Added network watcher to unique spokes (#902)

* Added network watcher to unique spokes

* GitHub Action: Build Bicep to JSON

---------

Co-authored-by: github-actions <github-actions@github.com>
Jason Masten 2024-02-19 17:54:02 -05:00 коммит произвёл GitHub
Родитель 237b27c5c6
Коммит 5dcb1ca04e
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: B5690EEEBB952194
3 изменённых файлов: 112 добавлений и 13 удалений


@ -2,10 +2,12 @@
Copyright (c) Microsoft Corporation.
Licensed under the MIT License.
*/
param deployNetworkWatcher bool
param firewallSkuTier string
param location string
param networkSecurityGroupName string
param networkSecurityGroupRules array
param networkWatcherName string
param routeTableName string
param routeTableRouteName string = 'default_route'
param routeTableRouteAddressPrefix string = '0.0.0.0/0'
@ -43,6 +45,15 @@ module routeTable '../modules/route-table.bicep' = {
}
}
module networkWatcher '../modules/network-watcher.bicep' = if (deployNetworkWatcher) {
name: 'networkWatcher'
params: {
location: location
name: networkWatcherName
tags: tags
}
}
module virtualNetwork '../modules/virtual-network.bicep' = {
name: 'virtualNetwork'
params: {
@ -69,6 +80,9 @@ module virtualNetwork '../modules/virtual-network.bicep' = {
vNetDnsServers: vNetDnsServers
firewallSkuTier: firewallSkuTier
}
dependsOn: [
networkWatcher
]
}
output virtualNetworkName string = virtualNetwork.outputs.name
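Review bot: The new `deployNetworkWatcher` and `networkWatcherName` parameters carry no `@description`, and nothing in this file says when the watcher has to be skipped. By default Azure allows one Network Watcher per subscription per region, and the flag passed in from the caller only reflects whether the spoke shares a subscription with another tier, so a subscription that already holds a watcher in `location` would presumably fail this module. I would state that on the parameter, e.g. `@description('Deploy a Network Watcher for this spoke. Set to false when the subscription already has one in this region.')`. The explicit `dependsOn` on `virtualNetwork` also deserves a why-comment, such as `// create the watcher first so the virtual network does not trigger an automatically created one`, if that is the intent.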


@ -101,7 +101,7 @@ param sharedServicesSubnetAddressPrefix string = '10.0.120.0/27'
'Premium'
'Basic'
])
@description('[Standard/Premium/Basic] The SKU for Azure Firewall. It defaults to "Premium". Selecting a value other than Premium is not recommended for environments that are required to be SCCA compliant.' )
@description('[Standard/Premium/Basic] The SKU for Azure Firewall. It defaults to "Premium". Selecting a value other than Premium is not recommended for environments that are required to be SCCA compliant.')
param firewallSkuTier string
@allowed([
@ -599,6 +599,7 @@ var identityLogStorageAccountPrivateEndpointName = replace(replace(privateEndpoi
var identityLogStorageAccountShortName = replace(replace(storageAccountNamingConvention, serviceToken, ''), networkToken, identityShortName)
var identityLogStorageAccountUniqueName = replace(identityLogStorageAccountShortName, 'unique_token', uniqueString(resourcePrefix, environmentAbbreviation, identitySubscriptionId))
var identityNetworkSecurityGroupName = replace(replace(networkSecurityGroupNamingConvention, '-${serviceToken}', ''), networkToken, identityName)
var identityNetworkWatcherName = replace(replace(networkWatcherNamingConvention, '-${serviceToken}', ''), networkToken, identityName)
var identityResourceGroupName = replace(replace(resourceGroupNamingConvention, '-${serviceToken}', ''), networkToken, identityName)
var identityRouteTableName = replace(replace(routeTableNamingConvention, '-${serviceToken}', ''), networkToken, identityName)
var identitySubnetName = replace(replace(subnetNamingConvention, '-${serviceToken}', ''), networkToken, identityName)
@ -614,6 +615,7 @@ var operationsLogStorageAccountPrivateEndpointName = replace(replace(privateEndp
var operationsLogStorageAccountShortName = replace(replace(storageAccountNamingConvention, serviceToken, ''), networkToken, operationsShortName)
var operationsLogStorageAccountUniqueName = replace(operationsLogStorageAccountShortName, 'unique_token', uniqueString(resourcePrefix, environmentAbbreviation, operationsSubscriptionId))
var operationsNetworkSecurityGroupName = replace(replace(networkSecurityGroupNamingConvention, '-${serviceToken}', ''), networkToken, operationsName)
var operationsNetworkWatcherName = replace(replace(networkWatcherNamingConvention, '-${serviceToken}', ''), networkToken, operationsName)
var operationsPrivateLinkScopeName = replace(replace(privateLinkScopeName, '-${serviceToken}', ''), networkToken, operationsName)
var operationsPrivateLinkScopeNetworkInterfaceName = replace(replace(networkInterfaceNamingConvention, serviceToken, 'pls'), networkToken, operationsName)
var operationsPrivateLinkScopePrivateEndpointName = replace(replace(privateEndpointNamingConvention, serviceToken, 'pls'), networkToken, operationsName)
@ -632,6 +634,7 @@ var sharedServicesLogStorageAccountNetworkInterfaceName = replace(replace(networ
var sharedServicesLogStorageAccountShortName = replace(replace(storageAccountNamingConvention, serviceToken, ''), networkToken, sharedServicesShortName)
var sharedServicesLogStorageAccountUniqueName = replace(sharedServicesLogStorageAccountShortName, 'unique_token', uniqueString(resourcePrefix, environmentAbbreviation, sharedServicesSubscriptionId))
var sharedServicesNetworkSecurityGroupName = replace(replace(networkSecurityGroupNamingConvention, '-${serviceToken}', ''), networkToken, sharedServicesName)
var sharedServicesNetworkWatcherName = replace(replace(networkWatcherNamingConvention, '-${serviceToken}', ''), networkToken, sharedServicesName)
var sharedServicesResourceGroupName = replace(replace(resourceGroupNamingConvention, '-${serviceToken}', ''), networkToken, sharedServicesName)
var sharedServicesRouteTableName = replace(replace(routeTableNamingConvention, '-${serviceToken}', ''), networkToken, sharedServicesName)
var sharedServicesSubnetName = replace(replace(subnetNamingConvention, '-${serviceToken}', ''), networkToken, sharedServicesName)
@ -684,6 +687,7 @@ var spokesCommon = [
name: operationsName
subscriptionId: operationsSubscriptionId
resourceGroupName: operationsResourceGroupName
deployUniqueResources: contains([ hubSubscriptionId ], operationsSubscriptionId) ? false : true
logStorageAccountName: operationsLogStorageAccountName
logStorageAccountNetworkInterfaceNamePrefix: operationsLogStorageAccountNetworkInterfaceName
logStorageAccountPrivateEndpointNamePrefix: operationsLogStorageAccountPrivateEndpointName
@ -695,6 +699,7 @@ var spokesCommon = [
networkSecurityGroupRules: operationsNetworkSecurityGroupRules
networkSecurityGroupDiagnosticsLogs: operationsNetworkSecurityGroupDiagnosticsLogs
networkSecurityGroupDiagnosticsMetrics: operationsNetworkSecurityGroupDiagnosticsMetrics
networkWatcherName: operationsNetworkWatcherName
routeTableName: operationsRouteTableName
subnetName: operationsSubnetName
subnetAddressPrefix: operationsSubnetAddressPrefix
@ -705,6 +710,7 @@ var spokesCommon = [
name: sharedServicesName
subscriptionId: sharedServicesSubscriptionId
resourceGroupName: sharedServicesResourceGroupName
deployUniqueResources: contains([ hubSubscriptionId, operationsSubscriptionId ], sharedServicesSubscriptionId) ? false : true
logStorageAccountName: sharedServicesLogStorageAccountName
logStorageAccountNetworkInterfaceNamePrefix: sharedServicesLogStorageAccountNetworkInterfaceName
logStorageAccountPrivateEndpointNamePrefix: sharedServicesLogStorageAccountPrivateEndpointName
@ -716,6 +722,7 @@ var spokesCommon = [
networkSecurityGroupRules: sharedServicesNetworkSecurityGroupRules
networkSecurityGroupDiagnosticsLogs: sharedServicesNetworkSecurityGroupDiagnosticsLogs
networkSecurityGroupDiagnosticsMetrics: sharedServicesNetworkSecurityGroupDiagnosticsMetrics
networkWatcherName: sharedServicesNetworkWatcherName
routeTableName: sharedServicesRouteTableName
subnetName: sharedServicesSubnetName
subnetAddressPrefix: sharedServicesSubnetAddressPrefix
@ -728,6 +735,7 @@ var spokesIdentity = deployIdentity ? [
name: identityName
subscriptionId: identitySubscriptionId
resourceGroupName: identityResourceGroupName
deployUniqueResources: contains([ hubSubscriptionId, operationsSubscriptionId, sharedServicesSubscriptionId ], identitySubscriptionId) ? false : true
logStorageAccountName: identityLogStorageAccountName
logStorageAccountNetworkInterfaceNamePrefix: identityLogStorageAccountNetworkInterfaceName
logStorageAccountPrivateEndpointNamePrefix: identityLogStorageAccountPrivateEndpointName
@ -739,6 +747,7 @@ var spokesIdentity = deployIdentity ? [
networkSecurityGroupRules: identityNetworkSecurityGroupRules
networkSecurityGroupDiagnosticsLogs: identityNetworkSecurityGroupDiagnosticsLogs
networkSecurityGroupDiagnosticsMetrics: identityNetworkSecurityGroupDiagnosticsMetrics
networkWatcherName: identityNetworkWatcherName
routeTableName: identityRouteTableName
subnetName: identitySubnetName
subnetAddressPrefix: identitySubnetAddressPrefix
@ -860,9 +869,12 @@ module spokeNetworks './core/spoke-network.bicep' = [for spoke in spokes: {
name: 'deploy-vnet-${spoke.name}-${deploymentNameSuffix}'
scope: resourceGroup(spoke.subscriptionId, spoke.resourceGroupName)
params: {
deployNetworkWatcher: spoke.deployUniqueResources
firewallSkuTier: firewallSkuTier
location: location
networkSecurityGroupName: spoke.networkSecurityGroupName
networkSecurityGroupRules: spoke.networkSecurityGroupRules
networkWatcherName: spoke.networkWatcherName
routeTableName: spoke.routeTableName
routeTableRouteNextHopIpAddress: firewallClientPrivateIpAddress
subnetAddressPrefix: spoke.subnetAddressPrefix
@ -872,8 +884,6 @@ module spokeNetworks './core/spoke-network.bicep' = [for spoke in spokes: {
tags: calculatedTags
virtualNetworkAddressPrefix: spoke.virtualNetworkAddressPrefix
virtualNetworkName: spoke.virtualNetworkName
firewallSkuTier: firewallSkuTier
vNetDnsServers: [ hubNetwork.outputs.firewallPrivateIPAddress ]
}
dependsOn: [
@ -961,9 +971,9 @@ module azureMonitor './modules/azure-monitor.bicep' = if (contains(supportedClou
monitorPrivateDnsZoneId: privateDnsZones.outputs.monitorPrivateDnsZoneId
odsPrivateDnsZoneId: privateDnsZones.outputs.odsPrivateDnsZoneId
omsPrivateDnsZoneId: privateDnsZones.outputs.omsPrivateDnsZoneId
privateLinkScopeName : operationsPrivateLinkScopeName
privateLinkScopeName: operationsPrivateLinkScopeName
privateLinkScopeNetworkInterfaceName: operationsPrivateLinkScopeNetworkInterfaceName
privateLinkScopePrivateEndpointName : operationsPrivateLinkScopePrivateEndpointName
privateLinkScopePrivateEndpointName: operationsPrivateLinkScopePrivateEndpointName
subnetResourceId: spokeNetworks[0].outputs.subnetResourceId
tags: tags
}
@ -1136,7 +1146,7 @@ module hubSubscriptionActivityLogging './modules/central-logging.bicep' = {
]
}
module spokeSubscriptionActivityLogging './modules/central-logging.bicep' = [for spoke in spokes: if (spoke.subscriptionId != hubSubscriptionId) {
module spokeSubscriptionActivityLogging './modules/central-logging.bicep' = [for spoke in spokes: if (spoke.deployUniqueResources) {
name: 'activity-logs-${spoke.name}-${deploymentNameSuffix}'
scope: subscription(spoke.subscriptionId)
params: {
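Review bot: The three `deployUniqueResources` expressions compare subscription IDs with `contains()`, which is case-sensitive, so the same subscription entered with different GUID casing for two tiers is evaluated as unique. That flag now gates both the spoke Network Watcher and `spokeSubscriptionActivityLogging`, so a casing mismatch would attempt a second watcher and a second activity-log deployment in the same subscription. Normalising the operands and dropping the redundant `? false : true` covers it, e.g. `deployUniqueResources: !contains([ toLower(hubSubscriptionId) ], toLower(operationsSubscriptionId))`, with the same form for the shared services and identity entries. The `spokesCommon` and `spokesIdentity` definitions begin and end outside these hunks, so any normalisation done earlier in the file is not visible here.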


@ -5,7 +5,7 @@
"_generator": {
"name": "bicep",
"version": "0.25.53.49325",
"templateHash": "6748957602055240740"
"templateHash": "15127050233787149227"
}
},
"parameters": {
@ -1273,6 +1273,7 @@
"identityLogStorageAccountShortName": "[replace(replace(variables('storageAccountNamingConvention'), variables('serviceToken'), ''), variables('networkToken'), variables('identityShortName'))]",
"identityLogStorageAccountUniqueName": "[replace(variables('identityLogStorageAccountShortName'), 'unique_token', uniqueString(parameters('resourcePrefix'), parameters('environmentAbbreviation'), parameters('identitySubscriptionId')))]",
"identityNetworkSecurityGroupName": "[replace(replace(variables('networkSecurityGroupNamingConvention'), format('-{0}', variables('serviceToken')), ''), variables('networkToken'), variables('identityName'))]",
"identityNetworkWatcherName": "[replace(replace(variables('networkWatcherNamingConvention'), format('-{0}', variables('serviceToken')), ''), variables('networkToken'), variables('identityName'))]",
"identityResourceGroupName": "[replace(replace(variables('resourceGroupNamingConvention'), format('-{0}', variables('serviceToken')), ''), variables('networkToken'), variables('identityName'))]",
"identityRouteTableName": "[replace(replace(variables('routeTableNamingConvention'), format('-{0}', variables('serviceToken')), ''), variables('networkToken'), variables('identityName'))]",
"identitySubnetName": "[replace(replace(variables('subnetNamingConvention'), format('-{0}', variables('serviceToken')), ''), variables('networkToken'), variables('identityName'))]",
@ -1285,6 +1286,7 @@
"operationsLogStorageAccountShortName": "[replace(replace(variables('storageAccountNamingConvention'), variables('serviceToken'), ''), variables('networkToken'), variables('operationsShortName'))]",
"operationsLogStorageAccountUniqueName": "[replace(variables('operationsLogStorageAccountShortName'), 'unique_token', uniqueString(parameters('resourcePrefix'), parameters('environmentAbbreviation'), parameters('operationsSubscriptionId')))]",
"operationsNetworkSecurityGroupName": "[replace(replace(variables('networkSecurityGroupNamingConvention'), format('-{0}', variables('serviceToken')), ''), variables('networkToken'), variables('operationsName'))]",
"operationsNetworkWatcherName": "[replace(replace(variables('networkWatcherNamingConvention'), format('-{0}', variables('serviceToken')), ''), variables('networkToken'), variables('operationsName'))]",
"operationsPrivateLinkScopeName": "[replace(replace(variables('privateLinkScopeName'), format('-{0}', variables('serviceToken')), ''), variables('networkToken'), variables('operationsName'))]",
"operationsPrivateLinkScopeNetworkInterfaceName": "[replace(replace(variables('networkInterfaceNamingConvention'), variables('serviceToken'), 'pls'), variables('networkToken'), variables('operationsName'))]",
"operationsPrivateLinkScopePrivateEndpointName": "[replace(replace(variables('privateEndpointNamingConvention'), variables('serviceToken'), 'pls'), variables('networkToken'), variables('operationsName'))]",
@ -1300,6 +1302,7 @@
"sharedServicesLogStorageAccountShortName": "[replace(replace(variables('storageAccountNamingConvention'), variables('serviceToken'), ''), variables('networkToken'), variables('sharedServicesShortName'))]",
"sharedServicesLogStorageAccountUniqueName": "[replace(variables('sharedServicesLogStorageAccountShortName'), 'unique_token', uniqueString(parameters('resourcePrefix'), parameters('environmentAbbreviation'), parameters('sharedServicesSubscriptionId')))]",
"sharedServicesNetworkSecurityGroupName": "[replace(replace(variables('networkSecurityGroupNamingConvention'), format('-{0}', variables('serviceToken')), ''), variables('networkToken'), variables('sharedServicesName'))]",
"sharedServicesNetworkWatcherName": "[replace(replace(variables('networkWatcherNamingConvention'), format('-{0}', variables('serviceToken')), ''), variables('networkToken'), variables('sharedServicesName'))]",
"sharedServicesResourceGroupName": "[replace(replace(variables('resourceGroupNamingConvention'), format('-{0}', variables('serviceToken')), ''), variables('networkToken'), variables('sharedServicesName'))]",
"sharedServicesRouteTableName": "[replace(replace(variables('routeTableNamingConvention'), format('-{0}', variables('serviceToken')), ''), variables('networkToken'), variables('sharedServicesName'))]",
"sharedServicesSubnetName": "[replace(replace(variables('subnetNamingConvention'), format('-{0}', variables('serviceToken')), ''), variables('networkToken'), variables('sharedServicesName'))]",
@ -1333,6 +1336,7 @@
"name": "[variables('operationsName')]",
"subscriptionId": "[parameters('operationsSubscriptionId')]",
"resourceGroupName": "[variables('operationsResourceGroupName')]",
"deployUniqueResources": "[if(contains(createArray(parameters('hubSubscriptionId')), parameters('operationsSubscriptionId')), false(), true())]",
"logStorageAccountName": "[variables('operationsLogStorageAccountName')]",
"logStorageAccountNetworkInterfaceNamePrefix": "[variables('operationsLogStorageAccountNetworkInterfaceName')]",
"logStorageAccountPrivateEndpointNamePrefix": "[variables('operationsLogStorageAccountPrivateEndpointName')]",
@ -1344,6 +1348,7 @@
"networkSecurityGroupRules": "[parameters('operationsNetworkSecurityGroupRules')]",
"networkSecurityGroupDiagnosticsLogs": "[parameters('operationsNetworkSecurityGroupDiagnosticsLogs')]",
"networkSecurityGroupDiagnosticsMetrics": "[parameters('operationsNetworkSecurityGroupDiagnosticsMetrics')]",
"networkWatcherName": "[variables('operationsNetworkWatcherName')]",
"routeTableName": "[variables('operationsRouteTableName')]",
"subnetName": "[variables('operationsSubnetName')]",
"subnetAddressPrefix": "[parameters('operationsSubnetAddressPrefix')]",
@ -1354,6 +1359,7 @@
"name": "[variables('sharedServicesName')]",
"subscriptionId": "[parameters('sharedServicesSubscriptionId')]",
"resourceGroupName": "[variables('sharedServicesResourceGroupName')]",
"deployUniqueResources": "[if(contains(createArray(parameters('hubSubscriptionId'), parameters('operationsSubscriptionId')), parameters('sharedServicesSubscriptionId')), false(), true())]",
"logStorageAccountName": "[variables('sharedServicesLogStorageAccountName')]",
"logStorageAccountNetworkInterfaceNamePrefix": "[variables('sharedServicesLogStorageAccountNetworkInterfaceName')]",
"logStorageAccountPrivateEndpointNamePrefix": "[variables('sharedServicesLogStorageAccountPrivateEndpointName')]",
@ -1365,6 +1371,7 @@
"networkSecurityGroupRules": "[parameters('sharedServicesNetworkSecurityGroupRules')]",
"networkSecurityGroupDiagnosticsLogs": "[parameters('sharedServicesNetworkSecurityGroupDiagnosticsLogs')]",
"networkSecurityGroupDiagnosticsMetrics": "[parameters('sharedServicesNetworkSecurityGroupDiagnosticsMetrics')]",
"networkWatcherName": "[variables('sharedServicesNetworkWatcherName')]",
"routeTableName": "[variables('sharedServicesRouteTableName')]",
"subnetName": "[variables('sharedServicesSubnetName')]",
"subnetAddressPrefix": "[parameters('sharedServicesSubnetAddressPrefix')]",
@ -1372,7 +1379,7 @@
"subnetPrivateLinkServiceNetworkPolicies": "Disabled"
}
],
"spokesIdentity": "[if(parameters('deployIdentity'), createArray(createObject('name', variables('identityName'), 'subscriptionId', parameters('identitySubscriptionId'), 'resourceGroupName', variables('identityResourceGroupName'), 'logStorageAccountName', variables('identityLogStorageAccountName'), 'logStorageAccountNetworkInterfaceNamePrefix', variables('identityLogStorageAccountNetworkInterfaceName'), 'logStorageAccountPrivateEndpointNamePrefix', variables('identityLogStorageAccountPrivateEndpointName'), 'virtualNetworkName', variables('identityVirtualNetworkName'), 'virtualNetworkAddressPrefix', parameters('identityVirtualNetworkAddressPrefix'), 'virtualNetworkDiagnosticsLogs', parameters('identityVirtualNetworkDiagnosticsLogs'), 'virtualNetworkDiagnosticsMetrics', parameters('identityVirtualNetworkDiagnosticsMetrics'), 'networkSecurityGroupName', variables('identityNetworkSecurityGroupName'), 'networkSecurityGroupRules', parameters('identityNetworkSecurityGroupRules'), 'networkSecurityGroupDiagnosticsLogs', parameters('identityNetworkSecurityGroupDiagnosticsLogs'), 'networkSecurityGroupDiagnosticsMetrics', parameters('identityNetworkSecurityGroupDiagnosticsMetrics'), 'routeTableName', variables('identityRouteTableName'), 'subnetName', variables('identitySubnetName'), 'subnetAddressPrefix', parameters('identitySubnetAddressPrefix'), 'subnetPrivateEndpointNetworkPolicies', 'Disabled', 'subnetPrivateLinkServiceNetworkPolicies', 'Disabled')), createArray())]",
"spokesIdentity": "[if(parameters('deployIdentity'), createArray(createObject('name', variables('identityName'), 'subscriptionId', parameters('identitySubscriptionId'), 'resourceGroupName', variables('identityResourceGroupName'), 'deployUniqueResources', if(contains(createArray(parameters('hubSubscriptionId'), parameters('operationsSubscriptionId'), parameters('sharedServicesSubscriptionId')), parameters('identitySubscriptionId')), false(), true()), 'logStorageAccountName', variables('identityLogStorageAccountName'), 'logStorageAccountNetworkInterfaceNamePrefix', variables('identityLogStorageAccountNetworkInterfaceName'), 'logStorageAccountPrivateEndpointNamePrefix', variables('identityLogStorageAccountPrivateEndpointName'), 'virtualNetworkName', variables('identityVirtualNetworkName'), 'virtualNetworkAddressPrefix', parameters('identityVirtualNetworkAddressPrefix'), 'virtualNetworkDiagnosticsLogs', parameters('identityVirtualNetworkDiagnosticsLogs'), 'virtualNetworkDiagnosticsMetrics', parameters('identityVirtualNetworkDiagnosticsMetrics'), 'networkSecurityGroupName', variables('identityNetworkSecurityGroupName'), 'networkSecurityGroupRules', parameters('identityNetworkSecurityGroupRules'), 'networkSecurityGroupDiagnosticsLogs', parameters('identityNetworkSecurityGroupDiagnosticsLogs'), 'networkSecurityGroupDiagnosticsMetrics', parameters('identityNetworkSecurityGroupDiagnosticsMetrics'), 'networkWatcherName', variables('identityNetworkWatcherName'), 'routeTableName', variables('identityRouteTableName'), 'subnetName', variables('identitySubnetName'), 'subnetAddressPrefix', parameters('identitySubnetAddressPrefix'), 'subnetPrivateEndpointNetworkPolicies', 'Disabled', 'subnetPrivateLinkServiceNetworkPolicies', 'Disabled')), createArray())]",
"defaultTags": {
"resourcePrefix": "[parameters('resourcePrefix')]",
"environmentAbbreviation": "[parameters('environmentAbbreviation')]",
@ -2922,6 +2929,12 @@
},
"mode": "Incremental",
"parameters": {
"deployNetworkWatcher": {
"value": "[variables('spokes')[copyIndex()].deployUniqueResources]"
},
"firewallSkuTier": {
"value": "[parameters('firewallSkuTier')]"
},
"location": {
"value": "[parameters('location')]"
},
@ -2931,6 +2944,9 @@
"networkSecurityGroupRules": {
"value": "[variables('spokes')[copyIndex()].networkSecurityGroupRules]"
},
"networkWatcherName": {
"value": "[variables('spokes')[copyIndex()].networkWatcherName]"
},
"routeTableName": {
"value": "[variables('spokes')[copyIndex()].routeTableName]"
},
@ -2958,9 +2974,6 @@
"virtualNetworkName": {
"value": "[variables('spokes')[copyIndex()].virtualNetworkName]"
},
"firewallSkuTier": {
"value": "[parameters('firewallSkuTier')]"
},
"vNetDnsServers": {
"value": [
"[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.firewallPrivateIPAddress.value]"
@ -2974,10 +2987,13 @@
"_generator": {
"name": "bicep",
"version": "0.25.53.49325",
"templateHash": "12984866997767801372"
"templateHash": "705252534783500241"
}
},
"parameters": {
"deployNetworkWatcher": {
"type": "bool"
},
"firewallSkuTier": {
"type": "string"
},
@ -2990,6 +3006,9 @@
"networkSecurityGroupRules": {
"type": "array"
},
"networkWatcherName": {
"type": "string"
},
"routeTableName": {
"type": "string"
},
@ -3205,6 +3224,61 @@
}
}
},
{
"condition": "[parameters('deployNetworkWatcher')]",
"type": "Microsoft.Resources/deployments",
"apiVersion": "2022-09-01",
"name": "networkWatcher",
"properties": {
"expressionEvaluationOptions": {
"scope": "inner"
},
"mode": "Incremental",
"parameters": {
"location": {
"value": "[parameters('location')]"
},
"name": {
"value": "[parameters('networkWatcherName')]"
},
"tags": {
"value": "[parameters('tags')]"
}
},
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.25.53.49325",
"templateHash": "7393503353750877364"
}
},
"parameters": {
"location": {
"type": "string"
},
"name": {
"type": "string"
},
"tags": {
"type": "object"
}
},
"resources": [
{
"type": "Microsoft.Network/networkWatchers",
"apiVersion": "2021-02-01",
"name": "[parameters('name')]",
"location": "[parameters('location')]",
"tags": "[parameters('tags')]",
"properties": {}
}
]
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2022-09-01",
@ -3325,6 +3399,7 @@
},
"dependsOn": [
"[resourceId('Microsoft.Resources/deployments', 'networkSecurityGroup')]",
"[resourceId('Microsoft.Resources/deployments', 'networkWatcher')]",
"[resourceId('Microsoft.Resources/deployments', 'routeTable')]"
]
}
@ -7809,7 +7884,7 @@
"name": "spokeSubscriptionActivityLogging",
"count": "[length(variables('spokes'))]"
},
"condition": "[not(equals(variables('spokes')[copyIndex()].subscriptionId, parameters('hubSubscriptionId')))]",
"condition": "[variables('spokes')[copyIndex()].deployUniqueResources]",
"type": "Microsoft.Resources/deployments",
"apiVersion": "2022-09-01",
"name": "[format('activity-logs-{0}-{1}', variables('spokes')[copyIndex()].name, parameters('deploymentNameSuffix'))]",