From 1894ae7407b3311b47dd5c5f45d6ecb70d3c2212 Mon Sep 17 00:00:00 2001
From: Sacha Narinx <Springstone@users.noreply.github.com>
Date: Sun, 7 Jan 2024 16:39:02 +0400
Subject: [PATCH] Portal Accelerator Bug Fixes (#1520)

Co-authored-by: github-actions <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Jack Tracey <41163455+jtracey93@users.noreply.github.com>
---
 docs/wiki/Whats-new.md   |  2 ++
 eslzArm/eslz-portal.json |  2 +-
 eslzArm/eslzArm.json     | 48 +++++++++++++++++++++++++++++++++++++++-
 3 files changed, 50 insertions(+), 2 deletions(-)

diff --git a/docs/wiki/Whats-new.md b/docs/wiki/Whats-new.md
index f69986b06d..e99e75ee6d 100644
--- a/docs/wiki/Whats-new.md
+++ b/docs/wiki/Whats-new.md
@@ -45,6 +45,8 @@ Here's what's changed in Enterprise Scale/Azure Landing Zones:
 
 #### Tooling
 
+- Bug fix for Portal Accelerator, removing region restrictions for VPN Gateways when deploying regional (not AZ).
+- Bug fix for Portal Accelerator deployment when deploying using a single platform subscription. Previously, a single tenant deployment would have three failed deployments for diagnostic settings which were looking for non-existent management groups (Management, Identity and Connectivity). This has been fixed and the deployment will now succeed.
 - Added drop down selection option for Azure Private Link Private DNS Zones as part of portal based ALZ deployment experience where you can select to deploy or not to deploy a subset of Private Link Private DNS zones.
 
 ### December 2023
diff --git a/eslzArm/eslz-portal.json b/eslzArm/eslz-portal.json
index edc9da0a5f..741393e937 100644
--- a/eslzArm/eslz-portal.json
+++ b/eslzArm/eslz-portal.json
@@ -1931,7 +1931,7 @@
                             "selectAll": false,
                             "filter": false,
                             "multiLine": true,
-                            "visible": "[and(and(equals(steps('connectivity').enableVpnGw, 'Yes'), not(equals(steps('connectivity').enableHub, 'vwan'))), equals(steps('connectivity').enableVpnGw,'Yes'), equals(steps('connectivity').gwRegionalOrAz, 'Regional') ,contains(split('canadacentral,centralus,eastus,eastus2,southcentralus,westus2,francecentral,germanywestcentral,northeurope,westeurope,uksouth,southafricanorth,japaneast,southeastasia,australiaeast,italynorth', ','), steps('connectivity').connectivityLocation))]",
+                            "visible": "[and(and(equals(steps('connectivity').enableVpnGw, 'Yes'), not(equals(steps('connectivity').enableHub, 'vwan'))), equals(steps('connectivity').enableVpnGw,'Yes'), equals(steps('connectivity').gwRegionalOrAz, 'Regional'))]",
                             "toolTip": "Select the required SKU for the VPN gateway.",
                             "constraints": {
                                 "allowedValues": [
diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json
index 81e783f1bd..aeaf204ea9 100644
--- a/eslzArm/eslzArm.json
+++ b/eslzArm/eslzArm.json
@@ -859,13 +859,28 @@
             "decommissioned": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-', 'decommissioned')]",
             "sandboxes": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-', 'sandboxes')]"
         },
+        "mgmtGroupsLite": {
+            "eslzRoot": "[parameters('enterpriseScaleCompanyPrefix')]",
+            "platform": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-', 'platform')]",
+            "lzs": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-', 'landingzones')]",
+            "corp": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-', 'corp')]",
+            "online": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-', 'online')]",
+            "decommissioned": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-', 'decommissioned')]",
+            "sandboxes": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-', 'sandboxes')]"
+        },
         "copy": [
             {
                 "name": "mgmtGroupsArray",
                 "count": "[length(items(variables('mgmtGroups')))]",
                 "input": "[items(variables('mgmtGroups'))[copyIndex('mgmtGroupsArray')].value]"
+            },
+            {
+                "name": "mgmtGroupsESLiteArray",
+                "count": "[length(items(variables('mgmtGroupsLite')))]",
+                "input": "[items(variables('mgmtGroupsLite'))[copyIndex('mgmtGroupsESLiteArray')].value]"
             }
         ],
+        
         // Declaring scopes that will be used for optional deployments, such as platform components (monitoring, networking, identity), policy assignments, subscription placement etc.
         "scopes": {
             "eslzRootManagementGroup": "[tenantResourceId('Microsoft.Management/managementGroups/', variables('mgmtGroups').eslzRoot)]",
@@ -1654,7 +1669,7 @@
         },
         {
             // Deploying Diagnostic Settings to management groups if Log Analytics was deployed via a loop
-            "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), equals(parameters('enableLogAnalytics'), 'Yes'))]",
+            "condition": "[and(empty(parameters('singlePlatformSubscriptionId')), not(empty(parameters('managementSubscriptionId'))), equals(parameters('enableLogAnalytics'), 'Yes'))]",
             "type": "Microsoft.Resources/deployments",
             "apiVersion": "2020-10-01",
             "name": "[take(concat(variables('mgmtGroupsArray')[copyIndex()], variables('deploymentNames').diagnosticSettingsforMGsDeploymentName), 64)]",
@@ -1683,6 +1698,37 @@
                 }
             }
         },
+        {
+            // Deploying Diagnostic Settings to ESLite management groups if Log Analytics was deployed via a loop
+            "condition": "[and(not(empty(parameters('singlePlatformSubscriptionId'))), empty(parameters('managementSubscriptionId')), equals(parameters('enableLogAnalytics'), 'Yes'))]",
+            "type": "Microsoft.Resources/deployments",
+            "apiVersion": "2020-10-01",
+            "name": "[take(concat(variables('mgmtGroupsESLiteArray')[copyIndex()], variables('deploymentNames').diagnosticSettingsforMGsDeploymentName), 64)]",
+            "scope": "[concat('Microsoft.Management/managementGroups/', variables('mgmtGroupsESLiteArray')[copyIndex()])]",
+            "location": "[deployment().location]",
+            "dependsOn": [
+                "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]",
+                "[resourceId('Microsoft.Resources/deployments', variables('esLitedeploymentNames').platformLiteSubscriptionPlacement)]",
+                "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]",
+                "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').monitoringLiteDeploymentName)]"
+            ],
+            "copy": {
+                "name": "mgDiagSettings",
+                "count": "[length(variables('mgmtGroupsESLiteArray'))]"
+            },
+            "properties": {
+                "mode": "Incremental",
+                "templateLink": {
+                    "contentVersion": "1.0.0.0",
+                    "uri": "[variables('deploymentUris').diagnosticSettingsforManagementGroups]"
+                },
+                "parameters": {
+                    "logAnalyticsResourceId": {
+                        "value": "[variables('platformResourceIds').logAnalyticsResourceId]"
+                    }
+                }
+            }
+        },
         {
             // Assigning Microsoft Cloud Security Benchmark policy to intermediate root management group if condition is true
             "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), or(equals(parameters('enableLogAnalytics'), 'Yes'), equals(parameters('enableAsc'), 'Yes')))]",