fix: Add required change tracking solution (#997)

* Add missing change tracking solution

* Changes to workspace solutions

* Fix name of changetracking

* Add umi location param for accelerator

* Formatting

* Generate Parameter Markdowns [oZakari/4b1d31cb]

---------

Co-authored-by: github-actions <41898282+github-actions[bot]@users.noreply.github.com>

Author: oZakari

Diff for: accelerator/.config/ALZ-Powershell-Auto.config.json

@@ -305,6 +305,10 @@
               "Name": "parLocation.value",
               "Destination": "Parameters"
             },
+            {
+              "Name": "parUserAssignedManagedIdentityLocation.value",
+              "Destination": "Parameters"
+            },
             {
               "Name": "parAutomationAccountLocation.value",
               "Destination": "Parameters"

Diff for: infra-as-code/bicep/modules/logging/generateddocs/logging.bicep.md

@@ -20,7 +20,8 @@ parLogAnalyticsWorkspaceCapacityReservationLevel | No       | Log Analytics Work
 parLogAnalyticsWorkspaceLogRetentionInDays | No       | Number of days of log retention for Log Analytics Workspace.
 parLogAnalyticsWorkspaceLock | No       | Resource Lock Configuration for Log Analytics Workspace.  - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock.  
 parLogAnalyticsWorkspaceSolutions | No       | Solutions that will be added to the Log Analytics Workspace.
-parLogAnalyticsWorkspaceSolutionsLock | No       | Resource Lock Configuration for Log Analytics Workspace Solutions.  - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock.  
+parSecurityInsightsOnboardingLock | No       | Resource Lock Configuration for Security Insights solution.  - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock.  
+parChangeTrackingSolutionLock | No       | Resource Lock Configuration for Change Tracking solution. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock.  
 parUserAssignedManagedIdentityName | No       | Name of the User Assigned Managed Identity required for authenticating Azure Monitoring Agent to Azure.
 parUserAssignedManagedIdentityLocation | No       | User Assigned Managed Identity location.
 parAutomationAccountEnabled | No       | Switch to enable/disable Automation Account deployment.
@@ -33,7 +34,6 @@ parAutomationAccountLock | No       | Resource Lock Configuration for Automation
 parTags        | No       | Tags you would like to be applied to all resources in this module.
 parAutomationAccountTags | No       | Tags you would like to be applied to Automation Account.
 parLogAnalyticsWorkspaceTags | No       | Tags you would like to be applied to Log Analytics Workspace.
-parUseSentinelClassicPricingTiers | No       | Set Parameter to true to use Sentinel Classic Pricing Tiers, following changes introduced in July 2023 as documented here: https://learn.microsoft.com/azure/sentinel/enroll-simplified-pricing-tier.
 parLogAnalyticsLinkedServiceAutomationAccountName | No       | Log Analytics LinkedService name for Automation Account.
 parTelemetryOptOut | No       | Set Parameter to true to Opt-out of deployment telemetry
 
@@ -176,21 +176,33 @@ Resource Lock Configuration for Log Analytics Workspace.
 
 Solutions that will be added to the Log Analytics Workspace.
 
-- Default value: `SecurityInsights`
+- Default value: `SecurityInsights ChangeTracking`
 
-- Allowed values: `SecurityInsights`
+- Allowed values: `SecurityInsights`, `ChangeTracking`
 
-### parLogAnalyticsWorkspaceSolutionsLock
+### parSecurityInsightsOnboardingLock
 
 ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
 
-Resource Lock Configuration for Log Analytics Workspace Solutions.
+Resource Lock Configuration for Security Insights solution.
 
 - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None.
 - `notes` - Notes about this lock.
 
 
 
+- Default value: `@{kind=None; notes=This lock was created by the ALZ Bicep Logging Module.}`
+
+### parChangeTrackingSolutionLock
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+Resource Lock Configuration for Change Tracking solution.
+- `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None.
+- `notes` - Notes about this lock.
+
+
+
 - Default value: `@{kind=None; notes=This lock was created by the ALZ Bicep Logging Module.}`
 
 ### parUserAssignedManagedIdentityName
@@ -292,14 +304,6 @@ Tags you would like to be applied to Log Analytics Workspace.
 
 - Default value: `[parameters('parTags')]`
 
-### parUseSentinelClassicPricingTiers
-
-![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
-
-Set Parameter to true to use Sentinel Classic Pricing Tiers, following changes introduced in July 2023 as documented here: https://learn.microsoft.com/azure/sentinel/enroll-simplified-pricing-tier.
-
-- Default value: `False`
-
 ### parLogAnalyticsLinkedServiceAutomationAccountName
 
 ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
@@ -403,10 +407,17 @@ outAutomationAccountId | string |
         },
         "parLogAnalyticsWorkspaceSolutions": {
             "value": [
-                "SecurityInsights"
+                "SecurityInsights",
+                "ChangeTracking"
             ]
         },
-        "parLogAnalyticsWorkspaceSolutionsLock": {
+        "parSecurityInsightsOnboardingLock": {
+            "value": {
+                "kind": "None",
+                "notes": "This lock was created by the ALZ Bicep Logging Module."
+            }
+        },
+        "parChangeTrackingSolutionLock": {
             "value": {
                 "kind": "None",
                 "notes": "This lock was created by the ALZ Bicep Logging Module."
@@ -451,9 +462,6 @@ outAutomationAccountId | string |
         "parLogAnalyticsWorkspaceTags": {
             "value": "[parameters('parTags')]"
         },
-        "parUseSentinelClassicPricingTiers": {
-            "value": false
-        },
         "parLogAnalyticsLinkedServiceAutomationAccountName": {
             "value": "Automation"
         },

Diff for: infra-as-code/bicep/modules/logging/logging.bicep

@@ -115,23 +115,36 @@ param parLogAnalyticsWorkspaceLock lockType = {
 
 @allowed([
   'SecurityInsights'
+  'ChangeTracking'
 ])
 @sys.description('Solutions that will be added to the Log Analytics Workspace.')
 param parLogAnalyticsWorkspaceSolutions array = [
   'SecurityInsights'
+  'ChangeTracking'
 ]
 
-@sys.description('''Resource Lock Configuration for Log Analytics Workspace Solutions.
+@sys.description('''Resource Lock Configuration for Security Insights solution.
 
 - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None.
 - `notes` - Notes about this lock.
 
 ''')
-param parLogAnalyticsWorkspaceSolutionsLock lockType = {
+param parSecurityInsightsOnboardingLock lockType = {
   kind: 'None'
   notes: 'This lock was created by the ALZ Bicep Logging Module.'
 }
 
+@sys.description('''Resource Lock Configuration for Change Tracking solution.
+- `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None.
+- `notes` - Notes about this lock.
+
+''')
+param parChangeTrackingSolutionLock lockType = {
+  kind: 'None'
+  notes: 'This lock was created by the ALZ Bicep Logging Module.'
+}
+
+
 @sys.description('Name of the User Assigned Managed Identity required for authenticating Azure Monitoring Agent to Azure.')
 param parUserAssignedManagedIdentityName string = 'alz-logging-mi'
 
@@ -176,9 +189,6 @@ param parAutomationAccountTags object = parTags
 @sys.description('Tags you would like to be applied to Log Analytics Workspace.')
 param parLogAnalyticsWorkspaceTags object = parTags
 
-@sys.description('Set Parameter to true to use Sentinel Classic Pricing Tiers, following changes introduced in July 2023 as documented here: https://learn.microsoft.com/azure/sentinel/enroll-simplified-pricing-tier.')
-param parUseSentinelClassicPricingTiers bool = false
-
 @sys.description('Log Analytics LinkedService name for Automation Account.')
 param parLogAnalyticsLinkedServiceAutomationAccountName string = 'Automation'
 
@@ -654,35 +664,40 @@ resource resSentinelOnboarding 'Microsoft.SecurityInsights/onboardingStates@2024
   properties: {}
 }
 
-resource resLogAnalyticsWorkspaceSolutions 'Microsoft.OperationsManagement/solutions@2015-11-01-preview' = [for solution in parLogAnalyticsWorkspaceSolutions: {
-  name: '${solution}(${resLogAnalyticsWorkspace.name})'
+resource resChangeTrackingSolution 'Microsoft.OperationsManagement/solutions@2015-11-01-preview' = if (contains(parLogAnalyticsWorkspaceSolutions, 'ChangeTracking')) {
+  name: 'ChangeTracking(${resLogAnalyticsWorkspace.name})'
   location: parLogAnalyticsWorkspaceLocation
-  tags: parTags
-  properties: solution == 'SecurityInsights' ? {
-    workspaceResourceId: resLogAnalyticsWorkspace.id
-    sku: parUseSentinelClassicPricingTiers ? null : {
-      name: 'Unified'
-    }
-  } : {
+  properties: {
     workspaceResourceId: resLogAnalyticsWorkspace.id
   }
   plan: {
-    name: '${solution}(${resLogAnalyticsWorkspace.name})'
-    product: 'OMSGallery/${solution}'
+    name: 'ChangeTracking(${resLogAnalyticsWorkspace.name})'
+    product: 'OMSGallery/ChangeTracking'
     publisher: 'Microsoft'
     promotionCode: ''
   }
-}]
+}
+
+
+// Add resource lock for SecurityInsights solution
+resource resSecurityInsightsSolutionLock 'Microsoft.Authorization/locks@2020-05-01' = if (parSecurityInsightsOnboardingLock.kind != 'None' || parGlobalResourceLock.kind != 'None') {
+  scope: resSentinelOnboarding
+  name: parSecurityInsightsOnboardingLock.?name ?? '${resSentinelOnboarding.name}-lock'
+  properties: {
+    level: (parGlobalResourceLock.kind != 'None') ? parGlobalResourceLock.kind : parSecurityInsightsOnboardingLock.kind
+    notes: (parGlobalResourceLock.kind != 'None') ? parGlobalResourceLock.?notes : parSecurityInsightsOnboardingLock.?notes
+  }
+}
 
-// Create a resource lock for each log analytics workspace solutions in parLogAnalyticsWorkspaceSolutions if parGlobalResourceLock.kind != 'None' or if parLogAnalyticsWorkspaceSolutionsLock.kind != 'None'
-resource resLogAnalyticsWorkspaceSolutionsLock 'Microsoft.Authorization/locks@2020-05-01' = [for (solution, index) in parLogAnalyticsWorkspaceSolutions: if (parLogAnalyticsWorkspaceSolutionsLock.kind != 'None' || parGlobalResourceLock.kind != 'None') {
-  scope: resLogAnalyticsWorkspaceSolutions[index]
-  name: parLogAnalyticsWorkspaceSolutionsLock.?name ?? '${resLogAnalyticsWorkspaceSolutions[index].name}-lock'
+// Add resource lock for ChangeTracking solution
+resource resChangeTrackingSolutionLock 'Microsoft.Authorization/locks@2020-05-01' = if (parChangeTrackingSolutionLock.kind != 'None' || parGlobalResourceLock.kind != 'None') {
+  scope: resChangeTrackingSolution
+  name: parChangeTrackingSolutionLock.?name ?? '${resChangeTrackingSolution.name}-lock'
   properties: {
-    level: (parGlobalResourceLock.kind != 'None') ? parGlobalResourceLock.kind : parLogAnalyticsWorkspaceSolutionsLock.kind
-    notes: (parGlobalResourceLock.kind != 'None') ? parGlobalResourceLock.?notes : parLogAnalyticsWorkspaceSolutionsLock.?notes
+    level: (parGlobalResourceLock.kind != 'None') ? parGlobalResourceLock.kind : parChangeTrackingSolutionLock.kind
+    notes: (parGlobalResourceLock.kind != 'None') ? parGlobalResourceLock.?notes : parChangeTrackingSolutionLock.?notes
   }
-}]
+}
 
 resource resLogAnalyticsLinkedServiceForAutomationAccount 'Microsoft.OperationalInsights/workspaces/linkedServices@2023-09-01' = if (parLogAnalyticsWorkspaceLinkAutomationAccount) {
   parent: resLogAnalyticsWorkspace

Diff for: infra-as-code/bicep/modules/logging/parameters/logging.parameters.all.json

@@ -19,7 +19,8 @@
     },
     "parLogAnalyticsWorkspaceSolutions": {
       "value": [
-        "SecurityInsights"
+        "SecurityInsights",
+        "ChangeTracking"
       ]
     },
     "parDataCollectionRuleVMInsightsName": {
@@ -34,6 +35,9 @@
     "parUserAssignedManagedIdentityName": {
       "value": "alz-umi-identity"
     },
+    "parUserAssignedManagedIdentityLocation": {
+      "value": "eastus"
+    },
     "parAutomationAccountEnabled": {
       "value": false
     },
@@ -57,8 +61,15 @@
         "Environment": "Live"
       }
     },
-    "parUseSentinelClassicPricingTiers": {
-      "value": false
+    "parLogAnalyticsWorkspaceTags": {
+      "value": {
+        "Environment": "Live"
+      }
+    },
+    "parAutomationAccountTags": {
+      "value": {
+        "Environment": "Live"
+      }
     },
     "parLogAnalyticsLinkedServiceAutomationAccountName": {
       "value": "Automation"
@@ -84,25 +95,31 @@
         "notes": "This lock was created by the ALZ Bicep Logging Module."
       }
     },
-    "parLogAnalyticsWorkspaceSolutionsLock": {
+    "parDataCollectionRuleVMInsightsLock": {
       "value": {
         "kind": "None",
         "notes": "This lock was created by the ALZ Bicep Logging Module."
       }
     },
-    "parDataCollectionRuleVMInsightsLock": {
+    "parDataCollectionRuleChangeTrackingLock": {
       "value": {
         "kind": "None",
         "notes": "This lock was created by the ALZ Bicep Logging Module."
       }
     },
-    "parDataCollectionRuleChangeTrackingLock": {
+    "parDataCollectionRuleMDFCSQLLock": {
       "value": {
         "kind": "None",
         "notes": "This lock was created by the ALZ Bicep Logging Module."
       }
     },
-    "parDataCollectionRuleMDFCSQLLock": {
+    "parSecurityInsightsOnboardingLock": {
+      "value": {
+        "kind": "None",
+        "notes": "This lock was created by the ALZ Bicep Logging Module."
+      }
+    },
+    "parChangeTrackingSolutionLock": {
       "value": {
         "kind": "None",
         "notes": "This lock was created by the ALZ Bicep Logging Module."

Diff for: infra-as-code/bicep/modules/logging/parameters/logging.parameters.min.json

@@ -2,19 +2,17 @@
   "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
   "contentVersion": "1.0.0.0",
   "parameters": {
-    "parLogAnalyticsWorkspaceLogRetentionInDays": {
-      "value": 365
-    },
     "parLogAnalyticsWorkspaceLocation": {
       "value": "eastus"
     },
-    "parLogAnalyticsWorkspaceSolutions": {
-      "value": [
-        "SecurityInsights"
-      ]
+    "parLogAnalyticsWorkspaceLogRetentionInDays": {
+      "value": 365
+    },
+    "parUserAssignedManagedIdentityName": {
+      "value": "alz-umi-identity"
     },
-    "parAutomationAccountLocation": {
-      "value": "eastus2"
+    "parUserAssignedManagedIdentityLocation": {
+      "value": "eastus"
     },
     "parTelemetryOptOut": {
       "value": false