From 7a86224b58137c31cbacaa232b50bd642b41fb39 Mon Sep 17 00:00:00 2001
From: Senthuran Sivananthan
Date: Fri, 1 Apr 2022 14:21:03 -0400
Subject: [PATCH 1/3] Use built-in policy for Cosmos DB for Defender Plan
---
 .../azurepolicy.config.json | 4 --
 .../azurepolicy.parameters.json | 26 -------
 .../azurepolicy.rules.json | 69 -------------------
 .../policyset/DefenderForCloud.bicep | 9 +--
 .../DefenderForCloud.parameters.json | 6 +-
 5 files changed, 3 insertions(+), 111 deletions(-)
 delete mode 100644 policy/custom/definitions/policy/DefenderForCloud-Deploy-DefenderPlan-CosmosDB/azurepolicy.config.json
 delete mode 100644 policy/custom/definitions/policy/DefenderForCloud-Deploy-DefenderPlan-CosmosDB/azurepolicy.parameters.json
 delete mode 100644 policy/custom/definitions/policy/DefenderForCloud-Deploy-DefenderPlan-CosmosDB/azurepolicy.rules.json
diff --git a/policy/custom/definitions/policy/DefenderForCloud-Deploy-DefenderPlan-CosmosDB/azurepolicy.config.json b/policy/custom/definitions/policy/DefenderForCloud-Deploy-DefenderPlan-CosmosDB/azurepolicy.config.json
deleted file mode 100644
index 8ec9513c..00000000
--- a/policy/custom/definitions/policy/DefenderForCloud-Deploy-DefenderPlan-CosmosDB/azurepolicy.config.json
+++ /dev/null
@@ -1,4 +0,0 @@
-{
- "name": "Configure Microsoft Defender for Cosmos DB to be enabled",
- "mode": "all"
-}
\ No newline at end of file
diff --git a/policy/custom/definitions/policy/DefenderForCloud-Deploy-DefenderPlan-CosmosDB/azurepolicy.parameters.json b/policy/custom/definitions/policy/DefenderForCloud-Deploy-DefenderPlan-CosmosDB/azurepolicy.parameters.json
deleted file mode 100644
index e26bb99e..00000000
--- a/policy/custom/definitions/policy/DefenderForCloud-Deploy-DefenderPlan-CosmosDB/azurepolicy.parameters.json
+++ /dev/null
@@ -1,26 +0,0 @@
-{
- "pricingTier": {
- "type": "string",
- "metadata": {
- "displayName": "Azure Defender pricing tier",
- "description": "Azure Defender pricing tier"
- },
- "allowedValues": [
- "Standard",
- "Free"
- ],
- "defaultValue": "Standard"
- },
- "effect": {
- "type": "string",
- "metadata": {
- "displayName": "Effect",
- "description": "Enable or disable the execution of the policy"
- },
- "allowedValues": [
- "DeployIfNotExists",
- "Disabled"
- ],
- "defaultValue": "DeployIfNotExists"
- }
-}
\ No newline at end of file
diff --git a/policy/custom/definitions/policy/DefenderForCloud-Deploy-DefenderPlan-CosmosDB/azurepolicy.rules.json b/policy/custom/definitions/policy/DefenderForCloud-Deploy-DefenderPlan-CosmosDB/azurepolicy.rules.json
deleted file mode 100644
index 673ab77c..00000000
--- a/policy/custom/definitions/policy/DefenderForCloud-Deploy-DefenderPlan-CosmosDB/azurepolicy.rules.json
+++ /dev/null
@@ -1,69 +0,0 @@
-{
- "if": {
- "allOf": [
- {
- "field": "type",
- "equals": "Microsoft.Resources/subscriptions"
- }
- ]
- },
- "then": {
- "effect": "[parameters('effect')]",
- "details": {
- "type": "Microsoft.Security/pricings",
- "name": "CosmosDbs",
- "deploymentScope": "Subscription",
- "existenceScope": "Subscription",
- "roleDefinitionIds": [
- "/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd"
- ],
- "existenceCondition": {
- "allOf": [
- {
- "field": "Microsoft.Security/pricings/pricingTier",
- "equals": "[parameters('pricingTier')]"
- },
- {
- "field": "type",
- "equals": "Microsoft.Security/pricings"
- }
- ]
- },
- "deployment": {
- "location": "canadacentral",
- "properties": {
- "mode": "incremental",
- "parameters": {
- "pricingTier": {
- "value": "[parameters('pricingTier')]"
- }
- },
- "template": {
- "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- "pricingTier": {
- "type": "string",
- "metadata": {
- "description": "Azure Defender pricing tier"
- }
- }
- },
- "variables": {},
- "resources": [
- {
- "type": "Microsoft.Security/pricings",
- "apiVersion": "2018-06-01",
- "name": "CosmosDbs",
- "properties": {
- "pricingTier": "[parameters('pricingTier')]"
- }
- }
- ],
- "outputs": {}
- }
- }
- }
- }
- }
-}
\ No newline at end of file
diff --git a/policy/custom/definitions/policyset/DefenderForCloud.bicep b/policy/custom/definitions/policyset/DefenderForCloud.bicep
index 182a7514..853dbee4 100644
--- a/policy/custom/definitions/policyset/DefenderForCloud.bicep
+++ b/policy/custom/definitions/policyset/DefenderForCloud.bicep
@@ -9,11 +9,6 @@ targetScope = 'managementGroup'
-@description('Management Group scope for the policy definition.')
-param policyDefinitionManagementGroupId string
-
-var customPolicyDefinitionMgScope = tenantResourceId('Microsoft.Management/managementGroups', policyDefinitionManagementGroupId)
-
 resource ascAzureDefender 'Microsoft.Authorization/policySetDefinitions@2020-03-01' = {
 name: 'custom-enable-azure-defender'
 properties: {
@@ -173,8 +168,8 @@ resource ascAzureDefender 'Microsoft.Authorization/policySetDefinitions@2020-03-
 groupNames: [
 'EXTRA'
 ]
-policyDefinitionId: extensionResourceId(customPolicyDefinitionMgScope, 'Microsoft.Authorization/policyDefinitions', 'DefenderForCloud-Deploy-DefenderPlan-CosmosDB')
-policyDefinitionReferenceId: toLower(replace('Configure Microsoft Defender for Cosmos DB to be enabled', ' ', '-'))
+policyDefinitionId: '/providers/Microsoft.Authorization/policyDefinitions/82bf5b87-728b-4a74-ba4d-6123845cf542'
+policyDefinitionReferenceId: toLower(replace('Configure Microsoft Defender for Azure Cosmos DB to be enabled', ' ', '-'))
 parameters: {}
 }
 ]
diff --git a/policy/custom/definitions/policyset/DefenderForCloud.parameters.json b/policy/custom/definitions/policyset/DefenderForCloud.parameters.json
index 434f8920..1be78a2d 100644
--- a/policy/custom/definitions/policyset/DefenderForCloud.parameters.json
+++ b/policy/custom/definitions/policyset/DefenderForCloud.parameters.json
@@ -1,9 +1,5 @@
 {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
 "contentVersion": "1.0.0.0",
-"parameters": {
-"policyDefinitionManagementGroupId": {
-"value": "{{var-topLevelManagementGroupName}}"
-}
-}
+"parameters": {}
 }
\ No newline at end of file
From 08d1908c0a371be01537fabe7f840cc8d529a459 Mon Sep 17 00:00:00 2001
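Review bot: Renaming `policyDefinitionReferenceId` from `configure-microsoft-defender-for-cosmos-db-to-be-enabled` to `configure-microsoft-defender-for-azure-cosmos-db-to-be-enabled` in the second hunk is a breaking change for any existing assignment of `custom-enable-azure-defender` that names that reference (per-policy non-compliance messages and remediation tasks are keyed on it), so either keep the old string or call the rename out in the commit message. The new reference also passes `parameters: {}`, whereas the deleted custom definition exposed `effect` (default `DeployIfNotExists`) and `pricingTier` (default `Standard`); the initiative now silently relies on the built-in definition's defaults, which a comment on the reference would make visible, e.g. `// Built-in 'Configure Microsoft Defender for Azure Cosmos DB to be enabled'; uses the definition's default effect (presumably DeployIfNotExists — confirm)`. The `resource ascAzureDefender` body begins and ends outside the hunk, so whether any other entry still used `customPolicyDefinitionMgScope` cannot be checked here.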
From: Senthuran Sivananthan
Date: Fri, 1 Apr 2022 14:21:43 -0400
Subject: [PATCH 2/3] Add branch config
---
 .../CanadaESLZ-cosmosDBDefenderPlan.yml | 316 ++++++++++++++++++
 1 file changed, 316 insertions(+)
 create mode 100644 config/variables/CanadaESLZ-cosmosDBDefenderPlan.yml
diff --git a/config/variables/CanadaESLZ-cosmosDBDefenderPlan.yml b/config/variables/CanadaESLZ-cosmosDBDefenderPlan.yml
new file mode 100644
index 00000000..0f385516
--- /dev/null
+++ b/config/variables/CanadaESLZ-cosmosDBDefenderPlan.yml
@@ -0,0 +1,316 @@
+# ----------------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT license.
+#
+# THIS CODE AND INFORMATION ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND,
+# EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES
+# OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
+# ----------------------------------------------------------------------------------
+
+# Environment YAML files can be used to supplement
+# the variables specified in 'config/variables/common.yml'. You can:
+# * Override existing common-vars.yml variable value settings, and
+# * Create new variable values not present in common-vars.yml
+#
+# The naming convention for these YAML files is:
+# {organization}-{branch}.yml
+#
+# where {organization} is the organization variable from the
+# common.yml file
+# and {branch} is the Azure Repos branch name used by the
+# currently executing pipeline.
+
+variables:
+
+ # Management Groups
+ var-managementgroup-hierarchy: >
+ {
+ "name": "Tenant Root Group",
+ "id": "343ddfdb-bef5-46d9-99cf-ed67d5948783",
+ "children": [
+ {
+ "name": "Azure Landing Zones for Canadian Public Sector",
+ "id": "pubsec",
+ "children": [
+ {
+ "name": "Platform", "id": "pubsecPlatform",
+ "children": [
+ { "name": "Identity", "id": "pubsecPlatformIdentity", "children": [] },
+ { "name": "Connectivity", "id": "pubsecPlatformConnectivity", "children": [] },
+ { "name": "Management", "id": "pubsecPlatformManagement", "children": [] }
+ ]
+ },
+ {
+ "name": "LandingZones", "id": "pubsecLandingZones",
+ "children": [
+ { "name": "DevTest", "id": "pubsecLandingZonesDevTest", "children": [] },
+ { "name": "QA", "id": "pubsecLandingZonesQA", "children": [] },
+ { "name": "Prod", "id": "pubsecLandingZonesProd", "children": [] }
+ ]
+ },
+ {
+ "name": "Sandbox", "id": "pubsecSandbox",
+ "children": []
+ }
+ ]
+ }
+ ]
+ }
+
+ # Logging
+ var-logging-managementGroupId: pubsecPlatformManagement
+ var-logging-subscriptionId: bc0a4f9f-07fa-4284-b1bd-fbad38578d3a
+ var-logging-logAnalyticsResourceGroupName: pubsec-central-logging-rg
+ var-logging-logAnalyticsWorkspaceName: log-analytics-workspace
+ var-logging-logAnalyticsRetentionInDays: 730
+ var-logging-logAnalyticsAutomationAccountName: automation-account
+ var-logging-diagnosticSettingsforNetworkSecurityGroupsStoragePrefix: pubsecnsg
+ var-logging-serviceHealthAlerts: >
+ {
+ "resourceGroupName": "pubsec-service-health",
+ "incidentTypes": [ "Incident", "Security" ],
+ "regions": [ "Global", "Canada East", "Canada Central" ],
+ "receivers": {
+ "app": [ "alzcanadapubsec@microsoft.com" ],
+ "email": [ "alzcanadapubsec@microsoft.com" ],
+ "sms": [
+ { "countryCode": "1", "phoneNumber": "5555555555" }
+ ],
+ "voice": [
+ { "countryCode": "1", "phoneNumber": "5555555555" }
+ ]
+ },
+ "actionGroupName": "ALZ action group",
+ "actionGroupShortName": "alz-alert",
+ "alertRuleName": "ALZ alert rule",
+ "alertRuleDescription": "Alert rule for Azure Landing Zone"
+ }
+ var-logging-securityCenter: >
+ {
+ "email": "alzcanadapubsec@microsoft.com",
+ "phone": "5555555555"
+ }
+ var-logging-subscriptionRoleAssignments: >
+ [
+ {
+ "comments": "Built-in Contributor Role",
+ "roleDefinitionId": "b24988ac-6180-42a0-ab88-20f7382dd24c",
+ "securityGroupObjectIds": [
+ "38f33f7e-a471-4630-8ce9-c6653495a2ee"
+ ]
+ }
+ ]
+ var-logging-subscriptionBudget: >
+ {
+ "createBudget": false,
+ "name": "MonthlySubscriptionBudget",
+ "amount": 1000,
+ "timeGrain": "Monthly",
+ "contactEmails": [ "alzcanadapubsec@microsoft.com" ]
+ }
+ var-logging-subscriptionTags: >
+ {
+ "ISSO": "isso-tbd"
+ }
+ var-logging-resourceTags: >
+ {
+ "ClientOrganization": "client-organization-tag",
+ "CostCenter": "cost-center-tag",
+ "DataSensitivity": "data-sensitivity-tag",
+ "ProjectContact": "project-contact-tag",
+ "ProjectName": "project-name-tag",
+ "TechnicalContact": "technical-contact-tag"
+ }
+
+ # Hub Networking
+ var-hubnetwork-managementGroupId: pubsecPlatformConnectivity
+ var-hubnetwork-subscriptionId: ed7f4eed-9010-4227-b115-2a5e37728f27
+ var-hubnetwork-serviceHealthAlerts: >
+ {
+ "resourceGroupName": "pubsec-service-health",
+ "incidentTypes": [ "Incident", "Security" ],
+ "regions": [ "Global", "Canada East", "Canada Central" ],
+ "receivers": {
+ "app": [ "alzcanadapubsec@microsoft.com" ],
+ "email": [ "alzcanadapubsec@microsoft.com" ],
+ "sms": [
+ { "countryCode": "1", "phoneNumber": "5555555555" }
+ ],
+ "voice": [
+ { "countryCode": "1", "phoneNumber": "5555555555" }
+ ]
+ },
+ "actionGroupName": "ALZ action group",
+ "actionGroupShortName": "alz-alert",
+ "alertRuleName": "ALZ alert rule",
+ "alertRuleDescription": "Alert rule for Azure Landing Zone"
+ }
+ var-hubnetwork-securityCenter: >
+ {
+ "email": "alzcanadapubsec@microsoft.com",
+ "phone": "5555555555"
+ }
+ var-hubnetwork-subscriptionRoleAssignments: >
+ [
+ {
+ "comments": "Built-in Contributor Role",
+ "roleDefinitionId": "b24988ac-6180-42a0-ab88-20f7382dd24c",
+ "securityGroupObjectIds": [
+ "38f33f7e-a471-4630-8ce9-c6653495a2ee"
+ ]
+ }
+ ]
+ var-hubnetwork-subscriptionBudget: >
+ {
+ "createBudget": false,
+ "name": "MonthlySubscriptionBudget",
+ "amount": 1000,
+ "timeGrain": "Monthly",
+ "contactEmails": [ "alzcanadapubsec@microsoft.com" ]
+ }
+ var-hubnetwork-subscriptionTags: >
+ {
+ "ISSO": "isso-tbd"
+ }
+ var-hubnetwork-resourceTags: >
+ {
+ "ClientOrganization": "client-organization-tag",
+ "CostCenter": "cost-center-tag",
+ "DataSensitivity": "data-sensitivity-tag",
+ "ProjectContact": "project-contact-tag",
+ "ProjectName": "project-name-tag",
+ "TechnicalContact": "technical-contact-tag"
+ }
+
+ ## Hub Networking - Private Dns Zones
+ var-hubnetwork-deployPrivateDnsZones: true
+ var-hubnetwork-rgPrivateDnsZonesName: pubsec-dns-rg
+
+ ## Hub Networking - DDOS
+ var-hubnetwork-deployDdosStandard: false
+ var-hubnetwork-rgDdosName: pubsec-ddos-rg
+ var-hubnetwork-ddosPlanName: ddos-plan
+
+ ## Hub Networking - Public Zone
+ var-hubnetwork-rgPazName: pubsec-public-access-zone-rg
+
+ ## Hub Networking - Management Restricted Zone Virtual Network
+ var-hubnetwork-rgMrzName: pubsec-management-restricted-zone-rg
+ var-hubnetwork-mrzVnetName: management-restricted-vnet
+ var-hubnetwork-mrzVnetAddressPrefixRFC1918: 10.18.4.0/22
+
+ var-hubnetwork-mrzMazSubnetName: MazSubnet
+ var-hubnetwork-mrzMazSubnetAddressPrefix: 10.18.4.0/25
+
+ var-hubnetwork-mrzInfSubnetName: InfSubnet
+ var-hubnetwork-mrzInfSubnetAddressPrefix: 10.18.4.128/25
+
+ var-hubnetwork-mrzSecSubnetName: SecSubnet
+ var-hubnetwork-mrzSecSubnetAddressPrefix: 10.18.5.0/26
+
+ var-hubnetwork-mrzLogSubnetName: LogSubnet
+ var-hubnetwork-mrzLogSubnetAddressPrefix: 10.18.5.64/26
+
+ var-hubnetwork-mrzMgmtSubnetName: MgmtSubnet
+ var-hubnetwork-mrzMgmtSubnetAddressPrefix: 10.18.5.128/26
+
+ var-hubnetwork-bastionName: bastion
+ var-hubnetwork-bastionSku: Standard
+ var-hubnetwork-bastionScaleUnits: 2
+
+ ####################################################################################
+ ### Hub Networking with Azure Firewall ###
+ ####################################################################################
+ var-hubnetwork-azfw-rgPolicyName: pubsec-azure-firewall-policy-rg
+ var-hubnetwork-azfw-policyName: pubsecAzureFirewallPolicy
+
+ var-hubnetwork-azfw-rgHubName: pubsec-hub-networking-rg
+ var-hubnetwork-azfw-hubVnetName: hub-vnet
+ var-hubnetwork-azfw-hubVnetAddressPrefixRFC1918: 10.18.0.0/22
+ var-hubnetwork-azfw-hubVnetAddressPrefixRFC6598: 100.60.0.0/16
+ var-hubnetwork-azfw-hubVnetAddressPrefixBastion: 192.168.0.0/16
+
+ var-hubnetwork-azfw-hubPazSubnetName: PAZSubnet
+ var-hubnetwork-azfw-hubPazSubnetAddressPrefix: 100.60.1.0/24
+
+ var-hubnetwork-azfw-hubGatewaySubnetPrefix: 10.18.0.0/27
+ var-hubnetwork-azfw-hubAzureFirewallSubnetAddressPrefix: 10.18.1.0/24
+ var-hubnetwork-azfw-hubAzureFirewallManagementSubnetAddressPrefix: 10.18.2.0/26
+ var-hubnetwork-azfw-hubBastionSubnetAddressPrefix: 192.168.0.0/24
+
+ var-hubnetwork-azfw-azureFirewallName: pubsecAzureFirewall
+ var-hubnetwork-azfw-azureFirewallZones: '["1", "2", "3"]'
+ var-hubnetwork-azfw-azureFirewallForcedTunnelingEnabled: false
+ var-hubnetwork-azfw-azureFirewallForcedTunnelingNextHop: 10.17.1.4
+
+ ####################################################################################
+ ### Hub Networking with Fortinet Firewalls ###
+ ####################################################################################
+
+ ## Hub Networking - Core Virtual Network
+ var-hubnetwork-nva-rgHubName: pubsec-hub-networking-rg
+ var-hubnetwork-nva-hubVnetName: hub-vnet
+ var-hubnetwork-nva-hubVnetAddressPrefixRFC1918: 10.18.0.0/22
+ var-hubnetwork-nva-hubVnetAddressPrefixRFC6598: 100.60.0.0/16
+ var-hubnetwork-nva-hubVnetAddressPrefixBastion: 192.168.0.0/16
+
+ var-hubnetwork-nva-hubEanSubnetName: EanSubnet
+ var-hubnetwork-nva-hubEanSubnetAddressPrefix: 10.18.0.0/27
+
+ var-hubnetwork-nva-hubPublicSubnetName: PublicSubnet
+ var-hubnetwork-nva-hubPublicSubnetAddressPrefix: 100.60.0.0/24
+
+ var-hubnetwork-nva-hubPazSubnetName: PAZSubnet
+ var-hubnetwork-nva-hubPazSubnetAddressPrefix: 100.60.1.0/24
+
+ var-hubnetwork-nva-hubDevIntSubnetName: DevIntSubnet
+ var-hubnetwork-nva-hubDevIntSubnetAddressPrefix: 10.18.0.64/27
+
+ var-hubnetwork-nva-hubProdIntSubnetName: PrdIntSubnet
+ var-hubnetwork-nva-hubProdIntSubnetAddressPrefix: 10.18.0.32/27
+
+ var-hubnetwork-nva-hubMrzIntSubnetName: MrzSubnet
+ var-hubnetwork-nva-hubMrzIntSubnetAddressPrefix: 10.18.0.96/27
+
+ var-hubnetwork-nva-hubHASubnetName: HASubnet
+ var-hubnetwork-nva-hubHASubnetAddressPrefix: 10.18.0.128/28
+
+ var-hubnetwork-nva-hubGatewaySubnetPrefix: 10.18.1.0/27
+
+ var-hubnetwork-nva-hubBastionSubnetAddressPrefix: 192.168.0.0/24
+
+ ## Hub Networking - Firewall Virtual Appliances
+ var-hubnetwork-nva-deployFirewallVMs: false
+ var-hubnetwork-nva-useFortigateFW: false
+
+ ### Hub Networking - Firewall Virtual Appliances - For Non-production Traffic
+ var-hubnetwork-nva-fwDevILBName: pubsecDevFWILB
+ var-hubnetwork-nva-fwDevVMSku: Standard_D8s_v4
+ var-hubnetwork-nva-fwDevVM1Name: pubsecDevFW1
+ var-hubnetwork-nva-fwDevVM2Name: pubsecDevFW2
+ var-hubnetwork-nva-fwDevILBExternalFacingIP: 100.60.0.7
+ var-hubnetwork-nva-fwDevVM1ExternalFacingIP: 100.60.0.8
+ var-hubnetwork-nva-fwDevVM2ExternalFacingIP: 100.60.0.9
+ var-hubnetwork-nva-fwDevVM1MrzIntIP: 10.18.0.104
+ var-hubnetwork-nva-fwDevVM2MrzIntIP: 10.18.0.105
+ var-hubnetwork-nva-fwDevILBDevIntIP: 10.18.0.68
+ var-hubnetwork-nva-fwDevVM1DevIntIP: 10.18.0.69
+ var-hubnetwork-nva-fwDevVM2DevIntIP: 10.18.0.70
+ var-hubnetwork-nva-fwDevVM1HAIP: 10.18.0.134
+ var-hubnetwork-nva-fwDevVM2HAIP: 10.18.0.135
+
+ ### Hub Networking - Firewall Virtual Appliances - For Production Traffic
+ var-hubnetwork-nva-fwProdILBName: pubsecProdFWILB
+ var-hubnetwork-nva-fwProdVMSku: Standard_F8s_v2
+ var-hubnetwork-nva-fwProdVM1Name: pubsecProdFW1
+ var-hubnetwork-nva-fwProdVM2Name: pubsecProdFW2
+ var-hubnetwork-nva-fwProdILBExternalFacingIP: 100.60.0.4
+ var-hubnetwork-nva-fwProdVM1ExternalFacingIP: 100.60.0.5
+ var-hubnetwork-nva-fwProdVM2ExternalFacingIP: 100.60.0.6
+ var-hubnetwork-nva-fwProdVM1MrzIntIP: 10.18.0.101
+ var-hubnetwork-nva-fwProdVM2MrzIntIP: 10.18.0.102
+ var-hubnetwork-nva-fwProdILBPrdIntIP: 10.18.0.36
+ var-hubnetwork-nva-fwProdVM1PrdIntIP: 10.18.0.37
+ var-hubnetwork-nva-fwProdVM2PrdIntIP: 10.18.0.38
+ var-hubnetwork-nva-fwProdVM1HAIP: 10.18.0.132
+ var-hubnetwork-nva-fwProdVM2HAIP: 10.18.0.133
\ No newline at end of file
From 4e17901611a46bb7702ec328a35534e84e2b8d10 Mon Sep 17 00:00:00 2001
From: Senthuran Sivananthan
Date: Fri, 1 Apr 2022 15:35:27 -0400
Subject: [PATCH 3/3] Remove branch config
---
 .../CanadaESLZ-cosmosDBDefenderPlan.yml | 316 ------------------
 1 file changed, 316 deletions(-)
 delete mode 100644 config/variables/CanadaESLZ-cosmosDBDefenderPlan.yml
diff --git a/config/variables/CanadaESLZ-cosmosDBDefenderPlan.yml b/config/variables/CanadaESLZ-cosmosDBDefenderPlan.yml
deleted file mode 100644
index 0f385516..00000000
--- a/config/variables/CanadaESLZ-cosmosDBDefenderPlan.yml
+++ /dev/null
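Review bot: This branch-specific variables file is added here and deleted again in PATCH 3/3 of the same series, so the tenant root group id, the two subscription ids, the security-group object id and the contact mailbox it carries stay in repository history even though no branch consumes the file once the series lands. If the file exists only to drive one pipeline run for the Cosmos DB Defender plan, squashing the add/remove pair before merge, or keeping throwaway branch variables in a pipeline variable group instead of the repo, avoids that; if it must be committed, identifiers should be placeholders the way the `5555555555` phone numbers already are. The `{organization}-{branch}.yml` header comment implies a branch named `cosmosDBDefenderPlan`, which is worth stating in the commit message so the purpose of the transient file is recoverable later.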
@@ -1,316 +0,0 @@
-# ----------------------------------------------------------------------------------
-# Copyright (c) Microsoft Corporation.
-# Licensed under the MIT license.
-#
-# THIS CODE AND INFORMATION ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND,
-# EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES
-# OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
-# ----------------------------------------------------------------------------------
-
-# Environment YAML files can be used to supplement
-# the variables specified in 'config/variables/common.yml'. You can:
-# * Override existing common-vars.yml variable value settings, and
-# * Create new variable values not present in common-vars.yml
-#
-# The naming convention for these YAML files is:
-# {organization}-{branch}.yml
-#
-# where {organization} is the organization variable from the
-# common.yml file
-# and {branch} is the Azure Repos branch name used by the
-# currently executing pipeline.
-
-variables:
-
- # Management Groups
- var-managementgroup-hierarchy: >
- {
- "name": "Tenant Root Group",
- "id": "343ddfdb-bef5-46d9-99cf-ed67d5948783",
- "children": [
- {
- "name": "Azure Landing Zones for Canadian Public Sector",
- "id": "pubsec",
- "children": [
- {
- "name": "Platform", "id": "pubsecPlatform",
- "children": [
- { "name": "Identity", "id": "pubsecPlatformIdentity", "children": [] },
- { "name": "Connectivity", "id": "pubsecPlatformConnectivity", "children": [] },
- { "name": "Management", "id": "pubsecPlatformManagement", "children": [] }
- ]
- },
- {
- "name": "LandingZones", "id": "pubsecLandingZones",
- "children": [
- { "name": "DevTest", "id": "pubsecLandingZonesDevTest", "children": [] },
- { "name": "QA", "id": "pubsecLandingZonesQA", "children": [] },
- { "name": "Prod", "id": "pubsecLandingZonesProd", "children": [] }
- ]
- },
- {
- "name": "Sandbox", "id": "pubsecSandbox",
- "children": []
- }
- ]
- }
- ]
- }
-
- # Logging
- var-logging-managementGroupId: pubsecPlatformManagement
- var-logging-subscriptionId: bc0a4f9f-07fa-4284-b1bd-fbad38578d3a
- var-logging-logAnalyticsResourceGroupName: pubsec-central-logging-rg
- var-logging-logAnalyticsWorkspaceName: log-analytics-workspace
- var-logging-logAnalyticsRetentionInDays: 730
- var-logging-logAnalyticsAutomationAccountName: automation-account
- var-logging-diagnosticSettingsforNetworkSecurityGroupsStoragePrefix: pubsecnsg
- var-logging-serviceHealthAlerts: >
- {
- "resourceGroupName": "pubsec-service-health",
- "incidentTypes": [ "Incident", "Security" ],
- "regions": [ "Global", "Canada East", "Canada Central" ],
- "receivers": {
- "app": [ "alzcanadapubsec@microsoft.com" ],
- "email": [ "alzcanadapubsec@microsoft.com" ],
- "sms": [
- { "countryCode": "1", "phoneNumber": "5555555555" }
- ],
- "voice": [
- { "countryCode": "1", "phoneNumber": "5555555555" }
- ]
- },
- "actionGroupName": "ALZ action group",
- "actionGroupShortName": "alz-alert",
- "alertRuleName": "ALZ alert rule",
- "alertRuleDescription": "Alert rule for Azure Landing Zone"
- }
- var-logging-securityCenter: >
- {
- "email": "alzcanadapubsec@microsoft.com",
- "phone": "5555555555"
- }
- var-logging-subscriptionRoleAssignments: >
- [
- {
- "comments": "Built-in Contributor Role",
- "roleDefinitionId": "b24988ac-6180-42a0-ab88-20f7382dd24c",
- "securityGroupObjectIds": [
- "38f33f7e-a471-4630-8ce9-c6653495a2ee"
- ]
- }
- ]
- var-logging-subscriptionBudget: >
- {
- "createBudget": false,
- "name": "MonthlySubscriptionBudget",
- "amount": 1000,
- "timeGrain": "Monthly",
- "contactEmails": [ "alzcanadapubsec@microsoft.com" ]
- }
- var-logging-subscriptionTags: >
- {
- "ISSO": "isso-tbd"
- }
- var-logging-resourceTags: >
- {
- "ClientOrganization": "client-organization-tag",
- "CostCenter": "cost-center-tag",
- "DataSensitivity": "data-sensitivity-tag",
- "ProjectContact": "project-contact-tag",
- "ProjectName": "project-name-tag",
- "TechnicalContact": "technical-contact-tag"
- }
-
- # Hub Networking
- var-hubnetwork-managementGroupId: pubsecPlatformConnectivity
- var-hubnetwork-subscriptionId: ed7f4eed-9010-4227-b115-2a5e37728f27
- var-hubnetwork-serviceHealthAlerts: >
- {
- "resourceGroupName": "pubsec-service-health",
- "incidentTypes": [ "Incident", "Security" ],
- "regions": [ "Global", "Canada East", "Canada Central" ],
- "receivers": {
- "app": [ "alzcanadapubsec@microsoft.com" ],
- "email": [ "alzcanadapubsec@microsoft.com" ],
- "sms": [
- { "countryCode": "1", "phoneNumber": "5555555555" }
- ],
- "voice": [
- { "countryCode": "1", "phoneNumber": "5555555555" }
- ]
- },
- "actionGroupName": "ALZ action group",
- "actionGroupShortName": "alz-alert",
- "alertRuleName": "ALZ alert rule",
- "alertRuleDescription": "Alert rule for Azure Landing Zone"
- }
- var-hubnetwork-securityCenter: >
- {
- "email": "alzcanadapubsec@microsoft.com",
- "phone": "5555555555"
- }
- var-hubnetwork-subscriptionRoleAssignments: >
- [
- {
- "comments": "Built-in Contributor Role",
- "roleDefinitionId": "b24988ac-6180-42a0-ab88-20f7382dd24c",
- "securityGroupObjectIds": [
- "38f33f7e-a471-4630-8ce9-c6653495a2ee"
- ]
- }
- ]
- var-hubnetwork-subscriptionBudget: >
- {
- "createBudget": false,
- "name": "MonthlySubscriptionBudget",
- "amount": 1000,
- "timeGrain": "Monthly",
- "contactEmails": [ "alzcanadapubsec@microsoft.com" ]
- }
- var-hubnetwork-subscriptionTags: >
- {
- "ISSO": "isso-tbd"
- }
- var-hubnetwork-resourceTags: >
- {
- "ClientOrganization": "client-organization-tag",
- "CostCenter": "cost-center-tag",
- "DataSensitivity": "data-sensitivity-tag",
- "ProjectContact": "project-contact-tag",
- "ProjectName": "project-name-tag",
- "TechnicalContact": "technical-contact-tag"
- }
-
- ## Hub Networking - Private Dns Zones
- var-hubnetwork-deployPrivateDnsZones: true
- var-hubnetwork-rgPrivateDnsZonesName: pubsec-dns-rg
-
- ## Hub Networking - DDOS
- var-hubnetwork-deployDdosStandard: false
- var-hubnetwork-rgDdosName: pubsec-ddos-rg
- var-hubnetwork-ddosPlanName: ddos-plan
-
- ## Hub Networking - Public Zone
- var-hubnetwork-rgPazName: pubsec-public-access-zone-rg
-
- ## Hub Networking - Management Restricted Zone Virtual Network
- var-hubnetwork-rgMrzName: pubsec-management-restricted-zone-rg
- var-hubnetwork-mrzVnetName: management-restricted-vnet
- var-hubnetwork-mrzVnetAddressPrefixRFC1918: 10.18.4.0/22
-
- var-hubnetwork-mrzMazSubnetName: MazSubnet
- var-hubnetwork-mrzMazSubnetAddressPrefix: 10.18.4.0/25
-
- var-hubnetwork-mrzInfSubnetName: InfSubnet
- var-hubnetwork-mrzInfSubnetAddressPrefix: 10.18.4.128/25
-
- var-hubnetwork-mrzSecSubnetName: SecSubnet
- var-hubnetwork-mrzSecSubnetAddressPrefix: 10.18.5.0/26
-
- var-hubnetwork-mrzLogSubnetName: LogSubnet
- var-hubnetwork-mrzLogSubnetAddressPrefix: 10.18.5.64/26
-
- var-hubnetwork-mrzMgmtSubnetName: MgmtSubnet
- var-hubnetwork-mrzMgmtSubnetAddressPrefix: 10.18.5.128/26
-
- var-hubnetwork-bastionName: bastion
- var-hubnetwork-bastionSku: Standard
- var-hubnetwork-bastionScaleUnits: 2
-
- ####################################################################################
- ### Hub Networking with Azure Firewall ###
- ####################################################################################
- var-hubnetwork-azfw-rgPolicyName: pubsec-azure-firewall-policy-rg
- var-hubnetwork-azfw-policyName: pubsecAzureFirewallPolicy
-
- var-hubnetwork-azfw-rgHubName: pubsec-hub-networking-rg
- var-hubnetwork-azfw-hubVnetName: hub-vnet
- var-hubnetwork-azfw-hubVnetAddressPrefixRFC1918: 10.18.0.0/22
- var-hubnetwork-azfw-hubVnetAddressPrefixRFC6598: 100.60.0.0/16
- var-hubnetwork-azfw-hubVnetAddressPrefixBastion: 192.168.0.0/16
-
- var-hubnetwork-azfw-hubPazSubnetName: PAZSubnet
- var-hubnetwork-azfw-hubPazSubnetAddressPrefix: 100.60.1.0/24
-
- var-hubnetwork-azfw-hubGatewaySubnetPrefix: 10.18.0.0/27
- var-hubnetwork-azfw-hubAzureFirewallSubnetAddressPrefix: 10.18.1.0/24
- var-hubnetwork-azfw-hubAzureFirewallManagementSubnetAddressPrefix: 10.18.2.0/26
- var-hubnetwork-azfw-hubBastionSubnetAddressPrefix: 192.168.0.0/24
-
- var-hubnetwork-azfw-azureFirewallName: pubsecAzureFirewall
- var-hubnetwork-azfw-azureFirewallZones: '["1", "2", "3"]'
- var-hubnetwork-azfw-azureFirewallForcedTunnelingEnabled: false
- var-hubnetwork-azfw-azureFirewallForcedTunnelingNextHop: 10.17.1.4
-
- ####################################################################################
- ### Hub Networking with Fortinet Firewalls ###
- ####################################################################################
-
- ## Hub Networking - Core Virtual Network
- var-hubnetwork-nva-rgHubName: pubsec-hub-networking-rg
- var-hubnetwork-nva-hubVnetName: hub-vnet
- var-hubnetwork-nva-hubVnetAddressPrefixRFC1918: 10.18.0.0/22
- var-hubnetwork-nva-hubVnetAddressPrefixRFC6598: 100.60.0.0/16
- var-hubnetwork-nva-hubVnetAddressPrefixBastion: 192.168.0.0/16
-
- var-hubnetwork-nva-hubEanSubnetName: EanSubnet
- var-hubnetwork-nva-hubEanSubnetAddressPrefix: 10.18.0.0/27
-
- var-hubnetwork-nva-hubPublicSubnetName: PublicSubnet
- var-hubnetwork-nva-hubPublicSubnetAddressPrefix: 100.60.0.0/24
-
- var-hubnetwork-nva-hubPazSubnetName: PAZSubnet
- var-hubnetwork-nva-hubPazSubnetAddressPrefix: 100.60.1.0/24
-
- var-hubnetwork-nva-hubDevIntSubnetName: DevIntSubnet
- var-hubnetwork-nva-hubDevIntSubnetAddressPrefix: 10.18.0.64/27
-
- var-hubnetwork-nva-hubProdIntSubnetName: PrdIntSubnet
- var-hubnetwork-nva-hubProdIntSubnetAddressPrefix: 10.18.0.32/27
-
- var-hubnetwork-nva-hubMrzIntSubnetName: MrzSubnet
- var-hubnetwork-nva-hubMrzIntSubnetAddressPrefix: 10.18.0.96/27
-
- var-hubnetwork-nva-hubHASubnetName: HASubnet
- var-hubnetwork-nva-hubHASubnetAddressPrefix: 10.18.0.128/28
-
- var-hubnetwork-nva-hubGatewaySubnetPrefix: 10.18.1.0/27
-
- var-hubnetwork-nva-hubBastionSubnetAddressPrefix: 192.168.0.0/24
-
- ## Hub Networking - Firewall Virtual Appliances
- var-hubnetwork-nva-deployFirewallVMs: false
- var-hubnetwork-nva-useFortigateFW: false
-
- ### Hub Networking - Firewall Virtual Appliances - For Non-production Traffic
- var-hubnetwork-nva-fwDevILBName: pubsecDevFWILB
- var-hubnetwork-nva-fwDevVMSku: Standard_D8s_v4
- var-hubnetwork-nva-fwDevVM1Name: pubsecDevFW1
- var-hubnetwork-nva-fwDevVM2Name: pubsecDevFW2
- var-hubnetwork-nva-fwDevILBExternalFacingIP: 100.60.0.7
- var-hubnetwork-nva-fwDevVM1ExternalFacingIP: 100.60.0.8
- var-hubnetwork-nva-fwDevVM2ExternalFacingIP: 100.60.0.9
- var-hubnetwork-nva-fwDevVM1MrzIntIP: 10.18.0.104
- var-hubnetwork-nva-fwDevVM2MrzIntIP: 10.18.0.105
- var-hubnetwork-nva-fwDevILBDevIntIP: 10.18.0.68
- var-hubnetwork-nva-fwDevVM1DevIntIP: 10.18.0.69
- var-hubnetwork-nva-fwDevVM2DevIntIP: 10.18.0.70
- var-hubnetwork-nva-fwDevVM1HAIP: 10.18.0.134
- var-hubnetwork-nva-fwDevVM2HAIP: 10.18.0.135
-
- ### Hub Networking - Firewall Virtual Appliances - For Production Traffic
- var-hubnetwork-nva-fwProdILBName: pubsecProdFWILB
- var-hubnetwork-nva-fwProdVMSku: Standard_F8s_v2
- var-hubnetwork-nva-fwProdVM1Name: pubsecProdFW1
- var-hubnetwork-nva-fwProdVM2Name: pubsecProdFW2
- var-hubnetwork-nva-fwProdILBExternalFacingIP: 100.60.0.4
- var-hubnetwork-nva-fwProdVM1ExternalFacingIP: 100.60.0.5
- var-hubnetwork-nva-fwProdVM2ExternalFacingIP: 100.60.0.6
- var-hubnetwork-nva-fwProdVM1MrzIntIP: 10.18.0.101
- var-hubnetwork-nva-fwProdVM2MrzIntIP: 10.18.0.102
- var-hubnetwork-nva-fwProdILBPrdIntIP: 10.18.0.36
- var-hubnetwork-nva-fwProdVM1PrdIntIP: 10.18.0.37
- var-hubnetwork-nva-fwProdVM2PrdIntIP: 10.18.0.38
- var-hubnetwork-nva-fwProdVM1HAIP: 10.18.0.132
- var-hubnetwork-nva-fwProdVM2HAIP: 10.18.0.133
\ No newline at end of file