Merge branch 'Azure:main' into main

.github/workflows/release.yml

@@ -0,0 +1,44 @@
+name: Artifacts
+
+on:
+  release:
+    types: [ created ]
+  workflow_dispatch:
+  pull_request:
+    branches:
+      - main
+
+permissions:
+  contents: write
+
+jobs:
+  release:
+    name: Generate Accelerator Release Artifacts
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+
+    - name: Zip and Tar
+      run: |
+        mkdir staging
+        cp -r accelerator staging
+        cp -r infra-as-code staging
+        cd staging
+        tar -cvzf ../accelerator.tar.gz .
+        zip -r ../accelerator.zip .
+
+    - name: Upload Artifacts to Action
+      uses: actions/upload-artifact@v4
+      with:
+        name: accelerator
+        path: |
+          accelerator.tar.gz
+          accelerator.zip
+
+    - name: Add Artifacts to Release
+      uses: softprops/action-gh-release@v2
+      if: startsWith(github.ref, 'refs/tags/')
+      with:
+        files: |
+          ./accelerator.tar.gz
+          ./accelerator.zip

.github/workflows/scorecard.yml

@@ -0,0 +1,73 @@
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+
+name: Scorecard supply-chain security
+on:
+  # For Branch-Protection check. Only the default branch is supported. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
+  branch_protection_rule:
+  # To guarantee Maintained check is occasionally updated. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
+  schedule:
+    - cron: '20 1 * * 4'
+  push:
+    branches: [ "main" ]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      # Needed to publish results and get a badge (see publish_results below).
+      id-token: write
+      # Uncomment the permissions below if installing in a private repository.
+      # contents: read
+      # actions: read
+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
+          # - you want to enable the Branch-Protection check on a *public* repository, or
+          # - you are installing Scorecard on a *private* repository
+          # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action?tab=readme-ov-file#authentication-with-fine-grained-pat-optional.
+          repo_token: ${{ secrets.SCORECARD_TOKEN }}
+
+          # Public repositories:
+          #   - Publish results to OpenSSF REST API for easy access by consumers
+          #   - Allows the repository to include the Scorecard badge.
+          #   - See https://github.com/ossf/scorecard-action#publishing-results.
+          # For private repositories:
+          #   - `publish_results` will always be set to `false`, regardless
+          #     of the value entered here.
+          publish_results: true
+
+      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+      # format to the repository Actions tab.
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@97a0fba1372883ab732affbe8f94b823f91727db # v3.pre.node20
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard (optional).
+      # Commenting out will disable upload of results to your repo's Code Scanning dashboard
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
+        with:
+          sarif_file: results.sarif

README.md

@@ -2,6 +2,7 @@
 
 [![Average time to resolve an issue](http://isitmaintained.com/badge/resolution/azure/alz-bicep.svg)](http://isitmaintained.com/project/azure/alz-bicep "Average time to resolve an issue")
 [![Percentage of issues still open](http://isitmaintained.com/badge/open/azure/alz-bicep.svg)](http://isitmaintained.com/project/azure/alz-bicep "Percentage of issues still open")
+[![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/Azure/ALZ-Bicep/badge)](https://scorecard.dev/viewer/?uri=github.com/Azure/ALZ-Bicep)
 
 [![Update Policy Library](https://github.com/Azure/ALZ-Bicep/actions/workflows/update-policy.yml/badge.svg?branch=main)](https://github.com/Azure/ALZ-Bicep/actions/workflows/update-policy.yml)
 ![GitHub release (latest SemVer)](https://img.shields.io/github/v/release/Azure/ALZ-Bicep?style=flat&logo=github)

accelerator/.config/ALZ-Powershell.config.json

@@ -457,6 +457,46 @@
         }
       ]
     },
+    "DataCollectionRuleVMInsightsResourceId": {
+      "Type": "Computed",
+      "Value": "/subscriptions/{%ManagementSubscriptionId%}/resourcegroups/rg-{%Prefix%}-logging/providers/Microsoft.Insights/dataCollectionRules/alz-ama-vmi-dcr",
+      "Targets": [
+        {
+          "Name": "parDataCollectionRuleVMInsightsResourceId.value",
+          "Destination": "Parameters"
+        }
+      ]
+    },
+    "DataCollectionRuleChangeTrackingResourceId": {
+      "Type": "Computed",
+      "Value": "/subscriptions/{%ManagementSubscriptionId%}/resourcegroups/rg-{%Prefix%}-logging/providers/Microsoft.Insights/dataCollectionRules/alz-ama-ct-dcr",
+      "Targets": [
+        {
+          "Name": "parDataCollectionRuleChangeTrackingResourceId.value",
+          "Destination": "Parameters"
+        }
+      ]
+    },
+    "DataCollectionRuleMDFCSQLResourceId": {
+      "Type": "Computed",
+      "Value": "/subscriptions/{%ManagementSubscriptionId%}/resourcegroups/rg-{%Prefix%}-logging/providers/Microsoft.Insights/dataCollectionRules/ama-mdfcsql-default-dcr",
+      "Targets": [
+        {
+          "Name": "parDataCollectionRuleMDFCSQLResourceId.value",
+          "Destination": "Parameters"
+        }
+      ]
+    },
+    "UserAssignedManagedIdentityResourceId": {
+      "Type": "Computed",
+      "Value": "/subscriptions/{%ManagementSubscriptionId%}/resourcegroups/rg-{%Prefix%}-logging/providers/Microsoft.ManagedIdentity/userAssignedIdentities/alz-umi-identity",
+      "Targets": [
+        {
+          "Name": "parUserAssignedManagedIdentityResourceId.value",
+          "Destination": "Parameters"
+        }
+      ]
+    },
     "DdosPretectionPlanId": {
       "Type": "Computed",
       "Value": "/subscriptions/{%ConnectivitySubscriptionId%}/resourceGroups/rg-{%Prefix%}-connectivity/providers/Microsoft.Network/ddosProtectionPlans/alz-ddos-plan",

infra-as-code/bicep/modules/hubNetworking/generateddocs/hubNetworking.bicep.md

@@ -28,7 +28,7 @@ parDdosPlanName | No       | DDoS Plan Name.
 parDdosLock    | No       | Resource Lock Configuration for DDoS Plan.  - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock.  
 parAzFirewallEnabled | No       | Switch to enable/disable Azure Firewall deployment.
 parAzFirewallName | No       | Azure Firewall Name.
-parAzFirewallPoliciesEnabled | No       | Switch to enable/disable Azure Firewall Policies deployment.
+parAzFirewallPoliciesEnabled | No       | Set this to true for the initial deployment as one firewall policy is required. Set this to false in subsequent deployments if using custom policies.
 parAzFirewallPoliciesName | No       | Azure Firewall Policies Name.
 parAzFirewallTier | No       | Azure Firewall Tier associated with the Firewall to deploy.
 parAzFirewallIntelMode | No       | The Azure Firewall Threat Intelligence Mode. If not set, the default value is Alert.
@@ -257,7 +257,7 @@ Azure Firewall Name.
 
 ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
 
-Switch to enable/disable Azure Firewall Policies deployment.
+Set this to true for the initial deployment as one firewall policy is required. Set this to false in subsequent deployments if using custom policies.
 
 - Default value: `True`
 
@@ -295,14 +295,14 @@ The Azure Firewall Threat Intelligence Mode. If not set, the default value is Al
 
 Optional List of Custom Public IPs, which are assigned to firewalls ipConfigurations.
 
-- Allowed values: `1`, `2`, `3`
-
 ### parAzFirewallAvailabilityZones
 
 ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
 
 Availability Zones to deploy the Azure Firewall across. Region must support Availability Zones to use. If it does not then leave empty.
 
+- Allowed values: `1`, `2`, `3`
+
 ### parAzErGatewayAvailabilityZones
 
 ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)

infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep

@@ -160,7 +160,7 @@ param parAzFirewallEnabled bool = true
 @sys.description('Azure Firewall Name.')
 param parAzFirewallName string = '${parCompanyPrefix}-azfw-${parLocation}'
 
-@sys.description('Switch to enable/disable Azure Firewall Policies deployment.')
+@sys.description('Set this to true for the initial deployment as one firewall policy is required. Set this to false in subsequent deployments if using custom policies.')
 param parAzFirewallPoliciesEnabled bool = true
 
 @sys.description('Azure Firewall Policies Name.')
@@ -182,15 +182,14 @@ param parAzFirewallTier string = 'Standard'
 ])
 param parAzFirewallIntelMode string = 'Alert'
 
+@sys.description('Optional List of Custom Public IPs, which are assigned to firewalls ipConfigurations.')
+param parAzFirewallCustomPublicIps array = []
+
 @allowed([
   '1'
   '2'
   '3'
 ])
-
-@sys.description('Optional List of Custom Public IPs, which are assigned to firewalls ipConfigurations.')
-param parAzFirewallCustomPublicIps array = []
-
 @sys.description('Availability Zones to deploy the Azure Firewall across. Region must support Availability Zones to use. If it does not then leave empty.')
 param parAzFirewallAvailabilityZones array = []
 

infra-as-code/bicep/modules/logging/README.md

@@ -4,18 +4,11 @@ Deploys Azure Log Analytics Workspace, Automation Account (linked together) & mu
 
 Automation Account will be linked to Log Analytics Workspace to provide integration for Update Management, Change Tracking and Inventory, and Start/Stop VMs during off-hours for your servers and virtual machines.  Only one mapping can exist between Log Analytics Workspace and Automation Account.
 
+We provision several data collection rules (VM Insights, Change Tracking, and Defender for SQL) as well as a user-assigned managed identity (UAMI). These resources are utilized in tandem with various policies as part of deploying the Azure Monitor Agent (AMA).
+
 The module will deploy the following Log Analytics Workspace solutions by default.  Solutions can be customized as required:
 
-- AgentHealthAssessment
-- AntiMalware
-- ChangeTracking
-- Security
 - SecurityInsights (Azure Sentinel)
-- SQLAdvancedThreatProtection
-- SQLVulnerabilityAssessment
-- SQLAssessment
-- Updates
-- VMInsights
 
  > Only certain regions are supported to link Log Analytics Workspace & Automation Account together (linked workspaces). Reference:  [Supported regions for linked Log Analytics workspace](https://learn.microsoft.com/azure/automation/how-to/region-mappings)
 
@@ -115,7 +108,9 @@ New-AzResourceGroup `
 
 New-AzResourceGroupDeployment @inputObject
 ```
+
 OR
+
 ```powershell
 # For Azure China regions
 # Set Platform management subscripion ID as the the current subscription