From 98296feab7061585d973c131a269221844b68594 Mon Sep 17 00:00:00 2001 From: github-actions Date: Fri, 5 Jul 2024 08:01:39 +0000 Subject: [PATCH 01/11] Update Policy Library (automated) --- .../policy_set_definition_es_Deploy-Private-DNS-Zones.json | 6 +++--- ...t_definition_es_Deploy-Private-DNS-Zones.parameters.json | 6 +++--- .../policy_set_definition_es_Enforce-Backup.json | 2 +- .../policy_set_definition_es_Enforce-Backup.parameters.json | 2 +- 4 files changed, 8 insertions(+), 8 deletions(-) diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-Private-DNS-Zones.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-Private-DNS-Zones.json index 78db42184..1029fde0f 100644 --- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-Private-DNS-Zones.json +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-Private-DNS-Zones.json @@ -1430,13 +1430,13 @@ "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Arc", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/55c4db33-97b0-437b-8469-c4f4498f5df9", "parameters": { - "privateDnsZoneIdForGuestConfiguration": { + "privateDnsZoneIDForGuestConfiguration": { "value": "[[parameters('azureArcGuestconfigurationPrivateDnsZoneId')]" }, - "privateDnsZoneIdForHybridResourceProvider": { + "privateDnsZoneIDForHybridResourceProvider": { "value": "[[parameters('azureArcHybridResourceProviderPrivateDnsZoneId')]" }, - "privateDnsZoneIdForKubernetesConfiguration": { + "privateDnsZoneIDForKubernetesConfiguration": { "value": "[[parameters('azureArcKubernetesConfigurationPrivateDnsZoneId')]" }, "effect": { diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-Private-DNS-Zones.parameters.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-Private-DNS-Zones.parameters.json index e63e3e07e..9a498b1f3 100644 --- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-Private-DNS-Zones.parameters.json +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-Private-DNS-Zones.parameters.json @@ -31,13 +31,13 @@ }, "DINE-Private-DNS-Azure-Arc": { "parameters": { - "privateDnsZoneIdForGuestConfiguration": { + "privateDnsZoneIDForGuestConfiguration": { "value": "[[parameters('azureArcGuestconfigurationPrivateDnsZoneId')]" }, - "privateDnsZoneIdForHybridResourceProvider": { + "privateDnsZoneIDForHybridResourceProvider": { "value": "[[parameters('azureArcHybridResourceProviderPrivateDnsZoneId')]" }, - "privateDnsZoneIdForKubernetesConfiguration": { + "privateDnsZoneIDForKubernetesConfiguration": { "value": "[[parameters('azureArcKubernetesConfigurationPrivateDnsZoneId')]" }, "effect": { diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Backup.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Backup.json index 926070f11..fa918cd44 100644 --- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Backup.json +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Backup.json @@ -63,7 +63,7 @@ "effect": { "value": "[[parameters('effect')]" }, - "CheckLockedImmutabiltyOnly": { + "checkLockedImmutabiltyOnly": { "value": "[[parameters('checkLockedImmutabilityOnly')]" } }, diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Backup.parameters.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Backup.parameters.json index 309234ee1..fda226ea8 100644 --- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Backup.parameters.json +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Backup.parameters.json @@ -4,7 +4,7 @@ "effect": { "value": "[[parameters('effect')]" }, - "CheckLockedImmutabiltyOnly": { + "checkLockedImmutabiltyOnly": { "value": "[[parameters('checkLockedImmutabilityOnly')]" } } From 92d0662548d45698ed8c0c9777e3a1bb29c7a628 Mon Sep 17 00:00:00 2001 From: github-actions Date: Wed, 14 Aug 2024 08:01:40 +0000 Subject: [PATCH 02/11] Update Policy Library (automated) --- ...nition_es_Enforce-Guardrails-KeyVault.json | 5 ++++- ...tion_es_Enforce-Guardrails-Kubernetes.json | 20 ++++++++++++++++++- ...inition_es_Enforce-Guardrails-Network.json | 14 ++++++++----- ...inition_es_Enforce-Guardrails-Synapse.json | 3 +-- 4 files changed, 33 insertions(+), 9 deletions(-) diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-KeyVault.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-KeyVault.json index 7691b68e1..fec73e728 100644 --- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-KeyVault.json +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-KeyVault.json @@ -8,7 +8,7 @@ "displayName": "Enforce recommended guardrails for Azure Key Vault", "description": "Enforce recommended guardrails for Azure Key Vault.", "metadata": { - "version": "2.0.0", + "version": "2.1.0", "category": "Key Vault", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -236,8 +236,11 @@ "type": "string", "defaultValue": "Disabled", "allowedValues": [ + "audit", "Audit", + "deny", "Deny", + "disabled", "Disabled" ] }, diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Kubernetes.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Kubernetes.json index 9ea87816f..03888cfeb 100644 --- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Kubernetes.json +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Kubernetes.json @@ -8,7 +8,7 @@ "displayName": "Enforce recommended guardrails for Kubernetes", "description": "This policy initiative is a group of policies that ensures Kubernetes is compliant per regulated Landing Zones.", "metadata": { - "version": "1.0.0", + "version": "1.1.0", "category": "Kubernetes", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -81,8 +81,11 @@ "type": "string", "defaultValue": "Deny", "allowedValues": [ + "audit", "Audit", + "deny", "Deny", + "disabled", "Disabled" ] }, @@ -90,8 +93,11 @@ "type": "string", "defaultValue": "Deny", "allowedValues": [ + "audit", "Audit", + "deny", "Deny", + "disabled", "Disabled" ] }, @@ -99,8 +105,11 @@ "type": "string", "defaultValue": "Deny", "allowedValues": [ + "audit", "Audit", + "deny", "Deny", + "disabled", "Disabled" ] }, @@ -117,8 +126,11 @@ "type": "string", "defaultValue": "Deny", "allowedValues": [ + "audit", "Audit", + "deny", "Deny", + "disabled", "Disabled" ] }, @@ -126,8 +138,11 @@ "type": "string", "defaultValue": "Deny", "allowedValues": [ + "audit", "Audit", + "deny", "Deny", + "disabled", "Disabled" ] }, @@ -144,8 +159,11 @@ "type": "string", "defaultValue": "Deny", "allowedValues": [ + "audit", "Audit", + "deny", "Deny", + "disabled", "Disabled" ] }, diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Network.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Network.json index 3ecf3e359..8b9a3d78c 100644 --- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Network.json +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Network.json @@ -8,7 +8,7 @@ "displayName": "Enforce recommended guardrails for Network and Networking services", "description": "This policy initiative is a group of policies that ensures Network and Networking services are compliant per regulated Landing Zones.", "metadata": { - "version": "1.0.0", + "version": "1.1.0", "category": "Network", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -56,7 +56,12 @@ }, "vnetModifyDdos": { "type": "string", - "defaultValue": "Modify" + "defaultValue": "Modify", + "allowedValues": [ + "Audit", + "Modify", + "Disabled" + ] }, "ddosPlanResourceId": { "type": "string", @@ -229,9 +234,8 @@ "type": "string", "defaultValue": "Deny", "allowedValues": [ - "Audit", - "Deny", - "Disabled" + "Allow", + "Deny" ] }, "modifyNsgRuleProtocol": { diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Synapse.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Synapse.json index 160708a26..889d0f6c3 100644 --- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Synapse.json +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Synapse.json @@ -8,7 +8,7 @@ "displayName": "Enforce recommended guardrails for Synapse workspaces", "description": "This policy initiative is a group of policies that ensures Synapse workspaces is compliant per regulated Landing Zones.", "metadata": { - "version": "1.0.0", + "version": "1.1.0", "category": "Synapse", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -65,7 +65,6 @@ "defaultValue": "Audit", "allowedValues": [ "Audit", - "Deny", "Disabled" ] }, From 8568d6502a6545f3f959232513abc370ea5520e1 Mon Sep 17 00:00:00 2001 From: Zach Trocinski Date: Mon, 30 Sep 2024 15:56:23 -0500 Subject: [PATCH 03/11] Change monitor policy names to avoid confusion --- .../policy_assignment_es_deploy_vm_monitor.tmpl.json | 2 +- .../policy_assignment_es_deploy_vmss_monitor.tmpl.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_monitor.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_monitor.tmpl.json index bafa57058..2a578b552 100644 --- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_monitor.tmpl.json +++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_monitor.tmpl.json @@ -1,5 +1,5 @@ { - "name": "Deploy-VM-Monitoring", + "name": "Deploy-VM-Monitor-24", "type": "Microsoft.Authorization/policyAssignments", "apiVersion": "2024-04-01", "properties": { diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vmss_monitor.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vmss_monitor.tmpl.json index d3e97457f..3a4e7c9ef 100644 --- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vmss_monitor.tmpl.json +++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vmss_monitor.tmpl.json @@ -1,5 +1,5 @@ { - "name": "Deploy-VMSS-Monitoring", + "name": "Deploy-VMSS-Monitor-24", "type": "Microsoft.Authorization/policyAssignments", "apiVersion": "2024-04-01", "properties": { From ac341f3a19ebbd21e9ab6fbe23aabc8f6856e2c9 Mon Sep 17 00:00:00 2001 From: github-actions Date: Tue, 1 Oct 2024 08:01:35 +0000 Subject: [PATCH 04/11] Update Policy Library (automated) --- .../lib/policy_assignments/_policyAssignmentsBicepInput.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/_policyAssignmentsBicepInput.txt b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/_policyAssignmentsBicepInput.txt index 266c9a91b..7daad502f 100644 --- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/_policyAssignmentsBicepInput.txt +++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/_policyAssignmentsBicepInput.txt @@ -253,7 +253,7 @@ var varPolicyAssignmentDeployVMChangeTrack = { libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_changetrack.tmpl.json') } -var varPolicyAssignmentDeployVMMonitoring = { +var varPolicyAssignmentDeployVMMonitor24 = { definitionId: '/providers/Microsoft.Authorization/policySetDefinitions/924bfe3a-762f-40e7-86dd-5c8b95eb09e6' libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_monitor.tmpl.json') } @@ -263,7 +263,7 @@ var varPolicyAssignmentDeployVMSSChangeTrack = { libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vmss_changetrack.tmpl.json') } -var varPolicyAssignmentDeployVMSSMonitoring = { +var varPolicyAssignmentDeployVMSSMonitor24 = { definitionId: '/providers/Microsoft.Authorization/policySetDefinitions/f5bf694c-cca7-4033-b883-3a23327d5485' libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vmss_monitor.tmpl.json') } From 49ba8cbd1d8113df8d5280f114157d61dc931e54 Mon Sep 17 00:00:00 2001 From: github-actions Date: Thu, 10 Oct 2024 08:02:08 +0000 Subject: [PATCH 05/11] feat: Update Policy Library (automated) --- ...nition_es_Append-AppService-latestTLS.json | 5 +- ...nition_es_Append-Redis-sslEnforcement.json | 4 +- .../policy_definition_es_Deny-EH-minTLS.json | 4 +- .../policy_definition_es_Deny-MySql-http.json | 4 +- .../policy_definition_es_Deny-Redis-http.json | 6 +- .../policy_definition_es_Deny-Sql-minTLS.json | 4 +- ...olicy_definition_es_Deny-SqlMi-minTLS.json | 6 +- ...efinition_es_Deny-VNET-Peer-Cross-Sub.json | 22 ++- ...nition_es_Deploy-MySQL-sslEnforcement.json | 4 +- ...n_es_Deploy-PostgreSQL-sslEnforcement.json | 4 +- ...inition_es_Deploy-Private-DNS-Generic.json | 19 +- ...olicy_definition_es_Deploy-SQL-minTLS.json | 4 +- ...icy_definition_es_Deploy-SqlMi-minTLS.json | 4 +- ...tion_es_Deploy-Storage-sslEnforcement.json | 4 +- .../_policySetDefinitionsBicepInput.txt | 148 +++++++++++++++- ...nition_es_Deploy-MDFC-Config_20240319.json | 19 +- ...eploy-MDFC-Config_20240319.parameters.json | 3 + ..._definition_es_Enforce-Encryption-CMK.json | 24 ++- ..._es_Enforce-Encryption-CMK.parameters.json | 7 + ...tion_es_Enforce-Guardrails-BotService.json | 107 +++++++++++ ...orce-Guardrails-BotService.parameters.json | 30 ++++ ..._Enforce-Guardrails-CognitiveServices.json | 76 +++++++- ...ardrails-CognitiveServices.parameters.json | 28 +++ ...es_Enforce-Guardrails-MachineLearning.json | 166 +++++++++++++++++- ...Guardrails-MachineLearning.parameters.json | 63 +++++++ ...finition_es_Enforce-Guardrails-OpenAI.json | 93 +++++++++- ..._Enforce-Guardrails-OpenAI.parameters.json | 35 ++++ 27 files changed, 854 insertions(+), 39 deletions(-) create mode 100644 infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-BotService.json create mode 100644 infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-BotService.parameters.json diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Append-AppService-latestTLS.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Append-AppService-latestTLS.json index 628ae5b66..547cca8cd 100644 --- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Append-AppService-latestTLS.json +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Append-AppService-latestTLS.json @@ -9,7 +9,7 @@ "displayName": "AppService append sites with minimum TLS version to enforce.", "description": "Append the AppService sites object to ensure that min Tls version is set to required minimum TLS version. Please note Append does not enforce compliance use then deny.", "metadata": { - "version": "1.1.0", + "version": "1.2.0", "category": "App Service", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -35,6 +35,7 @@ "type": "String", "defaultValue": "1.2", "allowedValues": [ + "1.3", "1.2", "1.0", "1.1" @@ -54,7 +55,7 @@ }, { "field": "Microsoft.Web/sites/config/minTlsVersion", - "notEquals": "[parameters('minTlsVersion')]" + "less": "[parameters('minTlsVersion')]" } ] }, diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Append-Redis-sslEnforcement.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Append-Redis-sslEnforcement.json index 817426388..aac286f37 100644 --- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Append-Redis-sslEnforcement.json +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Append-Redis-sslEnforcement.json @@ -9,7 +9,7 @@ "displayName": "Azure Cache for Redis Append a specific min TLS version requirement and enforce TLS.", "description": "Append a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.", "metadata": { - "version": "1.0.0", + "version": "1.1.0", "category": "Cache", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -56,7 +56,7 @@ "anyOf": [ { "field": "Microsoft.Cache/Redis/minimumTlsVersion", - "notequals": "[parameters('minimumTlsVersion')]" + "less": "[parameters('minimumTlsVersion')]" } ] } diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-EH-minTLS.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-EH-minTLS.json index a1e8b33e7..6f7e7a29e 100644 --- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-EH-minTLS.json +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-EH-minTLS.json @@ -9,7 +9,7 @@ "displayName": "Event Hub namespaces should use a valid TLS version", "description": "Event Hub namespaces should use a valid TLS version.", "metadata": { - "version": "1.0.0", + "version": "1.1.0", "category": "Event Hub", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -52,7 +52,7 @@ "anyOf": [ { "field": "Microsoft.EventHub/namespaces/minimumTlsVersion", - "notEquals": "[parameters('minTlsVersion')]" + "less": "[parameters('minTlsVersion')]" }, { "field": "Microsoft.EventHub/namespaces/minimumTlsVersion", diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-MySql-http.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-MySql-http.json index a8da04389..1c98aa2b4 100644 --- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-MySql-http.json +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-MySql-http.json @@ -9,7 +9,7 @@ "displayName": "MySQL database servers enforce SSL connections.", "description": "Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.", "metadata": { - "version": "1.0.0", + "version": "1.1.0", "category": "SQL", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -66,7 +66,7 @@ }, { "field": "Microsoft.DBforMySQL/servers/minimalTlsVersion", - "notequals": "[parameters('minimalTlsVersion')]" + "less": "[parameters('minimalTlsVersion')]" } ] } diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Redis-http.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Redis-http.json index 73d491ad7..70055987b 100644 --- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Redis-http.json +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Redis-http.json @@ -9,7 +9,7 @@ "displayName": "Azure Cache for Redis only secure connections should be enabled", "description": "Audit enabling of only connections via SSL to Azure Cache for Redis. Validate both minimum TLS version and enableNonSslPort is disabled. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking", "metadata": { - "version": "1.0.0", + "version": "1.1.0", "category": "Cache", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -41,7 +41,7 @@ "1.0" ], "metadata": { - "displayName": "Select minumum TLS version for Azure Cache for Redis.", + "displayName": "Select minimum TLS version for Azure Cache for Redis.", "description": "Select minimum TLS version for Azure Cache for Redis." } } @@ -61,7 +61,7 @@ }, { "field": "Microsoft.Cache/Redis/minimumTlsVersion", - "notequals": "[parameters('minimumTlsVersion')]" + "less": "[parameters('minimumTlsVersion')]" } ] } diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Sql-minTLS.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Sql-minTLS.json index f859443e7..f9890d9f4 100644 --- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Sql-minTLS.json +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Sql-minTLS.json @@ -9,7 +9,7 @@ "displayName": "Azure SQL Database should have the minimal TLS version set to the highest version", "description": "Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not reccomended since they have well documented security vunerabilities.", "metadata": { - "version": "1.0.0", + "version": "1.1.0", "category": "SQL", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -61,7 +61,7 @@ }, { "field": "Microsoft.Sql/servers/minimalTlsVersion", - "notequals": "[parameters('minimalTlsVersion')]" + "less": "[parameters('minimalTlsVersion')]" } ] } diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-SqlMi-minTLS.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-SqlMi-minTLS.json index 951d1ac18..d1d555201 100644 --- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-SqlMi-minTLS.json +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-SqlMi-minTLS.json @@ -7,9 +7,9 @@ "policyType": "Custom", "mode": "Indexed", "displayName": "SQL Managed Instance should have the minimal TLS version set to the highest version", - "description": "Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not reccomended since they have well documented security vunerabilities.", + "description": "Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.", "metadata": { - "version": "1.0.0", + "version": "1.1.0", "category": "SQL", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -61,7 +61,7 @@ }, { "field": "Microsoft.Sql/managedInstances/minimalTlsVersion", - "notequals": "[parameters('minimalTlsVersion')]" + "less": "[parameters('minimalTlsVersion')]" } ] } diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-VNET-Peer-Cross-Sub.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-VNET-Peer-Cross-Sub.json index d9d6dd82c..47cf20289 100644 --- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-VNET-Peer-Cross-Sub.json +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-VNET-Peer-Cross-Sub.json @@ -9,7 +9,7 @@ "displayName": "Deny vNet peering cross subscription.", "description": "This policy denies the creation of vNet Peerings outside of the same subscriptions under the assigned scope.", "metadata": { - "version": "1.0.1", + "version": "1.1.0", "category": "Network", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -31,6 +31,14 @@ "Disabled" ], "defaultValue": "Deny" + }, + "allowedVnets": { + "type": "Array", + "metadata": { + "displayName": "Allowed vNets to peer with", + "description": "Array of allowed vNets that can be peered with. Must be entered using their resource ID. Example: /subscriptions/{subId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}" + }, + "defaultValue": [] } }, "policyRule": { @@ -41,8 +49,16 @@ "equals": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings" }, { - "field": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/remoteVirtualNetwork.id", - "notcontains": "[subscription().id]" + "allOf": [ + { + "field": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/remoteVirtualNetwork.id", + "notIn": "[parameters('allowedVnets')]" + }, + { + "field": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/remoteVirtualNetwork.id", + "notLike": "[concat(subscription().id, '/*')]" + } + ] } ] }, diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-MySQL-sslEnforcement.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-MySQL-sslEnforcement.json index 3dca74215..180fb74d1 100644 --- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-MySQL-sslEnforcement.json +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-MySQL-sslEnforcement.json @@ -9,7 +9,7 @@ "displayName": "Azure Database for MySQL server deploy a specific min TLS version and enforce SSL.", "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.", "metadata": { - "version": "1.1.0", + "version": "1.2.0", "category": "SQL", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -61,7 +61,7 @@ }, { "field": "Microsoft.DBforMySQL/servers/minimalTlsVersion", - "notequals": "[parameters('minimalTlsVersion')]" + "less": "[parameters('minimalTlsVersion')]" } ] } diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-PostgreSQL-sslEnforcement.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-PostgreSQL-sslEnforcement.json index 3cf45b5ec..e5a74136f 100644 --- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-PostgreSQL-sslEnforcement.json +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-PostgreSQL-sslEnforcement.json @@ -9,7 +9,7 @@ "displayName": "Azure Database for PostgreSQL server deploy a specific min TLS version requirement and enforce SSL ", "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.", "metadata": { - "version": "1.1.0", + "version": "1.2.0", "category": "SQL", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -61,7 +61,7 @@ }, { "field": "Microsoft.DBforPostgreSQL/servers/minimalTlsVersion", - "notEquals": "[parameters('minimalTlsVersion')]" + "less": "[parameters('minimalTlsVersion')]" } ] } diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Private-DNS-Generic.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Private-DNS-Generic.json index caf64db9f..580c205cc 100644 --- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Private-DNS-Generic.json +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Private-DNS-Generic.json @@ -9,7 +9,7 @@ "displayName": "Deploy-Private-DNS-Generic", "description": "Configure private DNS zone group to override the DNS resolution for PaaS services private endpoint. See https://aka.ms/pepdnszones for information on values to provide to parameters in this policy.", "metadata": { - "version": "1.0.0", + "version": "2.0.0", "category": "Networking", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -34,8 +34,8 @@ "privateDnsZoneId": { "type": "String", "metadata": { - "displayName": "Private DNS Zone ID for Paas services", - "description": "The private DNS zone name required for specific Paas Services to resolve a private DNS Zone.", + "displayName": "Private DNS Zone ID for PaaS services", + "description": "The private DNS zone name required for specific PaaS Services to resolve a private DNS Zone.", "strongType": "Microsoft.Network/privateDnsZones", "assignPermissions": true } @@ -61,11 +61,24 @@ "description": "The delay in evaluation of the policy. Review delay options at https://learn.microsoft.com/en-us/azure/governance/policy/concepts/effect-deploy-if-not-exists" }, "defaultValue": "PT10M" + }, + "location": { + "type": "String", + "metadata": { + "displayName": "Location (Specify the Private Endpoint location)", + "description": "Specify the Private Endpoint location", + "strongType": "location" + }, + "defaultValue": "northeurope" } }, "policyRule": { "if": { "allOf": [ + { + "field": "location", + "equals": "[parameters('location')]" + }, { "field": "type", "equals": "Microsoft.Network/privateEndpoints" diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-SQL-minTLS.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-SQL-minTLS.json index 48909e0ee..51323d520 100644 --- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-SQL-minTLS.json +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-SQL-minTLS.json @@ -9,7 +9,7 @@ "displayName": "SQL servers deploys a specific min TLS version requirement.", "description": "Deploys a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.", "metadata": { - "version": "1.1.0", + "version": "1.2.0", "category": "SQL", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -54,7 +54,7 @@ }, { "field": "Microsoft.Sql/servers/minimalTlsVersion", - "notequals": "[parameters('minimalTlsVersion')]" + "less": "[parameters('minimalTlsVersion')]" } ] }, diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-SqlMi-minTLS.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-SqlMi-minTLS.json index a2e4c61ce..fa69bf9b3 100644 --- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-SqlMi-minTLS.json +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-SqlMi-minTLS.json @@ -9,7 +9,7 @@ "displayName": "SQL managed instances deploy a specific min TLS version requirement.", "description": "Deploy a specific min TLS version requirement and enforce SSL on SQL managed instances. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.", "metadata": { - "version": "1.2.0", + "version": "1.3.0", "category": "SQL", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -54,7 +54,7 @@ }, { "field": "Microsoft.Sql/managedInstances/minimalTlsVersion", - "notequals": "[parameters('minimalTlsVersion')]" + "less": "[parameters('minimalTlsVersion')]" } ] }, diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Storage-sslEnforcement.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Storage-sslEnforcement.json index 6e0531aa6..5b624d427 100644 --- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Storage-sslEnforcement.json +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Storage-sslEnforcement.json @@ -9,7 +9,7 @@ "displayName": "Azure Storage deploy a specific min TLS version requirement and enforce SSL/HTTPS ", "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Storage. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your Azure Storage.", "metadata": { - "version": "1.2.0", + "version": "1.3.0", "category": "Storage", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -60,7 +60,7 @@ }, { "field": "Microsoft.Storage/storageAccounts/minimumTlsVersion", - "notEquals": "[parameters('minimumTlsVersion')]" + "less": "[parameters('minimumTlsVersion')]" } ] } diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/_policySetDefinitionsBicepInput.txt b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/_policySetDefinitionsBicepInput.txt index f70087457..127a76c21 100644 --- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/_policySetDefinitionsBicepInput.txt +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/_policySetDefinitionsBicepInput.txt @@ -839,7 +839,7 @@ var varCustomPolicySetDefinitionsArray = [ } { definitionReferenceId: 'defenderForCspm' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/689f7782-ef2c-4270-a6d0-7664869076bd' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/72f8cee7-2937-403d-84a1-a4e3e57f3c21' definitionParameters: varPolicySetDefinitionEsDeployMDFCConfig_20240319Parameters.defenderForCspm.parameters definitionGroups: [] } @@ -1671,6 +1671,12 @@ var varCustomPolicySetDefinitionsArray = [ definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters['Deny-Backup-Cmk'].parameters definitionGroups: [] } + { + definitionReferenceId: 'Deny-BotService-Cmk' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/51522a96-0869-4791-82f3-981000c2c67f' + definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters['Deny-BotService-Cmk'].parameters + definitionGroups: [] + } { definitionReferenceId: 'Deny-CognitiveSearch-Cmk' definitionId: '/providers/Microsoft.Authorization/policyDefinitions/76a56461-9dc0-40f0-82f5-2453283afa2f' @@ -2393,10 +2399,58 @@ var varCustomPolicySetDefinitionsArray = [ } ] } + { + name: 'Enforce-Guardrails-BotService' + libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-BotService.json') + libSetChildDefinitions: [ + { + definitionReferenceId: 'Audit-BotService-Private-Link' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ad5621d6-a877-4407-aa93-a950b428315e' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsBotServiceParameters['Audit-BotService-Private-Link'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-BotService-Isolated-Mode' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/52152f42-0dda-40d9-976e-abb1acdd611e' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsBotServiceParameters['Deny-BotService-Isolated-Mode'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-BotService-Local-Auth' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ffea632e-4e3a-4424-bf78-10e179bb2e1a' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsBotServiceParameters['Deny-BotService-Local-Auth'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-BotService-Valid-Uri' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/6164527b-e1ee-4882-8673-572f425f5e0a' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsBotServiceParameters['Deny-BotService-Valid-Uri'].parameters + definitionGroups: [] + } + ] + } { name: 'Enforce-Guardrails-CognitiveServices' libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-CognitiveServices.json') libSetChildDefinitions: [ + { + definitionReferenceId: 'Aine-Cognitive-Services-Resource-Logs' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsCognitiveServicesParameters['Aine-Cognitive-Services-Resource-Logs'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-Cognitive-Services-Customer-Storage' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/46aa9b05-0e60-4eae-a88b-1e9d374fa515' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsCognitiveServicesParameters['Deny-Cognitive-Services-Customer-Storage'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-Cognitive-Services-Managed-Identity' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/fe3fd216-4f83-4fc1-8984-2bbec80a3418' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsCognitiveServicesParameters['Deny-Cognitive-Services-Managed-Identity'].parameters + definitionGroups: [] + } { definitionReferenceId: 'Deny-CognitiveSearch-SKU' definitionId: '/providers/Microsoft.Authorization/policyDefinitions/a049bf77-880b-470f-ba6d-9f21c530cf83' @@ -2409,6 +2463,12 @@ var varCustomPolicySetDefinitionsArray = [ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsCognitiveServicesParameters['Deny-CongitiveSearch-LocalAuth'].parameters definitionGroups: [] } + { + definitionReferenceId: 'Modify-Cognitive-Services-Local-Auth' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/14de9e63-1b31-492e-a5a3-c3f7fd57f555' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsCognitiveServicesParameters['Modify-Cognitive-Services-Local-Auth'].parameters + definitionGroups: [] + } { definitionReferenceId: 'Modify-Cognitive-Services-Public-Network-Access' definitionId: '/providers/Microsoft.Authorization/policyDefinitions/47ba1dd7-28d9-4b07-a8d5-9813bed64e0c' @@ -3051,6 +3111,60 @@ var varCustomPolicySetDefinitionsArray = [ name: 'Enforce-Guardrails-MachineLearning' libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-MachineLearning.json') libSetChildDefinitions: [ + { + definitionReferenceId: 'Aine-ML-Resource-Logs' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/afe0c3be-ba3b-4544-ba52-0c99672a8ad6' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsMachineLearningParameters['Aine-ML-Resource-Logs'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Audit-ML-Private-Link' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/45e05259-1eb5-4f70-9574-baf73e9d219b' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsMachineLearningParameters['Audit-ML-Private-Link'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Audit-ML-Virtual-Network' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/7804b5c7-01dc-4723-969b-ae300cc07ff1' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsMachineLearningParameters['Audit-ML-Virtual-Network'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-ML-Allowed-Module' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/53c70b02-63dd-11ea-bc55-0242ac130003' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsMachineLearningParameters['Deny-ML-Allowed-Module'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-ML-Allowed-Python' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/77eeea86-7e81-4a7d-9067-de844d096752' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsMachineLearningParameters['Deny-ML-Allowed-Python'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-ML-Allowed-Registries' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/5853517a-63de-11ea-bc55-0242ac130003' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsMachineLearningParameters['Deny-ML-Allowed-Registries'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-ML-Allowed-Registry-Deploy' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/19539b54-c61e-4196-9a38-67598701be90' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsMachineLearningParameters['Deny-ML-Allowed-Registry-Deploy'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-ML-Idle-Shutdown' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/679ddf89-ab8f-48a5-9029-e76054077449' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsMachineLearningParameters['Deny-ML-Idle-Shutdown'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-ML-Legacy-Mode' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/e413671a-dd10-4cc1-a943-45b598596cb7' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsMachineLearningParameters['Deny-ML-Legacy-Mode'].parameters + definitionGroups: [] + } { definitionReferenceId: 'Deny-ML-Local-Auth' definitionId: '/providers/Microsoft.Authorization/policyDefinitions/e96a9a5f-07ca-471b-9bc5-6a0f33cbd68f' @@ -3243,6 +3357,24 @@ var varCustomPolicySetDefinitionsArray = [ name: 'Enforce-Guardrails-OpenAI' libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-OpenAI.json') libSetChildDefinitions: [ + { + definitionReferenceId: 'Aine-AzureAI-Diag-Settings' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1b4d1c4e-934c-4703-944c-27c82c06bebb' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsOpenAIParameters['Aine-AzureAI-Diag-Settings'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Audit-AzureAI-Private-Link' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/d6759c02-b87f-42b7-892e-71b3f471d782' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsOpenAIParameters['Audit-AzureAI-Private-Link'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-AzureAI-Network-Access' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/037eea7a-bd0a-46c5-9a66-03aea78705d3' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsOpenAIParameters['Deny-AzureAI-Network-Access'].parameters + definitionGroups: [] + } { definitionReferenceId: 'Deny-Cognitive-Services-Cust-Storage' definitionId: '/providers/Microsoft.Authorization/policyDefinitions/46aa9b05-0e60-4eae-a88b-1e9d374fa515' @@ -3273,6 +3405,18 @@ var varCustomPolicySetDefinitionsArray = [ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsOpenAIParameters['Deny-OpenAi-OutboundNetworkAccess'].parameters definitionGroups: [] } + { + definitionReferenceId: 'Dine-AzureAI-Local-Key' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/d45520cb-31ca-44ba-8da2-fcf914608544' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsOpenAIParameters['Dine-AzureAI-Local-Key'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Dine-AzureAI-Local-Key2' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/55eff01b-f2bd-4c32-9203-db285f709d30' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsOpenAIParameters['Dine-AzureAI-Local-Key2'].parameters + definitionGroups: [] + } { definitionReferenceId: 'Modify-Cognitive-Services-Local-Auth' definitionId: '/providers/Microsoft.Authorization/policyDefinitions/14de9e63-1b31-492e-a5a3-c3f7fd57f555' @@ -3624,6 +3768,8 @@ var varPolicySetDefinitionEsEnforceGuardrailsAppServicesParameters = loadJsonCon var varPolicySetDefinitionEsEnforceGuardrailsAutomationParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Automation.parameters.json') +var varPolicySetDefinitionEsEnforceGuardrailsBotServiceParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-BotService.parameters.json') + var varPolicySetDefinitionEsEnforceGuardrailsCognitiveServicesParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-CognitiveServices.parameters.json') var varPolicySetDefinitionEsEnforceGuardrailsComputeParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Compute.parameters.json') diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-MDFC-Config_20240319.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-MDFC-Config_20240319.json index ffe9b7f9d..a01eeaf9e 100644 --- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-MDFC-Config_20240319.json +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-MDFC-Config_20240319.json @@ -8,7 +8,7 @@ "displayName": "Deploy Microsoft Defender for Cloud configuration", "description": "Deploy Microsoft Defender for Cloud configuration", "metadata": { - "version": "1.0.0", + "version": "2.1.0", "category": "Security Center", "source": "https://github.com/Azure/Enterprise-Scale/", "replacesPolicy": "Deploy-MDFC-Config", @@ -59,6 +59,18 @@ "description": "The location where the resource group and the export to Log Analytics workspace configuration are created." } }, + "createResourceGroup": { + "type": "Boolean", + "metadata": { + "displayName": "Create resource group", + "description": "If a resource group does not exists in the scope, a new resource group will be created. If the resource group exists and this flag is set to 'true' the policy will re-deploy the resource group. Please note this will reset any Azure Tag on the resource group." + }, + "defaultValue": true, + "allowedValues": [ + true, + false + ] + }, "enableAscForCosmosDbs": { "type": "String", "allowedValues": [ @@ -355,7 +367,7 @@ }, { "policyDefinitionReferenceId": "defenderForCspm", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/689f7782-ef2c-4270-a6d0-7664869076bd", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/72f8cee7-2937-403d-84a1-a4e3e57f3c21", "parameters": { "effect": { "value": "[[parameters('enableAscForCspm')]" @@ -386,6 +398,9 @@ "resourceGroupLocation": { "value": "[[parameters('ascExportResourceGroupLocation')]" }, + "createResourceGroup": { + "value": "[[parameters('createResourceGroup')]" + }, "workspaceResourceId": { "value": "[[parameters('logAnalytics')]" } diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-MDFC-Config_20240319.parameters.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-MDFC-Config_20240319.parameters.json index 5408895e1..49c2d3bc2 100644 --- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-MDFC-Config_20240319.parameters.json +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-MDFC-Config_20240319.parameters.json @@ -7,6 +7,9 @@ "resourceGroupLocation": { "value": "[[parameters('ascExportResourceGroupLocation')]" }, + "createResourceGroup": { + "value": "[[parameters('createResourceGroup')]" + }, "workspaceResourceId": { "value": "[[parameters('logAnalytics')]" } diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Encryption-CMK.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Encryption-CMK.json index cbe71336a..9ad7af052 100644 --- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Encryption-CMK.json +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Encryption-CMK.json @@ -8,7 +8,7 @@ "displayName": "Deny or Audit resources without Encryption with a customer-managed key (CMK)", "description": "Deny or Audit resources without Encryption with a customer-managed key (CMK)", "metadata": { - "version": "3.0.0", + "version": "3.1.0", "category": "Encryption", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -329,6 +329,18 @@ "Deny", "Disabled" ] + }, + "botServiceCmk": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "audit", + "Deny", + "deny", + "Disabled", + "disabled" + ] } }, "policyDefinitions": [ @@ -621,6 +633,16 @@ } }, "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-BotService-Cmk", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/51522a96-0869-4791-82f3-981000c2c67f", + "parameters": { + "effect": { + "value": "[[parameters('botServiceCmk')]" + } + }, + "groupNames": [] } ], "policyDefinitionGroups": null diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Encryption-CMK.parameters.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Encryption-CMK.parameters.json index bb398c41e..fb13a9bb8 100644 --- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Encryption-CMK.parameters.json +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Encryption-CMK.parameters.json @@ -69,6 +69,13 @@ } } }, + "Deny-BotService-Cmk": { + "parameters": { + "effect": { + "value": "[[parameters('botServiceCmk')]" + } + } + }, "Deny-CognitiveSearch-Cmk": { "parameters": { "effect": { diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-BotService.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-BotService.json new file mode 100644 index 000000000..2585627fa --- /dev/null +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-BotService.json @@ -0,0 +1,107 @@ +{ + "name": "Enforce-Guardrails-BotService", + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "displayName": "Enforce recommended guardrails for Bot Service", + "description": "This policy initiative is a group of policies that ensures Bot Service is compliant per regulated Landing Zones.", + "metadata": { + "version": "1.0.0", + "category": "Bot Service", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "botServiceValidUri": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "audit", + "Deny", + "deny", + "Disabled", + "disabled" + ] + }, + "botServiceIsolatedMode": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "audit", + "Deny", + "deny", + "Disabled", + "disabled" + ] + }, + "botServiceLocalAuth": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "botServicePrivateLink": { + "type": "string", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled" + ] + } + }, + "policyDefinitions": [ + { + "policyDefinitionReferenceId": "Deny-BotService-Valid-Uri", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6164527b-e1ee-4882-8673-572f425f5e0a", + "parameters": { + "effect": { + "value": "[[parameters('botServiceValidUri')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-BotService-Isolated-Mode", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/52152f42-0dda-40d9-976e-abb1acdd611e", + "parameters": { + "effect": { + "value": "[[parameters('botServiceIsolatedMode')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-BotService-Local-Auth", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ffea632e-4e3a-4424-bf78-10e179bb2e1a", + "parameters": { + "effect": { + "value": "[[parameters('botServiceLocalAuth')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Audit-BotService-Private-Link", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ad5621d6-a877-4407-aa93-a950b428315e", + "parameters": { + "effect": { + "value": "[[parameters('botServicePrivateLink')]" + } + }, + "groupNames": [] + } + ], + "policyDefinitionGroups": null + } +} \ No newline at end of file diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-BotService.parameters.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-BotService.parameters.json new file mode 100644 index 000000000..1833e1f07 --- /dev/null +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-BotService.parameters.json @@ -0,0 +1,30 @@ +{ + "Audit-BotService-Private-Link": { + "parameters": { + "effect": { + "value": "[[parameters('botServicePrivateLink')]" + } + } + }, + "Deny-BotService-Isolated-Mode": { + "parameters": { + "effect": { + "value": "[[parameters('botServiceIsolatedMode')]" + } + } + }, + "Deny-BotService-Local-Auth": { + "parameters": { + "effect": { + "value": "[[parameters('botServiceLocalAuth')]" + } + } + }, + "Deny-BotService-Valid-Uri": { + "parameters": { + "effect": { + "value": "[[parameters('botServiceValidUri')]" + } + } + } +} diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-CognitiveServices.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-CognitiveServices.json index e468d4919..8f03d6d89 100644 --- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-CognitiveServices.json +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-CognitiveServices.json @@ -8,7 +8,7 @@ "displayName": "Enforce recommended guardrails for Cognitive Services", "description": "This policy initiative is a group of policies that ensures Cognitive Services is compliant per regulated Landing Zones.", "metadata": { - "version": "1.0.0", + "version": "1.1.0", "category": "Cognitive Services", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -44,6 +44,14 @@ "Disabled" ] }, + "cognitiveServicesLocalAuth": { + "type": "string", + "defaultValue": "Modify", + "allowedValues": [ + "Modify", + "Disabled" + ] + }, "modifyCognitiveSearchPublicEndpoint": { "type": "string", "defaultValue": "Modify", @@ -59,6 +67,32 @@ "Modify", "Disabled" ] + }, + "cognitiveServicesManagedIdentity": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "cognitiveServicesCustomerStorage": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "cognitiveServicesResourceLogs": { + "type": "string", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ] } }, "policyDefinitions": [ @@ -111,6 +145,46 @@ } }, "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-Cognitive-Services-Managed-Identity", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fe3fd216-4f83-4fc1-8984-2bbec80a3418", + "parameters": { + "effect": { + "value": "[[parameters('cognitiveServicesManagedIdentity')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-Cognitive-Services-Customer-Storage", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/46aa9b05-0e60-4eae-a88b-1e9d374fa515", + "parameters": { + "effect": { + "value": "[[parameters('cognitiveServicesCustomerStorage')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Modify-Cognitive-Services-Local-Auth", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/14de9e63-1b31-492e-a5a3-c3f7fd57f555", + "parameters": { + "effect": { + "value": "[[parameters('cognitiveServicesLocalAuth')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Aine-Cognitive-Services-Resource-Logs", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4", + "parameters": { + "effect": { + "value": "[[parameters('cognitiveServicesResourceLogs')]" + } + }, + "groupNames": [] } ], "policyDefinitionGroups": null diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-CognitiveServices.parameters.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-CognitiveServices.parameters.json index df234f43e..773d67c0d 100644 --- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-CognitiveServices.parameters.json +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-CognitiveServices.parameters.json @@ -1,4 +1,25 @@ { + "Aine-Cognitive-Services-Resource-Logs": { + "parameters": { + "effect": { + "value": "[[parameters('cognitiveServicesResourceLogs')]" + } + } + }, + "Deny-Cognitive-Services-Customer-Storage": { + "parameters": { + "effect": { + "value": "[[parameters('cognitiveServicesCustomerStorage')]" + } + } + }, + "Deny-Cognitive-Services-Managed-Identity": { + "parameters": { + "effect": { + "value": "[[parameters('cognitiveServicesManagedIdentity')]" + } + } + }, "Deny-CognitiveSearch-SKU": { "parameters": { "effect": { @@ -13,6 +34,13 @@ } } }, + "Modify-Cognitive-Services-Local-Auth": { + "parameters": { + "effect": { + "value": "[[parameters('cognitiveServicesLocalAuth')]" + } + } + }, "Modify-Cognitive-Services-Public-Network-Access": { "parameters": { "effect": { diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-MachineLearning.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-MachineLearning.json index e723eeebe..b5afa0fd9 100644 --- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-MachineLearning.json +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-MachineLearning.json @@ -8,7 +8,7 @@ "displayName": "Enforce recommended guardrails for Machine Learning", "description": "This policy initiative is a group of policies that ensures Machine Learning is compliant per regulated Landing Zones.", "metadata": { - "version": "1.0.0", + "version": "1.1.0", "category": "Machine Learning", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -59,6 +59,80 @@ "Modify", "Disabled" ] + }, + "mlIdleShutdown": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "mlVirtualNetwork": { + "type": "string", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled" + ] + }, + "mlLegacyMode": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "mlPrivateLink": { + "type": "string", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled" + ] + }, + "mlResourceLogs": { + "type": "string", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ] + }, + "mlAllowedRegistryDeploy": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Deny", + "Disabled" + ] + }, + "mlAllowedModule": { + "type": "string", + "defaultValue": "enforceSetting", + "allowedValues": [ + "enforceSetting", + "disabled" + ] + }, + "mlAllowedPython": { + "type": "string", + "defaultValue": "enforceSetting", + "allowedValues": [ + "enforceSetting", + "disabled" + ] + }, + "mlAllowedRegistries": { + "type": "string", + "defaultValue": "enforceSetting", + "allowedValues": [ + "enforceSetting", + "disabled" + ] } }, "policyDefinitions": [ @@ -111,6 +185,96 @@ } }, "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-ML-Idle-Shutdown", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/679ddf89-ab8f-48a5-9029-e76054077449", + "parameters": { + "effect": { + "value": "[[parameters('mlIdleShutdown')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Audit-ML-Virtual-Network", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7804b5c7-01dc-4723-969b-ae300cc07ff1", + "parameters": { + "effect": { + "value": "[[parameters('mlVirtualNetwork')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-ML-Legacy-Mode", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e413671a-dd10-4cc1-a943-45b598596cb7", + "parameters": { + "effect": { + "value": "[[parameters('mlLegacyMode')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Audit-ML-Private-Link", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/45e05259-1eb5-4f70-9574-baf73e9d219b", + "parameters": { + "effect": { + "value": "[[parameters('mlPrivateLink')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Aine-ML-Resource-Logs", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/afe0c3be-ba3b-4544-ba52-0c99672a8ad6", + "parameters": { + "effect": { + "value": "[[parameters('mlResourceLogs')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-ML-Allowed-Registry-Deploy", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/19539b54-c61e-4196-9a38-67598701be90", + "parameters": { + "effect": { + "value": "[[parameters('mlAllowedRegistryDeploy')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-ML-Allowed-Module", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/53c70b02-63dd-11ea-bc55-0242ac130003", + "parameters": { + "effect": { + "value": "[[parameters('mlAllowedModule')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-ML-Allowed-Python", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/77eeea86-7e81-4a7d-9067-de844d096752", + "parameters": { + "effect": { + "value": "[[parameters('mlAllowedPython')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-ML-Allowed-Registries", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5853517a-63de-11ea-bc55-0242ac130003", + "parameters": { + "effect": { + "value": "[[parameters('mlAllowedRegistries')]" + } + }, + "groupNames": [] } ], "policyDefinitionGroups": null diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-MachineLearning.parameters.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-MachineLearning.parameters.json index fb3ec82cd..609cf7a81 100644 --- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-MachineLearning.parameters.json +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-MachineLearning.parameters.json @@ -1,4 +1,67 @@ { + "Aine-ML-Resource-Logs": { + "parameters": { + "effect": { + "value": "[[parameters('mlResourceLogs')]" + } + } + }, + "Audit-ML-Private-Link": { + "parameters": { + "effect": { + "value": "[[parameters('mlPrivateLink')]" + } + } + }, + "Audit-ML-Virtual-Network": { + "parameters": { + "effect": { + "value": "[[parameters('mlVirtualNetwork')]" + } + } + }, + "Deny-ML-Allowed-Module": { + "parameters": { + "effect": { + "value": "[[parameters('mlAllowedModule')]" + } + } + }, + "Deny-ML-Allowed-Python": { + "parameters": { + "effect": { + "value": "[[parameters('mlAllowedPython')]" + } + } + }, + "Deny-ML-Allowed-Registries": { + "parameters": { + "effect": { + "value": "[[parameters('mlAllowedRegistries')]" + } + } + }, + "Deny-ML-Allowed-Registry-Deploy": { + "parameters": { + "effect": { + "value": "[[parameters('mlAllowedRegistryDeploy')]" + } + } + }, + "Deny-ML-Idle-Shutdown": { + "parameters": { + "effect": { + "value": "[[parameters('mlIdleShutdown')]" + } + } + }, + "Deny-ML-Legacy-Mode": { + "parameters": { + "effect": { + "value": "[[parameters('mlLegacyMode')]" + } + } + }, "Deny-ML-Local-Auth": { "parameters": { "effect": { diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-OpenAI.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-OpenAI.json index 34e8b5ce8..d0d071930 100644 --- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-OpenAI.json +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-OpenAI.json @@ -8,7 +8,7 @@ "displayName": "Enforce recommended guardrails for Open AI (Cognitive Service)", "description": "This policy initiative is a group of policies that ensures Open AI (Cognitive Service) is compliant per regulated Landing Zones.", "metadata": { - "version": "1.0.0", + "version": "1.1.0", "category": "Cognitive Services", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -70,6 +70,47 @@ "Deny", "Disabled" ] + }, + "azureAiNetworkAccess": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "azureAiPrivateLink": { + "type": "string", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled" + ] + }, + "azureAiDisableLocalKey": { + "type": "string", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "azureAiDisableLocalKey2": { + "type": "string", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "azureAiDiagSettings": { + "type": "string", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ] } }, "policyDefinitions": [ @@ -132,6 +173,56 @@ } }, "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-AzureAI-Network-Access", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/037eea7a-bd0a-46c5-9a66-03aea78705d3", + "parameters": { + "effect": { + "value": "[[parameters('azureAiNetworkAccess')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Audit-AzureAI-Private-Link", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d6759c02-b87f-42b7-892e-71b3f471d782", + "parameters": { + "effect": { + "value": "[[parameters('azureAiPrivateLink')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Dine-AzureAI-Local-Key", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d45520cb-31ca-44ba-8da2-fcf914608544", + "parameters": { + "effect": { + "value": "[[parameters('azureAiDisableLocalKey')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Dine-AzureAI-Local-Key2", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/55eff01b-f2bd-4c32-9203-db285f709d30", + "parameters": { + "effect": { + "value": "[[parameters('azureAiDisableLocalKey2')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Aine-AzureAI-Diag-Settings", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1b4d1c4e-934c-4703-944c-27c82c06bebb", + "parameters": { + "effect": { + "value": "[[parameters('azureAiDiagSettings')]" + } + }, + "groupNames": [] } ], "policyDefinitionGroups": null diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-OpenAI.parameters.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-OpenAI.parameters.json index 3281f8172..944dce77e 100644 --- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-OpenAI.parameters.json +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-OpenAI.parameters.json @@ -1,4 +1,25 @@ { + "Aine-AzureAI-Diag-Settings": { + "parameters": { + "effect": { + "value": "[[parameters('azureAiDiagSettings')]" + } + } + }, + "Audit-AzureAI-Private-Link": { + "parameters": { + "effect": { + "value": "[[parameters('azureAiPrivateLink')]" + } + } + }, + "Deny-AzureAI-Network-Access": { + "parameters": { + "effect": { + "value": "[[parameters('azureAiNetworkAccess')]" + } + } + }, "Deny-Cognitive-Services-Cust-Storage": { "parameters": { "effect": { @@ -34,6 +55,20 @@ } } }, + "Dine-AzureAI-Local-Key": { + "parameters": { + "effect": { + "value": "[[parameters('azureAiDisableLocalKey')]" + } + } + }, + "Dine-AzureAI-Local-Key2": { + "parameters": { + "effect": { + "value": "[[parameters('azureAiDisableLocalKey2')]" + } + } + }, "Modify-Cognitive-Services-Local-Auth": { "parameters": { "effect": { From f04171f48eb9cdc9e77138596a8e5755f415c894 Mon Sep 17 00:00:00 2001 From: github-actions Date: Tue, 22 Oct 2024 08:01:30 +0000 Subject: [PATCH 06/11] feat: Update Policy Library (automated) --- .../policy_definition_es_Audit-PrivateLinkDnsZones.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Audit-PrivateLinkDnsZones.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Audit-PrivateLinkDnsZones.json index 5050e82df..e63ca602b 100644 --- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Audit-PrivateLinkDnsZones.json +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Audit-PrivateLinkDnsZones.json @@ -73,7 +73,7 @@ "privatelink.gremlin.cosmos.azure.com", "privatelink.guestconfiguration.azure.com", "privatelink.his.arc.azure.com", - "privatelink.dp.kubernetesconfiguration.azure.com", + "privatelink.kubernetesconfiguration.azure.com", "privatelink.managedhsm.azure.net", "privatelink.mariadb.database.azure.com", "privatelink.media.azure.net", From 583bdef96175ee78dea1e4400050b2307c45f0b9 Mon Sep 17 00:00:00 2001 From: Zach Trocinski Date: Tue, 22 Oct 2024 14:30:41 -0500 Subject: [PATCH 07/11] Updated json values for custompolicydefinitions --- .../definitions/customPolicyDefinitions.bicep | 1411 +++++++++-------- 1 file changed, 779 insertions(+), 632 deletions(-) diff --git a/infra-as-code/bicep/modules/policy/definitions/customPolicyDefinitions.bicep b/infra-as-code/bicep/modules/policy/definitions/customPolicyDefinitions.bicep index a05faadfd..e9de8469a 100644 --- a/infra-as-code/bicep/modules/policy/definitions/customPolicyDefinitions.bicep +++ b/infra-as-code/bicep/modules/policy/definitions/customPolicyDefinitions.bicep @@ -14,637 +14,637 @@ var varTargetManagementGroupResourceId = tenantResourceId('Microsoft.Management/ // This variable contains a number of objects that load in the custom Azure Policy Defintions that are provided as part of the ESLZ/ALZ reference implementation - this is automatically created in the file 'infra-as-code\bicep\modules\policy\lib\policy_definitions\_policyDefinitionsBicepInput.txt' via a GitHub action, that runs on a daily schedule, and is then manually copied into this variable. var varCustomPolicyDefinitionsArray = [ { - name: 'Append-AppService-httpsonly' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Append-AppService-httpsonly.json') - } - { - name: 'Append-AppService-latestTLS' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Append-AppService-latestTLS.json') - } - { - name: 'Append-KV-SoftDelete' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Append-KV-SoftDelete.json') - } - { - name: 'Append-Redis-disableNonSslPort' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Append-Redis-disableNonSslPort.json') - } - { - name: 'Append-Redis-sslEnforcement' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Append-Redis-sslEnforcement.json') - } - { - name: 'Audit-AzureHybridBenefit' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Audit-AzureHybridBenefit.json') - } - { - name: 'Audit-Disks-UnusedResourcesCostOptimization' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Audit-Disks-UnusedResourcesCostOptimization.json') - } - { - name: 'Audit-MachineLearning-PrivateEndpointId' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Audit-MachineLearning-PrivateEndpointId.json') - } - { - name: 'Audit-PrivateLinkDnsZones' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Audit-PrivateLinkDnsZones.json') - } - { - name: 'Audit-PublicIpAddresses-UnusedResourcesCostOptimization' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Audit-PublicIpAddresses-UnusedResourcesCostOptimization.json') - } - { - name: 'Audit-ServerFarms-UnusedResourcesCostOptimization' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Audit-ServerFarms-UnusedResourcesCostOptimization.json') - } - { - name: 'Deny-AA-child-resources' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-AA-child-resources.json') - } - { - name: 'Deny-APIM-TLS' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-APIM-TLS.json') - } - { - name: 'Deny-AppGw-Without-Tls' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-AppGw-Without-Tls.json') - } - { - name: 'Deny-AppGW-Without-WAF' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-AppGW-Without-WAF.json') - } - { - name: 'Deny-AppService-without-BYOC' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-AppService-without-BYOC.json') - } - { - name: 'Deny-AppServiceApiApp-http' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-AppServiceApiApp-http.json') - } - { - name: 'Deny-AppServiceFunctionApp-http' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-AppServiceFunctionApp-http.json') - } - { - name: 'Deny-AppServiceWebApp-http' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-AppServiceWebApp-http.json') - } - { - name: 'Deny-AzFw-Without-Policy' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-AzFw-Without-Policy.json') - } - { - name: 'Deny-CognitiveServices-NetworkAcls' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-CognitiveServices-NetworkAcls.json') - } - { - name: 'Deny-CognitiveServices-Resource-Kinds' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-CognitiveServices-Resource-Kinds.json') - } - { - name: 'Deny-CognitiveServices-RestrictOutboundNetworkAccess' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-CognitiveServices-RestrictOutboundNetworkAccess.json') - } - { - name: 'Deny-Databricks-NoPublicIp' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Databricks-NoPublicIp.json') - } - { - name: 'Deny-Databricks-Sku' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Databricks-Sku.json') - } - { - name: 'Deny-Databricks-VirtualNetwork' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Databricks-VirtualNetwork.json') - } - { - name: 'Deny-EH-minTLS' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-EH-minTLS.json') - } - { - name: 'Deny-EH-Premium-CMK' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-EH-Premium-CMK.json') - } - { - name: 'Deny-FileServices-InsecureAuth' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-FileServices-InsecureAuth.json') - } - { - name: 'Deny-FileServices-InsecureKerberos' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-FileServices-InsecureKerberos.json') - } - { - name: 'Deny-FileServices-InsecureSmbChannel' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-FileServices-InsecureSmbChannel.json') - } - { - name: 'Deny-FileServices-InsecureSmbVersions' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-FileServices-InsecureSmbVersions.json') - } - { - name: 'Deny-LogicApp-Public-Network' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-LogicApp-Public-Network.json') - } - { - name: 'Deny-LogicApps-Without-Https' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-LogicApps-Without-Https.json') - } - { - name: 'Deny-MachineLearning-Aks' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-MachineLearning-Aks.json') - } - { - name: 'Deny-MachineLearning-Compute-SubnetId' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-MachineLearning-Compute-SubnetId.json') - } - { - name: 'Deny-MachineLearning-Compute-VmSize' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-MachineLearning-Compute-VmSize.json') - } - { - name: 'Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess.json') - } - { - name: 'Deny-MachineLearning-ComputeCluster-Scale' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-MachineLearning-ComputeCluster-Scale.json') - } - { - name: 'Deny-MachineLearning-HbiWorkspace' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-MachineLearning-HbiWorkspace.json') - } - { - name: 'Deny-MachineLearning-PublicAccessWhenBehindVnet' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-MachineLearning-PublicAccessWhenBehindVnet.json') - } - { - name: 'Deny-MachineLearning-PublicNetworkAccess' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-MachineLearning-PublicNetworkAccess.json') - } - { - name: 'Deny-MgmtPorts-From-Internet' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-MgmtPorts-From-Internet.json') - } - { - name: 'Deny-MySql-http' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-MySql-http.json') - } - { - name: 'Deny-PostgreSql-http' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-PostgreSql-http.json') - } - { - name: 'Deny-Private-DNS-Zones' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Private-DNS-Zones.json') - } - { - name: 'Deny-PublicEndpoint-MariaDB' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-PublicEndpoint-MariaDB.json') - } - { - name: 'Deny-PublicIP' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-PublicIP.json') - } - { - name: 'Deny-RDP-From-Internet' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-RDP-From-Internet.json') - } - { - name: 'Deny-Redis-http' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Redis-http.json') - } - { - name: 'Deny-Service-Endpoints' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Service-Endpoints.json') - } - { - name: 'Deny-Sql-minTLS' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Sql-minTLS.json') - } - { - name: 'Deny-SqlMi-minTLS' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-SqlMi-minTLS.json') - } - { - name: 'Deny-Storage-ContainerDeleteRetentionPolicy' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Storage-ContainerDeleteRetentionPolicy.json') - } - { - name: 'Deny-Storage-CopyScope' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Storage-CopyScope.json') - } - { - name: 'Deny-Storage-CorsRules' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Storage-CorsRules.json') - } - { - name: 'Deny-Storage-LocalUser' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Storage-LocalUser.json') - } - { - name: 'Deny-Storage-minTLS' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Storage-minTLS.json') - } - { - name: 'Deny-Storage-NetworkAclsBypass' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Storage-NetworkAclsBypass.json') - } - { - name: 'Deny-Storage-NetworkAclsVirtualNetworkRules' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Storage-NetworkAclsVirtualNetworkRules.json') - } - { - name: 'Deny-Storage-ResourceAccessRulesResourceId' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Storage-ResourceAccessRulesResourceId.json') - } - { - name: 'Deny-Storage-ResourceAccessRulesTenantId' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Storage-ResourceAccessRulesTenantId.json') - } - { - name: 'Deny-Storage-ServicesEncryption' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Storage-ServicesEncryption.json') - } - { - name: 'Deny-Storage-SFTP' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Storage-SFTP.json') - } - { - name: 'Deny-StorageAccount-CustomDomain' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-StorageAccount-CustomDomain.json') - } - { - name: 'Deny-Subnet-Without-Nsg' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Subnet-Without-Nsg.json') - } - { - name: 'Deny-Subnet-Without-Penp' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Subnet-Without-Penp.json') - } - { - name: 'Deny-Subnet-Without-Udr' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Subnet-Without-Udr.json') - } - { - name: 'Deny-UDR-With-Specific-NextHop' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-UDR-With-Specific-NextHop.json') - } - { - name: 'Deny-VNET-Peer-Cross-Sub' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-VNET-Peer-Cross-Sub.json') - } - { - name: 'Deny-VNET-Peering-To-Non-Approved-VNETs' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-VNET-Peering-To-Non-Approved-VNETs.json') - } - { - name: 'Deny-VNet-Peering' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-VNet-Peering.json') - } - { - name: 'DenyAction-ActivityLogs' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_DenyAction-ActivityLogs.json') - } - { - name: 'DenyAction-DeleteResources' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_DenyAction-DeleteResources.json') - } - { - name: 'DenyAction-DiagnosticLogs' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_DenyAction-DiagnosticLogs.json') - } - { - name: 'Deploy-ASC-SecurityContacts' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-ASC-SecurityContacts.json') - } - { - name: 'Deploy-Budget' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Budget.json') - } - { - name: 'Deploy-Custom-Route-Table' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Custom-Route-Table.json') - } - { - name: 'Deploy-DDoSProtection' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-DDoSProtection.json') - } - { - name: 'Deploy-Diagnostics-AA' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-AA.json') - } - { - name: 'Deploy-Diagnostics-ACI' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-ACI.json') - } - { - name: 'Deploy-Diagnostics-ACR' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-ACR.json') - } - { - name: 'Deploy-Diagnostics-AnalysisService' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-AnalysisService.json') - } - { - name: 'Deploy-Diagnostics-ApiForFHIR' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-ApiForFHIR.json') - } - { - name: 'Deploy-Diagnostics-APIMgmt' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-APIMgmt.json') - } - { - name: 'Deploy-Diagnostics-ApplicationGateway' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-ApplicationGateway.json') - } - { - name: 'Deploy-Diagnostics-AVDScalingPlans' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-AVDScalingPlans.json') - } - { - name: 'Deploy-Diagnostics-Bastion' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-Bastion.json') - } - { - name: 'Deploy-Diagnostics-CDNEndpoints' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-CDNEndpoints.json') - } - { - name: 'Deploy-Diagnostics-CognitiveServices' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-CognitiveServices.json') - } - { - name: 'Deploy-Diagnostics-CosmosDB' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-CosmosDB.json') - } - { - name: 'Deploy-Diagnostics-Databricks' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-Databricks.json') - } - { - name: 'Deploy-Diagnostics-DataExplorerCluster' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-DataExplorerCluster.json') - } - { - name: 'Deploy-Diagnostics-DataFactory' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-DataFactory.json') - } - { - name: 'Deploy-Diagnostics-DLAnalytics' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-DLAnalytics.json') - } - { - name: 'Deploy-Diagnostics-EventGridSub' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-EventGridSub.json') - } - { - name: 'Deploy-Diagnostics-EventGridSystemTopic' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-EventGridSystemTopic.json') - } - { - name: 'Deploy-Diagnostics-EventGridTopic' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-EventGridTopic.json') - } - { - name: 'Deploy-Diagnostics-ExpressRoute' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-ExpressRoute.json') - } - { - name: 'Deploy-Diagnostics-Firewall' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-Firewall.json') - } - { - name: 'Deploy-Diagnostics-FrontDoor' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-FrontDoor.json') - } - { - name: 'Deploy-Diagnostics-Function' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-Function.json') - } - { - name: 'Deploy-Diagnostics-HDInsight' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-HDInsight.json') - } - { - name: 'Deploy-Diagnostics-iotHub' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-iotHub.json') - } - { - name: 'Deploy-Diagnostics-LoadBalancer' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-LoadBalancer.json') - } - { - name: 'Deploy-Diagnostics-LogAnalytics' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-LogAnalytics.json') - } - { - name: 'Deploy-Diagnostics-LogicAppsISE' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-LogicAppsISE.json') - } - { - name: 'Deploy-Diagnostics-MariaDB' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-MariaDB.json') - } - { - name: 'Deploy-Diagnostics-MediaService' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-MediaService.json') - } - { - name: 'Deploy-Diagnostics-MlWorkspace' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-MlWorkspace.json') - } - { - name: 'Deploy-Diagnostics-MySQL' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-MySQL.json') - } - { - name: 'Deploy-Diagnostics-NetworkSecurityGroups' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-NetworkSecurityGroups.json') - } - { - name: 'Deploy-Diagnostics-NIC' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-NIC.json') - } - { - name: 'Deploy-Diagnostics-PostgreSQL' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-PostgreSQL.json') - } - { - name: 'Deploy-Diagnostics-PowerBIEmbedded' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-PowerBIEmbedded.json') - } - { - name: 'Deploy-Diagnostics-RedisCache' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-RedisCache.json') - } - { - name: 'Deploy-Diagnostics-Relay' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-Relay.json') - } - { - name: 'Deploy-Diagnostics-SignalR' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-SignalR.json') - } - { - name: 'Deploy-Diagnostics-SQLElasticPools' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-SQLElasticPools.json') - } - { - name: 'Deploy-Diagnostics-SQLMI' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-SQLMI.json') - } - { - name: 'Deploy-Diagnostics-TimeSeriesInsights' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-TimeSeriesInsights.json') - } - { - name: 'Deploy-Diagnostics-TrafficManager' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-TrafficManager.json') - } - { - name: 'Deploy-Diagnostics-VirtualNetwork' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-VirtualNetwork.json') - } - { - name: 'Deploy-Diagnostics-VM' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-VM.json') - } - { - name: 'Deploy-Diagnostics-VMSS' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-VMSS.json') - } - { - name: 'Deploy-Diagnostics-VNetGW' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-VNetGW.json') - } - { - name: 'Deploy-Diagnostics-VWanS2SVPNGW' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-VWanS2SVPNGW.json') - } - { - name: 'Deploy-Diagnostics-WebServerFarm' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-WebServerFarm.json') - } - { - name: 'Deploy-Diagnostics-Website' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-Website.json') - } - { - name: 'Deploy-Diagnostics-WVDAppGroup' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-WVDAppGroup.json') - } - { - name: 'Deploy-Diagnostics-WVDHostPools' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-WVDHostPools.json') - } - { - name: 'Deploy-Diagnostics-WVDWorkspace' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-WVDWorkspace.json') - } - { - name: 'Deploy-FirewallPolicy' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-FirewallPolicy.json') - } - { - name: 'Deploy-LogicApp-TLS' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-LogicApp-TLS.json') - } - { - name: 'Deploy-MDFC-Arc-SQL-DCR-Association' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-MDFC-Arc-SQL-DCR-Association.json') - } - { - name: 'Deploy-MDFC-Arc-Sql-DefenderSQL-DCR' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-MDFC-Arc-Sql-DefenderSQL-DCR.json') - } - { - name: 'Deploy-MDFC-SQL-AMA' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-MDFC-SQL-AMA.json') - } - { - name: 'Deploy-MDFC-SQL-DefenderSQL-DCR' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-MDFC-SQL-DefenderSQL-DCR.json') - } - { - name: 'Deploy-MDFC-SQL-DefenderSQL' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-MDFC-SQL-DefenderSQL.json') - } - { - name: 'Deploy-MySQL-sslEnforcement' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-MySQL-sslEnforcement.json') - } - { - name: 'Deploy-Nsg-FlowLogs-to-LA' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Nsg-FlowLogs-to-LA.json') - } - { - name: 'Deploy-Nsg-FlowLogs' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Nsg-FlowLogs.json') - } - { - name: 'Deploy-PostgreSQL-sslEnforcement' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-PostgreSQL-sslEnforcement.json') - } - { - name: 'Deploy-Private-DNS-Generic' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Private-DNS-Generic.json') - } - { - name: 'Deploy-Sql-AuditingSettings' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Sql-AuditingSettings.json') - } - { - name: 'Deploy-SQL-minTLS' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-SQL-minTLS.json') - } - { - name: 'Deploy-Sql-SecurityAlertPolicies' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Sql-SecurityAlertPolicies.json') - } - { - name: 'Deploy-Sql-Tde' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Sql-Tde.json') - } - { - name: 'Deploy-Sql-vulnerabilityAssessments_20230706' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Sql-vulnerabilityAssessments_20230706.json') - } - { - name: 'Deploy-Sql-vulnerabilityAssessments' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Sql-vulnerabilityAssessments.json') - } - { - name: 'Deploy-SqlMi-minTLS' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-SqlMi-minTLS.json') - } - { - name: 'Deploy-Storage-sslEnforcement' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Storage-sslEnforcement.json') - } - { - name: 'Deploy-UserAssignedManagedIdentity-VMInsights' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-UserAssignedManagedIdentity-VMInsights.json') - } - { - name: 'Deploy-Vm-autoShutdown' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Vm-autoShutdown.json') - } - { - name: 'Deploy-VNET-HubSpoke' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-VNET-HubSpoke.json') - } - { - name: 'Deploy-Windows-DomainJoin' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Windows-DomainJoin.json') - } - { - name: 'Modify-NSG' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Modify-NSG.json') - } - { - name: 'Modify-UDR' - libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Modify-UDR.json') - } + name: 'Append-AppService-httpsonly' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Append-AppService-httpsonly.json') + } + { + name: 'Append-AppService-latestTLS' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Append-AppService-latestTLS.json') + } + { + name: 'Append-KV-SoftDelete' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Append-KV-SoftDelete.json') + } + { + name: 'Append-Redis-disableNonSslPort' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Append-Redis-disableNonSslPort.json') + } + { + name: 'Append-Redis-sslEnforcement' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Append-Redis-sslEnforcement.json') + } + { + name: 'Audit-AzureHybridBenefit' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Audit-AzureHybridBenefit.json') + } + { + name: 'Audit-Disks-UnusedResourcesCostOptimization' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Audit-Disks-UnusedResourcesCostOptimization.json') + } + { + name: 'Audit-MachineLearning-PrivateEndpointId' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Audit-MachineLearning-PrivateEndpointId.json') + } + { + name: 'Audit-PrivateLinkDnsZones' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Audit-PrivateLinkDnsZones.json') + } + { + name: 'Audit-PublicIpAddresses-UnusedResourcesCostOptimization' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Audit-PublicIpAddresses-UnusedResourcesCostOptimization.json') + } + { + name: 'Audit-ServerFarms-UnusedResourcesCostOptimization' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Audit-ServerFarms-UnusedResourcesCostOptimization.json') + } + { + name: 'Deny-AA-child-resources' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-AA-child-resources.json') + } + { + name: 'Deny-APIM-TLS' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-APIM-TLS.json') + } + { + name: 'Deny-AppGw-Without-Tls' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-AppGw-Without-Tls.json') + } + { + name: 'Deny-AppGW-Without-WAF' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-AppGW-Without-WAF.json') + } + { + name: 'Deny-AppService-without-BYOC' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-AppService-without-BYOC.json') + } + { + name: 'Deny-AppServiceApiApp-http' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-AppServiceApiApp-http.json') + } + { + name: 'Deny-AppServiceFunctionApp-http' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-AppServiceFunctionApp-http.json') + } + { + name: 'Deny-AppServiceWebApp-http' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-AppServiceWebApp-http.json') + } + { + name: 'Deny-AzFw-Without-Policy' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-AzFw-Without-Policy.json') + } + { + name: 'Deny-CognitiveServices-NetworkAcls' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-CognitiveServices-NetworkAcls.json') + } + { + name: 'Deny-CognitiveServices-Resource-Kinds' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-CognitiveServices-Resource-Kinds.json') + } + { + name: 'Deny-CognitiveServices-RestrictOutboundNetworkAccess' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-CognitiveServices-RestrictOutboundNetworkAccess.json') + } + { + name: 'Deny-Databricks-NoPublicIp' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Databricks-NoPublicIp.json') + } + { + name: 'Deny-Databricks-Sku' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Databricks-Sku.json') + } + { + name: 'Deny-Databricks-VirtualNetwork' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Databricks-VirtualNetwork.json') + } + { + name: 'Deny-EH-minTLS' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-EH-minTLS.json') + } + { + name: 'Deny-EH-Premium-CMK' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-EH-Premium-CMK.json') + } + { + name: 'Deny-FileServices-InsecureAuth' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-FileServices-InsecureAuth.json') + } + { + name: 'Deny-FileServices-InsecureKerberos' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-FileServices-InsecureKerberos.json') + } + { + name: 'Deny-FileServices-InsecureSmbChannel' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-FileServices-InsecureSmbChannel.json') + } + { + name: 'Deny-FileServices-InsecureSmbVersions' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-FileServices-InsecureSmbVersions.json') + } + { + name: 'Deny-LogicApp-Public-Network' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-LogicApp-Public-Network.json') + } + { + name: 'Deny-LogicApps-Without-Https' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-LogicApps-Without-Https.json') + } + { + name: 'Deny-MachineLearning-Aks' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-MachineLearning-Aks.json') + } + { + name: 'Deny-MachineLearning-Compute-SubnetId' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-MachineLearning-Compute-SubnetId.json') + } + { + name: 'Deny-MachineLearning-Compute-VmSize' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-MachineLearning-Compute-VmSize.json') + } + { + name: 'Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess.json') + } + { + name: 'Deny-MachineLearning-ComputeCluster-Scale' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-MachineLearning-ComputeCluster-Scale.json') + } + { + name: 'Deny-MachineLearning-HbiWorkspace' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-MachineLearning-HbiWorkspace.json') + } + { + name: 'Deny-MachineLearning-PublicAccessWhenBehindVnet' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-MachineLearning-PublicAccessWhenBehindVnet.json') + } + { + name: 'Deny-MachineLearning-PublicNetworkAccess' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-MachineLearning-PublicNetworkAccess.json') + } + { + name: 'Deny-MgmtPorts-From-Internet' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-MgmtPorts-From-Internet.json') + } + { + name: 'Deny-MySql-http' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-MySql-http.json') + } + { + name: 'Deny-PostgreSql-http' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-PostgreSql-http.json') + } + { + name: 'Deny-Private-DNS-Zones' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Private-DNS-Zones.json') + } + { + name: 'Deny-PublicEndpoint-MariaDB' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-PublicEndpoint-MariaDB.json') + } + { + name: 'Deny-PublicIP' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-PublicIP.json') + } + { + name: 'Deny-RDP-From-Internet' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-RDP-From-Internet.json') + } + { + name: 'Deny-Redis-http' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Redis-http.json') + } + { + name: 'Deny-Service-Endpoints' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Service-Endpoints.json') + } + { + name: 'Deny-Sql-minTLS' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Sql-minTLS.json') + } + { + name: 'Deny-SqlMi-minTLS' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-SqlMi-minTLS.json') + } + { + name: 'Deny-Storage-ContainerDeleteRetentionPolicy' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Storage-ContainerDeleteRetentionPolicy.json') + } + { + name: 'Deny-Storage-CopyScope' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Storage-CopyScope.json') + } + { + name: 'Deny-Storage-CorsRules' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Storage-CorsRules.json') + } + { + name: 'Deny-Storage-LocalUser' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Storage-LocalUser.json') + } + { + name: 'Deny-Storage-minTLS' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Storage-minTLS.json') + } + { + name: 'Deny-Storage-NetworkAclsBypass' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Storage-NetworkAclsBypass.json') + } + { + name: 'Deny-Storage-NetworkAclsVirtualNetworkRules' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Storage-NetworkAclsVirtualNetworkRules.json') + } + { + name: 'Deny-Storage-ResourceAccessRulesResourceId' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Storage-ResourceAccessRulesResourceId.json') + } + { + name: 'Deny-Storage-ResourceAccessRulesTenantId' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Storage-ResourceAccessRulesTenantId.json') + } + { + name: 'Deny-Storage-ServicesEncryption' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Storage-ServicesEncryption.json') + } + { + name: 'Deny-Storage-SFTP' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Storage-SFTP.json') + } + { + name: 'Deny-StorageAccount-CustomDomain' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-StorageAccount-CustomDomain.json') + } + { + name: 'Deny-Subnet-Without-Nsg' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Subnet-Without-Nsg.json') + } + { + name: 'Deny-Subnet-Without-Penp' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Subnet-Without-Penp.json') + } + { + name: 'Deny-Subnet-Without-Udr' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Subnet-Without-Udr.json') + } + { + name: 'Deny-UDR-With-Specific-NextHop' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-UDR-With-Specific-NextHop.json') + } + { + name: 'Deny-VNET-Peer-Cross-Sub' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-VNET-Peer-Cross-Sub.json') + } + { + name: 'Deny-VNET-Peering-To-Non-Approved-VNETs' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-VNET-Peering-To-Non-Approved-VNETs.json') + } + { + name: 'Deny-VNet-Peering' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-VNet-Peering.json') + } + { + name: 'DenyAction-ActivityLogs' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_DenyAction-ActivityLogs.json') + } + { + name: 'DenyAction-DeleteResources' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_DenyAction-DeleteResources.json') + } + { + name: 'DenyAction-DiagnosticLogs' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_DenyAction-DiagnosticLogs.json') + } + { + name: 'Deploy-ASC-SecurityContacts' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-ASC-SecurityContacts.json') + } + { + name: 'Deploy-Budget' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Budget.json') + } + { + name: 'Deploy-Custom-Route-Table' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Custom-Route-Table.json') + } + { + name: 'Deploy-DDoSProtection' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-DDoSProtection.json') + } + { + name: 'Deploy-Diagnostics-AA' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-AA.json') + } + { + name: 'Deploy-Diagnostics-ACI' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-ACI.json') + } + { + name: 'Deploy-Diagnostics-ACR' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-ACR.json') + } + { + name: 'Deploy-Diagnostics-AnalysisService' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-AnalysisService.json') + } + { + name: 'Deploy-Diagnostics-ApiForFHIR' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-ApiForFHIR.json') + } + { + name: 'Deploy-Diagnostics-APIMgmt' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-APIMgmt.json') + } + { + name: 'Deploy-Diagnostics-ApplicationGateway' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-ApplicationGateway.json') + } + { + name: 'Deploy-Diagnostics-AVDScalingPlans' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-AVDScalingPlans.json') + } + { + name: 'Deploy-Diagnostics-Bastion' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-Bastion.json') + } + { + name: 'Deploy-Diagnostics-CDNEndpoints' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-CDNEndpoints.json') + } + { + name: 'Deploy-Diagnostics-CognitiveServices' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-CognitiveServices.json') + } + { + name: 'Deploy-Diagnostics-CosmosDB' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-CosmosDB.json') + } + { + name: 'Deploy-Diagnostics-Databricks' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-Databricks.json') + } + { + name: 'Deploy-Diagnostics-DataExplorerCluster' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-DataExplorerCluster.json') + } + { + name: 'Deploy-Diagnostics-DataFactory' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-DataFactory.json') + } + { + name: 'Deploy-Diagnostics-DLAnalytics' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-DLAnalytics.json') + } + { + name: 'Deploy-Diagnostics-EventGridSub' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-EventGridSub.json') + } + { + name: 'Deploy-Diagnostics-EventGridSystemTopic' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-EventGridSystemTopic.json') + } + { + name: 'Deploy-Diagnostics-EventGridTopic' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-EventGridTopic.json') + } + { + name: 'Deploy-Diagnostics-ExpressRoute' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-ExpressRoute.json') + } + { + name: 'Deploy-Diagnostics-Firewall' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-Firewall.json') + } + { + name: 'Deploy-Diagnostics-FrontDoor' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-FrontDoor.json') + } + { + name: 'Deploy-Diagnostics-Function' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-Function.json') + } + { + name: 'Deploy-Diagnostics-HDInsight' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-HDInsight.json') + } + { + name: 'Deploy-Diagnostics-iotHub' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-iotHub.json') + } + { + name: 'Deploy-Diagnostics-LoadBalancer' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-LoadBalancer.json') + } + { + name: 'Deploy-Diagnostics-LogAnalytics' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-LogAnalytics.json') + } + { + name: 'Deploy-Diagnostics-LogicAppsISE' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-LogicAppsISE.json') + } + { + name: 'Deploy-Diagnostics-MariaDB' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-MariaDB.json') + } + { + name: 'Deploy-Diagnostics-MediaService' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-MediaService.json') + } + { + name: 'Deploy-Diagnostics-MlWorkspace' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-MlWorkspace.json') + } + { + name: 'Deploy-Diagnostics-MySQL' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-MySQL.json') + } + { + name: 'Deploy-Diagnostics-NetworkSecurityGroups' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-NetworkSecurityGroups.json') + } + { + name: 'Deploy-Diagnostics-NIC' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-NIC.json') + } + { + name: 'Deploy-Diagnostics-PostgreSQL' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-PostgreSQL.json') + } + { + name: 'Deploy-Diagnostics-PowerBIEmbedded' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-PowerBIEmbedded.json') + } + { + name: 'Deploy-Diagnostics-RedisCache' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-RedisCache.json') + } + { + name: 'Deploy-Diagnostics-Relay' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-Relay.json') + } + { + name: 'Deploy-Diagnostics-SignalR' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-SignalR.json') + } + { + name: 'Deploy-Diagnostics-SQLElasticPools' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-SQLElasticPools.json') + } + { + name: 'Deploy-Diagnostics-SQLMI' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-SQLMI.json') + } + { + name: 'Deploy-Diagnostics-TimeSeriesInsights' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-TimeSeriesInsights.json') + } + { + name: 'Deploy-Diagnostics-TrafficManager' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-TrafficManager.json') + } + { + name: 'Deploy-Diagnostics-VirtualNetwork' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-VirtualNetwork.json') + } + { + name: 'Deploy-Diagnostics-VM' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-VM.json') + } + { + name: 'Deploy-Diagnostics-VMSS' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-VMSS.json') + } + { + name: 'Deploy-Diagnostics-VNetGW' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-VNetGW.json') + } + { + name: 'Deploy-Diagnostics-VWanS2SVPNGW' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-VWanS2SVPNGW.json') + } + { + name: 'Deploy-Diagnostics-WebServerFarm' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-WebServerFarm.json') + } + { + name: 'Deploy-Diagnostics-Website' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-Website.json') + } + { + name: 'Deploy-Diagnostics-WVDAppGroup' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-WVDAppGroup.json') + } + { + name: 'Deploy-Diagnostics-WVDHostPools' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-WVDHostPools.json') + } + { + name: 'Deploy-Diagnostics-WVDWorkspace' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-WVDWorkspace.json') + } + { + name: 'Deploy-FirewallPolicy' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-FirewallPolicy.json') + } + { + name: 'Deploy-LogicApp-TLS' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-LogicApp-TLS.json') + } + { + name: 'Deploy-MDFC-Arc-SQL-DCR-Association' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-MDFC-Arc-SQL-DCR-Association.json') + } + { + name: 'Deploy-MDFC-Arc-Sql-DefenderSQL-DCR' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-MDFC-Arc-Sql-DefenderSQL-DCR.json') + } + { + name: 'Deploy-MDFC-SQL-AMA' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-MDFC-SQL-AMA.json') + } + { + name: 'Deploy-MDFC-SQL-DefenderSQL-DCR' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-MDFC-SQL-DefenderSQL-DCR.json') + } + { + name: 'Deploy-MDFC-SQL-DefenderSQL' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-MDFC-SQL-DefenderSQL.json') + } + { + name: 'Deploy-MySQL-sslEnforcement' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-MySQL-sslEnforcement.json') + } + { + name: 'Deploy-Nsg-FlowLogs-to-LA' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Nsg-FlowLogs-to-LA.json') + } + { + name: 'Deploy-Nsg-FlowLogs' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Nsg-FlowLogs.json') + } + { + name: 'Deploy-PostgreSQL-sslEnforcement' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-PostgreSQL-sslEnforcement.json') + } + { + name: 'Deploy-Private-DNS-Generic' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Private-DNS-Generic.json') + } + { + name: 'Deploy-Sql-AuditingSettings' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Sql-AuditingSettings.json') + } + { + name: 'Deploy-SQL-minTLS' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-SQL-minTLS.json') + } + { + name: 'Deploy-Sql-SecurityAlertPolicies' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Sql-SecurityAlertPolicies.json') + } + { + name: 'Deploy-Sql-Tde' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Sql-Tde.json') + } + { + name: 'Deploy-Sql-vulnerabilityAssessments_20230706' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Sql-vulnerabilityAssessments_20230706.json') + } + { + name: 'Deploy-Sql-vulnerabilityAssessments' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Sql-vulnerabilityAssessments.json') + } + { + name: 'Deploy-SqlMi-minTLS' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-SqlMi-minTLS.json') + } + { + name: 'Deploy-Storage-sslEnforcement' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Storage-sslEnforcement.json') + } + { + name: 'Deploy-UserAssignedManagedIdentity-VMInsights' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-UserAssignedManagedIdentity-VMInsights.json') + } + { + name: 'Deploy-Vm-autoShutdown' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Vm-autoShutdown.json') + } + { + name: 'Deploy-VNET-HubSpoke' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-VNET-HubSpoke.json') + } + { + name: 'Deploy-Windows-DomainJoin' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Windows-DomainJoin.json') + } + { + name: 'Modify-NSG' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Modify-NSG.json') + } + { + name: 'Modify-UDR' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Modify-UDR.json') + } ] // This variable contains a number of objects that load in the custom Azure Policy Set/Initiative Defintions that are provided as part of the ESLZ/ALZ reference implementation - this is automatically created in the file 'infra-as-code\bicep\modules\policy\lib\policy_set_definitions\_policySetDefinitionsBicepInput.txt' via a GitHub action, that runs on a daily schedule, and is then manually copied into this variable. @@ -1489,7 +1489,7 @@ var varCustomPolicySetDefinitionsArray = [ } { definitionReferenceId: 'defenderForCspm' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/689f7782-ef2c-4270-a6d0-7664869076bd' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/72f8cee7-2937-403d-84a1-a4e3e57f3c21' definitionParameters: varPolicySetDefinitionEsDeployMDFCConfig_20240319Parameters.defenderForCspm.parameters definitionGroups: [] } @@ -2321,6 +2321,12 @@ var varCustomPolicySetDefinitionsArray = [ definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters['Deny-Backup-Cmk'].parameters definitionGroups: [] } + { + definitionReferenceId: 'Deny-BotService-Cmk' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/51522a96-0869-4791-82f3-981000c2c67f' + definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters['Deny-BotService-Cmk'].parameters + definitionGroups: [] + } { definitionReferenceId: 'Deny-CognitiveSearch-Cmk' definitionId: '/providers/Microsoft.Authorization/policyDefinitions/76a56461-9dc0-40f0-82f5-2453283afa2f' @@ -3043,10 +3049,58 @@ var varCustomPolicySetDefinitionsArray = [ } ] } + { + name: 'Enforce-Guardrails-BotService' + libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-BotService.json') + libSetChildDefinitions: [ + { + definitionReferenceId: 'Audit-BotService-Private-Link' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ad5621d6-a877-4407-aa93-a950b428315e' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsBotServiceParameters['Audit-BotService-Private-Link'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-BotService-Isolated-Mode' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/52152f42-0dda-40d9-976e-abb1acdd611e' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsBotServiceParameters['Deny-BotService-Isolated-Mode'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-BotService-Local-Auth' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ffea632e-4e3a-4424-bf78-10e179bb2e1a' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsBotServiceParameters['Deny-BotService-Local-Auth'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-BotService-Valid-Uri' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/6164527b-e1ee-4882-8673-572f425f5e0a' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsBotServiceParameters['Deny-BotService-Valid-Uri'].parameters + definitionGroups: [] + } + ] + } { name: 'Enforce-Guardrails-CognitiveServices' libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-CognitiveServices.json') libSetChildDefinitions: [ + { + definitionReferenceId: 'Aine-Cognitive-Services-Resource-Logs' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsCognitiveServicesParameters['Aine-Cognitive-Services-Resource-Logs'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-Cognitive-Services-Customer-Storage' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/46aa9b05-0e60-4eae-a88b-1e9d374fa515' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsCognitiveServicesParameters['Deny-Cognitive-Services-Customer-Storage'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-Cognitive-Services-Managed-Identity' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/fe3fd216-4f83-4fc1-8984-2bbec80a3418' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsCognitiveServicesParameters['Deny-Cognitive-Services-Managed-Identity'].parameters + definitionGroups: [] + } { definitionReferenceId: 'Deny-CognitiveSearch-SKU' definitionId: '/providers/Microsoft.Authorization/policyDefinitions/a049bf77-880b-470f-ba6d-9f21c530cf83' @@ -3059,6 +3113,12 @@ var varCustomPolicySetDefinitionsArray = [ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsCognitiveServicesParameters['Deny-CongitiveSearch-LocalAuth'].parameters definitionGroups: [] } + { + definitionReferenceId: 'Modify-Cognitive-Services-Local-Auth' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/14de9e63-1b31-492e-a5a3-c3f7fd57f555' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsCognitiveServicesParameters['Modify-Cognitive-Services-Local-Auth'].parameters + definitionGroups: [] + } { definitionReferenceId: 'Modify-Cognitive-Services-Public-Network-Access' definitionId: '/providers/Microsoft.Authorization/policyDefinitions/47ba1dd7-28d9-4b07-a8d5-9813bed64e0c' @@ -3701,6 +3761,60 @@ var varCustomPolicySetDefinitionsArray = [ name: 'Enforce-Guardrails-MachineLearning' libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-MachineLearning.json') libSetChildDefinitions: [ + { + definitionReferenceId: 'Aine-ML-Resource-Logs' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/afe0c3be-ba3b-4544-ba52-0c99672a8ad6' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsMachineLearningParameters['Aine-ML-Resource-Logs'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Audit-ML-Private-Link' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/45e05259-1eb5-4f70-9574-baf73e9d219b' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsMachineLearningParameters['Audit-ML-Private-Link'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Audit-ML-Virtual-Network' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/7804b5c7-01dc-4723-969b-ae300cc07ff1' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsMachineLearningParameters['Audit-ML-Virtual-Network'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-ML-Allowed-Module' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/53c70b02-63dd-11ea-bc55-0242ac130003' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsMachineLearningParameters['Deny-ML-Allowed-Module'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-ML-Allowed-Python' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/77eeea86-7e81-4a7d-9067-de844d096752' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsMachineLearningParameters['Deny-ML-Allowed-Python'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-ML-Allowed-Registries' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/5853517a-63de-11ea-bc55-0242ac130003' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsMachineLearningParameters['Deny-ML-Allowed-Registries'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-ML-Allowed-Registry-Deploy' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/19539b54-c61e-4196-9a38-67598701be90' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsMachineLearningParameters['Deny-ML-Allowed-Registry-Deploy'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-ML-Idle-Shutdown' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/679ddf89-ab8f-48a5-9029-e76054077449' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsMachineLearningParameters['Deny-ML-Idle-Shutdown'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-ML-Legacy-Mode' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/e413671a-dd10-4cc1-a943-45b598596cb7' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsMachineLearningParameters['Deny-ML-Legacy-Mode'].parameters + definitionGroups: [] + } { definitionReferenceId: 'Deny-ML-Local-Auth' definitionId: '/providers/Microsoft.Authorization/policyDefinitions/e96a9a5f-07ca-471b-9bc5-6a0f33cbd68f' @@ -3893,6 +4007,24 @@ var varCustomPolicySetDefinitionsArray = [ name: 'Enforce-Guardrails-OpenAI' libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-OpenAI.json') libSetChildDefinitions: [ + { + definitionReferenceId: 'Aine-AzureAI-Diag-Settings' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1b4d1c4e-934c-4703-944c-27c82c06bebb' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsOpenAIParameters['Aine-AzureAI-Diag-Settings'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Audit-AzureAI-Private-Link' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/d6759c02-b87f-42b7-892e-71b3f471d782' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsOpenAIParameters['Audit-AzureAI-Private-Link'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Deny-AzureAI-Network-Access' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/037eea7a-bd0a-46c5-9a66-03aea78705d3' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsOpenAIParameters['Deny-AzureAI-Network-Access'].parameters + definitionGroups: [] + } { definitionReferenceId: 'Deny-Cognitive-Services-Cust-Storage' definitionId: '/providers/Microsoft.Authorization/policyDefinitions/46aa9b05-0e60-4eae-a88b-1e9d374fa515' @@ -3923,6 +4055,18 @@ var varCustomPolicySetDefinitionsArray = [ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsOpenAIParameters['Deny-OpenAi-OutboundNetworkAccess'].parameters definitionGroups: [] } + { + definitionReferenceId: 'Dine-AzureAI-Local-Key' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/d45520cb-31ca-44ba-8da2-fcf914608544' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsOpenAIParameters['Dine-AzureAI-Local-Key'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'Dine-AzureAI-Local-Key2' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/55eff01b-f2bd-4c32-9203-db285f709d30' + definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsOpenAIParameters['Dine-AzureAI-Local-Key2'].parameters + definitionGroups: [] + } { definitionReferenceId: 'Modify-Cognitive-Services-Local-Auth' definitionId: '/providers/Microsoft.Authorization/policyDefinitions/14de9e63-1b31-492e-a5a3-c3f7fd57f555' @@ -4274,6 +4418,8 @@ var varPolicySetDefinitionEsEnforceGuardrailsAppServicesParameters = loadJsonCon var varPolicySetDefinitionEsEnforceGuardrailsAutomationParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Automation.parameters.json') +var varPolicySetDefinitionEsEnforceGuardrailsBotServiceParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-BotService.parameters.json') + var varPolicySetDefinitionEsEnforceGuardrailsCognitiveServicesParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-CognitiveServices.parameters.json') var varPolicySetDefinitionEsEnforceGuardrailsComputeParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Compute.parameters.json') @@ -4320,6 +4466,7 @@ var varPolicySetDefinitionEsEnforceGuardrailsSynapseParameters = loadJsonContent var varPolicySetDefinitionEsEnforceGuardrailsVirtualDesktopParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-VirtualDesktop.parameters.json') + // Customer Usage Attribution Id var varCuaid = '2b136786-9881-412e-84ba-f4c2822e1ac9' From 5b8c82c3fb75f0e22aa8fa46b4228cb28a93c1dc Mon Sep 17 00:00:00 2001 From: Zach Trocinski Date: Wed, 23 Oct 2024 00:04:03 -0500 Subject: [PATCH 08/11] Remove duplicate AKS Assignment and create subnet private assignment --- .../alzDefaultPolicyAssignments.bicep | 132 ++++++++++-------- .../mc-alzDefaultPolicyAssignments.bicep | 25 ---- .../_mc_policyAssignmentsBicepInput.txt | 5 - ..._assignment_es_deploy_aks_policy.tmpl.json | 22 --- .../_policyAssignmentsBicepInput.txt | 5 - ..._assignment_es_deploy_aks_policy.tmpl.json | 22 --- ...gnment_es_enforce_subnet_private.tmpl.json | 18 +++ 7 files changed, 90 insertions(+), 139 deletions(-) delete mode 100644 infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_aks_policy.tmpl.json delete mode 100644 infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_aks_policy.tmpl.json create mode 100644 infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_subnet_private.tmpl.json diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep index f4a8085ec..20dc8737f 100644 --- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep +++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep @@ -164,6 +164,7 @@ var varModuleDeploymentNames = { modPolicyAssignmentPlatformDeployVmssMonitor: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployVmssMonitor-platform-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) modPolicyAssignmentPlatformDeployMdfcDefSqlAma: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyDeleteUamiAma-platform-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) modPolicyAssignmentPlatformDenyDeleteUAMIAMA: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deny-platform-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) + modPolicyAssignmentPlatformEnforceSubnetPrivate: take('${varDeploymentNameWrappers.basePrefix}-polAssi-enforceSubnetPrivate-platform-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) modPolicyAssignmentPlatformEnforceGrKeyVault: take('${varDeploymentNameWrappers.basePrefix}-polAssi-enforceGrKeyVault-platform-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) modPolicyAssignmentPlatformEnforceAsr: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployEnforceBackup-platform-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) modPolicyAssignmentPlatformEnforceAumCheckUpdates: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployEnforceAumCheckUpdates-platform-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) @@ -179,7 +180,6 @@ var varModuleDeploymentNames = { modPolicyAssignmentLzsDeployVmBackup: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployVMBackup-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) modPolicyAssignmentLzsEnableDdosVnet: take('${varDeploymentNameWrappers.basePrefix}-polAssi-enableDDoSVNET-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) modPolicyAssignmentLzsDenyStorageHttp: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyStorageHttp-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) - modPolicyAssignmentLzsDeployAksPolicy: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployAKSPolicy-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) modPolicyAssignmentLzsDenyPrivEscalationAks: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyPrivEscAKS-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) modPolicyAssignmentLzsDenyPrivContainersAks: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyPrivConAKS-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) modPolicyAssignmentLzsEnforceAksHttps: take('${varDeploymentNameWrappers.basePrefix}-polAssi-enforceAKSHTTPS-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) @@ -195,6 +195,7 @@ var varModuleDeploymentNames = { modPolicyAssignmentLzsDeployVmMonitor: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployVmMonitor-Lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) modPolicyAssignmentLzsDeployVmssMonitor: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployVmssMonitor-Lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) modPolicyAssignmentLzsDeployMdfcDefSqlAma: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployMdfcDefSqlAma-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) + modPolicyAssignmentLzsEnforceSubnetPrivate: take('${varDeploymentNameWrappers.basePrefix}-polAssi-enforceSubnetPrivate-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) modPolicyAssignmentLzsEnforceGrKeyVault: take('${varDeploymentNameWrappers.basePrefix}-polAssi-enforceGrKeyVault-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) modPolicyAssignmentLzsEnforceAsr: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployEnforceBackup-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) modPolicyAssignmentLzsAumCheckUpdates: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployEnforceAumCheckUpdates-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) @@ -327,11 +328,6 @@ var varPolicyAssignmentDenyUnmanagedDisk = { libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_unmanageddisk.tmpl.json') } -var varPolicyAssignmentDeployAKSPolicy = { - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7' - libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_aks_policy.tmpl.json') -} - var varPolicyAssignmentDeployASCMonitoring = { definitionId: '/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8' libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_asc_monitoring.tmpl.json') @@ -422,12 +418,12 @@ var varPolicyAssignmentDeployvmHybrMonitoring = { libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_arc_monitor.tmpl.json') } -var varPolicyAssignmentDeployVMMonitoring = { +var varPolicyAssignmentDeployVMMonitor24 = { definitionId: '/providers/Microsoft.Authorization/policySetDefinitions/924bfe3a-762f-40e7-86dd-5c8b95eb09e6' libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_monitor.tmpl.json') } -var varPolicyAssignmentDeployVMSSMonitoring = { +var varPolicyAssignmentDeployVMSSMonitor24 = { definitionId: '/providers/Microsoft.Authorization/policySetDefinitions/f5bf694c-cca7-4033-b883-3a23327d5485' libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vmss_monitor.tmpl.json') } @@ -447,6 +443,11 @@ var varPolicyAssignmentEnableDDoSVNET = { libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_enable_ddos_vnet.tmpl.json') } +var varPolicyAssignmentEnforceSubnetPrivate = { + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/7bca8353-aa3b-429b-904a-9229c4385837' + libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_subnet_private.tmpl.json') +} + var varPolicyAssignmentEnforceACSB = { definitionId: '${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Enforce-ACSB' libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_acsb.tmpl.json') @@ -1030,17 +1031,17 @@ module modPolicyAssignmentPlatformDeployVmArcMonitor '../../../policy/assignment } // Module - Policy Assignment - Deploy-VM-Monitor-24 -module modPolicyAssignmentPlatformDeployVmMonitor '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployVMMonitoring.libDefinition.name)) { +module modPolicyAssignmentPlatformDeployVmMonitor '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployVMMonitor24.libDefinition.name)) { scope: managementGroup(varManagementGroupIds.platform) name: varModuleDeploymentNames.modPolicyAssignmentPlatformDeployVmMonitor params: { - parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployVMMonitoring.definitionId - parPolicyAssignmentName: varPolicyAssignmentDeployVMMonitoring.libDefinition.name - parPolicyAssignmentDisplayName: varPolicyAssignmentDeployVMMonitoring.libDefinition.properties.displayName - parPolicyAssignmentDescription: varPolicyAssignmentDeployVMMonitoring.libDefinition.properties.description - parPolicyAssignmentParameters: varPolicyAssignmentDeployVMMonitoring.libDefinition.properties.parameters - parPolicyAssignmentIdentityType: varPolicyAssignmentDeployVMMonitoring.libDefinition.identity.type - parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentDeployVMMonitoring.libDefinition.properties.enforcementMode + parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployVMMonitor24.definitionId + parPolicyAssignmentName: varPolicyAssignmentDeployVMMonitor24.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentDeployVMMonitor24.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentDeployVMMonitor24.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentDeployVMMonitor24.libDefinition.properties.parameters + parPolicyAssignmentIdentityType: varPolicyAssignmentDeployVMMonitor24.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentDeployVMMonitor24.libDefinition.properties.enforcementMode parPolicyAssignmentParameterOverrides: { dcrResourceId: { value: parDataCollectionRuleVMInsightsResourceId @@ -1115,17 +1116,17 @@ module modPolicyAssignmentPlatformDenyDeleteUAMIAMA '../../../policy/assignments } // Module - Policy Assignment - Deploy-VMSS-Monitor-24 -module modPolicyAssignmentPlatformDeployVmssMonitor '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployVMSSMonitoring.libDefinition.name)) { +module modPolicyAssignmentPlatformDeployVmssMonitor '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployVMSSMonitor24.libDefinition.name)) { scope: managementGroup(varManagementGroupIds.platform) name: varModuleDeploymentNames.modPolicyAssignmentPlatformDeployVmssMonitor params: { - parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployVMSSMonitoring.definitionId - parPolicyAssignmentName: varPolicyAssignmentDeployVMSSMonitoring.libDefinition.name - parPolicyAssignmentDisplayName: varPolicyAssignmentDeployVMSSMonitoring.libDefinition.properties.displayName - parPolicyAssignmentDescription: varPolicyAssignmentDeployVMSSMonitoring.libDefinition.properties.description - parPolicyAssignmentParameters: varPolicyAssignmentDeployVMSSMonitoring.libDefinition.properties.parameters - parPolicyAssignmentIdentityType: varPolicyAssignmentDeployVMSSMonitoring.libDefinition.identity.type - parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentDeployVMSSMonitoring.libDefinition.properties.enforcementMode + parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployVMSSMonitor24.definitionId + parPolicyAssignmentName: varPolicyAssignmentDeployVMSSMonitor24.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentDeployVMSSMonitor24.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentDeployVMSSMonitor24.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentDeployVMSSMonitor24.libDefinition.properties.parameters + parPolicyAssignmentIdentityType: varPolicyAssignmentDeployVMSSMonitor24.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentDeployVMSSMonitor24.libDefinition.properties.enforcementMode parPolicyAssignmentParameterOverrides: { dcrResourceId: { value: parDataCollectionRuleChangeTrackingResourceId @@ -1144,6 +1145,21 @@ module modPolicyAssignmentPlatformDeployVmssMonitor '../../../policy/assignments parTelemetryOptOut: parTelemetryOptOut } } +// Module - Policy Assignment - Enforce-Subnet-Private +module modPolicyAssignmentPlatformEnforceSubnetPrivate '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentEnforceSubnetPrivate.libDefinition.name)) { + scope: managementGroup(varManagementGroupIds.platform) + name: varModuleDeploymentNames.modPolicyAssignmentPlatformEnforceSubnetPrivate + params: { + parPolicyAssignmentDefinitionId: varPolicyAssignmentEnforceSubnetPrivate.definitionId + parPolicyAssignmentName: varPolicyAssignmentEnforceSubnetPrivate.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentEnforceSubnetPrivate.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentEnforceSubnetPrivate.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentEnforceSubnetPrivate.libDefinition.properties.parameters + parPolicyAssignmentIdentityType: varPolicyAssignmentEnforceSubnetPrivate.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentEnforceSubnetPrivate.libDefinition.properties.enforcementMode + parTelemetryOptOut: parTelemetryOptOut + } +} // Module - Policy Assignment - Enforce-GR-KeyVault module modPolicyAssignmentPlatformEnforceGrKeyVault '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentEnforceGRKeyVault.libDefinition.name)) { @@ -1459,26 +1475,6 @@ module modPolicyAssignmentLzsDenyStorageHttp '../../../policy/assignments/policy } } -// Module - Policy Assignment - Deploy-AKS-Policy -module modPolicyAssignmentLzsDeployAksPolicy '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployAKSPolicy.libDefinition.name)) { - scope: managementGroup(varManagementGroupIds.landingZones) - name: varModuleDeploymentNames.modPolicyAssignmentLzsDeployAksPolicy - params: { - parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployAKSPolicy.definitionId - parPolicyAssignmentName: varPolicyAssignmentDeployAKSPolicy.libDefinition.name - parPolicyAssignmentDisplayName: varPolicyAssignmentDeployAKSPolicy.libDefinition.properties.displayName - parPolicyAssignmentDescription: varPolicyAssignmentDeployAKSPolicy.libDefinition.properties.description - parPolicyAssignmentParameters: varPolicyAssignmentDeployAKSPolicy.libDefinition.properties.parameters - parPolicyAssignmentIdentityType: varPolicyAssignmentDeployAKSPolicy.libDefinition.identity.type - parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentDeployAKSPolicy.libDefinition.properties.enforcementMode - parPolicyAssignmentIdentityRoleDefinitionIds: [ - varRbacRoleDefinitionIds.aksContributor - varRbacRoleDefinitionIds.aksPolicyAddon - ] - parTelemetryOptOut: parTelemetryOptOut - } -} - // Module - Policy Assignment - Deny-Priv-Escalation-AKS module modPolicyAssignmentLzsDenyPrivEscalationAks '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDenyPrivEscalationAKS.libDefinition.name)) { scope: managementGroup(varManagementGroupIds.landingZones) @@ -1725,17 +1721,17 @@ module modPolicyAssignmentLzsDeployVmArcMonitor '../../../policy/assignments/pol } // Module - Policy Assignment - Deploy-VM-Monitor-24 -module modPolicyAssignmentLzsDeployVmMonitor '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployVMMonitoring.libDefinition.name)) { +module modPolicyAssignmentLzsDeployVmMonitor '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployVMMonitor24.libDefinition.name)) { scope: managementGroup(varManagementGroupIds.landingZones) name: varModuleDeploymentNames.modPolicyAssignmentLzsDeployVmMonitor params: { - parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployVMMonitoring.definitionId - parPolicyAssignmentName: varPolicyAssignmentDeployVMMonitoring.libDefinition.name - parPolicyAssignmentDisplayName: varPolicyAssignmentDeployVMMonitoring.libDefinition.properties.displayName - parPolicyAssignmentDescription: varPolicyAssignmentDeployVMMonitoring.libDefinition.properties.description - parPolicyAssignmentParameters: varPolicyAssignmentDeployVMMonitoring.libDefinition.properties.parameters - parPolicyAssignmentIdentityType: varPolicyAssignmentDeployVMMonitoring.libDefinition.identity.type - parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentDeployVMMonitoring.libDefinition.properties.enforcementMode + parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployVMMonitor24.definitionId + parPolicyAssignmentName: varPolicyAssignmentDeployVMMonitor24.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentDeployVMMonitor24.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentDeployVMMonitor24.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentDeployVMMonitor24.libDefinition.properties.parameters + parPolicyAssignmentIdentityType: varPolicyAssignmentDeployVMMonitor24.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentDeployVMMonitor24.libDefinition.properties.enforcementMode parPolicyAssignmentParameterOverrides: { dcrResourceId: { value: parDataCollectionRuleVMInsightsResourceId @@ -1756,17 +1752,17 @@ module modPolicyAssignmentLzsDeployVmMonitor '../../../policy/assignments/policy } // Module - Policy Assignment - Deploy-VMSS-Monitor-24 -module modPolicyAssignmentLzsDeployVmssMonitor '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployVMSSMonitoring.libDefinition.name)) { +module modPolicyAssignmentLzsDeployVmssMonitor '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployVMSSMonitor24.libDefinition.name)) { scope: managementGroup(varManagementGroupIds.landingZones) name: varModuleDeploymentNames.modPolicyAssignmentLzsDeployVmssMonitor params: { - parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployVMSSMonitoring.definitionId - parPolicyAssignmentName: varPolicyAssignmentDeployVMSSMonitoring.libDefinition.name - parPolicyAssignmentDisplayName: varPolicyAssignmentDeployVMSSMonitoring.libDefinition.properties.displayName - parPolicyAssignmentDescription: varPolicyAssignmentDeployVMSSMonitoring.libDefinition.properties.description - parPolicyAssignmentParameters: varPolicyAssignmentDeployVMSSMonitoring.libDefinition.properties.parameters - parPolicyAssignmentIdentityType: varPolicyAssignmentDeployVMSSMonitoring.libDefinition.identity.type - parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentDeployVMSSMonitoring.libDefinition.properties.enforcementMode + parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployVMSSMonitor24.definitionId + parPolicyAssignmentName: varPolicyAssignmentDeployVMSSMonitor24.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentDeployVMSSMonitor24.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentDeployVMSSMonitor24.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentDeployVMSSMonitor24.libDefinition.properties.parameters + parPolicyAssignmentIdentityType: varPolicyAssignmentDeployVMSSMonitor24.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentDeployVMSSMonitor24.libDefinition.properties.enforcementMode parPolicyAssignmentParameterOverrides: { dcrResourceId: { value: parDataCollectionRuleChangeTrackingResourceId @@ -1817,6 +1813,22 @@ module modPolicyAssignmentLzsmDeployMdfcDefSqlAma '../../../policy/assignments/p } } +// Module - Policy Assignment - Enforce-Subnet-Private +module modPolicyAssignmentLzsEnforceSubnetPrivate '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentEnforceSubnetPrivate.libDefinition.name)) { + scope: managementGroup(varManagementGroupIds.landingZones) + name: varModuleDeploymentNames.modPolicyAssignmentLzsEnforceSubnetPrivate + params: { + parPolicyAssignmentDefinitionId: varPolicyAssignmentEnforceSubnetPrivate.definitionId + parPolicyAssignmentName: varPolicyAssignmentEnforceSubnetPrivate.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentEnforceSubnetPrivate.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentEnforceSubnetPrivate.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentEnforceSubnetPrivate.libDefinition.properties.parameters + parPolicyAssignmentIdentityType: varPolicyAssignmentEnforceSubnetPrivate.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentEnforceSubnetPrivate.libDefinition.properties.enforcementMode + parTelemetryOptOut: parTelemetryOptOut + } +} + // Module - Policy Assignment - Enforce-GR-KeyVault module modPolicyAssignmentLzsEnforceGrKeyVault '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentEnforceGRKeyVault.libDefinition.name)) { scope: managementGroup(varManagementGroupIds.landingZones) diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/mc-alzDefaultPolicyAssignments.bicep b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/mc-alzDefaultPolicyAssignments.bicep index 0c75e7a9a..f6132b3ce 100644 --- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/mc-alzDefaultPolicyAssignments.bicep +++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/mc-alzDefaultPolicyAssignments.bicep @@ -68,7 +68,6 @@ var varModuleDeploymentNames = { modPolicyAssignmentLZsDeployVMBackup: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployVMBackup-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) modPolicyAssignmentLZsEnableDDoSVNET: take('${varDeploymentNameWrappers.basePrefix}-polAssi-enableDDoSVNET-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) modPolicyAssignmentLZsDenyStorageHttp: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyStorageHttp-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) - modPolicyAssignmentLZsDeployAKSPolicy: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployAKSPolicy-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) modPolicyAssignmentLZsDenyPrivEscalationAKS: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyPrivEscAKS-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) modPolicyAssignmentLZsDenyPrivContainersAKS: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyPrivConAKS-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) modPolicyAssignmentLZsEnforceAKSHTTPS: take('${varDeploymentNameWrappers.basePrefix}-polAssi-enforceAKSHTTPS-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) @@ -129,11 +128,6 @@ var varPolicyAssignmentDenySubnetWithoutNsg = { libDefinition: loadJsonContent(('../../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_subnet_without_nsg.tmpl.json')) } -var varPolicyAssignmentDeployAKSPolicy = { - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7' - libDefinition: loadJsonContent(('../../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_aks_policy.tmpl.json')) -} - var varPolicyAssignmentDeployASCMonitoring = { definitionId: '/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8' libDefinition: loadJsonContent(('../../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_asc_monitoring.tmpl.json')) @@ -585,25 +579,6 @@ module modPolicyAssignmentLZsDenyStorageHttp '../../../policy/assignments/policy } } -// Module - Policy Assignment - Deploy-AKS-Policy -module modPolicyAssignmentLZsDeployAKSPolicy '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { - scope: managementGroup(varManagementGroupIDs.landingZones) - name: varModuleDeploymentNames.modPolicyAssignmentLZsDeployAKSPolicy - params: { - parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployAKSPolicy.definitionId - parPolicyAssignmentName: varPolicyAssignmentDeployAKSPolicy.libDefinition.name - parPolicyAssignmentDisplayName: varPolicyAssignmentDeployAKSPolicy.libDefinition.properties.displayName - parPolicyAssignmentDescription: varPolicyAssignmentDeployAKSPolicy.libDefinition.properties.description - parPolicyAssignmentParameters: varPolicyAssignmentDeployAKSPolicy.libDefinition.properties.parameters - parPolicyAssignmentIdentityType: varPolicyAssignmentDeployAKSPolicy.libDefinition.identity.type - parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentDeployAKSPolicy.libDefinition.properties.enforcementMode - parPolicyAssignmentIdentityRoleDefinitionIds: [ - varRBACRoleDefinitionIDs.aksContributor - ] - parTelemetryOptOut: parTelemetryOptOut - } -} - // Module - Policy Assignment - Deny-Priv-Escalation-AKS module modPolicyAssignmentLZsDenyPrivEscalationAKS '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { scope: managementGroup(varManagementGroupIDs.landingZones) diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/_mc_policyAssignmentsBicepInput.txt b/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/_mc_policyAssignmentsBicepInput.txt index 32fa0350e..c9f4f7f8a 100644 --- a/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/_mc_policyAssignmentsBicepInput.txt +++ b/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/_mc_policyAssignmentsBicepInput.txt @@ -68,11 +68,6 @@ var varPolicyAssignmentDenySubnetWithoutUdr = { libDefinition: loadJsonContent('../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_subnet_without_udr.tmpl.json') } -var varPolicyAssignmentDeployAKSPolicy = { - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7' - libDefinition: loadJsonContent('../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_aks_policy.tmpl.json') -} - var varPolicyAssignmentDeployASCMonitoring = { definitionId: '/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8' libDefinition: loadJsonContent('../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_asc_monitoring.tmpl.json') diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_aks_policy.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_aks_policy.tmpl.json deleted file mode 100644 index ce3dadeb7..000000000 --- a/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_aks_policy.tmpl.json +++ /dev/null @@ -1,22 +0,0 @@ -{ - "name": "Deploy-AKS-Policy", - "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2019-09-01", - "properties": { - "description": "Use Azure Policy Add-on to manage and report on the compliance state of your Azure Kubernetes Service (AKS) clusters. For more information, see https://aka.ms/akspolicydoc.", - "displayName": "Deploy Azure Policy Add-on to Azure Kubernetes Service clusters", - "notScopes": [], - "parameters": { - "effect": { - "value": "DeployIfNotExists" - } - }, - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7", - "scope": null, - "enforcementMode": "Default" - }, - "location": null, - "identity": { - "type": "SystemAssigned" - } -} \ No newline at end of file diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/_policyAssignmentsBicepInput.txt b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/_policyAssignmentsBicepInput.txt index 7daad502f..189e4ac79 100644 --- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/_policyAssignmentsBicepInput.txt +++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/_policyAssignmentsBicepInput.txt @@ -143,11 +143,6 @@ var varPolicyAssignmentDenyUnmanagedDisk = { libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_unmanageddisk.tmpl.json') } -var varPolicyAssignmentDeployAKSPolicy = { - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7' - libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_aks_policy.tmpl.json') -} - var varPolicyAssignmentDeployASCMonitoring = { definitionId: '/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8' libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_asc_monitoring.tmpl.json') diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_aks_policy.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_aks_policy.tmpl.json deleted file mode 100644 index 6855d8a9b..000000000 --- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_aks_policy.tmpl.json +++ /dev/null @@ -1,22 +0,0 @@ -{ - "name": "Deploy-AKS-Policy", - "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2024-04-01", - "properties": { - "description": "Use Azure Policy Add-on to manage and report on the compliance state of your Azure Kubernetes Service (AKS) clusters. For more information, see https://aka.ms/akspolicydoc.", - "displayName": "Deploy Azure Policy Add-on to Azure Kubernetes Service clusters", - "notScopes": [], - "parameters": { - "effect": { - "value": "DeployIfNotExists" - } - }, - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7", - "scope": null, - "enforcementMode": "Default" - }, - "location": null, - "identity": { - "type": "SystemAssigned" - } -} diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_subnet_private.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_subnet_private.tmpl.json new file mode 100644 index 000000000..faf4c9ea4 --- /dev/null +++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_subnet_private.tmpl.json @@ -0,0 +1,18 @@ +{ + "name": "Enforce-Subnet-Private", + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2024-04-01", + "properties": { + "description": "Ensure your subnets are secure by default by preventing default outbound access. For more information go to https://aka.ms/defaultoutboundaccessretirement", + "displayName": "Subnets should be private", + "notScopes": [], + "parameters": {}, + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7bca8353-aa3b-429b-904a-9229c4385837", + "scope": null, + "enforcementMode": "Default" + }, + "location": null, + "identity": { + "type": "None" + } +} From e7e07d23bb69ab2af0c356c9d1ed8dda40a9c3a9 Mon Sep 17 00:00:00 2001 From: Zach Trocinski Date: Wed, 23 Oct 2024 00:09:05 -0500 Subject: [PATCH 09/11] Added param and logic for category of resource logs --- .../alzDefaults/alzDefaultPolicyAssignments.bicep | 6 +++++- .../generateddocs/alzDefaultPolicyAssignments.bicep.md | 1 + .../alzDefaultPolicyAssignments.parameters.all.json | 3 +++ 3 files changed, 9 insertions(+), 1 deletion(-) diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep index 20dc8737f..d44f18d1e 100644 --- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep +++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep @@ -65,6 +65,9 @@ param parLogAnalyticsWorkSpaceAndAutomationAccountLocation string = 'eastus' @description('Resource ID of Log Analytics Workspace.') param parLogAnalyticsWorkspaceResourceId string = '' +@sys.description('Category of logs for supported resource logging for Log Analytics Workspace.') +param parLogAnalyticsWorkspaceResourceCategory string = 'allLogs' + @description('Resource ID for VM Insights Data Collection Rule.') param parDataCollectionRuleVMInsightsResourceId string = '' @@ -380,6 +383,7 @@ var varPolicyAssignmentDeployPrivateDNSZones = { var varPolicyAssignmentDeployResourceDiag = { definitionId: '/providers/Microsoft.Authorization/policySetDefinitions/0884adba-2312-4468-abeb-5422caed1038' + conditionalDefinitionId: '/providers/Microsoft.Authorization/policySetDefinitions/f5b29bc4-feca-4cc6-a58a-772dd5e290a5' libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_resource_diag.tmpl.json') } @@ -740,7 +744,7 @@ module modPolicyAssignmentIntRootDeployResourceDiag '../../../policy/assignments scope: managementGroup(varManagementGroupIds.intRoot) name: varModuleDeploymentNames.modPolicyAssignmentIntRootDeployResourceDiag params: { - parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployResourceDiag.definitionId + parPolicyAssignmentDefinitionId: parLogAnalyticsWorkspaceResourceCategory =~ 'allLogs' ? varPolicyAssignmentDeployResourceDiag.definitionId : varPolicyAssignmentDeployResourceDiag.conditionalDefinitionId parPolicyAssignmentName: varPolicyAssignmentDeployResourceDiag.libDefinition.name parPolicyAssignmentDisplayName: varPolicyAssignmentDeployResourceDiag.libDefinition.properties.displayName parPolicyAssignmentDescription: varPolicyAssignmentDeployResourceDiag.libDefinition.properties.description diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md index 59d3e77a6..b73f7b5d2 100644 --- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md +++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md @@ -15,6 +15,7 @@ parLandingZoneChildrenMgAlzDefaultsEnable | No | Assign policies to Corp & parLandingZoneMgConfidentialEnable | No | Assign policies to Confidential Corp and Online groups under Landing Zones. parLogAnalyticsWorkSpaceAndAutomationAccountLocation | No | Location of Log Analytics Workspace & Automation Account. parLogAnalyticsWorkspaceResourceId | No | Resource ID of Log Analytics Workspace. +parLogAnalyticsWorkspaceResourceCategory | No | Category of logs for supported resource logging for Log Analytics Workspace. parDataCollectionRuleVMInsightsResourceId | No | Resource ID for VM Insights Data Collection Rule. parDataCollectionRuleChangeTrackingResourceId | No | Resource ID for Change Tracking Data Collection Rule. parDataCollectionRuleMDFCSQLResourceId | No | Resource ID for MDFC SQL Data Collection Rule. diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.all.json b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.all.json index f847d59bb..17556fd5c 100644 --- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.all.json +++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.all.json @@ -44,6 +44,9 @@ "parLogAnalyticsWorkspaceLogRetentionInDays": { "value": "365" }, + "parLogAnalyticsWorkspaceResourceCategory": { + "value": "allLogs" + }, "parDataCollectionRuleVMInsightsResourceId": { "value": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/alz-logging/providers/Microsoft.Insights/dataCollectionRules/alz-ama-vmi-dcr" }, From 0454270dacfb524888cbd19b637c42f7fcd31373 Mon Sep 17 00:00:00 2001 From: github-actions <41898282+github-actions[bot]@users.noreply.github.com> Date: Wed, 23 Oct 2024 05:14:03 +0000 Subject: [PATCH 10/11] Generate Parameter Markdowns [oZakari/c375e413] --- .../alzDefaultPolicyAssignments.bicep.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md index b73f7b5d2..ef4ce4c5a 100644 --- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md +++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md @@ -102,6 +102,14 @@ Location of Log Analytics Workspace & Automation Account. Resource ID of Log Analytics Workspace. +### parLogAnalyticsWorkspaceResourceCategory + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Category of logs for supported resource logging for Log Analytics Workspace. + +- Default value: `allLogs` + ### parDataCollectionRuleVMInsightsResourceId ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) @@ -266,6 +274,9 @@ Opt out of deployment telemetry. "parLogAnalyticsWorkspaceResourceId": { "value": "" }, + "parLogAnalyticsWorkspaceResourceCategory": { + "value": "allLogs" + }, "parDataCollectionRuleVMInsightsResourceId": { "value": "" }, From 53697ba859e61a065193d04cd4bd7983c3c196f5 Mon Sep 17 00:00:00 2001 From: github-actions Date: Wed, 23 Oct 2024 08:01:59 +0000 Subject: [PATCH 11/11] feat: Update Policy Library (automated) --- .../lib/policy_assignments/_policyAssignmentsBicepInput.txt | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/_policyAssignmentsBicepInput.txt b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/_policyAssignmentsBicepInput.txt index 189e4ac79..9852756b3 100644 --- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/_policyAssignmentsBicepInput.txt +++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/_policyAssignmentsBicepInput.txt @@ -313,6 +313,11 @@ var varPolicyAssignmentEnforceSovereignGlobal = { libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_sovereignty_baseline_global.tmpl.json') } +var varPolicyAssignmentEnforceSubnetPrivate = { + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/7bca8353-aa3b-429b-904a-9229c4385837' + libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_subnet_private.tmpl.json') +} + var varPolicyAssignmentEnforceTLSSSLH224 = { definitionId: '${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit_20240509' libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_tls_ssl.tmpl.json')