Update Policy Library (automated) (#263)

* Update Policy Library (automated) * update custom policy def module Co-authored-by: github-actions <action@github.com> Co-authored-by: Jack Tracey <jack@jacktracey.co.uk>
Azure · Jun 17, 2022 · f9ede3a · f9ede3a
1 parent cdcda6a
commit f9ede3a
Show file tree

Hide file tree

Showing 15 changed files with 618 additions and 58 deletions.
diff --git a/infra-as-code/bicep/modules/policy/definitions/customPolicyDefinitions.bicep b/infra-as-code/bicep/modules/policy/definitions/customPolicyDefinitions.bicep
@@ -150,6 +150,10 @@ var varCustomPolicyDefinitionsArray = [
     name: 'Deny-VNET-Peer-Cross-Sub'
     libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deny_vnet_peer_cross_sub.json'))
   }
+  {
+    name: 'Deny-VNET-Peering-To-Non-Approved-VNETs'
+    libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deny_vnet_peering_to_non_approved_vnets.json'))
+  }
   {
     name: 'Deny-VNet-Peering'
     libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deny_vnet_peering.json'))
@@ -198,6 +202,14 @@ var varCustomPolicyDefinitionsArray = [
     name: 'Deploy-Diagnostics-ApplicationGateway'
     libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_applicationgateway.json'))
   }
+  {
+    name: 'Deploy-Diagnostics-AVDScalingPlans'
+    libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_avdscalingplans.json'))
+  }
+  {
+    name: 'Deploy-Diagnostics-Bastion'
+    libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_bastion.json'))
+  }
   {
     name: 'Deploy-Diagnostics-CDNEndpoints'
     libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_cdnendpoints.json'))
@@ -536,6 +548,16 @@ var varCustomPolicySetDefinitionsArray = [
         definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA'
         definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).AutomationDeployDiagnosticLogDeployLogAnalytics.parameters
       }
+      {
+        definitionReferenceId: 'AVDScalingPlansDeployDiagnosticLogDeployLogAnalytics'
+        definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AVDScalingPlans'
+        definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).AVDScalingPlansDeployDiagnosticLogDeployLogAnalytics.parameters
+      }
+      {
+        definitionReferenceId: 'BastionDeployDiagnosticLogDeployLogAnalytics'
+        definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Bastion'
+        definitionParameters: json(loadTextContent('lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.parameters.json')).BastionDeployDiagnosticLogDeployLogAnalytics.parameters
+      }
       {
         definitionReferenceId: 'BatchDeployDiagnosticLogDeployLogAnalytics'
         definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5'

diff --git a/.../bicep/modules/policy/definitions/lib/policy_definitions/_policyDefinitionsBicepInput.txt b/.../bicep/modules/policy/definitions/lib/policy_definitions/_policyDefinitionsBicepInput.txt
@@ -190,6 +190,14 @@
 	name: 'Deploy-Diagnostics-ApplicationGateway'
 	libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_applicationgateway.json'))
 }
+{
+	name: 'Deploy-Diagnostics-AVDScalingPlans'
+	libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_avdscalingplans.json'))
+}
+{
+	name: 'Deploy-Diagnostics-Bastion'
+	libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_bastion.json'))
+}
 {
 	name: 'Deploy-Diagnostics-CDNEndpoints'
 	libDefinition: json(loadTextContent('lib/policy_definitions/policy_definition_es_deploy_diagnostics_cdnendpoints.json'))

diff --git a/...policy_definition_es_deny_machinelearning_computecluster_remoteloginportpublicaccess.json b/...policy_definition_es_deny_machinelearning_computecluster_remoteloginportpublicaccess.json
@@ -5,11 +5,11 @@
   "scope": null,
   "properties": {
     "policyType": "Custom",
-    "mode": "Indexed",
+    "mode": "All",
     "displayName": "Deny public access of Azure Machine Learning clusters via SSH",
     "description": "Deny public access of Azure Machine Learning clusters via SSH.",
     "metadata": {
-      "version": "1.0.0",
+      "version": "1.1.0",
       "category": "Machine Learning"
     },
     "parameters": {

diff --git a/...y/definitions/lib/policy_definitions/policy_definition_es_deploy_diagnostics_apimgmt.json b/...y/definitions/lib/policy_definitions/policy_definition_es_deploy_diagnostics_apimgmt.json
@@ -147,6 +147,10 @@
                         {
                           "category": "GatewayLogs",
                           "enabled": "[parameters('logsEnabled')]"
+                        },
+                        {
+                          "category": "WebSocketConnectionLogs",
+                          "enabled": "[parameters('logsEnabled')]"
                         }
                       ]
                     }

diff --git a/...tions/lib/policy_definitions/policy_definition_es_deploy_diagnostics_avdscalingplans.json b/...tions/lib/policy_definitions/policy_definition_es_deploy_diagnostics_avdscalingplans.json
@@ -0,0 +1,150 @@
+{
+  "name": "Deploy-Diagnostics-AVDScalingPlans",
+  "type": "Microsoft.Authorization/policyDefinitions",
+  "apiVersion": "2021-06-01",
+  "scope": null,
+  "properties": {
+    "policyType": "Custom",
+    "mode": "Indexed",
+    "displayName": "Deploy Diagnostic Settings for AVD Scaling Plans to Log Analytics workspace",
+    "description": "Deploys the diagnostic settings for AVD Scaling Plans to stream to a Log Analytics workspace when any Scaling Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all and categorys enabled.",
+    "metadata": {
+      "version": "1.0.0",
+      "category": "Monitoring"
+    },
+    "parameters": {
+      "logAnalytics": {
+        "type": "String",
+        "metadata": {
+          "displayName": "Log Analytics workspace",
+          "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
+          "strongType": "omsWorkspace"
+        }
+      },
+      "effect": {
+        "type": "String",
+        "defaultValue": "DeployIfNotExists",
+        "allowedValues": [
+          "DeployIfNotExists",
+          "Disabled"
+        ],
+        "metadata": {
+          "displayName": "Effect",
+          "description": "Enable or disable the execution of the policy"
+        }
+      },
+      "profileName": {
+        "type": "String",
+        "defaultValue": "setbypolicy",
+        "metadata": {
+          "displayName": "Profile name",
+          "description": "The diagnostic settings profile name"
+        }
+      },
+      "logsEnabled": {
+        "type": "String",
+        "defaultValue": "True",
+        "allowedValues": [
+          "True",
+          "False"
+        ],
+        "metadata": {
+          "displayName": "Enable logs",
+          "description": "Whether to enable logs stream to the Log Analytics workspace - True or False"
+        }
+      }
+    },
+    "policyRule": {
+      "if": {
+        "field": "type",
+        "equals": "Microsoft.DesktopVirtualization/scalingplans"
+      },
+      "then": {
+        "effect": "[parameters('effect')]",
+        "details": {
+          "type": "Microsoft.Insights/diagnosticSettings",
+          "name": "setByPolicy",
+          "existenceCondition": {
+            "allOf": [
+              {
+                "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
+                "equals": "true"
+              },
+              {
+                "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
+                "equals": "[parameters('logAnalytics')]"
+              }
+            ]
+          },
+          "roleDefinitionIds": [
+            "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
+            "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
+          ],
+          "deployment": {
+            "properties": {
+              "mode": "Incremental",
+              "template": {
+                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+                "contentVersion": "1.0.0.0",
+                "parameters": {
+                  "resourceName": {
+                    "type": "String"
+                  },
+                  "logAnalytics": {
+                    "type": "String"
+                  },
+                  "location": {
+                    "type": "String"
+                  },
+                  "profileName": {
+                    "type": "String"
+                  },
+                  "logsEnabled": {
+                    "type": "String"
+                  }
+                },
+                "variables": {},
+                "resources": [
+                  {
+                    "type": "Microsoft.DesktopVirtualization/scalingplans/providers/diagnosticSettings",
+                    "apiVersion": "2017-05-01-preview",
+                    "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
+                    "location": "[parameters('location')]",
+                    "dependsOn": [],
+                    "properties": {
+                      "workspaceId": "[parameters('logAnalytics')]",
+                      "logs": [
+                        {
+                          "category": "Autoscale",
+                          "enabled": "[parameters('logsEnabled')]"
+                        }
+                      ]
+                    }
+                  }
+                ],
+                "outputs": {}
+              },
+              "parameters": {
+                "logAnalytics": {
+                  "value": "[parameters('logAnalytics')]"
+                },
+                "location": {
+                  "value": "[field('location')]"
+                },
+                "resourceName": {
+                  "value": "[field('name')]"
+                },
+                "profileName": {
+                  "value": "[parameters('profileName')]"
+                },
+                "logsEnabled": {
+                  "value": "[parameters('logsEnabled')]"
+                }
+              }
+            }
+          }
+        }
+      }
+    }
+  }
+}