Azure · jaredfholgate · Mar 11, 2025 · Mar 11, 2025
diff --git a/templates/microsoft_cloud_for_industry/financial_services_landing_zone/README.md b/templates/microsoft_cloud_for_industry/financial_services_landing_zone/README.md
@@ -28,25 +28,6 @@ starter module during Phase 2. A copy of the `inputs.yaml` file to use can be fo
 
 The description of inputs for this module are found in ALZ Accelerator documentation [here](https://aka.ms/fsi/terraform/inputs).
 
-## Custom Compliance
-
-### Custom Policy Sets
-
-An example of the format for the `customer_policy_sets` map is as follows:
-
-```yaml
-customer_policy_sets: {
-  assignment1: {
-    policySetDefinitionId: "/providers/Microsoft.Authorization/policySetDefinitions/d5264498-16f4-418a-b659-fa7ef418175f",
-    policySetAssignmentName: "FedRAMPHigh",
-    policySetAssignmentDisplayName: "FedRAMP High",
-    policySetAssignmentDescription: "FedRAMP High",
-    policySetManagementGroupAssignmentScope: "/providers/Microsoft.management/managementGroups/<MG-ID-SCOPE>",
-    policyParameterFilePath: "./policy_parameters/policySetParameterSampleFile.json"
-  }
-}
-```
-
 ### Policy Exemptions
 
 An example of the format for the `policy_exemptions` map is as follows:
@@ -64,7 +45,83 @@ policy_exemptions: {
 }
 ```
 
-## Customize Application Landing Zones
+## Customize Management Group Configuration
+
+### Default Management Group Configuration
+
+NOTE - management_group_configuration archetypes array can be used for including non-ALZ archetypes.
+ALZ archetypes can be toggled using input variable apply_alz_archetypes_via_architecture_definition_template.
+
+All archetypes(ALZ/FSI) can be found [here](https://github.com/Azure/Azure-Landing-Zones-Library/blob/main/platform/fsi/README.md).
+
+The default format for the `management_group_configuration` map is as follows:
+
+```yaml
+management_group_configuration: {
+  root: {
+    id: "${default_prefix}${optional_postfix}",
+    display_name: "FSI Landing Zone",
+    archetypes: ["fsi_root", "tr_01_logging", "re_01_zonal_residency", "so_04_cmk", "so_01_data_residency"]
+  },
+  platform: {
+    id: "${default_prefix}-platform${optional_postfix}",
+    display_name: "Platform",
+    archetypes: []
+  },
+  landingzones: {
+    id: "${default_prefix}-landingzones${optional_postfix}",
+    display_name: "Landing Zones",
+    archetypes: []
+  },
+  decommissioned: {
+    id: "${default_prefix}-decommissioned${optional_postfix}",
+    display_name: "Decommissioned",
+    archetypes: []
+  },
+  sandbox: {
+    id: "${default_prefix}-sandbox${optional_postfix}",
+    display_name: "Sandbox",
+    archetypes: []
+  },
+  management: {
+    id: "${default_prefix}-platform-management${optional_postfix}",
+    display_name: "Management",
+    archetypes: []
+  },
+  connectivity: {
+    id: "${default_prefix}-platform-connectivity${optional_postfix}",
+    display_name: "Connectivity",
+    archetypes: []
+  },
+  identity: {
+    id: "${default_prefix}-platform-identity${optional_postfix}",
+    display_name: "Identity",
+    archetypes: []
+  },
+  corp: {
+    id: "${default_prefix}-landingzones-corp${optional_postfix}",
+    display_name: "Corp",
+    archetypes: []
+  },
+  online: {
+    id: "${default_prefix}-landingzones-online${optional_postfix}",
+    display_name: "Online",
+    archetypes: []
+  },
+  confidential_corp: {
+    id: "${default_prefix}-landingzones-confidential-corp${optional_postfix}",
+    display_name: "Confidential Corp",
+    archetypes: ["confidential"]
+  },
+  confidential_online: {
+    id: "${default_prefix}-landingzones-confidential-online${optional_postfix}",
+    display_name: "Confidential Online",
+    archetypes: ["confidential"]
+  }
+}
+```
+
+## Customize Application Platform/Landing Zones
 
 ### Landing Zone Management Group Children
 
@@ -73,8 +130,23 @@ An example of the format for the `landing_zone_management_group_children` map is
 ```yaml
 landing_zone_management_group_children: {
   child1: {
-    id: "child1",
-    display_name: "Landing zone child one"
+      id: "${default_prefix}-landingzones-child1${optional_postfix}",
+      display_name: "Landing zone child one",
+      archetypes: []
+  }
+}
+```
+
+### Platform Management Group Children
+
+An example of the format for the `platform_management_group_children` map is as follows:
+
+```yaml
+platform_management_group_children: {
+    security: {
+      id: "${default_prefix}-platform-security${optional_postfix}",
+      display_name: "Security",
+      archetypes: ["confidential"]
   }
 }
 ```
@@ -155,17 +227,24 @@ Any updates should be made to the `inputs.yaml` and run the ALZ powershell & rer
 
 There is no validation done to ensure subnets fall within the hub network CIDR or that subnets do not overlap. These issues will be uncovered during apply.
 
-### Unable to Build Authorizer for Resource Manager API
-
-It is necessary to rerun `az login` after creating subscriptions for terraform to pick up that they exist.
-
-### Unable to Update Address Prefixes
+### Unable to update the bastion subnet
 
-Updating the address prefix on either the hub network or subnets is not supported at this time.
+Workaround:
+Set deploy_bastion= false in inputs file
+Run deployAccelerator command
+Run .\scripts\deploy-local.ps1
+Set deploy_bastion= true in inputs file, update AzureBastionSubnet address_prefix
+Run deployAccelerator command
+Run .\scripts\deploy-local.ps1
 
-### Unable to Change Top Level or Sub Level Management Group Names
+### Unable to update the firewall subnet
 
-Modifying the Top Level or Sub Level Management Group name is not supported at this time.
+Work around:
+Set deploy_bastion= false and enable_firewall = false in inputs file
+Run deployAccelerator command
+Run .\scripts\deploy-local.ps1
+Set deploy_bastion= true and enable_firewall = true in inputs file, update AzureFirewallSubnet address_prefix
+Run deployAccelerator command
 
 ### Tags are Not Applied to All Resources
 
@@ -174,3 +253,58 @@ Certain resources are not receiving the default tags. This will be addressed in
 ### Default Compliance Score is not 100%
 
 Certain resources will show as being out of compliance by default. This will be addressed in a future release.
+
+## Notes about Policy Remediations
+
+1. Policy Definition [migrateToMdeTvm](/providers/Microsoft.Authorization/policyDefinitions/766e621d-ba95-4e43-a6f2-e945db3d7888) will be excluded from remediation as customers must [enable MDFC](https://learn.microsoft.com/en-us/azure/defender-for-cloud/connect-azure-subscription?WT.mc_id=Portal-HubsExtension) on their subscriptions for this policy and then run remediation via Azure portal.
+
+2. Log analytics polices deploy-diag-logscat, deploy-azactivity-log, and tr-01-logging(included with FSI) will be skipped for remediation until customer has set the log_analytics_workspace_resource_id(output after successful deployment of LZ) input and re-run deploy-accelerator/deploy-local.ps1.
+
+3. Updating assignment policies or management group configuration will trigger recreation of azapi policy remediation resources -
+Because customers have the option to include custom policies with built-in policy set definitions, and remediations require the policyReferenceId for policy definitions in policy sets, the policyReferenceId must be queried dynamically and due to Terraform's limitations on creating resources in a for_each, remediations will get recreated as the result of a workaround for allowing this dynamic query.
+Remediation tasks will only be created if a policy is not in compliance.
+
+There is an experimental feature that would allow the dynamic creation of resources in a for_each, but work on this is on-going.
+
+## Notes running on non-global admin service principal
+
+To deploy with lowered permissions using a service principal with "Owner" role assignment at the tenant root management group, set the following environment variable in powershell:
+
+```powershell
+$env:AZAPI_RETRY_GET_AFTER_PUT_MAX_TIME="30m"
+```
+
+## Notes on required permissions for optional security group creation
+
+The following permissions are needed for [security group creation](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/group#api-permissions)
+
+Security group creation can be disabled by setting input `management_security_groups = []`. Also, security groups in management_security_groups are case-sensitive.
+
+## Instructions for using custom policies and updating parameter values for ALZ or FSI policies
+
+Custom policies can be added to the `lib` directory in the root of the starter module. Here is an example in the [AVM terraform-azurerm-avm-ptn-alz](https://github.com/Azure/terraform-azurerm-avm-ptn-alz/tree/main/examples/policy-assignment-modification-with-custom-lib/lib) repo.
+
+NOTE - Customers can also include custom [policy set definition](https://github.com/Azure/Azure-Landing-Zones-Library/blob/main/platform/fsi/policy_set_definitions/SO-01-Data-Residency.alz_policy_set_definition.json) and
+[policy definition](https://github.com/Azure/Azure-Landing-Zones-Library/blob/main/platform/alz/policy_definitions/Append-AppService-latestTLS.alz_policy_definition.json) ARM templates into the `lib` directory.
+File names must contain the same format as in the given examples.
+
+Customers can also update policy parameter values for ALZ or FSI policies by including an updated copy of the policy file in the `lib` directory. The new file will overwrite the existing policy file in the module. The new file must contain the same format as the original policy file.
+
+## Instructions updating policy default values
+
+In the starter module locals.tf, customers can update the fsi_policy_default_values for any of the parameters set in this [example](https://github.com/Azure/terraform-azurerm-avm-ptn-alz/blob/main/examples/management/main.tf#L43C4-L50).
+
+```terraform
+fsi_policy_default_values = {
+  fsi_policy_effect                            = jsonencode({ value = var.policy_effect })
+  allowed_locations_for_confidential_computing = jsonencode({ value = var.allowed_locations_for_confidential_computing })
+  allowed_locations                            = jsonencode({ value = var.allowed_locations })
+  ddos_protection_plan_id                      = jsonencode({ value = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/placeholder/providers/Microsoft.Network/ddosProtectionPlans/placeholder" })
+  ddos_protection_plan_effect                  = jsonencode({ value = var.deploy_ddos_protection ? "Audit" : "Disabled" })
+  email_security_contact                       = jsonencode({ value = var.ms_defender_for_cloud_email_security_contact })
+  ama_user_assigned_managed_identity_id        = jsonencode({ value = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/placeholder/providers/Microsoft.ManagedIdentity/userAssignedIdentities/${local.uami_name}" })
+  ama_user_assigned_managed_identity_name      = jsonencode({ value = local.uami_name })
+  log_analytics_workspace_id                   = jsonencode({ value = var.log_analytics_workspace_resource_id })
+  tr_01_log_analytics_workspace_id             = jsonencode({ value = var.log_analytics_workspace_resource_id })
+}
+```
diff --git a/..._for_industry/financial_services_landing_zone/examples/bootstrap/inputs-azure-devops.yaml b/..._for_industry/financial_services_landing_zone/examples/bootstrap/inputs-azure-devops.yaml
@@ -33,8 +33,8 @@ architecture_definition_name: "fsi"
 apply_alz_archetypes_via_architecture_definition_template: true
 
 # Starter Module Specific Variables
-allowed_locations: []
-allowed_locations_for_confidential_computing: []
+allowed_locations: ["<region-1>"]
+allowed_locations_for_confidential_computing: ["<region-1>"]
 az_firewall_policies_enabled: true
 bastion_outbound_ssh_rdp_ports: ["22", "3389"]
 custom_subnets: {
@@ -58,29 +58,93 @@ custom_subnets: {
   }
 }
 customer: "Country/Region"
-customer_policy_sets: {}
-default_postfix: ""
+optional_postfix: ""
 default_prefix: "fsi"
 deploy_bastion: true
+deploy_bootstrap: true
+deploy_dashboard: true
 deploy_ddos_protection: true
 deploy_hub_network: true
 deploy_log_analytics_workspace: true
+deploy_platform: true
 enable_firewall: true
 enable_telemetry: true
 express_route_gateway_config: {name: "noconfigEr"}
 hub_network_address_prefix: "10.20.0.0/16"
 landing_zone_management_group_children: {}
+log_analytics_workspace_resource_id: "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/placeholder/providers/Microsoft.OperationalInsights/workspaces/placeholder-la"
 log_analytics_workspace_retention_in_days: "365"
+management_group_configuration: {
+  root: {
+    id: "${default_prefix}${optional_postfix}",
+    display_name: "FSI Landing Zone",
+    archetypes: ["fsi_root", "tr_01_logging", "re_01_zonal_residency", "so_04_cmk", "so_01_data_residency"]
+  },
+  platform: {
+    id: "${default_prefix}-platform${optional_postfix}",
+    display_name: "Platform",
+    archetypes: []
+  },
+  landingzones: {
+    id: "${default_prefix}-landingzones${optional_postfix}",
+    display_name: "Landing Zones",
+    archetypes: []
+  },
+  decommissioned: {
+    id: "${default_prefix}-decommissioned${optional_postfix}",
+    display_name: "Decommissioned",
+    archetypes: []
+  },
+  sandbox: {
+    id: "${default_prefix}-sandbox${optional_postfix}",
+    display_name: "Sandbox",
+    archetypes: []
+  },
+  management: {
+    id: "${default_prefix}-platform-management${optional_postfix}",
+    display_name: "Management",
+    archetypes: []
+  },
+  connectivity: {
+    id: "${default_prefix}-platform-connectivity${optional_postfix}",
+    display_name: "Connectivity",
+    archetypes: []
+  },
+  identity: {
+    id: "${default_prefix}-platform-identity${optional_postfix}",
+    display_name: "Identity",
+    archetypes: []
+  },
+  corp: {
+    id: "${default_prefix}-landingzones-corp${optional_postfix}",
+    display_name: "Corp",
+    archetypes: []
+  },
+  online: {
+    id: "${default_prefix}-landingzones-online${optional_postfix}",
+    display_name: "Online",
+    archetypes: []
+  },
+  confidential_corp: {
+    id: "${default_prefix}-landingzones-confidential-corp${optional_postfix}",
+    display_name: "Confidential Corp",
+    archetypes: ["confidential"]
+  },
+  confidential_online: {
+    id: "${default_prefix}-landingzones-confidential-online${optional_postfix}",
+    display_name: "Confidential Online",
+    archetypes: ["confidential"]
+  }
+}
+default_security_groups: []
 ms_defender_for_cloud_email_security_contact: "[email protected]"
-policy_assignment_enforcement_mode: "Default"
+platform_management_group_children: {}
 policy_effect: "Deny"
 policy_exemptions: {}
-subscription_billing_scope: ""
-tags: {}
-top_level_management_group_name: "Financial Services Landing Zone"
+tags: {serviceName: "fsi"}
 use_premium_firewall: true
 vpn_gateway_config: {name: "noconfigVpn"}
 
 # Advanced Inputs
-bootstrap_module_version: "v4.1.8"
+bootstrap_module_version: "v4.3.4"
 starter_module_version: "latest"