Avm deployment script module and private network access

.github/scripts/Wipe-AlzTenant.ps1

@@ -1,9 +1,9 @@
 [CmdletBinding()]
 param (
     #Added this back into parameters as error occurs if multiple tenants are found when using Get-AzTenant
-    [Parameter(Mandatory = $true, Position = 1, HelpMessage = "Please the Insert Tenant ID (GUID) of your Azure AD tenant e.g.'f73a2b89-6c0e-4382-899f-ea227cd6b68f'")]
+    [Parameter(Mandatory = $true, Position = 1, HelpMessage = "Please the Insert Tenant ID (GUID) of your Microsoft Entra tenant e.g.'f73a2b89-6c0e-4382-899f-ea227cd6b68f'")]
     [string]
-    $tenantRootGroupID = "<Insert the Tenant ID (GUID) of your Azure AD tenant>",
+    $tenantRootGroupID = "<Insert the Tenant ID (GUID) of your Microsoft Entra tenant>",
 
     [Parameter(Mandatory = $true, Position = 2, HelpMessage = "Insert the name of your intermediate root Management Group e.g. 'Contoso'")]
     [string]
@@ -52,12 +52,12 @@ $subDeployments | ForEach-Object -Parallel {
 }
 
 
-# Get all AAD Tenant level deployments
+# Get all Microsoft Entra Tenant level deployments
 $tenantDeployments = Get-AzTenantDeployment
 
 Write-Information "Removing all Tenant level deployments"
 
-# For each AAD Tenant level deployment, remove it
+# For each Microsoft Entra Tenant level deployment, remove it
 $tenantDeployments | ForEach-Object -Parallel {
     Write-Information "Removing $($_.DeploymentName) ..."
     Remove-AzTenantDeployment -Id $_.Id
@@ -99,4 +99,4 @@ $StopWatch.Stop()
 
 # Display timer output as table
 Write-Information "Time taken to complete task:"
-$StopWatch.Elapsed | Format-Table
+$StopWatch.Elapsed | Format-Table

.github/workflows/module-tests.yml

@@ -82,6 +82,15 @@ jobs:
             "SUBID=$outputValue" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
           azPSVersion: "10.4.1"
 
+      - name: Azure Login refresh
+        id: loginRefresh
+        uses: azure/login@v1
+        with:
+          client-id: ${{ secrets.ARM_CLIENT_ID }}
+          tenant-id: ${{ secrets.ARM_TENANT_ID }}
+          enable-AzPSSession: true
+          allow-no-subscriptions: true
+
       - name: Pester Tests
         id: pester
         uses: azure/powershell@v1
@@ -116,7 +125,7 @@ jobs:
             $rsgHsName = "rsg-${{ env.ARM_LOCATION }}-net-hs-pr-${{ env.GH_PR_NUMBER }}"
             $rsgVwanName = "rsg-${{ env.ARM_LOCATION }}-net-vwan-pr-${{ env.GH_PR_NUMBER }}"
             $rsgNetworkWatcherName = "NetworkWatcherRG"
-            $guid = $subId.substring(0,8)
+            $guid = $subId.substring(0,6)
             $rsgDeploymentScriptName = "rsg-${{ env.ARM_LOCATION }}-ds-pr-${{ env.GH_PR_NUMBER }}-$guid"
             $allRoleAssignmentsSub = Get-AzRoleAssignment -Scope "/subscriptions/$subId" -ErrorAction SilentlyContinue
             $rbacIdentitiyNotFoundToCleanupContributor = $allRoleAssignmentsSub | Where-Object { $_.ObjectType -eq "Unknown" -and $_.RoleDefinitionName -eq "Contributor" }

README.md

@@ -9,7 +9,7 @@
 >
 > ℹ️ This module is also available on the Bicep Module Registry [here](https://github.com/Azure/bicep-registry-modules/tree/main/modules/lz/sub-vending). Examples also included in our [wiki examples](https://github.com/Azure/bicep-lz-vending/wiki/examples). ℹ️
 
-The landing zone Bicep modules are designed to accelerate deployment of the individual landing zones (aka Subscriptions) within an Azure AD Tenant.
+The landing zone Bicep modules are designed to accelerate deployment of the individual landing zones (aka Subscriptions) within an Microsoft Entra Tenant.
 
 > See the different types of landing zones in the Azure Landing Zones documentation here: [What is an Azure landing zone? - Platform vs. application landing zones](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/#platform-vs-application-landing-zones)
 

docs/wiki/ConsumerGuide.md

@@ -3,11 +3,38 @@
 
 ## Background
 
-This repository has been created to help customers and partners to create, deploy and deliver landing zone Subscriptions into an Azure AD Tenant utilizing [Bicep](https://aka.ms/bicep) as the Infrastructure-as-Code (IaC) tooling and language of choice.
+This repository has been created to help customers and partners to create, deploy and deliver landing zone Subscriptions into an Microsoft Entra Tenant utilizing [Bicep](https://aka.ms/bicep) as the Infrastructure-as-Code (IaC) tooling and language of choice.
 
 ## Ways to Consume `bicep-lz-vending`
 
-There are various ways to consume the Bicep modules included in `bicep-lz-vending`. The options are:
+### Recommended Way to Consume
+
+The recommend way is to consume the module directly from the [Bicep public registry](https://github.com/Azure/bicep-registry-modules/tree/main/modules/lz/sub-vending#examples)
+
+```bicep
+targetScope = 'managementGroup'
+
+module sub001 'br/public:lz/sub-vending:1.5.1' = {
+  name: 'sub001'
+  params: {
+    subscriptionAliasEnabled: true
+    subscriptionBillingScope: '/providers/Microsoft.Billing/billingAccounts/1234567/enrollmentAccounts/123456'
+    subscriptionAliasName: 'sub-test-001'
+    subscriptionDisplayName: 'sub-test-001'
+    subscriptionTags: {
+      example: 'true'
+    }
+    subscriptionWorkload: 'Production'
+    subscriptionManagementGroupAssociationEnabled: true
+    subscriptionManagementGroupId: 'corp'
+    // Other parameter inputs available, see docs
+  }
+}
+```
+
+### Other Ways to Consume
+
+There are a number of other ways to consume the Bicep modules included in `bicep-lz-vending`. The options are:
 
 - Creating your own GitHub Repository & Utilizing the `Invoke-GitHubReleaseFetcher.ps1` script & `gh-release-checker.yml` GitHub Action Workflow
   - See detailed instruction on using this [below](#creating-your-own-github-repository--utilizing-the-invoke-githubreleasefetcherps1-script--gh-release-checkeryml-github-action-workflow)

main.bicep

@@ -4,7 +4,7 @@ targetScope = 'managementGroup'
 
 metadata name = '`main.bicep` Parameters'
 
-metadata description = 'This module is designed to accelerate deployment of landing zones (aka Subscriptions) within an Azure AD Tenant.'
+metadata description = 'This module is designed to accelerate deployment of landing zones (aka Subscriptions) within an Microsoft Entra Tenant.'
 
 metadata details = '''These are the input parameters for the Bicep module: [`main.bicep`](./main.bicep)
 
@@ -429,7 +429,12 @@ param roleAssignmentEnabled bool = false
 
 Each object must contain the following `keys`:
 - `principalId` = The Object ID of the User, Group, SPN, Managed Identity to assign the RBAC role too.
-- `definition` = The Name of built-In RBAC Roles or a Resource ID of a Built-in or custom RBAC Role Definition.
+- `definition` = The Name of one of the pre-defined built-In RBAC Roles or a Resource ID of a Built-in or custom RBAC Role Definition as follows:
+  - You can only provide the RBAC role name of the pre-defined roles (Contributor, Owner, Reader, Network Contributor, Role Based Access Control Administrator (Preview), User Access Administrator, Security Admin). We only provide those roles as they are the most common ones to assign to a new subscription, also to reduce the template size and complexity in case we define each and every Built-in RBAC role.
+  - You can provide the Resource ID of a Built-in or custom RBAC Role Definition
+    - e.g. `/providers/Microsoft.Authorization/roleDefinitions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx`
+  - You can provide the RBAC role Id of a Built-in RBAC Role Definition
+    - e.g. `xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx`
 - `relativeScope` = 2 options can be provided for input value:
     1. `''` *(empty string)* = Make RBAC Role Assignment to Subscription scope
     2. `'/resourceGroups/<RESOURCE GROUP NAME>'` = Make RBAC Role Assignment to specified Resource Group
@@ -451,7 +456,7 @@ For more information on the telemetry collected by this module, that is controll
 param disableTelemetry bool = false
 
 @sys.description('Guid for the deployment script resources names based on subscription Id.')
-var deploymentScriptResourcesSubGuid = substring((subscriptionAliasEnabled && empty(existingSubscriptionId)) ? createSubscription.outputs.subscriptionId : existingSubscriptionId,0,8)
+var deploymentScriptResourcesSubGuid = substring((subscriptionAliasEnabled && empty(existingSubscriptionId)) ? createSubscription.outputs.subscriptionId : existingSubscriptionId,0,6)
 
 @sys.description('The name of the resource group to create the deployment script for resource providers registration.')
 param deploymentScriptResourceGroupName string = 'rsg-${deployment().location}-ds'
@@ -462,6 +467,21 @@ param deploymentScriptName string = 'ds-${deployment().location}'
 @sys.description('The name of the user managed identity for the resource providers registration deployment script.')
 param deploymentScriptManagedIdentityName string = 'id-${deployment().location}'
 
+@maxLength(64)
+@sys.description('The name of the private virtual network for the deployment script. The string must consist of a-z, A-Z, 0-9, -, _, and . (period) and be between 2 and 64 characters in length.')
+param deploymentScriptVirtualNetworkName string = 'vnet-${deployment().location}'
+
+@sys.description('The name of the network security group for the deployment script private subnet.')
+param deploymentScriptNetworkSecurityGroupName string = 'nsg-${deployment().location}'
+
+@sys.description('The address prefix of the private virtual network for the deployment script.')
+param virtualNetworkDeploymentScriptAddressPrefix string = '192.168.0.0/24'
+
+@sys.description('The name of the storage account for the deployment script.')
+param deploymentScriptStorageAccountName string = 'stglzds${deployment().location}'
+
+@sys.description('The location of the deployment script. Use region shortnames e.g. uksouth, eastus, etc.')
+param deploymentScriptLocation string = deployment().location
 
 @metadata({
   example: {
@@ -471,7 +491,7 @@ param deploymentScriptManagedIdentityName string = 'id-${deployment().location}'
 
 })
 @sys.description('''
-An object of resource providers and resource providers features to register. If left blank/empty, a list of most common resource providers will be registered.
+An object of resource providers and resource providers features to register. If left blank/empty, no resource providers will be registered.
 
 - Type: `{}` Object
 - Default value: `{
@@ -682,6 +702,11 @@ module createSubscriptionResources 'src/self/subResourceWrapper/deploy.bicep' =
     deploymentScriptName: '${deploymentScriptName}-${deploymentScriptResourcesSubGuid}'
     deploymentScriptManagedIdentityName: '${deploymentScriptManagedIdentityName}-${deploymentScriptResourcesSubGuid}'
     resourceProviders: resourceProviders
+    deploymentScriptVirtualNetworkName: deploymentScriptVirtualNetworkName
+    deploymentScriptNetworkSecurityGroupName: deploymentScriptNetworkSecurityGroupName
+    deploymentScriptLocation: deploymentScriptLocation
+    virtualNetworkDeploymentScriptAddressPrefix: virtualNetworkDeploymentScriptAddressPrefix
+    deploymentScriptStorageAccountName: '${deploymentScriptStorageAccountName}${deploymentScriptResourcesSubGuid}'
   }
 }