From 8dbc3dacc495aeabfe45d451e94354ad39c0da35 Mon Sep 17 00:00:00 2001 From: "cae-pr-creator[bot]" <126156663+cae-pr-creator[bot]@users.noreply.github.com> Date: Thu, 5 Oct 2023 15:17:32 +0100 Subject: [PATCH] Update Policy Library (automated) (#639) Co-authored-by: github-actions Co-authored-by: Jack Tracey <41163455+jtracey93@users.noreply.github.com> Co-authored-by: Jack Tracey Co-authored-by: github-actions <41898282+github-actions[bot]@users.noreply.github.com> --- .../generateddocs/hubNetworking.bicep.md | 3 +- .../modules/hubNetworking/hubNetworking.bicep | 15 +++--- .../hubNetworking.parameters.all.json | 1 + .../alzDefaultPolicyAssignments.bicep | 43 ++++++++++++++--- ...y_assignment_es_audit_pednszones.tmpl.json | 1 + ...ment_es_deploy_private_dns_zones.tmpl.json | 3 ++ .../definitions/customPolicyDefinitions.bicep | 46 +++++++++++++++++-- .../_policyDefinitionsBicepInput.txt | 8 ++++ ...finition_es_Audit-PrivateLinkDnsZones.json | 3 +- ...y-MachineLearning-PublicNetworkAccess.json | 3 +- ...ition_es_Deny-MgmtPorts-From-Internet.json | 1 + ...cy_definition_es_Deny-PostgreSql-http.json | 4 +- ...nition_es_Deny-PublicEndpoint-MariaDB.json | 3 +- .../policy_definition_es_Deny-PublicIP.json | 3 +- ..._definition_es_Deny-RDP-From-Internet.json | 3 +- ...definition_es_DenyAction-ActivityLogs.json | 38 +++++++++++++++ ...finition_es_DenyAction-DiagnosticLogs.json | 38 +++++++++++++++ ...nition_es_Deploy-Diagnostics-CosmosDB.json | 6 ++- ...nition_es_Deploy-MySQL-sslEnforcement.json | 4 +- ...finition_es_Deploy-Nsg-FlowLogs-to-LA.json | 3 +- ...icy_definition_es_Deploy-Nsg-FlowLogs.json | 3 +- ...n_es_Deploy-PostgreSQL-sslEnforcement.json | 4 +- ...olicy_definition_es_Deploy-SQL-minTLS.json | 4 +- .../policy_definition_es_Deploy-Sql-Tde.json | 1 + ...icy_definition_es_Deploy-SqlMi-minTLS.json | 5 +- ...tion_es_Deploy-Storage-sslEnforcement.json | 4 +- .../_policySetDefinitionsBicepInput.txt | 38 +++++++++++++-- ...nition_es_DenyAction-DeleteProtection.json | 37 +++++++++++++++ ...enyAction-DeleteProtection.parameters.json | 8 ++++ ..._set_definition_es_Deploy-MDFC-Config.json | 6 +-- ...tion_es_Deploy-MDFC-Config.parameters.json | 2 +- ...efinition_es_Deploy-Private-DNS-Zones.json | 43 ++++++++++++++++- ...s_Deploy-Private-DNS-Zones.parameters.json | 26 +++++++++++ .../generateddocs/privateDnsZones.bicep.md | 3 +- .../privateDnsZones.parameters.all.json | 1 + .../privateDnsZones.parameters.min.json | 1 + .../privateDnsZones/privateDnsZones.bicep | 4 +- .../samples/baseline.sample.bicep | 1 + .../generateddocs/vwanConnectivity.bicep.md | 3 +- .../vwanConnectivity.parameters.all.json | 1 + .../samples/baseline.sample.bicep | 21 +++++---- .../vwanConnectivity/vwanConnectivity.bicep | 1 + 42 files changed, 386 insertions(+), 60 deletions(-) create mode 100644 infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_DenyAction-ActivityLogs.json create mode 100644 infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_DenyAction-DiagnosticLogs.json create mode 100644 infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_DenyAction-DeleteProtection.json create mode 100644 infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_DenyAction-DeleteProtection.parameters.json diff --git a/infra-as-code/bicep/modules/hubNetworking/generateddocs/hubNetworking.bicep.md b/infra-as-code/bicep/modules/hubNetworking/generateddocs/hubNetworking.bicep.md index 69e2481f6..0f68d217d 100644 --- a/infra-as-code/bicep/modules/hubNetworking/generateddocs/hubNetworking.bicep.md +++ b/infra-as-code/bicep/modules/hubNetworking/generateddocs/hubNetworking.bicep.md @@ -282,7 +282,7 @@ Resource Group Name for Private DNS Zones. Array of DNS Zones to provision in Hub Virtual Network. Default: All known Azure Private DNS Zones -- Default value: `[format('privatelink.{0}.azmk8s.io', toLower(parameters('parLocation')))] [format('privatelink.{0}.batch.azure.com', toLower(parameters('parLocation')))] [format('privatelink.{0}.kusto.windows.net', toLower(parameters('parLocation')))] privatelink.adf.azure.com privatelink.afs.azure.net privatelink.agentsvc.azure-automation.net privatelink.analysis.windows.net privatelink.api.azureml.ms privatelink.azconfig.io privatelink.azure-api.net privatelink.azure-automation.net privatelink.azurecr.io privatelink.azure-devices.net privatelink.azure-devices-provisioning.net privatelink.azurehdinsight.net privatelink.azurehealthcareapis.com privatelink.azurestaticapps.net privatelink.azuresynapse.net privatelink.azurewebsites.net privatelink.batch.azure.com privatelink.blob.core.windows.net privatelink.cassandra.cosmos.azure.com privatelink.cognitiveservices.azure.com privatelink.database.windows.net privatelink.datafactory.azure.net privatelink.dev.azuresynapse.net privatelink.dfs.core.windows.net privatelink.dicom.azurehealthcareapis.com privatelink.digitaltwins.azure.net privatelink.directline.botframework.com privatelink.documents.azure.com privatelink.eventgrid.azure.net privatelink.file.core.windows.net privatelink.gremlin.cosmos.azure.com privatelink.guestconfiguration.azure.com privatelink.his.arc.azure.com privatelink.kubernetesconfiguration.azure.com privatelink.managedhsm.azure.net privatelink.mariadb.database.azure.com privatelink.media.azure.net privatelink.mongo.cosmos.azure.com privatelink.monitor.azure.com privatelink.mysql.database.azure.com privatelink.notebooks.azure.net privatelink.ods.opinsights.azure.com privatelink.oms.opinsights.azure.com privatelink.pbidedicated.windows.net privatelink.postgres.database.azure.com privatelink.prod.migration.windowsazure.com privatelink.purview.azure.com privatelink.purviewstudio.azure.com privatelink.queue.core.windows.net privatelink.redis.cache.windows.net privatelink.redisenterprise.cache.azure.net privatelink.search.windows.net privatelink.service.signalr.net privatelink.servicebus.windows.net privatelink.siterecovery.windowsazure.com privatelink.sql.azuresynapse.net privatelink.table.core.windows.net privatelink.table.cosmos.azure.com privatelink.tip1.powerquery.microsoft.com privatelink.token.botframework.com privatelink.vaultcore.azure.net privatelink.web.core.windows.net privatelink.webpubsub.azure.com` +- Default value: `[format('privatelink.{0}.azmk8s.io', toLower(parameters('parLocation')))] [format('privatelink.{0}.batch.azure.com', toLower(parameters('parLocation')))] [format('privatelink.{0}.kusto.windows.net', toLower(parameters('parLocation')))] privatelink.adf.azure.com privatelink.afs.azure.net privatelink.agentsvc.azure-automation.net privatelink.analysis.windows.net privatelink.api.azureml.ms privatelink.azconfig.io privatelink.azure-api.net privatelink.azure-automation.net privatelink.azurecr.io privatelink.azure-devices.net privatelink.azure-devices-provisioning.net privatelink.azuredatabricks.net privatelink.azurehdinsight.net privatelink.azurehealthcareapis.com privatelink.azurestaticapps.net privatelink.azuresynapse.net privatelink.azurewebsites.net privatelink.batch.azure.com privatelink.blob.core.windows.net privatelink.cassandra.cosmos.azure.com privatelink.cognitiveservices.azure.com privatelink.database.windows.net privatelink.datafactory.azure.net privatelink.dev.azuresynapse.net privatelink.dfs.core.windows.net privatelink.dicom.azurehealthcareapis.com privatelink.digitaltwins.azure.net privatelink.directline.botframework.com privatelink.documents.azure.com privatelink.eventgrid.azure.net privatelink.file.core.windows.net privatelink.gremlin.cosmos.azure.com privatelink.guestconfiguration.azure.com privatelink.his.arc.azure.com privatelink.kubernetesconfiguration.azure.com privatelink.managedhsm.azure.net privatelink.mariadb.database.azure.com privatelink.media.azure.net privatelink.mongo.cosmos.azure.com privatelink.monitor.azure.com privatelink.mysql.database.azure.com privatelink.notebooks.azure.net privatelink.ods.opinsights.azure.com privatelink.oms.opinsights.azure.com privatelink.pbidedicated.windows.net privatelink.postgres.database.azure.com privatelink.prod.migration.windowsazure.com privatelink.purview.azure.com privatelink.purviewstudio.azure.com privatelink.queue.core.windows.net privatelink.redis.cache.windows.net privatelink.redisenterprise.cache.azure.net privatelink.search.windows.net privatelink.service.signalr.net privatelink.servicebus.windows.net privatelink.siterecovery.windowsazure.com privatelink.sql.azuresynapse.net privatelink.table.core.windows.net privatelink.table.cosmos.azure.com privatelink.tip1.powerquery.microsoft.com privatelink.token.botframework.com privatelink.vaultcore.azure.net privatelink.web.core.windows.net privatelink.webpubsub.azure.com` ### parPrivateDnsZoneAutoMergeAzureBackupZone @@ -494,6 +494,7 @@ outHubVirtualNetworkId | string | "privatelink.azurecr.io", "privatelink.azure-devices.net", "privatelink.azure-devices-provisioning.net", + "privatelink.azuredatabricks.net", "privatelink.azurehdinsight.net", "privatelink.azurehealthcareapis.com", "privatelink.azurestaticapps.net", diff --git a/infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep b/infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep index 6f52dd847..6bc2e09e1 100644 --- a/infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep +++ b/infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep @@ -157,6 +157,7 @@ param parPrivateDnsZones array = [ 'privatelink.azurecr.io' 'privatelink.azure-devices.net' 'privatelink.azure-devices-provisioning.net' + 'privatelink.azuredatabricks.net' 'privatelink.azurehdinsight.net' 'privatelink.azurehealthcareapis.com' 'privatelink.azurestaticapps.net' @@ -595,15 +596,15 @@ resource resGateway 'Microsoft.Network/virtualNetworkGateways@2023-02-01' = [for tier: gateway.sku } vpnClientConfiguration: (gateway.gatewayType == 'VPN') ? { - vpnClientAddressPool: contains(gateway.vpnClientConfiguration, 'vpnClientAddressPool') ? gateway.vpnClientConfiguration.vpnClientAddressPool: '' - vpnClientProtocols: contains(gateway.vpnClientConfiguration, 'vpnClientProtocols') ? gateway.vpnClientConfiguration.vpnClientProtocols: '' - vpnAuthenticationTypes: contains(gateway.vpnClientConfiguration, 'vpnAuthenticationTypes') ? gateway.vpnClientConfiguration.vpnAuthenticationTypes: '' + vpnClientAddressPool: contains(gateway.vpnClientConfiguration, 'vpnClientAddressPool') ? gateway.vpnClientConfiguration.vpnClientAddressPool : '' + vpnClientProtocols: contains(gateway.vpnClientConfiguration, 'vpnClientProtocols') ? gateway.vpnClientConfiguration.vpnClientProtocols : '' + vpnAuthenticationTypes: contains(gateway.vpnClientConfiguration, 'vpnAuthenticationTypes') ? gateway.vpnClientConfiguration.vpnAuthenticationTypes : '' aadTenant: contains(gateway.vpnClientConfiguration, 'aadTenant') ? gateway.vpnClientConfiguration.aadTenant : '' aadAudience: contains(gateway.vpnClientConfiguration, 'aadAudience') ? gateway.vpnClientConfiguration.aadAudience : '' - aadIssuer: contains(gateway.vpnClientConfiguration, 'aadIssuer') ? gateway.vpnClientConfiguration.aadIssuer: '' - vpnClientRootCertificates: contains(gateway.vpnClientConfiguration, 'vpnClientRootCertificates') ? gateway.vpnClientConfiguration.vpnClientRootCertificates: '' - radiusServerAddress: contains(gateway.vpnClientConfiguration, 'radiusServerAddress') ? gateway.vpnClientConfiguration.radiusServerAddress: '' - radiusServerSecret: contains(gateway.vpnClientConfiguration, 'radiusServerSecret') ? gateway.vpnClientConfiguration.radiusServerSecret: '' + aadIssuer: contains(gateway.vpnClientConfiguration, 'aadIssuer') ? gateway.vpnClientConfiguration.aadIssuer : '' + vpnClientRootCertificates: contains(gateway.vpnClientConfiguration, 'vpnClientRootCertificates') ? gateway.vpnClientConfiguration.vpnClientRootCertificates : '' + radiusServerAddress: contains(gateway.vpnClientConfiguration, 'radiusServerAddress') ? gateway.vpnClientConfiguration.radiusServerAddress : '' + radiusServerSecret: contains(gateway.vpnClientConfiguration, 'radiusServerSecret') ? gateway.vpnClientConfiguration.radiusServerSecret : '' } : null ipConfigurations: [ { diff --git a/infra-as-code/bicep/modules/hubNetworking/parameters/hubNetworking.parameters.all.json b/infra-as-code/bicep/modules/hubNetworking/parameters/hubNetworking.parameters.all.json index d59dd8313..87c8e8a14 100644 --- a/infra-as-code/bicep/modules/hubNetworking/parameters/hubNetworking.parameters.all.json +++ b/infra-as-code/bicep/modules/hubNetworking/parameters/hubNetworking.parameters.all.json @@ -128,6 +128,7 @@ "privatelink.azurecr.io", "privatelink.azure-devices.net", "privatelink.azure-devices-provisioning.net", + "privatelink.azuredatabricks.net", "privatelink.azurehdinsight.net", "privatelink.azurehealthcareapis.com", "privatelink.azurestaticapps.net", diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep index 4d15e41af..64df915e7 100644 --- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep +++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep @@ -96,6 +96,7 @@ var varModuleDeploymentNames = { modPolicyAssignmentIdentDenySubnetWithoutNsg: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denySubnetNoNSG-ident-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) modPolicyAssignmentIdentDeployVmBackup: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployVMBackup-ident-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) modPolicyAssignmentMgmtDeployLogAnalytics: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployLAW-mgmt-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) + modPolicyAssignmentMgmtEnforceGrKeyVault: take('${varDeploymentNameWrappers.basePrefix}-polAssi-enforceGrKeyVault-mgmt-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) modPolicyAssignmentLzsDenyIpForwarding: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyIPForward-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) modPolicyAssignmentLzsDenyMgmtPortsFromInternet: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyMgmtFromInet-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) modPolicyAssignmentLzsDenySubnetWithoutNsg: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denySubnetNoNSG-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) @@ -323,6 +324,10 @@ var varRbacRoleDefinitionIds = { logAnalyticsContributor: '92aaf0da-9dab-42b6-94a3-d43ce8d16293' sqlSecurityManager: '056cd41c-7e88-42e1-933e-88ba6a50c9c3' vmContributor: '9980e02c-c2be-4d73-94e8-173b1dc7cf3c' + monitoringContributor: '749f88d5-cbae-40b8-bcfc-e573ddc772fa' + aksPolicyAddon: '18ed5180-3e48-46fd-8541-4ea054d57064' + sqlDbContributor: '9b7fa17d-e63e-47b0-bb0a-15c516ac86ec' + backupContributor: '5e467623-bb1f-42f4-a55d-6e525e11384b' } // Management Groups Variables - Used For Policy Assignments @@ -358,6 +363,7 @@ var varPrivateDnsZonesFinalResourceIds = { azureCosmosTablePrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.table.cosmos.azure.com' azureDataFactoryPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.datafactory.azure.net' azureDataFactoryPortalPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.adf.azure.com' + azureDatabricksPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.azuredatabricks.net' azureHDInsightPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.azurehdinsight.net' azureMigratePrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.prod.migration.windowsazure.com' azureStorageBlobPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.blob.core.windows.net' @@ -484,7 +490,8 @@ module modPolicyAssignmentIntRootDeployAzActivityLog '../../../policy/assignment } parPolicyAssignmentIdentityType: varPolicyAssignmentDeployAzActivityLog.libDefinition.identity.type parPolicyAssignmentIdentityRoleDefinitionIds: [ - varRbacRoleDefinitionIds.owner + varRbacRoleDefinitionIds.logAnalyticsContributor + varRbacRoleDefinitionIds.monitoringContributor ] parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentDeployAzActivityLog.libDefinition.properties.enforcementMode parTelemetryOptOut: parTelemetryOptOut @@ -525,7 +532,8 @@ module modPolicyAssignmentIntRootDeployResourceDiag '../../../policy/assignments parPolicyAssignmentIdentityType: varPolicyAssignmentDeployResourceDiag.libDefinition.identity.type parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentDeployResourceDiag.libDefinition.properties.enforcementMode parPolicyAssignmentIdentityRoleDefinitionIds: [ - varRbacRoleDefinitionIds.owner + varRbacRoleDefinitionIds.logAnalyticsContributor + varRbacRoleDefinitionIds.monitoringContributor ] parTelemetryOptOut: parTelemetryOptOut } @@ -549,7 +557,7 @@ module modPolicyAssignmentIntRootDeployVmMonitoring '../../../policy/assignments parPolicyAssignmentIdentityType: varPolicyAssignmentDeployVMMonitoring.libDefinition.identity.type parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentDeployVMMonitoring.libDefinition.properties.enforcementMode parPolicyAssignmentIdentityRoleDefinitionIds: [ - varRbacRoleDefinitionIds.owner + varRbacRoleDefinitionIds.logAnalyticsContributor ] parTelemetryOptOut: parTelemetryOptOut } @@ -573,7 +581,7 @@ module modPolicyAssignmentIntRootDeployVmssMonitoring '../../../policy/assignmen parPolicyAssignmentIdentityType: varPolicyAssignmentDeployVMSSMonitoring.libDefinition.identity.type parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentDeployVMSSMonitoring.libDefinition.properties.enforcementMode parPolicyAssignmentIdentityRoleDefinitionIds: [ - varRbacRoleDefinitionIds.owner + varRbacRoleDefinitionIds.logAnalyticsContributor ] parTelemetryOptOut: parTelemetryOptOut } @@ -780,7 +788,8 @@ module modPolicyAssignmentIdentDeployVmBackup '../../../policy/assignments/polic parPolicyAssignmentIdentityType: varPolicyAssignmentDeployVMBackup.libDefinition.identity.type parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentDeployVMBackup.libDefinition.properties.enforcementMode parPolicyAssignmentIdentityRoleDefinitionIds: [ - varRbacRoleDefinitionIds.owner + varRbacRoleDefinitionIds.backupContributor + varRbacRoleDefinitionIds.vmContributor ] parTelemetryOptOut: parTelemetryOptOut } @@ -820,12 +829,28 @@ module modPolicyAssignmentMgmtDeployLogAnalytics '../../../policy/assignments/po parPolicyAssignmentIdentityType: varPolicyAssignmentDeployLogAnalytics.libDefinition.identity.type parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentDeployLogAnalytics.libDefinition.properties.enforcementMode parPolicyAssignmentIdentityRoleDefinitionIds: [ - varRbacRoleDefinitionIds.owner + varRbacRoleDefinitionIds.contributor ] parTelemetryOptOut: parTelemetryOptOut } } +// Module - Policy Assignment - Enforce-GR-KeyVault +module modPolicyAssignmentMgmtEnforceGrKeyVault '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentEnforceGRKeyVault.libDefinition.name)) { + scope: managementGroup(varManagementGroupIds.platformManagement) + name: varModuleDeploymentNames.modPolicyAssignmentMgmtEnforceGrKeyVault + params: { + parPolicyAssignmentDefinitionId: varPolicyAssignmentEnforceGRKeyVault.definitionId + parPolicyAssignmentName: varPolicyAssignmentEnforceGRKeyVault.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentEnforceGRKeyVault.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentEnforceGRKeyVault.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentEnforceGRKeyVault.libDefinition.properties.parameters + parPolicyAssignmentIdentityType: varPolicyAssignmentEnforceGRKeyVault.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentEnforceGRKeyVault.libDefinition.properties.enforcementMode + parTelemetryOptOut: parTelemetryOptOut + } +} + // Modules - Policy Assignments - Landing Zones Management Group // Module - Policy Assignment - Deny-IP-Forwarding module modPolicyAssignmentLzsDenyIpForwarding '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDenyIPForwarding.libDefinition.name)) { @@ -956,6 +981,7 @@ module modPolicyAssignmentLzsDeployAksPolicy '../../../policy/assignments/policy parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentDeployAKSPolicy.libDefinition.properties.enforcementMode parPolicyAssignmentIdentityRoleDefinitionIds: [ varRbacRoleDefinitionIds.aksContributor + varRbacRoleDefinitionIds.aksPolicyAddon ] parTelemetryOptOut: parTelemetryOptOut } @@ -1085,7 +1111,7 @@ module modPolicyAssignmentLzsDeploySqlTde '../../../policy/assignments/policyAss parPolicyAssignmentIdentityType: varPolicyAssignmentDeploySQLTDE.libDefinition.identity.type parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentDeploySQLTDE.libDefinition.properties.enforcementMode parPolicyAssignmentIdentityRoleDefinitionIds: [ - varRbacRoleDefinitionIds.sqlSecurityManager + varRbacRoleDefinitionIds.sqlDbContributor ] parTelemetryOptOut: parTelemetryOptOut } @@ -1181,6 +1207,9 @@ module modPolicyAssignmentConnDeployPrivateDnsZones '../../../policy/assignments azureDataFactoryPortalPrivateDnsZoneId: { value: varPrivateDnsZonesFinalResourceIds.azureDataFactoryPortalPrivateDnsZoneId } + azureDatabricksPrivateDnsZoneId: { + value: varPrivateDnsZonesFinalResourceIds.azureDatabricksPrivateDnsZoneId + } azureHDInsightPrivateDnsZoneId: { value: varPrivateDnsZonesFinalResourceIds.azureHDInsightPrivateDnsZoneId } diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_audit_pednszones.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_audit_pednszones.tmpl.json index b7b2c607b..cbb601958 100644 --- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_audit_pednszones.tmpl.json +++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_audit_pednszones.tmpl.json @@ -20,6 +20,7 @@ "privatelink.azurecr.io", "privatelink.azure-devices.net", "privatelink.azure-devices-provisioning.net", + "privatelink.azuredatabricks.net", "privatelink.azurehdinsight.net", "privatelink.azurehealthcareapis.com", "privatelink.azurestaticapps.net", diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_private_dns_zones.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_private_dns_zones.tmpl.json index 930f9b486..63a0cd415 100644 --- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_private_dns_zones.tmpl.json +++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_private_dns_zones.tmpl.json @@ -43,6 +43,9 @@ "azureDataFactoryPortalPrivateDnsZoneId": { "value": "${varPrivateDnsZonesFinalResourceIds}.azureDataFactoryPortalPrivateDnsZoneId]" }, + "azureDatabricksPrivateDnsZoneId": { + "value": "${varPrivateDnsZonesFinalResourceIds}.azureDatabricksPrivateDnsZoneId]" + }, "azureHDInsightPrivateDnsZoneId": { "value": "${varPrivateDnsZonesFinalResourceIds}.azureHDInsightPrivateDnsZoneId]" }, diff --git a/infra-as-code/bicep/modules/policy/definitions/customPolicyDefinitions.bicep b/infra-as-code/bicep/modules/policy/definitions/customPolicyDefinitions.bicep index 038513e81..27e51d8c4 100644 --- a/infra-as-code/bicep/modules/policy/definitions/customPolicyDefinitions.bicep +++ b/infra-as-code/bicep/modules/policy/definitions/customPolicyDefinitions.bicep @@ -217,6 +217,14 @@ var varCustomPolicyDefinitionsArray = [ name: 'Deny-VNet-Peering' libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-VNet-Peering.json') } + { + name: 'DenyAction-ActivityLogs' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_DenyAction-ActivityLogs.json') + } + { + name: 'DenyAction-DiagnosticLogs' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_DenyAction-DiagnosticLogs.json') + } { name: 'Deploy-ASC-SecurityContacts' libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-ASC-SecurityContacts.json') @@ -669,6 +677,24 @@ var varCustomPolicySetDefinitionsArray = [ } ] } + { + name: 'DenyAction-DeleteProtection' + libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_DenyAction-DeleteProtection.json') + libSetChildDefinitions: [ + { + definitionReferenceId: 'DenyActionDelete-ActivityLogSettings' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/DenyAction-ActivityLogs' + definitionParameters: varPolicySetDefinitionEsDenyActionDeleteProtectionParameters['DenyActionDelete-ActivityLogSettings'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DenyActionDelete-DiagnosticSettings' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/DenyAction-DiagnosticLogs' + definitionParameters: varPolicySetDefinitionEsDenyActionDeleteProtectionParameters['DenyActionDelete-DiagnosticSettings'].parameters + definitionGroups: [] + } + ] + } { name: 'Deploy-Diagnostics-LogAnalytics' libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Deploy-Diagnostics-LogAnalytics.json') @@ -1184,9 +1210,9 @@ var varCustomPolicySetDefinitionsArray = [ definitionGroups: [] } { - definitionReferenceId: 'defenderForStorageAccounts' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/74c30959-af11-47b3-9ed2-a26e03f427a3' - definitionParameters: varPolicySetDefinitionEsDeployMDFCConfigParameters.defenderForStorageAccounts.parameters + definitionReferenceId: 'defenderForStorageAccountsV2' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/cfdc5972-75b3-4418-8ae1-7f5c36839390' + definitionParameters: varPolicySetDefinitionEsDeployMDFCConfigParameters.defenderForStorageAccountsV2.parameters definitionGroups: [] } { @@ -1291,6 +1317,18 @@ var varCustomPolicySetDefinitionsArray = [ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Cosmos-Table'].parameters definitionGroups: [] } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-Databrics-Browser-AuthN' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/0eddd7f3-3d9b-4927-a07a-806e8ac9486c' + definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Databrics-Browser-AuthN'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-Databrics-UI-Api' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/0eddd7f3-3d9b-4927-a07a-806e8ac9486c' + definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Databrics-UI-Api'].parameters + definitionGroups: [] + } { definitionReferenceId: 'DINE-Private-DNS-Azure-DataFactory' definitionId: '/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4' @@ -1889,6 +1927,8 @@ var varPolicySetDefinitionEsAuditUnusedResourcesCostOptimizationParameters = loa var varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Deny-PublicPaaSEndpoints.parameters.json') +var varPolicySetDefinitionEsDenyActionDeleteProtectionParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_DenyAction-DeleteProtection.parameters.json') + var varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Deploy-Diagnostics-LogAnalytics.parameters.json') var varPolicySetDefinitionEsDeployMDFCConfigParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Deploy-MDFC-Config.parameters.json') diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/_policyDefinitionsBicepInput.txt b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/_policyDefinitionsBicepInput.txt index 9c66f5a44..9229258cb 100644 --- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/_policyDefinitionsBicepInput.txt +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/_policyDefinitionsBicepInput.txt @@ -202,6 +202,14 @@ name: 'Deny-VNet-Peering' libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-VNet-Peering.json') } +{ + name: 'DenyAction-ActivityLogs' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_DenyAction-ActivityLogs.json') +} +{ + name: 'DenyAction-DiagnosticLogs' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_DenyAction-DiagnosticLogs.json') +} { name: 'Deploy-ASC-SecurityContacts' libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-ASC-SecurityContacts.json') diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Audit-PrivateLinkDnsZones.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Audit-PrivateLinkDnsZones.json index 21e247a0d..b23924b95 100644 --- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Audit-PrivateLinkDnsZones.json +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Audit-PrivateLinkDnsZones.json @@ -9,7 +9,7 @@ "displayName": "Audit the creation of Private Link Private DNS Zones", "description": "This policy audits the creation of a Private Link Private DNS Zones in the current scope, used in combination with policies that create centralized private DNS in connectivity subscription", "metadata": { - "version": "1.0.0", + "version": "1.0.1", "category": "Network", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -50,6 +50,7 @@ "privatelink.azurecr.io", "privatelink.azure-devices.net", "privatelink.azure-devices-provisioning.net", + "privatelink.azuredatabricks.net", "privatelink.azurehdinsight.net", "privatelink.azurehealthcareapis.com", "privatelink.azurestaticapps.net", diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-MachineLearning-PublicNetworkAccess.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-MachineLearning-PublicNetworkAccess.json index c31c8140f..6c99bd678 100644 --- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-MachineLearning-PublicNetworkAccess.json +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-MachineLearning-PublicNetworkAccess.json @@ -7,12 +7,13 @@ "policyType": "Custom", "mode": "Indexed", "displayName": "[Deprecated] Azure Machine Learning should have disabled public network access", - "description": "Denies public network access for Azure Machine Learning workspaces.", + "description": "Denies public network access for Azure Machine Learning workspaces. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/438c38d2-3772-465a-a9cc-7a6666a275ce.html", "metadata": { "version": "1.0.0-deprecated", "category": "Machine Learning", "source": "https://github.com/Azure/Enterprise-Scale/", "deprecated": true, + "supersededBy": "438c38d2-3772-465a-a9cc-7a6666a275ce", "alzCloudEnvironments": [ "AzureCloud" ] diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-MgmtPorts-From-Internet.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-MgmtPorts-From-Internet.json index 86e8a8473..731cbbc69 100644 --- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-MgmtPorts-From-Internet.json +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-MgmtPorts-From-Internet.json @@ -12,6 +12,7 @@ "version": "2.1.0", "category": "Network", "source": "https://github.com/Azure/Enterprise-Scale/", + "replacesPolicy": "Deny-RDP-From-Internet", "alzCloudEnvironments": [ "AzureCloud", "AzureChinaCloud", diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-PostgreSql-http.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-PostgreSql-http.json index fb396d6a8..5d2bc16ba 100644 --- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-PostgreSql-http.json +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-PostgreSql-http.json @@ -42,8 +42,8 @@ "TLSEnforcementDisabled" ], "metadata": { - "displayName": "Select version minimum TLS for MySQL server", - "description": "Select version minimum TLS version Azure Database for MySQL server to enforce" + "displayName": "Select version minimum TLS for PostgreSQL server", + "description": "Select version minimum TLS version Azure Database for PostgreSQL server to enforce" } } }, diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-PublicEndpoint-MariaDB.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-PublicEndpoint-MariaDB.json index eea5b4fbe..a98c694ce 100644 --- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-PublicEndpoint-MariaDB.json +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-PublicEndpoint-MariaDB.json @@ -7,12 +7,13 @@ "policyType": "Custom", "mode": "Indexed", "displayName": "[Deprecated] Public network access should be disabled for MariaDB", - "description": "This policy denies the creation of Maria DB accounts with exposed public endpoints", + "description": "This policy denies the creation of Maria DB accounts with exposed public endpoints. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/fdccbe47-f3e3-4213-ad5d-ea459b2fa077.html", "metadata": { "version": "1.0.0-deprecated", "category": "SQL", "source": "https://github.com/Azure/Enterprise-Scale/", "deprecated": true, + "supersededBy": "fdccbe47-f3e3-4213-ad5d-ea459b2fa077", "alzCloudEnvironments": [ "AzureCloud", "AzureChinaCloud", diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-PublicIP.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-PublicIP.json index 7c8acd8ec..a997d2dc3 100644 --- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-PublicIP.json +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-PublicIP.json @@ -7,9 +7,10 @@ "policyType": "Custom", "mode": "Indexed", "displayName": "[Deprecated] Deny the creation of public IP", - "description": "[Deprecated] This policy denies creation of Public IPs under the assigned scope.", + "description": "[Deprecated] This policy denies creation of Public IPs under the assigned scope. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/6c112d4e-5bc7-47ae-a041-ea2d9dccd749.html using appropriate assignment parameters.", "metadata": { "deprecated": true, + "supersededBy": "6c112d4e-5bc7-47ae-a041-ea2d9dccd749", "version": "1.0.0-deprecated", "category": "Network", "source": "https://github.com/Azure/Enterprise-Scale/", diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-RDP-From-Internet.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-RDP-From-Internet.json index a4efda102..1b9439960 100644 --- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-RDP-From-Internet.json +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-RDP-From-Internet.json @@ -7,9 +7,10 @@ "policyType": "Custom", "mode": "All", "displayName": "[Deprecated] RDP access from the Internet should be blocked", - "description": "This policy denies any network security rule that allows RDP access from Internet. This policy is superceded by new custom ALZ policy 'Deny-MgmtPorts-From-Internet'.", + "description": "This policy denies any network security rule that allows RDP access from Internet. This policy is superseded by https://www.azadvertizer.net/azpolicyadvertizer/Deny-MgmtPorts-From-Internet.html", "metadata": { "deprecated": true, + "supersededBy": "Deny-MgmtPorts-From-Internet", "version": "1.0.1-deprecated", "category": "Network", "source": "https://github.com/Azure/Enterprise-Scale/", diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_DenyAction-ActivityLogs.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_DenyAction-ActivityLogs.json new file mode 100644 index 000000000..c097e97de --- /dev/null +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_DenyAction-ActivityLogs.json @@ -0,0 +1,38 @@ +{ + "name": "DenyAction-ActivityLogs", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "DenyAction implementation on Activity Logs", + "description": "This is a DenyAction implementation policy on Activity Logs.", + "metadata": { + "deprecated": false, + "version": "1.0.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": {}, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Resources/subscriptions/providers/diagnosticSettings" + }, + "then": { + "effect": "denyAction", + "details": { + "actionNames": [ + "delete" + ] + } + } + } + } +} \ No newline at end of file diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_DenyAction-DiagnosticLogs.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_DenyAction-DiagnosticLogs.json new file mode 100644 index 000000000..a33f10c1f --- /dev/null +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_DenyAction-DiagnosticLogs.json @@ -0,0 +1,38 @@ +{ + "name": "DenyAction-DiagnosticLogs", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "DenyAction implementation on Diagnostic Logs.", + "description": "DenyAction implementation on Diagnostic Logs.", + "metadata": { + "deprecated": false, + "version": "1.0.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": {}, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Insights/diagnosticSettings" + }, + "then": { + "effect": "denyAction", + "details": { + "actionNames": [ + "delete" + ] + } + } + } + } +} \ No newline at end of file diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-CosmosDB.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-CosmosDB.json index 7979a23cd..0c5e86c70 100644 --- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-CosmosDB.json +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-CosmosDB.json @@ -9,7 +9,7 @@ "displayName": "Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace", "description": "Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", "metadata": { - "version": "1.1.0", + "version": "1.2.0", "category": "Monitoring", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -181,6 +181,10 @@ { "category": "GremlinRequests", "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "TableApiRequests", + "enabled": "[parameters('logsEnabled')]" } ] } diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-MySQL-sslEnforcement.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-MySQL-sslEnforcement.json index 7e7290ea0..3dca74215 100644 --- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-MySQL-sslEnforcement.json +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-MySQL-sslEnforcement.json @@ -9,7 +9,7 @@ "displayName": "Azure Database for MySQL server deploy a specific min TLS version and enforce SSL.", "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.", "metadata": { - "version": "1.0.0", + "version": "1.1.0", "category": "SQL", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -84,7 +84,7 @@ ] }, "roleDefinitionIds": [ - "/providers/microsoft.authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635" + "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" ], "deployment": { "properties": { diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Nsg-FlowLogs-to-LA.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Nsg-FlowLogs-to-LA.json index 055961f33..d78dde160 100644 --- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Nsg-FlowLogs-to-LA.json +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Nsg-FlowLogs-to-LA.json @@ -7,9 +7,10 @@ "policyType": "Custom", "mode": "Indexed", "displayName": "[Deprecated] Deploys NSG flow logs and traffic analytics to Log Analytics", - "description": "[Deprecated] Deprecated by built-in policy. Deploys NSG flow logs and traffic analytics to Log Analytics with a specified retention period.", + "description": "[Deprecated] Deprecated by built-in policy. Deploys NSG flow logs and traffic analytics to Log Analytics with a specified retention period. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/e920df7f-9a64-4066-9b58-52684c02a091.html", "metadata": { "deprecated": true, + "supersededBy": "e920df7f-9a64-4066-9b58-52684c02a091", "version": "1.1.0-deprecated", "category": "Monitoring", "source": "https://github.com/Azure/Enterprise-Scale/", diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Nsg-FlowLogs.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Nsg-FlowLogs.json index 2a504dd4e..347fd2dc3 100644 --- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Nsg-FlowLogs.json +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Nsg-FlowLogs.json @@ -7,9 +7,10 @@ "policyType": "Custom", "mode": "Indexed", "displayName": "[Deprecated] Deploys NSG flow logs and traffic analytics", - "description": "[Deprecated] Deprecated by built-in policy. Deploys NSG flow logs and traffic analytics to a storageaccountid with a specified retention period.", + "description": "[Deprecated] Deprecated by built-in policy. Deploys NSG flow logs and traffic analytics to a storageaccountid with a specified retention period. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/e920df7f-9a64-4066-9b58-52684c02a091.html", "metadata": { "deprecated": true, + "supersededBy": "e920df7f-9a64-4066-9b58-52684c02a091", "version": "1.0.0-deprecated", "category": "Monitoring", "source": "https://github.com/Azure/Enterprise-Scale/", diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-PostgreSQL-sslEnforcement.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-PostgreSQL-sslEnforcement.json index d644cc23c..3cf45b5ec 100644 --- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-PostgreSQL-sslEnforcement.json +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-PostgreSQL-sslEnforcement.json @@ -9,7 +9,7 @@ "displayName": "Azure Database for PostgreSQL server deploy a specific min TLS version requirement and enforce SSL ", "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.", "metadata": { - "version": "1.0.0", + "version": "1.1.0", "category": "SQL", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -85,7 +85,7 @@ }, "name": "current", "roleDefinitionIds": [ - "/providers/microsoft.authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635" + "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" ], "deployment": { "properties": { diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-SQL-minTLS.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-SQL-minTLS.json index 07fa3ffb2..48909e0ee 100644 --- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-SQL-minTLS.json +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-SQL-minTLS.json @@ -9,7 +9,7 @@ "displayName": "SQL servers deploys a specific min TLS version requirement.", "description": "Deploys a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.", "metadata": { - "version": "1.0.0", + "version": "1.1.0", "category": "SQL", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -72,7 +72,7 @@ }, "name": "current", "roleDefinitionIds": [ - "/providers/microsoft.authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635" + "/providers/microsoft.authorization/roleDefinitions/6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437" ], "deployment": { "properties": { diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Sql-Tde.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Sql-Tde.json index 8415c4fa6..cf6bcde52 100644 --- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Sql-Tde.json +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Sql-Tde.json @@ -10,6 +10,7 @@ "description": "Deploy the Transparent Data Encryption when it is not enabled in the deployment. Please use this policy instead https://www.azadvertizer.net/azpolicyadvertizer/86a912f6-9a06-4e26-b447-11b16ba8659f.html", "metadata": { "deprecated": true, + "supersededBy": "86a912f6-9a06-4e26-b447-11b16ba8659f", "version": "1.1.1-deprecated", "category": "SQL", "source": "https://github.com/Azure/Enterprise-Scale/", diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-SqlMi-minTLS.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-SqlMi-minTLS.json index 237c536c7..a2e4c61ce 100644 --- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-SqlMi-minTLS.json +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-SqlMi-minTLS.json @@ -9,7 +9,7 @@ "displayName": "SQL managed instances deploy a specific min TLS version requirement.", "description": "Deploy a specific min TLS version requirement and enforce SSL on SQL managed instances. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.", "metadata": { - "version": "1.0.0", + "version": "1.2.0", "category": "SQL", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -62,6 +62,7 @@ "effect": "[parameters('effect')]", "details": { "type": "Microsoft.Sql/managedInstances", + "evaluationDelay": "AfterProvisioningSuccess", "existenceCondition": { "allOf": [ { @@ -72,7 +73,7 @@ }, "name": "current", "roleDefinitionIds": [ - "/providers/microsoft.authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635" + "/providers/microsoft.authorization/roleDefinitions/4939a1f6-9ae0-4e48-a1e0-f2cbe897382d" ], "deployment": { "properties": { diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Storage-sslEnforcement.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Storage-sslEnforcement.json index 8835ff5eb..6e0531aa6 100644 --- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Storage-sslEnforcement.json +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Storage-sslEnforcement.json @@ -9,7 +9,7 @@ "displayName": "Azure Storage deploy a specific min TLS version requirement and enforce SSL/HTTPS ", "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Storage. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your Azure Storage.", "metadata": { - "version": "1.1.0", + "version": "1.2.0", "category": "Storage", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -84,7 +84,7 @@ }, "name": "current", "roleDefinitionIds": [ - "/providers/microsoft.authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635" + "/providers/microsoft.authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab" ], "deployment": { "properties": { diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/_policySetDefinitionsBicepInput.txt b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/_policySetDefinitionsBicepInput.txt index bae78e816..538e2aeac 100644 --- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/_policySetDefinitionsBicepInput.txt +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/_policySetDefinitionsBicepInput.txt @@ -155,6 +155,24 @@ var varCustomPolicySetDefinitionsArray = [ } ] } + { + name: 'DenyAction-DeleteProtection' + libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_DenyAction-DeleteProtection.json') + libSetChildDefinitions: [ + { + definitionReferenceId: 'DenyActionDelete-ActivityLogSettings' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/DenyAction-ActivityLogs' + definitionParameters: varPolicySetDefinitionEsDenyActionDeleteProtectionParameters['DenyActionDelete-ActivityLogSettings'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DenyActionDelete-DiagnosticSettings' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/DenyAction-DiagnosticLogs' + definitionParameters: varPolicySetDefinitionEsDenyActionDeleteProtectionParameters['DenyActionDelete-DiagnosticSettings'].parameters + definitionGroups: [] + } + ] + } { name: 'Deploy-Diagnostics-LogAnalytics' libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Deploy-Diagnostics-LogAnalytics.json') @@ -670,9 +688,9 @@ var varCustomPolicySetDefinitionsArray = [ definitionGroups: [] } { - definitionReferenceId: 'defenderForStorageAccounts' - definitionId: '/providers/Microsoft.Authorization/policyDefinitions/74c30959-af11-47b3-9ed2-a26e03f427a3' - definitionParameters: varPolicySetDefinitionEsDeployMDFCConfigParameters.defenderForStorageAccounts.parameters + definitionReferenceId: 'defenderForStorageAccountsV2' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/cfdc5972-75b3-4418-8ae1-7f5c36839390' + definitionParameters: varPolicySetDefinitionEsDeployMDFCConfigParameters.defenderForStorageAccountsV2.parameters definitionGroups: [] } { @@ -777,6 +795,18 @@ var varCustomPolicySetDefinitionsArray = [ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Cosmos-Table'].parameters definitionGroups: [] } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-Databrics-Browser-AuthN' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/0eddd7f3-3d9b-4927-a07a-806e8ac9486c' + definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Databrics-Browser-AuthN'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-Databrics-UI-Api' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/0eddd7f3-3d9b-4927-a07a-806e8ac9486c' + definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Databrics-UI-Api'].parameters + definitionGroups: [] + } { definitionReferenceId: 'DINE-Private-DNS-Azure-DataFactory' definitionId: '/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4' @@ -1376,6 +1406,8 @@ var varPolicySetDefinitionEsAuditUnusedResourcesCostOptimizationParameters = loa var varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Deny-PublicPaaSEndpoints.parameters.json') +var varPolicySetDefinitionEsDenyActionDeleteProtectionParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_DenyAction-DeleteProtection.parameters.json') + var varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Deploy-Diagnostics-LogAnalytics.parameters.json') var varPolicySetDefinitionEsDeployMDFCConfigParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Deploy-MDFC-Config.parameters.json') diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_DenyAction-DeleteProtection.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_DenyAction-DeleteProtection.json new file mode 100644 index 000000000..b19006ed4 --- /dev/null +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_DenyAction-DeleteProtection.json @@ -0,0 +1,37 @@ +{ + "name": "DenyAction-DeleteProtection", + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "displayName": "DenyAction Delete - Activity Log Settings and Diagnostic Settings", + "description": "Enforces DenyAction - Delete on Activity Log Settings and Diagnostic Settings.", + "metadata": { + "version": "1.0.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": {}, + "policyDefinitions": [ + { + "policyDefinitionReferenceId": "DenyActionDelete-DiagnosticSettings", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/DenyAction-DiagnosticLogs", + "parameters": {}, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DenyActionDelete-ActivityLogSettings", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/DenyAction-ActivityLogs", + "parameters": {}, + "groupNames": [] + } + ], + "policyDefinitionGroups": null + } +} \ No newline at end of file diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_DenyAction-DeleteProtection.parameters.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_DenyAction-DeleteProtection.parameters.json new file mode 100644 index 000000000..3c9ca1d02 --- /dev/null +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_DenyAction-DeleteProtection.parameters.json @@ -0,0 +1,8 @@ +{ + "DenyActionDelete-ActivityLogSettings": { + "parameters": {} + }, + "DenyActionDelete-DiagnosticSettings": { + "parameters": {} + } +} diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-MDFC-Config.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-MDFC-Config.json index b3c58776e..56b991bcc 100644 --- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-MDFC-Config.json +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-MDFC-Config.json @@ -8,7 +8,7 @@ "displayName": "Deploy Microsoft Defender for Cloud configuration", "description": "Deploy Microsoft Defender for Cloud configuration", "metadata": { - "version": "5.0.1", + "version": "6.0.0.", "category": "Security Center", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -294,8 +294,8 @@ "groupNames": [] }, { - "policyDefinitionReferenceId": "defenderForStorageAccounts", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/74c30959-af11-47b3-9ed2-a26e03f427a3", + "policyDefinitionReferenceId": "defenderForStorageAccountsV2", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cfdc5972-75b3-4418-8ae1-7f5c36839390", "parameters": { "effect": { "value": "[[parameters('enableAscForStorage')]" diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-MDFC-Config.parameters.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-MDFC-Config.parameters.json index b87208583..38f85e270 100644 --- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-MDFC-Config.parameters.json +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-MDFC-Config.parameters.json @@ -106,7 +106,7 @@ } } }, - "defenderForStorageAccounts": { + "defenderForStorageAccountsV2": { "parameters": { "effect": { "value": "[[parameters('enableAscForStorage')]" diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-Private-DNS-Zones.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-Private-DNS-Zones.json index f3a2c9d7f..d633aa9c8 100644 --- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-Private-DNS-Zones.json +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-Private-DNS-Zones.json @@ -8,7 +8,7 @@ "displayName": "Configure Azure PaaS services to use private DNS zones", "description": "This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones", "metadata": { - "version": "1.1.1", + "version": "2.1.1", "category": "Network", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -106,6 +106,15 @@ "description": "Private DNS Zone Identifier" } }, + "azureDatabricksPrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureDatabricksPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, "azureHDInsightPrivateDnsZoneId": { "type": "string", "defaultValue": "", @@ -662,6 +671,38 @@ }, "groupNames": [] }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Databrics-UI-Api", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0eddd7f3-3d9b-4927-a07a-806e8ac9486c", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureDatabricksPrivateDnsZoneId')]" + }, + "groupId": { + "value": "databricks_ui_api" + }, + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Databrics-Browser-AuthN", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0eddd7f3-3d9b-4927-a07a-806e8ac9486c", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureDatabricksPrivateDnsZoneId')]" + }, + "groupId": { + "value": "browser_authentication" + }, + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": [] + }, { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-HDInsight", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/43d6e3bd-fc6a-4b44-8b4d-2151d8736a11", diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-Private-DNS-Zones.parameters.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-Private-DNS-Zones.parameters.json index d52cb9670..ea78797cc 100644 --- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-Private-DNS-Zones.parameters.json +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-Private-DNS-Zones.parameters.json @@ -150,6 +150,32 @@ } } }, + "DINE-Private-DNS-Azure-Databrics-Browser-AuthN": { + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureDatabricksPrivateDnsZoneId')]" + }, + "groupId": { + "value": "browser_authentication" + }, + "effect": { + "value": "[[parameters('effect')]" + } + } + }, + "DINE-Private-DNS-Azure-Databrics-UI-Api": { + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureDatabricksPrivateDnsZoneId')]" + }, + "groupId": { + "value": "databricks_ui_api" + }, + "effect": { + "value": "[[parameters('effect')]" + } + } + }, "DINE-Private-DNS-Azure-DataFactory": { "parameters": { "privateDnsZoneId": { diff --git a/infra-as-code/bicep/modules/privateDnsZones/generateddocs/privateDnsZones.bicep.md b/infra-as-code/bicep/modules/privateDnsZones/generateddocs/privateDnsZones.bicep.md index 46fd9d657..19094cf95 100644 --- a/infra-as-code/bicep/modules/privateDnsZones/generateddocs/privateDnsZones.bicep.md +++ b/infra-as-code/bicep/modules/privateDnsZones/generateddocs/privateDnsZones.bicep.md @@ -28,7 +28,7 @@ The Azure Region to deploy the resources into. Array of custom DNS Zones to provision in Hub Virtual Network. -- Default value: `[format('privatelink.{0}.azmk8s.io', toLower(parameters('parLocation')))] [format('privatelink.{0}.batch.azure.com', toLower(parameters('parLocation')))] [format('privatelink.{0}.kusto.windows.net', toLower(parameters('parLocation')))] privatelink.adf.azure.com privatelink.afs.azure.net privatelink.agentsvc.azure-automation.net privatelink.analysis.windows.net privatelink.api.azureml.ms privatelink.azconfig.io privatelink.azure-api.net privatelink.azure-automation.net privatelink.azurecr.io privatelink.azure-devices.net privatelink.azure-devices-provisioning.net privatelink.azurehdinsight.net privatelink.azurehealthcareapis.com privatelink.azurestaticapps.net privatelink.azuresynapse.net privatelink.azurewebsites.net privatelink.batch.azure.com privatelink.blob.core.windows.net privatelink.cassandra.cosmos.azure.com privatelink.cognitiveservices.azure.com privatelink.database.windows.net privatelink.datafactory.azure.net privatelink.dev.azuresynapse.net privatelink.dfs.core.windows.net privatelink.dicom.azurehealthcareapis.com privatelink.digitaltwins.azure.net privatelink.directline.botframework.com privatelink.documents.azure.com privatelink.eventgrid.azure.net privatelink.file.core.windows.net privatelink.gremlin.cosmos.azure.com privatelink.guestconfiguration.azure.com privatelink.his.arc.azure.com privatelink.kubernetesconfiguration.azure.com privatelink.managedhsm.azure.net privatelink.mariadb.database.azure.com privatelink.media.azure.net privatelink.mongo.cosmos.azure.com privatelink.monitor.azure.com privatelink.mysql.database.azure.com privatelink.notebooks.azure.net privatelink.ods.opinsights.azure.com privatelink.oms.opinsights.azure.com privatelink.pbidedicated.windows.net privatelink.postgres.database.azure.com privatelink.prod.migration.windowsazure.com privatelink.purview.azure.com privatelink.purviewstudio.azure.com privatelink.queue.core.windows.net privatelink.redis.cache.windows.net privatelink.redisenterprise.cache.azure.net privatelink.search.windows.net privatelink.service.signalr.net privatelink.servicebus.windows.net privatelink.siterecovery.windowsazure.com privatelink.sql.azuresynapse.net privatelink.table.core.windows.net privatelink.table.cosmos.azure.com privatelink.tip1.powerquery.microsoft.com privatelink.token.botframework.com privatelink.vaultcore.azure.net privatelink.web.core.windows.net privatelink.webpubsub.azure.com` +- Default value: `[format('privatelink.{0}.azmk8s.io', toLower(parameters('parLocation')))] [format('privatelink.{0}.batch.azure.com', toLower(parameters('parLocation')))] [format('privatelink.{0}.kusto.windows.net', toLower(parameters('parLocation')))] privatelink.adf.azure.com privatelink.afs.azure.net privatelink.agentsvc.azure-automation.net privatelink.analysis.windows.net privatelink.api.azureml.ms privatelink.azconfig.io privatelink.azure-api.net privatelink.azure-automation.net privatelink.azurecr.io privatelink.azure-devices.net privatelink.azure-devices-provisioning.net privatelink.azuredatabricks.net privatelink.azurehdinsight.net privatelink.azurehealthcareapis.com privatelink.azurestaticapps.net privatelink.azuresynapse.net privatelink.azurewebsites.net privatelink.batch.azure.com privatelink.blob.core.windows.net privatelink.cassandra.cosmos.azure.com privatelink.cognitiveservices.azure.com privatelink.database.windows.net privatelink.datafactory.azure.net privatelink.dev.azuresynapse.net privatelink.dfs.core.windows.net privatelink.dicom.azurehealthcareapis.com privatelink.digitaltwins.azure.net privatelink.directline.botframework.com privatelink.documents.azure.com privatelink.eventgrid.azure.net privatelink.file.core.windows.net privatelink.gremlin.cosmos.azure.com privatelink.guestconfiguration.azure.com privatelink.his.arc.azure.com privatelink.kubernetesconfiguration.azure.com privatelink.managedhsm.azure.net privatelink.mariadb.database.azure.com privatelink.media.azure.net privatelink.mongo.cosmos.azure.com privatelink.monitor.azure.com privatelink.mysql.database.azure.com privatelink.notebooks.azure.net privatelink.ods.opinsights.azure.com privatelink.oms.opinsights.azure.com privatelink.pbidedicated.windows.net privatelink.postgres.database.azure.com privatelink.prod.migration.windowsazure.com privatelink.purview.azure.com privatelink.purviewstudio.azure.com privatelink.queue.core.windows.net privatelink.redis.cache.windows.net privatelink.redisenterprise.cache.azure.net privatelink.search.windows.net privatelink.service.signalr.net privatelink.servicebus.windows.net privatelink.siterecovery.windowsazure.com privatelink.sql.azuresynapse.net privatelink.table.core.windows.net privatelink.table.cosmos.azure.com privatelink.tip1.powerquery.microsoft.com privatelink.token.botframework.com privatelink.vaultcore.azure.net privatelink.web.core.windows.net privatelink.webpubsub.azure.com` ### parPrivateDnsZoneAutoMergeAzureBackupZone @@ -102,6 +102,7 @@ outPrivateDnsZonesNames | array | "privatelink.azurecr.io", "privatelink.azure-devices.net", "privatelink.azure-devices-provisioning.net", + "privatelink.azuredatabricks.net", "privatelink.azurehdinsight.net", "privatelink.azurehealthcareapis.com", "privatelink.azurestaticapps.net", diff --git a/infra-as-code/bicep/modules/privateDnsZones/parameters/privateDnsZones.parameters.all.json b/infra-as-code/bicep/modules/privateDnsZones/parameters/privateDnsZones.parameters.all.json index 2f84bdac0..6115ea940 100644 --- a/infra-as-code/bicep/modules/privateDnsZones/parameters/privateDnsZones.parameters.all.json +++ b/infra-as-code/bicep/modules/privateDnsZones/parameters/privateDnsZones.parameters.all.json @@ -22,6 +22,7 @@ "privatelink.azurecr.io", "privatelink.azure-devices.net", "privatelink.azure-devices-provisioning.net", + "privatelink.azuredatabricks.net", "privatelink.azurehdinsight.net", "privatelink.azurehealthcareapis.com", "privatelink.azurestaticapps.net", diff --git a/infra-as-code/bicep/modules/privateDnsZones/parameters/privateDnsZones.parameters.min.json b/infra-as-code/bicep/modules/privateDnsZones/parameters/privateDnsZones.parameters.min.json index 3f3a46316..fcad59503 100644 --- a/infra-as-code/bicep/modules/privateDnsZones/parameters/privateDnsZones.parameters.min.json +++ b/infra-as-code/bicep/modules/privateDnsZones/parameters/privateDnsZones.parameters.min.json @@ -19,6 +19,7 @@ "privatelink.azurecr.io", "privatelink.azure-devices.net", "privatelink.azure-devices-provisioning.net", + "privatelink.azuredatabricks.net", "privatelink.azurehdinsight.net", "privatelink.azurehealthcareapis.com", "privatelink.azurestaticapps.net", diff --git a/infra-as-code/bicep/modules/privateDnsZones/privateDnsZones.bicep b/infra-as-code/bicep/modules/privateDnsZones/privateDnsZones.bicep index 2524b52bb..5f4c66100 100644 --- a/infra-as-code/bicep/modules/privateDnsZones/privateDnsZones.bicep +++ b/infra-as-code/bicep/modules/privateDnsZones/privateDnsZones.bicep @@ -20,6 +20,7 @@ param parPrivateDnsZones array = [ 'privatelink.azurecr.io' 'privatelink.azure-devices.net' 'privatelink.azure-devices-provisioning.net' + 'privatelink.azuredatabricks.net' 'privatelink.azurehdinsight.net' 'privatelink.azurehealthcareapis.com' 'privatelink.azurestaticapps.net' @@ -86,7 +87,6 @@ param parVirtualNetworkIdToLink string = '' @sys.description('Resource ID of VNet for Failover Private DNS Zone VNet Links.') param parVirtualNetworkIdToLinkFailover string = '' - @sys.description('Set Parameter to true to Opt-out of deployment telemetry.') param parTelemetryOptOut bool = false @@ -207,4 +207,4 @@ output outPrivateDnsZones array = [for i in range(0, length(varPrivateDnsZonesMe id: resPrivateDnsZones[i].id }] -output outPrivateDnsZonesNames array = [for i in range(0, length(varPrivateDnsZonesMerge)): resPrivateDnsZones[i].name ] +output outPrivateDnsZonesNames array = [for i in range(0, length(varPrivateDnsZonesMerge)): resPrivateDnsZones[i].name] diff --git a/infra-as-code/bicep/modules/privateDnsZones/samples/baseline.sample.bicep b/infra-as-code/bicep/modules/privateDnsZones/samples/baseline.sample.bicep index 08e585cd8..b023f8099 100644 --- a/infra-as-code/bicep/modules/privateDnsZones/samples/baseline.sample.bicep +++ b/infra-as-code/bicep/modules/privateDnsZones/samples/baseline.sample.bicep @@ -35,6 +35,7 @@ module baseline_private_dns '../privateDnsZones.bicep' = { 'privatelink.azurecr.io' 'privatelink.azure-devices.net' 'privatelink.azure-devices-provisioning.net' + 'privatelink.azuredatabricks.net' 'privatelink.azurehdinsight.net' 'privatelink.azurehealthcareapis.com' 'privatelink.azurestaticapps.net' diff --git a/infra-as-code/bicep/modules/vwanConnectivity/generateddocs/vwanConnectivity.bicep.md b/infra-as-code/bicep/modules/vwanConnectivity/generateddocs/vwanConnectivity.bicep.md index 0da985c3e..3d59d18a4 100644 --- a/infra-as-code/bicep/modules/vwanConnectivity/generateddocs/vwanConnectivity.bicep.md +++ b/infra-as-code/bicep/modules/vwanConnectivity/generateddocs/vwanConnectivity.bicep.md @@ -208,7 +208,7 @@ Resource Group Name for Private DNS Zones. Array of DNS Zones to provision in Hub Virtual Network. -- Default value: `[format('privatelink.{0}.azmk8s.io', toLower(parameters('parLocation')))] [format('privatelink.{0}.batch.azure.com', toLower(parameters('parLocation')))] [format('privatelink.{0}.kusto.windows.net', toLower(parameters('parLocation')))] privatelink.adf.azure.com privatelink.afs.azure.net privatelink.agentsvc.azure-automation.net privatelink.analysis.windows.net privatelink.api.azureml.ms privatelink.azconfig.io privatelink.azure-api.net privatelink.azure-automation.net privatelink.azurecr.io privatelink.azure-devices.net privatelink.azure-devices-provisioning.net privatelink.azurehdinsight.net privatelink.azurehealthcareapis.com privatelink.azurestaticapps.net privatelink.azuresynapse.net privatelink.azurewebsites.net privatelink.batch.azure.com privatelink.blob.core.windows.net privatelink.cassandra.cosmos.azure.com privatelink.cognitiveservices.azure.com privatelink.database.windows.net privatelink.datafactory.azure.net privatelink.dev.azuresynapse.net privatelink.dfs.core.windows.net privatelink.dicom.azurehealthcareapis.com privatelink.digitaltwins.azure.net privatelink.directline.botframework.com privatelink.documents.azure.com privatelink.eventgrid.azure.net privatelink.file.core.windows.net privatelink.gremlin.cosmos.azure.com privatelink.guestconfiguration.azure.com privatelink.his.arc.azure.com privatelink.kubernetesconfiguration.azure.com privatelink.managedhsm.azure.net privatelink.mariadb.database.azure.com privatelink.media.azure.net privatelink.mongo.cosmos.azure.com privatelink.monitor.azure.com privatelink.mysql.database.azure.com privatelink.notebooks.azure.net privatelink.ods.opinsights.azure.com privatelink.oms.opinsights.azure.com privatelink.pbidedicated.windows.net privatelink.postgres.database.azure.com privatelink.prod.migration.windowsazure.com privatelink.purview.azure.com privatelink.purviewstudio.azure.com privatelink.queue.core.windows.net privatelink.redis.cache.windows.net privatelink.redisenterprise.cache.azure.net privatelink.search.windows.net privatelink.service.signalr.net privatelink.servicebus.windows.net privatelink.siterecovery.windowsazure.com privatelink.sql.azuresynapse.net privatelink.table.core.windows.net privatelink.table.cosmos.azure.com privatelink.tip1.powerquery.microsoft.com privatelink.token.botframework.com privatelink.vaultcore.azure.net privatelink.web.core.windows.net privatelink.webpubsub.azure.com` +- Default value: `[format('privatelink.{0}.azmk8s.io', toLower(parameters('parLocation')))] [format('privatelink.{0}.batch.azure.com', toLower(parameters('parLocation')))] [format('privatelink.{0}.kusto.windows.net', toLower(parameters('parLocation')))] privatelink.adf.azure.com privatelink.afs.azure.net privatelink.agentsvc.azure-automation.net privatelink.analysis.windows.net privatelink.api.azureml.ms privatelink.azconfig.io privatelink.azure-api.net privatelink.azure-automation.net privatelink.azurecr.io privatelink.azure-devices.net privatelink.azure-devices-provisioning.net privatelink.azuredatabricks.net privatelink.azurehdinsight.net privatelink.azurehealthcareapis.com privatelink.azurestaticapps.net privatelink.azuresynapse.net privatelink.azurewebsites.net privatelink.batch.azure.com privatelink.blob.core.windows.net privatelink.cassandra.cosmos.azure.com privatelink.cognitiveservices.azure.com privatelink.database.windows.net privatelink.datafactory.azure.net privatelink.dev.azuresynapse.net privatelink.dfs.core.windows.net privatelink.dicom.azurehealthcareapis.com privatelink.digitaltwins.azure.net privatelink.directline.botframework.com privatelink.documents.azure.com privatelink.eventgrid.azure.net privatelink.file.core.windows.net privatelink.gremlin.cosmos.azure.com privatelink.guestconfiguration.azure.com privatelink.his.arc.azure.com privatelink.kubernetesconfiguration.azure.com privatelink.managedhsm.azure.net privatelink.mariadb.database.azure.com privatelink.media.azure.net privatelink.mongo.cosmos.azure.com privatelink.monitor.azure.com privatelink.mysql.database.azure.com privatelink.notebooks.azure.net privatelink.ods.opinsights.azure.com privatelink.oms.opinsights.azure.com privatelink.pbidedicated.windows.net privatelink.postgres.database.azure.com privatelink.prod.migration.windowsazure.com privatelink.purview.azure.com privatelink.purviewstudio.azure.com privatelink.queue.core.windows.net privatelink.redis.cache.windows.net privatelink.redisenterprise.cache.azure.net privatelink.search.windows.net privatelink.service.signalr.net privatelink.servicebus.windows.net privatelink.siterecovery.windowsazure.com privatelink.sql.azuresynapse.net privatelink.table.core.windows.net privatelink.table.cosmos.azure.com privatelink.tip1.powerquery.microsoft.com privatelink.token.botframework.com privatelink.vaultcore.azure.net privatelink.web.core.windows.net privatelink.webpubsub.azure.com` ### parPrivateDnsZoneAutoMergeAzureBackupZone @@ -356,6 +356,7 @@ outAzFwPrivateIps | array | "privatelink.azurecr.io", "privatelink.azure-devices.net", "privatelink.azure-devices-provisioning.net", + "privatelink.azuredatabricks.net", "privatelink.azurehdinsight.net", "privatelink.azurehealthcareapis.com", "privatelink.azurestaticapps.net", diff --git a/infra-as-code/bicep/modules/vwanConnectivity/parameters/vwanConnectivity.parameters.all.json b/infra-as-code/bicep/modules/vwanConnectivity/parameters/vwanConnectivity.parameters.all.json index bbcc8f3ea..82fe9a96d 100644 --- a/infra-as-code/bicep/modules/vwanConnectivity/parameters/vwanConnectivity.parameters.all.json +++ b/infra-as-code/bicep/modules/vwanConnectivity/parameters/vwanConnectivity.parameters.all.json @@ -87,6 +87,7 @@ "privatelink.azurecr.io", "privatelink.azure-devices.net", "privatelink.azure-devices-provisioning.net", + "privatelink.azuredatabricks.net", "privatelink.azurehdinsight.net", "privatelink.azurehealthcareapis.com", "privatelink.azurestaticapps.net", diff --git a/infra-as-code/bicep/modules/vwanConnectivity/samples/baseline.sample.bicep b/infra-as-code/bicep/modules/vwanConnectivity/samples/baseline.sample.bicep index ebff7adaa..92e90247d 100644 --- a/infra-as-code/bicep/modules/vwanConnectivity/samples/baseline.sample.bicep +++ b/infra-as-code/bicep/modules/vwanConnectivity/samples/baseline.sample.bicep @@ -22,16 +22,16 @@ module minimum_vwan_conn '../vwanConnectivity.bicep' = { parLocation: parLocation parAzFirewallTier: 'Standard' parVirtualHubEnabled: true - parVirtualWanHubs:[{ - parVpnGatewayEnabled: true - parExpressRouteGatewayEnabled: true - parAzFirewallEnabled: true - parVirtualHubAddressPrefix: '10.100.0.0/23' - parHubLocation: 'centralus' - parhubRoutingPreference: 'ExpressRoute' //allowed values are 'ASN','VpnGateway','ExpressRoute' - parvirtualRouterAutoScaleConfiguration: 2 //minimum capacity should be between 2 to 50 - parVirtualHubRoutingIntentDestinations: [] - }] + parVirtualWanHubs: [ { + parVpnGatewayEnabled: true + parExpressRouteGatewayEnabled: true + parAzFirewallEnabled: true + parVirtualHubAddressPrefix: '10.100.0.0/23' + parHubLocation: 'centralus' + parhubRoutingPreference: 'ExpressRoute' //allowed values are 'ASN','VpnGateway','ExpressRoute' + parvirtualRouterAutoScaleConfiguration: 2 //minimum capacity should be between 2 to 50 + parVirtualHubRoutingIntentDestinations: [] + } ] parAzFirewallDnsProxyEnabled: true parVirtualWanName: '${parCompanyPrefix}-vwan-${parLocation}' parVirtualWanHubName: '${parCompanyPrefix}-vhub' @@ -71,6 +71,7 @@ module minimum_vwan_conn '../vwanConnectivity.bicep' = { 'privatelink.azurecr.io' 'privatelink.azure-devices.net' 'privatelink.azure-devices-provisioning.net' + 'privatelink.azuredatabricks.net' 'privatelink.azurehdinsight.net' 'privatelink.azurehealthcareapis.com' 'privatelink.azurestaticapps.net' diff --git a/infra-as-code/bicep/modules/vwanConnectivity/vwanConnectivity.bicep b/infra-as-code/bicep/modules/vwanConnectivity/vwanConnectivity.bicep index 26f109003..012182361 100644 --- a/infra-as-code/bicep/modules/vwanConnectivity/vwanConnectivity.bicep +++ b/infra-as-code/bicep/modules/vwanConnectivity/vwanConnectivity.bicep @@ -108,6 +108,7 @@ param parPrivateDnsZones array = [ 'privatelink.azurecr.io' 'privatelink.azure-devices.net' 'privatelink.azure-devices-provisioning.net' + 'privatelink.azuredatabricks.net' 'privatelink.azurehdinsight.net' 'privatelink.azurehealthcareapis.com' 'privatelink.azurestaticapps.net'