diff --git a/infra-as-code/bicep/modules/hubNetworking/generateddocs/hubNetworking-multiRegion.bicep.md b/infra-as-code/bicep/modules/hubNetworking/generateddocs/hubNetworking-multiRegion.bicep.md index 0f179b24d..3889fe543 100644 --- a/infra-as-code/bicep/modules/hubNetworking/generateddocs/hubNetworking-multiRegion.bicep.md +++ b/infra-as-code/bicep/modules/hubNetworking/generateddocs/hubNetworking-multiRegion.bicep.md 
@@ -57,7 +57,9 @@ parAzFirewallTierSecondaryLocation | No | Azure Firewall Tier associated w parAzFirewallIntelMode | No | The Azure Firewall Threat Intelligence Mode. If not set, the default value is Alert. parAzFirewallIntelModeSecondaryLocation | No | The Azure Firewall Threat Intelligence Mode in the secondary location. If not set, the default value is Alert. parAzFirewallCustomPublicIps | No | Optional List of Custom Public IPs, which are assigned to firewalls ipConfigurations. +parAzFirewallCustomManagementIp | No | Optional Custom Management Public IP resource ID, which is assigned to Azure Firewall managementIpConfiguration. Requires AzureFirewallManagementSubnet to be configured in parSubnets. parAzFirewallCustomPublicIpsSecondaryLocation | No | Optional List of Custom Public IPs, which are assigned to firewalls ipConfigurations in the secondary location. +parAzFirewallCustomManagementIpSecondaryLocation | No | Optional Custom Management Public IP resource ID, which is assigned to Azure Firewall managementIpConfiguration in the secondary location. Requires AzureFirewallManagementSubnet to be configured in parSubnetsSecondaryLocation. parAzFirewallAvailabilityZones | No | Availability Zones to deploy the Azure Firewall across. Region must support Availability Zones to use. If it does not then leave empty. parAzFirewallAvailabilityZonesSecondaryLocation | No | Availability Zones to deploy the Azure Firewall across in the secondary location. Region must support Availability Zones to use. If it does not then leave empty. parAzErGatewayAvailabilityZones | No | Availability Zones to deploy the VPN/ER PIP across. Region must support Availability Zones to use. If it does not then leave empty. Ensure that you select a zonal SKU for the ER/VPN Gateway if using Availability Zones for the PIP. 
@@ -69,6 +71,7 @@ parAzFirewallDnsProxyEnabledSecondaryLocation | No | Switch to enable/disa parAzFirewallDnsServers | No | Array of custom DNS servers used by Azure Firewall. parAzFirewallDnsServersSecondaryLocation | No | Array of custom DNS servers used by Azure Firewall in the secondary location. parAzureFirewallLock | No | Resource Lock Configuration for Azure Firewall. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. +parAzureFirewallPolicyLock | No | Resource Lock Configuration for Azure Firewall Policy. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. parHubRouteTableName | No | Name of Route table to create for the default route of Hub. parHubRouteTableNameSecondaryLocation | No | Name of Route table to create for the default route of Hub in the secondary location. parDisableBgpRoutePropagation | No | Switch to enable/disable BGP Propagation on route table. 
@@ -529,12 +532,24 @@ The Azure Firewall Threat Intelligence Mode in the secondary location. If not se Optional List of Custom Public IPs, which are assigned to firewalls ipConfigurations. +### parAzFirewallCustomManagementIp + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Optional Custom Management Public IP resource ID, which is assigned to Azure Firewall managementIpConfiguration. Requires AzureFirewallManagementSubnet to be configured in parSubnets. + ### parAzFirewallCustomPublicIpsSecondaryLocation ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) Optional List of Custom Public IPs, which are assigned to firewalls ipConfigurations in the secondary location. +### parAzFirewallCustomManagementIpSecondaryLocation + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Optional Custom Management Public IP resource ID, which is assigned to Azure Firewall managementIpConfiguration in the secondary location. Requires AzureFirewallManagementSubnet to be configured in parSubnetsSecondaryLocation. + ### parAzFirewallAvailabilityZones ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) @@ -622,6 +637,19 @@ Array of custom DNS servers used by Azure Firewall in the secondary location. +- Default value: `@{kind=None; notes=This lock was created by the ALZ Bicep Hub Networking Module.}` + +### parAzureFirewallPolicyLock + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + + Resource Lock Configuration for Azure Firewall Policy. + +- `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. +- `notes` - Notes about this lock. + + + - Default value: `@{kind=None; notes=This lock was created by the ALZ Bicep Hub Networking Module.}` ### parHubRouteTableName 
@@ -1095,9 +1123,15 @@ outBastionNsgNameSecondaryLocation | string | "parAzFirewallCustomPublicIps": { "value": [] }, + "parAzFirewallCustomManagementIp": { + "value": "" + }, "parAzFirewallCustomPublicIpsSecondaryLocation": { "value": [] }, + "parAzFirewallCustomManagementIpSecondaryLocation": { + "value": "" + }, "parAzFirewallAvailabilityZones": { "value": [] }, @@ -1134,6 +1168,12 @@ outBastionNsgNameSecondaryLocation | string | "notes": "This lock was created by the ALZ Bicep Hub Networking Module." } }, + "parAzureFirewallPolicyLock": { + "value": { + "kind": "None", + "notes": "This lock was created by the ALZ Bicep Hub Networking Module." + } + }, "parHubRouteTableName": { "value": "[format('{0}-hub-routetable', parameters('parCompanyPrefix'))]" }, diff --git a/infra-as-code/bicep/modules/hubNetworking/generateddocs/hubNetworking.bicep.md b/infra-as-code/bicep/modules/hubNetworking/generateddocs/hubNetworking.bicep.md index 013a67f4b..3bb5f9013 100644 --- a/infra-as-code/bicep/modules/hubNetworking/generateddocs/hubNetworking.bicep.md +++ b/infra-as-code/bicep/modules/hubNetworking/generateddocs/hubNetworking.bicep.md 
@@ -35,12 +35,14 @@ parAzFirewallPoliciesPrivateRanges | No | Private IP addresses/IP ranges t parAzFirewallTier | No | Azure Firewall Tier associated with the Firewall to deploy. parAzFirewallIntelMode | No | The Azure Firewall Threat Intelligence Mode. If not set, the default value is Alert. parAzFirewallCustomPublicIps | No | Optional List of Custom Public IPs, which are assigned to firewalls ipConfigurations. +parAzFirewallCustomManagementIp | Yes | Optional Custom Management Public IP resource ID, which is assigned to Azure Firewall managementIpConfiguration. Requires AzureFirewallManagementSubnet to be configured in parSubnets. parAzFirewallAvailabilityZones | No | Availability Zones to deploy the Azure Firewall across. Region must support Availability Zones to use. If it does not then leave empty. parAzErGatewayAvailabilityZones | No | Availability Zones to deploy the VPN/ER PIP across. Region must support Availability Zones to use. If it does not then leave empty. Ensure that you select a zonal SKU for the ER/VPN Gateway if using Availability Zones for the PIP. parAzVpnGatewayAvailabilityZones | No | Availability Zones to deploy the VPN/ER PIP across. Region must support Availability Zones to use. If it does not then leave empty. Ensure that you select a zonal SKU for the ER/VPN Gateway if using Availability Zones for the PIP. parAzFirewallDnsProxyEnabled | No | Switch to enable/disable Azure Firewall DNS Proxy. parAzFirewallDnsServers | No | Array of custom DNS servers used by Azure Firewall parAzureFirewallLock | No | Resource Lock Configuration for Azure Firewall. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. +parAzureFirewallPolicyLock | No | Resource Lock Configuration for Azure Firewall Policy. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. 
parHubRouteTableName | No | Name of Route table to create for the default route of Hub. parDisableBgpRoutePropagation | No | Switch to enable/disable BGP Propagation on route table. parHubRouteTableLock | No | Resource Lock Configuration for Hub Route Table. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. @@ -316,6 +318,12 @@ The Azure Firewall Threat Intelligence Mode. If not set, the default value is Al Optional List of Custom Public IPs, which are assigned to firewalls ipConfigurations. +### parAzFirewallCustomManagementIp + +![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square) + +Optional Custom Management Public IP resource ID, which is assigned to Azure Firewall managementIpConfiguration. Requires AzureFirewallManagementSubnet to be configured in parSubnets. + ### parAzFirewallAvailabilityZones ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) @@ -365,6 +373,19 @@ Array of custom DNS servers used by Azure Firewall +- Default value: `@{kind=None; notes=This lock was created by the ALZ Bicep Hub Networking Module.}` + +### parAzureFirewallPolicyLock + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + + Resource Lock Configuration for Azure Firewall Policy. + +- `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. +- `notes` - Notes about this lock. + + + - Default value: `@{kind=None; notes=This lock was created by the ALZ Bicep Hub Networking Module.}` ### parHubRouteTableName @@ -682,6 +703,9 @@ outBastionNsgName | string | "parAzFirewallCustomPublicIps": { "value": [] }, + "parAzFirewallCustomManagementIp": { + "value": "" + }, "parAzFirewallAvailabilityZones": { "value": [] }, 
@@ -703,6 +727,12 @@ outBastionNsgName | string | "notes": "This lock was created by the ALZ Bicep Hub Networking Module." } }, + "parAzureFirewallPolicyLock": { + "value": { + "kind": "None", + "notes": "This lock was created by the ALZ Bicep Hub Networking Module." + } + }, "parHubRouteTableName": { "value": "[format('{0}-hub-routetable', parameters('parCompanyPrefix'))]" }, diff --git a/infra-as-code/bicep/modules/hubNetworking/hubNetworking-multiRegion.bicep b/infra-as-code/bicep/modules/hubNetworking/hubNetworking-multiRegion.bicep index 1555b46c3..7ab324d2c 100644 --- a/infra-as-code/bicep/modules/hubNetworking/hubNetworking-multiRegion.bicep +++ b/infra-as-code/bicep/modules/hubNetworking/hubNetworking-multiRegion.bicep @@ -361,9 +361,15 @@ param parAzFirewallIntelModeSecondaryLocation string = 'Alert' @sys.description('Optional List of Custom Public IPs, which are assigned to firewalls ipConfigurations.') param parAzFirewallCustomPublicIps array = [] +@sys.description('Optional Custom Management Public IP resource ID, which is assigned to Azure Firewall managementIpConfiguration. Requires AzureFirewallManagementSubnet to be configured in parSubnets.') +param parAzFirewallCustomManagementIp string = '' + @sys.description('Optional List of Custom Public IPs, which are assigned to firewalls ipConfigurations in the secondary location.') param parAzFirewallCustomPublicIpsSecondaryLocation array = [] +@sys.description('Optional Custom Management Public IP resource ID, which is assigned to Azure Firewall managementIpConfiguration in the secondary location. Requires AzureFirewallManagementSubnet to be configured in parSubnetsSecondaryLocation.') +param parAzFirewallCustomManagementIpSecondaryLocation string = '' + @allowed([ '1' '2' 
@@ -435,6 +441,17 @@ param parAzureFirewallLock lockType = { notes: 'This lock was created by the ALZ Bicep Hub Networking Module.' } +@sys.description(''' Resource Lock Configuration for Azure Firewall Policy. + +- `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. +- `notes` - Notes about this lock. + +''') +param parAzureFirewallPolicyLock lockType = { + kind: 'None' + notes: 'This lock was created by the ALZ Bicep Hub Networking Module.' +} + @sys.description('Name of Route table to create for the default route of Hub.') param parHubRouteTableName string = '${parCompanyPrefix}-hub-routetable' @@ -742,8 +759,10 @@ var varZtnP1TriggerSecondaryLocation = (parDdosEnabledSecondaryLocation && parAz : false var varAzFirewallUseCustomPublicIps = length(parAzFirewallCustomPublicIps) > 0 +var varAzFirewallUseCustomManagementIp = !empty(parAzFirewallCustomManagementIp) var varAzFirewallUseCustomPublicIpsSecondaryLocation = length(parAzFirewallCustomPublicIpsSecondaryLocation) > 0 +var varAzFirewallUseCustomManagementIpSecondaryLocation = !empty(parAzFirewallCustomManagementIpSecondaryLocation) //DDos Protection plan will only be enabled if parDdosEnabled is true. resource resDdosProtectionPlan 'Microsoft.Network/ddosProtectionPlans@2024-05-01' = if (parDdosEnabled) { @@ -1685,7 +1704,7 @@ module modAzureFirewallPublicIpSecondaryLocation '../publicIp/publicIp.bicep' = } } -module modAzureFirewallMgmtPublicIp '../publicIp/publicIp.bicep' = if (parAzFirewallEnabled && (contains( +module modAzureFirewallMgmtPublicIp '../publicIp/publicIp.bicep' = if (parAzFirewallEnabled && !varAzFirewallUseCustomManagementIp && (contains( map(parSubnets, subnets => subnets.name), 'AzureFirewallManagementSubnet' ))) { 
@@ -1707,7 +1726,7 @@ module modAzureFirewallMgmtPublicIp '../publicIp/publicIp.bicep' = if (parAzFire } } -module modAzureFirewallMgmtPublicIpSecondaryLocation '../publicIp/publicIp.bicep' = if (parAzFirewallEnabledSecondaryLocation && (contains( +module modAzureFirewallMgmtPublicIpSecondaryLocation '../publicIp/publicIp.bicep' = if (parAzFirewallEnabledSecondaryLocation && !varAzFirewallUseCustomManagementIpSecondaryLocation && (contains( map(parSubnetsSecondaryLocation, subnets => subnets.name), 'AzureFirewallManagementSubnet' ))) { 
@@ -1787,23 +1806,23 @@ resource resFirewallPoliciesSecondaryLocation 'Microsoft.Network/firewallPolicie } } -// Create Azure Firewall Policy resource lock if parAzFirewallEnabled is true and parGlobalResourceLock.kind != 'None' or if parAzureFirewallLock.kind != 'None' -resource resFirewallPoliciesLock 'Microsoft.Authorization/locks@2020-05-01' = if (parAzFirewallEnabled && (parAzureFirewallLock.kind != 'None' || parGlobalResourceLock.kind != 'None')) { +// Create Azure Firewall Policy resource lock if parAzFirewallPoliciesEnabled is true and parGlobalResourceLock.kind != 'None' or if parAzureFirewallPolicyLock.kind != 'None' +resource resFirewallPoliciesLock 'Microsoft.Authorization/locks@2020-05-01' = if (parAzFirewallPoliciesEnabled && (parAzureFirewallPolicyLock.kind != 'None' || parGlobalResourceLock.kind != 'None')) { scope: resFirewallPolicies - name: parAzureFirewallLock.?name ?? '${resFirewallPolicies.name}-lock' + name: parAzureFirewallPolicyLock.?name ?? '${resFirewallPolicies.name}-lock' properties: { - level: (parGlobalResourceLock.kind != 'None') ? parGlobalResourceLock.kind : parAzureFirewallLock.kind - notes: (parGlobalResourceLock.kind != 'None') ? parGlobalResourceLock.?notes : parAzureFirewallLock.?notes + level: (parGlobalResourceLock.kind != 'None') ? parGlobalResourceLock.kind : parAzureFirewallPolicyLock.kind + notes: (parGlobalResourceLock.kind != 'None') ? 
parGlobalResourceLock.?notes : parAzureFirewallPolicyLock.?notes } } -// Create Azure Firewall Policy resource lock if parAzFirewallEnabled is true and parGlobalResourceLock.kind != 'None' or if parAzureFirewallLock.kind != 'None' -resource resFirewallPoliciesLockSecondaryLocation 'Microsoft.Authorization/locks@2020-05-01' = if (parAzFirewallEnabledSecondaryLocation && (parAzureFirewallLock.kind != 'None' || parGlobalResourceLock.kind != 'None')) { +// Create Azure Firewall Policy resource lock if parAzFirewallPoliciesEnabledSecondaryLocation is true and parGlobalResourceLock.kind != 'None' or if parAzureFirewallPolicyLock.kind != 'None' +resource resFirewallPoliciesLockSecondaryLocation 'Microsoft.Authorization/locks@2020-05-01' = if (parAzFirewallPoliciesEnabledSecondaryLocation && (parAzureFirewallPolicyLock.kind != 'None' || parGlobalResourceLock.kind != 'None')) { scope: resFirewallPoliciesSecondaryLocation - name: parAzureFirewallLock.?name ?? '${resFirewallPoliciesSecondaryLocation.name}-lock' + name: parAzureFirewallPolicyLock.?name ?? '${resFirewallPoliciesSecondaryLocation.name}-lock' properties: { - level: (parGlobalResourceLock.kind != 'None') ? parGlobalResourceLock.kind : parAzureFirewallLock.kind - notes: (parGlobalResourceLock.kind != 'None') ? parGlobalResourceLock.?notes : parAzureFirewallLock.?notes + level: (parGlobalResourceLock.kind != 'None') ? parGlobalResourceLock.kind : parAzureFirewallPolicyLock.kind + notes: (parGlobalResourceLock.kind != 'None') ? parGlobalResourceLock.?notes : parAzureFirewallPolicyLock.?notes } } 
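Review bot: The policy lock is now driven by the new `parAzureFirewallPolicyLock`, which defaults to `kind: 'None'`, so an existing deployment that protected the policy by setting `parAzureFirewallLock.kind` to `CanNotDelete` or `ReadOnly` loses that lock on the next run unless it also sets the new parameter; nothing in the hunk or the parameter description records this. The `@sys.description` of `parAzureFirewallPolicyLock` (hunk at -435 above) should say so, e.g. `Previously this lock inherited from parAzureFirewallLock; set it explicitly to keep an existing policy lock.` The same applies to `resFirewallPoliciesLockSecondaryLocation` in this hunk and to `resFirewallPoliciesLock` in hubNetworking.bicep (hunk -987). The gating change from `parAzFirewallEnabled` to `parAzFirewallPoliciesEnabled` itself is correct, since that is the condition on the scoped resource.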
@@ -1849,24 +1868,30 @@ resource resAzureFirewall 'Microsoft.Network/azureFirewalls@2024-05-01' = if (pa } } ] - managementIpConfiguration: { - name: 'mgmtIpConfig' - properties: { - subnet: { - id: resAzureFirewallMgmtSubnetRef.id - } - publicIPAddress: { - id: parAzFirewallEnabled ? modAzureFirewallMgmtPublicIp.?outputs.outPublicIpId : '' + managementIpConfiguration: (contains(map(parSubnets, subnets => subnets.name), 'AzureFirewallManagementSubnet')) + ? { + name: 'mgmtIpConfig' + properties: { + subnet: { + id: resAzureFirewallMgmtSubnetRef.id + } + publicIPAddress: { + id: parAzFirewallEnabled + ? (varAzFirewallUseCustomManagementIp ? parAzFirewallCustomManagementIp : modAzureFirewallMgmtPublicIp.?outputs.outPublicIpId) + : '' + } + } } - } - } + : null sku: { name: 'AZFW_VNet' tier: parAzFirewallTier } - firewallPolicy: { - id: resFirewallPolicies.id - } + firewallPolicy: (parAzFirewallPoliciesEnabled) + ? { + id: resFirewallPolicies.id + } + : null } } 
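Review bot: `managementIpConfiguration` now silently becomes `null` when `AzureFirewallManagementSubnet` is absent from `parSubnets`, yet the Basic tier requires a management IP configuration, so a Basic deployment without that subnet now fails at deploy time with a service error instead of a clear template message. Consider a comment on the new ternary, `// Basic tier requires a management IP configuration: AzureFirewallManagementSubnet must be present in parSubnets`, or surfacing the requirement in the `parAzFirewallTier` description. Likewise `firewallPolicy: null` when `parAzFirewallPoliciesEnabled` is false leaves the firewall with no policy attached, which is worth a one-line comment since no classic rules are defined in this module as far as the hunk shows. The enclosing `resAzureFirewall` resource starts outside the hunk; the secondary-location resource in the next hunk and `resAzureFirewall` in hubNetworking.bicep (hunk -1039) have the same shape.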
@@ -1915,26 +1940,30 @@ resource resAzureFirewallSecondaryLocation 'Microsoft.Network/azureFirewalls@202 } } ] - managementIpConfiguration: { - name: 'mgmtIpConfig' - properties: { - subnet: { - id: resAzureFirewallMgmtSubnetRefSecondaryLocation.id - } - publicIPAddress: { - id: parAzFirewallEnabledSecondaryLocation - ? modAzureFirewallMgmtPublicIpSecondaryLocation.?outputs.outPublicIpId - : '' + managementIpConfiguration: (contains(map(parSubnetsSecondaryLocation, subnets => subnets.name), 'AzureFirewallManagementSubnet')) + ? { + name: 'mgmtIpConfig' + properties: { + subnet: { + id: resAzureFirewallMgmtSubnetRefSecondaryLocation.id + } + publicIPAddress: { + id: parAzFirewallEnabledSecondaryLocation + ? (varAzFirewallUseCustomManagementIpSecondaryLocation ? parAzFirewallCustomManagementIpSecondaryLocation : modAzureFirewallMgmtPublicIpSecondaryLocation.?outputs.outPublicIpId) + : '' + } + } } - } - } + : null sku: { name: 'AZFW_VNet' tier: parAzFirewallTierSecondaryLocation } - firewallPolicy: { - id: resFirewallPoliciesSecondaryLocation.id - } + firewallPolicy: (parAzFirewallPoliciesEnabledSecondaryLocation) + ? { + id: resFirewallPoliciesSecondaryLocation.id + } + : null } } diff --git a/infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep b/infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep index 5ae00fcfe..c203f4069 100644 --- a/infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep +++ b/infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep @@ -250,6 +250,9 @@ param parAzFirewallIntelMode string = 'Alert' @sys.description('Optional List of Custom Public IPs, which are assigned to firewalls ipConfigurations.') param parAzFirewallCustomPublicIps array = [] +@sys.description('Optional Custom Management Public IP resource ID, which is assigned to Azure Firewall managementIpConfiguration. Requires AzureFirewallManagementSubnet to be configured in parSubnets.') +param parAzFirewallCustomManagementIp string? + @allowed([ '1' '2' 
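Review bot: `param parAzFirewallCustomManagementIp string?` in hubNetworking.bicep is declared differently from the multi-region module, which uses `param parAzFirewallCustomManagementIp string = ''`, and the generated doc for this module renders the parameter as required (`| Yes |` and the `parameter-required` badge) while its description says "Optional". Declaring it as `param parAzFirewallCustomManagementIp string = ''` would align the two modules, match the `""` value every shipped parameter file passes, and most likely fix the generated doc, though I have not confirmed how the doc generator treats nullable parameters.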
@@ -291,6 +294,17 @@ param parAzureFirewallLock lockType = { notes: 'This lock was created by the ALZ Bicep Hub Networking Module.' } +@sys.description(''' Resource Lock Configuration for Azure Firewall Policy. + +- `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. +- `notes` - Notes about this lock. + +''') +param parAzureFirewallPolicyLock lockType = { + kind: 'None' + notes: 'This lock was created by the ALZ Bicep Hub Networking Module.' +} + @sys.description('Name of Route table to create for the default route of Hub.') param parHubRouteTableName string = '${parCompanyPrefix}-hub-routetable' @@ -478,6 +492,7 @@ var varZtnP1CuaId = '3ab23b1e-c5c5-42d4-b163-1402384ba2db' var varZtnP1Trigger = (parDdosEnabled && parAzFirewallEnabled && (parAzFirewallTier == 'Premium')) var varAzFirewallUseCustomPublicIps = length(parAzFirewallCustomPublicIps) > 0 +var varAzFirewallUseCustomManagementIp = !empty(parAzFirewallCustomManagementIp) //DDos Protection plan will only be enabled if parDdosEnabled is true. resource resDdosProtectionPlan 'Microsoft.Network/ddosProtectionPlans@2023-02-01' = if (parDdosEnabled) { @@ -936,7 +951,7 @@ module modAzureFirewallPublicIp '../publicIp/publicIp.bicep' = if (parAzFirewall } } -module modAzureFirewallMgmtPublicIp '../publicIp/publicIp.bicep' = if (parAzFirewallEnabled && (contains( +module modAzureFirewallMgmtPublicIp '../publicIp/publicIp.bicep' = if (parAzFirewallEnabled && !varAzFirewallUseCustomManagementIp && (contains( map(parSubnets, subnets => subnets.name), 'AzureFirewallManagementSubnet' ))) { 
@@ -987,13 +1002,13 @@ resource resFirewallPolicies 'Microsoft.Network/firewallPolicies@2024-05-01' = i } } -// Create Azure Firewall Policy resource lock if parAzFirewallEnabled is true and parGlobalResourceLock.kind != 'None' or if parAzureFirewallLock.kind != 'None' -resource resFirewallPoliciesLock 'Microsoft.Authorization/locks@2020-05-01' = if (parAzFirewallEnabled && (parAzureFirewallLock.kind != 'None' || parGlobalResourceLock.kind != 'None')) { +// Create Azure Firewall Policy resource lock if parAzFirewallPoliciesEnabled is true and parGlobalResourceLock.kind != 'None' or if parAzureFirewallPolicyLock.kind != 'None' +resource resFirewallPoliciesLock 'Microsoft.Authorization/locks@2020-05-01' = if (parAzFirewallPoliciesEnabled && (parAzureFirewallPolicyLock.kind != 'None' || parGlobalResourceLock.kind != 'None')) { scope: resFirewallPolicies - name: parAzureFirewallLock.?name ?? '${resFirewallPolicies.name}-lock' + name: parAzureFirewallPolicyLock.?name ?? '${resFirewallPolicies.name}-lock' properties: { - level: (parGlobalResourceLock.kind != 'None') ? parGlobalResourceLock.kind : parAzureFirewallLock.kind - notes: (parGlobalResourceLock.kind != 'None') ? parGlobalResourceLock.?notes : parAzureFirewallLock.?notes + level: (parGlobalResourceLock.kind != 'None') ? parGlobalResourceLock.kind : parAzureFirewallPolicyLock.kind + notes: (parGlobalResourceLock.kind != 'None') ? parGlobalResourceLock.?notes : parAzureFirewallPolicyLock.?notes } } 
@@ -1039,24 +1054,30 @@ resource resAzureFirewall 'Microsoft.Network/azureFirewalls@2024-05-01' = if (pa } } ] - managementIpConfiguration: { - name: 'mgmtIpConfig' - properties: { - subnet: { - id: resAzureFirewallMgmtSubnetRef.id - } - publicIPAddress: { - id: parAzFirewallEnabled ? modAzureFirewallMgmtPublicIp.?outputs.outPublicIpId : '' + managementIpConfiguration: (contains(map(parSubnets, subnets => subnets.name), 'AzureFirewallManagementSubnet')) + ? { + name: 'mgmtIpConfig' + properties: { + subnet: { + id: resAzureFirewallMgmtSubnetRef.id + } + publicIPAddress: { + id: parAzFirewallEnabled + ? (parAzFirewallCustomManagementIp ?? modAzureFirewallMgmtPublicIp.?outputs.outPublicIpId) + : '' + } + } } - } - } + : null sku: { name: 'AZFW_VNet' tier: parAzFirewallTier } - firewallPolicy: { - id: resFirewallPolicies.id - } + firewallPolicy: (parAzFirewallPoliciesEnabled) + ? { + id: resFirewallPolicies.id + } + : null } } diff --git a/infra-as-code/bicep/modules/hubNetworking/parameters/hubNetworking.parameters.all.json b/infra-as-code/bicep/modules/hubNetworking/parameters/hubNetworking.parameters.all.json index 07c4287eb..9cadfc0df 100644 --- a/infra-as-code/bicep/modules/hubNetworking/parameters/hubNetworking.parameters.all.json +++ b/infra-as-code/bicep/modules/hubNetworking/parameters/hubNetworking.parameters.all.json @@ -90,6 +90,12 @@ "parAzFirewallIntelMode": { "value": "Alert" }, + "parAzFirewallCustomPublicIps": { + "value": [] + }, + "parAzFirewallCustomManagementIp": { + "value": "" + }, "parAzFirewallAvailabilityZones": { "value": [] }, @@ -219,6 +225,12 @@ "notes": "This lock was created by the ALZ Bicep Hub Networking Module." } }, + "parAzureFirewallPolicyLock": { + "value": { + "kind": "None", + "notes": "This lock was created by the ALZ Bicep Hub Networking Module." + } + }, "parHubRouteTableLock": { "value": { "kind": "None", 
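Review bot: The `??` on the new `publicIPAddress.id` line does not agree with the `!empty()` gate used for `modAzureFirewallMgmtPublicIp`: with the `""` that every parameter file in this commit passes for `parAzFirewallCustomManagementIp`, `!empty('')` is false so the managed PIP module is deployed, but `'' ?? modAzureFirewallMgmtPublicIp.?outputs.outPublicIpId` evaluates to `''` because `??` only falls through on null, leaving the management configuration with an empty public IP id. The line should use the same variable the module condition uses, as the multi-region module already does: `? (varAzFirewallUseCustomManagementIp ? parAzFirewallCustomManagementIp : modAzureFirewallMgmtPublicIp.?outputs.outPublicIpId)`. The enclosing `resAzureFirewall` resource starts outside the hunk.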
diff --git a/infra-as-code/bicep/modules/hubNetworking/parameters/hubNetworking.parameters.az.all.json b/infra-as-code/bicep/modules/hubNetworking/parameters/hubNetworking.parameters.az.all.json index 0be95fc51..d02f9a849 100644 --- a/infra-as-code/bicep/modules/hubNetworking/parameters/hubNetworking.parameters.az.all.json +++ b/infra-as-code/bicep/modules/hubNetworking/parameters/hubNetworking.parameters.az.all.json @@ -90,6 +90,12 @@ "parAzFirewallIntelMode": { "value": "Alert" }, + "parAzFirewallCustomPublicIps": { + "value": [] + }, + "parAzFirewallCustomManagementIp": { + "value": "" + }, "parAzFirewallAvailabilityZones": { "value": [ "1", @@ -231,6 +237,12 @@ "notes": "This lock was created by the ALZ Bicep Hub Networking Module." } }, + "parAzureFirewallPolicyLock": { + "value": { + "kind": "None", + "notes": "This lock was created by the ALZ Bicep Hub Networking Module." + } + }, "parHubRouteTableLock": { "value": { "kind": "None", diff --git a/infra-as-code/bicep/modules/hubNetworking/parameters/hubNetworking.parameters.az.multiRegion.all.json b/infra-as-code/bicep/modules/hubNetworking/parameters/hubNetworking.parameters.az.multiRegion.all.json index ea0c4e61e..dd62f7a2f 100644 --- a/infra-as-code/bicep/modules/hubNetworking/parameters/hubNetworking.parameters.az.multiRegion.all.json +++ b/infra-as-code/bicep/modules/hubNetworking/parameters/hubNetworking.parameters.az.multiRegion.all.json @@ -154,6 +154,12 @@ "parAzFirewallIntelMode": { "value": "Alert" }, + "parAzFirewallCustomPublicIps": { + "value": [] + }, + "parAzFirewallCustomManagementIp": { + "value": "" + }, "parAzFirewallAvailabilityZones": { "value": [ "1", @@ -176,6 +182,12 @@ "parAzFirewallIntelModeSecondaryLocation": { "value": "Alert" }, + "parAzFirewallCustomPublicIpsSecondaryLocation": { + "value": [] + }, + "parAzFirewallCustomManagementIpSecondaryLocation": { + "value": "" + }, "parAzFirewallAvailabilityZonesSecondaryLocation": { "value": [ "1", 
@@ -396,6 +408,12 @@ "notes": "This lock was created by the ALZ Bicep Hub Networking Module." } }, + "parAzureFirewallPolicyLock": { + "value": { + "kind": "None", + "notes": "This lock was created by the ALZ Bicep Hub Networking Module." + } + }, "parHubRouteTableLock": { "value": { "kind": "None", diff --git a/infra-as-code/bicep/modules/hubNetworking/parameters/hubNetworking.parameters.min.json b/infra-as-code/bicep/modules/hubNetworking/parameters/hubNetworking.parameters.min.json index e144952c1..ebb74b8a3 100644 --- a/infra-as-code/bicep/modules/hubNetworking/parameters/hubNetworking.parameters.min.json +++ b/infra-as-code/bicep/modules/hubNetworking/parameters/hubNetworking.parameters.min.json @@ -48,6 +48,12 @@ "parDdosEnabled": { "value": true }, + "parAzFirewallCustomPublicIps": { + "value": [] + }, + "parAzFirewallCustomManagementIp": { + "value": "" + }, "parAzFirewallEnabled": { "value": true }, diff --git a/infra-as-code/bicep/modules/hubNetworking/parameters/mc-hubNetworking.parameters.all.json b/infra-as-code/bicep/modules/hubNetworking/parameters/mc-hubNetworking.parameters.all.json index 92fe59afb..592a38c91 100644 --- a/infra-as-code/bicep/modules/hubNetworking/parameters/mc-hubNetworking.parameters.all.json +++ b/infra-as-code/bicep/modules/hubNetworking/parameters/mc-hubNetworking.parameters.all.json @@ -90,6 +90,12 @@ "parAzFirewallIntelMode": { "value": "Alert" }, + "parAzFirewallCustomPublicIps": { + "value": [] + }, + "parAzFirewallCustomManagementIp": { + "value": "" + }, "parAzFirewallAvailabilityZones": { "value": [] }, @@ -249,6 +255,12 @@ "notes": "This lock was created by the ALZ Bicep Hub Networking Module." } }, + "parAzureFirewallPolicyLock": { + "value": { + "kind": "None", + "notes": "This lock was created by the ALZ Bicep Hub Networking Module." + } + }, "parHubRouteTableLock": { "value": { "kind": "None", 
diff --git a/infra-as-code/bicep/modules/hubNetworking/parameters/mc-hubNetworking.parameters.min.json b/infra-as-code/bicep/modules/hubNetworking/parameters/mc-hubNetworking.parameters.min.json index fa870421d..f85d46939 100644 --- a/infra-as-code/bicep/modules/hubNetworking/parameters/mc-hubNetworking.parameters.min.json +++ b/infra-as-code/bicep/modules/hubNetworking/parameters/mc-hubNetworking.parameters.min.json @@ -51,6 +51,12 @@ "parDdosEnabled": { "value": false }, + "parAzFirewallCustomPublicIps": { + "value": [] + }, + "parAzFirewallCustomManagementIp": { + "value": "" + }, "parAzFirewallEnabled": { "value": true }, diff --git a/infra-as-code/bicep/modules/logging/generateddocs/logging.bicep.md b/infra-as-code/bicep/modules/logging/generateddocs/logging.bicep.md index 4375c68f1..b832862d8 100644 --- a/infra-as-code/bicep/modules/logging/generateddocs/logging.bicep.md +++ b/infra-as-code/bicep/modules/logging/generateddocs/logging.bicep.md 
@@ -21,7 +21,6 @@ parLogAnalyticsWorkspaceCapacityReservationLevel | No | Log Analytics Work parLogAnalyticsWorkspaceLogRetentionInDays | No | Number of days of log retention for Log Analytics Workspace. parLogAnalyticsWorkspaceLock | No | Resource Lock Configuration for Log Analytics Workspace. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. parLogAnalyticsWorkspaceSolutions | No | Solutions that will be added to the Log Analytics Workspace. -parSecurityInsightsOnboardingLock | No | Resource Lock Configuration for Security Insights solution. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. parChangeTrackingSolutionLock | No | Resource Lock Configuration for Change Tracking solution. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. parUserAssignedManagedIdentityName | No | Name of the User Assigned Managed Identity required for authenticating Azure Monitoring Agent to Azure. parUserAssignedManagedIdentityLocation | No | User Assigned Managed Identity location. @@ -191,19 +190,6 @@ Solutions that will be added to the Log Analytics Workspace. - Allowed values: `SecurityInsights`, `ChangeTracking` -### parSecurityInsightsOnboardingLock - -![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) - -Resource Lock Configuration for Security Insights solution. - -- `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. -- `notes` - Notes about this lock. - - - -- Default value: `@{kind=None; notes=This lock was created by the ALZ Bicep Logging Module.}` - ### parChangeTrackingSolutionLock ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) 
@@ -425,12 +411,6 @@ outAutomationAccountId | string | "ChangeTracking" ] }, - "parSecurityInsightsOnboardingLock": { - "value": { - "kind": "None", - "notes": "This lock was created by the ALZ Bicep Logging Module." - } - }, "parChangeTrackingSolutionLock": { "value": { "kind": "None", diff --git a/infra-as-code/bicep/modules/logging/logging.bicep b/infra-as-code/bicep/modules/logging/logging.bicep index 9c2ce95d2..5a14dc5b0 100644 --- a/infra-as-code/bicep/modules/logging/logging.bicep +++ b/infra-as-code/bicep/modules/logging/logging.bicep @@ -130,17 +130,6 @@ param parLogAnalyticsWorkspaceSolutions array = [ 'ChangeTracking' ] -@sys.description('''Resource Lock Configuration for Security Insights solution. - -- `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. -- `notes` - Notes about this lock. - -''') -param parSecurityInsightsOnboardingLock lockType = { - kind: 'None' - notes: 'This lock was created by the ALZ Bicep Logging Module.' -} - @sys.description('''Resource Lock Configuration for Change Tracking solution. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. @@ -211,7 +200,7 @@ resource resUserAssignedManagedIdentity 'Microsoft.ManagedIdentity/userAssignedI tags: parTags } -resource resAutomationAccount 'Microsoft.Automation/automationAccounts@2023-11-01' = if (parAutomationAccountEnabled) { +resource resAutomationAccount 'Microsoft.Automation/automationAccounts@2024-10-23' = if (parAutomationAccountEnabled) { name: parAutomationAccountName location: parAutomationAccountLocation tags: parAutomationAccountTags 
@@ -239,7 +228,7 @@ resource resAutomationAccountLock 'Microsoft.Authorization/locks@2020-05-01' = i
 }
 }
 
-resource resLogAnalyticsWorkspace 'Microsoft.OperationalInsights/workspaces@2023-09-01' = {
+resource resLogAnalyticsWorkspace 'Microsoft.OperationalInsights/workspaces@2025-07-01' = {
 name: parLogAnalyticsWorkspaceName
 location: parLogAnalyticsWorkspaceLocation
 tags: parLogAnalyticsWorkspaceTags
@@ -262,6 +251,7 @@ resource resLogAnalyticsWorkspaceLock 'Microsoft.Authorization/locks@2020-05-01'
 }
 }
 
+#disable-next-line use-recent-api-versions
 resource resDataCollectionRuleVMInsightsPerfAndMap 'Microsoft.Insights/dataCollectionRules@2021-04-01' = if (parDataCollectionRuleVMInsightsExperience == 'PerfAndMap') {
 name: parDataCollectionRuleVMInsightsName
 location: parLogAnalyticsWorkspaceLocation
@@ -321,6 +311,7 @@ resource resDataCollectionRuleVMInsightsPerfAndMap 'Microsoft.Insights/dataColle
 }
 }
 
+#disable-next-line use-recent-api-versions
 resource resDataCollectionRuleVMInsightsPerfOnly 'Microsoft.Insights/dataCollectionRules@2021-04-01' = if (parDataCollectionRuleVMInsightsExperience == 'PerfOnly') {
 name: parDataCollectionRuleVMInsightsName
 location: parLogAnalyticsWorkspaceLocation
@@ -382,6 +373,7 @@ resource resDataCollectionRuleVMInsightsPerfOnlyLock 'Microsoft.Authorization/lo
 }
 }
 
+#disable-next-line use-recent-api-versions
 resource resDataCollectionRuleChangeTracking 'Microsoft.Insights/dataCollectionRules@2021-04-01' = {
 name: parDataCollectionRuleChangeTrackingName
 location: parLogAnalyticsWorkspaceLocation
@@ -654,6 +646,7 @@ resource resDataCollectionRuleChangeTrackingLock 'Microsoft.Authorization/locks@
 }
 }
 
+#disable-next-line use-recent-api-versions
 resource resDataCollectionRuleMDFCSQL'Microsoft.Insights/dataCollectionRules@2021-04-01' = {
 name: parDataCollectionRuleMDFCSQLName
 location: parLogAnalyticsWorkspaceLocation
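Review bot: Each `#disable-next-line use-recent-api-versions` added in the hunks at -262, -321, -382 and -654 suppresses the linter without saying why `dataCollectionRules@2021-04-01` is being kept while every other resource in this commit moves to a newer API version, so the pin will outlive whatever reason motivated it. A one-line justification next to each suppression would make the decision auditable, e.g. `// API version pinned on purpose: <reason or tracking-issue placeholder>`; if all four share one reason, a single comment above the first DCR with the others referring to it is enough. Separately, the context line `resource resDataCollectionRuleMDFCSQL'Microsoft.Insights/dataCollectionRules@2021-04-01'` in the last hunk lacks the space between the symbol and its type string; it is pre-existing and presumably compiles, but is worth fixing while that line is being touched.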
@@ -716,7 +709,7 @@ resource resDataCollectionRuleMDFCSQLLock 'Microsoft.Authorization/locks@2020-05
 }
 
 // Onboard the Log Analytics Workspace to Sentinel if SecurityInsights is in parLogAnalyticsWorkspaceSolutions
-resource resSentinelOnboarding 'Microsoft.SecurityInsights/onboardingStates@2024-03-01' = if (contains(parLogAnalyticsWorkspaceSolutions, 'SecurityInsights')) {
+resource resSentinelOnboarding 'Microsoft.SecurityInsights/onboardingStates@2025-09-01' = if (contains(parLogAnalyticsWorkspaceSolutions, 'SecurityInsights')) {
 name: 'default'
 scope: resLogAnalyticsWorkspace
 properties: {}
@@ -736,19 +729,8 @@ resource resChangeTrackingSolution 'Microsoft.OperationsManagement/solutions@201
 }
 }
 
-
-// Add resource lock for SecurityInsights solution
-resource resSecurityInsightsSolutionLock 'Microsoft.Authorization/locks@2020-05-01' = if (parSecurityInsightsOnboardingLock.kind != 'None' || parGlobalResourceLock.kind != 'None') {
- scope: resSentinelOnboarding
- name: parSecurityInsightsOnboardingLock.?name ?? '${resSentinelOnboarding.name}-lock'
- properties: {
- level: (parGlobalResourceLock.kind != 'None') ? parGlobalResourceLock.kind : parSecurityInsightsOnboardingLock.kind
- notes: (parGlobalResourceLock.kind != 'None') ? parGlobalResourceLock.?notes : parSecurityInsightsOnboardingLock.?notes
- }
-}
-
 // Add resource lock for ChangeTracking solution
-resource resChangeTrackingSolutionLock 'Microsoft.Authorization/locks@2020-05-01' = if (parChangeTrackingSolutionLock.kind != 'None' || parGlobalResourceLock.kind != 'None') {
+resource resChangeTrackingSolutionLock 'Microsoft.Authorization/locks@2020-05-01' = if (contains(parLogAnalyticsWorkspaceSolutions, 'ChangeTracking') && (parChangeTrackingSolutionLock.kind != 'None' || parGlobalResourceLock.kind != 'None')) {
 scope: resChangeTrackingSolution
 name: parChangeTrackingSolutionLock.?name ?? '${resChangeTrackingSolution.name}-lock'
 properties: {
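Review bot: Deleting `resSecurityInsightsSolutionLock` in the second hunk leaves the Sentinel onboarding state as the one resource in this module that `parGlobalResourceLock` no longer protects, while `resChangeTrackingSolutionLock` keeps its lock and merely gains the `contains(parLogAnalyticsWorkspaceSolutions, 'ChangeTracking')` guard. If the Sentinel lock was removed only because it deployed unconditionally against a resource that exists solely when `SecurityInsights` is selected, the same guard would have fixed that without giving up the control: `if (contains(parLogAnalyticsWorkspaceSolutions, 'SecurityInsights') && parGlobalResourceLock.kind != 'None')`. If instead locks are not supported on `Microsoft.SecurityInsights/onboardingStates`, a comment next to `resSentinelOnboarding` such as `// Intentionally unlocked: <reason placeholder>` would stop the next reviewer from re-adding it. Removing `parSecurityInsightsOnboardingLock` (the hunk at -130 of this file and the parameter files) is also a breaking change for callers that pass it, so it belongs in the release notes. The body of `resChangeTrackingSolutionLock` continues past the end of the hunk.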
@@ -757,7 +739,7 @@ resource resChangeTrackingSolutionLock 'Microsoft.Authorization/locks@2020-05-01
 }
 }
 
-resource resLogAnalyticsLinkedServiceForAutomationAccount 'Microsoft.OperationalInsights/workspaces/linkedServices@2023-09-01' = if (parLogAnalyticsWorkspaceLinkAutomationAccount) {
+resource resLogAnalyticsLinkedServiceForAutomationAccount 'Microsoft.OperationalInsights/workspaces/linkedServices@2025-07-01' = if (parLogAnalyticsWorkspaceLinkAutomationAccount) {
 parent: resLogAnalyticsWorkspace
 name: parLogAnalyticsLinkedServiceAutomationAccountName
 properties: {
diff --git a/infra-as-code/bicep/modules/logging/parameters/logging.parameters.all.json b/infra-as-code/bicep/modules/logging/parameters/logging.parameters.all.json
index cf54ceacd..5c3701b0e 100644
--- a/infra-as-code/bicep/modules/logging/parameters/logging.parameters.all.json
+++ b/infra-as-code/bicep/modules/logging/parameters/logging.parameters.all.json
@@ -116,12 +116,6 @@
 "notes": "This lock was created by the ALZ Bicep Logging Module."
 }
 },
- "parSecurityInsightsOnboardingLock": {
- "value": {
- "kind": "None",
- "notes": "This lock was created by the ALZ Bicep Logging Module."
- }
- },
 "parChangeTrackingSolutionLock": {
 "value": {
 "kind": "None",
diff --git a/infra-as-code/bicep/modules/logging/parameters/mc-logging.parameters.all.json b/infra-as-code/bicep/modules/logging/parameters/mc-logging.parameters.all.json
index daa271326..90b8269ab 100644
--- a/infra-as-code/bicep/modules/logging/parameters/mc-logging.parameters.all.json
+++ b/infra-as-code/bicep/modules/logging/parameters/mc-logging.parameters.all.json
@@ -107,12 +107,6 @@
 "notes": "This lock was created by the ALZ Bicep Logging Module."
 }
 },
- "parSecurityInsightsOnboardingLock": {
- "value": {
- "kind": "None",
- "notes": "This lock was created by the ALZ Bicep Logging Module."
- }
- },
 "parChangeTrackingSolutionLock": {
 "value": {
 "kind": "None",
diff --git a/infra-as-code/bicep/modules/vwanConnectivity/generateddocs/vwanConnectivity.bicep.md b/infra-as-code/bicep/modules/vwanConnectivity/generateddocs/vwanConnectivity.bicep.md index fbded4f36..8812ed302 100644 --- a/infra-as-code/bicep/modules/vwanConnectivity/generateddocs/vwanConnectivity.bicep.md +++ b/infra-as-code/bicep/modules/vwanConnectivity/generateddocs/vwanConnectivity.bicep.md @@ -27,6 +27,7 @@ parAzFirewallPoliciesName | No | Azure Firewall Policies Name. This is use parAzFirewallPoliciesAutoLearn | No | The operation mode for automatically learning private ranges to not be SNAT. parAzFirewallPoliciesPrivateRanges | No | Private IP addresses/IP ranges to which traffic will not be SNAT. parAzureFirewallLock | No | Resource Lock Configuration for Azure Firewall. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. +parAzureFirewallPolicyLock | No | Resource Lock Configuration for Azure Firewall Policy. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. parVpnGatewayScaleUnit | No | The scale unit for this VPN Gateway. parExpressRouteGatewayScaleUnit | No | The scale unit for this ExpressRoute Gateway. parDdosEnabled | No | Switch to enable/disable DDoS Network Protection deployment. @@ -248,6 +249,19 @@ Resource Lock Configuration for Azure Firewall. +- Default value: `@{kind=None; notes=This lock was created by the ALZ Bicep vWAN Connectivity Module.}` + +### parAzureFirewallPolicyLock + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + + Resource Lock Configuration for Azure Firewall Policy. + +- `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. +- `notes` - Notes about this lock. + + + - Default value: `@{kind=None; notes=This lock was created by the ALZ Bicep vWAN Connectivity Module.}` ### parVpnGatewayScaleUnit 
@@ -498,6 +512,12 @@ outAzFwPrivateIps | array |
 "notes": "This lock was created by the ALZ Bicep vWAN Connectivity Module."
 }
 },
+ "parAzureFirewallPolicyLock": {
+ "value": {
+ "kind": "None",
+ "notes": "This lock was created by the ALZ Bicep vWAN Connectivity Module."
+ }
+ },
 "parVpnGatewayScaleUnit": {
 "value": 1
 },
diff --git a/infra-as-code/bicep/modules/vwanConnectivity/parameters/mc-vwanConnectivity.parameters.all.json b/infra-as-code/bicep/modules/vwanConnectivity/parameters/mc-vwanConnectivity.parameters.all.json
index 8f8119e15..2883bc545 100644
--- a/infra-as-code/bicep/modules/vwanConnectivity/parameters/mc-vwanConnectivity.parameters.all.json
+++ b/infra-as-code/bicep/modules/vwanConnectivity/parameters/mc-vwanConnectivity.parameters.all.json
@@ -160,6 +160,12 @@
 "notes": "This lock was created by the ALZ Bicep vWAN Connectivity Module."
 }
 },
+ "parAzureFirewallPolicyLock": {
+ "value": {
+ "kind": "None",
+ "notes": "This lock was created by the ALZ Bicep vWAN Connectivity Module."
+ }
+ },
 "parVpnGatewayLock": {
 "value": {
 "kind": "None",
diff --git a/infra-as-code/bicep/modules/vwanConnectivity/parameters/vwanConnectivity.parameters.all.json b/infra-as-code/bicep/modules/vwanConnectivity/parameters/vwanConnectivity.parameters.all.json
index 911358269..3466a16c0 100644
--- a/infra-as-code/bicep/modules/vwanConnectivity/parameters/vwanConnectivity.parameters.all.json
+++ b/infra-as-code/bicep/modules/vwanConnectivity/parameters/vwanConnectivity.parameters.all.json
@@ -131,6 +131,12 @@
 "notes": "This lock was created by the ALZ Bicep vWAN Connectivity Module."
 }
 },
+ "parAzureFirewallPolicyLock": {
+ "value": {
+ "kind": "None",
+ "notes": "This lock was created by the ALZ Bicep vWAN Connectivity Module."
+ }
+ },
 "parVpnGatewayLock": {
 "value": {
 "kind": "None",
diff --git a/infra-as-code/bicep/modules/vwanConnectivity/parameters/vwanConnectivity.parameters.az.all.json b/infra-as-code/bicep/modules/vwanConnectivity/parameters/vwanConnectivity.parameters.az.all.json
index a00cb460c..337e9ec4b 100644
--- a/infra-as-code/bicep/modules/vwanConnectivity/parameters/vwanConnectivity.parameters.az.all.json
+++ b/infra-as-code/bicep/modules/vwanConnectivity/parameters/vwanConnectivity.parameters.az.all.json
@@ -132,6 +132,12 @@
 "notes": "This lock was created by the ALZ Bicep vWAN Connectivity Module."
 }
 },
+ "parAzureFirewallPolicyLock": {
+ "value": {
+ "kind": "None",
+ "notes": "This lock was created by the ALZ Bicep vWAN Connectivity Module."
+ }
+ },
 "parVpnGatewayLock": {
 "value": {
 "kind": "None",
diff --git a/infra-as-code/bicep/modules/vwanConnectivity/parameters/vwanConnectivity.parameters.az.multiRegion.all.json b/infra-as-code/bicep/modules/vwanConnectivity/parameters/vwanConnectivity.parameters.az.multiRegion.all.json
index 386ad5c5f..b3abf529e 100644
--- a/infra-as-code/bicep/modules/vwanConnectivity/parameters/vwanConnectivity.parameters.az.multiRegion.all.json
+++ b/infra-as-code/bicep/modules/vwanConnectivity/parameters/vwanConnectivity.parameters.az.multiRegion.all.json
@@ -160,6 +160,12 @@
 "notes": "This lock was created by the ALZ Bicep vWAN Connectivity Module."
 }
 },
+ "parAzureFirewallPolicyLock": {
+ "value": {
+ "kind": "None",
+ "notes": "This lock was created by the ALZ Bicep vWAN Connectivity Module."
+ }
+ },
 "parVpnGatewayLock": {
 "value": {
 "kind": "None",
diff --git a/infra-as-code/bicep/modules/vwanConnectivity/vwanConnectivity.bicep b/infra-as-code/bicep/modules/vwanConnectivity/vwanConnectivity.bicep
index 000cf8624..e187066cf 100644
--- a/infra-as-code/bicep/modules/vwanConnectivity/vwanConnectivity.bicep
+++ b/infra-as-code/bicep/modules/vwanConnectivity/vwanConnectivity.bicep
@@ -284,6 +284,17 @@ param parAzureFirewallLock lockType = {
 notes: 'This lock was created by the ALZ Bicep vWAN Connectivity Module.'
 }
 
+@sys.description(''' Resource Lock Configuration for Azure Firewall Policy.
+
+- `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None.
+- `notes` - Notes about this lock.
+
+''')
+param parAzureFirewallPolicyLock lockType = {
+ kind: 'None'
+ notes: 'This lock was created by the ALZ Bicep vWAN Connectivity Module.'
+}
+
 @sys.description('The scale unit for this VPN Gateway.')
 param parVpnGatewayScaleUnit int = 1
 
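Review bot: The `@sys.description` for `parAzureFirewallPolicyLock` opens with a space inside the `'''` literal, and the doc generator carries that space into the output (the generated page earlier in this diff shows ` Resource Lock Configuration for Azure Firewall Policy.` indented), so the first line should read `@sys.description('''Resource Lock Configuration for Azure Firewall Policy.` exactly like the `parAzureFirewallLock` description directly above. It would also help callers to state in the same description that this parameter, together with `parGlobalResourceLock`, is now the only thing that locks the firewall policy, since the default of `kind: 'None'` means a policy is unlocked unless one of the two is set.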
@@ -597,14 +608,14 @@ resource resFirewallPolicies 'Microsoft.Network/firewallPolicies@2024-05-01' = [
 }
 ]
 
-// Create Azure Firewall Policy resource lock if parAzFirewallEnabled is true and parGlobalResourceLock.kind != 'None' or if parAzureFirewallLock.kind != 'None'
+// Create Azure Firewall Policy resource lock if parAzFirewallEnabled is true and parGlobalResourceLock.kind != 'None' or if parAzureFirewallPolicyLock.kind != 'None'
 resource resFirewallPoliciesLock 'Microsoft.Authorization/locks@2020-05-01' = [
- for (hub, i) in parVirtualWanHubs: if ((parVirtualHubEnabled && parVirtualWanHubs[i].parAzFirewallEnabled) && (parAzureFirewallLock.kind != 'None' || parGlobalResourceLock.kind != 'None')) {
+ for (hub, i) in parVirtualWanHubs: if ((parVirtualHubEnabled && parVirtualWanHubs[i].parAzFirewallEnabled) && (parAzureFirewallPolicyLock.kind != 'None' || parGlobalResourceLock.kind != 'None')) {
 scope: resFirewallPolicies[i]
- name: parAzureFirewallLock.?name ?? '${resFirewallPolicies[i].name}-lock'
+ name: parAzureFirewallPolicyLock.?name ?? '${resFirewallPolicies[i].name}-lock'
 properties: {
- level: (parGlobalResourceLock.kind != 'None') ? parGlobalResourceLock.kind : parAzureFirewallLock.kind
- notes: (parGlobalResourceLock.kind != 'None') ? parGlobalResourceLock.?notes : parAzureFirewallLock.?notes
+ level: (parGlobalResourceLock.kind != 'None') ? parGlobalResourceLock.kind : parAzureFirewallPolicyLock.kind
+ notes: (parGlobalResourceLock.kind != 'None') ? parGlobalResourceLock.?notes : parAzureFirewallPolicyLock.?notes
 }
 }
 ]
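Review bot: Switching `resFirewallPoliciesLock` (and `resFirewallPoliciesLockSharedGlobal` in the next hunk) from `parAzureFirewallLock` to `parAzureFirewallPolicyLock` silently withdraws the firewall-policy lock from existing callers who set only `parAzureFirewallLock`, because the new parameter defaults to `kind: 'None'` and `parGlobalResourceLock` is the only remaining fallback. On an incremental redeploy the previously created lock resource is presumably left in place rather than deleted, so the immediate effect is drift between template and tenant rather than an unlocked policy, but it still deserves a line in the release notes and in the new parameter's description, e.g. `The firewall policy lock previously followed parAzureFirewallLock; it is now governed only by this parameter and parGlobalResourceLock.` The comment above the resource also reads ambiguously about which conditions are combined; `// Lock each hub's firewall policy when that hub's firewall is enabled AND either parGlobalResourceLock or parAzureFirewallPolicyLock is set` matches the `if` expression as written.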
@@ -639,13 +650,13 @@ resource resFirewallPoliciesSharedGlobal 'Microsoft.Network/firewallPolicies@202
 }
 }
 
-// Create Azure Firewall Policy resource lock if parAzFirewallEnabled is true and parGlobalResourceLock.kind != 'None' or if parAzureFirewallLock.kind != 'None'
-resource resFirewallPoliciesLockSharedGlobal 'Microsoft.Authorization/locks@2020-05-01' = if ((parVirtualHubEnabled && parVirtualWanHubs[0].parAzFirewallEnabled && parAzFirewallPolicyDeploymentStyle == 'SharedGlobal') && (parAzureFirewallLock.kind != 'None' || parGlobalResourceLock.kind != 'None')) {
+// Create Azure Firewall Policy resource lock if parAzFirewallEnabled is true and parGlobalResourceLock.kind != 'None' or if parAzureFirewallPolicyLock.kind != 'None'
+resource resFirewallPoliciesLockSharedGlobal 'Microsoft.Authorization/locks@2020-05-01' = if ((parVirtualHubEnabled && parVirtualWanHubs[0].parAzFirewallEnabled && parAzFirewallPolicyDeploymentStyle == 'SharedGlobal') && (parAzureFirewallPolicyLock.kind != 'None' || parGlobalResourceLock.kind != 'None')) {
 scope: resFirewallPoliciesSharedGlobal
- name: parAzureFirewallLock.?name ?? '${resFirewallPoliciesSharedGlobal.name}-lock'
+ name: parAzureFirewallPolicyLock.?name ?? '${resFirewallPoliciesSharedGlobal.name}-lock'
 properties: {
- level: (parGlobalResourceLock.kind != 'None') ? parGlobalResourceLock.kind : parAzureFirewallLock.kind
- notes: (parGlobalResourceLock.kind != 'None') ? parGlobalResourceLock.?notes : parAzureFirewallLock.?notes
+ level: (parGlobalResourceLock.kind != 'None') ? parGlobalResourceLock.kind : parAzureFirewallPolicyLock.kind
+ notes: (parGlobalResourceLock.kind != 'None') ? parGlobalResourceLock.?notes : parAzureFirewallPolicyLock.?notes
 }
 }
 
@@ -668,11 +679,13 @@ resource resAzureFirewall 'Microsoft.Network/azureFirewalls@2024-05-01' = [
 virtualHub: {
 id: parVirtualHubEnabled ? resVhub[i].id : ''
 }
- firewallPolicy: {
- id: (parVirtualHubEnabled && hub.parAzFirewallEnabled && parAzFirewallPolicyDeploymentStyle == 'SharedGlobal')
- ? resFirewallPoliciesSharedGlobal.id
- : resFirewallPolicies[i].id
- }
+ firewallPolicy: (parVirtualHubEnabled && hub.parAzFirewallEnabled)
+ ? {
+ id: (parAzFirewallPolicyDeploymentStyle == 'SharedGlobal')
+ ? resFirewallPoliciesSharedGlobal.id
+ : resFirewallPolicies[i].id
+ }
+ : null
 }
 }
 ]
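Review bot: The new `firewallPolicy` expression nests two ternaries and yields `null` without saying why, and because the deployment condition of `resAzureFirewall` starts above the hunk a reader cannot tell from here whether the `null` branch can ever produce a deployed firewall with no policy attached. If the intent is only to avoid referencing `resFirewallPolicies[i]` for a hub whose policy is not deployed, a comment would settle it, e.g. `// null only for hubs without a firewall, so no undeployed policy is referenced; the firewall itself is not deployed in that case`, adjusted to whatever the resource's own `if` actually guarantees. The hub flag is also read as `hub.parAzFirewallEnabled` here but as `parVirtualWanHubs[i].parAzFirewallEnabled` in the two lock resources above; using one form keeps the conditions visibly identical.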