Management Group Diagnostic Settings Enablement - New Module (#321)

* mgDiagSet module to enable Diagnostic Settings to all Management Groups in hierarchy

* removed a space at end of file

* Fixed the logic for enabling default and confidential child MGs

* Changed the name of the files to match the names of the folders

* Changed module path with new name

* Changes to README files

* removed LAW ID used in tests from parameters file

* changes to the high level deployment flow image

* fixed linter error in parameteres file

* Update infra-as-code/bicep/modules/mgDiagSettings/README.md

Co-authored-by: Jack Tracey <41163455+jtracey93@users.noreply.github.com>

* Update infra-as-code/bicep/modules/mgDiagSettings/README.md

Co-authored-by: Jack Tracey <41163455+jtracey93@users.noreply.github.com>

* Update infra-as-code/bicep/modules/mgDiagSettings/README.md

Co-authored-by: Jack Tracey <41163455+jtracey93@users.noreply.github.com>

* Update infra-as-code/bicep/modules/mgDiagSettings/README.md

Co-authored-by: Jack Tracey <41163455+jtracey93@users.noreply.github.com>

* Update infra-as-code/bicep/modules/mgDiagSettings/README.md

Co-authored-by: Jack Tracey <41163455+jtracey93@users.noreply.github.com>

* Update infra-as-code/bicep/orchestration/mgDiagSettingsAll/parameters/mgDiagSettingsAll.parameters.all.json

Co-authored-by: Jack Tracey <41163455+jtracey93@users.noreply.github.com>

* Update infra-as-code/bicep/orchestration/mgDiagSettingsAll/mgDiagSettingsAll.bicep

Co-authored-by: Jack Tracey <41163455+jtracey93@users.noreply.github.com>

* Update infra-as-code/bicep/orchestration/mgDiagSettingsAll/parameters/mgDiagSettingsAll.parameters.min.json

Co-authored-by: Jack Tracey <41163455+jtracey93@users.noreply.github.com>

* Update infra-as-code/bicep/orchestration/mgDiagSettingsAll/mgDiagSettingsAll.bicep

Co-authored-by: Jack Tracey <41163455+jtracey93@users.noreply.github.com>

* Update infra-as-code/bicep/modules/mgDiagSettings/diagSettings.bicep

Co-authored-by: Jack Tracey <41163455+jtracey93@users.noreply.github.com>

* Update infra-as-code/bicep/orchestration/mgDiagSettingsAll/parameters/mgDiagSettingsAll.parameters.all.json

Co-authored-by: Jack Tracey <41163455+jtracey93@users.noreply.github.com>

* Update infra-as-code/bicep/orchestration/mgDiagSettingsAll/README.md

Co-authored-by: Jack Tracey <41163455+jtracey93@users.noreply.github.com>

* Update infra-as-code/bicep/orchestration/mgDiagSettingsAll/README.md

Co-authored-by: Jack Tracey <41163455+jtracey93@users.noreply.github.com>

* Update infra-as-code/bicep/orchestration/mgDiagSettingsAll/README.md

Co-authored-by: Jack Tracey <41163455+jtracey93@users.noreply.github.com>

* Update infra-as-code/bicep/orchestration/mgDiagSettingsAll/README.md

Co-authored-by: Jack Tracey <41163455+jtracey93@users.noreply.github.com>

* Update infra-as-code/bicep/orchestration/mgDiagSettingsAll/README.md

Co-authored-by: Jack Tracey <41163455+jtracey93@users.noreply.github.com>

* Update infra-as-code/bicep/orchestration/mgDiagSettingsAll/mgDiagSettingsAll.bicep

Co-authored-by: Jack Tracey <41163455+jtracey93@users.noreply.github.com>

* Update infra-as-code/bicep/orchestration/mgDiagSettingsAll/mgDiagSettingsAll.bicep

Co-authored-by: Jack Tracey <41163455+jtracey93@users.noreply.github.com>

* changed module file name and high level flow diagram

* Update infra-as-code/bicep/orchestration/mgDiagSettingsAll/README.md

Co-authored-by: Jack Tracey <41163455+jtracey93@users.noreply.github.com>

* added telemetry and deployment options to mdDiagSettings README

* changes to mgDiagSettings parameters files

* Added test to validate and CodeTour

* Fixed name of mgDiagSettings.bicep file when called from orchestration module

* Added logic to bicep-build-to-validate.yml

* Added logic to bicep-build-to-validate.yml Fixed typo

* Fixed CRLF and other linter errors

* Update base-unit-validate.yml

* Fixed Format for base-unit-validate.yml

* Update base-unit-validate.yml

* Update base-unit-validate.yml

* add location

* Update mgDiagSettingsAll.parameters.all.json

* Update base-unit-validate.yml

* Update mc-base-unit-validate.yml

* Update mc-base-unit-validate.yml

* Update base-unit-validate.yml

* Update bicep-build-to-validate.yml

* Update mgDiagSettingsAll.parameters.min.json

* Update bicep-build-to-validate.yml

* Update base-unit-validate.yml

* Update base-unit-validate.yml

* Update mc-base-unit-validate.yml

* Update base-unit-validate.yml

* Update mc-base-unit-validate.yml

* Update bicep-build-to-validate.yml

* Update bicep-build-to-validate.yml

* Update base-unit-validate.yml

* Update mc-base-unit-validate.yml

* Update bicep-build-to-validate.yml

Co-authored-by: Luis Chaves <luchaves@microsoft.com>
Co-authored-by: Jack Tracey <41163455+jtracey93@users.noreply.github.com>

.vscode/tours/azurechinacloud-base-validation-pipeline.tour

@@ -37,6 +37,11 @@
       "description": "Validate ALZ logging component deployment. Depends on resource group previously created.",
       "line": 70
     },
+    {
+      "file": "tests/pipelines/mc-base-unit-validate.yml",
+      "description": "Validate ALZ mgDiagSettingsAll component deployment. Depends on Log Analytics Workspace and Management Groups previously created.",
+      "line": 78
+    },
     {
       "file": "tests/pipelines/mc-base-unit-validate.yml",
       "description": "Validate ALZ subscription placement into management group deployment. Depends on management groups previously created.",
@@ -118,4 +123,4 @@
       "line": 193
     }
   ]
-}
+}

.vscode/tours/azurecloud-base-validation-pipeline.tour

@@ -47,6 +47,11 @@
       "description": "Validate ALZ logging component deployment. Depends on resource group previously created.",
       "line": 85
     },
+    {
+      "file": "tests/pipelines/base-unit-validate.yml",
+      "description": "Validate ALZ mgDiagSettingsAll component deployment. Depends on Log Analytics Workspace and Management Groups previously created.",
+      "line": 91
+    },
     {
       "file": "tests/pipelines/base-unit-validate.yml",
       "description": "Validate ALZ subscription placement into management group deployment. Depends on management groups previously created.",
@@ -128,4 +133,4 @@
       "line": 212
     }
   ]
-}
+}

docs/wiki/CustomerUsage.md

@@ -36,6 +36,7 @@ The following are the unique ID's (also known as PIDs) used in each of the modul
 | hubNetworking                   | 2686e846-5fdc-4d4f-b533-16dcb09d6e6c |
 | logging                         | f8087c67-cc41-46b2-994d-66e4b661860d |
 | managementGroups                | 9b7965a0-d77c-41d6-85ef-ec3dfea4845b |
+| mgDiagSettings                  | 5d17f1c2-f17b-4426-9712-0cd2652c4435 |
 | policy-definitions              | 2b136786-9881-412e-84ba-f4c2822e1ac9 |
 | policy-assignments              | 78001e36-9738-429c-a343-45cc84e8a527 |
 | alzDefaultPolicyAssignments     | 98cef979-5a6b-403b-83c7-10c8f04ac9a2 |
@@ -51,3 +52,4 @@ The following are the unique ID's (also known as PIDs) used in each of the modul
 | hubSpoke - Orchestration        | 50ad3b1a-f72c-4de4-8293-8a6399991beb |
 | hubPeeredSpoke - Orchestration  | 8ea6f19a-d698-4c00-9afb-5c92d4766fd2 |
 | SubPlacementAll - Orchestration | bb800623-86ff-4ab4-8901-93c2b70967ae |
+| mgDiagSettingsAll - Orchestration | f49c8dfb-c0ce-4ee0-b316-5e4844474dd0 |

docs/wiki/DeploymentFlow.md

@@ -45,6 +45,7 @@ Modules in this reference implementation must be deployed in the following order
 |   2   | Custom Policy Definitions              | Configures Custom Policy Definitions at the `organization management group`.                                                                                                | Management Groups.                                                     | [infra-as-code/bicep/modules/policy/definitions](https://github.com/Azure/ALZ-Bicep/tree/main/infra-as-code/bicep/modules/policy/definitions)                         |
 |   3   | Custom Role Definitions                | Configures custom roles based on Cloud Adoption Framework's recommendations at the `organization management group`.                                                         | Management Groups.                                                     | [infra-as-code/bicep/modules/customRoleDefinitions](https://github.com/Azure/ALZ-Bicep/tree/main/infra-as-code/bicep/modules/customRoleDefinitions)                   |
 |   4   | Logging & Sentinel                     | Configures a centrally managed Log Analytics Workspace, Automation Account and Sentinel in the `Logging` subscription.                                                      | Management Groups & Subscription for Log Analytics and Sentinel.       | [infra-as-code/bicep/modules/logging](https://github.com/Azure/ALZ-Bicep/tree/main/infra-as-code/bicep/modules/logging)                                               |
+|  4.1  | Management Groups Diagnostic Settings  | Enable Diagnostic Settings for management Groups to the Log Analytics Workspace created in the `Logging` subscription.                                    | Management Groups & Log Analytics Workspace.       | [infra-as-code/bicep/orchestration/mgDiagSettings](https://github.com/Azure/ALZ-Bicep/tree/main/infra-as-code/bicep/orchestration/mgDiagSettings)                                               |
 |   5   | Hub Networking                         | Azure supports two types of hub-and-spoke design, VNet hub and Virtual WAN hub. Creates resources in the `Connectivity` subscription.                                       | Management Groups, Subscription for Hub Networking.                    | [See network topology deployment below](#network-topology-deployment)                                                                                                 |
 |   6   | Role Assignments                       | Creates role assignments using built-in and custom role definitions.                                                                                                        | Management Groups & Subscriptions.                                     | [infra-as-code/bicep/modules/roleAssignments](https://github.com/Azure/ALZ-Bicep/tree/main/infra-as-code/bicep/modules/roleAssignments)                               |
 |   7   | Subscription Placement                 | Moves one or more subscriptions (based on IDs) to the target Management Groups in your ALZ hierarchy.                                                                       | Management Groups & Subscriptions.                                     | [infra-as-code/bicep/orchestration/subPlacementAll](https://github.com/Azure/ALZ-Bicep/tree/main/infra-as-code/bicep/orchestration/subPlacementAll)                   |

infra-as-code/bicep/modules/mgDiagSettings/README.md

@@ -0,0 +1,76 @@
+# Module: Enable Diagnostic Settings on a Management Group
+
+This module enables the supported Diagnostic Settings categories on a Management Group to an existing Azure Log Analytics Workspace.
+> Consider using the `mgDiagSettingsAll` orchestration module instead to simplify configuring the Diagnostic Settings for all your Management Group hierarchy in a single module. [infra-as-code/bicep/orchestration/mgDiagSettingsAll](https://github.com/Azure/ALZ-Bicep/tree/main/infra-as-code/bicep/orchestration/mgDiagSettingsAll)
+
+## Parameters
+
+The module requires the following input parameters.
+
+| Parameter                             | Type   | Description                                                                                                                                                                          | Requirements                      | Example                                                                                 |
+| ------------------------------------- | ------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | --------------------------------- | --------------------------------------------------------------------------------------- |
+| parLogAnalyticsWorkspaceResourceId | string   | Resource ID of the Log Analytics Workspace                                                             | Mandatory input | `/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/alz-logging/providers/Microsoft.OperationalInsights/workspaces/alz-log-analytics`                                                                                 |
+ | parTargetManagementGroupId | string          | Target management group for the subscription.                               | Mandatory input, management group must exist | `alz-platform-connectivity`                                                                                                                                                                    |
+ | parTelemetryOptOut         | bool            | Set Parameter to true to Opt-out of deployment telemetry                    | none                                         | `false`                                                                                                                                                                                        |
+
+## Outputs
+
+*The module will not generate any outputs.*
+
+## Deployment
+
+The inputs for this module are defined in `parameters/mgDiagSettings.parameters.all.json`. The Diagnostic Settings resource will be named toLa but can be changed in the module if desired.
+
+> For the  examples below we assume you have downloaded or cloned the Git repo as-is and are in the root of the repository as your selected directory in your terminal of choice.
+
+### Azure CLI
+
+```bash
+# For Azure global regions
+az deployment mg create \
+  --template-file infra-as-code/bicep/modules/mgDiagSettings/mgDiagSettings.bicep \
+  --parameters @infra-as-code/bicep/modules/mgDiagSettings/parameters/mgDiagSettings.parameters.all.json \
+  --location eastus \
+  --management-group-id alz
+```
+
+OR
+
+```bash
+# For Azure China regions
+az deployment mg create \
+  --template-file infra-as-code/bicep/modules/mgDiagSettings/mgDiagSettings.bicep \
+  --parameters @infra-as-code/bicep/modules/mgDiagSettings/parameters/mgDiagSettings.parameters.all.json \
+  --location chinaeast2 \
+  --management-group-id alz
+```
+
+### PowerShell
+
+```powershell
+# For Azure global regions
+New-AzManagementGroupDeployment `
+  -TemplateFile infra-as-code/bicep/modules/mgDiagSettings/mgDiagSettings.bicep `
+  -TemplateParameterFile @infra-as-code/bicep/modules/mgDiagSettings/parameters/mgDiagSettings.parameters.all.json `
+  -Location eastus `
+  -ManagementGroupId alz
+```
+
+OR
+
+```powershell
+# For Azure China regions
+New-AzManagementGroupDeployment `
+  -TemplateFile infra-as-code/bicep/modules/mgDiagSettings/mgDiagSettings.bicep `
+  -TemplateParameterFile @infra-as-code/bicep/modules/mgDiagSettings/parameters/mgDiagSettings.parameters.all.json `
+  -Location chinaeast2 `
+  -ManagementGroupId alz
+```
+
+## Validation
+
+To validate if Diagnostic Settings was correctly enabled for any specific management group, a REST API GET call can be used. Documentation and easy way to try this can be found in this link [(Management Group Diagnostic Settings - Get)](https://learn.microsoft.com/rest/api/monitor/management-group-diagnostic-settings/get?tabs=HTTP&tryIt=true&source=docs#code-try-0). There is currently not a direct way to validate this in the Azure Portal, Azure CLI or PowerShell.
+
+## Bicep Visualizer
+
+![Bicep Visualizer](media/bicepVisualizer.png "Bicep Visualizer")

infra-as-code/bicep/modules/mgDiagSettings/bicepconfig.json

@@ -0,0 +1,64 @@
+{
+  "analyzers": {
+    "core": {
+      "enabled": true,
+      "verbose": true,
+      "rules": {
+        "adminusername-should-not-be-literal": {
+          "level": "error"
+        },
+        "no-hardcoded-env-urls": {
+          "level": "error"
+        },
+        "no-unnecessary-dependson": {
+          "level": "error"
+        },
+        "no-unused-params": {
+          "level": "error"
+        },
+        "no-unused-vars": {
+          "level": "error"
+        },
+        "outputs-should-not-contain-secrets": {
+          "level": "error"
+        },
+        "prefer-interpolation": {
+          "level": "error"
+        },
+        "secure-parameter-default": {
+          "level": "error"
+        },
+        "simplify-interpolation": {
+          "level": "error"
+        },
+        "protect-commandtoexecute-secrets": {
+          "level": "error"
+        },
+        "use-stable-vm-image": {
+          "level": "error"
+        },
+        "explicit-values-for-loc-params": {
+          "level": "error"
+        },
+        "no-hardcoded-location": {
+          "level": "error"
+        },
+        "no-loc-expr-outside-params": {
+          "level": "error"
+        },
+        "max-outputs": {
+          "level": "error"
+        },
+        "max-params": {
+          "level": "error"
+        },
+        "max-resources": {
+          "level": "error"
+        },
+        "max-variables": {
+          "level": "error"
+        }
+      }
+    }
+  }
+}

infra-as-code/bicep/modules/mgDiagSettings/mgDiagSettings.bicep

@@ -0,0 +1,34 @@
+targetScope = 'managementGroup'
+
+@description('Log Analytics Workspace Resource ID.')
+param parLogAnalyticsWorkspaceResourceId string
+
+@description('Set Parameter to true to Opt-out of deployment telemetry')
+param parTelemetryOptOut bool = false
+
+// Customer Usage Attribution Id
+var varCuaid = '5d17f1c2-f17b-4426-9712-0cd2652c4435'
+
+resource mgDiagSet 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
+  name: 'toLa'
+  properties: {
+    workspaceId: parLogAnalyticsWorkspaceResourceId
+    logs: [
+      {
+        category: 'Administrative'
+        enabled: true
+      }
+      {
+        category: 'Policy'
+        enabled: true
+      }
+    ]
+  }
+}
+
+// Optional Deployment for Customer Usage Attribution
+module modCustomerUsageAttribution '../../CRML/customerUsageAttribution/cuaIdManagementGroup.bicep' = if (!parTelemetryOptOut) {
+  #disable-next-line no-loc-expr-outside-params //Only to ensure telemetry data is stored in same location as deployment. See https://github.com/Azure/ALZ-Bicep/wiki/FAQ#why-are-some-linter-rules-disabled-via-the-disable-next-line-bicep-function for more information
+  name: 'pid-${varCuaid}-${uniqueString(deployment().location)}'
+  params: {}
+}

infra-as-code/bicep/modules/mgDiagSettings/parameters/mgDiagSettings.parameters.all.json

@@ -0,0 +1,15 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+  "contentVersion": "1.0.0.0",
+  "parameters": {
+    "parTargetManagementGroupId": {
+      "value": ""
+    },
+    "parLogAnalyticsWorkspaceResourceId": {
+      "value": ""
+    },
+    "parTelemetryOptOut": {
+      "value": false
+    }
+  }
+}

infra-as-code/bicep/modules/mgDiagSettings/parameters/mgDiagSettings.parameters.min.json

@@ -0,0 +1,15 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+  "contentVersion": "1.0.0.0",
+  "parameters": {
+    "parTargetManagementGroupId": {
+      "value": ""
+    },
+    "parLogAnalyticsWorkspaceResourceId": {
+      "value": ""
+    },
+    "parTelemetryOptOut": {
+      "value": false
+    }
+  }
+}

infra-as-code/bicep/orchestration/mgDiagSettingsAll/README.md

@@ -0,0 +1,131 @@
+# Module: Orchestration - mgDiagSettingsAll - Enable diagnostic settings for management groups in the ALZ Management Groups hierarchy
+
+This module acts as an orchestration module that helps enable Diagnostic Settings on the Management Group hierarchy as was defined during the deployment of the Management Group module (this can be deployed via the [`managementGroups.bicep` module](https://github.com/Azure/ALZ-Bicep/tree/main/infra-as-code/bicep/modules/managementGroups)), which is also described in the wiki on the [Deployment Flow article](https://github.com/Azure/ALZ-Bicep/wiki/DeploymentFlow).
+
+This is accomplished through a tenant-scoped Azure Resource Manager (ARM) deployment. There are two boolean parameters that should match the options selected during the deployment of Management Group module regarding creation or not of Corp and Online Landing Zones and Confidential Corp and Confidential Online Landing zones.
+It also enables Diagnostic Settings for existing custom child landing zones if those are specified.
+
+
+> This module calls the [`diagSettings.bicep`](https://github.com/Azure/ALZ-Bicep/tree/main/infra-as-code/bicep/modules/mgDiagSettings) module multiple times to enable Diagnostic Settings to the desired Management Groups. If you only want to enable Diagnostic Settings at a time to a specified Management Group, then you could consider using the child module directly.
+
+## Parameters
+
+The module requires the following inputs:
+
+| Parameter                             | Type   | Description                                                                                                                                                                          | Requirements                      | Example                                                                                 |
+| ------------------------------------- | ------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | --------------------------------- | --------------------------------------------------------------------------------------- |
+| parTopLevelManagementGroupPrefix      | string | Prefix for the management group hierarchy.  This management group will be created as part of the deployment.                                                                         | 2-10 characters                   | `alz`                                                                                   |
+| parLandingZoneMgAlzDefaultsEnable     | bool   | Deploys Corp & Online Management Groups beneath Landing Zones Management Group if set to true.                                                                                       | Mandatory input, default: `true`  | `true`                                                                                  |
+| parLandingZoneMgConfidentialEnable    | bool   | Deploys Confidential Corp & Confidential Online Management Groups beneath Landing Zones Management Group if set to true.                                                             | Mandatory input, default: `false` | `false`                                                                                 |
+| parLogAnalyticsWorkspaceResourceId | string   | Resource ID of the Log Analytics Workspace                                                             | Mandatory input | `/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/alz-logging/providers/Microsoft.OperationalInsights/workspaces/alz-log-analytics` |
+| parLandingZoneMgChildren              | array | Dictionary Object to allow additional child Management Groups of Landing Zones Management Group to be deployed.                                                         | Not required input, default `[]`  | {"value": ["pci","avs"]}                                                         |
+| parTelemetryOptOut                    | bool   | Set Parameter to true to Opt-out of deployment telemetry                                                                                                                             | Mandatory input, default: `false` | `false`                                                                                 |
+
+### Diagnostic Settings for Child Landing Zone Management Groups
+
+This module considers the same flexibility used when creating the child Landing Zone Management Groups during deployment of the Management Groups module. The three parameters detailed below should correspond to the values used during Management Groups module deployment. All of these parameters can be used together to enable diagnostic settings on the child Landing Zone Management Groups.
+
+- `parLandingZoneMgAlzDefaultsEnable`
+  - Boolean - defaults to `true`
+  - **Required**
+  - Deploys following child Landing Zone Management groups if set to `true`:
+    - `Corp`
+    - `Online`
+    - *These are the default ALZ Management Groups as per the conceptual architecture*
+- `parLandingZoneMgConfidentialEnable`
+  - Boolean - defaults to `false`
+  - **Required**
+  - Deploys following child Landing Zone Management groups if set to `true`:
+    - `Confidential Corp`
+    - `Confidential Online`
+- `parLandingZoneMgChildren`
+  - Object - default is an empty array `[]`
+  - **Optional**
+  - Deploys whatever you specify in the object as child Landing Zone Management groups.
+
+#### `parLandingZoneMgChildren` Input Examples
+
+Below are some examples of how to use this input parameter in both Bicep & JSON formats.
+
+##### Bicep Example
+
+```bicep
+parLandingZoneMgChildren: {
+  pci: {
+    displayName: 'PCI'
+  }
+  'another-example': {
+    displayName: 'Another Example'
+  }
+}
+```
+
+##### JSON Parameter File Input Example
+
+```json
+    "parLandingZoneMgChildren": {
+      "value": [
+        "pci",
+        "another-example"
+    ]
+  }
+```
+
+## Outputs
+
+*The module will not generate any outputs.*
+
+## Deployment
+
+In this example, the Diagnostic Settings are enabled on the management groups through a tenant-scoped deployment.
+
+> For the examples below we assume you have downloaded or cloned the Git repo as-is and are in the root of the repository as your selected directory in your terminal of choice.
+
+### Azure CLI
+
+```bash
+# For Azure global regions
+az deployment tenant create \
+  --template-file infra-as-code/bicep/orchestration/mgDiagSettingsAll/mgDiagSettingsAll.bicep \
+  --parameters @infra-as-code/bicep/orchestration/mgDiagSettingsAll/parameters/mgDiagSettingsAll.parameters.all.json \
+  --location eastus
+```
+
+OR
+
+```bash
+# For Azure China regions
+az deployment tenant create \
+  --template-file infra-as-code/bicep/orchestration/mgDiagSettingsAll/mgDiagSettingsAll.bicep \
+  --parameters @infra-as-code/bicep/orchestration/mgDiagSettingsAll/parameters/mgDiagSettingsAll.parameters.all.json \
+  --location chinaeast2
+```
+
+### PowerShell
+
+```powershell
+# For Azure global regions
+New-AzTenantDeployment `
+  -TemplateFile infra-as-code/bicep/orchestration/mgDiagSettingsAll/mgDiagSettingsAll.bicep `
+  -TemplateParameterFile infra-as-code/bicep/orchestration/mgDiagSettingsAll/parameters/mgDiagSettingsAll.parameters.all.json `
+  -Location eastus
+```
+
+OR
+
+```powershell
+# For Azure China regions
+New-AzTenantDeployment `
+  -TemplateFile infra-as-code/bicep/orchestration/mgDiagSettingsAll/mgDiagSettingsAll.bicep `
+  -TemplateParameterFile infra-as-code/bicep/orchestration/mgDiagSettingsAll/parameters/mgDiagSettingsAll.parameters.all.json `
+  -Location chinaeast2
+
+```
+
+## Validation
+
+To validate if Diagnostic Settings was correctly enabled for any specific management group, a REST API GET call can be used. Documentation and easy way to try this can be found in this link [(Management Group Diagnostic Settings - Get)](https://learn.microsoft.com/rest/api/monitor/management-group-diagnostic-settings/get?tabs=HTTP&tryIt=true&source=docs#code-try-0). There is currently not a direct way to validate this in the Azure Portal, Azure CLI or PowerShell.
+
+## Bicep Visualizer
+
+![Bicep Visualizer](media/bicepVisualizer.png "Bicep Visualizer")

infra-as-code/bicep/orchestration/mgDiagSettingsAll/bicepconfig.json

@@ -0,0 +1,64 @@
+{
+  "analyzers": {
+    "core": {
+      "enabled": true,
+      "verbose": true,
+      "rules": {
+        "adminusername-should-not-be-literal": {
+          "level": "error"
+        },
+        "no-hardcoded-env-urls": {
+          "level": "error"
+        },
+        "no-unnecessary-dependson": {
+          "level": "error"
+        },
+        "no-unused-params": {
+          "level": "error"
+        },
+        "no-unused-vars": {
+          "level": "error"
+        },
+        "outputs-should-not-contain-secrets": {
+          "level": "error"
+        },
+        "prefer-interpolation": {
+          "level": "error"
+        },
+        "secure-parameter-default": {
+          "level": "error"
+        },
+        "simplify-interpolation": {
+          "level": "error"
+        },
+        "protect-commandtoexecute-secrets": {
+          "level": "error"
+        },
+        "use-stable-vm-image": {
+          "level": "error"
+        },
+        "explicit-values-for-loc-params": {
+          "level": "error"
+        },
+        "no-hardcoded-location": {
+          "level": "error"
+        },
+        "no-loc-expr-outside-params": {
+          "level": "error"
+        },
+        "max-outputs": {
+          "level": "error"
+        },
+        "max-params": {
+          "level": "error"
+        },
+        "max-resources": {
+          "level": "error"
+        },
+        "max-variables": {
+          "level": "error"
+        }
+      }
+    }
+  }
+}

infra-as-code/bicep/orchestration/mgDiagSettingsAll/mgDiagSettingsAll.bicep

@@ -0,0 +1,88 @@
+targetScope = 'tenant'
+
+@description('Prefix used for the management group hierarchy in the managementGroups module.')
+@minLength(2)
+@maxLength(10)
+param parTopLevelManagementGroupPrefix string = 'alz'
+
+@description('Dictionary Object to allow additional or different child Management Groups of the Landing Zones Management Group .')
+param parLandingZoneMgChildren array = []
+
+@description('Log Analytics Workspace Resource ID.')
+param parLogAnalyticsWorkspaceResourceId string
+
+@description('Deploys Corp & Online Management Groups beneath Landing Zones Management Group if set to true.')
+param parLandingZoneMgAlzDefaultsEnable bool = true
+
+@description('Deploys Confidential Corp & Confidential Online Management Groups beneath Landing Zones Management Group if set to true.')
+param parLandingZoneMgConfidentialEnable bool = false
+
+@description('Set Parameter to true to Opt-out of deployment telemetry')
+param parTelemetryOptOut bool = false
+
+var varMgIds = {
+  intRoot: parTopLevelManagementGroupPrefix
+  platform: '${parTopLevelManagementGroupPrefix}-platform'
+  platformManagement: '${parTopLevelManagementGroupPrefix}-platform-management'
+  platformConnectivity: '${parTopLevelManagementGroupPrefix}-platform-connectivity'
+  platformIdentity: '${parTopLevelManagementGroupPrefix}-platform-identity'
+  landingZones: '${parTopLevelManagementGroupPrefix}-landingzones'
+  decommissioned: '${parTopLevelManagementGroupPrefix}-decommissioned'
+  sandbox: '${parTopLevelManagementGroupPrefix}-sandbox'
+}
+
+// Used if parLandingZoneMgAlzDefaultsEnable == true
+var varLandingZoneMgChildrenAlzDefault = {
+  landingZonesCorp: '${parTopLevelManagementGroupPrefix}-landingzones-corp'
+  landingZonesOnline: '${parTopLevelManagementGroupPrefix}-landingzones-online'
+}
+
+// Used if parLandingZoneMgConfidentialEnable == true
+var varLandingZoneMgChildrenConfidential = {
+  landingZonesConfidentialCorp: '${parTopLevelManagementGroupPrefix}-landingzones-confidential-corp'
+  landingZonesConfidentialOnline: '${parTopLevelManagementGroupPrefix}-landingzones-confidential-online'
+}
+
+// Used if parLandingZoneMgConfidentialEnable not empty
+var varLandingZoneMgCustomChildren = [for customMg in parLandingZoneMgChildren: {
+  mgId: '${parTopLevelManagementGroupPrefix}-landingzones-${customMg}'
+}]
+
+// Build final object based on input parameters for default and confidential child MGs of LZs
+var varLandingZoneMgDefaultChildrenUnioned = (parLandingZoneMgAlzDefaultsEnable && parLandingZoneMgConfidentialEnable) ? union(varLandingZoneMgChildrenAlzDefault, varLandingZoneMgChildrenConfidential) : (parLandingZoneMgAlzDefaultsEnable && !parLandingZoneMgConfidentialEnable) ? varLandingZoneMgChildrenAlzDefault : (!parLandingZoneMgAlzDefaultsEnable && parLandingZoneMgConfidentialEnable) ? varLandingZoneMgChildrenConfidential : (!parLandingZoneMgAlzDefaultsEnable && !parLandingZoneMgConfidentialEnable) ? {} : {}
+
+// Customer Usage Attribution Id
+var varCuaid = 'f49c8dfb-c0ce-4ee0-b316-5e4844474dd0'
+
+module modMgDiagSet '../../modules/mgDiagSettings/mgDiagSettings.bicep' = [for mgId in items(varMgIds): {
+  scope: managementGroup(mgId.value)
+  name: 'mg-diag-set-${mgId.value}'
+  params: {
+    parLogAnalyticsWorkspaceResourceId: parLogAnalyticsWorkspaceResourceId
+  }
+}]
+
+// Default Children Landing Zone Management Groups
+module modMgLandingZonesDiagSet '../../modules/mgDiagSettings/mgDiagSettings.bicep' = [for childMg in items(varLandingZoneMgDefaultChildrenUnioned): {
+  scope: managementGroup(childMg.value)
+  name: 'mg-diag-set-${childMg.value}'
+  params: {
+    parLogAnalyticsWorkspaceResourceId: parLogAnalyticsWorkspaceResourceId
+  }
+}]
+
+// Custom Children Landing Zone Management Groups
+module modMgChildrenDiagSet '../../modules/mgDiagSettings/mgDiagSettings.bicep' = [for childMg in varLandingZoneMgCustomChildren: {
+  scope: managementGroup(childMg.mgId)
+  name: 'mg-diag-set-${childMg.mgId}'
+  params: {
+    parLogAnalyticsWorkspaceResourceId: parLogAnalyticsWorkspaceResourceId
+  }
+}]
+
+// Optional Deployment for Customer Usage Attribution
+module modCustomerUsageAttribution '../../CRML/customerUsageAttribution/cuaIdTenant.bicep' = if (!parTelemetryOptOut) {
+  #disable-next-line no-loc-expr-outside-params //Only to ensure telemetry data is stored in same location as deployment. See https://github.com/Azure/ALZ-Bicep/wiki/FAQ#why-are-some-linter-rules-disabled-via-the-disable-next-line-bicep-function for more information //Only to ensure telemetry data is stored in same location as deployment. See https://github.com/Azure/ALZ-Bicep/wiki/FAQ#why-are-some-linter-rules-disabled-via-the-disable-next-line-bicep-function for more information
+  name: 'pid-${varCuaid}-${uniqueString(deployment().location)}'
+  params: {}
+}

infra-as-code/bicep/orchestration/mgDiagSettingsAll/parameters/mgDiagSettingsAll.parameters.all.json

@@ -0,0 +1,24 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+  "contentVersion": "1.0.0.0",
+  "parameters": {
+    "parTopLevelManagementGroupPrefix": {
+      "value": "alz"
+    },
+    "parLandingZoneMgAlzDefaultsEnable": {
+      "value": true
+    },
+    "parLandingZoneMgConfidentialEnable": {
+      "value": false
+    },
+    "parLogAnalyticsWorkspaceResourceId": {
+      "value": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourcegroups/alz-logging/providers/microsoft.operationalinsights/workspaces/alz-log-analytics"
+    },
+    "parLandingZoneMgChildren": {
+      "value": []
+    },
+    "parTelemetryOptOut": {
+      "value": false
+    }
+  }
+}

infra-as-code/bicep/orchestration/mgDiagSettingsAll/parameters/mgDiagSettingsAll.parameters.min.json

@@ -0,0 +1,15 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+  "contentVersion": "1.0.0.0",
+  "parameters": {
+    "parTopLevelManagementGroupPrefix": {
+      "value": "alz"
+    },
+    "parLogAnalyticsWorkspaceResourceId": {
+      "value": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourcegroups/alz-logging/providers/microsoft.operationalinsights/workspaces/alz-log-analytics"
+    },
+    "parTelemetryOptOut": {
+      "value": false
+    }
+  }
+}

tests/pipelines/base-unit-validate.yml

@@ -14,214 +14,231 @@ variables:
     value: "sub-unit-test-pr-$(System.PullRequest.PullRequestNumber)"
 
 jobs:
-- job: bicep_validate
+  - job: bicep_validate
-  displayName: Validate Bicep Module Deployments for PR
+    displayName: Validate Bicep Module Deployments for PR
-  pool: 
+    pool:
-    vmImage: ubuntu-latest
+      vmImage: ubuntu-latest
-  steps:
+    steps:
-  - task: Bash@3
+      - task: Bash@3
-    displayName: Login to Azure
+        displayName: Login to Azure
-    name: git_azlogin
+        name: git_azlogin
-    inputs:
+        inputs:
-      targetType: 'inline'
+          targetType: "inline"
-      script: |
+          script: |
-        az login --service-principal --username $(azclilogin) --password $(azclipwd) --tenant $(azclitenant)
+            az login --service-principal --username $(azclilogin) --password $(azclipwd) --tenant $(azclitenant)
 
-  - task: Bash@3
+      - task: Bash@3
-    displayName: Az CLI Create Subscription for PR
+        displayName: Az CLI Create Subscription for PR
-    name: create_subscription
+        name: create_subscription
-    inputs:
+        inputs:
-      targetType: 'inline'
+          targetType: "inline"
-      script: |
+          script: |
-        subid=$(az deployment tenant create --name "deploy-$(SubscriptionName)" --location $(Location) --template-file infra-as-code/bicep/CRML/subscriptionAlias/subscriptionAlias.bicep --parameters @infra-as-code/bicep/CRML/subscriptionAlias/parameters/subscriptionAlias.parameters.min.json --parameters parSubscriptionBillingScope=$(ALZ-AZURE-SECRET-EA-BILLING-ACCOUNT) parSubscriptionName=$(SubscriptionName) | jq .properties.outputs.outSubscriptionId.value | tr -d '"')
+            subid=$(az deployment tenant create --name "deploy-$(SubscriptionName)" --location $(Location) --template-file infra-as-code/bicep/CRML/subscriptionAlias/subscriptionAlias.bicep --parameters @infra-as-code/bicep/CRML/subscriptionAlias/parameters/subscriptionAlias.parameters.min.json --parameters parSubscriptionBillingScope=$(ALZ-AZURE-SECRET-EA-BILLING-ACCOUNT) parSubscriptionName=$(SubscriptionName) | jq .properties.outputs.outSubscriptionId.value | tr -d '"')
-        echo $subId
+            echo $subId
-        echo "##vso[task.setvariable variable=subscriptionId]$subid"
+            echo "##vso[task.setvariable variable=subscriptionId]$subid"
-        
-  - task: Bash@3
-    displayName: Az CLI Refresh subscription list
-    name: refresh_subscription
-    inputs:
-      targetType: 'inline'
-      script: |
-        az account list --refresh        
-        
-  - task: Bash@3    
-    displayName: Az CLI Create Resource Group for PR
-    name: create_rsg
-    inputs:
-      targetType: 'inline'
-      script: |
-        az account set --subscription $(subscriptionId)
-        if [ $(az group exists --name $(ResourceGroupName) ) == false ]; then
-            sleep 300
-        fi
-        az deployment sub create --name "deploy-$(ResourceGroupName)" --template-file infra-as-code/bicep/modules/resourceGroup/resourceGroup.bicep --location $(Location) --parameters parLocation=$(Location) parResourceGroupName=$(ResourceGroupName)
 
-  - task: Bash@3     
+      - task: Bash@3
-    displayName: Az CLI Deploy Management Groups for PR
+        displayName: Az CLI Refresh subscription list
-    name: create_mgs
+        name: refresh_subscription
-    inputs:
+        inputs:
-      targetType: 'inline'
+          targetType: "inline"
-      script: |
+          script: |
-        az deployment tenant create --template-file infra-as-code/bicep/modules/managementGroups/managementGroups.bicep --parameters @infra-as-code/bicep/modules/managementGroups/parameters/managementGroups.parameters.all.json parTopLevelManagementGroupPrefix=$(ManagementGroupPrefix) --location $(Location) --name $(ManagementGroupPrefix)
+            az account list --refresh
-  
-  - task: Bash@3  
-    displayName: Az CLI Validate Custom Role Definitions for PR
-    name: validate_rbac_roles
-    inputs:
-      targetType: 'inline'
-      script: |
-        az deployment mg validate --template-file infra-as-code/bicep/modules/customRoleDefinitions/customRoleDefinitions.bicep  --parameters @infra-as-code/bicep/modules/customRoleDefinitions/parameters/customRoleDefinitions.parameters.all.json parAssignableScopeManagementGroupId=$(ManagementGroupPrefix) --location $(Location) --management-group-id $(ManagementGroupPrefix) --name $(ManagementGroupPrefix)
-  
-  - task: Bash@3    
-    displayName: Az CLI Validate Custom Policy Definitions for PR
-    name: validate_policy_defs
-    inputs:
-      targetType: 'inline'
-      script: |
-        az deployment mg validate --template-file infra-as-code/bicep/modules/policy/definitions/customPolicyDefinitions.bicep  --parameters @infra-as-code/bicep/modules/policy/definitions/parameters/customPolicyDefinitions.parameters.all.json parTargetManagementGroupId=$(ManagementGroupPrefix) --location $(Location) --management-group-id $(ManagementGroupPrefix) --name $(ManagementGroupPrefix)
-  
-  - task: Bash@3    
-    displayName: Az CLI Validate Logging for PR
-    name: validate_logging
-    inputs:
-      targetType: 'inline'
-      script: |
-        az deployment group validate --resource-group $(ResourceGroupName) --template-file infra-as-code/bicep/modules/logging/logging.bicep --parameters @infra-as-code/bicep/modules/logging/parameters/logging.parameters.all.json --name $(ManagementGroupPrefix)
 
-  - task: Bash@3    
+      - task: Bash@3
-    displayName: Az CLI Validate Subscription Placement for PR
+        displayName: Az CLI Create Resource Group for PR
-    name: move_sub
+        name: create_rsg
-    inputs:
+        inputs:
-      targetType: 'inline'
+          targetType: "inline"
-      script: |
+          script: |
-        az deployment mg validate --template-file infra-as-code/bicep/modules/subscriptionPlacement/subscriptionPlacement.bicep --parameters @infra-as-code/bicep/modules/subscriptionPlacement/parameters/subscriptionPlacement.parameters.all.json parTargetManagementGroupId=$(ManagementGroupPrefix)-platform-connectivity parSubscriptionIds='["$(subscriptionId)"]' --location $(Location) --management-group-id $(ManagementGroupPrefix) --name $(ManagementGroupPrefix)
+            az account set --subscription $(subscriptionId)
+            if [ $(az group exists --name $(ResourceGroupName) ) == false ]; then
+                sleep 300
+            fi
+            az deployment sub create --name "deploy-$(ResourceGroupName)" --template-file infra-as-code/bicep/modules/resourceGroup/resourceGroup.bicep --location $(Location) --parameters parLocation=$(Location) parResourceGroupName=$(ResourceGroupName)
 
-  - task: Bash@3    
+      - task: Bash@3
-    displayName: Az CLI Validate Alz Default policy assignments
+        displayName: Az CLI Register Resource Providers for PR
-    name: validate_alz_default_policy_assign
+        name: register_providers
-    inputs:
+        inputs:
-      targetType: 'inline'
+          targetType: "inline"
-      script: |
+          script: |
-        az deployment mg validate --template-file infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep --parameters @infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.all.json parTopLevelManagementGroupPrefix=$(ManagementGroupPrefix) --location $(Location) --management-group-id $(ManagementGroupPrefix) --name $(ManagementGroupPrefix)
+            az account set --subscription $(subscriptionId)
+            az provider register -n 'Microsoft.Insights'
 
-  - task: Bash@3    
-    displayName: Az CLI Validate Hub Networking for PR
-    name: validate_hub_network
-    inputs:
-      targetType: 'inline'
-      script: |
-        az deployment group validate --resource-group $(ResourceGroupName) --template-file infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep --parameters @infra-as-code/bicep/modules/hubNetworking/parameters/hubNetworking.parameters.all.json --name $(ManagementGroupPrefix)
 
-  - task: Bash@3    
+      - task: Bash@3
-    displayName: Az CLI Validate vWan Networking for PR
+        displayName: Az CLI Deploy Management Groups for PR
-    name: validate_vwan_network
+        name: create_mgs
-    inputs:
+        inputs:
-      targetType: 'inline'
+          targetType: "inline"
-      script: |
+          script: |
-        az deployment group validate --resource-group $(ResourceGroupName) --template-file infra-as-code/bicep/modules/vwanConnectivity/vwanConnectivity.bicep --parameters @infra-as-code/bicep/modules/vwanConnectivity/parameters/vwanConnectivity.parameters.all.json --name $(ManagementGroupPrefix)
+            az deployment tenant create --template-file infra-as-code/bicep/modules/managementGroups/managementGroups.bicep --parameters @infra-as-code/bicep/modules/managementGroups/parameters/managementGroups.parameters.all.json parTopLevelManagementGroupPrefix=$(ManagementGroupPrefix) --location $(Location) --name $(ManagementGroupPrefix)
 
-  - task: Bash@3              
+      - task: Bash@3
-    displayName: Az CLI Validate Spoke Networking for PR
+        displayName: Az CLI Validate Custom Role Definitions for PR
-    name: validate_spoke_network
+        name: validate_rbac_roles
-    inputs:
+        inputs:
-      targetType: 'inline'
+          targetType: "inline"
-      script: |
+          script: |
-        az deployment group validate --resource-group $(ResourceGroupName) --template-file infra-as-code/bicep/modules/spokeNetworking/spokeNetworking.bicep --name $(ManagementGroupPrefix)
+            az deployment mg validate --template-file infra-as-code/bicep/modules/customRoleDefinitions/customRoleDefinitions.bicep  --parameters @infra-as-code/bicep/modules/customRoleDefinitions/parameters/customRoleDefinitions.parameters.all.json parAssignableScopeManagementGroupId=$(ManagementGroupPrefix) --location $(Location) --management-group-id $(ManagementGroupPrefix) --name $(ManagementGroupPrefix)
 
-  - task: Bash@3    
+      - task: Bash@3
-    displayName: Az CLI Validate vWan Network connection for PR
+        displayName: Az CLI Validate Custom Policy Definitions for PR
-    name: validate_vwan_network_connection
+        name: validate_policy_defs
-    inputs:
+        inputs:
-      targetType: 'inline'
+          targetType: "inline"
-      script: |
+          script: |
-        az deployment sub validate --location $(Location) --template-file infra-as-code/bicep/modules/vnetPeeringVwan/vnetPeeringVwan.bicep --parameters @infra-as-code/bicep/modules/vnetPeeringVwan/parameters/vnetPeeringVwan.parameters.all.json parVirtualWanHubResourceId="/subscriptions/$(subscriptionId)/resourceGroups/$(ResourceGroupName)/providers/Microsoft.Network/virtualHubs/alz-vhub-$(Location)"  parRemoteVirtualNetworkResourceId="/subscriptions/$(subscriptionId)/resourceGroups/$(ResourceGroupName)/providers/Microsoft.Network/virtualNetworks/vnet-spoke" --name $(ManagementGroupPrefix)
+            az deployment mg validate --template-file infra-as-code/bicep/modules/policy/definitions/customPolicyDefinitions.bicep  --parameters @infra-as-code/bicep/modules/policy/definitions/parameters/customPolicyDefinitions.parameters.all.json parTargetManagementGroupId=$(ManagementGroupPrefix) --location $(Location) --management-group-id $(ManagementGroupPrefix) --name $(ManagementGroupPrefix)
 
-  - task: Bash@3    
+      - task: Bash@3
-    displayName: Az CLI Validate vNet Peer for PR
+        displayName: Az CLI Deploy Logging for PR
-    name: validate_vnet_peer_spoke_2_hub
+        name: create_logging
-    inputs:
+        inputs:
-      targetType: 'inline'
+          targetType: "inline"
-      script: |
+          script: |
-        az deployment group validate --resource-group $(ResourceGroupName) --template-file infra-as-code/bicep/modules/vnetPeering/vnetPeering.bicep --parameters parDestinationVirtualNetworkId="/subscriptions/$(subscriptionId)/resourceGroups/$(ResourceGroupName)/providers/Microsoft.Network/virtualNetworks/alz-hub-$(Location)"  parSourceVirtualNetworkName="vnet-spoke" parDestinationVirtualNetworkName="alz-hub-$(Location)" --name $(ManagementGroupPrefix)
+            az deployment group create --resource-group $(ResourceGroupName) --template-file infra-as-code/bicep/modules/logging/logging.bicep --parameters @infra-as-code/bicep/modules/logging/parameters/logging.parameters.min.json
 
-  - task: Bash@3    
+      - task: Bash@3
-    displayName: Az CLI Validate Private DNS Zones
+        displayName: Az CLI Validate mgDiagSettingsAll for PR
-    name: validate_private_dns
+        name: create_mgDiagSettingsAll
-    inputs:
+        inputs:
-      targetType: 'inline'
+          targetType: "inline"
-      script: |
+          script: |
-        az deployment group validate --resource-group $(ResourceGroupName) --template-file infra-as-code/bicep/modules/privateDnsZones/privateDnsZones.bicep --parameters @infra-as-code/bicep/modules/privateDnsZones/parameters/privateDnsZones.parameters.all.json --name $(ManagementGroupPrefix)
+            az deployment tenant validate --template-file infra-as-code/bicep/orchestration/mgDiagSettingsAll/mgDiagSettingsAll.bicep --parameters @infra-as-code/bicep/orchestration/mgDiagSettingsAll/parameters/mgDiagSettingsAll.parameters.min.json parTopLevelManagementGroupPrefix="$(ManagementGroupPrefix)" parLogAnalyticsWorkspaceResourceId="/subscriptions/$(subscriptionId)/resourceGroups/$(ResourceGroupName)/providers/Microsoft.OperationalInsights/workspaces/alz-log-analytics" --location $(Location)
 
-  - task: Bash@3    
+      - task: Bash@3
-    displayName: Az CLI Validate Public IP
+        displayName: Az CLI Validate Subscription Placement for PR
-    name: validate_public_ip
+        name: move_sub
-    inputs:
+        inputs:
-      targetType: 'inline'
+          targetType: "inline"
-      script: |
+          script: |
-        az deployment group validate --resource-group $(ResourceGroupName) --template-file infra-as-code/bicep/modules/publicIp/publicIp.bicep --parameters @infra-as-code/bicep/modules/publicIp/parameters/publicIp.parameters.min.json --name $(ManagementGroupPrefix)
+            az deployment mg validate --template-file infra-as-code/bicep/modules/subscriptionPlacement/subscriptionPlacement.bicep --parameters @infra-as-code/bicep/modules/subscriptionPlacement/parameters/subscriptionPlacement.parameters.all.json parTargetManagementGroupId=$(ManagementGroupPrefix)-platform-connectivity parSubscriptionIds='["$(subscriptionId)"]' --location $(Location) --management-group-id $(ManagementGroupPrefix) --name $(ManagementGroupPrefix)
 
-  - task: Bash@3    
+      - task: Bash@3
-    displayName: Az CLI Validate Role Assignment to single Management Group
+        displayName: Az CLI Validate Alz Default policy assignments
-    name: validate_role_assign_single_mg
+        name: validate_alz_default_policy_assign
-    inputs:
+        inputs:
-      targetType: 'inline'
+          targetType: "inline"
-      script: |
+          script: |
-        az deployment mg validate --template-file infra-as-code/bicep/modules/roleAssignments/roleAssignmentManagementGroup.bicep --parameters @infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroup.managedIdentity.parameters.all.json --location $(Location) --management-group-id $(ManagementGroupPrefix) --name $(ManagementGroupPrefix)
+            az deployment mg validate --template-file infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep --parameters @infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.all.json parTopLevelManagementGroupPrefix=$(ManagementGroupPrefix) --location $(Location) --management-group-id $(ManagementGroupPrefix) --name $(ManagementGroupPrefix)
 
-  - task: Bash@3    
+      - task: Bash@3
-    displayName: Az CLI Validate Role Assignment to multiple Management Groups
+        displayName: Az CLI Validate Hub Networking for PR
-    name: validate_role_assign_multiple_mg
+        name: validate_hub_network
-    inputs:
+        inputs:
-      targetType: 'inline'
+          targetType: "inline"
-      script: |
+          script: |
-        az deployment mg validate --template-file infra-as-code/bicep/modules/roleAssignments/roleAssignmentManagementGroupMany.bicep --parameters @infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroupMany.managedIdentity.parameters.all.json parManagementGroupIds='("$(ManagementGroupPrefix)-landingzones", "$(ManagementGroupPrefix)-platform")' --location $(Location) --management-group-id $(ManagementGroupPrefix) --name $(ManagementGroupPrefix)
+            az deployment group validate --resource-group $(ResourceGroupName) --template-file infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep --parameters @infra-as-code/bicep/modules/hubNetworking/parameters/hubNetworking.parameters.all.json --name $(ManagementGroupPrefix)
 
-  - task: Bash@3    
+      - task: Bash@3
-    displayName: Az CLI Validate Role Assignment to single subscription
+        displayName: Az CLI Validate vWan Networking for PR
-    name: validate_role_assign_single_subscription
+        name: validate_vwan_network
-    inputs:
+        inputs:
-      targetType: 'inline'
+          targetType: "inline"
-      script: |
+          script: |
-        az deployment sub validate --template-file infra-as-code/bicep/modules/roleAssignments/roleAssignmentSubscription.bicep --parameters @infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscription.managedIdentity.parameters.all.json --location $(Location) --name $(ManagementGroupPrefix)
+            az deployment group validate --resource-group $(ResourceGroupName) --template-file infra-as-code/bicep/modules/vwanConnectivity/vwanConnectivity.bicep --parameters @infra-as-code/bicep/modules/vwanConnectivity/parameters/vwanConnectivity.parameters.all.json --name $(ManagementGroupPrefix)
 
-  - task: Bash@3    
+      - task: Bash@3
-    displayName: Az CLI Validate Role Assignment to multiple subscriptions
+        displayName: Az CLI Validate Spoke Networking for PR
-    name: validate_role_assign_multiple_subscription
+        name: validate_spoke_network
-    inputs:
+        inputs:
-      targetType: 'inline'
+          targetType: "inline"
-      script: |
+          script: |
-        az deployment mg validate --template-file infra-as-code/bicep/modules/roleAssignments/roleAssignmentSubscriptionMany.bicep --parameters @infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscriptionMany.managedIdentity.parameters.all.json parSubscriptionIds='("$(subscriptionId)","$(azvalidatesubscription)")' --location $(Location) --management-group-id $(ManagementGroupPrefix) --name $(ManagementGroupPrefix)
+            az deployment group validate --resource-group $(ResourceGroupName) --template-file infra-as-code/bicep/modules/spokeNetworking/spokeNetworking.bicep --name $(ManagementGroupPrefix)
 
-  - task: Bash@3    
+      - task: Bash@3
-    displayName: Az CLI Validate hub peered spoke orchestration module
+        displayName: Az CLI Validate vWan Network connection for PR
-    name: validate_hub_peer_spoke
+        name: validate_vwan_network_connection
-    inputs:
+        inputs:
-      targetType: 'inline'
+          targetType: "inline"
-      script: |
+          script: |
-        az deployment mg validate --template-file infra-as-code/bicep/orchestration/hubPeeredSpoke/hubPeeredSpoke.bicep --parameters @infra-as-code/bicep/orchestration/hubPeeredSpoke/parameters/hubPeeredSpoke.parameters.all.json parPeeredVnetSubscriptionId="$(subscriptionId)" parHubVirtualNetworkId="/subscriptions/$(subscriptionId)/resourceGroups/$(ResourceGroupName)/providers/Microsoft.Network/virtualNetworks/alz-hub-$(Location)" parTopLevelManagementGroupPrefix="$(ManagementGroupPrefix)" --location $(Location) --management-group-id $(ManagementGroupPrefix) --name $(ManagementGroupPrefix)
+            az deployment sub validate --location $(Location) --template-file infra-as-code/bicep/modules/vnetPeeringVwan/vnetPeeringVwan.bicep --parameters @infra-as-code/bicep/modules/vnetPeeringVwan/parameters/vnetPeeringVwan.parameters.all.json parVirtualWanHubResourceId="/subscriptions/$(subscriptionId)/resourceGroups/$(ResourceGroupName)/providers/Microsoft.Network/virtualHubs/alz-vhub-$(Location)"  parRemoteVirtualNetworkResourceId="/subscriptions/$(subscriptionId)/resourceGroups/$(ResourceGroupName)/providers/Microsoft.Network/virtualNetworks/vnet-spoke" --name $(ManagementGroupPrefix)
 
-  - task: Bash@3    
+      - task: Bash@3
-    displayName: Az CLI Validate subPlacementAll orchestration module
+        displayName: Az CLI Validate vNet Peer for PR
-    name: validate_sub_placement_all
+        name: validate_vnet_peer_spoke_2_hub
-    inputs:
+        inputs:
-      targetType: 'inline'
+          targetType: "inline"
-      script: |
+          script: |
-        az deployment mg validate --template-file infra-as-code/bicep/orchestration/subPlacementAll/subPlacementAll.bicep --parameters @infra-as-code/bicep/orchestration/subPlacementAll/parameters/subPlacementAll.parameters.all.json parTopLevelManagementGroupPrefix="$(ManagementGroupPrefix)" parPlatformConnectivityMgSubs='["$(subscriptionId)"]' --location $(Location) --management-group-id $(ManagementGroupPrefix) --name "$(ManagementGroupPrefix)-subPlacement"
+            az deployment group validate --resource-group $(ResourceGroupName) --template-file infra-as-code/bicep/modules/vnetPeering/vnetPeering.bicep --parameters parDestinationVirtualNetworkId="/subscriptions/$(subscriptionId)/resourceGroups/$(ResourceGroupName)/providers/Microsoft.Network/virtualNetworks/alz-hub-$(Location)"  parSourceVirtualNetworkName="vnet-spoke" parDestinationVirtualNetworkName="alz-hub-$(Location)" --name $(ManagementGroupPrefix)
 
-- job: bicep_cleanup
+      - task: Bash@3
-  dependsOn: bicep_validate
+        displayName: Az CLI Validate Private DNS Zones
-  displayName: Cleanup Bicep Validate Deployment for PR
+        name: validate_private_dns
-  pool: 
+        inputs:
-    vmImage: ubuntu-latest
+          targetType: "inline"
-  steps:
+          script: |
-  - task: AzurePowerShell@5
+            az deployment group validate --resource-group $(ResourceGroupName) --template-file infra-as-code/bicep/modules/privateDnsZones/privateDnsZones.bicep --parameters @infra-as-code/bicep/modules/privateDnsZones/parameters/privateDnsZones.parameters.all.json --name $(ManagementGroupPrefix)
-    displayName: Az CLI Remove/Cleanup Deployment
-    inputs:
-      azureSubscription: 'azserviceconnection'
-      ScriptType: 'FilePath'
-      ScriptPath: '.github/scripts/Wipe-AlzTenant.ps1'
-      ScriptArguments: '-tenantRootGroupID $(azclitenant) -intermediateRootGroupID "$(ManagementGroupPrefix)" -subscriptionName "$(SubscriptionName)"'
-      azurePowerShellVersion: 'LatestVersion'
-      pwsh: true
 
+      - task: Bash@3
+        displayName: Az CLI Validate Public IP
+        name: validate_public_ip
+        inputs:
+          targetType: "inline"
+          script: |
+            az deployment group validate --resource-group $(ResourceGroupName) --template-file infra-as-code/bicep/modules/publicIp/publicIp.bicep --parameters @infra-as-code/bicep/modules/publicIp/parameters/publicIp.parameters.min.json --name $(ManagementGroupPrefix)
+
+      - task: Bash@3
+        displayName: Az CLI Validate Role Assignment to single Management Group
+        name: validate_role_assign_single_mg
+        inputs:
+          targetType: "inline"
+          script: |
+            az deployment mg validate --template-file infra-as-code/bicep/modules/roleAssignments/roleAssignmentManagementGroup.bicep --parameters @infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroup.managedIdentity.parameters.all.json --location $(Location) --management-group-id $(ManagementGroupPrefix) --name $(ManagementGroupPrefix)
+
+      - task: Bash@3
+        displayName: Az CLI Validate Role Assignment to multiple Management Groups
+        name: validate_role_assign_multiple_mg
+        inputs:
+          targetType: "inline"
+          script: |
+            az deployment mg validate --template-file infra-as-code/bicep/modules/roleAssignments/roleAssignmentManagementGroupMany.bicep --parameters @infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroupMany.managedIdentity.parameters.all.json parManagementGroupIds='("$(ManagementGroupPrefix)-landingzones", "$(ManagementGroupPrefix)-platform")' --location $(Location) --management-group-id $(ManagementGroupPrefix) --name $(ManagementGroupPrefix)
+
+      - task: Bash@3
+        displayName: Az CLI Validate Role Assignment to single subscription
+        name: validate_role_assign_single_subscription
+        inputs:
+          targetType: "inline"
+          script: |
+            az deployment sub validate --template-file infra-as-code/bicep/modules/roleAssignments/roleAssignmentSubscription.bicep --parameters @infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscription.managedIdentity.parameters.all.json --location $(Location) --name $(ManagementGroupPrefix)
+
+      - task: Bash@3
+        displayName: Az CLI Validate Role Assignment to multiple subscriptions
+        name: validate_role_assign_multiple_subscription
+        inputs:
+          targetType: "inline"
+          script: |
+            az deployment mg validate --template-file infra-as-code/bicep/modules/roleAssignments/roleAssignmentSubscriptionMany.bicep --parameters @infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscriptionMany.managedIdentity.parameters.all.json parSubscriptionIds='("$(subscriptionId)","$(azvalidatesubscription)")' --location $(Location) --management-group-id $(ManagementGroupPrefix) --name $(ManagementGroupPrefix)
+
+      - task: Bash@3
+        displayName: Az CLI Validate hub peered spoke orchestration module
+        name: validate_hub_peer_spoke
+        inputs:
+          targetType: "inline"
+          script: |
+            az deployment mg validate --template-file infra-as-code/bicep/orchestration/hubPeeredSpoke/hubPeeredSpoke.bicep --parameters @infra-as-code/bicep/orchestration/hubPeeredSpoke/parameters/hubPeeredSpoke.parameters.all.json parPeeredVnetSubscriptionId="$(subscriptionId)" parHubVirtualNetworkId="/subscriptions/$(subscriptionId)/resourceGroups/$(ResourceGroupName)/providers/Microsoft.Network/virtualNetworks/alz-hub-$(Location)" parTopLevelManagementGroupPrefix="$(ManagementGroupPrefix)" --location $(Location) --management-group-id $(ManagementGroupPrefix) --name $(ManagementGroupPrefix)
+
+      - task: Bash@3
+        displayName: Az CLI Validate subPlacementAll orchestration module
+        name: validate_sub_placement_all
+        inputs:
+          targetType: "inline"
+          script: |
+            az deployment mg validate --template-file infra-as-code/bicep/orchestration/subPlacementAll/subPlacementAll.bicep --parameters @infra-as-code/bicep/orchestration/subPlacementAll/parameters/subPlacementAll.parameters.all.json parTopLevelManagementGroupPrefix="$(ManagementGroupPrefix)" parPlatformConnectivityMgSubs='["$(subscriptionId)"]' --location $(Location) --management-group-id $(ManagementGroupPrefix) --name "$(ManagementGroupPrefix)-subPlacement"
+
+  - job: bicep_cleanup
+    dependsOn: bicep_validate
+    displayName: Cleanup Bicep Validate Deployment for PR
+    pool:
+      vmImage: ubuntu-latest
+    steps:
+      - task: AzurePowerShell@5
+        displayName: Az CLI Remove/Cleanup Deployment
+        inputs:
+          azureSubscription: "azserviceconnection"
+          ScriptType: "FilePath"
+          ScriptPath: ".github/scripts/Wipe-AlzTenant.ps1"
+          ScriptArguments: '-tenantRootGroupID $(azclitenant) -intermediateRootGroupID "$(ManagementGroupPrefix)" -subscriptionName "$(SubscriptionName)"'
+          azurePowerShellVersion: "LatestVersion"
+          pwsh: true

tests/pipelines/bicep-build-to-validate.yml

@@ -14,270 +14,294 @@ variables:
     value: "sub-unit-test-pr-$(System.PullRequest.PullRequestNumber)"
 
 jobs:
-- job: bicep_deploy
+  - job: bicep_deploy
-  displayName: Deploy Bicep Files for PR
+    displayName: Deploy Bicep Files for PR
-  pool: 
+    pool:
-    vmImage: ubuntu-latest
+      vmImage: ubuntu-latest
-  steps:
+    steps:
-  - task: Bash@3
+      - task: Bash@3
-    displayName: Check for managementGroup Changes
+        displayName: Check for managementGroup Changes
-    name: git_management_diff
+        name: git_management_diff
-    inputs:
+        inputs:
-      targetType: 'inline'
+          targetType: "inline"
-      script: |
+          script: |
-          git_diff1=$(git diff --name-only HEAD^ HEAD infra-as-code/bicep/modules/managementGroups/managementGroups.bicep)
+            git_diff1=$(git diff --name-only HEAD^ HEAD infra-as-code/bicep/modules/managementGroups/managementGroups.bicep)
-          git_diff2=$(git diff --name-only HEAD^ HEAD infra-as-code/bicep/modules/customRoleDefinitions/customRoleDefinitions.bicep)
+            git_diff2=$(git diff --name-only HEAD^ HEAD infra-as-code/bicep/modules/customRoleDefinitions/customRoleDefinitions.bicep)
-          git_diff3=$(git diff --name-only HEAD^ HEAD infra-as-code/bicep/modules/policy/definitions/customPolicyDefinitions.bicep)
+            git_diff3=$(git diff --name-only HEAD^ HEAD infra-as-code/bicep/modules/policy/definitions/customPolicyDefinitions.bicep)
-          git_diff4=$(git diff --name-only HEAD^ HEAD infra-as-code/bicep/modules/policy/assignments/policyAssignmentManagementGroup.bicep)
+            git_diff4=$(git diff --name-only HEAD^ HEAD infra-as-code/bicep/modules/policy/assignments/policyAssignmentManagementGroup.bicep)
-          git_diff5=$(git diff --name-only HEAD^ HEAD infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep)
+            git_diff5=$(git diff --name-only HEAD^ HEAD infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep)
-          git_diff6=$(git diff --name-only HEAD^ HEAD infra-as-code/bicep/modules/subscriptionPlacement/subscriptionPlacement.bicep)
+            git_diff6=$(git diff --name-only HEAD^ HEAD infra-as-code/bicep/modules/roleAssignments/roleAssignmentManagementGroup.bicep)
-          git_diff7=$(git diff --name-only HEAD^ HEAD infra-as-code/bicep/modules/roleAssignments/roleAssignmentManagementGroup.bicep)
+            git_diff7=$(git diff --name-only HEAD^ HEAD infra-as-code/bicep/modules/subscriptionPlacement/subscriptionPlacement.bicep)
-          git_diff8=$(git diff --name-only HEAD^ HEAD infra-as-code/bicep/orchestration/subPlacementAll/subPlacementAll.bicep)
+            git_diff8=$(git diff --name-only HEAD^ HEAD infra-as-code/bicep/orchestration/subPlacementAll/subPlacementAll.bicep)
-          if [[ $git_diff1 != '' ]] || [[ $git_diff2 != '' ]] || [[ $git_diff3 != '' ]] || [[ $git_diff4 != '' ]] || [[ $git_diff5 != '' ]] || [[ $git_diff6 != '' ]] || [[ $git_diff7 != '' ]] || [[ $git_diff8 != '' ]]
+            git_diff9=$(git diff --name-only HEAD^ HEAD infra-as-code/bicep/modules/mgDiagSettings/mgDiagSettings.bicep)
-            then echo "##vso[task.setvariable variable=gitManagementOutput]setmgmt"
+            git_diff10=$(git diff --name-only HEAD^ HEAD infra-as-code/bicep/orchestration/mgDiagSettingsAll/mgDiagSettingsAll.bicep)
-          fi
+            if [[ $git_diff1 != '' ]] || [[ $git_diff2 != '' ]] || [[ $git_diff3 != '' ]] || [[ $git_diff4 != '' ]] || [[ $git_diff5 != '' ]] || [[ $git_diff6 != '' ]] || [[ $git_diff7 != '' ]] || [[ $git_diff8 != '' ]] || [[ $git_diff9 != '' ]] || [[ $git_diff10 != '' ]]
-          echo 
+              then echo "##vso[task.setvariable variable=gitManagementOutput]setmgmt"
+            fi
+            echo
 
-  - task: Bash@3
+      - task: Bash@3
-    displayName: Check for logging Changes
+        displayName: Check for logging Changes
-    name: git_logging_diff
+        name: git_logging_diff
-    inputs:
+        inputs:
-      targetType: 'inline'
+          targetType: "inline"
-      script: |
+          script: |
-          git_logging=$(git diff --name-only HEAD^ HEAD infra-as-code/bicep/modules/logging/logging.bicep)
+            git_diff_logging1=$(git diff --name-only HEAD^ HEAD infra-as-code/bicep/modules/logging/logging.bicep)
-          echo "##vso[task.setvariable variable=gitLoggingOUTPUT]$git_logging"
+            git_diff_logging2=$(git diff --name-only HEAD^ HEAD infra-as-code/bicep/modules/mgDiagSettings/mgDiagSettings.bicep)
+            git_diff_logging3=$(git diff --name-only HEAD^ HEAD infra-as-code/bicep/orchestration/mgDiagSettingsAll/mgDiagSettingsAll.bicep)
+            if [[ $git_diff_logging1 != '' ]] || [[ $git_diff_logging2 != '' ]] || [[ $git_diff_logging3 != '' ]]
+              then echo "##vso[task.setvariable variable=gitLoggingOUTPUT]setlogging"
+            fi
+            echo
 
-  - task: Bash@3
+      - task: Bash@3
-    displayName: Check for hubNetworking Changes
+        displayName: Check for hubNetworking Changes
-    name: git_hubnetworking_diff
+        name: git_hubnetworking_diff
-    inputs:
+        inputs:
-      targetType: 'inline'
+          targetType: "inline"
-      script: |
+          script: |
-          git_hub=$(git diff --name-only HEAD^ HEAD infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep)
+            git_hub=$(git diff --name-only HEAD^ HEAD infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep)
-          echo "##vso[task.setvariable variable=gitHubOUTPUT]$git_hub"
+            echo "##vso[task.setvariable variable=gitHubOUTPUT]$git_hub"
 
-  - task: Bash@3
+      - task: Bash@3
-    displayName: Check for virtual network peer Changes
+        displayName: Check for virtual network peer Changes
-    name: git_vnetpeer_diff
+        name: git_vnetpeer_diff
-    inputs:
+        inputs:
-      targetType: 'inline'
+          targetType: "inline"
-      script: |
+          script: |
-          git_vnetpeer=$(git diff --name-only HEAD^ HEAD infra-as-code/bicep/modules/vnetPeering ':(exclude)*.md' ':(exclude)*.png')
+            git_vnetpeer=$(git diff --name-only HEAD^ HEAD infra-as-code/bicep/modules/vnetPeering ':(exclude)*.md' ':(exclude)*.png')
-          echo "##vso[task.setvariable variable=gitVnetPeerOUTPUT]$git_vnetpeer"
+            echo "##vso[task.setvariable variable=gitVnetPeerOUTPUT]$git_vnetpeer"
 
-  - task: Bash@3
+      - task: Bash@3
-    displayName: Check for vwanNetworking Changes
+        displayName: Check for vwanNetworking Changes
-    name: git_vwannetworking_diff
+        name: git_vwannetworking_diff
-    inputs:
+        inputs:
-      targetType: 'inline'
+          targetType: "inline"
-      script: |
+          script: |
-          git_vwan=$(git diff --name-only HEAD^ HEAD infra-as-code/bicep/modules/vwanConnectivity/vwanConnectivity.bicep )
+            git_vwan=$(git diff --name-only HEAD^ HEAD infra-as-code/bicep/modules/vwanConnectivity/vwanConnectivity.bicep )
-          echo "##vso[task.setvariable variable=gitVwanOUTPUT]$git_vwan"
+            echo "##vso[task.setvariable variable=gitVwanOUTPUT]$git_vwan"
 
-  - task: Bash@3
+      - task: Bash@3
-    displayName: Check for vwanNetwork Connection Changes
+        displayName: Check for vwanNetwork Connection Changes
-    name: git_vwannetworkconnection_diff
+        name: git_vwannetworkconnection_diff
-    inputs:
+        inputs:
-      targetType: 'inline'
+          targetType: "inline"
-      script: |
+          script: |
-          git_vwannwc=$(git diff --name-only HEAD^ HEAD infra-as-code/bicep/modules/vnetPeeringVwan ':(exclude)*.md' ':(exclude)*.png')
+            git_vwannwc=$(git diff --name-only HEAD^ HEAD infra-as-code/bicep/modules/vnetPeeringVwan ':(exclude)*.md' ':(exclude)*.png')
-          echo "##vso[task.setvariable variable=gitVwanNwcOUTPUT]$git_vwannwc"
+            echo "##vso[task.setvariable variable=gitVwanNwcOUTPUT]$git_vwannwc"
 
-  - task: Bash@3
+      - task: Bash@3
-    displayName: Check for spokeNetworking Changes
+        displayName: Check for spokeNetworking Changes
-    name: git_spokenetworking_diff
+        name: git_spokenetworking_diff
-    inputs:
+        inputs:
-      targetType: 'inline'
+          targetType: "inline"
-      script: |
+          script: |
-        git_spoke=$(git diff --name-only HEAD^ HEAD infra-as-code/bicep/modules/spokeNetworking/spokeNetworking.bicep)
+            git_spoke=$(git diff --name-only HEAD^ HEAD infra-as-code/bicep/modules/spokeNetworking/spokeNetworking.bicep)
-        echo "gitSpokeOUTPUT=$git_spoke" >> $GITHUB_ENV
+            echo "gitSpokeOUTPUT=$git_spoke" >> $GITHUB_ENV
-        echo "##vso[task.setvariable variable=gitSpokeOUTPUT]$git_spoke"
+            echo "##vso[task.setvariable variable=gitSpokeOUTPUT]$git_spoke"
 
-  - task: Bash@3
+      - task: Bash@3
-    displayName: Login to Azure
+        displayName: Login to Azure
-    name: git_azlogin
+        name: git_azlogin
-    inputs:
+        inputs:
-      targetType: 'inline'
+          targetType: "inline"
-      script: |
+          script: |
-        az login --service-principal --username $(azclilogin) --password $(azclipwd) --tenant $(azclitenant)
+            az login --service-principal --username $(azclilogin) --password $(azclipwd) --tenant $(azclitenant)
 
-  - task: Bash@3
+      - task: Bash@3
-    displayName: Az CLI Create Subscription for PR
+        displayName: Az CLI Create Subscription for PR
-    name: create_subscription
+        name: create_subscription
-    condition: or(ne(variables['gitManagementOUTPUT'], ''), ne(variables['gitLoggingOUTPUT'], ''), ne(variables['gitSpokeOUTPUT'], ''), ne(variables['gitHubOUTPUT'], ''), ne(variables['gitVwanOUTPUT'], ''), ne(variables['gitVwanNwcOUTPUT'], ''), ne(variables['gitVnetPeerOUTPUT'], ''))
+        condition: or(ne(variables['gitManagementOUTPUT'], ''), ne(variables['gitLoggingOUTPUT'], ''), ne(variables['gitSpokeOUTPUT'], ''), ne(variables['gitHubOUTPUT'], ''), ne(variables['gitVwanOUTPUT'], ''), ne(variables['gitVwanNwcOUTPUT'], ''), ne(variables['gitVnetPeerOUTPUT'], ''))
-    inputs:
+        inputs:
-      targetType: 'inline'
+          targetType: "inline"
-      script: |
+          script: |
-        subid=$(az deployment tenant create --name "deploy-$(SubscriptionName)" --location $(Location) --template-file infra-as-code/bicep/CRML/subscriptionAlias/subscriptionAlias.bicep --parameters @infra-as-code/bicep/CRML/subscriptionAlias/parameters/subscriptionAlias.parameters.min.json --parameters parSubscriptionBillingScope=$(ALZ-AZURE-SECRET-EA-BILLING-ACCOUNT) parSubscriptionName=$(SubscriptionName) | jq .properties.outputs.outSubscriptionId.value | tr -d '"')
+            subid=$(az deployment tenant create --name "deploy-$(SubscriptionName)" --location $(Location) --template-file infra-as-code/bicep/CRML/subscriptionAlias/subscriptionAlias.bicep --parameters @infra-as-code/bicep/CRML/subscriptionAlias/parameters/subscriptionAlias.parameters.min.json --parameters parSubscriptionBillingScope=$(ALZ-AZURE-SECRET-EA-BILLING-ACCOUNT) parSubscriptionName=$(SubscriptionName) | jq .properties.outputs.outSubscriptionId.value | tr -d '"')
-        echo $subId
+            echo $subId
-        echo "##vso[task.setvariable variable=subscriptionId]$subid"
+            echo "##vso[task.setvariable variable=subscriptionId]$subid"
-        echo "##vso[task.setvariable variable=IsDeployed;isoutput=true]$subid"
+            echo "##vso[task.setvariable variable=IsDeployed;isoutput=true]$subid"
 
-  - task: Bash@3
+      - task: Bash@3
-    displayName: Az CLI Refresh subscription list
+        displayName: Az CLI Refresh subscription list
-    name: refresh_subscription
+        name: refresh_subscription
-    condition: and(or(ne(variables['gitManagementOUTPUT'], ''), ne(variables['gitLoggingOUTPUT'], ''), ne(variables['gitSpokeOUTPUT'], ''), ne(variables['gitHubOUTPUT'], ''), ne(variables['gitVwanOUTPUT'], ''), ne(variables['gitVwanNwcOUTPUT'], ''), ne(variables['gitVnetPeerOUTPUT'], '')), ne(variables['subscriptionId'], ''))
+        condition: and(or(ne(variables['gitManagementOUTPUT'], ''), ne(variables['gitLoggingOUTPUT'], ''), ne(variables['gitSpokeOUTPUT'], ''), ne(variables['gitHubOUTPUT'], ''), ne(variables['gitVwanOUTPUT'], ''), ne(variables['gitVwanNwcOUTPUT'], ''), ne(variables['gitVnetPeerOUTPUT'], '')), ne(variables['subscriptionId'], ''))
-    inputs:
+        inputs:
-      targetType: 'inline'
+          targetType: "inline"
-      script: |
+          script: |
-        az account list --refresh        
+            az account list --refresh
-        
-  - task: Bash@3    
-    displayName: Az CLI Create Resource Group for PR
-    name: create_rsg
-    condition: and(or(ne(variables['gitManagementOUTPUT'], ''), ne(variables['gitLoggingOUTPUT'], ''), ne(variables['gitSpokeOUTPUT'], ''), ne(variables['gitHubOUTPUT'], ''), ne(variables['gitVwanOUTPUT'], ''), ne(variables['gitVwanNwcOUTPUT'], ''), ne(variables['gitVnetPeerOUTPUT'], '')), ne(variables['subscriptionId'], ''))
-    inputs:
-      targetType: 'inline'
-      script: |
-        az account set --subscription $(subscriptionId)
-        if [ $(az group exists --name $(ResourceGroupName) ) == false ]; then
-            sleep 300
-        fi
-        az group create --name $(ResourceGroupName) --location $(Location)
 
-  - task: Bash@3     
+      - task: Bash@3
-    displayName: Az CLI Deploy Management Groups for PR
+        displayName: Az CLI Create Resource Group for PR
-    name: create_mgs
+        name: create_rsg
-    condition: and(or(ne(variables['gitManagementOUTPUT'], ''), ne(variables['gitLoggingOUTPUT'], ''), ne(variables['gitSpokeOUTPUT'], ''), ne(variables['gitHubOUTPUT'], ''), ne(variables['gitVwanOUTPUT'], ''), ne(variables['gitVwanNwcOUTPUT'], ''), ne(variables['gitVnetPeerOUTPUT'], '')), ne(variables['subscriptionId'], ''))
+        condition: and(or(ne(variables['gitManagementOUTPUT'], ''), ne(variables['gitLoggingOUTPUT'], ''), ne(variables['gitSpokeOUTPUT'], ''), ne(variables['gitHubOUTPUT'], ''), ne(variables['gitVwanOUTPUT'], ''), ne(variables['gitVwanNwcOUTPUT'], ''), ne(variables['gitVnetPeerOUTPUT'], '')), ne(variables['subscriptionId'], ''))
-    inputs:
+        inputs:
-      targetType: 'inline'
+          targetType: "inline"
-      script: |
+          script: |
-        az deployment tenant create --template-file infra-as-code/bicep/modules/managementGroups/managementGroups.bicep --parameters @infra-as-code/bicep/modules/managementGroups/parameters/managementGroups.parameters.min.json parTopLevelManagementGroupPrefix=$(ManagementGroupPrefix) --location $(Location)
+            az account set --subscription $(subscriptionId)
-  
+            if [ $(az group exists --name $(ResourceGroupName) ) == false ]; then
-  - task: Bash@3  
+                sleep 300
-    displayName: Az CLI Deploy Custom Role Definitions for PR
+            fi
-    name: create_rbac_roles
+            az group create --name $(ResourceGroupName) --location $(Location)
-    condition: and(ne(variables['gitManagementOUTPUT'], ''), ne(variables['subscriptionId'], ''))
-    inputs:
-      targetType: 'inline'
-      script: |
-        az deployment mg create --template-file infra-as-code/bicep/modules/customRoleDefinitions/customRoleDefinitions.bicep  --parameters @infra-as-code/bicep/modules/customRoleDefinitions/parameters/customRoleDefinitions.parameters.min.json parAssignableScopeManagementGroupId=$(ManagementGroupPrefix) --location $(Location) --management-group-id $(ManagementGroupPrefix)
-  
-  - task: Bash@3    
-    displayName: Az CLI Deploy Custom Policy Definitions for PR
-    name: create_policy_defs
-    condition: and(ne(variables['gitManagementOUTPUT'], ''), ne(variables['subscriptionId'], ''))
-    inputs:
-      targetType: 'inline'
-      script: |
-        az deployment mg create --template-file infra-as-code/bicep/modules/policy/definitions/customPolicyDefinitions.bicep  --parameters @infra-as-code/bicep/modules/policy/definitions/parameters/customPolicyDefinitions.parameters.min.json parTargetManagementGroupId=$(ManagementGroupPrefix) --location $(Location) --management-group-id $(ManagementGroupPrefix) 
-  
-  - task: Bash@3    
-    displayName: Az CLI Deploy Logging for PR
-    name: create_logging
-    condition: and(ne(variables['gitLoggingOUTPUT'], ''), ne(variables['subscriptionId'], ''))
-    inputs:
-      targetType: 'inline'
-      script: |
-        az deployment group create --resource-group $(ResourceGroupName) --template-file infra-as-code/bicep/modules/logging/logging.bicep --parameters @infra-as-code/bicep/modules/logging/parameters/logging.parameters.min.json
 
-  - task: Bash@3    
+      - task: Bash@3
-    displayName: Az CLI Subscription Placement for PR
+        displayName: Az CLI Register Resource Providers for PR
-    name: move_sub
+        name: register_providers
-    condition: and(or(ne(variables['gitManagementOUTPUT'], ''), ne(variables['gitLoggingOUTPUT'], ''), ne(variables['gitSpokeOUTPUT'], ''), ne(variables['gitHubOUTPUT'], ''), ne(variables['gitVwanOUTPUT'], ''), ne(variables['gitVwanNwcOUTPUT'], ''), ne(variables['gitVnetPeerOUTPUT'], '')), ne(variables['subscriptionId'], ''))
+        inputs:
-    inputs:
+          targetType: "inline"
-      targetType: 'inline'
+          script: |
-      script: |
+            az account set --subscription $(subscriptionId)
-        az deployment mg create --template-file infra-as-code/bicep/orchestration/subPlacementAll/subPlacementAll.bicep --parameters @infra-as-code/bicep/orchestration/subPlacementAll/parameters/subPlacementAll.parameters.min.json parTopLevelManagementGroupPrefix="$(ManagementGroupPrefix)" parPlatformConnectivityMgSubs='["$(subscriptionId)"]' --location $(Location) --management-group-id $(ManagementGroupPrefix)
+            az provider register -n 'Microsoft.Insights'
 
-  - task: AzurePowerShell@5
+      - task: Bash@3
-    displayName: Az PwSh alzDefaultPolicyAssignments for PR
+        displayName: Az CLI Deploy Management Groups for PR
-    name: alz_default_policy_assignments
+        name: create_mgs
-    condition: and(ne(variables['gitManagementOUTPUT'], ''), ne(variables['subscriptionId'], ''))
+        condition: and(or(ne(variables['gitManagementOUTPUT'], ''), ne(variables['gitLoggingOUTPUT'], ''), ne(variables['gitSpokeOUTPUT'], ''), ne(variables['gitHubOUTPUT'], ''), ne(variables['gitVwanOUTPUT'], ''), ne(variables['gitVwanNwcOUTPUT'], ''), ne(variables['gitVnetPeerOUTPUT'], '')), ne(variables['subscriptionId'], ''))
-    inputs:
+        inputs:
-      azureSubscription: 'azserviceconnection'
+          targetType: "inline"
-      ScriptType: 'FilePath'
+          script: |
-      ScriptPath: '.github/scripts/Set-AlzDefaultPolicyAssignment.ps1'
+            az deployment tenant create --template-file infra-as-code/bicep/modules/managementGroups/managementGroups.bicep --parameters @infra-as-code/bicep/modules/managementGroups/parameters/managementGroups.parameters.min.json parTopLevelManagementGroupPrefix=$(ManagementGroupPrefix) --location $(Location)
-      ScriptArguments: '-ManagementGroupId "$(ManagementGroupPrefix)-platform" -parLocation $(Location) -templateFile ./infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep -parameterFile .\infra-as-code\bicep\modules\policy\assignments\alzDefaults\parameters\alzDefaultPolicyAssignments.parameters.min.json -parTopLevelManagementGroupPrefix $(ManagementGroupPrefix) -parLogAnalyticsWorkSpaceAndAutomationAccountLocation $(Location) -parLogAnalyticsWorkspaceResourceId "/subscriptions/$(subscriptionId)/resourceGroups/$(ResourceGroupName)/providers/Microsoft.OperationalInsights/workspaces/alz-log-analytics" -parDdosProtectionPlanId "/subscriptions/$(subscriptionId)/resourceGroups/$(ResourceGroupName)/providers/Microsoft.Network/ddosProtectionPlans/alz-ddos-plan"'
-      azurePowerShellVersion: 'LatestVersion'
-      pwsh: true
 
-  - task: Bash@3    
+      - task: Bash@3
-    displayName: Az CLI Deploy Hub Networking for PR
+        displayName: Az CLI Deploy Custom Role Definitions for PR
-    name: create_hub_network
+        name: create_rbac_roles
-    condition: and(or(ne(variables['gitHubOUTPUT'], ''), ne(variables['gitVnetPeerOUTPUT'], '')), ne(variables['subscriptionId'], ''))
+        condition: and(ne(variables['gitManagementOUTPUT'], ''), ne(variables['subscriptionId'], ''))
-    inputs:
+        inputs:
-      targetType: 'inline'
+          targetType: "inline"
-      script: |
+          script: |
-        az deployment group create --resource-group $(ResourceGroupName) --template-file infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep --parameters @infra-as-code/bicep/modules/hubNetworking/parameters/hubNetworking.parameters.min.json
+            az deployment mg create --template-file infra-as-code/bicep/modules/customRoleDefinitions/customRoleDefinitions.bicep  --parameters @infra-as-code/bicep/modules/customRoleDefinitions/parameters/customRoleDefinitions.parameters.min.json parAssignableScopeManagementGroupId=$(ManagementGroupPrefix) --location $(Location) --management-group-id $(ManagementGroupPrefix)
 
-  - task: Bash@3    
+      - task: Bash@3
-    displayName: Az CLI Deploy Spoke Networking for PR
+        displayName: Az CLI Deploy Custom Policy Definitions for PR
-    name: create_spoke_network
+        name: create_policy_defs
-    condition: and(or(ne(variables['gitSpokeOUTPUT'], ''), ne(variables['gitVwanNwcOUTPUT'], ''), ne(variables['gitVwanOUTPUT'], ''), ne(variables['gitVnetPeerOUTPUT'], '')), ne(variables['subscriptionId'], ''))
+        condition: and(ne(variables['gitManagementOUTPUT'], ''), ne(variables['subscriptionId'], ''))
-    inputs:
+        inputs:
-      targetType: 'inline'
+          targetType: "inline"
-      script: |
+          script: |
-        az deployment group create --resource-group $(ResourceGroupName) --template-file infra-as-code/bicep/modules/spokeNetworking/spokeNetworking.bicep --parameters @infra-as-code/bicep/modules/spokeNetworking/parameters/spokeNetworking.parameters.min.json
+            az deployment mg create --template-file infra-as-code/bicep/modules/policy/definitions/customPolicyDefinitions.bicep  --parameters @infra-as-code/bicep/modules/policy/definitions/parameters/customPolicyDefinitions.parameters.min.json parTargetManagementGroupId=$(ManagementGroupPrefix) --location $(Location) --management-group-id $(ManagementGroupPrefix)
-  
-  - task: Bash@3    
-    displayName: Az CLI Deploy vWan Networking for PR
-    name: create_vwan_network
-    condition: and(or(ne(variables['gitVwanOUTPUT'], ''), ne(variables['gitVwanNwcOUTPUT'], '')), ne(variables['subscriptionId'], ''))
-    inputs:
-      targetType: 'inline'
-      script: |
-        az deployment group create --resource-group $(ResourceGroupName) --template-file infra-as-code/bicep/modules/vwanConnectivity/vwanConnectivity.bicep --parameters @infra-as-code/bicep/modules/vwanConnectivity/parameters/vwanConnectivity.parameters.min.json parVirtualNetworkIdToLink="/subscriptions/$(subscriptionId)/resourceGroups/$(ResourceGroupName)/providers/Microsoft.Network/virtualNetworks/vnet-spoke"
 
-  - task: Bash@3    
+      - task: Bash@3
-    displayName: Az CLI Deploy vWan Network connection for PR
+        displayName: Az CLI Deploy Logging for PR
-    name: create_vwan_network_connection
+        name: create_logging
-    condition: and(ne(variables['gitVwanNwcOUTPUT'], ''), ne(variables['subscriptionId'], ''))
+        condition: and(ne(variables['gitLoggingOUTPUT'], ''), ne(variables['subscriptionId'], ''))
-    inputs:
+        inputs:
-      targetType: 'inline'
+          targetType: "inline"
-      script: |
+          script: |
-        az deployment sub create --location $(Location) --template-file infra-as-code/bicep/modules/vnetPeeringVwan/vnetPeeringVwan.bicep --parameters @infra-as-code/bicep/modules/vnetPeeringVwan/parameters/vnetPeeringVwan.parameters.min.json parVirtualWanHubResourceId="/subscriptions/$(subscriptionId)/resourceGroups/$(ResourceGroupName)/providers/Microsoft.Network/virtualHubs/alz-vhub-$(Location)" parRemoteVirtualNetworkResourceId="/subscriptions/$(subscriptionId)/resourceGroups/$(ResourceGroupName)/providers/Microsoft.Network/virtualNetworks/vnet-spoke"
+            az deployment group create --resource-group $(ResourceGroupName) --template-file infra-as-code/bicep/modules/logging/logging.bicep --parameters @infra-as-code/bicep/modules/logging/parameters/logging.parameters.min.json
 
-  - task: Bash@3    
+      - task: Bash@3
-    displayName: Az CLI Deploy vNet Peer for PR spoke to hub
+        displayName: Az CLI Deploy mgDiagSettingsAll for PR
-    name: create_vnet_peer_spoke_2_hub
+        name: create_mgDiagSettingsAll
-    condition: and(ne(variables['gitVnetPeerOUTPUT'], ''), ne(variables['subscriptionId'], ''))
+        condition: and(ne(variables['gitLoggingOUTPUT'], ''), ne(variables['subscriptionId'], ''))
-    inputs:
+        inputs:
-      targetType: 'inline'
+          targetType: "inline"
-      script: |
+          script: |
-        az deployment group create --resource-group $(ResourceGroupName) --template-file infra-as-code/bicep/modules/vnetPeering/vnetPeering.bicep --parameters @infra-as-code/bicep/modules/vnetPeering/parameters/vnetPeering.parameters.min.json parDestinationVirtualNetworkId="/subscriptions/$(subscriptionId)/resourceGroups/$(ResourceGroupName)/providers/Microsoft.Network/virtualNetworks/alz-hub-$(Location)"
+            az deployment tenant create --template-file infra-as-code/bicep/orchestration/mgDiagSettingsAll/mgDiagSettingsAll.bicep --parameters @infra-as-code/bicep/orchestration/mgDiagSettingsAll/parameters/mgDiagSettingsAll.parameters.min.json parTopLevelManagementGroupPrefix="$(ManagementGroupPrefix)" parLogAnalyticsWorkspaceResourceId="/subscriptions/$(subscriptionId)/resourceGroups/$(ResourceGroupName)/providers/Microsoft.OperationalInsights/workspaces/alz-log-analytics" --location $(Location)
 
-  - task: Bash@3    
+      - task: Bash@3
-    displayName: Az CLI Deploy vNet Peer for PR hub to spoke
+        displayName: Az CLI Subscription Placement for PR
-    name: create_vnet_peer_hub_2_spoke
+        name: move_sub
-    condition: and(ne(variables['gitVnetPeerOUTPUT'], ''), ne(variables['subscriptionId'], ''))
+        condition: and(or(ne(variables['gitManagementOUTPUT'], ''), ne(variables['gitLoggingOUTPUT'], ''), ne(variables['gitSpokeOUTPUT'], ''), ne(variables['gitHubOUTPUT'], ''), ne(variables['gitVwanOUTPUT'], ''), ne(variables['gitVwanNwcOUTPUT'], ''), ne(variables['gitVnetPeerOUTPUT'], '')), ne(variables['subscriptionId'], ''))
-    inputs:
+        inputs:
-      targetType: 'inline'
+          targetType: "inline"
-      script: |
+          script: |
-        az deployment group create --resource-group $(ResourceGroupName) --template-file infra-as-code/bicep/modules/vnetPeering/vnetPeering.bicep --parameters @infra-as-code/bicep/modules/vnetPeering/parameters/vnetPeering.parameters.min.json parDestinationVirtualNetworkId="/subscriptions/$(subscriptionId)/resourceGroups/$(ResourceGroupName)/providers/Microsoft.Network/virtualNetworks/vnet-spoke" parSourceVirtualNetworkName="alz-hub-$(Location)" parDestinationVirtualNetworkName="vnet-spoke"
+            az deployment mg create --template-file infra-as-code/bicep/orchestration/subPlacementAll/subPlacementAll.bicep --parameters @infra-as-code/bicep/orchestration/subPlacementAll/parameters/subPlacementAll.parameters.min.json parTopLevelManagementGroupPrefix="$(ManagementGroupPrefix)" parPlatformConnectivityMgSubs='["$(subscriptionId)"]' --location $(Location) --management-group-id $(ManagementGroupPrefix)
 
-  # Verify that WhatIf does not find differences between code and environment thats just been deployed
+      - task: AzurePowerShell@5
-  - task: Bash@3     
+        displayName: Az PwSh alzDefaultPolicyAssignments for PR
-    displayName: Az CLI After Deployment What-If Management Groups for PR
+        name: alz_default_policy_assignments
-    name: whatif_mgs
+        condition: and(ne(variables['gitManagementOUTPUT'], ''), ne(variables['subscriptionId'], ''))
-    condition: and(or(ne(variables['gitManagementOUTPUT'], ''), ne(variables['gitLoggingOUTPUT'], ''), ne(variables['gitSpokeOUTPUT'], ''), ne(variables['gitHubOUTPUT'], ''), ne(variables['gitVwanOUTPUT'], ''), ne(variables['gitVwanNwcOUTPUT'], ''), ne(variables['gitVnetPeerOUTPUT'], '')), ne(variables['subscriptionId'], ''))
+        inputs:
-    inputs:
+          azureSubscription: "azserviceconnection"
-      targetType: 'inline'
+          ScriptType: "FilePath"
-      script: |
+          ScriptPath: ".github/scripts/Set-AlzDefaultPolicyAssignment.ps1"
-        result=$(az deployment tenant what-if --template-file infra-as-code/bicep/modules/managementGroups/managementGroups.bicep --parameters @infra-as-code/bicep/modules/managementGroups/parameters/managementGroups.parameters.min.json parTopLevelManagementGroupPrefix=$(ManagementGroupPrefix) --location $(Location) --exclude-change-types Ignore NoChange --only-show-errors)
+          ScriptArguments: '-ManagementGroupId "$(ManagementGroupPrefix)-platform" -parLocation $(Location) -templateFile ./infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep -parameterFile .\infra-as-code\bicep\modules\policy\assignments\alzDefaults\parameters\alzDefaultPolicyAssignments.parameters.min.json -parTopLevelManagementGroupPrefix $(ManagementGroupPrefix) -parLogAnalyticsWorkSpaceAndAutomationAccountLocation $(Location) -parLogAnalyticsWorkspaceResourceId "/subscriptions/$(subscriptionId)/resourceGroups/$(ResourceGroupName)/providers/Microsoft.OperationalInsights/workspaces/alz-log-analytics" -parDdosProtectionPlanId "/subscriptions/$(subscriptionId)/resourceGroups/$(ResourceGroupName)/providers/Microsoft.Network/ddosProtectionPlans/alz-ddos-plan"'
-        if [[ $result != *'Resource changes: no change.'* ]]
+          azurePowerShellVersion: "LatestVersion"
-        then
+          pwsh: true
-          echo "##vso[task.logissue type=error]WhatIf reports difference between code and environment thats just been deployed"
-          echo "$result"
-          exit 1
-        fi
 
-- job: bicep_cleanup
+      - task: Bash@3
-  dependsOn: bicep_deploy
+        displayName: Az CLI Deploy Hub Networking for PR
-  variables:
+        name: create_hub_network
-    isDeployed: $[ dependencies.bicep_deploy.outputs['create_subscription.IsDeployed'] ]  
+        condition: and(or(ne(variables['gitHubOUTPUT'], ''), ne(variables['gitVnetPeerOUTPUT'], '')), ne(variables['subscriptionId'], ''))
-  displayName: Cleanup Bicep Deployment for PR
+        inputs:
-  pool: 
+          targetType: "inline"
-    vmImage: ubuntu-latest
+          script: |
-  steps:
+            az deployment group create --resource-group $(ResourceGroupName) --template-file infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep --parameters @infra-as-code/bicep/modules/hubNetworking/parameters/hubNetworking.parameters.min.json
-  - task: AzurePowerShell@5
-    displayName: Az CLI Remove/Cleanup Deployment
-    condition: ne(variables['isDeployed'], '')
-    inputs:
-      azureSubscription: 'azserviceconnection'
-      ScriptType: 'FilePath'
-      ScriptPath: '.github/scripts/Wipe-AlzTenant.ps1'
-      ScriptArguments: '-tenantRootGroupID $(azclitenant) -intermediateRootGroupID "$(ManagementGroupPrefix)" -subscriptionName "$(SubscriptionName)"'
-      azurePowerShellVersion: 'LatestVersion'
-      pwsh: true
 
+      - task: Bash@3
+        displayName: Az CLI Deploy Spoke Networking for PR
+        name: create_spoke_network
+        condition: and(or(ne(variables['gitSpokeOUTPUT'], ''), ne(variables['gitVwanNwcOUTPUT'], ''), ne(variables['gitVwanOUTPUT'], ''), ne(variables['gitVnetPeerOUTPUT'], '')), ne(variables['subscriptionId'], ''))
+        inputs:
+          targetType: "inline"
+          script: |
+            az deployment group create --resource-group $(ResourceGroupName) --template-file infra-as-code/bicep/modules/spokeNetworking/spokeNetworking.bicep --parameters @infra-as-code/bicep/modules/spokeNetworking/parameters/spokeNetworking.parameters.min.json
+
+      - task: Bash@3
+        displayName: Az CLI Deploy vWan Networking for PR
+        name: create_vwan_network
+        condition: and(or(ne(variables['gitVwanOUTPUT'], ''), ne(variables['gitVwanNwcOUTPUT'], '')), ne(variables['subscriptionId'], ''))
+        inputs:
+          targetType: "inline"
+          script: |
+            az deployment group create --resource-group $(ResourceGroupName) --template-file infra-as-code/bicep/modules/vwanConnectivity/vwanConnectivity.bicep --parameters @infra-as-code/bicep/modules/vwanConnectivity/parameters/vwanConnectivity.parameters.min.json parVirtualNetworkIdToLink="/subscriptions/$(subscriptionId)/resourceGroups/$(ResourceGroupName)/providers/Microsoft.Network/virtualNetworks/vnet-spoke"
+
+      - task: Bash@3
+        displayName: Az CLI Deploy vWan Network connection for PR
+        name: create_vwan_network_connection
+        condition: and(ne(variables['gitVwanNwcOUTPUT'], ''), ne(variables['subscriptionId'], ''))
+        inputs:
+          targetType: "inline"
+          script: |
+            az deployment sub create --location $(Location) --template-file infra-as-code/bicep/modules/vnetPeeringVwan/vnetPeeringVwan.bicep --parameters @infra-as-code/bicep/modules/vnetPeeringVwan/parameters/vnetPeeringVwan.parameters.min.json parVirtualWanHubResourceId="/subscriptions/$(subscriptionId)/resourceGroups/$(ResourceGroupName)/providers/Microsoft.Network/virtualHubs/alz-vhub-$(Location)" parRemoteVirtualNetworkResourceId="/subscriptions/$(subscriptionId)/resourceGroups/$(ResourceGroupName)/providers/Microsoft.Network/virtualNetworks/vnet-spoke"
+
+      - task: Bash@3
+        displayName: Az CLI Deploy vNet Peer for PR spoke to hub
+        name: create_vnet_peer_spoke_2_hub
+        condition: and(ne(variables['gitVnetPeerOUTPUT'], ''), ne(variables['subscriptionId'], ''))
+        inputs:
+          targetType: "inline"
+          script: |
+            az deployment group create --resource-group $(ResourceGroupName) --template-file infra-as-code/bicep/modules/vnetPeering/vnetPeering.bicep --parameters @infra-as-code/bicep/modules/vnetPeering/parameters/vnetPeering.parameters.min.json parDestinationVirtualNetworkId="/subscriptions/$(subscriptionId)/resourceGroups/$(ResourceGroupName)/providers/Microsoft.Network/virtualNetworks/alz-hub-$(Location)"
+
+      - task: Bash@3
+        displayName: Az CLI Deploy vNet Peer for PR hub to spoke
+        name: create_vnet_peer_hub_2_spoke
+        condition: and(ne(variables['gitVnetPeerOUTPUT'], ''), ne(variables['subscriptionId'], ''))
+        inputs:
+          targetType: "inline"
+          script: |
+            az deployment group create --resource-group $(ResourceGroupName) --template-file infra-as-code/bicep/modules/vnetPeering/vnetPeering.bicep --parameters @infra-as-code/bicep/modules/vnetPeering/parameters/vnetPeering.parameters.min.json parDestinationVirtualNetworkId="/subscriptions/$(subscriptionId)/resourceGroups/$(ResourceGroupName)/providers/Microsoft.Network/virtualNetworks/vnet-spoke" parSourceVirtualNetworkName="alz-hub-$(Location)" parDestinationVirtualNetworkName="vnet-spoke"
+
+      # Verify that WhatIf does not find differences between code and environment thats just been deployed
+      - task: Bash@3
+        displayName: Az CLI After Deployment What-If Management Groups for PR
+        name: whatif_mgs
+        condition: and(or(ne(variables['gitManagementOUTPUT'], ''), ne(variables['gitLoggingOUTPUT'], ''), ne(variables['gitSpokeOUTPUT'], ''), ne(variables['gitHubOUTPUT'], ''), ne(variables['gitVwanOUTPUT'], ''), ne(variables['gitVwanNwcOUTPUT'], ''), ne(variables['gitVnetPeerOUTPUT'], '')), ne(variables['subscriptionId'], ''))
+        inputs:
+          targetType: "inline"
+          script: |
+            result=$(az deployment tenant what-if --template-file infra-as-code/bicep/modules/managementGroups/managementGroups.bicep --parameters @infra-as-code/bicep/modules/managementGroups/parameters/managementGroups.parameters.min.json parTopLevelManagementGroupPrefix=$(ManagementGroupPrefix) --location $(Location) --exclude-change-types Ignore NoChange --only-show-errors)
+            if [[ $result != *'Resource changes: no change.'* ]]
+            then
+              echo "##vso[task.logissue type=error]WhatIf reports difference between code and environment thats just been deployed"
+              echo "$result"
+              exit 1
+            fi
+
+  - job: bicep_cleanup
+    dependsOn: bicep_deploy
+    variables:
+      isDeployed: $[ dependencies.bicep_deploy.outputs['create_subscription.IsDeployed'] ]
+    displayName: Cleanup Bicep Deployment for PR
+    pool:
+      vmImage: ubuntu-latest
+    steps:
+      - task: AzurePowerShell@5
+        displayName: Az CLI Remove/Cleanup Deployment
+        condition: ne(variables['isDeployed'], '')
+        inputs:
+          azureSubscription: "azserviceconnection"
+          ScriptType: "FilePath"
+          ScriptPath: ".github/scripts/Wipe-AlzTenant.ps1"
+          ScriptArguments: '-tenantRootGroupID $(azclitenant) -intermediateRootGroupID "$(ManagementGroupPrefix)" -subscriptionName "$(SubscriptionName)"'
+          azurePowerShellVersion: "LatestVersion"
+          pwsh: true

tests/pipelines/mc-base-unit-validate.yml

@@ -10,199 +10,215 @@ variables:
     value: "PR-$(System.PullRequest.PullRequestNumber)"
   - name: TopLevelManagementGroupDisplayName
     value: "PR $(System.PullRequest.PullRequestNumber) Azure Landing Zones"
- 
+
 jobs:
-- job: bicep_validate
+  - job: bicep_validate
-  displayName: Validate Bicep Files for PR
+    displayName: Validate Bicep Files for PR
-  pool: 
+    pool:
-    vmImage: ubuntu-latest
+      vmImage: ubuntu-latest
-  steps:
+    steps:
-  - task: Bash@3
+      - task: Bash@3
-    displayName: Login to Azure
+        displayName: Login to Azure
-    name: git_azlogin
+        name: git_azlogin
-    inputs:
+        inputs:
-      targetType: 'inline'
+          targetType: "inline"
-      script: |
+          script: |
-        az cloud set --name AzureChinaCloud
+            az cloud set --name AzureChinaCloud
-        az login --service-principal --username $(azclilogin) --password $(azclipwd) --tenant $(azclitenant)
+            az login --service-principal --username $(azclilogin) --password $(azclipwd) --tenant $(azclitenant)
 
-  - task: Bash@3    
+      - task: Bash@3
-    displayName: Az CLI Create Resource Group for PR
+        displayName: Az CLI Create Resource Group for PR
-    name: create_rsg
+        name: create_rsg
-    inputs:
+        inputs:
-      targetType: 'inline'
+          targetType: "inline"
-      script: |
+          script: |
-        az account set --subscription $(subscriptionId)
+            az account set --subscription $(subscriptionId)
-        #if [ $(az group exists --name $(ResourceGroupName) ) == false ]; then
+            #if [ $(az group exists --name $(ResourceGroupName) ) == false ]; then
-        #    sleep 300
+            #    sleep 300
-        #fi
+            #fi
-        az deployment sub create --name "deploy-$(ResourceGroupName)" --template-file infra-as-code/bicep/modules/resourceGroup/resourceGroup.bicep --location $(Location) --parameters parLocation=$(Location) parResourceGroupName=$(ResourceGroupName)
+            az deployment sub create --name "deploy-$(ResourceGroupName)" --template-file infra-as-code/bicep/modules/resourceGroup/resourceGroup.bicep --location $(Location) --parameters parLocation=$(Location) parResourceGroupName=$(ResourceGroupName)
-        
-  - task: Bash@3     
-    displayName: Az CLI Deploy Management Groups for PR
-    name: create_mgs
-    inputs:
-      targetType: 'inline'
-      script: |
-        az deployment tenant create --template-file infra-as-code/bicep/modules/managementGroups/managementGroups.bicep --parameters @infra-as-code/bicep/modules/managementGroups/parameters/managementGroups.parameters.all.json parTopLevelManagementGroupPrefix=$(ManagementGroupPrefix) --location $(Location) --name $(ManagementGroupPrefix)
-  
-  - task: Bash@3  
-    displayName: Az CLI Validate Custom Role Definitions for PR
-    name: validate_rbac_roles
-    inputs:
-      targetType: 'inline'
-      script: |
-        az deployment mg validate --template-file infra-as-code/bicep/modules/customRoleDefinitions/customRoleDefinitions.bicep --parameters @infra-as-code/bicep/modules/customRoleDefinitions/parameters/customRoleDefinitions.parameters.all.json parAssignableScopeManagementGroupId=$(ManagementGroupPrefix) --location $(Location) --management-group-id $(ManagementGroupPrefix) --name $(ManagementGroupPrefix)
-  
-  - task: Bash@3    
-    displayName: Az CLI Validate Custom Policy Definitions for PR
-    name: validate_policy_defs
-    inputs:
-      targetType: 'inline'
-      script: |
-        az deployment mg validate --template-file infra-as-code/bicep/modules/policy/definitions/mc-customPolicyDefinitions.bicep --parameters @infra-as-code/bicep/modules/policy/definitions/parameters/customPolicyDefinitions.parameters.all.json parTargetManagementGroupId=$(ManagementGroupPrefix) --location $(Location) --management-group-id $(ManagementGroupPrefix) --name $(ManagementGroupPrefix)
-  
-  - task: Bash@3    
-    displayName: Az CLI Validate Logging for PR
-    name: validate_logging
-    inputs:
-      targetType: 'inline'
-      script: |
-        az deployment group validate --resource-group $(ResourceGroupName) --template-file infra-as-code/bicep/modules/logging/logging.bicep --parameters @infra-as-code/bicep/modules/logging/parameters/mc-logging.parameters.all.json --name $(ManagementGroupPrefix)
 
-  - task: Bash@3    
+      - task: Bash@3
-    displayName: Az CLI Validate Subscription Placement for PR
+        displayName: Az CLI Register Resource Providers for PR
-    name: move_sub
+        name: register_providers
-    inputs:
+        inputs:
-      targetType: 'inline'
+          targetType: "inline"
-      script: |
+          script: |
-        az deployment mg validate --template-file infra-as-code/bicep/modules/subscriptionPlacement/subscriptionPlacement.bicep --parameters @infra-as-code/bicep/modules/subscriptionPlacement/parameters/subscriptionPlacement.parameters.all.json parTargetManagementGroupId=$(ManagementGroupPrefix)-platform-connectivity parSubscriptionIds='["$(subscriptionId)"]' --location $(Location) --management-group-id $(ManagementGroupPrefix) --name $(ManagementGroupPrefix)
+            az account set --subscription $(subscriptionId)
+            az provider register -n 'Microsoft.Insights'
 
-  - task: Bash@3    
+      - task: Bash@3
-    displayName: Az CLI Validate Alz Default policy assignments
+        displayName: Az CLI Deploy Management Groups for PR
-    name: validate_alz_default_policy_assign
+        name: create_mgs
-    inputs:
+        inputs:
-      targetType: 'inline'
+          targetType: "inline"
-      script: |
+          script: |
-        az deployment mg validate --template-file infra-as-code/bicep/modules/policy/assignments/alzDefaults/mc-alzDefaultPolicyAssignments.bicep --parameters @infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.all.json parTopLevelManagementGroupPrefix=$(ManagementGroupPrefix) --location $(Location) --management-group-id $(ManagementGroupPrefix) --name $(ManagementGroupPrefix)
+            az deployment tenant create --template-file infra-as-code/bicep/modules/managementGroups/managementGroups.bicep --parameters @infra-as-code/bicep/modules/managementGroups/parameters/managementGroups.parameters.all.json parTopLevelManagementGroupPrefix=$(ManagementGroupPrefix) --location $(Location) --name $(ManagementGroupPrefix)
 
-  - task: Bash@3    
+      - task: Bash@3
-    displayName: Az CLI Validate Hub Networking for PR
+        displayName: Az CLI Validate Custom Role Definitions for PR
-    name: validate_hub_network
+        name: validate_rbac_roles
-    inputs:
+        inputs:
-      targetType: 'inline'
+          targetType: "inline"
-      script: |
+          script: |
-        az deployment group validate --resource-group $(ResourceGroupName) --template-file infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep --parameters @infra-as-code/bicep/modules/hubNetworking/parameters/mc-hubNetworking.parameters.all.json --name $(ManagementGroupPrefix)
+            az deployment mg validate --template-file infra-as-code/bicep/modules/customRoleDefinitions/customRoleDefinitions.bicep --parameters @infra-as-code/bicep/modules/customRoleDefinitions/parameters/customRoleDefinitions.parameters.all.json parAssignableScopeManagementGroupId=$(ManagementGroupPrefix) --location $(Location) --management-group-id $(ManagementGroupPrefix) --name $(ManagementGroupPrefix)
 
-  - task: Bash@3    
+      - task: Bash@3
-    displayName: Az CLI Validate vWan Networking for PR
+        displayName: Az CLI Validate Custom Policy Definitions for PR
-    name: validate_vwan_network
+        name: validate_policy_defs
-    inputs:
+        inputs:
-      targetType: 'inline'
+          targetType: "inline"
-      script: |
+          script: |
-        az deployment group validate --resource-group $(ResourceGroupName) --template-file infra-as-code/bicep/modules/vwanConnectivity/vwanConnectivity.bicep --parameters @infra-as-code/bicep/modules/vwanConnectivity/parameters/mc-vwanConnectivity.parameters.all.json --name $(ManagementGroupPrefix)
+            az deployment mg validate --template-file infra-as-code/bicep/modules/policy/definitions/mc-customPolicyDefinitions.bicep --parameters @infra-as-code/bicep/modules/policy/definitions/parameters/customPolicyDefinitions.parameters.all.json parTargetManagementGroupId=$(ManagementGroupPrefix) --location $(Location) --management-group-id $(ManagementGroupPrefix) --name $(ManagementGroupPrefix)
 
-  - task: Bash@3              
+      - task: Bash@3
-    displayName: Az CLI Validate Spoke Networking for PR
+        displayName: Az CLI Create Logging for PR
-    name: validate_spoke_network
+        name: create_logging
-    inputs:
+        inputs:
-      targetType: 'inline'
+          targetType: "inline"
-      script: |
+          script: |
-        az deployment group validate --resource-group $(ResourceGroupName) --template-file infra-as-code/bicep/modules/spokeNetworking/spokeNetworking.bicep --name $(ManagementGroupPrefix)
+            az deployment group create --resource-group $(ResourceGroupName) --template-file infra-as-code/bicep/modules/logging/logging.bicep --parameters @infra-as-code/bicep/modules/logging/parameters/mc-logging.parameters.all.json --name $(ManagementGroupPrefix)
 
-  - task: Bash@3    
+      - task: Bash@3
-    displayName: Az CLI Validate vWan Network connection for PR
+        displayName: Az CLI Validate mgDiagSettingsAll for PR
-    name: validate_vwan_network_connection
+        name: create_mgDiagSettingsAll
-    inputs:
+        inputs:
-      targetType: 'inline'
+          targetType: "inline"
-      script: |
+          script: |
-        az deployment sub validate --location $(Location) --template-file infra-as-code/bicep/modules/vnetPeeringVwan/vnetPeeringVwan.bicep --parameters @infra-as-code/bicep/modules/vnetPeeringVwan/parameters/vnetPeeringVwan.parameters.all.json parVirtualWanHubResourceId="/subscriptions/$(subscriptionId)/resourceGroups/$(ResourceGroupName)/providers/Microsoft.Network/virtualHubs/alz-vhub-$(Location)"  parRemoteVirtualNetworkResourceId="/subscriptions/$(subscriptionId)/resourceGroups/$(ResourceGroupName)/providers/Microsoft.Network/virtualNetworks/vnet-spoke" --name $(ManagementGroupPrefix)
+            az deployment tenant validate --template-file infra-as-code/bicep/orchestration/mgDiagSettingsAll/mgDiagSettingsAll.bicep --parameters @infra-as-code/bicep/orchestration/mgDiagSettingsAll/parameters/mgDiagSettingsAll.parameters.min.json parTopLevelManagementGroupPrefix="$(ManagementGroupPrefix)" parLogAnalyticsWorkspaceResourceId="/subscriptions/$(subscriptionId)/resourceGroups/$(ResourceGroupName)/providers/Microsoft.OperationalInsights/workspaces/alz-log-analytics" --location $(Location)
 
-  - task: Bash@3    
+      - task: Bash@3
-    displayName: Az CLI Validate vNet Peer for PR
+        displayName: Az CLI Validate Subscription Placement for PR
-    name: validate_vnet_peer_spoke_2_hub
+        name: move_sub
-    inputs:
+        inputs:
-      targetType: 'inline'
+          targetType: "inline"
-      script: |
+          script: |
-        az deployment group validate --resource-group $(ResourceGroupName) --template-file infra-as-code/bicep/modules/vnetPeering/vnetPeering.bicep --parameters parDestinationVirtualNetworkId="/subscriptions/$(subscriptionId)/resourceGroups/$(ResourceGroupName)/providers/Microsoft.Network/virtualNetworks/alz-hub-eastus"  parSourceVirtualNetworkName="vnet-spoke" parDestinationVirtualNetworkName="alz-hub-eastus" --name $(ManagementGroupPrefix)
+            az deployment mg validate --template-file infra-as-code/bicep/modules/subscriptionPlacement/subscriptionPlacement.bicep --parameters @infra-as-code/bicep/modules/subscriptionPlacement/parameters/subscriptionPlacement.parameters.all.json parTargetManagementGroupId=$(ManagementGroupPrefix)-platform-connectivity parSubscriptionIds='["$(subscriptionId)"]' --location $(Location) --management-group-id $(ManagementGroupPrefix) --name $(ManagementGroupPrefix)
 
-  - task: Bash@3    
+      - task: Bash@3
-    displayName: Az CLI Validate Private DNS Zones
+        displayName: Az CLI Validate Alz Default policy assignments
-    name: validate_private_dns
+        name: validate_alz_default_policy_assign
-    inputs:
+        inputs:
-      targetType: 'inline'
+          targetType: "inline"
-      script: |
+          script: |
-        az deployment group validate --resource-group $(ResourceGroupName) --template-file infra-as-code/bicep/modules/privateDnsZones/privateDnsZones.bicep --parameters @infra-as-code/bicep/modules/privateDnsZones/parameters/mc-privateDnsZones.parameters.all.json --name $(ManagementGroupPrefix)
+            az deployment mg validate --template-file infra-as-code/bicep/modules/policy/assignments/alzDefaults/mc-alzDefaultPolicyAssignments.bicep --parameters @infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.all.json parTopLevelManagementGroupPrefix=$(ManagementGroupPrefix) --location $(Location) --management-group-id $(ManagementGroupPrefix) --name $(ManagementGroupPrefix)
 
-  - task: Bash@3    
+      - task: Bash@3
-    displayName: Az CLI Validate Public IP
+        displayName: Az CLI Validate Hub Networking for PR
-    name: validate_public_ip
+        name: validate_hub_network
-    inputs:
+        inputs:
-      targetType: 'inline'
+          targetType: "inline"
-      script: |
+          script: |
-        az deployment group validate --resource-group $(ResourceGroupName) --template-file infra-as-code/bicep/modules/publicIp/publicIp.bicep --parameters @infra-as-code/bicep/modules/publicIp/parameters/publicIp.parameters.min.json --name $(ManagementGroupPrefix)
+            az deployment group validate --resource-group $(ResourceGroupName) --template-file infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep --parameters @infra-as-code/bicep/modules/hubNetworking/parameters/mc-hubNetworking.parameters.all.json --name $(ManagementGroupPrefix)
 
-  - task: Bash@3    
+      - task: Bash@3
-    displayName: Az CLI Validate Role Assignment to single Management Group
+        displayName: Az CLI Validate vWan Networking for PR
-    name: validate_role_assign_single_mg
+        name: validate_vwan_network
-    inputs:
+        inputs:
-      targetType: 'inline'
+          targetType: "inline"
-      script: |
+          script: |
-        az deployment mg validate --template-file infra-as-code/bicep/modules/roleAssignments/roleAssignmentManagementGroup.bicep --parameters @infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroup.managedIdentity.parameters.all.json --location $(Location) --management-group-id $(ManagementGroupPrefix) --name $(ManagementGroupPrefix)
+            az deployment group validate --resource-group $(ResourceGroupName) --template-file infra-as-code/bicep/modules/vwanConnectivity/vwanConnectivity.bicep --parameters @infra-as-code/bicep/modules/vwanConnectivity/parameters/mc-vwanConnectivity.parameters.all.json --name $(ManagementGroupPrefix)
 
-  - task: Bash@3    
+      - task: Bash@3
-    displayName: Az CLI Validate Role Assignment to multiple Management Groups
+        displayName: Az CLI Validate Spoke Networking for PR
-    name: validate_role_assign_multiple_mg
+        name: validate_spoke_network
-    inputs:
+        inputs:
-      targetType: 'inline'
+          targetType: "inline"
-      script: |
+          script: |
-        az deployment mg validate --template-file infra-as-code/bicep/modules/roleAssignments/roleAssignmentManagementGroupMany.bicep --parameters @infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroupMany.managedIdentity.parameters.all.json parManagementGroupIds='("$(ManagementGroupPrefix)-landingzones", "$(ManagementGroupPrefix)-platform")' --location $(Location) --management-group-id $(ManagementGroupPrefix) --name $(ManagementGroupPrefix)
+            az deployment group validate --resource-group $(ResourceGroupName) --template-file infra-as-code/bicep/modules/spokeNetworking/spokeNetworking.bicep --name $(ManagementGroupPrefix)
 
-  - task: Bash@3    
+      - task: Bash@3
-    displayName: Az CLI Validate Role Assignment to single subscription
+        displayName: Az CLI Validate vWan Network connection for PR
-    name: validate_role_assign_single_subscription
+        name: validate_vwan_network_connection
-    inputs:
+        inputs:
-      targetType: 'inline'
+          targetType: "inline"
-      script: |
+          script: |
-        az deployment sub validate --template-file infra-as-code/bicep/modules/roleAssignments/roleAssignmentSubscription.bicep --parameters @infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscription.managedIdentity.parameters.all.json --location $(Location) --name $(ManagementGroupPrefix)
+            az deployment sub validate --location $(Location) --template-file infra-as-code/bicep/modules/vnetPeeringVwan/vnetPeeringVwan.bicep --parameters @infra-as-code/bicep/modules/vnetPeeringVwan/parameters/vnetPeeringVwan.parameters.all.json parVirtualWanHubResourceId="/subscriptions/$(subscriptionId)/resourceGroups/$(ResourceGroupName)/providers/Microsoft.Network/virtualHubs/alz-vhub-$(Location)"  parRemoteVirtualNetworkResourceId="/subscriptions/$(subscriptionId)/resourceGroups/$(ResourceGroupName)/providers/Microsoft.Network/virtualNetworks/vnet-spoke" --name $(ManagementGroupPrefix)
 
-  - task: Bash@3    
+      - task: Bash@3
-    displayName: Az CLI Validate Role Assignment to multiple subscriptions
+        displayName: Az CLI Validate vNet Peer for PR
-    name: validate_role_assign_multiple_subscription
+        name: validate_vnet_peer_spoke_2_hub
-    inputs:
+        inputs:
-      targetType: 'inline'
+          targetType: "inline"
-      script: |
+          script: |
-        az deployment mg validate --template-file infra-as-code/bicep/modules/roleAssignments/roleAssignmentSubscriptionMany.bicep --parameters @infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscriptionMany.managedIdentity.parameters.all.json parSubscriptionIds='("$(subscriptionId)","$(azvalidatesubscription)")' --location $(Location) --management-group-id $(ManagementGroupPrefix) --name $(ManagementGroupPrefix)
+            az deployment group validate --resource-group $(ResourceGroupName) --template-file infra-as-code/bicep/modules/vnetPeering/vnetPeering.bicep --parameters parDestinationVirtualNetworkId="/subscriptions/$(subscriptionId)/resourceGroups/$(ResourceGroupName)/providers/Microsoft.Network/virtualNetworks/alz-hub-eastus"  parSourceVirtualNetworkName="vnet-spoke" parDestinationVirtualNetworkName="alz-hub-eastus" --name $(ManagementGroupPrefix)
 
-  - task: Bash@3    
+      - task: Bash@3
-    displayName: Az CLI Validate hub peered spoke orchestration module
+        displayName: Az CLI Validate Private DNS Zones
-    name: validate_hub_peer_spoke
+        name: validate_private_dns
-    inputs:
+        inputs:
-      targetType: 'inline'
+          targetType: "inline"
-      script: |
+          script: |
-        az deployment mg validate --template-file infra-as-code/bicep/orchestration/hubPeeredSpoke/hubPeeredSpoke.bicep --parameters @infra-as-code/bicep/orchestration/hubPeeredSpoke/parameters/hubPeeredSpoke.parameters.all.json parPeeredVnetSubscriptionId="$(subscriptionId)" parHubVirtualNetworkId="/subscriptions/$(subscriptionId)/resourceGroups/$(ResourceGroupName)/providers/Microsoft.Network/virtualNetworks/alz-hub-eastus" parTopLevelManagementGroupPrefix="$(ManagementGroupPrefix)" parLocation=$(Location) --location $(Location) --management-group-id $(ManagementGroupPrefix) --name $(ManagementGroupPrefix)
+            az deployment group validate --resource-group $(ResourceGroupName) --template-file infra-as-code/bicep/modules/privateDnsZones/privateDnsZones.bicep --parameters @infra-as-code/bicep/modules/privateDnsZones/parameters/mc-privateDnsZones.parameters.all.json --name $(ManagementGroupPrefix)
 
-  - task: Bash@3    
+      - task: Bash@3
-    displayName: Az CLI Validate subPlacementAll orchestration module
+        displayName: Az CLI Validate Public IP
-    name: validate_sub_placement_all
+        name: validate_public_ip
-    inputs:
+        inputs:
-      targetType: 'inline'
+          targetType: "inline"
-      script: |
+          script: |
-        az deployment mg validate --template-file infra-as-code/bicep/orchestration/subPlacementAll/subPlacementAll.bicep --parameters @infra-as-code/bicep/orchestration/subPlacementAll/parameters/subPlacementAll.parameters.all.json parTopLevelManagementGroupPrefix="$(ManagementGroupPrefix)" parPlatformConnectivityMgSubs='["$(subscriptionId)"]' --location $(Location) --management-group-id $(ManagementGroupPrefix) --name "$(ManagementGroupPrefix)-subPlacement"
+            az deployment group validate --resource-group $(ResourceGroupName) --template-file infra-as-code/bicep/modules/publicIp/publicIp.bicep --parameters @infra-as-code/bicep/modules/publicIp/parameters/publicIp.parameters.min.json --name $(ManagementGroupPrefix)
 
-- job: bicep_cleanup
+      - task: Bash@3
-  dependsOn: bicep_validate
+        displayName: Az CLI Validate Role Assignment to single Management Group
-  displayName: Cleanup Bicep Validate Deployment for PR
+        name: validate_role_assign_single_mg
-  pool: 
+        inputs:
-    vmImage: ubuntu-latest
+          targetType: "inline"
-  steps:
+          script: |
-  - task: AzurePowerShell@5
+            az deployment mg validate --template-file infra-as-code/bicep/modules/roleAssignments/roleAssignmentManagementGroup.bicep --parameters @infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroup.managedIdentity.parameters.all.json --location $(Location) --management-group-id $(ManagementGroupPrefix) --name $(ManagementGroupPrefix)
-    displayName: Az PowerShell Remove/Cleanup Deployment
-    inputs:
-      azureSubscription: 'mcserviceconnection'
-      ScriptType: 'FilePath'
-      ScriptPath: '.github/scripts/mc-Wipe-AlzTenant.ps1'
-      ScriptArguments: '-tenantRootGroupID $(azclitenant) -intermediateRootGroupID "$(ManagementGroupPrefix)" -subscriptionName "$(subscriptionName)"'
-      azurePowerShellVersion: 'LatestVersion'
-      pwsh: true
 
+      - task: Bash@3
+        displayName: Az CLI Validate Role Assignment to multiple Management Groups
+        name: validate_role_assign_multiple_mg
+        inputs:
+          targetType: "inline"
+          script: |
+            az deployment mg validate --template-file infra-as-code/bicep/modules/roleAssignments/roleAssignmentManagementGroupMany.bicep --parameters @infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroupMany.managedIdentity.parameters.all.json parManagementGroupIds='("$(ManagementGroupPrefix)-landingzones", "$(ManagementGroupPrefix)-platform")' --location $(Location) --management-group-id $(ManagementGroupPrefix) --name $(ManagementGroupPrefix)
+
+      - task: Bash@3
+        displayName: Az CLI Validate Role Assignment to single subscription
+        name: validate_role_assign_single_subscription
+        inputs:
+          targetType: "inline"
+          script: |
+            az deployment sub validate --template-file infra-as-code/bicep/modules/roleAssignments/roleAssignmentSubscription.bicep --parameters @infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscription.managedIdentity.parameters.all.json --location $(Location) --name $(ManagementGroupPrefix)
+
+      - task: Bash@3
+        displayName: Az CLI Validate Role Assignment to multiple subscriptions
+        name: validate_role_assign_multiple_subscription
+        inputs:
+          targetType: "inline"
+          script: |
+            az deployment mg validate --template-file infra-as-code/bicep/modules/roleAssignments/roleAssignmentSubscriptionMany.bicep --parameters @infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscriptionMany.managedIdentity.parameters.all.json parSubscriptionIds='("$(subscriptionId)","$(azvalidatesubscription)")' --location $(Location) --management-group-id $(ManagementGroupPrefix) --name $(ManagementGroupPrefix)
+
+      - task: Bash@3
+        displayName: Az CLI Validate hub peered spoke orchestration module
+        name: validate_hub_peer_spoke
+        inputs:
+          targetType: "inline"
+          script: |
+            az deployment mg validate --template-file infra-as-code/bicep/orchestration/hubPeeredSpoke/hubPeeredSpoke.bicep --parameters @infra-as-code/bicep/orchestration/hubPeeredSpoke/parameters/hubPeeredSpoke.parameters.all.json parPeeredVnetSubscriptionId="$(subscriptionId)" parHubVirtualNetworkId="/subscriptions/$(subscriptionId)/resourceGroups/$(ResourceGroupName)/providers/Microsoft.Network/virtualNetworks/alz-hub-eastus" parTopLevelManagementGroupPrefix="$(ManagementGroupPrefix)" parLocation=$(Location) --location $(Location) --management-group-id $(ManagementGroupPrefix) --name $(ManagementGroupPrefix)
+
+      - task: Bash@3
+        displayName: Az CLI Validate subPlacementAll orchestration module
+        name: validate_sub_placement_all
+        inputs:
+          targetType: "inline"
+          script: |
+            az deployment mg validate --template-file infra-as-code/bicep/orchestration/subPlacementAll/subPlacementAll.bicep --parameters @infra-as-code/bicep/orchestration/subPlacementAll/parameters/subPlacementAll.parameters.all.json parTopLevelManagementGroupPrefix="$(ManagementGroupPrefix)" parPlatformConnectivityMgSubs='["$(subscriptionId)"]' --location $(Location) --management-group-id $(ManagementGroupPrefix) --name "$(ManagementGroupPrefix)-subPlacement"
+
+  - job: bicep_cleanup
+    dependsOn: bicep_validate
+    displayName: Cleanup Bicep Validate Deployment for PR
+    pool:
+      vmImage: ubuntu-latest
+    steps:
+      - task: AzurePowerShell@5
+        displayName: Az PowerShell Remove/Cleanup Deployment
+        inputs:
+          azureSubscription: "mcserviceconnection"
+          ScriptType: "FilePath"
+          ScriptPath: ".github/scripts/mc-Wipe-AlzTenant.ps1"
+          ScriptArguments: '-tenantRootGroupID $(azclitenant) -intermediateRootGroupID "$(ManagementGroupPrefix)" -subscriptionName "$(subscriptionName)"'
+          azurePowerShellVersion: "LatestVersion"
+          pwsh: true