optionally deploy Azure Bastion Host from the base deployment

src/bicep/README.md

@@ -64,26 +64,6 @@ az deployment sub create \
     operationsSubscriptionId=$operationsSubscriptionId \
     sharedServicesSubscriptionId=$sharedServicesSubscriptionId
 ```
-### Adding Azure Policy
-To include one of the built in Azure policy initiatives for NIST 800-53, CMMC Level 3 or DoD IL5 compliance add the parameter with one of the following, NIST, IL5 or CMMC. For example deploying with MLZ: 
-```
-az deployment sub create \
-  --location eastus \
-  --template-file mlz.bicep \
-  --parameters policy=<one of 'CMMC', 'IL5', or 'NIST'>
-  ```
-For example deploying after MLZ:
-```
-az deployment group create \
-  --resource-group <Resource Group to assign> \
-  --name <original deployment name + descriptor> \
-  --template-file ./src/bicep/modules/policyAssignment.bicep \
-  --parameters builtInAssignment=<one of 'CMMC', 'IL5', or 'NIST'> logAnalyticsWorkspaceName=<Log analytics workspace name> workspaceResourceGroupName=<LA Workspace resource group name>
-```
-
-Under the modules\policies directory are files named accordingly for the initiatives parameters with defaults  except for where a Log Analytics workspace ID is required we substitute that with the MLZ workspace ID, All others can be changed appropriately.
-
-The result will be a policy assignment created for each resource group deployed by MLZ base fabric which can be viewed in the 'Compliance' view of Azure Policy in the portal.
 
 ### Air-Gapped Clouds
 
@@ -119,3 +99,45 @@ az deployment sub create \
     operationsSubscriptionId=$operationsSubscriptionId \
     sharedServicesSubscriptionId=$sharedServicesSubscriptionId
 ```
+
+## Adding Azure Policy
+
+To include one of the built in Azure policy initiatives for NIST 800-53, CMMC Level 3 or DoD IL5 compliance add the parameter with one of the following, NIST, IL5 or CMMC. For example deploying with MLZ:
+
+```plaintext
+az deployment sub create \
+  --location eastus \
+  --template-file mlz.bicep \
+  --parameters policy=<one of 'CMMC', 'IL5', or 'NIST'>
+```
+
+Or, apply policy after deploying MLZ:
+
+```plaintext
+az deployment group create \
+  --resource-group <Resource Group to assign> \
+  --name <original deployment name + descriptor> \
+  --template-file ./src/bicep/modules/policyAssignment.bicep \
+  --parameters builtInAssignment=<one of 'CMMC', 'IL5', or 'NIST'> logAnalyticsWorkspaceName=<Log analytics workspace name> \
+  --parameters logAnalyticsWorkspaceName=<Log Analytics Workspace Name> \
+  --parameters logAnalyticsWorkspaceResourceGroupName=<Log Analytics Workspace Resource Group Name>
+```
+
+Under the [modules/policies](modules/policies) directory are JSON files named for the initiatives with default parameters (except for a Log Analytics workspace ID value `<LAWORKSPACE>` that we substitute at deployment time -- any other parameter can be modified as needed).
+
+The result will be a policy assignment created for each resource group deployed by MLZ that can be viewed in the 'Compliance' view of Azure Policy in the Azure Portal.
+
+## Adding Remote Access via Bastion Host
+
+To deploy a virtual machine as a jumpbox into the network without a Public IP Address using Azure Bastion Host, provide two parameters `deployRemoteAccess=true` and `linuxVmAdminPasswordOrKey=<your password>` to the deployment. A quick and easy way to generate a secure password from the .devcontainer is the command `openssl rand -base64 14`.
+
+```plaintext
+my_password=$(openssl rand -base64 14)
+
+az deployment sub create \
+  --name "myRemoteAccessDeployment" \
+  --location "eastus" \
+  --template-file "src/bicep/mlz.bicep" \
+  --parameters deployRemoteAccess="true" \
+  --parameters linuxVmAdminPasswordOrKey="$my_password"
+```

src/bicep/examples/remoteAccess/README.md

@@ -8,7 +8,7 @@ Read on to understand what this example does, and when you're ready, collect all
 
 ### Deploys Azure Bastion Host
 
-The docs on Azure Bastion: https://docs.microsoft.com/en-us/azure/bastion/bastion-overview
+The docs on Azure Bastion: <https://docs.microsoft.com/en-us/azure/bastion/bastion-overview>
 
 Some particulars about Bastion:
 
@@ -20,7 +20,7 @@ Some particulars about Bastion:
 
 This example deploys two virtual machines into a new subnet in the existing Hub virtual network to serve as jumpboxes.
 
-The docs on Virtual Machines: https://docs.microsoft.com/en-us/azure/templates/microsoft.compute/virtualmachines?tabs=json
+The docs on Virtual Machines: <https://docs.microsoft.com/en-us/azure/templates/microsoft.compute/virtualmachines?tabs=json>
 
 ## Pre-requisites
 
@@ -97,20 +97,25 @@ hubVirtualNetworkName="hub-vnet"
 hubSubnetResourceId="/subscriptions/.../providers/Microsoft.Network/virtualNetworks/hub-vnet/subnets/hub-subnet"
 hubNetworkSecurityGroupResourceId="/subscriptions/.../providers/Microsoft.Network/networkSecurityGroups/hub-nsg"
 
+linuxPassword=$(openssl rand -base64 14) # generate a random 14 character password
+
 az deployment group create \
   --name "RemoteAccessExample" \
   --resource-group $hubResourceGroupName \
-  --template-file "./remoteAccess.bicep" \
+  --template-file "./main.bicep" \
   --parameters \
   hubVirtualNetworkName="$hubVirtualNetworkName" \
   hubSubnetResourceId="$hubSubnetResourceId" \
-  hubNetworkSecurityGroupResourceId="$hubNetworkSecurityGroupResourceId"
+  hubNetworkSecurityGroupResourceId="$hubNetworkSecurityGroupResourceId" \
+  linuxVmAdminPasswordOrKey="$linuxPassword"
 ```
 
 Or, completely experimentally, try the Portal:
 
-#### AzureCloud
-[![Deploy To Azure](../../docs/imgs/deploytoazure.svg?sanitze=true)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fglennmusa%2Fmissionlz%2Fglennmusa%2Fbicep%2Fsrc%2Fbicep%2Fexamples%2FremoteAccess%2FremoteAccess.json)
+### AzureCloud
+
+[![Deploy To Azure](../../docs/imgs/deploytoazure.svg?sanitze=true)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fglennmusa%2Fmissionlz%2Fglennmusa%2Fbicep%2Fsrc%2Fbicep%2Fexamples%2FremoteAccess%2Fmain.json)
+
+### AzureUSGovernment
 
-#### AzureUSGovernment
-[![Deploy To Azure US Gov](../../docs/imgs/deploytoazuregov.svg?sanitize=true)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fglennmusa%2Fmissionlz%2Fglennmusa%2Fbicep%2Fexamples%2FremoteAccess%2FremoteAccess.json)
+[![Deploy To Azure US Gov](../../docs/imgs/deploytoazuregov.svg?sanitize=true)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fglennmusa%2Fmissionlz%2Fglennmusa%2Fbicep%2Fexamples%2FremoteAccess%2Fmain.json)

src/bicep/examples/remoteAccess/main.bicep

@@ -0,0 +1,73 @@
+param location string = resourceGroup().location
+
+param hubVirtualNetworkName string
+param hubSubnetResourceId string
+param hubNetworkSecurityGroupResourceId string
+
+param bastionHostName string = 'bastionHost'
+param bastionHostSubnetAddressPrefix string = '10.0.100.160/27'
+param bastionHostPublicIPAddressName string = 'bastionHostPublicIPAddress'
+param bastionHostPublicIPAddressSkuName string = 'Standard'
+param bastionHostPublicIPAddressAllocationMethod string = 'Static'
+param bastionHostPublicIPAddressAvailabilityZones array = []
+param bastionHostIPConfigurationName string = 'bastionHostIPConfiguration'
+
+param linuxVmName string = 'linuxVirtualMachine'
+param linuxVmSize string = 'Standard_B2s'
+param linuxVmOsDiskCreateOption string = 'FromImage'
+param linuxVmOsDiskType string = 'Standard_LRS'
+param linuxVmImagePublisher string = 'Canonical'
+param linuxVmImageOffer string = 'UbuntuServer'
+param linuxVmImageSku string = '18.04-LTS'
+param linuxVmImageVersion string = 'latest'
+param linuxVmAdminUsername string = 'azureuser'
+
+@allowed([
+  'sshPublicKey'
+  'password'
+])
+param linuxVmAuthenticationType string = 'password'
+@secure()
+@minLength(14)
+param linuxVmAdminPasswordOrKey string
+
+param linuxVmNetworkInterfaceName string = 'linuxVmNetworkInterface'
+param linuxVmNetworkInterfaceIpConfigurationName string = 'linuxVmIpConfiguration'
+param linuxVmNetworkInterfacePrivateIPAddressAllocationMethod string = 'Dynamic'
+
+param nowUtc string = utcNow()
+
+module remoteAccess '../../modules/remoteAccess.bicep' = {
+  name: 'deploy-remoteAccess-Example-${nowUtc}'
+  params: {
+    location: location
+
+    hubVirtualNetworkName: hubVirtualNetworkName
+    hubSubnetResourceId: hubSubnetResourceId
+    hubNetworkSecurityGroupResourceId: hubNetworkSecurityGroupResourceId
+
+    bastionHostName: bastionHostName
+    bastionHostSubnetAddressPrefix: bastionHostSubnetAddressPrefix
+    bastionHostPublicIPAddressName: bastionHostPublicIPAddressName
+    bastionHostPublicIPAddressSkuName: bastionHostPublicIPAddressSkuName
+    bastionHostPublicIPAddressAllocationMethod: bastionHostPublicIPAddressAllocationMethod
+    bastionHostPublicIPAddressAvailabilityZones: bastionHostPublicIPAddressAvailabilityZones
+    bastionHostIPConfigurationName: bastionHostIPConfigurationName
+
+    linuxNetworkInterfaceIpConfigurationName: linuxVmNetworkInterfaceIpConfigurationName
+    linuxNetworkInterfacePrivateIPAddressAllocationMethod: linuxVmNetworkInterfacePrivateIPAddressAllocationMethod
+
+    linuxVmName: linuxVmName
+    linuxVmSize: linuxVmSize
+    linuxVmOsDiskCreateOption: linuxVmOsDiskCreateOption
+    linuxVmOsDiskType: linuxVmOsDiskType
+    linuxVmImagePublisher: linuxVmImagePublisher
+    linuxVmImageOffer: linuxVmImageOffer
+    linuxVmImageSku: linuxVmImageSku
+    linuxVmImageVersion: linuxVmImageVersion
+    linuxVmAdminUsername: linuxVmAdminUsername
+    linuxVmAuthenticationType: linuxVmAuthenticationType
+    linuxVmAdminPasswordOrKey: linuxVmAdminPasswordOrKey
+    linuxVmNetworkInterfaceName: linuxVmNetworkInterfaceName
+  }
+}