Release 1.1.1 (#19)

* Release 1.1.1 * Release 1.1.1 * Release 1.1.1 --------- Co-authored-by: Microsoft Open Source <[email protected]>
Azure · May 30, 2024 · 81d4f19 · 81d4f19
1 parent cbac464
commit 81d4f19
Show file tree

Hide file tree

Showing 12 changed files with 39 additions and 16 deletions.
diff --git a/docs/02-Architecture.md b/docs/02-Architecture.md
@@ -21,4 +21,4 @@ The SLZ deploys under the [tenant root group](https://learn.microsoft.com/azure/
 
 [Overview of the Sovereign Landing Zone deployment](03-Deployment-Overview.md)
 
-### [Legal Notice](./NOTICE.md)
+### [Microsoft Legal Notice](./NOTICE.md)
diff --git a/docs/08-Deploy-SLZ.md b/docs/08-Deploy-SLZ.md
@@ -17,6 +17,6 @@ Please reference [Frequently Asked Questions](12-FAQ.md) for commons errors and
 
 ## Next step
 
-[Deploy Customize Policies](09-Customize-Policies.md)
+[Deploy Customized Policies](09-Customize-Policies.md)
 
 ### [Microsoft Legal Notice](./NOTICE.md)
diff --git a/docs/10-Compliance-Dashboard.md b/docs/10-Compliance-Dashboard.md
@@ -34,4 +34,4 @@ The compliance dashboard is customizable and [can be extended](scenarios/Extendi
 
 [Conclusion](11-Conclusion.md)
 
-## [Microsoft Legal Notice](./NOTICE.md)
+### [Microsoft Legal Notice](./NOTICE.md)
diff --git a/docs/11-Conclusion.md b/docs/11-Conclusion.md
@@ -8,4 +8,4 @@ You can now improve upon on your [compliance policies](09-Customize-Policies.md)
 
 Visit our [Frequently Asked Questions](12-FAQ.md) page for common queries or [Scenarios](scenarios/README.md) for common post-deployment operations. Log a [GitHub Issue](https://github.com/Azure/sovereign-landing-zone/issues) for any problems you are encountering getting started with or managing your SLZ deployment.
 
-## [Microsoft Legal Notice](./NOTICE.md)
+### [Microsoft Legal Notice](./NOTICE.md)
diff --git a/docs/12-FAQ.md b/docs/12-FAQ.md
@@ -98,7 +98,7 @@ This error is likely to occur if the subscriptions being created in the Bootstra
 
 ### What are the allowed Azure resource types for confidential management groups (Confidential Corp and Confidential Online)?
 
-For an overview of confidential computing resources in Azure please refer to this [documentation.](https://learn.microsoft.com/azure/confidential-computing/overview-azure-products) The list used by the SLZ can be found [here](../modules/compliance/policyAssignments/policy_assignment_deploy_slz_confidential_defaults.tmpl.json), and the list can be customized to meet an organization's needs.
+For an overview of confidential computing resources in Azure please refer to this [documentation.](https://learn.microsoft.com/azure/confidential-computing/overview-azure-products) The list used by the SLZ can be found [here](../../dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_sovereignty_baseline_conf.tmpl.json), and the list can be customized to meet an organization's needs.
 
 ### What information should I consider removing from my failed deployment details logs?
 
@@ -225,4 +225,4 @@ While we are working on a resolution, users can mitigate this by setting the `pa
 
 You will need to assign an Azure `Reader` role the user at the top-level management group scope. Please follow instructions here on how to add an Azure role: [Azure Role Based Access Control](https://learn.microsoft.com/azure/role-based-access-control/role-assignments-portal)
 
-## [Microsoft Legal Notice](./NOTICE.md)
+### [Microsoft Legal Notice](./NOTICE.md)
diff --git a/docs/13-Troubleshooting.md b/docs/13-Troubleshooting.md
@@ -16,6 +16,19 @@ When an error occurs, the error message will most often be presented in a human
 
 ![SLZ Error in Logs](images/determine-error-message.png)
 
+## Bicep Errors
+
+### Using a type union declaration requires enabling EXPERIMENTAL feature "UserDefinedTypes".
+
+Commonly, this is caused by having 2 versions of Bicep installed where one version is not being updated. This can be checked by running:
+
+```
+az bicep version
+bicep --version
+```
+
+Make sure both installs have the [required minimal version.](./05-Permissions-Tooling.md#tooling-required)
+
 ## Bootstrap Errors
 
 ### User is not authorized to create subscriptions on this enrollment account.
@@ -64,4 +77,4 @@ This error means that the SLZ Global Defaults policy assignment has been configu
 
 Once a valid value is provided, run the SLZ compliance deployment step to update the policy assignment, then rerun the SLZ deployment. This error is related to the other ones where policy is blocking the resource.
 
-## [Microsoft Legal Notice](./NOTICE.md)
+### [Microsoft Legal Notice](./NOTICE.md)
diff --git a/docs/scenarios/Sovereignty-Baseline-Policy-Initiatives.md b/docs/scenarios/Sovereignty-Baseline-Policy-Initiatives.md
@@ -22,8 +22,8 @@ The following parameters are useful for configuring the policy baseline:
 
 The related policies are in the `dashboard-Data Residency` group within these files:
 
-* [SLZ Global Defaults](../../modules/compliance/policySetDefinitions/slzGlobalDefaults.json)
-* [SLZ Confidential Defaults](../../modules/compliance/policySetDefinitions/slzConfidentialDefaults.json)
+* [SLZ Global Defaults](https://learn.microsoft.com/azure/governance/policy/samples/mcfs-baseline-global#so1---data-residency)
+* [SLZ Confidential Defaults](https://learn.microsoft.com/azure/governance/policy/samples/mcfs-baseline-confidential#so1---data-residency)
 
 ### SO-2
 
@@ -37,17 +37,17 @@ There is no policy in the baseline that supports this and it is intended to be a
 
 The related policies are in the `dashboard-Confidential Computing` group within these files:
 
-* [SLZ Confidential Defaults](../../modules/compliance/policySetDefinitions/slzConfidentialDefaults.json)
+* [SLZ Confidential Defaults](https://learn.microsoft.com/azure/governance/policy/samples/mcfs-baseline-confidential#so3---customer-managed-keys)
 
-**Note** The resources are intended to be restricted to only those that have SKUs backed by confidential computing or do not process customer data. If this list is too restrictive, users are recommended to add other approved resources to the [allowed resources list](../../modules/compliance/policyAssignments/policy_assignment_deploy_slz_confidential_defaults.tmpl.json) in the assignment definition.
+**Note** The resources are intended to be restricted to only those that have SKUs backed by confidential computing or do not process customer data. If this list is too restrictive, users are recommended to add other approved resources to the [allowed resources list](../../dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_sovereignty_baseline_conf.tmpl.json) in the assignment definition.
 
 ### SO-4
 
 **The customer must have exclusive control over deciding which identities can access keys used to decrypt customer-defined sensitive data.**
 
 The related policies are in the `dashboard-Key Management` group within these files:
 
-* [SLZ Confidential Defaults](../../modules/compliance/policySetDefinitions/slzConfidentialDefaults.json)
+* [SLZ Confidential Defaults](https://learn.microsoft.com/azure/governance/policy/samples/mcfs-baseline-confidential#so4---azure-confidential-computing)
 
 ## Improvement Ideas
 

diff --git a/modules/dashboard/dashboard.bicep b/modules/dashboard/dashboard.bicep
@@ -84,6 +84,7 @@ var varDefaultTitles = [
           }
         }
       }
+      partHeader: {}
     }
   }
   {
@@ -254,6 +255,7 @@ var varDefaultTitles = [
           }
         }
       }
+      partHeader: {}
     }
   }
   {
@@ -526,6 +528,7 @@ var varDefaultTitles = [
           }
         }
       }
+      partHeader: {}
     }
   }
   {
@@ -697,6 +700,7 @@ var varDefaultTitles = [
           }
         }
       }
+      partHeader: {}
     }
   }
   {
@@ -915,7 +919,7 @@ resource resDashboard 'Microsoft.Portal/dashboards@2020-09-01-preview' = {
             colSpan: part.position.colSpan
             rowSpan: part.position.rowSpan
           }
-          #disable-next-line BCP037
+          #disable-next-line BCP036 BCP037
           metadata: contains(part.metadata.type, 'MarkdownPart') ? {
             inputs: part.metadata.inputs
             type: part.metadata.type

diff --git a/orchestration/defaultCompliance/defaultCompliance.bicep b/orchestration/defaultCompliance/defaultCompliance.bicep
@@ -156,7 +156,7 @@ module modAlzPolicyAssignments '../../dependencies/infra-as-code/bicep/modules/p
 }
 
 // The following module is used to deploy the policy exemptions
-module modPolicyExemptionsConfidentialOnline '../../modules/compliance/policyExemptions.bicep' = {
+module modPolicyExemptionsConfidentialOnline '../../modules/compliance/policyExemptions.bicep' = if (varDeploySlzBuiltInPolicies) {
   scope: managementGroup(varPolicyExemptionConfidentialOnlineManagementGroup)
   name: take('${parDeploymentPrefix}-deploy-policy-exemptions${parDeploymentSuffix}', 64)
   params: {
@@ -171,7 +171,7 @@ module modPolicyExemptionsConfidentialOnline '../../modules/compliance/policyExe
 }
 
 // The following module is used to deploy the policy exemptions
-module modPolicyExemptionsConfidentialCorp '../../modules/compliance/policyExemptions.bicep' = {
+module modPolicyExemptionsConfidentialCorp '../../modules/compliance/policyExemptions.bicep' = if (varDeploySlzBuiltInPolicies) {
   scope: managementGroup(varPolicyExemptionConfidentialCorpManagementGroup)
   name: take('${parDeploymentPrefix}-deploy-policy-exemptions${parDeploymentSuffix}', 64)
   params: {

diff --git a/orchestration/scripts/New-Platform.ps1 b/orchestration/scripts/New-Platform.ps1
@@ -98,6 +98,7 @@ function New-Platform {
         parVpnGatewayAsn                                 = [string]::IsNullOrEmpty($parParameters.parVpnGatewayConfig.value.asn) ? 65515 : $parParameters.parVpnGatewayConfig.value.asn
         parVpnGatewayBgpPeeringAddress                   = $parParameters.parVpnGatewayConfig.value.bgpPeeringAddress
         parVpnGatewayPeerWeight                          = [string]::IsNullOrEmpty($parParameters.parVpnGatewayConfig.value.peerWeight) ? 5 : $parParameters.parVpnGatewayConfig.value.peerWeight
+        parVpnGatewayClientConfiguration                 = $parParameters.parVpnGatewayConfig.value.vpnClientConfiguration
         parBastionOutboundSshRdpPorts                    = $parParameters.parBastionOutboundSshRdpPorts.value
         parDeployLogAnalyticsWorkspace                   = $parParameters.parDeployLogAnalyticsWorkspace.value
         parTags                                          = Convert-ToHashTable($parParameters.parTags.value)

diff --git a/orchestration/scripts/parameters/sovereignLandingZone.parameters.json b/orchestration/scripts/parameters/sovereignLandingZone.parameters.json
@@ -411,7 +411,8 @@
         "enableDnsForwarding": false,
         "asn": 65515,
         "bgpPeeringAddress": "",
-        "peerWeight": 5
+        "peerWeight": 5,
+        "vpnClientConfiguration": null
       },
       "value": null,
       "description": "Optional configuration options for the VPN Gateway."

diff --git a/orchestration/sovereignPlatform/sovereignPlatform.bicep b/orchestration/sovereignPlatform/sovereignPlatform.bicep
@@ -187,6 +187,9 @@ param parVpnGatewayBgpPeeringAddress string = ''
 @description('Bgp peer weight. Default: 5')
 param parVpnGatewayPeerWeight int = 5
 
+@description('Vpn Client Configuration. Default: {}')
+param parVpnGatewayClientConfiguration object = {}
+
 @description('Enable Firewall. Default:True')
 param parEnableFirewall bool = true
 
@@ -412,6 +415,7 @@ module modHubNetworking '../../dependencies/infra-as-code/bicep/modules/hubNetwo
         bgpPeeringAddress: parVpnGatewayBgpPeeringAddress
         peerWeight: parVpnGatewayPeerWeight
       }
+      vpnClientConfiguration: parVpnGatewayClientConfiguration
     }
   }
   dependsOn: [