feat: sixDotOne (#1115)

## This PR fixes/adds/changes/removes Latest policy refresh. See https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/milestone/13 ## Testing Evidence Please provide any testing evidence to show that your Pull Request works/fixes as described and planned (include screenshots, if appropriate). ## As part of this Pull Request I have - [ ] Checked for duplicate [Pull Requests](https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/pulls) - [ ] Associated it with relevant [issues](https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/issues), for tracking and closure. - [ ] Ensured my code/branch is up-to-date with the latest changes in the `main` [branch](https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/tree/main) - [ ] Performed testing and provided evidence. - [ ] Updated relevant and associated documentation. --------- Co-authored-by: cae-pr-creator[bot] <126156663+cae-pr-creator[bot]@users.noreply.github.com> Co-authored-by: github-actions <action@github.com> Co-authored-by: Nicolas Neunert <60450456+gittyNico@users.noreply.github.com> Co-authored-by: paul-e-martin <34447549+paul-e-martin@users.noreply.github.com>
2024-09-02 13:28:45 +01:00 · 2024-09-02 13:28:45 +01:00 · dc0c89d9fe
--- a/README.md
+++ b/README.md
@ -654,11 +654,14 @@ object({
      log_analytics = optional(object({
        enabled = optional(bool, true)
        config = optional(object({
-          retention_in_days          = optional(number, 30)
-          enable_monitoring_for_vm   = optional(bool, true)
-          enable_monitoring_for_vmss = optional(bool, true)
-          enable_sentinel            = optional(bool, true)
-          enable_change_tracking     = optional(bool, true)
+          retention_in_days                      = optional(number, 30)
+          enable_monitoring_for_vm               = optional(bool, true)
+          enable_monitoring_for_vmss             = optional(bool, true)
+          enable_sentinel                        = optional(bool, true)
+          enable_change_tracking                 = optional(bool, true)
+          enable_solution_for_vm_insights        = optional(bool, true)
+          enable_solution_for_container_insights = optional(bool, true)
+          sentinel_customer_managed_key_enabled  = optional(bool, false) # not used at this time
        }), {})
      }), {})
      security_center = optional(object({
@ -1103,6 +1106,8 @@ The following resources are used by this module:
 - [azurerm_resource_group.connectivity](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) (resource)
 - [azurerm_resource_group.management](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) (resource)
 - [azurerm_resource_group.virtual_wan](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) (resource)
+- [azurerm_role_assignment.ama_managed_identity_operator](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) (resource)
+- [azurerm_role_assignment.ama_reader](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) (resource)
 - [azurerm_role_assignment.enterprise_scale](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) (resource)
 - [azurerm_role_assignment.policy_assignment](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) (resource)
 - [azurerm_role_assignment.private_dns_zone_contributor_connectivity](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) (resource)
--- a/locals.management.tf
+++ b/locals.management.tf
@ -66,3 +66,11 @@ locals {
    if resource.managed_by_module
  }
 }
+
+# locals {
+#   azapi_sentinel_onboarding = {
+#     for resource in module.management_resources.configuration.azapi_sentinel_onboarding :
+#     resource.resource_id => resource
+#     if resource.managed_by_module
+#   }
+# }
--- a/locals.role_assignments.tf
+++ b/locals.role_assignments.tf
@ -44,4 +44,5 @@ locals {

 locals {
  connectivity_mg_exists = length([for k, v in local.es_landing_zones_map : v if(v.id == "${var.root_id}-connectivity")]) > 0
-}
+  platform_mg_exists     = length([for k, v in local.es_landing_zones_map : v if(v.id == "${var.root_id}-platform")]) > 0
+}
--- a/main.tf
+++ b/main.tf
@ -75,12 +75,13 @@ module "connectivity_resources" {
  tags     = local.connectivity_resources_tags

  # Optional input variables (advanced configuration)
-  resource_prefix                           = lookup(local.connectivity_resources_advanced, "resource_prefix", local.empty_string)
-  resource_suffix                           = lookup(local.connectivity_resources_advanced, "resource_suffix", local.empty_string)
-  existing_ddos_protection_plan_resource_id = lookup(local.connectivity_resources_advanced, "existing_ddos_protection_plan_resource_id", local.empty_string)
-  existing_virtual_wan_resource_id          = lookup(local.connectivity_resources_advanced, "existing_virtual_wan_resource_id", local.empty_string)
-  existing_virtual_wan_resource_group_name  = lookup(local.connectivity_resources_advanced, "existing_virtual_wan_resource_group_name", local.empty_string)
-  resource_group_per_virtual_hub_location   = lookup(local.connectivity_resources_advanced, "resource_group_per_virtual_hub_location", false)
-  custom_azure_backup_geo_codes             = lookup(local.connectivity_resources_advanced, "custom_azure_backup_geo_codes", local.empty_map)
-  custom_settings_by_resource_type          = lookup(local.connectivity_resources_advanced, "custom_settings_by_resource_type", local.empty_map)
+  resource_prefix                                 = lookup(local.connectivity_resources_advanced, "resource_prefix", local.empty_string)
+  resource_suffix                                 = lookup(local.connectivity_resources_advanced, "resource_suffix", local.empty_string)
+  existing_ddos_protection_plan_resource_id       = lookup(local.connectivity_resources_advanced, "existing_ddos_protection_plan_resource_id", local.empty_string)
+  existing_virtual_wan_resource_id                = lookup(local.connectivity_resources_advanced, "existing_virtual_wan_resource_id", local.empty_string)
+  existing_virtual_wan_resource_group_name        = lookup(local.connectivity_resources_advanced, "existing_virtual_wan_resource_group_name", local.empty_string)
+  resource_group_per_virtual_hub_location         = lookup(local.connectivity_resources_advanced, "resource_group_per_virtual_hub_location", false)
+  custom_azure_backup_geo_codes                   = lookup(local.connectivity_resources_advanced, "custom_azure_backup_geo_codes", local.empty_map)
+  custom_privatelink_azurestaticapps_partitionids = lookup(local.connectivity_resources_advanced, "custom_privatelink_azurestaticapps_partitionids", null)
+  custom_settings_by_resource_type                = lookup(local.connectivity_resources_advanced, "custom_settings_by_resource_type", local.empty_map)
 }
--- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_private_dns_zones.tmpl.json
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_private_dns_zones.tmpl.json
@ -1430,13 +1430,13 @@
        "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Arc",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/55c4db33-97b0-437b-8469-c4f4498f5df9",
        "parameters": {
-          "privateDnsZoneIdForGuestConfiguration": {
+          "privateDnsZoneIDForGuestConfiguration": {
            "value": "[parameters('azureArcGuestconfigurationPrivateDnsZoneId')]"
          },
-          "privateDnsZoneIdForHybridResourceProvider": {
+          "privateDnsZoneIDForHybridResourceProvider": {
            "value": "[parameters('azureArcHybridResourceProviderPrivateDnsZoneId')]"
          },
-          "privateDnsZoneIdForKubernetesConfiguration": {
+          "privateDnsZoneIDForKubernetesConfiguration": {
            "value": "[parameters('azureArcKubernetesConfigurationPrivateDnsZoneId')]"
          },
          "effect": {
--- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_backup.tmpl.json
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_backup.tmpl.json
@ -63,7 +63,7 @@
          "effect": {
            "value": "[parameters('effect')]"
          },
-          "CheckLockedImmutabiltyOnly": {
+          "checkLockedImmutabiltyOnly": {
            "value": "[parameters('checkLockedImmutabilityOnly')]"
          }
        },
--- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_keyvault.tmpl.json
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_keyvault.tmpl.json
@ -8,7 +8,7 @@
    "displayName": "Enforce recommended guardrails for Azure Key Vault",
    "description": "Enforce recommended guardrails for Azure Key Vault.",
    "metadata": {
-      "version": "2.0.0",
+      "version": "2.1.0",
      "category": "Key Vault",
      "source": "https://github.com/Azure/Enterprise-Scale/",
      "alzCloudEnvironments": [
@ -236,8 +236,11 @@
        "type": "string",
        "defaultValue": "Disabled",
        "allowedValues": [
+          "audit",
          "Audit",
+          "deny",
          "Deny",
+          "disabled",
          "Disabled"
        ]
      },
--- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_kubernetes.tmpl.json
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_kubernetes.tmpl.json
@ -8,7 +8,7 @@
    "displayName": "Enforce recommended guardrails for Kubernetes",
    "description": "This policy initiative is a group of policies that ensures Kubernetes is compliant per regulated Landing Zones.",
    "metadata": {
-      "version": "1.0.0",
+      "version": "1.1.0",
      "category": "Kubernetes",
      "source": "https://github.com/Azure/Enterprise-Scale/",
      "alzCloudEnvironments": [
@ -81,8 +81,11 @@
        "type": "string",
        "defaultValue": "Deny",
        "allowedValues": [
+          "audit",
          "Audit",
+          "deny",
          "Deny",
+          "disabled",
          "Disabled"
        ]
      },
@ -90,8 +93,11 @@
        "type": "string",
        "defaultValue": "Deny",
        "allowedValues": [
+          "audit",
          "Audit",
+          "deny",
          "Deny",
+          "disabled",
          "Disabled"
        ]
      },
@ -99,8 +105,11 @@
        "type": "string",
        "defaultValue": "Deny",
        "allowedValues": [
+          "audit",
          "Audit",
+          "deny",
          "Deny",
+          "disabled",
          "Disabled"
        ]
      },
@ -117,8 +126,11 @@
        "type": "string",
        "defaultValue": "Deny",
        "allowedValues": [
+          "audit",
          "Audit",
+          "deny",
          "Deny",
+          "disabled",
          "Disabled"
        ]
      },
@ -126,8 +138,11 @@
        "type": "string",
        "defaultValue": "Deny",
        "allowedValues": [
+          "audit",
          "Audit",
+          "deny",
          "Deny",
+          "disabled",
          "Disabled"
        ]
      },
@ -144,8 +159,11 @@
        "type": "string",
        "defaultValue": "Deny",
        "allowedValues": [
+          "audit",
          "Audit",
+          "deny",
          "Deny",
+          "disabled",
          "Disabled"
        ]
      },
--- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_network.tmpl.json
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_network.tmpl.json
@ -8,7 +8,7 @@
    "displayName": "Enforce recommended guardrails for Network and Networking services",
    "description": "This policy initiative is a group of policies that ensures Network and Networking services are compliant per regulated Landing Zones.",
    "metadata": {
-      "version": "1.0.0",
+      "version": "1.1.0",
      "category": "Network",
      "source": "https://github.com/Azure/Enterprise-Scale/",
      "alzCloudEnvironments": [
@ -56,7 +56,12 @@
      },
      "vnetModifyDdos": {
        "type": "string",
-        "defaultValue": "Modify"
+        "defaultValue": "Modify",
+        "allowedValues": [
+          "Audit",
+          "Modify",
+          "Disabled"
+        ]
      },
      "ddosPlanResourceId": {
        "type": "string",
@ -229,9 +234,8 @@
        "type": "string",
        "defaultValue": "Deny",
        "allowedValues": [
-          "Audit",
-          "Deny",
-          "Disabled"
+          "Allow",
+          "Deny"
        ]
      },
      "modifyNsgRuleProtocol": {
--- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_synapse.tmpl.json
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_synapse.tmpl.json
@ -8,7 +8,7 @@
    "displayName": "Enforce recommended guardrails for Synapse workspaces",
    "description": "This policy initiative is a group of policies that ensures Synapse workspaces is compliant per regulated Landing Zones.",
    "metadata": {
-      "version": "1.0.0",
+      "version": "1.1.0",
      "category": "Synapse",
      "source": "https://github.com/Azure/Enterprise-Scale/",
      "alzCloudEnvironments": [
@ -65,7 +65,6 @@
        "defaultValue": "Audit",
        "allowedValues": [
          "Audit",
-          "Deny",
          "Disabled"
        ]
      },
--- a/modules/connectivity/README.md
+++ b/modules/connectivity/README.md
@ -49,6 +49,25 @@ Type: `map(string)`

 Default: `{}`

+### <a name="input_custom_privatelink_azurestaticapps_partitionids"></a> [custom\_privatelink\_azurestaticapps\_partitionids](#input\_custom\_privatelink\_azurestaticapps\_partitionids)
+
+Description: As a uncertanty in the partition id for the azure static web app, this variable is used to specify the partition ids deployed for the azure static web app private DNS zones.  
+For more information, please refer to: https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns#web and https://learn.microsoft.com/en-us/azure/static-web-apps/private-endpoint
+
+Type: `list(number)`
+
+Default:
+
+```json
+[
+  1,
+  2,
+  3,
+  4,
+  5
+]
+```
+
 ### <a name="input_custom_settings_by_resource_type"></a> [custom\_settings\_by\_resource\_type](#input\_custom\_settings\_by\_resource\_type)

 Description: If specified, allows full customization of common settings for all resources (by type) deployed by this module.
--- a/modules/connectivity/locals.tf
+++ b/modules/connectivity/locals.tf
@ -12,20 +12,21 @@ locals {
 # NOTE: Need to catch error for resource_suffix when
 # no value for subscription_id is provided.
 locals {
-  enabled                                   = var.enabled
-  root_id                                   = var.root_id
-  subscription_id                           = coalesce(var.subscription_id, "00000000-0000-0000-0000-000000000000")
-  settings                                  = var.settings
-  location                                  = lower(var.location)
-  tags                                      = var.tags
-  resource_prefix                           = coalesce(var.resource_prefix, local.root_id)
-  resource_suffix                           = var.resource_suffix != local.empty_string ? "-${var.resource_suffix}" : local.empty_string
-  existing_ddos_protection_plan_resource_id = var.existing_ddos_protection_plan_resource_id
-  existing_virtual_wan_resource_id          = var.existing_virtual_wan_resource_id != null ? var.existing_virtual_wan_resource_id : local.empty_string
-  existing_virtual_wan_resource_group_name  = var.existing_virtual_wan_resource_group_name != null ? var.existing_virtual_wan_resource_group_name : local.empty_string
-  resource_group_per_virtual_hub_location   = var.resource_group_per_virtual_hub_location
-  custom_azure_backup_geo_codes             = var.custom_azure_backup_geo_codes
-  custom_settings                           = var.custom_settings_by_resource_type
+  enabled                                         = var.enabled
+  root_id                                         = var.root_id
+  subscription_id                                 = coalesce(var.subscription_id, "00000000-0000-0000-0000-000000000000")
+  settings                                        = var.settings
+  location                                        = lower(var.location)
+  tags                                            = var.tags
+  resource_prefix                                 = coalesce(var.resource_prefix, local.root_id)
+  resource_suffix                                 = var.resource_suffix != local.empty_string ? "-${var.resource_suffix}" : local.empty_string
+  existing_ddos_protection_plan_resource_id       = var.existing_ddos_protection_plan_resource_id
+  existing_virtual_wan_resource_id                = var.existing_virtual_wan_resource_id != null ? var.existing_virtual_wan_resource_id : local.empty_string
+  existing_virtual_wan_resource_group_name        = var.existing_virtual_wan_resource_group_name != null ? var.existing_virtual_wan_resource_group_name : local.empty_string
+  resource_group_per_virtual_hub_location         = var.resource_group_per_virtual_hub_location
+  custom_azure_backup_geo_codes                   = var.custom_azure_backup_geo_codes
+  custom_privatelink_azurestaticapps_partitionids = var.custom_privatelink_azurestaticapps_partitionids
+  custom_settings                                 = var.custom_settings_by_resource_type
 }

 # Logic to help keep code DRY
@ -419,7 +420,6 @@ locals {
            # Resource definition attributes
            resource_group_name                           = local.resource_group_names_by_scope_and_location["connectivity"][location]
            virtual_network_name                          = local.virtual_network_name[location]
-            private_endpoint_network_policies_enabled     = try(local.custom_settings.azurerm_subnet["connectivity"][location][subnet.name].private_endpoint_network_policies_enabled, null)
            private_link_service_network_policies_enabled = try(local.custom_settings.azurerm_subnet["connectivity"][location][subnet.name].private_link_service_network_policies_enabled, null)
            service_endpoints                             = try(local.custom_settings.azurerm_subnet["connectivity"][location][subnet.name].service_endpoints, null)
            service_endpoint_policy_ids                   = try(local.custom_settings.azurerm_subnet["connectivity"][location][subnet.name].service_endpoint_policy_ids, null)
@ -440,7 +440,6 @@ locals {
          address_prefixes                              = [hub_network.config.virtual_network_gateway.config.address_prefix, ]
          resource_group_name                           = local.resource_group_names_by_scope_and_location["connectivity"][location]
          virtual_network_name                          = local.virtual_network_name[location]
-          private_endpoint_network_policies_enabled     = try(local.custom_settings.azurerm_subnet["connectivity"][location]["GatewaySubnet"].private_endpoint_network_policies_enabled, null)
          private_link_service_network_policies_enabled = try(local.custom_settings.azurerm_subnet["connectivity"][location]["GatewaySubnet"].private_link_service_network_policies_enabled, null)
          service_endpoints                             = try(local.custom_settings.azurerm_subnet["connectivity"][location]["GatewaySubnet"].service_endpoints, null)
          service_endpoint_policy_ids                   = try(local.custom_settings.azurerm_subnet["connectivity"][location]["GatewaySubnet"].service_endpoint_policy_ids, null)
@ -460,7 +459,6 @@ locals {
          address_prefixes                              = [hub_network.config.azure_firewall.config.address_prefix, ]
          resource_group_name                           = local.resource_group_names_by_scope_and_location["connectivity"][location]
          virtual_network_name                          = local.virtual_network_name[location]
-          private_endpoint_network_policies_enabled     = try(local.custom_settings.azurerm_subnet["connectivity"][location]["AzureFirewallSubnet"].private_endpoint_network_policies_enabled, null)
          private_link_service_network_policies_enabled = try(local.custom_settings.azurerm_subnet["connectivity"][location]["AzureFirewallSubnet"].private_link_service_network_policies_enabled, null)
          service_endpoints                             = try(local.custom_settings.azurerm_subnet["connectivity"][location]["AzureFirewallSubnet"].service_endpoints, null)
          service_endpoint_policy_ids                   = try(local.custom_settings.azurerm_subnet["connectivity"][location]["AzureFirewallSubnet"].service_endpoint_policy_ids, null)
@ -480,7 +478,6 @@ locals {
          address_prefixes                              = [hub_network.config.azure_firewall.config.address_management_prefix, ]
          resource_group_name                           = local.resource_group_names_by_scope_and_location["connectivity"][location]
          virtual_network_name                          = local.virtual_network_name[location]
-          private_endpoint_network_policies_enabled     = try(local.custom_settings.azurerm_subnet["connectivity"][location]["AzureFirewallManagementSubnet"].private_endpoint_network_policies_enabled, null)
          private_link_service_network_policies_enabled = try(local.custom_settings.azurerm_subnet["connectivity"][location]["AzureFirewallManagementSubnet"].private_link_service_network_policies_enabled, null)
          service_endpoints                             = try(local.custom_settings.azurerm_subnet["connectivity"][location]["AzureFirewallManagementSubnet"].service_endpoints, null)
          service_endpoint_policy_ids                   = try(local.custom_settings.azurerm_subnet["connectivity"][location]["AzureFirewallManagementSubnet"].service_endpoint_policy_ids, null)
@ -1518,6 +1515,10 @@ locals {
      for location in local.private_link_locations :
      "privatelink.${location}.azmk8s.io"
    ]
+    azure_web_apps_static_sites = concat(["privatelink.azurestaticapps.net"], [
+      for partitionid in local.custom_privatelink_azurestaticapps_partitionids :
+      "privatelink.${partitionid}.azurestaticapps.net"
+    ])
  }
  # The lookup_private_link_group_id_by_service local doesn't currently
  # do anything but is planned to control policy configuration for
@ -1681,7 +1682,7 @@ locals {
    [
      for location, virtual_hub_config in local.virtual_hubs_by_location :
      [
-        for spoke_resource_id in virtual_hub_config.config.spoke_virtual_network_resource_ids :
+        for spoke_resource_id in concat(virtual_hub_config.config.spoke_virtual_network_resource_ids, virtual_hub_config.config.secure_spoke_virtual_network_resource_ids) :
        {
          resource_id       = spoke_resource_id
          name              = "${split("/", spoke_resource_id)[2]}-${uuidv5("url", spoke_resource_id)}"
--- a/modules/connectivity/variables.tf
+++ b/modules/connectivity/variables.tf
@ -367,6 +367,16 @@ DESCRIPTION
  default     = {}
 }

+variable "custom_privatelink_azurestaticapps_partitionids" {
+  type        = list(number)
+  nullable    = false
+  description = <<DESCRIPTION
+As a uncertanty in the partition id for the azure static web app, this variable is used to specify the partition ids deployed for the azure static web app private DNS zones.
+For more information, please refer to: https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns#web and https://learn.microsoft.com/en-us/azure/static-web-apps/private-endpoint
+DESCRIPTION
+  default     = [1, 2, 3, 4, 5]
+}
+
 variable "custom_settings_by_resource_type" {
  type        = any
  description = "If specified, allows full customization of common settings for all resources (by type) deployed by this module."
--- a/modules/management/README.md
+++ b/modules/management/README.md
@ -130,11 +130,14 @@ object({
    log_analytics = optional(object({
      enabled = optional(bool, true)
      config = optional(object({
-        retention_in_days          = optional(number, 30)
-        enable_monitoring_for_vm   = optional(bool, true)
-        enable_monitoring_for_vmss = optional(bool, true)
-        enable_sentinel            = optional(bool, true)
-        enable_change_tracking     = optional(bool, true)
+        retention_in_days                      = optional(number, 30)
+        enable_monitoring_for_vm               = optional(bool, true)
+        enable_monitoring_for_vmss             = optional(bool, true)
+        enable_sentinel                        = optional(bool, true)
+        enable_change_tracking                 = optional(bool, true)
+        enable_solution_for_vm_insights        = optional(bool, true)
+        enable_solution_for_container_insights = optional(bool, true)
+        sentinel_customer_managed_key_enabled  = optional(bool, false)
      }), {})
    }), {})
    security_center = optional(object({
--- a/modules/management/locals.tf
+++ b/modules/management/locals.tf
@ -54,8 +54,10 @@ locals {
  deploy_log_analytics_linked_service = local.deploy_monitoring_resources && local.link_log_analytics_to_automation_account
  deploy_automation_account           = local.deploy_monitoring_resources && local.existing_automation_account_resource_id == local.empty_string
  deploy_azure_monitor_solutions = {
-    SecurityInsights = local.deploy_monitoring_resources && local.settings.log_analytics.config.enable_sentinel
-    ChangeTracking   = local.deploy_monitoring_resources && local.settings.log_analytics.config.enable_change_tracking
+    ChangeTracking    = local.deploy_monitoring_resources && local.settings.log_analytics.config.enable_change_tracking
+    VMInsights        = local.deploy_monitoring_resources && local.settings.log_analytics.config.enable_solution_for_vm_insights
+    ContainerInsights = local.deploy_monitoring_resources && local.settings.log_analytics.config.enable_solution_for_container_insights
+    SecurityInsights  = local.deploy_monitoring_resources && local.settings.log_analytics.config.enable_sentinel
  }
  deploy_security_settings                              = local.settings.security_center.enabled
  deploy_defender_for_app_services                      = local.settings.security_center.config.enable_defender_for_app_services
@ -91,7 +93,6 @@ locals {
  }
 }

-
 # Configuration settings for resource type:
 #  - azurerm_log_analytics_workspace
 locals {
@ -677,6 +678,21 @@ locals {
  }
 }

+# Sentinel onboarding
+locals {
+  azapi_sentinel_onboarding_resource_id = "${local.log_analytics_workspace_resource_id}/Microsoft.SecurityInsights/onboardingStates/default"
+  azapi_sentinel_onboarding = {
+    type = "Microsoft.SecurityInsights/onboardingStates@2024-03-01"
+    body = {
+      properties = {
+        customerManagedKey = try(local.settings.log_analytics.config.sentinel_customer_managed_key_enabled, false)
+      }
+    }
+    name      = "default"
+    parent_id = local.log_analytics_workspace_resource_id
+  }
+}
+
 # Template file variable outputs
 locals {
  template_file_variables = {
@ -800,6 +816,18 @@ locals {
        managed_by_module = local.deploy_mdfc_defender_for_sql_dcr
      }
    ]
+    azapi_sentinel_onboarding = [
+      {
+        resource_id   = local.azapi_sentinel_onboarding_resource_id
+        resource_name = basename(local.azapi_sentinel_onboarding_resource_id)
+        template = {
+          for key, value in local.azapi_sentinel_onboarding :
+          key => value
+          if local.deploy_azure_monitor_solutions.SecurityInsights
+        }
+        managed_by_module = local.deploy_azure_monitor_solutions.SecurityInsights
+      }
+    ]
    archetype_config_overrides = local.archetype_config_overrides
    template_file_variables    = local.template_file_variables
  }
--- a/modules/management/variables.tf
+++ b/modules/management/variables.tf
@ -53,11 +53,14 @@ variable "settings" {
    log_analytics = optional(object({
      enabled = optional(bool, true)
      config = optional(object({
-        retention_in_days          = optional(number, 30)
-        enable_monitoring_for_vm   = optional(bool, true)
-        enable_monitoring_for_vmss = optional(bool, true)
-        enable_sentinel            = optional(bool, true)
-        enable_change_tracking     = optional(bool, true)
+        retention_in_days                      = optional(number, 30)
+        enable_monitoring_for_vm               = optional(bool, true)
+        enable_monitoring_for_vmss             = optional(bool, true)
+        enable_sentinel                        = optional(bool, true)
+        enable_change_tracking                 = optional(bool, true)
+        enable_solution_for_vm_insights        = optional(bool, true)
+        enable_solution_for_container_insights = optional(bool, true)
+        sentinel_customer_managed_key_enabled  = optional(bool, false)
      }), {})
    }), {})
    security_center = optional(object({
--- a/resources.connectivity.tf
+++ b/resources.connectivity.tf
@ -55,7 +55,6 @@ resource "azurerm_subnet" "connectivity" {
  address_prefixes     = each.value.template.address_prefixes

  # Optional resource attributes
-  private_endpoint_network_policies_enabled     = each.value.template.private_endpoint_network_policies_enabled
  private_link_service_network_policies_enabled = each.value.template.private_link_service_network_policies_enabled
  service_endpoints                             = each.value.template.service_endpoints
  service_endpoint_policy_ids                   = each.value.template.service_endpoint_policy_ids
--- a/resources.management.tf
+++ b/resources.management.tf
@ -167,3 +167,20 @@ resource "azapi_resource" "data_collection_rule" {

  depends_on = [azurerm_log_analytics_workspace.management]
 }
+
+# Delaying until next major release as this will be a breaking change requiring state manipulation
+# as the old LA solution will have to be removed from state, but we cannot use the removed block as
+# it does not support interpolation for map keys.
+#
+# resource "azapi_resource" "sentinel_onboarding" {
+#   for_each  = local.azapi_sentinel_onboarding
+#   name      = each.value.template.name
+#   parent_id = each.value.template.parent_id
+#   type      = each.value.template.type
+#   body      = each.value.template.body
+
+#   depends_on = [
+#     azurerm_log_analytics_workspace.management,
+#     azurerm_log_analytics_solution.management,
+#   ]
+# }
--- a/resources.role_assignments.tf
+++ b/resources.role_assignments.tf
@ -33,7 +33,7 @@ module "role_assignments_for_policy" {
  policy_assignment_id = each.key
  scope_id             = azurerm_management_group_policy_assignment.enterprise_scale[each.key].management_group_id
  principal_id = (
-    lookup(azurerm_management_group_policy_assignment.enterprise_scale[each.key].identity[0], "type") == "UserAssigned"
+    lookup(azurerm_management_group_policy_assignment.enterprise_scale[each.key].identity[0], "type", "") == "UserAssigned"
    ? jsondecode(data.azapi_resource.user_msi[each.key].output).properties.principalId # workarround as azurerm_management_group_policy_assignment does not export the principal_id when using UserAssigned identity
    : azurerm_management_group_policy_assignment.enterprise_scale[each.key].identity[0].principal_id
  )
@ -55,7 +55,7 @@ module "role_assignments_for_policy" {

 # The data source will retrieve the principalId of a user msi
 # used for the policy assignment
-# 
+#
 data "azapi_resource" "user_msi" {
  for_each = {
    for ik, iv in local.es_role_assignments_by_policy_assignment : ik => iv
@ -114,4 +114,32 @@ resource "azurerm_role_assignment" "private_dns_zone_contributor_connectivity" {
    time_sleep.after_azurerm_policy_assignment,
    azurerm_role_assignment.policy_assignment,
  ]
-}
+}
+
+resource "azurerm_role_assignment" "ama_reader" {
+  for_each             = local.platform_mg_exists ? { for k, v in azurerm_management_group_policy_assignment.enterprise_scale : k => v if endswith(k, "Deploy-VM-Monitoring") } : {}
+  role_definition_name = "Reader"
+  scope                = "/providers/Microsoft.Management/managementGroups/${var.root_id}-platform"
+  principal_id         = each.value.identity[0].principal_id
+  depends_on = [
+    time_sleep.after_azurerm_management_group,
+    time_sleep.after_azurerm_policy_definition,
+    time_sleep.after_azurerm_policy_set_definition,
+    time_sleep.after_azurerm_policy_assignment,
+    azurerm_role_assignment.policy_assignment,
+  ]
+}
+
+resource "azurerm_role_assignment" "ama_managed_identity_operator" {
+  for_each             = local.platform_mg_exists ? { for k, v in azurerm_management_group_policy_assignment.enterprise_scale : k => v if endswith(k, "Deploy-VM-Monitoring") } : {}
+  role_definition_name = "Managed Identity Operator"
+  scope                = "/providers/Microsoft.Management/managementGroups/${var.root_id}-platform"
+  principal_id         = each.value.identity[0].principal_id
+  depends_on = [
+    time_sleep.after_azurerm_management_group,
+    time_sleep.after_azurerm_policy_definition,
+    time_sleep.after_azurerm_policy_set_definition,
+    time_sleep.after_azurerm_policy_assignment,
+    azurerm_role_assignment.policy_assignment,
+  ]
+}
--- a/variables.tf
+++ b/variables.tf
@ -26,8 +26,8 @@ variable "root_name" {
  default     = "Enterprise-Scale"

  validation {
-    condition     = can(regex("^[A-Za-z][A-Za-z0-9- ._]{1,22}[A-Za-z0-9]?$", var.root_name))
-    error_message = "Value must be between 2 to 24 characters long, start with a letter, end with a letter or number, and can only contain space, hyphen, underscore or period characters."
+    condition     = can(regex("^[A-Za-z][A-Za-z0-9- ._]{1,34}[A-Za-z0-9]?$", var.root_name))
+    error_message = "Value must be between 2 to 35 characters long, start with a letter, end with a letter or number, and can only contain space, hyphen, underscore or period characters."
  }
 }

@ -85,11 +85,14 @@ variable "configure_management_resources" {
      log_analytics = optional(object({
        enabled = optional(bool, true)
        config = optional(object({
-          retention_in_days          = optional(number, 30)
-          enable_monitoring_for_vm   = optional(bool, true)
-          enable_monitoring_for_vmss = optional(bool, true)
-          enable_sentinel            = optional(bool, true)
-          enable_change_tracking     = optional(bool, true)
+          retention_in_days                      = optional(number, 30)
+          enable_monitoring_for_vm               = optional(bool, true)
+          enable_monitoring_for_vmss             = optional(bool, true)
+          enable_sentinel                        = optional(bool, true)
+          enable_change_tracking                 = optional(bool, true)
+          enable_solution_for_vm_insights        = optional(bool, true)
+          enable_solution_for_container_insights = optional(bool, true)
+          sentinel_customer_managed_key_enabled  = optional(bool, false) # not used at this time
        }), {})
      }), {})
      security_center = optional(object({