diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/_policyDefinitionsBicepInput.txt b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/_policyDefinitionsBicepInput.txt
index 48319f427..f32e276fc 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/_policyDefinitionsBicepInput.txt
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/_policyDefinitionsBicepInput.txt
@@ -138,6 +138,10 @@
 name: 'Deny-VNET-Peer-Cross-Sub'
 libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deny_vnet_peer_cross_sub.json'))
 }
+{
+ name: 'Deny-VNET-Peering-To-Non-Approved-VNETs'
+ libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deny_vnet_peering_to_non_approved_vnets.json'))
+}
 {
 name: 'Deny-VNet-Peering'
 libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deny_vnet_peering.json'))
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_deny_vnet_peering_to_non_approved_vnets.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_deny_vnet_peering_to_non_approved_vnets.json
new file mode 100644
index 000000000..74c5ee0a2
--- /dev/null
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_deny_vnet_peering_to_non_approved_vnets.json
@@ -0,0 +1,82 @@
+{
+ "name": "Deny-VNET-Peering-To-Non-Approved-VNETs",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "All",
+ "displayName": "Deny vNet peering to non-approved vNets",
+ "description": "This policy denies the creation of vNet Peerings to non-approved vNets under the assigned scope.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Network"
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny"
+ },
+ "allowedVnets": {
+ "type": "Array",
+ "metadata": {
+ "displayName": "Allowed vNets to peer with",
+ "description": "Array of allowed vNets that can be peered with. Must be entered using their resource ID. Example: /subscriptions/{subId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}"
+ },
+ "defaultValue": []
+ }
+ },
+ "policyRule": {
+ "if": {
+ "anyOf": [
+ {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings"
+ },
+ {
+ "not": {
+ "field": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/remoteVirtualNetwork.id",
+ "in": "[parameters('allowedVnets')]"
+ }
+ }
+ ]
+ },
+ {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Network/virtualNetworks"
+ },
+ {
+ "not": {
+ "field": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings[*].remoteVirtualNetwork.id",
+ "in": "[parameters('allowedVnets')]"
+ }
+ },
+ {
+ "not": {
+ "field": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings[*].remoteVirtualNetwork.id",
+ "exists": false
+ }
+ }
+ ]
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ }
+ }
+}
\ No newline at end of file
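Review bot: The parameter defaults in the new definition, `"effect"` defaulting to `"Deny"` and `"allowedVnets"` defaulting to `[]`, mean an assignment that does not override the list denies every peering creation in scope, and the second `anyOf` branch presumably also denies any full PUT of a `Microsoft.Network/virtualNetworks` resource whose `virtualNetworkPeerings[*]` array already holds a remote ID outside the list (for example re-deploying a VNet that carries a pre-policy peering). Fail-closed is a sensible default for a deny policy, but the `allowedVnets` description should state it so operators are not surprised at assignment time, e.g. append `" An empty list (the default) denies all peerings; assign with effect Audit first to surface existing peerings outside the list."` to that description. Consider also adding `"strongType": "Microsoft.Network/virtualNetworks"` to the `allowedVnets` metadata so the portal offers a resource picker rather than free-text IDs.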