diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md
index d5977224..c1cf240a 100644
--- a/.github/PULL_REQUEST_TEMPLATE.md
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -23,7 +23,7 @@ Replace this with any testing evidence to show that your Pull Request works/fixe
 - [ ] Read the [Contribution Guide](https://github.com/Azure/bicep-lz-vending/wiki/contributing) and ensured this PR is compliant with the guide
 - [ ] Checked for duplicate [Pull Requests](https://github.com/Azure/bicep-lz-vending/pulls)
 - [ ] Associated it with relevant [GitHub Issues](https://github.com/Azure/bicep-lz-vending/issues)
-- [ ] *(ALZ Bicep Core Team Only)* Associated it with relevant [ADO Items](https://aka.ms/alz/bicep/backlog)
+- [ ] *(LZ-Vending Core Team Only)* Associated it with relevant [ADO Items](https://aka.ms/lz-vending/backlog)
 - [ ] Ensured my code/branch is up-to-date with the latest changes in the `main` [branch](https://github.com/Azure/bicep-lz-vending/tree/main)
 - [ ] Performed testing and provided evidence.
 - [ ] Updated one or more of the following tests *(if required)*
diff --git a/docs/wiki/Example-1-Hub-and-Spoke.md b/docs/wiki/Example-1-Hub-and-Spoke.md
index 0f691ea0..ab239ccf 100644
--- a/docs/wiki/Example-1-Hub-and-Spoke.md
+++ b/docs/wiki/Example-1-Hub-and-Spoke.md
@@ -11,7 +11,7 @@ targetScope = 'managementGroup'
 @description('Specifies the location for resources.')
 param location string = 'uksouth'
 
-module sub003 'br/public:lz/sub-vending:1.1.2' = {
+module sub003 'br/public:lz/sub-vending:1.2.1' = {
 name: 'sub-bicep-lz-vending-example-001'
 params: {
 subscriptionAliasEnabled: true
diff --git a/docs/wiki/Example-2-Virtual-WAN.md b/docs/wiki/Example-2-Virtual-WAN.md
index 0f59b5d2..05239aa0 100644
--- a/docs/wiki/Example-2-Virtual-WAN.md
+++ b/docs/wiki/Example-2-Virtual-WAN.md
@@ -11,7 +11,7 @@ targetScope = 'managementGroup'
 @description('Specifies the location for resources.')
 param location string = 'uksouth'
 
-module sub002 'br/public:lz/sub-vending:1.1.2' = {
+module sub002 'br/public:lz/sub-vending:1.2.1' = {
 name: 'sub-bicep-lz-vending-example-002'
 params: {
 subscriptionAliasEnabled: true
diff --git a/docs/wiki/Example-3-Use-With-Existing-Subscriptions.md b/docs/wiki/Example-3-Use-With-Existing-Subscriptions.md
index 0cdbdfc7..668b30b7 100644
--- a/docs/wiki/Example-3-Use-With-Existing-Subscriptions.md
+++ b/docs/wiki/Example-3-Use-With-Existing-Subscriptions.md
@@ -11,10 +11,11 @@ targetScope = 'managementGroup'
 @description('Specifies the location for resources.')
 param location string = 'uksouth'
 
-module sub003 'br/public:lz/sub-vending:1.1.2' = {
+module sub003 'br/public:lz/sub-vending:1.2.1' = {
 name: 'sub003'
 params: {
 subscriptionAliasEnabled: false
+ existingSubscriptionId: 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'
 subscriptionTags: {
 test: 'true'
 }
diff --git a/docs/wiki/Example-4-Multiple-VNets-In-Same-Subscription.md b/docs/wiki/Example-4-Multiple-VNets-In-Same-Subscription.md
new file mode 100644
index 00000000..64f0401f
--- /dev/null
+++ b/docs/wiki/Example-4-Multiple-VNets-In-Same-Subscription.md
@@ -0,0 +1,62 @@
+
+## Example 4 - Landing Zone (Subscription) with Multiple VNets
+
+### Bicep Module Registry
+
+Here is a simple example Bicep file for deploying a landing zone (Subscription) with multiple spoke Virtual Networks peered to a Virtual WAN Hub using the [Bicep Module Registry](https://github.com/Azure/bicep-registry-modules):
+
+```bicep
+targetScope = 'managementGroup'
+
+@description('Specifies the location for resources.')
+param location string = 'uksouth'
+
+module createSubAndFirstVnet 'br/public:lz/sub-vending:1.2.1' = {
+ name: 'sub-with-multiple-vnets'
+ params: {
+ subscriptionAliasEnabled: true
+ subscriptionBillingScope: '/providers/Microsoft.Billing/billingAccounts/1234567/enrollmentAccounts/123456'
+ subscriptionAliasName: 'sub-bicep-lz-vending-example-004'
+ subscriptionDisplayName: 'sub-bicep-lz-vending-example-004'
+ subscriptionTags: {
+ test: 'true'
+ }
+ subscriptionWorkload: 'Production'
+ subscriptionManagementGroupAssociationEnabled: true
+ subscriptionManagementGroupId: 'alz-landingzones-corp'
+ virtualNetworkEnabled: true
+ virtualNetworkLocation: location
+ virtualNetworkResourceGroupName: 'rsg-${location}-net-001'
+ virtualNetworkName: 'vnet-${location}-001'
+ virtualNetworkAddressSpace: [
+ '10.0.0.0/16'
+ ]
+ virtualNetworkResourceGroupLockEnabled: false
+ virtualNetworkPeeringEnabled: true
+ hubNetworkResourceId: '/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/rsg-uks-net-vwan-001/providers/Microsoft.Network/virtualHubs/vhub-uks-001'
+ }
+}
+
+module createSubAndFirstVnet 'br/public:lz/sub-vending:1.2.1' = {
+ name: 'additional-vnet'
+ params: {
+ subscriptionAliasEnabled: false
+ existingSubscriptionId: createSubAndFirstVnet.outputs.subscriptionId
+ subscriptionManagementGroupAssociationEnabled: true
+ subscriptionManagementGroupId: 'alz-landingzones-corp'
+ virtualNetworkEnabled: true
+ virtualNetworkLocation: location
+ virtualNetworkResourceGroupName: 'rsg-${location}-net-001'
+ virtualNetworkName: 'vnet-${location}-002'
+ virtualNetworkAddressSpace: [
+ '10.1.0.0/16'
+ ]
+ virtualNetworkResourceGroupLockEnabled: false
+ virtualNetworkPeeringEnabled: true
+ hubNetworkResourceId: '/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/rsg-uks-net-vwan-001/providers/Microsoft.Network/virtualHubs/vhub-uks-001'
+ }
+}
+```
+
+
+Back to [Examples](Examples)
diff --git a/docs/wiki/Examples.md b/docs/wiki/Examples.md
index c6d6b6a3..8d2fcbf1 100644
--- a/docs/wiki/Examples.md
+++ b/docs/wiki/Examples.md
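Review bot: The second module declaration in the new Example-4 listing reuses the symbol `createSubAndFirstVnet`, so the two declarations collide and the reference `createSubAndFirstVnet.outputs.subscriptionId` inside the second module points at itself; the example as written will not compile in Bicep. Renaming the second declaration, e.g. `module createAdditionalVnet 'br/public:lz/sub-vending:1.2.1' = {`, resolves the clash and makes the dependency on the first module's `subscriptionId` output explicit. The listing is presented as copy-and-paste ready, so it is worth confirming it builds before publishing.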
@@ -3,10 +3,11 @@ Here are some example configurations that demonstrate the module usage.
 
 > If there is an example missing from here that you would like to see then please [raise an issue](https://github.com/Azure/bicep-lz-vending/issues/new/choose) on the repo 👍
 
-| Example | Description |
-| ---------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------ |
-| [Hub & Spoke](Example-1-Hub-and-Spoke) | Example of how to create a landing zone (Subscription) with with a spoke Virtual Network peered to a Hub Virtual Network |
-| [Virtual WAN](Example-2-Virtual-WAN) | Example of how to create a landing zone (Subscription) with a spoke Virtual Network connected to a Virtual WAN Hub |
-| [Use with existing subscriptions](Example-3-Use-With-Existing-Subscriptions) | Example of how to use this module with existing landing zone Subscriptions |
+| Example | Description |
+| ------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------ |
+| [Hub & Spoke](Example-1-Hub-and-Spoke) | Example of how to create a landing zone (Subscription) with with a spoke Virtual Network peered to a Hub Virtual Network |
+| [Virtual WAN](Example-2-Virtual-WAN) | Example of how to create a landing zone (Subscription) with a spoke Virtual Network connected to a Virtual WAN Hub |
+| [Use with existing subscriptions](Example-3-Use-With-Existing-Subscriptions) | Example of how to use this module with existing landing zone Subscriptions |
+| [Multiple Virtual Networks in Single Subscription](Example-4-Multiple-VNets-In-Same-Subscription) | Example of how to create a landing zone (Subscription) with multiple spoke Virtual Networks |
 
 Before deploying, review the [Consumer Guide](https://github.com/azure/bicep-lz-vending/wiki/consumerguide) for guidance on how to consume this module.
diff --git a/main.bicep b/main.bicep
index b0bd63e9..b5ee96e3 100644
--- a/main.bicep
+++ b/main.bicep
@@ -298,6 +298,15 @@ param hubNetworkResourceId string = ''
 ''')
 param virtualNetworkUseRemoteGateways bool = true
 
+@metadata({
+ example: true
+})
+@sys.description('''Enables the ability for the Virtual WAN Hub Connection to learn the default route 0.0.0.0/0 from the Hub.
+
+- Type: Boolean
+''')
+param virtualNetworkVwanEnableInternetSecurity bool = true
+
 @metadata({
 example: '/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/xxxxxxxxxx/providers/Microsoft.Network/virtualHubs/xxxxxxxxx/hubRouteTables/xxxxxxxxx'
 })
@@ -462,6 +471,7 @@ module createSubscriptionResources 'src/self/subResourceWrapper/deploy.bicep' =
 virtualNetworkPeeringEnabled: virtualNetworkPeeringEnabled
 hubNetworkResourceId: hubNetworkResourceId
 virtualNetworkUseRemoteGateways: virtualNetworkUseRemoteGateways
+ virtualNetworkVwanEnableInternetSecurity: virtualNetworkVwanEnableInternetSecurity
 virtualNetworkVwanAssociatedRouteTableResourceId: virtualNetworkVwanAssociatedRouteTableResourceId
 virtualNetworkVwanPropagatedRouteTablesResourceIds: virtualNetworkVwanPropagatedRouteTablesResourceIds
 virtualNetworkVwanPropagatedLabels: virtualNetworkVwanPropagatedLabels
diff --git a/main.bicep.parameters.md b/main.bicep.parameters.md
index c780b59d..4e67db51 100644
--- a/main.bicep.parameters.md
+++ b/main.bicep.parameters.md
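Review bot: The `@sys.description` on the new `virtualNetworkVwanEnableInternetSecurity` parameter in main.bicep (and the matching one in src/self/subResourceWrapper/deploy.bicep) names the mechanism but not its scope or effect, which matters because it defaults to `true` and decides whether a landing zone's internet-bound traffic follows the hub's default route. The deploy.bicep hunk wires it only into `createLzVirtualWanConnection`, so it has no effect when `hubNetworkResourceId` is a hub Virtual Network; the neighbouring `virtualNetworkUseRemoteGateways` description already spells out its peering/vWAN applicability, and this one should do the same. Suggest extending the description to: `Enables the ability for the Virtual WAN Hub Connection to learn the default route 0.0.0.0/0 from the Hub. Only applies when hubNetworkResourceId is a Virtual WAN Virtual Hub; ignored for Virtual Network peering. When the hub advertises a default route (for example a secured hub), the spoke's internet-bound traffic is steered through the hub; set to false to keep the spoke's own default egress.` Carrying the same wording into the deploy.bicep description keeps the generated parameter docs in step.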
@@ -32,6 +32,7 @@ virtualNetworkDdosPlanId | No | The resource ID of an existing DDoS Networ
 virtualNetworkPeeringEnabled | No | Whether to enable peering/connection with the supplied hub Virtual Network or Virtual WAN Virtual Hub. - Type: Boolean
 hubNetworkResourceId | No | The resource ID of the Virtual Network or Virtual WAN Hub in the hub to which the created Virtual Network, by this module, will be peered/connected to via Virtual Network Peering or a Virtual WAN Virtual Hub Connection. **Example Expected Values:** - `''` (empty string) - Hub Virtual Network Resource ID: `/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/xxxxxxxxxx/providers/Microsoft.Network/virtualNetworks/xxxxxxxxxx` - Virtual WAN Virtual Hub Resource ID: `/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/xxxxxxxxxx/providers/Microsoft.Network/virtualHubs/xxxxxxxxxx` - Type: String - Default value: `''` *(empty string)*
 virtualNetworkUseRemoteGateways | No | Enables the use of remote gateways in the specified hub virtual network. > **IMPORTANT:** If no gateways exist in the hub virtual network, set this to `false`, otherwise peering will fail to create. - Type: Boolean
+virtualNetworkVwanEnableInternetSecurity | No | Enables the ability for the Virtual WAN Hub Connection to learn the default route 0.0.0.0/0 from the Hub. - Type: Boolean
 virtualNetworkVwanAssociatedRouteTableResourceId | No | The resource ID of the virtual hub route table to associate to the virtual hub connection (this virtual network). If left blank/empty the `defaultRouteTable` will be associated. - Type: String - Default value: `''` *(empty string)* = Which means if the parameter `virtualNetworkPeeringEnabled` is `true` and also the parameter `hubNetworkResourceId` is not empty then the `defaultRouteTable` will be associated of the provided Virtual Hub in the parameter `hubNetworkResourceId`. - e.g. `/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/xxxxxxxxxx/providers/Microsoft.Network/virtualHubs/xxxxxxxxx/hubRouteTables/defaultRouteTable`
 virtualNetworkVwanPropagatedRouteTablesResourceIds | No | An array of of objects of virtual hub route table resource IDs to propagate routes to. If left blank/empty the `defaultRouteTable` will be propagated to only. Each object must contain the following `key`: - `id` = The Resource ID of the Virtual WAN Virtual Hub Route Table IDs you wish to propagate too > See below [example in parameter file](#parameter-file) > **IMPORTANT:** If you provide any Route Tables in this array of objects you must ensure you include also the `defaultRouteTable` Resource ID as an object in the array as it is not added by default when a value is provided for this parameter. - Type: `[]` Array - Default value: `[]` *(empty array)*
 virtualNetworkVwanPropagatedLabels | No | An array of virtual hub route table labels to propagate routes to. If left blank/empty the default label will be propagated to only. - Type: `[]` Array - Default value: `[]` *(empty array)*
@@ -316,6 +317,17 @@ Enables the use of remote gateways in the specified hub virtual network.
 
 - Type: Boolean
 
+- Default value: `True`
+
+### virtualNetworkVwanEnableInternetSecurity
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+Enables the ability for the Virtual WAN Hub Connection to learn the default route 0.0.0.0/0 from the Hub.
+
+- Type: Boolean
+
+
 - Default value: `True`
 
 ### virtualNetworkVwanAssociatedRouteTableResourceId
@@ -496,6 +508,9 @@ subscriptionResourceId | string | The Subscription Resource ID that has been cre
 "virtualNetworkUseRemoteGateways": {
 "value": true
 },
+ "virtualNetworkVwanEnableInternetSecurity": {
+ "value": true
+ },
 "virtualNetworkVwanAssociatedRouteTableResourceId": {
 "value": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/xxxxxxxxxx/providers/Microsoft.Network/virtualHubs/xxxxxxxxx/hubRouteTables/xxxxxxxxx"
 },
diff --git a/src/self/subResourceWrapper/deploy.bicep b/src/self/subResourceWrapper/deploy.bicep
index 6464bf24..5f89d540 100644
--- a/src/self/subResourceWrapper/deploy.bicep
+++ b/src/self/subResourceWrapper/deploy.bicep
@@ -65,6 +65,9 @@ param hubNetworkResourceId string = ''
 @sys.description('Enables the use of remote gateways in the spefcified hub virtual network. If no gateways exsit in the hub virtual network, set this to `false`, otherwise peering will fail to create. Set this to `false` for virtual wan hub connections.')
 param virtualNetworkUseRemoteGateways bool = true
 
+@sys.description('Enables the ability for the Virtual WAN Hub Connection to learn the default route 0.0.0.0/0 from the Hub.')
+param virtualNetworkVwanEnableInternetSecurity bool = true
+
 @sys.description('The resource ID of the virtual hub route table to associate to the virtual hub connection (this virtual network). If left blank/empty default route table will be associated.')
 param virtualNetworkVwanAssociatedRouteTableResourceId string = ''
 
@@ -206,6 +209,7 @@ module createLzVirtualWanConnection '../../carml/v0.6.0/Microsoft.Network/virtua
 name: virtualWanHubConnectionName
 virtualHubName: virtualWanHubName
 remoteVirtualNetworkId: '/subscriptions/${subscriptionId}/resourceGroups/${virtualNetworkResourceGroupName}/providers/Microsoft.Network/virtualNetworks/${virtualNetworkName}'
+ enableInternetSecurity: virtualNetworkVwanEnableInternetSecurity
 routingConfiguration: {
 associatedRouteTable: {
 id: virtualWanHubConnectionAssociatedRouteTable
diff --git a/src/self/subResourceWrapper/readme.md b/src/self/subResourceWrapper/readme.md
index 2a643fa1..a1790565 100644
--- a/src/self/subResourceWrapper/readme.md
+++ b/src/self/subResourceWrapper/readme.md
@@ -27,6 +27,7 @@ virtualNetworkDdosPlanId | No | The resoruce ID of an existing DDoS Networ
 virtualNetworkPeeringEnabled | No | Whether to enable peering/connection with the supplied hub virtual network or virtual hub.
 hubNetworkResourceId | No | The resource ID of the virtual network or virtual wan hub in the hub to which the created virtual network will be peered/connected to via vitrual network peering or a vitrual hub connection.
 virtualNetworkUseRemoteGateways | No | Enables the use of remote gateways in the spefcified hub virtual network. If no gateways exsit in the hub virtual network, set this to `false`, otherwise peering will fail to create. Set this to `false` for virtual wan hub connections.
+virtualNetworkVwanEnableInternetSecurity | No | Enables the ability for the Virtual WAN Hub Connection to learn the default route 0.0.0.0/0 from the Hub.
 virtualNetworkVwanAssociatedRouteTableResourceId | No | The resource ID of the virtual hub route table to associate to the virtual hub connection (this virtual network). If left blank/empty default route table will be associated.
 virtualNetworkVwanPropagatedRouteTablesResourceIds | No | An array of virtual hub route table resource IDs to propogate routes to. If left blank/empty default route table will be propogated to only.
 virtualNetworkVwanPropagatedLabels | No | An array of virtual hub route table labels to propogate routes to. If left blank/empty default label will be propogated to only.
@@ -148,6 +149,14 @@ Enables the use of remote gateways in the spefcified hub virtual network. If no
 
 - Default value: `True`
 
+### virtualNetworkVwanEnableInternetSecurity
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+Enables the ability for the Virtual WAN Hub Connection to learn the default route 0.0.0.0/0 from the Hub.
+
+- Default value: `True`
+
 ### virtualNetworkVwanAssociatedRouteTableResourceId
 
 ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
@@ -251,6 +260,9 @@ Disable telemetry collection by this module. For more information on the telemet
 "virtualNetworkUseRemoteGateways": {
 "value": true
 },
+ "virtualNetworkVwanEnableInternetSecurity": {
+ "value": true
+ },
 "virtualNetworkVwanAssociatedRouteTableResourceId": {
 "value": ""
 },