From fc355564e9233c4faafecbf8fc73f8664424d3bc Mon Sep 17 00:00:00 2001
From: Barry Willis
Date: Tue, 22 Aug 2023 13:53:59 -0700
Subject: [PATCH 1/9] Configured variables for my dev environment
---
 config/variables/CanadaPubSecALZ-main.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/config/variables/CanadaPubSecALZ-main.yml b/config/variables/CanadaPubSecALZ-main.yml
index 010a4503..0fe391f0 100644
--- a/config/variables/CanadaPubSecALZ-main.yml
+++ b/config/variables/CanadaPubSecALZ-main.yml
@@ -3,17 +3,17 @@ variables:
 var-hubnetwork-managementGroupId: Connectivity
 var-hubnetwork-azfw-configurationFileName: hub-azfw/hub-network.parameters.json
 var-hubnetwork-nva-configurationFileName: hub-nva/hub-network.parameters.json
- var-hubnetwork-subscriptionId: 4fd845de-f6c8-4e6d-9a87-c21c4ebf7edd
+ var-hubnetwork-subscriptionId: a0c1a4a0-74bc-422b-8e8d-71f1d016e69d
 var-hubnetwork-azfwPolicy-configurationFileName: hub-azfw-policy/azure-firewall-policy.parameters.json
 var-logging-managementGroupId: Management
- var-logging-subscriptionId: 91e1aaa2-a0a0-4770-8d90-02daa39bf57a
+ var-logging-subscriptionId: 8dda93c7-1801-480d-a82a-2620875371fa
 deploymentRegion: canadacentral
 var-identity-managementGroupId: Identity
 var-logging-diagnosticSettingsforNetworkSecurityGroupsStoragePrefix: pubsecnsg
 var-logging-configurationFileName: logging.parameters.json
 var-managementgroup-hierarchy: |-
 {
- "id": "0d466ba2-7ea1-420f-9820-2583fc040733",
+ "id": "61e54fa4-fa93-43b3-9775-a60c5495ffdc",
 "name": "Tenant Root Group",
 "children": [
 {
@@ -74,5 +74,5 @@ variables:
 var-logging-region: canadacentral
 var-identity-configurationFileName: identity.parameters.json
 var-identity-region: canadacentral
- var-identity-subscriptionId: 2987c7a3-1e43-4b28-b983-ac0925e37d03
+ var-identity-subscriptionId: 7281b8be-c687-468b-9519-a8e6b28f66c9
From 3dc9677ba2254fd0b64e94f5b988fe0b5cee2647 Mon Sep 17 00:00:00 2001
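Review bot: Both hunks overwrite the shared `config/variables/CanadaPubSecALZ-main.yml` with one developer's environment: the hub, logging and identity subscription IDs and the `"id"` of the `Tenant Root Group` node inside `var-managementgroup-hierarchy`, so anyone deploying from this branch would target those subscriptions. Patch 2/9 reverts the file and moves the values into a separate `Tredell-main.yml`, but a revert does not remove the GUIDs from history; if the tenant and subscriptions are real rather than throwaway, treat them as disclosed once the branch is pushed, and keep per-environment variable files out of the shared one from the first commit rather than fixing it up afterwards. The second hunk (`@@ -74,5 +74,5 @@`) has the same issue for `var-identity-subscriptionId`.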
From: Barry Willis
Date: Tue, 22 Aug 2023 14:49:15 -0700
Subject: [PATCH 2/9] created config file for my dev environment
---
 config/variables/CanadaPubSecALZ-main.yml | 8 +--
 config/variables/Tredell-main.yml | 78 +++++++++++++++++++++++
 2 files changed, 82 insertions(+), 4 deletions(-)
 create mode 100644 config/variables/Tredell-main.yml
diff --git a/config/variables/CanadaPubSecALZ-main.yml b/config/variables/CanadaPubSecALZ-main.yml
index 0fe391f0..010a4503 100644
--- a/config/variables/CanadaPubSecALZ-main.yml
+++ b/config/variables/CanadaPubSecALZ-main.yml
@@ -3,17 +3,17 @@ variables:
 var-hubnetwork-managementGroupId: Connectivity
 var-hubnetwork-azfw-configurationFileName: hub-azfw/hub-network.parameters.json
 var-hubnetwork-nva-configurationFileName: hub-nva/hub-network.parameters.json
- var-hubnetwork-subscriptionId: a0c1a4a0-74bc-422b-8e8d-71f1d016e69d
+ var-hubnetwork-subscriptionId: 4fd845de-f6c8-4e6d-9a87-c21c4ebf7edd
 var-hubnetwork-azfwPolicy-configurationFileName: hub-azfw-policy/azure-firewall-policy.parameters.json
 var-logging-managementGroupId: Management
- var-logging-subscriptionId: 8dda93c7-1801-480d-a82a-2620875371fa
+ var-logging-subscriptionId: 91e1aaa2-a0a0-4770-8d90-02daa39bf57a
 deploymentRegion: canadacentral
 var-identity-managementGroupId: Identity
 var-logging-diagnosticSettingsforNetworkSecurityGroupsStoragePrefix: pubsecnsg
 var-logging-configurationFileName: logging.parameters.json
 var-managementgroup-hierarchy: |-
 {
- "id": "61e54fa4-fa93-43b3-9775-a60c5495ffdc",
+ "id": "0d466ba2-7ea1-420f-9820-2583fc040733",
 "name": "Tenant Root Group",
 "children": [
 {
@@ -74,5 +74,5 @@ variables:
 var-logging-region: canadacentral
 var-identity-configurationFileName: identity.parameters.json
 var-identity-region: canadacentral
- var-identity-subscriptionId: 7281b8be-c687-468b-9519-a8e6b28f66c9
+ var-identity-subscriptionId: 2987c7a3-1e43-4b28-b983-ac0925e37d03
diff --git a/config/variables/Tredell-main.yml b/config/variables/Tredell-main.yml
new file mode 100644
index 00000000..0fe391f0
--- /dev/null
+++ b/config/variables/Tredell-main.yml
@@ -0,0 +1,78 @@
+variables:
+ var-hubnetwork-region: canadacentral
+ var-hubnetwork-managementGroupId: Connectivity
+ var-hubnetwork-azfw-configurationFileName: hub-azfw/hub-network.parameters.json
+ var-hubnetwork-nva-configurationFileName: hub-nva/hub-network.parameters.json
+ var-hubnetwork-subscriptionId: a0c1a4a0-74bc-422b-8e8d-71f1d016e69d
+ var-hubnetwork-azfwPolicy-configurationFileName: hub-azfw-policy/azure-firewall-policy.parameters.json
+ var-logging-managementGroupId: Management
+ var-logging-subscriptionId: 8dda93c7-1801-480d-a82a-2620875371fa
+ deploymentRegion: canadacentral
+ var-identity-managementGroupId: Identity
+ var-logging-diagnosticSettingsforNetworkSecurityGroupsStoragePrefix: pubsecnsg
+ var-logging-configurationFileName: logging.parameters.json
+ var-managementgroup-hierarchy: |-
+ {
+ "id": "61e54fa4-fa93-43b3-9775-a60c5495ffdc",
+ "name": "Tenant Root Group",
+ "children": [
+ {
+ "id": "pubsec",
+ "name": "Canadian Public Sector Azure Landing Zones",
+ "children": [
+ {
+ "id": "Platform",
+ "name": "Platform",
+ "children": [
+ {
+ "id": "Management",
+ "name": "Management",
+ "children": []
+ },
+ {
+ "id": "Connectivity",
+ "name": "Connectivity",
+ "children": []
+ },
+ {
+ "id": "Identity",
+ "name": "Identity",
+ "children": []
+ }
+ ]
+ },
+ {
+ "id": "LandingZones",
+ "name": "LandingZones",
+ "children": [
+ {
+ "id": "DevTest",
+ "name": "DevTest",
+ "children": []
+ },
+ {
+ "id": "QA",
+ "name": "QA",
+ "children": []
+ },
+ {
+ "id": "Prod",
+ "name": "Prod",
+ "children": []
+ }
+ ]
+ },
+ {
+ "id": "Sandbox",
+ "name": "Sandbox",
+ "children": []
+ }
+ ]
+ }
+ ]
+ }
+ var-logging-region: canadacentral
+ var-identity-configurationFileName: identity.parameters.json
+ var-identity-region: canadacentral
+ var-identity-subscriptionId: 7281b8be-c687-468b-9519-a8e6b28f66c9
+
From 4643d94c67c873730aeeb06dfe08d3015cddd548 Mon Sep 17 00:00:00 2001
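Review bot: The new `config/variables/Tredell-main.yml` is a full copy of `CanadaPubSecALZ-main.yml` that differs only in four values (`var-hubnetwork-subscriptionId`, `var-logging-subscriptionId`, `var-identity-subscriptionId` and the `"id"` of the `Tenant Root Group` node), yet nothing in the file says so, so the duplicated management-group hierarchy will drift from the main file silently. A header comment such as `# Per-environment variable set; identical to CanadaPubSecALZ-main.yml except for the three subscription IDs and the tenant root group id` would make the intent and the maintenance burden visible. Note also that patch 8/9 ("removed my environment customizations") deletes only the five parameter files and, as far as this series shows, leaves this file and its tenant-specific GUIDs in the tree.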
From: Barry Willis
Date: Tue, 22 Aug 2023 15:11:40 -0700
Subject: [PATCH 3/9] filtered the policies to be deployed
---
 .pipelines/policy.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/.pipelines/policy.yml b/.pipelines/policy.yml
index 495f3469..851d10e7 100644
--- a/.pipelines/policy.yml
+++ b/.pipelines/policy.yml
@@ -96,14 +96,14 @@ stages:
 - template: templates/steps/define-policyset.yml
 parameters:
 description: 'Define Policy Set'
- deployTemplates: [AKS, DefenderForCloud, DNSPrivateEndpoints, LogAnalytics, Network, Tags]
+ deployTemplates: [DNSPrivateEndpoints]
 deployOperation: ${{ variables['deployOperation'] }}
 workingDir: $(System.DefaultWorkingDirectory)/policy/custom/definitions/policyset
 - template: templates/steps/assign-policy.yml
 parameters:
 description: 'Assign Policy Set'
- deployTemplates: [AKS, DefenderForCloud, LogAnalytics, Network, Tags]
+ deployTemplates: []
 deployOperation: ${{ variables['deployOperation'] }}
 policyAssignmentManagementGroupScope: $(var-topLevelManagementGroupName)
 workingDir: $(System.DefaultWorkingDirectory)/policy/custom/assignments
@@ -130,7 +130,7 @@ stages:
 - template: templates/steps/assign-policy.yml
 parameters:
 description: 'Assign Policy Set'
- deployTemplates: [asb, cis-msft-130, location, nist80053r4, nist80053r5, pbmm, hitrust-hipaa, fedramp-moderate]
+ deployTemplates: []
 deployOperation: ${{ variables['deployOperation'] }}
 policyAssignmentManagementGroupScope: $(var-topLevelManagementGroupName)
 workingDir: $(System.DefaultWorkingDirectory)/policy/builtin/assignments
From c1a4037a835de3aabd981c16992d4ad09bb4a590 Mon Sep 17 00:00:00 2001
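Review bot: Both hunks edit the shared pipeline definition `.pipelines/policy.yml` rather than an environment-specific input: at `@@ -96` the custom policy-set definitions shrink to `[DNSPrivateEndpoints]` and their assignments to `[]`, and at `@@ -130` the built-in assignment list (asb, cis-msft-130, location, nist80053r4, nist80053r5, pbmm, hitrust-hipaa, fedramp-moderate) becomes `[]`. If this lands on the main branch, every environment that runs this pipeline silently stops assigning the compliance policy sets at `$(var-topLevelManagementGroupName)`, and the later "removed my environment customizations" commit (8/9) does not touch this file in what is shown here. Restore the three original lines before merge, e.g. `deployTemplates: [AKS, DefenderForCloud, DNSPrivateEndpoints, LogAnalytics, Network, Tags]`, or move the selection into a per-environment variable so that scoping a dev deployment down never requires editing the pipeline itself.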
From: Barry Willis
Date: Tue, 22 Aug 2023 15:29:16 -0700
Subject: [PATCH 4/9] Configured a full set of param files for my dev environemnt
---
 .../Tredell-main/identity.parameters.json | 187 ++++++++++
 .../Tredell-main/logging.parameters.json | 149 ++++++++
 .../azure-firewall-policy.parameters.json | 22 ++
 .../hub-azfw/hub-network.parameters.json | 231 +++++++++++++
 .../hub-nva/hub-network.parameters.json | 318 ++++++++++++++++++
 5 files changed, 907 insertions(+)
 create mode 100644 config/identity/Tredell-main/identity.parameters.json
 create mode 100644 config/logging/Tredell-main/logging.parameters.json
 create mode 100644 config/networking/Tredell-main/hub-azfw-policy/azure-firewall-policy.parameters.json
 create mode 100644 config/networking/Tredell-main/hub-azfw/hub-network.parameters.json
 create mode 100644 config/networking/Tredell-main/hub-nva/hub-network.parameters.json
diff --git a/config/identity/Tredell-main/identity.parameters.json b/config/identity/Tredell-main/identity.parameters.json
new file mode 100644
index 00000000..667946b3
--- /dev/null
+++ b/config/identity/Tredell-main/identity.parameters.json
@@ -0,0 +1,187 @@ +{ + "$schema": "https://raw.githubusercontent.com/Azure/CanadaPubSecALZ/main/schemas/latest/landingzones/lz-platform-identity.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "serviceHealthAlerts": { + "value": { + "alertRuleName": "Identity Alerts", + "receivers": { + "app": [ + "identity@example.com" + ], + "sms": [ + { + "countryCode": "1", + "phoneNumber": "6135555555" + } + ], + "email": [ + "identity@example.com" + ], + "voice": [ + { + "countryCode": "1", + "phoneNumber": "6135555555" + } + ] + }, + "regions": [ + "Global", + "Canada Central", + "Canada East" + ], + "resourceGroupName": "service-health-alerts-rg", + "actionGroupName": "Identity Alerts", + "actionGroupShortName": "identity-ag", + "incidentTypes": [ + "Incident", + "Security" + ], + "alertRuleDescription": "Identity Alerts for Incidents and Security" + } + }, + "securityCenter": { + "value": { + "email": "security@example.com", + "phone": "6135555555" + } + }, + "subscriptionRoleAssignments": { + "value": [ + { + "comments": "Built-in Contributor Role", + "securityGroupObjectIds": [ + "b4df54ba-7232-40fa-8f51-f84e8d149322" + ], + "roleDefinitionId": "e31589a0-2517-4893-9ebe-c66835fae93f" + } + ] + }, + "subscriptionBudget": { + "value": { + "createBudget": false + } + }, + "subscriptionTags": { + "value": { + "ISSO": "isso-tbd", + "ClientOrganization": "client-organization-tag", + "CostCenter": "cost-center-tag", + "DataSensitivity": "data-sensitivity-tag", + "ProjectContact": "project-contact-tag", + "ProjectName": "project-name-tag", + "TechnicalContact": "technical-contact-tag" + } + }, + "resourceTags": { + "value": { + "ClientOrganization": "client-organization-tag", + "CostCenter": "cost-center-tag", + "DataSensitivity": "data-sensitivity-tag", + "ProjectContact": "project-contact-tag", + "ProjectName": "project-name-tag", + "TechnicalContact": "technical-contact-tag" + } + }, + "resourceGroups": { + "value": { + "automation": "automation", + "networking": 
"networking", + "networkWatcher": "NetworkWatcherRG", + "backupRecoveryVault": "backup", + "domainControllers": "DomainControllersRG", + "dnsResolver": "dns-resolverRG", + "dnsCondionalForwarders": "dns-CondionalForwardersRG", + "privateDnsZones": "pubsec-dns" + } + }, + "automation": { + "value": { + "name": "automation" + } + }, + "backupRecoveryVault": { + "value": { + "enabled": true, + "name": "backup-vault" + } + }, + "privateDnsZones": { + "value": { + "enabled": false, + "resourceGroupName": "pubsec-dns" + } + }, + "privateDnsResolver": { + "value": { + "enabled": true, + "name": "dns-resolver", + "inboundEndpointName": "dns-resolver-Inbound", + "outboundEndpointName": "dns-resolver-Outbound" + } + }, + "privateDnsResolverRuleset": { + "value": { + "enabled": true, + "name": "dns-resolver-ruleset", + "linkRuleSetToVnet": true, + "linkRuleSetToVnetName": "dns-resolver-vnet-link", + "forwardingRules": [ + { + "name": "default", + "domain": "dontMakeMeThink.local", + "state": "Enabled", + "targetDnsServers": [ + { + "ipAddress": "10.99.99.100" + }, + { + "ipAddress": "10.99.99.99" + } + ] + } + ] + } + }, + "hubNetwork": { + "value": { + "virtualNetworkId": "/subscriptions/4fd845de-f6c8-4e6d-9a87-c21c4ebf7edd/resourceGroups/pubsec-hub-networking/providers/Microsoft.Network/virtualNetworks/hub-vnet", + "rfc1918IPRange": "10.18.0.0/22", + "rfc6598IPRange": "100.60.0.0/16", + "egressVirtualApplianceIp": "10.18.1.4" + } + }, + "network": { + "value": { + "deployVnet": true, + "peerToHubVirtualNetwork": true, + "useRemoteGateway": false, + "name": "id-vnet", + "dnsServers": [ + "10.18.1.4" + ], + "addressPrefixes": [ + "10.15.0.0/24" + ], + "subnets": { + "domainControllers": { + "comments": "Identity Subnet for Domain Controllers and VM-Based DNS Servers", + "name": "DomainControllers", + "addressPrefix": "10.15.0.0/27" + }, + "dnsResolverInbound": { + "comments": "Azure DNS Resolver Inbound Requests subnet", + "name": "AzureDNSResolver-Inbound", + 
"addressPrefix": "10.15.0.32/27" + }, + "dnsResolverOutbound": { + "comments": "Azure DNS Resolver Outbound Requests subnet", + "name": "AzureDNSResolver-Outbound", + "addressPrefix": "10.15.0.64/27" + }, + "optional": [] + } + } + } + } +} diff --git a/config/logging/Tredell-main/logging.parameters.json b/config/logging/Tredell-main/logging.parameters.json new file mode 100644 index 00000000..274d6977 --- /dev/null +++ b/config/logging/Tredell-main/logging.parameters.json 
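Review bot: `hubNetwork.virtualNetworkId` in the new `identity.parameters.json` points at subscription `4fd845de-f6c8-4e6d-9a87-c21c4ebf7edd`, which is the hub subscription of the shared `CanadaPubSecALZ-main.yml`, while this environment's `Tredell-main.yml` (patch 2/9) sets `var-hubnetwork-subscriptionId: a0c1a4a0-74bc-422b-8e8d-71f1d016e69d`. With `peerToHubVirtualNetwork: true` the identity vnet would try to peer to a hub in a different subscription than the one this environment deploys, and the `dnsServers`/`egressVirtualApplianceIp` value `10.18.1.4` would point into it. The line should read `"virtualNetworkId": "/subscriptions/a0c1a4a0-74bc-422b-8e8d-71f1d016e69d/resourceGroups/pubsec-hub-networking/providers/Microsoft.Network/virtualNetworks/hub-vnet"`, assuming the resource group and vnet names are those the hub files in this same commit declare (`"resourceGroupName": "pubsec-hub-networking"`, `"name": "hub-vnet"`).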
@@ -0,0 +1,149 @@ +{ + "$schema": "https://raw.githubusercontent.com/Azure/CanadaPubSecALZ/main/schemas/latest/landingzones/lz-platform-logging.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "serviceHealthAlerts": { + "value": { + "alertRuleName": "Logging Alerts", + "receivers": { + "app": [ + "logging@example.com" + ], + "sms": [ + { + "countryCode": "1", + "phoneNumber": "6135555555" + } + ], + "email": [ + "logging@example.com" + ], + "voice": [ + { + "countryCode": "1", + "phoneNumber": "6135555555" + } + ] + }, + "regions": [ + "Global", + "Canada Central", + "Canada East" + ], + "resourceGroupName": "service-health-alerts-rg", + "actionGroupName": "Logging Alerts", + "actionGroupShortName": "logging-ag", + "incidentTypes": [ + "Incident", + "Security" + ], + "alertRuleDescription": "Logging Alerts for Incidents and Security" + } + }, + "securityCenter": { + "value": { + "email": "security@example.com", + "phone": "6135555555" + } + }, + "subscriptionRoleAssignments": { + "value": [ + { + "comments": "Built-in Contributor Role", + "securityGroupObjectIds": [ + "9e16fb9d-7ea4-43fb-a92c-a5dbe308f921" + ], + "roleDefinitionId": "14f270f8-e90d-4657-a94e-085266d5e3e0" + } + ] + }, + "subscriptionBudget": { + "value": { + "createBudget": false + } + }, + "subscriptionTags": { + "value": { + "ISSO": "isso-tbd" + } + }, + "resourceTags": { + "value": { + "ClientOrganization": "client-organization-tag", + "CostCenter": "cost-center-tag", + "DataSensitivity": "data-sensitivity-tag", + "ProjectContact": "project-contact-tag", + "ProjectName": "project-name-tag", + "TechnicalContact": "technical-contact-tag" + } + }, + "logAnalyticsResourceGroupName": { + "value": "pubsec-central-logging" + }, + "logAnalyticsWorkspaceName": { + "value": "log-analytics-workspace" + }, + "logAnalyticsRetentionInDays": { + "value": 30 + }, + "logAnalyticsAutomationAccountName": { + "value": "automation-account" + }, + "dataCollectionRule": { + "value": { + "enabled": false, + 
"name": "DCR-AzureMonitorLogs", + "windowsEventLogs": [ + { + "streams": [ + "Microsoft-Event" + ], + "xPathQueries": [ + "Application!*[System[(Level=1 or Level=2 or Level=3)]]", + "Security!*[System[(band(Keywords,13510798882111488))]]", + "System!*[System[(Level=1 or Level=2 or Level=3)]]" + ], + "name": "eventLogsDataSource" + } + ], + "syslog": [ + { + "streams": [ + "Microsoft-Syslog" + ], + "facilityNames": [ + "auth", + "authpriv", + "cron", + "daemon", + "mark", + "kern", + "local0", + "local1", + "local2", + "local3", + "local4", + "local5", + "local6", + "local7", + "lpr", + "mail", + "news", + "syslog", + "user", + "uucp" + ], + "logLevels": [ + "Warning", + "Error", + "Critical", + "Alert", + "Emergency" + ], + "name": "sysLogsDataSource" + } + ] + } + } + } +} diff --git a/config/networking/Tredell-main/hub-azfw-policy/azure-firewall-policy.parameters.json b/config/networking/Tredell-main/hub-azfw-policy/azure-firewall-policy.parameters.json new file mode 100644 index 00000000..becb6455 --- /dev/null +++ b/config/networking/Tredell-main/hub-azfw-policy/azure-firewall-policy.parameters.json @@ -0,0 +1,22 @@ +{ + "$schema": "https://raw.githubusercontent.com/Azure/CanadaPubSecALZ/main/schemas/latest/landingzones/lz-platform-connectivity-hub-azfw-policy.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceTags": { + "value": { + "ClientOrganization": "client-organization-tag", + "CostCenter": "cost-center-tag", + "DataSensitivity": "data-sensitivity-tag", + "ProjectContact": "project-contact-tag", + "ProjectName": "project-name-tag", + "TechnicalContact": "technical-contact-tag" + } + }, + "resourceGroupName": { + "value": "pubsec-azure-firewall-policy" + }, + "policyName": { + "value": "pubsecAzureFirewallPolicy" + } + } +} diff --git a/config/networking/Tredell-main/hub-azfw/hub-network.parameters.json b/config/networking/Tredell-main/hub-azfw/hub-network.parameters.json new file mode 100644 index 00000000..395a199c --- /dev/null 
+++ b/config/networking/Tredell-main/hub-azfw/hub-network.parameters.json 
@@ -0,0 +1,231 @@ +{ + "$schema": "https://raw.githubusercontent.com/Azure/CanadaPubSecALZ/main/schemas/latest/landingzones/lz-platform-connectivity-hub-azfw.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "serviceHealthAlerts": { + "value": { + "alertRuleName": "Networking Alerts", + "receivers": { + "app": [ + "networking@example.com" + ], + "sms": [ + { + "countryCode": "1", + "phoneNumber": "6135555555" + } + ], + "email": [ + "networking@example.com" + ], + "voice": [ + { + "countryCode": "1", + "phoneNumber": "6135555555" + } + ] + }, + "regions": [ + "Global", + "Canada Central", + "Canada East" + ], + "resourceGroupName": "service-health-alerts-rg", + "actionGroupName": "Networking Alerts", + "actionGroupShortName": "network-ag", + "incidentTypes": [ + "Incident", + "Security" + ], + "alertRuleDescription": "Networking Alerts for Incidents and Security" + } + }, + "securityCenter": { + "value": { + "email": "security@example.com", + "phone": "6135555555" + } + }, + "subscriptionRoleAssignments": { + "value": [ + { + "comments": "Built-in Contributor Role", + "securityGroupObjectIds": [ + "12d01649-fdb7-4769-afe5-66248082a064" + ], + "roleDefinitionId": "e31589a0-2517-4893-9ebe-c66835fae93f" + } + ] + }, + "subscriptionBudget": { + "value": { + "createBudget": false + } + }, + "subscriptionTags": { + "value": { + "ISSO": "isso-tbd" + } + }, + "resourceTags": { + "value": { + "ClientOrganization": "client-organization-tag", + "CostCenter": "cost-center-tag", + "DataSensitivity": "data-sensitivity-tag", + "ProjectContact": "project-contact-tag", + "ProjectName": "project-name-tag", + "TechnicalContact": "technical-contact-tag" + } + }, + "privateDnsZones": { + "value": { + "enabled": true, + "resourceGroupName": "private-dns-rg" + } + }, + "ddosStandard": { + "value": { + "resourceGroupName": "ddos-rg", + "enabled": false, + "planName": "ddos-plan" + } + }, + "publicAccessZone": { + "value": { + "enabled": true, + "resourceGroupName": 
"pubsec-public-access-zone" + } + }, + "managementRestrictedZone": { + "value": { + "enabled": true, + "resourceGroupName": "pubsec-management-restricted-zone", + "network": { + "name": "management-restricted-vnet", + "addressPrefixes": [ + "10.18.4.0/22" + ], + "subnets": [ + { + "comments": "Management (Access Zone) Subnet", + "name": "MazSubnet", + "addressPrefix": "10.18.4.0/25", + "nsg": { + "enabled": true + }, + "udr": { + "enabled": true + } + }, + { + "comments": "Infrastructure Services (Restricted Zone) Subnet", + "name": "InfSubnet", + "addressPrefix": "10.18.4.128/25", + "nsg": { + "enabled": true + }, + "udr": { + "enabled": true + } + }, + { + "comments": "Security Services (Restricted Zone) Subnet", + "name": "SecSubnet", + "addressPrefix": "10.18.5.0/26", + "nsg": { + "enabled": true + }, + "udr": { + "enabled": true + } + }, + { + "comments": "Logging Services (Restricted Zone) Subnet", + "name": "LogSubnet", + "addressPrefix": "10.18.5.64/26", + "nsg": { + "enabled": true + }, + "udr": { + "enabled": true + } + }, + { + "comments": "Core Management Interfaces (Restricted Zone) Subnet", + "name": "MgmtSubnet", + "addressPrefix": "10.18.5.128/26", + "nsg": { + "enabled": true + }, + "udr": { + "enabled": true + } + } + ] + } + } + }, + "hub": { + "value": { + "resourceGroupName": "pubsec-hub-networking", + "bastion": { + "enabled": true, + "name": "bastion", + "sku": "Standard", + "scaleUnits": 2 + }, + "azureFirewall": { + "name": "pubsecAzureFirewall", + "availabilityZones": [ + "1", + "2", + "3" + ], + "forcedTunnelingEnabled": false, + "forcedTunnelingNextHop": "10.17.1.4" + }, + "network": { + "name": "hub-vnet", + "addressPrefixes": [ + "10.18.0.0/22", + "100.60.0.0/16" + ], + "addressPrefixBastion": "192.168.0.0/16", + "subnets": { + "gateway": { + "comments": "Gateway Subnet used for VPN and/or Express Route connectivity", + "name": "GatewaySubnet", + "addressPrefix": "10.18.0.0/27" + }, + "firewall": { + "comments": "Azure Firewall", + 
"name": "AzureFirewallSubnet", + "addressPrefix": "10.18.1.0/24" + }, + "firewallManagement": { + "comments": "Azure Firewall Management", + "name": "AzureFirewallManagementSubnet", + "addressPrefix": "10.18.2.0/26" + }, + "bastion": { + "comments": "Azure Bastion", + "name": "AzureBastionSubnet", + "addressPrefix": "192.168.0.0/24" + }, + "publicAccess": { + "comments": "Public Access Zone (Application Gateway)", + "name": "PAZSubnet", + "addressPrefix": "100.60.1.0/24" + }, + "optional": [] + } + } + } + }, + "networkWatcher": { + "value": { + "resourceGroupName": "NetworkWatcherRG" + } + } + } +} diff --git a/config/networking/Tredell-main/hub-nva/hub-network.parameters.json b/config/networking/Tredell-main/hub-nva/hub-network.parameters.json new file mode 100644 index 00000000..43fe4b59 --- /dev/null +++ b/config/networking/Tredell-main/hub-nva/hub-network.parameters.json 
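Review bot: `ddosStandard.enabled` is `false` in the new hub-azfw parameters while `publicAccessZone.enabled` is `true` and the hub's `subnets.publicAccess` entry reserves `PAZSubnet` (`100.60.1.0/24`) for an Application Gateway, so the internet-facing edge of this environment is deployed without a DDoS protection plan. That may be a deliberate cost trade-off for a dev tenant, but nothing in the file records it; since these parameter files carry no comment syntax beyond the schema's `comments` fields, it belongs in the commit message or the environment's README. `forcedTunnelingNextHop: "10.17.1.4"` is outside every address prefix declared in this series and, with `forcedTunnelingEnabled: false`, looks like an inherited sample value that could be called out the same way.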
@@ -0,0 +1,318 @@ +{ + "$schema": "https://raw.githubusercontent.com/Azure/CanadaPubSecALZ/main/schemas/latest/landingzones/lz-platform-connectivity-hub-nva.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "serviceHealthAlerts": { + "value": { + "alertRuleName": "Networking Alerts", + "receivers": { + "app": [ + "networking@example.com" + ], + "sms": [ + { + "countryCode": "1", + "phoneNumber": "6135555555" + } + ], + "email": [ + "networking@example.com" + ], + "voice": [ + { + "countryCode": "1", + "phoneNumber": "6135555555" + } + ] + }, + "regions": [ + "Global", + "Canada Central", + "Canada East" + ], + "resourceGroupName": "service-health-alerts-rg", + "actionGroupName": "Networking Alerts", + "actionGroupShortName": "network-ag", + "incidentTypes": [ + "Incident", + "Security" + ], + "alertRuleDescription": "Networking Alerts for Incidents and Security" + } + }, + "securityCenter": { + "value": { + "email": "security@example.com", + "phone": "6135555555" + } + }, + "subscriptionRoleAssignments": { + "value": [ + { + "comments": "Built-in Contributor Role", + "securityGroupObjectIds": [ + "12d01649-fdb7-4769-afe5-66248082a064" + ], + "roleDefinitionId": "e31589a0-2517-4893-9ebe-c66835fae93f" + } + ] + }, + "subscriptionBudget": { + "value": { + "createBudget": false + } + }, + "subscriptionTags": { + "value": { + "ISSO": "isso-tbd" + } + }, + "resourceTags": { + "value": { + "ClientOrganization": "client-organization-tag", + "CostCenter": "cost-center-tag", + "DataSensitivity": "data-sensitivity-tag", + "ProjectContact": "project-contact-tag", + "ProjectName": "project-name-tag", + "TechnicalContact": "technical-contact-tag" + } + }, + "privateDnsZones": { + "value": { + "enabled": true, + "resourceGroupName": "private-dns-rg" + } + }, + "ddosStandard": { + "value": { + "resourceGroupName": "ddos-rg", + "enabled": false, + "planName": "ddos-plan" + } + }, + "publicAccessZone": { + "value": { + "enabled": true, + "resourceGroupName": 
"pubsec-public-access-zone" + } + }, + "managementRestrictedZone": { + "value": { + "enabled": true, + "resourceGroupName": "pubsec-management-restricted-zone", + "network": { + "name": "management-restricted-vnet", + "addressPrefixes": [ + "10.18.4.0/22" + ], + "subnets": [ + { + "comments": "Management (Access Zone) Subnet", + "name": "MazSubnet", + "addressPrefix": "10.18.4.0/25", + "nsg": { + "enabled": true + }, + "udr": { + "enabled": true + } + }, + { + "comments": "Infrastructure Services (Restricted Zone) Subnet", + "name": "InfSubnet", + "addressPrefix": "10.18.4.128/25", + "nsg": { + "enabled": true + }, + "udr": { + "enabled": true + } + }, + { + "comments": "Security Services (Restricted Zone) Subnet", + "name": "SecSubnet", + "addressPrefix": "10.18.5.0/26", + "nsg": { + "enabled": true + }, + "udr": { + "enabled": true + } + }, + { + "comments": "Logging Services (Restricted Zone) Subnet", + "name": "LogSubnet", + "addressPrefix": "10.18.5.64/26", + "nsg": { + "enabled": true + }, + "udr": { + "enabled": true + } + }, + { + "comments": "Core Management Interfaces (Restricted Zone) Subnet", + "name": "MgmtSubnet", + "addressPrefix": "10.18.5.128/26", + "nsg": { + "enabled": true + }, + "udr": { + "enabled": true + } + } + ] + } + } + }, + "hub": { + "value": { + "resourceGroupName": "pubsec-hub-networking", + "bastion": { + "enabled": true, + "name": "bastion", + "sku": "Standard", + "scaleUnits": 2 + }, + "network": { + "name": "hub-vnet", + "addressPrefixes": [ + "10.18.0.0/22", + "100.60.0.0/16" + ], + "addressPrefixBastion": "192.168.0.0/16", + "subnets": { + "gateway": { + "comments": "Gateway Subnet used for VPN and/or Express Route connectivity", + "name": "GatewaySubnet", + "addressPrefix": "10.18.1.0/27" + }, + "bastion": { + "comments": "Azure Bastion", + "name": "AzureBastionSubnet", + "addressPrefix": "192.168.0.0/24" + }, + "public": { + "comments": "Public Subnet Name (External Facing (Internet/Ground))", + "name": "PublicSubnet", + 
"addressPrefix": "100.60.0.0/24" + }, + "publicAccessZone": { + "comments": "Public Access Zone (i.e. Application Gateway)", + "name": "PAZSubnet", + "addressPrefix": "100.60.1.0/24" + }, + "externalAccessNetwork": { + "comments": "External Access Network", + "name": "EanSubnet", + "addressPrefix": "10.18.0.0/27" + }, + "nonProductionInternal": { + "comments": "Non-production Internal for firewall appliances (Internal Facing Non-Production Traffic)", + "name": "DevIntSubnet", + "addressPrefix": "10.18.0.64/27" + }, + "productionInternal": { + "comments": "Production Internal for firewall appliances (Internal Facing Production Traffic)", + "name": "PrdIntSubnet", + "addressPrefix": "10.18.0.32/27" + }, + "managementRestrictedZoneInternal": { + "comments": "Management Restricted Zone", + "name": "MrzSubnet", + "addressPrefix": "10.18.0.96/27" + }, + "highAvailability": { + "comments": "High Availability (Firewall to Firewall heartbeat)", + "name": "HASubnet", + "addressPrefix": "10.18.0.128/28" + }, + "optional": [] + } + }, + "nvaFirewall": { + "image": { + "publisher": "fortinet", + "offer": "fortinet_fortigate-vm_v5", + "sku": "fortinet_fg-vm", + "version": "6.4.5", + "plan": "fortinet_fg-vm" + }, + "nonProduction": { + "internalLoadBalancer": { + "name": "pubsecDevFWILB", + "tcpProbe": { + "name": "lbprobe", + "port": 8008, + "intervalInSeconds": 5, + "numberOfProbes": 2 + }, + "internalIp": "10.18.0.68", + "externalIp": "100.60.0.7" + }, + "deployVirtualMachines": false, + "virtualMachines": [ + { + "name": "pubsecDevFW1", + "vmSku": "Standard_D8s_v4", + "internalIp": "10.18.0.69", + "externalIp": "100.60.0.8", + "mrzInternalIp": "10.18.0.104", + "highAvailabilityIp": "10.18.0.134", + "availabilityZone": "2" + }, + { + "name": "pubsecDevFW2", + "vmSku": "Standard_D8s_v4", + "internalIp": "10.18.0.70", + "externalIp": "100.60.0.9", + "mrzInternalIp": "10.18.0.105", + "highAvailabilityIp": "10.18.0.135", + "availabilityZone": "3" + } + ] + }, + "production": { + 
"internalLoadBalancer": {
+ "name": "pubsecProdFWILB",
+ "tcpProbe": {
+ "name": "lbprobe",
+ "port": 8008,
+ "intervalInSeconds": 5,
+ "numberOfProbes": 2
+ },
+ "internalIp": "10.18.0.36",
+ "externalIp": "100.60.0.4"
+ },
+ "deployVirtualMachines": false,
+ "virtualMachines": [
+ {
+ "name": "pubsecProdFW1",
+ "vmSku": "Standard_F8s_v2",
+ "internalIp": "10.18.0.37",
+ "externalIp": "100.60.0.5",
+ "mrzInternalIp": "10.18.0.101",
+ "highAvailabilityIp": "10.18.0.132",
+ "availabilityZone": "1"
+ },
+ {
+ "name": "pubsecProdFW2",
+ "vmSku": "Standard_F8s_v2",
+ "internalIp": "10.18.0.38",
+ "externalIp": "100.60.0.6",
+ "mrzInternalIp": "10.18.0.102",
+ "highAvailabilityIp": "10.18.0.133",
+ "availabilityZone": "2"
+ }
+ ]
+ }
+ }
+ }
+ },
+ "networkWatcher": {
+ "value": {
+ "resourceGroupName": "NetworkWatcherRG"
+ }
+ }
+ }
+}
From 45b8d1d18023f28bc77191846731cbe2934aa56d Mon Sep 17 00:00:00 2001
From: Barry Willis
Date: Tue, 22 Aug 2023 15:35:15 -0700
Subject: [PATCH 5/9] contributor role reference had the wrong ID
---
 config/logging/Tredell-main/logging.parameters.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/logging/Tredell-main/logging.parameters.json b/config/logging/Tredell-main/logging.parameters.json
index 274d6977..7b6082c2 100644
--- a/config/logging/Tredell-main/logging.parameters.json
+++ b/config/logging/Tredell-main/logging.parameters.json
@@ -51,7 +51,7 @@
 {
 "comments": "Built-in Contributor Role",
 "securityGroupObjectIds": [
- "9e16fb9d-7ea4-43fb-a92c-a5dbe308f921"
+ "b24988ac-6180-42a0-ab88-20f7382dd24c"
 ],
 "roleDefinitionId": "14f270f8-e90d-4657-a94e-085266d5e3e0"
 }
From bab1657562f82b4b6143e7ac5420095418c81dcc Mon Sep 17 00:00:00 2001
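Review bot: The NVA hub in this file puts `GatewaySubnet` at `10.18.1.0/27`, which contains `10.18.1.4`, the address the identity parameters in this same commit use for both `hubNetwork.egressVirtualApplianceIp` and `network.dnsServers`; the firewall ILB addresses here are `10.18.0.36` (production) and `10.18.0.68` (non-production). `10.18.1.4` therefore only matches the hub-azfw variant, where it is the first usable host of `AzureFirewallSubnet` `10.18.1.0/24`; if the pipeline ever selects the NVA hub for this environment, identity's default route and DNS would point into the gateway subnet. Which hub is deployed is chosen outside these files, so this may be intended, but a note in the commit message or in the identity subnet `comments` fields saying that the identity config assumes the Azure Firewall hub would keep the mismatch from going unnoticed. The hunk also pins the Fortinet image to `"version": "6.4.5"` with `deployVirtualMachines: false` in both tiers; if VMs are enabled later the version should be re-checked rather than inherited.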
From: Barry Willis
Date: Tue, 22 Aug 2023 15:46:57 -0700
Subject: [PATCH 6/9] fixed a bug with role definition IDs
---
 config/identity/Tredell-main/identity.parameters.json | 4 ++--
 config/logging/Tredell-main/logging.parameters.json | 4 ++--
 .../Tredell-main/hub-azfw/hub-network.parameters.json | 4 ++--
 .../Tredell-main/hub-nva/hub-network.parameters.json | 4 ++--
 4 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/config/identity/Tredell-main/identity.parameters.json b/config/identity/Tredell-main/identity.parameters.json
index 667946b3..285f26f1 100644
--- a/config/identity/Tredell-main/identity.parameters.json
+++ b/config/identity/Tredell-main/identity.parameters.json
@@ -51,9 +51,9 @@
 {
 "comments": "Built-in Contributor Role",
 "securityGroupObjectIds": [
- "b4df54ba-7232-40fa-8f51-f84e8d149322"
+ "e13967fe-4a8e-4051-b85b-a6bd7c3e57fa"
 ],
- "roleDefinitionId": "e31589a0-2517-4893-9ebe-c66835fae93f"
+ "roleDefinitionId": "b24988ac-6180-42a0-ab88-20f7382dd24c"
 }
 ]
 },
diff --git a/config/logging/Tredell-main/logging.parameters.json b/config/logging/Tredell-main/logging.parameters.json
index 7b6082c2..1ac00939 100644
--- a/config/logging/Tredell-main/logging.parameters.json
+++ b/config/logging/Tredell-main/logging.parameters.json
@@ -51,9 +51,9 @@
 {
 "comments": "Built-in Contributor Role",
 "securityGroupObjectIds": [
- "b24988ac-6180-42a0-ab88-20f7382dd24c"
+ "14f270f8-e90d-4657-a94e-085266d5e3e0"
 ],
- "roleDefinitionId": "14f270f8-e90d-4657-a94e-085266d5e3e0"
+ "roleDefinitionId": "b24988ac-6180-42a0-ab88-20f7382dd24c"
 }
 ]
 },
diff --git a/config/networking/Tredell-main/hub-azfw/hub-network.parameters.json b/config/networking/Tredell-main/hub-azfw/hub-network.parameters.json
index 395a199c..27c971f8 100644
--- a/config/networking/Tredell-main/hub-azfw/hub-network.parameters.json
+++ b/config/networking/Tredell-main/hub-azfw/hub-network.parameters.json
@@ -51,9 +51,9 @@
{
"comments": "Built-in Contributor Role",
"securityGroupObjectIds": [
- "12d01649-fdb7-4769-afe5-66248082a064"
+ "e31589a0-2517-4893-9ebe-c66835fae93f"
],
- "roleDefinitionId": "e31589a0-2517-4893-9ebe-c66835fae93f"
+ "roleDefinitionId": "b24988ac-6180-42a0-ab88-20f7382dd24c"
}
]
},
diff --git a/config/networking/Tredell-main/hub-nva/hub-network.parameters.json b/config/networking/Tredell-main/hub-nva/hub-network.parameters.json
index 43fe4b59..079c1f0e 100644
--- a/config/networking/Tredell-main/hub-nva/hub-network.parameters.json
+++ b/config/networking/Tredell-main/hub-nva/hub-network.parameters.json
@@ -51,9 +51,9 @@
{
"comments": "Built-in Contributor Role",
"securityGroupObjectIds": [
- "12d01649-fdb7-4769-afe5-66248082a064"
+ "e31589a0-2517-4893-9ebe-c66835fae93f"
],
- "roleDefinitionId": "e31589a0-2517-4893-9ebe-c66835fae93f"
+ "roleDefinitionId": "b24988ac-6180-42a0-ab88-20f7382dd24c"
}
]
},
From 1e53dd8ade48d1b71389c9b6eb662fe5f6a21e1c Mon Sep 17 00:00:00 2001
From: Barry Willis Date: Wed, 13 Sep 2023 13:25:42 -0700 Subject: [PATCH 7/9] Bug: removed diagnostic log config requirement from Eventgrid/subscriptions
---
policy/builtin/assignments/pbmm.bicep | 2 +- policy/custom/definitions/policyset/LogAnalytics.bicep | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/builtin/assignments/pbmm.bicep b/policy/builtin/assignments/pbmm.bicep
index 1086f5e9..13501fb3 100644
--- a/policy/builtin/assignments/pbmm.bicep
+++ b/policy/builtin/assignments/pbmm.bicep
@@ -84,7 +84,7 @@ resource policySetAssignment 'Microsoft.Authorization/policyAssignments@2020-03-
'Microsoft.DataFactory/factories'
'Microsoft.DataLakeAnalytics/accounts'
'Microsoft.DataLakeStore/accounts'
- 'Microsoft.EventGrid/eventSubscriptions'
+ // 'Microsoft.EventGrid/eventSubscriptions' # Removed since it doesn't have any logs
'Microsoft.EventGrid/topics'
'Microsoft.EventHub/namespaces'
'Microsoft.Network/expressRouteCircuits' 
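Review bot: In the hub-azfw hunk the new `securityGroupObjectIds` value `e31589a0-2517-4893-9ebe-c66835fae93f` is the GUID the removed line had as `roleDefinitionId`, while the previous group ID `12d01649-…` is dropped; unless that GUID is really an Entra ID group, the Contributor grant on the connectivity subscription now targets a role ID instead of a principal. The hub-nva hunk right below makes the identical substitution, so both files need the group's object ID looked up and written into `securityGroupObjectIds`, with `"roleDefinitionId": "b24988ac-6180-42a0-ab88-20f7382dd24c"` left as the commit sets it. Because the connectivity subscription holds the hub firewall and Bastion, a mis-targeted subscription-scope Contributor is worth a second look before this is deployed. The enclosing parameters object extends outside both hunks.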
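Review bot: The replacement line in pbmm.bicep keeps the removed list element as a comment with a trailing `# Removed since it doesn't have any logs`; Bicep only has `//` and `/* */` comments, so the `#` is just text inside the comment, and a commented-out array element tends to be resurrected on the next merge. Prefer deleting the element and recording the reason as a normal comment above the list, e.g. `// Microsoft.EventGrid/eventSubscriptions is intentionally absent: per the commit, the type exposes no diagnostic log categories, so the diagnostic-settings policies cannot apply to it`. This list narrows which resource types the PBMM assignment audits for diagnostic settings, so the rationale should live next to the list where the next reviewer of audit coverage will see it, and the same element is commented out in LogAnalytics.bicep in this patch with different spacing, so the two lists should be kept identical. The enclosing `policySetAssignment` resource starts and ends outside the hunk.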
diff --git a/policy/custom/definitions/policyset/LogAnalytics.bicep b/policy/custom/definitions/policyset/LogAnalytics.bicep
index 86391d2a..2d3f5338 100644
--- a/policy/custom/definitions/policyset/LogAnalytics.bicep
+++ b/policy/custom/definitions/policyset/LogAnalytics.bicep
@@ -56,7 +56,7 @@ resource policyset_name 'Microsoft.Authorization/policySetDefinitions@2020-03-01
'Microsoft.DataLakeAnalytics/accounts'
'Microsoft.DataLakeStore/accounts'
'Microsoft.EventGrid/systemTopics'
- 'Microsoft.EventGrid/eventSubscriptions'
+ //'Microsoft.EventGrid/eventSubscriptions' # Removed since it doesn't have any logs
'Microsoft.EventGrid/topics'
'Microsoft.EventHub/namespaces'
'Microsoft.Network/expressRouteCircuits'
From 8862450f66260fc115cb11c301cdb0ba84185bba Mon Sep 17 00:00:00 2001
From: Barry Willis Date: Wed, 13 Sep 2023 14:10:39 -0700 Subject: [PATCH 8/9] removed my environment customizations
---
.../Tredell-main/identity.parameters.json | 187 ---------- .../Tredell-main/logging.parameters.json | 149 -------- .../azure-firewall-policy.parameters.json | 22 -- .../hub-azfw/hub-network.parameters.json | 231 ------------- .../hub-nva/hub-network.parameters.json | 318 ------------------ 5 files changed, 907 deletions(-) delete mode 100644 config/identity/Tredell-main/identity.parameters.json delete mode 100644 config/logging/Tredell-main/logging.parameters.json delete mode 100644 config/networking/Tredell-main/hub-azfw-policy/azure-firewall-policy.parameters.json delete mode 100644 config/networking/Tredell-main/hub-azfw/hub-network.parameters.json delete mode 100644 config/networking/Tredell-main/hub-nva/hub-network.parameters.json
diff --git a/config/identity/Tredell-main/identity.parameters.json b/config/identity/Tredell-main/identity.parameters.json
deleted file mode 100644
index 285f26f1..00000000
--- a/config/identity/Tredell-main/identity.parameters.json
+++ /dev/null 
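Review bot: The commented-out element is written `//'Microsoft.EventGrid/eventSubscriptions'` here but `// 'Microsoft.EventGrid/eventSubscriptions'` in pbmm.bicep in the same patch, and both carry a `#` that Bicep does not treat as comment syntax. Since this custom policy-set definition and the PBMM assignment are meant to enumerate the same diagnostic-settings resource types, keep the two edits identical, and preferably drop the element altogether with the reason kept as `// Microsoft.EventGrid/eventSubscriptions omitted: no diagnostic log categories for this type (see commit 1e53dd8)`. The enclosing `policyset_name` resource starts and ends outside the hunk.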
@@ -1,187 +0,0 @@ -{ - "$schema": "https://raw.githubusercontent.com/Azure/CanadaPubSecALZ/main/schemas/latest/landingzones/lz-platform-identity.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "serviceHealthAlerts": { - "value": { - "alertRuleName": "Identity Alerts", - "receivers": { - "app": [ - "identity@example.com" - ], - "sms": [ - { - "countryCode": "1", - "phoneNumber": "6135555555" - } - ], - "email": [ - "identity@example.com" - ], - "voice": [ - { - "countryCode": "1", - "phoneNumber": "6135555555" - } - ] - }, - "regions": [ - "Global", - "Canada Central", - "Canada East" - ], - "resourceGroupName": "service-health-alerts-rg", - "actionGroupName": "Identity Alerts", - "actionGroupShortName": "identity-ag", - "incidentTypes": [ - "Incident", - "Security" - ], - "alertRuleDescription": "Identity Alerts for Incidents and Security" - } - }, - "securityCenter": { - "value": { - "email": "security@example.com", - "phone": "6135555555" - } - }, - "subscriptionRoleAssignments": { - "value": [ - { - "comments": "Built-in Contributor Role", - "securityGroupObjectIds": [ - "e13967fe-4a8e-4051-b85b-a6bd7c3e57fa" - ], - "roleDefinitionId": "b24988ac-6180-42a0-ab88-20f7382dd24c" - } - ] - }, - "subscriptionBudget": { - "value": { - "createBudget": false - } - }, - "subscriptionTags": { - "value": { - "ISSO": "isso-tbd", - "ClientOrganization": "client-organization-tag", - "CostCenter": "cost-center-tag", - "DataSensitivity": "data-sensitivity-tag", - "ProjectContact": "project-contact-tag", - "ProjectName": "project-name-tag", - "TechnicalContact": "technical-contact-tag" - } - }, - "resourceTags": { - "value": { - "ClientOrganization": "client-organization-tag", - "CostCenter": "cost-center-tag", - "DataSensitivity": "data-sensitivity-tag", - "ProjectContact": "project-contact-tag", - "ProjectName": "project-name-tag", - "TechnicalContact": "technical-contact-tag" - } - }, - "resourceGroups": { - "value": { - "automation": "automation", - "networking": 
"networking", - "networkWatcher": "NetworkWatcherRG", - "backupRecoveryVault": "backup", - "domainControllers": "DomainControllersRG", - "dnsResolver": "dns-resolverRG", - "dnsCondionalForwarders": "dns-CondionalForwardersRG", - "privateDnsZones": "pubsec-dns" - } - }, - "automation": { - "value": { - "name": "automation" - } - }, - "backupRecoveryVault": { - "value": { - "enabled": true, - "name": "backup-vault" - } - }, - "privateDnsZones": { - "value": { - "enabled": false, - "resourceGroupName": "pubsec-dns" - } - }, - "privateDnsResolver": { - "value": { - "enabled": true, - "name": "dns-resolver", - "inboundEndpointName": "dns-resolver-Inbound", - "outboundEndpointName": "dns-resolver-Outbound" - } - }, - "privateDnsResolverRuleset": { - "value": { - "enabled": true, - "name": "dns-resolver-ruleset", - "linkRuleSetToVnet": true, - "linkRuleSetToVnetName": "dns-resolver-vnet-link", - "forwardingRules": [ - { - "name": "default", - "domain": "dontMakeMeThink.local", - "state": "Enabled", - "targetDnsServers": [ - { - "ipAddress": "10.99.99.100" - }, - { - "ipAddress": "10.99.99.99" - } - ] - } - ] - } - }, - "hubNetwork": { - "value": { - "virtualNetworkId": "/subscriptions/4fd845de-f6c8-4e6d-9a87-c21c4ebf7edd/resourceGroups/pubsec-hub-networking/providers/Microsoft.Network/virtualNetworks/hub-vnet", - "rfc1918IPRange": "10.18.0.0/22", - "rfc6598IPRange": "100.60.0.0/16", - "egressVirtualApplianceIp": "10.18.1.4" - } - }, - "network": { - "value": { - "deployVnet": true, - "peerToHubVirtualNetwork": true, - "useRemoteGateway": false, - "name": "id-vnet", - "dnsServers": [ - "10.18.1.4" - ], - "addressPrefixes": [ - "10.15.0.0/24" - ], - "subnets": { - "domainControllers": { - "comments": "Identity Subnet for Domain Controllers and VM-Based DNS Servers", - "name": "DomainControllers", - "addressPrefix": "10.15.0.0/27" - }, - "dnsResolverInbound": { - "comments": "Azure DNS Resolver Inbound Requests subnet", - "name": "AzureDNSResolver-Inbound", - 
"addressPrefix": "10.15.0.32/27" - }, - "dnsResolverOutbound": { - "comments": "Azure DNS Resolver Outbound Requests subnet", - "name": "AzureDNSResolver-Outbound", - "addressPrefix": "10.15.0.64/27" - }, - "optional": [] - } - } - } - } -} diff --git a/config/logging/Tredell-main/logging.parameters.json b/config/logging/Tredell-main/logging.parameters.json deleted file mode 100644 index 1ac00939..00000000 --- a/config/logging/Tredell-main/logging.parameters.json +++ /dev/null 
@@ -1,149 +0,0 @@ -{ - "$schema": "https://raw.githubusercontent.com/Azure/CanadaPubSecALZ/main/schemas/latest/landingzones/lz-platform-logging.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "serviceHealthAlerts": { - "value": { - "alertRuleName": "Logging Alerts", - "receivers": { - "app": [ - "logging@example.com" - ], - "sms": [ - { - "countryCode": "1", - "phoneNumber": "6135555555" - } - ], - "email": [ - "logging@example.com" - ], - "voice": [ - { - "countryCode": "1", - "phoneNumber": "6135555555" - } - ] - }, - "regions": [ - "Global", - "Canada Central", - "Canada East" - ], - "resourceGroupName": "service-health-alerts-rg", - "actionGroupName": "Logging Alerts", - "actionGroupShortName": "logging-ag", - "incidentTypes": [ - "Incident", - "Security" - ], - "alertRuleDescription": "Logging Alerts for Incidents and Security" - } - }, - "securityCenter": { - "value": { - "email": "security@example.com", - "phone": "6135555555" - } - }, - "subscriptionRoleAssignments": { - "value": [ - { - "comments": "Built-in Contributor Role", - "securityGroupObjectIds": [ - "14f270f8-e90d-4657-a94e-085266d5e3e0" - ], - "roleDefinitionId": "b24988ac-6180-42a0-ab88-20f7382dd24c" - } - ] - }, - "subscriptionBudget": { - "value": { - "createBudget": false - } - }, - "subscriptionTags": { - "value": { - "ISSO": "isso-tbd" - } - }, - "resourceTags": { - "value": { - "ClientOrganization": "client-organization-tag", - "CostCenter": "cost-center-tag", - "DataSensitivity": "data-sensitivity-tag", - "ProjectContact": "project-contact-tag", - "ProjectName": "project-name-tag", - "TechnicalContact": "technical-contact-tag" - } - }, - "logAnalyticsResourceGroupName": { - "value": "pubsec-central-logging" - }, - "logAnalyticsWorkspaceName": { - "value": "log-analytics-workspace" - }, - "logAnalyticsRetentionInDays": { - "value": 30 - }, - "logAnalyticsAutomationAccountName": { - "value": "automation-account" - }, - "dataCollectionRule": { - "value": { - "enabled": false, - 
"name": "DCR-AzureMonitorLogs", - "windowsEventLogs": [ - { - "streams": [ - "Microsoft-Event" - ], - "xPathQueries": [ - "Application!*[System[(Level=1 or Level=2 or Level=3)]]", - "Security!*[System[(band(Keywords,13510798882111488))]]", - "System!*[System[(Level=1 or Level=2 or Level=3)]]" - ], - "name": "eventLogsDataSource" - } - ], - "syslog": [ - { - "streams": [ - "Microsoft-Syslog" - ], - "facilityNames": [ - "auth", - "authpriv", - "cron", - "daemon", - "mark", - "kern", - "local0", - "local1", - "local2", - "local3", - "local4", - "local5", - "local6", - "local7", - "lpr", - "mail", - "news", - "syslog", - "user", - "uucp" - ], - "logLevels": [ - "Warning", - "Error", - "Critical", - "Alert", - "Emergency" - ], - "name": "sysLogsDataSource" - } - ] - } - } - } -} diff --git a/config/networking/Tredell-main/hub-azfw-policy/azure-firewall-policy.parameters.json b/config/networking/Tredell-main/hub-azfw-policy/azure-firewall-policy.parameters.json deleted file mode 100644 index becb6455..00000000 --- a/config/networking/Tredell-main/hub-azfw-policy/azure-firewall-policy.parameters.json +++ /dev/null @@ -1,22 +0,0 @@ -{ - "$schema": "https://raw.githubusercontent.com/Azure/CanadaPubSecALZ/main/schemas/latest/landingzones/lz-platform-connectivity-hub-azfw-policy.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "resourceTags": { - "value": { - "ClientOrganization": "client-organization-tag", - "CostCenter": "cost-center-tag", - "DataSensitivity": "data-sensitivity-tag", - "ProjectContact": "project-contact-tag", - "ProjectName": "project-name-tag", - "TechnicalContact": "technical-contact-tag" - } - }, - "resourceGroupName": { - "value": "pubsec-azure-firewall-policy" - }, - "policyName": { - "value": "pubsecAzureFirewallPolicy" - } - } -} diff --git a/config/networking/Tredell-main/hub-azfw/hub-network.parameters.json b/config/networking/Tredell-main/hub-azfw/hub-network.parameters.json deleted file mode 100644 index 27c971f8..00000000 
--- a/config/networking/Tredell-main/hub-azfw/hub-network.parameters.json +++ /dev/null 
@@ -1,231 +0,0 @@ -{ - "$schema": "https://raw.githubusercontent.com/Azure/CanadaPubSecALZ/main/schemas/latest/landingzones/lz-platform-connectivity-hub-azfw.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "serviceHealthAlerts": { - "value": { - "alertRuleName": "Networking Alerts", - "receivers": { - "app": [ - "networking@example.com" - ], - "sms": [ - { - "countryCode": "1", - "phoneNumber": "6135555555" - } - ], - "email": [ - "networking@example.com" - ], - "voice": [ - { - "countryCode": "1", - "phoneNumber": "6135555555" - } - ] - }, - "regions": [ - "Global", - "Canada Central", - "Canada East" - ], - "resourceGroupName": "service-health-alerts-rg", - "actionGroupName": "Networking Alerts", - "actionGroupShortName": "network-ag", - "incidentTypes": [ - "Incident", - "Security" - ], - "alertRuleDescription": "Networking Alerts for Incidents and Security" - } - }, - "securityCenter": { - "value": { - "email": "security@example.com", - "phone": "6135555555" - } - }, - "subscriptionRoleAssignments": { - "value": [ - { - "comments": "Built-in Contributor Role", - "securityGroupObjectIds": [ - "e31589a0-2517-4893-9ebe-c66835fae93f" - ], - "roleDefinitionId": "b24988ac-6180-42a0-ab88-20f7382dd24c" - } - ] - }, - "subscriptionBudget": { - "value": { - "createBudget": false - } - }, - "subscriptionTags": { - "value": { - "ISSO": "isso-tbd" - } - }, - "resourceTags": { - "value": { - "ClientOrganization": "client-organization-tag", - "CostCenter": "cost-center-tag", - "DataSensitivity": "data-sensitivity-tag", - "ProjectContact": "project-contact-tag", - "ProjectName": "project-name-tag", - "TechnicalContact": "technical-contact-tag" - } - }, - "privateDnsZones": { - "value": { - "enabled": true, - "resourceGroupName": "private-dns-rg" - } - }, - "ddosStandard": { - "value": { - "resourceGroupName": "ddos-rg", - "enabled": false, - "planName": "ddos-plan" - } - }, - "publicAccessZone": { - "value": { - "enabled": true, - "resourceGroupName": 
"pubsec-public-access-zone" - } - }, - "managementRestrictedZone": { - "value": { - "enabled": true, - "resourceGroupName": "pubsec-management-restricted-zone", - "network": { - "name": "management-restricted-vnet", - "addressPrefixes": [ - "10.18.4.0/22" - ], - "subnets": [ - { - "comments": "Management (Access Zone) Subnet", - "name": "MazSubnet", - "addressPrefix": "10.18.4.0/25", - "nsg": { - "enabled": true - }, - "udr": { - "enabled": true - } - }, - { - "comments": "Infrastructure Services (Restricted Zone) Subnet", - "name": "InfSubnet", - "addressPrefix": "10.18.4.128/25", - "nsg": { - "enabled": true - }, - "udr": { - "enabled": true - } - }, - { - "comments": "Security Services (Restricted Zone) Subnet", - "name": "SecSubnet", - "addressPrefix": "10.18.5.0/26", - "nsg": { - "enabled": true - }, - "udr": { - "enabled": true - } - }, - { - "comments": "Logging Services (Restricted Zone) Subnet", - "name": "LogSubnet", - "addressPrefix": "10.18.5.64/26", - "nsg": { - "enabled": true - }, - "udr": { - "enabled": true - } - }, - { - "comments": "Core Management Interfaces (Restricted Zone) Subnet", - "name": "MgmtSubnet", - "addressPrefix": "10.18.5.128/26", - "nsg": { - "enabled": true - }, - "udr": { - "enabled": true - } - } - ] - } - } - }, - "hub": { - "value": { - "resourceGroupName": "pubsec-hub-networking", - "bastion": { - "enabled": true, - "name": "bastion", - "sku": "Standard", - "scaleUnits": 2 - }, - "azureFirewall": { - "name": "pubsecAzureFirewall", - "availabilityZones": [ - "1", - "2", - "3" - ], - "forcedTunnelingEnabled": false, - "forcedTunnelingNextHop": "10.17.1.4" - }, - "network": { - "name": "hub-vnet", - "addressPrefixes": [ - "10.18.0.0/22", - "100.60.0.0/16" - ], - "addressPrefixBastion": "192.168.0.0/16", - "subnets": { - "gateway": { - "comments": "Gateway Subnet used for VPN and/or Express Route connectivity", - "name": "GatewaySubnet", - "addressPrefix": "10.18.0.0/27" - }, - "firewall": { - "comments": "Azure Firewall", - 
"name": "AzureFirewallSubnet", - "addressPrefix": "10.18.1.0/24" - }, - "firewallManagement": { - "comments": "Azure Firewall Management", - "name": "AzureFirewallManagementSubnet", - "addressPrefix": "10.18.2.0/26" - }, - "bastion": { - "comments": "Azure Bastion", - "name": "AzureBastionSubnet", - "addressPrefix": "192.168.0.0/24" - }, - "publicAccess": { - "comments": "Public Access Zone (Application Gateway)", - "name": "PAZSubnet", - "addressPrefix": "100.60.1.0/24" - }, - "optional": [] - } - } - } - }, - "networkWatcher": { - "value": { - "resourceGroupName": "NetworkWatcherRG" - } - } - } -} diff --git a/config/networking/Tredell-main/hub-nva/hub-network.parameters.json b/config/networking/Tredell-main/hub-nva/hub-network.parameters.json deleted file mode 100644 index 079c1f0e..00000000 --- a/config/networking/Tredell-main/hub-nva/hub-network.parameters.json +++ /dev/null 
@@ -1,318 +0,0 @@ -{ - "$schema": "https://raw.githubusercontent.com/Azure/CanadaPubSecALZ/main/schemas/latest/landingzones/lz-platform-connectivity-hub-nva.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "serviceHealthAlerts": { - "value": { - "alertRuleName": "Networking Alerts", - "receivers": { - "app": [ - "networking@example.com" - ], - "sms": [ - { - "countryCode": "1", - "phoneNumber": "6135555555" - } - ], - "email": [ - "networking@example.com" - ], - "voice": [ - { - "countryCode": "1", - "phoneNumber": "6135555555" - } - ] - }, - "regions": [ - "Global", - "Canada Central", - "Canada East" - ], - "resourceGroupName": "service-health-alerts-rg", - "actionGroupName": "Networking Alerts", - "actionGroupShortName": "network-ag", - "incidentTypes": [ - "Incident", - "Security" - ], - "alertRuleDescription": "Networking Alerts for Incidents and Security" - } - }, - "securityCenter": { - "value": { - "email": "security@example.com", - "phone": "6135555555" - } - }, - "subscriptionRoleAssignments": { - "value": [ - { - "comments": "Built-in Contributor Role", - "securityGroupObjectIds": [ - "e31589a0-2517-4893-9ebe-c66835fae93f" - ], - "roleDefinitionId": "b24988ac-6180-42a0-ab88-20f7382dd24c" - } - ] - }, - "subscriptionBudget": { - "value": { - "createBudget": false - } - }, - "subscriptionTags": { - "value": { - "ISSO": "isso-tbd" - } - }, - "resourceTags": { - "value": { - "ClientOrganization": "client-organization-tag", - "CostCenter": "cost-center-tag", - "DataSensitivity": "data-sensitivity-tag", - "ProjectContact": "project-contact-tag", - "ProjectName": "project-name-tag", - "TechnicalContact": "technical-contact-tag" - } - }, - "privateDnsZones": { - "value": { - "enabled": true, - "resourceGroupName": "private-dns-rg" - } - }, - "ddosStandard": { - "value": { - "resourceGroupName": "ddos-rg", - "enabled": false, - "planName": "ddos-plan" - } - }, - "publicAccessZone": { - "value": { - "enabled": true, - "resourceGroupName": 
"pubsec-public-access-zone" - } - }, - "managementRestrictedZone": { - "value": { - "enabled": true, - "resourceGroupName": "pubsec-management-restricted-zone", - "network": { - "name": "management-restricted-vnet", - "addressPrefixes": [ - "10.18.4.0/22" - ], - "subnets": [ - { - "comments": "Management (Access Zone) Subnet", - "name": "MazSubnet", - "addressPrefix": "10.18.4.0/25", - "nsg": { - "enabled": true - }, - "udr": { - "enabled": true - } - }, - { - "comments": "Infrastructure Services (Restricted Zone) Subnet", - "name": "InfSubnet", - "addressPrefix": "10.18.4.128/25", - "nsg": { - "enabled": true - }, - "udr": { - "enabled": true - } - }, - { - "comments": "Security Services (Restricted Zone) Subnet", - "name": "SecSubnet", - "addressPrefix": "10.18.5.0/26", - "nsg": { - "enabled": true - }, - "udr": { - "enabled": true - } - }, - { - "comments": "Logging Services (Restricted Zone) Subnet", - "name": "LogSubnet", - "addressPrefix": "10.18.5.64/26", - "nsg": { - "enabled": true - }, - "udr": { - "enabled": true - } - }, - { - "comments": "Core Management Interfaces (Restricted Zone) Subnet", - "name": "MgmtSubnet", - "addressPrefix": "10.18.5.128/26", - "nsg": { - "enabled": true - }, - "udr": { - "enabled": true - } - } - ] - } - } - }, - "hub": { - "value": { - "resourceGroupName": "pubsec-hub-networking", - "bastion": { - "enabled": true, - "name": "bastion", - "sku": "Standard", - "scaleUnits": 2 - }, - "network": { - "name": "hub-vnet", - "addressPrefixes": [ - "10.18.0.0/22", - "100.60.0.0/16" - ], - "addressPrefixBastion": "192.168.0.0/16", - "subnets": { - "gateway": { - "comments": "Gateway Subnet used for VPN and/or Express Route connectivity", - "name": "GatewaySubnet", - "addressPrefix": "10.18.1.0/27" - }, - "bastion": { - "comments": "Azure Bastion", - "name": "AzureBastionSubnet", - "addressPrefix": "192.168.0.0/24" - }, - "public": { - "comments": "Public Subnet Name (External Facing (Internet/Ground))", - "name": "PublicSubnet", - 
"addressPrefix": "100.60.0.0/24" - }, - "publicAccessZone": { - "comments": "Public Access Zone (i.e. Application Gateway)", - "name": "PAZSubnet", - "addressPrefix": "100.60.1.0/24" - }, - "externalAccessNetwork": { - "comments": "External Access Network", - "name": "EanSubnet", - "addressPrefix": "10.18.0.0/27" - }, - "nonProductionInternal": { - "comments": "Non-production Internal for firewall appliances (Internal Facing Non-Production Traffic)", - "name": "DevIntSubnet", - "addressPrefix": "10.18.0.64/27" - }, - "productionInternal": { - "comments": "Production Internal for firewall appliances (Internal Facing Production Traffic)", - "name": "PrdIntSubnet", - "addressPrefix": "10.18.0.32/27" - }, - "managementRestrictedZoneInternal": { - "comments": "Management Restricted Zone", - "name": "MrzSubnet", - "addressPrefix": "10.18.0.96/27" - }, - "highAvailability": { - "comments": "High Availability (Firewall to Firewall heartbeat)", - "name": "HASubnet", - "addressPrefix": "10.18.0.128/28" - }, - "optional": [] - } - }, - "nvaFirewall": { - "image": { - "publisher": "fortinet", - "offer": "fortinet_fortigate-vm_v5", - "sku": "fortinet_fg-vm", - "version": "6.4.5", - "plan": "fortinet_fg-vm" - }, - "nonProduction": { - "internalLoadBalancer": { - "name": "pubsecDevFWILB", - "tcpProbe": { - "name": "lbprobe", - "port": 8008, - "intervalInSeconds": 5, - "numberOfProbes": 2 - }, - "internalIp": "10.18.0.68", - "externalIp": "100.60.0.7" - }, - "deployVirtualMachines": false, - "virtualMachines": [ - { - "name": "pubsecDevFW1", - "vmSku": "Standard_D8s_v4", - "internalIp": "10.18.0.69", - "externalIp": "100.60.0.8", - "mrzInternalIp": "10.18.0.104", - "highAvailabilityIp": "10.18.0.134", - "availabilityZone": "2" - }, - { - "name": "pubsecDevFW2", - "vmSku": "Standard_D8s_v4", - "internalIp": "10.18.0.70", - "externalIp": "100.60.0.9", - "mrzInternalIp": "10.18.0.105", - "highAvailabilityIp": "10.18.0.135", - "availabilityZone": "3" - } - ] - }, - "production": { - 
"internalLoadBalancer": { - "name": "pubsecProdFWILB", - "tcpProbe": { - "name": "lbprobe", - "port": 8008, - "intervalInSeconds": 5, - "numberOfProbes": 2 - }, - "internalIp": "10.18.0.36", - "externalIp": "100.60.0.4" - }, - "deployVirtualMachines": false, - "virtualMachines": [ - { - "name": "pubsecProdFW1", - "vmSku": "Standard_F8s_v2", - "internalIp": "10.18.0.37", - "externalIp": "100.60.0.5", - "mrzInternalIp": "10.18.0.101", - "highAvailabilityIp": "10.18.0.132", - "availabilityZone": "1" - }, - { - "name": "pubsecProdFW2", - "vmSku": "Standard_F8s_v2", - "internalIp": "10.18.0.38", - "externalIp": "100.60.0.6", - "mrzInternalIp": "10.18.0.102", - "highAvailabilityIp": "10.18.0.133", - "availabilityZone": "2" - } - ] - } - } - } - }, - "networkWatcher": { - "value": { - "resourceGroupName": "NetworkWatcherRG" - } - } - } -} From b9317d43df7357e5f352fc42d9accf6fd1028392 Mon Sep 17 00:00:00 2001 From: Barry Willis Date: Wed, 13 Sep 2023 14:18:59 -0700 Subject: [PATCH 9/9] reverting changes --- .pipelines/policy.yml | 6 +-- config/variables/Tredell-main.yml | 78 ------------------------------- 2 files changed, 3 insertions(+), 81 deletions(-) delete mode 100644 config/variables/Tredell-main.yml diff --git a/.pipelines/policy.yml b/.pipelines/policy.yml index 851d10e7..495f3469 100644 --- a/.pipelines/policy.yml +++ b/.pipelines/policy.yml 
@@ -96,14 +96,14 @@ stages: - template: templates/steps/define-policyset.yml parameters: description: 'Define Policy Set' - deployTemplates: [DNSPrivateEndpoints] + deployTemplates: [AKS, DefenderForCloud, DNSPrivateEndpoints, LogAnalytics, Network, Tags] deployOperation: ${{ variables['deployOperation'] }} workingDir: $(System.DefaultWorkingDirectory)/policy/custom/definitions/policyset - template: templates/steps/assign-policy.yml parameters: description: 'Assign Policy Set' - deployTemplates: [] + deployTemplates: [AKS, DefenderForCloud, LogAnalytics, Network, Tags] deployOperation: ${{ variables['deployOperation'] }} policyAssignmentManagementGroupScope: $(var-topLevelManagementGroupName) workingDir: $(System.DefaultWorkingDirectory)/policy/custom/assignments @@ -130,7 +130,7 @@ stages: - template: templates/steps/assign-policy.yml parameters: description: 'Assign Policy Set' - deployTemplates: [] + deployTemplates: [asb, cis-msft-130, location, nist80053r4, nist80053r5, pbmm, hitrust-hipaa, fedramp-moderate] deployOperation: ${{ variables['deployOperation'] }} policyAssignmentManagementGroupScope: $(var-topLevelManagementGroupName) workingDir: $(System.DefaultWorkingDirectory)/policy/builtin/assignments diff --git a/config/variables/Tredell-main.yml b/config/variables/Tredell-main.yml deleted file mode 100644 index 0fe391f0..00000000 --- a/config/variables/Tredell-main.yml +++ /dev/null 
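Review bot: The restored `deployTemplates` list for the define step contains `DNSPrivateEndpoints`, while the assign step immediately below it does not, and nothing in the hunk records whether that asymmetry is intended; a future clean-up like this one could easily "fix" it and start assigning a policy set at the top-level management group that was never meant to be applied there. If it is deliberate, add a comment on the define line, e.g. `# DNSPrivateEndpoints is only defined here; its assignment is handled elsewhere` with the actual reason filled in. The three lists are also repeated verbatim across stages, so a pipeline variable holding each list would keep the define and assign steps from drifting apart on the next revert. Both hunks are inside a `stages:` block that starts and ends outside the hunk.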
@@ -1,78 +0,0 @@ -variables: - var-hubnetwork-region: canadacentral - var-hubnetwork-managementGroupId: Connectivity - var-hubnetwork-azfw-configurationFileName: hub-azfw/hub-network.parameters.json - var-hubnetwork-nva-configurationFileName: hub-nva/hub-network.parameters.json - var-hubnetwork-subscriptionId: a0c1a4a0-74bc-422b-8e8d-71f1d016e69d - var-hubnetwork-azfwPolicy-configurationFileName: hub-azfw-policy/azure-firewall-policy.parameters.json - var-logging-managementGroupId: Management - var-logging-subscriptionId: 8dda93c7-1801-480d-a82a-2620875371fa - deploymentRegion: canadacentral - var-identity-managementGroupId: Identity - var-logging-diagnosticSettingsforNetworkSecurityGroupsStoragePrefix: pubsecnsg - var-logging-configurationFileName: logging.parameters.json - var-managementgroup-hierarchy: |- - { - "id": "61e54fa4-fa93-43b3-9775-a60c5495ffdc", - "name": "Tenant Root Group", - "children": [ - { - "id": "pubsec", - "name": "Canadian Public Sector Azure Landing Zones", - "children": [ - { - "id": "Platform", - "name": "Platform", - "children": [ - { - "id": "Management", - "name": "Management", - "children": [] - }, - { - "id": "Connectivity", - "name": "Connectivity", - "children": [] - }, - { - "id": "Identity", - "name": "Identity", - "children": [] - } - ] - }, - { - "id": "LandingZones", - "name": "LandingZones", - "children": [ - { - "id": "DevTest", - "name": "DevTest", - "children": [] - }, - { - "id": "QA", - "name": "QA", - "children": [] - }, - { - "id": "Prod", - "name": "Prod", - "children": [] - } - ] - }, - { - "id": "Sandbox", - "name": "Sandbox", - "children": [] - } - ] - } - ] - } - var-logging-region: canadacentral - var-identity-configurationFileName: identity.parameters.json - var-identity-region: canadacentral - var-identity-subscriptionId: 7281b8be-c687-468b-9519-a8e6b28f66c9 -