fix: Resolve a variety of bugs and update api version of private dns …

…zone links resource (#896) * Added tags to AMA resources * Update API version of private dns virtual link * Add additional logic to default to at least 2 zones for pip in case not specified * Add additional role assignments * Add additional management group scopes for ama policies * Add secondary location references * Adding pattern to skip checking for any email
Azure · Nov 7, 2024 · 301891f · 301891f
1 parent c282211
commit 301891f
Show file tree

Hide file tree

Showing 6 changed files with 86 additions and 14 deletions.
diff --git a/.github/actions-config/mlc_config.json b/.github/actions-config/mlc_config.json
@@ -6,6 +6,9 @@
     {
       "pattern": "^(https:\\/\\/)?([www.]?)+(microsoft.com\\/)+[\\w\\-\\._~:/?#[\\]@!\\$&'\\(\\)\\*\\+,;=.]+$"
     }
+    {
+      "pattern": "^mailto:"
+    }
   ],
   "httpHeaders": [
     {
@@ -27,4 +30,4 @@
     203,
     206
   ]
-}
+}
diff --git a/infra-as-code/bicep/modules/hubNetworking/hubNetworking-multiRegion.bicep b/infra-as-code/bicep/modules/hubNetworking/hubNetworking-multiRegion.bicep
@@ -1265,8 +1265,14 @@ module modGatewayPublicIp '../publicIp/publicIp.bicep' = [
     params: {
       parLocation: parLocation
       parAvailabilityZones: toLower(gateway.gatewayType) == 'expressroute'
-        ? parAzErGatewayAvailabilityZones
-        : toLower(gateway.gatewayType) == 'vpn' ? parAzVpnGatewayAvailabilityZones : []
+      ? (contains(toLower(gateway.sku), 'az') && empty(parAzErGatewayAvailabilityZones)
+          ? ['1', '2']
+          : parAzErGatewayAvailabilityZones)
+      : (toLower(gateway.gatewayType) == 'vpn'
+          ? (contains(toLower(gateway.sku), 'az') && empty(parAzVpnGatewayAvailabilityZones)
+              ? ['1', '2']
+              : parAzVpnGatewayAvailabilityZones)
+          : [])
       parPublicIpName: '${parPublicIpPrefix}${gateway.name}${parPublicIpSuffix}'
       parPublicIpProperties: {
         publicIpAddressVersion: 'IPv4'
@@ -1291,8 +1297,14 @@ module modGatewayPublicIpActiveActive '../publicIp/publicIp.bicep' = [
     params: {
       parLocation: parLocation
       parAvailabilityZones: toLower(gateway.gatewayType) == 'expressroute'
-        ? parAzErGatewayAvailabilityZones
-        : toLower(gateway.gatewayType) == 'vpn' ? parAzVpnGatewayAvailabilityZones : []
+      ? (contains(toLower(gateway.sku), 'az') && empty(parAzErGatewayAvailabilityZones)
+          ? ['1', '2']
+          : parAzErGatewayAvailabilityZones)
+      : (toLower(gateway.gatewayType) == 'vpn'
+          ? (contains(toLower(gateway.sku), 'az') && empty(parAzVpnGatewayAvailabilityZones)
+              ? ['1', '2']
+              : parAzVpnGatewayAvailabilityZones)
+          : [])
       parPublicIpName: '${parPublicIpPrefix}${gateway.name}${parPublicIpSuffix}-aa'
       parPublicIpProperties: {
         publicIpAddressVersion: 'IPv4'
@@ -1316,8 +1328,14 @@ module modGatewayPublicIpSecondaryLocation '../publicIp/publicIp.bicep' = [
     params: {
       parLocation: parSecondaryLocation
       parAvailabilityZones: toLower(gateway.gatewayType) == 'expressroute'
-        ? parAzErGatewayAvailabilityZonesSecondaryLocation
-        : toLower(gateway.gatewayType) == 'vpn' ? parAzVpnGatewayAvailabilityZonesSecondaryLocation : []
+      ? (contains(toLower(gateway.sku), 'az') && empty(parAzErGatewayAvailabilityZonesSecondaryLocation)
+          ? ['1', '2']
+          : parAzErGatewayAvailabilityZones)
+      : (toLower(gateway.gatewayType) == 'vpn'
+          ? (contains(toLower(gateway.sku), 'az') && empty(parAzVpnGatewayAvailabilityZonesSecondaryLocation)
+              ? ['1', '2']
+              : parAzVpnGatewayAvailabilityZonesSecondaryLocation)
+          : [])
       parPublicIpName: '${parPublicIpPrefixSecondaryLocation}${gateway.name}${parPublicIpSuffix}'
       parPublicIpProperties: {
         publicIpAddressVersion: 'IPv4'
@@ -1342,8 +1360,14 @@ module modGatewayPublicIpActiveActiveSecondaryLocation '../publicIp/publicIp.bic
     params: {
       parLocation: parLocation
       parAvailabilityZones: toLower(gateway.gatewayType) == 'expressroute'
-        ? parAzErGatewayAvailabilityZones
-        : toLower(gateway.gatewayType) == 'vpn' ? parAzVpnGatewayAvailabilityZones : []
+      ? (contains(toLower(gateway.sku), 'az') && empty(parAzErGatewayAvailabilityZonesSecondaryLocation)
+          ? ['1', '2']
+          : parAzErGatewayAvailabilityZones)
+      : (toLower(gateway.gatewayType) == 'vpn'
+          ? (contains(toLower(gateway.sku), 'az') && empty(parAzVpnGatewayAvailabilityZonesSecondaryLocation)
+              ? ['1', '2']
+              : parAzVpnGatewayAvailabilityZonesSecondaryLocation)
+          : [])
       parPublicIpName: '${parPublicIpPrefix}${gateway.name}${parPublicIpSuffix}-aa'
       parPublicIpProperties: {
         publicIpAddressVersion: 'IPv4'

diff --git a/infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep b/infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep
@@ -696,8 +696,14 @@ module modGatewayPublicIp '../publicIp/publicIp.bicep' = [
     params: {
       parLocation: parLocation
       parAvailabilityZones: toLower(gateway.gatewayType) == 'expressroute'
-        ? parAzErGatewayAvailabilityZones
-        : toLower(gateway.gatewayType) == 'vpn' ? parAzVpnGatewayAvailabilityZones : []
+      ? (contains(toLower(gateway.sku), 'az') && empty(parAzErGatewayAvailabilityZones)
+          ? ['1', '2']
+          : parAzErGatewayAvailabilityZones)
+      : (toLower(gateway.gatewayType) == 'vpn'
+          ? (contains(toLower(gateway.sku), 'az') && empty(parAzVpnGatewayAvailabilityZones)
+              ? ['1', '2']
+              : parAzVpnGatewayAvailabilityZones)
+          : [])
       parPublicIpName: '${parPublicIpPrefix}${gateway.name}${parPublicIpSuffix}'
       parPublicIpProperties: {
         publicIpAddressVersion: 'IPv4'
@@ -722,8 +728,14 @@ module modGatewayPublicIpActiveActive '../publicIp/publicIp.bicep' = [
     params: {
       parLocation: parLocation
       parAvailabilityZones: toLower(gateway.gatewayType) == 'expressroute'
-        ? parAzErGatewayAvailabilityZones
-        : toLower(gateway.gatewayType) == 'vpn' ? parAzVpnGatewayAvailabilityZones : []
+      ? (contains(toLower(gateway.sku), 'az') && empty(parAzErGatewayAvailabilityZones)
+          ? ['1', '2']
+          : parAzErGatewayAvailabilityZones)
+      : (toLower(gateway.gatewayType) == 'vpn'
+          ? (contains(toLower(gateway.sku), 'az') && empty(parAzVpnGatewayAvailabilityZones)
+              ? ['1', '2']
+              : parAzVpnGatewayAvailabilityZones)
+          : [])
       parPublicIpName: '${parPublicIpPrefix}${gateway.name}${parPublicIpSuffix}-aa'
       parPublicIpProperties: {
         publicIpAddressVersion: 'IPv4'

diff --git a/infra-as-code/bicep/modules/logging/logging.bicep b/infra-as-code/bicep/modules/logging/logging.bicep
@@ -187,6 +187,7 @@ var varCuaid = 'f8087c67-cc41-46b2-994d-66e4b661860d'
 resource resUserAssignedManagedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
   name: parUserAssignedManagedIdentityName
   location: parUserAssignedManagedIdentityLocation
+  tags: parTags
 }
 
 resource resAutomationAccount 'Microsoft.Automation/automationAccounts@2023-11-01' = {
@@ -243,6 +244,7 @@ resource resLogAnalyticsWorkspaceLock 'Microsoft.Authorization/locks@2020-05-01'
 resource resDataCollectionRuleVMInsights 'Microsoft.Insights/dataCollectionRules@2021-04-01' = {
   name: parDataCollectionRuleVMInsightsName
   location: parLogAnalyticsWorkspaceLocation
+  tags: parTags
   properties: {
     description: 'Data collection rule for VM Insights'
     dataSources: {
@@ -311,6 +313,7 @@ resource resDataCollectionRuleVMInsightsLock 'Microsoft.Authorization/locks@2020
 resource resDataCollectionRuleChangeTracking 'Microsoft.Insights/dataCollectionRules@2021-04-01' = {
   name: parDataCollectionRuleChangeTrackingName
   location: parLogAnalyticsWorkspaceLocation
+  tags: parTags
   properties: {
     description: 'Data collection rule for CT.'
     dataSources: {
@@ -582,6 +585,7 @@ resource resDataCollectionRuleChangeTrackingLock 'Microsoft.Authorization/locks@
 resource resDataCollectionRuleMDFCSQL'Microsoft.Insights/dataCollectionRules@2021-04-01' = {
   name: parDataCollectionRuleMDFCSQLName
   location: parLogAnalyticsWorkspaceLocation
+  tags: parTags
   properties: {
     description: 'Data collection rule for Defender for SQL.'
     dataSources: {

diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep
@@ -941,6 +941,9 @@ module modPolicyAssignmentPlatformDeployVmArcChangeTrack '../../../policy/assign
       varRbacRoleDefinitionIds.monitoringContributor
       varRbacRoleDefinitionIds.reader
     ]
+    parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs: [
+      string(varManagementGroupIds.landingZones)
+    ]
     parTelemetryOptOut: parTelemetryOptOut
   }
 }
@@ -972,6 +975,9 @@ module modPolicyAssignmentPlatformDeployVmChangeTrack '../../../policy/assignmen
       varRbacRoleDefinitionIds.managedIdentityOperator
       varRbacRoleDefinitionIds.reader
     ]
+    parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs: [
+      string(varManagementGroupIds.landingZones)
+    ]
     parTelemetryOptOut: parTelemetryOptOut
   }
 }
@@ -1003,6 +1009,9 @@ module modPolicyAssignmentPlatformDeployVmssChangeTrack '../../../policy/assignm
       varRbacRoleDefinitionIds.managedIdentityOperator
       varRbacRoleDefinitionIds.reader
     ]
+    parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs: [
+      string(varManagementGroupIds.landingZones)
+    ]
     parTelemetryOptOut: parTelemetryOptOut
   }
 }
@@ -1030,6 +1039,8 @@ module modPolicyAssignmentPlatformDeployVmArcMonitor '../../../policy/assignment
       varRbacRoleDefinitionIds.reader
       varRbacRoleDefinitionIds.connectedMachineResourceAdministrator
     ]
+    parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs: [
+      string(varManagementGroupIds.landingZones)    ]
     parTelemetryOptOut: parTelemetryOptOut
   }
 }
@@ -1061,6 +1072,9 @@ module modPolicyAssignmentPlatformDeployVmMonitor '../../../policy/assignments/p
       varRbacRoleDefinitionIds.managedIdentityOperator
       varRbacRoleDefinitionIds.reader
     ]
+    parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs: [
+      string(varManagementGroupIds.landingZones)
+    ]
     parTelemetryOptOut: parTelemetryOptOut
   }
 }
@@ -1095,6 +1109,9 @@ module modPolicyAssignmentPlatformDeployMdfcDefSqlAma '../../../policy/assignmen
       varRbacRoleDefinitionIds.managedIdentityOperator
       varRbacRoleDefinitionIds.reader
     ]
+    parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs: [
+      string(varManagementGroupIds.landingZones)
+    ]
     parTelemetryOptOut: parTelemetryOptOut
   }
 }
@@ -1146,6 +1163,9 @@ module modPolicyAssignmentPlatformDeployVmssMonitor '../../../policy/assignments
       varRbacRoleDefinitionIds.managedIdentityOperator
       varRbacRoleDefinitionIds.reader
     ]
+    parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs: [
+      string(varManagementGroupIds.landingZones)
+    ]
     parTelemetryOptOut: parTelemetryOptOut
   }
 }
@@ -1751,6 +1771,9 @@ module modPolicyAssignmentLzsDeployVmMonitor '../../../policy/assignments/policy
       varRbacRoleDefinitionIds.managedIdentityOperator
       varRbacRoleDefinitionIds.reader
     ]
+    parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs: [
+      string(varManagementGroupIds.platform)
+    ]
     parTelemetryOptOut: parTelemetryOptOut
   }
 }
@@ -1782,6 +1805,9 @@ module modPolicyAssignmentLzsDeployVmssMonitor '../../../policy/assignments/poli
       varRbacRoleDefinitionIds.managedIdentityOperator
       varRbacRoleDefinitionIds.reader
     ]
+    parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs: [
+      string(varManagementGroupIds.platform)
+    ]
     parTelemetryOptOut: parTelemetryOptOut
   }
 }
@@ -1813,6 +1839,9 @@ module modPolicyAssignmentLzsmDeployMdfcDefSqlAma '../../../policy/assignments/p
       varRbacRoleDefinitionIds.managedIdentityOperator
       varRbacRoleDefinitionIds.reader
     ]
+    parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs: [
+      string(varManagementGroupIds.platform)
+    ]
     parTelemetryOptOut: parTelemetryOptOut
   }
 }

diff --git a/infra-as-code/bicep/modules/privateDnsZoneLinks/privateDnsZoneLinks.bicep b/infra-as-code/bicep/modules/privateDnsZoneLinks/privateDnsZoneLinks.bicep
@@ -30,7 +30,7 @@ param parResourceLockConfig lockType = {
 
 var varSpokeVirtualNetworkName = split(parSpokeVirtualNetworkResourceId, '/')[8]
 
-resource resPrivateDnsZoneLinkToSpoke 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = if (!empty(parPrivateDnsZoneResourceId)) {
+resource resPrivateDnsZoneLinkToSpoke 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2024-06-01' = if (!empty(parPrivateDnsZoneResourceId)) {
   location: 'global'
   name: '${split(parPrivateDnsZoneResourceId, '/')[8]}/dnslink-to-${varSpokeVirtualNetworkName}'
   properties: {
-Original file line number
+Diff line change
@@ Expand Up / @@ -6,6 +6,9 @@ @@
         {
           "pattern": "^(https:\\/\\/)?([www.]?)+(microsoft.com\\/)+[\\w\\-\\._~:/?#[\\]@!\\$&'\\(\\)\\*\\+,;=.]+$"
         }
+        {
+          "pattern": "^mailto:"
+        }
       ],
       "httpHeaders": [
         {
@@ Expand All / @@ -27,4 +30,4 @@ @@
 ,
       ]
-    }
+    }