fix: Resolve a variety of bugs and update api version of private dns zone links resource (Azure#896)

oZakari · web-flow · commit 301891f0deb5 · 2024-11-07T13:37:08.000-06:00
* Added tags to AMA resources

* Update API version of private dns virtual link

* Add additional logic to default to at least 2 zones for pip in case not specified

* Add additional role assignments

* Add additional management group scopes for ama policies

* Add secondary location references

* Adding pattern to skip checking for any email
diff --git a/.github/actions-config/mlc_config.json b/.github/actions-config/mlc_config.json
@@ -6,6 +6,9 @@
     {
       "pattern": "^(https:\\/\\/)?([www.]?)+(microsoft.com\\/)+[\\w\\-\\._~:/?#[\\]@!\\$&'\\(\\)\\*\\+,;=.]+$"
     }
+    {
+      "pattern": "^mailto:"
+    }
   ],
   "httpHeaders": [
     {
@@ -27,4 +30,4 @@
     203,
     206
   ]
-}
+}
diff --git a/infra-as-code/bicep/modules/hubNetworking/hubNetworking-multiRegion.bicep b/infra-as-code/bicep/modules/hubNetworking/hubNetworking-multiRegion.bicep
@@ -1265,8 +1265,14 @@ module modGatewayPublicIp '../publicIp/publicIp.bicep' = [
     params: {
       parLocation: parLocation
       parAvailabilityZones: toLower(gateway.gatewayType) == 'expressroute'
-        ? parAzErGatewayAvailabilityZones
-        : toLower(gateway.gatewayType) == 'vpn' ? parAzVpnGatewayAvailabilityZones : []
+      ? (contains(toLower(gateway.sku), 'az') && empty(parAzErGatewayAvailabilityZones)
+          ? ['1', '2']
+          : parAzErGatewayAvailabilityZones)
+      : (toLower(gateway.gatewayType) == 'vpn'
+          ? (contains(toLower(gateway.sku), 'az') && empty(parAzVpnGatewayAvailabilityZones)
+              ? ['1', '2']
+              : parAzVpnGatewayAvailabilityZones)
+          : [])
       parPublicIpName: '${parPublicIpPrefix}${gateway.name}${parPublicIpSuffix}'
       parPublicIpProperties: {
         publicIpAddressVersion: 'IPv4'
@@ -1291,8 +1297,14 @@ module modGatewayPublicIpActiveActive '../publicIp/publicIp.bicep' = [
     params: {
       parLocation: parLocation
       parAvailabilityZones: toLower(gateway.gatewayType) == 'expressroute'
-        ? parAzErGatewayAvailabilityZones
-        : toLower(gateway.gatewayType) == 'vpn' ? parAzVpnGatewayAvailabilityZones : []
+      ? (contains(toLower(gateway.sku), 'az') && empty(parAzErGatewayAvailabilityZones)
+          ? ['1', '2']
+          : parAzErGatewayAvailabilityZones)
+      : (toLower(gateway.gatewayType) == 'vpn'
+          ? (contains(toLower(gateway.sku), 'az') && empty(parAzVpnGatewayAvailabilityZones)
+              ? ['1', '2']
+              : parAzVpnGatewayAvailabilityZones)
+          : [])
       parPublicIpName: '${parPublicIpPrefix}${gateway.name}${parPublicIpSuffix}-aa'
       parPublicIpProperties: {
         publicIpAddressVersion: 'IPv4'
@@ -1316,8 +1328,14 @@ module modGatewayPublicIpSecondaryLocation '../publicIp/publicIp.bicep' = [
     params: {
       parLocation: parSecondaryLocation
       parAvailabilityZones: toLower(gateway.gatewayType) == 'expressroute'
-        ? parAzErGatewayAvailabilityZonesSecondaryLocation
-        : toLower(gateway.gatewayType) == 'vpn' ? parAzVpnGatewayAvailabilityZonesSecondaryLocation : []
+      ? (contains(toLower(gateway.sku), 'az') && empty(parAzErGatewayAvailabilityZonesSecondaryLocation)
+          ? ['1', '2']
+          : parAzErGatewayAvailabilityZones)
+      : (toLower(gateway.gatewayType) == 'vpn'
+          ? (contains(toLower(gateway.sku), 'az') && empty(parAzVpnGatewayAvailabilityZonesSecondaryLocation)
+              ? ['1', '2']
+              : parAzVpnGatewayAvailabilityZonesSecondaryLocation)
+          : [])
       parPublicIpName: '${parPublicIpPrefixSecondaryLocation}${gateway.name}${parPublicIpSuffix}'
       parPublicIpProperties: {
         publicIpAddressVersion: 'IPv4'
@@ -1342,8 +1360,14 @@ module modGatewayPublicIpActiveActiveSecondaryLocation '../publicIp/publicIp.bic
     params: {
       parLocation: parLocation
       parAvailabilityZones: toLower(gateway.gatewayType) == 'expressroute'
-        ? parAzErGatewayAvailabilityZones
-        : toLower(gateway.gatewayType) == 'vpn' ? parAzVpnGatewayAvailabilityZones : []
+      ? (contains(toLower(gateway.sku), 'az') && empty(parAzErGatewayAvailabilityZonesSecondaryLocation)
+          ? ['1', '2']
+          : parAzErGatewayAvailabilityZones)
+      : (toLower(gateway.gatewayType) == 'vpn'
+          ? (contains(toLower(gateway.sku), 'az') && empty(parAzVpnGatewayAvailabilityZonesSecondaryLocation)
+              ? ['1', '2']
+              : parAzVpnGatewayAvailabilityZonesSecondaryLocation)
+          : [])
       parPublicIpName: '${parPublicIpPrefix}${gateway.name}${parPublicIpSuffix}-aa'
       parPublicIpProperties: {
         publicIpAddressVersion: 'IPv4'
diff --git a/infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep b/infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep
@@ -696,8 +696,14 @@ module modGatewayPublicIp '../publicIp/publicIp.bicep' = [
     params: {
       parLocation: parLocation
       parAvailabilityZones: toLower(gateway.gatewayType) == 'expressroute'
-        ? parAzErGatewayAvailabilityZones
-        : toLower(gateway.gatewayType) == 'vpn' ? parAzVpnGatewayAvailabilityZones : []
+      ? (contains(toLower(gateway.sku), 'az') && empty(parAzErGatewayAvailabilityZones)
+          ? ['1', '2']
+          : parAzErGatewayAvailabilityZones)
+      : (toLower(gateway.gatewayType) == 'vpn'
+          ? (contains(toLower(gateway.sku), 'az') && empty(parAzVpnGatewayAvailabilityZones)
+              ? ['1', '2']
+              : parAzVpnGatewayAvailabilityZones)
+          : [])
       parPublicIpName: '${parPublicIpPrefix}${gateway.name}${parPublicIpSuffix}'
       parPublicIpProperties: {
         publicIpAddressVersion: 'IPv4'
@@ -722,8 +728,14 @@ module modGatewayPublicIpActiveActive '../publicIp/publicIp.bicep' = [
     params: {
       parLocation: parLocation
       parAvailabilityZones: toLower(gateway.gatewayType) == 'expressroute'
-        ? parAzErGatewayAvailabilityZones
-        : toLower(gateway.gatewayType) == 'vpn' ? parAzVpnGatewayAvailabilityZones : []
+      ? (contains(toLower(gateway.sku), 'az') && empty(parAzErGatewayAvailabilityZones)
+          ? ['1', '2']
+          : parAzErGatewayAvailabilityZones)
+      : (toLower(gateway.gatewayType) == 'vpn'
+          ? (contains(toLower(gateway.sku), 'az') && empty(parAzVpnGatewayAvailabilityZones)
+              ? ['1', '2']
+              : parAzVpnGatewayAvailabilityZones)
+          : [])
       parPublicIpName: '${parPublicIpPrefix}${gateway.name}${parPublicIpSuffix}-aa'
       parPublicIpProperties: {
         publicIpAddressVersion: 'IPv4'
diff --git a/infra-as-code/bicep/modules/logging/logging.bicep b/infra-as-code/bicep/modules/logging/logging.bicep
@@ -187,6 +187,7 @@ var varCuaid = 'f8087c67-cc41-46b2-994d-66e4b661860d'
 resource resUserAssignedManagedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
   name: parUserAssignedManagedIdentityName
   location: parUserAssignedManagedIdentityLocation
+  tags: parTags
 }
 
 resource resAutomationAccount 'Microsoft.Automation/automationAccounts@2023-11-01' = {
@@ -243,6 +244,7 @@ resource resLogAnalyticsWorkspaceLock 'Microsoft.Authorization/locks@2020-05-01'
 resource resDataCollectionRuleVMInsights 'Microsoft.Insights/dataCollectionRules@2021-04-01' = {
   name: parDataCollectionRuleVMInsightsName
   location: parLogAnalyticsWorkspaceLocation
+  tags: parTags
   properties: {
     description: 'Data collection rule for VM Insights'
     dataSources: {
@@ -311,6 +313,7 @@ resource resDataCollectionRuleVMInsightsLock 'Microsoft.Authorization/locks@2020
 resource resDataCollectionRuleChangeTracking 'Microsoft.Insights/dataCollectionRules@2021-04-01' = {
   name: parDataCollectionRuleChangeTrackingName
   location: parLogAnalyticsWorkspaceLocation
+  tags: parTags
   properties: {
     description: 'Data collection rule for CT.'
     dataSources: {
@@ -582,6 +585,7 @@ resource resDataCollectionRuleChangeTrackingLock 'Microsoft.Authorization/locks@
 resource resDataCollectionRuleMDFCSQL'Microsoft.Insights/dataCollectionRules@2021-04-01' = {
   name: parDataCollectionRuleMDFCSQLName
   location: parLogAnalyticsWorkspaceLocation
+  tags: parTags
   properties: {
     description: 'Data collection rule for Defender for SQL.'
     dataSources: {
diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep
@@ -941,6 +941,9 @@ module modPolicyAssignmentPlatformDeployVmArcChangeTrack '../../../policy/assign
       varRbacRoleDefinitionIds.monitoringContributor
       varRbacRoleDefinitionIds.reader
     ]
+    parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs: [
+      string(varManagementGroupIds.landingZones)
+    ]
     parTelemetryOptOut: parTelemetryOptOut
   }
 }
@@ -972,6 +975,9 @@ module modPolicyAssignmentPlatformDeployVmChangeTrack '../../../policy/assignmen
       varRbacRoleDefinitionIds.managedIdentityOperator
       varRbacRoleDefinitionIds.reader
     ]
+    parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs: [
+      string(varManagementGroupIds.landingZones)
+    ]
     parTelemetryOptOut: parTelemetryOptOut
   }
 }
@@ -1003,6 +1009,9 @@ module modPolicyAssignmentPlatformDeployVmssChangeTrack '../../../policy/assignm
       varRbacRoleDefinitionIds.managedIdentityOperator
       varRbacRoleDefinitionIds.reader
     ]
+    parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs: [
+      string(varManagementGroupIds.landingZones)
+    ]
     parTelemetryOptOut: parTelemetryOptOut
   }
 }
@@ -1030,6 +1039,8 @@ module modPolicyAssignmentPlatformDeployVmArcMonitor '../../../policy/assignment
       varRbacRoleDefinitionIds.reader
       varRbacRoleDefinitionIds.connectedMachineResourceAdministrator
     ]
+    parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs: [
+      string(varManagementGroupIds.landingZones)    ]
     parTelemetryOptOut: parTelemetryOptOut
   }
 }
@@ -1061,6 +1072,9 @@ module modPolicyAssignmentPlatformDeployVmMonitor '../../../policy/assignments/p
       varRbacRoleDefinitionIds.managedIdentityOperator
       varRbacRoleDefinitionIds.reader
     ]
+    parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs: [
+      string(varManagementGroupIds.landingZones)
+    ]
     parTelemetryOptOut: parTelemetryOptOut
   }
 }
@@ -1095,6 +1109,9 @@ module modPolicyAssignmentPlatformDeployMdfcDefSqlAma '../../../policy/assignmen
       varRbacRoleDefinitionIds.managedIdentityOperator
       varRbacRoleDefinitionIds.reader
     ]
+    parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs: [
+      string(varManagementGroupIds.landingZones)
+    ]
     parTelemetryOptOut: parTelemetryOptOut
   }
 }
@@ -1146,6 +1163,9 @@ module modPolicyAssignmentPlatformDeployVmssMonitor '../../../policy/assignments
       varRbacRoleDefinitionIds.managedIdentityOperator
       varRbacRoleDefinitionIds.reader
     ]
+    parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs: [
+      string(varManagementGroupIds.landingZones)
+    ]
     parTelemetryOptOut: parTelemetryOptOut
   }
 }
@@ -1751,6 +1771,9 @@ module modPolicyAssignmentLzsDeployVmMonitor '../../../policy/assignments/policy
       varRbacRoleDefinitionIds.managedIdentityOperator
       varRbacRoleDefinitionIds.reader
     ]
+    parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs: [
+      string(varManagementGroupIds.platform)
+    ]
     parTelemetryOptOut: parTelemetryOptOut
   }
 }
@@ -1782,6 +1805,9 @@ module modPolicyAssignmentLzsDeployVmssMonitor '../../../policy/assignments/poli
       varRbacRoleDefinitionIds.managedIdentityOperator
       varRbacRoleDefinitionIds.reader
     ]
+    parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs: [
+      string(varManagementGroupIds.platform)
+    ]
     parTelemetryOptOut: parTelemetryOptOut
   }
 }
@@ -1813,6 +1839,9 @@ module modPolicyAssignmentLzsmDeployMdfcDefSqlAma '../../../policy/assignments/p
       varRbacRoleDefinitionIds.managedIdentityOperator
       varRbacRoleDefinitionIds.reader
     ]
+    parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs: [
+      string(varManagementGroupIds.platform)
+    ]
     parTelemetryOptOut: parTelemetryOptOut
   }
 }
diff --git a/infra-as-code/bicep/modules/privateDnsZoneLinks/privateDnsZoneLinks.bicep b/infra-as-code/bicep/modules/privateDnsZoneLinks/privateDnsZoneLinks.bicep
@@ -30,7 +30,7 @@ param parResourceLockConfig lockType = {
 
 var varSpokeVirtualNetworkName = split(parSpokeVirtualNetworkResourceId, '/')[8]
 
-resource resPrivateDnsZoneLinkToSpoke 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = if (!empty(parPrivateDnsZoneResourceId)) {
+resource resPrivateDnsZoneLinkToSpoke 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2024-06-01' = if (!empty(parPrivateDnsZoneResourceId)) {
   location: 'global'
   name: '${split(parPrivateDnsZoneResourceId, '/')[8]}/dnslink-to-${varSpokeVirtualNetworkName}'
   properties: {

Original file line number	Diff line number	Diff line change
`@@ -6,6 +6,9 @@`
`6`	`6`	`{`
`7`	`7`	`"pattern": "^(https:\\/\\/)?([www.]?)+(microsoft.com\\/)+[\\w\\-\\._~:/?#[\\]@!\\$&'\\(\\)\\*\\+,;=.]+$"`
`8`	`8`	`}`
	`9`	`+ {`
	`10`	`+ "pattern": "^mailto:"`
	`11`	`+ }`
`9`	`12`	`],`
`10`	`13`	`"httpHeaders": [`
`11`	`14`	`{`
`@@ -27,4 +30,4 @@`
`27`	`30`	`203,`
`28`	`31`	`206`
`29`	`32`	`]`
`30`		`-}`
	`33`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -941,6 +941,9 @@ module modPolicyAssignmentPlatformDeployVmArcChangeTrack '../../../policy/assign`
`941`	`941`	`varRbacRoleDefinitionIds.monitoringContributor`
`942`	`942`	`varRbacRoleDefinitionIds.reader`
`943`	`943`	`]`
	`944`	`+ parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs: [`
	`945`	`+ string(varManagementGroupIds.landingZones)`
	`946`	`+ ]`
`944`	`947`	`parTelemetryOptOut: parTelemetryOptOut`
`945`	`948`	`}`
`946`	`949`	`}`
`@@ -972,6 +975,9 @@ module modPolicyAssignmentPlatformDeployVmChangeTrack '../../../policy/assignmen`
`972`	`975`	`varRbacRoleDefinitionIds.managedIdentityOperator`
`973`	`976`	`varRbacRoleDefinitionIds.reader`
`974`	`977`	`]`
	`978`	`+ parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs: [`
	`979`	`+ string(varManagementGroupIds.landingZones)`
	`980`	`+ ]`
`975`	`981`	`parTelemetryOptOut: parTelemetryOptOut`
`976`	`982`	`}`
`977`	`983`	`}`
`@@ -1003,6 +1009,9 @@ module modPolicyAssignmentPlatformDeployVmssChangeTrack '../../../policy/assignm`
`1003`	`1009`	`varRbacRoleDefinitionIds.managedIdentityOperator`
`1004`	`1010`	`varRbacRoleDefinitionIds.reader`
`1005`	`1011`	`]`
	`1012`	`+ parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs: [`
	`1013`	`+ string(varManagementGroupIds.landingZones)`
	`1014`	`+ ]`
`1006`	`1015`	`parTelemetryOptOut: parTelemetryOptOut`
`1007`	`1016`	`}`
`1008`	`1017`	`}`
`@@ -1030,6 +1039,8 @@ module modPolicyAssignmentPlatformDeployVmArcMonitor '../../../policy/assignment`
`1030`	`1039`	`varRbacRoleDefinitionIds.reader`
`1031`	`1040`	`varRbacRoleDefinitionIds.connectedMachineResourceAdministrator`
`1032`	`1041`	`]`
	`1042`	`+ parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs: [`
	`1043`	`+ string(varManagementGroupIds.landingZones) ]`
`1033`	`1044`	`parTelemetryOptOut: parTelemetryOptOut`
`1034`	`1045`	`}`
`1035`	`1046`	`}`
`@@ -1061,6 +1072,9 @@ module modPolicyAssignmentPlatformDeployVmMonitor '../../../policy/assignments/p`
`1061`	`1072`	`varRbacRoleDefinitionIds.managedIdentityOperator`
`1062`	`1073`	`varRbacRoleDefinitionIds.reader`
`1063`	`1074`	`]`
	`1075`	`+ parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs: [`
	`1076`	`+ string(varManagementGroupIds.landingZones)`
	`1077`	`+ ]`
`1064`	`1078`	`parTelemetryOptOut: parTelemetryOptOut`
`1065`	`1079`	`}`
`1066`	`1080`	`}`
`@@ -1095,6 +1109,9 @@ module modPolicyAssignmentPlatformDeployMdfcDefSqlAma '../../../policy/assignmen`
`1095`	`1109`	`varRbacRoleDefinitionIds.managedIdentityOperator`
`1096`	`1110`	`varRbacRoleDefinitionIds.reader`
`1097`	`1111`	`]`
	`1112`	`+ parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs: [`
	`1113`	`+ string(varManagementGroupIds.landingZones)`
	`1114`	`+ ]`
`1098`	`1115`	`parTelemetryOptOut: parTelemetryOptOut`
`1099`	`1116`	`}`
`1100`	`1117`	`}`
`@@ -1146,6 +1163,9 @@ module modPolicyAssignmentPlatformDeployVmssMonitor '../../../policy/assignments`
`1146`	`1163`	`varRbacRoleDefinitionIds.managedIdentityOperator`
`1147`	`1164`	`varRbacRoleDefinitionIds.reader`
`1148`	`1165`	`]`
	`1166`	`+ parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs: [`
	`1167`	`+ string(varManagementGroupIds.landingZones)`
	`1168`	`+ ]`
`1149`	`1169`	`parTelemetryOptOut: parTelemetryOptOut`
`1150`	`1170`	`}`
`1151`	`1171`	`}`
`@@ -1751,6 +1771,9 @@ module modPolicyAssignmentLzsDeployVmMonitor '../../../policy/assignments/policy`
`1751`	`1771`	`varRbacRoleDefinitionIds.managedIdentityOperator`
`1752`	`1772`	`varRbacRoleDefinitionIds.reader`
`1753`	`1773`	`]`
	`1774`	`+ parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs: [`
	`1775`	`+ string(varManagementGroupIds.platform)`
	`1776`	`+ ]`
`1754`	`1777`	`parTelemetryOptOut: parTelemetryOptOut`
`1755`	`1778`	`}`
`1756`	`1779`	`}`
`@@ -1782,6 +1805,9 @@ module modPolicyAssignmentLzsDeployVmssMonitor '../../../policy/assignments/poli`
`1782`	`1805`	`varRbacRoleDefinitionIds.managedIdentityOperator`
`1783`	`1806`	`varRbacRoleDefinitionIds.reader`
`1784`	`1807`	`]`
	`1808`	`+ parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs: [`
	`1809`	`+ string(varManagementGroupIds.platform)`
	`1810`	`+ ]`
`1785`	`1811`	`parTelemetryOptOut: parTelemetryOptOut`
`1786`	`1812`	`}`
`1787`	`1813`	`}`
`@@ -1813,6 +1839,9 @@ module modPolicyAssignmentLzsmDeployMdfcDefSqlAma '../../../policy/assignments/p`
`1813`	`1839`	`varRbacRoleDefinitionIds.managedIdentityOperator`
`1814`	`1840`	`varRbacRoleDefinitionIds.reader`
`1815`	`1841`	`]`
	`1842`	`+ parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs: [`
	`1843`	`+ string(varManagementGroupIds.platform)`
	`1844`	`+ ]`
`1816`	`1845`	`parTelemetryOptOut: parTelemetryOptOut`
`1817`	`1846`	`}`
`1818`	`1847`	`}`