diff --git a/src/bicep/core/spoke-network.bicep b/src/bicep/core/spoke-network.bicep index bde3b02b..b71b6932 100644 --- a/src/bicep/core/spoke-network.bicep +++ b/src/bicep/core/spoke-network.bicep @@ -2,10 +2,12 @@ Copyright (c) Microsoft Corporation. Licensed under the MIT License. */ +param deployNetworkWatcher bool param firewallSkuTier string param location string param networkSecurityGroupName string param networkSecurityGroupRules array +param networkWatcherName string param routeTableName string param routeTableRouteName string = 'default_route' param routeTableRouteAddressPrefix string = '0.0.0.0/0' @@ -43,6 +45,15 @@ module routeTable '../modules/route-table.bicep' = { } } +module networkWatcher '../modules/network-watcher.bicep' = if (deployNetworkWatcher) { + name: 'networkWatcher' + params: { + location: location + name: networkWatcherName + tags: tags + } +} + module virtualNetwork '../modules/virtual-network.bicep' = { name: 'virtualNetwork' params: { @@ -69,6 +80,9 @@ module virtualNetwork '../modules/virtual-network.bicep' = { vNetDnsServers: vNetDnsServers firewallSkuTier: firewallSkuTier } + dependsOn: [ + networkWatcher + ] } output virtualNetworkName string = virtualNetwork.outputs.name diff --git a/src/bicep/mlz.bicep b/src/bicep/mlz.bicep index 8f90ab90..bc323fd5 100644 --- a/src/bicep/mlz.bicep +++ b/src/bicep/mlz.bicep @@ -101,7 +101,7 @@ param sharedServicesSubnetAddressPrefix string = '10.0.120.0/27' 'Premium' 'Basic' ]) -@description('[Standard/Premium/Basic] The SKU for Azure Firewall. It defaults to "Premium". Selecting a value other than Premium is not recommended for environments that are required to be SCCA compliant.' ) +@description('[Standard/Premium/Basic] The SKU for Azure Firewall. It defaults to "Premium". Selecting a value other than Premium is not recommended for environments that are required to be SCCA compliant.') param firewallSkuTier string @allowed([ 
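Review bot: The conditional `networkWatcher` module in the second spoke-network.bicep hunk only prevents this template from creating two watchers; it does not account for a watcher that already exists in the target subscription. Azure allows one Network Watcher per subscription and region by default and normally creates one itself when a virtual network is created, so a subscription that already holds a VNet in `location` is likely to fail here on that limit. State the precondition on the new parameter, e.g. `@description('Set to false when the subscription already has a Network Watcher in this region.')` above `param deployNetworkWatcher bool`. If the new `dependsOn` in the third hunk exists to get the named watcher in place before the VNet triggers auto-creation, say so with `// Create the watcher first so Azure does not auto-create one alongside the virtual network.`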
@@ -599,6 +599,7 @@ var identityLogStorageAccountPrivateEndpointName = replace(replace(privateEndpoi var identityLogStorageAccountShortName = replace(replace(storageAccountNamingConvention, serviceToken, ''), networkToken, identityShortName) var identityLogStorageAccountUniqueName = replace(identityLogStorageAccountShortName, 'unique_token', uniqueString(resourcePrefix, environmentAbbreviation, identitySubscriptionId)) var identityNetworkSecurityGroupName = replace(replace(networkSecurityGroupNamingConvention, '-${serviceToken}', ''), networkToken, identityName) +var identityNetworkWatcherName = replace(replace(networkWatcherNamingConvention, '-${serviceToken}', ''), networkToken, identityName) var identityResourceGroupName = replace(replace(resourceGroupNamingConvention, '-${serviceToken}', ''), networkToken, identityName) var identityRouteTableName = replace(replace(routeTableNamingConvention, '-${serviceToken}', ''), networkToken, identityName) var identitySubnetName = replace(replace(subnetNamingConvention, '-${serviceToken}', ''), networkToken, identityName) 
@@ -614,6 +615,7 @@ var operationsLogStorageAccountPrivateEndpointName = replace(replace(privateEndp var operationsLogStorageAccountShortName = replace(replace(storageAccountNamingConvention, serviceToken, ''), networkToken, operationsShortName) var operationsLogStorageAccountUniqueName = replace(operationsLogStorageAccountShortName, 'unique_token', uniqueString(resourcePrefix, environmentAbbreviation, operationsSubscriptionId)) var operationsNetworkSecurityGroupName = replace(replace(networkSecurityGroupNamingConvention, '-${serviceToken}', ''), networkToken, operationsName) +var operationsNetworkWatcherName = replace(replace(networkWatcherNamingConvention, '-${serviceToken}', ''), networkToken, operationsName) var operationsPrivateLinkScopeName = replace(replace(privateLinkScopeName, '-${serviceToken}', ''), networkToken, operationsName) var operationsPrivateLinkScopeNetworkInterfaceName = replace(replace(networkInterfaceNamingConvention, serviceToken, 'pls'), networkToken, operationsName) var operationsPrivateLinkScopePrivateEndpointName = replace(replace(privateEndpointNamingConvention, serviceToken, 'pls'), networkToken, operationsName) 
@@ -632,6 +634,7 @@ var sharedServicesLogStorageAccountNetworkInterfaceName = replace(replace(networ var sharedServicesLogStorageAccountShortName = replace(replace(storageAccountNamingConvention, serviceToken, ''), networkToken, sharedServicesShortName) var sharedServicesLogStorageAccountUniqueName = replace(sharedServicesLogStorageAccountShortName, 'unique_token', uniqueString(resourcePrefix, environmentAbbreviation, sharedServicesSubscriptionId)) var sharedServicesNetworkSecurityGroupName = replace(replace(networkSecurityGroupNamingConvention, '-${serviceToken}', ''), networkToken, sharedServicesName) +var sharedServicesNetworkWatcherName = replace(replace(networkWatcherNamingConvention, '-${serviceToken}', ''), networkToken, sharedServicesName) var sharedServicesResourceGroupName = replace(replace(resourceGroupNamingConvention, '-${serviceToken}', ''), networkToken, sharedServicesName) var sharedServicesRouteTableName = replace(replace(routeTableNamingConvention, '-${serviceToken}', ''), networkToken, sharedServicesName) var sharedServicesSubnetName = replace(replace(subnetNamingConvention, '-${serviceToken}', ''), networkToken, sharedServicesName) @@ -684,6 +687,7 @@ var spokesCommon = [ name: operationsName subscriptionId: operationsSubscriptionId resourceGroupName: operationsResourceGroupName + deployUniqueResources: contains([ hubSubscriptionId ], operationsSubscriptionId) ? false : true logStorageAccountName: operationsLogStorageAccountName logStorageAccountNetworkInterfaceNamePrefix: operationsLogStorageAccountNetworkInterfaceName logStorageAccountPrivateEndpointNamePrefix: operationsLogStorageAccountPrivateEndpointName 
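Review bot: `deployUniqueResources` in the operations entry of `spokesCommon` compares subscription IDs with `contains`, which is case-sensitive for strings, so the same GUID supplied in different case in two parameters is treated as two subscriptions. That spoke would then get its own Network Watcher and activity-log deployment in a subscription that already has them. Lower-casing both sides avoids this, and `!contains(...)` reads better than `? false : true`: `deployUniqueResources: !contains([ toLower(hubSubscriptionId) ], toLower(operationsSubscriptionId))`. The same applies to the sharedServices entry and to the identity entry in `spokesIdentity` in the later hunks. The array continues outside these hunks, so I cannot see whether the IDs are normalised elsewhere.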
@@ -695,6 +699,7 @@ var spokesCommon = [ networkSecurityGroupRules: operationsNetworkSecurityGroupRules networkSecurityGroupDiagnosticsLogs: operationsNetworkSecurityGroupDiagnosticsLogs networkSecurityGroupDiagnosticsMetrics: operationsNetworkSecurityGroupDiagnosticsMetrics + networkWatcherName: operationsNetworkWatcherName routeTableName: operationsRouteTableName subnetName: operationsSubnetName subnetAddressPrefix: operationsSubnetAddressPrefix @@ -705,6 +710,7 @@ var spokesCommon = [ name: sharedServicesName subscriptionId: sharedServicesSubscriptionId resourceGroupName: sharedServicesResourceGroupName + deployUniqueResources: contains([ hubSubscriptionId, operationsSubscriptionId ], sharedServicesSubscriptionId) ? false : true logStorageAccountName: sharedServicesLogStorageAccountName logStorageAccountNetworkInterfaceNamePrefix: sharedServicesLogStorageAccountNetworkInterfaceName logStorageAccountPrivateEndpointNamePrefix: sharedServicesLogStorageAccountPrivateEndpointName @@ -716,6 +722,7 @@ var spokesCommon = [ networkSecurityGroupRules: sharedServicesNetworkSecurityGroupRules networkSecurityGroupDiagnosticsLogs: sharedServicesNetworkSecurityGroupDiagnosticsLogs networkSecurityGroupDiagnosticsMetrics: sharedServicesNetworkSecurityGroupDiagnosticsMetrics + networkWatcherName: sharedServicesNetworkWatcherName routeTableName: sharedServicesRouteTableName subnetName: sharedServicesSubnetName subnetAddressPrefix: sharedServicesSubnetAddressPrefix 
@@ -728,6 +735,7 @@ var spokesIdentity = deployIdentity ? [ name: identityName subscriptionId: identitySubscriptionId resourceGroupName: identityResourceGroupName + deployUniqueResources: contains([ hubSubscriptionId, operationsSubscriptionId, sharedServicesSubscriptionId ], identitySubscriptionId) ? false : true logStorageAccountName: identityLogStorageAccountName logStorageAccountNetworkInterfaceNamePrefix: identityLogStorageAccountNetworkInterfaceName logStorageAccountPrivateEndpointNamePrefix: identityLogStorageAccountPrivateEndpointName @@ -739,6 +747,7 @@ var spokesIdentity = deployIdentity ? [ networkSecurityGroupRules: identityNetworkSecurityGroupRules networkSecurityGroupDiagnosticsLogs: identityNetworkSecurityGroupDiagnosticsLogs networkSecurityGroupDiagnosticsMetrics: identityNetworkSecurityGroupDiagnosticsMetrics + networkWatcherName: identityNetworkWatcherName routeTableName: identityRouteTableName subnetName: identitySubnetName subnetAddressPrefix: identitySubnetAddressPrefix @@ -860,9 +869,12 @@ module spokeNetworks './core/spoke-network.bicep' = [for spoke in spokes: { name: 'deploy-vnet-${spoke.name}-${deploymentNameSuffix}' scope: resourceGroup(spoke.subscriptionId, spoke.resourceGroupName) params: { + deployNetworkWatcher: spoke.deployUniqueResources + firewallSkuTier: firewallSkuTier location: location networkSecurityGroupName: spoke.networkSecurityGroupName networkSecurityGroupRules: spoke.networkSecurityGroupRules + networkWatcherName: spoke.networkWatcherName routeTableName: spoke.routeTableName routeTableRouteNextHopIpAddress: firewallClientPrivateIpAddress subnetAddressPrefix: spoke.subnetAddressPrefix @@ -872,8 +884,6 @@ module spokeNetworks './core/spoke-network.bicep' = [for spoke in spokes: { tags: calculatedTags virtualNetworkAddressPrefix: spoke.virtualNetworkAddressPrefix virtualNetworkName: spoke.virtualNetworkName - - firewallSkuTier: firewallSkuTier vNetDnsServers: [ hubNetwork.outputs.firewallPrivateIPAddress ] } dependsOn: [ 
@@ -961,9 +971,9 @@ module azureMonitor './modules/azure-monitor.bicep' = if (contains(supportedClou monitorPrivateDnsZoneId: privateDnsZones.outputs.monitorPrivateDnsZoneId odsPrivateDnsZoneId: privateDnsZones.outputs.odsPrivateDnsZoneId omsPrivateDnsZoneId: privateDnsZones.outputs.omsPrivateDnsZoneId - privateLinkScopeName : operationsPrivateLinkScopeName + privateLinkScopeName: operationsPrivateLinkScopeName privateLinkScopeNetworkInterfaceName: operationsPrivateLinkScopeNetworkInterfaceName - privateLinkScopePrivateEndpointName : operationsPrivateLinkScopePrivateEndpointName + privateLinkScopePrivateEndpointName: operationsPrivateLinkScopePrivateEndpointName subnetResourceId: spokeNetworks[0].outputs.subnetResourceId tags: tags } @@ -1136,7 +1146,7 @@ module hubSubscriptionActivityLogging './modules/central-logging.bicep' = { ] } -module spokeSubscriptionActivityLogging './modules/central-logging.bicep' = [for spoke in spokes: if (spoke.subscriptionId != hubSubscriptionId) { +module spokeSubscriptionActivityLogging './modules/central-logging.bicep' = [for spoke in spokes: if (spoke.deployUniqueResources) { name: 'activity-logs-${spoke.name}-${deploymentNameSuffix}' scope: subscription(spoke.subscriptionId) params: { diff --git a/src/bicep/mlz.json b/src/bicep/mlz.json index d8dcc973..68d6753e 100644 --- a/src/bicep/mlz.json +++ b/src/bicep/mlz.json @@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.25.53.49325", - "templateHash": "6748957602055240740" + "templateHash": "15127050233787149227" } }, "parameters": { 
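Review bot: The new condition on `spokeSubscriptionActivityLogging` needs a comment, because the name `deployUniqueResources` does not reveal that it now decides whether a spoke subscription's activity log is exported. A skipped spoke stays covered only if `hubSubscriptionActivityLogging` or an earlier spoke in the same subscription deploys the setting. The flag's subscription lists imply this, but the loop does not state it. I would add `// Skip spokes whose subscription is already covered by the hub or an earlier spoke; activity logging is deployed once per subscription.` above the module. The module body continues outside the hunk.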
@@ -1273,6 +1273,7 @@ "identityLogStorageAccountShortName": "[replace(replace(variables('storageAccountNamingConvention'), variables('serviceToken'), ''), variables('networkToken'), variables('identityShortName'))]", "identityLogStorageAccountUniqueName": "[replace(variables('identityLogStorageAccountShortName'), 'unique_token', uniqueString(parameters('resourcePrefix'), parameters('environmentAbbreviation'), parameters('identitySubscriptionId')))]", "identityNetworkSecurityGroupName": "[replace(replace(variables('networkSecurityGroupNamingConvention'), format('-{0}', variables('serviceToken')), ''), variables('networkToken'), variables('identityName'))]", + "identityNetworkWatcherName": "[replace(replace(variables('networkWatcherNamingConvention'), format('-{0}', variables('serviceToken')), ''), variables('networkToken'), variables('identityName'))]", "identityResourceGroupName": "[replace(replace(variables('resourceGroupNamingConvention'), format('-{0}', variables('serviceToken')), ''), variables('networkToken'), variables('identityName'))]", "identityRouteTableName": "[replace(replace(variables('routeTableNamingConvention'), format('-{0}', variables('serviceToken')), ''), variables('networkToken'), variables('identityName'))]", "identitySubnetName": "[replace(replace(variables('subnetNamingConvention'), format('-{0}', variables('serviceToken')), ''), variables('networkToken'), variables('identityName'))]", 
@@ -1285,6 +1286,7 @@ "operationsLogStorageAccountShortName": "[replace(replace(variables('storageAccountNamingConvention'), variables('serviceToken'), ''), variables('networkToken'), variables('operationsShortName'))]", "operationsLogStorageAccountUniqueName": "[replace(variables('operationsLogStorageAccountShortName'), 'unique_token', uniqueString(parameters('resourcePrefix'), parameters('environmentAbbreviation'), parameters('operationsSubscriptionId')))]", "operationsNetworkSecurityGroupName": "[replace(replace(variables('networkSecurityGroupNamingConvention'), format('-{0}', variables('serviceToken')), ''), variables('networkToken'), variables('operationsName'))]", + "operationsNetworkWatcherName": "[replace(replace(variables('networkWatcherNamingConvention'), format('-{0}', variables('serviceToken')), ''), variables('networkToken'), variables('operationsName'))]", "operationsPrivateLinkScopeName": "[replace(replace(variables('privateLinkScopeName'), format('-{0}', variables('serviceToken')), ''), variables('networkToken'), variables('operationsName'))]", "operationsPrivateLinkScopeNetworkInterfaceName": "[replace(replace(variables('networkInterfaceNamingConvention'), variables('serviceToken'), 'pls'), variables('networkToken'), variables('operationsName'))]", "operationsPrivateLinkScopePrivateEndpointName": "[replace(replace(variables('privateEndpointNamingConvention'), variables('serviceToken'), 'pls'), variables('networkToken'), variables('operationsName'))]", 
@@ -1300,6 +1302,7 @@ "sharedServicesLogStorageAccountShortName": "[replace(replace(variables('storageAccountNamingConvention'), variables('serviceToken'), ''), variables('networkToken'), variables('sharedServicesShortName'))]", "sharedServicesLogStorageAccountUniqueName": "[replace(variables('sharedServicesLogStorageAccountShortName'), 'unique_token', uniqueString(parameters('resourcePrefix'), parameters('environmentAbbreviation'), parameters('sharedServicesSubscriptionId')))]", "sharedServicesNetworkSecurityGroupName": "[replace(replace(variables('networkSecurityGroupNamingConvention'), format('-{0}', variables('serviceToken')), ''), variables('networkToken'), variables('sharedServicesName'))]", + "sharedServicesNetworkWatcherName": "[replace(replace(variables('networkWatcherNamingConvention'), format('-{0}', variables('serviceToken')), ''), variables('networkToken'), variables('sharedServicesName'))]", "sharedServicesResourceGroupName": "[replace(replace(variables('resourceGroupNamingConvention'), format('-{0}', variables('serviceToken')), ''), variables('networkToken'), variables('sharedServicesName'))]", "sharedServicesRouteTableName": "[replace(replace(variables('routeTableNamingConvention'), format('-{0}', variables('serviceToken')), ''), variables('networkToken'), variables('sharedServicesName'))]", "sharedServicesSubnetName": "[replace(replace(variables('subnetNamingConvention'), format('-{0}', variables('serviceToken')), ''), variables('networkToken'), variables('sharedServicesName'))]", 
@@ -1333,6 +1336,7 @@ "name": "[variables('operationsName')]", "subscriptionId": "[parameters('operationsSubscriptionId')]", "resourceGroupName": "[variables('operationsResourceGroupName')]", + "deployUniqueResources": "[if(contains(createArray(parameters('hubSubscriptionId')), parameters('operationsSubscriptionId')), false(), true())]", "logStorageAccountName": "[variables('operationsLogStorageAccountName')]", "logStorageAccountNetworkInterfaceNamePrefix": "[variables('operationsLogStorageAccountNetworkInterfaceName')]", "logStorageAccountPrivateEndpointNamePrefix": "[variables('operationsLogStorageAccountPrivateEndpointName')]", @@ -1344,6 +1348,7 @@ "networkSecurityGroupRules": "[parameters('operationsNetworkSecurityGroupRules')]", "networkSecurityGroupDiagnosticsLogs": "[parameters('operationsNetworkSecurityGroupDiagnosticsLogs')]", "networkSecurityGroupDiagnosticsMetrics": "[parameters('operationsNetworkSecurityGroupDiagnosticsMetrics')]", + "networkWatcherName": "[variables('operationsNetworkWatcherName')]", "routeTableName": "[variables('operationsRouteTableName')]", "subnetName": "[variables('operationsSubnetName')]", "subnetAddressPrefix": "[parameters('operationsSubnetAddressPrefix')]", @@ -1354,6 +1359,7 @@ "name": "[variables('sharedServicesName')]", "subscriptionId": "[parameters('sharedServicesSubscriptionId')]", "resourceGroupName": "[variables('sharedServicesResourceGroupName')]", + "deployUniqueResources": "[if(contains(createArray(parameters('hubSubscriptionId'), parameters('operationsSubscriptionId')), parameters('sharedServicesSubscriptionId')), false(), true())]", "logStorageAccountName": "[variables('sharedServicesLogStorageAccountName')]", "logStorageAccountNetworkInterfaceNamePrefix": "[variables('sharedServicesLogStorageAccountNetworkInterfaceName')]", "logStorageAccountPrivateEndpointNamePrefix": "[variables('sharedServicesLogStorageAccountPrivateEndpointName')]", 
@@ -1365,6 +1371,7 @@ "networkSecurityGroupRules": "[parameters('sharedServicesNetworkSecurityGroupRules')]", "networkSecurityGroupDiagnosticsLogs": "[parameters('sharedServicesNetworkSecurityGroupDiagnosticsLogs')]", "networkSecurityGroupDiagnosticsMetrics": "[parameters('sharedServicesNetworkSecurityGroupDiagnosticsMetrics')]", + "networkWatcherName": "[variables('sharedServicesNetworkWatcherName')]", "routeTableName": "[variables('sharedServicesRouteTableName')]", "subnetName": "[variables('sharedServicesSubnetName')]", "subnetAddressPrefix": "[parameters('sharedServicesSubnetAddressPrefix')]", 
@@ -1372,7 +1379,7 @@ "subnetPrivateLinkServiceNetworkPolicies": "Disabled" } ], - "spokesIdentity": "[if(parameters('deployIdentity'), createArray(createObject('name', variables('identityName'), 'subscriptionId', parameters('identitySubscriptionId'), 'resourceGroupName', variables('identityResourceGroupName'), 'logStorageAccountName', variables('identityLogStorageAccountName'), 'logStorageAccountNetworkInterfaceNamePrefix', variables('identityLogStorageAccountNetworkInterfaceName'), 'logStorageAccountPrivateEndpointNamePrefix', variables('identityLogStorageAccountPrivateEndpointName'), 'virtualNetworkName', variables('identityVirtualNetworkName'), 'virtualNetworkAddressPrefix', parameters('identityVirtualNetworkAddressPrefix'), 'virtualNetworkDiagnosticsLogs', parameters('identityVirtualNetworkDiagnosticsLogs'), 'virtualNetworkDiagnosticsMetrics', parameters('identityVirtualNetworkDiagnosticsMetrics'), 'networkSecurityGroupName', variables('identityNetworkSecurityGroupName'), 'networkSecurityGroupRules', parameters('identityNetworkSecurityGroupRules'), 'networkSecurityGroupDiagnosticsLogs', parameters('identityNetworkSecurityGroupDiagnosticsLogs'), 'networkSecurityGroupDiagnosticsMetrics', parameters('identityNetworkSecurityGroupDiagnosticsMetrics'), 'routeTableName', variables('identityRouteTableName'), 'subnetName', variables('identitySubnetName'), 'subnetAddressPrefix', parameters('identitySubnetAddressPrefix'), 'subnetPrivateEndpointNetworkPolicies', 'Disabled', 'subnetPrivateLinkServiceNetworkPolicies', 'Disabled')), createArray())]", + "spokesIdentity": "[if(parameters('deployIdentity'), createArray(createObject('name', variables('identityName'), 'subscriptionId', parameters('identitySubscriptionId'), 'resourceGroupName', variables('identityResourceGroupName'), 'deployUniqueResources', if(contains(createArray(parameters('hubSubscriptionId'), parameters('operationsSubscriptionId'), parameters('sharedServicesSubscriptionId')), 
parameters('identitySubscriptionId')), false(), true()), 'logStorageAccountName', variables('identityLogStorageAccountName'), 'logStorageAccountNetworkInterfaceNamePrefix', variables('identityLogStorageAccountNetworkInterfaceName'), 'logStorageAccountPrivateEndpointNamePrefix', variables('identityLogStorageAccountPrivateEndpointName'), 'virtualNetworkName', variables('identityVirtualNetworkName'), 'virtualNetworkAddressPrefix', parameters('identityVirtualNetworkAddressPrefix'), 'virtualNetworkDiagnosticsLogs', parameters('identityVirtualNetworkDiagnosticsLogs'), 'virtualNetworkDiagnosticsMetrics', parameters('identityVirtualNetworkDiagnosticsMetrics'), 'networkSecurityGroupName', variables('identityNetworkSecurityGroupName'), 'networkSecurityGroupRules', parameters('identityNetworkSecurityGroupRules'), 'networkSecurityGroupDiagnosticsLogs', parameters('identityNetworkSecurityGroupDiagnosticsLogs'), 'networkSecurityGroupDiagnosticsMetrics', parameters('identityNetworkSecurityGroupDiagnosticsMetrics'), 'networkWatcherName', variables('identityNetworkWatcherName'), 'routeTableName', variables('identityRouteTableName'), 'subnetName', variables('identitySubnetName'), 'subnetAddressPrefix', parameters('identitySubnetAddressPrefix'), 'subnetPrivateEndpointNetworkPolicies', 'Disabled', 'subnetPrivateLinkServiceNetworkPolicies', 'Disabled')), createArray())]", "defaultTags": { "resourcePrefix": "[parameters('resourcePrefix')]", "environmentAbbreviation": "[parameters('environmentAbbreviation')]", @@ -2922,6 +2929,12 @@ }, "mode": "Incremental", "parameters": { + "deployNetworkWatcher": { + "value": "[variables('spokes')[copyIndex()].deployUniqueResources]" + }, + "firewallSkuTier": { + "value": "[parameters('firewallSkuTier')]" + }, "location": { "value": "[parameters('location')]" }, 
@@ -2931,6 +2944,9 @@ "networkSecurityGroupRules": { "value": "[variables('spokes')[copyIndex()].networkSecurityGroupRules]" }, + "networkWatcherName": { + "value": "[variables('spokes')[copyIndex()].networkWatcherName]" + }, "routeTableName": { "value": "[variables('spokes')[copyIndex()].routeTableName]" }, @@ -2958,9 +2974,6 @@ "virtualNetworkName": { "value": "[variables('spokes')[copyIndex()].virtualNetworkName]" }, - "firewallSkuTier": { - "value": "[parameters('firewallSkuTier')]" - }, "vNetDnsServers": { "value": [ "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.firewallPrivateIPAddress.value]" @@ -2974,10 +2987,13 @@ "_generator": { "name": "bicep", "version": "0.25.53.49325", - "templateHash": "12984866997767801372" + "templateHash": "705252534783500241" } }, "parameters": { + "deployNetworkWatcher": { + "type": "bool" + }, "firewallSkuTier": { "type": "string" }, @@ -2990,6 +3006,9 @@ "networkSecurityGroupRules": { "type": "array" }, + "networkWatcherName": { + "type": "string" + }, "routeTableName": { "type": "string" }, 
@@ -3205,6 +3224,61 @@ } } }, + { + "condition": "[parameters('deployNetworkWatcher')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "networkWatcher", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "location": { + "value": "[parameters('location')]" + }, + "name": { + "value": "[parameters('networkWatcherName')]" + }, + "tags": { + "value": "[parameters('tags')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.25.53.49325", + "templateHash": "7393503353750877364" + } + }, + "parameters": { + "location": { + "type": "string" + }, + "name": { + "type": "string" + }, + "tags": { + "type": "object" + } + }, + "resources": [ + { + "type": "Microsoft.Network/networkWatchers", + "apiVersion": "2021-02-01", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "tags": "[parameters('tags')]", + "properties": {} + } + ] + } + } + }, { "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", @@ -3325,6 +3399,7 @@ }, "dependsOn": [ "[resourceId('Microsoft.Resources/deployments', 'networkSecurityGroup')]", + "[resourceId('Microsoft.Resources/deployments', 'networkWatcher')]", "[resourceId('Microsoft.Resources/deployments', 'routeTable')]" ] } @@ -7809,7 +7884,7 @@ "name": "spokeSubscriptionActivityLogging", "count": "[length(variables('spokes'))]" }, - "condition": "[not(equals(variables('spokes')[copyIndex()].subscriptionId, parameters('hubSubscriptionId')))]", + "condition": "[variables('spokes')[copyIndex()].deployUniqueResources]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", "name": "[format('activity-logs-{0}-{1}', variables('spokes')[copyIndex()].name, parameters('deploymentNameSuffix'))]",