Custom UX portal deployment - multitenant scenario (#148)

This commit is contained in:
Thodoris Theodorou 2023-05-21 00:03:46 +03:00 коммит произвёл GitHub
Родитель 37b4ad9e87
Коммит b5dd82d753
5 изменённых файлов: 1217 добавлений и 153 удалений


@ -7,7 +7,7 @@ You can deploy the current LZA directly in your azure subscription by hitting th
### Deploy to Azure via Portal
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fappservice-landing-zone-accelerator%2Fmain%2Fscenarios%2Fsecure-baseline-multitenant%2Fazure-resource-manager%2Fmain.json)
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#view/Microsoft_Azure_CreateUIDef/CustomDeploymentBlade/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fthotheod%2Fappservice-landing-zone-accelerator%2Fmain%2Fscenarios%2Fsecure-baseline-multitenant%2Fazure-resource-manager%2Fmain.json/uiFormDefinitionUri/https%3A%2F%2Fraw.githubusercontent.com%2Fthotheod%2Fappservice-landing-zone-accelerator%2Fmain%2Fscenarios%2Fsecure-baseline-multitenant%2Fazure-resource-manager%2Fmain-portal-ux.json)
### Using Codespaces via Azure Dev CLI


@ -1,7 +1,8 @@
# Multitenant App Service Secure Baseline - ARM Implementation
You can deploy the current LZA directly in your azure subscription by hitting the button below.
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fappservice-landing-zone-accelerator%2Fmain%2Fscenarios%2Fsecure-baseline-multitenant%2Fazure-resource-manager%2Fmain.json)
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#view/Microsoft_Azure_CreateUIDef/CustomDeploymentBlade/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fthotheod%2Fappservice-landing-zone-accelerator%2Fmain%2Fscenarios%2Fsecure-baseline-multitenant%2Fazure-resource-manager%2Fmain.json/uiFormDefinitionUri/https%3A%2F%2Fraw.githubusercontent.com%2Fthotheod%2Fappservice-landing-zone-accelerator%2Fmain%2Fscenarios%2Fsecure-baseline-multitenant%2Fazure-resource-manager%2Fmain-portal-ux.json)
Alternatively, you can clone the repo and follow the instractions below


@ -0,0 +1,870 @@
{
"$schema": "https://schema.management.azure.com/schemas/2021-09-09/uiFormDefinition.schema.json#",
"view": {
"kind": "Form",
"properties": {
"title": "App Service LZA - Secure Baseline multitenant ",
"steps": [
{
"name": "basics",
"label": "Deployment settings",
"elements": [
{
"name": "resourceScope",
"type": "Microsoft.Common.ResourceScope"
},
{
"name": "getSubscriptions",
"type": "Microsoft.Solutions.ArmApiControl",
"request": {
"method": "POST",
"path": "providers/Microsoft.ResourceGraph/resources?api-version=2021-03-01",
"body": {
"query": "ResourceContainers | where type =~ 'microsoft.resources/subscriptions' | where properties.state =~ 'enabled' | project label=tostring(name), description=subscriptionId, value=subscriptionId | order by label asc"
}
}
},
{
"name": "getLocations",
"type": "Microsoft.Solutions.ArmApiControl",
"request": {
"method": "GET",
"path": "locations?api-version=2019-11-01"
}
},
{
"name": "workloadName",
"type": "Microsoft.Common.TextBox",
"label": "Workload Name",
"subLabel": "",
"defaultValue": "",
"toolTip": "suffix (max 10 characters long) that will be used to name the resources in a pattern like <resourceAbbreviation>-<workloadName>",
"constraints": {
"required": true,
"regex": "",
"validationMessage": "",
"validations": [
{
"isValid": "[or(or(empty(steps('basics').workloadName),and(not(startsWith(steps('basics').workloadName,'[[')),startsWith(steps('basics').workloadName,'['),endsWith(steps('basics').workloadName,']'),greater(indexOf(steps('basics').workloadName,'('),-1),greater(indexOf(steps('basics').workloadName,')'),-1))),lessOrEquals(length(steps('basics').workloadName),10))]",
"message": "The value must have a length of at most 10."
}
]
},
"infoMessages": [],
"visible": true
},
{
"name": "environmentName",
"type": "Microsoft.Common.DropDown",
"label": "Environment Name",
"subLabel": "",
"defaultValue": "test",
"toolTip": "Required. The name of the Environment Name (e.g. \"dev\", \"test\", \"prod\", \"preprod\", \"staging\", \"uat\", \"dr\", \"qa\"). Up to 8 characters long.",
"constraints": {
"allowedValues": [
{
"label": "dev",
"value": "dev"
},
{
"label": "dr",
"value": "dr"
},
{
"label": "preprod",
"value": "preprod"
},
{
"label": "prod",
"value": "prod"
},
{
"label": "qa",
"value": "qa"
},
{
"label": "staging",
"value": "staging"
},
{
"label": "test",
"value": "test"
},
{
"label": "uat",
"value": "uat"
}
],
"required": true,
"validations": [
{
"isValid": "[or(or(empty(steps('basics').environmentName),and(not(startsWith(steps('basics').environmentName,'[[')),startsWith(steps('basics').environmentName,'['),endsWith(steps('basics').environmentName,']'),greater(indexOf(steps('basics').environmentName,'('),-1),greater(indexOf(steps('basics').environmentName,')'),-1))),lessOrEquals(length(steps('basics').environmentName),8))]",
"message": "The value must have a length of at most 8."
}
]
},
"infoMessages": [],
"visible": true
},
{
"name": "appSvcPlanSection",
"type": "Microsoft.Common.Section",
"label": "App Service Plan settings",
"elements": [
{
"name": "appSvcPlanSettings",
"type": "Microsoft.Common.TextBlock",
"visible": true,
"options": {
"text": "Select one of the predefined SKUs for your App Service Plan, and the desired underlying OS (Linux or Windows). If you wish to deploy a Zone Redundant App Service, select one of the SKUs with the suffix _AZ.",
"link": {
"label": "Learn more for Availability Zones",
"uri": "https://azure.github.io/AppService/2021/08/25/App-service-support-for-availability-zones.html"
}
}
},
{
"name": "webAppPlanSku",
"type": "Microsoft.Common.DropDown",
"label": "Web App Plan Sku",
"subLabel": "",
"defaultValue": "S1",
"toolTip": "Defines the name, tier, size, family and capacity of the App Service Plan. Plans ending to _AZ, are deplying at least three instances in three Availability Zones. EP* is only for functions",
"constraints": {
"required": false,
"allowedValues": [
{
"label": "S1",
"value": "S1"
},
{
"label": "S2",
"value": "S2"
},
{
"label": "S3",
"value": "S3"
},
{
"label": "P1V3",
"value": "P1V3"
},
{
"label": "P2V3",
"value": "P2V3"
},
{
"label": "P3V3",
"value": "P3V3"
},
{
"label": "P1V3_AZ",
"value": "P1V3_AZ"
},
{
"label": "P2V3_AZ",
"value": "P2V3_AZ"
},
{
"label": "P3V3_AZ",
"value": "P3V3_AZ"
}
],
"validations": []
},
"infoMessages": [],
"visible": true
},
{
"name": "webAppBaseOs",
"type": "Microsoft.Common.DropDown",
"label": "Web App Base Os",
"subLabel": "",
"defaultValue": "Windows",
"toolTip": "Kind of server OS of the App Service Plan",
"constraints": {
"required": false,
"allowedValues": [
{
"label": "Windows",
"value": "Windows"
},
{
"label": "Linux",
"value": "Linux"
}
],
"validations": []
},
"infoMessages": [],
"visible": true
}
]
}
]
},
{
"name": "networking",
"label": "Network settings",
"elements": [
{
"name": "sectionHubSelector",
"type": "Microsoft.Common.Section",
"label": "Create a new Hub or use an existing one?",
"elements": [
{
"name": "textHubSelector",
"type": "Microsoft.Common.TextBlock",
"visible": true,
"options": {
"text": "Do you want to deploy a new Hub (with all the necessary resources, i.e. Virtual Network, Azure Firewall, Azure Bastion etc), or do you prefer use an existing one? The existing hub must be in the same region, and have Azure Firewall, and Azure Bastion deployed in it.",
"link": {
"label": "More info for the Hub resources, at the Architecture Diagram",
"uri": "https://github.com/thotheod/appservice-landing-zone-accelerator/tree/main/scenarios/secure-baseline-multitenant#architecture"
}
}
},
{
"name": "deployHub",
"type": "Microsoft.Common.OptionsGroup",
"visible": true,
"label": "Deploy a new Hub, or use an existing one?",
"defaultValue": "New",
"constraints": {
"allowedValues": [
{
"label": "New",
"value": "deployNew"
},
{
"label": "Existing",
"value": "useExisting"
}
]
}
}
]
},
{
"name": "sectionHubNew",
"type": "Microsoft.Common.Section",
"label": "CIDR Settings for new Hub network and subnets",
"visible": "[equals(steps('networking').sectionHubSelector.deployHub, 'deployNew')]",
"elements": [
{
"name": "textHubNew",
"type": "Microsoft.Common.TextBlock",
"visible": true,
"options": {
"text": "You can accept the default address spaces, as shown below, or you can use your own.",
"link": {
"label": "What address ranges can I use in my Virtual Networks?",
"uri": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-faq#what-address-ranges-can-i-use-in-my-vnets"
}
}
}
]
},
{
"name": "vnetHubAddressSpace",
"type": "Microsoft.Common.TextBox",
"label": "Hub Virtual Network Address Space",
"subLabel": "",
"defaultValue": "10.242.0.0/20",
"toolTip": "CIDR of the HUB vnet i.e. 192.168.0.0/24 - optional if you want to use an existing hub vnet (vnetHubResourceId)",
"constraints": {
"required": false,
"regex": "",
"validationMessage": "",
"validations": [
{
"regex": "^(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(?:\/(1[0-9]|2[0-4]))$",
"message": "Invalid CIDR range. The address prefix must be in the range [10,24]."
}
]
},
"infoMessages": [],
"visible": "[equals(steps('networking').sectionHubSelector.deployHub, 'deployNew')]"
},
{
"name": "subnetHubFirewallAddressSpace",
"type": "Microsoft.Common.TextBox",
"label": "Hub Subnet CIDR for Azure Firewall",
"subLabel": "",
"defaultValue": "10.242.0.0/26",
"toolTip": "CIDR of the subnet hosting the azure Firewall - optional if you want to use an existing hub vnet (vnetHubResourceId)",
"constraints": {
"required": false,
"regex": "",
"validationMessage": "",
"validations": [
{
"regex": "^(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(?:\/(2[0-6]))$",
"message": "Invalid CIDR range. The address prefix must be in the range [20,26]."
}
]
},
"infoMessages": [],
"visible": "[equals(steps('networking').sectionHubSelector.deployHub, 'deployNew')]"
},
{
"name": "subnetHubBastionAddressSpace",
"type": "Microsoft.Common.TextBox",
"label": "Hub Subnet CIDR for Bastion Service",
"subLabel": "",
"defaultValue": "10.242.0.64/26",
"toolTip": "CIDR of the subnet hosting the Bastion Service - optional if you want to use an existing hub vnet (vnetHubResourceId)",
"constraints": {
"required": false,
"regex": "",
"validationMessage": "",
"validations": [
{
"regex": "^(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(?:\/(2[0-6]))$",
"message": "Invalid CIDR range. The address prefix must be in the range [20,26]."
}
]
},
"infoMessages": [],
"visible": "[equals(steps('networking').sectionHubSelector.deployHub, 'deployNew')]"
},
{
"name": "sectionHubExisting",
"type": "Microsoft.Common.Section",
"label": "Information for the existing Hub resources",
"visible": "[equals(steps('networking').sectionHubSelector.deployHub, 'useExisting')]",
"elements": []
},
{
"name": "vnetHubResourceId",
"type": "Microsoft.Common.TextBox",
"label": "Hub Vnet Resource Id",
"subLabel": "",
"defaultValue": "",
"toolTip": "Default is empty. If empty, then a new hub will be created. If given, no new hub will be created and we create the peering between spoke and and existing hub vnet",
"constraints": {
"required": false,
"regex": "",
"validationMessage": "",
"validations": []
},
"infoMessages": [],
"visible": "[equals(steps('networking').sectionHubSelector.deployHub, 'useExisting')]"
},
{
"name": "firewallInternalIp",
"type": "Microsoft.Common.TextBox",
"label": "Firewall Internal IP",
"subLabel": "",
"defaultValue": "",
"toolTip": "Internal IP of the Azure firewall deployed in Hub. Used for creating UDR to route all vnet egress traffic through Firewall. If empty no UDR",
"constraints": {
"required": false,
"regex": "",
"validationMessage": "",
"validations": []
},
"infoMessages": [],
"visible": "[equals(steps('networking').sectionHubSelector.deployHub, 'useExisting')]"
},
{
"name": "sectionSpoke",
"type": "Microsoft.Common.Section",
"label": "CIDR Settings for the Spoke network and subnets",
"visible": true,
"elements": [
{
"name": "textSpoke",
"type": "Microsoft.Common.TextBlock",
"visible": true,
"options": {
"text": "You can accept the default address spaces, as shown below, or you can use your own.",
"link": {
"label": "What address ranges can I use in my Virtual Networks?",
"uri": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-faq#what-address-ranges-can-i-use-in-my-vnets"
}
}
}
]
},
{
"name": "vnetSpokeAddressSpace",
"type": "Microsoft.Common.TextBox",
"label": "Spoke Virtual Network Address Space",
"subLabel": "",
"defaultValue": "10.240.0.0/20",
"toolTip": "CIDR of the SPOKE vnet i.e. 192.168.0.0/24",
"constraints": {
"required": true,
"regex": "",
"validationMessage": "",
"validations": [
{
"regex": "^(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(?:\/(1[0-9]|2[0-4]))$",
"message": "Invalid CIDR range. The address prefix must be in the range [10,24]."
}
]
},
"infoMessages": [],
"visible": true
},
{
"name": "subnetSpokeAppSvcAddressSpace",
"type": "Microsoft.Common.TextBox",
"label": "Spoke Subnet CIDR for Azure App Service",
"subLabel": "",
"defaultValue": "10.240.0.0/26",
"toolTip": "CIDR of the subnet that will hold the app services plan",
"constraints": {
"required": true,
"regex": "",
"validationMessage": "",
"validations": [
{
"regex": "^(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(?:\/(2[0-6]))$",
"message": "Invalid CIDR range. The address prefix must be in the range [20,26]."
}
]
},
"infoMessages": [],
"visible": true
},
{
"name": "subnetSpokeDevOpsAddressSpace",
"type": "Microsoft.Common.TextBox",
"label": "Spoke Subnet CIDR for Dev Ops agent (VM)",
"subLabel": "",
"defaultValue": "10.240.10.128/26",
"toolTip": "CIDR of the subnet that will hold devOps agents etc ",
"constraints": {
"required": true,
"regex": "",
"validationMessage": "",
"validations": [
{
"regex": "^(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(?:\/(2[0-6]))$",
"message": "Invalid CIDR range. The address prefix must be in the range [20,26]."
}
]
},
"infoMessages": [],
"visible": true
},
{
"name": "subnetSpokePrivateEndpointAddressSpace",
"type": "Microsoft.Common.TextBox",
"label": "Spoke Subnet CIDR for Azure Private Endpoints",
"subLabel": "",
"defaultValue": "10.240.11.0/24",
"toolTip": "CIDR of the subnet that will hold the private endpoints of the supporting services",
"constraints": {
"required": true,
"regex": "",
"validationMessage": "",
"validations": [
{
"regex": "^(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(?:\/(2[0-6]))$",
"message": "Invalid CIDR range. The address prefix must be in the range [20,26]."
}
]
},
"infoMessages": [],
"visible": true
}
]
},
{
"name": "extra",
"label": "Extra settings",
"elements": [
{
"name": "location",
"type": "Microsoft.Common.TextBox",
"label": "Location",
"subLabel": "",
"defaultValue": "[steps('basics').resourceScope.location.displayName]",
"toolTip": "Azure region where the resources will be deployed in",
"constraints": {
"required": false,
"regex": "",
"validationMessage": "",
"validations": []
},
"infoMessages": [],
"visible": false
},
{
"name": "numericSuffix",
"type": "Microsoft.Common.TextBox",
"label": "Numeric Suffix",
"subLabel": "",
"defaultValue": "",
"toolTip": "Optional. A numeric suffix (e.g. \"001\") to be appended on the naming generated for the resources. Defaults to empty.",
"constraints": {
"required": false,
"regex": "",
"validationMessage": "",
"validations": []
},
"infoMessages": [],
"visible": false
},
{
"name": "jumpBoxSection",
"type": "Microsoft.Common.Section",
"label": "Jump-box Virtual Machine/DevOps agent settings",
"elements": [
{
"name": "deployJumpHost",
"type": "Microsoft.Common.DropDown",
"label": "Deploy Jump Box?",
"subLabel": "",
"defaultValue": "Yes",
"toolTip": "set to true if you want to deploy a jumpbox/devops VM",
"constraints": {
"required": false,
"allowedValues": [
{
"label": "Yes",
"value": true
},
{
"label": "No",
"value": false
}
],
"validations": []
},
"infoMessages": [],
"visible": true
},
{
"name": "windowsVmCredentials",
"type": "Microsoft.Common.TextBlock",
"visible": "[equals(steps('extra').jumpBoxSection.deployJumpHost, true)]",
"options": {
"text": "Give the CredentialsCombo for your windows Jump-box. The VM will be AAD Joined, so you can use your AAD credentials to login. The password must contain at least 12 characters, with at least 1 uppercase, 1 lowercase and 1 number.",
"link": {
"label": "Learn more for Windows VM Password Policy",
"uri": "https://learn.microsoft.com/en-us/azure/virtual-machines/windows/faq#what-are-the-password-requirements-when-creating-a-vm-"
}
}
},
{
"name": "adminUsername",
"type": "Microsoft.Compute.UserNameTextBox",
"label": "Admin Username",
"defaultValue": "azureuser",
"toolTip": "",
"constraints": {
"required": true,
"regex": "^[a-z0-9A-Z]{8,15}$",
"validationMessage": "Only alphanumeric characters are allowed, and the value must be 8-15 characters long."
},
"osPlatform": "Windows",
"visible": "[equals(steps('extra').jumpBoxSection.deployJumpHost, true)]"
},
{
"name": "vmCredentials",
"type": "Microsoft.Compute.CredentialsCombo",
"label": {
"password": "Password",
"confirmPassword": "Confirm password"
},
"toolTip": {
"password": ""
},
"constraints": {
"required": true,
"customPasswordRegex": "^(?=.*\\d)(?=.*[a-z])(?=.*[A-Z])[\\w~@#$%^&*+=|{}:;!.?\\()\\[\\]-]{12,}$",
"customValidationMessage": "The password must contain at least 12 characters, with at least 1 uppercase, 1 lowercase and 1 number."
},
"options": {
"hideConfirmation": false
},
"osPlatform": "Windows",
"visible": "[equals(steps('extra').jumpBoxSection.deployJumpHost, true)]"
}
]
},
{
"name": "sqlServerIntroSection",
"type": "Microsoft.Common.Section",
"label": "Azure SQL Server deployment feature flag",
"elements": [
{
"name": "sqlServerIntro",
"type": "Microsoft.Common.TextBlock",
"visible": true,
"options": {
"text": "Select if you wish to deploy an Azure SQL Server with a default database. This will require more time in the deployment."
}
},
{
"name": "deployAzureSql",
"type": "Microsoft.Common.DropDown",
"label": "Deploy Azure Sql Server?",
"subLabel": "",
"defaultValue": "No",
"toolTip": "Set to true if you want to deploy a azure SQL server and default database",
"constraints": {
"required": false,
"allowedValues": [
{
"label": "Yes",
"value": true
},
{
"label": "No",
"value": false
}
],
"validations": []
},
"infoMessages": [],
"visible": true
}
]
},
{
"name": "sqlServerDeploySection",
"type": "Microsoft.Common.Section",
"label": "SQL Server settings",
"visible": "[equals(steps('extra').sqlServerIntroSection.deployAzureSql, true)]",
"elements": [
{
"name": "sqlServerAuthentication",
"type": "Microsoft.Common.TextBlock",
"visible": true,
"options": {
"text": "Select the authentication method for the SQL Server administrator. Azure AD for SQL Server administrator authentication is suggested."
}
},
{
"name": "azureSqlAuthentication",
"type": "Microsoft.Common.DropDown",
"label": "Azure Sql Server Authentication",
"subLabel": "",
"defaultValue": "Azure AD",
"toolTip": "Select Azure AD for SQL Server administrator authentication for better security and passwordless access. If you select SQL Server local user, you will need to provide a password for the SQL Server administrator.",
"constraints": {
"required": false,
"allowedValues": [
{
"label": "Azure AD",
"value": "AAD"
},
{
"label": "SQL Server local user",
"value": "local"
}
],
"validations": []
},
"infoMessages": [],
"visible": true
},
{
"name": "sqlServerAdministratorsExplanation",
"type": "Microsoft.Common.TextBlock",
"visible": "[equals(steps('extra').sqlServerDeploySection.azureSqlAuthentication, 'AAD')]",
"options": {
"text": "Replace AAD_SQL_ADMIN_GROUP with Azure AD group where your Azure administrators are members, sid value (xxxx-xxxx-xxxx-xxxx-xxxx) with Azure AD object ID of that group. The current tenantId value is already filled in."
}
},
{
"name": "sqlServerAdministrators",
"type": "Microsoft.Common.TextBox",
"label": "Sql Server Administrators",
"subLabel": "",
"defaultValue": "[concat('{\n\t\"login\": \"AAD_SQL_ADMIN_GROUP\",\n\t\"sid\": \"xxxx-xxxx-xxxx-xxxx-xxxx\",\n\t\"tenantId\": \"', steps('basics').resourceScope.subscription.tenantId, '\"\n}')]",
"multiLine": true,
"toolTip": "Replace AAD_SQL_ADMIN_GROUP with Azure AD group where your Azure administrators are members, sid value with Azure AD object ID of that group and tenantId value with Azure AD tenant ID where the group is located",
"constraints": {
"required": false,
"regex": "",
"validationMessage": "",
"validations": []
},
"infoMessages": [],
"visible": "[equals(steps('extra').sqlServerDeploySection.azureSqlAuthentication, 'AAD')]"
},
{
"name": "sqlAdminLogin",
"type": "Microsoft.Common.TextBox",
"label": "Sql Admin Login",
"subLabel": "",
"defaultValue": "sqluser",
"toolTip": "Conditional. If sqlServerAdministrators is given, this is not required. ",
"constraints": {
"required": false,
"regex": "",
"validationMessage": "",
"validations": []
},
"infoMessages": [],
"visible": "[equals(steps('extra').sqlServerDeploySection.azureSqlAuthentication, 'local')]"
},
{
"name": "sqlAdminPassword",
"type": "Microsoft.Common.PasswordBox",
"label": {
"password": "Sql Admin Password",
"confirmPassword": "Confirm password"
},
"defaultValue": "[newGuid()]",
"toolTip": "Conditional. If sqlServerAdministrators is given, this is not required -check password policy: https://learn.microsoft.com/en-us/sql/relational-databases/security/password-policy?view=azuresqldb-current",
"constraints": {
"required": false,
"regex": "",
"validationMessage": "",
"validations": []
},
"options": {
"hideConfirmation": true
},
"visible": "[equals(steps('extra').sqlServerDeploySection.azureSqlAuthentication, 'local')]"
}
]
}
]
},
{
"name": "flags",
"label": "Deployment feature flags",
"elements": [
{
"name": "enableEgressLockdown",
"type": "Microsoft.Common.DropDown",
"label": "Enable Egress Lockdown",
"subLabel": "",
"defaultValue": "false",
"toolTip": "set to true if you want to intercept all outbound traffic with azure firewall",
"constraints": {
"required": false,
"allowedValues": [
{
"label": "true",
"value": true
},
{
"label": "false",
"value": false
}
],
"validations": []
},
"infoMessages": [],
"visible": true
},
{
"name": "deployRedis",
"type": "Microsoft.Common.DropDown",
"label": "Deploy Redis",
"subLabel": "",
"defaultValue": "false",
"toolTip": "set to true if you want to a redis cache",
"constraints": {
"required": false,
"allowedValues": [
{
"label": "true",
"value": true
},
{
"label": "false",
"value": false
}
],
"validations": []
},
"infoMessages": [],
"visible": true
},
{
"name": "deployAppConfig",
"type": "Microsoft.Common.DropDown",
"label": "Deploy App Config",
"subLabel": "",
"defaultValue": "false",
"toolTip": "set to true if you want to deploy application configuration",
"constraints": {
"required": false,
"allowedValues": [
{
"label": "true",
"value": true
},
{
"label": "false",
"value": false
}
],
"validations": []
},
"infoMessages": [],
"visible": true
},
{
"name": "autoApproveAfdPrivateEndpoint",
"type": "Microsoft.Common.DropDown",
"label": "Auto Approve Afd Private Endpoint",
"subLabel": "",
"defaultValue": "true",
"toolTip": "set to true if you want to auto approve the Private Endpoint of the AFD",
"constraints": {
"required": false,
"allowedValues": [
{
"label": "true",
"value": true
},
{
"label": "false",
"value": false
}
],
"validations": []
},
"infoMessages": [],
"visible": true
}
]
}
]
},
"outputs": {
"parameters": {
"workloadName": "[steps('basics').workloadName]",
"location": "[steps('extra').location]",
"environmentName": "[steps('basics').environmentName]",
"vnetHubAddressSpace": "[steps('networking').vnetHubAddressSpace]",
"subnetHubFirewallAddressSpace": "[steps('networking').subnetHubFirewallAddressSpace]",
"subnetHubBastionAddressSpace": "[steps('networking').subnetHubBastionAddressSpace]",
"vnetSpokeAddressSpace": "[steps('networking').vnetSpokeAddressSpace]",
"subnetSpokeAppSvcAddressSpace": "[steps('networking').subnetSpokeAppSvcAddressSpace]",
"subnetSpokeDevOpsAddressSpace": "[steps('networking').subnetSpokeDevOpsAddressSpace]",
"subnetSpokePrivateEndpointAddressSpace": "[steps('networking').subnetSpokePrivateEndpointAddressSpace]",
"numericSuffix": "[steps('extra').numericSuffix]",
"vnetHubResourceId": "[steps('networking').vnetHubResourceId]",
"firewallInternalIp": "[steps('networking').firewallInternalIp]",
"webAppPlanSku": "[steps('basics').appSvcPlanSection.webAppPlanSku]",
"webAppBaseOs": "[steps('basics').appSvcPlanSection.webAppBaseOs]",
"adminUsername": "[steps('extra').jumpBoxSection.adminUsername]",
"adminPassword": "[if( equals ( steps('extra').jumpBoxSection.deployJumpHost, true), steps('extra').jumpBoxSection.vmCredentials.password , 'Pass@word123$' )]",
"sqlServerAdministrators": "[steps('extra').sqlServerDeploySection.sqlServerAdministrators]",
"sqlAdminLogin": "[steps('extra').sqlServerDeploySection.sqlAdminLogin]",
"sqlAdminPassword": "[steps('extra').sqlServerDeploySection.sqlAdminPassword]",
"deployAzureSql": "[steps('extra').sqlServerIntroSection.deployAzureSql]",
"deployJumpHost": "[steps('extra').jumpBoxSection.deployJumpHost]",
"enableEgressLockdown": "[steps('flags').enableEgressLockdown]",
"deployRedis": "[steps('flags').deployRedis]",
"deployAppConfig": "[steps('flags').deployAppConfig]",
"autoApproveAfdPrivateEndpoint": "[steps('flags').autoApproveAfdPrivateEndpoint]"
},
"kind": "Subscription",
"location": "[steps('basics').resourceScope.location.name]",
"subscriptionId": "[steps('basics').resourceScope.subscription.id]"
}
}
}
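Review bot: The `adminPassword` entry in `outputs.parameters` falls back to a fixed literal password whenever `deployJumpHost` is false, which commits a known credential into the UI definition and hands it to the template's `adminPassword` parameter even though no VM is meant to receive it; replace the literal with a non-secret value, e.g. `"adminPassword": "[if(equals(steps('extra').jumpBoxSection.deployJumpHost, true), steps('extra').jumpBoxSection.vmCredentials.password, '')]"`, assuming the template tolerates an empty value when the jump box is skipped (its parameter definition is not visible here). A second point is the hidden `location` textbox: it defaults to `resourceScope.location.displayName`, so a display name such as "West Europe" is what reaches `outputs.parameters.location`, while the deployment itself uses `resourceScope.location.name`; unless the template normalizes it, the region string that feeds `resourceSuffix` will contain a space and differ from the deployment location, so `"defaultValue": "[steps('basics').resourceScope.location.name]"` looks like the intended value. Finally, `sqlServerAdministrators` is a free-text box whose default keeps the placeholder sid `xxxx-xxxx-xxxx-xxxx-xxxx` and carries no validation; the main.json hunk later in this commit only silently discards the object when that placeholder is still present, so a form-level check such as `"isValid": "[equals(indexOf(steps('extra').sqlServerDeploySection.sqlServerAdministrators, 'xxxx-xxxx-xxxx-xxxx-xxxx'), -1)]"` with a message asking for the real group object ID would surface the mistake before a SQL server is deployed without the intended AAD administrator.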


@ -4,8 +4,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.16.2.56959",
"templateHash": "13674677836285162148"
"version": "0.17.1.54307",
"templateHash": "14607136235440263125"
}
},
"parameters": {
@ -24,12 +24,12 @@
"description": "Azure region where the resources will be deployed in"
}
},
"environment": {
"environmentName": {
"type": "string",
"defaultValue": "test",
"maxLength": 8,
"metadata": {
"description": "Required. The name of the environment (e.g. \"dev\", \"test\", \"prod\", \"preprod\", \"staging\", \"uat\", \"dr\", \"qa\"). Up to 8 characters long."
"description": "Required. The name of the environmentName (e.g. \"dev\", \"test\", \"prod\", \"preprod\", \"staging\", \"uat\", \"dr\", \"qa\"). Up to 8 characters long."
}
},
"vnetHubAddressSpace": {
@ -167,42 +167,35 @@
},
"sqlAdminPassword": {
"type": "securestring",
"defaultValue": "",
"defaultValue": "[newGuid()]",
"metadata": {
"description": "Conditional. If sqlServerAdministrators is given, this is not required -check password policy: https://learn.microsoft.com/en-us/sql/relational-databases/security/password-policy?view=azuresqldb-current"
}
},
"enableEgressLockdown": {
"type": "bool",
"defaultValue": true,
"defaultValue": false,
"metadata": {
"description": "set to true if you want to intercept all outbound traffic with azure firewall"
}
},
"enableWaf": {
"type": "bool",
"defaultValue": true,
"metadata": {
"description": "set to true if you want to deploy a WAF in front of the app service"
}
},
"deployRedis": {
"type": "bool",
"defaultValue": true,
"defaultValue": false,
"metadata": {
"description": "set to true if you want to a redis cache"
}
},
"deployAzureSql": {
"type": "bool",
"defaultValue": true,
"defaultValue": false,
"metadata": {
"description": "set to true if you want to deploy a azure SQL server and default database"
}
},
"deployAppConfig": {
"type": "bool",
"defaultValue": true,
"defaultValue": false,
"metadata": {
"description": "set to true if you want to deploy application configuration"
}
@ -213,20 +206,27 @@
"metadata": {
"description": "set to true if you want to deploy a jumpbox/devops VM"
}
},
"autoApproveAfdPrivateEndpoint": {
"type": "bool",
"defaultValue": true,
"metadata": {
"description": "set to true if you want to auto approve the Private Endpoint of the AFD"
}
}
},
"variables": {
"tags": "[union(createObject('workloadName', parameters('workloadName'), 'environment', parameters('environment')), parameters('resourceTags'))]",
"resourceSuffix": "[format('{0}-{1}-{2}', parameters('workloadName'), parameters('environment'), parameters('location'))]",
"tags": "[union(createObject('workloadName', parameters('workloadName'), 'environment', parameters('environmentName')), parameters('resourceTags'))]",
"resourceSuffix": "[format('{0}-{1}-{2}', parameters('workloadName'), parameters('environmentName'), parameters('location'))]",
"hubResourceGroupName": "[format('rg-hub-{0}', variables('resourceSuffix'))]",
"spokeResourceGroupName": "[format('rg-spoke-{0}', variables('resourceSuffix'))]",
"defaultSuffixes": [
"[parameters('workloadName')]",
"[parameters('environment')]",
"[parameters('environmentName')]",
"**location**"
],
"namingSuffixes": "[if(empty(parameters('numericSuffix')), variables('defaultSuffixes'), concat(variables('defaultSuffixes'), createArray(parameters('numericSuffix'))))]",
"administrators": "[if(empty(parameters('sqlServerAdministrators')), createObject(), union(createObject('administratorType', 'ActiveDirectory', 'principalType', 'Group', 'azureADOnlyAuthentication', true()), parameters('sqlServerAdministrators')))]",
"administrators": "[if(or(empty(parameters('sqlServerAdministrators')), equals(parameters('sqlServerAdministrators').sid, 'xxxx-xxxx-xxxx-xxxx-xxxx')), createObject(), union(createObject('administratorType', 'ActiveDirectory', 'principalType', 'Group', 'azureADOnlyAuthentication', false()), parameters('sqlServerAdministrators')))]",
"enableTelemetry": true,
"telemetryId": "[format('cf7e9f0a-f872-49db-b72f-f2e318189a6d-{0}-msb', parameters('location'))]"
},
@ -288,8 +288,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.16.2.56959",
"templateHash": "9719569569769228244"
"version": "0.17.1.54307",
"templateHash": "9105389791545313673"
}
},
"parameters": {
@ -1461,8 +1461,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.16.2.56959",
"templateHash": "11184193868083752560"
"version": "0.17.1.54307",
"templateHash": "5647597518375120293"
}
},
"parameters": {
@ -1857,8 +1857,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.16.2.56959",
"templateHash": "4505074342483300661"
"version": "0.17.1.54307",
"templateHash": "10598031696640381029"
}
},
"parameters": {
@ -1993,8 +1993,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.16.2.56959",
"templateHash": "2972889301818770629"
"version": "0.17.1.54307",
"templateHash": "6201606284384486522"
}
},
"parameters": {
@ -2103,8 +2103,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.16.2.56959",
"templateHash": "3191079448864327129"
"version": "0.17.1.54307",
"templateHash": "9758115776705728804"
}
},
"parameters": {
@ -2297,8 +2297,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.16.2.56959",
"templateHash": "13267832854844280149"
"version": "0.17.1.54307",
"templateHash": "12368266901679986884"
}
},
"parameters": {
@ -2454,8 +2454,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.16.2.56959",
"templateHash": "4443179309014750991"
"version": "0.17.1.54307",
"templateHash": "16272670385761547337"
}
},
"parameters": {
@ -2735,8 +2735,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.16.2.56959",
"templateHash": "3191079448864327129"
"version": "0.17.1.54307",
"templateHash": "9758115776705728804"
}
},
"parameters": {
@ -3035,9 +3035,6 @@
"enableEgressLockdown": {
"value": "[parameters('enableEgressLockdown')]"
},
"enableWaf": {
"value": "[parameters('enableWaf')]"
},
"deployJumpHost": {
"value": "[parameters('deployJumpHost')]"
},
@ -3049,6 +3046,9 @@
},
"deployAppConfig": {
"value": "[parameters('deployAppConfig')]"
},
"autoApproveAfdPrivateEndpoint": {
"value": "[parameters('autoApproveAfdPrivateEndpoint')]"
}
},
"template": {
@ -3057,8 +3057,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.16.2.56959",
"templateHash": "2989242971228964026"
"version": "0.17.1.54307",
"templateHash": "16445129936569211151"
}
},
"parameters": {
@ -3122,13 +3122,6 @@
"description": "Create (or not) a UDR for the App Service Subnet, to route all egress traffic through Hub Azure Firewall"
}
},
"enableWaf": {
"type": "bool",
"defaultValue": true,
"metadata": {
"description": "Enable or disable WAF policies for the deployed Azure Front Door"
}
},
"deployRedis": {
"type": "bool",
"metadata": {
@ -3215,6 +3208,13 @@
"metadata": {
"description": "Conditional. If sqlServerAdministrators is given, this is not required"
}
},
"autoApproveAfdPrivateEndpoint": {
"type": "bool",
"defaultValue": true,
"metadata": {
"description": "set to true if you want to auto approve the Private Endpoint of the AFD"
}
}
},
"variables": {
@ -3240,7 +3240,8 @@
"frontDoorEndPoint": "[format('webAppLza-{0}', take(uniqueString(resourceGroup().id, subscription().id), 6))]",
"frontDoorWaf": "[parameters('naming').frontDoorFirewallPolicy.name]",
"routeTable": "[parameters('naming').routeTable.name]",
"routeEgressLockdown": "[format('{0}-egress-lockdown', parameters('naming').route.name)]"
"routeEgressLockdown": "[format('{0}-egress-lockdown', parameters('naming').route.name)]",
"idAfdApprovePeAutoApprover": "[take(format('{0}-AfdApprovePe', parameters('naming').userAssignedManagedIdentity.name), 128)]"
},
"udrRoutes": [
{
@ -3318,8 +3319,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.16.2.56959",
"templateHash": "4505074342483300661"
"version": "0.17.1.54307",
"templateHash": "10598031696640381029"
}
},
"parameters": {
@ -3455,8 +3456,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.16.2.56959",
"templateHash": "14705061201439979519"
"version": "0.17.1.54307",
"templateHash": "16318526785325373726"
}
},
"parameters": {
@ -3567,8 +3568,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.16.2.56959",
"templateHash": "13267832854844280149"
"version": "0.17.1.54307",
"templateHash": "12368266901679986884"
}
},
"parameters": {
@ -3732,8 +3733,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.16.2.56959",
"templateHash": "3551814942507049314"
"version": "0.17.1.54307",
"templateHash": "18167978876521385399"
}
},
"parameters": {
@ -3814,8 +3815,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.16.2.56959",
"templateHash": "4717235356068819284"
"version": "0.17.1.54307",
"templateHash": "4337185038207822605"
}
},
"parameters": {
@ -3977,8 +3978,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.16.2.56959",
"templateHash": "3350979249194752063"
"version": "0.17.1.54307",
"templateHash": "698709463730837083"
}
},
"parameters": {
@ -4106,8 +4107,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.16.2.56959",
"templateHash": "2555381514048861303"
"version": "0.17.1.54307",
"templateHash": "14445154365330656192"
}
},
"parameters": {
@ -4299,8 +4300,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.16.2.56959",
"templateHash": "11990347735305558759"
"version": "0.17.1.54307",
"templateHash": "18367502449983650133"
}
},
"parameters": {
@ -4371,7 +4372,7 @@
"type": "string",
"defaultValue": "",
"metadata": {
"description": "Default is empty. If empty no Private endpoint will be created fro the resoure. Otherwise, the subnet where the private endpoint will be attached to"
"description": "Default is empty. If empty no Private Endpoint will be created for the resoure. Otherwise, the subnet where the private endpoint will be attached to"
}
},
"virtualNetworkLinks": {
@ -4439,10 +4440,24 @@
"webAppDnsZoneName": "privatelink.azurewebsites.net",
"appConfigurationDnsZoneName": "privatelink.azconfig.io",
"slotName": "staging",
"redisConnStr": "[if(not(empty(parameters('redisConnectionStringSecretName'))), createObject('redisConnectionStringSecret', format('@Microsoft.KeyVault(VaultName={0};SecretName={1})', parameters('keyvaultName'), parameters('redisConnectionStringSecretName'))), createObject())]",
"sqlConnStr": "[if(not(empty(parameters('sqlDbConnectionString'))), createObject('sqlDefaultDbConnectionString', parameters('sqlDbConnectionString')), createObject())]"
"redisConnStr": "[if(not(empty(parameters('redisConnectionStringSecretName'))), createObject('redisConnectionStringSecret', format('@Microsoft.KeyVault(VaultName={0};SecretName={1})', parameters('keyvaultName'), parameters('redisConnectionStringSecretName'))), createObject())]"
},
"resources": [
{
"condition": "[not(empty(parameters('sqlDbConnectionString')))]",
"type": "Microsoft.Web/sites/config",
"apiVersion": "2019-08-01",
"name": "[format('{0}/{1}', parameters('webAppName'), 'connectionstrings')]",
"properties": {
"sqlDbConnectionString": {
"value": "[parameters('sqlDbConnectionString')]",
"type": "SQLAzure"
}
},
"dependsOn": [
"[resourceId('Microsoft.Resources/deployments', take(format('{0}-webApp-Deployment', parameters('webAppName')), 64))]"
]
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2022-09-01",
@ -4472,8 +4487,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.16.2.56959",
"templateHash": "13015998551084451564"
"version": "0.17.1.54307",
"templateHash": "5493405942198387733"
}
},
"parameters": {
@ -4662,8 +4677,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.16.2.56959",
"templateHash": "2591205770313272324"
"version": "0.17.1.54307",
"templateHash": "8203858587180465886"
}
},
"parameters": {
@ -5027,7 +5042,7 @@
}
},
"appSettingsKeyValuePairs": {
"value": "[union(variables('redisConnStr'), variables('sqlConnStr'))]"
"value": "[variables('redisConnStr')]"
},
"slots": {
"value": [
@ -5043,8 +5058,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.16.2.56959",
"templateHash": "6836195621805660254"
"version": "0.17.1.54307",
"templateHash": "14737079603874479965"
}
},
"parameters": {
@ -5480,8 +5495,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.16.2.56959",
"templateHash": "2412663229298344797"
"version": "0.17.1.54307",
"templateHash": "14165506043480703418"
}
},
"parameters": {
@ -5641,8 +5656,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.16.2.56959",
"templateHash": "14291674756930944623"
"version": "0.17.1.54307",
"templateHash": "4018853689576160044"
}
},
"parameters": {
@ -6039,8 +6054,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.16.2.56959",
"templateHash": "1095699817988342150"
"version": "0.17.1.54307",
"templateHash": "15599280375124632122"
}
},
"parameters": {
@ -6275,8 +6290,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.16.2.56959",
"templateHash": "4668263605694295146"
"version": "0.17.1.54307",
"templateHash": "18120221178179977349"
}
},
"parameters": {
@ -6387,8 +6402,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.16.2.56959",
"templateHash": "3350979249194752063"
"version": "0.17.1.54307",
"templateHash": "698709463730837083"
}
},
"parameters": {
@ -6516,8 +6531,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.16.2.56959",
"templateHash": "2555381514048861303"
"version": "0.17.1.54307",
"templateHash": "14445154365330656192"
}
},
"parameters": {
@ -6656,8 +6671,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.16.2.56959",
"templateHash": "2555381514048861303"
"version": "0.17.1.54307",
"templateHash": "14445154365330656192"
}
},
"parameters": {
@ -6790,8 +6805,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.16.2.56959",
"templateHash": "14510220128670688044"
"version": "0.17.1.54307",
"templateHash": "9895518615263357712"
}
},
"parameters": {
@ -6978,8 +6993,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.16.2.56959",
"templateHash": "3350979249194752063"
"version": "0.17.1.54307",
"templateHash": "698709463730837083"
}
},
"parameters": {
@ -7086,9 +7101,7 @@
"tags": {
"value": "[parameters('tags')]"
},
"privateDnsZonesId": {
"value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', variables('vnetHubSplitTokens')[2], variables('vnetHubSplitTokens')[4]), 'Microsoft.Resources/deployments', take(format('{0}-PrivateDnsZoneDeployment', replace(variables('appConfigurationDnsZoneName'), '.', '-')), 64)), '2022-09-01').outputs.privateDnsZonesId.value]"
},
"privateDnsZonesId": "[if(and(not(empty(parameters('subnetPrivateEndpointId'))), parameters('deployAppConfig')), createObject('value', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', variables('vnetHubSplitTokens')[2], variables('vnetHubSplitTokens')[4]), 'Microsoft.Resources/deployments', take(format('{0}-PrivateDnsZoneDeployment', replace(variables('appConfigurationDnsZoneName'), '.', '-')), 64)), '2022-09-01').outputs.privateDnsZonesId.value), createObject('value', ''))]",
"privateLinkServiceId": "[if(and(not(empty(parameters('subnetPrivateEndpointId'))), parameters('deployAppConfig')), createObject('value', reference(resourceId('Microsoft.Resources/deployments', take(format('{0}-app-configuration-Deployment', parameters('appConfigurationName')), 64)), '2022-09-01').outputs.resourceId.value), createObject('value', ''))]",
"snetId": {
"value": "[parameters('subnetPrivateEndpointId')]"
@ -7103,8 +7116,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.16.2.56959",
"templateHash": "2555381514048861303"
"version": "0.17.1.54307",
"templateHash": "14445154365330656192"
}
},
"parameters": {
@ -7232,8 +7245,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.16.2.56959",
"templateHash": "11864612487936299852"
"version": "0.17.1.54307",
"templateHash": "757317532981319179"
}
},
"parameters": {
@ -7358,8 +7371,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.16.2.56959",
"templateHash": "11864612487936299852"
"version": "0.17.1.54307",
"templateHash": "757317532981319179"
}
},
"parameters": {
@ -7482,8 +7495,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.16.2.56959",
"templateHash": "11864612487936299852"
"version": "0.17.1.54307",
"templateHash": "757317532981319179"
}
},
"parameters": {
@ -7608,8 +7621,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.16.2.56959",
"templateHash": "11864612487936299852"
"version": "0.17.1.54307",
"templateHash": "757317532981319179"
}
},
"parameters": {
@ -7784,7 +7797,9 @@
"skuName": {
"value": "Premium_AzureFrontDoor"
},
"wafPolicyName": "[if(parameters('enableWaf'), createObject('value', variables('resourceNames').frontDoorWaf), createObject('value', ''))]"
"wafPolicyName": {
"value": "[variables('resourceNames').frontDoorWaf]"
}
},
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
@ -7792,8 +7807,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.16.2.56959",
"templateHash": "3484995656345562412"
"version": "0.17.1.54307",
"templateHash": "13232520068507076660"
}
},
"parameters": {
@ -7860,7 +7875,7 @@
"type": "string",
"maxLength": 128,
"metadata": {
"description": "Name of the WAF policy to create. Set empty string if not WAF policy is required. Alphanumerics only!"
"description": "Name of the WAF policy to create."
}
},
"wafRuleSetAction": {
@ -8126,11 +8141,25 @@
]
},
{
"condition": "[not(empty(parameters('wafPolicyName')))]",
"type": "Microsoft.Cdn/profiles/securityPolicies",
"apiVersion": "2022-11-01-preview",
"name": "[format('{0}/{1}', parameters('afdName'), 'afdWafSecurityPolicy')]",
"properties": "[if(not(empty(parameters('wafPolicyName'))), createObject('parameters', createObject('wafPolicy', if(not(empty(parameters('wafPolicyName'))), createObject('id', resourceId('Microsoft.Network/FrontDoorWebApplicationFirewallPolicies', parameters('wafPolicyName'))), createObject()), 'associations', createArray(createObject('domains', variables('endPointIdsForWaf'), 'patternsToMatch', createArray('/*'))), 'type', 'WebApplicationFirewall')), createObject())]",
"properties": {
"parameters": {
"wafPolicy": {
"id": "[resourceId('Microsoft.Network/FrontDoorWebApplicationFirewallPolicies', parameters('wafPolicyName'))]"
},
"associations": [
{
"domains": "[variables('endPointIdsForWaf')]",
"patternsToMatch": [
"/*"
]
}
],
"type": "WebApplicationFirewall"
}
},
"dependsOn": [
"[resourceId('Microsoft.Cdn/profiles/afdEndpoints', parameters('afdName'), parameters('endpointName'))]",
"[resourceId('Microsoft.Cdn/profiles', parameters('afdName'))]",
@ -8153,7 +8182,6 @@
]
},
{
"condition": "[not(empty(parameters('wafPolicyName')))]",
"type": "Microsoft.Network/FrontDoorWebApplicationFirewallPolicies",
"apiVersion": "2022-05-01",
"name": "[parameters('wafPolicyName')]",
@ -8256,6 +8284,137 @@
"[resourceId('Microsoft.Resources/deployments', 'webAppModule-Deployment')]"
]
},
{
"condition": "[parameters('autoApproveAfdPrivateEndpoint')]",
"type": "Microsoft.Resources/deployments",
"apiVersion": "2022-09-01",
"name": "[take(format('autoApproveAfdPe-{0}-deployment', variables('resourceNames').frontDoor), 64)]",
"properties": {
"expressionEvaluationOptions": {
"scope": "inner"
},
"mode": "Incremental",
"parameters": {
"location": {
"value": "[parameters('location')]"
},
"idAfdPeAutoApproverName": {
"value": "[variables('resourceNames').idAfdApprovePeAutoApprover]"
}
},
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.17.1.54307",
"templateHash": "13580836858218228590"
}
},
"parameters": {
"location": {
"type": "string",
"metadata": {
"description": "Optional. The location to deploy the Redis cache service."
}
},
"utcValue": {
"type": "string",
"defaultValue": "[utcNow()]",
"metadata": {
"description": "Default value is OK. Sets how the deployment script should be forced to execute even if the script resource has not changed. Can be current time stamp"
}
},
"idAfdPeAutoApproverName": {
"type": "string",
"defaultValue": "[guid(resourceGroup().id, 'userAssignedIdentity')]",
"metadata": {
"description": "Optional. The name of the user-assigned identity to be used to auto-approve the private endpoint connection of the AFD. Changing this forces a new resource to be created."
}
}
},
"variables": {
"roleAssignmentName": "[guid(resourceGroup().id, 'contributor')]",
"contributorRoleDefinitionId": "[resourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]",
"deploymentScriptName": "runAfdApproval"
},
"resources": [
{
"type": "Microsoft.ManagedIdentity/userAssignedIdentities",
"apiVersion": "2018-11-30",
"name": "[parameters('idAfdPeAutoApproverName')]",
"location": "[parameters('location')]",
"metadata": {
"description": "The User Assigned MAnaged Identity that will be given Contributor role on the Resource Group in order to auto-approve the Private Endpoint Connection of the AFD."
}
},
{
"type": "Microsoft.Authorization/roleAssignments",
"apiVersion": "2020-04-01-preview",
"name": "[variables('roleAssignmentName')]",
"properties": {
"roleDefinitionId": "[variables('contributorRoleDefinitionId')]",
"principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('idAfdPeAutoApproverName')), '2018-11-30').principalId]",
"principalType": "ServicePrincipal"
},
"dependsOn": [
"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('idAfdPeAutoApproverName'))]"
],
"metadata": {
"description": "The role assignment that will be created to give the User Assigned Managed Identity Contributor role on the Resource Group in order to auto-approve the Private Endpoint Connection of the AFD."
}
},
{
"type": "Microsoft.Resources/deploymentScripts",
"apiVersion": "2020-10-01",
"name": "[variables('deploymentScriptName')]",
"location": "[parameters('location')]",
"kind": "AzureCLI",
"identity": {
"type": "UserAssigned",
"userAssignedIdentities": {
"[format('{0}', resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('idAfdPeAutoApproverName')))]": {}
}
},
"properties": {
"forceUpdateTag": "[parameters('utcValue')]",
"azCliVersion": "2.47.0",
"timeout": "PT30M",
"environmentVariables": [
{
"name": "ResourceGroupName",
"value": "[resourceGroup().name]"
}
],
"scriptContent": "rg_name=\"$ResourceGroupName\"; webapp_id=$(az webapp list -g $rg_name --query \"[].id\" -o tsv); fd_conn_id=$(az network private-endpoint-connection list --id $webapp_id --query \"[?properties.provisioningState == 'Pending'].{id:id}\" -o tsv);az network private-endpoint-connection approve --id $fd_conn_id --description \"ApprovedByCli\"",
"cleanupPreference": "OnSuccess",
"retentionInterval": "P1D"
},
"dependsOn": [
"[resourceId('Microsoft.Authorization/roleAssignments', variables('roleAssignmentName'))]",
"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('idAfdPeAutoApproverName'))]"
],
"metadata": {
"description": "The deployment script that will be used to auto-approve the Private Endpoint Connection of the AFD."
}
}
],
"outputs": {
"logs": {
"type": "string",
"metadata": {
"description": "The output of the deployment script that will be used to auto-approve the Private Endpoint Connection of the AFD."
},
"value": "[reference(resourceId('Microsoft.Resources/deploymentScripts/logs', variables('deploymentScriptName'), 'default'), '2020-10-01').log]"
}
}
}
},
"dependsOn": [
"[resourceId('Microsoft.Resources/deployments', take(format('AzureFrontDoor-{0}-deployment', variables('resourceNames').frontDoor), 64))]"
]
},
{
"condition": "[parameters('deployJumpHost')]",
"type": "Microsoft.Resources/deployments",
@ -8301,8 +8460,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.16.2.56959",
"templateHash": "1629132559186839816"
"version": "0.17.1.54307",
"templateHash": "15659440928257256549"
}
},
"parameters": {
@ -8409,8 +8568,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.16.2.56959",
"templateHash": "4027121501079573246"
"version": "0.17.1.54307",
"templateHash": "16391892586398122206"
}
},
"parameters": {
@ -8604,8 +8763,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.16.2.56959",
"templateHash": "11141289975918923488"
"version": "0.17.1.54307",
"templateHash": "10954988008367803769"
}
},
"parameters": {
@ -8743,8 +8902,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.16.2.56959",
"templateHash": "4668263605694295146"
"version": "0.17.1.54307",
"templateHash": "18120221178179977349"
}
},
"parameters": {
@ -8855,8 +9014,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.16.2.56959",
"templateHash": "11864612487936299852"
"version": "0.17.1.54307",
"templateHash": "757317532981319179"
}
},
"parameters": {
@ -8980,8 +9139,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.16.2.56959",
"templateHash": "11864612487936299852"
"version": "0.17.1.54307",
"templateHash": "757317532981319179"
}
},
"parameters": {
@ -9106,8 +9265,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.16.2.56959",
"templateHash": "11864612487936299852"
"version": "0.17.1.54307",
"templateHash": "757317532981319179"
}
},
"parameters": {
@ -9264,8 +9423,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.16.2.56959",
"templateHash": "12437269983621298607"
"version": "0.17.1.54307",
"templateHash": "6589372805357964201"
}
},
"parameters": {
@ -9363,8 +9522,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.16.2.56959",
"templateHash": "14416598177533215902"
"version": "0.17.1.54307",
"templateHash": "10925798244505841343"
}
},
"parameters": {
@ -9700,8 +9859,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.16.2.56959",
"templateHash": "3350979249194752063"
"version": "0.17.1.54307",
"templateHash": "698709463730837083"
}
},
"parameters": {
@ -9829,8 +9988,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.16.2.56959",
"templateHash": "2555381514048861303"
"version": "0.17.1.54307",
"templateHash": "14445154365330656192"
}
},
"parameters": {
@ -10042,8 +10201,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.16.2.56959",
"templateHash": "16477297883216356896"
"version": "0.17.1.54307",
"templateHash": "14050016351388336452"
}
},
"parameters": {
@ -10164,8 +10323,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.16.2.56959",
"templateHash": "14118292929852725599"
"version": "0.17.1.54307",
"templateHash": "1692445394927047818"
}
},
"parameters": {
@ -10407,8 +10566,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.16.2.56959",
"templateHash": "3350979249194752063"
"version": "0.17.1.54307",
"templateHash": "698709463730837083"
}
},
"parameters": {
@ -10536,8 +10695,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.16.2.56959",
"templateHash": "2555381514048861303"
"version": "0.17.1.54307",
"templateHash": "14445154365330656192"
}
},
"parameters": {
@ -10694,8 +10853,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.16.2.56959",
"templateHash": "2096898644630702913"
"version": "0.17.1.54307",
"templateHash": "9746862502566108013"
}
},
"parameters": {
@ -10753,8 +10912,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.16.2.56959",
"templateHash": "3361441087899058428"
"version": "0.17.1.54307",
"templateHash": "13181302078385014318"
}
},
"parameters": {
@ -10833,8 +10992,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.16.2.56959",
"templateHash": "3361441087899058428"
"version": "0.17.1.54307",
"templateHash": "13181302078385014318"
}
},
"parameters": {


@ -2,76 +2,110 @@
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
// max length: 10. Suffix that will be used to name the resources in a pattern like <resourceAbbreviation>-<workloadName>
"workloadName" : {
"value": "appSvc-LZA"
},
//Required. The name of the environmentName (e.g. "dev", "test", "prod", "preprod", "staging", "uat", "dr", "qa"). Up to 8 characters long.
"environmentName": {
"value": "${AZURE_ENV_NAME}"
"value": "dev"
},
//If empty, then a new hub will be deployed. If given, no new hub will be created and we create the peering between spoke and and existing hub vnet
"vnetHubResourceId": {
"value": ""
},
//If vnetHubResourceId empty, this value is irrelevant. If vnetHubResourceId has value and we need UDR, then the internal IP of the azFW needs to be set. Otherwise no UDR will be created
"firewallInternalIp": {
"value": ""
},
"vnetHubAddressSpace": {
"value": "10.242.0.0/20"
},
// Feature Flags
// set to true if you want to intercept all outbound traffic with azure firewall
"enableEgressLockdown" : {
"value": "true"
},
// set to true if you want to a redis cache
"deployRedis": {
"value": "false"
},
// set to true if you want to deploy a azure SQL server and default database
"deployAzureSql": {
"value": "true"
},
// set to true if you want to deploy application configuration
"deployAppConfig": {
"value": "true"
},
// set to true if you want to deploy a jumpbox/devops VM
"deployJumpHost": {
"value": "true"
},
// set to true if you want to auto approve the Private Endpoint of the AFD Premium
"autoApproveAfdPrivateEndpoint": {
"value": "true"
},
// CIDR of the subnet that will host the azure Firewall
"subnetHubFirewallAddressSpace": {
"value": "10.242.0.0/26"
},
// CIDR of the subnet that will host the Bastion Service
"subnetHubBastionAddressSpace": {
"value": "10.242.0.64/26"
},
//CIDR of the spoke vnet that will hold the app services plan and the rest supporting services (and their private endpoints)
"vnetSpokeAddressSpace": {
"value": "10.240.0.0/20"
},
//CIDR of the subnet that will hold the app services plan
"subnetSpokeAppSvcAddressSpace": {
"value": "10.240.0.0/26"
},
// //CIDRof the subnet that will hold the private link for the AFD Premium
// "subnetSpokeAfdIngressAddressSpace": {
// "value": "10.240.0.64/26"
// },
//CIDR of the subnet that will hold devOps agents etc
"subnetSpokeDevOpsAddressSpace": {
"value": "10.240.10.128/26"
},
//CIDR of the subnet that will hold the private endpoints of the supporting services
"subnetSpokePrivateEndpointAddressSpace": {
"value": "10.240.11.0/24"
},
// Defines the name, tier, size, family and capacity of the App Service Plan. Plans ending to _AZ, are deplying at least three instances in three Availability Zones. EP* is only for functions'
// select one from: 'S1', 'S2', 'S3', 'P1V3', 'P2V3', 'P3V3', 'P1V3_AZ', 'P2V3_AZ', 'P3V3_AZ'
"webAppPlanSku": {
"value": "S1"
},
// two options: Windows or Linux
"webAppBaseOs" :
{
"value": "Windows"
},
// admin username of the VM agent deployed in the Spoke
"adminUsername": {
"value": "azureuser"
},
// admin password of the VM agent deployed in the Spoke
"adminPassword": {
"value": "SuperStrong@Password42!"
"value": "strongpassword"
},
//Resource tags that we might need to add to all resources (i.e. Environment, Cost center, application name etc)
"resourceTags": {
"value": {
"deployment": "bicep"
}
},
// The Azure Active Directory (AAD) administrator group used for SQL Server authentication
"sqlServerAdministrators": {
"value": {
// Azure AD group where your Azure administrators are members
"login": "Azure AD SQL Admins",
// Azure AD object ID of the group
"sid": "xxx-xxxx-xxxx-xxxx",
// Azure AD tenant ID where the group is located
"tenantId": "xxxx-xxxxxx-xxxxx-xxxxx-xxx"
}
}
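Review bot: `adminPassword` is still a plaintext credential committed to the repository, and the new value `"strongpassword"` is lowercase-only, which the jump-host VM is likely to reject under Azure's password-complexity rules, so the change neither removes the secret from source control nor gives a deployable default. The parameters file can reference a Key Vault secret instead of carrying an inline value, as in the excerpt below (resource id and secret name are placeholders), or leave the value out for the portal form to collect. Separately, the `sid` placeholder shipped here (`"xxx-xxxx-xxxx-xxxx"`) does not match the sentinel the template compares against in the `administrators` expression (`'xxxx-xxxx-xxxx-xxxx-xxxx'`), so the guard that skips the Azure AD administrator when the placeholder is left in place appears not to fire for these defaults; aligning the two strings, or having the guard test for an empty `sid`, would close that gap. The bool-typed parameters, including the newly added `autoApproveAfdPrivateEndpoint`, are given as the string `"true"` rather than the literal `true`; whether ARM coerces that against the template's `"type": "bool"` declaration is worth confirming before relying on this file.
```json
// … unchanged: parameters up to adminUsername …
"adminPassword": {
  "reference": {
    "keyVault": {
      "id": "<KEY_VAULT_RESOURCE_ID placeholder>"
    },
    "secretName": "<SECRET_NAME placeholder>"
  }
},
// … unchanged: resourceTags and sqlServerAdministrators …
```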