Separate Azure Firewall Policy deployment switch & unique telemetry tracking for policy assignments (Azure#289)

SenthuranSivananthan · web-flow · commit 6a90a2fe9d88 · 2022-05-11T10:56:26.000-04:00
diff --git a/.github/workflows/0-everything.yml b/.github/workflows/0-everything.yml
@@ -159,11 +159,21 @@ jobs:
         Install-Module Az -Force
         Install-Module powershell-yaml -Force
 
+    - name: Deploy Azure Firewall Policy
+      if: github.event.inputs.hubNetworkType == 'HubNetworkWithAzureFirewall'
+      run: |
+        ./RunWorkflows.ps1 `
+          -DeployAzureFirewallPolicy `
+          -EnvironmentName '${{github.event.inputs.environmentName}}' `
+          -LoginServicePrincipalJson (ConvertTo-SecureString -String '${{secrets.ALZ_CREDENTIALS}}' -AsPlainText -Force) `
+          -GitHubRepo ${env:GITHUB_REPOSITORY} `
+          -GitHubRef ${env:GITHUB_REF}
+
     - name: Deploy Hub Network with Azure Firewall
       if: github.event.inputs.hubNetworkType == 'HubNetworkWithAzureFirewall'
       run: |
         ./RunWorkflows.ps1 `
-          -Deploy${{github.event.inputs.hubNetworkType}} `
+          -DeployHubNetworkWithAzureFirewall `
           -EnvironmentName '${{github.event.inputs.environmentName}}' `
           -LoginServicePrincipalJson (ConvertTo-SecureString -String '${{secrets.ALZ_CREDENTIALS}}' -AsPlainText -Force) `
           -GitHubRepo ${env:GITHUB_REPOSITORY} `
@@ -173,7 +183,7 @@ jobs:
       if: github.event.inputs.hubNetworkType == 'HubNetworkWithNVA'
       run: |
         ./RunWorkflows.ps1 `
-          -Deploy${{github.event.inputs.hubNetworkType}} `
+          -DeployHubNetworkWithNVA `
           -EnvironmentName '${{github.event.inputs.environmentName}}' `
           -LoginServicePrincipalJson (ConvertTo-SecureString -String '${{secrets.ALZ_CREDENTIALS}}' -AsPlainText -Force) `
           -GitHubRepo ${env:GITHUB_REPOSITORY} `
diff --git a/.github/workflows/5-azure-firewall-policy.yml b/.github/workflows/5-azure-firewall-policy.yml
@@ -0,0 +1,46 @@
+# ----------------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT license.
+#
+# THIS CODE AND INFORMATION ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, 
+# EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES 
+# OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
+# ----------------------------------------------------------------------------------
+# Test
+name: 5 - Azure Firewall Policy
+
+on:
+  workflow_dispatch:
+    inputs:
+      environmentName:
+        type: string
+        description: Environment name (optional), e.g. CanadaESLZ-main
+        required: false
+
+defaults:
+  run:
+    shell: pwsh
+    working-directory: scripts/deployments
+
+jobs:
+  azure-firewall-policy:
+    name: Azure Firewall Policy
+    runs-on: ubuntu-latest
+    steps:
+
+    - name: Checkout
+      uses: actions/checkout@v3
+
+    - name: Configure PowerShell modules
+      run: |
+        Install-Module Az -Force
+        Install-Module powershell-yaml -Force
+
+    - name: Deploy Azure Firewall Policy
+      run: |
+        ./RunWorkflows.ps1 `
+          -DeployAzureFirewallPolicy `
+          -EnvironmentName '${{github.event.inputs.environmentName}}' `
+          -LoginServicePrincipalJson (ConvertTo-SecureString -String '${{secrets.ALZ_CREDENTIALS}}' -AsPlainText -Force) `
+          -GitHubRepo ${env:GITHUB_REPOSITORY} `
+          -GitHubRef ${env:GITHUB_REF}
diff --git a/.github/workflows/README.md b/.github/workflows/README.md
@@ -18,7 +18,8 @@ The following workflows are present in the `.github/workflows` repository folder
 | 1 | Management Groups | `1-management-groups.yml`
 | 2 | Roles | `2-roles.yml`
 | 3 | Logging | `3-logging.yml`
-| 4 | Policy | `policy.yml`
+| 4 | Policy | `4-policy.yml`
+| 5 | Azure Firewall Policy (required for Hub Networking with Azure Firewall) | `5-azure-firewall-policy.yml`
 | 5 | Hub Networking with Azure Firewall | `5-hub-network-with-azure-firewall.yml`
 | 5 | Hub Networking with NVA | `5-hub-network-with-nva.yml`
 | 6 | Subscriptions | `6-subscriptions.yml`
diff --git a/policy/builtin/assignments/asb.bicep b/policy/builtin/assignments/asb.bicep
@@ -32,7 +32,7 @@ var policyScopedId = resourceId('Microsoft.Authorization/policySetDefinitions',
 // Reference:  https://docs.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution
 var telemetry = json(loadTextContent('../../../config/telemetry.json'))
 module telemetryCustomerUsageAttribution '../../../azresources/telemetry/customer-usage-attribution-management-group.bicep' = if (telemetry.customerUsageAttribution.enabled) {
-  name: 'pid-${telemetry.customerUsageAttribution.modules.policy}'
+  name: 'pid-${telemetry.customerUsageAttribution.modules.policy}-asb'
 }
 
 resource policySetAssignment 'Microsoft.Authorization/policyAssignments@2020-03-01' = {
diff --git a/policy/builtin/assignments/cis-msft-130.bicep b/policy/builtin/assignments/cis-msft-130.bicep
@@ -44,7 +44,7 @@ var policyScopedId = resourceId('Microsoft.Authorization/policySetDefinitions',
 // Reference:  https://docs.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution
 var telemetry = json(loadTextContent('../../../config/telemetry.json'))
 module telemetryCustomerUsageAttribution '../../../azresources/telemetry/customer-usage-attribution-management-group.bicep' = if (telemetry.customerUsageAttribution.enabled) {
-  name: 'pid-${telemetry.customerUsageAttribution.modules.policy}'
+  name: 'pid-${telemetry.customerUsageAttribution.modules.policy}-cis-msft-130'
 }
 
 resource policySetAssignment 'Microsoft.Authorization/policyAssignments@2020-03-01' = {
diff --git a/policy/builtin/assignments/fedramp-moderate.bicep b/policy/builtin/assignments/fedramp-moderate.bicep
@@ -35,7 +35,7 @@ var policyScopedId = resourceId('Microsoft.Authorization/policySetDefinitions',
 // Reference:  https://docs.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution
 var telemetry = json(loadTextContent('../../../config/telemetry.json'))
 module telemetryCustomerUsageAttribution '../../../azresources/telemetry/customer-usage-attribution-management-group.bicep' = if (telemetry.customerUsageAttribution.enabled) {
-  name: 'pid-${telemetry.customerUsageAttribution.modules.policy}'
+  name: 'pid-${telemetry.customerUsageAttribution.modules.policy}-fedramp-m'
 }
 
 resource policySetAssignment 'Microsoft.Authorization/policyAssignments@2020-03-01' = {
diff --git a/policy/builtin/assignments/hitrust-hipaa.bicep b/policy/builtin/assignments/hitrust-hipaa.bicep
@@ -47,7 +47,7 @@ var policyScopedId = resourceId('Microsoft.Authorization/policySetDefinitions',
 // Reference:  https://docs.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution
 var telemetry = json(loadTextContent('../../../config/telemetry.json'))
 module telemetryCustomerUsageAttribution '../../../azresources/telemetry/customer-usage-attribution-management-group.bicep' = if (telemetry.customerUsageAttribution.enabled) {
-  name: 'pid-${telemetry.customerUsageAttribution.modules.policy}'
+  name: 'pid-${telemetry.customerUsageAttribution.modules.policy}-hitrust-hipaa'
 }
 
 resource policySetAssignment 'Microsoft.Authorization/policyAssignments@2020-03-01' = {
diff --git a/policy/builtin/assignments/location.bicep b/policy/builtin/assignments/location.bicep
@@ -31,7 +31,7 @@ var scope = tenantResourceId('Microsoft.Management/managementGroups', policyAssi
 // Reference:  https://docs.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution
 var telemetry = json(loadTextContent('../../../config/telemetry.json'))
 module telemetryCustomerUsageAttribution '../../../azresources/telemetry/customer-usage-attribution-management-group.bicep' = if (telemetry.customerUsageAttribution.enabled) {
-  name: 'pid-${telemetry.customerUsageAttribution.modules.policy}'
+  name: 'pid-${telemetry.customerUsageAttribution.modules.policy}-location'
 }
 
 resource rgLocationAssignment 'Microsoft.Authorization/policyAssignments@2020-03-01' = {
diff --git a/policy/builtin/assignments/nist80053r4.bicep b/policy/builtin/assignments/nist80053r4.bicep
@@ -41,7 +41,7 @@ var policyScopedId = resourceId('Microsoft.Authorization/policySetDefinitions',
 // Reference:  https://docs.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution
 var telemetry = json(loadTextContent('../../../config/telemetry.json'))
 module telemetryCustomerUsageAttribution '../../../azresources/telemetry/customer-usage-attribution-management-group.bicep' = if (telemetry.customerUsageAttribution.enabled) {
-  name: 'pid-${telemetry.customerUsageAttribution.modules.policy}'
+  name: 'pid-${telemetry.customerUsageAttribution.modules.policy}-nist-80053-r4'
 }
 
 resource policySetAssignment 'Microsoft.Authorization/policyAssignments@2020-03-01' = {
diff --git a/policy/builtin/assignments/nist80053r5.bicep b/policy/builtin/assignments/nist80053r5.bicep
@@ -35,7 +35,7 @@ var policyScopedId = resourceId('Microsoft.Authorization/policySetDefinitions',
 // Reference:  https://docs.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution
 var telemetry = json(loadTextContent('../../../config/telemetry.json'))
 module telemetryCustomerUsageAttribution '../../../azresources/telemetry/customer-usage-attribution-management-group.bicep' = if (telemetry.customerUsageAttribution.enabled) {
-  name: 'pid-${telemetry.customerUsageAttribution.modules.policy}'
+  name: 'pid-${telemetry.customerUsageAttribution.modules.policy}-nist-80053-r5'
 }
 
 resource policySetAssignment 'Microsoft.Authorization/policyAssignments@2020-03-01' = {
diff --git a/policy/builtin/assignments/pbmm.bicep b/policy/builtin/assignments/pbmm.bicep
@@ -41,7 +41,7 @@ var policyScopedId = resourceId('Microsoft.Authorization/policySetDefinitions',
 // Reference:  https://docs.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution
 var telemetry = json(loadTextContent('../../../config/telemetry.json'))
 module telemetryCustomerUsageAttribution '../../../azresources/telemetry/customer-usage-attribution-management-group.bicep' = if (telemetry.customerUsageAttribution.enabled) {
-  name: 'pid-${telemetry.customerUsageAttribution.modules.policy}'
+  name: 'pid-${telemetry.customerUsageAttribution.modules.policy}-pbmm'
 }
 
 resource policySetAssignment 'Microsoft.Authorization/policyAssignments@2020-03-01' = {
diff --git a/policy/custom/assignments/AKS.bicep b/policy/custom/assignments/AKS.bicep
@@ -35,7 +35,7 @@ var policyScopedId = '/providers/Microsoft.Management/managementGroups/${policyD
 // Reference:  https://docs.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution
 var telemetry = json(loadTextContent('../../../config/telemetry.json'))
 module telemetryCustomerUsageAttribution '../../../azresources/telemetry/customer-usage-attribution-management-group.bicep' = if (telemetry.customerUsageAttribution.enabled) {
-  name: 'pid-${telemetry.customerUsageAttribution.modules.policy}'
+  name: 'pid-${telemetry.customerUsageAttribution.modules.policy}-aks'
 }
 
 resource policySetAssignment 'Microsoft.Authorization/policyAssignments@2020-03-01' = {
diff --git a/policy/custom/assignments/DDoS.bicep b/policy/custom/assignments/DDoS.bicep
@@ -38,7 +38,7 @@ var policyScopedId = '/providers/Microsoft.Management/managementGroups/${policyD
 // Reference:  https://docs.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution
 var telemetry = json(loadTextContent('../../../config/telemetry.json'))
 module telemetryCustomerUsageAttribution '../../../azresources/telemetry/customer-usage-attribution-management-group.bicep' = if (telemetry.customerUsageAttribution.enabled) {
-  name: 'pid-${telemetry.customerUsageAttribution.modules.policy}'
+  name: 'pid-${telemetry.customerUsageAttribution.modules.policy}-ddos'
 }
 
 resource policySetAssignment 'Microsoft.Authorization/policyAssignments@2020-03-01' = {
diff --git a/policy/custom/assignments/DNSPrivateEndpoints.bicep b/policy/custom/assignments/DNSPrivateEndpoints.bicep
@@ -41,7 +41,7 @@ var policyScopedId = '/providers/Microsoft.Management/managementGroups/${policyD
 // Reference:  https://docs.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution
 var telemetry = json(loadTextContent('../../../config/telemetry.json'))
 module telemetryCustomerUsageAttribution '../../../azresources/telemetry/customer-usage-attribution-management-group.bicep' = if (telemetry.customerUsageAttribution.enabled) {
-  name: 'pid-${telemetry.customerUsageAttribution.modules.policy}'
+  name: 'pid-${telemetry.customerUsageAttribution.modules.policy}-dns-pe'
 }
 
 resource policySetAssignment 'Microsoft.Authorization/policyAssignments@2020-03-01' = {
diff --git a/policy/custom/assignments/DefenderForCloud.bicep b/policy/custom/assignments/DefenderForCloud.bicep
@@ -35,7 +35,7 @@ var policyScopedId = '/providers/Microsoft.Management/managementGroups/${policyD
 // Reference:  https://docs.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution
 var telemetry = json(loadTextContent('../../../config/telemetry.json'))
 module telemetryCustomerUsageAttribution '../../../azresources/telemetry/customer-usage-attribution-management-group.bicep' = if (telemetry.customerUsageAttribution.enabled) {
-  name: 'pid-${telemetry.customerUsageAttribution.modules.policy}'
+  name: 'pid-${telemetry.customerUsageAttribution.modules.policy}-mdfc'
 }
 
 resource policySetAssignment 'Microsoft.Authorization/policyAssignments@2020-03-01' = {
diff --git a/policy/custom/assignments/LogAnalytics.bicep b/policy/custom/assignments/LogAnalytics.bicep
@@ -41,7 +41,7 @@ var policyScopedId = '/providers/Microsoft.Management/managementGroups/${policyD
 // Reference:  https://docs.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution
 var telemetry = json(loadTextContent('../../../config/telemetry.json'))
 module telemetryCustomerUsageAttribution '../../../azresources/telemetry/customer-usage-attribution-management-group.bicep' = if (telemetry.customerUsageAttribution.enabled) {
-  name: 'pid-${telemetry.customerUsageAttribution.modules.policy}'
+  name: 'pid-${telemetry.customerUsageAttribution.modules.policy}-logging'
 }
 
 resource policySetAssignment 'Microsoft.Authorization/policyAssignments@2020-03-01' = {
diff --git a/policy/custom/assignments/Network.bicep b/policy/custom/assignments/Network.bicep
@@ -35,7 +35,7 @@ var policyScopedId = '/providers/Microsoft.Management/managementGroups/${policyD
 // Reference:  https://docs.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution
 var telemetry = json(loadTextContent('../../../config/telemetry.json'))
 module telemetryCustomerUsageAttribution '../../../azresources/telemetry/customer-usage-attribution-management-group.bicep' = if (telemetry.customerUsageAttribution.enabled) {
-  name: 'pid-${telemetry.customerUsageAttribution.modules.policy}'
+  name: 'pid-${telemetry.customerUsageAttribution.modules.policy}-network'
 }
 
 resource policySetAssignment 'Microsoft.Authorization/policyAssignments@2020-03-01' = {
diff --git a/policy/custom/assignments/Tags.bicep b/policy/custom/assignments/Tags.bicep
@@ -31,7 +31,7 @@ var scope = tenantResourceId('Microsoft.Management/managementGroups', policyAssi
 // Reference:  https://docs.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution
 var telemetry = json(loadTextContent('../../../config/telemetry.json'))
 module telemetryCustomerUsageAttribution '../../../azresources/telemetry/customer-usage-attribution-management-group.bicep' = if (telemetry.customerUsageAttribution.enabled) {
-  name: 'pid-${telemetry.customerUsageAttribution.modules.policy}'
+  name: 'pid-${telemetry.customerUsageAttribution.modules.policy}-tags'
 }
 
 // Tags Inherited from Subscription to Resource Groups
diff --git a/scripts/deployments/Functions/HubNetworkWithAzureFirewall.ps1 b/scripts/deployments/Functions/HubNetworkWithAzureFirewall.ps1
@@ -59,7 +59,8 @@ function Set-AzureFirewallPolicy {
     -Name "main-$Region" `
     -Location $Region `
     -TemplateFile "$($Context.WorkingDirectory)/landingzones/lz-platform-connectivity-hub-azfw/main-azfw-policy.bicep" `
-    -TemplateParameterFile $ConfigurationFilePath
+    -TemplateParameterFile $ConfigurationFilePath `
+    -Verbose
 }
 
 function Set-HubNetwork-With-AzureFirewall {
diff --git a/scripts/deployments/RunWorkflows.ps1 b/scripts/deployments/RunWorkflows.ps1
@@ -72,7 +72,7 @@ OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
     Deploy management groups interactively.
 
   .EXAMPLE
-    PS> .\RunWorkflows.ps1 -EnvironmentName CanadaESLZ-main -LoginInteractiveTenantId '8188040d-6c67-4c5c-b112-36a304b66dad' -DeployManagementGroups -DeployRoles -DeployLogging -DeployCustomPolicy -DeployBuiltInPolicy -DeployHubNetworkWithAzureFirewall
+    PS> .\RunWorkflows.ps1 -EnvironmentName CanadaESLZ-main -LoginInteractiveTenantId '8188040d-6c67-4c5c-b112-36a304b66dad' -DeployManagementGroups -DeployRoles -DeployLogging -DeployCustomPolicy -DeployBuiltInPolicy -DeployAzureFirewallPolicy -DeployHubNetworkWithAzureFirewall
 
     Deploy all platform components interactively, with Azure Firewall.
 
@@ -105,6 +105,7 @@ Param(
   [switch]$DeployLogging,
   [switch]$DeployCustomPolicy,
   [switch]$DeployBuiltinPolicy,
+  [switch]$DeployAzureFirewallPolicy,
   [switch]$DeployHubNetworkWithNVA,
   [switch]$DeployHubNetworkWithAzureFirewall,
   [string[]]$DeploySubscriptionIds=@(),
@@ -271,20 +272,23 @@ if ($DeployHubNetworkWithNVA) {
     -NvaPassword $NvaPassword
 }
 
+# Azure Firewall Policy
+if ($DeployAzureFirewallPolicy) {
+  # Create Azure Firewall Policy
+  Set-AzureFirewallPolicy `
+    -Context $Context `
+    -Region $Context.Variables['var-hubnetwork-region'] `
+    -SubscriptionId $Context.Variables['var-hubnetwork-subscriptionId'] `
+    -ConfigurationFilePath "$($Context.NetworkingDirectory)/$($Context.Variables['var-hubnetwork-azfwPolicy-configurationFileName'])"
+}
+
 # Hub Networking with Azure Firewall
 if ($DeployHubNetworkWithAzureFirewall) {
   Write-Host "Deploying Hub Networking with Azure Firewall..."
   # Get Logging information using logging config file
   $LoggingConfiguration = Get-LoggingConfiguration `
     -ConfigurationFilePath "$($Context.LoggingDirectory)/$($Context.Variables['var-logging-configurationFileName'])" `
     -SubscriptionId $Context.Variables['var-logging-subscriptionId']
-
-  # Create Azure Firewall Policy
-  Set-AzureFirewallPolicy `
-    -Context $Context `
-    -Region $Context.Variables['var-hubnetwork-region'] `
-    -SubscriptionId $Context.Variables['var-hubnetwork-subscriptionId'] `
-    -ConfigurationFilePath "$($Context.NetworkingDirectory)/$($Context.Variables['var-hubnetwork-azfwPolicy-configurationFileName'])"
   
   # Retrieve Azure Firewall Policy
   $AzureFirewallPolicyConfiguration = Get-AzureFirewallPolicy `

Original file line number	Diff line number	Diff line change
`@@ -32,7 +32,7 @@ var policyScopedId = resourceId('Microsoft.Authorization/policySetDefinitions',`
`32`	`32`	`// Reference: https://docs.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution`
`33`	`33`	`var telemetry = json(loadTextContent('../../../config/telemetry.json'))`
`34`	`34`	`module telemetryCustomerUsageAttribution '../../../azresources/telemetry/customer-usage-attribution-management-group.bicep' = if (telemetry.customerUsageAttribution.enabled) {`
`35`		`- name: 'pid-${telemetry.customerUsageAttribution.modules.policy}'`
	`35`	`+ name: 'pid-${telemetry.customerUsageAttribution.modules.policy}-asb'`
`36`	`36`	`}`
`37`	`37`
`38`	`38`	`resource policySetAssignment 'Microsoft.Authorization/policyAssignments@2020-03-01' = {`
Original file line number	Diff line number	Diff line change
`@@ -44,7 +44,7 @@ var policyScopedId = resourceId('Microsoft.Authorization/policySetDefinitions',`
`44`	`44`	`// Reference: https://docs.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution`
`45`	`45`	`var telemetry = json(loadTextContent('../../../config/telemetry.json'))`
`46`	`46`	`module telemetryCustomerUsageAttribution '../../../azresources/telemetry/customer-usage-attribution-management-group.bicep' = if (telemetry.customerUsageAttribution.enabled) {`
`47`		`- name: 'pid-${telemetry.customerUsageAttribution.modules.policy}'`
	`47`	`+ name: 'pid-${telemetry.customerUsageAttribution.modules.policy}-cis-msft-130'`
`48`	`48`	`}`
`49`	`49`
`50`	`50`	`resource policySetAssignment 'Microsoft.Authorization/policyAssignments@2020-03-01' = {`
Original file line number	Diff line number	Diff line change
`@@ -35,7 +35,7 @@ var policyScopedId = resourceId('Microsoft.Authorization/policySetDefinitions',`
`35`	`35`	`// Reference: https://docs.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution`
`36`	`36`	`var telemetry = json(loadTextContent('../../../config/telemetry.json'))`
`37`	`37`	`module telemetryCustomerUsageAttribution '../../../azresources/telemetry/customer-usage-attribution-management-group.bicep' = if (telemetry.customerUsageAttribution.enabled) {`
`38`		`- name: 'pid-${telemetry.customerUsageAttribution.modules.policy}'`
	`38`	`+ name: 'pid-${telemetry.customerUsageAttribution.modules.policy}-fedramp-m'`
`39`	`39`	`}`
`40`	`40`
`41`	`41`	`resource policySetAssignment 'Microsoft.Authorization/policyAssignments@2020-03-01' = {`
Original file line number	Diff line number	Diff line change
`@@ -47,7 +47,7 @@ var policyScopedId = resourceId('Microsoft.Authorization/policySetDefinitions',`
`47`	`47`	`// Reference: https://docs.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution`
`48`	`48`	`var telemetry = json(loadTextContent('../../../config/telemetry.json'))`
`49`	`49`	`module telemetryCustomerUsageAttribution '../../../azresources/telemetry/customer-usage-attribution-management-group.bicep' = if (telemetry.customerUsageAttribution.enabled) {`
`50`		`- name: 'pid-${telemetry.customerUsageAttribution.modules.policy}'`
	`50`	`+ name: 'pid-${telemetry.customerUsageAttribution.modules.policy}-hitrust-hipaa'`
`51`	`51`	`}`
`52`	`52`
`53`	`53`	`resource policySetAssignment 'Microsoft.Authorization/policyAssignments@2020-03-01' = {`
Original file line number	Diff line number	Diff line change
`@@ -31,7 +31,7 @@ var scope = tenantResourceId('Microsoft.Management/managementGroups', policyAssi`
`31`	`31`	`// Reference: https://docs.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution`
`32`	`32`	`var telemetry = json(loadTextContent('../../../config/telemetry.json'))`
`33`	`33`	`module telemetryCustomerUsageAttribution '../../../azresources/telemetry/customer-usage-attribution-management-group.bicep' = if (telemetry.customerUsageAttribution.enabled) {`
`34`		`- name: 'pid-${telemetry.customerUsageAttribution.modules.policy}'`
	`34`	`+ name: 'pid-${telemetry.customerUsageAttribution.modules.policy}-location'`
`35`	`35`	`}`
`36`	`36`
`37`	`37`	`resource rgLocationAssignment 'Microsoft.Authorization/policyAssignments@2020-03-01' = {`
Original file line number	Diff line number	Diff line change
`@@ -41,7 +41,7 @@ var policyScopedId = resourceId('Microsoft.Authorization/policySetDefinitions',`
`41`	`41`	`// Reference: https://docs.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution`
`42`	`42`	`var telemetry = json(loadTextContent('../../../config/telemetry.json'))`
`43`	`43`	`module telemetryCustomerUsageAttribution '../../../azresources/telemetry/customer-usage-attribution-management-group.bicep' = if (telemetry.customerUsageAttribution.enabled) {`
`44`		`- name: 'pid-${telemetry.customerUsageAttribution.modules.policy}'`
	`44`	`+ name: 'pid-${telemetry.customerUsageAttribution.modules.policy}-nist-80053-r4'`
`45`	`45`	`}`
`46`	`46`
`47`	`47`	`resource policySetAssignment 'Microsoft.Authorization/policyAssignments@2020-03-01' = {`
Original file line number	Diff line number	Diff line change
`@@ -38,7 +38,7 @@ var policyScopedId = '/providers/Microsoft.Management/managementGroups/${policyD`
`38`	`38`	`// Reference: https://docs.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution`
`39`	`39`	`var telemetry = json(loadTextContent('../../../config/telemetry.json'))`
`40`	`40`	`module telemetryCustomerUsageAttribution '../../../azresources/telemetry/customer-usage-attribution-management-group.bicep' = if (telemetry.customerUsageAttribution.enabled) {`
`41`		`- name: 'pid-${telemetry.customerUsageAttribution.modules.policy}'`
	`41`	`+ name: 'pid-${telemetry.customerUsageAttribution.modules.policy}-ddos'`
`42`	`42`	`}`
`43`	`43`
`44`	`44`	`resource policySetAssignment 'Microsoft.Authorization/policyAssignments@2020-03-01' = {`
Original file line number	Diff line number	Diff line change
`@@ -59,7 +59,8 @@ function Set-AzureFirewallPolicy {`
`59`	`59`	-Name "main-$Region" `
`60`	`60`	-Location $Region `
`61`	`61`	-TemplateFile "$($Context.WorkingDirectory)/landingzones/lz-platform-connectivity-hub-azfw/main-azfw-policy.bicep" `
`62`		`- -TemplateParameterFile $ConfigurationFilePath`
	`62`	+ -TemplateParameterFile $ConfigurationFilePath `
	`63`	`+ -Verbose`
`63`	`64`	`}`
`64`	`65`
`65`	`66`	`function Set-HubNetwork-With-AzureFirewall {`