feat: azFw Basic SKU - Bicep (#207)
* feat: azFw Basic SKU - Bicep

* feat: Fw Basic - ARM implementation

* DOCS: fix heading
thotheod authored Apr 2, 2024
1 parent 911e61b commit 9e7ec5b
Showing 21 changed files with 4,610 additions and 1,629 deletions.
8 changes: 4 additions & 4 deletions README.md
Original file line number Diff line number Diff line change
@@ -13,7 +13,6 @@ This repository provides both enterprise architecture guidelines and a reference
- [Step 2. Configure and test the deployment in your own environment](#step-2-configure-and-test-the-deployment-in-your-own-environment)
- [Deploy with Azure Portal (Bicep/ARM)](#deploy-with-azure-portal-biceparm)
- [Locally deploy with Bicep](#locally-deploy-with-bicep)
- [Locally deploy with Terraform](#locally-deploy-with-terraform)
- [Step 3. Configure GitHub Actions](#step-3-configure-github-actions)
- [App Patterns](#app-patterns)
- [Got a feedback](#got-a-feedback)
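Review bot: this hunk deletes one of the seven table-of-contents entries, but the rendered view does not show which one. The later hunk in this file turns the Terraform section's `<summary><h4>…</h4></summary>` into plain summary text, and GitHub only generates anchors for real headings, so the `[Locally deploy with Terraform](#locally-deploy-with-terraform)` link can only keep working if it is the entry being removed here; please confirm that, or keep a heading the link can resolve to.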
@@ -89,7 +88,7 @@ Before deploying the Bicep IaC artifacts, you need to review and customize the v
The expandable table below summarizes the available parameters and the possible values that can be set.

<details>
<summary><h4>Bicep Configuration Parameters Table</h4></summary>
<summary>Bicep Configuration Parameters Table</summary>

| Name | Description | Example |
|------|-------------|---------|
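Review bot: replacing `<summary><h4>…</h4></summary>` with plain summary text is the right fix for a block heading rendering inside a disclosure widget, but it also removes the `#bicep-configuration-parameters-table` anchor; grep the docs for links to that anchor before merging. If the collapsed section should still stand out visually, `<summary><b>Bicep Configuration Parameters Table</b></summary>` keeps the emphasis without generating a heading.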
@@ -101,7 +100,8 @@ The expandable table below summarizes the available parameters and the possible
|firewallInternalIp|If you select to create a new Hub, the UDR for locking the egress traffic will be created as well, no matter what value you set to that variable. However, if you select to connect to an existing hub, then you need to provide the internal IP of the azure firewal so that the deployment can create the UDR for locking down egress traffic. If not given, no UDR will be created||
|vnetHubAddressSpace|If you deploy a new hub, you need to set the appropriate CIDR of the newly created Hub virtual network|10.242.0.0/20|
|subnetHubFirewallAddressSpace|CIDR of the subnet that will host the azure Firewall|10.242.0.0/26|
|subnetHubBastionAddressSpace|CIDR of the subnet that will host the Bastion Service|10.242.0.64/26|
|subnetHubFirewallManagementAddressSpace|CIDR to use for the AzureFirewallManagementSubnet, which is required by AzFW Basic|10.242.0.64/26|
|subnetHubBastionAddressSpace|CIDR of the subnet that will host the Bastion Service|10.242.0.128/26|
|vnetSpokeAddressSpace|CIDR of the spoke vnet that will hold the app services plan and the rest supporting services (and their private endpoints)|10.240.0.0/20|
|subnetSpokeAppSvcAddressSpace|CIDR of the subnet that will hold the app services plan. ATTENTION: If you deploy ASEv3 this CIDR should be x.x.x.x/24 |10.240.0.0/26 (*USE 10.240.0.0/24 if deployAseV3=true*)|
|subnetSpokeDevOpsAddressSpace|CIDR of the subnet that will hold devOps agents etc|10.240.10.128/26|
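Review bot: the new `subnetHubFirewallManagementAddressSpace` example (`10.242.0.64/26`) is exactly the previous `subnetHubBastionAddressSpace` example, and the Bastion example moves to `10.242.0.128/26`; anyone who reuses an existing parameter file that still pins Bastion to `10.242.0.64/26` will now get two overlapping subnets and a failed VNet deployment. Call this out as a breaking default change in the table or release notes, and state the size constraint in the description, since `AzureFirewallManagementSubnet` must be at least a /26. In the touched context rather than the change itself: `firewal` in the `firewallInternalIp` row.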
@@ -119,7 +119,7 @@ The expandable table below summarizes the available parameters and the possible

</details>
<details>
<summary><h4> Locally deploy with Terraform</h4></summary>
<summary> Locally deploy with Terraform </summary>
1. Ensure you are logged in to Azure CLI and have selected the correct subscription.
1. Navigate to the Terraform deployment directory (same directory as the `main.tf` file).
- [scenarios/secure-baseline-multitenant/terraform/hub](scenarios/secure-baseline-multitenant/terraform/hub/)
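Review bot: dropping the `<h4>` from the `<summary>` fixes the rendering but means GitHub no longer emits a heading anchor for this section, so any `#locally-deploy-with-terraform` link (the README table of contents carries one unless that was the entry deleted in the first hunk) stops resolving. If the section must stay linkable, put a real heading as the first line inside the `<details>` body, or drop the link.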
@@ -27,7 +27,8 @@ The table below summarizes the available parameters and the possible values that
|firewallInternalIp|If you select to create a new Hub, the UDR for locking the egress traffic will be created as well, no matter what value you set to that variable. However, if you select to connect to an existing hub, then you need to provide the internal IP of the azure firewall so that the deployment can create the UDR for locking down egress traffic. If not given, no UDR will be created||
|vnetHubAddressSpace|If you deploy a new hub, you need to set the appropriate CIDR of the newly created Hub virtual network|10.242.0.0/20|
|subnetHubFirewallAddressSpace|CIDR of the subnet that will host the azure Firewall|10.242.0.0/26|
|subnetHubBastionAddressSpace|CIDR of the subnet that will host the Bastion Service|10.242.0.64/26|
|subnetHubFirewallManagementAddressSpace|CIDR to use for the AzureFirewallManagementSubnet, which is required by AzFW Basic|10.242.0.64/26|
|subnetHubBastionAddressSpace|CIDR of the subnet that will host the Bastion Service|10.242.0.128/26|
|vnetSpokeAddressSpace|CIDR of the spoke vnet that will hold the app services plan and the rest supporting services (and their private endpoints)|10.240.0.0/20|
|subnetSpokeAppSvcAddressSpace|CIDR of the subnet that will hold the app services plan|10.240.0.0/26|
|subnetSpokeDevOpsAddressSpace|CIDR of the subnet that will hold devOps agents etc|10.240.10.128/26|
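Review bot: this second copy of the parameter table is edited by hand in lockstep with the one in the top-level README, and the two already diverge (this copy spells `firewall` correctly and lacks the ASEv3 `/24` note on `subnetSpokeAppSvcAddressSpace`). The same caveat as in the other table applies: the old Bastion example CIDR is now the management-subnet example, so stale parameter files will collide. Consider keeping the table in one place and linking to it from the other document.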
@@ -32,4 +32,10 @@ for webapp_id in $webapp_ids; do
done


# test
# test

# https://portal.azure.com/#view/Microsoft_Azure_CreateUIDef/CustomDeploymentBlade/uri/URL_TEMPLATE/uiFormDefinitionUri/CUSTOM_UI_DEF_JSON
# <!-- URL_TEMPLATE: The URL Encoded version of the URI to the remote Azure ARM deployment template -->
# <!-- CUSTOM_UI_DEF_JSON: The URL Encoded version of the URI to the custom UI Definition json file -->

# <!-- The actual link for our sample deployment -->
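Review bot: the two `# test` scratch comments and the commented-out portal URL recipe read as working notes rather than script content, and the closing `# <!-- The actual link for our sample deployment -->` is not followed by any link within this hunk. Either drop the scratch lines or move the portal-link instructions, with the real URL, into the docs next to the "Deploy with Azure Portal (Bicep/ARM)" section, where the `URL_TEMPLATE` and `CUSTOM_UI_DEF_JSON` placeholders are actually useful; the HTML comment markers inside `#` shell comments are just noise either way.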
@@ -378,12 +378,33 @@
"infoMessages": [],
"visible": "[equals(steps('networking').sectionHubSelector.deployHub, 'deployNew')]"
},
{
"name": "subnetHubFirewallManagementAddressSpace",
"type": "Microsoft.Common.TextBox",
"label": "Azure Firewall Management Subnet Address Prefix (azFW Basic)",
"subLabel": "",
"defaultValue": "10.242.0.64/26",
"toolTip": "CIDR to use for the Azure Firewall Management subnet (Azure Firewall Basic). Optional if you want to use an existing hub vnet (vnetHubResourceId)",
"constraints": {
"required": true,
"regex": "",
"validationMessage": "",
"validations": [
{
"regex": "^(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(?:\/(2[0-6]))$",
"message": "Invalid CIDR range. The address prefix must be in the range [20,26]."
}
]
},
"infoMessages": [],
"visible": "[equals(steps('networking').sectionHubSelector.deployHub, 'deployNew')]"
},
{
"name": "subnetHubBastionAddressSpace",
"type": "Microsoft.Common.TextBox",
"label": "Hub Subnet CIDR for Bastion Service",
"subLabel": "",
"defaultValue": "10.242.0.64/26",
"defaultValue": "10.242.0.128/26",
"toolTip": "CIDR of the subnet hosting the Bastion Service - optional if you want to use an existing hub vnet (vnetHubResourceId)",
"constraints": {
"required": false,
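Review bot: `"required": true` on the new `subnetHubFirewallManagementAddressSpace` textbox contradicts its own toolTip ("Optional if you want to use an existing hub vnet") and differs from the sibling `subnetHubBastionAddressSpace`, which is `"required": false`. Since the control is only visible when `deployHub` is `deployNew` the practical effect is limited, but pick one behaviour and align the toolTip, `required`, and the Bastion field. The regex admits prefixes /20 through /26 inclusive, which matches the validation message and correctly rejects anything smaller than the /26 that `AzureFirewallManagementSubnet` requires; the empty top-level `regex` and `validationMessage` beside a populated `validations` array are redundant and could be dropped.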
@@ -1168,6 +1189,7 @@
"environmentName": "[steps('basics').environmentName]",
"vnetHubAddressSpace": "[steps('networking').vnetHubAddressSpace]",
"subnetHubFirewallAddressSpace": "[steps('networking').subnetHubFirewallAddressSpace]",
"subnetHubFirewallManagementAddressSpace": "[steps('networking').subnetHubFirewallManagementAddressSpace]",
"subnetHubBastionAddressSpace": "[steps('networking').subnetHubBastionAddressSpace]",
"vnetSpokeAddressSpace": "[steps('networking').vnetSpokeAddressSpace]",
"subnetSpokeAppSvcAddressSpace": "[if( equals ( steps('basics').appSvcPlanSection.deployAseV3, true), steps('networking').subnetSpokeAppSvcAddressSpaceAse , steps('networking').subnetSpokeAppSvcAddressSpace )]",
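Review bot: the new `subnetHubFirewallManagementAddressSpace` output is emitted unconditionally, including when the user selects an existing hub and the textbox is hidden, so the backing ARM/Bicep template must declare a parameter with exactly this name and ignore it in that case; those template changes are part of this commit but not visible in this hunk, so a quick check that the parameter name and its default match would avoid a silent mismatch at deployment time.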