fix: Resolve a variety of bugs and update api version of private dns zone links resource (#896)

* Added tags to AMA resources

* Update API version of private dns virtual link

* Add logic to default to at least two zones for the public IP when none are specified

* Add additional role assignments

* Add additional management group scopes for ama policies

* Add secondary location references

* Adding pattern to skip checking for any email
This commit is contained in:
Zach Trocinski 2024-11-07 13:37:08 -06:00 коммит произвёл GitHub
Родитель c282211ea0
Коммит 301891f0de
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: B5690EEEBB952194
6 изменённых файлов: 86 добавлений и 14 удалений

3
.github/actions-config/mlc_config.json поставляемый

@ -6,6 +6,9 @@
{
"pattern": "^(https:\\/\\/)?([www.]?)+(microsoft.com\\/)+[\\w\\-\\._~:/?#[\\]@!\\$&'\\(\\)\\*\\+,;=.]+$"
}
{
"pattern": "^mailto:"
}
],
"httpHeaders": [
{
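Review bot: As rendered, the previous ignore-pattern object closes with a bare `}` on the line before the new `{ "pattern": "^mailto:" }` entry, with no separating comma; if the file really reads that way the JSON is invalid and the link checker will fail to load its config, so that line should be `},` (if the page merely dropped the comma, ignore this). The new pattern is anchored and case-sensitive, so only links beginning with exactly `mailto:` are skipped, which matches the stated intent of not checking email addresses, while a `Mailto:` link would still be checked. Since JSON carries no comments, the reason for the exclusion is best recorded in the commit message or the repo's contributor docs.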


@ -1265,8 +1265,14 @@ module modGatewayPublicIp '../publicIp/publicIp.bicep' = [
params: {
parLocation: parLocation
parAvailabilityZones: toLower(gateway.gatewayType) == 'expressroute'
? parAzErGatewayAvailabilityZones
: toLower(gateway.gatewayType) == 'vpn' ? parAzVpnGatewayAvailabilityZones : []
? (contains(toLower(gateway.sku), 'az') && empty(parAzErGatewayAvailabilityZones)
? ['1', '2']
: parAzErGatewayAvailabilityZones)
: (toLower(gateway.gatewayType) == 'vpn'
? (contains(toLower(gateway.sku), 'az') && empty(parAzVpnGatewayAvailabilityZones)
? ['1', '2']
: parAzVpnGatewayAvailabilityZones)
: [])
parPublicIpName: '${parPublicIpPrefix}${gateway.name}${parPublicIpSuffix}'
parPublicIpProperties: {
publicIpAddressVersion: 'IPv4'
@ -1291,8 +1297,14 @@ module modGatewayPublicIpActiveActive '../publicIp/publicIp.bicep' = [
params: {
parLocation: parLocation
parAvailabilityZones: toLower(gateway.gatewayType) == 'expressroute'
? parAzErGatewayAvailabilityZones
: toLower(gateway.gatewayType) == 'vpn' ? parAzVpnGatewayAvailabilityZones : []
? (contains(toLower(gateway.sku), 'az') && empty(parAzErGatewayAvailabilityZones)
? ['1', '2']
: parAzErGatewayAvailabilityZones)
: (toLower(gateway.gatewayType) == 'vpn'
? (contains(toLower(gateway.sku), 'az') && empty(parAzVpnGatewayAvailabilityZones)
? ['1', '2']
: parAzVpnGatewayAvailabilityZones)
: [])
parPublicIpName: '${parPublicIpPrefix}${gateway.name}${parPublicIpSuffix}-aa'
parPublicIpProperties: {
publicIpAddressVersion: 'IPv4'
@ -1316,8 +1328,14 @@ module modGatewayPublicIpSecondaryLocation '../publicIp/publicIp.bicep' = [
params: {
parLocation: parSecondaryLocation
parAvailabilityZones: toLower(gateway.gatewayType) == 'expressroute'
? parAzErGatewayAvailabilityZonesSecondaryLocation
: toLower(gateway.gatewayType) == 'vpn' ? parAzVpnGatewayAvailabilityZonesSecondaryLocation : []
? (contains(toLower(gateway.sku), 'az') && empty(parAzErGatewayAvailabilityZonesSecondaryLocation)
? ['1', '2']
: parAzErGatewayAvailabilityZones)
: (toLower(gateway.gatewayType) == 'vpn'
? (contains(toLower(gateway.sku), 'az') && empty(parAzVpnGatewayAvailabilityZonesSecondaryLocation)
? ['1', '2']
: parAzVpnGatewayAvailabilityZonesSecondaryLocation)
: [])
parPublicIpName: '${parPublicIpPrefixSecondaryLocation}${gateway.name}${parPublicIpSuffix}'
parPublicIpProperties: {
publicIpAddressVersion: 'IPv4'
@ -1342,8 +1360,14 @@ module modGatewayPublicIpActiveActiveSecondaryLocation '../publicIp/publicIp.bic
params: {
parLocation: parLocation
parAvailabilityZones: toLower(gateway.gatewayType) == 'expressroute'
? parAzErGatewayAvailabilityZones
: toLower(gateway.gatewayType) == 'vpn' ? parAzVpnGatewayAvailabilityZones : []
? (contains(toLower(gateway.sku), 'az') && empty(parAzErGatewayAvailabilityZonesSecondaryLocation)
? ['1', '2']
: parAzErGatewayAvailabilityZones)
: (toLower(gateway.gatewayType) == 'vpn'
? (contains(toLower(gateway.sku), 'az') && empty(parAzVpnGatewayAvailabilityZonesSecondaryLocation)
? ['1', '2']
: parAzVpnGatewayAvailabilityZonesSecondaryLocation)
: [])
parPublicIpName: '${parPublicIpPrefix}${gateway.name}${parPublicIpSuffix}-aa'
parPublicIpProperties: {
publicIpAddressVersion: 'IPv4'
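Review bot: In the modGatewayPublicIpSecondaryLocation hunk (@ -1316) the ExpressRoute branch tests `empty(parAzErGatewayAvailabilityZonesSecondaryLocation)` but falls back to `parAzErGatewayAvailabilityZones`, so a configured secondary-location zone list is silently replaced by the primary one; the fallback should read `: parAzErGatewayAvailabilityZonesSecondaryLocation)`. The same mismatch is in the modGatewayPublicIpActiveActiveSecondaryLocation hunk (@ -1342), whose ExpressRoute fallback also returns `parAzErGatewayAvailabilityZones` while its VPN branch correctly uses the secondary-location parameter. In that last hunk `parLocation: parLocation` and the `parPublicIpName` built from `parPublicIpPrefix` are unchanged context lines, but for a secondary-location module they look like they should use `parSecondaryLocation` and `parPublicIpPrefixSecondaryLocation` as the @ -1316 hunk does — worth confirming. Each module body starts and ends outside its hunk.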


@ -696,8 +696,14 @@ module modGatewayPublicIp '../publicIp/publicIp.bicep' = [
params: {
parLocation: parLocation
parAvailabilityZones: toLower(gateway.gatewayType) == 'expressroute'
? parAzErGatewayAvailabilityZones
: toLower(gateway.gatewayType) == 'vpn' ? parAzVpnGatewayAvailabilityZones : []
? (contains(toLower(gateway.sku), 'az') && empty(parAzErGatewayAvailabilityZones)
? ['1', '2']
: parAzErGatewayAvailabilityZones)
: (toLower(gateway.gatewayType) == 'vpn'
? (contains(toLower(gateway.sku), 'az') && empty(parAzVpnGatewayAvailabilityZones)
? ['1', '2']
: parAzVpnGatewayAvailabilityZones)
: [])
parPublicIpName: '${parPublicIpPrefix}${gateway.name}${parPublicIpSuffix}'
parPublicIpProperties: {
publicIpAddressVersion: 'IPv4'
@ -722,8 +728,14 @@ module modGatewayPublicIpActiveActive '../publicIp/publicIp.bicep' = [
params: {
parLocation: parLocation
parAvailabilityZones: toLower(gateway.gatewayType) == 'expressroute'
? parAzErGatewayAvailabilityZones
: toLower(gateway.gatewayType) == 'vpn' ? parAzVpnGatewayAvailabilityZones : []
? (contains(toLower(gateway.sku), 'az') && empty(parAzErGatewayAvailabilityZones)
? ['1', '2']
: parAzErGatewayAvailabilityZones)
: (toLower(gateway.gatewayType) == 'vpn'
? (contains(toLower(gateway.sku), 'az') && empty(parAzVpnGatewayAvailabilityZones)
? ['1', '2']
: parAzVpnGatewayAvailabilityZones)
: [])
parPublicIpName: '${parPublicIpPrefix}${gateway.name}${parPublicIpSuffix}-aa'
parPublicIpProperties: {
publicIpAddressVersion: 'IPv4'
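Review bot: The same 11-line zone-selection ternary is pasted verbatim into modGatewayPublicIp and modGatewayPublicIpActiveActive here and into four more gateway modules in the other networking file of this commit, with the `['1', '2']` default repeated in every branch; that duplication is what let the secondary-location copies diverge. At minimum hoist the default into one declaration, `var varDefaultGatewayPipZones = ['1', '2']`, and reference it from each branch so a future change is made once. The `contains(toLower(gateway.sku), 'az')` guard also deserves a why-comment, e.g. `// AZ gateway SKUs: default the PIP to zones 1 and 2 when no zones were supplied`, since a reader will otherwise wonder why non-AZ SKUs get an empty list. Both module bodies begin and end outside the hunks.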


@ -187,6 +187,7 @@ var varCuaid = 'f8087c67-cc41-46b2-994d-66e4b661860d'
resource resUserAssignedManagedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
name: parUserAssignedManagedIdentityName
location: parUserAssignedManagedIdentityLocation
tags: parTags
}
resource resAutomationAccount 'Microsoft.Automation/automationAccounts@2023-11-01' = {
@ -243,6 +244,7 @@ resource resLogAnalyticsWorkspaceLock 'Microsoft.Authorization/locks@2020-05-01'
resource resDataCollectionRuleVMInsights 'Microsoft.Insights/dataCollectionRules@2021-04-01' = {
name: parDataCollectionRuleVMInsightsName
location: parLogAnalyticsWorkspaceLocation
tags: parTags
properties: {
description: 'Data collection rule for VM Insights'
dataSources: {
@ -311,6 +313,7 @@ resource resDataCollectionRuleVMInsightsLock 'Microsoft.Authorization/locks@2020
resource resDataCollectionRuleChangeTracking 'Microsoft.Insights/dataCollectionRules@2021-04-01' = {
name: parDataCollectionRuleChangeTrackingName
location: parLogAnalyticsWorkspaceLocation
tags: parTags
properties: {
description: 'Data collection rule for CT.'
dataSources: {
@ -582,6 +585,7 @@ resource resDataCollectionRuleChangeTrackingLock 'Microsoft.Authorization/locks@
resource resDataCollectionRuleMDFCSQL'Microsoft.Insights/dataCollectionRules@2021-04-01' = {
name: parDataCollectionRuleMDFCSQLName
location: parLogAnalyticsWorkspaceLocation
tags: parTags
properties: {
description: 'Data collection rule for Defender for SQL.'
dataSources: {


@ -941,6 +941,9 @@ module modPolicyAssignmentPlatformDeployVmArcChangeTrack '../../../policy/assign
varRbacRoleDefinitionIds.monitoringContributor
varRbacRoleDefinitionIds.reader
]
parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs: [
string(varManagementGroupIds.landingZones)
]
parTelemetryOptOut: parTelemetryOptOut
}
}
@ -972,6 +975,9 @@ module modPolicyAssignmentPlatformDeployVmChangeTrack '../../../policy/assignmen
varRbacRoleDefinitionIds.managedIdentityOperator
varRbacRoleDefinitionIds.reader
]
parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs: [
string(varManagementGroupIds.landingZones)
]
parTelemetryOptOut: parTelemetryOptOut
}
}
@ -1003,6 +1009,9 @@ module modPolicyAssignmentPlatformDeployVmssChangeTrack '../../../policy/assignm
varRbacRoleDefinitionIds.managedIdentityOperator
varRbacRoleDefinitionIds.reader
]
parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs: [
string(varManagementGroupIds.landingZones)
]
parTelemetryOptOut: parTelemetryOptOut
}
}
@ -1030,6 +1039,8 @@ module modPolicyAssignmentPlatformDeployVmArcMonitor '../../../policy/assignment
varRbacRoleDefinitionIds.reader
varRbacRoleDefinitionIds.connectedMachineResourceAdministrator
]
parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs: [
string(varManagementGroupIds.landingZones) ]
parTelemetryOptOut: parTelemetryOptOut
}
}
@ -1061,6 +1072,9 @@ module modPolicyAssignmentPlatformDeployVmMonitor '../../../policy/assignments/p
varRbacRoleDefinitionIds.managedIdentityOperator
varRbacRoleDefinitionIds.reader
]
parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs: [
string(varManagementGroupIds.landingZones)
]
parTelemetryOptOut: parTelemetryOptOut
}
}
@ -1095,6 +1109,9 @@ module modPolicyAssignmentPlatformDeployMdfcDefSqlAma '../../../policy/assignmen
varRbacRoleDefinitionIds.managedIdentityOperator
varRbacRoleDefinitionIds.reader
]
parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs: [
string(varManagementGroupIds.landingZones)
]
parTelemetryOptOut: parTelemetryOptOut
}
}
@ -1146,6 +1163,9 @@ module modPolicyAssignmentPlatformDeployVmssMonitor '../../../policy/assignments
varRbacRoleDefinitionIds.managedIdentityOperator
varRbacRoleDefinitionIds.reader
]
parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs: [
string(varManagementGroupIds.landingZones)
]
parTelemetryOptOut: parTelemetryOptOut
}
}
@ -1751,6 +1771,9 @@ module modPolicyAssignmentLzsDeployVmMonitor '../../../policy/assignments/policy
varRbacRoleDefinitionIds.managedIdentityOperator
varRbacRoleDefinitionIds.reader
]
parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs: [
string(varManagementGroupIds.platform)
]
parTelemetryOptOut: parTelemetryOptOut
}
}
@ -1782,6 +1805,9 @@ module modPolicyAssignmentLzsDeployVmssMonitor '../../../policy/assignments/poli
varRbacRoleDefinitionIds.managedIdentityOperator
varRbacRoleDefinitionIds.reader
]
parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs: [
string(varManagementGroupIds.platform)
]
parTelemetryOptOut: parTelemetryOptOut
}
}
@ -1813,6 +1839,9 @@ module modPolicyAssignmentLzsmDeployMdfcDefSqlAma '../../../policy/assignments/p
varRbacRoleDefinitionIds.managedIdentityOperator
varRbacRoleDefinitionIds.reader
]
parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs: [
string(varManagementGroupIds.platform)
]
parTelemetryOptOut: parTelemetryOptOut
}
}
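Review bot: Every hunk in this section grants the policy assignment's managed identity its listed roles (reader, managedIdentityOperator, monitoringContributor, and in the @ -1030 hunk connectedMachineResourceAdministrator) at a second management group — landingZones for the platform assignments (@ -941 through @ -1146) and platform for the landing-zone assignments (@ -1751 through @ -1813) — but neither the code nor the commit message records why the cross-scope grant is needed. A one-line comment above each new `parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs`, such as `// Also required at <other MG> because <reason> — keep in sync with the AMA identity/DCR placement`, would let a later reviewer judge whether the wider scope is still necessary instead of treating it as least-privilege drift. For the platform-scoped assignments in particular it is not obvious from this diff why a policy remediating platform VMs needs rights over the landing-zones tree; confirm that is intended rather than a mirror of the landing-zone case. The @ -1030 hunk also closes the array on the element line (`string(varManagementGroupIds.landingZones) ]`) while every other hunk puts `]` on its own line; match the others.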


@ -30,7 +30,7 @@ param parResourceLockConfig lockType = {
var varSpokeVirtualNetworkName = split(parSpokeVirtualNetworkResourceId, '/')[8]
resource resPrivateDnsZoneLinkToSpoke 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = if (!empty(parPrivateDnsZoneResourceId)) {
resource resPrivateDnsZoneLinkToSpoke 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2024-06-01' = if (!empty(parPrivateDnsZoneResourceId)) {
location: 'global'
name: '${split(parPrivateDnsZoneResourceId, '/')[8]}/dnslink-to-${varSpokeVirtualNetworkName}'
properties: {