Update Policy Library (automated) (#459)

Co-authored-by: github-actions <action@github.com> Co-authored-by: Jack Tracey <jack@jacktracey.co.uk> Co-authored-by: Jack Tracey <41163455+jtracey93@users.noreply.github.com>
Azure · Feb 27, 2023 · 327bf7f · 327bf7f
1 parent c4b5e8b
commit 327bf7f
Show file tree

Hide file tree

Showing 13 changed files with 395 additions and 107 deletions.
diff --git a/.../bicep/modules/policy/assignments/lib/policy_assignments/_policyAssignmentsBicepInput.txt b/.../bicep/modules/policy/assignments/lib/policy_assignments/_policyAssignmentsBicepInput.txt
diff --git a/infra-as-code/bicep/modules/policy/definitions/customPolicyDefinitions.bicep b/infra-as-code/bicep/modules/policy/definitions/customPolicyDefinitions.bicep
@@ -839,12 +839,36 @@ var varCustomPolicySetDefinitionsArray = [
         definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.SQLMDeployDiagnosticLogDeployLogAnalytics.parameters
         definitionGroups: []
       }
+      {
+        definitionReferenceId: 'StorageAccountBlobServicesDeployDiagnosticLogDeployLogAnalytics'
+        definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b4fe1a3b-0715-4c6c-a5ea-ffc33cf823cb'
+        definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.StorageAccountBlobServicesDeployDiagnosticLogDeployLogAnalytics.parameters
+        definitionGroups: []
+      }
       {
         definitionReferenceId: 'StorageAccountDeployDiagnosticLogDeployLogAnalytics'
-        definitionId: '/providers/Microsoft.Authorization/policyDefinitions/6f8f98a4-f108-47cb-8e98-91a0d85cd474'
+        definitionId: '/providers/Microsoft.Authorization/policyDefinitions/59759c62-9a22-4cdf-ae64-074495983fef'
         definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.StorageAccountDeployDiagnosticLogDeployLogAnalytics.parameters
         definitionGroups: []
       }
+      {
+        definitionReferenceId: 'StorageAccountFileServicesDeployDiagnosticLogDeployLogAnalytics'
+        definitionId: '/providers/Microsoft.Authorization/policyDefinitions/25a70cc8-2bd4-47f1-90b6-1478e4662c96'
+        definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.StorageAccountFileServicesDeployDiagnosticLogDeployLogAnalytics.parameters
+        definitionGroups: []
+      }
+      {
+        definitionReferenceId: 'StorageAccountQueueServicesDeployDiagnosticLogDeployLogAnalytics'
+        definitionId: '/providers/Microsoft.Authorization/policyDefinitions/7bd000e3-37c7-4928-9f31-86c4b77c5c45'
+        definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.StorageAccountQueueServicesDeployDiagnosticLogDeployLogAnalytics.parameters
+        definitionGroups: []
+      }
+      {
+        definitionReferenceId: 'StorageAccountTableServicesDeployDiagnosticLogDeployLogAnalytics'
+        definitionId: '/providers/Microsoft.Authorization/policyDefinitions/2fb86bf3-d221-43d1-96d1-2434af34eaa0'
+        definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.StorageAccountTableServicesDeployDiagnosticLogDeployLogAnalytics.parameters
+        definitionGroups: []
+      }
       {
         definitionReferenceId: 'StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics'
         definitionId: '/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673'

diff --git a/...icy_definitions/policy_definition_es_Deny-MachineLearning-PublicAccessWhenBehindVnet.json b/...icy_definitions/policy_definition_es_Deny-MachineLearning-PublicAccessWhenBehindVnet.json
@@ -6,10 +6,10 @@
   "properties": {
     "policyType": "Custom",
     "mode": "Indexed",
-    "displayName": "Deny public acces behind vnet to Azure Machine Learning workspace",
+    "displayName": "Deny public access behind vnet to Azure Machine Learning workspace",
     "description": "Deny public access behind vnet to Azure Machine Learning workspaces.",
     "metadata": {
-      "version": "1.0.0",
+      "version": "1.0.1",
       "category": "Machine Learning",
       "source": "https://github.com/Azure/Enterprise-Scale/",
       "alzCloudEnvironments": [

diff --git a/.../definitions/lib/policy_definitions/policy_definition_es_Deploy-ASC-SecurityContacts.json b/.../definitions/lib/policy_definitions/policy_definition_es_Deploy-ASC-SecurityContacts.json
@@ -9,7 +9,7 @@
     "displayName": "Deploy Microsoft Defender for Cloud Security Contacts",
     "description": "Deploy Microsoft Defender for Cloud Security Contacts",
     "metadata": {
-      "version": "1.0.0",
+      "version": "1.1.0",
       "category": "Security Center",
       "source": "https://github.com/Azure/Enterprise-Scale/",
       "alzCloudEnvironments": [
@@ -101,6 +101,9 @@
               "parameters": {
                 "emailSecurityContact": {
                   "value": "[parameters('emailSecurityContact')]"
+                },
+                "minimalSeverity": {
+                  "value": "[parameters('minimalSeverity')]"
                 }
               },
               "template": {
@@ -112,6 +115,12 @@
                     "metadata": {
                       "description": "Security contacts email address"
                     }
+                  },
+                  "minimalSeverity": {
+                    "type": "string",
+                    "metadata": {
+                      "description": "Minimal severity level reported"
+                    }
                   }
                 },
                 "variables": {},

diff --git a/...finitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-DataFactory.json b/...finitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-DataFactory.json
@@ -9,7 +9,7 @@
     "displayName": "Deploy Diagnostic Settings for Data Factory to Log Analytics workspace",
     "description": "Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
     "metadata": {
-      "version": "1.1.0",
+      "version": "1.2.0",
       "category": "Monitoring",
       "source": "https://github.com/Azure/Enterprise-Scale/",
       "alzCloudEnvironments": [
@@ -185,6 +185,14 @@
                         {
                           "category": "SSISIntegrationRuntimeLogs",
                           "enabled": "[parameters('logsEnabled')]"
+                        },
+                        {
+                          "category": "SandboxPipelineRuns",
+                          "enabled": "[parameters('logsEnabled')]"
+                        },
+                        {
+                          "category": "SandboxActivityRuns",
+                          "enabled": "[parameters('logsEnabled')]"
                         }
                       ]
                     }

diff --git a/...efinitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-Databricks.json b/...efinitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-Databricks.json
@@ -9,7 +9,7 @@
     "displayName": "Deploy Diagnostic Settings for Databricks to Log Analytics workspace",
     "description": "Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
     "metadata": {
-      "version": "1.2.0",
+      "version": "1.3.0",
       "category": "Monitoring",
       "source": "https://github.com/Azure/Enterprise-Scale/",
       "alzCloudEnvironments": [
@@ -219,6 +219,26 @@
                         {
                           "category": "webTerminal",
                           "enabled": "[parameters('logsEnabled')]"
+                        },
+                        {
+                          "category": "serverlessRealTimeInference",
+                          "enabled": "[parameters('logsEnabled')]"
+                        },
+                        {
+                          "category": "clusterLibraries",
+                          "enabled": "[parameters('logsEnabled')]"
+                        },
+                        {
+                          "category": "partnerHub",
+                          "enabled": "[parameters('logsEnabled')]"
+                        },
+                        {
+                          "category": "clamAVScan",
+                          "enabled": "[parameters('logsEnabled')]"
+                        },
+                        {
+                          "category": "capsule8Dataplane",
+                          "enabled": "[parameters('logsEnabled')]"
                         }
                       ]
                     }

diff --git a/...efinitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-PostgreSQL.json b/...efinitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-PostgreSQL.json
@@ -9,7 +9,7 @@
     "displayName": "Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace",
     "description": "Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
     "metadata": {
-      "version": "1.1.0",
+      "version": "2.0.0",
       "category": "Monitoring",
       "source": "https://github.com/Azure/Enterprise-Scale/",
       "alzCloudEnvironments": [
@@ -74,8 +74,16 @@
     },
     "policyRule": {
       "if": {
-        "field": "type",
-        "equals": "Microsoft.DBforPostgreSQL/servers"
+        "anyOf": [
+          {
+            "field": "type",
+            "equals": "Microsoft.DBforPostgreSQL/flexibleServers"
+          },
+          {
+            "field": "type",
+            "equals": "Microsoft.DBforPostgreSQL/servers"
+          }
+        ]
       },
       "then": {
         "effect": "[parameters('effect')]",
@@ -112,6 +120,9 @@
                   "resourceName": {
                     "type": "String"
                   },
+                  "resourceType": {
+                    "type": "String"
+                  },
                   "logAnalytics": {
                     "type": "String"
                   },
@@ -131,8 +142,37 @@
                 "variables": {},
                 "resources": [
                   {
+                    "condition": "[startsWith(parameters('resourceType'),'Microsoft.DBforPostgreSQL/flexibleServers')]",
+                    "type": "Microsoft.DBforPostgreSQL/flexibleServers/providers/diagnosticSettings",
+                    "apiVersion": "2021-05-01-preview",
+                    "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
+                    "location": "[parameters('location')]",
+                    "dependsOn": [],
+                    "properties": {
+                      "workspaceId": "[parameters('logAnalytics')]",
+                      "metrics": [
+                        {
+                          "category": "AllMetrics",
+                          "enabled": "[parameters('metricsEnabled')]",
+                          "retentionPolicy": {
+                            "days": 0,
+                            "enabled": false
+                          },
+                          "timeGrain": null
+                        }
+                      ],
+                      "logs": [
+                        {
+                          "category": "PostgreSQLLogs",
+                          "enabled": "[parameters('logsEnabled')]"
+                        }
+                      ]
+                    }
+                  },
+                  {
+                    "condition": "[startsWith(parameters('resourceType'),'Microsoft.DBforPostgreSQL/servers')]",
                     "type": "Microsoft.DBforPostgreSQL/servers/providers/diagnosticSettings",
-                    "apiVersion": "2017-05-01-preview",
+                    "apiVersion": "2021-05-01-preview",
                     "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
                     "location": "[parameters('location')]",
                     "dependsOn": [],
@@ -178,6 +218,9 @@
                 "resourceName": {
                   "value": "[field('name')]"
                 },
+                "resourceType": {
+                  "value": "[field('type')]"
+                },
                 "profileName": {
                   "value": "[parameters('profileName')]"
                 },

diff --git a/...cy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-VNetGW.json b/...cy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-VNetGW.json
@@ -9,7 +9,7 @@
     "displayName": "Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace",
     "description": "Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.",
     "metadata": {
-      "version": "1.1.0",
+      "version": "1.1.1",
       "category": "Monitoring",
       "source": "https://github.com/Azure/Enterprise-Scale/",
       "alzCloudEnvironments": [
@@ -166,10 +166,6 @@
                           "category": "RouteDiagnosticLog",
                           "enabled": "[parameters('logsEnabled')]"
                         },
-                        {
-                          "category": "RouteDiagnosticLog",
-                          "enabled": "[parameters('logsEnabled')]"
-                        },
                         {
                           "category": "TunnelDiagnosticLog",
                           "enabled": "[parameters('logsEnabled')]"