microsoft · marvinbuss · Feb 11, 2023 · Feb 12, 2023 · Feb 13, 2023 · Feb 13, 2023
diff --git a/...referenceImplementations/core/managementGroupTemplates/mgmtGroupStructure/mgmtGroups.json b/...referenceImplementations/core/managementGroupTemplates/mgmtGroupStructure/mgmtGroups.json
@@ -22,7 +22,7 @@
         "landingZoneMgs": {
             "type": "array",
             "defaultValue": [
-                "online",
+                "cloud-native",
                 "corp"
             ],
             "metadata": {
@@ -164,6 +164,33 @@
                     }
                 }
             }
+        },
+        {
+            // One of Azure's untold stories.....
+            "type": "Microsoft.Resources/deployments",
+            "apiVersion": "2020-10-01",
+            "name": "[concat('Consistency-', copyIndex())]",
+            "location": "[deployment().location]",
+            "scope": "[concat('Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]",
+            "dependsOn": [
+                "[resourceId('Microsoft.Management/managementGroups', variables('managementGroups').landingZone)]"
+            ],
+            "copy": {
+                "batchSize": 1,
+                "count": 21,
+                "mode": "Serial",
+                "name": "Consistency"
+            },
+            "properties": {
+                "mode": "Incremental",
+                "template": {
+                    "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
+                    "contentVersion": "1.0.0.0",
+                    "parameters": {},
+                    "resources": [],
+                    "outputs": {}
+                }
+            }
         }
     ],
     "outputs": {}

diff --git a/...renceImplementations/core/managementGroupTemplates/mgmtGroupStructure/mgmtGroupsLite.json b/...renceImplementations/core/managementGroupTemplates/mgmtGroupStructure/mgmtGroupsLite.json
@@ -11,7 +11,7 @@
         "landingZoneMgs": {
             "type": "array",
             "defaultValue": [
-                "online",
+                "cloud-native",
                 "corp"
             ],
             "metadata": {

diff --git a/...tions/core/managementGroupTemplates/policyAssignments/Compliant-ApimPolicyAssignment.json b/...tions/core/managementGroupTemplates/policyAssignments/Compliant-ApimPolicyAssignment.json
@@ -0,0 +1,75 @@
+{
+    "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
+    "contentVersion": "1.0.0.0",
+    "parameters": {
+        "topLevelManagementGroupPrefix": {
+            "type": "string",
+            "metadata": {
+                "description": "Provide a company prefix to the intermediate root management group containing the policy definitions."
+            }
+        },
+        "enforcementMode": {
+            "type": "string",
+            "allowedValues": [
+                "Default",
+                "DoNotEnforce"
+            ],
+            "defaultValue": "Default"
+        },
+        "apimDiagnostics": {
+            "type": "string",
+            "defaultValue": "Disabled",
+            "allowedValues": [
+                "DeployIfNotExists",
+                "Disabled"
+            ]
+        },
+        "apimLogAnalyticsWorkspaceId": {
+            "type": "string",
+            "defaultValue": ""
+        },
+        "userAssignedIdentityResourceId": {
+            "type": "string"
+        }
+    },
+    "variables": {
+        "policyDefinitions": {
+            "compliantApim": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Compliant-API-Management')]"
+        },
+        "policyAssignmentNames": {
+            "apim": "Compliant-Apim",
+            "description": "This policy initiative is a group of policies that ensures API Management is compliant per FSI Landing Zones",
+            "displayName": "Enforce secure-by-default API Management for Financial Services Industry"
+        }
+    },
+    "resources": [
+        {
+            "type": "Microsoft.Authorization/policyAssignments",
+            "apiVersion": "2022-06-01",
+            "name": "[variables('policyAssignmentNames').apim]",
+            "location": "[deployment().location]",
+            "identity": {
+                "type": "UserAssigned",
+                "userAssignedIdentities": {
+                    "[parameters('userAssignedIdentityResourceId')]": {}
+                }
+            },
+            "properties": {
+                "description": "[variables('policyAssignmentNames').description]",
+                "displayName": "[variables('policyAssignmentNames').displayName]",
+                "policyDefinitionId": "[variables('policyDefinitions').compliantApim]",
+                "enforcementMode": "[parameters('enforcementMode')]",
+                "parameters": {
+                    "apimDiagnostics": {
+                        "value": "[parameters('apimDiagnostics')]"
+                    },
+                    "apimLogAnalyticsWorkspaceId": {
+                        "value": "[parameters('apimLogAnalyticsWorkspaceId')]"
+                    }
+                }
+            }
+        }
+
+    ],
+    "outputs": {}
+}
diff --git a/...core/managementGroupTemplates/policyAssignments/Compliant-AppServicePolicyAssignment.json b/...core/managementGroupTemplates/policyAssignments/Compliant-AppServicePolicyAssignment.json
@@ -0,0 +1,92 @@
+{
+    "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
+    "contentVersion": "1.0.0.0",
+    "parameters": {
+        "topLevelManagementGroupPrefix": {
+            "type": "string",
+            "metadata": {
+                "description": "Provide a company prefix to the intermediate root management group containing the policy definitions."
+            }
+        },
+        "enforcementMode": {
+            "type": "string",
+            "allowedValues": [
+                "Default",
+                "DoNotEnforce"
+            ],
+            "defaultValue": "Default"
+        },
+        "functionDiagnostics": {
+            "type": "string",
+            "defaultValue": "Disabled",
+            "allowedValues": [
+                "DeployIfNotExists",
+                "Disabled"
+            ]
+        },
+        "functionLogAnalyticsWorkspaceId": {
+            "type": "string",
+            "defaultValue": ""
+        },
+        "appServiceDiagnostics": {
+            "type": "string",
+            "defaultValue": "Disabled",
+            "allowedValues": [
+                "DeployIfNotExists",
+                "Disabled"
+            ]
+        },
+        "appServiceLogAnalyticsWorkspaceId": {
+            "type": "string",
+            "defaultValue": ""
+        },
+        "userAssignedIdentityResourceId": {
+            "type": "string"
+        }
+    },
+    "variables": {
+        "policyDefinitions": {
+            "compliantAppService": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Compliant-App-Service')]"
+        },
+        "policyAssignmentNames": {
+            "appService": "Compliant-AppService",
+            "description": "This policy initiative is a group of policies that ensures App Service is compliant per FSI Landing Zones",
+            "displayName": "Enforce secure-by-default App Service for Financial Services Industry"
+        }
+    },
+    "resources": [
+        {
+            "type": "Microsoft.Authorization/policyAssignments",
+            "apiVersion": "2022-06-01",
+            "name": "[variables('policyAssignmentNames').appService]",
+            "location": "[deployment().location]",
+            "identity": {
+                "type": "UserAssigned",
+                "userAssignedIdentities": {
+                    "[parameters('userAssignedIdentityResourceId')]": {}
+                }
+            },
+            "properties": {
+                "description": "[variables('policyAssignmentNames').description]",
+                "displayName": "[variables('policyAssignmentNames').displayName]",
+                "policyDefinitionId": "[variables('policyDefinitions').compliantAppService]",
+                "enforcementMode": "[parameters('enforcementMode')]",
+                "parameters": {
+                    "functionDiagnostics": {
+                        "value": "[parameters('functionDiagnostics')]"
+                    },
+                    "functionLogAnalyticsWorkspaceId": {
+                        "value": "[parameters('functionLogAnalyticsWorkspaceId')]"
+                    },
+                    "appServiceDiagnostics": {
+                        "value": "[parameters('appServiceDiagnostics')]"
+                    },
+                    "appServiceLogAnalyticsWorkspaceId": {
+                        "value": "[parameters('appServiceLogAnalyticsWorkspaceId')]"
+                    }
+                }
+            }
+        }
+    ],
+    "outputs": {}
+}
diff --git a/...core/managementGroupTemplates/policyAssignments/Compliant-AutomationPolicyAssignment.json b/...core/managementGroupTemplates/policyAssignments/Compliant-AutomationPolicyAssignment.json
@@ -0,0 +1,77 @@
+{
+    "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
+    "contentVersion": "1.0.0.0",
+    "parameters": {
+        "topLevelManagementGroupPrefix": {
+            "type": "string",
+            "metadata": {
+                "description": "Provide a company prefix to the intermediate root management group containing the policy definitions."
+            }
+        },
+        "enforcementMode": {
+            "type": "string",
+            "allowedValues": [
+                "Default",
+                "DoNotEnforce"
+            ],
+            "defaultValue": "Default"
+        },
+        "aaLogAnalyticsWorkspaceId": {
+            "type": "string",
+            "metadata": {
+                "description": "Provide the Log Analytics Workspace ID for Key Vault"
+            }
+        },
+        "aaDiagnostics": {
+            "type": "string",
+            "defaultValue": "Disabled",
+            "allowedValues": [
+                "DeployIfNotExists",
+                "Disabled"
+            ]
+        },
+        "userAssignedIdentityResourceId": {
+            "type": "string"
+        }
+    },
+    "variables": {
+        "policyDefinitions": {
+            "compliantAa": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Compliant-Automation-Account')]"
+        },
+        "policyAssignmentNames": {
+            "aa": "Compliant-Automation",
+            "description": "This policy initiative is a group of policies that ensures Automation Account is compliant per FSI Landing Zones",
+            "displayName": "Enforce secure-by-default Automation Account for Financial Services Industry"
+        }
+    },
+    "resources": [
+        {
+            "type": "Microsoft.Authorization/policyAssignments",
+            "apiVersion": "2022-06-01",
+            "name": "[variables('policyAssignmentNames').aa]",
+            "location": "[deployment().location]",
+            "identity": {
+                "type": "UserAssigned",
+                "userAssignedIdentities": {
+                    "[parameters('userAssignedIdentityResourceId')]": {}
+                }
+            },
+            "properties": {
+                "description": "[variables('policyAssignmentNames').description]",
+                "displayName": "[variables('policyAssignmentNames').displayName]",
+                "policyDefinitionId": "[variables('policyDefinitions').compliantAa]",
+                "enforcementMode": "[parameters('enforcementMode')]",
+                "parameters": {
+                    "aaLogAnalyticsWorkspaceId": {
+                        "value": "[parameters('aaLogAnalyticsWorkspaceId')]"
+                    },
+                    "aaDiagnostics": {
+                        "value": "[parameters('aaDiagnostics')]"
+                    }
+                }
+            }
+        }
+
+    ],
+    "outputs": {}
+}
diff --git a/...ons/core/managementGroupTemplates/policyAssignments/Compliant-BackupPolicyAssignment.json b/...ons/core/managementGroupTemplates/policyAssignments/Compliant-BackupPolicyAssignment.json
@@ -0,0 +1,63 @@
+{
+    "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
+    "contentVersion": "1.0.0.0",
+    "parameters": {
+        "topLevelManagementGroupPrefix": {
+            "type": "string",
+            "metadata": {
+                "description": "Provide a company prefix to the intermediate root management group containing the policy definitions."
+            }
+        },
+        "enforcementMode": {
+            "type": "string",
+            "allowedValues": [
+                "Default",
+                "DoNotEnforce"
+            ],
+            "defaultValue": "Default"
+        },
+        "asrLogAnalyticsWorkspaceId": {
+            "type": "string",
+            "defaultValue": ""
+        },
+        "userAssignedIdentityResourceId": {
+            "type": "string"
+        }
+    },
+    "variables": {
+        "policyDefinitions": {
+            "compliantBackup": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Compliant-Backup')]"
+        },
+        "policyAssignmentNames": {
+            "backup": "Compliant-Backup",
+            "description": "This policy initiative is a group of policies that ensures Backup is compliant per FSI Landing Zones",
+            "displayName": "Enforce secure-by-default Backup for Financial Services Industry"
+        }
+    },
+    "resources": [
+        {
+            "type": "Microsoft.Authorization/policyAssignments",
+            "apiVersion": "2022-06-01",
+            "name": "[variables('policyAssignmentNames').backup]",
+            "location": "[deployment().location]",
+            "identity": {
+                "type": "UserAssigned",
+                "userAssignedIdentities": {
+                    "[parameters('userAssignedIdentityResourceId')]": {}
+                }
+            },
+            "properties": {
+                "description": "[variables('policyAssignmentNames').description]",
+                "displayName": "[variables('policyAssignmentNames').displayName]",
+                "policyDefinitionId": "[variables('policyDefinitions').compliantBackup]",
+                "enforcementMode": "[parameters('enforcementMode')]",
+                "parameters": {
+                    "asrLogAnalyticsWorkspaceId": {
+                        "value": "[parameters('asrLogAnalyticsWorkspaceId')]"
+                    }
+                }
+            }
+        }
+    ],
+    "outputs": {}
+}