US 31189 - Add BICEPPARAM files to modules

infra-as-code/bicep/modules/customRoleDefinitions/README.md

@@ -36,16 +36,54 @@ There are two different sets of deployment; one for deploying to Azure global re
 
  | Azure Cloud    | Bicep template                 | Input parameters file                             |
  | -------------- | ------------------------------ | ------------------------------------------------- |
+ | Global regions | customRoleDefinitions.bicep    | parameters/customRoleDefinitions.parameters.all.bicepparam |
  | Global regions | customRoleDefinitions.bicep    | parameters/customRoleDefinitions.parameters.all.json |
+ | China regions  | mc-customRoleDefinitions.bicep | parameters/customRoleDefinitions.parameters.all.bicepparam |
  | China regions  | mc-customRoleDefinitions.bicep | parameters/customRoleDefinitions.parameters.all.json |
 
 In this example, the custom roles will be deployed to the `alz` management group (the intermediate root management group).
 
-Input parameter file `parameters/customRoleDefinitions.parameters.all.json` defines the assignable scope for the roles.  In this case, it will be the same management group (i.e. `alz`) as the one specified for the deployment operation. There is no change in the input parameter file for different Azure clouds because there is no change to the intermediate root management group.
+Input parameter file `parameters/customRoleDefinitions.parameters.all.BICEPPARAM/JSON` defines the assignable scope for the roles.  In this case, it will be the same management group (i.e. `alz`) as the one specified for the deployment operation. There is no change in the input parameter file for different Azure clouds because there is no change to the intermediate root management group.
 
 > For the examples below we assume you have downloaded or cloned the Git repo as-is and are in the root of the repository as your selected directory in your terminal of choice.
 
-### Azure CLI
+### Azure CLI - BICEPPARAMS
+
+```bash
+# For Azure global regions
+
+# Management Group ID
+MGID="alz"
+
+# Chosen Azure Region
+LOCATION="eastus"
+
+dateYMD=$(date +%Y%m%dT%H%M%S%NZ)
+NAME="alz-CustomRoleDefsDeployment-${dateYMD}"
+TEMPLATEFILE="infra-as-code/bicep/modules/customRoleDefinitions/customRoleDefinitions.bicep"
+PARAMETERS="infra-as-code/bicep/modules/customRoleDefinitions/parameters/customRoleDefinitions.parameters.all.bicepparam"
+
+az deployment mg create --name ${NAME:0:63} --location $LOCATION --management-group-id $MGID --template-file $TEMPLATEFILE --parameters $PARAMETERS
+```
+OR
+```bash
+# For Azure China regions
+
+# Management Group ID
+MGID="alz"
+
+# Chosen Azure Region
+LOCATION="chinaeast2"
+
+dateYMD=$(date +%Y%m%dT%H%M%S%NZ)
+NAME="alz-CustomRoleDefsDeployment-${dateYMD}"
+TEMPLATEFILE="infra-as-code/bicep/modules/customRoleDefinitions/mc-customRoleDefinitions.bicep"
+PARAMETERS="infra-as-code/bicep/modules/customRoleDefinitions/parameters/customRoleDefinitions.parameters.all.bicepparam"
+
+az deployment mg create --name ${NAME:0:63} --location $LOCATION --management-group-id $MGID --template-file $TEMPLATEFILE --parameters $PARAMETERS
+```
+
+### Azure CLI - JSON
 
 ```bash
 # For Azure global regions
@@ -81,6 +119,7 @@ PARAMETERS="@infra-as-code/bicep/modules/customRoleDefinitions/parameters/custom
 az deployment mg create --name ${NAME:0:63} --location $LOCATION --management-group-id $MGID --template-file $TEMPLATEFILE --parameters $PARAMETERS
 ```
 
+
 ### PowerShell
 
 ```powershell

infra-as-code/bicep/modules/customRoleDefinitions/parameters/customRoleDefinitions.parameters.all.bicepparam

@@ -0,0 +1,5 @@
+using '../customRoleDefinitions.bicep'
+
+param parAssignableScopeManagementGroupId = 'alz'
+
+param parTelemetryOptOut = false

infra-as-code/bicep/modules/customRoleDefinitions/parameters/customRoleDefinitions.parameters.min.bicepparam

@@ -0,0 +1,5 @@
+using '../customRoleDefinitions.bicep'
+
+param parAssignableScopeManagementGroupId = 'alz'
+
+param parTelemetryOptOut = false

infra-as-code/bicep/modules/customRoleDefinitions/parameters/mc-customRoleDefinitions.parameters.all.bicepparam

@@ -0,0 +1,5 @@
+using '../mc-customRoleDefinitions.bicep'
+
+param parAssignableScopeManagementGroupId = 'alz'
+
+param parTelemetryOptOut = false

infra-as-code/bicep/modules/customRoleDefinitions/parameters/mc-customRoleDefinitions.parameters.min.bicepparam

@@ -0,0 +1,5 @@
+using '../mc-customRoleDefinitions.bicep'
+
+param parAssignableScopeManagementGroupId = 'alz'
+
+param parTelemetryOptOut = false

infra-as-code/bicep/modules/hubNetworking/README.md

@@ -21,7 +21,7 @@ Module deploys the following resources:
 > **NOTE:**
 > - Although there are generated parameter markdowns for Azure Commercial Cloud, this same module can still be used in Azure China. Example parameter are in the [parameters](./parameters/) folder.
 >
-> - When deploying using the `parameters/hubNetworking.parameters.all.json` you must update the `parPrivateDnsZones` parameter by replacing the `xxxxxx` placeholders with the deployment region or geo code, for Azure Backup. Failure to do so will cause these services to be unreachable over private endpoints.
+> - When deploying using the `parameters/hubNetworking.parameters.all.bicepparam` you must update the `parPrivateDnsZones` parameter by replacing the `xxxxxx` placeholders with the deployment region or geo code, for Azure Backup. Failure to do so will cause these services to be unreachable over private endpoints.
 >
 > For example, if deploying to East US the following zone entries:
 > - `privatelink.xxxxxx.azmk8s.io`
@@ -85,12 +85,60 @@ There are two different sets of input parameters; one for deploying to Azure glo
 
  | Azure Cloud    | Bicep template      | Input parameters file                           |
  | -------------- | ------------------- | ----------------------------------------------- |
+ | Global regions | hubNetworking.bicep | parameters/hubNetworking.parameters.all.bicepparam    |
  | Global regions | hubNetworking.bicep | parameters/hubNetworking.parameters.all.json    |
+ | China regions  | hubNetworking.bicep | parameters/mc-hubNetworking.parameters.all.bicepparam |
  | China regions  | hubNetworking.bicep | parameters/mc-hubNetworking.parameters.all.json |
 
 > For the examples below we assume you have downloaded or cloned the Git repo as-is and are in the root of the repository as your selected directory in your terminal of choice.
 
-### Azure CLI
+### Azure CLI - BICEPPARAMS
+```bash
+# For Azure global regions
+
+# Set Platform connectivity subscription ID as the the current subscription
+ConnectivitySubscriptionId="[your platform connectivity subscription ID]"
+
+az account set --subscription $ConnectivitySubscriptionId
+
+# Set the top level MG Prefix in accordance to your environment. This example assumes default 'alz'.
+TopLevelMGPrefix="alz"
+
+dateYMD=$(date +%Y%m%dT%H%M%S%NZ)
+NAME="alz-HubNetworkingDeploy-${dateYMD}"
+GROUP="rg-$TopLevelMGPrefix-hub-networking-001"
+TEMPLATEFILE="infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep"
+PARAMETERS="infra-as-code/bicep/modules/hubNetworking/parameters/hubNetworking.parameters.all.bicepparam"
+
+az group create --location eastus \
+   --name $GROUP
+
+az deployment group create --name ${NAME:0:63} --resource-group $GROUP --template-file $TEMPLATEFILE --parameters $PARAMETERS
+```
+OR
+```bash
+# For Azure China regions
+# Set Platform connectivity subscription ID as the the current subscription
+ConnectivitySubscriptionId="[your platform connectivity subscription ID]"
+
+az account set --subscription $ConnectivitySubscriptionId
+
+# Set the top level MG Prefix in accordance to your environment. This example assumes default 'alz'.
+TopLevelMGPrefix="alz"
+
+dateYMD=$(date +%Y%m%dT%H%M%S%NZ)
+NAME="alz-HubNetworkingDeploy-${dateYMD}"
+GROUP="rg-$TopLevelMGPrefix-hub-networking-001"
+TEMPLATEFILE="infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep"
+PARAMETERS="infra-as-code/bicep/modules/hubNetworking/parameters/mc-hubNetworking.parameters.all.bicepparam"
+
+az group create --location chinaeast2 \
+   --name $GROUP
+
+az deployment group create --name ${NAME:0:63} --resource-group $GROUP --template-file $TEMPLATEFILE --parameters $PARAMETERS
+```
+
+### Azure CLI - JSON
 ```bash
 # For Azure global regions
 
@@ -190,6 +238,8 @@ New-AzResourceGroup `
 
 New-AzResourceGroupDeployment @inputObject
 ```
+
+
 ## Example Output in Azure global regions
 
 ![Example Deployment Output](media/exampleDeploymentOutput.png "Example Deployment Output in Azure global regions")

infra-as-code/bicep/modules/hubNetworking/parameters/hubNetworking.parameters.all.bicepparam

@@ -0,0 +1,201 @@
+using '../hubNetworking.bicep'
+
+param parLocation = 'eastus'
+
+param parCompanyPrefix = 'alz'
+
+param parHubNetworkName = 'alz-hub-eastus'
+
+param parHubNetworkAddressPrefix = '10.20.0.0/16'
+
+param parSubnets = [
+  {
+    name: 'AzureBastionSubnet'
+    ipAddressRange: '10.20.0.0/24'
+    networkSecurityGroupId: ''
+    routeTableId: ''
+  }
+  {
+    name: 'GatewaySubnet'
+    ipAddressRange: '10.20.254.0/24'
+    networkSecurityGroupId: ''
+    routeTableId: ''
+  }
+  {
+    name: 'AzureFirewallSubnet'
+    ipAddressRange: '10.20.255.0/24'
+    networkSecurityGroupId: ''
+    routeTableId: ''
+  }
+  {
+    name: 'AzureFirewallManagementSubnet'
+    ipAddressRange: '10.20.253.0/24'
+    networkSecurityGroupId: ''
+    routeTableId: ''
+  }
+]
+
+param parDnsServerIps = []
+
+param parPublicIpSku = 'Standard'
+
+param parPublicIpPrefix = ''
+
+param parPublicIpSuffix = '-PublicIP'
+
+param parAzBastionEnabled = true
+
+param parAzBastionName = 'alz-bastion'
+
+param parAzBastionSku = 'Standard'
+
+param parAzBastionTunneling = false
+
+param parAzBastionNsgName = 'nsg-AzureBastionSubnet'
+
+param parDdosEnabled = true
+
+param parDdosPlanName = 'alz-ddos-plan'
+
+param parAzFirewallEnabled = true
+
+param parAzFirewallName = 'alz-azfw-eastus'
+
+param parAzFirewallPoliciesName = 'alz-azfwpolicy-eastus'
+
+param parAzFirewallTier = 'Standard'
+
+param parAzFirewallAvailabilityZones = []
+
+param parAzErGatewayAvailabilityZones = []
+
+param parAzVpnGatewayAvailabilityZones = []
+
+param parAzFirewallDnsProxyEnabled = true
+
+param parAzFirewallDnsServers = []
+
+param parHubRouteTableName = 'alz-hub-routetable'
+
+param parDisableBgpRoutePropagation = false
+
+param parPrivateDnsZonesEnabled = true
+
+param parPrivateDnsZones = [
+  'privatelink.xxxxxx.azmk8s.io'
+  'privatelink.xxxxxx.batch.azure.com'
+  'privatelink.xxxxxx.kusto.windows.net'
+  'privatelink.xxxxxx.backup.windowsazure.com'
+  'privatelink.adf.azure.com'
+  'privatelink.afs.azure.net'
+  'privatelink.agentsvc.azure-automation.net'
+  'privatelink.analysis.windows.net'
+  'privatelink.api.azureml.ms'
+  'privatelink.azconfig.io'
+  'privatelink.azure-api.net'
+  'privatelink.azure-automation.net'
+  'privatelink.azurecr.io'
+  'privatelink.azure-devices.net'
+  'privatelink.azure-devices-provisioning.net'
+  'privatelink.azurehdinsight.net'
+  'privatelink.azurehealthcareapis.com'
+  'privatelink.azurestaticapps.net'
+  'privatelink.azuresynapse.net'
+  'privatelink.azurewebsites.net'
+  'privatelink.batch.azure.com'
+  'privatelink.blob.core.windows.net'
+  'privatelink.cassandra.cosmos.azure.com'
+  'privatelink.cognitiveservices.azure.com'
+  'privatelink.database.windows.net'
+  'privatelink.datafactory.azure.net'
+  'privatelink.dev.azuresynapse.net'
+  'privatelink.dfs.core.windows.net'
+  'privatelink.dicom.azurehealthcareapis.com'
+  'privatelink.digitaltwins.azure.net'
+  'privatelink.directline.botframework.com'
+  'privatelink.documents.azure.com'
+  'privatelink.eventgrid.azure.net'
+  'privatelink.file.core.windows.net'
+  'privatelink.gremlin.cosmos.azure.com'
+  'privatelink.guestconfiguration.azure.com'
+  'privatelink.his.arc.azure.com'
+  'privatelink.kubernetesconfiguration.azure.com'
+  'privatelink.managedhsm.azure.net'
+  'privatelink.mariadb.database.azure.com'
+  'privatelink.media.azure.net'
+  'privatelink.mongo.cosmos.azure.com'
+  'privatelink.monitor.azure.com'
+  'privatelink.mysql.database.azure.com'
+  'privatelink.notebooks.azure.net'
+  'privatelink.ods.opinsights.azure.com'
+  'privatelink.oms.opinsights.azure.com'
+  'privatelink.pbidedicated.windows.net'
+  'privatelink.postgres.database.azure.com'
+  'privatelink.prod.migration.windowsazure.com'
+  'privatelink.purview.azure.com'
+  'privatelink.purviewstudio.azure.com'
+  'privatelink.queue.core.windows.net'
+  'privatelink.redis.cache.windows.net'
+  'privatelink.redisenterprise.cache.azure.net'
+  'privatelink.search.windows.net'
+  'privatelink.service.signalr.net'
+  'privatelink.servicebus.windows.net'
+  'privatelink.siterecovery.windowsazure.com'
+  'privatelink.sql.azuresynapse.net'
+  'privatelink.table.core.windows.net'
+  'privatelink.table.cosmos.azure.com'
+  'privatelink.tip1.powerquery.microsoft.com'
+  'privatelink.token.botframework.com'
+  'privatelink.vaultcore.azure.net'
+  'privatelink.web.core.windows.net'
+  'privatelink.webpubsub.azure.com'
+]
+
+param parPrivateDnsZoneAutoMergeAzureBackupZone = true
+
+param parVpnGatewayConfig = {
+  name: 'alz-Vpn-Gateway'
+  gatewayType: 'Vpn'
+  sku: 'VpnGw1'
+  vpnType: 'RouteBased'
+  generation: 'Generation1'
+  enableBgp: false
+  activeActive: false
+  enableBgpRouteTranslationForNat: false
+  enableDnsForwarding: false
+  bgpPeeringAddress: ''
+  bgpsettings: {
+    asn: '65515'
+    bgpPeeringAddress: ''
+    peerWeight: '5'
+  }
+}
+
+param parExpressRouteGatewayConfig = {
+  name: 'alz-ExpressRoute-Gateway'
+  gatewayType: 'ExpressRoute'
+  sku: 'Standard'
+  vpnType: 'RouteBased'
+  generation: 'None'
+  enableBgp: false
+  activeActive: false
+  enableBgpRouteTranslationForNat: false
+  enableDnsForwarding: false
+  bgpPeeringAddress: ''
+  bgpsettings: {
+    asn: '65515'
+    bgpPeeringAddress: ''
+    peerWeight: '5'
+  }
+}
+
+param parTags = {
+  Environment: 'Live'
+}
+
+param parTelemetryOptOut = false
+
+param parBastionOutboundSshRdpPorts = [
+  '22'
+  '3389'
+]