update folder

src/bicep/add-ons/ZTA/modules/tier3.bicep → src/bicep/add-ons/Imaging/modules/tier3.bicep

@@ -2,7 +2,6 @@
 Copyright (c) Microsoft Corporation.
 Licensed under the MIT License.
 */
-
 targetScope = 'resourceGroup'
 /*
 
@@ -27,56 +26,34 @@ param resourcePrefix string = 'zta'
 @description('A suffix, 3 to 6 characters in length, to append to resource names (e.g. "dev", "test", "prod", "mlz"). It defaults to "mlz".')
 param resourceSuffix string = 'mlz'
 
-@description('The region to deploy resources into. It defaults to the deployment location.')
-param location string
-
-@description('The subscription ID for the Identity Network and resources. It defaults to the deployment subscription.')
-param workloadSubscriptionId string
-
-@description('MLZ Deployment output variables in json format. It defaults to the deploymentVariables.json.')
+param deployDefender bool
+param deploymentNameSuffix string = utcNow()
+param deployPolicy bool
+param emailSecurityContact string
+param existingResourceGroup bool
+param firewallPrivateIPAddress string
+param hubResourceGroupName string
 param hubSubscriptionId string
-
-@description('The name of the hub virtual network. It defaults to the deployment output variable.')
 param hubVirtualNetworkName string
-
-@description('The resource ID of the hub virtual network. It defaults to the deployment output variable.')
 param hubVirtualNetworkResourceId string
-
-@description('The resource ID of the log analytics workspace. It defaults to the deployment output variable.')
-param logAnalyticsWorkspaceResourceId string
-
-@description('The name of the log analytics workspace. It defaults to the deployment output variable.')
+param location string
 param logAnalyticsWorkspaceName string
-
-@description('The private IP address of the firewall. It defaults to the deployment output variable.')
-param firewallPrivateIPAddress string
-
-@description('[NISTRev4/NISTRev5/IL5/CMMC] Built-in policy assignments to assign, it defaults to "NISTRev4". IL5 is only available for AzureUsGovernment and will switch to NISTRev4 if tried in AzureCloud.')
+param logAnalyticsWorkspaceResourceId string
+param logStorageSkuName string = 'Standard_GRS'
+param networkSecurityGroupDiagnosticsMetrics array = []
+param networkSecurityGroupRules array = []
 param policy string
-
-@description('When set to "true", deploys the Azure Policy set defined at by the parameter "policy" to the resource groups generated in the deployment. It defaults to "false".')
-param deployPolicy bool
-
-@description('When set to "true", enables Microsoft Defender for Cloud for the subscriptions used in the deployment. It defaults to "false".')
-param deployDefender bool
-
-@description('Email address of the contact, in the form of [email protected]')
-param emailSecurityContact string
-
-@description('The address prefix for the network spoke vnet.')
+param resourceGroupName string
+param subnetAddressPrefix string
+param subnetServiceEndpoints array = []
+param tags object = {}
 param virtualNetworkAddressPrefix string
-
-@description('An array of Network Diagnostic Logs to enable for the workload Virtual Network. See https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/diagnostic-settings?tabs=CMD#logs for valid settings.')
 param virtualNetworkDiagnosticsLogs array = []
-
-@description('An array of Network Diagnostic Metrics to enable for the workload Virtual Network. See https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/diagnostic-settings?tabs=CMD#metrics for valid settings.')
 param virtualNetworkDiagnosticsMetrics array = []
-
 param vNetDnsServers array = [firewallPrivateIPAddress]
-
-@description('An array of Network Security Group rules to apply to the workload Virtual Network. See https://docs.microsoft.com/en-us/azure/templates/microsoft.network/networksecuritygroups/securityrules?tabs=bicep#securityrulepropertiesformat for valid settings.')
-param networkSecurityGroupRules array = []
-
+param workloadLogStorageAccountNameParameter string = 'null'
+param workloadName string = 'zta'
+param workloadSubscriptionId string
 @description('An array of Network Security Group diagnostic logs to apply to the workload Virtual Network. See https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-nsg-manage-log#log-categories for valid settings.')
 param networkSecurityGroupDiagnosticsLogs array = [
   {
@@ -88,36 +65,6 @@ param networkSecurityGroupDiagnosticsLogs array = [
     enabled: true
   }
 ]
-@description('An array of Network Security Group diagnostic logs to apply to the SharedServices Virtual Network. See https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-nsg-manage-log#log-categories for valid settings.')
-param networkSecurityGroupDiagnosticsMetrics array = []
-
-@description('The CIDR Virtual Network Address Prefix for the Workload Virtual Network.')
-param subnetAddressPrefix string
-
-@description('An array of Service Endpoints to enable for the Operations subnet. See https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview for valid settings.')
-param subnetServiceEndpoints array = []
-
-@description('The Storage Account SKU to use for log storage. It defaults to "Standard_GRS". See https://docs.microsoft.com/en-us/rest/api/storagerp/srp_sku_types for valid settings.')
-param logStorageSkuName string = 'Standard_GRS'
-
-@description('A string dictionary of tags to add to deployed resources. See https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json#arm-templates for valid settings.')
-param tags object = {}
-
-@description('A suffix to use for naming deployments uniquely. It defaults to the Bicep resolution of the "utcNow()" function.')
-param deploymentNameSuffix string = utcNow()
-
-@description('The name of the tier 3 workload')
-param workloadName string = 'zta'
-
-@maxLength(24)
-@description('The name of the Storage Account if using this Parameter. Otherwise it will be a calculated value.')
-param workloadLogStorageAccountNameParameter string = 'null'
-
-param existingResourceGroup bool
-
-param resourceGroupName string
-
-param hubResourceGroupName string
 
 
 /*
@@ -134,23 +81,18 @@ param hubResourceGroupName string
 var resourceToken = 'resource_token'
 var nameToken = 'name_token'
 var namingConvention = '${toLower(resourcePrefix)}-${resourceToken}-${nameToken}-${toLower(resourceSuffix)}'
-
 var virtualNetworkNamingConvention = replace(namingConvention, resourceToken, 'vnet')
 var networkSecurityGroupNamingConvention = replace(namingConvention, resourceToken, 'nsg')
 var storageAccountNamingConvention = toLower('${resourcePrefix}st${nameToken}unique_storage_token')
 var subnetNamingConvention = replace(namingConvention, resourceToken, 'snet')
-
 var workloadLogStorageAccountNameTemplate = replace(storageAccountNamingConvention, nameToken, toLower(workloadName))
 var workloadLogStorageAccountUniqueName = replace(workloadLogStorageAccountNameTemplate, 'unique_storage_token', uniqueString(resourcePrefix, resourceSuffix, workloadSubscriptionId))
 var workloadLogStorageAccountNameVariable = take(workloadLogStorageAccountUniqueName, 23)
 var workloadVirtualNetworkName = replace(virtualNetworkNamingConvention, nameToken, workloadName)
 var workloadNetworkSecurityGroupName = replace(networkSecurityGroupNamingConvention, nameToken, workloadName)
 var workloadSubnetName = replace(subnetNamingConvention, nameToken, workloadName)
 var logAnalyticsWorkspaceResourceId_split = split(logAnalyticsWorkspaceResourceId, '/')
-
-
 var workloadLogStorageAccountName = 'null' != workloadLogStorageAccountNameParameter ? workloadLogStorageAccountNameParameter : workloadLogStorageAccountNameVariable
-
 var defaultTags = {
   DeploymentType: 'MissionLandingZoneARM'
 }

src/bicep/add-ons/ZTA/solution.bicep → src/bicep/add-ons/Imaging/solution.bicep

@@ -12,6 +12,9 @@ param automationAccountName string
 @description('The private DNS zone resource ID for the automation account resource.')
 param automationAccountPrivateDnsZoneResourceId string
 
+@description('The name of the Azure Firewall.')
+param azureFirewallName string
+
 @description('The resource ID of the compute gallery image.')
 param computeGalleryImageResourceId string = ''
 
@@ -30,6 +33,14 @@ param diskEncryptionSetResourceId string = ''
 @description('The distribution group for email notifications.')
 param distributionGroup string = ''
 
+
+@description('Defender for Cloud enabled.')
+param deployDefender bool = false
+
+@description('Deploy Policy enabled.')
+param deployPolicy bool = false
+
+
 @description('The suffix to append to deployment names.')
 param deploymentNameSuffix string = utcNow('yyMMddHHs')
 
@@ -43,15 +54,30 @@ param domainJoinUserPrincipalName string = ''
 @description('The domain name to join.')
 param domainName string = ''
 
+@description('The email address for the security contact.')
+param emailSecurityContact string
+
 @description('Determines whether to enable build automation.')
 param enableBuildAutomation bool
 
 @description('Determines whether to exclude the image from the latest version.')
 param excludeFromLatest bool = true
 
+@description('Determines whether to use an existing resource group.')
+param existingResourceGroup bool = false
+
 @description('The array of policy assignment IDs to exempt to prevent issues with the build process.')
 param exemptPolicyAssignmentIds array = []
 
+@description('The hub resource group name.')
+param hubResourceGroupName string
+
+@description('The name of hub subscription.')
+param hubSubscriptionId string
+
+@description('The hub virtual network name.')
+param hubVirtualNetworkName string
+
 @description('Determines whether to use the hybrid use benefit.')
 param hybridUseBenefit bool
 
@@ -128,11 +154,12 @@ param location string = deployment().location
 @description('The resource ID of the log analytics workspace if using build automation and desired.')
 param logAnalyticsWorkspaceResourceId string = ''
 
+@description('The log analytics workspace name.')
+param logAnalyticsWorkspaceName string
 
 @description('The resource ID of the log analytics workspace if using build automation and desired.')
 param spokelogAnalyticsWorkspaceResourceId string
 
-
 @description('The marketplace image offer.')
 param marketplaceImageOffer string = ''
 
@@ -145,21 +172,25 @@ param marketplaceImageSKU string = ''
 @description('The file name of the msrdcwebrtcsvc installer in Azure Blobs.')
 param msrdcwebrtcsvcInstaller string = ''
 
-@description('Determines whether to use an existing resource group.')
-param existingResourceGroup bool = false
-
 @description('The file name of the Office installer in Azure Blobs.')
 param officeInstaller string = ''
 
 @description('The distinguished name of the organizational unit to join.')
 param oUPath string = ''
 
+@description('The policy name')
+param policy string = ''
+
 @description('The count of replicas for the image version resource.')
 param replicaCount int
 
 @description('The name of the resource group.')
 param resourceGroupName string
 
+@description('The prefix for the resource names.')
+param resourcePrefix string
+
+
 @allowed([
   'AzureComputeGallery'
   'AzureMarketplace'
@@ -170,6 +201,9 @@ param sourceImageType string
 @description('The resource ID of the storage account where the installers and scripts are stored in Azure Blobs.')
 param storageAccountResourceId string
 
+@description('The subnet address prefix.')
+param subnetAddressPrefix string
+
 @description('The key value pairs of meta data to apply to the resources.')
 param tags object = {}
 
@@ -185,36 +219,15 @@ param vcRedistInstaller string = ''
 @description('The file name of the vDOT installer in Azure Blobs.')
 param vDOTInstaller string = ''
 
+@description('The virtual network address prefix.')
+param virtualNetworkAddressPrefix string
+
 @description('The size of the image virtual machine.')
 param virtualMachineSize string
 
-param deployDefender bool = false
-
-param deployPolicy bool = false
-
-param emailSecurityContact string
-
-param hubSubscriptionId string
-
-param hubVirtualNetworkName string
-
-param logAnalyticsWorkspaceName string
-
-param policy string = ''
-
-param resourcePrefix string
-
-param hubResourceGroupName string
-
-param subnetAddressPrefix string
-
-param virtualNetworkAddressPrefix string
-
+@description('The workload subscription id.')
 param workloadSubscriptionId string
 
-@description('The name of the Azure Firewall.')
-param azureFirewallName string
-
 var imageDefinitionName = empty(computeGalleryImageResourceId) ? '${imageDefinitionNamePrefix}-${marketplaceImageSKU}' : '${imageDefinitionNamePrefix}-${split(computeGalleryImageResourceId, '/')[10]}'
 var imageVirtualMachineName = take('vmimg-${uniqueString(deploymentNameSuffix)}', 15)
 var managementVirtualMachineName = empty(hybridWorkerName) ? take('vmmgt-${uniqueString(deploymentNameSuffix)}', 15) : hybridWorkerName