Azure · lisamurphy-msft · Sep 15, 2022 · Sep 14, 2022
@@ -277,28 +277,28 @@ param operationsVirtualNetworkDiagnosticsMetrics array = []
 @description('An array of Network Security Group rules to apply to the Operations Virtual Network. See https://docs.microsoft.com/en-us/azure/templates/microsoft.network/networksecuritygroups/securityrules?tabs=bicep#securityrulepropertiesformat for valid settings.')
 param operationsNetworkSecurityGroupRules array = [
   {
-  name: 'Allow-Traffic-From-Spokes'
-  properties: {
-    access: 'Allow'
-    description: 'Allow traffic from spokes'
-    destinationAddressPrefix: operationsVirtualNetworkAddressPrefix
-    destinationPortRanges: [
-      '22'
-      '80'
-      '443'
-      '3389'
-    ]
-    direction: 'Inbound'
-    priority: 200
-    protocol: '*'
-    sourceAddressPrefixes: [
-      identityVirtualNetworkAddressPrefix
-      sharedServicesVirtualNetworkAddressPrefix
-    ]
-    sourcePortRange: '*'
+    name: 'Allow-Traffic-From-Spokes'
+    properties: {
+      access: 'Allow'
+      description: 'Allow traffic from spokes'
+      destinationAddressPrefix: operationsVirtualNetworkAddressPrefix
+      destinationPortRanges: [
+        '22'
+        '80'
+        '443'
+        '3389'
+      ]
+      direction: 'Inbound'
+      priority: 200
+      protocol: '*'
+      sourceAddressPrefixes: [
+        identityVirtualNetworkAddressPrefix
+        sharedServicesVirtualNetworkAddressPrefix
+      ]
+      sourcePortRange: '*'
+    }
+    type: 'string'
   }
-  type: 'string'
-}
 ]
 
 @description('An array of Network Security Group diagnostic logs to apply to the Operations Virtual Network. See https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-nsg-manage-log#log-categories for valid settings.')
@@ -711,9 +711,9 @@ var spokes = [
 // TAGS
 
 var defaultTags = {
-  'resourcePrefix': resourcePrefix
-  'resourceSuffix': resourceSuffix
-  'DeploymentType': 'MissionLandingZoneARM'
+  resourcePrefix: resourcePrefix
+  resourceSuffix: resourceSuffix
+  DeploymentType: 'MissionLandingZoneARM'
 }
 
 var calculatedTags = union(tags, defaultTags)
@@ -937,7 +937,7 @@ module hubSubscriptionActivityLogging './modules/central-logging.bicep' = {
   ]
 }
 
-module azureMonitorPrivateLink './modules/private-link.bicep' = if ( contains(supportedClouds, environment().name) ){
+module azureMonitorPrivateLink './modules/private-link.bicep' = if (contains(supportedClouds, environment().name)) {
   name: 'azure-monitor-private-link'
   scope: resourceGroup(operationsSubscriptionId, operationsResourceGroupName)
   params: {

@@ -5,32 +5,32 @@ Licensed under the MIT License.
 
 targetScope = 'subscription'
 
-param bundle array = (environment().name == 'AzureCloud') ? [  
-	'AppServices'
-	'Arm'
-	'ContainerRegistry'
-	'Containers'
-	'CosmosDbs'
-	'Dns'
-	'KeyVaults'
-	'KubernetesService'
-	'OpenSourceRelationalDatabases'
-	'SqlServers'
-	'SqlServerVirtualMachines'
-	'StorageAccounts'
-	'VirtualMachines'
-  ] : (environment().name == 'AzureUSGovernment') ? [
-	'Arm'
-	'ContainerRegistry'
-	'Containers'
-	'Dns'
-	'KubernetesService'
-	'OpenSourceRelationalDatabases'
-	'SqlServers'
-	'SqlServerVirtualMachines'
-	'StorageAccounts'
-	'VirtualMachines'
-  ] : []
+param bundle array = (environment().name == 'AzureCloud') ? [
+  'AppServices'
+  'Arm'
+  'ContainerRegistry'
+  'Containers'
+  'CosmosDbs'
+  'Dns'
+  'KeyVaults'
+  'KubernetesService'
+  'OpenSourceRelationalDatabases'
+  'SqlServers'
+  'SqlServerVirtualMachines'
+  'StorageAccounts'
+  'VirtualMachines'
+] : (environment().name == 'AzureUSGovernment') ? [
+  'Arm'
+  'ContainerRegistry'
+  'Containers'
+  'Dns'
+  'KubernetesService'
+  'OpenSourceRelationalDatabases'
+  'SqlServers'
+  'SqlServerVirtualMachines'
+  'StorageAccounts'
+  'VirtualMachines'
+] : []
 
 @description('Turn automatic deployment by Defender of the MMA (OMS VM extension) on or off')
 param enableAutoProvisioning bool = true
@@ -45,7 +45,6 @@ param emailSecurityContact string
 @description('Policy Initiative description field')
 param policySetDescription string = 'The Azure Security Benchmark initiative represents the policies and controls implementing security recommendations defined in Azure Security Benchmark v2, see https://aka.ms/azsecbm. This also serves as the Microsoft Defender for Cloud default policy initiative. You can directly assign this initiative, or manage its policies and compliance results within Microsoft Defender.'
 
-
 // defender
 
 resource defenderPricing 'Microsoft.Security/pricings@2018-06-01' = [for name in bundle: {
@@ -64,7 +63,7 @@ resource autoProvision 'Microsoft.Security/autoProvisioningSettings@2017-08-01-p
   }
 }
 
-resource securityWorkspaceSettings  'Microsoft.Security/workspaceSettings@2017-08-01-preview' = {
+resource securityWorkspaceSettings 'Microsoft.Security/workspaceSettings@2017-08-01-preview' = {
   name: 'default'
   properties: {
     workspaceId: logAnalyticsWorkspaceId
@@ -89,6 +88,6 @@ resource securityPoliciesDefault 'Microsoft.Authorization/policyAssignments@2020
     description: policySetDescription
     enforcementMode: 'DoNotEnforce'
     parameters: {}
-    policyDefinitionId: '/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8'
+    policyDefinitionId: tenantResourceId('Microsoft.Authorization/policySetDefinitions', '1f3afdf9-d0c9-4c3d-847f-89da613e70a8')
   }
 }
@@ -11,7 +11,6 @@ param supportedClouds array = [
   'AzureUSGovernment'
 ]
 
-
 resource logAnalyticsWorkspace 'Microsoft.OperationalInsights/workspaces@2021-06-01' existing = {
   name: logAnalyticsWorkspaceName
 }
@@ -20,15 +19,9 @@ resource stg 'Microsoft.Storage/storageAccounts@2021-02-01' existing = {
   name: diagnosticStorageAccountName
 }
 
-resource securityContacts 'Microsoft.Security/securityContacts@2017-08-01-preview' existing = {
-  name: 'securityNotifications'
-  scope: subscription()
-}
-
-
 //// Setting log analytics to collect its own diagnostics to itself and to storage
-resource logAnalyticsDiagnostics 'Microsoft.Insights/diagnosticSettings@2017-05-01-preview' = if ( contains(supportedClouds, environment().name)) {
-  name: 'enable-log-analytics-diagnostics'  
+resource logAnalyticsDiagnostics 'Microsoft.Insights/diagnosticSettings@2017-05-01-preview' = if (contains(supportedClouds, environment().name)) {
+  name: 'enable-log-analytics-diagnostics'
   scope: logAnalyticsWorkspace
   properties: {
     workspaceId: logAnalyticsWorkspace.id

@@ -29,23 +29,23 @@ resource logAnalyticsWorkspace 'Microsoft.OperationalInsights/workspaces@2021-06
 var policyDefinitionID = {
   NISTRev4: {
     id: '/providers/Microsoft.Authorization/policySetDefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f'
-    parameters: json(replace(loadTextContent('policies/NISTRev4-policyAssignmentParameters.json'),'<LAWORKSPACE>', logAnalyticsWorkspace.id))
+    parameters: json(replace(loadTextContent('policies/NISTRev4-policyAssignmentParameters.json'), '<LAWORKSPACE>', logAnalyticsWorkspace.id))
   }
   NISTRev5: {
     id: '/providers/Microsoft.Authorization/policySetDefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f'
     parameters: json(loadTextContent('policies/NISTRev5-policyAssignmentParameters.json'))
   }
   IL5: {
     id: '/providers/Microsoft.Authorization/policySetDefinitions/f9a961fa-3241-4b20-adc4-bbf8ad9d7197'
-    parameters: json(replace(loadTextContent('policies/IL5-policyAssignmentParameters.json'),'<LAWORKSPACE>', logAnalyticsWorkspace.id))
+    parameters: json(replace(loadTextContent('policies/IL5-policyAssignmentParameters.json'), '<LAWORKSPACE>', logAnalyticsWorkspace.id))
   }
   CMMC: {
     id: '/providers/Microsoft.Authorization/policySetDefinitions/b5629c75-5c77-4422-87b9-2509e680f8de'
-    parameters: json(replace(loadTextContent('policies/CMMC-policyAssignmentParameters.json'),'<LAWORKSPACE>', logAnalyticsWorkspace.properties.customerId))
+    parameters: json(replace(loadTextContent('policies/CMMC-policyAssignmentParameters.json'), '<LAWORKSPACE>', logAnalyticsWorkspace.properties.customerId))
   }
 }
 
-var modifiedAssignment = ( environment().name =~ 'AzureCloud' && builtInAssignment =~ 'IL5' ? 'NISTRev4' : builtInAssignment )
+var modifiedAssignment = (environment().name =~ 'AzureCloud' && builtInAssignment =~ 'IL5' ? 'NISTRev4' : builtInAssignment)
 var assignmentName = '${modifiedAssignment} ${resourceGroup().name}'
 var agentVmssAssignmentName = 'Deploy VMSS Agents ${resourceGroup().name}'
 var agentVmAssignmentName = 'Deploy VM Agents ${resourceGroup().name}'
@@ -57,8 +57,8 @@ resource assignment 'Microsoft.Authorization/policyAssignments@2020-09-01' = {
   name: assignmentName
   location: location
   properties: {
-      policyDefinitionId: policyDefinitionID[modifiedAssignment].id
-      parameters: policyDefinitionID[modifiedAssignment].parameters
+    policyDefinitionId: policyDefinitionID[modifiedAssignment].id
+    parameters: policyDefinitionID[modifiedAssignment].parameters
   }
   identity: {
     type: 'SystemAssigned'
@@ -69,7 +69,7 @@ resource vmssAgentAssignment 'Microsoft.Authorization/policyAssignments@2020-09-
   name: agentVmssAssignmentName
   location: location
   properties: {
-    policyDefinitionId: '/providers/Microsoft.Authorization/policySetDefinitions/75714362-cae7-409e-9b99-a8e5075b7fad'
+    policyDefinitionId: tenantResourceId('Microsoft.Authorization/policySetDefinitions', '75714362-cae7-409e-9b99-a8e5075b7fad')
     parameters: {
       logAnalytics_1: {
         value: logAnalyticsWorkspace.id
@@ -85,7 +85,7 @@ resource vmAgentAssignment 'Microsoft.Authorization/policyAssignments@2020-09-01
   name: agentVmAssignmentName
   location: location
   properties: {
-    policyDefinitionId: '/providers/Microsoft.Authorization/policySetDefinitions/55f3eceb-5573-4f18-9695-226972c6d74a'
+    policyDefinitionId: tenantResourceId('Microsoft.Authorization/policySetDefinitions', '55f3eceb-5573-4f18-9695-226972c6d74a')
     parameters: {
       logAnalytics_1: {
         value: logAnalyticsWorkspace.id
@@ -99,34 +99,34 @@ resource vmAgentAssignment 'Microsoft.Authorization/policyAssignments@2020-09-01
 
 // assign the policies assigned idenitity as contributor to each resource group for deploy if not exist and modify policiy remediation
 resource policyRoleAssignment 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = {
-  name: guid(contributorRoleDefinitionId,assignmentName)
+  name: guid(contributorRoleDefinitionId, assignmentName)
   scope: resourceGroup()
   properties: {
     roleDefinitionId: contributorRoleDefinitionId
     principalId: (empty(modifiedAssignment) ? '' : assignment.identity.principalId)
     principalType: 'ServicePrincipal'
-    }
   }
+}
 
 resource vmmsPolicyRoleAssignment 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = {
-  name: guid(contributorRoleDefinitionId,agentVmssAssignmentName)
+  name: guid(contributorRoleDefinitionId, agentVmssAssignmentName)
   scope: resourceGroup()
   properties: {
     roleDefinitionId: contributorRoleDefinitionId
     principalId: vmssAgentAssignment.identity.principalId
     principalType: 'ServicePrincipal'
-    }
   }
+}
 
 resource vmPolicyRoleAssignment 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = {
-  name: guid(contributorRoleDefinitionId,agentVmAssignmentName)
+  name: guid(contributorRoleDefinitionId, agentVmAssignmentName)
   scope: resourceGroup()
   properties: {
     roleDefinitionId: contributorRoleDefinitionId
     principalId: vmAgentAssignment.identity.principalId
     principalType: 'ServicePrincipal'
-    }
   }
+}
 
 module roleAssignment '../modules/role-assignment.bicep' = {
   name: 'Assign-Laws-Role-Policy-${resourceGroup().name}'
@@ -138,7 +138,7 @@ module roleAssignment '../modules/role-assignment.bicep' = {
   }
 }
 
-resource vmPolicyRemediation 'Microsoft.PolicyInsights/remediations@2019-07-01' = if(deployRemediation) {
+resource vmPolicyRemediation 'Microsoft.PolicyInsights/remediations@2019-07-01' = if (deployRemediation) {
   name: 'VM-Agent-Policy-Remediation'
   properties: {
     policyAssignmentId: vmAgentAssignment.id