Updated documents, from docs.microsoft.com - to Learn. (Azure#350)
lukemurraynz authored Feb 6, 2023
1 parent e44c7ea commit 0fa01e8
Showing 56 changed files with 398 additions and 398 deletions.
8 changes: 4 additions & 4 deletions README.md
@@ -2,14 +2,14 @@

## Introduction

The purpose of the reference implementation is to guide Canadian Public Sector customers on building Landing Zones in their Azure environment. The reference implementation is based on [Cloud Adoption Framework for Azure](https://docs.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/) and provides an opinionated implementation that enables ITSG-33 regulatory compliance by using [NIST SP 800-53 Rev. 4](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4) and [Canada Federal PBMM](https://docs.microsoft.com/azure/governance/policy/samples/canada-federal-pbmm) Regulatory Compliance Policy Sets.
The purpose of the reference implementation is to guide Canadian Public Sector customers on building Landing Zones in their Azure environment. The reference implementation is based on [Cloud Adoption Framework for Azure](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/) and provides an opinionated implementation that enables ITSG-33 regulatory compliance by using [NIST SP 800-53 Rev. 4](https://learn.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4) and [Canada Federal PBMM](https://learn.microsoft.com/azure/governance/policy/samples/canada-federal-pbmm) Regulatory Compliance Policy Sets.

Architecture supported up to Treasury Board of Canada Secretariat (TBS) Cloud Profile 3 - Cloud Only Applications. This profile is applicable to Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) with [characteristics](https://github.com/canada-ca/cloud-guardrails/blob/master/EN/00_Applicable-Scope.md):

* Cloud-based services hosting sensitive (up to Protected B) information
* No direct system to system network interconnections required with GC data centers

> This implementation is specific to **Canadian Public Sector departments**. Please see [Implement Cloud Adoption Framework enterprise-scale landing zones in Azure](https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/implementation) if you are looking for implementation for other industries or customers.
> This implementation is specific to **Canadian Public Sector departments**. Please see [Implement Cloud Adoption Framework enterprise-scale landing zones in Azure](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/implementation) if you are looking for implementation for other industries or customers.
## Architecture

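Review bot: the blockquote ending with `> This implementation is specific to **Canadian Public Sector departments**...` runs straight into `## Architecture` with no blank line between them. It renders correctly only because an ATX heading cannot continue a blockquote; since this line is being touched anyway, add a blank line after the `>` paragraph to match the spacing used elsewhere in the file.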
@@ -54,7 +54,7 @@ multiple types of workloads including App Dev and Data & AI.

* Automatic approval for Canada Federal PBMM nor Authority to Operate (ATO). Customers must collect evidence, customize to meet their departmental requirements and submit for Authority to Operate based on their risk profile, requirements and process.

* Compliant on all Azure Policies when the reference implementation is deployed. This is due to the shared responsibility of cloud and customers can choose the Azure Policies to exclude. For example, using Azure Firewall is an Azure Policy that will be non-compliant since majority of the Public Sector customers use Network Virtual Appliances such as Fortinet. Customers must review [Microsoft Defender for Cloud Regulatory Compliance dashboard](https://docs.microsoft.com/azure/defender-for-cloud/update-regulatory-compliance-packages) and apply appropriate exemptions.
* Compliant on all Azure Policies when the reference implementation is deployed. This is due to the shared responsibility of cloud and customers can choose the Azure Policies to exclude. For example, using Azure Firewall is an Azure Policy that will be non-compliant since majority of the Public Sector customers use Network Virtual Appliances such as Fortinet. Customers must review [Microsoft Defender for Cloud Regulatory Compliance dashboard](https://learn.microsoft.com/azure/defender-for-cloud/update-regulatory-compliance-packages) and apply appropriate exemptions.

## Contributing

@@ -64,7 +64,7 @@ See [Contributing Reference Implementation](CONTRIBUTING.md) for information on

**November 11, 2021 onward**

> Microsoft can identify the deployments of the Azure Resource Manager and Bicep templates with the deployed Azure resources. Microsoft can correlate these resources used to support the deployments. Microsoft collects this information to provide the best experiences with their products and to operate their business. The telemetry is collected through [customer usage attribution](https://docs.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution). The data is collected and governed by Microsoft's privacy policies, located at [https://www.microsoft.com/trustcenter](https://www.microsoft.com/trustcenter).
> Microsoft can identify the deployments of the Azure Resource Manager and Bicep templates with the deployed Azure resources. Microsoft can correlate these resources used to support the deployments. Microsoft collects this information to provide the best experiences with their products and to operate their business. The telemetry is collected through [customer usage attribution](https://learn.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution). The data is collected and governed by Microsoft's privacy policies, located at [https://www.microsoft.com/trustcenter](https://www.microsoft.com/trustcenter).
>
> If you don't wish to send usage data to Microsoft, you can set the `customerUsageAttribution.enabled` setting to `false` in `config/telemetry.json`. Learn more in our [Azure DevOps Pipelines](docs/onboarding/azure-devops-pipelines.md#telemetry) onboarding guide.
>
2 changes: 1 addition & 1 deletion SECURITY.md
@@ -4,7 +4,7 @@

Microsoft takes the security of our software products and services seriously, which includes all source code repositories managed through our GitHub organizations, which include [Microsoft](https://github.com/Microsoft), [Azure](https://github.com/Azure), [DotNet](https://github.com/dotnet), [AspNet](https://github.com/aspnet), [Xamarin](https://github.com/xamarin), and [our GitHub organizations](https://opensource.microsoft.com/).

If you believe you have found a security vulnerability in any Microsoft-owned repository that meets [Microsoft's definition of a security vulnerability](https://docs.microsoft.com/en-us/previous-versions/tn-archive/cc751383(v=technet.10)), please report it to us as described below.
If you believe you have found a security vulnerability in any Microsoft-owned repository that meets [Microsoft's definition of a security vulnerability](https://learn.microsoft.com/en-us/previous-versions/tn-archive/cc751383(v=technet.10)), please report it to us as described below.

## Reporting Security Issues

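Review bot: the replacement URL keeps the `/en-us/` locale segment (`https://learn.microsoft.com/en-us/previous-versions/tn-archive/cc751383(v=technet.10)`) while the README links in this same commit were rewritten without a locale; drop `en-us/` so the docs links are consistent and locale-neutral. The same applies to the `container-registry` and `aks` comment links further down. Because this link points into the `previous-versions/tn-archive` area, it is also worth confirming it still resolves on the new host rather than relying on a redirect, since it is the definition a reporter is told to check before filing a vulnerability report.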
2 changes: 1 addition & 1 deletion azresources/compute/web/appservice-linux-container.bicep
@@ -56,7 +56,7 @@ resource app 'Microsoft.Web/sites@2021-02-01' = {
clientAffinityEnabled: true
siteConfig: {
// for Linux Apps Azure DNS private zones only works if Route All is enabled.
// https://docs.microsoft.com/azure/app-service/web-sites-integrate-with-vnet#azure-dns-private-zones
// https://learn.microsoft.com/azure/app-service/web-sites-integrate-with-vnet#azure-dns-private-zones
linuxFxVersion: 'DOCKER|mcr.microsoft.com/appsvc/staticsite:latest'
vnetRouteAllEnabled: true
use32BitWorkerProcess: false
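Review bot: not part of this change, but two lines above the edited comment the placeholder container image uses a floating tag, `linuxFxVersion: 'DOCKER|mcr.microsoft.com/appsvc/staticsite:latest'`. A mutable `:latest` tag means the image the app starts with can change between deployments; pin a specific tag (or a digest) so the deployment is reproducible and the image actually running can be verified.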
2 changes: 1 addition & 1 deletion azresources/compute/web/appservice-linux.bicep
@@ -58,7 +58,7 @@ resource app 'Microsoft.Web/sites@2020-06-01' = {
clientAffinityEnabled: true
siteConfig: {
// for Linux Apps Azure DNS private zones only works if Route All is enabled.
// https://docs.microsoft.com/azure/app-service/web-sites-integrate-with-vnet#azure-dns-private-zones
// https://learn.microsoft.com/azure/app-service/web-sites-integrate-with-vnet#azure-dns-private-zones
vnetRouteAllEnabled: true

linuxFxVersion: stack
2 changes: 1 addition & 1 deletion azresources/containers/acr/acr-with-cmk.bicep
@@ -66,7 +66,7 @@ param tempKeyVaultName string = 'tmpkv${uniqueString(utcNow())}'

/*
Create a temporary key vault and key to setup CMK. These will be deleted at the end of deployment using deployment script.
See: https://docs.microsoft.com/en-us/azure/container-registry/container-registry-customer-managed-keys#advanced-scenario-key-vault-firewall
See: https://learn.microsoft.com/en-us/azure/container-registry/container-registry-customer-managed-keys#advanced-scenario-key-vault-firewall
*/
module tempAkv '../../security/key-vault.bicep' = {
name: 'deploy-keyvault-temp'
2 changes: 1 addition & 1 deletion azresources/containers/aks/main.bicep
@@ -118,7 +118,7 @@ module identity '../../iam/user-assigned-identity.bicep' = {
}
}

// assign permissions to identity per https://docs.microsoft.com/en-us/azure/aks/private-clusters#configure-private-dns-zone
// assign permissions to identity per https://learn.microsoft.com/en-us/azure/aks/private-clusters#configure-private-dns-zone
module rbacPrivateDnsZoneContributor '../../iam/resource/private-dns-zone-role-assignment-to-sp.bicep' = {
name: 'rbac-private-dns-zone-contributor-${name}'
scope: resourceGroup(privateDnsZoneSubscriptionId, privateZoneDnsResourceGroupName)
@@ -9,4 +9,4 @@
targetScope = 'managementGroup'

// This is an empty deployment by design
// Reference: https://docs.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution
// Reference: https://learn.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution
@@ -9,4 +9,4 @@
targetScope = 'resourceGroup'

// This is an empty deployment by design
// Reference: https://docs.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution
// Reference: https://learn.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution
@@ -9,4 +9,4 @@
targetScope = 'subscription'

// This is an empty deployment by design
// Reference: https://docs.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution
// Reference: https://learn.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution
@@ -9,4 +9,4 @@
targetScope = 'tenant'

// This is an empty deployment by design
// Reference: https://docs.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution
// Reference: https://learn.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution
12 changes: 6 additions & 6 deletions docs/archetypes/authoring-guide.md
@@ -1,6 +1,6 @@
# Archetype Authoring Guide

[Azure landing zones](https://docs.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/) are the output of a multi-subscription Azure environment that accounts for scale, security governance, networking, and identity. Therefore, deploying an archetype will result in an Azure landing zone that can be enhanced, scaled and refined based on business need.
[Azure landing zones](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/) are the output of a multi-subscription Azure environment that accounts for scale, security governance, networking, and identity. Therefore, deploying an archetype will result in an Azure landing zone that can be enhanced, scaled and refined based on business need.

This reference implementation provides a number of archetypes that can be used as-is or customized further to suit business needs. Archetypes are self-contained Bicep deployment templates that are used to configure multiple subscriptions. Archetypes provide the ability to configure new subscriptions with use case specific architecture in a repeatable method. One archetype can be used to configure many subscriptions.

@@ -233,7 +233,7 @@ module subScaffold '../scaffold-subscription.bicep' = {

## JSON Schema for deployment parameters

Spoke archetypes are deployed to a subscription using a JSON parameters file. This parameters file defines all configuration expected by the archetype in order to deploy and configure a subscription. An archetype can have an arbitrary number of parameters (up to a [maximum of 256 parameters](https://docs.microsoft.com/azure/azure-resource-manager/templates/best-practices#template-limits)).
Spoke archetypes are deployed to a subscription using a JSON parameters file. This parameters file defines all configuration expected by the archetype in order to deploy and configure a subscription. An archetype can have an arbitrary number of parameters (up to a [maximum of 256 parameters](https://learn.microsoft.com/azure/azure-resource-manager/templates/best-practices#template-limits)).

While these parameters offer customization benefits, they incur overhead when defining input values and correlating them to the resources that are deployed. To keep all related parameters together and to make them contextual, we've chosen to use `object` parameter type. This type can contain simple and complex nested types and offers greater flexibility when defining many related parameters together. For example:

@@ -270,7 +270,7 @@ A complex object parameter used for configuring Service Health alerts:
}
```

Azure Resource Manager templates (and by extension Bicep) does not support parameter validation for `object` type. Therefore, it's not possible to depend on Azure Resource Manager to perform pre-deployment validation. The input validation supported for parameters are described in [Azure Docs](https://docs.microsoft.com/azure/azure-resource-manager/templates/parameters).
Azure Resource Manager templates (and by extension Bicep) does not support parameter validation for `object` type. Therefore, it's not possible to depend on Azure Resource Manager to perform pre-deployment validation. The input validation supported for parameters are described in [Azure Docs](https://learn.microsoft.com/azure/azure-resource-manager/templates/parameters).

As a result, we could either

@@ -286,7 +286,7 @@ We chose to check the input parameters prior to deployment to identify misconfig

## Telemetry

This reference implementation is instrumented to track deployment telemetry per module through [customer usage attribution](https://docs.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution). When a new archetype is developed, the telemetry settings must be updated to reference the tracking id. Telemetry configuration is located at [`config/telemetry.json`](../../config/telemetry.json).
This reference implementation is instrumented to track deployment telemetry per module through [customer usage attribution](https://learn.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution). When a new archetype is developed, the telemetry settings must be updated to reference the tracking id. Telemetry configuration is located at [`config/telemetry.json`](../../config/telemetry.json).

To support per-module tracking, we've split each archetype to be tracked independently. At the moment, a single tracking id is used for all modules and can be modified in the future when required.

@@ -321,7 +321,7 @@ To support per-module tracking, we've split each archetype to be tracked indepen

```bicep
// Telemetry - Azure customer usage attribution
// Reference: https://docs.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution
// Reference: https://learn.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution

var telemetry = json(loadTextContent('../../config/telemetry.json'))
module telemetryCustomerUsageAttribution '../../azresources/telemetry/customer-usage-attribution-subscription.bicep' = if (telemetry.customerUsageAttribution.enabled) {
@@ -335,7 +335,7 @@ module telemetryCustomerUsageAttribution '../../azresources/telemetry/customer-u

> Use the [Onboarding Guide for Azure DevOps](../onboarding/azure-devops-pipelines.md) to configure the `subscription` pipeline. This pipeline will deploy workload archetypes such as Generic Subscription, Machine Learning and Healthcare.
Azure Resource Manager (ARM) parameters files provide deployment information to setup subscriptions. Deployment information can include `location`, `resource group names`, `resource names` and `networking`. You can find more information in [Azure Docs](https://docs.microsoft.com/azure/azure-resource-manager/templates/parameter-files) on ARM parameter files.
Azure Resource Manager (ARM) parameters files provide deployment information to setup subscriptions. Deployment information can include `location`, `resource group names`, `resource names` and `networking`. You can find more information in [Azure Docs](https://learn.microsoft.com/azure/azure-resource-manager/templates/parameter-files) on ARM parameter files.

These parameter files are located in [config/subscription](../../config/subscriptions) folder. This folder is configurable in `common.yml` and you can override in environment configuration files using the `subscriptionsPathFromRoot` setting. By default it is set to `config/subscriptions`.

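Review bot: the paragraph `Azure Resource Manager (ARM) parameters files provide deployment information...` follows the `> Use the [Onboarding Guide for Azure DevOps]...` blockquote with no blank line, so Markdown treats it as a lazy continuation and renders it inside the quote. Insert a blank line after the `>` line; since this is the line being edited, the fix belongs in this commit.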
6 changes: 3 additions & 3 deletions docs/archetypes/generic-subscription.md
@@ -92,15 +92,15 @@ Reference implementation uses parameter files with `object` parameters to consol

### Delete Locks

As an administrator, you can lock a subscription, resource group, or resource to prevent other users in your organization from accidentally deleting or modifying critical resources. The lock overrides any permissions the user might have. You can set the lock level to `CanNotDelete` or `ReadOnly`. Please see [Azure Docs](https://docs.microsoft.com/azure/azure-resource-manager/management/lock-resources) for more information.
As an administrator, you can lock a subscription, resource group, or resource to prevent other users in your organization from accidentally deleting or modifying critical resources. The lock overrides any permissions the user might have. You can set the lock level to `CanNotDelete` or `ReadOnly`. Please see [Azure Docs](https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources) for more information.

**This archetype does not use `CanNotDelete` nor `ReadOnly` locks as part of the deployment. You may customize the deployment templates when it's required for your environment.**

### Service Health

[Service health notifications](https://docs.microsoft.com/azure/service-health/service-health-notifications-properties) are published by Azure, and contain information about the resources under your subscription. Service health notifications can be informational or actionable, depending on the category.
[Service health notifications](https://learn.microsoft.com/azure/service-health/service-health-notifications-properties) are published by Azure, and contain information about the resources under your subscription. Service health notifications can be informational or actionable, depending on the category.

Our examples configure service health alerts for `Security` and `Incident`. However, these categories can be customized based on your need. Please review the possible options in [Azure Docs](https://docs.microsoft.com/azure/service-health/service-health-notifications-properties#details-on-service-health-level-information).
Our examples configure service health alerts for `Security` and `Incident`. However, these categories can be customized based on your need. Please review the possible options in [Azure Docs](https://learn.microsoft.com/azure/service-health/service-health-notifications-properties#details-on-service-health-level-information).

### Deployment Scenarios
