Updates to allow optional identity resources (#838)

Author: jamasten

src/bicep/form/mlz.portal.json

@@ -100,10 +100,20 @@
                     "text": "The Identity spoke can be used to house Active Directory and other AuthN and AuthZ solutions."
                   }
                 },
+                {
+                  "name": "deployIdentity",
+                  "type": "Microsoft.Common.CheckBox",
+                  "label": "Deploy identity resources?",
+                  "toolTip": "Check here to create the identity resources.",
+                  "constraints": {
+                    "required": false
+                  }
+                },
                 {
                   "name": "identitySubscriptionId",
                   "label": "Identity Subscription",
                   "type": "Microsoft.Common.DropDown",
+                  "visible": "[steps('basics').identitySection.deployIdentity]",
                   "defaultValue": "",
                   "toolTip": "Select the Subscription for your Mission Landing Zone Identity network.",
                   "multiselect": false,
@@ -195,11 +205,11 @@
                   "name": "location",
                   "type": "Microsoft.Common.LocationSelector",
                   "label": "Location",
-                  "toolTip": "Select the location for the AVD session hosts.",
+                  "toolTip": "Select the deployment location for MLZ.",
                   "resourceTypes": [
-                      "Microsoft.Compute/virtualMachines"
+                    "Microsoft.Compute/virtualMachines"
                   ]
-              }
+                }
               ]
             },
             {
@@ -444,6 +454,7 @@
               "name": "identityVirtualNetwork",
               "label": "Identity Virtual Network",
               "type": "Microsoft.Common.Section",
+              "visible": "[steps('basics').identitySection.deployIdentity]",
               "elements": [
                 {
                   "name": "virtualNetworkAddressCidrRange",
@@ -992,6 +1003,7 @@
       "parameters": {
         "bastionHostSubnetAddressPrefix": "[steps('remoteAccess').azureBastionSubnetSection.bastionSubnetAddressCidrRange]",
         "deployDefender": "[steps('compliance').defenderSection.deployDefender]",
+        "deployIdentity": "[steps('basics').identitySection.deployIdentity]",
         "deployPolicy": "[steps('compliance').policySection.deployPolicy]",
         "deployRemoteAccess": "[steps('remoteAccess').remoteAccessSection.deployRemoteAccess]",
         "deploySentinel": "[steps('compliance').sentinelSection.deploySentinel]",
@@ -1004,7 +1016,7 @@
         "hubVirtualNetworkAddressPrefix": "[steps('networking').hubVirtualNetwork.virtualNetworkAddressCidrRange]",
         "hybridUseBenefit": "[steps('remoteAccess').windowsVmSection.hybridUseBenefit]",
         "identitySubnetAddressPrefix": "[steps('networking').identityVirtualNetwork.subnetAddressCidrRange]",
-        "identitySubscriptionId": "[replace(steps('basics').identitySection.identitySubscriptionId, '/subscriptions/', '')]",
+        "identitySubscriptionId": "[if(steps('basics').identitySection.deployIdentity, replace(steps('basics').identitySection.identitySubscriptionId, '/subscriptions/', ''), replace(steps('basics').hubSection.hubSubscriptionId, '/subscriptions/', ''))]",
         "identityVirtualNetworkAddressPrefix": "[steps('networking').identityVirtualNetwork.virtualNetworkAddressCidrRange]",
         "linuxVmAdminPasswordOrKey": "[if(equals(steps('remoteAccess').linuxVmSection.linuxVmAdminPasswordOrKey.authenticationType, 'password'), steps('remoteAccess').linuxVmSection.linuxVmAdminPasswordOrKey.password, steps('remoteAccess').linuxVmSection.linuxVmAdminPasswordOrKey.sshPublicKey)]",
         "linuxVmAdminUsername": "[steps('remoteAccess').linuxVmSection.linuxVmAdminUsername]",

src/bicep/mlz.bicep

@@ -48,6 +48,9 @@ param supportedClouds array = [
   'AzureUSGovernment'
 ]
 
+@description('Choose to deploy the identity resources. The identity resoures are not required if you plan to use cloud identities.')
+param deployIdentity bool
+
 // RESOURCE NAMING PARAMETERS
 
 @description('A suffix to use for naming deployments uniquely. It defaults to the Bicep resolution of the "utcNow()" function.')
@@ -655,26 +658,8 @@ var bastionHostPublicIPAddressAllocationMethod = 'Static'
 
 // SPOKES
 
-var spokes = [
-  {
-    name: identityName
-    subscriptionId: identitySubscriptionId
-    resourceGroupName: identityResourceGroupName
-    logStorageAccountName: identityLogStorageAccountName
-    virtualNetworkName: identityVirtualNetworkName
-    virtualNetworkAddressPrefix: identityVirtualNetworkAddressPrefix
-    virtualNetworkDiagnosticsLogs: identityVirtualNetworkDiagnosticsLogs
-    virtualNetworkDiagnosticsMetrics: identityVirtualNetworkDiagnosticsMetrics
-    networkSecurityGroupName: identityNetworkSecurityGroupName
-    networkSecurityGroupRules: identityNetworkSecurityGroupRules
-    networkSecurityGroupDiagnosticsLogs: identityNetworkSecurityGroupDiagnosticsLogs
-    networkSecurityGroupDiagnosticsMetrics: identityNetworkSecurityGroupDiagnosticsMetrics
-    routeTableName: identityRouteTableName
-    subnetName: identitySubnetName
-    subnetAddressPrefix: identitySubnetAddressPrefix
-    subnetPrivateEndpointNetworkPolicies: 'Disabled'
-    subnetPrivateLinkServiceNetworkPolicies: 'Disabled'
-  }
+var spokes = union(spokesCommon, spokesIdentity)
+var spokesCommon = [
   {
     name: operationsName
     subscriptionId: operationsSubscriptionId
@@ -714,6 +699,27 @@ var spokes = [
     subnetPrivateLinkServiceNetworkPolicies: 'Disabled'
   }
 ]
+var spokesIdentity = deployIdentity ? [
+  {
+    name: identityName
+    subscriptionId: identitySubscriptionId
+    resourceGroupName: identityResourceGroupName
+    logStorageAccountName: identityLogStorageAccountName
+    virtualNetworkName: identityVirtualNetworkName
+    virtualNetworkAddressPrefix: identityVirtualNetworkAddressPrefix
+    virtualNetworkDiagnosticsLogs: identityVirtualNetworkDiagnosticsLogs
+    virtualNetworkDiagnosticsMetrics: identityVirtualNetworkDiagnosticsMetrics
+    networkSecurityGroupName: identityNetworkSecurityGroupName
+    networkSecurityGroupRules: identityNetworkSecurityGroupRules
+    networkSecurityGroupDiagnosticsLogs: identityNetworkSecurityGroupDiagnosticsLogs
+    networkSecurityGroupDiagnosticsMetrics: identityNetworkSecurityGroupDiagnosticsMetrics
+    routeTableName: identityRouteTableName
+    subnetName: identitySubnetName
+    subnetAddressPrefix: identitySubnetAddressPrefix
+    subnetPrivateEndpointNetworkPolicies: 'Disabled'
+    subnetPrivateLinkServiceNetworkPolicies: 'Disabled'
+  }
+] : []
 
 // TAGS
 
@@ -880,9 +886,19 @@ module privateDnsZones './modules/private-dns.bicep' = {
   name: 'deploy-private-dns-zones-${deploymentNameSuffix}'
   scope: resourceGroup(hubSubscriptionId, hubResourceGroupName)
   params: {
-    vnetName: hubNetwork.outputs.virtualNetworkName
+    deployIdentity: deployIdentity
+    deploymentNameSuffix: deploymentNameSuffix
+    hubVirtualNetworkName: hubNetwork.outputs.virtualNetworkName
+    hubVirtualNetworkResourceGroupName: hubResourceGroupName
+    hubVirtualNetworkSubscriptionId: hubSubscriptionId
+    identityVirtualNetworkName: deployIdentity ? spokes[2].virtualNetworkName : ''
+    identityVirtualNetworkResourceGroupName: identityResourceGroupName
+    identityVirtualNetworkSubscriptionId: identitySubscriptionId
     tags: tags
   }
+  dependsOn: [
+    spokeNetworks
+  ]
 }
 
 // OPERATIONS CMK DEPENDANCIES
@@ -897,7 +913,7 @@ module operationsCustomerManagedKeys './core/operations-customer-managed-keys.bi
     keyVaultPrivateDnsZoneResourceId: privateDnsZones.outputs.keyvaultDnsPrivateDnsZoneId
     location: location
     resourcePrefix: resourcePrefix
-    subnetResourceId: spokeNetworks[1].outputs.subnetResourceId
+    subnetResourceId: spokeNetworks[0].outputs.subnetResourceId
     tags: calculatedTags
     userAssignedIdentityName: operationsUserAssignedIdentityName
   }
@@ -921,7 +937,7 @@ module azureMonitor './modules/azure-monitor.bicep' = if (contains(supportedClou
     location: location
     tags: tags
     resourcePrefix: resourcePrefix
-    subnetResourceId: spokeNetworks[1].outputs.subnetResourceId
+    subnetResourceId: spokeNetworks[0].outputs.subnetResourceId
   }
   dependsOn: [
     logAnalyticsWorkspace