From ee5d42ca8b1d68eaa07aa938e595c2853eb1dbe5 Mon Sep 17 00:00:00 2001 From: Jared Holgate Date: Thu, 3 Oct 2024 19:47:06 +0100 Subject: [PATCH] docs: add single region config files (#174) ## Overview/Summary Add single region config file examples for VBD and testing ## This PR fixes/adds/changes/removes N/A ### Breaking Changes None ## Testing Evidence Please provide any testing evidence to show that your Pull Request works/fixes as described and planned (include screenshots, if appropriate). ## As part of this Pull Request I have - [ ] Checked for duplicate [Pull Requests](https://github.com/Azure/alz-terraform-accelerator/pulls) - [ ] Associated it with relevant [issues](https://github.com/Azure/alz-terraform-accelerator/issues), for tracking and closure. - [ ] Ensured my code/branch is up-to-date with the latest changes in the `main` [branch](https://github.com/Azure/alz-terraform-accelerator/tree/main) - [ ] Performed testing and provided evidence. - [ ] Updated relevant and associated documentation. --- ...nfig-hub-and-spoke-vnet-multi-region.yaml} | 0 ...nfig-hub-and-spoke-vnet-single-region.yaml | 129 ++++++++++++++++++ ...l => config-virtual-wan-multi-region.yaml} | 1 + .../config-virtual-wan-single-region.yaml | 120 ++++++++++++++++ templates/complete_multi_region/variables.tf | 2 +- 5 files changed, 251 insertions(+), 1 deletion(-) rename templates/complete_multi_region/{config-hub-and-spoke-vnet.yaml => config-hub-and-spoke-vnet-multi-region.yaml} (100%) create mode 100644 templates/complete_multi_region/config-hub-and-spoke-vnet-single-region.yaml rename templates/complete_multi_region/{config-virtual-wan.yaml => config-virtual-wan-multi-region.yaml} (99%) create mode 100644 templates/complete_multi_region/config-virtual-wan-single-region.yaml 
diff --git a/templates/complete_multi_region/config-hub-and-spoke-vnet.yaml b/templates/complete_multi_region/config-hub-and-spoke-vnet-multi-region.yaml
similarity index 100%
rename from templates/complete_multi_region/config-hub-and-spoke-vnet.yaml
rename to templates/complete_multi_region/config-hub-and-spoke-vnet-multi-region.yaml
diff --git a/templates/complete_multi_region/config-hub-and-spoke-vnet-single-region.yaml b/templates/complete_multi_region/config-hub-and-spoke-vnet-single-region.yaml
new file mode 100644
index 00000000..7294d268
--- /dev/null
+++ b/templates/complete_multi_region/config-hub-and-spoke-vnet-single-region.yaml
@@ -0,0 +1,129 @@
+# This file contains templated variables to avoid repeating the same hard-coded values.
+# Templated variables are denoted by the dollar curly braces token. The following details each templated variable that you can use:
+# `starter_location_01`: This the primary an Azure location sourced from the `starter_locations` variable. This can be used to set the location of resources.
+# `starter_location_02` to `starter_location_10`: These are the secondary Azure locations sourced from the `starter_locations` variable. This can be used to set the location of resources.
+# `starter_location_01_availability_zones` to `starter_location_10_availability_zones`: These are the availability zones for the Azure locations sourced from the `starter_locations` variable. This can be used to set the availability zones of resources.
+# `default_postfix`: This is a string sourced from the variable `default_postfix`. This can be used to append to resource names for consistency.
+# `root_parent_management_group_id`: This is the id of the management group that the ALZ hierarchy will be nested under.
+# `subscription_id_identity`: The subscription ID of the subscription to deploy the identity resources to, sourced from the variable `subscription_id_identity`.
+# `subscription_id_connectivity`: The subscription ID of the subscription to deploy the connectivity resources to, sourced from the variable `subscription_id_connectivity`.
+# `subscription_id_management`: The subscription ID of the subscription to deploy the management resources to, sourced from the variable `subscription_id_management`.
+---
+management_groups: # `caf-enterprise-scale` module, add inputs as listed on the module registry where necessary.
+
+ # Base variables
+ root_name: alz
+ root_id: Azure-Landing-Zones
+ default_location: ${starter_location_01}
+ subscription_id_connectivity: ${subscription_id_connectivity}
+ subscription_id_identity: ${subscription_id_identity}
+ subscription_id_management: ${subscription_id_management}
+ root_parent_id: ${root_parent_management_group_id}
+ deploy_core_landing_zones: true
+ deploy_corp_landing_zones: true
+ deploy_online_landing_zones: true
+ deploy_management_resources: true
+ deploy_connectivity_resources: false # We are using the AVM patterns for connectivity
+ deploy_identity_resources: true
+
+ # Management resource settings
+ configure_management_resources:
+ location: ${starter_location_01}
+ settings:
+ log_analytics:
+ enabled: true
+ config:
+ retention_in_days: 50
+ enable_monitoring_for_vm: true
+ enable_monitoring_for_vmss: true
+ enabled_sentinel: true
+ enable_solution_for_change_tracking: true
+ enable_solution_for_vm_insights: true
+ enable_solution_for_container_insights: true
+ enable_sentinel: true
+ security_center:
+ config:
+ email_security_contact: "security_contact@replace_me"
+ enable_defender_for_app_services: true
+ enable_defender_for_arm: true
+ enable_defender_for_containers: true
+ enable_defender_for_cosmosdbs: true
+ enable_defender_for_cspm: true
+ enable_defender_for_key_vault: true
+ enable_defender_for_oss_databases: true
+ enable_defender_for_servers: true
+ enable_defender_for_servers_vulnerability_assessments: true
+ enable_defender_for_sql_servers: true
+ enable_defender_for_sql_server_vms: true
+ enable_defender_for_storage: true
+ advanced:
+ asc_export_resource_group_name: rg-asc-export-${starter_location_01}
+ custom_settings_by_resource_type:
+ azurerm_resource_group:
+ management:
+ name: rg-management-${starter_location_01}
+ azurerm_log_analytics_workspace:
+ management:
+ name: law-management-${starter_location_01}
+ azurerm_automation_account:
+ management:
+ name: aa-management-${starter_location_01}
+
+ # Configure Private DNS Zone Resource Ids for Policy Assignments
+ configure_connectivity_resources:
+ settings:
+ dns:
+ config:
+ location: ${starter_location_01}
+ advanced:
+ custom_settings_by_resource_type:
+ azurerm_resource_group:
+ dns:
+ ${starter_location_01}:
+ name: rg-private-dns-${starter_location_01}
+
+# Connectivity settings
+connectivity:
+ hub_and_spoke_vnet: # `avm-ptn-hubnetworking` module, add inputs as listed on the module registry where necessary.
+ hub_virtual_networks:
+ # Primary hub
+ primary:
+ name: vnet-hub-${starter_location_01}
+ resource_group_name: rg-connectivity-${starter_location_01}
+ location: ${starter_location_01}
+ address_space:
+ - 10.0.0.0/16
+ firewall:
+ name: fw-hub-${starter_location_01}
+ sku_name: AZFW_VNet
+ sku_tier: Standard
+ subnet_address_prefix: 10.0.1.0/24
+ zones: ${starter_location_01_availability_zones}
+ firewall_policy:
+ name: fwp-hub-${starter_location_01}
+ dns:
+ proxy_enabled: true
+ default_ip_configuration:
+ public_ip_config:
+ zones: ${starter_location_01_availability_zones}
+ name: pip-hub-fw-${starter_location_01}
+ ip_version: "IPv4"
+ virtual_network_gateway: # `avm-ptn-vnetgateway` module, add inputs as listed on the module registry where necessary.
+ name: vgw-hub-${starter_location_01}
+ subnet_address_prefix: 10.0.2.0/24
+ ip_configurations:
+ default:
+ name: default
+ public_ip:
+ name: pip-hub-vgw-${starter_location_01}
+ zones: ${starter_location_01_availability_zones}
+
+ private_dns:
+ resource_group_name: rg-private-dns-${starter_location_01}
+ locations:
+ primary:
+ location: ${starter_location_01}
+ is_primary: true # Deploys all zones
+
+# Configure root module settings
+enable_telemetry: true
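Review bot: `email_security_contact: "security_contact@replace_me"` under security_center.config is a placeholder that nothing in this file marks as mandatory; if it ships unchanged, the security-contact notifications (presumably Defender for Cloud's) for the management subscription are addressed to an invalid mailbox, and as far as this file shows no validation rejects the value. A leading comment would make the requirement visible at the point of use, e.g. `# REQUIRED: replace with a monitored security mailbox before running the accelerator`. The same line appears in the hunk for config-virtual-wan-single-region.yaml. Separately, log_analytics.config lists both `enabled_sentinel: true` and `enable_sentinel: true`; the first looks like a misspelled duplicate of the second and is presumably not a key the `caf-enterprise-scale` module reads, so dropping it avoids a silently ignored setting. The header comment `This the primary an Azure location` also reads as a typo for `This is the primary Azure location`, in both new files.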
diff --git a/templates/complete_multi_region/config-virtual-wan.yaml b/templates/complete_multi_region/config-virtual-wan-multi-region.yaml
similarity index 99%
rename from templates/complete_multi_region/config-virtual-wan.yaml
rename to templates/complete_multi_region/config-virtual-wan-multi-region.yaml
index 1e4360cc..b65f3352 100644
--- a/templates/complete_multi_region/config-virtual-wan.yaml
+++ b/templates/complete_multi_region/config-virtual-wan-multi-region.yaml
@@ -98,6 +98,7 @@ connectivity:
 private_dns_virtual_network_address_space: 10.2.0.0/24
 private_dns_virtual_network_subnet_address_space: 10.2.0.0/28
 dns_resolver_name: dpr-hub-${starter_location_01}
+
 secondary:
 name: vnet-hub-${starter_location_02}
 location: ${starter_location_02}
diff --git a/templates/complete_multi_region/config-virtual-wan-single-region.yaml b/templates/complete_multi_region/config-virtual-wan-single-region.yaml
new file mode 100644
index 00000000..9584e748
--- /dev/null
+++ b/templates/complete_multi_region/config-virtual-wan-single-region.yaml
@@ -0,0 +1,120 @@
+# This file contains templated variables to avoid repeating the same hard-coded values.
+# Templated variables are denoted by the dollar curly braces token. The following details each templated variable that you can use:
+# `starter_location_01`: This the primary an Azure location sourced from the `starter_locations` variable. This can be used to set the location of resources.
+# `starter_location_02` to `starter_location_10`: These are the secondary Azure locations sourced from the `starter_locations` variable. This can be used to set the location of resources.
+# `starter_location_01_availability_zones` to `starter_location_10_availability_zones`: These are the availability zones for the Azure locations sourced from the `starter_locations` variable. This can be used to set the availability zones of resources.
+# `default_postfix`: This is a string sourced from the variable `default_postfix`. This can be used to append to resource names for consistency.
+# `root_parent_management_group_id`: This is the id of the management group that the ALZ hierarchy will be nested under.
+# `subscription_id_identity`: The subscription ID of the subscription to deploy the identity resources to, sourced from the variable `subscription_id_identity`.
+# `subscription_id_connectivity`: The subscription ID of the subscription to deploy the connectivity resources to, sourced from the variable `subscription_id_connectivity`.
+# `subscription_id_management`: The subscription ID of the subscription to deploy the management resources to, sourced from the variable `subscription_id_management`.
+---
+management_groups: # `caf-enterprise-scale` module, add inputs as listed on the module registry where necessary.
+
+ # Base variables
+ root_name: alz
+ root_id: Azure-Landing-Zones
+ default_location: ${starter_location_01}
+ subscription_id_connectivity: ${subscription_id_connectivity}
+ subscription_id_identity: ${subscription_id_identity}
+ subscription_id_management: ${subscription_id_management}
+ root_parent_id: ${root_parent_management_group_id}
+ deploy_core_landing_zones: true
+ deploy_corp_landing_zones: true
+ deploy_online_landing_zones: true
+ deploy_management_resources: true
+ deploy_connectivity_resources: false # We are using the AVM patterns for connectivity
+ deploy_identity_resources: true
+
+ # Management resource settings
+ configure_management_resources:
+ location: ${starter_location_01}
+ settings:
+ log_analytics:
+ enabled: true
+ config:
+ retention_in_days: 50
+ enable_monitoring_for_vm: true
+ enable_monitoring_for_vmss: true
+ enabled_sentinel: true
+ enable_solution_for_change_tracking: true
+ enable_solution_for_vm_insights: true
+ enable_solution_for_container_insights: true
+ enable_sentinel: true
+ security_center:
+ config:
+ email_security_contact: "security_contact@replace_me"
+ enable_defender_for_app_services: true
+ enable_defender_for_arm: true
+ enable_defender_for_containers: true
+ enable_defender_for_cosmosdbs: true
+ enable_defender_for_cspm: true
+ enable_defender_for_key_vault: true
+ enable_defender_for_oss_databases: true
+ enable_defender_for_servers: true
+ enable_defender_for_servers_vulnerability_assessments: true
+ enable_defender_for_sql_servers: true
+ enable_defender_for_sql_server_vms: true
+ enable_defender_for_storage: true
+ advanced:
+ asc_export_resource_group_name: rg-asc-export-${starter_location_01}
+ custom_settings_by_resource_type:
+ azurerm_resource_group:
+ management:
+ name: rg-management-${starter_location_01}
+ azurerm_log_analytics_workspace:
+ management:
+ name: law-management-${starter_location_01}
+ azurerm_automation_account:
+ management:
+ name: aa-management-${starter_location_01}
+
+ # Configure Private DNS Zone Resource Ids for Policy Assignments
+ configure_connectivity_resources:
+ settings:
+ dns:
+ config:
+ location: ${starter_location_01}
+ advanced:
+ custom_settings_by_resource_type:
+ azurerm_resource_group:
+ dns:
+ ${starter_location_01}:
+ name: rg-private-dns-${starter_location_01}
+
+# Connectivity settings
+connectivity:
+ virtual_wan: # `avm-ptn-vwan` module, add inputs as listed on the module registry where necessary.
+ virtual_wan_name: vwan-hub-${starter_location_01}
+ resource_group_name: rg-connectivity-${starter_location_01}
+ location: ${starter_location_01}
+
+ virtual_hubs:
+ primary:
+ name: vnet-hub-${starter_location_01}
+ location: ${starter_location_01}
+ address_prefix: 10.0.0.0/16
+ private_dns_virtual_network_name: vnet-hub-private-dns-${starter_location_01}
+ private_dns_virtual_network_address_space: 10.2.0.0/24
+ private_dns_virtual_network_subnet_address_space: 10.2.0.0/28
+ dns_resolver_name: dpr-hub-${starter_location_01}
+
+ firewalls:
+ primary:
+ virtual_hub_key: primary
+ name: fw-hub-${starter_location_01}
+ sku_name: AZFW_Hub
+ sku_tier: Standard
+ zones: ${starter_location_01_availability_zones}
+ firewall_policy:
+ name: fwp-hub-${starter_location_01}
+
+ private_dns:
+ resource_group_name: rg-private-dns-${starter_location_01}
+ locations:
+ primary:
+ location: ${starter_location_01}
+ is_primary: true # Deploys all zones
+
+# Configure root module settings
+enable_telemetry: true
diff --git a/templates/complete_multi_region/variables.tf b/templates/complete_multi_region/variables.tf
index 1cf7e06d..a702b7db 100644
--- a/templates/complete_multi_region/variables.tf
+++ b/templates/complete_multi_region/variables.tf
@@ -20,7 +20,7 @@ variable "subscription_id_management" {
 variable "configuration_file_path" {
 type = string
- default = "config-hub-and-spoke-vnet.yaml"
+ default = "config-hub-and-spoke-vnet-multi-region.yaml"
 description = "The path of the configuration file|configuration_file_path"
 }