diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep
index 5677646b6..6e5ef225e 100644
--- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep
+++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep
@@ -2,60 +2,47 @@ metadata name = 'ALZ Bicep - Default Policy Assignments'
metadata description = 'Assigns ALZ Default Policies to the Management Group hierarchy'
type policyAssignmentSovereigntyGlobalOptionsType = {
- @sys.description('Toggle to enable/disable deployment of Sovereignty Baseline - Global Policies at the intermediate root management group.')
+ @description('Enable/disable Sovereignty Baseline - Global Policies at root management group.')
parTopLevelSovereigntyGlobalPoliciesEnable: bool
- @sys.description('List of allowed locations for resource deployment. If empty, only the deployment location is allowed.')
+ @description('Allowed locations for resource deployment. Empty = deployment location only.')
parListOfAllowedLocations: string[]
- @sys.description('Effect type for Sovereignty Baseline - Global Policies.')
+ @description('Effect for Sovereignty Baseline - Global Policies.')
parPolicyEffect: ('Audit' | 'Deny' | 'Disabled' | 'AuditIfNotExists')
}
type policyAssignmentSovereigntyConfidentialOptionsType = {
- @sys.description('List of approved Azure resource types (e.g., Confidential Computing SKUs or those not processing customer data). Leave empty to allow all relevant types.')
+ @description('Approved Azure resource types (e.g., Confidential Computing SKUs). Empty = allow all.')
parAllowedResourceTypes: string[]
- @sys.description('List of allowed locations for resource deployment. If empty, only the deployment location is allowed.')
+ @description('Allowed locations for resource deployment. Empty = deployment location only.')
parListOfAllowedLocations: string[]
- @sys.description('List of approved VM SKUs backed by Azure Confidential Computing. Leave empty to allow all relevant SKUs.')
+ @description('Approved VM SKUs for Azure Confidential Computing. 
Empty = allow all.')
parAllowedVirtualMachineSKUs: string[]
- @sys.description('Effect type for Sovereignty Baseline - Confidential Policies.')
+ @description('Effect for Sovereignty Baseline - Confidential Policies.')
parPolicyEffect: ('Audit' | 'Deny' | 'Disabled' | 'AuditIfNotExists')
}
-@sys.description('Prefix for the management group hierarchy.')
+@description('Prefix for management group hierarchy.')
@minLength(2)
@maxLength(10)
param parTopLevelManagementGroupPrefix string = 'alz'
-@sys.description('Optional suffix for management group names/IDs. Include a dash if needed.')
+@description('Optional suffix for management group names/IDs.')
@maxLength(10)
param parTopLevelManagementGroupSuffix string = ''
-@sys.description('''Object used to assign Sovereignty Baseline - Global Policies to the intermediate root management group.'
-
-- `parTopLevelSovereignGlobalPoliciesEnable` - Switch to enable/disable deployment of the Sovereignty Baseline - Global Policies Assignment to the intermediate root management group.
-- `parListOfAllowedLocations` - The list of locations that your organization can use to restrict deploying resources to. If left empty, only the deployment location will be allowed.
-- `parPolicyEffect` - The effect type for the Sovereignty Baseline - Global Policies Assignment.
-
-''')
+@description('Assign Sovereignty Baseline - Global Policies to root management group.')
param parTopLevelPolicyAssignmentSovereigntyGlobal policyAssignmentSovereigntyGlobalOptionsType = {
parTopLevelSovereigntyGlobalPoliciesEnable: false
parListOfAllowedLocations: []
parPolicyEffect: 'Deny'
}
-@sys.description('''Object used to assign Sovereignty Baseline - Confidential Policies to the confidential landing zone management groups.'
-
-- `parAllowedResourceTypes` - The list of Azure resource types approved for usage, which is the set of resource types that have a SKU backed by Azure Confidential Computing or resource types that do not process customer data. 
Leave empty to allow all relevant resource types.
-- `parListOfAllowedLocations` - The list of locations that your organization can use to restrict deploying resources to. If left empty, only the deployment location will be allowed.
-- `parallowedVirtualMachineSKUs` - The list of VM SKUs approved approved for usage, which is the set of SKUs backed by Azure Confidential Computing. Leave empty to allow all relevant SKUs.
-- `parPolicyEffect` - The effect type for the Sovereignty Baseline - Confidential Policies Assignment.
-
-''')
+@description('Assign Sovereignty Baseline - Confidential Policies to confidential landing zone groups.')
param parPolicyAssignmentSovereigntyConfidential policyAssignmentSovereigntyConfidentialOptionsType = {
parAllowedResourceTypes: []
parListOfAllowedLocations: []
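Review bot: Dropping the `sys.` qualifier on every decorator in this hunk (`@sys.description` → `@description`) changes more than wording: in Bicep the `sys.` prefix pins the decorator to the built-in namespace, so it keeps resolving even if a symbol named `description` is ever declared or imported in this file, and if the rest of the repository still uses `@sys.description` this module now diverges from that convention. I would keep the qualifier and shorten only the text, e.g. `@sys.description('Optional suffix for management group names/IDs. Include a dash if needed.')`, since the new `parTopLevelManagementGroupSuffix` string also loses the hint that the suffix must carry its own dash. The second hunk of this file has the same kind of loss: `parVmBackupExclusionTagName`/`parVmBackupExclusionTagValue` no longer say they must be set together, and `parPrivateDnsZonesNamesToAuditInCorp` no longer says to include every zone (and where to take the names from) even though it overwrites the defaults, so a partial list silently narrows audit coverage. The `parPolicyAssignmentSovereigntyConfidential` default object continues past the end of this hunk.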
@@ -63,70 +50,70 @@ param parPolicyAssignmentSovereigntyConfidential policyAssignmentSovereigntyConf
parPolicyEffect: 'Deny'
}
-@sys.description('Toggle to apply platform policies to the Platform group or child groups.')
+@description('Apply platform policies to Platform group or child groups.')
param parPlatformMgAlzDefaultsEnable bool = true
-@sys.description('Toggle to assign policies to Corp & Online Management Groups under Landing Zones.')
+@description('Assign policies to Corp & Online Management Groups under Landing Zones.')
param parLandingZoneChildrenMgAlzDefaultsEnable bool = true
-@sys.description('Toggle to assign policies to Confidential Corp and Online groups under Landing Zones.')
+@description('Assign policies to Confidential Corp and Online groups under Landing Zones.')
param parLandingZoneMgConfidentialEnable bool = false
-@sys.description('Location of Log Analytics Workspace & Automation Account.')
+@description('Location of Log Analytics Workspace & Automation Account.')
param parLogAnalyticsWorkSpaceAndAutomationAccountLocation string = 'eastus'
-@sys.description('Resource ID of Log Analytics Workspace.')
+@description('Resource ID of Log Analytics Workspace.')
param parLogAnalyticsWorkspaceResourceId string = ''
-@sys.description('Resource ID for VM Insights Data Collection Rule.')
+@description('Resource ID for VM Insights Data Collection Rule.')
param parDataCollectionRuleVMInsightsResourceId string = ''
-@sys.description('Resource ID for Change Tracking Data Collection Rule.')
+@description('Resource ID for Change Tracking Data Collection Rule.')
param parDataCollectionRuleChangeTrackingResourceId string = ''
-@sys.description('Resource ID for MDFC SQL Data Collection Rule.')
+@description('Resource ID for MDFC SQL Data Collection Rule.')
param parDataCollectionRuleMDFCSQLResourceId string = ''
-@sys.description('Resource ID for User Assigned Managed Identity.')
+@description('Resource ID for User Assigned Managed Identity.')
param 
parUserAssignedManagedIdentityResourceId string = ''
-@sys.description('Number of days to retain logs in Log Analytics Workspace.')
+@description('Number of days to retain logs in Log Analytics Workspace.')
param parLogAnalyticsWorkspaceLogRetentionInDays string = '365'
-@sys.description('Name of the Automation Account.')
+@description('Name of the Automation Account.')
param parAutomationAccountName string = 'alz-automation-account'
-@sys.description('Email address for Microsoft Defender for Cloud alerts.')
+@description('Email address for Microsoft Defender for Cloud alerts.')
param parMsDefenderForCloudEmailSecurityContact string = 'security_contact@replace_me.com'
-@sys.description('Toggle to enable/disable DDoS Network Protection deployment. True enforces the Enable-DDoS-VNET policy at connectivity or landing zone groups; false does not.')
+@description('Enable/disable DDoS Network Protection. True enforces Enable-DDoS-VNET policy; false disables.')
param parDdosEnabled bool = true
-@sys.description('Resource ID of the DDoS Protection Plan applied to Virtual Networks.')
+@description('Resource ID of the DDoS Protection Plan for Virtual Networks.')
param parDdosProtectionPlanId string = ''
-@sys.description('Resource ID of the Resource Group containing Private DNS Zones. Leave empty to skip assigning the Deploy-Private-DNS-Zones policy to the Corp Management Group.')
+@description('Resource ID of the Resource Group for Private DNS Zones. Empty to skip assigning the Deploy-Private-DNS-Zones policy.')
param parPrivateDnsResourceGroupId string = ''
-@sys.description('List of Private DNS Zones to audit if deployed in Subscriptions under the Corp Management Group. Include all zones, as this parameter overwrites default values. Retrieve names from the outPrivateDnsZonesNames output in the Hub Networking or Private DNS Zone modules.')
+@description('List of Private DNS Zones to audit under the Corp Management Group. 
This overwrites default values.')
param parPrivateDnsZonesNamesToAuditInCorp array = []
-@sys.description('Set to true to disable enforcement of all default ALZ policies.')
+@description('Disable all default ALZ policies.')
param parDisableAlzDefaultPolicies bool = false
-@sys.description('Set to true to disable enforcement of all default sovereign policies.')
+@description('Disable all default sovereign policies.')
param parDisableSlzDefaultPolicies bool = false
-@sys.description('Tag name for excluding VMs from this policy’s scope. Use with the Exclusion Tag Value parameter.')
+@description('Tag name for excluding VMs from this policy’s scope.')
param parVmBackupExclusionTagName string = ''
-@sys.description('Tag value for excluding VMs from this policy’s scope (use a comma-separated list for multiple values). Use with the Exclusion Tag Name parameter.')
+@description('Tag value for excluding VMs from this policy’s scope. Comma-separated list for multiple values.')
param parVmBackupExclusionTagValue array = []
-@sys.description('Add assignment definition names to exclude specific policies. Find values in the Assigning Policies documentation.')
+@description('Names of policy assignments to exclude. Found in Assigning Policies documentation.')
param parExcludedPolicyAssignments array = []
-@sys.description('Set to true to opt out of deployment telemetry.')
+@description('Opt out of deployment telemetry.')
param parTelemetryOptOut bool = false
var varLogAnalyticsWorkspaceName = split(parLogAnalyticsWorkspaceResourceId, '/')[8]
diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md
index fa45d547e..59d3e77a6 100644
--- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md
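Review bot: The new `parDdosEnabled` description ending in `false disables.` misstates the false branch: the removed text said false simply does not enforce the Enable-DDoS-VNET policy, whereas "disables" reads as if setting it false switches DDoS protection off on existing networks, and the scope at which the policy is enforced (connectivity or landing zone groups) is gone too. Suggested: `@description('Enable/disable DDoS Network Protection. True enforces the Enable-DDoS-VNET policy at connectivity or landing zone groups; false does not enforce it.')`. Similarly `parDisableAlzDefaultPolicies` and `parDisableSlzDefaultPolicies` now say `Disable all default ... policies` where the removed text said "disable enforcement"; if these switches only change the assignments' enforcement mode rather than removing them (not visible in this hunk), the shorter phrasing overstates what an operator gets, and "disable enforcement of" should be kept.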
+++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md 
@@ -6,13 +6,13 @@ Assigns ALZ Default Policies to the Management Group hierarchy
Parameter name | Required | Description
-------------- | -------- | -----------
-parTopLevelManagementGroupPrefix | No | Prefix for the management group hierarchy.
-parTopLevelManagementGroupSuffix | No | Optional suffix for management group names/IDs. Include a dash if needed.
-parTopLevelPolicyAssignmentSovereigntyGlobal | No | Object used to assign Sovereignty Baseline - Global Policies to the intermediate root management group.' - `parTopLevelSovereignGlobalPoliciesEnable` - Switch to enable/disable deployment of the Sovereignty Baseline - Global Policies Assignment to the intermediate root management group. - `parListOfAllowedLocations` - The list of locations that your organization can use to restrict deploying resources to. If left empty, only the deployment location will be allowed. - `parPolicyEffect` - The effect type for the Sovereignty Baseline - Global Policies Assignment.
-parPolicyAssignmentSovereigntyConfidential | No | Object used to assign Sovereignty Baseline - Confidential Policies to the confidential landing zone management groups.' - `parAllowedResourceTypes` - The list of Azure resource types approved for usage, which is the set of resource types that have a SKU backed by Azure Confidential Computing or resource types that do not process customer data. Leave empty to allow all relevant resource types. - `parListOfAllowedLocations` - The list of locations that your organization can use to restrict deploying resources to. If left empty, only the deployment location will be allowed. - `parallowedVirtualMachineSKUs` - The list of VM SKUs approved approved for usage, which is the set of SKUs backed by Azure Confidential Computing. Leave empty to allow all relevant SKUs. - `parPolicyEffect` - The effect type for the Sovereignty Baseline - Confidential Policies Assignment. 
-parPlatformMgAlzDefaultsEnable | No | Toggle to apply platform policies to the Platform group or child groups.
-parLandingZoneChildrenMgAlzDefaultsEnable | No | Toggle to assign policies to Corp & Online Management Groups under Landing Zones.
-parLandingZoneMgConfidentialEnable | No | Toggle to assign policies to Confidential Corp and Online groups under Landing Zones.
+parTopLevelManagementGroupPrefix | No | Prefix for management group hierarchy.
+parTopLevelManagementGroupSuffix | No | Optional suffix for management group names/IDs.
+parTopLevelPolicyAssignmentSovereigntyGlobal | No | Assign Sovereignty Baseline - Global Policies to root management group.
+parPolicyAssignmentSovereigntyConfidential | No | Assign Sovereignty Baseline - Confidential Policies to confidential landing zone groups.
+parPlatformMgAlzDefaultsEnable | No | Apply platform policies to Platform group or child groups.
+parLandingZoneChildrenMgAlzDefaultsEnable | No | Assign policies to Corp & Online Management Groups under Landing Zones.
+parLandingZoneMgConfidentialEnable | No | Assign policies to Confidential Corp and Online groups under Landing Zones.
parLogAnalyticsWorkSpaceAndAutomationAccountLocation | No | Location of Log Analytics Workspace & Automation Account.
parLogAnalyticsWorkspaceResourceId | No | Resource ID of Log Analytics Workspace.
parDataCollectionRuleVMInsightsResourceId | No | Resource ID for VM Insights Data Collection Rule.
@@ -22,22 +22,22 @@ parUserAssignedManagedIdentityResourceId | No | Resource ID for User Assig
parLogAnalyticsWorkspaceLogRetentionInDays | No | Number of days to retain logs in Log Analytics Workspace.
parAutomationAccountName | No | Name of the Automation Account.
parMsDefenderForCloudEmailSecurityContact | No | Email address for Microsoft Defender for Cloud alerts.
-parDdosEnabled | No | Toggle to enable/disable DDoS Network Protection deployment. True enforces the Enable-DDoS-VNET policy at connectivity or landing zone groups; false does not.
-parDdosProtectionPlanId | No | Resource ID of the DDoS Protection Plan applied to Virtual Networks.
-parPrivateDnsResourceGroupId | No | Resource ID of the Resource Group containing Private DNS Zones. Leave empty to skip assigning the Deploy-Private-DNS-Zones policy to the Corp Management Group.
-parPrivateDnsZonesNamesToAuditInCorp | No | List of Private DNS Zones to audit if deployed in Subscriptions under the Corp Management Group. Include all zones, as this parameter overwrites default values. Retrieve names from the outPrivateDnsZonesNames output in the Hub Networking or Private DNS Zone modules.
-parDisableAlzDefaultPolicies | No | Set to true to disable enforcement of all default ALZ policies.
-parDisableSlzDefaultPolicies | No | Set to true to disable enforcement of all default sovereign policies.
-parVmBackupExclusionTagName | No | Tag name for excluding VMs from this policy’s scope. Use with the Exclusion Tag Value parameter.
-parVmBackupExclusionTagValue | No | Tag value for excluding VMs from this policy’s scope (use a comma-separated list for multiple values). Use with the Exclusion Tag Name parameter.
-parExcludedPolicyAssignments | No | Add assignment definition names to exclude specific policies. Find values in the Assigning Policies documentation.
-parTelemetryOptOut | No | Set to true to opt out of deployment telemetry.
+parDdosEnabled | No | Enable/disable DDoS Network Protection. 
True enforces Enable-DDoS-VNET policy; false disables.
+parDdosProtectionPlanId | No | Resource ID of the DDoS Protection Plan for Virtual Networks.
+parPrivateDnsResourceGroupId | No | Resource ID of the Resource Group for Private DNS Zones. Empty to skip assigning the Deploy-Private-DNS-Zones policy.
+parPrivateDnsZonesNamesToAuditInCorp | No | List of Private DNS Zones to audit under the Corp Management Group. This overwrites default values.
+parDisableAlzDefaultPolicies | No | Disable all default ALZ policies.
+parDisableSlzDefaultPolicies | No | Disable all default sovereign policies.
+parVmBackupExclusionTagName | No | Tag name for excluding VMs from this policy’s scope.
+parVmBackupExclusionTagValue | No | Tag value for excluding VMs from this policy’s scope. Comma-separated list for multiple values.
+parExcludedPolicyAssignments | No | Names of policy assignments to exclude. Found in Assigning Policies documentation.
+parTelemetryOptOut | No | Opt out of deployment telemetry.
### parTopLevelManagementGroupPrefix
![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
-Prefix for the management group hierarchy.
+Prefix for management group hierarchy.
- Default value: `alz`
@@ -45,19 +45,13 @@ Prefix for the management group hierarchy.
![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
-Optional suffix for management group names/IDs. Include a dash if needed.
+Optional suffix for management group names/IDs.
### parTopLevelPolicyAssignmentSovereigntyGlobal
![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
-Object used to assign Sovereignty Baseline - Global Policies to the intermediate root management group.'
-
-- `parTopLevelSovereignGlobalPoliciesEnable` - Switch to enable/disable deployment of the Sovereignty Baseline - Global Policies Assignment to the intermediate root management group.
-- `parListOfAllowedLocations` - The list of locations that your organization can use to restrict deploying resources to. If left empty, only the deployment location will be allowed.
-- `parPolicyEffect` - The effect type for the Sovereignty Baseline - Global Policies Assignment.
-
-
+Assign Sovereignty Baseline - Global Policies to root management group.
- Default value: `@{parTopLevelSovereigntyGlobalPoliciesEnable=False; parListOfAllowedLocations=System.Object[]; parPolicyEffect=Deny}`
@@ -65,14 +59,7 @@ Object used to assign Sovereignty Baseline - Global Policies to the intermediate
![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
-Object used to assign Sovereignty Baseline - Confidential Policies to the confidential landing zone management groups.'
-
-- `parAllowedResourceTypes` - The list of Azure resource types approved for usage, which is the set of resource types that have a SKU backed by Azure Confidential Computing or resource types that do not process customer data. Leave empty to allow all relevant resource types.
-- `parListOfAllowedLocations` - The list of locations that your organization can use to restrict deploying resources to. If left empty, only the deployment location will be allowed.
-- `parallowedVirtualMachineSKUs` - The list of VM SKUs approved approved for usage, which is the set of SKUs backed by Azure Confidential Computing. Leave empty to allow all relevant SKUs.
-- `parPolicyEffect` - The effect type for the Sovereignty Baseline - Confidential Policies Assignment.
-
-
+Assign Sovereignty Baseline - Confidential Policies to confidential landing zone groups.
- Default value: `@{parAllowedResourceTypes=System.Object[]; parListOfAllowedLocations=System.Object[]; parAllowedVirtualMachineSKUs=System.Object[]; parPolicyEffect=Deny}`
@@ -80,7 +67,7 @@ Object used to assign Sovereignty Baseline - Confidential Policies to the confid
![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
-Toggle to apply platform policies to the Platform group or child groups.
+Apply platform policies to Platform group or child groups.
- Default value: `True`
@@ -88,7 +75,7 @@ Toggle to apply platform policies to the Platform group or child groups.
![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
-Toggle to assign policies to Corp & Online Management Groups under Landing Zones.
+Assign policies to Corp & Online Management Groups under Landing Zones.
- Default value: `True`
@@ -96,7 +83,7 @@ Toggle to assign policies to Corp & Online Management Groups under Landing Zones
![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
-Toggle to assign policies to Confidential Corp and Online groups under Landing Zones.
+Assign policies to Confidential Corp and Online groups under Landing Zones.
- Default value: `False`
@@ -166,7 +153,7 @@ Email address for Microsoft Defender for Cloud alerts.
![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
-Toggle to enable/disable DDoS Network Protection deployment. True enforces the Enable-DDoS-VNET policy at connectivity or landing zone groups; false does not.
+Enable/disable DDoS Network Protection. True enforces Enable-DDoS-VNET policy; false disables.
- Default value: `True`
@@ -174,25 +161,25 @@ Toggle to enable/disable DDoS Network Protection deployment. True enforces the E
![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
-Resource ID of the DDoS Protection Plan applied to Virtual Networks.
+Resource ID of the DDoS Protection Plan for Virtual Networks.
### parPrivateDnsResourceGroupId
![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
-Resource ID of the Resource Group containing Private DNS Zones. Leave empty to skip assigning the Deploy-Private-DNS-Zones policy to the Corp Management Group.
+Resource ID of the Resource Group for Private DNS Zones. Empty to skip assigning the Deploy-Private-DNS-Zones policy.
### parPrivateDnsZonesNamesToAuditInCorp
![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
-List of Private DNS Zones to audit if deployed in Subscriptions under the Corp Management Group. Include all zones, as this parameter overwrites default values. Retrieve names from the outPrivateDnsZonesNames output in the Hub Networking or Private DNS Zone modules.
+List of Private DNS Zones to audit under the Corp Management Group. This overwrites default values.
### parDisableAlzDefaultPolicies
![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
-Set to true to disable enforcement of all default ALZ policies.
+Disable all default ALZ policies.
- Default value: `False`
@@ -200,7 +187,7 @@ Set to true to disable enforcement of all default ALZ policies.
![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
-Set to true to disable enforcement of all default sovereign policies.
+Disable all default sovereign policies.
- Default value: `False`
@@ -208,25 +195,25 @@ Set to true to disable enforcement of all default sovereign policies.
![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
-Tag name for excluding VMs from this policy’s scope. Use with the Exclusion Tag Value parameter.
+Tag name for excluding VMs from this policy’s scope.
### parVmBackupExclusionTagValue
![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
-Tag value for excluding VMs from this policy’s scope (use a comma-separated list for multiple values). Use with the Exclusion Tag Name parameter.
+Tag value for excluding VMs from this policy’s scope. Comma-separated list for multiple values.
### parExcludedPolicyAssignments
![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
-Add assignment definition names to exclude specific policies. Find values in the Assigning Policies documentation.
+Names of policy assignments to exclude. Found in Assigning Policies documentation.
### parTelemetryOptOut
![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
-Set to true to opt out of deployment telemetry.
+Opt out of deployment telemetry.
- Default value: `False`
diff --git a/infra-as-code/bicep/modules/policy/assignments/generateddocs/policyAssignmentManagementGroup.bicep.md b/infra-as-code/bicep/modules/policy/assignments/generateddocs/policyAssignmentManagementGroup.bicep.md
index 99af732b2..13a2cc259 100644
--- a/infra-as-code/bicep/modules/policy/assignments/generateddocs/policyAssignmentManagementGroup.bicep.md
+++ b/infra-as-code/bicep/modules/policy/assignments/generateddocs/policyAssignmentManagementGroup.bicep.md
@@ -1,82 +1,82 @@
# ALZ Bicep - Management Group Policy Assignments
-Module used to assign policy definitions to management groups
+Module to assign policy definitions to management groups
## Parameters
Parameter name | Required | Description
-------------- | -------- | -----------
-parPolicyAssignmentName | Yes | The name of the policy assignment. e.g. "Deny-Public-IP"
-parPolicyAssignmentDisplayName | Yes | The display name of the policy assignment. e.g. "Deny the creation of Public IPs"
-parPolicyAssignmentDescription | Yes | The description of the policy assignment. e.g. "This policy denies creation of Public IPs under the assigned scope."
-parPolicyAssignmentDefinitionId | Yes | The policy definition ID for the policy to be assigned. e.g. "/providers/Microsoft.Authorization/policyDefinitions/9d0a794f-1444-4c96-9534-e35fc8c39c91" or "/providers/Microsoft.Management/managementgroups/alz/providers/Microsoft.Authorization/policyDefinitions/Deny-Public-IP"
-parPolicyAssignmentParameters | No | An object containing the parameter values for the policy to be assigned.
-parPolicyAssignmentParameterOverrides | No | An object containing parameter values that override those provided to parPolicyAssignmentParameters, usually via a JSON file and loadJsonContent(FILE_PATH). This is only useful when wanting to take values from a source like a JSON file for the majority of the parameters but override specific parameter inputs from other sources or hardcoded. If duplicate parameters exist between parPolicyAssignmentParameters & parPolicyAssignmentParameterOverrides, inputs provided to parPolicyAssignmentParameterOverrides will win.
-parPolicyAssignmentNonComplianceMessages | No | An array containing object/s for the non-compliance messages for the policy to be assigned. See https://docs.microsoft.com/en-us/azure/governance/policy/concepts/assignment-structure#non-compliance-messages for more details on use. 
-parPolicyAssignmentNotScopes | No | An array containing a list of scope Resource IDs to be excluded for the policy assignment. e.g. ['/providers/Microsoft.Management/managementgroups/alz', '/providers/Microsoft.Management/managementgroups/alz-sandbox' ].
-parPolicyAssignmentEnforcementMode | No | The enforcement mode for the policy assignment. See https://aka.ms/EnforcementMode for more details on use.
-parPolicyAssignmentOverrides | No | An array containing a list of objects containing the required overrides to be set on the assignment. See https://learn.microsoft.com/azure/governance/policy/concepts/assignment-structure#overrides-preview for more details on use.
-parPolicyAssignmentResourceSelectors | No | An array containing a list of objects containing the required resource selectors to be set on the assignment. See https://learn.microsoft.com/azure/governance/policy/concepts/assignment-structure#resource-selectors-preview for more details on use.
-parPolicyAssignmentIdentityType | No | The type of identity to be created and associated with the policy assignment. Only required for Modify and DeployIfNotExists policy effects.
-parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs | No | An array containing a list of additional Management Group IDs (as the Management Group deployed to is included automatically) that the System-assigned Managed Identity, associated to the policy assignment, will be assigned to additionally. e.g. ['alz', 'alz-sandbox' ].
-parPolicyAssignmentIdentityRoleAssignmentsSubs | No | An array containing a list of Subscription IDs that the System-assigned Managed Identity associated to the policy assignment will be assigned to in addition to the Management Group the policy is deployed/assigned to. e.g. ['8200b669-cbc6-4e6c-b6d8-f4797f924074', '7d58dc5d-93dc-43cd-94fc-57da2e74af0d' ]. 
-parPolicyAssignmentIdentityRoleAssignmentsResourceGroups | No | An array containing a list of Subscription IDs and Resource Group names seperated by a / (subscription ID/resource group name) that the System-assigned Managed Identity associated to the policy assignment will be assigned to in addition to the Management Group the policy is deployed/assigned to. e.g. ['8200b669-cbc6-4e6c-b6d8-f4797f924074/rg01', '7d58dc5d-93dc-43cd-94fc-57da2e74af0d/rg02' ].
-parPolicyAssignmentIdentityRoleDefinitionIds | No | An array containing a list of RBAC role definition IDs to be assigned to the Managed Identity that is created and associated with the policy assignment. Only required for Modify and DeployIfNotExists policy effects. e.g. ['/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c'].
-parTelemetryOptOut | No | Set Parameter to true to Opt-out of deployment telemetry
+parPolicyAssignmentName | Yes | Policy assignment name.
+parPolicyAssignmentDisplayName | Yes | Policy assignment display name.
+parPolicyAssignmentDescription | Yes | Policy assignment description.
+parPolicyAssignmentDefinitionId | Yes | Policy definition ID.
+parPolicyAssignmentParameters | No | Parameter values for the assigned policy.
+parPolicyAssignmentParameterOverrides | No | Overrides for parameter values in parPolicyAssignmentParameters.
+parPolicyAssignmentNonComplianceMessages | No | Non-compliance messages for the assigned policy.
+parPolicyAssignmentNotScopes | No | Scope Resource IDs excluded from policy assignment.
+parPolicyAssignmentEnforcementMode | No | Enforcement mode for the policy assignment.
+parPolicyAssignmentOverrides | No | List of required overrides for the policy assignment.
+parPolicyAssignmentResourceSelectors | No | List of required resource selectors for the policy assignment.
+parPolicyAssignmentIdentityType | No | Identity type for the policy assignment (required for Modify/DeployIfNotExists effects). 
+parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs | No | Additional Management Groups for System-assigned Managed Identity role assignments.
+parPolicyAssignmentIdentityRoleAssignmentsSubs | No | Subscription IDs for System-assigned Managed Identity role assignments.
+parPolicyAssignmentIdentityRoleAssignmentsResourceGroups | No | Subscription IDs and Resource Groups for System-assigned Managed Identity role assignments.
+parPolicyAssignmentIdentityRoleDefinitionIds | No | RBAC role definition IDs for Managed Identity role assignments (required for Modify/DeployIfNotExists effects).
+parTelemetryOptOut | No | Opt-out of deployment telemetry.
### parPolicyAssignmentName
![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square)
-The name of the policy assignment. e.g. "Deny-Public-IP"
+Policy assignment name.
### parPolicyAssignmentDisplayName
![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square)
-The display name of the policy assignment. e.g. "Deny the creation of Public IPs"
+Policy assignment display name.
### parPolicyAssignmentDescription
![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square)
-The description of the policy assignment. e.g. "This policy denies creation of Public IPs under the assigned scope."
+Policy assignment description.
### parPolicyAssignmentDefinitionId
![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square)
-The policy definition ID for the policy to be assigned. e.g. "/providers/Microsoft.Authorization/policyDefinitions/9d0a794f-1444-4c96-9534-e35fc8c39c91" or "/providers/Microsoft.Management/managementgroups/alz/providers/Microsoft.Authorization/policyDefinitions/Deny-Public-IP"
+Policy definition ID. 
### parPolicyAssignmentParameters ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) -An object containing the parameter values for the policy to be assigned. +Parameter values for the assigned policy. ### parPolicyAssignmentParameterOverrides ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) -An object containing parameter values that override those provided to parPolicyAssignmentParameters, usually via a JSON file and loadJsonContent(FILE_PATH). This is only useful when wanting to take values from a source like a JSON file for the majority of the parameters but override specific parameter inputs from other sources or hardcoded. If duplicate parameters exist between parPolicyAssignmentParameters & parPolicyAssignmentParameterOverrides, inputs provided to parPolicyAssignmentParameterOverrides will win. +Overrides for parameter values in parPolicyAssignmentParameters. ### parPolicyAssignmentNonComplianceMessages ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) -An array containing object/s for the non-compliance messages for the policy to be assigned. See https://docs.microsoft.com/en-us/azure/governance/policy/concepts/assignment-structure#non-compliance-messages for more details on use. +Non-compliance messages for the assigned policy. ### parPolicyAssignmentNotScopes ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) -An array containing a list of scope Resource IDs to be excluded for the policy assignment. e.g. ['/providers/Microsoft.Management/managementgroups/alz', '/providers/Microsoft.Management/managementgroups/alz-sandbox' ]. +Scope Resource IDs excluded from policy assignment. ### parPolicyAssignmentEnforcementMode ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) -The enforcement mode for the policy assignment. 
See https://aka.ms/EnforcementMode for more details on use. +Enforcement mode for the policy assignment. - Default value: `Default` @@ -86,19 +86,19 @@ The enforcement mode for the policy assignment. See https://aka.ms/EnforcementMo ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) -An array containing a list of objects containing the required overrides to be set on the assignment. See https://learn.microsoft.com/azure/governance/policy/concepts/assignment-structure#overrides-preview for more details on use. +List of required overrides for the policy assignment. ### parPolicyAssignmentResourceSelectors ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) -An array containing a list of objects containing the required resource selectors to be set on the assignment. See https://learn.microsoft.com/azure/governance/policy/concepts/assignment-structure#resource-selectors-preview for more details on use. +List of required resource selectors for the policy assignment. ### parPolicyAssignmentIdentityType ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) -The type of identity to be created and associated with the policy assignment. Only required for Modify and DeployIfNotExists policy effects. +Identity type for the policy assignment (required for Modify/DeployIfNotExists effects). - Default value: `None` 
@@ -108,31 +108,31 @@ The type of identity to be created and associated with the policy assignment. On ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) -An array containing a list of additional Management Group IDs (as the Management Group deployed to is included automatically) that the System-assigned Managed Identity, associated to the policy assignment, will be assigned to additionally. e.g. ['alz', 'alz-sandbox' ]. +Additional Management Groups for System-assigned Managed Identity role assignments. ### parPolicyAssignmentIdentityRoleAssignmentsSubs ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) -An array containing a list of Subscription IDs that the System-assigned Managed Identity associated to the policy assignment will be assigned to in addition to the Management Group the policy is deployed/assigned to. e.g. ['8200b669-cbc6-4e6c-b6d8-f4797f924074', '7d58dc5d-93dc-43cd-94fc-57da2e74af0d' ]. +Subscription IDs for System-assigned Managed Identity role assignments. ### parPolicyAssignmentIdentityRoleAssignmentsResourceGroups ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) -An array containing a list of Subscription IDs and Resource Group names seperated by a / (subscription ID/resource group name) that the System-assigned Managed Identity associated to the policy assignment will be assigned to in addition to the Management Group the policy is deployed/assigned to. e.g. ['8200b669-cbc6-4e6c-b6d8-f4797f924074/rg01', '7d58dc5d-93dc-43cd-94fc-57da2e74af0d/rg02' ]. +Subscription IDs and Resource Groups for System-assigned Managed Identity role assignments. 
### parPolicyAssignmentIdentityRoleDefinitionIds ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) -An array containing a list of RBAC role definition IDs to be assigned to the Managed Identity that is created and associated with the policy assignment. Only required for Modify and DeployIfNotExists policy effects. e.g. ['/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c']. +RBAC role definition IDs for Managed Identity role assignments (required for Modify/DeployIfNotExists effects). ### parTelemetryOptOut ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) -Set Parameter to true to Opt-out of deployment telemetry +Opt-out of deployment telemetry. - Default value: `False` diff --git a/infra-as-code/bicep/modules/policy/assignments/policyAssignmentManagementGroup.bicep b/infra-as-code/bicep/modules/policy/assignments/policyAssignmentManagementGroup.bicep index 99a1a91f7..9c48aeae5 100644 --- a/infra-as-code/bicep/modules/policy/assignments/policyAssignmentManagementGroup.bicep +++ b/infra-as-code/bicep/modules/policy/assignments/policyAssignmentManagementGroup.bicep 
@@ -1,75 +1,75 @@
 targetScope = 'managementGroup'
 metadata name = 'ALZ Bicep - Management Group Policy Assignments'
-metadata description = 'Module used to assign policy definitions to management groups'
+metadata description = 'Module to assign policy definitions to management groups'
 type nonComplianceMessageType = {
-  @description('The message to display when the policy is non-compliant.')
+  @description('Message for non-compliance.')
   message: string
-  @description('The reference ID of the policy definition.')
+  @description('Policy definition reference ID.')
   policyDefinitionReferenceId: string
 }[]
 @minLength(1)
 @maxLength(24)
-@sys.description('The name of the policy assignment. e.g. "Deny-Public-IP"')
+@description('Policy assignment name.')
 param parPolicyAssignmentName string
-@sys.description('The display name of the policy assignment. e.g. "Deny the creation of Public IPs"')
+@description('Policy assignment display name.')
 param parPolicyAssignmentDisplayName string
-@sys.description('The description of the policy assignment. e.g. "This policy denies creation of Public IPs under the assigned scope."')
+@description('Policy assignment description.')
 param parPolicyAssignmentDescription string
-@sys.description('The policy definition ID for the policy to be assigned. e.g. "/providers/Microsoft.Authorization/policyDefinitions/9d0a794f-1444-4c96-9534-e35fc8c39c91" or "/providers/Microsoft.Management/managementgroups/alz/providers/Microsoft.Authorization/policyDefinitions/Deny-Public-IP"')
+@description('Policy definition ID.')
 param parPolicyAssignmentDefinitionId string
-@sys.description('An object containing the parameter values for the policy to be assigned.')
+@description('Parameter values for the assigned policy.')
 param parPolicyAssignmentParameters object = {}
-@sys.description('An object containing parameter values that override those provided to parPolicyAssignmentParameters, usually via a JSON file and loadJsonContent(FILE_PATH). This is only useful when wanting to take values from a source like a JSON file for the majority of the parameters but override specific parameter inputs from other sources or hardcoded. If duplicate parameters exist between parPolicyAssignmentParameters & parPolicyAssignmentParameterOverrides, inputs provided to parPolicyAssignmentParameterOverrides will win.')
+@description('Overrides for parameter values in parPolicyAssignmentParameters.')
 param parPolicyAssignmentParameterOverrides object = {}
-@sys.description('An array containing object/s for the non-compliance messages for the policy to be assigned. See https://docs.microsoft.com/en-us/azure/governance/policy/concepts/assignment-structure#non-compliance-messages for more details on use.')
+@description('Non-compliance messages for the assigned policy.')
 param parPolicyAssignmentNonComplianceMessages nonComplianceMessageType = []
-@sys.description('An array containing a list of scope Resource IDs to be excluded for the policy assignment. e.g. [\'/providers/Microsoft.Management/managementgroups/alz\', \'/providers/Microsoft.Management/managementgroups/alz-sandbox\' ].')
+@description('Scope Resource IDs excluded from policy assignment.')
 param parPolicyAssignmentNotScopes array = []
 @allowed([
   'Default'
   'DoNotEnforce'
 ])
-@sys.description('The enforcement mode for the policy assignment. See https://aka.ms/EnforcementMode for more details on use.')
+@description('Enforcement mode for the policy assignment.')
 param parPolicyAssignmentEnforcementMode string = 'Default'
-@sys.description('An array containing a list of objects containing the required overrides to be set on the assignment. See https://learn.microsoft.com/azure/governance/policy/concepts/assignment-structure#overrides-preview for more details on use.')
+@description('List of required overrides for the policy assignment.')
 param parPolicyAssignmentOverrides array = []
-@sys.description('An array containing a list of objects containing the required resource selectors to be set on the assignment. See https://learn.microsoft.com/azure/governance/policy/concepts/assignment-structure#resource-selectors-preview for more details on use.')
+@description('List of required resource selectors for the policy assignment.')
 param parPolicyAssignmentResourceSelectors array = []
 @allowed([
   'None'
   'SystemAssigned'
 ])
-@sys.description('The type of identity to be created and associated with the policy assignment. Only required for Modify and DeployIfNotExists policy effects.')
+@description('Identity type for the policy assignment (required for Modify/DeployIfNotExists effects).')
 param parPolicyAssignmentIdentityType string = 'None'
-@sys.description('An array containing a list of additional Management Group IDs (as the Management Group deployed to is included automatically) that the System-assigned Managed Identity, associated to the policy assignment, will be assigned to additionally. e.g. [\'alz\', \'alz-sandbox\' ].')
+@description('Additional Management Groups for System-assigned Managed Identity role assignments.')
 param parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs array = []
-@sys.description('An array containing a list of Subscription IDs that the System-assigned Managed Identity associated to the policy assignment will be assigned to in addition to the Management Group the policy is deployed/assigned to. e.g. [\'8200b669-cbc6-4e6c-b6d8-f4797f924074\', \'7d58dc5d-93dc-43cd-94fc-57da2e74af0d\' ].')
+@description('Subscription IDs for System-assigned Managed Identity role assignments.')
 param parPolicyAssignmentIdentityRoleAssignmentsSubs array = []
-@sys.description('An array containing a list of Subscription IDs and Resource Group names seperated by a / (subscription ID/resource group name) that the System-assigned Managed Identity associated to the policy assignment will be assigned to in addition to the Management Group the policy is deployed/assigned to. e.g. [\'8200b669-cbc6-4e6c-b6d8-f4797f924074/rg01\', \'7d58dc5d-93dc-43cd-94fc-57da2e74af0d/rg02\' ].')
+@description('Subscription IDs and Resource Groups for System-assigned Managed Identity role assignments.')
 param parPolicyAssignmentIdentityRoleAssignmentsResourceGroups array = []
-@sys.description('An array containing a list of RBAC role definition IDs to be assigned to the Managed Identity that is created and associated with the policy assignment. Only required for Modify and DeployIfNotExists policy effects. e.g. [\'/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\'].')
+@description('RBAC role definition IDs for Managed Identity role assignments (required for Modify/DeployIfNotExists effects).')
 param parPolicyAssignmentIdentityRoleDefinitionIds array = []
-@sys.description('Set Parameter to true to Opt-out of deployment telemetry')
+@description('Opt-out of deployment telemetry.')
 param parTelemetryOptOut bool = false
 var varPolicyAssignmentParametersMerged = union(parPolicyAssignmentParameters, parPolicyAssignmentParameterOverrides)
diff --git a/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentManagementGroup.bicep.md b/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentManagementGroup.bicep.md
index 734b6d223..e9296ee54 100644
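Review bot: The new `@description` on `parPolicyAssignmentIdentityRoleAssignmentsResourceGroups` drops the only statement of the entry format — the removed text said each entry is `subscription ID/resource group name` joined by a `/` — so a caller now has nothing telling them how the module expects the pair to be encoded; suggest `@description('Resource groups, as "<subscriptionId>/<resourceGroupName>" entries, to receive System-assigned Managed Identity role assignments in addition to the assignment management group.')`. The same hunk removes from `parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs` the note that the management group deployed to is included automatically, which is what told callers not to list it again. Because `parPolicyAssignmentIdentityRoleDefinitionIds` is what the policy's identity is granted at every one of those scopes, the dropped full-resource-ID example and a reminder to pick the narrowest role the Modify/DeployIfNotExists effect needs are worth the extra characters. Replacing `@sys.description` with `@description` appears safe only if no parameter, variable or other symbol named `description` is declared later in the file, which the hunk does not show.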
--- a/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentManagementGroup.bicep.md
+++ b/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentManagementGroup.bicep.md
@@ -7,12 +7,12 @@ Module to assign a role to a Management Group
 Parameter name | Required | Description
 -------------- | -------- | -----------
 parRoleAssignmentNameGuid | No | GUID for the role assignment name.
-parRoleDefinitionId | Yes | Role Definition Id (e.g., Reader Role Definition ID: acdd72a7-3385-48ef-bd42-f606fba81ae7)
-parAssigneePrincipalType | Yes | Principal type of the assignee: 'Group' (Security Group) or 'ServicePrincipal' (Service Principal/Managed Identity).
-parAssigneeObjectId | Yes | Object ID of groups, service principals, or managed identities (use principal ID for managed identities).
-parTelemetryOptOut | No | Set to true to opt out of deployment telemetry.
-parRoleAssignmentCondition | No | Role assignment condition (e.g., Owner, User Access Administrator). Only roles with `write` or `delete` permissions can have a condition.
-parRoleAssignmentConditionVersion | No | Role assignment condition version. Only value accepted is '2.0'.
+parRoleDefinitionId | Yes | Role Definition ID (e.g., Reader Role ID: acdd72a7-3385-48ef-bd42-f606fba81ae7).
+parAssigneePrincipalType | Yes | Principal type: "Group" (Security Group) or "ServicePrincipal" (Service Principal/Managed Identity).
+parAssigneeObjectId | Yes | Object ID of the group, service principal, or managed identity.
+parTelemetryOptOut | No | Opt out of deployment telemetry.
+parRoleAssignmentCondition | No | Role assignment condition (e.g., Owner, User Access Administrator).
+parRoleAssignmentConditionVersion | No | Role assignment condition version. Must be "2.0".
 ### parRoleAssignmentNameGuid
@@ -26,13 +26,13 @@ GUID for the role assignment name.
 ![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square)
-Role Definition Id (e.g., Reader Role Definition ID: acdd72a7-3385-48ef-bd42-f606fba81ae7)
+Role Definition ID (e.g., Reader Role ID: acdd72a7-3385-48ef-bd42-f606fba81ae7).
 ### parAssigneePrincipalType
 ![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square)
-Principal type of the assignee: 'Group' (Security Group) or 'ServicePrincipal' (Service Principal/Managed Identity).
+Principal type: "Group" (Security Group) or "ServicePrincipal" (Service Principal/Managed Identity).
 - Allowed values: `Group`, `ServicePrincipal`
@@ -40,13 +40,13 @@ Principal type of the assignee: 'Group' (Security Group) or 'ServicePrincipal' (
 ![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square)
-Object ID of groups, service principals, or managed identities (use principal ID for managed identities).
+Object ID of the group, service principal, or managed identity.
 ### parTelemetryOptOut
 ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
-Set to true to opt out of deployment telemetry.
+Opt out of deployment telemetry.
 - Default value: `False`
@@ -54,13 +54,13 @@ Set to true to opt out of deployment telemetry.
 ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
-Role assignment condition (e.g., Owner, User Access Administrator). Only roles with `write` or `delete` permissions can have a condition.
+Role assignment condition (e.g., Owner, User Access Administrator).
 ### parRoleAssignmentConditionVersion
 ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
-Role assignment condition version. Only value accepted is '2.0'.
+Role assignment condition version. Must be "2.0".
 - Default value: `2.0`
diff --git a/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentManagementGroupMany.bicep.md b/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentManagementGroupMany.bicep.md
index 2361bea2f..f321663f3 100644
--- a/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentManagementGroupMany.bicep.md
+++ b/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentManagementGroupMany.bicep.md
@@ -6,31 +6,31 @@ Module to assign a role to multiple Management Groups
 Parameter name | Required | Description
 -------------- | -------- | -----------
-parManagementGroupIds | No | List of management group scopes for role assignment (e.g., [alz-platform-connectivity, alz-platform-identity]).
-parRoleDefinitionId | Yes | Role Definition Id (e.g., Reader Role Definition ID: acdd72a7-3385-48ef-bd42-f606fba81ae7)
-parAssigneePrincipalType | Yes | Principal type: 'Group' (Security Group) or 'ServicePrincipal' (Service Principal/Managed Identity).
-parAssigneeObjectId | Yes | Object ID of groups, service principals, or managed identities (use principal ID for managed identities).
-parTelemetryOptOut | No | Set to true to opt out of deployment telemetry.
-parRoleAssignmentCondition | No | Role assignment condition (e.g., Owner, User Access Administrator). Only roles with `write` or `delete` permissions can have a condition.
-parRoleAssignmentConditionVersion | No | Role assignment condition version. Only value accepted is '2.0'.
+parManagementGroupIds | No | List of management group scopes (e.g., [alz-platform-connectivity, alz-platform-identity]).
+parRoleDefinitionId | Yes | Role Definition ID (e.g., Reader Role ID: acdd72a7-3385-48ef-bd42-f606fba81ae7).
+parAssigneePrincipalType | Yes | Principal type: "Group" (Security Group) or "ServicePrincipal" (Service Principal/Managed Identity).
+parAssigneeObjectId | Yes | Object ID of the group, service principal, or managed identity.
+parTelemetryOptOut | No | Opt out of deployment telemetry.
+parRoleAssignmentCondition | No | Role assignment condition (e.g., Owner, User Access Administrator).
+parRoleAssignmentConditionVersion | No | Role assignment condition version. Must be "2.0".
 ### parManagementGroupIds
 ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
-List of management group scopes for role assignment (e.g., [alz-platform-connectivity, alz-platform-identity]).
+List of management group scopes (e.g., [alz-platform-connectivity, alz-platform-identity]).
 ### parRoleDefinitionId
 ![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square)
-Role Definition Id (e.g., Reader Role Definition ID: acdd72a7-3385-48ef-bd42-f606fba81ae7)
+Role Definition ID (e.g., Reader Role ID: acdd72a7-3385-48ef-bd42-f606fba81ae7).
 ### parAssigneePrincipalType
 ![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square)
-Principal type: 'Group' (Security Group) or 'ServicePrincipal' (Service Principal/Managed Identity).
+Principal type: "Group" (Security Group) or "ServicePrincipal" (Service Principal/Managed Identity).
 - Allowed values: `Group`, `ServicePrincipal`
@@ -38,13 +38,13 @@ Principal type: 'Group' (Security Group) or 'ServicePrincipal' (Service Principa
 ![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square)
-Object ID of groups, service principals, or managed identities (use principal ID for managed identities).
+Object ID of the group, service principal, or managed identity.
 ### parTelemetryOptOut
 ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
-Set to true to opt out of deployment telemetry.
+Opt out of deployment telemetry.
 - Default value: `False`
@@ -52,13 +52,13 @@ Set to true to opt out of deployment telemetry.
 ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
-Role assignment condition (e.g., Owner, User Access Administrator). Only roles with `write` or `delete` permissions can have a condition.
+Role assignment condition (e.g., Owner, User Access Administrator).
 ### parRoleAssignmentConditionVersion
 ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
-Role assignment condition version. Only value accepted is '2.0'.
+Role assignment condition version. Must be "2.0".
 - Default value: `2.0`
diff --git a/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentSubscription.bicep.md b/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentSubscription.bicep.md
index 35f20e6bb..a710aafda 100644
--- a/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentSubscription.bicep.md
+++ b/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentSubscription.bicep.md
@@ -7,12 +7,12 @@ Module to assign a role to a Subscription
 Parameter name | Required | Description
 -------------- | -------- | -----------
 parRoleAssignmentNameGuid | No | GUID for the role assignment name.
-parRoleDefinitionId | Yes | Role Definition Id (e.g., Reader Role Definition ID: acdd72a7-3385-48ef-bd42-f606fba81ae7)
-parAssigneePrincipalType | Yes | Principal type: 'Group' (Security Group) or 'ServicePrincipal' (Service Principal/Managed Identity).
-parAssigneeObjectId | Yes | Object ID of groups, service principals, or managed identities (use principal ID for managed identities).
-parTelemetryOptOut | No | Set to true to opt out of deployment telemetry.
-parRoleAssignmentCondition | No | Role assignment condition (e.g., Owner, User Access Administrator). Only roles with `write` or `delete` permissions can have a condition.
-parRoleAssignmentConditionVersion | No | Role assignment condition version. Only value accepted is '2.0'.
+parRoleDefinitionId | Yes | Role Definition ID (e.g., Reader Role ID: acdd72a7-3385-48ef-bd42-f606fba81ae7).
+parAssigneePrincipalType | Yes | Principal type: "Group" (Security Group) or "ServicePrincipal" (Service Principal/Managed Identity).
+parAssigneeObjectId | Yes | Object ID of the group, service principal, or managed identity.
+parTelemetryOptOut | No | Opt out of deployment telemetry.
+parRoleAssignmentCondition | No | Role assignment condition (e.g., Owner, User Access Administrator).
+parRoleAssignmentConditionVersion | No | Role assignment condition version. Must be "2.0".
 ### parRoleAssignmentNameGuid
@@ -26,13 +26,13 @@ GUID for the role assignment name.
 ![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square)
-Role Definition Id (e.g., Reader Role Definition ID: acdd72a7-3385-48ef-bd42-f606fba81ae7)
+Role Definition ID (e.g., Reader Role ID: acdd72a7-3385-48ef-bd42-f606fba81ae7).
 ### parAssigneePrincipalType
 ![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square)
-Principal type: 'Group' (Security Group) or 'ServicePrincipal' (Service Principal/Managed Identity).
+Principal type: "Group" (Security Group) or "ServicePrincipal" (Service Principal/Managed Identity).
 - Allowed values: `Group`, `ServicePrincipal`
@@ -40,13 +40,13 @@ Principal type: 'Group' (Security Group) or 'ServicePrincipal' (Service Principa
 ![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square)
-Object ID of groups, service principals, or managed identities (use principal ID for managed identities).
+Object ID of the group, service principal, or managed identity.
 ### parTelemetryOptOut
 ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
-Set to true to opt out of deployment telemetry.
+Opt out of deployment telemetry.
 - Default value: `False`
@@ -54,13 +54,13 @@ Set to true to opt out of deployment telemetry.
 ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
-Role assignment condition (e.g., Owner, User Access Administrator). Only roles with `write` or `delete` permissions can have a condition.
+Role assignment condition (e.g., Owner, User Access Administrator).
 ### parRoleAssignmentConditionVersion
 ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
-Role assignment condition version. Only value accepted is '2.0'.
+Role assignment condition version. Must be "2.0".
 - Default value: `2.0`
diff --git a/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentSubscriptionMany.bicep.md b/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentSubscriptionMany.bicep.md
index 427c54975..40c88ffb0 100644
--- a/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentSubscriptionMany.bicep.md
+++ b/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentSubscriptionMany.bicep.md
@@ -6,31 +6,31 @@ Module to assign a role to multiple Subscriptions
 Parameter name | Required | Description
 -------------- | -------- | -----------
-parSubscriptionIds | No | List of subscription IDs for role assignment (e.g., 4f9f8765-911a-4a6d-af60-4bc0473268c0).
-parRoleDefinitionId | Yes | Role Definition Id (e.g., Reader Role Definition ID: acdd72a7-3385-48ef-bd42-f606fba81ae7)
-parAssigneePrincipalType | Yes | Principal type: 'Group' (Security Group) or 'ServicePrincipal' (Service Principal/Managed Identity).
-parAssigneeObjectId | Yes | Object ID of groups, service principals, or managed identities (use principal ID for managed identities).
-parTelemetryOptOut | No | Set to true to opt out of deployment telemetry.
-parRoleAssignmentCondition | No | Role assignment condition (e.g., Owner, User Access Administrator). Only roles with `write` or `delete` permissions can have a condition.
-parRoleAssignmentConditionVersion | No | Role assignment condition version. Only value accepted is '2.0'.
+parSubscriptionIds | No | List of subscription IDs (e.g., 4f9f8765-911a-4a6d-af60-4bc0473268c0).
+parRoleDefinitionId | Yes | Role Definition ID (e.g., Reader Role ID: acdd72a7-3385-48ef-bd42-f606fba81ae7).
+parAssigneePrincipalType | Yes | Principal type: "Group" (Security Group) or "ServicePrincipal" (Service Principal/Managed Identity).
+parAssigneeObjectId | Yes | Object ID of the group, service principal, or managed identity.
+parTelemetryOptOut | No | Opt out of deployment telemetry.
+parRoleAssignmentCondition | No | Role assignment condition (e.g., Owner, User Access Administrator).
+parRoleAssignmentConditionVersion | No | Role assignment condition version. Must be "2.0".
 ### parSubscriptionIds
 ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
-List of subscription IDs for role assignment (e.g., 4f9f8765-911a-4a6d-af60-4bc0473268c0).
+List of subscription IDs (e.g., 4f9f8765-911a-4a6d-af60-4bc0473268c0).
 ### parRoleDefinitionId
 ![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square)
-Role Definition Id (e.g., Reader Role Definition ID: acdd72a7-3385-48ef-bd42-f606fba81ae7)
+Role Definition ID (e.g., Reader Role ID: acdd72a7-3385-48ef-bd42-f606fba81ae7).
 ### parAssigneePrincipalType
 ![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square)
-Principal type: 'Group' (Security Group) or 'ServicePrincipal' (Service Principal/Managed Identity).
+Principal type: "Group" (Security Group) or "ServicePrincipal" (Service Principal/Managed Identity).
 - Allowed values: `Group`, `ServicePrincipal`
@@ -38,13 +38,13 @@ Principal type: 'Group' (Security Group) or 'ServicePrincipal' (Service Principa
 ![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square)
-Object ID of groups, service principals, or managed identities (use principal ID for managed identities).
+Object ID of the group, service principal, or managed identity.
 ### parTelemetryOptOut
 ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
-Set to true to opt out of deployment telemetry.
+Opt out of deployment telemetry.
 - Default value: `False`
@@ -52,13 +52,13 @@ Set to true to opt out of deployment telemetry.
 ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
-Role assignment condition (e.g., Owner, User Access Administrator). Only roles with `write` or `delete` permissions can have a condition.
+Role assignment condition (e.g., Owner, User Access Administrator).
 ### parRoleAssignmentConditionVersion
 ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
-Role assignment condition version. Only value accepted is '2.0'.
+Role assignment condition version. Must be "2.0".
 - Default value: `2.0`
diff --git a/infra-as-code/bicep/modules/roleAssignments/roleAssignmentManagementGroup.bicep b/infra-as-code/bicep/modules/roleAssignments/roleAssignmentManagementGroup.bicep index e6b3797dd..f8dcfaf9d 100644 --- a/infra-as-code/bicep/modules/roleAssignments/roleAssignmentManagementGroup.bicep +++ b/infra-as-code/bicep/modules/roleAssignments/roleAssignmentManagementGroup.bicep 
@@ -3,29 +3,29 @@ targetScope = 'managementGroup'
 metadata name = 'ALZ Bicep - Role Assignment to a Management Group'
 metadata description = 'Module to assign a role to a Management Group'
-@sys.description('GUID for the role assignment name.')
+@description('GUID for the role assignment name.')
 param parRoleAssignmentNameGuid string = guid(managementGroup().name, parRoleDefinitionId, parAssigneeObjectId)
-@sys.description('Role Definition Id (e.g., Reader Role Definition ID: acdd72a7-3385-48ef-bd42-f606fba81ae7)')
+@description('Role Definition ID (e.g., Reader Role ID: acdd72a7-3385-48ef-bd42-f606fba81ae7).')
 param parRoleDefinitionId string
-@sys.description('Principal type of the assignee: \'Group\' (Security Group) or \'ServicePrincipal\' (Service Principal/Managed Identity).')
+@description('Principal type: "Group" (Security Group) or "ServicePrincipal" (Service Principal/Managed Identity).')
 @allowed([
 'Group'
 'ServicePrincipal'
 ])
 param parAssigneePrincipalType string
-@sys.description('Object ID of groups, service principals, or managed identities (use principal ID for managed identities).')
+@description('Object ID of the group, service principal, or managed identity.')
 param parAssigneeObjectId string
-@sys.description('Set to true to opt out of deployment telemetry.')
+@description('Opt out of deployment telemetry.')
 param parTelemetryOptOut bool = false
-@sys.description('Role assignment condition (e.g., Owner, User Access Administrator). Only roles with `write` or `delete` permissions can have a condition.')
+@description('Role assignment condition (e.g., Owner, User Access Administrator).')
 param parRoleAssignmentCondition string = ''
-@sys.description('Role assignment condition version. Only value accepted is \'2.0\'.')
+@description('Role assignment condition version. Must be "2.0".')
 param parRoleAssignmentConditionVersion string = '2.0'
 // Customer Usage Attribution Id
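Review bot: The shortened `+@description` lines for parAssigneeObjectId and parRoleAssignmentCondition drop two constraints the old text carried and that callers of an authorization module need: a managed identity must be referenced by its principal (object) ID rather than its client ID, and a condition is only meaningful on roles that grant `write` or `delete` permissions. Losing them makes it easier to create an assignment against the wrong identifier or to attach a condition that is likely to have no effect, so I would keep the substance while trimming the wording, e.g. `@description('Object ID of the group, service principal, or managed identity (for managed identities, the principal ID, not the client ID).')` and `@description('Role assignment condition (e.g., Owner, User Access Administrator). Only roles with write or delete permissions can carry a condition.')`. The new description for parRoleAssignmentConditionVersion states the value must be "2.0" but nothing enforces it; an `@allowed(['2.0'])` decorator above `param parRoleAssignmentConditionVersion string = '2.0'` would reject anything else at validation time, as the `@allowed` on parAssigneePrincipalType already does. The same three edits apply to the matching hunks in roleAssignmentManagementGroupMany.bicep, roleAssignmentSubscription.bicep and roleAssignmentSubscriptionMany.bicep.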
diff --git a/infra-as-code/bicep/modules/roleAssignments/roleAssignmentManagementGroupMany.bicep b/infra-as-code/bicep/modules/roleAssignments/roleAssignmentManagementGroupMany.bicep
index 10d0616ed..89eb9b696 100644
--- a/infra-as-code/bicep/modules/roleAssignments/roleAssignmentManagementGroupMany.bicep
+++ b/infra-as-code/bicep/modules/roleAssignments/roleAssignmentManagementGroupMany.bicep
@@ -3,29 +3,29 @@ targetScope = 'managementGroup'
 metadata name = 'ALZ Bicep - Role Assignment to Management Groups'
 metadata description = 'Module to assign a role to multiple Management Groups'
-@sys.description('List of management group scopes for role assignment (e.g., [alz-platform-connectivity, alz-platform-identity]).')
+@description('List of management group scopes (e.g., [alz-platform-connectivity, alz-platform-identity]).')
 param parManagementGroupIds array = []
-@sys.description('Role Definition Id (e.g., Reader Role Definition ID: acdd72a7-3385-48ef-bd42-f606fba81ae7)')
+@description('Role Definition ID (e.g., Reader Role ID: acdd72a7-3385-48ef-bd42-f606fba81ae7).')
 param parRoleDefinitionId string
-@sys.description('Principal type: \'Group\' (Security Group) or \'ServicePrincipal\' (Service Principal/Managed Identity).')
+@description('Principal type: "Group" (Security Group) or "ServicePrincipal" (Service Principal/Managed Identity).')
 @allowed([
 'Group'
 'ServicePrincipal'
 ])
 param parAssigneePrincipalType string
-@sys.description('Object ID of groups, service principals, or managed identities (use principal ID for managed identities).')
+@description('Object ID of the group, service principal, or managed identity.')
 param parAssigneeObjectId string
-@sys.description('Set to true to opt out of deployment telemetry.')
+@description('Opt out of deployment telemetry.')
 param parTelemetryOptOut bool = false
-@sys.description('Role assignment condition (e.g., Owner, User Access Administrator). Only roles with `write` or `delete` permissions can have a condition.')
+@description('Role assignment condition (e.g., Owner, User Access Administrator).')
 param parRoleAssignmentCondition string = ''
-@sys.description('Role assignment condition version. Only value accepted is \'2.0\'.')
+@description('Role assignment condition version. Must be "2.0".')
 param parRoleAssignmentConditionVersion string = '2.0'
 module modRoleAssignment 'roleAssignmentManagementGroup.bicep' = [for parManagementGroupId in parManagementGroupIds: {
diff --git a/infra-as-code/bicep/modules/roleAssignments/roleAssignmentSubscription.bicep b/infra-as-code/bicep/modules/roleAssignments/roleAssignmentSubscription.bicep
index 569ec74d8..c735e786c 100644
--- a/infra-as-code/bicep/modules/roleAssignments/roleAssignmentSubscription.bicep
+++ b/infra-as-code/bicep/modules/roleAssignments/roleAssignmentSubscription.bicep
@@ -3,29 +3,29 @@ targetScope = 'subscription'
 metadata name = 'ALZ Bicep - Role Assignment to a Subscription'
 metadata description = 'Module to assign a role to a Subscription'
-@sys.description('GUID for the role assignment name.')
+@description('GUID for the role assignment name.')
 param parRoleAssignmentNameGuid string = guid(subscription().subscriptionId, parRoleDefinitionId, parAssigneeObjectId)
-@sys.description('Role Definition Id (e.g., Reader Role Definition ID: acdd72a7-3385-48ef-bd42-f606fba81ae7)')
+@description('Role Definition ID (e.g., Reader Role ID: acdd72a7-3385-48ef-bd42-f606fba81ae7).')
 param parRoleDefinitionId string
-@sys.description('Principal type: \'Group\' (Security Group) or \'ServicePrincipal\' (Service Principal/Managed Identity).')
+@description('Principal type: "Group" (Security Group) or "ServicePrincipal" (Service Principal/Managed Identity).')
 @allowed([
 'Group'
 'ServicePrincipal'
 ])
 param parAssigneePrincipalType string
-@sys.description('Object ID of groups, service principals, or managed identities (use principal ID for managed identities).')
+@description('Object ID of the group, service principal, or managed identity.')
 param parAssigneeObjectId string
-@sys.description('Set to true to opt out of deployment telemetry.')
+@description('Opt out of deployment telemetry.')
 param parTelemetryOptOut bool = false
-@sys.description('Role assignment condition (e.g., Owner, User Access Administrator). Only roles with `write` or `delete` permissions can have a condition.')
+@description('Role assignment condition (e.g., Owner, User Access Administrator).')
 param parRoleAssignmentCondition string = ''
-@sys.description('Role assignment condition version. Only value accepted is \'2.0\'.')
+@description('Role assignment condition version. Must be "2.0".')
 param parRoleAssignmentConditionVersion string = '2.0'
 // Customer Usage Attribution Id
diff --git a/infra-as-code/bicep/modules/roleAssignments/roleAssignmentSubscriptionMany.bicep b/infra-as-code/bicep/modules/roleAssignments/roleAssignmentSubscriptionMany.bicep
index 8c45b4233..8fde7541a 100644
--- a/infra-as-code/bicep/modules/roleAssignments/roleAssignmentSubscriptionMany.bicep
+++ b/infra-as-code/bicep/modules/roleAssignments/roleAssignmentSubscriptionMany.bicep
@@ -3,29 +3,29 @@ targetScope = 'managementGroup'
 metadata name = 'ALZ Bicep - Role Assignment to Subscriptions'
 metadata description = 'Module to assign a role to multiple Subscriptions'
-@sys.description('List of subscription IDs for role assignment (e.g., 4f9f8765-911a-4a6d-af60-4bc0473268c0).')
+@description('List of subscription IDs (e.g., 4f9f8765-911a-4a6d-af60-4bc0473268c0).')
 param parSubscriptionIds array = []
-@sys.description('Role Definition Id (e.g., Reader Role Definition ID: acdd72a7-3385-48ef-bd42-f606fba81ae7)')
+@description('Role Definition ID (e.g., Reader Role ID: acdd72a7-3385-48ef-bd42-f606fba81ae7).')
 param parRoleDefinitionId string
-@sys.description('Principal type: \'Group\' (Security Group) or \'ServicePrincipal\' (Service Principal/Managed Identity).')
+@description('Principal type: "Group" (Security Group) or "ServicePrincipal" (Service Principal/Managed Identity).')
 @allowed([
 'Group'
 'ServicePrincipal'
 ])
 param parAssigneePrincipalType string
-@sys.description('Object ID of groups, service principals, or managed identities (use principal ID for managed identities).')
+@description('Object ID of the group, service principal, or managed identity.')
 param parAssigneeObjectId string
-@sys.description('Set to true to opt out of deployment telemetry.')
+@description('Opt out of deployment telemetry.')
 param parTelemetryOptOut bool = false
-@sys.description('Role assignment condition (e.g., Owner, User Access Administrator). Only roles with `write` or `delete` permissions can have a condition.')
+@description('Role assignment condition (e.g., Owner, User Access Administrator).')
 param parRoleAssignmentCondition string = ''
-@sys.description('Role assignment condition version. Only value accepted is \'2.0\'.')
+@description('Role assignment condition version. Must be "2.0".')
 param parRoleAssignmentConditionVersion string = '2.0'
 module modRoleAssignment 'roleAssignmentSubscription.bicep' = [for subscriptionId in parSubscriptionIds: {