Add connectivity and identity capabilities, plus fixes (#142)

* Add Policy Assignment for Deny-Public-IP * Update archetype definition for identity * Update description on management module variable * Add identity child module * Update order of values * Integrate identity module * Add root_id to identity module Fix missing integration for parameters Fix missing integration for enforcement_mode * Add dependency to fix #109 * Update comments for solutions depends_on block * Add super-linter outputs to gitignore * Update to latest version of github/super-linter * Add initial connectivity-hub-spoke logic * Improve coverage for custom settings * Fix resource type for virtualNetworkGateways * Update for future Virtual WAN support * Add initial connectivity support to module * Add Azure Firewall to connectivity resources * Update Azure logo * Add diagrams for connectivity and identity * Add workflow dispatch to Wiki Sync * Add connectivity and identity info * Initial connectivity and identity content for wiki * Fix linting errors * Enable running Wiki Sync in forks * Update env values * Update module descriptions * Remove logo from readme * Update module version references and root IDs * Refine wiki examples * Update default resource count * Update default values and formatting * Rename management and connectivity resources * Add connectivity resources to outputs * Linting fix for outputs * Add multi-provider support to module * Add multi-provider support to test framework * Update OPA test baseline * Fix linting error * Update provider aliases * Remove configuration_aliases * Update provider config * Update terraform.tf * Remove provider declarations * Update test matrix strategy * Initial wiki update for release v0.4.0 * Fix link for upgrade guide * Initial readme update for release v0.4.0 * Update resource changes * Update provider configuration details in wiki * Update provider configuration details in readme * Add DNS resources to connectivity * adding variables page * Add outbound virtual network peering from hubs * Rename enable_ddos_protection_standard flag * Update variables doc in Wiki * Resolve linting errors * Seperate role assignments by type for #90 This update will create separation between Role Assignments created for Policy vs. user-defined. * Simplify regex pattern * Update policy assignment resource to latest type * Use default location when no private_link_locations * Add dependency for virtual network links * Add new resources to outputs * Update test framework for new connectivity resources * Improve logic to generate outputs * Further improve logic to generate outputs * Remove old comments * Improve custom settings consistency * Add single platform subscription support * Update description in comments * Add new policy source to library tools * Add utility to update ProviderApiVersions.zip * Add WhatIf support * Fix incorrect scope on DNS links * Add logic to handle standard resources for policy imports * Major policy refresh from ES * Update Deploy-Log-Analytics Policy Assignment * Add Corp, Online and SAP landing zones * Fix sku error on Deploy-Log-Analytics policy * Update Policy Assignment Deploy-ASC-Defender Rename to Deploy-ASC-Configuration * removed duplicate "management" key in custom name for management resource group (#140) Co-authored-by: wuest01 <jonas.wueste@bertelsmann.de> * Update Policy Assignments and Archetypes * Fix incorrect casing on pricingTierVMs parameter * Add archetype_config_overrides for connectivity * Add connectivity and identity to parameters and enforcement_mode * Add base tags and update corresponding wiki pages * Add language to fenced code blocks * Add disable_base_module_tags * Fix incorrect whitespace character * Update planned_values.json to reflect latest tests * Update variables documentation * Updating mgmt pages, sidebar, and upgrade to 0.4.0 links (#137) Add management documentation to wiki * Update examples * Fix linting errors * Update to fix #104 * Add latest release information Co-authored-by: sblair01 <cerruleancity@gmail.com> Co-authored-by: jwueste <37145409+jwueste@users.noreply.github.com> Co-authored-by: wuest01 <jonas.wueste@bertelsmann.de>
2021-08-06 16:36:38 +01:00 · 2021-08-06 16:36:38 +01:00 · e4019d8f89
--- a/.github/scripts/EnterpriseScaleLibraryTools/EnterpriseScaleLibraryTools.psm1
+++ b/.github/scripts/EnterpriseScaleLibraryTools/EnterpriseScaleLibraryTools.psm1
@ -703,6 +703,24 @@ function GetObjectByResourceTypeFromJson {
                -ResourceObject (RemoveEscaping -InputObject $policySetDefinition) `
                -ResourceType ("Microsoft.Authorization/policySetDefinitions")
        }
+        foreach (
+            $policySetDefinition in $objectFromJson.resources |
+            Where-Object { $_.type -eq "Microsoft.Authorization/policyDefinitions" } |
+            Where-Object { $_.name -ne "[variables('policies').policyDefinitions[copyIndex()].name]" }
+        ) {
+            ProcessObjectByResourceType `
+                -ResourceObject (RemoveEscaping -InputObject $policySetDefinition) `
+                -ResourceType ("Microsoft.Authorization/policyDefinitions")
+        }
+        foreach (
+            $policySetDefinition in $objectFromJson.resources |
+            Where-Object { $_.type -eq "Microsoft.Authorization/policySetDefinitions" } |
+            Where-Object { $_.name -ne "[variables('initiatives').policySetDefinitions[copyIndex()].name]" }
+        ) {
+            ProcessObjectByResourceType `
+                -ResourceObject (RemoveEscaping -InputObject $policySetDefinition) `
+                -ResourceType ("Microsoft.Authorization/policySetDefinitions")
+        }
    }
    # The following block handles processing generic files where the source content is unknown
    # High probability of incorrect format if this happens.
@ -735,6 +753,13 @@ function Invoke-UseCacheFromModule {
    [ProviderApiVersions]::LoadCacheFromDirectory($Directory)
 }

+function Invoke-UpdateCacheInModule {
+    param (
+        [String]$Directory = "./"
+    )
+    [ProviderApiVersions]::SaveCacheToDirectory($Directory)
+}
+
 function ConvertTo-LibraryArtifact {
    [CmdletBinding()]
    param (
@ -826,6 +851,7 @@ $functionsToExport = @(
    "ConvertTo-LibraryArtifact"
    "Export-LibraryArtifact"
    "Invoke-UseCacheFromModule"
+    "Invoke-UpdateCacheInModule"
 )

 # Export module members
--- a/.github/scripts/EnterpriseScaleLibraryTools/ProviderApiVersions.zip
+++ b/.github/scripts/EnterpriseScaleLibraryTools/ProviderApiVersions.zip
--- a/.github/scripts/Invoke-LibraryUpdate.ps1
+++ b/.github/scripts/Invoke-LibraryUpdate.ps1
@ -23,6 +23,7 @@
 param (
    [Parameter()][String]$TargetModulePath = "$PWD/terraform-azurerm-caf-enterprise-scale",
    [Parameter()][String]$SourceModulePath = "$PWD/enterprise-scale",
+    [Parameter()][Switch]$Reset,
    [Parameter()][Switch]$UseCacheFromModule
 )

@ -56,26 +57,47 @@ $defaultConfig = @{
    recurse        = $false
 }

+# File locations from Enterprise-scale repository for
+# resources, organised by type
+$policyDefinitionFilePaths = (Get-ChildItem -Path "$SourceModulePath/eslzArm/managementGroupTemplates/policyDefinitions").FullName
+$policySetDefinitionFilePaths = (Get-ChildItem -Path "$SourceModulePath/eslzArm/managementGroupTemplates/policyDefinitions").FullName
+
 # The esltConfig array controls the foreach loop used to run
 # Export-LibraryArtifact. Each object provides a set of values
 # used to configure each run of Export-LibraryArtifact within
 # the loop. If a value needed by Export-LibraryArtifact is
 # missing, it will use the default value specified in the
 # defaultConfig object.
-$esltConfig = @(
-    @{
-        inputPath      = $SourceModulePath + "/docs/reference/wingtip/armTemplates/auxiliary/policies.json"
+$esltConfig = @()
+# Add Policy Definition source files to $esltConfig
+$esltConfig += $policyDefinitionFilePaths | ForEach-Object {
+    [PsCustomObject]@{
+        inputPath      = $_
        typeFilter     = "Microsoft.Authorization/policyDefinitions"
        fileNamePrefix = "policy_definitions/policy_definition_es_"
    }
-    @{
-        inputPath      = $SourceModulePath + "/docs/reference/wingtip/armTemplates/auxiliary/policies.json"
+}
+# Add Policy Set Definition source files to $esltConfig
+$esltConfig += $policySetDefinitionFilePaths | ForEach-Object {
+    [PsCustomObject]@{
+        inputPath      = $_
        typeFilter     = "Microsoft.Authorization/policySetDefinitions"
        fileNamePrefix = "policy_set_definitions/policy_set_definition_es_"
        fileNameSuffix = ".tmpl.json"
    }
-)
+}

+# If the -Reset parameter is set, delete all existing
+# artefacts (by resource type) from the library
+if ($Reset) {
+    Write-Information "Deleting existing Policy Definitions from library." -InformationAction Continue
+    Remove-Item -Path "$TargetModulePath/modules/archetypes/lib/policy_definitions/" -Recurse -Force
+    Write-Information "Deleting existing Policy Set Definitions from library." -InformationAction Continue
+    Remove-Item -Path "$TargetModulePath/modules/archetypes/lib/policy_set_definitions/" -Recurse -Force
+}
+
+# Process the files added to $esltConfig, to add content
+# to the library
 foreach ($config in $esltConfig) {
    Export-LibraryArtifact `
        -InputPath ($config.inputPath ?? $defaultConfig.inputPath) `
@ -88,3 +110,28 @@ foreach ($config in $esltConfig) {
        -Recurse:($config.recurse ?? $defaultConfig.recurse) `
        -WhatIf:$WhatIfPreference
 }
+
+# Get a list of current Policy Definition names
+$policyDefinitionFiles = Get-ChildItem -Path "$TargetModulePath/modules/archetypes/lib/policy_definitions/"
+$policyDefinitionNames = $policyDefinitionFiles | ForEach-Object {
+    (Get-Content -Path $_ | ConvertFrom-Json).Name
+}
+
+# Get a list of current Policy Set Definition names
+$policySetDefinitionFiles = Get-ChildItem -Path "$TargetModulePath/modules/archetypes/lib/policy_set_definitions/"
+$policySetDefinitionNames = $policySetDefinitionFiles | ForEach-Object {
+    (Get-Content -Path $_ | ConvertFrom-Json).Name
+}
+
+# Update the es_root archetype definition to reflect
+# the current list of Policy Definitions and Policy
+# Set Definitions
+$esRootFilePath = $TargetModulePath + "/modules/archetypes/lib/archetype_definitions/archetype_definition_es_root.tmpl.json"
+Write-Information "Loading `"es_root`" archetype definition." -InformationAction Continue
+$esRootConfig = Get-Content -Path $esRootFilePath | ConvertFrom-Json
+Write-Information "Updating Policy Definitions in `"es_root`" archetype definition." -InformationAction Continue
+$esRootConfig.es_root.policy_definitions = $policyDefinitionNames
+Write-Information "Updating Policy Set Definitions in `"es_root`" archetype definition." -InformationAction Continue
+$esRootConfig.es_root.policy_set_definitions = $policySetDefinitionNames
+Write-Information "Saving `"es_root`" archetype definition." -InformationAction Continue
+$esRootConfig | ConvertTo-Json -Depth 10 | Out-File -FilePath $esRootFilePath -Force
--- a/.github/scripts/Update-ProviderApiVersionsZip.ps1
+++ b/.github/scripts/Update-ProviderApiVersionsZip.ps1
@ -0,0 +1,30 @@
+#!/usr/bin/pwsh
+
+#
+# PowerShell Script
+# - Update the ProviderApiVersions.zip file stored in the module
+#
+# Requires an authentication session PowerShell session to Azure
+# and should be run from the same location as the script unless
+# the -Directory parameter is specified.
+#
+
+[CmdletBinding(SupportsShouldProcess)]
+param (
+    [Parameter()][String]$Directory = "$PWD/EnterpriseScaleLibraryTools"
+)
+
+$ErrorActionPreference = "Stop"
+
+# This script relies on a custom set of classes and functions
+# defined within the EnterpriseScaleLibraryTools PowerShell
+# module.
+$esltModulePath = "$Directory/EnterpriseScaleLibraryTools.psm1"
+Import-Module $esltModulePath -ErrorAction Stop
+
+Write-Information "Updating ProviderApiVersions in module." -InformationAction Continue
+if ($PSCmdlet.ShouldProcess($Directory)) {
+    Invoke-UpdateCacheInModule($Directory)
+}
+
+Write-Information "... Complete" -InformationAction Continue
--- a/.github/workflows/update-policy.yml
+++ b/.github/workflows/update-policy.yml
@ -64,7 +64,8 @@ jobs:
          ${{ github.repository }}/.github/scripts/Invoke-LibraryUpdate.ps1 `
            -TargetModulePath ${{ github.workspace }}/${{ github.repository }} `
            -SourceModulePath ${{ github.workspace }}/${{ env.remote_repository }} `
-            -UseCacheFromModule
+            -UseCacheFromModule `
+            -Reset
        shell: pwsh

      - name: Check for changes
--- a/.github/workflows/wiki-sync.yml
+++ b/.github/workflows/wiki-sync.yml
@ -6,11 +6,12 @@ on:
      - main
    paths:
      - "docs/wiki/**"
+  workflow_dispatch: {}

 env:
-  wiki_source_repo: "Azure/terraform-azurerm-caf-enterprise-scale"
-  wiki_source_repo_dir: "Azure/terraform-azurerm-caf-enterprise-scale/docs/wiki"
-  wiki_target_repo: "Azure/terraform-azurerm-caf-enterprise-scale.wiki"
+  wiki_source_repo: "${{ github.repository }}"
+  wiki_source_repo_dir: "${{ github.repository }}/docs/wiki"
+  wiki_target_repo: "${{ github.repository }}.wiki"
  github_user_name: "github-actions"
  github_email: "github-actions@github.com"
  github_commit_message: "GitHub Action syncing wiki from docs/wiki"
@ -18,7 +19,7 @@ env:
 jobs:
  sync-wiki:
    name: Sync Wiki
-    if: github.repository == 'Azure/terraform-azurerm-caf-enterprise-scale'
+    if: github.repository == 'Azure/terraform-azurerm-caf-enterprise-scale' || github.event_name == 'workflow_dispatch'
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Source Repo
@ -50,4 +51,3 @@ jobs:
          git commit -m "$github_commit_message [$GITHUB_ACTOR/${GITHUB_SHA::8}]"
          git push --set-upstream https://$GITHUB_TOKEN@github.com/$wiki_target_repo.git master
        working-directory: ${{ env.wiki_target_repo }}
-          
--- a/.gitignore
+++ b/.gitignore
@ -43,4 +43,4 @@ override.tf.json
 # Ignore Super-Linter log
 **/super-linter.report
 **/super-linter.report/*
-**/super-linter.log
+**/super-linter.log
--- a/README.md
+++ b/README.md
@ -5,6 +5,17 @@

 > **MODULE UPGRADE NOTES**
 >
+> The `v0.4.0` release represents a major milestone for the module, introducing capabilities for deploying `Identity` and `Connectivity` solutions from the Enterprise-scale architecture.
+> The following breaking changes should be noted when upgrading from `v0.3.x`:
+> - The minimum supported version of Terraform is now set to `0.15.0`
+> - The minimum supported version of the AzureRM Provider is now set to `2.66.0`
+> - Resources have been renamed to support multiple providers within the module
+> - The [`azurerm_policy_assignment`][azurerm_policy_assignment] resource type has been replaced by the new [`azurerm_management_group_policy_assignment`][azurerm_management_group_policy_assignment] resource type
+>
+> These changes were necessary to support the latest features for Availability Zone configuration settings on the [`azurerm_public_ip`][azurerm_public_ip] resources, allow integration of multiple providers within the module to enable deploying resources to multiple Subscriptions, and to future proof against deprecation of the [`azurerm_policy_assignment`][azurerm_policy_assignment] resource.
+> We believe this provides the best end-user experience going forward, so to make the transition as easy as possible, we have also provided documentation explaining how to [upgrade from v0.3.3 to v0.4.0][wiki_upgrade_from_v0_3_3_to_v0_4_0].
+> We strongly recommend to review this, along with the [release notes][release_notes_v0_4_0] and test your deployment before upgrading.
+>
 > The `v0.3.0` release focuses mainly on updating the test framework, but also introduces a breaking change which removes the need (and support for) wrapping user-defined parameters in `jsonencode()`.
 > When upgrading to this release, please ensure to update your code to use native HCL values as documented in the [release notes][release_notes_v0_3_0].
 >
@ -20,14 +31,23 @@ For detailed information about how to use, configure and extend this module, ple
  - [Getting Started][wiki_getting_started]
  - [Module Variables][wiki_module_variables]
  - [Archetype Definitions][wiki_archetype_definitions]
-  - [Deploy Management Resources][wiki_deploy_management_resources]
+  - [Core Resources][wiki_core_resources]
+  - [Management Resources][wiki_management_resources]
+  - [Connectivity Resources][wiki_connectivity_resources]
+  - [Identity Resources][wiki_identity_resources]
  - [Upgrade from v0.0.8 to v0.1.0][wiki_upgrade_from_v0_0_8_to_v0_1_0]
  - [Upgrade from v0.1.2 to v0.2.0][wiki_upgrade_from_v0_1_2_to_v0_2_0]
+  - [Upgrade from v0.3.3 to v0.4.0][wiki_upgrade_from_v0_3_3_to_v0_4_0]
 - [Examples][wiki_examples]
  - [Deploy Default Configuration][wiki_deploy_default_configuration]
  - [Deploy Demo Landing Zone Archetypes][wiki_deploy_demo_landing_zone_archetypes]
  - [Deploy Custom Landing Zone Archetypes][wiki_deploy_custom_landing_zone_archetypes]
+  - [Deploy Management Resources][wiki_deploy_management_resources]
+  - [Deploy Connectivity Resources][wiki_deploy_connectivity_resources]
+  - [Deploy Identity Resources][wiki_deploy_identity_resources]
+  - [Expand Built-in Archetype Definitions][wiki_expand_built_in_archetype_definitions]
  - [Deploy Using Module Nesting][wiki_deploy_using_module_nesting]
+  - [Override Module Role Assignments][wiki_override_module_role_assignments]
 - [Frequently Asked Questions][wiki_frequently_asked_questions]
 - [Troubleshooting][wiki_troubleshooting]
 - [Contributing][wiki_contributing]
@ -38,13 +58,16 @@ For detailed information about how to use, configure and extend this module, ple

 ## Overview

-The [Terraform Module for Cloud Adoption Framework Enterprise-scale][terraform-registry-caf-enterprise-scale] provides an opinionated approach for delivering Azure landing zones using Terraform.
-Depending on the selected options, this module is able to deploy different groups of resources as needed.
+The [Terraform Module for Cloud Adoption Framework Enterprise-scale][terraform-registry-caf-enterprise-scale] provides an opinionated approach for deploying and managing the core platform capabilities of [Cloud Adoption Framework enterprise-scale landing zone architecture][ESLZ-Architecture] using Terraform.
+
+Depending on selected options, this module can deploy different groups of resources as needed.

 This is currently split logically into the following capabilities:

- Core resources
- Management resources
+- [Core Resources](#core-resources)
+- [Management Resources](#management-resources)
+- [Connectivity Resources](#connectivity-resources)
+- [Identity Resources](#identity-resources)

 The following sections outline the different resource types deployed and managed by this module, depending on the configuration options specified.

@ -60,13 +83,13 @@ The following resource types are deployed and managed by this module when using
 | --- | -------------- | ------------------ |
 | Management Groups | [`Microsoft.Management/managementGroups`][arm_management_group] | [`azurerm_management_group`][azurerm_management_group] |
 | Management Group Subscriptions | [`Microsoft.Management/managementGroups/subscriptions`][arm_management_group_subscriptions] | [`azurerm_management_group`][azurerm_management_group] |
-| Policy Assignments | [`Microsoft.Authorization/policyAssignments`][arm_policy_assignment] | [`azurerm_policy_assignment`][azurerm_policy_assignment] |
+| Policy Assignments | [`Microsoft.Authorization/policyAssignments`][arm_policy_assignment] | [`azurerm_management_group_policy_assignment`][azurerm_management_group_policy_assignment] |
 | Policy Definitions | [`Microsoft.Authorization/policyDefinitions`][arm_policy_definition] | [`azurerm_policy_definition`][azurerm_policy_definition] |
 | Policy Set Definitions | [`Microsoft.Authorization/policySetDefinitions`][arm_policy_set_definition] | [`azurerm_policy_set_definition`][azurerm_policy_set_definition] |
 | Role Assignments | [`Microsoft.Authorization/roleAssignments`][arm_role_assignment] | [`azurerm_role_assignment`][azurerm_role_assignment] |
 | Role Definitions | [`Microsoft.Authorization/roleDefinitions`][arm_role_definition] | [`azurerm_role_definition`][azurerm_role_definition] |

-The exact number of resources created depends on the module configuration, but you can expect upwards of `100` resources to be created by this module for a default installation based on the example below.
+The exact number of resources created depends on the module configuration, but you can expect upwards of 200 resources to be created by this module for a default installation based on the example below.

 > **NOTE:** None of these resources are deployed at the Subscription scope, however Terraform still requires a Subscription to establish an authenticated session with Azure.

@ -89,9 +112,46 @@ The following resource types are deployed and managed by this module when the Ma

 Please refer to the [Deploy Management Resources][wiki_deploy_management_resources] page on our Wiki for more information about how to use this capability.

+### Connectivity resources
+
+From release `v0.4.0` onwards, the module includes new functionality to enable deployment of [Network topology and connectivity][ESLZ-Connectivity] resources into the current Subscription context.
+This is currently limited to the Hub & Spoke network topology, but the addition of Virtual WAN capabilities is on our roadmap (date TBC).
+
+![Enterprise-scale Connectivity Landing Zone Architecture][TFAES-Connectivity]
+
+> **NOTE:** The module currently only configures the networking hub, and dependent resources for the `Connectivity` Subscription.
+> To ensure we achieve the right balance of managing resources via Terraform vs. Azure Policy, we are still working on how best to handle the creation of spoke Virtual Networks and Virtual Network Peering.
+> Improving this story is our next priority on the product roadmap.
+
+The following resource types are deployed and managed by this module when the Connectivity resources capabilities are enabled:
+
+|     | Azure Resource | Terraform Resource |
+| --- | -------------- | ------------------ |
+| Resource Groups | [`Microsoft.Resources/resourceGroups`][arm_resource_group] | [`azurerm_resource_group`][azurerm_resource_group] |
+| Virtual Networks | [`Microsoft.Network/virtualNetworks`][arm_virtual_network] | [`azurerm_virtual_network`][azurerm_virtual_network] |
+| Subnets | [`Microsoft.Network/virtualNetworks/subnets`][arm_subnet] | [`azurerm_subnet`][azurerm_subnet] |
+| Virtual Network Gateways | [`Microsoft.Network/virtualNetworkGateways`][arm_virtual_network_gateway] | [`azurerm_virtual_network_gateway`][azurerm_virtual_network_gateway] |
+| Azure Firewalls | [`Microsoft.Network/azureFirewalls`][arm_firewall] | [`azurerm_firewall`][azurerm_firewall] |
+| Public IP Addresses | [`Microsoft.Network/publicIPAddresses`][arm_public_ip] | [`azurerm_public_ip`][azurerm_public_ip] |
+| DDoS Protection Plans | [`Microsoft.Network/ddosProtectionPlans`][arm_ddos_protection_plan] | [`azurerm_network_ddos_protection_plan`][azurerm_network_ddos_protection_plan] |
+| DNS Zones (pending) | [`Microsoft.Network/dnsZones`][arm_dns_zone] | [`azurerm_dns_zone`][azurerm_dns_zone] |
+| Virtual Network Peerings (pending) | [`Microsoft.Network/virtualNetworks/virtualNetworkPeerings`][arm_virtual_network_peering] | [`azurerm_virtual_network_peering`][azurerm_virtual_network_peering] |
+
+Please refer to the [Deploy Connectivity Resources][wiki_deploy_connectivity_resources] page on our Wiki for more information about how to use this capability.
+
+### Identity resources
+
+From release `v0.4.0` onwards, the module includes new functionality to enable deployment of [Identity and access management][ESLZ-Identity] resources into the current Subscription context.
+
+![Enterprise-scale Identity Landing Zone Architecture][TFAES-Identity]
+
+No additional resources are deployed by this capability, however policy settings relating to the `Identity` Management Group can now be easily updated via the `configure_identity_resources` input variable.
+
+Please refer to the [Deploy Identity Resources][wiki_deploy_identity_resources] page on our Wiki for more information about how to use this capability.
+
 ## Terraform versions

-This module has been tested using Terraform `0.13.2` and AzureRM Provider `2.41.0` as a baseline, and various versions to up the most recent at the time of release.
+This module has been tested using Terraform `0.15.0` and AzureRM Provider `2.66.0` as a baseline, and various versions to up the most recent at the time of release.
 In some cases, individual versions of the AzureRM provider may cause errors.
 If this happens, we advise upgrading to the latest version and checking our [troubleshooting][wiki_troubleshooting] guide before [raising an issue](https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/issues).

@ -100,6 +160,8 @@ If this happens, we advise upgrading to the latest version and checking our [tro

 As a basic starting point, we recommend starting with the following configuration in your root module.

+This will deploy the core components only.
+
 > **NOTE:** For production use we highly recommend using the Terraform Registry and pinning to the latest stable version, as per the example below.
 > Pinning to the `main` branch in GitHub will give you the latest updates quicker, but increases the likelihood of unplanned changes to your environment and unforeseen issues.

@ -113,7 +175,7 @@ terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
-      version = ">= 2.41.0"
+      version = ">= 2.66.0"
    }
  }
 }
@ -127,7 +189,7 @@ provider "azurerm" {
 # current Tenant ID used as the ID for the "Tenant Root Group"
 # Management Group.

-data "azurerm_client_config" "current" {}
+data "azurerm_client_config" "core" {}

 # Use variables to customise the deployment

@ -146,9 +208,15 @@ variable "root_name" {

 module "enterprise_scale" {
  source  = "Azure/caf-enterprise-scale/azurerm"
-  version = "0.3.3"
+  version = "0.4.0"

-  root_parent_id = data.azurerm_client_config.current.tenant_id
+  providers = {
+    azurerm              = azurerm
+    azurerm.connectivity = azurerm
+    azurerm.management   = azurerm
+  }
+
+  root_parent_id = data.azurerm_client_config.core.tenant_id
  root_id        = var.root_id
  root_name      = var.root_name

@ -165,21 +233,25 @@ module "enterprise_scale" {

 [Contributing Guide][TFAES-CONTRIBUTING]

-
 [//]: # (*****************************)
 [//]: # (INSERT IMAGE REFERENCES BELOW)
 [//]: # (*****************************)

-[TFAES-Overview]: https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/media/terraform-caf-enterprise-scale-overview.png "Diagram showing the core Cloud Adoption Framework Enterprise-scale Landing Zone architecture deployed by this module."
-[TFAES-Management]: https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/media/terraform-caf-enterprise-scale-management.png "Diagram showing the Management resources for Cloud Adoption Framework Enterprise-scale Landing Zone architecture deployed by this module."
+[TFAES-Overview]:     ./docs/wiki/media/terraform-caf-enterprise-scale-overview.png "Diagram showing the core Cloud Adoption Framework Enterprise-scale Landing Zone architecture deployed by this module."
+[TFAES-Management]:   ./docs/wiki/media/terraform-caf-enterprise-scale-management.png "Diagram showing the Management resources for Cloud Adoption Framework Enterprise-scale Landing Zone architecture deployed by this module."
+[TFAES-Connectivity]: ./docs/wiki/media/terraform-caf-enterprise-scale-connectivity.png "Diagram showing the Connectivity resources for Cloud Adoption Framework Enterprise-scale Landing Zone architecture deployed by this module."
+[TFAES-Identity]:     ./docs/wiki/media/terraform-caf-enterprise-scale-identity.png "Diagram showing the Identity resources for Cloud Adoption Framework Enterprise-scale Landing Zone architecture deployed by this module."

 [//]: # (************************)
 [//]: # (INSERT LINK LABELS BELOW)
 [//]: # (************************)

 [terraform-registry-caf-enterprise-scale]: https://registry.terraform.io/modules/Azure/caf-enterprise-scale/azurerm/latest "Terraform Registry: Terraform Module for Cloud Adoption Framework Enterprise-scale"
+
 [ESLZ-Architecture]: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/enterprise-scale/architecture
-[ESLZ-Management]: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/enterprise-scale/management-and-monitoring
+[ESLZ-Management]:   https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/enterprise-scale/management-and-monitoring
+[ESLZ-Connectivity]: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/enterprise-scale/network-topology-and-connectivity
+[ESLZ-Identity]:     https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/enterprise-scale/identity-and-access-management

 [arm_management_group]:               https://docs.microsoft.com/en-us/azure/templates/microsoft.management/managementgroups
 [arm_management_group_subscriptions]: https://docs.microsoft.com/en-us/azure/templates/microsoft.management/managementgroups/subscriptions
@ -193,42 +265,74 @@ module "enterprise_scale" {
 [arm_log_analytics_solution]:         https://docs.microsoft.com/en-us/azure/templates/microsoft.operationsmanagement/solutions
 [arm_automation_account]:             https://docs.microsoft.com/en-us/azure/templates/microsoft.automation/automationaccounts
 [arm_log_analytics_linked_service]:   https://docs.microsoft.com/en-us/azure/templates/microsoft.operationalinsights/workspaces/linkedservices
+[arm_virtual_network]:                https://docs.microsoft.com/en-us/azure/templates/microsoft.network/virtualnetworks
+[arm_subnet]:                         https://docs.microsoft.com/en-us/azure/templates/microsoft.network/virtualnetworks/subnets
+[arm_virtual_network_gateway]:        https://docs.microsoft.com/en-us/azure/templates/microsoft.network/virtualnetworkgateways
+[arm_firewall]:                       https://docs.microsoft.com/en-us/azure/templates/microsoft.network/azurefirewalls
+[arm_public_ip]:                      https://docs.microsoft.com/en-us/azure/templates/microsoft.network/publicipaddresses
+[arm_ddos_protection_plan]:           https://docs.microsoft.com/en-us/azure/templates/microsoft.network/ddosprotectionplans
+[arm_dns_zone]:                       https://docs.microsoft.com/en-us/azure/templates/microsoft.network/dnszones
+[arm_virtual_network_peering]:        https://docs.microsoft.com/en-us/azure/templates/microsoft.network/virtualnetworks/virtualnetworkpeerings

-[azurerm_management_group]:             https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/management_group
-[azurerm_policy_assignment]:            https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/policy_assignment
-[azurerm_policy_definition]:            https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/policy_definition
-[azurerm_policy_set_definition]:        https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/policy_set_definition
-[azurerm_role_assignment]:              https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment
-[azurerm_role_definition]:              https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_definition
-[azurerm_resource_group]:               https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group
-[azurerm_log_analytics_workspace]:      https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/log_analytics_workspace
-[azurerm_log_analytics_solution]:       https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/log_analytics_solution
-[azurerm_automation_account]:           https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/automation_account
-[azurerm_log_analytics_linked_service]: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/log_analytics_linked_service
+[azurerm_management_group]:                   https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/management_group
+[azurerm_management_group_policy_assignment]: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/management_group_policy_assignment
+[azurerm_policy_assignment]:                  https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/policy_assignment
+[azurerm_policy_definition]:                  https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/policy_definition
+[azurerm_policy_set_definition]:              https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/policy_set_definition
+[azurerm_role_assignment]:                    https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment
+[azurerm_role_definition]:                    https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_definition
+[azurerm_resource_group]:                     https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group
+[azurerm_log_analytics_workspace]:            https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/log_analytics_workspace
+[azurerm_log_analytics_solution]:             https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/log_analytics_solution
+[azurerm_automation_account]:                 https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/automation_account
+[azurerm_log_analytics_linked_service]:       https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/log_analytics_linked_service
+[azurerm_virtual_network]:                    https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_network
+[azurerm_subnet]:                             https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet
+[azurerm_virtual_network_gateway]:            https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_network_gateway
+[azurerm_firewall]:                           https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/firewall
+[azurerm_public_ip]:                          https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/public_ip
+[azurerm_network_ddos_protection_plan]:       https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_ddos_protection_plan
+[azurerm_dns_zone]:                           https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/dns_zone
+[azurerm_virtual_network_peering]:            https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_network_peering

 [TFAES-LICENSE]:      https://github.com/Azure/terraform-azurerm-enterprise-scale/blob/main/LICENSE
 [TFAES-CONTRIBUTING]: https://github.com/Azure/terraform-azurerm-enterprise-scale/blob/main/CONTRIBUTING
-[TFAES-Library]:       https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/tree/main/modules/terraform-azurerm-caf-enterprise-scale-archetypes/lib
+[TFAES-Library]:      https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/tree/main/modules/terraform-azurerm-caf-enterprise-scale-archetypes/lib

-[wiki_home]: https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/Home "Wiki - Home"
-[wiki_user_guide]: https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/User-Guide "Wiki - User Guide"
-[wiki_getting_started]: https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BUser-Guide%5D-Getting-Started "Wiki - Getting Started"
-[wiki_module_variables]: https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BUser-Guide%5D-Module-Variables "Wiki - Module Variables"
-[wiki_archetype_definitions]: https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BUser-Guide%5D-Archetype-Definitions "Wiki - Archetype Definitions"
-[wiki_upgrade_from_v0_0_8_to_v0_1_0]: https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BUser-Guide%5D-Upgrade-from-v0.0.8-to-v0.1.0 "Wiki - Upgrade from v0.0.8 to v0.1.0"
-[wiki_upgrade_from_v0_1_2_to_v0_2_0]: https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BUser-Guide%5D-Upgrade-from-v0.1.2-to-v0.2.0 "Wiki - Upgrade from v0.1.2 to v0.2.0"
-[wiki_deploy_management_resources]: https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BUser-Guide%5D-Deploy-Management-Resources "Wiki - Deploy Management Resources"
-[wiki_examples]: https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/Examples "Wiki - Examples"
-[wiki_deploy_default_configuration]: https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BExamples%5D-Deploy-Default-Configuration "Wiki - Deploy Default Configuration"
-[wiki_deploy_demo_landing_zone_archetypes]: https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BExamples%5D-Deploy-Demo-Landing-Zone-Archetypes "Wiki - Deploy Demo Landing Zone Archetypes"
+<!--
+The following link references should be copied from `_sidebar.md` in the `./docs/wiki/` folder.
+Replace `./` with `https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/` when copying to here.
+-->
+
+[wiki_home]:                                  https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/Home "Wiki - Home"
+[wiki_user_guide]:                            https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/User-Guide "Wiki - User Guide"
+[wiki_getting_started]:                       https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BUser-Guide%5D-Getting-Started "Wiki - Getting Started"
+[wiki_module_variables]:                      https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BUser-Guide%5D-Module-Variables "Wiki - Module Variables"
+[wiki_archetype_definitions]:                 https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BUser-Guide%5D-Archetype-Definitions "Wiki - Archetype Definitions"
+[wiki_upgrade_from_v0_0_8_to_v0_1_0]:         https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BUser-Guide%5D-Upgrade-from-v0.0.8-to-v0.1.0 "Wiki - Upgrade from v0.0.8 to v0.1.0"
+[wiki_upgrade_from_v0_1_2_to_v0_2_0]:         https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BUser-Guide%5D-Upgrade-from-v0.1.2-to-v0.2.0 "Wiki - Upgrade from v0.1.2 to v0.2.0"
+[wiki_upgrade_from_v0_3_3_to_v0_4_0]:         https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BUser-Guide%5D-Upgrade-from-v0.3.3-to-v0.4.0 "Wiki - Upgrade from v0.3.3 to v0.4.0"
+[wiki_core_resources]:                        https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BUser-Guide%5D-Core-Resources "Wiki - Core Resources"
+[wiki_management_resources]:                  https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BUser-Guide%5D-Management-Resources "Wiki - Management Resources"
+[wiki_connectivity_resources]:                https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BUser-Guide%5D-Connectivity-Resources "Wiki - Connectivity Resources"
+[wiki_identity_resources]:                    https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BUser-Guide%5D-Identity-Resources "Wiki - Identity Resources"
+[wiki_examples]:                              https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/Examples "Wiki - Examples"
+[wiki_deploy_default_configuration]:          https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BExamples%5D-Deploy-Default-Configuration "Wiki - Deploy Default Configuration"
+[wiki_deploy_demo_landing_zone_archetypes]:   https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BExamples%5D-Deploy-Demo-Landing-Zone-Archetypes "Wiki - Deploy Demo Landing Zone Archetypes"
 [wiki_deploy_custom_landing_zone_archetypes]: https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BExamples%5D-Deploy-Custom-Landing-Zone-Archetypes "Wiki - Deploy Custom Landing Zone Archetypes"
-[wiki_deploy_using_module_nesting]: https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BExamples%5D-Deploy-Using-Module-Nesting "Wiki - Deploy Using Module Nesting"
-[wiki_frequently_asked_questions]: https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/Frequently-Asked-Questions "Wiki - Frequently Asked Questions"
-[wiki_troubleshooting]: https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/Troubleshooting "Wiki - Troubleshooting"
-[wiki_contributing]: https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/Contributing "Wiki - Contributing"
-[wiki_raising_an_issue]: https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/Raising-an-Issue "Wiki - Raising an Issue"
-[wiki_feature_requests]: https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/Feature-Requests "Wiki - Feature Requests"
-[wiki_contributing_to_code]: https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/Contributing-to-Code "Wiki - Contributing to Code"
-[wiki_contributing_to_documentation]: https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/Contributing-to-Documentation "Wiki - Contributing to Documentation"
+[wiki_deploy_management_resources]:           https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BExamples%5D-Deploy-Management-Resources "Wiki - Deploy Management Resources"
+[wiki_deploy_connectivity_resources]:         https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BExamples%5D-Deploy-Connectivity-Resources "Wiki - Deploy Connectivity Resources"
+[wiki_deploy_identity_resources]:             https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BExamples%5D-Deploy-Identity-Resources "Wiki - Deploy Identity Resources"
+[wiki_deploy_using_module_nesting]:           https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BExamples%5D-Deploy-Using-Module-Nesting "Wiki - Deploy Using Module Nesting"
+[wiki_frequently_asked_questions]:            https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/Frequently-Asked-Questions "Wiki - Frequently Asked Questions"
+[wiki_troubleshooting]:                       https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/Troubleshooting "Wiki - Troubleshooting"
+[wiki_contributing]:                          https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/Contributing "Wiki - Contributing"
+[wiki_raising_an_issue]:                      https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/Raising-an-Issue "Wiki - Raising an Issue"
+[wiki_feature_requests]:                      https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/Feature-Requests "Wiki - Feature Requests"
+[wiki_contributing_to_code]:                  https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/Contributing-to-Code "Wiki - Contributing to Code"
+[wiki_contributing_to_documentation]:         https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/Contributing-to-Documentation "Wiki - Contributing to Documentation"
+[wiki_expand_built_in_archetype_definitions]: https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BExamples%5D-Expand-Built-in-Archetype-Definitions "Wiki - Expand Built-in Archetype Definitions"
+[wiki_override_module_role_assignments]:      https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BExamples%5D-Override-Module-Role-Assignments "Wiki - Override Module Role Assignments"

-[release_notes_v0_3_0]: https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/releases/tag/v0.3.0 "Release notes for v0.3.0"
+[release_notes_v0_3_0]: https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/releases/tag/v0.3.0 "Release notes for v0.3.0"
+[release_notes_v0_4_0]: https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/releases/tag/v0.4.0 "Release notes for v0.4.0"
--- a/docs/wiki/Examples.md
+++ b/docs/wiki/Examples.md
@ -6,11 +6,16 @@ Use the links below to explore these examples in more detail.

 - [Deploy Default Configuration][wiki_deploy_default_configuration]
 - [Deploy Demo Landing Zone Archetypes][wiki_deploy_demo_landing_zone_archetypes]
+- [Deploy Management Resoures][wiki_deploy_management_resources]

 ### Intermediate (Level 200)

 - [Deploy Custom Landing Zone Archetypes][wiki_deploy_custom_landing_zone_archetypes]
 - [Expand Built-in Archetype Definitions][wiki_expand_built_in_archetype_definitions]
+- [Deploy Management Resources][wiki_deploy_management_resources]
+- [Deploy Connectivity Resources][wiki_deploy_connectivity_resources]
+- [Deploy Identity Resources][wiki_deploy_identity_resources]
+- [Deploy Custom Management Landing Zone][wiki_deploy_custom_management_landing_zone]

 ### Advanced (Level 300)

@ -20,9 +25,15 @@ Use the links below to explore these examples in more detail.
 [//]: # "************************"
 [//]: # "INSERT LINK LABELS BELOW"
 [//]: # "************************"
-[wiki_deploy_default_configuration]: https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BExamples%5D-Deploy-Default-Configuration "Wiki - Deploy Default Configuration"
-[wiki_deploy_demo_landing_zone_archetypes]: https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BExamples%5D-Deploy-Demo-Landing-Zone-Archetypes "Wiki - Deploy Demo Landing Zone Archetypes"
-[wiki_deploy_custom_landing_zone_archetypes]: https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BExamples%5D-Deploy-Custom-Landing-Zone-Archetypes "Wiki - Deploy Custom Landing Zone Archetypes"
-[wiki_deploy_using_module_nesting]: https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BExamples%5D-Deploy-Using-Module-Nesting "Wiki - Deploy Using Module Nesting"
-[wiki_expand_built_in_archetype_definitions]: https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BExamples%5D-Expand-Built-in-Archetype-Definitions "Wiki - Expand Built-in Archetype Definitions"
-[wiki_override_module_role_assignments]: https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BExamples%5D-Override-Module-Role-Assignments "Wiki - Override Module Role Assignments"
+
+[wiki_deploy_default_configuration]:          ./%5BExamples%5D-Deploy-Default-Configuration "Wiki - Deploy Default Configuration"
+[wiki_deploy_demo_landing_zone_archetypes]:   ./%5BExamples%5D-Deploy-Demo-Landing-Zone-Archetypes "Wiki - Deploy Demo Landing Zone Archetypes"
+[wiki_deploy_custom_landing_zone_archetypes]: ./%5BExamples%5D-Deploy-Custom-Landing-Zone-Archetypes "Wiki - Deploy Custom Landing Zone Archetypes"
+[wiki_deploy_management_resources]:           ./%5BExamples%5D-Deploy-Management-Resources "Wiki - Deploy Management Resources"
+[wiki_deploy_connectivity_resources]:         ./%5BExamples%5D-Deploy-Connectivity-Resources "Wiki - Deploy Connectivity Resources"
+[wiki_deploy_identity_resources]:             ./%5BExamples%5D-Deploy-Identity-Resources "Wiki - Deploy Identity Resources"
+[wiki_deploy_using_module_nesting]:           ./%5BExamples%5D-Deploy-Using-Module-Nesting "Wiki - Deploy Using Module Nesting"
+[wiki_expand_built_in_archetype_definitions]: ./%5BExamples%5D-Expand-Built-in-Archetype-Definitions "Wiki - Expand Built-in Archetype Definitions"
+[wiki_override_module_role_assignments]:      ./%5BExamples%5D-Override-Module-Role-Assignments "Wiki - Override Module Role Assignments"
+[wiki_deploy_management_resources]:           ./%5BExamples%5D-Deploy-Management-Resources.md "Wiki - Deploy Management Resources"
+[wiki_deploy_custom_management_landing_zone]: ./%5BExamples%5D-Deploy-Custom-Management-Landing-Zone.md "Wiki - Deploy Custom Management Landing Zone"
--- a/docs/wiki/Home.md
+++ b/docs/wiki/Home.md
@ -1,11 +1,20 @@
 # Terraform Module for Cloud Adoption Framework Enterprise-scale

-The [Terraform Module for Cloud Adoption Framework Enterprise-scale][terraform-registry-caf-enterprise-scale] provides an opinionated approach for delivering the core platform capabilities needed to start building Azure landing zones using Terraform.
-
-This module deploys the foundations of the [Cloud Adoption Framework enterprise-scale landing zone architecture][ESLZ-Architecture], with a focus on the central resource hierarchy and governance:
+The [Terraform Module for Cloud Adoption Framework Enterprise-scale][terraform-registry-caf-enterprise-scale] provides an opinionated approach for deploying and managing the core platform capabilities of [Cloud Adoption Framework enterprise-scale landing zone architecture][ESLZ-Architecture] using Terraform, with a focus on the central resource hierarchy:

 ![Enterprise-scale Landing Zone Architecture][TFAES-Overview]

+Depending on selected options, this module can deploy different groups of resources as needed.
+
+This is currently split logically into the following capabilities:
+
+- [Core Resources][wiki_core_resources]
+- [Management Resources][wiki_management_resources]
+- [Connectivity Resources][wiki_connectivity_resources]
+- [Identity Resources][wiki_identity_resources]
+
+Please click on each of the above links for more details.
+
 ## Critical design areas

 The module provides a consistent approach for deploying and managing resources relating to the following Enterprise-scale critical design areas:
@ -21,59 +30,10 @@ The module provides a consistent approach for deploying and managing resources r
  - Link Log Analytics workspace to the Automation Account
  - Deploy recommended Log Analytics Solutions
  - Enable Azure Defender
-
-## Resources
-
-The [Terraform Module for Cloud Adoption Framework Enterprise-scale][terraform-registry-caf-enterprise-scale] provides an opinionated approach for delivering Azure landing zones using Terraform.
-Depending on the selected options, this module is able to deploy different groups of resources as needed.
-
-This is currently split logically into the following capabilities:
-
- Core resources
- Management resources
-
-The following sections outline the different resource types deployed and managed by this module, depending on the configuration options specified.
-
-### Core resources
-
-The core capability of this module deploys the foundations of the [Cloud Adoption Framework enterprise-scale landing zone architecture][ESLZ-Architecture], with a focus on the central resource hierarchy and governance:
-
-![Enterprise-scale Core Landing Zones Architecture][TFAES-Overview]
-
-The following resource types are deployed and managed by this module when using the core capabilities:
-
-|     | Azure Resource | Terraform Resource |
-| --- | -------------- | ------------------ |
-| Management Groups | [`Microsoft.Management/managementGroups`][arm_management_group] | [`azurerm_management_group`][azurerm_management_group] |
-| Management Group Subscriptions | [`Microsoft.Management/managementGroups/subscriptions`][arm_management_group_subscriptions] | [`azurerm_management_group`][azurerm_management_group] |
-| Policy Assignments | [`Microsoft.Authorization/policyAssignments`][arm_policy_assignment] | [`azurerm_policy_assignment`][azurerm_policy_assignment] |
-| Policy Definitions | [`Microsoft.Authorization/policyDefinitions`][arm_policy_definition] | [`azurerm_policy_definition`][azurerm_policy_definition] |
-| Policy Set Definitions | [`Microsoft.Authorization/policySetDefinitions`][arm_policy_set_definition] | [`azurerm_policy_set_definition`][azurerm_policy_set_definition] |
-| Role Assignments | [`Microsoft.Authorization/roleAssignments`][arm_role_assignment] | [`azurerm_role_assignment`][azurerm_role_assignment] |
-| Role Definitions | [`Microsoft.Authorization/roleDefinitions`][arm_role_definition] | [`azurerm_role_definition`][azurerm_role_definition] |
-
-The exact number of resources created depends on the module configuration, but you can expect upwards of `100` resources to be created by this module for a default installation based on the example below.
-
-> **NOTE:** None of these resources are deployed at the Subscription scope, however Terraform still requires a Subscription to establish an authenticated session with Azure.
-
-### Management resources
-
-From release `v0.2.0` onwards, the module includes new functionality to enable deployment of [Management and monitoring][ESLZ-Management] resources into the current Subscription context.
-This brings the benefit of being able to manage the full lifecycle of these resources using Terraform, with native integration into the corresponding Policy Assignments to ensure full policy compliance.
-
-![Enterprise-scale Management Landing Zone Architecture][TFAES-Management]
-
-The following resource types are deployed and managed by this module when the Management resources capabilities are enabled:
-
-|     | Azure Resource | Terraform Resource |
-| --- | -------------- | ------------------ |
-| Resource Groups | [`Microsoft.Resources/resourceGroups`][arm_resource_group] | [`azurerm_resource_group`][azurerm_resource_group] |
-| Log Analytics Workspace | [`Microsoft.OperationalInsights/workspaces`][arm_log_analytics_workspace] | [`azurerm_log_analytics_workspace`][azurerm_log_analytics_workspace] |
-| Log Analytics Solutions | [`Microsoft.OperationsManagement/solutions`][arm_log_analytics_solution] | [`azurerm_log_analytics_solution`][azurerm_log_analytics_solution] |
-| Automation Account | [`Microsoft.Automation/automationAccounts`][arm_automation_account] | [`azurerm_automation_account`][azurerm_automation_account] |
-| Log Analytics Linked Service | [`Microsoft.OperationalInsights/workspaces /linkedServices`][arm_log_analytics_linked_service] | [`azurerm_log_analytics_linked_service`][azurerm_log_analytics_linked_service] |
-
-Please refer to the [Deploy Management Resources](./%5BUser-Guide%5D-Deploy-Management-Resources) page on our Wiki for more information about how to use this capability.
+- [Network topology and connectivity][network-topology-and-connectivity]
+  - Create a centralised hub for hybrid connectivity
+  - Secure network using Azure Firewall
+  - Centrally managed DNS zones

 ## Next steps

@ -83,18 +43,18 @@ Check out the [User Guide](./User-Guide), or go straight to our [Examples](./Exa
 [//]: # (INSERT IMAGE REFERENCES BELOW)
 [//]: # (*****************************)

-[TFAES-Overview]: https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/media/terraform-caf-enterprise-scale-overview.png "Diagram showing the Cloud Adoption Framework Enterprise-scale Landing Zone architecture deployed by this module."
-[TFAES-Management]: https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/media/terraform-caf-enterprise-scale-management.png "Diagram showing the Management resources for Cloud Adoption Framework Enterprise-scale Landing Zone architecture deployed by this module."
+[TFAES-Overview]: ./media/terraform-caf-enterprise-scale-overview.png "Diagram showing the Cloud Adoption Framework Enterprise-scale Landing Zone architecture deployed by this module."

 [//]: # (************************)
 [//]: # (INSERT LINK LABELS BELOW)
 [//]: # (************************)

-[ESLZ-Architecture]: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/enterprise-scale/architecture "Enterprise-scale Reference Architecture"
-[terraform-registry-caf-enterprise-scale]: https://registry.terraform.io/modules/Azure/caf-enterprise-scale/azurerm/latest "Terraform Registry: Terraform Module for Cloud Adoption Framework Enterprise-scale"
+[ESLZ-Architecture]:                              https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/enterprise-scale/architecture "Enterprise-scale Reference Architecture"
+[terraform-registry-caf-enterprise-scale]:        https://registry.terraform.io/modules/Azure/caf-enterprise-scale/azurerm/latest "Terraform Registry: Terraform Module for Cloud Adoption Framework Enterprise-scale"
 [management-group-and-subscription-organization]: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/enterprise-scale/management-group-and-subscription-organization "Cloud Adoption Framework: Management group and subscription organization"
-[identity-and-access-management]: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/enterprise-scale/identity-and-access-management "Cloud Adoption Framework: Identity and access management"
-[management-and-monitoring]: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/enterprise-scale/management-and-monitoring "Cloud Adoption Framework: Management and monitoring"
+[identity-and-access-management]:                 https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/enterprise-scale/identity-and-access-management "Cloud Adoption Framework: Identity and access management"
+[management-and-monitoring]:                      https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/enterprise-scale/management-and-monitoring "Cloud Adoption Framework: Management and monitoring"
+[network-topology-and-connectivity]:              https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/enterprise-scale/network-topology-and-connectivity "Cloud Adoption Framework: Network topology and connectivity"

 [arm_management_group]:               https://docs.microsoft.com/en-us/azure/templates/microsoft.management/managementgroups
 [arm_management_group_subscriptions]: https://docs.microsoft.com/en-us/azure/templates/microsoft.management/managementgroups/subscriptions
@ -120,3 +80,8 @@ Check out the [User Guide](./User-Guide), or go straight to our [Examples](./Exa
 [azurerm_log_analytics_solution]:       https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/log_analytics_solution
 [azurerm_automation_account]:           https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/automation_account
 [azurerm_log_analytics_linked_service]: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/log_analytics_linked_service
+
+[wiki_core_resources]:         ./%5BUser-Guide%5D-Core-Resources "Wiki - Core Resources"
+[wiki_management_resources]:   ./%5BUser-Guide%5D-Management-Resources "Wiki - Management Resources"
+[wiki_connectivity_resources]: ./%5BUser-Guide%5D-Connectivity-Resources "Wiki - Connectivity Resources"
+[wiki_identity_resources]:     ./%5BUser-Guide%5D-Identity-Resources "Wiki - Identity Resources"
--- a/docs/wiki/User-Guide.md
+++ b/docs/wiki/User-Guide.md
@ -1,43 +1,77 @@
 ## Table of Contents

- [Getting Started][Getting Started]
- [Module Variables][Module Variables]
-  - [root_parent_id][root_parent_id]
-  - [archetype_config_overrides][archetype_config_overrides]
-  - [custom_landing_zones][custom_landing_zones]
-  - [default_location][default_location]
-  - [deploy_core_landing_zones][deploy_core_landing_zones]
-  - [deploy_demo_landing_zones][deploy_demo_landing_zones]
-  - [library_path][library_path]
-  - [root_id][root_id]
-  - [root_name][root_name]
-  - [subscription_id_overrides][subscription_id_overrides]
-  - [template_file_variables][template_file_variables]
-  - [create_duration_delay][template_file_variables]
-  - [destroy_duration_delay][template_file_variables]
- [Archetype Definitions][Archetype Definitions]
- [Upgrade from v0.0.8 to v0.1.0][Upgrade from v0.0.8 to v0.1.0]
-
+- [Getting Started][wiki_getting_started]
+- [Core Resources][wiki_module_variables]
+- [Module Variables][wiki_module_variables]
+  - [root_parent_id][wiki_module_variables_root_parent_id]
+  - [archetype_config_overrides][wiki_module_variables_archetype_config_overrides]
+  - [configure_connectivity_resources][wiki_module_variables_configure_connectivity_resources]
+  - [configure_identity_resources][wiki_module_variables_configure_identity_resources]
+  - [configure_management_resources][wiki_module_variables_configure_management_resources]
+  - [create_duration_delay][wiki_module_variables_create_duration_delay]
+  - [custom_landing_zones][wiki_module_variables_custom_landing_zones]
+  - [custom_policy_roles][wiki_module_variables_custom_policy_roles]
+  - [default_location][wiki_module_variables_default_location]
+  - [default_tags][wiki_module_variables_default_tags]
+  - [deploy_core_landing_zones][wiki_module_variables_deploy_core_landing_zones]
+  - [deploy_demo_landing_zones][wiki_module_variables_deploy_demo_landing_zones]
+  - [deploy_connectivity_resources][wiki_module_variables_deploy_connectivity_resources]
+  - [deploy_identity_resources][wiki_module_variables_deploy_identity_resources]
+  - [deploy_management_resources][wiki_module_variables_deploy_management_resources]
+  - [destroy_duration_delay][wiki_module_variables_template_file_variables]
+  - [library_path][wiki_module_variables_library_path]
+  - [root_id][wiki_module_variables_root_id]
+  - [root_name][wiki_module_variables_root_name]
+  - [subscription_id_connectivity][wiki_module_variables_subscription_id_connectivity]
+  - [subscription_id_identity][wiki_module_variables_subscription_id_identity]
+  - [subscription_id_management][wiki_module_variables_subscription_id_management]
+  - [subscription_id_overrides][wiki_module_variables_subscription_id_overrides]
+  - [template_file_variables][wiki_module_variables_template_file_variables]
+- [Archetype Definitions][wiki_archetype_definitions]
+- [Core Resources][wiki_core_resources]
+- [Management Resources][wiki_management_resources]
+- [Connectivity Resources][wiki_connectivity_resources]
+- [Identity Resources][wiki_identity_resources]
+- [Upgrade from v0.0.8 to v0.1.0][wiki_upgrade_from_v0_0_8_to_v0_1_0]
+- [Upgrade from v0.1.2 to v0.2.0][wiki_upgrade_from_v0_1_2_to_v0_2_0]
+- [Upgrade from v0.3.3 to v0.4.0][wiki_upgrade_from_v0_3_3_to_v0_4_0]

 [//]: # (************************)
 [//]: # (INSERT LINK LABELS BELOW)
 [//]: # (************************)

-[Getting Started]: ./%5BUser-Guide%5D-Getting-Started "Getting Started"
-[Module Variables]: ./%5BUser-Guide%5D-Module-Variables "Module Variables"
-[Archetype Definitions]: ./%5BUser-Guide%5D-Archetype-Definitions "Archetype Definitions"
-[Upgrade from v0.0.8 to v0.1.0]: ./%5BUser-Guide%5D-Upgrade-from-v0.0.8-to-v0.1.0.md "Upgrade from v0.0.8 to v0.1.0"
+[wiki_getting_started]:               ./%5BUser-Guide%5D-Getting-Started "Getting Started"
+[wiki_module_variables]:              ./%5BUser-Guide%5D-Module-Variables "Module Variables"
+[wiki_archetype_definitions]:         ./%5BUser-Guide%5D-Archetype-Definitions "Archetype Definitions"
+[wiki_core_resources]:                ./%5BUser-Guide%5D-Core-Resources "Wiki - Core Resources"
+[wiki_management_resources]:          ./%5BUser-Guide%5D-Management-Resources "Wiki - Management Resources"
+[wiki_connectivity_resources]:        ./%5BUser-Guide%5D-Connectivity-Resources "Wiki - Connectivity Resources"
+[wiki_identity_resources]:            ./%5BUser-Guide%5D-Identity-Resources "Wiki - Identity Resources"
+[wiki_upgrade_from_v0_0_8_to_v0_1_0]: ./%5BUser-Guide%5D-Upgrade-from-v0.0.8-to-v0.1.0 "Upgrade from v0.0.8 to v0.1.0"
+[wiki_upgrade_from_v0_1_2_to_v0_2_0]: ./%5BUser-Guide%5D-Upgrade-from-v0.1.2-to-v0.2.0 "Upgrade from v0.1.2 to v0.2.0"
+[wiki_upgrade_from_v0_3_3_to_v0_4_0]: ./%5BUser-Guide%5D-Upgrade-from-v0.3.3-to-v0.4.0 "Upgrade from v0.3.3 to v0.4.0"

-[root_parent_id]: ./%5BVariables%5D-root_parent_id "Instructions for how to use the root_parent_id variable."
-[root_id]: ./%5BVariables%5D-root_id "Instructions for how to use the root_id variable."
-[root_name]: ./%5BVariables%5D-root_name "Instructions for how to use the root_name variable."
-[deploy_core_landing_zones]: ./%5BVariables%5D-deploy_core_landing_zones "Instructions for how to use the deploy_core_landing_zones variable."
-[archetype_config_overrides]: ./%5BVariables%5D-archetype_config_overrides "Instructions for how to use the archetype_config_overrides variable."
-[subscription_id_overrides]: ./%5BVariables%5D-subscription_id_overrides "Instructions for how to use the subscription_id_overrides variable."
-[deploy_demo_landing_zones]: ./%5BVariables%5D-deploy_demo_landing_zones "Instructions for how to use the deploy_demo_landing_zones variable."
-[custom_landing_zones]: ./%5BVariables%5D-custom_landing_zones "Instructions for how to use the custom_landing_zones variable."
-[library_path]: ./%5BVariables%5D-library_path "Instructions for how to use the library_path variable."
-[template_file_variables]: ./%5BVariables%5D-template_file_variables "Instructions for how to use the template_file_variables variable."
-[default_location]: ./%5BVariables%5D-default_location "Instructions for how to use the default_location variable."
-[create_duration_delay]: ./%5BVariables%5D-create_duration_delay "Instructions for how to use the create_duration_delay variable."
-[destroy_duration_delay]: ./%5BVariables%5D-destroy_duration_delay "Instructions for how to use the destroy_duration_delay variable."
+[wiki_module_variables_root_parent_id]:                   ./%5BVariables%5D-root_parent_id "Instructions for how to use the root_parent_id variable."
+[wiki_module_variables_archetype_config_overrides]:       ./%5BVariables%5D-archetype_config_overrides "Instructions for how to use the archetype_config_overrides variable."
+[wiki_module_variables_configure_connectivity_resources]: ./%5BVariables%5D-configure_connectivity_resources "Instructions for how to use the configure_connectivity_resources variable."
+[wiki_module_variables_configure_identity_resources]:     ./%5BVariables%5D-configure_identity_resources "Instructions for how to use the configure_identity_resources variable."
+[wiki_module_variables_configure_management_resources]:   ./%5BVariables%5D-configure_management_resources "Instructions for how to use the configure_management_resources variable."
+[wiki_module_variables_create_duration_delay]:            ./%5BVariables%5D-create_duration_delay "Instructions for how to use the create_duration_delay variable."
+[wiki_module_variables_custom_landing_zones]:             ./%5BVariables%5D-custom_landing_zones "Instructions for how to use the custom_landing_zones variable."
+[wiki_module_variables_custom_policy_roles]:              ./%5BVariables%5D-custom_policy_roles "Instructions for how to use the custom_policy_roles variable."
+[wiki_module_variables_default_location]:                 ./%5BVariables%5D-default_location "Instructions for how to use the default_location variable."
+[wiki_module_variables_default_tags]:                     ./%5BVariables%5D-default_tags "Instructions for how to use the default_tags variable."
+[wiki_module_variables_deploy_core_landing_zones]:        ./%5BVariables%5D-deploy_core_landing_zones "Instructions for how to use the deploy_core_landing_zones variable."
+[wiki_module_variables_deploy_demo_landing_zones]:        ./%5BVariables%5D-deploy_demo_landing_zones "Instructions for how to use the deploy_demo_landing_zones variable."
+[wiki_module_variables_deploy_connectivity_resources]:    ./%5BVariables%5D-deploy_connectivity_resources "Instructions for how to use the deploy_connectivity_resources variable."
+[wiki_module_variables_deploy_identity_resources]:        ./%5BVariables%5D-deploy_identity_resources "Instructions for how to use the deploy_identity_resources variable."
+[wiki_module_variables_deploy_management_resources]:      ./%5BVariables%5D-deploy_management_resources "Instructions for how to use the deploy_management_resources variable."
+[wiki_module_variables_destroy_duration_delay]:           ./%5BVariables%5D-destroy_duration_delay "Instructions for how to use the destroy_duration_delay variable."
+[wiki_module_variables_library_path]:                     ./%5BVariables%5D-library_path "Instructions for how to use the library_path variable."
+[wiki_module_variables_root_id]:                          ./%5BVariables%5D-root_id "Instructions for how to use the root_id variable."
+[wiki_module_variables_root_name]:                        ./%5BVariables%5D-root_name "Instructions for how to use the root_name variable."
+[wiki_module_variables_subscription_id_connectivity]:     ./%5BVariables%5D-subscription_id_connectivity "Instructions for how to use the subscription_id_connectivity variable."
+[wiki_module_variables_subscription_id_identity]:         ./%5BVariables%5D-subscription_id_identity "Instructions for how to use the subscription_id_identity variable."
+[wiki_module_variables_subscription_id_management]:       ./%5BVariables%5D-subscription_id_management "Instructions for how to use the subscription_id_management variable."
+[wiki_module_variables_subscription_id_overrides]:        ./%5BVariables%5D-subscription_id_overrides "Instructions for how to use the subscription_id_overrides variable."
+[wiki_module_variables_template_file_variables]:          ./%5BVariables%5D-template_file_variables "Instructions for how to use the template_file_variables variable."
--- a/docs/wiki/[Examples]-Deploy-Connectivity-Resources.md
+++ b/docs/wiki/[Examples]-Deploy-Connectivity-Resources.md
@ -0,0 +1 @@
+_coming soon_
--- a/docs/wiki/[Examples]-Deploy-Custom-Landing-Zone-Archetypes.md
+++ b/docs/wiki/[Examples]-Deploy-Custom-Landing-Zone-Archetypes.md
@ -6,17 +6,17 @@ In this example, we take a default configuration and make the following changes:

 - Create a new custom archetype definition named `customer_online` which will create two Policy Assignments, `Deny-Resource-Locations` and `Deny-RSG-Locations` at the associated scope with a set of pre-configured default parameter values.
 - Add a new Management Group for standard workloads using the `customer_online` archetype definition:
-  - Management Group ID: `myorg-3-online-example-1`
-  - Management Group Name: `MYORG-3 Online Example 1`
-  - Parent Management Group ID: `myorg-3-landing-zones`
+  - Management Group ID: `myorg-online-example-1`
+  - Management Group Name: `MYORG Online Example 1`
+  - Parent Management Group ID: `myorg-landing-zones`
  - Allowed location list: _default_
 - Add a new Management Group for geo-restricted workloads using the `customer_online` archetype definition:
-  - Management Group ID: `myorg-3-online-example-2`
-  - Management Group Name: `MYORG-3 Online Example 2`
-  - Parent Management Group ID: `myorg-3-landing-zones`
+  - Management Group ID: `myorg-online-example-2`
+  - Management Group Name: `MYORG Online Example 2`
+  - Parent Management Group ID: `myorg-landing-zones`
  - Allowed location list: `["eastus"]`

-> IMPORTANT: Ensure the module version is set to the latest
+> IMPORTANT: Ensure the module version is set to the latest, and don't forget to run `terraform init` if upgrading to a later version of the module.

 ![GitHub release (latest SemVer)](https://img.shields.io/github/v/release/Azure/terraform-azurerm-caf-enterprise-scale?style=flat-square)

@ -43,7 +43,7 @@ terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
-      version = ">= 2.46.1"
+      version = ">= 2.66.0"
    }
  }
 }
@ -62,12 +62,12 @@ The `variables.tf` file is used to declare a couple of example variables which a

 variable "root_id" {
  type    = string
-  default = "myorg-3"
+  default = "myorg"
 }

 variable "root_name" {
  type    = string
-  default = "My Organization 3"
+  default = "My Organization"
 }
 ```

@ -87,16 +87,22 @@ To allow the declaration of custom templates, you must create a custom library f
 # current Tenant ID used as the ID for the "Tenant Root Group"
 # Management Group.

-data "azurerm_client_config" "current" {}
+data "azurerm_client_config" "core" {}

 # Declare the Terraform Module for Cloud Adoption Framework
 # Enterprise-scale and provide a base configuration.

 module "enterprise_scale" {
  source  = "Azure/caf-enterprise-scale/azurerm"
-  version = "0.3.3"
+  version = "0.4.0"

-  root_parent_id = data.azurerm_client_config.current.tenant_id
+  providers = {
+    azurerm              = azurerm
+    azurerm.connectivity = azurerm
+    azurerm.management   = azurerm
+  }
+
+  root_parent_id = data.azurerm_client_config.core.tenant_id
  root_id        = var.root_id
  root_name      = var.root_name
  library_path   = "${path.root}/lib"
@ -184,4 +190,26 @@ For more details about working with archetype definitions, please refer to the [

 You have successfully created the default Management Group resource hierarchy including additional Management Groups for demonstrating custom Landing Zone archetypes, along with the recommended Azure Policy and Access control (IAM) settings for Enterprise-scale.

-> TIP: The exact number of resources created depends on the module configuration, but you can expect upwards of 140 resources to be created by this module for a default installation.
+> TIP: The exact number of resources created depends on the module configuration, but you can expect upwards of 200 resources to be created by this module for a default installation.
+
+## Next steps
+
+Looking for further inspiration? Why not try some of our more advanced examples?
+
+- [Deploy management resources][wiki_deploy_management_resources]
+- [Deploy connectivity resources][wiki_deploy_connectivity_resources]
+- [Deploy identity resources][wiki_deploy_identity_resources]
+- [Expand the built-in archetype definitions][wiki_expand_built_in_archetype_definitions]
+- [Override Role Assignments for Policies with Managed Identity][wiki_override_module_role_assignments]
+- [Use module nesting to break up your deployment][wiki_deploy_using_module_nesting]
+
+[//]: # "************************"
+[//]: # "INSERT LINK LABELS BELOW"
+[//]: # "************************"
+
+[wiki_deploy_management_resources]:           ./%5BExamples%5D-Deploy-Management-Resources "Wiki - Deploy Management Resources"
+[wiki_deploy_connectivity_resources]:         ./%5BExamples%5D-Deploy-Connectivity-Resources "Wiki - Deploy Connectivity Resources"
+[wiki_deploy_identity_resources]:             ./%5BExamples%5D-Deploy-Identity-Resources "Wiki - Deploy Identity Resources"
+[wiki_deploy_using_module_nesting]:           ./%5BExamples%5D-Deploy-Using-Module-Nesting "Wiki - Deploy Using Module Nesting"
+[wiki_expand_built_in_archetype_definitions]: ./%5BExamples%5D-Expand-Built-in-Archetype-Definitions "Wiki - Expand Built-in Archetype Definitions"
+[wiki_override_module_role_assignments]:      ./%5BExamples%5D-Override-Module-Role-Assignments "Wiki - Override Module Role Assignments"
--- a/docs/wiki/[Examples]-Deploy-Custom-Management-Landing-Zone.md
+++ b/docs/wiki/[Examples]-Deploy-Custom-Management-Landing-Zone.md
@ -0,0 +1,130 @@
+## Overview
+
+This page describes how to deploy Enterprise-scale management resources custom configuration, including guidance on how to apply Log Analytics and Azure Security Center preferences.
+In this example, we take a default configuration and make the following code changes:
+
+### Enable and configure management resources (Level 200)
+- Set and enable the `configure_management_resources`  variable
+- Add parameters for enabling/disabling management resources
+- Add parameters to set location and resource tags
+- Create custom configurations for Log Analytics and ASC
+
+
+The module allows for further configuration of log analytics and azure security center by setting the `configure_management_resources` variable.
+This configuration requires three mandatory variables:
+     location: where the resource group will be deployed
+     advanced:  [tbd]
+     tags: add any specific tag that the resources permit
+
+For this configuration you must pass in both log analytics and security center. If you want to disable
+either or both of these resources, set the enabled flag to *false*.
+
+```hcl
+    settings = {
+      log_analytics = {
+        enabled = false
+     }
+```
+If you've already deployed management resources, this will allow you to enable or disable specific parameters.
+Every parameter set to true will create new principal id's that will force replacement in place of the existing
+roles and policies to reassign them to the log analytics and sentinel resources specified. Likewise, if set to false, existing configurations will be removed.  
+
+If location is not specified, the resources will default to *eastus*
+```hcl
+terraform {
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = ">= 2.66.0"
+    }
+  }
+}
+
+provider "azurerm" {
+  features {}
+}
+
+    #Pull current Tenant ID from connection settings and store to data source
+    
+    data "azurerm_client_config" core {}
+
+    module "enterprise_scale" {
+      source = "Azure/caf-enterprise-scale/azurerm"
+      version = "0.4.0"
+
+    root_parent_id = data.azurerm_client_config.current.tenant_id
+    root_id = "var.root_id" 
+    root_name = "var.root_name"
+    deploy_management_resources = "true"
+    subscription_id_management = [] 
+    configure_management_resources = {
+        settings = {
+      log_analytics = {
+        enabled = true
+        config = {
+          retention_in_days                           = 30
+          enable_monitoring_for_arc                   = true
+          enable_monitoring_for_vm                    = true
+          enable_monitoring_for_vmss                  = true
+          enable_solution_for_agent_health_assessment = true
+          enable_solution_for_anti_malware            = false
+          enable_solution_for_azure_activity          = true
+          enable_solution_for_change_tracking         = true
+          enable_solution_for_service_map             = false
+          enable_solution_for_sql_assessment          = true
+          enable_solution_for_updates                 = true
+          enable_solution_for_vm_insights             = true
+          enable_sentinel                             = true
+        }
+      }
+      security_center = {
+        enabled = true
+        config = {
+          email_security_contact             = "email@replace_me.com"
+          enable_defender_for_acr            = true
+          enable_defender_for_app_services   = true
+          enable_defender_for_arm            = true
+          enable_defender_for_dns            = true
+          enable_defender_for_key_vault      = true
+          enable_defender_for_kubernetes     = false
+          enable_defender_for_servers        = true
+          enable_defender_for_sql_servers    = true
+          enable_defender_for_sql_server_vms = true
+          enable_defender_for_storage        = true
+        }
+      }
+        }
+    location = "eastus"
+      advanced = null
+      tags     = null
+      }
+    }
+```
+You should now have a deployment as seen below
+
+![Deploy-Default-Configuration](./media/examples-deploy-management-resources.png)
+
+IMPORTANT: Log Analytics and Security Center policies must enabled in order to deploy
+
+If you are using an `archetype_exclusion_root.json` in your code, make sure to  not disable Log Analytics or Security Center policies when using this module. ASC and Log Analytics will fail to deploy if the required policies are not in place. Here is an example of an exclusion that will not deploy Log Analytics or Security Center:
+
+```json
+{
+  "exclude_es_root": {
+    "policy_assignments": [
+      "Deploy-ASC-Monitoring",
+      "Deploy-ASC-Defender",
+      "Deploy-Log-Analytics"
+    ],
+    "policy_definitions": [],
+    "policy_set_definitions": [],
+    "role_definitions": [],
+    "archetype_config": {
+      "parameters": {},
+      "access_control": {}
+    }
+  }
+}
+```
+
+The module will see that it's not allowed to assign the required policies and will **not** create the resources. This follows the Enterprise Scale principle of governance by default ensuring that deploy if not exist create the resources and their required dependencies automatically.
--- a/docs/wiki/[Examples]-Deploy-Default-Configuration.md
+++ b/docs/wiki/[Examples]-Deploy-Default-Configuration.md
@ -5,7 +5,7 @@ You can then start to customize your deployment once you've got this up and runn

 This is a good starting point when first discovering what resources are created by this module.

-> IMPORTANT: Ensure the module version is set to the latest
+> IMPORTANT: Ensure the module version is set to the latest, and don't forget to run `terraform init` if upgrading to a later version of the module.

 ![GitHub release (latest SemVer)](https://img.shields.io/github/v/release/Azure/terraform-azurerm-caf-enterprise-scale?style=flat-square)

@ -25,7 +25,7 @@ terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
-      version = ">= 2.46.1"
+      version = ">= 2.66.0"
    }
  }
 }
@ -37,18 +37,24 @@ provider "azurerm" {
 # You can use the azurerm_client_config data resource to dynamically
 # extract the current Tenant ID from your connection settings.

-data "azurerm_client_config" "current" {}
+data "azurerm_client_config" "core" {}

 # Call the caf-enterprise-scale module directly from the Terraform Registry
 # pinning to the latest version

 module "enterprise_scale" {
  source  = "Azure/caf-enterprise-scale/azurerm"
-  version = "0.3.3"
+  version = "0.4.0"

-  root_parent_id = data.azurerm_client_config.current.tenant_id
-  root_id        = "myorg-1"
-  root_name      = "My Organization 1"
+  providers = {
+    azurerm              = azurerm
+    azurerm.connectivity = azurerm
+    azurerm.management   = azurerm
+  }
+
+  root_parent_id = data.azurerm_client_config.core.tenant_id
+  root_id        = "myorg"
+  root_name      = "My Organization"

 }
 ```
@ -59,4 +65,8 @@ module "enterprise_scale" {

 You have successfully created the default Management Group resource hierarchy, along with the recommended Azure Policy and Access control (IAM) settings for Enterprise-scale.

-> TIP: The exact number of resources created depends on the module configuration, but you can expect upwards of 140 resources to be created by this module for a default installation.
+> TIP: The exact number of resources created depends on the module configuration, but you can expect upwards of 200 resources to be created by this module for a default installation.
+
+## Next steps
+
+Go to our next example to learn how to deploy the [demo landing zone archetypes](./%5BExamples%5D-Deploy-Demo-Landing-Zone-Archetypes).
--- a/docs/wiki/[Examples]-Deploy-Demo-Landing-Zone-Archetypes.md
+++ b/docs/wiki/[Examples]-Deploy-Demo-Landing-Zone-Archetypes.md
@ -8,7 +8,7 @@ This page describes how to deploy Enterprise-scale with a starter configuration

 These demo Landing Zone archetypes provides a good way to learn about archetypes within the Enterprise-scale architecture but should not be used for production workloads.

-> IMPORTANT: Ensure the module version is set to the latest
+> IMPORTANT: Ensure the module version is set to the latest, and don't forget to run `terraform init` if upgrading to a later version of the module.

 ![GitHub release (latest SemVer)](https://img.shields.io/github/v/release/Azure/terraform-azurerm-caf-enterprise-scale?style=flat-square)

@ -32,7 +32,7 @@ terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
-      version = ">= 2.46.1"
+      version = ">= 2.66.0"
    }
  }
 }
@ -44,18 +44,24 @@ provider "azurerm" {
 # You can use the azurerm_client_config data resource to dynamically
 # extract the current Tenant ID from your connection settings.

-data "azurerm_client_config" "current" {}
+data "azurerm_client_config" "core" {}

 # Declare the Terraform Module for Cloud Adoption Framework
 # Enterprise-scale and provide a base configuration.

 module "enterprise_scale" {
  source  = "Azure/caf-enterprise-scale/azurerm"
-  version = "0.3.3"
+  version = "0.4.0"

-  root_parent_id = data.azurerm_client_config.current.tenant_id
-  root_id        = "myorg-2"
-  root_name      = "My Organization 2"
+  providers = {
+    azurerm              = azurerm
+    azurerm.connectivity = azurerm
+    azurerm.management   = azurerm
+  }
+
+  root_parent_id = data.azurerm_client_config.core.tenant_id
+  root_id        = "myorg"
+  root_name      = "My Organization"

  deploy_demo_landing_zones = true

@ -68,4 +74,8 @@ module "enterprise_scale" {

 You have successfully created the default Management Group resource hierarchy including additional Management Groups for demonstrating Landing Zone archetypes, along with the recommended Azure Policy and Access control (IAM) settings for Enterprise-scale.

-> TIP: The exact number of resources created depends on the module configuration, but you can expect upwards of 140 resources to be created by this module for a default installation.
+> TIP: The exact number of resources created depends on the module configuration, but you can expect upwards of 200 resources to be created by this module for a default installation.
+
+## Next steps
+
+Go to our next example to learn how to create your own [custom landing zone archetypes](./%5BExamples%5D-Deploy-Custom-Landing-Zone-Archetypes).
--- a/docs/wiki/[Examples]-Deploy-Identity-Resources.md
+++ b/docs/wiki/[Examples]-Deploy-Identity-Resources.md
@ -0,0 +1 @@
+_coming soon_
--- a/docs/wiki/[Examples]-Deploy-Management-Resources.md
+++ b/docs/wiki/[Examples]-Deploy-Management-Resources.md
@ -0,0 +1,94 @@
+## Overview
+
+This page describes how to deploy Enterprise-scale with the [Management resources][] created in the current Subscription context and using the default configuration settings.
+
+In this example, we take a default configuration and make the following changes:
+
+- Enable  `deploy_management_resources` which enable the creation of all Management resources. This includes:
+  - Resource Group to contain all Management resources.
+  - Log Analytics workspace to use for centralised logging.
+  - Automation Account to enable additional capabilities as part of the included Solutions for Azure Monitor.
+  - Recommended Solutions for Azure Monitor.
+- Set the `subscription_id_management` value to ensure policies are updated with the correct values.
+
+The module updates the `parameters` and `enforcement_mode` for a number of Policy Assignments, to enable features within Log Analytics and Sentinel including but not limited to:
+- Enable monitoring for devices managed through Azure Arc;
+- Enable monitoring for VMs;
+- Enable monitoring for VMSS;
+- Enable Azure Defender for various supported services;
+- much more...
+
+> IMPORTANT: Ensure the module version is set to the latest, and don't forget to run `terraform init` if upgrading to a later version of the module.
+
+![GitHub release (latest SemVer)](https://img.shields.io/github/v/release/Azure/terraform-azurerm-caf-enterprise-scale?style=flat-square)
+
+## Example root module
+
+To create the Management resources, `deploy_managagement_resources` must be set to `true`, and the `subscription_id_management` is also required.
+
+To keep this example simple, the root module for this example is based on a single file:
+
+**`main.tf`**
+
+```hcl
+# We strongly recommend using the required_providers block to set the
+# Azure Provider source and version being used.
+
+terraform {
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = ">= 2.66.0"
+    }
+  }
+}
+
+provider "azurerm" {
+  features {}
+}
+
+# You can use the azurerm_client_config data resource to dynamically
+# extract the current Tenant ID from your connection settings.
+
+data "azurerm_client_config" "core" {}
+
+# Call the caf-enterprise-scale module directly from the Terraform Registry
+# pinning to the latest version
+
+module "enterprise_scale" {
+  source  = "Azure/caf-enterprise-scale/azurerm"
+  version = "0.4.0"
+
+  providers = {
+    azurerm              = azurerm
+    azurerm.connectivity = azurerm
+    azurerm.management   = azurerm
+  }
+
+  root_parent_id = data.azurerm_client_config.core.tenant_id
+  root_id        = "myorg"
+  root_name      = "My Organization"
+
+  deploy_management_resources    = true
+  subscription_id_management     = data.azurerm_client_config.core.subscription_id
+
+}
+```
+
+## **Deployed Management Groups**
+
+![Deploy-Default-Configuration](./media/examples-deploy-default-configuration.png)
+
+You have successfully created the default Management Group resource hierarchy, along with the recommended Azure Policy and Access control (IAM) settings for Enterprise-scale.
+
+> TIP: The exact number of resources created depends on the module configuration, but you can expect upwards of 200 resources to be created by this module for a default installation.
+
+## **Deployed Management resources**
+
+*\<image coming soon\>*
+
+You have also successfully created the default set of Management resources in your current Subscription context.
+
+## Next steps
+
+Go to our next example to learn how to deploy the [Management resources with custom settings](./%5BExamples%5D-Deploy-Custom-Management-Resources).
--- a/docs/wiki/[Examples]-Deploy-Using-Module-Nesting.md
+++ b/docs/wiki/[Examples]-Deploy-Using-Module-Nesting.md
@ -12,7 +12,13 @@ The extra code needed to extend your configuration, is the following:

 module "enterprise_scale_nested_landing_zone" {
  source  = "Azure/caf-enterprise-scale/azurerm"
-  version = "0.3.3"
+  version = "0.4.0"
+
+  providers = {
+    azurerm              = azurerm
+    azurerm.connectivity = azurerm
+    azurerm.management   = azurerm
+  }


  root_parent_id            = "${var.root_id}-landing-zones"
@ -50,7 +56,7 @@ In this example, we set and update the following values:

 Check the **`main.tf`** later on the example, for the full modules declaration.

-> IMPORTANT: Ensure the module version is set to the latest
+> IMPORTANT: Ensure the module version is set to the latest, and don't forget to run `terraform init` if upgrading to a later version of the module.

 ![GitHub release (latest SemVer)](https://img.shields.io/github/v/release/Azure/terraform-azurerm-caf-enterprise-scale?style=flat-square)

@ -77,7 +83,7 @@ terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
-      version = ">= 2.46.1"
+      version = ">= 2.66.0"
    }
  }
 }
@ -96,12 +102,12 @@ The `variables.tf` file is used to declare a couple of example variables which a

 variable "root_id" {
  type    = string
-  default = "myorg-3"
+  default = "myorg"
 }

 variable "root_name" {
  type    = string
-  default = "My Organization 3"
+  default = "My Organization"
 }
 ```

@ -121,16 +127,22 @@ To allow the declaration of custom templates, you must create a custom library f
 # current Tenant ID used as the ID for the "Tenant Root Group"
 # Management Group.

-data "azurerm_client_config" "current" {}
+data "azurerm_client_config" "core" {}

 # Declare the Terraform Module for Cloud Adoption Framework
 # Enterprise-scale and provide a base configuration.

 module "enterprise_scale" {
  source  = "Azure/caf-enterprise-scale/azurerm"
-  version = "0.3.3"
+  version = "0.4.0"

-  root_parent_id = data.azurerm_client_config.current.tenant_id
+  providers = {
+    azurerm              = azurerm
+    azurerm.connectivity = azurerm
+    azurerm.management   = azurerm
+  }
+
+  root_parent_id = data.azurerm_client_config.core.tenant_id
  root_id        = var.root_id
  root_name      = var.root_name
  library_path   = "${path.root}/lib"
@ -171,7 +183,13 @@ module "enterprise_scale" {

 module "enterprise_scale_nested_landing_zone" {
  source  = "Azure/caf-enterprise-scale/azurerm"
-  version = "0.3.3"
+  version = "0.4.0"
+
+  providers = {
+    azurerm              = azurerm
+    azurerm.connectivity = azurerm
+    azurerm.management   = azurerm
+  }


  root_parent_id            = "${var.root_id}-landing-zones"
@ -249,4 +267,4 @@ For more details about working with archetype definitions, please refer to the [

 You have successfully created the default Management Group resource hierarchy including additional Management Groups for demonstrating custom Landing Zone archetypes, along with the recommended Azure Policy and Access control (IAM) settings for Enterprise-scale, using module nesting.

-> TIP: The exact number of resources created depends on the module configuration, but you can expect upwards of 140 resources to be created by this module for a default installation.
+> TIP: The exact number of resources created depends on the module configuration, but you can expect upwards of 200 resources to be created by this module for a default installation.
--- a/docs/wiki/[Examples]-Expand-built-in-archetype-definitions.md
+++ b/docs/wiki/[Examples]-Expand-built-in-archetype-definitions.md
@ -41,7 +41,7 @@ We will update the built-in configuration by adding 2 new settings:

 - Create an exclusion `exclude_es_landing_zones` which will **remove** a set of Policy Assignments `Deny-Priv-Escalation-AKS`, `Deny-Priv-Containers-AKS` and `Deny-http-Ingress-AKS`.

-> IMPORTANT: Ensure the module version is set to the latest.
+> IMPORTANT: Ensure the module version is set to the latest, and don't forget to run `terraform init` if upgrading to a later version of the module..

 ![GitHub release (latest SemVer)](https://img.shields.io/github/v/release/Azure/terraform-azurerm-caf-enterprise-scale?style=flat-square)

@ -73,7 +73,7 @@ terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
-      version = ">= 2.46.1"
+      version = ">= 2.66.0"
    }
  }
 }
@ -85,18 +85,24 @@ provider "azurerm" {
 # You can use the azurerm_client_config data resource to dynamically
 # extract the current Tenant ID from your connection settings.

-data "azurerm_client_config" "current" {}
+data "azurerm_client_config" "core" {}

 # Call the caf-enterprise-scale module directly from the Terraform Registry
 # pinning to the latest version

 module "enterprise_scale" {
  source  = "Azure/caf-enterprise-scale/azurerm"
-  version = "0.3.3"
+  version = "0.4.0"

-  root_parent_id = data.azurerm_client_config.current.tenant_id
-  root_id        = "myorg-1"
-  root_name      = "My Organization 1"
+  providers = {
+    azurerm              = azurerm
+    azurerm.connectivity = azurerm
+    azurerm.management   = azurerm
+  }
+
+  root_parent_id = data.azurerm_client_config.core.tenant_id
+  root_id        = "myorg"
+  root_name      = "My Organization"
  library_path   = "${path.root}/lib"

 }
@ -183,4 +189,4 @@ In this example, we want to remove the policy assignments `"Deny-Priv-Escalation

 You have successfully expanded the archetype(s) by adding or removing configuration settings from the built-in archetype definitions for Enterprise-scale.

-> TIP: The exact number of resources created depends on the module configuration, but you can expect upwards of 140 resources to be created by this module for a default installation.
+> TIP: The exact number of resources created depends on the module configuration, but you can expect upwards of 200 resources to be created by this module for a default installation.
--- a/docs/wiki/[Examples]-Override-Module-Role-Assignments.md
+++ b/docs/wiki/[Examples]-Override-Module-Role-Assignments.md
@ -24,7 +24,7 @@ We will update the built-in configuration following these steps:

 - Enable the role assignment override with `custom_policy_roles`

-> IMPORTANT: Ensure the module version is set to the latest.
+> IMPORTANT: Ensure the module version is set to the latest, and don't forget to run `terraform init` if upgrading to a later version of the module..

 ![GitHub release (latest SemVer)](https://img.shields.io/github/v/release/Azure/terraform-azurerm-caf-enterprise-scale?style=flat-square)

@ -51,7 +51,7 @@ terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
-      version = ">= 2.46.1"
+      version = ">= 2.66.0"
    }
  }
 }
@ -70,12 +70,12 @@ The `variables.tf` file is used to declare a couple of example variables which a

 variable "root_id" {
  type    = string
-  default = "myorg-3"
+  default = "myorg"
 }

 variable "root_name" {
  type    = string
-  default = "My Organization 3"
+  default = "My Organization"
 }
 ```

@ -95,16 +95,22 @@ To allow the declaration of custom templates, you must create a custom library f
 # current Tenant ID used as the ID for the "Tenant Root Group"
 # Management Group.

-data "azurerm_client_config" "current" {}
+data "azurerm_client_config" "core" {}

 # Declare the Terraform Module for Cloud Adoption Framework
 # Enterprise-scale and provide a base configuration.

 module "enterprise_scale" {
  source  = "Azure/caf-enterprise-scale/azurerm"
-  version = "0.2.2"
+  version = "0.4.0"

-  root_parent_id = data.azurerm_client_config.current.tenant_id
+  providers = {
+    azurerm              = azurerm
+    azurerm.connectivity = azurerm
+    azurerm.management   = azurerm
+  }
+
+  root_parent_id = data.azurerm_client_config.core.tenant_id
  root_id        = var.root_id
  root_name      = var.root_name
  library_path   = "${path.root}/lib"
--- a/docs/wiki/[User-Guide]-Connectivity-Resources.md
+++ b/docs/wiki/[User-Guide]-Connectivity-Resources.md
@ -0,0 +1,64 @@
+## Overview
+
+From release `v0.4.0` onwards, the module includes new functionality to enable deployment of [Network topology and connectivity][ESLZ-Connectivity] resources into the current Subscription context.
+This is currently limited to the Hub & Spoke network topology, but the addition of Virtual WAN capabilities is on our roadmap (date TBC).
+
+![Enterprise-scale Connectivity Landing Zone Architecture][TFAES-Connectivity]
+
+> **NOTE:** The module currently only configures the networking hub, and dependent resources for the `Connectivity` Subscription.
+> To ensure we achieve the right balance of managing resources via Terraform vs. Azure Policy, we are still working on how best to handle the creation of spoke Virtual Networks and Virtual Network Peering.
+> Improving this story is our next priority on the product roadmap.
+
+## Resource types
+
+The following resource types are deployed and managed by this module when the Connectivity resources capabilities are enabled:
+
+|     | Azure Resource | Terraform Resource |
+| --- | -------------- | ------------------ |
+| Resource Groups | [`Microsoft.Resources/resourceGroups`][arm_resource_group] | [`azurerm_resource_group`][azurerm_resource_group] |
+| Virtual Networks | [`Microsoft.Network/virtualNetworks`][arm_virtual_network] | [`azurerm_virtual_network`][azurerm_virtual_network] |
+| Subnets | [`Microsoft.Network/virtualNetworks/subnets`][arm_subnet] | [`azurerm_subnet`][azurerm_subnet] |
+| Virtual Network Gateways | [`Microsoft.Network/virtualNetworkGateways`][arm_virtual_network_gateway] | [`azurerm_virtual_network_gateway`][azurerm_virtual_network_gateway] |
+| Azure Firewalls | [`Microsoft.Network/azureFirewalls`][arm_firewall] | [`azurerm_firewall`][azurerm_firewall] |
+| Public IP Addresses | [`Microsoft.Network/publicIPAddresses`][arm_public_ip] | [`azurerm_public_ip`][azurerm_public_ip] |
+| DDoS Protection Plans | [`Microsoft.Network/ddosProtectionPlans`][arm_ddos_protection_plan] | [`azurerm_network_ddos_protection_plan`][azurerm_network_ddos_protection_plan] |
+| DNS Zones (pending) | [`Microsoft.Network/dnsZones`][arm_dns_zone] | [`azurerm_dns_zone`][azurerm_dns_zone] |
+| Virtual Network Peerings (pending) | [`Microsoft.Network/virtualNetworks/virtualNetworkPeerings`][arm_virtual_network_peering] | [`azurerm_virtual_network_peering`][azurerm_virtual_network_peering] |
+
+## Next steps
+
+Please refer to [Deploy Connectivity Examples][wiki_deploy_connectivity_resources] for examples showing how to use this capability.
+
+ [//]: # (*****************************)
+ [//]: # (INSERT IMAGE REFERENCES BELOW)
+ [//]: # (*****************************)
+
+[TFAES-Connectivity]: ./media/terraform-caf-enterprise-scale-connectivity.png "Diagram showing the Connectivity resources for Cloud Adoption Framework Enterprise-scale Landing Zone architecture deployed by this module."
+
+ [//]: # (************************)
+ [//]: # (INSERT LINK LABELS BELOW)
+ [//]: # (************************)
+
+[ESLZ-Connectivity]: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/enterprise-scale/network-topology-and-connectivity
+
+[arm_resource_group]:                 https://docs.microsoft.com/en-us/azure/templates/microsoft.resources/resourcegroups
+[arm_virtual_network]:                https://docs.microsoft.com/en-us/azure/templates/microsoft.network/virtualnetworks
+[arm_subnet]:                         https://docs.microsoft.com/en-us/azure/templates/microsoft.network/virtualnetworks/subnets
+[arm_virtual_network_gateway]:        https://docs.microsoft.com/en-us/azure/templates/microsoft.network/virtualnetworkgateways
+[arm_firewall]:                       https://docs.microsoft.com/en-us/azure/templates/microsoft.network/azurefirewalls
+[arm_public_ip]:                      https://docs.microsoft.com/en-us/azure/templates/microsoft.network/publicipaddresses
+[arm_ddos_protection_plan]:           https://docs.microsoft.com/en-us/azure/templates/microsoft.network/ddosprotectionplans
+[arm_dns_zone]:                       https://docs.microsoft.com/en-us/azure/templates/microsoft.network/dnszones
+[arm_virtual_network_peering]:        https://docs.microsoft.com/en-us/azure/templates/microsoft.network/virtualnetworks/virtualnetworkpeerings
+
+[azurerm_resource_group]:               https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group
+[azurerm_virtual_network]:              https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_network
+[azurerm_subnet]:                       https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet
+[azurerm_virtual_network_gateway]:      https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_network_gateway
+[azurerm_firewall]:                     https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/firewall
+[azurerm_public_ip]:                    https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/public_ip
+[azurerm_network_ddos_protection_plan]: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_ddos_protection_plan
+[azurerm_dns_zone]:                     https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/dns_zone
+[azurerm_virtual_network_peering]:      https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_network_peering
+
+[wiki_deploy_connectivity_resources]:         https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BExamples%5D-Deploy-Connectivity-Resources "Wiki - Deploy Connectivity Resources"
--- a/docs/wiki/[User-Guide]-Core-Resources.md
+++ b/docs/wiki/[User-Guide]-Core-Resources.md
@ -0,0 +1,56 @@
+## Overview
+
+The core capability of this module deploys the foundations of the [Cloud Adoption Framework enterprise-scale landing zone architecture][ESLZ-Architecture], with a focus on the central resource hierarchy and governance:
+
+![Enterprise-scale Core Landing Zones Architecture][TFAES-Overview]
+
+## Resource types
+
+The following resource types are deployed and managed by this module when using the core capabilities:
+
+|     | Azure Resource | Terraform Resource |
+| --- | -------------- | ------------------ |
+| Management Groups | [`Microsoft.Management/managementGroups`][arm_management_group] | [`azurerm_management_group`][azurerm_management_group] |
+| Management Group Subscriptions | [`Microsoft.Management/managementGroups/subscriptions`][arm_management_group_subscriptions] | [`azurerm_management_group`][azurerm_management_group] |
+| Policy Assignments | [`Microsoft.Authorization/policyAssignments`][arm_policy_assignment] | [`azurerm_policy_assignment`][azurerm_policy_assignment] |
+| Policy Definitions | [`Microsoft.Authorization/policyDefinitions`][arm_policy_definition] | [`azurerm_policy_definition`][azurerm_policy_definition] |
+| Policy Set Definitions | [`Microsoft.Authorization/policySetDefinitions`][arm_policy_set_definition] | [`azurerm_policy_set_definition`][azurerm_policy_set_definition] |
+| Role Assignments | [`Microsoft.Authorization/roleAssignments`][arm_role_assignment] | [`azurerm_role_assignment`][azurerm_role_assignment] |
+| Role Definitions | [`Microsoft.Authorization/roleDefinitions`][arm_role_definition] | [`azurerm_role_definition`][azurerm_role_definition] |
+
+The exact number of resources created depends on the module configuration, but you can expect upwards of `180` resources to be created by this module for a default installation based on the example below.
+
+> **NOTE:** None of these resources are deployed at the Subscription scope, however Terraform still requires a Subscription to establish an authenticated session with Azure.
+
+## Next Steps
+
+Please refer to [Deploy Default Configuration][wiki_deploy_default_configuration] for examples showing how to use this capability.
+
+ [//]: # (*****************************)
+ [//]: # (INSERT IMAGE REFERENCES BELOW)
+ [//]: # (*****************************)
+
+[TFAES-Overview]: ./media/terraform-caf-enterprise-scale-overview.png "Diagram showing the core Cloud Adoption Framework Enterprise-scale Landing Zone architecture deployed by this module."
+
+ [//]: # (************************)
+ [//]: # (INSERT LINK LABELS BELOW)
+ [//]: # (************************)
+
+[ESLZ-Architecture]: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/enterprise-scale/architecture
+
+[arm_management_group]:               https://docs.microsoft.com/en-us/azure/templates/microsoft.management/managementgroups
+[arm_management_group_subscriptions]: https://docs.microsoft.com/en-us/azure/templates/microsoft.management/managementgroups/subscriptions
+[arm_policy_assignment]:              https://docs.microsoft.com/en-us/azure/templates/microsoft.authorization/policyassignments
+[arm_policy_definition]:              https://docs.microsoft.com/en-us/azure/templates/microsoft.authorization/policydefinitions
+[arm_policy_set_definition]:          https://docs.microsoft.com/en-us/azure/templates/microsoft.authorization/policysetdefinitions
+[arm_role_assignment]:                https://docs.microsoft.com/en-us/azure/templates/microsoft.authorization/roleassignments
+[arm_role_definition]:                https://docs.microsoft.com/en-us/azure/templates/microsoft.authorization/roledefinitions
+
+[azurerm_management_group]:      https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/management_group
+[azurerm_policy_assignment]:     https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/policy_assignment
+[azurerm_policy_definition]:     https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/policy_definition
+[azurerm_policy_set_definition]: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/policy_set_definition
+[azurerm_role_assignment]:       https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment
+[azurerm_role_definition]:       https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_definition
+
+[wiki_deploy_default_configuration]: ./%5BExamples%5D-Deploy-Default-Configuration "Wiki - Deploy Default Configuration"
--- a/docs/wiki/[User-Guide]-Deploy-Management-Resources.md
+++ b/docs/wiki/[User-Guide]-Deploy-Management-Resources.md
@ -1 +1,11 @@
-_coming soon_
+## This page has been moved
+
+Please go to the new [Management Resources][wiki_management_resources] page for more information, or [Deploy Management Resources][wiki_deploy_management_resources] for examples.
+
+
+[//]: # "************************"
+[//]: # "INSERT LINK LABELS BELOW"
+[//]: # "************************"
+
+[wiki_management_resources]:        ./%5BUser-Guide%5D-Management-Resources "Wiki - Management Resources"
+[wiki_deploy_management_resources]: ./%5BExamples%5D-Deploy-Management-Resources "Wiki - Deploy Management Resources"
--- a/docs/wiki/[User-Guide]-Getting-Started.md
+++ b/docs/wiki/[User-Guide]-Getting-Started.md
@ -2,36 +2,41 @@

 Before getting started with this module, please take note of the following considerations:

-1. This module requires a minimum `azurerm` provider version of `2.41.0`.
+1. This module requires a minimum `azurerm` provider version of `2.66.0`.

-2. This module requires a minimum Terraform version `0.13.2`.
+1. This module requires a minimum Terraform version `0.15.0`.

    > **NOTE:** New releases of the module may contain features which require the minimum supported versions to be increased, but changes will be clearly documented in the release notes, user guide, and readme.

-3. This module has a single mandatory variable `root_parent_id` which is used to set the parent ID to use as the root for deployment. All other variables are optional but can be used to customise your deployment.
+1. This module has a single mandatory variable `root_parent_id` which is used to set the parent ID to use as the root for deployment. All other variables are optional but can be used to customise your deployment.

-4. We recommend providing the `root_parent_id` value needed by the module using one of the following options:
+1. We recommend providing the `root_parent_id` value needed by the module using one of the following options:
    - Explicitly using an input variable in your root module, with the value specified via command-line using `-var 'root_parent_id={{ tenant_id }}'` or your preferred method of specifying variables at runtime.
    - Implicitly using the `azurerm_client_config` data resource in your root module to extract the `tenant_id` value from the current logged in user context (_see our [examples](./Examples)_).

      > **NOTE:** Using the `azurerm_subscription` data resource to provide a `tenant_id` value from the current context for `root_parent_id` should be avoided. This has been observed to generate a warning that Terraform cannot determine the number of resources to create during the `plan` stage.
      > Terraform will ask to run `terraform apply -target=resource` against the `azurerm_subscription` data resource. This is due to the `root_parent_id` being used within the module to generate values which are used as `keys` within the `for-each` loops for resource creation. To avoid this error, please use one of the recommended methods above.

-5. As of version `0.0.8` this module now supports the creation of Role Assignments for any valid Policy Assignment deployed using the module.
+1. As of version `0.0.8` this module now supports the creation of Role Assignments for any valid Policy Assignment deployed using the module.
 This feature enumerates the appropriate role(s) needed by the assigned Policy Definition or Policy Set Definition and creates the necessary Role Assignments for the auto-generated Managed Identity at the same scope as the Policy Assignment.
 This capability provides feature parity with the Azure Portal experience when creating Policy Assignments using the `DeployIfNotExists` or `Modify` effects.
 If the Policy Assignment needs to interact with resources not under the same scope as the Policy Assignment, you will need to create additional Role Assignments at the appropriate scope.

-6. In release version `0.1.0` onwards, there are a number of major updates to policies and roles which should be considered before upgrading.
+1. In release version `0.1.0` onwards, there are a number of major updates to policies and roles which should be considered before upgrading.
 Please refer to the [upgrade guide][wiki_upgrade_from_v0_0_8_to_v0_1_0] for more information.

-7. In release version `0.2.0` onwards, there are further updates to policies which should be considered before upgrading.
+1. In release version `0.2.0` onwards, there are further updates to policies which should be considered before upgrading.
 Please refer to the [upgrade guide][wiki_upgrade_from_v0_1_2_to_v0_2_0] for more information.

-8. Release version `0.2.0` also adds new functionality to enable deployment of [Management and monitoring][ESLZ-Management] resources into the current Subscription context.
-Please refer to the [Deploy Management Resources][wiki_deploy_management_resources] page on our Wiki for more information about how to use this.
+1. Release version `0.2.0` also adds new functionality to enable deployment of [Management and monitoring][ESLZ-Management] resources into the current Subscription context.
+Please refer to the [Deploy Management Resources][wiki_management_resources] page on our Wiki for more information about how to use this.

-9. The `v0.3.0` release focuses mainly on updating the test framework, but also introduces a breaking change which removes the need (and support for) wrapping user-defined parameters in `jsonencode()`. When upgrading to this release, please ensure to update your code to use native HCL values as documented in the [release notes](https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/releases/tag/v0.3.0).
+1. The `v0.3.0` release focuses mainly on updating the test framework, but also introduces a breaking change which removes the need (and support for) wrapping user-defined parameters in `jsonencode()`.
+When upgrading to this release, please ensure to update your code to use native HCL values as documented in the [release notes](https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/releases/tag/v0.3.0).
+
+1. In release version `0.4.0` onwards, we have added significant new functionality to support deployment of [Identity][wiki_identity_resources] and [Connectivity][wiki_connectivity_resources] resources directly into the specified Subscriptions.
+There are also updates to policies which should be considered before upgrading.
+Please refer to the [upgrade guide][wiki_upgrade_from_v0_3_3_to_v0_4_0] for more information.

 ## Provisioning Instructions

@ -40,7 +45,14 @@ Copy and paste the following 'module' block into your Terraform configuration, i
 ```hcl
 module "caf-enterprise-scale" {
  source  = "Azure/caf-enterprise-scale/azurerm"
-  version = "0.3.3"
+  version = "0.4.0"
+
+  providers = {
+    azurerm              = azurerm
+    azurerm.connectivity = azurerm
+    azurerm.management   = azurerm
+  }
+
  # insert the 1 required variable here
 }
 ```
@ -51,9 +63,15 @@ For more detailed instructions, follow the [next steps](#next-steps) listed belo

 Learn how to use the [Module Variables](%5BUser-Guide%5D-Module-Variables) to customise the module configuration.

-
-[wiki_upgrade_from_v0_0_8_to_v0_1_0]: https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BUser-Guide%5D-Upgrade-from-v0.0.8-to-v0.1.0 "Wiki - Upgrade from v0.0.8 to v0.1.0"
-[wiki_upgrade_from_v0_1_2_to_v0_2_0]: https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BUser-Guide%5D-Upgrade-from-v0.1.2-to-v0.2.0 "Wiki - Upgrade from v0.1.2 to v0.2.0"
-[wiki_deploy_management_resources]: https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BUser-Guide%5D-Deploy-Management-Resources "Wiki - Deploy Management Resources"
+[//]: # "************************"
+[//]: # "INSERT LINK LABELS BELOW"
+[//]: # "************************"

 [ESLZ-Management]: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/enterprise-scale/management-and-monitoring
+
+[wiki_management_resources]:                  ./%5BUser-Guide%5D-Management-Resources "Wiki - Management Resources"
+[wiki_connectivity_resources]:                ./%5BUser-Guide%5D-Connectivity-Resources "Wiki - Connectivity Resources"
+[wiki_identity_resources]:                    ./%5BUser-Guide%5D-Identity-Resources "Wiki - Identity Resources"
+[wiki_upgrade_from_v0_0_8_to_v0_1_0]:         ./%5BUser-Guide%5D-Upgrade-from-v0.0.8-to-v0.1.0 "Wiki - Upgrade from v0.0.8 to v0.1.0"
+[wiki_upgrade_from_v0_1_2_to_v0_2_0]:         ./%5BUser-Guide%5D-Upgrade-from-v0.1.2-to-v0.2.0 "Wiki - Upgrade from v0.1.2 to v0.2.0"
+[wiki_upgrade_from_v0_3_3_to_v0_4_0]:         ./%5BUser-Guide%5D-Upgrade-from-v0.3.3-to-v0.4.0 "Wiki - Upgrade from v0.3.3 to v0.4.0"
--- a/docs/wiki/[User-Guide]-Identity-Resources.md
+++ b/docs/wiki/[User-Guide]-Identity-Resources.md
@ -0,0 +1,23 @@
+## Overview
+
+From release `v0.4.0` onwards, the module includes new functionality to enable deployment of [Identity and access management][ESLZ-Identity] resources into the current Subscription context.
+
+![Enterprise-scale Identity Landing Zone Architecture][TFAES-Identity]
+
+No additional resources are deployed by this capability, however policy settings relating to the `Identity` Management Group can now be easily updated via the `configure_identity_resources` input variable.
+
+Please refer to the [Deploy Identity Resources][wiki_deploy_identity_resources] page on our Wiki for more information about how to use this capability.
+
+ [//]: # (*****************************)
+ [//]: # (INSERT IMAGE REFERENCES BELOW)
+ [//]: # (*****************************)
+
+[TFAES-Identity]: ./media/terraform-caf-enterprise-scale-identity.png "Diagram showing the Identity resources for Cloud Adoption Framework Enterprise-scale Landing Zone architecture deployed by this module."
+
+ [//]: # (************************)
+ [//]: # (INSERT LINK LABELS BELOW)
+ [//]: # (************************)
+
+[ESLZ-Identity]: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/enterprise-scale/identity-and-access-management
+
+[wiki_deploy_identity_resources]: ./%5BExamples%5D-Deploy-Identity-Resources "Wiki - Deploy Identity Resources"
--- a/docs/wiki/[User-Guide]-Management-Resources.md
+++ b/docs/wiki/[User-Guide]-Management-Resources.md
@ -0,0 +1,49 @@
+## Overview
+
+From release `v0.2.0` onwards, the module includes new functionality to enable deployment of [Management and monitoring][ESLZ-Management] resources into the current Subscription context.
+This brings the benefit of being able to manage the full lifecycle of these resources using Terraform, with native integration into the corresponding Policy Assignments to ensure full policy compliance.
+
+![Enterprise-scale Management Landing Zone Architecture][TFAES-Management]
+
+## Resource types
+
+The following resource types are deployed and managed by this module when the Management resources capabilities are enabled:
+
+|     | Azure Resource | Terraform Resource |
+| --- | -------------- | ------------------ |
+| Resource Groups | [`Microsoft.Resources/resourceGroups`][arm_resource_group] | [`azurerm_resource_group`][azurerm_resource_group] |
+| Log Analytics Workspace | [`Microsoft.OperationalInsights/workspaces`][arm_log_analytics_workspace] | [`azurerm_log_analytics_workspace`][azurerm_log_analytics_workspace] |
+| Log Analytics Solutions | [`Microsoft.OperationsManagement/solutions`][arm_log_analytics_solution] | [`azurerm_log_analytics_solution`][azurerm_log_analytics_solution] |
+| Automation Account | [`Microsoft.Automation/automationAccounts`][arm_automation_account] | [`azurerm_automation_account`][azurerm_automation_account] |
+| Log Analytics Linked Service | [`Microsoft.OperationalInsights/workspaces /linkedServices`][arm_log_analytics_linked_service] | [`azurerm_log_analytics_linked_service`][azurerm_log_analytics_linked_service] |
+
+## Next steps
+
+Please refer to [Deploy Management Resources][wiki_deploy_management_resources] for examples showing how to use this capability.
+
+ [//]: # (*****************************)
+ [//]: # (INSERT IMAGE REFERENCES BELOW)
+ [//]: # (*****************************)
+
+[TFAES-Management]:./media/terraform-caf-enterprise-scale-management.png "Diagram showing the Management resources for Cloud Adoption Framework Enterprise-scale Landing Zone architecture deployed by this module."
+
+ [//]: # (************************)
+ [//]: # (INSERT LINK LABELS BELOW)
+ [//]: # (************************)
+
+[ESLZ-Management]:   https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/enterprise-scale/management-and-monitoring
+
+[arm_resource_group]:                 https://docs.microsoft.com/en-us/azure/templates/microsoft.resources/resourcegroups
+[arm_log_analytics_workspace]:        https://docs.microsoft.com/en-us/azure/templates/microsoft.operationalinsights/workspaces
+[arm_log_analytics_solution]:         https://docs.microsoft.com/en-us/azure/templates/microsoft.operationsmanagement/solutions
+[arm_automation_account]:             https://docs.microsoft.com/en-us/azure/templates/microsoft.automation/automationaccounts
+[arm_log_analytics_linked_service]:   https://docs.microsoft.com/en-us/azure/templates/microsoft.operationalinsights/workspaces/linkedservices
+
+[azurerm_resource_group]:               https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group
+[azurerm_log_analytics_workspace]:      https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/log_analytics_workspace
+[azurerm_log_analytics_solution]:       https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/log_analytics_solution
+[azurerm_automation_account]:           https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/automation_account
+[azurerm_log_analytics_linked_service]: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/log_analytics_linked_service
+
+
+[wiki_deploy_management_resources]:           https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BExamples%5D-Deploy-Management-Resources "Wiki - Deploy Management Resources"
--- a/docs/wiki/[User-Guide]-Module-Variables.md
+++ b/docs/wiki/[User-Guide]-Module-Variables.md
@ -1,4 +1,14 @@
-The module can be customised using the following input variables (click on each `input name` for more details):
+## Overview
+
+The module can be customised using the input variables listed below (click on each `input name` for more details).
+
+To provide the depth of configuration options needed by the module without creating too many different input variables, we decided to use a number of complex `object({})` type variables.
+Whilst these may look intimidating at first, these are all configured with default values and only need to be updated if you want to start customising the deployment.
+In all cases, the default values can simply be copied into your configuration and edited as required.
+
+> To make your code easier to maintain, we recommend using [Local Values][local_values] in your root module to store custom values, rather than putting these in-line within the module block.
+> This helps to improve readability of the module block, and also makes these values re-usable when using multiple instances of the module to build out your Enterprise-scale platform on Azure.
+> Only use [Input Variables][input_variables] for simple values which need to be changed across multiple deployments (e.g. environment-specific values).

 ## Required Inputs

@ -26,6 +36,198 @@ Default: `{}`

 <br>

+<!-- markdownlint-disable-next-line MD013 -->
+[**configure_connectivity_resources**][configure_connectivity_resources] `object({ settings = object({ hub_networks = list( object({ enabled = bool, config = object({ address_space = list(string), location = string, link_to_ddos_protection_plan = bool, dns_servers = list(string), bgp_community = string, subnets = list( object({ name = string, address_prefixes = list(string), network_security_group_id = string, route_table_id = string }) ), virtual_network_gateway = object({ enabled = bool, config = object({ address_prefix = string, gateway_sku_expressroute = string, gateway_sku_vpn = string }) }), azure_firewall = object({ enabled = bool, config = object({ address_prefix = string, enable_dns_proxy = bool, availability_zones = object({ zone_1 = bool, zone_2 = bool, zone_3 = bool }) }) }), spoke_virtual_network_resource_ids = list(string), enable_outbound_virtual_network_peering = bool }) }) ) vwan_hub_networks = list(object({})), ddos_protection_plan = object({ enabled = bool, config = object({ location = string }) }), dns = object({ enabled = bool, config = object({ location = string, enable_private_link_by_service = object({ azure_automation_webhook = bool, azure_automation_dscandhybridworker = bool, azure_sql_database_sqlserver = bool, azure_synapse_analytics_sqlserver = bool, azure_synapse_analytics_sql = bool, storage_account_blob = bool, storage_account_table = bool, storage_account_queue = bool, storage_account_file = bool, storage_account_web = bool, azure_data_lake_file_system_gen2 = bool, azure_cosmos_db_sql = bool, azure_cosmos_db_mongodb = bool, azure_cosmos_db_cassandra = bool, azure_cosmos_db_gremlin = bool, azure_cosmos_db_table = bool, azure_database_for_postgresql_server = bool, azure_database_for_mysql_server = bool, azure_database_for_mariadb_server = bool, azure_key_vault = bool, azure_kubernetes_service_management = bool, azure_search_service = bool, azure_container_registry = bool, azure_app_configuration_stores = bool, azure_backup = bool, azure_site_recovery = bool, azure_event_hubs_namespace = bool, azure_service_bus_namespace = bool, azure_iot_hub = bool, azure_relay_namespace = bool, azure_event_grid_topic = bool, azure_event_grid_domain = bool, azure_web_apps_sites = bool, azure_machine_learning_workspace = bool, signalr = bool, azure_monitor = bool, cognitive_services_account = bool, azure_file_sync = bool, azure_data_factory = bool, azure_data_factory_portal = bool, azure_cache_for_redis = bool }) private_link_locations = list(string), public_dns_zones = list(string), private_dns_zones = list(string), enable_private_dns_zone_virtual_network_link_on_hubs = bool, enable_private_dns_zone_virtual_network_link_on_spokes = bool }) }) }), location = any, tags     = any, advanced = any })`
+
+If specified, will customize the \"Connectivity\" landing zone settings and resources.
+
+Default:
+
+```hcl
+{
+  settings = {
+    hub_networks = [
+      {
+        enabled = true
+        config = {
+          address_space                = ["10.100.0.0/16", ]
+          location                     = ""
+          link_to_ddos_protection_plan = false
+          dns_servers                  = []
+          bgp_community                = ""
+          subnets                      = []
+          virtual_network_gateway = {
+            enabled = false
+            config = {
+              address_prefix           = "10.100.1.0/24"
+              gateway_sku_expressroute = "ErGw2AZ"
+              gateway_sku_vpn          = "VpnGw3"
+            }
+          }
+          azure_firewall = {
+            enabled = false
+            config = {
+              address_prefix   = "10.100.0.0/24"
+              enable_dns_proxy = true
+              availability_zones = {
+                zone_1 = true
+                zone_2 = true
+                zone_3 = true
+              }
+            }
+          }
+          spoke_virtual_network_resource_ids      = []
+          enable_outbound_virtual_network_peering = false
+        }
+      },
+    ]
+    vwan_hub_networks = []
+    ddos_protection_plan = {
+      enabled = false
+      config = {
+        location = ""
+      }
+    }
+    dns = {
+      enabled = true
+      config = {
+        location = ""
+        enable_private_link_by_service = {
+          azure_automation_webhook             = true
+          azure_automation_dscandhybridworker  = true
+          azure_sql_database_sqlserver         = true
+          azure_synapse_analytics_sqlserver    = true
+          azure_synapse_analytics_sql          = true
+          storage_account_blob                 = true
+          storage_account_table                = true
+          storage_account_queue                = true
+          storage_account_file                 = true
+          storage_account_web                  = true
+          azure_data_lake_file_system_gen2     = true
+          azure_cosmos_db_sql                  = true
+          azure_cosmos_db_mongodb              = true
+          azure_cosmos_db_cassandra            = true
+          azure_cosmos_db_gremlin              = true
+          azure_cosmos_db_table                = true
+          azure_database_for_postgresql_server = true
+          azure_database_for_mysql_server      = true
+          azure_database_for_mariadb_server    = true
+          azure_key_vault                      = true
+          azure_kubernetes_service_management  = true
+          azure_search_service                 = true
+          azure_container_registry             = true
+          azure_app_configuration_stores       = true
+          azure_backup                         = true
+          azure_site_recovery                  = true
+          azure_event_hubs_namespace           = true
+          azure_service_bus_namespace          = true
+          azure_iot_hub                        = true
+          azure_relay_namespace                = true
+          azure_event_grid_topic               = true
+          azure_event_grid_domain              = true
+          azure_web_apps_sites                 = true
+          azure_machine_learning_workspace     = true
+          signalr                              = true
+          azure_monitor                        = true
+          cognitive_services_account           = true
+          azure_file_sync                      = true
+          azure_data_factory                   = true
+          azure_data_factory_portal            = true
+          azure_cache_for_redis                = true
+        }
+        private_link_locations                                 = []
+        public_dns_zones                                       = []
+        private_dns_zones                                      = []
+        enable_private_dns_zone_virtual_network_link_on_hubs   = true
+        enable_private_dns_zone_virtual_network_link_on_spokes = true
+      }
+    }
+  }
+  location = null
+  tags     = null
+  advanced = null
+}
+```
+
+<br>
+
+[**configure_identity_resources**][configure_identity_resources] `object({ settings = object({ identity = object({ enabled = bool config = object({ enable_deny_public_ip = bool enable_deny_rdp_from_internet = bool enable_deny_subnet_without_nsg = bool enable_deploy_azure_backup_on_vms = bool }) }) }) })`
+
+If specified, will customize the \"Identity\" landing zone settings.
+
+Default:
+
+```hcl
+{
+  settings = {
+    identity = {
+      enabled = true
+      config = {
+        enable_deny_public_ip             = true
+        enable_deny_rdp_from_internet     = true
+        enable_deny_subnet_without_nsg    = true
+        enable_deploy_azure_backup_on_vms = true
+      }
+    }
+  }
+}
+```
+
+<br>
+
+<!-- markdownlint-disable-next-line MD013 -->
+[**configure_management_resources**][configure_management_resources] `object({ settings = object({ log_analytics = object({ enabled = bool config = object({ retention_in_days = number enable_monitoring_for_arc = bool enable_monitoring_for_vm = bool enable_monitoring_for_vmss = bool enable_solution_for_agent_health_assessment = bool enable_solution_for_anti_malware = bool enable_solution_for_azure_activity = bool enable_solution_for_change_tracking = bool enable_solution_for_service_map = bool enable_solution_for_sql_assessment = bool enable_solution_for_updates = bool enable_solution_for_vm_insights = bool enable_sentinel = bool }) }) security_center = object({ enabled = bool config = object({ email_security_contact = string enable_defender_for_acr = bool enable_defender_for_app_services = bool enable_defender_for_arm = bool enable_defender_for_dns = bool enable_defender_for_key_vault = bool enable_defender_for_kubernetes = bool enable_defender_for_servers = bool enable_defender_for_sql_servers = bool enable_defender_for_sql_server_vms = bool enable_defender_for_storage = bool }) }) }) location = any tags = any advanced = any })`
+
+If specified, will customize the \"Management\" landing zone settings and resources.
+
+Default:
+
+```hcl
+{
+  settings = {
+    log_analytics = {
+      enabled = true
+      config = {
+        retention_in_days                           = 30
+        enable_monitoring_for_arc                   = true
+        enable_monitoring_for_vm                    = true
+        enable_monitoring_for_vmss                  = true
+        enable_solution_for_agent_health_assessment = true
+        enable_solution_for_anti_malware            = true
+        enable_solution_for_azure_activity          = true
+        enable_solution_for_change_tracking         = true
+        enable_solution_for_service_map             = true
+        enable_solution_for_sql_assessment          = true
+        enable_solution_for_updates                 = true
+        enable_solution_for_vm_insights             = true
+        enable_sentinel                             = true
+      }
+    }
+    security_center = {
+      enabled = true
+      config = {
+        email_security_contact             = "security_contact@replace_me"
+        enable_defender_for_acr            = true
+        enable_defender_for_app_services   = true
+        enable_defender_for_arm            = true
+        enable_defender_for_dns            = true
+        enable_defender_for_key_vault      = true
+        enable_defender_for_kubernetes     = true
+        enable_defender_for_servers        = true
+        enable_defender_for_sql_servers    = true
+        enable_defender_for_sql_server_vms = true
+        enable_defender_for_storage        = true
+      }
+    }
+  }
+  location = null
+  tags     = null
+  advanced = null
+}
+```
+
+<br>
+
 [**create_duration_delay**][create_duration_delay] `map(string)`

 Used to tune `terraform apply` when faced with errors caused by API caching or eventual consistency. Sets a custom delay period after creation of the specified resource type.
@ -53,6 +255,14 @@ Default: `{}`

 <br>

+[**custom_policy_roles**][custom_policy_roles] `map(list(string))`
+
+If specified, the custom_policy_roles variable overrides which Role Definition ID(s) (value) to assign for Policy Assignments with a Managed Identity, if the assigned \"policyDefinitionId\" (key) is included in this variable.
+
+Default: `{}`
+
+<br>
+
 [**default_location**][default_location] `string`

 If specified, will use set the default location used for resource deployments where needed. #check_value will use set the default == is wording right?
@ -61,6 +271,22 @@ Default: `"eastus"`

 <br>

+[**default_tags**][default_tags] `map(string)`
+
+If specified, will set the default tags for all resources deployed by this module where supported.
+
+Default: `{}`
+
+<br>
+
+[**deploy_connectivity_resources**][deploy_core_landing_zones] `bool`
+
+If set to true, will deploy the \"Connectivity\" landing zone settings and add resources into the current Subscription context.
+
+Default: `false`
+
+<br>
+
 [**deploy_core_landing_zones**][deploy_core_landing_zones] `bool`

 If set to true, will include the core Enterprise-scale Management Group hierarchy.
@ -77,6 +303,22 @@ Default: `false`

 <br>

+[**deploy_identity_resources**][deploy_identity_resources] `bool`
+
+If set to true, will deploy the \"Identity\" landing zone settings.
+
+Default: `false`
+
+<br>
+
+[**deploy_management_resources**][deploy_management_resources] `bool`
+
+If set to true, will deploy the \"Management\" landing zone settings and add resources into the current Subscription context.
+
+Default: `false`
+
+<br>
+
 [**destroy_duration_delay**][destroy_duration_delay] `map(string)`

 Used to tune terraform deploy when faced with errors caused by API caching or eventual consistency. Sets a custom delay period after destruction of the specified resource type. ##check_value tune terraform deploy == terraform destroy?
@ -96,11 +338,20 @@ Default:

 <br>

+[**disable_base_module_tags**][disable_base_module_tags] `bool`
+
+If set to true, will remove the base module tags applied to all resources deployed by the module which support tags.
+
+Default: `false`
+
+<br>
+
 [**library_path**][library_path] `string`

 If specified, sets the path to a custom library folder for archetype artefacts. #check_value artefacts == is it artifacts? Update the code vars code

 Default: `""`
+
 <br>

 [**root_id**][root_id] `string`
@ -119,6 +370,30 @@ Default: `"Enterprise-Scale"`

 <br>

+[**subscription_id_connectivity**][subscription_id_connectivity] `string`
+
+If specified, identifies the Platform subscription for \"Connectivity\" for resource deployment and correct placement in the Management Group hierarchy.
+
+Default: `""`
+
+<br>
+
+[**subscription_id_identity**][subscription_id_identity] `string`
+
+If specified, identifies the Platform subscription for \"Identity\" for resource deployment and correct placement in the Management Group hierarchy.
+
+Default: `""`
+
+<br>
+
+[**subscription_id_management**][subscription_id_management] `string`
+
+If specified, identifies the Platform subscription for \"Management\" for resource deployment and correct placement in the Management Group hierarchy.
+
+Default: `""`
+
+<br>
+
 [**subscription_id_overrides**][subscription_id_overrides] `map(list(string))`

 If specified, will be used to assign subscription_ids to the default Enterprise-scale Management Groups.
@ -144,17 +419,34 @@ Now you understand how to customize your deployment using the input variables, c
 [//]: # "************************"
 [//]: # "INSERT LINK LABELS BELOW"
 [//]: # "************************"
+
 [estf-inputs]: https://registry.terraform.io/modules/Azure/caf-enterprise-scale/azurerm/latest?tab=inputs "Terraform Registry: Terraform Module for Cloud Adoption Framework Enterprise-scale - Inputs"
-[root_parent_id]: ./%5BVariables%5D-root_parent_id "Instructions for how to use the root_parent_id variable."
-[root_id]: ./%5BVariables%5D-root_id "Instructions for how to use the root_id variable."
-[root_name]: ./%5BVariables%5D-root_name "Instructions for how to use the root_name variable."
-[deploy_core_landing_zones]: ./%5BVariables%5D-deploy_core_landing_zones "Instructions for how to use the deploy_core_landing_zones variable."
-[archetype_config_overrides]: ./%5BVariables%5D-archetype_config_overrides "Instructions for how to use the archetype_config_overrides variable."
-[subscription_id_overrides]: ./%5BVariables%5D-subscription_id_overrides "Instructions for how to use the subscription_id_overrides variable."
-[deploy_demo_landing_zones]: ./%5BVariables%5D-deploy_demo_landing_zones "Instructions for how to use the deploy_demo_landing_zones variable."
-[custom_landing_zones]: ./%5BVariables%5D-custom_landing_zones "Instructions for how to use the custom_landing_zones variable."
-[library_path]: ./%5BVariables%5D-library_path "Instructions for how to use the library_path variable."
-[template_file_variables]: ./%5BVariables%5D-template_file_variables "Instructions for how to use the template_file_variables variable."
-[default_location]: ./%5BVariables%5D-default_location "Instructions for how to use the default_location variable."
-[create_duration_delay]: ./%5BVariables%5D-create_duration_delay "Instructions for how to use the create_duration_delay variable."
-[destroy_duration_delay]: ./%5BVariables%5D-destroy_duration_delay "Instructions for how to use the destroy_duration_delay variable."
+
+[local_values]:    https://www.terraform.io/docs/language/values/locals.html "Local Values"
+[input_variables]: https://www.terraform.io/docs/language/values/variables.html "Input Variables"
+
+[root_parent_id]:                   ./%5BVariables%5D-root_parent_id "Instructions for how to use the root_parent_id variable."
+[archetype_config_overrides]:       ./%5BVariables%5D-archetype_config_overrides "Instructions for how to use the archetype_config_overrides variable."
+[configure_connectivity_resources]: ./%5BVariables%5D-configure_connectivity_resources "Instructions for how to use the configure_connectivity_resources variable."
+[configure_identity_resources]:     ./%5BVariables%5D-configure_identity_resources "Instructions for how to use the configure_identity_resources variable."
+[configure_management_resources]:   ./%5BVariables%5D-configure_management_resources "Instructions for how to use the configure_management_resources variable."
+[create_duration_delay]:            ./%5BVariables%5D-create_duration_delay "Instructions for how to use the create_duration_delay variable."
+[custom_landing_zones]:             ./%5BVariables%5D-custom_landing_zones "Instructions for how to use the custom_landing_zones variable."
+[custom_policy_roles]:              ./%5BVariables%5D-custom_policy_roles "Instructions for how to use the custom_policy_roles variable."
+[default_location]:                 ./%5BVariables%5D-default_location "Instructions for how to use the default_location variable."
+[default_tags]:                     ./%5BVariables%5D-default_tags "Instructions for how to use the default_tags variable."
+[deploy_core_landing_zones]:        ./%5BVariables%5D-deploy_core_landing_zones "Instructions for how to use the deploy_core_landing_zones variable."
+[deploy_demo_landing_zones]:        ./%5BVariables%5D-deploy_demo_landing_zones "Instructions for how to use the deploy_demo_landing_zones variable."
+[deploy_connectivity_resources]:    ./%5BVariables%5D-deploy_connectivity_resources "Instructions for how to use the deploy_connectivity_resources variable."
+[deploy_identity_resources]:        ./%5BVariables%5D-deploy_identity_resources "Instructions for how to use the deploy_identity_resources variable."
+[deploy_management_resources]:      ./%5BVariables%5D-deploy_management_resources "Instructions for how to use the deploy_management_resources variable."
+[destroy_duration_delay]:           ./%5BVariables%5D-destroy_duration_delay "Instructions for how to use the destroy_duration_delay variable."
+[disable_base_module_tags]:         ./%5BVariables%5D-disable_base_module_tags "Instructions for how to use the disable_base_module_tags variable."
+[library_path]:                     ./%5BVariables%5D-library_path "Instructions for how to use the library_path variable."
+[root_id]:                          ./%5BVariables%5D-root_id "Instructions for how to use the root_id variable."
+[root_name]:                        ./%5BVariables%5D-root_name "Instructions for how to use the root_name variable."
+[subscription_id_connectivity]:     ./%5BVariables%5D-subscription_id_connectivity "Instructions for how to use the subscription_id_connectivity variable."
+[subscription_id_identity]:         ./%5BVariables%5D-subscription_id_identity "Instructions for how to use the subscription_id_identity variable."
+[subscription_id_management]:       ./%5BVariables%5D-subscription_id_management "Instructions for how to use the subscription_id_management variable."
+[subscription_id_overrides]:        ./%5BVariables%5D-subscription_id_overrides "Instructions for how to use the subscription_id_overrides variable."
+[template_file_variables]:          ./%5BVariables%5D-template_file_variables "Instructions for how to use the template_file_variables variable."
--- a/docs/wiki/[User-Guide]-Provider-Configuration.md
+++ b/docs/wiki/[User-Guide]-Provider-Configuration.md
@ -0,0 +1,147 @@
+## Overview
+
+As of release `v0.4.0`, the [Terraform Module for Cloud Adoption Framework Enterprise-scale][terraform-registry-caf-enterprise-scale] now uses multiple provider aliases to allow resources to be deployed directly to the intended Subscription, without the need to specify multiple instances of the module.
+
+This change is intended to simplify deployments using a single pipeline to create all resources, as it is no longer necessary to share the configuration inputs across multiple instances of the module to achieve consistency between the resources created, and associated policies.
+
+The module utilises 3 providers in total:
+
+| Resource category | Provider |
+| ----------------- | -------- |
+| [Core][wiki_core_resources]                 | `azurerm` *(default)*  |
+| [Connectivity][wiki_connectivity_resources] | `azurerm.connectivity` |
+| [Management][wiki_management_resources]     | `azurerm.management`   |
+| [Identity][wiki_identity_resources]         | *n/a (no resources)*   |
+
+Regardless of how you plan to use the module, you must map your provider(s) to the module providers. Failure to do so will result in one or both of the following error when running `terraform init`:
+
+```shell
+╷
+│ Error: No configuration for provider azurerm.connectivity
+│
+│   on main.tf line 13:
+│   13: module "enterprise_scale" {
+│
+│ Configuration required for module.enterprise_scale.provider["registry.terraform.io/hashicorp/azurerm"].connectivity.
+│ Add a provider named azurerm.connectivity to the providers map for module.enterprise_scale in the root module.
+╵
+
+╷
+│ Error: No configuration for provider azurerm.management
+│
+│   on main.tf line 13:
+│   13: module "enterprise_scale" {
+│
+│ Configuration required for module.enterprise_scale.provider["registry.terraform.io/hashicorp/azurerm"].management.
+│ Add a provider named azurerm.management to the providers map for module.enterprise_scale in the root module.
+╵
+```
+
+The following section covers typical configuration scenarios.
+
+## Provider configuration examples
+
+### Single Subscription deployment
+
+The following example shows how you can map a single (default) provider from the root module using the providers object:
+
+```hcl
+# Declare a standard provider block using your preferred configuration.
+# This will be used for all resource deployments.
+provider {
+  features {}
+}
+
+# Map each module provider to your default `azurerm` provider using the providers input object.
+module "caf-enterprise-scale" {
+  source  = "Azure/caf-enterprise-scale/azurerm"
+  version = "0.4.0"
+
+  providers = {
+    azurerm              = azurerm
+    azurerm.connectivity = azurerm
+    azurerm.management   = azurerm
+  }
+
+  # insert the required input variables here
+}
+```
+
+For more detailed instructions, follow the [next steps](#next-steps) listed below or go straight to our [Examples](./Examples).
+
+### Multi-Subscription deployment
+
+Terraform is unable to deploy resources across multiple Subscriptions using a single `provider` configuration.
+
+You must be authenticated to the Subscription where you want each set of resources to be deployed.
+
+- You must always provide a base provider configuration for the "Core resources". Although no "Core resources" are deployed in this Subscription, it is used for authentication to the Azure API.
+
+- When setting `deploy_connectivity_resources = true`, you must also ensure you map the `azurerm.connectivity` provider to authenticate against the same Subscription as specified in `subscription_id_connectivity`.
+
+- When setting `deploy_management_resources = true`, you must also ensure you map the `azurerm.management` provider to authenticate against the same Subscription as specified in `subscription_id_management`.
+
+Although this may bring additional complexity to the module, this also enables the module to deploy resources across multiple Subscriptions.
+This is an important part of the [Cloud Adoption Framework enterprise-scale landing zone architecture][ESLZ-Architecture].
+
+Details of how to [configure authentication settings][authenticating_to_azure] can be found in the AzureRM Provider documentation.
+
+The following example shows how you might configure multiple `provider` blocks and map them to the module for a Multi-Subscription deployment:
+
+```hcl
+# Declare a standard provider block using your preferred configuration.
+# This will be used for the deployment of all "Core resources".
+provider {
+  features {}
+}
+
+# Declare an aliased provider block using your preferred configuration.
+# This will be used for the deployment of all "Connectivity resources" to the specified `subscription_id`.
+provider {
+  alias           = "connectivity"
+  subscription_id = "00000000-0000-0000-0000-000000000000"
+  features {}
+}
+
+# Declare a standard provider block using your preferred configuration.
+# This will be used for the deployment of all "Management resources" to the specified `subscription_id`.
+provider {
+  alias           = "management"
+  subscription_id = "11111111-1111-1111-1111-111111111111"
+  features {}
+}
+
+# Map each module provider to their corresponding `azurerm` provider using the providers input object
+module "caf-enterprise-scale" {
+  source  = "Azure/caf-enterprise-scale/azurerm"
+  version = "0.4.0"
+
+  providers = {
+    azurerm              = azurerm
+    azurerm.connectivity = azurerm.connectivity
+    azurerm.management   = azurerm.management
+  }
+
+  # insert the required input variables here
+}
+```
+
+For more detailed instructions, follow the [next steps](#next-steps) listed below or go straight to our [Examples](./Examples).
+
+## Next steps
+
+Learn how to use the [Module Variables](%5BUser-Guide%5D-Module-Variables) to customise the module configuration.
+
+[//]: # "************************"
+[//]: # "INSERT LINK LABELS BELOW"
+[//]: # "************************"
+
+[ESLZ-Architecture]: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/enterprise-scale/architecture "Cloud Adoption Framework enterprise-scale landing zone architecture"
+
+[terraform-registry-caf-enterprise-scale]: https://registry.terraform.io/modules/Azure/caf-enterprise-scale/azurerm/latest "Terraform Registry: Terraform Module for Cloud Adoption Framework Enterprise-scale"
+[authenticating_to_azure]:                 https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs#authenticating-to-azure "Terraform Registry: Azure Provider (Authenticating to Azure)"
+
+[wiki_core_resources]:                        ./%5BUser-Guide%5D-Core-Resources "Wiki - Core Resources"
+[wiki_management_resources]:                  ./%5BUser-Guide%5D-Management-Resources "Wiki - Management Resources"
+[wiki_connectivity_resources]:                ./%5BUser-Guide%5D-Connectivity-Resources "Wiki - Connectivity Resources"
+[wiki_identity_resources]:                    ./%5BUser-Guide%5D-Identity-Resources "Wiki - Identity Resources"
--- a/docs/wiki/[User-Guide]-Upgrade-from-v0.3.3-to-v0.4.0.md
+++ b/docs/wiki/[User-Guide]-Upgrade-from-v0.3.3-to-v0.4.0.md
@ -0,0 +1,289 @@
+## Overview
+
+As part of upgrade from release 0.3.3 to 0.4.0, the [Terraform Module for Cloud Adoption Framework Enterprise-scale][terraform-registry-caf-enterprise-scale] includes a number of breaking changes.
+
+This update provides a number of new features, helps keep this module up to date with the latest reference architecture published in the [Azure/Enterprise-Scale][azure/enterprise-scale] repository, and to support the latest releases of Terraform and the AzureRM Provider.
+
+## Required actions
+
+Anyone using this module should be aware of the following when planning to upgrade from release 0.3.3 to 0.4.0:
+
+1. A select number of policies and roles provided as part of this module will be redeployed.
+Please carefully review the output of `terraform plan` to ensure there are no issues with any custom configuration within your root module.
+
+1. The following library template types will need checking for references to policies as listed in the [resource changes](#resource-changes) section below:
+    1. Archetype Definitions
+    1. Policy Assignments
+    1. Policy Set Definitions
+
+1. All Policy Assignments (and associated Role Assignments where a Managed Identity is required for policies with DeployIfNotExists or Modify effects) will be recreated to support moving these from the [`azurerm_policy_assignment` (deprecated)][azurerm_policy_assignment] to [`azurerm_management_group_policy_assignment`][azurerm_management_group_policy_assignment] resource types.
+
+1. Adds provider configuration within the module, allowing creation of resources across multiple Subscriptions. This impacts existing [Management and monitoring][ESLZ-Management] resources.
+To avoid the need to re-create these resources, please review the [management resources](#management-resources) section below.
+Please also review the [provider configuration][wiki_provider_configuration] page for more detail on how you should configure this in your module declaration.
+
+1. Adds new functionality to enable deployment of [Network topology and connectivity][ESLZ-Connectivity] resources into the connectivity Subscription context.
+Currently based on the hub & spoke deployment model.
+
+1. Adds new functionality to manage Policy Assignments as part of delivering the [Identity and access management][ESLZ-Identity]
+
+## Resource changes
+
+The following changes have been made within the module which may cause issues when using custom archetype definitions:
+
+- The following Policy Definition changes have been included in the `es_root` archetype definition:
+  - `Audit-MachineLearning-PrivateEndpointId` added
+  - `Deny-MachineLearning-Aks` added
+  - `Deny-MachineLearning-Compute-SubnetId` added
+  - `Deny-MachineLearning-Compute-VmSize` added
+  - `Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess` added
+  - `Deny-MachineLearning-ComputeCluster-Scale` added
+  - `Deny-MachineLearning-HbiWorkspace` added
+  - `Deny-MachineLearning-PublicAccessWhenBehindVnet` added
+  - `Deny-PublicEndpoint-Aks` removed
+  - `Deny-PublicEndpoint-CosmosDB` removed
+  - `Deny-PublicEndpoint-KeyVault` removed
+  - `Deny-PublicEndpoint-MySQL` removed
+  - `Deny-PublicEndpoint-PostgreSql` removed
+  - `Deny-PublicEndpoint-Sql` removed
+  - `Deny-PublicEndpoint-Storage` removed
+  - `Deploy-Default-Udr` added
+  - `Deploy-Diagnostics-ActivityLog` removed
+  - `Deploy-Diagnostics-AKS` removed
+  - `Deploy-Diagnostics-Batch` removed
+  - `Deploy-Diagnostics-DataLakeStore` removed
+  - `Deploy-Diagnostics-EventHub` removed
+  - `Deploy-Diagnostics-KeyVault` removed
+  - `Deploy-Diagnostics-LogicAppsWF` removed
+  - `Deploy-Diagnostics-RecoveryVault` removed
+  - `Deploy-Diagnostics-SearchServices` removed
+  - `Deploy-Diagnostics-ServiceBus` removed
+  - `Deploy-Diagnostics-SQLDBs` removed
+  - `Deploy-Diagnostics-StreamAnalytics` removed
+  - `Deploy-DNSZoneGroup-For-Blob-PrivateEndpoint` removed
+  - `Deploy-DNSZoneGroup-For-File-PrivateEndpoint` removed
+  - `Deploy-DNSZoneGroup-For-KeyVault-PrivateEndpoint` removed
+  - `Deploy-DNSZoneGroup-For-Queue-PrivateEndpoint` removed
+  - `Deploy-DNSZoneGroup-For-Sql-PrivateEndpoint` removed
+  - `Deploy-DNSZoneGroup-For-Table-PrivateEndpoint` removed
+  - `Deploy-HUB` removed
+  - `Deploy-LA-Config` removed
+  - `Deploy-Log-Analytics` removed
+  - `Deploy-vHUB` removed
+  - `Deploy-vNet` removed
+  - `Deploy-vWAN` removed
+
+- The following Policy Set Definition changes have been included in the `es_root` archetype definition:
+  - `Deny-PublicEndpoints` replaced with `Deny-PublicPaaSEndpoints`
+  - `Deploy-Diag-LogAnalytics` replaced with `Deploy-Diagnostics-LogAnalytics`
+  - `Deploy-Private-DNS-Zones` added
+
+- The following Policy Assignment changes have been included `es_connectivity` archetype definition:
+  - `Enable-DDoS-VNET` added
+
+- The following Policy Assignment changes have been included `es_corp` archetype definition:
+  - `Deny-Public-Endpoints` added
+  - `Deploy-Private-DNS-Zones` added
+
+- The following Policy Assignment changes have been included `es_identity` archetype definition:
+  - `Deny-Public-IP` added
+  - `Deny-RDP-From-Internet` added
+  - `Deny-Subnet-Without-Nsg` added
+  - `Deploy-VM-Backup` added
+
+- The following Policy Assignment changes have been included `es_landing_zones` archetype definition:
+  - `Deny-http-Ingress-AKS` removed and replaced by `Enforce-AKS-HTTPS`
+  - `Deploy-SQL-Security` removed
+  - `Deploy-SQL-Threat` added
+  - `Enable-DDoS-VNET` added
+  - `Enforce-TLS-SSL` added
+
+> NOTE: All references to resource names are **_Case Sensitive_**. Failure to use the correct case will result in an `Invalid index` error when running `terraform plan`, such as the following example:
+
+```shell
+Error: Invalid index
+
+  on ../../modules/archetypes/locals.policy_definitions.tf line 82, in locals:
+  82:       template    = local.archetype_policy_definitions_map[policy]
+    |----------------
+    | local.archetype_policy_definitions_map is object with 100 attributes
+
+The given key does not identify an element in this collection value.
+```
+
+### Resource type: `azurerm_policy_assignment`
+
+All `azurerm_policy_assignment` resources have been replaced by the `azurerm_management_group_policy_assignment` resource type.
+
+Please see the next section for a list of further changes.
+
+### Resource type: `azurerm_management_group_policy_assignment`
+
+All `azurerm_policy_assignment` resources have been replaced by the `azurerm_management_group_policy_assignment` resource type.
+
+In addition to the resource type change, the following Policy Assignment changes are included in this update:
+- `Deny-http-Ingress-AKS` has been renamed to `Enforce-AKS-HTTPS`
+- `Deny-IP-Forwarding` updated display name and description fields
+- `Deny-Priv-Containers-AKS` updated display name and description fields
+- `Deny-Priv-Escalation-AKS` updated display name and description fields
+- `Deny-Public-Endpoints` added
+- `Deny-Public-IP` added
+- `Deny-RDP-From-Internet` updated display name and description fields
+- `Deny-Storage-http` updated display name and description fields
+- `Deny-Subnet-Without-Nsg` updated display name and description fields
+- `Deny-Subnet-Without-Udr` updated display name and description fields
+- `Deploy-AKS-Policy` updated display name and description fields
+- `Deploy-ASC-Configuration` added (replaces `Deploy-ASC-Defender`)
+- `Deploy-Private-DNS-Zones` added (still in development)
+- `Deploy-SQL-DB-Auditing` updated display name and description fields
+- `Deploy-SQL-Threat` added
+- `Deploy-VM-Backup` updated display name and description fields
+- `Deploy-VM-Monitoring` updated display name and description fields
+- `Deploy-VMSS-Monitoring` updated display name and description fields
+- `Deploy-AzActivity-Log` updated to use new built-in Policy Definition
+- `Deploy-Log-Analytics` updated to use new built-in Policy Definition
+- `Deploy-Resource-Diag` updated to use new custom `Deploy-Diagnostics-LogAnalytics` Policy Set Definition
+- `Enable-DDoS-VNET` added
+- `Enforce-TLS-SSL` added
+
+### Resource type: `azurerm_policy_definition`
+
+All Policy Definition templates were updated to the latest `apiVersion` of `2021-06-01`, although no impact as Terraform uses the Go SDK for interaction with Azure APIs.
+
+A number of Policy Definition `description` fields were also updated, which will result in an in-place update of these.
+
+The following Policy Definition changes are included in this update:
+- `Append-AppService-latestTLS` has been updated from `Indexed` to `All` for the `mode` attribute.
+- `Audit-MachineLearning-PrivateEndpointId` added
+- `Deny-MachineLearning-Aks` added
+- `Deny-MachineLearning-Compute-SubnetId` added
+- `Deny-MachineLearning-Compute-VmSize` added
+- `Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess` added
+- `Deny-MachineLearning-ComputeCluster-Scale` added
+- `Deny-MachineLearning-HbiWorkspace` added
+- `Deny-MachineLearning-PublicAccessWhenBehindVnet` added
+- `Deploy-Default-Udr` added
+- `Deny-PublicEndpoint-Aks` removed
+- `Deny-PublicEndpoint-CosmosDB` removed
+- `Deny-PublicEndpoint-KeyVault` removed
+- `Deny-PublicEndpoint-MySQL` removed
+- `Deny-PublicEndpoint-PostgreSql` removed
+- `Deny-PublicEndpoint-Sql` removed
+- `Deny-PublicEndpoint-Storage` removed
+- `Deny-Subnet-Without-Nsg` now includes a new `excludedSubnets` parameter to allow exclusions (default value = `["GatewaySubnet", "AzureFirewallSubnet", "AzureFirewallManagementSubnet"]`)
+- `Deny-Subnet-Without-Udr` now includes a new `excludedSubnets` parameter to allow exclusions (default value = `["AzureBastionSubnet"]`)
+- `Deny-VNET-Peer-Cross-Sub` has been updated from `Indexed` to `All` for the `mode` attribute.
+- `Deny-VNet-Peering` has been updated from `Indexed` to `All` for the `mode` attribute.
+- `Deploy-Default-Udr` added
+- `Deploy-Diagnostics-ActivityLog` removed
+- `Deploy-Diagnostics-AKS` removed
+- `Deploy-Diagnostics-Batch` removed
+- `Deploy-Diagnostics-DataLakeStore` removed
+- `Deploy-Diagnostics-EventHub` removed
+- `Deploy-Diagnostics-KeyVault` removed
+- `Deploy-Diagnostics-LogicAppsWF` removed
+- `Deploy-Diagnostics-RecoveryVault` removed
+- `Deploy-Diagnostics-SearchServices` removed
+- `Deploy-Diagnostics-ServiceBus` removed
+- `Deploy-Diagnostics-SQLDBs` removed
+- `Deploy-Diagnostics-StreamAnalytics` removed
+- `Deploy-DNSZoneGroup-For-Blob-PrivateEndpoint` removed
+- `Deploy-DNSZoneGroup-For-File-PrivateEndpoint` removed
+- `Deploy-DNSZoneGroup-For-KeyVault-PrivateEndpoint` removed
+- `Deploy-DNSZoneGroup-For-Queue-PrivateEndpoint` removed
+- `Deploy-DNSZoneGroup-For-Sql-PrivateEndpoint` removed
+- `Deploy-DNSZoneGroup-For-Table-PrivateEndpoint` removed
+- `Deploy-HUB` removed
+- `Deploy-LA-Config` removed
+- `Deploy-Log-Analytics` removed
+- `Deploy-vHUB` removed
+- `Deploy-vNet` removed
+- `Deploy-VNET-HubSpoke` update with new `parameters` and `policyRule` configuration
+- `Deploy-vWAN` removed
+
+### Resource type: `azurerm_policy_set_definition`
+
+All Policy Set Definition templates were updated to the latest `apiVersion` of `2021-06-01`, although no impact as Terraform uses the Go SDK for interaction with Azure APIs.
+
+A number of Policy Set Definition `description` fields were also updated, which will result in an in-place update of these.
+
+The following Policy Definition changes are included in this update:
+
+- `Deny-PublicEndpoints` renamed to `Deny-PublicPaaSEndpoints` and updated with new configuration to reflect Policy Definition updates
+- `Deploy-Diag-LogAnalytics` renamed to `Deploy-Diagnostics-LogAnalytics` and updated with new configuration to reflect Policy Definition updates
+- `Deploy-Private-DNS-Zones` added
+- `Enforce-Encryption-CMK` updated to replace invalid unicode (whitespace) character
+
+### Management resources
+
+As part of enabling support for multiple providers within the module to allow resources to be deployed to multiple Subscriptions within a single module declaration, it has been necessary to rename some resources within the module. These are all resources relating to the management solution within the module.
+
+The following resources have been renamed:
+
+| v0.3.x | v0.4.x |
+| --- | --- |
+| azurerm_automation_account.enterprise_scale[\*] | azurerm_automation_account.management[\*] |
+| azurerm_log_analytics_linked_service.enterprise_scale[\*] | azurerm_log_analytics_linked_service.management[\*] |
+| azurerm_log_analytics_solution.enterprise_scale[\*] | azurerm_log_analytics_solution.management[\*] |
+| azurerm_log_analytics_workspace.enterprise_scale[\*] | azurerm_log_analytics_workspace.management[\*] |
+| azurerm_resource_group.enterprise_scale[\*] | azurerm_resource_group.management[\*] |
+
+This was necessary to allow the module to support deploying resources into different Subscriptions using dedicated providers for the `core`, `management`, and `connectivity` capabilities.
+
+> **NOTE:** The `identity` capability doesn't deploy any resources, as it configures Azure Policy on the Identity Management Group only. As such, `identity` doesn't have a dedicated provider.
+
+To prevent the need to redeploy these resources, you can simply run the `terraform state mv` command to move each updated resource within the state file before running `terraform plan` and `terraform apply` using the updated module version.
+
+The following PowerShell script can be used to assist with this process, using a RegEx pattern to extract a list of the resources which should be updated, and then moving them to the target name:
+
+```powershell
+[regex]$pattern = "(?<=module.([^.]+).(azurerm_resource_group|azurerm_log_analytics_workspace|azurerm_automation_account|azurerm_log_analytics_linked_service|azurerm_log_analytics_solution).)enterprise_scale"
+
+[array]$(terraform state list) | ForEach-Object {
+    if ($pattern.IsMatch($_)) {
+        $newName = $pattern.Replace($_, "management")
+        Write-Host "Found resource to move..."
+        Write-Host " - Current resource name : $($_)"
+        Write-Host " - New resource name     : $($newName)"
+        # Comment out the following line to check the script is proposing the expected resource moves.
+        terraform state mv $($_ -replace '"', '\"') $($newName -replace '"', '\"')
+    }
+}
+```
+
+> **IMPORTANT:** Whilst every effort has been made to ensure this script works correctly in a test environment, it may behave differently in your environment.
+> Therefore we strongly recommend to backup your Terraform State files before attempting to run/use this script.
+> As described in the MIT license associated with this repository, this script is provided as-is with no warranty or liability associated with its use.
+
+Unfortunately it is not possible to take this approach with the [`azurerm_policy_assignment` (deprecated)][azurerm_policy_assignment] resources, as these are being changed to a different resource type. As such, these resources will be redeployed as part of the upgrade process.
+
+To provide consistency across `Connectivity`, `Identity`, and `Management` resource configuration, the \[*currently undocumented*\] `configure_management_resources.advanced.custom_settings_by_resource_type` configuration object has also been updated to follow a consistent schema.
+
+### Outputs
+
+In line with the changes above, the module outputs have also been restructured to better reflect the resource naming.
+
+This includes:
+
+- Management Groups are now output by the actual resource name (i.e. `level_1`, `level_2`, `level_3`, `level_4`, `level_5`, `level_6` instead of `enterprise_scale`)
+- Additional outputs are added to reflect the updated `management` resources and new `connectivity` resources.
+
+## Next steps
+
+Take a look at the latest [User Guide](./User-Guide) documentation and our [Examples](./Examples) to understand the latest module configuration options, and review your implementation against the changes documented on this page.
+
+[//]: # "************************"
+[//]: # "INSERT LINK LABELS BELOW"
+[//]: # "************************"
+
+[terraform-registry-caf-enterprise-scale]: https://registry.terraform.io/modules/Azure/caf-enterprise-scale/azurerm/latest "Terraform Registry: Terraform Module for Cloud Adoption Framework Enterprise-scale"
+[azure/enterprise-scale]: https://github.com/Azure/Enterprise-Scale
+
+[ESLZ-Management]:   https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/enterprise-scale/management-and-monitoring
+[ESLZ-Connectivity]: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/enterprise-scale/network-topology-and-connectivity
+[ESLZ-Identity]:     https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/enterprise-scale/identity-and-access-management
+
+[azurerm_management_group_policy_assignment]: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/management_group_policy_assignment
+[azurerm_policy_assignment]:                  https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/policy_assignment
+
+[wiki_provider_configuration]: ./%5BUser-Guide%5D-Provider-Configuration "Wiki - Provider Configuration"
--- a/docs/wiki/[Variables]-archetype_config_overrides.md
+++ b/docs/wiki/[Variables]-archetype_config_overrides.md
@ -47,4 +47,5 @@ The [`archetype_config`](https://github.com/Azure/terraform-azurerm-caf-enterpri
 [//]: # "************************"
 [//]: # "INSERT LINK LABELS BELOW"
 [//]: # "************************"
+
 [this_page]: # "Link for the current page."
--- a/docs/wiki/[Variables]-configure_connectivity_resources.md
+++ b/docs/wiki/[Variables]-configure_connectivity_resources.md
@ -0,0 +1 @@
+_coming soon_
--- a/docs/wiki/[Variables]-configure_identity_resources.md
+++ b/docs/wiki/[Variables]-configure_identity_resources.md
@ -0,0 +1 @@
+_coming soon_
--- a/docs/wiki/[Variables]-configure_management_resources.md
+++ b/docs/wiki/[Variables]-configure_management_resources.md
@ -0,0 +1 @@
+_coming soon_
--- a/docs/wiki/[Variables]-create_duration_delay.md
+++ b/docs/wiki/[Variables]-create_duration_delay.md
@ -43,4 +43,5 @@ Change the delay period of the specified resource type.
 [//]: # "************************"
 [//]: # "INSERT LINK LABELS BELOW"
 [//]: # "************************"
+
 [this_page]: # "Link for the current page."
--- a/docs/wiki/[Variables]-custom_landing_zones.md
+++ b/docs/wiki/[Variables]-custom_landing_zones.md
@ -45,7 +45,7 @@ The main block parameters are `display_name`, `parent_management_group_id`, `sub

 ```hcl
  custom_landing_zones = {
-    myorg-1-customer-corp = {
+    myorg-customer-corp = {
      display_name               = ""
      parent_management_group_id = ""
      subscription_ids           = []
@ -61,4 +61,5 @@ The main block parameters are `display_name`, `parent_management_group_id`, `sub
 [//]: # "************************"
 [//]: # "INSERT LINK LABELS BELOW"
 [//]: # "************************"
+
 [this_page]: # "Link for the current page."
--- a/docs/wiki/[Variables]-custom_policy_roles.md
+++ b/docs/wiki/[Variables]-custom_policy_roles.md
@ -0,0 +1 @@
+_coming soon_
--- a/docs/wiki/[Variables]-default_location.md
+++ b/docs/wiki/[Variables]-default_location.md
@ -2,7 +2,8 @@

 [**default_location**](#overview) `string` (optional)

-Set the Azure region in which region bound resources will be deployed.
+If specified, will set the Azure region in which region bound resources will be deployed.
+Please see: [https://azure.microsoft.com/en-gb/global-infrastructure/geographies/][msdocs_azure_geographies]

 ## Default value

@ -16,7 +17,7 @@ None

 ## Usage

-Set the value to your [Azure region](https://azure.microsoft.com/en-gb/global-infrastructure/geographies/) of choice.
+Set the value to your [Azure region][msdocs_azure_geographies] of choice.

 ```hcl
  default_location = "uksouth"
@ -27,4 +28,7 @@ Set the value to your [Azure region](https://azure.microsoft.com/en-gb/global-in
 [//]: # "************************"
 [//]: # "INSERT LINK LABELS BELOW"
 [//]: # "************************"
+
 [this_page]: # "Link for the current page."
+
+[msdocs_azure_geographies]: https://azure.microsoft.com/en-gb/global-infrastructure/geographies/ "Find the Azure geography that meets your needs"
--- a/docs/wiki/[Variables]-default_tags.md
+++ b/docs/wiki/[Variables]-default_tags.md
@ -0,0 +1,47 @@
+## Overview
+
+[**default_tags**](#overview) `map(string)` (optional)
+
+Set the default tags to apply to all resources created by the module, where supported. Please refer to the [Tag support for Azure resources][msdocs_azure_tag_support] documentation for more information on which resources support tags.
+
+## Default value
+
+`{}`
+
+## Validation
+
+None
+
+## Usage
+
+Create a custom tag block containing the tags of your choice.
+
+```hcl
+  default_tags = {
+      myTagName = "MyTagValue"
+  }
+```
+
+Tags must meet the supported [tagging limitations][msdocs_azure_tag_limitations] set by the platform.
+
+Although not set by the `default_tags` input variable, the module will apply a set of base tags to all resources allowing you to easily identify that they were created by this module, including the module version as per the below example:
+
+```hcl
+{
+   deployedBy = "terraform/azure/caf-enterprise-scale/{{module_version}}"
+}
+```
+
+This helps you to easily identify which resources are managed by the module when working interactively with resources through the Portal, Azure Powershell, AZ CLI, or any other SDK.
+Although we advise against this, this can be disabled by setting the input variable [`disable_base_module_tags = true`][disable_base_module_tags] in the module block.
+
+[//]: # "************************"
+[//]: # "INSERT LINK LABELS BELOW"
+[//]: # "************************"
+
+[this_page]: # "Link for the current page."
+
+[msdocs_azure_tag_support]:     https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/tag-support "Tag support for Azure resources"
+[msdocs_azure_tag_limitations]: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json#limitations "Use tags to organize your Azure resources and management hierarchy #Limitations"
+
+[disable_base_module_tags]: ./%5BVariables%5D-disable_base_module_tags "Instructions for how to use the disable_base_module_tags variable."
--- a/docs/wiki/[Variables]-deploy_connectivity_resources.md
+++ b/docs/wiki/[Variables]-deploy_connectivity_resources.md
@ -0,0 +1,35 @@
+## Overview
+
+[**deploy_connectivity_resources**](#overview) `bool` (optional)
+
+If set to true, will enable the "Connectivity" landing zone settings and add "Connectivity" resources into the current Subscription context.
+
+## Default value
+
+`false`
+
+## Validation
+
+None
+
+## Usage
+
+Simply add the `deploy_connectivity_resources` input variable to the module block, and set the value to either true or false.
+
+```hcl
+deploy_connectivity_resources = true
+```
+
+Setting this value to true will update the input parameters on a number of related Policy Assignments.
+To ensure the correct values are generated, be careful to ensure you provide the correct value for [`subscription_id_connectivity`][subscription_id_connectivity]. In a standard deployment, this will be the same as the Subscription ID from the current context.
+
+The resources deployed by this module and their corresponding configuration settings also depend on which options are selected in the [`configure_connectivity_resources`][configure_connectivity_resources] input variable.
+
+[//]: # "************************"
+[//]: # "INSERT LINK LABELS BELOW"
+[//]: # "************************"
+
+[this_page]: # "Link for the current page."
+
+[subscription_id_connectivity]:     ./%5BVariables%5D-subscription_id_connectivity "Instructions for how to use the subscription_id_connectivity variable."
+[configure_connectivity_resources]: ./%5BVariables%5D-configure_connectivity_resources "Instructions for how to use the configure_connectivity_resources variable."
--- a/docs/wiki/[Variables]-deploy_core_landing_zones.md
+++ b/docs/wiki/[Variables]-deploy_core_landing_zones.md
@ -32,4 +32,5 @@ This is for advanced scenarios such as:
 [//]: # "************************"
 [//]: # "INSERT LINK LABELS BELOW"
 [//]: # "************************"
+
 [this_page]: # "Link for the current page."
--- a/docs/wiki/[Variables]-deploy_demo_landing_zones.md
+++ b/docs/wiki/[Variables]-deploy_demo_landing_zones.md
@ -27,4 +27,5 @@ To see the effect of this change, please refer to the [Demo landing zones exampl
 [//]: # "************************"
 [//]: # "INSERT LINK LABELS BELOW"
 [//]: # "************************"
+
 [this_page]: # "Link for the current page."
--- a/docs/wiki/[Variables]-deploy_identity_resources.md
+++ b/docs/wiki/[Variables]-deploy_identity_resources.md
@ -0,0 +1,34 @@
+## Overview
+
+[**deploy_identity_resources**](#overview) `bool` (optional)
+
+If set to true, will enable the "Identity" landing zone settings.
+
+## Default value
+
+`false`
+
+## Validation
+
+None
+
+## Usage
+
+Simply add the `deploy_identity_resources` input variable to the module block, and set the value to either true or false.
+
+```hcl
+deploy_identity_resources = true
+```
+
+Setting this value to true will update the input parameters on a number of related Policy Assignments.
+
+No additional resources are deployed by this module when setting this value to `true`, however their corresponding configuration settings also depend on which options are selected in the [`configure_identity_resources`][configure_identity_resources] input variable.
+
+[//]: # "************************"
+[//]: # "INSERT LINK LABELS BELOW"
+[//]: # "************************"
+
+[this_page]: # "Link for the current page."
+
+[subscription_id_identity]:     ./%5BVariables%5D-subscription_id_identity "Instructions for how to use the subscription_id_identity variable."
+[configure_identity_resources]: ./%5BVariables%5D-configure_identity_resources "Instructions for how to use the configure_identity_resources variable."
--- a/docs/wiki/[Variables]-deploy_management_resources.md
+++ b/docs/wiki/[Variables]-deploy_management_resources.md
@ -0,0 +1,35 @@
+## Overview
+
+[**deploy_management_resources**](#overview) `bool` (optional)
+
+If set to true, will enable the "Management" landing zone settings and add "Management" resources into the current Subscription context.
+
+## Default value
+
+`false`
+
+## Validation
+
+None
+
+## Usage
+
+Simply add the `deploy_management_resources` input variable to the module block, and set the value to either true or false.
+
+```hcl
+deploy_management_resources = true
+```
+
+Setting this value to true will update the input parameters on a number of related Policy Assignments.
+To ensure the correct values are generated, be careful to ensure you provide the correct value for [`subscription_id_management`][subscription_id_management]. In a standard deployment, this will be the same as the Subscription ID from the current context.
+
+The resources deployed by this module and their corresponding configuration settings also depend on which options are selected in the [`configure_management_resources`][configure_management_resources] input variable.
+
+[//]: # "************************"
+[//]: # "INSERT LINK LABELS BELOW"
+[//]: # "************************"
+
+[this_page]: # "Link for the current page."
+
+[subscription_id_management]:     ./%5BVariables%5D-subscription_id_management "Instructions for how to use the subscription_id_management variable."
+[configure_management_resources]: ./%5BVariables%5D-configure_management_resources "Instructions for how to use the configure_management_resources variable."
--- a/docs/wiki/[Variables]-destroy_duration_delay.md
+++ b/docs/wiki/[Variables]-destroy_duration_delay.md
@ -35,4 +35,5 @@ In the following, we set a 30s delay after the destruction of `azurerm_policy_as
 [//]: # "************************"
 [//]: # "INSERT LINK LABELS BELOW"
 [//]: # "************************"
+
 [this_page]: # "Link for the current page."
--- a/docs/wiki/[Variables]-disable_base_module_tags.md
+++ b/docs/wiki/[Variables]-disable_base_module_tags.md
@ -0,0 +1,43 @@
+## Overview
+
+[**disable_base_module_tags**](#overview) `bool` (optional)
+
+If set to true, will remove the base module tags applied to all resources deployed by the module which support tags.
+
+## Default value
+
+`false`
+
+## Validation
+
+None
+
+## Usage
+
+Although not set by the `default_tags` input variable, the module will apply a set of base tags to all resources allowing you to easily identify that they were created by this module, including the module version as per the below example:
+
+```hcl
+{
+   deployedBy = "terraform/azure/caf-enterprise-scale/{{module_version}}"
+}
+```
+
+This helps you to easily identify which resources are managed by the module when working interactively with resources through the Portal, Azure Powershell, AZ CLI, or any other SDK.
+Although we advise against this, this can be disabled by setting the input variable [`disable_base_module_tags = true`][disable_base_module_tags] in the module block.
+
+To prevent the module from appending the base module tags, simply set the following input variable in your module block:
+
+```hcl
+disable_base_module_tags = true
+```
+
+[//]: # "************************"
+[//]: # "INSERT LINK LABELS BELOW"
+[//]: # "************************"
+
+[this_page]: # "Link for the current page."
+
+[msdocs_azure_tag_support]:     https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/tag-support "Tag support for Azure resources"
+[msdocs_azure_tag_limitations]: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json#limitations "Use tags to organize your Azure resources and management hierarchy #Limitations"
+
+[disable_base_module_tags]: ./%5BVariables%5D-disable_base_module_tags "Instructions for how to use the disable_base_module_tags variable."
--- a/docs/wiki/[Variables]-library_path.md
+++ b/docs/wiki/[Variables]-library_path.md
@ -25,4 +25,5 @@ Set the path to a custom directory within your root module.
 [//]: # "************************"
 [//]: # "INSERT LINK LABELS BELOW"
 [//]: # "************************"
+
 [this_page]: # "Link for the current page."
--- a/docs/wiki/[Variables]-root_id.md
+++ b/docs/wiki/[Variables]-root_id.md
@ -16,10 +16,10 @@ The `root_id` must be a string between 2 to 10 characters long and can only cont

 ## Usage

-To set a custom Name (ID) value for the Enterprise-scale "root" Management Group to `myorg-1`, set the value of `root_id` as below:
+To set a custom Name (ID) value for the Enterprise-scale "root" Management Group to `myorg`, set the value of `root_id` as below:

 ```hcl
-  root_id = "myorg-1"
+  root_id = "myorg"
 ```

 > WARNING: Changing this value will cause Terraform to re-create <u>all</u> resources managed by this module
@ -27,4 +27,5 @@ To set a custom Name (ID) value for the Enterprise-scale "root" Management Group
 [//]: # "************************"
 [//]: # "INSERT LINK LABELS BELOW"
 [//]: # "************************"
+
 [this_page]: # "Link for the current page."
--- a/docs/wiki/[Variables]-root_name.md
+++ b/docs/wiki/[Variables]-root_name.md
@ -16,14 +16,15 @@ The `root_name` value must be a string between 2 to 24 characters long, start wi

 ## Usage

-To set a custom Display Name value for the Enterprise-scale "root" Management Group to `My Organization 1`, set the value of `root_name` as below:
+To set a custom Display Name value for the Enterprise-scale "root" Management Group to `My Organization`, set the value of `root_name` as below:

 ```hcl
-  root_name = "My Organization 1"
+  root_name = "My Organization"

 ```

 [//]: # "************************"
 [//]: # "INSERT LINK LABELS BELOW"
 [//]: # "************************"
+
 [this_page]: # "Link for the current page."
--- a/docs/wiki/[Variables]-root_parent_id.md
+++ b/docs/wiki/[Variables]-root_parent_id.md
@ -36,4 +36,5 @@ The following shows how you would configure the `root_parent_id` to the core "La
 [//]: # "************************"
 [//]: # "INSERT LINK LABELS BELOW"
 [//]: # "************************"
+
 [this_page]: # "Link for the current page."
--- a/docs/wiki/[Variables]-subscription_id_connectivity.md
+++ b/docs/wiki/[Variables]-subscription_id_connectivity.md
@ -0,0 +1,33 @@
+## Overview
+
+[**subscription_id_connectivity**](#overview) `string` (optional)
+
+If specified, identifies the Platform subscription for \"Connectivity\" for resource deployment and correct placement in the Management Group hierarchy.
+
+## Default value
+
+`""`
+
+## Validation
+
+The `subscription_id_connectivity` value must be a valid GUID, matching the following RegEx:
+
+`^[a-z0-9-]{36}$`
+
+## Usage
+
+To identify the Connectivity Subscription by ID, set the `subscription_id_connectivity` input variable in the module block and specify the desired Subscription ID as the value.
+
+```hcl
+  subscription_id_connectivity = "00000000-0000-0000-0000-000000000000"
+```
+
+> **NOTE:** This input variable is used to control the data model for setting up the correct values for Policy Assignments and to move the Subscription to the "Connectivity" Management Group, but does not control which Subscription the resources are deployed into. To ensure resources are deployed in the correct Subscription, please refer to our guidance on [Provider Configuration][wiki_provider_configuration].
+
+[//]: # "************************"
+[//]: # "INSERT LINK LABELS BELOW"
+[//]: # "************************"
+
+[this_page]: # "Link for the current page."
+
+[wiki_provider_configuration]: ./%5BUser-Guide%5D-Provider-Configuration "Wiki - Provider Configuration"
--- a/docs/wiki/[Variables]-subscription_id_identity.md
+++ b/docs/wiki/[Variables]-subscription_id_identity.md
@ -0,0 +1,31 @@
+## Overview
+
+[**subscription_id_identity**](#overview) `string` (optional)
+
+If specified, identifies the Platform subscription for \"Identity\" for resource deployment and correct placement in the Management Group hierarchy.
+
+## Default value
+
+`""`
+
+## Validation
+
+The `subscription_id_identity` value must be a valid GUID, matching the following RegEx:
+
+`^[a-z0-9-]{36}$`
+
+## Usage
+
+To identify the Identity Subscription by ID, set the `subscription_id_identity` input variable in the module block and specify the desired Subscription ID as the value.
+
+```hcl
+  subscription_id_identity = "00000000-0000-0000-0000-000000000000"
+```
+
+> **NOTE:** This input variable is used to control the data model for setting up the correct values for Policy Assignments and to move the Subscription to the "Identity" Management Group. No additional resources are deployed to this Subscription.
+
+[//]: # "************************"
+[//]: # "INSERT LINK LABELS BELOW"
+[//]: # "************************"
+
+[this_page]: # "Link for the current page."
--- a/docs/wiki/[Variables]-subscription_id_management.md
+++ b/docs/wiki/[Variables]-subscription_id_management.md
@ -0,0 +1,33 @@
+## Overview
+
+[**subscription_id_management**](#overview) `string` (optional)
+
+If specified, identifies the Platform subscription for \"Management\" for resource deployment and correct placement in the Management Group hierarchy.
+
+## Default value
+
+`""`
+
+## Validation
+
+The `subscription_id_management` value must be a valid GUID, matching the following RegEx:
+
+`^[a-z0-9-]{36}$`
+
+## Usage
+
+To identify the Management Subscription by ID, set the `subscription_id_management` input variable in the module block and specify the desired Subscription ID as the value.
+
+```hcl
+  subscription_id_management = "00000000-0000-0000-0000-000000000000"
+```
+
+> **NOTE:** This input variable is used to control the data model for setting up the correct values for Policy Assignments and to move the Subscription to the "Management" Management Group, but does not control which Subscription the resources are deployed into. To ensure resources are deployed in the correct Subscription, please refer to our guidance on [Provider Configuration][wiki_provider_configuration].
+
+[//]: # "************************"
+[//]: # "INSERT LINK LABELS BELOW"
+[//]: # "************************"
+
+[this_page]: # "Link for the current page."
+
+[wiki_provider_configuration]: ./%5BUser-Guide%5D-Provider-Configuration "Wiki - Provider Configuration"
--- a/docs/wiki/[Variables]-subscription_id_overrides.md
+++ b/docs/wiki/[Variables]-subscription_id_overrides.md
@ -35,4 +35,5 @@ A full list of default Management Groups:
 [//]: # "************************"
 [//]: # "INSERT LINK LABELS BELOW"
 [//]: # "************************"
+
 [this_page]: # "Link for the current page."
--- a/docs/wiki/[Variables]-template_file_variables.md
+++ b/docs/wiki/[Variables]-template_file_variables.md
@ -14,9 +14,62 @@ None

 ## Usage

-_coming soon_
+The module includes a set of built-in template file variables which are based on the following map object:
+
+```hcl
+  builtin_template_file_variables = {
+    root_scope_id             = basename(local.root_id)
+    root_scope_resource_id    = local.root_id
+    current_scope_id          = basename(local.scope_id)
+    current_scope_resource_id = local.scope_id
+    default_location          = local.default_location
+    location                  = local.default_location
+    builtin                   = local.builtin_library_path
+    builtin_library_path      = local.builtin_library_path
+    custom                    = local.custom_library_path
+    custom_library_path       = local.custom_library_path
+  }
+```
+
+For any template file in the library, these values are used to substitute the template variable with the actual value when the file is loaded into the module.
+
+The template variables available for use within the template files can be extended by setting the `template_file_variables` input variable in your module block, with a custom `map(string)` object value. As long as the key matches the variable used in the template, the value should be inserted during import.
+
+To specify custom template variables, simply add the following input variable to the module block:
+
+```hcl
+  template_file_variables = {
+    myCustomValue1 = "This is a custom template value"
+    myCustomValue2 = "Must be a valid string value"
+  }
+```
+
+As an example, if you had a simple template file like the following:
+
+```json
+{
+    "myRootScopeId": "${root_scope_id}",
+    "myRootScopeResourceId": "${root_scope_resource_id}",
+    "myCustomValue1": "${myCustomValue1}",
+    "myCustomValue2": "${myCustomValue3}"
+}
+```
+
+And were to import this in a run where the `root_id` input variable was set to `"myTemplateDemo"`, the template function would convert it to the following during import:
+
+```json
+{
+    "myRootScopeId": "myTemplateDemo",
+    "myRootScopeResourceId": "/providers/Microsoft.Management/managementGroups/myTemplateDemo",
+    "myCustomValue1": "This is a custom template value",
+    "myCustomValue2": "Must be a valid string value"
+}
+```
+
+> **NOTE:** We have intentionally ordered the `merge()` values to ensure `builtin_template_file_variables` values are applied in preference over any conflicting values provided in `template_file_variables`. This is to prevent unexpected module behaviour. Please ensure to use unique template variable names to avoid unexpected results.

 [//]: # "************************"
 [//]: # "INSERT LINK LABELS BELOW"
 [//]: # "************************"
+
 [this_page]: # "Link for the current page."
--- a/docs/wiki/_Footer.md
+++ b/docs/wiki/_Footer.md
@ -1,2 +1,3 @@
-**This wiki is being actively developed**  
+**This wiki is being actively developed**
+
 If you discover any documentation bugs or would like to request new content, please raise them as an [issue](https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/issues) or feel free to contribute to the wiki via a [pull request](https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/pulls). The wiki docs are located in the repository in the `docs/wiki/` folder.
--- a/docs/wiki/_Sidebar.md
+++ b/docs/wiki/_Sidebar.md
@ -6,14 +6,22 @@
 - [User Guide][wiki_user_guide]
  - [Getting Started][wiki_getting_started]
  - [Module Variables][wiki_module_variables]
+  - [Provider Configuration][wiki_provider_configuration]
  - [Archetype Definitions][wiki_archetype_definitions]
-  - [Deploy Management Resources][wiki_deploy_management_resources]
+  - [Core Resources][wiki_core_resources]
+  - [Management Resources][wiki_management_resources]
+  - [Connectivity Resources][wiki_connectivity_resources]
+  - [Identity Resources][wiki_identity_resources]
  - [Upgrade from v0.0.8 to v0.1.0][wiki_upgrade_from_v0_0_8_to_v0_1_0]
  - [Upgrade from v0.1.2 to v0.2.0][wiki_upgrade_from_v0_1_2_to_v0_2_0]
+  - [Upgrade from v0.3.3 to v0.4.0][wiki_upgrade_from_v0_3_3_to_v0_4_0]
 - [Examples][wiki_examples]
  - [Deploy Default Configuration][wiki_deploy_default_configuration]
  - [Deploy Demo Landing Zone Archetypes][wiki_deploy_demo_landing_zone_archetypes]
  - [Deploy Custom Landing Zone Archetypes][wiki_deploy_custom_landing_zone_archetypes]
+  - [Deploy Management Resources][wiki_deploy_management_resources]
+  - [Deploy Connectivity Resources][wiki_deploy_connectivity_resources]
+  - [Deploy Identity Resources][wiki_deploy_identity_resources]
  - [Expand Built-in Archetype Definitions][wiki_expand_built_in_archetype_definitions]
  - [Deploy Using Module Nesting][wiki_deploy_using_module_nesting]
  - [Override Module Role Assignments][wiki_override_module_role_assignments]
@ -28,25 +36,34 @@
 [//]: # "************************"
 [//]: # "INSERT LINK LABELS BELOW"
 [//]: # "************************"
-[wiki_home]: https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/Home "Wiki - Home"
-[wiki_user_guide]: https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/User-Guide "Wiki - User Guide"
-[wiki_getting_started]: https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BUser-Guide%5D-Getting-Started "Wiki - Getting Started"
-[wiki_module_variables]: https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BUser-Guide%5D-Module-Variables "Wiki - Module Variables"
-[wiki_archetype_definitions]: https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BUser-Guide%5D-Archetype-Definitions "Wiki - Archetype Definitions"
-[wiki_upgrade_from_v0_0_8_to_v0_1_0]: https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BUser-Guide%5D-Upgrade-from-v0.0.8-to-v0.1.0 "Wiki - Upgrade from v0.0.8 to v0.1.0"
-[wiki_upgrade_from_v0_1_2_to_v0_2_0]: https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BUser-Guide%5D-Upgrade-from-v0.1.2-to-v0.2.0 "Wiki - Upgrade from v0.1.2 to v0.2.0"
-[wiki_deploy_management_resources]: https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BUser-Guide%5D-Deploy-Management-Resources "Wiki - Deploy Management Resources"
-[wiki_examples]: https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/Examples "Wiki - Examples"
-[wiki_deploy_default_configuration]: https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BExamples%5D-Deploy-Default-Configuration "Wiki - Deploy Default Configuration"
-[wiki_deploy_demo_landing_zone_archetypes]: https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BExamples%5D-Deploy-Demo-Landing-Zone-Archetypes "Wiki - Deploy Demo Landing Zone Archetypes"
-[wiki_deploy_custom_landing_zone_archetypes]: https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BExamples%5D-Deploy-Custom-Landing-Zone-Archetypes "Wiki - Deploy Custom Landing Zone Archetypes"
-[wiki_deploy_using_module_nesting]: https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BExamples%5D-Deploy-Using-Module-Nesting "Wiki - Deploy Using Module Nesting"
-[wiki_frequently_asked_questions]: https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/Frequently-Asked-Questions "Wiki - Frequently Asked Questions"
-[wiki_troubleshooting]: https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/Troubleshooting "Wiki - Troubleshooting"
-[wiki_contributing]: https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/Contributing "Wiki - Contributing"
-[wiki_raising_an_issue]: https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/Raising-an-Issue "Wiki - Raising an Issue"
-[wiki_feature_requests]: https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/Feature-Requests "Wiki - Feature Requests"
-[wiki_contributing_to_code]: https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/Contributing-to-Code "Wiki - Contributing to Code"
-[wiki_contributing_to_documentation]: https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/Contributing-to-Documentation "Wiki - Contributing to Documentation"
-[wiki_expand_built_in_archetype_definitions]: https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BExamples%5D-Expand-Built-in-Archetype-Definitions "Wiki - Expand Built-in Archetype Definitions"
-[wiki_override_module_role_assignments]: https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BExamples%5D-Override-Module-Role-Assignments "Wiki - Override Module Role Assignments"
+
+[wiki_home]:                                  ./Home "Wiki - Home"
+[wiki_user_guide]:                            ./User-Guide "Wiki - User Guide"
+[wiki_getting_started]:                       ./%5BUser-Guide%5D-Getting-Started "Wiki - Getting Started"
+[wiki_module_variables]:                      ./%5BUser-Guide%5D-Module-Variables "Wiki - Module Variables"
+[wiki_provider_configuration]:                ./%5BUser-Guide%5D-Provider-Configuration "Wiki - Provider Configuration"
+[wiki_archetype_definitions]:                 ./%5BUser-Guide%5D-Archetype-Definitions "Wiki - Archetype Definitions"
+[wiki_core_resources]:                        ./%5BUser-Guide%5D-Core-Resources "Wiki - Core Resources"
+[wiki_management_resources]:                  ./%5BUser-Guide%5D-Management-Resources "Wiki - Management Resources"
+[wiki_connectivity_resources]:                ./%5BUser-Guide%5D-Connectivity-Resources "Wiki - Connectivity Resources"
+[wiki_identity_resources]:                    ./%5BUser-Guide%5D-Identity-Resources "Wiki - Identity Resources"
+[wiki_upgrade_from_v0_0_8_to_v0_1_0]:         ./%5BUser-Guide%5D-Upgrade-from-v0.0.8-to-v0.1.0 "Wiki - Upgrade from v0.0.8 to v0.1.0"
+[wiki_upgrade_from_v0_1_2_to_v0_2_0]:         ./%5BUser-Guide%5D-Upgrade-from-v0.1.2-to-v0.2.0 "Wiki - Upgrade from v0.1.2 to v0.2.0"
+[wiki_upgrade_from_v0_3_3_to_v0_4_0]:         ./%5BUser-Guide%5D-Upgrade-from-v0.3.3-to-v0.4.0 "Wiki - Upgrade from v0.3.3 to v0.4.0"
+[wiki_examples]:                              ./Examples "Wiki - Examples"
+[wiki_deploy_default_configuration]:          ./%5BExamples%5D-Deploy-Default-Configuration "Wiki - Deploy Default Configuration"
+[wiki_deploy_demo_landing_zone_archetypes]:   ./%5BExamples%5D-Deploy-Demo-Landing-Zone-Archetypes "Wiki - Deploy Demo Landing Zone Archetypes"
+[wiki_deploy_custom_landing_zone_archetypes]: ./%5BExamples%5D-Deploy-Custom-Landing-Zone-Archetypes "Wiki - Deploy Custom Landing Zone Archetypes"
+[wiki_deploy_management_resources]:           ./%5BExamples%5D-Deploy-Management-Resources "Wiki - Deploy Management Resources"
+[wiki_deploy_connectivity_resources]:         ./%5BExamples%5D-Deploy-Connectivity-Resources "Wiki - Deploy Connectivity Resources"
+[wiki_deploy_identity_resources]:             ./%5BExamples%5D-Deploy-Identity-Resources "Wiki - Deploy Identity Resources"
+[wiki_deploy_using_module_nesting]:           ./%5BExamples%5D-Deploy-Using-Module-Nesting "Wiki - Deploy Using Module Nesting"
+[wiki_frequently_asked_questions]:            ./Frequently-Asked-Questions "Wiki - Frequently Asked Questions"
+[wiki_troubleshooting]:                       ./Troubleshooting "Wiki - Troubleshooting"
+[wiki_contributing]:                          ./Contributing "Wiki - Contributing"
+[wiki_raising_an_issue]:                      ./Raising-an-Issue "Wiki - Raising an Issue"
+[wiki_feature_requests]:                      ./Feature-Requests "Wiki - Feature Requests"
+[wiki_contributing_to_code]:                  ./Contributing-to-Code "Wiki - Contributing to Code"
+[wiki_contributing_to_documentation]:         ./Contributing-to-Documentation "Wiki - Contributing to Documentation"
+[wiki_expand_built_in_archetype_definitions]: ./%5BExamples%5D-Expand-Built-in-Archetype-Definitions "Wiki - Expand Built-in Archetype Definitions"
+[wiki_override_module_role_assignments]:      ./%5BExamples%5D-Override-Module-Role-Assignments "Wiki - Override Module Role Assignments"
--- a/docs/wiki/media/azure.svg
+++ b/docs/wiki/media/azure.svg
@ -1 +1 @@
-<svg height="67.176529" viewBox="0 0 86.68106 67.17653" width="86.681061" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><clipPath id="a"><path d="m0 80.087h229.403v-80.087h-229.403z"/></clipPath><g clip-path="url(#a)" fill="#0072c6" transform="matrix(1.3333333 0 0 -1.3333333 -20.000133 86.979464)"><path d="m0 0 50.159-.004-27.016 46.822-8.228-22.606 15.799-18.796z" transform="translate(29.8519 14.8562)"/><path d="m0 0-19.307-16.2-16.534-28.638h14.912v-.045z" transform="translate(50.8411 65.2346)"/></g></svg>
+<svg xmlns="http://www.w3.org/2000/svg" width="60px" height="60px" viewBox="0 0 96 96"><defs><linearGradient id="e399c19f-b68f-429d-b176-18c2117ff73c" x1="-1032.172" x2="-1059.213" y1="145.312" y2="65.426" gradientTransform="matrix(1 0 0 -1 1075 158)" gradientUnits="userSpaceOnUse"><stop offset="0" stop-color="#114a8b"></stop><stop offset="1" stop-color="#0669bc"></stop></linearGradient><linearGradient id="ac2a6fc2-ca48-4327-9a3c-d4dcc3256e15" x1="-1023.725" x2="-1029.98" y1="108.083" y2="105.968" gradientTransform="matrix(1 0 0 -1 1075 158)" gradientUnits="userSpaceOnUse"><stop offset="0" stop-opacity=".3"></stop><stop offset=".071" stop-opacity=".2"></stop><stop offset=".321" stop-opacity=".1"></stop><stop offset=".623" stop-opacity=".05"></stop><stop offset="1" stop-opacity="0"></stop></linearGradient><linearGradient id="a7fee970-a784-4bb1-af8d-63d18e5f7db9" x1="-1027.165" x2="-997.482" y1="147.642" y2="68.561" gradientTransform="matrix(1 0 0 -1 1075 158)" gradientUnits="userSpaceOnUse"><stop offset="0" stop-color="#3ccbf4"></stop><stop offset="1" stop-color="#2892df"></stop></linearGradient></defs><path fill="url(#e399c19f-b68f-429d-b176-18c2117ff73c)" d="M33.338 6.544h26.038l-27.03 80.087a4.152 4.152 0 0 1-3.933 2.824H8.149a4.145 4.145 0 0 1-3.928-5.47L29.404 9.368a4.152 4.152 0 0 1 3.934-2.825z"></path><path fill="#0078d4" d="M71.175 60.261h-41.29a1.911 1.911 0 0 0-1.305 3.309l26.532 24.764a4.171 4.171 0 0 0 2.846 1.121h23.38z"></path><path fill="url(#ac2a6fc2-ca48-4327-9a3c-d4dcc3256e15)" d="M33.338 6.544a4.118 4.118 0 0 0-3.943 2.879L4.252 83.917a4.14 4.14 0 0 0 3.908 5.538h20.787a4.443 4.443 0 0 0 3.41-2.9l5.014-14.777 17.91 16.705a4.237 4.237 0 0 0 2.666.972H81.24L71.024 60.261l-29.781.007L59.47 6.544z"></path><path fill="url(#a7fee970-a784-4bb1-af8d-63d18e5f7db9)" d="M66.595 9.364a4.145 4.145 0 0 0-3.928-2.82H33.648a4.146 4.146 0 0 1 3.928 2.82l25.184 74.62a4.146 4.146 0 0 1-3.928 5.472h29.02a4.146 4.146 0 0 0 3.927-5.472z"></path></svg>
--- a/docs/wiki/media/examples-deploy-custom-demo-landing-zone-archetypes.png
+++ b/docs/wiki/media/examples-deploy-custom-demo-landing-zone-archetypes.png
--- a/docs/wiki/media/examples-deploy-default-configuration.png
+++ b/docs/wiki/media/examples-deploy-default-configuration.png
--- a/docs/wiki/media/examples-deploy-demo-landing-zone-archetypes.png
+++ b/docs/wiki/media/examples-deploy-demo-landing-zone-archetypes.png
--- a/docs/wiki/media/examples-deploy-management-resources.png
+++ b/docs/wiki/media/examples-deploy-management-resources.png
--- a/docs/wiki/media/terraform-caf-enterprise-scale-connectivity.png
+++ b/docs/wiki/media/terraform-caf-enterprise-scale-connectivity.png
--- a/docs/wiki/media/terraform-caf-enterprise-scale-identity.png
+++ b/docs/wiki/media/terraform-caf-enterprise-scale-identity.png
--- a/locals.connectivity.tf
+++ b/locals.connectivity.tf
@ -0,0 +1,175 @@
+# The following locals are used to extract the Resource Group
+# configuration from the solution module outputs.
+locals {
+  es_connectivity_resource_groups = module.connectivity_resources.configuration.azurerm_resource_group
+}
+
+# The following locals are used to build the map of Resource
+# Groups to deploy.
+locals {
+  azurerm_resource_group_connectivity = {
+    for resource in local.es_connectivity_resource_groups :
+    resource.resource_id => resource
+    if resource.managed_by_module
+  }
+}
+
+# The following locals are used to extract the Virtual Network
+# configuration from the solution module outputs.
+locals {
+  es_connectivity_virtual_network = module.connectivity_resources.configuration.azurerm_virtual_network
+}
+
+# The following locals are used to build the map of Virtual
+# Networks to deploy.
+locals {
+  azurerm_virtual_network_connectivity = {
+    for resource in local.es_connectivity_virtual_network :
+    resource.resource_id => resource
+    if resource.managed_by_module
+  }
+}
+
+# The following locals are used to extract the Subnets
+# configuration from the solution module outputs.
+locals {
+  es_connectivity_subnet = module.connectivity_resources.configuration.azurerm_subnet
+}
+
+# The following locals are used to build the map of Subnets
+# to deploy.
+locals {
+  azurerm_subnet_connectivity = {
+    for resource in local.es_connectivity_subnet :
+    resource.resource_id => resource
+    if resource.managed_by_module
+  }
+}
+
+# The following locals are used to extract the Virtual Network
+# Gateway configuration from the solution module outputs.
+locals {
+  es_connectivity_virtual_network_gateway = module.connectivity_resources.configuration.azurerm_virtual_network_gateway
+}
+
+# The following locals are used to build the map of Virtual
+# Network Gateways to deploy.
+locals {
+  azurerm_virtual_network_gateway_connectivity = {
+    for resource in local.es_connectivity_virtual_network_gateway :
+    resource.resource_id => resource
+    if resource.managed_by_module
+  }
+}
+
+# The following locals are used to extract the Public IP
+# configuration from the solution module outputs.
+locals {
+  es_connectivity_public_ip = module.connectivity_resources.configuration.azurerm_public_ip
+}
+
+# The following locals are used to build the map of Public
+# IPs to deploy.
+locals {
+  azurerm_public_ip_connectivity = {
+    for resource in local.es_connectivity_public_ip :
+    resource.resource_id => resource
+    if resource.managed_by_module
+  }
+}
+
+# The following locals are used to extract the Azure Firewall
+# configuration from the solution module outputs.
+locals {
+  es_connectivity_firewall = module.connectivity_resources.configuration.azurerm_firewall
+}
+
+# The following locals are used to build the map of Azure
+# Firewalls to deploy.
+locals {
+  azurerm_firewall_connectivity = {
+    for resource in local.es_connectivity_firewall :
+    resource.resource_id => resource
+    if resource.managed_by_module
+  }
+}
+
+# The following locals are used to extract the DDoS Protection
+# Plan configuration from the solution module outputs.
+locals {
+  es_connectivity_network_ddos_protection_plan = module.connectivity_resources.configuration.azurerm_network_ddos_protection_plan
+}
+
+# The following locals are used to build the map of DDoS
+# Protection Plans to deploy.
+locals {
+  azurerm_network_ddos_protection_plan_connectivity = {
+    for resource in local.es_connectivity_network_ddos_protection_plan :
+    resource.resource_id => resource
+    if resource.managed_by_module
+  }
+}
+
+# The following locals are used to extract the Private DNS Zone
+# configuration from the solution module outputs.
+locals {
+  es_connectivity_private_dns_zone = module.connectivity_resources.configuration.azurerm_private_dns_zone
+}
+
+# The following locals are used to build the map of Private DNS
+# Zones to deploy.
+locals {
+  azurerm_private_dns_zone_connectivity = {
+    for resource in local.es_connectivity_private_dns_zone :
+    resource.resource_id => resource
+    if resource.managed_by_module
+  }
+}
+
+# The following locals are used to extract the Public DNS Zone
+# configuration from the solution module outputs.
+locals {
+  es_connectivity_dns_zone = module.connectivity_resources.configuration.azurerm_dns_zone
+}
+
+# The following locals are used to build the map of Public DNS
+# Zones to deploy.
+locals {
+  azurerm_dns_zone_connectivity = {
+    for resource in local.es_connectivity_dns_zone :
+    resource.resource_id => resource
+    if resource.managed_by_module
+  }
+}
+
+# The following locals are used to extract the Private DNS Zone
+# Virtual Network Links configuration from the solution module outputs.
+locals {
+  es_connectivity_private_dns_zone_virtual_network_link = module.connectivity_resources.configuration.azurerm_private_dns_zone_virtual_network_link
+}
+
+# The following locals are used to build the map of Private DNS Zone
+# Virtual Network Links to deploy.
+locals {
+  azurerm_private_dns_zone_virtual_network_link_connectivity = {
+    for resource in local.es_connectivity_private_dns_zone_virtual_network_link :
+    resource.resource_id => resource
+    if resource.managed_by_module
+  }
+}
+
+# The following locals are used to extract the Virtual Network
+# Peering configuration from the solution module outputs.
+locals {
+  es_connectivity_virtual_network_peering = module.connectivity_resources.configuration.azurerm_virtual_network_peering
+}
+
+# The following locals are used to build the map of Virtual
+# Network Peerings to deploy.
+locals {
+  azurerm_virtual_network_peering_connectivity = {
+    for resource in local.es_connectivity_virtual_network_peering :
+    resource.resource_id => resource
+    if resource.managed_by_module
+  }
+}
--- a/locals.management.tf
+++ b/locals.management.tf
@ -1,14 +1,30 @@
+# The following locals are used to extract the Resource Group
+# configuration from the solution module outputs.
+locals {
+  es_management_resource_groups = module.management_resources.configuration.azurerm_resource_group
+}
+
+# The following locals are used to build the map of Resource
+# Groups to deploy.
+locals {
+  azurerm_resource_group_management = {
+    for resource in local.es_management_resource_groups :
+    resource.resource_id => resource
+    if resource.managed_by_module
+  }
+}
+
 # The following locals are used to extract the Log Analytics
 # configuration from the solution module outputs.
 locals {
-  es_log_analytics_workspaces = module.management_resources.configuration.azurerm_log_analytics_workspace
+  es_management_log_analytics_workspaces = module.management_resources.configuration.azurerm_log_analytics_workspace
 }

 # The following locals are used to build the map of Log
 # Analytics workspaces to deploy.
 locals {
-  azurerm_log_analytics_workspace_enterprise_scale = {
-    for resource in local.es_log_analytics_workspaces :
+  azurerm_log_analytics_workspace_management = {
+    for resource in local.es_management_log_analytics_workspaces :
    resource.resource_id => resource
    if resource.managed_by_module
  }
@ -17,14 +33,14 @@ locals {
 # The following locals are used to extract the Log Analytics
 # Solutions configuration from the solution module outputs.
 locals {
-  es_log_analytics_solution = module.management_resources.configuration.azurerm_log_analytics_solution
+  es_management_log_analytics_solution = module.management_resources.configuration.azurerm_log_analytics_solution
 }

 # The following locals are used to build the map of Log
 # Analytics workspaces to deploy.
 locals {
-  azurerm_log_analytics_solution_enterprise_scale = {
-    for resource in local.es_log_analytics_solution :
+  azurerm_log_analytics_solution_management = {
+    for resource in local.es_management_log_analytics_solution :
    resource.resource_id => resource
    if resource.managed_by_module
  }
@ -33,14 +49,14 @@ locals {
 # The following locals are used to extract the Automation
 # Account configuration from the solution module outputs.
 locals {
-  es_automation_account = module.management_resources.configuration.azurerm_automation_account
+  es_management_automation_account = module.management_resources.configuration.azurerm_automation_account
 }

 # The following locals are used to build the map of Log
 # Analytics workspaces to deploy.
 locals {
-  azurerm_automation_account_enterprise_scale = {
-    for resource in local.es_automation_account :
+  azurerm_automation_account_management = {
+    for resource in local.es_management_automation_account :
    resource.resource_id => resource
    if resource.managed_by_module
  }
@ -49,14 +65,14 @@ locals {
 # The following locals are used to extract the Log Analytics
 # Linked Service configuration from the solution module outputs.
 locals {
-  es_log_analytics_linked_service = module.management_resources.configuration.azurerm_log_analytics_linked_service
+  es_management_log_analytics_linked_service = module.management_resources.configuration.azurerm_log_analytics_linked_service
 }

 # The following locals are used to build the map of Log
 # Analytics workspaces to deploy.
 locals {
-  azurerm_log_analytics_linked_service_enterprise_scale = {
-    for resource in local.es_log_analytics_linked_service :
+  azurerm_log_analytics_linked_service_management = {
+    for resource in local.es_management_log_analytics_linked_service :
    resource.resource_id => resource
    if resource.managed_by_module
  }
--- a/locals.management_groups.tf
+++ b/locals.management_groups.tf
@ -38,7 +38,7 @@ locals {
      access_control = local.empty_map
    }
    "${local.root_id}-connectivity" = {
-      archetype_id   = "es_connectivity_foundation"
+      archetype_id   = "es_connectivity"
      parameters     = local.empty_map
      access_control = local.empty_map
    }
@ -52,18 +52,33 @@ locals {
      parameters     = local.empty_map
      access_control = local.empty_map
    }
+    "${local.root_id}-corp" = {
+      archetype_id   = "es_corp"
+      parameters     = local.empty_map
+      access_control = local.empty_map
+    }
+    "${local.root_id}-online" = {
+      archetype_id   = "es_online"
+      parameters     = local.empty_map
+      access_control = local.empty_map
+    }
+    "${local.root_id}-sap" = {
+      archetype_id   = "es_sap"
+      parameters     = local.empty_map
+      access_control = local.empty_map
+    }
    "${local.root_id}-demo-corp" = {
-      archetype_id   = "es_demo_corp"
+      archetype_id   = "es_corp"
      parameters     = local.empty_map
      access_control = local.empty_map
    }
    "${local.root_id}-demo-online" = {
-      archetype_id   = "es_demo_online"
+      archetype_id   = "es_online"
      parameters     = local.empty_map
      access_control = local.empty_map
    }
    "${local.root_id}-demo-sap" = {
-      archetype_id   = "es_demo_sap"
+      archetype_id   = "es_sap"
      parameters     = local.empty_map
      access_control = local.empty_map
    }
@ -93,6 +108,9 @@ locals {
    "${local.root_id}-connectivity"   = local.empty_list
    "${local.root_id}-management"     = local.empty_list
    "${local.root_id}-identity"       = local.empty_list
+    "${local.root_id}-corp"           = local.empty_list
+    "${local.root_id}-online"         = local.empty_list
+    "${local.root_id}-sap"            = local.empty_list
    "${local.root_id}-demo-corp"      = local.empty_list
    "${local.root_id}-demo-online"    = local.empty_list
    "${local.root_id}-demo-sap"       = local.empty_list
@ -107,6 +125,38 @@ locals {
  )
 }

+# The following locals are used to determine Management Group
+# placement for the platform Subscriptions. Preference of
+# placement is based on the following:
+#   1. Management
+#   2. Connectivity
+#   3. Identity
+# If a duplicate value is found in any of these scopes, the
+# value will be discarded as per the described logic.
+locals {
+  subscription_ids_management = distinct(compact(concat(
+    [local.subscription_id_management],
+    local.es_subscription_ids_map["${local.root_id}-management"],
+  )))
+  subscription_ids_connectivity = [
+    for id in distinct(compact(concat(
+      [local.subscription_id_connectivity],
+      local.es_subscription_ids_map["${local.root_id}-connectivity"],
+    ))) :
+    id
+    if !contains(local.subscription_ids_management, id)
+  ]
+  subscription_ids_identity = [
+    for id in distinct(compact(concat(
+      [local.subscription_id_identity],
+      local.es_subscription_ids_map["${local.root_id}-identity"],
+    ))) :
+    id
+    if !contains(local.subscription_ids_management, id) &&
+    !contains(local.subscription_ids_connectivity, id)
+  ]
+}
+
 # The following locals are used to define the core Enterprise
 # -scale Management Groups deployed by the module and uses
 # logic to determine the full Management Group deployment
@ -147,47 +197,63 @@ locals {
    "${local.root_id}-connectivity" = {
      display_name               = "Connectivity"
      parent_management_group_id = "${local.root_id}-platform"
-      subscription_ids = distinct(compact(concat(
-        [local.subscription_id_connectivity],
-        local.es_subscription_ids_map["${local.root_id}-connectivity"],
-      )))
-      archetype_config = local.es_archetype_config_map["${local.root_id}-connectivity"]
+      subscription_ids           = local.subscription_ids_connectivity
+      archetype_config           = local.es_archetype_config_map["${local.root_id}-connectivity"]
    }
    "${local.root_id}-management" = {
      display_name               = "Management"
      parent_management_group_id = "${local.root_id}-platform"
-      subscription_ids = distinct(compact(concat(
-        [local.subscription_id_management],
-        local.es_subscription_ids_map["${local.root_id}-management"],
-      )))
-      archetype_config = local.es_archetype_config_map["${local.root_id}-management"]
+      subscription_ids           = local.subscription_ids_management
+      archetype_config           = local.es_archetype_config_map["${local.root_id}-management"]
    }
    "${local.root_id}-identity" = {
      display_name               = "Identity"
      parent_management_group_id = "${local.root_id}-platform"
-      subscription_ids = distinct(compact(concat(
-        [local.subscription_id_identity],
-        local.es_subscription_ids_map["${local.root_id}-identity"],
-      )))
-      archetype_config = local.es_archetype_config_map["${local.root_id}-identity"]
+      subscription_ids           = local.subscription_ids_identity
+      archetype_config           = local.es_archetype_config_map["${local.root_id}-identity"]
+    }
+  }
+  # Optional "Landing Zone" Enterprise-scale Management Groups
+  es_corp_landing_zones = {
+    "${local.root_id}-corp" = {
+      display_name               = "Corp"
+      parent_management_group_id = "${local.root_id}-landing-zones"
+      subscription_ids           = local.es_subscription_ids_map["${local.root_id}-corp"]
+      archetype_config           = local.es_archetype_config_map["${local.root_id}-corp"]
+    }
+  }
+  es_online_landing_zones = {
+    "${local.root_id}-online" = {
+      display_name               = "Online"
+      parent_management_group_id = "${local.root_id}-landing-zones"
+      subscription_ids           = local.es_subscription_ids_map["${local.root_id}-online"]
+      archetype_config           = local.es_archetype_config_map["${local.root_id}-online"]
+    }
+  }
+  es_sap_landing_zones = {
+    "${local.root_id}-sap" = {
+      display_name               = "SAP"
+      parent_management_group_id = "${local.root_id}-landing-zones"
+      subscription_ids           = local.es_subscription_ids_map["${local.root_id}-sap"]
+      archetype_config           = local.es_archetype_config_map["${local.root_id}-sap"]
    }
  }
  # Optional demo "Landing Zone" Enterprise-scale Management Groups
  es_demo_landing_zones = {
    "${local.root_id}-demo-corp" = {
-      display_name               = "Corp"
+      display_name               = "Corp (Demo)"
      parent_management_group_id = "${local.root_id}-landing-zones"
      subscription_ids           = local.es_subscription_ids_map["${local.root_id}-demo-corp"]
      archetype_config           = local.es_archetype_config_map["${local.root_id}-demo-corp"]
    }
    "${local.root_id}-demo-online" = {
-      display_name               = "Online"
+      display_name               = "Online (Demo)"
      parent_management_group_id = "${local.root_id}-landing-zones"
      subscription_ids           = local.es_subscription_ids_map["${local.root_id}-demo-online"]
      archetype_config           = local.es_archetype_config_map["${local.root_id}-demo-online"]
    }
    "${local.root_id}-demo-sap" = {
-      display_name               = "SAP"
+      display_name               = "SAP (Demo)"
      parent_management_group_id = "${local.root_id}-landing-zones"
      subscription_ids           = local.es_subscription_ids_map["${local.root_id}-demo-sap"]
      archetype_config           = local.es_archetype_config_map["${local.root_id}-demo-sap"]
@ -195,13 +261,19 @@ locals {
  }
  # Logic to determine whether to include the core Enterprise-scale
  # Management Groups as part of the deployment
-  es_core_landing_zones_to_include = local.deploy_core_landing_zones ? local.es_core_landing_zones : null
+  es_core_landing_zones_to_include   = local.deploy_core_landing_zones ? local.es_core_landing_zones : null
+  es_corp_landing_zones_to_include   = local.deploy_core_landing_zones && local.deploy_corp_landing_zones ? local.es_corp_landing_zones : null
+  es_online_landing_zones_to_include = local.deploy_core_landing_zones && local.deploy_online_landing_zones ? local.es_online_landing_zones : null
+  es_sap_landing_zones_to_include    = local.deploy_core_landing_zones && local.deploy_sap_landing_zones ? local.es_sap_landing_zones : null
  # Logic to determine whether to include the demo "Landing Zone"
  # Enterprise-scale Management Groups as part of the deployment
-  es_demo_landing_zones_to_include = local.deploy_demo_landing_zones ? local.es_demo_landing_zones : null
+  es_demo_landing_zones_to_include = local.deploy_core_landing_zones && local.deploy_demo_landing_zones ? local.es_demo_landing_zones : null
  # Local map containing all Management Groups to deploy
  es_landing_zones_merge = merge(
    local.es_core_landing_zones_to_include,
+    local.es_corp_landing_zones_to_include,
+    local.es_online_landing_zones_to_include,
+    local.es_sap_landing_zones_to_include,
    local.es_demo_landing_zones_to_include,
    local.custom_landing_zones,
  )
@ -219,6 +291,8 @@ locals {
        archetype_id   = value.archetype_config.archetype_id
        access_control = value.archetype_config.access_control
        parameters = merge(
+          try(module.connectivity_resources.configuration.archetype_config_overrides[key].parameters, null),
+          try(module.identity_resources.configuration.archetype_config_overrides[key].parameters, null),
          try(module.management_resources.configuration.archetype_config_overrides[key].parameters, null),
          value.archetype_config.parameters,
        )
--- a/locals.policy_assignments.tf
+++ b/locals.policy_assignments.tf
@ -13,12 +13,17 @@ locals {
 }

 # The following locals are used to build the map of Policy
-# Assignments to deploy.
+# Assignments to deploy and then split them by scope type.
 locals {
  azurerm_policy_assignment_enterprise_scale = {
    for assignment in local.es_policy_assignments :
    assignment.resource_id => assignment
  }
+  azurerm_management_group_policy_assignment_enterprise_scale = {
+    for pak, pav in local.azurerm_policy_assignment_enterprise_scale :
+    pak => pav
+    if length(regexall(local.regex_scope_is_management_group, pav.scope_id)) > 0
+  }
 }

 # To support the creation of Role Assignments for Policy Assignments
@ -81,7 +86,7 @@ locals {
    for policy_set_definition_id in keys(transpose(local.policy_assignments_with_managed_identity_using_external_policy_set_definition)) :
    policy_set_definition_id => {
      name                  = basename(policy_set_definition_id)
-      management_group_name = try(regex(local.regex_extract_provider_scope, policy_set_definition_id), null)
+      management_group_name = regex(local.regex_split_resource_id, policy_set_definition_id)[0] == "/providers/Microsoft.Management/managementGroups/" ? regex(local.regex_split_resource_id, policy_set_definition_id)[1] : null
    }
  }
 }
@ -130,7 +135,7 @@ locals {
    for policy_definition_id in local.external_policy_definition_ids_from_policy_set_definitions :
    policy_definition_id => {
      name                  = basename(policy_definition_id)
-      management_group_name = try(regex(local.regex_extract_provider_scope, policy_definition_id), null)
+      management_group_name = regex(local.regex_split_resource_id, policy_definition_id)[0] == "/providers/Microsoft.Management/managementGroups/" ? regex(local.regex_split_resource_id, policy_definition_id)[1] : null
    }
  }
  # From Policy Assignments using Policy Definitions
@ -138,7 +143,7 @@ locals {
    for policy_definition_id in keys(transpose(local.policy_assignments_with_managed_identity_using_external_policy_definition)) :
    policy_definition_id => {
      name                  = basename(policy_definition_id)
-      management_group_name = try(regex(local.regex_extract_provider_scope, policy_definition_id), null)
+      management_group_name = regex(local.regex_split_resource_id, policy_definition_id)[0] == "/providers/Microsoft.Management/managementGroups/" ? regex(local.regex_split_resource_id, policy_definition_id)[1] : null
    }
  }
  # Then create a single list containing all Policy Definitions to lookup from Azure
@ -212,9 +217,12 @@ locals {

 # Generate a list of principal_id values by Policy Assignment
 locals {
+  merge_policy_assignments_by_type = merge(
+    azurerm_management_group_policy_assignment.enterprise_scale,
+  )
  principal_id_by_policy_assignment = {
-    for pak, pav in azurerm_policy_assignment.enterprise_scale :
-    pak => pav.identity[0].principal_id
+    for pak, pav in local.merge_policy_assignments_by_type :
+    pak => try(pav.identity[0].principal_id, null)
  }
 }

--- a/locals.resource_groups.tf
+++ b/locals.resource_groups.tf
@ -1,22 +0,0 @@
-# The following locals are used to extract the Resource Group
-# configuration from the solution module outputs.
-locals {
-  es_resource_groups = concat(
-    # module.connectivity_hub_spoke_resources.configuration.azurerm_resource_group,
-    # module.connectivity_virtual_wan_resources.configuration.azurerm_resource_group,
-    # module.identity_resources.configuration.azurerm_resource_group,
-    # module.landing_zone_hub_spoke_resources.configuration.azurerm_resource_group,
-    # module.landing_zone_virtual_wan_resources.configuration.azurerm_resource_group,
-    module.management_resources.configuration.azurerm_resource_group,
-  )
-}
-
-# The following locals are used to build the map of Resource
-# Groups to deploy.
-locals {
-  azurerm_resource_group_enterprise_scale = {
-    for resource in local.es_resource_groups :
-    resource.resource_id => resource
-    if resource.managed_by_module
-  }
-}
--- a/locals.role_assignments.tf
+++ b/locals.role_assignments.tf
@ -9,7 +9,6 @@ locals {
  es_role_assignments = concat(
    local.es_role_assignments_by_management_group,
    local.es_role_assignments_by_subscription,
-    local.es_role_assignments_by_policy_assignment,
  )
 }

@ -20,4 +19,8 @@ locals {
    for assignment in local.es_role_assignments :
    assignment.resource_id => assignment
  }
+  azurerm_role_assignment_policy_assignment = {
+    for assignment in local.es_role_assignments_by_policy_assignment :
+    assignment.resource_id => assignment
+  }
 }
--- a/locals.tf
+++ b/locals.tf
@ -9,24 +9,53 @@ locals {
 # The following locals are used to convert provided input
 # variables to locals before use elsewhere in the module
 locals {
-  root_id                        = var.root_id
-  root_name                      = var.root_name
-  root_parent_id                 = var.root_parent_id
-  deploy_core_landing_zones      = var.deploy_core_landing_zones
-  deploy_demo_landing_zones      = var.deploy_demo_landing_zones
-  deploy_management_resources    = var.deploy_management_resources
-  configure_management_resources = var.configure_management_resources
-  archetype_config_overrides     = var.archetype_config_overrides
-  subscription_id_overrides      = var.subscription_id_overrides
-  subscription_id_connectivity   = var.subscription_id_connectivity
-  subscription_id_identity       = var.subscription_id_identity
-  subscription_id_management     = var.subscription_id_management
-  custom_landing_zones           = var.custom_landing_zones
-  custom_policy_roles            = var.custom_policy_roles
-  library_path                   = var.library_path
-  template_file_variables        = var.template_file_variables
-  default_location               = var.default_location
-  default_tags                   = var.default_tags
+  root_id                          = var.root_id
+  root_name                        = var.root_name
+  root_parent_id                   = var.root_parent_id
+  deploy_core_landing_zones        = var.deploy_core_landing_zones
+  deploy_corp_landing_zones        = var.deploy_corp_landing_zones
+  deploy_online_landing_zones      = var.deploy_online_landing_zones
+  deploy_sap_landing_zones         = var.deploy_sap_landing_zones
+  deploy_demo_landing_zones        = var.deploy_demo_landing_zones
+  deploy_management_resources      = var.deploy_management_resources
+  deploy_identity_resources        = var.deploy_identity_resources
+  deploy_connectivity_resources    = var.deploy_connectivity_resources
+  configure_management_resources   = var.configure_management_resources
+  configure_identity_resources     = var.configure_identity_resources
+  configure_connectivity_resources = var.configure_connectivity_resources
+  archetype_config_overrides       = var.archetype_config_overrides
+  subscription_id_overrides        = var.subscription_id_overrides
+  subscription_id_connectivity     = var.subscription_id_connectivity
+  subscription_id_identity         = var.subscription_id_identity
+  subscription_id_management       = var.subscription_id_management
+  custom_landing_zones             = var.custom_landing_zones
+  custom_policy_roles              = var.custom_policy_roles
+  library_path                     = var.library_path
+  template_file_variables = merge(
+    module.connectivity_resources.configuration.template_file_variables,
+    var.template_file_variables,
+  )
+  default_location         = var.default_location
+  default_tags             = var.default_tags
+  disable_base_module_tags = var.disable_base_module_tags
+}
+
+# The following locals are used to define a set of module
+# tags applied to all resources unless disabled by the
+# input variable "disable_module_tags" and prepare the
+# tag blocks for each sub-module
+locals {
+  base_module_tags = {
+    deployedBy = "terraform/azure/caf-enterprise-scale/v0.4.0"
+  }
+  connectivity_resources_tags = merge(
+    local.disable_base_module_tags ? local.empty_map : local.base_module_tags,
+    coalesce(local.configure_connectivity_resources.tags, local.default_tags),
+  )
+  management_resources_tags = merge(
+    local.disable_base_module_tags ? local.empty_map : local.base_module_tags,
+    coalesce(local.configure_management_resources.tags, local.default_tags),
+  )
 }

 # The following locals are used to define base Azure
@ -45,7 +74,18 @@ locals {
 # The following locals are used to define RegEx
 # patterns used within this module
 locals {
-  regex_extract_provider_scope = "(?i)/(?=.*/providers/)[^/]+/[\\S]+(?=.*/providers/)"
+  # The following regex is designed to consistently
+  # split a resource_id into the following capture
+  # groups, regardless of resource type:
+  # [0] Resource scope, type substring (e.g. "/providers/Microsoft.Management/managementGroups/")
+  # [1] Resource scope, name substring (e.g. "group1")
+  # [2] Resource, type substring (e.g. "/providers/Microsoft.Authorization/policyAssignments/")
+  # [3] Resource, name substring (e.g. "assignment1")
+  regex_split_resource_id         = "(?i)((?:/[^/]+){0,8}/)?([^/]+)?((?:/[^/]+){3}/)([^/]+)$"
+  regex_scope_is_management_group = "(?i)(/providers/Microsoft.Management/managementGroups/)([^/]+)$"
+  # regex_scope_is_subscription     = "(?i)(/subscriptions/)([^/]+)$"
+  # regex_scope_is_resource_group   = "(?i)(/subscriptions/[^/]+/resourceGroups/)([^/]+)$"
+  # regex_scope_is_resource         = "(?i)(/subscriptions/[^/]+/resourceGroups(?:/[^/]+){4}/)([^/]+)$"
 }

 # The following locals are used to identify known
--- a/main.tf
+++ b/main.tf
@ -12,11 +12,15 @@ module "management_group_archetypes" {
  scope_id                = each.key
  archetype_id            = each.value.archetype_config.archetype_id
  parameters              = each.value.archetype_config.parameters
-  enforcement_mode        = try(module.management_resources.configuration.archetype_config_overrides[basename(each.key)].enforcement_mode, null)
  access_control          = each.value.archetype_config.access_control
  library_path            = local.library_path
  template_file_variables = local.template_file_variables
  default_location        = local.default_location
+  enforcement_mode = merge(
+    try(module.connectivity_resources.configuration.archetype_config_overrides[basename(each.key)].enforcement_mode, null),
+    try(module.identity_resources.configuration.archetype_config_overrides[basename(each.key)].enforcement_mode, null),
+    try(module.management_resources.configuration.archetype_config_overrides[basename(each.key)].enforcement_mode, null),
+  )
 }

 # The following module is used to generate the configuration
@ -25,7 +29,7 @@ module "management_group_archetypes" {
 module "management_resources" {
  source = "./modules/management"

-  # Mandatory input variables 
+  # Mandatory input variables
  enabled         = local.deploy_management_resources
  root_id         = local.root_id
  subscription_id = local.subscription_id_management
@ -33,7 +37,7 @@ module "management_resources" {

  # Optional input variables (basic configuration)
  location = coalesce(local.configure_management_resources.location, local.default_location)
-  tags     = coalesce(local.configure_management_resources.tags, local.default_tags)
+  tags     = local.management_resources_tags

  # Optional input variables (advanced configuration)
  resource_prefix                              = try(local.configure_management_resources.advanced.resource_prefix, local.empty_string)
@ -44,3 +48,38 @@ module "management_resources" {
  link_log_analytics_to_automation_account     = try(local.configure_management_resources.advanced.link_log_analytics_to_automation_account, true)
  custom_settings_by_resource_type             = try(local.configure_management_resources.advanced.custom_settings_by_resource_type, local.empty_map)
 }
+
+# The following module is used to generate the configuration
+# data used to deploy platform resources based on the
+# "identity" landing zone archetype.
+module "identity_resources" {
+  source = "./modules/identity"
+
+  # Mandatory input variables
+  enabled  = local.deploy_identity_resources
+  root_id  = local.root_id
+  settings = local.configure_identity_resources.settings
+}
+
+# The following module is used to generate the configuration
+# data used to deploy platform resources based on the
+# "connectivity" landing zone archetype.
+module "connectivity_resources" {
+  source = "./modules/connectivity"
+
+  # Mandatory input variables
+  enabled         = local.deploy_connectivity_resources
+  root_id         = local.root_id
+  subscription_id = local.subscription_id_connectivity
+  settings        = local.configure_connectivity_resources.settings
+
+  # Optional input variables (basic configuration)
+  location = coalesce(local.configure_connectivity_resources.location, local.default_location)
+  tags     = local.connectivity_resources_tags
+
+  # Optional input variables (advanced configuration)
+  resource_prefix                           = try(local.configure_connectivity_resources.advanced.resource_prefix, local.empty_string)
+  resource_suffix                           = try(local.configure_connectivity_resources.advanced.resource_suffix, local.empty_string)
+  existing_ddos_protection_plan_resource_id = try(local.configure_connectivity_resources.advanced.existing_resource_group_name, local.empty_string)
+  custom_settings_by_resource_type          = try(local.configure_connectivity_resources.advanced.custom_settings_by_resource_type, local.empty_map)
+}
--- a/modules/archetypes/lib/archetype_definitions/archetype_definition_es_connectivity_foundation.tmpl.json
+++ b/modules/archetypes/lib/archetype_definitions/archetype_definition_es_connectivity_foundation.tmpl.json
@ -1,6 +1,8 @@
 {
-    "es_connectivity_foundation": {
-        "policy_assignments": [],
+    "es_connectivity": {
+        "policy_assignments": [
+            "Enable-DDoS-VNET"
+        ],
        "policy_definitions": [],
        "policy_set_definitions": [],
        "role_definitions": [],
--- a/modules/archetypes/lib/archetype_definitions/archetype_definition_es_connectivity_vwan.tmpl.json
+++ b/modules/archetypes/lib/archetype_definitions/archetype_definition_es_connectivity_vwan.tmpl.json
@ -1,12 +0,0 @@
-{
-    "es_connectivity_vwan": {
-        "policy_assignments": [],
-        "policy_definitions": [],
-        "policy_set_definitions": [],
-        "role_definitions": [],
-        "archetype_config": {
-            "parameters": {},
-            "access_control": {}
-        }
-    }
-}
--- a/modules/archetypes/lib/archetype_definitions/archetype_definition_es_connectivity_hub_and_spoke.tmpl.json
+++ b/modules/archetypes/lib/archetype_definitions/archetype_definition_es_connectivity_hub_and_spoke.tmpl.json
@ -1,6 +1,9 @@
 {
-    "es_connectivity_hub_and_spoke": {
-        "policy_assignments": [],
+    "es_corp": {
+        "policy_assignments": [
+            "Deny-Public-Endpoints",
+            "Deploy-Private-DNS-Zones"
+        ],
        "policy_definitions": [],
        "policy_set_definitions": [],
        "role_definitions": [],
--- a/modules/archetypes/lib/archetype_definitions/archetype_definition_es_demo_online.tmpl.json
+++ b/modules/archetypes/lib/archetype_definitions/archetype_definition_es_demo_online.tmpl.json
@ -1,12 +0,0 @@
-{
-    "es_demo_online": {
-        "policy_assignments": [],
-        "policy_definitions": [],
-        "policy_set_definitions": [],
-        "role_definitions": [],
-        "archetype_config": {
-            "parameters": {},
-            "access_control": {}
-        }
-    }
-}
--- a/modules/archetypes/lib/archetype_definitions/archetype_definition_es_identity.tmpl.json
+++ b/modules/archetypes/lib/archetype_definitions/archetype_definition_es_identity.tmpl.json
@ -1,6 +1,11 @@
 {
    "es_identity": {
-        "policy_assignments": [],
+        "policy_assignments": [
+            "Deny-Public-IP",
+            "Deny-RDP-From-Internet",
+            "Deny-Subnet-Without-Nsg",
+            "Deploy-VM-Backup"
+        ],
        "policy_definitions": [],
        "policy_set_definitions": [],
        "role_definitions": [],
--- a/modules/archetypes/lib/archetype_definitions/archetype_definition_es_landing_zones.tmpl.json
+++ b/modules/archetypes/lib/archetype_definitions/archetype_definition_es_landing_zones.tmpl.json
@ -7,11 +7,13 @@
            "Deny-Subnet-Without-Nsg",
            "Deploy-AKS-Policy",
            "Deploy-SQL-DB-Auditing",
+            "Deploy-SQL-Threat",
            "Deploy-VM-Backup",
-            "Deploy-SQL-Security",
            "Deny-Priv-Escalation-AKS",
            "Deny-Priv-Containers-AKS",
-            "Deny-http-Ingress-AKS"
+            "Enable-DDoS-VNET",
+            "Enforce-AKS-HTTPS",
+            "Enforce-TLS-SSL"
        ],
        "policy_definitions": [],
        "policy_set_definitions": [],
--- a/modules/archetypes/lib/archetype_definitions/archetype_definition_es_demo_sap.tmpl.json
+++ b/modules/archetypes/lib/archetype_definitions/archetype_definition_es_demo_sap.tmpl.json
@ -1,5 +1,5 @@
 {
-    "es_demo_sap": {
+    "es_online": {
        "policy_assignments": [],
        "policy_definitions": [],
        "policy_set_definitions": [],
--- a/modules/archetypes/lib/archetype_definitions/archetype_definition_es_root.tmpl.json
+++ b/modules/archetypes/lib/archetype_definitions/archetype_definition_es_root.tmpl.json
@ -1,171 +1,141 @@
 {
-    "es_root": {
-        "policy_assignments": [
-            "Deploy-ASC-Monitoring",
-            "Deploy-ASC-Defender",
-            "Deploy-AzActivity-Log",
-            "Deploy-LX-Arc-Monitoring",
-            "Deploy-Resource-Diag",
-            "Deploy-VM-Monitoring",
-            "Deploy-VMSS-Monitoring",
-            "Deploy-WS-Arc-Monitoring"
-        ],
-        "policy_definitions": [
-            "Append-AppService-httpsonly",
-            "Append-AppService-latestTLS",
-            "Append-KV-SoftDelete",
-            "Append-Redis-disableNonSslPort",
-            "Append-Redis-sslEnforcement",
-            "Audit-MachineLearning-PrivateEndpointId",
-            "Deny-AA-child-resources",
-            "Deny-AppGW-Without-WAF",
-            "Deny-AppServiceApiApp-http",
-            "Deny-AppServiceFunctionApp-http",
-            "Deny-AppServiceWebApp-http",
-            "Deny-MachineLearning-Aks",
-            "Deny-MachineLearning-Compute-SubnetId",
-            "Deny-MachineLearning-Compute-VmSize",
-            "Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess",
-            "Deny-MachineLearning-ComputeCluster-Scale",
-            "Deny-MachineLearning-HbiWorkspace",
-            "Deny-MachineLearning-PublicAccessWhenBehindVnet",
-            "Deny-MySql-http",
-            "Deny-PostgreSql-http",
-            "Deny-Private-DNS-Zones",
-            "Deny-PublicEndpoint-Aks",
-            "Deny-PublicEndpoint-CosmosDB",
-            "Deny-PublicEndpoint-KeyVault",
-            "Deny-PublicEndpoint-MariaDB",
-            "Deny-PublicEndpoint-MySQL",
-            "Deny-PublicEndpoint-PostgreSql",
-            "Deny-PublicEndpoint-Sql",
-            "Deny-PublicEndpoint-Storage",
-            "Deny-PublicIP",
-            "Deny-RDP-From-Internet",
-            "Deny-Redis-http",
-            "Deny-Sql-minTLS",
-            "Deny-SqlMi-minTLS",
-            "Deny-Storage-minTLS",
-            "Deny-Subnet-Without-Nsg",
-            "Deny-Subnet-Without-Udr",
-            "Deny-VNET-Peer-Cross-Sub",
-            "Deny-VNet-Peering",
-            "Deploy-ASC-Defender-ACR",
-            "Deploy-ASC-Defender-AKS",
-            "Deploy-ASC-Defender-AKV",
-            "Deploy-ASC-Defender-AppSrv",
-            "Deploy-ASC-Defender-ARM",
-            "Deploy-ASC-Defender-DNS",
-            "Deploy-ASC-Defender-SA",
-            "Deploy-ASC-Defender-Sql",
-            "Deploy-ASC-Defender-SQLVM",
-            "Deploy-ASC-Defender-VMs",
-            "Deploy-ASC-SecurityContacts",
-            "Deploy-Budget",
-            "Deploy-DDoSProtection",
-            "Deploy-Default-Udr",
-            "Deploy-Diagnostics-AA",
-            "Deploy-Diagnostics-ACI",
-            "Deploy-Diagnostics-ACR",
-            "Deploy-Diagnostics-ActivityLog",
-            "Deploy-Diagnostics-AKS",
-            "Deploy-Diagnostics-AnalysisService",
-            "Deploy-Diagnostics-ApiForFHIR",
-            "Deploy-Diagnostics-APIMgmt",
-            "Deploy-Diagnostics-ApplicationGateway",
-            "Deploy-Diagnostics-Batch",
-            "Deploy-Diagnostics-CDNEndpoints",
-            "Deploy-Diagnostics-CognitiveServices",
-            "Deploy-Diagnostics-CosmosDB",
-            "Deploy-Diagnostics-Databricks",
-            "Deploy-Diagnostics-DataExplorerCluster",
-            "Deploy-Diagnostics-DataFactory",
-            "Deploy-Diagnostics-DataLakeStore",
-            "Deploy-Diagnostics-DLAnalytics",
-            "Deploy-Diagnostics-EventGridSub",
-            "Deploy-Diagnostics-EventGridSystemTopic",
-            "Deploy-Diagnostics-EventGridTopic",
-            "Deploy-Diagnostics-EventHub",
-            "Deploy-Diagnostics-ExpressRoute",
-            "Deploy-Diagnostics-Firewall",
-            "Deploy-Diagnostics-FrontDoor",
-            "Deploy-Diagnostics-Function",
-            "Deploy-Diagnostics-HDInsight",
-            "Deploy-Diagnostics-iotHub",
-            "Deploy-Diagnostics-KeyVault",
-            "Deploy-Diagnostics-LoadBalancer",
-            "Deploy-Diagnostics-LogicAppsISE",
-            "Deploy-Diagnostics-LogicAppsWF",
-            "Deploy-Diagnostics-MariaDB",
-            "Deploy-Diagnostics-MediaService",
-            "Deploy-Diagnostics-MlWorkspace",
-            "Deploy-Diagnostics-MySQL",
-            "Deploy-Diagnostics-NetworkSecurityGroups",
-            "Deploy-Diagnostics-NIC",
-            "Deploy-Diagnostics-PostgreSQL",
-            "Deploy-Diagnostics-PowerBIEmbedded",
-            "Deploy-Diagnostics-RecoveryVault",
-            "Deploy-Diagnostics-RedisCache",
-            "Deploy-Diagnostics-Relay",
-            "Deploy-Diagnostics-SearchServices",
-            "Deploy-Diagnostics-ServiceBus",
-            "Deploy-Diagnostics-SignalR",
-            "Deploy-Diagnostics-SQLDBs",
-            "Deploy-Diagnostics-SQLElasticPools",
-            "Deploy-Diagnostics-SQLMI",
-            "Deploy-Diagnostics-StreamAnalytics",
-            "Deploy-Diagnostics-TimeSeriesInsights",
-            "Deploy-Diagnostics-TrafficManager",
-            "Deploy-Diagnostics-VirtualNetwork",
-            "Deploy-Diagnostics-VM",
-            "Deploy-Diagnostics-VMSS",
-            "Deploy-Diagnostics-VNetGW",
-            "Deploy-Diagnostics-WebServerFarm",
-            "Deploy-Diagnostics-Website",
-            "Deploy-Diagnostics-WVDAppGroup",
-            "Deploy-Diagnostics-WVDHostPools",
-            "Deploy-Diagnostics-WVDWorkspace",
-            "Deploy-DNSZoneGroup-For-Blob-PrivateEndpoint",
-            "Deploy-DNSZoneGroup-For-File-PrivateEndpoint",
-            "Deploy-DNSZoneGroup-For-KeyVault-PrivateEndpoint",
-            "Deploy-DNSZoneGroup-For-Queue-PrivateEndpoint",
-            "Deploy-DNSZoneGroup-For-Sql-PrivateEndpoint",
-            "Deploy-DNSZoneGroup-For-Table-PrivateEndpoint",
-            "Deploy-FirewallPolicy",
-            "Deploy-HUB",
-            "Deploy-LA-Config",
-            "Deploy-Log-Analytics",
-            "Deploy-MySQL-sslEnforcement",
-            "Deploy-Nsg-FlowLogs-to-LA",
-            "Deploy-Nsg-FlowLogs",
-            "Deploy-PostgreSQL-sslEnforcement",
-            "Deploy-Sql-AuditingSettings",
-            "Deploy-SQL-minTLS",
-            "Deploy-Sql-SecurityAlertPolicies",
-            "Deploy-Sql-Tde",
-            "Deploy-Sql-vulnerabilityAssessments",
-            "Deploy-SqlMi-minTLS",
-            "Deploy-Storage-sslEnforcement",
-            "Deploy-vHUB",
-            "Deploy-VNET-HubSpoke",
-            "Deploy-vNet",
-            "Deploy-vWAN",
-            "Deploy-Windows-DomainJoin"
-        ],
-        "policy_set_definitions": [
-            "Deny-PublicEndpoints",
-            "Deploy-ASC-Config",
-            "Deploy-Diag-LogAnalytics",
-            "Deploy-Sql-Security",
-            "Enforce-Encryption-CMK",
-            "Enforce-EncryptTransit"
-        ],
-        "role_definitions": [
-            "Network-Subnet-Contributor"
-        ],
-        "archetype_config": {
-            "parameters": {},
-            "access_control": {}
-        }
+  "es_root": {
+    "policy_assignments": [
+      "Deploy-ASC-Monitoring",
+      "Deploy-ASC-Configuration",
+      "Deploy-AzActivity-Log",
+      "Deploy-LX-Arc-Monitoring",
+      "Deploy-Resource-Diag",
+      "Deploy-VM-Monitoring",
+      "Deploy-VMSS-Monitoring",
+      "Deploy-WS-Arc-Monitoring"
+    ],
+    "policy_definitions": [
+      "Append-AppService-httpsonly",
+      "Append-AppService-latestTLS",
+      "Append-KV-SoftDelete",
+      "Append-Redis-disableNonSslPort",
+      "Append-Redis-sslEnforcement",
+      "Audit-MachineLearning-PrivateEndpointId",
+      "Deny-AA-child-resources",
+      "Deny-AppGW-Without-WAF",
+      "Deny-AppServiceApiApp-http",
+      "Deny-AppServiceFunctionApp-http",
+      "Deny-AppServiceWebApp-http",
+      "Deny-MachineLearning-Aks",
+      "Deny-MachineLearning-Compute-SubnetId",
+      "Deny-MachineLearning-Compute-VmSize",
+      "Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess",
+      "Deny-MachineLearning-ComputeCluster-Scale",
+      "Deny-MachineLearning-HbiWorkspace",
+      "Deny-MachineLearning-PublicAccessWhenBehindVnet",
+      "Deny-MySql-http",
+      "Deny-PostgreSql-http",
+      "Deny-Private-DNS-Zones",
+      "Deny-PublicEndpoint-MariaDB",
+      "Deny-PublicIP",
+      "Deny-RDP-From-Internet",
+      "Deny-Redis-http",
+      "Deny-Sql-minTLS",
+      "Deny-SqlMi-minTLS",
+      "Deny-Storage-minTLS",
+      "Deny-Subnet-Without-Nsg",
+      "Deny-Subnet-Without-Udr",
+      "Deny-VNET-Peer-Cross-Sub",
+      "Deny-VNet-Peering",
+      "Deploy-ASC-Defender-ACR",
+      "Deploy-ASC-Defender-AKS",
+      "Deploy-ASC-Defender-AKV",
+      "Deploy-ASC-Defender-AppSrv",
+      "Deploy-ASC-Defender-ARM",
+      "Deploy-ASC-Defender-DNS",
+      "Deploy-ASC-Defender-SA",
+      "Deploy-ASC-Defender-Sql",
+      "Deploy-ASC-Defender-SQLVM",
+      "Deploy-ASC-Defender-VMs",
+      "Deploy-ASC-SecurityContacts",
+      "Deploy-Budget",
+      "Deploy-DDoSProtection",
+      "Deploy-Default-Udr",
+      "Deploy-Diagnostics-AA",
+      "Deploy-Diagnostics-ACI",
+      "Deploy-Diagnostics-ACR",
+      "Deploy-Diagnostics-AnalysisService",
+      "Deploy-Diagnostics-ApiForFHIR",
+      "Deploy-Diagnostics-APIMgmt",
+      "Deploy-Diagnostics-ApplicationGateway",
+      "Deploy-Diagnostics-CDNEndpoints",
+      "Deploy-Diagnostics-CognitiveServices",
+      "Deploy-Diagnostics-CosmosDB",
+      "Deploy-Diagnostics-Databricks",
+      "Deploy-Diagnostics-DataExplorerCluster",
+      "Deploy-Diagnostics-DataFactory",
+      "Deploy-Diagnostics-DLAnalytics",
+      "Deploy-Diagnostics-EventGridSub",
+      "Deploy-Diagnostics-EventGridSystemTopic",
+      "Deploy-Diagnostics-EventGridTopic",
+      "Deploy-Diagnostics-ExpressRoute",
+      "Deploy-Diagnostics-Firewall",
+      "Deploy-Diagnostics-FrontDoor",
+      "Deploy-Diagnostics-Function",
+      "Deploy-Diagnostics-HDInsight",
+      "Deploy-Diagnostics-iotHub",
+      "Deploy-Diagnostics-LoadBalancer",
+      "Deploy-Diagnostics-LogicAppsISE",
+      "Deploy-Diagnostics-MariaDB",
+      "Deploy-Diagnostics-MediaService",
+      "Deploy-Diagnostics-MlWorkspace",
+      "Deploy-Diagnostics-MySQL",
+      "Deploy-Diagnostics-NetworkSecurityGroups",
+      "Deploy-Diagnostics-NIC",
+      "Deploy-Diagnostics-PostgreSQL",
+      "Deploy-Diagnostics-PowerBIEmbedded",
+      "Deploy-Diagnostics-RedisCache",
+      "Deploy-Diagnostics-Relay",
+      "Deploy-Diagnostics-SignalR",
+      "Deploy-Diagnostics-SQLElasticPools",
+      "Deploy-Diagnostics-SQLMI",
+      "Deploy-Diagnostics-TimeSeriesInsights",
+      "Deploy-Diagnostics-TrafficManager",
+      "Deploy-Diagnostics-VirtualNetwork",
+      "Deploy-Diagnostics-VM",
+      "Deploy-Diagnostics-VMSS",
+      "Deploy-Diagnostics-VNetGW",
+      "Deploy-Diagnostics-WebServerFarm",
+      "Deploy-Diagnostics-Website",
+      "Deploy-Diagnostics-WVDAppGroup",
+      "Deploy-Diagnostics-WVDHostPools",
+      "Deploy-Diagnostics-WVDWorkspace",
+      "Deploy-FirewallPolicy",
+      "Deploy-MySQL-sslEnforcement",
+      "Deploy-Nsg-FlowLogs-to-LA",
+      "Deploy-Nsg-FlowLogs",
+      "Deploy-PostgreSQL-sslEnforcement",
+      "Deploy-Sql-AuditingSettings",
+      "Deploy-SQL-minTLS",
+      "Deploy-Sql-SecurityAlertPolicies",
+      "Deploy-Sql-Tde",
+      "Deploy-Sql-vulnerabilityAssessments",
+      "Deploy-SqlMi-minTLS",
+      "Deploy-Storage-sslEnforcement",
+      "Deploy-VNET-HubSpoke",
+      "Deploy-Windows-DomainJoin"
+    ],
+    "policy_set_definitions": [
+      "Deny-PublicPaaSEndpoints",
+      "Deploy-ASC-Config",
+      "Deploy-Diagnostics-LogAnalytics",
+      "Deploy-Private-DNS-Zones",
+      "Deploy-Sql-Security",
+      "Enforce-Encryption-CMK",
+      "Enforce-EncryptTransit"
+    ],
+    "role_definitions": [
+      "Network-Subnet-Contributor"
+    ],
+    "archetype_config": {
+      "parameters": {},
+      "access_control": {}
    }
+  }
 }
--- a/modules/archetypes/lib/archetype_definitions/archetype_definition_es_demo_corp.tmpl.json
+++ b/modules/archetypes/lib/archetype_definitions/archetype_definition_es_demo_corp.tmpl.json
@ -1,5 +1,5 @@
 {
-    "es_demo_corp": {
+    "es_sap": {
        "policy_assignments": [],
        "policy_definitions": [],
        "policy_set_definitions": [],
--- a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deny_http_ingress_aks.tmpl.json
+++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deny_http_ingress_aks.tmpl.json
@ -1,10 +1,10 @@
 {
-  "name": "Deny-http-Ingress-AKS",
+  "name": "Enforce-AKS-HTTPS",
  "type": "Microsoft.Authorization/policyAssignments",
  "apiVersion": "2019-09-01",
  "properties": {
-    "description": "Enforce-Https-Ingress-AKS.",
-    "displayName": "Enforce-Https-Ingress-AKS",
+    "description": "Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for AKS Engine and Azure Arc enabled Kubernetes. For more info, visit https://aka.ms/kubepolicydoc.",
+    "displayName": "Kubernetes clusters should be accessible only over HTTPS",
    "notScopes": [],
    "parameters": {
      "effect": {
--- a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deny_ip_forwarding.tmpl.json
+++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deny_ip_forwarding.tmpl.json
@ -3,8 +3,8 @@
  "type": "Microsoft.Authorization/policyAssignments",
  "apiVersion": "2019-09-01",
  "properties": {
-    "description": "Network interfaces should disable IP forwarding.",
-    "displayName": "Deny-IP-Forwarding",
+    "description": "This policy denies the network interfaces which enabled IP forwarding. The setting of IP forwarding disables Azure's check of the source and destination for a network interface. This should be reviewed by the network security team.",
+    "displayName": "Network interfaces should disable IP forwarding",
    "notScopes": [],
    "parameters": {},
    "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900",
--- a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deny_priv_containers_aks.tmpl.json
+++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deny_priv_containers_aks.tmpl.json
@ -3,8 +3,8 @@
  "type": "Microsoft.Authorization/policyAssignments",
  "apiVersion": "2019-09-01",
  "properties": {
-    "description": "Deny-Privileged-Containers-AKS.",
-    "displayName": "Deny-Privileged-Containers-AKS",
+    "description": "Do not allow privileged containers creation in a Kubernetes cluster. This recommendation is part of CIS 5.2.1 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.",
+    "displayName": "Kubernetes cluster should not allow privileged containers",
    "notScopes": [],
    "parameters": {
      "effect": {
--- a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deny_priv_escalation_aks.tmpl.json
+++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deny_priv_escalation_aks.tmpl.json
@ -3,8 +3,8 @@
  "type": "Microsoft.Authorization/policyAssignments",
  "apiVersion": "2019-09-01",
  "properties": {
-    "description": "Deny-Privileged-Escalations-AKS.",
-    "displayName": "Deny-Privileged-Escalations-AKS",
+    "description": "Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.",
+    "displayName": "Kubernetes clusters should not allow container privilege escalation",
    "notScopes": [],
    "parameters": {
      "effect": {
--- a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deny_public_endpoints.tmpl.json
+++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deny_public_endpoints.tmpl.json
@ -0,0 +1,18 @@
+{
+  "name": "Deny-Public-Endpoints",
+  "type": "Microsoft.Authorization/policyAssignments",
+  "apiVersion": "2019-09-01",
+  "properties": {
+    "description": "This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints.",
+    "displayName": "Public network access should be disabled for PaaS services",
+    "notScopes": [],
+    "parameters": {},
+    "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints",
+    "scope": "${current_scope_resource_id}",
+    "enforcementMode": "Default"
+  },
+  "location": "${default_location}",
+  "identity": {
+    "type": "None"
+  }
+}
--- a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deny_public_ip.tmpl.json
+++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deny_public_ip.tmpl.json
@ -0,0 +1,18 @@
+{
+  "name": "Deny-Public-IP",
+  "type": "Microsoft.Authorization/policyAssignments",
+  "apiVersion": "2019-09-01",
+  "properties": {
+    "description": "This policy denies creation of Public IPs under the assigned scope.",
+    "displayName": "Deny the creation of public IP",
+    "notScopes": [],
+    "parameters": {},
+    "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicIP",
+    "scope": "${current_scope_resource_id}",
+    "enforcementMode": "Default"
+  },
+  "location": "${default_location}",
+  "identity": {
+    "type": "None"
+  }
+}
--- a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deny_rdp_from_internet.tmpl.json
+++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deny_rdp_from_internet.tmpl.json
@ -3,8 +3,8 @@
  "type": "Microsoft.Authorization/policyAssignments",
  "apiVersion": "2019-09-01",
  "properties": {
-    "description": "Deny RDP access from the Internet.",
-    "displayName": "Deny-RDP-From-Internet",
+    "description": "This policy denies any network security rule that allows RDP access from Internet.",
+    "displayName": "RDP access from the Internet should be blocked",
    "notScopes": [],
    "parameters": {},
    "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/Deny-RDP-From-Internet",
--- a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deny_storage_http.tmpl.json
+++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deny_storage_http.tmpl.json
@ -3,8 +3,8 @@
  "type": "Microsoft.Authorization/policyAssignments",
  "apiVersion": "2019-09-01",
  "properties": {
-    "description": "Enforce-Secure-Storage.",
-    "displayName": "Enforce-Secure-Storage",
+    "description": "Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.",
+    "displayName": "Secure transfer to storage accounts should be enabled",
    "notScopes": [],
    "parameters": {},
    "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9",
--- a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deny_subnet_without_nsg.tmpl.json
+++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deny_subnet_without_nsg.tmpl.json
@ -3,8 +3,8 @@
  "type": "Microsoft.Authorization/policyAssignments",
  "apiVersion": "2019-09-01",
  "properties": {
-    "description": "Deny provisioning of subnet without NSG attached.",
-    "displayName": "Deny-Subnet-Without-Nsg",
+    "description": "This policy denies the creation of a subnet without a Network Security Group to protect traffic across subnets.",
+    "displayName": "Subnets should have a Network Security Group",
    "notScopes": [],
    "parameters": {},
    "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg",
--- a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deny_subnet_without_udr.tmpl.json
+++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deny_subnet_without_udr.tmpl.json
@ -3,8 +3,8 @@
  "type": "Microsoft.Authorization/policyAssignments",
  "apiVersion": "2019-09-01",
  "properties": {
-    "description": "Deny provisioning of subnet without UDR attached.",
-    "displayName": "Deny-Subnet-Without-Udr",
+    "description": "This policy denies the creation of a subnet without a User-Defined Route to control traffic flow.",
+    "displayName": "Subnets should have a User-Defined Route",
    "notScopes": [],
    "parameters": {},
    "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Udr",
--- a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_aks_policy.tmpl.json
+++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_aks_policy.tmpl.json
@ -3,8 +3,8 @@
  "type": "Microsoft.Authorization/policyAssignments",
  "apiVersion": "2019-09-01",
  "properties": {
-    "description": "Deploy-AKS-Policy.",
-    "displayName": "Deploy-AKS-Policy",
+    "description": "Use Azure Policy Add-on to manage and report on the compliance state of your Azure Kubernetes Service (AKS) clusters. For more information, see https://aka.ms/akspolicydoc.",
+    "displayName": "Deploy Azure Policy Add-on to Azure Kubernetes Service clusters",
    "notScopes": [],
    "parameters": {},
    "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7",
--- a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_asc_configuration.tmpl.json
+++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_asc_configuration.tmpl.json
@ -0,0 +1,61 @@
+{
+  "name": "Deploy-ASC-Configuration",
+  "type": "Microsoft.Authorization/policyAssignments",
+  "apiVersion": "2019-09-01",
+  "properties": {
+    "description": "Deploy ASC configuration for Azure Defender and Security Contacts.",
+    "displayName": "Deploy Azure Security Center configuration",
+    "notScopes": [],
+    "parameters": {
+      "emailSecurityContact": {
+        "value": "security_contact@replace_me"
+      },
+      "logAnalytics": {
+        "value": "${root_scope_id}-la"
+      },
+      "ascExportResourceGroupName": {
+        "value": "${root_scope_id}-asc-export"
+      },
+      "ascExportResourceGroupLocation": {
+        "value": "${default_location}"
+      },
+      "pricingTierContainerRegistry": {
+        "value": "Free"
+      },
+      "pricingTierAppServices": {
+        "value": "Free"
+      },
+      "pricingTierArm": {
+        "value": "Free"
+      },
+      "pricingTierDns": {
+        "value": "Free"
+      },
+      "pricingTierKeyVaults": {
+        "value": "Free"
+      },
+      "pricingTierKubernetesService": {
+        "value": "Free"
+      },
+      "pricingTierVMs": {
+        "value": "Free"
+      },
+      "pricingTierSqlServers": {
+        "value": "Free"
+      },
+      "pricingTierSqlServerVirtualMachines": {
+        "value": "Free"
+      },
+      "pricingTierStorageAccounts": {
+        "value": "Free"
+      }
+    },
+    "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policySetDefinitions/Deploy-ASC-Config",
+    "scope": "${current_scope_resource_id}",
+    "enforcementMode": null
+  },
+  "location": "${default_location}",
+  "identity": {
+    "type": "SystemAssigned"
+  }
+}
--- a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_asc_defender.tmpl.json
+++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_asc_defender.tmpl.json
@ -1,31 +0,0 @@
-{
-  "name": "Deploy-ASC-Defender",
-  "type": "Microsoft.Authorization/policyAssignments",
-  "apiVersion": "2019-09-01",
-  "properties": {
-    "description": "Deploy-ASC-Defender.",
-    "displayName": "Deploy-ASC-Defender",
-    "notScopes": [],
-    "parameters": {
-      "emailSecurityContact": {
-        "value": "security_contact@replace_me"
-      },
-      "logAnalytics": {
-        "value": "${root_scope_id}-la"
-      },
-      "ascExportResourceGroupName": {
-        "value": "${root_scope_id}-asc-export"
-      },
-      "ascExportResourceGroupLocation": {
-        "value": "${default_location}"
-      }
-    },
-    "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policySetDefinitions/Deploy-ASC-Config",
-    "scope": "${current_scope_resource_id}",
-    "enforcementMode": null
-  },
-  "location": "${default_location}",
-  "identity": {
-    "type": "SystemAssigned"
-  }
-}
--- a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_azactivity_log.tmpl.json
+++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_azactivity_log.tmpl.json
@ -11,7 +11,7 @@
        "value": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/${root_scope_id}-mgmt/providers/Microsoft.OperationalInsights/workspaces/${root_scope_id}-la"
      }
    },
-    "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ActivityLog",
+    "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2465583e-4e78-4c15-b6be-a36cbc7c8b0f",
    "scope": "${current_scope_resource_id}",
    "enforcementMode": null
  },
--- a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_log_analytics.tmpl.json
+++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_log_analytics.tmpl.json
@ -19,9 +19,12 @@
      "automationRegion": {
        "value": "${default_location}"
      },
-      "retentionInDays": {
+      "dataRetention": {
        "value": "30"
      },
+      "sku": {
+        "value": "pergb2018"
+      },
      "rgName": {
        "value": "${root_scope_id}-mgmt"
      },
@ -29,7 +32,7 @@
        "value": "DeployIfNotExists"
      }
    },
-    "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Log-Analytics",
+    "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8e3e61b3-0b32-22d5-4edf-55f87fdb5955",
    "scope": "${current_scope_resource_id}",
    "enforcementMode": null
  },
--- a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_private_dns_zones.tmpl.json
+++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_private_dns_zones.tmpl.json
@ -0,0 +1,79 @@
+{
+  "name": "Deploy-Private-DNS-Zones",
+  "type": "Microsoft.Authorization/policyAssignments",
+  "apiVersion": "2019-09-01",
+  "properties": {
+    "description": "This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones.",
+    "displayName": "Configure Azure PaaS services to use private DNS zones",
+    "notScopes": [],
+    "parameters": {
+      "azureFilePrivateDnsZoneId": {
+        "value": "${private_dns_zone_prefix}privatelink.afs.azure.net"
+      },
+      "azureWebPrivateDnsZoneId": {
+        "value": "${private_dns_zone_prefix}privatelink.webpubsub.azure.com"
+      },
+      "azureBatchPrivateDnsZoneId": {
+        "value": "${private_dns_zone_prefix}privatelink.${default_location}.batch.azure.com"
+      },
+      "azureAppPrivateDnsZoneId": {
+        "value": "${private_dns_zone_prefix}privatelink.azconfig.io"
+      },
+      "azureAsrPrivateDnsZoneId": {
+        "value": "${private_dns_zone_prefix}${default_location}.privatelink.siterecovery.windowsazure.com"
+      },
+      "azureIoTPrivateDnsZoneId": {
+        "value": "${private_dns_zone_prefix}privatelink.azure-devices-provisioning.net"
+      },
+      "azureKeyVaultPrivateDnsZoneId": {
+        "value": "${private_dns_zone_prefix}privatelink.vaultcore.azure.net"
+      },
+      "azureSignalRPrivateDnsZoneId": {
+        "value": "${private_dns_zone_prefix}privatelink.service.signalr.net"
+      },
+      "azureAppServicesPrivateDnsZoneId": {
+        "value": "${private_dns_zone_prefix}privatelink.azurewebsites.net"
+      },
+      "azureEventGridTopicsPrivateDnsZoneId": {
+        "value": "${private_dns_zone_prefix}privatelink.eventgrid.azure.net"
+      },
+      "azureDiskAccessPrivateDnsZoneId": {
+        "value": "${private_dns_zone_prefix}privatelink.blob.core.windows.net"
+      },
+      "azureCognitiveServicesPrivateDnsZoneId": {
+        "value": "${private_dns_zone_prefix}privatelink.cognitiveservices.azure.com"
+      },
+      "azureIotHubsPrivateDnsZoneId": {
+        "value": "${private_dns_zone_prefix}privatelink.azure-devices.net"
+      },
+      "azureEventGridDomainsPrivateDnsZoneId": {
+        "value": "${private_dns_zone_prefix}privatelink.eventgrid.azure.net"
+      },
+      "azureRedisCachePrivateDnsZoneId": {
+        "value": "${private_dns_zone_prefix}privatelink.redis.cache.windows.net"
+      },
+      "azureAcrPrivateDnsZoneId": {
+        "value": "${private_dns_zone_prefix}privatelink.azurecr.io"
+      },
+      "azureEventHubNamespacePrivateDnsZoneId": {
+        "value": "${private_dns_zone_prefix}privatelink.servicebus.windows.net"
+      },
+      "azureMachineLearningWorkspacePrivateDnsZoneId": {
+        "value": "${private_dns_zone_prefix}privatelink.api.azureml.ms"
+      },
+      "azureServiceBusNamespacePrivateDnsZoneId": {
+        "value": "${private_dns_zone_prefix}privatelink.servicebus.windows.net"
+      },
+      "azureCognitiveSearchPrivateDnsZoneId": {
+        "value": "${private_dns_zone_prefix}privatelink.search.windows.net"
+      }
+    },
+    "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones",
+    "scope": "${current_scope_resource_id}",
+    "enforcementMode": null
+  },
+  "location": "${default_location}",
+  "identity": {
+    "type": "SystemAssigned"
+  }
+}
--- a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_resource_diag.tmpl.json
+++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_resource_diag.tmpl.json
@ -11,7 +11,7 @@
        "value": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/${root_scope_id}-mgmt/providers/Microsoft.OperationalInsights/workspaces/${root_scope_id}-la"
      }
    },
-    "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Diag-LogAnalytics",
+    "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Diagnostics-LogAnalytics",
    "scope": "${current_scope_resource_id}",
    "enforcementMode": null
  },
--- a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_sql_db_auditing.tmpl.json
+++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_sql_db_auditing.tmpl.json
@ -3,8 +3,8 @@
  "type": "Microsoft.Authorization/policyAssignments",
  "apiVersion": "2019-09-01",
  "properties": {
-    "description": "Deploy-SQL-Audit.",
-    "displayName": "Deploy-SQL-Audit",
+    "description": "Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log.",
+    "displayName": "Auditing on SQL server should be enabled",
    "notScopes": [],
    "parameters": {},
    "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9",
--- a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_sql_threat.tmpl.json
+++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_sql_threat.tmpl.json
@ -0,0 +1,18 @@
+{
+  "name": "Deploy-SQL-Threat",
+  "type": "Microsoft.Authorization/policyAssignments",
+  "apiVersion": "2019-09-01",
+  "properties": {
+    "description": "This policy ensures that Threat Detection is enabled on SQL Servers.",
+    "displayName": "Deploy Threat Detection on SQL servers",
+    "notScopes": [],
+    "parameters": {},
+    "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/36d49e87-48c4-4f2e-beed-ba4ed02b71f5",
+    "scope": "${current_scope_resource_id}",
+    "enforcementMode": null
+  },
+  "location": "${default_location}",
+  "identity": {
+    "type": "SystemAssigned"
+  }
+}
--- a/Показать больше
+++ b/Показать больше