diff --git a/README.md b/README.md
index e134c01dfd..d05ee3afed 100644
--- a/README.md
+++ b/README.md
@@ -6,6 +6,7 @@
 * [Community Calls](https://github.com/Azure/Enterprise-Scale/wiki/Community-Calls)
 * [Enterprise-Scale Landing Zones - User Guide](https://github.com/Azure/Enterprise-Scale/wiki#enterprise-scale-landing-zones-user-guide)
 * [Enterprise-Scale Architecture](./docs/EnterpriseScale-Architecture.md)
+* [Telemetry Tracking Using Customer Usage Attribution (PID)](https://github.com/Azure/Enterprise-Scale/wiki/Deploying-Enterprise-Scale-CustomerUsage)
 * [Configure Azure permission for ARM Template deployments](./docs/EnterpriseScale-Setup-azure.md)
 * [Deploy Reference Implementation](./docs/EnterpriseScale-Deploy-reference-implentations.md)
 * [Contoso Reference - Scope and Design](./docs/reference/contoso/Readme.md)
diff --git a/docs/wiki/Deploying-Enterprise-Scale-CustomerUsage.md b/docs/wiki/Deploying-Enterprise-Scale-CustomerUsage.md
new file mode 100644
index 0000000000..fcf384289b
--- /dev/null
+++ b/docs/wiki/Deploying-Enterprise-Scale-CustomerUsage.md
@@ -0,0 +1,30 @@
+## Telemetry Tracking Using Customer Usage Attribution (PID)
+
+Microsoft can identify the deployments of the Azure Resource Manager templates with the deployed Azure resources. Microsoft can correlate these resources used to support the deployments. Microsoft collects this information to provide the best experiences with their products and to operate their business. The telemetry is collected through [customer usage attribution](https://docs.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution). The data is collected and governed by Microsoft's privacy policies, located at the [trust center](https://www.microsoft.com/trustcenter).
+
+To enable or disable the telemetry via the portal experience (recommended), use the radio toggle to specify your preference.
+
+Customer Usage Attribution Disabled:
+![ESLZ ARM Template Telemetry Opt Out Toggle Control Disabled](./media/cua-portal-experience-disabled.jpg)
+Customer Usage Attribution Enabled:
+![ESLZ ARM Template Telemetry Opt Out Toggle Control Enabled](./media/cua-portal-experience-enabled.jpg)
+
+
+Alternatively, to enable or disable this tracking via the ARM template experience, we have included a parameter called `telemetryOptOut` in order to opt out of telemetry tracking to the ESLZ ARM Template in this repo with a simple boolean flag. The default value `false` which **enables** the telemetry. If you would like to disable this tracking, then simply set this value to `true` and this module will not be included in deployments and **therefore disables** the telemetry tracking.
+
+In the `eslzARM.json` file, you will see the following:
+
+![ESLZ ARM Template parameter example](./media/cua-parameter.png)
+![ESLZ ARM Template variable example](./media/cua-variable.png)
+![ESLZ ARM Template resource example](./media/cua-resource.png)
+
+
+
+If you are happy with leaving telemetry tracking enabled, no changes are required. Please do not edit the module name or value of the variable `cuaID` in any module.
+
+## Module PID Value Mapping
+The following are the unique ID's (also known as PIDs) used in each of the modules.
+
+| Module Name | PID |
+| --------------------------- | ------------------------------------ |
+| ALZ Accelerator/ESLZ ARM Deployment | 35c42e79-00b3-42eb-a9ac-e542953efb3c |
diff --git a/docs/wiki/Home.md b/docs/wiki/Home.md
index 919f167f8a..6569d40246 100644
--- a/docs/wiki/Home.md
+++ b/docs/wiki/Home.md
@@ -17,6 +17,7 @@ The Enterprise-Scale Landing Zones User Guide aims to provide comprehensive end-
 * [What happens when you deploy Enterprise-Scale?](https://github.com/Azure/Enterprise-Scale/wiki/How-Enterprise-Scale-Works#what-happens-when-you-deploy-enterprise-scale)
 * Deploying Enterprise-Scale
 * [Pre-requisites](https://github.com/Azure/Enterprise-Scale/wiki/Deploying-Enterprise-Scale-Pre-requisites)
+ * [Telemetry Tracking Using Customer Usage Attribution (PID)](https://github.com/Azure/Enterprise-Scale/wiki/Deploying-Enterprise-Scale-CustomerUsage)
 * [Deploy Enterprise-Scale without hybrid connectivity to on-premises](https://github.com/Azure/Enterprise-Scale/wiki/Deploying-Enterprise-Scale-Foundation)
 * [Deploy Enterprise-Scale with a hub and spoke based network topology](https://github.com/Azure/Enterprise-Scale/wiki/Deploying-Enterprise-Scale-HubAndSpoke)
 * [Deploy Enterprise-Scale with an Azure Virtual WAN based network topology](https://github.com/Azure/Enterprise-Scale/wiki/Deploying-Enterprise-Scale-VWAN)
diff --git a/docs/wiki/_Sidebar.md b/docs/wiki/_Sidebar.md
index 85359443bf..517e148251 100644
--- a/docs/wiki/_Sidebar.md
+++ b/docs/wiki/_Sidebar.md
@@ -14,6 +14,7 @@
 * [What happens when you deploy Enterprise-Scale?](https://github.com/Azure/Enterprise-Scale/wiki/How-Enterprise-Scale-Works#what-happens-when-you-deploy-enterprise-scale)
 * Deploying Enterprise-Scale
 * [Pre-requisites](https://github.com/Azure/Enterprise-Scale/wiki/Deploying-Enterprise-Scale-Pre-requisites)
+ * [Telemetry Tracking Using Customer Usage Attribution (PID)](https://github.com/Azure/Enterprise-Scale/wiki/Deploying-Enterprise-Scale-CustomerUsage)
 * [Deploy Enterprise-Scale without hybrid connectivity to on-premises](https://github.com/Azure/Enterprise-Scale/wiki/Deploying-Enterprise-Scale-Foundation)
 * [Deploy Enterprise-Scale with a hub and spoke based network topology](https://github.com/Azure/Enterprise-Scale/wiki/Deploying-Enterprise-Scale-HubAndSpoke)
 * [Deploy Enterprise-Scale with an Azure Virtual WAN based network topology](https://github.com/Azure/Enterprise-Scale/wiki/Deploying-Enterprise-Scale-VWAN)
diff --git a/docs/wiki/media/cua-parameter.png b/docs/wiki/media/cua-parameter.png
new file mode 100644
index 0000000000..3846521db7
Binary files /dev/null and b/docs/wiki/media/cua-parameter.png differ
diff --git a/docs/wiki/media/cua-portal-experience-disabled.jpg b/docs/wiki/media/cua-portal-experience-disabled.jpg
new file mode 100644
index 0000000000..62438150ad
Binary files /dev/null and b/docs/wiki/media/cua-portal-experience-disabled.jpg differ
diff --git a/docs/wiki/media/cua-portal-experience-enabled.jpg b/docs/wiki/media/cua-portal-experience-enabled.jpg
new file mode 100644
index 0000000000..ba04105312
Binary files /dev/null and b/docs/wiki/media/cua-portal-experience-enabled.jpg differ
diff --git a/docs/wiki/media/cua-resource.png b/docs/wiki/media/cua-resource.png
new file mode 100644
index 0000000000..66edececca
Binary files /dev/null and b/docs/wiki/media/cua-resource.png differ
diff --git a/docs/wiki/media/cua-variable.png b/docs/wiki/media/cua-variable.png
new file mode 100644
index 0000000000..592b61af89
Binary files /dev/null and b/docs/wiki/media/cua-variable.png differ
diff --git a/eslzArm/eslz-portal.json b/eslzArm/eslz-portal.json
index ea850b4dfa..fa612ad093 100644
--- a/eslzArm/eslz-portal.json
+++ b/eslzArm/eslz-portal.json
@@ -78,37 +78,75 @@ }, "visible": true }, - { - "name": "esSingleSubSection", - "type": "Microsoft.Common.Section", - "label": "Single platform subscription", - "elements": [ + { + "name": "esSingleSubSection", + "type": "Microsoft.Common.Section", + "label": "Single platform subscription", + "elements": [ { "name": "subWarning", "type": "Microsoft.Common.InfoBox", "visible": true, "options": { - "icon": "Warning", - "text": "Dedicated subscriptions are recommended for the various platform components to ensure scale, sustainability, and segregation of duties. However, a single subscription can also be used in case this is not a concern (e.g., small enterprises).", - "uri": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/management-group-and-subscription-organization" + "icon": "Warning", + "text": "Dedicated subscriptions are recommended for the various platform components to ensure scale, sustainability, and segregation of duties. However, a single subscription can also be used in case this is not a concern (e.g., small enterprises).", + "uri": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/management-group-and-subscription-organization" + } + }, + { + "name": "singleSubText", + "type": "Microsoft.Common.TextBlock", + "visible": true, + "options": { + "text": "Select the dedicated, single subscription that will be used for all platform resources during deployment, for security, logging, connectivity, and identity." 
+ } + }, + { + "type": "Microsoft.Common.SubscriptionSelector", + "name": "esSingleSub", + "label": "Single platform subscription" + } + ], + "visible": "[equals(steps('lzSettings').subOrgsOption, 'Single')]" + }, + { + "name": "cuaSection", + "type": "Microsoft.Common.Section", + "label": "Telemetry Tracking Using Customer Usage Attribution (PID)", + "elements": [ + { + "name": "cuaSettingsInfo", + "type": "Microsoft.Common.InfoBox", + "visible": true, + "options": { + "text": "Microsoft can identify the deployments of the Azure Resource Manager templates with the deployed Azure resources. Microsoft collects this information to provide the best experiences with their products and to operate their business. The telemetry is collected through customer usage attribution. The data is collected and governed by Microsoft's privacy policies, located at the trust center. Visit this link to find out more.", + "uri": "https://github.com/Azure/Enterprise-Scale/wiki/Deploying-Enterprise-Scale-CustomerUsage", + "style": "Info" } }, - { - "name": "singleSubText", - "type": "Microsoft.Common.TextBlock", - "visible": true, - "options": { - "text": "Select the dedicated, single subscription that will be used for all platform resources during deployment, for security, logging, connectivity, and identity." - } - }, - { - "type":"Microsoft.Common.SubscriptionSelector", - "name": "esSingleSub", - "label": "Single platform subscription" - } - ], - "visible": "[equals(steps('lzSettings').subOrgsOption, 'Single')]" - } + { + "name": "cuaSettingSelection", + "type": "Microsoft.Common.OptionsGroup", + "visible": true, + "label": "Customer Usage Selection Options", + "defaultValue": "Enabled", + "constraints": { + "allowedValues": [ + { + "label": "Enabled", + "value": "No" + }, + { + "label": "Disabled", + "value": "Yes" + } + ], + "required": true + } + } + ], + "visible": true + } ] }, { 
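Review bot: The new `cuaSettingsInfo` InfoBox declares `"style": "Info"` while the existing `subWarning` InfoBox in the same section uses `"icon": "Warning"`; `icon` is the option the file already relies on, so `"icon": "Info",` is the consistent choice and I would confirm in the createUiDefinition sandbox that `style` is honoured at all rather than silently ignored. The `cuaSettingSelection` OptionsGroup maps the label "Enabled" to the value "No" and "Disabled" to "Yes", which is correct for an opt-out parameter but reads as inverted to anyone editing the file later; a toolTip on the control would document that, e.g. `"toolTip": "Enabled keeps customer usage attribution telemetry on (telemetryOptOut = 'No'); Disabled sets telemetryOptOut = 'Yes'."`. The enclosing `lzSettings` step starts and ends outside this hunk.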
@@ -175,19 +213,19 @@ }, "visible": "[equals(steps('esGoalState').esLogAnalytics,'Yes')]" }, - { - "name": "esMgmtSubSection", - "type": "Microsoft.Common.Section", - "label": "Management subscription", - "elements": [ - { - "type":"Microsoft.Common.SubscriptionSelector", - "name": "esMgmtSub", - "label": "Management subscription" - } - ], - "visible": "[and(equals(steps('esGoalState').esLogAnalytics, 'Yes'), not(equals(steps('lzSettings').subOrgsOption, 'Single')))]" - }, + { + "name": "esMgmtSubSection", + "type": "Microsoft.Common.Section", + "label": "Management subscription", + "elements": [ + { + "type": "Microsoft.Common.SubscriptionSelector", + "name": "esMgmtSub", + "label": "Management subscription" + } + ], + "visible": "[and(equals(steps('esGoalState').esLogAnalytics, 'Yes'), not(equals(steps('lzSettings').subOrgsOption, 'Single')))]" + }, { "name": "monitoring", "type": "Microsoft.Common.TextBlock", @@ -804,7 +842,7 @@ "label": "Hub and spoke with Azure Firewall", "value": "vhub" }, - { + { "label": "Hub and spoke with your own third-party NVA", "value": "nva" }, 
@@ -812,27 +850,27 @@ "label": "Virtual WAN (Microsoft managed)", "value": "vwan" }, - { - "label": "No", - "value": "No" - } + { + "label": "No", + "value": "No" + } ] }, "visible": true }, { - "name": "esNwSubSection", - "type": "Microsoft.Common.Section", - "label": "Connectivity subscription", - "elements": [ - { - "type":"Microsoft.Common.SubscriptionSelector", - "name": "esNwSub", - "label": "Connectivity subscription" - } - ], - "visible": "[and(not(equals(steps('esConnectivityGoalState').esHub, 'No')), not(equals(steps('lzSettings').subOrgsOption, 'Single')))]" - }, + "name": "esNwSubSection", + "type": "Microsoft.Common.Section", + "label": "Connectivity subscription", + "elements": [ + { + "type": "Microsoft.Common.SubscriptionSelector", + "name": "esNwSub", + "label": "Connectivity subscription" + } + ], + "visible": "[and(not(equals(steps('esConnectivityGoalState').esHub, 'No')), not(equals(steps('lzSettings').subOrgsOption, 'Single')))]" + }, { "name": "esAddressHubVWAN", "type": "Microsoft.Common.TextBox", @@ -907,7 +945,7 @@ ] } }, - { + { "name": "esPrivateDns", "type": "Microsoft.Common.OptionsGroup", "label": "Create Private DNS Zones for Azure PaaS services", @@ -926,7 +964,7 @@ } ] } - }, + }, { "name": "esVpnGw", "type": "Microsoft.Common.OptionsGroup", @@ -1422,7 +1460,7 @@ } ] } - }, + }, { "name": "esAzFw", "type": "Microsoft.Common.OptionsGroup", @@ -1515,7 +1553,7 @@ } ] } - }, + }, { "name": "esAddressFw", "type": "Microsoft.Common.TextBox", 
@@ -1601,18 +1639,18 @@ "visible": true }, { - "name": "esIdentitySubSection", - "type": "Microsoft.Common.Section", - "label": "Identity subscription", - "elements": [ - { - "type":"Microsoft.Common.SubscriptionSelector", - "name": "esIdentitySub", - "label": "Management subscription" - } - ], - "visible": "[and(equals(steps('esIdentityGoalState').esIdentity,'Yes'), not(equals(steps('lzSettings').subOrgsOption, 'Single')))]" - }, + "name": "esIdentitySubSection", + "type": "Microsoft.Common.Section", + "label": "Identity subscription", + "elements": [ + { + "type": "Microsoft.Common.SubscriptionSelector", + "name": "esIdentitySub", + "label": "Management subscription" + } + ], + "visible": "[and(equals(steps('esIdentityGoalState').esIdentity,'Yes'), not(equals(steps('lzSettings').subOrgsOption, 'Single')))]" + }, { "name": "identitypolicies", "type": "Microsoft.Common.TextBlock", @@ -1705,7 +1743,7 @@ }, "visible": "[equals(steps('esIdentityGoalState').esIdentity,'Yes')]" }, - { + { "name": "esIdentityConnectivity", "type": "Microsoft.Common.OptionsGroup", "label": "Create virtual network and connect to the connectivity hub (optional)?", 
@@ -1725,24 +1763,24 @@ }, "visible": "[and(and(equals(steps('esIdentityGoalState').esIdentity,'Yes'), not(equals(steps('lzSettings').subOrgsOption, 'Single'))), equals(steps('esIdentityGoalState').esIdentity, 'Yes'), not(equals(steps('esConnectivityGoalState').esHub,'No')))]" }, - { - "name": "esIdentityCidr", - "type": "Microsoft.Common.TextBox", - "label": "Virtual network address space", - "placeholder": "", - "defaultValue": "10.110.0.0/24", - "toolTip": "The virtual network's address space, specified as one address prefixes in CIDR notation (e.g. 192.168.1.0/24)", - "constraints": { - "required": true, - "validations": [ + { + "name": "esIdentityCidr", + "type": "Microsoft.Common.TextBox", + "label": "Virtual network address space", + "placeholder": "", + "defaultValue": "10.110.0.0/24", + "toolTip": "The virtual network's address space, specified as one address prefixes in CIDR notation (e.g. 192.168.1.0/24)", + "constraints": { + "required": true, + "validations": [ { "regex": "^(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(?:\/(1[0-9]|2[0-9]))$", "message": "Invalid CIDR range. The address prefix must be in the range [10,29]." } ] - }, - "visible": "[and(equals(steps('esIdentityGoalState').esIdentityConnectivity, 'Yes'), not(equals(steps('esConnectivityGoalState').esHub,'No')))]" - } + }, + "visible": "[and(equals(steps('esIdentityGoalState').esIdentityConnectivity, 'Yes'), not(equals(steps('esConnectivityGoalState').esHub,'No')))]" + } ] }, { @@ -1875,7 +1913,7 @@ } ] } - }, + }, { "name": "lzSubsApi", "type": "Microsoft.Solutions.ArmApiControl", @@ -1955,7 +1993,7 @@ } ] } - }, + }, { "name": "esLzPrivateLink", "type": "Microsoft.Common.OptionsGroup", @@ -2243,7 +2281,7 @@ } ] } - }, + }, { "name": "esAzBackup", "type": "Microsoft.Common.OptionsGroup", 
@@ -2499,10 +2537,11 @@ "singlePlatformSubscriptionId": "[steps('lzSettings').esSingleSubSection.esSingleSub.subscriptionId]", "expressRouteScaleUnit": "[steps('esConnectivityGoalState').esVwanErScaleUnits]", "vpnGateWayScaleUnit": "[steps('esConnectivityGoalState').esVwanGwScaleUnits]", - "enablePrivateDnsZones": "[steps('esConnectivityGoalState').esPrivateDns]", + "enablePrivateDnsZones": "[steps('esConnectivityGoalState').esPrivateDns]", "enablePrivateDnsZonesForLzs": "[steps('lzGoalState').esPrivateDnsZones]", "identityAddressPrefix": "[steps('esIdentityGoalState').esIdentityCidr]", - "corpConnectedLzSubscriptionId": "[if(or(not(contains(steps('lzGoalState').esCorpLzSub,steps('esGoalState').esMgmtSubSection.esMgmtSub.subscriptionId)),not(contains(steps('lzGoalState').esCorpLzSub,steps('esConnectivityGoalState').esNwSubSection.esNwSub.subscriptionId))),steps('lzGoalState').lzConnectedSubs,'')]" + "corpConnectedLzSubscriptionId": "[if(or(not(contains(steps('lzGoalState').esCorpLzSub,steps('esGoalState').esMgmtSubSection.esMgmtSub.subscriptionId)),not(contains(steps('lzGoalState').esCorpLzSub,steps('esConnectivityGoalState').esNwSubSection.esNwSub.subscriptionId))),steps('lzGoalState').lzConnectedSubs,'')]", + "telemetryOptOut": "[steps('lzSettings').cuaSection.cuaSettingSelection]" }, "kind": "Tenant", "location": "[steps('basics').resourceScope.location.name]" diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json index d45a068ea7..ff615bb925 100644 --- a/eslzArm/eslzArm.json +++ b/eslzArm/eslzArm.json @@ -146,7 +146,7 @@ "Disabled", "DeployIfNotExists" ], - "defaultValue": "Disabled" + "defaultValue": "Disabled" }, "enableAscForStorage": { "type": "string", @@ -154,7 +154,7 @@ "Disabled", "DeployIfNotExists" ], - "defaultValue": "Disabled" + "defaultValue": "Disabled" }, "enableAscForSql": { "type": "string", 
@@ -162,7 +162,7 @@ "Disabled", "DeployIfNotExists" ], - "defaultValue": "Disabled" + "defaultValue": "Disabled" }, "enableAscForSqlOnVm": { "type": "string", @@ -170,7 +170,7 @@ "Disabled", "DeployIfNotExists" ], - "defaultValue": "Disabled" + "defaultValue": "Disabled" }, "enableAscForKeyVault": { "type": "string", @@ -178,7 +178,7 @@ "Disabled", "DeployIfNotExists" ], - "defaultValue": "Disabled" + "defaultValue": "Disabled" }, "enableAscForArm": { "type": "string", @@ -186,7 +186,7 @@ "Disabled", "DeployIfNotExists" ], - "defaultValue": "Disabled" + "defaultValue": "Disabled" }, "enableAscForDns": { "type": "string", @@ -194,7 +194,7 @@ "Disabled", "DeployIfNotExists" ], - "defaultValue": "Disabled" + "defaultValue": "Disabled" }, "enableAscForContainers": { "type": "string", @@ -202,7 +202,7 @@ "Disabled", "DeployIfNotExists" ], - "defaultValue": "Disabled" + "defaultValue": "Disabled" }, "enableAscForOssDb": { "type": "string", @@ -617,6 +617,17 @@ "Audit", "No" ] + }, + "telemetryOptOut": { + "type": "string", + "defaultValue": "No", + "allowedValues": [ + "Yes", + "No" + ], + "metadata": { + "description": "The customer usage identifier used for telemetry purposes. The default value of False enables telemetry. The value of True disables telemetry." + } } }, "variables": { @@ -643,7 +654,7 @@ "onlineManagementGroup": "[tenantResourceId('Microsoft.Management/managementGroups/', variables('mgmtGroups').online)]" }, // Declaring all required deployment uri's used for deployments of composite ARM templates for ESLZ - "azPrivateDnsPolicyMapping": { + "azPrivateDnsPolicyMapping": { "https://management.azure.com/": "managementGroupTemplates/policyDefinitions/DINE-PrivateDNSZonesPolicySetDefinition.json", "https://management.usgovcloudapi.net": "managementGroupTemplates/policyDefinitions/gov/fairfaxDINE-PrivateDNSZonesPolicySetDefinition.json" }, 
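Review bot: In the `@@ -617,6 +617,17 @@` hunk the `telemetryOptOut` parameter's metadata description talks about the values `False` and `True`, but its `allowedValues` are `"Yes"` and `"No"` with a default of `"No"`, and it also calls the parameter a "customer usage identifier" when it is an opt-out switch; the description should describe the values that are actually accepted, e.g. `"description": "Opt out of customer usage attribution (CUA) telemetry for this deployment. 'No' (default) keeps telemetry enabled; 'Yes' disables it."`. The new wiki page added earlier in this diff describes the same parameter as a boolean `false`/`true`, so that text is inconsistent with the template as well and should be aligned in the same change. The `parameters` object this hunk belongs to starts outside the hunk.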
@@ -690,7 +701,7 @@ "aksPrivEscalationPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DENY-AksPrivEscalationPolicyAssignment.json')]", "aksPrivilegedPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DENY-AksPrivilegedPolicyAssignment.json')]", "tlsSslPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DENY-DINE-APPEND-TLS-SSL-PolicyAssignment.json')]", - "aksHttpsPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DENY-AksWithoutHttpsPolicyAssignment.json')]", + "aksHttpsPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DENY-AksWithoutHttpsPolicyAssignment.json')]", "ipFwdPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DENY-IPForwardingPolicyAssignment.json')]", "publicEndpointPolicySetDefinition": "[uri(deployment().properties.templateLink.uri, variables('azPublicEndpointArmTemplate'))]", "publicEndpointPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DENY-PublicEndpointPolicyAssignment.json')]", 
@@ -710,7 +721,7 @@ "databricksSku": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DENY-DatabricksSkuPolicyAssignment.json')]", "databricksPip": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DENY-DatabricksPipPolicyAssignment.json')]", "databricksVnet": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DENY-DatabricksVnetPolicyAssignment.json')]", - "govMdfcPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/gov/fairfaxDINE-MDFCConfigPolicyAssignment.json')]" + "govMdfcPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/gov/fairfaxDINE-MDFCConfigPolicyAssignment.json')]" }, // Declaring deterministic deployment names "deploymentSuffix": "[concat('-', deployment().location, guid(parameters('enterpriseScaleCompanyPrefix')))]", @@ -774,7 +785,8 @@ "dnsZoneRoleAssignmentDeploymentName": "[take(concat('EntScale-DNSZoneRole', variables('deploymentSuffix')), 64)]", "identityPeeringDeploymentName": "[take(concat('EntScale-IDPeering', variables('deploymentSuffix')), 64)]", "identityVwanPeeringDeploymentName": "[take(concat('EntScale-IDVwanPeering', variables('deploymentSuffix')), 64)]", - "corpConnectedLzVwanSubs": "[take(concat('EntScale-CorpConnLzsVwan', variables('deploymentSuffix')), 50)]" + "corpConnectedLzVwanSubs": "[take(concat('EntScale-CorpConnLzsVwan', variables('deploymentSuffix')), 50)]", + "pidCuaDeploymentName": "[take(concat('pid-', variables('cuaid'), '-' , uniqueString(deployment().location, parameters('enterpriseScaleCompanyPrefix'))), 64)]" }, "esLiteDeploymentNames": { "mgmtGroupLiteDeploymentName": "[take(concat('EntScale-MgsLite', variables('deploymentSuffix')), 64)]", 
@@ -795,8 +807,7 @@ "ddosLiteDeploymentName": "[take(concat('EntScale-DDoSLite', variables('deploymentSuffix')), 64)]", "ddosHubLitePolicyDeploymentName": "[take(concat('EntScale-DDoSHubPolicyLite', variables('deploymentSuffix')), 64)]", "privateDnsZoneRgLiteDeploymentName": "[take(concat('EntScale-PrivDNSRGLite', variables('deploymentSuffix')), 64)]", - "privateDnsZonesLiteDeploymentName": "[take(concat('EntScale-PrivDNSLite', variables('deploymentSuffix')), 35)]" - + "privateDnsZonesLiteDeploymentName": "[take(concat('EntScale-PrivDNSLite', variables('deploymentSuffix')), 35)]" }, // Declaring deterministic names for Resource Groups that will be created for platform resources "platformRgNames": { 
@@ -830,7 +841,7 @@ // Declaring deterministic resourceId's for platform resources that will be created "singleVsDedicatedMgmtSub": "[if(empty(parameters('managementSubscriptionId')), parameters('singlePlatformSubscriptionId'), parameters('managementSubscriptionId'))]", "singleVsDedicatedConnectivitySub": "[if(empty(parameters('connectivitySubscriptionId')), parameters('singlePlatformSubscriptionId'), parameters('connectivitySubscriptionId'))]", - "singleVsDedicatedIdentitySub": "[if(empty(parameters('identitySubscriptionId')), parameters('singlePlatformSubscriptionId'), parameters('identitySubscriptionId'))]", + "singleVsDedicatedIdentitySub": "[if(empty(parameters('identitySubscriptionId')), parameters('singlePlatformSubscriptionId'), parameters('identitySubscriptionId'))]", "platformResourceIds": { "logAnalyticsResourceId": "[concat('/subscriptions/', variables('singleVsDedicatedMgmtSub'), '/resourceGroups/', variables('platformRgNames').mgmtRg, '/providers/Microsoft.OperationalInsights/workspaces/', variables('platformResourceNames').logAnalyticsWorkspace)]", "automationResourceId": "[concat('/subscriptions/', variables('singleVsDedicatedMgmtSub'), '/resourceGroups/', variables('platformRgNames').mgmtRg, '/providers/Microsoft.Automation/automationAccounts/', variables('platformResourceNames').automationAccount)]", @@ -888,7 +899,8 @@ ], "roleDefinitions": { "networkContributor": "4d97b98b-1d4f-4787-a291-c67834d212e7" - } + }, + "cuaid": "35c42e79-00b3-42eb-a9ac-e542953efb3c" }, "resources": [ /* @@ -913,7 +925,7 @@ } } } - }, + }, /* The following deployments will deploy the required proactive and preventive Azure policies for ESLZ policy driven governance */ @@ -1004,7 +1016,7 @@ } } } - }, + }, { // One of Azure's untold stories..... "type": "Microsoft.Resources/deployments", 
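Review bot: The `cuaid` variable added in the `@@ -888,7 +899,8 @@` hunk is a bare GUID with no explanation, while the surrounding `variables` block already annotates its groups with `//` comments; a one-line comment would stop a future maintainer from treating it as an ordinary identifier, e.g. `// Customer usage attribution (CUA) PID; consumed by deploymentNames.pidCuaDeploymentName and documented in docs/wiki/Deploying-Enterprise-Scale-CustomerUsage.md`. The wiki page in this diff refers to the variable as `cuaID` whereas the template declares `cuaid` and references it as `variables('cuaid')` in the `pidCuaDeploymentName` expression; ARM variable lookup is, as far as I know, case-insensitive so this works, but using one spelling in both places avoids the question. The `variables` object starts outside this hunk.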
@@ -1036,7 +1048,7 @@ }, /* The following deployments will organize the dedicated platform subscriptions into their respective management groups - */ + */ { // Placing management subscription into dedicated management group "condition": "[not(empty(parameters('managementSubscriptionId')))]", @@ -1292,7 +1304,7 @@ "location": "[deployment().location]", "dependsOn": [ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]", - "[resourceId('Microsoft.Resources/deployments', variables('esLitedeploymentNames').platformLiteSubscriptionPlacement)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLitedeploymentNames').platformLiteSubscriptionPlacement)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').monitoringLiteDeploymentName)]" ], @@ -1310,7 +1322,7 @@ "value": "[variables('platformResourceIds').logAnalyticsResourceId]" } } - } + } }, { // Assigning Azure Activity Diagnostics Log policy to intermediate root management group if condition is true @@ -1338,7 +1350,7 @@ "value": "[parameters('enterpriseScaleCompanyPrefix')]" } } - } + } }, { // Assigning Azure Security Center configuration policy initiative to intermediate root management group if condition is true @@ -1399,7 +1411,7 @@ "value": "[parameters('enableAscForOssDb')]" } } - } + } }, { // Az Gov Only - Assigning Azure Security Center configuration policy initiative to intermediate root management group if condition is true @@ -1448,8 +1460,8 @@ "value": "[parameters('enableAscForDns')]" } } - } - }, + } + }, /* The following optional deployment will configure virtual network hub into the connectivity subscription */ @@ -1542,7 +1554,7 @@ "value": "[if(equals(parameters('enableDdoS'), 'Yes'), 'Default', 'DoNotEnforce')]" } } - } + } }, { // Creating the virtual network hub (hub and spoke) 
@@ -1647,7 +1659,7 @@ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').asbPolicyDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]", - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosDeploymentName)]" ], "location": "[deployment().location]", @@ -1708,7 +1720,7 @@ } } } - }, + }, { // Creating the VWAN network hub (Microsoft managed) "condition": "[and(not(empty(parameters('connectivitySubscriptionId'))),equals(parameters('enableHub'), 'vwan'))]", @@ -1722,7 +1734,7 @@ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').asbPolicyDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]", - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosDeploymentName)]" ], "location": "[deployment().location]", 
@@ -1785,7 +1797,7 @@ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').asbPolicyDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]", - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHubDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vwanConnectivityHubDeploymentName)]", @@ -1842,7 +1854,7 @@ } } } - }, + }, /* The following optional deployment will configure and setup AzOps with GitHub for your ESLZ deployment */ @@ -1872,7 +1884,7 @@ "value": "[parameters('principalId')]" } } - } + } }, { // Creating resource group for AzOps @@ -1901,7 +1913,7 @@ "value": "[deployment().location]" } } - } + } }, { // Creating GitHub repository and bootstraps the CICD pipeline @@ -1957,7 +1969,7 @@ "value": "[parameters('repositoryName')]" } } - } + } }, /* The following deployments will deploy and configure the Azure policy governance for the landing zones @@ -2028,7 +2040,7 @@ } } } - }, + }, { // Assigning Azure Monitor for VMs policy initiative to intermediate root management group if condition is true "condition": "[and(or(not(empty(parameters('managementSubscriptionId'))), not(empty(parameters('singlePlatformSubscriptionId')))), equals(parameters('enableLogAnalytics'), 'Yes'), or(equals(parameters('enableVmMonitoring'), 'Yes'), equals(parameters('enableVmMonitoring'), 'Audit')))]", 
@@ -2057,7 +2069,7 @@ "value": "[if(equals(parameters('enableVmMonitoring'), 'Yes'), 'Default', 'DoNotEnforce')]" } } - } + } }, { // Assigning Azure Monitor for VMSS policy initiative to intermediate root management group if condition is true @@ -2088,7 +2100,7 @@ } } } - }, + }, { // Assigning Azure Backup policy to landing zones management group if condition is true "condition": "[or(equals(parameters('enableVmBackup'), 'Yes'), equals(parameters('enableVmBackup'), 'Audit'))]", @@ -2112,7 +2124,7 @@ }, "enforcementMode": { "value": "[if(equals(parameters('enableVmBackup'), 'Yes'), 'Default', 'DoNotEnforce')]" - } + } } } }, @@ -2144,7 +2156,7 @@ "value": "[if(equals(parameters('enableLzDdoS'), 'Yes'), 'Default', 'DoNotEnforce')]" } } - } + } }, { // Assigning Azure Policy to prevent Databricks using public IP @@ -2170,7 +2182,7 @@ }, "enforcementMode": { "value": "[if(equals(parameters('denyDatabricksPip'), 'Yes'), 'Default', 'DoNotEnforce')]" - } + } } } }, @@ -2198,7 +2210,7 @@ }, "enforcementMode": { "value": "[if(equals(parameters('denyDatabricksSku'), 'Yes'), 'Default', 'DoNotEnforce')]" - } + } } } }, @@ -2226,10 +2238,10 @@ }, "enforcementMode": { "value": "[if(equals(parameters('denyDatabricksVnet'), 'Yes'), 'Default', 'DoNotEnforce')]" - } + } } } - }, + }, { // Assigning Azure Policy enablement policy for AKS to landing zones management group if condition is true "condition": "[or(equals(parameters('enableAksPolicy'), 'Yes'), equals(parameters('enableAksPolicy'), 'Audit'))]", @@ -2253,7 +2265,7 @@ }, "enforcementMode": { "value": "[if(equals(parameters('enableaksPolicy'), 'Yes'), 'Default', 'DoNotEnforce')]" - } + } } } }, @@ -2301,7 +2313,7 @@ "parameters": { "enforcementMode": { "value": "[if(equals(parameters('denyAksPrivileged'), 'Yes'), 'Default', 'DoNotEnforce')]" - } + } } } }, @@ -2325,7 +2337,7 @@ "parameters": { "enforcementMode": { "value": "[if(equals(parameters('denyHttpIngressForAks'), 'Yes'), 'Default', 'DoNotEnforce')]" - } + } } } }, 
@@ -2353,7 +2365,7 @@ }, "enforcementMode": { "value": "[if(equals(parameters('enableEncryptionInTransit'), 'Yes'), 'Default', 'DoNotEnforce')]" - } + } } } }, @@ -2378,7 +2390,7 @@ "parameters": { "enforcementMode": { "value": "Default" - } + } } } }, @@ -2406,7 +2418,7 @@ }, "enforcementMode": { "value": "Default" - } + } } } }, @@ -2434,7 +2446,7 @@ }, "enforcementMode": { "value": "Default" - } + } } } }, @@ -2459,7 +2471,7 @@ "parameters": { "enforcementMode": { "value": "Default" - } + } } } }, @@ -2487,7 +2499,7 @@ }, "enforcementMode": { "value": "Default" - } + } } } }, @@ -2514,7 +2526,7 @@ }, "enforcementMode": { "value": "Default" - } + } } } }, @@ -2541,7 +2553,7 @@ }, "enforcementMode": { "value": "Default" - } + } } } }, @@ -2571,7 +2583,7 @@ }, "enforcementMode": { "value": "Default" - } + } } } }, @@ -2599,7 +2611,7 @@ }, "enforcementMode": { "value": "Default" - } + } } } }, @@ -2627,7 +2639,7 @@ }, "enforcementMode": { "value": "Default" - } + } } } }, @@ -2655,7 +2667,7 @@ }, "enforcementMode": { "value": "Default" - } + } } } }, @@ -2674,7 +2686,7 @@ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]", - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').identitySubscriptionPlacement)]" ], 
@@ -2721,7 +2733,7 @@ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]", - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').identitySubscriptionPlacement)]" ], @@ -2752,7 +2764,7 @@ } } } - }, + }, /* The following deployments will place landing zone subscriptions into online/corp (connected or disconnected) */ @@ -2768,7 +2780,7 @@ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]", - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]" ], "copy": { 
@@ -2803,7 +2815,7 @@ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]", - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]" ], "copy": { @@ -2838,7 +2850,7 @@ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]", - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]" ], "copy": { 
@@ -2877,7 +2889,7 @@ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]", - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vwanConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]", @@ -2972,7 +2984,7 @@ } } } - },*/ + },*/ /* **ESLZ Lite Only!** The following section represent optional deployments in case the user select to use a single dedicated subscription for platform resources. @@ -3002,7 +3014,7 @@ }, /* Note: ES Lite only: the following deployments will organize the dedicated platform subscription into the dedicated management groups - */ + */ { // Placing Platform subscription into dedicated management group "condition": "[not(empty(parameters('singlePlatformSubscriptionId')))]", @@ -3032,7 +3044,7 @@ }, /* Note: ES Lite only: the following deployment will create Log Analytics to the platform subscription - */ + */ { // Deploying Log Analytics workspace to platform subscription if condition is true "condition": "[and(equals(parameters('enableLogAnalytics'), 'Yes'), not(empty(parameters('singlePlatformSubscriptionId'))))]", 
@@ -3075,7 +3087,7 @@ }, /* Note: ES Lite only: the following deployments will deploy Log Analytics solutions to the platform subscription - */ + */ { // Deploying Log Analytics solutions to Log Analytics workspace if condition is true "condition": "[and(and(not(empty(parameters('singlePlatformSubscriptionId'))), equals(parameters('enableLogAnalytics'), 'Yes')), equals(parameters('enableLogAnalytics'), 'Yes'), or(or(or(or(or(equals(parameters('enableSecuritySolution'), 'Yes'), equals(parameters('enableAgentHealth'), 'Yes')), equals(parameters('enableChangeTracking'), 'Yes')), equals(parameters('enableUpdateMgmt'), 'Yes'), equals(parameters('enableActivityLog'), 'Yes')), equals(parameters('enableVmInsights'), 'Yes')), equals(parameters('enableServiceMap'), 'Yes'), equals(parameters('enableSqlAssessment'), 'Yes')))]", @@ -3133,7 +3145,7 @@ }, /* Note: ES Lite only: deploy Log Analytics workspace policy to the platform management group - */ + */ { // Assigning Log Analytics workspace policy to platform management group if condition is true "condition": "[and(equals(parameters('enableLogAnalytics'), 'Yes'), not(empty(parameters('singlePlatformSubscriptionId'))))]", @@ -3179,7 +3191,7 @@ }, /* Note: ES Lite only: deploy RG for DDoS standard protection to platform subscription - */ + */ { // Creating resource group for DDoS Standard Protection "condition": "[and(equals(parameters('enableDdoS'), 'Yes'), not(empty(parameters('singlePlatformSubscriptionId'))))]", @@ -3212,7 +3224,7 @@ }, /* Note: ES Lite only: deploy DDoS standard protection - */ + */ { // Creating DDoS protection plan into the connectivity subscription "condition": "[and(equals(parameters('enableDdoS'), 'Yes'), not(empty(parameters('singlePlatformSubscriptionId'))))]", @@ -3239,7 +3251,7 @@ } } } - }, + }, /* Note: ES Lite only: deploy RG for Private DNS zones to platform subscription */ 
@@ -3256,7 +3268,7 @@ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').asbPolicyDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]", - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('esLitedeploymentNames').vnetConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('esLitedeploymentNames').vwanConnectivityHubLiteDeploymentName)]", @@ -3319,7 +3331,7 @@ }, /* Note: ES Lite only: assign DDoS policy for landing zones - */ + */ { // Assigning DDoS Policy to enforce DDoS on virtual networks if condition evaluates to true "condition": "[and(and(equals(parameters('enableDdoS'), 'Yes'), equals(parameters('enableHub'), 'vhub')), not(empty(parameters('singlePlatformSubscriptionId'))), equals(parameters('enableHub'), 'Yes'))]", @@ -3348,11 +3360,11 @@ "value": "Default" } } - } + } }, /* Note: ES Lite only: deploys hub and spoke - */ + */ { // Configuring and deploying the connectivity hub (hub and spoke) "condition": "[and(not(empty(parameters('singlePlatformSubscriptionId'))),equals(parameters('enableHub'), 'vhub'))]", 
@@ -3364,7 +3376,7 @@ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').platformLiteSubscriptionPlacement)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').asbPolicyDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]", - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').ddosHubLitePolicyDeploymentName)]" ], "location": "[deployment().location]", @@ -3455,7 +3467,7 @@ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').platformLiteSubscriptionPlacement)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').asbPolicyDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]", - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').ddosHubLitePolicyDeploymentName)]" ], "location": "[deployment().location]", 
@@ -3531,7 +3543,7 @@ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').platformLiteSubscriptionPlacement)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').asbPolicyDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]", - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').ddosHubLitePolicyDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]" @@ -3592,7 +3604,8 @@ "scope": "[variables('scopes').platformManagementGroup]", "location": "[deployment().location]", "dependsOn": [ - "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').platformLiteSubscriptionPlacement)]" ], + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').platformLiteSubscriptionPlacement)]" + ], "properties": { "mode": "Incremental", "templateLink": { @@ -3605,7 +3618,7 @@ }, "enforcementMode": { "value": "Default" - } + } } } }, @@ -3622,7 +3635,7 @@ "location": "[deployment().location]", "dependsOn": [ "policyCompletion", - "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').platformLiteSubscriptionPlacement)]" + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').platformLiteSubscriptionPlacement)]" ], "properties": { "mode": "Incremental", 
@@ -3636,13 +3649,13 @@ }, "enforcementMode": { "value": "Default" - } + } } } }, /* Note: ES Lite only: assign policy to deny RDP from internet to platform MG - */ + */ { // Assigning deny rpd from internet policy landing zones management group if condition is true "condition": "[and(equals(parameters('denyRdpForIdentity'), 'Yes'), not(empty(parameters('singlePlatformSubscriptionId'))))]", @@ -3653,7 +3666,7 @@ "location": "[deployment().location]", "dependsOn": [ "policyCompletion", - "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').platformLiteSubscriptionPlacement)]" + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').platformLiteSubscriptionPlacement)]" ], "properties": { "mode": "Incremental", @@ -3667,7 +3680,22 @@ }, "enforcementMode": { "value": "Default" - } + } + } + } + }, + { + "condition": "[equals(parameters('telemetryOptOut'), 'No')]", + "apiVersion": "2020-06-01", + "name": "[variables('deploymentNames').pidCuaDeploymentName]", + "location": "[deployment().location]", + "type": "Microsoft.Resources/deployments", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [] } } }
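Review bot: The new condition `"[equals(parameters('telemetryOptOut'), 'No')]"` compares the opt-out parameter with the string `'No'`, but the parameter's declaration is outside this hunk; if it is declared as a bool (which the name suggests for an opt-out flag), `equals(false, 'No')` is never true and the attribution deployment silently never runs regardless of what the operator sets, so the declaration should pin `"allowedValues": ["Yes", "No"]` (or the condition should match the declared type) so the two cannot drift. The resource also lacks the `// ...` lead comment every sibling resource in this file carries, which matters here because the deployment's only payload is its name: `variables('deploymentNames').pidCuaDeploymentName` is what is written to the deployment history and correlated by Microsoft, so an operator auditing outbound attribution needs to be told that; I would add `// Customer Usage Attribution (PID): empty nested deployment whose name carries the tracking ID; skipped when telemetryOptOut is 'Yes'`. `pidCuaDeploymentName` must likewise exist in the `deploymentNames` variable, which is not visible in this hunk. The enclosing `resources` array starts and ends outside the hunk.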