cds-snc
diff --git a/‎.pipelines/templates/steps/deploy-platform-connectivity-hub-azfw.yml‎
Lines changed: 9 additions & 9 deletions b/‎.pipelines/templates/steps/deploy-platform-connectivity-hub-azfw.yml‎
Lines changed: 9 additions & 9 deletions
diff --git a/‎config/networking/CanadaESLZ-main/hub-azfw/hub-network.parameters.json‎
Lines changed: 138 additions & 109 deletions b/‎config/networking/CanadaESLZ-main/hub-azfw/hub-network.parameters.json‎
Lines changed: 138 additions & 109 deletions
@@ -75,7 +75,7 @@ steps:
 
       # Check if the Azure Firewall Policy Id is provided in the parameters json.
       # If present, then do no change it.  Otherwise add it to the json parameter file.
-      AZURE_FIREWALL_POLICY_RESOURCE_ID_IN_PARAMETERS=`jq -r .parameters.azureFirewallExistingPolicyId.value ${{ parameters.networkingConfigurationPath }}`   
+      AZURE_FIREWALL_POLICY_RESOURCE_ID_IN_PARAMETERS=`jq -r .parameters.hub.value.azureFirewall.firewallPolicyId ${{ parameters.networkingConfigurationPath }}`   
 
       if [[ $AZURE_FIREWALL_POLICY_RESOURCE_ID_IN_PARAMETERS != null && "$AZURE_FIREWALL_POLICY_RESOURCE_ID_IN_PARAMETERS" != "" ]];
       then
@@ -98,7 +98,7 @@ steps:
         echo "Azure Firewall Policy Id: $AZURE_FIREWALL_POLICY_ID"
 
         # use jq to update the json parameter file
-        echo "$( jq '.parameters.azureFirewallExistingPolicyId.value = "'$AZURE_FIREWALL_POLICY_ID'"' ${{ parameters.networkingConfigurationPath }} )" > ${{ parameters.networkingConfigurationPath }}
+        echo "$( jq '.parameters.hub.value.azureFirewall.firewallPolicyId = "'$AZURE_FIREWALL_POLICY_ID'"' ${{ parameters.networkingConfigurationPath }} )" > ${{ parameters.networkingConfigurationPath }}
       fi
 
       # Check if the log analytics workspace id is provided in the parameters json.
@@ -127,16 +127,16 @@ steps:
     workingDirectory: '${{ parameters.workingDir }}/lz-platform-connectivity-hub-azfw'
 
 - task: AzureCLI@2
-  displayName: Azure Policy - Enable Private DNS Zone Policies (if deployPrivateDnsZones=true in config)
+  displayName: Azure Policy - Enable Private DNS Zone Policies (if privateDnsZones.enabled=true in config)
   inputs:
     azureSubscription: $(serviceConnection)
     scriptType: 'bash'
     scriptLocation: 'inlineScript'
     inlineScript: |
       $(var-bashPreInjectScript)
 
-      DEPLOY_PRIVATE_DNS_ZONES=`jq -r .parameters.deployPrivateDnsZones.value ${{ parameters.networkingConfigurationPath }}`
-      PRIVATE_DNS_ZONES_RESOURCE_GROUP=`jq -r .parameters.rgPrivateDnsZonesName.value ${{ parameters.networkingConfigurationPath }}`   
+      DEPLOY_PRIVATE_DNS_ZONES=`jq -r .parameters.privateDnsZones.value.enabled ${{ parameters.networkingConfigurationPath }}`
+      PRIVATE_DNS_ZONES_RESOURCE_GROUP=`jq -r .parameters.privateDnsZones.value.resourceGroupName ${{ parameters.networkingConfigurationPath }}`   
 
       case $DEPLOY_PRIVATE_DNS_ZONES in
         (true)
@@ -164,22 +164,22 @@ steps:
     workingDirectory: '$(System.DefaultWorkingDirectory)/policy/custom/assignments'
 
 - task: AzureCLI@2
-  displayName: Azure Policy - Enable DDoS Standard (if deployDdosStandard=true in config)
+  displayName: Azure Policy - Enable DDoS Standard (if ddosStandard.enabled=true in config)
   inputs:
     azureSubscription: $(serviceConnection)
     scriptType: 'bash'
     scriptLocation: 'inlineScript'
     inlineScript: |
       $(var-bashPreInjectScript)
 
-      DEPLOY_DDOS_STANDARD=`jq -r .parameters.deployDdosStandard.value ${{ parameters.networkingConfigurationPath }}`
+      DEPLOY_DDOS_STANDARD=`jq -r .parameters.ddosStandard.value.enabled ${{ parameters.networkingConfigurationPath }}`
 
       case $DEPLOY_DDOS_STANDARD in
         (true)
           echo "DDoS Standard is enabled, creating Azure Policy assignment to protect for all Virtual Networks in '$(var-topLevelManagementGroupName)' management group."
 
-          DDOS_STANDARD_RESOURCE_GROUP_NAME=`jq -r .parameters.rgDdosName.value ${{ parameters.networkingConfigurationPath }}`
-          DDOS_STANDARD_PLAN_NAME=`jq -r .parameters.ddosPlanName.value ${{ parameters.networkingConfigurationPath }}`
+          DDOS_STANDARD_RESOURCE_GROUP_NAME=`jq -r .parameters.ddosStandard.value.resourceGroupName ${{ parameters.networkingConfigurationPath }}`
+          DDOS_STANDARD_PLAN_NAME=`jq -r .parameters.ddosStandard.value.planName ${{ parameters.networkingConfigurationPath }}`
 
           # Identify the Resource Id for DDOS Standard Plan
           DDOS_PLAN_ID=`az network ddos-protection show -g $DDOS_STANDARD_RESOURCE_GROUP_NAME -n $DDOS_STANDARD_PLAN_NAME --subscription ${{ parameters.networkingSubscriptionId }} --query id -o tsv`
 
@@ -77,120 +77,149 @@
         "TechnicalContact": "technical-contact-tag"
       }
     },
-    "deployPrivateDnsZones": {
-      "value": true
-    },
-    "rgPrivateDnsZonesName": {
-      "value": "pubsec-dns-rg"
-    },
-    "deployDdosStandard": {
-      "value": false
-    },
-    "rgDdosName": {
-      "value": "pubsec-ddos-rg"
-    },
-    "ddosPlanName": {
-      "value": "ddos-plan"
-    },
-    "bastionName": {
-      "value": "bastion"
-    },
-    "bastionSku": {
-      "value": "Standard"
-    },
-    "bastionScaleUnits": {
-      "value": 2
-    },
-    "rgPazName": {
-      "value": "pubsec-public-access-zone-rg"
-    },
-    "rgMrzName": {
-      "value": "pubsec-management-restricted-zone-rg"
-    },
-    "mrzVnetName": {
-      "value": "management-restricted-vnet"
-    },
-    "mrzVnetAddressPrefixRFC1918": {
-      "value": "10.18.4.0/22"
-    },
-    "mrzMazSubnetName": {
-      "value": "MazSubnet"
-    },
-    "mrzMazSubnetAddressPrefix": {
-      "value": "10.18.4.0/25"
-    },
-    "mrzInfSubnetName": {
-      "value": "InfSubnet"
-    },
-    "mrzInfSubnetAddressPrefix": {
-      "value": "10.18.4.128/25"
-    },
-    "mrzSecSubnetName": {
-      "value": "SecSubnet"
-    },
-    "mrzSecSubnetAddressPrefix": {
-      "value": "10.18.5.0/26"
-    },
-    "mrzLogSubnetName": {
-      "value": "LogSubnet"
-    },
-    "mrzLogSubnetAddressPrefix": {
-      "value": "10.18.5.64/26"
-    },
-    "mrzMgmtSubnetName": {
-      "value": "MgmtSubnet"
-    },
-    "mrzMgmtSubnetAddressPrefix": {
-      "value": "10.18.5.128/26"
-    },
-    "rgHubName": {
-      "value": "pubsec-hub-networking-rg"
-    },
-    "hubVnetName": {
-      "value": "hub-vnet"
-    },
-    "hubVnetAddressPrefixRFC1918": {
-      "value": "10.18.0.0/22"
-    },
-    "hubVnetAddressPrefixRFC6598": {
-      "value": "100.60.0.0/16"
-    },
-    "hubVnetAddressPrefixBastion": {
-      "value": "192.168.0.0/16"
-    },
-    "hubPazSubnetName": {
-      "value": "PAZSubnet"
-    },
-    "hubPazSubnetAddressPrefix": {
-      "value": "100.60.1.0/24"
-    },
-    "hubGatewaySubnetAddressPrefix": {
-      "value": "10.18.0.0/27"
-    },
-    "hubAzureFirewallSubnetAddressPrefix": {
-      "value": "10.18.1.0/24"
-    },
-    "hubAzureFirewallManagementSubnetAddressPrefix": {
-      "value": "10.18.2.0/26"
+    "privateDnsZones": {
+      "value": {
+        "enabled": true,
+        "resourceGroupName": "pubsec-dns-rg"
+      }
     },
-    "hubBastionSubnetAddressPrefix": {
-      "value": "192.168.0.0/24"
+    "ddosStandard": {
+      "value": {
+        "enabled": false,
+        "resourceGroupName": "pubsec-ddos-rg",
+        "planName": "ddos-plan"
+      }
     },
-    "azureFirewallName": {
-      "value": "pubsecAzureFirewall"
+    "publicAccessZone": {
+      "value": {
+        "enabled": true,
+        "resourceGroupName": "pubsec-public-access-zone-rg"
+      }
     },
-    "azureFirewallZones": {
-      "value": [
-        "1",
-        "2",
-        "3"
-      ]
+    "managementRestrictedZone": {
+      "value": {
+        "enabled": true,
+        "resourceGroupName": "pubsec-management-restricted-zone-rg",
+        "network": {
+          "name": "management-restricted-vnet",
+          "addressPrefixes": ["10.18.4.0/22"],
+          "subnets": [
+            {
+              "comments": "Management (Access Zone) Subnet",
+              "name": "MazSubnet",
+              "addressPrefix": "10.18.4.0/25",
+              "nsg": {
+                  "enabled": true
+              },
+              "udr": {
+                  "enabled": true
+              }
+            },
+            {
+              "comments": "Infrastructure Services (Restricted Zone) Subnet",
+              "name": "InfSubnet",
+              "addressPrefix": "10.18.4.128/25",
+              "nsg": {
+                  "enabled": true
+              },
+              "udr": {
+                  "enabled": true
+              }
+            },
+            {
+              "comments": "Security Services (Restricted Zone) Subnet",
+              "name": "SecSubnet",
+              "addressPrefix": "10.18.5.0/26",
+              "nsg": {
+                  "enabled": true
+              },
+              "udr": {
+                  "enabled": true
+              }
+            },
+            {
+              "comments": "Logging Services (Restricted Zone) Subnet",
+              "name": "LogSubnet",
+              "addressPrefix": "10.18.5.64/26",
+              "nsg": {
+                  "enabled": true
+              },
+              "udr": {
+                  "enabled": true
+              }
+            },
+            {
+              "comments": "Core Management Interfaces (Restricted Zone) Subnet",
+              "name": "MgmtSubnet",
+              "addressPrefix": "10.18.5.128/26",
+              "nsg": {
+                  "enabled": true
+              },
+              "udr": {
+                  "enabled": true
+              }
+            }
+          ]
+        }
+      }
     },
-    "azureFirewallForcedTunnelingEnabled": {
-      "value": false
+    "hub": {
+      "value": {
+        "resourceGroupName": "pubsec-hub-networking-rg",
+        "bastion": {
+          "enabled": true,
+          "name": "bastion",
+          "sku": "Standard",
+          "scaleUnits": 2
+        },
+        "azureFirewall": {
+          "name": "pubsecAzureFirewall",
+          "availabilityZones": ["1", "2", "3"],
+          "forcedTunnelingEnabled": false,
+          "forcedTunnelingNextHop": "10.17.1.4"
+        },
+        "network": {
+          "name": "hub-vnet",
+          "addressPrefixes": [
+            "10.18.0.0/22",
+            "100.60.0.0/16"
+          ],
+          "addressPrefixBastion": "192.168.0.0/16",
+          "subnets": {
+            "gateway": {
+              "comments": "Gateway Subnet used for VPN and/or Express Route connectivity",
+              "name": "GatewaySubnet",
+              "addressPrefix": "10.18.0.0/27"
+            },
+            "firewall": {
+              "comments": "Azure Firewall",
+              "name": "AzureFirewallSubnet",
+              "addressPrefix": "10.18.1.0/24"
+            },
+            "firewallManagement": {
+              "comments": "Azure Firewall Management",
+              "name": "AzureFirewallManagementSubnet",
+              "addressPrefix": "10.18.2.0/26"
+            },
+            "bastion": {
+              "comments": "Azure Bastion",
+              "name": "AzureBastionSubnet",
+              "addressPrefix": "192.168.0.0/24"
+            },
+            "publicAccess": {
+              "comments": "Public Access Zone (Application Gateway)",
+              "name": "PAZSubnet",
+              "addressPrefix": "100.60.1.0/24"
+            },
+            "optional": []
+          }
+        }
+      }
     },
-    "azureFirewallForcedTunnelingNextHop": {
-      "value": "10.17.1.4"
+    "networkWatcher": {
+      "value": {
+        "resourceGroupName": "NetworkWatcherRG"
+      }
     }
   }
 }