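// Deployed at management group scope: the Subscription alias module below is explicitly scoped
// to managementGroup(), and the resource wrapper module inherits this scope.
// NOTE(review): the identity running this deployment therefore needs deployment rights at this
// management group and, for new Subscriptions, subscription-creation rights on the billing
// scope supplied in `subscriptionBillingScope` — confirm against the wiki's permissions guidance.
targetScope = 'managementGroup'
// METADATA - Used by PSDocs
metadata name = '`main.bicep` Parameters'
metadata description = 'This module is designed to accelerate deployment of landing zones (aka Subscriptions) within a Microsoft Entra Tenant.'
metadata details = '''These are the input parameters for the Bicep module: [`main.bicep`](./main.bicep)
This is the orchestration module that is used and called by a consumer of the module to deploy a Landing Zone Subscription and its associated resources, based on the parameter input values that are provided to it at deployment time.
> For more information and examples please see the [wiki](https://github.com/Azure/bicep-lz-vending/wiki)'''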
// PARAMETERS
// Subscription Parameters
// Create-vs-reuse switch. `existingSubscriptionId` takes precedence: when it is non-empty the
// alias module is skipped even if this is `true` (see the `createSubscription` condition below).
@metadata({
  example: true
})
@sys.description('''Whether to create a new Subscription using the Subscription Alias resource. If `false`, supply an existing Subscription's ID in the parameter named `existingSubscriptionId` instead to deploy resources to an existing Subscription.
- Type: Boolean
''')
param subscriptionAliasEnabled bool = true
// NOTE(review): the description opens with "name of the subscription alias", but this value is the
// Subscription *display name* (it is forwarded to the alias module as `subscriptionDisplayName`;
// the alias name is the next parameter). Its two character-set sentences also disagree on whether
// a space is permitted — confirm against the alias API and keep exactly one of them.
@metadata({
  example: 'sub-bicep-lz-vending-example-001'
})
@maxLength(63)
@sys.description('''The name of the subscription alias. The string must be comprised of a-z, A-Z, 0-9, - and _. The maximum length is 63 characters.
The string must be comprised of `a-z`, `A-Z`, `0-9`, `-`, `_` and ` ` (space). The maximum length is 63 characters.
> The value for this parameter and the parameter named `subscriptionAliasName` are usually set to the same value for simplicity. But they can be different if required for a reason.
> **Not required when providing an existing Subscription ID via the parameter `existingSubscriptionId`**
- Type: String
- Default value: `''` *(empty string)*
''')
param subscriptionDisplayName string = ''
// Name of the Microsoft.Subscription/aliases resource created by `createSubscription`. It is also
// embedded in the nested deployment names (see `deploymentNames`), so it shows up in deployment
// history at the management group.
@metadata({
  example: 'sub-bicep-lz-vending-example-001'
})
@maxLength(63)
@sys.description('''The name of the Subscription Alias, that will be created by this module.
The string must be comprised of `a-z`, `A-Z`, `0-9`, `-`, `_` and ` ` (space). The maximum length is 63 characters.
> **Not required when providing an existing Subscription ID via the parameter `existingSubscriptionId`**
- Type: String
- Default value: `''` *(empty string)*
''')
param subscriptionAliasName string = ''
// Billing anchor for new Subscriptions; only consumed by the alias module.
// NOTE(review): the identity running this deployment presumably must already hold
// subscription-creation rights on this billing scope (EA enrollment account / MCA invoice
// section) — confirm in the wiki. Nothing here validates the value beyond the prefix described.
@metadata({
  example: 'providers/Microsoft.Billing/billingAccounts/1234567/enrollmentAccounts/123456'
})
@sys.description('''The Billing Scope for the new Subscription alias, that will be created by this module.
A valid Billing Scope starts with `/providers/Microsoft.Billing/billingAccounts/` and is case sensitive.
> See below [example in parameter file](#parameter-file) for an example
> **Not required when providing an existing Subscription ID via the parameter `existingSubscriptionId`**
- Type: String
- Default value: `''` *(empty string)*
''')
param subscriptionBillingScope string = ''
// Only used when creating a Subscription; `@allowed` enforces the exact (case-sensitive) values.
@metadata({
  example: 'Production'
})
@allowed([
  'DevTest'
  'Production'
])
@sys.description('''The workload type can be either `Production` or `DevTest` and is case sensitive.
> **Not required when providing an existing Subscription ID via the parameter `existingSubscriptionId`**
- Type: String
''')
param subscriptionWorkload string = 'Production'
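// Cross-tenant MCA scenario only. When both values are non-empty and a new Subscription is being
// created, the `subscriptionAcceptOwnership*` outputs below surface the acceptance state and URL
// from the alias module; in every other case those outputs are 'N/A'. Both are forwarded to the
// alias module as-is — only `@maxLength(36)` is enforced here.
@metadata({
  example: 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'
})
@maxLength(36)
@sys.description('''The Azure Active Directory Tenant ID (GUID) to which the Subscription should be attached.
> **Leave blank unless following this scenario only [Programmatically create MCA subscriptions across Azure Active Directory tenants](https://learn.microsoft.com/azure/cost-management-billing/manage/programmatically-create-subscription-microsoft-customer-agreement-across-tenants).**
- Type: String
- Default value: `''` *(empty string)*
''')
param subscriptionTenantId string = ''
@metadata({
  example: 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'
})
@maxLength(36)
@sys.description('''The object ID (GUID) of the Azure Active Directory principal that should become the Subscription Owner.
> **Leave blank unless following this scenario only [Programmatically create MCA subscriptions across Azure Active Directory tenants](https://learn.microsoft.com/azure/cost-management-billing/manage/programmatically-create-subscription-microsoft-customer-agreement-across-tenants).**
- Type: String
- Default value: `''` *(empty string)*
''')
param subscriptionOwnerId string = ''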
// Reuse path. A non-empty value (a) skips the alias module entirely and (b) points the resource
// wrapper — including the management group move and any `roleAssignments` — at this
// Subscription. Only `@maxLength(36)` is enforced here; there is no GUID-shape check, so validate
// this input in the calling pipeline: vending RBAC into the wrong Subscription is the failure mode.
@metadata({
  example: 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'
})
@maxLength(36)
@sys.description('''An existing subscription ID. Use this when you do not want the module to create a new subscription. But do want to manage the management group membership. A subscription ID should be provided in the example format `xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx`.
- Type: String
- Default value: `''` *(empty string)*
''')
param existingSubscriptionId string = ''
// Subscription Resources Wrapper Parameters
// Gate for the management group move; the destination is `subscriptionManagementGroupId`.
@metadata({
  example: true
})
@sys.description('''Whether to move the Subscription to the specified Management Group supplied in the parameter `subscriptionManagementGroupId`.
- Type: Boolean
''')
param subscriptionManagementGroupAssociationEnabled bool = true
// Destination management group. Policy assignments and RBAC granted at that management group
// inherit onto the Subscription once it is moved, so this value is what places the landing zone
// under the intended guardrails (e.g. corp vs. online). The default '' leaves that to the caller.
@metadata({
  example: 'alz-landingzones-corp'
})
@sys.description('''The destination Management Group ID for the new Subscription that will be created by this module (or the existing one provided in the parameter `existingSubscriptionId`).
**IMPORTANT:** Do not supply the display name of the Management Group. The Management Group ID forms part of the Azure Resource ID. e.g., `/providers/Microsoft.Management/managementGroups/{managementGroupId}`.
> See below [example in parameter file](#parameter-file) for an example
- Type: String
- Default value: `''` *(empty string)*
''')
param subscriptionManagementGroupId string = ''
// Subscription-level tags; per the description these are merged, with matching keys overwritten.
@metadata({
  example: {
    tagKey1: 'value'
    'tag-key-2': 'value'
  }
})
@sys.description('''An object of Tag key & value pairs to be appended to a Subscription.
> **NOTE:** Tags will only be overwritten if existing tag exists with same key as provided in this parameter; values provided here win.
- Type: `{}` Object
- Default value: `{}` *(empty object)*
''')
param subscriptionTags object = {}
// Master switch for the spoke Virtual Network. Off by default; the `virtualNetwork*` and hub
// connectivity parameters below are only meaningful when this is `true`.
@metadata({
  example: true
})
@sys.description('''Whether to create a Virtual Network or not.
If set to `true` ensure you also provide values for the following parameters at a minimum:
- `virtualNetworkResourceGroupName`
- `virtualNetworkResourceGroupLockEnabled`
- `virtualNetworkLocation`
- `virtualNetworkName`
- `virtualNetworkAddressSpace`
> Other parameters may need to be set based on other parameters that you enable that are listed above. Check each parameters documentation for further information.
- Type: Boolean
''')
param virtualNetworkEnabled bool = false
// Resource Group that will hold the spoke VNet; bounded by `@maxLength(90)`.
@metadata({
  example: 'rg-networking-001'
})
@maxLength(90)
@sys.description('''The name of the Resource Group to create the Virtual Network in that is created by this module.
- Type: String
- Default value: `''` *(empty string)*
''')
param virtualNetworkResourceGroupName string = ''
// Tags for the VNet's Resource Group; merged, with matching keys overwritten (same semantics as
// `subscriptionTags`).
@metadata({
  example: {
    tagKey1: 'value'
    'tag-key-2': 'value'
  }
})
@sys.description('''An object of Tag key & value pairs to be appended to the Resource Group that the Virtual Network is created in.
> **NOTE:** Tags will only be overwritten if existing tag exists with same key as provided in this parameter; values provided here win.
- Type: `{}` Object
- Default value: `{}` *(empty object)*
''')
param virtualNetworkResourceGroupTags object = {}
// Defaults to on: a `CanNotDelete` lock on the VNet's Resource Group guards the spoke network
// against accidental deletion. Setting this to `false` removes that guard.
@metadata({
  example: true
})
@sys.description('''Enables the deployment of a `CanNotDelete` resource locks to the Virtual Networks Resource Group that is created by this module.
- Type: Boolean
''')
param virtualNetworkResourceGroupLockEnabled bool = true
// Region for the spoke VNet. Also reused as the location of the telemetry deployment
// (`moduleTelemetry`) below.
@metadata({
  example: 'uksouth'
})
@sys.description('''The location of the virtual network. Use region shortnames e.g. `uksouth`, `eastus`, etc. Defaults to the region where the ARM/Bicep deployment is targeted to unless overridden.
- Type: String
''')
param virtualNetworkLocation string = deployment().location
// Spoke VNet name; `@maxLength(64)` matches the upper bound stated in the description, the
// 2-character minimum is not enforced here.
@metadata({
  example: 'vnet-example-001'
})
@maxLength(64)
@sys.description('''The name of the virtual network. The string must consist of a-z, A-Z, 0-9, -, _, and . (period) and be between 2 and 64 characters in length.
- Type: String
- Default value: `''` *(empty string)*
''')
param virtualNetworkName string = ''
// VNet tags. Unlike the Subscription / Resource Group tag parameters (which merge), the
// description states these replace whatever tags already exist on the VNet.
@metadata({
  example: {
    tagKey1: 'value'
    'tag-key-2': 'value'
  }
})
@sys.description('''An object of tag key/value pairs to be set on the Virtual Network that is created.
> **NOTE:** Tags will be overwritten on resource if any exist already.
- Type: `{}` Object
- Default value: `{}` *(empty object)*
''')
param virtualNetworkTags object = {}
// CIDR blocks for the spoke. Nothing in this template checks them for overlap with the hub or
// other spokes; that remains the caller's (IPAM) responsibility.
@metadata({
  example: [
    '10.0.0.0/16'
  ]
})
@sys.description('''The address space of the Virtual Network that will be created by this module, supplied as multiple CIDR blocks in an array, e.g. `["10.0.0.0/16","172.16.0.0/12"]`
- Type: `[]` Array
- Default value: `[]` *(empty array)*
''')
param virtualNetworkAddressSpace array = []
// Custom DNS for the spoke; empty means Azure-provided DNS. Pointing this at hub or on-premises
// resolvers changes the resolution path for every NIC in the VNet, so keep it consistent with
// the hub's DNS design.
@metadata({
  example: [
    '10.4.1.4'
    '10.2.1.5'
  ]
})
@sys.description('''The custom DNS servers to use on the Virtual Network, e.g. `["10.4.1.4", "10.2.1.5"]`. If left empty (default) then Azure DNS will be used for the Virtual Network.
- Type: `[]` Array
- Default value: `[]` *(empty array)*
''')
param virtualNetworkDnsServers array = []
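// Optional link to an existing DDoS Network Protection plan by resource ID; an empty value leaves
// the spoke VNet without a plan. The ID is forwarded to the wrapper unvalidated.
@metadata({
  example: '/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/xxxxxxxxxx/providers/Microsoft.Network/ddosProtectionPlans/xxxxxxxxxx'
})
@sys.description('''The resource ID of an existing DDoS Network Protection Plan that you wish to link to this Virtual Network.
**Example Expected Values:**
- `''` (empty string)
- DDoS Network Protection Plan Resource ID: `/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/xxxxxxxxxx/providers/Microsoft.Network/ddosProtectionPlans/xxxxxxxxxx`
- Type: String
- Default value: `''` *(empty string)*
''')
param virtualNetworkDdosPlanId string = ''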
// Hub connectivity. `hubNetworkResourceId` may be a hub VNet or a Virtual WAN hub; the two are
// presumably distinguished by the resource type in the ID inside the wrapper (not visible here).
// Enabling peering/connection makes this spoke reachable from the hub and whatever the hub routes.
@metadata({
  example: true
})
@sys.description('''Whether to enable peering/connection with the supplied hub Virtual Network or Virtual WAN Virtual Hub.
- Type: Boolean
''')
param virtualNetworkPeeringEnabled bool = false
@metadata({
  example: '/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/xxxxxxxxxx/providers/Microsoft.Network/virtualNetworks/xxxxxxxxxx'
})
@sys.description('''The resource ID of the Virtual Network or Virtual WAN Hub in the hub to which the created Virtual Network, by this module, will be peered/connected to via Virtual Network Peering or a Virtual WAN Virtual Hub Connection.
**Example Expected Values:**
- `''` (empty string)
- Hub Virtual Network Resource ID: `/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/xxxxxxxxxx/providers/Microsoft.Network/virtualNetworks/xxxxxxxxxx`
- Virtual WAN Virtual Hub Resource ID: `/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/xxxxxxxxxx/providers/Microsoft.Network/virtualHubs/xxxxxxxxxx`
- Type: String
- Default value: `''` *(empty string)*
''')
param hubNetworkResourceId string = ''
// Classic hub-VNet peering only. Defaults to `true`; the description warns that peering creation
// fails with this set when the hub has no gateway, so set it to match the hub.
@metadata({
  example: true
})
@sys.description('''Enables the use of remote gateways in the specified hub virtual network.
> **IMPORTANT:** If no gateways exist in the hub virtual network, set this to `false`, otherwise peering will fail to create.
- Type: Boolean
''')
param virtualNetworkUseRemoteGateways bool = true
// Security-relevant default: `true` lets the spoke learn 0.0.0.0/0 from the Virtual WAN hub, i.e.
// internet-bound traffic follows the hub's default route (typically a secured hub / firewall).
// Setting this to `false` opts the spoke out of that path — do so deliberately.
@metadata({
  example: true
})
@sys.description('''Enables the ability for the Virtual WAN Hub Connection to learn the default route 0.0.0.0/0 from the Hub.
- Type: Boolean
''')
param virtualNetworkVwanEnableInternetSecurity bool = true
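// Virtual WAN hub routing inputs; per their descriptions these apply when `hubNetworkResourceId`
// is a Virtual WAN hub and peering is enabled. Leaving them empty associates/propagates to the
// hub's `defaultRouteTable` and default label; supplying explicit route tables replaces that
// default, so the caller must then list the `defaultRouteTable` ID themselves.
@metadata({
  example: '/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/xxxxxxxxxx/providers/Microsoft.Network/virtualHubs/xxxxxxxxx/hubRouteTables/xxxxxxxxx'
})
@sys.description('''The resource ID of the virtual hub route table to associate to the virtual hub connection (this virtual network). If left blank/empty the `defaultRouteTable` will be associated.
- Type: String
- Default value: `''` *(empty string)* = Which means if the parameter `virtualNetworkPeeringEnabled` is `true` and also the parameter `hubNetworkResourceId` is not empty then the `defaultRouteTable` will be associated of the provided Virtual Hub in the parameter `hubNetworkResourceId`.
- e.g. `/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/xxxxxxxxxx/providers/Microsoft.Network/virtualHubs/xxxxxxxxx/hubRouteTables/defaultRouteTable`
''')
param virtualNetworkVwanAssociatedRouteTableResourceId string = ''
@metadata({
  example: [
    {
      id: '/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/xxxxxxxxxx/providers/Microsoft.Network/virtualHubs/xxxxxxxxx/hubRouteTables/defaultRouteTable'
    }
    {
      id: '/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/xxxxxxxxxx/providers/Microsoft.Network/virtualHubs/xxxxxxxxx/hubRouteTables/xxxxxxxxx'
    }
  ]
})
@sys.description('''An array of objects of virtual hub route table resource IDs to propagate routes to. If left blank/empty the `defaultRouteTable` will be propagated to only.
Each object must contain the following `key`:
- `id` = The Resource ID of the Virtual WAN Virtual Hub Route Table IDs you wish to propagate to
> See below [example in parameter file](#parameter-file)
> **IMPORTANT:** If you provide any Route Tables in this array of objects you must ensure you include also the `defaultRouteTable` Resource ID as an object in the array as it is not added by default when a value is provided for this parameter.
- Type: `[]` Array
- Default value: `[]` *(empty array)*
''')
param virtualNetworkVwanPropagatedRouteTablesResourceIds array = []
@metadata({
  example: [
    'default'
    'anotherLabel'
  ]
})
@sys.description('''An array of virtual hub route table labels to propagate routes to. If left blank/empty the default label will be propagated to only.
- Type: `[]` Array
- Default value: `[]` *(empty array)*
''')
param virtualNetworkVwanPropagatedLabels array = []
// Tells the wrapper which routing mode the hub is in. Per the description this *indicates*
// routing intent; it presumably does not enable it on the hub itself — set it to match the hub.
@metadata({
  example: false
})
@sys.description('''Indicates whether routing intent is enabled on the Virtual Hub within the Virtual WAN.
- Type: Boolean
''')
param vHubRoutingIntentEnabled bool = false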
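// RBAC vended into the new/existing Subscription. Least-privilege reminder for consumers:
// `definition` accepts built-in role names as well as role-definition resource IDs, so a value
// such as 'Owner' with `relativeScope: ''` hands full control of the Subscription to that
// principal. Prefer a Resource Group scope and the narrowest role that fits. Only object IDs are
// taken — nothing in this template verifies that the principal exists or what type it is.
@metadata({
  example: true
})
@sys.description('''Whether to create role assignments or not. If true, supply the array of role assignment objects in the parameter called `roleAssignments`.
- Type: Boolean
''')
param roleAssignmentEnabled bool = false
@metadata({
  example: [
    {
      principalId: 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'
      definition: 'Contributor'
      relativeScope: ''
    }
    {
      principalId: 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'
      definition: '/providers/Microsoft.Authorization/roleDefinitions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'
      relativeScope: ''
    }
    {
      principalId: 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'
      definition: 'Reader'
      relativeScope: '/resourceGroups/rsg-networking-001'
    }
    {
      principalId: 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'
      definition: '/providers/Microsoft.Authorization/roleDefinitions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'
      relativeScope: '/resourceGroups/rsg-networking-001'
    }
  ]
})
@sys.description('''Supply an array of objects containing the details of the role assignments to create.
Each object must contain the following `keys`:
- `principalId` = The Object ID of the User, Group, SPN, Managed Identity to assign the RBAC role to.
- `definition` = The Name of built-in RBAC Roles or a Resource ID of a Built-in or custom RBAC Role Definition.
- `relativeScope` = 2 options can be provided for input value:
1. `''` *(empty string)* = Make RBAC Role Assignment to Subscription scope
2. `'/resourceGroups/<RESOURCE GROUP NAME>'` = Make RBAC Role Assignment to specified Resource Group
> See below [example in parameter file](#parameter-file) of various combinations
- Type: `[]` Array
- Default value: `[]` *(empty array)*
''')
param roleAssignments array = []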
// Telemetry opt-out. Controls the empty `moduleTelemetry` deployment below and is also forwarded
// to the resource wrapper.
@metadata({
  example: false
})
@sys.description('''Disable telemetry collection by this module.
For more information on the telemetry collected by this module, that is controlled by this parameter, see this page in the wiki: [Telemetry Tracking Using Customer Usage Attribution (PID)](https://github.com/Azure/bicep-lz-vending/wiki/Telemetry)
''')
param disableTelemetry bool = false
// First 8 characters of the target Subscription GUID, used to suffix the deployment-script
// Resource Group / script / identity names in the `createSubscriptionResources` call so they are
// unique per Subscription. Declared here among the parameters rather than under VARIABLES.
// NOTE(review): `substring(..., 0, 8)` on an empty string would fail. The only consumer is the
// wrapper module, whose condition excludes the "alias disabled and no existing ID" case, but
// confirm ARM does not evaluate this expression eagerly in that configuration.
@sys.description('Guid for the deployment script resources names based on subscription Id.')
var deploymentScriptResourcesSubGuid = substring((subscriptionAliasEnabled && empty(existingSubscriptionId)) ? createSubscription.outputs.subscriptionId : existingSubscriptionId,0,8)
// Base names for the resource-provider registration deployment script and its user-assigned
// managed identity. Each is suffixed with `deploymentScriptResourcesSubGuid` in the wrapper call.
// NOTE(review): that identity is what performs the registrations, so it presumably needs rights
// to register providers in the target Subscription — confirm how the wrapper grants them.
@sys.description('The name of the resource group to create the deployment script for resource providers registration.')
param deploymentScriptResourceGroupName string = 'rsg-${deployment().location}-ds'
@sys.description('The name of the deployment script to register resource providers')
param deploymentScriptName string = 'ds-${deployment().location}'
@sys.description('The name of the user managed identity for the resource providers registration deployment script.')
param deploymentScriptManagedIdentityName string = 'id-${deployment().location}'
// Resource providers (and optional preview features) the wrapper's deployment script registers in
// the Subscription. Registering a provider enables that service family for the Subscription, so
// trim this list to what the landing zone actually needs rather than widening it.
// NOTE(review): the description says an empty object registers "a list of most common" providers,
// but the default *value* is that list, and the `failedResourceProviders*` outputs short-circuit
// to '' on `empty(resourceProviders)` — which suggests an empty object skips registration
// entirely. Confirm in the wrapper and align the text.
@metadata({
  example: {
    'Microsoft.Compute' : ['InGuestHotPatchVMPreview']
    'Microsoft.Storage' : []
  }
})
@sys.description('''
An object of resource providers and resource providers features to register. If left blank/empty, a list of most common resource providers will be registered.
- Type: `{}` Object
- Default value: `{
'Microsoft.ApiManagement' : []
'Microsoft.AppPlatform' : []
'Microsoft.Authorization' : []
'Microsoft.Automation' : []
'Microsoft.AVS' : []
'Microsoft.Blueprint' : []
'Microsoft.BotService' : []
'Microsoft.Cache' : []
'Microsoft.Cdn' : []
'Microsoft.CognitiveServices' : []
'Microsoft.Compute' : []
'Microsoft.ContainerInstance' : []
'Microsoft.ContainerRegistry' : []
'Microsoft.ContainerService' : []
'Microsoft.CostManagement' : []
'Microsoft.CustomProviders' : []
'Microsoft.Databricks' : []
'Microsoft.DataLakeAnalytics' : []
'Microsoft.DataLakeStore' : []
'Microsoft.DataMigration' : []
'Microsoft.DataProtection' : []
'Microsoft.DBforMariaDB' : []
'Microsoft.DBforMySQL' : []
'Microsoft.DBforPostgreSQL' : []
'Microsoft.DesktopVirtualization' : []
'Microsoft.Devices' : []
'Microsoft.DevTestLab' : []
'Microsoft.DocumentDB' : []
'Microsoft.EventGrid' : []
'Microsoft.EventHub' : []
'Microsoft.HDInsight' : []
'Microsoft.HealthcareApis' : []
'Microsoft.GuestConfiguration' : []
'Microsoft.KeyVault' : []
'Microsoft.Kusto' : []
'microsoft.insights' : []
'Microsoft.Logic' : []
'Microsoft.MachineLearningServices' : []
'Microsoft.Maintenance' : []
'Microsoft.ManagedIdentity' : []
'Microsoft.ManagedServices' : []
'Microsoft.Management' : []
'Microsoft.Maps' : []
'Microsoft.MarketplaceOrdering' : []
'Microsoft.Media' : []
'Microsoft.MixedReality' : []
'Microsoft.Network' : []
'Microsoft.NotificationHubs' : []
'Microsoft.OperationalInsights' : []
'Microsoft.OperationsManagement' : []
'Microsoft.PolicyInsights' : []
'Microsoft.PowerBIDedicated' : []
'Microsoft.Relay' : []
'Microsoft.RecoveryServices' : []
'Microsoft.Resources' : []
'Microsoft.Search' : []
'Microsoft.Security' : []
'Microsoft.SecurityInsights' : []
'Microsoft.ServiceBus' : []
'Microsoft.ServiceFabric' : []
'Microsoft.Sql' : []
'Microsoft.Storage' : []
'Microsoft.StreamAnalytics' : []
'Microsoft.TimeSeriesInsights' : []
'Microsoft.Web' : []
}`
''')
param resourceProviders object = {
  'Microsoft.ApiManagement' : []
  'Microsoft.AppPlatform' : []
  'Microsoft.Authorization' : []
  'Microsoft.Automation' : []
  'Microsoft.AVS' : []
  'Microsoft.Blueprint' : []
  'Microsoft.BotService' : []
  'Microsoft.Cache' : []
  'Microsoft.Cdn' : []
  'Microsoft.CognitiveServices' : []
  'Microsoft.Compute' : []
  'Microsoft.ContainerInstance' : []
  'Microsoft.ContainerRegistry' : []
  'Microsoft.ContainerService' : []
  'Microsoft.CostManagement' : []
  'Microsoft.CustomProviders' : []
  'Microsoft.Databricks' : []
  'Microsoft.DataLakeAnalytics' : []
  'Microsoft.DataLakeStore' : []
  'Microsoft.DataMigration' : []
  'Microsoft.DataProtection' : []
  'Microsoft.DBforMariaDB' : []
  'Microsoft.DBforMySQL' : []
  'Microsoft.DBforPostgreSQL' : []
  'Microsoft.DesktopVirtualization' : []
  'Microsoft.Devices' : []
  'Microsoft.DevTestLab' : []
  'Microsoft.DocumentDB' : []
  'Microsoft.EventGrid' : []
  'Microsoft.EventHub' : []
  'Microsoft.HDInsight' : []
  'Microsoft.HealthcareApis' : []
  'Microsoft.GuestConfiguration' : []
  'Microsoft.KeyVault' : []
  'Microsoft.Kusto' : []
  'microsoft.insights' : []
  'Microsoft.Logic' : []
  'Microsoft.MachineLearningServices' : []
  'Microsoft.Maintenance' : []
  'Microsoft.ManagedIdentity' : []
  'Microsoft.ManagedServices' : []
  'Microsoft.Management' : []
  'Microsoft.Maps' : []
  'Microsoft.MarketplaceOrdering' : []
  'Microsoft.Media' : []
  'Microsoft.MixedReality' : []
  'Microsoft.Network' : []
  'Microsoft.NotificationHubs' : []
  'Microsoft.OperationalInsights' : []
  'Microsoft.OperationsManagement' : []
  'Microsoft.PolicyInsights' : []
  'Microsoft.PowerBIDedicated' : []
  'Microsoft.Relay' : []
  'Microsoft.RecoveryServices' : []
  'Microsoft.Resources' : []
  'Microsoft.Search' : []
  'Microsoft.Security' : []
  'Microsoft.SecurityInsights' : []
  'Microsoft.ServiceBus' : []
  'Microsoft.ServiceFabric' : []
  'Microsoft.Sql' : []
  'Microsoft.Storage' : []
  'Microsoft.StreamAnalytics' : []
  'Microsoft.TimeSeriesInsights' : []
  'Microsoft.Web' : []
}
// VARIABLES
// Sentinel used by the outputs when no existing Subscription ID was supplied.
var existingSubscriptionIDEmptyCheck = empty(existingSubscriptionId) ? 'No Subscription ID Provided' : existingSubscriptionId
// Customer Usage Attribution PID. A public attribution identifier, not a secret.
var cuaPid = '10d75183-0090-47b2-9c1b-48e3a4a36786'
// Deployment name variables
// LIMITS: Tenant = 64, Management Group = 64, Subscription = 64, Resource Group = 64
// `take(..., 64)` enforces the limits above. The `uniqueString` hash includes `deployment().name`,
// so running this template under a different deployment name yields distinct nested deployment
// names; the alias name is also embedded in clear text and will appear in deployment history.
var deploymentNames = {
  createSubscription: take('lz-vend-sub-create-${subscriptionAliasName}-${uniqueString(subscriptionAliasName, subscriptionDisplayName, subscriptionBillingScope, subscriptionWorkload, deployment().name)}', 64)
  createSubscriptionResources: take('lz-vend-sub-res-create-${subscriptionAliasName}-${uniqueString(subscriptionAliasName, subscriptionDisplayName, subscriptionBillingScope, subscriptionWorkload, existingSubscriptionId, deployment().name)}', 64)
}
// RESOURCES & MODULES
// Usage-attribution marker: an empty nested deployment whose name embeds the CUA PID (see the
// Telemetry wiki link on `disableTelemetry`). It deploys no resources (`resources: []`) but does
// leave a deployment record at this management group; set `disableTelemetry` to suppress it.
resource moduleTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (!disableTelemetry) {
  name: 'pid-${cuaPid}-${uniqueString(deployment().name, virtualNetworkLocation)}'
  location: virtualNetworkLocation
  properties: {
    mode: 'Incremental'
    template: {
      '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
      contentVersion: '1.0.0.0'
      resources: []
    }
  }
}
// Creates the Subscription through a Microsoft.Subscription/aliases resource at management group
// scope. Skipped entirely when an existing Subscription ID is supplied, regardless of
// `subscriptionAliasEnabled`. The tenant/owner IDs are forwarded for the cross-tenant MCA case;
// all inputs are passed through without additional validation here.
module createSubscription 'src/self/Microsoft.Subscription/aliases/deploy.bicep' = if (subscriptionAliasEnabled && empty(existingSubscriptionId)) {
  scope: managementGroup()
  name: deploymentNames.createSubscription
  params: {
    subscriptionBillingScope: subscriptionBillingScope
    subscriptionAliasName: subscriptionAliasName
    subscriptionDisplayName: subscriptionDisplayName
    subscriptionWorkload: subscriptionWorkload
    subscriptionTenantId: subscriptionTenantId
    subscriptionOwnerId: subscriptionOwnerId
  }
}
// Everything that lives inside the (new or existing) Subscription: management group move, tags,
// spoke VNet and hub connectivity, RBAC, and resource-provider registration. Runs whenever a
// Subscription is being created or one has been supplied; the existing ID wins over the freshly
// created one. No explicit `scope` is set, so the module deployment itself sits at this template's
// management group scope — the wrapper is presumably what targets the Subscription (not visible here).
module createSubscriptionResources 'src/self/subResourceWrapper/deploy.bicep' = if (subscriptionAliasEnabled || !empty(existingSubscriptionId)) {
  name: deploymentNames.createSubscriptionResources
  params: {
    subscriptionId: (subscriptionAliasEnabled && empty(existingSubscriptionId)) ? createSubscription.outputs.subscriptionId : existingSubscriptionId
    subscriptionManagementGroupAssociationEnabled: subscriptionManagementGroupAssociationEnabled
    subscriptionManagementGroupId: subscriptionManagementGroupId
    subscriptionTags: subscriptionTags
    virtualNetworkEnabled: virtualNetworkEnabled
    virtualNetworkResourceGroupName: virtualNetworkResourceGroupName
    virtualNetworkResourceGroupTags: virtualNetworkResourceGroupTags
    virtualNetworkResourceGroupLockEnabled: virtualNetworkResourceGroupLockEnabled
    virtualNetworkLocation: virtualNetworkLocation
    virtualNetworkName: virtualNetworkName
    virtualNetworkTags: virtualNetworkTags
    virtualNetworkAddressSpace: virtualNetworkAddressSpace
    virtualNetworkDnsServers: virtualNetworkDnsServers
    virtualNetworkDdosPlanId: virtualNetworkDdosPlanId
    virtualNetworkPeeringEnabled: virtualNetworkPeeringEnabled
    hubNetworkResourceId: hubNetworkResourceId
    virtualNetworkUseRemoteGateways: virtualNetworkUseRemoteGateways
    virtualNetworkVwanEnableInternetSecurity: virtualNetworkVwanEnableInternetSecurity
    virtualNetworkVwanAssociatedRouteTableResourceId: virtualNetworkVwanAssociatedRouteTableResourceId
    virtualNetworkVwanPropagatedRouteTablesResourceIds: virtualNetworkVwanPropagatedRouteTablesResourceIds
    virtualNetworkVwanPropagatedLabels: virtualNetworkVwanPropagatedLabels
    vHubRoutingIntentEnabled: vHubRoutingIntentEnabled
    roleAssignmentEnabled: roleAssignmentEnabled
    roleAssignments: roleAssignments
    disableTelemetry: disableTelemetry
    // Deployment-script resources are named per Subscription via the 8-char GUID prefix.
    deploymentScriptResourceGroupName: '${deploymentScriptResourceGroupName}-${deploymentScriptResourcesSubGuid}'
    deploymentScriptName: '${deploymentScriptName}-${deploymentScriptResourcesSubGuid}'
    deploymentScriptManagedIdentityName: '${deploymentScriptManagedIdentityName}-${deploymentScriptResourcesSubGuid}'
    resourceProviders: resourceProviders
  }
}
// OUTPUTS
// Resolves to the alias module's output when a new Subscription was created; otherwise to
// `existingSubscriptionIDEmptyCheck`, which already holds either the supplied ID or the
// 'No Subscription ID Provided' sentinel, so no further branching on the sentinel is needed.
@sys.description('The Subscription ID that has been created or provided.')
output subscriptionId string = (subscriptionAliasEnabled && empty(existingSubscriptionId)) ? createSubscription.outputs.subscriptionId : existingSubscriptionIDEmptyCheck
// Same selection as `subscriptionId` but rendered as a full ARM resource ID; the sentinel string
// is passed through unchanged when no Subscription ID is available.
@sys.description('The Subscription Resource ID that has been created or provided.')
output subscriptionResourceId string = (subscriptionAliasEnabled && empty(existingSubscriptionId)) ? createSubscription.outputs.subscriptionResourceId : contains(existingSubscriptionIDEmptyCheck, 'No Subscription ID Provided') ? existingSubscriptionIDEmptyCheck : '/subscriptions/${existingSubscriptionId}'
// Cross-tenant MCA only: both `subscriptionTenantId` and `subscriptionOwnerId` must be set and a
// Subscription must be being created, otherwise 'N/A'. The acceptance URL is what the receiving
// tenant's principal uses to take ownership, and as an output it lands in deployment history —
// restrict who can read this deployment's outputs accordingly.
@sys.description('The Subscription Owner State. Only used when creating MCA Subscriptions across tenants')
output subscriptionAcceptOwnershipState string = (subscriptionAliasEnabled && empty(existingSubscriptionId) && !empty(subscriptionTenantId) && !empty(subscriptionOwnerId)) ? createSubscription.outputs.subscriptionAcceptOwnershipState : 'N/A'
@sys.description('The Subscription Ownership URL. Only used when creating MCA Subscriptions across tenants')
output subscriptionAcceptOwnershipUrl string = (subscriptionAliasEnabled && empty(existingSubscriptionId) && !empty(subscriptionTenantId) && !empty(subscriptionOwnerId)) ? createSubscription.outputs.subscriptionAcceptOwnershipUrl : 'N/A'
// Failure reporting from the provider-registration script in the wrapper; empty string when
// `resourceProviders` is an empty object. Callers should check these rather than assume every
// provider/feature in the list registered successfully.
@sys.description('The resource providers that failed to register')
output failedResourceProviders string = !empty(resourceProviders) ? createSubscriptionResources.outputs.failedProviders : ''
@sys.description('The resource providers features that failed to register')
output failedResourceProvidersFeatures string = !empty(resourceProviders) ? createSubscriptionResources.outputs.failedFeatures : ''