{
"$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"subscriptionsToOnboard": {
"type": "array",
"defaultValue": [
"5a7e9c2f-cc2f-4c79-a44f-79add00ec7d4"
],
"metadata": {
"description": "A list of subscription Ids (GUID format)."
}
},
"managementGroupsToOnboard": {
"type": "array",
"defaultValue": [],
"metadata": {
"description": "A list of management group Ids to onboard."
}
},
"mode": {
"type": "string",
"defaultValue": "SaaS",
"allowedValues": [
"SaaS",
"Orca Pod"
],
"metadata": {
"description": "The onboarding mode. Select 'Orca Pod' to run the Side-scanners in the scanned subscriptions."
}
},
"extraTags": {
"type": "object",
"defaultValue": {},
"metadata": {
"description": "Extra tags to apply to every (taggable) resource that is provisioned by the template."
}
}
},
"variables": {
"inAccount": "[equals(parameters('mode'), 'Orca Pod')]",
"subscriptionsToOnboard": "[parameters('subscriptionsToOnboard')]",
"mspOfferName": "OrcaSecurity",
"mspOfferDescription": "Orca Security Service",
"orcaVendorTenantId": "489ba1d3-8ff5-4ba3-b331-3290f66b686b",
"orcaAppPrincipalId": "c53a842e-1568-4da4-9438-fda5837d5b5b",
"orcaAppPrincipalIdAtCustomer": "a3c7d925-737b-42b0-b081-8e6745047df1",
"orcaAppDisplayName": "Orca",
"orcaAppRoleIds": [
"acdd72a7-3385-48ef-bd42-f606fba81ae7",
"3e5e47e6-65f7-47ef-90b5-e5dd4d455f24",
"91c1777a-f3dc-4fae-b103-61d183457e46",
"4abbcc35-e782-43d8-92c5-2d3f1bd2253f"
],
"orcaAppDedicatedRgRoleIds": [
"b24988ac-6180-42a0-ab88-20f7382dd24c"
],
"orcaUserPrincipalId": "",
"orcaUserDisplayName": "Orca Admin",
"orcaUserRoleIds": "[variables('orcaAppRoleIds')]",
"orcaUserDedicatedRgRoleIds": "[variables('orcaAppDedicatedRgRoleIds')]",
"dedicatedRgName": "",
"usedDedicatedRgName": "[if(equals(variables('dedicatedRgName'), ''), 'Orca-Security-Not-Created', variables('dedicatedRgName'))]",
"createDedicatedRg": "[not(equals(variables('dedicatedRgName'), ''))]",
"setKeyVaultContributorPermissions": true,
"allowReadAccessKeyVaultKeySecret": false,
"copy": [
{
"name": "appSubscriptionAuthorizations",
"count": "[length(variables('orcaAppRoleIds'))]",
"input": {
"principalId": "[variables('orcaAppPrincipalId')]",
"roleDefinitionId": "[variables('orcaAppRoleIds')[copyIndex('appSubscriptionAuthorizations')]]",
"principalIdDisplayName": "[variables('orcaAppDisplayName')]"
}
},
{
"name": "userSubscriptionAuthorizations",
"count": "[if(equals(variables('orcaUserPrincipalId'), ''), 0, length(variables('orcaUserRoleIds')))]",
"input": {
"principalId": "[variables('orcaUserPrincipalId')]",
"roleDefinitionId": "[variables('orcaUserRoleIds')[copyIndex('userSubscriptionAuthorizations')]]",
"principalIdDisplayName": "[variables('orcaUserDisplayName')]"
}
},
{
"name": "appDedicatedRgAuthorizations",
"count": "[length(variables('orcaAppDedicatedRgRoleIds'))]",
"input": {
"principalId": "[variables('orcaAppPrincipalId')]",
"roleDefinitionId": "[variables('orcaAppDedicatedRgRoleIds')[copyIndex('appDedicatedRgAuthorizations')]]",
"principalIdDisplayName": "[variables('orcaAppDisplayName')]"
}
},
{
"name": "userDedicatedRgAuthorizations",
"count": "[if(equals(variables('orcaUserPrincipalId'), ''), 0, length(variables('orcaUserDedicatedRgRoleIds')))]",
"input": {
"principalId": "[variables('orcaUserPrincipalId')]",
"roleDefinitionId": "[variables('orcaUserDedicatedRgRoleIds')[copyIndex('userDedicatedRgAuthorizations')]]",
"principalIdDisplayName": "[variables('orcaUserDisplayName')]"
}
}
],
"keyVaultContributorAuthorization": [
{
"principalId": "[variables('orcaAppPrincipalId')]",
"roleDefinitionId": "f25e0fa2-a7c8-4377-a976-54943a77a395",
"principalIdDisplayName": "[variables('orcaAppDisplayName')]"
}
],
"conditionalKeyVaultContributorAuthorization": "[if(variables('setKeyVaultContributorPermissions'), variables('keyVaultContributorAuthorization'), createArray())]",
"subscriptionAuthorizations": "[concat(variables('appSubscriptionAuthorizations'), variables('userSubscriptionAuthorizations'), variables('conditionalKeyVaultContributorAuthorization'))]",
"dedicatedRgAuthorizations": "[concat(variables('appDedicatedRgAuthorizations'), variables('userDedicatedRgAuthorizations'))]",
"location": "[deployment().location]",
"innerTemplate": {
"$schema": "https://schema.management.azure.com/2018-05-01/subscriptionDeploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"orcaSpId": {
"type": "string",
"metadata": {
"description": "The principal to assign the role to."
}
},
"roleDefName": {
"type": "string",
"metadata": {
"description": "Role definition name."
}
},
"dedicatedRgName": {
"type": "string",
"metadata": {
"description": "Name of the dedicated resource group. May not be empty, even if `createDedicatedRg` is false."
}
},
"extraTags": {
"type": "object",
"defaultValue": {},
"metadata": {
"description": "Additional tags to apply to all generated resources (that can be tagged)."
}
}
},
"variables": {
"ContributorRoleDefinitionId": "[[resourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]"
},
"resources": [
{
"type": "Microsoft.Resources/resourceGroups",
"apiVersion": "2021-04-01",
"name": "[[parameters('dedicatedRgName')]",
"location": "[[deployment().location]",
"tags": "[[union(createObject('orca-role', 'dedicated-scanner-resource-group'), parameters('extraTags'))]",
"properties": {}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2019-10-01",
"name": "[[concat(substring(deployment().name, 17, min(10, length(deployment().name))), '-DedicatedRg-', deployment().location)]",
"resourceGroup": "[[parameters('dedicatedRgName')]",
"dependsOn": [
"[[parameters('dedicatedRgName')]"
],
"properties": {
"mode": "Incremental",
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.Authorization/roleAssignments",
"apiVersion": "2020-04-01-preview",
"name": "[[guid(subscription().id, parameters('dedicatedRgName'), 'dedicated-resource-group')]",
"properties": {
"roleDefinitionId": "[[variables('ContributorRoleDefinitionId')]",
"principalId": "[[parameters('orcaSpId')]",
"principalType": "ServicePrincipal"
}
}
]
}
}
}
]
},
"hasManagementGroupsToOnboard": "[not(empty(parameters('managementGroupsToOnboard')))]",
"hasSubscriptionToOnboard": "[not(empty(parameters('subscriptionsToOnboard')))]",
"lighthouseOnboarding": false
},
"resources": [
{
"condition": "[and(variables('lighthouseOnboarding'), variables('hasSubscriptionToOnboard'), not(variables('inAccount')))]",
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "[concat('OrcaLH', '-', variables('subscriptionsToOnboard')[copyIndex()], '-', deployment().location)]",
"location": "[variables('location')]",
"copy": {
"name": "subscriptionIterator",
"count": "[length(variables('subscriptionsToOnboard'))]",
"mode": "Parallel"
},
"subscriptionId": "[variables('subscriptionsToOnboard')[copyIndex()]]",
"properties": {
"mode": "Incremental",
"expressionEvaluationOptions": {
"scope": "inner"
},
"parameters": {
"mspOfferName": {
"value": "[variables('mspOfferName')]"
},
"mspOfferDescription": {
"value": "[variables('mspOfferDescription')]"
},
"orcaVendorTenantId": {
"value": "[variables('orcaVendorTenantId')]"
},
"subscriptionAuthorizations": {
"value": "[variables('subscriptionAuthorizations')]"
},
"dedicatedRgAuthorizations": {
"value": "[variables('dedicatedRgAuthorizations')]"
},
"dedicatedRgName": {
"value": "[variables('usedDedicatedRgName')]"
},
"createDedicatedRg": {
"value": "[variables('createDedicatedRg')]"
},
"location": {
"value": "[variables('location')]"
},
"extraTags": {
"value": "[parameters('extraTags')]"
}
},
"templateLink": {
"uri": "https://app.us.orcasecurity.io/api/onboarding/azure/template?type=lighthouse_subscription"
}
}
},
{
"condition": "[and(variables('hasManagementGroupsToOnboard'), not(variables('inAccount')))]",
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "orca-top-level-management-groups-onboarding",
"location": "[variables('location')]",
"properties": {
"mode": "Incremental",
"expressionEvaluationOptions": {
"scope": "inner"
},
"parameters": {
"orcaSpId": {
"value": "[variables('orcaAppPrincipalIdAtCustomer')]"
},
"keyVaultWritePermissions": {
"value": "[variables('setKeyVaultContributorPermissions')]"
},
"allowReadAccessKeyVaultKeySecret": {
"value": "[variables('allowReadAccessKeyVaultKeySecret')]"
},
"dedicatedRgName": {
"value": "[variables('usedDedicatedRgName')]"
},
"managementGroupsToOnboard": {
"value": "[parameters('managementGroupsToOnboard')]"
},
"innerTemplate": {
"value": "[variables('innerTemplate')]"
},
"createDedicatedRg": {
"value": "[variables('createDedicatedRg')]"
},
"extraTags": {
"value": "[parameters('extraTags')]"
}
},
"templateLink": {
"uri": "https://app.us.orcasecurity.io/api/onboarding/azure/template?type=mgmt_group"
}
}
},
{
"condition": "[and(variables('hasSubscriptionToOnboard'), not(variables('inAccount')))]",
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "[concat('Orca', '-', variables('subscriptionsToOnboard')[copyIndex()], '-', deployment().location)]",
"location": "[variables('location')]",
"copy": {
"name": "subscriptionIterator",
"count": "[length(variables('subscriptionsToOnboard'))]",
"mode": "Parallel"
},
"subscriptionId": "[variables('subscriptionsToOnboard')[copyIndex()]]",
"properties": {
"mode": "Incremental",
"expressionEvaluationOptions": {
"scope": "inner"
},
"parameters": {
"orcaSpId": {
"value": "[variables('orcaAppPrincipalIdAtCustomer')]"
},
"allowReadAccessKeyVaultKeySecret": {
"value": "[variables('allowReadAccessKeyVaultKeySecret')]"
},
"keyVaultWritePermissions": {
"value": "[variables('setKeyVaultContributorPermissions')]"
},
"location": {
"value": "[variables('location')]"
},
"dedicatedRgName": {
"value": "[variables('usedDedicatedRgName')]"
},
"createDedicatedRg": {
"value": "[variables('createDedicatedRg')]"
},
"extraTags": {
"value": "[parameters('extraTags')]"
}
},
"templateLink": {
"uri": "https://app.us.orcasecurity.io/api/onboarding/azure/template?type=subscription"
}
}
},
{
"condition": "[and(variables('hasManagementGroupsToOnboard'), variables('inAccount'))]",
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "orca-top-level-management-groups-onboarding-inaccount",
"location": "[variables('location')]",
"properties": {
"mode": "Incremental",
"expressionEvaluationOptions": {
"scope": "inner"
},
"parameters": {
"orcaSpId": {
"value": "[variables('orcaAppPrincipalIdAtCustomer')]"
},
"dedicatedRgName": {
"value": "[variables('usedDedicatedRgName')]"
},
"allowReadAccessKeyVaultKeySecret": {
"value": "[variables('allowReadAccessKeyVaultKeySecret')]"
},
"managementGroupsToOnboard": {
"value": "[parameters('managementGroupsToOnboard')]"
},
"innerTemplate": {
"value": "[variables('innerTemplate')]"
},
"extraTags": {
"value": "[parameters('extraTags')]"
}
},
"templateLink": {
"uri": "https://app.us.orcasecurity.io/api/onboarding/azure/template?type=mgmt_group&inaccount=true"
}
}
},
{
"condition": "[and(variables('hasSubscriptionToOnboard'), variables('inAccount'))]",
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "[concat('OrcaIA', '-', variables('subscriptionsToOnboard')[copyIndex()], '-', deployment().location)]",
"location": "[variables('location')]",
"copy": {
"name": "subscriptionIterator",
"count": "[length(variables('subscriptionsToOnboard'))]",
"mode": "Parallel"
},
"subscriptionId": "[variables('subscriptionsToOnboard')[copyIndex()]]",
"properties": {
"mode": "Incremental",
"expressionEvaluationOptions": {
"scope": "inner"
},
"parameters": {
"orcaSpId": {
"value": "[variables('orcaAppPrincipalIdAtCustomer')]"
},
"allowReadAccessKeyVaultKeySecret": {
"value": "[variables('allowReadAccessKeyVaultKeySecret')]"
},
"keyVaultAutoUpdate": {
"value": "[variables('setKeyVaultContributorPermissions')]"
},
"dedicatedRgName": {
"value": "[variables('usedDedicatedRgName')]"
},
"extraTags": {
"value": "[parameters('extraTags')]"
}
},
"templateLink": {
"uri": "https://app.us.orcasecurity.io/api/onboarding/azure/template?type=inaccount"
}
}
}
]
}