├── .gitattributes ├── .github ├── azFunction │ ├── AzFunctionCode │ │ ├── .funcignore │ │ ├── timerschedule │ │ │ ├── readme.md │ │ │ ├── function.json │ │ │ └── run.ps1 │ │ ├── requirements.psd1 │ │ ├── cancelSubscriptions │ │ │ ├── readme.md │ │ │ ├── function.json │ │ │ └── run.ps1 │ │ ├── host.json │ │ ├── getSubscriptions │ │ │ ├── readme.md │ │ │ └── function.json │ │ ├── getPullRequests │ │ │ ├── function.json │ │ │ ├── readme.md │ │ │ └── run.ps1 │ │ ├── profile.ps1 │ │ └── README.md │ └── README.md ├── dependabot.yml ├── CODEOWNERS ├── actions-config │ ├── gh-ado-sync-config.json │ └── mlc_config.json ├── workflows │ └── pr-title-check.yml └── ISSUE_TEMPLATE │ └── general-feedback-questions-issue-form.yaml ├── docs ├── wiki │ ├── media │ │ ├── bicep-logo.png │ │ ├── bicep-vs-code.png │ │ ├── bicep-structure.png │ │ ├── alz-bicep-watch-demo.gif │ │ ├── alzBicepPolicyUpdate1.PNG │ │ ├── alzBicepPolicyUpdate2.PNG │ │ ├── alzBicepPolicyUpdate3.PNG │ │ ├── alzBicepPolicyUpdate4.PNG │ │ ├── alzBicepPolicyUpdate5.PNG │ │ ├── alzBicepPolicyUpdate6.PNG │ │ ├── alzPolicyAzAdvertizer.png │ │ ├── alz-bicep-release-process.png │ │ ├── alz-update-to-builtin-01.png │ │ ├── high-level-deployment-flow.png │ │ ├── alz-delete-policy-assign-01.png │ │ ├── alz-determine-policy-assign-01.png │ │ ├── alz-determine-policy-assign-02.png │ │ ├── alz-bicep-accelerator-tree-output.png │ │ ├── alz-bicep-accelerator-workflow-hld.png │ │ ├── alz-bicep-accelerator-workflow-lld.png │ │ ├── alz-update-initiative-with-builtin-01.png │ │ ├── alz-update-initiative-with-builtin-02.png │ │ ├── alz-update-initiative-with-builtin-03.png │ │ ├── alz-update-initiative-with-builtin-04.png │ │ └── alz-bicep-accelerator-branching-strategy-diagram.png │ ├── _Footer.md │ └── Accelerator.md └── scripts │ └── callModuleFromACR.example.bicep ├── infra-as-code └── bicep │ ├── modules │ ├── logging │ │ ├── media │ │ │ └── bicepVisualizer.png │ │ ├── parameters │ │ │ ├── logging.parameters.min.json │ │ │ └── 
mc-logging.parameters.min.json │ │ └── samples │ │ │ ├── minimum.sample.bicep │ │ │ └── generateddocs │ │ │ ├── minimum.sample.bicep.md │ │ │ └── baseline.sample.bicep.md │ ├── publicIp │ │ ├── media │ │ │ └── bicepVisualizer.png │ │ ├── samples │ │ │ ├── minimum.sample.bicep │ │ │ ├── baseline.sample.bicep │ │ │ └── generateddocs │ │ │ │ ├── baseline.sample.bicep.md │ │ │ │ └── minimum.sample.bicep.md │ │ └── parameters │ │ │ ├── publicIp.parameters.min.json │ │ │ └── publicIp.parameters.all.json │ ├── vnetPeering │ │ ├── media │ │ │ ├── bicepVisualizer.png │ │ │ └── exampleDeploymentOutput.png │ │ ├── samples │ │ │ ├── generateddocs │ │ │ │ ├── minimum.sample.bicep.md │ │ │ │ └── baseline.sample.bicep.md │ │ │ ├── minimum.sample.bicep │ │ │ └── baseline.sample.bicep │ │ └── parameters │ │ │ ├── vnetPeering.parameters.all.json │ │ │ └── vnetPeering.parameters.min.json │ ├── hubNetworking │ │ ├── media │ │ │ ├── bicepVisualizer.png │ │ │ ├── exampleDeploymentOutput.png │ │ │ ├── mc-exampleDeploymentOutput.png │ │ │ ├── exampleDeploymentOutputEastus.png │ │ │ └── exampleDeploymentOutputwestus.png │ │ └── samples │ │ │ ├── minimum.sample.bicep │ │ │ └── generateddocs │ │ │ ├── baseline.sample.bicep.md │ │ │ └── minimum.sample.bicep.md │ ├── mgDiagSettings │ │ ├── media │ │ │ └── bicepVisualizer.png │ │ └── parameters │ │ │ ├── mgDiagSettings.parameters.min.json │ │ │ └── mgDiagSettings.parameters.all.json │ ├── resourceGroup │ │ ├── media │ │ │ └── bicepVisualizer.png │ │ ├── samples │ │ │ ├── generateddocs │ │ │ │ ├── baseline.sample.bicep.md │ │ │ │ └── minimum.sample.bicep.md │ │ │ ├── minimum.sample.bicep │ │ │ └── baseline.sample.bicep │ │ ├── parameters │ │ │ ├── resourceGroup.parameters.min.json │ │ │ └── resourceGroup.parameters.all.json │ │ └── README.md │ ├── managementGroups │ │ ├── media │ │ │ ├── bicepVisualizer.png │ │ │ └── exampleDeploymentOutput.png │ │ ├── parameters │ │ │ ├── managementGroups.parameters.min.json │ │ │ └── 
managementGroups.parameters.all.json │ │ └── samples │ │ │ ├── generateddocs │ │ │ ├── minimum.sample.bicep.md │ │ │ └── baseline.sample.bicep.md │ │ │ └── minimum.sample.bicep │ ├── policy │ │ ├── exemptions │ │ │ ├── media │ │ │ │ └── bicepVisualizer.png │ │ │ └── README.md │ │ ├── assignments │ │ │ ├── media │ │ │ │ └── bicepVisualizer.png │ │ │ ├── alzDefaults │ │ │ │ └── media │ │ │ │ │ └── bicepVisualizer.png │ │ │ ├── workloadSpecific │ │ │ │ ├── media │ │ │ │ │ └── bicepVisualizer.png │ │ │ │ └── parameters │ │ │ │ │ └── workloadSpecificPolicyAssignments.parameters.min.json │ │ │ └── lib │ │ │ │ ├── china │ │ │ │ └── policy_assignments │ │ │ │ │ ├── policy_assignment_es_deploy_asc_monitoring.tmpl.json │ │ │ │ │ ├── policy_assignment_es_deploy_sql_threat.tmpl.json │ │ │ │ │ ├── policy_assignment_es_deploy_sql_security.tmpl.json │ │ │ │ │ ├── policy_assignment_es_deny_resource_types.tmpl.json │ │ │ │ │ ├── policy_assignment_es_deny_appgw_without_waf.tmpl.json │ │ │ │ │ ├── policy_assignment_es_deny_public_endpoints.tmpl.json │ │ │ │ │ ├── policy_assignment_es_deny_rdp_from_internet.tmpl.json │ │ │ │ │ ├── policy_assignment_es_deny_subnet_without_udr.tmpl.json │ │ │ │ │ ├── policy_assignment_es_deny_subnet_without_nsg.tmpl.json │ │ │ │ │ ├── policy_assignment_es_deny_ip_forwarding.tmpl.json │ │ │ │ │ ├── policy_assignment_es_deny_resource_locations.tmpl.json │ │ │ │ │ ├── policy_assignment_es_deny_rsg_locations.tmpl.json │ │ │ │ │ ├── policy_assignment_es_deploy_sql_db_auditing.tmpl.json │ │ │ │ │ ├── policy_assignment_es_deny_public_ip.tmpl.json │ │ │ │ │ ├── policy_assignment_es_enforce_tls_ssl.tmpl.json │ │ │ │ │ ├── policy_assignment_es_deploy_lx_arc_monitoring.tmpl.json │ │ │ │ │ └── policy_assignment_es_deny_http_ingress_aks.tmpl.json │ │ │ │ └── policy_assignments │ │ │ │ ├── policy_assignment_es_deploy_sql_security.tmpl.json │ │ │ │ ├── policy_assignment_es_enforce_gr_sql.tmpl.json │ │ │ │ ├── policy_assignment_es_deploy_sql_tde.tmpl.json │ │ │ │ ├── 
policy_assignment_es_deploy_asc_monitoring.tmpl.json │ │ │ │ ├── policy_assignment_es_enforce_backup.json │ │ │ │ ├── policy_assignment_es_enforce_gr_mysql.tmpl.json │ │ │ │ ├── policy_assignment_es_deny_resource_types.tmpl.json │ │ │ │ ├── policy_assignment_es_deploy_sql_threat.tmpl.json │ │ │ │ ├── policy_assignment_es_enforce_gr_openai.tmpl.json │ │ │ │ ├── policy_assignment_es_enforce_gr_compute.tmpl.json │ │ │ │ ├── policy_assignment_es_enforce_gr_storage.tmpl.json │ │ │ │ ├── policy_assignment_es_enforce_gr_synapse.tmpl.json │ │ │ │ ├── policy_assignment_es_enforce_gr_apim.tmpl.json │ │ │ │ ├── policy_assignment_es_enforce_gr_cosmosdb.tmpl.json │ │ │ │ ├── policy_assignment_es_enforce_gr_eventhub.tmpl.json │ │ │ │ ├── policy_assignment_es_enforce_gr_eventgrid.tmpl.json │ │ │ │ ├── policy_assignment_es_enforce_gr_keyvault.tmpl.json │ │ │ │ ├── policy_assignment_es_deny_appgw_without_waf.tmpl.json │ │ │ │ ├── policy_assignment_es_enforce_gr_botservice.tmpl.json │ │ │ │ ├── policy_assignment_es_enforce_gr_kubernetes.tmpl.json │ │ │ │ ├── policy_assignment_es_enforce_gr_postgressql.tmpl.json │ │ │ │ ├── policy_assignment_es_enforce_gr_servicebus.tmpl.json │ │ │ │ ├── policy_assignment_es_enforce_gr_appservices.tmpl.json │ │ │ │ ├── policy_assignment_es_enforce_gr_dataexplorer.tmpl.json │ │ │ │ ├── policy_assignment_es_enforce_gr_datafactory.tmpl.json │ │ │ │ ├── policy_assignment_es_audit_res_location_match_rg_location.tmpl.json │ │ │ │ ├── policy_assignment_es_enforce_gr_containerapps.tmpl.json │ │ │ │ ├── policy_assignment_es_enforce_gr_automation.tmpl.json │ │ │ │ ├── policy_assignment_es_enforce_encryption_cmk.tmpl.json │ │ │ │ ├── policy_assignment_es_enforce_gr_machinelearning.tmpl.json │ │ │ │ ├── policy_assignment_es_enforce_gr_virtualdesktop.tmpl.json │ │ │ │ ├── policy_assignment_es_enforce_gr_cognitiveservices.tmpl.json │ │ │ │ ├── policy_assignment_es_enforce_gr_containerinstance.tmpl.json │ │ │ │ ├── 
policy_assignment_es_enforce_gr_containerregistry.tmpl.json │ │ │ │ ├── policy_assignment_es_deny_public_ip_on_nic.tmpl.json │ │ │ │ ├── policy_assignment_es_enforce_acsb.tmpl.json │ │ │ │ ├── policy_assignment_es_enforce_gr_keyvault_sup.tmpl.json │ │ │ │ ├── policy_assignment_es_enforce_gr_network.tmpl.json │ │ │ │ ├── policy_assignment_es_deny_databricks_vnet.tmpl.json │ │ │ │ ├── policy_assignment_es_deny_public_endpoints.tmpl.json │ │ │ │ ├── policy_assignment_es_enforce_subnet_private.tmpl.json │ │ │ │ ├── policy_assignment_es_deny_rdp_from_internet.tmpl.json │ │ │ │ ├── policy_assignment_es_deny_subnet_without_udr.tmpl.json │ │ │ │ ├── policy_assignment_es_audit_appgw_waf.tmpl.json │ │ │ │ ├── policy_assignment_es_audit_zoneresiliency.tmpl.json │ │ │ │ ├── policy_assignment_es_audit_trustedlaunch.tmpl.json │ │ │ │ ├── policy_assignment_es_deny_subnet_without_nsg.tmpl.json │ │ │ │ ├── policy_assignment_es_deny_mgmtports_internet.tmpl.json │ │ │ │ ├── policy_assignment_es_deny_resource_locations.tmpl.json │ │ │ │ ├── policy_assignment_es_deny_rsg_locations.tmpl.json │ │ │ │ ├── policy_assignment_es_deny_databricks_public_ip.tmpl.json │ │ │ │ ├── policy_assignment_es_deploy_sql_db_auditing.tmpl.json │ │ │ │ ├── policy_assignment_es_deploy_mdfc_sqlatp.tmpl.json │ │ │ │ ├── policy_assignment_es_deny_ip_forwarding.tmpl.json │ │ │ │ ├── policy_assignment_es_deny_public_ip.tmpl.json │ │ │ │ ├── policy_assignment_es_deny_databricks_sku.tmpl.json │ │ │ │ ├── policy_assignment_es_deny_unmanageddisk.tmpl.json │ │ │ │ ├── policy_assignment_es_deploy_mdfc_ossdb.tmpl.json │ │ │ │ ├── policy_assignment_es_enforce_tls_ssl.tmpl.json │ │ │ │ └── policy_assignment_es_deploy_lx_arc_monitoring.tmpl.json │ │ ├── definitions │ │ │ ├── media │ │ │ │ ├── bicepVisualizer.png │ │ │ │ └── exampleDeploymentOutput.png │ │ │ ├── lib │ │ │ │ └── policy_set_definitions │ │ │ │ │ ├── policy_set_definition_es_DenyAction-DeleteProtection.parameters.json │ │ │ │ │ ├── 
policy_set_definition_es_Enforce-Guardrails-ContainerInstance.parameters.json │ │ │ │ │ ├── policy_set_definition_es_Enforce-Guardrails-PostgreSQL.parameters.json │ │ │ │ │ ├── policy_set_definition_es_Enforce-ALZ-Decomm.parameters.json │ │ │ │ │ ├── policy_set_definition_es_Audit-TrustedLaunch.parameters.json │ │ │ │ │ ├── policy_set_definition_es_Enforce-Guardrails-Compute.parameters.json │ │ │ │ │ ├── policy_set_definition_es_Enforce-Guardrails-MySQL.parameters.json │ │ │ │ │ ├── policy_set_definition_es_Enforce-Guardrails-KeyVault-Sup.parameters.json │ │ │ │ │ ├── policy_set_definition_es_Enforce-Guardrails-ContainerApps.parameters.json │ │ │ │ │ ├── policy_set_definition_es_Enforce-Guardrails-VirtualDesktop.parameters.json │ │ │ │ │ ├── policy_set_definition_es_Enforce-ALZ-Sandbox.parameters.json │ │ │ │ │ ├── policy_set_definition_es_Enforce-ACSB.parameters.json │ │ │ │ │ ├── policy_set_definition_es_Enforce-Guardrails-DataExplorer.parameters.json │ │ │ │ │ ├── policy_set_definition_es_Enforce-Guardrails-ServiceBus.parameters.json │ │ │ │ │ ├── policy_set_definition_es_Enforce-Guardrails-BotService.parameters.json │ │ │ │ │ ├── policy_set_definition_es_Enforce-Guardrails-EventHub.parameters.json │ │ │ │ │ ├── policy_set_definition_es_Enforce-Guardrails-SQL.parameters.json │ │ │ │ │ ├── policy_set_definition_es_Audit-UnusedResourcesCostOptimization.parameters.json │ │ │ │ │ └── policy_set_definition_es_Enforce-Guardrails-DataFactory.parameters.json │ │ │ └── parameters │ │ │ │ ├── customPolicyDefinitions.parameters.min.json │ │ │ │ └── customPolicyDefinitions.parameters.all.json │ │ └── samples │ │ │ ├── generateddocs │ │ │ ├── minimum.sample.bicep.md │ │ │ ├── baseline.sample.bicep.md │ │ │ ├── baseline.policy.sample.bicep.md │ │ │ └── minimum.policy.sample.bicep.md │ │ │ ├── minimum.policy.sample.bicep │ │ │ └── baseline.policy.sample.bicep │ ├── roleAssignments │ │ ├── media │ │ │ ├── bicepVisualizerMg.png │ │ │ ├── bicepVisualizerSub.png │ │ │ ├── 
bicepVisualizerMgMany.png │ │ │ └── bicepVisualizerSubMany.png │ │ ├── samples │ │ │ ├── generateddocs │ │ │ │ ├── baseline.sample.bicep.md │ │ │ │ └── minimum.sample.bicep.md │ │ │ ├── minimum.sample.bicep │ │ │ └── baseline.sample.bicep │ │ └── parameters │ │ │ ├── roleAssignmentManagementGroup.securityGroup.parameters.min.json │ │ │ ├── roleAssignmentSubscription.securityGroup.parameters.min.json │ │ │ ├── roleAssignmentResourceGroup.securityGroup.parameters.min.json │ │ │ ├── roleAssignmentSubscription.managedIdentity.parameters.min.json │ │ │ ├── roleAssignmentSubscription.servicePrincipal.parameters.min.json │ │ │ ├── roleAssignmentManagementGroup.managedIdentity.parameters.min.json │ │ │ ├── roleAssignmentManagementGroup.servicePrincipal.parameters.min.json │ │ │ ├── roleAssignmentResourceGroup.managedIdentity.parameters.min.json │ │ │ ├── roleAssignmentResourceGroup.servicePrincipal.parameters.min.json │ │ │ ├── roleAssignmentManagementGroupMany.securityGroup.parameters.min.json │ │ │ ├── roleAssignmentManagementGroupMany.managedIdentity.parameters.min.json │ │ │ ├── roleAssignmentManagementGroupMany.servicePrincipal.parameters.min.json │ │ │ ├── roleAssignmentSubscriptionMany.securityGroup.parameters.min.json │ │ │ ├── roleAssignmentSubscriptionMany.managedIdentity.parameters.min.json │ │ │ ├── roleAssignmentSubscriptionMany.servicePrincipal.parameters.min.json │ │ │ ├── roleAssignmentResourceGroupMany.securityGroup.parameters.min.json │ │ │ ├── roleAssignmentResourceGroupMany.managedIdentity.parameters.min.json │ │ │ └── roleAssignmentResourceGroupMany.servicePrincipal.parameters.min.json │ ├── spokeNetworking │ │ ├── media │ │ │ ├── bicepVisualizer.png │ │ │ └── exampleDeploymentOutput.png │ │ ├── parameters │ │ │ └── spokeNetworking.parameters.min.json │ │ └── samples │ │ │ ├── minimum.sample.bicep │ │ │ └── generateddocs │ │ │ ├── baseline.sample.bicep.md │ │ │ └── minimum.sample.bicep.md │ ├── vnetPeeringVwan │ │ ├── media │ │ │ ├── 
bicepVisualizer.png │ │ │ └── exampleDeploymentOutput.png │ │ ├── samples │ │ │ ├── generateddocs │ │ │ │ ├── baseline.sample.bicep.md │ │ │ │ └── minimum.sample.bicep.md │ │ │ ├── minimum.sample.bicep │ │ │ └── baseline.sample.bicep │ │ └── parameters │ │ │ ├── vnetPeeringVwan.parameters.min.json │ │ │ └── vnetPeeringVwan.parameters.all.json │ ├── vwanConnectivity │ │ ├── media │ │ │ ├── bicepVisualizer.png │ │ │ ├── exampleDeploymentOutput.png │ │ │ ├── mc-exampleDeploymentOutput.png │ │ │ ├── exampleDeploymentOutputConnectivity.png │ │ │ └── mc-exampleDeploymentOutputConnectivity.png │ │ └── samples │ │ │ ├── minimum.sample.bicep │ │ │ └── generateddocs │ │ │ ├── minimum.sample.bicep.md │ │ │ └── baseline.sample.bicep.md │ ├── privateDnsZoneLinks │ │ ├── media │ │ │ └── bicepVisualizer.png │ │ └── parameters │ │ │ ├── privateDnsZoneLinks.parameters.min.json │ │ │ └── privateDnsZoneLinks.parameters.all.json │ ├── customRoleDefinitions │ │ ├── media │ │ │ ├── bicepVisualizer.png │ │ │ └── exampleDeploymentOutput.png │ │ ├── parameters │ │ │ ├── customRoleDefinitions.parameters.all.json │ │ │ └── customRoleDefinitions.parameters.min.json │ │ └── samples │ │ │ ├── generateddocs │ │ │ ├── minimum.sample.bicep.md │ │ │ └── baseline.sample.bicep.md │ │ │ ├── minimum.sample.bicep │ │ │ └── baseline.sample.bicep │ ├── subscriptionPlacement │ │ ├── media │ │ │ └── bicepVisualizer.png │ │ ├── samples │ │ │ ├── generateddocs │ │ │ │ ├── minimum.sample.bicep.md │ │ │ │ └── baseline.sample.bicep.md │ │ │ ├── minimum.sample.bicep │ │ │ └── baseline.sample.bicep │ │ └── parameters │ │ │ ├── subscriptionPlacement.parameters.all.json │ │ │ └── subscriptionPlacement.parameters.min.json │ └── privateDnsZones │ │ └── README.md │ ├── CRML │ ├── containerRegistry │ │ ├── media │ │ │ └── bicepVisualizer.png │ │ └── parameters │ │ │ └── containerRegistry.parameters.all.json │ ├── subscriptionAlias │ │ ├── media │ │ │ ├── bicepVisualizer.png │ │ │ └── exampleDeploymentOutput.png │ │ └── 
parameters │ │ │ ├── subscriptionAlias.parameters.min.json │ │ │ └── subscriptionAlias.parameters.all.json │ ├── customerUsageAttribution │ │ ├── generateddocs │ │ │ ├── cuaIdTenant.bicep.md │ │ │ ├── cuaIdSubscription.bicep.md │ │ │ ├── cuaIdManagementGroup.bicep.md │ │ │ └── cuaIdResourceGroup.bicep.md │ │ ├── cuaIdTenant.bicep │ │ ├── cuaIdSubscription.bicep │ │ ├── cuaIdResourceGroup.bicep │ │ ├── cuaIdManagementGroup.bicep │ │ └── README.md │ └── README.md │ └── orchestration │ ├── hubPeeredSpoke │ └── media │ │ └── bicepVisualizer.png │ ├── subPlacementAll │ ├── media │ │ └── bicepVisualizer.png │ └── parameters │ │ └── subPlacementAll.parameters.min.json │ └── mgDiagSettingsAll │ ├── media │ └── bicepVisualizer.png │ └── parameters │ └── mgDiagSettingsAll.parameters.min.json ├── version.json ├── accelerator ├── README.md ├── test_modules │ └── managementGroup │ │ └── parameters │ │ └── managementGroup.parameters.all.json └── .github │ └── workflows │ └── alz-bicep-pr2-lint.yml ├── .vscode ├── extensions.json └── tasks.json ├── CODE_OF_CONDUCT.md ├── .editorconfig └── .ps-rule ├── en └── ALZ.MinimumSample.md ├── FalsePositiveNsgBastion.Rule.yaml ├── UnsupportedPipBastion.Rule.yaml └── DiagLogForAutomation.Rule.yaml /.gitattributes: -------------------------------------------------------------------------------- 1 | * text=auto eol=lf 2 | *.bicep -text 3 | *.bicepparam -text 4 | -------------------------------------------------------------------------------- /.github/azFunction/AzFunctionCode/.funcignore: -------------------------------------------------------------------------------- 1 | .git* 2 | .vscode 3 | local.settings.json 4 | test -------------------------------------------------------------------------------- /docs/wiki/media/bicep-logo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/ALZ-Bicep/HEAD/docs/wiki/media/bicep-logo.png 
-------------------------------------------------------------------------------- /docs/wiki/media/bicep-vs-code.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/ALZ-Bicep/HEAD/docs/wiki/media/bicep-vs-code.png -------------------------------------------------------------------------------- /docs/wiki/media/bicep-structure.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/ALZ-Bicep/HEAD/docs/wiki/media/bicep-structure.png -------------------------------------------------------------------------------- /docs/wiki/media/alz-bicep-watch-demo.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/ALZ-Bicep/HEAD/docs/wiki/media/alz-bicep-watch-demo.gif -------------------------------------------------------------------------------- /docs/wiki/media/alzBicepPolicyUpdate1.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/ALZ-Bicep/HEAD/docs/wiki/media/alzBicepPolicyUpdate1.PNG -------------------------------------------------------------------------------- /docs/wiki/media/alzBicepPolicyUpdate2.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/ALZ-Bicep/HEAD/docs/wiki/media/alzBicepPolicyUpdate2.PNG -------------------------------------------------------------------------------- /docs/wiki/media/alzBicepPolicyUpdate3.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/ALZ-Bicep/HEAD/docs/wiki/media/alzBicepPolicyUpdate3.PNG -------------------------------------------------------------------------------- /docs/wiki/media/alzBicepPolicyUpdate4.PNG: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/Azure/ALZ-Bicep/HEAD/docs/wiki/media/alzBicepPolicyUpdate4.PNG -------------------------------------------------------------------------------- /docs/wiki/media/alzBicepPolicyUpdate5.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/ALZ-Bicep/HEAD/docs/wiki/media/alzBicepPolicyUpdate5.PNG -------------------------------------------------------------------------------- /docs/wiki/media/alzBicepPolicyUpdate6.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/ALZ-Bicep/HEAD/docs/wiki/media/alzBicepPolicyUpdate6.PNG -------------------------------------------------------------------------------- /docs/wiki/media/alzPolicyAzAdvertizer.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/ALZ-Bicep/HEAD/docs/wiki/media/alzPolicyAzAdvertizer.png -------------------------------------------------------------------------------- /docs/wiki/media/alz-bicep-release-process.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/ALZ-Bicep/HEAD/docs/wiki/media/alz-bicep-release-process.png -------------------------------------------------------------------------------- /docs/wiki/media/alz-update-to-builtin-01.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/ALZ-Bicep/HEAD/docs/wiki/media/alz-update-to-builtin-01.png -------------------------------------------------------------------------------- /docs/wiki/media/high-level-deployment-flow.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/ALZ-Bicep/HEAD/docs/wiki/media/high-level-deployment-flow.png 
-------------------------------------------------------------------------------- /docs/wiki/media/alz-delete-policy-assign-01.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/ALZ-Bicep/HEAD/docs/wiki/media/alz-delete-policy-assign-01.png -------------------------------------------------------------------------------- /docs/wiki/media/alz-determine-policy-assign-01.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/ALZ-Bicep/HEAD/docs/wiki/media/alz-determine-policy-assign-01.png -------------------------------------------------------------------------------- /docs/wiki/media/alz-determine-policy-assign-02.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/ALZ-Bicep/HEAD/docs/wiki/media/alz-determine-policy-assign-02.png -------------------------------------------------------------------------------- /docs/wiki/media/alz-bicep-accelerator-tree-output.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/ALZ-Bicep/HEAD/docs/wiki/media/alz-bicep-accelerator-tree-output.png -------------------------------------------------------------------------------- /docs/wiki/media/alz-bicep-accelerator-workflow-hld.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/ALZ-Bicep/HEAD/docs/wiki/media/alz-bicep-accelerator-workflow-hld.png -------------------------------------------------------------------------------- /docs/wiki/media/alz-bicep-accelerator-workflow-lld.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/ALZ-Bicep/HEAD/docs/wiki/media/alz-bicep-accelerator-workflow-lld.png 
-------------------------------------------------------------------------------- /docs/wiki/media/alz-update-initiative-with-builtin-01.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/ALZ-Bicep/HEAD/docs/wiki/media/alz-update-initiative-with-builtin-01.png -------------------------------------------------------------------------------- /docs/wiki/media/alz-update-initiative-with-builtin-02.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/ALZ-Bicep/HEAD/docs/wiki/media/alz-update-initiative-with-builtin-02.png -------------------------------------------------------------------------------- /docs/wiki/media/alz-update-initiative-with-builtin-03.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/ALZ-Bicep/HEAD/docs/wiki/media/alz-update-initiative-with-builtin-03.png -------------------------------------------------------------------------------- /docs/wiki/media/alz-update-initiative-with-builtin-04.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/ALZ-Bicep/HEAD/docs/wiki/media/alz-update-initiative-with-builtin-04.png -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/logging/media/bicepVisualizer.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/ALZ-Bicep/HEAD/infra-as-code/bicep/modules/logging/media/bicepVisualizer.png -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/publicIp/media/bicepVisualizer.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/Azure/ALZ-Bicep/HEAD/infra-as-code/bicep/modules/publicIp/media/bicepVisualizer.png -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/vnetPeering/media/bicepVisualizer.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/ALZ-Bicep/HEAD/infra-as-code/bicep/modules/vnetPeering/media/bicepVisualizer.png -------------------------------------------------------------------------------- /docs/wiki/media/alz-bicep-accelerator-branching-strategy-diagram.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/ALZ-Bicep/HEAD/docs/wiki/media/alz-bicep-accelerator-branching-strategy-diagram.png -------------------------------------------------------------------------------- /infra-as-code/bicep/CRML/containerRegistry/media/bicepVisualizer.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/ALZ-Bicep/HEAD/infra-as-code/bicep/CRML/containerRegistry/media/bicepVisualizer.png -------------------------------------------------------------------------------- /infra-as-code/bicep/CRML/subscriptionAlias/media/bicepVisualizer.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/ALZ-Bicep/HEAD/infra-as-code/bicep/CRML/subscriptionAlias/media/bicepVisualizer.png -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/hubNetworking/media/bicepVisualizer.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/ALZ-Bicep/HEAD/infra-as-code/bicep/modules/hubNetworking/media/bicepVisualizer.png -------------------------------------------------------------------------------- 
/infra-as-code/bicep/modules/mgDiagSettings/media/bicepVisualizer.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/ALZ-Bicep/HEAD/infra-as-code/bicep/modules/mgDiagSettings/media/bicepVisualizer.png -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/resourceGroup/media/bicepVisualizer.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/ALZ-Bicep/HEAD/infra-as-code/bicep/modules/resourceGroup/media/bicepVisualizer.png -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/managementGroups/media/bicepVisualizer.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/ALZ-Bicep/HEAD/infra-as-code/bicep/modules/managementGroups/media/bicepVisualizer.png -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/policy/exemptions/media/bicepVisualizer.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/ALZ-Bicep/HEAD/infra-as-code/bicep/modules/policy/exemptions/media/bicepVisualizer.png -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/roleAssignments/media/bicepVisualizerMg.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/ALZ-Bicep/HEAD/infra-as-code/bicep/modules/roleAssignments/media/bicepVisualizerMg.png -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/spokeNetworking/media/bicepVisualizer.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/Azure/ALZ-Bicep/HEAD/infra-as-code/bicep/modules/spokeNetworking/media/bicepVisualizer.png -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/vnetPeeringVwan/media/bicepVisualizer.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/ALZ-Bicep/HEAD/infra-as-code/bicep/modules/vnetPeeringVwan/media/bicepVisualizer.png -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/vwanConnectivity/media/bicepVisualizer.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/ALZ-Bicep/HEAD/infra-as-code/bicep/modules/vwanConnectivity/media/bicepVisualizer.png -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/policy/assignments/media/bicepVisualizer.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/ALZ-Bicep/HEAD/infra-as-code/bicep/modules/policy/assignments/media/bicepVisualizer.png -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/policy/definitions/media/bicepVisualizer.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/ALZ-Bicep/HEAD/infra-as-code/bicep/modules/policy/definitions/media/bicepVisualizer.png -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/privateDnsZoneLinks/media/bicepVisualizer.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/ALZ-Bicep/HEAD/infra-as-code/bicep/modules/privateDnsZoneLinks/media/bicepVisualizer.png 
-------------------------------------------------------------------------------- /infra-as-code/bicep/modules/roleAssignments/media/bicepVisualizerSub.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/ALZ-Bicep/HEAD/infra-as-code/bicep/modules/roleAssignments/media/bicepVisualizerSub.png -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/vnetPeering/media/exampleDeploymentOutput.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/ALZ-Bicep/HEAD/infra-as-code/bicep/modules/vnetPeering/media/exampleDeploymentOutput.png -------------------------------------------------------------------------------- /infra-as-code/bicep/CRML/subscriptionAlias/media/exampleDeploymentOutput.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/ALZ-Bicep/HEAD/infra-as-code/bicep/CRML/subscriptionAlias/media/exampleDeploymentOutput.png -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/customRoleDefinitions/media/bicepVisualizer.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/ALZ-Bicep/HEAD/infra-as-code/bicep/modules/customRoleDefinitions/media/bicepVisualizer.png -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/hubNetworking/media/exampleDeploymentOutput.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/ALZ-Bicep/HEAD/infra-as-code/bicep/modules/hubNetworking/media/exampleDeploymentOutput.png -------------------------------------------------------------------------------- 
/infra-as-code/bicep/modules/roleAssignments/media/bicepVisualizerMgMany.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/ALZ-Bicep/HEAD/infra-as-code/bicep/modules/roleAssignments/media/bicepVisualizerMgMany.png -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/roleAssignments/media/bicepVisualizerSubMany.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/ALZ-Bicep/HEAD/infra-as-code/bicep/modules/roleAssignments/media/bicepVisualizerSubMany.png -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/subscriptionPlacement/media/bicepVisualizer.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/ALZ-Bicep/HEAD/infra-as-code/bicep/modules/subscriptionPlacement/media/bicepVisualizer.png -------------------------------------------------------------------------------- /infra-as-code/bicep/orchestration/hubPeeredSpoke/media/bicepVisualizer.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/ALZ-Bicep/HEAD/infra-as-code/bicep/orchestration/hubPeeredSpoke/media/bicepVisualizer.png -------------------------------------------------------------------------------- /infra-as-code/bicep/orchestration/subPlacementAll/media/bicepVisualizer.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/ALZ-Bicep/HEAD/infra-as-code/bicep/orchestration/subPlacementAll/media/bicepVisualizer.png -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/hubNetworking/media/mc-exampleDeploymentOutput.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/ALZ-Bicep/HEAD/infra-as-code/bicep/modules/hubNetworking/media/mc-exampleDeploymentOutput.png -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/managementGroups/media/exampleDeploymentOutput.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/ALZ-Bicep/HEAD/infra-as-code/bicep/modules/managementGroups/media/exampleDeploymentOutput.png -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/spokeNetworking/media/exampleDeploymentOutput.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/ALZ-Bicep/HEAD/infra-as-code/bicep/modules/spokeNetworking/media/exampleDeploymentOutput.png -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/vnetPeeringVwan/media/exampleDeploymentOutput.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/ALZ-Bicep/HEAD/infra-as-code/bicep/modules/vnetPeeringVwan/media/exampleDeploymentOutput.png -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/vwanConnectivity/media/exampleDeploymentOutput.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/ALZ-Bicep/HEAD/infra-as-code/bicep/modules/vwanConnectivity/media/exampleDeploymentOutput.png -------------------------------------------------------------------------------- /infra-as-code/bicep/orchestration/mgDiagSettingsAll/media/bicepVisualizer.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/Azure/ALZ-Bicep/HEAD/infra-as-code/bicep/orchestration/mgDiagSettingsAll/media/bicepVisualizer.png -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/hubNetworking/media/exampleDeploymentOutputEastus.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/ALZ-Bicep/HEAD/infra-as-code/bicep/modules/hubNetworking/media/exampleDeploymentOutputEastus.png -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/hubNetworking/media/exampleDeploymentOutputwestus.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/ALZ-Bicep/HEAD/infra-as-code/bicep/modules/hubNetworking/media/exampleDeploymentOutputwestus.png -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/policy/definitions/media/exampleDeploymentOutput.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/ALZ-Bicep/HEAD/infra-as-code/bicep/modules/policy/definitions/media/exampleDeploymentOutput.png -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/vwanConnectivity/media/mc-exampleDeploymentOutput.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/ALZ-Bicep/HEAD/infra-as-code/bicep/modules/vwanConnectivity/media/mc-exampleDeploymentOutput.png -------------------------------------------------------------------------------- /version.json: -------------------------------------------------------------------------------- 1 | { 2 | "version": "0.23.2", 3 | "gitTag": "v0.23.2", 4 | "releaseNotes": "https://github.com/Azure/ALZ-Bicep/releases/tag/v0.23.2", 5 | 
"releaseDateTimeUTC": "20251110T154400000Z" 6 | } 7 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/customRoleDefinitions/media/exampleDeploymentOutput.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/ALZ-Bicep/HEAD/infra-as-code/bicep/modules/customRoleDefinitions/media/exampleDeploymentOutput.png -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/policy/assignments/alzDefaults/media/bicepVisualizer.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/ALZ-Bicep/HEAD/infra-as-code/bicep/modules/policy/assignments/alzDefaults/media/bicepVisualizer.png -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/policy/assignments/workloadSpecific/media/bicepVisualizer.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/ALZ-Bicep/HEAD/infra-as-code/bicep/modules/policy/assignments/workloadSpecific/media/bicepVisualizer.png -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/vwanConnectivity/media/exampleDeploymentOutputConnectivity.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/ALZ-Bicep/HEAD/infra-as-code/bicep/modules/vwanConnectivity/media/exampleDeploymentOutputConnectivity.png -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/vwanConnectivity/media/mc-exampleDeploymentOutputConnectivity.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/Azure/ALZ-Bicep/HEAD/infra-as-code/bicep/modules/vwanConnectivity/media/mc-exampleDeploymentOutputConnectivity.png -------------------------------------------------------------------------------- /accelerator/README.md: -------------------------------------------------------------------------------- 1 | # ALZ Bicep Accelerator 2 | 3 | This repo contains the Azure Landing Zones Bicep Accelerator. For additional information on the Accelerator, please refer to the [Wiki](https://github.com/Azure/ALZ-Bicep/wiki/Accelerator). 4 | -------------------------------------------------------------------------------- /.vscode/extensions.json: -------------------------------------------------------------------------------- 1 | { 2 | "recommendations": [ 3 | "ms-azuretools.vscode-bicep", 4 | "vsls-contrib.codetour", 5 | "msazurermtools.azurerm-vscode-tools", 6 | "bencoleman.armview", 7 | "bewhite.psrule-vscode", 8 | "editorconfig.editorconfig" 9 | ] 10 | } 11 | -------------------------------------------------------------------------------- /.github/azFunction/README.md: -------------------------------------------------------------------------------- 1 | # Overview 2 | This folder contains bicep templates and code to create an Azure function to cancel subscriptions created as part of PR validation testing. This is just for internal ALZ-Bicep environment hygiene and not intended as part of the overall ALZ-Bicep accelerator. 
-------------------------------------------------------------------------------- /.vscode/tasks.json: -------------------------------------------------------------------------------- 1 | { 2 | "version": "2.0.0", 3 | "tasks": [ 4 | { 5 | "type": "PSRule", 6 | "problemMatcher": [ 7 | "$PSRule" 8 | ], 9 | "label": "PSRule: Run analysis", 10 | "presentation": { 11 | "panel": "dedicated", 12 | "clear": true 13 | } 14 | } 15 | ] 16 | } 17 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_DenyAction-DeleteProtection.parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "DenyActionDelete-ActivityLogSettings": { 3 | "parameters": {} 4 | }, 5 | "DenyActionDelete-DiagnosticSettings": { 6 | "parameters": {} 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /.github/dependabot.yml: -------------------------------------------------------------------------------- 1 | version: 2 2 | updates: 3 | - package-ecosystem: "github-actions" 4 | directory: "/" 5 | schedule: 6 | interval: "weekly" 7 | labels: 8 | - "Type: Hygiene :broom:" 9 | - "Needs: Attention :wave:" 10 | commit-message: 11 | prefix: 'build: ' 12 | 13 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/managementGroups/parameters/managementGroups.parameters.min.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "parTelemetryOptOut": { 6 | "value": false 7 | } 8 | } 9 | } -------------------------------------------------------------------------------- /docs/wiki/_Footer.md: 
-------------------------------------------------------------------------------- 1 | 2 | # This wiki is being actively developed 3 | 4 | If you discover any documentation bugs or would like to request new content, please raise them as an issue on the repo. 5 | 6 | Contributions to this wiki are done through the main repo under [docs/wiki](https://github.com/Azure/ALZ-Bicep/tree/main/docs/wiki). 7 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-ContainerInstance.parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Deny-ContainerInstance-Vnet": { 3 | "parameters": { 4 | "effect": { 5 | "value": "[[parameters('containerInstanceVnet')]" 6 | } 7 | } 8 | } 9 | } 10 | -------------------------------------------------------------------------------- /.github/azFunction/AzFunctionCode/timerschedule/readme.md: -------------------------------------------------------------------------------- 1 | # Overview 2 | This trigger runs every x hours (set by cron syntax in the function.json file). When the trigger runs it creates a queue item in the startjob queue on associated storage as defined by output bindings in the function.json file. This queue item is used to trigger subsequent functions. 
-------------------------------------------------------------------------------- /infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-PostgreSQL.parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Dine-PostgreSql-Adv-Threat-Protection": { 3 | "parameters": { 4 | "effect": { 5 | "value": "[[parameters('postgreSqlAdvThreatProtection')]" 6 | } 7 | } 8 | } 9 | } 10 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/policy/definitions/parameters/customPolicyDefinitions.parameters.min.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "parTelemetryOptOut": { 6 | "value": false 7 | } 8 | } 9 | } -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/privateDnsZones/README.md: -------------------------------------------------------------------------------- 1 | # Module: Private DNS Zones 2 | 3 | > [!IMPORTANT] 4 | > This module has been removed as of `v0.20.0` and replaced with the AVM Pattern Module of [`avm/ptn/network/private-link-private-dns-zones`](https://github.com/Azure/bicep-registry-modules/tree/main/avm/ptn/network/private-link-private-dns-zones). Please use this module going forward. 
5 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-ALZ-Decomm.parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "DecomDenyResources": { 3 | "parameters": { 4 | "listOfResourceTypesAllowed": { 5 | "value": "[[parameters('listOfResourceTypesAllowed')]" 6 | } 7 | } 8 | }, 9 | "DecomShutdownMachines": { 10 | "parameters": {} 11 | } 12 | } 13 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/mgDiagSettings/parameters/mgDiagSettings.parameters.min.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "parLogAnalyticsWorkspaceResourceId": { 6 | "value": "" 7 | }, 8 | "parTelemetryOptOut": { 9 | "value": false 10 | } 11 | } 12 | } 13 | -------------------------------------------------------------------------------- /.github/azFunction/AzFunctionCode/requirements.psd1: -------------------------------------------------------------------------------- 1 | # This file enables modules to be automatically managed by the Functions service. 2 | # See https://aka.ms/functionsmanageddependency for additional information. 3 | # 4 | @{ 5 | # For latest supported version, go to 'https://www.powershellgallery.com/packages/Az'. 6 | # To use the Az module in your function app, please uncomment the line below. 
7 | 'Az.Accounts' = '2.*' 8 | } -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/customRoleDefinitions/parameters/customRoleDefinitions.parameters.all.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "parAssignableScopeManagementGroupId": { 6 | "value": "alz" 7 | }, 8 | "parTelemetryOptOut": { 9 | "value": false 10 | } 11 | } 12 | } -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/customRoleDefinitions/parameters/customRoleDefinitions.parameters.min.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "parAssignableScopeManagementGroupId": { 6 | "value": "alz" 7 | }, 8 | "parTelemetryOptOut": { 9 | "value": false 10 | } 11 | } 12 | } -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/privateDnsZoneLinks/parameters/privateDnsZoneLinks.parameters.min.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "parSpokeVirtualNetworkResourceId": { 6 | "value": "" 7 | }, 8 | "parPrivateDnsZoneResourceIds":{ 9 | "value": [] 10 | } 11 | } 12 | } 13 | -------------------------------------------------------------------------------- /.github/azFunction/AzFunctionCode/cancelSubscriptions/readme.md: -------------------------------------------------------------------------------- 1 | # Overview 2 | This function is 
triggered by items arriving on the subscriptionsToClose queue as defined in input bindings in the function.json file. Upon triggering, the function cancels the subscription using the Azure REST API. If successful, the subscription name and id are placed in the queue canceledSubscriptions on associated storage as specified in output bindings in the function.json file. -------------------------------------------------------------------------------- /.github/azFunction/AzFunctionCode/timerschedule/function.json: -------------------------------------------------------------------------------- 1 | { 2 | "bindings": [ 3 | { 4 | "name": "Timer", 5 | "type": "timerTrigger", 6 | "direction": "in", 7 | "schedule": "0 0 */2 * * *" 8 | }, 9 | { 10 | "type": "queue", 11 | "direction": "out", 12 | "name": "startJob", 13 | "queueName": "startjob", 14 | "connection": "AzureWebJobsStorage" 15 | } 16 | ] 17 | } 18 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/policy/definitions/parameters/customPolicyDefinitions.parameters.all.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "parTargetManagementGroupId": { 6 | "value": "alz" 7 | }, 8 | "parTelemetryOptOut": { 9 | "value": false 10 | } 11 | } 12 | } -------------------------------------------------------------------------------- /.github/azFunction/AzFunctionCode/host.json: -------------------------------------------------------------------------------- 1 | { 2 | "version": "2.0", 3 | "logging": { 4 | "applicationInsights": { 5 | "samplingSettings": { 6 | "isEnabled": true, 7 | "excludedTypes": "Request" 8 | } 9 | } 10 | }, 11 | "extensionBundle": { 12 | "id": "Microsoft.Azure.Functions.ExtensionBundle", 13 | "version": "[2.*, 3.0.0)" 14 | }, 15 | "managedDependency": { 16 | 
"enabled": true 17 | } 18 | } 19 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Audit-TrustedLaunch.parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "AuditDisksOsTrustedLaunch": { 3 | "parameters": { 4 | "effect": { 5 | "value": "[[parameters('effect')]" 6 | } 7 | } 8 | }, 9 | "AuditTrustedLaunchEnabled": { 10 | "parameters": { 11 | "effect": { 12 | "value": "[[parameters('effect')]" 13 | } 14 | } 15 | } 16 | } 17 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/policy/samples/generateddocs/minimum.sample.bicep.md: -------------------------------------------------------------------------------- 1 | # Azure template 2 | 3 | ## Snippets 4 | 5 | ### Parameter file 6 | 7 | ```json 8 | { 9 | "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", 10 | "contentVersion": "1.0.0.0", 11 | "metadata": { 12 | "template": "infra-as-code/bicep/modules/policy/samples/minimum.sample.json" 13 | }, 14 | "parameters": {} 15 | } 16 | ``` 17 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/policy/samples/generateddocs/baseline.sample.bicep.md: -------------------------------------------------------------------------------- 1 | # Azure template 2 | 3 | ## Snippets 4 | 5 | ### Parameter file 6 | 7 | ```json 8 | { 9 | "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", 10 | "contentVersion": "1.0.0.0", 11 | "metadata": { 12 | "template": "infra-as-code/bicep/modules/policy/samples/baseline.sample.json" 13 | }, 14 | "parameters": {} 15 | } 16 | ``` 17 | -------------------------------------------------------------------------------- 
/infra-as-code/bicep/CRML/customerUsageAttribution/generateddocs/cuaIdTenant.bicep.md: -------------------------------------------------------------------------------- 1 | # Azure template 2 | 3 | ## Snippets 4 | 5 | ### Parameter file 6 | 7 | ```json 8 | { 9 | "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", 10 | "contentVersion": "1.0.0.0", 11 | "metadata": { 12 | "template": "infra-as-code/bicep/CRML/customerUsageAttribution/cuaIdTenant.json" 13 | }, 14 | "parameters": {} 15 | } 16 | ``` 17 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/vnetPeering/samples/generateddocs/minimum.sample.bicep.md: -------------------------------------------------------------------------------- 1 | # Azure template 2 | 3 | ## Snippets 4 | 5 | ### Parameter file 6 | 7 | ```json 8 | { 9 | "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", 10 | "contentVersion": "1.0.0.0", 11 | "metadata": { 12 | "template": "infra-as-code/bicep/modules/vnetPeering/samples/minimum.sample.json" 13 | }, 14 | "parameters": {} 15 | } 16 | ``` 17 | -------------------------------------------------------------------------------- /CODE_OF_CONDUCT.md: -------------------------------------------------------------------------------- 1 | # Microsoft Open Source Code of Conduct 2 | 3 | This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/). 
4 | 5 | Resources: 6 | 7 | - [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/) 8 | - [Microsoft Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) 9 | - Contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with questions or concerns 10 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/mgDiagSettings/parameters/mgDiagSettings.parameters.all.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "parLogAnalyticsWorkspaceResourceId": { 6 | "value": "" 7 | }, 8 | "parDiagnosticSettingsName": { 9 | "value": "toLa" 10 | }, 11 | "parTelemetryOptOut": { 12 | "value": false 13 | } 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/policy/samples/generateddocs/baseline.policy.sample.bicep.md: -------------------------------------------------------------------------------- 1 | # Azure template 2 | 3 | ## Snippets 4 | 5 | ### Parameter file 6 | 7 | ```json 8 | { 9 | "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", 10 | "contentVersion": "1.0.0.0", 11 | "metadata": { 12 | "template": "infra-as-code/bicep/modules/policy/samples/baseline.policy.sample.json" 13 | }, 14 | "parameters": {} 15 | } 16 | ``` 17 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/policy/samples/generateddocs/minimum.policy.sample.bicep.md: -------------------------------------------------------------------------------- 1 | # Azure template 2 | 3 | ## Snippets 4 | 5 | ### Parameter file 6 | 7 | ```json 8 | { 9 | "$schema": 
"https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", 10 | "contentVersion": "1.0.0.0", 11 | "metadata": { 12 | "template": "infra-as-code/bicep/modules/policy/samples/minimum.policy.sample.json" 13 | }, 14 | "parameters": {} 15 | } 16 | ``` 17 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/resourceGroup/samples/generateddocs/baseline.sample.bicep.md: -------------------------------------------------------------------------------- 1 | # Azure template 2 | 3 | ## Snippets 4 | 5 | ### Parameter file 6 | 7 | ```json 8 | { 9 | "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", 10 | "contentVersion": "1.0.0.0", 11 | "metadata": { 12 | "template": "infra-as-code/bicep/modules/resourceGroup/samples/baseline.sample.json" 13 | }, 14 | "parameters": {} 15 | } 16 | ``` 17 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/resourceGroup/samples/generateddocs/minimum.sample.bicep.md: -------------------------------------------------------------------------------- 1 | # Azure template 2 | 3 | ## Snippets 4 | 5 | ### Parameter file 6 | 7 | ```json 8 | { 9 | "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", 10 | "contentVersion": "1.0.0.0", 11 | "metadata": { 12 | "template": "infra-as-code/bicep/modules/resourceGroup/samples/minimum.sample.json" 13 | }, 14 | "parameters": {} 15 | } 16 | ``` 17 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/vnetPeering/samples/generateddocs/baseline.sample.bicep.md: -------------------------------------------------------------------------------- 1 | # Azure template 2 | 3 | ## Snippets 4 | 5 | ### Parameter file 6 | 7 | ```json 8 | { 9 | "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", 10 | 
"contentVersion": "1.0.0.0", 11 | "metadata": { 12 | "template": "infra-as-code/bicep/modules/vnetPeering/samples/baseline.sample.json" 13 | }, 14 | "parameters": {} 15 | } 16 | ``` 17 | -------------------------------------------------------------------------------- /.github/CODEOWNERS: -------------------------------------------------------------------------------- 1 | # See for instructions on this file https://help.github.com/articles/about-codeowners/ 2 | 3 | # These owners will be the default owners for everything in 4 | # the repo. Unless a later match takes precedence, 5 | # @global-owner1 and @global-owner2 will be requested for 6 | # review when someone opens a pull request. 7 | 8 | .github/CODEOWNERS @Azure/alz-bicep-admin-team 9 | .github/** @Azure/alz-bicep-admin-team 10 | 11 | accelerator/** @Azure/alz-bicep-accelerator-team 12 | -------------------------------------------------------------------------------- /infra-as-code/bicep/CRML/containerRegistry/parameters/containerRegistry.parameters.all.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "parLocation": { 6 | "value": "eastus" 7 | }, 8 | "parAcrSku": { 9 | "value": "Basic" 10 | }, 11 | "parTags": { 12 | "value": { 13 | "Environment": "Live" 14 | } 15 | } 16 | } 17 | } 18 | -------------------------------------------------------------------------------- /infra-as-code/bicep/CRML/customerUsageAttribution/generateddocs/cuaIdSubscription.bicep.md: -------------------------------------------------------------------------------- 1 | # Azure template 2 | 3 | ## Snippets 4 | 5 | ### Parameter file 6 | 7 | ```json 8 | { 9 | "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", 10 | "contentVersion": "1.0.0.0", 11 | "metadata": { 12 | "template": 
"infra-as-code/bicep/CRML/customerUsageAttribution/cuaIdSubscription.json" 13 | }, 14 | "parameters": {} 15 | } 16 | ``` 17 | -------------------------------------------------------------------------------- /infra-as-code/bicep/CRML/subscriptionAlias/parameters/subscriptionAlias.parameters.min.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "parSubscriptionName": { 6 | "value": "sub-example-001" 7 | }, 8 | "parSubscriptionBillingScope": { 9 | "value": "/providers/Microsoft.Billing/billingAccounts/XXXXXXX/enrollmentAccounts/XXXXXX" 10 | } 11 | } 12 | } -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/managementGroups/samples/generateddocs/minimum.sample.bicep.md: -------------------------------------------------------------------------------- 1 | # Azure template 2 | 3 | ## Snippets 4 | 5 | ### Parameter file 6 | 7 | ```json 8 | { 9 | "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", 10 | "contentVersion": "1.0.0.0", 11 | "metadata": { 12 | "template": "infra-as-code/bicep/modules/managementGroups/samples/minimum.sample.json" 13 | }, 14 | "parameters": {} 15 | } 16 | ``` 17 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/roleAssignments/samples/generateddocs/baseline.sample.bicep.md: -------------------------------------------------------------------------------- 1 | # Azure template 2 | 3 | ## Snippets 4 | 5 | ### Parameter file 6 | 7 | ```json 8 | { 9 | "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", 10 | "contentVersion": "1.0.0.0", 11 | "metadata": { 12 | "template": "infra-as-code/bicep/modules/roleAssignments/samples/baseline.sample.json" 13 | }, 
14 | "parameters": {} 15 | } 16 | ``` 17 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/roleAssignments/samples/generateddocs/minimum.sample.bicep.md: -------------------------------------------------------------------------------- 1 | # Azure template 2 | 3 | ## Snippets 4 | 5 | ### Parameter file 6 | 7 | ```json 8 | { 9 | "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", 10 | "contentVersion": "1.0.0.0", 11 | "metadata": { 12 | "template": "infra-as-code/bicep/modules/roleAssignments/samples/minimum.sample.json" 13 | }, 14 | "parameters": {} 15 | } 16 | ``` 17 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/vnetPeeringVwan/samples/generateddocs/baseline.sample.bicep.md: -------------------------------------------------------------------------------- 1 | # Azure template 2 | 3 | ## Snippets 4 | 5 | ### Parameter file 6 | 7 | ```json 8 | { 9 | "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", 10 | "contentVersion": "1.0.0.0", 11 | "metadata": { 12 | "template": "infra-as-code/bicep/modules/vnetPeeringVwan/samples/baseline.sample.json" 13 | }, 14 | "parameters": {} 15 | } 16 | ``` 17 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/vnetPeeringVwan/samples/generateddocs/minimum.sample.bicep.md: -------------------------------------------------------------------------------- 1 | # Azure template 2 | 3 | ## Snippets 4 | 5 | ### Parameter file 6 | 7 | ```json 8 | { 9 | "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", 10 | "contentVersion": "1.0.0.0", 11 | "metadata": { 12 | "template": "infra-as-code/bicep/modules/vnetPeeringVwan/samples/minimum.sample.json" 13 | }, 14 | "parameters": {} 15 | } 16 | ``` 17 | 
-------------------------------------------------------------------------------- /.github/actions-config/gh-ado-sync-config.json: -------------------------------------------------------------------------------- 1 | { 2 | "log_level": "info", 3 | "ado": { 4 | "organization": "CSUSolEng", 5 | "project": "Azure Landing Zones", 6 | "wit": "GitHub Issue", 7 | "states": { 8 | "new": "New", 9 | "closed": "Closed", 10 | "reopened": "New", 11 | "deleted": "Removed", 12 | "active": "In Progress" 13 | }, 14 | "bypassRules": true, 15 | "autoCreate": true, 16 | "areaPath": "Azure Landing Zones\\Bicep" 17 | } 18 | } -------------------------------------------------------------------------------- /.github/azFunction/AzFunctionCode/getSubscriptions/readme.md: -------------------------------------------------------------------------------- 1 | # Overview 2 | This function is triggered by items arriving on the closedPullRequests queue, as defined in the input binding in the function.json file. When triggered, the function tries to get the subscription state based on the subscription name using Get-AzSubscription. If the subscription exists and is active, the subscription name and ID are placed in the subscriptionsToClose queue in the associated storage, as specified in the output binding in the function.json file.
-------------------------------------------------------------------------------- /infra-as-code/bicep/CRML/customerUsageAttribution/generateddocs/cuaIdManagementGroup.bicep.md: -------------------------------------------------------------------------------- 1 | # Azure template 2 | 3 | ## Snippets 4 | 5 | ### Parameter file 6 | 7 | ```json 8 | { 9 | "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", 10 | "contentVersion": "1.0.0.0", 11 | "metadata": { 12 | "template": "infra-as-code/bicep/CRML/customerUsageAttribution/cuaIdManagementGroup.json" 13 | }, 14 | "parameters": {} 15 | } 16 | ``` 17 | -------------------------------------------------------------------------------- /infra-as-code/bicep/CRML/customerUsageAttribution/generateddocs/cuaIdResourceGroup.bicep.md: -------------------------------------------------------------------------------- 1 | # Azure template 2 | 3 | ## Snippets 4 | 5 | ### Parameter file 6 | 7 | ```json 8 | { 9 | "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", 10 | "contentVersion": "1.0.0.0", 11 | "metadata": { 12 | "template": "infra-as-code/bicep/CRML/customerUsageAttribution/cuaIdResourceGroup.json" 13 | }, 14 | "parameters": {} 15 | } 16 | ``` 17 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/managementGroups/samples/generateddocs/baseline.sample.bicep.md: -------------------------------------------------------------------------------- 1 | # Azure template 2 | 3 | ## Snippets 4 | 5 | ### Parameter file 6 | 7 | ```json 8 | { 9 | "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", 10 | "contentVersion": "1.0.0.0", 11 | "metadata": { 12 | "template": "infra-as-code/bicep/modules/managementGroups/samples/baseline.sample.json" 13 | }, 14 | "parameters": {} 15 | } 16 | ``` 17 | 
-------------------------------------------------------------------------------- /.github/azFunction/AzFunctionCode/getPullRequests/function.json: -------------------------------------------------------------------------------- 1 | { 2 | "bindings": [ 3 | { 4 | "name": "QueueItem", 5 | "type": "queueTrigger", 6 | "direction": "in", 7 | "queueName": "startjob", 8 | "connection": "AzureWebJobsStorage" 9 | }, 10 | { 11 | "type": "queue", 12 | "direction": "out", 13 | "name": "pullRequests", 14 | "queueName": "closedPullRequests", 15 | "connection": "AzureWebJobsStorage" 16 | } 17 | ] 18 | } 19 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/customRoleDefinitions/samples/generateddocs/minimum.sample.bicep.md: -------------------------------------------------------------------------------- 1 | # Azure template 2 | 3 | ## Snippets 4 | 5 | ### Parameter file 6 | 7 | ```json 8 | { 9 | "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", 10 | "contentVersion": "1.0.0.0", 11 | "metadata": { 12 | "template": "infra-as-code/bicep/modules/customRoleDefinitions/samples/minimum.sample.json" 13 | }, 14 | "parameters": {} 15 | } 16 | ``` 17 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/subscriptionPlacement/samples/generateddocs/minimum.sample.bicep.md: -------------------------------------------------------------------------------- 1 | # Azure template 2 | 3 | ## Snippets 4 | 5 | ### Parameter file 6 | 7 | ```json 8 | { 9 | "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", 10 | "contentVersion": "1.0.0.0", 11 | "metadata": { 12 | "template": "infra-as-code/bicep/modules/subscriptionPlacement/samples/minimum.sample.json" 13 | }, 14 | "parameters": {} 15 | } 16 | ``` 17 | -------------------------------------------------------------------------------- 
/infra-as-code/bicep/modules/customRoleDefinitions/samples/generateddocs/baseline.sample.bicep.md: -------------------------------------------------------------------------------- 1 | # Azure template 2 | 3 | ## Snippets 4 | 5 | ### Parameter file 6 | 7 | ```json 8 | { 9 | "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", 10 | "contentVersion": "1.0.0.0", 11 | "metadata": { 12 | "template": "infra-as-code/bicep/modules/customRoleDefinitions/samples/baseline.sample.json" 13 | }, 14 | "parameters": {} 15 | } 16 | ``` 17 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/subscriptionPlacement/samples/generateddocs/baseline.sample.bicep.md: -------------------------------------------------------------------------------- 1 | # Azure template 2 | 3 | ## Snippets 4 | 5 | ### Parameter file 6 | 7 | ```json 8 | { 9 | "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", 10 | "contentVersion": "1.0.0.0", 11 | "metadata": { 12 | "template": "infra-as-code/bicep/modules/subscriptionPlacement/samples/baseline.sample.json" 13 | }, 14 | "parameters": {} 15 | } 16 | ``` 17 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Compute.parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Deny-Disk-Double-Encryption": { 3 | "parameters": { 4 | "effect": { 5 | "value": "[[parameters('diskDoubleEncryption')]" 6 | } 7 | } 8 | }, 9 | "Deny-VmAndVmss-Encryption-Host": { 10 | "parameters": { 11 | "effect": { 12 | "value": "[[parameters('vmAndVmssEncryptionHost')]" 13 | } 14 | } 15 | } 16 | } 17 | -------------------------------------------------------------------------------- 
/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-MySQL.parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Deny-MySql-Infra-Encryption": { 3 | "parameters": { 4 | "effect": { 5 | "value": "[[parameters('mySqlInfraEncryption')]" 6 | } 7 | } 8 | }, 9 | "Dine-MySql-Adv-Threat-Protection": { 10 | "parameters": { 11 | "effect": { 12 | "value": "[[parameters('mySqlAdvThreatProtection')]" 13 | } 14 | } 15 | } 16 | } 17 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/resourceGroup/parameters/resourceGroup.parameters.min.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "parLocation": { 6 | "value": "eastus" 7 | }, 8 | "parResourceGroupName": { 9 | "value": "alz-rg" 10 | }, 11 | "parTelemetryOptOut": { 12 | "value": false 13 | } 14 | } 15 | } -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-KeyVault-Sup.parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Modify-KV-Fw": { 3 | "parameters": { 4 | "effect": { 5 | "value": "[[parameters('keyVaultModifyFw')]" 6 | } 7 | } 8 | }, 9 | "Modify-KV-PublicNetworkAccess": { 10 | "parameters": { 11 | "effect": { 12 | "value": "[[parameters('keyVaultManagedHsmDisablePublicNetworkModify')]" 13 | } 14 | } 15 | } 16 | } 17 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/policy/samples/minimum.policy.sample.bicep: 
-------------------------------------------------------------------------------- 1 | // 2 | // Minimum deployment sample 3 | // 4 | 5 | // Use this sample to deploy the minimum resource configuration. 6 | 7 | targetScope = 'managementGroup' 8 | 9 | // ---------- 10 | // PARAMETERS 11 | // ---------- 12 | 13 | // --------- 14 | // RESOURCES 15 | // --------- 16 | 17 | @description('Minimum resource configuration') 18 | module minimum_policy '../definitions/customPolicyDefinitions.bicep' = { 19 | name: 'minimum_policy' 20 | } 21 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/privateDnsZoneLinks/parameters/privateDnsZoneLinks.parameters.all.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "parSpokeVirtualNetworkResourceId": { 6 | "value": "" 7 | }, 8 | "parPrivateDnsZoneResourceIds":{ 9 | "value": [] 10 | }, 11 | "parPrivateDnsZoneLinkResolutionPolicy": { 12 | "value": "Default" 13 | } 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /.github/azFunction/AzFunctionCode/getSubscriptions/function.json: -------------------------------------------------------------------------------- 1 | { 2 | "bindings": [ 3 | { 4 | "name": "QueueItem", 5 | "type": "queueTrigger", 6 | "direction": "in", 7 | "queueName": "closedPullRequests", 8 | "connection": "AzureWebJobsStorage" 9 | }, 10 | { 11 | "type": "queue", 12 | "direction": "out", 13 | "name": "subscriptionsToClose", 14 | "queueName": "subscriptionsToClose", 15 | "connection": "AzureWebJobsStorage" 16 | } 17 | ] 18 | } 19 | -------------------------------------------------------------------------------- /.github/azFunction/AzFunctionCode/cancelSubscriptions/function.json: 
-------------------------------------------------------------------------------- 1 | { 2 | "bindings": [ 3 | { 4 | "name": "QueueItem", 5 | "type": "queueTrigger", 6 | "direction": "in", 7 | "queueName": "subscriptionsToClose", 8 | "connection": "AzureWebJobsStorage" 9 | }, 10 | { 11 | "type": "queue", 12 | "direction": "out", 13 | "name": "canceledSubscriptions", 14 | "queueName": "canceledSubscriptions", 15 | "connection": "AzureWebJobsStorage" 16 | } 17 | ] 18 | } 19 | -------------------------------------------------------------------------------- /docs/wiki/Accelerator.md: -------------------------------------------------------------------------------- 1 | 2 | ## Accelerator 3 | 4 | 5 | > [!IMPORTANT] 6 | > The ALZ Bicep Accelerator has been enhanced to streamline the setup of your Version Control System and Azure resources. Comprehensive documentation for the updated ALZ Bicep Accelerator, which continues to utilize the modules in this repository, is now available at [aka.ms/alz/accelerator/docs](https://aka.ms/alz/accelerator/). Visit this link to access the latest guidance and get started quickly! 7 | > 8 | -------------------------------------------------------------------------------- /infra-as-code/bicep/CRML/customerUsageAttribution/cuaIdTenant.bicep: -------------------------------------------------------------------------------- 1 | /* 2 | SUMMARY: Module to add the customer usage attribution (PID) to Tenant deployments. 
3 | DESCRIPTION: This module will create a deployment at the Tenant level which will add the unique PID and location as the deployment name 4 | AUTHOR/S: shaunjacob 5 | VERSION: 1.0.0 6 | */ 7 | 8 | targetScope = 'tenant' 9 | 10 | // This is an empty deployment by design 11 | // Reference: https://docs.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution 12 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/policy/assignments/workloadSpecific/parameters/workloadSpecificPolicyAssignments.parameters.min.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "parTopLevelManagementGroupPrefix": { 6 | "value": "alz" 7 | }, 8 | "parTopLevelManagementGroupSuffix": { 9 | "value": "" 10 | }, 11 | "parTelemetryOptOut": { 12 | "value": false 13 | } 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-ContainerApps.parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Deny-ContainerApp-Vnet-Injection": { 3 | "parameters": { 4 | "effect": { 5 | "value": "[[parameters('containerAppsVnetInjection')]" 6 | } 7 | } 8 | }, 9 | "Deny-ContainerApps-Managed-Identity": { 10 | "parameters": { 11 | "effect": { 12 | "value": "[[parameters('containerAppsManagedIdentity')]" 13 | } 14 | } 15 | } 16 | } 17 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/customRoleDefinitions/samples/minimum.sample.bicep: -------------------------------------------------------------------------------- 1 | // 2 | // Minimum deployment sample 3 | // 4 | 5 | // Use 
this sample to deploy the minimum resource configuration. 6 | 7 | targetScope = 'managementGroup' 8 | 9 | 10 | // ---------- 11 | // PARAMETERS 12 | // ---------- 13 | 14 | // --------- 15 | // RESOURCES 16 | // --------- 17 | 18 | @description('Minimum resource configuration') 19 | module minimum_custom_role_definitions '../customRoleDefinitions.bicep' = { 20 | name: 'custom_role_definition' 21 | } 22 | -------------------------------------------------------------------------------- /infra-as-code/bicep/CRML/customerUsageAttribution/cuaIdSubscription.bicep: -------------------------------------------------------------------------------- 1 | /* 2 | SUMMARY: Module to add the customer usage attribution (PID) to Subscription deployments. 3 | DESCRIPTION: This module will create a deployment at the Subscription level which will add the unique PID and location as the deployment name 4 | AUTHOR/S: shaunjacob 5 | VERSION: 1.0.0 6 | */ 7 | 8 | targetScope = 'subscription' 9 | 10 | // This is an empty deployment by design 11 | // Reference: https://docs.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution 12 | -------------------------------------------------------------------------------- /infra-as-code/bicep/CRML/customerUsageAttribution/cuaIdResourceGroup.bicep: -------------------------------------------------------------------------------- 1 | /* 2 | SUMMARY: Module to add the customer usage attribution (PID) to Resource Group deployments. 
3 | DESCRIPTION: This module will create a deployment at the Resource Group level which will add the unique PID and location as the deployment name 4 | AUTHOR/S: shaunjacob 5 | VERSION: 1.0.0 6 | */ 7 | 8 | targetScope = 'resourceGroup' 9 | 10 | // This is an empty deployment by design 11 | // Reference: https://docs.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution 12 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-VirtualDesktop.parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Modify-Hostpool-PublicNetworkAccess": { 3 | "parameters": { 4 | "effect": { 5 | "value": "[[parameters('avdHostPoolModifyPublicNetworkAccess')]" 6 | } 7 | } 8 | }, 9 | "Modify-Workspace-PublicNetworkAccess": { 10 | "parameters": { 11 | "effect": { 12 | "value": "[[parameters('avdWorkspaceModifyPublicNetworkAccess')]" 13 | } 14 | } 15 | } 16 | } 17 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/policy/exemptions/README.md: -------------------------------------------------------------------------------- 1 | # Module: Policy Exemptions 2 | 3 | This module defines Policy Exemptions. 4 | 5 | The module deploys the following resources: 6 | 7 | - Policy Exemptions 8 | 9 | ## Parameters 10 | 11 | - [Link to Parameters](generateddocs/policyExemptions.bicep.md) 12 | 13 | ## Outputs 14 | 15 | None 16 | 17 | ## Deployment 18 | 19 | The module is intended to be called from other modules as a reusable resource.
20 | 21 | ## Bicep Visualizer 22 | 23 | ![Bicep Visualizer](media/bicepVisualizer.png "Bicep Visualizer") 24 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/subscriptionPlacement/parameters/subscriptionPlacement.parameters.all.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "parTargetManagementGroupId": { 6 | "value": "alz-platform-connectivity" 7 | }, 8 | "parSubscriptionIds": { 9 | "value": [ 10 | "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" 11 | ] 12 | }, 13 | "parTelemetryOptOut": { 14 | "value": false 15 | } 16 | } 17 | } -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/subscriptionPlacement/parameters/subscriptionPlacement.parameters.min.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "parTargetManagementGroupId": { 6 | "value": "alz-platform-connectivity" 7 | }, 8 | "parSubscriptionIds": { 9 | "value": [ 10 | "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" 11 | ] 12 | }, 13 | "parTelemetryOptOut": { 14 | "value": false 15 | } 16 | } 17 | } -------------------------------------------------------------------------------- /docs/scripts/callModuleFromACR.example.bicep: -------------------------------------------------------------------------------- 1 | /* 2 | SUMMARY: Sample Bicep file to show how to call a module from Azure Container Registry 3 | DESCRIPTION: 4 | Sample deploys logging and hub network modules 5 | 6 | AUTHOR/S: aultt 7 | VERSION: 1.0.0 8 | */ 9 | 10 | module modLogging 'br:acrwa2dkdhgpzvsm.azurecr.io/bicep/modules/logging:V1' = { 11 | name : 
'deploy-logging' 12 | params:{ 13 | } 14 | } 15 | module modHubNetwork 'br:acrwa2dkdhgpzvsm.azurecr.io/bicep/modules/hubnetworking:V1' = { 16 | name : 'deploy-hubnetworking' 17 | params:{ 18 | } 19 | } 20 | -------------------------------------------------------------------------------- /infra-as-code/bicep/CRML/customerUsageAttribution/cuaIdManagementGroup.bicep: -------------------------------------------------------------------------------- 1 | /* 2 | SUMMARY: Module to add the customer usage attribution (PID) to Management Group deployments. 3 | DESCRIPTION: This module will create a deployment at the management group level which will add the unique PID and location as the deployment name 4 | AUTHOR/S: shaunjacob 5 | VERSION: 1.0.0 6 | */ 7 | 8 | targetScope = 'managementGroup' 9 | 10 | // This is an empty deployment by design 11 | // Reference: https://docs.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution 12 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/vwanConnectivity/samples/minimum.sample.bicep: -------------------------------------------------------------------------------- 1 | // 2 | // Minimum deployment sample 3 | // 4 | 5 | // Use this sample to deploy the minimum resource configuration. 
6 | 7 | targetScope = 'resourceGroup' 8 | 9 | // ---------- 10 | // PARAMETERS 11 | // ---------- 12 | param location string = 'westus' 13 | // --------- 14 | // RESOURCES 15 | // --------- 16 | 17 | @description('Minimum resource configuration') 18 | module minimum_vwan_conn '../vwanConnectivity.bicep' = { 19 | name: 'minimum_vwan_conn' 20 | params: { 21 | parLocation: location 22 | } 23 | } 24 | -------------------------------------------------------------------------------- /accelerator/test_modules/managementGroup/parameters/managementGroup.parameters.all.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "parTopLevelManagementGroupPrefix": { 6 | "value": "alz" 7 | }, 8 | "parTopLevelManagementGroupSuffix": { 9 | "value": "" 10 | }, 11 | "parTopLevelManagementGroupDisplayName": { 12 | "value": "Azure Landing Zones" 13 | }, 14 | "parTopLevelManagementGroupParentId": { 15 | "value": "" 16 | } 17 | } 18 | } 19 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-ALZ-Sandbox.parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "SandboxDenyVnetPeering": { 3 | "parameters": { 4 | "effect": { 5 | "value": "[[parameters('effectDenyVnetPeering')]" 6 | } 7 | } 8 | }, 9 | "SandboxNotAllowed": { 10 | "parameters": { 11 | "effect": { 12 | "value": "[[parameters('effectNotAllowedResources')]" 13 | }, 14 | "listOfResourceTypesNotAllowed": { 15 | "value": "[[parameters('listOfResourceTypesNotAllowed')]" 16 | } 17 | } 18 | } 19 | } 20 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/policy/samples/baseline.policy.sample.bicep: 
-------------------------------------------------------------------------------- 1 | // 2 | // Baseline deployment sample 3 | // 4 | 5 | // Use this sample to deploy the baseline resource configuration. 6 | 7 | targetScope = 'managementGroup' 8 | 9 | // ---------- 10 | // PARAMETERS 11 | // ---------- 12 | 13 | // --------- 14 | // RESOURCES 15 | // --------- 16 | 17 | @description('Baseline resource configuration') 18 | module baseline_policy '../definitions/customPolicyDefinitions.bicep' = { 19 | name: 'minimum_policy' 20 | params: { 21 | parTargetManagementGroupId: 'alz' 22 | parTelemetryOptOut: false 23 | } 24 | } 25 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroup.securityGroup.parameters.min.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "parRoleDefinitionId": { 6 | "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" 7 | }, 8 | "parAssigneePrincipalType": { 9 | "value": "Group" 10 | }, 11 | "parAssigneeObjectId": { 12 | "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" 13 | }, 14 | "parTelemetryOptOut": { 15 | "value": false 16 | } 17 | } 18 | } -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscription.securityGroup.parameters.min.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "parRoleDefinitionId": { 6 | "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" 7 | }, 8 | "parAssigneePrincipalType": { 9 | "value": "Group" 10 | }, 11 |
"parAssigneeObjectId": { 12 | "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" 13 | }, 14 | "parTelemetryOptOut": { 15 | "value": false 16 | } 17 | } 18 | } -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroup.securityGroup.parameters.min.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "parRoleDefinitionId": { 6 | "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" 7 | }, 8 | "parAssigneePrincipalType": { 9 | "value": "Group" 10 | }, 11 | "parAssigneeObjectId": { 12 | "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" 13 | }, 14 | "parTelemetryOptOut": { 15 | "value": false 16 | } 17 | } 18 | } 19 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscription.managedIdentity.parameters.min.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "parRoleDefinitionId": { 6 | "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" 7 | }, 8 | "parAssigneePrincipalType": { 9 | "value": "ServicePrincipal" 10 | }, 11 | "parAssigneeObjectId": { 12 | "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" 13 | }, 14 | "parTelemetryOptOut": { 15 | "value": false 16 | } 17 | } 18 | } -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscription.servicePrincipal.parameters.min.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "parRoleDefinitionId": { 6 | "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" 7 | }, 8 | "parAssigneePrincipalType": { 9 | "value": "ServicePrincipal" 10 | }, 11 | "parAssigneeObjectId": { 12 | "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" 13 | }, 14 | "parTelemetryOptOut": { 15 | "value": false 16 | } 17 | } 18 | } -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroup.managedIdentity.parameters.min.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "parRoleDefinitionId": { 6 | "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" 7 | }, 8 | "parAssigneePrincipalType": { 9 | "value": "ServicePrincipal" 10 | }, 11 | "parAssigneeObjectId": { 12 | "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" 13 | }, 14 | "parTelemetryOptOut": { 15 | "value": false 16 | } 17 | } 18 | } -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroup.servicePrincipal.parameters.min.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "parRoleDefinitionId": { 6 | "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" 7 | }, 8 | "parAssigneePrincipalType": { 9 | "value": "ServicePrincipal" 10 | }, 11 | "parAssigneeObjectId": { 12 | "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" 13 | }, 14 | "parTelemetryOptOut": { 15 | "value": false 16 | } 17 | } 18 | } 
-------------------------------------------------------------------------------- /infra-as-code/bicep/orchestration/mgDiagSettingsAll/parameters/mgDiagSettingsAll.parameters.min.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "parTopLevelManagementGroupPrefix": { 6 | "value": "alz" 7 | }, 8 | "parLogAnalyticsWorkspaceResourceId": { 9 | "value": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourcegroups/alz-logging/providers/microsoft.operationalinsights/workspaces/alz-log-analytics" 10 | }, 11 | "parTelemetryOptOut": { 12 | "value": false 13 | } 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroup.managedIdentity.parameters.min.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "parRoleDefinitionId": { 6 | "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" 7 | }, 8 | "parAssigneePrincipalType": { 9 | "value": "ServicePrincipal" 10 | }, 11 | "parAssigneeObjectId": { 12 | "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" 13 | }, 14 | "parTelemetryOptOut": { 15 | "value": false 16 | } 17 | } 18 | } 19 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroup.servicePrincipal.parameters.min.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | 
"parRoleDefinitionId": { 6 | "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" 7 | }, 8 | "parAssigneePrincipalType": { 9 | "value": "ServicePrincipal" 10 | }, 11 | "parAssigneeObjectId": { 12 | "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" 13 | }, 14 | "parTelemetryOptOut": { 15 | "value": false 16 | } 17 | } 18 | } 19 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/customRoleDefinitions/samples/baseline.sample.bicep: -------------------------------------------------------------------------------- 1 | // 2 | // Baseline deployment sample 3 | // 4 | 5 | // Use this sample to deploy the baseline resource configuration. 6 | 7 | targetScope = 'managementGroup' 8 | 9 | 10 | // ---------- 11 | // PARAMETERS 12 | // ---------- 13 | 14 | // --------- 15 | // RESOURCES 16 | // --------- 17 | 18 | @description('Baseline resource configuration') 19 | module baseline_custom_role_definitions '../customRoleDefinitions.bicep' = { 20 | name: 'custom_role_definition' 21 | params: { 22 | parAssignableScopeManagementGroupId: 'alz' 23 | parTelemetryOptOut: false 24 | } 25 | } 26 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/resourceGroup/samples/minimum.sample.bicep: -------------------------------------------------------------------------------- 1 | // 2 | // Minimum deployment sample 3 | // 4 | 5 | // Use this sample to deploy the minimum resource configuration. 
6 | 7 | targetScope = 'subscription' 8 | 9 | // ---------- 10 | // PARAMETERS 11 | // ---------- 12 | 13 | 14 | // --------- 15 | // RESOURCES 16 | // --------- 17 | 18 | @description('Minimum resource configuration.') 19 | module minimum_rg'../resourceGroup.bicep' = { 20 | name: 'minimum_rg' 21 | params: { 22 | parLocation: 'westeurope' 23 | parResourceGroupName: 'minimum-rg' 24 | parTags: { 25 | tag1: 'value1' 26 | tag2: 'value2' 27 | } 28 | } 29 | } 30 | -------------------------------------------------------------------------------- /.editorconfig: -------------------------------------------------------------------------------- 1 | root = true 2 | 3 | [*] 4 | indent_size = 2 5 | charset = utf-8 6 | end_of_line = lf 7 | trim_trailing_whitespace = true 8 | insert_final_newline = true 9 | 10 | [*.{yml,yaml}] 11 | indent_size = 2 12 | charset = utf-8 13 | end_of_line = lf 14 | trim_trailing_whitespace = true 15 | insert_final_newline = true 16 | 17 | [**/policy/definitions/lib/**] 18 | indent_size = 2 19 | charset = unset 20 | end_of_line = unset 21 | trim_trailing_whitespace = unset 22 | insert_final_newline = unset 23 | 24 | [**/policy/assignments/lib/**] 25 | indent_size = 2 26 | charset = unset 27 | end_of_line = unset 28 | trim_trailing_whitespace = unset 29 | insert_final_newline = unset 30 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/logging/parameters/logging.parameters.min.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "parLogAnalyticsWorkspaceLocation": { 6 | "value": "eastus" 7 | }, 8 | "parLogAnalyticsWorkspaceLogRetentionInDays": { 9 | "value": 365 10 | }, 11 | "parUserAssignedManagedIdentityName": { 12 | "value": "alz-umi-identity" 13 | }, 14 | "parUserAssignedManagedIdentityLocation": 
{ 15 | "value": "eastus" 16 | }, 17 | "parTelemetryOptOut": { 18 | "value": false 19 | } 20 | } 21 | } 22 | -------------------------------------------------------------------------------- /.github/azFunction/AzFunctionCode/getPullRequests/readme.md: -------------------------------------------------------------------------------- 1 | # Overview 2 | This function is triggered by items arriving on the startjob queue, as defined in the input bindings in the function.json file. Upon triggering, the function gets a number of the latest closed pull requests on the ALZ-Bicep GitHub repo. This is all specified in the run.ps1 file; currently it is set to the last 20 on page 1 (latest). Note that the GitHub API returns a maximum of 100 items per page, so if a greater number were required, more pages would need to be queried. For each PR, the title, PR number and state are placed in the queue closedPullRequests on the associated storage, as specified in the output bindings in the function.json file. -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/logging/parameters/mc-logging.parameters.min.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "parLogAnalyticsWorkspaceLocation": { 6 | "value": "chinaeast2" 7 | }, 8 | "parLogAnalyticsWorkspaceLogRetentionInDays": { 9 | "value": 365 10 | }, 11 | "parUserAssignedManagedIdentityName": { 12 | "value": "alz-umi-identity" 13 | }, 14 | "parUserAssignedManagedIdentityLocation": { 15 | "value": "chinaeast2" 16 | }, 17 | "parTelemetryOptOut": { 18 | "value": false 19 | } 20 | } 21 | } 22 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/roleAssignments/samples/minimum.sample.bicep: 
-------------------------------------------------------------------------------- 1 | // 2 | // Minimum deployment sample 3 | // 4 | 5 | // Use this sample to deploy the minimum resource configuration. 6 | 7 | targetScope = 'managementGroup' 8 | 9 | // ---------- 10 | // PARAMETERS 11 | // ---------- 12 | 13 | 14 | // --------- 15 | // RESOURCES 16 | // --------- 17 | 18 | @description('Minimum resource configuration.') 19 | module ra_mg'../roleAssignmentManagementGroup.bicep' = { 20 | name: 'ra_mg' 21 | params: { 22 | parRoleDefinitionId: 'acdd72a7-3385-48ef-bd42-f606fba81ae7' 23 | parAssigneePrincipalType: 'Group' 24 | parAssigneeObjectId: '00000000-0000-0000-0000-000000000000' 25 | } 26 | } 27 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/resourceGroup/samples/baseline.sample.bicep: -------------------------------------------------------------------------------- 1 | // 2 | // Baseline deployment sample 3 | // 4 | 5 | // Use this sample to deploy the baseline resource configuration. 6 | 7 | targetScope = 'subscription' 8 | 9 | // ---------- 10 | // PARAMETERS 11 | // ---------- 12 | 13 | 14 | // --------- 15 | // RESOURCES 16 | // --------- 17 | 18 | @description('Baseline resource configuration.') 19 | module baseline_rg'../resourceGroup.bicep' = { 20 | name: 'baseline_rg' 21 | params: { 22 | parLocation: 'westeurope' 23 | parResourceGroupName: 'baseline-rg' 24 | parTelemetryOptOut: true 25 | parTags: { 26 | tag1: 'value1' 27 | tag2: 'value2' 28 | } 29 | } 30 | } 31 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/logging/samples/minimum.sample.bicep: -------------------------------------------------------------------------------- 1 | // 2 | // Minimum deployment sample 3 | // 4 | 5 | // Use this sample to deploy the minimum resource configuration. 
6 | 7 | targetScope = 'resourceGroup' 8 | 9 | @description('The Azure location to deploy to.') 10 | param location string = resourceGroup().location 11 | 12 | // ---------- 13 | // PARAMETERS 14 | // ---------- 15 | 16 | // --------- 17 | // RESOURCES 18 | // --------- 19 | 20 | @description('Minimum resource configuration') 21 | module minimum_logging '../logging.bicep' = { 22 | name: 'minimum_logging' 23 | params: { 24 | parLogAnalyticsWorkspaceLocation: location 25 | parAutomationAccountLocation: location 26 | } 27 | } 28 | -------------------------------------------------------------------------------- /.ps-rule/en/ALZ.MinimumSample.md: -------------------------------------------------------------------------------- 1 | # Ignore minimum sample 2 | 3 | ## SYNOPSIS 4 | 5 | Ignore the minimum sample configuration that may not be WAF compliant. 6 | See [https://github.com/Azure/ALZ-Bicep/blob/main/.ps-rule/en/ALZ.MinimumSample.md](https://github.com/Azure/ALZ-Bicep/blob/main/.ps-rule/en/ALZ.MinimumSample.md). 7 | 8 | ## DESCRIPTION 9 | 10 | The _minimum_ sample provides a basic configuration. 11 | It is typically less complex and has fewer requirements. 12 | This makes it most suitable for early development and testing. 13 | 14 | The basic configuration may not have all the features required for alignment to the Well-Architected Framework. 15 | Consider using the _baseline_ sample for enterprise environments. 16 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/subscriptionPlacement/samples/minimum.sample.bicep: -------------------------------------------------------------------------------- 1 | // 2 | // Minimum deployment sample 3 | // 4 | 5 | // Use this sample to deploy the minimum resource configuration. 
6 | 7 | targetScope = 'managementGroup' 8 | 9 | // ---------- 10 | // PARAMETERS 11 | // ---------- 12 | 13 | // --------- 14 | // RESOURCES 15 | // --------- 16 | 17 | @description('Minimum resource configuration.') 18 | module sub_placement '../subscriptionPlacement.bicep' = { 19 | name: 'sub_placement' 20 | params: { 21 | parSubscriptionIds: [ 22 | '00000000-0000-0000-0000-000000000000' 23 | '11111111-1111-1111-1111-111111111111' 24 | ] 25 | parTargetManagementGroupId: '22222222-2222-2222-2222-222222222222' 26 | } 27 | } 28 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/vnetPeeringVwan/parameters/vnetPeeringVwan.parameters.min.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "parVirtualWanHubResourceId": { 6 | "value": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/alz-vwan-eastus/providers/Microsoft.Network/virtualHubs/alz-vhub-eastus" 7 | }, 8 | "parRemoteVirtualNetworkResourceId": { 9 | "value": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/spokevnet-rg/providers/Microsoft.Network/virtualNetworks/vnet-spoke" 10 | }, 11 | "parTelemetryOptOut": { 12 | "value": false 13 | } 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_asc_monitoring.tmpl.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Deploy-ASC-Monitoring", 3 | "type": "Microsoft.Authorization/policyAssignments", 4 | "apiVersion": "2019-09-01", 5 | "properties": { 6 | "description": "Enable Monitoring in Microsoft Defender for Cloud.", 7 | "displayName": "Enable Monitoring in Microsoft Defender 
for Cloud", 8 | "notScopes": [], 9 | "parameters": {}, 10 | "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8", 11 | "scope": null, 12 | "enforcementMode": "Default" 13 | }, 14 | "location": null, 15 | "identity": { 16 | "type": "None" 17 | } 18 | } -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_sql_threat.tmpl.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Deploy-SQL-Threat", 3 | "type": "Microsoft.Authorization/policyAssignments", 4 | "apiVersion": "2019-09-01", 5 | "properties": { 6 | "description": "This policy ensures that Threat Detection is enabled on SQL Servers.", 7 | "displayName": "Deploy Threat Detection on SQL servers", 8 | "notScopes": [], 9 | "parameters": {}, 10 | "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/36d49e87-48c4-4f2e-beed-ba4ed02b71f5", 11 | "scope": null, 12 | "enforcementMode": "Default" 13 | }, 14 | "location": null, 15 | "identity": { 16 | "type": "SystemAssigned" 17 | } 18 | } -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/resourceGroup/parameters/resourceGroup.parameters.all.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "parLocation": { 6 | "value": "eastus" 7 | }, 8 | "parResourceGroupName": { 9 | "value": "alz-rg" 10 | }, 11 | "parTags": { 12 | "value": { 13 | "Environment": "Live" 14 | } 15 | }, 16 | "parTelemetryOptOut": { 17 | "value": false 18 | }, 19 | "parResourceLockConfig": { 20 | "value": { 21 | "kind": "None", 22 | "notes": "This lock was created by the ALZ Bicep 
resourceGroup Module" 23 | } 24 | } 25 | } 26 | } 27 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_sql_security.tmpl.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Deploy-SQL-Security", 3 | "type": "Microsoft.Authorization/policyAssignments", 4 | "apiVersion": "2019-09-01", 5 | "properties": { 6 | "description": "Deploy-SQL-Security.", 7 | "displayName": "Deploy-SQL-Security", 8 | "notScopes": [], 9 | "parameters": { 10 | "effect": { 11 | "value": "DeployIfNotExists" 12 | } 13 | }, 14 | "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f", 15 | "scope": null, 16 | "enforcementMode": "Default" 17 | }, 18 | "location": null, 19 | "identity": { 20 | "type": "SystemAssigned" 21 | } 22 | } -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_sql_security.tmpl.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Deploy-SQL-Security", 3 | "type": "Microsoft.Authorization/policyAssignments", 4 | "apiVersion": "2024-04-01", 5 | "properties": { 6 | "description": "Deploy-SQL-Security.", 7 | "displayName": "Deploy-SQL-Security", 8 | "notScopes": [], 9 | "parameters": { 10 | "effect": { 11 | "value": "DeployIfNotExists" 12 | } 13 | }, 14 | "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f", 15 | "scope": null, 16 | "enforcementMode": "Default" 17 | }, 18 | "location": null, 19 | "identity": { 20 | "type": "SystemAssigned" 21 | } 22 | } 23 | -------------------------------------------------------------------------------- 
/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_gr_sql.tmpl.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Enforce-GR-SQL", 3 | "type": "Microsoft.Authorization/policyAssignments", 4 | "apiVersion": "2025-01-01", 5 | "properties": { 6 | "description": "This initiative assignment enables additional ALZ guardrails for SQL.", 7 | "displayName": "Enforce recommended guardrails for SQL", 8 | "notScopes": [], 9 | "parameters": {}, 10 | "policyDefinitionId": "${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-SQL", 11 | "scope": null, 12 | "enforcementMode": "Default" 13 | }, 14 | "location": null, 15 | "identity": { 16 | "type": "SystemAssigned" 17 | } 18 | } 19 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/spokeNetworking/parameters/spokeNetworking.parameters.min.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "parDisableBgpRoutePropagation": { 6 | "value": false 7 | }, 8 | "parDdosProtectionPlanId": { 9 | "value": "" 10 | }, 11 | "parSpokeNetworkAddressPrefix": { 12 | "value": "10.11.0.0/16" 13 | }, 14 | "parDnsServerIps": { 15 | "value": [] 16 | }, 17 | "parNextHopIpAddress": { 18 | "value": "" 19 | }, 20 | "parTelemetryOptOut": { 21 | "value": false 22 | } 23 | } 24 | } -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/subscriptionPlacement/samples/baseline.sample.bicep: -------------------------------------------------------------------------------- 1 | // 2 | // Baseline deployment sample 3 | // 4 | 5 | // Use this sample to deploy the baseline resource configuration. 
6 | 7 | targetScope = 'managementGroup' 8 | 9 | // ---------- 10 | // PARAMETERS 11 | // ---------- 12 | 13 | // --------- 14 | // RESOURCES 15 | // --------- 16 | 17 | @description('Baseline resource configuration.') 18 | module sub_placement '../subscriptionPlacement.bicep' = { 19 | name: 'sub_placement' 20 | params: { 21 | parSubscriptionIds: [ 22 | '00000000-0000-0000-0000-000000000000' 23 | '11111111-1111-1111-1111-111111111111' 24 | ] 25 | parTelemetryOptOut: true 26 | parTargetManagementGroupId: '22222222-2222-2222-2222-222222222222' 27 | } 28 | } 29 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_sql_tde.tmpl.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Deploy-SQL-TDE", 3 | "type": "Microsoft.Authorization/policyAssignments", 4 | "apiVersion": "2024-04-01", 5 | "properties": { 6 | "description": "This policy ensures that Transparent Data Encryption is enabled on SQL Servers.", 7 | "displayName": "Deploy TDE on SQL servers", 8 | "notScopes": [], 9 | "parameters": {}, 10 | "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f", 11 | "definitionVersion": "2.*.*", 12 | "scope": null, 13 | "enforcementMode": "Default" 14 | }, 15 | "location": null, 16 | "identity": { 17 | "type": "SystemAssigned" 18 | } 19 | } 20 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_asc_monitoring.tmpl.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Deploy-ASC-Monitoring", 3 | "type": "Microsoft.Authorization/policyAssignments", 4 | "apiVersion": "2024-04-01", 5 | "properties": { 6 | "description": "Enable Monitoring in Microsoft Defender for 
Cloud.", 7 | "displayName": "Enable Monitoring in Microsoft Defender for Cloud", 8 | "notScopes": [], 9 | "parameters": {}, 10 | "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8", 11 | "definitionVersion": "57.*.*", 12 | "scope": null, 13 | "enforcementMode": "Default" 14 | }, 15 | "location": null, 16 | "identity": { 17 | "type": "None" 18 | } 19 | } 20 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_backup.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Enforce-ASR", 3 | "type": "Microsoft.Authorization/policyAssignments", 4 | "apiVersion": "2024-04-01", 5 | "properties": { 6 | "description": "This initiative assignment enables recommended ALZ guardrails for Azure Recovery Services.", 7 | "displayName": "Enforce enhanced recovery and backup policies", 8 | "notScopes": [], 9 | "parameters": {}, 10 | "policyDefinitionId": "${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Backup", 11 | "scope": null, 12 | "enforcementMode": "Default" 13 | }, 14 | "location": null, 15 | "identity": { 16 | "type": "SystemAssigned" 17 | } 18 | } 19 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_gr_mysql.tmpl.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Enforce-GR-MySQL", 3 | "type": "Microsoft.Authorization/policyAssignments", 4 | "apiVersion": "2025-01-01", 5 | "properties": { 6 | "description": "This initiative assignment enables additional ALZ guardrails for MySQL.", 7 | "displayName": "Enforce recommended guardrails for MySQL", 8 | "notScopes": [], 9 | "parameters": {}, 10 | 
"policyDefinitionId": "${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-MySQL", 11 | "scope": null, 12 | "enforcementMode": "Default" 13 | }, 14 | "location": null, 15 | "identity": { 16 | "type": "SystemAssigned" 17 | } 18 | } 19 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroupMany.securityGroup.parameters.min.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "parManagementGroupIds": { 6 | "value": [ 7 | "alz-platform-connectivity", 8 | "alz-platform-identity" 9 | ] 10 | }, 11 | "parRoleDefinitionId": { 12 | "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" 13 | }, 14 | "parAssigneePrincipalType": { 15 | "value": "Group" 16 | }, 17 | "parAssigneeObjectId": { 18 | "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" 19 | }, 20 | "parTelemetryOptOut": { 21 | "value": false 22 | } 23 | } 24 | } -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/hubNetworking/samples/minimum.sample.bicep: -------------------------------------------------------------------------------- 1 | // 2 | // Minimum deployment sample 3 | // 4 | 5 | // Use this sample to deploy the minimum resource configuration. 
6 | 7 | targetScope = 'resourceGroup' 8 | 9 | // ---------- 10 | // PARAMETERS 11 | // ---------- 12 | 13 | @description('The Azure location to deploy to.') 14 | param location string = resourceGroup().location 15 | 16 | // --------- 17 | // RESOURCES 18 | // --------- 19 | 20 | @description('Minimum resource configuration') 21 | module minimum_hub_network '../hubNetworking.bicep' = { 22 | name: 'minimum_hub_network' 23 | params: { 24 | parLocation: location 25 | parAzFirewallAvailabilityZones: [] 26 | parAzErGatewayAvailabilityZones: [] 27 | parAzVpnGatewayAvailabilityZones: [] 28 | } 29 | } 30 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_resource_types.tmpl.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Deny-Resource-Types", 3 | "type": "Microsoft.Authorization/policyAssignments", 4 | "apiVersion": "2019-09-01", 5 | "properties": { 6 | "description": "Specifies the Resource Types to deny deployment by policy.", 7 | "displayName": "Deny-Resource-Types", 8 | "notScopes": [], 9 | "parameters": { 10 | "effect": { 11 | "value": "deny" 12 | } 13 | }, 14 | "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749", 15 | "scope": null, 16 | "enforcementMode": "Default" 17 | }, 18 | "location": null, 19 | "identity": { 20 | "type": "None" 21 | } 22 | } -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_resource_types.tmpl.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Deny-Resource-Types", 3 | "type": "Microsoft.Authorization/policyAssignments", 4 | "apiVersion": "2024-04-01", 5 | "properties": { 6 | "description": "Specifies the Resource 
Types to deny deployment by policy.", 7 | "displayName": "Deny-Resource-Types", 8 | "notScopes": [], 9 | "parameters": { 10 | "effect": { 11 | "value": "deny" 12 | } 13 | }, 14 | "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749", 15 | "scope": null, 16 | "enforcementMode": "Default" 17 | }, 18 | "location": null, 19 | "identity": { 20 | "type": "None" 21 | } 22 | } 23 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_sql_threat.tmpl.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Deploy-SQL-Threat", 3 | "type": "Microsoft.Authorization/policyAssignments", 4 | "apiVersion": "2024-04-01", 5 | "properties": { 6 | "description": "This policy ensures that Threat Detection is enabled on SQL Servers.", 7 | "displayName": "Deploy Threat Detection on SQL servers", 8 | "notScopes": [], 9 | "parameters": {}, 10 | "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/36d49e87-48c4-4f2e-beed-ba4ed02b71f5", 11 | "definitionVersion": "2.*.*", 12 | "scope": null, 13 | "enforcementMode": "Default" 14 | }, 15 | "location": null, 16 | "identity": { 17 | "type": "SystemAssigned" 18 | } 19 | } 20 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_gr_openai.tmpl.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Enforce-GR-OpenAI", 3 | "type": "Microsoft.Authorization/policyAssignments", 4 | "apiVersion": "2025-01-01", 5 | "properties": { 6 | "description": "This initiative assignment enables additional ALZ guardrails for OpenAI.", 7 | "displayName": "Enforce recommended guardrails for OpenAI", 8 | "notScopes": [], 9 | "parameters": 
{}, 10 | "policyDefinitionId": "${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-OpenAI", 11 | "scope": null, 12 | "enforcementMode": "Default" 13 | }, 14 | "location": null, 15 | "identity": { 16 | "type": "SystemAssigned" 17 | } 18 | } 19 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_gr_compute.tmpl.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Enforce-GR-Compute", 3 | "type": "Microsoft.Authorization/policyAssignments", 4 | "apiVersion": "2025-01-01", 5 | "properties": { 6 | "description": "This initiative assignment enables additional ALZ guardrails for Compute.", 7 | "displayName": "Enforce recommended guardrails for Compute", 8 | "notScopes": [], 9 | "parameters": {}, 10 | "policyDefinitionId": "${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Compute", 11 | "scope": null, 12 | "enforcementMode": "Default" 13 | }, 14 | "location": null, 15 | "identity": { 16 | "type": "SystemAssigned" 17 | } 18 | } 19 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_gr_storage.tmpl.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Enforce-GR-Storage", 3 | "type": "Microsoft.Authorization/policyAssignments", 4 | "apiVersion": "2025-01-01", 5 | "properties": { 6 | "description": "This initiative assignment enables additional ALZ guardrails for Storage.", 7 | "displayName": "Enforce recommended guardrails for Storage", 8 | "notScopes": [], 9 | "parameters": {}, 10 | "policyDefinitionId": 
"${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Storage", 11 | "scope": null, 12 | "enforcementMode": "Default" 13 | }, 14 | "location": null, 15 | "identity": { 16 | "type": "SystemAssigned" 17 | } 18 | } 19 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_gr_synapse.tmpl.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Enforce-GR-Synapse", 3 | "type": "Microsoft.Authorization/policyAssignments", 4 | "apiVersion": "2025-01-01", 5 | "properties": { 6 | "description": "This initiative assignment enables additional ALZ guardrails for Synapse.", 7 | "displayName": "Enforce recommended guardrails for Synapse", 8 | "notScopes": [], 9 | "parameters": {}, 10 | "policyDefinitionId": "${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Synapse", 11 | "scope": null, 12 | "enforcementMode": "Default" 13 | }, 14 | "location": null, 15 | "identity": { 16 | "type": "SystemAssigned" 17 | } 18 | } 19 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-ACSB.parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "GcIdentity": { 3 | "parameters": {} 4 | }, 5 | "GcLinux": { 6 | "parameters": {} 7 | }, 8 | "GcWindows": { 9 | "parameters": {} 10 | }, 11 | "LinAcsb": { 12 | "parameters": { 13 | "effect": { 14 | "value": "[[parameters('effect')]" 15 | }, 16 | "IncludeArcMachines": { 17 | "value": "[[parameters('includeArcMachines')]" 18 | } 19 | } 20 | }, 21 | "WinAcsb": { 22 | "parameters": { 23 | "effect": { 24 | "value": "[[parameters('effect')]" 25 | }, 26 | "IncludeArcMachines": { 
27 | "value": "[[parameters('includeArcMachines')]" 28 | } 29 | } 30 | } 31 | } 32 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_gr_apim.tmpl.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Enforce-GR-APIM", 3 | "type": "Microsoft.Authorization/policyAssignments", 4 | "apiVersion": "2025-01-01", 5 | "properties": { 6 | "description": "This initiative assignment enables additional ALZ guardrails for API Management.", 7 | "displayName": "Enforce recommended guardrails for API Management", 8 | "notScopes": [], 9 | "parameters": {}, 10 | "policyDefinitionId": "${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-APIM", 11 | "scope": null, 12 | "enforcementMode": "Default" 13 | }, 14 | "location": null, 15 | "identity": { 16 | "type": "SystemAssigned" 17 | } 18 | } 19 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_gr_cosmosdb.tmpl.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Enforce-GR-CosmosDb", 3 | "type": "Microsoft.Authorization/policyAssignments", 4 | "apiVersion": "2025-01-01", 5 | "properties": { 6 | "description": "This initiative assignment enables additional ALZ guardrails for Cosmos DB.", 7 | "displayName": "Enforce recommended guardrails for Cosmos DB", 8 | "notScopes": [], 9 | "parameters": {}, 10 | "policyDefinitionId": "${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-CosmosDb", 11 | "scope": null, 12 | "enforcementMode": "Default" 13 | }, 14 | "location": null, 15 | "identity": { 16 | "type": "SystemAssigned" 17 | } 18 | } 19 | 
-------------------------------------------------------------------------------- /infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_gr_eventhub.tmpl.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Enforce-GR-EventHub", 3 | "type": "Microsoft.Authorization/policyAssignments", 4 | "apiVersion": "2025-01-01", 5 | "properties": { 6 | "description": "This initiative assignment enables additional ALZ guardrails for Event Hub.", 7 | "displayName": "Enforce recommended guardrails for Event Hub", 8 | "notScopes": [], 9 | "parameters": {}, 10 | "policyDefinitionId": "${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-EventHub", 11 | "scope": null, 12 | "enforcementMode": "Default" 13 | }, 14 | "location": null, 15 | "identity": { 16 | "type": "SystemAssigned" 17 | } 18 | } 19 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroupMany.managedIdentity.parameters.min.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "parManagementGroupIds": { 6 | "value": [ 7 | "alz-platform-connectivity", 8 | "alz-platform-identity" 9 | ] 10 | }, 11 | "parRoleDefinitionId": { 12 | "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" 13 | }, 14 | "parAssigneePrincipalType": { 15 | "value": "ServicePrincipal" 16 | }, 17 | "parAssigneeObjectId": { 18 | "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" 19 | }, 20 | "parTelemetryOptOut": { 21 | "value": false 22 | } 23 | } 24 | } -------------------------------------------------------------------------------- 
/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroupMany.servicePrincipal.parameters.min.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "parManagementGroupIds": { 6 | "value": [ 7 | "alz-platform-connectivity", 8 | "alz-platform-identity" 9 | ] 10 | }, 11 | "parRoleDefinitionId": { 12 | "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" 13 | }, 14 | "parAssigneePrincipalType": { 15 | "value": "ServicePrincipal" 16 | }, 17 | "parAssigneeObjectId": { 18 | "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" 19 | }, 20 | "parTelemetryOptOut": { 21 | "value": false 22 | } 23 | } 24 | } -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_gr_eventgrid.tmpl.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Enforce-GR-EventGrid", 3 | "type": "Microsoft.Authorization/policyAssignments", 4 | "apiVersion": "2025-01-01", 5 | "properties": { 6 | "description": "This initiative assignment enables additional ALZ guardrails for Event Grid.", 7 | "displayName": "Enforce recommended guardrails for Event Grid", 8 | "notScopes": [], 9 | "parameters": {}, 10 | "policyDefinitionId": "${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-EventGrid", 11 | "scope": null, 12 | "enforcementMode": "Default" 13 | }, 14 | "location": null, 15 | "identity": { 16 | "type": "SystemAssigned" 17 | } 18 | } 19 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_gr_keyvault.tmpl.json: 
-------------------------------------------------------------------------------- 1 | { 2 | "name": "Enforce-GR-KeyVault", 3 | "type": "Microsoft.Authorization/policyAssignments", 4 | "apiVersion": "2025-01-01", 5 | "properties": { 6 | "description": "This initiative assignment enables recommended ALZ guardrails for Azure Key Vault.", 7 | "displayName": "Enforce recommended guardrails for Azure Key Vault", 8 | "notScopes": [], 9 | "parameters": {}, 10 | "policyDefinitionId": "${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-KeyVault", 11 | "scope": null, 12 | "enforcementMode": "Default" 13 | }, 14 | "location": null, 15 | "identity": { 16 | "type": "None" 17 | } 18 | } 19 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscriptionMany.securityGroup.parameters.min.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "parSubscriptionIds": { 6 | "value": [ 7 | "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", 8 | "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" 9 | ] 10 | }, 11 | "parRoleDefinitionId": { 12 | "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" 13 | }, 14 | "parAssigneePrincipalType": { 15 | "value": "Group" 16 | }, 17 | "parAssigneeObjectId": { 18 | "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" 19 | }, 20 | "parTelemetryOptOut": { 21 | "value": false 22 | } 23 | } 24 | } -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_appgw_without_waf.tmpl.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Deny-AppGW-Without-WAF", 3 | 
"type": "Microsoft.Authorization/policyAssignments", 4 | "apiVersion": "2019-09-01", 5 | "properties": { 6 | "description": "Deny creation of App Gateway without WAF.", 7 | "displayName": "Deny-AppGW-Without-WAF", 8 | "notScopes": [], 9 | "parameters": { 10 | "effect": { 11 | "value": "deny" 12 | } 13 | }, 14 | "policyDefinitionId": "${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppGW-Without-WAF", 15 | "scope": null, 16 | "enforcementMode": "Default" 17 | }, 18 | "location": null, 19 | "identity": { 20 | "type": "None" 21 | } 22 | } -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_appgw_without_waf.tmpl.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Deny-AppGW-Without-WAF", 3 | "type": "Microsoft.Authorization/policyAssignments", 4 | "apiVersion": "2024-04-01", 5 | "properties": { 6 | "description": "Deny creation of App Gateway without WAF.", 7 | "displayName": "Deny-AppGW-Without-WAF", 8 | "notScopes": [], 9 | "parameters": { 10 | "effect": { 11 | "value": "deny" 12 | } 13 | }, 14 | "policyDefinitionId": "${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppGW-Without-WAF", 15 | "scope": null, 16 | "enforcementMode": "Default" 17 | }, 18 | "location": null, 19 | "identity": { 20 | "type": "None" 21 | } 22 | } 23 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_gr_botservice.tmpl.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Enforce-GR-BotService", 3 | "type": "Microsoft.Authorization/policyAssignments", 4 | "apiVersion": "2025-01-01", 5 | "properties": { 6 | "description": "This initiative 
assignment enables additional ALZ guardrails for Bot Service.", 7 | "displayName": "Enforce recommended guardrails for Bot Service", 8 | "notScopes": [], 9 | "parameters": {}, 10 | "policyDefinitionId": "${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-BotService", 11 | "scope": null, 12 | "enforcementMode": "Default" 13 | }, 14 | "location": null, 15 | "identity": { 16 | "type": "SystemAssigned" 17 | } 18 | } 19 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_gr_kubernetes.tmpl.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Enforce-GR-Kubernetes", 3 | "type": "Microsoft.Authorization/policyAssignments", 4 | "apiVersion": "2025-01-01", 5 | "properties": { 6 | "description": "This initiative assignment enables additional ALZ guardrails for Kubernetes.", 7 | "displayName": "Enforce recommended guardrails for Kubernetes", 8 | "notScopes": [], 9 | "parameters": {}, 10 | "policyDefinitionId": "${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Kubernetes", 11 | "scope": null, 12 | "enforcementMode": "Default" 13 | }, 14 | "location": null, 15 | "identity": { 16 | "type": "SystemAssigned" 17 | } 18 | } 19 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_gr_postgressql.tmpl.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Enforce-GR-PostgreSQL", 3 | "type": "Microsoft.Authorization/policyAssignments", 4 | "apiVersion": "2025-01-01", 5 | "properties": { 6 | "description": "This initiative assignment enables additional ALZ guardrails for PostgreSQL.", 7 | "displayName": 
"Enforce recommended guardrails for PostgreSQL", 8 | "notScopes": [], 9 | "parameters": {}, 10 | "policyDefinitionId": "${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-PostgreSQL", 11 | "scope": null, 12 | "enforcementMode": "Default" 13 | }, 14 | "location": null, 15 | "identity": { 16 | "type": "SystemAssigned" 17 | } 18 | } 19 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_gr_servicebus.tmpl.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Enforce-GR-ServiceBus", 3 | "type": "Microsoft.Authorization/policyAssignments", 4 | "apiVersion": "2025-01-01", 5 | "properties": { 6 | "description": "This initiative assignment enables additional ALZ guardrails for ServiceBus.", 7 | "displayName": "Enforce recommended guardrails for ServiceBus", 8 | "notScopes": [], 9 | "parameters": {}, 10 | "policyDefinitionId": "${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ServiceBus", 11 | "scope": null, 12 | "enforcementMode": "Default" 13 | }, 14 | "location": null, 15 | "identity": { 16 | "type": "SystemAssigned" 17 | } 18 | } 19 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/vnetPeering/samples/minimum.sample.bicep: -------------------------------------------------------------------------------- 1 | // 2 | // Minimum deployment sample 3 | // 4 | 5 | // Use this sample to deploy the minimum resource configuration. 
6 | 7 | targetScope = 'resourceGroup' 8 | 9 | // ---------- 10 | // PARAMETERS 11 | // ---------- 12 | 13 | // --------- 14 | // RESOURCES 15 | // --------- 16 | 17 | @description('Minimum resource configuration') 18 | module minimum_vnet_peering '../vnetPeering.bicep' = { 19 | name: 'minimum_vnet_peering' 20 | params: { 21 | parDestinationVirtualNetworkId: '/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx/resourceGroups//providers/Microsoft.Network/virtualNetworks/' 22 | parDestinationVirtualNetworkName: '' 23 | parSourceVirtualNetworkName: '' 24 | } 25 | } 26 | -------------------------------------------------------------------------------- /.ps-rule/FalsePositiveNsgBastion.Rule.yaml: -------------------------------------------------------------------------------- 1 | # 2 | # Suppression and rules for unsupported scenarios. 3 | # 4 | 5 | # NOTE: 6 | # For details on authoring suppression groups see: 7 | # https://microsoft.github.io/PSRule/v2/concepts/PSRule/en-US/about_PSRule_SuppressionGroups/ 8 | # https://microsoft.github.io/PSRule/v2/concepts/PSRule/en-US/about_PSRule_Expressions/ 9 | 10 | --- 11 | # Synopsis: Ignore NSG lateral movement rule for Azure Bastion as this is needed for Bastion to work. 12 | apiVersion: github.com/microsoft/PSRule/v1 13 | kind: SuppressionGroup 14 | metadata: 15 | name: ALZ.NSGForBastion 16 | spec: 17 | rule: 18 | - Azure.NSG.LateralTraversal 19 | if: 20 | allOf: 21 | - name: '.' 22 | contains: bastion 23 | - type: '.' 
24 | in: 25 | - Microsoft.Network/networkSecurityGroups 26 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_gr_appservices.tmpl.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Enforce-GR-AppServices", 3 | "type": "Microsoft.Authorization/policyAssignments", 4 | "apiVersion": "2025-01-01", 5 | "properties": { 6 | "description": "This initiative assignment enables additional ALZ guardrails for App Services.", 7 | "displayName": "Enforce recommended guardrails for App Services", 8 | "notScopes": [], 9 | "parameters": {}, 10 | "policyDefinitionId": "${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-AppServices", 11 | "scope": null, 12 | "enforcementMode": "Default" 13 | }, 14 | "location": null, 15 | "identity": { 16 | "type": "SystemAssigned" 17 | } 18 | } 19 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_gr_dataexplorer.tmpl.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Enforce-GR-DataExpl", 3 | "type": "Microsoft.Authorization/policyAssignments", 4 | "apiVersion": "2025-01-01", 5 | "properties": { 6 | "description": "This initiative assignment enables additional ALZ guardrails for Data Explorer.", 7 | "displayName": "Enforce recommended guardrails for Data Explorer", 8 | "notScopes": [], 9 | "parameters": {}, 10 | "policyDefinitionId": "${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-DataExplorer", 11 | "scope": null, 12 | "enforcementMode": "Default" 13 | }, 14 | "location": null, 15 | "identity": { 16 | "type": "SystemAssigned" 17 | } 18 | } 19 | 
-------------------------------------------------------------------------------- /infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_gr_datafactory.tmpl.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Enforce-GR-DataFactory", 3 | "type": "Microsoft.Authorization/policyAssignments", 4 | "apiVersion": "2025-01-01", 5 | "properties": { 6 | "description": "This initiative assignment enables additional ALZ guardrails for Data Factory.", 7 | "displayName": "Enforce recommended guardrails for Data Factory", 8 | "notScopes": [], 9 | "parameters": {}, 10 | "policyDefinitionId": "${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-DataFactory", 11 | "scope": null, 12 | "enforcementMode": "Default" 13 | }, 14 | "location": null, 15 | "identity": { 16 | "type": "SystemAssigned" 17 | } 18 | } 19 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_audit_res_location_match_rg_location.tmpl.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Audit-Location-Match", 3 | "type": "Microsoft.Authorization/policyAssignments", 4 | "apiVersion": "2024-04-01", 5 | "properties": { 6 | "description": "Audit resource location matches resource group location", 7 | "displayName": "Audit that the resource location matches its resource group location", 8 | "notScopes": [], 9 | "parameters": {}, 10 | "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0a914e76-4921-4c19-b460-a2d36003525a", 11 | "definitionVersion": "2.*.*", 12 | "scope": null, 13 | "enforcementMode": "Default" 14 | }, 15 | "location": null, 16 | "identity": { 17 | "type": "None" 18 | } 19 | } 20 | 
-------------------------------------------------------------------------------- /infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_gr_containerapps.tmpl.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Enforce-GR-ContApps", 3 | "type": "Microsoft.Authorization/policyAssignments", 4 | "apiVersion": "2025-01-01", 5 | "properties": { 6 | "description": "This initiative assignment enables additional ALZ guardrails for Container Apps.", 7 | "displayName": "Enforce recommended guardrails for Container Apps", 8 | "notScopes": [], 9 | "parameters": {}, 10 | "policyDefinitionId": "${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ContainerApps", 11 | "scope": null, 12 | "enforcementMode": "Default" 13 | }, 14 | "location": null, 15 | "identity": { 16 | "type": "SystemAssigned" 17 | } 18 | } 19 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscriptionMany.managedIdentity.parameters.min.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "parSubscriptionIds": { 6 | "value": [ 7 | "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", 8 | "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" 9 | ] 10 | }, 11 | "parRoleDefinitionId": { 12 | "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" 13 | }, 14 | "parAssigneePrincipalType": { 15 | "value": "ServicePrincipal" 16 | }, 17 | "parAssigneeObjectId": { 18 | "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" 19 | }, 20 | "parTelemetryOptOut": { 21 | "value": false 22 | } 23 | } 24 | } -------------------------------------------------------------------------------- 
/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscriptionMany.servicePrincipal.parameters.min.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "parSubscriptionIds": { 6 | "value": [ 7 | "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", 8 | "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" 9 | ] 10 | }, 11 | "parRoleDefinitionId": { 12 | "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" 13 | }, 14 | "parAssigneePrincipalType": { 15 | "value": "ServicePrincipal" 16 | }, 17 | "parAssigneeObjectId": { 18 | "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" 19 | }, 20 | "parTelemetryOptOut": { 21 | "value": false 22 | } 23 | } 24 | } -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_gr_automation.tmpl.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Enforce-GR-Automation", 3 | "type": "Microsoft.Authorization/policyAssignments", 4 | "apiVersion": "2025-01-01", 5 | "properties": { 6 | "description": "This initiative assignment enables additional ALZ guardrails for Automation Accounts.", 7 | "displayName": "Enforce recommended guardrails for Automation Accounts", 8 | "notScopes": [], 9 | "parameters": {}, 10 | "policyDefinitionId": "${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Automation", 11 | "scope": null, 12 | "enforcementMode": "Default" 13 | }, 14 | "location": null, 15 | "identity": { 16 | "type": "SystemAssigned" 17 | } 18 | } 19 | -------------------------------------------------------------------------------- 
/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_encryption_cmk.tmpl.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Enforce-Encryption-CMK", 3 | "type": "Microsoft.Authorization/policyAssignments", 4 | "apiVersion": "2025-01-01", 5 | "properties": { 6 | "description": "This initiative assignment enables additional ALZ guardrails for Customer Managed Keys.", 7 | "displayName": "Enforce recommended guardrails for Customer Managed Keys", 8 | "notScopes": [], 9 | "parameters": {}, 10 | "policyDefinitionId": "${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Enforce-Encryption-CMK_20250218", 11 | "scope": null, 12 | "enforcementMode": "Default" 13 | }, 14 | "location": null, 15 | "identity": { 16 | "type": "SystemAssigned" 17 | } 18 | } 19 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_gr_machinelearning.tmpl.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Enforce-GR-MachLearn", 3 | "type": "Microsoft.Authorization/policyAssignments", 4 | "apiVersion": "2025-01-01", 5 | "properties": { 6 | "description": "This initiative assignment enables additional ALZ guardrails for Machine Learning.", 7 | "displayName": "Enforce recommended guardrails for Machine Learning", 8 | "notScopes": [], 9 | "parameters": {}, 10 | "policyDefinitionId": "${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-MachineLearning", 11 | "scope": null, 12 | "enforcementMode": "Default" 13 | }, 14 | "location": null, 15 | "identity": { 16 | "type": "SystemAssigned" 17 | } 18 | } 19 | -------------------------------------------------------------------------------- 
/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_gr_virtualdesktop.tmpl.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Enforce-GR-VirtualDesk", 3 | "type": "Microsoft.Authorization/policyAssignments", 4 | "apiVersion": "2025-01-01", 5 | "properties": { 6 | "description": "This initiative assignment enables additional ALZ guardrails for Virtual Desktop.", 7 | "displayName": "Enforce recommended guardrails for Virtual Desktop", 8 | "notScopes": [], 9 | "parameters": {}, 10 | "policyDefinitionId": "${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-VirtualDesktop", 11 | "scope": null, 12 | "enforcementMode": "Default" 13 | }, 14 | "location": null, 15 | "identity": { 16 | "type": "SystemAssigned" 17 | } 18 | } 19 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroupMany.securityGroup.parameters.min.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "parResourceGroupIds": { 6 | "value": [ 7 | "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/xxxxxxx", 8 | "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/xxxxxxx" 9 | ] 10 | }, 11 | "parRoleDefinitionId": { 12 | "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" 13 | }, 14 | "parAssigneePrincipalType": { 15 | "value": "Group" 16 | }, 17 | "parAssigneeObjectId": { 18 | "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" 19 | }, 20 | "parTelemetryOptOut": { 21 | "value": false 22 | } 23 | } 24 | } 25 | -------------------------------------------------------------------------------- 
/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_gr_cognitiveservices.tmpl.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Enforce-GR-CogServ", 3 | "type": "Microsoft.Authorization/policyAssignments", 4 | "apiVersion": "2025-01-01", 5 | "properties": { 6 | "description": "This initiative assignment enables additional ALZ guardrails for Cognitive Services.", 7 | "displayName": "Enforce recommended guardrails for Cognitive Services", 8 | "notScopes": [], 9 | "parameters": {}, 10 | "policyDefinitionId": "${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-CognitiveServices", 11 | "scope": null, 12 | "enforcementMode": "Default" 13 | }, 14 | "location": null, 15 | "identity": { 16 | "type": "SystemAssigned" 17 | } 18 | } 19 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_gr_containerinstance.tmpl.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Enforce-GR-ContInst", 3 | "type": "Microsoft.Authorization/policyAssignments", 4 | "apiVersion": "2025-01-01", 5 | "properties": { 6 | "description": "This initiative assignment enables additional ALZ guardrails for Container Instance.", 7 | "displayName": "Enforce recommended guardrails for Container Instance", 8 | "notScopes": [], 9 | "parameters": {}, 10 | "policyDefinitionId": "${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ContainerInstance", 11 | "scope": null, 12 | "enforcementMode": "Default" 13 | }, 14 | "location": null, 15 | "identity": { 16 | "type": "SystemAssigned" 17 | } 18 | } 19 | -------------------------------------------------------------------------------- 
/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_gr_containerregistry.tmpl.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Enforce-GR-ContReg", 3 | "type": "Microsoft.Authorization/policyAssignments", 4 | "apiVersion": "2025-01-01", 5 | "properties": { 6 | "description": "This initiative assignment enables additional ALZ guardrails for Container Registry.", 7 | "displayName": "Enforce recommended guardrails for Container Registry", 8 | "notScopes": [], 9 | "parameters": {}, 10 | "policyDefinitionId": "${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ContainerRegistry", 11 | "scope": null, 12 | "enforcementMode": "Default" 13 | }, 14 | "location": null, 15 | "identity": { 16 | "type": "SystemAssigned" 17 | } 18 | } 19 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/publicIp/samples/minimum.sample.bicep: -------------------------------------------------------------------------------- 1 | // 2 | // Minimum deployment sample 3 | // 4 | 5 | // Use this sample to deploy the minimum resource configuration. 
6 | 7 | targetScope = 'resourceGroup' 8 | 9 | // ---------- 10 | // PARAMETERS 11 | // ---------- 12 | 13 | @description('The Azure location to deploy to.') 14 | param location string = resourceGroup().location 15 | 16 | // --------- 17 | // RESOURCES 18 | // --------- 19 | 20 | @description('Minimum resource configuration') 21 | module minimum_public_ip '../publicIp.bicep' = { 22 | name: 'minimum_public_ip' 23 | params: { 24 | parPublicIpName: 'pip-minimum-ip' 25 | parLocation: location 26 | parPublicIpProperties: { } 27 | parPublicIpSku: { 28 | name: 'Basic' 29 | tier: 'Regional' 30 | } 31 | parTags: {} 32 | } 33 | } 34 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/resourceGroup/README.md: -------------------------------------------------------------------------------- 1 | # Module: Resource Group 2 | 3 | This module creates a Resource group to be utilized by other modules. 4 | 5 | Module deploys the following resources: 6 | 7 | - Resource Group 8 | 9 | ## Parameters 10 | 11 | - [Link to Parameters](generateddocs/resourceGroup.bicep.md) 12 | 13 | ## Outputs 14 | 15 | The module will generate the following outputs: 16 | 17 | | Output | Type | Example | 18 | | ------ | ---- | ------- | 19 | | outResourceGroupName | string | `Hub` | 20 | | outResourceGroupId | string | `/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx/resourceGroups/Hub` | 21 | 22 | ## Deployment 23 | 24 | Module is intended to be called from other modules as a reusable resource. 
25 | 26 | ## Bicep Visualizer 27 | 28 | ![Bicep Visualizer](media/bicepVisualizer.png "Bicep Visualizer") 29 | -------------------------------------------------------------------------------- /.github/actions-config/mlc_config.json: -------------------------------------------------------------------------------- 1 | { 2 | "ignorePatterns": [ 3 | { 4 | "pattern": "^http://localhost" 5 | }, 6 | { 7 | "pattern": "^(https:\\/\\/)?([www.]?)+(microsoft.com\\/)+[\\w\\-\\._~:/?#[\\]@!\\$&'\\(\\)\\*\\+,;=.]+$" 8 | }, 9 | { 10 | "pattern": "^mailto:" 11 | } 12 | ], 13 | "httpHeaders": [ 14 | { 15 | "comment": "Workaround as suggested here: https://github.com/tcort/markdown-link-check/issues/201", 16 | "urls": [ 17 | "https://docs.github.com/" 18 | ], 19 | "headers": { 20 | "Accept-Encoding": "zstd, br, gzip, deflate" 21 | } 22 | } 23 | ], 24 | "timeout": "10s", 25 | "retryOn429": true, 26 | "retryCount": 5, 27 | "fallbackRetryDelay": "30s", 28 | "aliveStatusCodes": [ 29 | 200, 30 | 203, 31 | 206 32 | ] 33 | } 34 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_public_ip_on_nic.tmpl.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Deny-Public-IP-On-NIC", 3 | "type": "Microsoft.Authorization/policyAssignments", 4 | "apiVersion": "2024-04-01", 5 | "properties": { 6 | "description": "This policy denies network interfaces from having a public IP associated to it under the assigned scope.", 7 | "displayName": "Deny network interfaces having a public IP associated", 8 | "notScopes": [], 9 | "parameters": {}, 10 | "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/83a86a26-fd1f-447c-b59d-e51f44264114", 11 | "definitionVersion": "1.*.*", 12 | "scope": null, 13 | "enforcementMode": "Default" 14 | }, 15 | "location": null, 16 | "identity": { 17 | "type": "None" 18 | } 19 | } 20 
| -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_acsb.tmpl.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Enforce-ACSB", 3 | "type": "Microsoft.Authorization/policyAssignments", 4 | "apiVersion": "2024-04-01", 5 | "properties": { 6 | "description": "This initiative assignment enables Azure Compute Security Baseline compliance auditing for Windows and Linux virtual machines.", 7 | "displayName": "Enforce Azure Compute Security Baseline compliance auditing", 8 | "notScopes": [], 9 | "parameters": {}, 10 | "policyDefinitionId": "${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Enforce-ACSB", 11 | "scope": null, 12 | "enforcementMode": "Default" 13 | }, 14 | "location": null, 15 | "identity": { 16 | "type": "SystemAssigned" 17 | } 18 | } 19 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_gr_keyvault_sup.tmpl.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Enforce-GR-KeyVaultSup", 3 | "type": "Microsoft.Authorization/policyAssignments", 4 | "apiVersion": "2025-01-01", 5 | "properties": { 6 | "description": "This initiative assignment enables additional ALZ guardrails for Key Vault Supplementary.", 7 | "displayName": "Enforce recommended guardrails for Key Vault Supplementary", 8 | "notScopes": [], 9 | "parameters": {}, 10 | "policyDefinitionId": "${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-KeyVault-Sup", 11 | "scope": null, 12 | "enforcementMode": "Default" 13 | }, 14 | "location": null, 15 | "identity": { 16 | "type": "SystemAssigned" 17 | } 18 | } 19 | 
-------------------------------------------------------------------------------- /infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-DataExplorer.parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Deny-ADX-Double-Encryption": { 3 | "parameters": { 4 | "effect": { 5 | "value": "[[parameters('adxDoubleEncryption')]" 6 | } 7 | } 8 | }, 9 | "Deny-ADX-Encryption": { 10 | "parameters": { 11 | "effect": { 12 | "value": "[[parameters('adxEncryption')]" 13 | } 14 | } 15 | }, 16 | "Deny-ADX-Sku-without-PL-Support": { 17 | "parameters": { 18 | "effect": { 19 | "value": "[[parameters('adxSku')]" 20 | } 21 | } 22 | }, 23 | "Modify-ADX-Public-Network-Access": { 24 | "parameters": { 25 | "effect": { 26 | "value": "[[parameters('adxModifyPublicNetworkAccess')]" 27 | } 28 | } 29 | } 30 | } 31 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroupMany.managedIdentity.parameters.min.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "parResourceGroupIds": { 6 | "value": [ 7 | "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/xxxxxxx", 8 | "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/xxxxxxx" 9 | ] 10 | }, 11 | "parRoleDefinitionId": { 12 | "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" 13 | }, 14 | "parAssigneePrincipalType": { 15 | "value": "ServicePrincipal" 16 | }, 17 | "parAssigneeObjectId": { 18 | "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" 19 | }, 20 | "parTelemetryOptOut": { 21 | "value": false 22 | } 23 | } 24 | } 25 | -------------------------------------------------------------------------------- 
/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroupMany.servicePrincipal.parameters.min.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "parResourceGroupIds": { 6 | "value": [ 7 | "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/xxxxxxx", 8 | "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/xxxxxxx" 9 | ] 10 | }, 11 | "parRoleDefinitionId": { 12 | "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" 13 | }, 14 | "parAssigneePrincipalType": { 15 | "value": "ServicePrincipal" 16 | }, 17 | "parAssigneeObjectId": { 18 | "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" 19 | }, 20 | "parTelemetryOptOut": { 21 | "value": false 22 | } 23 | } 24 | } 25 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_gr_network.tmpl.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Enforce-GR-Network", 3 | "type": "Microsoft.Authorization/policyAssignments", 4 | "apiVersion": "2025-01-01", 5 | "properties": { 6 | "description": "This initiative assignment enables additional ALZ guardrails for Network and Networking services.", 7 | "displayName": "Enforce recommended guardrails for Network and Networking services", 8 | "notScopes": [], 9 | "parameters": {}, 10 | "policyDefinitionId": "${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Network_20250326", 11 | "scope": null, 12 | "enforcementMode": "Default" 13 | }, 14 | "location": null, 15 | "identity": { 16 | "type": "SystemAssigned" 17 | } 18 | } 19 | -------------------------------------------------------------------------------- 
/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-ServiceBus.parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Deny-Sb-Authz-Rules": { 3 | "parameters": { 4 | "effect": { 5 | "value": "[[parameters('serviceBusAuthzRules')]" 6 | } 7 | } 8 | }, 9 | "Deny-Sb-Encryption": { 10 | "parameters": { 11 | "effect": { 12 | "value": "[[parameters('serviceBusDoubleEncryption')]" 13 | } 14 | } 15 | }, 16 | "Deny-Sb-LocalAuth": { 17 | "parameters": { 18 | "effect": { 19 | "value": "[[parameters('serviceBusDenyDisabledLocalAuth')]" 20 | } 21 | } 22 | }, 23 | "Modify-Sb-LocalAuth": { 24 | "parameters": { 25 | "effect": { 26 | "value": "[[parameters('serviceBusModifyDisableLocalAuth')]" 27 | } 28 | } 29 | } 30 | } 31 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_public_endpoints.tmpl.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Deny-Public-Endpoints", 3 | "type": "Microsoft.Authorization/policyAssignments", 4 | "apiVersion": "2019-09-01", 5 | "properties": { 6 | "description": "This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints.", 7 | "displayName": "Public network access should be disabled for PaaS services", 8 | "notScopes": [], 9 | "parameters": {}, 10 | "policyDefinitionId": "${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints", 11 | "scope": null, 12 | "enforcementMode": "Default" 13 | }, 14 | "location": null, 15 | "identity": { 16 | "type": "None" 17 | } 18 | } -------------------------------------------------------------------------------- 
/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_databricks_vnet.tmpl.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Deny-DataB-Vnet", 3 | "type": "Microsoft.Authorization/policyAssignments", 4 | "apiVersion": "2024-04-01", 5 | "properties": { 6 | "description": "Enforces the use of vnet injection for Databricks workspaces.", 7 | "displayName": "Enforces the use of vnet injection for Databricks", 8 | "notScopes": [], 9 | "parameters": { 10 | "effect": { 11 | "value": "Deny" 12 | } 13 | }, 14 | "policyDefinitionId": "${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Databricks-VirtualNetwork", 15 | "scope": null, 16 | "enforcementMode": "Default" 17 | }, 18 | "location": null, 19 | "identity": { 20 | "type": "None" 21 | } 22 | } 23 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_public_endpoints.tmpl.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Deny-Public-Endpoints", 3 | "type": "Microsoft.Authorization/policyAssignments", 4 | "apiVersion": "2024-04-01", 5 | "properties": { 6 | "description": "This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints.", 7 | "displayName": "Public network access should be disabled for PaaS services", 8 | "notScopes": [], 9 | "parameters": {}, 10 | "policyDefinitionId": "${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints", 11 | "scope": null, 12 | "enforcementMode": "Default" 13 | }, 14 | "location": null, 15 | "identity": { 16 | "type": "None" 17 | } 18 | } 19 | -------------------------------------------------------------------------------- 
/.ps-rule/UnsupportedPipBastion.Rule.yaml: -------------------------------------------------------------------------------- 1 | # 2 | # Suppression and rules for unsupported scenarios. 3 | # 4 | 5 | # NOTE: 6 | # For details on authoring suppression groups see: 7 | # https://microsoft.github.io/PSRule/v2/concepts/PSRule/en-US/about_PSRule_SuppressionGroups/ 8 | # https://microsoft.github.io/PSRule/v2/concepts/PSRule/en-US/about_PSRule_Expressions/ 9 | 10 | --- 11 | # Synopsis: Ignore availability zones for Azure Bastion public IP which is not supported. https://github.com/Azure/PSRule.Rules.Azure/issues/1442 12 | apiVersion: github.com/microsoft/PSRule/v1 13 | kind: SuppressionGroup 14 | metadata: 15 | name: ALZ.PublicIPForBastion 16 | spec: 17 | rule: 18 | - Azure.PublicIP.AvailabilityZone 19 | if: 20 | allOf: 21 | - name: '.' 22 | contains: bastion 23 | - type: '.' 24 | in: 25 | - Microsoft.Network/publicIPAddresses 26 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-BotService.parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Audit-BotService-Private-Link": { 3 | "parameters": { 4 | "effect": { 5 | "value": "[[parameters('botServicePrivateLink')]" 6 | } 7 | } 8 | }, 9 | "Deny-BotService-Isolated-Mode": { 10 | "parameters": { 11 | "effect": { 12 | "value": "[[parameters('botServiceIsolatedMode')]" 13 | } 14 | } 15 | }, 16 | "Deny-BotService-Local-Auth": { 17 | "parameters": { 18 | "effect": { 19 | "value": "[[parameters('botServiceLocalAuth')]" 20 | } 21 | } 22 | }, 23 | "Deny-BotService-Valid-Uri": { 24 | "parameters": { 25 | "effect": { 26 | "value": "[[parameters('botServiceValidUri')]" 27 | } 28 | } 29 | } 30 | } 31 | -------------------------------------------------------------------------------- 
/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-EventHub.parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Deny-EH-Auth-Rules": { 3 | "parameters": { 4 | "effect": { 5 | "value": "[[parameters('eventHubAuthRules')]" 6 | } 7 | } 8 | }, 9 | "Deny-EH-Double-Encryption": { 10 | "parameters": { 11 | "effect": { 12 | "value": "[[parameters('eventHubNamespacesDoubleEncryption')]" 13 | } 14 | } 15 | }, 16 | "Deny-EH-Local-Auth": { 17 | "parameters": { 18 | "effect": { 19 | "value": "[[parameters('eventHubNamespacesLocalAuth')]" 20 | } 21 | } 22 | }, 23 | "Modify-EH-Local-Auth": { 24 | "parameters": { 25 | "effect": { 26 | "value": "[[parameters('eventHubNamespacesModifyLocalAuth')]" 27 | } 28 | } 29 | } 30 | } 31 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_subnet_private.tmpl.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Enforce-Subnet-Private", 3 | "type": "Microsoft.Authorization/policyAssignments", 4 | "apiVersion": "2024-04-01", 5 | "properties": { 6 | "description": "Ensure your subnets are secure by default by preventing default outbound access. 
For more information go to https://aka.ms/defaultoutboundaccessretirement", 7 | "displayName": "Subnets should be private", 8 | "notScopes": [], 9 | "parameters": {}, 10 | "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7bca8353-aa3b-429b-904a-9229c4385837", 11 | "definitionVersion": "1.*.*", 12 | "scope": null, 13 | "enforcementMode": "Default" 14 | }, 15 | "location": null, 16 | "identity": { 17 | "type": "None" 18 | } 19 | } 20 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/vnetPeeringVwan/samples/minimum.sample.bicep: -------------------------------------------------------------------------------- 1 | // 2 | // Minimum deployment sample 3 | // 4 | 5 | // Use this sample to deploy the minimum resource configuration. 6 | 7 | targetScope = 'subscription' 8 | 9 | // ---------- 10 | // PARAMETERS 11 | // ---------- 12 | 13 | // --------- 14 | // RESOURCES 15 | // --------- 16 | 17 | @description('Minimum resource configuration') 18 | module minimum_vwa_vnet_peering '../vnetPeeringVwan.bicep' = { 19 | name: 'minimum_vwa_vnet_peering' 20 | params: { 21 | parVirtualWanHubResourceId: '/subscriptions/xxxxxxxxx-b761-4132-9ed1-2c90d07c4885/resourceGroups/rg-vwan/providers/Microsoft.Network/virtualWans/vwan-hub' 22 | parRemoteVirtualNetworkResourceId: '/subscriptions/xxxxxxxx-b761-4132-9ed1-2c90d07c4885/resourceGroups/rg-vnet/providers/Microsoft.Network/virtualNetworks/vnet-remote' 23 | } 24 | } 25 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/managementGroups/samples/minimum.sample.bicep: -------------------------------------------------------------------------------- 1 | // 2 | // Minimum deployment sample 3 | // 4 | 5 | // Use this sample to deploy the minimum resource configuration. 
6 | 7 | targetScope = 'tenant' 8 | 9 | // ---------- 10 | // PARAMETERS 11 | // ---------- 12 | 13 | // --------- 14 | // RESOURCES 15 | // --------- 16 | 17 | @description('Minimum resource configuration') 18 | module minimum_managementgroups '../managementGroups.bicep' = { 19 | name: 'minimum_managementGroups' 20 | params: { 21 | parTopLevelManagementGroupParentId: '00000000-0000-0000-0000-000000000000' 22 | parLandingZoneMgChildren: { 23 | 'mg-landingzone': { 24 | displayName: 'Landing Zone' 25 | children: { 26 | 'mg-operations': { 27 | displayName: 'Operations' 28 | } 29 | } 30 | } 31 | } 32 | } 33 | } 34 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_rdp_from_internet.tmpl.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Deny-RDP-From-Internet", 3 | "type": "Microsoft.Authorization/policyAssignments", 4 | "apiVersion": "2019-09-01", 5 | "properties": { 6 | "description": "This policy denies any network security rule that allows RDP access from Internet.", 7 | "displayName": "RDP access from the Internet should be blocked", 8 | "notScopes": [], 9 | "parameters": { 10 | "effect": { 11 | "value": "Deny" 12 | } 13 | }, 14 | "policyDefinitionId": "${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-RDP-From-Internet", 15 | "scope": null, 16 | "enforcementMode": "Default" 17 | }, 18 | "location": null, 19 | "identity": { 20 | "type": "None" 21 | } 22 | } -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_rdp_from_internet.tmpl.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Deny-RDP-From-Internet", 3 | "type": 
"Microsoft.Authorization/policyAssignments", 4 | "apiVersion": "2024-04-01", 5 | "properties": { 6 | "description": "This policy denies any network security rule that allows RDP access from Internet.", 7 | "displayName": "RDP access from the Internet should be blocked", 8 | "notScopes": [], 9 | "parameters": { 10 | "effect": { 11 | "value": "Deny" 12 | } 13 | }, 14 | "policyDefinitionId": "${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-RDP-From-Internet", 15 | "scope": null, 16 | "enforcementMode": "Default" 17 | }, 18 | "location": null, 19 | "identity": { 20 | "type": "None" 21 | } 22 | } 23 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/spokeNetworking/samples/minimum.sample.bicep: -------------------------------------------------------------------------------- 1 | 2 | 3 | // 4 | // Minimum deployment sample 5 | // 6 | 7 | // Use this sample to deploy the minimum resource configuration. 8 | 9 | targetScope = 'resourceGroup' 10 | 11 | // ---------- 12 | // PARAMETERS 13 | // ---------- 14 | @description('Specifies the location for resources.') 15 | param location string = 'eastus' 16 | // --------- 17 | // RESOURCES 18 | // --------- 19 | 20 | @description('Minimum resource configuration.') 21 | module spoke_nw '../spokeNetworking.bicep' = { 22 | name: 'spoke_nw' 23 | params: { 24 | parLocation: location 25 | parDdosProtectionPlanId: 'ddosProtectionPlanId' 26 | parSpokeNetworkAddressPrefix: '10.1.0.0/16' 27 | parDnsServerIps: [ 28 | '10.1.1.100' 29 | '10.1.1.101' 30 | ] 31 | parNextHopIpAddress: '10.10.10.10' 32 | 33 | } 34 | } 35 | -------------------------------------------------------------------------------- /.ps-rule/DiagLogForAutomation.Rule.yaml: -------------------------------------------------------------------------------- 1 | # 2 | # Suppression and rules for unsupported scenarios. 
3 | # 4 | 5 | # NOTE: 6 | # For details on authoring suppression groups see: 7 | # https://microsoft.github.io/PSRule/v2/concepts/PSRule/en-US/about_PSRule_SuppressionGroups/ 8 | # https://microsoft.github.io/PSRule/v2/concepts/PSRule/en-US/about_PSRule_Expressions/ 9 | 10 | --- 11 | # Synopsis: Ignore automation account audit diagnostic logs are enabled as these are covered by DINE policies in ALZ 12 | apiVersion: github.com/microsoft/PSRule/v1 13 | kind: SuppressionGroup 14 | metadata: 15 | name: ALZ.DiagLogForAutomation 16 | spec: 17 | rule: 18 | - Azure.Automation.AuditLogs 19 | - Azure.Automation.PlatformLogs 20 | if: 21 | allOf: 22 | - name: '.' 23 | contains: alz-automation-account 24 | - type: '.' 25 | in: 26 | - Microsoft.Automation/automationAccounts 27 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_subnet_without_udr.tmpl.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Deny-Subnet-Without-Udr", 3 | "type": "Microsoft.Authorization/policyAssignments", 4 | "apiVersion": "2019-09-01", 5 | "properties": { 6 | "description": "This policy denies the creation of a subnet without a User-Defined Route to control traffic flow.", 7 | "displayName": "Subnets should have a User-Defined Route", 8 | "notScopes": [], 9 | "parameters": { 10 | "effect": { 11 | "value": "Deny" 12 | } 13 | }, 14 | "policyDefinitionId": "${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Udr", 15 | "scope": null, 16 | "enforcementMode": "Default" 17 | }, 18 | "location": null, 19 | "identity": { 20 | "type": "None" 21 | } 22 | } -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_subnet_without_udr.tmpl.json: 
-------------------------------------------------------------------------------- 1 | { 2 | "name": "Deny-Subnet-Without-Udr", 3 | "type": "Microsoft.Authorization/policyAssignments", 4 | "apiVersion": "2024-04-01", 5 | "properties": { 6 | "description": "This policy denies the creation of a subnet without a User-Defined Route to control traffic flow.", 7 | "displayName": "Subnets should have a User-Defined Route", 8 | "notScopes": [], 9 | "parameters": { 10 | "effect": { 11 | "value": "Deny" 12 | } 13 | }, 14 | "policyDefinitionId": "${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Udr", 15 | "scope": null, 16 | "enforcementMode": "Default" 17 | }, 18 | "location": null, 19 | "identity": { 20 | "type": "None" 21 | } 22 | } 23 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/publicIp/parameters/publicIp.parameters.min.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "parPublicIpName": { 6 | "value": "alz" 7 | }, 8 | "parPublicIpSku": { 9 | "value": { 10 | "name": "Standard", 11 | "tier": "Regional" 12 | } 13 | }, 14 | "parPublicIpProperties": { 15 | "value": { 16 | "publicIpAddressVersion": "IPv4", 17 | "publicIpAllocationMethod": "Dynamic", 18 | "deleteOption": "Delete", 19 | "idleTimeoutInMinutes": 4 20 | } 21 | }, 22 | "parTelemetryOptOut": { 23 | "value": false 24 | } 25 | } 26 | } -------------------------------------------------------------------------------- /infra-as-code/bicep/CRML/customerUsageAttribution/README.md: -------------------------------------------------------------------------------- 1 | # Module: PID 2 | 3 | This module creates a blank deployment which will be called from other modules. 
The purpose of this deployment is to create a deployment name to be used for Azure [customer usage attribution](https://learn.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution). To disable this, please see [How to disable Telemetry Tracking Using Customer Usage Attribution (PID)](https://github.com/Azure/ALZ-Bicep/wiki/CustomerUsage) 4 | 5 | This module does not deploy any resources 6 | 7 | ## Parameters 8 | 9 | This module does not require any inputs 10 | 11 | ## Outputs 12 | 13 | The module does not generate any outputs 14 | 15 | | Output | Type | Example | 16 | | ------ | ---- | ------- | 17 | 18 | ## Deployment 19 | 20 | This module is intended to be called from other modules as a reusable resource. 21 | 22 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_audit_appgw_waf.tmpl.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Audit-AppGW-WAF", 3 | "type": "Microsoft.Authorization/policyAssignments", 4 | "apiVersion": "2024-04-01", 5 | "properties": { 6 | "description": "Assign the WAF should be enabled for Application Gateway audit policy.", 7 | "displayName": "Web Application Firewall (WAF) should be enabled for Application Gateway", 8 | "notScopes": [], 9 | "parameters": { 10 | "effect": { 11 | "value": "Audit" 12 | } 13 | }, 14 | "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/564feb30-bf6a-4854-b4bb-0d2d2d1e6c66", 15 | "definitionVersion": "2.*.*", 16 | "scope": null, 17 | "enforcementMode": "Default" 18 | }, 19 | "location": null, 20 | "identity": { 21 | "type": "None" 22 | } 23 | } 24 | -------------------------------------------------------------------------------- /.github/azFunction/AzFunctionCode/getPullRequests/run.ps1: -------------------------------------------------------------------------------- 1 | # Input bindings 
are passed in via param block. 2 | param($QueueItem, $TriggerMetadata) # $QueueItem is the dequeued message; $TriggerMetadata carries the binding metadata read below (InsertionTime) 3 | # Write out the queue message and insertion time to the information log. 4 | Write-Output "PowerShell queue trigger function processed work item: $QueueItem" # NOTE(review): the raw queue message is echoed to the log; confirm queue payloads never carry secrets 5 | Write-Output "Queue item insertion time: $($TriggerMetadata.InsertionTime)" 6 | $perPageCount = 0 # NOTE(review): 0 is outside GitHub's documented per_page range (1-100), so the API presumably falls back to its default page size — confirm the intended size 7 | $closedPrs = Invoke-RestMethod -Method Get -Uri "https://api.github.com/repos/Azure/ALZ-Bicep/pulls?per_page=$perPageCount&state=closed&page=1" # Unauthenticated call (no token header), so it is subject to the lower anonymous rate limit; only page=1 of closed PRs is fetched — there is no pagination loop 8 | $closedPrs | Select-Object -unique -Property title, number, state | ForEach-Object { # One output message per distinct (title, number, state) triple 9 | $body = @{ 10 | prTitle = $PSItem.title 11 | prNumber = $PSItem.number 12 | prState = $PSItem.state 13 | } 14 | Push-OutputBinding -Name pullRequests -Value ([HttpResponseContext]@{ # NOTE(review): called once per PR; Push-OutputBinding rejects a second value for the same binding unless -Clobber is passed or the binding type accepts a collection — verify against this function's function.json (not shown). The [HttpResponseContext] wrapper looks borrowed from an HTTP-triggered function; presumably only Body is consumed downstream 15 | Body = $body 16 | }) 17 | } -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/vwanConnectivity/samples/generateddocs/minimum.sample.bicep.md: -------------------------------------------------------------------------------- 1 | # Azure template 2 | 3 | ## Parameters 4 | 5 | Parameter name | Required | Description 6 | -------------- | -------- | ----------- 7 | location | No | 8 | 9 | ### location 10 | 11 | ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) 12 | 13 | 14 | 15 | - Default value: `westus` 16 | 17 | ## Snippets 18 | 19 | ### Parameter file 20 | 21 | ```json 22 | { 23 | "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", 24 | "contentVersion": "1.0.0.0", 25 | "metadata": { 26 | "template": "infra-as-code/bicep/modules/vwanConnectivity/samples/minimum.sample.json" 27 | }, 28 | "parameters": { 29 | "location": { 30 | "value": "westus" 31 | } 32 | } 33 | } 34 | ``` 35 | -------------------------------------------------------------------------------- /.github/azFunction/AzFunctionCode/timerschedule/run.ps1: 
-------------------------------------------------------------------------------- 1 | # Input bindings are passed in via param block. 2 | param($Timer) 3 | 4 | # Get the current universal time in the default string format 5 | $currentUTCtime = (Get-Date).ToUniversalTime() 6 | 7 | # The 'IsPastDue' property is 'true' when the current function invocation is later than scheduled. 8 | if ($Timer.IsPastDue) { 9 | Write-Output "PowerShell timer is running late!" 10 | } 11 | 12 | # Write an information log with the current time. 13 | Write-Output "PowerShell timer trigger function ran! TIME: $currentUTCtime" 14 | $body = @{ 15 | GitHubRepo = "https://api.github.com/repos/Azure/ALZ-Bicep/pulls" # Carried as payload only; this function makes no HTTP call itself 16 | } 17 | # Associate values to output bindings by calling 'Push-OutputBinding'. 18 | Push-OutputBinding -Name startJob -Value ([HttpResponseContext]@{ # Single value per invocation, so no -Clobber is needed; the binding's actual type is defined in function.json (not shown) 19 | #StatusCode = [HttpStatusCode]::OK 20 | Body = $body 21 | }) 22 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_audit_zoneresiliency.tmpl.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Audit-ZoneResiliency", 3 | "type": "Microsoft.Authorization/policyAssignments", 4 | "apiVersion": "2024-04-01", 5 | "properties": { 6 | "description": "Resources should be Zone Resilient.", 7 | "displayName": "Resources should be Zone Resilient", 8 | "notScopes": [], 9 | "parameters": { 10 | "effect": { 11 | "value": "Audit" 12 | }, 13 | "allow": { 14 | "value": "Both" 15 | } 16 | }, 17 | "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/130fb88f-0fc9-4678-bfe1-31022d71c7d5", 18 | "definitionVersion": "1.*.*-preview", 19 | "scope": null, 20 | "enforcementMode": "Default" 21 | }, 22 | "location": null, 23 | "identity": { 24 | "type": "None" 25 | } 26 | } 27 | 
-------------------------------------------------------------------------------- /infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-SQL.parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Deny-Sql-Aad-Only": { 3 | "parameters": { 4 | "effect": { 5 | "value": "[[parameters('sqlAadOnly')]" 6 | } 7 | } 8 | }, 9 | "Deny-Sql-Managed-Aad-Only": { 10 | "parameters": { 11 | "effect": { 12 | "value": "[[parameters('sqlManagedAadOnly')]" 13 | } 14 | } 15 | }, 16 | "Dine-Sql-Adv-Data": { 17 | "parameters": {} 18 | }, 19 | "Dine-Sql-Managed-Defender": { 20 | "parameters": { 21 | "effect": { 22 | "value": "[[parameters('sqlManagedDefender')]" 23 | } 24 | } 25 | }, 26 | "Modify-Sql-PublicNetworkAccess": { 27 | "parameters": { 28 | "effect": { 29 | "value": "[[parameters('modifySqlPublicNetworkAccess')]" 30 | } 31 | } 32 | } 33 | } 34 | -------------------------------------------------------------------------------- /.github/workflows/pr-title-check.yml: -------------------------------------------------------------------------------- 1 | name: .Platform - Semantic PR Check 2 | 3 | on: 4 | pull_request_target: # runs in the base-repo context so GITHUB_TOKEN can write statuses on fork PRs; this job never checks out PR code (no actions/checkout step), which is what keeps the trigger safe — keep it that way 5 | types: 6 | - opened 7 | - edited 8 | - synchronize 9 | 10 | permissions: 11 | contents: read # workflow-level default; the job below declares its own permissions block, which replaces this for that job 12 | 13 | jobs: 14 | main: 15 | permissions: 16 | pull-requests: read # for amannn/action-semantic-pull-request to analyze PRs 17 | statuses: write # for amannn/action-semantic-pull-request to mark status of analyzed PR 18 | name: Validate PR Title 19 | runs-on: ubuntu-latest 20 | steps: 21 | - name: Harden Runner 22 | uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3 (pinned to a full commit SHA so a moved tag cannot change what runs) 23 | with: 24 | egress-policy: audit # audit only records outbound connections; 'block' would enforce an allow-list 25 | 26 | - uses: amannn/action-semantic-pull-request@48f256284bd46cdaab1048c3721360e808335d50 # v6.1.1 (pinned to a full commit SHA) 27 | env: 28 | GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # job token scoped by the permissions block above (pull-requests: read, statuses: write) 29 | 
-------------------------------------------------------------------------------- /infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_subnet_without_nsg.tmpl.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Deny-Subnet-Without-Nsg", 3 | "type": "Microsoft.Authorization/policyAssignments", 4 | "apiVersion": "2019-09-01", 5 | "properties": { 6 | "description": "This policy denies the creation of a subnet without a Network Security Group to protect traffic across subnets.", 7 | "displayName": "Subnets should have a Network Security Group", 8 | "notScopes": [], 9 | "parameters": { 10 | "effect": { 11 | "value": "Deny" 12 | } 13 | }, 14 | "policyDefinitionId": "${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg", 15 | "scope": null, 16 | "enforcementMode": "Default" 17 | }, 18 | "location": null, 19 | "identity": { 20 | "type": "None" 21 | } 22 | } -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_audit_trustedlaunch.tmpl.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Audit-TrustedLaunch", 3 | "type": "Microsoft.Authorization/policyAssignments", 4 | "apiVersion": "2024-04-01", 5 | "properties": { 6 | "description": "Trusted Launch improves security of a Virtual Machine which requires VM SKU, OS Disk & OS Image to support it (Gen 2). 
To learn more about Trusted Launch, visit https://aka.ms/trustedlaunch.", 7 | "displayName": "Audit virtual machines for Trusted Launch support", 8 | "notScopes": [], 9 | "parameters": {}, 10 | "policyDefinitionId": "${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Audit-TrustedLaunch", 11 | "scope": null, 12 | "enforcementMode": "Default" 13 | }, 14 | "location": null, 15 | "identity": { 16 | "type": "None" 17 | } 18 | } 19 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_subnet_without_nsg.tmpl.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Deny-Subnet-Without-Nsg", 3 | "type": "Microsoft.Authorization/policyAssignments", 4 | "apiVersion": "2024-04-01", 5 | "properties": { 6 | "description": "This policy denies the creation of a subnet without a Network Security Group to protect traffic across subnets.", 7 | "displayName": "Subnets should have a Network Security Group", 8 | "notScopes": [], 9 | "parameters": { 10 | "effect": { 11 | "value": "Deny" 12 | } 13 | }, 14 | "policyDefinitionId": "${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg", 15 | "scope": null, 16 | "enforcementMode": "Default" 17 | }, 18 | "location": null, 19 | "identity": { 20 | "type": "None" 21 | } 22 | } 23 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/vnetPeeringVwan/samples/baseline.sample.bicep: -------------------------------------------------------------------------------- 1 | // 2 | // Baseline deployment sample 3 | // 4 | 5 | // Use this sample to deploy the baseline resource configuration (the minimum sample plus the telemetry opt-out). 
6 | 7 | targetScope = 'subscription' 8 | 9 | // ---------- 10 | // PARAMETERS 11 | // ---------- 12 | 13 | // --------- 14 | // RESOURCES 15 | // --------- 16 | 17 | @description('Baseline resource configuration') 18 | module baseline_vwa_vnet_peering '../vnetPeeringVwan.bicep' = { 19 | name: 'baseline_vwa_vnet_peering' 20 | params: { 21 | parVirtualWanHubResourceId: '/subscriptions/xxxxxxx-b761-4132-9ed1-2c90d07c4885/resourceGroups/rg-vwan/providers/Microsoft.Network/virtualWans/vwan-hub' // placeholder subscription id (not a valid GUID) — replace with the real vWAN hub resource id before deploying 22 | parRemoteVirtualNetworkResourceId: '/subscriptions/xxxxxxxx-b761-4132-9ed1-2c90d07c4885/resourceGroups/rg-vnet/providers/Microsoft.Network/virtualNetworks/vnet-remote' // placeholder subscription id — replace with the real remote VNet resource id 23 | parTelemetryOptOut: true // opts this deployment out of the customer usage attribution (PID) telemetry deployment 24 | } 25 | } 26 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/vwanConnectivity/samples/generateddocs/baseline.sample.bicep.md: -------------------------------------------------------------------------------- 1 | # Azure template 2 | 3 | ## Parameters 4 | 5 | Parameter name | Required | Description 6 | -------------- | -------- | ----------- 7 | parLocation | No | 8 | 9 | ### parLocation 10 | 11 | ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) 12 | 13 | 14 | 15 | - Default value: `westus` 16 | 17 | ## Snippets 18 | 19 | ### Parameter file 20 | 21 | ```json 22 | { 23 | "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", 24 | "contentVersion": "1.0.0.0", 25 | "metadata": { 26 | "template": "infra-as-code/bicep/modules/vwanConnectivity/samples/baseline.sample.json" 27 | }, 28 | "parameters": { 29 | "parLocation": { 30 | "value": "westus" 31 | } 32 | } 33 | } 34 | ``` 35 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_mgmtports_internet.tmpl.json: 
-------------------------------------------------------------------------------- 1 | { 2 | "name": "Deny-MgmtPorts-Internet", 3 | "type": "Microsoft.Authorization/policyAssignments", 4 | "apiVersion": "2024-04-01", 5 | "properties": { 6 | "description": "This policy denies any network security rule that allows management port access from the Internet", 7 | "displayName": "Management port access from the Internet should be blocked", 8 | "notScopes": [], 9 | "parameters": { 10 | "effect": { 11 | "value": "Deny" 12 | } 13 | }, 14 | "policyDefinitionId": "${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-MgmtPorts-From-Internet", 15 | "scope": null, 16 | "enforcementMode": "Default" 17 | }, 18 | "location": null, 19 | "identity": { 20 | "type": "None" 21 | } 22 | } 23 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_resource_locations.tmpl.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Deny-Resource-Locations", 3 | "type": "Microsoft.Authorization/policyAssignments", 4 | "apiVersion": "2024-04-01", 5 | "properties": { 6 | "description": "Specifies the allowed locations (regions) where Resources can be deployed.", 7 | "displayName": "Limit allowed locations for Resources", 8 | "notScopes": [], 9 | "parameters": { 10 | "listOfAllowedLocations": { 11 | "value": [ 12 | "uksouth", 13 | "ukwest" 14 | ] 15 | } 16 | }, 17 | "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c", 18 | "scope": null, 19 | "enforcementMode": "Default" 20 | }, 21 | "location": null, 22 | "identity": { 23 | "type": "None" 24 | } 25 | } 26 | -------------------------------------------------------------------------------- 
/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_rsg_locations.tmpl.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Deny-RSG-Locations", 3 | "type": "Microsoft.Authorization/policyAssignments", 4 | "apiVersion": "2024-04-01", 5 | "properties": { 6 | "description": "Specifies the allowed locations (regions) where Resource Groups can be deployed.", 7 | "displayName": "Limit allowed locations for Resource Groups", 8 | "notScopes": [], 9 | "parameters": { 10 | "listOfAllowedLocations": { 11 | "value": [ 12 | "uksouth", 13 | "ukwest" 14 | ] 15 | } 16 | }, 17 | "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e765b5de-1225-4ba3-bd56-1ac6695af988", 18 | "scope": null, 19 | "enforcementMode": "Default" 20 | }, 21 | "location": null, 22 | "identity": { 23 | "type": "None" 24 | } 25 | } 26 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Audit-UnusedResourcesCostOptimization.parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "AuditAzureHybridBenefitUnusedResourcesCostOptimization": { 3 | "parameters": { 4 | "effect": { 5 | "value": "Audit" 6 | } 7 | } 8 | }, 9 | "AuditDisksUnusedResourcesCostOptimization": { 10 | "parameters": { 11 | "effect": { 12 | "value": "[[parameters('effectDisks')]" 13 | } 14 | } 15 | }, 16 | "AuditPublicIpAddressesUnusedResourcesCostOptimization": { 17 | "parameters": { 18 | "effect": { 19 | "value": "[[parameters('effectPublicIpAddresses')]" 20 | } 21 | } 22 | }, 23 | "AuditServerFarmsUnusedResourcesCostOptimization": { 24 | "parameters": { 25 | "effect": { 26 | "value": "[[parameters('effectServerFarms')]" 27 | } 28 | } 29 | } 30 | } 31 | -------------------------------------------------------------------------------- 
/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_ip_forwarding.tmpl.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Deny-IP-Forwarding", 3 | "type": "Microsoft.Authorization/policyAssignments", 4 | "apiVersion": "2019-09-01", 5 | "properties": { 6 | "description": "This policy denies the network interfaces which enabled IP forwarding. The setting of IP forwarding disables Azure's check of the source and destination for a network interface. This should be reviewed by the network security team.", 7 | "displayName": "Network interfaces should disable IP forwarding", 8 | "notScopes": [], 9 | "parameters": {}, 10 | "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900", 11 | "scope": null, 12 | "enforcementMode": "Default" 13 | }, 14 | "location": null, 15 | "identity": { 16 | "type": "None" 17 | } 18 | } -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_resource_locations.tmpl.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Deny-Resource-Locations", 3 | "type": "Microsoft.Authorization/policyAssignments", 4 | "apiVersion": "2019-09-01", 5 | "properties": { 6 | "description": "Specifies the allowed locations (regions) where Resources can be deployed.", 7 | "displayName": "Limit allowed locations for Resources", 8 | "notScopes": [], 9 | "parameters": { 10 | "listOfAllowedLocations": { 11 | "value": [ 12 | "chinanorth", 13 | "chinaeast" 14 | ] 15 | } 16 | }, 17 | "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c", 18 | "scope": null, 19 | "enforcementMode": "Default" 20 | }, 21 | "location": null, 22 | "identity": { 23 | "type": "None" 24 | } 25 | } 
-------------------------------------------------------------------------------- /infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_rsg_locations.tmpl.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Deny-RSG-Locations", 3 | "type": "Microsoft.Authorization/policyAssignments", 4 | "apiVersion": "2019-09-01", 5 | "properties": { 6 | "description": "Specifies the allowed locations (regions) where Resource Groups can be deployed.", 7 | "displayName": "Limit allowed locations for Resource Groups", 8 | "notScopes": [], 9 | "parameters": { 10 | "listOfAllowedLocations": { 11 | "value": [ 12 | "chinanorth", 13 | "chinaeast" 14 | ] 15 | } 16 | }, 17 | "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e765b5de-1225-4ba3-bd56-1ac6695af988", 18 | "scope": null, 19 | "enforcementMode": "Default" 20 | }, 21 | "location": null, 22 | "identity": { 23 | "type": "None" 24 | } 25 | } -------------------------------------------------------------------------------- /infra-as-code/bicep/CRML/README.md: -------------------------------------------------------------------------------- 1 | # Why Does This Directory Exist & Contain Other Bicep Modules? 2 | 3 | Good question! This directory exists to host modules that are **not** specific to the Azure Landing Zones modules that are contained within the `infra-as-code/bicep/modules` directory. 4 | 5 | The modules inside this directory, `infra-as-code/bicep/CRML` are modules that we are potentially planning, at some point in time, to remove from this repo and migrate/consume them from the [Common Azure Resource Modules Library repo](https://github.com/Azure/ResourceModules) when features like the Bicep Public Module Registry exists. 6 | 7 | > These are only plans/aspirations at this stage, but we are sharing with you for clarity 👍 8 | 9 | These modules are consumed and called by other modules within this repo. 
For example, the `customerUsageAttribution` module is called in all modules as you can see from each of those modules `.bicep` files. -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_sql_db_auditing.tmpl.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Deploy-SQL-DB-Auditing", 3 | "type": "Microsoft.Authorization/policyAssignments", 4 | "apiVersion": "2019-09-01", 5 | "properties": { 6 | "description": "Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log.", 7 | "displayName": "Auditing on SQL server should be enabled", 8 | "notScopes": [], 9 | "parameters": { 10 | "effect": { 11 | "value": "AuditIfNotExists" 12 | } 13 | }, 14 | "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9", 15 | "scope": null, 16 | "enforcementMode": "Default" 17 | }, 18 | "location": null, 19 | "identity": { 20 | "type": "SystemAssigned" 21 | } 22 | } -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_databricks_public_ip.tmpl.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Deny-DataB-Pip", 3 | "type": "Microsoft.Authorization/policyAssignments", 4 | "apiVersion": "2024-04-01", 5 | "properties": { 6 | "description": "Prevent the deployment of Databricks workspaces that do not use the noPublicIp feature to host Databricks clusters without public IPs.", 7 | "displayName": "Prevent usage of Databricks with public IP", 8 | "notScopes": [], 9 | "parameters": { 10 | "effect": { 11 | "value": "Deny" 12 | } 13 | }, 14 | "policyDefinitionId": 
"${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Databricks-NoPublicIp", 15 | "scope": null, 16 | "enforcementMode": "Default" 17 | }, 18 | "location": null, 19 | "identity": { 20 | "type": "None" 21 | } 22 | } 23 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_sql_db_auditing.tmpl.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Deploy-SQL-DB-Auditing", 3 | "type": "Microsoft.Authorization/policyAssignments", 4 | "apiVersion": "2024-04-01", 5 | "properties": { 6 | "description": "Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log.", 7 | "displayName": "Auditing on SQL server should be enabled", 8 | "notScopes": [], 9 | "parameters": { 10 | "effect": { 11 | "value": "AuditIfNotExists" 12 | } 13 | }, 14 | "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9", 15 | "scope": null, 16 | "enforcementMode": "Default" 17 | }, 18 | "location": null, 19 | "identity": { 20 | "type": "SystemAssigned" 21 | } 22 | } 23 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/publicIp/samples/baseline.sample.bicep: -------------------------------------------------------------------------------- 1 | // 2 | // Baseline deployment sample 3 | // 4 | 5 | // Use this sample to deploy a Well-Architected aligned resource configuration. 
6 | 7 | targetScope = 'resourceGroup' 8 | 9 | // ---------- 10 | // PARAMETERS 11 | // ---------- 12 | 13 | @description('The Azure location to deploy to.') 14 | param location string = resourceGroup().location 15 | 16 | // --------- 17 | // RESOURCES 18 | // --------- 19 | 20 | @description('Baseline resource configuration') 21 | module baseline_public_ip '../publicIp.bicep' = { 22 | name: 'baseline_public_ip' 23 | params: { 24 | parPublicIpName: 'pip-baseline-ip' 25 | parLocation: location 26 | parPublicIpProperties: { } 27 | parPublicIpSku: { 28 | name: 'Standard' 29 | tier: 'Regional' 30 | } 31 | parTags: {} 32 | parAvailabilityZones: [ 33 | '1' 34 | '2' 35 | '3' 36 | ] 37 | } 38 | } 39 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_mdfc_sqlatp.tmpl.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Deploy-MDFC-SqlAtp", 3 | "type": "Microsoft.Authorization/policyAssignments", 4 | "apiVersion": "2024-04-01", 5 | "properties": { 6 | "description": "Enable Azure Defender on your SQL Servers and SQL Managed Instances to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases.", 7 | "displayName": "Configure Azure Defender to be enabled on SQL Servers and SQL Managed Instances", 8 | "notScopes": [], 9 | "parameters": {}, 10 | "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/9cb3cc7a-b39b-4b82-bc89-e5a5d9ff7b97", 11 | "definitionVersion": "3.*.*", 12 | "scope": null, 13 | "enforcementMode": "Default" 14 | }, 15 | "location": null, 16 | "identity": { 17 | "type": "SystemAssigned" 18 | } 19 | } 20 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/general-feedback-questions-issue-form.yaml: 
-------------------------------------------------------------------------------- 1 | name: General Feedback 2 | description: Tell us what you think! 3 | title: "[PLACEHOLDER] - Place a descriptive title here" 4 | labels: ["feedback"] 5 | body: 6 | - type: markdown 7 | attributes: 8 | value: | 9 | We always appreciate the community involvement! Let us know your feedback. 10 | - type: textarea 11 | id: describe-feedback 12 | attributes: 13 | label: Let us know the feedback or general question 14 | value: "Feedback - Question" 15 | validations: 16 | required: true 17 | - type: checkboxes 18 | id: terms 19 | attributes: 20 | label: Code of Conduct 21 | description: By submitting this issue, you agree to follow our [Code of Conduct](https://github.com/Azure/ALZ-Bicep/blob/main/CODE_OF_CONDUCT.md) 22 | options: 23 | - label: I agree to follow this project's Code of Conduct 24 | required: true 25 | -------------------------------------------------------------------------------- /accelerator/.github/workflows/alz-bicep-pr2-lint.yml: -------------------------------------------------------------------------------- 1 | name: ALZ-Bicep-PR2-Lint 2 | 3 | on: 4 | pull_request: 5 | branches: 6 | - main 7 | workflow_dispatch: {} 8 | 9 | jobs: 10 | ALZ_Bicep_PR2_Lint: 11 | name: Lint Code Base (except Bicep Modules and Files) 12 | runs-on: ubuntu-latest 13 | steps: 14 | - name: Checkout Repo 15 | uses: actions/checkout@v4 16 | with: 17 | fetch-depth: 0 18 | 19 | - name: Run github/super-linter 20 | uses: github/super-linter@v4 21 | env: 22 | VALIDATE_ALL_CODEBASE: false 23 | DEFAULT_BRANCH: main 24 | GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 25 | VALIDATE_JSON: true 26 | VALIDATE_MARKDOWN: true 27 | VALIDATE_POWERSHELL: true 28 | VALIDATE_YAML: true 29 | VALIDATE_EDITORCONFIG: true 30 | FILTER_REGEX_EXCLUDE: ".*upstream-releases/*|.*generateddocs/.*.bicep.md" 31 | -------------------------------------------------------------------------------- 
/infra-as-code/bicep/CRML/subscriptionAlias/parameters/subscriptionAlias.parameters.all.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "parSubscriptionName": { 6 | "value": "sub-example-001" 7 | }, 8 | "parSubscriptionBillingScope": { 9 | "value": "/providers/Microsoft.Billing/billingAccounts/XXXXXXX/enrollmentAccounts/XXXXXX" 10 | }, 11 | "parTags": { 12 | "value": { 13 | "Environment": "Live" 14 | } 15 | }, 16 | "parManagementGroupId": { 17 | "value": "mg-example-001" 18 | }, 19 | "parSubscriptionOwnerId": { 20 | "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx" 21 | }, 22 | "parSubscriptionOfferType": { 23 | "value": "Production" 24 | }, 25 | "parTenantId": { 26 | "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx" 27 | } 28 | } 29 | } 30 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_ip_forwarding.tmpl.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Deny-IP-Forwarding", 3 | "type": "Microsoft.Authorization/policyAssignments", 4 | "apiVersion": "2024-04-01", 5 | "properties": { 6 | "description": "This policy denies the network interfaces which enabled IP forwarding. The setting of IP forwarding disables Azure's check of the source and destination for a network interface. 
This should be reviewed by the network security team.", 7 | "displayName": "Network interfaces should disable IP forwarding", 8 | "notScopes": [], 9 | "parameters": {}, 10 | "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900", 11 | "definitionVersion": "1.*.*", 12 | "scope": null, 13 | "enforcementMode": "Default" 14 | }, 15 | "location": null, 16 | "identity": { 17 | "type": "None" 18 | } 19 | } 20 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_public_ip.tmpl.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Deny-Public-IP", 3 | "type": "Microsoft.Authorization/policyAssignments", 4 | "apiVersion": "2019-09-01", 5 | "properties": { 6 | "description": "This policy denies creation of Public IPs under the assigned scope.", 7 | "displayName": "Deny the creation of public IP", 8 | "notScopes": [], 9 | "parameters": { 10 | "effect": { 11 | "value": "Deny" 12 | }, 13 | "listOfResourceTypesNotAllowed": { 14 | "value": [ 15 | "Microsoft.Network/publicIPAddresses" 16 | ] 17 | } 18 | }, 19 | "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749", 20 | "scope": null, 21 | "enforcementMode": "Default" 22 | }, 23 | "location": null, 24 | "identity": { 25 | "type": "None" 26 | } 27 | } 28 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/roleAssignments/samples/baseline.sample.bicep: -------------------------------------------------------------------------------- 1 | // 2 | // Baseline deployment sample 3 | // 4 | 5 | // Use this sample to deploy the minimum resource configuration. 
6 | 7 | targetScope = 'managementGroup' 8 | 9 | // ---------- 10 | // PARAMETERS 11 | // ---------- 12 | var roleDefinitionId = '/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635' 13 | var assigneeObjectId = '00000000-0000-0000-0000-000000000000' 14 | // --------- 15 | // RESOURCES 16 | // --------- 17 | 18 | @description('Baseline resource configuration.') 19 | module baseline_ra '../roleAssignmentManagementGroup.bicep' = { 20 | name: 'baseline_ra' 21 | params: { 22 | parRoleDefinitionId: roleDefinitionId 23 | parAssigneePrincipalType: 'Group' 24 | parAssigneeObjectId: assigneeObjectId 25 | parTelemetryOptOut: true 26 | parRoleAssignmentNameGuid: guid(managementGroup().name, roleDefinitionId, assigneeObjectId) 27 | } 28 | } 29 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/spokeNetworking/samples/generateddocs/baseline.sample.bicep.md: -------------------------------------------------------------------------------- 1 | # Azure template 2 | 3 | ## Parameters 4 | 5 | Parameter name | Required | Description 6 | -------------- | -------- | ----------- 7 | location | No | Specifies the location for resources. 8 | 9 | ### location 10 | 11 | ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) 12 | 13 | Specifies the location for resources. 
14 | 15 | - Default value: `eastus` 16 | 17 | ## Snippets 18 | 19 | ### Parameter file 20 | 21 | ```json 22 | { 23 | "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", 24 | "contentVersion": "1.0.0.0", 25 | "metadata": { 26 | "template": "infra-as-code/bicep/modules/spokeNetworking/samples/baseline.sample.json" 27 | }, 28 | "parameters": { 29 | "location": { 30 | "value": "eastus" 31 | } 32 | } 33 | } 34 | ``` 35 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/spokeNetworking/samples/generateddocs/minimum.sample.bicep.md: -------------------------------------------------------------------------------- 1 | # Azure template 2 | 3 | ## Parameters 4 | 5 | Parameter name | Required | Description 6 | -------------- | -------- | ----------- 7 | location | No | Specifies the location for resources. 8 | 9 | ### location 10 | 11 | ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) 12 | 13 | Specifies the location for resources. 14 | 15 | - Default value: `eastus` 16 | 17 | ## Snippets 18 | 19 | ### Parameter file 20 | 21 | ```json 22 | { 23 | "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", 24 | "contentVersion": "1.0.0.0", 25 | "metadata": { 26 | "template": "infra-as-code/bicep/modules/spokeNetworking/samples/minimum.sample.json" 27 | }, 28 | "parameters": { 29 | "location": { 30 | "value": "eastus" 31 | } 32 | } 33 | } 34 | ``` 35 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/logging/samples/generateddocs/minimum.sample.bicep.md: -------------------------------------------------------------------------------- 1 | # Azure template 2 | 3 | ## Parameters 4 | 5 | Parameter name | Required | Description 6 | -------------- | -------- | ----------- 7 | location | No | The Azure location to deploy to. 
8 | 9 | ### location 10 | 11 | ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) 12 | 13 | The Azure location to deploy to. 14 | 15 | - Default value: `[resourceGroup().location]` 16 | 17 | ## Snippets 18 | 19 | ### Parameter file 20 | 21 | ```json 22 | { 23 | "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", 24 | "contentVersion": "1.0.0.0", 25 | "metadata": { 26 | "template": "infra-as-code/bicep/modules/logging/samples/minimum.sample.json" 27 | }, 28 | "parameters": { 29 | "location": { 30 | "value": "[resourceGroup().location]" 31 | } 32 | } 33 | } 34 | ``` 35 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/vnetPeeringVwan/parameters/vnetPeeringVwan.parameters.all.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "parVirtualWanHubResourceId": { 6 | "value": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/alz-vwan-eastus/providers/Microsoft.Network/virtualHubs/alz-vhub-eastus" 7 | }, 8 | "parRemoteVirtualNetworkResourceId": { 9 | "value": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/spokevnet-rg/providers/Microsoft.Network/virtualNetworks/vnet-spoke" 10 | }, 11 | "parVirtualHubConnectionPrefix": { 12 | "value": "" 13 | }, 14 | "parVirtualHubConnectionSuffix": { 15 | "value": "-vhc" 16 | }, 17 | "parEnableInternetSecurity": { 18 | "value": false 19 | }, 20 | "parTelemetryOptOut": { 21 | "value": false 22 | } 23 | } 24 | } 25 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/logging/samples/generateddocs/baseline.sample.bicep.md: -------------------------------------------------------------------------------- 1 | 
# Azure template 2 | 3 | ## Parameters 4 | 5 | Parameter name | Required | Description 6 | -------------- | -------- | ----------- 7 | location | No | The Azure location to deploy to. 8 | 9 | ### location 10 | 11 | ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) 12 | 13 | The Azure location to deploy to. 14 | 15 | - Default value: `[resourceGroup().location]` 16 | 17 | ## Snippets 18 | 19 | ### Parameter file 20 | 21 | ```json 22 | { 23 | "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", 24 | "contentVersion": "1.0.0.0", 25 | "metadata": { 26 | "template": "infra-as-code/bicep/modules/logging/samples/baseline.sample.json" 27 | }, 28 | "parameters": { 29 | "location": { 30 | "value": "[resourceGroup().location]" 31 | } 32 | } 33 | } 34 | ``` 35 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/publicIp/samples/generateddocs/baseline.sample.bicep.md: -------------------------------------------------------------------------------- 1 | # Azure template 2 | 3 | ## Parameters 4 | 5 | Parameter name | Required | Description 6 | -------------- | -------- | ----------- 7 | location | No | The Azure location to deploy to. 8 | 9 | ### location 10 | 11 | ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) 12 | 13 | The Azure location to deploy to. 
14 | 15 | - Default value: `[resourceGroup().location]` 16 | 17 | ## Snippets 18 | 19 | ### Parameter file 20 | 21 | ```json 22 | { 23 | "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", 24 | "contentVersion": "1.0.0.0", 25 | "metadata": { 26 | "template": "infra-as-code/bicep/modules/publicIp/samples/baseline.sample.json" 27 | }, 28 | "parameters": { 29 | "location": { 30 | "value": "[resourceGroup().location]" 31 | } 32 | } 33 | } 34 | ``` 35 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/publicIp/samples/generateddocs/minimum.sample.bicep.md: -------------------------------------------------------------------------------- 1 | # Azure template 2 | 3 | ## Parameters 4 | 5 | Parameter name | Required | Description 6 | -------------- | -------- | ----------- 7 | location | No | The Azure location to deploy to. 8 | 9 | ### location 10 | 11 | ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) 12 | 13 | The Azure location to deploy to. 
14 | 15 | - Default value: `[resourceGroup().location]` 16 | 17 | ## Snippets 18 | 19 | ### Parameter file 20 | 21 | ```json 22 | { 23 | "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", 24 | "contentVersion": "1.0.0.0", 25 | "metadata": { 26 | "template": "infra-as-code/bicep/modules/publicIp/samples/minimum.sample.json" 27 | }, 28 | "parameters": { 29 | "location": { 30 | "value": "[resourceGroup().location]" 31 | } 32 | } 33 | } 34 | ``` 35 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_public_ip.tmpl.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Deny-Public-IP", 3 | "type": "Microsoft.Authorization/policyAssignments", 4 | "apiVersion": "2024-04-01", 5 | "properties": { 6 | "description": "This policy denies creation of Public IPs under the assigned scope.", 7 | "displayName": "Deny the creation of public IP", 8 | "notScopes": [], 9 | "parameters": { 10 | "effect": { 11 | "value": "Deny" 12 | }, 13 | "listOfResourceTypesNotAllowed": { 14 | "value": [ 15 | "Microsoft.Network/publicIPAddresses" 16 | ] 17 | } 18 | }, 19 | "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749", 20 | "definitionVersion": "2.*.*", 21 | "scope": null, 22 | "enforcementMode": "Default" 23 | }, 24 | "location": null, 25 | "identity": { 26 | "type": "None" 27 | } 28 | } 29 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/hubNetworking/samples/generateddocs/baseline.sample.bicep.md: -------------------------------------------------------------------------------- 1 | # Azure template 2 | 3 | ## Parameters 4 | 5 | Parameter name | Required | Description 6 | -------------- | -------- | ----------- 7 | location | No | The Azure location to 
deploy to. 8 | 9 | ### location 10 | 11 | ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) 12 | 13 | The Azure location to deploy to. 14 | 15 | - Default value: `[resourceGroup().location]` 16 | 17 | ## Snippets 18 | 19 | ### Parameter file 20 | 21 | ```json 22 | { 23 | "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", 24 | "contentVersion": "1.0.0.0", 25 | "metadata": { 26 | "template": "infra-as-code/bicep/modules/hubNetworking/samples/baseline.sample.json" 27 | }, 28 | "parameters": { 29 | "location": { 30 | "value": "[resourceGroup().location]" 31 | } 32 | } 33 | } 34 | ``` 35 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/hubNetworking/samples/generateddocs/minimum.sample.bicep.md: -------------------------------------------------------------------------------- 1 | # Azure template 2 | 3 | ## Parameters 4 | 5 | Parameter name | Required | Description 6 | -------------- | -------- | ----------- 7 | location | No | The Azure location to deploy to. 8 | 9 | ### location 10 | 11 | ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) 12 | 13 | The Azure location to deploy to. 
14 | 15 | - Default value: `[resourceGroup().location]` 16 | 17 | ## Snippets 18 | 19 | ### Parameter file 20 | 21 | ```json 22 | { 23 | "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", 24 | "contentVersion": "1.0.0.0", 25 | "metadata": { 26 | "template": "infra-as-code/bicep/modules/hubNetworking/samples/minimum.sample.json" 27 | }, 28 | "parameters": { 29 | "location": { 30 | "value": "[resourceGroup().location]" 31 | } 32 | } 33 | } 34 | ``` 35 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_databricks_sku.tmpl.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Deny-DataB-Sku", 3 | "type": "Microsoft.Authorization/policyAssignments", 4 | "apiVersion": "2024-04-01", 5 | "properties": { 6 | "description": "Enforces the use of Premium Databricks workspaces to make sure appropriate security features are available including Databricks Access Controls, Credential Passthrough and SCIM provisioning for Microsoft Entra ID.", 7 | "displayName": "Enforces the use of Premium Databricks workspaces", 8 | "notScopes": [], 9 | "parameters": { 10 | "effect": { 11 | "value": "Deny" 12 | } 13 | }, 14 | "policyDefinitionId": "${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Databricks-Sku", 15 | "scope": null, 16 | "enforcementMode": "Default" 17 | }, 18 | "location": null, 19 | "identity": { 20 | "type": "None" 21 | } 22 | } 23 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/vnetPeering/samples/baseline.sample.bicep: -------------------------------------------------------------------------------- 1 | // 2 | // Minimum deployment sample 3 | // 4 | 5 | // Use this sample to deploy the minimum resource configuration. 
6 | 7 | targetScope = 'resourceGroup' 8 | 9 | // ---------- 10 | // PARAMETERS 11 | // ---------- 12 | 13 | // --------- 14 | // RESOURCES 15 | // --------- 16 | 17 | @description('Minimum resource configuration') 18 | module baseline_vnet_peering '../vnetPeering.bicep' = { 19 | name: 'baseline_vnet_peering' 20 | params: { 21 | parDestinationVirtualNetworkId: '/subscriptions/xxxxx-xxxx-xxxx-xx-xxxxxxxx/resourceGroups//providers/Microsoft.Network/virtualNetworks/' 22 | parDestinationVirtualNetworkName: '' 23 | parSourceVirtualNetworkName: '' 24 | parAllowVirtualNetworkAccess: true 25 | parAllowForwardedTraffic: true 26 | parAllowGatewayTransit: false 27 | parUseRemoteGateways: false 28 | parTelemetryOptOut: false 29 | } 30 | } 31 | -------------------------------------------------------------------------------- /infra-as-code/bicep/orchestration/subPlacementAll/parameters/subPlacementAll.parameters.min.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "parTopLevelManagementGroupPrefix": { 6 | "value": "alz" 7 | }, 8 | "parPlatformManagementMgSubs": { 9 | "value": [] 10 | }, 11 | "parPlatformSecurityMgSubs": { 12 | "value": [] 13 | }, 14 | "parPlatformConnectivityMgSubs": { 15 | "value": [] 16 | }, 17 | "parPlatformIdentityMgSubs": { 18 | "value": [] 19 | }, 20 | "parLandingZonesCorpMgSubs": { 21 | "value": [] 22 | }, 23 | "parLandingZonesOnlineMgSubs": { 24 | "value": [] 25 | }, 26 | "parDecommissionedMgSubs": { 27 | "value": [] 28 | }, 29 | "parSandboxMgSubs": { 30 | "value": [] 31 | }, 32 | "parTelemetryOptOut": { 33 | "value": false 34 | } 35 | } 36 | } 37 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_unmanageddisk.tmpl.json: 
-------------------------------------------------------------------------------- 1 | { 2 | "name": "Deny-UnmanagedDisk", 3 | "type": "Microsoft.Authorization/policyAssignments", 4 | "apiVersion": "2024-04-01", 5 | "properties": { 6 | "description": "Deny virtual machines that do not use managed disk. It checks the managed disk property on virtual machine OS Disk fields.", 7 | "displayName": "Deny virtual machines and virtual machine scale sets that do not use managed disk", 8 | "notScopes": [], 9 | "parameters": {}, 10 | "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d", 11 | "definitionVersion": "1.*.*", 12 | "scope": null, 13 | "enforcementMode": "Default", 14 | "overrides": [ 15 | { 16 | "kind": "policyEffect", 17 | "value": "Deny" 18 | } 19 | ] 20 | }, 21 | "location": null, 22 | "identity": { 23 | "type": "None" 24 | } 25 | } 26 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/publicIp/parameters/publicIp.parameters.all.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "parLocation": { 6 | "value": "eastus" 7 | }, 8 | "parPublicIpName": { 9 | "value": "alz" 10 | }, 11 | "parPublicIpSku": { 12 | "value": { 13 | "name": "Standard", 14 | "tier": "Regional" 15 | } 16 | }, 17 | "parPublicIpProperties": { 18 | "value": { 19 | "publicIpAddressVersion": "IPv4", 20 | "publicIpAllocationMethod": "Dynamic", 21 | "deleteOption": "Delete", 22 | "idleTimeoutInMinutes": 4 23 | } 24 | }, 25 | "parAvailabilityZones": { 26 | "value": [] 27 | }, 28 | "parTags": { 29 | "value": { 30 | "Environment": "Live" 31 | } 32 | }, 33 | "parTelemetryOptOut": { 34 | "value": false 35 | } 36 | } 37 | } 38 | 
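--------------------------------------------------------------------------------
/.github/azFunction/AzFunctionCode/cancelSubscriptions/run.ps1:
--------------------------------------------------------------------------------
# Queue-triggered function: cancels the Azure subscription named in the incoming
# queue message and, only when the cancel request is accepted, forwards the
# subscription name/id to the canceledSubscriptions output binding.
#
# Input bindings are passed in via param block.
param($QueueItem, $TriggerMetadata)

# Write out the queue message and insertion time to the information log.
Write-Output "PowerShell queue trigger function processed work item: $QueueItem"

$subscriptionId = $QueueItem.Body.subscriptionId
$subscriptionName = $QueueItem.Body.subscriptionName

# The queue message is untrusted input that is interpolated into a request path
# sent to ARM with the Function's identity. Only a well-formed GUID is accepted,
# so a crafted message cannot alter the URI or target anything other than a
# subscription id.
$parsedId = [guid]::Empty
if ([string]::IsNullOrWhiteSpace($subscriptionId) -or -not [guid]::TryParse($subscriptionId, [ref]$parsedId)) {
    throw "Queue item does not contain a valid subscriptionId: '$subscriptionId'"
}

Write-Output "Subscription to be canceled is $subscriptionName with id: $subscriptionId"

$cancelUri = "https://management.azure.com/subscriptions/$($subscriptionId)/providers/Microsoft.Subscription/cancel?api-version=2020-09-01"
$response = Invoke-AzRestMethod -Uri $cancelUri -Method POST

# Invoke-AzRestMethod is not guaranteed to throw on a non-2xx status; without
# this check the item would be reported as canceled even when ARM refused the
# request. Throwing lets the Functions runtime retry / poison the queue item.
if ($null -eq $response -or $response.StatusCode -lt 200 -or $response.StatusCode -ge 300) {
    throw "Cancel request for subscription $subscriptionId failed with status $($response.StatusCode): $($response.Content)"
}

$body = @{
    subscriptionName = $subscriptionName
    subscriptionId   = $subscriptionId
}

# NOTE(review): the README describes canceledSubscriptions as a queue binding,
# yet the payload is wrapped in [HttpResponseContext]. Kept unchanged here —
# confirm against function.json whether a plain object is what the binding expects.
Push-OutputBinding -Name canceledSubscriptions -Value ([HttpResponseContext]@{
    Body = $body
})

Write-Output "Queue item insertion time: $($TriggerMetadata.InsertionTime)"

--------------------------------------------------------------------------------
/.github/azFunction/AzFunctionCode/profile.ps1:
--------------------------------------------------------------------------------
# Azure Functions profile.ps1
#
# This profile.ps1 will get executed every "cold start" of your Function App.
# "cold start" occurs when:
#
# * A Function App starts up for the very first time
# * A Function App starts up after being de-allocated due to inactivity
#
# You can define helper functions, run commands, or specify environment variables
# NOTE: any variables defined that are not environment variables will get reset after the first execution

# Authenticate with Azure PowerShell using MSI.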
13 | # Remove this if you are not planning on using MSI or Azure PowerShell. 14 | if ($env:MSI_SECRET) { 15 | Disable-AzContextAutosave -Scope Process | Out-Null 16 | Connect-AzAccount -Identity 17 | } 18 | 19 | # Uncomment the next line to enable legacy AzureRm alias in Azure PowerShell. 20 | # Enable-AzureRmAlias 21 | 22 | # You can also define functions or aliases that can be referenced in any of your PowerShell functions. 23 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/vnetPeering/parameters/vnetPeering.parameters.all.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "parDestinationVirtualNetworkId": { 6 | "value": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/HUB_Networking_POC/providers/Microsoft.Network/virtualNetworks/alz-hub-eastus" 7 | }, 8 | "parSourceVirtualNetworkName": { 9 | "value": "vnet-spoke" 10 | }, 11 | "parDestinationVirtualNetworkName": { 12 | "value": "alz-hub-eastus" 13 | }, 14 | "parAllowVirtualNetworkAccess": { 15 | "value": true 16 | }, 17 | "parAllowForwardedTraffic": { 18 | "value": true 19 | }, 20 | "parAllowGatewayTransit": { 21 | "value": false 22 | }, 23 | "parUseRemoteGateways": { 24 | "value": false 25 | }, 26 | "parTelemetryOptOut": { 27 | "value": false 28 | } 29 | } 30 | } 31 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/vnetPeering/parameters/vnetPeering.parameters.min.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "parDestinationVirtualNetworkId": { 6 | "value": 
"/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/HUB_Networking_POC/providers/Microsoft.Network/virtualNetworks/alz-hub-eastus" 7 | }, 8 | "parSourceVirtualNetworkName": { 9 | "value": "vnet-spoke" 10 | }, 11 | "parDestinationVirtualNetworkName": { 12 | "value": "alz-hub-eastus" 13 | }, 14 | "parAllowVirtualNetworkAccess": { 15 | "value": true 16 | }, 17 | "parAllowForwardedTraffic": { 18 | "value": true 19 | }, 20 | "parAllowGatewayTransit": { 21 | "value": false 22 | }, 23 | "parUseRemoteGateways": { 24 | "value": false 25 | }, 26 | "parTelemetryOptOut": { 27 | "value": false 28 | } 29 | } 30 | } 31 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_mdfc_ossdb.tmpl.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Deploy-MDFC-OssDb", 3 | "type": "Microsoft.Authorization/policyAssignments", 4 | "apiVersion": "2024-04-01", 5 | "properties": { 6 | "description": "Enable Advanced Threat Protection on your non-Basic tier open-source relational databases to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. 
See https://aka.ms/AzDforOpenSourceDBsDocu.", 7 | "displayName": "Configure Advanced Threat Protection to be enabled on open-source relational databases", 8 | "notScopes": [], 9 | "parameters": {}, 10 | "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/e77fc0b3-f7e9-4c58-bc13-cb753ed8e46e", 11 | "definitionVersion": "1.*.*", 12 | "scope": null, 13 | "enforcementMode": "Default" 14 | }, 15 | "location": null, 16 | "identity": { 17 | "type": "SystemAssigned" 18 | } 19 | } 20 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-DataFactory.parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "Deny-Adf-Git": { 3 | "parameters": { 4 | "effect": { 5 | "value": "[[parameters('adfGit')]" 6 | } 7 | } 8 | }, 9 | "Deny-Adf-Linked-Service-Key-Vault": { 10 | "parameters": { 11 | "effect": { 12 | "value": "[[parameters('adfLinkedServiceKeyVault')]" 13 | } 14 | } 15 | }, 16 | "Deny-Adf-Managed-Identity": { 17 | "parameters": { 18 | "effect": { 19 | "value": "[[parameters('adfManagedIdentity')]" 20 | } 21 | } 22 | }, 23 | "Deny-Adf-Sql-Integration": { 24 | "parameters": { 25 | "effect": { 26 | "value": "[[parameters('adfSqlIntegration')]" 27 | } 28 | } 29 | }, 30 | "Modify-Adf-Public-Network-Access": { 31 | "parameters": { 32 | "effect": { 33 | "value": "[[parameters('adfModifyPublicNetworkAccess')]" 34 | } 35 | } 36 | } 37 | } 38 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_enforce_tls_ssl.tmpl.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Enforce-TLS-SSL", 3 | "type": "Microsoft.Authorization/policyAssignments", 4 | "apiVersion": "2019-09-01", 5 | 
"properties": { 6 | "description": "Choose either Deploy if not exist and Append in combination with Audit, or select Deny, as the policy effect. Deny policies shift left. Deploy if not exist and Append enforce the configuration but it can be changed afterwards, and because they lack an existence condition they need to be combined with Audit.", 7 | "displayName": "Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit", 8 | "notScopes": [], 9 | "parameters": {}, 10 | "policyDefinitionId": "${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit", 11 | "scope": null, 12 | "enforcementMode": "Default" 13 | }, 14 | "location": null, 15 | "identity": { 16 | "type": "SystemAssigned" 17 | } 18 | } -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_tls_ssl.tmpl.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Enforce-TLS-SSL-Q225", 3 | "type": "Microsoft.Authorization/policyAssignments", 4 | "apiVersion": "2024-04-01", 5 | "properties": { 6 | "description": "Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny policies shift left. 
Deploy if not exist and append enforce the configuration but it can be changed afterwards, and because they lack an existence condition they need to be combined with Audit.", 7 | "displayName": "Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit", 8 | "notScopes": [], 9 | "parameters": {}, 10 | "policyDefinitionId": "${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit_20241211", 11 | "scope": null, 12 | "enforcementMode": "Default" 13 | }, 14 | "location": null, 15 | "identity": { 16 | "type": "SystemAssigned" 17 | } 18 | } 19 | -------------------------------------------------------------------------------- /.github/azFunction/AzFunctionCode/README.md: -------------------------------------------------------------------------------- 1 | # Overview 2 | This folder contains the individual functions that make up the Azure Function App. The following functions are present: 3 | 1. timerschedule; this is a simple timer trigger which runs every five hours, and triggers the next function through placing a queue item in the startjob queue. 4 | 2. getPullRequests; this is a queue based trigger (startjob queue) which gets the latest x closed pull requests from GitHub. PR title, number and state for each is saved in a queue item in the closedPullRequests queue. 5 | 3. getSubscriptions; this is a queue based trigger (closedPullRequests queue), which for each pull request looks for a corresponding, active subscription. If the subscription is found, subscription name and id are saved in a queue item in the subscriptionsToClose queue. 6 | 4. cancelSubscriptions; this is a queue based trigger (subscriptionsToClose queue), which for each subscription tries to cancel the subscription using the Function App's managed identity (see profile.ps1). If successful, subscription name and id are saved in a queue item in the canceledSubscriptions queue. 
-------------------------------------------------------------------------------- /infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_lx_arc_monitoring.tmpl.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Deploy-LX-Arc-Monitoring", 3 | "type": "Microsoft.Authorization/policyAssignments", 4 | "apiVersion": "2019-09-01", 5 | "properties": { 6 | "description": "Deploy-Linux-Arc-Monitoring.", 7 | "displayName": "Deploy-Linux-Arc-Monitoring", 8 | "notScopes": [], 9 | "parameters": { 10 | "effect": { 11 | "value": "DeployIfNotExists" 12 | }, 13 | "logAnalytics": { 14 | "value": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/${parTopLevelManagementGroupPrefix}-mgmt/providers/Microsoft.OperationalInsights/workspaces/${parTopLevelManagementGroupPrefix}-la" 15 | } 16 | }, 17 | "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9d2b61b4-1d14-4a63-be30-d4498e7ad2cf", 18 | "scope": null, 19 | "enforcementMode": "Default" 20 | }, 21 | "location": null, 22 | "identity": { 23 | "type": "SystemAssigned" 24 | } 25 | } -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_lx_arc_monitoring.tmpl.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Deploy-LX-Arc-Monitoring", 3 | "type": "Microsoft.Authorization/policyAssignments", 4 | "apiVersion": "2024-04-01", 5 | "properties": { 6 | "description": "Deploy-Linux-Arc-Monitoring.", 7 | "displayName": "Deploy-Linux-Arc-Monitoring", 8 | "notScopes": [], 9 | "parameters": { 10 | "effect": { 11 | "value": "DeployIfNotExists" 12 | }, 13 | "logAnalytics": { 14 | "value": 
"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/${parTopLevelManagementGroupPrefix}-mgmt/providers/Microsoft.OperationalInsights/workspaces/${parTopLevelManagementGroupPrefix}-la" 15 | } 16 | }, 17 | "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9d2b61b4-1d14-4a63-be30-d4498e7ad2cf", 18 | "scope": null, 19 | "enforcementMode": "Default" 20 | }, 21 | "location": null, 22 | "identity": { 23 | "type": "SystemAssigned" 24 | } 25 | } 26 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/managementGroups/parameters/managementGroups.parameters.all.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "parTopLevelManagementGroupPrefix": { 6 | "value": "alz" 7 | }, 8 | "parTopLevelManagementGroupSuffix": { 9 | "value": "" 10 | }, 11 | "parTopLevelManagementGroupDisplayName": { 12 | "value": "Azure Landing Zones" 13 | }, 14 | "parTopLevelManagementGroupParentId": { 15 | "value": "" 16 | }, 17 | "parLandingZoneMgAlzDefaultsEnable": { 18 | "value": true 19 | }, 20 | "parPlatformMgAlzDefaultsEnable": { 21 | "value": true 22 | }, 23 | "parLandingZoneMgConfidentialEnable": { 24 | "value": false 25 | }, 26 | "parLandingZoneMgChildren": { 27 | "value": {} 28 | }, 29 | "parPlatformMgChildren": { 30 | "value": {} 31 | }, 32 | "parTelemetryOptOut": { 33 | "value": false 34 | } 35 | } 36 | } 37 | -------------------------------------------------------------------------------- /infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_http_ingress_aks.tmpl.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Enforce-AKS-HTTPS", 3 | "type": "Microsoft.Authorization/policyAssignments", 4 | 
"apiVersion": "2019-09-01", 5 | "properties": { 6 | "description": "Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for AKS Engine and Azure Arc enabled Kubernetes. For more info, visit https://aka.ms/kubepolicydoc.", 7 | "displayName": "Kubernetes clusters should be accessible only over HTTPS", 8 | "notScopes": [], 9 | "parameters": { 10 | "effect": { 11 | "value": "deny" 12 | } 13 | }, 14 | "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d", 15 | "scope": null, 16 | "enforcementMode": "Default" 17 | }, 18 | "location": null, 19 | "identity": { 20 | "type": "None" 21 | } 22 | } --------------------------------------------------------------------------------