Release 0.3.0 (#1)

* Release 0.3.0

* Release 0.3.0

* Release 0.3.0

---------

Co-authored-by: Microsoft Open Source <[email protected]>

CONTRIBUTING.md

@@ -0,0 +1,12 @@
+# Contributing
+
+This project welcomes contributions and suggestions.  Most contributions require you to agree to a
+Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us
+the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com.
+
+When you submit a pull request, a CLA bot automatically determines whether you need to provide
+a CLA and decorate the pull request appropriately (for example, status check, comment). Follow the instructions provided by the bot. You need to do this step once across all repos using our CLA.
+
+This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/).
+For more information, see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) or
+contact [[email protected]](mailto:[email protected]) with any more questions or comments.

README.md

@@ -1,33 +1,36 @@
-# Project
+# Workload templates and sample application for Sovereign Landing Zone
 
-> This repo has been populated by an initial template to help get you started. Please
-> make sure to update the content to build a great experience for community-building.
+## Overview
 
-As the maintainer of this project, please make a few updates:
+[Sovereign Landing Zone (SLZ) ](https://github.com/Azure/sovereign-landing-zone) provides an environment offering guardrails through policies and policy sets, security-enforcement, and consistent baseline infrastructure for deploying workloads and applications. SLZ is based on [Azure Landing Zones](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/) and extends it with guardrails and security controls specific to sovereignty requirements.
 
-- Improving this README.MD file to provide a great experience
-- Updating SUPPORT.MD with content about this project's support experience
-- Understanding the security reporting process in SECURITY.MD
-- Remove this section from the README
+To help accelerate customers time-to-value while assisting them in meeting their compliance objectives, the [Microsoft Cloud for Sovereignty](https://learn.microsoft.com/industry/sovereignty) includes ready-to-use workload templates that can be consistently deployed and operated in a repeatable manner. The workload templates are aligned with [Sovereignty Policy Baseline](https://github.com/Azure/sovereign-landing-zone/blob/main/docs/scenarios/Sovereignty-Policy-Baseline.md), [Cloud for Sovereignty policy portfolio](https://github.com/Azure/cloud-for-sovereignty-policy-portfolio), and [Azure Landing Zone default policies](https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Policies).
 
-## Contributing
+We're introducing two templates, and a sample sovereign application for learning purposes and to validate the functionality of SLZ policy sets and their enforcement of the confidentiality of services within the Sovereign Landing Zone.
 
-This project welcomes contributions and suggestions.  Most contributions require you to agree to a
-Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us
-the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com.
+You can deploy all applications using the PowerShell and Bicep, and they are fully compatible with SLZ. To learn more about the advantages of using these templates, refer to the following links: 
 
-When you submit a pull request, a CLA bot will automatically determine whether you need to provide
-a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions
-provided by the bot. You will only need to do this once across all repos using our CLA.
+1. [**Azure Lighthouse template**](./workloadAccelerators/lighthouse/docs/lighthouseAccelerator.md)
+2. [**Azure Confidential Virtual Machine AMD-SNP template**](./workloadAccelerators/confidentialVirtualMachine/docs/cvmAccelerator.md)
+3. [**Confidential sample application**](./sovereignApplications/confidential/hrAppWorkload/README.md)
 
-This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/).
-For more information see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) or
-contact [[email protected]](mailto:[email protected]) with any additional questions or comments.
+## Shared responsibility and customer responsibilities
+
+To ensure your data is secure and your privacy controls are addressed, we recommend that you follow a set of best practices when deploying into Azure:
+
+- [Azure security best practices and patterns](https://learn.microsoft.com/azure/security/fundamentals/best-practices-and-patterns)
+- [Microsoft Services in Cybersecurity](https://learn.microsoft.com/azure/security/fundamentals/cyber-services)
+
+Protecting your data also requires that all aspects of your security and compliance program include your cloud infrastructure and data. The following guidance can help you to secure your deployment.
 
 ## Trademarks
 
-This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft 
-trademarks or logos is subject to and must follow 
-[Microsoft's Trademark & Brand Guidelines](https://www.microsoft.com/en-us/legal/intellectualproperty/trademarks/usage/general).
+This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft
+trademarks or logos is subject to and must follow
+[Microsoft's Trademark & Brand Guidelines](https://www.microsoft.com/legal/intellectualproperty/trademarks/usage/general).
 Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship.
 Any use of third-party trademarks or logos are subject to those third-party's policies.
+
+## Preview Notice
+
+**Preview Terms**. The Sovereign Landing Zone workload templates and sample application preview (the "PREVIEW") are licensed to you as part of your [Azure subscription](https://azure.microsoft.com/support/legal/) and subject to terms applicable to "Previews" as detailed in the Universal License Terms for Online Services section of the <u></u>Microsoft Product Terms and the [Microsoft Products and Services Data Protection Addendum ("DPA")](https://www.microsoft.com/licensing/terms/welcome/welcomepage). AS STATED IN THOSE TERMS, PREVIEWS ARE PROVIDED "AS-IS," "WITH ALL FAULTS," AND "AS AVAILABLE," AND ARE EXCLUDED FROM THE SERVICE LEVEL AGREEMENTS AND LIMITED WARRANTY. Previews may employ lesser or different privacy and security measures than those typically present in Azure Services. Unless otherwise noted, you should not use Previews to process Personal Data or other data that is subject to legal or regulatory compliance requirements. The following terms in the [DPA](https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA) do not apply to Previews: Processing of Personal Data; GDPR, Data Security, and HIPAA Business Associate. We may change or discontinue Previews at any time without notice. We also may choose not to release a Preview into General Availability.

SECURITY.md

@@ -1,20 +1,20 @@
-<!-- BEGIN MICROSOFT SECURITY.MD V0.0.9 BLOCK -->
+<!-- BEGIN MICROSOFT SECURITY.MD V0.0.8 BLOCK -->
 
 ## Security
 
-Microsoft takes the security of our software products and services seriously, which includes all source code repositories managed through our GitHub organizations, which include [Microsoft](https://github.com/Microsoft), [Azure](https://github.com/Azure), [DotNet](https://github.com/dotnet), [AspNet](https://github.com/aspnet) and [Xamarin](https://github.com/xamarin).
+Microsoft takes the security of our software products and services seriously, which includes all source code repositories managed through our GitHub organizations, which include [Microsoft](https://github.com/microsoft), [Azure](https://github.com/Azure), [DotNet](https://github.com/dotnet), [AspNet](https://github.com/aspnet), [Xamarin](https://github.com/xamarin), and [our GitHub organizations](https://opensource.microsoft.com/).
 
-If you believe you have found a security vulnerability in any Microsoft-owned repository that meets [Microsoft's definition of a security vulnerability](https://aka.ms/security.md/definition), please report it to us as described below.
+If you believe you have found a security vulnerability in any Microsoft-owned repository that meets [Microsoft's definition of a security vulnerability](https://aka.ms/opensource/security/definition), please report it to us as described below.
 
 ## Reporting Security Issues
 
 **Please do not report security vulnerabilities through public GitHub issues.**
 
-Instead, please report them to the Microsoft Security Response Center (MSRC) at [https://msrc.microsoft.com/create-report](https://aka.ms/security.md/msrc/create-report).
+Instead, please report them to the Microsoft Security Response Center (MSRC) at [https://msrc.microsoft.com/create-report](https://aka.ms/opensource/security/create-report).
 
-If you prefer to submit without logging in, send email to [[email protected]](mailto:[email protected]).  If possible, encrypt your message with our PGP key; please download it from the [Microsoft Security Response Center PGP Key page](https://aka.ms/security.md/msrc/pgp).
+If you prefer to submit without logging in, send email to [[email protected]](mailto:[email protected]).  If possible, encrypt your message with our PGP key; please download it from the [Microsoft Security Response Center PGP Key page](https://aka.ms/opensource/security/pgpkey).
 
-You should receive a response within 24 hours. If for some reason you do not, please follow up via email to ensure we received your original message. Additional information can be found at [microsoft.com/msrc](https://www.microsoft.com/msrc). 
+You should receive a response within 24 hours. If for some reason you do not, please follow up via email to ensure we received your original message. Additional information can be found at [microsoft.com/msrc](https://aka.ms/opensource/security/msrc). 
 
 Please include the requested information listed below (as much as you can provide) to help us better understand the nature and scope of the possible issue:
 
@@ -28,14 +28,14 @@ Please include the requested information listed below (as much as you can provid
 
 This information will help us triage your report more quickly.
 
-If you are reporting for a bug bounty, more complete reports can contribute to a higher bounty award. Please visit our [Microsoft Bug Bounty Program](https://aka.ms/security.md/msrc/bounty) page for more details about our active programs.
+If you are reporting for a bug bounty, more complete reports can contribute to a higher bounty award. Please visit our [Microsoft Bug Bounty Program](https://aka.ms/opensource/security/bounty) page for more details about our active programs.
 
 ## Preferred Languages
 
 We prefer all communications to be in English.
 
 ## Policy
 
-Microsoft follows the principle of [Coordinated Vulnerability Disclosure](https://aka.ms/security.md/cvd).
+Microsoft follows the principle of [Coordinated Vulnerability Disclosure](https://aka.ms/opensource/security/cvd).
 
 <!-- END MICROSOFT SECURITY.MD BLOCK -->

SUPPORT.md

@@ -1,24 +1,9 @@
-# TODO: The maintainer of this repo has not yet edited this file
-
-**REPO OWNER**: Do you want Customer Service & Support (CSS) support for this product/project?
-
-- **No CSS support:** Fill out this template with information about how to file issues and get help.
-- **Yes CSS support:** Fill out an intake form at [aka.ms/onboardsupport](https://aka.ms/onboardsupport). CSS will work with/help you to determine next steps.
-- **Not sure?** Fill out an intake as though the answer were "Yes". CSS will help you decide.
-
-*Then remove this first heading from this SUPPORT.MD file before publishing your repo.*
-
 # Support
 
 ## How to file issues and get help  
 
-This project uses GitHub Issues to track bugs and feature requests. Please search the existing 
-issues before filing new issues to avoid duplicates.  For new issues, file your bug or 
-feature request as a new Issue.
-
-For help and questions about using this project, please **REPO MAINTAINER: INSERT INSTRUCTIONS HERE 
-FOR HOW TO ENGAGE REPO OWNERS OR COMMUNITY FOR HELP. COULD BE A STACK OVERFLOW TAG OR OTHER
-CHANNEL. WHERE WILL YOU HELP PEOPLE?**.
+This project uses [GitHub issues](https://github.com/Azure/cloud-for-sovereignty-quickstarts/issues) to track bugs and feature requests. Please search the existing issues before filing new issues to avoid duplicates. For new issues, file your bug or feature request as a new Issue. Please provide as much information as possible when filing an issue. Please include screenshots if possible. 
+Project maintainers will aim to respond within 5 business days. 
 
 ## Microsoft Support Policy  
 

common/CRML/README.md

@@ -0,0 +1,9 @@
+# Why Does This Directory Exist & Contain Other Bicep Modules?
+
+This directory exists to host modules that are **not** specific to the Azure Landing Zones modules that are contained within the `infra-as-code/bicep/modules` directory.
+
+The modules inside this directory, `infra-as-code/bicep/CRML` are modules that we are potentially planning to remove from this repo and migrate/consume them from the [Common Azure Resource Modules Library repo](https://github.com/Azure/ResourceModules) as part of future releases, and when features such as the Bicep Public Module Registry are available.
+
+> These are plans/aspirations which are not confirmed and might change, but we are sharing them for clarity and planning purposes 👍
+
+These modules are consumed and called by other modules within this repo. For example, the `customerUsageAttribution` module is called in all modules as you can see from each of those modules `.bicep` files.

common/CRML/customerUsageAttribution/README.md

@@ -0,0 +1,25 @@
+# Module: PID
+
+This module creates a blank deployment which will be called from other modules. The purpose of this deployment is to create a deployment name to be used for Azure [customer usage attribution](https://learn.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution). To disable this, please see [How to disable Telemetry Tracking Using Customer Usage Attribution (PID)](https://github.com/Azure/ALZ-Bicep/wiki/CustomerUsage)
+
+This module does not deploy any resources
+
+## Parameters
+
+This module does not require any inputs
+
+| Parameter | Type | Default | Description | Requirement | Example |
+| --------- | ---- | ------- | ----------- | ----------- | ------- |
+
+
+## Outputs
+
+The module does not generate any outputs
+
+| Output | Type | Example |
+| ------ | ---- | ------- |
+
+## Deployment
+
+This module is intended to be called from other modules as a reusable resource.
+

common/CRML/customerUsageAttribution/bicepconfig.json

@@ -0,0 +1,88 @@
+{
+  "analyzers": {
+    "core": {
+      "enabled": true,
+      "verbose": false,
+      "rules": {
+        "adminusername-should-not-be-literal": {
+          "level": "error"
+        },
+        "no-hardcoded-env-urls": {
+          "level": "error"
+        },
+        "no-unnecessary-dependson": {
+          "level": "error"
+        },
+        "no-unused-params": {
+          "level": "error"
+        },
+        "no-unused-vars": {
+          "level": "error"
+        },
+        "outputs-should-not-contain-secrets": {
+          "level": "error"
+        },
+        "prefer-interpolation": {
+          "level": "error"
+        },
+        "secure-parameter-default": {
+          "level": "error"
+        },
+        "simplify-interpolation": {
+          "level": "error"
+        },
+        "protect-commandtoexecute-secrets": {
+          "level": "error"
+        },
+        "use-stable-vm-image": {
+          "level": "error"
+        },
+        "explicit-values-for-loc-params": {
+          "level": "error"
+        },
+        "no-hardcoded-location": {
+          "level": "error"
+        },
+        "no-loc-expr-outside-params": {
+          "level": "error"
+        },
+        "max-outputs": {
+          "level": "error"
+        },
+        "max-params": {
+          "level": "error"
+        },
+        "max-resources": {
+          "level": "error"
+        },
+        "max-variables": {
+          "level": "error"
+        },
+        "artifacts-parameters":{
+          "level": "error"
+        },
+        "no-unused-existing-resources":{
+          "level": "error"
+        },
+        "prefer-unquoted-property-names":{
+          "level": "error"
+        },
+        "secure-params-in-nested-deploy":{
+          "level": "error"
+        },
+        "secure-secrets-in-params":{
+          "level": "error"
+        },
+        "use-recent-api-versions":{
+          "level": "error"
+        },
+        "use-resource-id-functions":{
+          "level": "error"
+        },
+        "use-stable-resource-identifiers":{
+          "level": "error"
+        }
+      }
+    }
+  }
+}

common/CRML/customerUsageAttribution/cuaIdManagementGroup.bicep

@@ -0,0 +1,13 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+/*
+SUMMARY: Module to add the customer usage attribution (PID) to Management Group deployments.
+DESCRIPTION: This module will create a deployment at the management group level which will add the unique PID and location as the deployment name
+AUTHOR/S: shaunjacob
+VERSION: 1.0.0
+*/
+
+targetScope = 'managementGroup'
+
+// This is an empty deployment by design
+// Reference:  https://docs.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution

common/CRML/customerUsageAttribution/cuaIdResourceGroup.bicep

@@ -0,0 +1,13 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+/*
+SUMMARY: Module to add the customer usage attribution (PID) to Resource Group deployments.
+DESCRIPTION: This module will create a deployment at the Resource Group level which will add the unique PID and location as the deployment name
+AUTHOR/S: shaunjacob
+VERSION: 1.0.0
+*/
+
+targetScope = 'resourceGroup'
+
+// This is an empty deployment by design
+// Reference:  https://docs.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution

common/CRML/customerUsageAttribution/cuaIdSubscription.bicep

@@ -0,0 +1,13 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+/*
+SUMMARY: Module to add the customer usage attribution (PID) to Subscription deployments.
+DESCRIPTION: This module will create a deployment at the Subscription level which will add the unique PID and location as the deployment name
+AUTHOR/S: shaunjacob
+VERSION: 1.0.0
+*/
+
+targetScope = 'subscription'
+
+// This is an empty deployment by design
+// Reference:  https://docs.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution

common/CRML/customerUsageAttribution/cuaIdTenant.bicep

@@ -0,0 +1,13 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+/*
+SUMMARY: Module to add the customer usage attribution (PID) to Tenant deployments.
+DESCRIPTION: This module will create a deployment at the Tenant level which will add the unique PID and location as the deployment name
+AUTHOR/S: shaunjacob
+VERSION: 1.0.0
+*/
+
+targetScope = 'tenant'
+
+// This is an empty deployment by design
+// Reference:  https://docs.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution