Management Group Diagnostic Settings Enablement - New Module (#321)

* mgDiagSet module to enable Diagnostic Settings to all Management Groups in hierarchy

* removed a space at end of file

* Fixed the logic for enabling default and confidential child MGs

* Changed the name of the files to match the names of the folders

* Changed module path with new name

* Changes to README files

* removed LAW ID used in tests from parameters file

* changes to the high level deployment flow image

* fixed linter error in parameteres file

* Update infra-as-code/bicep/modules/mgDiagSettings/README.md

Co-authored-by: Jack Tracey <41163455+jtracey93@users.noreply.github.com>

* Update infra-as-code/bicep/modules/mgDiagSettings/README.md

Co-authored-by: Jack Tracey <41163455+jtracey93@users.noreply.github.com>

* Update infra-as-code/bicep/modules/mgDiagSettings/README.md

Co-authored-by: Jack Tracey <41163455+jtracey93@users.noreply.github.com>

* Update infra-as-code/bicep/modules/mgDiagSettings/README.md

Co-authored-by: Jack Tracey <41163455+jtracey93@users.noreply.github.com>

* Update infra-as-code/bicep/modules/mgDiagSettings/README.md

Co-authored-by: Jack Tracey <41163455+jtracey93@users.noreply.github.com>

* Update infra-as-code/bicep/orchestration/mgDiagSettingsAll/parameters/mgDiagSettingsAll.parameters.all.json

Co-authored-by: Jack Tracey <41163455+jtracey93@users.noreply.github.com>

* Update infra-as-code/bicep/orchestration/mgDiagSettingsAll/mgDiagSettingsAll.bicep

Co-authored-by: Jack Tracey <41163455+jtracey93@users.noreply.github.com>

* Update infra-as-code/bicep/orchestration/mgDiagSettingsAll/parameters/mgDiagSettingsAll.parameters.min.json

Co-authored-by: Jack Tracey <41163455+jtracey93@users.noreply.github.com>

* Update infra-as-code/bicep/orchestration/mgDiagSettingsAll/mgDiagSettingsAll.bicep

Co-authored-by: Jack Tracey <41163455+jtracey93@users.noreply.github.com>

* Update infra-as-code/bicep/modules/mgDiagSettings/diagSettings.bicep

Co-authored-by: Jack Tracey <41163455+jtracey93@users.noreply.github.com>

* Update infra-as-code/bicep/orchestration/mgDiagSettingsAll/parameters/mgDiagSettingsAll.parameters.all.json

Co-authored-by: Jack Tracey <41163455+jtracey93@users.noreply.github.com>

* Update infra-as-code/bicep/orchestration/mgDiagSettingsAll/README.md

Co-authored-by: Jack Tracey <41163455+jtracey93@users.noreply.github.com>

* Update infra-as-code/bicep/orchestration/mgDiagSettingsAll/README.md

Co-authored-by: Jack Tracey <41163455+jtracey93@users.noreply.github.com>

* Update infra-as-code/bicep/orchestration/mgDiagSettingsAll/README.md

Co-authored-by: Jack Tracey <41163455+jtracey93@users.noreply.github.com>

* Update infra-as-code/bicep/orchestration/mgDiagSettingsAll/README.md

Co-authored-by: Jack Tracey <41163455+jtracey93@users.noreply.github.com>

* Update infra-as-code/bicep/orchestration/mgDiagSettingsAll/README.md

Co-authored-by: Jack Tracey <41163455+jtracey93@users.noreply.github.com>

* Update infra-as-code/bicep/orchestration/mgDiagSettingsAll/mgDiagSettingsAll.bicep

Co-authored-by: Jack Tracey <41163455+jtracey93@users.noreply.github.com>

* Update infra-as-code/bicep/orchestration/mgDiagSettingsAll/mgDiagSettingsAll.bicep

Co-authored-by: Jack Tracey <41163455+jtracey93@users.noreply.github.com>

* changed module file name and high level flow diagram

* Update infra-as-code/bicep/orchestration/mgDiagSettingsAll/README.md

Co-authored-by: Jack Tracey <41163455+jtracey93@users.noreply.github.com>

* added telemetry and deployment options to mdDiagSettings README

* changes to mgDiagSettings parameters files

* Added test to validate and CodeTour

* Fixed name of mgDiagSettings.bicep file when called from orchestration module

* Added logic to bicep-build-to-validate.yml

* Added logic to bicep-build-to-validate.yml Fixed typo

* Fixed CRLF and other linter errors

* Update base-unit-validate.yml

* Fixed Format for base-unit-validate.yml

* Update base-unit-validate.yml

* Update base-unit-validate.yml

* add location

* Update mgDiagSettingsAll.parameters.all.json

* Update base-unit-validate.yml

* Update mc-base-unit-validate.yml

* Update mc-base-unit-validate.yml

* Update base-unit-validate.yml

* Update bicep-build-to-validate.yml

* Update mgDiagSettingsAll.parameters.min.json

* Update bicep-build-to-validate.yml

* Update base-unit-validate.yml

* Update base-unit-validate.yml

* Update mc-base-unit-validate.yml

* Update base-unit-validate.yml

* Update mc-base-unit-validate.yml

* Update bicep-build-to-validate.yml

* Update bicep-build-to-validate.yml

* Update base-unit-validate.yml

* Update mc-base-unit-validate.yml

* Update bicep-build-to-validate.yml

Co-authored-by: Luis Chaves <luchaves@microsoft.com>
Co-authored-by: Jack Tracey <41163455+jtracey93@users.noreply.github.com>

.vscode/tours/azurechinacloud-base-validation-pipeline.tour

@@ -37,6 +37,11 @@
       "description": "Validate ALZ logging component deployment. Depends on resource group previously created.",
       "line": 70
     },
+    {
+      "file": "tests/pipelines/mc-base-unit-validate.yml",
+      "description": "Validate ALZ mgDiagSettingsAll component deployment. Depends on Log Analytics Workspace and Management Groups previously created.",
+      "line": 78
+    },
     {
       "file": "tests/pipelines/mc-base-unit-validate.yml",
       "description": "Validate ALZ subscription placement into management group deployment. Depends on management groups previously created.",
@@ -118,4 +123,4 @@
       "line": 193
     }
   ]
-}
+}

.vscode/tours/azurecloud-base-validation-pipeline.tour

@@ -47,6 +47,11 @@
       "description": "Validate ALZ logging component deployment. Depends on resource group previously created.",
       "line": 85
     },
+    {
+      "file": "tests/pipelines/base-unit-validate.yml",
+      "description": "Validate ALZ mgDiagSettingsAll component deployment. Depends on Log Analytics Workspace and Management Groups previously created.",
+      "line": 91
+    },
     {
       "file": "tests/pipelines/base-unit-validate.yml",
       "description": "Validate ALZ subscription placement into management group deployment. Depends on management groups previously created.",
@@ -128,4 +133,4 @@
       "line": 212
     }
   ]
-}
+}

docs/wiki/CustomerUsage.md

@@ -36,6 +36,7 @@ The following are the unique ID's (also known as PIDs) used in each of the modul
 | hubNetworking                   | 2686e846-5fdc-4d4f-b533-16dcb09d6e6c |
 | logging                         | f8087c67-cc41-46b2-994d-66e4b661860d |
 | managementGroups                | 9b7965a0-d77c-41d6-85ef-ec3dfea4845b |
+| mgDiagSettings                  | 5d17f1c2-f17b-4426-9712-0cd2652c4435 |
 | policy-definitions              | 2b136786-9881-412e-84ba-f4c2822e1ac9 |
 | policy-assignments              | 78001e36-9738-429c-a343-45cc84e8a527 |
 | alzDefaultPolicyAssignments     | 98cef979-5a6b-403b-83c7-10c8f04ac9a2 |
@@ -51,3 +52,4 @@ The following are the unique ID's (also known as PIDs) used in each of the modul
 | hubSpoke - Orchestration        | 50ad3b1a-f72c-4de4-8293-8a6399991beb |
 | hubPeeredSpoke - Orchestration  | 8ea6f19a-d698-4c00-9afb-5c92d4766fd2 |
 | SubPlacementAll - Orchestration | bb800623-86ff-4ab4-8901-93c2b70967ae |
+| mgDiagSettingsAll - Orchestration | f49c8dfb-c0ce-4ee0-b316-5e4844474dd0 |

docs/wiki/DeploymentFlow.md

@@ -45,6 +45,7 @@ Modules in this reference implementation must be deployed in the following order
 |   2   | Custom Policy Definitions              | Configures Custom Policy Definitions at the `organization management group`.                                                                                                | Management Groups.                                                     | [infra-as-code/bicep/modules/policy/definitions](https://github.com/Azure/ALZ-Bicep/tree/main/infra-as-code/bicep/modules/policy/definitions)                         |
 |   3   | Custom Role Definitions                | Configures custom roles based on Cloud Adoption Framework's recommendations at the `organization management group`.                                                         | Management Groups.                                                     | [infra-as-code/bicep/modules/customRoleDefinitions](https://github.com/Azure/ALZ-Bicep/tree/main/infra-as-code/bicep/modules/customRoleDefinitions)                   |
 |   4   | Logging & Sentinel                     | Configures a centrally managed Log Analytics Workspace, Automation Account and Sentinel in the `Logging` subscription.                                                      | Management Groups & Subscription for Log Analytics and Sentinel.       | [infra-as-code/bicep/modules/logging](https://github.com/Azure/ALZ-Bicep/tree/main/infra-as-code/bicep/modules/logging)                                               |
+|  4.1  | Management Groups Diagnostic Settings  | Enable Diagnostic Settings for management Groups to the Log Analytics Workspace created in the `Logging` subscription.                                    | Management Groups & Log Analytics Workspace.       | [infra-as-code/bicep/orchestration/mgDiagSettings](https://github.com/Azure/ALZ-Bicep/tree/main/infra-as-code/bicep/orchestration/mgDiagSettings)                                               |
 |   5   | Hub Networking                         | Azure supports two types of hub-and-spoke design, VNet hub and Virtual WAN hub. Creates resources in the `Connectivity` subscription.                                       | Management Groups, Subscription for Hub Networking.                    | [See network topology deployment below](#network-topology-deployment)                                                                                                 |
 |   6   | Role Assignments                       | Creates role assignments using built-in and custom role definitions.                                                                                                        | Management Groups & Subscriptions.                                     | [infra-as-code/bicep/modules/roleAssignments](https://github.com/Azure/ALZ-Bicep/tree/main/infra-as-code/bicep/modules/roleAssignments)                               |
 |   7   | Subscription Placement                 | Moves one or more subscriptions (based on IDs) to the target Management Groups in your ALZ hierarchy.                                                                       | Management Groups & Subscriptions.                                     | [infra-as-code/bicep/orchestration/subPlacementAll](https://github.com/Azure/ALZ-Bicep/tree/main/infra-as-code/bicep/orchestration/subPlacementAll)                   |

infra-as-code/bicep/modules/mgDiagSettings/README.md

@@ -0,0 +1,76 @@
+# Module: Enable Diagnostic Settings on a Management Group
+
+This module enables the supported Diagnostic Settings categories on a Management Group to an existing Azure Log Analytics Workspace.
+> Consider using the `mgDiagSettingsAll` orchestration module instead to simplify configuring the Diagnostic Settings for all your Management Group hierarchy in a single module. [infra-as-code/bicep/orchestration/mgDiagSettingsAll](https://github.com/Azure/ALZ-Bicep/tree/main/infra-as-code/bicep/orchestration/mgDiagSettingsAll)
+
+## Parameters
+
+The module requires the following input parameters.
+
+| Parameter                             | Type   | Description                                                                                                                                                                          | Requirements                      | Example                                                                                 |
+| ------------------------------------- | ------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | --------------------------------- | --------------------------------------------------------------------------------------- |
+| parLogAnalyticsWorkspaceResourceId | string   | Resource ID of the Log Analytics Workspace                                                             | Mandatory input | `/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/alz-logging/providers/Microsoft.OperationalInsights/workspaces/alz-log-analytics`                                                                                 |
+ | parTargetManagementGroupId | string          | Target management group for the subscription.                               | Mandatory input, management group must exist | `alz-platform-connectivity`                                                                                                                                                                    |
+ | parTelemetryOptOut         | bool            | Set Parameter to true to Opt-out of deployment telemetry                    | none                                         | `false`                                                                                                                                                                                        |
+
+## Outputs
+
+*The module will not generate any outputs.*
+
+## Deployment
+
+The inputs for this module are defined in `parameters/mgDiagSettings.parameters.all.json`. The Diagnostic Settings resource will be named toLa but can be changed in the module if desired.
+
+> For the  examples below we assume you have downloaded or cloned the Git repo as-is and are in the root of the repository as your selected directory in your terminal of choice.
+
+### Azure CLI
+
+```bash
+# For Azure global regions
+az deployment mg create \
+  --template-file infra-as-code/bicep/modules/mgDiagSettings/mgDiagSettings.bicep \
+  --parameters @infra-as-code/bicep/modules/mgDiagSettings/parameters/mgDiagSettings.parameters.all.json \
+  --location eastus \
+  --management-group-id alz
+```
+
+OR
+
+```bash
+# For Azure China regions
+az deployment mg create \
+  --template-file infra-as-code/bicep/modules/mgDiagSettings/mgDiagSettings.bicep \
+  --parameters @infra-as-code/bicep/modules/mgDiagSettings/parameters/mgDiagSettings.parameters.all.json \
+  --location chinaeast2 \
+  --management-group-id alz
+```
+
+### PowerShell
+
+```powershell
+# For Azure global regions
+New-AzManagementGroupDeployment `
+  -TemplateFile infra-as-code/bicep/modules/mgDiagSettings/mgDiagSettings.bicep `
+  -TemplateParameterFile @infra-as-code/bicep/modules/mgDiagSettings/parameters/mgDiagSettings.parameters.all.json `
+  -Location eastus `
+  -ManagementGroupId alz
+```
+
+OR
+
+```powershell
+# For Azure China regions
+New-AzManagementGroupDeployment `
+  -TemplateFile infra-as-code/bicep/modules/mgDiagSettings/mgDiagSettings.bicep `
+  -TemplateParameterFile @infra-as-code/bicep/modules/mgDiagSettings/parameters/mgDiagSettings.parameters.all.json `
+  -Location chinaeast2 `
+  -ManagementGroupId alz
+```
+
+## Validation
+
+To validate if Diagnostic Settings was correctly enabled for any specific management group, a REST API GET call can be used. Documentation and easy way to try this can be found in this link [(Management Group Diagnostic Settings - Get)](https://learn.microsoft.com/rest/api/monitor/management-group-diagnostic-settings/get?tabs=HTTP&tryIt=true&source=docs#code-try-0). There is currently not a direct way to validate this in the Azure Portal, Azure CLI or PowerShell.
+
+## Bicep Visualizer
+
+![Bicep Visualizer](media/bicepVisualizer.png "Bicep Visualizer")

infra-as-code/bicep/modules/mgDiagSettings/bicepconfig.json

@@ -0,0 +1,64 @@
+{
+  "analyzers": {
+    "core": {
+      "enabled": true,
+      "verbose": true,
+      "rules": {
+        "adminusername-should-not-be-literal": {
+          "level": "error"
+        },
+        "no-hardcoded-env-urls": {
+          "level": "error"
+        },
+        "no-unnecessary-dependson": {
+          "level": "error"
+        },
+        "no-unused-params": {
+          "level": "error"
+        },
+        "no-unused-vars": {
+          "level": "error"
+        },
+        "outputs-should-not-contain-secrets": {
+          "level": "error"
+        },
+        "prefer-interpolation": {
+          "level": "error"
+        },
+        "secure-parameter-default": {
+          "level": "error"
+        },
+        "simplify-interpolation": {
+          "level": "error"
+        },
+        "protect-commandtoexecute-secrets": {
+          "level": "error"
+        },
+        "use-stable-vm-image": {
+          "level": "error"
+        },
+        "explicit-values-for-loc-params": {
+          "level": "error"
+        },
+        "no-hardcoded-location": {
+          "level": "error"
+        },
+        "no-loc-expr-outside-params": {
+          "level": "error"
+        },
+        "max-outputs": {
+          "level": "error"
+        },
+        "max-params": {
+          "level": "error"
+        },
+        "max-resources": {
+          "level": "error"
+        },
+        "max-variables": {
+          "level": "error"
+        }
+      }
+    }
+  }
+}

infra-as-code/bicep/modules/mgDiagSettings/mgDiagSettings.bicep

@@ -0,0 +1,34 @@
+targetScope = 'managementGroup'
+
+@description('Log Analytics Workspace Resource ID.')
+param parLogAnalyticsWorkspaceResourceId string
+
+@description('Set Parameter to true to Opt-out of deployment telemetry')
+param parTelemetryOptOut bool = false
+
+// Customer Usage Attribution Id
+var varCuaid = '5d17f1c2-f17b-4426-9712-0cd2652c4435'
+
+resource mgDiagSet 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
+  name: 'toLa'
+  properties: {
+    workspaceId: parLogAnalyticsWorkspaceResourceId
+    logs: [
+      {
+        category: 'Administrative'
+        enabled: true
+      }
+      {
+        category: 'Policy'
+        enabled: true
+      }
+    ]
+  }
+}
+
+// Optional Deployment for Customer Usage Attribution
+module modCustomerUsageAttribution '../../CRML/customerUsageAttribution/cuaIdManagementGroup.bicep' = if (!parTelemetryOptOut) {
+  #disable-next-line no-loc-expr-outside-params //Only to ensure telemetry data is stored in same location as deployment. See https://github.com/Azure/ALZ-Bicep/wiki/FAQ#why-are-some-linter-rules-disabled-via-the-disable-next-line-bicep-function for more information
+  name: 'pid-${varCuaid}-${uniqueString(deployment().location)}'
+  params: {}
+}

infra-as-code/bicep/modules/mgDiagSettings/parameters/mgDiagSettings.parameters.all.json

@@ -0,0 +1,15 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+  "contentVersion": "1.0.0.0",
+  "parameters": {
+    "parTargetManagementGroupId": {
+      "value": ""
+    },
+    "parLogAnalyticsWorkspaceResourceId": {
+      "value": ""
+    },
+    "parTelemetryOptOut": {
+      "value": false
+    }
+  }
+}

infra-as-code/bicep/modules/mgDiagSettings/parameters/mgDiagSettings.parameters.min.json

@@ -0,0 +1,15 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+  "contentVersion": "1.0.0.0",
+  "parameters": {
+    "parTargetManagementGroupId": {
+      "value": ""
+    },
+    "parLogAnalyticsWorkspaceResourceId": {
+      "value": ""
+    },
+    "parTelemetryOptOut": {
+      "value": false
+    }
+  }
+}

infra-as-code/bicep/orchestration/mgDiagSettingsAll/README.md

@@ -0,0 +1,131 @@
+# Module: Orchestration - mgDiagSettingsAll - Enable diagnostic settings for management groups in the ALZ Management Groups hierarchy
+
+This module acts as an orchestration module that helps enable Diagnostic Settings on the Management Group hierarchy as was defined during the deployment of the Management Group module (this can be deployed via the [`managementGroups.bicep` module](https://github.com/Azure/ALZ-Bicep/tree/main/infra-as-code/bicep/modules/managementGroups)), which is also described in the wiki on the [Deployment Flow article](https://github.com/Azure/ALZ-Bicep/wiki/DeploymentFlow).
+
+This is accomplished through a tenant-scoped Azure Resource Manager (ARM) deployment. There are two boolean parameters that should match the options selected during the deployment of Management Group module regarding creation or not of Corp and Online Landing Zones and Confidential Corp and Confidential Online Landing zones.
+It also enables Diagnostic Settings for existing custom child landing zones if those are specified.
+
+
+> This module calls the [`diagSettings.bicep`](https://github.com/Azure/ALZ-Bicep/tree/main/infra-as-code/bicep/modules/mgDiagSettings) module multiple times to enable Diagnostic Settings to the desired Management Groups. If you only want to enable Diagnostic Settings at a time to a specified Management Group, then you could consider using the child module directly.
+
+## Parameters
+
+The module requires the following inputs:
+
+| Parameter                             | Type   | Description                                                                                                                                                                          | Requirements                      | Example                                                                                 |
+| ------------------------------------- | ------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | --------------------------------- | --------------------------------------------------------------------------------------- |
+| parTopLevelManagementGroupPrefix      | string | Prefix for the management group hierarchy.  This management group will be created as part of the deployment.                                                                         | 2-10 characters                   | `alz`                                                                                   |
+| parLandingZoneMgAlzDefaultsEnable     | bool   | Deploys Corp & Online Management Groups beneath Landing Zones Management Group if set to true.                                                                                       | Mandatory input, default: `true`  | `true`                                                                                  |
+| parLandingZoneMgConfidentialEnable    | bool   | Deploys Confidential Corp & Confidential Online Management Groups beneath Landing Zones Management Group if set to true.                                                             | Mandatory input, default: `false` | `false`                                                                                 |
+| parLogAnalyticsWorkspaceResourceId | string   | Resource ID of the Log Analytics Workspace                                                             | Mandatory input | `/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/alz-logging/providers/Microsoft.OperationalInsights/workspaces/alz-log-analytics` |
+| parLandingZoneMgChildren              | array | Dictionary Object to allow additional child Management Groups of Landing Zones Management Group to be deployed.                                                         | Not required input, default `[]`  | {"value": ["pci","avs"]}                                                         |
+| parTelemetryOptOut                    | bool   | Set Parameter to true to Opt-out of deployment telemetry                                                                                                                             | Mandatory input, default: `false` | `false`                                                                                 |
+
+### Diagnostic Settings for Child Landing Zone Management Groups
+
+This module considers the same flexibility used when creating the child Landing Zone Management Groups during deployment of the Management Groups module. The three parameters detailed below should correspond to the values used during Management Groups module deployment. All of these parameters can be used together to enable diagnostic settings on the child Landing Zone Management Groups.
+
+- `parLandingZoneMgAlzDefaultsEnable`
+  - Boolean - defaults to `true`
+  - **Required**
+  - Deploys following child Landing Zone Management groups if set to `true`:
+    - `Corp`
+    - `Online`
+    - *These are the default ALZ Management Groups as per the conceptual architecture*
+- `parLandingZoneMgConfidentialEnable`
+  - Boolean - defaults to `false`
+  - **Required**
+  - Deploys following child Landing Zone Management groups if set to `true`:
+    - `Confidential Corp`
+    - `Confidential Online`
+- `parLandingZoneMgChildren`
+  - Object - default is an empty array `[]`
+  - **Optional**
+  - Deploys whatever you specify in the object as child Landing Zone Management groups.
+
+#### `parLandingZoneMgChildren` Input Examples
+
+Below are some examples of how to use this input parameter in both Bicep & JSON formats.
+
+##### Bicep Example
+
+```bicep
+parLandingZoneMgChildren: {
+  pci: {
+    displayName: 'PCI'
+  }
+  'another-example': {
+    displayName: 'Another Example'
+  }
+}
+```
+
+##### JSON Parameter File Input Example
+
+```json
+    "parLandingZoneMgChildren": {
+      "value": [
+        "pci",
+        "another-example"
+    ]
+  }
+```
+
+## Outputs
+
+*The module will not generate any outputs.*
+
+## Deployment
+
+In this example, the Diagnostic Settings are enabled on the management groups through a tenant-scoped deployment.
+
+> For the examples below we assume you have downloaded or cloned the Git repo as-is and are in the root of the repository as your selected directory in your terminal of choice.
+
+### Azure CLI
+
+```bash
+# For Azure global regions
+az deployment tenant create \
+  --template-file infra-as-code/bicep/orchestration/mgDiagSettingsAll/mgDiagSettingsAll.bicep \
+  --parameters @infra-as-code/bicep/orchestration/mgDiagSettingsAll/parameters/mgDiagSettingsAll.parameters.all.json \
+  --location eastus
+```
+
+OR
+
+```bash
+# For Azure China regions
+az deployment tenant create \
+  --template-file infra-as-code/bicep/orchestration/mgDiagSettingsAll/mgDiagSettingsAll.bicep \
+  --parameters @infra-as-code/bicep/orchestration/mgDiagSettingsAll/parameters/mgDiagSettingsAll.parameters.all.json \
+  --location chinaeast2
+```
+
+### PowerShell
+
+```powershell
+# For Azure global regions
+New-AzTenantDeployment `
+  -TemplateFile infra-as-code/bicep/orchestration/mgDiagSettingsAll/mgDiagSettingsAll.bicep `
+  -TemplateParameterFile infra-as-code/bicep/orchestration/mgDiagSettingsAll/parameters/mgDiagSettingsAll.parameters.all.json `
+  -Location eastus
+```
+
+OR
+
+```powershell
+# For Azure China regions
+New-AzTenantDeployment `
+  -TemplateFile infra-as-code/bicep/orchestration/mgDiagSettingsAll/mgDiagSettingsAll.bicep `
+  -TemplateParameterFile infra-as-code/bicep/orchestration/mgDiagSettingsAll/parameters/mgDiagSettingsAll.parameters.all.json `
+  -Location chinaeast2
+
+```
+
+## Validation
+
+To validate if Diagnostic Settings was correctly enabled for any specific management group, a REST API GET call can be used. Documentation and easy way to try this can be found in this link [(Management Group Diagnostic Settings - Get)](https://learn.microsoft.com/rest/api/monitor/management-group-diagnostic-settings/get?tabs=HTTP&tryIt=true&source=docs#code-try-0). There is currently not a direct way to validate this in the Azure Portal, Azure CLI or PowerShell.
+
+## Bicep Visualizer
+
+![Bicep Visualizer](media/bicepVisualizer.png "Bicep Visualizer")

infra-as-code/bicep/orchestration/mgDiagSettingsAll/bicepconfig.json

@@ -0,0 +1,64 @@
+{
+  "analyzers": {
+    "core": {
+      "enabled": true,
+      "verbose": true,
+      "rules": {
+        "adminusername-should-not-be-literal": {
+          "level": "error"
+        },
+        "no-hardcoded-env-urls": {
+          "level": "error"
+        },
+        "no-unnecessary-dependson": {
+          "level": "error"
+        },
+        "no-unused-params": {
+          "level": "error"
+        },
+        "no-unused-vars": {
+          "level": "error"
+        },
+        "outputs-should-not-contain-secrets": {
+          "level": "error"
+        },
+        "prefer-interpolation": {
+          "level": "error"
+        },
+        "secure-parameter-default": {
+          "level": "error"
+        },
+        "simplify-interpolation": {
+          "level": "error"
+        },
+        "protect-commandtoexecute-secrets": {
+          "level": "error"
+        },
+        "use-stable-vm-image": {
+          "level": "error"
+        },
+        "explicit-values-for-loc-params": {
+          "level": "error"
+        },
+        "no-hardcoded-location": {
+          "level": "error"
+        },
+        "no-loc-expr-outside-params": {
+          "level": "error"
+        },
+        "max-outputs": {
+          "level": "error"
+        },
+        "max-params": {
+          "level": "error"
+        },
+        "max-resources": {
+          "level": "error"
+        },
+        "max-variables": {
+          "level": "error"
+        }
+      }
+    }
+  }
+}

infra-as-code/bicep/orchestration/mgDiagSettingsAll/mgDiagSettingsAll.bicep

@@ -0,0 +1,88 @@
+targetScope = 'tenant'
+
+@description('Prefix used for the management group hierarchy in the managementGroups module.')
+@minLength(2)
+@maxLength(10)
+param parTopLevelManagementGroupPrefix string = 'alz'
+
+@description('Dictionary Object to allow additional or different child Management Groups of the Landing Zones Management Group .')
+param parLandingZoneMgChildren array = []
+
+@description('Log Analytics Workspace Resource ID.')
+param parLogAnalyticsWorkspaceResourceId string
+
+@description('Deploys Corp & Online Management Groups beneath Landing Zones Management Group if set to true.')
+param parLandingZoneMgAlzDefaultsEnable bool = true
+
+@description('Deploys Confidential Corp & Confidential Online Management Groups beneath Landing Zones Management Group if set to true.')
+param parLandingZoneMgConfidentialEnable bool = false
+
+@description('Set Parameter to true to Opt-out of deployment telemetry')
+param parTelemetryOptOut bool = false
+
+var varMgIds = {
+  intRoot: parTopLevelManagementGroupPrefix
+  platform: '${parTopLevelManagementGroupPrefix}-platform'
+  platformManagement: '${parTopLevelManagementGroupPrefix}-platform-management'
+  platformConnectivity: '${parTopLevelManagementGroupPrefix}-platform-connectivity'
+  platformIdentity: '${parTopLevelManagementGroupPrefix}-platform-identity'
+  landingZones: '${parTopLevelManagementGroupPrefix}-landingzones'
+  decommissioned: '${parTopLevelManagementGroupPrefix}-decommissioned'
+  sandbox: '${parTopLevelManagementGroupPrefix}-sandbox'
+}
+
+// Used if parLandingZoneMgAlzDefaultsEnable == true
+var varLandingZoneMgChildrenAlzDefault = {
+  landingZonesCorp: '${parTopLevelManagementGroupPrefix}-landingzones-corp'
+  landingZonesOnline: '${parTopLevelManagementGroupPrefix}-landingzones-online'
+}
+
+// Used if parLandingZoneMgConfidentialEnable == true
+var varLandingZoneMgChildrenConfidential = {
+  landingZonesConfidentialCorp: '${parTopLevelManagementGroupPrefix}-landingzones-confidential-corp'
+  landingZonesConfidentialOnline: '${parTopLevelManagementGroupPrefix}-landingzones-confidential-online'
+}
+
+// Used if parLandingZoneMgConfidentialEnable not empty
+var varLandingZoneMgCustomChildren = [for customMg in parLandingZoneMgChildren: {
+  mgId: '${parTopLevelManagementGroupPrefix}-landingzones-${customMg}'
+}]
+
+// Build final object based on input parameters for default and confidential child MGs of LZs
+var varLandingZoneMgDefaultChildrenUnioned = (parLandingZoneMgAlzDefaultsEnable && parLandingZoneMgConfidentialEnable) ? union(varLandingZoneMgChildrenAlzDefault, varLandingZoneMgChildrenConfidential) : (parLandingZoneMgAlzDefaultsEnable && !parLandingZoneMgConfidentialEnable) ? varLandingZoneMgChildrenAlzDefault : (!parLandingZoneMgAlzDefaultsEnable && parLandingZoneMgConfidentialEnable) ? varLandingZoneMgChildrenConfidential : (!parLandingZoneMgAlzDefaultsEnable && !parLandingZoneMgConfidentialEnable) ? {} : {}
+
+// Customer Usage Attribution Id
+var varCuaid = 'f49c8dfb-c0ce-4ee0-b316-5e4844474dd0'
+
+module modMgDiagSet '../../modules/mgDiagSettings/mgDiagSettings.bicep' = [for mgId in items(varMgIds): {
+  scope: managementGroup(mgId.value)
+  name: 'mg-diag-set-${mgId.value}'
+  params: {
+    parLogAnalyticsWorkspaceResourceId: parLogAnalyticsWorkspaceResourceId
+  }
+}]
+
+// Default Children Landing Zone Management Groups
+module modMgLandingZonesDiagSet '../../modules/mgDiagSettings/mgDiagSettings.bicep' = [for childMg in items(varLandingZoneMgDefaultChildrenUnioned): {
+  scope: managementGroup(childMg.value)
+  name: 'mg-diag-set-${childMg.value}'
+  params: {
+    parLogAnalyticsWorkspaceResourceId: parLogAnalyticsWorkspaceResourceId
+  }
+}]
+
+// Custom Children Landing Zone Management Groups
+module modMgChildrenDiagSet '../../modules/mgDiagSettings/mgDiagSettings.bicep' = [for childMg in varLandingZoneMgCustomChildren: {
+  scope: managementGroup(childMg.mgId)
+  name: 'mg-diag-set-${childMg.mgId}'
+  params: {
+    parLogAnalyticsWorkspaceResourceId: parLogAnalyticsWorkspaceResourceId
+  }
+}]
+
+// Optional Deployment for Customer Usage Attribution
+module modCustomerUsageAttribution '../../CRML/customerUsageAttribution/cuaIdTenant.bicep' = if (!parTelemetryOptOut) {
+  #disable-next-line no-loc-expr-outside-params //Only to ensure telemetry data is stored in same location as deployment. See https://github.com/Azure/ALZ-Bicep/wiki/FAQ#why-are-some-linter-rules-disabled-via-the-disable-next-line-bicep-function for more information //Only to ensure telemetry data is stored in same location as deployment. See https://github.com/Azure/ALZ-Bicep/wiki/FAQ#why-are-some-linter-rules-disabled-via-the-disable-next-line-bicep-function for more information
+  name: 'pid-${varCuaid}-${uniqueString(deployment().location)}'
+  params: {}
+}

infra-as-code/bicep/orchestration/mgDiagSettingsAll/parameters/mgDiagSettingsAll.parameters.all.json

@@ -0,0 +1,24 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+  "contentVersion": "1.0.0.0",
+  "parameters": {
+    "parTopLevelManagementGroupPrefix": {
+      "value": "alz"
+    },
+    "parLandingZoneMgAlzDefaultsEnable": {
+      "value": true
+    },
+    "parLandingZoneMgConfidentialEnable": {
+      "value": false
+    },
+    "parLogAnalyticsWorkspaceResourceId": {
+      "value": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourcegroups/alz-logging/providers/microsoft.operationalinsights/workspaces/alz-log-analytics"
+    },
+    "parLandingZoneMgChildren": {
+      "value": []
+    },
+    "parTelemetryOptOut": {
+      "value": false
+    }
+  }
+}

infra-as-code/bicep/orchestration/mgDiagSettingsAll/parameters/mgDiagSettingsAll.parameters.min.json

@@ -0,0 +1,15 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+  "contentVersion": "1.0.0.0",
+  "parameters": {
+    "parTopLevelManagementGroupPrefix": {
+      "value": "alz"
+    },
+    "parLogAnalyticsWorkspaceResourceId": {
+      "value": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourcegroups/alz-logging/providers/microsoft.operationalinsights/workspaces/alz-log-analytics"
+    },
+    "parTelemetryOptOut": {
+      "value": false
+    }
+  }
+}

tests/pipelines/base-unit-validate.yml

@@ -14,214 +14,231 @@ variables:
     value: "sub-unit-test-pr-$(System.PullRequest.PullRequestNumber)"
 
 jobs:
-- job: bicep_validate
-  displayName: Validate Bicep Module Deployments for PR
-  pool: 
-    vmImage: ubuntu-latest
-  steps:
-  - task: Bash@3
-    displayName: Login to Azure
-    name: git_azlogin
-    inputs:
-      targetType: 'inline'
-      script: |
-        az login --service-principal --username $(azclilogin) --password $(azclipwd) --tenant $(azclitenant)
+  - job: bicep_validate
+    displayName: Validate Bicep Module Deployments for PR
+    pool:
+      vmImage: ubuntu-latest
+    steps:
+      - task: Bash@3
+        displayName: Login to Azure
+        name: git_azlogin
+        inputs:
+          targetType: "inline"
+          script: |
+            az login --service-principal --username $(azclilogin) --password $(azclipwd) --tenant $(azclitenant)
 
-  - task: Bash@3
-    displayName: Az CLI Create Subscription for PR
-    name: create_subscription
-    inputs:
-      targetType: 'inline'
-      script: |
-        subid=$(az deployment tenant create --name "deploy-$(SubscriptionName)" --location $(Location) --template-file infra-as-code/bicep/CRML/subscriptionAlias/subscriptionAlias.bicep --parameters @infra-as-code/bicep/CRML/subscriptionAlias/parameters/subscriptionAlias.parameters.min.json --parameters parSubscriptionBillingScope=$(ALZ-AZURE-SECRET-EA-BILLING-ACCOUNT) parSubscriptionName=$(SubscriptionName) | jq .properties.outputs.outSubscriptionId.value | tr -d '"')
-        echo $subId
-        echo "##vso[task.setvariable variable=subscriptionId]$subid"
-        
-  - task: Bash@3
-    displayName: Az CLI Refresh subscription list
-    name: refresh_subscription
-    inputs:
-      targetType: 'inline'
-      script: |
-        az account list --refresh        
-        
-  - task: Bash@3    
-    displayName: Az CLI Create Resource Group for PR
-    name: create_rsg
-    inputs:
-      targetType: 'inline'
-      script: |
-        az account set --subscription $(subscriptionId)
-        if [ $(az group exists --name $(ResourceGroupName) ) == false ]; then
-            sleep 300
-        fi
-        az deployment sub create --name "deploy-$(ResourceGroupName)" --template-file infra-as-code/bicep/modules/resourceGroup/resourceGroup.bicep --location $(Location) --parameters parLocation=$(Location) parResourceGroupName=$(ResourceGroupName)
+      - task: Bash@3
+        displayName: Az CLI Create Subscription for PR
+        name: create_subscription
+        inputs:
+          targetType: "inline"
+          script: |
+            subid=$(az deployment tenant create --name "deploy-$(SubscriptionName)" --location $(Location) --template-file infra-as-code/bicep/CRML/subscriptionAlias/subscriptionAlias.bicep --parameters @infra-as-code/bicep/CRML/subscriptionAlias/parameters/subscriptionAlias.parameters.min.json --parameters parSubscriptionBillingScope=$(ALZ-AZURE-SECRET-EA-BILLING-ACCOUNT) parSubscriptionName=$(SubscriptionName) | jq .properties.outputs.outSubscriptionId.value | tr -d '"')
+            echo $subId
+            echo "##vso[task.setvariable variable=subscriptionId]$subid"
 
-  - task: Bash@3     
-    displayName: Az CLI Deploy Management Groups for PR
-    name: create_mgs
-    inputs:
-      targetType: 'inline'
-      script: |
-        az deployment tenant create --template-file infra-as-code/bicep/modules/managementGroups/managementGroups.bicep --parameters @infra-as-code/bicep/modules/managementGroups/parameters/managementGroups.parameters.all.json parTopLevelManagementGroupPrefix=$(ManagementGroupPrefix) --location $(Location) --name $(ManagementGroupPrefix)
-  
-  - task: Bash@3  
-    displayName: Az CLI Validate Custom Role Definitions for PR
-    name: validate_rbac_roles
-    inputs:
-      targetType: 'inline'
-      script: |
-        az deployment mg validate --template-file infra-as-code/bicep/modules/customRoleDefinitions/customRoleDefinitions.bicep  --parameters @infra-as-code/bicep/modules/customRoleDefinitions/parameters/customRoleDefinitions.parameters.all.json parAssignableScopeManagementGroupId=$(ManagementGroupPrefix) --location $(Location) --management-group-id $(ManagementGroupPrefix) --name $(ManagementGroupPrefix)
-  
-  - task: Bash@3    
-    displayName: Az CLI Validate Custom Policy Definitions for PR
-    name: validate_policy_defs
-    inputs:
-      targetType: 'inline'
-      script: |
-        az deployment mg validate --template-file infra-as-code/bicep/modules/policy/definitions/customPolicyDefinitions.bicep  --parameters @infra-as-code/bicep/modules/policy/definitions/parameters/customPolicyDefinitions.parameters.all.json parTargetManagementGroupId=$(ManagementGroupPrefix) --location $(Location) --management-group-id $(ManagementGroupPrefix) --name $(ManagementGroupPrefix)
-  
-  - task: Bash@3    
-    displayName: Az CLI Validate Logging for PR
-    name: validate_logging
-    inputs:
-      targetType: 'inline'
-      script: |
-        az deployment group validate --resource-group $(ResourceGroupName) --template-file infra-as-code/bicep/modules/logging/logging.bicep --parameters @infra-as-code/bicep/modules/logging/parameters/logging.parameters.all.json --name $(ManagementGroupPrefix)
+      - task: Bash@3
+        displayName: Az CLI Refresh subscription list
+        name: refresh_subscription
+        inputs:
+          targetType: "inline"
+          script: |
+            az account list --refresh
 
-  - task: Bash@3    
-    displayName: Az CLI Validate Subscription Placement for PR
-    name: move_sub
-    inputs:
-      targetType: 'inline'
-      script: |
-        az deployment mg validate --template-file infra-as-code/bicep/modules/subscriptionPlacement/subscriptionPlacement.bicep --parameters @infra-as-code/bicep/modules/subscriptionPlacement/parameters/subscriptionPlacement.parameters.all.json parTargetManagementGroupId=$(ManagementGroupPrefix)-platform-connectivity parSubscriptionIds='["$(subscriptionId)"]' --location $(Location) --management-group-id $(ManagementGroupPrefix) --name $(ManagementGroupPrefix)
+      - task: Bash@3
+        displayName: Az CLI Create Resource Group for PR
+        name: create_rsg
+        inputs:
+          targetType: "inline"
+          script: |
+            az account set --subscription $(subscriptionId)
+            if [ $(az group exists --name $(ResourceGroupName) ) == false ]; then
+                sleep 300
+            fi
+            az deployment sub create --name "deploy-$(ResourceGroupName)" --template-file infra-as-code/bicep/modules/resourceGroup/resourceGroup.bicep --location $(Location) --parameters parLocation=$(Location) parResourceGroupName=$(ResourceGroupName)
 
-  - task: Bash@3    
-    displayName: Az CLI Validate Alz Default policy assignments
-    name: validate_alz_default_policy_assign
-    inputs:
-      targetType: 'inline'
-      script: |
-        az deployment mg validate --template-file infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep --parameters @infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.all.json parTopLevelManagementGroupPrefix=$(ManagementGroupPrefix) --location $(Location) --management-group-id $(ManagementGroupPrefix) --name $(ManagementGroupPrefix)
+      - task: Bash@3
+        displayName: Az CLI Register Resource Providers for PR
+        name: register_providers
+        inputs:
+          targetType: "inline"
+          script: |
+            az account set --subscription $(subscriptionId)
+            az provider register -n 'Microsoft.Insights'
 
-  - task: Bash@3    
-    displayName: Az CLI Validate Hub Networking for PR
-    name: validate_hub_network
-    inputs:
-      targetType: 'inline'
-      script: |
-        az deployment group validate --resource-group $(ResourceGroupName) --template-file infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep --parameters @infra-as-code/bicep/modules/hubNetworking/parameters/hubNetworking.parameters.all.json --name $(ManagementGroupPrefix)
 
-  - task: Bash@3    
-    displayName: Az CLI Validate vWan Networking for PR
-    name: validate_vwan_network
-    inputs:
-      targetType: 'inline'
-      script: |
-        az deployment group validate --resource-group $(ResourceGroupName) --template-file infra-as-code/bicep/modules/vwanConnectivity/vwanConnectivity.bicep --parameters @infra-as-code/bicep/modules/vwanConnectivity/parameters/vwanConnectivity.parameters.all.json --name $(ManagementGroupPrefix)
+      - task: Bash@3
+        displayName: Az CLI Deploy Management Groups for PR
+        name: create_mgs
+        inputs:
+          targetType: "inline"
+          script: |
+            az deployment tenant create --template-file infra-as-code/bicep/modules/managementGroups/managementGroups.bicep --parameters @infra-as-code/bicep/modules/managementGroups/parameters/managementGroups.parameters.all.json parTopLevelManagementGroupPrefix=$(ManagementGroupPrefix) --location $(Location) --name $(ManagementGroupPrefix)
 
-  - task: Bash@3              
-    displayName: Az CLI Validate Spoke Networking for PR
-    name: validate_spoke_network
-    inputs:
-      targetType: 'inline'
-      script: |
-        az deployment group validate --resource-group $(ResourceGroupName) --template-file infra-as-code/bicep/modules/spokeNetworking/spokeNetworking.bicep --name $(ManagementGroupPrefix)
+      - task: Bash@3
+        displayName: Az CLI Validate Custom Role Definitions for PR
+        name: validate_rbac_roles
+        inputs:
+          targetType: "inline"
+          script: |
+            az deployment mg validate --template-file infra-as-code/bicep/modules/customRoleDefinitions/customRoleDefinitions.bicep  --parameters @infra-as-code/bicep/modules/customRoleDefinitions/parameters/customRoleDefinitions.parameters.all.json parAssignableScopeManagementGroupId=$(ManagementGroupPrefix) --location $(Location) --management-group-id $(ManagementGroupPrefix) --name $(ManagementGroupPrefix)
 
-  - task: Bash@3    
-    displayName: Az CLI Validate vWan Network connection for PR
-    name: validate_vwan_network_connection
-    inputs:
-      targetType: 'inline'
-      script: |
-        az deployment sub validate --location $(Location) --template-file infra-as-code/bicep/modules/vnetPeeringVwan/vnetPeeringVwan.bicep --parameters @infra-as-code/bicep/modules/vnetPeeringVwan/parameters/vnetPeeringVwan.parameters.all.json parVirtualWanHubResourceId="/subscriptions/$(subscriptionId)/resourceGroups/$(ResourceGroupName)/providers/Microsoft.Network/virtualHubs/alz-vhub-$(Location)"  parRemoteVirtualNetworkResourceId="/subscriptions/$(subscriptionId)/resourceGroups/$(ResourceGroupName)/providers/Microsoft.Network/virtualNetworks/vnet-spoke" --name $(ManagementGroupPrefix)
+      - task: Bash@3
+        displayName: Az CLI Validate Custom Policy Definitions for PR
+        name: validate_policy_defs
+        inputs:
+          targetType: "inline"
+          script: |
+            az deployment mg validate --template-file infra-as-code/bicep/modules/policy/definitions/customPolicyDefinitions.bicep  --parameters @infra-as-code/bicep/modules/policy/definitions/parameters/customPolicyDefinitions.parameters.all.json parTargetManagementGroupId=$(ManagementGroupPrefix) --location $(Location) --management-group-id $(ManagementGroupPrefix) --name $(ManagementGroupPrefix)
 
-  - task: Bash@3    
-    displayName: Az CLI Validate vNet Peer for PR
-    name: validate_vnet_peer_spoke_2_hub
-    inputs:
-      targetType: 'inline'
-      script: |
-        az deployment group validate --resource-group $(ResourceGroupName) --template-file infra-as-code/bicep/modules/vnetPeering/vnetPeering.bicep --parameters parDestinationVirtualNetworkId="/subscriptions/$(subscriptionId)/resourceGroups/$(ResourceGroupName)/providers/Microsoft.Network/virtualNetworks/alz-hub-$(Location)"  parSourceVirtualNetworkName="vnet-spoke" parDestinationVirtualNetworkName="alz-hub-$(Location)" --name $(ManagementGroupPrefix)
+      - task: Bash@3
+        displayName: Az CLI Deploy Logging for PR
+        name: create_logging
+        inputs:
+          targetType: "inline"
+          script: |
+            az deployment group create --resource-group $(ResourceGroupName) --template-file infra-as-code/bicep/modules/logging/logging.bicep --parameters @infra-as-code/bicep/modules/logging/parameters/logging.parameters.min.json
 
-  - task: Bash@3    
-    displayName: Az CLI Validate Private DNS Zones
-    name: validate_private_dns
-    inputs:
-      targetType: 'inline'
-      script: |
-        az deployment group validate --resource-group $(ResourceGroupName) --template-file infra-as-code/bicep/modules/privateDnsZones/privateDnsZones.bicep --parameters @infra-as-code/bicep/modules/privateDnsZones/parameters/privateDnsZones.parameters.all.json --name $(ManagementGroupPrefix)
+      - task: Bash@3
+        displayName: Az CLI Validate mgDiagSettingsAll for PR
+        name: create_mgDiagSettingsAll
+        inputs:
+          targetType: "inline"
+          script: |
+            az deployment tenant validate --template-file infra-as-code/bicep/orchestration/mgDiagSettingsAll/mgDiagSettingsAll.bicep --parameters @infra-as-code/bicep/orchestration/mgDiagSettingsAll/parameters/mgDiagSettingsAll.parameters.min.json parTopLevelManagementGroupPrefix="$(ManagementGroupPrefix)" parLogAnalyticsWorkspaceResourceId="/subscriptions/$(subscriptionId)/resourceGroups/$(ResourceGroupName)/providers/Microsoft.OperationalInsights/workspaces/alz-log-analytics" --location $(Location)
 
-  - task: Bash@3    
-    displayName: Az CLI Validate Public IP
-    name: validate_public_ip
-    inputs:
-      targetType: 'inline'
-      script: |
-        az deployment group validate --resource-group $(ResourceGroupName) --template-file infra-as-code/bicep/modules/publicIp/publicIp.bicep --parameters @infra-as-code/bicep/modules/publicIp/parameters/publicIp.parameters.min.json --name $(ManagementGroupPrefix)
+      - task: Bash@3
+        displayName: Az CLI Validate Subscription Placement for PR
+        name: move_sub
+        inputs:
+          targetType: "inline"
+          script: |
+            az deployment mg validate --template-file infra-as-code/bicep/modules/subscriptionPlacement/subscriptionPlacement.bicep --parameters @infra-as-code/bicep/modules/subscriptionPlacement/parameters/subscriptionPlacement.parameters.all.json parTargetManagementGroupId=$(ManagementGroupPrefix)-platform-connectivity parSubscriptionIds='["$(subscriptionId)"]' --location $(Location) --management-group-id $(ManagementGroupPrefix) --name $(ManagementGroupPrefix)
 
-  - task: Bash@3    
-    displayName: Az CLI Validate Role Assignment to single Management Group
-    name: validate_role_assign_single_mg
-    inputs:
-      targetType: 'inline'
-      script: |
-        az deployment mg validate --template-file infra-as-code/bicep/modules/roleAssignments/roleAssignmentManagementGroup.bicep --parameters @infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroup.managedIdentity.parameters.all.json --location $(Location) --management-group-id $(ManagementGroupPrefix) --name $(ManagementGroupPrefix)
+      - task: Bash@3
+        displayName: Az CLI Validate Alz Default policy assignments
+        name: validate_alz_default_policy_assign
+        inputs:
+          targetType: "inline"
+          script: |
+            az deployment mg validate --template-file infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep --parameters @infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.all.json parTopLevelManagementGroupPrefix=$(ManagementGroupPrefix) --location $(Location) --management-group-id $(ManagementGroupPrefix) --name $(ManagementGroupPrefix)
 
-  - task: Bash@3    
-    displayName: Az CLI Validate Role Assignment to multiple Management Groups
-    name: validate_role_assign_multiple_mg
-    inputs:
-      targetType: 'inline'
-      script: |
-        az deployment mg validate --template-file infra-as-code/bicep/modules/roleAssignments/roleAssignmentManagementGroupMany.bicep --parameters @infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroupMany.managedIdentity.parameters.all.json parManagementGroupIds='("$(ManagementGroupPrefix)-landingzones", "$(ManagementGroupPrefix)-platform")' --location $(Location) --management-group-id $(ManagementGroupPrefix) --name $(ManagementGroupPrefix)
+      - task: Bash@3
+        displayName: Az CLI Validate Hub Networking for PR
+        name: validate_hub_network
+        inputs:
+          targetType: "inline"
+          script: |
+            az deployment group validate --resource-group $(ResourceGroupName) --template-file infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep --parameters @infra-as-code/bicep/modules/hubNetworking/parameters/hubNetworking.parameters.all.json --name $(ManagementGroupPrefix)
 
-  - task: Bash@3    
-    displayName: Az CLI Validate Role Assignment to single subscription
-    name: validate_role_assign_single_subscription
-    inputs:
-      targetType: 'inline'
-      script: |
-        az deployment sub validate --template-file infra-as-code/bicep/modules/roleAssignments/roleAssignmentSubscription.bicep --parameters @infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscription.managedIdentity.parameters.all.json --location $(Location) --name $(ManagementGroupPrefix)
+      - task: Bash@3
+        displayName: Az CLI Validate vWan Networking for PR
+        name: validate_vwan_network
+        inputs:
+          targetType: "inline"
+          script: |
+            az deployment group validate --resource-group $(ResourceGroupName) --template-file infra-as-code/bicep/modules/vwanConnectivity/vwanConnectivity.bicep --parameters @infra-as-code/bicep/modules/vwanConnectivity/parameters/vwanConnectivity.parameters.all.json --name $(ManagementGroupPrefix)
 
-  - task: Bash@3    
-    displayName: Az CLI Validate Role Assignment to multiple subscriptions
-    name: validate_role_assign_multiple_subscription
-    inputs:
-      targetType: 'inline'
-      script: |
-        az deployment mg validate --template-file infra-as-code/bicep/modules/roleAssignments/roleAssignmentSubscriptionMany.bicep --parameters @infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscriptionMany.managedIdentity.parameters.all.json parSubscriptionIds='("$(subscriptionId)","$(azvalidatesubscription)")' --location $(Location) --management-group-id $(ManagementGroupPrefix) --name $(ManagementGroupPrefix)
+      - task: Bash@3
+        displayName: Az CLI Validate Spoke Networking for PR
+        name: validate_spoke_network
+        inputs:
+          targetType: "inline"
+          script: |
+            az deployment group validate --resource-group $(ResourceGroupName) --template-file infra-as-code/bicep/modules/spokeNetworking/spokeNetworking.bicep --name $(ManagementGroupPrefix)
 
-  - task: Bash@3    
-    displayName: Az CLI Validate hub peered spoke orchestration module
-    name: validate_hub_peer_spoke
-    inputs:
-      targetType: 'inline'
-      script: |
-        az deployment mg validate --template-file infra-as-code/bicep/orchestration/hubPeeredSpoke/hubPeeredSpoke.bicep --parameters @infra-as-code/bicep/orchestration/hubPeeredSpoke/parameters/hubPeeredSpoke.parameters.all.json parPeeredVnetSubscriptionId="$(subscriptionId)" parHubVirtualNetworkId="/subscriptions/$(subscriptionId)/resourceGroups/$(ResourceGroupName)/providers/Microsoft.Network/virtualNetworks/alz-hub-$(Location)" parTopLevelManagementGroupPrefix="$(ManagementGroupPrefix)" --location $(Location) --management-group-id $(ManagementGroupPrefix) --name $(ManagementGroupPrefix)
+      - task: Bash@3
+        displayName: Az CLI Validate vWan Network connection for PR
+        name: validate_vwan_network_connection
+        inputs:
+          targetType: "inline"
+          script: |
+            az deployment sub validate --location $(Location) --template-file infra-as-code/bicep/modules/vnetPeeringVwan/vnetPeeringVwan.bicep --parameters @infra-as-code/bicep/modules/vnetPeeringVwan/parameters/vnetPeeringVwan.parameters.all.json parVirtualWanHubResourceId="/subscriptions/$(subscriptionId)/resourceGroups/$(ResourceGroupName)/providers/Microsoft.Network/virtualHubs/alz-vhub-$(Location)"  parRemoteVirtualNetworkResourceId="/subscriptions/$(subscriptionId)/resourceGroups/$(ResourceGroupName)/providers/Microsoft.Network/virtualNetworks/vnet-spoke" --name $(ManagementGroupPrefix)
 
-  - task: Bash@3    
-    displayName: Az CLI Validate subPlacementAll orchestration module
-    name: validate_sub_placement_all
-    inputs:
-      targetType: 'inline'
-      script: |
-        az deployment mg validate --template-file infra-as-code/bicep/orchestration/subPlacementAll/subPlacementAll.bicep --parameters @infra-as-code/bicep/orchestration/subPlacementAll/parameters/subPlacementAll.parameters.all.json parTopLevelManagementGroupPrefix="$(ManagementGroupPrefix)" parPlatformConnectivityMgSubs='["$(subscriptionId)"]' --location $(Location) --management-group-id $(ManagementGroupPrefix) --name "$(ManagementGroupPrefix)-subPlacement"
+      - task: Bash@3
+        displayName: Az CLI Validate vNet Peer for PR
+        name: validate_vnet_peer_spoke_2_hub
+        inputs:
+          targetType: "inline"
+          script: |
+            az deployment group validate --resource-group $(ResourceGroupName) --template-file infra-as-code/bicep/modules/vnetPeering/vnetPeering.bicep --parameters parDestinationVirtualNetworkId="/subscriptions/$(subscriptionId)/resourceGroups/$(ResourceGroupName)/providers/Microsoft.Network/virtualNetworks/alz-hub-$(Location)"  parSourceVirtualNetworkName="vnet-spoke" parDestinationVirtualNetworkName="alz-hub-$(Location)" --name $(ManagementGroupPrefix)
 
-- job: bicep_cleanup
-  dependsOn: bicep_validate
-  displayName: Cleanup Bicep Validate Deployment for PR
-  pool: 
-    vmImage: ubuntu-latest
-  steps:
-  - task: AzurePowerShell@5
-    displayName: Az CLI Remove/Cleanup Deployment
-    inputs:
-      azureSubscription: 'azserviceconnection'
-      ScriptType: 'FilePath'
-      ScriptPath: '.github/scripts/Wipe-AlzTenant.ps1'
-      ScriptArguments: '-tenantRootGroupID $(azclitenant) -intermediateRootGroupID "$(ManagementGroupPrefix)" -subscriptionName "$(SubscriptionName)"'
-      azurePowerShellVersion: 'LatestVersion'
-      pwsh: true
+      - task: Bash@3
+        displayName: Az CLI Validate Private DNS Zones
+        name: validate_private_dns
+        inputs:
+          targetType: "inline"
+          script: |
+            az deployment group validate --resource-group $(ResourceGroupName) --template-file infra-as-code/bicep/modules/privateDnsZones/privateDnsZones.bicep --parameters @infra-as-code/bicep/modules/privateDnsZones/parameters/privateDnsZones.parameters.all.json --name $(ManagementGroupPrefix)
 
+      - task: Bash@3
+        displayName: Az CLI Validate Public IP
+        name: validate_public_ip
+        inputs:
+          targetType: "inline"
+          script: |
+            az deployment group validate --resource-group $(ResourceGroupName) --template-file infra-as-code/bicep/modules/publicIp/publicIp.bicep --parameters @infra-as-code/bicep/modules/publicIp/parameters/publicIp.parameters.min.json --name $(ManagementGroupPrefix)
+
+      - task: Bash@3
+        displayName: Az CLI Validate Role Assignment to single Management Group
+        name: validate_role_assign_single_mg
+        inputs:
+          targetType: "inline"
+          script: |
+            az deployment mg validate --template-file infra-as-code/bicep/modules/roleAssignments/roleAssignmentManagementGroup.bicep --parameters @infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroup.managedIdentity.parameters.all.json --location $(Location) --management-group-id $(ManagementGroupPrefix) --name $(ManagementGroupPrefix)
+
+      - task: Bash@3
+        displayName: Az CLI Validate Role Assignment to multiple Management Groups
+        name: validate_role_assign_multiple_mg
+        inputs:
+          targetType: "inline"
+          script: |
+            az deployment mg validate --template-file infra-as-code/bicep/modules/roleAssignments/roleAssignmentManagementGroupMany.bicep --parameters @infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroupMany.managedIdentity.parameters.all.json parManagementGroupIds='("$(ManagementGroupPrefix)-landingzones", "$(ManagementGroupPrefix)-platform")' --location $(Location) --management-group-id $(ManagementGroupPrefix) --name $(ManagementGroupPrefix)
+
+      - task: Bash@3
+        displayName: Az CLI Validate Role Assignment to single subscription
+        name: validate_role_assign_single_subscription
+        inputs:
+          targetType: "inline"
+          script: |
+            az deployment sub validate --template-file infra-as-code/bicep/modules/roleAssignments/roleAssignmentSubscription.bicep --parameters @infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscription.managedIdentity.parameters.all.json --location $(Location) --name $(ManagementGroupPrefix)
+
+      - task: Bash@3
+        displayName: Az CLI Validate Role Assignment to multiple subscriptions
+        name: validate_role_assign_multiple_subscription
+        inputs:
+          targetType: "inline"
+          script: |
+            az deployment mg validate --template-file infra-as-code/bicep/modules/roleAssignments/roleAssignmentSubscriptionMany.bicep --parameters @infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscriptionMany.managedIdentity.parameters.all.json parSubscriptionIds='("$(subscriptionId)","$(azvalidatesubscription)")' --location $(Location) --management-group-id $(ManagementGroupPrefix) --name $(ManagementGroupPrefix)
+
+      - task: Bash@3
+        displayName: Az CLI Validate hub peered spoke orchestration module
+        name: validate_hub_peer_spoke
+        inputs:
+          targetType: "inline"
+          script: |
+            az deployment mg validate --template-file infra-as-code/bicep/orchestration/hubPeeredSpoke/hubPeeredSpoke.bicep --parameters @infra-as-code/bicep/orchestration/hubPeeredSpoke/parameters/hubPeeredSpoke.parameters.all.json parPeeredVnetSubscriptionId="$(subscriptionId)" parHubVirtualNetworkId="/subscriptions/$(subscriptionId)/resourceGroups/$(ResourceGroupName)/providers/Microsoft.Network/virtualNetworks/alz-hub-$(Location)" parTopLevelManagementGroupPrefix="$(ManagementGroupPrefix)" --location $(Location) --management-group-id $(ManagementGroupPrefix) --name $(ManagementGroupPrefix)
+
+      - task: Bash@3
+        displayName: Az CLI Validate subPlacementAll orchestration module
+        name: validate_sub_placement_all
+        inputs:
+          targetType: "inline"
+          script: |
+            az deployment mg validate --template-file infra-as-code/bicep/orchestration/subPlacementAll/subPlacementAll.bicep --parameters @infra-as-code/bicep/orchestration/subPlacementAll/parameters/subPlacementAll.parameters.all.json parTopLevelManagementGroupPrefix="$(ManagementGroupPrefix)" parPlatformConnectivityMgSubs='["$(subscriptionId)"]' --location $(Location) --management-group-id $(ManagementGroupPrefix) --name "$(ManagementGroupPrefix)-subPlacement"
+
+  - job: bicep_cleanup
+    dependsOn: bicep_validate
+    displayName: Cleanup Bicep Validate Deployment for PR
+    pool:
+      vmImage: ubuntu-latest
+    steps:
+      - task: AzurePowerShell@5
+        displayName: Az CLI Remove/Cleanup Deployment
+        inputs:
+          azureSubscription: "azserviceconnection"
+          ScriptType: "FilePath"
+          ScriptPath: ".github/scripts/Wipe-AlzTenant.ps1"
+          ScriptArguments: '-tenantRootGroupID $(azclitenant) -intermediateRootGroupID "$(ManagementGroupPrefix)" -subscriptionName "$(SubscriptionName)"'
+          azurePowerShellVersion: "LatestVersion"
+          pwsh: true

tests/pipelines/bicep-build-to-validate.yml

@@ -14,270 +14,294 @@ variables:
     value: "sub-unit-test-pr-$(System.PullRequest.PullRequestNumber)"
 
 jobs:
-- job: bicep_deploy
-  displayName: Deploy Bicep Files for PR
-  pool: 
-    vmImage: ubuntu-latest
-  steps:
-  - task: Bash@3
-    displayName: Check for managementGroup Changes
-    name: git_management_diff
-    inputs:
-      targetType: 'inline'
-      script: |
-          git_diff1=$(git diff --name-only HEAD^ HEAD infra-as-code/bicep/modules/managementGroups/managementGroups.bicep)
-          git_diff2=$(git diff --name-only HEAD^ HEAD infra-as-code/bicep/modules/customRoleDefinitions/customRoleDefinitions.bicep)
-          git_diff3=$(git diff --name-only HEAD^ HEAD infra-as-code/bicep/modules/policy/definitions/customPolicyDefinitions.bicep)
-          git_diff4=$(git diff --name-only HEAD^ HEAD infra-as-code/bicep/modules/policy/assignments/policyAssignmentManagementGroup.bicep)
-          git_diff5=$(git diff --name-only HEAD^ HEAD infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep)
-          git_diff6=$(git diff --name-only HEAD^ HEAD infra-as-code/bicep/modules/subscriptionPlacement/subscriptionPlacement.bicep)
-          git_diff7=$(git diff --name-only HEAD^ HEAD infra-as-code/bicep/modules/roleAssignments/roleAssignmentManagementGroup.bicep)
-          git_diff8=$(git diff --name-only HEAD^ HEAD infra-as-code/bicep/orchestration/subPlacementAll/subPlacementAll.bicep)
-          if [[ $git_diff1 != '' ]] || [[ $git_diff2 != '' ]] || [[ $git_diff3 != '' ]] || [[ $git_diff4 != '' ]] || [[ $git_diff5 != '' ]] || [[ $git_diff6 != '' ]] || [[ $git_diff7 != '' ]] || [[ $git_diff8 != '' ]]
-            then echo "##vso[task.setvariable variable=gitManagementOutput]setmgmt"
-          fi
-          echo 
+  - job: bicep_deploy
+    displayName: Deploy Bicep Files for PR
+    pool:
+      vmImage: ubuntu-latest
+    steps:
+      - task: Bash@3
+        displayName: Check for managementGroup Changes
+        name: git_management_diff
+        inputs:
+          targetType: "inline"
+          script: |
+            git_diff1=$(git diff --name-only HEAD^ HEAD infra-as-code/bicep/modules/managementGroups/managementGroups.bicep)
+            git_diff2=$(git diff --name-only HEAD^ HEAD infra-as-code/bicep/modules/customRoleDefinitions/customRoleDefinitions.bicep)
+            git_diff3=$(git diff --name-only HEAD^ HEAD infra-as-code/bicep/modules/policy/definitions/customPolicyDefinitions.bicep)
+            git_diff4=$(git diff --name-only HEAD^ HEAD infra-as-code/bicep/modules/policy/assignments/policyAssignmentManagementGroup.bicep)
+            git_diff5=$(git diff --name-only HEAD^ HEAD infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep)
+            git_diff6=$(git diff --name-only HEAD^ HEAD infra-as-code/bicep/modules/roleAssignments/roleAssignmentManagementGroup.bicep)
+            git_diff7=$(git diff --name-only HEAD^ HEAD infra-as-code/bicep/modules/subscriptionPlacement/subscriptionPlacement.bicep)
+            git_diff8=$(git diff --name-only HEAD^ HEAD infra-as-code/bicep/orchestration/subPlacementAll/subPlacementAll.bicep)
+            git_diff9=$(git diff --name-only HEAD^ HEAD infra-as-code/bicep/modules/mgDiagSettings/mgDiagSettings.bicep)
+            git_diff10=$(git diff --name-only HEAD^ HEAD infra-as-code/bicep/orchestration/mgDiagSettingsAll/mgDiagSettingsAll.bicep)
+            if [[ $git_diff1 != '' ]] || [[ $git_diff2 != '' ]] || [[ $git_diff3 != '' ]] || [[ $git_diff4 != '' ]] || [[ $git_diff5 != '' ]] || [[ $git_diff6 != '' ]] || [[ $git_diff7 != '' ]] || [[ $git_diff8 != '' ]] || [[ $git_diff9 != '' ]] || [[ $git_diff10 != '' ]]
+              then echo "##vso[task.setvariable variable=gitManagementOutput]setmgmt"
+            fi
+            echo
 
-  - task: Bash@3
-    displayName: Check for logging Changes
-    name: git_logging_diff
-    inputs:
-      targetType: 'inline'
-      script: |
-          git_logging=$(git diff --name-only HEAD^ HEAD infra-as-code/bicep/modules/logging/logging.bicep)
-          echo "##vso[task.setvariable variable=gitLoggingOUTPUT]$git_logging"
+      - task: Bash@3
+        displayName: Check for logging Changes
+        name: git_logging_diff
+        inputs:
+          targetType: "inline"
+          script: |
+            git_diff_logging1=$(git diff --name-only HEAD^ HEAD infra-as-code/bicep/modules/logging/logging.bicep)
+            git_diff_logging2=$(git diff --name-only HEAD^ HEAD infra-as-code/bicep/modules/mgDiagSettings/mgDiagSettings.bicep)
+            git_diff_logging3=$(git diff --name-only HEAD^ HEAD infra-as-code/bicep/orchestration/mgDiagSettingsAll/mgDiagSettingsAll.bicep)
+            if [[ $git_diff_logging1 != '' ]] || [[ $git_diff_logging2 != '' ]] || [[ $git_diff_logging3 != '' ]]
+              then echo "##vso[task.setvariable variable=gitLoggingOUTPUT]setlogging"
+            fi
+            echo
 
-  - task: Bash@3
-    displayName: Check for hubNetworking Changes
-    name: git_hubnetworking_diff
-    inputs:
-      targetType: 'inline'
-      script: |
-          git_hub=$(git diff --name-only HEAD^ HEAD infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep)
-          echo "##vso[task.setvariable variable=gitHubOUTPUT]$git_hub"
+      - task: Bash@3
+        displayName: Check for hubNetworking Changes
+        name: git_hubnetworking_diff
+        inputs:
+          targetType: "inline"
+          script: |
+            git_hub=$(git diff --name-only HEAD^ HEAD infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep)
+            echo "##vso[task.setvariable variable=gitHubOUTPUT]$git_hub"
 
-  - task: Bash@3
-    displayName: Check for virtual network peer Changes
-    name: git_vnetpeer_diff
-    inputs:
-      targetType: 'inline'
-      script: |
-          git_vnetpeer=$(git diff --name-only HEAD^ HEAD infra-as-code/bicep/modules/vnetPeering ':(exclude)*.md' ':(exclude)*.png')
-          echo "##vso[task.setvariable variable=gitVnetPeerOUTPUT]$git_vnetpeer"
+      - task: Bash@3
+        displayName: Check for virtual network peer Changes
+        name: git_vnetpeer_diff
+        inputs:
+          targetType: "inline"
+          script: |
+            git_vnetpeer=$(git diff --name-only HEAD^ HEAD infra-as-code/bicep/modules/vnetPeering ':(exclude)*.md' ':(exclude)*.png')
+            echo "##vso[task.setvariable variable=gitVnetPeerOUTPUT]$git_vnetpeer"
 
-  - task: Bash@3
-    displayName: Check for vwanNetworking Changes
-    name: git_vwannetworking_diff
-    inputs:
-      targetType: 'inline'
-      script: |
-          git_vwan=$(git diff --name-only HEAD^ HEAD infra-as-code/bicep/modules/vwanConnectivity/vwanConnectivity.bicep )
-          echo "##vso[task.setvariable variable=gitVwanOUTPUT]$git_vwan"
+      - task: Bash@3
+        displayName: Check for vwanNetworking Changes
+        name: git_vwannetworking_diff
+        inputs:
+          targetType: "inline"
+          script: |
+            git_vwan=$(git diff --name-only HEAD^ HEAD infra-as-code/bicep/modules/vwanConnectivity/vwanConnectivity.bicep )
+            echo "##vso[task.setvariable variable=gitVwanOUTPUT]$git_vwan"
 
-  - task: Bash@3
-    displayName: Check for vwanNetwork Connection Changes
-    name: git_vwannetworkconnection_diff
-    inputs:
-      targetType: 'inline'
-      script: |
-          git_vwannwc=$(git diff --name-only HEAD^ HEAD infra-as-code/bicep/modules/vnetPeeringVwan ':(exclude)*.md' ':(exclude)*.png')
-          echo "##vso[task.setvariable variable=gitVwanNwcOUTPUT]$git_vwannwc"
+      - task: Bash@3
+        displayName: Check for vwanNetwork Connection Changes
+        name: git_vwannetworkconnection_diff
+        inputs:
+          targetType: "inline"
+          script: |
+            git_vwannwc=$(git diff --name-only HEAD^ HEAD infra-as-code/bicep/modules/vnetPeeringVwan ':(exclude)*.md' ':(exclude)*.png')
+            echo "##vso[task.setvariable variable=gitVwanNwcOUTPUT]$git_vwannwc"
 
-  - task: Bash@3
-    displayName: Check for spokeNetworking Changes
-    name: git_spokenetworking_diff
-    inputs:
-      targetType: 'inline'
-      script: |
-        git_spoke=$(git diff --name-only HEAD^ HEAD infra-as-code/bicep/modules/spokeNetworking/spokeNetworking.bicep)
-        echo "gitSpokeOUTPUT=$git_spoke" >> $GITHUB_ENV
-        echo "##vso[task.setvariable variable=gitSpokeOUTPUT]$git_spoke"
+      - task: Bash@3
+        displayName: Check for spokeNetworking Changes
+        name: git_spokenetworking_diff
+        inputs:
+          targetType: "inline"
+          script: |
+            git_spoke=$(git diff --name-only HEAD^ HEAD infra-as-code/bicep/modules/spokeNetworking/spokeNetworking.bicep)
+            echo "gitSpokeOUTPUT=$git_spoke" >> $GITHUB_ENV
+            echo "##vso[task.setvariable variable=gitSpokeOUTPUT]$git_spoke"
 
-  - task: Bash@3
-    displayName: Login to Azure
-    name: git_azlogin
-    inputs:
-      targetType: 'inline'
-      script: |
-        az login --service-principal --username $(azclilogin) --password $(azclipwd) --tenant $(azclitenant)
+      - task: Bash@3
+        displayName: Login to Azure
+        name: git_azlogin
+        inputs:
+          targetType: "inline"
+          script: |
+            az login --service-principal --username $(azclilogin) --password $(azclipwd) --tenant $(azclitenant)
 
-  - task: Bash@3
-    displayName: Az CLI Create Subscription for PR
-    name: create_subscription
-    condition: or(ne(variables['gitManagementOUTPUT'], ''), ne(variables['gitLoggingOUTPUT'], ''), ne(variables['gitSpokeOUTPUT'], ''), ne(variables['gitHubOUTPUT'], ''), ne(variables['gitVwanOUTPUT'], ''), ne(variables['gitVwanNwcOUTPUT'], ''), ne(variables['gitVnetPeerOUTPUT'], ''))
-    inputs:
-      targetType: 'inline'
-      script: |
-        subid=$(az deployment tenant create --name "deploy-$(SubscriptionName)" --location $(Location) --template-file infra-as-code/bicep/CRML/subscriptionAlias/subscriptionAlias.bicep --parameters @infra-as-code/bicep/CRML/subscriptionAlias/parameters/subscriptionAlias.parameters.min.json --parameters parSubscriptionBillingScope=$(ALZ-AZURE-SECRET-EA-BILLING-ACCOUNT) parSubscriptionName=$(SubscriptionName) | jq .properties.outputs.outSubscriptionId.value | tr -d '"')
-        echo $subId
-        echo "##vso[task.setvariable variable=subscriptionId]$subid"
-        echo "##vso[task.setvariable variable=IsDeployed;isoutput=true]$subid"
+      - task: Bash@3
+        displayName: Az CLI Create Subscription for PR
+        name: create_subscription
+        condition: or(ne(variables['gitManagementOUTPUT'], ''), ne(variables['gitLoggingOUTPUT'], ''), ne(variables['gitSpokeOUTPUT'], ''), ne(variables['gitHubOUTPUT'], ''), ne(variables['gitVwanOUTPUT'], ''), ne(variables['gitVwanNwcOUTPUT'], ''), ne(variables['gitVnetPeerOUTPUT'], ''))
+        inputs:
+          targetType: "inline"
+          script: |
+            subid=$(az deployment tenant create --name "deploy-$(SubscriptionName)" --location $(Location) --template-file infra-as-code/bicep/CRML/subscriptionAlias/subscriptionAlias.bicep --parameters @infra-as-code/bicep/CRML/subscriptionAlias/parameters/subscriptionAlias.parameters.min.json --parameters parSubscriptionBillingScope=$(ALZ-AZURE-SECRET-EA-BILLING-ACCOUNT) parSubscriptionName=$(SubscriptionName) | jq .properties.outputs.outSubscriptionId.value | tr -d '"')
+            echo $subId
+            echo "##vso[task.setvariable variable=subscriptionId]$subid"
+            echo "##vso[task.setvariable variable=IsDeployed;isoutput=true]$subid"
 
-  - task: Bash@3
-    displayName: Az CLI Refresh subscription list
-    name: refresh_subscription
-    condition: and(or(ne(variables['gitManagementOUTPUT'], ''), ne(variables['gitLoggingOUTPUT'], ''), ne(variables['gitSpokeOUTPUT'], ''), ne(variables['gitHubOUTPUT'], ''), ne(variables['gitVwanOUTPUT'], ''), ne(variables['gitVwanNwcOUTPUT'], ''), ne(variables['gitVnetPeerOUTPUT'], '')), ne(variables['subscriptionId'], ''))
-    inputs:
-      targetType: 'inline'
-      script: |
-        az account list --refresh        
-        
-  - task: Bash@3    
-    displayName: Az CLI Create Resource Group for PR
-    name: create_rsg
-    condition: and(or(ne(variables['gitManagementOUTPUT'], ''), ne(variables['gitLoggingOUTPUT'], ''), ne(variables['gitSpokeOUTPUT'], ''), ne(variables['gitHubOUTPUT'], ''), ne(variables['gitVwanOUTPUT'], ''), ne(variables['gitVwanNwcOUTPUT'], ''), ne(variables['gitVnetPeerOUTPUT'], '')), ne(variables['subscriptionId'], ''))
-    inputs:
-      targetType: 'inline'
-      script: |
-        az account set --subscription $(subscriptionId)
-        if [ $(az group exists --name $(ResourceGroupName) ) == false ]; then
-            sleep 300
-        fi
-        az group create --name $(ResourceGroupName) --location $(Location)
+      - task: Bash@3
+        displayName: Az CLI Refresh subscription list
+        name: refresh_subscription
+        condition: and(or(ne(variables['gitManagementOUTPUT'], ''), ne(variables['gitLoggingOUTPUT'], ''), ne(variables['gitSpokeOUTPUT'], ''), ne(variables['gitHubOUTPUT'], ''), ne(variables['gitVwanOUTPUT'], ''), ne(variables['gitVwanNwcOUTPUT'], ''), ne(variables['gitVnetPeerOUTPUT'], '')), ne(variables['subscriptionId'], ''))
+        inputs:
+          targetType: "inline"
+          script: |
+            az account list --refresh
 
-  - task: Bash@3     
-    displayName: Az CLI Deploy Management Groups for PR
-    name: create_mgs
-    condition: and(or(ne(variables['gitManagementOUTPUT'], ''), ne(variables['gitLoggingOUTPUT'], ''), ne(variables['gitSpokeOUTPUT'], ''), ne(variables['gitHubOUTPUT'], ''), ne(variables['gitVwanOUTPUT'], ''), ne(variables['gitVwanNwcOUTPUT'], ''), ne(variables['gitVnetPeerOUTPUT'], '')), ne(variables['subscriptionId'], ''))
-    inputs:
-      targetType: 'inline'
-      script: |
-        az deployment tenant create --template-file infra-as-code/bicep/modules/managementGroups/managementGroups.bicep --parameters @infra-as-code/bicep/modules/managementGroups/parameters/managementGroups.parameters.min.json parTopLevelManagementGroupPrefix=$(ManagementGroupPrefix) --location $(Location)
-  
-  - task: Bash@3  
-    displayName: Az CLI Deploy Custom Role Definitions for PR
-    name: create_rbac_roles
-    condition: and(ne(variables['gitManagementOUTPUT'], ''), ne(variables['subscriptionId'], ''))
-    inputs:
-      targetType: 'inline'
-      script: |
-        az deployment mg create --template-file infra-as-code/bicep/modules/customRoleDefinitions/customRoleDefinitions.bicep  --parameters @infra-as-code/bicep/modules/customRoleDefinitions/parameters/customRoleDefinitions.parameters.min.json parAssignableScopeManagementGroupId=$(ManagementGroupPrefix) --location $(Location) --management-group-id $(ManagementGroupPrefix)
-  
-  - task: Bash@3    
-    displayName: Az CLI Deploy Custom Policy Definitions for PR
-    name: create_policy_defs
-    condition: and(ne(variables['gitManagementOUTPUT'], ''), ne(variables['subscriptionId'], ''))
-    inputs:
-      targetType: 'inline'
-      script: |
-        az deployment mg create --template-file infra-as-code/bicep/modules/policy/definitions/customPolicyDefinitions.bicep  --parameters @infra-as-code/bicep/modules/policy/definitions/parameters/customPolicyDefinitions.parameters.min.json parTargetManagementGroupId=$(ManagementGroupPrefix) --location $(Location) --management-group-id $(ManagementGroupPrefix) 
-  
-  - task: Bash@3    
-    displayName: Az CLI Deploy Logging for PR
-    name: create_logging
-    condition: and(ne(variables['gitLoggingOUTPUT'], ''), ne(variables['subscriptionId'], ''))
-    inputs:
-      targetType: 'inline'
-      script: |
-        az deployment group create --resource-group $(ResourceGroupName) --template-file infra-as-code/bicep/modules/logging/logging.bicep --parameters @infra-as-code/bicep/modules/logging/parameters/logging.parameters.min.json
+      - task: Bash@3
+        displayName: Az CLI Create Resource Group for PR
+        name: create_rsg
+        condition: and(or(ne(variables['gitManagementOUTPUT'], ''), ne(variables['gitLoggingOUTPUT'], ''), ne(variables['gitSpokeOUTPUT'], ''), ne(variables['gitHubOUTPUT'], ''), ne(variables['gitVwanOUTPUT'], ''), ne(variables['gitVwanNwcOUTPUT'], ''), ne(variables['gitVnetPeerOUTPUT'], '')), ne(variables['subscriptionId'], ''))
+        inputs:
+          targetType: "inline"
+          script: |
+            az account set --subscription $(subscriptionId)
+            if [ $(az group exists --name $(ResourceGroupName) ) == false ]; then
+                sleep 300
+            fi
+            az group create --name $(ResourceGroupName) --location $(Location)
 
-  - task: Bash@3    
-    displayName: Az CLI Subscription Placement for PR
-    name: move_sub
-    condition: and(or(ne(variables['gitManagementOUTPUT'], ''), ne(variables['gitLoggingOUTPUT'], ''), ne(variables['gitSpokeOUTPUT'], ''), ne(variables['gitHubOUTPUT'], ''), ne(variables['gitVwanOUTPUT'], ''), ne(variables['gitVwanNwcOUTPUT'], ''), ne(variables['gitVnetPeerOUTPUT'], '')), ne(variables['subscriptionId'], ''))
-    inputs:
-      targetType: 'inline'
-      script: |
-        az deployment mg create --template-file infra-as-code/bicep/orchestration/subPlacementAll/subPlacementAll.bicep --parameters @infra-as-code/bicep/orchestration/subPlacementAll/parameters/subPlacementAll.parameters.min.json parTopLevelManagementGroupPrefix="$(ManagementGroupPrefix)" parPlatformConnectivityMgSubs='["$(subscriptionId)"]' --location $(Location) --management-group-id $(ManagementGroupPrefix)
+      - task: Bash@3
+        displayName: Az CLI Register Resource Providers for PR
+        name: register_providers
+        inputs:
+          targetType: "inline"
+          script: |
+            az account set --subscription $(subscriptionId)
+            az provider register -n 'Microsoft.Insights'
 
-  - task: AzurePowerShell@5
-    displayName: Az PwSh alzDefaultPolicyAssignments for PR
-    name: alz_default_policy_assignments
-    condition: and(ne(variables['gitManagementOUTPUT'], ''), ne(variables['subscriptionId'], ''))
-    inputs:
-      azureSubscription: 'azserviceconnection'
-      ScriptType: 'FilePath'
-      ScriptPath: '.github/scripts/Set-AlzDefaultPolicyAssignment.ps1'
-      ScriptArguments: '-ManagementGroupId "$(ManagementGroupPrefix)-platform" -parLocation $(Location) -templateFile ./infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep -parameterFile .\infra-as-code\bicep\modules\policy\assignments\alzDefaults\parameters\alzDefaultPolicyAssignments.parameters.min.json -parTopLevelManagementGroupPrefix $(ManagementGroupPrefix) -parLogAnalyticsWorkSpaceAndAutomationAccountLocation $(Location) -parLogAnalyticsWorkspaceResourceId "/subscriptions/$(subscriptionId)/resourceGroups/$(ResourceGroupName)/providers/Microsoft.OperationalInsights/workspaces/alz-log-analytics" -parDdosProtectionPlanId "/subscriptions/$(subscriptionId)/resourceGroups/$(ResourceGroupName)/providers/Microsoft.Network/ddosProtectionPlans/alz-ddos-plan"'
-      azurePowerShellVersion: 'LatestVersion'
-      pwsh: true
+      - task: Bash@3
+        displayName: Az CLI Deploy Management Groups for PR
+        name: create_mgs
+        condition: and(or(ne(variables['gitManagementOUTPUT'], ''), ne(variables['gitLoggingOUTPUT'], ''), ne(variables['gitSpokeOUTPUT'], ''), ne(variables['gitHubOUTPUT'], ''), ne(variables['gitVwanOUTPUT'], ''), ne(variables['gitVwanNwcOUTPUT'], ''), ne(variables['gitVnetPeerOUTPUT'], '')), ne(variables['subscriptionId'], ''))
+        inputs:
+          targetType: "inline"
+          script: |
+            az deployment tenant create --template-file infra-as-code/bicep/modules/managementGroups/managementGroups.bicep --parameters @infra-as-code/bicep/modules/managementGroups/parameters/managementGroups.parameters.min.json parTopLevelManagementGroupPrefix=$(ManagementGroupPrefix) --location $(Location)
 
-  - task: Bash@3    
-    displayName: Az CLI Deploy Hub Networking for PR
-    name: create_hub_network
-    condition: and(or(ne(variables['gitHubOUTPUT'], ''), ne(variables['gitVnetPeerOUTPUT'], '')), ne(variables['subscriptionId'], ''))
-    inputs:
-      targetType: 'inline'
-      script: |
-        az deployment group create --resource-group $(ResourceGroupName) --template-file infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep --parameters @infra-as-code/bicep/modules/hubNetworking/parameters/hubNetworking.parameters.min.json
+      - task: Bash@3
+        displayName: Az CLI Deploy Custom Role Definitions for PR
+        name: create_rbac_roles
+        condition: and(ne(variables['gitManagementOUTPUT'], ''), ne(variables['subscriptionId'], ''))
+        inputs:
+          targetType: "inline"
+          script: |
+            az deployment mg create --template-file infra-as-code/bicep/modules/customRoleDefinitions/customRoleDefinitions.bicep  --parameters @infra-as-code/bicep/modules/customRoleDefinitions/parameters/customRoleDefinitions.parameters.min.json parAssignableScopeManagementGroupId=$(ManagementGroupPrefix) --location $(Location) --management-group-id $(ManagementGroupPrefix)
 
-  - task: Bash@3    
-    displayName: Az CLI Deploy Spoke Networking for PR
-    name: create_spoke_network
-    condition: and(or(ne(variables['gitSpokeOUTPUT'], ''), ne(variables['gitVwanNwcOUTPUT'], ''), ne(variables['gitVwanOUTPUT'], ''), ne(variables['gitVnetPeerOUTPUT'], '')), ne(variables['subscriptionId'], ''))
-    inputs:
-      targetType: 'inline'
-      script: |
-        az deployment group create --resource-group $(ResourceGroupName) --template-file infra-as-code/bicep/modules/spokeNetworking/spokeNetworking.bicep --parameters @infra-as-code/bicep/modules/spokeNetworking/parameters/spokeNetworking.parameters.min.json
-  
-  - task: Bash@3    
-    displayName: Az CLI Deploy vWan Networking for PR
-    name: create_vwan_network
-    condition: and(or(ne(variables['gitVwanOUTPUT'], ''), ne(variables['gitVwanNwcOUTPUT'], '')), ne(variables['subscriptionId'], ''))
-    inputs:
-      targetType: 'inline'
-      script: |
-        az deployment group create --resource-group $(ResourceGroupName) --template-file infra-as-code/bicep/modules/vwanConnectivity/vwanConnectivity.bicep --parameters @infra-as-code/bicep/modules/vwanConnectivity/parameters/vwanConnectivity.parameters.min.json parVirtualNetworkIdToLink="/subscriptions/$(subscriptionId)/resourceGroups/$(ResourceGroupName)/providers/Microsoft.Network/virtualNetworks/vnet-spoke"
+      - task: Bash@3
+        displayName: Az CLI Deploy Custom Policy Definitions for PR
+        name: create_policy_defs
+        condition: and(ne(variables['gitManagementOUTPUT'], ''), ne(variables['subscriptionId'], ''))
+        inputs:
+          targetType: "inline"
+          script: |
+            az deployment mg create --template-file infra-as-code/bicep/modules/policy/definitions/customPolicyDefinitions.bicep  --parameters @infra-as-code/bicep/modules/policy/definitions/parameters/customPolicyDefinitions.parameters.min.json parTargetManagementGroupId=$(ManagementGroupPrefix) --location $(Location) --management-group-id $(ManagementGroupPrefix)
 
-  - task: Bash@3    
-    displayName: Az CLI Deploy vWan Network connection for PR
-    name: create_vwan_network_connection
-    condition: and(ne(variables['gitVwanNwcOUTPUT'], ''), ne(variables['subscriptionId'], ''))
-    inputs:
-      targetType: 'inline'
-      script: |
-        az deployment sub create --location $(Location) --template-file infra-as-code/bicep/modules/vnetPeeringVwan/vnetPeeringVwan.bicep --parameters @infra-as-code/bicep/modules/vnetPeeringVwan/parameters/vnetPeeringVwan.parameters.min.json parVirtualWanHubResourceId="/subscriptions/$(subscriptionId)/resourceGroups/$(ResourceGroupName)/providers/Microsoft.Network/virtualHubs/alz-vhub-$(Location)" parRemoteVirtualNetworkResourceId="/subscriptions/$(subscriptionId)/resourceGroups/$(ResourceGroupName)/providers/Microsoft.Network/virtualNetworks/vnet-spoke"
+      - task: Bash@3
+        displayName: Az CLI Deploy Logging for PR
+        name: create_logging
+        condition: and(ne(variables['gitLoggingOUTPUT'], ''), ne(variables['subscriptionId'], ''))
+        inputs:
+          targetType: "inline"
+          script: |
+            az deployment group create --resource-group $(ResourceGroupName) --template-file infra-as-code/bicep/modules/logging/logging.bicep --parameters @infra-as-code/bicep/modules/logging/parameters/logging.parameters.min.json
 
-  - task: Bash@3    
-    displayName: Az CLI Deploy vNet Peer for PR spoke to hub
-    name: create_vnet_peer_spoke_2_hub
-    condition: and(ne(variables['gitVnetPeerOUTPUT'], ''), ne(variables['subscriptionId'], ''))
-    inputs:
-      targetType: 'inline'
-      script: |
-        az deployment group create --resource-group $(ResourceGroupName) --template-file infra-as-code/bicep/modules/vnetPeering/vnetPeering.bicep --parameters @infra-as-code/bicep/modules/vnetPeering/parameters/vnetPeering.parameters.min.json parDestinationVirtualNetworkId="/subscriptions/$(subscriptionId)/resourceGroups/$(ResourceGroupName)/providers/Microsoft.Network/virtualNetworks/alz-hub-$(Location)"
+      - task: Bash@3
+        displayName: Az CLI Deploy mgDiagSettingsAll for PR
+        name: create_mgDiagSettingsAll
+        condition: and(ne(variables['gitLoggingOUTPUT'], ''), ne(variables['subscriptionId'], ''))
+        inputs:
+          targetType: "inline"
+          script: |
+            az deployment tenant create --template-file infra-as-code/bicep/orchestration/mgDiagSettingsAll/mgDiagSettingsAll.bicep --parameters @infra-as-code/bicep/orchestration/mgDiagSettingsAll/parameters/mgDiagSettingsAll.parameters.min.json parTopLevelManagementGroupPrefix="$(ManagementGroupPrefix)" parLogAnalyticsWorkspaceResourceId="/subscriptions/$(subscriptionId)/resourceGroups/$(ResourceGroupName)/providers/Microsoft.OperationalInsights/workspaces/alz-log-analytics" --location $(Location)
 
-  - task: Bash@3    
-    displayName: Az CLI Deploy vNet Peer for PR hub to spoke
-    name: create_vnet_peer_hub_2_spoke
-    condition: and(ne(variables['gitVnetPeerOUTPUT'], ''), ne(variables['subscriptionId'], ''))
-    inputs:
-      targetType: 'inline'
-      script: |
-        az deployment group create --resource-group $(ResourceGroupName) --template-file infra-as-code/bicep/modules/vnetPeering/vnetPeering.bicep --parameters @infra-as-code/bicep/modules/vnetPeering/parameters/vnetPeering.parameters.min.json parDestinationVirtualNetworkId="/subscriptions/$(subscriptionId)/resourceGroups/$(ResourceGroupName)/providers/Microsoft.Network/virtualNetworks/vnet-spoke" parSourceVirtualNetworkName="alz-hub-$(Location)" parDestinationVirtualNetworkName="vnet-spoke"
+      - task: Bash@3
+        displayName: Az CLI Subscription Placement for PR
+        name: move_sub
+        condition: and(or(ne(variables['gitManagementOUTPUT'], ''), ne(variables['gitLoggingOUTPUT'], ''), ne(variables['gitSpokeOUTPUT'], ''), ne(variables['gitHubOUTPUT'], ''), ne(variables['gitVwanOUTPUT'], ''), ne(variables['gitVwanNwcOUTPUT'], ''), ne(variables['gitVnetPeerOUTPUT'], '')), ne(variables['subscriptionId'], ''))
+        inputs:
+          targetType: "inline"
+          script: |
+            az deployment mg create --template-file infra-as-code/bicep/orchestration/subPlacementAll/subPlacementAll.bicep --parameters @infra-as-code/bicep/orchestration/subPlacementAll/parameters/subPlacementAll.parameters.min.json parTopLevelManagementGroupPrefix="$(ManagementGroupPrefix)" parPlatformConnectivityMgSubs='["$(subscriptionId)"]' --location $(Location) --management-group-id $(ManagementGroupPrefix)
 
-  # Verify that WhatIf does not find differences between code and environment thats just been deployed
-  - task: Bash@3     
-    displayName: Az CLI After Deployment What-If Management Groups for PR
-    name: whatif_mgs
-    condition: and(or(ne(variables['gitManagementOUTPUT'], ''), ne(variables['gitLoggingOUTPUT'], ''), ne(variables['gitSpokeOUTPUT'], ''), ne(variables['gitHubOUTPUT'], ''), ne(variables['gitVwanOUTPUT'], ''), ne(variables['gitVwanNwcOUTPUT'], ''), ne(variables['gitVnetPeerOUTPUT'], '')), ne(variables['subscriptionId'], ''))
-    inputs:
-      targetType: 'inline'
-      script: |
-        result=$(az deployment tenant what-if --template-file infra-as-code/bicep/modules/managementGroups/managementGroups.bicep --parameters @infra-as-code/bicep/modules/managementGroups/parameters/managementGroups.parameters.min.json parTopLevelManagementGroupPrefix=$(ManagementGroupPrefix) --location $(Location) --exclude-change-types Ignore NoChange --only-show-errors)
-        if [[ $result != *'Resource changes: no change.'* ]]
-        then
-          echo "##vso[task.logissue type=error]WhatIf reports difference between code and environment thats just been deployed"
-          echo "$result"
-          exit 1
-        fi
+      - task: AzurePowerShell@5
+        displayName: Az PwSh alzDefaultPolicyAssignments for PR
+        name: alz_default_policy_assignments
+        condition: and(ne(variables['gitManagementOUTPUT'], ''), ne(variables['subscriptionId'], ''))
+        inputs:
+          azureSubscription: "azserviceconnection"
+          ScriptType: "FilePath"
+          ScriptPath: ".github/scripts/Set-AlzDefaultPolicyAssignment.ps1"
+          ScriptArguments: '-ManagementGroupId "$(ManagementGroupPrefix)-platform" -parLocation $(Location) -templateFile ./infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep -parameterFile .\infra-as-code\bicep\modules\policy\assignments\alzDefaults\parameters\alzDefaultPolicyAssignments.parameters.min.json -parTopLevelManagementGroupPrefix $(ManagementGroupPrefix) -parLogAnalyticsWorkSpaceAndAutomationAccountLocation $(Location) -parLogAnalyticsWorkspaceResourceId "/subscriptions/$(subscriptionId)/resourceGroups/$(ResourceGroupName)/providers/Microsoft.OperationalInsights/workspaces/alz-log-analytics" -parDdosProtectionPlanId "/subscriptions/$(subscriptionId)/resourceGroups/$(ResourceGroupName)/providers/Microsoft.Network/ddosProtectionPlans/alz-ddos-plan"'
+          azurePowerShellVersion: "LatestVersion"
+          pwsh: true
 
-- job: bicep_cleanup
-  dependsOn: bicep_deploy
-  variables:
-    isDeployed: $[ dependencies.bicep_deploy.outputs['create_subscription.IsDeployed'] ]  
-  displayName: Cleanup Bicep Deployment for PR
-  pool: 
-    vmImage: ubuntu-latest
-  steps:
-  - task: AzurePowerShell@5
-    displayName: Az CLI Remove/Cleanup Deployment
-    condition: ne(variables['isDeployed'], '')
-    inputs:
-      azureSubscription: 'azserviceconnection'
-      ScriptType: 'FilePath'
-      ScriptPath: '.github/scripts/Wipe-AlzTenant.ps1'
-      ScriptArguments: '-tenantRootGroupID $(azclitenant) -intermediateRootGroupID "$(ManagementGroupPrefix)" -subscriptionName "$(SubscriptionName)"'
-      azurePowerShellVersion: 'LatestVersion'
-      pwsh: true
+      - task: Bash@3
+        displayName: Az CLI Deploy Hub Networking for PR
+        name: create_hub_network
+        condition: and(or(ne(variables['gitHubOUTPUT'], ''), ne(variables['gitVnetPeerOUTPUT'], '')), ne(variables['subscriptionId'], ''))
+        inputs:
+          targetType: "inline"
+          script: |
+            az deployment group create --resource-group $(ResourceGroupName) --template-file infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep --parameters @infra-as-code/bicep/modules/hubNetworking/parameters/hubNetworking.parameters.min.json
 
+      - task: Bash@3
+        displayName: Az CLI Deploy Spoke Networking for PR
+        name: create_spoke_network
+        condition: and(or(ne(variables['gitSpokeOUTPUT'], ''), ne(variables['gitVwanNwcOUTPUT'], ''), ne(variables['gitVwanOUTPUT'], ''), ne(variables['gitVnetPeerOUTPUT'], '')), ne(variables['subscriptionId'], ''))
+        inputs:
+          targetType: "inline"
+          script: |
+            az deployment group create --resource-group $(ResourceGroupName) --template-file infra-as-code/bicep/modules/spokeNetworking/spokeNetworking.bicep --parameters @infra-as-code/bicep/modules/spokeNetworking/parameters/spokeNetworking.parameters.min.json
+
+      - task: Bash@3
+        displayName: Az CLI Deploy vWan Networking for PR
+        name: create_vwan_network
+        condition: and(or(ne(variables['gitVwanOUTPUT'], ''), ne(variables['gitVwanNwcOUTPUT'], '')), ne(variables['subscriptionId'], ''))
+        inputs:
+          targetType: "inline"
+          script: |
+            az deployment group create --resource-group $(ResourceGroupName) --template-file infra-as-code/bicep/modules/vwanConnectivity/vwanConnectivity.bicep --parameters @infra-as-code/bicep/modules/vwanConnectivity/parameters/vwanConnectivity.parameters.min.json parVirtualNetworkIdToLink="/subscriptions/$(subscriptionId)/resourceGroups/$(ResourceGroupName)/providers/Microsoft.Network/virtualNetworks/vnet-spoke"
+
+      - task: Bash@3
+        displayName: Az CLI Deploy vWan Network connection for PR
+        name: create_vwan_network_connection
+        condition: and(ne(variables['gitVwanNwcOUTPUT'], ''), ne(variables['subscriptionId'], ''))
+        inputs:
+          targetType: "inline"
+          script: |
+            az deployment sub create --location $(Location) --template-file infra-as-code/bicep/modules/vnetPeeringVwan/vnetPeeringVwan.bicep --parameters @infra-as-code/bicep/modules/vnetPeeringVwan/parameters/vnetPeeringVwan.parameters.min.json parVirtualWanHubResourceId="/subscriptions/$(subscriptionId)/resourceGroups/$(ResourceGroupName)/providers/Microsoft.Network/virtualHubs/alz-vhub-$(Location)" parRemoteVirtualNetworkResourceId="/subscriptions/$(subscriptionId)/resourceGroups/$(ResourceGroupName)/providers/Microsoft.Network/virtualNetworks/vnet-spoke"
+
+      - task: Bash@3
+        displayName: Az CLI Deploy vNet Peer for PR spoke to hub
+        name: create_vnet_peer_spoke_2_hub
+        condition: and(ne(variables['gitVnetPeerOUTPUT'], ''), ne(variables['subscriptionId'], ''))
+        inputs:
+          targetType: "inline"
+          script: |
+            az deployment group create --resource-group $(ResourceGroupName) --template-file infra-as-code/bicep/modules/vnetPeering/vnetPeering.bicep --parameters @infra-as-code/bicep/modules/vnetPeering/parameters/vnetPeering.parameters.min.json parDestinationVirtualNetworkId="/subscriptions/$(subscriptionId)/resourceGroups/$(ResourceGroupName)/providers/Microsoft.Network/virtualNetworks/alz-hub-$(Location)"
+
+      - task: Bash@3
+        displayName: Az CLI Deploy vNet Peer for PR hub to spoke
+        name: create_vnet_peer_hub_2_spoke
+        condition: and(ne(variables['gitVnetPeerOUTPUT'], ''), ne(variables['subscriptionId'], ''))
+        inputs:
+          targetType: "inline"
+          script: |
+            az deployment group create --resource-group $(ResourceGroupName) --template-file infra-as-code/bicep/modules/vnetPeering/vnetPeering.bicep --parameters @infra-as-code/bicep/modules/vnetPeering/parameters/vnetPeering.parameters.min.json parDestinationVirtualNetworkId="/subscriptions/$(subscriptionId)/resourceGroups/$(ResourceGroupName)/providers/Microsoft.Network/virtualNetworks/vnet-spoke" parSourceVirtualNetworkName="alz-hub-$(Location)" parDestinationVirtualNetworkName="vnet-spoke"
+
+      # Verify that WhatIf does not find differences between code and environment thats just been deployed
+      - task: Bash@3
+        displayName: Az CLI After Deployment What-If Management Groups for PR
+        name: whatif_mgs
+        condition: and(or(ne(variables['gitManagementOUTPUT'], ''), ne(variables['gitLoggingOUTPUT'], ''), ne(variables['gitSpokeOUTPUT'], ''), ne(variables['gitHubOUTPUT'], ''), ne(variables['gitVwanOUTPUT'], ''), ne(variables['gitVwanNwcOUTPUT'], ''), ne(variables['gitVnetPeerOUTPUT'], '')), ne(variables['subscriptionId'], ''))
+        inputs:
+          targetType: "inline"
+          script: |
+            result=$(az deployment tenant what-if --template-file infra-as-code/bicep/modules/managementGroups/managementGroups.bicep --parameters @infra-as-code/bicep/modules/managementGroups/parameters/managementGroups.parameters.min.json parTopLevelManagementGroupPrefix=$(ManagementGroupPrefix) --location $(Location) --exclude-change-types Ignore NoChange --only-show-errors)
+            if [[ $result != *'Resource changes: no change.'* ]]
+            then
+              echo "##vso[task.logissue type=error]WhatIf reports difference between code and environment thats just been deployed"
+              echo "$result"
+              exit 1
+            fi
+
+  - job: bicep_cleanup
+    dependsOn: bicep_deploy
+    variables:
+      isDeployed: $[ dependencies.bicep_deploy.outputs['create_subscription.IsDeployed'] ]
+    displayName: Cleanup Bicep Deployment for PR
+    pool:
+      vmImage: ubuntu-latest
+    steps:
+      - task: AzurePowerShell@5
+        displayName: Az CLI Remove/Cleanup Deployment
+        condition: ne(variables['isDeployed'], '')
+        inputs:
+          azureSubscription: "azserviceconnection"
+          ScriptType: "FilePath"
+          ScriptPath: ".github/scripts/Wipe-AlzTenant.ps1"
+          ScriptArguments: '-tenantRootGroupID $(azclitenant) -intermediateRootGroupID "$(ManagementGroupPrefix)" -subscriptionName "$(SubscriptionName)"'
+          azurePowerShellVersion: "LatestVersion"
+          pwsh: true

tests/pipelines/mc-base-unit-validate.yml

@@ -10,199 +10,215 @@ variables:
     value: "PR-$(System.PullRequest.PullRequestNumber)"
   - name: TopLevelManagementGroupDisplayName
     value: "PR $(System.PullRequest.PullRequestNumber) Azure Landing Zones"
- 
+
 jobs:
-- job: bicep_validate
-  displayName: Validate Bicep Files for PR
-  pool: 
-    vmImage: ubuntu-latest
-  steps:
-  - task: Bash@3
-    displayName: Login to Azure
-    name: git_azlogin
-    inputs:
-      targetType: 'inline'
-      script: |
-        az cloud set --name AzureChinaCloud
-        az login --service-principal --username $(azclilogin) --password $(azclipwd) --tenant $(azclitenant)
+  - job: bicep_validate
+    displayName: Validate Bicep Files for PR
+    pool:
+      vmImage: ubuntu-latest
+    steps:
+      - task: Bash@3
+        displayName: Login to Azure
+        name: git_azlogin
+        inputs:
+          targetType: "inline"
+          script: |
+            az cloud set --name AzureChinaCloud
+            az login --service-principal --username $(azclilogin) --password $(azclipwd) --tenant $(azclitenant)
 
-  - task: Bash@3    
-    displayName: Az CLI Create Resource Group for PR
-    name: create_rsg
-    inputs:
-      targetType: 'inline'
-      script: |
-        az account set --subscription $(subscriptionId)
-        #if [ $(az group exists --name $(ResourceGroupName) ) == false ]; then
-        #    sleep 300
-        #fi
-        az deployment sub create --name "deploy-$(ResourceGroupName)" --template-file infra-as-code/bicep/modules/resourceGroup/resourceGroup.bicep --location $(Location) --parameters parLocation=$(Location) parResourceGroupName=$(ResourceGroupName)
-        
-  - task: Bash@3     
-    displayName: Az CLI Deploy Management Groups for PR
-    name: create_mgs
-    inputs:
-      targetType: 'inline'
-      script: |
-        az deployment tenant create --template-file infra-as-code/bicep/modules/managementGroups/managementGroups.bicep --parameters @infra-as-code/bicep/modules/managementGroups/parameters/managementGroups.parameters.all.json parTopLevelManagementGroupPrefix=$(ManagementGroupPrefix) --location $(Location) --name $(ManagementGroupPrefix)
-  
-  - task: Bash@3  
-    displayName: Az CLI Validate Custom Role Definitions for PR
-    name: validate_rbac_roles
-    inputs:
-      targetType: 'inline'
-      script: |
-        az deployment mg validate --template-file infra-as-code/bicep/modules/customRoleDefinitions/customRoleDefinitions.bicep --parameters @infra-as-code/bicep/modules/customRoleDefinitions/parameters/customRoleDefinitions.parameters.all.json parAssignableScopeManagementGroupId=$(ManagementGroupPrefix) --location $(Location) --management-group-id $(ManagementGroupPrefix) --name $(ManagementGroupPrefix)
-  
-  - task: Bash@3    
-    displayName: Az CLI Validate Custom Policy Definitions for PR
-    name: validate_policy_defs
-    inputs:
-      targetType: 'inline'
-      script: |
-        az deployment mg validate --template-file infra-as-code/bicep/modules/policy/definitions/mc-customPolicyDefinitions.bicep --parameters @infra-as-code/bicep/modules/policy/definitions/parameters/customPolicyDefinitions.parameters.all.json parTargetManagementGroupId=$(ManagementGroupPrefix) --location $(Location) --management-group-id $(ManagementGroupPrefix) --name $(ManagementGroupPrefix)
-  
-  - task: Bash@3    
-    displayName: Az CLI Validate Logging for PR
-    name: validate_logging
-    inputs:
-      targetType: 'inline'
-      script: |
-        az deployment group validate --resource-group $(ResourceGroupName) --template-file infra-as-code/bicep/modules/logging/logging.bicep --parameters @infra-as-code/bicep/modules/logging/parameters/mc-logging.parameters.all.json --name $(ManagementGroupPrefix)
+      - task: Bash@3
+        displayName: Az CLI Create Resource Group for PR
+        name: create_rsg
+        inputs:
+          targetType: "inline"
+          script: |
+            az account set --subscription $(subscriptionId)
+            #if [ $(az group exists --name $(ResourceGroupName) ) == false ]; then
+            #    sleep 300
+            #fi
+            az deployment sub create --name "deploy-$(ResourceGroupName)" --template-file infra-as-code/bicep/modules/resourceGroup/resourceGroup.bicep --location $(Location) --parameters parLocation=$(Location) parResourceGroupName=$(ResourceGroupName)
 
-  - task: Bash@3    
-    displayName: Az CLI Validate Subscription Placement for PR
-    name: move_sub
-    inputs:
-      targetType: 'inline'
-      script: |
-        az deployment mg validate --template-file infra-as-code/bicep/modules/subscriptionPlacement/subscriptionPlacement.bicep --parameters @infra-as-code/bicep/modules/subscriptionPlacement/parameters/subscriptionPlacement.parameters.all.json parTargetManagementGroupId=$(ManagementGroupPrefix)-platform-connectivity parSubscriptionIds='["$(subscriptionId)"]' --location $(Location) --management-group-id $(ManagementGroupPrefix) --name $(ManagementGroupPrefix)
+      - task: Bash@3
+        displayName: Az CLI Register Resource Providers for PR
+        name: register_providers
+        inputs:
+          targetType: "inline"
+          script: |
+            az account set --subscription $(subscriptionId)
+            az provider register -n 'Microsoft.Insights'
 
-  - task: Bash@3    
-    displayName: Az CLI Validate Alz Default policy assignments
-    name: validate_alz_default_policy_assign
-    inputs:
-      targetType: 'inline'
-      script: |
-        az deployment mg validate --template-file infra-as-code/bicep/modules/policy/assignments/alzDefaults/mc-alzDefaultPolicyAssignments.bicep --parameters @infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.all.json parTopLevelManagementGroupPrefix=$(ManagementGroupPrefix) --location $(Location) --management-group-id $(ManagementGroupPrefix) --name $(ManagementGroupPrefix)
+      - task: Bash@3
+        displayName: Az CLI Deploy Management Groups for PR
+        name: create_mgs
+        inputs:
+          targetType: "inline"
+          script: |
+            az deployment tenant create --template-file infra-as-code/bicep/modules/managementGroups/managementGroups.bicep --parameters @infra-as-code/bicep/modules/managementGroups/parameters/managementGroups.parameters.all.json parTopLevelManagementGroupPrefix=$(ManagementGroupPrefix) --location $(Location) --name $(ManagementGroupPrefix)
 
-  - task: Bash@3    
-    displayName: Az CLI Validate Hub Networking for PR
-    name: validate_hub_network
-    inputs:
-      targetType: 'inline'
-      script: |
-        az deployment group validate --resource-group $(ResourceGroupName) --template-file infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep --parameters @infra-as-code/bicep/modules/hubNetworking/parameters/mc-hubNetworking.parameters.all.json --name $(ManagementGroupPrefix)
+      - task: Bash@3
+        displayName: Az CLI Validate Custom Role Definitions for PR
+        name: validate_rbac_roles
+        inputs:
+          targetType: "inline"
+          script: |
+            az deployment mg validate --template-file infra-as-code/bicep/modules/customRoleDefinitions/customRoleDefinitions.bicep --parameters @infra-as-code/bicep/modules/customRoleDefinitions/parameters/customRoleDefinitions.parameters.all.json parAssignableScopeManagementGroupId=$(ManagementGroupPrefix) --location $(Location) --management-group-id $(ManagementGroupPrefix) --name $(ManagementGroupPrefix)
 
-  - task: Bash@3    
-    displayName: Az CLI Validate vWan Networking for PR
-    name: validate_vwan_network
-    inputs:
-      targetType: 'inline'
-      script: |
-        az deployment group validate --resource-group $(ResourceGroupName) --template-file infra-as-code/bicep/modules/vwanConnectivity/vwanConnectivity.bicep --parameters @infra-as-code/bicep/modules/vwanConnectivity/parameters/mc-vwanConnectivity.parameters.all.json --name $(ManagementGroupPrefix)
+      - task: Bash@3
+        displayName: Az CLI Validate Custom Policy Definitions for PR
+        name: validate_policy_defs
+        inputs:
+          targetType: "inline"
+          script: |
+            az deployment mg validate --template-file infra-as-code/bicep/modules/policy/definitions/mc-customPolicyDefinitions.bicep --parameters @infra-as-code/bicep/modules/policy/definitions/parameters/customPolicyDefinitions.parameters.all.json parTargetManagementGroupId=$(ManagementGroupPrefix) --location $(Location) --management-group-id $(ManagementGroupPrefix) --name $(ManagementGroupPrefix)
 
-  - task: Bash@3              
-    displayName: Az CLI Validate Spoke Networking for PR
-    name: validate_spoke_network
-    inputs:
-      targetType: 'inline'
-      script: |
-        az deployment group validate --resource-group $(ResourceGroupName) --template-file infra-as-code/bicep/modules/spokeNetworking/spokeNetworking.bicep --name $(ManagementGroupPrefix)
+      - task: Bash@3
+        displayName: Az CLI Create Logging for PR
+        name: create_logging
+        inputs:
+          targetType: "inline"
+          script: |
+            az deployment group create --resource-group $(ResourceGroupName) --template-file infra-as-code/bicep/modules/logging/logging.bicep --parameters @infra-as-code/bicep/modules/logging/parameters/mc-logging.parameters.all.json --name $(ManagementGroupPrefix)
 
-  - task: Bash@3    
-    displayName: Az CLI Validate vWan Network connection for PR
-    name: validate_vwan_network_connection
-    inputs:
-      targetType: 'inline'
-      script: |
-        az deployment sub validate --location $(Location) --template-file infra-as-code/bicep/modules/vnetPeeringVwan/vnetPeeringVwan.bicep --parameters @infra-as-code/bicep/modules/vnetPeeringVwan/parameters/vnetPeeringVwan.parameters.all.json parVirtualWanHubResourceId="/subscriptions/$(subscriptionId)/resourceGroups/$(ResourceGroupName)/providers/Microsoft.Network/virtualHubs/alz-vhub-$(Location)"  parRemoteVirtualNetworkResourceId="/subscriptions/$(subscriptionId)/resourceGroups/$(ResourceGroupName)/providers/Microsoft.Network/virtualNetworks/vnet-spoke" --name $(ManagementGroupPrefix)
+      - task: Bash@3
+        displayName: Az CLI Validate mgDiagSettingsAll for PR
+        name: create_mgDiagSettingsAll
+        inputs:
+          targetType: "inline"
+          script: |
+            az deployment tenant validate --template-file infra-as-code/bicep/orchestration/mgDiagSettingsAll/mgDiagSettingsAll.bicep --parameters @infra-as-code/bicep/orchestration/mgDiagSettingsAll/parameters/mgDiagSettingsAll.parameters.min.json parTopLevelManagementGroupPrefix="$(ManagementGroupPrefix)" parLogAnalyticsWorkspaceResourceId="/subscriptions/$(subscriptionId)/resourceGroups/$(ResourceGroupName)/providers/Microsoft.OperationalInsights/workspaces/alz-log-analytics" --location $(Location)
 
-  - task: Bash@3    
-    displayName: Az CLI Validate vNet Peer for PR
-    name: validate_vnet_peer_spoke_2_hub
-    inputs:
-      targetType: 'inline'
-      script: |
-        az deployment group validate --resource-group $(ResourceGroupName) --template-file infra-as-code/bicep/modules/vnetPeering/vnetPeering.bicep --parameters parDestinationVirtualNetworkId="/subscriptions/$(subscriptionId)/resourceGroups/$(ResourceGroupName)/providers/Microsoft.Network/virtualNetworks/alz-hub-eastus"  parSourceVirtualNetworkName="vnet-spoke" parDestinationVirtualNetworkName="alz-hub-eastus" --name $(ManagementGroupPrefix)
+      - task: Bash@3
+        displayName: Az CLI Validate Subscription Placement for PR
+        name: move_sub
+        inputs:
+          targetType: "inline"
+          script: |
+            az deployment mg validate --template-file infra-as-code/bicep/modules/subscriptionPlacement/subscriptionPlacement.bicep --parameters @infra-as-code/bicep/modules/subscriptionPlacement/parameters/subscriptionPlacement.parameters.all.json parTargetManagementGroupId=$(ManagementGroupPrefix)-platform-connectivity parSubscriptionIds='["$(subscriptionId)"]' --location $(Location) --management-group-id $(ManagementGroupPrefix) --name $(ManagementGroupPrefix)
 
-  - task: Bash@3    
-    displayName: Az CLI Validate Private DNS Zones
-    name: validate_private_dns
-    inputs:
-      targetType: 'inline'
-      script: |
-        az deployment group validate --resource-group $(ResourceGroupName) --template-file infra-as-code/bicep/modules/privateDnsZones/privateDnsZones.bicep --parameters @infra-as-code/bicep/modules/privateDnsZones/parameters/mc-privateDnsZones.parameters.all.json --name $(ManagementGroupPrefix)
+      - task: Bash@3
+        displayName: Az CLI Validate Alz Default policy assignments
+        name: validate_alz_default_policy_assign
+        inputs:
+          targetType: "inline"
+          script: |
+            az deployment mg validate --template-file infra-as-code/bicep/modules/policy/assignments/alzDefaults/mc-alzDefaultPolicyAssignments.bicep --parameters @infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.all.json parTopLevelManagementGroupPrefix=$(ManagementGroupPrefix) --location $(Location) --management-group-id $(ManagementGroupPrefix) --name $(ManagementGroupPrefix)
 
-  - task: Bash@3    
-    displayName: Az CLI Validate Public IP
-    name: validate_public_ip
-    inputs:
-      targetType: 'inline'
-      script: |
-        az deployment group validate --resource-group $(ResourceGroupName) --template-file infra-as-code/bicep/modules/publicIp/publicIp.bicep --parameters @infra-as-code/bicep/modules/publicIp/parameters/publicIp.parameters.min.json --name $(ManagementGroupPrefix)
+      - task: Bash@3
+        displayName: Az CLI Validate Hub Networking for PR
+        name: validate_hub_network
+        inputs:
+          targetType: "inline"
+          script: |
+            az deployment group validate --resource-group $(ResourceGroupName) --template-file infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep --parameters @infra-as-code/bicep/modules/hubNetworking/parameters/mc-hubNetworking.parameters.all.json --name $(ManagementGroupPrefix)
 
-  - task: Bash@3    
-    displayName: Az CLI Validate Role Assignment to single Management Group
-    name: validate_role_assign_single_mg
-    inputs:
-      targetType: 'inline'
-      script: |
-        az deployment mg validate --template-file infra-as-code/bicep/modules/roleAssignments/roleAssignmentManagementGroup.bicep --parameters @infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroup.managedIdentity.parameters.all.json --location $(Location) --management-group-id $(ManagementGroupPrefix) --name $(ManagementGroupPrefix)
+      - task: Bash@3
+        displayName: Az CLI Validate vWan Networking for PR
+        name: validate_vwan_network
+        inputs:
+          targetType: "inline"
+          script: |
+            az deployment group validate --resource-group $(ResourceGroupName) --template-file infra-as-code/bicep/modules/vwanConnectivity/vwanConnectivity.bicep --parameters @infra-as-code/bicep/modules/vwanConnectivity/parameters/mc-vwanConnectivity.parameters.all.json --name $(ManagementGroupPrefix)
 
-  - task: Bash@3    
-    displayName: Az CLI Validate Role Assignment to multiple Management Groups
-    name: validate_role_assign_multiple_mg
-    inputs:
-      targetType: 'inline'
-      script: |
-        az deployment mg validate --template-file infra-as-code/bicep/modules/roleAssignments/roleAssignmentManagementGroupMany.bicep --parameters @infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroupMany.managedIdentity.parameters.all.json parManagementGroupIds='("$(ManagementGroupPrefix)-landingzones", "$(ManagementGroupPrefix)-platform")' --location $(Location) --management-group-id $(ManagementGroupPrefix) --name $(ManagementGroupPrefix)
+      - task: Bash@3
+        displayName: Az CLI Validate Spoke Networking for PR
+        name: validate_spoke_network
+        inputs:
+          targetType: "inline"
+          script: |
+            az deployment group validate --resource-group $(ResourceGroupName) --template-file infra-as-code/bicep/modules/spokeNetworking/spokeNetworking.bicep --name $(ManagementGroupPrefix)
 
-  - task: Bash@3    
-    displayName: Az CLI Validate Role Assignment to single subscription
-    name: validate_role_assign_single_subscription
-    inputs:
-      targetType: 'inline'
-      script: |
-        az deployment sub validate --template-file infra-as-code/bicep/modules/roleAssignments/roleAssignmentSubscription.bicep --parameters @infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscription.managedIdentity.parameters.all.json --location $(Location) --name $(ManagementGroupPrefix)
+      - task: Bash@3
+        displayName: Az CLI Validate vWan Network connection for PR
+        name: validate_vwan_network_connection
+        inputs:
+          targetType: "inline"
+          script: |
+            az deployment sub validate --location $(Location) --template-file infra-as-code/bicep/modules/vnetPeeringVwan/vnetPeeringVwan.bicep --parameters @infra-as-code/bicep/modules/vnetPeeringVwan/parameters/vnetPeeringVwan.parameters.all.json parVirtualWanHubResourceId="/subscriptions/$(subscriptionId)/resourceGroups/$(ResourceGroupName)/providers/Microsoft.Network/virtualHubs/alz-vhub-$(Location)"  parRemoteVirtualNetworkResourceId="/subscriptions/$(subscriptionId)/resourceGroups/$(ResourceGroupName)/providers/Microsoft.Network/virtualNetworks/vnet-spoke" --name $(ManagementGroupPrefix)
 
-  - task: Bash@3    
-    displayName: Az CLI Validate Role Assignment to multiple subscriptions
-    name: validate_role_assign_multiple_subscription
-    inputs:
-      targetType: 'inline'
-      script: |
-        az deployment mg validate --template-file infra-as-code/bicep/modules/roleAssignments/roleAssignmentSubscriptionMany.bicep --parameters @infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscriptionMany.managedIdentity.parameters.all.json parSubscriptionIds='("$(subscriptionId)","$(azvalidatesubscription)")' --location $(Location) --management-group-id $(ManagementGroupPrefix) --name $(ManagementGroupPrefix)
+      - task: Bash@3
+        displayName: Az CLI Validate vNet Peer for PR
+        name: validate_vnet_peer_spoke_2_hub
+        inputs:
+          targetType: "inline"
+          script: |
+            az deployment group validate --resource-group $(ResourceGroupName) --template-file infra-as-code/bicep/modules/vnetPeering/vnetPeering.bicep --parameters parDestinationVirtualNetworkId="/subscriptions/$(subscriptionId)/resourceGroups/$(ResourceGroupName)/providers/Microsoft.Network/virtualNetworks/alz-hub-eastus"  parSourceVirtualNetworkName="vnet-spoke" parDestinationVirtualNetworkName="alz-hub-eastus" --name $(ManagementGroupPrefix)
 
-  - task: Bash@3    
-    displayName: Az CLI Validate hub peered spoke orchestration module
-    name: validate_hub_peer_spoke
-    inputs:
-      targetType: 'inline'
-      script: |
-        az deployment mg validate --template-file infra-as-code/bicep/orchestration/hubPeeredSpoke/hubPeeredSpoke.bicep --parameters @infra-as-code/bicep/orchestration/hubPeeredSpoke/parameters/hubPeeredSpoke.parameters.all.json parPeeredVnetSubscriptionId="$(subscriptionId)" parHubVirtualNetworkId="/subscriptions/$(subscriptionId)/resourceGroups/$(ResourceGroupName)/providers/Microsoft.Network/virtualNetworks/alz-hub-eastus" parTopLevelManagementGroupPrefix="$(ManagementGroupPrefix)" parLocation=$(Location) --location $(Location) --management-group-id $(ManagementGroupPrefix) --name $(ManagementGroupPrefix)
+      - task: Bash@3
+        displayName: Az CLI Validate Private DNS Zones
+        name: validate_private_dns
+        inputs:
+          targetType: "inline"
+          script: |
+            az deployment group validate --resource-group $(ResourceGroupName) --template-file infra-as-code/bicep/modules/privateDnsZones/privateDnsZones.bicep --parameters @infra-as-code/bicep/modules/privateDnsZones/parameters/mc-privateDnsZones.parameters.all.json --name $(ManagementGroupPrefix)
 
-  - task: Bash@3    
-    displayName: Az CLI Validate subPlacementAll orchestration module
-    name: validate_sub_placement_all
-    inputs:
-      targetType: 'inline'
-      script: |
-        az deployment mg validate --template-file infra-as-code/bicep/orchestration/subPlacementAll/subPlacementAll.bicep --parameters @infra-as-code/bicep/orchestration/subPlacementAll/parameters/subPlacementAll.parameters.all.json parTopLevelManagementGroupPrefix="$(ManagementGroupPrefix)" parPlatformConnectivityMgSubs='["$(subscriptionId)"]' --location $(Location) --management-group-id $(ManagementGroupPrefix) --name "$(ManagementGroupPrefix)-subPlacement"
+      - task: Bash@3
+        displayName: Az CLI Validate Public IP
+        name: validate_public_ip
+        inputs:
+          targetType: "inline"
+          script: |
+            az deployment group validate --resource-group $(ResourceGroupName) --template-file infra-as-code/bicep/modules/publicIp/publicIp.bicep --parameters @infra-as-code/bicep/modules/publicIp/parameters/publicIp.parameters.min.json --name $(ManagementGroupPrefix)
 
-- job: bicep_cleanup
-  dependsOn: bicep_validate
-  displayName: Cleanup Bicep Validate Deployment for PR
-  pool: 
-    vmImage: ubuntu-latest
-  steps:
-  - task: AzurePowerShell@5
-    displayName: Az PowerShell Remove/Cleanup Deployment
-    inputs:
-      azureSubscription: 'mcserviceconnection'
-      ScriptType: 'FilePath'
-      ScriptPath: '.github/scripts/mc-Wipe-AlzTenant.ps1'
-      ScriptArguments: '-tenantRootGroupID $(azclitenant) -intermediateRootGroupID "$(ManagementGroupPrefix)" -subscriptionName "$(subscriptionName)"'
-      azurePowerShellVersion: 'LatestVersion'
-      pwsh: true
+      - task: Bash@3
+        displayName: Az CLI Validate Role Assignment to single Management Group
+        name: validate_role_assign_single_mg
+        inputs:
+          targetType: "inline"
+          script: |
+            az deployment mg validate --template-file infra-as-code/bicep/modules/roleAssignments/roleAssignmentManagementGroup.bicep --parameters @infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroup.managedIdentity.parameters.all.json --location $(Location) --management-group-id $(ManagementGroupPrefix) --name $(ManagementGroupPrefix)
 
+      - task: Bash@3
+        displayName: Az CLI Validate Role Assignment to multiple Management Groups
+        name: validate_role_assign_multiple_mg
+        inputs:
+          targetType: "inline"
+          script: |
+            az deployment mg validate --template-file infra-as-code/bicep/modules/roleAssignments/roleAssignmentManagementGroupMany.bicep --parameters @infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroupMany.managedIdentity.parameters.all.json parManagementGroupIds='("$(ManagementGroupPrefix)-landingzones", "$(ManagementGroupPrefix)-platform")' --location $(Location) --management-group-id $(ManagementGroupPrefix) --name $(ManagementGroupPrefix)
+
+      - task: Bash@3
+        displayName: Az CLI Validate Role Assignment to single subscription
+        name: validate_role_assign_single_subscription
+        inputs:
+          targetType: "inline"
+          script: |
+            az deployment sub validate --template-file infra-as-code/bicep/modules/roleAssignments/roleAssignmentSubscription.bicep --parameters @infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscription.managedIdentity.parameters.all.json --location $(Location) --name $(ManagementGroupPrefix)
+
+      - task: Bash@3
+        displayName: Az CLI Validate Role Assignment to multiple subscriptions
+        name: validate_role_assign_multiple_subscription
+        inputs:
+          targetType: "inline"
+          script: |
+            az deployment mg validate --template-file infra-as-code/bicep/modules/roleAssignments/roleAssignmentSubscriptionMany.bicep --parameters @infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscriptionMany.managedIdentity.parameters.all.json parSubscriptionIds='("$(subscriptionId)","$(azvalidatesubscription)")' --location $(Location) --management-group-id $(ManagementGroupPrefix) --name $(ManagementGroupPrefix)
+
+      - task: Bash@3
+        displayName: Az CLI Validate hub peered spoke orchestration module
+        name: validate_hub_peer_spoke
+        inputs:
+          targetType: "inline"
+          script: |
+            az deployment mg validate --template-file infra-as-code/bicep/orchestration/hubPeeredSpoke/hubPeeredSpoke.bicep --parameters @infra-as-code/bicep/orchestration/hubPeeredSpoke/parameters/hubPeeredSpoke.parameters.all.json parPeeredVnetSubscriptionId="$(subscriptionId)" parHubVirtualNetworkId="/subscriptions/$(subscriptionId)/resourceGroups/$(ResourceGroupName)/providers/Microsoft.Network/virtualNetworks/alz-hub-eastus" parTopLevelManagementGroupPrefix="$(ManagementGroupPrefix)" parLocation=$(Location) --location $(Location) --management-group-id $(ManagementGroupPrefix) --name $(ManagementGroupPrefix)
+
+      - task: Bash@3
+        displayName: Az CLI Validate subPlacementAll orchestration module
+        name: validate_sub_placement_all
+        inputs:
+          targetType: "inline"
+          script: |
+            az deployment mg validate --template-file infra-as-code/bicep/orchestration/subPlacementAll/subPlacementAll.bicep --parameters @infra-as-code/bicep/orchestration/subPlacementAll/parameters/subPlacementAll.parameters.all.json parTopLevelManagementGroupPrefix="$(ManagementGroupPrefix)" parPlatformConnectivityMgSubs='["$(subscriptionId)"]' --location $(Location) --management-group-id $(ManagementGroupPrefix) --name "$(ManagementGroupPrefix)-subPlacement"
+
+  - job: bicep_cleanup
+    dependsOn: bicep_validate
+    displayName: Cleanup Bicep Validate Deployment for PR
+    pool:
+      vmImage: ubuntu-latest
+    steps:
+      - task: AzurePowerShell@5
+        displayName: Az PowerShell Remove/Cleanup Deployment
+        inputs:
+          azureSubscription: "mcserviceconnection"
+          ScriptType: "FilePath"
+          ScriptPath: ".github/scripts/mc-Wipe-AlzTenant.ps1"
+          ScriptArguments: '-tenantRootGroupID $(azclitenant) -intermediateRootGroupID "$(ManagementGroupPrefix)" -subscriptionName "$(subscriptionName)"'
+          azurePowerShellVersion: "LatestVersion"
+          pwsh: true