From f8ca1d1cb938d6738105f9c4dd5bb6290ba1bdbc Mon Sep 17 00:00:00 2001 From: Jack Tracey Date: Mon, 14 Feb 2022 19:25:51 +0000 Subject: [PATCH 1/7] update linting rules --- .../CRML/containerRegistry/bicepconfig.json | 23 ++++++++++++++++++- .../customerUsageAttribution/bicepconfig.json | 23 ++++++++++++++++++- .../CRML/subscriptionAlias/bicepconfig.json | 23 ++++++++++++++++++- .../customRoleDefinitions/bicepconfig.json | 23 ++++++++++++++++++- .../modules/hubNetworking/bicepconfig.json | 23 ++++++++++++++++++- .../bicep/modules/logging/bicepconfig.json | 23 ++++++++++++++++++- .../modules/managementGroups/bicepconfig.json | 23 ++++++++++++++++++- .../assignments/alzDefaults/bicepconfig.json | 23 ++++++++++++++++++- .../policy/assignments/bicepconfig.json | 23 ++++++++++++++++++- .../policy/definitions/bicepconfig.json | 23 ++++++++++++++++++- .../bicep/modules/publicIp/bicepconfig.json | 23 ++++++++++++++++++- .../modules/resourceGroup/bicepconfig.json | 23 ++++++++++++++++++- .../modules/roleAssignments/bicepconfig.json | 23 ++++++++++++++++++- .../modules/spokeNetworking/bicepconfig.json | 23 ++++++++++++++++++- .../subscriptionPlacement/bicepconfig.json | 23 ++++++++++++++++++- .../orchestration/hubSpoke/bicepconfig.json | 2 +- .../virtualNetworkPeer/bicepconfig.json | 23 ++++++++++++++++++- 17 files changed, 353 insertions(+), 17 deletions(-) diff --git a/infra-as-code/bicep/CRML/containerRegistry/bicepconfig.json b/infra-as-code/bicep/CRML/containerRegistry/bicepconfig.json index 3b1174a57..2c0ef2c34 100644 --- a/infra-as-code/bicep/CRML/containerRegistry/bicepconfig.json +++ b/infra-as-code/bicep/CRML/containerRegistry/bicepconfig.json @@ -31,11 +31,32 @@ "simplify-interpolation": { "level": "error" }, - "use-protectedsettings-for-commandtoexecute-secrets": { + "protect-commandtoexecute-secrets": { "level": "error" }, "use-stable-vm-image": { "level": "error" + }, + "explicit-values-for-loc-params": { + "level": "error" + }, + "no-hardcoded-location": { + "level": "error" + }, + "no-loc-expr-outside-params": { + "level": "error" + }, + "max-outputs": { + "level": "error" + }, + "max-params": { + "level": "error" + }, + "max-resources": { + "level": "error" + }, + "max-variables": { + "level": "error" } } } diff --git a/infra-as-code/bicep/CRML/customerUsageAttribution/bicepconfig.json b/infra-as-code/bicep/CRML/customerUsageAttribution/bicepconfig.json index 3b1174a57..2c0ef2c34 100644 --- a/infra-as-code/bicep/CRML/customerUsageAttribution/bicepconfig.json +++ b/infra-as-code/bicep/CRML/customerUsageAttribution/bicepconfig.json @@ -31,11 +31,32 @@ "simplify-interpolation": { "level": "error" }, - "use-protectedsettings-for-commandtoexecute-secrets": { + "protect-commandtoexecute-secrets": { "level": "error" }, "use-stable-vm-image": { "level": "error" + }, + "explicit-values-for-loc-params": { + "level": "error" + }, + "no-hardcoded-location": { + "level": "error" + }, + "no-loc-expr-outside-params": { + "level": "error" + }, + "max-outputs": { + "level": "error" + }, + "max-params": { + "level": "error" + }, + "max-resources": { + "level": "error" + }, + "max-variables": { + "level": "error" } } } diff --git a/infra-as-code/bicep/CRML/subscriptionAlias/bicepconfig.json b/infra-as-code/bicep/CRML/subscriptionAlias/bicepconfig.json index 3b1174a57..2c0ef2c34 100644 --- a/infra-as-code/bicep/CRML/subscriptionAlias/bicepconfig.json +++ b/infra-as-code/bicep/CRML/subscriptionAlias/bicepconfig.json @@ -31,11 +31,32 @@ "simplify-interpolation": { "level": "error" }, - "use-protectedsettings-for-commandtoexecute-secrets": { + "protect-commandtoexecute-secrets": { "level": "error" }, "use-stable-vm-image": { "level": "error" + }, + "explicit-values-for-loc-params": { + "level": "error" + }, + "no-hardcoded-location": { + "level": "error" + }, + "no-loc-expr-outside-params": { + "level": "error" + }, + "max-outputs": { + "level": "error" + }, + "max-params": { + "level": "error" + }, + "max-resources": { + "level": "error" + }, + "max-variables": { + "level": "error" } } } diff --git a/infra-as-code/bicep/modules/customRoleDefinitions/bicepconfig.json b/infra-as-code/bicep/modules/customRoleDefinitions/bicepconfig.json index 3b1174a57..2c0ef2c34 100644 --- a/infra-as-code/bicep/modules/customRoleDefinitions/bicepconfig.json +++ b/infra-as-code/bicep/modules/customRoleDefinitions/bicepconfig.json @@ -31,11 +31,32 @@ "simplify-interpolation": { "level": "error" }, - "use-protectedsettings-for-commandtoexecute-secrets": { + "protect-commandtoexecute-secrets": { "level": "error" }, "use-stable-vm-image": { "level": "error" + }, + "explicit-values-for-loc-params": { + "level": "error" + }, + "no-hardcoded-location": { + "level": "error" + }, + "no-loc-expr-outside-params": { + "level": "error" + }, + "max-outputs": { + "level": "error" + }, + "max-params": { + "level": "error" + }, + "max-resources": { + "level": "error" + }, + "max-variables": { + "level": "error" } } } diff --git a/infra-as-code/bicep/modules/hubNetworking/bicepconfig.json b/infra-as-code/bicep/modules/hubNetworking/bicepconfig.json index 9d6a524e5..a33498c39 100644 --- a/infra-as-code/bicep/modules/hubNetworking/bicepconfig.json +++ b/infra-as-code/bicep/modules/hubNetworking/bicepconfig.json @@ -57,11 +57,32 @@ "simplify-interpolation": { "level": "error" }, - "use-protectedsettings-for-commandtoexecute-secrets": { + "protect-commandtoexecute-secrets": { "level": "error" }, "use-stable-vm-image": { "level": "error" + }, + "explicit-values-for-loc-params": { + "level": "error" + }, + "no-hardcoded-location": { + "level": "error" + }, + "no-loc-expr-outside-params": { + "level": "error" + }, + "max-outputs": { + "level": "error" + }, + "max-params": { + "level": "error" + }, + "max-resources": { + "level": "error" + }, + "max-variables": { + "level": "error" } } } diff --git a/infra-as-code/bicep/modules/logging/bicepconfig.json b/infra-as-code/bicep/modules/logging/bicepconfig.json index 3b1174a57..2c0ef2c34 100644 --- a/infra-as-code/bicep/modules/logging/bicepconfig.json +++ b/infra-as-code/bicep/modules/logging/bicepconfig.json @@ -31,11 +31,32 @@ "simplify-interpolation": { "level": "error" }, - "use-protectedsettings-for-commandtoexecute-secrets": { + "protect-commandtoexecute-secrets": { "level": "error" }, "use-stable-vm-image": { "level": "error" + }, + "explicit-values-for-loc-params": { + "level": "error" + }, + "no-hardcoded-location": { + "level": "error" + }, + "no-loc-expr-outside-params": { + "level": "error" + }, + "max-outputs": { + "level": "error" + }, + "max-params": { + "level": "error" + }, + "max-resources": { + "level": "error" + }, + "max-variables": { + "level": "error" } } } diff --git a/infra-as-code/bicep/modules/managementGroups/bicepconfig.json b/infra-as-code/bicep/modules/managementGroups/bicepconfig.json index 3b1174a57..2c0ef2c34 100644 --- a/infra-as-code/bicep/modules/managementGroups/bicepconfig.json +++ b/infra-as-code/bicep/modules/managementGroups/bicepconfig.json @@ -31,11 +31,32 @@ "simplify-interpolation": { "level": "error" }, - "use-protectedsettings-for-commandtoexecute-secrets": { + "protect-commandtoexecute-secrets": { "level": "error" }, "use-stable-vm-image": { "level": "error" + }, + "explicit-values-for-loc-params": { + "level": "error" + }, + "no-hardcoded-location": { + "level": "error" + }, + "no-loc-expr-outside-params": { + "level": "error" + }, + "max-outputs": { + "level": "error" + }, + "max-params": { + "level": "error" + }, + "max-resources": { + "level": "error" + }, + "max-variables": { + "level": "error" } } } diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/bicepconfig.json b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/bicepconfig.json index 3b1174a57..2c0ef2c34 100644 --- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/bicepconfig.json +++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/bicepconfig.json @@ -31,11 +31,32 @@ "simplify-interpolation": { "level": "error" }, - "use-protectedsettings-for-commandtoexecute-secrets": { + "protect-commandtoexecute-secrets": { "level": "error" }, "use-stable-vm-image": { "level": "error" + }, + "explicit-values-for-loc-params": { + "level": "error" + }, + "no-hardcoded-location": { + "level": "error" + }, + "no-loc-expr-outside-params": { + "level": "error" + }, + "max-outputs": { + "level": "error" + }, + "max-params": { + "level": "error" + }, + "max-resources": { + "level": "error" + }, + "max-variables": { + "level": "error" } } } diff --git a/infra-as-code/bicep/modules/policy/assignments/bicepconfig.json b/infra-as-code/bicep/modules/policy/assignments/bicepconfig.json index 3b1174a57..2c0ef2c34 100644 --- a/infra-as-code/bicep/modules/policy/assignments/bicepconfig.json +++ b/infra-as-code/bicep/modules/policy/assignments/bicepconfig.json @@ -31,11 +31,32 @@ "simplify-interpolation": { "level": "error" }, - "use-protectedsettings-for-commandtoexecute-secrets": { + "protect-commandtoexecute-secrets": { "level": "error" }, "use-stable-vm-image": { "level": "error" + }, + "explicit-values-for-loc-params": { + "level": "error" + }, + "no-hardcoded-location": { + "level": "error" + }, + "no-loc-expr-outside-params": { + "level": "error" + }, + "max-outputs": { + "level": "error" + }, + "max-params": { + "level": "error" + }, + "max-resources": { + "level": "error" + }, + "max-variables": { + "level": "error" } } } diff --git a/infra-as-code/bicep/modules/policy/definitions/bicepconfig.json b/infra-as-code/bicep/modules/policy/definitions/bicepconfig.json index 3b1174a57..2c0ef2c34 100644 --- a/infra-as-code/bicep/modules/policy/definitions/bicepconfig.json +++ b/infra-as-code/bicep/modules/policy/definitions/bicepconfig.json @@ -31,11 +31,32 @@ "simplify-interpolation": { "level": "error" }, - "use-protectedsettings-for-commandtoexecute-secrets": { + "protect-commandtoexecute-secrets": { "level": "error" }, "use-stable-vm-image": { "level": "error" + }, + "explicit-values-for-loc-params": { + "level": "error" + }, + "no-hardcoded-location": { + "level": "error" + }, + "no-loc-expr-outside-params": { + "level": "error" + }, + "max-outputs": { + "level": "error" + }, + "max-params": { + "level": "error" + }, + "max-resources": { + "level": "error" + }, + "max-variables": { + "level": "error" } } } diff --git a/infra-as-code/bicep/modules/publicIp/bicepconfig.json b/infra-as-code/bicep/modules/publicIp/bicepconfig.json index 3b1174a57..2c0ef2c34 100644 --- a/infra-as-code/bicep/modules/publicIp/bicepconfig.json +++ b/infra-as-code/bicep/modules/publicIp/bicepconfig.json @@ -31,11 +31,32 @@ "simplify-interpolation": { "level": "error" }, - "use-protectedsettings-for-commandtoexecute-secrets": { + "protect-commandtoexecute-secrets": { "level": "error" }, "use-stable-vm-image": { "level": "error" + }, + "explicit-values-for-loc-params": { + "level": "error" + }, + "no-hardcoded-location": { + "level": "error" + }, + "no-loc-expr-outside-params": { + "level": "error" + }, + "max-outputs": { + "level": "error" + }, + "max-params": { + "level": "error" + }, + "max-resources": { + "level": "error" + }, + "max-variables": { + "level": "error" } } } diff --git a/infra-as-code/bicep/modules/resourceGroup/bicepconfig.json b/infra-as-code/bicep/modules/resourceGroup/bicepconfig.json index 3b1174a57..2c0ef2c34 100644 --- a/infra-as-code/bicep/modules/resourceGroup/bicepconfig.json +++ b/infra-as-code/bicep/modules/resourceGroup/bicepconfig.json @@ -31,11 +31,32 @@ "simplify-interpolation": { "level": "error" }, - "use-protectedsettings-for-commandtoexecute-secrets": { + "protect-commandtoexecute-secrets": { "level": "error" }, "use-stable-vm-image": { "level": "error" + }, + "explicit-values-for-loc-params": { + "level": "error" + }, + "no-hardcoded-location": { + "level": "error" + }, + "no-loc-expr-outside-params": { + "level": "error" + }, + "max-outputs": { + "level": "error" + }, + "max-params": { + "level": "error" + }, + "max-resources": { + "level": "error" + }, + "max-variables": { + "level": "error" } } } diff --git a/infra-as-code/bicep/modules/roleAssignments/bicepconfig.json b/infra-as-code/bicep/modules/roleAssignments/bicepconfig.json index 3b1174a57..2c0ef2c34 100644 --- a/infra-as-code/bicep/modules/roleAssignments/bicepconfig.json +++ b/infra-as-code/bicep/modules/roleAssignments/bicepconfig.json @@ -31,11 +31,32 @@ "simplify-interpolation": { "level": "error" }, - "use-protectedsettings-for-commandtoexecute-secrets": { + "protect-commandtoexecute-secrets": { "level": "error" }, "use-stable-vm-image": { "level": "error" + }, + "explicit-values-for-loc-params": { + "level": "error" + }, + "no-hardcoded-location": { + "level": "error" + }, + "no-loc-expr-outside-params": { + "level": "error" + }, + "max-outputs": { + "level": "error" + }, + "max-params": { + "level": "error" + }, + "max-resources": { + "level": "error" + }, + "max-variables": { + "level": "error" } } } diff --git a/infra-as-code/bicep/modules/spokeNetworking/bicepconfig.json b/infra-as-code/bicep/modules/spokeNetworking/bicepconfig.json index 3b1174a57..2c0ef2c34 100644 --- a/infra-as-code/bicep/modules/spokeNetworking/bicepconfig.json +++ b/infra-as-code/bicep/modules/spokeNetworking/bicepconfig.json @@ -31,11 +31,32 @@ "simplify-interpolation": { "level": "error" }, - "use-protectedsettings-for-commandtoexecute-secrets": { + "protect-commandtoexecute-secrets": { "level": "error" }, "use-stable-vm-image": { "level": "error" + }, + "explicit-values-for-loc-params": { + "level": "error" + }, + "no-hardcoded-location": { + "level": "error" + }, + "no-loc-expr-outside-params": { + "level": "error" + }, + "max-outputs": { + "level": "error" + }, + "max-params": { + "level": "error" + }, + "max-resources": { + "level": "error" + }, + "max-variables": { + "level": "error" } } } diff --git a/infra-as-code/bicep/modules/subscriptionPlacement/bicepconfig.json b/infra-as-code/bicep/modules/subscriptionPlacement/bicepconfig.json index 3b1174a57..2c0ef2c34 100644 --- a/infra-as-code/bicep/modules/subscriptionPlacement/bicepconfig.json +++ b/infra-as-code/bicep/modules/subscriptionPlacement/bicepconfig.json @@ -31,11 +31,32 @@ "simplify-interpolation": { "level": "error" }, - "use-protectedsettings-for-commandtoexecute-secrets": { + "protect-commandtoexecute-secrets": { "level": "error" }, "use-stable-vm-image": { "level": "error" + }, + "explicit-values-for-loc-params": { + "level": "error" + }, + "no-hardcoded-location": { + "level": "error" + }, + "no-loc-expr-outside-params": { + "level": "error" + }, + "max-outputs": { + "level": "error" + }, + "max-params": { + "level": "error" + }, + "max-resources": { + "level": "error" + }, + "max-variables": { + "level": "error" } } } diff --git a/infra-as-code/bicep/modules/unstable/orchestration/hubSpoke/bicepconfig.json b/infra-as-code/bicep/modules/unstable/orchestration/hubSpoke/bicepconfig.json index d7b134720..a1d8d4751 100644 --- a/infra-as-code/bicep/modules/unstable/orchestration/hubSpoke/bicepconfig.json +++ b/infra-as-code/bicep/modules/unstable/orchestration/hubSpoke/bicepconfig.json @@ -57,7 +57,7 @@ "simplify-interpolation": { "level": "off" }, - "use-protectedsettings-for-commandtoexecute-secrets": { + "protect-commandtoexecute-secrets": { "level": "off" }, "use-stable-vm-image": { diff --git a/infra-as-code/bicep/modules/virtualNetworkPeer/bicepconfig.json b/infra-as-code/bicep/modules/virtualNetworkPeer/bicepconfig.json index 3b1174a57..2c0ef2c34 100644 --- a/infra-as-code/bicep/modules/virtualNetworkPeer/bicepconfig.json +++ b/infra-as-code/bicep/modules/virtualNetworkPeer/bicepconfig.json @@ -31,11 +31,32 @@ "simplify-interpolation": { "level": "error" }, - "use-protectedsettings-for-commandtoexecute-secrets": { + "protect-commandtoexecute-secrets": { "level": "error" }, "use-stable-vm-image": { "level": "error" + }, + "explicit-values-for-loc-params": { + "level": "error" + }, + "no-hardcoded-location": { + "level": "error" + }, + "no-loc-expr-outside-params": { + "level": "error" + }, + "max-outputs": { + "level": "error" + }, + "max-params": { + "level": "error" + }, + "max-resources": { + "level": "error" + }, + "max-variables": { + "level": "error" } } } From 70d06d3aa26d659bb41720c1dc2f134e9403e6b9 Mon Sep 17 00:00:00 2001 From: Jack Tracey Date: Mon, 14 Feb 2022 19:26:48 +0000 Subject: [PATCH 2/7] update linting in contrib guide --- docs/wiki/Contributing.md | 23 ++++++++++++++++++++++- 1 file changed, 22 insertions(+), 1 deletion(-) diff --git a/docs/wiki/Contributing.md b/docs/wiki/Contributing.md index b29b21c3e..7992a17ac 100644 --- a/docs/wiki/Contributing.md +++ b/docs/wiki/Contributing.md @@ -216,11 +216,32 @@ To author Bicep modules that are in-line with the requirements for this project, "simplify-interpolation": { "level": "error" }, - "use-protectedsettings-for-commandtoexecute-secrets": { + "protect-commandtoexecute-secrets": { "level": "error" }, "use-stable-vm-image": { "level": "error" + }, + "explicit-values-for-loc-params": { + "level": "error" + }, + "no-hardcoded-location": { + "level": "error" + }, + "no-loc-expr-outside-params": { + "level": "error" + }, + "max-outputs": { + "level": "error" + }, + "max-params": { + "level": "error" + }, + "max-resources": { + "level": "error" + }, + "max-variables": { + "level": "error" } } } From a61daf3efeac648d38b50bd813721811e09e9fee Mon Sep 17 00:00:00 2001 From: Jack Tracey Date: Mon, 14 Feb 2022 19:27:47 +0000 Subject: [PATCH 3/7] add linter overrides --- .../modules/customRoleDefinitions/customRoleDefinitions.bicep | 1 + infra-as-code/bicep/modules/logging/logging.bicep | 1 + .../bicep/modules/managementGroups/managementGroups.bicep | 1 + .../assignments/alzDefaults/alzDefaultPolicyAssignments.bicep | 2 ++ .../policy/assignments/policyAssignmentManagementGroup.bicep | 2 ++ .../modules/policy/definitions/custom-policy-definitions.bicep | 1 + .../modules/roleAssignments/roleAssignmentManagementGroup.bicep | 1 + .../modules/subscriptionPlacement/subscriptionPlacement.bicep | 1 + .../bicep/modules/virtualNetworkPeer/virtualNetworkPeer.bicep | 1 + 9 files changed, 11 insertions(+) diff --git a/infra-as-code/bicep/modules/customRoleDefinitions/customRoleDefinitions.bicep b/infra-as-code/bicep/modules/customRoleDefinitions/customRoleDefinitions.bicep index 719234fb1..70a20e820 100644 --- a/infra-as-code/bicep/modules/customRoleDefinitions/customRoleDefinitions.bicep +++ b/infra-as-code/bicep/modules/customRoleDefinitions/customRoleDefinitions.bicep @@ -55,6 +55,7 @@ module modRolesSecurityOperationsRole 'definitions/caf-security-operations-role. // Optional Deployment for Customer Usage Attribution module modCustomerUsageAttribution '../../CRML/customerUsageAttribution/cuaIdManagementGroup.bicep' = if (!parTelemetryOptOut) { + #disable-next-line no-loc-expr-outside-params name: 'pid-${varCuaid}-${uniqueString(deployment().location)}' params: {} } diff --git a/infra-as-code/bicep/modules/logging/logging.bicep b/infra-as-code/bicep/modules/logging/logging.bicep index 73c1c19f0..280a166a1 100644 --- a/infra-as-code/bicep/modules/logging/logging.bicep +++ b/infra-as-code/bicep/modules/logging/logging.bicep @@ -118,6 +118,7 @@ resource resLogAnalyticsLinkedServiceForAutomationAccount 'Microsoft.Operational // Optional Deployment for Customer Usage Attribution module modCustomerUsageAttribution '../../CRML/customerUsageAttribution/cuaIdResourceGroup.bicep' = if (!parTelemetryOptOut) { + #disable-next-line no-loc-expr-outside-params name: 'pid-${varCuaid}-${uniqueString(resourceGroup().location)}' params: {} } diff --git a/infra-as-code/bicep/modules/managementGroups/managementGroups.bicep b/infra-as-code/bicep/modules/managementGroups/managementGroups.bicep index e5841932c..f5ba5dcb2 100644 --- a/infra-as-code/bicep/modules/managementGroups/managementGroups.bicep +++ b/infra-as-code/bicep/modules/managementGroups/managementGroups.bicep @@ -203,6 +203,7 @@ resource resLandingZonesOnlineMG 'Microsoft.Management/managementGroups@2021-04- // Optional Deployment for Customer Usage Attribution module modCustomerUsageAttribution '../../CRML/customerUsageAttribution/cuaIdTenant.bicep' = if (!parTelemetryOptOut) { + #disable-next-line no-loc-expr-outside-params name: 'pid-${varCuaid}-${uniqueString(deployment().location)}' params: {} } diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep index 17c44dabf..63bab5002 100644 --- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep +++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep @@ -47,6 +47,7 @@ var varCuaid = '98cef979-5a6b-403b-83c7-10c8f04ac9a2' // Orchestration Module Variables var varDeploymentNameWrappers = { basePrefix: 'ALZBicep' + #disable-next-line no-loc-expr-outside-params baseSuffixTenantAndManagementGroup: '${deployment().location}-${uniqueString(deployment().location, parTopLevelManagementGroupPrefix)}' } @@ -222,6 +223,7 @@ targetScope = 'managementGroup' // Optional Deployment for Customer Usage Attribution module modCustomerUsageAttribution '../../../../CRML/customerUsageAttribution/cuaIdManagementGroup.bicep' = if (!parTelemetryOptOut) { + #disable-next-line no-loc-expr-outside-params name: 'pid-${varCuaid}-${uniqueString(deployment().location)}' params: {} } diff --git a/infra-as-code/bicep/modules/policy/assignments/policyAssignmentManagementGroup.bicep b/infra-as-code/bicep/modules/policy/assignments/policyAssignmentManagementGroup.bicep index 4263a8ed4..2f3835463 100644 --- a/infra-as-code/bicep/modules/policy/assignments/policyAssignmentManagementGroup.bicep +++ b/infra-as-code/bicep/modules/policy/assignments/policyAssignmentManagementGroup.bicep @@ -82,6 +82,7 @@ resource resPolicyAssignment 'Microsoft.Authorization/policyAssignments@2020-09- identity: { type: varPolicyIdentity } + #disable-next-line no-loc-expr-outside-params location: deployment().location } @@ -109,6 +110,7 @@ module modPolicyIdentityRoleAssignmentSubsMany '../../roleAssignments/roleAssign // Optional Deployment for Customer Usage Attribution module modCustomerUsageAttribution '../../../CRML/customerUsageAttribution/cuaIdManagementGroup.bicep' = if (!parTelemetryOptOut) { + #disable-next-line no-loc-expr-outside-params name: 'pid-${varCuaid}-${uniqueString(deployment().location, parPolicyAssignmentName)}' params: {} } diff --git a/infra-as-code/bicep/modules/policy/definitions/custom-policy-definitions.bicep b/infra-as-code/bicep/modules/policy/definitions/custom-policy-definitions.bicep index 93a3daacb..57a0e4a6b 100644 --- a/infra-as-code/bicep/modules/policy/definitions/custom-policy-definitions.bicep +++ b/infra-as-code/bicep/modules/policy/definitions/custom-policy-definitions.bicep @@ -1240,6 +1240,7 @@ resource resPolicySetDefinitions 'Microsoft.Authorization/policySetDefinitions@2 // Optional Deployment for Customer Usage Attribution module modCustomerUsageAttribution '../../../CRML/customerUsageAttribution/cuaIdManagementGroup.bicep' = if (!parTelemetryOptOut) { + #disable-next-line no-loc-expr-outside-params name: 'pid-${varCuaid}-${uniqueString(deployment().location)}' params: {} } diff --git a/infra-as-code/bicep/modules/roleAssignments/roleAssignmentManagementGroup.bicep b/infra-as-code/bicep/modules/roleAssignments/roleAssignmentManagementGroup.bicep index 82f3d4474..ae7104a56 100644 --- a/infra-as-code/bicep/modules/roleAssignments/roleAssignmentManagementGroup.bicep +++ b/infra-as-code/bicep/modules/roleAssignments/roleAssignmentManagementGroup.bicep @@ -45,6 +45,7 @@ resource resRoleAssignment 'Microsoft.Authorization/roleAssignments@2020-08-01-p // Optional Deployment for Customer Usage Attribution module modCustomerUsageAttribution '../../CRML/customerUsageAttribution/cuaIdManagementGroup.bicep' = if (!parTelemetryOptOut) { + #disable-next-line no-loc-expr-outside-params name: 'pid-${varCuaid}-${uniqueString(deployment().location, parRoleAssignmentNameGuid)}' params: {} } diff --git a/infra-as-code/bicep/modules/subscriptionPlacement/subscriptionPlacement.bicep b/infra-as-code/bicep/modules/subscriptionPlacement/subscriptionPlacement.bicep index 2995cfac6..f69d701bd 100644 --- a/infra-as-code/bicep/modules/subscriptionPlacement/subscriptionPlacement.bicep +++ b/infra-as-code/bicep/modules/subscriptionPlacement/subscriptionPlacement.bicep @@ -29,6 +29,7 @@ resource resSubscriptionPlacement 'Microsoft.Management/managementGroups/subscri // Optional Deployment for Customer Usage Attribution module modCustomerUsageAttribution '../../CRML/customerUsageAttribution/cuaIdManagementGroup.bicep' = if (!parTelemetryOptOut) { + #disable-next-line no-loc-expr-outside-params name: 'pid-${varCuaid}-${uniqueString(deployment().location)}' params: {} } diff --git a/infra-as-code/bicep/modules/virtualNetworkPeer/virtualNetworkPeer.bicep b/infra-as-code/bicep/modules/virtualNetworkPeer/virtualNetworkPeer.bicep index e212139c2..77c274626 100644 --- a/infra-as-code/bicep/modules/virtualNetworkPeer/virtualNetworkPeer.bicep +++ b/infra-as-code/bicep/modules/virtualNetworkPeer/virtualNetworkPeer.bicep @@ -45,6 +45,7 @@ resource resVirtualNetworkPeer 'Microsoft.Network/virtualNetworks/virtualNetwork // Optional Deployment for Customer Usage Attribution module modCustomerUsageAttribution '../../CRML/customerUsageAttribution/cuaIdResourceGroup.bicep' = if (!parTelemetryOptOut) { + #disable-next-line no-loc-expr-outside-params name: 'pid-${varCuaid}-${uniqueString(resourceGroup().location)}' params: {} } From 3133a2ddfa654af85607bd7bc30b82cd341b9eea Mon Sep 17 00:00:00 2001 From: Jack Tracey Date: Mon, 14 Feb 2022 19:28:16 +0000 Subject: [PATCH 4/7] update spoke networking module --- .../bicep/modules/spokeNetworking/README.md | 23 ++++++++++--------- .../spokeNetworking/spokeNetworking.bicep | 9 +++++--- .../spokeNetworking.parameters.example.json | 3 +++ 3 files changed, 21 insertions(+), 14 deletions(-) diff --git a/infra-as-code/bicep/modules/spokeNetworking/README.md b/infra-as-code/bicep/modules/spokeNetworking/README.md index e6feefdd9..90292a924 100644 --- a/infra-as-code/bicep/modules/spokeNetworking/README.md +++ b/infra-as-code/bicep/modules/spokeNetworking/README.md @@ -12,17 +12,18 @@ Module deploys the following resources: The module requires the following inputs: - | Parameter | Type | Default | Description | Requirement | Example | - | ---------------------------- | ------ | ------------------ | ------------------------------------------------------------------- | ----------- | ----------------------------------------------------------------------------------------------------------------------------------------------------- | - | parBGPRoutePropagation | bool | false | Switch to enable BGP Route Propagation on VNet Route Table | None | false | - | parTags | object | Empty object `{}` | Array of Tags to be applied to all resources in the Spoke Network | None | `{"key": "value"}` | - | parDdosProtectionPlanId | string | Empty string `''` | Existing DDoS Protection plan to utilize | None | `/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/Hub_Networking_POC/providers/Microsoft.Network/ddosProtectionPlans/alz-Ddos-Plan` | - | parSpokeNetworkAddressPrefix | string | '10.11.0.0/16' | CIDR for Spoke Network | None | '10.11.0.0/16' | - | parSpokeNetworkName | string | 'vnet-spoke' | The Name of the Spoke Virtual Network. | None | 'vnet-spoke' | - | parDNSServerIPArray | array | Empty array `[]` | Array IP DNS Servers to use for VNet DNS Resolution | None | `['10.10.1.4', '10.20.1.5']` | - | parNextHopIPAddress | string | Empty string `''` | IP Address where network traffic should route to leverage DNS Proxy | None | '192.168.50.4' | - | parSpokeToHubRouteTableName | string | 'rtb-spoke-to-hub' | Name of Route table to create for the default route of Hub. | None | 'rtb-spoke-to-hub ' | - | parTelemetryOptOut | bool | false | Set Parameter to true to Opt-out of deployment telemetry | None | false | + | Parameter | Type | Default | Description | Requirement | Example | + | ---------------------------- | ------ | -------------------------- | ------------------------------------------------------------------- | ----------- | ----------------------------------------------------------------------------------------------------------------------------------------------------- | + | parRegion | string | `resourceGroup().location` | The Azure Region to deploy the resources into | None | `eastus` | + | parBGPRoutePropagation | bool | false | Switch to enable BGP Route Propagation on VNet Route Table | None | false | + | parTags | object | Empty object `{}` | Array of Tags to be applied to all resources in the Spoke Network | None | `{"key": "value"}` | + | parDdosProtectionPlanId | string | Empty string `''` | Existing DDoS Protection plan to utilize | None | `/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/Hub_Networking_POC/providers/Microsoft.Network/ddosProtectionPlans/alz-Ddos-Plan` | + | parSpokeNetworkAddressPrefix | string | '10.11.0.0/16' | CIDR for Spoke Network | None | '10.11.0.0/16' | + | parSpokeNetworkName | string | 'vnet-spoke' | The Name of the Spoke Virtual Network. | None | 'vnet-spoke' | + | parDNSServerIPArray | array | Empty array `[]` | Array IP DNS Servers to use for VNet DNS Resolution | None | `['10.10.1.4', '10.20.1.5']` | + | parNextHopIPAddress | string | Empty string `''` | IP Address where network traffic should route to leverage DNS Proxy | None | '192.168.50.4' | + | parSpokeToHubRouteTableName | string | 'rtb-spoke-to-hub' | Name of Route table to create for the default route of Hub. | None | 'rtb-spoke-to-hub ' | + | parTelemetryOptOut | bool | false | Set Parameter to true to Opt-out of deployment telemetry | None | false | ## Outputs diff --git a/infra-as-code/bicep/modules/spokeNetworking/spokeNetworking.bicep b/infra-as-code/bicep/modules/spokeNetworking/spokeNetworking.bicep index a02fd6456..7f4f8eadb 100644 --- a/infra-as-code/bicep/modules/spokeNetworking/spokeNetworking.bicep +++ b/infra-as-code/bicep/modules/spokeNetworking/spokeNetworking.bicep @@ -6,13 +6,16 @@ DESCRIPTION: The following components will be options in this deployment UDR - if Firewall is enabled Private DNS Link AUTHOR/S: aultt, jtracey93 -VERSION: 1.1.0 +VERSION: 1.2.0 - Changed default value of parNetworkDNSEnableProxy to false. Defaulting to false allow for testing on its own - Changed default value of parDdosEnabled to false. Defaulting to false to allow for testing on its own - Added parSpokeNetworkName to allow customer input flexibility - Removed unrequired bool switches */ +@description('The Azure Region to deploy the resources into. Default: resourceGroup().location') +param parRegion string = resourceGroup().location + @description('Switch which allows BGP Route Propagation to be disabled on the route table') param parBGPRoutePropagation bool = false @@ -47,7 +50,7 @@ var varCuaid = '0c428583-f2a1-4448-975c-2d6262fd193a' //If Azure Firewall is enabled and Network Dns Proxy is enabled dns will be configured to point to AzureFirewall resource resSpokeVirtualNetwork 'Microsoft.Network/virtualNetworks@2021-02-01' = { name: parSpokeNetworkName - location: resourceGroup().location + location: parRegion properties: { addressSpace: { addressPrefixes: [ @@ -66,7 +69,7 @@ resource resSpokeVirtualNetwork 'Microsoft.Network/virtualNetworks@2021-02-01' = resource resSpoketoHubRouteTable 'Microsoft.Network/routeTables@2021-02-01' = if (!empty(parNextHopIPAddress)) { name: parSpoketoHubRouteTableName - location: resourceGroup().location + location: parRegion tags: parTags properties: { routes: [ diff --git a/infra-as-code/bicep/modules/spokeNetworking/spokeNetworking.parameters.example.json b/infra-as-code/bicep/modules/spokeNetworking/spokeNetworking.parameters.example.json index 16c7cc169..34c95126e 100644 --- a/infra-as-code/bicep/modules/spokeNetworking/spokeNetworking.parameters.example.json +++ b/infra-as-code/bicep/modules/spokeNetworking/spokeNetworking.parameters.example.json @@ -2,6 +2,9 @@ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", "contentVersion": "1.0.0.0", "parameters": { + "parRegion": { + "value": "eastus" + }, "parBGPRoutePropagation": { "value": false }, From 7010fd5eeb09a2cf130d01dc9d0aac391b71c4e5 Mon Sep 17 00:00:00 2001 From: Jack Tracey Date: Mon, 14 Feb 2022 19:28:37 +0000 Subject: [PATCH 5/7] update public IP module --- infra-as-code/bicep/modules/publicIp/README.md | 4 ++-- infra-as-code/bicep/modules/publicIp/publicIp.bicep | 9 +++++---- 2 files changed, 7 insertions(+), 6 deletions(-) diff --git a/infra-as-code/bicep/modules/publicIp/README.md b/infra-as-code/bicep/modules/publicIp/README.md index 216ac1749..705142d00 100644 --- a/infra-as-code/bicep/modules/publicIp/README.md +++ b/infra-as-code/bicep/modules/publicIp/README.md @@ -15,9 +15,9 @@ The module requires the following inputs: | parPublicIPName | string | none | Name associated with the Public IP to be created | 1-80 char | alz-bastion-PublicIP | | parPublicIPSku | object | none | SKU of IP to deploy to Azure | Standard or Basic | Standard | | parPublicIPProperties | object | none | N/A | - | location | string | resourceGroup().location | Location where Public IP address will be deployed | Valid Azure Region | eastus2 | + | parLocation | string | resourceGroup().location | Location where Public IP address will be deployed | Valid Azure Region | `eastus2` | | parTags | object | none | Tags to be appended to resource after it is created | none | {"Environment" : "Development"} | - | parTelemetryOptOut | bool | `false` | Set Parameter to true to Opt-out of deployment telemetry | none | `false` | + | parTelemetryOptOut | bool | `false` | Set Parameter to true to Opt-out of deployment telemetry | none | `false` | ## Outputs diff --git a/infra-as-code/bicep/modules/publicIp/publicIp.bicep b/infra-as-code/bicep/modules/publicIp/publicIp.bicep index 604237432..bdd3241fd 100644 --- a/infra-as-code/bicep/modules/publicIp/publicIp.bicep +++ b/infra-as-code/bicep/modules/publicIp/publicIp.bicep @@ -2,8 +2,8 @@ SUMMARY: Module to deploy create a public IP address DESCRIPTION: The following components will be options in this deployment Public IP Address -AUTHOR/S: aultt -VERSION: 1.0.0 +AUTHOR/S: aultt, jtracey93 +VERSION: 1.0.1 */ @description('Name of Public IP to create in Azure. Default: None') @@ -16,7 +16,7 @@ param parPublicIPSku object param parPublicIPProperties object @description('Azure Region to deploy Public IP Address to. Default: Current Resource Group') -param location string = resourceGroup().location +param parLocation string = resourceGroup().location @description('Tags to be applied to resource when deployed. Default: None') param parTags object @@ -30,13 +30,14 @@ var varCuaid = '3f85b84c-6bad-4c42-86bf-11c233241c22' resource resPublicIP 'Microsoft.Network/publicIPAddresses@2021-02-01' ={ name: parPublicIPName tags: parTags - location: location + location: parLocation sku: parPublicIPSku properties: parPublicIPProperties } // Optional Deployment for Customer Usage Attribution module modCustomerUsageAttribution '../../CRML/customerUsageAttribution/cuaIdResourceGroup.bicep' = if (!parTelemetryOptOut) { + #disable-next-line no-loc-expr-outside-params name: 'pid-${varCuaid}-${uniqueString(resourceGroup().location, parPublicIPName)}' params: {} } From b632bd9056b0900486e0b0ca0123d46f1fe808d6 Mon Sep 17 00:00:00 2001 From: Jack Tracey Date: Mon, 14 Feb 2022 19:29:57 +0000 Subject: [PATCH 6/7] update hub networking module and conditional fixes --- .../bicep/modules/hubNetworking/README.md | 11 +- .../modules/hubNetworking/hubNetworking.bicep | 173 +++++++++--------- .../hubNetworking.parameters.example.json | 7 +- 3 files changed, 98 insertions(+), 93 deletions(-) diff --git a/infra-as-code/bicep/modules/hubNetworking/README.md b/infra-as-code/bicep/modules/hubNetworking/README.md index db4de0df0..9554509c1 100644 --- a/infra-as-code/bicep/modules/hubNetworking/README.md +++ b/infra-as-code/bicep/modules/hubNetworking/README.md @@ -18,6 +18,7 @@ The module requires the following inputs: | Parameter | Type | Default | Description | Requirement | Example | | ----------------------------- | ------ | ---------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------- | ---------------------------- | + | parRegion | string | `resourceGroup().location` | The Azure Region to deploy the resources into | None | `eastus` | | parBastionEnabled | bool | true | Switch to enable deployment of Bastion Service | None | true | | parDdosEnabled | bool | true | Switch to enable deployment of distributed denial of service attacks service | None | true | | parAzureFirewallEnabled | bool | true | Switch to enable deployment of Azure Firewall | None | true | @@ -30,10 +31,10 @@ The module requires the following inputs: | parPublicIPSku | string | Standard | SKU or Tier of Public IP to deploy | Standard or Basic | Standard | | parTags | object | Empty Array [] | List of tags (Key Value Pairs) to be applied to resources | None | environment: 'development' | | parHubNetworkAddressPrefix | string | 10.10.0.0/16 | CIDR range for Hub Network | CIDR Notation | 10.10.0.0/16 | - | parHubNetworkName | string | ${parCompanyPrefix}-hub-${resourceGroup().location} | Name prefix for Virtual Network. Prefix will be appended with the region. | 2-50 char | alz-hub-eastus2 | - | parAzureFirewallName | string | ${parCompanyPrefix}-azure-firewall | Name associated with Azure Firewall | 1-80 char | alz-azure-firewall | + | parHubNetworkName | string | `${parCompanyPrefix}-hub-${parRegion} ` | Name prefix for Virtual Network. Prefix will be appended with the region. | 2-50 char | alz-hub-eastus | + | parAzureFirewallName | string | `${parCompanyPrefix}-azure-firewall ` | Name associated with Azure Firewall | 1-80 char | alz-azure-firewall | | parAzureFirewallTier | string | Standard | Tier associated with the Firewall to be deployed. | Standard or Premium | Premium | - | parHubRouteTableName | string | ${parCompanyPrefix}-hub-routetable | Name of route table to be associated with Hub Network | 1-80 char | alz-hub-routetable | + | parHubRouteTableName | string | `${parCompanyPrefix}-hub-routetable` | Name of route table to be associated with Hub Network | 1-80 char | alz-hub-routetable | | parVpnGatewayConfig | object | See example parameters file [`hubNetworking.parameters.json`](hubNetworking.parameters.example.json) | Configuration for VPN virtual network gateway to be deployed. If a VPN virtual network gateway is not desired an empty object should be used as the input parameter in the parameter file, i.e. "parVpnGatewayConfig": {"value": {} }''' | None | See Default | | parExpressRouteGatewayConfig | object | See example parameters file [`hubNetworking.parameters.json`](hubNetworking.parameters.example.json) | Configuration for ExpressRoute virtual network gateway to be deployed. If a ExpressRoute virtual network gateway is not desired an empty object should be used as the input parameter in the parameter file, i.e. "parExpressRouteGatewayConfig": {"value": {} }''' | None | See Default | | parSubnets | array | See example parameters file [`hubNetworking.parameters.json`](hubNetworking.parameters.example.json) | Array of objects to provide for a dynamic set of subnets | Must provide array of objects | See Default | @@ -76,7 +77,7 @@ There are two different sets of input parameters; one for deploying to Azure glo ConnectivitySubscriptionId="[your platform management subscription ID]" az account set --subscription $ConnectivitySubscriptionId -az group create --location eastus2 \ +az group create --location eastus \ --name Hub_Networking_POC az deployment group create \ @@ -110,7 +111,7 @@ $ConnectivitySubscriptionId = "[your platform management subscription ID]" Select-AzSubscription -SubscriptionId $ConnectivitySubscriptionId New-AzResourceGroup -Name 'Hub_Networking_POC' ` - -Location 'EastUs2' + -Location 'eastus' New-AzResourceGroupDeployment ` -TemplateFile infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep ` diff --git a/infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep b/infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep index 8f2580edc..b98e8c32d 100644 --- a/infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep +++ b/infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep @@ -9,9 +9,11 @@ DESCRIPTION: The following components will be options in this deployment DDos Standard Plan Bastion AUTHOR/S: aultt, jtracey93 -VERSION: 1.1.0 +VERSION: 1.2.0 */ +@description('The Azure Region to deploy the resources into. Default: resourceGroup().location') +param parRegion string = resourceGroup().location @description('Switch which allows Bastion deployment to be disabled. Default: true') param parBastionEnabled bool = true @@ -29,7 +31,7 @@ param parAzureFirewallEnabled bool = true param parNetworkDNSEnableProxy bool = true @description('Switch which allows BGP Propagation to be disabled on the route tables: Default: false') -param parDisableBGPRoutePropagation bool = false +param parDisableBGPRoutePropagation bool = false @description('Switch which allows Private DNS Zones to be disabled. Default: true') param parPrivateDNSZonesEnabled bool = true @@ -40,23 +42,23 @@ param parPrivateDNSZonesEnabled bool = true "value": {} }''') param parVpnGatewayConfig object = { - name: '${parCompanyPrefix}-Vpn-Gateway' - gatewaytype: 'Vpn' - sku: 'VpnGw1' - vpntype: 'RouteBased' - generation: 'Generation1' - enableBgp: false - activeActive: false - enableBgpRouteTranslationForNat: false - enableDnsForwarding: false + name: '${parCompanyPrefix}-Vpn-Gateway' + gatewaytype: 'Vpn' + sku: 'VpnGw1' + vpntype: 'RouteBased' + generation: 'Generation1' + enableBgp: false + activeActive: false + enableBgpRouteTranslationForNat: false + enableDnsForwarding: false + asn: 65515 + bgpPeeringAddress: '' + bgpsettings: { asn: 65515 bgpPeeringAddress: '' - bgpsettings: { - asn: 65515 - bgpPeeringAddress: '' - peerWeight: 5 - } + peerWeight: 5 } +} @description('''Configuration for ExpressRoute virtual network gateway to be deployed. If a ExpressRoute virtual network gateway is not desired an empty object should be used as the input parameter in the parameter file, i.e. "parExpressRouteGatewayConfig": { @@ -100,11 +102,11 @@ param parTags object = {} @description('The IP address range for all virtual networks to use. Default: 10.10.0.0/16') param parHubNetworkAddressPrefix string = '10.10.0.0/16' -@description('Prefix Used for Hub Network. Default: {parCompanyPrefix}-hub-{resourceGroup().location}') -param parHubNetworkName string = '${parCompanyPrefix}-hub-${resourceGroup().location}' +@description('Prefix Used for Hub Network. Default: {parCompanyPrefix}-hub-{parRegion}') +param parHubNetworkName string = '${parCompanyPrefix}-hub-${parRegion}' @description('Azure Firewall Name. Default: {parCompanyPrefix}-azure-firewall ') -param parAzureFirewallName string ='${parCompanyPrefix}-azure-firewall' +param parAzureFirewallName string = '${parCompanyPrefix}-azure-firewall' @description('Azure Firewall Tier associated with the Firewall to deploy. Default: Standard ') @allowed([ @@ -120,7 +122,7 @@ param parHubRouteTableName string = '${parCompanyPrefix}-hub-routetable' param parSubnets array = [ { name: 'AzureBastionSubnet' - ipAddressRange: '10.10.15.0/24' + ipAddressRange: '10.10.15.0/24' } { name: 'GatewaySubnet' @@ -136,7 +138,7 @@ param parSubnets array = [ param parBastionName string = '${parCompanyPrefix}-bastion' @description('Array of DNS Zones to provision in Hub Virtual Network. Default: All known Azure Private DNS Zones') -param parPrivateDnsZones array =[ +param parPrivateDnsZones array = [ 'privatelink.azure-automation.net' 'privatelink.database.windows.net' 'privatelink.sql.azuresynapse.net' @@ -152,13 +154,13 @@ param parPrivateDnsZones array =[ 'privatelink.cassandra.cosmos.azure.com' 'privatelink.gremlin.cosmos.azure.com' 'privatelink.table.cosmos.azure.com' - 'privatelink.${resourceGroup().location}.batch.azure.com' + 'privatelink.${parRegion}.batch.azure.com' 'privatelink.postgres.database.azure.com' 'privatelink.mysql.database.azure.com' 'privatelink.mariadb.database.azure.com' 'privatelink.vaultcore.azure.net' - 'privatelink.${resourceGroup().location}.azmk8s.io' - '${resourceGroup().location}.privatelink.siterecovery.windowsazure.com' + 'privatelink.${parRegion}.azmk8s.io' + '${parRegion}.privatelink.siterecovery.windowsazure.com' 'privatelink.servicebus.windows.net' 'privatelink.azure-devices.net' 'privatelink.eventgrid.azure.net' @@ -206,21 +208,20 @@ var varGwConfig = [ // Customer Usage Attribution Id var varCuaid = '2686e846-5fdc-4d4f-b533-16dcb09d6e6c' - -resource resDDoSProtectionPlan 'Microsoft.Network/ddosProtectionPlans@2021-02-01' = if(parDDoSEnabled) { +resource resDDoSProtectionPlan 'Microsoft.Network/ddosProtectionPlans@2021-02-01' = if (parDDoSEnabled) { name: parDDoSPlanName - location: resourceGroup().location - tags: parTags + location: parRegion + tags: parTags } //DDos Protection plan will only be enabled if parDDoSEnabled is true. resource resHubVirtualNetwork 'Microsoft.Network/virtualNetworks@2021-02-01' = { name: parHubNetworkName - location: resourceGroup().location + location: parRegion tags: parTags - properties:{ - addressSpace:{ - addressPrefixes:[ + properties: { + addressSpace: { + addressPrefixes: [ parHubNetworkAddressPrefix ] } @@ -231,87 +232,88 @@ resource resHubVirtualNetwork 'Microsoft.Network/virtualNetworks@2021-02-01' = { enableDdosProtection: parDDoSEnabled ddosProtectionPlan: (parDDoSEnabled) ? { id: resDDoSProtectionPlan.id - } : null + } : null } } -module modBastionPublicIP '../publicIp/publicIp.bicep' ={ +module modBastionPublicIP '../publicIp/publicIp.bicep' = if (parBastionEnabled) { name: 'deploy-Bastion-Public-IP' - params:{ + params: { + parLocation: parRegion parPublicIPName: '${parBastionName}-PublicIP' parPublicIPSku: { name: parPublicIPSku } parPublicIPProperties: { publicIPAddressVersion: 'IPv4' - publicIPAllocationMethod: 'Static' + publicIPAllocationMethod: 'Static' } parTags: parTags + parTelemetryOptOut: parTelemetryOptOut } } - resource resBastionSubnetRef 'Microsoft.Network/virtualNetworks/subnets@2021-02-01' existing = { parent: resHubVirtualNetwork name: 'AzureBastionSubnet' -} +} // AzureBastionSubnet is required to deploy Bastion service. This subnet must exist in the parsubnets array if you enable Bastion Service. // There is a minimum subnet requirement of /27 prefix. // If you are deploying standard this needs to be larger. https://docs.microsoft.com/en-us/azure/bastion/configuration-settings#subnet -resource resBastion 'Microsoft.Network/bastionHosts@2021-02-01' = if(parBastionEnabled){ - location: resourceGroup().location +resource resBastion 'Microsoft.Network/bastionHosts@2021-02-01' = if (parBastionEnabled) { + location: parRegion name: parBastionName tags: parTags - sku:{ + sku: { name: parBastionSku } properties: { - dnsName: uniqueString(resourceGroup().id) - ipConfigurations: [ - { - name: 'IpConf' - properties: { - subnet: { - id: resBastionSubnetRef.id - } - publicIPAddress: { - id: modBastionPublicIP.outputs.outPublicIPID - } - } + dnsName: uniqueString(resourceGroup().id) + ipConfigurations: [ + { + name: 'IpConf' + properties: { + subnet: { + id: resBastionSubnetRef.id } - ] + publicIPAddress: { + id: parBastionEnabled ? modBastionPublicIP.outputs.outPublicIPID : '' + } + } + } + ] } } - resource resGatewaySubnetRef 'Microsoft.Network/virtualNetworks/subnets@2021-02-01' existing = { parent: resHubVirtualNetwork name: 'GatewaySubnet' -} +} -module modGatewayPublicIP '../publicIp/publicIp.bicep' = [for (gateway,i) in varGwConfig: if ((gateway.name != 'noconfigVpn') && (gateway.name != 'noconfigEr')){ +module modGatewayPublicIP '../publicIp/publicIp.bicep' = [for (gateway, i) in varGwConfig: if ((gateway.name != 'noconfigVpn') && (gateway.name != 'noconfigEr')) { name: 'deploy-Gateway-Public-IP-${i}' params: { + parLocation: parRegion parPublicIPName: '${gateway.name}-PublicIP' - location: resourceGroup().location parPublicIPProperties: { publicIPAddressVersion: 'IPv4' publicIPAllocationMethod: 'Static' } parPublicIPSku: { - name: parPublicIPSku + name: parPublicIPSku } parTags: parTags + parTelemetryOptOut: parTelemetryOptOut } }] //Minumum subnet size is /27 supporting documentation https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsub -resource resGateway 'Microsoft.Network/virtualNetworkGateways@2021-02-01' = [for (gateway,i) in varGwConfig: if ((gateway.name != 'noconfigVpn') && (gateway.name != 'noconfigEr')){ +resource resGateway 'Microsoft.Network/virtualNetworkGateways@2021-02-01' = [for (gateway, i) in varGwConfig: if ((gateway.name != 'noconfigVpn') && (gateway.name != 'noconfigEr')) { name: gateway.name - location: resourceGroup().location + location: parRegion tags: parTags - properties:{ + properties: { activeActive: gateway.activeActive enableBgp: gateway.enableBgp enableBgpRouteTranslationForNat: gateway.enableBgpRouteTranslationForNat @@ -320,19 +322,19 @@ resource resGateway 'Microsoft.Network/virtualNetworkGateways@2021-02-01' = [for gatewayType: gateway.gatewayType vpnGatewayGeneration: (gateway.gatewayType == 'VPN') ? gateway.generation : 'None' vpnType: gateway.vpntype - sku:{ - name: gateway.sku + sku: { + name: gateway.sku tier: gateway.sku } - ipConfigurations:[ + ipConfigurations: [ { id: resHubVirtualNetwork.id name: 'vnetGatewayConfig' - properties:{ - publicIPAddress:{ + properties: { + publicIPAddress: { id: (((gateway.name != 'noconfigVpn') && (gateway.name != 'noconfigEr')) ? modGatewayPublicIP[i].outputs.outPublicIPID : 'na') } - subnet:{ + subnet: { id: resGatewaySubnetRef.id } } @@ -344,32 +346,32 @@ resource resGateway 'Microsoft.Network/virtualNetworkGateways@2021-02-01' = [for resource resAzureFirewallSubnetRef 'Microsoft.Network/virtualNetworks/subnets@2021-02-01' existing = { parent: resHubVirtualNetwork name: 'AzureFirewallSubnet' -} +} -module modAzureFirewallPublicIP '../publicIp/publicIp.bicep' = if(parAzureFirewallEnabled){ +module modAzureFirewallPublicIP '../publicIp/publicIp.bicep' = if (parAzureFirewallEnabled) { name: 'deploy-Firewall-Public-IP' params: { + parLocation: parRegion parPublicIPName: '${parAzureFirewallName}-PublicIP' - location: resourceGroup().location parPublicIPProperties: { publicIPAddressVersion: 'IPv4' publicIPAllocationMethod: 'Static' } parPublicIPSku: { - name: parPublicIPSku + name: parPublicIPSku } parTags: parTags + parTelemetryOptOut: parTelemetryOptOut } } - // AzureFirewallSubnet is required to deploy Azure Firewall . This subnet must exist in the parsubnets array if you deploy. // There is a minimum subnet requirement of /26 prefix. -resource resAzureFirewall 'Microsoft.Network/azureFirewalls@2021-02-01' = if(parAzureFirewallEnabled){ +resource resAzureFirewall 'Microsoft.Network/azureFirewalls@2021-02-01' = if (parAzureFirewallEnabled) { name: parAzureFirewallName - location: resourceGroup().location + location: parRegion tags: parTags - properties:{ + properties: { networkRuleCollections: [ { name: 'VmInternetAccess' @@ -408,7 +410,7 @@ resource resAzureFirewall 'Microsoft.Network/azureFirewalls@2021-02-01' = if(par id: resAzureFirewallSubnetRef.id } publicIPAddress: { - id: modAzureFirewallPublicIP.outputs.outPublicIPID + id: parAzureFirewallEnabled ? modAzureFirewallPublicIP.outputs.outPublicIPID : '' } } } @@ -419,15 +421,15 @@ resource resAzureFirewall 'Microsoft.Network/azureFirewalls@2021-02-01' = if(par tier: parAzureFirewallTier } additionalProperties: { - 'Network.DNS.EnableProxy': '${parNetworkDNSEnableProxy}' + 'Network.DNS.EnableProxy': '${parNetworkDNSEnableProxy}' } } } //If Azure Firewall is enabled we will deploy a RouteTable to redirect Traffic to the Firewall. -resource resHubRouteTable 'Microsoft.Network/routeTables@2021-02-01' = if(parAzureFirewallEnabled) { +resource resHubRouteTable 'Microsoft.Network/routeTables@2021-02-01' = if (parAzureFirewallEnabled) { name: parHubRouteTableName - location: resourceGroup().location + location: parRegion tags: parTags properties: { routes: [ @@ -444,15 +446,13 @@ resource resHubRouteTable 'Microsoft.Network/routeTables@2021-02-01' = if(parAzu } } - -resource resPrivateDnsZones 'Microsoft.Network/privateDnsZones@2020-06-01' = [for privateDnsZone in parPrivateDnsZones: if(parPrivateDNSZonesEnabled) { +resource resPrivateDnsZones 'Microsoft.Network/privateDnsZones@2020-06-01' = [for privateDnsZone in parPrivateDnsZones: if (parPrivateDNSZonesEnabled) { name: privateDnsZone location: 'global' tags: parTags }] - -resource resVirtualNetworkLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = [for privateDnsZoneName in parPrivateDnsZones: if(parPrivateDNSZonesEnabled) { +resource resVirtualNetworkLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = [for privateDnsZoneName in parPrivateDnsZones: if (parPrivateDNSZonesEnabled) { name: '${privateDnsZoneName}/${privateDnsZoneName}' location: 'global' properties: { @@ -461,11 +461,12 @@ resource resVirtualNetworkLink 'Microsoft.Network/privateDnsZones/virtualNetwork id: resHubVirtualNetwork.id } } -dependsOn: resPrivateDnsZones + dependsOn: resPrivateDnsZones }] // Optional Deployment for Customer Usage Attribution module modCustomerUsageAttribution '../../CRML/customerUsageAttribution/cuaIdResourceGroup.bicep' = if (!parTelemetryOptOut) { + #disable-next-line no-loc-expr-outside-params name: 'pid-${varCuaid}-${uniqueString(resourceGroup().location)}' params: {} } @@ -476,7 +477,7 @@ output outAzureFirewallPrivateIP string = parAzureFirewallEnabled ? resAzureFire //If Azure Firewall is enabled we will deploy a RouteTable to redirect Traffic to the Firewall. output outAzureFirewallName string = parAzureFirewallEnabled ? parAzureFirewallName : '' -output outPrivateDnsZones array = [for i in range(0,length(parPrivateDnsZones)): { +output outPrivateDnsZones array = [for i in range(0, length(parPrivateDnsZones)): { name: resPrivateDnsZones[i].name id: resPrivateDnsZones[i].id }] diff --git a/infra-as-code/bicep/modules/hubNetworking/hubNetworking.parameters.example.json b/infra-as-code/bicep/modules/hubNetworking/hubNetworking.parameters.example.json index c9d691678..b45328059 100644 --- a/infra-as-code/bicep/modules/hubNetworking/hubNetworking.parameters.example.json +++ b/infra-as-code/bicep/modules/hubNetworking/hubNetworking.parameters.example.json @@ -2,6 +2,9 @@ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", "contentVersion": "1.0.0.0", "parameters": { + "parRegion": { + "value": "eastus" + }, "parBastionEnabled": { "value": true }, @@ -58,7 +61,7 @@ "value": "alz" }, "parDdosPlanName": { - "value": "alz-Ddos-Plan" + "value": "alz-ddos-Plan" }, "parBastionSku": { "value": "Standard" @@ -75,7 +78,7 @@ "value": "10.20.0.0/16" }, "parHubNetworkName": { - "value": "alz-hub-eastus2" + "value": "alz-hub-eastus" }, "parAzureFirewallName": { "value": "alz-azure-firewall" From 7e992a8ad2bd031dc4ef37822facaa0fdaa31861 Mon Sep 17 00:00:00 2001 From: Jack Tracey <41163455+jtracey93@users.noreply.github.com> Date: Mon, 14 Feb 2022 21:29:40 +0000 Subject: [PATCH 7/7] Remove white space --- infra-as-code/bicep/modules/hubNetworking/README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/infra-as-code/bicep/modules/hubNetworking/README.md b/infra-as-code/bicep/modules/hubNetworking/README.md index 9554509c1..dd16b9458 100644 --- a/infra-as-code/bicep/modules/hubNetworking/README.md +++ b/infra-as-code/bicep/modules/hubNetworking/README.md @@ -31,8 +31,8 @@ The module requires the following inputs: | parPublicIPSku | string | Standard | SKU or Tier of Public IP to deploy | Standard or Basic | Standard | | parTags | object | Empty Array [] | List of tags (Key Value Pairs) to be applied to resources | None | environment: 'development' | | parHubNetworkAddressPrefix | string | 10.10.0.0/16 | CIDR range for Hub Network | CIDR Notation | 10.10.0.0/16 | - | parHubNetworkName | string | `${parCompanyPrefix}-hub-${parRegion} ` | Name prefix for Virtual Network. Prefix will be appended with the region. | 2-50 char | alz-hub-eastus | - | parAzureFirewallName | string | `${parCompanyPrefix}-azure-firewall ` | Name associated with Azure Firewall | 1-80 char | alz-azure-firewall | + | parHubNetworkName | string | `${parCompanyPrefix}-hub-${parRegion}` | Name prefix for Virtual Network. Prefix will be appended with the region. | 2-50 char | alz-hub-eastus | + | parAzureFirewallName | string | `${parCompanyPrefix}-azure-firewall` | Name associated with Azure Firewall | 1-80 char | alz-azure-firewall | | parAzureFirewallTier | string | Standard | Tier associated with the Firewall to be deployed. | Standard or Premium | Premium | | parHubRouteTableName | string | `${parCompanyPrefix}-hub-routetable` | Name of route table to be associated with Hub Network | 1-80 char | alz-hub-routetable | | parVpnGatewayConfig | object | See example parameters file [`hubNetworking.parameters.json`](hubNetworking.parameters.example.json) | Configuration for VPN virtual network gateway to be deployed. If a VPN virtual network gateway is not desired an empty object should be used as the input parameter in the parameter file, i.e. "parVpnGatewayConfig": {"value": {} }''' | None | See Default |