Fixed Image Version reference in VM Template property (Azure#1023)
* Added image definition ID to vm template

* Fixed value for galleryItemId

* Changed param for image version
jamasten authored May 8, 2024
1 parent ad99d2f commit 6cdbc4f
Showing 10 changed files with 225 additions and 188 deletions.
7 changes: 1 addition & 6 deletions docs/deployment-guide-bicep.md
Expand Up @@ -246,12 +246,7 @@ Mission Landing Zone can be deployed using the Azure Portal or with command-line

The Azure Portal can be used to deploy Mission Landing Zone. The buttons below invoke an Azure Portal input form that maps user input values to the MLZ ARM template that was compiled from the Bicep template.

<!-- markdownlint-disable MD013 -->
<!-- allow for longer lines to acommodate button links -->
| Azure Commercial | Azure Government |
| :--- | :--- |
| [![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#blade/Microsoft_Azure_CreateUIDef/CustomDeploymentBlade/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fmissionlz%2Fmain%2Fsrc%2Fbicep%2Fmlz.json/uiFormDefinitionUri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fmissionlz%2Fmain%2Fsrc%2Fbicep%2Fform%2Fmlz.portal.json) | [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#blade/Microsoft_Azure_CreateUIDef/CustomDeploymentBlade/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fmissionlz%2Fmain%2Fsrc%2Fbicep%2Fmlz.json/uiFormDefinitionUri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fmissionlz%2Fmain%2Fsrc%2Fbicep%2Fform%2Fmlz.portal.json) |
<!-- markdownlint-enable MD013 -->
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#blade/Microsoft_Azure_CreateUIDef/CustomDeploymentBlade/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fmissionlz%2Fmain%2Fsrc%2Fbicep%2Fmlz.json/uiFormDefinitionUri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fmissionlz%2Fmain%2Fsrc%2Fbicep%2Fform%2Fmlz.portal.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#blade/Microsoft_Azure_CreateUIDef/CustomDeploymentBlade/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fmissionlz%2Fmain%2Fsrc%2Fbicep%2Fmlz.json/uiFormDefinitionUri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fmissionlz%2Fmain%2Fsrc%2Fbicep%2Fform%2Fmlz.portal.json)

### Command Line Deployment Using the Azure CLI or PowerShell
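Review bot: dropping the `<!-- markdownlint-disable MD013 -->` / `<!-- markdownlint-enable MD013 -->` pair while keeping both button links on a single line longer than the old table row will reintroduce the MD013 line-length warning those comments existed to suppress; either keep the disable/enable pair around the new line or confirm MD013 is disabled in the repository's markdownlint configuration. This docs edit is also unrelated to the image-version fix named in the commit title and would be easier to review as its own commit.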

26 changes: 13 additions & 13 deletions docs/scca.md
Expand Up @@ -30,23 +30,23 @@ REQ ID | BCAP Security Requirements | Azure Technologies | Mission LZ
2.1.1.4 | The BCAP shall provide the capability to detect and prevent IP Address Spoofing and IP Route Hijacking | Network Security Groups | ✔️
2.1.1.5 | The BCAP shall provide the capability to prevent device identity policy infringement (prevent rogue device access) | Microsoft Defender for Cloud and network route configuration | ✔️
2.1.1.6 | The BCAP shall provide the capability to detect and prevent passive and active network enumeration scanning originating from within the CSE | Microsoft Defender for Cloud | ✔️
2.1.1.7 | The BCAP shall provide the capability to detect and prevent unauthorized data exfiltration from the DISN to an end-point inside CSE | N/A |
2.1.1.7 | The BCAP shall provide the capability to detect and prevent unauthorized data exfiltration from the DISN to an end-point inside CSE | N/A | N/A
2.1.1.8 | The BCAP and/or BCAP Management System shall provide the capability to sense, correlate, and warn on advanced persistent threats | Microsoft Defender for Cloud | ✔️
2.1.1.9 | The BCAP shall provide the capability to detect custom traffic and activity signatures | Microsoft Defender for Cloud | ✔️
2.1.1.10 | The BCAP shall provide an interface to conduct ports, protocols, and service management (PPSM) activities in order to provide control for BCND providers | Azure Firewall <br/> Network Security Groups <br/> Network Watcher | ✔️
2.1.1.11 | The BCAP shall provide full packet capture (FPC) for traversing communications | N/A |
2.1.1.11 | The BCAP shall provide full packet capture (FPC) for traversing communications | N/A | N/A
2.1.1.12 | The BCAP shall provide network packet flow metrics and statistics for all traversing communications | Azure Firewall <br/> Log Analytics <br/> Network Watcher | ✔️
2.1.1.13 | The BCAP shall provide the capability to detect and prevent application session hijacking | N/A |
2.1.1.13 | The BCAP shall provide the capability to detect and prevent application session hijacking | N/A | N/A

## VDSS Controls

REQ ID | VDSS Security Requirements | Azure Technologies | Mission LZ
-------|----------------------------|--------------------|-----------
2.1.2.1 | The VDSS shall maintain virtual separation of all management, user, and data traffic. | Azure Virtual Network <br/> Azure Firewall <br/> Network Security Groups | ✔️
2.1.2.2 | The VDSS shall allow the use of encryption for segmentation of management traffic. | Azure Virtual Network (default) | ✔️
2.1.2.3 | The VDSS shall provide a reverse proxy capability to handle access requests from client systems | N/A |
2.1.2.4 | The VDSS shall provide a capability to inspect and filter application layer conversations based on a predefined set of rules (including HTTP) to identify and block malicious content | N/A |
2.1.2.5 | The VDSS shall provide a capability that can distinguish and block unauthorized application layer traffic | N/A |
2.1.2.3 | The VDSS shall provide a reverse proxy capability to handle access requests from client systems | N/A | N/A
2.1.2.4 | The VDSS shall provide a capability to inspect and filter application layer conversations based on a predefined set of rules (including HTTP) to identify and block malicious content | N/A | N/A
2.1.2.5 | The VDSS shall provide a capability that can distinguish and block unauthorized application layer traffic | N/A | N/A
2.1.2.6 | The VDSS shall provide a capability that monitors network and system activities to detect and report malicious activities for traffic entering and exiting Mission Owner virtual private networks/enclaves | Azure Monitor <br/> Microsoft Defender for Cloud <br/> Network Watcher | ✔️
2.1.2.7 | The VDSS shall provide a capability that monitors network and system activities to stop or block detected malicious activity | Microsoft Defender for Cloud | ✔️
2.1.2.8 | The VDSS shall inspect and filter traffic traversing between mission owner virtual private networks/enclaves. | Azure Firewall <br/> Log Analytics | ✔️
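Review bot: filling the empty Mission LZ cells with `N/A` makes "not applicable" and "not provided by Mission LZ" indistinguishable; for BCAP rows such as 2.1.1.7 (exfiltration detection), 2.1.1.11 (full packet capture) and 2.1.1.13 (session hijacking) the requirement is applicable but not met, so a distinct marker, or a legend defining ✔️ and N/A, would be clearer for anyone using this table in an SCCA assessment. As with the deployment-guide change, this is unrelated to the commit title.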
Expand All @@ -55,8 +55,8 @@ REQ ID | VDSS Security Requirements | Azure Technologies | Mission LZ
2.1.2.11 | The VDSS shall provide a monitoring capability that captures log files and event data for cybersecurity analysis | Azure Monitor <br/> Azure Log Analytics <br/> Azure Activity Logs | ✔️
2.1.2.12 | The VDSS shall provide or feed security information and event data to an allocated archiving system for common collection, storage, and access to event logs by privileged users performing Boundary and Mission CND activities | Microsoft Defender for Cloud <br/> Azure Log Analytics | ✔️
2.1.2.13 | The VDSS shall provide a FIPS-140-2 compliant encryption key management system for storage of DoD generated and assigned server private encryption key credentials for access and use by the Web Application Firewall (WAF) in the execution of SSL/TLS break and inspection of encrypted communication sessions. | Azure Key Vault | ✔️
2.1.2.14 | The VDSS shall provide the capability to detect and identify application session hijacking | N/A |
2.1.2.15 | The VDSS shall provide a DoD DMZ Extension to support to support Internet Facing Applications (IFAs) | N/A |
2.1.2.14 | The VDSS shall provide the capability to detect and identify application session hijacking | N/A | N/A
2.1.2.15 | The VDSS shall provide a DoD DMZ Extension to support to support Internet Facing Applications (IFAs) | N/A | N/A
2.1.2.16 | The VDSS shall provide full packet capture (FPC) or cloud service equivalent FPC capability for recording and interpreting traversing communications | Azure Firewall | ✔️
2.1.2.17 | The VDSS shall provide network packet flow metrics and statistics for all traversing communications | Azure Firewall <br/> Network Watcher | ✔️
2.1.2.18 | The VDSS shall provide for the inspection of traffic entering and exiting each mission owner virtual private network. | Azure Firewall <br/> Network Watcher | ✔️
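Review bot: 2.1.2.15 is rewritten here but keeps the duplicated phrase "to support to support Internet Facing Applications"; since the line is already touched, drop the repeated words. The same N/A-versus-not-provided ambiguity applies to 2.1.2.14 and 2.1.2.15.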
Expand All @@ -65,21 +65,21 @@ REQ ID | VDSS Security Requirements | Azure Technologies | Mission LZ

REQ ID | VDMS Security Requirements | Azure Technologies | Mission LZ
-------|----------------------------|--------------------|-----------
2.1.3.1 | The VDMS shall provide Assured Compliance Assessment Solution (ACAS), or approved equivalent, to conduct continuous monitoring for all enclaves within the CSE | Azure Policy <br/> Azure Blueprints |
2.1.3.1 | The VDMS shall provide Assured Compliance Assessment Solution (ACAS), or approved equivalent, to conduct continuous monitoring for all enclaves within the CSE | Azure Policy <br/> Azure Blueprints | N/A
2.1.3.2 | The VDMS shall provide Host Based Security System (HBSS), or approved equivalent, to manage endpoint security for all enclaves within the CSE | Microsoft Defender for Cloud | ✔️
2.1.3.3 | The VDMS shall provide identity services to include an Online Certificate Status Protocol (OCloud Workload Security) responder for remote system DoD Common Access Card (CAC) two-factor authentication of DoD privileged users to systems instantiated within the CSE | Multi-Factor Authentication |
2.1.3.4 | The VDMS shall provide a configuration and update management system to serve systems and applications for all enclaves within the CSE | N/A
2.1.3.3 | The VDMS shall provide identity services to include an Online Certificate Status Protocol (OCloud Workload Security) responder for remote system DoD Common Access Card (CAC) two-factor authentication of DoD privileged users to systems instantiated within the CSE | Multi-Factor Authentication | N/A
2.1.3.4 | The VDMS shall provide a configuration and update management system to serve systems and applications for all enclaves within the CSE | N/A | N/A
2.1.3.5 | The VDMS shall provide logical domain services to include directory access, directory federation, Dynamic Host Configuration Protocol (DHCP), and Domain Name System (DNS) for all enclaves within the CSE | Microsoft Entra ID (AAD) <br/> Azure DNS | ✔️
2.1.3.6 | The VDMS shall provide a network for managing systems and applications within the CSE that is logically separate from the user and data networks. | Virtual Network <br/> Azure Subnets | ✔️
2.1.3.7 | The VDMS shall provide a system, security, application, and user activity event logging and archiving system for common collection, storage, and access to event logs by privileged users performing BCP and MCP activities. | Azure Log Analytics <br/> Microsoft Defender for Cloud | ✔️
2.1.3.8 | The VDMS shall provide for the exchange of DoD privileged user authentication and authorization attributes with the CSP's Identity and access management system to enable cloud system provisioning, deployment, and configuration | Microsoft Entra ID Connect |
2.1.3.8 | The VDMS shall provide for the exchange of DoD privileged user authentication and authorization attributes with the CSP's Identity and access management system to enable cloud system provisioning, deployment, and configuration | Microsoft Entra ID Connect | N/A
2.1.3.9 | The VDMS shall implement the technical capabilities necessary to execute the mission and objectives of the TCCM role. | Microsoft Entra ID | ✔️

## TCCM Controls

REQ ID | TCCM Security Requirements | Azure Technologies | Mission LZ
-------|----------------------------|--------------------|-----------
2.1.4.1 | The TCCM shall develop and maintain a Cloud Credential Management Plan (CCMP)to address the implementation of policies, plans, and procedures that will be applied to mission owner customer portal account credential management | N/A |
2.1.4.1 | The TCCM shall develop and maintain a Cloud Credential Management Plan (CCMP)to address the implementation of policies, plans, and procedures that will be applied to mission owner customer portal account credential management | N/A | N/A
2.1.4.2 | The TCCM shall collect, audit, and archive all Customer Portal activity logs and alerts | Azure Log Analytics | ✔️
2.1.4.3 | The TCCM shall ensure activity log alerts are shared with, forwarded to, or retrievable by DoD privileged users engaged in MCP and BCP activities | Azure Log Analytics | ✔️
2.1.4.4 | The TCCM shall, as necessary for information sharing, create log repository access accounts for access to activity log data by privileged users performing both MCP and BCP activities | Azure Log Analytics | ✔️
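Review bot: 2.1.3.3 still reads "Online Certificate Status Protocol (OCloud Workload Security)", which looks like a search-and-replace accident over the abbreviation OCSP; fix it to "(OCSP)" while the line is being edited. 2.1.4.1 is missing a space in "(CCMP)to". Also, 2.1.3.1, 2.1.3.3 and 2.1.3.8 now list an Azure technology (Azure Policy/Blueprints, Multi-Factor Authentication, Entra ID Connect) next to an `N/A` Mission LZ cell, which reads as contradictory; a short note that the technology exists but is not configured by MLZ would resolve it.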
Expand Up @@ -22,7 +22,7 @@ Param(

[parameter(Mandatory)]
[string]
$ImageDefinitionResourceId,
$ImageVersionResourceId,

[parameter(Mandatory)]
[string]
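Review bot: `$ImageVersionResourceId` is declared `[string]` and Mandatory but nothing constrains its shape, and the code further down derives the definition ID by stripping `/versions/...`; consider a `[ValidatePattern()]` (or an explicit check) that the value is either `NotApplicable` or a gallery image version resource ID containing `/versions/`, so a definition ID passed by mistake fails with a clear message instead of downstream in `Get-AzGalleryImageDefinition`. Renaming a mandatory parameter is also a breaking change for any caller still passing `-ImageDefinitionResourceId`; the Bicep call site is updated in this commit, but out-of-tree callers will need the same change.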
Expand Down Expand Up @@ -195,8 +195,9 @@ try

# Validates the custom image if applicable
# https://learn.microsoft.com/en-us/azure/virtual-machines/trusted-launch-faq?tabs=PowerShell#how-can-i-validate-if-os-image-supports-trusted-launch
if($ImageDefinitionResourceId -ne 'NotApplicable')
if($ImageVersionResourceId -ne 'NotApplicable')
{
$ImageDefinitionResourceId = $ImageVersionResourceId -replace "/versions/.*", ""
$ImageDefinition = Get-AzGalleryImageDefinition -ResourceId $ImageDefinitionResourceId
$SecurityType = ($ImageDefinition.Features | Where-Object {$_.Name -eq 'SecurityType'}).Value
$HyperVGeneration = $ImageDefinition.HyperVGeneration
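Review bot: `$ImageVersionResourceId -replace "/versions/.*", ""` silently leaves the value unchanged when it contains no `/versions/` segment, so a definition ID or a malformed ID goes straight to `Get-AzGalleryImageDefinition -ResourceId` and fails there with a less obvious error; add an explicit guard such as `if ($ImageVersionResourceId -notmatch '/versions/') { throw "Expected an image version resource ID" }` before the replace. Note also that this validation still inspects only the definition's `SecurityType` feature and `HyperVGeneration`, never the specific version, which is adequate for the Trusted Launch check but will not catch a version that does not exist.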
9 changes: 8 additions & 1 deletion src/bicep/add-ons/azureVirtualDesktop/modules/logic.bicep
Expand Up @@ -11,6 +11,7 @@ param hostPoolType string
param imageOffer string
param imagePublisher string
param imageSku string
param imageVersionResourceId string
param locations object
param locationVirtualMachines string
param networkName string
Expand Down Expand Up @@ -42,8 +43,14 @@ var endAvSetRange = (sessionHostCount + sessionHostIndex) / maxAvSetMembers // T
var availabilitySetsCount = length(range(beginAvSetRange, (endAvSetRange - beginAvSetRange) + 1))

// OTHER LOGIC & COMPUTED VALUES
var customImageId = empty(imageVersionResourceId) ? 'null' : '"${imageVersionResourceId}"'
var fileShares = fileShareNames[fslogixContainerType]
var fslogix = fslogixStorageService == 'None' || !contains(activeDirectorySolution, 'DomainServices') ? false : true
var galleryImageOffer = empty(imageVersionResourceId) ? '"${imageOffer}"' : 'null'
var galleryImagePublisher = empty(imageVersionResourceId) ? '"${imagePublisher}"' : 'null'
var galleryImageSku = empty(imageVersionResourceId) ? '"${imageSku}"' : 'null'
var galleryItemId = empty(imageVersionResourceId) ? '"${imagePublisher}.${imageOffer}${imageSku}"' : 'null'
var imageType = empty(imageVersionResourceId) ? '"Gallery"' : '"CustomImage"'
var netbios = split(domainName, '.')[0]
var pooledHostPool = split(hostPoolType, ' ')[0] == 'Pooled' ? true : false
var resourceGroups = union(resourceGroupsCommon, resourceGroupsNetworking, resourceGroupsStorage)
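Review bot: these variables hand-assemble JSON fragments as strings (`'"${imageOffer}"'` versus `'null'`), which yields invalid JSON if any interpolated value contains a double quote or backslash and makes the quoting easy to get wrong; Bicep can serialize an object with `string()`, so building a template object and emitting `string(vmTemplateObject)` would be safer and would let `customImageId` be a real `null` rather than the literal text `null`. `galleryItemId` also keeps the `${imagePublisher}.${imageOffer}${imageSku}` pattern from the old template with no separator between offer and SKU; if that is the format the portal expects it deserves a comment, because it reads like a missing `.`.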
Expand Down Expand Up @@ -73,7 +80,7 @@ var storageService = split(fslogixStorageService, ' ')[0]
var storageSuffix = environment().suffixes.storage
var timeDifference = locations[locationVirtualMachines].timeDifference
var timeZone = locations[locationVirtualMachines].timeZone
var vmTemplate = '{"domain":"${domainName}","galleryImageOffer":"${imageOffer}","galleryImagePublisher":"${imagePublisher}","galleryImageSKU":"${imageSku}","imageType":"Gallery","imageUri":null,"customImageId":null,"namePrefix":"${sessionHostNamePrefix}","osDiskType":"${diskSku}","useManagedDisks":true,"VirtualMachineSize":{"id":"${virtualMachineSize}","cores":null,"ram":null},"galleryItemId":"${imagePublisher}.${imageOffer}${imageSku}"}'
var vmTemplate = '{"domain":"${domainName}","galleryImageOffer":${galleryImageOffer},"galleryImagePublisher":${galleryImagePublisher},"galleryImageSKU":${galleryImageSku},"imageType":${imageType},"customImageId":${customImageId},"namePrefix":"${sessionHostNamePrefix}","osDiskType":"${diskSku}","vmSize":{"id":"${virtualMachineSize}","cores":null,"ram":null,"rdmaEnabled": false,"supportsMemoryPreservingMaintenance": true},"galleryItemId":${galleryItemId},"hibernate":false,"diskSizeGB":0,"securityType":"TrustedLaunch","secureBoot":true,"vTPM":true,"vmInfrastructureType":"Cloud","virtualProcessorCount":null,"memoryGB":null,"maximumMemoryGB":null,"minimumMemoryGB":null,"dynamicMemoryConfig":false}'

output availabilitySetsCount int = availabilitySetsCount
output beginAvSetRange int = beginAvSetRange
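Review bot: the new template hardcodes `"securityType":"TrustedLaunch","secureBoot":true,"vTPM":true` regardless of the selected image, while Get-Validations.ps1 already reads `SecurityType` and `HyperVGeneration` from the image definition; a marketplace or custom image whose definition lacks the TrustedLaunch feature (or is Gen1) would be advertised as Trusted Launch in the host pool's vmTemplate. Consider driving these three values from the validation output. This hunk also removes `imageUri` and `useManagedDisks` and renames `VirtualMachineSize` to `vmSize`; since the string is consumed by the AVD portal, the commit message should state which portal schema it was matched against.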
Expand Up @@ -28,7 +28,7 @@ param fslogix bool
param fslogixStorageService string
param hostPoolName string
param hostPoolType string
param imageDefinitionResourceId string
param imageVersionResourceId string
param keyVaultName string
param keyVaultNetworkInterfaceName string
param keyVaultPrivateDnsZoneResourceId string
Expand Down Expand Up @@ -260,7 +260,7 @@ module validations '../common/customScriptExtensions.bicep' = {
'${artifactsUri}Get-Validations.ps1'
]
location: locationVirtualMachines
parameters: '-ActiveDirectorySolution ${activeDirectorySolution} -CpuCountMax ${CpuCountMax} -CpuCountMin ${CpuCountMin} -DomainName ${empty(domainName) ? 'NotApplicable' : domainName} -Environment ${environment().name} -ImageDefinitionResourceId ${empty(imageDefinitionResourceId) ? 'NotApplicable' : imageDefinitionResourceId} -Location ${locationVirtualMachines} -SessionHostCount ${sessionHostCount} -StorageService ${storageService} -SubscriptionId ${subscription().subscriptionId} -TenantId ${tenant().tenantId} -UserAssignedIdentityClientId ${deploymentUserAssignedIdentity.outputs.clientId} -VirtualMachineSize ${virtualMachineSize} -VirtualNetworkName ${VirtualNetworkName} -VirtualNetworkResourceGroupName ${VirtualNetworkResourceGroupName} -WorkspaceFeedName ${workspaceFeedName} -WorkspaceResourceGroupName ${resourceGroupFeedWorkspace}'
parameters: '-ActiveDirectorySolution ${activeDirectorySolution} -CpuCountMax ${CpuCountMax} -CpuCountMin ${CpuCountMin} -DomainName ${empty(domainName) ? 'NotApplicable' : domainName} -Environment ${environment().name} -imageVersionResourceId ${empty(imageVersionResourceId) ? 'NotApplicable' : imageVersionResourceId} -Location ${locationVirtualMachines} -SessionHostCount ${sessionHostCount} -StorageService ${storageService} -SubscriptionId ${subscription().subscriptionId} -TenantId ${tenant().tenantId} -UserAssignedIdentityClientId ${deploymentUserAssignedIdentity.outputs.clientId} -VirtualMachineSize ${virtualMachineSize} -VirtualNetworkName ${VirtualNetworkName} -VirtualNetworkResourceGroupName ${VirtualNetworkResourceGroupName} -WorkspaceFeedName ${workspaceFeedName} -WorkspaceResourceGroupName ${resourceGroupFeedWorkspace}'
scriptFileName: 'Get-Validations.ps1'
tags: contains(tags, 'Microsoft.Compute/virtualMachines') ? tags['Microsoft.Compute/virtualMachines'] : {}
userAssignedIdentityClientId: deploymentUserAssignedIdentity.outputs.clientId
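Review bot: the switch is spelled `-imageVersionResourceId` while every other switch in this parameter string is PascalCase (`-ImageDefinitionResourceId` before, `-Location`, `-SessionHostCount`); PowerShell binds parameter names case-insensitively so it works, but use `-ImageVersionResourceId` for consistency with the script's `Param()` block and for greppability.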
Expand Up @@ -30,10 +30,10 @@ param fslogixContainerType string
param hostPoolName string
param hostPoolType string
param hybridRunbookWorkerGroupName string
param imageDefinitionResourceId string
param imageOffer string
param imagePublisher string
param imageSku string
param imageVersionResourceId string
param location string
param logAnalyticsWorkspaceName string
param managementVirtualMachineName string
Expand Down Expand Up @@ -140,7 +140,7 @@ module virtualMachines 'virtualMachines.bicep' = [for i in range(1, sessionHostB
fslogixContainerType: fslogixContainerType
hostPoolName: hostPoolName
hostPoolType: hostPoolType
imageDefinitionResourceId: imageDefinitionResourceId
imageVersionResourceId: imageVersionResourceId
imageOffer: imageOffer
imagePublisher: imagePublisher
imageSku: imageSku
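Review bot: the argument list in this module call is otherwise alphabetical, but `imageVersionResourceId` is placed before `imageOffer` (where the removed `imageDefinitionResourceId` sat); move it after `imageSku` to match the ordering of the `param` declarations in the earlier hunk of this file.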