Update Policy Library (automated) (#639)
Co-authored-by: github-actions <action@github.com>
Co-authored-by: Jack Tracey <41163455+jtracey93@users.noreply.github.com>
Co-authored-by: Jack Tracey <jack@jacktracey.co.uk>
Co-authored-by: github-actions <41898282+github-actions[bot]@users.noreply.github.com>
5 people authored Oct 5, 2023
1 parent b0409fa commit 8dbc3da
Showing 42 changed files with 386 additions and 60 deletions.
Expand Up @@ -282,7 +282,7 @@ Resource Group Name for Private DNS Zones.

Array of DNS Zones to provision in Hub Virtual Network. Default: All known Azure Private DNS Zones

- Default value: `[format('privatelink.{0}.azmk8s.io', toLower(parameters('parLocation')))] [format('privatelink.{0}.batch.azure.com', toLower(parameters('parLocation')))] [format('privatelink.{0}.kusto.windows.net', toLower(parameters('parLocation')))] privatelink.adf.azure.com privatelink.afs.azure.net privatelink.agentsvc.azure-automation.net privatelink.analysis.windows.net privatelink.api.azureml.ms privatelink.azconfig.io privatelink.azure-api.net privatelink.azure-automation.net privatelink.azurecr.io privatelink.azure-devices.net privatelink.azure-devices-provisioning.net privatelink.azurehdinsight.net privatelink.azurehealthcareapis.com privatelink.azurestaticapps.net privatelink.azuresynapse.net privatelink.azurewebsites.net privatelink.batch.azure.com privatelink.blob.core.windows.net privatelink.cassandra.cosmos.azure.com privatelink.cognitiveservices.azure.com privatelink.database.windows.net privatelink.datafactory.azure.net privatelink.dev.azuresynapse.net privatelink.dfs.core.windows.net privatelink.dicom.azurehealthcareapis.com privatelink.digitaltwins.azure.net privatelink.directline.botframework.com privatelink.documents.azure.com privatelink.eventgrid.azure.net privatelink.file.core.windows.net privatelink.gremlin.cosmos.azure.com privatelink.guestconfiguration.azure.com privatelink.his.arc.azure.com privatelink.kubernetesconfiguration.azure.com privatelink.managedhsm.azure.net privatelink.mariadb.database.azure.com privatelink.media.azure.net privatelink.mongo.cosmos.azure.com privatelink.monitor.azure.com privatelink.mysql.database.azure.com privatelink.notebooks.azure.net privatelink.ods.opinsights.azure.com privatelink.oms.opinsights.azure.com privatelink.pbidedicated.windows.net privatelink.postgres.database.azure.com privatelink.prod.migration.windowsazure.com privatelink.purview.azure.com privatelink.purviewstudio.azure.com privatelink.queue.core.windows.net privatelink.redis.cache.windows.net privatelink.redisenterprise.cache.azure.net 
privatelink.search.windows.net privatelink.service.signalr.net privatelink.servicebus.windows.net privatelink.siterecovery.windowsazure.com privatelink.sql.azuresynapse.net privatelink.table.core.windows.net privatelink.table.cosmos.azure.com privatelink.tip1.powerquery.microsoft.com privatelink.token.botframework.com privatelink.vaultcore.azure.net privatelink.web.core.windows.net privatelink.webpubsub.azure.com`
- Default value: `[format('privatelink.{0}.azmk8s.io', toLower(parameters('parLocation')))] [format('privatelink.{0}.batch.azure.com', toLower(parameters('parLocation')))] [format('privatelink.{0}.kusto.windows.net', toLower(parameters('parLocation')))] privatelink.adf.azure.com privatelink.afs.azure.net privatelink.agentsvc.azure-automation.net privatelink.analysis.windows.net privatelink.api.azureml.ms privatelink.azconfig.io privatelink.azure-api.net privatelink.azure-automation.net privatelink.azurecr.io privatelink.azure-devices.net privatelink.azure-devices-provisioning.net privatelink.azuredatabricks.net privatelink.azurehdinsight.net privatelink.azurehealthcareapis.com privatelink.azurestaticapps.net privatelink.azuresynapse.net privatelink.azurewebsites.net privatelink.batch.azure.com privatelink.blob.core.windows.net privatelink.cassandra.cosmos.azure.com privatelink.cognitiveservices.azure.com privatelink.database.windows.net privatelink.datafactory.azure.net privatelink.dev.azuresynapse.net privatelink.dfs.core.windows.net privatelink.dicom.azurehealthcareapis.com privatelink.digitaltwins.azure.net privatelink.directline.botframework.com privatelink.documents.azure.com privatelink.eventgrid.azure.net privatelink.file.core.windows.net privatelink.gremlin.cosmos.azure.com privatelink.guestconfiguration.azure.com privatelink.his.arc.azure.com privatelink.kubernetesconfiguration.azure.com privatelink.managedhsm.azure.net privatelink.mariadb.database.azure.com privatelink.media.azure.net privatelink.mongo.cosmos.azure.com privatelink.monitor.azure.com privatelink.mysql.database.azure.com privatelink.notebooks.azure.net privatelink.ods.opinsights.azure.com privatelink.oms.opinsights.azure.com privatelink.pbidedicated.windows.net privatelink.postgres.database.azure.com privatelink.prod.migration.windowsazure.com privatelink.purview.azure.com privatelink.purviewstudio.azure.com privatelink.queue.core.windows.net privatelink.redis.cache.windows.net 
privatelink.redisenterprise.cache.azure.net privatelink.search.windows.net privatelink.service.signalr.net privatelink.servicebus.windows.net privatelink.siterecovery.windowsazure.com privatelink.sql.azuresynapse.net privatelink.table.core.windows.net privatelink.table.cosmos.azure.com privatelink.tip1.powerquery.microsoft.com privatelink.token.botframework.com privatelink.vaultcore.azure.net privatelink.web.core.windows.net privatelink.webpubsub.azure.com`

### parPrivateDnsZoneAutoMergeAzureBackupZone

Expand Down Expand Up @@ -494,6 +494,7 @@ outHubVirtualNetworkId | string |
"privatelink.azurecr.io",
"privatelink.azure-devices.net",
"privatelink.azure-devices-provisioning.net",
"privatelink.azuredatabricks.net",
"privatelink.azurehdinsight.net",
"privatelink.azurehealthcareapis.com",
"privatelink.azurestaticapps.net",
15 changes: 8 additions & 7 deletions infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep
Expand Up @@ -157,6 +157,7 @@ param parPrivateDnsZones array = [
'privatelink.azurecr.io'
'privatelink.azure-devices.net'
'privatelink.azure-devices-provisioning.net'
'privatelink.azuredatabricks.net'
'privatelink.azurehdinsight.net'
'privatelink.azurehealthcareapis.com'
'privatelink.azurestaticapps.net'
Expand Down Expand Up @@ -595,15 +596,15 @@ resource resGateway 'Microsoft.Network/virtualNetworkGateways@2023-02-01' = [for
tier: gateway.sku
}
vpnClientConfiguration: (gateway.gatewayType == 'VPN') ? {
vpnClientAddressPool: contains(gateway.vpnClientConfiguration, 'vpnClientAddressPool') ? gateway.vpnClientConfiguration.vpnClientAddressPool: ''
vpnClientProtocols: contains(gateway.vpnClientConfiguration, 'vpnClientProtocols') ? gateway.vpnClientConfiguration.vpnClientProtocols: ''
vpnAuthenticationTypes: contains(gateway.vpnClientConfiguration, 'vpnAuthenticationTypes') ? gateway.vpnClientConfiguration.vpnAuthenticationTypes: ''
vpnClientAddressPool: contains(gateway.vpnClientConfiguration, 'vpnClientAddressPool') ? gateway.vpnClientConfiguration.vpnClientAddressPool : ''
vpnClientProtocols: contains(gateway.vpnClientConfiguration, 'vpnClientProtocols') ? gateway.vpnClientConfiguration.vpnClientProtocols : ''
vpnAuthenticationTypes: contains(gateway.vpnClientConfiguration, 'vpnAuthenticationTypes') ? gateway.vpnClientConfiguration.vpnAuthenticationTypes : ''
aadTenant: contains(gateway.vpnClientConfiguration, 'aadTenant') ? gateway.vpnClientConfiguration.aadTenant : ''
aadAudience: contains(gateway.vpnClientConfiguration, 'aadAudience') ? gateway.vpnClientConfiguration.aadAudience : ''
aadIssuer: contains(gateway.vpnClientConfiguration, 'aadIssuer') ? gateway.vpnClientConfiguration.aadIssuer: ''
vpnClientRootCertificates: contains(gateway.vpnClientConfiguration, 'vpnClientRootCertificates') ? gateway.vpnClientConfiguration.vpnClientRootCertificates: ''
radiusServerAddress: contains(gateway.vpnClientConfiguration, 'radiusServerAddress') ? gateway.vpnClientConfiguration.radiusServerAddress: ''
radiusServerSecret: contains(gateway.vpnClientConfiguration, 'radiusServerSecret') ? gateway.vpnClientConfiguration.radiusServerSecret: ''
aadIssuer: contains(gateway.vpnClientConfiguration, 'aadIssuer') ? gateway.vpnClientConfiguration.aadIssuer : ''
vpnClientRootCertificates: contains(gateway.vpnClientConfiguration, 'vpnClientRootCertificates') ? gateway.vpnClientConfiguration.vpnClientRootCertificates : ''
radiusServerAddress: contains(gateway.vpnClientConfiguration, 'radiusServerAddress') ? gateway.vpnClientConfiguration.radiusServerAddress : ''
radiusServerSecret: contains(gateway.vpnClientConfiguration, 'radiusServerSecret') ? gateway.vpnClientConfiguration.radiusServerSecret : ''
} : null
ipConfigurations: [
{
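Review bot: This hunk is whitespace-only (a space before the `:` of each ternary), so nothing changes functionally, but the fallbacks it touches deserve a look while they are in the diff. `vpnClientAddressPool` is an object and `vpnClientProtocols` / `vpnAuthenticationTypes` are arrays in the virtualNetworkGateways schema, so falling back to `''` when the key is absent yields a type mismatch rather than an unset property; `null` would express "not configured" consistently for every key here, `radiusServerSecret` included.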
Expand Up @@ -128,6 +128,7 @@
"privatelink.azurecr.io",
"privatelink.azure-devices.net",
"privatelink.azure-devices-provisioning.net",
"privatelink.azuredatabricks.net",
"privatelink.azurehdinsight.net",
"privatelink.azurehealthcareapis.com",
"privatelink.azurestaticapps.net",
Expand Up @@ -96,6 +96,7 @@ var varModuleDeploymentNames = {
modPolicyAssignmentIdentDenySubnetWithoutNsg: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denySubnetNoNSG-ident-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
modPolicyAssignmentIdentDeployVmBackup: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployVMBackup-ident-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
modPolicyAssignmentMgmtDeployLogAnalytics: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployLAW-mgmt-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
modPolicyAssignmentMgmtEnforceGrKeyVault: take('${varDeploymentNameWrappers.basePrefix}-polAssi-enforceGrKeyVault-mgmt-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
modPolicyAssignmentLzsDenyIpForwarding: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyIPForward-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
modPolicyAssignmentLzsDenyMgmtPortsFromInternet: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyMgmtFromInet-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
modPolicyAssignmentLzsDenySubnetWithoutNsg: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denySubnetNoNSG-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
Expand Down Expand Up @@ -323,6 +324,10 @@ var varRbacRoleDefinitionIds = {
logAnalyticsContributor: '92aaf0da-9dab-42b6-94a3-d43ce8d16293'
sqlSecurityManager: '056cd41c-7e88-42e1-933e-88ba6a50c9c3'
vmContributor: '9980e02c-c2be-4d73-94e8-173b1dc7cf3c'
monitoringContributor: '749f88d5-cbae-40b8-bcfc-e573ddc772fa'
aksPolicyAddon: '18ed5180-3e48-46fd-8541-4ea054d57064'
sqlDbContributor: '9b7fa17d-e63e-47b0-bb0a-15c516ac86ec'
backupContributor: '5e467623-bb1f-42f4-a55d-6e525e11384b'
}

// Management Groups Variables - Used For Policy Assignments
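Review bot: The four new GUIDs are opaque to anyone reading this map later; add an inline comment per entry naming the built-in role it resolves to (the key names only hint at it), and verify each against the built-in roles table before merge, since a transposed GUID here silently moves every assignment below onto the wrong role. The additions themselves are the right direction: they let the DINE assignments further down drop the blanket `owner` grant in favour of role-scoped permissions.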
Expand Down Expand Up @@ -358,6 +363,7 @@ var varPrivateDnsZonesFinalResourceIds = {
azureCosmosTablePrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.table.cosmos.azure.com'
azureDataFactoryPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.datafactory.azure.net'
azureDataFactoryPortalPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.adf.azure.com'
azureDatabricksPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.azuredatabricks.net'
azureHDInsightPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.azurehdinsight.net'
azureMigratePrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.prod.migration.windowsazure.com'
azureStorageBlobPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.blob.core.windows.net'
Expand Down Expand Up @@ -484,7 +490,8 @@ module modPolicyAssignmentIntRootDeployAzActivityLog '../../../policy/assignment
}
parPolicyAssignmentIdentityType: varPolicyAssignmentDeployAzActivityLog.libDefinition.identity.type
parPolicyAssignmentIdentityRoleDefinitionIds: [
varRbacRoleDefinitionIds.owner
varRbacRoleDefinitionIds.logAnalyticsContributor
varRbacRoleDefinitionIds.monitoringContributor
]
parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentDeployAzActivityLog.libDefinition.properties.enforcementMode
parTelemetryOptOut: parTelemetryOptOut
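Review bot: Swapping `owner` for `logAnalyticsContributor` plus `monitoringContributor` is the least-privilege fix this assignment needed: the remediation identity writes diagnostic settings, not arbitrary resources. Because the identity's effective permissions shrink, run a remediation task against a test subscription after deployment to confirm the pair still covers the write; the same check applies to the resource-diagnostics assignment below, which receives the identical pair.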
Expand Down Expand Up @@ -525,7 +532,8 @@ module modPolicyAssignmentIntRootDeployResourceDiag '../../../policy/assignments
parPolicyAssignmentIdentityType: varPolicyAssignmentDeployResourceDiag.libDefinition.identity.type
parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentDeployResourceDiag.libDefinition.properties.enforcementMode
parPolicyAssignmentIdentityRoleDefinitionIds: [
varRbacRoleDefinitionIds.owner
varRbacRoleDefinitionIds.logAnalyticsContributor
varRbacRoleDefinitionIds.monitoringContributor
]
parTelemetryOptOut: parTelemetryOptOut
}
Expand All @@ -549,7 +557,7 @@ module modPolicyAssignmentIntRootDeployVmMonitoring '../../../policy/assignments
parPolicyAssignmentIdentityType: varPolicyAssignmentDeployVMMonitoring.libDefinition.identity.type
parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentDeployVMMonitoring.libDefinition.properties.enforcementMode
parPolicyAssignmentIdentityRoleDefinitionIds: [
varRbacRoleDefinitionIds.owner
varRbacRoleDefinitionIds.logAnalyticsContributor
]
parTelemetryOptOut: parTelemetryOptOut
}
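Review bot: `logAnalyticsContributor` alone replaces `owner` here and in the VMSS assignment below; the remediation installs the monitoring extension on VMs, so this works only because the built-in Log Analytics Contributor role carries `Microsoft.Compute/virtualMachines/extensions/*` and the VMSS equivalent. A short comment on the role list would stop a later reader from assuming a Compute role is missing, and a remediation run against a test VM would confirm the grant is sufficient.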
Expand All @@ -573,7 +581,7 @@ module modPolicyAssignmentIntRootDeployVmssMonitoring '../../../policy/assignmen
parPolicyAssignmentIdentityType: varPolicyAssignmentDeployVMSSMonitoring.libDefinition.identity.type
parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentDeployVMSSMonitoring.libDefinition.properties.enforcementMode
parPolicyAssignmentIdentityRoleDefinitionIds: [
varRbacRoleDefinitionIds.owner
varRbacRoleDefinitionIds.logAnalyticsContributor
]
parTelemetryOptOut: parTelemetryOptOut
}
Expand Down Expand Up @@ -780,7 +788,8 @@ module modPolicyAssignmentIdentDeployVmBackup '../../../policy/assignments/polic
parPolicyAssignmentIdentityType: varPolicyAssignmentDeployVMBackup.libDefinition.identity.type
parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentDeployVMBackup.libDefinition.properties.enforcementMode
parPolicyAssignmentIdentityRoleDefinitionIds: [
varRbacRoleDefinitionIds.owner
varRbacRoleDefinitionIds.backupContributor
varRbacRoleDefinitionIds.vmContributor
]
parTelemetryOptOut: parTelemetryOptOut
}
Expand Down Expand Up @@ -820,12 +829,28 @@ module modPolicyAssignmentMgmtDeployLogAnalytics '../../../policy/assignments/po
parPolicyAssignmentIdentityType: varPolicyAssignmentDeployLogAnalytics.libDefinition.identity.type
parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentDeployLogAnalytics.libDefinition.properties.enforcementMode
parPolicyAssignmentIdentityRoleDefinitionIds: [
varRbacRoleDefinitionIds.owner
varRbacRoleDefinitionIds.contributor
]
parTelemetryOptOut: parTelemetryOptOut
}
}

// Module - Policy Assignment - Enforce-GR-KeyVault
module modPolicyAssignmentMgmtEnforceGrKeyVault '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentEnforceGRKeyVault.libDefinition.name)) {
scope: managementGroup(varManagementGroupIds.platformManagement)
name: varModuleDeploymentNames.modPolicyAssignmentMgmtEnforceGrKeyVault
params: {
parPolicyAssignmentDefinitionId: varPolicyAssignmentEnforceGRKeyVault.definitionId
parPolicyAssignmentName: varPolicyAssignmentEnforceGRKeyVault.libDefinition.name
parPolicyAssignmentDisplayName: varPolicyAssignmentEnforceGRKeyVault.libDefinition.properties.displayName
parPolicyAssignmentDescription: varPolicyAssignmentEnforceGRKeyVault.libDefinition.properties.description
parPolicyAssignmentParameters: varPolicyAssignmentEnforceGRKeyVault.libDefinition.properties.parameters
parPolicyAssignmentIdentityType: varPolicyAssignmentEnforceGRKeyVault.libDefinition.identity.type
parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentEnforceGRKeyVault.libDefinition.properties.enforcementMode
parTelemetryOptOut: parTelemetryOptOut
}
}

// Modules - Policy Assignments - Landing Zones Management Group
// Module - Policy Assignment - Deny-IP-Forwarding
module modPolicyAssignmentLzsDenyIpForwarding '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDenyIPForwarding.libDefinition.name)) {
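Review bot: The new `modPolicyAssignmentMgmtEnforceGrKeyVault` module passes `parPolicyAssignmentIdentityType` from the library definition but no `parPolicyAssignmentIdentityRoleDefinitionIds`; that is fine if the library sets identity type `None` (an enforce/deny policy needs no remediation identity), but if it is `SystemAssigned` the identity is created with no role and any remediation fails on authorization, so please confirm which it is. Separately, `modPolicyAssignmentMgmtDeployLogAnalytics` only steps down from `owner` to `contributor`; if `contributor` is required because the remediation creates the workspace and its resource group, say so in a comment beside the role list, otherwise it stands out against the role-scoped grants used elsewhere in this commit.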
Expand Down Expand Up @@ -956,6 +981,7 @@ module modPolicyAssignmentLzsDeployAksPolicy '../../../policy/assignments/policy
parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentDeployAKSPolicy.libDefinition.properties.enforcementMode
parPolicyAssignmentIdentityRoleDefinitionIds: [
varRbacRoleDefinitionIds.aksContributor
varRbacRoleDefinitionIds.aksPolicyAddon
]
parTelemetryOptOut: parTelemetryOptOut
}
Expand Down Expand Up @@ -1085,7 +1111,7 @@ module modPolicyAssignmentLzsDeploySqlTde '../../../policy/assignments/policyAss
parPolicyAssignmentIdentityType: varPolicyAssignmentDeploySQLTDE.libDefinition.identity.type
parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentDeploySQLTDE.libDefinition.properties.enforcementMode
parPolicyAssignmentIdentityRoleDefinitionIds: [
varRbacRoleDefinitionIds.sqlSecurityManager
varRbacRoleDefinitionIds.sqlDbContributor
]
parTelemetryOptOut: parTelemetryOptOut
}
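Review bot: Replacing `sqlSecurityManager` with `sqlDbContributor` moves this identity from a security-scoped role to one that can manage databases generally, which is the opposite direction from the other role changes in this commit. If SQL Security Manager was found insufficient for the TDE remediation, record that in a comment beside the role list so the broader grant survives the next least-privilege review with its rationale intact.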
Expand Down Expand Up @@ -1181,6 +1207,9 @@ module modPolicyAssignmentConnDeployPrivateDnsZones '../../../policy/assignments
azureDataFactoryPortalPrivateDnsZoneId: {
value: varPrivateDnsZonesFinalResourceIds.azureDataFactoryPortalPrivateDnsZoneId
}
azureDatabricksPrivateDnsZoneId: {
value: varPrivateDnsZonesFinalResourceIds.azureDatabricksPrivateDnsZoneId
}
azureHDInsightPrivateDnsZoneId: {
value: varPrivateDnsZonesFinalResourceIds.azureHDInsightPrivateDnsZoneId
}
Expand Up @@ -20,6 +20,7 @@
"privatelink.azurecr.io",
"privatelink.azure-devices.net",
"privatelink.azure-devices-provisioning.net",
"privatelink.azuredatabricks.net",
"privatelink.azurehdinsight.net",
"privatelink.azurehealthcareapis.com",
"privatelink.azurestaticapps.net",
Expand Up @@ -43,6 +43,9 @@
"azureDataFactoryPortalPrivateDnsZoneId": {
"value": "${varPrivateDnsZonesFinalResourceIds}.azureDataFactoryPortalPrivateDnsZoneId]"
},
"azureDatabricksPrivateDnsZoneId": {
"value": "${varPrivateDnsZonesFinalResourceIds}.azureDatabricksPrivateDnsZoneId]"
},
"azureHDInsightPrivateDnsZoneId": {
"value": "${varPrivateDnsZonesFinalResourceIds}.azureHDInsightPrivateDnsZoneId]"
},
0 comments on commit 8dbc3da
