From 068f0b2beaf95f63240abe190c46b1c398056721 Mon Sep 17 00:00:00 2001
From: "Jason Masten (from Dev Box)"
Date: Tue, 6 Feb 2024 13:50:13 -0500
Subject: [PATCH] Moved CMK resources to HUB
---
.../core/hub-customer-managed-keys.bicep | 52 +++++++++++++++++++
src/bicep/mlz.bicep | 44 ++++++++--------
src/bicep/mlz.json | 52 +++++++++----------
3 files changed, 99 insertions(+), 49 deletions(-)
create mode 100644 src/bicep/core/hub-customer-managed-keys.bicep
diff --git a/src/bicep/core/hub-customer-managed-keys.bicep b/src/bicep/core/hub-customer-managed-keys.bicep
new file mode 100644
index 000000000..d4a7fcd7b
--- /dev/null
+++ b/src/bicep/core/hub-customer-managed-keys.bicep
@@ -0,0 +1,52 @@
+/*
+Copyright (c) Microsoft Corporation.
+Licensed under the MIT License.
+*/
+
+param diskEncryptionSetName string
+param deploymentNameSuffix string
+param keyVaultName string
+param keyVaultPrivateDnsZoneResourceId string
+param location string
+param resourcePrefix string
+param subnetResourceId string
+param tags object
+param userAssignedIdentityName string
+
+module keyVault '../modules/key-vault.bicep' = {
+ name: 'deploy-key-vault-${deploymentNameSuffix}'
+ params: {
+ keyVaultName: keyVaultName
+ keyVaultPrivateDnsZoneResourceId: keyVaultPrivateDnsZoneResourceId
+ location: location
+ resourcePrefix: resourcePrefix
+ subnetResourceId: subnetResourceId
+ tags: tags
+ }
+}
+
+module diskEncryptionSet '../modules/disk-encryption-set.bicep' = {
+ name: 'deploy-disk-encryption-set_${deploymentNameSuffix}'
+ params: {
+ deploymentNameSuffix: deploymentNameSuffix
+ diskEncryptionSetName: diskEncryptionSetName
+ keyUrl: keyVault.outputs.keyUriWithVersion
+ keyVaultResourceId: keyVault.outputs.keyVaultResourceId
+ location: location
+ tags: contains(tags, 'Microsoft.Compute/diskEncryptionSets') ? tags['Microsoft.Compute/diskEncryptionSets'] : {}
+ }
+}
+
+module userAssignedIdentity '../modules/user-assigned-identity.bicep' = {
+ name: 'deploy-user-assigned-identity-${deploymentNameSuffix}'
+ params: {
+ location: location
+ name: userAssignedIdentityName
+ tags: tags
+ }
+}
+
+output diskEncryptionSetResourceId string = diskEncryptionSet.outputs.resourceId
+output keyVaultUri string = keyVault.outputs.keyVaultUri
+output storageKeyName string = keyVault.outputs.storageKeyName
+output userAssignedIdentityResourceId string = userAssignedIdentity.outputs.resourceId
diff --git a/src/bicep/mlz.bicep b/src/bicep/mlz.bicep
index ef54ad93e..9a32638e1 100644
--- a/src/bicep/mlz.bicep
+++ b/src/bicep/mlz.bicep
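Review bot: Nothing in this module connects `userAssignedIdentity` to `keyVault`: the identity is created with only a location, name and tags, and the vault module receives no principal ID, so where the identity is granted access to the storage encryption key is not visible here. Because the identity's resource ID and `storageKeyName` are exported for other modules to use for customer-managed-key encryption, I would document the grant at the module, e.g. `// Key access for this identity is assigned in <module that holds the role assignment>; keep it scoped to the storage encryption key, not the whole vault.` The params also carry no `@description` decorators, and the `deploy-disk-encryption-set_${deploymentNameSuffix}` deployment name uses an underscore where the other two module deployments use a hyphen.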
@@ -564,6 +564,10 @@ var virtualNetworkNamingConvention = replace(namingConvention, resourceToken, 'v var hubName = 'hub' var hubShortName = 'hub' +var hubDiskEncryptionSetName = replace(diskEncryptionSetNamingConvention, nameToken, hubName) +var hubKeyVaultName = take(hubKeyVaultUniqueName, 24) +var hubKeyVaultShortName = replace(keyVaultNamingConvention, nameToken, hubShortName) +var hubKeyVaultUniqueName = replace(hubKeyVaultShortName, 'unique_token', uniqueString(resourcePrefix, resourceSuffix, hubSubscriptionId)) var hubLogStorageAccountName = take(hubLogStorageAccountUniqueName, 24) var hubLogStorageAccountShortName = replace(storageAccountNamingConvention, nameToken, hubShortName) var hubLogStorageAccountUniqueName = replace(hubLogStorageAccountShortName, 'unique_token', uniqueString(resourcePrefix, resourceSuffix, hubSubscriptionId)) @@ -572,6 +576,7 @@ var hubNetworkSecurityGroupName = replace(networkSecurityGroupNamingConvention, var hubResourceGroupName = replace(resourceGroupNamingConvention, nameToken, hubName) var hubRouteTableName = replace(routeTableNamingConvention, nameToken, hubName) var hubSubnetName = replace(subnetNamingConvention, nameToken, hubName) +var hubUserAssignedIdentityName = replace(userAssignedIdentityNamingConvention, nameToken, hubName) var hubVirtualNetworkName = replace(virtualNetworkNamingConvention, nameToken, hubName) // IDENTITY NAMES 
@@ -591,10 +596,6 @@ var identityVirtualNetworkName = replace(virtualNetworkNamingConvention, nameTok var operationsName = 'operations' var operationsShortName = 'ops' -var operationsDiskEncryptionSetName = replace(diskEncryptionSetNamingConvention, nameToken, operationsName) -var operationsKeyVaultName = take(operationsKeyVaultUniqueName, 24) -var operationsKeyVaultShortName = replace(keyVaultNamingConvention, nameToken, operationsShortName) -var operationsKeyVaultUniqueName = replace(operationsKeyVaultShortName, 'unique_token', uniqueString(resourcePrefix, resourceSuffix, operationsSubscriptionId)) var operationsLogStorageAccountName = take(operationsLogStorageAccountUniqueName, 24) var operationsLogStorageAccountShortName = replace(storageAccountNamingConvention, nameToken, operationsShortName) var operationsLogStorageAccountUniqueName = replace(operationsLogStorageAccountShortName, 'unique_token', uniqueString(resourcePrefix, resourceSuffix, operationsSubscriptionId)) @@ -602,7 +603,7 @@ var operationsNetworkSecurityGroupName = replace(networkSecurityGroupNamingConve var operationsResourceGroupName = replace(resourceGroupNamingConvention, nameToken, operationsName) var operationsRouteTableName = replace(routeTableNamingConvention, nameToken, operationsName) var operationsSubnetName = replace(subnetNamingConvention, nameToken, operationsName) -var operationsUserAssignedIdentityName = replace(userAssignedIdentityNamingConvention, nameToken, operationsName) + var operationsVirtualNetworkName = replace(virtualNetworkNamingConvention, nameToken, operationsName) // SHARED SERVICES NAMES 
@@ -904,25 +905,22 @@ module privateDnsZones './modules/private-dns.bicep' = { ] } -// OPERATIONS CMK DEPENDANCIES +// CUSTOMER MANAGED KEYS -module operationsCustomerManagedKeys './core/operations-customer-managed-keys.bicep' = { - name: 'deploy-cmk-ops-${deploymentNameSuffix}' - scope: resourceGroup(operationsSubscriptionId, operationsResourceGroupName) +module customerManagedKeys './core/hub-customer-managed-keys.bicep' = { + name: 'deploy-cmk-hub-${deploymentNameSuffix}' + scope: resourceGroup(hubSubscriptionId, hubResourceGroupName) params: { deploymentNameSuffix: deploymentNameSuffix - diskEncryptionSetName: operationsDiskEncryptionSetName - keyVaultName: operationsKeyVaultName + diskEncryptionSetName: hubDiskEncryptionSetName + keyVaultName: hubKeyVaultName keyVaultPrivateDnsZoneResourceId: privateDnsZones.outputs.keyvaultDnsPrivateDnsZoneId location: location resourcePrefix: resourcePrefix - subnetResourceId: spokeNetworks[0].outputs.subnetResourceId + subnetResourceId: hubNetwork.outputs.subnetResourceId tags: calculatedTags - userAssignedIdentityName: operationsUserAssignedIdentityName + userAssignedIdentityName: hubUserAssignedIdentityName } - dependsOn: [ - spokeNetworks - ] } // AZURE MONITOR @@ -994,7 +992,7 @@ module remoteAccess './core/remote-access.bicep' = if (deployRemoteAccess) { windowsVmSku: windowsVmSku windowsVmStorageAccountType: windowsVmStorageAccountType windowsVmVersion: windowsVmVersion - diskEncryptionSetResourceId: operationsCustomerManagedKeys.outputs.diskEncryptionSetResourceId + diskEncryptionSetResourceId: customerManagedKeys.outputs.diskEncryptionSetResourceId hybridUseBenefit: hybridUseBenefit linuxDiskName: linuxDiskName windowsDiskName: windowsDiskName 
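Review bot: The replacement `customerManagedKeys` module creates a differently named vault in a different resource group (`hubKeyVaultName` is seeded with `hubSubscriptionId` and `hubShortName`), so on an environment already deployed from the previous template this looks like it would create a second vault, key, disk encryption set and identity rather than move the existing ones. Nothing in the visible change retires or migrates the operations-tier vault, and the storage accounts and remote-access disks are re-pointed at the new key and disk encryption set; whether that re-keying succeeds in place on existing resources should be verified before release. At minimum I would record it above the module: `// NOTE: CMK resources now live in the hub; vaults, keys and disk encryption sets created in the operations tier by earlier versions are not migrated or removed by this template.` Dropping the explicit `dependsOn` is fine, since `hubNetwork.outputs.subnetResourceId` already gives the module an implicit dependency on the hub network.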
@@ -1011,16 +1009,16 @@ module hubStorage './core/hub-storage.bicep' = { scope: resourceGroup(hubSubscriptionId, hubResourceGroupName) params: { blobsPrivateDnsZoneResourceId: privateDnsZones.outputs.blobPrivateDnsZoneId - keyVaultUri: operationsCustomerManagedKeys.outputs.keyVaultUri + keyVaultUri: customerManagedKeys.outputs.keyVaultUri location: location logStorageAccountName: hubLogStorageAccountName logStorageSkuName: logStorageSkuName resourcePrefix: resourcePrefix - storageEncryptionKeyName: operationsCustomerManagedKeys.outputs.storageKeyName + storageEncryptionKeyName: customerManagedKeys.outputs.storageKeyName subnetResourceId: hubNetwork.outputs.subnetResourceId tablesPrivateDnsZoneResourceId: privateDnsZones.outputs.tablePrivateDnsZoneId tags: calculatedTags - userAssignedIdentityResourceId: operationsCustomerManagedKeys.outputs.userAssignedIdentityResourceId + userAssignedIdentityResourceId: customerManagedKeys.outputs.userAssignedIdentityResourceId } dependsOn: [ remoteAccess 
@@ -1034,16 +1032,16 @@ module spokeStorage './core/spoke-storage.bicep' = [for (spoke, i) in spokes: { scope: resourceGroup(spoke.subscriptionId, spoke.resourceGroupName) params: { blobsPrivateDnsZoneResourceId: privateDnsZones.outputs.blobPrivateDnsZoneId - keyVaultUri: operationsCustomerManagedKeys.outputs.keyVaultUri + keyVaultUri: customerManagedKeys.outputs.keyVaultUri location: location logStorageAccountName: spoke.logStorageAccountName logStorageSkuName: logStorageSkuName resourcePrefix: resourcePrefix - storageEncryptionKeyName: operationsCustomerManagedKeys.outputs.storageKeyName + storageEncryptionKeyName: customerManagedKeys.outputs.storageKeyName subnetResourceId: spokeNetworks[i].outputs.subnetResourceId tablesPrivateDnsZoneResourceId: privateDnsZones.outputs.tablePrivateDnsZoneId tags: tags - userAssignedIdentityResourceId: operationsCustomerManagedKeys.outputs.userAssignedIdentityResourceId + userAssignedIdentityResourceId: customerManagedKeys.outputs.userAssignedIdentityResourceId } dependsOn: [ remoteAccess diff --git a/src/bicep/mlz.json b/src/bicep/mlz.json index 279e10106..cf99a1910 100644 --- a/src/bicep/mlz.json +++ b/src/bicep/mlz.json @@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.24.24.22086", - "templateHash": "9930725311433878151" + "templateHash": "17762422065056010338" } }, "parameters": { 
@@ -1241,6 +1241,10 @@ "virtualNetworkNamingConvention": "[replace(variables('namingConvention'), variables('resourceToken'), 'vnet')]", "hubName": "hub", "hubShortName": "hub", + "hubDiskEncryptionSetName": "[replace(variables('diskEncryptionSetNamingConvention'), variables('nameToken'), variables('hubName'))]", + "hubKeyVaultName": "[take(variables('hubKeyVaultUniqueName'), 24)]", + "hubKeyVaultShortName": "[replace(variables('keyVaultNamingConvention'), variables('nameToken'), variables('hubShortName'))]", + "hubKeyVaultUniqueName": "[replace(variables('hubKeyVaultShortName'), 'unique_token', uniqueString(parameters('resourcePrefix'), parameters('resourceSuffix'), parameters('hubSubscriptionId')))]", "hubLogStorageAccountName": "[take(variables('hubLogStorageAccountUniqueName'), 24)]", "hubLogStorageAccountShortName": "[replace(variables('storageAccountNamingConvention'), variables('nameToken'), variables('hubShortName'))]", "hubLogStorageAccountUniqueName": "[replace(variables('hubLogStorageAccountShortName'), 'unique_token', uniqueString(parameters('resourcePrefix'), parameters('resourceSuffix'), parameters('hubSubscriptionId')))]", @@ -1249,6 +1253,7 @@ "hubResourceGroupName": "[replace(variables('resourceGroupNamingConvention'), variables('nameToken'), variables('hubName'))]", "hubRouteTableName": "[replace(variables('routeTableNamingConvention'), variables('nameToken'), variables('hubName'))]", "hubSubnetName": "[replace(variables('subnetNamingConvention'), variables('nameToken'), variables('hubName'))]", + "hubUserAssignedIdentityName": "[replace(variables('userAssignedIdentityNamingConvention'), variables('nameToken'), variables('hubName'))]", "hubVirtualNetworkName": "[replace(variables('virtualNetworkNamingConvention'), variables('nameToken'), variables('hubName'))]", "identityName": "identity", "identityShortName": "id", 
@@ -1262,10 +1267,6 @@ "identityVirtualNetworkName": "[replace(variables('virtualNetworkNamingConvention'), variables('nameToken'), variables('identityName'))]", "operationsName": "operations", "operationsShortName": "ops", - "operationsDiskEncryptionSetName": "[replace(variables('diskEncryptionSetNamingConvention'), variables('nameToken'), variables('operationsName'))]", - "operationsKeyVaultName": "[take(variables('operationsKeyVaultUniqueName'), 24)]", - "operationsKeyVaultShortName": "[replace(variables('keyVaultNamingConvention'), variables('nameToken'), variables('operationsShortName'))]", - "operationsKeyVaultUniqueName": "[replace(variables('operationsKeyVaultShortName'), 'unique_token', uniqueString(parameters('resourcePrefix'), parameters('resourceSuffix'), parameters('operationsSubscriptionId')))]", "operationsLogStorageAccountName": "[take(variables('operationsLogStorageAccountUniqueName'), 24)]", "operationsLogStorageAccountShortName": "[replace(variables('storageAccountNamingConvention'), variables('nameToken'), variables('operationsShortName'))]", "operationsLogStorageAccountUniqueName": "[replace(variables('operationsLogStorageAccountShortName'), 'unique_token', uniqueString(parameters('resourcePrefix'), parameters('resourceSuffix'), parameters('operationsSubscriptionId')))]", 
@@ -1273,7 +1274,6 @@ "operationsResourceGroupName": "[replace(variables('resourceGroupNamingConvention'), variables('nameToken'), variables('operationsName'))]", "operationsRouteTableName": "[replace(variables('routeTableNamingConvention'), variables('nameToken'), variables('operationsName'))]", "operationsSubnetName": "[replace(variables('subnetNamingConvention'), variables('nameToken'), variables('operationsName'))]", - "operationsUserAssignedIdentityName": "[replace(variables('userAssignedIdentityNamingConvention'), variables('nameToken'), variables('operationsName'))]", "operationsVirtualNetworkName": "[replace(variables('virtualNetworkNamingConvention'), variables('nameToken'), variables('operationsName'))]", "sharedServicesName": "sharedServices", "sharedServicesShortName": "svcs", @@ -4221,9 +4221,9 @@ { "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", - "name": "[format('deploy-cmk-ops-{0}', parameters('deploymentNameSuffix'))]", - "subscriptionId": "[parameters('operationsSubscriptionId')]", - "resourceGroup": "[variables('operationsResourceGroupName')]", + "name": "[format('deploy-cmk-hub-{0}', parameters('deploymentNameSuffix'))]", + "subscriptionId": "[parameters('hubSubscriptionId')]", + "resourceGroup": "[variables('hubResourceGroupName')]", "properties": { "expressionEvaluationOptions": { "scope": "inner" 
@@ -4234,10 +4234,10 @@ "value": "[parameters('deploymentNameSuffix')]" }, "diskEncryptionSetName": { - "value": "[variables('operationsDiskEncryptionSetName')]" + "value": "[variables('hubDiskEncryptionSetName')]" }, "keyVaultName": { - "value": "[variables('operationsKeyVaultName')]" + "value": "[variables('hubKeyVaultName')]" }, "keyVaultPrivateDnsZoneResourceId": { "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-private-dns-zones-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.keyvaultDnsPrivateDnsZoneId.value]" @@ -4249,13 +4249,13 @@ "value": "[parameters('resourcePrefix')]" }, "subnetResourceId": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', variables('spokes')[0].subscriptionId, variables('spokes')[0].resourceGroupName), 'Microsoft.Resources/deployments', format('deploy-vnet-{0}-{1}', variables('spokes')[0].name, parameters('deploymentNameSuffix'))), '2022-09-01').outputs.subnetResourceId.value]" + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.subnetResourceId.value]" }, "tags": { "value": "[variables('calculatedTags')]" }, "userAssignedIdentityName": { - "value": "[variables('operationsUserAssignedIdentityName')]" + "value": "[variables('hubUserAssignedIdentityName')]" } }, "template": { 
@@ -4859,8 +4859,8 @@ } }, "dependsOn": [ - "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-private-dns-zones-{0}', parameters('deploymentNameSuffix')))]", - "spokeNetworks" + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix')))]", + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-private-dns-zones-{0}', parameters('deploymentNameSuffix')))]" ] }, { @@ -5183,7 +5183,7 @@ "value": "[parameters('windowsVmVersion')]" }, "diskEncryptionSetResourceId": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-cmk-ops-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.diskEncryptionSetResourceId.value]" + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-cmk-hub-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.diskEncryptionSetResourceId.value]" }, "hybridUseBenefit": { "value": "[parameters('hybridUseBenefit')]" 
@@ -6299,9 +6299,9 @@ }, "dependsOn": [ "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-azure-monitor-{0}', parameters('deploymentNameSuffix')))]", + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-cmk-hub-{0}', parameters('deploymentNameSuffix')))]", "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix')))]", - "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix')))]", - "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-cmk-ops-{0}', parameters('deploymentNameSuffix')))]" + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-laws-{0}', parameters('deploymentNameSuffix')))]" ] }, { 
@@ -6320,7 +6320,7 @@ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-private-dns-zones-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.blobPrivateDnsZoneId.value]" }, "keyVaultUri": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-cmk-ops-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.keyVaultUri.value]" + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-cmk-hub-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.keyVaultUri.value]" }, "location": { "value": "[parameters('location')]" 
@@ -6335,7 +6335,7 @@ "value": "[parameters('resourcePrefix')]" }, "storageEncryptionKeyName": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-cmk-ops-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.storageKeyName.value]" + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-cmk-hub-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.storageKeyName.value]" }, "subnetResourceId": { "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.subnetResourceId.value]" @@ -6347,7 +6347,7 @@ "value": "[variables('calculatedTags')]" }, "userAssignedIdentityResourceId": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-cmk-ops-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.userAssignedIdentityResourceId.value]" + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-cmk-hub-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.userAssignedIdentityResourceId.value]" } }, "template": { 
@@ -6629,8 +6629,8 @@ } }, "dependsOn": [ + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-cmk-hub-{0}', parameters('deploymentNameSuffix')))]", "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-vnet-hub-{0}', parameters('deploymentNameSuffix')))]", - "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-cmk-ops-{0}', parameters('deploymentNameSuffix')))]", "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-private-dns-zones-{0}', parameters('deploymentNameSuffix')))]", "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-remote-access-{0}', parameters('deploymentNameSuffix')))]" ] 
@@ -6655,7 +6655,7 @@ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-private-dns-zones-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.blobPrivateDnsZoneId.value]" }, "keyVaultUri": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-cmk-ops-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.keyVaultUri.value]" + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-cmk-hub-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.keyVaultUri.value]" }, "location": { "value": "[parameters('location')]" 
@@ -6670,7 +6670,7 @@ "value": "[parameters('resourcePrefix')]" }, "storageEncryptionKeyName": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-cmk-ops-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.storageKeyName.value]" + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-cmk-hub-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.storageKeyName.value]" }, "subnetResourceId": { "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', variables('spokes')[copyIndex()].subscriptionId, variables('spokes')[copyIndex()].resourceGroupName), 'Microsoft.Resources/deployments', format('deploy-vnet-{0}-{1}', variables('spokes')[copyIndex()].name, parameters('deploymentNameSuffix'))), '2022-09-01').outputs.subnetResourceId.value]" @@ -6682,7 +6682,7 @@ "value": "[parameters('tags')]" }, "userAssignedIdentityResourceId": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-cmk-ops-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.userAssignedIdentityResourceId.value]" + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-cmk-hub-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.userAssignedIdentityResourceId.value]" } }, "template": { 
@@ -6964,7 +6964,7 @@ } }, "dependsOn": [ - "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('operationsSubscriptionId'), variables('operationsResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-cmk-ops-{0}', parameters('deploymentNameSuffix')))]", + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-cmk-hub-{0}', parameters('deploymentNameSuffix')))]", "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-private-dns-zones-{0}', parameters('deploymentNameSuffix')))]", "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('hubSubscriptionId'), variables('hubResourceGroupName')), 'Microsoft.Resources/deployments', format('deploy-remote-access-{0}', parameters('deploymentNameSuffix')))]", "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', variables('spokes')[copyIndex()].subscriptionId, variables('spokes')[copyIndex()].resourceGroupName), 'Microsoft.Resources/deployments', format('deploy-vnet-{0}-{1}', variables('spokes')[copyIndex()].name, parameters('deploymentNameSuffix')))]"