Update to 1.3.0 #33

Merged
merged 113 commits into from
Apr 19, 2024
Commits
fff245d
Diagnostic Settings Policies for PaaS services (#143)
SenthuranSivananthan Jan 21, 2022
c71051b
Private Endpoint for App Service (#144)
hudua Jan 21, 2022
73ce2eb
Flexible policy assignment scope (#147)
SenthuranSivananthan Jan 22, 2022
82dd826
Removed 'privatelink.monitor.azure.com' from Private DNS Zones (#149)
SlavaRoikhman Jan 27, 2022
09f09ed
Automation scripts for Azure DevOps onboarding (#151)
skeeler Jan 31, 2022
61afd59
Snapshot landing zone schema to v0.3.0 (#152)
SenthuranSivananthan Jan 31, 2022
b628c68
Enhance PBMM policy assignment to disable diagnostic settings metrics…
SenthuranSivananthan Feb 4, 2022
d7d5257
Issue #157 - Update scripts documentation (#158)
skeeler Feb 7, 2022
209f61c
Update Deployment Script's Azure CLI version to 2.32.0 (#164)
SenthuranSivananthan Feb 10, 2022
5104f39
Update DevOps Onboarding section of main readme (#162)
skeeler Feb 10, 2022
6061fa0
Repository clean up (#165)
SenthuranSivananthan Feb 10, 2022
e71ed26
Linter: no-loc-expr-outside-params - ensure compliance (#169)
SenthuranSivananthan Feb 17, 2022
edabd87
Support for Tag inheritance from Subscription to Resource Group (#161)
SenthuranSivananthan Feb 18, 2022
488fc6e
Instructions for Azure DevOps Environments (#175)
SenthuranSivananthan Feb 22, 2022
5d7eec3
Update `create-pipelines.bat` onboarding script to auto-provision env…
skeeler Feb 23, 2022
4dd1f4a
Update onboarding doc for logging & networking management group setti…
SenthuranSivananthan Feb 23, 2022
6b6ef29
Snapshot JSON schemas to v0.4.0 (#182)
SenthuranSivananthan Feb 26, 2022
9a141f7
Update onboarding document
autocloudarc Feb 27, 2022
c62dcfc
Configurable management group hierarchy (#186)
skeeler Feb 27, 2022
17846c4
Show Variables fix (#191)
skeeler Feb 28, 2022
5d33909
subscription(generic): add instructions for configuring parameters (#…
autocloudarc Mar 1, 2022
5e7322e
Instructions for backfilling management group hierarchy (#197)
SenthuranSivananthan Mar 2, 2022
d6b1c08
Revise subscription deployment instructions (#201)
SenthuranSivananthan Mar 3, 2022
5753cf0
Ensure values from multiline variables are properly logged (#202)
SenthuranSivananthan Mar 3, 2022
678355f
Fix pipeline scripts reference to `subscription-ci` (#207)
skeeler Mar 5, 2022
81eccd1
Delete Lock for Log Analytics Workspace resource group (#205)
SenthuranSivananthan Mar 5, 2022
27363b7
Support Defender Plan for Cosmos DB (#200)
SenthuranSivananthan Mar 5, 2022
30b9cc2
fixing doc typo in hubnetwork-azfw (#211)
SunChero Mar 11, 2022
97c2904
Backward compatibility when setting pipeline variables from managemen…
SenthuranSivananthan Mar 12, 2022
789b18a
Update OZ subnet name to App Management Zone (#217)
SenthuranSivananthan Mar 24, 2022
0538d4d
Document delete lock usage (#216)
SenthuranSivananthan Mar 24, 2022
bf5e94b
Add instructions for customizing policy set assignments (#215)
SenthuranSivananthan Mar 24, 2022
2e5a56b
Fix formatting (#218)
SenthuranSivananthan Mar 24, 2022
453a0f8
Improve `delete-management-groups.bat` script (#224)
skeeler Mar 30, 2022
f25f957
Private DNS Policy - Change Cosmos DB namespace to Microsoft.Document…
SenthuranSivananthan Mar 31, 2022
0210df4
Flexible policy assignment parameters JSON files (#222)
SenthuranSivananthan Mar 31, 2022
6b36096
Externalize Log Analytics Workspace parameters when loading pipeline …
SenthuranSivananthan Mar 31, 2022
575440e
Initial GC 30-day cloud guardrails compliance/guidance (#226)
ccmsft Mar 31, 2022
d2f959a
Update networking documentation for generic subscription archetype (#…
ghostme Apr 1, 2022
3ce2cf8
Use built-in policy for Cosmos DB for Defender Plan (#232)
SenthuranSivananthan Apr 2, 2022
cb96311
Updating recommendations to reflect licensing reqs (#229)
ccmsft Apr 4, 2022
3259994
Fix order of `platform-connectivity-hub-azfw-policy` pipeline listed …
skeeler Apr 5, 2022
cc5f017
PBMM & HITRUST/HIPAA policy update (#238)
SenthuranSivananthan Apr 8, 2022
bfe1f58
Migrate Logging configuration to JSON parameters file (#236)
SenthuranSivananthan Apr 8, 2022
0e258f9
Update azure-devops-pipelines.md (#242)
skeeler Apr 9, 2022
1c37279
Support logging infrastructure for multiple regions in same subscript…
SenthuranSivananthan Apr 11, 2022
700eb96
Support multiple private dns zone configuration when updating private…
SenthuranSivananthan Apr 12, 2022
89613db
Include new Databricks' log categories for diagnostic settings (#248)
SenthuranSivananthan Apr 13, 2022
38fc344
Azure Active Directory support for Synapse (#259)
mosharafMS Apr 20, 2022
3d9c60d
Migrate Networking configuration to JSON parameters file (#250)
SenthuranSivananthan Apr 20, 2022
7083377
Revise subnet configuration for Generic Subscription archetype (#252)
SenthuranSivananthan Apr 20, 2022
72fe50d
Revise subnet configuration for Machine Learning archetype (#254)
SenthuranSivananthan Apr 20, 2022
1ee5b9e
Revise subnet configuration for Healthcare archetype (#256)
SenthuranSivananthan Apr 20, 2022
3008353
Removed extra configuration files (#260)
SenthuranSivananthan Apr 20, 2022
b33cd36
Update common.yml example (#262)
SenthuranSivananthan Apr 21, 2022
2bc196a
Support for optional subnets in Machine Learning & Healthcare archety…
SenthuranSivananthan Apr 25, 2022
d68824a
Organize deployment parameters for Hub Networking with Azure Firewall…
SenthuranSivananthan Apr 25, 2022
926521a
Updated documentation (#267)
ghostme Apr 27, 2022
60f3b59
Organize deployment parameters for Hub Networking with NVA (#266)
SenthuranSivananthan Apr 27, 2022
3522571
Snapshot ARM parameters JSON schemas (#268)
SenthuranSivananthan Apr 27, 2022
15c2847
PowerShell deployment scripts (#271)
SenthuranSivananthan Apr 29, 2022
db098e1
PowerShell deployment script for archetypes (#273)
SenthuranSivananthan Apr 30, 2022
08d8f92
Deployment flow diagram (#274)
SenthuranSivananthan May 2, 2022
1d8dbd7
GitHub workflow implementation (#276)
skeeler May 9, 2022
ce6c27f
Support schema validation (#277)
SenthuranSivananthan May 9, 2022
a9c9419
Add environment configuration override and protect sensitive paramete…
skeeler May 9, 2022
799ad52
Pass-thru secure strings as-is until ready for use (#281)
SenthuranSivananthan May 10, 2022
229b144
Fix DeploySubscriptionIds parameter type casting (#282)
skeeler May 10, 2022
31e8d0a
Correct wiring of the subscriptions-ci pipeline and prompt for NVA fi…
skeeler May 10, 2022
93d2f13
Support jobs in GitHub Actions (#286)
SenthuranSivananthan May 10, 2022
c413307
Ensure multiple subscriptions can be moved to a management in paralle…
SenthuranSivananthan May 10, 2022
6a90a2f
Separate Azure Firewall Policy deployment switch & unique telemetry t…
SenthuranSivananthan May 11, 2022
31a214a
Disable metrics in diagnostic settings for AKS through Policy (#295)
SenthuranSivananthan May 15, 2022
c078a79
Concurrent role deployment with PowerShell & GitHub Actions (#299)
SenthuranSivananthan May 15, 2022
0ce5c1a
Disable fail fast for matrix deployments (#297)
SenthuranSivananthan May 15, 2022
c1a3b99
Flexible policy deployment using PowerShell & GitHub Actions (#300)
SenthuranSivananthan May 16, 2022
62adb00
Log Analytics solutions for SQL servers on machines (#303)
SenthuranSivananthan May 16, 2022
6765c48
Serial defender plan deployments & revised resource/resource group na…
SenthuranSivananthan May 17, 2022
bce747c
Update resource group names for Logging & Networking (#309)
SenthuranSivananthan May 18, 2022
2b11801
Add service health notification info (#310)
SenthuranSivananthan May 19, 2022
e9a0962
Reference the Guardrails Solution Accelerator for 30-day guardrail as…
igomaa May 27, 2022
8fc587a
Fix typo in onboarding guidance (#320)
Ifyagolu Jun 24, 2022
a4e53ff
Update machinelearning.md (#327)
sabyadg Jul 18, 2022
60198bc
Resolve linter warning: prefer-unquoted-property-names (#322)
SenthuranSivananthan Jul 20, 2022
a7f521d
Add missing log categories in diagnostic settings for Azure Firewall …
SenthuranSivananthan Jul 20, 2022
c2afa0d
Support azkms.core.windows.net and IPs in firewall allow list (#329)
SenthuranSivananthan Aug 8, 2022
e069a4b
Support data collection rule (#331)
SenthuranSivananthan Aug 17, 2022
2a6042d
Network security group support for private endpoints subnet (#333)
SenthuranSivananthan Aug 17, 2022
db52627
Suppress false positive linter warning: secure-secrets-in-params (#335)
SenthuranSivananthan Aug 17, 2022
e5fe399
Update diagnostic settings profile name (#337)
SenthuranSivananthan Aug 17, 2022
5851a09
Revised Event Hub Diagnostic Settings policy (#339)
SenthuranSivananthan Aug 17, 2022
b8a9bc9
Version August 2022 schema changes (#342)
skeeler Sep 1, 2022
c714e65
Update CODEOWNERS (#344)
skeeler Oct 14, 2022
12cd557
Add Barry to code owners list (#346)
skeeler Dec 1, 2022
e44c7ea
Update hubnetwork-azfw.md (#345)
obay Dec 1, 2022
0fa01e8
Updated documents, from docs.microsoft.com - to Learn. (#350)
lukemurraynz Feb 6, 2023
5337654
Fixed Linter warnings & build errors (#354)
tredell Feb 24, 2023
f13f6ec
Identity Archetype (#359)
tredell Mar 3, 2023
5680e65
Bug fixes - network routing & ADO Identity Pipelines (#362)
tredell Mar 13, 2023
674f6cb
Update DDoS.bicep (#363)
ylepine Mar 16, 2023
5830bcb
Update identity.md (#365)
DavidChristiansen Apr 25, 2023
db45632
Scripts to generate config from template, support JSON config intelli…
skeeler Jul 10, 2023
a10ba08
update to 1.3.0
wanpengyang Mar 26, 2024
61638d6
extra empty line in the upstream
wanpengyang Mar 26, 2024
28e95e9
comma every time...
wanpengyang Mar 26, 2024
52278e6
no need for testing
wanpengyang Apr 12, 2024
bea0bf3
test
wanpengyang Apr 12, 2024
80baaf8
Revert "no need for testing"
wanpengyang Apr 12, 2024
48e664f
Revert "test"
wanpengyang Apr 12, 2024
9e4a89d
plan
wanpengyang Apr 12, 2024
de55b4c
add cdssnc-main configs
wanpengyang Apr 17, 2024
c8b29af
add default environmentName
wanpengyang Apr 17, 2024
8949f5d
fix typo
wanpengyang Apr 17, 2024
2 changes: 1 addition & 1 deletion .github/workflows/0-everything.yml
Expand Up @@ -31,7 +31,7 @@ on:
required: false
environmentName:
type: string
description: Environment name (optional), e.g. CanadaESLZ-main
description: Environment name (optional), e.g. CanadaPubSecALZ-main
required: false

defaults:
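Review bot: the `environmentName` input in this workflow is the only one in the change that does not receive `default: cdssnc-main`, so a blank manual run of 0-everything.yml and a blank run of any single-stage workflow will resolve different environments. If leaving it undefaulted here is deliberate (for example because this workflow drives the others and should never be run against an implicit target), state that in the description; otherwise add the same `default: cdssnc-main` line for consistency.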
3 changes: 2 additions & 1 deletion .github/workflows/1-management-groups.yml
Expand Up @@ -14,8 +14,9 @@ on:
inputs:
environmentName:
type: string
description: Environment name (optional), e.g. CanadaESLZ-main
description: Environment name (optional), e.g. CanadaPubSecALZ-main
required: false
default: cdssnc-main

defaults:
run:
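Review bot: the description still reads "Environment name (optional), e.g. CanadaPubSecALZ-main" while the effective default is now `cdssnc-main`, so a manual `workflow_dispatch` with the field left blank deploys the cdssnc-main management-group configuration rather than the example the text points at. Fold the default into the text, e.g. `description: Environment name (optional, defaults to cdssnc-main)`, and consider whether an organization-specific default belongs in a fork that tracks upstream, since later merges from CanadaPubSecALZ are likely to conflict on this line in every workflow.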
3 changes: 2 additions & 1 deletion .github/workflows/2-roles.yml
Expand Up @@ -14,8 +14,9 @@ on:
inputs:
environmentName:
type: string
description: Environment name (optional), e.g. CanadaESLZ-main
description: Environment name (optional), e.g. CanadaPubSecALZ-main
required: false
default: cdssnc-main

defaults:
run:
3 changes: 2 additions & 1 deletion .github/workflows/3-logging.yml
Expand Up @@ -14,8 +14,9 @@ on:
inputs:
environmentName:
type: string
description: Environment name (optional), e.g. CanadaESLZ-main
description: Environment name (optional), e.g. CanadaPubSecALZ-main
required: false
default: cdssnc-main

defaults:
run:
5 changes: 3 additions & 2 deletions .github/workflows/4-policy.yml
Expand Up @@ -14,9 +14,10 @@ on:
inputs:
environmentName:
type: string
description: Environment name (optional), e.g. CanadaESLZ-main
description: Environment name (optional), e.g. CanadaPubSecALZ-main
required: false

default: cdssnc-main

defaults:
run:
shell: pwsh
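Review bot: the blank line removed directly after `required: false` is re-added right after the new `default: cdssnc-main`, so this hunk records two deletions and three additions for what is substantively a one-line change; re-stage it so that only the description and the `default:` line differ, matching the three-line hunks in the sibling workflows and keeping the diff readable.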
3 changes: 2 additions & 1 deletion .github/workflows/5-azure-firewall-policy.yml
Expand Up @@ -14,8 +14,9 @@ on:
inputs:
environmentName:
type: string
description: Environment name (optional), e.g. CanadaESLZ-main
description: Environment name (optional), e.g. CanadaPubSecALZ-main
required: false
default: cdssnc-main

defaults:
run:
3 changes: 2 additions & 1 deletion .github/workflows/5-hub-network-with-azure-firewall.yml
Expand Up @@ -14,8 +14,9 @@ on:
inputs:
environmentName:
type: string
description: Environment name (optional), e.g. CanadaESLZ-main
description: Environment name (optional), e.g. CanadaPubSecALZ-main
required: false
default: cdssnc-main

defaults:
run:
3 changes: 2 additions & 1 deletion .github/workflows/5-hub-network-with-nva.yml
Expand Up @@ -14,8 +14,9 @@ on:
inputs:
environmentName:
type: string
description: Environment name (optional), e.g. CanadaESLZ-main
description: Environment name (optional), e.g. CanadaPubSecALZ-main
required: false
default: cdssnc-main

defaults:
run:
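Review bot: both hub-network workflows (Azure Firewall and NVA) now default to the same `cdssnc-main` environment, so whichever of the two presumably alternative topologies is dispatched with an empty input acts on the live configuration; if only one of them is the intended topology for cdssnc-main, leave the other without a default (or keep `required: true` semantics by omitting the default) so that the wrong hub workflow cannot be run against the real environment by accident.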
3 changes: 2 additions & 1 deletion .github/workflows/6-identity.yml
Expand Up @@ -14,8 +14,9 @@ on:
inputs:
environmentName:
type: string
description: Environment name (optional), e.g. CanadaESLZ-main
description: Environment name (optional), e.g. CanadaPubSecALZ-main
required: false
default: cdssnc-main

defaults:
run:
1 change: 1 addition & 0 deletions .github/workflows/6-subscriptions.yml
Expand Up @@ -20,6 +20,7 @@ on:
type: string
description: Environment name (optional), e.g. CanadaESLZ-main
required: false
default: cdssnc-main

defaults:
run:
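Review bot: the description on this input still gives `CanadaESLZ-main` as the example, while every other workflow in the change was updated to `CanadaPubSecALZ-main`; update it to match, and, as in the sibling workflows, mention the new `cdssnc-main` default in the text so the "(optional)" wording does not suggest that a blank input is a no-op.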
3 changes: 2 additions & 1 deletion .github/workflows/7-subscriptions.yml
Expand Up @@ -19,8 +19,9 @@ on:
required: true
environmentName:
type: string
description: Environment name (optional), e.g. CanadaESLZ-main
description: Environment name (optional), e.g. CanadaPubSecALZ-main
required: false
default: cdssnc-main

defaults:
run:
1 change: 1 addition & 0 deletions .gitignore
@@ -1,5 +1,6 @@
experiments/*
**/*.swp
**/*.diff
.vscode/*
/*.sh
/*.ps1
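Review bot: `**/*.diff` ignores patch files anywhere in the tree, which is convenient for scratch output but would also silently drop any `.diff` a contributor intends to commit in a future change. If the goal is only local scratch files, `/*.diff` at the repository root is the narrower rule and is consistent with the `/*.sh` and `/*.ps1` entries directly below it.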
6 changes: 5 additions & 1 deletion .pipelines/templates/jobs/trigger-subscriptions.yml
Expand Up @@ -89,13 +89,17 @@ jobs:
{
$url = "$($env:SYSTEM_TEAMFOUNDATIONCOLLECTIONURI)$env:SYSTEM_TEAMPROJECTID/_apis/pipelines/$($env:SYSTEM_DEFINITIONID)/runs?api-version=6.0-preview.1"
Write-Host "Invoking pipeline definition with URL: $url"
$paths = $env:SUBSCRIPTION_CHANGES -split ','
$guids = $paths -replace '.*?([0-9a-f]{8}[-]?([0-9a-f]{4}[-]?){3}[0-9a-f]{12}).*', '$1'
$changes = $guids -join ','
$body = @"
{
"templateParameters": {
"subscriptions":"[$env:SUBSCRIPTION_CHANGES]"
"subscriptions":"[$changes]"
},
}
"@
Write-Host "Invoking pipeline definition with body: $body"
$headers = @{ Authorization = "Bearer $env:SYSTEM_ACCESSTOKEN" }
$pipeline = Invoke-RestMethod -Uri $url -Headers $headers -Method Post -Body $body -ContentType application/json
Write-Host "Pipeline invocation result = $($pipeline | ConvertTo-Json -Depth 100)"
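Review bot: the `-replace` on `$paths` leaves any entry that contains no GUID unchanged, so a changed file outside a subscription directory is forwarded verbatim into `templateParameters.subscriptions`, and two changed files under the same subscription produce the same GUID twice. Match and extract explicitly and de-duplicate, e.g. `$guids = $paths | ForEach-Object { if ($_ -match '([0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12})') { $Matches[1] } } | Select-Object -Unique`, which also drops the `[-]?` tolerance for dash-less hex runs that Azure subscription IDs never use. Separately, the elements are emitted unquoted inside `"[$changes]"` and the object after `templateParameters` carries a trailing comma; both predate this change, but since the body is now built from derived values rather than raw input it is a good moment to build it with `ConvertTo-Json` instead of a here-string.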
1 change: 1 addition & 0 deletions README.md
Expand Up @@ -34,6 +34,7 @@ See the following onboarding guides for setup instructions:
* [Azure DevOps Setup](docs/onboarding/azure-devops-setup.md) provides guidance on considerations and recommended practices when creating and configuring your Azure DevOps Services environment.
* [Azure DevOps Scripts](docs/onboarding/azure-devops-scripts.md) provides guidance on the scripts available to help simplify the onboarding process to Azure Landing Zones design using Azure DevOps pipelines.
* [Azure DevOps Pipelines](docs/onboarding/azure-devops-pipelines.md) provides guidance on the manual steps for onboarding to the Azure Landing Zones design using Azure DevOps Pipelines.
* [Configuration Scripts](docs/onboarding/configuration-scripts.md) provides guidance on the scripts available to help simplify the configuration process of the Azure Landing Zones design.

## Goals

187 changes: 187 additions & 0 deletions config/identity/CanadaPubSecALZ-main/identity.parameters.json
@@ -0,0 +1,187 @@
{
"$schema": "https://raw.githubusercontent.com/Azure/CanadaPubSecALZ/main/schemas/latest/landingzones/lz-platform-identity.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"serviceHealthAlerts": {
"value": {
"alertRuleName": "Identity Alerts",
"receivers": {
"app": [
"identity@example.com"
],
"sms": [
{
"countryCode": "1",
"phoneNumber": "6135555555"
}
],
"email": [
"identity@example.com"
],
"voice": [
{
"countryCode": "1",
"phoneNumber": "6135555555"
}
]
},
"regions": [
"Global",
"Canada Central",
"Canada East"
],
"resourceGroupName": "service-health-alerts-rg",
"actionGroupName": "Identity Alerts",
"actionGroupShortName": "identity-ag",
"incidentTypes": [
"Incident",
"Security"
],
"alertRuleDescription": "Identity Alerts for Incidents and Security"
}
},
"securityCenter": {
"value": {
"email": "security@example.com",
"phone": "6135555555"
}
},
"subscriptionRoleAssignments": {
"value": [
{
"comments": "Built-in Contributor Role",
"securityGroupObjectIds": [
"b4df54ba-7232-40fa-8f51-f84e8d149322"
],
"roleDefinitionId": "b24988ac-6180-42a0-ab88-20f7382dd24c"
}
]
},
"subscriptionBudget": {
"value": {
"createBudget": false
}
},
"subscriptionTags": {
"value": {
"ISSO": "isso-tbd",
"ClientOrganization": "client-organization-tag",
"CostCenter": "cost-center-tag",
"DataSensitivity": "data-sensitivity-tag",
"ProjectContact": "project-contact-tag",
"ProjectName": "project-name-tag",
"TechnicalContact": "technical-contact-tag"
}
},
"resourceTags": {
"value": {
"ClientOrganization": "client-organization-tag",
"CostCenter": "cost-center-tag",
"DataSensitivity": "data-sensitivity-tag",
"ProjectContact": "project-contact-tag",
"ProjectName": "project-name-tag",
"TechnicalContact": "technical-contact-tag"
}
},
"resourceGroups": {
"value": {
"automation": "automation",
"networking": "networking",
"networkWatcher": "NetworkWatcherRG",
"backupRecoveryVault": "backup",
"domainControllers": "DomainControllersRG",
"dnsResolver": "dns-resolverRG",
"dnsCondionalForwarders": "dns-CondionalForwardersRG",
"privateDnsZones": "pubsec-dns"
}
},
"automation": {
"value": {
"name": "automation"
}
},
"backupRecoveryVault": {
"value": {
"enabled": true,
"name": "backup-vault"
}
},
"privateDnsZones": {
"value": {
"enabled": false,
"resourceGroupName": "pubsec-dns"
}
},
"privateDnsResolver": {
"value": {
"enabled": true,
"name": "dns-resolver",
"inboundEndpointName": "dns-resolver-Inbound",
"outboundEndpointName": "dns-resolver-Outbound"
}
},
"privateDnsResolverRuleset": {
"value": {
"enabled": true,
"name": "dns-resolver-ruleset",
"linkRuleSetToVnet": true,
"linkRuleSetToVnetName": "dns-resolver-vnet-link",
"forwardingRules": [
{
"name": "default",
"domain": "dontMakeMeThink.local",
"state": "Enabled",
"targetDnsServers": [
{
"ipAddress": "10.99.99.100"
},
{
"ipAddress": "10.99.99.99"
}
]
}
]
}
},
"hubNetwork": {
"value": {
"virtualNetworkId": "/subscriptions/4fd845de-f6c8-4e6d-9a87-c21c4ebf7edd/resourceGroups/pubsec-hub-networking/providers/Microsoft.Network/virtualNetworks/hub-vnet",
"rfc1918IPRange": "10.18.0.0/22",
"rfc6598IPRange": "100.60.0.0/16",
"egressVirtualApplianceIp": "10.18.1.4"
}
},
"network": {
"value": {
"deployVnet": true,
"peerToHubVirtualNetwork": true,
"useRemoteGateway": false,
"name": "id-vnet",
"dnsServers": [
"10.18.1.4"
],
"addressPrefixes": [
"10.15.0.0/24"
],
"subnets": {
"domainControllers": {
"comments": "Identity Subnet for Domain Controllers and VM-Based DNS Servers",
"name": "DomainControllers",
"addressPrefix": "10.15.0.0/27"
},
"dnsResolverInbound": {
"comments": "Azure DNS Resolver Inbound Requests subnet",
"name": "AzureDNSResolver-Inbound",
"addressPrefix": "10.15.0.32/27"
},
"dnsResolverOutbound": {
"comments": "Azure DNS Resolver Outbound Requests subnet",
"name": "AzureDNSResolver-Outbound",
"addressPrefix": "10.15.0.64/27"
},
"optional": []
}
}
}
}
}
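Review bot: this file carries what look like the upstream sample placeholders rather than values for the environment the workflows now default to: `identity@example.com`, `security@example.com`, the `6135555555` phone numbers, the `isso-tbd` tag, the forwarding domain `dontMakeMeThink.local` and the `10.99.99.99`/`10.99.99.100` target DNS servers. It also lands under `config/identity/CanadaPubSecALZ-main/` while the workflows default to `cdssnc-main`, so confirm which directory the identity pipeline will actually read and whether these values are meant to be filled in before merge. Two further points: `rfc6598IPRange` is `100.60.0.0/16`, which lies outside the RFC 6598 shared address block 100.64.0.0/10, so check it against the hub's real range before the peering is created; and the key `dnsCondionalForwarders` looks misspelled but must match what `lz-platform-identity.json` expects, so verify the schema before renaming it.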