Identity Archetype (Azure#359)

* Squashed commit of the following: commit 6d6b3e49855c365f49a4674534b985bacf9cd74c Author: Barry Willis <bawillis@microsoft.com> Date: Mon Feb 27 08:07:45 2023 -0800 changed the areacode on the logging service health alerts architype commit 86b4505c2ffd5127978883c0bc6a1f9b0e7d3268 Author: Barry Willis <bawillis@microsoft.com> Date: Fri Feb 24 16:39:08 2023 -0800 prepping for testing in ESLZ test environment commit 0f92b6bf70aee1377b4d49db436fa7024f1bfd25 Merge: 2a3584a 7749e7b Author: Barry Willis <bawillis@microsoft.com> Date: Fri Feb 24 16:10:37 2023 -0800 Merge remote-tracking branch 'origin/main' into IdentityLZ commit 7749e7b Merge: f6555a4 5337654 Author: Barry Willis <bawillis@microsoft.com> Date: Fri Feb 24 16:08:54 2023 -0800 Merge remote-tracking branch 'github-CanadaPubSecALZ/main' commit f6555a4 Author: Barry Willis <bawillis@microsoft.com> Date: Mon Feb 13 12:30:20 2023 -0800 Added the patch version to the AKS versions in the Data Archetypes commit 8edcb63 Author: Barry Willis <bawillis@microsoft.com> Date: Mon Feb 13 11:32:54 2023 -0800 Changed hte AKS version to only have the Major.Minor commit 37123d7 Author: Barry Willis <bawillis@microsoft.com> Date: Mon Feb 13 11:17:38 2023 -0800 updated AKS version in the Data Archetypes commit 459b3c6 Author: Barry Willis <bawillis@microsoft.com> Date: Mon Feb 13 08:55:13 2023 -0800 changed the servcie health number prefix to 604 commit cccf886 Author: Barry Willis <bawillis@microsoft.com> Date: Mon Feb 13 07:42:52 2023 -0800 changed the invalid dummy service alert phone number to a valid phone number commit 8e9628d Author: Barry Willis <bawillis@microsoft.com> Date: Mon Feb 13 07:01:36 2023 -0800 fixed linter warnings in policy files commit 6c2b2f7 Author: Barry Willis <bawillis@microsoft.com> Date: Sat Feb 11 15:36:36 2023 -0800 Commit 95556ddd: changed the extensionResourceId function to tenantResourceId for all built-in polify definitions commit c58ba48 Author: Barry Willis <bawillis@microsoft.com> Date: Sat Feb 11 15:09:56 2023 -0800 Fixed the AKS policy deployment commit f9e8418 Author: Barry Willis <bawillis@microsoft.com> Date: Sat Feb 11 14:04:22 2023 -0800 Fixed Bug on policy defnition commit 1a3c82e Author: Barry Willis <bawillis@microsoft.com> Date: Fri Feb 10 19:09:02 2023 -0800 updated the linter rules commit 20e1880 Author: Barry Willis <bawillis@microsoft.com> Date: Fri Feb 10 18:52:18 2023 -0800 fixed the remaining linter errors in the policy definitions commit 1610a28 Author: Barry Willis <bawillis@microsoft.com> Date: Fri Feb 10 18:27:14 2023 -0800 fixed the remaining linter warnings commit 9f0e049 Author: Barry Willis <bawillis@microsoft.com> Date: Fri Feb 10 17:31:21 2023 -0800 fixed BCP321 warning commit 466d7b0 Author: Barry Willis <bawillis@microsoft.com> Date: Fri Feb 10 17:22:46 2023 -0800 changed the pOlicyScopedId var to be set by using the MGResourceID Function commit 9362967 Author: Barry Willis <bawillis@microsoft.com> Date: Fri Feb 10 16:48:26 2023 -0800 Fixed Role Definition Id References to use the ResourceId function commit 4bcbc28 Author: Barry Willis <bawillis@microsoft.com> Date: Fri Feb 10 16:07:33 2023 -0800 Fixed BCP321 Linter warning in networking files commit 2a3584a7cac9c5822c7a226bc8a5d44f52d69a65 Author: Barry Willis <bawillis@microsoft.com> Date: Fri Feb 10 15:07:43 2023 -0800 Removed Linter exception BCP321 - will fix in the linter PR commit a0b48ec7710a5ee8023a066e4cb5394074002c1e Author: Barry Willis <bawillis@microsoft.com> Date: Fri Feb 10 10:39:36 2023 -0800 Fixed the bugs with conditionally deploying DNS Resolver commit 4f24be78f48465b404c529b276db66496c9958db Author: Barry Willis <bawillis@microsoft.com> Date: Wed Feb 8 15:29:38 2023 -0800 Updated documentation and made the DNS Resolver subnets optional commit 03fcb5e50b0670c67d1850063dd828ffa6945cf8 Merge: dfe0d9a 0fa01e8 Author: Barry Willis <bawillis@microsoft.com> Date: Mon Feb 6 16:58:41 2023 -0800 Merge remote-tracking branch 'origin/main' into IdentityLZ commit dfe0d9acab086df1d9dfbfbdae5770fbf5da999a Author: Barry Willis <bawillis@microsoft.com> Date: Wed Jan 11 15:52:06 2023 -0800 added Schema validation to the identity config file commit fb88630b5d707db6b7f4ab1aa2455ff79920d5b3 Author: Barry Willis <bawillis@microsoft.com> Date: Mon Jan 9 10:28:13 2023 -0800 changed the DNS Resolver ruleset to be an object-array commit 78aaf4d6cdeff8d9832d8a309f26c10cefe97a22 Author: Barry Willis <bawillis@microsoft.com> Date: Sat Jan 7 13:57:37 2023 -0800 first pass at creating conditional forwarding rulesets in the Identity LZ commit e7b554d04daee83a55a985073ec0c59084c7f3c2 Author: Barry Willis <bawillis@microsoft.com> Date: Fri Jan 6 08:54:27 2023 -0800 Configured Subnet Delegation for Az DNS Resolver commit 978ab9925f876945ba02280493f7deba1c07e7ee Author: Barry Willis <bawillis@microsoft.com> Date: Thu Jan 5 19:52:24 2023 -0800 added Private DNS Resolver to the Identity LZ commit 9735d58fc04d7a587a76a5387deb112c466390fe Author: Barry Willis <bawillis@microsoft.com> Date: Thu Jan 5 13:19:05 2023 -0800 Removed the optional Subnet commit 4cd57ed41a09672b3cfbc1792c2edbdc3569a060 Author: Barry Willis <bawillis@microsoft.com> Date: Thu Jan 5 13:09:36 2023 -0800 first cut at the identity LZ framework commit a119eea02fca28a2028362f484aa2835c9313c1d Author: Barry Willis <bawillis@microsoft.com> Date: Wed Dec 21 11:54:58 2022 -0800 added identitypathfromroot in the branch config file commit 75b6ccc2ab6efd55037e0a5a938d49f2eef32de4 Author: Barry Willis <bawillis@microsoft.com> Date: Wed Dec 21 11:35:12 2022 -0800 Added: identity vars display Changed: location reference to identity param file commit e0cfc41b5a83c4c331689fcafa5edc9928e93d39 Author: Barry Willis <bawillis@microsoft.com> Date: Wed Dec 21 11:22:35 2022 -0800 fixed misconfigured working directory commit fb58b16999aeb9cc6b6b81647c76e95024e1267c Author: Barry Willis <bawillis@microsoft.com> Date: Wed Dec 21 11:18:46 2022 -0800 removed schema validation to test deployment commit 240189de7e30fa57654c3ec76ec37c762ff80133 Author: Barry Willis <bawillis@microsoft.com> Date: Wed Dec 21 11:15:43 2022 -0800 fixed bug - neworking region is now identity region commit 89e63b5976cb5cdc4e85d0b25c01234ffe4853d7 Author: Barry Willis <bawillis@microsoft.com> Date: Wed Dec 21 11:11:48 2022 -0800 initial identity lz deployment commit d4b40b26b893b78d7a9250dffe24c3e9ce06d690 Author: Barry Willis <bawillis@microsoft.com> Date: Wed Dec 21 11:03:29 2022 -0800 Added default region for Identity Subscription commit 41e611818d09181b1a455f612425cae20f0683f7 Author: Barry Willis <bawillis@microsoft.com> Date: Wed Dec 21 08:29:33 2022 -0800 Changed bastion subnet range in identity subnet commit f5a43f2d44803e80db8a043d31e5c9f72fc51675 Author: Barry Willis <bawillis@microsoft.com> Date: Wed Dec 21 07:33:03 2022 -0800 Param file for Identity LZ commit 13d084b0fe74f39ca1423b2eb9f333a2b760b1f2 Author: Barry Willis <bawillis@microsoft.com> Date: Tue Dec 20 15:19:23 2022 +0000 Deleted identity.parameteres.json commit 5ba9a12fa8e8e02f60f3f2afea43681cc84d7446 Merge: 002b2be e395307 Author: Barry Willis <bawillis@microsoft.com> Date: Tue Dec 20 07:18:40 2022 -0800 Merge branch 'IdentityLZ' of https://dev.azure.com/Tredell/CanadaALZ/_git/CanadaALZ into IdentityLZ commit 002b2be1bb5b555a334f35cbb505e7a68f321649 Author: Barry Willis <bawillis@microsoft.com> Date: Tue Dec 20 07:18:32 2022 -0800 id-lz - created param section for id lz commit e395307b1c12786cc28cf3d4b00586dde69739d5 Author: Barry Willis <bawillis@microsoft.com> Date: Tue Dec 20 07:13:54 2022 -0800 id-lz - created param section for id lz commit 7f4a43eb4fdc7f6f37ebab8e661981cccbee9f50 Author: Barry Willis <bawillis@microsoft.com> Date: Mon Dec 19 14:54:57 2022 -0800 disabled privatelink infrastructure to be deployed in hub lz commit db85049ac94b5c394d586b6960343bc1286997f1 Author: Barry Willis <bawillis@microsoft.com> Date: Mon Dec 19 14:46:36 2022 -0800 Configured hub networking parameter files commit 8d772e868803d1b712013f7db21044d48ab730d2 Author: Barry Willis <bawillis@microsoft.com> Date: Mon Dec 19 14:07:43 2022 -0800 removed comment from json - not supported commit 89cde8d92704f1a41a123af46da6dd90568d99cb Author: Barry Willis <bawillis@microsoft.com> Date: Mon Dec 19 12:56:47 2022 -0800 Configuring Policies for deployment to Test enviornment commit ba781ee844a4abd403071e072645988b63ada494 Author: Barry Willis <bawillis@microsoft.com> Date: Mon Dec 19 12:40:53 2022 -0800 added a default security Group commit 1269da21e08fdf4c29a53b38a4d18722c64461e0 Author: Barry Willis <bawillis@microsoft.com> Date: Mon Dec 19 12:26:14 2022 -0800 setting up logging for my test environment commit 4d6a41f4133380223f5895dba270cbce4ae5a39b Author: Barry Willis <bawillis@microsoft.com> Date: Mon Dec 19 12:13:08 2022 -0800 testing the path to the logging configuraiton file commit 75d0b99caf6aed5f809c28566cad35569d78be58 Author: Barry Willis <bawillis@microsoft.com> Date: Mon Dec 19 12:00:14 2022 -0800 added the full path to the logging parameters file commit 32e8382bcb8deaaaab0c7bc1c2791483ef439971 Author: Barry Willis <bawillis@microsoft.com> Date: Mon Dec 19 11:55:00 2022 -0800 path to logging parameters file was incorrect commit 5757d36a486e7f3b707f00848d19cfe64de83358 Author: Barry Willis <bawillis@microsoft.com> Date: Mon Dec 19 11:37:20 2022 -0800 Changed MG Root to match test enviornment commit 1fdd02db1638420decf5ab021fb617b95920aada Author: Barry Willis <bawillis@microsoft.com> Date: Mon Dec 19 11:09:46 2022 -0800 Adding config file for IdentityLZ branch * PowerShell Deployment Files created * GitHub Action Pipelines modified to add the Identity Archetype * made the Identity GitHub Action optional * put the boolean option in single quotes * fixed a few bugs (BCP321 & references to the wrong tenant) * changed the sub id for the logging subscription * Removed the hardcoded reference to the LAW in the identity param file * updated the param file with the LAW ID * disabled private dns zone deployment in the identity sub * removed the config files from my custom branch * uncommented the validation in the Identity ADO Pipeline * removed commented trigger code from ADO Identity Pipeline * renenabled the dployment of the DNSPrivateEndPoints policyset * removed the provider registration for containerservices in the deploy-identity-pipeline yaml * added an explanation comment to the dnsforwardingruleset file * Added telemetry tracking for the identity subscription * fixed cut and paste errors * Updated test cases & documentation * added the consistency check & pull request checks for github actions * fixed spelling error
cds-snc · Mar 3, 2023 · f13f6ec · f13f6ec
1 parent 5337654
commit f13f6ec
Show file tree

Hide file tree

Showing 33 changed files with 3,224 additions and 10 deletions.
diff --git a/.github/workflows/0-everything.yml b/.github/workflows/0-everything.yml
@@ -20,6 +20,11 @@ on:
           - "HubNetworkWithNVA"
           - "HubNetworkWithAzureFirewall"
         default: "HubNetworkWithAzureFirewall"
+      deployIdentity:
+        type: boolean
+        description: "Deploy Identity Subscription"
+        required: true
+        default: false
       subscriptionIds:
         type: string
         description: Subscription ID(s) (optional), e.g. "abcd", "1234"
@@ -306,6 +311,34 @@ jobs:
           -NvaUsername (ConvertTo-SecureString -String '${{secrets.NVA_USERNAME}}' -AsPlainText -Force) `
           -NvaPassword (ConvertTo-SecureString -String '${{secrets.NVA_PASSWORD}} '-AsPlainText -Force)
 
+  identity:
+    name: Identity
+    if: github.event.inputs.deployIdentity == 'true'
+
+    needs:
+      - Logging
+      - HubNetworking
+
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v3
+
+    - name: Configure PowerShell modules
+      run: |
+        Install-Module Az -Force
+        Install-Module powershell-yaml -Force
+
+    - name: Deploy Identity
+      run: |
+        ./RunWorkflows.ps1 `
+          -DeployIdentity `
+          -EnvironmentName '${{github.event.inputs.environmentName}}' `
+          -LoginServicePrincipalJson (ConvertTo-SecureString -String '${{secrets.ALZ_CREDENTIALS}}' -AsPlainText -Force) `
+          -GitHubRepo ${env:GITHUB_REPOSITORY} `
+          -GitHubRef ${env:GITHUB_REF}
+
   SubscriptionMatrix:
     if: github.event.inputs.subscriptionIds != ''
 

diff --git a/.github/workflows/6-identity.yml b/.github/workflows/6-identity.yml
@@ -0,0 +1,46 @@
+# ----------------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT license.
+#
+# THIS CODE AND INFORMATION ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, 
+# EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES 
+# OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
+# ----------------------------------------------------------------------------------
+
+name: 6 - Identity
+
+on:
+  workflow_dispatch:
+    inputs:
+      environmentName:
+        type: string
+        description: Environment name (optional), e.g. CanadaESLZ-main
+        required: false
+
+defaults:
+  run:
+    shell: pwsh
+    working-directory: scripts/deployments
+
+jobs:
+  identity:
+    name: Identity
+    runs-on: ubuntu-latest
+    steps:
+
+    - name: Checkout
+      uses: actions/checkout@v3
+
+    - name: Configure PowerShell modules
+      run: |
+        Install-Module Az -Force
+        Install-Module powershell-yaml -Force
+
+    - name: Deploy Identity
+      run: |
+        ./RunWorkflows.ps1 `
+          -DeployIdentity `
+          -EnvironmentName '${{github.event.inputs.environmentName}}' `
+          -LoginServicePrincipalJson (ConvertTo-SecureString -String '${{secrets.ALZ_CREDENTIALS}}' -AsPlainText -Force) `
+          -GitHubRepo ${env:GITHUB_REPOSITORY} `
+          -GitHubRef ${env:GITHUB_REF}
diff --git a/.github/workflows/6-subscriptions.yml → .github/workflows/7-subscriptions.yml b/.github/workflows/6-subscriptions.yml → .github/workflows/7-subscriptions.yml
diff --git a/.github/workflows/README.md b/.github/workflows/README.md
@@ -22,7 +22,8 @@ The following workflows are present in the `.github/workflows` repository folder
 | 5 | Azure Firewall Policy (required for Hub Networking with Azure Firewall) | `5-azure-firewall-policy.yml`
 | 5 | Hub Networking with Azure Firewall | `5-hub-network-with-azure-firewall.yml`
 | 5 | Hub Networking with NVA | `5-hub-network-with-nva.yml`
-| 6 | Subscriptions | `6-subscriptions.yml`
+| 6 | Identity | `6-identity.yml`
+| 7 | Subscriptions | `7-subscriptions.yml`
 
 With the exception of the `Everything` workflow, all other workflows need to be run in the order specified. For example, the `Policy` workflow is dependent on resources deployed by the `Logging` workflow. Think of it as a layered approach; once the layer is deployed, it only requires re-running if some configuration at that layer changes.
 

diff --git a/.github/workflows/consistency-check.yml b/.github/workflows/consistency-check.yml
@@ -9,6 +9,7 @@ env:
   SCHEMA_FOLDER: schemas/latest/landingzones
   LOGGING_PATH_FROM_ROOT: config/logging
   NETWORKING_PATH_FROM_ROOT: config/networking
+  IDENTITY_PATH_FROM_ROOT: config/identity
   SUBSCRIPTIONS_PATH_FROM_ROOT: config/subscriptions
 
 jobs:
@@ -82,6 +83,14 @@ jobs:
               Get-Content -Raw $_ | Test-Json -SchemaFile $HubNetworkWithNVASchemaFile
           }
 
+          $IdentityFileFilter="*.json"
+          $IdentitySchemaFile="${{env.SCHEMA_FOLDER}}/lz-platform-identity.json"
+
+          Get-ChildItem -Recurse -Filter $IdentityFileFilter -Path "${{env.IDENTITY_PATH_FROM_ROOT}}" | ForEach-Object {
+              Write-Host "Validating: $_ with $IdentitySchemaFile"
+              Get-Content -Raw $_ | Test-Json -SchemaFile $IdentitySchemaFile
+          }
+
           $GenericSubscriptionFileFilter="*generic-subscription*.json"
           $GenericSubscriptionSchemaFile="${{env.SCHEMA_FOLDER}}/lz-generic-subscription.json"
 

diff --git a/.github/workflows/pull-request-check.yml b/.github/workflows/pull-request-check.yml
@@ -12,6 +12,7 @@ env:
   SCHEMA_FOLDER: schemas/latest/landingzones
   LOGGING_PATH_FROM_ROOT: config/logging
   NETWORKING_PATH_FROM_ROOT: config/networking
+  IDENTITY_PATH_FROM_ROOT: config/identity
   SUBSCRIPTIONS_PATH_FROM_ROOT: config/subscriptions
 
 jobs:
@@ -84,6 +85,14 @@ jobs:
               Write-Host "Validating: $_ with $HubNetworkWithNVASchemaFile"
               Get-Content -Raw $_ | Test-Json -SchemaFile $HubNetworkWithNVASchemaFile
           }
+
+          $IdentityFileFilter="*.json"
+          $IdentitySchemaFile="${{env.SCHEMA_FOLDER}}/lz-platform-identity.json"
+
+          Get-ChildItem -Recurse -Filter $IdentityFileFilter -Path "${{env.IDENTITY_PATH_FROM_ROOT}}" | ForEach-Object {
+              Write-Host "Validating: $_ with $IdentitySchemaFile"
+              Get-Content -Raw $_ | Test-Json -SchemaFile $IdentitySchemaFile
+          }
           
           $GenericSubscriptionFileFilter="*generic-subscription*.json"
           $GenericSubscriptionSchemaFile="${{env.SCHEMA_FOLDER}}/lz-generic-subscription.json"

diff --git a/.pipelines/platform-identity.yml b/.pipelines/platform-identity.yml
@@ -0,0 +1,64 @@
+# ----------------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT license.
+#
+# THIS CODE AND INFORMATION ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, 
+# EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES 
+# OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
+# ----------------------------------------------------------------------------------
+
+trigger: none
+
+pr: none
+
+variables:
+- name: devops-org-name
+  value: ${{ replace(replace(variables['System.CollectionUri'], 'https://dev.azure.com/' , ''), '/', '') }}
+- name: logging-config-directory
+  value: $(System.DefaultWorkingDirectory)/$(loggingPathFromRoot)/${{ variables['devops-org-name'] }}-${{ variables['Build.SourceBranchName'] }}
+- name: identity-config-directory
+  value: $(System.DefaultWorkingDirectory)/$(identityPathFromRoot)/${{ variables['devops-org-name'] }}-${{ variables['Build.SourceBranchName'] }}
+- name: variable-template-file
+  value: ${{ variables['devops-org-name'] }}-${{ variables['Build.SourceBranchName'] }}.yml
+- template: ../config/variables/common.yml
+- template: ../config/variables/${{ variables['variable-template-file'] }}
+
+
+pool:
+  vmImage: $[ variables.vmImage ]
+
+stages:
+
+- stage: DeployNetworkingStage
+  displayName: Deploy Networking Stage
+
+  jobs:
+
+  - deployment: DeployIdentityJob
+    displayName: Deploy Identity Job
+    environment: ${{ variables['Build.SourceBranchName'] }}
+    strategy:
+      runOnce:
+        deploy:
+          steps:
+          - checkout: self
+
+          - template: templates/steps/load-variables.yml
+
+          - template: templates/steps/load-log-analytics-vars.yml
+            parameters:
+              logAnalyticsSubscriptionId: $(var-logging-subscriptionId)
+              logAnalyticsConfigurationFile: ${{ variables['logging-config-directory'] }}/$(var-logging-configurationFileName)
+
+          - template: templates/steps/show-variables.yml
+            parameters:
+              json: ${{ convertToJson(variables) }}
+
+          - template: templates/steps/deploy-platform-identity.yml
+            parameters:
+              workingDir: $(System.DefaultWorkingDirectory)/landingzones
+              deployOperation: ${{ variables['deployOperation'] }}
+              identityManagementGroupId: $(var-identity-managementGroupId)
+              identitySubscriptionId: $(var-identity-subscriptionId)
+              identityRegion: $(var-identity-region)
+              identityConfigurationPath: ${{ variables['identity-config-directory'] }}/$(var-identity-configurationFileName)
diff --git a/.pipelines/policy.yml b/.pipelines/policy.yml
@@ -96,7 +96,7 @@ stages:
     - template: templates/steps/define-policyset.yml
       parameters:
         description: 'Define Policy Set'
-        deployTemplates: [AKS, DefenderForCloud, LogAnalytics, Network, DNSPrivateEndpoints, Tags]
+        deployTemplates: [AKS, DefenderForCloud, DNSPrivateEndpoints, LogAnalytics, Network, Tags]
         deployOperation: ${{ variables['deployOperation'] }}
         workingDir: $(System.DefaultWorkingDirectory)/policy/custom/definitions/policyset
 

diff --git a/.pipelines/templates/steps/deploy-platform-identity.yml b/.pipelines/templates/steps/deploy-platform-identity.yml
@@ -0,0 +1,83 @@
+# ----------------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT license.
+#
+# THIS CODE AND INFORMATION ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, 
+# EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES 
+# OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
+# ----------------------------------------------------------------------------------
+
+parameters:
+  - name: workingDir
+    type: string
+  - name: deployOperation
+    type: string
+    default: create
+    values:
+      - create
+      - what-if
+  - name: identityManagementGroupId
+    type: string
+  - name: identitySubscriptionId
+    type: string
+  - name: identityRegion
+    type: string
+  - name: identityConfigurationPath
+    type: string
+
+steps:
+
+- task: PowerShell@2
+  displayName: Validate identity Parameters
+  inputs:
+    targetType: 'inline'
+    script: |
+      $schemaFile="$(Build.SourcesDirectory)/schemas/latest/landingzones/lz-platform-identity.json"
+
+      Write-Host "Parameters File: ${{ parameters.identityConfigurationPath }}"
+      Write-Host "Schema File: ${schemaFile}"
+
+      Get-Content -Raw "${{ parameters.identityConfigurationPath }}" | Test-Json -SchemaFile "${schemaFile}"
+
+- template: ./move-subscription.yml
+  parameters:
+    managementGroup: ${{ parameters.identityManagementGroupId }}
+    subscriptionGuid: ${{ parameters.identitySubscriptionId }}
+    subscriptionLocation: ${{ parameters.identityRegion }}
+    templateDirectory: $(Build.SourcesDirectory)/landingzones/utils/mg-move
+    templateFile: move-subscription.bicep
+    workingDir: ${{ parameters.workingDir }}/utils/mg-move
+
+- task: AzureCLI@2
+  displayName: Configure Identity LZ
+  inputs:
+    azureSubscription: $(serviceConnection)
+    scriptType: 'bash'
+    scriptLocation: 'inlineScript'
+    inlineScript: |
+      $(var-bashPreInjectScript)
+
+      # Check if the log analytics workspace id is provided in the parameters json.
+      # If present, then do no change it.  Otherwise add it to the json parameter file.
+      LOG_ANALYTICS_WORKSPACE_RESOURCE_ID_IN_PARAMETERS=`jq -r .parameters.logAnalyticsWorkspaceResourceId.value ${{ parameters.identityConfigurationPath }}`   
+
+      if [[ $LOG_ANALYTICS_WORKSPACE_RESOURCE_ID_IN_PARAMETERS != null && "$LOG_ANALYTICS_WORKSPACE_RESOURCE_ID_IN_PARAMETERS" != "" ]];
+      then
+        echo "Log Analytics Workspace Resource ID is set in ${{ parameters.identityConfigurationPath }} to $LOG_ANALYTICS_WORKSPACE_RESOURCE_ID_IN_PARAMETERS"
+      else
+        echo "Log Analytics Workspace Resource ID is not set in ${{ parameters.identityConfigurationPath }}.  Updating ${{ parameters.identityConfigurationPath }} with $(var-logging-logAnalyticsWorkspaceResourceId)"
+
+        # use jq to update the json parameter file
+        echo "$( jq '.parameters.logAnalyticsWorkspaceResourceId.value = "$(var-logging-logAnalyticsWorkspaceResourceId)"' ${{ parameters.identityConfigurationPath }} )" > ${{ parameters.identityConfigurationPath }}
+      fi
+
+      echo "Deploying main.bicep using ${{ parameters.deployOperation}} operation using ${{ parameters.identityConfigurationPath  }}..."
+      
+      az deployment sub ${{ parameters.deployOperation }} \
+      --location ${{ parameters.identityRegion }} \
+      --subscription ${{ parameters.identitySubscriptionId }} \
+      --template-file main.bicep \
+      --parameters @${{ parameters.identityConfigurationPath }}
+          
+      $(var-bashPostInjectScript)
+    workingDirectory: '${{ parameters.workingDir }}/lz-platform-identity'
diff --git a/.pipelines/templates/steps/show-variables.yml b/.pipelines/templates/steps/show-variables.yml
@@ -70,4 +70,10 @@ steps:
       echo
       printenv -0 | grep -zi '^var-hubnetwork-nva-' | xargs -0 -L 1 echo
 
+      echo
+      echo
+      echo "IDENTITY"
+      echo
+      printenv -0 | grep -zi '^var-identity-' | xargs -0 -L 1 echo
+
       $(var-bashPostInjectScript)
diff --git a/azresources/network/dns-forwarding-ruleset.bicep b/azresources/network/dns-forwarding-ruleset.bicep
@@ -0,0 +1,57 @@
+// ----------------------------------------------------------------------------------
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
+//
+// THIS CODE AND INFORMATION ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, 
+// EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES 
+// OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
+// ----------------------------------------------------------------------------------
+
+param name string
+param location string = resourceGroup().location
+
+@description('Outbound endpoint id')
+param outEndpointId string
+
+param forwardingRuleSet array
+
+param linkRuleSetToVnet bool = false
+param linkName string = ''
+param vnetId string = '' 
+
+
+
+resource ruleset 'Microsoft.Network/dnsForwardingRulesets@2022-07-01' = {
+  name: name
+  location: location
+  properties: {
+    dnsResolverOutboundEndpoints: [
+      {
+        id: outEndpointId
+      }
+    ]
+  }
+}
+
+resource fwRule 'Microsoft.Network/dnsForwardingRulesets/forwardingRules@2022-07-01' = [for rule in forwardingRuleSet: {
+  name: rule.name
+  parent: ruleset
+  properties: {
+    forwardingRuleState: rule.state
+    domainName: endsWith(rule.domain, '.') ? rule.domain : '${rule.domain}.' //Adding a '.' at the end of the domain name if it is not present
+    targetDnsServers: rule.targetDnsServers
+  }
+}]
+
+
+module dnsResolverLinkVnet 'dnsresolver-vnet-link.bicep'= if(linkRuleSetToVnet){
+  name:'deploy-private-dns-resolver-vnet-link'
+  params:{
+    forwardingRulesetName: ruleset.name
+    linkName: linkName
+    vnetId: vnetId
+  }
+}
+
+output ruleSetName string = ruleset.name
+