From cb4a19e9708d2354cf0146a02be553b2d1482b52 Mon Sep 17 00:00:00 2001
From: Zach Trocinski
Date: Wed, 13 Nov 2024 16:30:50 -0600
Subject: [PATCH 01/15] Fix private dns zone list in policy assignment

---
 ...ment_es_deploy_private_dns_zones.tmpl.json | 235 +++++++++++-------
 1 file changed, 143 insertions(+), 92 deletions(-)

diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_private_dns_zones.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_private_dns_zones.tmpl.json
index 4c76928f3..cfe7a93b9 100644
--- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_private_dns_zones.tmpl.json
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_private_dns_zones.tmpl.json
@@ -13,164 +13,215 @@
 "effect1": {
 "value": "deployIfNotExists"
 },
- "azureFilePrivateDnsZoneId": {
- "value": "${varPrivateDnsZonesFinalResourceIds}.azureFilePrivateDnsZoneId]"
+ "azureAcrPrivateDnsZoneId": {
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureAcrPrivateDnsZoneId"
 },
- "azureAutomationWebhookPrivateDnsZoneId": {
- "value": "${varPrivateDnsZonesFinalResourceIds}.azureAutomationWebhookPrivateDnsZoneId]"
+ "azureAcrDataPrivateDnsZoneId": {
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureAcrDataPrivateDnsZoneId"
+ },
+ "azureAppPrivateDnsZoneId": {
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureAppPrivateDnsZoneId"
+ },
+ "azureAppServicesPrivateDnsZoneId": {
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureAppServicesPrivateDnsZoneId"
+ },
+ "azureArcGuestconfigurationPrivateDnsZoneId": {
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureArcGuestconfigurationPrivateDnsZoneId"
+ },
+ "azureArcHybridResourceProviderPrivateDnsZoneId": {
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureArcHybridResourceProviderPrivateDnsZoneId"
+ },
+ "azureArcKubernetesConfigurationPrivateDnsZoneId": {
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureArcKubernetesConfigurationPrivateDnsZoneId"
+ },
+ "azureAsrPrivateDnsZoneId": {
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureAsrPrivateDnsZoneId"
 },
 "azureAutomationDSCHybridPrivateDnsZoneId": {
- "value": "${varPrivateDnsZonesFinalResourceIds}.azureAutomationDSCHybridPrivateDnsZoneId]"
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureAutomationDSCHybridPrivateDnsZoneId"
 },
- "azureCosmosSQLPrivateDnsZoneId": {
- "value": "${varPrivateDnsZonesFinalResourceIds}.azureCosmosSQLPrivateDnsZoneId]"
+ "azureAutomationWebhookPrivateDnsZoneId": {
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureAutomationWebhookPrivateDnsZoneId"
 },
- "azureCosmosMongoPrivateDnsZoneId": {
- "value": "${varPrivateDnsZonesFinalResourceIds}.azureCosmosMongoPrivateDnsZoneId]"
+ "azureBatchPrivateDnsZoneId": {
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureBatchPrivateDnsZoneId"
+ },
+ "azureBotServicePrivateDnsZoneId": {
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureBotServicePrivateDnsZoneId"
+ },
+ "azureCognitiveSearchPrivateDnsZoneId": {
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureCognitiveSearchPrivateDnsZoneId"
+ },
+ "azureCognitiveServicesPrivateDnsZoneId": {
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureCognitiveServicesPrivateDnsZoneId"
 },
 "azureCosmosCassandraPrivateDnsZoneId": {
- "value": "${varPrivateDnsZonesFinalResourceIds}.azureCosmosCassandraPrivateDnsZoneId]"
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureCosmosCassandraPrivateDnsZoneId"
 },
 "azureCosmosGremlinPrivateDnsZoneId": {
- "value": "${varPrivateDnsZonesFinalResourceIds}.azureCosmosGremlinPrivateDnsZoneId]"
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureCosmosGremlinPrivateDnsZoneId"
+ },
+ "azureCosmosMongoPrivateDnsZoneId": {
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureCosmosMongoPrivateDnsZoneId"
+ },
+ "azureCosmosSQLPrivateDnsZoneId": {
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureCosmosSQLPrivateDnsZoneId"
 },
 "azureCosmosTablePrivateDnsZoneId": {
- "value": "${varPrivateDnsZonesFinalResourceIds}.azureCosmosTablePrivateDnsZoneId]"
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureCosmosTablePrivateDnsZoneId"
 },
- "azureDataFactoryPrivateDnsZoneId": {
- "value": "${varPrivateDnsZonesFinalResourceIds}.azureDataFactoryPrivateDnsZoneId]"
+ "azureDataExplorerPrivateDnsZoneId": {
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureDataExplorerPrivateDnsZoneId"
 },
 "azureDataFactoryPortalPrivateDnsZoneId": {
- "value": "${varPrivateDnsZonesFinalResourceIds}.azureDataFactoryPortalPrivateDnsZoneId]"
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureDataFactoryPortalPrivateDnsZoneId"
+ },
+ "azureDataFactoryPrivateDnsZoneId": {
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureDataFactoryPrivateDnsZoneId"
 },
 "azureDatabricksPrivateDnsZoneId": {
- "value": "${varPrivateDnsZonesFinalResourceIds}.azureDatabricksPrivateDnsZoneId]"
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureDatabricksPrivateDnsZoneId"
 },
- "azureHDInsightPrivateDnsZoneId": {
- "value": "${varPrivateDnsZonesFinalResourceIds}.azureHDInsightPrivateDnsZoneId]"
+ "azureDiskAccessPrivateDnsZoneId": {
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureDiskAccessPrivateDnsZoneId"
 },
- "azureMigratePrivateDnsZoneId": {
- "value": "${varPrivateDnsZonesFinalResourceIds}.azureMigratePrivateDnsZoneId]"
+ "azureEventGridDomainsPrivateDnsZoneId": {
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureEventGridDomainsPrivateDnsZoneId"
 },
- "azureStorageBlobPrivateDnsZoneId": {
- "value": "${varPrivateDnsZonesFinalResourceIds}.azureStorageBlobPrivateDnsZoneId]"
+ "azureEventGridTopicsPrivateDnsZoneId": {
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureEventGridTopicsPrivateDnsZoneId"
 },
- "azureStorageBlobSecPrivateDnsZoneId": {
- "value": "${varPrivateDnsZonesFinalResourceIds}.azureStorageBlobSecPrivateDnsZoneId]"
+ "azureEventHubNamespacePrivateDnsZoneId": {
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureEventHubNamespacePrivateDnsZoneId"
 },
- "azureStorageQueuePrivateDnsZoneId": {
- "value": "${varPrivateDnsZonesFinalResourceIds}.azureStorageQueuePrivateDnsZoneId]"
+ "azureFilePrivateDnsZoneId": {
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureFilePrivateDnsZoneId"
 },
- "azureStorageQueueSecPrivateDnsZoneId": {
- "value": "${varPrivateDnsZonesFinalResourceIds}.azureStorageQueueSecPrivateDnsZoneId]"
+ "azureHDInsightPrivateDnsZoneId": {
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureHDInsightPrivateDnsZoneId"
 },
- "azureStorageFilePrivateDnsZoneId": {
- "value": "${varPrivateDnsZonesFinalResourceIds}.azureStorageFilePrivateDnsZoneId]"
+ "azureIotCentralPrivateDnsZoneId": {
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureIotCentralPrivateDnsZoneId"
 },
- "azureStorageStaticWebPrivateDnsZoneId": {
- "value": "${varPrivateDnsZonesFinalResourceIds}.azureStorageStaticWebPrivateDnsZoneId]"
+ "azureIotDeviceupdatePrivateDnsZoneId": {
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureIotDeviceupdatePrivateDnsZoneId"
 },
- "azureStorageStaticWebSecPrivateDnsZoneId": {
- "value": "${varPrivateDnsZonesFinalResourceIds}.azureStorageStaticWebSecPrivateDnsZoneId]"
+ "azureIotHubsPrivateDnsZoneId": {
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureIotHubsPrivateDnsZoneId"
 },
- "azureStorageDFSPrivateDnsZoneId": {
- "value": "${varPrivateDnsZonesFinalResourceIds}.azureStorageDFSPrivateDnsZoneId]"
+ "azureIotPrivateDnsZoneId": {
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureIotPrivateDnsZoneId"
 },
- "azureStorageDFSSecPrivateDnsZoneId": {
- "value": "${varPrivateDnsZonesFinalResourceIds}.azureStorageDFSSecPrivateDnsZoneId]"
+ "azureKeyVaultPrivateDnsZoneId": {
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureKeyVaultPrivateDnsZoneId"
 },
- "azureSynapseSQLPrivateDnsZoneId": {
- "value": "${varPrivateDnsZonesFinalResourceIds}.azureSynapseSQLPrivateDnsZoneId]"
+ "azureKubernetesManagementPrivateDnsZoneId": {
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureKubernetesManagementPrivateDnsZoneId"
 },
- "azureSynapseSQLODPrivateDnsZoneId": {
- "value": "${varPrivateDnsZonesFinalResourceIds}.azureSynapseSQLODPrivateDnsZoneId]"
+ "azureMachineLearningWorkspacePrivateDnsZoneId": {
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureMachineLearningWorkspacePrivateDnsZoneId"
 },
- "azureSynapseDevPrivateDnsZoneId": {
- "value": "${varPrivateDnsZonesFinalResourceIds}.azureSynapseDevPrivateDnsZoneId]"
+ "azureMachineLearningWorkspaceSecondPrivateDnsZoneId": {
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureMachineLearningWorkspaceSecondPrivateDnsZoneId"
+ },
+ "azureManagedGrafanaWorkspacePrivateDnsZoneId": {
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureManagedGrafanaWorkspacePrivateDnsZoneId"
 },
 "azureMediaServicesKeyPrivateDnsZoneId": {
- "value": "${varPrivateDnsZonesFinalResourceIds}.azureMediaServicesKeyPrivateDnsZoneId]"
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureMediaServicesKeyPrivateDnsZoneId"
 },
 "azureMediaServicesLivePrivateDnsZoneId": {
- "value": "${varPrivateDnsZonesFinalResourceIds}.azureMediaServicesLivePrivateDnsZoneId]"
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureMediaServicesLivePrivateDnsZoneId"
 },
 "azureMediaServicesStreamPrivateDnsZoneId": {
- "value": "${varPrivateDnsZonesFinalResourceIds}.azureMediaServicesStreamPrivateDnsZoneId]"
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureMediaServicesStreamPrivateDnsZoneId"
+ },
+ "azureMigratePrivateDnsZoneId": {
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureMigratePrivateDnsZoneId"
 },
 "azureMonitorPrivateDnsZoneId1": {
- "value": "${varPrivateDnsZonesFinalResourceIds}.azureMonitorPrivateDnsZoneId1]"
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureMonitorPrivateDnsZoneId1"
 },
 "azureMonitorPrivateDnsZoneId2": {
- "value": "${varPrivateDnsZonesFinalResourceIds}.azureMonitorPrivateDnsZoneId2]"
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureMonitorPrivateDnsZoneId2"
 },
 "azureMonitorPrivateDnsZoneId3": {
- "value": "${varPrivateDnsZonesFinalResourceIds}.azureMonitorPrivateDnsZoneId3]"
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureMonitorPrivateDnsZoneId3"
 },
 "azureMonitorPrivateDnsZoneId4": {
- "value": "${varPrivateDnsZonesFinalResourceIds}.azureMonitorPrivateDnsZoneId4]"
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureMonitorPrivateDnsZoneId4"
 },
 "azureMonitorPrivateDnsZoneId5": {
- "value": "${varPrivateDnsZonesFinalResourceIds}.azureMonitorPrivateDnsZoneId5]"
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureMonitorPrivateDnsZoneId5"
 },
- "azureWebPrivateDnsZoneId": {
- "value": "${varPrivateDnsZonesFinalResourceIds}.azureWebPrivateDnsZoneId]"
+ "azureRedisCachePrivateDnsZoneId": {
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureRedisCachePrivateDnsZoneId"
 },
- "azureBatchPrivateDnsZoneId": {
- "value": "${varPrivateDnsZonesFinalResourceIds}.azureBatchPrivateDnsZoneId]"
+ "azureServiceBusNamespacePrivateDnsZoneId": {
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureServiceBusNamespacePrivateDnsZoneId"
 },
- "azureAppPrivateDnsZoneId": {
- "value": "${varPrivateDnsZonesFinalResourceIds}.azureAppPrivateDnsZoneId]"
+ "azureSignalRPrivateDnsZoneId": {
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureSignalRPrivateDnsZoneId"
 },
- "azureAsrPrivateDnsZoneId": {
- "value": "${varPrivateDnsZonesFinalResourceIds}.azureAsrPrivateDnsZoneId]"
+ "azureSiteRecoveryBackupPrivateDnsZoneId": {
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureSiteRecoveryBackupPrivateDnsZoneId"
 },
- "azureIotPrivateDnsZoneId": {
- "value": "${varPrivateDnsZonesFinalResourceIds}.azureIotPrivateDnsZoneId]"
+ "azureSiteRecoveryBlobPrivateDnsZoneId": {
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureSiteRecoveryBlobPrivateDnsZoneId"
 },
- "azureKeyVaultPrivateDnsZoneId": {
- "value": "${varPrivateDnsZonesFinalResourceIds}.azureKeyVaultPrivateDnsZoneId]"
+ "azureSiteRecoveryQueuePrivateDnsZoneId": {
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureSiteRecoveryQueuePrivateDnsZoneId"
 },
- "azureSignalRPrivateDnsZoneId": {
- "value": "${varPrivateDnsZonesFinalResourceIds}.azureSignalRPrivateDnsZoneId]"
+ "azureStorageBlobPrivateDnsZoneId": {
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureStorageBlobPrivateDnsZoneId"
 },
- "azureAppServicesPrivateDnsZoneId": {
- "value": "${varPrivateDnsZonesFinalResourceIds}.azureAppServicesPrivateDnsZoneId]"
+ "azureStorageBlobSecPrivateDnsZoneId": {
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureStorageBlobSecPrivateDnsZoneId"
 },
- "azureEventGridTopicsPrivateDnsZoneId": {
- "value": "${varPrivateDnsZonesFinalResourceIds}.azureEventGridTopicsPrivateDnsZoneId]"
+ "azureStorageDFSPrivateDnsZoneId": {
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureStorageDFSPrivateDnsZoneId"
 },
- "azureDiskAccessPrivateDnsZoneId": {
- "value": "${varPrivateDnsZonesFinalResourceIds}.azureDiskAccessPrivateDnsZoneId]"
+ "azureStorageDFSSecPrivateDnsZoneId": {
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureStorageDFSSecPrivateDnsZoneId"
 },
- "azureCognitiveServicesPrivateDnsZoneId": {
- "value": "${varPrivateDnsZonesFinalResourceIds}.azureCognitiveServicesPrivateDnsZoneId]"
+ "azureStorageFilePrivateDnsZoneId": {
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureStorageFilePrivateDnsZoneId"
 },
- "azureIotHubsPrivateDnsZoneId": {
- "value": "${varPrivateDnsZonesFinalResourceIds}.azureIotHubsPrivateDnsZoneId]"
+ "azureStorageQueuePrivateDnsZoneId": {
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureStorageQueuePrivateDnsZoneId"
 },
- "azureEventGridDomainsPrivateDnsZoneId": {
- "value": "${varPrivateDnsZonesFinalResourceIds}.azureEventGridDomainsPrivateDnsZoneId]"
+ "azureStorageQueueSecPrivateDnsZoneId": {
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureStorageQueueSecPrivateDnsZoneId"
 },
- "azureRedisCachePrivateDnsZoneId": {
- "value": "${varPrivateDnsZonesFinalResourceIds}.azureRedisCachePrivateDnsZoneId]"
+ "azureStorageStaticWebPrivateDnsZoneId": {
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureStorageStaticWebPrivateDnsZoneId"
 },
- "azureAcrPrivateDnsZoneId": {
- "value": "${varPrivateDnsZonesFinalResourceIds}.azureAcrPrivateDnsZoneId]"
+ "azureStorageStaticWebSecPrivateDnsZoneId": {
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureStorageStaticWebSecPrivateDnsZoneId"
 },
- "azureEventHubNamespacePrivateDnsZoneId": {
- "value": "${varPrivateDnsZonesFinalResourceIds}.azureEventHubNamespacePrivateDnsZoneId]"
+ "azureStorageTablePrivateDnsZoneId": {
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureStorageTablePrivateDnsZoneId"
 },
- "azureMachineLearningWorkspacePrivateDnsZoneId": {
- "value": "${varPrivateDnsZonesFinalResourceIds}.azureMachineLearningWorkspacePrivateDnsZoneId]"
+ "azureStorageTableSecondaryPrivateDnsZoneId": {
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureStorageTableSecondaryPrivateDnsZoneId"
 },
- "azureMachineLearningWorkspaceSecondPrivateDnsZoneId": {
- "value": "${varPrivateDnsZonesFinalResourceIds}.azureMachineLearningWorkspaceSecondPrivateDnsZoneId]"
+ "azureSynapseDevPrivateDnsZoneId": {
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureSynapseDevPrivateDnsZoneId"
 },
- "azureServiceBusNamespacePrivateDnsZoneId": {
- "value": "${varPrivateDnsZonesFinalResourceIds}.azureServiceBusNamespacePrivateDnsZoneId]"
+ "azureSynapseSQLPrivateDnsZoneId": {
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureSynapseSQLPrivateDnsZoneId"
 },
- "azureCognitiveSearchPrivateDnsZoneId": {
- "value": "${varPrivateDnsZonesFinalResourceIds}.azureCognitiveSearchPrivateDnsZoneId]"
+ "azureSynapseSQLODPrivateDnsZoneId": {
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureSynapseSQLODPrivateDnsZoneId"
+ },
+ "azureVirtualDesktopHostpoolPrivateDnsZoneId": {
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureVirtualDesktopHostpoolPrivateDnsZoneId"
+ },
+ "azureVirtualDesktopWorkspacePrivateDnsZoneId": {
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureVirtualDesktopWorkspacePrivateDnsZoneId"
+ },
+ "azureWebPrivateDnsZoneId": {
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureWebPrivateDnsZoneId"
 }
 },
 "policyDefinitionId": "${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones",

From fd6168e37f975ba54be37551df215e6bfc96efca Mon Sep 17 00:00:00 2001
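Review bot: This template now substitutes `${varPrivateDnsZonesFinalResourceIds}.azureAcrDataPrivateDnsZoneId`, `.azureDataExplorerPrivateDnsZoneId`, `.azureKubernetesManagementPrivateDnsZoneId`, `.azureSiteRecoveryBackupPrivateDnsZoneId` and other new properties, but at this commit the Bicep object being substituted — judging by the removed side of the `varPrivateDnsZonesFinalResourceIds` hunk in PATCH 02 — does not define them, so the series only builds once PATCH 02 lands and this commit is not bisectable on its own. PATCH 02's diffstat also removes 9 lines from this same template, which reads as dropping three of the entries added here; if the AcrData, DataExplorer and KubernetesManagement zones are not deployed by this repo, leave them out here rather than adding and then removing them. It would help the next maintainer to confirm, in the PR description, that every key in this block is an actual parameter of the `Deploy-Private-DNS-Zones` policy set definition, since a stray key is only caught at assignment time.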
From: Zach Trocinski
Date: Fri, 15 Nov 2024 17:03:09 -0600
Subject: [PATCH 02/15] Remove unused dns zone ids and update param names

---
 .../alzDefaultPolicyAssignments.bicep | 333 ++++++++++--------
 ...ment_es_deploy_private_dns_zones.tmpl.json | 9 -
 2 files changed, 182 insertions(+), 160 deletions(-)

diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep
index 841335024..cc7bac20c 100644
--- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep
+++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep
@@ -98,6 +98,9 @@ param parDdosProtectionPlanId string = ''
 @description('Resource ID of the Resource Group for Private DNS Zones. Empty to skip assigning the Deploy-Private-DNS-Zones policy.')
 param parPrivateDnsResourceGroupId string = ''
+@description('Location of Private DNS Zones.')
+param parPrivateDnsZonesLocation string = 'eastus'
+
 @description('List of Private DNS Zones to audit under the Corp Management Group. This overwrites default values.')
 param parPrivateDnsZonesNamesToAuditInCorp array = []
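Review bot: `parPrivateDnsZonesLocation` is accepted without validation and defaults to `'eastus'`, while the `@@ -532,60` hunk in this same file turns it into a geo code with `varGeoCodes[?parPrivateDnsZonesLocation] ?? 'changeme'`, so a region missing from the table (or a typo) silently yields `privatelink.changeme.backup.windowsazure.com` as the `azureSiteRecoveryBackupPrivateDnsZoneId` value and the assignment points at a zone that cannot exist. Fail loudly instead, e.g. `var varSelectedGeoCode = varGeoCodes[?parPrivateDnsZonesLocation] ?? fail('parPrivateDnsZonesLocation ${parPrivateDnsZonesLocation} has no entry in varGeoCodes')` (a Bicep version recent enough for `[?` should also have `fail()`; otherwise constrain the parameter with `@allowed([...])` built from the same region list). The description should say what the value drives: `@description('Azure region the Private DNS Zones are deployed in. Must be a region listed in varGeoCodes; it selects the geo code in the privatelink.<geo>.backup.windowsazure.com zone name.')`. Defaulting to `eastus` also makes every non-US deployment silently wrong unless the caller notices the new parameter, so consider no default here, or a default derived from wherever the zones' region is already passed in, if such a parameter exists elsewhere in this template.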
@@ -532,60 +535,136 @@ var varPrivateDnsZonesResourceGroupSubscriptionId = !empty(parPrivateDnsResource
 var varPrivateDnsZonesBaseResourceId = '${parPrivateDnsResourceGroupId}/providers/Microsoft.Network/privateDnsZones/'
+var varGeoCodes = {
+ australiacentral: 'acl'
+ australiacentral2: 'acl2'
+ australiaeast: 'ae'
+ australiasoutheast: 'ase'
+ brazilsoutheast: 'bse'
+ brazilsouth: 'brs'
+ canadacentral: 'cnc'
+ canadaeast: 'cne'
+ centralindia: 'inc'
+ centralus: 'cus'
+ centraluseuap: 'ccy'
+ chilecentral: 'clc'
+ eastasia: 'ea'
+ eastus: 'eus'
+ eastus2: 'eus2'
+ eastus2euap: 'ecy'
+ francecentral: 'frc'
+ francesouth: 'frs'
+ germanynorth: 'gn'
+ germanywestcentral: 'gwc'
+ israelcentral: 'ilc'
+ italynorth: 'itn'
+ japaneast: 'jpe'
+ japanwest: 'jpw'
+ koreacentral: 'krc'
+ koreasouth: 'krs'
+ malaysiasouth: 'mys'
+ malaysiawest: 'myw'
+ mexicocentral: 'mxc'
+ newzealandnorth: 'nzn'
+ northcentralus: 'ncus'
+ northeurope: 'ne'
+ norwayeast: 'nwe'
+ norwaywest: 'nww'
+ polandcentral: 'plc'
+ qatarcentral: 'qac'
+ southafricanorth: 'san'
+ southafricawest: 'saw'
+ southcentralus: 'scus'
+ southeastasia: 'sea'
+ southindia: 'ins'
+ spaincentral: 'spc'
+ swedencentral: 'sdc'
+ swedensouth: 'sds'
+ switzerlandnorth: 'szn'
+ switzerlandwest: 'szw'
+ taiwannorth: 'twn'
+ uaecentral: 'uac'
+ uaenorth: 'uan'
+ uksouth: 'uks'
+ ukwest: 'ukw'
+ westcentralus: 'wcus'
+ westeurope: 'we'
+ westindia: 'inw'
+ westus: 'wus'
+ westus2: 'wus2'
+ westus3: 'wus3'
+}
+
+var varSelectedGeoCode = varGeoCodes[?parPrivateDnsZonesLocation] ?? 'changeme'
+
 var varPrivateDnsZonesFinalResourceIds = {
- azureFilePrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.afs.azure.net'
- azureAutomationWebhookPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.azure-automation.net'
+ azureAcrPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.azurecr.io'
+ azureAppPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.azconfig.io'
+ azureAppServicesPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.azurewebsites.net'
+ azureArcGuestconfigurationPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.guestconfiguration.azure.com'
+ azureArcHybridResourceProviderPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.his.arc.azure.com'
+ azureArcKubernetesConfigurationPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.dp.kubernetesconfiguration.azure.com'
+ azureAsrPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.siterecovery.windowsazure.com'
 azureAutomationDSCHybridPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.azure-automation.net'
- azureCosmosSQLPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.documents.azure.com'
- azureCosmosMongoPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.mongo.cosmos.azure.com'
+ azureAutomationWebhookPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.azure-automation.net'
+ azureBatchPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.batch.azure.com'
+ azureBotServicePrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.directline.botframework.com'
+ azureCognitiveSearchPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.search.windows.net'
+ azureCognitiveServicesPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.cognitiveservices.azure.com'
 azureCosmosCassandraPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.cassandra.cosmos.azure.com'
 azureCosmosGremlinPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.gremlin.cosmos.azure.com'
+ azureCosmosMongoPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.mongo.cosmos.azure.com'
+ azureCosmosSQLPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.documents.azure.com'
 azureCosmosTablePrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.table.cosmos.azure.com'
- azureDataFactoryPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.datafactory.azure.net'
 azureDataFactoryPortalPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.adf.azure.com'
+ azureDataFactoryPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.datafactory.azure.net'
 azureDatabricksPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.azuredatabricks.net'
+ azureDiskAccessPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.blob.core.windows.net'
+ azureEventGridDomainsPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.eventgrid.azure.net'
+ azureEventGridTopicsPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.eventgrid.azure.net'
+ azureEventHubNamespacePrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.servicebus.windows.net'
+ azureFilePrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.afs.azure.net'
 azureHDInsightPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.azurehdinsight.net'
- azureMigratePrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.prod.migration.windowsazure.com'
- azureStorageBlobPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.blob.core.windows.net'
- azureStorageBlobSecPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.blob.core.windows.net'
- azureStorageQueuePrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.queue.core.windows.net'
- azureStorageQueueSecPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.queue.core.windows.net'
- azureStorageFilePrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.file.core.windows.net'
- azureStorageStaticWebPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.web.core.windows.net'
- azureStorageStaticWebSecPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.web.core.windows.net'
- azureStorageDFSPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.dfs.core.windows.net'
- azureStorageDFSSecPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.dfs.core.windows.net'
- azureSynapseSQLPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.sql.azuresynapse.net'
- azureSynapseSQLODPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.sql.azuresynapse.net'
- azureSynapseDevPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.dev.azuresynapse.net'
+ azureIotCentralPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.azureiotcentral.com'
+ azureIotDeviceupdatePrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.azure-devices.net'
+ azureIotHubsPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.azure-devices.net'
+ azureIotPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.azure-devices-provisioning.net'
+ azureKeyVaultPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.vaultcore.azure.net'
+ azureMachineLearningWorkspacePrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.api.azureml.ms'
+ azureMachineLearningWorkspaceSecondPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.notebooks.azure.net'
+ azureManagedGrafanaWorkspacePrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.grafana.azure.com'
 azureMediaServicesKeyPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.media.azure.net'
 azureMediaServicesLivePrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.media.azure.net'
 azureMediaServicesStreamPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.media.azure.net'
+ azureMigratePrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.prod.migration.windowsazure.com'
 azureMonitorPrivateDnsZoneId1: '${varPrivateDnsZonesBaseResourceId}privatelink.monitor.azure.com'
 azureMonitorPrivateDnsZoneId2: '${varPrivateDnsZonesBaseResourceId}privatelink.oms.opinsights.azure.com'
 azureMonitorPrivateDnsZoneId3: '${varPrivateDnsZonesBaseResourceId}privatelink.ods.opinsights.azure.com'
 azureMonitorPrivateDnsZoneId4: '${varPrivateDnsZonesBaseResourceId}privatelink.agentsvc.azure-automation.net'
 azureMonitorPrivateDnsZoneId5: '${varPrivateDnsZonesBaseResourceId}privatelink.blob.core.windows.net'
- azureWebPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.webpubsub.azure.com'
- azureBatchPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.batch.azure.com'
- azureAppPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.azconfig.io'
- azureAsrPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.siterecovery.windowsazure.com'
- azureIotPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.azure-devices-provisioning.net'
- azureKeyVaultPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.vaultcore.azure.net'
- azureSignalRPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.service.signalr.net'
- azureAppServicesPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.azurewebsites.net'
- azureEventGridTopicsPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.eventgrid.azure.net'
- azureDiskAccessPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.blob.core.windows.net'
- azureCognitiveServicesPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.cognitiveservices.azure.com'
- azureIotHubsPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.azure-devices.net'
- azureEventGridDomainsPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.eventgrid.azure.net'
 azureRedisCachePrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.redis.cache.windows.net'
- azureAcrPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.azurecr.io'
- azureEventHubNamespacePrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.servicebus.windows.net'
- azureMachineLearningWorkspacePrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.api.azureml.ms'
- azureMachineLearningWorkspaceSecondPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.notebooks.azure.net'
 azureServiceBusNamespacePrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.servicebus.windows.net'
- azureCognitiveSearchPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.search.windows.net'
+ azureSignalRPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.service.signalr.net'
+ azureSiteRecoveryBackupPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.${varSelectedGeoCode}.backup.windowsazure.com'
+ azureSiteRecoveryBlobPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.blob.core.windows.net'
+ azureSiteRecoveryQueuePrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.queue.core.windows.net'
+ azureStorageBlobPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.blob.core.windows.net'
+ azureStorageBlobSecPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.blob.core.windows.net'
+ azureStorageDFSPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.dfs.core.windows.net'
+ azureStorageDFSSecPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.dfs.core.windows.net'
+ azureStorageFilePrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.file.core.windows.net'
+ azureStorageQueuePrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.queue.core.windows.net'
+ azureStorageQueueSecPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.queue.core.windows.net'
+ azureStorageStaticWebPrivate Dns ZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.web.core.windows.net'
+ azureStorageStaticWebSecPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.web.core.windows.net'
+ azureStorageTablePrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.table.core.windows.net'
+ azureStorageTableSecondaryPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.table.core.windows.net'
+ azureSynapseDevPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.dev.azuresynapse.net'
+ azureSynapseSQLPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.sql.azuresynapse.net'
+ azureSynapseSQLODPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.sql.azuresynapse.net'
+ azureVirtualDesktopHostpoolPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.wvd.microsoft.com'
+ azureVirtualDesktopWorkspacePrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.wvd.microsoft.com'
+ azureWebPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.webpubsub.azure.com'
 }

 // **Scope**
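Review bot: `varGeoCodes` and `varSelectedGeoCode` carry no comment, and nothing near them says why a 57-entry region table now lives in a policy-assignment module; its only use in this hunk is the `azureSiteRecoveryBackupPrivateDnsZoneId` entry near the bottom. Add above the table `// Region -> geo code; used only to build the privatelink.<geo>.backup.windowsazure.com zone name below, so keep it in sync with the regions the zones are deployed to`, and on `varSelectedGeoCode` a note that the `'changeme'` fallback is a placeholder that yields a zone name which does not exist. A comment is also warranted on the deliberate duplicates — `azureDiskAccessPrivateDnsZoneId`, `azureSiteRecoveryBlobPrivateDnsZoneId`, `azureStorageBlobPrivateDnsZoneId`, `azureStorageBlobSecPrivateDnsZoneId` and `azureMonitorPrivateDnsZoneId5` all resolve to `privatelink.blob.core.windows.net` — presumably because the policy set exposes one parameter per consuming service; without it the next reader will "deduplicate" them and break the assignment.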
@@ -1962,20 +2041,44 @@ module modPolicyAssignmentConnDeployPrivateDnsZones '../../../policy/assignments parPolicyAssignmentDescription: varPolicyAssignmentDeployPrivateDNSZones.libDefinition.properties.description parPolicyAssignmentParameters: varPolicyAssignmentDeployPrivateDNSZones.libDefinition.properties.parameters parPolicyAssignmentParameterOverrides: { - azureFilePrivateDnsZoneId: { - value: varPrivateDnsZonesFinalResourceIds.azureFilePrivateDnsZoneId + azureAcrPrivateDnsZoneId: { + value: varPrivateDnsZonesFinalResourceIds.azureAcrPrivateDnsZoneId } - azureAutomationWebhookPrivateDnsZoneId: { - value: varPrivateDnsZonesFinalResourceIds.azureAutomationWebhookPrivateDnsZoneId + azureAppPrivateDnsZoneId: { + value: varPrivateDnsZonesFinalResourceIds.azureAppPrivateDnsZoneId + } + azureAppServicesPrivateDnsZoneId: { + value: varPrivateDnsZonesFinalResourceIds.azureAppServicesPrivateDnsZoneId + } + azureArcGuestconfigurationPrivateDnsZoneId: { + value: varPrivateDnsZonesFinalResourceIds.azureArcGuestconfigurationPrivateDnsZoneId + } + azureArcHybridResourceProviderPrivateDnsZoneId: { + value: varPrivateDnsZonesFinalResourceIds.azureArcHybridResourceProviderPrivateDnsZoneId + } + azureArcKubernetesConfigurationPrivateDnsZoneId: { + value: varPrivateDnsZonesFinalResourceIds.azureArcKubernetesConfigurationPrivateDnsZoneId + } + azureAsrPrivateDnsZoneId: { + value: varPrivateDnsZonesFinalResourceIds.azureAsrPrivateDnsZoneId } azureAutomationDSCHybridPrivateDnsZoneId: { value: varPrivateDnsZonesFinalResourceIds.azureAutomationDSCHybridPrivateDnsZoneId } - azureCosmosSQLPrivateDnsZoneId: { - value: varPrivateDnsZonesFinalResourceIds.azureCosmosSQLPrivateDnsZoneId + azureAutomationWebhookPrivateDnsZoneId: { + value: varPrivateDnsZonesFinalResourceIds.azureAutomationWebhookPrivateDnsZoneId } - azureCosmosMongoPrivateDnsZoneId: { - value: varPrivateDnsZonesFinalResourceIds.azureCosmosMongoPrivateDnsZoneId + azureBatchPrivateDnsZoneId: { + value: 
varPrivateDnsZonesFinalResourceIds.azureBatchPrivateDnsZoneId + } + azureBotServicePrivateDnsZoneId: { + value: varPrivateDnsZonesFinalResourceIds.azureBotServicePrivateDnsZoneId + } + azureCognitiveSearchPrivateDnsZoneId: { + value: varPrivateDnsZonesFinalResourceIds.azureCognitiveSearchPrivateDnsZoneId + } + azureCognitiveServicesPrivateDnsZoneId: { + value: varPrivateDnsZonesFinalResourceIds.azureCognitiveServicesPrivateDnsZoneId } azureCosmosCassandraPrivateDnsZoneId: { value: varPrivateDnsZonesFinalResourceIds.azureCosmosCassandraPrivateDnsZoneId 
@@ -1983,95 +2086,50 @@ module modPolicyAssignmentConnDeployPrivateDnsZones '../../../policy/assignments azureCosmosGremlinPrivateDnsZoneId: { value: varPrivateDnsZonesFinalResourceIds.azureCosmosGremlinPrivateDnsZoneId } + azureCosmosMongoPrivateDnsZoneId: { + value: varPrivateDnsZonesFinalResourceIds.azureCosmosMongoPrivateDnsZoneId + } + azureCosmosSQLPrivateDnsZoneId: { + value: varPrivateDnsZonesFinalResourceIds.azureCosmosSQLPrivateDnsZoneId + } azureCosmosTablePrivateDnsZoneId: { value: varPrivateDnsZonesFinalResourceIds.azureCosmosTablePrivateDnsZoneId } - azureDataFactoryPrivateDnsZoneId: { - value: varPrivateDnsZonesFinalResourceIds.azureDataFactoryPrivateDnsZoneId - } azureDataFactoryPortalPrivateDnsZoneId: { value: varPrivateDnsZonesFinalResourceIds.azureDataFactoryPortalPrivateDnsZoneId } + azureDataFactoryPrivateDnsZoneId: { + value: varPrivateDnsZonesFinalResourceIds.azureDataFactoryPrivateDnsZoneId + } azureDatabricksPrivateDnsZoneId: { value: varPrivateDnsZonesFinalResourceIds.azureDatabricksPrivateDnsZoneId } - azureHDInsightPrivateDnsZoneId: { - value: varPrivateDnsZonesFinalResourceIds.azureHDInsightPrivateDnsZoneId - } - azureMigratePrivateDnsZoneId: { - value: varPrivateDnsZonesFinalResourceIds.azureMigratePrivateDnsZoneId - } - azureStorageBlobPrivateDnsZoneId: { - value: varPrivateDnsZonesFinalResourceIds.azureStorageBlobPrivateDnsZoneId - } - azureStorageBlobSecPrivateDnsZoneId: { - value: varPrivateDnsZonesFinalResourceIds.azureStorageBlobSecPrivateDnsZoneId - } - azureStorageQueuePrivateDnsZoneId: { - value: varPrivateDnsZonesFinalResourceIds.azureStorageQueuePrivateDnsZoneId - } - azureStorageQueueSecPrivateDnsZoneId: { - value: varPrivateDnsZonesFinalResourceIds.azureStorageQueueSecPrivateDnsZoneId - } - azureStorageFilePrivateDnsZoneId: { - value: varPrivateDnsZonesFinalResourceIds.azureStorageFilePrivateDnsZoneId - } - azureStorageStaticWebPrivateDnsZoneId: { - value: 
varPrivateDnsZonesFinalResourceIds.azureStorageStaticWebPrivateDnsZoneId - } - azureStorageStaticWebSecPrivateDnsZoneId: { - value: varPrivateDnsZonesFinalResourceIds.azureStorageStaticWebSecPrivateDnsZoneId - } - azureStorageDFSPrivateDnsZoneId: { - value: varPrivateDnsZonesFinalResourceIds.azureStorageDFSPrivateDnsZoneId - } - azureStorageDFSSecPrivateDnsZoneId: { - value: varPrivateDnsZonesFinalResourceIds.azureStorageDFSSecPrivateDnsZoneId - } - azureSynapseSQLPrivateDnsZoneId: { - value: varPrivateDnsZonesFinalResourceIds.azureSynapseSQLPrivateDnsZoneId - } - azureSynapseSQLODPrivateDnsZoneId: { - value: varPrivateDnsZonesFinalResourceIds.azureSynapseSQLODPrivateDnsZoneId - } - azureSynapseDevPrivateDnsZoneId: { - value: varPrivateDnsZonesFinalResourceIds.azureSynapseDevPrivateDnsZoneId - } - azureMediaServicesKeyPrivateDnsZoneId: { - value: varPrivateDnsZonesFinalResourceIds.azureMediaServicesKeyPrivateDnsZoneId - } - azureMediaServicesLivePrivateDnsZoneId: { - value: varPrivateDnsZonesFinalResourceIds.azureMediaServicesLivePrivateDnsZoneId - } - azureMediaServicesStreamPrivateDnsZoneId: { - value: varPrivateDnsZonesFinalResourceIds.azureMediaServicesStreamPrivateDnsZoneId - } - azureMonitorPrivateDnsZoneId1: { - value: varPrivateDnsZonesFinalResourceIds.azureMonitorPrivateDnsZoneId1 + azureDiskAccessPrivateDnsZoneId: { + value: varPrivateDnsZonesFinalResourceIds.azureDiskAccessPrivateDnsZoneId } - azureMonitorPrivateDnsZoneId2: { - value: varPrivateDnsZonesFinalResourceIds.azureMonitorPrivateDnsZoneId2 + azureEventGridDomainsPrivateDnsZoneId: { + value: varPrivateDnsZonesFinalResourceIds.azureEventGridDomainsPrivateDnsZoneId } - azureMonitorPrivateDnsZoneId3: { - value: varPrivateDnsZonesFinalResourceIds.azureMonitorPrivateDnsZoneId3 + azureEventGridTopicsPrivateDnsZoneId: { + value: varPrivateDnsZonesFinalResourceIds.azureEventGridTopicsPrivateDnsZoneId } - azureMonitorPrivateDnsZoneId4: { - value: 
varPrivateDnsZonesFinalResourceIds.azureMonitorPrivateDnsZoneId4 + azureEventHubNamespacePrivateDnsZoneId: { + value: varPrivateDnsZonesFinalResourceIds.azureEventHubNamespacePrivateDnsZoneId } - azureMonitorPrivateDnsZoneId5: { - value: varPrivateDnsZonesFinalResourceIds.azureMonitorPrivateDnsZoneId5 + azureFilePrivateDnsZoneId: { + value: varPrivateDnsZonesFinalResourceIds.azureFilePrivateDnsZoneId } - azureWebPrivateDnsZoneId: { - value: varPrivateDnsZonesFinalResourceIds.azureWebPrivateDnsZoneId + azureHDInsightPrivateDnsZoneId: { + value: varPrivateDnsZonesFinalResourceIds.azureHDInsightPrivateDnsZoneId } - azureBatchPrivateDnsZoneId: { - value: varPrivateDnsZonesFinalResourceIds.azureBatchPrivateDnsZoneId + azureIotCentralPrivateDnsZoneId: { + value: varPrivateDnsZonesFinalResourceIds.azureIotCentralPrivateDnsZoneId } - azureAppPrivateDnsZoneId: { - value: varPrivateDnsZonesFinalResourceIds.azureAppPrivateDnsZoneId + azureIotDeviceupdatePrivateDnsZoneId: { + value: varPrivateDnsZonesFinalResourceIds.azureIotDeviceupdatePrivateDnsZoneId } - azureAsrPrivateDnsZoneId: { - value: varPrivateDnsZonesFinalResourceIds.azureAsrPrivateDnsZoneId + azureIotHubsPrivateDnsZoneId: { + value: varPrivateDnsZonesFinalResourceIds.azureIotHubsPrivateDnsZoneId } azureIotPrivateDnsZoneId: { value: varPrivateDnsZonesFinalResourceIds.azureIotPrivateDnsZoneId 
@@ -2079,48 +2137,21 @@ module modPolicyAssignmentConnDeployPrivateDnsZones '../../../policy/assignments azureKeyVaultPrivateDnsZoneId: { value: varPrivateDnsZonesFinalResourceIds.azureKeyVaultPrivateDnsZoneId } - azureSignalRPrivateDnsZoneId: { - value: varPrivateDnsZonesFinalResourceIds.azureSignalRPrivateDnsZoneId - } - azureAppServicesPrivateDnsZoneId: { - value: varPrivateDnsZonesFinalResourceIds.azureAppServicesPrivateDnsZoneId - } - azureEventGridTopicsPrivateDnsZoneId: { - value: varPrivateDnsZonesFinalResourceIds.azureEventGridTopicsPrivateDnsZoneId + azureMachineLearningWorkspacePrivateDnsZoneId: { + value: varPrivateDnsZonesFinalResourceIds.azureMachineLearningWorkspacePrivateDnsZoneId } - azureDiskAccessPrivateDnsZoneId: { - value: varPrivateDnsZonesFinalResourceIds.azureDiskAccessPrivateDnsZoneId + azureManagedGrafanaWorkspacePrivateDnsZoneId: { + value: varPrivateDnsZonesFinalResourceIds.azureManagedGrafanaWorkspacePrivateDnsZoneId } - azureCognitiveServicesPrivateDnsZoneId: { - value: varPrivateDnsZonesFinalResourceIds.azureCognitiveServicesPrivateDnsZoneId - } - azureIotHubsPrivateDnsZoneId: { - value: varPrivateDnsZonesFinalResourceIds.azureIotHubsPrivateDnsZoneId + azureMediaServicesKeyPrivateDnsZoneId: { + value: varPrivateDnsZonesFinalResourceIds.azureMediaServicesKeyPrivateDnsZoneId } - azureEventGridDomainsPrivateDnsZoneId: { - value: varPrivateDnsZonesFinalResourceIds.azureEventGridDomainsPrivateDnsZoneId + azureMonitorPrivateDnsZoneId1: { + value: varPrivateDnsZonesFinalResourceIds.azureMonitorPrivateDnsZoneId1 } azureRedisCachePrivateDnsZoneId: { value: varPrivateDnsZonesFinalResourceIds.azureRedisCachePrivateDnsZoneId } - azureAcrPrivateDnsZoneId: { - value: varPrivateDnsZonesFinalResourceIds.azureAcrPrivateDnsZoneId - } - azureEventHubNamespacePrivateDnsZoneId: { - value: varPrivateDnsZonesFinalResourceIds.azureEventHubNamespacePrivateDnsZoneId - } - azureMachineLearningWorkspacePrivateDnsZoneId: { - value: 
varPrivateDnsZonesFinalResourceIds.azureMachineLearningWorkspacePrivateDnsZoneId - } - azureMachineLearningWorkspaceSecondPrivateDnsZoneId: { - value: varPrivateDnsZonesFinalResourceIds.azureMachineLearningWorkspaceSecondPrivateDnsZoneId - } - azureServiceBusNamespacePrivateDnsZoneId: { - value: varPrivateDnsZonesFinalResourceIds.azureServiceBusNamespacePrivateDnsZoneId - } - azureCognitiveSearchPrivateDnsZoneId: { - value: varPrivateDnsZonesFinalResourceIds.azureCognitiveSearchPrivateDnsZoneId - } } parPolicyAssignmentIdentityType: varPolicyAssignmentDeployPrivateDNSZones.libDefinition.identity.type parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentDeployPrivateDNSZones.libDefinition.properties.enforcementMode diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_private_dns_zones.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_private_dns_zones.tmpl.json index cfe7a93b9..49e1efbda 100644 --- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_private_dns_zones.tmpl.json +++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_private_dns_zones.tmpl.json @@ -16,9 +16,6 @@ "azureAcrPrivateDnsZoneId": { "value": "${varPrivateDnsZonesFinalResourceIds}.azureAcrPrivateDnsZoneId" }, - "azureAcrDataPrivateDnsZoneId": { - "value": "${varPrivateDnsZonesFinalResourceIds}.azureAcrDataPrivateDnsZoneId" - }, "azureAppPrivateDnsZoneId": { "value": "${varPrivateDnsZonesFinalResourceIds}.azureAppPrivateDnsZoneId" }, 
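Review bot: On the new side the `parPolicyAssignmentParameterOverrides` object closes right after `azureRedisCachePrivateDnsZoneId`, so the storage, Synapse, Service Bus, SignalR, Site Recovery, Virtual Desktop, Web PubSub, Migrate, Media Services Live/Stream, Monitor 2–5 and ML-workspace-secondary zone IDs that `varPrivateDnsZonesFinalResourceIds` still defines (several of them newly added in the `@@ -532` hunk) are no longer forwarded to the assignment. If the Deploy-Private-DNS-Zones policy set still exposes those parameters, they now receive whatever `libDefinition.properties.parameters` carries and the deployIfNotExists remediation stops linking private endpoints for those services to the landing-zone zones; if the policy set no longer has them, the entries in the variable are dead weight and should be removed so the two lists stay in lockstep. Which of the two applies is not visible from this hunk, but the commit message says only unused IDs were meant to go, which suggests at least the storage and Site Recovery entries were meant to be forwarded. The enclosing `module modPolicyAssignmentConnDeployPrivateDnsZones` starts before this hunk. The same gap is in the repeated `@@ -2079,48 +2137,21 @@` hunk later on this page.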
@@ -70,9 +67,6 @@ "azureCosmosTablePrivateDnsZoneId": { "value": "${varPrivateDnsZonesFinalResourceIds}.azureCosmosTablePrivateDnsZoneId" }, - "azureDataExplorerPrivateDnsZoneId": { - "value": "${varPrivateDnsZonesFinalResourceIds}.azureDataExplorerPrivateDnsZoneId" - }, "azureDataFactoryPortalPrivateDnsZoneId": { "value": "${varPrivateDnsZonesFinalResourceIds}.azureDataFactoryPortalPrivateDnsZoneId" }, @@ -115,9 +109,6 @@ "azureKeyVaultPrivateDnsZoneId": { "value": "${varPrivateDnsZonesFinalResourceIds}.azureKeyVaultPrivateDnsZoneId" }, - "azureKubernetesManagementPrivateDnsZoneId": { - "value": "${varPrivateDnsZonesFinalResourceIds}.azureKubernetesManagementPrivateDnsZoneId" - }, "azureMachineLearningWorkspacePrivateDnsZoneId": { "value": "${varPrivateDnsZonesFinalResourceIds}.azureMachineLearningWorkspacePrivateDnsZoneId" }, From bb50fc2196cdd17c61fe4c39b778c9129400005a Mon Sep 17 00:00:00 2001 From: Zach Trocinski Date: Fri, 15 Nov 2024 17:10:15 -0600 Subject: [PATCH 03/15] Remove unused dns zone ids and update param names --- .../alzDefaultPolicyAssignments.bicep | 333 ++++++++++-------- ...ment_es_deploy_private_dns_zones.tmpl.json | 9 - 2 files changed, 182 insertions(+), 160 deletions(-) diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep index 841335024..cc7bac20c 100644 --- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep +++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep 
@@ -98,6 +98,9 @@ param parDdosProtectionPlanId string = ''
 @description('Resource ID of the Resource Group for Private DNS Zones. Empty to skip assigning the Deploy-Private-DNS-Zones policy.')
 param parPrivateDnsResourceGroupId string = ''
+@description('Location of Private DNS Zones.')
+param parPrivateDnsZonesLocation string = 'eastus'
+
 @description('List of Private DNS Zones to audit under the Corp Management Group. This overwrites default values.')
 param parPrivateDnsZonesNamesToAuditInCorp array = []
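Review bot: The description of the new `parPrivateDnsZonesLocation` parameter, `Location of Private DNS Zones.`, does not say what the value drives: in this commit it is only used (via `varGeoCodes` in the `@@ -532` hunk) to pick the geo-code in the `privatelink.<geocode>.backup.windowsazure.com` zone name, and Private DNS zones themselves are global resources, so a caller reading the description will not know which region to supply. Suggest `@description('Azure region used to select the geo-code for the privatelink.<geocode>.backup.windowsazure.com Private DNS Zone name. Must be one of the keys of varGeoCodes.')`. Also consider whether a silent `'eastus'` default is wanted, since a mismatch yields an assignment pointing at a zone that was never deployed; an `@allowed` list or no default would make the error visible at validation time.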
@@ -532,60 +535,136 @@ var varPrivateDnsZonesResourceGroupSubscriptionId = !empty(parPrivateDnsResource
 var varPrivateDnsZonesBaseResourceId = '${parPrivateDnsResourceGroupId}/providers/Microsoft.Network/privateDnsZones/'
+var varGeoCodes = {
+ australiacentral: 'acl'
+ australiacentral2: 'acl2'
+ australiaeast: 'ae'
+ australiasoutheast: 'ase'
+ brazilsoutheast: 'bse'
+ brazilsouth: 'brs'
+ canadacentral: 'cnc'
+ canadaeast: 'cne'
+ centralindia: 'inc'
+ centralus: 'cus'
+ centraluseuap: 'ccy'
+ chilecentral: 'clc'
+ eastasia: 'ea'
+ eastus: 'eus'
+ eastus2: 'eus2'
+ eastus2euap: 'ecy'
+ francecentral: 'frc'
+ francesouth: 'frs'
+ germanynorth: 'gn'
+ germanywestcentral: 'gwc'
+ israelcentral: 'ilc'
+ italynorth: 'itn'
+ japaneast: 'jpe'
+ japanwest: 'jpw'
+ koreacentral: 'krc'
+ koreasouth: 'krs'
+ malaysiasouth: 'mys'
+ malaysiawest: 'myw'
+ mexicocentral: 'mxc'
+ newzealandnorth: 'nzn'
+ northcentralus: 'ncus'
+ northeurope: 'ne'
+ norwayeast: 'nwe'
+ norwaywest: 'nww'
+ polandcentral: 'plc'
+ qatarcentral: 'qac'
+ southafricanorth: 'san'
+ southafricawest: 'saw'
+ southcentralus: 'scus'
+ southeastasia: 'sea'
+ southindia: 'ins'
+ spaincentral: 'spc'
+ swedencentral: 'sdc'
+ swedensouth: 'sds'
+ switzerlandnorth: 'szn'
+ switzerlandwest: 'szw'
+ taiwannorth: 'twn'
+ uaecentral: 'uac'
+ uaenorth: 'uan'
+ uksouth: 'uks'
+ ukwest: 'ukw'
+ westcentralus: 'wcus'
+ westeurope: 'we'
+ westindia: 'inw'
+ westus: 'wus'
+ westus2: 'wus2'
+ westus3: 'wus3'
+}
+
+var varSelectedGeoCode = varGeoCodes[?parPrivateDnsZonesLocation] ?? 
'changeme' + var varPrivateDnsZonesFinalResourceIds = { - azureFilePrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.afs.azure.net' - azureAutomationWebhookPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.azure-automation.net' + azureAcrPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.azurecr.io' + azureAppPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.azconfig.io' + azureAppServicesPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.azurewebsites.net' + azureArcGuestconfigurationPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.guestconfiguration.azure.com' + azureArcHybridResourceProviderPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.his.arc.azure.com' + azureArcKubernetesConfigurationPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.dp.kubernetesconfiguration.azure.com' + azureAsrPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.siterecovery.windowsazure.com' azureAutomationDSCHybridPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.azure-automation.net' - azureCosmosSQLPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.documents.azure.com' - azureCosmosMongoPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.mongo.cosmos.azure.com' + azureAutomationWebhookPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.azure-automation.net' + azureBatchPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.batch.azure.com' + azureBotServicePrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.directline.botframework.com' + azureCognitiveSearchPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.search.windows.net' + azureCognitiveServicesPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.cognitiveservices.azure.com' azureCosmosCassandraPrivateDnsZoneId: 
'${varPrivateDnsZonesBaseResourceId}privatelink.cassandra.cosmos.azure.com' azureCosmosGremlinPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.gremlin.cosmos.azure.com' + azureCosmosMongoPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.mongo.cosmos.azure.com' + azureCosmosSQLPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.documents.azure.com' azureCosmosTablePrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.table.cosmos.azure.com' - azureDataFactoryPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.datafactory.azure.net' azureDataFactoryPortalPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.adf.azure.com' + azureDataFactoryPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.datafactory.azure.net' azureDatabricksPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.azuredatabricks.net' + azureDiskAccessPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.blob.core.windows.net' + azureEventGridDomainsPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.eventgrid.azure.net' + azureEventGridTopicsPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.eventgrid.azure.net' + azureEventHubNamespacePrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.servicebus.windows.net' + azureFilePrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.afs.azure.net' azureHDInsightPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.azurehdinsight.net' - azureMigratePrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.prod.migration.windowsazure.com' - azureStorageBlobPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.blob.core.windows.net' - azureStorageBlobSecPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.blob.core.windows.net' - azureStorageQueuePrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.queue.core.windows.net' - 
azureStorageQueueSecPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.queue.core.windows.net' - azureStorageFilePrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.file.core.windows.net' - azureStorageStaticWebPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.web.core.windows.net' - azureStorageStaticWebSecPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.web.core.windows.net' - azureStorageDFSPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.dfs.core.windows.net' - azureStorageDFSSecPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.dfs.core.windows.net' - azureSynapseSQLPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.sql.azuresynapse.net' - azureSynapseSQLODPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.sql.azuresynapse.net' - azureSynapseDevPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.dev.azuresynapse.net' + azureIotCentralPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.azureiotcentral.com' + azureIotDeviceupdatePrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.azure-devices.net' + azureIotHubsPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.azure-devices.net' + azureIotPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.azure-devices-provisioning.net' + azureKeyVaultPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.vaultcore.azure.net' + azureMachineLearningWorkspacePrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.api.azureml.ms' + azureMachineLearningWorkspaceSecondPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.notebooks.azure.net' + azureManagedGrafanaWorkspacePrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.grafana.azure.com' azureMediaServicesKeyPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.media.azure.net' azureMediaServicesLivePrivateDnsZoneId: 
'${varPrivateDnsZonesBaseResourceId}privatelink.media.azure.net' azureMediaServicesStreamPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.media.azure.net' + azureMigratePrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.prod.migration.windowsazure.com' azureMonitorPrivateDnsZoneId1: '${varPrivateDnsZonesBaseResourceId}privatelink.monitor.azure.com' azureMonitorPrivateDnsZoneId2: '${varPrivateDnsZonesBaseResourceId}privatelink.oms.opinsights.azure.com' azureMonitorPrivateDnsZoneId3: '${varPrivateDnsZonesBaseResourceId}privatelink.ods.opinsights.azure.com' azureMonitorPrivateDnsZoneId4: '${varPrivateDnsZonesBaseResourceId}privatelink.agentsvc.azure-automation.net' azureMonitorPrivateDnsZoneId5: '${varPrivateDnsZonesBaseResourceId}privatelink.blob.core.windows.net' - azureWebPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.webpubsub.azure.com' - azureBatchPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.batch.azure.com' - azureAppPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.azconfig.io' - azureAsrPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.siterecovery.windowsazure.com' - azureIotPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.azure-devices-provisioning.net' - azureKeyVaultPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.vaultcore.azure.net' - azureSignalRPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.service.signalr.net' - azureAppServicesPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.azurewebsites.net' - azureEventGridTopicsPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.eventgrid.azure.net' - azureDiskAccessPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.blob.core.windows.net' - azureCognitiveServicesPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.cognitiveservices.azure.com' - azureIotHubsPrivateDnsZoneId: 
'${varPrivateDnsZonesBaseResourceId}privatelink.azure-devices.net' - azureEventGridDomainsPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.eventgrid.azure.net' azureRedisCachePrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.redis.cache.windows.net' - azureAcrPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.azurecr.io' - azureEventHubNamespacePrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.servicebus.windows.net' - azureMachineLearningWorkspacePrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.api.azureml.ms' - azureMachineLearningWorkspaceSecondPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.notebooks.azure.net' azureServiceBusNamespacePrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.servicebus.windows.net' - azureCognitiveSearchPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.search.windows.net' + azureSignalRPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.service.signalr.net' + azureSiteRecoveryBackupPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.${varSelectedGeoCode}.backup.windowsazure.com' + azureSiteRecoveryBlobPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.blob.core.windows.net' + azureSiteRecoveryQueuePrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.queue.core.windows.net' + azureStorageBlobPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.blob.core.windows.net' + azureStorageBlobSecPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.blob.core.windows.net' + azureStorageDFSPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.dfs.core.windows.net' + azureStorageDFSSecPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.dfs.core.windows.net' + azureStorageFilePrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.file.core.windows.net' + azureStorageQueuePrivateDnsZoneId: 
'${varPrivateDnsZonesBaseResourceId}privatelink.queue.core.windows.net' + azureStorageQueueSecPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.queue.core.windows.net' + azureStorageStaticWebPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.web.core.windows.net' + azureStorageStaticWebSecPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.web.core.windows.net' + azureStorageTablePrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.table.core.windows.net' + azureStorageTableSecondaryPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.table.core.windows.net' + azureSynapseDevPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.dev.azuresynapse.net' + azureSynapseSQLPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.sql.azuresynapse.net' + azureSynapseSQLODPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.sql.azuresynapse.net' + azureVirtualDesktopHostpoolPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.wvd.microsoft.com' + azureVirtualDesktopWorkspacePrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.wvd.microsoft.com' + azureWebPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.webpubsub.azure.com' } // **Scope** 
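Review bot: `var varSelectedGeoCode = varGeoCodes[?parPrivateDnsZonesLocation] ?? 'changeme'` turns an unknown or mistyped region into a syntactically valid but nonexistent zone ID ending in `privatelink.changeme.backup.windowsazure.com`, so the deployIfNotExists assignment for `azureSiteRecoveryBackupPrivateDnsZoneId` would quietly target a zone that does not exist and the mistake would surface only as failed remediation or unresolved backup endpoints later. Failing the deployment is the safer behaviour: `var varSelectedGeoCode = varGeoCodes[parPrivateDnsZonesLocation]` errors on a missing key instead of guessing. The geo-code table is hand-copied reference data that drifts as regions are added, so a header comment naming where it was taken from would help reviewers verify it, e.g. `// Region -> geo-code map for the Azure Backup private DNS zone name (privatelink.<geocode>.backup.windowsazure.com); keep in sync with the published region list.`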
@@ -1962,20 +2041,44 @@ module modPolicyAssignmentConnDeployPrivateDnsZones '../../../policy/assignments parPolicyAssignmentDescription: varPolicyAssignmentDeployPrivateDNSZones.libDefinition.properties.description parPolicyAssignmentParameters: varPolicyAssignmentDeployPrivateDNSZones.libDefinition.properties.parameters parPolicyAssignmentParameterOverrides: { - azureFilePrivateDnsZoneId: { - value: varPrivateDnsZonesFinalResourceIds.azureFilePrivateDnsZoneId + azureAcrPrivateDnsZoneId: { + value: varPrivateDnsZonesFinalResourceIds.azureAcrPrivateDnsZoneId } - azureAutomationWebhookPrivateDnsZoneId: { - value: varPrivateDnsZonesFinalResourceIds.azureAutomationWebhookPrivateDnsZoneId + azureAppPrivateDnsZoneId: { + value: varPrivateDnsZonesFinalResourceIds.azureAppPrivateDnsZoneId + } + azureAppServicesPrivateDnsZoneId: { + value: varPrivateDnsZonesFinalResourceIds.azureAppServicesPrivateDnsZoneId + } + azureArcGuestconfigurationPrivateDnsZoneId: { + value: varPrivateDnsZonesFinalResourceIds.azureArcGuestconfigurationPrivateDnsZoneId + } + azureArcHybridResourceProviderPrivateDnsZoneId: { + value: varPrivateDnsZonesFinalResourceIds.azureArcHybridResourceProviderPrivateDnsZoneId + } + azureArcKubernetesConfigurationPrivateDnsZoneId: { + value: varPrivateDnsZonesFinalResourceIds.azureArcKubernetesConfigurationPrivateDnsZoneId + } + azureAsrPrivateDnsZoneId: { + value: varPrivateDnsZonesFinalResourceIds.azureAsrPrivateDnsZoneId } azureAutomationDSCHybridPrivateDnsZoneId: { value: varPrivateDnsZonesFinalResourceIds.azureAutomationDSCHybridPrivateDnsZoneId } - azureCosmosSQLPrivateDnsZoneId: { - value: varPrivateDnsZonesFinalResourceIds.azureCosmosSQLPrivateDnsZoneId + azureAutomationWebhookPrivateDnsZoneId: { + value: varPrivateDnsZonesFinalResourceIds.azureAutomationWebhookPrivateDnsZoneId } - azureCosmosMongoPrivateDnsZoneId: { - value: varPrivateDnsZonesFinalResourceIds.azureCosmosMongoPrivateDnsZoneId + azureBatchPrivateDnsZoneId: { + value: 
varPrivateDnsZonesFinalResourceIds.azureBatchPrivateDnsZoneId + } + azureBotServicePrivateDnsZoneId: { + value: varPrivateDnsZonesFinalResourceIds.azureBotServicePrivateDnsZoneId + } + azureCognitiveSearchPrivateDnsZoneId: { + value: varPrivateDnsZonesFinalResourceIds.azureCognitiveSearchPrivateDnsZoneId + } + azureCognitiveServicesPrivateDnsZoneId: { + value: varPrivateDnsZonesFinalResourceIds.azureCognitiveServicesPrivateDnsZoneId } azureCosmosCassandraPrivateDnsZoneId: { value: varPrivateDnsZonesFinalResourceIds.azureCosmosCassandraPrivateDnsZoneId 
@@ -1983,95 +2086,50 @@ module modPolicyAssignmentConnDeployPrivateDnsZones '../../../policy/assignments azureCosmosGremlinPrivateDnsZoneId: { value: varPrivateDnsZonesFinalResourceIds.azureCosmosGremlinPrivateDnsZoneId } + azureCosmosMongoPrivateDnsZoneId: { + value: varPrivateDnsZonesFinalResourceIds.azureCosmosMongoPrivateDnsZoneId + } + azureCosmosSQLPrivateDnsZoneId: { + value: varPrivateDnsZonesFinalResourceIds.azureCosmosSQLPrivateDnsZoneId + } azureCosmosTablePrivateDnsZoneId: { value: varPrivateDnsZonesFinalResourceIds.azureCosmosTablePrivateDnsZoneId } - azureDataFactoryPrivateDnsZoneId: { - value: varPrivateDnsZonesFinalResourceIds.azureDataFactoryPrivateDnsZoneId - } azureDataFactoryPortalPrivateDnsZoneId: { value: varPrivateDnsZonesFinalResourceIds.azureDataFactoryPortalPrivateDnsZoneId } + azureDataFactoryPrivateDnsZoneId: { + value: varPrivateDnsZonesFinalResourceIds.azureDataFactoryPrivateDnsZoneId + } azureDatabricksPrivateDnsZoneId: { value: varPrivateDnsZonesFinalResourceIds.azureDatabricksPrivateDnsZoneId } - azureHDInsightPrivateDnsZoneId: { - value: varPrivateDnsZonesFinalResourceIds.azureHDInsightPrivateDnsZoneId - } - azureMigratePrivateDnsZoneId: { - value: varPrivateDnsZonesFinalResourceIds.azureMigratePrivateDnsZoneId - } - azureStorageBlobPrivateDnsZoneId: { - value: varPrivateDnsZonesFinalResourceIds.azureStorageBlobPrivateDnsZoneId - } - azureStorageBlobSecPrivateDnsZoneId: { - value: varPrivateDnsZonesFinalResourceIds.azureStorageBlobSecPrivateDnsZoneId - } - azureStorageQueuePrivateDnsZoneId: { - value: varPrivateDnsZonesFinalResourceIds.azureStorageQueuePrivateDnsZoneId - } - azureStorageQueueSecPrivateDnsZoneId: { - value: varPrivateDnsZonesFinalResourceIds.azureStorageQueueSecPrivateDnsZoneId - } - azureStorageFilePrivateDnsZoneId: { - value: varPrivateDnsZonesFinalResourceIds.azureStorageFilePrivateDnsZoneId - } - azureStorageStaticWebPrivateDnsZoneId: { - value: 
varPrivateDnsZonesFinalResourceIds.azureStorageStaticWebPrivateDnsZoneId - } - azureStorageStaticWebSecPrivateDnsZoneId: { - value: varPrivateDnsZonesFinalResourceIds.azureStorageStaticWebSecPrivateDnsZoneId - } - azureStorageDFSPrivateDnsZoneId: { - value: varPrivateDnsZonesFinalResourceIds.azureStorageDFSPrivateDnsZoneId - } - azureStorageDFSSecPrivateDnsZoneId: { - value: varPrivateDnsZonesFinalResourceIds.azureStorageDFSSecPrivateDnsZoneId - } - azureSynapseSQLPrivateDnsZoneId: { - value: varPrivateDnsZonesFinalResourceIds.azureSynapseSQLPrivateDnsZoneId - } - azureSynapseSQLODPrivateDnsZoneId: { - value: varPrivateDnsZonesFinalResourceIds.azureSynapseSQLODPrivateDnsZoneId - } - azureSynapseDevPrivateDnsZoneId: { - value: varPrivateDnsZonesFinalResourceIds.azureSynapseDevPrivateDnsZoneId - } - azureMediaServicesKeyPrivateDnsZoneId: { - value: varPrivateDnsZonesFinalResourceIds.azureMediaServicesKeyPrivateDnsZoneId - } - azureMediaServicesLivePrivateDnsZoneId: { - value: varPrivateDnsZonesFinalResourceIds.azureMediaServicesLivePrivateDnsZoneId - } - azureMediaServicesStreamPrivateDnsZoneId: { - value: varPrivateDnsZonesFinalResourceIds.azureMediaServicesStreamPrivateDnsZoneId - } - azureMonitorPrivateDnsZoneId1: { - value: varPrivateDnsZonesFinalResourceIds.azureMonitorPrivateDnsZoneId1 + azureDiskAccessPrivateDnsZoneId: { + value: varPrivateDnsZonesFinalResourceIds.azureDiskAccessPrivateDnsZoneId } - azureMonitorPrivateDnsZoneId2: { - value: varPrivateDnsZonesFinalResourceIds.azureMonitorPrivateDnsZoneId2 + azureEventGridDomainsPrivateDnsZoneId: { + value: varPrivateDnsZonesFinalResourceIds.azureEventGridDomainsPrivateDnsZoneId } - azureMonitorPrivateDnsZoneId3: { - value: varPrivateDnsZonesFinalResourceIds.azureMonitorPrivateDnsZoneId3 + azureEventGridTopicsPrivateDnsZoneId: { + value: varPrivateDnsZonesFinalResourceIds.azureEventGridTopicsPrivateDnsZoneId } - azureMonitorPrivateDnsZoneId4: { - value: 
varPrivateDnsZonesFinalResourceIds.azureMonitorPrivateDnsZoneId4 + azureEventHubNamespacePrivateDnsZoneId: { + value: varPrivateDnsZonesFinalResourceIds.azureEventHubNamespacePrivateDnsZoneId } - azureMonitorPrivateDnsZoneId5: { - value: varPrivateDnsZonesFinalResourceIds.azureMonitorPrivateDnsZoneId5 + azureFilePrivateDnsZoneId: { + value: varPrivateDnsZonesFinalResourceIds.azureFilePrivateDnsZoneId } - azureWebPrivateDnsZoneId: { - value: varPrivateDnsZonesFinalResourceIds.azureWebPrivateDnsZoneId + azureHDInsightPrivateDnsZoneId: { + value: varPrivateDnsZonesFinalResourceIds.azureHDInsightPrivateDnsZoneId } - azureBatchPrivateDnsZoneId: { - value: varPrivateDnsZonesFinalResourceIds.azureBatchPrivateDnsZoneId + azureIotCentralPrivateDnsZoneId: { + value: varPrivateDnsZonesFinalResourceIds.azureIotCentralPrivateDnsZoneId } - azureAppPrivateDnsZoneId: { - value: varPrivateDnsZonesFinalResourceIds.azureAppPrivateDnsZoneId + azureIotDeviceupdatePrivateDnsZoneId: { + value: varPrivateDnsZonesFinalResourceIds.azureIotDeviceupdatePrivateDnsZoneId } - azureAsrPrivateDnsZoneId: { - value: varPrivateDnsZonesFinalResourceIds.azureAsrPrivateDnsZoneId + azureIotHubsPrivateDnsZoneId: { + value: varPrivateDnsZonesFinalResourceIds.azureIotHubsPrivateDnsZoneId } azureIotPrivateDnsZoneId: { value: varPrivateDnsZonesFinalResourceIds.azureIotPrivateDnsZoneId 
@@ -2079,48 +2137,21 @@ module modPolicyAssignmentConnDeployPrivateDnsZones '../../../policy/assignments azureKeyVaultPrivateDnsZoneId: { value: varPrivateDnsZonesFinalResourceIds.azureKeyVaultPrivateDnsZoneId } - azureSignalRPrivateDnsZoneId: { - value: varPrivateDnsZonesFinalResourceIds.azureSignalRPrivateDnsZoneId - } - azureAppServicesPrivateDnsZoneId: { - value: varPrivateDnsZonesFinalResourceIds.azureAppServicesPrivateDnsZoneId - } - azureEventGridTopicsPrivateDnsZoneId: { - value: varPrivateDnsZonesFinalResourceIds.azureEventGridTopicsPrivateDnsZoneId + azureMachineLearningWorkspacePrivateDnsZoneId: { + value: varPrivateDnsZonesFinalResourceIds.azureMachineLearningWorkspacePrivateDnsZoneId } - azureDiskAccessPrivateDnsZoneId: { - value: varPrivateDnsZonesFinalResourceIds.azureDiskAccessPrivateDnsZoneId + azureManagedGrafanaWorkspacePrivateDnsZoneId: { + value: varPrivateDnsZonesFinalResourceIds.azureManagedGrafanaWorkspacePrivateDnsZoneId } - azureCognitiveServicesPrivateDnsZoneId: { - value: varPrivateDnsZonesFinalResourceIds.azureCognitiveServicesPrivateDnsZoneId - } - azureIotHubsPrivateDnsZoneId: { - value: varPrivateDnsZonesFinalResourceIds.azureIotHubsPrivateDnsZoneId + azureMediaServicesKeyPrivateDnsZoneId: { + value: varPrivateDnsZonesFinalResourceIds.azureMediaServicesKeyPrivateDnsZoneId } - azureEventGridDomainsPrivateDnsZoneId: { - value: varPrivateDnsZonesFinalResourceIds.azureEventGridDomainsPrivateDnsZoneId + azureMonitorPrivateDnsZoneId1: { + value: varPrivateDnsZonesFinalResourceIds.azureMonitorPrivateDnsZoneId1 } azureRedisCachePrivateDnsZoneId: { value: varPrivateDnsZonesFinalResourceIds.azureRedisCachePrivateDnsZoneId } - azureAcrPrivateDnsZoneId: { - value: varPrivateDnsZonesFinalResourceIds.azureAcrPrivateDnsZoneId - } - azureEventHubNamespacePrivateDnsZoneId: { - value: varPrivateDnsZonesFinalResourceIds.azureEventHubNamespacePrivateDnsZoneId - } - azureMachineLearningWorkspacePrivateDnsZoneId: { - value: 
varPrivateDnsZonesFinalResourceIds.azureMachineLearningWorkspacePrivateDnsZoneId
- }
- azureMachineLearningWorkspaceSecondPrivateDnsZoneId: {
- value: varPrivateDnsZonesFinalResourceIds.azureMachineLearningWorkspaceSecondPrivateDnsZoneId
- }
- azureServiceBusNamespacePrivateDnsZoneId: {
- value: varPrivateDnsZonesFinalResourceIds.azureServiceBusNamespacePrivateDnsZoneId
- }
- azureCognitiveSearchPrivateDnsZoneId: {
- value: varPrivateDnsZonesFinalResourceIds.azureCognitiveSearchPrivateDnsZoneId
- }
}
parPolicyAssignmentIdentityType: varPolicyAssignmentDeployPrivateDNSZones.libDefinition.identity.type
parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentDeployPrivateDNSZones.libDefinition.properties.enforcementMode
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_private_dns_zones.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_private_dns_zones.tmpl.json
index cfe7a93b9..49e1efbda 100644
--- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_private_dns_zones.tmpl.json
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_private_dns_zones.tmpl.json
@@ -16,9 +16,6 @@
"azureAcrPrivateDnsZoneId": {
"value": "${varPrivateDnsZonesFinalResourceIds}.azureAcrPrivateDnsZoneId"
},
- "azureAcrDataPrivateDnsZoneId": {
- "value": "${varPrivateDnsZonesFinalResourceIds}.azureAcrDataPrivateDnsZoneId"
- },
"azureAppPrivateDnsZoneId": {
"value": "${varPrivateDnsZonesFinalResourceIds}.azureAppPrivateDnsZoneId"
},
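Review bot: Dropping `azureAcrDataPrivateDnsZoneId` from the assignment template in the `@@ -16,9 +16,6 @@` hunk is only safe if the Deploy-Private-DNS-Zones policy definition no longer declares that parameter, or declares it with a default, because an assignment that omits a definition parameter without a default is rejected when the assignment is created; the same applies to `azureDataExplorerPrivateDnsZoneId` and `azureKubernetesManagementPrivateDnsZoneId` removed in the `@@ -70,9 +67,6 @@` and `@@ -115,9 +109,6 @@` hunks. The definition is not part of this series, so I cannot confirm which way it goes. The matching keys in `varPrivateDnsZonesFinalResourceIds` and the module parameter list in alzDefaultPolicyAssignments.bicep should be removed, or confirmed absent, in the same change so the two hand-maintained lists stay in sync. A one-line reason in the commit message for why these three zones are no longer deployed would help the next person reconciling the lists.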
@@ -70,9 +67,6 @@
"azureCosmosTablePrivateDnsZoneId": {
"value": "${varPrivateDnsZonesFinalResourceIds}.azureCosmosTablePrivateDnsZoneId"
},
- "azureDataExplorerPrivateDnsZoneId": {
- "value": "${varPrivateDnsZonesFinalResourceIds}.azureDataExplorerPrivateDnsZoneId"
- },
"azureDataFactoryPortalPrivateDnsZoneId": {
"value": "${varPrivateDnsZonesFinalResourceIds}.azureDataFactoryPortalPrivateDnsZoneId"
},
@@ -115,9 +109,6 @@
"azureKeyVaultPrivateDnsZoneId": {
"value": "${varPrivateDnsZonesFinalResourceIds}.azureKeyVaultPrivateDnsZoneId"
},
- "azureKubernetesManagementPrivateDnsZoneId": {
- "value": "${varPrivateDnsZonesFinalResourceIds}.azureKubernetesManagementPrivateDnsZoneId"
- },
"azureMachineLearningWorkspacePrivateDnsZoneId": {
"value": "${varPrivateDnsZonesFinalResourceIds}.azureMachineLearningWorkspacePrivateDnsZoneId"
},
From b0b300685795905edb2a1f9d0e4a054a68d043fe Mon Sep 17 00:00:00 2001
From: Zach Trocinski
Date: Fri, 15 Nov 2024 17:27:50 -0600
Subject: [PATCH 04/15] Update generated docs
---
.../generateddocs/alzDefaultPolicyAssignments.bicep.md | 1 +
1 file changed, 1 insertion(+)
diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md
index ef4ce4c5a..44527a9a8 100644
--- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md
+++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md
@@ -26,6 +26,7 @@ parMsDefenderForCloudEmailSecurityContact | No | Email address for Microso parDdosEnabled | No | Enable/disable DDoS Network Protection. True enforces Enable-DDoS-VNET policy; false disables. parDdosProtectionPlanId | No | Resource ID of the DDoS Protection Plan for Virtual Networks. parPrivateDnsResourceGroupId | No | Resource ID of the Resource Group for Private DNS Zones. Empty to skip assigning the Deploy-Private-DNS-Zones policy. +parPrivateDnsZonesLocation | No | Location of Private DNS Zones. parPrivateDnsZonesNamesToAuditInCorp | No | List of Private DNS Zones to audit under the Corp Management Group. This overwrites default values. parDisableAlzDefaultPolicies | No | Disable all default ALZ policies. parDisableSlzDefaultPolicies | No | Disable all default sovereign policies. From 17e84f72b4609b608f621de5ec2d1d5180ce7ace Mon Sep 17 00:00:00 2001 From: Zach Trocinski Date: Fri, 15 Nov 2024 17:37:28 -0600 Subject: [PATCH 05/15] Add param to accelerator --- accelerator/.config/ALZ-Powershell-Auto.config.json | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/accelerator/.config/ALZ-Powershell-Auto.config.json b/accelerator/.config/ALZ-Powershell-Auto.config.json index 9e37da45a..896fce068 100644 --- a/accelerator/.config/ALZ-Powershell-Auto.config.json +++ b/accelerator/.config/ALZ-Powershell-Auto.config.json @@ -304,6 +304,10 @@ "Name": "parVirtualWanHubs.value[0].parHubLocation", "Destination": "Parameters" }, + { + "Name": "parPrivateDnsZonesLocatio.value", + "Destination": "Parameters" + }, { "Name": "LOCATION", "Destination": "Environment" From 6d300fc5b2faf3a2ae8e5063d3b5f003404229e7 Mon Sep 17 00:00:00 2001 From: github-actions <41898282+github-actions[bot]@users.noreply.github.com> Date: Fri, 15 Nov 2024 23:44:18 +0000 Subject: [PATCH 06/15] Generate Parameter Markdowns [oZakari/1618d0f4] --- .../alzDefaultPolicyAssignments.bicep.md | 11 +++++++++++ 1 file changed, 11 insertions(+) 
diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md index 44527a9a8..72821abd1 100644 --- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md +++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md @@ -179,6 +179,14 @@ Resource ID of the DDoS Protection Plan for Virtual Networks. Resource ID of the Resource Group for Private DNS Zones. Empty to skip assigning the Deploy-Private-DNS-Zones policy. +### parPrivateDnsZonesLocation + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Location of Private DNS Zones. + +- Default value: `eastus` + ### parPrivateDnsZonesNamesToAuditInCorp ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) @@ -308,6 +316,9 @@ Opt out of deployment telemetry. "parPrivateDnsResourceGroupId": { "value": "" }, + "parPrivateDnsZonesLocation": { + "value": "eastus" + }, "parPrivateDnsZonesNamesToAuditInCorp": { "value": [] }, From c806078aae163ba3438f7a20ad0f850d4ee807c9 Mon Sep 17 00:00:00 2001 From: Zach Trocinski Date: Fri, 15 Nov 2024 17:51:38 -0600 Subject: [PATCH 07/15] Fix value for param --- accelerator/.config/ALZ-Powershell-Auto.config.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/accelerator/.config/ALZ-Powershell-Auto.config.json b/accelerator/.config/ALZ-Powershell-Auto.config.json index 896fce068..e85d68158 100644 --- a/accelerator/.config/ALZ-Powershell-Auto.config.json +++ b/accelerator/.config/ALZ-Powershell-Auto.config.json @@ -305,7 +305,7 @@ "Destination": "Parameters" }, { - "Name": "parPrivateDnsZonesLocatio.value", + "Name": "parPrivateDnsZonesLocation.value", "Destination": "Parameters" }, { 
From 1980ddd96083534b4d3eb097faf10e5c979cdceb Mon Sep 17 00:00:00 2001 From: Zach Trocinski Date: Mon, 18 Nov 2024 13:23:19 -0600 Subject: [PATCH 08/15] Add prefix to dependabot title --- .github/dependabot.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index a4d89087a..0859add3c 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -7,3 +7,6 @@ updates: labels: - "Type: Hygiene :broom:" - "Needs: Attention :wave:" + commit-message: + prefix: 'build: ' + From 64390a49fbd60115be68a75126c4392815500a2a Mon Sep 17 00:00:00 2001 From: Zach Trocinski Date: Wed, 27 Nov 2024 16:57:56 -0600 Subject: [PATCH 09/15] Update test values --- .../assignments/alzDefaults/alzDefaultPolicyAssignments.bicep | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep index cc7bac20c..4d5debeb8 100644 --- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep +++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep @@ -99,7 +99,7 @@ param parDdosProtectionPlanId string = '' param parPrivateDnsResourceGroupId string = '' @description('Location of Private DNS Zones.') -param parPrivateDnsZonesLocation string = 'eastus' +param parPrivateDnsZonesLocation string @description('List of Private DNS Zones to audit under the Corp Management Group. This overwrites default values.') param parPrivateDnsZonesNamesToAuditInCorp array = [] 
@@ -595,7 +595,7 @@ var varGeoCodes = {
westus3: 'wus3'
}
-var varSelectedGeoCode = varGeoCodes[?parPrivateDnsZonesLocation] ?? 'changeme'
+var varSelectedGeoCode = varGeoCodes[?parPrivateDnsZonesLocation]
var varPrivateDnsZonesFinalResourceIds = {
azureAcrPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.azurecr.io'
From 0c52c912fa6d9b8da3756df4b60edce9aff70cb3 Mon Sep 17 00:00:00 2001
From: Zach Trocinski
Date: Wed, 27 Nov 2024 17:00:35 -0600
Subject: [PATCH 10/15] Updated param table
---
.../generateddocs/alzDefaultPolicyAssignments.bicep.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md
index 72821abd1..d103dba7e 100644
--- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md
+++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md
@@ -26,7 +26,7 @@ parMsDefenderForCloudEmailSecurityContact | No | Email address for Microso parDdosEnabled | No | Enable/disable DDoS Network Protection. True enforces Enable-DDoS-VNET policy; false disables. parDdosProtectionPlanId | No | Resource ID of the DDoS Protection Plan for Virtual Networks. parPrivateDnsResourceGroupId | No | Resource ID of the Resource Group for Private DNS Zones. Empty to skip assigning the Deploy-Private-DNS-Zones policy. -parPrivateDnsZonesLocation | No | Location of Private DNS Zones. +parPrivateDnsZonesLocation | Yes | Location of Private DNS Zones. parPrivateDnsZonesNamesToAuditInCorp | No | List of Private DNS Zones to audit under the Corp Management Group. This overwrites default values. parDisableAlzDefaultPolicies | No | Disable all default ALZ policies. parDisableSlzDefaultPolicies | No | Disable all default sovereign policies. From 7bedcf97b4b979c332f6c2931041b0ff17c08512 Mon Sep 17 00:00:00 2001 From: github-actions <41898282+github-actions[bot]@users.noreply.github.com> Date: Tue, 3 Dec 2024 22:04:26 +0000 Subject: [PATCH 11/15] Generate Parameter Markdowns [oZakari/640a1dbc] --- .../generateddocs/alzDefaultPolicyAssignments.bicep.md | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md index 72821abd1..278d61faf 100644 --- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md +++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md 
@@ -26,7 +26,7 @@ parMsDefenderForCloudEmailSecurityContact | No | Email address for Microso parDdosEnabled | No | Enable/disable DDoS Network Protection. True enforces Enable-DDoS-VNET policy; false disables. parDdosProtectionPlanId | No | Resource ID of the DDoS Protection Plan for Virtual Networks. parPrivateDnsResourceGroupId | No | Resource ID of the Resource Group for Private DNS Zones. Empty to skip assigning the Deploy-Private-DNS-Zones policy. -parPrivateDnsZonesLocation | No | Location of Private DNS Zones. +parPrivateDnsZonesLocation | Yes | Location of Private DNS Zones. parPrivateDnsZonesNamesToAuditInCorp | No | List of Private DNS Zones to audit under the Corp Management Group. This overwrites default values. parDisableAlzDefaultPolicies | No | Disable all default ALZ policies. parDisableSlzDefaultPolicies | No | Disable all default sovereign policies. @@ -181,12 +181,10 @@ Resource ID of the Resource Group for Private DNS Zones. Empty to skip assigning ### parPrivateDnsZonesLocation -![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) +![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square) Location of Private DNS Zones. -- Default value: `eastus` - ### parPrivateDnsZonesNamesToAuditInCorp ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) @@ -317,7 +315,7 @@ Opt out of deployment telemetry. "value": "" }, "parPrivateDnsZonesLocation": { - "value": "eastus" + "value": "" }, "parPrivateDnsZonesNamesToAuditInCorp": { "value": [] From b71af3e323c53bb3f262242c7204c2c187aed89e Mon Sep 17 00:00:00 2001 From: Zach Trocinski Date: Tue, 3 Dec 2024 18:33:40 -0600 Subject: [PATCH 12/15] Update logic --- .../alzDefaults/alzDefaultPolicyAssignments.bicep | 4 ++-- .../alzDefaultPolicyAssignments.parameters.min.json | 10 +++++----- 2 files changed, 7 insertions(+), 7 deletions(-) 
diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep
index 4d5debeb8..2d6d07d4e 100644
--- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep
+++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep
@@ -99,7 +99,7 @@ param parDdosProtectionPlanId string = ''
param parPrivateDnsResourceGroupId string = ''
@description('Location of Private DNS Zones.')
-param parPrivateDnsZonesLocation string
+param parPrivateDnsZonesLocation string = ''
@description('List of Private DNS Zones to audit under the Corp Management Group. This overwrites default values.')
param parPrivateDnsZonesNamesToAuditInCorp array = []
@@ -595,7 +595,7 @@ var varGeoCodes = {
westus3: 'wus3'
}
-var varSelectedGeoCode = varGeoCodes[?parPrivateDnsZonesLocation]
+var varSelectedGeoCode = !empty(parPrivateDnsZonesLocation) ? varGeoCodes[parPrivateDnsZonesLocation] : null
var varPrivateDnsZonesFinalResourceIds = {
azureAcrPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.azurecr.io'
diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.min.json b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.min.json
index 5651fe41a..e2dbf577e 100644
--- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.min.json
+++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.min.json
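Review bot: The new `varSelectedGeoCode` expression in the `@@ -595,7 +595,7 @@` hunk indexes `varGeoCodes` directly, so a non-empty `parPrivateDnsZonesLocation` that is not a key of the map (only its tail is visible here) now fails the deployment, whereas the previous `varGeoCodes[?parPrivateDnsZonesLocation]` form evaluated to null. If failing fast on an unmapped region is the intent, make the accepted values discoverable on the parameter in the `@@ -99,7 +99,7 @@` hunk, either with an `@allowed([...])` decorator listing the `varGeoCodes` keys or with a description such as `@description('Location of Private DNS Zones. Must be one of the regions mapped in varGeoCodes; leave empty to skip the geo-code lookup.')`; otherwise keep the safe-dereference inside the ternary, `var varSelectedGeoCode = !empty(parPrivateDnsZonesLocation) ? varGeoCodes[?parPrivateDnsZonesLocation] : null`. How a null `varSelectedGeoCode` is consumed is outside the hunk, so I cannot tell whether the new empty-string default still yields valid zone names downstream.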
@@ -12,19 +12,19 @@
"value": "eastus"
},
"parLogAnalyticsWorkspaceResourceId": {
- "value": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/alz-logging/providers/Microsoft.OperationalInsights/workspaces/alz-log-analytics"
+ "value": "/subscriptions/69ac80fe-dbff-4971-9cba-9cb384486ba5/resourceGroups/alz-logging/providers/Microsoft.OperationalInsights/workspaces/alz-log-analytics"
},
"parDataCollectionRuleVMInsightsResourceId": {
- "value": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/alz-logging/providers/Microsoft.Insights/dataCollectionRules/alz-ama-vmi-dcr"
+ "value": "/subscriptions/69ac80fe-dbff-4971-9cba-9cb384486ba5/resourceGroups/alz-logging/providers/Microsoft.Insights/dataCollectionRules/alz-ama-vmi-dcr"
},
"parDataCollectionRuleChangeTrackingResourceId": {
- "value": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/alz-logging/providers/Microsoft.Insights/dataCollectionRules/alz-ama-ct-dcr"
+ "value": "/subscriptions/69ac80fe-dbff-4971-9cba-9cb384486ba5/resourceGroups/alz-logging/providers/Microsoft.Insights/dataCollectionRules/alz-ama-ct-dcr"
},
"parDataCollectionRuleMDFCSQLResourceId": {
- "value": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/alz-logging/providers/Microsoft.Insights/dataCollectionRules/ama-mdfcsql-default-dcr"
+ "value": "/subscriptions/69ac80fe-dbff-4971-9cba-9cb384486ba5/resourceGroups/alz-logging/providers/Microsoft.Insights/dataCollectionRules/ama-mdfcsql-default-dcr"
},
"parUserAssignedManagedIdentityResourceId": {
- "value": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourcegroups/alz-logging/providers/Microsoft.ManagedIdentity/userAssignedIdentities/alz-umi-identity"
+ "value": "/subscriptions/69ac80fe-dbff-4971-9cba-9cb384486ba5/resourcegroups/alz-logging/providers/Microsoft.ManagedIdentity/userAssignedIdentities/alz-umi-identity"
},
"parLogAnalyticsWorkspaceLogRetentionInDays": {
"value": "365"
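Review bot: The five resource IDs in this hunk replace the `xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx` placeholder with what appears to be a real subscription ID (`69ac80fe-…`), which has nothing to do with the "Update logic" title and looks like a local test value committed by mistake. A sample parameters file in a public repository should keep the placeholder: a subscription ID is not a credential, but it is a tenant-identifying value that gets copied into other samples and remains in git history even after a revert. Restore `"/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/..."` on these five lines so the file matches the placeholder still used in `alzDefaultPolicyAssignments.parameters.all.json` later in this series. A CI or pre-commit check that rejects GUID-shaped `/subscriptions/` segments under the `parameters/` samples would stop this class of slip before review.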
From a24b95eca1380f6cb470474e048a371298464f27 Mon Sep 17 00:00:00 2001 From: Zach Trocinski Date: Tue, 3 Dec 2024 19:10:21 -0600 Subject: [PATCH 13/15] Update spacing --- .../assignments/alzDefaults/alzDefaultPolicyAssignments.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep index 2d6d07d4e..3bc659152 100644 --- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep +++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep @@ -595,7 +595,7 @@ var varGeoCodes = { westus3: 'wus3' } -var varSelectedGeoCode = !empty(parPrivateDnsZonesLocation) ? varGeoCodes[parPrivateDnsZonesLocation] : null +var varSelectedGeoCode = !empty(parPrivateDnsZonesLocation) ? varGeoCodes[parPrivateDnsZonesLocation] : null var varPrivateDnsZonesFinalResourceIds = { azureAcrPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.azurecr.io' From 83c232e7849a17fb88ffe6f01f8669e7bf174379 Mon Sep 17 00:00:00 2001 From: Zach Trocinski Date: Tue, 3 Dec 2024 22:34:10 -0600 Subject: [PATCH 14/15] Add params to parameter file --- .../parameters/alzDefaultPolicyAssignments.parameters.all.json | 3 +++ .../parameters/alzDefaultPolicyAssignments.parameters.min.json | 3 +++ 2 files changed, 6 insertions(+) diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.all.json b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.all.json index 17556fd5c..127a09341 100644 --- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.all.json 
+++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.all.json @@ -71,6 +71,9 @@ "parPrivateDnsResourceGroupId": { "value": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/rg-alz-hub-networking-001" }, + "parPrivateDnsZonesLocation": { + "value": "eastus" + }, "parPrivateDnsZonesNamesToAuditInCorp": { "value": [] }, diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.min.json b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.min.json index e2dbf577e..722d45501 100644 --- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.min.json +++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.min.json @@ -37,6 +37,9 @@ }, "parTelemetryOptOut": { "value": false + }, + "parPrivateDnsZonesLocation": { + "value": "eastus" } } } From c6945695e4da84847bb0b84dac6fa938727c0b91 Mon Sep 17 00:00:00 2001 From: github-actions <41898282+github-actions[bot]@users.noreply.github.com> Date: Wed, 4 Dec 2024 04:42:20 +0000 Subject: [PATCH 15/15] Generate Parameter Markdowns [oZakari/0a582834] --- .../generateddocs/alzDefaultPolicyAssignments.bicep.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md index 47c717bb7..32417151c 100644 --- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md +++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md 
@@ -26,7 +26,7 @@ parMsDefenderForCloudEmailSecurityContact | No | Email address for Microso parDdosEnabled | No | Enable/disable DDoS Network Protection. True enforces Enable-DDoS-VNET policy; false disables. parDdosProtectionPlanId | No | Resource ID of the DDoS Protection Plan for Virtual Networks. parPrivateDnsResourceGroupId | No | Resource ID of the Resource Group for Private DNS Zones. Empty to skip assigning the Deploy-Private-DNS-Zones policy. -parPrivateDnsZonesLocation | Yes | Location of Private DNS Zones. +parPrivateDnsZonesLocation | No | Location of Private DNS Zones. parPrivateDnsZonesNamesToAuditInCorp | No | List of Private DNS Zones to audit under the Corp Management Group. This overwrites default values. parDisableAlzDefaultPolicies | No | Disable all default ALZ policies. parDisableSlzDefaultPolicies | No | Disable all default sovereign policies. @@ -181,7 +181,7 @@ Resource ID of the Resource Group for Private DNS Zones. Empty to skip assigning ### parPrivateDnsZonesLocation -![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square) +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) Location of Private DNS Zones.