-
-# generate names
-. "${BASH_SOURCE%/*}/generate_names.sh" "${mlz_config}" "${tf_name}"
-
-# generate a config.vars file
-config_vars="${tf_dir}/config.vars"
-rm -f "$config_vars"
-touch "$config_vars"
-{
- echo "metadata_host=${mlz_metadatahost}"
- echo "tenant_id=${mlz_tenantid}"
- echo "mlz_env_name=${mlz_env_name}"
- echo "mlz_config_subid=${mlz_config_subid}"
- echo "mlz_kv_name=${mlz_kv_name}"
- echo "sub_id=${tf_sub_id}"
- echo "location=${mlz_config_location}"
- echo "tf_rg_name=${tf_rg_name}"
- echo "tf_sa_name=${tf_sa_name}"
- echo "mlz_kv_sp_client_id=${mlz_kv_sp_client_id}"
- echo "mlz_kv_sp_client_secret=${mlz_kv_sp_client_secret}"
- echo "mlz_kv_sp_object_id=${mlz_kv_sp_object_id}"
- echo "environment=${tf_environment}"
- echo "container_name=${container_name}"
-} >> "$config_vars"
diff --git a/src/scripts/config/get_sp_identity.sh b/src/scripts/config/get_sp_identity.sh
deleted file mode 100755
index f5b72951a..000000000
--- a/src/scripts/config/get_sp_identity.sh
+++ /dev/null
@@ -1,101 +0,0 @@
-#!/bin/bash
-#
-# Copyright (c) Microsoft Corporation.
-# Licensed under the MIT License.
-#
-# shellcheck disable=SC1090,SC2154
-# SC1090: Can't follow non-constant source. Use a directive to specify location.
-# SC2154: "var is referenced but not assigned". These values come from an external file.
-#
-# Given a MLZTF config.vars file, export a mlz_client_id and mlz_client_secret
-
-set -e
-
-error_log() {
- echo "${1}" 1>&2;
-}
-
-usage() {
- echo "get_sp_identity.sh: Given a MLZTF config.vars file, export a mlz_client_id, mlz_client_secret, and mlz_object_id"
- error_log "usage: get_sp_identity.sh "
-}
-
-if [[ "$#" -lt 1 ]]; then
- usage
- exit 1
-fi
-
-config_vars=$1
-
-# Validate configuration file exists
-. "$(dirname "${BASH_SOURCE%/*}")/util/checkforfile.sh" \
- "${config_vars}" \
- "The configuration file ${config_vars} is empty or does not exist. You may need to run MLZ setup."
-
-# Source configuration file
-. "${config_vars}"
-
-# query for service principal client ID
-kv_id_exists="az keyvault secret show \
- --name ${mlz_kv_sp_client_id} \
- --vault-name ${mlz_kv_name} \
- --subscription ${mlz_config_subid}"
-
-if ! $kv_id_exists &> /dev/null; then
- echo "The Key Vault secret ${mlz_kv_sp_client_id} does not exist...validate config.vars file and re-run script"
- exit 1
-else
- client_id=$(az keyvault secret show \
- --name "${mlz_kv_sp_client_id}" \
- --vault-name "${mlz_kv_name}" \
- --subscription "${mlz_config_subid}" \
- --query value \
- --output tsv)
- export client_id
-fi
-
-# query for service principal password
-kv_pwd_exists="az keyvault secret show \
- --name ${mlz_kv_sp_client_secret} \
- --vault-name ${mlz_kv_name} \
- --subscription ${mlz_config_subid}"
-
-if ! $kv_pwd_exists &> /dev/null; then
- echo "The Key Vault secret ${mlz_kv_sp_client_secret} does not exist...validate config.vars file and re-run script"
- exit 1
-else
- client_secret=$(az keyvault secret show \
- --name "${mlz_kv_sp_client_secret}" \
- --vault-name "${mlz_kv_name}" \
- --subscription "${mlz_config_subid}" \
- --query value \
- --output tsv)
- export client_secret
-fi
-
-# query for service principal object ID
-kv_obj_id_exists="az keyvault secret show \
- --name ${mlz_kv_sp_object_id} \
- --vault-name ${mlz_kv_name} \
- --subscription ${mlz_config_subid}"
-if ! $kv_obj_id_exists &> /dev/null; then
- echo "The Key Vault secret ${mlz_kv_sp_object_id} does not exist...validate config.vars file and re-run script"
- exit 1
-else
- object_id=$(az keyvault secret show \
- --name "${mlz_kv_sp_object_id}" \
- --vault-name "${mlz_kv_name}" \
- --subscription "${mlz_config_subid}" \
- --query value \
- --output tsv)
- export object_id
-fi
-
-# Validate Service Principal exists
-sp_exists="az ad sp show \
- --id ${client_id}"
-
-if ! $sp_exists &> /dev/null; then
- echo "Service Principal with Client ID ${client_id} could not be found...validate config.vars file and re-run script"
- exit 1
-fi
diff --git a/src/scripts/config/validate_minimum_role_for_sp.sh b/src/scripts/config/validate_minimum_role_for_sp.sh
deleted file mode 100755
index 60802e564..000000000
--- a/src/scripts/config/validate_minimum_role_for_sp.sh
+++ /dev/null
@@ -1,81 +0,0 @@
-#!/bin/bash
-#
-# Copyright (c) Microsoft Corporation.
-# Licensed under the MIT License.
-#
-# shellcheck disable=SC1090
-# SC1090: Can't follow non-constant source. Use a directive to specify location.
-#
-# validates that a Service Principal has 'Contributor' or 'Owner'
-# role assigned for the subscriptions in a given .mlzconfig
-
-set -e
-
-error_log() {
- echo "${1}" 1>&2;
-}
-
-usage() {
- error_log "usage: validate_minimum_role_for_sp.sh "
- echo "validate_minimum_role_for_sp.sh: validates that a Service Principal for a given Client ID has 'Contributor' or 'Owner' role assigned for the subscriptions in a given .mlzconfig"
-}
-
-if [[ "$#" -lt 2 ]]; then
- usage
- exit 1
-fi
-
-mlz_config=$(realpath "${1}")
-client_id=${2}
-
-# Source variables
-. "${mlz_config}"
-
-# Create array of unique subscription IDs. The 'sed' command below search thru the source
-# variables file looking for all lines that do not have a '#' in the line. If a line with
-# a '#' is found, the '#' and ever character after it in the line is ignored. The output
-# of what remains from the sed command is then piped to grep to find the words that match
-# the pattern. These words are what make up the 'mlz_subs' array.
-mlz_sub_pattern="mlz_.*._subid"
-mlz_subs=$(< "${mlz_config}" sed 's:#.*$::g' | grep -w "${mlz_sub_pattern}")
-subs=()
-for mlz_sub in $mlz_subs
-do
- mlz_sub_id=$(echo "${mlz_sub#*=}" | tr -d '"')
- if [[ ! "${subs[*]}" =~ ${mlz_sub_id} ]];then
- subs+=("${mlz_sub_id}")
- fi
-done
-
-object_id=$(az ad sp list \
- --filter "appId eq '${client_id}'" \
- --query "[].objectId" \
- --output tsv)
-
-subs_requiring_role_assignment=()
-
-for sub in "${subs[@]}"
-do
- valid_assignments=$(az role assignment list \
- --assignee "${object_id}" \
- --scope "/subscriptions/${sub}" \
- --query "[?roleDefinitionName=='Contributor' || roleDefinitionName=='Owner'].{scope: scope}" \
- --output tsv)
- if [[ -z $valid_assignments ]]; then
- subs_requiring_role_assignment+=("${sub}")
- fi
-done
-
-if [[ ${#subs_requiring_role_assignment[@]} -gt 0 ]]; then
- error_log "ERROR: service principal with client ID ${client_id} is missing 'Contributor' role!"
- echo "INFO: at minimum, the 'Contributor' role is required to manage resources via Terraform."
- echo "INFO: to set this role for the relevant subscriptions, a user with the 'Owner' role can try these commands:"
-
- for sub in "${subs_requiring_role_assignment[@]}"
- do
- echo "INFO: az role assignment create --assignee-object-id ${object_id} --role \"Contributor\" --scope \"/subscriptions/${sub}\""
- done
-
- error_log "ERROR: please assign the 'Contributor' role to this service principal and try again."
- exit 1
-fi
diff --git a/src/scripts/deploy.sh b/src/scripts/deploy.sh
deleted file mode 100755
index 04b1632f8..000000000
--- a/src/scripts/deploy.sh
+++ /dev/null
@@ -1,275 +0,0 @@
-#!/bin/bash
-#
-# Copyright (c) Microsoft Corporation.
-# Licensed under the MIT License.
-#
-# shellcheck disable=1091,2155
-#
-# create all the configuration and deploy Terraform resources with minimal input
-
-set -e
-
-error_log() {
- echo "${1}" 1>&2;
-}
-
-show_help() {
- print_formatted() {
- local long_name=$1
- local char_name=$2
- local desc=$3
- printf "%25s %2s %s \n" "$long_name" "$char_name" "$desc"
- }
- print_formatted "--------" "" "-----------"
- print_formatted "argument" "" "description"
- print_formatted "--------" "" "-----------"
- print_formatted "--subscription-id" "-s" "Subscription ID for MissionLZ resources"
- print_formatted "--location" "-l" "[OPTIONAL] The location that you're deploying to (defaults to 'eastus')"
- print_formatted "--tf-environment" "-e" "[OPTIONAL] Terraform azurerm environment (defaults to 'public') see: https://www.terraform.io/docs/language/settings/backends/azurerm.html#environment"
- print_formatted "--mlz-env-name" "-z" "[OPTIONAL] Unique name for MLZ environment (defaults to 'mlz' + UNIX timestamp)"
- print_formatted "--hub-sub-id" "-u" "[OPTIONAL] subscription ID for the hub network and resources (defaults to the value provided for -s --subscription-id)"
- print_formatted "--tier0-sub-id" "-0" "[OPTIONAL] subscription ID for tier 0 network and resources (defaults to the value provided for -s --subscription-id)"
- print_formatted "--tier1-sub-id" "-1" "[OPTIONAL] subscription ID for tier 1 network and resources (defaults to the value provided for -s --subscription-id)"
- print_formatted "--tier2-sub-id" "-2" "[OPTIONAL] subscription ID for tier 2 network and resources (defaults to the value provided for -s --subscription-id)"
- print_formatted "--tier3-sub-id" "-3" "[OPTIONAL] subscription ID for tier 3 network and resources (defaults to the value provided for -s --subscription-id), input is used in conjunction with deploy_t3.sh"
- print_formatted "--write-output" "-w" "[OPTIONAL] Tier 3 Deployment requires Terraform output, use this flag to write terraform output"
- print_formatted "--no-bastion" "" "[OPTIONAL] when present, do not create a Bastion Host and Jumpbox VM"
- print_formatted "--no-sentinel" "" "[OPTIONAL] when present, do not create an Azure Sentinel solution"
- print_formatted "--no-service-principal" "" "[OPTIONAL] when present, do not create an Azure Service Principal, instead use the credentials in the environment variables '\$ARM_CLIENT_ID' and '\$ARM_CLIENT_SECRET'"
- print_formatted "--policy" "" "[OPTIONAL] when present, create Policy Assignments for built-in NIST initiative"
- print_formatted "--help" "-h" "Print this message"
-}
-
-usage() {
- echo "deploy.sh: create all the configuration and deploy Terraform resources with minimal input"
- show_help
-}
-
-check_dependencies() {
- "${this_script_path}/util/checkforazcli.sh"
- "${this_script_path}/util/checkforterraform.sh"
-}
-
-inspect_user_input() {
- # check mandatory parameters
- # shellcheck disable=1083
- for i in { $mlz_config_subid }
- do
- if [[ $i == "notset" ]]; then
- error_log "ERROR: Missing required arguments. These arguments are mandatory: -s"
- usage
- exit 1
- fi
- done
-
- # notify the user about any defaults
- log_default() {
- local argument_name=$1
- local argument_default=$2
- local argument_value=$3
- if [[ "${argument_value}" = "${argument_default}" ]]; then
- echo "INFO: using the default value '${argument_default}' for '${argument_name}', specify the '${argument_name}' argument to provide a different value."
- fi
- }
- log_default "--location" "${default_config_location}" "${mlz_config_location}"
- log_default "--tf-environment" "${default_tf_environment}" "${tf_environment}"
- log_default "--mlz-env-name" "${default_env_name}" "${mlz_env_name}"
-
- # if the user has set --no-service-principal, ensure mandatory environment variables are set
- # and that the service principal exists
- if [[ "${create_service_principal}" == false ]]; then
- "${this_script_path}/util/checkforarmcredential.sh" "ERROR: When specifying --no-service-principal, these environment variables are mandatory: ARM_CLIENT_ID, ARM_CLIENT_SECRET"
- fi
-}
-
-login_azcli() {
- echo "INFO: setting current subscription to ${mlz_config_subid}..."
- az account set \
- --subscription "${mlz_config_subid}" \
- --only-show-errors \
- --output none
-}
-
-validate_cloud_arguments() {
- echo "INFO: validating settings for '${mlz_config_location}' and '${tf_environment}'..."
- # ensure location is present and terraform environment matches for the current cloud
- "${this_script_path}/util/validateazlocation.sh" "${mlz_config_location}"
- "${this_script_path}/terraform/validate_cloud_for_tf_env.sh" "${tf_environment}"
-}
-
-create_mlz_configuration_file() {
- echo "INFO: creating an MLZ config file at ${mlz_config_file_path}..."
-
- local mlz_tenantid=$(az account show \
- --query "tenantId" \
- --output tsv)
-
- local gen_config_args=()
- gen_config_args+=("-f ${mlz_config_file_path}")
- gen_config_args+=("-e ${tf_environment}")
- gen_config_args+=("-z ${mlz_env_name}")
- gen_config_args+=("-l ${mlz_config_location}")
- gen_config_args+=("-s ${mlz_config_subid}")
- gen_config_args+=("-t ${mlz_tenantid}")
-
- # add hubs and spokes input, if present
- for j in "${subs_args[@]}"
- do
- gen_config_args+=("$j")
- done
-
- # expand array into a string of space separated arguments
- local gen_config_args_str=$(printf '%s ' "${gen_config_args[*]}")
-
- # ignoring shellcheck for word splitting because that is the desired behavior
- # shellcheck disable=SC2086
- "${this_script_path}/config/generate_config_file.sh" $gen_config_args_str
-}
-
-validate_mlz_configuration_file() {
- . "${mlz_config_file_path}"
-
- ensure_vars_are_set()
- {
- local var_names=("$@")
- local any_required_var_unset=false
-
- for var_name in "${var_names[@]}"; do
- if [[ -z "${!var_name}" ]]; then
- echo "ERROR: ${var_name} is required but is not set in MLZ configuration file at ${mlz_config_file_path}"
- any_required_var_unset=true
- fi
- done
-
- if [[ "$any_required_var_unset" == true ]]; then
- exit 1
- fi
- }
-
- ensure_vars_are_set mlz_metadatahost mlz_cloudname
-}
-
-create_mlz_resources() {
- echo "INFO: creating MLZ resources using ${mlz_config_file_path}..."
- "${this_script_path}/config/create_required_resources.sh" "${mlz_config_file_path}" "${create_service_principal}"
-}
-
-create_terraform_variables() {
- echo "INFO: creating terraform variables at ${tfvars_file_path}..."
- "${this_script_path}/terraform/create_tfvars_from_config.sh" "${tfvars_file_path}" "${mlz_config_file_path}" "${create_bastion_jumpbox}" "${create_sentinel}" "${create_assignment}"
-}
-
-apply_terraform() {
- echo "INFO: applying Terraform using ${mlz_config_file_path} and ${tfvars_file_path}..."
- . "${this_script_path}/config/generate_names.sh" "${mlz_config_file_path}"
- "${this_script_path}/../build/apply_tf.sh" \
- "${mlz_config_file_path}" \
- "${tfvars_file_path}" \
- "y"
-}
-
-write_outputs() {
- echo "INFO: Writing outputs from terraform deployment"
- cd "${this_script_path}/../terraform/mlz"
- terraform output -json | tee ${configuration_output_path}/output.tfvars.json
-}
-
-display_clean_hint() {
- echo "INFO: Try this command to clean up what was deployed:"
- echo "INFO: ${this_script_path}/clean.sh -z ${mlz_env_name}"
-}
-
-##########
-# main
-##########
-
-this_script_path=$(realpath "${BASH_SOURCE%/*}")
-configuration_output_path="$(realpath ${this_script_path}/../generated-configurations)"
-timestamp=$(date +%s)
-
-# set some defaults
-default_config_subid="notset"
-default_config_location="eastus"
-default_tf_environment="public"
-default_env_name="mlz${timestamp}"
-create_bastion_jumpbox=true
-create_sentinel=true
-create_service_principal=true
-create_assignment=false
-
-mlz_config_subid="${default_config_subid}"
-mlz_config_location="${default_config_location}"
-tf_environment="${default_tf_environment}"
-mlz_env_name="${default_env_name}"
-write_output="false"
-subs_args=()
-
-while [ $# -gt 0 ] ; do
- case $1 in
- -s | --subscription-id)
- shift
- mlz_config_subid="$1" ;;
- -l | --location)
- shift
- mlz_config_location="$1" ;;
- -e | --tf-environment)
- shift
- tf_environment="$1" ;;
- -z | --mlz-env-name)
- shift
- mlz_env_name="$1" ;;
- -u | --hub-sub-id)
- shift
- subs_args+=("-u ${1}") ;;
- -0 | --tier0-sub-id)
- shift
- subs_args+=("-0 ${1}") ;;
- -1 | --tier1-sub-id)
- shift
- subs_args+=("-1 ${1}") ;;
- -2 | --tier2-sub-id)
- shift
- subs_args+=("-2 ${1}") ;;
- -3 | --tier3-sub-id)
- shift
- subs_args+=("-3 ${1}") ;;
- -w | --write-output)
- write_output="true" ;;
- --no-bastion)
- create_bastion_jumpbox=false ;;
- --no-sentinel)
- create_sentinel=false ;;
- --no-service-principal)
- create_service_principal=false ;;
- --policy)
- create_assignment=true ;;
- -h | --help)
- show_help
- exit 0 ;;
- *)
- error_log "ERROR: Unexpected argument: ${1}"
- usage && exit 1 ;;
- esac
- shift
-done
-
-# validate requirements
-check_dependencies
-inspect_user_input
-login_azcli
-validate_cloud_arguments
-
-# create variables
-mlz_config_file_path="${configuration_output_path}/${mlz_env_name}.mlzconfig"
-tfvars_file_path="${configuration_output_path}/${mlz_env_name}.tfvars"
-create_mlz_configuration_file
-validate_mlz_configuration_file
-create_terraform_variables
-
-# create resources
-trap 'display_clean_hint' EXIT # no matter if the next commands fail, run display_clean_hint
-create_mlz_resources
-apply_terraform
-if [[ $write_output == "true" ]]; then
- write_outputs
-fi
diff --git a/src/scripts/deploy_t3.sh b/src/scripts/deploy_t3.sh
deleted file mode 100755
index 7f4bdcc4a..000000000
--- a/src/scripts/deploy_t3.sh
+++ /dev/null
@@ -1,118 +0,0 @@
-#!/bin/bash
-#
-# Copyright (c) Microsoft Corporation.
-# Licensed under the MIT License.
-#
-# shellcheck disable=SC1090,SC2154
-# SC1090: Can't follow non-constant source. Use a directive to specify location.
-# SC2154: "var is referenced but not assigned". These values come from an external file.
-#
-# Deployment script for performing all of the required steps to deploy and bind a tier3 to an existing MLZ deployment
-
-set -e
-
-error_log() {
- echo "${1}" 1>&2;
-}
-
-usage() {
- echo "deploy_t3.sh: Automation that calls apply terraform given a MLZ configuration and some tfvars"
- error_log "usage: deploy_t3.sh "
-}
-
-if [[ "$#" -lt 3 ]]; then
- usage
- exit 1
-fi
-
-# take some valid, well known, mlz_config and vars as input
-mlz_config=$1
-output_vars=$(realpath "${2}")
-tier3_vars=$3
-display_tf_output=${4:-n}
-
-# reference paths
-this_script_path=$(realpath "${BASH_SOURCE%/*}")
-src_dir=$(dirname "${this_script_path}")
-terraform_path="${src_dir}/terraform/"
-scripts_dir="${src_dir}/scripts/"
-
-# apply function
-apply() {
- sub_id=$1
- tf_dir=$2
- vars=$3
-
- . "${this_script_path}/config/create_terraform_backend_resources.sh" "${mlz_config}" "${sub_id}" "${tf_dir}"
-
- # generate config.vars based on MLZ Config and Terraform module
- . "${scripts_dir}/config/generate_vars.sh" \
- "${mlz_config}" \
- "${sub_id}" \
- "${tf_dir}"
-
- # remove any existing terraform initialzation
- rm -rf "${tf_dir}/.terraform"
-
- # copy input vars to temporary file
- input_vars=$(realpath "${vars}")
- temp_vars="temp_vars.tfvars"
- rm -f "${temp_vars}"
- touch "${temp_vars}"
- cp "${input_vars}" "${temp_vars}"
-
- # remove any tfvars and subtitute it with input vars
- tf_vars="${tf_dir}/$(basename "${vars}")"
- rm -f "${tf_vars}"
- touch "${tf_vars}"
- cp "${temp_vars}" "${tf_vars}"
- rm -f "${temp_vars}"
-
- # set the target subscription
- az account set \
- --subscription "${sub_id}" \
- --output none
-
- # attempt to apply $max_attempts times before giving up
- # (race conditions, transient errors etc.)
- apply_success="false"
- attempts=1
- max_attempts=5
-
- apply_command="${scripts_dir}/terraform/apply_terraform.sh ${tf_dir} ${tf_vars} y ${output_vars}"
- destroy_command="${scripts_dir}/terraform/destroy_terraform.sh ${tf_dir} ${tf_vars} y"
-
- if [[ $display_tf_output == "n" ]]; then
- apply_command+=" &>/dev/null"
- destroy_command+=" &>/dev/null"
- fi
-
- while [ $apply_success == "false" ]
- do
- echo "INFO: applying Terraform at ${tf_dir} (${attempts}/${max_attempts})..."
-
- if ! eval "$apply_command";
- then
- # if we fail, run terraform destroy and try again
- error_log "ERROR: failed to apply ${tf_dir} (${attempts}/${max_attempts}). Trying some manual clean-up and Terraform destroy..."
- eval "$destroy_command"
-
- ((attempts++))
-
- if [[ $attempts -gt $max_attempts ]]; then
- error_log "ERROR: failed ${max_attempts} times to apply ${tf_dir}. Exiting."
- exit 1
- fi
- else
- # if we succeed meet the base case
- apply_success="true"
- echo "INFO: finished applying ${tf_dir}!"
- fi
- done
-}
-
-# source vars from mlz_config
-. "${mlz_config}"
-
-# call apply()
-apply "${mlz_tier3_subid}" "${terraform_path}/tier3" "${tier3_vars}"
diff --git a/src/scripts/security-center/configure_asc.sh b/src/scripts/security-center/configure_asc.sh
deleted file mode 100755
index ef8ceb4d9..000000000
--- a/src/scripts/security-center/configure_asc.sh
+++ /dev/null
@@ -1,170 +0,0 @@
-#!/bin/bash
-#
-# Copyright (c) Microsoft Corporation.
-# Licensed under the MIT License.
-#
-# shellcheck disable=SC1090,SC1091,SC2154
-#
-# Configures the landing zone subscriptions for Azure Security Center
-
-set -e
-
-PGM=$(basename "${0}")
-
-if [[ "${PGM}" == "configure_asc.sh" && "$#" -lt 1 ]]; then
- echo "${PGM}: Initializes Azure Security Center Standard tier for Storage Accounts and Virtual Machines"
- echo "usage: ${PGM} "
- exit 1
-elif [[ ! "${PGM}" == "create_required_resources.sh" ]];then
-
- mlz_config=$(realpath "${1}")
-
- # Source variables
- . "${mlz_config}"
-
- mlz_sub_pattern="mlz_.*._subid"
- mlz_subs=$(< "$(realpath "${1}")" sed 's:#.*$::g' | grep -w "${mlz_sub_pattern}")
- subs=()
-
- for mlz_sub in $mlz_subs
- do
- # Grab value of variable
- mlz_sub_id=$(echo "${mlz_sub#*=}" | tr -d '"')
- if [[ ! "${subs[*]}" =~ ${mlz_sub_id} ]];then
- subs+=("${mlz_sub_id}")
- fi
- done
-fi
-
-# Configure Azure Security Center
-for sub in "${subs[@]}"
-do
- ascAutoProv=$(az security auto-provisioning-setting show \
- --subscription "${sub}" \
- --name "default" \
- --query autoProvision \
- --output tsv \
- --only-show-errors)
- if [[ ${ascAutoProv} == "Off" ]]; then
-
- # generate names
- . "${BASH_SOURCE%/*}"/generate_names.sh "${mlz_env_name}"
-
- # Create Resource Group for Log Analytics workspace
- rg_exists="az group show \
- --name ${mlz_lawsrg_name} \
- --subscription ${sub}"
-
- if ! $rg_exists &> /dev/null; then
- echo "Resource Group does not exist...creating resource group ${mlz_lawsrg_name}"
- az group create \
- --subscription "${sub}" \
- --location "${mlz_config_location}" \
- --name "${mlz_lawsrg_name}" \
- --output none
- else
- echo "Resource Group ${mlz_lawsrg_name} already exists. Verify desired ASC configuration and re-run script"
- exit 1
- fi
-
- # Create Log Analytics workspace
- laws_exists="az monitor log-analytics workspace show \
- --resource-group ${mlz_lawsrg_name} \
- --workspace-name ${mlz_laws_name}
- --subscription ${sub}"
-
- if ! $laws_exists &> /dev/null; then
- echo "Log Analytics workspace does not exist...creating workspace ${mlz_laws_name}"
- lawsId=$(az monitor log-analytics workspace create \
- --resource-group "${mlz_lawsrg_name}" \
- --workspace-name "${mlz_laws_name}" \
- --location "${mlz_config_location}" \
- --subscription "${sub}" \
- --query id \
- --output tsv)
- else
- echo "Log Analytics workspace ${mlz_laws_name} already exists. Verify desired ASC configuration and re-run script"
- exit 1
- fi
-
- # Set ASC pricing tier on Virtual Machines
- if [[ $(az security pricing show --name VirtualMachines --subscription "${sub}" --only-show-errors --query pricingTier --output tsv) == "Free" ]]; then
- echo "Setting ASC pricing tier for Virtual Machines to Standard..."
- az security pricing create \
- --name VirtualMachines \
- --subscription "${sub}" \
- --tier "Standard" \
- --output none
- fi
-
- # Set ASC pricing tier on Storage Accounts
- if [[ $(az security pricing show --name StorageAccounts --subscription "${sub}" --only-show-errors --query pricingTier --output tsv --only-show-errors) == "Free" ]]; then
- echo "Setting ASC pricing tier for Storage Accounts to Standard..."
- az security pricing create \
- --name StorageAccounts \
- --subscription "${sub}" \
- --tier "Standard" \
- --output none
- fi
-
- # Create default setting for ASC Log Analytics workspace
- ascwss_exists="az security workspace-setting show \
- --name default \
- --subscription ${sub} \
- --only-show-errors"
-
- if ! $ascwss_exists &> /dev/null; then
-
- sleep_time_in_seconds=30
- max_wait_in_minutes=30
- max_wait_in_seconds=$((max_wait_in_minutes*60))
- max_retries=$((max_wait_in_seconds/sleep_time_in_seconds))
-
- echo "Maximum time to wait in seconds = ${max_wait_in_seconds}"
- echo "Maximum number of retries = ${max_retries}"
-
- echo "ASC Log Analytics workspace setting does not exist...creating default setting"
- echo "This script will attempt to create the setting for ${max_wait_in_minutes} minutes and then timeout if the setting has not been created"
-
- az security workspace-setting create \
- --name "default" \
- --target-workspace "${lawsId}" \
- --subscription "${sub}" \
- --output none
-
- count=1
-
- # TODO (20210309): this could take an unusually long time and even fail altogether.
- # This is under investigation by the `az security` team.
- while [ -z "$(az security workspace-setting show --name default --subscription "${sub}" --query workspaceId --output tsv --only-show-errors)" ]
- do
-
- echo "Waiting for ASC workspace setting to finish provisioning (${count}/${max_retries})"
- echo "Trying again in ${sleep_time_in_seconds} seconds..."
- sleep "${sleep_time_in_seconds}"
-
- if [[ ${count} -eq max_retries ]];then
- echo "Provisioning the workspace setting has exceeded ${max_wait_in_minutes} minutes. Investigate and re-run script."
- exit 1
- fi
-
- count=$((count + 1))
-
- done
- else
- echo "ASC already has a \"default\" Log Analytics workspace configuration. Verify desired ASC configuration and re-run script"
- exit 1
- fi
-
- # Set ASC auto-provisioning to On
- az security auto-provisioning-setting update \
- --auto-provision "On" \
- --subscription "${sub}" \
- --name "default" \
- --only-show-errors \
- --output none
- else
- echo "ASC auto-provisioning is already set to \"On\". Verify desired ASC configuration and re-run script"
- exit 1
- fi
-done
\ No newline at end of file
diff --git a/src/scripts/security-center/generate_names.sh b/src/scripts/security-center/generate_names.sh
deleted file mode 100755
index fb4c9d5cb..000000000
--- a/src/scripts/security-center/generate_names.sh
+++ /dev/null
@@ -1,35 +0,0 @@
-#!/bin/bash
-#
-# Copyright (c) Microsoft Corporation.
-# Licensed under the MIT License.
-#
-# Generate Azure Security Center resource names
-
-set -e
-
-error_log() {
- echo "${1}" 1>&2;
-}
-
-usage() {
- echo "${0}: Generate Security Center resource names"
- error_log "usage: ${0} "
-}
-
-if [[ "$#" -ne 2 ]]; then
- usage
- exit 1
-fi
-
-mlz_enclave_name_raw=$1
-sub_raw=$2
-
-# remove hyphens for resource naming restrictions
-# in the future, do more cleansing
-mlz_enclave_name="${mlz_enclave_name_raw//-}"
-safeSubId="${sub_raw//-}"
-
-
-# Name MLZ config resources
-export mlz_lawsrg_name="rg-mlz-laws-${mlz_enclave_name}"
-export mlz_laws_name="laws-${mlz_enclave_name}-${safeSubId}"
\ No newline at end of file
diff --git a/src/scripts/terraform/apply_terraform.sh b/src/scripts/terraform/apply_terraform.sh
deleted file mode 100755
index 460e1bcaf..000000000
--- a/src/scripts/terraform/apply_terraform.sh
+++ /dev/null
@@ -1,51 +0,0 @@
-#!/bin/bash
-#
-# Copyright (c) Microsoft Corporation.
-# Licensed under the MIT License.
-#
-# shellcheck disable=SC1090,SC1091,SC2154,SC2143
-# SC1090: Can't follow non-constant source. Use a directive to specify location.
-# SC1091: Not following. Shellcheck can't follow non-constant source.
-# SC2154: "var is referenced but not assigned". These values come from an external file.
-# SC2143: Use grep -q instead of comparing output. Ignored for legibility.
-#
-# Applies a Terraform configuration given a backend configuration, a global variables file, and a terraform configurationd directory
-
-set -e
-
-if [[ "$#" -lt 2 ]]; then
- echo "apply_terraform.sh: initializes Terraform for a given directory using given a .env file for backend configuration"
- echo "usage: apply_terraform.sh "
- exit 1
-fi
-
-tf_dir=$(realpath "${1}")
-tf_vars=$(realpath "${2}")
-auto_approve=${3:-n}
-extra_vars=${4:-notset}
-
-scripts_path=$(realpath "${BASH_SOURCE%/*}/..")
-
-# init terraform for the directory
-. "${scripts_path}/terraform/init_terraform.sh" "$tf_dir"
-
-# verify Service Principal is valid and set client_id, client_secret, object_id
-. "${scripts_path}/config/get_sp_identity.sh" "${config_vars}"
-
-apply_command="terraform apply"
-
-if [[ $auto_approve == "y" ]]; then
- apply_command+=" -input=false -auto-approve"
-fi
-
-apply_command+=" -var-file=${tf_vars}"
-apply_command+=" -var mlz_clientid=${client_id}"
-apply_command+=" -var mlz_clientsecret=${client_secret}"
-apply_command+=" -var mlz_objectid=${object_id}"
-
-if [[ $extra_vars != "notset" ]]; then
- extra_vars_real=$(realpath "${4}")
- apply_command+=" -var-file=${extra_vars_real}"
-fi
-
-eval "${apply_command}"
diff --git a/src/scripts/terraform/create_tfvars_from_config.sh b/src/scripts/terraform/create_tfvars_from_config.sh
deleted file mode 100755
index dcae77907..000000000
--- a/src/scripts/terraform/create_tfvars_from_config.sh
+++ /dev/null
@@ -1,86 +0,0 @@
-#!/bin/bash
-#
-# Copyright (c) Microsoft Corporation.
-# Licensed under the MIT License.
-#
-# shellcheck disable=1090,2154
-# SC1090: Can't follow non-constant source. This file is input.
-# SC2154: "var is referenced but not assigned". These values come from an external file.
-#
-# generate a terraform globals tfvars file given an MLZ config and a desired tfvars file name
-
-set -e
-
-error_log() {
- echo "${1}" 1>&2;
-}
-
-usage() {
- echo "create_tfvars_from_config.sh: generate a terraform tfvars file given an MLZ config and a desired tfvars file name"
- echo "create_tfvars_from_config.sh: "
- show_help
-}
-
-if [[ "$#" -lt 2 ]]; then
- usage
- exit 1
-fi
-
-file_to_create=$1
-mlz_config=$2
-create_bastion_jumpbox=${3:-true}
-create_sentinel=${4:-true}
-create_assignment=${5:-false}
-
-# source config
-. "${mlz_config}"
-
-# given a key and value write a key="value" new line to a file
-append_kvp() {
- key=$1
- value=$2
- printf "%s=\"%s\"\n" "${key}" "${value}" >> "${file_to_create}"
-}
-
-# write the file to the desired path
-rm -f "$file_to_create"
-dest_file_dir=$(dirname "${file_to_create}")
-mkdir -p "${dest_file_dir}"
-touch "$file_to_create"
-
-append_kvp "deploymentname" "${mlz_env_name}"
-
-append_kvp "tf_environment" "${tf_environment}"
-
-append_kvp "mlz_cloud" "${mlz_cloudname}"
-append_kvp "mlz_tenantid" "${mlz_tenantid}"
-append_kvp "mlz_location" "${mlz_config_location}"
-append_kvp "mlz_metadatahost" "${mlz_metadatahost}"
-append_kvp "create_assignment" "${create_assignment}"
-
-append_kvp "hub_subid" "${mlz_saca_subid}"
-append_kvp "hub_rgname" "rg-saca-${mlz_env_name}"
-append_kvp "hub_vnetname" "vn-saca-${mlz_env_name}"
-append_kvp "create_bastion_jumpbox" "${create_bastion_jumpbox}"
-
-append_kvp "tier0_subid" "${mlz_tier0_subid}"
-append_kvp "tier0_rgname" "rg-t0-${mlz_env_name}"
-append_kvp "tier0_vnetname" "vn-t0-${mlz_env_name}"
-
-append_kvp "tier1_subid" "${mlz_tier1_subid}"
-append_kvp "tier1_rgname" "rg-t1-${mlz_env_name}"
-append_kvp "tier1_vnetname" "vn-t1-${mlz_env_name}"
-append_kvp "mlz_lawsname" "laws-${mlz_env_name}"
-append_kvp "create_sentinel" "${create_sentinel}"
-
-append_kvp "tier2_subid" "${mlz_tier2_subid}"
-append_kvp "tier2_rgname" "rg-t2-${mlz_env_name}"
-append_kvp "tier2_vnetname" "vn-t2-${mlz_env_name}"
-
-if [ -n "${mlz_tier3_subid+x}" ]; then
-
-append_kvp "tier3_subid" "${mlz_tier3_subid}"
-append_kvp "tier3_rgname" "rg-t3-${mlz_env_name}"
-append_kvp "tier3_vnetname" "vn-t3-${mlz_env_name}"
-
-fi
diff --git a/src/scripts/terraform/destroy_terraform.sh b/src/scripts/terraform/destroy_terraform.sh
deleted file mode 100755
index 8743e8c25..000000000
--- a/src/scripts/terraform/destroy_terraform.sh
+++ /dev/null
@@ -1,46 +0,0 @@
-#!/bin/bash
-#
-# Copyright (c) Microsoft Corporation.
-# Licensed under the MIT License.
-#
-# shellcheck disable=SC1090,SC1091,SC2154,SC2143
-# SC1090: Can't follow non-constant source. Use a directive to specify location.
-# SC1091: Not following. Shellcheck can't follow non-constant source.
-# SC2154: "var is referenced but not assigned". These values come from an external file.
-# SC2143: Use grep -q instead of comparing output. Ignored for legibility.
-#
-# Destroys a Terraform configuration given a backend configuration, a global variables file, and a terraform configurationd directory
-
-set -e
-
-if [[ "$#" -lt 2 ]]; then
- echo "destroy_terraform.sh: initializes Terraform for a given directory using given a .env file for backend configuration"
- echo "usage: destroy_terraform.sh "
- exit 1
-fi
-
-tf_dir=$(realpath "${1}")
-tf_vars=$(realpath "${2}")
-auto_approve=${3:-n}
-
-scripts_path=$(realpath "${BASH_SOURCE%/*}/..")
-
-# init terraform for the directory
-. "${scripts_path}/terraform/init_terraform.sh" "$tf_dir"
-
-# verify Service Principal is valid and set client_id, client_secret, object_id
-. "${scripts_path}/config/get_sp_identity.sh" "${config_vars}"
-
-# destroy the terraform configuration with global vars and the configuration's tfvars
-destroy_command="terraform destroy"
-
-if [[ $auto_approve == "y" ]]; then
- destroy_command+=" -input=false -auto-approve"
-fi
-
-destroy_command+=" -var-file=${tf_vars}"
-destroy_command+=" -var mlz_clientid=${client_id}"
-destroy_command+=" -var mlz_clientsecret=${client_secret}"
-destroy_command+=" -var mlz_objectid=${object_id}"
-
-eval "${destroy_command}"
diff --git a/src/scripts/terraform/init_terraform.sh b/src/scripts/terraform/init_terraform.sh
deleted file mode 100755
index 24eeee20e..000000000
--- a/src/scripts/terraform/init_terraform.sh
+++ /dev/null
@@ -1,70 +0,0 @@
-#!/bin/bash
-#
-# Copyright (c) Microsoft Corporation.
-# Licensed under the MIT License.
-#
-# shellcheck disable=SC1090,SC1091,SC2143,SC2154
-# SC1090: Can't follow non-constant source. Use a directive to specify location.
-# SC1091: Not following. Shellcheck can't follow non-constant source.
-# SC2154: "var is referenced but not assigned". These values come from an external file.
-# SC2143: Use grep -q instead of comparing output. Ignored for legibility.
-#
-# Initializes Terraform for a given directory using given a .env file for backend configuration
-
-set -e
-
-if [[ "$#" -lt 1 ]]; then
- echo "init_terraform.sh: initializes Terraform for a given directory using given a .env file for backend configuration"
- echo "usage: init_terraform.sh "
- exit 1
-fi
-
-tf_dir=$(realpath "${1}")
-tf_name=$(basename "${tf_dir}")
-
-config_vars="${tf_dir}/config.vars"
-
-scripts_path=$(realpath "${BASH_SOURCE%/*}/..")
-
-# check for dependencies
-. "${scripts_path}/util/checkforazcli.sh"
-. "${scripts_path}/util/checkforterraform.sh"
-
-# Validate necessary Azure resources exist
-. "${scripts_path}/config/config_validate.sh" "${tf_dir}"
-
-# Validate configuration file exists
-. "${scripts_path}/util/checkforfile.sh" \
- "${config_vars}" \
- "The configuration file ${config_vars} is empty or does not exist. You may need to run MLZ setup."
-
-# Source configuration file
-. "${config_vars}"
-
-# Verify Service Principal is valid and set client_id and client_secret environment variables
-. "${scripts_path}/config/get_sp_identity.sh" "${config_vars}"
-
-# Set the terraform state key
-key="${mlz_env_name}${tf_name}"
-
-# declare terraform init arguments for the backend configuration
-init_args=()
-init_args+=("-backend-config=\"metadata_host=${metadata_host}\"")
-init_args+=("-backend-config=\"key=${key}\"")
-init_args+=("-backend-config=\"resource_group_name=${tf_rg_name}\"")
-init_args+=("-backend-config=\"storage_account_name=${tf_sa_name}\"")
-init_args+=("-backend-config=\"container_name=${container_name}\"")
-init_args+=("-backend-config=\"environment=${environment}\"")
-init_args+=("-backend-config=\"tenant_id=${tenant_id}\"")
-init_args+=("-backend-config=\"subscription_id=${mlz_config_subid}\"")
-init_args+=("-backend-config=\"client_id=${client_id}\"")
-init_args+=("-backend-config=\"client_secret=${client_secret}\"")
-
-# If there is an offline terraform provider (plugin) cache, append it to the init arguments
-if [[ -d $TF_PLUGIN_CACHE_DIR ]]; then
- init_args+=("-plugin-dir=${TF_PLUGIN_CACHE_DIR}")
-fi
-
-# Initialize terraform in the configuration directory
-cd "${tf_dir}" || exit
-eval terraform init "${init_args[@]}"
diff --git a/src/scripts/terraform/validate_cloud_for_tf_env.sh b/src/scripts/terraform/validate_cloud_for_tf_env.sh
deleted file mode 100755
index ab1d88e92..000000000
--- a/src/scripts/terraform/validate_cloud_for_tf_env.sh
+++ /dev/null
@@ -1,58 +0,0 @@
-#!/bin/bash
-#
-# Copyright (c) Microsoft Corporation.
-# Licensed under the MIT License.
-#
-# validate cloud matches known tf_environment values
-
-set -e
-
-error_log() {
- echo "${1}" 1>&2;
-}
-
-usage() {
- echo "validate_cloud_for_tf_env.sh: validate a given tf_environment matches the user's cloud"
- error_log "usage: validate_cloud_for_tf_env.sh public"
-}
-
-this_script_path=$(realpath "${BASH_SOURCE%/*}")
-
-# check for dependencies
-"${this_script_path}/../util/checkforazcli.sh"
-
-# inspect user input
-if [[ "$#" -lt 1 ]]; then
- usage
- exit 1
-fi
-
-tf_env=$1
-tf_env_lower=${tf_env,,} # ${var,,} syntax is to output a string as lowercase
-
-current_cloud=$(az cloud show --query name --output tsv)
-current_cloud_lower=${current_cloud,,} # ${var,,} syntax is to output a string as lowercase
-
-# declare a dictionary of Terraform environment names and their clouds
-# sourcing the valid combinations from here https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs#environment
-declare -A tfenv_cloud_pairs
-tfenv_cloud_pairs['public']='azurecloud'
-tfenv_cloud_pairs['usgovernment']='azureusgovernment'
-tfenv_cloud_pairs['german']='azuregermancloud'
-tfenv_cloud_pairs['china']='azurechinacloud'
-tfenv_cloud_pairs['ussec']='ussec'
-tfenv_cloud_pairs['usnat']='usnat'
-
-tf_env_is_valid=false
-
-# if the dictionary does contain the environment and it maps to the current cloud, then we're good
-if [[ ${tfenv_cloud_pairs["${tf_env_lower}"]} == "${current_cloud_lower}" ]]; then
- tf_env_is_valid=true
-fi
-
-# otherwise, throw an error and exit
-if [[ "${tf_env_is_valid}" = false ]]; then
- error_log "ERROR: Terraform environment '${tf_env}' is not a valid environment for cloud '${current_cloud}'"
- echo "INFO: check the valid settings for Terraform environment here: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs#environment"
- exit 1
-fi
diff --git a/src/scripts/util/checkforarmcredential.sh b/src/scripts/util/checkforarmcredential.sh
deleted file mode 100755
index d3ad46356..000000000
--- a/src/scripts/util/checkforarmcredential.sh
+++ /dev/null
@@ -1,38 +0,0 @@
-#!/bin/bash
-#
-# Copyright (c) Microsoft Corporation.
-# Licensed under the MIT License.
-#
-# validate that ARM_CLIENT_ID and ARM_CLIENT_SECRET environment variables are set
-
-set -e
-
-error_log() {
- echo "${1}" 1>&2;
-}
-
-usage() {
- echo "checkforarmcredential.sh: validate that ARM_CLIENT_ID and ARM_CLIENT_SECRET environment variables are set"
- error_log "usage: checkforarmcredential.sh "
-}
-
-if [[ "$#" -lt 1 ]]; then
- usage
- exit 1
-fi
-
-error_message=$1
-
-if [[ -z $ARM_CLIENT_ID || -z $ARM_CLIENT_SECRET ]]; then
- error_log "${error_message}"
- echo "INFO: You can set these environment variables with 'export ARM_CLIENT_ID=\"YOUR_CLIENT_ID\"' and 'export ARM_CLIENT_SECRET=\"YOUR_CLIENT_SECRET\"'"
- exit 1
-fi
-
-sp_exists="az ad sp show --id ${ARM_CLIENT_ID}"
-
-if ! $sp_exists &> /dev/null; then
- error_log "ERROR: unable to find a Service Principal with Client ID ${ARM_CLIENT_ID}!"
- echo "INFO: check the value of the environment variable \$ARM_CLIENT_ID and try 'az ad sp show --id \$ARM_CLIENT_ID' to inspect results..."
- exit 1
-fi
diff --git a/src/scripts/util/checkforazcli.sh b/src/scripts/util/checkforazcli.sh
deleted file mode 100755
index abed1df50..000000000
--- a/src/scripts/util/checkforazcli.sh
+++ /dev/null
@@ -1,22 +0,0 @@
-#!/bin/bash
-#
-# Copyright (c) Microsoft Corporation.
-# Licensed under the MIT License.
-
-set -e
-
-# Check for Azure CLI
-if ! command -v az &> /dev/null; then
- echo "az could not be found. This script requires the Azure CLI."
- echo "see https://docs.microsoft.com/en-us/cli/azure/install-azure-cli for installation instructions."
- exit 1
-fi
-
-# Check for Azure CLI account
-if ! az account show &> /dev/null; then
- echo "Please login to Azure CLI before running this script."
- echo "To set the cloud: az cloud set --name "
- echo "To login as a Service Principal: az login --service-principal -u --password= --tenant --allow-no-subscriptions"
- echo "To login interactively: az login --username "
- exit 1
-fi
diff --git a/src/scripts/util/checkforfile.sh b/src/scripts/util/checkforfile.sh
deleted file mode 100755
index 06fa46cfb..000000000
--- a/src/scripts/util/checkforfile.sh
+++ /dev/null
@@ -1,27 +0,0 @@
-#!/bin/bash
-#
-# Check for an empty or missing file and return an error
-
-set -e
-
-error_log() {
- echo "${1}" 1>&2;
-}
-
-usage() {
- echo "checkforfile.sh: Check for an empty or missing file and return an error"
- error_log "usage: checkforfile.sh "
-}
-
-if [[ "$#" -lt 2 ]]; then
- usage
- exit 1
-fi
-
-file_path=$1
-error_message=$2
-
-if [[ ! -s "${file_path}" ]]; then
- error_log "${error_message}"
- exit 1
-fi
\ No newline at end of file
diff --git a/src/scripts/util/checkforterraform.sh b/src/scripts/util/checkforterraform.sh
deleted file mode 100755
index 1d040cc3c..000000000
--- a/src/scripts/util/checkforterraform.sh
+++ /dev/null
@@ -1,13 +0,0 @@
-#!/bin/bash
-#
-# Copyright (c) Microsoft Corporation.
-# Licensed under the MIT License.
-
-set -e
-
-# Check for Terraform
-if ! command -v terraform &> /dev/null; then
- echo "terraform could not be found. This script requires the Terraform CLI."
- echo "see https://learn.hashicorp.com/tutorials/terraform/install-cli for installation instructions."
- exit 1
-fi
\ No newline at end of file
diff --git a/src/scripts/util/checkforzip.sh b/src/scripts/util/checkforzip.sh
deleted file mode 100755
index 28f703240..000000000
--- a/src/scripts/util/checkforzip.sh
+++ /dev/null
@@ -1,13 +0,0 @@
-#!/bin/bash
-#
-# Copyright (c) Microsoft Corporation.
-# Licensed under the MIT License.
-
-set -e
-
-# Check for zip
-if ! command -v zip &> /dev/null; then
- echo "zip could not be found. This script requires zip."
- echo "On debian based distributions you can try this to install it: sudo apt install zip"
- exit 1
-fi
diff --git a/src/scripts/util/validateazlocation.sh b/src/scripts/util/validateazlocation.sh
deleted file mode 100755
index bab3537fa..000000000
--- a/src/scripts/util/validateazlocation.sh
+++ /dev/null
@@ -1,42 +0,0 @@
-#!/bin/bash
-#
-# Copyright (c) Microsoft Corporation.
-# Licensed under the MIT License.
-#
-# validate that a given location is present in a user's cloud
-
-set -e
-
-error_log() {
- echo "${1}" 1>&2;
-}
-
-usage() {
- echo "validateazlocation.sh: validate that a given location is present in a user's cloud"
- error_log "usage: validateazlocation.sh eastus"
-}
-
-this_script_path=$(realpath "${BASH_SOURCE%/*}")
-
-# check for dependencies
-"${this_script_path}/checkforazcli.sh"
-
-# inspect user input
-if [[ "$#" -lt 1 ]]; then
- usage
- exit 1
-fi
-
-location=$1
-
-current_cloud=$(az cloud show --query name --output tsv)
-current_sub=$(az account show --query id --output tsv)
-valid_locations=$(az account list-locations --query [].name --output tsv)
-
-# if the active subscription does not support the given location, throw an error and exit
-if ! echo "$valid_locations" | grep -iwq "${location}"; then
- error_log "ERROR: could not find region '${location}' for subscription of '${current_sub}' in current cloud '${current_cloud}' "
- echo "INFO: is this a valid region? Try 'az account list-locations' to see what regions are available to you."
- echo "INFO: do you have the correct cloud set? Try 'az cloud set' to set it."
- exit 1
-fi
diff --git a/src/terraform/README.md b/src/terraform/README.md
new file mode 100644
index 000000000..7212dfad8
--- /dev/null
+++ b/src/terraform/README.md
@@ -0,0 +1,353 @@
+# Mission LZ Terraform
+
+Mission LZ also deploys the Hub and Spoke network architecture using [Terraform](https://www.terraform.io/).
+
+To get started with Terraform on Azure check out their useful tutorial:
+
+Once you're comfortable with Terraform, ensure you have the [Prerequisites](#Prerequisites) below and follow the instructions to deploy and clean-up Mission LZ.
+
+## High-Level Steps
+
+From a birds-eye view, we're going to deploy the core Mission LZ deployment of the Hub, Tier 0 (Identity), Tier 1 (Operations), and Tier 2 (Shared Services) networks and supporting resources, followed by a new spoke network/Tier 3. The commands we'll execute along the way will look something like this:
+
+```bash
+cd src/terraform/mlz
+terraform init
+terraform apply # supply some parameters, approve, copy the output values
+cd src/terraform/tier3
+terraform init
+terraform apply # supply some parameters, approve
+```
+
+Read on to understand the [prerequisites](#Prerequisistes), how to get started, and how to optionally [configure your deployment for use in other clouds](#Deploying-to-Other-Clouds) or [deploy with a Service Principal](#Deploying-with-a-Service-Principal).
+
+## Prerequisistes
+
+* Current version of the [Azure CLI](https://docs.microsoft.com/en-us/cli/azure/install-azure-cli)
+* The version of the [Terraform CLI](https://www.terraform.io/downloads.html) described in the [.devcontainer Dockerfile](../../../.devcontainer/Dockerfile)
+* An Azure Subscription(s) where you or an identity you manage has `Owner` [RBAC permissions](https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#owner)
+
+Deploying to a Cloud other than Azure Commercial? This requires updating the `azurerm` provider block `environment` and `metadata_host` values. Checkout the [Deploying to Other Clouds](#Deploying-to-Other-Clouds) documentation.
+
+### Login to Azure CLI
+
+1. Log in using the Azure CLI
+
+ ```BASH
+ az login
+ ```
+
+ > *(Optional)* If you needed to deploy into another cloud such as Azure Government, set the cloud name before logging in:
+
+ ```BASH
+ az cloud set -n AzureUSGovernment
+ az login
+ ```
+
+1. (OPTIONAL) Deploying with a Service Principal? This requires updating the `azurerm` provider block. Check out the [Deploying with a Service Principal](#Deploying-with-a-Service-Principal) documentation.
+
+## Deploy Mission LZ
+
+### Terraform init
+
+Before provisioning any Azure resources with Terraform you must initialize a working directory.
+
+Here's the docs on `terraform init`:
+
+1. Navigate to the directory in the repository that contains the MissionLZ Terraform module:
+
+ ```bash
+ cd src/terraform/mlz
+ ```
+
+1. Execute `terraform init`
+
+ ```bash
+ terraform init
+ ```
+
+### Terraform apply
+
+After intializing the directory, use `terraform apply` to provision the resources described in `mlz/main.tf` and its referenced modules at `mlz/modules/*`.
+
+> Looking to deploy this new spoke in a cloud other than `AzureCloud`, say `AzureUsGovernment`? Follow the guidance at [Deploying to Other Clouds](#Deploying-to-Other-Clouds) to set the correct variables for the deployment.
+
+Here's the docs on `terraform apply`:
+
+When you run `terraform apply`, by default, Terraform will inspect the state of your environment to determine what resource creation, modification, or deletion needs to occur as if you invoked a `terraform plan` and then prompt you for your approval before taking action.
+
+Here's the docs on `terraform plan`:
+
+1. From the directory in which you executed `terraform init` execute `terraform apply`:
+
+ ```bash
+ terraform apply
+ ```
+
+1. You'll be prompted for a subscription ID. Supply the subscription ID you want to use for the Hub network:
+
+ ```plaintext
+ > terraform apply
+ var.hub_subid
+ Subscription ID for the deployment
+
+ Enter a value:
+ ```
+
+1. Terraform will then inspect the state of your Azure environment and compare it with what is described in the Mission LZ Terraform module. Eventually, you'll be prompted for your approval to create, modify, or destroy resources. Supply `yes`:
+
+ ```plaintext
+ Do you want to perform these actions?
+ Terraform will perform the actions described above.
+ Only 'yes' will be accepted to approve.
+
+ Enter a value: yes
+ ```
+
+1. The deployment will begin. These commands will deploy all of the resources that make up Mission LZ. Deployment could take up to 45 minutes.
+
+If you'd like to deploy from Terraform over-and-over again with the same resource names and environment values, follow the docs on using [Terraform Destroy](#Terraform-destroy) to clean-up your environment.
+
+#### Apply Complete
+
+When it's complete, you'll see some output values that will be necessary if you want to stand up new spoke, or Tier 3, networks:
+
+```plaintext
+Apply complete! Resources: 99 added, 0 changed, 0 destroyed.
+
+Outputs:
+
+firewall_private_ip = "10.0.100.4"
+hub_rgname = "hub-rg"
+hub_subid = "{the Hub subscription ID}"
+hub_vnetname = "hub-vnet"
+laws_name = "{the name of the Log Analytics Workspace}"
+laws_rgname = "operations-rg"
+tier1_subid = "{the Tier 1 subscription ID}"
+```
+
+Interested in standing up new spoke networks, or Tier 3 environments, after a deployment? See [Deploying New Spoke Networks](#Deploying-New-Spoke-Networks)
+
+### Terraform destroy
+
+Once you're happy with the deployment output and want to modify Mission LZ or just want to tear it down to save on costs, you can use `terraform destroy`.
+
+Here's the docs on `terraform destroy`:
+
+1. From the directory in which you executed `terraform init` and `terraform apply` execute `terraform destroy`:
+
+ ```bash
+ terraform destroy
+ ```
+
+1. You'll be prompted for a subscription ID. Supply the subscription ID you want to used previously:
+
+ ```plaintext
+ > terraform destroy
+ var.hub_subid
+ Subscription ID for the deployment
+
+ Enter a value:
+ ```
+
+1. Terraform will then inspect the state of your Azure environment and compare it with what is described in Terraform state. Eventually, you'll be prompted for your approval to destroy resources. Supply `yes`:
+
+ ```plaintext
+ Do you want to perform these actions?
+ Terraform will perform the actions described above.
+ Only 'yes' will be accepted to approve.
+
+ Enter a value: yes
+ ```
+
+This command will attempt to remove all the resources that were created by `terraform apply` and could take up to 45 minutes.
+
+## Deploying new Spoke Networks
+
+Once you've deployed Mission LZ, you can use the Tier 3 module to deploy and peer new Spoke Networks and workloads to the Hub and Firewall.
+
+>Looking to deploy this new spoke in a cloud other than `AzureCloud`, say `AzureUsGovernment`? Follow the guidance at [Deploying to Other Clouds](#Deploying-to-Other-Clouds) to set the correct variables for the deployment.
+
+1. Navigate to the directory in the repository that contains the MissionLZ Tier 3 Terraform module:
+
+ ```bash
+ cd src/terraform/tier3
+ ```
+
+1. Execute `terraform init`
+
+ ```bash
+ terraform init
+ ```
+
+1. Execute `terraform apply`:
+
+ ```bash
+ terraform apply
+ ```
+
+1. You'll be prompted for environment values for resources deployed by the core Mission LZ deployment for: 1) the Hub Firewall, 2) the Log Analytics Workspace resources and 3) the desired subscription ID for the new spoke network/Tier 3:
+
+ ```plaintext
+ > terraform apply
+ var.firewall_private_ip
+ Firewall IP to bind network to
+
+ Enter a value: 10.0.100.4
+
+ var.hub_rgname
+ Resource Group for the Hub deployment
+
+ Enter a value: hub-rg
+
+ var.hub_subid
+ Subscription ID for the Hub deployment
+
+ Enter a value: {the Hub subscription ID}
+
+ var.hub_vnetname
+ Virtual Network Name for the Hub deployment
+
+ Enter a value: hub-vnet
+
+ var.laws_name
+ Log Analytics Workspace Name for the deployment
+
+ Enter a value: {the name of the Log Analytics Workspace}
+
+ var.laws_rgname
+ The resource group that Log Analytics Workspace was deployed to
+
+ Enter a value: operations-rg
+
+ var.tier1_subid
+ Subscription ID for the Tier 1 deployment
+
+ Enter a value: {the Tier 1 subscription ID}
+
+ var.tier3_subid
+ Subscription ID for this Tier 3 deployment
+
+ Enter a value: {the Tier 3 subscription ID}
+ ```
+
+ You get these values when `terraform apply` is complete for the core Mission LZ deployment. See the [Apply Complete](#Apply-Complete) section for what these values look like. You can also source the values after a successful core Mission LZ deployment by inspecting the `outputs` object in the Terraform state file. By default that state file is at `src/terraform/mlz/terraform.tfstate`.
+
+1. Terraform will then inspect the state of your Azure environment and compare it with what is described in the Tier 3 Terraform module. Eventually, you'll be prompted for your approval to create, modify, or destroy resources. Supply `yes`:
+
+ ```plaintext
+ Do you want to perform these actions?
+ Terraform will perform the actions described above.
+ Only 'yes' will be accepted to approve.
+
+ Enter a value: yes
+ ```
+
+When this Tier 3 network has served its purpose, you can follow the same steps in [Terraform destroy](#Terraform-destroy) to remove the provisioned resources.
+
+## Deploying with a Service Principal
+
+This is not required, in fact, the current Terraform modules are written as if you're executing them as a user.
+
+But, if you're using a Service Principal to deploy Azure resources with Terraform check out this doc:
+
+Using a Service Principal will require updating the resource providers for `mlz/main.tf`, also described in that doc: :
+
+```terraform
+variable "client_secret" {
+}
+
+terraform {
+ required_providers {
+ azurerm = {
+ ...
+ }
+ }
+}
+
+provider "azurerm" {
+ features {}
+
+ subscription_id = "00000000-0000-0000-0000-000000000000"
+ client_id = "00000000-0000-0000-0000-000000000000"
+ client_secret = var.client_secret
+ tenant_id = "00000000-0000-0000-0000-000000000000"
+}
+```
+
+## Terraform Providers
+
+The development container definition downloads the required Terraform plugin providers during the container build so that the container can be transported to an air-gapped network for use. The container also sets the `TF_PLUGIN_CACHE_DIR` environment variable, which Terraform uses as the search location for locally installed providers. If you are not using the container to deploy or if the `TF_PLUGIN_CACHE_DIR` environment variable is not set, Terraform will automatically attempt to download the provider from the internet when you execute the `terraform init` command.
+
+See the development container [README](/.devcontainer/README.md) for more details on building and running the container.
+
+## Terraform Backends
+
+The default templates write a state file directly to disk locally to where you are executing terraform from. If you wish to change the output directory you can set the path directly in the terraform backend block located in the main.tf file via the path variable in the backend configuration block.
+
+```terraform
+terraform {
+ backend "local" {
+ path = "relative/path/to/terraform.tfstate"
+ }
+
+ required_version = ">= 1.0.3"
+ required_providers {
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = "= 2.71.0"
+ }
+ random = {
+ source = "hashicorp/random"
+ version = "= 3.1.0"
+ }
+ time = {
+ source = "hashicorp/time"
+ version = "0.7.2"
+ }
+ }
+}
+```
+
+To find more information about setting the backend see [Local Backend](https://www.terraform.io/docs/language/settings/backends/local.html), if you wish to AzureRM backend please see [AzureRM Backend](https://www.terraform.io/docs/language/settings/backends/azurerm.html)
+
+## Deploying to Other Clouds
+
+The `azurerm` Terraform provider provides a mechanism for changing the Azure cloud in which to deploy Terraform modules.
+
+If you want to deploy to another cloud, pass in the correct value for `environment`, `metadata_host`, and `location` for the cloud you're targeting to the relevant module's variables file [mlz/variables.tf](../../terraform/mlz/variables.tf) or [tier3/variables.tf](../../terraform/tier3/variables.tf):
+
+```terraform
+variable "environment" {
+ description = "The Terraform backend environment e.g. public or usgovernment"
+ type = string
+ default = "usgovernment"
+}
+
+variable "metadata_host" {
+ description = "The metadata host for the Azure Cloud e.g. management.azure.com"
+ type = string
+ default = "management.usgovcloudapi.net"
+}
+
+variable "location" {
+ description = "The Azure region for most Mission LZ resources"
+ type = string
+ default = "usgovvirginia"
+}
+```
+
+```terraform
+provider "azurerm" {
+ features {}
+
+ environment = var.environment # e.g. 'public' or 'usgovernment'
+ metadata_host = var.metadata_host # e.g. 'management.azure.com' or 'management.usgovcloudapi.net'
+}
+```
+
+For the supported `environment` values, see this doc:
+
+For the supported `metadata_host` values, see this doc:
+
+For more endpoint mappings between AzureCloud and AzureUsGovernment:
diff --git a/src/terraform/mlz/main.tf b/src/terraform/mlz/main.tf
index dc47c088a..7a446ca61 100644
--- a/src/terraform/mlz/main.tf
+++ b/src/terraform/mlz/main.tf
@@ -1,7 +1,7 @@
# Copyright (c) Microsoft Corporation.
# Licensed under the MIT License.
terraform {
- backend "azurerm" {}
+ backend "local" {}
required_version = ">= 1.0.3"
required_providers {
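Review bot: The `backend "local" {}` replacement on the `+` line leaves the state file, which Terraform writes with every resource attribute in plaintext (including any value passed through the `var.client_secret` pattern the new README shows, and the outputs it lists), on the operator's disk under the module directory; the README added in this commit points at `src/terraform/mlz/terraform.tfstate`. The commit does not show a matching ignore entry for `*.tfstate` and `*.tfstate.backup`, so it is worth confirming one exists before this merges. A short comment would also tell future readers why the remote backend went away: `# local state by default so the module runs without a pre-provisioned storage account; see README "Terraform Backends" for the azurerm backend`. The `terraform` block continues past the hunk.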
@@ -21,12 +21,9 @@ terraform {
}
provider "azurerm" {
- environment = var.tf_environment
- metadata_host = var.mlz_metadatahost
- tenant_id = var.mlz_tenantid
+ environment = var.environment
+ metadata_host = var.metadata_host
subscription_id = var.hub_subid
- client_id = var.mlz_clientid
- client_secret = var.mlz_clientsecret
features {
log_analytics_workspace {
@@ -40,12 +37,9 @@ provider "azurerm" {
provider "azurerm" {
alias = "hub"
- environment = var.tf_environment
- metadata_host = var.mlz_metadatahost
- tenant_id = var.mlz_tenantid
+ environment = var.environment
+ metadata_host = var.metadata_host
subscription_id = var.hub_subid
- client_id = var.mlz_clientid
- client_secret = var.mlz_clientsecret
features {
log_analytics_workspace {
@@ -59,12 +53,9 @@ provider "azurerm" {
provider "azurerm" {
alias = "tier0"
- environment = var.tf_environment
- metadata_host = var.mlz_metadatahost
- tenant_id = var.mlz_tenantid
- subscription_id = var.tier0_subid
- client_id = var.mlz_clientid
- client_secret = var.mlz_clientsecret
+ environment = var.environment
+ metadata_host = var.metadata_host
+ subscription_id = coalesce(var.tier0_subid, var.hub_subid)
features {
log_analytics_workspace {
@@ -78,12 +69,9 @@ provider "azurerm" {
provider "azurerm" {
alias = "tier1"
- environment = var.tf_environment
- metadata_host = var.mlz_metadatahost
- tenant_id = var.mlz_tenantid
- subscription_id = var.tier1_subid
- client_id = var.mlz_clientid
- client_secret = var.mlz_clientsecret
+ environment = var.environment
+ metadata_host = var.metadata_host
+ subscription_id = coalesce(var.tier1_subid, var.hub_subid)
features {
log_analytics_workspace {
@@ -97,12 +85,9 @@ provider "azurerm" {
provider "azurerm" {
alias = "tier2"
- environment = var.tf_environment
- metadata_host = var.mlz_metadatahost
- tenant_id = var.mlz_tenantid
- subscription_id = var.tier2_subid
- client_id = var.mlz_clientid
- client_secret = var.mlz_clientsecret
+ environment = var.environment
+ metadata_host = var.metadata_host
+ subscription_id = coalesce(var.hub_subid, var.tier2_subid)
features {
log_analytics_workspace {
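Review bot: The `tier2` provider's `subscription_id` on the last added line has its `coalesce` arguments in the opposite order from the `tier0` and `tier1` providers in the two hunks above: `coalesce(var.hub_subid, var.tier2_subid)` returns `var.hub_subid` whenever it is non-empty, which the other providers already use unconditionally, so a caller-supplied `var.tier2_subid` is silently ignored and the tier 2 resource group, network and policy assignment land in the hub subscription. It should read `subscription_id = coalesce(var.tier2_subid, var.hub_subid)` to match the siblings. The provider block continues past the hunk.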
@@ -120,13 +105,15 @@ provider "random" {
provider "time" {
}
+data "azurerm_client_config" "current_client" {
+}
+
################################
### GLOBAL VARIABLES ###
################################
locals {
- # azurerm terraform environments where Azure Firewall Premium is supported
- firewall_premium_tf_environments = ["public"]
+ firewall_premium_environments = ["public"] # terraform azurerm environments where Azure Firewall Premium is supported
}
################################
@@ -136,15 +123,15 @@ locals {
resource "azurerm_resource_group" "hub" {
provider = azurerm.hub
- location = var.mlz_location
+ location = var.location
name = var.hub_rgname
tags = var.tags
-}
+}
resource "azurerm_resource_group" "tier0" {
provider = azurerm.tier0
- location = var.mlz_location
+ location = var.location
name = var.tier0_rgname
tags = var.tags
}
@@ -152,17 +139,17 @@ resource "azurerm_resource_group" "tier0" {
resource "azurerm_resource_group" "tier1" {
provider = azurerm.tier1
- location = var.mlz_location
+ location = var.location
name = var.tier1_rgname
- tags = var.tags
+ tags = var.tags
}
resource "azurerm_resource_group" "tier2" {
provider = azurerm.tier2
- location = var.mlz_location
+ location = var.location
name = var.tier2_rgname
- tags = var.tags
+ tags = var.tags
}
################################
@@ -181,9 +168,9 @@ resource "azurerm_log_analytics_workspace" "laws" {
provider = azurerm.tier1
depends_on = [random_id.laws]
- name = format("%.24s", lower(replace("${var.mlz_lawsname}${random_id.laws.hex}", "/[[:^alnum:]]/", "")))
- resource_group_name = var.tier1_rgname
- location = var.mlz_location
+ name = coalesce(var.log_analytics_workspace_name, format("%.24s", lower(replace("logAnalyticsWorkspace${random_id.laws.hex}", "/[[:^alnum:]]/", ""))))
+ resource_group_name = azurerm_resource_group.tier1.name
+ location = var.location
sku = "PerGB2018"
retention_in_days = "30"
tags = var.tags
@@ -215,7 +202,7 @@ module "hub-network" {
depends_on = [azurerm_resource_group.hub]
source = "../modules/hub"
- location = var.mlz_location
+ location = var.location
resource_group_name = var.hub_rgname
vnet_name = var.hub_vnetname
vnet_address_space = var.hub_vnet_address_space
@@ -223,7 +210,7 @@ module "hub-network" {
management_address_space = var.hub_management_address_space
log_analytics_workspace_resource_id = azurerm_log_analytics_workspace.laws.id
- tags = var.tags
+ tags = var.tags
}
module "firewall" {
@@ -233,13 +220,13 @@ module "firewall" {
sub_id = var.hub_subid
resource_group_name = module.hub-network.resource_group_name
- location = var.mlz_location
+ location = var.location
vnet_name = module.hub-network.virtual_network_name
vnet_address_space = module.hub-network.virtual_network_address_space
client_address_space = var.hub_client_address_space
firewall_name = var.firewall_name
- firewall_sku = contains(local.firewall_premium_tf_environments, lower(var.tf_environment)) ? "Premium" : "Standard"
+ firewall_sku = contains(local.firewall_premium_environments, lower(var.environment)) ? "Premium" : "Standard"
firewall_client_subnet_name = module.hub-network.firewall_client_subnet_name
firewall_management_subnet_name = module.hub-network.firewall_management_subnet_name
firewall_policy_name = var.firewall_policy_name
@@ -251,7 +238,7 @@ module "firewall" {
management_publicip_name = var.management_publicip_name
log_analytics_workspace_resource_id = azurerm_log_analytics_workspace.laws.id
- tags = var.tags
+ tags = var.tags
}
module "spoke-network-t0" {
@@ -263,7 +250,7 @@ module "spoke-network-t0" {
firewall_private_ip = module.firewall.firewall_private_ip
- laws_location = var.mlz_location
+ laws_location = var.location
laws_workspace_id = azurerm_log_analytics_workspace.laws.workspace_id
laws_resource_id = azurerm_log_analytics_workspace.laws.id
@@ -271,7 +258,7 @@ module "spoke-network-t0" {
spoke_vnetname = var.tier0_vnetname
spoke_vnet_address_space = var.tier0_vnet_address_space
subnets = var.tier0_subnets
- tags = var.tags
+ tags = var.tags
}
resource "azurerm_virtual_network_peering" "t0-to-hub" {
@@ -307,7 +294,7 @@ module "spoke-network-t1" {
firewall_private_ip = module.firewall.firewall_private_ip
- laws_location = var.mlz_location
+ laws_location = var.location
laws_workspace_id = azurerm_log_analytics_workspace.laws.workspace_id
laws_resource_id = azurerm_log_analytics_workspace.laws.id
@@ -315,7 +302,7 @@ module "spoke-network-t1" {
spoke_vnetname = var.tier1_vnetname
spoke_vnet_address_space = var.tier1_vnet_address_space
subnets = var.tier1_subnets
- tags = var.tags
+ tags = var.tags
}
resource "azurerm_virtual_network_peering" "t1-to-hub" {
@@ -351,7 +338,7 @@ module "spoke-network-t2" {
firewall_private_ip = module.firewall.firewall_private_ip
- laws_location = var.mlz_location
+ laws_location = var.location
laws_workspace_id = azurerm_log_analytics_workspace.laws.workspace_id
laws_resource_id = azurerm_log_analytics_workspace.laws.id
@@ -359,7 +346,7 @@ module "spoke-network-t2" {
spoke_vnetname = var.tier2_vnetname
spoke_vnet_address_space = var.tier2_vnet_address_space
subnets = var.tier2_subnets
- tags = var.tags
+ tags = var.tags
}
resource "azurerm_virtual_network_peering" "t2-to-hub" {
@@ -402,7 +389,7 @@ module "jumpbox-subnet" {
source = "../modules/subnet"
name = var.jumpbox_subnet.name
- location = var.mlz_location
+ location = var.location
resource_group_name = var.hub_rgname
virtual_network_name = var.hub_vnetname
address_prefixes = var.jumpbox_subnet.address_prefixes
@@ -419,9 +406,9 @@ module "jumpbox-subnet" {
log_analytics_storage_id = module.hub-network.log_analytics_storage_id
log_analytics_workspace_id = azurerm_log_analytics_workspace.laws.workspace_id
- log_analytics_workspace_location = var.mlz_location
+ log_analytics_workspace_location = var.location
log_analytics_workspace_resource_id = azurerm_log_analytics_workspace.laws.id
- tags = var.tags
+ tags = var.tags
}
module "bastion-host" {
@@ -437,7 +424,7 @@ module "bastion-host" {
subnet_address_prefix = var.bastion_address_space
public_ip_name = var.bastion_public_ip_name
ipconfig_name = var.bastion_ipconfig_name
- tags = var.tags
+ tags = var.tags
}
module "jumpbox" {
@@ -450,11 +437,12 @@ module "jumpbox" {
resource_group_name = var.hub_rgname
virtual_network_name = var.hub_vnetname
subnet_name = var.jumpbox_subnet.name
- location = var.mlz_location
+ location = var.location
keyvault_name = var.jumpbox_keyvault_name
- tenant_id = var.mlz_tenantid
- object_id = var.mlz_objectid
+
+ tenant_id = data.azurerm_client_config.current_client.tenant_id
+ object_id = data.azurerm_client_config.current_client.object_id
windows_name = var.jumpbox_windows_vm_name
windows_size = var.jumpbox_windows_vm_size
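Review bot: The added `tenant_id` and `object_id` lines bind the jumpbox Key Vault access to whichever principal happens to run `terraform apply`, and nothing in the hunk says so; a later apply by a different identity (for example the Service Principal path the new README describes) would plan a change to that access rather than an addition, which is easy to misread as drift. A one-line comment above them would make the intent explicit: `# vault access is granted to the identity running this apply; re-running as another principal re-points it`. I believe older provider versions have reported an empty `object_id` from `azurerm_client_config` for some CLI-based service principal logins, so it may be worth confirming the value is non-empty in that path before relying on it. The `module "jumpbox"` block starts and ends outside the hunk.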
@@ -469,7 +457,7 @@ module "jumpbox" {
linux_offer = var.jumpbox_linux_vm_offer
linux_sku = var.jumpbox_linux_vm_sku
linux_image_version = var.jumpbox_linux_vm_version
- tags = var.tags
+ tags = var.tags
}
#####################################
@@ -477,49 +465,49 @@ module "jumpbox" {
#####################################
module "hub-policy-assignment" {
- count = var.create_assignment ? 1 : 0
+ count = var.create_policy_assignment ? 1 : 0
providers = { azurerm = azurerm.hub }
source = "../modules/policy-assignments"
depends_on = [azurerm_resource_group.hub, azurerm_log_analytics_workspace.laws]
resource_group_name = azurerm_resource_group.hub.name
laws_instance_id = azurerm_log_analytics_workspace.laws.workspace_id
- environment = var.tf_environment # Example "usgovernment"
+ environment = var.environment # Example "usgovernment"
log_analytics_workspace_resource_id = azurerm_log_analytics_workspace.laws.id
}
module "tier0-policy-assignment" {
- count = var.create_assignment ? 1 : 0
+ count = var.create_policy_assignment ? 1 : 0
providers = { azurerm = azurerm.tier0 }
source = "../modules/policy-assignments"
depends_on = [azurerm_resource_group.tier0, azurerm_log_analytics_workspace.laws]
resource_group_name = azurerm_resource_group.tier0.name
laws_instance_id = azurerm_log_analytics_workspace.laws.workspace_id
- environment = var.tf_environment # Example "usgovernment"
+ environment = var.environment # Example "usgovernment"
log_analytics_workspace_resource_id = azurerm_log_analytics_workspace.laws.id
}
module "tier1-policy-assignment" {
- count = var.create_assignment ? 1 : 0
+ count = var.create_policy_assignment ? 1 : 0
providers = { azurerm = azurerm.tier1 }
source = "../modules/policy-assignments"
depends_on = [azurerm_resource_group.tier1, azurerm_log_analytics_workspace.laws]
resource_group_name = azurerm_resource_group.tier1.name
laws_instance_id = azurerm_log_analytics_workspace.laws.workspace_id
- environment = var.tf_environment # Example "usgovernment"
+ environment = var.environment # Example "usgovernment"
log_analytics_workspace_resource_id = azurerm_log_analytics_workspace.laws.id
}
module "tier2-policy-assignment" {
- count = var.create_assignment ? 1 : 0
+ count = var.create_policy_assignment ? 1 : 0
providers = { azurerm = azurerm.tier2 }
source = "../modules/policy-assignments"
depends_on = [azurerm_resource_group.tier2, azurerm_log_analytics_workspace.laws]
resource_group_name = azurerm_resource_group.tier2.name
laws_instance_id = azurerm_log_analytics_workspace.laws.workspace_id
- environment = var.tf_environment # Example "usgovernment"
+ environment = var.environment # Example "usgovernment"
log_analytics_workspace_resource_id = azurerm_log_analytics_workspace.laws.id
}
diff --git a/src/terraform/mlz/minimum.tfvars.sample b/src/terraform/mlz/minimum.tfvars.sample
deleted file mode 100644
index 844ba7b05..000000000
--- a/src/terraform/mlz/minimum.tfvars.sample
+++ /dev/null
@@ -1,22 +0,0 @@
-tf_environment = ""
-deploymentname = ""
-mlz_tenantid = ""
-mlz_location = ""
-mlz_metadatahost = ""
-mlz_clientid = ""
-mlz_clientsecret = ""
-mlz_objectid = ""
-
-hub_subid = ""
-hub_rgname = ""
-hub_vnetname = ""
-tier0_subid = ""
-tier0_rgname = ""
-tier0_vnetname = ""
-tier1_subid = ""
-tier1_rgname = ""
-tier1_vnetname = ""
-mlz_lawsname = ""
-tier2_subid = ""
-tier2_rgname = ""
-tier2_vnetname = ""
diff --git a/src/terraform/mlz/mlz.tfvars.sample b/src/terraform/mlz/mlz.tfvars.sample
deleted file mode 100644
index a4f2d048d..000000000
--- a/src/terraform/mlz/mlz.tfvars.sample
+++ /dev/null
@@ -1,251 +0,0 @@
-# Copyright (c) Microsoft Corporation.
-# Licensed under the MIT License.
-
-#################################
-# Global Configuration
-#################################
-
-tf_environment ="{TF_ENVIRONMENT}"
-deploymentname ="{DEPLOYMENTNAME}"
-mlz_tenantid ="{MLZ_TENANTID}"
-mlz_location ="{MLZ_LOCATION}"
-mlz_metadatahost ="{MLZ_METADATAHOST}"
-mlz_clientid ="{MLZ_CLIENTID}"
-mlz_clientsecret ="{MLZ_CLIENTSECRET}"
-mlz_objectid ="{MLZ_OBJECTID}"
-
-#################################
-# Hub Configuration
-#################################
-
-hub_subid = "{HUB_SUBID}"
-hub_rgname = "{HUB_RGNAME}"
-hub_vnetname = "{HUB_VNETNAME}"
-hub_vnet_address_space = ["{HUB_VNET_ADDRESS_SPACE}"]
-hub_client_address_space = "{HUB_CLIENT_ADDRESS_SPACE}"
-hub_management_address_space = "{HUB_MANAGEMENT_ADDRESS_SPACE}"
-
-#################################
-# Firewall configuration section
-#################################
-
-firewall_name = "{FIREWALL_NAME}"
-firewall_policy_name = "{FIREWALL_POLICY_NAME}"
-client_ipconfig_name = "{CLIENT_IPCONFIG_NAME}"
-client_publicip_name = "{CLIENT_PUBLICIP_NAME}"
-management_ipconfig_name = "{MANAGEMENT_IPCONFIG_NAME}"
-management_publicip_name = "{MANAGEMENT_PUBLICIP_NAME}"
-
-#################################
-# Bastion Host Configuration
-#################################
-
-create_bastion_jumpbox = "{CREATE_BASTION_JUMPBOX}"
-bastion_host_name = "{BASTION_HOST_NAME}"
-bastion_address_space = "{BASTION_ADDRESS_SPACE}"
-bastion_public_ip_name = "{BASTION_PUBLIC_IP_NAME}"
-bastion_ipconfig_name = "{BASTION_IPCONFIG_NAME}"
-
-#################################
-# Jumpbox VM Configuration
-#################################
-
-jumpbox_subnet = {
- name = "{JUMPBOX_SUBNET_NAME}"
- address_prefixes = ["{JUMPBOX_SUBNET_SPACE}"]
- service_endpoints = ["Microsoft.Storage"]
-
- enforce_private_link_endpoint_network_policies = false
- enforce_private_link_service_network_policies = false
-
- nsg_name = "{JUMPBOX_SUBNET_NSG_NAME}"
- nsg_rules = {
- "allow_ssh" = {
- name = "allow_ssh"
- priority = "100"
- direction = "Inbound"
- access = "Allow"
- protocol = "Tcp"
- source_port_range = "22"
- destination_port_range = ""
- source_address_prefix = "*"
- destination_address_prefix = ""
- }
- "allow_rdp" = {
- name = "allow_rdp"
- priority = "200"
- direction = "Inbound"
- access = "Allow"
- protocol = "Tcp"
- source_port_range = "3389"
- destination_port_range = ""
- source_address_prefix = "*"
- destination_address_prefix = ""
- }
- }
-
- routetable_name = "{JUMPBOX_SUBNET_RT_NAME}"
-}
-
-jumpbox_keyvault_name = "{JUMPBOX_KEYVAULT_NAME}"
-jumpbox_windows_vm_name = "{JUMPBOX_WINDOWS_VM_NAME}"
-jumpbox_windows_vm_size = "{JUMPBOX_WINDOWS_VM_SIZE}"
-jumpbox_windows_vm_publisher = "{JUMPBOX_WINDOWS_VM_PUBLISHER}"
-jumpbox_windows_vm_offer = "{JUMPBOX_WINDOWS_VM_OFFER}"
-jumpbox_windows_vm_sku = "{JUMPBOX_WINDOWS_VM_SKU}"
-jumpbox_windows_vm_version = "{JUMPBOX_WINDOWS_VM_VERSION}"
-jumpbox_linux_vm_name = "{JUMPBOX_LINUX_VM_NAME}"
-jumpbox_linux_vm_size = "{JUMPBOX_LINUX_VM_SIZE}"
-jumpbox_linux_vm_publisher = "{JUMPBOX_LINUX_VM_PUBLISHER}"
-jumpbox_linux_vm_offer = "{JUMPBOX_LINUX_VM_OFFER}"
-jumpbox_linux_vm_sku = "{JUMPBOX_LINUX_VM_SKU}"
-jumpbox_linux_vm_version = "{JUMPBOX_LINUX_VM_VERSION}"
-
-#################################
-# Tier 0 Configuration
-#################################
-
-tier0_subid = "{TIER0_SUBID}"
-tier0_rgname = "{TIER0_RGNAME}"
-tier0_vnetname = "{TIER0_VNETNAME}"
-
-tier0_vnet_address_space = ["{TIER0_VNET_ADDRESS_SPACE}"]
-
-tier0_subnets = {
- "{TIER0_SUBNETVM_NAME}" = {
- name = "{TIER0_SUBNETVM_NAME}"
- address_prefixes = ["{TIER0_SUBNETVM_ADDRESSPREFIXLIST}"]
- service_endpoints = ["{TIER0_SUBNETVM_SERVICEENDPOINTLIST}"]
-
- enforce_private_link_endpoint_network_policies = {TIER0_SUBNETVM_ENABLEPRIVATELINKENDPOINT}
- enforce_private_link_service_network_policies = {TIER0_SUBNETVM_ENABLEPRIVATELINKSERVICE}
-
- nsg_name = "{TIER0_SUBNETVM_NSGNAME}"
- nsg_rules = {
- "allow_ssh" = {
- name = "allow_ssh"
- priority = "100"
- direction = "Inbound"
- access = "Allow"
- protocol = "Tcp"
- source_port_range = ""
- destination_port_range = "22"
- source_address_prefix = "*"
- destination_address_prefix = ""
- }
- "allow_rdp" = {
- name = "allow_rdp"
- priority = "200"
- direction = "Inbound"
- access = "Allow"
- protocol = "Tcp"
- source_port_range = ""
- destination_port_range = "3389"
- source_address_prefix = "*"
- destination_address_prefix = ""
- }
- }
-
- routetable_name = "{TIER0_SUBNETVM_RTNAME}"
- }
-}
-
-#################################
-# Tier 1 Network configuration section
-#################################
-
-tier1_subid = "{TIER1_SUBID}"
-tier1_rgname = "{TIER1_RGNAME}"
-tier1_vnetname = "{TIER1_VNETNAME}"
-mlz_lawsname = "{MLZ_LAWSNAME}
-create_sentinel = "{CREATE_SENTINEL}"
-
-tier1_vnet_address_space = ["{TIER1_VNET_ADDRESS_SPACE}"]
-
-tier1_subnets = {
- "{TIER1_SUBNETVM_NAME}" = {
- name = "{TIER1_SUBNETVM_NAME}"
- address_prefixes = ["{TIER1_SUBNETVM_ADDRESSPREFIXLIST}"]
- service_endpoints = ["{TIER1_SUBNETVM_SERVICEENDPOINTLIST}"]
-
- enforce_private_link_endpoint_network_policies = {TIER1_SUBNETVM_ENABLEPRIVATELINKENDPOINT}
- enforce_private_link_service_network_policies = {TIER1_SUBNETVM_ENABLEPRIVATELINKSERVICE}
-
- nsg_name = "{TIER1_SUBNETVM_NSGNAME}"
- nsg_rules = {
- "allow_ssh" = {
- name = "allow_ssh"
- priority = "100"
- direction = "Inbound"
- access = "Allow"
- protocol = "Tcp"
- source_port_range = ""
- destination_port_range = "22"
- source_address_prefix = "*"
- destination_address_prefix = ""
- }
- "allow_rdp" = {
- name = "allow_rdp"
- priority = "200"
- direction = "Inbound"
- access = "Allow"
- protocol = "Tcp"
- source_port_range = ""
- destination_port_range = "3389"
- source_address_prefix = "*"
- destination_address_prefix = ""
- }
- }
-
- routetable_name = "{TIER1_SUBNETVM_RTNAME}"
- }
-}
-
-#################################
-# Tier 2 Network configuration section
-#################################
-
-tier2_subid = "{TIER2_SUBID}"
-tier2_rgname = "{TIER2_RGNAME}"
-tier2_vnetname = "{TIER2_VNETNAME}"
-
-tier2_vnet_address_space = ["{TIER2_VNET_ADDRESS_SPACE}"]
-
-tier2_subnets = {
- "{TIER2_SUBNETVM_NAME}" = {
- name = "{TIER2_SUBNETVM_NAME}"
- address_prefixes = ["{TIER2_SUBNETVM_ADDRESSPREFIXLIST}"]
- service_endpoints = ["{TIER2_SUBNETVM_SERVICEENDPOINTLIST}"]
-
- enforce_private_link_endpoint_network_policies = {TIER2_SUBNETVM_ENABLEPRIVATELINKENDPOINT}
- enforce_private_link_service_network_policies = {TIER2_SUBNETVM_ENABLEPRIVATELINKSERVICE}
-
- nsg_name = "{TIER2_SUBNETVM_NSGNAME}"
- nsg_rules = {
- "allow_ssh" = {
- name = "allow_ssh"
- priority = "100"
- direction = "Inbound"
- access = "Allow"
- protocol = "Tcp"
- source_port_range = ""
- destination_port_range = "22"
- source_address_prefix = "*"
- destination_address_prefix = ""
- }
- "allow_rdp" = {
- name = "allow_rdp"
- priority = "200"
- direction = "Inbound"
- access = "Allow"
- protocol = "Tcp"
- source_port_range = ""
- destination_port_range = "3389"
- source_address_prefix = "*"
- destination_address_prefix = ""
- }
- }
-
- routetable_name = "{TIER2_SUBNETVM_RTNAME}"
- }
-}
diff --git a/src/terraform/mlz/outputs.tf b/src/terraform/mlz/outputs.tf
index e55bed72c..c1e1282da 100644
--- a/src/terraform/mlz/outputs.tf
+++ b/src/terraform/mlz/outputs.tf
@@ -1,6 +1,31 @@
# Copyright (c) Microsoft Corporation.
# Licensed under the MIT License.
+output "hub_subid" {
+ description = "Subscription ID where the Hub Resource Group is provisioned"
+ value = var.hub_subid
+}
+
+output "hub_rgname" {
+ description = "The Hub Resource Group name"
+ value = azurerm_resource_group.hub.name
+}
+
+output "hub_vnetname" {
+ description = "The Hub Virtual Network name"
+ value = module.hub-network.virtual_network_name
+}
+
+output "firewall_private_ip" {
+ description = "Firewall private IP"
+ value = module.firewall.firewall_private_ip
+}
+
+output "tier1_subid" {
+ description = "Subscription ID where the Tier 1 Resource Group is provisioned"
+ value = coalesce(var.tier1_subid, var.hub_subid)
+}
+
output "laws_name" {
description = "LAWS Name"
value = azurerm_log_analytics_workspace.laws.name
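Review bot: The new `tier1_subid` output's description does not mention the fallback its value encodes: Terraform's `coalesce` skips null and empty-string arguments, so `coalesce(var.tier1_subid, var.hub_subid)` yields the hub subscription whenever `tier1_subid` is left at its new `""` default, and anyone wiring this output into the tier3 configuration should know that. Suggest `description = "Subscription ID where the Tier 1 Resource Group is provisioned (falls back to hub_subid when tier1_subid is empty)"`. Whether the same fallback applies to tier0/tier2 is decided in main.tf, which is outside this diff.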
@@ -10,8 +35,3 @@ output "laws_rgname" {
description = "Resource Group for Laws"
value = azurerm_log_analytics_workspace.laws.resource_group_name
}
-
-output "firewall_private_ip" {
- description = "Firewall private IP"
- value = module.firewall.firewall_private_ip
-}
diff --git a/src/terraform/mlz/variables.tf b/src/terraform/mlz/variables.tf
index b8783ebaf..e8ee28f0b 100644
--- a/src/terraform/mlz/variables.tf
+++ b/src/terraform/mlz/variables.tf
@@ -5,87 +5,57 @@
# Global Configuration
#################################
-variable "tf_environment" {
- description = "The Terraform backend environment e.g. public or usgovernment. It defults to public."
+variable "environment" {
+ description = "The Terraform backend environment e.g. public or usgovernment"
type = string
default = "public"
}
-variable "mlz_tenantid" {
- description = "The Azure Active Directory tenant ID that should be used for the deployment."
- type = string
- sensitive = true
-}
-
-variable "mlz_location" {
- description = "The Azure region for most Mission LZ resources. It defaults to eastus."
- type = string
- default = "eastus"
-}
-
-variable "mlz_metadatahost" {
+variable "metadata_host" {
description = "The metadata host for the Azure Cloud e.g. management.azure.com"
type = string
default = "management.azure.com"
}
-variable "mlz_clientid" {
- description = "The Client ID of the Service Principal to deploy with."
+variable "location" {
+ description = "The Azure region for most Mission LZ resources"
type = string
- sensitive = true
-}
-
-variable "mlz_clientsecret" {
- description = "The Client Secret of the Service Principal to deploy with."
- type = string
- sensitive = true
-}
-
-variable "mlz_objectid" {
- description = "The object ID of a service principal in the Azure Active Directory tenant."
- type = string
- sensitive = true
-}
-
-variable "create_assignment" {
- description = "Create an Azure Policy assignement for defaul NIST initiative."
- type = bool
- default = false
+ default = "East US"
}
variable "tags" {
- description = "A map of key value pairs to apply as tags to resources provisioned in this deployment"
- type = map(string)
- default = {
- "DeploymentType" : "MissionLandingZoneTF"
+ description = "A map of key value pairs to apply as tags to resources provisioned in this deployment"
+ type = map(string)
+ default = {
+ "DeploymentType" : "MissionLandingZoneTF"
}
}
+
#################################
# Hub Configuration
#################################
variable "hub_subid" {
- description = "Subscription ID for the HUB deployment"
+ description = "Subscription ID for the Hub deployment"
type = string
- sensitive = true
}
variable "hub_rgname" {
description = "Resource Group for the deployment"
type = string
- default = "rg-saca-dev"
+ default = "hub-rg"
}
variable "hub_vnetname" {
description = "Virtual Network Name for the deployment"
type = string
- default = "vn-saca-dev"
+ default = "hub-vnet"
}
variable "hub_vnet_address_space" {
description = "The address space to be used for the virtual network."
- default = ["10.0.100.0/24"]
type = list(string)
+ default = ["10.0.100.0/24"]
}
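Review bot: The renamed `environment` variable keeps the description "The Terraform backend environment", but nothing about the backend uses it: it is passed to the azurerm provider as `environment` and it selects the policy parameter template via `nist-parameter-values/${var.environment}.json.tmpl` in modules/policy-assignments/main.tf, so an unexpected value fails late inside `templatefile` rather than at the backend. Suggest `description = "Azure cloud environment for the azurerm provider (e.g. public or usgovernment); also selects the NIST policy parameter template"`. A `validation` block restricting it to the values that have a template would move that failure to plan time, but the template directory is not in this diff so I cannot list them here. The tier3/variables.tf hunk at `@@ -4,74 +4,49 @@` carries the same description and needs the same fix.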
#################################
@@ -94,50 +64,50 @@ variable "hub_vnet_address_space" {
variable "hub_client_address_space" {
description = "The address space to be used for the Firewall virtual network."
- default = "10.0.100.0/26"
type = string
+ default = "10.0.100.0/26"
}
variable "hub_management_address_space" {
description = "The address space to be used for the Firewall virtual network subnet used for management traffic."
- default = "10.0.100.64/26"
type = string
+ default = "10.0.100.64/26"
}
variable "firewall_name" {
description = "Name of the Hub Firewall"
- default = "mlzFirewall"
type = string
+ default = "firewall"
}
variable "firewall_policy_name" {
description = "Name of the firewall policy to apply to the hub firewall"
- default = "firewallpolicy"
type = string
+ default = "firewall-policy"
}
variable "client_ipconfig_name" {
description = "The name of the Firewall Client IP Configuration"
- default = "mlzFWClientIpCfg"
type = string
+ default = "firewall-client-ip-config"
}
variable "client_publicip_name" {
description = "The name of the Firewall Client Public IP"
- default = "mlzFWClientPip"
type = string
+ default = "firewall-client-public-ip"
}
variable "management_ipconfig_name" {
description = "The name of the Firewall Management IP Configuration"
- default = "mlzFWMgmtIpCfg"
type = string
+ default = "firewall-management-ip-config"
}
variable "management_publicip_name" {
description = "The name of the Firewall Management Public IP"
- default = "mlzFWMgmtPip"
type = string
+ default = "firewall-management-public-ip"
}
#################################
@@ -152,26 +122,26 @@ variable "create_bastion_jumpbox" {
variable "bastion_host_name" {
description = "The name of the Bastion Host"
- default = "mlzBastionHost"
type = string
+ default = "bastionHost"
}
variable "bastion_address_space" {
description = "The address space to be used for the Bastion Host subnet (must be /27 or larger)."
- default = "10.0.100.128/27"
type = string
+ default = "10.0.100.128/27"
}
variable "bastion_public_ip_name" {
description = "The name of the Bastion Host Public IP"
- default = "mlzBastionHostPip"
type = string
+ default = "bastionHostPublicIPAddress"
}
variable "bastion_ipconfig_name" {
description = "The name of the Bastion Host IP Configuration"
- default = "mlzBastionHostIpCfg"
type = string
+ default = "bastionHostIPConfiguration"
}
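Review bot: The new defaults in this hunk are camelCase (`bastionHost`, `bastionHostPublicIPAddress`, `bastionHostIPConfiguration`) while the firewall hunk above settled on kebab-case (`firewall-policy`, `firewall-client-ip-config`, `hub-rg`), and the jumpbox and tier hunks below mix the two (`jumpbox-subnet` next to `jumpboxKeyvault`, `identitySubnet`). These defaults become Azure resource names, so one convention across the file would make a default deployment read consistently in the portal; if kebab-case is the intent, `default = "bastion-host"`, `default = "bastion-host-public-ip"` and `default = "bastion-host-ip-config"` would match the firewall names. Style only; nothing here is functionally wrong.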
#################################
@@ -204,14 +174,14 @@ variable "jumpbox_subnet" {
routetable_name = string
})
default = {
- name = "mlzJumpboxSubnet"
+ name = "jumpbox-subnet"
address_prefixes = ["10.0.100.160/27"]
service_endpoints = ["Microsoft.Storage"]
enforce_private_link_endpoint_network_policies = false
enforce_private_link_service_network_policies = false
- nsg_name = "mlzJumpboxSubnetNsg"
+ nsg_name = "jumpbox-subnet-nsg"
nsg_rules = {
"allow_ssh" = {
name = "allow_ssh"
@@ -237,86 +207,96 @@ variable "jumpbox_subnet" {
}
}
- routetable_name = "mlzJumpboxSubnetRt"
+ routetable_name = "jumpbox-routetable"
}
}
variable "jumpbox_keyvault_name" {
description = "The name of the jumpbox virtual machine keyvault"
- default = "mlzJumpboxVmKv"
type = string
+ default = "jumpboxKeyvault"
}
variable "jumpbox_windows_vm_name" {
description = "The name of the Windows jumpbox virtual machine"
- default = "mlzJumpboxWindowsVm"
type = string
+ default = "jumpboxWindowsVm"
}
variable "jumpbox_windows_vm_size" {
description = "The size of the Windows jumpbox virtual machine"
- default = "Standard_DS1_v2"
type = string
+ default = "Standard_DS1_v2"
}
variable "jumpbox_windows_vm_publisher" {
description = "The publisher of the Windows jumpbox virtual machine source image"
- default = "MicrosoftWindowsServer"
type = string
+ default = "MicrosoftWindowsServer"
}
variable "jumpbox_windows_vm_offer" {
description = "The offer of the Windows jumpbox virtual machine source image"
- default = "WindowsServer"
type = string
+ default = "WindowsServer"
}
variable "jumpbox_windows_vm_sku" {
description = "The SKU of the Windows jumpbox virtual machine source image"
- default = "2019-datacenter-gensecond"
type = string
+ default = "2019-datacenter-gensecond"
}
variable "jumpbox_windows_vm_version" {
description = "The version of the Windows jumpbox virtual machine source image"
- default = "latest"
type = string
+ default = "latest"
}
variable "jumpbox_linux_vm_name" {
description = "The name of the Linux jumpbox virtual machine"
- default = "mlzJumpboxLinuxVm"
type = string
+ default = "jumpboxLinuxVm"
}
variable "jumpbox_linux_vm_size" {
description = "The size of the Linux jumpbox virtual machine"
- default = "Standard_DS1_v2"
type = string
+ default = "Standard_DS1_v2"
}
variable "jumpbox_linux_vm_publisher" {
description = "The publisher of the Linux jumpbox virtual machine source image"
- default = "Canonical"
type = string
+ default = "Canonical"
}
variable "jumpbox_linux_vm_offer" {
description = "The offer of the Linux jumpbox virtual machine source image"
- default = "UbuntuServer"
type = string
+ default = "UbuntuServer"
}
variable "jumpbox_linux_vm_sku" {
description = "The SKU of the Linux jumpbox virtual machine source image"
- default = "18.04-LTS"
type = string
+ default = "18.04-LTS"
}
variable "jumpbox_linux_vm_version" {
description = "The version of the Linux jumpbox virtual machine source image"
- default = "latest"
type = string
+ default = "latest"
+}
+
+################################
+# Policy Configuration
+################################
+
+variable "create_policy_assignment" {
+ description = "Assign Policy to deployed resources?"
+ type = bool
+ default = true
}
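Review bot: `create_policy_assignment` defaults to `true`, whereas the `create_assignment` variable it replaces (removed in the first hunk of this file) defaulted to `false`, so anyone upgrading gets policy assignments created on every tier without opting in, and the description `Assign Policy to deployed resources?` does not say which policy or that it is now on by default. Suggest `description = "Assign the NIST 800-53 R4 policy initiative to each tier's resource group (defaults to true)"`, which matches the `policy_id` description in modules/policy-assignments/variables.tf. The new section header also appears one `#` shorter than the other headers in this file.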
#################################
@@ -326,19 +306,19 @@ variable "jumpbox_linux_vm_version" {
variable "tier0_subid" {
description = "Subscription ID for the deployment"
type = string
- sensitive = true
+ default = ""
}
variable "tier0_rgname" {
description = "Resource Group for the deployment"
type = string
- default = "rg-t0-dev"
+ default = "identity-rg"
}
variable "tier0_vnetname" {
description = "Virtual Network Name for the deployment"
type = string
- default = "vn-t0-dev"
+ default = "identity-vnet"
}
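Review bot: `tier0_subid` now defaults to `""` with its description unchanged, so a reader cannot tell that an empty value is meaningful; the `coalesce(var.tier1_subid, var.hub_subid)` added in outputs.tf suggests empty tier subscriptions fall back to the hub subscription, but the provider blocks that would confirm this for tier0 are outside the diff. Suggest `description = "Subscription ID for the Tier 0 deployment; leave empty to deploy into hub_subid"` (confirm against main.tf before wording it that way). The `tier1_subid` hunk at `@@ -419,25 +399,25 @@` and the `tier2_subid` hunk at `@@ -524,19 +504,19 @@` make the same change and need the same wording.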
variable "tier0_vnet_address_space" {
@@ -373,15 +353,15 @@ variable "tier0_subnets" {
routetable_name = string
}))
default = {
- "tier0vms" = {
- name = "tier0vms"
+ "identitySubnet" = {
+ name = "identitySubnet"
address_prefixes = ["10.0.110.0/27"]
service_endpoints = ["Microsoft.Storage"]
enforce_private_link_endpoint_network_policies = false
enforce_private_link_service_network_policies = false
- nsg_name = "tier0vmsnsg"
+ nsg_name = "identitySubnetNsg"
nsg_rules = {
"allow_ssh" = {
name = "allow_ssh"
@@ -407,7 +387,7 @@ variable "tier0_subnets" {
}
}
- routetable_name = "tier0vmsrt"
+ routetable_name = "identityRouteTable"
}
}
}
@@ -419,25 +399,25 @@ variable "tier0_subnets" {
variable "tier1_subid" {
description = "Subscription ID for the deployment"
type = string
- sensitive = true
+ default = ""
}
variable "tier1_rgname" {
description = "Resource Group for the deployment"
type = string
- default = "rg-t1-dev"
+ default = "operations-rg"
}
variable "tier1_vnetname" {
description = "Virtual Network Name for the deployment"
type = string
- default = "vn-t1-dev"
+ default = "operations-vnet"
}
-variable "mlz_lawsname" {
+variable "log_analytics_workspace_name" {
description = "Log Analytics Workspace Name for the deployment"
type = string
- default = "laws-dev"
+ default = ""
}
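Review bot: `log_analytics_workspace_name` loses its `laws-dev` default in favour of `""`, and nothing in this diff shows how an empty name becomes a valid workspace name; unless main.tf derives one, `azurerm_log_analytics_workspace.laws` will be asked to create a resource with an empty name. Either state the derivation in the description, e.g. `description = "Log Analytics Workspace Name for the deployment; leave empty to have one generated"` (verify against main.tf), or keep a non-empty default so the variable is usable on its own.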
variable "create_sentinel" {
@@ -478,15 +458,15 @@ variable "tier1_subnets" {
routetable_name = string
}))
default = {
- "tier1vms" = {
- name = "tier1vms"
+ "operationsSubnet" = {
+ name = "operationsSubnet"
address_prefixes = ["10.0.115.0/27"]
service_endpoints = ["Microsoft.Storage"]
enforce_private_link_endpoint_network_policies = false
enforce_private_link_service_network_policies = false
- nsg_name = "tier1vmsnsg"
+ nsg_name = "operationsSubnetNsg"
nsg_rules = {
"allow_ssh" = {
name = "allow_ssh"
@@ -512,7 +492,7 @@ variable "tier1_subnets" {
}
}
- routetable_name = "tier1vmsrt"
+ routetable_name = "operationsRouteTable"
}
}
}
@@ -524,19 +504,19 @@ variable "tier1_subnets" {
variable "tier2_subid" {
description = "Subscription ID for the deployment"
type = string
- sensitive = true
+ default = ""
}
variable "tier2_rgname" {
description = "Resource Group for the deployment"
type = string
- default = "rg-t2-dev"
+ default = "sharedServices-rg"
}
variable "tier2_vnetname" {
description = "Virtual Network Name for the deployment"
type = string
- default = "vn-t2-dev"
+ default = "sharedServices-vnet"
}
variable "tier2_vnet_address_space" {
@@ -571,15 +551,15 @@ variable "tier2_subnets" {
routetable_name = string
}))
default = {
- "tier2vms" = {
- name = "tier2vms"
+ "sharedServicesSubnet" = {
+ name = "sharedServicesSubnet"
address_prefixes = ["10.0.120.0/27"]
service_endpoints = ["Microsoft.Storage"]
enforce_private_link_endpoint_network_policies = false
enforce_private_link_service_network_policies = false
- nsg_name = "tier2vmsnsg"
+ nsg_name = "sharedServicesSubnetNsg"
nsg_rules = {
"allow_ssh" = {
name = "allow_ssh"
@@ -605,7 +585,7 @@ variable "tier2_subnets" {
}
}
- routetable_name = "tier2vmsrt"
+ routetable_name = "sharedServicesRouteTable"
}
}
}
diff --git a/src/terraform/modules/firewall/variables.tf b/src/terraform/modules/firewall/variables.tf
index 796c78da6..bf77c6282 100644
--- a/src/terraform/modules/firewall/variables.tf
+++ b/src/terraform/modules/firewall/variables.tf
@@ -4,7 +4,6 @@
variable "sub_id" {
description = "The subscription ID to deploy the Firewall into"
type = string
- sensitive = true
}
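Review bot: Dropping `sensitive = true` from `sub_id` means the subscription ID is now shown unredacted in plan and apply output; the same is done for `tenant_id` in modules/jumpbox/variables.tf and for `hub_subid` and the `tier*_subid` variables in mlz/variables.tf. Subscription and tenant IDs are identifiers rather than credentials, and the new `hub_subid`/`tier1_subid` outputs require them to be non-sensitive, so the change is defensible, but it reverses an earlier deliberate marking and a one-line comment would stop it being re-added: `# Not marked sensitive: a subscription ID is an identifier, not a credential, and is surfaced in outputs.`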
variable "location" {
diff --git a/src/terraform/modules/jumpbox/variables.tf b/src/terraform/modules/jumpbox/variables.tf
index b2f07c2fe..4c0e576c4 100644
--- a/src/terraform/modules/jumpbox/variables.tf
+++ b/src/terraform/modules/jumpbox/variables.tf
@@ -29,7 +29,6 @@ variable "keyvault_name" {
variable "tenant_id" {
description = "The tenant ID of the keyvault to store jumpbox credentials in"
type = string
- sensitive = true
}
variable "object_id" {
diff --git a/src/terraform/modules/policy-assignments/main.tf b/src/terraform/modules/policy-assignments/main.tf
index ac8f2c3d0..305ba7bd8 100644
--- a/src/terraform/modules/policy-assignments/main.tf
+++ b/src/terraform/modules/policy-assignments/main.tf
@@ -1,5 +1,6 @@
# Copyright (c) Microsoft Corporation.
# Licensed under the MIT License.
+
data "azurerm_resource_group" "rg" {
name = var.resource_group_name
}
@@ -16,4 +17,4 @@ resource "azurerm_resource_group_policy_assignment" "policy_assign" {
parameters = templatefile("${path.module}/nist-parameter-values/${var.environment}.json.tmpl", {
laws_instance_id = var.laws_instance_id
})
-}
\ No newline at end of file
+}
diff --git a/src/terraform/modules/policy-assignments/variables.tf b/src/terraform/modules/policy-assignments/variables.tf
index d07a9a568..613c49737 100644
--- a/src/terraform/modules/policy-assignments/variables.tf
+++ b/src/terraform/modules/policy-assignments/variables.tf
@@ -1,5 +1,6 @@
# Copyright (c) Microsoft Corporation.
# Licensed under the MIT License.
+
variable "policy_id" {
description = "The Azure policy ID for the NIST 800-53 R4 policy initiative."
type = string
@@ -26,4 +27,4 @@ variable "laws_instance_id" {
variable "log_analytics_workspace_resource_id" {
description = "The resource id of the Log Analytics Workspace"
type = string
-}
\ No newline at end of file
+}
diff --git a/src/terraform/modules/subnet/main.tf b/src/terraform/modules/subnet/main.tf
index b09553ed7..dee90276a 100644
--- a/src/terraform/modules/subnet/main.tf
+++ b/src/terraform/modules/subnet/main.tf
@@ -91,7 +91,7 @@ resource "azurerm_monitor_diagnostic_setting" "nsg" {
resource "azurerm_network_watcher_flow_log" "nsgfl" {
depends_on = [azurerm_network_security_rule.nsgrules, azurerm_network_security_group.nsg]
- network_watcher_name = "NetworkWatcher_${var.location}"
+ network_watcher_name = "NetworkWatcher_${replace(var.location, " ", "")}"
resource_group_name = "NetworkWatcherRG"
network_security_group_id = azurerm_network_security_group.nsg.id
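Review bot: `replace(var.location, " ", "")` turns the new `East US` default into `NetworkWatcher_EastUS`, whereas the watcher Azure auto-creates in `NetworkWatcherRG` is named after the region's short name (`NetworkWatcher_eastus`); whether the lookup tolerates the case difference is an API detail, so normalising explicitly is safer: `network_watcher_name = "NetworkWatcher_${lower(replace(var.location, " ", ""))}"`. The resource also still assumes the auto-created watcher exists in the target subscription, which is worth a comment so the failure mode is recognisable. The enclosing resource continues outside the hunk.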
diff --git a/src/terraform/modules/virtual-network/outputs.tf b/src/terraform/modules/virtual-network/outputs.tf
index ca15ea06a..7c68bc9ad 100644
--- a/src/terraform/modules/virtual-network/outputs.tf
+++ b/src/terraform/modules/virtual-network/outputs.tf
@@ -1,5 +1,6 @@
# Copyright (c) Microsoft Corporation.
# Licensed under the MIT License.
+
output "resource_group_name" {
description = "The name of the resource group in which resources are created"
value = data.azurerm_resource_group.rg.name
diff --git a/src/terraform/tier3/main.tf b/src/terraform/tier3/main.tf
index b4077f07f..1c27ab8f1 100644
--- a/src/terraform/tier3/main.tf
+++ b/src/terraform/tier3/main.tf
@@ -1,7 +1,8 @@
# Copyright (c) Microsoft Corporation.
# Licensed under the MIT License.
terraform {
- backend "azurerm" {}
+ backend "local" {}
+
required_version = ">= 1.0.3"
required_providers {
azurerm = {
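Review bot: Switching the backend from `azurerm` to `local` puts the Terraform state on the operator's disk with no locking, access control or encryption at rest, and state records resource attributes in plaintext, so anything the modules treat as sensitive ends up in that file. If this is meant as a quick-start default, a comment saying so and pointing at `terraform init -backend-config=...` for shared or production use would prevent the local backend being relied on by accident, e.g. `# Local state is for development only; configure a remote backend (e.g. azurerm) before sharing or productionising this deployment.` The `terraform` block continues outside the hunk.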
@@ -12,12 +13,9 @@ terraform {
}
provider "azurerm" {
- environment = var.tf_environment
- metadata_host = var.mlz_metadatahost
- tenant_id = var.mlz_tenantid
+ environment = var.environment
+ metadata_host = var.metadata_host
subscription_id = var.hub_subid
- client_id = var.mlz_clientid
- client_secret = var.mlz_clientsecret
features {
log_analytics_workspace {
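Review bot: With `tenant_id`, `client_id` and `client_secret` removed, this provider block (and the `hub`, `tier1` and `tier3` aliases in the next three hunks) authenticates through whatever the azurerm provider finds outside the configuration, which nothing in the file states. Moving the service principal secret out of variables and tfvars is the right direction; a comment on each provider block naming the expected mechanism would save the next reader guessing, e.g. `# Credentials come from the environment (Azure CLI login or ARM_* variables); none are declared here.` The provider block continues outside the hunk.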
@@ -31,12 +29,9 @@ provider "azurerm" {
provider "azurerm" {
alias = "hub"
- environment = var.tf_environment
- metadata_host = var.mlz_metadatahost
- tenant_id = var.mlz_tenantid
+ environment = var.environment
+ metadata_host = var.metadata_host
subscription_id = var.hub_subid
- client_id = var.mlz_clientid
- client_secret = var.mlz_clientsecret
features {
log_analytics_workspace {
@@ -50,12 +45,9 @@ provider "azurerm" {
provider "azurerm" {
alias = "tier1"
- environment = var.tf_environment
- metadata_host = var.mlz_metadatahost
- tenant_id = var.mlz_tenantid
+ environment = var.environment
+ metadata_host = var.metadata_host
subscription_id = var.tier1_subid
- client_id = var.mlz_clientid
- client_secret = var.mlz_clientsecret
features {
log_analytics_workspace {
@@ -69,12 +61,9 @@ provider "azurerm" {
provider "azurerm" {
alias = "tier3"
- environment = var.tf_environment
- metadata_host = var.mlz_metadatahost
- tenant_id = var.mlz_tenantid
+ environment = var.environment
+ metadata_host = var.metadata_host
subscription_id = var.tier3_subid
- client_id = var.mlz_clientid
- client_secret = var.mlz_clientsecret
features {
log_analytics_workspace {
@@ -93,7 +82,7 @@ provider "azurerm" {
resource "azurerm_resource_group" "tier3" {
provider = azurerm.tier3
- location = var.mlz_location
+ location = var.location
name = var.tier3_rgname
tags = var.tags
}
@@ -105,8 +94,8 @@ resource "azurerm_resource_group" "tier3" {
data "azurerm_log_analytics_workspace" "laws" {
provider = azurerm.tier1
- name = var.laws_name.value
- resource_group_name = var.laws_rgname.value
+ name = var.laws_name
+ resource_group_name = var.laws_rgname
}
################################
@@ -118,7 +107,6 @@ data "azurerm_virtual_network" "hub" {
resource_group_name = var.hub_rgname
}
-
module "spoke-network-t3" {
providers = { azurerm = azurerm.tier3 }
depends_on = [azurerm_resource_group.tier3]
@@ -126,9 +114,9 @@ module "spoke-network-t3" {
location = azurerm_resource_group.tier3.location
- firewall_private_ip = var.firewall_private_ip.value
+ firewall_private_ip = var.firewall_private_ip
- laws_location = var.mlz_location
+ laws_location = var.location
laws_workspace_id = data.azurerm_log_analytics_workspace.laws.workspace_id
laws_resource_id = data.azurerm_log_analytics_workspace.laws.id
diff --git a/src/terraform/tier3/minimum.tfvars.sample b/src/terraform/tier3/minimum.tfvars.sample
deleted file mode 100644
index c4ab5490c..000000000
--- a/src/terraform/tier3/minimum.tfvars.sample
+++ /dev/null
@@ -1,17 +0,0 @@
-tf_environment = ""
-deploymentname = ""
-mlz_tenantid = ""
-mlz_location = ""
-mlz_metadatahost = ""
-mlz_clientid = ""
-mlz_clientsecret = ""
-
-hub_subid = ""
-hub_rgname = ""
-hub_vnetname = ""
-laws_name = ""
-laws_rgname = ""
-tier1_subid = ""
-tier3_subid = ""
-tier3_rgname = ""
-tier3_vnetname = ""
diff --git a/src/terraform/tier3/tier3.tfvars.sample b/src/terraform/tier3/tier3.tfvars.sample
deleted file mode 100644
index ba90190e7..000000000
--- a/src/terraform/tier3/tier3.tfvars.sample
+++ /dev/null
@@ -1,82 +0,0 @@
-# Copyright (c) Microsoft Corporation.
-# Licensed under the MIT License.
-
-#################################
-# Global Configuration
-#################################
-
-tf_environment = "{TF_ENVIRONMENT}"
-deploymentname = "{DEPLOYMENTNAME}"
-mlz_tenantid = "{MLZ_TENANTID}"
-mlz_location = "{MLZ_LOCATION}"
-mlz_metadatahost = "{MLZ_METADATAHOST}"
-mlz_clientid = "{MLZ_CLIENTID}"
-mlz_clientsecret = "{MLZ_CLIENTSECRET}"
-mlz_objectid = "{MLZ_OBJECTID}"
-
-#################################
-# Hub Configuration
-#################################
-
-
-hub_subid = "{HUB_SUBID}"
-hub_rgname = "{HUB_RGNAME}"
-hub_vnetname = "{HUB_VNETNAME}"
-firewall_private_ip = "{FIREWALL_PRIVATE_IP}"
-
-#################################
-# Tier 1 Network configuration section
-#################################
-
-tier1_subid = "{TIER1_SUBID}"
-laws_name = "{LAWS_NAME}"
-laws_rgname = "{LAWS_RGNAME}"
-
-#################################
-# Tier 3 Network configuration section
-#################################
-
-tier3_subid = "{TIER3_SUBID}"
-tier3_rgname = "{TIER3_RGNAME}"
-tier3_vnetname = "{TIER3_VNETNAME}"
-
-tier3_vnet_address_space = ["{TIER3_VNET_ADDRESS_SPACE}"]
-
-subnets = {
- "{TIER3_SUBNETVM_NAME}" = {
- name = "{TIER3_SUBNETVM_NAME}"
- address_prefixes = ["{TIER3_SUBNETVM_ADDRESSPREFIXLIST}"]
- service_endpoints = ["{TIER3_SUBNETVM_SERVICEENDPOINTLIST}"]
-
- enforce_private_link_endpoint_network_policies = {TIER3_SUBNETVM_ENABLEPRIVATELINKENDPOINT}
- enforce_private_link_service_network_policies = {TIER3_SUBNETVM_ENABLEPRIVATELINKSERVICE}
-
- nsg_name = "{TIER3_SUBNETVM_NSGNAME}"
- nsg_rules = {
- "allow_ssh" = {
- name = "allow_ssh"
- priority = "100"
- direction = "Inbound"
- access = "Allow"
- protocol = "Tcp"
- source_port_range = ""
- destination_port_range = "22"
- source_address_prefix = "*"
- destination_address_prefix = ""
- }
- "allow_rdp" = {
- name = "allow_rdp"
- priority = "200"
- direction = "Inbound"
- access = "Allow"
- protocol = "Tcp"
- source_port_range = ""
- destination_port_range = "3389"
- source_address_prefix = "*"
- destination_address_prefix = ""
- }
- }
-
- routetable_name = "{TIER3_SUBNETVM_RTNAME}"
- }
-}
diff --git a/src/terraform/tier3/variables.tf b/src/terraform/tier3/variables.tf
index c1f7d5529..ec0ee4810 100644
--- a/src/terraform/tier3/variables.tf
+++ b/src/terraform/tier3/variables.tf
@@ -4,74 +4,49 @@
# Global Configuration
#################################
-variable "tf_environment" {
- description = "The Terraform backend environment e.g. public or usgovernment. It defults to public."
+variable "environment" {
+ description = "The Terraform backend environment e.g. public or usgovernment"
type = string
default = "public"
}
-variable "mlz_tenantid" {
- description = "The Azure Active Directory tenant ID that should be used for the deployment."
- type = string
- sensitive = true
-}
-
-variable "mlz_location" {
- description = "The Azure region for most Mission LZ resources. It defaults to eastus."
- type = string
- default = "eastus"
-}
-
-variable "mlz_metadatahost" {
+variable "metadata_host" {
description = "The metadata host for the Azure Cloud e.g. management.azure.com"
type = string
default = "management.azure.com"
}
-variable "mlz_clientid" {
- description = "The Client ID of the Service Principal to deploy with."
+variable "location" {
+ description = "The Azure region for most Mission LZ resources"
type = string
- sensitive = true
+ default = "East US"
}
-variable "mlz_clientsecret" {
- description = "The Client Secret of the Service Principal to deploy with."
- type = string
- sensitive = true
-}
-
-variable "mlz_objectid" {
- description = "The object ID of a service principal in the Azure Active Directory tenant."
- type = string
- sensitive = true
-}
variable "tags" {
- description = "A map of key value pairs to apply as tags to resources provisioned in this deployment"
- type = map(string)
- default = {
- "DeploymentType" : "MissionLandingZoneTF"
+ description = "A map of key value pairs to apply as tags to resources provisioned in this deployment"
+ type = map(string)
+ default = {
+ "DeploymentType" : "MissionLandingZoneTF"
}
}
+
#################################
# Hub Configuration
#################################
variable "hub_subid" {
- description = "Subscription ID for the HUB deployment"
+ description = "Subscription ID for the Hub deployment"
type = string
- sensitive = true
}
variable "hub_rgname" {
- description = "Resource Group for the deployment"
+ description = "Resource Group for the Hub deployment"
type = string
- default = "rg-saca-dev"
}
variable "hub_vnetname" {
- description = "Virtual Network Name for the deployment"
+ description = "Virtual Network Name for the Hub deployment"
type = string
- default = "vn-saca-dev"
}
variable "firewall_private_ip" {
@@ -84,19 +59,17 @@ variable "firewall_private_ip" {
#################################
variable "tier1_subid" {
- description = "Subscription ID for the deployment"
+ description = "Subscription ID for the Tier 1 deployment"
type = string
- sensitive = true
}
variable "laws_name" {
description = "Log Analytics Workspace Name for the deployment"
type = string
- default = "laws-dev"
}
variable "laws_rgname" {
- description = "The RG that laws was deployed to."
+ description = "The resource group that Log Analytics Workspace was deployed to"
type = string
}
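Review bot: `tier1_subid` drops its `sensitive = true` line while its meaning (a subscription ID supplied by the caller) is unchanged, so the value will now appear in plain text in `terraform plan`/`apply` output and in any CI logs that capture it; `hub_subid` in the preceding hunk and `tier3_subid` in the following one lose the flag the same way. If the project has decided that subscription IDs are not secret, a one-line comment above each declaration documenting that decision would keep the next reader from re-adding the flag; otherwise restore `sensitive = true` on all three. Separately, `laws_name` no longer has a default and becomes a required input, which its description does not mention; `description = "Log Analytics Workspace Name for the deployment (required, no default)"` would make that explicit.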
@@ -104,21 +77,20 @@ variable "laws_rgname" {
# Tier 3 Configuration
#################################
variable "tier3_subid" {
- description = "Subscription ID for the deployment"
+ description = "Subscription ID for this Tier 3 deployment"
type = string
- sensitive = true
}
variable "tier3_rgname" {
- description = "Resource Group for the deployment"
+ description = "Resource Group for this Tier 3 deployment"
type = string
- default = "rg-t3-dev"
+ default = "tier3-rg"
}
variable "tier3_vnetname" {
- description = "Virtual Network Name for the deployment"
+ description = "Virtual Network Name for this Tier 3 deployment"
type = string
- default = "vn-t3-dev"
+ default = "tier3-vnet"
}
variable "tier3_vnet_address_space" {
@@ -153,15 +125,15 @@ variable "tier3_subnets" {
routetable_name = string
}))
default = {
- "tier3vms" = {
- name = "tier3vms"
+ "tier3subnet" = {
+ name = "tier3Subnet"
address_prefixes = ["10.0.125.0/27"]
service_endpoints = ["Microsoft.Storage"]
enforce_private_link_endpoint_network_policies = false
enforce_private_link_service_network_policies = false
- nsg_name = "tier3vmsnsg"
+ nsg_name = "tier3SubnetNsg"
nsg_rules = {
"allow_ssh" = {
name = "allow_ssh"
@@ -187,7 +159,7 @@ variable "tier3_subnets" {
}
}
- routetable_name = "tier3vmsrt"
+ routetable_name = "tier3RouteTable"
}
}
}