Fixing Bicep deploy-time warnings

src/bicep/mlz.bicep

@@ -277,28 +277,28 @@ param operationsVirtualNetworkDiagnosticsMetrics array = []
 @description('An array of Network Security Group rules to apply to the Operations Virtual Network. See https://docs.microsoft.com/en-us/azure/templates/microsoft.network/networksecuritygroups/securityrules?tabs=bicep#securityrulepropertiesformat for valid settings.')
 param operationsNetworkSecurityGroupRules array = [
  {
- name: 'Allow-Traffic-From-Spokes'
- properties: {
- access: 'Allow'
- description: 'Allow traffic from spokes'
- destinationAddressPrefix: operationsVirtualNetworkAddressPrefix
- destinationPortRanges: [
- '22'
- '80'
- '443'
- '3389'
- ]
- direction: 'Inbound'
- priority: 200
- protocol: '*'
- sourceAddressPrefixes: [
- identityVirtualNetworkAddressPrefix
- sharedServicesVirtualNetworkAddressPrefix
- ]
- sourcePortRange: '*'
+ name: 'Allow-Traffic-From-Spokes'
+ properties: {
+ access: 'Allow'
+ description: 'Allow traffic from spokes'
+ destinationAddressPrefix: operationsVirtualNetworkAddressPrefix
+ destinationPortRanges: [
+ '22'
+ '80'
+ '443'
+ '3389'
+ ]
+ direction: 'Inbound'
+ priority: 200
+ protocol: '*'
+ sourceAddressPrefixes: [
+ identityVirtualNetworkAddressPrefix
+ sharedServicesVirtualNetworkAddressPrefix
+ ]
+ sourcePortRange: '*'
+ }
+ type: 'string'
  }
- type: 'string'
-}
 ]
 
 @description('An array of Network Security Group diagnostic logs to apply to the Operations Virtual Network. See https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-nsg-manage-log#log-categories for valid settings.')
@@ -711,9 +711,9 @@ var spokes = [
 // TAGS
 
 var defaultTags = {
- 'resourcePrefix': resourcePrefix
- 'resourceSuffix': resourceSuffix
- 'DeploymentType': 'MissionLandingZoneARM'
+ resourcePrefix: resourcePrefix
+ resourceSuffix: resourceSuffix
+ DeploymentType: 'MissionLandingZoneARM'
 }
 
 var calculatedTags = union(tags, defaultTags)
@@ -937,7 +937,7 @@ module hubSubscriptionActivityLogging './modules/central-logging.bicep' = {
  ]
 }
 
-module azureMonitorPrivateLink './modules/private-link.bicep' = if ( contains(supportedClouds, environment().name) ){
+module azureMonitorPrivateLink './modules/private-link.bicep' = if (contains(supportedClouds, environment().name)) {
  name: 'azure-monitor-private-link'
  scope: resourceGroup(operationsSubscriptionId, operationsResourceGroupName)
  params: {

src/bicep/modules/defender.bicep

@@ -5,32 +5,32 @@ Licensed under the MIT License.
 
 targetScope = 'subscription'
 
-param bundle array = (environment().name == 'AzureCloud') ? [ 
- 'AppServices'
- 'Arm'
- 'ContainerRegistry'
- 'Containers'
- 'CosmosDbs'
- 'Dns'
- 'KeyVaults'
- 'KubernetesService'
- 'OpenSourceRelationalDatabases'
- 'SqlServers'
- 'SqlServerVirtualMachines'
- 'StorageAccounts'
- 'VirtualMachines'
- ] : (environment().name == 'AzureUSGovernment') ? [
- 'Arm'
- 'ContainerRegistry'
- 'Containers'
- 'Dns'
- 'KubernetesService'
- 'OpenSourceRelationalDatabases'
- 'SqlServers'
- 'SqlServerVirtualMachines'
- 'StorageAccounts'
- 'VirtualMachines'
- ] : []
+param bundle array = (environment().name == 'AzureCloud') ? [
+ 'AppServices'
+ 'Arm'
+ 'ContainerRegistry'
+ 'Containers'
+ 'CosmosDbs'
+ 'Dns'
+ 'KeyVaults'
+ 'KubernetesService'
+ 'OpenSourceRelationalDatabases'
+ 'SqlServers'
+ 'SqlServerVirtualMachines'
+ 'StorageAccounts'
+ 'VirtualMachines'
+] : (environment().name == 'AzureUSGovernment') ? [
+ 'Arm'
+ 'ContainerRegistry'
+ 'Containers'
+ 'Dns'
+ 'KubernetesService'
+ 'OpenSourceRelationalDatabases'
+ 'SqlServers'
+ 'SqlServerVirtualMachines'
+ 'StorageAccounts'
+ 'VirtualMachines'
+] : []
 
 @description('Turn automatic deployment by Defender of the MMA (OMS VM extension) on or off')
 param enableAutoProvisioning bool = true
@@ -45,7 +45,6 @@ param emailSecurityContact string
 @description('Policy Initiative description field')
 param policySetDescription string = 'The Azure Security Benchmark initiative represents the policies and controls implementing security recommendations defined in Azure Security Benchmark v2, see https://aka.ms/azsecbm. This also serves as the Microsoft Defender for Cloud default policy initiative. You can directly assign this initiative, or manage its policies and compliance results within Microsoft Defender.'
 
-
 // defender
 
 resource defenderPricing 'Microsoft.Security/pricings@2018-06-01' = [for name in bundle: {
@@ -64,7 +63,7 @@ resource autoProvision 'Microsoft.Security/autoProvisioningSettings@2017-08-01-p
  }
 }
 
-resource securityWorkspaceSettings  'Microsoft.Security/workspaceSettings@2017-08-01-preview' = {
+resource securityWorkspaceSettings 'Microsoft.Security/workspaceSettings@2017-08-01-preview' = {
  name: 'default'
  properties: {
  workspaceId: logAnalyticsWorkspaceId
@@ -89,6 +88,6 @@ resource securityPoliciesDefault 'Microsoft.Authorization/policyAssignments@2020
  description: policySetDescription
  enforcementMode: 'DoNotEnforce'
  parameters: {}
- policyDefinitionId: '/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8'
+ policyDefinitionId: tenantResourceId('Microsoft.Authorization/policySetDefinitions', '1f3afdf9-d0c9-4c3d-847f-89da613e70a8')
  }
 }

src/bicep/modules/log-analytics-diagnostic-logging.bicep

@@ -11,7 +11,6 @@ param supportedClouds array = [
  'AzureUSGovernment'
 ]
 
-
 resource logAnalyticsWorkspace 'Microsoft.OperationalInsights/workspaces@2021-06-01' existing = {
  name: logAnalyticsWorkspaceName
 }
@@ -20,15 +19,9 @@ resource stg 'Microsoft.Storage/storageAccounts@2021-02-01' existing = {
  name: diagnosticStorageAccountName
 }
 
-resource securityContacts 'Microsoft.Security/securityContacts@2017-08-01-preview' existing = {
- name: 'securityNotifications'
- scope: subscription()
-}
-
-
 //// Setting log analytics to collect its own diagnostics to itself and to storage
-resource logAnalyticsDiagnostics 'Microsoft.Insights/diagnosticSettings@2017-05-01-preview' = if ( contains(supportedClouds, environment().name)) {
- name: 'enable-log-analytics-diagnostics' 
+resource logAnalyticsDiagnostics 'Microsoft.Insights/diagnosticSettings@2017-05-01-preview' = if (contains(supportedClouds, environment().name)) {
+ name: 'enable-log-analytics-diagnostics'
  scope: logAnalyticsWorkspace
  properties: {
  workspaceId: logAnalyticsWorkspace.id

src/bicep/modules/policy-assignment.bicep

@@ -29,23 +29,23 @@ resource logAnalyticsWorkspace 'Microsoft.OperationalInsights/workspaces@2021-06
 var policyDefinitionID = {
  NISTRev4: {
  id: '/providers/Microsoft.Authorization/policySetDefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f'
- parameters: json(replace(loadTextContent('policies/NISTRev4-policyAssignmentParameters.json'),'<LAWORKSPACE>', logAnalyticsWorkspace.id))
+ parameters: json(replace(loadTextContent('policies/NISTRev4-policyAssignmentParameters.json'), '<LAWORKSPACE>', logAnalyticsWorkspace.id))
  }
  NISTRev5: {
  id: '/providers/Microsoft.Authorization/policySetDefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f'
  parameters: json(loadTextContent('policies/NISTRev5-policyAssignmentParameters.json'))
  }
  IL5: {
  id: '/providers/Microsoft.Authorization/policySetDefinitions/f9a961fa-3241-4b20-adc4-bbf8ad9d7197'
- parameters: json(replace(loadTextContent('policies/IL5-policyAssignmentParameters.json'),'<LAWORKSPACE>', logAnalyticsWorkspace.id))
+ parameters: json(replace(loadTextContent('policies/IL5-policyAssignmentParameters.json'), '<LAWORKSPACE>', logAnalyticsWorkspace.id))
  }
  CMMC: {
  id: '/providers/Microsoft.Authorization/policySetDefinitions/b5629c75-5c77-4422-87b9-2509e680f8de'
- parameters: json(replace(loadTextContent('policies/CMMC-policyAssignmentParameters.json'),'<LAWORKSPACE>', logAnalyticsWorkspace.properties.customerId))
+ parameters: json(replace(loadTextContent('policies/CMMC-policyAssignmentParameters.json'), '<LAWORKSPACE>', logAnalyticsWorkspace.properties.customerId))
  }
 }
 
-var modifiedAssignment = ( environment().name =~ 'AzureCloud' && builtInAssignment =~ 'IL5' ? 'NISTRev4' : builtInAssignment )
+var modifiedAssignment = (environment().name =~ 'AzureCloud' && builtInAssignment =~ 'IL5' ? 'NISTRev4' : builtInAssignment)
 var assignmentName = '${modifiedAssignment} ${resourceGroup().name}'
 var agentVmssAssignmentName = 'Deploy VMSS Agents ${resourceGroup().name}'
 var agentVmAssignmentName = 'Deploy VM Agents ${resourceGroup().name}'
@@ -57,8 +57,8 @@ resource assignment 'Microsoft.Authorization/policyAssignments@2020-09-01' = {
  name: assignmentName
  location: location
  properties: {
-  policyDefinitionId: policyDefinitionID[modifiedAssignment].id
-  parameters: policyDefinitionID[modifiedAssignment].parameters
+ policyDefinitionId: policyDefinitionID[modifiedAssignment].id
+ parameters: policyDefinitionID[modifiedAssignment].parameters
  }
  identity: {
  type: 'SystemAssigned'
@@ -69,7 +69,7 @@ resource vmssAgentAssignment 'Microsoft.Authorization/policyAssignments@2020-09-
  name: agentVmssAssignmentName
  location: location
  properties: {
- policyDefinitionId: '/providers/Microsoft.Authorization/policySetDefinitions/75714362-cae7-409e-9b99-a8e5075b7fad'
+ policyDefinitionId: tenantResourceId('Microsoft.Authorization/policySetDefinitions', '75714362-cae7-409e-9b99-a8e5075b7fad')
  parameters: {
  logAnalytics_1: {
  value: logAnalyticsWorkspace.id
@@ -85,7 +85,7 @@ resource vmAgentAssignment 'Microsoft.Authorization/policyAssignments@2020-09-01
  name: agentVmAssignmentName
  location: location
  properties: {
- policyDefinitionId: '/providers/Microsoft.Authorization/policySetDefinitions/55f3eceb-5573-4f18-9695-226972c6d74a'
+ policyDefinitionId: tenantResourceId('Microsoft.Authorization/policySetDefinitions', '55f3eceb-5573-4f18-9695-226972c6d74a')
  parameters: {
  logAnalytics_1: {
  value: logAnalyticsWorkspace.id
@@ -99,34 +99,34 @@ resource vmAgentAssignment 'Microsoft.Authorization/policyAssignments@2020-09-01
 
 // assign the policies assigned idenitity as contributor to each resource group for deploy if not exist and modify policiy remediation
 resource policyRoleAssignment 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = {
- name: guid(contributorRoleDefinitionId,assignmentName)
+ name: guid(contributorRoleDefinitionId, assignmentName)
  scope: resourceGroup()
  properties: {
  roleDefinitionId: contributorRoleDefinitionId
  principalId: (empty(modifiedAssignment) ? '' : assignment.identity.principalId)
  principalType: 'ServicePrincipal'
- }
  }
+}
 
 resource vmmsPolicyRoleAssignment 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = {
- name: guid(contributorRoleDefinitionId,agentVmssAssignmentName)
+ name: guid(contributorRoleDefinitionId, agentVmssAssignmentName)
  scope: resourceGroup()
  properties: {
  roleDefinitionId: contributorRoleDefinitionId
  principalId: vmssAgentAssignment.identity.principalId
  principalType: 'ServicePrincipal'
- }
  }
+}
 
 resource vmPolicyRoleAssignment 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = {
- name: guid(contributorRoleDefinitionId,agentVmAssignmentName)
+ name: guid(contributorRoleDefinitionId, agentVmAssignmentName)
  scope: resourceGroup()
  properties: {
  roleDefinitionId: contributorRoleDefinitionId
  principalId: vmAgentAssignment.identity.principalId
  principalType: 'ServicePrincipal'
- }
  }
+}
 
 module roleAssignment '../modules/role-assignment.bicep' = {
  name: 'Assign-Laws-Role-Policy-${resourceGroup().name}'
@@ -138,7 +138,7 @@ module roleAssignment '../modules/role-assignment.bicep' = {
  }
 }
 
-resource vmPolicyRemediation 'Microsoft.PolicyInsights/remediations@2019-07-01' = if(deployRemediation) {
+resource vmPolicyRemediation 'Microsoft.PolicyInsights/remediations@2019-07-01' = if (deployRemediation) {
  name: 'VM-Agent-Policy-Remediation'
  properties: {
  policyAssignmentId: vmAgentAssignment.id