diff --git a/.ps-rule/DiagLogForAutomation.Rule.yaml b/.ps-rule/DiagLogForAutomation.Rule.yaml
new file mode 100644
index 000000000..d886c1b7a
--- /dev/null
+++ b/.ps-rule/DiagLogForAutomation.Rule.yaml
@@ -0,0 +1,26 @@
+#
+# Suppression and rules for unsupported scenarios.
+#
+
+# NOTE:
+# For details on authoring suppression groups see:
+# https://microsoft.github.io/PSRule/v2/concepts/PSRule/en-US/about_PSRule_SuppressionGroups/
+# https://microsoft.github.io/PSRule/v2/concepts/PSRule/en-US/about_PSRule_Expressions/
+
+---
+# Synopsis: Ignore automation account audit diagnostic logs are enabled as these are covered by DINE policies in ALZ
+apiVersion: github.com/microsoft/PSRule/v1
+kind: SuppressionGroup
+metadata:
+  name: ALZ.DiagLogForAutomation
+spec:
+  rule:
+    - Azure.Automation.AuditLogs
+    - Azure.Automation.PlatformLogs
+  if:
+    allOf:
+      - name: '.'
+        contains: alz-automation-account
+      - type: '.'
+        in:
+          - Microsoft.Automation/automationAccounts
diff --git a/.ps-rule/ManagedIdentityForAutomation.Rule.yaml b/.ps-rule/ManagedIdentityForAutomation.Rule.yaml
new file mode 100644
index 000000000..2d10d94c7
--- /dev/null
+++ b/.ps-rule/ManagedIdentityForAutomation.Rule.yaml
@@ -0,0 +1,25 @@
+#
+# Suppression and rules for unsupported scenarios.
+#
+
+# NOTE:
+# For details on authoring suppression groups see:
+# https://microsoft.github.io/PSRule/v2/concepts/PSRule/en-US/about_PSRule_SuppressionGroups/
+# https://microsoft.github.io/PSRule/v2/concepts/PSRule/en-US/about_PSRule_Expressions/
+
+---
+# Synopsis: Ignore Managed Identity is used for authentication.
+apiVersion: github.com/microsoft/PSRule/v1
+kind: SuppressionGroup
+metadata:
+  name: ALZ.ManagedIdentityForAutomation
+spec:
+  rule:
+    - Azure.Automation.ManagedIdentity
+  if:
+    allOf:
+      - name: '.'
+        contains: alz-automation-account
+      - type: '.'
+        in:
+          - Microsoft.Automation/automationAccounts
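Review bot: The synopsis of ManagedIdentityForAutomation.Rule.yaml records no reason for suppressing Azure.Automation.ManagedIdentity, whereas the DiagLogForAutomation group states that DINE policies cover the check; a suppression of an authentication control should carry its justification so a later reviewer can tell whether it still holds. Suggest `# Synopsis: Suppress Azure.Automation.ManagedIdentity for the ALZ automation account because <reason the module does not enable a managed identity>` with the owning module or policy named in the comment. Both groups also match on `contains: alz-automation-account`, a substring test, so any automation account whose name merely contains that string is exempted as well; if only the ALZ account is meant, an `equals` or `startsWith` expression on the name narrows the suppression.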
diff --git a/infra-as-code/bicep/modules/customRoleDefinitions/samples/baseline.sample.bicep b/infra-as-code/bicep/modules/customRoleDefinitions/samples/baseline.sample.bicep
new file mode 100644
index 000000000..c7da5bdd0
--- /dev/null
+++ b/infra-as-code/bicep/modules/customRoleDefinitions/samples/baseline.sample.bicep
@@ -0,0 +1,25 @@
+//
+// Baseline deployment sample
+//
+
+// Use this sample to deploy the baseline resource configuration.
+
+targetScope = 'managementGroup'
+
+
+// ----------
+// PARAMETERS
+// ----------
+
+// ---------
+// RESOURCES
+// ---------
+
+@description('Baseline resource configuration')
+module baseline_custom_role_definitions '../customRoleDefinitions.bicep' = {
+  name: 'custom_role_definition'
+  params: {
+    parAssignableScopeManagementGroupId: 'alz'
+    parTelemetryOptOut: false
+  }
+}
diff --git a/infra-as-code/bicep/modules/customRoleDefinitions/samples/minimum.sample.bicep b/infra-as-code/bicep/modules/customRoleDefinitions/samples/minimum.sample.bicep
new file mode 100644
index 000000000..81b71ebc8
--- /dev/null
+++ b/infra-as-code/bicep/modules/customRoleDefinitions/samples/minimum.sample.bicep
@@ -0,0 +1,21 @@
+//
+// Minimum deployment sample
+//
+
+// Use this sample to deploy the minimum resource configuration.
+
+targetScope = 'managementGroup'
+
+
+// ----------
+// PARAMETERS
+// ----------
+
+// ---------
+// RESOURCES
+// ---------
+
+@description('Minimum resource configuration')
+module minimum_custom_role_definitions '../customRoleDefinitions.bicep' = {
+  name: 'custom_role_definition'
+}
diff --git a/infra-as-code/bicep/modules/hubNetworking/samples/baseline.sample.bicep b/infra-as-code/bicep/modules/hubNetworking/samples/baseline.sample.bicep
index bf5afa0c9..7babf3d77 100644
--- a/infra-as-code/bicep/modules/hubNetworking/samples/baseline.sample.bicep
+++ b/infra-as-code/bicep/modules/hubNetworking/samples/baseline.sample.bicep
@@ -79,7 +79,7 @@ module baseline_hub_network_with_ER '../hubNetworking.bicep' = {
 vpntype: 'RouteBased'
 vpnGatewayGeneration: 'None'
 enableBgp: false
- activeActive: false
+ activeActive: true
 enableBgpRouteTranslationForNat: false
 enableDnsForwarding: false
 asn: '65515'
@@ -121,7 +121,7 @@ module baseline_hub_network_with_VPN '../hubNetworking.bicep' = {
 vpntype: 'RouteBased'
 generation: 'Generation1'
 enableBgp: false
- activeActive: false
+ activeActive: true
 enableBgpRouteTranslationForNat: false
 enableDnsForwarding: false
 asn: 65515
diff --git a/infra-as-code/bicep/modules/logging/samples/baseline.sample.bicep b/infra-as-code/bicep/modules/logging/samples/baseline.sample.bicep
new file mode 100644
index 000000000..f28786d2a
--- /dev/null
+++ b/infra-as-code/bicep/modules/logging/samples/baseline.sample.bicep
@@ -0,0 +1,45 @@
+//
+// Baseline deployment sample
+//
+
+// Use this sample to deploy the minimum resource configuration.
+
+targetScope = 'resourceGroup'
+
+@description('The Azure location to deploy to.')
+param location string = resourceGroup().location
+
+// ----------
+// PARAMETERS
+// ----------
+
+// ---------
+// RESOURCES
+// ---------
+
+@description('Baseline resource configuration')
+module baseline_logging '../logging.bicep' = {
+  name: 'baseline_logging'
+  params: {
+    parLogAnalyticsWorkspaceLocation: location
+    parAutomationAccountLocation: location
+    parLogAnalyticsWorkspaceName: 'alz-log-analytics'
+    parLogAnalyticsWorkspaceSkuName: 'PerGB2018'
+    parLogAnalyticsWorkspaceSolutions: [
+      'AgentHealthAssessment'
+      'AntiMalware'
+      'AzureActivity'
+      'ChangeTracking'
+      'Security'
+      'SecurityInsights'
+      'ServiceMap'
+      'SQLAdvancedThreatProtection'
+      'SQLVulnerabilityAssessment'
+      'SQLAssessment'
+      'Updates'
+      'VMInsights'
+    ]
+    parAutomationAccountName: 'alz-automation-account'
+    parTelemetryOptOut: false
+  }
+}
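Review bot: In logging/samples/baseline.sample.bicep the banner says `// Baseline deployment sample` but the usage line below it says `// Use this sample to deploy the minimum resource configuration.`, so a reader cannot tell which configuration they are copying. The same copy-and-paste mismatch (a baseline file whose banner, usage comment, `@description` or deployment `name` says "minimum") recurs in the new baseline samples for managementGroups, policy (both files), privateDnsZones, resourceGroup, roleAssignments, subscriptionPlacement, vnetPeering, vnetPeeringVwan and vwanConnectivity. Suggest `// Use this sample to deploy the baseline resource configuration.` here and the matching wording in the others. In this file `param location` is also declared above the `// PARAMETERS` banner; moving it under the banner keeps the section headings honest.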
diff --git a/infra-as-code/bicep/modules/logging/samples/minimum.sample.bicep b/infra-as-code/bicep/modules/logging/samples/minimum.sample.bicep
new file mode 100644
index 000000000..c7c9f5299
--- /dev/null
+++ b/infra-as-code/bicep/modules/logging/samples/minimum.sample.bicep
@@ -0,0 +1,27 @@
+//
+// Minimum deployment sample
+//
+
+// Use this sample to deploy the minimum resource configuration.
+
+targetScope = 'resourceGroup'
+
+@description('The Azure location to deploy to.')
+param location string = resourceGroup().location
+
+// ----------
+// PARAMETERS
+// ----------
+
+// ---------
+// RESOURCES
+// ---------
+
+@description('Minimum resource configuration')
+module minimum_logging '../logging.bicep' = {
+  name: 'minimum_logging'
+  params: {
+    parLogAnalyticsWorkspaceLocation: location
+    parAutomationAccountLocation: location
+  }
+}
diff --git a/infra-as-code/bicep/modules/managementGroups/samples/baseline.sample.bicep b/infra-as-code/bicep/modules/managementGroups/samples/baseline.sample.bicep
new file mode 100644
index 000000000..dadf03f24
--- /dev/null
+++ b/infra-as-code/bicep/modules/managementGroups/samples/baseline.sample.bicep
@@ -0,0 +1,38 @@
+//
+// Minimum deployment sample
+//
+
+// Use this sample to deploy the minimum resource configuration.
+
+targetScope = 'tenant'
+
+// ----------
+// PARAMETERS
+// ----------
+
+// ---------
+// RESOURCES
+// ---------
+
+@description('Baseline resource configuration')
+module baseline_managementgroups'../managementGroups.bicep' = {
+  name: 'baseline managementGroups'
+  params: {
+    parTopLevelManagementGroupParentId: '00000000-0000-0000-0000-000000000000'
+    parLandingZoneMgChildren: {
+      'mg-landingzone': {
+        displayName: 'Landing Zone'
+        children: {
+          'mg-operations': {
+            displayName: 'Operations'
+          }
+        }
+      }
+    }
+    parTopLevelManagementGroupPrefix: 'alz'
+    parTopLevelManagementGroupDisplayName: 'Azure Landing Zones'
+    parLandingZoneMgAlzDefaultsEnable: true
+    parLandingZoneMgConfidentialEnable: false
+    parTelemetryOptOut: false
+  }
+}
diff --git a/infra-as-code/bicep/modules/managementGroups/samples/minimum.sample.bicep b/infra-as-code/bicep/modules/managementGroups/samples/minimum.sample.bicep
new file mode 100644
index 000000000..1e4d674f6
--- /dev/null
+++ b/infra-as-code/bicep/modules/managementGroups/samples/minimum.sample.bicep
@@ -0,0 +1,33 @@
+//
+// Minimum deployment sample
+//
+
+// Use this sample to deploy the minimum resource configuration.
+
+targetScope = 'tenant'
+
+// ----------
+// PARAMETERS
+// ----------
+
+// ---------
+// RESOURCES
+// ---------
+
+@description('Minimum resource configuration')
+module minimum_managementgroups '../managementGroups.bicep' = {
+  name: 'minimum managementGroups'
+  params: {
+    parTopLevelManagementGroupParentId: '00000000-0000-0000-0000-000000000000'
+    parLandingZoneMgChildren: {
+      'mg-landingzone': {
+        displayName: 'Landing Zone'
+        children: {
+          'mg-operations': {
+            displayName: 'Operations'
+          }
+        }
+      }
+    }
+  }
+}
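Review bot: The deployment names `'baseline managementGroups'` and `'minimum managementGroups'` contain a space; as far as I recall ARM deployment names are restricted to letters, digits, hyphens, underscores, periods and parentheses, so these samples would be rejected at submission instead of demonstrating the module. Suggest `name: 'baseline_managementGroups'` and `name: 'minimum_managementGroups'`; the policy samples (`'minimum policy'`, `'baseline policy'`) and the privateDnsZones samples (`'minimum private DNS'`) have the same problem. Separately, `module baseline_managementgroups'../managementGroups.bicep'` has no space between the symbolic name and the module path, which is hard to read even if the parser tolerates it; the resourceGroup samples (`baseline_rg'...'`, `minimum_rg'...'`) and the roleAssignments minimum sample (`ra_mg'...'`) repeat this.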
diff --git a/infra-as-code/bicep/modules/policy/samples/baseline.policy.sample.bicep b/infra-as-code/bicep/modules/policy/samples/baseline.policy.sample.bicep
new file mode 100644
index 000000000..5871760b9
--- /dev/null
+++ b/infra-as-code/bicep/modules/policy/samples/baseline.policy.sample.bicep
@@ -0,0 +1,24 @@
+//
+// Minimum deployment sample
+//
+
+// Use this sample to deploy the minimum resource configuration.
+
+targetScope = 'managementGroup'
+
+// ----------
+// PARAMETERS
+// ----------
+
+// ---------
+// RESOURCES
+// ---------
+
+@description('Baseline resource configuration')
+module baseline_policy '../definitions/customPolicyDefinitions.bicep' = {
+  name: 'minimum policy'
+  params: {
+    parTargetManagementGroupId: 'alz'
+    parTelemetryOptOut: false
+  }
+}
diff --git a/infra-as-code/bicep/modules/policy/samples/baseline.sample.bicep b/infra-as-code/bicep/modules/policy/samples/baseline.sample.bicep
new file mode 100644
index 000000000..16f91adcf
--- /dev/null
+++ b/infra-as-code/bicep/modules/policy/samples/baseline.sample.bicep
@@ -0,0 +1,37 @@
+//
+// Baseline deployment sample
+//
+
+// Use this sample to deploy the minimum resource configuration.
+
+targetScope = 'managementGroup'
+
+// ----------
+// PARAMETERS
+// ----------
+var policyAssignmentConfig = loadJsonContent('../assignments/parameters/mc-policyAssignmentManagementGroup.dine.parameters.all.json')
+
+// ---------
+// RESOURCES
+// ---------
+
+@description('Baseline resource configuration')
+module minimum_policy '../assignments/policyAssignmentManagementGroup.bicep' = {
+  name: 'baseline policy'
+  params: {
+    parPolicyAssignmentName: policyAssignmentConfig.parameters.parPolicyAssignmentName.value
+    parPolicyAssignmentDisplayName: policyAssignmentConfig.parameters.parPolicyAssignmentDisplayName.value
+    parPolicyAssignmentDescription: policyAssignmentConfig.parameters.parPolicyAssignmentDescription.value
+    parPolicyAssignmentDefinitionId: policyAssignmentConfig.parameters.parPolicyAssignmentDefinitionId.value
+    parPolicyAssignmentParameters: policyAssignmentConfig.parameters.parPolicyAssignmentParameters
+    parPolicyAssignmentNonComplianceMessages: policyAssignmentConfig.parameters.parPolicyAssignmentNonComplianceMessages.value
+    parPolicyAssignmentNotScopes: policyAssignmentConfig.parameters.parPolicyAssignmentNotScopes.value
+    parTelemetryOptOut: policyAssignmentConfig.parameters.parTelemetryOptOut.value
+    parPolicyAssignmentParameterOverrides: policyAssignmentConfig.parameters.parPolicyAssignmentParameterOverrides.value
+    parPolicyAssignmentEnforcementMode: policyAssignmentConfig.parameters.parPolicyAssignmentEnforcementMode.value
+    parPolicyAssignmentIdentityType: policyAssignmentConfig.parameters.parPolicyAssignmentIdentityType.value
+    parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs: policyAssignmentConfig.parameters.parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs.value
+    parPolicyAssignmentIdentityRoleAssignmentsSubs: policyAssignmentConfig.parameters.parPolicyAssignmentIdentityRoleAssignmentsSubs.value
+    parPolicyAssignmentIdentityRoleDefinitionIds: policyAssignmentConfig.parameters.parPolicyAssignmentIdentityRoleDefinitionIds.value
+  }
+}
diff --git a/infra-as-code/bicep/modules/policy/samples/minimum.policy.sample.bicep b/infra-as-code/bicep/modules/policy/samples/minimum.policy.sample.bicep
new file mode 100644
index 000000000..546093254
--- /dev/null
+++ b/infra-as-code/bicep/modules/policy/samples/minimum.policy.sample.bicep
@@ -0,0 +1,20 @@
+//
+// Minimum deployment sample
+//
+
+// Use this sample to deploy the minimum resource configuration.
+
+targetScope = 'managementGroup'
+
+// ----------
+// PARAMETERS
+// ----------
+
+// ---------
+// RESOURCES
+// ---------
+
+@description('Minimum resource configuration')
+module minimum_policy '../definitions/customPolicyDefinitions.bicep' = {
+  name: 'minimum policy'
+}
diff --git a/infra-as-code/bicep/modules/policy/samples/minimum.sample.bicep b/infra-as-code/bicep/modules/policy/samples/minimum.sample.bicep
new file mode 100644
index 000000000..2ec98f8ef
--- /dev/null
+++ b/infra-as-code/bicep/modules/policy/samples/minimum.sample.bicep
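Review bot: `parPolicyAssignmentParameters` is passed `policyAssignmentConfig.parameters.parPolicyAssignmentParameters` without the `.value` suffix that every other line of this params block uses, so the module receives the whole `{ value: … }` wrapper unless the JSON file is shaped differently for that one key; please check against `mc-policyAssignmentManagementGroup.dine.parameters.all.json` and, if it is an oversight, change it to `parPolicyAssignmentParameters: policyAssignmentConfig.parameters.parPolicyAssignmentParameters.value`. The minimum sample (`.min.json`) has the identical line. The symbolic name `minimum_policy` in a file that deploys the baseline configuration and names its deployment 'baseline policy' is confusing; `baseline_policy` would follow the pattern the other samples use. Because this sample also feeds `parPolicyAssignmentIdentityRoleDefinitionIds` and the additional management-group and subscription role-assignment lists straight from the JSON file, a one-line comment stating which roles the assignment's identity ends up holding would help whoever adapts the sample.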
@@ -0,0 +1,31 @@
+//
+// Minimum deployment sample
+//
+
+// Use this sample to deploy the minimum resource configuration.
+
+targetScope = 'managementGroup'
+
+// ----------
+// PARAMETERS
+// ----------
+var policyAssignmentConfig = loadJsonContent('../assignments/parameters/mc-policyAssignmentManagementGroup.dine.parameters.min.json')
+
+// ---------
+// RESOURCES
+// ---------
+
+@description('Minimum resource configuration')
+module minimum_policy '../assignments/policyAssignmentManagementGroup.bicep' = {
+  name: 'minimum policy'
+  params: {
+    parPolicyAssignmentName: policyAssignmentConfig.parameters.parPolicyAssignmentName.value
+    parPolicyAssignmentDisplayName: policyAssignmentConfig.parameters.parPolicyAssignmentDisplayName.value
+    parPolicyAssignmentDescription: policyAssignmentConfig.parameters.parPolicyAssignmentDescription.value
+    parPolicyAssignmentDefinitionId: policyAssignmentConfig.parameters.parPolicyAssignmentDefinitionId.value
+    parPolicyAssignmentParameters: policyAssignmentConfig.parameters.parPolicyAssignmentParameters
+    parPolicyAssignmentNonComplianceMessages: policyAssignmentConfig.parameters.parPolicyAssignmentNonComplianceMessages.value
+    parPolicyAssignmentNotScopes: policyAssignmentConfig.parameters.parPolicyAssignmentNotScopes.value
+    parTelemetryOptOut: policyAssignmentConfig.parameters.parTelemetryOptOut.value
+  }
+}
diff --git a/infra-as-code/bicep/modules/privateDnsZones/samples/baseline.sample.bicep b/infra-as-code/bicep/modules/privateDnsZones/samples/baseline.sample.bicep
new file mode 100644
index 000000000..2c397231a
--- /dev/null
+++ b/infra-as-code/bicep/modules/privateDnsZones/samples/baseline.sample.bicep
@@ -0,0 +1,80 @@
+//
+// Baseline deployment sample
+//
+
+// Use this sample to deploy the minimum resource configuration.
+
+targetScope = 'resourceGroup'
+
+// ----------
+// PARAMETERS
+// ----------
+@description('The Azure Region to deploy the resources into. Default: resourceGroup().location')
+param location string = resourceGroup().location
+// ---------
+// RESOURCES
+// ---------
+
+@description('Baseline resource configuration')
+module baseline_private_dns '../privateDnsZones.bicep' = {
+  name: 'minimum private DNS'
+  params: {
+    parLocation: location
+    parPrivateDnsZones: [
+      'privatelink.azure-automation.net'
+      'privatelink.database.windows.net'
+      'privatelink.sql.azuresynapse.net'
+      'privatelink.dev.azuresynapse.net'
+      'privatelink.azuresynapse.net'
+      'privatelink.blob.core.windows.net'
+      'privatelink.table.core.windows.net'
+      'privatelink.queue.core.windows.net'
+      'privatelink.file.core.windows.net'
+      'privatelink.web.core.windows.net'
+      'privatelink.dfs.core.windows.net'
+      'privatelink.documents.azure.com'
+      'privatelink.mongo.cosmos.azure.com'
+      'privatelink.cassandra.cosmos.azure.com'
+      'privatelink.gremlin.cosmos.azure.com'
+      'privatelink.table.cosmos.azure.com'
+      'privatelink.${toLower(location)}.batch.azure.com'
+      'privatelink.postgres.database.azure.com'
+      'privatelink.mysql.database.azure.com'
+      'privatelink.mariadb.database.azure.com'
+      'privatelink.vaultcore.azure.net'
+      'privatelink.managedhsm.azure.net'
+      'privatelink.${toLower(location)}.azmk8s.io'
+      'privatelink.siterecovery.windowsazure.com'
+      'privatelink.servicebus.windows.net'
+      'privatelink.azure-devices.net'
+      'privatelink.eventgrid.azure.net'
+      'privatelink.azurewebsites.net'
+      'privatelink.api.azureml.ms'
+      'privatelink.notebooks.azure.net'
+      'privatelink.service.signalr.net'
+      'privatelink.monitor.azure.com'
+      'privatelink.oms.opinsights.azure.com'
+      'privatelink.ods.opinsights.azure.com'
+      'privatelink.agentsvc.azure-automation.net'
+      'privatelink.afs.azure.net'
+      'privatelink.datafactory.azure.net'
+      'privatelink.adf.azure.com'
+      'privatelink.redis.cache.windows.net'
+      'privatelink.redisenterprise.cache.azure.net'
+      'privatelink.purview.azure.com'
+      'privatelink.purviewstudio.azure.com'
+      'privatelink.digitaltwins.azure.net'
+      'privatelink.azconfig.io'
+      'privatelink.cognitiveservices.azure.com'
+      'privatelink.azurecr.io'
+      'privatelink.search.windows.net'
+      'privatelink.azurehdinsight.net'
+      'privatelink.media.azure.net'
+      'privatelink.his.arc.azure.com'
+      'privatelink.guestconfiguration.azure.com'
+    ]
+    parTags: {}
+    parVirtualNetworkIdToLink: ''
+    parTelemetryOptOut: false
+  }
+}
diff --git a/infra-as-code/bicep/modules/privateDnsZones/samples/minimum.sample.bicep b/infra-as-code/bicep/modules/privateDnsZones/samples/minimum.sample.bicep
new file mode 100644
index 000000000..bf4226b89
--- /dev/null
+++ b/infra-as-code/bicep/modules/privateDnsZones/samples/minimum.sample.bicep
@@ -0,0 +1,24 @@
+//
+// Minimum deployment sample
+//
+
+// Use this sample to deploy the minimum resource configuration.
+
+targetScope = 'resourceGroup'
+
+// ----------
+// PARAMETERS
+// ----------
+@description('The Azure Region to deploy the resources into. Default: resourceGroup().location')
+param location string = resourceGroup().location
+// ---------
+// RESOURCES
+// ---------
+
+@description('Minimum resource configuration')
+module minimum_private_dns '../privateDnsZones.bicep' = {
+  name: 'minimum private DNS'
+  params: {
+    parLocation: location
+  }
+}
diff --git a/infra-as-code/bicep/modules/resourceGroup/samples/baseline.sample.bicep b/infra-as-code/bicep/modules/resourceGroup/samples/baseline.sample.bicep
new file mode 100644
index 000000000..2db656e30
--- /dev/null
+++ b/infra-as-code/bicep/modules/resourceGroup/samples/baseline.sample.bicep
@@ -0,0 +1,30 @@
+//
+// Baseline deployment sample
+//
+
+// Use this sample to deploy the minimum resource configuration.
+
+targetScope = 'subscription'
+
+// ----------
+// PARAMETERS
+// ----------
+
+
+// ---------
+// RESOURCES
+// ---------
+
+@description('Baseline resource configuration.')
+module baseline_rg'../resourceGroup.bicep' = {
+  name: 'baseline_rg'
+  params: {
+    parLocation: 'westeurope'
+    parResourceGroupName: 'baseline-rg'
+    parTelemetryOptOut: true
+    parTags: {
+      tag1: 'value1'
+      tag2: 'value2'
+    }
+  }
+}
diff --git a/infra-as-code/bicep/modules/resourceGroup/samples/minimum.sample.bicep b/infra-as-code/bicep/modules/resourceGroup/samples/minimum.sample.bicep
new file mode 100644
index 000000000..b84ff2002
--- /dev/null
+++ b/infra-as-code/bicep/modules/resourceGroup/samples/minimum.sample.bicep
@@ -0,0 +1,29 @@
+//
+// Minimum deployment sample
+//
+
+// Use this sample to deploy the minimum resource configuration.
+
+targetScope = 'subscription'
+
+// ----------
+// PARAMETERS
+// ----------
+
+
+// ---------
+// RESOURCES
+// ---------
+
+@description('Minimum resource configuration.')
+module minimum_rg'../resourceGroup.bicep' = {
+  name: 'minimum_rg'
+  params: {
+    parLocation: 'westeurope'
+    parResourceGroupName: 'minimum-rg'
+    parTags: {
+      tag1: 'value1'
+      tag2: 'value2'
+    }
+  }
+}
diff --git a/infra-as-code/bicep/modules/roleAssignments/samples/baseline.sample.bicep b/infra-as-code/bicep/modules/roleAssignments/samples/baseline.sample.bicep
new file mode 100644
index 000000000..c74beafaa
--- /dev/null
+++ b/infra-as-code/bicep/modules/roleAssignments/samples/baseline.sample.bicep
@@ -0,0 +1,28 @@
+//
+// Baseline deployment sample
+//
+
+// Use this sample to deploy the minimum resource configuration.
+
+targetScope = 'managementGroup'
+
+// ----------
+// PARAMETERS
+// ----------
+var roleDefinitionId = '/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635'
+var assigneeObjectId = '00000000-0000-0000-0000-000000000000'
+// ---------
+// RESOURCES
+// ---------
+
+@description('Baseline resource configuration.')
+module baseline_ra '../roleAssignmentManagementGroup.bicep' = {
+  name: 'baseline_ra'
+  params: {
+    parRoleDefinitionId: roleDefinitionId
+    parAssigneePrincipalType: 'Group'
+    parAssigneeObjectId: assigneeObjectId
+    parTelemetryOptOut: true
+    parRoleAssignmentNameGuid: guid(managementGroup().name, roleDefinitionId, assigneeObjectId)
+  }
+}
diff --git a/infra-as-code/bicep/modules/roleAssignments/samples/minimum.sample.bicep b/infra-as-code/bicep/modules/roleAssignments/samples/minimum.sample.bicep
new file mode 100644
index 000000000..375777b76
--- /dev/null
+++ b/infra-as-code/bicep/modules/roleAssignments/samples/minimum.sample.bicep
@@ -0,0 +1,26 @@
+//
+// Minimum deployment sample
+//
+
+// Use this sample to deploy the minimum resource configuration.
+
+targetScope = 'managementGroup'
+
+// ----------
+// PARAMETERS
+// ----------
+
+
+// ---------
+// RESOURCES
+// ---------
+
+@description('Minimum resource configuration.')
+module ra_mg'../roleAssignmentManagementGroup.bicep' = {
+  name: 'ra_mg'
+  params: {
+    parRoleDefinitionId: 'acdd72a7-3385-48ef-bd42-f606fba81ae7'
+    parAssigneePrincipalType: 'Group'
+    parAssigneeObjectId: '00000000-0000-0000-0000-000000000000'
+  }
+}
diff --git a/infra-as-code/bicep/modules/spokeNetworking/samples/baseline.sample.bicep b/infra-as-code/bicep/modules/spokeNetworking/samples/baseline.sample.bicep
new file mode 100644
index 000000000..84cbb6f51
--- /dev/null
+++ b/infra-as-code/bicep/modules/spokeNetworking/samples/baseline.sample.bicep
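Review bot: The baseline sample assigns role definition `8e3af657-a8ff-443c-a75c-2fe8c4bcb635`, which is the built-in Owner role, to a group at management-group scope, while the minimum sample uses `acdd72a7-3385-48ef-bd42-f606fba81ae7` (Reader); a sample that people copy should demonstrate the least-privileged role that exercises the module, so consider using the Reader id here too, or add a comment such as `// Owner is used only to illustrate the parameter shape; replace with the narrowest role the assignee needs`. The two samples also pass the role in different shapes, a full `/providers/Microsoft.Authorization/roleDefinitions/<guid>` path in the baseline and a bare GUID in the minimum, so at most one of them matches what `parRoleDefinitionId` expects; please align them once you have checked the module's parameter.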
@@ -0,0 +1,41 @@
+
+//
+// baseline deployment sample
+//
+
+// Use this sample to deploy the baseline resource configuration.
+
+targetScope = 'resourceGroup'
+
+// ----------
+// PARAMETERS
+// ----------
+@description('Specifies the location for resources.')
+param location string = 'eastus'
+// ---------
+// RESOURCES
+// ---------
+
+@description('baseline resource configuration.')
+module spoke_nw '../spokeNetworking.bicep' = {
+  name: 'spoke_nw'
+  params: {
+    parLocation: location
+    parDisableBgpRoutePropagation: false
+    parSpokeNetworkAddressPrefix: '10.1.0.0/16'
+    parSpokeNetworkName: 'spoke'
+    parDdosProtectionPlanId: 'ddosProtectionPlanId'
+    parSpokeToHubRouteTableName: 'spokeToHubRouteTable'
+    parTelemetryOptOut: false
+    parTags: {
+      Environment: 'Dev'
+      CostCenter: 'IT'
+    }
+    parDnsServerIps: [
+      '10.1.1.100'
+      '10.1.1.101'
+    ]
+    parNextHopIpAddress: '10.1.0.10'
+
+  }
+}
diff --git a/infra-as-code/bicep/modules/spokeNetworking/samples/minimum.sample.bicep b/infra-as-code/bicep/modules/spokeNetworking/samples/minimum.sample.bicep
new file mode 100644
index 000000000..114a2d1a1
--- /dev/null
+++ b/infra-as-code/bicep/modules/spokeNetworking/samples/minimum.sample.bicep
@@ -0,0 +1,34 @@
+
+
+//
+// Minimum deployment sample
+//
+
+// Use this sample to deploy the minimum resource configuration.
+
+targetScope = 'resourceGroup'
+
+// ----------
+// PARAMETERS
+// ----------
+@description('Specifies the location for resources.')
+param location string = 'eastus'
+// ---------
+// RESOURCES
+// ---------
+
+@description('Minimum resource configuration.')
+module spoke_nw '../spokeNetworking.bicep' = {
+  name: 'spoke_nw'
+  params: {
+    parLocation: location
+    parDdosProtectionPlanId: 'ddosProtectionPlanId'
+    parSpokeNetworkAddressPrefix: '10.1.0.0/16'
+    parDnsServerIps: [
+      '10.1.1.100'
+      '10.1.1.101'
+    ]
+    parNextHopIpAddress: '10.10.10.10'
+
+  }
+}
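Review bot: `parDdosProtectionPlanId: 'ddosProtectionPlanId'` is not a resource id, so neither spokeNetworking sample can be deployed as written once the module references the plan; an obviously-labelled full id such as `'/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/<rg>/providers/Microsoft.Network/ddosProtectionPlans/<plan>'` (constructed placeholder) shows the shape a user has to supply. Both params blocks also end with an empty line before the closing brace (after `parNextHopIpAddress: …`), and the files open with leading blank lines that no other sample in this commit has; trimming them keeps the set consistent. The banner and `@description` in the baseline file are lower-case (`baseline deployment sample`), unlike every other sample.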
diff --git a/infra-as-code/bicep/modules/subscriptionPlacement/samples/baseline.sample.bicep b/infra-as-code/bicep/modules/subscriptionPlacement/samples/baseline.sample.bicep
new file mode 100644
index 000000000..8a30d7223
--- /dev/null
+++ b/infra-as-code/bicep/modules/subscriptionPlacement/samples/baseline.sample.bicep
@@ -0,0 +1,28 @@
+//
+// Baseline deployment sample
+//
+
+// Use this sample to deploy the minimum resource configuration.
+
+targetScope = 'managementGroup'
+
+// ----------
+// PARAMETERS
+// ----------
+
+// ---------
+// RESOURCES
+// ---------
+
+@description('Baseline resource configuration.')
+module sub_placement '../subscriptionPlacement.bicep' = {
+  name: 'sub_placement'
+  params: {
+    parSubscriptionIds: [
+      '00000000-0000-0000-0000-000000000000'
+      '11111111-1111-1111-1111-111111111111'
+    ]
+    parTelemetryOptOut: true
+    parTargetManagementGroupId: '22222222-2222-2222-2222-222222222222'
+  }
+}
diff --git a/infra-as-code/bicep/modules/subscriptionPlacement/samples/minimum.sample.bicep b/infra-as-code/bicep/modules/subscriptionPlacement/samples/minimum.sample.bicep
new file mode 100644
index 000000000..193b38209
--- /dev/null
+++ b/infra-as-code/bicep/modules/subscriptionPlacement/samples/minimum.sample.bicep
@@ -0,0 +1,27 @@
+//
+// Minimum deployment sample
+//
+
+// Use this sample to deploy the minimum resource configuration.
+
+targetScope = 'managementGroup'
+
+// ----------
+// PARAMETERS
+// ----------
+
+// ---------
+// RESOURCES
+// ---------
+
+@description('Minimum resource configuration.')
+module sub_placement '../subscriptionPlacement.bicep' = {
+  name: 'sub_placement'
+  params: {
+    parSubscriptionIds: [
+      '00000000-0000-0000-0000-000000000000'
+      '11111111-1111-1111-1111-111111111111'
+    ]
+    parTargetManagementGroupId: '22222222-2222-2222-2222-222222222222'
+  }
+}
diff --git a/infra-as-code/bicep/modules/vnetPeering/samples/baseline.sample.bicep b/infra-as-code/bicep/modules/vnetPeering/samples/baseline.sample.bicep
new file mode 100644
index 000000000..994bd420e
--- /dev/null
+++ b/infra-as-code/bicep/modules/vnetPeering/samples/baseline.sample.bicep
@@ -0,0 +1,30 @@
+//
+// Minimum deployment sample
+//
+
+// Use this sample to deploy the minimum resource configuration.
+
+targetScope = 'resourceGroup'
+
+// ----------
+// PARAMETERS
+// ----------
+
+// ---------
+// RESOURCES
+// ---------
+
+@description('Minimum resource configuration')
+module baseline_vnet_peering '../vnetPeering.bicep' = {
+  name: 'baseline_vnet_peering'
+  params: {
+    parDestinationVirtualNetworkId: '/subscriptions/xxxxx-xxxx-xxxx-xx-xxxxxxxx/resourceGroups//providers/Microsoft.Network/virtualNetworks/'
+    parDestinationVirtualNetworkName: ''
+    parSourceVirtualNetworkName: ''
+    parAllowVirtualNetworkAccess: true
+    parAllowForwardedTraffic: true
+    parAllowGatewayTransit: false
+    parUseRemoteGateways: false
+    parTelemetryOptOut: false
+  }
+}
diff --git a/infra-as-code/bicep/modules/vnetPeering/samples/minimum.sample.bicep b/infra-as-code/bicep/modules/vnetPeering/samples/minimum.sample.bicep
new file mode 100644
index 000000000..c897828dc
--- /dev/null
+++ b/infra-as-code/bicep/modules/vnetPeering/samples/minimum.sample.bicep
@@ -0,0 +1,25 @@
+//
+// Minimum deployment sample
+//
+
+// Use this sample to deploy the minimum resource configuration.
+
+targetScope = 'resourceGroup'
+
+// ----------
+// PARAMETERS
+// ----------
+
+// ---------
+// RESOURCES
+// ---------
+
+@description('Minimum resource configuration')
+module minimum_vnet_peering '../vnetPeering.bicep' = {
+  name: 'minimum_vnet_peering'
+  params: {
+    parDestinationVirtualNetworkId: '/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx/resourceGroups//providers/Microsoft.Network/virtualNetworks/'
+    parDestinationVirtualNetworkName: ''
+    parSourceVirtualNetworkName: ''
+  }
+}
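Review bot: `parAllowForwardedTraffic: true` in the baseline sample carries no explanation, yet it is the peering setting that admits traffic which did not originate in the peer VNet itself (for example traffic forwarded by an appliance there), and anyone copying the baseline inherits it; suggest `// Admits traffic forwarded through the peer VNet (e.g. via an NVA); leave false unless hub-routed traffic is expected`. The placeholder `parDestinationVirtualNetworkId` contains two empty path segments (`/resourceGroups//providers/…/virtualNetworks/`) and both name parameters are `''`, so the sample cannot be deployed as-is; labelled placeholders such as `<resource-group>` and `<vnet-name>` would show what must be filled in. The banner, usage comment and `@description` of this baseline file all say 'Minimum'.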
diff --git a/infra-as-code/bicep/modules/vnetPeeringVwan/samples/baseline.sample.bicep b/infra-as-code/bicep/modules/vnetPeeringVwan/samples/baseline.sample.bicep
new file mode 100644
index 000000000..1d466b903
--- /dev/null
+++ b/infra-as-code/bicep/modules/vnetPeeringVwan/samples/baseline.sample.bicep
@@ -0,0 +1,25 @@
+//
+// Baseline deployment sample
+//
+
+// Use this sample to deploy the minimum resource configuration.
+
+targetScope = 'subscription'
+
+// ----------
+// PARAMETERS
+// ----------
+
+// ---------
+// RESOURCES
+// ---------
+
+@description('Baseline resource configuration')
+module baseline_vwa_vnet_peering '../vnetPeeringVwan.bicep' = {
+  name: 'baseline_vwa_vnet_peering'
+  params: {
+    parVirtualWanHubResourceId: '/subscriptions/xxxxxxx-b761-4132-9ed1-2c90d07c4885/resourceGroups/rg-vwan/providers/Microsoft.Network/virtualWans/vwan-hub'
+    parRemoteVirtualNetworkResourceId: '/subscriptions/xxxxxxxx-b761-4132-9ed1-2c90d07c4885/resourceGroups/rg-vnet/providers/Microsoft.Network/virtualNetworks/vnet-remote'
+    parTelemetryOptOut: true
+  }
+}
diff --git a/infra-as-code/bicep/modules/vnetPeeringVwan/samples/minimum.sample.bicep b/infra-as-code/bicep/modules/vnetPeeringVwan/samples/minimum.sample.bicep
new file mode 100644
index 000000000..34400a528
--- /dev/null
+++ b/infra-as-code/bicep/modules/vnetPeeringVwan/samples/minimum.sample.bicep
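Review bot: The subscription id placeholders in `parVirtualWanHubResourceId` and `parRemoteVirtualNetworkResourceId` mask only the first segment (`xxxxxxx-b761-4132-9ed1-2c90d07c4885`), and the masked run is a different length on each line (7, 8 and 9 characters), which reads like a partially redacted real identifier rather than a placeholder; the other samples in this commit use `00000000-0000-0000-0000-000000000000`, so use that here too. The same pattern appears in vnetPeeringVwan/samples/minimum.sample.bicep and in `parVirtualNetworkIdToLink` of both vwanConnectivity samples. The vnetPeering samples use `xxxxx-xxxx-xxxx-xx-xxxxxxxx` with yet another segment shape; one zeroed GUID across all samples is easier to recognise as intentional.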
@@ -0,0 +1,24 @@
+//
+// Minimum deployment sample
+//
+
+// Use this sample to deploy the minimum resource configuration.
+
+targetScope = 'subscription'
+
+// ----------
+// PARAMETERS
+// ----------
+
+// ---------
+// RESOURCES
+// ---------
+
+@description('Minimum resource configuration')
+module minimum_vwa_vnet_peering '../vnetPeeringVwan.bicep' = {
+  name: 'minimum_vwa_vnet_peering'
+  params: {
+    parVirtualWanHubResourceId: '/subscriptions/xxxxxxxxx-b761-4132-9ed1-2c90d07c4885/resourceGroups/rg-vwan/providers/Microsoft.Network/virtualWans/vwan-hub'
+    parRemoteVirtualNetworkResourceId: '/subscriptions/xxxxxxxx-b761-4132-9ed1-2c90d07c4885/resourceGroups/rg-vnet/providers/Microsoft.Network/virtualNetworks/vnet-remote'
+  }
+}
diff --git a/infra-as-code/bicep/modules/vwanConnectivity/samples/baseline.sample.bicep b/infra-as-code/bicep/modules/vwanConnectivity/samples/baseline.sample.bicep
new file mode 100644
index 000000000..1fa7a7c7a
--- /dev/null
+++ b/infra-as-code/bicep/modules/vwanConnectivity/samples/baseline.sample.bicep
@@ -0,0 +1,113 @@
+//
+// Minimum deployment sample
+//
+
+// Use this sample to deploy the minimum resource configuration.
+
+targetScope = 'resourceGroup'
+
+// ----------
+// PARAMETERS
+// ----------
+param location string = 'westus'
+var parCompanyPrefix = 'contoso'
+// ---------
+// RESOURCES
+// ---------
+
+@description('Minimum resource configuration')
+module minimum_vwan_conn '../vwanConnectivity.bicep' = {
+  name: 'minimum_vwan_conn'
+  params: {
+    parLocation: location
+    parVirtualHubAddressPrefix: '10.100.0.0/23'
+    parAzFirewallTier: 'Standard'
+    parVirtualHubEnabled: true
+    parVpnGatewayEnabled: true
+    parExpressRouteGatewayEnabled: true
+    parAzFirewallEnabled: true
+    parAzFirewallDnsProxyEnabled: true
+    parVirtualWanName: '${parCompanyPrefix}-vwan-${location}'
+    parVirtualWanHubName: '${parCompanyPrefix}-vhub-${location}'
+    parVpnGatewayName: '${parCompanyPrefix}-vpngw-${location}'
+    parExpressRouteGatewayName: '${parCompanyPrefix}-ergw-${location}'
+    parAzFirewallName: '${parCompanyPrefix}-fw-${location}'
+    parAzFirewallAvailabilityZones: [
+      '1'
+      '2'
+      '3'
+    ]
+    parVirtualNetworkIdToLink: '/subscriptions/xxxxxxxxx-b761-4132-9ed1-2c90d07c4885/resourceGroups/rg-vnet/providers/Microsoft.Network/virtualNetworks/vnet'
+
+    parAzFirewallPoliciesName: '${parCompanyPrefix}-azfwpolicy-${location}'
+
+    parVpnGatewayScaleUnit: 1
+
+    parExpressRouteGatewayScaleUnit: 1
+
+    parDdosEnabled: true
+    parDdosPlanName: '${parCompanyPrefix}-ddos-plan'
+    parPrivateDnsZonesEnabled: true
+
+    parPrivateDnsZonesResourceGroup: resourceGroup().name
+    parPrivateDnsZones: [
+      'privatelink.azure-automation.net'
+      'privatelink.database.windows.net'
+      'privatelink.sql.azuresynapse.net'
+      'privatelink.dev.azuresynapse.net'
+      'privatelink.azuresynapse.net'
+      'privatelink.blob.core.windows.net'
+      'privatelink.table.core.windows.net'
+      'privatelink.queue.core.windows.net'
+      'privatelink.file.core.windows.net'
+      'privatelink.web.core.windows.net'
+      'privatelink.dfs.core.windows.net'
+      'privatelink.documents.azure.com'
+      'privatelink.mongo.cosmos.azure.com'
+      'privatelink.cassandra.cosmos.azure.com'
+      'privatelink.gremlin.cosmos.azure.com'
+      'privatelink.table.cosmos.azure.com'
+      'privatelink.${location}.batch.azure.com'
+      'privatelink.postgres.database.azure.com'
+      'privatelink.mysql.database.azure.com'
+      'privatelink.mariadb.database.azure.com'
+      'privatelink.vaultcore.azure.net'
+      'privatelink.managedhsm.azure.net'
+      'privatelink.${location}.azmk8s.io'
+      'privatelink.${location}.backup.windowsazure.com'
+      'privatelink.siterecovery.windowsazure.com'
+      'privatelink.servicebus.windows.net'
+      'privatelink.azure-devices.net'
+      'privatelink.eventgrid.azure.net'
+      'privatelink.azurewebsites.net'
+      'privatelink.api.azureml.ms'
+      'privatelink.notebooks.azure.net'
+      'privatelink.service.signalr.net'
+      'privatelink.monitor.azure.com'
+      'privatelink.oms.opinsights.azure.com'
+      'privatelink.ods.opinsights.azure.com'
+      'privatelink.agentsvc.azure-automation.net'
+      'privatelink.afs.azure.net'
+      'privatelink.datafactory.azure.net'
+      'privatelink.adf.azure.com'
+      'privatelink.redis.cache.windows.net'
+      'privatelink.redisenterprise.cache.azure.net'
+      'privatelink.purview.azure.com'
+      'privatelink.purviewstudio.azure.com'
+      'privatelink.digitaltwins.azure.net'
+      'privatelink.azconfig.io'
+      'privatelink.cognitiveservices.azure.com'
+      'privatelink.azurecr.io'
+      'privatelink.search.windows.net'
+      'privatelink.azurehdinsight.net'
+      'privatelink.media.azure.net'
+      'privatelink.his.arc.azure.com'
+      'privatelink.guestconfiguration.azure.com'
+    ]
+
+    parTags: {
+      key1: 'value1'
+    }
+    parTelemetryOptOut: false
+  }
+}
diff --git a/infra-as-code/bicep/modules/vwanConnectivity/samples/minimum.sample.bicep b/infra-as-code/bicep/modules/vwanConnectivity/samples/minimum.sample.bicep
new file mode 100644
index 000000000..b97cb040d
--- /dev/null
+++ b/infra-as-code/bicep/modules/vwanConnectivity/samples/minimum.sample.bicep
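Review bot: `var parCompanyPrefix = 'contoso'` carries the `par` prefix that every parameter in these modules appears to use, so it reads as a parameter while it is a hard-coded variable; either declare it `param parCompanyPrefix string = 'contoso'` or rename it `companyPrefix`. `param location string = 'westus'` has no `@description`, unlike the location parameters in the logging and privateDnsZones samples. The region-dependent zones (`'privatelink.${location}.batch.azure.com'`, `'privatelink.${location}.azmk8s.io'`, `'privatelink.${location}.backup.windowsazure.com'`) interpolate `location` as given, whereas the privateDnsZones baseline sample uses `toLower(location)`; if the module does not normalise the value, a mixed-case region name yields a differently cased zone name, so the two samples should agree. The symbolic name, deployment name (`minimum_vwan_conn`) and all three comments in this baseline file say 'minimum'.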
@@ -0,0 +1,29 @@
+//
+// Minimum deployment sample
+//
+
+// Use this sample to deploy the minimum resource configuration.
+
+targetScope = 'resourceGroup'
+
+// ----------
+// PARAMETERS
+// ----------
+param location string = 'westus'
+// ---------
+// RESOURCES
+// ---------
+
+@description('Minimum resource configuration')
+module minimum_vwan_conn '../vwanConnectivity.bicep' = {
+  name: 'minimum_vwan_conn'
+  params: {
+    parLocation: location
+    parAzFirewallAvailabilityZones: [
+      '1'
+      '2'
+      '3'
+    ]
+    parVirtualNetworkIdToLink: '/subscriptions/xxxxxxxxx-b761-4132-9ed1-2c90d07c4885/resourceGroups/rg-vnet/providers/Microsoft.Network/virtualNetworks/vnet'
+  }
+}