From c151f035b535da02486f08d771232af661bc234c Mon Sep 17 00:00:00 2001 From: Zach Trocinski <30884663+oZakari@users.noreply.github.com> Date: Wed, 4 Dec 2024 17:25:05 -0600 Subject: [PATCH 1/4] fix: Add missing private dns zones to applicable policy assignment and module (#903) * Fix private dns zone list in policy assignment * Remove unused dns zone ids and update param names * Remove unused dns zone ids and update param names * Update generated docs * Add param to accelerator * Generate Parameter Markdowns [oZakari/1618d0f4] * Fix value for param * Add prefix to dependabot title * Update test values * Updated param table * Generate Parameter Markdowns [oZakari/640a1dbc] * Update logic * Update spacing * Add params to parameter file * Generate Parameter Markdowns [oZakari/0a582834] --------- Co-authored-by: github-actions <41898282+github-actions[bot]@users.noreply.github.com> --- .github/dependabot.yml | 3 + .../.config/ALZ-Powershell-Auto.config.json | 4 + .../alzDefaultPolicyAssignments.bicep | 333 ++++++++++-------- .../alzDefaultPolicyAssignments.bicep.md | 10 + ...faultPolicyAssignments.parameters.all.json | 3 + ...faultPolicyAssignments.parameters.min.json | 13 +- ...ment_es_deploy_private_dns_zones.tmpl.json | 228 +++++++----- 7 files changed, 345 insertions(+), 249 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index a4d89087a..0859add3c 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -7,3 +7,6 @@ updates: labels: - "Type: Hygiene :broom:" - "Needs: Attention :wave:" + commit-message: + prefix: 'build: ' + diff --git a/accelerator/.config/ALZ-Powershell-Auto.config.json b/accelerator/.config/ALZ-Powershell-Auto.config.json index 9e37da45a..e85d68158 100644 --- a/accelerator/.config/ALZ-Powershell-Auto.config.json +++ b/accelerator/.config/ALZ-Powershell-Auto.config.json 
@@ -304,6 +304,10 @@ "Name": "parVirtualWanHubs.value[0].parHubLocation", "Destination": "Parameters" }, + { + "Name": "parPrivateDnsZonesLocation.value", + "Destination": "Parameters" + }, { "Name": "LOCATION", "Destination": "Environment" diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep index 841335024..3bc659152 100644 --- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep +++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep @@ -98,6 +98,9 @@ param parDdosProtectionPlanId string = '' @description('Resource ID of the Resource Group for Private DNS Zones. Empty to skip assigning the Deploy-Private-DNS-Zones policy.') param parPrivateDnsResourceGroupId string = '' +@description('Location of Private DNS Zones.') +param parPrivateDnsZonesLocation string = '' + @description('List of Private DNS Zones to audit under the Corp Management Group. This overwrites default values.') param parPrivateDnsZonesNamesToAuditInCorp array = [] 
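Review bot: The new `parPrivateDnsZonesLocation` parameter defaults to `''` and its description does not say when it must be set, although the only consumer visible in this patch derives the `privatelink.<geocode>.backup.windowsazure.com` zone ID from it; an operator who sets `parPrivateDnsResourceGroupId` and leaves this blank gets no signal at authoring time. I would expand the description to `@description('Azure region name (for example eastus) of the Private DNS Zones. Used only to derive the regional geo code for the privatelink.<geo>.backup.windowsazure.com zone; set it whenever parPrivateDnsResourceGroupId is set.')`. A note that the lookup table covers a fixed set of regions, so unsupported region names need a table update, would also spare the next reader a deployment-time surprise.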
@@ -532,60 +535,136 @@ var varPrivateDnsZonesResourceGroupSubscriptionId = !empty(parPrivateDnsResource var varPrivateDnsZonesBaseResourceId = '${parPrivateDnsResourceGroupId}/providers/Microsoft.Network/privateDnsZones/' +var varGeoCodes = { + australiacentral: 'acl' + australiacentral2: 'acl2' + australiaeast: 'ae' + australiasoutheast: 'ase' + brazilsoutheast: 'bse' + brazilsouth: 'brs' + canadacentral: 'cnc' + canadaeast: 'cne' + centralindia: 'inc' + centralus: 'cus' + centraluseuap: 'ccy' + chilecentral: 'clc' + eastasia: 'ea' + eastus: 'eus' + eastus2: 'eus2' + eastus2euap: 'ecy' + francecentral: 'frc' + francesouth: 'frs' + germanynorth: 'gn' + germanywestcentral: 'gwc' + israelcentral: 'ilc' + italynorth: 'itn' + japaneast: 'jpe' + japanwest: 'jpw' + koreacentral: 'krc' + koreasouth: 'krs' + malaysiasouth: 'mys' + malaysiawest: 'myw' + mexicocentral: 'mxc' + newzealandnorth: 'nzn' + northcentralus: 'ncus' + northeurope: 'ne' + norwayeast: 'nwe' + norwaywest: 'nww' + polandcentral: 'plc' + qatarcentral: 'qac' + southafricanorth: 'san' + southafricawest: 'saw' + southcentralus: 'scus' + southeastasia: 'sea' + southindia: 'ins' + spaincentral: 'spc' + swedencentral: 'sdc' + swedensouth: 'sds' + switzerlandnorth: 'szn' + switzerlandwest: 'szw' + taiwannorth: 'twn' + uaecentral: 'uac' + uaenorth: 'uan' + uksouth: 'uks' + ukwest: 'ukw' + westcentralus: 'wcus' + westeurope: 'we' + westindia: 'inw' + westus: 'wus' + westus2: 'wus2' + westus3: 'wus3' +} + +var varSelectedGeoCode = !empty(parPrivateDnsZonesLocation) ? 
varGeoCodes[parPrivateDnsZonesLocation] : null + var varPrivateDnsZonesFinalResourceIds = { - azureFilePrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.afs.azure.net' - azureAutomationWebhookPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.azure-automation.net' + azureAcrPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.azurecr.io' + azureAppPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.azconfig.io' + azureAppServicesPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.azurewebsites.net' + azureArcGuestconfigurationPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.guestconfiguration.azure.com' + azureArcHybridResourceProviderPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.his.arc.azure.com' + azureArcKubernetesConfigurationPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.dp.kubernetesconfiguration.azure.com' + azureAsrPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.siterecovery.windowsazure.com' azureAutomationDSCHybridPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.azure-automation.net' - azureCosmosSQLPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.documents.azure.com' - azureCosmosMongoPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.mongo.cosmos.azure.com' + azureAutomationWebhookPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.azure-automation.net' + azureBatchPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.batch.azure.com' + azureBotServicePrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.directline.botframework.com' + azureCognitiveSearchPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.search.windows.net' + azureCognitiveServicesPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.cognitiveservices.azure.com' azureCosmosCassandraPrivateDnsZoneId: 
'${varPrivateDnsZonesBaseResourceId}privatelink.cassandra.cosmos.azure.com' azureCosmosGremlinPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.gremlin.cosmos.azure.com' + azureCosmosMongoPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.mongo.cosmos.azure.com' + azureCosmosSQLPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.documents.azure.com' azureCosmosTablePrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.table.cosmos.azure.com' - azureDataFactoryPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.datafactory.azure.net' azureDataFactoryPortalPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.adf.azure.com' + azureDataFactoryPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.datafactory.azure.net' azureDatabricksPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.azuredatabricks.net' + azureDiskAccessPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.blob.core.windows.net' + azureEventGridDomainsPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.eventgrid.azure.net' + azureEventGridTopicsPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.eventgrid.azure.net' + azureEventHubNamespacePrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.servicebus.windows.net' + azureFilePrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.afs.azure.net' azureHDInsightPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.azurehdinsight.net' - azureMigratePrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.prod.migration.windowsazure.com' - azureStorageBlobPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.blob.core.windows.net' - azureStorageBlobSecPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.blob.core.windows.net' - azureStorageQueuePrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.queue.core.windows.net' - 
azureStorageQueueSecPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.queue.core.windows.net' - azureStorageFilePrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.file.core.windows.net' - azureStorageStaticWebPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.web.core.windows.net' - azureStorageStaticWebSecPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.web.core.windows.net' - azureStorageDFSPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.dfs.core.windows.net' - azureStorageDFSSecPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.dfs.core.windows.net' - azureSynapseSQLPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.sql.azuresynapse.net' - azureSynapseSQLODPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.sql.azuresynapse.net' - azureSynapseDevPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.dev.azuresynapse.net' + azureIotCentralPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.azureiotcentral.com' + azureIotDeviceupdatePrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.azure-devices.net' + azureIotHubsPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.azure-devices.net' + azureIotPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.azure-devices-provisioning.net' + azureKeyVaultPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.vaultcore.azure.net' + azureMachineLearningWorkspacePrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.api.azureml.ms' + azureMachineLearningWorkspaceSecondPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.notebooks.azure.net' + azureManagedGrafanaWorkspacePrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.grafana.azure.com' azureMediaServicesKeyPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.media.azure.net' azureMediaServicesLivePrivateDnsZoneId: 
'${varPrivateDnsZonesBaseResourceId}privatelink.media.azure.net' azureMediaServicesStreamPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.media.azure.net' + azureMigratePrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.prod.migration.windowsazure.com' azureMonitorPrivateDnsZoneId1: '${varPrivateDnsZonesBaseResourceId}privatelink.monitor.azure.com' azureMonitorPrivateDnsZoneId2: '${varPrivateDnsZonesBaseResourceId}privatelink.oms.opinsights.azure.com' azureMonitorPrivateDnsZoneId3: '${varPrivateDnsZonesBaseResourceId}privatelink.ods.opinsights.azure.com' azureMonitorPrivateDnsZoneId4: '${varPrivateDnsZonesBaseResourceId}privatelink.agentsvc.azure-automation.net' azureMonitorPrivateDnsZoneId5: '${varPrivateDnsZonesBaseResourceId}privatelink.blob.core.windows.net' - azureWebPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.webpubsub.azure.com' - azureBatchPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.batch.azure.com' - azureAppPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.azconfig.io' - azureAsrPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.siterecovery.windowsazure.com' - azureIotPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.azure-devices-provisioning.net' - azureKeyVaultPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.vaultcore.azure.net' - azureSignalRPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.service.signalr.net' - azureAppServicesPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.azurewebsites.net' - azureEventGridTopicsPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.eventgrid.azure.net' - azureDiskAccessPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.blob.core.windows.net' - azureCognitiveServicesPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.cognitiveservices.azure.com' - azureIotHubsPrivateDnsZoneId: 
'${varPrivateDnsZonesBaseResourceId}privatelink.azure-devices.net' - azureEventGridDomainsPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.eventgrid.azure.net' azureRedisCachePrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.redis.cache.windows.net' - azureAcrPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.azurecr.io' - azureEventHubNamespacePrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.servicebus.windows.net' - azureMachineLearningWorkspacePrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.api.azureml.ms' - azureMachineLearningWorkspaceSecondPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.notebooks.azure.net' azureServiceBusNamespacePrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.servicebus.windows.net' - azureCognitiveSearchPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.search.windows.net' + azureSignalRPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.service.signalr.net' + azureSiteRecoveryBackupPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.${varSelectedGeoCode}.backup.windowsazure.com' + azureSiteRecoveryBlobPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.blob.core.windows.net' + azureSiteRecoveryQueuePrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.queue.core.windows.net' + azureStorageBlobPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.blob.core.windows.net' + azureStorageBlobSecPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.blob.core.windows.net' + azureStorageDFSPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.dfs.core.windows.net' + azureStorageDFSSecPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.dfs.core.windows.net' + azureStorageFilePrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.file.core.windows.net' + azureStorageQueuePrivateDnsZoneId: 
'${varPrivateDnsZonesBaseResourceId}privatelink.queue.core.windows.net' + azureStorageQueueSecPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.queue.core.windows.net' + azureStorageStaticWebPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.web.core.windows.net' + azureStorageStaticWebSecPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.web.core.windows.net' + azureStorageTablePrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.table.core.windows.net' + azureStorageTableSecondaryPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.table.core.windows.net' + azureSynapseDevPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.dev.azuresynapse.net' + azureSynapseSQLPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.sql.azuresynapse.net' + azureSynapseSQLODPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.sql.azuresynapse.net' + azureVirtualDesktopHostpoolPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.wvd.microsoft.com' + azureVirtualDesktopWorkspacePrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.wvd.microsoft.com' + azureWebPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.webpubsub.azure.com' } // **Scope** 
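Review bot: `varSelectedGeoCode` is `null` whenever `parPrivateDnsZonesLocation` keeps its default `''`, and `azureSiteRecoveryBackupPrivateDnsZoneId` interpolates it unconditionally, so the assignment then carries a zone ID that names no real zone (how Bicep renders a null inside an interpolated string is toolchain-dependent, but no rendering yields a valid `privatelink.<geo>.backup.windowsazure.com` name); a region missing from `varGeoCodes`, or passed in a different letter case, is expected to fail at deployment with an index error rather than a clear message. I would normalise and guard the lookup and only build the zone ID when a code is known: `var varSelectedGeoCode = contains(varGeoCodes, toLower(parPrivateDnsZonesLocation)) ? varGeoCodes[toLower(parPrivateDnsZonesLocation)] : ''` and `azureSiteRecoveryBackupPrivateDnsZoneId: empty(varSelectedGeoCode) ? '' : '${varPrivateDnsZonesBaseResourceId}privatelink.${varSelectedGeoCode}.backup.windowsazure.com'`. Whether the policy set accepts an empty resource ID for that parameter, or whether the module should fail fast instead, depends on the policy definition, which this patch does not show. A comment on `varGeoCodes` saying it mirrors the Azure Backup geo-code table and must be extended when new regions ship would also help, since a missing region only surfaces at deployment time.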
@@ -1962,20 +2041,44 @@ module modPolicyAssignmentConnDeployPrivateDnsZones '../../../policy/assignments parPolicyAssignmentDescription: varPolicyAssignmentDeployPrivateDNSZones.libDefinition.properties.description parPolicyAssignmentParameters: varPolicyAssignmentDeployPrivateDNSZones.libDefinition.properties.parameters parPolicyAssignmentParameterOverrides: { - azureFilePrivateDnsZoneId: { - value: varPrivateDnsZonesFinalResourceIds.azureFilePrivateDnsZoneId + azureAcrPrivateDnsZoneId: { + value: varPrivateDnsZonesFinalResourceIds.azureAcrPrivateDnsZoneId } - azureAutomationWebhookPrivateDnsZoneId: { - value: varPrivateDnsZonesFinalResourceIds.azureAutomationWebhookPrivateDnsZoneId + azureAppPrivateDnsZoneId: { + value: varPrivateDnsZonesFinalResourceIds.azureAppPrivateDnsZoneId + } + azureAppServicesPrivateDnsZoneId: { + value: varPrivateDnsZonesFinalResourceIds.azureAppServicesPrivateDnsZoneId + } + azureArcGuestconfigurationPrivateDnsZoneId: { + value: varPrivateDnsZonesFinalResourceIds.azureArcGuestconfigurationPrivateDnsZoneId + } + azureArcHybridResourceProviderPrivateDnsZoneId: { + value: varPrivateDnsZonesFinalResourceIds.azureArcHybridResourceProviderPrivateDnsZoneId + } + azureArcKubernetesConfigurationPrivateDnsZoneId: { + value: varPrivateDnsZonesFinalResourceIds.azureArcKubernetesConfigurationPrivateDnsZoneId + } + azureAsrPrivateDnsZoneId: { + value: varPrivateDnsZonesFinalResourceIds.azureAsrPrivateDnsZoneId } azureAutomationDSCHybridPrivateDnsZoneId: { value: varPrivateDnsZonesFinalResourceIds.azureAutomationDSCHybridPrivateDnsZoneId } - azureCosmosSQLPrivateDnsZoneId: { - value: varPrivateDnsZonesFinalResourceIds.azureCosmosSQLPrivateDnsZoneId + azureAutomationWebhookPrivateDnsZoneId: { + value: varPrivateDnsZonesFinalResourceIds.azureAutomationWebhookPrivateDnsZoneId } - azureCosmosMongoPrivateDnsZoneId: { - value: varPrivateDnsZonesFinalResourceIds.azureCosmosMongoPrivateDnsZoneId + azureBatchPrivateDnsZoneId: { + value: 
varPrivateDnsZonesFinalResourceIds.azureBatchPrivateDnsZoneId + } + azureBotServicePrivateDnsZoneId: { + value: varPrivateDnsZonesFinalResourceIds.azureBotServicePrivateDnsZoneId + } + azureCognitiveSearchPrivateDnsZoneId: { + value: varPrivateDnsZonesFinalResourceIds.azureCognitiveSearchPrivateDnsZoneId + } + azureCognitiveServicesPrivateDnsZoneId: { + value: varPrivateDnsZonesFinalResourceIds.azureCognitiveServicesPrivateDnsZoneId } azureCosmosCassandraPrivateDnsZoneId: { value: varPrivateDnsZonesFinalResourceIds.azureCosmosCassandraPrivateDnsZoneId 
@@ -1983,95 +2086,50 @@ module modPolicyAssignmentConnDeployPrivateDnsZones '../../../policy/assignments azureCosmosGremlinPrivateDnsZoneId: { value: varPrivateDnsZonesFinalResourceIds.azureCosmosGremlinPrivateDnsZoneId } + azureCosmosMongoPrivateDnsZoneId: { + value: varPrivateDnsZonesFinalResourceIds.azureCosmosMongoPrivateDnsZoneId + } + azureCosmosSQLPrivateDnsZoneId: { + value: varPrivateDnsZonesFinalResourceIds.azureCosmosSQLPrivateDnsZoneId + } azureCosmosTablePrivateDnsZoneId: { value: varPrivateDnsZonesFinalResourceIds.azureCosmosTablePrivateDnsZoneId } - azureDataFactoryPrivateDnsZoneId: { - value: varPrivateDnsZonesFinalResourceIds.azureDataFactoryPrivateDnsZoneId - } azureDataFactoryPortalPrivateDnsZoneId: { value: varPrivateDnsZonesFinalResourceIds.azureDataFactoryPortalPrivateDnsZoneId } + azureDataFactoryPrivateDnsZoneId: { + value: varPrivateDnsZonesFinalResourceIds.azureDataFactoryPrivateDnsZoneId + } azureDatabricksPrivateDnsZoneId: { value: varPrivateDnsZonesFinalResourceIds.azureDatabricksPrivateDnsZoneId } - azureHDInsightPrivateDnsZoneId: { - value: varPrivateDnsZonesFinalResourceIds.azureHDInsightPrivateDnsZoneId - } - azureMigratePrivateDnsZoneId: { - value: varPrivateDnsZonesFinalResourceIds.azureMigratePrivateDnsZoneId - } - azureStorageBlobPrivateDnsZoneId: { - value: varPrivateDnsZonesFinalResourceIds.azureStorageBlobPrivateDnsZoneId - } - azureStorageBlobSecPrivateDnsZoneId: { - value: varPrivateDnsZonesFinalResourceIds.azureStorageBlobSecPrivateDnsZoneId - } - azureStorageQueuePrivateDnsZoneId: { - value: varPrivateDnsZonesFinalResourceIds.azureStorageQueuePrivateDnsZoneId - } - azureStorageQueueSecPrivateDnsZoneId: { - value: varPrivateDnsZonesFinalResourceIds.azureStorageQueueSecPrivateDnsZoneId - } - azureStorageFilePrivateDnsZoneId: { - value: varPrivateDnsZonesFinalResourceIds.azureStorageFilePrivateDnsZoneId - } - azureStorageStaticWebPrivateDnsZoneId: { - value: 
varPrivateDnsZonesFinalResourceIds.azureStorageStaticWebPrivateDnsZoneId - } - azureStorageStaticWebSecPrivateDnsZoneId: { - value: varPrivateDnsZonesFinalResourceIds.azureStorageStaticWebSecPrivateDnsZoneId - } - azureStorageDFSPrivateDnsZoneId: { - value: varPrivateDnsZonesFinalResourceIds.azureStorageDFSPrivateDnsZoneId - } - azureStorageDFSSecPrivateDnsZoneId: { - value: varPrivateDnsZonesFinalResourceIds.azureStorageDFSSecPrivateDnsZoneId - } - azureSynapseSQLPrivateDnsZoneId: { - value: varPrivateDnsZonesFinalResourceIds.azureSynapseSQLPrivateDnsZoneId - } - azureSynapseSQLODPrivateDnsZoneId: { - value: varPrivateDnsZonesFinalResourceIds.azureSynapseSQLODPrivateDnsZoneId - } - azureSynapseDevPrivateDnsZoneId: { - value: varPrivateDnsZonesFinalResourceIds.azureSynapseDevPrivateDnsZoneId - } - azureMediaServicesKeyPrivateDnsZoneId: { - value: varPrivateDnsZonesFinalResourceIds.azureMediaServicesKeyPrivateDnsZoneId - } - azureMediaServicesLivePrivateDnsZoneId: { - value: varPrivateDnsZonesFinalResourceIds.azureMediaServicesLivePrivateDnsZoneId - } - azureMediaServicesStreamPrivateDnsZoneId: { - value: varPrivateDnsZonesFinalResourceIds.azureMediaServicesStreamPrivateDnsZoneId - } - azureMonitorPrivateDnsZoneId1: { - value: varPrivateDnsZonesFinalResourceIds.azureMonitorPrivateDnsZoneId1 + azureDiskAccessPrivateDnsZoneId: { + value: varPrivateDnsZonesFinalResourceIds.azureDiskAccessPrivateDnsZoneId } - azureMonitorPrivateDnsZoneId2: { - value: varPrivateDnsZonesFinalResourceIds.azureMonitorPrivateDnsZoneId2 + azureEventGridDomainsPrivateDnsZoneId: { + value: varPrivateDnsZonesFinalResourceIds.azureEventGridDomainsPrivateDnsZoneId } - azureMonitorPrivateDnsZoneId3: { - value: varPrivateDnsZonesFinalResourceIds.azureMonitorPrivateDnsZoneId3 + azureEventGridTopicsPrivateDnsZoneId: { + value: varPrivateDnsZonesFinalResourceIds.azureEventGridTopicsPrivateDnsZoneId } - azureMonitorPrivateDnsZoneId4: { - value: 
varPrivateDnsZonesFinalResourceIds.azureMonitorPrivateDnsZoneId4 + azureEventHubNamespacePrivateDnsZoneId: { + value: varPrivateDnsZonesFinalResourceIds.azureEventHubNamespacePrivateDnsZoneId } - azureMonitorPrivateDnsZoneId5: { - value: varPrivateDnsZonesFinalResourceIds.azureMonitorPrivateDnsZoneId5 + azureFilePrivateDnsZoneId: { + value: varPrivateDnsZonesFinalResourceIds.azureFilePrivateDnsZoneId } - azureWebPrivateDnsZoneId: { - value: varPrivateDnsZonesFinalResourceIds.azureWebPrivateDnsZoneId + azureHDInsightPrivateDnsZoneId: { + value: varPrivateDnsZonesFinalResourceIds.azureHDInsightPrivateDnsZoneId } - azureBatchPrivateDnsZoneId: { - value: varPrivateDnsZonesFinalResourceIds.azureBatchPrivateDnsZoneId + azureIotCentralPrivateDnsZoneId: { + value: varPrivateDnsZonesFinalResourceIds.azureIotCentralPrivateDnsZoneId } - azureAppPrivateDnsZoneId: { - value: varPrivateDnsZonesFinalResourceIds.azureAppPrivateDnsZoneId + azureIotDeviceupdatePrivateDnsZoneId: { + value: varPrivateDnsZonesFinalResourceIds.azureIotDeviceupdatePrivateDnsZoneId } - azureAsrPrivateDnsZoneId: { - value: varPrivateDnsZonesFinalResourceIds.azureAsrPrivateDnsZoneId + azureIotHubsPrivateDnsZoneId: { + value: varPrivateDnsZonesFinalResourceIds.azureIotHubsPrivateDnsZoneId } azureIotPrivateDnsZoneId: { value: varPrivateDnsZonesFinalResourceIds.azureIotPrivateDnsZoneId 
@@ -2079,48 +2137,21 @@ module modPolicyAssignmentConnDeployPrivateDnsZones '../../../policy/assignments
 azureKeyVaultPrivateDnsZoneId: {
 value: varPrivateDnsZonesFinalResourceIds.azureKeyVaultPrivateDnsZoneId
 }
- azureSignalRPrivateDnsZoneId: {
- value: varPrivateDnsZonesFinalResourceIds.azureSignalRPrivateDnsZoneId
- }
- azureAppServicesPrivateDnsZoneId: {
- value: varPrivateDnsZonesFinalResourceIds.azureAppServicesPrivateDnsZoneId
- }
- azureEventGridTopicsPrivateDnsZoneId: {
- value: varPrivateDnsZonesFinalResourceIds.azureEventGridTopicsPrivateDnsZoneId
+ azureMachineLearningWorkspacePrivateDnsZoneId: {
+ value: varPrivateDnsZonesFinalResourceIds.azureMachineLearningWorkspacePrivateDnsZoneId
 }
- azureDiskAccessPrivateDnsZoneId: {
- value: varPrivateDnsZonesFinalResourceIds.azureDiskAccessPrivateDnsZoneId
+ azureManagedGrafanaWorkspacePrivateDnsZoneId: {
+ value: varPrivateDnsZonesFinalResourceIds.azureManagedGrafanaWorkspacePrivateDnsZoneId
 }
- azureCognitiveServicesPrivateDnsZoneId: {
- value: varPrivateDnsZonesFinalResourceIds.azureCognitiveServicesPrivateDnsZoneId
- }
- azureIotHubsPrivateDnsZoneId: {
- value: varPrivateDnsZonesFinalResourceIds.azureIotHubsPrivateDnsZoneId
+ azureMediaServicesKeyPrivateDnsZoneId: {
+ value: varPrivateDnsZonesFinalResourceIds.azureMediaServicesKeyPrivateDnsZoneId
 }
- azureEventGridDomainsPrivateDnsZoneId: {
- value: varPrivateDnsZonesFinalResourceIds.azureEventGridDomainsPrivateDnsZoneId
+ azureMonitorPrivateDnsZoneId1: {
+ value: varPrivateDnsZonesFinalResourceIds.azureMonitorPrivateDnsZoneId1
 }
 azureRedisCachePrivateDnsZoneId: {
 value: varPrivateDnsZonesFinalResourceIds.azureRedisCachePrivateDnsZoneId
 }
- azureAcrPrivateDnsZoneId: {
- value: varPrivateDnsZonesFinalResourceIds.azureAcrPrivateDnsZoneId
- }
- azureEventHubNamespacePrivateDnsZoneId: {
- value: varPrivateDnsZonesFinalResourceIds.azureEventHubNamespacePrivateDnsZoneId
- }
- azureMachineLearningWorkspacePrivateDnsZoneId: {
- value: 
varPrivateDnsZonesFinalResourceIds.azureMachineLearningWorkspacePrivateDnsZoneId
- }
- azureMachineLearningWorkspaceSecondPrivateDnsZoneId: {
- value: varPrivateDnsZonesFinalResourceIds.azureMachineLearningWorkspaceSecondPrivateDnsZoneId
- }
- azureServiceBusNamespacePrivateDnsZoneId: {
- value: varPrivateDnsZonesFinalResourceIds.azureServiceBusNamespacePrivateDnsZoneId
- }
- azureCognitiveSearchPrivateDnsZoneId: {
- value: varPrivateDnsZonesFinalResourceIds.azureCognitiveSearchPrivateDnsZoneId
- }
 }
 parPolicyAssignmentIdentityType: varPolicyAssignmentDeployPrivateDNSZones.libDefinition.identity.type
 parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentDeployPrivateDNSZones.libDefinition.properties.enforcementMode
diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md
index ef4ce4c5a..32417151c 100644
--- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md
+++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md
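Review bot: The rewritten override map closes right after `azureRedisCachePrivateDnsZoneId`, so roughly thirty keys that `varPrivateDnsZonesFinalResourceIds` defines in this same patch are never passed to the assignment: every `azureStorage*` and `azureSynapse*` entry, `azureMonitorPrivateDnsZoneId2` to `5`, `azureServiceBusNamespacePrivateDnsZoneId`, `azureSignalRPrivateDnsZoneId`, `azureWebPrivateDnsZoneId`, `azureMigratePrivateDnsZoneId`, `azureMachineLearningWorkspaceSecondPrivateDnsZoneId`, the Media Services live/stream entries, and all of the newly added `azureSiteRecovery*`, `azureStorageTable*` and `azureVirtualDesktop*` entries. For those parameters the assignment is left with `libDefinition.properties.parameters`, and the values in the template file later in this patch are the literal placeholder strings `${varPrivateDnsZonesFinalResourceIds}.<key>`, so the DeployIfNotExists effect for those services would most likely reference a zone ID that does not exist; the merge happens inside the called module, which is outside this hunk, so confirm that before merging. Rather than maintaining the same list by hand twice, derive the overrides from the map so the two cannot drift: `parPolicyAssignmentParameterOverrides: toObject(items(varPrivateDnsZonesFinalResourceIds), item => item.key, item => { value: item.value })` (needs a Bicep version with lambda support), or if a later patch in this series restores the entries, fold it into this commit so the intermediate state is never deployable. The `modPolicyAssignmentConnDeployPrivateDnsZones` module declaration starts before this hunk.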
@@ -26,6 +26,7 @@ parMsDefenderForCloudEmailSecurityContact | No | Email address for Microso parDdosEnabled | No | Enable/disable DDoS Network Protection. True enforces Enable-DDoS-VNET policy; false disables. parDdosProtectionPlanId | No | Resource ID of the DDoS Protection Plan for Virtual Networks. parPrivateDnsResourceGroupId | No | Resource ID of the Resource Group for Private DNS Zones. Empty to skip assigning the Deploy-Private-DNS-Zones policy. +parPrivateDnsZonesLocation | No | Location of Private DNS Zones. parPrivateDnsZonesNamesToAuditInCorp | No | List of Private DNS Zones to audit under the Corp Management Group. This overwrites default values. parDisableAlzDefaultPolicies | No | Disable all default ALZ policies. parDisableSlzDefaultPolicies | No | Disable all default sovereign policies. @@ -178,6 +179,12 @@ Resource ID of the DDoS Protection Plan for Virtual Networks. Resource ID of the Resource Group for Private DNS Zones. Empty to skip assigning the Deploy-Private-DNS-Zones policy. +### parPrivateDnsZonesLocation + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Location of Private DNS Zones. + ### parPrivateDnsZonesNamesToAuditInCorp ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) @@ -307,6 +314,9 @@ Opt out of deployment telemetry. "parPrivateDnsResourceGroupId": { "value": "" }, + "parPrivateDnsZonesLocation": { + "value": "" + }, "parPrivateDnsZonesNamesToAuditInCorp": { "value": [] }, diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.all.json b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.all.json index 17556fd5c..127a09341 100644 --- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.all.json 
+++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.all.json
@@ -71,6 +71,9 @@
 "parPrivateDnsResourceGroupId": {
 "value": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/rg-alz-hub-networking-001"
 },
+ "parPrivateDnsZonesLocation": {
+ "value": "eastus"
+ },
 "parPrivateDnsZonesNamesToAuditInCorp": {
 "value": []
 },
diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.min.json b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.min.json
index 5651fe41a..722d45501 100644
--- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.min.json
+++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.min.json
@@ -12,19 +12,19 @@
 "value": "eastus"
 },
 "parLogAnalyticsWorkspaceResourceId": {
- "value": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/alz-logging/providers/Microsoft.OperationalInsights/workspaces/alz-log-analytics"
+ "value": "/subscriptions/69ac80fe-dbff-4971-9cba-9cb384486ba5/resourceGroups/alz-logging/providers/Microsoft.OperationalInsights/workspaces/alz-log-analytics"
 },
 "parDataCollectionRuleVMInsightsResourceId": {
- "value": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/alz-logging/providers/Microsoft.Insights/dataCollectionRules/alz-ama-vmi-dcr"
+ "value": "/subscriptions/69ac80fe-dbff-4971-9cba-9cb384486ba5/resourceGroups/alz-logging/providers/Microsoft.Insights/dataCollectionRules/alz-ama-vmi-dcr"
 },
 "parDataCollectionRuleChangeTrackingResourceId": {
- "value": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/alz-logging/providers/Microsoft.Insights/dataCollectionRules/alz-ama-ct-dcr"
+ "value": "/subscriptions/69ac80fe-dbff-4971-9cba-9cb384486ba5/resourceGroups/alz-logging/providers/Microsoft.Insights/dataCollectionRules/alz-ama-ct-dcr"
 },
 "parDataCollectionRuleMDFCSQLResourceId": {
- "value": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/alz-logging/providers/Microsoft.Insights/dataCollectionRules/ama-mdfcsql-default-dcr"
+ "value": "/subscriptions/69ac80fe-dbff-4971-9cba-9cb384486ba5/resourceGroups/alz-logging/providers/Microsoft.Insights/dataCollectionRules/ama-mdfcsql-default-dcr"
 },
 "parUserAssignedManagedIdentityResourceId": {
- "value": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourcegroups/alz-logging/providers/Microsoft.ManagedIdentity/userAssignedIdentities/alz-umi-identity"
+ "value": "/subscriptions/69ac80fe-dbff-4971-9cba-9cb384486ba5/resourcegroups/alz-logging/providers/Microsoft.ManagedIdentity/userAssignedIdentities/alz-umi-identity"
 },
 "parLogAnalyticsWorkspaceLogRetentionInDays": {
 "value": "365"
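Review bot: This hunk replaces the documented `xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx` placeholder in the published `.min.json` parameter file with what appears to be a real subscription ID, `69ac80fe-dbff-4971-9cba-9cb384486ba5`, in all five resource IDs. A subscription GUID is not a credential, but committing it to a public sample file discloses a tenant identifier that is useful for targeted reconnaissance, produces confusing authorization failures for anyone who deploys the sample as-is, and is inconsistent with the sibling `.all.json` in this same patch, which keeps the placeholder. If the CI pipeline needs a concrete subscription, inject it at run time (a pipeline variable or token substitution over the placeholder) and keep `"/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/..."` in the committed file; the `parPrivateDnsZonesLocation` sample value added in the next hunk of this file is fine to keep.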
@@ -37,6 +37,9 @@
 },
 "parTelemetryOptOut": {
 "value": false
+ },
+ "parPrivateDnsZonesLocation": {
+ "value": "eastus"
 }
 }
 }
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_private_dns_zones.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_private_dns_zones.tmpl.json
index 4c76928f3..49e1efbda 100644
--- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_private_dns_zones.tmpl.json
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_private_dns_zones.tmpl.json
@@ -13,164 +13,206 @@ "effect1": { "value": "deployIfNotExists" }, - "azureFilePrivateDnsZoneId": { - "value": "${varPrivateDnsZonesFinalResourceIds}.azureFilePrivateDnsZoneId]" + "azureAcrPrivateDnsZoneId": { + "value": "${varPrivateDnsZonesFinalResourceIds}.azureAcrPrivateDnsZoneId" }, - "azureAutomationWebhookPrivateDnsZoneId": { - "value": "${varPrivateDnsZonesFinalResourceIds}.azureAutomationWebhookPrivateDnsZoneId]" + "azureAppPrivateDnsZoneId": { + "value": "${varPrivateDnsZonesFinalResourceIds}.azureAppPrivateDnsZoneId" + }, + "azureAppServicesPrivateDnsZoneId": { + "value": "${varPrivateDnsZonesFinalResourceIds}.azureAppServicesPrivateDnsZoneId" + }, + "azureArcGuestconfigurationPrivateDnsZoneId": { + "value": "${varPrivateDnsZonesFinalResourceIds}.azureArcGuestconfigurationPrivateDnsZoneId" + }, + "azureArcHybridResourceProviderPrivateDnsZoneId": { + "value": "${varPrivateDnsZonesFinalResourceIds}.azureArcHybridResourceProviderPrivateDnsZoneId" + }, + "azureArcKubernetesConfigurationPrivateDnsZoneId": { + "value": "${varPrivateDnsZonesFinalResourceIds}.azureArcKubernetesConfigurationPrivateDnsZoneId" + }, + "azureAsrPrivateDnsZoneId": { + "value": "${varPrivateDnsZonesFinalResourceIds}.azureAsrPrivateDnsZoneId" }, "azureAutomationDSCHybridPrivateDnsZoneId": { - "value": "${varPrivateDnsZonesFinalResourceIds}.azureAutomationDSCHybridPrivateDnsZoneId]" + "value": "${varPrivateDnsZonesFinalResourceIds}.azureAutomationDSCHybridPrivateDnsZoneId" }, - "azureCosmosSQLPrivateDnsZoneId": { - "value": "${varPrivateDnsZonesFinalResourceIds}.azureCosmosSQLPrivateDnsZoneId]" + "azureAutomationWebhookPrivateDnsZoneId": { + "value": "${varPrivateDnsZonesFinalResourceIds}.azureAutomationWebhookPrivateDnsZoneId" }, - "azureCosmosMongoPrivateDnsZoneId": { - "value": "${varPrivateDnsZonesFinalResourceIds}.azureCosmosMongoPrivateDnsZoneId]" + "azureBatchPrivateDnsZoneId": { + "value": "${varPrivateDnsZonesFinalResourceIds}.azureBatchPrivateDnsZoneId" + }, + 
"azureBotServicePrivateDnsZoneId": { + "value": "${varPrivateDnsZonesFinalResourceIds}.azureBotServicePrivateDnsZoneId" + }, + "azureCognitiveSearchPrivateDnsZoneId": { + "value": "${varPrivateDnsZonesFinalResourceIds}.azureCognitiveSearchPrivateDnsZoneId" + }, + "azureCognitiveServicesPrivateDnsZoneId": { + "value": "${varPrivateDnsZonesFinalResourceIds}.azureCognitiveServicesPrivateDnsZoneId" }, "azureCosmosCassandraPrivateDnsZoneId": { - "value": "${varPrivateDnsZonesFinalResourceIds}.azureCosmosCassandraPrivateDnsZoneId]" + "value": "${varPrivateDnsZonesFinalResourceIds}.azureCosmosCassandraPrivateDnsZoneId" }, "azureCosmosGremlinPrivateDnsZoneId": { - "value": "${varPrivateDnsZonesFinalResourceIds}.azureCosmosGremlinPrivateDnsZoneId]" + "value": "${varPrivateDnsZonesFinalResourceIds}.azureCosmosGremlinPrivateDnsZoneId" }, - "azureCosmosTablePrivateDnsZoneId": { - "value": "${varPrivateDnsZonesFinalResourceIds}.azureCosmosTablePrivateDnsZoneId]" + "azureCosmosMongoPrivateDnsZoneId": { + "value": "${varPrivateDnsZonesFinalResourceIds}.azureCosmosMongoPrivateDnsZoneId" }, - "azureDataFactoryPrivateDnsZoneId": { - "value": "${varPrivateDnsZonesFinalResourceIds}.azureDataFactoryPrivateDnsZoneId]" + "azureCosmosSQLPrivateDnsZoneId": { + "value": "${varPrivateDnsZonesFinalResourceIds}.azureCosmosSQLPrivateDnsZoneId" + }, + "azureCosmosTablePrivateDnsZoneId": { + "value": "${varPrivateDnsZonesFinalResourceIds}.azureCosmosTablePrivateDnsZoneId" }, "azureDataFactoryPortalPrivateDnsZoneId": { - "value": "${varPrivateDnsZonesFinalResourceIds}.azureDataFactoryPortalPrivateDnsZoneId]" + "value": "${varPrivateDnsZonesFinalResourceIds}.azureDataFactoryPortalPrivateDnsZoneId" + }, + "azureDataFactoryPrivateDnsZoneId": { + "value": "${varPrivateDnsZonesFinalResourceIds}.azureDataFactoryPrivateDnsZoneId" }, "azureDatabricksPrivateDnsZoneId": { - "value": "${varPrivateDnsZonesFinalResourceIds}.azureDatabricksPrivateDnsZoneId]" + "value": 
"${varPrivateDnsZonesFinalResourceIds}.azureDatabricksPrivateDnsZoneId" }, - "azureHDInsightPrivateDnsZoneId": { - "value": "${varPrivateDnsZonesFinalResourceIds}.azureHDInsightPrivateDnsZoneId]" + "azureDiskAccessPrivateDnsZoneId": { + "value": "${varPrivateDnsZonesFinalResourceIds}.azureDiskAccessPrivateDnsZoneId" }, - "azureMigratePrivateDnsZoneId": { - "value": "${varPrivateDnsZonesFinalResourceIds}.azureMigratePrivateDnsZoneId]" + "azureEventGridDomainsPrivateDnsZoneId": { + "value": "${varPrivateDnsZonesFinalResourceIds}.azureEventGridDomainsPrivateDnsZoneId" }, - "azureStorageBlobPrivateDnsZoneId": { - "value": "${varPrivateDnsZonesFinalResourceIds}.azureStorageBlobPrivateDnsZoneId]" + "azureEventGridTopicsPrivateDnsZoneId": { + "value": "${varPrivateDnsZonesFinalResourceIds}.azureEventGridTopicsPrivateDnsZoneId" }, - "azureStorageBlobSecPrivateDnsZoneId": { - "value": "${varPrivateDnsZonesFinalResourceIds}.azureStorageBlobSecPrivateDnsZoneId]" + "azureEventHubNamespacePrivateDnsZoneId": { + "value": "${varPrivateDnsZonesFinalResourceIds}.azureEventHubNamespacePrivateDnsZoneId" }, - "azureStorageQueuePrivateDnsZoneId": { - "value": "${varPrivateDnsZonesFinalResourceIds}.azureStorageQueuePrivateDnsZoneId]" + "azureFilePrivateDnsZoneId": { + "value": "${varPrivateDnsZonesFinalResourceIds}.azureFilePrivateDnsZoneId" }, - "azureStorageQueueSecPrivateDnsZoneId": { - "value": "${varPrivateDnsZonesFinalResourceIds}.azureStorageQueueSecPrivateDnsZoneId]" + "azureHDInsightPrivateDnsZoneId": { + "value": "${varPrivateDnsZonesFinalResourceIds}.azureHDInsightPrivateDnsZoneId" }, - "azureStorageFilePrivateDnsZoneId": { - "value": "${varPrivateDnsZonesFinalResourceIds}.azureStorageFilePrivateDnsZoneId]" + "azureIotCentralPrivateDnsZoneId": { + "value": "${varPrivateDnsZonesFinalResourceIds}.azureIotCentralPrivateDnsZoneId" }, - "azureStorageStaticWebPrivateDnsZoneId": { - "value": "${varPrivateDnsZonesFinalResourceIds}.azureStorageStaticWebPrivateDnsZoneId]" + 
"azureIotDeviceupdatePrivateDnsZoneId": { + "value": "${varPrivateDnsZonesFinalResourceIds}.azureIotDeviceupdatePrivateDnsZoneId" }, - "azureStorageStaticWebSecPrivateDnsZoneId": { - "value": "${varPrivateDnsZonesFinalResourceIds}.azureStorageStaticWebSecPrivateDnsZoneId]" + "azureIotHubsPrivateDnsZoneId": { + "value": "${varPrivateDnsZonesFinalResourceIds}.azureIotHubsPrivateDnsZoneId" }, - "azureStorageDFSPrivateDnsZoneId": { - "value": "${varPrivateDnsZonesFinalResourceIds}.azureStorageDFSPrivateDnsZoneId]" + "azureIotPrivateDnsZoneId": { + "value": "${varPrivateDnsZonesFinalResourceIds}.azureIotPrivateDnsZoneId" }, - "azureStorageDFSSecPrivateDnsZoneId": { - "value": "${varPrivateDnsZonesFinalResourceIds}.azureStorageDFSSecPrivateDnsZoneId]" + "azureKeyVaultPrivateDnsZoneId": { + "value": "${varPrivateDnsZonesFinalResourceIds}.azureKeyVaultPrivateDnsZoneId" }, - "azureSynapseSQLPrivateDnsZoneId": { - "value": "${varPrivateDnsZonesFinalResourceIds}.azureSynapseSQLPrivateDnsZoneId]" + "azureMachineLearningWorkspacePrivateDnsZoneId": { + "value": "${varPrivateDnsZonesFinalResourceIds}.azureMachineLearningWorkspacePrivateDnsZoneId" }, - "azureSynapseSQLODPrivateDnsZoneId": { - "value": "${varPrivateDnsZonesFinalResourceIds}.azureSynapseSQLODPrivateDnsZoneId]" + "azureMachineLearningWorkspaceSecondPrivateDnsZoneId": { + "value": "${varPrivateDnsZonesFinalResourceIds}.azureMachineLearningWorkspaceSecondPrivateDnsZoneId" }, - "azureSynapseDevPrivateDnsZoneId": { - "value": "${varPrivateDnsZonesFinalResourceIds}.azureSynapseDevPrivateDnsZoneId]" + "azureManagedGrafanaWorkspacePrivateDnsZoneId": { + "value": "${varPrivateDnsZonesFinalResourceIds}.azureManagedGrafanaWorkspacePrivateDnsZoneId" }, "azureMediaServicesKeyPrivateDnsZoneId": { - "value": "${varPrivateDnsZonesFinalResourceIds}.azureMediaServicesKeyPrivateDnsZoneId]" + "value": "${varPrivateDnsZonesFinalResourceIds}.azureMediaServicesKeyPrivateDnsZoneId" }, "azureMediaServicesLivePrivateDnsZoneId": { - "value": 
"${varPrivateDnsZonesFinalResourceIds}.azureMediaServicesLivePrivateDnsZoneId]" + "value": "${varPrivateDnsZonesFinalResourceIds}.azureMediaServicesLivePrivateDnsZoneId" }, "azureMediaServicesStreamPrivateDnsZoneId": { - "value": "${varPrivateDnsZonesFinalResourceIds}.azureMediaServicesStreamPrivateDnsZoneId]" + "value": "${varPrivateDnsZonesFinalResourceIds}.azureMediaServicesStreamPrivateDnsZoneId" + }, + "azureMigratePrivateDnsZoneId": { + "value": "${varPrivateDnsZonesFinalResourceIds}.azureMigratePrivateDnsZoneId" }, "azureMonitorPrivateDnsZoneId1": { - "value": "${varPrivateDnsZonesFinalResourceIds}.azureMonitorPrivateDnsZoneId1]" + "value": "${varPrivateDnsZonesFinalResourceIds}.azureMonitorPrivateDnsZoneId1" }, "azureMonitorPrivateDnsZoneId2": { - "value": "${varPrivateDnsZonesFinalResourceIds}.azureMonitorPrivateDnsZoneId2]" + "value": "${varPrivateDnsZonesFinalResourceIds}.azureMonitorPrivateDnsZoneId2" }, "azureMonitorPrivateDnsZoneId3": { - "value": "${varPrivateDnsZonesFinalResourceIds}.azureMonitorPrivateDnsZoneId3]" + "value": "${varPrivateDnsZonesFinalResourceIds}.azureMonitorPrivateDnsZoneId3" }, "azureMonitorPrivateDnsZoneId4": { - "value": "${varPrivateDnsZonesFinalResourceIds}.azureMonitorPrivateDnsZoneId4]" + "value": "${varPrivateDnsZonesFinalResourceIds}.azureMonitorPrivateDnsZoneId4" }, "azureMonitorPrivateDnsZoneId5": { - "value": "${varPrivateDnsZonesFinalResourceIds}.azureMonitorPrivateDnsZoneId5]" + "value": "${varPrivateDnsZonesFinalResourceIds}.azureMonitorPrivateDnsZoneId5" }, - "azureWebPrivateDnsZoneId": { - "value": "${varPrivateDnsZonesFinalResourceIds}.azureWebPrivateDnsZoneId]" + "azureRedisCachePrivateDnsZoneId": { + "value": "${varPrivateDnsZonesFinalResourceIds}.azureRedisCachePrivateDnsZoneId" }, - "azureBatchPrivateDnsZoneId": { - "value": "${varPrivateDnsZonesFinalResourceIds}.azureBatchPrivateDnsZoneId]" + "azureServiceBusNamespacePrivateDnsZoneId": { + "value": 
"${varPrivateDnsZonesFinalResourceIds}.azureServiceBusNamespacePrivateDnsZoneId" }, - "azureAppPrivateDnsZoneId": { - "value": "${varPrivateDnsZonesFinalResourceIds}.azureAppPrivateDnsZoneId]" + "azureSignalRPrivateDnsZoneId": { + "value": "${varPrivateDnsZonesFinalResourceIds}.azureSignalRPrivateDnsZoneId" }, - "azureAsrPrivateDnsZoneId": { - "value": "${varPrivateDnsZonesFinalResourceIds}.azureAsrPrivateDnsZoneId]" + "azureSiteRecoveryBackupPrivateDnsZoneId": { + "value": "${varPrivateDnsZonesFinalResourceIds}.azureSiteRecoveryBackupPrivateDnsZoneId" }, - "azureIotPrivateDnsZoneId": { - "value": "${varPrivateDnsZonesFinalResourceIds}.azureIotPrivateDnsZoneId]" + "azureSiteRecoveryBlobPrivateDnsZoneId": { + "value": "${varPrivateDnsZonesFinalResourceIds}.azureSiteRecoveryBlobPrivateDnsZoneId" }, - "azureKeyVaultPrivateDnsZoneId": { - "value": "${varPrivateDnsZonesFinalResourceIds}.azureKeyVaultPrivateDnsZoneId]" + "azureSiteRecoveryQueuePrivateDnsZoneId": { + "value": "${varPrivateDnsZonesFinalResourceIds}.azureSiteRecoveryQueuePrivateDnsZoneId" }, - "azureSignalRPrivateDnsZoneId": { - "value": "${varPrivateDnsZonesFinalResourceIds}.azureSignalRPrivateDnsZoneId]" + "azureStorageBlobPrivateDnsZoneId": { + "value": "${varPrivateDnsZonesFinalResourceIds}.azureStorageBlobPrivateDnsZoneId" }, - "azureAppServicesPrivateDnsZoneId": { - "value": "${varPrivateDnsZonesFinalResourceIds}.azureAppServicesPrivateDnsZoneId]" + "azureStorageBlobSecPrivateDnsZoneId": { + "value": "${varPrivateDnsZonesFinalResourceIds}.azureStorageBlobSecPrivateDnsZoneId" }, - "azureEventGridTopicsPrivateDnsZoneId": { - "value": "${varPrivateDnsZonesFinalResourceIds}.azureEventGridTopicsPrivateDnsZoneId]" + "azureStorageDFSPrivateDnsZoneId": { + "value": "${varPrivateDnsZonesFinalResourceIds}.azureStorageDFSPrivateDnsZoneId" }, - "azureDiskAccessPrivateDnsZoneId": { - "value": "${varPrivateDnsZonesFinalResourceIds}.azureDiskAccessPrivateDnsZoneId]" + "azureStorageDFSSecPrivateDnsZoneId": { + 
"value": "${varPrivateDnsZonesFinalResourceIds}.azureStorageDFSSecPrivateDnsZoneId" }, - "azureCognitiveServicesPrivateDnsZoneId": { - "value": "${varPrivateDnsZonesFinalResourceIds}.azureCognitiveServicesPrivateDnsZoneId]" + "azureStorageFilePrivateDnsZoneId": { + "value": "${varPrivateDnsZonesFinalResourceIds}.azureStorageFilePrivateDnsZoneId" }, - "azureIotHubsPrivateDnsZoneId": { - "value": "${varPrivateDnsZonesFinalResourceIds}.azureIotHubsPrivateDnsZoneId]" + "azureStorageQueuePrivateDnsZoneId": { + "value": "${varPrivateDnsZonesFinalResourceIds}.azureStorageQueuePrivateDnsZoneId" }, - "azureEventGridDomainsPrivateDnsZoneId": { - "value": "${varPrivateDnsZonesFinalResourceIds}.azureEventGridDomainsPrivateDnsZoneId]" + "azureStorageQueueSecPrivateDnsZoneId": { + "value": "${varPrivateDnsZonesFinalResourceIds}.azureStorageQueueSecPrivateDnsZoneId" }, - "azureRedisCachePrivateDnsZoneId": { - "value": "${varPrivateDnsZonesFinalResourceIds}.azureRedisCachePrivateDnsZoneId]" + "azureStorageStaticWebPrivateDnsZoneId": { + "value": "${varPrivateDnsZonesFinalResourceIds}.azureStorageStaticWebPrivateDnsZoneId" }, - "azureAcrPrivateDnsZoneId": { - "value": "${varPrivateDnsZonesFinalResourceIds}.azureAcrPrivateDnsZoneId]" + "azureStorageStaticWebSecPrivateDnsZoneId": { + "value": "${varPrivateDnsZonesFinalResourceIds}.azureStorageStaticWebSecPrivateDnsZoneId" }, - "azureEventHubNamespacePrivateDnsZoneId": { - "value": "${varPrivateDnsZonesFinalResourceIds}.azureEventHubNamespacePrivateDnsZoneId]" + "azureStorageTablePrivateDnsZoneId": { + "value": "${varPrivateDnsZonesFinalResourceIds}.azureStorageTablePrivateDnsZoneId" }, - "azureMachineLearningWorkspacePrivateDnsZoneId": { - "value": "${varPrivateDnsZonesFinalResourceIds}.azureMachineLearningWorkspacePrivateDnsZoneId]" + "azureStorageTableSecondaryPrivateDnsZoneId": { + "value": "${varPrivateDnsZonesFinalResourceIds}.azureStorageTableSecondaryPrivateDnsZoneId" }, - "azureMachineLearningWorkspaceSecondPrivateDnsZoneId": 
{ - "value": "${varPrivateDnsZonesFinalResourceIds}.azureMachineLearningWorkspaceSecondPrivateDnsZoneId]" + "azureSynapseDevPrivateDnsZoneId": { + "value": "${varPrivateDnsZonesFinalResourceIds}.azureSynapseDevPrivateDnsZoneId" }, - "azureServiceBusNamespacePrivateDnsZoneId": { - "value": "${varPrivateDnsZonesFinalResourceIds}.azureServiceBusNamespacePrivateDnsZoneId]" + "azureSynapseSQLPrivateDnsZoneId": { + "value": "${varPrivateDnsZonesFinalResourceIds}.azureSynapseSQLPrivateDnsZoneId" }, - "azureCognitiveSearchPrivateDnsZoneId": { - "value": "${varPrivateDnsZonesFinalResourceIds}.azureCognitiveSearchPrivateDnsZoneId]" + "azureSynapseSQLODPrivateDnsZoneId": { + "value": "${varPrivateDnsZonesFinalResourceIds}.azureSynapseSQLODPrivateDnsZoneId" + }, + "azureVirtualDesktopHostpoolPrivateDnsZoneId": { + "value": "${varPrivateDnsZonesFinalResourceIds}.azureVirtualDesktopHostpoolPrivateDnsZoneId" + }, + "azureVirtualDesktopWorkspacePrivateDnsZoneId": { + "value": "${varPrivateDnsZonesFinalResourceIds}.azureVirtualDesktopWorkspacePrivateDnsZoneId" + }, + "azureWebPrivateDnsZoneId": { + "value": "${varPrivateDnsZonesFinalResourceIds}.azureWebPrivateDnsZoneId" } }, "policyDefinitionId": "${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones", From ec39ad74b987427bff4ba93eb7935eff96f7cfa7 Mon Sep 17 00:00:00 2001 
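Review bot: The alphabetical re-sort of every entry in this hunk is folded in with the two functional changes (dropping the stray `]` that terminated each value, and adding zones such as azureStorageTable, azureSiteRecovery*, azureVirtualDesktop* and azureArc*), so nearly every line shows as removed and re-added and a reviewer cannot verify from the diff that no previously assigned zone was dropped; keeping the original order, or moving the sort into its own commit, would make the set change auditable. The keys in this block also have to agree with the parameters declared by the `Deploy-Private-DNS-Zones` policy set definition referenced on the last context line: as far as I know a key the initiative does not declare makes the assignment fail at deployment time, while an initiative parameter that is missing here silently keeps its default. Since this JSON template cannot carry a comment, the usual guard is a test that compares this key set against the definition's declared parameters.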
From: Zach Trocinski Date: Fri, 6 Dec 2024 16:31:15 -0600 Subject: [PATCH 2/4] Transition back vnetGatewayConfig reference --- .../hubNetworking-multiRegion.bicep | 16 ++++++++++++---- .../modules/hubNetworking/hubNetworking.bicep | 8 ++++++-- .../parameters/hubNetworking.parameters.all.json | 8 ++++++-- .../hubNetworking.parameters.az.all.json | 8 ++++++-- ...Networking.parameters.az.multiRegion.all.json | 12 +++++++++--- .../parameters/hubNetworking.parameters.min.json | 8 ++++++-- .../mc-hubNetworking.parameters.all.json | 8 ++++++-- .../mc-hubNetworking.parameters.min.json | 8 ++++++-- ...zDefaultPolicyAssignments.parameters.min.json | 10 +++++----- 9 files changed, 62 insertions(+), 24 deletions(-) diff --git a/infra-as-code/bicep/modules/hubNetworking/hubNetworking-multiRegion.bicep b/infra-as-code/bicep/modules/hubNetworking/hubNetworking-multiRegion.bicep index 71f617086..6a0aa8163 100644 --- a/infra-as-code/bicep/modules/hubNetworking/hubNetworking-multiRegion.bicep +++ b/infra-as-code/bicep/modules/hubNetworking/hubNetworking-multiRegion.bicep @@ -454,6 +454,8 @@ param parVpnGatewayConfig object = { peerWeight: 5 } vpnClientConfiguration: {} + ipConfigurationName: 'vnetGatewayConfig' + ipConfigurationActiveActiveName: 'vnetGatewayConfig2' } //ASN must be 65515 if deploying VPN & ER for co-existence to work: https://docs.microsoft.com/en-us/azure/expressroute/expressroute-howto-coexist-resource-manager#limits-and-limitations @@ -475,6 +477,8 @@ param parVpnGatewayConfigSecondaryLocation object = { peerWeight: 5 } vpnClientConfiguration: {} + ipConfigurationName: 'vnetGatewayConfig' + ipConfigurationActiveActiveName: 'vnetGatewayConfig2' } @sys.description('Switch to enable/disable ExpressRoute virtual network gateway deployment.') 
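Review bot: The new `ipConfigurationName`/`ipConfigurationActiveActiveName` keys are added to the default objects only, and nothing in the parameter descriptions (outside this hunk) tells a consumer who passes their own `parVpnGatewayConfig`/`parExpressRouteGatewayConfig` object that both keys are now read by the gateway resources, nor what to set for a gateway that was deployed with the previous `vnetGatewayConfig1` default. Renaming the ipConfiguration of an existing virtual network gateway is, as far as I know, rejected by the resource provider or forces a rebuild, so the description should say something like `ipConfigurationName/ipConfigurationActiveActiveName: the IP configuration names of the gateway; for a gateway deployed before this change set ipConfigurationName to 'vnetGatewayConfig1' to avoid a redeploy`. The same applies to the `@@ -475` hunk here and to the default-object hunks `@@ -500` and `@@ -519` in this file and `@@ -301` and `@@ -323` in hubNetworking.bicep.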
@@ -500,6 +504,8 @@ param parExpressRouteGatewayConfig object = { bgpPeeringAddress: '' peerWeight: '5' } + ipConfigurationName: 'vnetGatewayConfig' + ipConfigurationActiveActiveName: 'vnetGatewayConfig2' } @sys.description('Configuration for ExpressRoute virtual network gateway to be deployed in secondary location.') @@ -519,6 +525,8 @@ param parExpressRouteGatewayConfigSecondaryLocation object = { bgpPeeringAddress: '' peerWeight: '5' } + ipConfigurationName: 'vnetGatewayConfig' + ipConfigurationActiveActiveName: 'vnetGatewayConfig2' } @sys.description('''Resource Lock Configuration for ExpressRoute Virtual Network Gateway. @@ -1422,7 +1430,7 @@ resource resGateway 'Microsoft.Network/virtualNetworkGateways@2024-01-01' = [ [ { id: resHubVnet.id - name: 'vnetGatewayConfig1' + name: gateway.ipConfigurationName properties: { publicIPAddress: { id: modGatewayPublicIp[i].outputs.outPublicIpId // Primary Public IP @@ -1438,7 +1446,7 @@ resource resGateway 'Microsoft.Network/virtualNetworkGateways@2024-01-01' = [ ? [ { id: resHubVnet.id - name: 'vnetGatewayConfig2' + name: gateway.ipConfigurationActiveActiveName properties: { publicIPAddress: { id: modGatewayPublicIpActiveActive[i].outputs.outPublicIpId // Secondary Public IP @@ -1492,7 +1500,7 @@ resource resGatewaySecondaryLocation 'Microsoft.Network/virtualNetworkGateways@2 [ { id: resHubVnetSecondaryLocation.id - name: 'vnetGatewayConfig1' + name: gateway.ipConfigurationName properties: { publicIPAddress: { id: modGatewayPublicIpSecondaryLocation[i].outputs.outPublicIpId // Primary Public IP @@ -1508,7 +1516,7 @@ resource resGatewaySecondaryLocation 'Microsoft.Network/virtualNetworkGateways@2 ? [ { id: resHubVnetSecondaryLocation.id - name: 'vnetGatewayConfig2' + name: gateway.ipConfigurationActiveActiveName properties: { publicIPAddress: { id: modGatewayPublicIpActiveActiveSecondaryLocation[i].outputs.outPublicIpId // Secondary Public IP 
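Review bot: `name: gateway.ipConfigurationName` in the `@@ -1422` hunk (and `gateway.ipConfigurationActiveActiveName` in `@@ -1438`, the `@@ -1492`/`@@ -1508` secondary-location hunks, and the two matching hunks in hubNetworking.bicep) reads a key that only exists on the module's default object; a caller who supplies their own `parVpnGatewayConfig` or `parExpressRouteGatewayConfig` object without the new keys, which every parameter file in this repository did before this commit, will have the deployment fail with a missing-property error rather than fall back to the old name. A safe dereference with the same defaults keeps those callers working: `name: gateway.?ipConfigurationName ?? 'vnetGatewayConfig'` and `name: gateway.?ipConfigurationActiveActiveName ?? 'vnetGatewayConfig2'`. The `resGateway` and `resGatewaySecondaryLocation` resource loops start and end outside these hunks.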
diff --git a/infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep b/infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep index 05d0a130d..e383a279e 100644 --- a/infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep +++ b/infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep @@ -301,6 +301,8 @@ param parVpnGatewayConfig object = { peerWeight: 5 } vpnClientConfiguration: {} + ipConfigurationName: 'vnetGatewayConfig' + ipConfigurationActiveActiveName: 'vnetGatewayConfig2' } @sys.description('Switch to enable/disable ExpressRoute virtual network gateway deployment.') @@ -323,6 +325,8 @@ param parExpressRouteGatewayConfig object = { bgpPeeringAddress: '' peerWeight: '5' } + ipConfigurationName: 'vnetGatewayConfig' + ipConfigurationActiveActiveName: 'vnetGatewayConfig2' } @sys.description('''Resource Lock Configuration for ExpressRoute Virtual Network Gateway. @@ -791,7 +795,7 @@ resource resGateway 'Microsoft.Network/virtualNetworkGateways@2024-01-01' = [ [ { id: resHubVnet.id - name: 'vnetGatewayConfig1' + name: gateway.ipConfigurationName properties: { publicIPAddress: { id: modGatewayPublicIp[i].outputs.outPublicIpId // Primary Public IP @@ -807,7 +811,7 @@ resource resGateway 'Microsoft.Network/virtualNetworkGateways@2024-01-01' = [ ? [ { id: resHubVnet.id - name: 'vnetGatewayConfig2' + name: gateway.ipConfigurationActiveActiveName properties: { publicIPAddress: { id: modGatewayPublicIpActiveActive[i].outputs.outPublicIpId // Secondary Public IP diff --git a/infra-as-code/bicep/modules/hubNetworking/parameters/hubNetworking.parameters.all.json b/infra-as-code/bicep/modules/hubNetworking/parameters/hubNetworking.parameters.all.json index 5e93eb89d..79ab5161e 100644 --- a/infra-as-code/bicep/modules/hubNetworking/parameters/hubNetworking.parameters.all.json +++ b/infra-as-code/bicep/modules/hubNetworking/parameters/hubNetworking.parameters.all.json 
@@ -137,7 +137,9 @@ "bgpPeeringAddress": "", "peerWeight": "5" }, - "vpnClientConfiguration": {} + "vpnClientConfiguration": {}, + "ipConfigurationName": "vnetGatewayConfig", + "ipConfigurationActiveActiveName": "vnetGatewayConfig2" } }, "parExpressRouteGatewayEnabled": { @@ -159,7 +161,9 @@ "asn": "65515", "bgpPeeringAddress": "", "peerWeight": "5" - } + }, + "ipConfigurationName": "vnetGatewayConfig", + "ipConfigurationActiveActiveName": "vnetGatewayConfig2" } }, "parTags": { diff --git a/infra-as-code/bicep/modules/hubNetworking/parameters/hubNetworking.parameters.az.all.json b/infra-as-code/bicep/modules/hubNetworking/parameters/hubNetworking.parameters.az.all.json index ec30bd6ca..8508b72ce 100644 --- a/infra-as-code/bicep/modules/hubNetworking/parameters/hubNetworking.parameters.az.all.json +++ b/infra-as-code/bicep/modules/hubNetworking/parameters/hubNetworking.parameters.az.all.json @@ -149,7 +149,9 @@ "bgpPeeringAddress": "", "peerWeight": "5" }, - "vpnClientConfiguration": {} + "vpnClientConfiguration": {}, + "ipConfigurationName": "vnetGatewayConfig", + "ipConfigurationActiveActiveName": "vnetGatewayConfig2" } }, "parExpressRouteGatewayEnabled": { @@ -171,7 +173,9 @@ "asn": "65515", "bgpPeeringAddress": "", "peerWeight": "5" - } + }, + "ipConfigurationName": "vnetGatewayConfig", + "ipConfigurationActiveActiveName": "vnetGatewayConfig2" } }, "parTags": { diff --git a/infra-as-code/bicep/modules/hubNetworking/parameters/hubNetworking.parameters.az.multiRegion.all.json b/infra-as-code/bicep/modules/hubNetworking/parameters/hubNetworking.parameters.az.multiRegion.all.json index b4ca1f4de..6110e1d32 100644 --- a/infra-as-code/bicep/modules/hubNetworking/parameters/hubNetworking.parameters.az.multiRegion.all.json +++ b/infra-as-code/bicep/modules/hubNetworking/parameters/hubNetworking.parameters.az.multiRegion.all.json 
@@ -264,7 +264,9 @@ "bgpPeeringAddress": "", "peerWeight": "5" }, - "vpnClientConfiguration": {} + "vpnClientConfiguration": {}, + "ipConfigurationName": "vnetGatewayConfig", + "ipConfigurationActiveActiveName": "vnetGatewayConfig2" } }, "parVpnGatewayConfigSecondaryLocation": { @@ -284,7 +286,9 @@ "bgpPeeringAddress": "", "peerWeight": "5" }, - "vpnClientConfiguration": {} + "vpnClientConfiguration": {}, + "ipConfigurationName": "vnetGatewayConfig", + "ipConfigurationActiveActiveName": "vnetGatewayConfig2" } }, "parExpressRouteGatewayEnabled": { @@ -306,7 +310,9 @@ "asn": "65515", "bgpPeeringAddress": "", "peerWeight": "5" - } + }, + "ipConfigurationName": "vnetGatewayConfig", + "ipConfigurationActiveActiveName": "vnetGatewayConfig2" } }, "parExpressRouteGatewayEnabledSecondaryLocation": { diff --git a/infra-as-code/bicep/modules/hubNetworking/parameters/hubNetworking.parameters.min.json b/infra-as-code/bicep/modules/hubNetworking/parameters/hubNetworking.parameters.min.json index c59fbe5df..898bf0c01 100644 --- a/infra-as-code/bicep/modules/hubNetworking/parameters/hubNetworking.parameters.min.json +++ b/infra-as-code/bicep/modules/hubNetworking/parameters/hubNetworking.parameters.min.json @@ -94,7 +94,9 @@ "asn": "65515", "bgpPeeringAddress": "", "peerWeight": "5" - } + }, + "ipConfigurationName": "vnetGatewayConfig", + "ipConfigurationActiveActiveName": "vnetGatewayConfig2" } }, "parExpressRouteGatewayEnabled": { @@ -116,7 +118,9 @@ "asn": "65515", "bgpPeeringAddress": "", "peerWeight": "5" - } + }, + "ipConfigurationName": "vnetGatewayConfig", + "ipConfigurationActiveActiveName": "vnetGatewayConfig2" } }, "parTelemetryOptOut": { diff --git a/infra-as-code/bicep/modules/hubNetworking/parameters/mc-hubNetworking.parameters.all.json b/infra-as-code/bicep/modules/hubNetworking/parameters/mc-hubNetworking.parameters.all.json index 7fe471466..3c1ce5f83 100644 --- a/infra-as-code/bicep/modules/hubNetworking/parameters/mc-hubNetworking.parameters.all.json 
+++ b/infra-as-code/bicep/modules/hubNetworking/parameters/mc-hubNetworking.parameters.all.json @@ -170,7 +170,9 @@ "bgpPeeringAddress": "", "peerWeight": "5" }, - "vpnClientConfiguration": {} + "vpnClientConfiguration": {}, + "ipConfigurationName": "vnetGatewayConfig", + "ipConfigurationActiveActiveName": "vnetGatewayConfig2" } }, "parExpressRouteGatewayEnabled": { @@ -192,7 +194,9 @@ "asn": "65515", "bgpPeeringAddress": "", "peerWeight": "5" - } + }, + "ipConfigurationName": "vnetGatewayConfig", + "ipConfigurationActiveActiveName": "vnetGatewayConfig2" } }, "parTags": { diff --git a/infra-as-code/bicep/modules/hubNetworking/parameters/mc-hubNetworking.parameters.min.json b/infra-as-code/bicep/modules/hubNetworking/parameters/mc-hubNetworking.parameters.min.json index 463ae0dcc..d268f6879 100644 --- a/infra-as-code/bicep/modules/hubNetworking/parameters/mc-hubNetworking.parameters.min.json +++ b/infra-as-code/bicep/modules/hubNetworking/parameters/mc-hubNetworking.parameters.min.json @@ -130,7 +130,9 @@ "asn": "65515", "bgpPeeringAddress": "", "peerWeight": "5" - } + }, + "ipConfigurationName": "vnetGatewayConfig", + "ipConfigurationActiveActiveName": "vnetGatewayConfig2" } }, "parExpressRouteGatewayEnabled": { @@ -152,7 +154,9 @@ "asn": "65515", "bgpPeeringAddress": "", "peerWeight": "5" - } + }, + "ipConfigurationName": "vnetGatewayConfig", + "ipConfigurationActiveActiveName": "vnetGatewayConfig2" } }, "parTelemetryOptOut": { diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.min.json b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.min.json index 722d45501..908542c10 100644 --- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.min.json +++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.min.json 
@@ -12,19 +12,19 @@ "value": "eastus" }, "parLogAnalyticsWorkspaceResourceId": { - "value": "/subscriptions/69ac80fe-dbff-4971-9cba-9cb384486ba5/resourceGroups/alz-logging/providers/Microsoft.OperationalInsights/workspaces/alz-log-analytics" + "value": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/alz-logging/providers/Microsoft.OperationalInsights/workspaces/alz-log-analytics" }, "parDataCollectionRuleVMInsightsResourceId": { - "value": "/subscriptions/69ac80fe-dbff-4971-9cba-9cb384486ba5/resourceGroups/alz-logging/providers/Microsoft.Insights/dataCollectionRules/alz-ama-vmi-dcr" + "value": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/alz-logging/providers/Microsoft.Insights/dataCollectionRules/alz-ama-vmi-dcr" }, "parDataCollectionRuleChangeTrackingResourceId": { - "value": "/subscriptions/69ac80fe-dbff-4971-9cba-9cb384486ba5/resourceGroups/alz-logging/providers/Microsoft.Insights/dataCollectionRules/alz-ama-ct-dcr" + "value": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/alz-logging/providers/Microsoft.Insights/dataCollectionRules/alz-ama-ct-dcr" }, "parDataCollectionRuleMDFCSQLResourceId": { - "value": "/subscriptions/69ac80fe-dbff-4971-9cba-9cb384486ba5/resourceGroups/alz-logging/providers/Microsoft.Insights/dataCollectionRules/ama-mdfcsql-default-dcr" + "value": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/alz-logging/providers/Microsoft.Insights/dataCollectionRules/ama-mdfcsql-default-dcr" }, "parUserAssignedManagedIdentityResourceId": { - "value": "/subscriptions/69ac80fe-dbff-4971-9cba-9cb384486ba5/resourcegroups/alz-logging/providers/Microsoft.ManagedIdentity/userAssignedIdentities/alz-umi-identity" + "value": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourcegroups/alz-logging/providers/Microsoft.ManagedIdentity/userAssignedIdentities/alz-umi-identity" }, "parLogAnalyticsWorkspaceLogRetentionInDays": { "value": "365" 
From 912b677f9036621321188ec467325694c89faaec Mon Sep 17 00:00:00 2001 From: github-actions <41898282+github-actions[bot]@users.noreply.github.com> Date: Fri, 6 Dec 2024 22:45:16 +0000 Subject: [PATCH 3/4] Generate Parameter Markdowns [oZakari/c151f035] --- .../hubNetworking-multiRegion.bicep.md | 24 ++++++++++++------- .../generateddocs/hubNetworking.bicep.md | 12 ++++++---- 2 files changed, 24 insertions(+), 12 deletions(-) diff --git a/infra-as-code/bicep/modules/hubNetworking/generateddocs/hubNetworking-multiRegion.bicep.md b/infra-as-code/bicep/modules/hubNetworking/generateddocs/hubNetworking-multiRegion.bicep.md index f06180266..3cbf8420d 100644 --- a/infra-as-code/bicep/modules/hubNetworking/generateddocs/hubNetworking-multiRegion.bicep.md +++ b/infra-as-code/bicep/modules/hubNetworking/generateddocs/hubNetworking-multiRegion.bicep.md @@ -735,7 +735,7 @@ Switch to enable/disable VPN virtual network gateway deployment in secondary loc Configuration for VPN virtual network gateway to be deployed. -- Default value: `@{name=[format('{0}-Vpn-Gateway-{1}', parameters('parCompanyPrefix'), parameters('parLocation'))]; gatewayType=Vpn; sku=VpnGw1; vpnType=RouteBased; generation=Generation1; enableBgp=False; activeActive=False; enableBgpRouteTranslationForNat=False; enableDnsForwarding=False; bgpPeeringAddress=; bgpsettings=; vpnClientConfiguration=}` +- Default value: `@{name=[format('{0}-Vpn-Gateway-{1}', parameters('parCompanyPrefix'), parameters('parLocation'))]; gatewayType=Vpn; sku=VpnGw1; vpnType=RouteBased; generation=Generation1; enableBgp=False; activeActive=False; enableBgpRouteTranslationForNat=False; enableDnsForwarding=False; bgpPeeringAddress=; bgpsettings=; vpnClientConfiguration=; ipConfigurationName=vnetGatewayConfig; ipConfigurationActiveActiveName=vnetGatewayConfig2}` ### parVpnGatewayConfigSecondaryLocation 
@@ -743,7 +743,7 @@ Configuration for VPN virtual network gateway to be deployed. Configuration for VPN virtual network gateway to be deployed in secondary location. -- Default value: `@{name=[format('{0}-Vpn-Gateway-{1}', parameters('parCompanyPrefix'), parameters('parSecondaryLocation'))]; gatewayType=Vpn; sku=VpnGw1; vpnType=RouteBased; generation=Generation1; enableBgp=False; activeActive=False; enableBgpRouteTranslationForNat=False; enableDnsForwarding=False; bgpPeeringAddress=; bgpsettings=; vpnClientConfiguration=}` +- Default value: `@{name=[format('{0}-Vpn-Gateway-{1}', parameters('parCompanyPrefix'), parameters('parSecondaryLocation'))]; gatewayType=Vpn; sku=VpnGw1; vpnType=RouteBased; generation=Generation1; enableBgp=False; activeActive=False; enableBgpRouteTranslationForNat=False; enableDnsForwarding=False; bgpPeeringAddress=; bgpsettings=; vpnClientConfiguration=; ipConfigurationName=vnetGatewayConfig; ipConfigurationActiveActiveName=vnetGatewayConfig2}` ### parExpressRouteGatewayEnabled @@ -767,7 +767,7 @@ Switch to enable/disable ExpressRoute virtual network gateway deployment in seco Configuration for ExpressRoute virtual network gateway to be deployed. -- Default value: `@{name=[format('{0}-ExpressRoute-Gateway', parameters('parCompanyPrefix'))]; gatewayType=ExpressRoute; sku=ErGw1AZ; vpnType=RouteBased; vpnGatewayGeneration=None; enableBgp=False; activeActive=False; enableBgpRouteTranslationForNat=False; enableDnsForwarding=False; bgpPeeringAddress=; bgpsettings=}` +- Default value: `@{name=[format('{0}-ExpressRoute-Gateway', parameters('parCompanyPrefix'))]; gatewayType=ExpressRoute; sku=ErGw1AZ; vpnType=RouteBased; vpnGatewayGeneration=None; enableBgp=False; activeActive=False; enableBgpRouteTranslationForNat=False; enableDnsForwarding=False; bgpPeeringAddress=; bgpsettings=; ipConfigurationName=vnetGatewayConfig; ipConfigurationActiveActiveName=vnetGatewayConfig2}` ### parExpressRouteGatewayConfigSecondaryLocation 
@@ -775,7 +775,7 @@ Configuration for ExpressRoute virtual network gateway to be deployed. Configuration for ExpressRoute virtual network gateway to be deployed in secondary location. -- Default value: `@{name=[format('{0}-ExpressRoute-Gateway', parameters('parCompanyPrefix'))]; gatewayType=ExpressRoute; sku=ErGw1AZ; vpnType=RouteBased; vpnGatewayGeneration=None; enableBgp=False; activeActive=False; enableBgpRouteTranslationForNat=False; enableDnsForwarding=False; bgpPeeringAddress=; bgpsettings=}` +- Default value: `@{name=[format('{0}-ExpressRoute-Gateway', parameters('parCompanyPrefix'))]; gatewayType=ExpressRoute; sku=ErGw1AZ; vpnType=RouteBased; vpnGatewayGeneration=None; enableBgp=False; activeActive=False; enableBgpRouteTranslationForNat=False; enableDnsForwarding=False; bgpPeeringAddress=; bgpsettings=; ipConfigurationName=vnetGatewayConfig; ipConfigurationActiveActiveName=vnetGatewayConfig2}` ### parVirtualNetworkGatewayLock @@ -1173,7 +1173,9 @@ outBastionNsgNameSecondaryLocation | string | "bgpPeeringAddress": "", "peerWeight": 5 }, - "vpnClientConfiguration": {} + "vpnClientConfiguration": {}, + "ipConfigurationName": "vnetGatewayConfig", + "ipConfigurationActiveActiveName": "vnetGatewayConfig2" } }, "parVpnGatewayConfigSecondaryLocation": { @@ -1193,7 +1195,9 @@ outBastionNsgNameSecondaryLocation | string | "bgpPeeringAddress": "", "peerWeight": 5 }, - "vpnClientConfiguration": {} + "vpnClientConfiguration": {}, + "ipConfigurationName": "vnetGatewayConfig", + "ipConfigurationActiveActiveName": "vnetGatewayConfig2" } }, "parExpressRouteGatewayEnabled": { @@ -1218,7 +1222,9 @@ outBastionNsgNameSecondaryLocation | string | "asn": "65515", "bgpPeeringAddress": "", "peerWeight": "5" - } + }, + "ipConfigurationName": "vnetGatewayConfig", + "ipConfigurationActiveActiveName": "vnetGatewayConfig2" } }, "parExpressRouteGatewayConfigSecondaryLocation": { 
@@ -1237,7 +1243,9 @@ outBastionNsgNameSecondaryLocation | string | "asn": "65515", "bgpPeeringAddress": "", "peerWeight": "5" - } + }, + "ipConfigurationName": "vnetGatewayConfig", + "ipConfigurationActiveActiveName": "vnetGatewayConfig2" } }, "parVirtualNetworkGatewayLock": { diff --git a/infra-as-code/bicep/modules/hubNetworking/generateddocs/hubNetworking.bicep.md b/infra-as-code/bicep/modules/hubNetworking/generateddocs/hubNetworking.bicep.md index bd7acda70..bc13b6d65 100644 --- a/infra-as-code/bicep/modules/hubNetworking/generateddocs/hubNetworking.bicep.md +++ b/infra-as-code/bicep/modules/hubNetworking/generateddocs/hubNetworking.bicep.md @@ -454,7 +454,7 @@ Switch to enable/disable VPN virtual network gateway deployment. Configuration for VPN virtual network gateway to be deployed. -- Default value: `@{name=[format('{0}-Vpn-Gateway', parameters('parCompanyPrefix'))]; gatewayType=Vpn; sku=VpnGw1; vpnType=RouteBased; generation=Generation1; enableBgp=False; activeActive=False; enableBgpRouteTranslationForNat=False; enableDnsForwarding=False; bgpPeeringAddress=; bgpsettings=; vpnClientConfiguration=}` +- Default value: `@{name=[format('{0}-Vpn-Gateway', parameters('parCompanyPrefix'))]; gatewayType=Vpn; sku=VpnGw1; vpnType=RouteBased; generation=Generation1; enableBgp=False; activeActive=False; enableBgpRouteTranslationForNat=False; enableDnsForwarding=False; bgpPeeringAddress=; bgpsettings=; vpnClientConfiguration=; ipConfigurationName=vnetGatewayConfig; ipConfigurationActiveActiveName=vnetGatewayConfig2}` ### parExpressRouteGatewayEnabled 
@@ -470,7 +470,7 @@ Switch to enable/disable ExpressRoute virtual network gateway deployment. Configuration for ExpressRoute virtual network gateway to be deployed. -- Default value: `@{name=[format('{0}-ExpressRoute-Gateway', parameters('parCompanyPrefix'))]; gatewayType=ExpressRoute; sku=ErGw1AZ; vpnType=RouteBased; vpnGatewayGeneration=None; enableBgp=False; activeActive=False; enableBgpRouteTranslationForNat=False; enableDnsForwarding=False; bgpPeeringAddress=; bgpsettings=}` +- Default value: `@{name=[format('{0}-ExpressRoute-Gateway', parameters('parCompanyPrefix'))]; gatewayType=ExpressRoute; sku=ErGw1AZ; vpnType=RouteBased; vpnGatewayGeneration=None; enableBgp=False; activeActive=False; enableBgpRouteTranslationForNat=False; enableDnsForwarding=False; bgpPeeringAddress=; bgpsettings=; ipConfigurationName=vnetGatewayConfig; ipConfigurationActiveActiveName=vnetGatewayConfig2}` ### parVirtualNetworkGatewayLock @@ -733,7 +733,9 @@ outBastionNsgName | string | "bgpPeeringAddress": "", "peerWeight": 5 }, - "vpnClientConfiguration": {} + "vpnClientConfiguration": {}, + "ipConfigurationName": "vnetGatewayConfig", + "ipConfigurationActiveActiveName": "vnetGatewayConfig2" } }, "parExpressRouteGatewayEnabled": { @@ -755,7 +757,9 @@ outBastionNsgName | string | "asn": "65515", "bgpPeeringAddress": "", "peerWeight": "5" - } + }, + "ipConfigurationName": "vnetGatewayConfig", + "ipConfigurationActiveActiveName": "vnetGatewayConfig2" } }, "parVirtualNetworkGatewayLock": { From d9c8bc05534d9cf7cc1897530d7a6a205c75ec9a Mon Sep 17 00:00:00 2001 From: Zach Trocinski <30884663+oZakari@users.noreply.github.com> Date: Tue, 17 Dec 2024 21:11:29 -0600 Subject: [PATCH 4/4] Remove duplicate `parPrivateDnsZonesLocation` entry. --- .../alzDefaultPolicyAssignments.parameters.min.json | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) 
diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.min.json b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.min.json
index 4ec6776a2..9f615a632 100644
--- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.min.json
+++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.min.json
@@ -38,11 +38,8 @@
 "parPrivateDnsZonesLocation": {
 "value": "eastus"
 },
- "parPrivateDnsZonesLocation": {
- "value": "eastus"
- },
 "parTelemetryOptOut": {
- "value": false
+ "value": false
 }
 }
 }