diff --git a/docs/02-Architecture.md b/docs/02-Architecture.md index 8a5ca611..7dc031eb 100644 --- a/docs/02-Architecture.md +++ b/docs/02-Architecture.md @@ -21,4 +21,4 @@ The SLZ deploys under the [tenant root group](https://learn.microsoft.com/azure/ [Overview of the Sovereign Landing Zone deployment](03-Deployment-Overview.md) -### [Legal Notice](./NOTICE.md) +### [Microsoft Legal Notice](./NOTICE.md) diff --git a/docs/08-Deploy-SLZ.md b/docs/08-Deploy-SLZ.md index 8c79e4c0..32ec25c7 100644 --- a/docs/08-Deploy-SLZ.md +++ b/docs/08-Deploy-SLZ.md @@ -17,6 +17,6 @@ Please reference [Frequently Asked Questions](12-FAQ.md) for commons errors and ## Next step -[Deploy Customize Policies](09-Customize-Policies.md) +[Deploy Customized Policies](09-Customize-Policies.md) ### [Microsoft Legal Notice](./NOTICE.md) diff --git a/docs/10-Compliance-Dashboard.md b/docs/10-Compliance-Dashboard.md index e1594ae8..182e10fa 100644 --- a/docs/10-Compliance-Dashboard.md +++ b/docs/10-Compliance-Dashboard.md @@ -34,4 +34,4 @@ The compliance dashboard is customizable and [can be extended](scenarios/Extendi [Conclusion](11-Conclusion.md) -## [Microsoft Legal Notice](./NOTICE.md) +### [Microsoft Legal Notice](./NOTICE.md) diff --git a/docs/11-Conclusion.md b/docs/11-Conclusion.md index 94513ed4..55e8fecc 100644 --- a/docs/11-Conclusion.md +++ b/docs/11-Conclusion.md @@ -8,4 +8,4 @@ You can now improve upon on your [compliance policies](09-Customize-Policies.md) Visit our [Frequently Asked Questions](12-FAQ.md) page for common queries or [Scenarios](scenarios/README.md) for common post-deployment operations. Log a [GitHub Issue](https://github.com/Azure/sovereign-landing-zone/issues) for any problems you are encountering getting started with or managing your SLZ deployment. -## [Microsoft Legal Notice](./NOTICE.md) +### [Microsoft Legal Notice](./NOTICE.md) diff --git a/docs/12-FAQ.md b/docs/12-FAQ.md index 7eab475a..4571cf87 100644 --- a/docs/12-FAQ.md +++ b/docs/12-FAQ.md 
@@ -98,7 +98,7 @@ This error is likely to occur if the subscriptions being created in the Bootstra ### What are the allowed Azure resource types for confidential management groups (Confidential Corp and Confidential Online)? -For an overview of confidential computing resources in Azure please refer to this [documentation.](https://learn.microsoft.com/azure/confidential-computing/overview-azure-products) The list used by the SLZ can be found [here](../modules/compliance/policyAssignments/policy_assignment_deploy_slz_confidential_defaults.tmpl.json), and the list can be customized to meet an organization's needs. +For an overview of confidential computing resources in Azure please refer to this [documentation.](https://learn.microsoft.com/azure/confidential-computing/overview-azure-products) The list used by the SLZ can be found [here](../../dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_sovereignty_baseline_conf.tmpl.json), and the list can be customized to meet an organization's needs. ### What information should I consider removing from my failed deployment details logs? @@ -225,4 +225,4 @@ While we are working on a resolution, users can mitigate this by setting the `pa You will need to assign an Azure `Reader` role the user at the top-level management group scope. Please follow instructions here on how to add an Azure role: [Azure Role Based Access Control](https://learn.microsoft.com/azure/role-based-access-control/role-assignments-portal) -## [Microsoft Legal Notice](./NOTICE.md) +### [Microsoft Legal Notice](./NOTICE.md) diff --git a/docs/13-Troubleshooting.md b/docs/13-Troubleshooting.md index e25fff6f..cffc4de1 100644 --- a/docs/13-Troubleshooting.md +++ b/docs/13-Troubleshooting.md 
@@ -16,6 +16,19 @@ When an error occurs, the error message will most often be presented in a human ![SLZ Error in Logs](images/determine-error-message.png) +## Bicep Errors + +### Using a type union declaration requires enabling EXPERIMENTAL feature "UserDefinedTypes". + +Commonly, this is caused by having 2 versions of Bicep installed where one version is not being updated. This can be checked by running: + +``` +az bicep version +bicep --version +``` + +Make sure both installs have the [required minimal version.](./05-Permissions-Tooling.md#tooling-required) + ## Bootstrap Errors ### User is not authorized to create subscriptions on this enrollment account. @@ -64,4 +77,4 @@ This error means that the SLZ Global Defaults policy assignment has been configu Once a valid value is provided, run the SLZ compliance deployment step to update the policy assignment, then rerun the SLZ deployment. This error is related to the other ones where policy is blocking the resource. -## [Microsoft Legal Notice](./NOTICE.md) +### [Microsoft Legal Notice](./NOTICE.md) diff --git a/docs/scenarios/Sovereignty-Baseline-Policy-Initiatives.md b/docs/scenarios/Sovereignty-Baseline-Policy-Initiatives.md index 6f164a17..b6bd2821 100644 --- a/docs/scenarios/Sovereignty-Baseline-Policy-Initiatives.md +++ b/docs/scenarios/Sovereignty-Baseline-Policy-Initiatives.md 
@@ -22,8 +22,8 @@ The following parameters are useful for configuring the policy baseline: The related policies are in the `dashboard-Data Residency` group within these files: -* [SLZ Global Defaults](../../modules/compliance/policySetDefinitions/slzGlobalDefaults.json) -* [SLZ Confidential Defaults](../../modules/compliance/policySetDefinitions/slzConfidentialDefaults.json) +* [SLZ Global Defaults](https://learn.microsoft.com/azure/governance/policy/samples/mcfs-baseline-global#so1---data-residency) +* [SLZ Confidential Defaults](https://learn.microsoft.com/azure/governance/policy/samples/mcfs-baseline-confidential#so1---data-residency) ### SO-2 @@ -37,9 +37,9 @@ There is no policy in the baseline that supports this and it is intended to be a The related policies are in the `dashboard-Confidential Computing` group within these files: -* [SLZ Confidential Defaults](../../modules/compliance/policySetDefinitions/slzConfidentialDefaults.json) +* [SLZ Confidential Defaults](https://learn.microsoft.com/azure/governance/policy/samples/mcfs-baseline-confidential#so3---customer-managed-keys) -**Note** The resources are intended to be restricted to only those that have SKUs backed by confidential computing or do not process customer data. If this list is too restrictive, users are recommended to add other approved resources to the [allowed resources list](../../modules/compliance/policyAssignments/policy_assignment_deploy_slz_confidential_defaults.tmpl.json) in the assignment definition. +**Note** The resources are intended to be restricted to only those that have SKUs backed by confidential computing or do not process customer data. If this list is too restrictive, users are recommended to add other approved resources to the [allowed resources list](../../dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_sovereignty_baseline_conf.tmpl.json) in the assignment definition. ### SO-4 
@@ -47,7 +47,7 @@ The related policies are in the `dashboard-Confidential Computing` group within The related policies are in the `dashboard-Key Management` group within these files: -* [SLZ Confidential Defaults](../../modules/compliance/policySetDefinitions/slzConfidentialDefaults.json) +* [SLZ Confidential Defaults](https://learn.microsoft.com/azure/governance/policy/samples/mcfs-baseline-confidential#so4---azure-confidential-computing) ## Improvement Ideas diff --git a/modules/dashboard/dashboard.bicep b/modules/dashboard/dashboard.bicep index 1d0fd654..6b5cda1e 100644 --- a/modules/dashboard/dashboard.bicep +++ b/modules/dashboard/dashboard.bicep @@ -84,6 +84,7 @@ var varDefaultTitles = [ } } } + partHeader: {} } } { @@ -254,6 +255,7 @@ var varDefaultTitles = [ } } } + partHeader: {} } } { @@ -526,6 +528,7 @@ var varDefaultTitles = [ } } } + partHeader: {} } } { @@ -697,6 +700,7 @@ var varDefaultTitles = [ } } } + partHeader: {} } } { @@ -915,7 +919,7 @@ resource resDashboard 'Microsoft.Portal/dashboards@2020-09-01-preview' = { colSpan: part.position.colSpan rowSpan: part.position.rowSpan } - #disable-next-line BCP037 + #disable-next-line BCP036 BCP037 metadata: contains(part.metadata.type, 'MarkdownPart') ? { inputs: part.metadata.inputs type: part.metadata.type diff --git a/orchestration/defaultCompliance/defaultCompliance.bicep b/orchestration/defaultCompliance/defaultCompliance.bicep index 30ea933b..0896688a 100644 --- a/orchestration/defaultCompliance/defaultCompliance.bicep +++ b/orchestration/defaultCompliance/defaultCompliance.bicep 
@@ -156,7 +156,7 @@ module modAlzPolicyAssignments '../../dependencies/infra-as-code/bicep/modules/p } // The following module is used to deploy the policy exemptions -module modPolicyExemptionsConfidentialOnline '../../modules/compliance/policyExemptions.bicep' = { +module modPolicyExemptionsConfidentialOnline '../../modules/compliance/policyExemptions.bicep' = if (varDeploySlzBuiltInPolicies) { scope: managementGroup(varPolicyExemptionConfidentialOnlineManagementGroup) name: take('${parDeploymentPrefix}-deploy-policy-exemptions${parDeploymentSuffix}', 64) params: { @@ -171,7 +171,7 @@ module modPolicyExemptionsConfidentialOnline '../../modules/compliance/policyExe } // The following module is used to deploy the policy exemptions -module modPolicyExemptionsConfidentialCorp '../../modules/compliance/policyExemptions.bicep' = { +module modPolicyExemptionsConfidentialCorp '../../modules/compliance/policyExemptions.bicep' = if (varDeploySlzBuiltInPolicies) { scope: managementGroup(varPolicyExemptionConfidentialCorpManagementGroup) name: take('${parDeploymentPrefix}-deploy-policy-exemptions${parDeploymentSuffix}', 64) params: { diff --git a/orchestration/scripts/New-Platform.ps1 b/orchestration/scripts/New-Platform.ps1 index df0b4c26..79ec6a2e 100644 --- a/orchestration/scripts/New-Platform.ps1 +++ b/orchestration/scripts/New-Platform.ps1 
@@ -98,6 +98,7 @@ function New-Platform { parVpnGatewayAsn = [string]::IsNullOrEmpty($parParameters.parVpnGatewayConfig.value.asn) ? 65515 : $parParameters.parVpnGatewayConfig.value.asn parVpnGatewayBgpPeeringAddress = $parParameters.parVpnGatewayConfig.value.bgpPeeringAddress parVpnGatewayPeerWeight = [string]::IsNullOrEmpty($parParameters.parVpnGatewayConfig.value.peerWeight) ? 5 : $parParameters.parVpnGatewayConfig.value.peerWeight + parVpnGatewayClientConfiguration = $parParameters.parVpnGatewayConfig.value.vpnClientConfiguration parBastionOutboundSshRdpPorts = $parParameters.parBastionOutboundSshRdpPorts.value parDeployLogAnalyticsWorkspace = $parParameters.parDeployLogAnalyticsWorkspace.value parTags = Convert-ToHashTable($parParameters.parTags.value) diff --git a/orchestration/scripts/parameters/sovereignLandingZone.parameters.json b/orchestration/scripts/parameters/sovereignLandingZone.parameters.json index 4faedf39..b124f961 100644 --- a/orchestration/scripts/parameters/sovereignLandingZone.parameters.json +++ b/orchestration/scripts/parameters/sovereignLandingZone.parameters.json @@ -411,7 +411,8 @@ "enableDnsForwarding": false, "asn": 65515, "bgpPeeringAddress": "", - "peerWeight": 5 + "peerWeight": 5, + "vpnClientConfiguration": null }, "value": null, "description": "Optional configuration options for the VPN Gateway." diff --git a/orchestration/sovereignPlatform/sovereignPlatform.bicep b/orchestration/sovereignPlatform/sovereignPlatform.bicep index 83c6255f..e4e21518 100644 --- a/orchestration/sovereignPlatform/sovereignPlatform.bicep +++ b/orchestration/sovereignPlatform/sovereignPlatform.bicep @@ -187,6 +187,9 @@ param parVpnGatewayBgpPeeringAddress string = '' @description('Bgp peer weight. Default: 5') param parVpnGatewayPeerWeight int = 5 +@description('Vpn Client Configuration. Default: {}') +param parVpnGatewayClientConfiguration object = {} + @description('Enable Firewall. Default:True') param parEnableFirewall bool = true 
@@ -412,6 +415,7 @@ module modHubNetworking '../../dependencies/infra-as-code/bicep/modules/hubNetwo bgpPeeringAddress: parVpnGatewayBgpPeeringAddress peerWeight: parVpnGatewayPeerWeight } + vpnClientConfiguration: parVpnGatewayClientConfiguration } } dependsOn: [
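Review bot: the docs/08-Deploy-SLZ.md hunk corrects "Deploy Customize Policies" to "Deploy Customized Policies" but leaves the typo in the unchanged context line above it, "for commons errors and"; change that to "for common errors" while the file is being touched.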
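Review bot: the replacement allowed-resources link in the docs/12-FAQ.md hunk resolves one directory too high. From docs/12-FAQ.md, `../../dependencies/...` points above the repository root, whereas the old link used a single `../` to reach `modules/`; the same target is reached with `../../dependencies/...` from docs/scenarios/Sovereignty-Baseline-Policy-Initiatives.md only because that file sits one level deeper. The FAQ link should be `../dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_sovereignty_baseline_conf.tmpl.json`.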
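Review bot: the new "Bicep Errors" section in the docs/13-Troubleshooting.md hunk stops at "Make sure both installs have the required minimal version" without saying how to bring each install up to date; add the update step for the copy bundled with the Azure CLI (`az bicep upgrade`) and for the standalone install, and write "minimum version" rather than "minimal version". Two smaller points in the same hunk: the fenced block carries no language tag (`shell` fits the two commands shown), and the `###` heading ends with a period, which the neighbouring error headings in this file do not.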
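Review bot: in the docs/scenarios/Sovereignty-Baseline-Policy-Initiatives.md hunks the unchanged lead-in sentences still read "within these files:", but the bullets now link to learn.microsoft.com pages instead of the repository JSON files; reword to "documented in these pages:" or similar. The anchors also look crossed and should be checked against the published pages: the bullet under the `dashboard-Confidential Computing` group links to `#so3---customer-managed-keys`, while the bullet under the `dashboard-Key Management` group links to `#so4---azure-confidential-computing`.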
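Review bot: the modules/dashboard/dashboard.bicep hunks widen the suppression on the `metadata:` line from `#disable-next-line BCP037` to `#disable-next-line BCP036 BCP037` while also adding an empty `partHeader: {}` to four tiles, and neither change is explained. Suppressing BCP036 hides type-mismatch diagnostics for the whole object, not only the property this change needed, so state in a comment next to the first `partHeader: {}` why the dashboard schema requires it; if it exists only to quiet a warning, a narrower fix (typing the object correctly) is preferable to broadening the suppression.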
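Review bot: both exemption modules in the orchestration/defaultCompliance/defaultCompliance.bicep hunks become conditional on `varDeploySlzBuiltInPolicies`, but the comment above each still reads only "The following module is used to deploy the policy exemptions" and is identical for the Confidential Online and Confidential Corp variants. Update each comment to name the target management group and the condition, and confirm that nothing downstream reads outputs of `modPolicyExemptionsConfidentialOnline` or `modPolicyExemptionsConfidentialCorp` unguarded, since a conditional module's outputs are not populated when the condition is false.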
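Review bot: the new `parVpnGatewayClientConfiguration` line in the orchestration/scripts/New-Platform.ps1 hunk passes `$parParameters.parVpnGatewayConfig.value.vpnClientConfiguration` through unguarded, while the adjacent `asn` and `peerWeight` lines default via `[string]::IsNullOrEmpty(...) ? default : value`. The parameters-file hunk sets the new default to `"vpnClientConfiguration": null` and the sovereignPlatform.bicep hunk declares `param parVpnGatewayClientConfiguration object = {}`, so a null is handed to an `object` parameter; mirror the neighbouring pattern, e.g. `($null -eq $parParameters.parVpnGatewayConfig.value.vpnClientConfiguration) ? @{} : $parParameters.parVpnGatewayConfig.value.vpnClientConfiguration`. The description "Vpn Client Configuration. Default: {}" and the JSON description also say nothing about the accepted keys; because this object configures point-to-site client access to the hub gateway (authentication and trust settings), document the expected shape or give the parameter a user-defined type rather than a bare `object`.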